nftables packet filter 1.0.0 released

The release of the nftables packet filter 1.0.0 has been announced, unifying packet filtering for IPv4, IPv6, ARP and network bridges (with the aim of replacing iptables, ip6tables, arptables and ebtables). The changes required for nftables 1.0.0 to work are included in the Linux 5.13 kernel. The major version bump is not tied to any fundamental change; it is simply the consequence of continuing the sequential numbering (the previous release was 0.9.9).

The nftables package contains the packet filter components that run in user space, while the kernel side is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. At the kernel level only a generic, protocol-independent interface is provided, offering basic functions for extracting data from packets, performing operations on that data, and controlling flow.

The filtering rules themselves and the protocol-specific handlers are compiled in user space into bytecode, after which this bytecode is loaded into the kernel over the Netlink interface and executed inside the kernel in a special virtual machine resembling BPF (Berkeley Packet Filters). This approach makes it possible to significantly reduce the size of the filtering code running at the kernel level and to move all rule parsing and protocol-handling logic into user space.

Main changes:

  • Support for a "*" wildcard element has been added to set lists; it matches every packet that does not fall under any other element listed in the set.
        table x {
            map blocklist {
                type ipv4_addr : verdict
                flags interval
                elements = { 192.168.0.0/16 : accept, 10.0.0.0/8 : accept, * : drop }
            }
            chain y {
                type filter hook prerouting priority 0; policy accept;
                ip saddr vmap @blocklist
            }
        }
  • Variables can now be defined from the command line using the "--define" option.
        # cat test.nft
        table netdev x {
            chain y {
                type filter hook ingress devices = $dev priority 0; policy drop;
            }
        }
        # nft --define dev="{ eth0, eth1 }" -f test.nft
  • In map lists, the use of stateful expressions is allowed:
        table inet filter {
            map portmap {
                type inet_service : verdict
                elements = { 22 counter packets 0 bytes 0 : jump ssh_input, * counter packets 0 bytes 0 : drop }
            }
            chain ssh_input { }
            chain wan_input { tcp dport vmap @portmap }
            chain prerouting {
                type filter hook prerouting priority raw; policy accept;
                iif vmap { "lo" : jump wan_input }
            }
        }
  • A "list hooks" command has been added to display the list of handlers registered for a packet family:
        # nft list hooks ip device eth0
        family ip {
            hook ingress {
                +0000000010 chain netdev x y [nf_tables]
                +0000000300 chain inet m w [nf_tables]
            }
            hook input {
                -0000000100 chain ip a b [nf_tables]
                +0000000300 chain inet m z [nf_tables]
            }
            hook forward {
                -0000000225 selinux_ipv4_forward
                 0000000000 chain ip a c [nf_tables]
            }
            hook output {
                +0000000225 selinux_ipv4_output
            }
            hook postrouting {
                +0000000225 selinux_ipv4_postroute
            }
        }
  • Queue blocks allow the jhash, symhash and numgen expressions to be combined in order to distribute packets among queues in user space.
        ... queue to symhash mod 65536
        ... queue flags bypass to numgen inc mod 65536
        ... queue to jhash oif . meta mark mod 32
    "queue" can also be combined with map lists to select a user-space queue based on arbitrary keys.
        ... queue flags bypass to oifname map { "eth0" : 0, "ppp0" : 2, "eth1" : 2 }
  • It is now possible to expand variables that contain set lists into multiple map elements.
        define interfaces = { eth0, eth1 }
        table ip x {
            chain y {
                type filter hook input priority 0; policy accept;
                iifname vmap { lo : accept, $interfaces : drop }
            }
        }
        # nft -f x.nft
        # nft list ruleset
        table ip x {
            chain y {
                type filter hook input priority 0; policy accept;
                iifname vmap { "lo" : accept, "eth0" : drop, "eth1" : drop }
            }
        }
  • Combining vmaps (verdict maps) with intervals is now permitted:
        # nft add rule x y tcp dport . ip saddr vmap { 1025-65535 . 192.168.10.2 : accept }
  • Simplified syntax for NAT mappings. It is possible to specify address ranges:
        ... snat to ip saddr map { 10.141.11.4 : 192.168.2.2-192.168.2.4 }
    or explicit IP addresses and ports:
        ... dnat to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 }
    or combinations of IP ranges and ports:
        ... dnat to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.2-10.141.10.5 . 8888 }
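The catch-all "*" element and the expansion of a $define holding a set into map elements (the first and sixth items above) are easy to misread, so here is a small Python model of how nft resolves a verdict map under those two rules. This is an added illustration, not code from nftables or the announcement; the dictionaries, function names and sample addresses are constructed here.

```python
"""Model of two nftables 1.0.0 verdict-map behaviours: the catch-all "*"
element and expansion of a $define that holds a set into map elements.
Added illustration only; nft compiles such maps into kernel sets, and
this merely mirrors the lookup semantics described in the release notes."""
import ipaddress

CATCH_ALL = "*"  # the wildcard element introduced in nftables 1.0.0


def expand_defines(elements, defines):
    """Expand '$name' keys whose define holds a list into one element per
    member, as nft does for `iifname vmap { lo : accept, $interfaces : drop }`."""
    expanded = {}
    for key, verdict in elements.items():
        if key.startswith("$"):
            for member in defines[key[1:]]:
                expanded[member] = verdict
        else:
            expanded[key] = verdict
    return expanded


def vmap_lookup(elements, value):
    """Return the verdict for `value`. Concrete elements (exact keys or CIDR
    intervals, i.e. a map with `flags interval`) are tried first; the "*"
    element applies only to values no other element matched. With no match
    at all the rule simply does not apply, modelled here as None."""
    for key, verdict in elements.items():
        if key == CATCH_ALL:
            continue
        if key == value:
            return verdict
        if "/" in key:  # interval element written as an address prefix
            try:
                if ipaddress.ip_address(value) in ipaddress.ip_network(key, strict=False):
                    return verdict
            except ValueError:  # value is not an address (e.g. an ifname)
                continue
    return elements.get(CATCH_ALL)


# Constructed map contents mirroring the announcement's two examples.
BLOCKLIST = {"192.168.0.0/16": "accept", "10.0.0.0/8": "accept", CATCH_ALL: "drop"}
IFACE_MAP = expand_defines({"lo": "accept", "$interfaces": "drop"},
                           {"interfaces": ["eth0", "eth1"]})

if __name__ == "__main__":
    for src in ("192.168.1.5", "10.2.3.4", "8.8.8.8"):
        print(src, "->", vmap_lookup(BLOCKLIST, src))  # accept, accept, drop
    print(IFACE_MAP)  # {'lo': 'accept', 'eth0': 'drop', 'eth1': 'drop'}
```

Note that a map without a "*" element leaves unmatched packets to the chain policy, which the model reports as None.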

Source: opennet.ru
