nftables packet filter 1.0.2 released

The release of the nftables 1.0.2 packet filter has been published. It unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridges (with the goal of replacing iptables, ip6tables, arptables and ebtables). The kernel changes required for nftables 1.0.2 to work are included in the Linux 5.17-rc kernel.

The nftables package contains the packet filter components that run in user space, while the kernel-level part is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. At the kernel level only a generic, protocol-independent interface is provided, offering basic primitives for extracting data from packets, operating on that data and controlling flow.

The filtering rules themselves and the protocol-specific handlers are compiled in user space into bytecode, which is then loaded into the kernel over the Netlink interface and executed there in a special virtual machine resembling BPF (Berkeley Packet Filters). This approach makes it possible to substantially reduce the amount of filtering code running at the kernel level and to move all rule parsing and protocol-handling logic into user space.

Main innovations:

  • A rule optimization mode has been added, enabled with the new "-o" ("--optimize") option, which can be combined with the "--check" option to check and optimize the changes in a ruleset file without loading it. Optimization makes it possible to merge similar rules; for example, the rules:

        meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
        meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.5 accept
        ip saddr 1.1.1.1 ip daddr 2.2.2.2 accept
        ip saddr 3.3.3.3 ip daddr 2.2.2.2 drop

    will be merged into

        meta iifname . ip saddr . ip daddr { eth1 . 1.1.1.1 . 2.2.2.3, eth1 . 1.1.1.2 . 2.2.2.5 } accept
        ip saddr . ip daddr vmap { 1.1.1.1 . 2.2.2.2 : accept, 3.3.3.3 . 2.2.2.2 : drop }

    Usage example:

        # nft -c -o -f ruleset.test
        Merging:
        ruleset.nft:16:3-37:   ip daddr 192.168.0.1 counter accept
        ruleset.nft:17:3-37:   ip daddr 192.168.0.2 counter accept
        ruleset.nft:18:3-37:   ip daddr 192.168.0.3 counter accept
        into:
                ip daddr { 192.168.0.1, 192.168.0.2, 192.168.0.3 } counter packets 0 bytes 0 accept

  • Sets can now be defined over ip and tcp option fields, as well as sctp chunk fields:

        set s5 {
            typeof ip option ra value
            elements = { 1, 1024 }
        }
        set s7 {
            typeof sctp chunk init num-inbound-streams
            elements = { 1, 4 }
        }
        chain c5 {
            ip option ra value @s5 accept
        }
        chain c7 {
            sctp chunk init num-inbound-streams @s7 accept
        }

  • Added support for the fastopen, md5sig and mptcp TCP options.
  • Added support for using the mptcp subtype in mappings: tcp option mptcp subtype 1
  • Improved the filtering code executed on the kernel side.
  • Flowtables are now fully supported in JSON format.
  • The "reject" verdict can now be used in Ethernet frame matching rules: ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject
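As an added illustration (not code from nftables or from the opennet article), the following Python script models the merging that "nft -o" performs on the rules shown above: a run of adjacent rules matching the same fields with the same verdict collapses into one rule over an anonymous set, and a run with differing verdicts collapses into a verdict map (vmap). The three supported match keys, the one-value-per-key parser and the adjacency-only rule are assumptions of this toy; the real optimizer works on nftables' own expression tree and handles many more statements.

```python
"""Toy model of the rule merging performed by `nft -o` (--optimize).

Constructed illustration, not nftables' own optimizer: it handles only the
three match keys used in the release example and merges only runs of
adjacent rules, so rule order (and hence first-match semantics) is kept.
"""
import re

# Assumption of this toy: one value per key, keys space-separated, verdict last.
KEY_RE = re.compile(r'(meta iifname|ip saddr|ip daddr) (\S+)')
VERDICTS = ('accept', 'drop', 'reject')


def parse_rule(rule):
    """Return (keys, values, verdict) for a rule such as
    'meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept'."""
    rule = ' '.join(rule.split())          # normalise whitespace
    verdict = rule.rsplit(' ', 1)[-1]
    if verdict not in VERDICTS:
        raise ValueError(f'rule has no terminal verdict: {rule!r}')
    body = rule[:-len(verdict)].strip()
    matches = KEY_RE.findall(body)
    # Refuse anything the toy does not understand (counter, log, ranges, ...)
    if ' '.join(f'{k} {v}' for k, v in matches) != body:
        raise ValueError(f'unsupported expression in rule: {rule!r}')
    return (tuple(k for k, _ in matches),
            tuple(v for _, v in matches),
            verdict)


def optimize(rules):
    """Merge runs of adjacent rules that match the same keys."""
    runs = []                              # [(keys, [(values, verdict), ...]), ...]
    for rule in rules:
        keys, values, verdict = parse_rule(rule)
        if runs and runs[-1][0] == keys:
            runs[-1][1].append((values, verdict))
        else:
            runs.append((keys, [(values, verdict)]))

    merged = []
    for keys, entries in runs:
        if len(entries) == 1:              # nothing to merge; emit unchanged
            values, verdict = entries[0]
            merged.append(' '.join(f'{k} {v}' for k, v in zip(keys, values))
                          + f' {verdict}')
            continue
        selector = ' . '.join(keys)        # concatenated key, e.g. "ip saddr . ip daddr"
        elements = [' . '.join(values) for values, _ in entries]
        verdicts = {verdict for _, verdict in entries}
        if len(verdicts) == 1:
            # Same verdict everywhere: one rule over an anonymous set.
            merged.append(f"{selector} {{ {', '.join(elements)} }} {entries[0][1]}")
        else:
            # Mixed verdicts: a verdict map keeps each element's own verdict.
            pairs = ', '.join(f'{e} : {v}' for e, (_, v) in zip(elements, entries))
            merged.append(f'{selector} vmap {{ {pairs} }}')
    return merged


# Constructed sample: the rules from the release note above.
SAMPLE_RULES = [
    'meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept',
    'meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.5 accept',
    'ip saddr 1.1.1.1 ip daddr 2.2.2.2 accept',
    'ip saddr 3.3.3.3 ip daddr 2.2.2.2 drop',
]

if __name__ == '__main__':
    for line in optimize(SAMPLE_RULES):
        print(line)
```

The point worth keeping from the toy is the adjacency restriction: merging two rules that are separated by a rule with a different match could change which rule fires first, which is why the real "nft -c -o -f ruleset.nft" run prints the "Merging:" and "into:" lines for review before anything is loaded.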

Source: opennet.ru
