nftables packet filter 1.0.3 released

The release of the nftables 1.0.3 packet filter has been announced. It unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridges (with the goal of replacing iptables, ip6tables, arptables and ebtables). The kernel-side changes required for nftables 1.0.3 to work are included in the Linux 5.18 kernel.

The nftables package contains the packet filter components that run in user space, while the kernel-level part is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. At the kernel level only a generic, protocol-independent interface is provided, offering basic functions for extracting data from packets, performing operations on that data, and controlling flow.

The filtering rules themselves and the protocol-specific handlers are compiled in user space into bytecode; this bytecode is then loaded into the kernel through the Netlink interface and executed in the kernel in a special virtual machine resembling BPF (Berkeley Packet Filters). This approach makes it possible to significantly reduce the size of the filtering code running at the kernel level and to move all the work of parsing rules and the protocol-handling logic into user space.

Main innovations:

  • Set elements now support interface names matched by a mask, for example specified with the "*" wildcard:

      table inet testifsets {
        set simple_wild {
          type ifname
          flags interval
          elements = { "abcdef*", "othername", "ppp0" }
        }
        chain v4icmp {
          type filter hook input priority 0; policy accept;
          iifname @simple_wild counter packets 0 bytes 0
          iifname { "abcdef*", "eth0" } counter packets 0 bytes 0
        }
      }

  • Automatic merging of intersecting set elements at runtime. Previously, when the "auto-merge" option was set, merging was performed only at the rule declaration stage; now it also happens when new elements are added at runtime. For example, at the declaration stage the set

      set y {
        flags interval
        auto-merge
        elements = { 1.2.3.0, 1.2.3.255, 1.2.3.0/24, 3.3.3.3, 4.4.4.4, 4.4.4.4-4.4.4.8, 3.3.3.4, 3.3.3.5 }
      }

    is converted into

      elements = { 1.2.3.0/24, 3.3.3.3-3.3.3.5, 4.4.4.4-4.4.4.8 }

    and if new elements are then added with

      # nft add element ip x y { 1.2.3.0-1.2.4.255, 3.3.3.6 }

    the set becomes

      elements = { 1.2.3.0-1.2.4.255, 3.3.3.3-3.3.3.6, 4.4.4.4-4.4.4.8 }

    When an element that falls inside an existing range is removed from the set, the range is shortened or split.
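    To make the auto-merge semantics concrete, here is an added Python model of how an interval set behaves when elements are added and deleted. It is example code written for this article, not nftables' own implementation; the function names and the (first, last) range representation are assumptions. It reproduces the set "y" from the release notes above and then deletes an element to show a range being shortened or split.

```python
"""Model of nftables interval-set auto-merge semantics.

Added example for this article; not nftables' own code. A set is held as a
sorted list of inclusive (first, last) integer pairs. Adding elements merges
overlapping and adjacent ranges; deleting an element shortens or splits the
range that contains it. Function names are assumptions.
"""
import ipaddress

# The set 'y' as declared in the release notes (page values).
DECLARED = ["1.2.3.0", "1.2.3.255", "1.2.3.0/24", "3.3.3.3", "4.4.4.4",
            "4.4.4.4-4.4.4.8", "3.3.3.4", "3.3.3.5"]


def to_range(spec):
    """Parse '1.2.3.4', '1.2.3.0/24' or '1.2.3.4-1.2.4.5' into (first, last) ints."""
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi))
    if "/" in spec:
        net = ipaddress.IPv4Network(spec, strict=False)
        return int(net.network_address), int(net.broadcast_address)
    addr = int(ipaddress.IPv4Address(spec))
    return addr, addr


def fmt_range(first, last):
    """Render a range the way nft prints it: single address, CIDR prefix, or a-b."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if first == last:
        return str(lo)
    nets = list(ipaddress.summarize_address_range(lo, hi))
    if len(nets) == 1:          # range is exactly one aligned prefix
        return str(nets[0])
    return f"{lo}-{hi}"


def auto_merge(ranges):
    """Merge overlapping or adjacent ranges (what the 'auto-merge' flag does)."""
    merged = []
    for first, last in sorted(ranges):
        if merged and first <= merged[-1][1] + 1:      # overlaps or touches
            merged[-1] = (merged[-1][0], max(merged[-1][1], last))
        else:
            merged.append((first, last))
    return merged


def add_elements(ranges, specs):
    """'nft add element': parse the new specs and merge them into the set."""
    return auto_merge(list(ranges) + [to_range(s) for s in specs])


def delete_element(ranges, spec):
    """'nft delete element': a range containing the element is shortened or split."""
    d_first, d_last = to_range(spec)
    out = []
    for first, last in ranges:
        if d_last < first or d_first > last:
            out.append((first, last))            # not affected
            continue
        if first < d_first:
            out.append((first, d_first - 1))     # left remainder
        if d_last < last:
            out.append((d_last + 1, last))       # right remainder
    return out


def render(ranges):
    """Show the set the way 'nft list set' prints its elements."""
    return "{ " + ", ".join(fmt_range(f, l) for f, l in ranges) + " }"


if __name__ == "__main__":
    s = add_elements([], DECLARED)
    print("declared:            ", render(s))
    s = add_elements(s, ["1.2.3.0-1.2.4.255", "3.3.3.6"])
    print("after add:           ", render(s))
    s = delete_element(s, "3.3.3.4")
    print("after delete 3.3.3.4:", render(s))
```

    Running the script prints the two merged forms quoted in the release notes, then shows that deleting 3.3.3.4 splits 3.3.3.3-3.3.3.6 into 3.3.3.3 and 3.3.3.5-3.3.3.6, while deleting an endpoint such as 4.4.4.8 only shortens its range.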

  • Support for merging multiple network address translation (NAT) rules into a map has been added to the rule optimizer, which is invoked when the "-o/--optimize" option is specified. For example, for the ruleset

      # cat ruleset.nft
      table ip x {
        chain y {
          type nat hook postrouting priority srcnat; policy drop;
          ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80
          ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90
        }
      }

    running "nft -o -c -f ruleset.nft" converts the separate "ip saddr" rules into a map:

      snat to ip saddr . tcp dport map { 1.1.1.1 . 8000 : 4.4.4.4 . 80, 2.2.2.2 . 8001 : 5.5.5.5 . 90 }

    Similarly, raw expressions can be converted into a map:

      # cat ruleset.nft
      table ip x {
        […]
        chain nat_dns_acme {
          udp length 47-63 @th,160,128 0x0e373135363130333131303735353203 goto nat_dns_dnstc
          udp length 62-78 @th,160,128 0x0e31393032383939353831343037320e goto nat_dns_this_5301
          udp length 62-78 @th,160,128 0x0e31363436323733373931323934300e goto nat_dns_saturn_5301
          udp length 62-78 @th,160,128 0x0e32393535373539353636383732310e goto nat_dns_saturn_5302
          udp length 62-78 @th,160,128 0x0e38353439353637323038363633390e goto nat_dns_saturn_5303
          drop
        }
      }

    After optimization we get the map:

      udp length . @th,160,128 vmap { 47-63 . 0x0e373135363130333131303735353203 : goto nat_dns_dnstc, 62-78 . 0x0e31393032383939353831343037320e : goto nat_dns_this_5301, 62-78 . 0x0e31363436323733373931323934300e : goto nat_dns_saturn_5301, 62-78 . 0x0e32393535373539353636383732310e : goto nat_dns_saturn_5302, 62-78 . 0x0e38353439353637323038363633390e : goto nat_dns_saturn_5303 }
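    To show what a raw payload key such as "@th,160,128" actually reads from a packet and how the resulting verdict map is consulted, here is an added Python model (example code written for this article, not nftables or kernel code). "@th,160,128" means 128 bits starting 160 bits into the transport header; for UDP that is byte 20, i.e. past the 8-byte UDP header and the 12-byte DNS header, at the start of the DNS question name. The map keys and verdicts are taken from the optimized nat_dns_acme chain above; the query packets are constructed here for illustration, and the function names are assumptions. The same lookup shape applies to the "udp length . @ih,32,32 vmap" concatenation shown further down.

```python
"""Model of an nftables raw payload key ('@th,<offset>,<len>') and a vmap lookup.

Added example for this article, not nftables code. The packet builder and
lookup() are assumptions for illustration; the map entries are the page's.
"""
import struct

# (udp length interval, raw 128-bit key at transport offset 160) -> verdict,
# copied from the optimized nat_dns_acme chain in the release notes.
NAT_DNS_VMAP = [
    ((47, 63), 0x0e373135363130333131303735353203, "goto nat_dns_dnstc"),
    ((62, 78), 0x0e31393032383939353831343037320e, "goto nat_dns_this_5301"),
    ((62, 78), 0x0e31363436323733373931323934300e, "goto nat_dns_saturn_5301"),
    ((62, 78), 0x0e32393535373539353636383732310e, "goto nat_dns_saturn_5302"),
    ((62, 78), 0x0e38353439353637323038363633390e, "goto nat_dns_saturn_5303"),
]


def build_dns_query(labels, src_port=40000, dst_port=53, txid=0x1234):
    """Construct a UDP datagram (UDP header + DNS A query) for the given name labels."""
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    # DNS header: id, flags (RD), qdcount=1, ancount, nscount, arcount
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    udp_len = 8 + len(dns)
    # UDP header: src port, dst port, length, checksum (0 = none)
    return struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + dns


def raw_payload(transport, offset_bits, length_bits):
    """Evaluate '@th,<offset_bits>,<length_bits>' over the transport header bytes.

    Returns the field as an integer, or None when the packet is too short
    (in which case the rule simply does not match).
    """
    if offset_bits % 8 or length_bits % 8:
        raise ValueError("this model handles byte-aligned fields only")
    start, size = offset_bits // 8, length_bits // 8
    field = transport[start:start + size]
    if len(field) < size:
        return None
    return int.from_bytes(field, "big")


def udp_length(transport):
    """The 'udp length' selector: the length field of the UDP header."""
    return struct.unpack("!H", transport[4:6])[0]


def lookup(transport, vmap=NAT_DNS_VMAP, default="drop"):
    """Concatenated key 'udp length . @th,160,128' looked up in the verdict map.

    The kernel uses a hash/interval lookup; a linear scan is enough to model
    the semantics. 'default' stands for the chain falling through to 'drop'.
    """
    length = udp_length(transport)
    key = raw_payload(transport, 160, 128)
    if key is None:
        return default
    for (lo, hi), raw_key, verdict in vmap:
        if lo <= length <= hi and key == raw_key:
            return verdict
    return default


if __name__ == "__main__":
    # Constructed queries: the first label is the 14-byte string encoded in
    # each map key; the following label length byte (0x03 / 0x0e) is part of
    # the 16-byte key as well, so the second label length matters.
    for labels in ([b"71561031107552", b"abc", b"test"],
                   [b"19028995814072", b"abcdefghijklmn", b"example"],
                   [b"zzz", b"example"]):
        pkt = build_dns_query(labels)
        print(b".".join(labels).decode(), udp_length(pkt), lookup(pkt))
```

    The model makes two defender-relevant details visible: the key covers 16 bytes from the question name, so the length byte of the second label is part of the match, and a datagram shorter than 36 bytes never matches because the field cannot be read at all.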

  • Raw expressions may now be used in concatenations. For example:

      # nft add rule x y ip saddr . @ih,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e }

    or

      table x {
        set y {
          typeof ip saddr . @ih,32,32
          elements = { 1.1.1.1 . 0x14 }
        }
      }

  • Added support for specifying header offsets in concatenations:

      table inet t {
        map m1 {
          typeof udp length . @ih,32,32 : verdict
          flags interval
          elements = { 20-80 . 0x14 : accept, 1-10 . 0xa : drop }
        }
        chain c {
          type filter hook input priority 0; policy drop;
          udp length . @ih,32,32 vmap @m1
        }
      }

  • Added support for resetting TCP options (works only with Linux kernel 5.18+):

      tcp flags syn reset tcp option sack-perm

  • Output of the list command ("nft list chain x y") has been sped up.

Source: opennet.ru
