nftables packet filter 1.0.6 released

The release of the packet filter nftables 1.0.6 has been published. It unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridges (aiming to replace iptables, ip6tables, arptables and ebtables). The nftables package contains the packet filter components that run in user space, while the kernel side is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. At the kernel level only a generic, protocol-independent interface is provided, offering basic primitives for extracting data from packets, operating on that data and controlling the flow of evaluation.

The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel over the Netlink interface and executed in the kernel by a special virtual machine resembling BPF (Berkeley Packet Filters). This approach makes it possible to substantially reduce the amount of filtering code running at the kernel level and to move all rule parsing and protocol-handling logic into user space.

Main changes:

  • The ruleset optimizer, enabled with the "-o/--optimize" option, can now merge rules automatically by combining them into maps and sets. For example, the ruleset

        # cat ruleset.nft
        table ip x {
                chain y {
                        type filter hook input priority filter; policy drop;
                        meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
                        meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4 accept
                        meta iifname eth1 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept
                        meta iifname eth1 ip saddr 1.1.1.1-1.1.1.2 ip daddr 2.2.3.0/24 accept
                        meta iifname eth2 ip saddr 1.1.1.2 ip daddr 2.2.4.0-2.2.4.10 accept
                }
        }

    is, after running "nft -o -c -f ruleset.nft", converted as follows:

        Merging:
        ruleset.nft:4:17-74: meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
        ruleset.nft:5:17-74: meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4 accept
        ruleset.nft:6:17-74: meta iifname eth1 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept
        ruleset.nft:7:17-85: meta iifname eth1 ip saddr 1.1.1.1-1.1.1.2 ip daddr 2.2.3.0/24 accept
        ruleset.nft:8:17-83: meta iifname eth2 ip saddr 1.1.1.2 ip daddr 2.2.4.0-2.2.4.10 accept
        into:
                iifname . ip saddr . ip daddr { eth1 . 1.1.1.1 . 2.2.2.3, eth1 . 1.1.1.2 . 2.2.2.4, eth1 . 1.1.1.3 . 2.2.2.5, eth1 . 1.1.1.1-1.1.1.2 . 2.2.3.0/24, eth2 . 1.1.1.2 . 2.2.4.0-2.2.4.10 } accept
  • The optimizer can also convert rules that already use simple anonymous sets into a more compact form. For example, the ruleset

        # cat ruleset.nft
        table ip filter {
                chain input {
                        type filter hook input priority filter; policy drop;
                        iifname "lo" accept
                        ct state established,related accept comment "in our cars we trust"
                        iifname "enp0s31f6" ip saddr { 209.115.181.102, 216.197.228.230 } ip daddr 10.0.0.149 udp sport 123 udp dport 32768-65535 accept
                        iifname "enp0s31f6" ip saddr { 64.59.144.17, 64.59.150.133 } ip daddr 10.0.0.149 udp sport 53 udp dport 32768-65535 accept
                }
        }

    is, after running "nft -o -c -f ruleset.nft", converted as follows:

        Merging:
        ruleset.nft:6:22-149: iifname "enp0s31f6" ip saddr { 209.115.181.102, 216.197.228.230 } ip daddr 10.0.0.149 udp sport 123 udp dport 32768-65535 accept
        ruleset.nft:7:22-143: iifname "enp0s31f6" ip saddr { 64.59.144.17, 64.59.150.133 } ip daddr 10.0.0.149 udp sport 53 udp dport 32768-65535 accept
        into:
                iifname . ip saddr . ip daddr . udp sport . udp dport { enp0s31f6 . 209.115.181.102 . 10.0.0.149 . 123 . 32768-65535, enp0s31f6 . 216.197.228.230 . 10.0.0.149 . 123 . 32768-65535, enp0s31f6 . 64.59.144.17 . 10.0.0.149 . 53 . 32768-65535, enp0s31f6 . 64.59.150.133 . 10.0.0.149 . 53 . 32768-65535 } accept
  • Fixed bytecode generation for concatenations that combine types with different byte order, such as IPv4 addresses (network byte order) and meta mark (host byte order), for example:

        table ip x {
                map w {
                        typeof ip saddr . meta mark : verdict
                        flags interval
                        counter
                        elements = { 127.0.0.1-127.0.0.4 . 0x123434-0xb00122 : accept,
                                     192.168.0.10-192.168.1.20 . 0x0000aa00-0x0000aaff : accept, }
                }
                chain k {
                        type filter hook input priority filter; policy drop;
                        ip saddr . meta mark vmap @w
                }
        }
  • Improved matching of uncommon protocols in raw payload expressions, for example: meta l4proto 91 @th,400,16 0x0 accept
  • Fixed problems when inserting rules that contain intervals, for example: insert rule x y tcp sport { 3478-3497, 16384-16387 } counter accept
  • The JSON API has been extended with support for comments in sets and maps.
  • The nftables Python library has been extended to allow loading a ruleset for processing in validation mode ("-c") and to support externally defined variables.
  • Comments are now allowed in set elements.
  • The byte rate limit now accepts a zero value.
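To make the two optimizer items above concrete, here is an added example (not nftables code, and not from the release notes) that models in Python what "nft -o" does with them: it parses rules built from a small fixed set of selectors, canonicalises "meta iifname" to "iifname", expands anonymous sets such as "{ a, b }" into their cartesian product, and merges each run of consecutive rules that share the same selectors and verdict into one rule over a concatenated set. Only consecutive rules are merged, because a rule with a different verdict between two candidates changes first-match semantics; the "ct state" rule is deliberately outside the supported subset and is passed through untouched. The two rulesets embedded below are the ones from the release notes; the selector list, the parser and the output format are this example's own simplifications.

```python
import re
from itertools import product

VERDICTS = ("accept", "drop")
# Selectors this toy understands; real nft supports far more (assumption of the example).
SELECTORS = ("iifname", "ip saddr", "ip daddr", "udp sport", "udp dport")
TOKEN_RE = re.compile(
    r"\s*(?:meta\s+)?(" + "|".join(re.escape(s) for s in SELECTORS) + r")\s+"
    r'(\{[^}]*\}|"[^"]*"|\S+)'
)


def parse_rule(text):
    """Return (selectors, values, verdict) for a rule made only of supported
    selectors, or None so the caller leaves the rule untouched."""
    text = re.sub(r'\s+comment\s+"[^"]*"\s*$', "", text.strip())
    body, _, verdict = text.rpartition(" ")
    if verdict not in VERDICTS:
        return None
    pos, sels, vals = 0, [], []
    while pos < len(body):
        m = TOKEN_RE.match(body, pos)
        if not m:
            return None  # e.g. "ct state ..." is not in the toy's selector list
        sels.append(m.group(1))
        vals.append(m.group(2).strip('"'))  # nft prints set elements unquoted
        pos = m.end()
    return tuple(sels), tuple(vals), verdict


def expand(value):
    """'{ a, b }' -> ['a', 'b']; a single value, an a-b range or an x/24 prefix
    is kept as one element of the concatenation."""
    if value.startswith("{"):
        return [v.strip() for v in value.strip("{}").split(",") if v.strip()]
    return [value]


def merged_rule(parsed_run):
    """Build one concatenated-set rule from a run of rules with equal selectors."""
    sels, _, verdict = parsed_run[0]
    elements = [
        " . ".join(combo)
        for _, vals, _ in parsed_run
        for combo in product(*(expand(v) for v in vals))
    ]
    return f"{' . '.join(sels)} {{ {', '.join(elements)} }} {verdict}"


def optimize(rules):
    """Merge consecutive rules sharing selectors and verdict, preserving order."""
    out, run = [], []

    def flush():
        if len(run) > 1:
            out.append(merged_rule([p for _, p in run]))
        elif run:
            out.append(run[0][0])
        run.clear()

    for text in rules:
        parsed = parse_rule(text)
        if parsed is None:
            flush()
            out.append(text)
            continue
        if run and (run[-1][1][0], run[-1][1][2]) != (parsed[0], parsed[2]):
            flush()
        run.append((text, parsed))
    flush()
    return out


# Sample input: the two rulesets quoted in the 1.0.6 release notes.
RULESET_ONE = [
    "meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept",
    "meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4 accept",
    "meta iifname eth1 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept",
    "meta iifname eth1 ip saddr 1.1.1.1-1.1.1.2 ip daddr 2.2.3.0/24 accept",
    "meta iifname eth2 ip saddr 1.1.1.2 ip daddr 2.2.4.0-2.2.4.10 accept",
]
RULESET_TWO = [
    'iifname "lo" accept',
    'ct state established,related accept comment "in our cars we trust"',
    'iifname "enp0s31f6" ip saddr { 209.115.181.102, 216.197.228.230 } ip daddr 10.0.0.149 udp sport 123 udp dport 32768-65535 accept',
    'iifname "enp0s31f6" ip saddr { 64.59.144.17, 64.59.150.133 } ip daddr 10.0.0.149 udp sport 53 udp dport 32768-65535 accept',
]

if __name__ == "__main__":
    for ruleset in (RULESET_ONE, RULESET_TWO):
        for line in optimize(ruleset):
            print(line)
        print()
```

Running the script prints the same merged rules that the release notes show for "nft -o -c -f ruleset.nft". A useful check when reviewing optimizer output in production is the one the last assertion below encodes: an accept rule, a drop rule and another accept rule must never collapse into a single set, since that would silently widen what the chain accepts.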

Source: opennet.ru
