nftables packet filter 1.0.7 released

The release of the nftables 1.0.7 packet filter has been published. It unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridges (it aims to replace iptables, ip6tables, arptables and ebtables). The nftables package contains the packet filter components that run in user space, while the kernel-level part is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. At the kernel level only a generic, protocol-independent interface is provided, offering basic functions for extracting data from packets, performing operations on that data and controlling flow.

The filtering rules themselves and the protocol-specific handlers are compiled in user space into bytecode; this bytecode is then loaded into the kernel over the Netlink interface and executed in the kernel by a special virtual machine resembling BPF (Berkeley Packet Filter). This approach makes it possible to significantly reduce the size of the filtering code running at the kernel level and to move all of the rule parsing and protocol-handling logic into user space.

Major changes:

  • On systems with a Linux 6.2+ kernel, support for matching the vxlan, geneve, gre and gretap protocols has been added, allowing simple rules to inspect the headers of encapsulated packets. For example, to check the IP address in the header of a packet encapsulated in VxLAN, you can now use rules like the following (without first having to de-encapsulate the VxLAN header and bind the filter to the vxlan0 interface):

        ... udp dport 4789 vxlan ip protocol udp
        ... udp dport 4789 vxlan ip saddr 1.2.3.0/24
        ... udp dport 4789 vxlan ip saddr . vxlan ip daddr { 1.2.3.4 . 4.3.2.1 }

  • Support for automatically merging the remaining elements after a partial deletion from a set, which makes it possible to delete individual elements or part of a range of existing elements (previously a range could only be deleted as a whole). For example, after deleting element 25 from a set with the ranges 24-30 and 40-50, the set will contain 24, 26-30 and 40-50. The kernel fixes required for auto-merge to work will be included in the upcoming corrective releases of the 5.10+ stable kernel branches.

        # nft list ruleset
        table ip x {
                set y {
                        typeof tcp dport
                        flags interval
                        auto-merge
                        elements = { 24-30, 40-50 }
                }
        }
        # nft delete element ip x y { 25 }
        # nft list ruleset
        table ip x {
                set y {
                        typeof tcp dport
                        flags interval
                        auto-merge
                        elements = { 24, 26-30, 40-50 }
                }
        }

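The interval behaviour described above, written out as a small model in Python. This is an added example, not code from the nftables project or from the announcement: it models an interval set with the auto-merge flag (overlapping and adjacent ranges are coalesced) and the partial deletion of one value, which splits the range containing it; a missing value raises KeyError, mirroring the ENOENT that a delete of an absent element reports. The element syntax it parses and prints is the one shown in the listing above.

```python
# Added example (not part of nftables or this announcement): a model of how an
# nftables interval set with the auto-merge flag behaves, including the
# partial deletion of a single value from a range described above.
from typing import List, Tuple

Interval = Tuple[int, int]  # inclusive start, inclusive end


def parse_elements(spec: str) -> List[Interval]:
    """Parse an element list in nft syntax, e.g. '24-30, 40-50', into intervals."""
    intervals: List[Interval] = []
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        if "-" in token:
            lo, hi = token.split("-", 1)
            intervals.append((int(lo), int(hi)))
        else:
            intervals.append((int(token), int(token)))
    return intervals


def auto_merge(intervals: List[Interval]) -> List[Interval]:
    """Coalesce overlapping and adjacent intervals, as the auto-merge flag does."""
    merged: List[Interval] = []
    for lo, hi in sorted(intervals):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def delete_element(intervals: List[Interval], value: int) -> List[Interval]:
    """Remove one value, splitting the range that contains it.

    Raises KeyError when the value is not in the set, mirroring the ENOENT
    that 'nft delete element' reports for a missing element."""
    result: List[Interval] = []
    found = False
    for lo, hi in intervals:
        if lo <= value <= hi:
            found = True
            if lo < value:
                result.append((lo, value - 1))
            if value < hi:
                result.append((value + 1, hi))
        else:
            result.append((lo, hi))
    if not found:
        raise KeyError(value)
    return result


def format_elements(intervals: List[Interval]) -> str:
    """Render intervals back in nft element syntax."""
    return ", ".join(str(lo) if lo == hi else f"{lo}-{hi}" for lo, hi in intervals)


if __name__ == "__main__":
    current = auto_merge(parse_elements("24-30, 40-50"))
    print("before:", format_elements(current))
    print("after deleting 25:", format_elements(delete_element(current, 25)))
```

Running the block reproduces the listing above: the set starts as 24-30, 40-50 and ends as 24, 26-30, 40-50 after deleting 25. The same helpers show why auto-merge matters when ranges are added piecemeal: 24-30 and 31-35 collapse into a single 24-35 entry, so a delete of 32 later splits one interval rather than leaving two overlapping ones.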
  • Concatenations and ranges are now allowed in network address translation (NAT) maps:

        table ip nat {
                chain prerouting {
                        type nat hook prerouting priority dstnat; policy accept;
                        dnat to ip daddr . tcp dport map { 10.1.1.136 . 80 : 1.1.2.69 . 1024, 10.1.1.10-10.1.1.20 . 8888-8889 : 1.1.2.69 . 2048-2049 } persistent
                }
        }

  • Added support for the "last" statement, which lets you find out when a rule or set element was last used. This feature has been supported since Linux kernel 5.14.

        table ip x {
                set y {
                        typeof ip daddr . tcp dport
                        size 65535
                        flags dynamic,timeout
                        last
                        timeout 1h
                }

                chain z {
                        type filter hook output priority filter; policy accept;
                        update @y { ip daddr . tcp dport }
                }
        }
        # nft list set ip x y
        table ip x {
                set y {
                        typeof ip daddr . tcp dport
                        size 65535
                        flags dynamic,timeout
                        last
                        timeout 1h
                        elements = { 172.217.17.14 . 443 last used 1s591ms timeout 1h expires 59m58s409ms,
                                     172.67.69.19 . 443 last used 4s636ms timeout 1h expires 59m55s364ms,
                                     142.250.201.72 . 443 last used 4s748ms timeout 1h expires 59m55s252ms,
                                     172.67.70.134 . 443 last used 4s688ms timeout 1h expires 59m55s312ms,
                                     35.241.9.150 . 443 last used 5s204ms timeout 1h expires 59m54s796ms,
                                     138.201.122.174 . 443 last used 4s537ms timeout 1h expires 59m55s463ms,
                                     34.160.144.191 . 443 last used 5s205ms timeout 1h expires 59m54s795ms,
                                     130.211.23.194 . 443 last used 4s436ms timeout 1h expires 59m55s564ms }
                }
        }

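The "last used" annotations above are only useful if something reads them, so here is an added example (not part of nftables or the announcement) that parses a listing of this shape and reports which dynamic-set entries have gone idle. It assumes the listing format exactly as printed by nft list set above; the sample text is constructed from the values on this page and is not live output. The duration parser accepts the h/m/s/ms components nft uses, and the idle check also confirms the invariant visible in the listing: timeout minus expires equals last used.

```python
# Added example (not part of nftables or this announcement): parse the
# 'last used ... timeout ... expires ...' element annotations from an
# 'nft list set' listing and flag entries idle for longer than a threshold.
import re
from typing import List, NamedTuple

# Constructed sample shaped like the 'nft list set ip x y' output above.
SAMPLE_LISTING = """\
table ip x {
        set y {
                typeof ip daddr . tcp dport
                size 65535
                flags dynamic,timeout
                last
                timeout 1h
                elements = { 172.217.17.14 . 443 last used 1s591ms timeout 1h expires 59m58s409ms,
                             172.67.69.19 . 443 last used 4s636ms timeout 1h expires 59m55s364ms,
                             35.241.9.150 . 443 last used 5s204ms timeout 1h expires 59m54s796ms }
        }
}
"""

_DURATION_PART = re.compile(r"(\d+)(ms|h|m|s)")  # 'ms' must be tried before 'm'
_UNIT_MS = {"h": 3_600_000, "m": 60_000, "s": 1_000, "ms": 1}

_ELEMENT = re.compile(
    r"(?P<addr>\d+\.\d+\.\d+\.\d+) \. (?P<port>\d+) "
    r"last used (?P<last>[\dhms]+) timeout (?P<timeout>[\dhms]+) "
    r"expires (?P<expires>[\dhms]+)"
)


class Element(NamedTuple):
    addr: str
    port: int
    last_used_ms: int
    timeout_ms: int
    expires_ms: int


def parse_duration_ms(text: str) -> int:
    """Convert an nft duration such as '59m58s409ms' or '1h' to milliseconds."""
    total = 0
    pos = 0
    for match in _DURATION_PART.finditer(text):
        if match.start() != pos:  # reject stray characters between components
            raise ValueError(f"malformed duration: {text!r}")
        total += int(match.group(1)) * _UNIT_MS[match.group(2)]
        pos = match.end()
    if pos == 0 or pos != len(text):
        raise ValueError(f"malformed duration: {text!r}")
    return total


def parse_elements(listing: str) -> List[Element]:
    """Extract every 'addr . port last used ...' element from a set listing."""
    return [
        Element(
            m["addr"],
            int(m["port"]),
            parse_duration_ms(m["last"]),
            parse_duration_ms(m["timeout"]),
            parse_duration_ms(m["expires"]),
        )
        for m in _ELEMENT.finditer(listing)
    ]


def idle_elements(elements: List[Element], idle_threshold_ms: int) -> List[Element]:
    """Return elements whose last use is at least idle_threshold_ms ago."""
    return [e for e in elements if e.last_used_ms >= idle_threshold_ms]


def timers_consistent(elements: List[Element]) -> bool:
    """True when every element satisfies timeout - expires == last used."""
    return all(e.timeout_ms - e.expires_ms == e.last_used_ms for e in elements)


if __name__ == "__main__":
    parsed = parse_elements(SAMPLE_LISTING)
    for e in idle_elements(parsed, 5_000):
        print(f"{e.addr}:{e.port} idle for {e.last_used_ms} ms")
```

With a five-second threshold the sample reports only 35.241.9.150:443. Feeding the real command output (for example from `nft list set ip x y`) through parse_elements gives a cheap way to audit a dynamic set without waiting for the 1h timeout to expire entries on its own.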
  • Added the ability to define quotas in sets. For example, to control traffic to each destination IP address you can specify:

        table netdev x {
                set y {
                        typeof ip daddr
                        size 65535
                        quota over 10000 mbytes
                }

                chain y {
                        type filter hook egress device "eth0" priority filter; policy accept;
                        ip daddr @y drop
                }
        }
        # nft add element inet x y { 8.8.8.8 }
        # ping -c 2 8.8.8.8
        # nft list ruleset
        table netdev x {
                set y {
                        type ipv4_addr
                        size 65535
                        quota over 10000 mbytes
                        elements = { 8.8.8.8 quota over 10000 mbytes used 196 bytes }
                }

                chain y {
                        type filter hook egress device "eth0" priority filter; policy accept;
                        ip daddr @y drop
                }
        }

  • Constants can now be used in set keys. For example, when a set keyed on an address and a VLAN ID is used, the VLAN number can be given directly (daddr . 123):

        table netdev t {
                set s {
                        typeof ether saddr . vlan id
                        size 2048
                        flags dynamic,timeout
                        timeout 1m
                }

                chain c {
                        type filter hook ingress device eth0 priority 0; policy accept;
                        ether type != 8021q update @s { ether daddr . 123 } counter
                }
        }

  • A new "destroy" command has been added for unconditionally deleting objects (unlike the delete command, it does not produce ENOENT when asked to delete a missing object). It requires at least a Linux 6.3-rc kernel.

        destroy table ip filter

Source: opennet.ru
