Release of the nftables packet filter 0.9.4

The release of the packet filter nftables 0.9.4 has been published. It is being developed as a replacement for iptables, ip6tables, arptables and ebtables by unifying the packet-filtering interfaces for IPv4, IPv6, ARP and network bridges. The nftables package contains the packet-filter components that run in user space, while at the kernel level the work is done by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The changes required for the nftables 0.9.4 release to work are included in the upcoming Linux 5.6 kernel branch.

At the kernel level only a generic, protocol-independent interface is provided, offering the basic functions for extracting data from packets, performing operations on that data and controlling flow. The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel through the Netlink interface and executed in the kernel by a special virtual machine reminiscent of BPF (Berkeley Packet Filters). This approach substantially reduces the amount of filtering code running at the kernel level and moves all rule parsing and protocol-handling logic into user space.

Main new features:

  • Support for ranges in concatenations (a concatenation combines several addresses and ports into a single key, which simplifies matching). For example, for a set "whitelist" whose elements are concatenations, specifying the "interval" flag indicates that the set may contain ranges inside the concatenations (for the concatenation "ipv4_addr . ipv4_addr . inet_service" it was previously only possible to list exact matches such as "192.168.10.35 . 192.68.11.123 . 80"; now groups of addresses such as "192.168.10.35-192.168.10.40 . 192.68.11.123-192.168.11.125 . 80" can be specified).

    table ip foo {
        set whitelist {
            type ipv4_addr . ipv4_addr . inet_service
            flags interval
            elements = { 192.168.10.35-192.168.10.40 . 192.68.11.123-192.168.11.125 . 80 }
        }

        chain bar {
            type filter hook prerouting priority filter; policy drop;
            ip saddr . ip daddr . tcp dport @whitelist accept
        }
    }

  • In sets and map lists it is now possible to use the "typeof" directive, which determines the element format from the expression being matched.
    For example:

    table ip foo {
        set whitelist {
            typeof ip saddr
            elements = { 192.168.10.35, 192.168.10.101, 192.168.10.135 }
        }

        chain bar {
            type filter hook prerouting priority filter; policy drop;
            ip daddr @whitelist accept
        }
    }

    table ip foo {
        map addr2mark {
            typeof ip saddr : meta mark
            elements = { 192.168.10.35 : 0x00000001, 192.168.10.135 : 0x00000002 }
        }
    }

  • Added the ability to use concatenations in NAT mappings, which allows addresses and ports to be specified when defining NAT translations based on map lists or named sets:

    nft add rule ip nat pre dnat ip addr . port to ip saddr map { 1.1.1.1 : 2.2.2.2 . 30 }

    nft add map ip nat destinations { type ipv4_addr . inet_service : ipv4_addr . inet_service \; }
    nft add rule ip nat pre dnat ip addr . port to ip saddr . tcp dport map @destinations

  • Support for hardware acceleration of some filtering operations, performed by the network card. Acceleration is enabled through the ethtool utility ("ethtool -K eth0 hw-tc-offload on"), after which it is activated in nftables for a base chain with the "offload" flag. With Linux kernel 5.6, hardware acceleration is supported for matching header fields and checking the incoming interface, in combination with accepting, dropping, duplicating (dup) and forwarding (fwd) packets. In the example below, dropping packets that arrive from the address 192.168.30.20 is performed at the network-card level, without passing the packets to the kernel:

    # cat file.nft
    table netdev x {
        chain y {
            type filter hook ingress device eth0 priority 10; flags offload;
            ip saddr 192.168.30.20 drop
        }
    }
    # nft -f file.nft

  • Improved information about the location of errors in rules.

    # nft delete rule ip yz handle 7
    Error: Could not process rule: No such file or directory
    delete rule ip yz handle 7
                   ^^

    # nft delete rule ip xx handle 7
    Error: Could not process rule: No such file or directory
    delete rule ip xx handle 7
                             ^

    # nft delete table twst
    Error: No such file or directory; did you mean table ‘test’ in family ip?
    delete table twst
                 ^^^^

    The first example shows that the table "yz" does not exist on the system, the second that handle "7" is missing, and the third demonstrates the typo hint given when a table name is mistyped.

  • Added support for checking slave interfaces by specifying "meta sdif" or "meta sdifname":

    ... meta sdifname vrf1 ...

  • Added support for left and right shift operations. For example, to shift the existing packet mark left by 1 bit and set the lowest bit to 1:

    meta mark set meta mark lshift 1 or 0x1

  • Implemented the "-V" option to print extended version information.

    # nft -V
    nftables v0.9.4 (Jive at Five)
      cli: readline
      json: yes
      minigmp: no
      libxtables: yes

  • Command-line options must now be specified before the command. For example, "nft -a list ruleset" must be used; running "nft list ruleset -a" will produce an error.
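The following is an added example, not code from the nftables project or from the article: it models how a set with "flags interval" over the concatenation "ipv4_addr . ipv4_addr . inet_service" (the "whitelist" set above) decides whether a packet matches, and adds a size check that makes an accidentally over-broad element visible. The element syntax and the packet tuple (saddr, daddr, dport) follow the ruleset above; nothing here talks to the kernel.

```python
import ipaddress
import re

def _parse_field(text):
    """Turn '192.168.10.35-192.168.10.40', '192.168.10.35' or '80' into (lo, hi) ints."""
    lo, _, hi = text.strip().partition("-")
    hi = hi or lo                      # a single value is the interval [v, v]
    if "." in lo:                      # ipv4_addr or ipv4_addr range
        return int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi))
    return int(lo), int(hi)            # inet_service (port) or port range

def parse_elements(elements):
    """Parse 'a . b . c' strings as written inside 'elements = { ... }'."""
    parsed = []
    for elem in elements:
        fields = [_parse_field(f) for f in re.split(r"\s+\.\s+", elem.strip())]
        for lo, hi in fields:
            if lo > hi:
                raise ValueError(f"inverted interval in element {elem!r}")
        parsed.append(fields)
    return parsed

def element_size(fields):
    """Number of (saddr, daddr, dport) tuples one element covers. A huge value
    reveals an over-broad whitelist entry, e.g. a typo in one address."""
    size = 1
    for lo, hi in fields:
        size *= hi - lo + 1
    return size

def packet_matches(whitelist, saddr, daddr, dport):
    """True if (ip saddr . ip daddr . tcp dport) falls inside some element:
    every field must lie within that element's interval for that field
    (a per-field box, not a lexicographic range over the whole key)."""
    key = (int(ipaddress.IPv4Address(saddr)), int(ipaddress.IPv4Address(daddr)), dport)
    return any(all(lo <= v <= hi for (lo, hi), v in zip(fields, key))
               for fields in whitelist)

# Constructed sample: the element from the article's whitelist set, as printed there.
WHITELIST = parse_elements(["192.168.10.35-192.168.10.40 . 192.68.11.123-192.168.11.125 . 80"])

if __name__ == "__main__":
    print(packet_matches(WHITELIST, "192.168.10.37", "192.168.11.124", 80))  # True
    print(element_size(WHITELIST[0]))  # 39321618: "192.68" widens the daddr interval
```

Running element_size on each element before loading a ruleset is a cheap way to catch a whitelist entry that admits far more traffic than intended.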

    Source: opennet.ru
