Release of the nftables packet filter 0.9.5

Version 0.9.5 of the nftables packet filter has been released. nftables is developed as a replacement for iptables, ip6tables, arptables and ebtables, unifying the packet-filtering interfaces for IPv4, IPv6, ARP and network bridges. The nftables package contains the packet-filter components that run in user space, while the kernel side is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel changes required for the nftables 0.9.5 release are included in Linux kernel 5.7.

The kernel level provides only a generic, protocol-independent interface offering the basic operations: extracting data from packets, operating on that data, and flow control. The filtering rules and the protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel over the Netlink interface and executed by a special virtual machine reminiscent of BPF (Berkeley Packet Filter). This design keeps the filtering code that runs in the kernel small and moves all rule parsing and protocol-handling logic into user space.

Main new features:

  • Added support for packet and byte traffic counters attached to the elements of sets and maps. The counters are enabled with the "counter" keyword:

    table ip x {
        set y {
            typeof ip saddr
            counter
            elements = { 192.168.10.35, 192.168.10.101, 192.168.10.135 }
        }

        chain z {
            type filter hook output priority filter; policy accept;
            ip daddr @y
        }
    }

  • To set initial counter values, for example to restore the previous counters after a restart, the "nft -f" command can be used:

    # cat ruleset.nft
    table ip x {
        set y {
            typeof ip saddr
            counter
            elements = { 192.168.10.35 counter packets 1 bytes 84, 192.168.10.101 \
                         counter packets 0 bytes 0, 192.168.10.135 counter packets 0 bytes 0 }
        }

        chain z {
            type filter hook output priority filter; policy accept;
            ip daddr @y
        }
    }
    # nft -f ruleset.nft
    # nft list ruleset
    table ip x {
        set y {
            typeof ip saddr
            counter
            elements = { 192.168.10.35 counter packets 1 bytes 84, 192.168.10.101 \
                         counter packets 0 bytes 0, 192.168.10.135 counter packets 0 bytes 0 }
        }

        chain z {
            type filter hook output priority filter; policy accept;
            ip daddr @y
        }
    }

  • Added counter support for flowtables:

    table ip foo {
        flowtable bar {
            hook ingress priority -100
            devices = { eth0, eth1 }
            counter
        }

        chain forward {
            type filter hook forward priority filter;
            flow add @bar counter
        }
    }

    The counters of offloaded flows can be viewed with the "conntrack -L" command:

    tcp 6 src=192.168.10.2 dst=10.0.1.2 sport=47278 dport=5201 packets=9 bytes=608 src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=47278 packets=8 bytes=428 [OFFLOAD] mark=0 secctx=null use=2
    tcp 6 src=192.168.10.2 dst=10.0.1.2 sport=47280 dport=5201 packets=1005763 bytes=44075714753 src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=47280 packets=967505 bytes=50310268 [OFFLOAD] mark=0 secctx=null use=2

  • In sets of concatenations (bundles of, for example, addresses and ports that simplify matching), the "typeof" directive can now be used; it derives the data type of each component of the concatenation from the given expressions:

    table ip foo {
        set whitelist {
            typeof ip saddr . tcp dport
            elements = { 192.168.10.35 . 80, 192.168.10.101 . 80 }
        }

        chain bar {
            type filter hook prerouting priority filter; policy drop;
            ip daddr . tcp dport @whitelist accept
        }
    }

  • The same directive also applies to concatenations in maps:

    table ip foo {
        map addr2mark {
            typeof ip saddr . tcp dport : meta mark
            elements = { 192.168.10.35 . 80 : 0x00000001,
                         192.168.10.135 . 80 : 0x00000002 }
        }

        chain bar {
            type filter hook prerouting priority filter; policy drop;
            meta mark set ip daddr . tcp dport map @addr2mark accept
        }
    }

  • Added support for concatenations in anonymous (unnamed) sets:

    # nft add rule inet filter input ip daddr . tcp dport \
        { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept

  • Ability to reject packets carrying an 802.1q (VLAN) tag in bridge rules:

    # nft add rule bridge foo bar ether type vlan reject with tcp reset

  • Added support for matching on the conntrack entry identifier (ct id). To find out the identifier of a conntrack entry, use the "--output id" option:

    # conntrack -L --output id
    udp 17 18 src=192.168.2.118 dst=192.168.2.1 sport=36424 dport=53 packets=2 bytes=122 src=192.168.2.1 dst=192.168.2.118 sport=53 dport=36424 packets=2 bytes=320 [ASSURED] mark=0 use=1 id=2779986232

    # nft add rule foo bar ct id 2779986232 counter
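The counter-restore item above shows the "elements = { addr counter packets N bytes M }" syntax twice: once in the file fed to "nft -f" and once in the "nft list ruleset" output. The following added example (not code from the nftables project) parses that text form of a set, including concatenation keys such as "192.168.10.35 . 80", and re-emits an nft file that seeds the saved counter values after a reboot. The sample ruleset is constructed to match the listing in the release notes; the set and table names are the ones used there.

```python
"""Round-trip nftables per-element set counters (nftables >= 0.9.5).

Added example, not code from the nftables project: parses the text form of
`nft list ruleset` and emits an `nft -f` file that restores the counters.
"""
import re
from typing import Dict, Tuple

# Constructed sample in the form printed by `nft list ruleset` in 0.9.5.
SAMPLE_RULESET = """\
table ip x {
	set y {
		typeof ip saddr
		counter
		elements = { 192.168.10.35 counter packets 1 bytes 84, 192.168.10.101
			     counter packets 0 bytes 0, 192.168.10.135 counter packets 0 bytes 0 }
	}

	chain z {
		type filter hook output priority filter; policy accept;
		ip daddr @y
	}
}
"""

Counters = Dict[str, Tuple[int, int]]  # element key -> (packets, bytes)


def parse_set_counters(ruleset: str, set_name: str) -> Counters:
    """Return the per-element counters of the named set.

    Elements without a counter clause are reported as (0, 0). Concatenation
    keys ("192.168.10.35 . 80") are kept exactly as nft prints them.
    """
    start = re.search(r"\bset\s+%s\s*\{" % re.escape(set_name), ruleset)
    if start is None:
        raise KeyError(f"set {set_name!r} not found")
    # The elements block never nests braces, so it ends at the first '}'.
    block = re.search(r"elements\s*=\s*\{([^}]*)\}", ruleset[start.end():])
    counters: Counters = {}
    if block is None:
        return counters
    for item in block.group(1).split(","):
        tokens = [t for t in item.split() if t != "\\"]  # drop line continuations
        if not tokens:
            continue
        if "counter" in tokens:
            i = tokens.index("counter")
            key = " ".join(tokens[:i])
            # Expected shape: <key> counter packets <n> bytes <m>
            if tokens[i + 1:i + 2] != ["packets"] or tokens[i + 3:i + 4] != ["bytes"]:
                raise ValueError(f"unexpected counter clause: {item.strip()!r}")
            counters[key] = (int(tokens[i + 2]), int(tokens[i + 4]))
        else:
            counters[" ".join(tokens)] = (0, 0)
    return counters


def render_restore_set(family: str, table: str, set_name: str,
                       key_expr: str, counters: Counters) -> str:
    """Emit a ruleset fragment that re-creates the set with saved counters.

    Loading it with `nft -f`, as in the release notes, seeds the counters.
    `key_expr` is the expression given to `typeof`.
    """
    elems = ", ".join(f"{k} counter packets {p} bytes {b}"
                      for k, (p, b) in counters.items())
    return (
        f"table {family} {table} {{\n"
        f"\tset {set_name} {{\n"
        f"\t\ttypeof {key_expr}\n"
        f"\t\tcounter\n"
        f"\t\telements = {{ {elems} }}\n"
        f"\t}}\n"
        f"}}\n"
    )


if __name__ == "__main__":
    saved = parse_set_counters(SAMPLE_RULESET, "y")
    print(render_restore_set("ip", "x", "y", "ip saddr", saved))
```

In practice the input would come from "nft list set ip x y" and the output would be written to a file loaded at boot with "nft -f"; the parser is deliberately strict about the "counter packets N bytes M" shape so that an unexpected format raises instead of silently restoring zeros.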

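Both the flowtable item and the ct id item above rely on reading "conntrack -L" output by eye. The following added example (not code from conntrack-tools or nftables) parses those entry lines into structured records, separating the original and reply directions, the bracketed flags and the trailing attributes, so that offloaded flows can be summarised and an entry id looked up before it is used in a "ct id" match. The sample lines are constructed after the listings in the release notes.

```python
"""Parse `conntrack -L` entry lines into structured records (added example).

Not code from conntrack-tools or nftables. Handles the plain lines shown for
flowtable-offloaded entries and the `--output id` lines carrying `id=`.
"""
import re
from typing import Dict, List, Optional

# Constructed sample lines in the format printed by `conntrack -L`; the
# second one carries the entry id added by `conntrack -L --output id`.
SAMPLE_CONNTRACK = """\
tcp      6 src=192.168.10.2 dst=10.0.1.2 sport=47278 dport=5201 packets=9 bytes=608 src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=47278 packets=8 bytes=428 [OFFLOAD] mark=0 secctx=null use=2
udp      17 18 src=192.168.2.118 dst=192.168.2.1 sport=36424 dport=53 packets=2 bytes=122 src=192.168.2.1 dst=192.168.2.118 sport=53 dport=36424 packets=2 bytes=320 [ASSURED] mark=0 use=1 id=2779986232
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
FLAG_RE = re.compile(r"\[([A-Z_]+)\]")
# Keys printed once per direction: first occurrence is the original
# direction, second occurrence the reply direction.
DIRECTIONAL = {"src", "dst", "sport", "dport", "packets", "bytes"}


def _value(raw: str):
    return int(raw) if raw.isdigit() else raw


def parse_conntrack_line(line: str) -> Dict[str, object]:
    """Parse "<proto> <protonum> [timeout/state...] key=value ... [FLAG] ...".

    Tokens before the key=value pairs that are not pairs (timeout, TCP state)
    are collected under "extra" rather than guessed at.
    """
    tokens = line.split()
    entry: Dict[str, object] = {
        "proto": tokens[0], "protonum": int(tokens[1]),
        "orig": {}, "reply": {}, "flags": [], "attrs": {}, "extra": [],
    }
    for tok in tokens[2:]:
        flag = FLAG_RE.fullmatch(tok)
        if flag:
            entry["flags"].append(flag.group(1))
            continue
        kv = KV_RE.fullmatch(tok)
        if kv is None:
            entry["extra"].append(tok)
            continue
        key, val = kv.group(1), _value(kv.group(2))
        if key in DIRECTIONAL:
            side = entry["orig"] if key not in entry["orig"] else entry["reply"]
            side[key] = val
        else:
            entry["attrs"][key] = val
    return entry


def parse_conntrack(text: str) -> List[Dict[str, object]]:
    return [parse_conntrack_line(ln) for ln in text.splitlines() if ln.strip()]


def offloaded_bytes(entries: List[Dict[str, object]]) -> int:
    """Total bytes in both directions over entries the flowtable offloaded."""
    return sum(e["orig"].get("bytes", 0) + e["reply"].get("bytes", 0)
               for e in entries if "OFFLOAD" in e["flags"])


def find_by_id(entries: List[Dict[str, object]], ct_id: int) -> Optional[Dict[str, object]]:
    """Locate the entry whose `id=` matches, e.g. before writing a `ct id` rule."""
    for e in entries:
        if e["attrs"].get("id") == ct_id:
            return e
    return None


if __name__ == "__main__":
    entries = parse_conntrack(SAMPLE_CONNTRACK)
    print("offloaded bytes:", offloaded_bytes(entries))
    print("entry 2779986232:", find_by_id(entries, 2779986232))
```

Feeding it live data is a matter of piping "conntrack -L --output id" into the parser; the "extra" list keeps the timeout and TCP state fields that conntrack prints between the protocol number and the first key=value pair, so lines from other kernel versions still parse.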
Source: opennet.ru
