nftables packet filter 0.9.9 released

The nftables 0.9.9 packet filter has been released. It unifies the packet-filtering interfaces for IPv4, IPv6, ARP and network bridges (it is designed as a replacement for iptables, ip6tables, arptables and ebtables). The accompanying libnftnl 1.2.0 library, which provides the low-level API for interacting with the nf_tables subsystem, was released at the same time. The kernel changes required by nftables 0.9.9 are included in Linux 5.13-rc1.

The nftables package contains the packet-filter components that run in user space, while the kernel-side functionality is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel level offers only a generic, protocol-independent interface with basic primitives for extracting data from packets, performing operations on that data and controlling flow.

The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space; that bytecode is then loaded into the kernel through the Netlink interface and executed there by a special virtual machine reminiscent of BPF (Berkeley Packet Filters). This approach greatly reduces the amount of filtering code running at kernel level and moves all rule parsing and protocol-handling logic into user space.

Main changes:

  • Implemented the ability to offload flowtable processing to the network adapter, enabled with the 'offload' flag. A flowtable is a mechanism for speeding up packet forwarding: the full rule-processing pipeline is applied only to the first packet of a flow, and all subsequent packets of that flow are forwarded directly.

        table ip global {
            flowtable f {
                hook ingress priority filter + 1
                devices = { lan3, lan0, wan }
                flags offload
            }
            chain forward {
                type filter hook forward priority filter; policy accept;
                ip protocol { tcp, udp } flow add @f
            }
            chain post {
                type nat hook postrouting priority filter; policy accept;
                oifname "wan" masquerade
            }
        }

  • Added support for setting the 'owner' flag on a table, which ensures the table is used by a single process only. When that process terminates, the table bound to it is deleted automatically. Information about the process is shown in the ruleset listing as a comment:

        table ip x {   # progname nft
            flags owner

            chain y {
                type filter hook input priority filter; policy accept;
                counter packets 1 bytes 309
            }
        }

  • Added support for the IEEE 802.1ad specification (VLAN stacking, or QinQ), which defines how several VLAN tags are nested inside a single Ethernet frame. For example, to match an outer Ethernet frame of type 8021ad with vlan id 342, the following construct can be used:

        ... ether type 8021ad vlan id 342

    and to match an outer Ethernet frame of type 8021ad/vlan id 1, a nested 802.1q/vlan id 2, and an encapsulated IP packet after that:

        ... ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip counter

  • Added support for matching on the cgroups v2 unified hierarchy. The main difference between cgroups v2 and v1 is a single unified hierarchy for all resource types, instead of separate hierarchies for CPU allocation, memory-consumption regulation and I/O. For example, to check whether the socket's ancestor at level 1 of the cgroupv2 hierarchy matches the "system.slice" mask:

        ... socket cgroupv2 level 1 "system.slice"

  • Added the ability to match on the contents of SCTP packet chunks (requires kernel support that will appear in Linux 5.14). For example, to check whether a packet contains a chunk of type 'data', and to match the 'type' field of such a chunk:

        ... sctp chunk data exists
        ... sctp chunk data type 0

  • Loading rules with the "-f" flag has been made roughly twice as fast. Ruleset listing output has also been optimised.

  • A compact form for checking whether flags are set. For example, to check that the snat and dnat status bits are not set:

        ... ct status ! snat,dnat

    to check that the syn bit is set within the bitmask syn,ack (syn set, ack clear):

        ... tcp flags syn / syn,ack

    and to check the fin and rst bits within the bitmask syn,ack,fin,rst (only fin and rst set):

        ... tcp flags == fin,rst / syn,ack,fin,rst

  • The "verdict" keyword is now allowed in typeof definitions of set/map types:

        add map xm { typeof iifname . ip protocol . th dport : verdict; }
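The 802.1ad item above matches on a stack of VLAN tags: the outer tag's ethertype, its VLAN ID, the inner tag's ethertype and ID, and finally the ethertype of the encapsulated payload. The following parser is an added example, not code from the nftables project or from the article; it walks that tag stack in the same order and reproduces the "ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip" test in Python. The frames it operates on are constructed inline (the MAC addresses and payload are arbitrary filler).

```python
import struct

# Added example (not from the nftables project or the article): a parser for
# stacked VLAN tags, mirroring what the "ether type ... vlan type ..." matches
# above inspect. The frames below are constructed for the demonstration.

ETH_P_8021Q = 0x8100    # IEEE 802.1Q customer tag (nft: 8021q)
ETH_P_8021AD = 0x88A8   # IEEE 802.1ad service/provider tag (nft: 8021ad)
ETH_P_IP = 0x0800


def parse_vlan_stack(frame: bytes):
    """Walk the tag stack of an Ethernet frame.

    Returns (tags, payload_ethertype): tags is a list of (tag_type, vlan_id)
    from outermost to innermost; payload_ethertype is the type of whatever
    follows the last tag (e.g. 0x0800 for IPv4).
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset = 14
    tags = []
    while ethertype in (ETH_P_8021Q, ETH_P_8021AD):
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tci, next_type = struct.unpack_from("!HH", frame, offset)
        tags.append((ethertype, tci & 0x0FFF))  # low 12 bits of the TCI = VLAN ID
        ethertype = next_type
        offset += 4
    return tags, ethertype


def matches_qinq(frame: bytes, outer_id: int, inner_id: int,
                 payload_type: int = ETH_P_IP) -> bool:
    """Equivalent of:
    ether type 8021ad vlan id <outer> vlan type 8021q vlan id <inner> vlan type ip
    """
    tags, final_type = parse_vlan_stack(frame)
    return (len(tags) == 2
            and tags[0] == (ETH_P_8021AD, outer_id)
            and tags[1] == (ETH_P_8021Q, inner_id)
            and final_type == payload_type)


def build_frame(tags, payload_type: int, payload: bytes = b"\x00" * 20) -> bytes:
    """Constructed test frame: dst MAC, src MAC, the tag stack, then payload."""
    dst = bytes.fromhex("001122334455")   # arbitrary constructed addresses
    src = bytes.fromhex("006677889 9aa".replace(" ", ""))
    types = [t for t, _ in tags] + [payload_type]
    out = dst + src + struct.pack("!H", types[0])
    for i, (_, vid) in enumerate(tags):
        out += struct.pack("!HH", vid, types[i + 1])   # TCI (PCP/DEI = 0), next type
    return out + payload


if __name__ == "__main__":
    qinq = build_frame([(ETH_P_8021AD, 1), (ETH_P_8021Q, 2)], ETH_P_IP)
    print(parse_vlan_stack(qinq))       # ([(0x88A8, 1), (0x8100, 2)], 0x0800)
    print(matches_qinq(qinq, 1, 2))     # True
```

Because the walk stops at the first non-VLAN ethertype, a frame with a single 8021ad tag yields one tag and does not satisfy the two-tag match, just as the single-tag "ether type 8021ad vlan id 342" rule and the QinQ rule are distinct in nft.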
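The compact flag-matching item above packs three different semantics into one syntax: a bare list means "any of these bits set", a leading "!" means "none of them set", and "a / mask" (optionally with "==") means "within the mask, exactly a is set". The evaluator below is an added example, not part of nftables or the article; it implements those three forms over constructed TCP flag bytes and conntrack status words so the rules in the text can be checked against sample values. The ct status bit positions are the kernel's IPS_*_BIT values, which is an assumption about what nft exposes rather than something the article states.

```python
# Added example (not part of the nftables project or the article): a small
# evaluator for the flag-matching forms described above, run over constructed
# TCP flag bytes and conntrack status words.

TCP_FLAGS = {
    "fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08,
    "ack": 0x10, "urg": 0x20, "ecn": 0x40, "cwr": 0x80,
}

# ct status bits; positions follow the kernel's IPS_*_BIT definitions
# (nf_conntrack_common.h), assumed here to be what nft's "ct status" exposes.
CT_STATUS = {
    "expected": 1 << 0, "seen-reply": 1 << 1, "assured": 1 << 2,
    "confirmed": 1 << 3, "snat": 1 << 4, "dnat": 1 << 5, "dying": 1 << 9,
}


def bits(names: str, table: dict) -> int:
    """Turn 'syn,ack' into the OR of the named bits."""
    value = 0
    for name in names.split(","):
        name = name.strip()
        if name:
            value |= table[name]   # KeyError for an unknown flag name
    return value


def flags_match(value: int, expr: str, table: dict) -> bool:
    """Evaluate an nft-style flags expression against a bit field.

    Forms handled (the ones shown in the release notes above):
      "a,b"          any of a,b set:            (value & {a,b}) != 0
      "! a,b"        none of a,b set:           (value & {a,b}) == 0
      "a / m"        within mask m, exactly a:  (value & m) == a
      "== a / m"     same as "a / m" with an explicit comparison
    A leading "!" negates whichever form follows it.
    """
    expr = expr.strip()
    negate = expr.startswith("!")
    if negate:
        expr = expr[1:].strip()
    if expr.startswith("=="):
        expr = expr[2:].strip()
    if "/" in expr:
        want_s, mask_s = expr.split("/", 1)
        want, mask = bits(want_s, table), bits(mask_s, table)
        if want & ~mask:
            raise ValueError("flags to match must be a subset of the mask")
        result = (value & mask) == want
    else:
        result = (value & bits(expr, table)) != 0
    return result != negate


def tcp(*names: str) -> int:
    """Constructed TCP flag byte built from flag names (demo helper)."""
    return bits(",".join(names), TCP_FLAGS)


if __name__ == "__main__":
    print(flags_match(tcp("syn"), "syn / syn,ack", TCP_FLAGS))             # True
    print(flags_match(tcp("syn", "ack"), "syn / syn,ack", TCP_FLAGS))      # False
    print(flags_match(CT_STATUS["confirmed"], "! snat,dnat", CT_STATUS))   # True
```

The subset check in the masked form matters in practice: a rule such as "syn / ack" could never match, and nft rejects it at load time for the same reason.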

Source: opennet.ru
