Release of the nftables 1.0.0 packet filter

The release of the packet filter nftables 1.0.0 has been published. It unifies the packet filtering interfaces for IPv4, IPv6, ARP and bridges and is intended to replace iptables, ip6tables, arptables and ebtables. The kernel changes that nftables 1.0.0 needs in order to work are included in Linux kernel 5.13. The jump in the major version number is not tied to any fundamental change; it is simply the next step in the sequential decimal numbering (the previous release was 0.9.9).

The nftables package contains the packet filter components that run in user space, while the nf_tables kernel subsystem provides the kernel-level part; it has been included in the Linux kernel since release 3.13. At the kernel level only a generic, protocol-independent interface is provided, offering basic primitives for extracting data from packets, performing operations on that data, and controlling the flow of processing.

The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel through the Netlink interface and executed there in a special virtual machine resembling BPF (Berkeley Packet Filters). This approach makes it possible to significantly reduce the amount of filtering code running at the kernel level and to move all rule parsing and protocol handling logic into user space.

Main new features:

  • Added support for the "*" wildcard element in verdict maps; it matches any packet that is not covered by the other elements defined in the map:

        table x {
            map blocklist {
                type ipv4_addr : verdict
                flags interval
                elements = { 192.168.0.0/16 : accept, 10.0.0.0/8 : accept, * : drop }
            }
            chain y {
                type filter hook prerouting priority 0; policy accept;
                ip saddr vmap @blocklist
            }
        }

  • Variables can now be defined from the command line with the "--define" option:

        # cat test.nft
        table netdev x {
            chain y {
                type filter hook ingress devices = $dev priority 0; policy drop;
            }
        }
        # nft --define dev="{ eth0, eth1 }" -f test.nft

  • Stateful expressions (for example counters) are now allowed in map declarations:

        table inet filter {
            map portmap {
                type inet_service : verdict
                counter
                elements = { 22 counter packets 0 bytes 0 : jump ssh_input, * counter packets 0 bytes 0 : drop }
            }
            chain ssh_input {
            }
            chain wan_input {
                tcp dport vmap @portmap
            }
            chain prerouting {
                type filter hook prerouting priority raw; policy accept;
                iif vmap { "lo" : jump wan_input }
            }
        }

  • Added the "list hooks" command, which shows the handlers registered for a given packet family:

        # nft list hooks ip device eth0
        family ip {
            hook ingress {
                +0000000010 chain netdev x y [nf_tables]
                +0000000300 chain inet m w [nf_tables]
            }
            hook input {
                -0000000100 chain ip a b [nf_tables]
                +0000000300 chain inet m z [nf_tables]
            }
            hook forward {
                -0000000225 selinux_ipv4_forward
                 0000000000 chain ip a c [nf_tables]
            }
            hook output {
                -0000000225 selinux_ipv4_output
            }
            hook postrouting {
                +0000000225 selinux_ipv4_postroute
            }
        }

  • The "queue" statement can now be combined with the jhash, symhash and numgen expressions to distribute packets across user-space queues:

        ... queue to symhash mod 65536
        ... queue flags bypass to numgen inc mod 65536
        ... queue to jhash oif . meta mark mod 32

    "queue" can also be combined with a map to select the user-space queue based on an arbitrary key:

        ... queue flags bypass to oifname map { "eth0" : 0, "ppp0" : 2, "eth1" : 2 }

  • Variables that hold sets can now be expanded inside verdict maps:

        define interfaces = { eth0, eth1 }

        table ip x {
            chain y {
                type filter hook input priority 0; policy accept;
                iifname vmap { lo : accept, $interfaces : drop }
            }
        }
        # nft -f x.nft
        # nft list ruleset
        table ip x {
            chain y {
                type filter hook input priority 0; policy accept;
                iifname vmap { "lo" : accept, "eth0" : drop, "eth1" : drop }
            }
        }

  • Verdict maps (vmaps) can now be combined with concatenations:

        # nft add rule x y tcp dport . ip saddr vmap { 1025-65535 . 192.168.10.2 : accept }

  • Simplified syntax for NAT mappings. An address range can be specified:

        ... snat to ip saddr map { 10.141.11.4 : 192.168.2.2-192.168.2.4 }

    or an explicit IP address and port:

        ... dnat to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 }

    or a combination of an IP range and a port:

        ... dnat to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.2-10.141.10.5 . 8888 }
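As an added illustration (not code from the opennet.ru post or from the nftables project), the following Python script models two of the verdict-map behaviours listed above: the "*" catch-all element in an interval map, using the blocklist from the first item, and the expansion of a defined set such as $interfaces into individual map elements, as in the iifname vmap item. The VerdictMap class, the expand_vmap helper and the sample inputs are assumptions of this model; nftables itself performs these lookups in the kernel, and a lookup miss (no element and no "*") simply means the rule does not match and the chain policy applies.

```python
"""Model of two nftables 1.0.0 verdict-map behaviours (added illustration, not nftables code):
   1. an 'ipv4_addr : verdict' map with 'flags interval' and a '*' catch-all element;
   2. expansion of a '$name' set variable inside a vmap into one element per member."""
import ipaddress
from typing import Dict, List, Optional


class VerdictMap:
    """Hypothetical model of 'map ... { type ipv4_addr : verdict; flags interval; ... }'."""

    def __init__(self, elements: Dict[str, str]) -> None:
        # The '*' element is stored separately: it is consulted only after every interval missed.
        self.catch_all: Optional[str] = elements.get("*")
        self.intervals = [(ipaddress.ip_network(key, strict=False), verdict)
                          for key, verdict in elements.items() if key != "*"]
        # nft rejects overlapping intervals in a set without auto-merge; mirror that check here.
        for i, (a, _) in enumerate(self.intervals):
            for b, _ in self.intervals[i + 1:]:
                if a.overlaps(b):
                    raise ValueError(f"overlapping intervals: {a} and {b}")

    def lookup(self, addr: str) -> Optional[str]:
        """Return the verdict for addr: an explicit interval first, then '*', else None.
        None means 'no match': the rule does not fire and the chain policy decides."""
        ip = ipaddress.ip_address(addr)
        for net, verdict in self.intervals:
            if ip in net:
                return verdict
        return self.catch_all


def expand_vmap(elements: Dict[str, str], defines: Dict[str, List[str]]) -> Dict[str, str]:
    """Expand keys of the form '$name' into one map element per member of the defined set,
    which is what 'nft list ruleset' shows after loading the iifname example above."""
    expanded: Dict[str, str] = {}
    for key, verdict in elements.items():
        if key.startswith("$"):
            for member in defines[key[1:]]:
                expanded[member] = verdict
        else:
            expanded[key] = verdict
    return expanded


# Constructed inputs mirroring the examples in the release notes above.
BLOCKLIST = VerdictMap({"192.168.0.0/16": "accept", "10.0.0.0/8": "accept", "*": "drop"})
DEFINES = {"interfaces": ["eth0", "eth1"]}
IIFNAME_VMAP = expand_vmap({"lo": "accept", "$interfaces": "drop"}, DEFINES)

if __name__ == "__main__":
    for src in ("192.168.5.5", "10.1.2.3", "8.8.8.8"):
        print(f"ip saddr {src} -> {BLOCKLIST.lookup(src)}")
    print("iifname vmap", IIFNAME_VMAP)
```

Running the script shows the two private ranges resolving to accept and any other source address falling through to the "*" element's drop; without a "*" element the same lookup returns None, which is the situation in which a real nft rule would not match at all and the chain's policy would apply.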

Source: opennet.ru
