The packet filter nftables 1.0.5 has been released. It unifies the packet-filtering interfaces for IPv4, IPv6, ARP and bridges and is intended to replace iptables, ip6tables, arptables and ebtables. At the same time a release of the companion library libnftnl 1.2.3 was published; it provides the low-level API for interacting with the nf_tables subsystem.
The nftables package contains the parts of the packet filter that run in user space, while the kernel side is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. At the kernel level only a generic, protocol-independent interface is provided, offering the basic operations of extracting data from packets, operating on that data and controlling the flow of execution.
The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel over the Netlink interface and executed inside the kernel by a special virtual machine reminiscent of BPF (Berkeley Packet Filters). This approach greatly reduces the amount of filtering code running at the kernel level and moves all rule parsing and protocol-handling logic into user space.
Main changes:
- In the rule optimizer, invoked with the "-o/--optimize" option, problems with merging rules that use sets and maps into dictionaries have been fixed. Together with "-c" (check mode) the optimizer reports what it would merge without loading the ruleset, so the rewritten rules can be reviewed first:

    # cat ruleset.nft
    table ip x {
     chain y {
      type nat hook postrouting priority srcnat; policy drop;
      ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80
      ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90
     }
    }
    # nft -o -c -f ruleset.nft
    Merging:
    ruleset.nft:4:3-52: ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80
    ruleset.nft:5:3-52: ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90
    into:
    snat to ip saddr . tcp dport map { 1.1.1.1 . 8000 : 4.4.4.4 . 80, 2.2.2.2 . 8001 : 5.5.5.5 . 90 }
- Dynamic sets that are populated from the packet path may now be keyed on a combination of ethernet and vlan fields:

    add table netdev x
    add chain netdev x y { type filter hook ingress device enp0s25 priority 0; }
    add set netdev x macset { typeof ether daddr . vlan id; flags dynamic,timeout; }
    add rule netdev x y update @macset { ether daddr . vlan id timeout 60s }
    add rule netdev x y ether saddr . vlan id { 0a:0b:0c:0d:0e:0f . 42, 0a:0b:0c:0d:0e:0f . 4095 } counter accept
- Fixed the listing of rules that contain maps with wildcards in interface names:

    table inet filter {
     chain INPUT {
      iifname vmap { "eth0" : jump input_lan, "wg*" : jump input_vpn }
     }
     chain input_lan {}
     chain input_vpn {}
    }
- Fixed a regression that caused valid rules to be rejected with a syntax error.
- Fixed problems with incremental updates and automerge of large sets whose elements are ranges.
- Fixed a crash when adding an element with incorrect notation.
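The following is an added example; it is not part of the opennet.ru article or of the nftables release notes. It combines two of the items above into one loadable ruleset: a netdev ingress chain whose dynamic set is keyed on the ether saddr . vlan id concatenation (filled from the packet path with update and then checked against a static allowlist of the same type), and an inet filter chain that dispatches by interface name through a vmap with a wildcard entry. The interface name enp0s25, the MAC addresses, VLAN ids 10 and 20 and the port numbers are assumptions chosen for illustration. It can be syntax-checked without loading with "nft -c -f learn.nft".

```nft
#!/usr/sbin/nft -f
# Added example (not from the nftables release notes). Interface enp0s25,
# the MAC addresses, VLAN ids 10/20 and the ports are assumptions.
# Check without loading: nft -c -f learn.nft   Load: nft -f learn.nft

flush ruleset

table netdev learn {
    # Dynamic set keyed on (source MAC . VLAN id). flags dynamic,timeout let
    # the packet path insert entries, which expire after the default timeout.
    set seen {
        typeof ether saddr . vlan id
        flags dynamic,timeout
        timeout 5m
        size 65535
    }

    # Static allowlist of (MAC . VLAN) pairs permitted on this port.
    set allowed {
        typeof ether saddr . vlan id
        elements = { 0a:0b:0c:0d:0e:0f . 10,
                     0a:0b:0c:0d:0e:10 . 20 }
    }

    chain ingress {
        type filter hook ingress device enp0s25 priority 0; policy accept;

        # Untagged frames carry no vlan id to key on: count and drop them.
        ether type != vlan counter drop

        # Learn the pair (or refresh its timeout) on every tagged frame,
        # before the allowlist check so that rejected pairs are recorded too.
        update @seen { ether saddr . vlan id timeout 5m }

        # Pairs that are not on the allowlist are counted and dropped.
        ether saddr . vlan id != @allowed counter drop
    }
}

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iif lo accept
        # Verdict map with a wildcard interface name: every wg* interface
        # is dispatched to input_vpn, eth0 to input_lan; anything else
        # falls through to the chain policy (drop).
        iifname vmap { "eth0" : jump input_lan, "wg*" : jump input_vpn }
    }
    chain input_lan {
        tcp dport { 22, 443 } accept
    }
    chain input_vpn {
        tcp dport 22 accept
    }
}
```

Because the learning rule runs before the allowlist check, "nft list set netdev learn seen" shows every (MAC, VLAN) pair that was active on the port in the last five minutes, including pairs that were dropped; "nft list chain netdev learn ingress" shows the drop counters. The allowlist is a plain static set of the same typeof, so entries can be added at runtime with "nft add element netdev learn allowed { ... }" without reloading the ruleset.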
Source: opennet.ru
