Release of the nftables packet filter 1.0.6

Version 1.0.6 of the nftables packet filter has been published. nftables unifies the packet-filtering interfaces for IPv4, IPv6, ARP and network bridges, and is intended to replace iptables, ip6tables, arptables and ebtables. The nftables package contains the packet-filter components that run in user space, while kernel-level functionality is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel side exposes only a generic, protocol-independent interface offering basic operations for extracting data from packets, operating on that data, and controlling the flow of execution.

The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space; that bytecode is then loaded into the kernel over the Netlink interface and executed there in a special virtual machine resembling BPF (Berkeley Packet Filters). This approach significantly reduces the amount of filtering code that runs at the kernel level and moves all rule parsing and protocol-handling logic into user space.

Main changes:

  • The rule optimizer, invoked with the "-o/--optimize" option, can now merge rules automatically by combining them and converting them into maps and lists. For example, the ruleset

        # cat ruleset.nft
        table ip x {
          chain y {
            type filter hook input priority filter; policy drop;
            meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
            meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4 accept
            meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.3.0/24 accept
            meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.4.0-2.2.4.10 accept
            meta iifname eth2 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept
          }
        }

    is, after running "nft -o -c -f ruleset.nft", transformed as follows:

        ruleset.nft:4:17-74: meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
        ruleset.nft:5:17-74: meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4 accept
        ruleset.nft:6:17-77: meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.3.0/24 accept
        ruleset.nft:7:17-83: meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.4.0-2.2.4.10 accept
        ruleset.nft:8:17-74: meta iifname eth2 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept
        into:
        iifname . ip saddr . ip daddr { eth1 . 1.1.1.1 . 2.2.2.3, eth1 . 1.1.1.2 . 2.2.2.4, eth1 . 1.1.1.2 . 2.2.3.0/24, eth1 . 1.1.1.2 . 2.2.4.0-2.2.4.10, eth2 . 1.1.1.3 . 2.2.2.5 } accept

  • The optimizer can also rewrite rules that use simple entries into a more compact form. For example, the ruleset

        # cat ruleset.nft
        table ip filter {
          chain input {
            type filter hook input priority filter; policy drop;
            iifname "lo" accept
            ct state established,related accept comment "Traffic originated from us, we trust it"
            iifname "enp0s31f6" ip saddr { 209.115.181.102, 216.197.228.230 } ip daddr 10.0.0.149 udp sport 123 udp dport 32768-65535 accept
            iifname "enp0s31f6" ip saddr { 64.59.144.17, 64.59.150.133 } ip daddr 10.0.0.149 udp sport 53 udp dport 32768-65535 accept
          }
        }

    is transformed into:

        ruleset.nft:6:22-149: iifname "enp0s31f6" ip saddr { 209.115.181.102, 216.197.228.230 } ip daddr 10.0.0.149 udp sport 123 udp dport 32768-65535 accept
        ruleset.nft:7:22-143: iifname "enp0s31f6" ip saddr { 64.59.144.17, 64.59.150.133 } ip daddr 10.0.0.149 udp sport 53 udp dport 32768-65535 accept
        into:
        iifname . ip saddr . ip daddr . udp sport . udp dport { enp0s31f6 . 64.59.144.17 . 10.0.0.149 . 53 . 32768-65535, enp0s31f6 . 209.115.181.102 . 10.0.0.149 . 123 . 32768-65535, enp0s31f6 . 216.197.228.230 . 10.0.0.149 . 123 . 32768-65535, enp0s31f6 . 64.59.150.133 . 10.0.0.149 . 53 . 32768-65535 } accept
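The merge performed by the optimizer in the two rulesets above has a simple core: rules that match on the same list of selectors and end in the same verdict become one rule over a concatenated set, and any anonymous set `{ a, b }` in a rule expands into one element per combination. The Python below is an added example written for this article, not nftables' own optimizer; it understands only the small subset of nft syntax used in the two rulesets (the `SELECTORS` list and the `optimize`, `parse_rule` and `is_rule` names are assumptions of this toy), keeps rules that carry a comment or a single match untouched, and reproduces the first ruleset's merged output exactly. Element order for the second ruleset follows rule order rather than the hash order nft printed.

```python
import re
from itertools import product

# Constructed inputs: the two rulesets from the release notes above.
RULESET_1 = """\
table ip x {
  chain y {
    type filter hook input priority filter; policy drop;
    meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
    meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4 accept
    meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.3.0/24 accept
    meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.4.0-2.2.4.10 accept
    meta iifname eth2 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept
  }
}
"""

RULESET_2 = """\
table ip filter {
  chain input {
    type filter hook input priority filter; policy drop;
    iifname "lo" accept
    ct state established,related accept comment "Traffic originated from us, we trust it"
    iifname "enp0s31f6" ip saddr { 209.115.181.102, 216.197.228.230 } ip daddr 10.0.0.149 udp sport 123 udp dport 32768-65535 accept
    iifname "enp0s31f6" ip saddr { 64.59.144.17, 64.59.150.133 } ip daddr 10.0.0.149 udp sport 53 udp dport 32768-65535 accept
  }
}
"""

# Subset of nft match syntax this toy understands (assumption: enough for the page's rulesets).
SELECTORS = ("meta iifname", "iifname", "ip saddr", "ip daddr",
             "udp sport", "udp dport", "ct state")
VERDICTS = ("accept", "drop")
TOKEN = re.compile(r'"[^"]*"|[{},]|[^\s{},]+')


def parse_rule(text):
    """Split one rule into ([(selector, values)], verdict, trailing tokens)."""
    toks = TOKEN.findall(text)
    matches, i = [], 0
    while i < len(toks) and toks[i] not in VERDICTS:
        two = " ".join(toks[i:i + 2])
        if two in SELECTORS:
            sel, i = two, i + 2
        elif toks[i] in SELECTORS:
            sel, i = toks[i], i + 1
        else:
            raise ValueError(f"unsupported expression near {toks[i]!r}")
        if toks[i] == "{":                        # anonymous set { a, b, ... }
            j = toks.index("}", i)
            values, i = [t for t in toks[i + 1:j] if t != ","], j + 1
        else:                                     # single value or a,b list
            values, i = [toks[i]], i + 1
            while i + 1 < len(toks) and toks[i] == ",":
                values.append(toks[i + 1])
                i += 2
        # "meta iifname" and "iifname" are the same key; drop quotes as nft's output does
        matches.append((sel.replace("meta ", ""),
                        tuple(v.strip('"') for v in values)))
    if i == len(toks):
        raise ValueError("rule has no verdict")
    return matches, toks[i], toks[i + 1:]


def is_rule(text):
    words = text.split()
    return bool(words) and words[0] in {s.split()[0] for s in SELECTORS}


def optimize(ruleset):
    """Merge rules sharing selectors and verdict into one concatenated-set rule,
    expanding anonymous sets into every combination; rules with a trailing
    comment or only one match are left as they are."""
    out, groups = [], {}
    for line in ruleset.splitlines():
        body = line.strip()
        if not is_rule(body):
            out.append(line)
            continue
        matches, verdict, trailer = parse_rule(body)
        if trailer or len(matches) < 2:
            out.append(line)
            continue
        key = (tuple(sel for sel, _ in matches), verdict)
        if key not in groups:
            indent = line[:len(line) - len(line.lstrip())]
            groups[key] = {"pos": len(out), "indent": indent, "lines": [], "elems": []}
            out.append(None)                      # the merged rule goes here
        groups[key]["lines"].append(line)
        groups[key]["elems"].extend(product(*(vals for _, vals in matches)))
    for (sels, verdict), g in groups.items():
        if len(g["lines"]) == 1:                  # nothing to merge with
            out[g["pos"]] = g["lines"][0]
            continue
        elems = ", ".join(" . ".join(e) for e in g["elems"])
        out[g["pos"]] = f"{g['indent']}{' . '.join(sels)} {{ {elems} }} {verdict}"
    return "\n".join(out)


if __name__ == "__main__":
    print(optimize(RULESET_1))
    print(optimize(RULESET_2))
```

Running it prints both rulesets with the mergeable rules collapsed; the `lo` rule and the commented `ct state` rule survive unchanged, which is the property to check before trusting any optimizer output: every original match and verdict must still be reachable from exactly one element of the merged set.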
  • Fixed a problem with bytecode generation for interval matching when the concatenation mixes types with different byte orders, such as IPv4 addresses (network byte order) and meta mark (host byte order):

        table ip x {
          map w {
            typeof ip saddr . meta mark : verdict
            flags interval
            counter
            elements = { 127.0.0.1-127.0.0.4 . 0x123434-0xb00122 : accept,
                         192.168.0.10-192.168.1.20 . 0x0000aa00-0x0000aaff : accept, }
          }
          chain k {
            type filter hook input priority filter; policy drop;
            ip saddr . meta mark vmap @w
          }
        }
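Why byte order matters for that map: an interval lookup compares a key against its lower and upper bound as byte strings, and that ordering only agrees with numeric ordering when each field is serialised big-endian. IPv4 addresses already are; a host-order `meta mark` on a little-endian machine is not. The Python below is an added illustration written for this article, not nftables or kernel code, and it simplifies the set backend to a per-field byte comparison (an assumption made for the demonstration; `ELEMENTS`, `lookup` and `interval_is_empty` are names of this toy). It uses the two map elements from the release-note example and shows both failure modes: with little-endian marks the first element's interval is empty, so a mark inside 0x123434-0xb00122 never matches, while for the second element a mark outside 0x0000aa00-0x0000aaff is accepted. Converting the mark to big-endian before comparison gives the correct verdicts.

```python
import ipaddress
import struct

# Map elements from the release-note example above (constructed input):
# (ip saddr range, meta mark range, verdict)
ELEMENTS = [
    (("127.0.0.1", "127.0.0.4"), (0x123434, 0xb00122), "accept"),
    (("192.168.0.10", "192.168.1.20"), (0x0000aa00, 0x0000aaff), "accept"),
]


def ipv4_bytes(addr):
    """IPv4 addresses are carried in network (big-endian) byte order already."""
    return ipaddress.IPv4Address(addr).packed


def mark_bytes(mark, order):
    """meta mark is a host-order integer. order="<" serialises it the way a
    little-endian host stores it natively; order=">" converts to big-endian."""
    return struct.pack(order + "I", mark)


def bytes_in_range(val, lo, hi):
    """Byte-string ordering: the only ordering a raw key comparison provides."""
    return lo <= val <= hi


def lookup(addr, mark, mark_order):
    """Return the verdict for (addr, mark), or None when no element matches.
    Each field is compared as bytes against its own interval bounds."""
    for (a_lo, a_hi), (m_lo, m_hi), verdict in ELEMENTS:
        ip_ok = bytes_in_range(ipv4_bytes(addr), ipv4_bytes(a_lo), ipv4_bytes(a_hi))
        mark_ok = bytes_in_range(mark_bytes(mark, mark_order),
                                 mark_bytes(m_lo, mark_order),
                                 mark_bytes(m_hi, mark_order))
        if ip_ok and mark_ok:
            return verdict
    return None


def interval_is_empty(m_lo, m_hi, mark_order):
    """True when byte-wise comparison makes lo > hi, so nothing can ever match."""
    return mark_bytes(m_lo, mark_order) > mark_bytes(m_hi, mark_order)


if __name__ == "__main__":
    for order, label in (("<", "host little-endian"), (">", "big-endian")):
        print(label,
              "127.0.0.2/0x200000 ->", lookup("127.0.0.2", 0x200000, order),
              "192.168.1.1/0xab00 ->", lookup("192.168.1.1", 0x0000ab00, order),
              "first interval empty:", interval_is_empty(0x123434, 0xb00122, order))
```

The practical check after upgrading is the same one the toy makes: feed a packet whose mark lies inside the configured range and one just outside it, and confirm the map's `counter` moves only for the former.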
  • Improved parsing of non-standard protocols in raw expressions, for example: meta l4proto 91 @th,400,16 0x0 accept
  • Fixed a problem with adding rules that contain intervals: add rule x y tcp sport { 3478-3497, 16384-16387 } counter accept
  • The JSON API now supports expressions and comments in map entries.
  • The Python binding for the nftables library can now load a ruleset for parsing in check mode ("-c") and supports defining variables externally.
  • Comments may now be attached to set elements.
  • Byte-based limits now accept a zero value.

Source: opennet.ru
