Release of the nftables 1.0.7 packet filter

The release of the nftables 1.0.7 packet filter has been published. nftables unifies the packet-filtering interfaces for IPv4, IPv6, ARP and network bridges and is intended to replace iptables, ip6tables, arptables and ebtables. The nftables package contains the packet-filter components that run in user space, while the kernel side is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel side only exposes a generic, protocol-independent interface with basic primitives for extracting data from packets, operating on that data, and flow control.

The filter rules themselves and the protocol-specific handlers are compiled into bytecode in user space; that bytecode is then loaded into the kernel through the Netlink interface and executed in a special virtual machine resembling BPF (Berkeley Packet Filters). This approach keeps the filtering code that runs at kernel level small and moves all rule parsing and protocol-specific logic into user space.

Main changes:

  • For systems running Linux kernel 6.2+, support has been added for matching on the vxlan, geneve, gre and gretap protocols, so a plain expression can inspect the headers of an encapsulated packet. For example, to check the IP addresses inside a VxLAN-encapsulated packet you can now write rules such as the following, without first de-encapsulating the VxLAN header and attaching the filter to a vxlan0 interface. Note that the encapsulation is selected by the outer UDP port, so VxLAN carried on a non-standard port must be matched with that port:

        ... udp dport 4789 vxlan ip protocol udp
        ... udp dport 4789 vxlan ip saddr 1.2.3.0/24
        ... udp dport 4789 vxlan ip saddr . vxlan ip daddr { 1.2.3.4 . 4.3.2.1 }
  • Support for automatically re-merging the remaining elements after a partial deletion from a range in an interval set: a single element or a sub-range can now be removed from an existing range (previously only a whole range could be deleted). For example, after deleting element 25 from a set containing the ranges 24-30 and 40-50, the set contains 24, 26-30 and 40-50. The kernel fix required for this to work with the auto-merge shortcut is included in the stable 5.10+ branch.

        # nft list ruleset
        table ip x {
                set y {
                        typeof tcp dport
                        flags interval
                        auto-merge
                        elements = { 24-30, 40-50 }
                }
        }

        set y {
                typeof tcp dport
                flags interval
                auto-merge
                elements = { 25, 24-26, 30-40 }
        }
  • Concatenations can now be combined with ranges when performing address translation (NAT), for example a map keyed on address and port whose entries cover address and port ranges:

        table ip nat {
                chain prerouting {
                        type nat hook prerouting priority dstnat; policy accept;
                        dnat to ip daddr . tcp dport map { 10.1.1.136 . 80 : 1.1.2.69 . 1024, 10.1.1.10-10.1.1.20 . 8888-8889 : 1.1.2.69 . 2048-2049 } persistent
                }
        }
  • Support has been added for the "last" statement, which records when a rule or set element was last used. The feature requires Linux kernel 5.14 or later. In the example below the output chain adds every destination address and port to a dynamic set, and listing the set shows the time since each element was last matched alongside its remaining lifetime:

        table ip x {
                set y {
                        typeof ip daddr . tcp dport
                        size 65535
                        flags dynamic,timeout
                        last
                        timeout 1h
                }

                chain z {
                        type filter hook output priority filter; policy accept;
                        update @y { ip daddr . tcp dport }
                }
        }

        # nft list set ip x y
        table ip x {
                set y {
                        typeof ip daddr . tcp dport
                        size 65535
                        flags dynamic,timeout
                        last
                        timeout 1h
                        elements = { 172.217.17.14 . 443 last used 1s591ms timeout 1h expires 59m58s409ms,
                                     172.67.69.19 . 443 last used 4s636ms timeout 1h expires 59m55s364ms,
                                     142.250.201.72 . 443 last used 4s748ms timeout 1h expires 59m55s252ms,
                                     172.67.70.134 . 443 last used 4s688ms timeout 1h expires 59m55s312ms,
                                     35.241.9.150 . 443 last used 5s204ms timeout 1h expires 59m54s796ms,
                                     138.201.122.174 . 443 last used 4s537ms timeout 1h expires 59m55s463ms,
                                     34.160.144.191 . 443 last used 5s205ms timeout 1h expires 59m54s795ms,
                                     130.211.23.194 . 443 last used 4s436ms timeout 1h expires 59m55s564ms }
                }
        }
  • Quotas can now be defined inside set definitions, giving each element its own byte budget. For example, to limit the traffic sent to each IP address in the set (the quota is tracked per element, and the listing shows how much of it has been consumed):

        table netdev x {
                set y {
                        typeof ip daddr
                        size 65535
                        quota over 10000 mbytes
                }

                chain y {
                        type filter hook egress device "eth0" priority filter; policy accept;
                        ip daddr @y drop
                }
        }

        # nft add element netdev x y { 8.8.8.8 }
        # ping -c 2 8.8.8.8
        # nft list ruleset
        table netdev x {
                set y {
                        type ipv4_addr
                        size 65535
                        quota over 10000 mbytes
                        elements = { 8.8.8.8 quota over 10000 mbytes used 196 bytes }
                }

                chain y {
                        type filter hook egress device "eth0" priority filter; policy accept;
                        ip daddr @y drop
                }
        }
  • Constants are now accepted in set statements. For example, when a MAC address and a VLAN ID form the set key, the VLAN number can be given as a literal (daddr . 123) when updating the set from a rule:

        table netdev t {
                set s {
                        typeof ether saddr . vlan id
                        size 2048
                        flags dynamic,timeout
                        timeout 1m
                }

                chain c {
                        type filter hook ingress device eth0 priority 0; policy accept;
                        ether type != 8021q update @s { ether daddr . 123 } counter
                }
        }
  • A new "destroy" command has been added for unconditionally removing objects: unlike the delete command, it does not return ENOENT when the object to be removed does not exist, which makes it convenient in scripts that must leave a clean state regardless of what was loaded before. It requires at least Linux kernel 6.3-rc.

        destroy table ip nyo
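The auto-merge and partial-deletion semantics above, together with the delete-versus-destroy distinction, are easiest to understand as interval arithmetic. The following Python model is an added example, not nftables' or the kernel's code; it reproduces the described behaviour on plain integers (adjacent or overlapping ranges merge, deleting a point or sub-range splits the containing range) and also covers the edge cases the note does not list, such as deleting from the start or end of a range or deleting a whole range. The rule that a deleted span must lie entirely inside one existing range, with anything else treated as ENOENT, is an assumption of this model.

```python
"""Model of an nftables interval set with auto-merge (added illustration,
not nftables' or the kernel's own code). Ranges are inclusive integer
pairs, like nft's "24-30". Assumption of the model: a delete must name a
span fully contained in one existing range; anything else is ENOENT."""

from typing import List, Tuple

Interval = Tuple[int, int]  # inclusive bounds


def automerge(intervals: List[Interval]) -> List[Interval]:
    """Merge overlapping and adjacent ranges, as `auto-merge` does on insert."""
    merged: List[Interval] = []
    for lo, hi in sorted(intervals):
        if merged and lo <= merged[-1][1] + 1:  # overlaps or touches the last range
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def delete_range(intervals: List[Interval], lo: int, hi: int) -> List[Interval]:
    """Remove [lo, hi] (`nft delete element`): the range containing it is split
    into the parts left on either side. A span that no range contains raises,
    mirroring the ENOENT the kernel returns for a missing element."""
    for cur_lo, cur_hi in intervals:
        if cur_lo <= lo and hi <= cur_hi:
            remaining = [iv for iv in intervals if iv != (cur_lo, cur_hi)]
            if cur_lo < lo:
                remaining.append((cur_lo, lo - 1))
            if hi < cur_hi:
                remaining.append((hi + 1, cur_hi))
            return sorted(remaining)
    raise FileNotFoundError(f"ENOENT: no range contains {lo}-{hi}")


def destroy_range(intervals: List[Interval], lo: int, hi: int) -> List[Interval]:
    """`destroy`-style deletion: like delete_range, but a missing span is not an
    error and the set comes back unchanged."""
    try:
        return delete_range(intervals, lo, hi)
    except FileNotFoundError:
        return list(intervals)


def render(intervals: List[Interval]) -> str:
    """Format the way `nft list set` does: single values without a dash."""
    return ", ".join(str(lo) if lo == hi else f"{lo}-{hi}" for lo, hi in intervals)


if __name__ == "__main__":
    s = automerge([(24, 30), (40, 50)])
    print(render(delete_range(s, 25, 25)))  # 24, 26-30, 40-50
```

`delete_range` is deliberately strict so that a script which expected an element to exist fails loudly, while `destroy_range` is the idempotent form for cleanup paths; choosing between them is the same decision as choosing between `nft delete` and `nft destroy`.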
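The "last used" and "quota ... used" annotations in the listings above are there to be consumed by tooling as much as read by eye: an operator typically wants the elements of a dynamic set that have gone quiet without expiring, or the addresses closest to exhausting their quota. The script below is an added example, not part of nftables; the two listings embedded in it are constructed in the format shown in the release note, not captured from a live system, and the duration and byte-unit grammar it accepts (d/h/m/s/ms, bytes/kbytes/mbytes/gbytes) is the one nft prints.

```python
"""Parse `nft list set` output that carries per-element metadata (added
example, not nftables' own code). The listings are constructed from the
format shown in the release note, not captured from a live system."""

import re
from typing import Dict, List

LAST_LISTING = """\
table ip x {
        set y {
                typeof ip daddr . tcp dport
                size 65535
                flags dynamic,timeout
                last
                timeout 1h
                elements = { 172.217.17.14 . 443 last used 1s591ms timeout 1h expires 59m58s409ms,
                             172.67.69.19 . 443 last used 4s636ms timeout 1h expires 59m55s364ms,
                             35.241.9.150 . 443 last used 12m5s204ms timeout 1h expires 47m54s796ms }
        }
}
"""

QUOTA_LISTING = """\
table netdev x {
        set y {
                type ipv4_addr
                size 65535
                quota over 10000 mbytes
                elements = { 8.8.8.8 quota over 10000 mbytes used 196 bytes }
        }
}
"""

_DURATION = re.compile(r"(\d+)(ms|d|h|m|s)")  # "ms" must be tried before "m"
_UNITS_MS = {"ms": 1, "s": 1000, "m": 60_000, "h": 3_600_000, "d": 86_400_000}
_BYTES = {"bytes": 1, "kbytes": 1024, "mbytes": 1024 ** 2, "gbytes": 1024 ** 3}
_BYTE_UNIT = r"(bytes|kbytes|mbytes|gbytes)"
# The element key runs up to the first annotation keyword.
_ATTR_START = re.compile(r"\s+(last used|timeout|expires|quota|counter|comment)\b")


def parse_duration(text: str) -> int:
    """nft duration string ('59m58s409ms', '1h', '2d') -> milliseconds."""
    parts = _DURATION.findall(text)
    if not parts or "".join(num + unit for num, unit in parts) != text:
        raise ValueError(f"bad nft duration: {text!r}")
    return sum(int(num) * _UNITS_MS[unit] for num, unit in parts)


def parse_elements(listing: str) -> List[Dict[str, object]]:
    """One dict per element: 'key' plus whichever of last_used_ms, timeout_ms,
    expires_ms, quota_bytes and used_bytes the listing carries."""
    block = re.search(r"elements\s*=\s*\{(.*?)\}", listing, re.S)
    if not block:
        return []
    elements: List[Dict[str, object]] = []
    for raw in block.group(1).split(","):
        raw = " ".join(raw.split())  # collapse indentation and line breaks
        if not raw:
            continue
        cut = _ATTR_START.search(raw)
        key, attrs = (raw[:cut.start()], raw[cut.start():]) if cut else (raw, "")
        el: Dict[str, object] = {"key": key.strip()}
        if m := re.search(r"last used (\S+)", attrs):
            el["last_used_ms"] = parse_duration(m.group(1))
        if m := re.search(r"\btimeout (\S+)", attrs):
            el["timeout_ms"] = parse_duration(m.group(1))
        if m := re.search(r"\bexpires (\S+)", attrs):
            el["expires_ms"] = parse_duration(m.group(1))
        if m := re.search(r"quota over (\d+) " + _BYTE_UNIT, attrs):
            el["quota_bytes"] = int(m.group(1)) * _BYTES[m.group(2)]
        if m := re.search(r"\bused (\d+) " + _BYTE_UNIT, attrs):
            el["used_bytes"] = int(m.group(1)) * _BYTES[m.group(2)]
        elements.append(el)
    return elements


def stale_keys(listing: str, idle_ms: int) -> List[str]:
    """Keys not used for at least idle_ms: entries that went quiet but have
    not expired yet, which is exactly what `last` makes visible."""
    return [str(e["key"]) for e in parse_elements(listing)
            if int(e.get("last_used_ms", 0)) >= idle_ms]


def quota_usage(listing: str) -> Dict[str, float]:
    """Key -> fraction of its quota consumed, for per-element quota sets."""
    return {str(e["key"]): int(e["used_bytes"]) / int(e["quota_bytes"])
            for e in parse_elements(listing)
            if "quota_bytes" in e and "used_bytes" in e}


if __name__ == "__main__":
    print("idle for 10m or more:", stale_keys(LAST_LISTING, 10 * 60_000))
    print("quota usage:", quota_usage(QUOTA_LISTING))
```

In practice the listing text would come from `nft list set <family> <table> <set>` run on the host; the parser only looks at the `elements = { ... }` block, so it is unaffected by the set definition lines above it. The `\b` anchors matter: without them `used 196 bytes` and `last used 1s591ms` would be confused with each other.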

Source: opennet.ru
