nftables 1.0.3 packet filter released

The release of the nftables 1.0.3 packet filter has been published. nftables unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridges, and is intended to replace iptables, ip6tables, arptables and ebtables. The kernel-side changes required for nftables 1.0.3 to work are included in Linux 5.18.

The nftables package contains the packet filter components that run in user space, while the kernel-side work is done by the nf_tables subsystem, which has been part of the Linux kernel since version 3.13. The kernel level provides only a generic, protocol-independent interface offering basic primitives for extracting data from packets, performing operations on that data, and flow control.

The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space; that bytecode is then loaded into the kernel over the Netlink interface and executed there by a dedicated virtual machine resembling BPF (Berkeley Packet Filter). This design keeps the amount of filtering code running in the kernel small and moves all rule parsing and protocol-handling logic into user space.

Main changes:

  • Sets now support matching network interface names by a mask, for example a name given with the "*" wildcard:

        table inet testifsets {
            set simple_wild {
                type ifname
                flags interval
                elements = { "abcdef*", "othername", "ppp0" }
            }
            chain v4icmp {
                type filter hook input priority 0; policy accept;
                iifname @simple_wild counter packets 0 bytes 0
                iifname { "abcdef*", "eth0" } counter packets 0 bytes 0
            }
        }

  • Automatic merging of overlapping set elements is now also performed at run time. Previously, when the "auto-merge" option was set, merging happened only when the ruleset was declared; it now also applies when new elements are added incrementally while the set is in use. For example, at declaration time the set

        set y {
            flags interval
            auto-merge
            elements = { 1.2.3.0, 1.2.3.255, 1.2.3.0/24, 3.3.3.3, 4.4.4.4, 4.4.4.4-4.4.4.8, 3.3.3.4, 3.3.3.5 }
        }

    becomes

        elements = { 1.2.3.0/24, 3.3.3.3-3.3.3.5, 4.4.4.4-4.4.4.8 }

    and if new elements are then added with

        # nft add element ip x y { 1.2.3.0-1.2.4.255, 3.3.3.6 }

    the set ends up as

        elements = { 1.2.3.0-1.2.4.255, 3.3.3.3-3.3.3.6, 4.4.4.4-4.4.4.8 }

    When individual elements that lie inside an existing range element are deleted from the set, the range is shortened or split accordingly.

  • Support for merging several NAT rules into a map as part of ruleset optimisation, which is invoked with the "-o/--optimize" option. For example, for the ruleset

        # cat ruleset.nft
        table ip x {
            chain y {
                type nat hook postrouting priority srcnat; policy drop;
                ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80
                ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90
            }
        }

    running "nft -o -c -f ruleset.nft" turns the separate "ip saddr" rules into a single map-based rule (with -c the ruleset is only checked, not loaded, so the merged form can be reviewed before it is committed):

        snat to ip saddr . tcp dport map { 1.1.1.1 . 8000 : 4.4.4.4 . 80, 2.2.2.2 . 8001 : 5.5.5.5 . 90 }

    Raw expressions can be converted into a map in the same way:

        # cat ruleset.nft
        table ip x {
        [โ€ฆ]
            chain nat_dns_acme {
                udp length 47-63 @th,160,128 0x0e373135363130333131303735353203 goto nat_dns_dnstc
                udp length 62-78 @th,160,128 0x0e31393032383939353831343037320e goto nat_dns_this_5301
                udp length 62-78 @th,160,128 0x0e31363436323733373931323934300e goto nat_dns_saturn_5301
                udp length 62-78 @th,160,128 0x0e32393535373539353636383732310e goto nat_dns_saturn_5302
                udp length 62-78 @th,160,128 0x0e38353439353637323038363633390e goto nat_dns_saturn_5303
                drop
            }
        }

    After optimisation the chain is expressed as a verdict map:

        udp length . @th,160,128 vmap { 47-63 . 0x0e373135363130333131303735353203 : goto nat_dns_dnstc,
                                        62-78 . 0x0e31393032383939353831343037320e : goto nat_dns_this_5301,
                                        62-78 . 0x0e31363436323733373931323934300e : goto nat_dns_saturn_5301,
                                        62-78 . 0x0e32393535373539353636383732310e : goto nat_dns_saturn_5302,
                                        62-78 . 0x0e38353439353637323038363633390e : goto nat_dns_saturn_5303 }

  • Raw expressions are now allowed in concatenations. For example:

        # nft add rule x y ip saddr . @ih,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e }

    or

        table x {
            set y {
                typeof ip saddr . @ih,32,32
                elements = { 1.1.1.1 . 0x14 }
            }
        }

  • Added support for using whole header fields in concatenations:

        table inet t {
            map m1 {
                typeof udp length . @ih,32,32 : verdict
                flags interval
                elements = { 20-80 . 0x14 : accept, 1-10 . 0xa : drop }
            }
            chain c {
                type filter hook input priority 0; policy drop;
                udp length . @ih,32,32 vmap @m1
            }
        }

  • Added support for resetting TCP options (requires Linux kernel 5.18 or later):

        tcp flags syn reset tcp option sack-perm

  • Listing a chain ("nft list chain x y") is now faster.
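The interval-set behaviour described above (auto-merge at declaration and on incremental add, and shortening or splitting of a range when an element inside it is deleted) modelled in Python. This is an added example, not nftables code: the set is represented as a sorted list of inclusive integer ranges, the addresses are the ones from the release notes, and the rendering rules (single address, prefix when the range is exactly a prefix, otherwise a-b) are an approximation of nft's listing output.

```python
"""Model of nftables interval-set auto-merge and element deletion.

Added example, not nftables code. A set with 'flags interval' and
'auto-merge' is modelled as a sorted list of inclusive (start, end)
integer ranges; the sample addresses are the ones from the 1.0.3 notes.
"""
import ipaddress


def parse_element(text):
    """Turn '1.2.3.0/24', '4.4.4.4-4.4.4.8' or '3.3.3.3' into an inclusive int range."""
    text = text.strip()
    if "-" in text:
        lo, hi = (int(ipaddress.IPv4Address(p.strip())) for p in text.split("-", 1))
    elif "/" in text:
        net = ipaddress.IPv4Network(text, strict=False)
        lo, hi = int(net.network_address), int(net.broadcast_address)
    else:
        lo = hi = int(ipaddress.IPv4Address(text))
    if lo > hi:
        raise ValueError(f"inverted range: {text}")
    return lo, hi


def merge(ranges):
    """Coalesce overlapping and directly adjacent ranges (what auto-merge does)."""
    merged = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def add_elements(current, new_elements):
    """Incremental 'nft add element' with auto-merge applied to the result."""
    return merge(list(current) + [parse_element(e) for e in new_elements])


def delete_element(current, element):
    """Delete an element; a range that contains it is shortened or split."""
    lo, hi = parse_element(element)
    kept = []
    for start, end in current:
        if hi < start or lo > end:        # disjoint: untouched
            kept.append((start, end))
            continue
        if start < lo:                    # left remainder survives
            kept.append((start, lo - 1))
        if end > hi:                      # right remainder survives
            kept.append((hi + 1, end))
    return kept


def render(ranges):
    """List the set roughly as nft does: single address, prefix if exact, else a-b."""
    parts = []
    for lo, hi in ranges:
        first, last = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
        if lo == hi:
            parts.append(str(first))
            continue
        nets = list(ipaddress.summarize_address_range(first, last))
        parts.append(str(nets[0]) if len(nets) == 1 else f"{first}-{last}")
    return ", ".join(parts)


if __name__ == "__main__":
    declared = ["1.2.3.0", "1.2.3.255", "1.2.3.0/24", "3.3.3.3", "4.4.4.4",
                "4.4.4.4-4.4.4.8", "3.3.3.4", "3.3.3.5"]
    y = add_elements([], declared)
    print("declared :", render(y))
    y = add_elements(y, ["1.2.3.0-1.2.4.255", "3.3.3.6"])
    print("after add:", render(y))
    y = delete_element(y, "4.4.4.6")
    print("after del:", render(y))
```

The merge step treats adjacent ranges (3.3.3.5 followed by 3.3.3.6) the same as overlapping ones, which is what turns the declared elements into the three ranges shown in the release notes; deletion keeps whichever remainder of a containing range lies outside the deleted element, so deleting an interior address splits the range and deleting an endpoint shortens it.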

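A simplified model of the rule-to-map merge that "-o/--optimize" performs on the NAT ruleset above. This is an added example and not the nftables optimizer: it understands only a handful of two-word selectors and IPv4 "addr:port" targets (an assumption chosen to cover the page's example), folds a run of consecutive rules with the same selectors and action into one map-based rule, and refuses to merge when two rules would produce the same map key, since a map cannot hold duplicate keys and the original first-match ordering would otherwise be lost.

```python
"""Simplified model of the 'nft -o' rule-to-map merge.

Added example, not the nftables optimizer. A run of consecutive rules
that match on the same selectors and end in the same action is folded
into one rule whose action takes its value from a map keyed by the
concatenated selectors, as the 1.0.3 notes show for 'ip saddr . tcp dport'.
"""
import re
from itertools import groupby

# Two-word selectors this toy parser understands (assumption: real nft
# accepts far more; this is just enough for the ruleset in the notes).
SELECTORS = {"ip saddr", "ip daddr", "tcp dport", "tcp sport", "udp dport", "udp sport"}

RULE_RE = re.compile(r"^(?P<matches>.+?)\s+(?P<action>snat to|dnat to)\s+(?P<target>\S+)$")


def parse_rule(text):
    """'ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80' ->
    (('ip saddr', 'tcp dport'), ('1.1.1.1', '8000'), 'snat to', '4.4.4.4 . 80')."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rule: {text!r}")
    tokens = m["matches"].split()
    selectors, values = [], []
    i = 0
    while i < len(tokens):
        sel = " ".join(tokens[i:i + 2])
        if sel not in SELECTORS or i + 2 >= len(tokens):
            raise ValueError(f"unsupported match in {text!r}: {sel}")
        selectors.append(sel)
        values.append(tokens[i + 2])
        i += 3
    # An IPv4 'addr:port' target becomes a concatenation on the map's value side.
    target = " . ".join(m["target"].rsplit(":", 1))
    return tuple(selectors), tuple(values), m["action"], target


def optimize(rules):
    """Return the rule list with mergeable consecutive runs folded into maps."""
    parsed = [parse_rule(r) for r in rules]
    out = []
    for (selectors, action), run in groupby(parsed, key=lambda p: (p[0], p[2])):
        run = list(run)
        if len(run) == 1:                      # nothing to merge: keep the rule as written
            sel, val, act, tgt = run[0]
            matches = " ".join(f"{s} {v}" for s, v in zip(sel, val))
            out.append(f"{matches} {act} {tgt.replace(' . ', ':')}")
            continue
        keys = [" . ".join(vals) for _, vals, _, _ in run]
        if len(set(keys)) != len(keys):        # a map cannot hold duplicate keys
            raise ValueError(f"duplicate key in run: {keys}")
        body = ", ".join(f"{k} : {tgt}" for k, (_, _, _, tgt) in zip(keys, run))
        out.append(f"{action} {' . '.join(selectors)} map {{ {body} }}")
    return out


if __name__ == "__main__":
    ruleset = [
        "ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80",
        "ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90",
    ]
    for line in optimize(ruleset):
        print(line)
```

Only consecutive rules are grouped, because a rule with a different shape sitting between two mergeable ones could match first and must keep its position; the merged output for the page's two-rule chain is the same "snat to ip saddr . tcp dport map { ... }" line the release notes show.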
Source: OpenNet.ru
