nftables packet filter 1.0.2 release

The nftables packet filter 1.0.2 has been released. nftables unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridges into one tool, replacing iptables, ip6tables, arptables and ebtables. The kernel-side changes that nftables 1.0.2 needs are included in Linux 5.17-rc.

The nftables package contains the user-space part of the packet filter, while the kernel-level work is done by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel side only provides a generic, protocol-independent interface with the basic primitives for extracting data from packets, operating on that data and controlling the flow of evaluation.

The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space; that bytecode is then loaded into the kernel over the Netlink interface and executed in the kernel by a dedicated virtual machine resembling BPF (Berkeley Packet Filters). This approach keeps the filtering code that runs at kernel level small and moves all rule parsing and protocol-handling logic into user space.

Main changes:

  • A rule optimization mode has been added, enabled with the new "-o" ("--optimize") option. It can be combined with "--check" to verify and optimize a ruleset file without loading it (without "--check", the optimized ruleset is loaded). The optimizer merges rules that differ only in the values they match. For example, the rules

      meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
      meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.5 accept
      ip saddr 1.1.1.1 ip daddr 2.2.2.2 accept
      ip saddr 2.2.2.2 ip daddr 3.3.3.3 drop

    are merged into

      meta iifname . ip saddr . ip daddr { eth1 . 1.1.1.1 . 2.2.2.3, eth1 . 1.1.1.2 . 2.2.2.5 } accept
      ip saddr . ip daddr vmap { 1.1.1.1 . 2.2.2.2 : accept, 2.2.2.2 . 3.3.3.3 : drop }

    Usage example (note that the three per-rule counters become a single counter on the merged rule):

      # nft -c -o -f ruleset.test
      Merging:
      ruleset.nft:16:3-37: ip daddr 192.168.0.1 counter accept
      ruleset.nft:17:3-37: ip daddr 192.168.0.2 counter accept
      ruleset.nft:18:3-37: ip daddr 192.168.0.3 counter accept
      into:
      ip daddr { 192.168.0.1, 192.168.0.2, 192.168.0.3 } counter packets 0 bytes 0 accept

  • Sets can now be keyed on ip and tcp options, as well as on sctp chunk fields:

      set s5 {
          typeof ip option ra value
          elements = { 1, 1024 }
      }
      set s7 {
          typeof sctp chunk init num-inbound-streams
          elements = { 1, 4 }
      }
      chain c5 {
          ip option ra value @s5 accept
      }
      chain c7 {
          sctp chunk init num-inbound-streams @s7 accept
      }

  • Added support for the TCP options fastopen, md5sig and mptcp.
  • Added support for matching on the mptcp subtype: tcp option mptcp subtype 1
  • Improved kernel-side filtering code.
  • Flowtables now have full JSON format support.
  • The "reject" verdict can now be used in rules that match on Ethernet frame fields:

      ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject
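As an added illustration of the rule merging described above (this is example code written for this page, not nftables' own optimizer and not part of the original release notes), the following Python script models the merge step on plain rule lines: consecutive rules that use the same selectors and the same statements are folded into one rule over an anonymous set when their verdicts agree, or into a verdict map when they differ. The supported selector list, the statement names and the sample rulesets are assumptions constructed for the example; real nft understands far more expressions and prints counters with their packet and byte values. Two design choices are worth noting: only adjacent rules are merged, so the first-match order a packet sees is never changed, and rules that carry their own counter are not folded into a vmap, because a single shared counter would no longer tell you which destination was hit.

```python
"""Toy model of the rule merging performed by `nft -o`.

Added example, not nftables' own optimizer: it parses a few two-word
selectors and argument-less statements, merges only *adjacent* rules,
and omits the packet/byte values nft prints after `counter`.
All sample rules below are constructed for this example.
"""
from itertools import groupby

# Two-word selectors this toy parser understands; each is followed by a value.
SELECTORS = {
    ("meta", "iifname"), ("meta", "oifname"),
    ("ip", "saddr"), ("ip", "daddr"),
    ("tcp", "sport"), ("tcp", "dport"),
    ("udp", "sport"), ("udp", "dport"),
}
STATEMENTS = {"counter", "log"}  # statements without arguments (assumption)
VERDICTS = {"accept", "drop", "reject", "continue", "return"}


def parse_rule(line):
    """Split one rule into (selector keys, matched values, statements, verdict)."""
    tokens = line.split()
    keys, values, stmts, verdict = [], [], [], None
    i = 0
    while i < len(tokens):
        pair = tuple(tokens[i:i + 2])
        if pair in SELECTORS:
            if i + 2 >= len(tokens):
                raise ValueError(f"selector without value: {line!r}")
            keys.append(" ".join(pair))
            values.append(tokens[i + 2])
            i += 3
        elif tokens[i] in STATEMENTS:
            stmts.append(tokens[i])
            i += 1
        elif tokens[i] in VERDICTS and i == len(tokens) - 1:
            verdict = tokens[i]
            i += 1
        else:
            raise ValueError(f"unsupported token {tokens[i]!r} in {line!r}")
    if not keys or verdict is None:
        raise ValueError(f"rule needs selectors and a final verdict: {line!r}")
    return tuple(keys), tuple(values), tuple(stmts), verdict


def merge_rules(lines):
    """Merge runs of consecutive rules that share selectors and statements.

    Same verdict   -> one rule matching an anonymous set of concatenations.
    Mixed verdicts -> one rule using a verdict map (vmap), unless the rules
                      carry statements such as `counter` (see comment below).
    Rules are never reordered, so first-match semantics are preserved.
    """
    parsed = [(line.strip(), parse_rule(line)) for line in lines if line.strip()]
    merged = []
    for (keys, stmts), group in groupby(parsed, key=lambda r: (r[1][0], r[1][2])):
        run = list(group)
        selector = " . ".join(keys)
        verdicts = {rule[3] for _, rule in run}
        if len(run) == 1:
            merged.append(run[0][0])
        elif len(verdicts) == 1:
            # Like the release-notes output, per-rule counters collapse into one.
            elems = ", ".join(" . ".join(rule[1]) for _, rule in run)
            merged.append(" ".join([f"{selector} {{ {elems} }}", *stmts, verdicts.pop()]))
        elif stmts:
            # A single counter/log in front of a vmap would count every packet
            # reaching the rule instead of per-rule matches; keep these apart.
            merged.extend(text for text, _ in run)
        else:
            elems = ", ".join(f"{' . '.join(rule[1])} : {rule[3]}" for _, rule in run)
            merged.append(f"{selector} vmap {{ {elems} }}")
    return merged


# Constructed sample: the four rules quoted in the release notes.
RULES_FROM_NOTES = [
    "meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept",
    "meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.5 accept",
    "ip saddr 1.1.1.1 ip daddr 2.2.2.2 accept",
    "ip saddr 2.2.2.2 ip daddr 3.3.3.3 drop",
]

if __name__ == "__main__":
    for rule in merge_rules(RULES_FROM_NOTES):
        print(rule)
```

Running the script prints the two merged rules shown in the release notes. Before relying on `nft -o` in production, run it with `-c` first and read the "Merging:" report: a merged counter is a changed counter, and a rule that is not adjacent to its siblings will not be merged at all.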

Source: opennet.ru
