nftables packet filter 1.0.6 release

The release of the nftables 1.0.6 packet filter has been published. nftables unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridges (it replaces iptables, ip6tables, arptables and ebtables). The nftables package contains the packet filter components that run in user space, while the kernel side is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. At the kernel level only a generic, protocol-independent interface is provided, offering basic primitives for extracting data from packets, performing operations on that data and controlling the flow of execution.

The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel over the Netlink interface and executed in the kernel by a dedicated virtual machine that resembles BPF (Berkeley Packet Filter). This approach keeps the amount of filtering code running at the kernel level small and moves all rule parsing and protocol handling logic into user space.

Main changes:

  • The rule optimizer, invoked when the "-o / --optimize" option is given, now packs rules automatically by merging them and converting them into sets and maps. For example, the ruleset

        # cat ruleset.nft
        table ip x {
                chain y {
                        type filter hook input priority filter; policy drop;
                        meta iifname eth1 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept
                        meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
                        meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4/31 accept
                        meta iifname eth1 ip saddr 2.2.3.0/24 ip daddr 1.1.1.1-1.1.1.2 accept
                        meta iifname eth2 ip saddr 2.2.4.0 ip daddr 2.2.4.10 accept
                }
        }

    after running "nft -o -c -f ruleset.nft" is reported as transformed into a single rule over a concatenated set (the "-c" flag is check mode: the ruleset is validated and the optimized form printed, nothing is loaded into the kernel):

        Merging:
        meta iifname eth1 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept
        meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
        meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4/31 accept
        meta iifname eth1 ip saddr 2.2.3.0/24 ip daddr 1.1.1.1-1.1.1.2 accept
        meta iifname eth2 ip saddr 2.2.4.0 ip daddr 2.2.4.10 accept
        into:
        iifname . ip saddr . ip daddr { eth1 . 1.1.1.3 . 2.2.2.5, eth1 . 1.1.1.1 . 2.2.2.3, eth1 . 1.1.1.2 . 2.2.2.4/31, eth1 . 2.2.3.0/24 . 1.1.1.1-1.1.1.2, eth2 . 2.2.4.0 . 2.2.4.10 } accept

  • The optimizer can also convert rules that already use simple sets into a more compact form. For example, the ruleset

        # cat ruleset.nft
        table ip filter {
                chain input {
                        type filter hook input priority filter; policy drop;
                        iifname "lo" accept
                        ct state established,related accept comment "Traffic we originated, we trust"
                        iifname "enp0s31f6" ip saddr { 209.115.181.102, 216.197.228.230 } ip daddr 10.0.0.149 udp sport 123 udp dport 32768-65535 accept
                        iifname "enp0s31f6" ip saddr { 64.59.144.17, 64.59.150.133 } ip daddr 10.0.0.149 udp sport 53 udp dport 32768-65535 accept
                }
        }

    after running "nft -o -c -f ruleset.nft" has its two UDP rules merged:

        Merging:
        iifname "enp0s31f6" ip saddr { 209.115.181.102, 216.197.228.230 } ip daddr 10.0.0.149 udp sport 123 udp dport 32768-65535 accept
        iifname "enp0s31f6" ip saddr { 64.59.144.17, 64.59.150.133 } ip daddr 10.0.0.149 udp sport 53 udp dport 32768-65535 accept
        into:
        iifname . ip saddr . ip daddr . udp sport . udp dport { enp0s31f6 . 209.115.181.102 . 10.0.0.149 . 123 . 32768-65535, enp0s31f6 . 216.197.228.230 . 10.0.0.149 . 123 . 32768-65535, enp0s31f6 . 64.59.144.17 . 10.0.0.149 . 53 . 32768-65535, enp0s31f6 . 64.59.150.133 . 10.0.0.149 . 53 . 32768-65535 } accept

    Only consecutive rules with the same selectors and the same verdict are folded together, so first-match semantics are preserved; the "lo" and ct state rules above are left in place.
  • Fixed a problem with bytecode generation for concatenated intervals that combine types with different byte order, such as IPv4 addresses (network byte order) and meta mark (host byte order). Rulesets that mix such types in one concatenation, like the map below, should be re-tested with this release:

        table ip x {
                map w {
                        typeof ip saddr . meta mark : verdict
                        flags interval
                        counter
                        elements = { 127.0.0.1-127.0.0.4 . 0x123434-0xb00122 : accept,
                                     192.168.0.10-192.168.1.20 . 0x0000aa00-0x0000aaff : accept, }
                }

                chain k {
                        type filter hook input priority filter; policy drop;
                        ip saddr . meta mark vmap @w
                }
        }
  • Matching on rare protocols for which nftables has no protocol parser is now possible with raw payload expressions, for example: meta l4proto 91 @th,400,16 0x0 accept (offset and length are given in bits: this compares the 16 bits at bit offset 400 of the transport header, i.e. transport-header bytes 50 and 51, against zero).
  • Fixed a problem with inserting rules that match on a set of intervals, e.g.: insert rule x y tcp sport { 3478-3497, 16384-16387 } counter accept
  • The JSON API has been improved to support expressions in set and map elements.
  • The Python nftables library has been extended to allow loading a ruleset in validation mode ("-c") and to support defining variables externally.
  • Comments are now allowed on set elements.
  • The byte rate limit may now be set to zero.
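The rule packing described in the first two items, as an added example that is not nftables' own code: a small model of what "nft -o" does to the two rulesets above. It parses single-line rules made of selector/value pairs plus a verdict, and merges runs of consecutive rules with identical selectors and verdict into one rule over a concatenated set. The selector list, value forms (literal, range, prefix, anonymous set) and the handling of trailing comments are my assumptions for the example, not the real optimizer's implementation; the sample rulesets are constructed from the examples in the text.

```python
"""Added example (not nftables code): model of how nft -o packs rules
into concatenated sets. Assumptions: selectors listed in SELECTOR_RE,
values are a literal, a-b range, a.b.c.d/n prefix or { a, b } set, and a
trailing comment "..." does not affect matching."""
import re
from itertools import product

SELECTOR_RE = re.compile(
    r"(meta iifname|iifname|oifname|ip saddr|ip daddr|"
    r"udp sport|udp dport|tcp sport|tcp dport)\s+(\{[^}]*\}|\S+)"
)
COMMENT_RE = re.compile(r'\s+comment\s+"[^"]*"$')
VERDICTS = {"accept", "drop"}

# Constructed sample rulesets, taken from the two examples in the text.
RULESET_X = [
    "meta iifname eth1 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept",
    "meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept",
    "meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4/31 accept",
    "meta iifname eth1 ip saddr 2.2.3.0/24 ip daddr 1.1.1.1-1.1.1.2 accept",
    "meta iifname eth2 ip saddr 2.2.4.0 ip daddr 2.2.4.10 accept",
]
RULESET_FILTER = [
    'iifname "lo" accept',
    'ct state established,related accept comment "Traffic we originated, we trust"',
    'iifname "enp0s31f6" ip saddr { 209.115.181.102, 216.197.228.230 } '
    "ip daddr 10.0.0.149 udp sport 123 udp dport 32768-65535 accept",
    'iifname "enp0s31f6" ip saddr { 64.59.144.17, 64.59.150.133 } '
    "ip daddr 10.0.0.149 udp sport 53 udp dport 32768-65535 accept",
]
# Constructed: a drop between two accepts must not be merged across,
# otherwise 10.0.0.2 would be accepted instead of dropped by the /8.
ORDER_SENSITIVE = [
    "ip saddr 10.0.0.1 accept",
    "ip saddr 10.0.0.0/8 drop",
    "ip saddr 10.0.0.2 accept",
]


def parse_rule(line):
    """Return (selectors, elements, verdict), or None when the rule is not
    a plain selector/verdict rule this packer understands (e.g. ct state)."""
    text = COMMENT_RE.sub("", line.strip())
    head, _, verdict = text.rpartition(" ")
    if verdict not in VERDICTS or not head:
        return None
    selectors, value_lists, pos = [], [], 0
    for m in SELECTOR_RE.finditer(head):
        if head[pos:m.start()].strip():
            return None  # unparsed text between two selectors
        key, raw = m.group(1), m.group(2)
        # the merged rule prints "meta iifname" as plain "iifname"
        selectors.append("iifname" if key == "meta iifname" else key)
        if raw.startswith("{"):
            value_lists.append([v.strip() for v in raw[1:-1].split(",") if v.strip()])
        else:
            value_lists.append([raw.strip('"')])
        pos = m.end()
    if head[pos:].strip() or not selectors:
        return None
    # an anonymous set of N values expands to N concatenated elements
    return tuple(selectors), list(product(*value_lists)), verdict


def format_merged(selectors, elements, verdict):
    body = ", ".join(" . ".join(e) for e in elements)
    return f"{' . '.join(selectors)} {{ {body} }} {verdict}"


def optimize(rules):
    """Pack runs of consecutive mergeable rules; everything else is kept
    verbatim and in place, so first-match semantics are preserved."""
    out, run = [], []

    def flush():
        if len(run) == 1:
            out.append(run[0][0])
        elif run:
            selectors, _, verdict = run[0][1]
            elements = [e for _, (_, elems, _) in run for e in elems]
            out.append(format_merged(selectors, elements, verdict))
        run.clear()

    for line in rules:
        parsed = parse_rule(line)
        if parsed is None:
            flush()
            out.append(line.strip())
            continue
        if run and (run[0][1][0], run[0][1][2]) != (parsed[0], parsed[2]):
            flush()  # different selectors or verdict: start a new run
        run.append((line.strip(), parsed))
    flush()
    return out


if __name__ == "__main__":
    for rule in optimize(RULESET_X) + optimize(RULESET_FILTER):
        print(rule)
```

The ORDER_SENSITIVE list is the check a practitioner wants before trusting any rule packing: a rule with a different verdict ends the run, so the packed ruleset cannot reorder an accept ahead of a drop that previously shadowed it.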
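The raw payload expression from the "meta l4proto 91 @th,400,16 0x0 accept" item, as an added example that is not nftables code: it evaluates an "@base,offset,length" expression against constructed IPv4 packet bytes so that the bit-based offsets become concrete. The helper names, the packets and the choice of protocol 91 as a protocol without a parser are my assumptions for the example; that a packet too short to contain the field simply does not match is my reading of nft's payload expression, not something the text states.

```python
"""Added example (not nftables code): evaluate an nft raw payload
expression @base,offset,length (offset and length in bits) against
constructed IPv4 packets. "nh" is the network header, "th" the
transport header, which for IPv4 starts at IHL*4 bytes."""
import struct


def parse_raw_expr(expr):
    """'@th,400,16' -> ('th', 400, 16)."""
    if not expr.startswith("@"):
        raise ValueError(f"not a raw expression: {expr}")
    base, off, length = expr[1:].split(",")
    return base, int(off), int(length)


def l4proto(packet):
    """IPv4 protocol field (byte 9)."""
    return packet[9]


def header_offset(packet, base):
    """Byte offset of the requested header base inside an IPv4 packet."""
    if base == "nh":
        return 0
    if base == "th":
        return (packet[0] & 0x0F) * 4
    raise ValueError(f"unsupported base: {base}")


def raw_field(packet, expr):
    """Extract the field as an int, or None when the packet is too short
    to contain it (the rule then does not match)."""
    base, off_bits, len_bits = parse_raw_expr(expr)
    start = header_offset(packet, base) + off_bits // 8
    end = start + (off_bits % 8 + len_bits + 7) // 8
    if end > len(packet):
        return None
    window = int.from_bytes(packet[start:end], "big")
    spare = (end - start) * 8 - off_bits % 8 - len_bits
    return (window >> spare) & ((1 << len_bits) - 1)


def rule_matches(packet, proto, expr, value):
    """Model of 'meta l4proto <proto> <expr> <value>'."""
    if l4proto(packet) != proto:
        return False
    field = raw_field(packet, expr)
    return field is not None and field == value


def build_ipv4(proto, payload, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Constructed IPv4 header (no options, checksum left zero) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0, 0, 64, proto, 0, src, dst)
    return hdr + payload


# Constructed sample packets; 91 is used as an IP protocol nft cannot parse.
PKT_MATCH = build_ipv4(91, bytes(60))                               # bytes 50-51 zero
PKT_NONZERO = build_ipv4(91, bytes(50) + b"\x00\x01" + bytes(8))    # bytes 50-51 = 1
PKT_SHORT = build_ipv4(91, bytes(40))                               # field absent
PKT_UDP = build_ipv4(17, bytes(60))                                 # wrong l4proto

if __name__ == "__main__":
    for name, pkt in [("match", PKT_MATCH), ("nonzero", PKT_NONZERO),
                      ("short", PKT_SHORT), ("udp", PKT_UDP)]:
        print(name, rule_matches(pkt, 91, "@th,400,16", 0x0))
```

Because offsets are counted in bits, "@th,400,16" lands on transport-header bytes 50 and 51; a non-byte-aligned field such as "@nh,4,4" (the IPv4 IHL nibble) works the same way through the shift-and-mask in raw_field.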

Source: opennet.ru
