nftables packet filter release 0.9.5

The nftables 0.9.5 packet filter release has been published. nftables is being developed as a replacement for iptables, ip6tables, arptables and ebtables, unifying the packet filtering interfaces for IPv4, IPv6, ARP and network bridges. The nftables package contains the packet filter components that run in user space, while the kernel side is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel changes required for nftables 0.9.5 to work are included in Linux kernel 5.7.

The kernel level provides only a generic, protocol-independent interface with the basic primitives for extracting data from packets, operating on that data and controlling the flow of execution. The filtering rules and the protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel over the Netlink interface and executed there in a dedicated virtual machine reminiscent of BPF (Berkeley Packet Filters). This approach significantly reduces the amount of filtering code running at the kernel level and moves all rule parsing and protocol handling logic into user space.

Main changes:

  • Support for packet and byte counters attached to set elements has been added. Counters are enabled with the "counter" keyword:

    table ip x {
        set y {
            typeof ip saddr
            counter
            elements = { 192.168.10.35, 192.168.10.101, 192.168.10.135 }
        }

        chain z {
            type filter hook output priority filter; policy accept;
            ip daddr @y
        }
    }

  • Initial counter values can be set, for example to restore the previous counters after a reboot, by loading them with the "nft -f" command:

    # cat ruleset.nft
    table ip x {
        set y {
            typeof ip saddr
            counter
            elements = { 192.168.10.35 counter packets 1 bytes 84, 192.168.10.101 counter packets 0 bytes 0,
                         192.168.10.135 counter packets 0 bytes 0 }
        }

        chain z {
            type filter hook output priority filter; policy accept;
            ip daddr @y
        }
    }
    # nft -f ruleset.nft
    # nft list ruleset
    table ip x {
        set y {
            typeof ip saddr
            counter
            elements = { 192.168.10.35 counter packets 1 bytes 84, 192.168.10.101 counter packets 0 bytes 0,
                         192.168.10.135 counter packets 0 bytes 0 }
        }

        chain z {
            type filter hook output priority filter; policy accept;
            ip daddr @y
        }
    }

  • Counter support is also available for flowtables:

    table ip foo {
        flowtable bar {
            hook ingress priority -100
            devices = { eth0, eth1 }
            counter
        }

        chain forward {
            type filter hook forward priority filter;
            flow add @bar counter
        }
    }

    The counters can be inspected with the "conntrack -L" command (flows handled by the flowtable are marked [OFFLOAD]):

    tcp      6 src=192.168.10.2 dst=10.0.1.2 sport=47278 dport=5201 packets=9 bytes=608 \
        src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=47278 packets=8 bytes=428 [OFFLOAD] mark=0 \
        secctx=null use=2
    tcp      6 src=192.168.10.2 dst=10.0.1.2 sport=47280 dport=5201 packets=1005763 bytes=44075714753 \
        src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=47280 packets=967505 bytes=50310268 [OFFLOAD] \
        mark=0 secctx=null use=2

  • In sets of concatenations (concatenations are bundles of addresses and ports matched together, which simplifies comparison), the "typeof" directive can now be used to derive the data type of each component of the set elements:

    table ip foo {
        set whitelist {
            typeof ip saddr . tcp dport
            elements = { 192.168.10.35 . 80, 192.168.10.101 . 80 }
        }

        chain bar {
            type filter hook prerouting priority filter; policy drop;
            ip daddr . tcp dport @whitelist accept
        }
    }

  • The "typeof" directive now also applies to concatenations in maps:

    table ip foo {
        map addr2mark {
            typeof ip saddr . tcp dport : meta mark
            elements = { 192.168.10.35 . 80 : 0x00000001,
                         192.168.10.135 . 80 : 0x00000002 }
        }

        chain bar {
            type filter hook prerouting priority filter; policy drop;
            meta mark set ip daddr . tcp dport map @addr2mark accept
        }
    }

  • Support for ranges in anonymous (unnamed) sets has been added:

    # nft add rule inet filter input ip daddr . tcp dport \
        { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept

  • Packets carrying 802.1q (VLAN) tags can now be rejected when filtering on network bridges:

    # nft add rule bridge foo bar ether type vlan reject with tcp reset

  • Support for matching on the connection tracking session identifier (conntrack ID) has been added. To find the conntrack ID of a flow, use the "--output id" option of conntrack:

    # conntrack -L --output id
    udp      17 18 src=192.168.2.118 dst=192.168.2.1 sport=36424 dport=53 packets=2 \
        bytes=122 src=192.168.2.1 dst=192.168.2.118 sport=53 dport=36424 packets=2 bytes=320 \
        [ASSURED] mark=0 use=1 id=2779986232

    # nft add rule foo bar ct id 2779986232 counter
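As an added example (not part of the release notes or of the nftables project), the following Python parser reads the "conntrack -L --output id" format shown above and emits a "ct id ... counter" rule for every flow whose original-direction byte count exceeds a threshold, which is a simple way to pin a counter on the heavy [OFFLOAD] flows seen in the flowtable listing. The sample entries are constructed, and the table and chain names foo and bar are placeholders.

```python
"""Parse `conntrack -L --output id` output and build `ct id` counter rules."""
import re
from typing import Dict, List, Optional

# Constructed sample in the conntrack -L format: one short DNS flow and one
# large offloaded TCP flow. The numbers are made up for the example.
SAMPLE = """\
udp      17 18 src=192.168.2.118 dst=192.168.2.1 sport=36424 dport=53 packets=2 bytes=122 src=192.168.2.1 dst=192.168.2.118 sport=53 dport=36424 packets=2 bytes=320 [ASSURED] mark=0 use=1 id=2779986232
tcp      6 src=192.168.10.2 dst=10.0.1.2 sport=47280 dport=5201 packets=1005763 bytes=44075714753 src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=47280 packets=967505 bytes=50310268 [OFFLOAD] mark=0 secctx=null use=2 id=4242
"""

KV = re.compile(r"(\w+)=(\S+)")        # key=value tokens
FLAG = re.compile(r"\[([A-Z_]+)\]")    # [ASSURED], [OFFLOAD], ...


def parse_entry(line: str) -> Optional[Dict]:
    """Return a dict for one conntrack entry, or None for blank or malformed lines."""
    parts = line.split()
    if len(parts) < 3 or not parts[1].isdigit():   # "<proto> <protonum> ..."
        return None
    entry: Dict = {"proto": parts[0], "flags": FLAG.findall(line)}
    # The first src= starts the original direction, the second the reply direction.
    directions: List[Dict[str, str]] = []
    for key, value in KV.findall(line):
        if key == "src":
            directions.append({})
        if directions and key in ("src", "dst", "sport", "dport", "packets", "bytes"):
            directions[-1][key] = value
        elif key in ("id", "mark", "use"):
            entry[key] = int(value)
    if len(directions) != 2 or "id" not in entry:
        return None
    entry["orig"], entry["reply"] = directions
    return entry


def heavy_flow_rules(text: str, min_bytes: int, table: str, chain: str) -> List[str]:
    """One `ct id <id> counter` rule per flow whose original-direction bytes reach min_bytes."""
    rules = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is not None and int(entry["orig"]["bytes"]) >= min_bytes:
            rules.append(f"add rule {table} {chain} ct id {entry['id']} counter")
    return rules


if __name__ == "__main__":
    for rule in heavy_flow_rules(SAMPLE, 1 << 30, "foo", "bar"):
        print(rule)   # feed to `nft -f -` to install the counters
```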

Source: opennet.ru
