nftables packet filter release 1.0.2

The release of the nftables packet filter 1.0.2 has been published, unifying the packet filtering interfaces for IPv4, IPv6, ARP and network bridges (it aims to replace iptables, ip6tables, arptables and ebtables). The kernel changes required for nftables 1.0.2 to work are included in the Linux 5.17-rc kernel.

The nftables package includes the packet filter components that run in user space, while the kernel-side work is done by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel level provides only a generic, protocol-independent interface offering basic functions for extracting data from packets, performing operations on that data and controlling the flow.

The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space, after which this bytecode is loaded into the kernel through the Netlink interface and executed in the kernel in a special virtual machine resembling BPF (Berkeley Packet Filters). This approach makes it possible to significantly reduce the amount of filtering code running at the kernel level and to move all rule parsing functions and protocol-handling logic into user space.

Main innovations:

  • A rule optimization mode has been added, enabled with the new "-o" ("--optimize") option, which can be combined with "--check" to check and optimize a ruleset file without actually loading it. Optimization allows similar rules to be merged; for example, the rules

        meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
        meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.5 accept
        ip saddr 1.1.1.1 ip daddr 2.2.2.2 accept
        ip saddr 2.2.2.2 ip daddr 3.3.3.3 drop

    will be combined into

        meta iifname . ip saddr . ip daddr { eth1 . 1.1.1.1 . 2.2.2.3, eth1 . 1.1.1.2 . 2.2.2.5 } accept
        ip saddr . ip daddr vmap { 1.1.1.1 . 2.2.2.2 : accept, 2.2.2.2 . 3.3.3.3 : drop }

    Example usage:

        # nft -c -o -f ruleset.test
        Merging:
        ruleset.nft:16:3-37: ip daddr 192.168.0.1 counter accept
        ruleset.nft:17:3-37: ip daddr 192.168.0.2 counter accept
        ruleset.nft:18:3-37: ip daddr 192.168.0.3 counter accept
        into:
                ip daddr { 192.168.0.1, 192.168.0.2, 192.168.0.3 } counter packets 0 bytes 0 accept

  • Sets can now be defined on IP and TCP option fields, as well as on SCTP chunk fields:

        set s5 {
            typeof ip option ra value
            elements = { 1, 1024 }
        }
        set s7 {
            typeof sctp chunk init num-inbound-streams
            elements = { 1, 4 }
        }
        chain c5 {
            ip option ra value @s5 accept
        }
        chain c7

  • Added support for the TCP options fastopen, md5sig and mptcp.
  • Matching on the MPTCP subtype field: tcp option mptcp subtype 1
  • Improved the kernel-side filtering code.
  • Flowtables now have full JSON support.
  • Added the ability to use the "reject" action in rules of the bridge family, for example: ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject
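To make the merging behaviour of the new "-o" optimizer described above concrete, here is an added toy Python reimplementation of the idea (it is not nftables' own code): adjacent rules with the same match fields are folded into an anonymous set when they share a verdict and into a verdict map when they do not. It assumes the simplified rule shape used in the examples on this page and knows only the "counter" statement.

```python
# Added toy re-implementation of the merging behind "nft -o"; not nftables' own code.
VERDICTS = {"accept", "drop", "reject"}

def parse_rule(rule):
    """Return (selectors, values, statements, verdict) for one rule line."""
    tokens = rule.split()
    verdict = tokens.pop()
    if verdict not in VERDICTS:
        raise ValueError(f"rule has no verdict: {rule!r}")
    stmts = []
    while tokens and tokens[-1] == "counter":   # only statement the toy knows
        stmts.insert(0, tokens.pop())
    if len(tokens) % 3:                # expect "<word> <word> <value>" triples
        raise ValueError(f"unsupported match syntax: {rule!r}")
    selectors = tuple(" ".join(tokens[i:i + 2]) for i in range(0, len(tokens), 3))
    values = tuple(tokens[i + 2] for i in range(0, len(tokens), 3))
    return selectors, values, tuple(stmts), verdict

def optimize(rules):
    # Merge runs of ADJACENT rules that match on the same selectors; only adjacent
    # ones, because nftables evaluates rules in order and the first match wins.
    groups = []  # [((selectors, stmts), [(values, verdict), ...]), ...]
    for rule in rules:
        sel, vals, stmts, verdict = parse_rule(rule)
        if groups and groups[-1][0] == (sel, stmts):
            groups[-1][1].append((vals, verdict))
        else:
            groups.append(((sel, stmts), [(vals, verdict)]))
    out = []
    for (sel, stmts), entries in groups:
        tail = "".join(f" {s}" for s in stmts)
        key = " . ".join(sel)          # concatenation of the selectors
        if len(entries) == 1:          # nothing to merge: re-emit unchanged
            vals, verdict = entries[0]
            out.append(" ".join(f"{s} {v}" for s, v in zip(sel, vals)) + f"{tail} {verdict}")
        elif len({v for _, v in entries}) == 1:   # one shared verdict -> set
            elems = ", ".join(" . ".join(v) for v, _ in entries)
            out.append(f"{key} {{ {elems} }}{tail} {entries[0][1]}")
        else:                          # mixed verdicts -> vmap (statements first)
            elems = ", ".join(f"{' . '.join(v)} : {verdict}" for v, verdict in entries)
            out.append(f"{tail.strip()} {key} vmap {{ {elems} }}".strip())
    return out

# Constructed sample input: the four rules from this page's release notes.
PAGE_RULES = [
    "meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept",
    "meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.5 accept",
    "ip saddr 1.1.1.1 ip daddr 2.2.2.2 accept",
    "ip saddr 2.2.2.2 ip daddr 3.3.3.3 drop",
]
```

Running optimize(PAGE_RULES) yields the two merged rules shown above; the real nft additionally prints counters with their zeroed state and refuses many rule shapes this toy does not handle.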

Source: opennet.ru
