nftables packet filter release 1.0.6

nftables 1.0.6 has been released. nftables unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridges (it is intended to replace iptables, ip6tables, arptables and ebtables). The nftables package contains the user-space components of the packet filter; the kernel side is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel part offers only a generic, protocol-independent interface with basic primitives for extracting data from packets, operating on that data and controlling the flow of evaluation.

Rule parsing and the protocol-specific handlers live in user space, where rules are compiled into bytecode; that bytecode is then loaded into the kernel over the Netlink interface and executed there by a small virtual machine in the spirit of BPF (Berkeley Packet Filters). This design greatly reduces the amount of filtering code running in the kernel and moves all rule parsing and protocol-handling logic into user space.

Major changes:

  • The ruleset optimizer, enabled with the "-o/--optimize" option, can now merge a run of rules into a single rule keyed by a concatenation of sets and maps. For example, the ruleset

        # cat ruleset.nft
        table ip x {
                chain y {
                        type filter hook input priority filter; policy drop;
                        meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
                        meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4 accept
                        meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.3.0/24 accept
                        meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.4.0-2.2.4.10 accept
                        meta iifname eth2 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept
                }
        }

    is reported by "nft -o -c -f ruleset.nft" as follows ("-c" only checks and prints what would change; omit it to load the optimized ruleset):

        Merging:
        ruleset.nft:4:17-74: meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
        ruleset.nft:5:17-74: meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4 accept
        ruleset.nft:6:17-77: meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.3.0/24 accept
        ruleset.nft:7:17-83: meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.4.0-2.2.4.10 accept
        ruleset.nft:8:17-74: meta iifname eth2 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept
        into:
                iifname . ip saddr . ip daddr { eth1 . 1.1.1.1 . 2.2.2.3, eth1 . 1.1.1.2 . 2.2.2.4, eth1 . 1.1.1.2 . 2.2.3.0/24, eth1 . 1.1.1.2 . 2.2.4.0-2.2.4.10, eth2 . 1.1.1.3 . 2.2.2.5 } accept

  • The optimizer can also condense rules that already use simple (anonymous) sets into a more compact form. For example:

        # cat ruleset.nft
        table ip filter {
                chain input {
                        type filter hook input priority filter; policy drop;
                        iifname "lo" accept
                        ct state established,related accept comment "We trust the originating traffic"
                        iifname "enp0s31f6" ip saddr { 209.115.181.102, 216.197.228.230 } ip daddr 10.0.0.149 udp sport 123 udp dport 32768-65535 accept
                        iifname "enp0s31f6" ip saddr { 64.59.144.17, 64.59.150.133 } ip daddr 10.0.0.149 udp sport 53 udp dport 32768-65535 accept
                }
        }

    After running "nft -o -c -f ruleset.nft" the two UDP rules are packed like this:

        Merging:
        ruleset.nft:6:22-149: iifname "enp0s31f6" ip saddr { 209.115.181.102, 216.197.228.230 } ip daddr 10.0.0.149 udp sport 123 udp dport 32768-65535 accept
        ruleset.nft:7:22-143: iifname "enp0s31f6" ip saddr { 64.59.144.17, 64.59.150.133 } ip daddr 10.0.0.149 udp sport 53 udp dport 32768-65535 accept
        into:
                iifname . ip saddr . ip daddr . udp sport . udp dport { enp0s31f6 . 209.115.181.102 . 10.0.0.149 . 123 . 32768-65535, enp0s31f6 . 216.197.228.230 . 10.0.0.149 . 123 . 32768-65535, enp0s31f6 . 64.59.144.17 . 10.0.0.149 . 53 . 32768-65535, enp0s31f6 . 64.59.150.133 . 10.0.0.149 . 53 . 32768-65535 } accept

  • Fixed bytecode generation when merging intervals whose key types use different byte orders, for example an IPv4 address (network byte order) concatenated with meta mark (host byte order):

        table ip x {
                map w {
                        typeof ip saddr . meta mark : verdict
                        flags interval
                        counter
                        elements = { 127.0.0.1-127.0.0.4 . 0x123434-0xb00122 : accept,
                                     192.168.0.10-192.168.1.20 . 0x0000aa00-0x0000aaff : accept, }
                }
                chain k {
                        type filter hook input priority filter; policy drop;
                        ip saddr . meta mark vmap @w
                }
        }

  • Support for matching rarely used protocols that have no dedicated syntax by means of raw payload expressions, for example "meta l4proto 91 @th,400,16 0x0 accept" (protocol 91, a 16-bit field at bit offset 400 of the transport header).
  • Fixed the insertion of rules containing intervals, for example "insert rule x y tcp sport { 3478-3497, 16384-16387 } accept".
  • The JSON API has been extended to support expressions in set and map elements.
  • The Python nftables bindings can now load rulesets in check mode ("-c") and support defining external variables.
  • Comments can now be added to set elements.
  • A zero value is now allowed in byte limits.
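To make the first two optimizer items concrete, here is a small Python illustration of the merge they describe. This is example code added for this page, not nftables' own optimizer: it assumes rules are plain nft-syntax strings built only from the selectors listed in SELECTORS, that each value is a single token, a CIDR, a range a-b or an anonymous set "{ a, b }", and that the rule ends with a verdict. It deliberately merges only runs of consecutive rules with identical selectors and verdict, because a differing rule in between must keep its position under first-match semantics; a rule set that interleaves accept and drop rules therefore comes out unchanged.

```python
"""Illustration of the rule merge performed by "nft -o" (added example,
not nftables' own code).  Consecutive rules that test the same selectors
with the same verdict are collapsed into one rule keyed by a
concatenation set.  Assumptions: rules use only the selectors in
SELECTORS; values are a token, a CIDR, a range a-b or an anonymous set.
"""
from itertools import product

# Selectors this toy understands ("meta iifname" is the same key as "iifname").
SELECTORS = ("meta iifname", "iifname", "ip saddr", "ip daddr",
             "tcp sport", "tcp dport", "udp sport", "udp dport")
VERDICTS = ("accept", "drop")


def parse_rule(rule):
    """Split an nft rule into (keys, values, verdict).

    values[i] is the list of alternatives for keys[i]; an anonymous set
    "{ a, b }" expands into several alternatives.
    """
    rule = rule.strip()
    verdict = rule.split()[-1]
    if verdict not in VERDICTS:
        raise ValueError(f"unsupported verdict in rule: {rule}")
    body = rule[: -len(verdict)].strip()
    keys, values = [], []
    while body:
        for sel in SELECTORS:
            if body.startswith(sel + " "):
                break
        else:
            raise ValueError(f"unsupported selector at: {body}")
        rest = body[len(sel):].strip()
        if rest.startswith("{"):                  # anonymous set
            end = rest.index("}")
            alts = [v.strip() for v in rest[1:end].split(",") if v.strip()]
            rest = rest[end + 1:].strip()
        else:                                     # single value, CIDR or range
            parts = rest.split(None, 1)
            alts = [parts[0].strip('"')]
            rest = parts[1] if len(parts) > 1 else ""
        keys.append(sel.replace("meta ", ""))
        values.append(alts)
        body = rest
    return tuple(keys), values, verdict


def format_run(run):
    """Emit one rule for a run of parsed rules with equal keys and verdict."""
    keys, _, verdict = run[0]
    if len(run) == 1 and all(len(v) == 1 for v in run[0][1]):
        # A lone rule without sets is left as it was written.
        return " ".join(f"{k} {v[0]}" for k, v in zip(keys, run[0][1])) + " " + verdict
    # Every combination of alternatives becomes one concatenation element.
    elems = [" . ".join(combo) for _, values, _ in run for combo in product(*values)]
    return f"{' . '.join(keys)} {{ {', '.join(elems)} }} {verdict}"


def optimize(rules):
    """Merge consecutive rules that share selectors and verdict; never reorder."""
    out, run = [], []
    for rule in rules:
        parsed = parse_rule(rule)
        if run and (parsed[0], parsed[2]) != (run[0][0], run[0][2]):
            out.append(format_run(run))
            run = []
        run.append(parsed)
    if run:
        out.append(format_run(run))
    return out


# Constructed input: the rules from the two chains quoted in the release notes.
SAMPLE_A = [
    "meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept",
    "meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4 accept",
    "meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.3.0/24 accept",
    "meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.4.0-2.2.4.10 accept",
    "meta iifname eth2 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept",
]
SAMPLE_B = [
    'iifname "lo" accept',
    'iifname "enp0s31f6" ip saddr { 209.115.181.102, 216.197.228.230 } ip daddr 10.0.0.149 udp sport 123 udp dport 32768-65535 accept',
    'iifname "enp0s31f6" ip saddr { 64.59.144.17, 64.59.150.133 } ip daddr 10.0.0.149 udp sport 53 udp dport 32768-65535 accept',
]

if __name__ == "__main__":
    for sample in (SAMPLE_A, SAMPLE_B):
        for line in optimize(sample):
            print(line)
```

Run it and compare the output with the "into:" lines above; the "lo" rule stays separate because its selector list differs from the UDP rules. The real optimizer does more (it also merges into maps and handles more expression types), but the safety property is the same: only rules whose relative order does not matter are combined.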

Source: opennet.ru
