nftables packet filter release 1.0.7

The release of the packet filter nftables 1.0.7 has been published. It unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridges (it is designed to replace iptables, ip6tables, arptables and ebtables). The nftables package contains the packet filter components that run in user space, while the kernel side is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. At the kernel level only a generic, protocol-independent interface is provided; it offers the basic primitives for extracting data from packets, performing operations on that data and controlling the flow of processing.

The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space, after which this bytecode is loaded into the kernel over the Netlink interface and executed in the kernel by a special virtual machine resembling BPF (Berkeley Packet Filters). This approach makes it possible to significantly reduce the amount of filtering code that runs at the kernel level and to move all rule parsing and protocol-handling logic into user space.

Major changes:

  • On systems running Linux kernel 6.2+, support for the vxlan, geneve, gre and gretap protocol mappings has been added, which allows simple expressions to check headers inside encapsulated packets. For example, to check the IP address in the header of a packet nested inside VxLAN, you can now use rules such as the following (without first having to de-encapsulate the VxLAN header and bind the filter to vxlan0):

        ... udp dport 4789 vxlan ip protocol udp
        ... udp dport 4789 vxlan ip saddr 1.2.3.0/24
        ... udp dport 4789 vxlan ip saddr . vxlan ip daddr { 1.2.3.4 . 4.3.2.1 }
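To make concrete what `udp dport 4789 vxlan ip saddr ...` has to walk through, here is an added example (Python written for this article, not nftables code) that builds a constructed Ethernet/IPv4/UDP/VXLAN/Ethernet/IPv4 frame, parses the outer and inner headers, and evaluates a match against the tunnelled source address the way the rule above does, alongside a plain `ip saddr` match that only sees the outer header. The frame layout follows the standard VXLAN encapsulation; the sample addresses and VNI are constructed, and checksums are left at zero because nothing here transmits the frame.

```python
"""Minimal parser for VXLAN-encapsulated IPv4 frames (added example, not nftables code)."""
import ipaddress
import struct

VXLAN_PORT = 4789     # IANA-assigned VXLAN UDP port, as used in the rules above
ETH_P_IP = 0x0800
IPPROTO_UDP = 17


def _ipv4_header(src, dst, proto, payload_len):
    """Build a 20-byte IPv4 header (checksum left zero: constructed test data only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def build_vxlan_frame(outer_src, outer_dst, inner_src, inner_dst, vni, dport=VXLAN_PORT):
    """Constructed sample: Ethernet/IPv4/UDP/VXLAN/Ethernet/IPv4 with an empty inner UDP datagram."""
    inner_l3 = _ipv4_header(inner_src, inner_dst, IPPROTO_UDP, 8) + struct.pack("!HHHH", 1111, 2222, 8, 0)
    inner_eth = bytes(12) + struct.pack("!H", ETH_P_IP)            # zero MACs, EtherType IPv4
    vxlan = struct.pack("!II", 0x08 << 24, vni << 8)                # I flag set, VNI in bits 8..31
    udp_payload = vxlan + inner_eth + inner_l3
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(udp_payload), 0) + udp_payload
    outer_l3 = _ipv4_header(outer_src, outer_dst, IPPROTO_UDP, len(udp))
    return bytes(12) + struct.pack("!H", ETH_P_IP) + outer_l3 + udp


def parse_ipv4(buf, off):
    """Return (fields, offset of the L4 header) for the IPv4 header starting at `off`."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack_from("!BBHHHBBH4s4s", buf, off)
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    fields = {"saddr": ipaddress.IPv4Address(src), "daddr": ipaddress.IPv4Address(dst), "protocol": proto}
    return fields, off + (ver_ihl & 0x0F) * 4


def parse_frame(frame):
    """Parse the outer headers and, when the UDP dport is 4789, the VXLAN header and inner IPv4."""
    if struct.unpack_from("!H", frame, 12)[0] != ETH_P_IP:
        return None
    outer, l4 = parse_ipv4(frame, 14)
    result = {"ip": outer}
    if outer["protocol"] != IPPROTO_UDP:
        return result
    sport, dport, _, _ = struct.unpack_from("!HHHH", frame, l4)
    result["udp"] = {"sport": sport, "dport": dport}
    if dport != VXLAN_PORT:
        return result                                   # not a tunnel: no "vxlan" fields exist
    flags_word, vni_word = struct.unpack_from("!II", frame, l4 + 8)
    if not (flags_word >> 24) & 0x08:                   # VNI-valid flag must be set
        return result
    inner_eth = l4 + 16                                 # 8 bytes UDP + 8 bytes VXLAN
    if struct.unpack_from("!H", frame, inner_eth + 12)[0] != ETH_P_IP:
        return result
    inner, _ = parse_ipv4(frame, inner_eth + 14)
    result["vxlan"] = {"vni": vni_word >> 8, "ip": inner}
    return result


def matches_vxlan_saddr(frame, network):
    """Equivalent of `udp dport 4789 vxlan ip saddr <network>`: only the inner header counts."""
    p = parse_frame(frame)
    if not p or "vxlan" not in p:
        return False
    return p["vxlan"]["ip"]["saddr"] in ipaddress.ip_network(network)


def matches_outer_saddr(frame, network):
    """Plain `ip saddr <network>`: sees the outer header, so the tunnelled source is invisible to it."""
    p = parse_frame(frame)
    return bool(p) and p["ip"]["saddr"] in ipaddress.ip_network(network)


if __name__ == "__main__":
    f = build_vxlan_frame("192.0.2.1", "192.0.2.2", "1.2.3.4", "4.3.2.1", vni=100)
    print(parse_frame(f))
    print(matches_vxlan_saddr(f, "1.2.3.0/24"), matches_outer_saddr(f, "1.2.3.0/24"))
```

The point of the two matcher functions is the one the release note makes: before these mappings, a filter on the tunnel endpoint host could only see the outer 192.0.2.x addresses unless the traffic was first decapsulated onto a vxlan0 device; the `vxlan ip saddr` expression lets the rule inspect the inner header directly, while a non-VXLAN datagram to another port simply has no `vxlan` fields to match.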
  • Support has been added for automatically merging the remainders left after partial deletion of a set element, which lets you delete a single element or part of a range from an existing range (previously a range could only be deleted as a whole). For example, after deleting element 25 from the set of ranges 24-30 and 40-50, the set will contain 24, 26-30 and 40-50. The fixes required for auto-merging to work will be backported to the stable 5.10+ kernel branches.

        # nft list ruleset
        table ip x {
                set y {
                        typeof tcp dport
                        flags interval
                        auto-merge
                        elements = { 24-30, 40-50 }
                }
        }
        # nft delete element ip x y { 25 }
        # nft list ruleset
        table ip x {
                set y {
                        typeof tcp dport
                        flags interval
                        auto-merge
                        elements = { 24, 26-30, 40-50 }
                }
        }
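The listing above shows one deletion. The following added example (Python written for this article, not nftables' own implementation) models the `auto-merge` interval semantics in general: adding elements merges overlapping or adjacent ranges, and deleting an element or a sub-range splits whatever interval it falls inside, leaving the remainders. It parses and prints the `elements = { ... }` notation used in the listing; the integer-only representation is an assumption that fits port sets like `tcp dport`.

```python
"""Interval set with nftables-style auto-merge semantics (added example, not nft's code).
Elements are closed integer ranges (lo, hi); a single value v is the range (v, v)."""
from typing import Iterable, List, Tuple

Interval = Tuple[int, int]


def _normalise(elements: Iterable[Interval]) -> List[Interval]:
    """Sort and merge overlapping or adjacent intervals, as `auto-merge` does on add."""
    merged: List[Interval] = []
    for lo, hi in sorted(elements):
        if merged and lo <= merged[-1][1] + 1:          # overlap or adjacency: extend previous
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def add_elements(elements: Iterable[Interval], new: Iterable[Interval]) -> List[Interval]:
    """nft add element ... : insert ranges, merging with what is already there."""
    return _normalise(list(elements) + list(new))


def delete_elements(elements: Iterable[Interval], to_delete: Iterable[Interval]) -> List[Interval]:
    """nft delete element ... : remove ranges, splitting intervals that are only partly deleted."""
    result = list(elements)
    for dlo, dhi in to_delete:
        remaining: List[Interval] = []
        for lo, hi in result:
            if dhi < lo or dlo > hi:                    # no overlap: keep untouched
                remaining.append((lo, hi))
                continue
            if lo < dlo:                                # left remainder survives
                remaining.append((lo, dlo - 1))
            if hi > dhi:                                # right remainder survives
                remaining.append((dhi + 1, hi))
        result = remaining
    return _normalise(result)


def parse_elements(text: str) -> List[Interval]:
    """Parse the `{ 24-30, 40-50 }` list form from an nft listing into intervals."""
    items: List[Interval] = []
    for tok in text.strip().strip("{}").split(","):
        tok = tok.strip()
        if not tok:
            continue
        if "-" in tok:
            lo, hi = tok.split("-", 1)
            items.append((int(lo), int(hi)))
        else:
            items.append((int(tok), int(tok)))
    return _normalise(items)


def format_elements(elements: Iterable[Interval]) -> str:
    """Render intervals back in the listing's notation, single values without a dash."""
    parts = [f"{lo}-{hi}" if lo != hi else str(lo) for lo, hi in elements]
    return "{ " + ", ".join(parts) + " }"


if __name__ == "__main__":
    s = parse_elements("{ 24-30, 40-50 }")
    s = delete_elements(s, [(25, 25)])                   # the deletion shown in the listing
    print(format_elements(s))                           # { 24, 26-30, 40-50 }
    print(format_elements(add_elements(s, [(31, 39)]))) # the gap closes again: { 24, 26-50 }
```

Running the script reproduces the listing's result and then shows the other half of the behaviour: adding 31-39 back into the split set merges 26-30, 31-39 and 40-50 into one range, which is why a ruleset with `auto-merge` can look different from what was literally written into it.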
  • Maps with intervals and concatenations can now be used with destination address translation (NAT):

        table ip nat {
                chain prerouting {
                        type nat hook prerouting priority dstnat; policy accept;
                        dnat to ip daddr . tcp dport map { 10.1.1.136 . 80 : 1.1.2.69 . 1024, 10.1.1.10-10.1.1.20 . 8888-8889 : 1.1.2.69 . persistent }
                }
        }
  • Support for the "last" expression has been added, which lets you find out when a rule or set element was last used. The feature is supported starting with Linux kernel 5.14.

        table ip x {
                set y {
                        typeof ip daddr . tcp dport
                        size 65535
                        flags dynamic,timeout
                        last
                        timeout 1h
                }
                chain z {
                        type filter hook output priority filter; policy accept;
                        update @y { ip daddr . tcp dport }
                }
        }
        # nft list set ip x y
        table ip x {
                set y {
                        typeof ip daddr . tcp dport
                        size 65535
                        flags dynamic,timeout
                        last
                        timeout 1h
                        elements = { 172.217.17.14 . 443 last used 1s591ms timeout 1h expires 59m58s409ms,
                                     172.67.69.19 . 443 last used 4s636ms timeout 1h expires 59m55s364ms,
                                     142.250.201.72 . 443 last used 4s748ms timeout 1h expires 59m55s252ms,
                                     172.67.70.134 . 443 last used 4s688ms timeout 1h expires 59m55s312ms,
                                     35.241.9.150 . 443 last used 5s204ms timeout 1h expires 59m54s796ms,
                                     138.201.122.174 . 443 last used 4s537ms timeout 1h expires 59m55s463ms,
                                     34.160.144.191 . 443 last used 5s205ms timeout 1h expires 59m54s795ms,
                                     130.211.23.194 . 443 last used 4s436ms timeout 1h expires 59m55s564ms }
                }
        }
  • Quotas can now be defined on set elements. For example, to set a traffic quota for each individual destination IP address, you can write:

        table netdev x {
                set y {
                        typeof ip daddr
                        size 65535
                        quota over 10000 mbytes
                }
                chain y {
                        type filter hook egress device "eth0" priority filter; policy accept;
                        ip daddr @y drop
                }
        }
        # nft add element netdev x y { 8.8.8.8 }
        # ping -c 2 8.8.8.8
        # nft list ruleset
        table netdev x {
                set y {
                        type ipv4_addr
                        size 65535
                        quota over 10000 mbytes
                        elements = { 8.8.8.8 quota over 10000 mbytes used 196 bytes }
                }
                chain y {
                        type filter hook egress device "eth0" priority filter; policy accept;
                        ip daddr @y drop
                }
        }
  • Constants can now be used in set updates. For example, when using the destination address and the VLAN ID as the set key, you can specify the VLAN number directly (daddr . 123):

        table netdev t {
                set s {
                        typeof ether saddr . vlan id
                        size 2048
                        flags dynamic,timeout
                        timeout 1m
                }
                chain c {
                        type filter hook ingress device eth0 priority 0; policy accept;
                        ether type != 8021q update @s { ether daddr . 123 } counter
                }
        }
  • A new "destroy" command has been added for deleting objects unconditionally (unlike the delete command, it does not return ENOENT when asked to delete an object that does not exist). It requires at least Linux kernel 6.3-rc to work.

        destroy table ip filter

Source: opennet.ru
