The nftables 0.9.9 packet filter has been released. It unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridges (and aims to replace iptables, ip6tables, arptables and ebtables). The accompanying libnftnl 1.2.0 library, which provides the low-level API for talking to the nf_tables subsystem, was released at the same time. The kernel changes required by nftables 0.9.9 are included in Linux 5.13-rc1.
The nftables package contains the packet filter components that run in user space; on the kernel side the work is done by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. At the kernel level only a generic, protocol-independent interface is provided, offering basic primitives for extracting data from packets, operating on that data and controlling flow.
The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space; that bytecode is then loaded into the kernel over the Netlink interface and executed in the kernel by a dedicated virtual machine resembling BPF (Berkeley Packet Filter). This approach greatly reduces the amount of filtering code running at the kernel level and moves all rule parsing and protocol logic into user space.
Main new features:
- It is now possible to push flowtable processing to the network adapter, enabled with the 'offload' flag. A flowtable is a mechanism for optimizing the forwarding path: the full pass through all rule chains is applied only to the first packet of a flow, and all remaining packets of that flow are forwarded directly.

    table ip global {
        flowtable f {
            hook ingress priority filter + 1
            devices = { lan3, lan0, wan }
            flags offload
        }
        chain forward {
            type filter hook forward priority filter;
            policy accept;
            ip protocol { tcp, udp } flow add @f
        }
        chain post {
            type nat hook postrouting priority filter;
            policy accept;
            oifname "wan" masquerade
        }
    }

- Added support for attaching the owner flag to a table, giving one process exclusive use of the table. When the process exits, the table bound to it is deleted automatically. Information about the owning process is shown in rule dumps as a comment:

    table ip x { # progname nft
        flags owner
        chain y {
            type filter hook input priority filter;
            policy accept;
            counter packets 1 bytes 309
        }
    }

- Added support for IEEE 802.1ad (VLAN stacking, or QinQ), which defines how several VLAN tags are inserted into a single Ethernet frame. For example, to match an outer Ethernet frame of type 8021ad with vlan id 342 you can use:

    ... ether type 8021ad vlan id 342

  To match an outer 8021ad frame with vlan id 1, a nested 802.1q tag with vlan id 2, and an encapsulated IP packet after that:

    ... ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip counter

- Added support for resource control with cgroups v2. The key difference between cgroups v2 and v1 is a single common cgroup hierarchy for all resource types, instead of separate hierarchies for CPU allocation, memory limiting and I/O. For example, to check that the socket's ancestor at the first cgroupv2 level matches "system.slice":

    ... socket cgroupv2 level 1 "system.slice"

- Added the ability to inspect the chunks that make up SCTP packets (the kernel side of this will arrive in Linux 5.14). For example, to check that the packet carries a chunk of type 'data', and to check that chunk's 'type' field:

    ... sctp chunk data exists
    ... sctp chunk data type 0

- Rule loading with the "-f" flag is roughly twice as fast. Listing the ruleset was also sped up.
- A compact form for testing flag bits was added: 'value / mask' compares the field masked with mask against value (field & mask == value), and '!' in front of a list checks that none of the listed bits is set. For example, to check that neither the snat nor the dnat status bit is set:

    ... ct status ! snat,dnat

  To check that syn is set and ack is clear (among the syn and ack bits, exactly syn is set):

    ... tcp flags syn / syn,ack

  To check that, looking only at the syn, ack, fin and rst bits, the set bits are not exactly fin and rst:

    ... tcp flags != fin,rst / syn,ack,fin,rst

- The "verdict" keyword is now allowed in set/map type definitions:

    add map xm { typeof iifname . ip protocol . th dport : verdict; }
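The QinQ match and the compact flag syntax above are easier to reason about against real bytes. The following is an example added by the editor, not code from nftables or from the article: it builds a constructed 802.1ad-over-802.1Q TCP frame, walks the tag stack the way the "ether type 8021ad vlan id ... vlan type 8021q vlan id ... vlan type ip" rule does, and evaluates the '! list', 'value / mask' and '!= value / mask' forms. The frame contents, MAC and IP addresses, and all function names are the editor's own; the wire constants (TPID 0x88A8 for 802.1ad, 0x8100 for 802.1Q, VLAN ID in the low 12 bits of the TCI, TCP flags in byte 13 of the TCP header) and the ct status bit values (the kernel's IPS_* bits) are standard.

```python
"""Editor's added example, not code from nftables or the article: build a
constructed QinQ (802.1ad over 802.1Q) TCP frame, walk its tag stack the way
the 'ether type 8021ad vlan id ... vlan type 8021q vlan id ... vlan type ip'
rule does, and evaluate the compact flag syntaxes from the release notes.

Wire facts used: 802.1ad tag TPID 0x88A8, 802.1Q tag TPID 0x8100, VLAN ID in
the low 12 bits of the TCI, IPv4 ethertype 0x0800, TCP flags in byte 13 of the
TCP header; ct status bit values are the kernel's IPS_* bits.
Rule semantics (nft syntax): '! a,b' = none of the bits set;
'v / m' = (field & m) == v; '!= v / m' = (field & m) != v.
Function and variable names, addresses and sample frames are the editor's own.
"""
import struct

TPID_8021AD, TPID_8021Q, ETHERTYPE_IPV4, PROTO_TCP = 0x88A8, 0x8100, 0x0800, 6

# nft names for the tcp flags byte and for ct status (IPS_* bits in nf_conntrack_common.h)
TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08,
             "ack": 0x10, "urg": 0x20, "ecn": 0x40, "cwr": 0x80}
CT_STATUS = {"expected": 0x01, "seen-reply": 0x02, "assured": 0x04,
             "confirmed": 0x08, "snat": 0x10, "dnat": 0x20}


def build_frame(tags, tcp_flags):
    """Constructed sample frame: two locally administered MACs, the given
    (tpid, vid) tag stack outermost first, a minimal IPv4 header (no options,
    checksum left zero) and a TCP header carrying the given flags byte."""
    frame = bytes.fromhex("020000000001" "0200000000ff")   # dst MAC, src MAC (made up)
    for tpid, vid in tags:
        frame += struct.pack("!HH", tpid, vid & 0x0FFF)     # TPID, TCI with PCP/DEI = 0
    frame += struct.pack("!H", ETHERTYPE_IPV4)
    frame += struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, PROTO_TCP, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    frame += struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    return frame


def parse_frame(frame):
    """Return (tag stack as [(tpid, vid), ...], final ethertype, tcp flags byte or None)."""
    off = 12
    ethertype = struct.unpack_from("!H", frame, off)[0]
    tags = []
    while ethertype in (TPID_8021AD, TPID_8021Q):            # peel tags outermost first
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append((ethertype, tci & 0x0FFF))
        off += 4
        ethertype = struct.unpack_from("!H", frame, off)[0]
    off += 2                                                 # start of the L3 header
    if ethertype != ETHERTYPE_IPV4 or frame[off + 9] != PROTO_TCP:
        return tags, ethertype, None
    ihl = (frame[off] & 0x0F) * 4
    return tags, ethertype, frame[off + ihl + 13]


def match_outer_8021ad(frame, vid):
    """'ether type 8021ad vlan id <vid>': only the outermost tag is examined."""
    tags, _, _ = parse_frame(frame)
    return bool(tags) and tags[0] == (TPID_8021AD, vid)


def match_qinq_ip(frame, outer_vid, inner_vid):
    """'ether type 8021ad vlan id <outer> vlan type 8021q vlan id <inner> vlan type ip'."""
    tags, ethertype, _ = parse_frame(frame)
    return tags == [(TPID_8021AD, outer_vid), (TPID_8021Q, inner_vid)] and ethertype == ETHERTYPE_IPV4


def bits(names, table):
    """OR together the bits named in a comma-separated nft flag list."""
    value = 0
    for name in names.split(","):
        value |= table[name.strip()]
    return value


def match_flags(field, expr, table):
    """Evaluate one of the compact flag expressions against an integer field."""
    expr = expr.strip()
    if expr.startswith("!="):                                # '!= value / mask'
        value_s, _, mask_s = expr[2:].partition("/")
        return (field & bits(mask_s, table)) != bits(value_s, table)
    if expr.startswith("!"):                                 # '! a,b': none of them set
        return (field & bits(expr[1:], table)) == 0
    if "/" in expr:                                          # 'value / mask'
        value_s, _, mask_s = expr.partition("/")
        return (field & bits(mask_s, table)) == bits(value_s, table)
    raise ValueError("only the '! list', 'value / mask' and '!= value / mask' forms are handled")


if __name__ == "__main__":
    syn = build_frame([(TPID_8021AD, 1), (TPID_8021Q, 2)], TCP_FLAGS["syn"])
    fin_ack = build_frame([(TPID_8021AD, 342)], TCP_FLAGS["fin"] | TCP_FLAGS["ack"])
    print("qinq 1/2 then ip:", match_qinq_ip(syn, 1, 2), match_qinq_ip(fin_ack, 342, 2))
    for frame in (syn, fin_ack):
        flags = parse_frame(frame)[2]
        print(hex(flags), match_flags(flags, "syn / syn,ack", TCP_FLAGS),
              match_flags(flags, "!= fin,rst / syn,ack,fin,rst", TCP_FLAGS))
    print("ct status ! snat,dnat:", match_flags(0x0E, "! snat,dnat", CT_STATUS),
          match_flags(0x1E, "! snat,dnat", CT_STATUS))
```

The FIN+ACK frame is the instructive case: "tcp flags != fin,rst / syn,ack,fin,rst" still matches it, because the masked value 0x11 is not exactly fin|rst, so this form is not a "neither fin nor rst" test; "! fin,rst" is the form that expresses that. The single-tagged frame also shows that the two-tag rule does not match a frame whose tag stack is shorter than the rule describes.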
Source: opennet.ru
