nftables packet filter 1.0.7 released

Release 1.0.7 of the nftables packet filter is out. It unifies the packet-filtering interfaces for IPv4, IPv6, ARP and network bridges (aiming to replace iptables, ip6tables, arptables and ebtables). The nftables package contains the user-space packet-filter components, while the kernel-level work is done by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. At the kernel level only a generic, protocol-independent interface is provided, offering basic primitives for extracting data from packets, performing operations on that data, and controlling flow.

Filtering rules and protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel through the Netlink interface and executed inside the kernel by a special virtual machine resembling BPF (Berkeley Packet Filters). This approach greatly reduces the amount of filtering code running at the kernel level and moves all rule parsing and protocol logic into user space.

Main changes:

  • For systems with Linux kernel 6.2+, matching on the vxlan, geneve, gre and gretap protocols has been added, so that simple expressions can check headers inside encapsulated packets. For example, to check the IP address in the header of a packet encapsulated in VxLAN, the following rules can be used (without having to parse the VxLAN header yourself or bind the filter to the vxlan0 interface):

        ... udp dport 4789 vxlan ip protocol udp
        ... udp dport 4789 vxlan ip saddr 1.2.3.0/24
        ... udp dport 4789 vxlan ip saddr . vxlan ip daddr { 1.2.3.4 . 4.3.2.1 }
  • Automatic merging of what remains of a set-list element after a partial deletion. This makes it possible to remove a single element or a sub-range from an existing range (previously only the whole range could be deleted). For example, after deleting element 25 from a set-list with the ranges 24-30 and 40-50, the remaining set-list elements are 24, 26-30 and 40-50. The fixes needed for automatic merging are expected in the maintenance releases of the stable 5.10+ kernel branches.

        # nft list ruleset
        table ip x {
                set y {
                        typeof tcp dport
                        flags interval
                        auto-merge
                        elements = { 24-30, 40-50 }
                }
        }
        # nft delete element ip x y { 25 }
        # nft list ruleset
        table ip x {
                set y {
                        typeof tcp dport
                        flags interval
                        auto-merge
                        elements = { 24, 26-30, 40-50 }
                }
        }
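As an added illustration (not code from the nftables project), the following Python model reproduces the interval-set behaviour described above: adjacent or overlapping ranges are merged on insertion (auto-merge), and deleting an element or sub-range carves it out of an existing range instead of failing. It generalises the single case shown (25 removed from 24-30, 40-50) to arbitrary ranges.

```python
# Model of an nftables interval set with auto-merge (added example, not nftables code).
from typing import List, Tuple

Range = Tuple[int, int]  # inclusive [lo, hi], written by nft as "24-30"


def normalize(ranges: List[Range]) -> List[Range]:
    """Sort and merge overlapping or adjacent ranges: the auto-merge step."""
    merged: List[Range] = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def add_elements(ranges: List[Range], new: List[Range]) -> List[Range]:
    """'nft add element': insert ranges, then let auto-merge coalesce them."""
    return normalize(list(ranges) + list(new))


def delete_elements(ranges: List[Range], remove: List[Range]) -> List[Range]:
    """'nft delete element': cut each removed range out, splitting what it overlaps."""
    for rlo, rhi in remove:
        out: List[Range] = []
        for lo, hi in ranges:
            if rhi < lo or rlo > hi:      # no overlap: element kept unchanged
                out.append((lo, hi))
                continue
            if lo < rlo:                  # keep the part left of the hole
                out.append((lo, rlo - 1))
            if hi > rhi:                  # keep the part right of the hole
                out.append((rhi + 1, hi))
        ranges = out
    return normalize(ranges)


def render(ranges: List[Range]) -> str:
    """Format the way 'nft list ruleset' prints it: elements = { 24, 26-30, 40-50 }."""
    parts = [str(lo) if lo == hi else f"{lo}-{hi}" for lo, hi in ranges]
    return "elements = { " + ", ".join(parts) + " }"


if __name__ == "__main__":
    s = add_elements([], [(24, 30), (40, 50)])
    print(render(s))                               # elements = { 24-30, 40-50 }
    print(render(delete_elements(s, [(25, 25)])))  # elements = { 24, 26-30, 40-50 }
```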
  • Concatenations and ranges may now be used in Network Address Translation (NAT) maps.

        table ip nat {
                chain prerouting {
                        type nat hook prerouting priority dstnat; policy accept;
                        dnat to ip daddr . tcp dport map { 10.1.1.136 . 80 : 1.1.2.69 . 1024, 10.1.1.10-10.1.1.20 . 8888-8889 : 1.1.2.69 . 2048-2049 } persistent
                }
        }
  • Added support for the "last" expression, which reports when a rule element or set-list element was last used. The feature is supported starting with Linux kernel 5.14.

        table ip x {
                set y {
                        typeof ip daddr . tcp dport
                        size 65535
                        flags dynamic,timeout
                        last
                        timeout 1h
                }
                chain z {
                        type filter hook output priority filter; policy accept;
                        update @y { ip daddr . tcp dport }
                }
        }
        # nft list set ip x y
        table ip x {
                set y {
                        typeof ip daddr . tcp dport
                        size 65535
                        flags dynamic,timeout
                        last
                        timeout 1h
                        elements = { 172.217.17.14 . 443 last used 1s591ms timeout 1h expires 59m58s409ms,
                                     172.67.69.19 . 443 last used 4s636ms timeout 1h expires 59m55s364ms,
                                     142.250.201.72 . 443 last used 4s748ms timeout 1h expires 59m55s252ms,
                                     172.67.70.134 . 443 last used 4s688ms timeout 1h expires 59m55s312ms,
                                     35.241.9.150 . 443 last used 5s204ms timeout 1h expires 59m54s796ms,
                                     138.201.122.174 . 443 last used 4s537ms timeout 1h expires 59m55s463ms,
                                     34.160.144.191 . 443 last used 5s205ms timeout 1h expires 59m54s795ms,
                                     130.211.23.194 . 443 last used 4s436ms timeout 1h expires 59m55s564ms }
                }
        }
  • Added the ability to define quotas in set-lists. For example, to define a traffic quota per destination IP address you can specify:

        table netdev x {
                set y {
                        typeof ip daddr
                        size 65535
                        quota over 10000 mbytes
                }
                chain y {
                        type filter hook egress device "eth0" priority filter; policy accept;
                        ip daddr @y drop
                }
        }
        # nft add element netdev x y { 8.8.8.8 }
        # ping -c 2 8.8.8.8
        # nft list ruleset
        table netdev x {
                set y {
                        type ipv4_addr
                        size 65535
                        quota over 10000 mbytes
                        elements = { 8.8.8.8 quota over 10000 mbytes used 196 bytes }
                }
                chain y {
                        type filter hook egress device "eth0" priority filter; policy accept;
                        ip daddr @y drop
                }
        }
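As an added example (not nftables code), the Python parser below reads the per-element attributes that "nft list set" prints for the "last" expression (previous item) and for set quotas (this item), so an operator can find dynamic entries that have gone idle or quotas close to exhaustion. The input is a constructed listing shaped like the output above, not a capture from a real host.

```python
# Parser for per-element attributes in 'nft list set' output (added example).
import re
from typing import Dict, List

# Constructed sample shaped like the listings above (not a real capture).
SAMPLE = """elements = { 172.217.17.14 . 443 last used 1s591ms timeout 1h expires 59m58s409ms,
             172.67.69.19 . 443 last used 45m12s timeout 1h expires 14m48s,
             8.8.8.8 quota over 10000 mbytes used 196 bytes,
             10.0.0.7 quota over 1 mbytes used 900 kbytes }"""

_UNIT_MS = {"d": 86_400_000, "h": 3_600_000, "m": 60_000, "s": 1_000, "ms": 1}
_UNIT_BYTES = {"bytes": 1, "kbytes": 1024, "mbytes": 1024 ** 2, "gbytes": 1024 ** 3}
_DUR = re.compile(r"(\d+)(ms|d|h|m|s)")
_SPLIT = re.compile(r"^(?P<key>.+?)\s+(?P<attrs>(?:last used|timeout|expires|quota)\b.*)$")
_QUOTA = re.compile(r"quota over (\d+) (\w+) used (\d+) (\w+)")


def parse_duration_ms(text: str) -> int:
    """'59m58s409ms' -> 3598409; nft prints units largest-first with no separators."""
    return sum(int(n) * _UNIT_MS[u] for n, u in _DUR.findall(text))


def parse_elements(listing: str) -> List[Dict]:
    """One dict per element: the set key plus whatever attributes nft printed."""
    body = listing[listing.index("{") + 1 : listing.rindex("}")]
    out: List[Dict] = []
    for raw in (e.strip() for e in body.split(",") if e.strip()):
        m = _SPLIT.match(raw)
        elem: Dict = {"key": raw if m is None else m["key"]}
        attrs = "" if m is None else m["attrs"]
        for field, label in (("idle_ms", "last used"), ("timeout_ms", "timeout"), ("expires_ms", "expires")):
            found = re.search(rf"{label} (\S+)", attrs)
            if found:
                elem[field] = parse_duration_ms(found.group(1))
        q = _QUOTA.search(attrs)
        if q:
            elem["quota_bytes"] = int(q.group(1)) * _UNIT_BYTES[q.group(2)]
            elem["used_bytes"] = int(q.group(3)) * _UNIT_BYTES[q.group(4)]
        out.append(elem)
    return out


def stale_keys(elements: List[Dict], idle_ms: int) -> List[str]:
    """Keys not hit for at least idle_ms: candidates for review or a shorter timeout."""
    return [e["key"] for e in elements if e.get("idle_ms", -1) >= idle_ms]


def near_quota(elements: List[Dict], ratio: float) -> List[str]:
    """Keys whose quota usage has reached the given fraction of the limit."""
    return [e["key"] for e in elements
            if "quota_bytes" in e and e["used_bytes"] >= ratio * e["quota_bytes"]]
```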
  • Constants are allowed in set-lists. For example, when a destination address and a VLAN ID are used as the set key, the VLAN number can be given directly (daddr . 123):

        table netdev t {
                set s {
                        typeof ether saddr . vlan id
                        size 2048
                        flags dynamic,timeout
                        timeout 1m
                }
                chain c {
                        type filter hook ingress device eth0 priority 0; policy accept;
                        ether type != 8021q update @s { ether daddr . 123 } counter
                }
        }
  • A new "destroy" command has been added for unconditional deletion of objects (unlike the delete command, it does not produce ENOENT when asked to delete an object that does not exist). It requires at least Linux kernel 6.3-rc.

        destroy table ip filter

Source: opennet.ru