nftables 0.9.4 packet filter released

The release of the nftables 0.9.4 packet filter has been published, unifying and replacing iptables, ip6tables, arptables and ebtables by providing packet filtering for IPv4, IPv6, ARP and network bridges. The nftables package contains the packet filter components that run in user space, while the kernel side is provided by the nf_tables subsystem, part of the Linux kernel since release 3.13. The kernel changes required for some of the nftables 0.9.4 features are included in the upcoming Linux 5.6 kernel branch.

The kernel level provides only a generic, protocol-independent interface that offers basic functions for extracting data from packets, performing operations on that data, and controlling flow. Filter rules and protocol-specific handlers are compiled into bytecode in user space, after which this bytecode is loaded into the kernel through the Netlink interface and executed in a dedicated virtual machine reminiscent of BPF (Berkeley Packet Filters). This approach greatly reduces the amount of filtering code running at the kernel level and moves all rule parsing and protocol handling logic into user space.

Main new features:

  • Support for concatenated interval sets (combinations of address and port ranges that are matched together). For example, for a set "whitelist" whose elements are concatenations, specifying the "interval" flag indicates that the set may contain combined ranges: for the concatenation "ipv4_addr . ipv4_addr . inet_service" it was previously only possible to list exact matches of the form "192.168.10.35 . 192.68.11.123 . 80", whereas now address ranges such as "192.168.10.35-192.168.10.40 . 192.68.11.123-192.168.11.125 . 80" can be specified.

    table ip foo {
        set whitelist {
            type ipv4_addr . ipv4_addr . inet_service
            flags interval
            elements = { 192.168.10.35-192.168.10.40 . 192.68.11.123-192.168.11.125 . 80 }
        }

        chain bar {
            type filter hook prerouting priority filter; policy drop;
            ip saddr . ip daddr . tcp dport @whitelist accept
        }
    }
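To make the matching semantics of such a concatenated interval set concrete, here is an added example (not code from the nftables project or this article) that parses elements of the "ipv4_addr . ipv4_addr . inet_service" type and checks a (saddr, daddr, dport) tuple against them the way the rule above would; the element list is constructed for illustration and the function names are the author's own.

```python
import ipaddress

# Element type of the example set: ipv4_addr . ipv4_addr . inet_service
ELEMENT_TYPE = ("ipv4_addr", "ipv4_addr", "inet_service")

# Constructed sample elements: the interval element from the release note plus an exact one.
WHITELIST = [
    "192.168.10.35-192.168.10.40 . 192.68.11.123-192.168.11.125 . 80",
    "10.0.0.1 . 10.0.0.2 . 443",
]

def to_int(value, kind):
    """Convert one scalar component to an integer so ranges can be compared."""
    if kind == "ipv4_addr":
        return int(ipaddress.IPv4Address(value.strip()))
    if kind == "inet_service":
        port = int(value)
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        return port
    raise ValueError(f"unsupported component type: {kind}")

def parse_element(element):
    """Split 'a . b . c' into one (low, high) interval per component.
    A component without '-' is an interval of width one (exact match)."""
    parts = [p.strip() for p in element.split(" . ")]
    if len(parts) != len(ELEMENT_TYPE):
        raise ValueError(f"expected {len(ELEMENT_TYPE)} components: {element!r}")
    intervals = []
    for text, kind in zip(parts, ELEMENT_TYPE):
        low, _, high = text.partition("-")
        low_i = to_int(low, kind)
        high_i = to_int(high, kind) if high else low_i
        if high_i < low_i:
            raise ValueError(f"inverted interval: {text!r}")
        intervals.append((low_i, high_i))
    return intervals

def lookup(saddr, daddr, dport, elements=WHITELIST):
    """True if (saddr, daddr, dport) lies inside some element, i.e. what the
    rule 'ip saddr . ip daddr . tcp dport @whitelist accept' would match."""
    key = (to_int(saddr, "ipv4_addr"),
           to_int(daddr, "ipv4_addr"),
           to_int(str(dport), "inet_service"))
    for element in elements:
        bounds = parse_element(element)
        if all(low <= k <= high for k, (low, high) in zip(key, bounds)):
            return True
    return False
```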

  • In sets and maps it is now possible to use the "typeof" directive, which derives the element type from the expression used for matching.
    For example:

    table ip foo {
        set whitelist {
            typeof ip saddr
            elements = { 192.168.10.35, 192.168.10.101, 192.168.10.135 }
        }

        chain bar {
            type filter hook prerouting priority filter; policy drop;
            ip daddr @whitelist accept
        }
    }

    table ip foo {
        map addr2mark {
            typeof ip saddr : meta mark
            elements = { 192.168.10.35 : 0x00000001, 192.168.10.135 : 0x00000002 }
        }
    }

  • Added the ability to use concatenations in NAT mappings, which allows both the address and the port to be specified when defining NAT translations based on maps or named sets:

    nft add rule ip nat pre dnat ip addr . port to ip saddr map { 1.1.1.1 : 2.2.2.2 . 30 }

    nft add map ip nat destinations { type ipv4_addr . inet_service : ipv4_addr . inet_service \; }
    nft add rule ip nat pre dnat ip addr . port to ip saddr . tcp dport map @destinations

  • Support for hardware acceleration, where some filtering operations are performed by the network card. Acceleration is enabled through the ethtool utility ("ethtool -K eth0 hw-tc-offload on"), after which it is activated in nftables on the base chain using the "offload" flag. With Linux kernel 5.6, hardware acceleration is supported for matching header fields and checking the incoming interface, combined with accepting, dropping, duplicating (dup) and forwarding (fwd) packets. In the example below, dropping packets from the address 192.168.30.20 is performed at the network card level, without handing the packets to the kernel:

    # cat file.nft
    table netdev x {
        chain y {
            type filter hook ingress device eth0 priority 10; flags offload;
            ip saddr 192.168.30.20 drop
        }
    }
    # nft -f file.nft

  • More informative reporting of the location of errors in rules.

    # nft delete rule ip y z handle 7
    Error: Could not process rule: No such file or directory
    delete rule ip y z handle 7
                   ^

    # nft delete rule ip x x handle 7
    Error: Could not process rule: No such file or directory
    delete rule ip x x handle 7
                              ^

    # nft delete table twst
    Error: No such file or directory; did you mean table ‘test’ in family ip?
    delete table twst
                 ^^^^

    The first example shows that table "y" does not exist on the system, the second that handle "7" is missing, and the third that a typo in the table name is pointed out immediately.

  • Added support for checking the slave interface (for VRF setups) by specifying "meta sdif" or "meta sdifname":

    ... meta sdifname vrf1 ...

  • Added support for right and left shift operations. For example, modify the existing packet mark by shifting it left by 1 bit and setting the low bit to 1:

    ... meta mark set meta mark lshift 1 or 0x1 ...

  • Implemented the "-V" option for displaying extended version information.

    # nft -V
    nftables v0.9.4 (Jive at Five)
      cli:		readline
      json:		yes
      minigmp:	no
      libxtables:	yes

  • Command line options must now be specified before the command. For example, you must write "nft -a list ruleset", while running "nft list ruleset -a" results in an error.

    Source: opennet.ru
