nftables packet filter 0.9.9 released

The nftables packet filter 0.9.9 has been released. It unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridges (it is positioned as the replacement for iptables, ip6tables, arptables and ebtables). The accompanying libnftnl 1.2.0 library, which provides the low-level API for talking to the nf_tables subsystem, was released at the same time. The kernel changes required by nftables 0.9.9 are included in Linux 5.13-rc1.

The nftables package contains the packet filter components that run in user space, while the kernel-level work is done by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. Only a generic, protocol-independent interface is provided at the kernel level; it offers the basic operations for extracting data from packets, performing operations on that data and controlling the flow of processing.

The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel over the Netlink interface and executed there in a special virtual machine reminiscent of BPF (Berkeley Packet Filters). This approach greatly reduces the amount of filtering code running at the kernel level and moves all rule parsing and protocol logic into user space.

Main new features:

  • Flowtable processing can now be offloaded to the network adapter, enabled with the 'offload' flag. A flowtable is a mechanism for accelerating packet forwarding in which the full pass through all rule chains is applied only to the first packet of a flow, and all remaining packets of that flow are forwarded directly.

        table ip global {
            flowtable f {
                hook ingress priority filter + 1
                devices = { lan3, lan0, wan }
                flags offload
            }
            chain forward {
                type filter hook forward priority filter; policy accept;
                ip protocol { tcp, udp } flow add @f
            }
            chain post {
                type nat hook postrouting priority filter; policy accept;
                oifname "wan" masquerade
            }
        }

  • Added support for setting the owner flag on a table, which gives a process exclusive use of that table. When the process exits, the table bound to it is removed automatically. Information about the owning process is shown in rule dumps as a comment:

        table ip x { # progname nft
            flags owner
            chain y {
                type filter hook input priority filter; policy accept;
                counter packets 1 bytes 309
            }
        }

  • Added support for the IEEE 802.1ad specification (VLAN stacking, or QinQ), which defines how several VLAN tags are inserted into a single Ethernet frame. For example, to match an outer Ethernet frame of type 8021ad with vlan id 342:

        ... ether type 8021ad vlan id 342

    and to match an outer 8021ad frame with vlan id 1, a nested 802.1q tag with vlan id 2, and an encapsulated IP packet after that:

        ... ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip counter

  • Added support for resource control through the unified cgroups v2 hierarchy. The key difference between cgroups v2 and v1 is a single common hierarchy for all resource types, instead of separate hierarchies for CPU allocation, memory accounting and I/O. For example, to check whether the socket's level-1 cgroupv2 ancestor matches "system.slice":

        ... socket cgroupv2 level 1 "system.slice"

  • Added the ability to inspect the chunks of SCTP packets (the kernel-side functionality this needs will appear in Linux 5.14). For example, to check whether a packet carries a chunk of type 'data', and to match the 'type' field of that chunk:

        ... sctp chunk data exists
        ... sctp chunk data type 0

  • Loading rules with the "-f" flag is now roughly twice as fast. Listing the ruleset has also been sped up.

  • A compact form for checking whether flag bits are set. For example, to check that neither the snat nor the dnat status bit is set:

        ... ct status ! snat,dnat

    and to check the syn bit within the syn,ack bitmask:

        ...
        ... tcp flags != fin,rst / syn,ack,fin,rst

  • The "verdict" keyword is now allowed in typeof set/map definitions:

        add map xm { typeof iifname . ip protocol . th dport : verdict; }
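As an added example (not code from the nftables project or from this article), the Python snippet below evaluates the compact flag-check forms described above against constructed TCP flag bytes and conntrack status values, making explicit the bitwise test each form desugars to. The conntrack status bit values follow the kernel's IPS_* layout; the "syn / syn,ack" check (syn set, ack clear) is an assumed input that the article does not list.

```python
# Added example, not nftables project code: a small evaluator for the compact
# flag-check syntax, so the three forms can be read as the bitwise tests they
# desugar to:
#   "v / m"     ->  (flags & m) == v
#   "!= v / m"  ->  (flags & m) != v
#   "! a,b"     ->  (flags & (a|b)) == 0
TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08,
             "ack": 0x10, "urg": 0x20, "ecn": 0x40, "cwr": 0x80}
# conntrack status bits, following the kernel's IPS_* bit layout
CT_STATUS = {"expected": 0x01, "seen-reply": 0x02, "assured": 0x04,
             "confirmed": 0x08, "snat": 0x10, "dnat": 0x20}

def bits(names, table):
    """Fold a comma-separated flag list such as 'syn,ack' into one bitmask."""
    return sum(table[n.strip()] for n in names.split(","))

def parse_check(expr, table):
    """Return (mask, value, negated) for the compact forms shown above."""
    expr = expr.strip()
    if expr.startswith("!="):
        value, mask = expr[2:].split("/")
        return bits(mask, table), bits(value, table), True
    if expr.startswith("!"):
        # "! a,b": none of the listed bits may be set
        return bits(expr[1:], table), 0, False
    if "/" in expr:
        value, mask = expr.split("/")
        return bits(mask, table), bits(value, table), False
    raise ValueError("unsupported flag expression: " + expr)

def matches(expr, flags, table=TCP_FLAGS):
    """True if the header value `flags` satisfies the compact check `expr`."""
    mask, value, negated = parse_check(expr, table)
    equal = (flags & mask) == value
    return not equal if negated else equal

def classify(expr, packets, table=TCP_FLAGS):
    """Apply one check to (label, flags) samples; return the matching labels."""
    return [label for label, flags in packets if matches(expr, flags, table)]

if __name__ == "__main__":
    # constructed sample TCP flag bytes (byte 13 of the TCP header)
    samples = [("syn", 0x02), ("syn-ack", 0x12), ("psh-ack", 0x18),
               ("fin-rst", 0x05), ("rst", 0x04)]
    print(classify("syn / syn,ack", samples))                 # ['syn']
    print(classify("!= fin,rst / syn,ack,fin,rst", samples))  # all but 'fin-rst'
    # constructed conntrack status: assured|confirmed, no NAT bits
    print(matches("! snat,dnat", 0x0c, CT_STATUS))            # True
```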

Source: opennet.ru
