nftables packet filter 0.9.9 released

Release 0.9.9 of the nftables packet filter has been published. nftables unifies packet filtering for IPv4, IPv6, ARP and network bridges and is intended to replace iptables, ip6tables, arptables and ebtables. At the same time, the companion library libnftnl 1.2.0 was released, which provides a low-level API for interacting with the nf_tables subsystem. The kernel changes required by nftables 0.9.9 are included in Linux kernel 5.13-rc1.

The nftables package contains the user-space components of the packet filter, while the kernel-side functionality is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel side offers only a generic, protocol-independent interface with basic primitives for extracting data from packets, performing operations on that data and controlling the flow of processing.

Filtering rules and protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel over the Netlink interface and executed there by a dedicated virtual machine reminiscent of BPF (Berkeley Packet Filter). This approach keeps the filtering code running at the kernel level small and moves all rule parsing and protocol-handling logic into user space.

Main changes:

  • Flowtable processing can now be offloaded to the network adapter using the 'offload' flag. A flowtable is an optimization of the packet forwarding path in which the full pass through all rule chains is applied only to the first packet of a flow; all subsequent packets of that flow are forwarded directly and no longer traverse those chains. Hardware offload requires a driver that supports it.
      table ip global {
          flowtable f {
              hook ingress priority filter + 1
              devices = { lan3, lan0, wan }
              flags offload
          }
          chain forward {
              type filter hook forward priority filter; policy accept;
              ip protocol { tcp, udp } flow add @f
          }
          chain post {
              type nat hook postrouting priority filter; policy accept;
              oifname "wan" masquerade
          }
      }
  • Added support for the 'owner' table flag, which binds a table to the process that created it so that the table is used exclusively by that process. When the process terminates, the table associated with it is deleted automatically. Information about the owning process is shown in rule dumps as a comment:
      table ip x { # progname nft
          flags owner

          chain y {
              type filter hook input priority filter; policy accept;
              counter packets 1 bytes 309
          }
      }
    The binding is to the process's netlink socket, so a table declared with 'flags owner' in a file loaded by 'nft -f' disappears as soon as nft exits. The flag is meant for long-running programs (or an interactive 'nft -i' session), where it keeps other tools from modifying or deleting the table.
  • Added support for the IEEE 802.1ad specification (VLAN stacking, or QinQ), which defines how several VLAN tags are carried in a single Ethernet frame. For example, to match an outer 8021ad Ethernet frame with VLAN id 342:
      ... ether type 8021ad vlan id 342
    To match an outer 8021ad frame with VLAN id 1, a nested 8021q tag with VLAN id 2, and an encapsulated IP packet:
      ... ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip counter
  • Added support for matching on cgroups v2 control groups. The key difference between cgroups v2 and v1 is a single unified hierarchy for all resource types instead of separate hierarchies for CPU allocation, memory control and I/O. For example, to check whether the cgroup of the socket that owns the packet is "system.slice" at level 1 of the cgroupv2 hierarchy:
      ... socket cgroupv2 level 1 "system.slice"
  • Added the ability to inspect the chunks of SCTP packets (the kernel changes required for this appeared in Linux 5.14). For example, to check whether a packet carries a chunk of type 'data', and to check that chunk's 'type' field:
      ... sctp chunk data exists
      ... sctp chunk data type 0
  • Loading rules with the '-f' flag is roughly twice as fast. Listing rules has also been sped up.
  • A simplified form for checking whether flags are set. For example, to check that neither the snat nor the dnat flag is set:
      ... ct status ! snat,dnat
    To check that, within the bitmask syn,ack, the syn bit is set and ack is not (equivalent to tcp flags & (syn|ack) == syn):
      ... tcp flags syn / syn,ack
    The negated form is also available; the following matches packets whose bits within the mask syn,ack,fin,rst are not exactly fin,rst:
      ... tcp flags != fin,rst / syn,ack,fin,rst
  • The 'verdict' keyword is now allowed in typeof-based set/map type definitions:
      add map xm { typeof iifname . ip protocol . th dport : verdict; }
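As an added example (not code from the announcement or from the nftables project), the following ruleset for a small router pulls the new features together in one file: flowtable offload, a typeof verdict map, the simplified flag syntax for tcp flags and ct status, SCTP chunk inspection, the cgroupv2 socket match, and QinQ matching on a netdev ingress chain. The interface names lan0 and wan, the VLAN ids 100/200, the ports, the rate limit, the LAN host 192.0.2.10 and the cgroup name system.slice are assumptions made for the illustration, and `meta l4proto` is used instead of the announcement's `ip protocol` so that the inet table covers IPv6 as well. The 'owner' flag is deliberately left out, since a table created from a file would be deleted again when nft exits.

```nft
#!/usr/sbin/nft -f
# Added example (not from the announcement or the nftables project): a small
# router ruleset exercising the 0.9.9 features described above. Interface
# names (lan0, wan), VLAN ids, ports, the LAN host 192.0.2.10 and the
# "system.slice" cgroup are illustrative assumptions.
# Needs nftables >= 0.9.9 on Linux >= 5.13 (>= 5.14 for the SCTP rule).

flush ruleset

table inet fw {
    # Established tcp/udp flows are moved to the fast path; their later packets
    # bypass the forward chain, so per-packet rules placed after 'flow add' never
    # see them. Remove 'flags offload' if the NIC driver cannot offload.
    flowtable ft {
        hook ingress priority filter + 1
        devices = { lan0, wan }
        flags offload
    }

    # (input interface . transport protocol . destination port) -> verdict.
    # 'verdict' as the data type of a typeof map is new in 0.9.9.
    map services {
        typeof iifname . meta l4proto . th dport : verdict
        elements = {
            "lan0" . tcp . 22  : accept,
            "lan0" . udp . 53  : accept,
            "wan"  . tcp . 443 : jump wan_https,
        }
    }

    chain wan_https {
        # throttle connection attempts arriving from the internet
        limit rate over 200/second burst 50 packets drop
        accept
    }

    chain input {
        type filter hook input priority filter; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, ipv6-icmp } accept
        # New flag syntax: of the bits syn,ack,fin,rst exactly syn must be set.
        # A first packet that is not a bare SYN is a scan or a broken middlebox.
        ct state new tcp flags != syn / syn,ack,fin,rst counter drop
        # SCTP chunk inspection (Linux >= 5.14): new associations start with INIT
        ct state new sctp chunk init exists accept
        # anything else is decided by the map; no entry means the chain policy (drop)
        iifname . meta l4proto . th dport vmap @services
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state invalid drop
        # Negated flag syntax: a packet from the WAN is forwarded only if its
        # connection is port-forwarded (dnat, set in prerouting, before this hook)
        # or belongs to a masqueraded one (snat). Anything else would route
        # unsolicited internet traffic into the LAN.
        iifname "wan" ct status ! snat,dnat counter drop
        ct state established,related meta l4proto { tcp, udp } flow add @ft
        ct state established,related accept
        iifname "lan0" oifname "wan" accept
        iifname "wan" ct status dnat accept
    }

    chain output {
        type filter hook output priority filter; policy accept;
        # cgroup v2 match: only sockets of services under system.slice may reach
        # the WAN from the router itself. Packets without a socket (e.g. kernel
        # generated ICMP errors) do not match this rule and are left alone.
        oifname "wan" socket cgroupv2 level 1 != "system.slice" counter drop
    }

    chain dstnat {
        type nat hook prerouting priority dstnat; policy accept;
        # the port-forward that gives a new WAN connection its dnat status
        iifname "wan" tcp dport 8443 dnat ip to 192.0.2.10:443
    }

    chain srcnat {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan" masquerade
    }
}

table netdev vlan_guard {
    # Raw frames on wan, before any IP processing. QinQ: the uplink is expected
    # to carry IPv4 inside an 802.1Q tag 200 inside an 802.1ad tag 100; any
    # other double-tagged frame is counted and dropped.
    chain wan_ingress {
        type filter hook ingress device wan priority filter; policy accept;
        ether type 8021ad vlan id 100 vlan type 8021q vlan id 200 vlan type ip accept
        ether type 8021ad counter drop
    }
}
```

Check the file first with `nft -c -f router.nft`, which parses and validates it without applying anything, then apply it with `nft -f router.nft` as root; note that it starts with `flush ruleset`. Rule order in the forward chain matters: the `ct status` check sits before `flow add`, so once a flow is offloaded its later packets never revisit the chain, which is fine for connection-level checks but not for per-packet ones such as logging or counters.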

Source: opennet.ru
