nftables packet filter 1.0.0 released

The release of the nftables 1.0.0 packet filter has been published. It unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridges (and aims to replace iptables, ip6tables, arptables and ebtables). The kernel changes required for nftables 1.0.0 to work are included in Linux kernel 5.13. The jump in the major version number is not tied to any particular change; it is simply the result of continuing the release numbering in decimal notation (the previous release was 0.9.9).

The nftables package contains the userspace components of the packet filter, while the kernel-level functionality is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel side offers a generic, protocol-independent interface that provides basic primitives for extracting data from packets, operating on that data, and controlling the flow of evaluation.

Filtering rules and protocol-specific handlers are compiled into bytecode in userspace; this bytecode is then loaded into the kernel over the Netlink interface and executed in a special virtual machine reminiscent of BPF (Berkeley Packet Filters). This approach keeps the amount of filtering code running at kernel level very small and moves all of the rule-parsing work and protocol-handling logic into userspace.

Main new features:

  • Support for the "*" catch-all element has been added to sets and maps; it matches any packet that does not fall under any other element defined in the set:

        table x {
            map blocklist {
                type ipv4_addr : verdict
                flags interval
                elements = { 192.168.0.0/16 : accept, 10.0.0.0/8 : accept, * : drop }
            }
            chain y {
                type filter hook prerouting priority 0; policy accept;
                ip saddr vmap @blocklist
            }
        }

  • Variables can be defined from the command line with the "--define" option:

        # cat test.nft
        table netdev x {
            chain y {
                type filter hook ingress devices = $dev priority 0; policy drop;
            }
        }
        # nft --define dev="{ eth0, eth1 }" -f test.nft

  • Stateful expressions (such as counters) are allowed in set and map elements:

        table inet filter {
            map portmap {
                type inet_service : verdict
                counter
                elements = { 22 counter packets 0 bytes 0 : jump ssh_input, * counter packets 0 bytes 0 : drop }
            }
            chain ssh_input {
            }
            chain wan_input {
                tcp dport vmap @portmap
            }
            chain prerouting {
                type filter hook prerouting priority raw; policy accept;
                iif vmap { "lo" : jump wan_input }
            }
        }

  • The "list hooks" command has been added to display the hooks registered for a given device:

        # nft list hooks ip device eth0
        family ip {
            hook ingress {
                +0000000010 chain netdev x y [nf_tables]
                +0000000300 chain inet m w [nf_tables]
            }
            hook input {
                -0000000100 chain ip a b [nf_tables]
                +0000000300 chain inet m z [nf_tables]
            }
            hook forward {
                -0000000225 selinux_ipv4_forward
                 0000000000 chain ip a c [nf_tables]
            }
            hook output {
                -0000000225 selinux_ipv4_output
            }
            hook postrouting {
                +0000000225 selinux_ipv4_postroute
            }
        }

  • Queue expressions may use the jhash, symhash and numgen expressions to distribute packets across userspace queues:

        ... queue to symhash mod 65536
        ... queue flags bypass to numgen inc mod 65536
        ... queue to jhash oif . meta mark mod 32

    "queue" can also be combined with maps to select the userspace queue based on arbitrary keys:

        ... queue flags bypass to oifname map { "eth0" : 0, "ppp0" : 2, "eth1" : 2 }

  • Variables that contain a list of set/map elements can be expanded:

        define interfaces = { eth0, eth1 }

        table ip x {
            chain y {
                type filter hook input priority 0; policy accept;
                iifname vmap { lo : accept, $interfaces : drop }
            }
        }

        # nft -f x.nft
        # nft list ruleset
        table ip x {
            chain y {
                type filter hook input priority 0; policy accept;
                iifname vmap { "lo" : accept, "eth0" : drop, "eth1" : drop }
            }
        }

  • Concatenations are allowed in anonymous vmaps (verdict maps):

        # nft add rule x y tcp dport . ip saddr vmap { 1025-65535 . 192.168.10.2 : accept }

  • Simplified syntax for NAT map expressions. Address ranges can be specified:

        ... snat to ip saddr map { 10.141.11.4 : 192.168.2.2-192.168.2.4 }

    or IP addresses and ports:

        ... dnat to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 }

    or ranges of IP addresses and ports:

        ... dnat to ip saddr . tcp dport map { 10.141.10.2 . 80 : 10.141.10.5 . 8888-8999 }
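To make the catch-all element from the first item concrete, here is an added Python model (not code from the nftables project or the announcement) of how the "ip saddr vmap @blocklist" lookup resolves a source address, and what changes when the "* : drop" element is absent; the helper names vmap_lookup, chain_verdict and render_map are assumptions of this example.

```python
import ipaddress

# Constructed map mirroring the release-note example: two accepted
# prefixes plus a catch-all that turns the map into a default-drop list.
BLOCKLIST = [
    ("192.168.0.0/16", "accept"),
    ("10.0.0.0/8", "accept"),
    ("*", "drop"),  # catch-all: matches any key not covered above
]


def vmap_lookup(saddr, elements):
    """Return the verdict for saddr, or None when no element matches.

    None models a vmap without a matching element: the rule does not
    apply and evaluation continues with the rest of the chain.
    """
    addr = ipaddress.ip_address(saddr)
    catch_all = None
    for key, verdict in elements:
        if key == "*":
            catch_all = verdict
            continue
        if addr in ipaddress.ip_network(key, strict=False):
            return verdict
    return catch_all


def chain_verdict(saddr, elements, policy="accept"):
    """Verdict of a chain whose only rule is the vmap lookup; a packet
    that matches no element falls through to the chain policy."""
    verdict = vmap_lookup(saddr, elements)
    return verdict if verdict is not None else policy


def render_map(elements):
    """Emit the map in nft syntax so the model and the ruleset agree."""
    body = ", ".join(f"{k} : {v}" for k, v in elements)
    return ("map blocklist {\n\ttype ipv4_addr : verdict\n\tflags interval\n"
            f"\telements = {{ {body} }}\n}}")


if __name__ == "__main__":
    print(render_map(BLOCKLIST))
    for ip in ("10.1.2.3", "192.168.5.5", "8.8.8.8"):
        with_star = chain_verdict(ip, BLOCKLIST)
        without_star = chain_verdict(ip, BLOCKLIST[:2])
        print(f"{ip}: with catch-all -> {with_star}, without -> {without_star}")
```

Without the "*" element, an address outside both prefixes is not dropped by the map at all but inherits the chain's "policy accept".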

Source: opennet.ru
