ProHoster > Blog > nkhani zapaintaneti > ftables paketi fyuluta 1.0.1 kumasulidwa

ftables paketi fyuluta 1.0.1 kumasulidwa

nftables 1.0.1, chimango chosefera mapaketi chomwe chimagwirizanitsa ma interface osefera mapaketi a IPv4, IPv6, ARP, ndi ma network bridges, chatulutsidwa (cholingaliridwa ngati cholowa m'malo mwa iptables, ip6table, arptables, ndi ebtables). Kusintha komwe kumafunika pa nftables 1.0.1 kwaphatikizidwa mu kernel. Linux 5.16-rc1.

Phukusi la nftables lili ndi zigawo za fyuluta ya paketi zomwe zimagwira ntchito pamalo ogwiritsira ntchito, pomwe ntchito ya kernel-level imaperekedwa ndi nf_tables subsystem, yomwe ndi gawo la kernel. Linux Kuyambira pomwe idatulutsidwa 3.13, mawonekedwe okhazikika osadalira protocol okha ndi omwe amaperekedwa pamlingo wa kernel, zomwe zimapereka magwiridwe antchito oyambira pochotsa deta kuchokera m'mapaketi, kuchita ntchito za data, ndikuwongolera kayendedwe ka madzi.

Kusefa kumalamulira okha ndipo othandizira ena a protocol amaphatikizidwa mu bytecode mu malo ogwiritsira ntchito, pambuyo pake bytecode iyi imayikidwa mu kernel pogwiritsa ntchito Netlink interface ndikuyiyika mu kernel mwanjira yapadera. makina enieni, zomwe zimakumbutsa BPF (Berkeley Packet Filters). Njirayi imalola kuchepetsa kwambiri kukula kwa code yosefera yomwe ikuyenda pamlingo wa kernel ndipo imasuntha malamulo onse ndi protocol logic kupita kumalo ogwiritsira ntchito.

Zatsopano zazikulu:

  • Kuchepetsa kukumbukira kukumbukira potsegula ma seti akulu ndi mndandanda wamapu.
  • Kutsegulanso ndandanda ndi mapu kwafulumizitsa.
  • Kutulutsa kwa matebulo osankhidwa ndi maunyolo mumagulu akuluakulu a malamulo kwafulumizitsa. Mwachitsanzo, nthawi yoperekera lamulo la "nft list ruleset" kuti muwonetse malamulo okhala ndi mizere 100 ndi masekondi 3.049, ndipo potulutsa matebulo a nat ndi fyuluta okha ("nft list table nat", "nft list table fyuluta". ”) yachepetsedwa kukhala 1.969 ndi 0.697 masekondi.
  • Kuyankha kwamafunso ndi njira ya "--terse" kwachulukitsidwa mukakonza malamulo okhala ndi mindandanda yayikulu ndi mapu.
  • N'zotheka kusefa magalimoto kuchokera ku "egress" chain, yomwe imakonzedwa pamlingo wofanana ndi egress handler mu netdev chain (egress hook), i.e. pa siteji pamene dalaivala amalandira paketi kuchokera ku kernel network stack. tebulo netdev fyuluta {chain egress {mtundu wa fyuluta hook egress zida = {eth0, eth1} patsogolo 0; meta patsogolo seti ip saddr map {192.168.10.2: abcd:2, 192.168.10.3: abcd:3}}}
  • Amalola kufananitsa ndi kusinthidwa kwa ma byte pamutu ndi zomwe zili mu paketi panthawi yomwe mwapatsidwa. # nft onjezani lamulo xy @ih,32,32 0x14000000 counter # nft onjezani lamulo xy @ih,32,32 set 0x14000000 counter

Source: opennet.ru

Gulani kuchititsa kodalirika kwamasamba okhala ndi chitetezo cha DDoS, ma seva a VPS VDS Gulani malo odalirika osungira mawebusayiti okhala ndi chitetezo cha DDoS, ma seva a VPS VDS | ProHoster