nftables packet filter 1.0.2 released

The release of the nftables 1.0.2 packet filter has been published. nftables unifies packet filtering for IPv4, IPv6, ARP and network bridges into one framework and is intended to replace iptables, ip6tables, arptables and ebtables. The kernel-side changes that nftables 1.0.2 needs in order to work are included in Linux kernel 5.17-rc.

The nftables package contains the user-space components of the packet filter, while the kernel-level functionality is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel side offers only a generic, protocol-independent interface with primitive operations for extracting data from packets, performing operations on that data, and controlling the flow of evaluation.

Filtering rules and protocol-specific handlers are compiled to bytecode in user space; the bytecode is then loaded into the kernel over the Netlink interface and executed there by a dedicated virtual machine reminiscent of BPF (Berkeley Packet Filters). This approach keeps the amount of filtering code running at kernel level small and moves all rule parsing and protocol-handling logic into user space.

Main changes:

  • A rule optimization mode has been added, enabled with the new "-o" ("--optimize") option, which can be combined with "-c" ("--check") to review and validate the changes to a ruleset file without loading it into the kernel. Optimization merges similar rules into set and map lookups; for example, the rules

        meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
        meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.5 accept
        ip saddr 1.1.1.1 ip daddr 2.2.2.2 accept
        ip saddr 2.2.2.2 ip daddr 3.3.3.3 drop

    are merged into

        meta iifname . ip saddr . ip daddr { eth1 . 1.1.1.1 . 2.2.2.3, eth1 . 1.1.1.2 . 2.2.2.5 } accept
        ip saddr . ip daddr vmap { 1.1.1.1 . 2.2.2.2 : accept, 2.2.2.2 . 3.3.3.3 : drop }

    Example usage:

        # nft -c -o -f ruleset.nft
        Merging:
        ruleset.nft:16:3-37: ip daddr 192.168.0.1 counter accept
        ruleset.nft:17:3-37: ip daddr 192.168.0.2 counter accept
        ruleset.nft:18:3-37: ip daddr 192.168.0.3 counter accept
        into:
        ip daddr { 192.168.0.1, 192.168.0.2, 192.168.0.3 } counter packets 0 bytes 0 accept

  • Sets can now be keyed on ip and tcp option fields as well as on sctp chunk fields:

        set s5 { typeof ip option ra value; elements = { 1, 1024 } }
        set s7 { typeof sctp chunk init num-inbound-streams; elements = { 1, 4 } }
        chain c5 { ip option ra value @s5 accept }
        chain c7 { sctp chunk init num-inbound-streams @s7 accept }

  • Added support for the TCP options fastopen, md5sig and mptcp.
  • Added support for using the mptcp subtype in maps: tcp option mptcp subtype 1
  • Improved the kernel-side filter handling code.
  • Flowtables now have full JSON support.
  • The "reject" verdict can now be used in rules that match on Ethernet fields: ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject
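The optimizer transcript above is easier to reproduce with a complete ruleset file. The script below is an added example, not code from the nftables project or from the article: it writes a constructed ruleset containing the three "ip daddr ... counter accept" rules that the release notes show being merged, writes the hand-written equivalent of the merged form beside it so the two can be diffed, and then runs "nft -c -o -f" as a dry run. File names, the table and chain names, and the extra "ct state" and "iif lo" rules are assumptions made for the example. The dry run is skipped with a message when nft is not installed; where it is installed it still talks to nf_tables over netlink, so run it as root like the transcript in the release notes.

```shell
#!/bin/sh
# Added example (not from the nftables project): reproduce the 1.0.2
# "-o" optimizer dry run on a small constructed ruleset.
set -eu

# Write the constructed "before" ruleset to the path given as $1.
write_ruleset() {
    cat > "$1" <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iif lo accept
        # Three rules that differ only in the destination address:
        # nft -o folds them into one rule with an anonymous set.
        ip daddr 192.168.0.1 counter accept
        ip daddr 192.168.0.2 counter accept
        ip daddr 192.168.0.3 counter accept
    }
}
EOF
}

# Write the hand-written equivalent of what the optimizer reports, so the
# two files can be diffed. A bare "counter" in a ruleset file is the same
# as the "counter packets 0 bytes 0" shown in the release-note output.
write_optimized_ruleset() {
    cat > "$1" <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iif lo accept
        ip daddr { 192.168.0.1, 192.168.0.2, 192.168.0.3 } counter accept
    }
}
EOF
}

# Dry-run the optimizer: -c checks without loading, -o prints the merges.
# Returns nft's exit status, or 2 (with a message) when nft is not installed
# so the script still runs on a machine without nftables.
optimize_check() {
    if ! command -v nft >/dev/null 2>&1; then
        echo "nft not found; skipping optimizer dry run" >&2
        return 2
    fi
    nft -c -o -f "$1"
}

# Count how many "ip daddr" rules a ruleset file still carries
# (comment lines start with '#', so they are not counted).
count_daddr_rules() {
    grep -c '^ *ip daddr' "$1"
}

main() {
    dir=$(mktemp -d)
    write_ruleset "$dir/ruleset.nft"
    write_optimized_ruleset "$dir/ruleset.optimized.nft"
    echo "before: $(count_daddr_rules "$dir/ruleset.nft") ip daddr rules"
    echo "after:  $(count_daddr_rules "$dir/ruleset.optimized.nft") ip daddr rules"
    optimize_check "$dir/ruleset.nft" || true
    rm -rf "$dir"
}

main "$@"
```

Because "-c" never commits the transaction, this is a safe way to preview what "-o" would do to a production ruleset before deciding whether to commit the merged form; the merged rule shares one counter across all three addresses, which is the one behavioural difference from the three separate counters in the original file.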

Source: opennet.ru
