nftables packet filter 1.0.2 released

nftables 1.0.2, a packet filtering framework that unifies the packet-filtering interfaces for IPv4, IPv6, ARP and network bridges, has been released (it is intended as a replacement for iptables, ip6tables, arptables and ebtables). The kernel changes required by nftables 1.0.2 are included in Linux 5.17-rc.

The nftables package contains the packet filter components that run in user space, while the kernel-side work is done by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. At the kernel level only a generic, protocol-independent interface is provided; it offers basic primitives for extracting data from packets, performing operations on that data, and controlling flow.

The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel through the Netlink interface and executed there by a special virtual machine reminiscent of BPF (Berkeley Packet Filters). This approach greatly reduces the amount of filtering code running at kernel level and moves all rule parsing and protocol logic into user space.

Main changes:

  • A rule optimisation mechanism has been added, enabled with the new "-o" ("--optimize") option, which can be combined with the "--check" option to review the changes to a configuration file without loading it. The optimisation merges rules of the same shape; for example, the rules:

        meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
        meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.5 accept
        ip saddr 1.1.1.1 ip daddr 2.2.2.2 accept
        ip saddr 2.2.2.2 ip daddr 3.3.3.3 drop

    will be merged into:

        meta iifname . ip saddr . ip daddr { eth1 . 1.1.1.1 . 2.2.2.3, eth1 . 1.1.1.2 . 2.2.2.5 } accept
        ip saddr . ip daddr vmap { 1.1.1.1 . 2.2.2.2 : accept, 2.2.2.2 . 3.3.3.3 : drop }

    Usage example:

        # nft -c -o -f ruleset.test
        Merging:
        ruleset.nft:16:3-37: ip daddr 192.168.0.1 counter accept
        ruleset.nft:17:3-37: ip daddr 192.168.0.2 counter accept
        ruleset.nft:18:3-37: ip daddr 192.168.0.3 counter accept
        into:
        ip daddr { 192.168.0.1, 192.168.0.2, 192.168.0.3 } counter packets 0 bytes 0 accept

  • Sets and maps can now be keyed on ip and tcp options, as well as sctp chunks:

        set s5 { typeof ip option ra value elements = { 1, 1024 } }
        set s7 { typeof sctp chunk init num-inbound-streams elements = { 1, 4 } }
        chain c5 { ip option ra value @s5 accept }
        chain c7 { sctp chunk init num-inbound-streams @s7 accept }

  • Support for the TCP options fastopen, md5sig and mptcp has been added.
  • The mptcp subtype can now be used in maps: tcp option mptcp subtype 1
  • The kernel-side filtering code has been improved.
  • Flowtables now have full JSON format support.
  • "reject" can now be used in Ethernet match expressions: ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject
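To make the merging performed by "-o" concrete, the following added illustration (not nftables' own code) models the rule merging from the first item above: runs of adjacent rules with the same selector sequence are folded into an anonymous set when the verdict is identical, or into a vmap when the verdicts differ. It assumes the simple "selector value ... verdict" rule shape used in that example and deliberately merges only adjacent rules, so first-match ordering is preserved; rules with extra statements such as counter are rejected rather than guessed at.

```python
"""Simplified model of the rule merging done by `nft -o`.

Added illustration, not nftables' own code. Each rule is a string of the form
"selector value [selector value ...] verdict", where a selector is two words,
e.g. "ip saddr 1.1.1.1 ip daddr 2.2.2.2 accept". Only *adjacent* rules with
the same selector sequence are merged, so rule order (first-match semantics)
is preserved. Rules with other statements (e.g. "counter") raise ValueError.
"""
from itertools import groupby

VERDICTS = {"accept", "drop", "reject"}


def parse_rule(rule):
    """Split a rule into (selectors, values, verdict); values stay positional."""
    tokens = rule.split()
    verdict = tokens[-1]
    body = tokens[:-1]
    if verdict not in VERDICTS or len(body) % 3:
        raise ValueError(f"unsupported rule shape: {rule!r}")
    selectors = tuple(f"{body[i]} {body[i + 1]}" for i in range(0, len(body), 3))
    values = tuple(body[i + 2] for i in range(0, len(body), 3))
    return selectors, values, verdict


def merge_rules(rules):
    """Return the optimised rule list, one merged rule per run of same-shaped rules."""
    parsed = [(r, *parse_rule(r)) for r in rules]  # (raw, selectors, values, verdict)
    merged = []
    for selectors, run in groupby(parsed, key=lambda p: p[1]):
        run = list(run)
        if len(run) == 1:  # nothing to merge with: keep the rule exactly as written
            merged.append(run[0][0])
            continue
        key = " . ".join(selectors)  # concatenation of the selectors, e.g. "ip saddr . ip daddr"
        verdicts = {v for _, _, _, v in run}
        if len(verdicts) == 1:  # same verdict everywhere: anonymous (concatenation) set
            elems = ", ".join(" . ".join(vals) for _, _, vals, _ in run)
            merged.append(f"{key} {{ {elems} }} {run[0][3]}")
        else:  # verdicts differ: verdict map keyed on the same concatenation
            elems = ", ".join(f"{' . '.join(vals)} : {v}" for _, _, vals, v in run)
            merged.append(f"{key} vmap {{ {elems} }}")
    return merged
```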

Source: opennet.ru
