nftables packet filter 1.0.5 released

The release of the packet filter nftables 1.0.5 has been published, unifying the packet filtering interfaces for IPv4, IPv6, ARP and network bridges (intended to replace iptables, ip6tables, arptables and ebtables). At the same time, a release of the companion library libnftnl 1.2.3 was published, providing a low-level API for interacting with the nf_tables subsystem.

The nftables package includes the packet filter components that run in user space, while the kernel-level part is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. At the kernel level only a generic, protocol-independent interface is provided, offering basic functions for extracting data from packets, performing operations on that data, and controlling the flow of processing.

The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space, after which this bytecode is loaded into the kernel over the Netlink interface and executed in the kernel in a special virtual machine reminiscent of BPF (Berkeley Packet Filters). This approach greatly reduces the amount of filtering code running at the kernel level and moves all rule parsing and protocol logic into user space.

Main changes:

  • In the rule optimizer, enabled with the "-o/--optimize" option, problems with merging rules, maps and sets have been fixed. Example:

      # cat ruleset.nft
      table ip x {
              chain y {
                      type nat hook postrouting priority srcnat; policy drop;
                      ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80
                      ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90
              }
      }
      # nft -o -c -f ruleset.nft
      Merging:
      ruleset.nft:4:3-52: ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80
      ruleset.nft:5:3-52: ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90
      into:
              snat to ip saddr . tcp dport map { 1.1.1.1 . 8000 : 4.4.4.4 . 80, 2.2.2.2 . 8001 : 5.5.5.5 . 90 }

  • When combining ethernet and vlan elements, a dynamic set can now be defined that is populated from packet fields:

      add table netdev x
      add chain netdev x y { type filter hook ingress device enp0s25 priority 0; }
      add set netdev x macset { typeof ether daddr . vlan id; flags dynamic,timeout; }
      add rule netdev x y update @macset { ether daddr . vlan id timeout 60s }
      add rule netdev x y ether saddr . vlan id { 0a:0b:0c:0d:0e:0f . 42, 0a:0b:0c:0d:0e:0f . 4095 } accept

  • The display of rules with maps containing masks (wildcards) in interface names has been fixed:

      table filter {
              chain INPUT {
                      iifname vmap { "eth0" : jump input_lan, "wg*" : jump input_vpn }
              }
              chain input_lan {}
              chain input_vpn {}
      }

  • Problems with variables that led to incorrect lexical parsing of valid rules have been fixed.
  • Problems with slow processing and merging of large sets whose elements describe ranges of values have been fixed.
  • A crash when adding elements to an invalid set has been fixed.
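To make the optimizer's merging step from the first item concrete, here is an added example (not nftables' own optimizer code) that reproduces the idea in Python: consecutive rules that share the same selectors and verb but differ in matched values are folded into one map-based rule (for NAT targets) or one set-based rule (for a plain verdict). It assumes a hypothetical, deliberately small rule grammar and IPv4 "addr:port" NAT targets.

```python
import re
# Constructed sample input: the two NAT rules from the optimizer example above.
RULES = [
    "ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80",
    "ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90",
]
# Hypothetical, deliberately small grammar: a few selectors followed by one verb.
# NAT targets are assumed to be IPv4 "addr:port" when map entries are built.
MATCH = r"(ip [sd]addr|tcp [sd]port|iifname) (\S+)"
RULE_RE = re.compile(rf"^((?:{MATCH} )+)(snat to|dnat to|accept|drop)(?: (\S+))?$")

def parse_rule(rule):
    """Return (selectors, values, verb, target), or None if unsupported."""
    m = RULE_RE.match(rule.strip())
    if not m:
        return None
    pairs = re.findall(MATCH, m.group(1))
    return tuple(k for k, _ in pairs), tuple(v for _, v in pairs), m.group(4), m.group(5)

def render(keys, verb, members):
    """Emit one run of structurally identical rules as a single nft rule."""
    if len(members) == 1:                        # nothing to merge: rebuild as-is
        vals, target = members[0]
        rule = " ".join(f"{k} {v}" for k, v in zip(keys, vals)) + f" {verb}"
        return rule + (f" {target}" if target else "")
    concat = " . ".join(keys)                    # e.g. "ip saddr . tcp dport"
    if verb in ("snat to", "dnat to"):           # per-rule targets -> map
        entries = ", ".join(f"{' . '.join(v)} : {t.replace(':', ' . ')}" for v, t in members)
        return f"{verb} {concat} map {{ {entries} }}"
    entries = ", ".join(" . ".join(v) for v, _ in members)   # same verdict -> set
    return f"{concat} {{ {entries} }} {verb}"

def merge_rules(rules):
    """Merge consecutive rules differing only in matched values (nftables is
    evaluated top-down, so non-adjacent rules are never reordered)."""
    out, run, run_key = [], [], None
    for rule in rules:
        parsed = parse_rule(rule)
        key = (parsed[0], parsed[2]) if parsed else None
        if key is None or key != run_key:        # structure changed: flush the run
            if run:
                out.append(render(*run_key, run))
            run, run_key = [], key
        if parsed is None:
            out.append(rule)                     # unsupported syntax passes through
        else:
            run.append((parsed[1], parsed[3]))
    if run:
        out.append(render(*run_key, run))
    return out
```

Running `merge_rules(RULES)` yields the same single map rule that `nft -o` prints for the page's ruleset; the real optimizer also checks things this sketch ignores, such as counters and statements between the rules.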

Source: opennet.ru
