nftables packet filter 1.0.6 released

The release of the packet filter nftables 1.0.6 has been published. It unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridges (and is intended to replace iptables, ip6tables, arptables and ebtables). The nftables package contains the packet filter components that run in user space, while the kernel side is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel level provides only a generic, protocol-independent interface with basic primitives for extracting data from packets, performing operations on that data and controlling the flow.

Filtering rules and protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel through the Netlink interface and executed in the kernel by a special virtual machine reminiscent of BPF (Berkeley Packet Filters). This approach greatly reduces the amount of filtering code running at the kernel level and moves all rule parsing and protocol-handling logic into user space.

Main changes:

  • The rule optimizer enabled by the "-o/--optimize" option now merges consecutive rules that match on the same fields into a single rule over a concatenated set or map. For example, the ruleset

        # cat ruleset.nft
        table ip x {
                chain y {
                        type filter hook input priority filter; policy drop;

                        meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
                        meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4 accept
                        meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.3.0/24 accept
                        meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.4.0-2.2.4.10 accept
                        meta iifname eth2 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept
                }
        }

    is rewritten by "nft -o -c -f ruleset.nft" into a single rule over a concatenated set:

        Merging:
        ruleset.nft:5:17-74: meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
        ruleset.nft:6:17-74: meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4 accept
        ruleset.nft:7:17-77: meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.3.0/24 accept
        ruleset.nft:8:17-83: meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.4.0-2.2.4.10 accept
        ruleset.nft:9:17-74: meta iifname eth2 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept
        into:
                iifname . ip saddr . ip daddr { eth1 . 1.1.1.1 . 2.2.2.3, eth1 . 1.1.1.2 . 2.2.2.4, eth1 . 1.1.1.2 . 2.2.3.0/24, eth1 . 1.1.1.2 . 2.2.4.0-2.2.4.10, eth2 . 1.1.1.3 . 2.2.2.5 } accept
  • The optimizer can also fold rules that already use simple anonymous sets into one concatenated set. For example, the rules

        # cat ruleset.nft
        table ip filter {
                chain input {
                        type filter hook input priority filter; policy drop;
                        iifname "lo" accept
                        ct state established,related accept comment "On the road we started, we trust"
                        iifname "enp0s31f6" ip saddr { 209.115.181.102, 216.197.228.230 } ip daddr 10.0.0.149 udp sport 123 udp dport 32768-65535 accept
                        iifname "enp0s31f6" ip saddr { 64.59.144.17, 64.59.150.133 } ip daddr 10.0.0.149 udp sport 53 udp dport 32768-65535 accept
                }
        }

    are collapsed by "nft -o -c -f ruleset.nft" as follows:

        Merging:
        ruleset.nft:6:22-149: iifname "enp0s31f6" ip saddr { 209.115.181.102, 216.197.228.230 } ip daddr 10.0.0.149 udp sport 123 udp dport 32768-65535 accept
        ruleset.nft:7:22-143: iifname "enp0s31f6" ip saddr { 64.59.144.17, 64.59.150.133 } ip daddr 10.0.0.149 udp sport 53 udp dport 32768-65535 accept
        into:
                iifname . ip saddr . ip daddr . udp sport . udp dport { enp0s31f6 . 209.115.181.102 . 10.0.0.149 . 123 . 32768-65535, enp0s31f6 . 216.197.228.230 . 10.0.0.149 . 123 . 32768-65535, enp0s31f6 . 64.59.144.17 . 10.0.0.149 . 53 . 32768-65535, enp0s31f6 . 64.59.150.133 . 10.0.0.149 . 53 . 32768-65535 } accept
  • Fixed a bug in bytecode generation when concatenating ranges of types with different byte order, such as IPv4 addresses (network byte order) and meta mark (host byte order), as in:

        table ip x {
                map w {
                        typeof ip saddr . meta mark : verdict
                        flags interval
                        counter
                        elements = { 127.0.0.1-127.0.0.4 . 0x123434-0xb00122 : accept,
                                     192.168.0.10-192.168.1.20 . 0x0000aa00-0x0000aaff : accept, }
                }
                chain k {
                        type filter hook input priority filter; policy drop;
                        ip saddr . meta mark vmap @w
                }
        }
  • Improved matching of uncommon transport protocols with raw payload expressions, for example: meta l4proto 91 @th,400,16 0x0 accept
  • Fixed problems with updating rules at runtime, for example: insert rule x y tcp sport { 3478-3497, 16384-16387 } accept
  • The JSON API has been extended with support for expressions in set and map elements.
  • Extensions to the nftables Python library allow a ruleset to be loaded in check mode ("-c") and add support for defining variables externally.
  • Comments are now allowed in set elements.
  • The byte rate limit now allows a rate of zero to be specified.
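As an added example that is neither nftables code nor part of the original article, the following Python script re-implements the merging step shown in the two "Merging: ... into:" listings above in simplified form: adjacent rules that match on the same fields and end in the same verdict are rewritten as one rule over a concatenated anonymous set, and a rule that already carries an anonymous set contributes one element per member. The selector list, the tokenizer and the adjacency-only policy are assumptions of this toy, not nftables' grammar or algorithm; the sample rulesets are the two chains from the listings above.

```python
"""Toy re-implementation of the rule merging that `nft -o` reports as "Merging".

Added example: not code from nftables or the article. The selector list and
the tokenizer are assumptions covering only the syntax used in the listings.
"""
import re
from itertools import product

# Match keys the toy parser understands; two-word keys come before any
# one-word key they start with. Assumption: a hand-picked subset of nft syntax.
SELECTORS = ("meta iifname", "iifname", "ip saddr", "ip daddr",
             "udp sport", "udp dport", "tcp sport", "tcp dport")
VERDICTS = ("accept", "drop", "reject")

# A token is either a whole brace-enclosed anonymous set or a run of non-blanks.
TOKEN_RE = re.compile(r"\{[^}]*\}|\S+")


def parse_rule(rule):
    """Return (keys, per-key alternatives, verdict), or None when the rule uses
    syntax this toy does not know (e.g. `ct state`), so it passes through."""
    tokens = TOKEN_RE.findall(rule)
    if not tokens or tokens[-1] not in VERDICTS:
        return None
    verdict = tokens.pop()
    keys, alternatives = [], []
    i = 0
    while i < len(tokens):
        for sel in SELECTORS:
            words = sel.split()
            if tokens[i:i + len(words)] == words:
                break
        else:
            return None                      # unknown selector
        i += len(words)
        if i >= len(tokens):
            return None                      # selector without a value
        value = tokens[i]
        i += 1
        if value.startswith("{"):            # anonymous set: one rule, many keys
            alts = [v.strip().strip('"') for v in value[1:-1].split(",") if v.strip()]
        else:
            alts = [value.strip('"')]
        keys.append(sel.replace("meta ", ""))  # nft prints `meta iifname` as `iifname`
        alternatives.append(alts)
    return tuple(keys), alternatives, verdict


def merge_rules(rules):
    """Collapse runs of adjacent rules with identical keys and verdict into one
    rule over a concatenated set. Only adjacent rules are merged: lifting a rule
    past one with a different verdict could change which rule a packet hits
    first (a conservative choice of this toy, not a statement about nft)."""
    slots = []
    for rule in rules:
        parsed = parse_rule(rule)
        if parsed is None:
            slots.append({"raw": rule.strip()})
            continue
        keys, alts, verdict = parsed
        # A rule with anonymous sets contributes the product of its alternatives.
        elems = [" . ".join(combo) for combo in product(*alts)]
        last = slots[-1] if slots else None
        if last and "raw" not in last and (last["keys"], last["verdict"]) == (keys, verdict):
            last["elems"].extend(elems)
            last["originals"].append(rule.strip())
        else:
            slots.append({"keys": keys, "verdict": verdict,
                          "elems": elems, "originals": [rule.strip()]})
    out = []
    for slot in slots:
        if "raw" in slot:
            out.append(slot["raw"])
        elif len(slot["originals"]) == 1:
            out.append(slot["originals"][0])   # nothing adjacent to merge with
        else:
            out.append("%s { %s } %s" % (" . ".join(slot["keys"]),
                                          ", ".join(slot["elems"]), slot["verdict"]))
    return out


# The two chains from the article's listings, embedded inline as sample input.
RULESET_A = [
    "meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept",
    "meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4 accept",
    "meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.3.0/24 accept",
    "meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.4.0-2.2.4.10 accept",
    "meta iifname eth2 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept",
]
RULESET_B = [
    'iifname "lo" accept',
    'ct state established,related accept comment "On the road we started, we trust"',
    'iifname "enp0s31f6" ip saddr { 209.115.181.102, 216.197.228.230 } ip daddr 10.0.0.149 udp sport 123 udp dport 32768-65535 accept',
    'iifname "enp0s31f6" ip saddr { 64.59.144.17, 64.59.150.133 } ip daddr 10.0.0.149 udp sport 53 udp dport 32768-65535 accept',
]

if __name__ == "__main__":
    for ruleset in (RULESET_A, RULESET_B):
        print("\n".join(merge_rules(ruleset)), end="\n\n")
```

Running the script prints the same concatenated rules that the "into:" lines above show. The toy deliberately refuses to merge two accept rules separated by a drop rule on the same field: a merge that hoists a rule past one with a different verdict can change which rule a packet matches first, which is why reviewing the "Merging" output of "nft -o -c" before loading the result is worthwhile.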

Source: opennet.ru
