nftables packet filter 1.0.7 released

The release of the packet filter nftables 1.0.7 has been published. nftables unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridges (it is intended to replace iptables, ip6tables, arptables and ebtables). The nftables package contains the packet filter components that run in user space, while the kernel-side work is done by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel level provides only a generic, protocol-independent interface that offers basic functions for extracting data from packets, performing operations on that data, and controlling flow.

Filtering rules and protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel over the Netlink interface and executed in the kernel by a special virtual machine reminiscent of BPF (Berkeley Packet Filters). This approach significantly reduces the amount of filtering code running at the kernel level and moves all rule parsing and protocol handling logic into user space.

Main changes:

  • On systems with Linux kernel 6.2 or later, support for the vxlan, geneve, gre and gretap protocols has been added, allowing expressions to match on headers inside encapsulated packets. For example, to check the IP address in the header of a packet nested inside VXLAN, the following rules can be used (with no need to parse the VXLAN header yourself or to bind the filter to a vxlan0 interface):

      ... udp dport 4789 vxlan ip protocol udp
      ... udp dport 4789 vxlan ip saddr 1.2.3.0/24
      ... udp dport 4789 vxlan ip saddr . vxlan ip daddr { 1.2.3.4 . 4.3.2.1 }
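Added example (not from the release announcement and not nftables code): a Python model of what the `vxlan ip saddr` match above inspects. It constructs a sample VXLAN UDP payload (sample bytes built here, not captured traffic), decodes the VXLAN header, the inner Ethernet header and the inner IPv4 header, and evaluates the equivalent of `udp dport 4789 vxlan ip saddr 1.2.3.0/24`. The helper names, the sample MAC addresses and the VNI are assumptions of this example.

```python
import ipaddress
import struct

VXLAN_PORT = 4789  # IANA UDP port for VXLAN, what `udp dport 4789` matches


def build_vxlan_payload(vni: int, inner_src: str, inner_dst: str, inner_proto: int = 17) -> bytes:
    """Build a UDP payload carrying VXLAN + inner Ethernet + inner IPv4.

    Constructed sample data for this example, not captured traffic.
    """
    # VXLAN header (RFC 7348): flags byte with the I bit (0x08), 3 reserved
    # bytes, then a 24-bit VNI followed by 1 reserved byte.
    vxlan_hdr = struct.pack("!B3xI", 0x08, vni << 8)
    # Inner Ethernet: dst MAC, src MAC (sample values), EtherType IPv4.
    eth_hdr = bytes.fromhex("0a0000000002") + bytes.fromhex("0a0000000001") + struct.pack("!H", 0x0800)
    # Minimal inner IPv4 header: version/IHL, TOS, total length, id,
    # flags/fragment offset, TTL, protocol, checksum (left 0 here), src, dst.
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0, 0, 64, inner_proto, 0,
        ipaddress.IPv4Address(inner_src).packed,
        ipaddress.IPv4Address(inner_dst).packed,
    )
    return vxlan_hdr + eth_hdr + ip_hdr


def parse_vxlan_inner(payload: bytes) -> dict:
    """Decode the inner IPv4 header that `vxlan ip ...` expressions match on."""
    if len(payload) < 8 + 14 + 20:
        raise ValueError("payload too short for VXLAN + Ethernet + IPv4")
    flags, vni_field = struct.unpack("!B3xI", payload[:8])
    if not flags & 0x08:
        raise ValueError("VXLAN I flag not set, VNI is not valid")
    vni = vni_field >> 8
    ethertype = struct.unpack("!H", payload[20:22])[0]  # last 2 bytes of inner Ethernet
    if ethertype != 0x0800:
        raise ValueError("inner frame is not IPv4")
    fields = struct.unpack("!BBHHHBBH4s4s", payload[22:42])
    if fields[0] >> 4 != 4:
        raise ValueError("inner IP version is not 4")
    return {
        "vni": vni,
        "proto": fields[6],
        "saddr": ipaddress.IPv4Address(fields[8]),
        "daddr": ipaddress.IPv4Address(fields[9]),
    }


def vxlan_saddr_matches(udp_dport: int, payload: bytes, network: str) -> bool:
    """Model of `udp dport 4789 vxlan ip saddr <network>`: the outer UDP
    destination port must be the VXLAN port and the *inner* source address
    must lie in the given network. Anything undecodable simply does not match."""
    if udp_dport != VXLAN_PORT:
        return False
    try:
        inner = parse_vxlan_inner(payload)
    except ValueError:
        return False
    return inner["saddr"] in ipaddress.IPv4Network(network)


# Sample packet: VNI 100, inner 1.2.3.4 -> 4.3.2.1 carrying UDP (protocol 17).
SAMPLE = build_vxlan_payload(100, "1.2.3.4", "4.3.2.1")

if __name__ == "__main__":
    print(parse_vxlan_inner(SAMPLE))
    print(vxlan_saddr_matches(4789, SAMPLE, "1.2.3.0/24"))  # True
    print(vxlan_saddr_matches(4789, SAMPLE, "10.0.0.0/8"))  # False
```

The point of the model is the second parse step: a rule without the `vxlan` prefix sees only the outer UDP header, so the inner addresses are invisible to it, whereas the 1.0.7 syntax lets the kernel match on them directly.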
  • Added support for merging the remainders after partially deleting an element from an interval set, which makes it possible to remove a single element or a sub-range from an existing range (previously a range could only be removed as a whole). For example, after removing element 25 from an interval set holding the ranges 24-30 and 40-50, the set contains 24, 26-30 and 40-50. The kernel fixes required for auto-merge to work will be submitted to the stable 5.10+ kernel branches.

      # nft list ruleset
      table ip x {
          set y {
              typeof tcp dport
              flags interval
              auto-merge
              elements = { 24-30, 40-50 }
          }
      }
      # nft delete element ip x y { 25 }
      # nft list ruleset
      table ip x {
          set y {
              typeof tcp dport
              flags interval
              auto-merge
              elements = { 24, 26-30, 40-50 }
          }
      }
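Added example, not part of the announcement and not nftables code: a small Python model of the interval-set behaviour described above (`flags interval` with `auto-merge`). It merges adjacent or overlapping ranges the way auto-merge does on insert and removes a single element or a sub-range from an existing range while keeping the remainders, so the `{ 24-30, 40-50 }` minus `25` case can be traced step by step. The function names are this example's own.

```python
import re


def parse_elements(text: str):
    """Parse nft-style interval elements such as "24-30, 40-50" or "25"."""
    intervals = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item)
        if not m:
            raise ValueError(f"bad element: {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo:
            raise ValueError(f"reversed range: {item!r}")
        intervals.append((lo, hi))
    return intervals


def auto_merge(intervals):
    """Collapse overlapping or adjacent ranges, as auto-merge does on insert."""
    merged = []
    for lo, hi in sorted(intervals):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def delete_interval(intervals, lo, hi):
    """Remove [lo, hi] from the set, keeping the remainders of any range it
    cuts into (the 1.0.7 behaviour; older releases dropped the whole range)."""
    remaining = []
    for a, b in intervals:
        if hi < a or lo > b:          # range not touched by the deletion
            remaining.append((a, b))
            continue
        if a < lo:                    # left remainder survives
            remaining.append((a, lo - 1))
        if b > hi:                    # right remainder survives
            remaining.append((hi + 1, b))
    return auto_merge(remaining)


def format_elements(intervals) -> str:
    """Render the set back in the form `nft list ruleset` prints."""
    return ", ".join(str(a) if a == b else f"{a}-{b}" for a, b in intervals)


if __name__ == "__main__":
    s = auto_merge(parse_elements("24-30, 40-50"))
    s = delete_interval(s, 25, 25)
    print(format_elements(s))  # 24, 26-30, 40-50
```

Deleting a sub-range that spans two elements (say 28-45 from the same set) leaves `24-27, 46-50`, which is the general case of the single-element deletion shown in the announcement.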
  • Maps can now be used in address translation (NAT) to rewrite the address and the port together:

      table ip nat {
          chain prerouting {
              type nat hook prerouting priority dstnat; policy accept;
              dnat to ip daddr . tcp dport map { 10.1.1.136 . 80 : 1.1.2.69 . 1024, 10.1.1.10-10.1.1.20 . 8888-8889 : 1.1.2.69 . 2048-2049 } persistent
          }
      }
  • Added support for the "last" expression, which lets you find out when a rule or set element was last used. The feature is supported starting with Linux kernel 5.14.

      table ip x {
          set y {
              typeof ip daddr . tcp dport
              size 65535
              flags dynamic,timeout
              timeout 1h
          }
          chain z {
              type filter hook output priority filter; policy accept;
              update @y { ip daddr . tcp dport }
          }
      }
      # nft list set ip x y
      table ip x {
          set y {
              typeof ip daddr . tcp dport
              size 65535
              flags dynamic,timeout
              timeout 1h
              elements = { 172.217.17.14 . 443 last used 1s591ms timeout 1h expires 59m58s409ms,
                           172.67.69.19 . 443 last used 4s636ms timeout 1h expires 59m55s364ms,
                           142.250.201.72 . 443 last used 4s748ms timeout 1h expires 59m55s252ms,
                           172.67.70.134 . 443 last used 4s688ms timeout 1h expires 59m55s312ms,
                           35.241.9.150 . 443 last used 5s204ms timeout 1h expires 59m54s796ms,
                           138.201.122.174 . 443 last used 4s537ms timeout 1h expires 59m55s463ms,
                           34.160.144.191 . 443 last used 5s205ms timeout 1h expires 59m54s795ms,
                           130.211.23.194 . 443 last used 4s436ms timeout 1h expires 59m55s564ms }
          }
      }
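Added example, not from the announcement and not nftables code: a Python parser for the `nft list set` output shown above. It converts the `last used`, `timeout` and `expires` durations into milliseconds, checks that `expires` equals `timeout` minus `last used` for every element, and reports elements idle longer than a threshold, which is the kind of check an operator runs to find stale entries or never-hit rules before pruning a ruleset. The listing is embedded as constructed sample text built from the element values above; the function names are this example's own.

```python
import re

UNIT_MS = {"d": 86_400_000, "h": 3_600_000, "m": 60_000, "s": 1_000, "ms": 1}
DURATION_RE = re.compile(r"(\d+)(ms|[dhms])")  # "ms" must be tried before "m"

# Constructed sample, reproducing the listing from the announcement.
SAMPLE_LISTING = """\
table ip x {
    set y {
        typeof ip daddr . tcp dport
        size 65535
        flags dynamic,timeout
        timeout 1h
        elements = { 172.217.17.14 . 443 last used 1s591ms timeout 1h expires 59m58s409ms,
                     172.67.69.19 . 443 last used 4s636ms timeout 1h expires 59m55s364ms,
                     142.250.201.72 . 443 last used 4s748ms timeout 1h expires 59m55s252ms,
                     172.67.70.134 . 443 last used 4s688ms timeout 1h expires 59m55s312ms,
                     35.241.9.150 . 443 last used 5s204ms timeout 1h expires 59m54s796ms,
                     138.201.122.174 . 443 last used 4s537ms timeout 1h expires 59m55s463ms,
                     34.160.144.191 . 443 last used 5s205ms timeout 1h expires 59m54s795ms,
                     130.211.23.194 . 443 last used 4s436ms timeout 1h expires 59m55s564ms }
    }
}
"""

# One concatenated "addr . port" key followed by the three duration fields.
ELEMENT_RE = re.compile(
    r"(?P<key>\S+ \. \S+) last used (?P<last>[0-9dhms]+) "
    r"timeout (?P<timeout>[0-9dhms]+) expires (?P<expires>[0-9dhms]+)"
)


def parse_duration_ms(text: str) -> int:
    """Convert an nft duration such as 59m58s409ms to integer milliseconds."""
    if not re.fullmatch(r"(?:\d+(?:ms|[dhms]))+", text):
        raise ValueError(f"bad duration: {text!r}")
    return sum(int(n) * UNIT_MS[u] for n, u in DURATION_RE.findall(text))


def parse_set_listing(listing: str) -> list:
    """Extract each element's key and its last-used/timeout/expires values."""
    elements = []
    for m in ELEMENT_RE.finditer(listing):
        elements.append({
            "key": m.group("key"),
            "last_used_ms": parse_duration_ms(m.group("last")),
            "timeout_ms": parse_duration_ms(m.group("timeout")),
            "expires_ms": parse_duration_ms(m.group("expires")),
        })
    return elements


def listing_is_consistent(elements) -> bool:
    """The listing reports expires = timeout - time since last use; verify it."""
    return all(e["timeout_ms"] - e["last_used_ms"] == e["expires_ms"] for e in elements)


def idle_longer_than(elements, idle_ms: int) -> list:
    """Keys of elements that have not been used for more than idle_ms."""
    return [e["key"] for e in elements if e["last_used_ms"] > idle_ms]


if __name__ == "__main__":
    elems = parse_set_listing(SAMPLE_LISTING)
    print(len(elems), "elements; consistent:", listing_is_consistent(elems))
    print("idle > 5s:", idle_longer_than(elems, 5_000))
```

Durations are kept as integer milliseconds rather than floats so that the `expires` consistency check is exact; with the sample listing, every element satisfies it and two elements have been idle for more than five seconds.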
  • Added the ability to specify quotas in sets. For example, to account for traffic per destination IP address you can specify:

      table netdev x {
          set y {
              typeof ip daddr
              size 65535
              quota over 10000 mbytes
          }
          chain y {
              type filter hook egress device "eth0" priority filter; policy accept;
              ip daddr @y drop
          }
      }
      # nft add element netdev x y { 8.8.8.8 }
      # ping -c 2 8.8.8.8
      # nft list ruleset
      table netdev x {
          set y {
              type ipv4_addr
              size 65535
              quota over 10000 mbytes
              elements = { 8.8.8.8 quota over 10000 mbytes used 196 bytes }
          }
          chain y {
              type filter hook egress device "eth0" priority filter; policy accept;
              ip daddr @y drop
          }
      }
  • The use of constants in set expressions is now allowed. For example, when the destination address and the VLAN ID make up the set key, the VLAN number can be given directly (ether daddr . 123):

      table netdev t {
          set s {
              typeof ether saddr . vlan id
              size 2048
              flags dynamic,timeout
              timeout 1m
          }
          chain c {
              type filter hook ingress device eth0 priority 0; policy accept;
              ether type != 8021q update @s { ether daddr . 123 }
          }
      }
  • Added a new "destroy" command that deletes objects unconditionally (unlike the delete command, it does not return ENOENT when asked to delete an object that does not exist). It requires at least Linux kernel 6.3-rc to work.

      destroy table ip filter

Source: opennet.ru
