nftables packet filter release 0.9.5

The nftables 0.9.5 packet filter has been released. nftables is being developed as a replacement for iptables, ip6tables, arptables and ebtables by unifying the packet filtering interfaces for IPv4, IPv6, ARP and network bridges. The nftables package contains the packet filter components that run in user space, while the kernel-level part is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel-side changes required for nftables 0.9.5 to work are included in Linux kernel 5.7.

At the kernel level only a generic, protocol-independent interface is provided, offering basic functions for extracting data from packets, performing operations on that data and controlling the flow of evaluation. Filtering rules and protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel over the Netlink interface and executed inside a special virtual machine reminiscent of BPF (Berkeley Packet Filters). This approach makes it possible to substantially reduce the amount of filtering code running at kernel level and to move all rule parsing and protocol-handling logic into user space.

Main changes:

  • Sets have gained support for packet and byte counters attached to set elements. Counting is enabled with the "counter" keyword:

    table ip x {
        set y {
            typeof ip saddr
            counter
            elements = { 192.168.10.35, 192.168.10.101, 192.168.10.135 }
        }

        chain z {
            type filter hook output priority filter; policy accept;
            ip daddr @y
        }
    }

  • To pre-set counter values, for example to restore the previous counters after a restart, the "nft -f" command can be used:

    # cat ruleset.nft
    table ip x {
        set y {
            typeof ip saddr
            counter
            elements = { 192.168.10.35 counter packets 1 bytes 84, 192.168.10.101 \
                         counter packets 0 bytes 0, 192.168.10.135 counter packets 0 bytes 0 }
        }

        chain z {
            type filter hook output priority filter; policy accept;
            ip daddr @y
        }
    }
    # nft -f ruleset.nft
    # nft list ruleset
    table ip x {
        set y {
            typeof ip saddr
            counter
            elements = { 192.168.10.35 counter packets 1 bytes 84, 192.168.10.101 \
                         counter packets 0 bytes 0, 192.168.10.135 counter packets 0 bytes 0 }
        }

        chain z {
            type filter hook output priority filter; policy accept;
            ip daddr @y
        }
    }
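    The two items above describe a snapshot-and-restore cycle for per-element counters: read them from "nft list ruleset", then feed them back with "nft -f". The following Python script is an added example (not part of the release notes or of the nftables project) that parses the "elements = { ... }" listing in the text format shown above, renders a restore file in that same format, and computes per-element traffic deltas between two snapshots. The sample listing is constructed; the function and type names are assumptions of this example.

```python
import re
from typing import Dict, List, NamedTuple


class ElementCounter(NamedTuple):
    value: str      # set element as nft prints it, e.g. "192.168.10.35"
    packets: int
    bytes: int


# Constructed sample: the listing `nft list ruleset` prints for a set declared
# with the `counter` keyword (same shape as the release note's example).
SAMPLE_LISTING = """
table ip x {
    set y {
        typeof ip saddr
        counter
        elements = { 192.168.10.35 counter packets 1 bytes 84, 192.168.10.101 \\
                     counter packets 0 bytes 0, 192.168.10.135 counter packets 0 bytes 0 }
    }
}
"""

_ELEMENTS_RE = re.compile(r"elements\s*=\s*\{(.*?)\}", re.S)
_COUNTER_RE = re.compile(
    r"^(?P<val>\S+)(?:\s+counter\s+packets\s+(?P<p>\d+)\s+bytes\s+(?P<b>\d+))?$"
)


def parse_set_counters(listing: str) -> List[ElementCounter]:
    """Extract per-element packet/byte counters from an `elements = { ... }` block.
    Backslash line continuations are joined before the block is split on commas;
    an element printed without a counter clause is reported with zero counters."""
    m = _ELEMENTS_RE.search(listing)
    if m is None:
        return []
    body = m.group(1).replace("\\\n", " ")
    result = []
    for raw in body.split(","):
        item = " ".join(raw.split())        # collapse newlines and runs of spaces
        if not item:
            continue
        cm = _COUNTER_RE.match(item)
        if cm is None:
            raise ValueError(f"unrecognised element: {item!r}")
        result.append(ElementCounter(cm.group("val"),
                                     int(cm.group("p") or 0),
                                     int(cm.group("b") or 0)))
    return result


def render_restore_ruleset(family: str, table: str, set_name: str, set_type: str,
                           counters: List[ElementCounter]) -> str:
    """Render a file for `nft -f` that recreates the set with the saved counters."""
    elems = ", ".join(f"{c.value} counter packets {c.packets} bytes {c.bytes}"
                      for c in counters)
    return (f"table {family} {table} {{\n"
            f"    set {set_name} {{\n"
            f"        typeof {set_type}\n"
            f"        counter\n"
            f"        elements = {{ {elems} }}\n"
            f"    }}\n"
            f"}}\n")


def counter_deltas(previous: List[ElementCounter],
                   current: List[ElementCounter]) -> Dict[str, ElementCounter]:
    """Traffic per element between two snapshots. A counter that went backwards
    means the ruleset was reloaded without restoring it, so count from zero."""
    prev = {c.value: c for c in previous}
    out: Dict[str, ElementCounter] = {}
    for c in current:
        p = prev.get(c.value, ElementCounter(c.value, 0, 0))
        pk = c.packets - p.packets if c.packets >= p.packets else c.packets
        by = c.bytes - p.bytes if c.bytes >= p.bytes else c.bytes
        out[c.value] = ElementCounter(c.value, pk, by)
    return out


if __name__ == "__main__":
    snapshot = parse_set_counters(SAMPLE_LISTING)
    print(render_restore_ruleset("ip", "x", "y", "ip saddr", snapshot), end="")
```

    In practice the listing would come from "nft list ruleset" and the rendered file would be passed to "nft -f" on the next start; the delta function is what a monitoring job would use, since counters restart from zero whenever the set is recreated without the saved values.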

  • Counter support has also been added to flowtables:

    table ip foo {
        flowtable bar {
            hook ingress priority -100
            devices = { eth0, eth1 }
            counter
        }

        chain forward {
            type filter hook forward priority filter;
            flow add @bar counter
        }
    }

    The counters can be viewed with the "conntrack -L" command:

    tcp      6 src=192.168.10.2 dst=10.0.1.2 sport=47278 dport=5201 packets=9 bytes=608 \
    src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=47278 packets=8 bytes=428 [OFFLOAD] mark=0 \
    secctx=null use=2
    tcp      6 src=192.168.10.2 dst=10.0.1.2 sport=47280 dport=5201 \
    packets=1005763 bytes=44075714753 src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=47280 \
    packets=967505 bytes=50310268 [OFFLOAD] mark=0 secctx=null use=2

  • In sets for concatenations (combining several addresses and ports to simplify matching), the "typeof" directive can now be used; it derives the data type of each part of a set element from the expression it names:

    table ip foo {
        set whitelist {
            typeof ip saddr . tcp dport
            elements = { 192.168.10.35 . 80, 192.168.10.101 . 80 }
        }

        chain bar {
            type filter hook prerouting priority filter; policy drop;
            ip daddr . tcp dport @whitelist accept
        }
    }

  • The typeof directive can now also be used in concatenations in maps:

    table ip foo {
        map addr2mark {
            typeof ip saddr . tcp dport : meta mark
            elements = { 192.168.10.35 . 80 : 0x00000001,
                         192.168.10.135 . 80 : 0x00000002 }
        }

        chain bar {
            type filter hook prerouting priority filter; policy drop;
            meta mark set ip daddr . tcp dport map @addr2mark accept
        }
    }

  • Added support for concatenations in anonymous (unnamed) sets:

    # nft add rule inet filter input ip daddr . tcp dport \
      { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept

  • Added the ability to reject packets carrying 802.1q (VLAN) headers when they pass through network bridges:

    # nft add rule bridge foo bar ether type vlan reject with tcp reset

  • Added support for matching on the conntrack entry identifier (conntrack ID). To find out the conntrack ID, the "--output id" option can be used:

    # conntrack -L --output id
    udp      17 18 src=192.168.2.118 dst=192.168.2.1 sport=36424 dport=53 packets=2 \
    bytes=122 src=192.168.2.1 dst=192.168.2.118 sport=53 dport=36424 packets=2 bytes=320 \
    [ASSURED] mark=0 secctx=null use=1 id=2779986232

    # nft add rule foo bar ct id 2779986232 counter
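    Both the flowtable item and this one rely on reading "conntrack -L" output: the former to see offloaded flows and their per-direction counters, the latter to pick up the "id=" attribute that a "ct id" rule matches on. The following Python parser is an added example (not part of the release notes or of the conntrack-tools/nftables projects). It splits a conntrack line into the original and reply tuples, bracketed flags and trailing attributes, and builds the "ct id ... counter" rule shown above for one entry. The sample output is constructed from the lines in this note; the function and class names are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, one entry per line, in the layout conntrack -L prints:
# proto, protocol number, optional timeout/state, original tuple, reply tuple,
# [FLAGS], then attributes such as mark=, use= and (with --output id) id=.
SAMPLE_CONNTRACK = """\
tcp      6 src=192.168.10.2 dst=10.0.1.2 sport=47278 dport=5201 packets=9 bytes=608 src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=47278 packets=8 bytes=428 [OFFLOAD] mark=0 secctx=null use=2
tcp      6 src=192.168.10.2 dst=10.0.1.2 sport=47280 dport=5201 packets=1005763 bytes=44075714753 src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=47280 packets=967505 bytes=50310268 [OFFLOAD] mark=0 secctx=null use=2
udp      17 18 src=192.168.2.118 dst=192.168.2.1 sport=36424 dport=53 packets=2 bytes=122 src=192.168.2.1 dst=192.168.2.118 sport=53 dport=36424 packets=2 bytes=320 [ASSURED] mark=0 secctx=null use=1 id=2779986232
"""

# Keys that occur once for the original direction and once for the reply.
_TUPLE_KEYS = {"src", "dst", "sport", "dport", "packets", "bytes"}


@dataclass
class Flow:
    proto: str
    orig: Dict[str, str]      # original-direction tuple and its counters
    reply: Dict[str, str]     # reply-direction tuple and its counters
    flags: List[str]          # e.g. ["OFFLOAD"] or ["ASSURED"]
    attrs: Dict[str, str]     # mark, secctx, use, id, ...

    @property
    def ct_id(self) -> Optional[int]:
        """Entry identifier; only present when conntrack ran with --output id."""
        return int(self.attrs["id"]) if "id" in self.attrs else None

    def total_bytes(self) -> int:
        return int(self.orig["bytes"]) + int(self.reply["bytes"])


def parse_conntrack_line(line: str) -> Flow:
    tokens = line.split()
    proto = tokens[0]
    orig: Dict[str, str] = {}
    reply: Dict[str, str] = {}
    flags: List[str] = []
    attrs: Dict[str, str] = {}
    for tok in tokens[1:]:
        if tok.startswith("[") and tok.endswith("]"):
            flags.append(tok[1:-1])
        elif "=" in tok:
            key, val = tok.split("=", 1)
            if key in _TUPLE_KEYS:
                # the first occurrence belongs to the original direction,
                # the second to the reply direction
                (reply if key in orig else orig)[key] = val
            else:
                attrs[key] = val
        # bare tokens (protocol number, timeout, TCP state) are not needed here
    return Flow(proto, orig, reply, flags, attrs)


def parse_conntrack(output: str) -> List[Flow]:
    return [parse_conntrack_line(ln) for ln in output.splitlines() if ln.strip()]


def offloaded_flows(flows: List[Flow]) -> List[Flow]:
    """Entries handled by a flowtable are marked [OFFLOAD] in conntrack -L."""
    return [f for f in flows if "OFFLOAD" in f.flags]


def ct_id_rule(flow: Flow, family_table_chain: str = "foo bar") -> str:
    """The rule from this note that counts packets of one conntrack entry."""
    if flow.ct_id is None:
        raise ValueError("conntrack -L must be run with --output id")
    return f"nft add rule {family_table_chain} ct id {flow.ct_id} counter"


if __name__ == "__main__":
    flows = parse_conntrack(SAMPLE_CONNTRACK)
    for f in offloaded_flows(flows):
        print(f.proto, f.orig["src"], "->", f.orig["dst"], f.total_bytes(), "bytes")
    print(ct_id_rule(flows[2]))
```

    The id identifies the entry only for as long as it exists in the conntrack table, so a "ct id" rule is a debugging aid for one live session rather than a persistent policy; the offload listing is the place to confirm that flowtable counters are actually being accounted for a given flow.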

Source: opennet.ru
