nftables packet filter release 1.0.0

The release of the nftables 1.0.0 packet filter has been published; it unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridges (aiming to replace iptables, ip6tables, arptables and ebtables). The kernel changes required for nftables 1.0.0 to work are included in Linux kernel 5.13. The big jump in the version number is not tied to any fundamental change; it is only a consequence of continuing the numbering in decimal notation (the previous release was 0.9.9).

The nftables package contains the packet filter components that run in user space, while the kernel-level work is done by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel side provides only a generic, protocol-independent interface with basic functions for extracting data from packets, performing operations on that data and controlling the flow.

The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel over the Netlink interface and executed in the kernel by a special virtual machine resembling BPF (Berkeley Packet Filters). This approach makes it possible to greatly reduce the amount of filtering code running at kernel level and to move all rule parsing and protocol-handling logic into user space.

Main changes:

  • Support for the "*" catch-all element has been added to sets and maps; it matches any packet that does not fall under the other elements defined in the set.

    table x {
        map blocklist {
            type ipv4_addr : verdict
            flags interval
            elements = { 192.168.0.0/16 : accept, 10.0.0.0/8 : accept, * : drop }
        }
        chain y {
            type filter hook prerouting priority 0; policy accept;
            ip saddr vmap @blocklist
        }
    }
  • Variables can be defined from the command line with the "--define" option.

    # cat test.nft
    table netdev x {
        chain y {
            type filter hook ingress devices = $dev priority 0; policy drop;
        }
    }
    # nft --define dev="{ eth0, eth1 }" -f test.nft
  • Stateful expressions (counter) are now allowed in map listings:

    table inet filter {
        map portmap {
            type inet_service : verdict
            counter
            elements = { 22 counter packets 0 bytes 0 : jump ssh_input, * counter packets 0 bytes 0 : drop }
        }
        chain ssh_input {
        }
        chain wan_input {
            tcp dport vmap @portmap
        }
        chain prerouting {
            type filter hook prerouting priority raw; policy accept;
            iif vmap { "lo" : jump wan_input }
        }
    }
  • The "list hooks" command has been added; it shows the list of handlers registered for a given packet family:

    # nft list hooks ip device eth0
    family ip {
            hook ingress {
                    +0000000010 chain netdev x y [nf_tables]
                    +0000000300 chain inet m w [nf_tables]
            }
            hook input {
                    -0000000100 chain ip a b [nf_tables]
                    +0000000300 chain inet m z [nf_tables]
            }
            hook forward {
                    -0000000225 selinux_ipv4_forward
                     0000000000 chain ip a c [nf_tables]
            }
            hook output {
                    -0000000225 selinux_ipv4_output
            }
            hook postrouting {
                    +0000000225 selinux_ipv4_postroute
            }
    }
  • The queue expression can now be combined with the jhash, symhash and numgen expressions to distribute packets across user-space queues:

    ... queue to symhash mod 65536
    ... queue flags bypass to numgen inc mod 65536
    ... queue to jhash oif . meta mark mod 32

    "queue" can also be combined with maps to select a user-space queue based on arbitrary keys:

    ... queue flags bypass to oifname map { "eth0" : 0, "ppp0" : 2, "eth1" : 2 }
  • A variable holding a set list can be expanded inside a map:

    define interfaces = { eth0, eth1 }
    table ip x {
        chain y {
            type filter hook input priority 0; policy accept;
            iifname vmap { lo : accept, $interfaces : drop }
        }
    }
    # nft -f x.nft
    # nft list ruleset
    table ip x {
        chain y {
            type filter hook input priority 0; policy accept;
            iifname vmap { "lo" : accept, "eth0" : drop, "eth1" : drop }
        }
    }
  • Concatenations with intervals are allowed in vmaps (verdict maps):

    # nft add rule x y tcp dport . ip saddr vmap { 1025-65535 . 192.168.10.2 : accept }
  • Simplified syntax for NAT maps. Address ranges can be specified:

    ... snat to ip saddr map { 10.141.11.4 : 192.168.2.2-192.168.2.4 }

    or explicit IP addresses and ports:

    ... dnat to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 }

    or combinations of IP ranges and port ranges:

    ... dnat to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.2-10.141.10.5 . 8888-8999 }
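The catch-all element changes what happens to a source address that no map element covers: with "* : drop" it is dropped, and without it the vmap rule simply does not match and the chain policy decides. The following added example, which is not part of the nftables project, models that lookup for the blocklist map from the first item above (the map contents are constructed to mirror the article; the function names are this example's own) so the effect of a map can be checked before it is loaded with nft.

```python
# Added example, not part of the nftables project: a small model of how an
# interval verdict map with a "*" catch-all element resolves a source-address
# lookup. BLOCKLIST is constructed to mirror the article's blocklist map.
import ipaddress

BLOCKLIST = {
    "192.168.0.0/16": "accept",
    "10.0.0.0/8": "accept",
    "*": "drop",
}


def build_intervals(vmap):
    """Turn the non-catch-all keys into ip_network objects.

    nft refuses overlapping intervals in one set (unless auto-merge is on),
    so the same check is made here to keep the model honest.
    """
    nets = []
    for key, verdict in vmap.items():
        if key == "*":
            continue
        net = ipaddress.ip_network(key, strict=False)
        for other, _ in nets:
            if net.overlaps(other):
                raise ValueError(f"conflicting intervals: {net} and {other}")
        nets.append((net, verdict))
    return nets


def lookup_verdict(vmap, saddr):
    """Return the verdict for saddr, or None when no element matches and the
    map has no catch-all (the vmap rule then does not match at all)."""
    addr = ipaddress.ip_address(saddr)
    for net, verdict in build_intervals(vmap):
        if addr in net:
            return verdict
    return vmap.get("*")  # "*" applies only to what no other element covered


def chain_verdict(vmap, saddr, policy="accept"):
    """Model 'ip saddr vmap @blocklist' as the only rule of a chain whose
    policy is `policy`: a miss in the map falls through to that policy."""
    verdict = lookup_verdict(vmap, saddr)
    return verdict if verdict is not None else policy


if __name__ == "__main__":
    for ip in ("10.1.2.3", "192.168.77.1", "8.8.8.8"):
        print(ip, "->", chain_verdict(BLOCKLIST, ip))
```

Run it and 8.8.8.8 is dropped only because of the "*" element; remove that element and the same address is accepted by the chain's "policy accept", which is the usual reason a deny-by-default map silently lets traffic through.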
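The "list hooks" output is the quickest way to see every handler attached to a netfilter hook, including ones that are not nftables chains at all (the selinux entries in the listing above). The added example below, which is not nftables code, parses that listing into execution order (lower priority runs first) and picks out handlers that do not belong to nf_tables, which is the check a defender wants when auditing a host for unexpected hook registrations. The sample text is constructed from the article's own listing; the parser and its function names are this example's assumptions.

```python
# Added example, not part of the nftables project: parse "nft list hooks"
# output into per-hook handler lists sorted by execution order and report
# handlers that are not nf_tables chains. SAMPLE is constructed from the
# listing shown in the article.
import re

SAMPLE = """\
family ip {
        hook ingress {
                +0000000010 chain netdev x y [nf_tables]
                +0000000300 chain inet m w [nf_tables]
        }
        hook input {
                -0000000100 chain ip a b [nf_tables]
                +0000000300 chain inet m z [nf_tables]
        }
        hook forward {
                -0000000225 selinux_ipv4_forward
                 0000000000 chain ip a c [nf_tables]
        }
        hook output {
                -0000000225 selinux_ipv4_output
        }
        hook postrouting {
                +0000000225 selinux_ipv4_postroute
        }
}
"""

HOOK_RE = re.compile(r"^\s*hook\s+(\w+)\s*\{")
# sign (+, - or none for zero), ten-digit priority, then the handler text
ENTRY_RE = re.compile(r"^\s*([+-]?)(\d{10})\s+(.*?)\s*$")


def parse_hooks(text):
    """Return {hook_name: [entry, ...]} with entries sorted by priority.

    An nf_tables chain entry looks like 'chain <family> <table> <chain> [module]';
    anything else is treated as a foreign handler identified by its first token.
    """
    hooks = {}
    current = None
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if m:
            current = m.group(1)
            hooks[current] = []
            continue
        m = ENTRY_RE.match(line)
        if not (m and current):
            continue
        sign, digits, rest = m.groups()
        prio = int(digits) * (-1 if sign == "-" else 1)
        tokens = rest.split()
        if tokens[0] == "chain" and len(tokens) >= 4:
            entry = {
                "priority": prio, "kind": "chain",
                "family": tokens[1], "table": tokens[2], "chain": tokens[3],
                "module": tokens[4].strip("[]") if len(tokens) > 4 else None,
            }
        else:
            entry = {"priority": prio, "kind": "other", "name": tokens[0]}
        hooks[current].append(entry)
    for entries in hooks.values():
        entries.sort(key=lambda e: e["priority"])  # lower priority runs first
    return hooks


def foreign_handlers(hooks):
    """(hook, priority, name) for every handler that is not an nf_tables chain."""
    return [(hook, e["priority"], e["name"])
            for hook, entries in hooks.items()
            for e in entries if e["kind"] == "other"]


if __name__ == "__main__":
    parsed = parse_hooks(SAMPLE)
    for hook, entries in parsed.items():
        print(hook, [(e["priority"], e.get("chain") or e["name"]) for e in entries])
    print("foreign:", foreign_handlers(parsed))
```

In the forward hook the selinux handler at priority -225 runs before the nf_tables chain at priority 0, so a verdict from it is reached before any nftables rule; comparing this listing against a known-good baseline is a cheap way to spot a module that has inserted itself ahead of the firewall.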

Source: opennet.ru