nftables packet filter release 1.0.2

The release of the nftables 1.0.2 packet filter has been published. nftables unifies the packet-filtering interfaces for IPv4, IPv6, ARP and network bridges and aims to replace iptables, ip6tables, arptables and ebtables. The kernel changes required for nftables 1.0.2 to work are included in Linux kernel 5.17-rc.

The nftables package contains the packet-filter components that run in user space, while the kernel-level work is done by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel side provides only a generic, protocol-independent interface offering basic operations for extracting data from packets, performing operations on that data and controlling the flow.

The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel through the Netlink interface and executed there in a special virtual machine resembling BPF (Berkeley Packet Filters). This approach makes it possible to significantly reduce the amount of filtering code running at kernel level and to move all rule parsing and protocol-handling logic into user space.

Main changes:

  • Added a rule-set optimization mode, enabled with the new "-o" ("--optimize") option, which can be combined with the "--check" option to check and validate changes to a ruleset file without actually loading it. The optimizer merges similar rules; for example, the rules

        meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
        meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.5 accept
        ip saddr 1.1.1.1 ip daddr 2.2.2.2 accept
        ip saddr 2.2.2.2 ip daddr 3.3.3.3 drop

    are merged into

        meta iifname . ip saddr . ip daddr { eth1 . 1.1.1.1 . 2.2.2.3, eth1 . 1.1.1.2 . 2.2.2.5 } accept
        ip saddr . ip daddr vmap { 1.1.1.1 . 2.2.2.2 : accept, 2.2.2.2 . 3.3.3.3 : drop }

    Usage example:

        # nft -c -o -f ruleset.test
        Merging:
        ruleset.nft:16:3-37: ip daddr 192.168.0.1 counter accept
        ruleset.nft:17:3-37: ip daddr 192.168.0.2 counter accept
        ruleset.nft:18:3-37: ip daddr 192.168.0.3 counter accept
        into:
        ip daddr { 192.168.0.1, 192.168.0.2, 192.168.0.3 } counter packets 0 bytes 0 accept

  • Sets can now be used to match IP and TCP options as well as SCTP chunks:

        set s5 { typeof ip option ra value elements = { 1, 1024 } }
        set s7 { typeof sctp chunk init num-inbound-streams elements = { 1, 4 } }
        chain c5 { ip option ra value @s5 accept }
        chain c7 { sctp chunk init num-inbound-streams @s7 accept }

  • Added support for the TCP options fastopen, md5sig and mptcp.
  • Added support for matching on the mptcp subtype: tcp option mptcp subtype 1
  • Improved the filtering code on the kernel side.
  • Flowtables now have full support for the JSON format.
  • The "reject" action can now be used in rules that match Ethernet addresses:

        ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject
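The rule merging that "-o" performs in the first item above, traced as an added Python model; this is not nftables code and not the tool's own implementation. It assumes only the three selectors listed in KEYS, single-token values, and omits the "packets 0 bytes 0" counter state that nft prints.

```python
# Added example (not nftables code): a toy model of the rule merging that
# "nft -o" performs. Assumed simplifications: only the selectors in KEYS,
# one-token values, and no "packets/bytes" counter state in the output.
KEYS = ("meta iifname", "ip saddr", "ip daddr")
VERDICTS = ("accept", "drop", "reject")

def parse_rule(rule):
    """Split a rule into (selector keys, values, other statements, verdict)."""
    tokens = rule.split()
    verdict = tokens.pop()
    if verdict not in VERDICTS:
        raise ValueError(f"unsupported verdict in: {rule}")
    keys, vals, stmts = [], [], []
    i = 0
    while i < len(tokens):
        key = " ".join(tokens[i:i + 2])
        if key in KEYS:  # selector followed by its value
            keys.append(key)
            vals.append(tokens[i + 2])
            i += 3
        else:  # any other statement, e.g. "counter"
            stmts.append(tokens[i])
            i += 1
    return tuple(keys), tuple(vals), tuple(stmts), verdict

def optimize(rules):
    """Merge runs of consecutive rules that differ only in values or verdict."""
    parsed = [parse_rule(r) for r in rules]
    out, i = [], 0
    while i < len(parsed):
        keys, _, stmts, _ = parsed[i]
        j = i + 1
        # Only consecutive rules are merged: reordering could change which rule hits first.
        while j < len(parsed) and parsed[j][0] == keys and parsed[j][2] == stmts:
            j += 1
        group = parsed[i:j]
        if len(group) == 1 or not keys:
            out.extend(rules[i:j])  # nothing to merge, keep rules verbatim
        else:
            lhs = " . ".join(keys)  # concatenation of the selectors
            body = (" " + " ".join(stmts)) if stmts else ""
            if len({g[3] for g in group}) == 1:  # same verdict -> anonymous set
                elems = ", ".join(" . ".join(g[1]) for g in group)
                out.append(f"{lhs} {{ {elems} }}{body} {group[0][3]}")
            else:  # mixed verdicts -> verdict map
                elems = ", ".join(f"{' . '.join(g[1])} : {g[3]}" for g in group)
                out.append(f"{body.strip() + ' ' if body else ''}{lhs} vmap {{ {elems} }}")
        i = j
    return out
```

Running optimize() on the four rules from the release note reproduces the set and vmap forms shown above, which is a convenient way to sanity-check what "nft -c -o" reports before loading a ruleset.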

Source: opennet.ru
