nftables 1.0.6 packet filter released

The release of the nftables 1.0.6 packet filter has been published, unifying the packet filtering interfaces for IPv4, IPv6, ARP and network bridges (it is intended to replace iptables, ip6tables, arptables and ebtables). The nftables package contains the packet filter components that run in user space, while the kernel-level work is done by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel side provides only a generic, protocol-independent interface with basic primitives for extracting data from packets, performing operations on that data, and flow control.

The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel through the Netlink interface and executed there in a special virtual machine resembling BPF (Berkeley Packet Filters). This approach makes it possible to greatly reduce the amount of filtering code running at the kernel level and to move all the work of parsing rules and handling protocol logic into user space.

Main changes:

  • The rule optimizer, enabled with the "-o/--optimize" option, now automatically compacts rules by merging them and converting them into maps and set lists. For example, the ruleset

        # cat ruleset.nft
        table ip x {
                chain y {
                        type filter hook input priority filter; policy drop;
                        meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
                        meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4 accept
                        meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.3.0/24 accept
                        meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.4.0-2.2.4.10 accept
                        meta iifname eth2 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept
                }
        }

    is converted by "nft -o -c -f ruleset.nft" as follows: the rules

        ruleset.nft:4:17-74: meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
        ruleset.nft:5:17-74: meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4 accept
        ruleset.nft:6:17-77: meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.3.0/24 accept
        ruleset.nft:7:17-83: meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.4.0-2.2.4.10 accept
        ruleset.nft:8:17-74: meta iifname eth2 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept

    are merged into:

        iifname . ip saddr . ip daddr { eth1 . 1.1.1.1 . 2.2.2.3, eth1 . 1.1.1.2 . 2.2.2.4, eth1 . 1.1.1.2 . 2.2.3.0/24, eth1 . 1.1.1.2 . 2.2.4.0-2.2.4.10, eth2 . 1.1.1.3 . 2.2.2.5 } accept

  • The optimizer can also rewrite rules that already use simple anonymous sets into a more compact form. For example, the ruleset

        # cat ruleset.nft
        table ip filter {
                chain input {
                        type filter hook input priority filter; policy drop;
                        iifname "lo" accept
                        ct state established,related accept comment "Traffic originated from us, we trust"
                        iifname "enp0s31f6" ip saddr { 209.115.181.102, 216.197.228.230 } ip daddr 10.0.0.149 udp sport 123 udp dport 32768-65535 accept
                        iifname "enp0s31f6" ip saddr { 64.59.144.17, 64.59.150.133 } ip daddr 10.0.0.149 udp sport 53 udp dport 32768-65535 accept
                }
        }

    is processed so that the rules

        ruleset.nft:6:22-149: iifname "enp0s31f6" ip saddr { 209.115.181.102, 216.197.228.230 } ip daddr 10.0.0.149 udp sport 123 udp dport 32768-65535 accept
        ruleset.nft:7:22-143: iifname "enp0s31f6" ip saddr { 64.59.144.17, 64.59.150.133 } ip daddr 10.0.0.149 udp sport 53 udp dport 32768-65535 accept

    are merged into:

        iifname . ip saddr . ip daddr . udp sport . udp dport { enp0s31f6 . 209.115.181.102 . 10.0.0.149 . 123 . 32768-65535, enp0s31f6 . 216.197.228.230 . 10.0.0.149 . 123 . 32768-65535, enp0s31f6 . 64.59.144.17 . 10.0.0.149 . 53 . 32768-65535, enp0s31f6 . 64.59.150.133 . 10.0.0.149 . 53 . 32768-65535 } accept

  • Fixed bytecode generation for concatenations of intervals whose components use different byte orders, such as an IPv4 address (network byte order) combined with a meta mark (host byte order):

        table ip x {
                map w {
                        typeof ip saddr . meta mark : verdict
                        flags interval
                        elements = { 127.0.0.1-127.0.0.4 . 0x123434-0xb00122 : accept,
                                     192.168.0.10-192.168.1.20 . 0x0000aa00-0x0000aaff : accept, }
                }
                chain k {
                        type filter hook output priority filter; policy drop;
                        ip saddr . meta mark vmap @w
                }
        }

  • Improved comparisons against non-standard protocol headers made with raw payload expressions, for example: meta l4proto 91 @th,400,16 0x0 accept
  • Fixed a problem with rules that use interval sets, for example: insert rule x y tcp sport { 3478-3497, 16384-16387 } counter accept
  • The JSON API has been extended with support for comments in sets and maps.
  • Additions to the python nftables library allow a ruleset to be loaded in check-only mode ("-c") and add support for defining variables externally.
  • Comments can now be attached to set elements.
  • The byte ratelimit now allows a zero value to be specified.
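As an added illustration (not code from nftables or from this announcement), the Python sketch below models what the optimizer does in the two examples above: consecutive rules with the same match keys and the same verdict are folded into one rule carrying a concatenated anonymous set, while rules are never reordered across a different verdict. It understands only the small subset of nft syntax those examples use; the KEYS tuple and the RULES sample are constructed here.

```python
import itertools
KEYS = ("iifname", "oifname", "ip saddr", "ip daddr",        # the nft match
        "tcp sport", "tcp dport", "udp sport", "udp dport")  # keys this toy knows
VERDICTS = ("accept", "drop")

def parse_rule(rule):
    """Return ([(key, [values]), ...], verdict) for one simple nft rule."""
    toks = rule.replace("{", " { ").replace("}", " } ").replace(",", " ").split()
    matches, i = [], 0
    while toks[i] not in VERDICTS:
        if toks[i] == "meta":          # nft prints `iifname`, not `meta iifname`
            i += 1
        key = toks[i] if toks[i] in KEYS else f"{toks[i]} {toks[i + 1]}"
        if key not in KEYS:
            raise ValueError(f"unsupported expression in {rule!r}")
        i += len(key.split())
        if toks[i] == "{":             # anonymous set: several values for one key
            end = toks.index("}", i)
            values, i = toks[i + 1:end], end + 1
        else:
            values, i = [toks[i]], i + 1
        matches.append((key, [v.strip('"') for v in values]))
    return matches, toks[i]

def optimize(rules):
    """Fold runs of rules with identical keys and verdict into one rule with a
    concatenated anonymous set; a different verdict in between ends the run."""
    out, group, sig = [], [], None
    def flush():
        if len(group) == 1:            # a lone rule is kept verbatim
            out.append(group[0][1])
        elif group:
            keys, verdict = sig
            elems = [" . ".join(combo) for matches, _ in group
                     for combo in itertools.product(*(v for _, v in matches))]
            out.append(f"{' . '.join(keys)} {{ {', '.join(elems)} }} {verdict}")
        group.clear()
    for text in rules:
        matches, verdict = parse_rule(text)
        this_sig = (tuple(k for k, _ in matches), verdict)
        if this_sig != sig:            # key list or verdict changed: new group
            flush()
            sig = this_sig
        group.append((matches, text))
    flush()
    return out

# Constructed input: the five rules of the first example above.
RULES = ["meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept",
         "meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4 accept",
         "meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.3.0/24 accept",
         "meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.4.0-2.2.4.10 accept",
         "meta iifname eth2 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept"]
```

optimize(RULES) yields the single merged rule shown in the first example; running it on the two udp rules of the second example reproduces that example's concatenated set as well.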

Source: opennet.ru
