nftables packet filter release 1.0.7

The release of the packet filter nftables 1.0.7 has been published, unifying packet filtering interfaces for IPv4, IPv6, ARP and network bridges (intended to replace iptables, ip6tables, arptables and ebtables). The nftables package includes the packet-filtering components that run in user space, while the kernel-level work is done by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. At the kernel level, only a generic protocol-independent interface is provided, offering basic functions for extracting data from packets, performing operations on that data, and controlling the flow.

The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel through the Netlink interface and executed there in a special virtual machine resembling BPF (Berkeley Packet Filters). This approach makes it possible to substantially reduce the amount of filtering code running at the kernel level and to move all the work of parsing rules and handling protocols into user space.

Key changes:

  • For systems with Linux kernel 6.2+, support for vxlan, geneve, gre and gretap protocol mappings has been added, allowing simple expressions to check headers inside encapsulated packets. For example, to check the IP address in the header of a packet encapsulated in VxLAN, you can now use rules such as the following (without first having to decapsulate the VxLAN header and bind the filter to the vxlan0 interface):

        ... udp dport 4789 vxlan ip protocol udp
        ... udp dport 4789 vxlan ip saddr 1.2.3.0/24
        ... udp dport 4789 vxlan ip saddr . vxlan ip daddr { 1.2.3.4 . 4.3.2.1 }
  • Support for automatically merging the remainders after part of a set element is deleted, which allows deleting a single element or a sub-range from an existing range (previously, a range could only be deleted as a whole). For example, after deleting element 25 from a set containing the ranges 24-30 and 40-50, the set holds 24, 26-30 and 40-50. The kernel fixes required for this to work will be offered in upcoming updates of the stable 5.10+ kernel branches.

        # nft list ruleset
        table ip x {
                set y {
                        typeof tcp dport
                        flags interval
                        auto-merge
                        elements = { 24-30, 40-50 }
                }
        }
        # nft delete element ip x y { 25 }
        # nft list ruleset
        table ip x {
                set y {
                        typeof tcp dport
                        flags interval
                        auto-merge
                        elements = { 24, 26-30, 40-50 }
                }
        }
  • Allowed the use of concatenations and ranges in network address translation (NAT) mappings:

        table ip nat {
                chain prerouting {
                        type nat hook prerouting priority dstnat; policy accept;
                        dnat to ip daddr . tcp dport map { 10.1.1.136 . 80 : 1.1.2.69 . 1024, 10.1.1.10-10.1.1.20 . 8888-8889 : 1.1.2.69 . 2048-2049 } persistent
                }
        }
  • Added support for the "last" statement, which allows tracking the time at which a rule or a set element was last used. Supported starting with Linux kernel 5.14.

        table ip x {
                set y {
                        typeof ip daddr . tcp dport
                        size 65535
                        flags dynamic,timeout
                        timeout 1h
                }

                chain z {
                        type filter hook output priority filter; policy accept;
                        update @y { ip daddr . tcp dport }
                }
        }
        # nft list set ip x y
        table ip x {
                set y {
                        typeof ip daddr . tcp dport
                        size 65535
                        flags dynamic,timeout
                        timeout 1h
                        elements = { 172.217.17.14 . 443 last used 1s591ms timeout 1h expires 59m58s409ms,
                                     172.67.69.19 . 443 last used 4s636ms timeout 1h expires 59m55s364ms,
                                     142.250.201.72 . 443 last used 4s748ms timeout 1h expires 59m55s252ms,
                                     172.67.70.134 . 443 last used 4s688ms timeout 1h expires 59m55s312ms,
                                     35.241.9.150 . 443 last used 5s204ms timeout 1h expires 59m54s796ms,
                                     138.201.122.174 . 443 last used 4s537ms timeout 1h expires 59m55s463ms,
                                     34.160.144.191 . 443 last used 5s205ms timeout 1h expires 59m54s795ms,
                                     130.211.23.194 . 443 last used 4s436ms timeout 1h expires 59m55s564ms }
                }
        }
  • Added the ability to define quotas in sets. For example, to limit the amount of traffic for each IP address, you can specify:

        table netdev x {
                set y {
                        typeof ip daddr
                        size 65535
                        quota over 10000 mbytes
                }

                chain y {
                        type filter hook egress device "eth0" priority filter; policy accept;
                        ip daddr @y drop
                }
        }
        # nft add element netdev x y { 8.8.8.8 }
        # ping -c 2 8.8.8.8
        # nft list ruleset
        table netdev x {
                set y {
                        type ipv4_addr
                        size 65535
                        quota over 10000 mbytes
                        elements = { 8.8.8.8 quota over 10000 mbytes used 196 bytes }
                }

                chain y {
                        type filter hook egress device "eth0" priority filter; policy accept;
                        ip daddr @y drop
                }
        }
  • Allowed the use of constants in set elements. For example, when the Ethernet address and VLAN ID form the set key, you can explicitly specify the VLAN number (daddr . 123):

        table netdev t {
                set s {
                        typeof ether saddr . vlan id
                        size 2048
                        flags dynamic,timeout
                        timeout 1m
                }

                chain c {
                        type filter hook ingress device eth0 priority 0; policy accept;
                        ether type != 8021q update @s { ether daddr . 123 } counter
                }
        }
  • Added a new "destroy" command for deleting objects (unlike the delete command, it does not return ENOENT when asked to delete an object that does not exist). Requires at least Linux kernel 6.3-rc to work.

        destroy table ip filter
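The range-splitting behaviour described in the auto-merge item above, as an added Python model that is not part of the release notes or of nftables itself: it treats elements of an "interval" set with "auto-merge" as inclusive integer ranges, merges adjacent or overlapping ranges on add, and splits the containing range when a value or sub-range is deleted, reproducing the { 24-30, 40-50 } to { 24, 26-30, 40-50 } example.

```python
# Added example (not nftables code): a model of "flags interval" + "auto-merge"
# set elements. Ranges are inclusive (lo, hi) tuples, as in nft syntax "24-30".
from typing import List, Tuple

Range = Tuple[int, int]


def parse_elements(spec: str) -> List[Range]:
    """Parse an nft element list such as "24-30, 40-50, 7" into ranges."""
    out: List[Range] = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition("-")
        out.append((int(lo), int(hi) if hi else int(lo)))
    return out


def automerge(ranges: List[Range]) -> List[Range]:
    """Merge overlapping or adjacent ranges, as auto-merge does when adding."""
    merged: List[Range] = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def delete_range(ranges: List[Range], lo: int, hi: int) -> List[Range]:
    """Remove [lo, hi] from the set, splitting any range that contains it."""
    out: List[Range] = []
    for a, b in automerge(ranges):
        if hi < a or lo > b:        # no overlap: element is kept unchanged
            out.append((a, b))
            continue
        if a < lo:                  # left remainder survives
            out.append((a, lo - 1))
        if b > hi:                  # right remainder survives
            out.append((hi + 1, b))
    return out


def format_elements(ranges: List[Range]) -> str:
    """Render ranges in nft syntax: single values as "24", otherwise "26-30"."""
    return ", ".join(f"{a}" if a == b else f"{a}-{b}" for a, b in ranges)


if __name__ == "__main__":
    s = parse_elements("24-30, 40-50")
    print(format_elements(delete_range(s, 25, 25)))  # 24, 26-30, 40-50
```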

Source: opennet.ru
