nftables packet filter release 0.9.4

The release of the packet filter nftables 0.9.4 has been published. nftables is being developed as a replacement for iptables, ip6tables, arptables and ebtables, unifying the packet filtering interfaces for IPv4, IPv6, ARP and network bridges. The nftables package contains the packet filter components that run in user space, while the kernel side is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel changes required for nftables 0.9.4 are included in the upcoming kernel branch Linux 5.6.

At the kernel level only a generic, protocol-independent interface is provided, offering basic primitives for extracting data from packets, performing operations on that data, and controlling flow. The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space; the bytecode is then loaded into the kernel over the Netlink interface and executed in the kernel by a special virtual machine similar to BPF (Berkeley Packet Filters). This approach makes it possible to significantly reduce the amount of filtering code running at the kernel level and to move all rule parsing and protocol-handling logic into user space.

Main new features:

  • Support for ranges in concatenations (a concatenation combines several fields, such as addresses and ports, into one key to simplify matching). For example, for a "whitelist" set with concatenated elements, specifying the "interval" flag indicates that the set may contain ranges inside the concatenation. For the concatenation "ipv4_addr . ipv4_addr . inet_service" it was previously only possible to write exact matches such as "192.168.10.35 . 192.68.11.123 . 80"; now groups of addresses can be specified, such as "192.168.10.35-192.168.10.40 . 192.68.11.123-192.168.11.125 . 80".

    table ip foo {
        set whitelist {
            type ipv4_addr . ipv4_addr . inet_service
            flags interval
            elements = { 192.168.10.35-192.168.10.40 . 192.68.11.123-192.168.11.125 . 80 }
        }

        chain bar {
            type filter hook prerouting priority filter; policy drop;
            ip saddr . ip daddr . tcp dport @whitelist accept
        }
    }
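To make the semantics of the "interval" flag on a concatenated set concrete, here is an added Python model (not code from nftables or the release notes) of the "ip saddr . ip daddr . tcp dport @whitelist" lookup above: every field of the packet key must fall inside the corresponding field of one element, and ranges are only allowed once the set is declared with the interval flag. The element strings and packet values are constructed for the example.

```python
import ipaddress

# Constructed model of a "type ipv4_addr . ipv4_addr . inet_service" set.
# Not nftables code: it only reproduces the matching rule described above.

def _parse_field(text, as_ip):
    """Parse 'a-b' as an inclusive (low, high) pair, or a single value as (v, v)."""
    conv = (lambda s: int(ipaddress.IPv4Address(s))) if as_ip else int
    lo, sep, hi = text.partition("-")
    return (conv(lo), conv(hi) if sep else conv(lo))

def parse_elements(elements, interval):
    """Parse elements written in nft syntax, fields separated by ' . '.
    Without 'flags interval' a range in any field is an error, mirroring
    nft rejecting ranges in a concatenation set declared without the flag."""
    parsed = []
    for elem in elements:
        saddr, daddr, port = [f.strip() for f in elem.split(" . ")]
        if not interval and any("-" in f for f in (saddr, daddr, port)):
            raise ValueError(f"range in element {elem!r} requires 'flags interval'")
        parsed.append((_parse_field(saddr, True),
                       _parse_field(daddr, True),
                       _parse_field(port, False)))
    return parsed

def lookup(set_elements, saddr, daddr, dport):
    """Emulate 'ip saddr . ip daddr . tcp dport @whitelist'."""
    key = (int(ipaddress.IPv4Address(saddr)),
           int(ipaddress.IPv4Address(daddr)), dport)
    return any(all(lo <= k <= hi for k, (lo, hi) in zip(key, elem))
               for elem in set_elements)

# The whitelist from the ruleset above, declared with 'flags interval'.
WHITELIST = parse_elements(
    ["192.168.10.35-192.168.10.40 . 192.68.11.123-192.168.11.125 . 80"],
    interval=True)

def verdict(saddr, daddr, dport):
    """Chain 'bar' has 'policy drop': only packets matched by the set are accepted."""
    return "accept" if lookup(WHITELIST, saddr, daddr, dport) else "drop"
```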

  • In set and map declarations, the "typeof" directive can be used; it infers the element type from the named selector when the set or map is created.
    For example:

    table ip foo {
        set whitelist {
            typeof ip saddr
            elements = { 192.168.10.35, 192.168.10.101, 192.168.10.135 }
        }

        chain bar {
            type filter hook prerouting priority filter; policy drop;
            ip daddr @whitelist accept
        }
    }

    table ip foo {
        map addr2mark {
            typeof ip saddr : meta mark
            elements = { 192.168.10.35 : 0x00000001, 192.168.10.135 : 0x00000002 }
        }
    }

  • Added the ability to use concatenations in NAT mappings, which lets you specify both the address and the port when defining NAT translations based on named maps or sets:

    nft add rule ip nat pre dnat ip addr . port to ip saddr map { 1.1.1.1 : 2.2.2.2 . 30 }

    nft add map ip nat destinations { type ipv4_addr . inet_service : ipv4_addr . inet_service\; }
    nft add rule ip nat pre dnat ip addr . port to ip saddr . tcp dport map @destinations

  • Support for hardware acceleration by offloading some filtering operations to the network card. Acceleration is enabled through the ethtool utility ("ethtool -K eth0 hw-tc-offload on"), after which it is activated in nftables for a base chain using the "offload" flag. With the Linux 5.6 kernel, hardware offload is supported for matching header fields and the ingress interface, together with the accept, drop, duplicate (dup) and forward (fwd) actions. In the example below, packets from the address 192.168.30.20 are dropped at the network card level, without being passed to the kernel:

    # cat file.nft
    table netdev x {
        chain y {
            type filter hook ingress device eth0 priority 10; flags offload;
            ip saddr 192.168.30.20 drop
        }
    }
    # nft -f file.nft

  • Improved reporting of the location of errors in rules.

    # nft delete rule ip yz handle 7
    Error: Could not process rule: No such file or directory
    delete rule ip yz handle 7
                   ^^

    # nft delete rule ip xx handle 7
    Error: Could not process rule: No such file or directory
    delete rule ip xx handle 7
                             ^

    # nft delete table twst
    Error: No such file or directory; did you mean table 'test' in family ip?
    delete table twst
                 ^^^^

    The first example shows that the table 'yz' does not exist in the ruleset, the second shows that handle '7' does not exist, and the third shows a typo hint when the table name is misspelled.

  • Added support for matching the slave interface by specifying "meta sdif" or "meta sdifname":

    ... meta sdifname vrf1 ...

  • Added support for left and right shift operations. For example, to shift the existing packet mark left by 1 bit and set the low bit to 1:

    ... meta mark set meta mark lshift 1 or 0x1 ...

  • Implemented the "-V" option to display extended version information.

    # nft -V
    nftables v0.9.4 (Jive at Five)
      cli:		readline
      json:		yes
      minigmp:	no
      libxtables:	yes

  • Command-line options must now be specified before the command. For example, you must write "nft -a list ruleset"; running "nft list ruleset -a" results in an error.

    Source: opennet.ru
