nftables packet filter release 0.9.5

The nftables packet filter release 0.9.5 has been published. nftables is being developed as a replacement for iptables, ip6tables, arptables and ebtables, unifying the packet-filtering interfaces for IPv4, IPv6, ARP and network bridges. The nftables package contains the user-space packet filter components, while the kernel-level functionality is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel changes required by the nftables 0.9.5 release are included in Linux kernel 5.7.

At the kernel level only a generic, protocol-independent interface is provided, offering the basic operations for extracting data from packets, operating on that data and controlling the flow of evaluation. The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space; the bytecode is then loaded into the kernel over the Netlink interface and executed there in a dedicated virtual machine resembling BPF (Berkeley Packet Filters). This design considerably reduces the amount of filtering code that runs in the kernel and moves all of the rule parsing and protocol logic into user space.

Main changes:

  • Packet and byte counters attached to set elements are now supported. Counters are enabled with the "counter" keyword in the set definition:

    table ip x {
        set y {
            typeof ip saddr
            counter
            elements = { 192.168.10.35, 192.168.10.101, 192.168.10.135 }
        }

        chain z {
            type filter hook output priority filter; policy accept;
            ip daddr @y
        }
    }

  • To set initial counter values, for example to restore the previous counts after a restart, the counters can be given in the element list and loaded with "nft -f":

    # cat ruleset.nft
    table ip x {
        set y {
            typeof ip saddr
            counter
            elements = { 192.168.10.35 counter packets 1 bytes 84, 192.168.10.101 \
                         counter packets 0 bytes 0, 192.168.10.135 counter packets 0 bytes 0 }
        }

        chain z {
            type filter hook output priority filter; policy accept;
            ip daddr @y
        }
    }
    # nft -f ruleset.nft
    # nft list ruleset
    table ip x {
        set y {
            typeof ip saddr
            counter
            elements = { 192.168.10.35 counter packets 1 bytes 84, 192.168.10.101 \
                         counter packets 0 bytes 0, 192.168.10.135 counter packets 0 bytes 0 }
        }

        chain z {
            type filter hook output priority filter; policy accept;
            ip daddr @y
        }
    }
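The listing above is the same text on the way in (the file loaded with "nft -f") and on the way out ("nft list ruleset"), so the restore step is mostly a matter of carrying the counter values forward into the next ruleset. The following Python is an added example, not code from the nftables project or from the original article: it extracts the per-element counters from an "nft list ruleset" dump of the set shown above, merges them into a new (possibly changed) element list so that existing addresses keep their counts while newly added ones start at zero, and renders the set in the form "nft -f" accepts. The input text is the article's own listing of set y; the table, family, set name and the extra address 192.168.10.200 are taken from it or assumed for illustration.

```python
"""Carry per-element set counters across a ruleset reload.

Added example (not nftables project code, not from the article). Parses the
`elements = { ... }` block of a set with counters, as printed by
`nft list ruleset`, and renders a new set definition that seeds those
counters, which is the mechanism the article shows with `nft -f`.
"""
import re

# The whole element list; non-greedy so it stops at the list's own brace.
ELEMENTS_RE = re.compile(r"elements\s*=\s*\{(.*?)\}", re.S)
# One element, optionally followed by its counter in nft's own syntax.
ITEM_RE = re.compile(
    r"^(?P<key>\S+)"
    r"(?:\s+counter\s+packets\s+(?P<packets>\d+)\s+bytes\s+(?P<bytes>\d+))?$"
)


def parse_elements(listing):
    """Map each element of the first set in `listing` to (packets, bytes).

    Elements printed without a counter are reported as (0, 0). Backslash
    line continuations, as in the article's listing, are joined first.
    """
    text = listing.replace("\\\n", " ")
    m = ELEMENTS_RE.search(text)
    if m is None:
        raise ValueError("no 'elements = { ... }' block found")
    counters = {}
    for raw in m.group(1).split(","):
        item = " ".join(raw.split())  # collapse newlines and indentation
        if not item:
            continue
        im = ITEM_RE.match(item)
        if im is None:
            raise ValueError(f"unrecognised element: {item!r}")
        counters[im["key"]] = (int(im["packets"] or 0), int(im["bytes"] or 0))
    return counters


def merge_counters(previous, wanted_keys):
    """Counters for a new element list: keep known values, zero new ones.

    Elements no longer wanted are dropped together with their counters.
    """
    return {key: previous.get(key, (0, 0)) for key in wanted_keys}


def render_set(family, table, set_name, key_type, counters):
    """Render a set with seeded counters in the syntax loaded by `nft -f`."""
    items = ",\n".join(
        f"\t\t\t{key} counter packets {p} bytes {b}" for key, (p, b) in counters.items()
    )
    return (
        f"table {family} {table} {{\n"
        f"\tset {set_name} {{\n"
        f"\t\ttypeof {key_type}\n"
        f"\t\tcounter\n"
        f"\t\telements = {{\n{items}\n\t\t}}\n"
        f"\t}}\n"
        f"}}\n"
    )


# The article's own `nft list ruleset` output for set y (raw string so the
# backslash continuation survives exactly as nft prints it).
PREVIOUS_LISTING = r"""table ip x {
	set y {
		typeof ip saddr
		counter
		elements = { 192.168.10.35 counter packets 1 bytes 84, 192.168.10.101 \
		counter packets 0 bytes 0, 192.168.10.135 counter packets 0 bytes 0 }
	}
}"""

# Hypothetical next element list: .101 removed, .200 added.
NEW_ELEMENTS = ["192.168.10.35", "192.168.10.135", "192.168.10.200"]


def restore_file():
    """The ruleset text to load with `nft -f` after the change."""
    merged = merge_counters(parse_elements(PREVIOUS_LISTING), NEW_ELEMENTS)
    return render_set("ip", "x", "y", "ip saddr", merged)


if __name__ == "__main__":
    print(restore_file(), end="")
```

The rendered text is meant to be loaded into a ruleset that does not yet contain table x, which is the situation the article describes (restoring after a restart); the parser only reads the first set in the dump, so run it per set if the table defines several.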

  • Counter support has also been added to flowtables:

    table ip foo {
        flowtable bar {
            hook ingress priority -100
            devices = { eth0, eth1 }
            counter
        }

        chain forward {
            type filter hook forward priority filter;
            flow add @bar counter
        }
    }

    The counters of offloaded connections appear in the connection list printed by "conntrack -L":

    tcp 6 src=192.168.10.2 dst=10.0.1.2 sport=47278 dport=5201 packets=9 bytes=608 \
    src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=47278 packets=8 bytes=428 [OFFLOAD] mark=0 \
    secctx=null use=2
    tcp 6 src=192.168.10.2 dst=10.0.1.2 sport=47280 dport=5201 \
    packets=1005763 bytes=44075714753 src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=47280 \
    packets=967505 bytes=50310268 [OFFLOAD] mark=0 secctx=null use=2

  • In sets of concatenations (combined keys such as address and port that simplify matching), the "typeof" directive can now be used to declare the data type of the parts that make up each set element:

    table ip foo {
        set whitelist {
            typeof ip saddr . tcp dport
            elements = { 192.168.10.35 . 80, 192.168.10.101 . 80 }
        }

        chain bar {
            type filter hook prerouting priority filter; policy drop;
            ip saddr . tcp dport @whitelist accept
        }
    }

  • The typeof directive now also works for concatenations in map definitions:

    table ip foo {
        map addr2mark {
            typeof ip saddr . tcp dport : meta mark
            elements = { 192.168.10.35 . 80 : 0x00000001,
                         192.168.10.135 . 80 : 0x00000002 }
        }

        chain bar {
            type filter hook prerouting priority filter; policy drop;
            meta mark set ip daddr . tcp dport map @addr2mark accept
        }
    }

  • Added support for concatenations of ranges in anonymous (unnamed) sets:

    # nft add rule inet filter input ip saddr . tcp dport \
      { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept

  • Packets carrying 802.1q (VLAN) tags can now be rejected when filtering on network bridges:

    # nft add rule bridge foo bar ether type vlan reject with tcp reset

  • Added support for matching on the connection tracking identifier (conntrack ID). The ID of a tracked connection is shown by "conntrack -L" with the "--output id" option:

    # conntrack -L --output id
    udp 17 18 src=192.168.2.118 dst=192.168.2.1 sport=36424 dport=53 packets=2 \
    bytes=122 src=192.168.2.1 dst=192.168.2.118 sport=53 dport=36424 packets=2 bytes=320 \
    [ASSURED] mark=0 use=1 id=2779986232

    # nft add rule foo bar ct id 2779986232 counter
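Both the flowtable counter listing above and the "ct id" example rely on reading the text that "conntrack -L" prints, where each line carries the original-direction tuple and counters, then the reply-direction tuple and counters, then bracketed flags such as [OFFLOAD] or [ASSURED] and trailing attributes. The Python below is an added example, not code from the nftables or conntrack-tools projects or from the article: it parses such lines into structured records (separating the two directions, the flags and the id), picks out flows by byte volume or offload state, and builds the "nft add rule foo bar ct id N counter" command for a chosen connection. The sample lines are the ones printed in this article with their backslash continuations joined; the table and chain names foo and bar are the article's, and the 1 MB threshold is an arbitrary illustration.

```python
"""Parse `conntrack -L` output and build `ct id` match rules.

Added example, not conntrack-tools/nftables project code. Each line is:
  <proto> <protonum> [<timeout> [<TCP state>]] key=value ... [FLAG] ... id=N
where src/dst/sport/dport/packets/bytes occur twice: first for the original
direction, then for the reply direction.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

KV_RE = re.compile(r"^([a-z]+)=(.+)$")
DIRECTION_KEYS = {"src", "dst", "sport", "dport", "packets", "bytes"}
INT_KEYS = {"sport", "dport", "packets", "bytes", "mark", "use", "id"}


@dataclass
class Flow:
    proto: str
    proto_num: int
    timeout: Optional[int]      # missing for offloaded flows in the sample
    state: Optional[str]        # TCP state name, e.g. ESTABLISHED
    orig: dict = field(default_factory=dict)   # original direction
    reply: dict = field(default_factory=dict)  # reply direction
    flags: list = field(default_factory=list)  # OFFLOAD, ASSURED, ...
    attrs: dict = field(default_factory=dict)  # mark, use, secctx, id, ...

    @property
    def ct_id(self):
        return self.attrs.get("id")

    @property
    def total_bytes(self):
        return self.orig.get("bytes", 0) + self.reply.get("bytes", 0)

    @property
    def offloaded(self):
        return "OFFLOAD" in self.flags


def parse_line(line):
    tokens = line.split()
    if len(tokens) < 2 or not tokens[1].isdigit():
        raise ValueError(f"not a conntrack line: {line!r}")
    flow = Flow(tokens[0], int(tokens[1]), None, None)
    for tok in tokens[2:]:
        if tok.startswith("[") and tok.endswith("]"):
            flow.flags.append(tok[1:-1])
            continue
        m = KV_RE.match(tok)
        if m is None:
            # Only the timeout and the TCP state precede the first key=value.
            if tok.isdigit() and flow.timeout is None and not flow.orig:
                flow.timeout = int(tok)
            elif tok.isupper() and flow.state is None and not flow.orig:
                flow.state = tok
            else:
                raise ValueError(f"unexpected token {tok!r} in {line!r}")
            continue
        key, value = m.groups()
        if key in INT_KEYS:
            value = int(value)
        if key in DIRECTION_KEYS:
            # First occurrence is the original direction, second the reply.
            (flow.orig if key not in flow.orig else flow.reply)[key] = value
        else:
            flow.attrs[key] = value
    return flow


def parse_conntrack(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def heavy_flows(flows, min_bytes):
    """Flows whose byte count over both directions reaches min_bytes."""
    return [f for f in flows if f.total_bytes >= min_bytes]


def ct_id_rule(flow, table="foo", chain="bar"):
    """The `nft add rule` command matching exactly this tracked connection."""
    if flow.ct_id is None:
        raise ValueError("no id on this line; run conntrack -L --output id")
    return f"nft add rule {table} {chain} ct id {flow.ct_id} counter"


# The article's sample output, continuations joined (last line from --output id).
SAMPLE = """\
tcp 6 src=192.168.10.2 dst=10.0.1.2 sport=47278 dport=5201 packets=9 bytes=608 src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=47278 packets=8 bytes=428 [OFFLOAD] mark=0 secctx=null use=2
tcp 6 src=192.168.10.2 dst=10.0.1.2 sport=47280 dport=5201 packets=1005763 bytes=44075714753 src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=47280 packets=967505 bytes=50310268 [OFFLOAD] mark=0 secctx=null use=2
udp 17 18 src=192.168.2.118 dst=192.168.2.1 sport=36424 dport=53 packets=2 bytes=122 src=192.168.2.1 dst=192.168.2.118 sport=53 dport=36424 packets=2 bytes=320 [ASSURED] mark=0 use=1 id=2779986232
"""

if __name__ == "__main__":
    flows = parse_conntrack(SAMPLE)
    for f in heavy_flows(flows, 1_000_000):          # 1 MB, arbitrary threshold
        print(f"offloaded={f.offloaded} {f.orig['src']}:{f.orig['sport']} "
              f"-> {f.orig['dst']}:{f.orig['dport']} {f.total_bytes} bytes")
    print(ct_id_rule(flows[2]))
```

Only lines produced with "--output id" carry the id attribute, so ct_id_rule refuses to build a rule for the offloaded TCP entries above; the parser also accepts the usual non-offloaded form with a timeout and TCP state (for example "tcp 6 431999 ESTABLISHED src=...") and the [UNREPLIED] flag that conntrack prints between the two directions.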

Source: opennet.ru
