nftables packet filter release 0.9.9

The release of the nftables 0.9.9 packet filter has been published. It unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridges (and is intended to replace iptables, ip6tables, arptables and ebtables). At the same time, release 1.2.0 of the companion library libnftnl has been published, providing a low-level API for interacting with the nf_tables subsystem. The kernel changes required for nftables 0.9.9 to work are included in Linux kernel 5.13-rc1.

The nftables package contains the packet filter components that run in user space, while the kernel-level work is done by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel side provides only a generic, protocol-independent interface with the basic primitives for extracting data from packets, performing operations on that data, and controlling flow.

The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space; the bytecode is then loaded into the kernel over the Netlink interface and executed there in a special virtual machine resembling BPF (Berkeley Packet Filters). This approach makes it possible to greatly reduce the amount of filtering code running at the kernel level and to move all rule parsing and protocol-handling logic into user space.

Main new features:

  • The ability to offload flows to the network adapter, enabled with the 'offload' flag. A flowtable is a mechanism for speeding up packet forwarding: the full pass through all rule-processing chains is applied only to the first packet of a flow, and all subsequent packets of that flow are forwarded directly.

        table ip global {
                flowtable f {
                        hook ingress priority filter + 1
                        devices = { lan3, lan0, wan }
                        flags offload
                }
                chain forward {
                        type filter hook forward priority filter; policy accept;
                        ip protocol { tcp, udp } flow add @f
                }
                chain post {
                        type nat hook postrouting priority filter; policy accept;
                        oifname "wan" masquerade
                }
        }
  • Added support for setting the owner flag on a table, which gives a process exclusive use of that table. When the process exits, the table bound to it is deleted automatically. Information about the owning process is shown in the rule dump as a comment:

        table ip x {   # progname nft
                flags owner

                chain y {
                        type filter hook input priority filter; policy accept;
                        counter packets 1 bytes 309
                }
        }
  • Added support for the IEEE 802.1ad specification (VLAN stacking, or QinQ), which defines how several VLAN tags are nested in a single Ethernet frame. For example, to match an outer Ethernet frame type of 8021ad with vlan id = 342, you can use the construct:

        ... ether type 8021ad vlan id 342

    To match an outer Ethernet frame type of 8021ad with vlan id = 1, a nested 802.1q tag with vlan id = 2, and an encapsulated IP packet after that:

        ... ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip counter
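    To make concrete what the stacked-tag rule above has to walk through, here is an added example (not part of the release notes or of the nftables code base) that parses the VLAN tag stack of an Ethernet frame and emulates the "ether type 8021ad vlan id A vlan type 8021q vlan id B vlan type ip" match in Python. The EtherType values 0x88A8 (802.1ad), 0x8100 (802.1Q) and 0x0800 (IPv4) are the IEEE/IANA assignments; the MAC addresses and the frames themselves are constructed test data.

```python
import struct

# EtherType assignments: 802.1ad service tag, 802.1Q customer tag, IPv4 payload.
ETHERTYPE_8021AD = 0x88A8
ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
TAG_TYPES = {ETHERTYPE_8021AD: "8021ad", ETHERTYPE_8021Q: "8021q"}


def parse_vlan_stack(frame: bytes):
    """Walk every VLAN tag after the MAC addresses of an Ethernet frame.

    Returns (tags, inner_ethertype): tags is a list of (tag_name, vid) in
    outer-to-inner order, inner_ethertype is the EtherType of the payload
    that follows the last tag (e.g. 0x0800 for IPv4).  Each tag is 4 bytes:
    a 16-bit TPID (the EtherType that announces the tag) and a 16-bit TCI
    whose low 12 bits carry the VLAN ID.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12  # skip destination and source MAC
    tags = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated EtherType field")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in TAG_TYPES:
            return tags, ethertype
        if offset + 2 > len(frame):
            raise ValueError("truncated VLAN tag control information")
        (tci,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        tags.append((TAG_TYPES[ethertype], tci & 0x0FFF))  # PCP/DEI bits dropped


def matches_qinq_ip_rule(frame: bytes, outer_vid: int, inner_vid: int) -> bool:
    """Emulate: ether type 8021ad vlan id <outer> vlan type 8021q vlan id <inner> vlan type ip.

    Exactly two tags are required, in that order, followed directly by IPv4;
    a third tag would make the field after the second tag another tag, not ip.
    """
    tags, inner = parse_vlan_stack(frame)
    return tags == [("8021ad", outer_vid), ("8021q", inner_vid)] and inner == ETHERTYPE_IPV4


def build_frame(tags, inner_ethertype: int, payload: bytes = b"") -> bytes:
    """Construct a test frame (fixed, made-up MAC addresses) with the given tag stack."""
    header = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    for tpid, vid in tags:
        header += struct.pack("!HH", tpid, vid & 0x0FFF)  # PCP = 0, DEI = 0
    return header + struct.pack("!H", inner_ethertype) + payload


if __name__ == "__main__":
    qinq = build_frame([(ETHERTYPE_8021AD, 1), (ETHERTYPE_8021Q, 2)], ETHERTYPE_IPV4)
    print(parse_vlan_stack(qinq), matches_qinq_ip_rule(qinq, 1, 2))
```

    The parser reads the VLAN ID out of the low 12 bits of each tag's TCI, which is the same field the "vlan id" selector matches; note that the VID is masked in `build_frame` as well, since the rule syntax only accepts values that fit in 12 bits.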
  • Added support for resource management using the unified cgroups v2 hierarchy. The key difference between cgroups v2 and v1 is that a single common cgroups hierarchy is used for all resource types, instead of separate hierarchies for CPU allocation, memory usage control and I/O. For example, to check whether the socket's ancestor at cgroupv2 level 1 matches the "system.slice" mask, you can use the construct:

        ... socket cgroupv2 level 1 "system.slice"
  • Added the ability to inspect the chunks of SCTP packets (the kernel-side support this requires will appear in Linux kernel 5.14). For example, to check whether a packet carries a chunk of type 'data', and to match that chunk's 'type' field:

        ... sctp chunk data exists
        ... sctp chunk data type 0
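    As an added illustration of what the "sctp chunk data exists" selector has to do (example code written for this page, not part of nftables), the following Python walks the chunk list of an SCTP packet. The layout is RFC 4960: a 12-byte common header (source port, destination port, verification tag, checksum) followed by chunks, each with a 1-byte type, 1-byte flags and 2-byte length that counts the 4-byte chunk header, with every chunk padded to a 4-byte boundary. The packets built here are constructed test data with the checksum left at zero.

```python
import struct

SCTP_COMMON_HEADER_LEN = 12
# Chunk type numbers from RFC 4960; 'data' is type 0, which is what
# "sctp chunk data type 0" matches.
CHUNK_TYPES = {0: "data", 1: "init", 2: "init-ack", 3: "sack", 4: "heartbeat",
               5: "heartbeat-ack", 6: "abort", 7: "shutdown", 10: "cookie-echo"}


def iter_sctp_chunks(packet: bytes):
    """Yield (type, flags, value) for each chunk of an SCTP packet (IP header already stripped)."""
    if len(packet) < SCTP_COMMON_HEADER_LEN:
        raise ValueError("packet shorter than the SCTP common header")
    offset = SCTP_COMMON_HEADER_LEN
    while offset < len(packet):
        if offset + 4 > len(packet):
            raise ValueError("truncated chunk header")
        ctype, cflags, clen = struct.unpack_from("!BBH", packet, offset)
        if clen < 4 or offset + clen > len(packet):
            raise ValueError("chunk length %d does not fit the packet" % clen)
        yield ctype, cflags, packet[offset + 4:offset + clen]
        offset += (clen + 3) & ~3  # chunks are padded to a multiple of 4 bytes


def chunk_types(packet: bytes):
    """Chunk type names in packet order (unknown types reported as their number)."""
    return [CHUNK_TYPES.get(t, t) for t, _, _ in iter_sctp_chunks(packet)]


def chunk_exists(packet: bytes, name: str) -> bool:
    """Emulate 'sctp chunk <name> exists'."""
    return name in chunk_types(packet)


def data_chunk_fields(packet: bytes):
    """Header fields of the first DATA chunk: the fields the 'sctp chunk data' selector exposes.

    DATA chunk value layout (RFC 4960): TSN (4), stream id (2), stream seq (2), PPID (4).
    """
    for ctype, cflags, value in iter_sctp_chunks(packet):
        if ctype == 0:
            if len(value) < 12:
                raise ValueError("DATA chunk shorter than its fixed header")
            tsn, stream, ssn, ppid = struct.unpack_from("!IHHI", value, 0)
            return {"type": ctype, "flags": cflags, "tsn": tsn,
                    "stream": stream, "ssn": ssn, "ppid": ppid}
    return None


def build_sctp_packet(chunks, src_port=5000, dst_port=5001, vtag=0x11223344) -> bytes:
    """Construct a test packet; the CRC32c checksum is left at 0 (not computed here)."""
    out = struct.pack("!HHII", src_port, dst_port, vtag, 0)
    for ctype, cflags, value in chunks:
        clen = 4 + len(value)
        out += struct.pack("!BBH", ctype, cflags, clen) + value
        out += b"\x00" * ((-clen) % 4)  # pad to 4-byte boundary
    return out


# Constructed sample: a SACK chunk followed by a DATA chunk whose user data is 3 bytes
# (so the chunk needs padding), TSN 7, stream 1, SSN 0, PPID 0, with the B|E flags set.
SAMPLE_DATA_VALUE = struct.pack("!IHHI", 7, 1, 0, 0) + b"abc"
SAMPLE_PACKET = build_sctp_packet([(3, 0, bytes(12)), (0, 0x03, SAMPLE_DATA_VALUE)])

if __name__ == "__main__":
    print(chunk_types(SAMPLE_PACKET), chunk_exists(SAMPLE_PACKET, "data"),
          data_chunk_fields(SAMPLE_PACKET))
```

    The padding step matters when scanning a real packet: a chunk whose length is not a multiple of four is followed by zero bytes that belong to no chunk, and a walker that advances by the raw length field lands inside them and misreads the next chunk header.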
  • Loading rules with the "-f" flag has been sped up roughly twofold. Printing the rule list has also been made faster.
  • A compact form for checking whether flag bits are set is provided. For example, to check that the snat and dnat status bits are not set, you can write:

        ... ct status ! snat,dnat

    To check that the syn bit is set within the bitmask syn,ack:

        ... tcp flags syn / syn,ack

    To check that fin and rst are not set within the bitmask syn,ack,fin,rst:

        ... tcp flags != fin,rst / syn,ack,fin,rst
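    The three forms above are shorthands for a masked comparison. The following added example (written for this page, not taken from nftables) evaluates them against raw flag values so the semantics are visible: "! a,b" holds when none of the listed bits is set, "v / m" holds when the bits under mask m equal exactly v, and "!= v / m" is the negation of that. TCP flag bit values are the standard header bits; the ct status bit positions follow the kernel's IPS_*_BIT numbering (snat is bit 4, dnat is bit 5). The sample values fed in are constructed.

```python
TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08,
             "ack": 0x10, "urg": 0x20, "ecn": 0x40, "cwr": 0x80}
# Conntrack status bits (kernel IPS_*_BIT positions).
CT_STATUS = {"expected": 1 << 0, "seen-reply": 1 << 1, "assured": 1 << 2,
             "confirmed": 1 << 3, "snat": 1 << 4, "dnat": 1 << 5, "dying": 1 << 9}


def parse_bits(text: str, names: dict) -> int:
    """OR together a comma-separated list of flag names."""
    bits = 0
    for name in text.split(","):
        name = name.strip()
        if name not in names:
            raise ValueError("unknown flag %r" % name)
        bits |= names[name]
    return bits


def eval_flag_expr(expr: str, value: int, names: dict) -> bool:
    """Evaluate one of the compact forms against a raw flags value.

      '! a,b'        -> (value & (a|b)) == 0
      'v / m'        -> (value & m) == v
      '!= v / m'     -> (value & m) != v
    """
    expr = expr.strip()
    if expr.startswith("!="):
        negate, rest = True, expr[2:]
    elif expr.startswith("!"):
        # 'ct status ! snat,dnat': none of the listed bits may be set
        return value & parse_bits(expr[1:], names) == 0
    else:
        negate, rest = False, expr
    if "/" not in rest:
        raise ValueError("only the compact forms '! a,b', 'v / m' and '!= v / m' are handled here")
    want, mask = rest.split("/", 1)
    want_bits, mask_bits = parse_bits(want, names), parse_bits(mask, names)
    if want_bits & ~mask_bits:
        # e.g. 'syn / ack' can never match; refuse rather than silently fail
        raise ValueError("value bits %#x lie outside the mask %#x" % (want_bits, mask_bits))
    matched = (value & mask_bits) == want_bits
    return matched != negate


def classify_tcp(flags: int) -> str:
    """Apply the page's two TCP expressions to one flags byte (constructed helper)."""
    if eval_flag_expr("syn / syn,ack", flags, TCP_FLAGS):
        return "initial SYN"            # SYN set, ACK clear, other bits ignored
    if not eval_flag_expr("!= fin,rst / syn,ack,fin,rst", flags, TCP_FLAGS):
        return "FIN+RST without SYN/ACK"
    return "other"


if __name__ == "__main__":
    for sample in (0x02, 0x12, 0x05, 0x0D, 0x18):
        print("%#04x -> %s" % (sample, classify_tcp(sample)))
```

    Note that "syn / syn,ack" accepts a segment with syn and psh set (psh is outside the mask) but rejects syn+ack, which is what distinguishes a connection attempt from the server's reply; the mask is what makes the check precise.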
  • The "verdict" keyword is now allowed in set/map typeof definitions:

        add map xm { typeof iifname . ip protocol . th dport : verdict; }

Source: opennet.ru