nftables packet filter 0.9.9 released

The nftables 0.9.9 packet filter has been released. It unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridges (it is aimed at replacing iptables, ip6tables, arptables and ebtables). The libnftnl 1.2.0 library, which provides a low-level API for interacting with the nf_tables subsystem, was released at the same time. The kernel changes required by nftables 0.9.9 have been merged into Linux 5.13-rc1.

The nftables package contains the packet filter components that run in user space, while the kernel-level work is done by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. At the kernel level only a single generic, protocol-independent interface is provided, offering basic functions for extracting data from packets, performing operations on that data and controlling the flow of data.

The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel through the Netlink interface and executed in a special virtual machine reminiscent of BPF (Berkeley Packet Filters). This approach greatly reduces the amount of filtering code running at the kernel level and moves all rule parsing and protocol logic into user space.

Main new features:

  • Added the ability to offload flows to the network adapter, enabled with the 'offload' flag. A flowtable is a mechanism for accelerating the forwarding path: the full traversal of all forwarding-chain rules is applied only to the first packet of a flow, and all remaining packets of that flow are forwarded directly. Example:

        table ip global {
            flowtable f {
                hook ingress priority filter + 1
                devices = { lan3, lan0, wan }
                flags offload
            }
            chain forward {
                type filter hook forward priority filter; policy accept;
                ip protocol { tcp, udp } flow add @f
            }
            chain post {
                type nat hook postrouting priority filter; policy accept;
                oifname "wan" masquerade
            }
        }

  • Added support for setting an owner flag on a table, which guarantees exclusive use of the table by one process. When that process terminates, the associated table is removed automatically. The owner information is shown in the ruleset listing as a comment:

        table ip x { # progname nft
            flags owner
            chain y {
                type filter hook input priority filter; policy accept;
                counter packets 1 bytes 309
            }
        }

  • Added support for matching IEEE 802.1ad (VLAN stacking, or QinQ), which defines a way to nest several VLAN tags in a single Ethernet frame. For example, to match an outer Ethernet frame of type 8021ad with vlan id 342:

        ... ether type 8021ad vlan id 342

    To match an outer Ethernet frame of type 8021ad with vlan id 1, a nested 802.1q frame with vlan id 2, and an encapsulated IP packet:

        ... ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip counter

  • Added support for matching on resources using the unified cgroups v2 hierarchy. The key difference between cgroups v2 and v1 is the use of one common cgroups hierarchy for all resource types, instead of separate hierarchies for CPU allocation, memory management and I/O. For example, to check whether the socket's ancestor at level 1 of the cgroupv2 hierarchy matches "system.slice":

        ... socket cgroupv2 level 1 "system.slice"

  • Added the ability to match SCTP packet chunks (the kernel side needed for this will appear in Linux 5.14). For example, to check whether a packet contains a chunk of type 'data', and to match that chunk's 'type' field:

        ... sctp chunk data exists
        ... sctp chunk data type 0

  • Loading rules with the "-f" flag is twice as fast. Listing rules has also been sped up.
  • A compact form for matching sets of bits in a flag field is provided. For example, to check that the snat and dnat status bits are not set:

        ... ct status ! snat,dnat

    To check that the syn bit is set within the syn,ack bit mask:

        ... tcp flags syn / syn,ack

    To check that fin and rst are not set within the syn,ack,fin,rst bit mask:

        ... tcp flags != fin,rst / syn,ack,fin,rst

  • The "verdict" keyword is allowed in typeof definitions of sets and maps:

        add map xm { typeof iifname . ip protocol . th dport : verdict; }
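As an added example (not from the article or the nftables project), the following complete ruleset file puts the features above together: an offloaded flowtable, the QinQ matches, the cgroup v2 match, the SCTP chunk match, the compact bit syntax and a typeof verdict map. The interface names lan0, lan3 and wan, the service ports and the cgroup name "system.slice" are assumptions chosen for illustration.

```nft
#!/usr/sbin/nft -f
# Added example ruleset, not the article's or the nftables project's code.
# Assumed interface names: lan0 and lan3 (LAN side), wan (uplink).
# Requires nftables >= 0.9.9 on Linux >= 5.13 (SCTP chunk matching: 5.14).
flush ruleset

table ip filter {
    # Flowtable: the forward chain is evaluated only for the first packet of
    # a flow; later packets take the fast path. "flags offload" moves that
    # fast path into the NIC when the driver supports it; if it does not,
    # remove the flag and the software fast path is still used.
    flowtable ft {
        hook ingress priority filter + 1
        devices = { lan0, lan3, wan }
        flags offload
    }

    # Verdict map keyed by input interface, L4 protocol and destination port,
    # using the "typeof ... : verdict" form introduced in this release.
    map svc_policy {
        typeof iifname . ip protocol . th dport : verdict
        elements = { "lan0" . tcp . 22 : accept,
                     "lan0" . udp . 53 : accept,
                     "wan" . tcp . 22 : drop }
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # Compact bit syntax: (flags & syn,ack) == syn, i.e. a fresh SYN.
        tcp flags syn / syn,ack counter
        # (flags & syn,ack,fin,rst) != fin,rst.
        tcp flags != fin,rst / syn,ack,fin,rst counter
        # SCTP: the packet must carry a DATA chunk (kernel 5.14+).
        sctp chunk data exists counter accept
        # Everything else is decided by the verdict map.
        iifname . ip protocol . th dport vmap @svc_policy
    }

    chain forward {
        type filter hook forward priority filter; policy accept;
        # Count forwarded packets whose connection was not NATed in either direction.
        ct status ! snat,dnat counter
        # Hand TCP/UDP flows to the flowtable after their first packet.
        ip protocol { tcp, udp } flow add @ft
    }

    chain output {
        type filter hook output priority filter; policy accept;
        # Count traffic from sockets whose level-1 cgroup v2 ancestor is system.slice.
        socket cgroupv2 level 1 "system.slice" counter
    }
}

table ip nat {
    chain post {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan" masquerade
    }
}

# QinQ matching is done at ingress, where the link-layer header is available.
table netdev qinq {
    chain ingress {
        type filter hook ingress device wan priority filter; policy accept;
        # Outer 802.1ad tag with VLAN id 342.
        ether type 8021ad vlan id 342 counter
        # Outer 802.1ad id 1, nested 802.1q id 2, carrying IP.
        ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip counter
    }
}
```

Check the file with `nft -c -f ruleset.nft` before loading it with `nft -f ruleset.nft`. The file deliberately leaves out `flags owner`: an owned table is tied to the process that created it and is removed as soon as that process exits, so it is meant for long-running daemons rather than for a ruleset loaded once with `nft -f`.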

Source: opennet.ru