Release of the nftables packet filter 1.0.0

The release of the nftables 1.0.0 packet filter has been published, unifying the packet filtering interfaces for IPv4, IPv6, ARP and network bridges (it is intended to replace iptables, ip6tables, arptables and ebtables). The kernel changes required for nftables 1.0.0 to work are included in Linux 5.13. The jump in the major version number does not reflect any fundamental change; it is simply the result of continuing the numbering in decimal notation (the previous release was 0.9.9).

The nftables package contains the packet filter components that run in user space, while the kernel-level functionality is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel side offers only a generic, protocol-independent interface with basic primitives for extracting data from packets, operating on that data, and controlling flow.

The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel over the Netlink interface and executed in the kernel by a special virtual machine resembling BPF (Berkeley Packet Filters). This approach keeps the amount of filtering code running at kernel level small and moves all rule parsing and protocol-handling logic into user space.

Main new features:

  • Support for the "*" catch-all element has been added to set and map definitions; it matches any packet that does not fall under any other element defined in the set:

      table x {
          map blocklist {
              type ipv4_addr : verdict
              flags interval
              elements = { 192.168.0.0/16 : accept, 10.0.0.0/8 : accept, * : drop }
          }
          chain y {
              type filter hook prerouting priority 0; policy accept;
              ip saddr vmap @blocklist
          }
      }

  • Variables can now be defined from the command line with the "--define" option:

      # cat test.nft
      table netdev x {
          chain y {
              type filter hook ingress devices = $dev priority 0; policy drop;
          }
      }
      # nft --define dev="{ eth0, eth1 }" -f test.nft

  • Stateful expressions (such as counters) are now allowed in map definitions:

      table inet filter {
          map portmap {
              type inet_service : verdict
              counter
              elements = { 22 counter packets 0 bytes 0 : jump ssh_input, * counter packets 0 bytes 0 : drop }
          }
          chain ssh_input {
          }
          chain wan_input {
              tcp dport vmap @portmap
          }
          chain prerouting {
              type filter hook prerouting priority raw; policy accept;
              iif vmap { "lo" : jump wan_input }
          }
      }

  • A "list hooks" command has been added to display the handlers registered on the netfilter hooks of a given packet family, ordered by priority:

      # nft list hook ip device eth0
      family ip {
          hook ingress {
              +0000000010 chain netdev x y [nf_tables]
              +0000000300 chain inet m w [nf_tables]
          }
          hook input {
              -0000000100 chain ip a b [nf_tables]
              +0000000300 chain inet m z [nf_tables]
          }
          hook forward {
              -0000000225 selinux_ipv4_forward
               0000000000 chain ip a c [nf_tables]
          }
          hook output {
              -0000000225 selinux_ipv4_output
          }
          hook postrouting {
              +0000000225 selinux_ipv4_postroute
          }
      }

  • The queue statement can now be combined with the jhash, symhash and numgen expressions to distribute packets across user-space queues:

      ... queue to symhash mod 65536
      ... queue flags bypass to numgen inc mod 65536
      ... queue to jhash oif . meta mark mod 32

    "queue" can also be combined with a map to select the user-space queue based on arbitrary keys:

      ... queue flags bypass to oifname map { "eth0" : 0, "ppp0" : 2, "eth1" : 2 }

  • A variable containing a set definition can now be expanded inside a verdict map; the elements are flattened into the map when the ruleset is loaded:

      define interfaces = { eth0, eth1 }

      table ip x {
          chain y {
              type filter hook input priority 0; policy accept;
              iifname vmap { lo : accept, $interfaces : drop }
          }
      }

      # nft -f x.nft
      # nft list ruleset
      table ip x {
          chain y {
              type filter hook input priority 0; policy accept;
              iifname vmap { "lo" : accept, "eth0" : drop, "eth1" : drop }
          }
      }

  • Ranges are now allowed inside concatenated keys of vmaps (verdict maps):

      # nft add rule x y tcp dport . ip saddr vmap { 1025-65535 . 192.168.10.2 : accept }

  • The syntax for NAT maps has been simplified. An address range can be given as the mapped value:

      ... snat to ip saddr map { 10.141.11.4 : 192.168.2.2-192.168.2.4 }

    as can combinations of different IP addresses and ports:

      ... dnat to ip saddr . tcp dport map { 192.168.2.3 . 80 : 192.168.1.2 . 80, 10.141.10.2-10.141.10.5 . 80 : 192.168.1.2 . 80 }
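The following ruleset is an added example written for this page, not part of the release announcement or of the nftables project; it shows how a defender would combine several of the 1.0.0 features above (the "*" catch-all element, map-level counters, a set variable expanded into a vmap, and a ranged concatenated vmap key) into one fail-closed inbound policy. The table and chain names, the interface variable mgmt_ifaces and all addresses are constructed placeholders.

```nft
#!/usr/sbin/nft -f
# Added example, not from the release announcement. All names and addresses
# are constructed placeholders.
#
# The management-interface set is supplied at load time, exactly as in the
# --define feature above (a file-level "define" of the same name would
# collide with the command-line symbol):
#   nft --define mgmt_ifaces="{ eth0, eth1 }" -f inbound.nft
# Add -c to only check the ruleset without committing it.

table inet inbound {
    # Source-prefix verdict map. "flags interval" permits prefixes; the "*"
    # catch-all (needs Linux 5.13+) makes the default explicit: any source
    # not listed is dropped, so a forgotten entry fails closed, not open.
    map src_policy {
        type ipv4_addr : verdict
        flags interval
        elements = { 10.0.0.0/8 : jump services,
                     192.168.0.0/16 : jump services,
                     * : drop }
    }

    # Per-port verdict map with a stateful counter on every element,
    # including the catch-all. "nft list map inet inbound svc_policy"
    # then shows how often each service, and the default drop, was hit.
    map svc_policy {
        type inet_service : verdict
        counter
        elements = { 22 : jump ssh_input,
                     443 : accept,
                     * : drop }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept

        # $mgmt_ifaces (a set) is expanded into the vmap at load time;
        # packets arriving on any other interface hit the drop policy.
        iifname vmap { $mgmt_ifaces : jump mgmt }
    }

    chain mgmt {
        ip saddr vmap @src_policy
    }

    chain services {
        tcp dport vmap @svc_policy
    }

    chain ssh_input {
        # Concatenated key with a range: SSH is accepted only from the
        # admin host and only from unprivileged client ports.
        ip saddr . tcp sport vmap { 10.10.0.10 . 1024-65535 : accept }
        drop
    }
}
```

After loading, `nft list hook ip device eth0` (the new command described above) confirms that the input chain is registered at priority 0 alongside any other hooks on that device, and `nft list map inet inbound svc_policy` exposes the per-element counters, so the catch-all drop is both enforced and observable.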

Source: opennet.ru
