nftables packet filter 1.0.1 released

The release of the nftables 1.0.1 packet filter has been published, unifying the packet filtering interfaces for IPv4, IPv6, ARP and network bridges (it is intended to replace iptables, ip6tables, arptables and ebtables). The changes required for nftables 1.0.1 to work are included in the Linux kernel 5.16-rc1.

The nftables package contains the packet filter components that run in user space, while the kernel-side work is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel level provides only a generic, protocol-independent interface offering the basic operations for extracting data from packets, performing operations on that data, and controlling the flow of execution.

The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space, after which this bytecode is loaded into the kernel via the Netlink interface and executed in the kernel by a special virtual machine resembling BPF (Berkeley Packet Filters). This approach makes it possible to significantly reduce the size of the filtering code running at the kernel level and to move all the rule-parsing functions and the protocol-handling logic into user space.

Main new features:

  • Reduced memory consumption when loading large sets and map lists.
  • Reloading of sets and map lists has been sped up.
  • Output of selected tables and chains in large rulesets has been sped up. For example, the execution time of the "nft list ruleset" command for displaying a ruleset of one hundred thousand lines is 100 seconds, while output of only the nat and filter tables ("nft list table nat", "nft list table filter") has been reduced to 3.049 and 1.969 seconds respectively.
  • Execution of queries with the "--terse" option has been sped up when processing rules with large set and map entries.
  • It is now possible to filter traffic from the "egress" chain, which is processed at the same level as the egress handler in the netdev chain (egress hook), i.e. at the stage where the driver receives the packet from the kernel network stack. Example from the release notes:

      table netdev filter {
          chain egress {
              type filter hook egress devices = { eth0, eth1 } priority 0;
              meta mark set ip saddr map { 192.168.10.2 : 0xabcd2, 192.168.10.3 : 0xabcd3 }
          }
      }

  • Matching and modifying bytes in the packet header and payload at a given offset is now supported:

      # nft add rule xy @ih,32,32 0x14000000 counter
      # nft add rule xy @ih,32,32 set 0x14000000 counter
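As an added example that is not part of the release notes, the new egress hook can be used defensively to make sure only packets carrying the host's own source addresses leave an interface; the interface name and addresses are placeholders assumed for illustration.

```nft
# Added example (not from the nftables release notes): a netdev egress chain
# that lets only packets with the host's own IPv4 source addresses leave eth0
# and counts and drops everything else. "eth0" and the 192.0.2.x addresses
# are placeholders assumed for this illustration.
table netdev egress_guard {
    set own_v4 {
        type ipv4_addr
        elements = { 192.0.2.10, 192.0.2.11 }
    }

    chain egress {
        # Same hook as in the release-note example; policy accept so that
        # non-IPv4 frames (ARP, IPv6) are unaffected by this chain.
        type filter hook egress devices = { eth0 } priority 0; policy accept;

        # Legitimate traffic: classify it with a per-source mark (the construct
        # shown in the release notes) and let it through.
        ip saddr @own_v4 meta mark set ip saddr map { 192.0.2.10 : 0x10, 192.0.2.11 : 0x11 } accept

        # Anything leaving with a source address that is not ours is counted
        # (visible with "nft list table netdev egress_guard") and dropped.
        ip saddr != @own_v4 counter drop
    }
}
```

Load it with "nft -f" after checking syntax with "nft -c -f"; the counter on the drop rule gives a quick indicator of processes or containers emitting packets with a source address the host does not own.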

Source: opennet.ru
