ProHoster > Blog > internet nhau > nftables packet filter kuburitswa 1.0.1

nftables packet filter kuburitswa 1.0.1

nftables 1.0.1, iyo packet filtering framework inobatanidza packet filtering interfaces yeIPv4, IPv6, ARP, uye network bridges, yaburitswa (yakanangwa sekutsiva iptables, ip6table, arptables, uye ebtables). Shanduko dzinodiwa kune nftables 1.0.1 dzakabatanidzwa mu kernel. Linux 5.16-rc1.

Pakeji yenftables ine zvikamu zvepacket filter zvinoshanda munzvimbo yemushandisi, ukuwo basa rekernel-level richipihwa nenf_tables subsystem, iyo iri chikamu chekernel. Linux Kubva pakaburitswa 3.13, pane chete interface yakajairika isina protocol inopihwa padanho rekernel, ichipa mashandiro ekutanga ekubvisa data kubva mumapaketi, kuita mashandiro edata, uye kudzora kuyerera kwedata.

Kusefa kunotonga pachako uye ma handler akanangana neprotocol anounganidzwa kuita bytecode munzvimbo yemushandisi, mushure mezvo bytecode iyi inoiswa mukernel uchishandisa Netlink interface uye inoiswa mukernel mune imwe nzira yakakosha. muchina chaiwo, inoyeuchidza BPF (Berkeley Packet Filters). Nzira iyi inobvumira kudzikiswa kukuru kwehukuru hwekodhi yekusefa iri kushanda padanho rekernel uye inofambisa zvese zvinoongorora mitemo uye protocol logic munzvimbo yemushandisi.

Zvitsva zvikuru:

  • Kudzikisira kushandiswa kwendangariro paunenge uchiisa hombe seti uye mapepa emepu.
  • Kurodha patsva kweseti uye mapepa emepu kwawedzerwa.
  • Kubuda kwematafura akasarudzwa uye maketani mumaseti makuru emitemo yakakurumidza. Semuenzaniso, nguva yekuuraya ye "nft list ruleset" yekuraira kuratidza seti yemitemo ine zviuru zana mitsara ndeye 100 masekondi, uye kana uchiburitsa chete nat uye mafirita matafura ("nft list tafura nat", "nft list tafura sefa. ”) yakaderedzwa kusvika 3.049 uye 1.969 masekonzi.
  • Kuitwa kwemibvunzo ine "--terse" sarudzo yakakwidziridzwa kana kugadzirisa mitemo ine hombe seti- uye mepu-zvinyorwa.
  • Izvo zvinokwanisika kusefa traffic kubva kune "egress" chain, iyo inogadziriswa pamwero wakafanana neyeegress handler munetdev chain (egress hook), i.e. padanho apo mutyairi anogamuchira pakiti kubva kune kernel network stack. tafura netdev sefa {cheni egress {mhando sefa hook egress zvishandiso = {eth0, eth1} pamberi 0; meta yakakosha set ip saddr mepu {192.168.10.2 : abcd:2, 192.168.10.3 : abcd:3}}}
  • Inobvumira kuenzanirana uye kugadziridzwa kwemabyte mumusoro uye zviri mukati mepaketi pane yakapihwa offset. # nft wedzera mutemo xy @ih,32,32 0x14000000 counter # nft wedzera mutemo xy @ih,32,32 set 0x14000000 counter

Source: opennet.ru

Tenga inovimbika yekutambira kwemasaiti ane DDoS dziviriro, VPS VDS maseva 🔥 Tenga webhusaiti yakavimbika ine dziviriro yeDDoS, maseva eVPS VDS | ProHoster