Release of the nftables packet filter 1.0.2

The nftables 1.0.2 packet filter has been released, unifying the packet filtering interfaces for IPv4, IPv6, ARP and network bridges (with the aim of replacing iptables, ip6tables, arptables and ebtables). The kernel changes required for nftables 1.0.2 to work are included in Linux kernel 5.17-rc.

The nftables package contains the packet filter components that run in user space, while the kernel-side functionality is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel level provides only a generic, protocol-independent interface that offers basic primitives for extracting data from packets, performing operations on that data and controlling flow.

The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space; that bytecode is then loaded into the kernel over the Netlink interface and executed in the kernel by a special virtual machine resembling BPF (Berkeley Packet Filters). This approach makes it possible to greatly reduce the amount of filtering code running at kernel level and to move all rule parsing and protocol handling logic into user space.

Main changes:

  • A rule optimization mode has been added, enabled with the new "-o" ("--optimize") option, which can be combined with the "--check" option to inspect and verify the changes to a ruleset file without actually loading it. Optimization makes it possible to merge similar rules; for example, the rules

        meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
        meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.5 accept
        ip saddr 1.1.1.1 ip daddr 2.2.2.2 accept
        ip saddr 2.2.2.2 ip daddr 3.3.3.3 drop

    are merged into

        meta iifname . ip saddr . ip daddr { eth1 . 1.1.1.1 . 2.2.2.3, eth1 . 1.1.1.2 . 2.2.2.5 } accept
        ip saddr . ip daddr vmap { 1.1.1.1 . 2.2.2.2 : accept, 2.2.2.2 . 3.3.3.3 : drop }

    Example usage:

        # nft -c -o -f ruleset.test
        Merging:
        ruleset.nft:16:3-37: ip daddr 192.168.0.1 counter accept
        ruleset.nft:17:3-37: ip daddr 192.168.0.2 counter accept
        ruleset.nft:18:3-37: ip daddr 192.168.0.3 counter accept
        into:
        ip daddr { 192.168.0.1, 192.168.0.2, 192.168.0.3 } counter packets 0 bytes 0 accept

  • Set definitions can now use ip and tcp options, as well as sctp chunk fields, via typeof:

        set s5 {
            typeof ip option ra value
            elements = { 1, 1024 }
        }
        set s7 {
            typeof sctp chunk init num-inbound-streams
            elements = { 1, 4 }
        }
        chain c5 {
            ip option ra value @s5 accept
        }
        chain c7 {
            sctp chunk init num-inbound-streams @s7 accept
        }

  • Added support for the TCP options fastopen, md5sig and mptcp.
  • Added support for using the mptcp subtype in mappings: tcp option mptcp subtype 1.
  • Improvements to the kernel-side filtering code.
  • Flowtables now have full support for the JSON format.
  • The "reject" action can now be used in rules that match on Ethernet frame fields:

        ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject
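To make the merging that "-o" performs concrete, here is a small re-implementation of the same idea in Python, added as an illustration for this article; it is not nftables code and does not reproduce the real optimizer, which is written in C and covers far more of the rule language. The toy understands only a handful of two-word selectors (meta iifname, ip saddr, tcp dport and the like), an optional stateful statement such as counter, and a trailing verdict, and it merges only consecutive rules so that their position relative to the rest of the chain is unchanged. The selector names and the set and vmap output syntax follow the examples quoted above from the release; the rule subset, the duplicate handling and the function names are assumptions made for the example.

```python
"""Toy version of the rule merging performed by `nft -o`.

Added illustration for this article, not nftables code. It understands a
small subset of the nft rule language: two-word match selectors, optional
stateful statements (counter, log) and a final verdict.
"""
from __future__ import annotations

from dataclasses import dataclass
from itertools import groupby

# Selectors the toy knows about (assumption: a hand-picked subset of nft's).
SELECTORS = {"meta iifname", "meta oifname", "ip saddr", "ip daddr", "ip protocol",
             "ip6 saddr", "ip6 daddr", "tcp dport", "tcp sport", "udp dport", "udp sport"}
STATEMENTS = {"counter", "log"}
VERDICTS = {"accept", "drop", "reject", "continue", "return"}


@dataclass(frozen=True)
class Rule:
    keys: tuple[str, ...]        # e.g. ("meta iifname", "ip saddr", "ip daddr")
    values: tuple[str, ...]      # one operand per selector, e.g. ("eth1", "1.1.1.1", "2.2.2.3")
    statements: tuple[str, ...]  # e.g. ("counter",)
    verdict: str                 # e.g. "accept"


def parse_rule(text: str) -> Rule:
    """Parse `meta iifname eth1 ip saddr 1.1.1.1 counter accept` into a Rule."""
    tokens = text.split()
    keys, values, statements = [], [], []
    verdict = None
    i = 0
    while i < len(tokens):
        pair = " ".join(tokens[i:i + 2])
        if pair in SELECTORS:
            if i + 2 >= len(tokens):
                raise ValueError(f"selector {pair!r} has no operand: {text!r}")
            keys.append(pair)
            values.append(tokens[i + 2])
            i += 3
        elif tokens[i] in STATEMENTS:
            statements.append(tokens[i])
            i += 1
        elif tokens[i] in VERDICTS and i == len(tokens) - 1:
            verdict = tokens[i]
            i += 1
        else:
            raise ValueError(f"unsupported token {tokens[i]!r} in {text!r}")
    if not keys or verdict is None:
        raise ValueError(f"need at least one match and a trailing verdict: {text!r}")
    return Rule(tuple(keys), tuple(values), tuple(statements), verdict)


def _concat(parts: tuple[str, ...]) -> str:
    """Join selectors or operands the way nft writes concatenations: `a . b`."""
    return " . ".join(parts)


def render_rule(rule: Rule) -> str:
    matches = " ".join(f"{k} {v}" for k, v in zip(rule.keys, rule.values))
    return " ".join([matches, *rule.statements, rule.verdict])


def render_group(group: list[Rule]) -> list[str]:
    """Collapse rules sharing selectors and statements into one set or vmap rule."""
    # A later rule with the same operands can never match (the earlier one already
    # did), so it is dropped; this also keeps the generated set elements unique.
    unique: dict[tuple[str, ...], Rule] = {}
    for rule in group:
        unique.setdefault(rule.values, rule)
    rules = list(unique.values())
    first = rules[0]
    if len(rules) == 1:
        return [render_rule(first)]
    selector = _concat(first.keys)
    if len({r.verdict for r in rules}) == 1:
        # Same verdict everywhere: fold the operands into an anonymous set.
        elements = ", ".join(_concat(r.values) for r in rules)
        return [" ".join([f"{selector} {{ {elements} }}", *first.statements, first.verdict])]
    if not first.statements:
        # Different verdicts: a verdict map gives each element its own verdict.
        elements = ", ".join(f"{_concat(r.values)} : {r.verdict}" for r in rules)
        return [f"{selector} vmap {{ {elements} }}"]
    # Mixed verdicts plus a stateful statement: left alone rather than guessed at.
    return [render_rule(r) for r in rules]


def optimize(rule_texts: list[str]) -> list[str]:
    """Merge runs of consecutive rules that share selectors and statements."""
    rules = [parse_rule(t) for t in rule_texts]
    merged: list[str] = []
    for _, run in groupby(rules, key=lambda r: (r.keys, r.statements)):
        merged.extend(render_group(list(run)))
    return merged


if __name__ == "__main__":
    # Constructed input: the rules quoted in the release announcement, in one chain.
    chain = ["meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept",
             "meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.5 accept",
             "ip saddr 1.1.1.1 ip daddr 2.2.2.2 accept",
             "ip saddr 2.2.2.2 ip daddr 3.3.3.3 drop",
             "ip daddr 192.168.0.1 counter accept",
             "ip daddr 192.168.0.2 counter accept",
             "ip daddr 192.168.0.3 counter accept"]
    for line in optimize(chain):
        print(line)
```

Run as a script, it emits the set rule, the vmap rule and the merged counter rule from the announcement. Two points carry over to the real optimizer: review its output with "-c" before loading it, and remember that folding several counter rules into one set-based rule leaves a single counter, so the per-destination accounting that the three original rules provided is gone.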

Source: opennet.ru
