Release of the nftables packet filter 1.0.3

The nftables 1.0.3 packet filter release has been published. It unifies packet filtering for IPv4, IPv6, ARP and network bridges and is intended to replace iptables, ip6tables, arptables and ebtables. The kernel-side changes required by the nftables 1.0.3 release are included in the Linux 5.18 kernel; older kernels still work, but features that depend on those changes (such as the TCP option reset described below) are unavailable on them.

The nftables package contains the packet filter components that run in user space, while the kernel-level work is performed by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel level provides only a generic, protocol-independent interface with basic primitives for extracting data from packets, performing operations on that data, and controlling the flow of evaluation.

The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space; the bytecode is then loaded into the kernel over the Netlink interface and executed there by a special virtual machine resembling BPF (Berkeley Packet Filters). This approach substantially reduces the amount of filtering code running at kernel level and moves all rule parsing and protocol-handling logic into user space.

Main new features:

  • Set lists now support matching network interface names against masks, specified with the "*" character, for example:

        table inet testifsets {
            set simple_wild {
                type ifname
                flags interval
                elements = { "abcdef*", "othername", "ppp0" }
            }
            chain v4icmp {
                type filter hook input priority 0; policy accept;
                iifname @simple_wild counter packets 0 bytes 0
                iifname { "abcdef*", "eth0" } counter packets 0 bytes 0
            }
        }
  • Overlapping elements of interval set lists are now merged automatically at runtime. Previously, when the "auto-merge" option was set, merging happened only when the rules were declared; now it also applies when new elements are added while the ruleset is active. For example, at declaration time the set

        set y {
            flags interval
            auto-merge
            elements = { 1.2.3.0, 1.2.3.255, 1.2.3.0/24, 3.3.3.3, 4.4.4.4, 4.4.4.4-4.4.4.8 }
        }

    is stored as

        elements = { 1.2.3.0/24, 3.3.3.3, 4.4.4.4-4.4.4.8 }

    and adding elements at runtime with

        # nft add element ip x y { 3.3.3.4-3.3.3.5, 1.2.3.0 }

    yields

        elements = { 1.2.3.0/24, 3.3.3.3-3.3.3.5, 4.4.4.4-4.4.4.8 }

    When individual elements that fall inside existing ranges are removed from such a list, the affected range is shortened or split.

  • The rule optimizer, enabled with the "-o/--optimize" option, can now combine multiple network address translation (NAT) rules into a map list. For example, for the ruleset

        # cat ruleset.nft
        table ip x {
            chain y {
                type nat hook postrouting priority srcnat; policy drop;
                ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80
                ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90
            }
        }

    running "nft -o -c -f ruleset.nft" (the -c flag only checks the ruleset without loading it) converts the separate "ip saddr" rules into a map list:

        snat to ip saddr . tcp dport map { 1.1.1.1 . 8000 : 4.4.4.4 . 80, 2.2.2.2 . 8001 : 5.5.5.5 . 90 }

    Similarly, rules built from raw expressions can be converted into a map list:

        # cat ruleset.nft
        table ip x {
            […]
            chain nat_dns_acme {
                udp length 47-63 @th,160,128 0x0e373135363130333131303735353203 goto nat_dns_dnstc
                udp length 62-78 @th,160,128 0x0e31393032383939353831343037320e goto nat_dns_this_5301
                udp length 62-78 @th,160,128 0x0e31363436323733373931323934300e goto nat_dns_saturn_5301
                udp length 62-78 @th,160,128 0x0e32393535373539353636383732310e goto nat_dns_saturn_5302
                udp length 62-78 @th,160,128 0x0e38353439353637323038363633390e goto nat_dns_saturn_5303
                drop
            }
        }

    After optimization this becomes the map list:

        udp length . @th,160,128 vmap { 47-63 . 0x0e373135363130333131303735353203 : goto nat_dns_dnstc, 62-78 . 0x0e31393032383939353831343037320e : goto nat_dns_this_5301, 62-78 . 0x0e31363436323733373931323934300e : goto nat_dns_saturn_5301, 62-78 . 0x0e32393535373539353636383732310e : goto nat_dns_saturn_5302, 62-78 . 0x0e38353439353637323038363633390e : goto nat_dns_saturn_5303 }

  • Raw expressions are now allowed in concatenations ("@ih,32,32" selects 32 bits at bit offset 32 of the inner header, i.e. the payload; "@th" refers to the transport header). For example:

        # nft add rule x y ip saddr . @ih,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e }

    or

        table x {
            set y {
                typeof ip saddr . @ih,32,32
                elements = { 1.1.1.1 . 0x14 }
            }
        }

  • Added support for defining header fields with "typeof" in concatenations used as map keys:

        table inet t {
            map m1 {
                typeof udp length . @ih,32,32 : verdict
                flags interval
                elements = { 20-80 . 0x14 : accept, 1-10 . 0xa : drop }
            }
            chain c {
                type filter hook input priority 0; policy drop;
                udp length . @ih,32,32 vmap @m1
            }
        }

  • Added support for resetting TCP options (requires Linux kernel 5.18 or later):

        tcp flags syn reset tcp option sack-perm

  • Listing a chain ("nft list chain x y") has been sped up.
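The runtime auto-merge item above describes what happens to an interval set when elements are added or removed, but only shows the results. The following Python model, added here as an illustration and not part of nftables, reproduces that behaviour on the article's own elements: adding merges overlapping or adjacent ranges into one, and deleting an address that sits inside a range shortens or splits it. The class, function and variable names are this example's own, and the rendering of results mirrors how "nft list set" prints intervals (single address, CIDR prefix when the range is exactly one block, otherwise "a-b"). It also shows the default behaviour without auto-merge, where an overlapping element is rejected rather than merged.

```python
"""Model of an nftables set with 'flags interval' and 'auto-merge'.

Added example for this article; it is not nftables code.  The set keeps
a sorted list of disjoint inclusive integer ranges: adding elements
merges any that overlap or are adjacent, and deleting a sub-range
shortens or splits the range it lands in.  The element strings used in
__main__ are the ones from the article's example.
"""
import ipaddress


def parse_element(text):
    """Turn an nft-style IPv4 element (address, prefix or a-b range) into
    an inclusive (lo, hi) pair of integers."""
    text = text.strip()
    if "/" in text:
        net = ipaddress.ip_network(text, strict=False)
        return int(net.network_address), int(net.broadcast_address)
    if "-" in text:
        lo, hi = (int(ipaddress.ip_address(p.strip())) for p in text.split("-", 1))
        if lo > hi:
            raise ValueError(f"descending range: {text}")
        return lo, hi
    addr = int(ipaddress.ip_address(text))
    return addr, addr


def format_element(lo, hi):
    """Render a range like 'nft list set' does: a single address, a prefix
    when the range is exactly one CIDR block, otherwise 'a-b'."""
    first, last = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
    if lo == hi:
        return str(first)
    blocks = list(ipaddress.summarize_address_range(first, last))
    if len(blocks) == 1:
        return str(blocks[0])
    return f"{first}-{last}"


class IntervalSet:
    """A 'flags interval' set; auto_merge=False mimics nft's default, where
    an element overlapping an existing interval is rejected, not merged."""

    def __init__(self, auto_merge=True):
        self.auto_merge = auto_merge
        self.ranges = []  # sorted, disjoint (lo, hi) pairs

    def add(self, *elements):
        new = [parse_element(e) for e in elements]
        if not self.auto_merge:
            for lo, hi in new:
                if any(lo <= b and a <= hi for a, b in self.ranges):
                    raise ValueError(f"{format_element(lo, hi)} overlaps an existing interval")
            self.ranges = sorted(self.ranges + new)
            return
        merged = []
        for lo, hi in sorted(self.ranges + new):
            # overlap (lo <= previous hi) or adjacency (lo == previous hi + 1): extend
            if merged and lo <= merged[-1][1] + 1:
                merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
            else:
                merged.append((lo, hi))
        self.ranges = merged

    def delete(self, element):
        """Remove an element; a range containing it is shortened or split."""
        lo, hi = parse_element(element)
        kept = []
        for a, b in self.ranges:
            if hi < a or lo > b:        # range untouched
                kept.append((a, b))
                continue
            if a < lo:                  # remainder on the left
                kept.append((a, lo - 1))
            if b > hi:                  # remainder on the right
                kept.append((hi + 1, b))
        self.ranges = kept

    def elements(self):
        return [format_element(lo, hi) for lo, hi in self.ranges]


if __name__ == "__main__":
    s = IntervalSet()
    s.add("1.2.3.0", "1.2.3.255", "1.2.3.0/24", "3.3.3.3", "4.4.4.4", "4.4.4.4-4.4.4.8")
    print("loaded: ", s.elements())
    s.add("3.3.3.4-3.3.3.5", "1.2.3.0")
    print("added:  ", s.elements())
    s.delete("4.4.4.5")
    print("deleted:", s.elements())
```

The adjacency rule (merging 3.3.3.3 with 3.3.3.4-3.3.3.5) is what makes the second listing in the article collapse to a single range; when auditing a live set, remember that an element you added may therefore no longer appear under the exact name you gave it.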
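The two optimizer items above show a "before" ruleset and the map that "nft -o" produces from it. The Python below, an added example that is not the nftables optimizer and uses names of its own, implements the folding those examples illustrate: consecutive rules that match on the same sequence of expressions and carry the same kind of action are turned into one map (for NAT statements) or vmap (for verdicts). Beyond the article's cases it also shows two safety properties a practitioner would want: a rule with different keys, or no match at all (the final "drop"), ends the run so first-match ordering is preserved, and a run whose keys repeat is left unfolded, because a map holds each key once and folding would silently discard one of the rules. Rules are modelled as (matches, action) pairs transcribed by hand from the article's rulesets.

```python
"""Fold runs of look-alike nftables rules into one map lookup, the
transformation 'nft -o' applies to the two rulesets in the article.

Added example, not the nftables optimizer itself.  A rule is modelled as
(matches, action): matches is a list of (expression, value) pairs in rule
order, action is a verdict such as 'goto nat_dns_dnstc' or a NAT
statement such as 'snat to 4.4.4.4:80'.
"""
import re

# 'snat to 4.4.4.4:80' -> ('snat', '4.4.4.4', '80'); IPv4 only, no [v6]:port form
NAT_RE = re.compile(r"^(snat|dnat) to (\S+?)(?::(\d+))?$")


def _action_kind(action):
    """Rules only fold with rules whose action has the same shape."""
    m = NAT_RE.match(action)
    if m:
        return "nat:" + m.group(1) + (":port" if m.group(3) else "")
    return "verdict"


def _render(rule):
    """Print a single rule back in nft syntax."""
    matches, action = rule
    return " ".join([f"{e} {v}" for e, v in matches] + [action])


def _fold(run):
    """Render a run of rules with identical match keys as a map or vmap."""
    keys = " . ".join(e for e, _ in run[0][0])
    kind = _action_kind(run[0][1])
    entries = []
    for matches, action in run:
        left = " . ".join(v for _, v in matches)
        if kind == "verdict":
            entries.append(f"{left} : {action}")
        else:
            m = NAT_RE.match(action)
            right = m.group(2) + (f" . {m.group(3)}" if m.group(3) else "")
            entries.append(f"{left} : {right}")
    body = ", ".join(entries)
    if kind == "verdict":
        return f"{keys} vmap {{ {body} }}"
    return f"{kind.split(':')[1]} to {keys} map {{ {body} }}"


def optimize(rules):
    """Return the rule strings after folding consecutive foldable rules.

    Only adjacent rules with the same match expressions and action shape
    fold; a rule with other keys, or with no match at all, ends the run,
    so first-match ordering is preserved.  A run with a repeated key is
    left unfolded: a map can hold each key once.
    """
    out, run = [], []

    def flush():
        lefts = [tuple(v for _, v in m) for m, _ in run]
        if len(run) > 1 and len(set(lefts)) == len(lefts):
            out.append(_fold(run))
        else:
            out.extend(_render(r) for r in run)
        run.clear()

    for matches, action in rules:
        foldable = (bool(run) and bool(matches)
                    and [e for e, _ in matches] == [e for e, _ in run[0][0]]
                    and _action_kind(action) == _action_kind(run[0][1]))
        if not foldable:
            flush()
        if matches:
            run.append((matches, action))
        else:
            out.append(action)
    flush()
    return out


# Constructed transcriptions of the article's two 'before' rulesets.
NAT_RULES = [
    ([("ip saddr", "1.1.1.1"), ("tcp dport", "8000")], "snat to 4.4.4.4:80"),
    ([("ip saddr", "2.2.2.2"), ("tcp dport", "8001")], "snat to 5.5.5.5:90"),
]
DNS_RULES = [
    ([("udp length", "47-63"), ("@th,160,128", "0x0e373135363130333131303735353203")], "goto nat_dns_dnstc"),
    ([("udp length", "62-78"), ("@th,160,128", "0x0e31393032383939353831343037320e")], "goto nat_dns_this_5301"),
    ([("udp length", "62-78"), ("@th,160,128", "0x0e31363436323733373931323934300e")], "goto nat_dns_saturn_5301"),
    ([("udp length", "62-78"), ("@th,160,128", "0x0e32393535373539353636383732310e")], "goto nat_dns_saturn_5302"),
    ([("udp length", "62-78"), ("@th,160,128", "0x0e38353439353637323038363633390e")], "goto nat_dns_saturn_5303"),
    ([], "drop"),
]

if __name__ == "__main__":
    for line in optimize(NAT_RULES) + optimize(DNS_RULES):
        print(line)
```

Running the script prints the same "snat to ... map { ... }" and "udp length . @th,160,128 vmap { ... }" lines the article shows, followed by the untouched "drop". The real optimizer works on nftables' parsed expression tree rather than strings, but the folding condition it needs to respect is the same: identical match structure, compatible action, no key collision, and no reordering across rules that differ.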

Source: opennet.ru
