nftables 1.0.6 packet filter released

nftables 1.0.6, a packet filter that unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridges (and is intended to replace iptables, ip6tables, arptables and ebtables), has been released. The nftables package contains the packet filter components that run in user space, while the kernel side is provided by the nf_tables subsystem, part of the Linux kernel since release 3.13. At the kernel level only a generic, protocol-independent interface is provided; it offers the basic primitives for extracting data from packets, performing operations on that data and controlling the flow of evaluation.

The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space; the bytecode is then loaded into the kernel over the Netlink interface and executed in a dedicated virtual machine resembling BPF (Berkeley Packet Filter). This approach considerably reduces the amount of filtering code that runs at the kernel level and moves all rule parsing and protocol-handling logic into user space.

Main changes:

  • The rule optimizer, enabled with the "-o/--optimize" option, now automatically merges rules that share a common structure by combining them and rewriting them into map and set expressions. For example, the ruleset

        # cat ruleset.nft
        table ip x {
                chain y {
                        type filter hook input priority filter; policy drop;
                        meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
                        meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4 accept
                        meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.3.0/24 accept
                        meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.4.0-2.2.4.10 accept
                        meta iifname eth2 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept
                }
        }

    is rewritten by "nft -o -c -f ruleset.nft" as follows:

        Merging:
        ruleset.nft:4:17-74: meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
        ruleset.nft:5:17-74: meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4 accept
        ruleset.nft:6:17-77: meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.3.0/24 accept
        ruleset.nft:7:17-83: meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.4.0-2.2.4.10 accept
        ruleset.nft:8:17-74: meta iifname eth2 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept
        into:
                iifname . ip saddr . ip daddr { eth1 . 1.1.1.1 . 2.2.2.3, eth1 . 1.1.1.2 . 2.2.2.4, eth1 . 1.1.1.2 . 2.2.3.0/24, eth1 . 1.1.1.2 . 2.2.4.0-2.2.4.10, eth2 . 1.1.1.3 . 2.2.2.5 } accept

  • The optimizer can also rewrite rules that already use simple set lists into a more compact form, for example:

        # cat ruleset.nft
        table ip filter {
                chain input {
                        type filter hook input priority filter; policy drop;
                        iifname "lo" accept
                        ct state established,related accept comment "Traffic we initiate, we trust"
                        iifname "enp0s31f6" ip saddr { 209.115.181.102, 216.197.228.230 } ip daddr 10.0.0.149 udp sport 123 udp dport 32768-65535 accept
                        iifname "enp0s31f6" ip saddr { 64.59.144.17, 64.59.150.133 } ip daddr 10.0.0.149 udp sport 53 udp dport 32768-65535 accept
                }
        }
        # nft -o -c -f ruleset.nft
        Merging:
        ruleset.nft:6:22-149: iifname "enp0s31f6" ip saddr { 209.115.181.102, 216.197.228.230 } ip daddr 10.0.0.149 udp sport 123 udp dport 32768-65535 accept
        ruleset.nft:7:22-143: iifname "enp0s31f6" ip saddr { 64.59.144.17, 64.59.150.133 } ip daddr 10.0.0.149 udp sport 53 udp dport 32768-65535 accept
        into:
                iifname . ip saddr . ip daddr . udp sport . udp dport { enp0s31f6 . 209.115.181.102 . 10.0.0.149 . 123 . 32768-65535, enp0s31f6 . 216.197.228.230 . 10.0.0.149 . 123 . 32768-65535, enp0s31f6 . 64.59.144.17 . 10.0.0.149 . 53 . 32768-65535, enp0s31f6 . 64.59.150.133 . 10.0.0.149 . 53 . 32768-65535 } accept
  • Fixed bytecode generation for interval concatenations whose components use different byte orders, such as IPv4 addresses (network byte order) and meta mark (host byte order):

        table ip x {
                map w {
                        typeof ip saddr . meta mark : verdict
                        flags interval
                        counter
                        elements = { 127.0.0.1-127.0.0.4 . 0x123434-0xb00122 : accept,
                                     192.168.0.10-192.168.1.20 . 0x0000aa00-0x0000aaff : accept, }
                }
                chain k {
                        type filter hook input priority filter; policy drop;
                        ip saddr . meta mark vmap @w
                }
        }

  • Improved the display of uncommon protocols in the protocol mapping when raw payload expressions are used, for example: meta l4proto 91 @th,400,16 0x0 accept
  • Fixed issues with rules that use interval sets, for example: insert rule x y tcp sport { 3478-3497, 16384-16387 } accept
  • The JSON API has been updated to support expressions in set and map declarations.
  • In the nftables Python library, a ruleset can now be loaded in check mode ("-c"), and support for external variable definitions has been added.
  • Comments are now allowed in set elements.
  • A zero value is now allowed in the byte ratelimit.
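To make the merge step of the optimizer examples above concrete, here is an added worked example; it is not part of the original article and not nftables code. It is a toy re-implementation in Python of the rule merge that "nft -o" performs: consecutive rules of one chain that test the same selectors with the same verdict are collapsed into a single rule over a concatenated set, which is what the "into:" lines above show. It assumes the simplified text form of the rules listed above (selector/value pairs followed by a verdict), understands only the selectors in SELECTORS, and passes every other rule through untouched. The two example chains are the ones from the article; all other inputs in the test are constructed.

```python
"""Toy re-implementation of the rule merging that ``nft -o`` performs.

Added example; not nftables code.  Consecutive rules of one chain that test the
same selectors with the same verdict are merged into one rule over a
concatenated set.  Rules the toy does not understand (ct state, comments,
selectors outside SELECTORS) are passed through unchanged.
"""
import re
from itertools import product

# Selectors the toy parser understands.  The real optimizer works on the parsed
# expression tree, not on text.  The two-word "meta ..." forms are listed before
# their bare equivalents so the regex alternation prefers them.
SELECTORS = ("meta iifname", "meta oifname", "iifname", "oifname",
             "ip saddr", "ip daddr", "ip6 saddr", "ip6 daddr",
             "tcp sport", "tcp dport", "udp sport", "udp dport")
VERDICTS = ("accept", "drop")

# One selector and its value: either an anonymous set "{ ... }" or one token
# (an address, a prefix such as 2.2.3.0/24, a range such as 2.2.4.0-2.2.4.10).
_SEL_RE = re.compile(
    r"(?P<key>" + "|".join(re.escape(s) for s in SELECTORS) + r")\s+"
    r"(?P<val>\{[^}]*\}|\S+)\s*")


def _split_values(val):
    """'{ a, b }' -> ['a', 'b']; '"eth1"' -> ['eth1']; '1.2.3.0/24' -> ['1.2.3.0/24']."""
    items = val.strip("{}").split(",") if val.startswith("{") else [val]
    return [i.strip().strip('"') for i in items if i.strip()]


def parse_rule(rule):
    """Return (keys, values, verdict), or None for rules the toy does not handle."""
    rest = rule.strip()
    keys, values = [], []
    while True:
        m = _SEL_RE.match(rest)
        if not m:
            break
        key = m.group("key")
        # nft lists "meta iifname" back as plain "iifname"
        keys.append(key[5:] if key.startswith("meta ") else key)
        values.append(_split_values(m.group("val")))
        rest = rest[m.end():]
    if not keys or rest not in VERDICTS:
        return None
    return tuple(keys), values, rest


def format_set_rule(keys, elems, verdict):
    """Render a concatenated-set rule the way nft lists it."""
    body = ", ".join(" . ".join(e) for e in elems)
    return f"{' . '.join(keys)} {{ {body} }} {verdict}"


def merge_rules(rules):
    """Merge runs of consecutive rules with identical selectors and verdict.

    Only adjacent rules are merged, so no rule is ever moved past another one
    that could match the same packet with a different verdict.
    """
    runs = []  # each run: [keys, verdict, original rule texts, set elements]
    for rule in rules:
        parsed = parse_rule(rule)
        if parsed is None:                       # opaque rule: ends the current run
            runs.append([None, None, [rule.strip()], []])
            continue
        keys, values, verdict = parsed
        if runs and runs[-1][0] == keys and runs[-1][1] == verdict:
            run = runs[-1]
        else:
            run = [keys, verdict, [], []]
            runs.append(run)
        run[2].append(rule.strip())
        # an anonymous set in any position contributes one element per member
        run[3].extend(product(*values))

    out = []
    for keys, verdict, originals, elems in runs:
        if keys is None or len(originals) == 1:  # nothing to merge with
            out.extend(originals)
        else:
            out.append(format_set_rule(keys, elems, verdict))
    return out


# The two chains from the optimizer examples above, as plain rule lists.
EXAMPLE_CHAIN_1 = [
    "meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept",
    "meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4 accept",
    "meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.3.0/24 accept",
    "meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.4.0-2.2.4.10 accept",
    "meta iifname eth2 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept",
]
EXAMPLE_CHAIN_2 = [
    'iifname "lo" accept',
    'ct state established,related accept comment "Traffic we initiate, we trust"',
    'iifname "enp0s31f6" ip saddr { 209.115.181.102, 216.197.228.230 } '
    'ip daddr 10.0.0.149 udp sport 123 udp dport 32768-65535 accept',
    'iifname "enp0s31f6" ip saddr { 64.59.144.17, 64.59.150.133 } '
    'ip daddr 10.0.0.149 udp sport 53 udp dport 32768-65535 accept',
]

if __name__ == "__main__":
    for chain in (EXAMPLE_CHAIN_1, EXAMPLE_CHAIN_2):
        for line in merge_rules(chain):
            print(line)
        print()
```

Running the block prints the merged form of both chains, which can be compared with the "into:" lines shown above. The toy deliberately merges only adjacent rules with the same verdict: a set lookup is order-independent, so folding an accept rule across an intervening drop rule would change which packets are accepted. In practice, run "nft -o -c -f ruleset.nft" first and read the Merging/into output before loading the optimized ruleset.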

Source: opennet.ru
