nftables packet filter 1.0.7 released

The release of the nftables 1.0.7 packet filter has been published. nftables unifies the packet-filtering interfaces for IPv4, IPv6, ARP and network bridges (it is intended to replace iptables, ip6tables, arptables and ebtables). The nftables package contains the packet-filter components that run in user space, while the kernel side is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. At the kernel level only a generic, protocol-independent interface is provided, offering basic functions for extracting data from packets, performing operations on that data, and controlling flow.

The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space, after which the bytecode is loaded into the kernel through the Netlink interface and executed in the kernel by a special virtual machine resembling BPF (Berkeley Packet Filters). This approach makes it possible to significantly reduce the size of the filtering code that runs at the kernel level and to move all rule-parsing functions and protocol-handling logic into user space.

Major changes:

  • For systems running Linux kernel 6.2+, support for vxlan, geneve, gre and gretap protocol mappings has been added, allowing simpler expressions to match on headers inside encapsulated packets. For example, to check the IP address in the header of a packet nested inside VxLAN, you can now use rules such as the following (without having to de-encapsulate the VxLAN header first and bind the filter to the vxlan0 interface):

          ... udp dport 4789 vxlan ip protocol udp ...
          ... udp dport 4789 vxlan ip saddr 1.2.3.0/24 ...
          ... udp dport 4789 vxlan ip saddr . vxlan ip daddr { 1.2.3.4 . 4.3.2.1 }
  • Added support for automatically merging the remainder after a partial deletion of a set element, which lets you delete a single element or part of a range from an existing range (previously a range could only be deleted whole). For example, after deleting element 25 from a set with the ranges 24-30 and 40-50, the set will contain 24, 26-30 and 40-50. The fixes required for automerge to work will be offered in the maintenance releases of the 5.10+ stable kernel branches.

          # nft list ruleset
          table ip x {
                  set y {
                          typeof tcp dport
                          flags interval
                          auto-merge
                          elements = { 24-30, 40-50 }
                  }
          }
          # nft delete element ip x y { 25 }
          # nft list ruleset
          table ip x {
                  set y {
                          typeof tcp dport
                          flags interval
                          auto-merge
                          elements = { 24, 26-30, 40-50 }
                  }
          }
  • Ranges and intervals can now be used in network address translation (NAT) mappings:

          table ip nat {
                  chain prerouting {
                          type nat hook prerouting priority dstnat; policy accept;
                          dnat to ip daddr . tcp dport map { 10.1.1.136 . 80 : 1.1.2.69 . 1024, 10.1.1.10-10.1.1.20 . 8888-8889 : 1.1.2.69 . 2048-2049 } persistent
                  }
          }
  • Added support for the "last" statement, which lets you find out when a rule element or set element was last used. The feature is supported starting with Linux kernel 5.14.

          table ip x {
                  set y {
                          typeof ip daddr . tcp dport
                          size 65535
                          flags dynamic,timeout
                          last
                          timeout 1h
                  }
                  chain z {
                          type filter hook output priority filter; policy accept;
                          update @y { ip daddr . tcp dport }
                  }
          }
          # nft list set ip x y
          table ip x {
                  set y {
                          typeof ip daddr . tcp dport
                          size 65535
                          flags dynamic,timeout
                          last
                          timeout 1h
                          elements = { 172.217.17.14 . 443 last used 1s591ms timeout 1h expires 59m58s409ms,
                                       172.67.69.19 . 443 last used 4s636ms timeout 1h expires 59m55s364ms,
                                       142.250.201.72 . 443 last used 4s748ms timeout 1h expires 59m55s252ms,
                                       172.67.70.134 . 443 last used 4s688ms timeout 1h expires 59m55s312ms,
                                       35.241.9.150 . 443 last used 5s204ms timeout 1h expires 59m54s796ms,
                                       138.201.122.174 . 443 last used 4s537ms timeout 1h expires 59m55s463ms,
                                       34.160.144.191 . 443 last used 5s205ms timeout 1h expires 59m54s795ms,
                                       130.211.23.194 . 443 last used 4s436ms timeout 1h expires 59m55s564ms }
                  }
          }
  • Added the ability to define quotas on set elements. For example, to account a traffic quota for each individual IP address you can define:

          table netdev x {
                  set y {
                          typeof ip daddr
                          size 65535
                          quota over 10000 mbytes
                  }
                  chain y {
                          type filter hook egress device "eth0" priority filter; policy accept;
                          ip daddr @y drop
                  }
          }
          # nft add element netdev x y { 8.8.8.8 }
          # ping -c 2 8.8.8.8
          # nft list ruleset
          table netdev x {
                  set y {
                          type ipv4_addr
                          size 65535
                          quota over 10000 mbytes
                          elements = { 8.8.8.8 quota over 10000 mbytes used 196 bytes }
                  }
                  chain y {
                          type filter hook egress device "eth0" priority filter; policy accept;
                          ip daddr @y drop
                  }
          }
  • Constants may now be used in set keys. For example, when using the destination MAC address and the VLAN ID as the set key, you can specify the VLAN number directly (ether daddr . 123):

          table netdev t {
                  set s {
                          typeof ether saddr . vlan id
                          size 2048
                          flags dynamic,timeout
                          timeout 1m
                  }
                  chain c {
                          type filter hook ingress device eth0 priority 0; policy accept;
                          ether type != 8021q update @s { ether daddr . 123 } counter
                  }
          }
  • Added a new "destroy" command that deletes objects unconditionally (unlike the delete command, it does not return ENOENT when you try to delete an object that does not exist). Requires at least Linux kernel 6.3-rc.

          destroy table ip filter
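As an added example (not part of the release notes or of the nftables project), a small Python parser for the `nft list set` output shown in the "last" item above: it converts the `last used`, `timeout` and `expires` durations to milliseconds, reports elements that have been idle beyond a threshold, and checks that `last used` plus `expires` equals the timeout, which is what the listing shows for entries refreshed by `update`. The sample listing is built from three entries of that output; the idle threshold is an assumption.

```python
import re

# Sample listing in the format `nft list set` prints for a set with the `last`
# flag; constructed here from three entries of the listing in the item above.
SAMPLE = """table ip x {
        set y {
                typeof ip daddr . tcp dport
                flags dynamic,timeout
                last
                timeout 1h
                elements = { 172.217.17.14 . 443 last used 1s591ms timeout 1h expires 59m58s409ms,
                             172.67.69.19 . 443 last used 4s636ms timeout 1h expires 59m55s364ms,
                             130.211.23.194 . 443 last used 4s436ms timeout 1h expires 59m55s564ms }
        }
}"""

UNIT_MS = {"d": 86_400_000, "h": 3_600_000, "m": 60_000, "s": 1_000, "ms": 1}
DUR_RE = re.compile(r"(\d+)(ms|d|h|m|s)")  # "ms" must be tried before "m"
ELEM_RE = re.compile(r"(?P<key>\S+(?: \. \S+)*) last used (?P<last>\S+) "
                     r"timeout (?P<timeout>\S+) expires (?P<expires>\S+)")

def parse_duration_ms(text):
    """Convert an nft duration such as '59m58s409ms' or '1h' to milliseconds."""
    if not re.fullmatch(r"(?:\d+(?:ms|d|h|m|s))+", text):
        raise ValueError(f"bad duration: {text!r}")
    return sum(int(n) * UNIT_MS[u] for n, u in DUR_RE.findall(text))

def parse_elements(listing):
    """One dict per element of the first 'elements = { ... }' block; durations in ms."""
    start = listing.index("elements = {") + len("elements = {")
    end = listing.index("}", start)
    elems = []
    for raw in listing[start:end].split(","):
        m = ELEM_RE.search(raw)
        if not m:
            raise ValueError(f"unparsed element: {raw.strip()!r}")
        e = {k: parse_duration_ms(m[k]) for k in ("last", "timeout", "expires")}
        e["key"] = m["key"]
        elems.append(e)
    return elems

def idle_elements(elems, idle_ms):
    """Keys not matched for at least idle_ms: entries worth reviewing."""
    return [e["key"] for e in elems if e["last"] >= idle_ms]

def inconsistent_elements(elems):
    """For elements refreshed by `update`, last used + expires == timeout;
    anything else points to a stale or misparsed listing."""
    return [e["key"] for e in elems if e["last"] + e["expires"] != e["timeout"]]
```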

Source: opennet.ru
