At the kernel level only a generic, protocol-independent interface is provided, offering the basic operations of extracting data from packets, performing operations on that data, and controlling flow. The filtering logic itself and the protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel through the Netlink interface and executed in a special virtual machine resembling BPF (Berkeley Packet Filters). This approach makes it possible to significantly reduce the amount of filtering code running at the kernel level and to move all rule parsing and protocol-handling logic into user space.

Main innovations:

- Support for matching packets by time. You can define a range of dates and times within which a rule will fire, and also restrict firing to specific days of the week. A new "-T" option has also been added to display epochal time in seconds.

    meta time "2019-12-24 16:00" - "2020-01-02 7:00"
    meta hour "17:00" - "19:00"
    meta day "Friday"

- Support for restoring and saving SELinux labels (secmark).

    ct secmark set meta secmark
    meta secmark set ct secmark

- Support for maps in synproxy, which lets you define more than one rule at a time.

    table ip foo {
      synproxy https-synproxy {
        mss 1460
        wscale 7
        timestamp sack-perm
      }
      synproxy other-synproxy {
        mss 1460
        wscale 5
      }
      chain pre {
        type filter hook prerouting priority raw; policy accept;
        tcp dport 8888 tcp flags syn notrack
      }
      chain chain {
        type filter hook forward priority filter; policy accept;
        ct state invalid,untracked synproxy name ip saddr map { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" }
      }
    }

- The ability to dynamically delete set elements from packet-processing rules.

    nft add rule ... delete @set5 { ip6 saddr . ip6 daddr }

- Support for matching the VLAN id and protocol recorded in the bridge connection metadata.

    meta ibrpvid 100
    meta ibrvproto vlan

- The "-t" ("--terse") option to omit set elements when listing rules. Running "nft -t list ruleset" will print:

    table ip x {
      set y {
        type ipv4_addr
      }
    }

  whereas "nft list ruleset" prints:

    table ip x {
      set y {
        type ipv4_addr
        elements = { 192.168.10.2, 192.168.20.1,
                     192.168.4.4, 192.168.2.34 }
      }
    }

- The ability to specify more than one device in netdev chains (works only with kernel 5.5), so that filtering rules for several interfaces can be combined.

    add table netdev x
    add chain netdev x y { \
      type filter hook ingress devices = { eth0, eth1 } priority 0; \
    }

- The ability to add descriptions of data types.

    # nft describe ipv4_addr
    datatype ipv4_addr (IPv4 address) (basetype integer), 32 bits

- The ability to build the CLI interface with the linenoise library instead of libreadline.

    ./configure --with-cli=linenoise
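As an added illustration of the time-based matching in the first item above (this is not code from the nftables project or from the original article): a small Python model of the meta time, meta hour and meta day expressions, which lets you check how many minutes of a given day a rule with a particular window would actually be active, including an hour range that wraps past midnight. It assumes inclusive range endpoints and evaluation in the host's local wall-clock time.

```python
from datetime import datetime, timedelta

# Constructed model of the three time-based matches added in this release:
#   meta time "YYYY-MM-DD HH:MM" - "YYYY-MM-DD HH:MM"   absolute window
#   meta hour "HH:MM" - "HH:MM"                         daily window, may wrap past midnight
#   meta day "Friday"                                   day of the week
# Assumptions (not taken from nft's own matching code): both ends of a range are
# inclusive and comparison happens in the host's local wall-clock time.

DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]


def _stamp(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def _clock(s):
    return datetime.strptime(s, "%H:%M").time()


def _matches(now, time_range=None, hour_range=None, day=None):
    if time_range and not (_stamp(time_range[0]) <= now <= _stamp(time_range[1])):
        return False
    if hour_range:
        t, lo, hi = now.time(), _clock(hour_range[0]), _clock(hour_range[1])
        # "22:00"-"06:00" is a window that wraps past midnight
        inside = lo <= t <= hi if lo <= hi else (t >= lo or t <= hi)
        if not inside:
            return False
    if day and DAYS[now.weekday()] != day:
        return False
    return True


def rule_matches(now, **rule):
    """now is "YYYY-MM-DD HH:MM"; every given expression must match, as in one nft rule."""
    return _matches(_stamp(now), **rule)


def matched_minutes(date, **rule):
    """Minutes of calendar day "YYYY-MM-DD" during which the rule would fire."""
    midnight = _stamp(date + " 00:00")
    return sum(_matches(midnight + timedelta(minutes=m), **rule) for m in range(24 * 60))


if __name__ == "__main__":
    # 2019-12-27 was a Friday, so the "17:00"-"19:00" / "Friday" rule from the text fires
    print(matched_minutes("2019-12-27", hour_range=("17:00", "19:00"), day="Friday"))  # 121
```

Feeding it the windows from a ruleset before loading them is a cheap way to catch a maintenance window that silently covers zero minutes (wrong weekday) or far more than intended (a wrapped hour range).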
Source: opennet.ru