nftables packet filter 0.9.4 released

Release 0.9.4 of the nftables packet filter has been published. nftables is being developed as a replacement for iptables, ip6tables, arptables and ebtables, unifying the packet-filtering interfaces for IPv4, IPv6, ARP and network bridges. The nftables package contains the packet-filter components that run in user space, while the kernel side is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel changes required for nftables 0.9.4 to work have been merged into the upcoming Linux 5.6 kernel branch.

At the kernel level, only a generic protocol-independent interface is provided, offering the basic functions for extracting data from packets, performing operations on that data, and controlling flow. The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel over the Netlink interface and executed in the kernel by a dedicated virtual machine resembling BPF (Berkeley Packet Filters). This approach greatly reduces the amount of filtering code running at the kernel level and moves all rule-parsing functions and protocol-handling logic into user space.

Main innovations:

  • Support for ranges in concatenations (concatenations of addresses and ports, which simplify matching). For example, for the set "whitelist" whose elements are concatenations, specifying the "interval" flag indicates that the set may contain ranges within the concatenation (for the concatenation "ipv4_addr . ipv4_addr . inet_service" it was previously only possible to specify an exact match such as "192.168.10.35 . 192.68.11.123 . 80", and now groups of addresses can be specified as "192.168.10.35-192.168.10.40 . 192.68.11.123-192.168.11.125 . 80").

    table ip foo {
        set whitelist {
            type ipv4_addr . ipv4_addr . inet_service
            flags interval
            elements = { 192.168.10.35-192.168.10.40 . 192.68.11.123-192.168.11.125 . 80 }
        }

        chain bar {
            type filter hook prerouting priority filter; policy drop;
            ip saddr . ip daddr . tcp dport @whitelist accept
        }
    }
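    As an added example (not from the page or the nftables project), a small Python checker that parses elements written in the concatenated-interval syntax of the whitelist set above and flags any address interval wider than an assumed /16 threshold: a single mistyped octet in a range silently widens what the set accepts. The sample elements and the threshold are constructed.

```python
import ipaddress

# Constructed sample elements in the "saddr . daddr . port" concatenation syntax of the
# whitelist set above; the second one has a deliberately mistyped second octet (68 vs 168).
SAMPLE_ELEMENTS = [
    "192.168.10.35-192.168.10.40 . 192.168.11.123-192.168.11.125 . 80",
    "192.168.10.35-192.168.10.40 . 192.68.11.123-192.168.11.125 . 443",
    "10.0.0.50 . 10.0.1.0-10.0.1.255 . 22",
]

# Assumed review threshold: any address interval wider than a /16 is worth a second look.
MAX_SPAN = 2 ** 16

def parse_interval(text):
    """Parse 'a-b' or a single address 'a' into (first, last) IPv4Address objects."""
    lo, _, hi = text.partition("-")
    first = ipaddress.IPv4Address(lo.strip())
    last = ipaddress.IPv4Address(hi.strip()) if hi else first
    if last < first:
        raise ValueError(f"reversed interval: {text}")
    return first, last

def parse_element(element):
    """Split one concatenated element into (saddr interval, daddr interval, port)."""
    parts = [p.strip() for p in element.split(" . ")]
    if len(parts) != 3:
        raise ValueError(f"expected three concatenated fields: {element}")
    saddr, daddr = parse_interval(parts[0]), parse_interval(parts[1])
    port = int(parts[2])
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {parts[2]}")
    return saddr, daddr, port

def interval_size(interval):
    """Number of addresses covered by a (first, last) interval."""
    return int(interval[1]) - int(interval[0]) + 1

def review_elements(elements, max_span=MAX_SPAN):
    """Return (element, field, size) for every address interval wider than max_span."""
    findings = []
    for element in elements:
        saddr, daddr, _port = parse_element(element)
        for field, interval in (("saddr", saddr), ("daddr", daddr)):
            size = interval_size(interval)
            if size > max_span:
                findings.append((element, field, size))
    return findings
```

    Run `review_elements(SAMPLE_ELEMENTS)` before loading a ruleset; only the mistyped element is reported, because its daddr interval covers millions of addresses rather than three.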

  • In sets and maps, the "typeof" directive can now be used; it determines the element type at creation time.
    For example:

    table ip foo {
        set whitelist {
            typeof ip saddr
            elements = { 192.168.10.35, 192.168.10.101, 192.168.10.135 }
        }

        chain bar {
            type filter hook prerouting priority filter; policy drop;
            ip daddr @whitelist accept
        }
    }

    table ip foo {
        map addr2mark {
            typeof ip saddr : meta mark
            elements = { 192.168.10.35 : 0x00000001, 192.168.10.135 : 0x00000002 }
        }
    }

  • Added the ability to use concatenations in NAT, which allows both an address and a port to be specified when defining a NAT mapping based on an inline map or a named map:

    nft add rule ip nat pre dnat ip addr . port to ip saddr map { 1.1.1.1 : 2.2.2.2 . 30 }

    nft add map ip nat destinations { type ipv4_addr . inet_service : ipv4_addr . inet_service \; }
    nft add rule ip nat pre dnat ip addr . port to ip saddr . tcp dport map @destinations

  • Support for hardware acceleration by offloading some filtering operations to the network card. Acceleration is enabled with the ethtool utility ("ethtool -K eth0 hw-tc-offload on"), after which it is activated in nftables for a base chain using the "offload" flag. With the Linux 5.6 kernel, hardware acceleration is supported for matching on header fields and ingress inspection, and for the accept, drop, dup and fwd packet actions. In the example below, operations on packets arriving from the address 192.168.30.20 are performed at the network-card level, without passing the packets to the kernel:

    # cat file.nft
    table netdev x {
        chain y {
            type filter hook ingress device eth0 priority 10; flags offload;
            ip saddr 192.168.30.20 drop
        }
    }
    # nft -f file.nft

  • Improved information about the location of errors in rules.

    # nft delete rule ip yz handle 7
    Error: Could not process rule: No such file or directory
    delete rule ip yz handle 7
                   ^^

    # nft delete rule ip xx handle 7
    Error: Could not process rule: No such file or directory
    delete rule ip xx handle 7
                             ^

    # nft delete table twst
    Error: No such file or directory; did you mean table ‘test’ in family ip?
    delete table twst
                 ^^^^

    The first example shows that the table 'yz' does not exist in the system, the second shows that handle '7' is missing, and the third shows a spelling hint for a mistyped table name.

  • Added support for checking the slave interface via the "meta sdif" or "meta sdifname" expressions:

    … meta sdifname vrf1 …

  • Added support for left and right shift operations. For example, to shift the existing packet mark left by 1 bit and set the low bit to 1:

    … meta mark set meta mark lshift 1 or 0x1 …

  • Implemented the "-V" option, which displays extended version information.

    # nft -V
    nftables v0.9.4 (Jive at Five)
      cli:        readline
      json:       yes
      minigmp:    no
      libxtables: yes

  • Command-line options must now precede commands. For example, you need to write "nft -a list ruleset"; running "nft list ruleset -a" will produce an error.

    Source: opennet.ru
