nftables packet filter 0.9.9 released

The nftables 0.9.9 packet filter release has been published, unifying the packet filtering interfaces for IPv4, IPv6, ARP and network bridges (it is intended to replace iptables, ip6tables, arptables and ebtables). At the same time, the companion library libnftnl 1.2.0 has been released, providing a low-level API for interacting with the nf_tables subsystem. The kernel changes required for nftables 0.9.9 to work have been included in Linux kernel 5.13-rc1.

The nftables package contains the packet filter components that run in user space, while the kernel side is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel level provides only a generic, protocol-independent interface with basic functions for extracting data from packets, performing operations on that data, and controlling flow.

Filtering rules and protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel over the Netlink interface and executed in a special virtual machine inside the kernel that resembles BPF (Berkeley Packet Filters). This approach greatly reduces the amount of filtering code running at the kernel level and moves all rule parsing and protocol handling logic into user space.

Main innovations:

  • Added the ability to offload flow processing to the network adapter using the 'offload' flag. A flowtable is a mechanism for optimizing the packet forwarding path: the full traversal of all rule chains is applied only to the first packet of a flow, and all subsequent packets of that flow are forwarded directly.

        table ip global {
            flowtable f {
                hook ingress priority filter + 1
                devices = { lan3, lan0, wan }
                flags offload
            }
            chain forward {
                type filter hook forward priority filter; policy accept;
                ip protocol { tcp, udp } flow add @f
            }
            chain post {
                type nat hook postrouting priority filter; policy accept;
                oifname "wan" masquerade
            }
        }

  • Added support for attaching an owner flag to a table to guarantee exclusive use of the table by one process. When the process exits, the associated table is deleted automatically. Information about the owning process is shown in the rule dump as a comment:

        table ip x { # progname nft
            flags owner
            chain y {
                type filter hook input priority filter; policy accept;
                counter packets 1 bytes 309
            }
        }

  • Added support for the IEEE 802.1ad specification (VLAN stacking, or QinQ), which defines a mechanism for embedding several VLAN tags in one Ethernet frame. For example, to match an outer Ethernet frame of type 8021ad with vlan id=342, you can use the construct "... ether type 8021ad vlan id 342"; to match an outer Ethernet frame of type 8021ad/vlan id=1, a nested 802.1q/vlan id=2 and then an IP packet: "... ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip counter".
  • Added support for resource management through the unified cgroups v2 hierarchy. The main difference between cgroups v2 and v1 is the use of a single common hierarchy of groups for all resource types, instead of separate hierarchies for CPU allocation, memory usage regulation, and I/O. For example, to check that the level-1 ancestor of the socket's cgroupv2 matches the mask "system.slice", you can use the construct: "... socket cgroupv2 level 1 "system.slice"".
  • Added the ability to match the components of SCTP packets (the kernel functionality required for this will appear in Linux kernel 5.14). For example, to check that a packet contains a chunk of type 'data', and to match that chunk's 'type' field: "... sctp chunk data exists" and "... sctp chunk data type 0".
  • The rule loading operation with the "-f" flag has been sped up by roughly a factor of two. Output of the rule list has also been sped up.
  • A short form for checking whether flag bits are set or not has been provided. For example, to check that the snat and dnat status bits are not set, you can write "... ct status ! snat,dnat"; to check that the syn bit is the one set within the bitmask syn,ack: "... tcp flags syn / syn,ack"; to check that fin and rst are not the bits set within the bitmask syn,ack,fin,rst: "... tcp flags ! fin,rst / syn,ack,fin,rst".
  • The "verdict" keyword is now allowed in set/map type definitions: "add map xm { typeof iifname . ip protocol . th dport : verdict; }".
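To make the flag shortcut item above concrete, here is an added example (not code from the nftables project) that translates the three quoted forms into the mask/value comparisons they stand for and evaluates them against the flags byte of constructed raw TCP headers. The TCP_FLAGS and CT_STATUS bit tables are taken from the TCP header layout and the kernel's IPS_* conntrack status bits; the expression grammar accepted is deliberately limited to the forms the release quotes.

```python
import functools
import operator
import struct

# TCP flag bits of header byte 13, with the names nft uses for them.
TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08,
             "ack": 0x10, "urg": 0x20, "ecn": 0x40, "cwr": 0x80}
# Conntrack status bits (IPS_* in the kernel's nf_conntrack_common.h).
CT_STATUS = {"expected": 0x01, "seen-reply": 0x02, "assured": 0x04,
             "confirmed": 0x08, "snat": 0x10, "dnat": 0x20}

def compile_shortcut(expr, table=TCP_FLAGS):
    """Translate '[!] a,b [/ m,n]' into (mask, value, negate) for a masked compare.

    Expansions as the release gives them: '! a,b' is flags & (a|b) == 0,
    'v / m' is flags & m == v, and '! v / m' is flags & m != v."""
    tokens = expr.split()
    negate = bool(tokens) and tokens[0] == "!"
    if negate:
        tokens = tokens[1:]
    if len(tokens) not in (1, 3) or (len(tokens) == 3 and tokens[1] != "/"):
        raise ValueError(f"unsupported shortcut: {expr!r}")

    def bits(csv):
        return functools.reduce(operator.or_, (table[n] for n in csv.split(",")))

    value = bits(tokens[0])
    if len(tokens) == 1:
        if not negate:
            raise ValueError("only the negated list form without a mask is modelled")
        return value, 0, False                  # none of the listed bits set
    return bits(tokens[2]), value, negate       # flags & mask ==/!= value

def matches(expr, flags, table=TCP_FLAGS):
    """True when the shortcut expression matches the given flag bits."""
    mask, value, negate = compile_shortcut(expr, table)
    hit = (flags & mask) == value
    return not hit if negate else hit

def build_tcp_header(flags, sport=40000, dport=443):
    """Constructed 20-byte TCP header (data offset 5, no options) carrying flags."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)

def tcp_flags_of(segment):
    """Read the flags byte at offset 13 of a raw TCP header."""
    return struct.unpack_from("!B", segment, 13)[0]
```

Calling matches("syn / syn,ack", ...) on a SYN-only header returns True and on a SYN+ACK header returns False, which is exactly the distinction the mask form adds over a plain flag list.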

Source: opennet.ru
