Release of the nftables 1.0.0 packet filter

The nftables 1.0.0 packet filter has been released. It unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridges, and is intended to replace iptables, ip6tables, arptables and ebtables. The kernel-side changes that nftables 1.0.0 needs are included in Linux 5.13. The jump in the version number is not tied to any fundamental change; it is simply the result of continuing the decimal numbering sequence (the previous release was 0.9.9).

The nftables package contains the user-space components of the packet filter, while the kernel side is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel provides only a generic, protocol-independent interface with the basic primitives for extracting data from packets, operating on that data and controlling flow.

The filtering rules and protocol-specific handlers are compiled into bytecode in user space; that bytecode is then loaded into the kernel through the Netlink interface and executed by a dedicated in-kernel virtual machine reminiscent of BPF (Berkeley Packet Filters). This approach substantially reduces the amount of filtering code that runs in the kernel and moves all rule parsing and protocol-handling logic into user space.

Main new features:

  • Sets now support the wildcard element "*", a catch-all that matches every packet not matched by any other element defined in the set:

        table x {
            map blocklist {
                type ipv4_addr : verdict
                flags interval
                elements = { 192.168.0.0/16 : accept, 10.0.0.0/8 : accept, * : drop }
            }
            chain y {
                type filter hook prerouting priority 0; policy accept;
                ip saddr vmap @blocklist
            }
        }

  • Variables can be defined on the command line with the "--define" option:

        # cat test.nft
        table netdev x {
            chain y {
                type filter hook ingress devices = $dev priority 0; policy drop;
            }
        }
        # nft --define dev="{ eth0, eth1 }" -f test.nft

  • Stateful expressions (such as counters) are allowed in map elements:

        table inet filter {
            map portmap {
                type inet_service : verdict
                counter
                elements = { 22 counter packets 0 bytes 0 : jump ssh_input, * counter packets 0 bytes 0 : drop }
            }
            chain ssh_input {
            }
            chain wan_input {
                tcp dport vmap @portmap
            }
            chain prerouting {
                type filter hook prerouting priority raw; policy accept;
                iif vmap { "lo" : jump wan_input }
            }
        }

  • A "list hooks" command has been added that shows the hooks registered for a given packet family, including hooks owned by kernel code other than nf_tables (the SELinux entries below). Entries are listed in ascending priority order, which is the order in which netfilter invokes them:

        # nft list hooks ip device eth0
        family ip {
            hook ingress {
                +0000000010 chain netdev x y [nf_tables]
                +0000000300 chain inet m w [nf_tables]
            }
            hook input {
                -0000000100 chain ip a b [nf_tables]
                +0000000300 chain inet m z [nf_tables]
            }
            hook forward {
                -0000000225 selinux_ipv4_forward
                 0000000000 chain ip a c [nf_tables]
            }
            hook output {
                -0000000225 selinux_ipv4_output
            }
            hook postrouting {
                +0000000225 selinux_ipv4_postroute
            }
        }

  • In queue statements, the jhash, symhash and numgen expressions can be combined with "queue" to distribute packets across several user-space queues:

        ... queue to symhash mod 65536
        ... queue flags bypass to numgen inc mod 65536
        ... queue to jhash oif . meta mark mod 32

    "queue" can also be combined with maps to select the user-space queue based on arbitrary keys:

        ... queue flags bypass to oifname map { "eth0" : 0, "ppp0" : 2, "eth1" : 2 }

  • Variables that contain a set can be expanded into multiple map elements:

        define interfaces = { eth0, eth1 }

        table ip x {
            chain y {
                type filter hook input priority 0; policy accept;
                iifname vmap { lo : accept, $interfaces : drop }
            }
        }

        # nft -f x.nft
        # nft list ruleset
        table ip x {
            chain y {
                type filter hook input priority 0; policy accept;
                iifname vmap { "lo" : accept, "eth0" : drop, "eth1" : drop }
            }
        }

  • Concatenated ranges are now allowed in vmaps (verdict maps):

        # nft add rule x y tcp dport . ip saddr vmap { 1025-65535 . 192.168.10.2 : accept }

  • Simplified syntax for NAT mappings. Address ranges can be specified:

        ... snat to ip saddr map { 10.141.11.4 : 192.168.2.2-192.168.2.4 }

    or IP addresses together with ports:

        ... dnat to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 }

    or combinations of IP ranges and ports:

        ... dnat to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.2-10.141.10.5 . 8888 }
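To show how these features fit together on one host, the following ruleset is an added example written for this page; it is not from the article or from the nftables project. It assumes a host with eth0 facing the WAN and eth1 facing the LAN, published addresses in 203.0.113.0/24, internal hosts in 10.0.0.0/8, and a user-space program bound to NFQUEUE queues 0 to 3; the table, chain and map names are likewise made up for illustration. It combines an interval map with a catch-all element, per-element counters, a hashed queue statement and concatenated NAT maps, and marks two things worth getting right: a catch-all only covers packets of the map's key type, and a queue statement without "flags bypass" fails closed.

```nft
#!/usr/sbin/nft -f
# Added example for this page; interface names, addresses and queue
# numbers are assumptions.
flush ruleset

define wan = "eth0"
define monitored = { eth0, eth1 }

table inet filter {
    # Interval map with a catch-all: any IPv4 source outside the two
    # listed prefixes hits "* : drop", so for IPv4 the chain policy
    # below is never reached through the vmap rule.
    map src_policy {
        type ipv4_addr : verdict
        flags interval
        elements = { 192.168.0.0/16 : jump trusted,
                     10.0.0.0/8 : jump trusted,
                     * : drop }
    }

    # Stateful counter on each element: per-service hit counts without
    # extra rules ("nft list map inet filter services" shows them).
    map services {
        type inet_service : verdict
        counter
        elements = { 22 counter packets 0 bytes 0 : jump ssh_in,
                     443 counter packets 0 bytes 0 : accept,
                     * counter packets 0 bytes 0 : drop }
    }

    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # The map key type is ipv4_addr, so IPv6 packets never enter
        # the map and fall through to the chain policy: keep it at drop.
        ip saddr vmap @src_policy
    }

    chain trusted {
        # Entered by "jump" only; non-TCP packets return to input and
        # are dropped by its policy.
        tcp dport vmap @services
    }

    chain ssh_in {
        limit rate 10/minute accept
        drop
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state invalid drop
        # Spread forwarded packets over user-space queues 0-3. symhash
        # maps both directions of a flow to the same queue, so a single
        # consumer sees a whole conversation. Without "flags bypass" the
        # queue fails closed: if no program is bound to it, packets are
        # dropped. The variant
        #     iifname $monitored queue flags bypass to symhash mod 4
        # would forward traffic unfiltered whenever the consumer is down.
        iifname $monitored queue to symhash mod 4
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Concatenated map: published address . port -> internal address . port
        iifname $wan dnat to ip daddr . tcp dport map {
            203.0.113.10 . 80 : 10.0.0.2 . 8080,
            203.0.113.10 . 443 : 10.0.0.2 . 8443 }
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $wan snat to ip saddr map { 10.0.0.2 : 203.0.113.10,
                                            10.0.0.3 : 203.0.113.11 }
    }
}
```

Validate it with "nft -c -f host.nft" before loading; the check option parses and verifies the file without touching the running ruleset, so a syntax slip in a map element is caught before the flush.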

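The "list hooks" output is a small, regular text format, and auditing it is useful beyond debugging nftables: it reveals every piece of kernel code that sits in a packet's path at a given hook, since any kernel module can register a netfilter hook, not only nf_tables. The parser below is an added example written for this page and is not part of the nftables project. It embeds the listing from the article as constructed sample input (indentation normalised to spaces), treats any entry without an "[nf_tables]" tag as a foreign hook, and orders entries by priority, the order in which netfilter invokes them. The function names and the HookEntry type are my own.

```python
"""Parse and audit the output of "nft list hooks" (nftables >= 1.0.0)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the "nft list hooks ip device eth0" listing from the article.
SAMPLE_LIST_HOOKS = """\
family ip {
    hook ingress {
        +0000000010 chain netdev x y [nf_tables]
        +0000000300 chain inet m w [nf_tables]
    }
    hook input {
        -0000000100 chain ip a b [nf_tables]
        +0000000300 chain inet m z [nf_tables]
    }
    hook forward {
        -0000000225 selinux_ipv4_forward
         0000000000 chain ip a c [nf_tables]
    }
    hook output {
        -0000000225 selinux_ipv4_output
    }
    hook postrouting {
        +0000000225 selinux_ipv4_postroute
    }
}
"""

HookKey = Tuple[str, str]  # (family, hook name), e.g. ("ip", "forward")


@dataclass(frozen=True)
class HookEntry:
    priority: int          # netfilter calls hook entries in ascending priority order
    description: str       # "chain <family> <table> <chain>" for nf_tables, else the hook function
    module: Optional[str]  # the "[...]" suffix in the listing; None when nft prints none


_FAMILY_RE = re.compile(r"^\s*family\s+(\w+)\s*\{\s*$")
_HOOK_RE = re.compile(r"^\s*hook\s+(\w+)\s*\{\s*$")
_ENTRY_RE = re.compile(r"^\s*([+-]?\d+)\s+(.+?)(?:\s+\[(\w+)\])?\s*$")


def parse_list_hooks(text: str) -> Dict[HookKey, List[HookEntry]]:
    """Return the entries per (family, hook), sorted into execution order."""
    hooks: Dict[HookKey, List[HookEntry]] = {}
    family: Optional[str] = None
    hook: Optional[str] = None
    for line in text.splitlines():
        m = _FAMILY_RE.match(line)
        if m:
            family = m.group(1)
            continue
        m = _HOOK_RE.match(line)
        if m and family is not None:
            hook = m.group(1)
            hooks[(family, hook)] = []
            continue
        if line.strip() == "}":
            hook = None  # closes the current hook block (or the family block)
            continue
        m = _ENTRY_RE.match(line)
        if m and family is not None and hook is not None:
            hooks[(family, hook)].append(
                HookEntry(int(m.group(1)), m.group(2), m.group(3)))
    return {key: sorted(entries, key=lambda e: e.priority)
            for key, entries in hooks.items()}


def foreign_hooks(hooks: Dict[HookKey, List[HookEntry]]) -> List[Tuple[HookKey, HookEntry]]:
    """Entries not owned by nf_tables: other kernel code sitting in the packet path.

    SELinux is expected on a host that runs it; a function name you cannot
    attribute to an expected module is worth investigating.
    """
    return [(key, entry) for key, entries in hooks.items()
            for entry in entries if entry.module != "nf_tables"]


def runs_before(hooks: Dict[HookKey, List[HookEntry]], key: HookKey,
                priority: int) -> List[HookEntry]:
    """Entries that see a packet before a chain registered at `priority` on `key`."""
    return [entry for entry in hooks.get(key, []) if entry.priority < priority]


if __name__ == "__main__":
    parsed = parse_list_hooks(SAMPLE_LIST_HOOKS)
    for (family, hook), entries in parsed.items():
        print(f"{family}/{hook}:")
        for entry in entries:
            print(f"  {entry.priority:>6}  {entry.description}  [{entry.module or 'not nf_tables'}]")
    for (family, hook), entry in foreign_hooks(parsed):
        print(f"foreign hook on {family}/{hook}: {entry.description} at priority {entry.priority}")
```

Run the module directly to print the execution order per hook for the sample; on a live host, feed it the output of "nft list hooks <family> device <ifname>" instead. runs_before answers the question "what already handled this packet before my chain ran", which matters when a verdict from an earlier, lower-priority hook is the reason a rule never matches.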
Source: opennet.ru
