Release of the nftables 1.0.2 packet filter

Version 1.0.2 of the nftables packet filter has been released. nftables unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridges and is intended to replace iptables, ip6tables, arptables and ebtables. The kernel changes that nftables 1.0.2 relies on are included in Linux kernel 5.17-rc.

The nftables package contains the user-space components of the packet filter; the kernel side is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel side offers only a generic, protocol-independent interface with the basic operations for extracting data from packets, operating on that data, and controlling the flow of evaluation.

Filtering rules and protocol-specific handlers are compiled into bytecode in user space; the bytecode is then loaded into the kernel over the Netlink interface and executed by a dedicated in-kernel virtual machine reminiscent of BPF (Berkeley Packet Filter). This design greatly reduces the amount of filtering code that runs at kernel level and moves all rule parsing and protocol-handling logic into user space.

Main changes:

  • A rule optimization mode has been added, enabled with the new "-o" ("--optimize") option. It can be combined with "--check" to verify and optimize a ruleset file without actually loading it. The optimizer merges similar rules into set and map lookups. For example, the rules:

        meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
        meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.5 accept
        ip saddr 1.1.1.1 ip daddr 2.2.2.2 drop
        ip saddr 2.2.2.2 ip daddr 3.3.3.3 accept

    are merged into:

        meta iifname . ip saddr . ip daddr { eth1 . 1.1.1.1 . 2.2.2.3, eth1 . 1.1.1.2 . 2.2.2.5 } accept
        ip saddr . ip daddr vmap { 1.1.1.1 . 2.2.2.2 : drop, 2.2.2.2 . 3.3.3.3 : accept }

    Usage example:

        # nft -c -o -f ruleset.test
        Merging:
        ruleset.nft:16:3-37: ip daddr 192.168.0.1 counter accept
        ruleset.nft:17:3-37: ip daddr 192.168.0.2 counter accept
        ruleset.nft:18:3-37: ip daddr 192.168.0.3 counter accept
        into:
        ip daddr { 192.168.0.1, 192.168.0.2, 192.168.0.3 } counter packets 0 bytes 0 accept

  • Sets can now be declared over IP options and TCP options, as well as SCTP chunk fields:

        set s5 {
            typeof ip option ra value
            elements = { 1, 1024 }
        }
        set s7 {
            typeof sctp chunk init num-inbound-streams
            elements = { 1 }
        }

  • Added support for the TCP options fastopen, md5sig and mptcp.
  • Added support for using the MPTCP option subtype in matches and maps, e.g. tcp option mptcp subtype 1
  • The kernel-side filtering code has been optimized.
  • Flowtables now have full JSON support.
  • The "reject" verdict can now be used together with Ethernet match expressions, e.g. ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject
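To make the merging step of the new "-o" mode concrete, here is an added Python toy that reproduces the behaviour described above for a small subset of the rule language. It is an illustration written for this page, not nftables' own code (nft implements the optimizer in C in user space). It assumes rules written as "<key> <value> ... <verdict>", where the keys are the two-word match selectors listed in KEYS; statements such as "counter" are not handled. It also encodes the caveat a practitioner should keep in mind: only consecutive rules with the same match layout are merged, and a run containing a shadowed rule (same match, different verdict) is left alone, because nftables evaluates rules in order and a verdict map can hold only one verdict per key. The sample rules at the bottom are the four rules from the announcement above.

```python
"""Toy re-implementation of the rule merging performed by `nft -o`.

Added example, not nftables' own code (nft does this in C inside its
user-space optimizer).  It understands only a subset of the rule language:
rules written as "<key> <value> ... <verdict>", where <key> is one of the
two-word match selectors listed in KEYS.  Statements such as "counter" are
deliberately not handled.
"""

VERDICTS = {"accept", "drop", "reject", "return", "continue"}
KEYS = {
    "meta iifname", "meta oifname", "ip saddr", "ip daddr", "ip protocol",
    "tcp sport", "tcp dport", "udp sport", "udp dport",
}


def parse_rule(text):
    """'ip saddr 1.1.1.1 ip daddr 2.2.2.2 drop' ->
    ((('ip saddr', '1.1.1.1'), ('ip daddr', '2.2.2.2')), 'drop')"""
    words = text.split()
    if not words or words[-1] not in VERDICTS:
        raise ValueError(f"rule has no terminal verdict: {text!r}")
    verdict = words.pop()
    matches = []
    i = 0
    while i < len(words):
        key = " ".join(words[i:i + 2])
        if key not in KEYS or i + 2 >= len(words):
            raise ValueError(f"unsupported match near {' '.join(words[i:])!r}")
        matches.append((key, words[i + 2]))
        i += 3
    return tuple(matches), verdict


def render(keys, values, verdict):
    """Print one unmerged rule back in nft syntax."""
    return " ".join(f"{k} {v}" for k, v in zip(keys, values)) + f" {verdict}"


def merge_run(keys, entries):
    """Merge a run of consecutive rules that test the same keys.

    entries: list of (values tuple, verdict), in ruleset order.
    A run with a single rule, or whose rules repeat a match (a shadowed rule,
    where first-match-wins order matters), is returned unchanged.  Otherwise a
    single shared verdict becomes one rule with an anonymous concatenated set,
    and mixed verdicts become a verdict map (vmap).
    """
    values = [v for v, _ in entries]
    if len(entries) == 1 or len(set(values)) != len(values):
        return [render(keys, v, verdict) for v, verdict in entries]
    selector = " . ".join(keys)
    verdicts = {verdict for _, verdict in entries}
    if len(verdicts) == 1:
        elems = ", ".join(" . ".join(v) for v in values)
        return [f"{selector} {{ {elems} }} {verdicts.pop()}"]
    elems = ", ".join(f"{' . '.join(v)} : {verdict}" for v, verdict in entries)
    return [f"{selector} vmap {{ {elems} }}"]


def optimize(rules):
    """Return the rules with each run of same-shaped consecutive rules merged.

    Only adjacent rules are merged: moving a rule past another one that could
    match the same packet would change which verdict wins.
    """
    parsed = [parse_rule(r) for r in rules]
    shapes = [tuple(k for k, _ in m) for m, _ in parsed]
    out = []
    i = 0
    while i < len(parsed):
        j = i
        while j < len(parsed) and shapes[j] == shapes[i]:
            j += 1
        entries = [(tuple(v for _, v in m), verdict) for m, verdict in parsed[i:j]]
        out.extend(merge_run(shapes[i], entries))
        i = j
    return out


# Constructed sample input: the four rules quoted in the release notes above.
SAMPLE_RULES = [
    "meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept",
    "meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.5 accept",
    "ip saddr 1.1.1.1 ip daddr 2.2.2.2 drop",
    "ip saddr 2.2.2.2 ip daddr 3.3.3.3 accept",
]

if __name__ == "__main__":
    for line in optimize(SAMPLE_RULES):
        print(line)
```

Running it prints the two merged rules shown in the announcement. The security-relevant point is in `optimize` and `merge_run`: a merge is only safe when it cannot change which rule a packet hits first, which is why non-adjacent rules and shadowed duplicates stay as they are. The real optimizer is far more general (it understands ranges, intervals, counters and more), but the same ordering constraint applies, so always review the "Merging: ... into:" output of `nft -c -o -f` before loading an optimized ruleset.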

Source: opennet.ru
