nftables packet filter 1.0.6 released

The release of the nftables 1.0.6 packet filter has been published. nftables unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridges (it is intended to replace iptables, ip6table, arptables and ebtables). The nftables package contains the packet filter components that run in user space, while the kernel side is handled by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel level provides only a generic, protocol-independent interface offering the basic functions of extracting data from packets, performing operations on that data, and controlling flow.

The filtering rules and protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel over the Netlink interface and executed in the kernel by a special virtual machine reminiscent of BPF (Berkeley Packet Filters). This approach makes it possible to greatly reduce the size of the filtering code running at the kernel level and to move all rule parsing and protocol-handling logic into user space.

Main changes:

  • The rule optimizer, enabled with the "-o/--optimize" option, packs rules automatically by merging them and converting them into maps and sets. For example, the ruleset

        # cat ruleset.nft
        table ip x {
          chain y {
            type filter hook input priority filter; policy drop;
            meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
            meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4 accept
            meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4-2.2.2.5 accept
            meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.3.0/24 accept
            meta iifname eth1 ip saddr 1.1.1.2-1.1.1.3 ip daddr 2.2.4.0/24 accept
            meta iifname eth2 ip saddr 1.1.1.2 ip daddr 2.2.4.10 accept
          }
        }

    after running "nft -o -c -f ruleset.nft" is reported as merged into a single rule with a concatenation set:

        meta iifname . ip saddr . ip daddr { eth1 . 1.1.1.1 . 2.2.2.3, eth1 . 1.1.1.2 . 2.2.2.4, eth1 . 1.1.1.2 . 2.2.2.4-2.2.2.5, eth1 . 1.1.1.1 . 2.2.3.0/24, eth1 . 1.1.1.2-1.1.1.3 . 2.2.4.0/24, eth2 . 1.1.1.2 . 2.2.4.10 } accept

  • The optimizer can also convert rules that already use simple sets into the concatenation form. For example, the ruleset

        # cat ruleset.nft
        table ip filter {
          chain input {
            type filter hook input priority filter; policy drop;
            iifname "lo" accept
            ct state established,related accept comment "Traffic originated from us, we trust it"
            iifname "enp0s31f6" ip saddr { 209.115.181.102, 216.197.228.230 } ip daddr 10.0.0.149 udp sport 123 udp dport 32768-65535 accept
            iifname "enp0s31f6" ip saddr 64.59.144.17 ip daddr 10.0.0.149 udp sport 53 udp dport 32768-65535 accept
            iifname "enp0s31f6" ip saddr 64.59.150.133 ip daddr 10.0.0.149 udp sport 53 udp dport 32768-65535 accept
          }
        }

    has its last three rules merged by "nft -o -c -f ruleset.nft" into:

        iifname . ip saddr . ip daddr . udp sport . udp dport { enp0s31f6 . 209.115.181.102 . 10.0.0.149 . 123 . 32768-65535, enp0s31f6 . 216.197.228.230 . 10.0.0.149 . 123 . 32768-65535, enp0s31f6 . 64.59.144.17 . 10.0.0.149 . 53 . 32768-65535, enp0s31f6 . 64.59.150.133 . 10.0.0.149 . 53 . 32768-65535 } accept

  • Fixed a bug in bytecode generation for concatenations that combine types with different byte orders, such as IPv4 addresses (network byte order) and meta mark (host byte order). Example of an affected ruleset:

        table ip x {
          map w {
            typeof ip saddr . meta mark : verdict
            flags interval
            counter
            elements = { 127.0.0.1-127.0.0.4 . 0x123434-0xb00122 : accept,
                         192.168.0.10-192.168.1.20 . 0x0000aa00-0x0000aaff : accept, }
          }
          chain k {
            type filter hook input priority filter; policy drop;
            ip saddr . meta mark vmap @w
          }
        }

  • Fixed comparisons against rarely used protocols when raw expressions are used, for example: meta l4proto 91 @th,400,16 0x0
  • Fixed problems when inserting rules containing several ranges: insert rule x y tcp sport { 3478-3497, 16384-16387 } counter accept
  • The JSON API has been improved to add support for expressions in sets and maps.
  • The nftables Python library has been extended to allow loading rulesets in check mode ("-c") and now supports externally defined variables.
  • Comments may now be added to set element lists.
  • The byte rate limit now accepts a zero value.
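To show what the rule merging in the two optimizer examples above amounts to, here is a simplified toy written for this page (not nftables' own optimizer code): it parses the simple rule shapes shown, expands anonymous sets, and merges runs of consecutive rules that share selectors and verdict into one concatenation-set rule. The SELECTORS list is constructed for these examples and is not nft's grammar.

```python
from itertools import product

# Selectors this toy understands (constructed list); a value or '{ set }' follows each.
SELECTORS = {"meta iifname", "iifname", "ip saddr", "ip daddr", "udp sport", "udp dport"}

def parse_rule(rule):
    """Return (selectors, elements, verdict) for one rule. An anonymous set
    '{ a, b }' yields one element per member, as the optimizer's output shows."""
    tokens = rule.split()
    verdict = tokens.pop()
    if verdict not in ("accept", "drop"):
        raise ValueError(f"unsupported verdict: {verdict!r}")
    sels, columns, i = [], [], 0
    while i < len(tokens):
        n = 1 if tokens[i] == "iifname" else 2        # selector word count
        sel = " ".join(tokens[i:i + n])
        if sel not in SELECTORS:
            raise ValueError(f"unsupported selector at {tokens[i]!r}")
        i += n
        if tokens[i] == "{":                           # anonymous set
            j = tokens.index("}", i)
            values = [t.rstrip(",").strip('"') for t in tokens[i + 1:j]]
            i = j + 1
        else:
            values, i = [tokens[i].strip('"')], i + 1
        sels.append(sel)
        columns.append(values)
    return tuple(sels), list(product(*columns)), verdict

def optimize(rules):
    """Merge each run of consecutive rules with identical selectors and verdict
    into one concatenation-set rule. Only adjacent rules are merged, so
    first-match order is kept: a differing rule in between ends the run."""
    out, i = [], 0
    while i < len(rules):
        sels, elems, verdict = parse_rule(rules[i])
        j = i + 1
        while j < len(rules):
            s2, e2, v2 = parse_rule(rules[j])
            if (s2, v2) != (sels, verdict):
                break
            elems += e2
            j += 1
        if j == i + 1:                                 # nothing to merge
            out.append(rules[i])
        else:
            body = ", ".join(" . ".join(e) for e in elems)
            out.append(f"{' . '.join(sels)} {{ {body} }} {verdict}")
        i = j
    return out
```

Feeding it the six rules of the first example yields exactly the single concatenation rule quoted above; the `iifname "lo"` and `ct state` rules of the second example are left alone because their selectors differ.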

Source: opennet.ru
