The packet filter nftables 1.0.7 has been released. It unifies the packet-filtering interfaces for IPv4, IPv6, ARP and network bridges (and is intended to replace iptables, ip6tables, arptables and ebtables). The nftables package contains the user-space components of the packet filter, while the kernel-side work is done by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. At the kernel level only a generic, protocol-independent interface is provided; it offers basic operations for extracting data from packets, performing operations on that data and controlling flow.
The filtering rules themselves, together with protocol-specific handlers, are compiled to bytecode in user space. This bytecode is then loaded into the kernel over the Netlink interface and executed in the kernel by a dedicated virtual machine reminiscent of BPF (Berkeley Packet Filters). This approach greatly reduces the amount of filtering code that runs at the kernel level and moves all rule parsing and protocol-specific logic into user space.
Main changes:
- On systems with Linux kernel 6.2+, support is added for matching the headers of packets encapsulated in vxlan, geneve, gre and gretap tunnels, so simple expressions can check the inner packet's header fields. For example, to check the IP addresses in the header of a packet carried inside VxLAN you can now write rules like the ones below (there is no longer any need to strip the VxLAN header first and attach the filter to the vxlan0 interface). Note that the outer "udp dport 4789" match is still what selects VxLAN traffic; the "vxlan" keyword only tells nft how to decode the payload that follows:

      ... udp dport 4789 vxlan ip protocol udp
      ... udp dport 4789 vxlan ip saddr 1.2.3.0/24
      ... udp dport 4789 vxlan ip saddr . vxlan ip daddr { 1.2.3.4 . 4.3.2.1 }
- Automatic merging of the remaining elements of an interval set after partial removal of a range is now implemented. This lets you remove a single element or a sub-range from an existing range (previously only an entire range could be removed). For example, after removing element 25 from a set containing 24-30 and 40-50, the set's elements are 24, 26-30 and 40-50. The kernel fixes needed for auto-merge are to be submitted to the stable maintenance branches of the kernel, 5.10 and later.

      # nft list ruleset
      table ip x {
              set y {
                      typeof tcp dport
                      flags interval
                      auto-merge
                      elements = { 24-30, 40-50 }
              }
      }
- Concatenations and ranges are now allowed in NAT (Network Address Translation) maps, so a single dnat rule can map a destination address and port pair (or range) onto a new address and port:

      table ip nat {
              chain prerouting {
                      type nat hook prerouting priority dstnat; policy accept;
                      dnat to ip daddr . tcp dport map { 10.1.1.136 . 80 : 1.1.2.69 . 1024, 10.1.1.10-10.1.1.20 . 8888-8889 : 1.1.2.69 . 2048-2049 } persistent
              }
      }
- Support is added for the "last" expression, which shows when a rule or set element was last used. The feature requires Linux kernel 5.14 or later.

      table ip x {
              set y {
                      typeof ip daddr . tcp dport
                      size 65535
                      flags dynamic,timeout
                      timeout 1h
              }

              chain z {
                      type filter hook output priority filter; policy accept;
                      update @y { ip daddr . tcp dport }
              }
      }

      # nft list set ip x y
      table ip x {
              set y {
                      typeof ip daddr . tcp dport
                      size 65535
                      flags dynamic,timeout
                      timeout 1h
                      elements = { 172.217.17.14 . 443 last used 1s591ms timeout 1h expires 59m58s409ms,
                                   172.67.69.19 . 443 last used 4s636ms timeout 1h expires 59m55s364ms,
                                   142.250.201.72 . 443 last used 4s748ms timeout 1h expires 59m55s252ms,
                                   172.67.70.134 . 443 last used 4s688ms timeout 1h expires 59m55s312ms,
                                   35.241.9.150 . 443 last used 5s204ms timeout 1h expires 59m54s796ms,
                                   138.201.122.174 . 443 last used 4s537ms timeout 1h expires 59m55s463ms,
                                   34.160.144.191 . 443 last used 5s205ms timeout 1h expires 59m54s795ms,
                                   130.211.23.194 . 443 last used 4s436ms timeout 1h expires 59m55s564ms }
              }
      }
- Quotas can now be defined on set elements. For example, to set a traffic quota per destination IP address you can specify the set below; once an element's counter exceeds the quota, the rule that references the set starts matching (here: dropping) its traffic. The two pings in the example account for the 196 bytes shown as used:

      table netdev x {
              set y {
                      typeof ip daddr
                      size 65535
                      quota over 10000 mbytes
              }

              chain y {
                      type filter hook egress device "eth0" priority filter; policy accept;
                      ip daddr @y drop
              }
      }

      # nft add element netdev x y { 8.8.8.8 }
      # ping -c 2 8.8.8.8
      # nft list ruleset
      table netdev x {
              set y {
                      type ipv4_addr
                      size 65535
                      quota over 10000 mbytes
                      elements = { 8.8.8.8 quota over 10000 mbytes used 196 bytes }
              }

              chain y {
                      type filter hook egress device "eth0" priority filter; policy accept;
                      ip daddr @y drop
              }
      }
- Constants are now allowed in set elements built from concatenations. For example, with a set keyed on an Ethernet address and a VLAN ID, you can specify the VLAN number directly as a literal when updating the set (ether daddr . 123):

      table netdev t {
              set s {
                      typeof ether saddr . vlan id
                      size 2048
                      flags dynamic,timeout
                      timeout 1m
              }

              chain c {
                      type filter hook ingress device eth0 priority 0; policy accept;
                      ether type != 8021q update @s { ether daddr . 123 }
              }
      }
- A new "destroy" command is added for unconditional deletion of objects (unlike the "delete" command, it does not return ENOENT when the object being removed does not exist). It requires at least Linux kernel 6.3-rc:

      destroy table ip filter
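The NAT map item above shows one hand-written map. The following script is an added example, not part of the nftables announcement: it builds the same concatenated dnat map from a plain-text forwarding table (constructed sample data, reusing the announcement's addresses) and checks the result with "nft -c" when nft is installed. The table and chain names and the function names are illustrative.

```sh
#!/bin/sh
# Added example, not from the nftables 1.0.7 announcement: generate a
# concatenated "ip daddr . tcp dport" dnat map from a forwarding table and
# validate it without loading it. Table/chain names are illustrative.

# Constructed sample: match_daddr match_dport target_ip target_port
# Ranges are accepted in the matched address/port and in the target port.
FORWARDS='
10.1.1.136 80 1.1.2.69 1024
10.1.1.10-10.1.1.20 8888-8889 1.1.2.69 2048-2049
'

# Emit one "key : value" map entry per forwarding line, comma separated.
nat_map_entries() {
    printf '%s\n' "$FORWARDS" | awk 'NF == 4 {
        sep = (n++ ? ",\n" : "")
        printf "%s            %s . %s : %s . %s", sep, $1, $2, $3, $4
    } END { printf "\n" }'
}

# Render a complete ruleset; "persistent" keeps each client on one mapping.
nat_ruleset() {
    cat <<EOF
table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        dnat to ip daddr . tcp dport map {
$(nat_map_entries)
        } persistent
    }
}
EOF
}

# Validate with "nft -c -f -" (reads the ruleset from stdin, does not
# commit it). Without nft installed, print the ruleset for review instead.
nat_check() {
    if command -v nft >/dev/null 2>&1; then
        nat_ruleset | nft -c -f -
    else
        nat_ruleset
    fi
}

nat_check
```

"nft -c" still performs a kernel-side dry run of the batch, so run the check with the same privileges you would use to load the ruleset; a syntax or type error in any map entry is reported before anything reaches the live NAT table.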
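The "last" item above prints a "last used" age per element but leaves it to the operator to act on it. The script below is an added example, not code from the announcement: it parses "nft list set" text, converts nft's duration strings (such as 59m58s409ms) to milliseconds and reports the elements not used for at least a given threshold, which is what you need to trim a dynamic set before its timeout fires. The sample input is constructed from the announcement's own listing; the function name and threshold are illustrative.

```sh
#!/bin/sh
# Added example, not part of the nftables 1.0.7 announcement: list elements of
# a dynamic set whose "last used" age is at least THRESHOLD_MS milliseconds.
# Input is the text printed by "nft list set FAMILY TABLE SET" on a kernel
# with the "last" expression (5.14+). Names here are illustrative.

# stale_elements THRESHOLD_MS  (reads nft output on stdin)
# Prints "KEY<TAB>AGE_MS" for each element at least THRESHOLD_MS old.
stale_elements() {
    awk -v threshold="$1" '
    # Convert an nft duration ("1h", "59m58s409ms", "4s636ms") to ms.
    function to_ms(s,    total, tok, num, unit) {
        total = 0
        while (match(s, /[0-9]+[a-z]+/)) {
            tok = substr(s, RSTART, RLENGTH)
            s = substr(s, RSTART + RLENGTH)
            num = tok + 0                       # numeric prefix of the token
            unit = tok; sub(/^[0-9]+/, "", unit)
            if (unit == "d")       total += num * 86400000
            else if (unit == "h")  total += num * 3600000
            else if (unit == "m")  total += num * 60000
            else if (unit == "s")  total += num * 1000
            else if (unit == "ms") total += num
        }
        return total
    }
    match($0, /last used [0-9a-z]+/) {
        age = to_ms(substr($0, RSTART + 10, RLENGTH - 10))
        key = substr($0, 1, RSTART - 2)
        # The first element shares its line with "elements = {".
        sub(/^[ \t]*elements = [{][ \t]*/, "", key)
        sub(/^[ \t]+/, "", key)
        if (age >= threshold) printf "%s\t%d\n", key, age
    }'
}

# Constructed sample, taken from the listing of set "ip x y" in the
# announcement (four of its eight elements).
SAMPLE='table ip x {
	set y {
		typeof ip daddr . tcp dport
		size 65535
		flags dynamic,timeout
		timeout 1h
		elements = { 172.217.17.14 . 443 last used 1s591ms timeout 1h expires 59m58s409ms,
			     172.67.69.19 . 443 last used 4s636ms timeout 1h expires 59m55s364ms,
			     35.241.9.150 . 443 last used 5s204ms timeout 1h expires 59m54s796ms,
			     34.160.144.191 . 443 last used 5s205ms timeout 1h expires 59m54s795ms }
	}
}'

# Live use would be: nft list set ip x y | stale_elements 300000
printf '%s\n' "$SAMPLE" | stale_elements 5000
```

With the 5 s threshold the sample yields the two elements last used 5s204ms and 5s205ms ago; each printed key is in the form nft accepts, so it can be fed straight back into "nft delete element ip x y { KEY }".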
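The "destroy" item above matters most in provisioning scripts, which must tear down a table whether or not it exists. The function below is an added example, not code from the announcement: it uses "destroy" where the kernel accepts it and otherwise emulates it with "list" followed by "delete". The NFT variable is a hook so the logic can be exercised without a kernel; the family and table names are illustrative.

```sh
#!/bin/sh
# Added example, not from the nftables 1.0.7 announcement: remove a table
# without failing when it is already gone. "destroy" (nft 1.0.7 with kernel
# 6.3+) does this in one unconditional command; on older kernels the command
# is rejected, so fall back to "list, then delete". NFT is overridable and
# the family/table names are illustrative.
NFT="${NFT:-nft}"

# destroy_table FAMILY NAME: returns 0 once the table no longer exists.
destroy_table() {
    family=$1
    name=$2

    # Preferred path: unconditional delete, no ENOENT for a missing table.
    if $NFT destroy table "$family" "$name" 2>/dev/null; then
        return 0
    fi

    # Fallback for kernels < 6.3: "delete" returns ENOENT for a missing
    # table, so check first. The check-then-delete window is exactly the
    # race "destroy" removes; tolerate it by accepting a failed delete when
    # the table turns out to be gone anyway.
    if $NFT list table "$family" "$name" >/dev/null 2>&1; then
        $NFT delete table "$family" "$name" 2>/dev/null \
            || ! $NFT list table "$family" "$name" >/dev/null 2>&1
    else
        return 0
    fi
}

# Run only where nft is installed; a no-op when the table is absent.
command -v "$NFT" >/dev/null 2>&1 && destroy_table ip filter
```

On a kernel older than 6.3-rc the first command fails and the fallback runs; on 6.3+ the "destroy" succeeds whether or not "ip filter" exists, which is the behaviour the fallback can only approximate.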
Source: opennet.ru
