Release of the nftables packet filter 1.0.7

The release of the nftables packet filter 1.0.7 has been published. It unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridges and is intended to replace iptables, ip6tables, arptables and ebtables. The nftables package contains the packet filter components that run in user space, while the kernel side is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel level offers only a generic, protocol-independent interface that supplies the basic operations of extracting data from packets, performing operations on that data, and controlling the flow of processing.

Filtering rules and protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel through the Netlink interface and executed there in a special virtual machine reminiscent of BPF (Berkeley Packet Filters). This approach greatly reduces the amount of filtering code that runs at the kernel level and moves all rule parsing and protocol-handling logic into user space.

Main changes:

  • On systems running Linux kernel 6.2 or later, support for vxlan, geneve, gre and gretap protocol mappings has been added, so that simple expressions can match the headers of encapsulated packets. For example, to check the IP address in the header of a packet nested inside VxLAN, rules of the following form can now be used (without first having to strip the VxLAN header and attach the filter to the vxlan0 interface):

```
... udp dport 4789 vxlan ip protocol udp ...
... udp dport 4789 vxlan ip saddr 1.2.3.0/24 ...
... udp dport 4789 vxlan ip saddr . vxlan ip daddr { 1.2.3.4 . 4.3.2.1 }
```
  • Support for automatic merging of the remainder after deleting part of an element from an interval set, which allows an element or a part of an existing range to be deleted (previously only a whole range could be deleted). For example, after element 25 is removed from a set holding the ranges 24-30 and 40-50, the set will contain 24, 26-30 and 40-50. The kernel-side fixes needed for auto-merge to work will be offered in maintenance releases of the stable 5.10+ kernel branches.

```
# nft list ruleset
table ip x {
    set y {
        typeof tcp dport
        flags interval
        auto-merge
        elements = { 24-30, 40-50 }
    }
}
table ip x {
    set y {
        typeof tcp dport
        flags interval
        auto-merge
        elements = { 25, 24-26, 30-40 }
    }
}
```
  • Concatenations and ranges are now allowed when performing address translation (NAT):

```
table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        dnat to ip daddr . tcp dport map { 10.1.1.136 . 80 : 1.1.2.69 . 1024, 10.1.1.10-10.1.1.20 . 8888-8889 : 1.1.2.69 . 2048-2049 } persistent
    }
}
```
  • Support has been added for the "last" expression, which reports when a rule or set element was last used. The expression is supported starting with Linux kernel 5.14:

```
table ip x {
    set y {
        typeof ip daddr . tcp dport
        size 65535
        flags dynamic,timeout
        timeout 1h
    }
    chain z {
        type filter hook output priority filter; policy accept;
        update @y { ip daddr . tcp dport }
    }
}
# nft list set ip x y
table ip x {
    set y {
        typeof ip daddr . tcp dport
        size 65535
        flags dynamic,timeout
        timeout 1h
        elements = { 172.217.17.14 . 443 last used 1s591ms timeout 1h expires 59m58s409ms,
                     172.67.69.19 . 443 last used 4s636ms timeout 1h expires 59m55s364ms,
                     142.250.201.72 . 443 last used 4s748ms timeout 1h expires 59m55s252ms,
                     172.67.70.134 . 443 last used 4s688ms timeout 1h expires 59m55s312ms,
                     35.241.9.150 . 443 last used 5s204ms timeout 1h expires 59m54s796ms,
                     138.201.122.174 . 443 last used 4s537ms timeout 1h expires 59m55s463ms,
                     34.160.144.191 . 443 last used 5s205ms timeout 1h expires 59m54s795ms,
                     130.211.23.194 . 443 last used 4s436ms timeout 1h expires 59m55s564ms }
    }
}
```
  • The ability to define quotas for set elements has been added. For example, to set a traffic quota per destination IP address, you can specify:

```
table netdev x {
    set y {
        typeof ip daddr
        size 65535
        quota over 10000 mbytes
    }
    chain y {
        type filter hook egress device "eth0" priority filter; policy accept;
        ip daddr @y drop
    }
}
# nft add element netdev x y { 8.8.8.8 }
# ping -c 2 8.8.8.8
# nft list ruleset
table netdev x {
    set y {
        type ipv4_addr
        size 65535
        quota over 10000 mbytes
        elements = { 8.8.8.8 quota over 10000 mbytes used 196 bytes }
    }
    chain y {
        type filter hook egress device "eth0" priority filter; policy accept;
        ip daddr @y drop
    }
}
```
  • Constants may now be used in set lookups. For example, when the destination address and the VLAN ID form the set key, the VLAN number can be given directly (daddr . 123):

```
table netdev t {
    set s {
        typeof ether saddr . vlan id
        size 2048
        flags dynamic,timeout
        timeout 1m
    }
    chain c {
        type filter hook ingress device eth0 priority 0; policy accept;
        ether type != 8021q update @s { ether daddr . 123 }
    }
}
```
  • A new "destroy" command has been added for deleting objects unconditionally (unlike the "delete" command, it does not return ENOENT when the object to delete is missing). It requires at least Linux kernel 6.3-rc to work:

```
# nft destroy table ip filter
```
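As an added example (not code from nftables or from the original article), this Python models the interval-set behaviour described in the auto-merge item above: adding elements merges overlapping or adjacent ranges, and deleting a sub-range splits the range that contains it, so deleting 25 from { 24-30, 40-50 } leaves { 24, 26-30, 40-50 }. It also mirrors the delete-versus-destroy distinction by treating deletion of a missing element as an error. All set and element values are constructed for the example.

```python
from typing import List, Tuple
Range = Tuple[int, int]  # closed integer range; a single element is (v, v)

def parse_element(text: str) -> Range:
    """Parse an nft-style interval element such as '25' or '24-30'."""
    parts = text.strip().split("-", 1)
    lo, hi = int(parts[0]), int(parts[-1])
    if lo > hi:
        raise ValueError(f"invalid range {text!r}")
    return lo, hi

def format_elements(ranges: List[Range]) -> str:
    """Render ranges the way 'nft list set' prints interval elements."""
    return ", ".join(str(lo) if lo == hi else f"{lo}-{hi}" for lo, hi in ranges)

def auto_merge(ranges: List[Range]) -> List[Range]:
    """Merge overlapping or adjacent ranges, as the auto-merge flag does."""
    merged: List[Range] = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged

def add_elements(ranges: List[Range], elements: str) -> List[Range]:
    """Model 'nft add element <set> { elements }' on an auto-merge set."""
    return auto_merge(ranges + [parse_element(e) for e in elements.split(",")])

def delete_element(ranges: List[Range], element: str) -> List[Range]:
    """Model 'nft delete element <set> { element }': remove the sub-range,
    splitting the enclosing range when needed. As with nft's delete (but not
    destroy), removing something that is not in the set is an error."""
    dlo, dhi = parse_element(element)
    out: List[Range] = []
    hit = False
    for lo, hi in ranges:
        if dhi < lo or dlo > hi:  # no overlap: keep the range untouched
            out.append((lo, hi))
            continue
        hit = True
        if lo < dlo:              # keep the part before the deleted sub-range
            out.append((lo, dlo - 1))
        if hi > dhi:              # keep the part after the deleted sub-range
            out.append((dhi + 1, hi))
    if not hit:
        raise KeyError(f"element {element!r} not in set (nft would report ENOENT)")
    return out
```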

Source: opennet.ru
