Release of the nftables packet filter 1.1.6

The nftables packet filter 1.1.6 has been released. It unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridges (it is intended to replace iptables, ip6tables, arptables and ebtables). The accompanying library libnftnl 1.3.1, which provides a low-level API for interacting with the nf_tables subsystem, was released at the same time.

The nftables package consists of the packet filter components that run in user space, while the kernel-side work is done by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. At the kernel level only a generic, protocol-independent interface is provided; it offers basic functions for extracting data from packets, performing operations on that data, and controlling flow.

The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel through the Netlink interface and executed inside the kernel in a special virtual machine reminiscent of BPF (Berkeley Packet Filters). This approach greatly reduces the amount of filtering code running at the kernel level and moves all rule parsing and protocol logic into user space.

Main changes:

  • Full support for the lightweight tunnel infrastructure, such as vxlan, geneve and erspan. The example as it survives in the source is truncated; the recoverable part is:

        table netdev global {
            tunnel t1 {
                id 10
                ip saddr 192.168.2.10
                ip daddr 192.168.2.11
                sport 1025
                dport 20020
                ttl 1
            }
            tunnel … {
                id 10
                ip saddr 192.168.3.10
                ip daddr 192.168.3.11
                sport 1025
                dport 21021
                ttl …
            }
            …
                tunnel name ip saddr map { 10.141.10.12 : "t1", 10.141.10.13 …

  • Added support for wildcard matching of network interface names in netdev hooks. For example, to add a base chain that filters ingress traffic on all vlan devices, you can define:

        table netdev t {
            chain c {
                type filter hook ingress devices = { "vlan*", "veth0" } priority filter; policy accept;
            }
        }

  • On systems with Linux kernel 6.18 or later, L2 frames can be redirected from the network bridge to the local network stack. For example, to steer all Ethernet frames addressed to the MAC address de:ad:00:00:be:ef into the IP stack, you can specify:

        table bridge global {
            chain pre {
                type filter hook prerouting priority 0; policy accept;
                ether daddr de:ad:00:00:be:ef meta pkttype set host ether daddr set meta ibrhwaddr accept
            }
        }

  • New infrastructure for fuzz testing with afl++ (american fuzzy lop++) instrumentation was added; it is enabled at build time via "./configure --with-fuzzer".
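As an added example (not from the release notes or the nftables project), the shell helper below turns the wildcard netdev ingress chain from the second item into a complete anti-spoofing ruleset, dry-runs it with nft -c and loads it as one transaction with nft -f; the table name antispoof, the interface patterns and the 10.0.0.0/8 prefix are assumptions.

```shell
#!/bin/sh
# Added example, not code from the nftables project: build a complete ruleset
# around the wildcard netdev chain shown above, check it with nft -c, then
# load it atomically. Table name, interface patterns and prefix are assumed.
set -euf   # -f: keep "vlan*" from being glob-expanded against the cwd

# Emit the ruleset. $1: space-separated interface name patterns,
# $2: the internal prefix that must never appear as a source on these devices.
ruleset() {
    devs=""
    for p in $1; do
        devs="${devs:+$devs, }\"$p\""
    done
    # Declaring and flushing the table first makes repeated loads idempotent.
    cat <<EOF
table netdev antispoof
flush table netdev antispoof
table netdev antispoof {
    chain ingress {
        type filter hook ingress devices = { $devs } priority filter; policy accept;
        ip saddr $2 counter drop
        ip saddr 127.0.0.0/8 counter drop
    }
}
EOF
}

# Dry-run the ruleset with nft's check mode; returns 0 (with a notice) when
# nft is not installed so the generator can still be exercised off-box.
check_ruleset() {
    if ! command -v nft >/dev/null 2>&1; then
        echo "nft not installed; skipping check" >&2
        return 0
    fi
    ruleset "$1" "$2" | nft -c -f -
}

# nft -f applies the whole file as one transaction: on any error the kernel
# keeps the previous ruleset, so a bad pattern never leaves a half-loaded table.
load_ruleset() {
    ruleset "$1" "$2" | nft -f -
}

if [ "${1:-}" = "load" ]; then        # usage: sh antispoof.sh load (as root)
    check_ruleset 'vlan* veth0' 10.0.0.0/8 && load_ruleset 'vlan* veth0' 10.0.0.0/8
fi
```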

Source: opennet.ru
