nftables packet filter 0.9.4 released

The nftables packet filter 0.9.4 has been released. nftables is developed as a replacement for iptables, ip6tables, arptables and ebtables, unifying the packet-filtering interfaces for IPv4, IPv6, ARP and network bridges. The nftables package contains the user-space components of the packet filter, while the kernel side is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel changes needed for nftables 0.9.4 to work are included in the upcoming Linux 5.6 branch.

At the kernel level, only a generic, protocol-independent engine is provided; it offers the basic operations for extracting data from packets, performing operations on that data and controlling flow. The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel over the Netlink interface and executed inside the kernel by a dedicated virtual machine resembling BPF (Berkeley Packet Filters). This approach greatly reduces the amount of filtering code that runs at kernel level and moves all rule-parsing logic and protocol handling into user space.

Main changes:

  • Support for ranges in concatenations (a concatenation combines, for example, addresses and ports into a single key, which simplifies matching). For instance, for a "whitelist" set whose elements are concatenations, specifying the "interval" flag indicates that the set may contain ranges inside the concatenation: for the concatenation "ipv4_addr . ipv4_addr . inet_service" it was previously only possible to list explicit elements such as "192.168.10.35 . 192.68.11.123 . 80", whereas now address ranges such as "192.168.10.35-192.168.10.40" can be specified.

    table ip foo {
        set whitelist {
            type ipv4_addr . ipv4_addr . inet_service
            flags interval
            elements = { 192.168.10.35-192.168.10.40 . 192.68.11.123-192.168.11.125 . 80 }
        }

        chain bar {
            type filter hook prerouting priority filter; policy drop;
            ip saddr . ip daddr . tcp dport @whitelist accept
        }
    }

  • In set and map definitions, the "typeof" directive can now be used; it derives the element type from the expression the set or map will be matched against, instead of requiring an explicit "type" declaration.
    For example:

    table ip foo {
        set whitelist {
            typeof ip saddr
            elements = { 192.168.10.35, 192.168.10.101, 192.168.10.135 }
        }

        chain bar {
            type filter hook prerouting priority filter; policy drop;
            ip daddr @whitelist accept
        }
    }

    table ip foo {
        map addr2mark {
            typeof ip saddr : meta mark
            elements = { 192.168.10.35 : 0x00000001, 192.168.10.135 : 0x00000002 }
        }
    }

  • Added the ability to use concatenations in NAT mappings, which lets you specify both the address and the port when defining NAT translations based on maps or named sets:

    nft add rule ip nat pre dnat ip addr . port to ip saddr map { 1.1.1.1 : 2.2.2.2 . 30 }

    nft add map ip nat destinations { type ipv4_addr . inet_service : ipv4_addr . inet_service\; }
    nft add rule ip nat pre dnat ip addr . port to ip saddr . tcp dport map @destinations
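To make the matching semantics of the three features above concrete (concatenated interval sets, "typeof" maps, and concatenated NAT maps), here is a small user-space model written for this article; it is not code from the nftables project. Each dot-separated component of a set or map element is a singleton or an inclusive range, and a key matches only when every component falls inside its range. The whitelist and addr2mark elements are taken from the examples above; the @destinations entry is constructed sample data, since the article shows only that map's type.

```python
import re
import ipaddress

# Added example, not part of the nftables release or the article: a
# user-space model of how a concatenated set or map with "flags interval"
# matches a key. Values not taken from the article are constructed.

_SEP = re.compile(r"\s+\.\s+")  # the " . " between concatenation components


def _scalar(text):
    """Convert one scalar (port, mark, or IPv4/IPv6 address) to an int."""
    text = text.strip()
    try:
        return int(text, 0)                      # "80", "0x00000002", "30"
    except ValueError:
        return int(ipaddress.ip_address(text))   # addresses compare as integers


def _component(text):
    """'lo-hi' -> (lo, hi); a singleton value -> (v, v)."""
    if "-" in text:
        lo, hi = text.split("-", 1)
        return _scalar(lo), _scalar(hi)
    v = _scalar(text)
    return v, v


def parse_element(element):
    """'a . b-c . d' -> [(a, a), (b, c), (d, d)]."""
    return [_component(c) for c in _SEP.split(element.strip())]


def parse_key(key):
    """A packet key such as 'saddr . daddr . dport' -> list of ints."""
    return [_scalar(c) for c in _SEP.split(key.strip())]


def _matches(ranges, values):
    if len(ranges) != len(values):
        raise ValueError("key arity does not match the set/map type")
    return all(lo <= v <= hi for v, (lo, hi) in zip(values, ranges))


def _reject_ranges(parsed, what):
    # Without "flags interval" nft rejects range elements; mirror that check.
    for ranges in parsed:
        if any(lo != hi for lo, hi in ranges):
            raise ValueError(f"range {what} without 'flags interval'")


class ConcatSet:
    """Model of a named set whose type is a concatenation."""

    def __init__(self, elements, interval=False):
        self.elements = [parse_element(e) for e in elements]
        if not interval:
            _reject_ranges(self.elements, "element in a set")

    def contains(self, key):
        values = parse_key(key)
        return any(_matches(r, values) for r in self.elements)


class ConcatMap:
    """Model of a map: concatenation key -> value (a mark, or 'addr . port')."""

    def __init__(self, elements, interval=False):
        self.entries = [(parse_element(k), v) for k, v in elements.items()]
        if not interval:
            _reject_ranges([r for r, _ in self.entries], "key in a map")

    def lookup(self, key):
        values = parse_key(key)
        for ranges, value in self.entries:
            if _matches(ranges, values):
                return value
        return None  # no entry: the rule using the map does not match


# The whitelist set from the article: ipv4_addr . ipv4_addr . inet_service,
# flags interval, keyed by "ip saddr . ip daddr . tcp dport".
WHITELIST = ConcatSet(
    ["192.168.10.35-192.168.10.40 . 192.68.11.123-192.168.11.125 . 80"],
    interval=True,
)

# The addr2mark map from the article: typeof ip saddr : meta mark.
ADDR2MARK = ConcatMap({"192.168.10.35": "0x00000001",
                       "192.168.10.135": "0x00000002"})

# Shaped like the article's @destinations map (ipv4_addr . inet_service :
# ipv4_addr . inet_service); this entry is constructed sample data.
DESTINATIONS = ConcatMap({"203.0.113.7 . 8080": "192.0.2.10 . 80"})


if __name__ == "__main__":
    print(WHITELIST.contains("192.168.10.37 . 192.68.11.124 . 80"))   # True
    print(WHITELIST.contains("192.168.10.41 . 192.68.11.124 . 80"))   # False
    print(ADDR2MARK.lookup("192.168.10.135"))                         # 0x00000002
    print(DESTINATIONS.lookup("203.0.113.7 . 8080"))                  # 192.0.2.10 . 80
```

The model also reproduces the failure mode a practitioner hits most often: constructing a set or map that contains a range without `interval=True` raises, just as nft refuses a range element in a set declared without "flags interval".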

  • Support for hardware acceleration of filtering by offloading some operations to the network card. Acceleration is enabled with ethtool ("ethtool -K eth0 hw-tc-offload on"), after which it is turned on in nftables for a base chain using the "offload" flag. With Linux 5.6, hardware acceleration is supported for matching header fields and checking the incoming interface, combined with accepting, dropping, duplicating (dup) and forwarding (fwd) packets. In the example below, packets from the address 192.168.30.20 are dropped at the network-card level without being passed to the kernel:

    # cat file.nft
    table netdev x {
        chain y {
            type filter hook ingress device eth0 priority 10; flags offload;
            ip saddr 192.168.30.20 drop
        }
    }
    # nft -f file.nft

  • Improved reporting of the location of errors in rules:

    # nft delete rule ip yz handle 7
    Error: Could not process rule: No such file or directory
    delete rule ip yz handle 7
                   ^^

    # nft delete rule ip xx handle 7
    Error: Could not process rule: No such file or directory
    delete rule ip xx handle 7
                             ^

    # nft delete table twst
    Error: No such file or directory; did you mean table 'test' in family ip?
    delete table twst
                 ^^^^

    The first example shows that the table 'yz' does not exist on the system, the second shows that handle '7' is missing, and the third points at a typo in the table name.

  • Added support for matching the slave interface by specifying "meta sdif" or "meta sdifname":

    ... meta sdifname vrf1 ...

  • Added support for left and right shift operations. For example, to shift the packet's existing mark left by 1 bit and set the low bit to 1:

    ... meta mark set meta mark lshift 1 or 0x1 ...

  • Added the "-V" option for displaying extended version information:

    # nft -V
    nftables v0.9.4 (Jive at Five)
      cli:          readline
      json:         yes
      minigmp:      no
      libxtables:   yes

  • Command-line options must now be specified before the command. For example, you must write "nft -a list ruleset"; using "nft list ruleset -a" now produces an error.

    Source: opennet.ru
