nftables packet filter 0.9.5 released

The release of the nftables 0.9.5 packet filter has been published. nftables is developed as a replacement for iptables, ip6tables, arptables and ebtables, unifying the packet filtering interfaces for IPv4, IPv6, ARP and network bridges. The nftables package contains the user-space components of the packet filter, while the kernel-side work is done by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel changes required for the new features in nftables 0.9.5 are included in Linux kernel 5.7.

At the kernel level only a generic, protocol-independent interface is provided, offering basic primitives for extracting data from packets, operating on that data and controlling the flow of processing. The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space; that bytecode is then loaded into the kernel over the Netlink interface and executed in the kernel by a dedicated virtual machine resembling BPF (Berkeley Packet Filters). This design makes it possible to shrink the amount of filtering code that runs in the kernel considerably and to move all rule parsing and protocol-handling logic into user space.

Main changes:

  • Sets now support packet and byte counters attached to individual elements. Counters are enabled with the "counter" keyword:

    table ip x {
        set y {
            typeof ip saddr
            counter
            elements = { 192.168.10.35, 192.168.10.101, 192.168.10.135 }
        }

        chain z {
            type filter hook output priority filter; policy accept;
            ip daddr @y
        }
    }

  • To set initial counter values, for example to restore previously saved statistics after a reboot, load the ruleset with "nft -f":

    # cat ruleset.nft
    table ip x {
        set y {
            typeof ip saddr
            counter
            elements = { 192.168.10.35 counter packets 1 bytes 84, 192.168.10.101 \
                         counter packets 0 bytes 0, 192.168.10.135 counter packets 0 bytes 0 }
        }

        chain z {
            type filter hook output priority filter; policy accept;
            ip daddr @y
        }
    }
    # nft -f ruleset.nft
    # nft list ruleset
    table ip x {
        set y {
            typeof ip saddr
            counter
            elements = { 192.168.10.35 counter packets 1 bytes 84, 192.168.10.101 \
                         counter packets 0 bytes 0, 192.168.10.135 counter packets 0 bytes 0 }
        }

        chain z {
            type filter hook output priority filter; policy accept;
            ip daddr @y
        }
    }
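    The per-element counter syntax above is what `nft list ruleset` prints and what `nft -f` reads back. As an added example (not part of the release notes or the nftables project), the following Python parses that listing into a table of counters, flags elements that never matched (useful when reviewing an allow-list), and re-emits the `elements = { ... }` line so the counters can be restored after a reboot; the sample listing is constructed from the one on this page.

```python
import re

# Constructed sample: the per-element counter listing that `nft list ruleset`
# prints for a set declared with the "counter" keyword (format as on this page).
SAMPLE_LISTING = r"""
table ip x {
    set y {
        typeof ip saddr
        counter
        elements = { 192.168.10.35 counter packets 1 bytes 84, 192.168.10.101 \
                     counter packets 0 bytes 0, 192.168.10.135 counter packets 0 bytes 0 }
    }
}
"""

# "<element> counter packets <n> bytes <n>"; the element itself is a run of
# non-space characters (an address, prefix or range).
_ELEM_RE = re.compile(r"(\S+)\s+counter\s+packets\s+(\d+)\s+bytes\s+(\d+)")


def parse_element_counters(listing: str) -> dict[str, tuple[int, int]]:
    """Return {element: (packets, bytes)} for every element inside elements = { ... }."""
    # Join backslash-newline continuations first, then extract each brace body.
    joined = re.sub(r"\\\s*\n\s*", " ", listing)
    counters = {}
    for body in re.findall(r"elements\s*=\s*\{([^}]*)\}", joined):
        for elem, pkts, byts in _ELEM_RE.findall(body):
            counters[elem] = (int(pkts), int(byts))
    return counters


def unused_elements(counters: dict[str, tuple[int, int]]) -> list[str]:
    """Elements that never matched a packet: candidates to review in an allow-list."""
    return sorted(e for e, (pkts, _) in counters.items() if pkts == 0)


def render_elements(counters: dict[str, tuple[int, int]]) -> str:
    """Re-emit an elements line carrying the saved counters, in the form `nft -f` accepts."""
    items = [f"{e} counter packets {p} bytes {b}" for e, (p, b) in counters.items()]
    return "elements = { " + ", ".join(items) + " }"


if __name__ == "__main__":
    c = parse_element_counters(SAMPLE_LISTING)
    print(c)
    print("never matched:", unused_elements(c))
    print(render_elements(c))
```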

  • Counter support has also been added to flowtables:

    table ip foo {
        flowtable bar {
            hook ingress priority -100
            devices = { eth0, eth1 }
            counter
        }

        chain forward {
            type filter hook forward priority filter;
            flow add @bar counter
        }
    }

    The counters of offloaded flows can be inspected with the "conntrack -L" command:

    tcp 6 src=192.168.10.2 dst=10.0.1.2 sport=47278 dport=5201 packets=9 bytes=608 src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=47278 packets=8 bytes=428 [OFFLOAD] mark=0 secctx=null use=2
    tcp 6 src=192.168.10.2 dst=10.0.1.2 sport=47280 dport=5201 packets=1005763 bytes=44075714753 src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=47280 packets=967505 bytes=50310268 [OFFLOAD] mark=0 secctx=null use=2

  • In sets with concatenations (concatenation: fixed combinations of addresses and ports that simplify matching) the "typeof" directive can now be used to declare the data type of the set elements:

    table ip foo {
        set whitelist {
            typeof ip saddr . tcp dport
            elements = { 192.168.10.35 . 80, 192.168.10.101 . 80 }
        }

        chain bar {
            type filter hook prerouting priority filter; policy drop;
            ip saddr . tcp dport @whitelist accept
        }
    }

  • The typeof directive now also works with concatenations in maps:

    table ip foo {
        map addr2mark {
            typeof ip saddr . tcp dport : meta mark
            elements = { 192.168.10.35 . 80 : 0x00000001,
                         192.168.10.135 . 80 : 0x00000002 }
        }

        chain bar {
            type filter hook prerouting priority filter; policy drop;
            meta mark set ip daddr . tcp dport map @addr2mark accept
        }
    }

  • Support has been added for concatenating ranges in anonymous (unnamed) sets:

    # nft add rule inet filter input ip daddr . tcp dport \
        { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept

  • Packets carrying 802.1q (VLAN) tags can now be rejected when processing frames on a network bridge:

    # nft add rule bridge foo bar ether type vlan reject with tcp reset

  • Support has been added for matching on the connection tracking identifier (conntrack ID). The conntrack ID of an entry can be obtained with the "--output id" option:

    # conntrack -L --output id
    udp 17 18 src=192.168.2.118 dst=192.168.2.1 sport=36424 dport=53 packets=2 \
        bytes=122 src=192.168.2.1 dst=192.168.2.118 sport=53 dport=36424 packets=2 bytes=320 \
        [ASSURED] mark=0 use=1 id=2779986232

    # nft add rule foo bar ct id 2779986232 counter
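    Both the flowtable counter listing in the earlier item and the "--output id" listing here are plain `conntrack -L` text. As an added example (not part of the release notes or the nftables project), the following Python parses that format into structured entries, totals the traffic accounted by offloaded flows, and builds the per-connection "ct id ... counter" rule shown on this page; the sample lines are constructed from the ones on the page, and the table and chain names "foo" and "bar" follow the page's example.

```python
import re

# Constructed sample in the `conntrack -L` format shown on this page: one flow
# offloaded to a flowtable ([OFFLOAD]) and one UDP entry listed with --output id.
SAMPLE_CONNTRACK = """\
tcp 6 src=192.168.10.2 dst=10.0.1.2 sport=47278 dport=5201 packets=9 bytes=608 src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=47278 packets=8 bytes=428 [OFFLOAD] mark=0 secctx=null use=2
udp 17 18 src=192.168.2.118 dst=192.168.2.1 sport=36424 dport=53 packets=2 bytes=122 src=192.168.2.1 dst=192.168.2.118 sport=53 dport=36424 packets=2 bytes=320 [ASSURED] mark=0 use=1 id=2779986232
"""

# Keys that appear once per direction: the first occurrence belongs to the
# original direction, the second to the reply direction.
_PER_DIRECTION = ("src", "dst", "sport", "dport", "packets", "bytes")


def parse_conntrack(text: str) -> list[dict]:
    """Parse `conntrack -L` lines into dicts with orig/reply tuples, flags and scalar fields."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        # tokens[0] is the protocol name; numeric header fields (protocol number,
        # timeout) carry no '=' and are skipped here.
        entry = {"proto": tokens[0], "orig": {}, "reply": {}, "flags": []}
        for tok in tokens[1:]:
            if tok.startswith("[") and tok.endswith("]"):
                entry["flags"].append(tok[1:-1])
            elif "=" in tok:
                key, val = tok.split("=", 1)
                val = int(val) if val.isdigit() else val
                if key in _PER_DIRECTION:
                    side = "orig" if key not in entry["orig"] else "reply"
                    entry[side][key] = val
                else:
                    entry[key] = val
        entries.append(entry)
    return entries


def offloaded_bytes(entries: list[dict]) -> int:
    """Total bytes in both directions accounted by flowtable-offloaded flows."""
    return sum(e["orig"]["bytes"] + e["reply"]["bytes"]
               for e in entries if "OFFLOAD" in e["flags"])


def ct_id_counter_rule(entry: dict, table: str = "foo", chain: str = "bar") -> str:
    """Build the per-connection counting rule from this page for one conntrack entry."""
    return f"nft add rule {table} {chain} ct id {entry['id']} counter"
```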

Source: opennet.ru
