Release of the nftables packet filter 0.9.9

The release of the nftables 0.9.9 packet filter has been published, unifying the packet filtering interfaces for IPv4, IPv6, ARP and network bridges (it is intended to replace iptables, ip6tables, arptables and ebtables). At the same time, the accompanying library libnftnl 1.2.0 was published, providing a low-level API for interacting with the nf_tables subsystem. The changes required for nftables 0.9.9 to work are included in Linux kernel 5.13-rc1.

The nftables package contains the packet filter components that run in user space, while the kernel-side functionality is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel level provides only a generic, protocol-independent interface that offers basic primitives for extracting data from packets, performing operations on that data and controlling the flow of execution.

The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel over the Netlink interface and executed there by a dedicated virtual machine similar to BPF (Berkeley Packet Filters). This approach makes it possible to greatly reduce the amount of filtering code running at the kernel level and to move all rule-parsing functions and protocol-handling logic into user space.

Main changes:

  • Added the ability to offload flow processing to the network adapter, enabled with the 'offload' flag. A flowtable is a mechanism for optimising the packet forwarding path: the full pass through all rule-processing chains is applied only to the first packet of a flow, and all remaining packets of that flow are forwarded directly.

        table ip global {
            flowtable f {
                hook ingress priority filter + 1
                devices = { lan3, lan0, wan }
                flags offload
            }
            chain forward {
                type filter hook forward priority filter; policy accept;
                ip protocol { tcp, udp } flow add @f
            }
            chain post {
                type nat hook postrouting priority filter; policy accept;
                oifname "wan" masquerade
            }
        }
  • Added support for attaching an owner flag to a table to guarantee exclusive use of the table by a single process. When that process terminates, the associated table is deleted automatically. Information about the owning process is shown in the ruleset dump as a comment:

        table ip x { # progname nft
            flags owner

            chain y {
                type filter hook input priority filter; policy accept;
                counter packets 1 bytes 309
            }
        }
  • Added support for IEEE 802.1ad (VLAN stacking, or QinQ), which defines how several VLAN tags can be carried in a single Ethernet frame. For example, to match an outer Ethernet frame of type 8021ad with vlan id=342, you can use the construct:

        ... ether type 8021ad vlan id 342

    To match an outer Ethernet frame of type 8021ad/vlan id=1, a nested 802.1q/vlan id=2 and an IP packet encapsulated inside it:

        ... ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip counter
  • Added support for matching on resources managed with unified control groups v2. The main difference between cgroups v2 and v1 is the use of a single common cgroup hierarchy for all resource types, instead of separate hierarchies for CPU allocation, memory management and I/O. For example, to check whether the socket's ancestor at level 1 of the cgroupv2 hierarchy matches the mask "system.slice", you can use the construct:

        ... socket cgroupv2 level 1 "system.slice"
  • Added the ability to inspect the chunks of SCTP packets (the kernel-side support required for this will appear in Linux 5.14). For example, to check whether a packet contains a chunk of type 'data', and to check that chunk's 'type' field:

        ... sctp chunk data exists
        ... sctp chunk data type 0
  • Loading a ruleset with the "-f" flag has been sped up by roughly a factor of two. Listing the ruleset has also been sped up.
  • A unified syntax for checking whether flag bits are set has been provided. For example, to check that the snat and dnat bits of the conntrack status are not set:

        ... ct status ! snat,dnat

    To check that the syn bit is set within the bitmask syn,ack (i.e. a pure SYN, not a SYN-ACK):

        ... tcp flags syn / syn,ack

    To check that the fin and rst bits are not set within the bitmask syn,ack,fin,rst:

        ... tcp flags != fin,rst / syn,ack,fin,rst
  • The 'verdict' keyword is now allowed in set/map type specifications:

        add map x m { typeof iifname . ip protocol . th dport : verdict ; }
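To make the new "value / mask" flag syntax concrete, here is an added Python evaluator (not from the release notes or the nftables project) that applies the same bit test nft performs, (flags & mask) == value, optionally negated with "!=", to sample TCP flag bytes. Only the explicit mask form is modelled; TCP_FLAGS, parse_match and matches are names chosen for this example.

```python
# Evaluator for the "tcp flags [!=] value / mask" form from nftables 0.9.9.
# Added example; TCP flag bit values are the standard header bits, the helper
# names are this example's own and do not come from nft.
from functools import reduce

TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08,
             "ack": 0x10, "urg": 0x20, "ecn": 0x40, "cwr": 0x80}


def flag_bits(names):
    """Turn a comma-separated list such as 'syn,ack' into one bitmask."""
    return reduce(lambda acc, n: acc | TCP_FLAGS[n.strip()],
                  [n for n in names.split(",") if n.strip()], 0)


def parse_match(expr):
    """Parse 'tcp flags [!=] <value> / <mask>' into (negated, value, mask)."""
    tokens = expr.split()
    if tokens[:2] != ["tcp", "flags"]:
        raise ValueError("only 'tcp flags' matches are handled here")
    rest = tokens[2:]
    negated = False
    if rest and rest[0] == "!=":
        negated = True
        rest = rest[1:]
    spec = "".join(rest)            # tolerate spaces around the '/'
    if "/" not in spec:
        raise ValueError("this evaluator models the explicit mask form only")
    value_s, mask_s = spec.split("/", 1)
    return negated, flag_bits(value_s), flag_bits(mask_s)


def matches(packet_flags, expr):
    """Apply the nft bit test: (flags & mask) == value, negated for '!='."""
    negated, value, mask = parse_match(expr)
    hit = (packet_flags & mask) == value
    return not hit if negated else hit


if __name__ == "__main__":
    # Constructed sample flag bytes: a pure SYN, a SYN-ACK, a bare ACK.
    for name, flags in (("SYN", 0x02), ("SYN-ACK", 0x12), ("ACK", 0x10)):
        print(name, matches(flags, "tcp flags syn / syn,ack"),
              matches(flags, "tcp flags != fin,rst / syn,ack,fin,rst"))
```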

Source: opennet.ru
