Release of the nftables 1.0.0 packet filter

The release of the nftables 1.0.0 packet filter has been published. It unifies the packet-filtering interfaces for IPv4, IPv6, ARP and network bridges (and is intended to replace iptables, ip6tables, arptables and ebtables). The kernel-side changes required for nftables 1.0.0 to work are included in the Linux 5.13 kernel. The major version bump does not reflect any fundamental change; it is simply the result of continuing the sequential decimal numbering (the previous release was 0.9.9).

The nftables package provides the packet-filter components that run in user space, while the kernel side is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel side offers only a generic, protocol-independent interface that provides the basic operations for extracting data from packets, performing operations on that data, and controlling flow.

The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space; that bytecode is then loaded into the kernel over the Netlink interface and executed inside the kernel by a dedicated virtual machine resembling BPF (Berkeley Packet Filters). This approach makes it possible to greatly reduce the amount of filtering code running at the kernel level and to move all the logic for parsing rules and working with protocols into user space.

Main changes:

  • Support for the "*" mask element has been added to set lists; it matches any packet that does not fall under the other elements defined in the set.

        table x {
            map blocklist {
                type ipv4_addr : verdict
                flags interval
                elements = { 192.168.0.0/16 : accept, 10.0.0.0/8 : accept, * : drop }
            }
            chain y {
                type filter hook prerouting priority 0; policy accept;
                ip saddr vmap @blocklist
            }
        }

  • Variables can now be defined from the command line with the "--define" option.

        # cat test.nft
        table netdev x {
            chain y {
                type filter hook ingress devices = $dev priority 0; policy drop;
            }
        }
        # nft --define dev="{ eth0, eth1 }" -f test.nft

  • Stateful expressions (counters) are now allowed in map lists:

        table inet filter {
            map portmap {
                type inet_service : verdict
                counter
                elements = { 22 counter packets 0 bytes 0 : jump ssh_input, * counter packets 0 bytes 0 : drop }
            }
            chain ssh_input { }
            chain wan_input {
                tcp dport vmap @portmap
            }
            chain prerouting {
                type filter hook prerouting priority raw; policy accept;
                iif vmap { "lo" : jump wan_input }
            }
        }

  • The "list hooks" command has been added; it shows the list of handlers registered for the given packet family:

        # nft list hooks ip device eth0
        family ip {
            hook ingress {
                +0000000010 chain netdev x y [nf_tables]
                +0000000300 chain inet m w [nf_tables]
            }
            hook input {
                -0000000100 chain ip a b [nf_tables]
                +0000000300 chain inet m z [nf_tables]
            }
            hook forward {
                -0000000225 selinux_ipv4_forward
                 0000000000 chain ip_tables4
            }
            hook output {
                -0000000225 selinux_ipv4_output
            }
            hook postrouting {
                +0000000225 selinux_ipv4_postroute
            }
        }

  • The queue statement now accepts the jhash, symhash and numgen expressions for distributing packets across user-space queues:

        ... queue to symhash mod 65536
        ... queue flags bypass to numgen inc mod 65536
        ... queue to jhash oif . meta mark mod 32

    "queue" can also be combined with map lists to select the user-space queue based on arbitrary keys:

        ... queue flags bypass to oifname map { "eth0" : 0, "ppp0" : 2, "eth1" : 2 }

  • Variables that contain a set list can now be expanded into several map entries:

        define interfaces = { eth0, eth1 }
        table ip x {
            chain y {
                type filter hook input priority 0; policy accept;
                iifname vmap { lo : accept, $interfaces : drop }
            }
        }
        # nft -f x.nft
        # nft list ruleset
        table ip x {
            chain y {
                type filter hook input priority 0; policy accept;
                iifname vmap { "lo" : accept, "eth0" : drop, "eth1" : drop }
            }
        }

  • Combining vmaps (verdict maps) with intervals is now allowed:

        # nft add rule x y tcp dport . ip saddr vmap { 1025-65535 . 192.168.10.2 : accept }

  • Simplified syntax for NAT maps. Address ranges can be specified:

        ... snat to ip saddr map { 10.141.11.4 : 192.168.2.2-192.168.2.4 }

    or explicit IP addresses and ports:

        ... dnat to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 }

    or explicit IP addresses and ports used as the map key:

        ... dnat to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.2 }

    or combinations of IP ranges and port ranges (the concrete range values of this example did not survive extraction):

        ... dnat to ip saddr . tcp dport map { 10.141.10.5 . 8888 : <address range> . <port range> }
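An added example, not from the announcement or the nftables project, that combines three of the features above (the "*" catch-all, counters inside a verdict map, and a command-line variable) into one default-drop input ruleset; the interface names eth0/eth1 passed via --define and the map and chain names are assumptions made for this example.

```nft
# Added example (not from the announcement or the nftables project): one
# ruleset that combines the "*" catch-all, counters inside a verdict map and
# a command-line variable. Assumptions: interface names eth0/eth1 supplied
# via --define; the map and chain names below are invented for this example.
#
# Syntax check before loading (-c only parses the file, it changes nothing):
#   nft --define wan="{ eth0, eth1 }" -c -f input.nft

table inet filter {
    # IPv4 source policy: the interval elements allow RFC 1918 space and the
    # "*" element catches every other IPv4 address. Packets that are not
    # IPv4 do not match "ip saddr" at all and fall through to the next rule.
    map src_policy {
        type ipv4_addr : verdict
        flags interval
        elements = { 10.0.0.0/8 : accept,
                     192.168.0.0/16 : accept,
                     * : drop }
    }

    # Per-service verdicts with their own counters. The "*" element counts
    # (and drops) connection attempts to every unlisted port, so
    # "nft list map inet filter svc" doubles as a cheap port-probe counter.
    map svc {
        type inet_service : verdict
        counter
        elements = { 22 counter : jump ssh_in,
                     443 counter : accept,
                     * counter : drop }
    }

    chain ssh_in {
        # Rate-limit new SSH connections; everything above the limit is dropped.
        ct state new limit rate 10/minute accept
        drop
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iif lo accept
        ip saddr vmap @src_policy
        # $wan comes from "--define wan=..." on the nft command line.
        iifname $wan tcp dport vmap @svc
    }
}
```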

Source: opennet.ru
