Release of the nftables packet filter 1.0.1

The release of the packet filter nftables 1.0.1 has been published. It unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridges (and is intended to replace iptables, ip6tables, arptables and ebtables). The changes required for nftables 1.0.1 to work are included in the Linux 5.16-rc1 kernel.

The nftables package contains the user-space components of the packet filter, while the kernel-side work is done by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel side only provides a generic, protocol-independent interface with basic operations for extracting data from packets, operating on that data, and controlling flow.

The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel over the Netlink interface and executed there in a special virtual machine resembling BPF (Berkeley Packet Filters). This approach makes it possible to greatly reduce the amount of filtering code running at the kernel level and to move all rule parsing and protocol-handling logic into user space.

Main changes:

  • Reduced memory consumption when loading large sets and lists of maps.
  • Reloading of map lists has been sped up.
  • Output of selected tables and chains from large rule sets is faster. For example, the execution time of the "nft list ruleset" command to print a rule set of 100 thousand lines is 3.049 seconds, and when printing only the nat and filter tables ("nft list table nat", "nft list table filter") it dropped to 1.969 and 0.697 seconds.
  • Queries with the "--terse" option have been sped up when working with rules that carry a large list of maps.
  • Added the ability to filter traffic in the "egress" chain, which is processed at the level of the egress handler in the netdev chain (egress hook), i.e. at the stage when the driver receives a packet from the kernel network stack. Example:

        table netdev filter {
            chain egress {
                type filter hook egress devices = { eth0, eth1 } priority 0;
                meta priority set ip saddr map { 192.168.10.2 : abcd:2, 192.168.10.3 : abcd:3 }
            }
        }

  • Matching and modifying bytes in the packet header and payload at a given offset is now allowed:

        # nft add rule x y @ih,32,32 0x14000000 counter
        # nft add rule x y @ih,32,32 set 0x14000000 counter
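To make the @base,offset,length notation in the rules above concrete, here is an added example (not from the release notes or the nftables project) that locates the ll/nh/th/ih bases in a constructed Ethernet/IPv4/UDP frame and extracts or rewrites the bit field the way the raw payload expression @ih,32,32 does. The frame, ports and payload are constructed for illustration, and checksums are not recomputed.

```python
import struct

def build_frame(payload: bytes) -> bytes:
    """Constructed Ethernet + IPv4 + UDP frame (not a capture); checksums left 0."""
    eth = bytes.fromhex("001122334455" "66778899aabb") + b"\x08\x00"
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     bytes([192, 168, 10, 2]), bytes([192, 168, 10, 3]))
    udp = struct.pack("!HHHH", 12345, 4789, udp_len, 0)
    return eth + ip + udp + payload

def base_offset(frame: bytes, base: str) -> int:
    """Byte offset of the header base used by @base,offset,length.
    Assumes Ethernet + IPv4 + UDP/TCP, which is enough for this illustration."""
    nh = 14                                   # ll: link layer starts at byte 0
    th = nh + (frame[nh] & 0x0F) * 4          # IHL is counted in 32-bit words
    proto = frame[nh + 9]
    if proto == 17:                           # UDP: fixed 8-byte header
        ih = th + 8
    elif proto == 6:                          # TCP: data offset in 32-bit words
        ih = th + (frame[th + 12] >> 4) * 4
    else:
        raise ValueError("unsupported transport protocol %d" % proto)
    return {"ll": 0, "nh": nh, "th": th, "ih": ih}[base]

def raw_payload_get(frame: bytes, base: str, offset_bits: int, length_bits: int) -> int:
    """Value that `@base,offset,length` is compared against (big-endian bit field)."""
    data = frame[base_offset(frame, base):]
    total_bits = len(data) * 8
    if offset_bits + length_bits > total_bits:
        raise ValueError("expression reads past the end of the packet")
    shift = total_bits - offset_bits - length_bits
    return (int.from_bytes(data, "big") >> shift) & ((1 << length_bits) - 1)

def raw_payload_set(frame, base, offset_bits, length_bits, new_value) -> bytes:
    """Frame after `@base,offset,length set new_value` (no checksum fix-up here)."""
    start = base_offset(frame, base)
    data = frame[start:]
    total_bits = len(data) * 8
    mask = (1 << length_bits) - 1
    shift = total_bits - offset_bits - length_bits
    value = int.from_bytes(data, "big")
    value = (value & ~(mask << shift)) | ((new_value & mask) << shift)
    return frame[:start] + value.to_bytes(len(data), "big")

def rule_matches(frame, base, offset_bits, length_bits, expected) -> bool:
    """Match part of `nft add rule x y @base,offset,length expected counter`."""
    return raw_payload_get(frame, base, offset_bits, length_bits) == expected

if __name__ == "__main__":
    pkt = build_frame(bytes.fromhex("deadbeef14000000cafe"))  # constructed payload
    print(rule_matches(pkt, "ih", 32, 32, 0x14000000))         # True
    print(hex(raw_payload_get(pkt, "th", 16, 16)))             # 0x12b5 (dst port 4789)
```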

Source: opennet.ru
