Release of the nftables packet filter 1.0.2

The nftables 1.0.2 packet filter has been released. It unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridges (and is intended to replace iptables, ip6tables, arptables and ebtables). The kernel-side changes required for the nftables 1.0.2 release to work are included in Linux kernel 5.17-rc.

The nftables package contains the packet filter components that run in user space, while the kernel-level work is done by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel side only provides a generic, protocol-independent interface offering the basic primitives for extracting data from packets, performing operations on that data and controlling the flow of evaluation.

The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space; that bytecode is then loaded into the kernel over the Netlink interface and executed inside the kernel by a dedicated virtual machine resembling BPF (Berkeley Packet Filter). This approach makes it possible to greatly reduce the amount of filtering code running at the kernel level and to move all rule parsing and protocol-handling logic into user space.

Main changes:

  • A rule optimization mode has been added, enabled with the new "-o" ("--optimize") option. It can be combined with the "--check" option to check and optimize the changes in a rule file without loading them into the kernel. The optimizer merges similar rules; for example, the rules:

      meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
      meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.5 accept
      ip saddr 1.1.1.1 ip daddr 2.2.2.2 accept
      ip saddr 2.2.2.2 ip daddr 3.3.3.3 drop

    will be merged into:

      meta iifname . ip saddr . ip daddr { eth1 . 1.1.1.1 . 2.2.2.3, eth1 . 1.1.1.2 . 2.2.2.5 } accept
      ip saddr . ip daddr vmap { 1.1.1.1 . 2.2.2.2 : accept, 2.2.2.2 . 3.3.3.3 : drop }

    Usage example:

      # nft -c -o -f ruleset.test
      Merging:
      ruleset.nft:16:3-37:    ip daddr 192.168.0.1 counter accept
      ruleset.nft:17:3-37:    ip daddr 192.168.0.2 counter accept
      ruleset.nft:18:3-37:    ip daddr 192.168.0.3

  • Set declarations can now specify ip and tcp options, as well as sctp chunks, as the element type:

      set s5 { typeof ip option ra value elements = { 1, 1024 } }
      set s7 { typeof sctp chunk init num-inbound-streams elements = { 1, 4 } }
      chain c5 { ip option ra value @s5 accept }
      chain c7 { sctp chunk init num-inbound-streams @s7 accept }

  • Added support for the TCP options fastopen, md5sig and mptcp.
  • Added support for using the MPTCP subtype in maps: tcp option mptcp subtype 1
  • Improved filtering code on the kernel side.
  • Flowtables now have full JSON support.
  • The "reject" verdict can now be used in expressions that match on Ethernet frame fields: ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject
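To make concrete what the "-o" merging step does, the following is an added example written for this page (it is not nftables' own optimizer and not code from the project): a small Python model of the folding shown above. Consecutive rules with the same selector list are folded into one rule over an anonymous concatenated set when they share a verdict, or into a vmap when they do not. It parses only the "selector value ... verdict" subset of rule syntax used above (rules carrying extra statements such as "counter" are deliberately rejected), and its refusal to fold rules whose keys collide is this model's own conservative choice, not a description of how nft resolves such cases.

```python
"""Model of the rule merging that nft's -o/--optimize performs on the page's example.

Added example, not nftables' own code. It covers one case only: consecutive rules
matching on the same selectors are folded into one rule over an anonymous
concatenated set (same verdict) or a vmap (different verdicts)."""
from dataclasses import dataclass
from typing import List, Tuple

# The four rules from the page, as constructed input.
PAGE_RULESET = [
    "meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept",
    "meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.5 accept",
    "ip saddr 1.1.1.1 ip daddr 2.2.2.2 accept",
    "ip saddr 2.2.2.2 ip daddr 3.3.3.3 drop",
]

# Selector families this toy parser understands (assumption: two-word selectors).
SELECTOR_PREFIXES = ("meta", "ip", "ip6", "ether", "tcp", "udp")


@dataclass(frozen=True)
class Rule:
    matches: Tuple[Tuple[str, str], ...]  # ((selector, value), ...) in rule order
    verdict: str                           # accept / drop / reject / ...

    @property
    def selectors(self) -> Tuple[str, ...]:
        return tuple(k for k, _ in self.matches)

    @property
    def key(self) -> str:
        """Element key as it would appear inside a concatenated set."""
        return " . ".join(v for _, v in self.matches)

    def render(self) -> str:
        return " ".join(f"{k} {v}" for k, v in self.matches) + f" {self.verdict}"


def parse_rule(text: str) -> Rule:
    """Parse 'selector value [selector value ...] verdict' (the subset the page uses).

    Rules with extra statements such as 'counter' are rejected: how the real
    optimizer carries stateful statements into merged rules is out of scope here."""
    toks = text.split()
    if len(toks) < 4 or (len(toks) - 1) % 3 != 0:
        raise ValueError(f"unsupported rule: {text!r}")
    matches = []
    for i in range(0, len(toks) - 1, 3):
        if toks[i] not in SELECTOR_PREFIXES:
            raise ValueError(f"unsupported token {toks[i]!r} in {text!r}")
        matches.append((f"{toks[i]} {toks[i + 1]}", toks[i + 2]))
    return Rule(tuple(matches), toks[-1])


def fold(group: List[Rule]) -> List[str]:
    """Fold a run of rules sharing the same selectors into one rule.

    Set and vmap elements must be unique, and in a chain the first matching rule
    wins, so a run whose keys repeat is left unfolded rather than silently
    changing which verdict applies (this model's conservative choice)."""
    keys = [r.key for r in group]
    if len(set(keys)) != len(keys):
        return [r.render() for r in group]
    selector = " . ".join(group[0].selectors)
    verdicts = {r.verdict for r in group}
    if len(verdicts) == 1:
        return [f"{selector} {{ {', '.join(keys)} }} {group[0].verdict}"]
    pairs = ", ".join(f"{r.key} : {r.verdict}" for r in group)
    return [f"{selector} vmap {{ {pairs} }}"]


def optimize(lines: List[str]) -> List[str]:
    """Merge consecutive rules with identical selector lists; order across groups
    is preserved so chain semantics are unchanged."""
    rules = [parse_rule(line) for line in lines]
    out: List[str] = []
    i = 0
    while i < len(rules):
        j = i + 1
        while j < len(rules) and rules[j].selectors == rules[i].selectors:
            j += 1
        group = rules[i:j]
        out.extend(fold(group) if len(group) > 1 else [group[0].render()])
        i = j
    return out


if __name__ == "__main__":
    for line in optimize(PAGE_RULESET):
        print(line)
```

Running the block prints the two merged rules exactly as the release notes show them. The collision check is the part worth keeping in mind when reviewing "-o" output for real: a verdict map can hold each key once, so two rules with the same match values and different verdicts cannot be folded without changing which one wins.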

Source: opennet.ru
