nftables 1.0.3, a packet filter that unifies the packet-filtering interfaces for IPv4, IPv6, ARP and network bridges (it is intended to replace iptables, ip6tables, arptables and ebtables), has been released. The kernel-side changes needed by nftables 1.0.3 are included in Linux 5.18.
The nftables package contains the user-space components of the packet filter, while the kernel-side work is done by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel level provides only a generic, protocol-independent interface with primitives for extracting data from packets, operating on that data and controlling flow.
The filtering rules themselves and the protocol-specific handlers are compiled to bytecode in user space; that bytecode is then loaded into the kernel through the Netlink interface and executed in the kernel by a dedicated virtual machine reminiscent of BPF (Berkeley Packet Filters). This approach greatly reduces the amount of filtering code running at the kernel level and moves all rule parsing and protocol logic into user space.
Main changes:
- Sets now support matching network interface names by mask, for example with a trailing "*" wildcard. As in the example, the set is declared with type ifname and flags interval:

    table inet testifsets {
        set simple_wild {
            type ifname
            flags interval
            elements = { "abcdef*", "othername", "ppp0" }
        }

        chain v4icmp {
            type filter hook input priority 0; policy accept;
            iifname @simple_wild counter packets 0 bytes 0
            iifname { "abcdef*", "eth0" } counter packets 0 bytes 0
        }
    }
- Overlapping (or, as the example shows, adjacent) elements of an interval set are now merged automatically at runtime as well. Previously, with the "auto-merge" option set, merging only happened when the ruleset was declared; now it also works when new elements are added incrementally while the ruleset is loaded. For example, at declaration time the set

    set y {
        flags interval
        auto-merge
        elements = { 1.2.3.0, 1.2.3.255, 1.2.3.0/24, 3.3.3.3, 4.4.4.4, 4.4.4.4-4.4.4.8, 3.3.3.4, 3.3.3.5 }
    }

is reduced to

    elements = { 1.2.3.0/24, 3.3.3.3-3.3.3.5, 4.4.4.4-4.4.4.8 }

and if new elements are then added with

    # nft add element ip x y { 1.2.3.0-1.2.4.255, 3.3.3.6 }

the set becomes

    elements = { 1.2.3.0-1.2.4.255, 3.3.3.3-3.3.3.6, 4.4.4.4-4.4.4.8 }

When an individual element that falls inside an existing range element is deleted from such a set, the range is shortened or split.
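As an added illustration (not code from the nftables project), the following Python models the interval-set bookkeeping described above: elements are kept as disjoint ranges, an add merges overlapping or adjacent ranges, and a delete that lands inside a range shrinks or splits it. It works through the release-note data and then goes one step further by deleting a single address from a merged range. The class and function names are this example's own, and it simplifies one thing: real nft rejects deletion of an element that is not in the set, while the model silently ignores it.

```python
"""Model of nftables interval-set auto-merge.

Added illustration, not code from the nftables project. It mimics how nft
stores an interval set ('flags interval' + 'auto-merge') as disjoint ranges,
coalescing overlapping or adjacent elements on 'add element' and shrinking or
splitting ranges on 'delete element'. IPv4 only; the sample data is the set
from the release notes. Simplification: real nft rejects deleting an element
that is not in the set, whereas this model silently ignores it.
"""
import ipaddress


def parse_element(text):
    """Turn one nft element spelling into an inclusive (first, last) pair of ints.

    Accepts a single address ('1.2.3.0'), a prefix ('1.2.3.0/24') or a range
    ('1.2.3.0-1.2.4.255'), the spellings nft accepts for ipv4_addr interval sets.
    """
    text = text.strip()
    if "-" in text:
        first, last = (int(ipaddress.IPv4Address(p.strip())) for p in text.split("-", 1))
        if first > last:
            raise ValueError(f"inverted range: {text}")
        return first, last
    net = ipaddress.IPv4Network(text, strict=True)
    return int(net.network_address), int(net.broadcast_address)


def format_element(first, last):
    """Render a range the way 'nft list set' prints it.

    A single address prints bare, a range that is exactly one aligned prefix
    prints in CIDR form (1.2.3.0-1.2.3.255 -> 1.2.3.0/24), anything else as a-b.
    """
    if first == last:
        return str(ipaddress.IPv4Address(first))
    size = last - first + 1
    if size & (size - 1) == 0 and first % size == 0:
        return f"{ipaddress.IPv4Address(first)}/{32 - (size.bit_length() - 1)}"
    return f"{ipaddress.IPv4Address(first)}-{ipaddress.IPv4Address(last)}"


def merge(ranges):
    """Coalesce overlapping or adjacent ranges (what auto-merge does)."""
    merged = []
    for first, last in sorted(ranges):
        if merged and first <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], last))
        else:
            merged.append((first, last))
    return merged


class IntervalSet:
    """Disjoint, sorted ranges, like a kernel-side interval set with auto-merge."""

    def __init__(self, elements=()):
        self.ranges = []
        self.add(elements)

    def add(self, elements):
        """'nft add element': new elements are merged into what is already there."""
        self.ranges = merge(self.ranges + [parse_element(e) for e in elements])
        return self

    def delete(self, elements):
        """'nft delete element': a deletion inside a range shrinks or splits it."""
        for d_first, d_last in (parse_element(e) for e in elements):
            kept = []
            for first, last in self.ranges:
                if d_last < first or d_first > last:   # range not touched by the deletion
                    kept.append((first, last))
                    continue
                if first < d_first:                     # keep the part before the hole
                    kept.append((first, d_first - 1))
                if last > d_last:                       # keep the part after the hole
                    kept.append((d_last + 1, last))
            self.ranges = kept
        return self

    def elements(self):
        """The 'elements = { ... }' line nft would list for this set."""
        body = ", ".join(format_element(first, last) for first, last in self.ranges)
        return f"elements = {{ {body} }}"


if __name__ == "__main__":
    # Constructed from the release-note example: the set as declared with auto-merge ...
    s = IntervalSet(["1.2.3.0", "1.2.3.255", "1.2.3.0/24", "3.3.3.3",
                     "4.4.4.4", "4.4.4.4-4.4.4.8", "3.3.3.4", "3.3.3.5"])
    print(s.elements())   # elements = { 1.2.3.0/24, 3.3.3.3-3.3.3.5, 4.4.4.4-4.4.4.8 }
    # ... then extended at runtime, as 'nft add element ip x y { ... }' would
    s.add(["1.2.3.0-1.2.4.255", "3.3.3.6"])
    print(s.elements())   # elements = { 1.2.3.0-1.2.4.255, 3.3.3.3-3.3.3.6, 4.4.4.4-4.4.4.8 }
    # ... and finally a deletion that lands inside a merged range and splits it
    s.delete(["3.3.3.4"])
    print(s.elements())   # elements = { 1.2.3.0-1.2.4.255, 3.3.3.3, 3.3.3.5-3.3.3.6, 4.4.4.4-4.4.4.8 }
```

The merge step is the reason auto-merge matters operationally: a rule such as "ip saddr @y drop" keeps working unchanged while the set is grown or shrunk piecewise from a script, and the kernel never sees two overlapping ranges for the same key.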
- The rule optimizer, invoked with the "-o/--optimize" option, can now fold address translation (NAT) rules into a map. For example, for the ruleset

    # cat ruleset.nft
    table ip x {
        chain y {
            type nat hook postrouting priority srcnat; policy drop;
            ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80
            ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90
        }
    }

running "nft -o -c -f ruleset.nft" (-c only checks the ruleset without loading it) rewrites the separate "ip saddr" rules into a single map lookup:

    snat to ip saddr . tcp dport map { 1.1.1.1 . 8000 : 4.4.4.4 . 80, 2.2.2.2 . 8001 : 5.5.5.5 . 90 }

Rules built on raw payload expressions can be folded into maps in the same way (here @th,160,128 selects 128 bits at bit offset 160 of the transport header):

    # cat ruleset.nft
    table ip x {
        […]
        chain nat_dns_acme {
            udp length 47-63 @th,160,128 0x0e373135363130333131303735353203 goto nat_dns_dnstc
            udp length 62-78 @th,160,128 0x0e31393032383939353831343037320e goto nat_dns_this_5301
            udp length 62-78 @th,160,128 0x0e31363436323733373931323934300e goto nat_dns_saturn_5301
            udp length 62-78 @th,160,128 0x0e32393535373539353636383732310e goto nat_dns_saturn_5302
            udp length 62-78 @th,160,128 0x0e38353439353637323038363633390e goto nat_dns_saturn_5303
        }
    }

After optimization this becomes a single verdict map:

    udp length . @th,160,128 vmap { 47-63 . 0x0e373135363130333131303735353203 : goto nat_dns_dnstc, 62-78 . 0x0e31393032383939353831343037320e : goto nat_dns_this_5301, 62-78 . 0x0e31363436323733373931323934300e : goto nat_dns_saturn_5301, 62-78 . 0x0e32393535373539353636383732310e : goto nat_dns_saturn_5302, 62-78 . 0x0e38353439353637323038363633390e : goto nat_dns_saturn_5303 }
- Raw payload expressions are now allowed in concatenations. For example (@ih,32,32 selects 32 bits at bit offset 32 of the inner header, i.e. the payload following the transport header):

    # nft add rule x y ip saddr . @ih,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e }

or

    table x {
        set y {
            typeof ip saddr . @ih,32,32
            elements = { 1.1.1.1 . 0x14 }
        }
    }

- Raw header fields can also be combined with ranges in the concatenated keys of an interval map:

    table inet t {
        map m1 {
            typeof udp length . @ih,32,32 : verdict
            flags interval
            elements = { 20-80 . 0x14 : accept, 1-10 . 0xa : drop }
        }
        chain c {
            type filter hook input priority 0; policy drop;
            udp length . @ih,32,32 vmap @m1
        }
    }
- Support for stripping TCP options has been added (requires Linux kernel 5.18 or newer). For example, the following rule removes the SACK-permitted option from SYN segments, so selective acknowledgement is never negotiated for those connections, much like the TCPOPTSTRIP target in iptables:

    tcp flags syn reset tcp option sack-perm
- Listing a chain ("nft list chain x y") has been sped up.
Source: opennet.ru
