nftables 1.0.3 packet filter released

The release of the nftables 1.0.3 packet filter has been published. nftables unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridges (it is intended to replace iptables, ip6tables, arptables and ebtables). The kernel changes required for the nftables 1.0.3 release to work are included in Linux kernel 5.18.

The nftables package contains the packet filter components that run in user space, while the kernel side is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel level offers only a generic, protocol-independent interface that provides the basic operations for extracting data from packets, operating on that data, and controlling the flow of processing.

The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel over the Netlink interface and executed there in a special virtual machine resembling BPF (Berkeley Packet Filters). This approach makes it possible to greatly reduce the amount of filtering code running at the kernel level and to move all rule parsing and protocol handling logic into user space.

Main changes:

  • Sets now support interface names matched by mask, for example specified with the "*" wildcard:

        table inet testifsets {
            set simple_wild {
                type ifname
                flags interval
                elements = { "abcdef*", "othername", "ppp0" }
            }
            chain v4icmp {
                type filter hook input priority 0; policy accept;
                iifname @simple_wild counter packets 0 bytes 0
                iifname { "abcdef*", "eth0" } counter packets 0 bytes 0
            }
        }
  • Added automatic merging of intersecting set elements at runtime. Previously, when the "auto-merge" option was set, merging was only performed at the ruleset declaration stage; now it also works when new elements are added incrementally at runtime. For example, at the declaration stage the set

        set y {
            flags interval
            auto-merge
            elements = { 1.2.3.0, 1.2.3.255, 1.2.3.0/24, 3.3.3.3, 4.4.4.4, 4.4.4.4-4.4.4.8, 3.3.3.4, 3.3.3.5 }
        }

    is converted into

        elements = { 1.2.3.0/24, 3.3.3.3-3.3.3.5, 4.4.4.4-4.4.4.8 }

    and if new elements are then added with

        # nft add element ip x y { 1.2.3.0-1.2.4.255, 3.3.3.6 }

    the set will look like

        elements = { 1.2.3.0-1.2.4.255, 3.3.3.3-3.3.3.6, 4.4.4.4-4.4.4.8 }

    When individual elements that fall inside existing ranges are removed from the set, the affected range is shortened or split.

  • The rule optimizer, invoked with the "-o/--optimize" option, can now merge multiple network address translation (NAT) rules into a map. For example, for the ruleset

        # cat ruleset.nft
        table ip x {
            chain y {
                type nat hook postrouting priority srcnat; policy drop;
                ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80
                ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90
            }
        }

    running "nft -o -c -f ruleset.nft" converts the separate "ip saddr" rules into a single map:

        snat to ip saddr . tcp dport map { 1.1.1.1 . 8000 : 4.4.4.4 . 80, 2.2.2.2 . 8001 : 5.5.5.5 . 90 }

    Similarly, rules using raw expressions can be converted into a map:

        # cat ruleset.nft
        table ip x {
            [...]
            chain nat_dns_acme {
                udp length 47-63 @th,160,128 0x0e373135363130333131303735353203 goto nat_dns_dnstc
                udp length 62-78 @th,160,128 0x0e31393032383939353831343037320e goto nat_dns_this_5301
                udp length 62-78 @th,160,128 0x0e31363436323733373931323934300e goto nat_dns_saturn_5301
                udp length 62-78 @th,160,128 0x0e32393535373539353636383732310e goto nat_dns_saturn_5302
                udp length 62-78 @th,160,128 0x0e38353439353637323038363633390e goto nat_dns_saturn_5303
            }
        }

    after optimization we get the map:

        udp length . @th,160,128 vmap { 47-63 . 0x0e373135363130333131303735353203 : goto nat_dns_dnstc, 62-78 . 0x0e31393032383939353831343037320e : goto nat_dns_this_5301, 62-78 . 0x0e31363436323733373931323934300e : goto nat_dns_saturn_5301, 62-78 . 0x0e32393535373539353636383732310e : goto nat_dns_saturn_5302, 62-78 . 0x0e38353439353637323038363633390e : goto nat_dns_saturn_5303 }

  • Raw expressions are now allowed in concatenations. Example:

        # nft add rule x y ip saddr . @ih,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e }

    or

        table x {
            set y {
                typeof ip saddr . @ih,32,32
                elements = { 1.1.1.1 . 0x14 }
            }
        }
  • Added support for specifying complete header expressions in concatenations:

        table inet t {
            map m1 {
                typeof udp length . @ih,32,32 : verdict
                flags interval
                elements = { 20-80 . 0x14 : accept, 1-10 . 0xa : drop }
            }
            chain c {
                type filter hook input priority 0; policy drop;
                udp length . @ih,32,32 vmap @m1
            }
        }
  • Added support for setting TCP options (works only with Linux kernel 5.18+):

        tcp flags syn reset tcp option sack-perm
  • Listing a chain ("nft list chain x y") has been sped up.
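The interval auto-merge behaviour described in the second item above, as an added Python model that is not part of nftables or of the original article: elements are normalised to inclusive IPv4 ranges, merged when they overlap or touch, and printed back the way nft lists them (a prefix where the range is one, otherwise a-b). The names IntervalSet, merge, remove and fmt are my own; the sample elements are the ones from the article, and the deletion at the end shows the range-splitting behaviour the article mentions.

```python
"""Added example (my own code, not from the nftables project): model of
'flags interval; auto-merge' set semantics for IPv4 elements."""
import ipaddress


def parse_element(text):
    """Turn '1.2.3.4', '1.2.3.0/24' or '1.2.3.0-1.2.4.255' into an inclusive (lo, hi) int pair."""
    text = text.strip()
    if "-" in text:
        a, b = text.split("-", 1)
        lo, hi = int(ipaddress.IPv4Address(a.strip())), int(ipaddress.IPv4Address(b.strip()))
    elif "/" in text:
        net = ipaddress.IPv4Network(text)          # strict: host bits must be zero, as nft requires
        lo, hi = int(net.network_address), int(net.broadcast_address)
    else:
        lo = hi = int(ipaddress.IPv4Address(text))
    if lo > hi:
        raise ValueError(f"inverted range: {text}")
    return lo, hi


def merge(intervals):
    """Merge overlapping or adjacent inclusive ranges (what auto-merge does on add)."""
    merged = []
    for lo, hi in sorted(intervals):
        if merged and lo <= merged[-1][1] + 1:      # overlaps or touches the previous range
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def remove(intervals, lo, hi):
    """Delete [lo, hi] from the set: ranges are shortened or split, never merged."""
    out = []
    for a, b in intervals:
        if hi < a or lo > b:                        # no intersection, keep as-is
            out.append((a, b))
            continue
        if a < lo:                                  # left remainder
            out.append((a, lo - 1))
        if b > hi:                                  # right remainder
            out.append((hi + 1, b))
    return out


def fmt(lo, hi):
    """Render a range as nft lists it: single address, CIDR prefix, or a-b."""
    ip = ipaddress.IPv4Address
    if lo == hi:
        return str(ip(lo))
    nets = list(ipaddress.summarize_address_range(ip(lo), ip(hi)))
    return str(nets[0]) if len(nets) == 1 else f"{ip(lo)}-{ip(hi)}"


class IntervalSet:
    """A set declared with 'flags interval' and 'auto-merge'."""

    def __init__(self, elements=()):
        self.ranges = merge(parse_element(e) for e in elements)

    def add(self, elements):                        # nft add element ... (runtime merge)
        self.ranges = merge(self.ranges + [parse_element(e) for e in elements])

    def delete(self, element):                      # nft delete element ...
        self.ranges = remove(self.ranges, *parse_element(element))

    def elements(self):
        return [fmt(lo, hi) for lo, hi in self.ranges]


if __name__ == "__main__":
    # The article's declaration-stage example, then its runtime addition.
    s = IntervalSet(["1.2.3.0", "1.2.3.255", "1.2.3.0/24", "3.3.3.3", "4.4.4.4",
                     "4.4.4.4-4.4.4.8", "3.3.3.4", "3.3.3.5"])
    print(s.elements())
    s.add(["1.2.3.0-1.2.4.255", "3.3.3.6"])
    print(s.elements())
    s.delete("3.3.3.4")                              # splits 3.3.3.3-3.3.3.6 in two
    print(s.elements())
```

Run it directly to see the three listings; the first two reproduce the article's output exactly, and the third shows a deletion from the middle of a range leaving two pieces.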
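An added example (my own Python, not nftables code) for the raw payload expressions that appear in the optimizer and concatenation items above. In nft, @th,offset,len reads len bits starting offset bits into the transport header and @ih does the same from the start of the payload that follows it; for UDP the transport header is 8 bytes, so @th,160,128 is payload bytes 12 to 27, which in a DNS query is where the QNAME starts. The datagram builder, the query name 71561031107552.net (chosen only so that the extracted field equals the article's first constant; the TLD is a placeholder) and the EDNS record are all constructed here; VMAP holds the five entries from the optimised ruleset above, and lookup evaluates it the way the vmap rule would.

```python
"""Added example (my own code, not from the nftables project): what a raw
payload match such as @th,160,128 or @ih,32,32 compares, over a constructed UDP datagram."""
import struct

UDP_HEADER_LEN = 8


def raw_field(datagram, base, offset_bits, length_bits):
    """Integer value of the length_bits-wide field at offset_bits from base ('th' or 'ih')."""
    if base not in ("th", "ih"):
        raise ValueError("base must be 'th' (transport header) or 'ih' (inner/payload)")
    if offset_bits % 8 or length_bits % 8:
        raise ValueError("this model only handles byte-aligned fields")
    start = (UDP_HEADER_LEN if base == "ih" else 0) + offset_bits // 8
    end = start + length_bits // 8
    if end > len(datagram):
        raise ValueError("field extends past the end of the datagram")
    return int.from_bytes(datagram[start:end], "big")


def build_dns_query(qname, edns=True, txid=0x1234, sport=40000, dport=53):
    """Constructed UDP datagram carrying a DNS A query: UDP header, DNS header, question, optional OPT RR."""
    question = b"".join(bytes([len(label)]) + label.encode() for label in qname.split(".")) + b"\x00"
    question += struct.pack("!HH", 1, 1)                    # QTYPE A, QCLASS IN
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0) + question
    if edns:
        dns += b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)  # EDNS0 OPT RR, 11 bytes (constructed)
    udp_len = UDP_HEADER_LEN + len(dns)
    return struct.pack("!HHHH", sport, dport, udp_len, 0) + dns  # checksum left as 0


# The vmap from the optimised ruleset above: (udp length range, value at @th,160,128) -> verdict
VMAP = [
    ((47, 63), 0x0e373135363130333131303735353203, "goto nat_dns_dnstc"),
    ((62, 78), 0x0e31393032383939353831343037320e, "goto nat_dns_this_5301"),
    ((62, 78), 0x0e31363436323733373931323934300e, "goto nat_dns_saturn_5301"),
    ((62, 78), 0x0e32393535373539353636383732310e, "goto nat_dns_saturn_5302"),
    ((62, 78), 0x0e38353439353637323038363633390e, "goto nat_dns_saturn_5303"),
]


def lookup(datagram):
    """Evaluate 'udp length . @th,160,128 vmap': both parts of the key must match one entry."""
    try:
        udp_len = raw_field(datagram, "th", 32, 16)         # UDP length field, bits 32..47 of the header
        key = raw_field(datagram, "th", 160, 128)
    except ValueError:
        return None                                         # a load past the end of the packet never matches
    for (lo, hi), value, verdict in VMAP:
        if lo <= udp_len <= hi and key == value:
            return verdict
    return None


if __name__ == "__main__":
    d = build_dns_query("71561031107552.net")
    print(hex(raw_field(d, "th", 160, 128)), raw_field(d, "th", 32, 16))
    print(hex(raw_field(d, "ih", 32, 32)))                  # QDCOUNT and ANCOUNT words of the DNS header
    print(lookup(d), lookup(build_dns_query("example.net")))
```

The 0x0e...03 constant decodes as a 14-byte DNS label followed by a 3-byte one, which is why only a name of that shape hits the first entry; a query for any other name falls through to None even when its UDP length is inside 47-63, and a datagram too short for the 128-bit load never matches at all.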

Source: opennet.ru
