nftables 1.0.6 packet filter release

The nftables 1.0.6 packet filter release has been published, unifying the packet filtering interfaces for IPv4, IPv6, ARP and network bridges (it is intended to replace iptables, ip6tables, arptables and ebtables). The nftables package contains the packet filter components that run in user space, while the kernel side is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. At the kernel level only a generic, protocol-independent interface is provided, offering basic primitives for extracting data from packets, performing operations on that data, and controlling the flow.

The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel over the Netlink interface and executed in the kernel by a dedicated virtual machine resembling BPF (Berkeley Packet Filters). This approach makes it possible to greatly reduce the amount of filtering code running at the kernel level and to move all rule parsing and protocol handling logic into user space.

Major changes:

  • The rule optimizer, invoked with the "-o/--optimize" option, now automatically collapses rules by merging them and converting them into maps and concatenated sets. For example, the ruleset

      # cat ruleset.nft
      table ip x {
              chain y {
                      type filter hook input priority filter; policy drop;
                      meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
                      meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4 accept
                      meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.3.0/24 accept
                      meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.4.0-2.2.4.10 accept
                      meta iifname eth2 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept
              }
      }

    is rewritten by "nft -o -c -f ruleset.nft" as follows:

      Merging:
      ruleset.nft:4:17-74: meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
      ruleset.nft:5:17-74: meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4 accept
      ruleset.nft:6:17-77: meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.3.0/24 accept
      ruleset.nft:7:17-83: meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.4.0-2.2.4.10 accept
      ruleset.nft:8:17-74: meta iifname eth2 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept
      into:
              iifname . ip saddr . ip daddr { eth1 . 1.1.1.1 . 2.2.2.3, eth1 . 1.1.1.2 . 2.2.2.4, eth1 . 1.1.1.2 . 2.2.3.0/24, eth1 . 1.1.1.2 . 2.2.4.0-2.2.4.10, eth2 . 1.1.1.3 . 2.2.2.5 } accept

  • The optimizer can also collapse rules that already use simple sets into a more compact combined form. For example:

      # cat ruleset.nft
      table ip filter {
              chain input {
                      type filter hook input priority filter; policy drop;
                      iifname "lo" accept
                      ct state established,related accept comment "Inbound traffic, we trust"
                      iifname "enp0s31f6" ip saddr { 209.115.181.102, 216.197.228.230 } ip daddr 10.0.0.149 udp sport 123 udp dport 32768-65535 accept
                      iifname "enp0s31f6" ip saddr { 64.59.144.17, 64.59.150.133 } ip daddr 10.0.0.149 udp sport 53 udp dport 32768-65535 accept
              }
      }

    Here "nft -o -c -f ruleset.nft" reports that the two rules on lines 6 and 7 are merged into:

              iifname . ip saddr . ip daddr . udp sport . udp dport { enp0s31f6 . 209.115.181.102 . 10.0.0.149 . 123 . 32768-65535, enp0s31f6 . 216.197.228.230 . 10.0.0.149 . 123 . 32768-65535, enp0s31f6 . 64.59.144.17 . 10.0.0.149 . 53 . 32768-65535, enp0s31f6 . 64.59.150.133 . 10.0.0.149 . 53 . 32768-65535 } accept

  • Fixed a problem with bytecode generation for interval concatenations that mix types with different byte order, such as IPv4 addresses (network endian) and meta mark (system endian):

      table ip x {
              map w {
                      typeof ip saddr . meta mark : verdict
                      flags interval
                      counter
                      elements = { 127.0.0.1-127.0.0.4 . 0x123434-0xb00122 : accept,
                                   192.168.0.10-192.168.1.20 . 0x0000aa00-0x0000aaff : accept, }
              }
              chain k {
                      type filter hook input priority filter; policy drop;
                      ip saddr . meta mark vmap @w
              }
      }

  • Improved handling of unusual maps that use raw expressions, e.g.: meta l4proto 91 @th,400,16 0x0 accept
  • Fixed problems with rules that use intervals, e.g.: insert rule x y tcp sport { 3478-3497, 16384-16387 } counter accept
  • The JSON API has been extended to support statements that appear in maps.
  • In the nftables Python library bindings, rules can now be loaded for processing in check mode ("-c"), and support for external variable definitions has been added.
  • Comments are now allowed on set elements.
  • A zero value may now be specified for "byte ratelimit".
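As an added illustration of the merging shown in the two optimizer bullets above (a toy model written for this page, not nftables' own code), the following Python groups consecutive rules that share the same match keys and verdict into one concatenated anonymous set, expanding any anonymous set inside a rule into its elements. A rule with a different verdict in between is deliberately treated as a boundary, since merging across it would change the order in which a packet is matched. The rule syntax and the selector list are assumptions covering only the forms used on this page.

```python
import re
from itertools import product

# Match keys and verdicts understood by this toy model (an assumption: only the
# forms used in the examples above; the real optimizer works on the parsed tree).
SEL_RE = re.compile(
    r"(?:meta\s+)?(iifname|oifname|ip saddr|ip daddr|tcp sport|tcp dport|"
    r"udp sport|udp dport)\s+(\{[^}]*\}|\S+)")
VERDICTS = {"accept", "drop", "reject", "return"}

def parse_rule(rule):
    """Return (selectors, per-selector value lists, verdict), or None when the
    rule contains anything the model does not understand (ct state, counter,
    comments, ...). Such rules are never merged and act as run boundaries."""
    words = rule.split()
    if not words or words[-1] not in VERDICTS:
        return None
    verdict, body = words[-1], " ".join(words[:-1])
    matches = SEL_RE.findall(body)
    if not matches or SEL_RE.sub("", body).strip():
        return None
    values = []
    for _, val in matches:
        items = val.strip("{}").split(",") if val.startswith("{") else [val]
        values.append([x.strip().strip('"') for x in items if x.strip()])
    return tuple(sel for sel, _ in matches), values, verdict

def optimize_chain(rules):
    """Collapse each run of consecutive rules with identical selectors and
    verdict into one concatenated anonymous set, expanding the anonymous sets
    inside a rule into their cartesian product. A rule with another verdict
    ends the run: merging across it would reorder matching and so change
    which packets the chain accepts or drops."""
    parsed = [(r.strip(), parse_rule(r)) for r in rules]
    out, i = [], 0
    while i < len(parsed):
        text, info = parsed[i]
        j = i + 1
        while (info and j < len(parsed) and parsed[j][1] is not None
               and parsed[j][1][0] == info[0] and parsed[j][1][2] == info[2]):
            j += 1
        run = parsed[i:j]
        if len(run) == 1:
            out.append(text)  # lone or unparsed rule is left untouched
        else:
            elems = [" . ".join(c) for _, (_, vals, _) in run for c in product(*vals)]
            out.append(f"{' . '.join(info[0])} {{ {', '.join(elems)} }} {info[2]}")
        i = j
    return out
```

Running optimize_chain() on the five rules of the first ruleset above yields exactly the "into:" line nft prints; on the second ruleset the "lo" and "ct state" rules are left alone and the two enp0s31f6 rules become the four-element concatenated set.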

Source: opennet.ru
