nftables packet filter 1.0.7 released

The nftables 1.0.7 packet filter release has been published. nftables unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridges (it is intended to replace iptables, ip6tables, arptables and ebtables). The nftables package contains the packet filter components that run in user space, while the kernel side is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. At the kernel level only a generic, protocol-independent interface is provided, offering the basic operations of extracting data from packets, operating on that data and controlling the flow.

The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel over the Netlink interface and executed inside the kernel by a dedicated virtual machine resembling BPF (Berkeley Packet Filters). This design greatly reduces the amount of filtering code running at the kernel level and moves all rule parsing and protocol handling logic into user space.

Major changes:

  • For Linux 6.2+ kernels, support for the vxlan, geneve, gre and gretap protocols has been added, allowing simple expressions to inspect headers of encapsulated packets. For example, to check the IP addresses in the header of a packet encapsulated in VXLAN, rules like the following can now be used (without first having to strip the VXLAN header and bind the filter to a vxlan0 interface):

        ... udp dport 4789 vxlan ip protocol udp ...
        ... udp dport 4789 vxlan ip saddr 1.2.3.0/24 ...
        ... udp dport 4789 vxlan ip saddr . vxlan ip daddr { 1.2.3.4 . 4.3.2.1 }

  • Support for automatically merging the remaining intervals after part of a range is deleted has been added, allowing a single element or a sub-range to be removed from an existing interval (previously, intervals could only be deleted whole). For example, after removing element 25 from a set holding 24-30 and 40-50, the set will contain 24, 26-30 and 40-50. The kernel fixes needed for automatic merging to work will be shipped in the stable 5.10+ kernel branches.

        # nft list ruleset
        table ip x {
                set y {
                        typeof tcp dport
                        flags interval
                        auto-merge
                        elements = { 24-30, 40-50 }
                }
        }
        # nft delete element ip x y { 25 }
        # nft list ruleset
        table ip x {
                set y {
                        typeof tcp dport
                        flags interval
                        auto-merge
                        elements = { 24, 26-30, 40-50 }
                }
        }

  • The use of names and ranges in address translation (NAT) maps is now allowed:

        table ip nat {
                chain prerouting {
                        type nat hook prerouting priority dstnat; policy accept;
                        dnat to ip daddr . tcp dport map { 10.1.1.136 . 80 : 1.1.2.69 . 1024,
                                                            10.1.1.10-10.1.1.20 . 8888-8889 : 1.1.2.69 . 2048-2049 } persistent
                }
        }

  • Support for the "last" statement has been added, which reports when a rule or set element was last used. This feature is supported since Linux kernel 5.14.

        table ip x {
                set y {
                        typeof ip daddr . tcp dport
                        size 65535
                        flags dynamic,timeout
                        last
                        timeout 1h
                }
                chain z {
                        type filter hook output priority filter; policy accept;
                        update @y { ip daddr . tcp dport }
                }
        }
        # nft list set ip x y
        table ip x {
                set y {
                        typeof ip daddr . tcp dport
                        size 65535
                        flags dynamic,timeout
                        last
                        timeout 1h
                        elements = { 172.217.17.14 . 443 last used 1s591ms timeout 1h expires 59m58s409ms,
                                     172.67.69.19 . 443 last used 4s636ms timeout 1h expires 59m55s364ms,
                                     142.250.201.72 . 443 last used 4s748ms timeout 1h expires 59m55s252ms,
                                     172.67.70.134 . 443 last used 4s688ms timeout 1h expires 59m55s312ms,
                                     35.241.9.150 . 443 last used 5s204ms timeout 1h expires 59m54s796ms,
                                     138.201.122.174 . 443 last used 4s537ms timeout 1h expires 59m55s463ms,
                                     34.160.144.191 . 443 last used 5s205ms timeout 1h expires 59m54s795ms,
                                     130.211.23.194 . 443 last used 4s436ms timeout 1h expires 59m55s564ms }
                }
        }

  • The ability to define quotas in sets has been added. For example, to set a traffic limit for each individual IP address you can write:

        table netdev x {
                set y {
                        typeof ip daddr
                        size 65535
                        quota over 10000 mbytes
                }
                chain y {
                        type filter hook egress device "eth0" priority filter; policy accept;
                        ip daddr @y drop
                }
        }
        # nft add element netdev x y { 8.8.8.8 }
        # ping -c 2 8.8.8.8
        # nft list ruleset
        table netdev x {
                set y {
                        type ipv4_addr
                        size 65535
                        quota over 10000 mbytes
                        elements = { 8.8.8.8 quota over 10000 mbytes used 196 bytes }
                }
                chain y {
                        type filter hook egress device "eth0" priority filter; policy accept;
                        ip daddr @y drop
                }
        }

  • The use of constants in sets is now allowed. For example, when using a set keyed by address and VLAN ID, the VLAN number can be given directly (daddr . 123):

        table netdev t {
                set s {
                        typeof ether saddr . vlan id
                        size 2048
                        flags dynamic,timeout
                        timeout 1m
                }
                chain c {
                        type filter hook ingress device eth0 priority 0; policy accept;
                        ether type != 8021q update @s { ether daddr . 123 } counter
                }
        }

  • A new "destroy" command has been added to delete objects unconditionally (unlike the delete command, it does not raise ENOENT when asked to delete a non-existent object). It requires at least a Linux 6.3-rc kernel to work.

        destroy table ip filter
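The interval semantics behind the auto-merge bullet above, modelled as an added example (this is not nftables' own code): intervals are coalesced on insert and split on partial deletion, which is what turns 24-30, 40-50 into 24, 26-30, 40-50 after element 25 is removed. The parser handles the "elements = { ... }" syntax shown in the listing and generalises to deleting any sub-range, not just a single element.

```python
# Added example, not part of nftables: models nft interval sets with auto-merge.
from typing import List, Tuple

Interval = Tuple[int, int]  # inclusive [lo, hi], e.g. (24, 30) for "24-30"


def auto_merge(intervals: List[Interval]) -> List[Interval]:
    """Sort and coalesce overlapping or adjacent intervals (nft auto-merge)."""
    merged: List[Interval] = []
    for lo, hi in sorted(intervals):
        # An interval that overlaps or directly touches the previous one is absorbed.
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def delete_range(intervals: List[Interval], lo: int, hi: int) -> List[Interval]:
    """Remove [lo, hi]; any interval it cuts into keeps its left/right remainder."""
    result: List[Interval] = []
    for a, b in intervals:
        if b < lo or a > hi:            # disjoint from the deleted range
            result.append((a, b))
            continue
        if a < lo:                      # part before the deleted range survives
            result.append((a, lo - 1))
        if b > hi:                      # part after the deleted range survives
            result.append((hi + 1, b))
    return result


def parse_elements(text: str) -> List[Interval]:
    """Parse an 'elements = { 24-30, 40-50 }' line into intervals."""
    body = text.split("{", 1)[1].split("}", 1)[0]
    out: List[Interval] = []
    for tok in body.split(","):
        tok = tok.strip()
        if tok:
            lo, _, hi = tok.partition("-")
            out.append((int(lo), int(hi or lo)))   # "24" alone means 24-24
    return out


def fmt(intervals: List[Interval]) -> str:
    """Render intervals the way 'nft list ruleset' prints them."""
    return ", ".join(f"{a}-{b}" if a != b else str(a) for a, b in intervals)


if __name__ == "__main__":
    s = auto_merge(parse_elements("elements = { 24-30, 40-50 }"))
    print(fmt(delete_range(s, 25, 25)))  # 24, 26-30, 40-50
```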

Source: opennet.ru
