nftables packet filter 1.1.0 released

The release of the packet filter nftables 1.1.0 has been published, unifying the packet filtering interfaces for IPv4, IPv6, ARP and network bridges (it is intended to replace iptables, ip6tables, arptables and ebtables). The large jump in the version number is not tied to any fundamental change; it is simply the result of continuing the numbering consistently in decimal notation (the previous release was 1.0.9). At the same time, a release of the companion library libnftnl 1.2.7 was published, which provides a low-level API for interacting with the nf_tables subsystem.

The nftables package contains the packet filter components that run in user space, while the kernel-side work is done by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel level provides only a generic, protocol-independent interface that offers basic functions for extracting data from packets, performing operations on that data, and controlling the flow of processing.

The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel through the Netlink interface and executed inside the kernel in a dedicated virtual machine reminiscent of BPF (Berkeley Packet Filters). This approach greatly reduces the amount of filtering code running at the kernel level and moves all rule parsing and protocol logic into user space.

Major changes:

  • Variable support has been added to map statements:

        define dst_map = { ::1234 : 5678 }
        table ip6 nat {
            map dst_map {
                typeof ip6 daddr : tcp dport
                elements = $dst_map
            }
            chain prerouting {
                ip6 nexthdr tcp redirect to ip6 daddr map @dst_map
            }
        }

  • VLAN support has been extended, both for setting the VLAN id and for matching nested (QinQ) VLAN headers in the payload:

        ip saddr 10.1.1.1 icmp type echo-request vlan id set 321
        # payload
        ether type 8021ad vlan id 10 vlan type 8021q vlan id 100 vlan type ip accept

  • For "log" statements, a new preprocessor with variable support is now available:

        define message="test"
        log prefix "my $message"

  • When computing the value of the "meta hour" expression, a negative offset given in the TZ environment variable is now applied correctly:

        TZ=UTC-4 nft add rule x y meta hour "22:00"

  • Byte order conversion is now performed when using the ct and meta statements, as well as when concatenation and bit shifting are used with sets. For a map declared as

        map mapv6 {
            typeof ip6 dscp : meta mark;
        }

    the rule "meta mark set ip6 dscp map @mapv6" is compiled into the following bytecode (the byteorder instruction is inserted before the shift):

        [ payload load 2b @ network header + 0 => reg 1 ]
        [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ]
        [ byteorder reg 1 = ntoh(reg 1, 2, 2) ]
        [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ]
        [ lookup reg 1 set mapv6 dreg 1 ]
        [ meta set mark with reg 1 ]

  • Support for the "replace rule" command has been restored:

        nft replace rule ip t1 c1 handle 3 'jhash ip protocol . ip saddr mod 170 vmap { 0-94 : goto wan1, 95-169 : goto wan2, 170-269 }'

  • The ability to add network devices to an existing flowtable has been restored:

        create flowtable inet filter f1 { hook ingress priority 0; counter }
        add flowtable inet filter f1 { devices = { dummy1 }; }

  • Problems with the "create set" command have been resolved:

        define ip-block-4 = { 1.1.1.1 }
        create set netdev filter ip-block-4-test { type ipv4_addr; flags interval; auto-merge; elements = $ip-block-4 }

  • Problems with the numeric representation of TCP options have been resolved:

        tcp option 254

  • Problems with the meta and ct statements combined with map sets have been resolved:

        meta mark set vlan id map { 1 : 0x00000001, 4095 : 0x00004095 }

  • The payload and concat expressions no longer accept data larger than 512 bytes.

  • When running the "nft describe" command, the values from the group, rt_marks and rt_realms files found in the /etc/iproute2/ and /usr/share/iproute2/ directories are taken into account:

        # nft describe meta rtclassid
        meta expression, datatype realm (routing realm) (basetype integer), 32 bits

        pre-defined symbolic constants from /etc/iproute2/rt_realms (in decimal):
                cosmos                          0

  • Statements such as "meta mark set 0-100" (a range used as the value to set) are now rejected.

  • Listing tables has been sped up. Support for the -t/--terse option has been added to speed up the "list table" and "list set" commands.

  • Meter statements are converted into dynamic sets. The rule

        add rule t c tcp dport 80 meter m size 128 { ip saddr timeout 2s limit rate 10/second }

    is converted into

        set m { type ipv4_addr; size 128; flags dynamic,timeout; }
        tcp dport 80 update @m { ip saddr timeout 2s limit rate 10/second burst 5 packets }

  • In the JSON format, support has been added for synproxy objects and for maps with concatenated data.

  • Sets declared in JSON form support the auto-merge flag.

  • In the JSON representation, multiple devices can be specified inside a "chain" block.

  • When the -f/--filename option is used, paths are validated relative to the directory of the current file.

  • When the -I/--include option is used, paths are no longer read from the end of the list in an endless loop.

  • The -o/--optimize option has been improved to work with statements that contain counters:

        # nft -c -o -f ruleset.nft
        Merging:
        ruleset.nft:5:17-45:    ct state invalid counter drop
        ruleset.nft:6:17-59:    ct state established,related counter accept
        into:
                ct state vmap { invalid counter : drop, established counter : accept, related counter : accept }
        Merging:
        ruleset.nft:7:17-43:    tcp dport 80 counter accept
        ruleset.nft:8:17-44:    tcp dport 123 counter accept
        into:
                tcp dport { 80, 123 } counter accept
        Merging:
        ruleset.nft:9:17-64:    ip saddr 1.1.1.1 ip daddr 2.2.2.2 counter accept
        ruleset.nft:10:17-62:   ip saddr 1.1.1.2 ip daddr 3.3.3.3 counter drop
        into:
                ip saddr . ip daddr vmap { 1.1.1.1 . 2.2.2.2 counter : accept, 1.1.1.2 . 3.3.3.3 counter : drop }

  • Compatibility with ruleset dumps created by nftables versions older than 0.9.8 has been restored.
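The byte order item above is easy to misread: the mask 0x0000c00f looks unrelated to the DSCP field until one remembers that the two header bytes are loaded into a little-endian host register as-is, so 0x0fc0 in network order becomes 0xc00f in the register, and the shift by 6 only yields a DSCP value after the ntoh step. The following added example (not nftables code, and not from the release) models that six-instruction program in Python on a constructed IPv6 header. The map contents (DSCP 46 and 10 mapped to marks 0x10 and 0x20), the helper names and the `convert` flag are assumptions made for the illustration; the flag exists only to show what the lookup returns when the byteorder instruction is left out.

```python
"""Model of the nft bytecode for 'meta mark set ip6 dscp map @mapv6'.

Added example, not nftables code. Registers are modelled as little-endian
host integers (as on x86); the real VM uses 4-byte registers, which does not
change the arithmetic here because only the low two bytes are loaded.
"""
import struct

# Constructed map contents: DSCP value -> firewall mark (assumption; the page
# shows the map's type 'typeof ip6 dscp : meta mark' but not its elements).
MAPV6 = {46: 0x10, 10: 0x20}


def ipv6_header(dscp, ecn=0, flow_label=0):
    """Build the first 4 bytes of an IPv6 header: version 6, traffic class, flow label."""
    traffic_class = (dscp << 2) | ecn
    word = (6 << 28) | (traffic_class << 20) | flow_label
    return struct.pack("!I", word)


def payload_load_2b(packet, offset):
    """[ payload load 2b @ network header + offset => reg ]: bytes copied verbatim,
    so the register holds them in host (little-endian) order."""
    return int.from_bytes(packet[offset:offset + 2], "little")


def bitwise_and_xor(reg, mask, xor):
    """[ bitwise reg = ( reg & mask ) ^ xor ]"""
    return (reg & mask) ^ xor


def byteorder_ntoh(reg, size=2):
    """[ byteorder reg = ntoh(reg, 2, 2) ]: reinterpret the loaded bytes in network order."""
    raw = reg.to_bytes(size, "little")
    return int.from_bytes(raw, "big")


def dscp_direct(packet):
    """Reference extraction straight from the header bytes: low nibble of byte 0
    (high 4 DSCP bits) and top two bits of byte 1 (low 2 DSCP bits)."""
    return ((packet[0] & 0x0F) << 2) | (packet[1] >> 6)


def run_program(packet, mark_map=MAPV6, convert=True):
    """Execute the modelled program and return the mark the lookup would set,
    or None when the computed key is not in the map."""
    reg1 = payload_load_2b(packet, 0)
    # 0x0000c00f is the network-order mask 0x0fc0 (DSCP bits of the first
    # 16-bit word) as seen through a little-endian register.
    reg1 = bitwise_and_xor(reg1, 0x0000C00F, 0x00000000)
    if convert:
        reg1 = byteorder_ntoh(reg1)          # the instruction 1.1.0 now emits
    reg1 = reg1 >> 6                         # [ bitwise reg 1 = ( reg 1 >> 6 ) ]
    return mark_map.get(reg1)                # [ lookup ... ] + [ meta set mark ]


if __name__ == "__main__":
    pkt = ipv6_header(46)                    # DSCP EF
    print("direct DSCP:", dscp_direct(pkt))
    print("mark with byteorder step:", run_program(pkt))
    print("mark without byteorder step:", run_program(pkt, convert=False))
```

With the ntoh step the masked register 0x800b becomes 0x0b80, and shifting by 6 gives 46, which the map resolves to a mark. Without it the shift produces 0x200, which matches nothing, which is exactly the class of silent mismatch the release fixes.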

Source: opennet.ru
