Ukukhutshwa kwe-packet filter nftables 0.9.9 ishicilelwe, idibanisa i-interfaces yokucoca ipakethe ye-IPv4, IPv6, ARP kunye neebhuloho zenethiwekhi (ezijoliswe ekutshintsheni iptables, ip6table, arptables kunye ne-ebtables). Ngexesha elifanayo, ukukhutshwa kwelayibrari engumhlobo we-libnftnl 1.2.0 yapapashwa, ibonelela nge-API ephantsi yokunxibelelana ne-nf_tables subsystem. Utshintsho olufunekayo kwi-nftables 0.9.9 ukukhutshwa emsebenzini kufakwe kwi-Linux kernel 5.13-rc1.
Ipakethe ye-nftables ibandakanya iinxalenye zepakethe zokucoca ezisebenza kwindawo yomsebenzisi, ngelixa umsebenzi we-kernel-level unikezelwa yi-nf_tables subsystem, ebiyinxalenye ye-Linux kernel ukususela ekukhululweni kwe-3.13. Inqanaba le-kernel libonelela kuphela i-generic protocol-independent interface ebonelela ngemisebenzi esisiseko yokukhupha idatha kwiipakethi, ukwenza imisebenzi yedatha, kunye nokulawula ukuhamba.
Imithetho yokucoca kunye ne-protocol-specific handlers ihlanganiswe kwi-bytecode kwindawo yomsebenzisi, emva koko le bytecode ilayishwe kwi-kernel isebenzisa ujongano lwe-Netlink kwaye iqhutywe kwi-kernel kumatshini okhethekileyo okhumbuza i-BPF (i-Berkeley Packet Filters). Le ndlela ikuvumela ukuba unciphise kakhulu ubungakanani bekhowudi yokucoca esebenza kwinqanaba le-kernel kwaye uhambise yonke imisebenzi yokwahlulahlula imithetho kunye nengqiqo yokusebenza kunye neeprotocol kwindawo yomsebenzisi.
Iinguqulelo eziphambili:
- Ukukwazi ukuhambisa inkqubo equkuqelayo ukuya kwicala leadaptha yothungelwano iphunyeziwe, yenziwe kusetyenziswa iflegi 'yokhuphela'. I-Flowtable yindlela yokuphucula indlela yokuhanjiswa kwepakethi, apho ukugqithwa okupheleleyo kwayo yonke imixokelelwano yomgaqo-nkqubo isetyenziswe kuphela kwipakethi yokuqala, kwaye zonke ezinye iipakethi zokuhamba zithunyelwa ngokuthe ngqo. itheyibhile ip yehlabathi { flowtable f { hook ingress isihluzo + 1 izixhobo = {lan3, lan0, wan } iiflegi ezikhutshiweyo } ikhonkco eliphambili {uhlobo lokucoca ihuku ephambili isihluzo esiphambili; umgaqo-nkqubo wamkele; iprotocol ye-ip { tcp, udp } qukuqela ukongeza @f } isithuba sekhonkco {chwetheza ikhonkco lokuthumela isihluzo esiphambili; umgaqo-nkqubo wamkele; oifname "wan" masquerade }}
- Inkxaso eyongeziweyo yokuncamathisela iflegi yomnini kwitafile ukuqinisekisa ukusetyenziswa kwetheyibhile ngenkqubo. Xa inkqubo iphela, itheyibhile enxulumene nayo iyacinywa ngokuzenzekelayo. Ulwazi malunga nenkqubo luboniswa kwimigaqo yokulahla ngendlela yenkcazo: itheyibhile ip x {# progname nft iflegi yomnini chain y {uhlobo lokucoca ikhonkco lokucoca icebo lokucoca kuqala; umgaqo-nkqubo wamkele; iipakethi zokubala 1 bytes 309 }}
- Inkxaso eyongeziweyo yenkcazo ye-IEEE 802.1ad (i-VLAN stacking okanye i-QinQ), echaza indlela yokutshintsha iithegi zeVLAN ezininzi kwisakhelo esisodwa se-Ethernet. Umzekelo, ukujonga uhlobo lwesakhelo se-Ethernet yangaphandle 8021ad kunye ne-vlan id=342, ungasebenzisa ulwakhiwo ... uhlobo lwe-ether 802.1ad vlan id 342 ukujonga uhlobo lwangaphandle lwesakhelo se-Ethernet 8021ad/vlan id=1, i-nested 802.1 q/vlan id=2 kunye ne-IP eyongezelelekileyo ye-packet encapsulation: ... uhlobo lwe-ether 8021ad vlan id 1 uhlobo lwe-vlan 8021q vlan id 2 uhlobo lwe-ip counter
- Inkxaso eyongeziweyo yokulawula izixhobo kusetyenziswa amaqela adityanisiweyo olawulo lweqela v2. Umahluko ophambili phakathi kwe-cgroups v2 kunye ne-v1 kusetyenziso lwe-cgroups hierarchy yazo zonke iintlobo zemithombo, endaweni yoluhlu oluhlukeneyo lokwabiwa kwezixhobo ze-CPU, zokulawula ukusetyenziswa kwememori, kunye ne-I / O. Umzekelo, ukujonga ukuba ukhokho wesokhethi kwinqanaba lokuqala le-cgroupv2 lihambelana ne-mask "system.slice", ungasebenzisa ulwakhiwo: ... i-socket cgroupv2 level 1 "system.slice"
- Kongezwe amandla okukhangela amacandelo eepakethe ze-SCTP (ukusebenza okufunekayo koku kuya kuvela kwi-Linux kernel 5.14). Umzekelo, ukujonga ukuba ipakethe iqulathe iqhekeza elinodidi 'idatha' kunye nomhlaba 'uhlobo': ... idata ye-sctp chunk ikhona ... sctp chunk data type 0
- Ukuphunyezwa komsebenzi wokulayisha umgaqo kuye kwakhawuleziswa malunga namaxesha amabini kusetyenziswa iflegi "-f". Imveliso yoluhlu lwemithetho nayo iye yakhawuleziswa.
- Ifomu ebambeneyo yokukhangela ukuba iibhithi zeflegi zibekiwe. Umzekelo, ukujonga ukuba i-snat kunye ne-bits yemo ye-dnat ayicwangciswanga, ungakhankanya: ... ct status ! snat,dnat ukujonga ukuba i-sync bit icwangcisiwe kwi-bitmask syn,ack: ... tcp iflegi syn / syn,ack ukujonga ukuba i-fin kunye ne-rst bits azicwangciswanga kwi-bitmask syn,ack,fin,rst: ... iiflegi zetcp = fin,rst / syn,ack,fin,rst
- Vumela igama elingundoqo elithi "isigwebo" kwiseti/kwimephu yodidi lweenkcazelo: yongeza imephu xm {typeof iifname. IP protocol th dport : isigwebo ;}
umthombo: opennet.ru