The kernel level provides only a generic, protocol-independent interface that supplies the basic functions for extracting data from packets, performing operations on that data, and controlling flow. The filtering logic itself and the protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel through the Netlink interface and executed in a special virtual machine reminiscent of BPF (Berkeley Packet Filters). This approach significantly reduces the amount of filtering code running at the kernel level and moves all rule parsing and protocol-handling logic into user space.
Main changes:
- Support for matching packets by time. You can specify both a time and a date range during which a rule will fire, and configure triggering on individual days of the week. A new "-T" option was also added to display epoch time in seconds.
    meta time \"2019-12-24 16:00\" - \"2020-01-02 7:00\"
    meta hour \"17:00\" - \"19:00\"
    meta day \"Fri\"
- Support for restoring and saving SELinux marks (secmark).
    ct secmark set meta secmark
    meta secmark set ct secmark
- Support for synproxy map lists, which lets you define more than one rule per backend.
    table ip foo {
        synproxy https-synproxy {
            mss 1460
            wscale 7
            timestamp sack-perm
        }
        synproxy other-synproxy {
            mss 1460
            wscale 5
        }
        chain pre {
            type filter hook prerouting priority raw; policy accept;
            tcp dport 8888 tcp flags syn notrack
        }
        chain bar {
            type filter hook forward priority filter; policy accept;
            ct state invalid,untracked synproxy name ip saddr map { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" }
        }
    }
- The ability to dynamically delete set elements from packet-processing rules.
    nft add rule ... delete @set5 { ip6 saddr . ip6 daddr }
- Support for VLAN mapping by the ID and protocol specified in the network bridge interface metadata.
    meta ibrpvid 100
    meta ibrvproto vlan
- The "-t" ("--terse") option to omit set elements when displaying rules. Running "nft -t list ruleset" will output:
    table ip x {
        set y {
            type ipv4_addr
        }
    }
  And with "nft list ruleset":
    table ip x {
        set y {
            type ipv4_addr
            elements = { 192.168.10.2, 192.168.20.1,
                         192.168.4.4, 192.168.2.34 }
        }
    }
- The ability to specify more than one device in netdev chains (works only with kernel 5.5) to combine common filtering rules.
    add table netdev x
    add chain netdev x y { \
        type filter hook ingress devices = { eth0, eth1 } priority 0;
    }
- The ability to add descriptions of data types.
    # nft describe ipv4_addr
    datatype ipv4_addr (IPv4 address) (basetype integer), 32 bits
- The ability to build the CLI interface with the linenoise library instead of libreadline.
    ./configure --with-cli=linenoise
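The time-matching keywords from the first item in the list, combined into one loadable ruleset file that admits SSH only from an admin set during a weekday window and logs everything else. This is an added example, not taken from the original article or the nftables project; the table name mgmt, the set admins, the log prefixes and all addresses are assumptions.

```nft
# Added example: constructed ruleset file, loaded with "nft -f <file>".
# Table "mgmt", set "admins" and all addresses are assumptions
# (addresses are taken from the documentation ranges).
# Inside a file the quotes are written plainly; the backslash escapes
# are only needed when the rule is typed on a shell command line.
table ip mgmt {
    set admins {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/28, 198.51.100.7 }
    }

    chain input {
        type filter hook input priority filter; policy accept;
        # Sessions that are already open are not cut off when the window closes:
        # the time match below only gates new connections.
        ct state established,related accept
        tcp dport 22 jump ssh_window
    }

    chain ssh_window {
        # Source check first, so off-hours log lines only concern admin hosts.
        ip saddr != @admins log prefix "ssh-not-admin: " drop
        meta day "Saturday" log prefix "ssh-weekend: " drop
        meta day "Sunday" log prefix "ssh-weekend: " drop
        meta hour "08:00"-"18:00" accept
        log prefix "ssh-off-hours: " drop
    }
}
```

Running "nft -c -f <file>" first checks the file for syntax errors without applying it. The log prefixes give a detection pipeline a distinct string for each rejection reason.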
Source: opennet.ru