nftables packet filter 0.9.4 release

The release of the nftables packet filter 0.9.4 has been published. nftables is being developed as a replacement for iptables, ip6tables, arptables and ebtables, unifying the packet filtering interfaces for IPv4, IPv6, ARP and network bridges. The nftables package contains the user-space packet filter components, while the kernel-level functionality is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel changes required for the nftables 0.9.4 release to work are included in the upcoming Linux 5.6 kernel branch.

The kernel level provides only a generic, protocol-independent interface offering basic operations for extracting data from packets, operating on that data, and controlling flow. The filtering rules and protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel over the Netlink interface and executed in the kernel by a special virtual machine reminiscent of BPF (Berkeley Packet Filters). This approach makes it possible to greatly reduce the amount of filtering code running at the kernel level and to move all rule-parsing work and protocol logic into user space.

Main changes:

  • Support for ranges in concatenations (combinations of specific sets of addresses and ports that simplify matching). For example, for a "whitelist" set whose elements are concatenations, specifying the "interval" flag indicates that the set may contain ranges within the concatenation (for the concatenation "ipv4_addr . ipv4_addr . inet_service" it was previously only possible to list exact matches of the form "192.168.10.35 . 192.68.11.123", whereas now address groups such as "192.168.10.35-192.168.10.40 . 192.68.11.123 . 80" can be specified).

    table ip foo {
        set whitelist {
            type ipv4_addr . ipv4_addr . inet_service
            flags interval
            elements = { 192.168.10.35-192.168.10.40 . 192.68.11.123-192.168.11.125 . 80 }
        }

        chain bar {
            type filter hook prerouting priority filter; policy drop;
            ip saddr . ip daddr . tcp dport @whitelist accept
        }
    }
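As an added illustration (not code from nftables or from the announcement), the following Python models how a concatenated interval set like the "whitelist" above decides a packet: each element is a tuple of per-field ranges, and a lookup succeeds only when every field of the packet key falls inside the corresponding range of a single element. The set contents and the packet tuples are constructed for this example.

```python
# Added illustration (not nftables code): a user-space model of a set with
# "flags interval" over the concatenation ipv4_addr . ipv4_addr . inet_service.
# Set elements and packet keys below are constructed for this example.
import ipaddress
import re


def parse_field(text):
    """Return (lo, hi) integers for 'a-b' or for a single address/port value."""
    lo, _, hi = text.strip().partition("-")
    hi = hi or lo
    if "." in lo:  # dotted values are IPv4 addresses, everything else is a port
        return int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi))
    return int(lo), int(hi)


def parse_elements(spec):
    """Parse 'a . b . c, d . e . f' into a list of per-field (lo, hi) tuples.

    Fields are separated by ' . ' (dot surrounded by spaces), so the dots
    inside IPv4 addresses are left untouched.
    """
    elements = []
    for element in spec.split(","):
        fields = re.split(r"\s\.\s", element.strip())
        elements.append(tuple(parse_field(f) for f in fields))
    return elements


def lookup(elements, key):
    """True if one element's intervals contain the packet key in every field."""
    values = [parse_field(str(v))[0] for v in key]
    for element in elements:
        if len(element) != len(values):
            raise ValueError("key arity does not match the set's concatenation")
        if all(lo <= v <= hi for (lo, hi), v in zip(element, values)):
            return True
    return False


# Same element as the "whitelist" set in the announcement.
WHITELIST = parse_elements(
    "192.168.10.35-192.168.10.40 . 192.68.11.123-192.168.11.125 . 80"
)


def verdict(saddr, daddr, dport):
    """Mirror 'ip saddr . ip daddr . tcp dport @whitelist accept' under policy drop."""
    return "accept" if lookup(WHITELIST, (saddr, daddr, dport)) else "drop"


if __name__ == "__main__":
    for pkt in [("192.168.10.37", "192.168.11.124", 80),
                ("192.168.10.41", "192.168.11.124", 80),
                ("192.168.10.37", "192.168.11.124", 443)]:
        print(pkt, "->", verdict(*pkt))
```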

  • In sets and maps, the "typeof" statement can be used; it defines the element format from the expression that will be matched against.
    Example:

    table ip foo {
        set whitelist {
            typeof ip saddr
            elements = { 192.168.10.35, 192.168.10.101, 192.168.10.135 }
        }

        chain bar {
            type filter hook prerouting priority filter; policy drop;
            ip daddr @whitelist accept
        }
    }

    table ip foo {
        map addr2mark {
            typeof ip saddr : meta mark
            elements = { 192.168.10.35 : 0x00000001, 192.168.10.135 : 0x00000002 }
        }
    }

  • Added the ability to use concatenations in NAT mappings, which allows the address and port to be specified together when defining a NAT translation based on maps or named sets:

    nft add rule ip nat pre dnat ip addr . port to ip saddr map { 1.1.1.1 : 2.2.2.2 . 30 }

    nft add map ip nat destinations { type ipv4_addr . inet_service : ipv4_addr . inet_service \; }
    nft add rule ip nat pre dnat ip addr . port to ip saddr . tcp dport map @destinations

  • Support for hardware offload of certain filtering operations to the network card. Offload is enabled with ethtool ("ethtool -K eth0 hw-tc-offload on") and then activated in nftables for a base chain using the "offload" flag. With Linux kernel 5.6, hardware offload is supported for matching header fields and checking the ingress interface, combined with the accept, drop, duplicate (dup) and forward (fwd) actions on packets. In the example below, dropping packets from the address 192.168.30.20 is performed at the network card level, without passing the packets to the kernel:

    # cat file.nft
    table netdev x {
        chain y {
            type filter hook ingress device eth0 priority 10; flags offload;
            ip saddr 192.168.30.20 drop
        }
    }
    # nft -f file.nft

  • Improved reporting of the location of errors in rules.

    # nft delete rule ip yz handle 7
    Error: Could not process rule: No such file or directory
    delete rule ip yz handle 7
                   ^^

    # nft delete rule ip xx handle 7
    Error: Could not process rule: No such file or directory
    delete rule ip xx handle 7
                             ^

    # nft delete table twst
    Error: No such file or directory; did you mean table ‘test’ in family ip?
    delete table twst
                 ^^^^

    The first example shows that table "yz" does not exist in the system, the second that handle "7" is missing, and the third that a typo hint is shown when the table name is mistyped.

  • Added support for checking the slave interface by specifying "meta sdif" or "meta sdifname":

    ... meta sdifname vrf1 ...

  • Added support for right and left shift operations. For example, to shift the existing packet mark left by 1 bit and set the least significant bit to 1:

    ... meta mark set meta mark lshift 1 or 0x1 ...

  • Implemented the "-V" option to display extended version information.

    # nft -V
    nftables v0.9.4 (Jive at Five)
    cli:        readline
    json:       yes
    minigmp:    no
    libxtables: yes

  • Command-line options must now be specified before commands. For example, "nft -a list ruleset" must be used, and running "nft list ruleset -a" will produce an error.

    source: opennet.ru