nftables packet filter 1.0.0 released

The nftables 1.0.0 packet filter release has been published. nftables unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridges (it is intended to replace iptables, ip6tables, arptables and ebtables). The kernel-side changes required by the nftables 1.0.0 release are included in the Linux 5.13 kernel. The jump in the major version number is not tied to any fundamental change; it is only the result of continuing the version numbering consistently in decimal notation (the previous release was 0.9.9).

The nftables package contains the components of the packet filter that run in user space, while the kernel-level work is done by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel side provides only a generic, protocol-independent interface with basic operations for extracting data from packets, performing operations on that data, and controlling the flow of evaluation.

Filtering rules and protocol-specific handlers are compiled into bytecode in user space; that bytecode is then loaded into the kernel over the Netlink interface and executed in the kernel by a dedicated virtual machine reminiscent of BPF (Berkeley Packet Filters). This design keeps the amount of filtering code running at kernel level small and moves all rule parsing and protocol handling logic into user space.

Main changes:

  • Support for the catch-all element "*" has been added to sets and maps. It matches any packet that does not fall under any other element defined in the set. For example, a verdict map whose catch-all entry drops everything outside the listed prefixes:

        table x {
            map blocklist {
                type ipv4_addr : verdict
                flags interval
                elements = { 192.168.0.0/16 : accept, 10.0.0.0/8 : accept, * : drop }
            }
            chain y {
                type filter hook prerouting priority 0; policy accept;
                ip saddr vmap @blocklist
            }
        }

  • Variables can now be defined from the command line with the "--define" option:

        # cat test.nft
        table netdev x {
            chain y {
                type filter hook ingress devices = $dev priority 0; policy drop;
            }
        }
        # nft --define dev="{ eth0, eth1 }" -f test.nft

  • Stateful expressions (counters) are allowed in map elements, so each map entry, including the catch-all, keeps its own packet and byte counts:

        table inet filter {
            map portmap {
                type inet_service : verdict
                counter
                elements = { 22 counter packets 0 bytes 0 : jump ssh_input, * counter packets 0 bytes 0 : drop }
            }
            chain ssh_input {
            }
            chain wan_input {
                tcp dport vmap @portmap
            }
            chain prerouting {
                type filter hook prerouting priority raw; policy accept;
                iif vmap { "bond0" : jump wan_input }
            }
        }

  • The "list hooks" command has been added to show the hooks registered for a given packet family, ordered by priority. The listing also shows hooks that do not belong to nf_tables (the SELinux hooks below), which a review of the ruleset alone would miss:

        # nft list hooks ip device eth0
        family ip {
            hook ingress {
                +0000000010 chain netdev x y [nf_tables]
                +0000000300 chain inet m w [nf_tables]
            }
            hook input {
                -0000000100 chain ip a b [nf_tables]
                +0000000300 chain inet m z [nf_tables]
            }
            hook forward {
                -0000000225 selinux_ipv4_forward
                 0000000000 chain ip a c [nf_tables]
            }
            hook output {
                -0000000225 selinux_ipv4_output
            }
            hook postrouting {
                +0000000225 selinux_ipv4_postroute
            }
        }

  • The queue expression can be combined with the jhash, symhash and numgen expressions to distribute packets across user-space queues:

        ... queue to symhash mod 65536
        ... queue flags bypass to numgen inc mod 65536
        ... queue to jhash oif . meta mark mod 32

    "queue" can also be combined with a map to select the user-space queue from an arbitrary key:

        ... queue flags bypass to oifname map { "eth0" : 0, "ppp0" : 2, "eth1" : 2 }

  • Variables holding a list of elements can be expanded inside sets and maps:

        define interfaces = { eth0, eth1 }
        table ip x {
            chain y {
                type filter hook input priority 0; policy accept;
                iifname vmap { lo : accept, $interfaces : drop }
            }
        }
        # nft -f x.nft
        # nft list ruleset
        table ip x {
            chain y {
                type filter hook input priority 0; policy accept;
                iifname vmap { "lo" : accept, "eth0" : drop, "eth1" : drop }
            }
        }

  • Concatenations containing ranges are allowed in vmaps (verdict maps):

        # nft add rule x y tcp dport . ip saddr vmap { 1025-65535 . 192.168.10.2 : accept }

  • Simplified syntax for NAT maps. The mapped value may be an address range:

        ... snat to ip saddr map { 10.141.11.4 : 192.168.2.2-192.168.2.4 }

    an explicit IP address together with a port:

        ... dnat to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 }

    or a combination of an address range and a port range:

        ... dnat to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.2-10.141.10.5 . 8888-8999 }
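The "list hooks" output above is the first place nftables shows hooks registered by other kernel modules next to your own base chains. The following script, an added example and not code from the nftables project, parses that listing (embedded as a constant, copied from the sample above, so it runs offline) and answers the review questions a practitioner actually has: in what order do the hooks at one hook point run, which ones are not nf_tables chains, and what sees a packet before a given chain. The line shapes it recognises (`+0000000010 chain netdev x y [nf_tables]` and `-0000000225 selinux_ipv4_forward`) are the ones in the sample; the assumption that netfilter calls hooks in ascending priority order is how netfilter hook priorities work, and the function names are the author's own.

```python
"""Parse `nft list hooks` output (nftables 1.0.0) into an ordered view of
which hook functions run at each netfilter hook point.

Added example; not part of nftables.  SAMPLE is the listing from the release
notes, embedded here so the script runs without a kernel or nft binary.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE = """\
family ip {
    hook ingress {
        +0000000010 chain netdev x y [nf_tables]
        +0000000300 chain inet m w [nf_tables]
    }
    hook input {
        -0000000100 chain ip a b [nf_tables]
        +0000000300 chain inet m z [nf_tables]
    }
    hook forward {
        -0000000225 selinux_ipv4_forward
         0000000000 chain ip a c [nf_tables]
    }
    hook output {
        -0000000225 selinux_ipv4_output
    }
    hook postrouting {
        +0000000225 selinux_ipv4_postroute
    }
}
"""


@dataclass(frozen=True)
class Hook:
    hook_point: str        # ingress, input, forward, output, postrouting
    priority: int          # signed; netfilter calls lower priorities first
    name: str              # "netdev x y" (family table chain) or the raw hook symbol
    module: Optional[str]  # "nf_tables" for base chains, None for foreign hooks

    @property
    def is_nftables(self) -> bool:
        return self.module == "nf_tables"


HOOK_RE = re.compile(r"^\s*hook\s+(\w+)\s*\{")
# Either "<prio> chain <family> <table> <chain> [<module>]" or "<prio> <symbol>".
ENTRY_RE = re.compile(
    r"^\s*([+-]?)(\d+)\s+(?:chain\s+(\S+)\s+(\S+)\s+(\S+)\s*\[(\w+)\]|(\S+))\s*$"
)


def parse_list_hooks(text: str) -> List[Hook]:
    hooks: List[Hook] = []
    current: Optional[str] = None
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if not m or current is None:
            continue
        sign, digits, fam, table, chain, module, symbol = m.groups()
        prio = int(digits) * (-1 if sign == "-" else 1)
        if chain:
            hooks.append(Hook(current, prio, f"{fam} {table} {chain}", module))
        else:
            hooks.append(Hook(current, prio, symbol, None))
    return hooks


def pipeline(hooks: List[Hook], hook_point: str) -> List[Hook]:
    """Hooks at one hook point in the order netfilter will call them."""
    return sorted((h for h in hooks if h.hook_point == hook_point),
                  key=lambda h: h.priority)


def foreign_hooks(hooks: List[Hook]) -> List[Hook]:
    """Hooks not owned by nf_tables: invisible to `nft list ruleset`."""
    return [h for h in hooks if not h.is_nftables]


def runs_before(hooks: List[Hook], hook_point: str, name: str) -> List[str]:
    """Names of hooks that see a packet before chain `name` at `hook_point`."""
    ordered = pipeline(hooks, hook_point)
    target = next(h for h in ordered if h.name == name)
    return [h.name for h in ordered if h.priority < target.priority]


if __name__ == "__main__":
    parsed = parse_list_hooks(SAMPLE)
    for point in ("ingress", "input", "forward", "output", "postrouting"):
        print(point)
        for h in pipeline(parsed, point):
            tag = "" if h.is_nftables else "  (not nf_tables)"
            print(f"  {h.priority:+11d} {h.name}{tag}")
```

Run it on the live output of `nft list hooks <family> device <dev>` to spot hooks that precede your filtering chains (here the SELinux forward hook at -225 runs before the chain at priority 0) and hooks that another module registered without appearing in the ruleset.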

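The three queue selectors listed above (symhash, numgen inc, and jhash over chosen selectors, plus the oifname map) behave very differently for a connection inspected by several user-space workers behind NFQUEUE. The model below is an added example, not nftables code: it stands in for the kernel hashes with 32 bits of SHA-256 over the key (the kernel uses jhash and its own symmetric flow hash, so the actual queue numbers differ, but the properties shown hold), and the two packets are constructed. Function and field names are the author's own. What it shows is that symhash puts both directions of a flow on the same queue, jhash only does so when the selectors you hash happen to be direction-independent, and numgen inc spreads even one flow across all queues.

```python
"""Model of nftables 1.0.0 queue selection:
    queue to symhash mod N
    queue to numgen inc mod N
    queue to jhash <selectors> mod N
    queue to oifname map { ... }
Added example, not nftables code; hashes are a stand-in for the kernel's.
"""
import hashlib
import itertools
from typing import Dict, Iterator, List, Optional, Sequence, Tuple

# (saddr, daddr, sport, dport, oifname, mark); values below are constructed.
Packet = Tuple[str, str, int, int, str, int]
FIELDS = ("saddr", "daddr", "sport", "dport", "oifname", "mark")


def _hash32(key) -> int:
    # Stand-in for the kernel hash: first 32 bits of SHA-256 over the key.
    return int.from_bytes(hashlib.sha256(repr(key).encode()).digest()[:4], "big")


def symhash(p: Packet, mod: int) -> int:
    """`queue to symhash mod N`: hash over the flow endpoints, ordered so that
    A->B and B->A hash identically.  Both directions of a connection land on
    the same queue, which a stateful inspector (IDS/IPS) requires."""
    saddr, daddr, sport, dport, _, _ = p
    endpoints = sorted([(saddr, sport), (daddr, dport)])
    return _hash32(tuple(endpoints)) % mod


def jhash(p: Packet, keys: Sequence[str], mod: int) -> int:
    """`queue to jhash <selectors> mod N`: hash over exactly the selectors
    listed (e.g. oif . meta mark).  Direction-independent only if the keys are."""
    fields = dict(zip(FIELDS, p))
    return _hash32(tuple(fields[k] for k in keys)) % mod


def numgen_inc(mod: int) -> Iterator[int]:
    """`queue to numgen inc mod N`: a per-rule counter, i.e. round robin.
    Packets of one flow are spread over every queue regardless of content."""
    return itertools.cycle(range(mod))


def oifname_map(p: Packet, table: Dict[str, int],
                default: Optional[int] = None) -> Optional[int]:
    """`queue to oifname map { ... }`: explicit interface -> queue number.
    A packet whose interface is not in the map gets `default` (no match)."""
    return table.get(p[4], default)


def assign(packets: Sequence[Packet], mod: int) -> List[Dict[str, int]]:
    """Queue number each strategy picks for each packet, side by side."""
    rr = numgen_inc(mod)
    return [
        {"symhash": symhash(p, mod),
         "jhash_oif_mark": jhash(p, ("oifname", "mark"), mod),
         "numgen_inc": next(rr)}
        for p in packets
    ]


# One TCP connection seen in both directions (constructed addresses).
CLIENT_TO_SERVER: Packet = ("192.0.2.10", "198.51.100.20", 40000, 443, "eth0", 0)
SERVER_TO_CLIENT: Packet = ("198.51.100.20", "192.0.2.10", 443, 40000, "eth1", 0)
OIF_QUEUES = {"eth0": 0, "ppp0": 2, "eth1": 2}

if __name__ == "__main__":
    for p, q in zip((CLIENT_TO_SERVER, SERVER_TO_CLIENT, CLIENT_TO_SERVER),
                    assign([CLIENT_TO_SERVER, SERVER_TO_CLIENT, CLIENT_TO_SERVER], 4)):
        print(f"{p[0]:>14} -> {p[1]:<14} {q}  oifname map -> {oifname_map(p, OIF_QUEUES)}")
```

For a stateful inspector with N workers, `queue to symhash mod N` is the selector that keeps a connection's two directions together; `numgen inc` is only suitable when each packet can be judged on its own, and a jhash over selectors such as `oif . meta mark` ties the queue choice to whatever those keys are rather than to the flow.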
Source: opennet.ru
