ProHoster > Ibhulogi > iindaba ze-intanethi > i-nftables packet filter 1.0.1 ukukhululwa

i-nftables packet filter 1.0.1 ukukhululwa

i-nftables 1.0.1, isakhelo sokucoca iipakethi esidibanisa ujongano lokucoca iipakethi ze-IPv4, IPv6, ARP, kunye neebridges zenethiwekhi, ikhutshiwe (ejoliswe endaweni yee-iptables, i-ip6table, ii-arptables, kunye nee-ebtables). Utshintsho olufunekayo kwii-nftables 1.0.1 lufakiwe kwi-kernel. Linux 5.16-rc1.

Iphakheji ye-nftables iqulethe izixhobo zesihluzi sepakethi ezisebenza kwindawo yomsebenzisi, ngelixa umsebenzi wenqanaba le-kernel unikezelwa yinkqubo engaphantsi ye-nf_tables, eyinxalenye ye-kernel. Linux Ukususela ekukhutshweni kwe-3.13, kuphela ujongano oluzimeleyo lweprotocol oluqhelekileyo olunikezelwa kwinqanaba le-kernel, olubonelela ngokusebenza okusisiseko kokukhupha idatha kwiipakethi, ukwenza imisebenzi yedatha, kunye nolawulo lokuhamba kwamanzi.

Imithetho yokucoca ngokwayo kwaye abaphathi beprotocol ethile bahlanganiswa kwi-bytecode kwindawo yomsebenzisi, emva koko le bytecode ilayishwa kwi-kernel kusetyenziswa i-Netlink interface kwaye yenziwe kwi-kernel ngendlela ekhethekileyo. umatshini wenyani, okukhumbuza i-BPF (Berkeley Packet Filters). Le ndlela ivumela ukuncipha okukhulu kubungakanani bekhowudi yokucoca esebenza kwinqanaba le-kernel kwaye ihambisa yonke i-rule parsing kunye ne-protocol logic kwindawo yomsebenzisi.

Iinguqulelo eziphambili:

  • Ukunciphisa ukusetyenziswa kwememori xa ulayisha isethi enkulu kunye noluhlu lweemephu.
  • Ukulayishwa kwakhona koluhlu kunye noluhlu lweemephu kukhawulezisiwe.
  • Imveliso yeetheyibhile ezikhethiweyo kunye namatyathanga kwiisethi ezinkulu zemithetho iye yakhawuleza. Umzekelo, ixesha lophumezo lomyalelo "nft uluhlu lweseti yemithetho" ukubonisa uluhlu lwemithetho ene-100 lamawaka imiqolo yi-3.049 imizuzwana, kwaye xa ukhupha kuphela i-nat kunye neetafile zokucoca ("nft uluhlu lwetafile nat", "nft uluhlu lwetafile yokucoca itafile ”) ithotywe ukuya kwimizuzwana eyi-1.969 kunye ne-0.697.
  • Ukuphunyezwa kwemibuzo ngokhetho lwe-“--terse” lukhawuleziswe xa kusenziwa imithetho enesethi enkulu- kunye noluhlu lwemephu.
  • Kunokwenzeka ukucoca i-traffic kwi-chain "egress", eqhutyelwa kwinqanaba elifanayo kunye nomphathi we-egress kwikhonkco ye-netdev (egress hook), i.e. kwinqanaba xa umqhubi efumana ipakethe kwi-kernel network stack. itafile netdev icebo lokucoca {ikhonkco egress {uhlobo lokucoca hook izixhobo egress = {eth0, eth1} kuqala 0; Imeta ephambili iseti ip saddr imephu {192.168.10.2: abcd:2, 192.168.10.3: abcd:3}}}
  • Ivumela uthelekiso kunye nohlengahlengiso lwee-byte kwiheda kunye nemixholo yepakethi kwindawo ethile. # nft yongeza umthetho xy @ih,32,32 0x14000000 counter # nft yongeza umthetho xy @ih,32,32 usete 0x14000000 counter

umthombo: opennet.ru

Thenga ukusingathwa okuthembekileyo kwiindawo ezinokhuseleko lweDDoS, iiseva zeVPS VDS 🔥 Thenga ukusingathwa kwewebhusayithi okuthembekileyo ngokhuseleko lwe-DDoS, iiseva zeVPS VDS | ProHoster