nftables packet filter 1.0.2 released

The release of the nftables packet filter 1.0.2 has been published, unifying the packet-filtering interfaces for IPv4, IPv6, ARP and network bridges (it is aimed at replacing iptables, ip6tables, arptables and ebtables). The kernel changes required by the nftables 1.0.2 release are included in Linux kernel 5.17-rc.

The nftables package contains the user-space components of the packet filter, while the kernel-level work is done by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel side provides only a generic, protocol-independent interface offering the basic operations of extracting data from packets, performing operations on that data, and controlling flow.

Filtering rules and protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel over the Netlink interface and executed there in a special virtual machine reminiscent of BPF (Berkeley Packet Filters). This approach substantially reduces the amount of filtering code that runs at kernel level and moves all rule parsing and protocol logic into user space.

Main changes:

  • A rule optimization mode has been implemented, enabled with the new "-o" ("--optimize") option, which can be combined with the "--check" option to check and optimize the changes in a ruleset file without loading it. The optimization lets similar rules be merged; for example, the rules:

        meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
        meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.5 accept
        ip saddr 1.1.1.1 ip daddr 2.2.2.2 accept
        ip saddr 2.2.2.2 ip daddr 3.3.3.3 drop

    will be merged into:

        meta iifname . ip saddr . ip daddr { eth1 . 1.1.1.1 . 2.2.2.3, eth1 . 1.1.1.2 . 2.2.2.5 } accept
        ip saddr . ip daddr vmap { 1.1.1.1 . 2.2.2.2 : accept, 2.2.2.2 . 3.3.3.3 : drop }

    Usage example:

        # nft -c -o -f ruleset.test
        Merging:
        ruleset.nft:16:3-37: ip daddr 192.168.0.1 counter accept
        ruleset.nft:17:3-37: ip daddr 192.168.0.2 counter accept
        ruleset.nft:18:3-37: ip daddr 192.168.0.3 counter accept
        into:
        ip daddr { 192.168.0.1, 192.168.0.2, 192.168.0.3 } counter packets 0 bytes 0 accept

  • Sets can now be keyed on ip and tcp options and on sctp chunk fields:

        set s5 {
          typeof ip option ra value
          elements = { 1, 1024 }
        }
        set s7 {
          typeof sctp chunk init num-inbound-streams
          elements = { 1, 4 }
        }
        chain c5 {
          ip option ra value @s5 accept
        }
        chain c7 {
          sctp chunk init num-inbound-streams @s7 accept
        }

  • Added support for the TCP options fastopen, md5sig and mptcp.
  • Added support for using the mptcp subtype in maps: tcp option mptcp subtype 1
  • Improved kernel-side filtering code.
  • Flowtables now have full support for the JSON format.
  • The "reject" action can now be used in rules that match on Ethernet frame fields: ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject
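To make the "-o" behaviour described above concrete, here is an added toy re-implementation of the merge step. It is not nftables' own optimizer (which works on the parsed expression tree inside the nft binary) and does not call nft; it works on a simplified textual rule grammar (two-word selector keys, single-token values, a few statement keywords, a verdict) and shows the two merge shapes from the announcement: adjacent rules with the same selectors and the same verdict collapse into one rule with an anonymous set, and adjacent rules with the same selectors but different verdicts collapse into a verdict map (vmap). It only merges adjacent rules, since rule order decides which rule a packet hits first, and it emits "counter" as written rather than with the live state that nft prints. The input rules are the four from the announcement, embedded here as constructed sample data; the generalization to any number of selectors and to a dead-rule check is the example's own.

```python
"""Added illustration of the rule merging that nft -o/--optimize performs.

This is not nftables' optimizer; it is a toy over a simplified rule grammar
written to show the two merge shapes the 1.0.2 announcement describes:
  - same selectors, same verdict   -> one rule with an anonymous set
  - same selectors, mixed verdicts -> one rule with a verdict map (vmap)
Only adjacent rules are merged, because rule order decides which rule a
packet hits first. "counter" is kept as written; real nft prints it with its
live state ("counter packets 0 bytes 0").
"""
from dataclasses import dataclass, field
from itertools import groupby

VERDICTS = {"accept", "drop", "reject", "continue", "return"}
STATEMENTS = {"counter", "log", "notrack"}   # statements the toy grammar knows


@dataclass
class Rule:
    selectors: list = field(default_factory=list)   # [("ip saddr", "1.1.1.1"), ...]
    statements: list = field(default_factory=list)  # e.g. ["counter"]
    verdict: str = ""


def parse_rule(text):
    """Parse '(<key> <key> <value>)* <statement>* <verdict>' (simplified grammar)."""
    toks = text.split()
    rule, i = Rule(), 0
    while i < len(toks):
        if toks[i] in VERDICTS:
            rule.verdict = toks[i]
            i += 1
        elif toks[i] in STATEMENTS:
            rule.statements.append(toks[i])
            i += 1
        else:
            # two-word selector followed by one value, e.g. "meta iifname eth1"
            if i + 2 >= len(toks):
                raise ValueError(f"cannot parse rule: {text!r}")
            rule.selectors.append((f"{toks[i]} {toks[i + 1]}", toks[i + 2]))
            i += 3
    if not rule.verdict:
        raise ValueError(f"rule has no verdict: {text!r}")
    return rule


def _signature(rule):
    """Rules merge only if they test the same keys in the same order with the
    same statements; verdicts may differ (that case becomes a vmap)."""
    return (tuple(k for k, _ in rule.selectors), tuple(rule.statements))


def _render_merged(rules):
    keys = " . ".join(k for k, _ in rules[0].selectors)
    stmts = " ".join(rules[0].statements)
    elems, seen = [], set()
    for r in rules:
        e = " . ".join(v for _, v in r.selectors)
        if e in seen:            # first match wins, so a later duplicate is dead
            continue
        seen.add(e)
        elems.append((e, r.verdict))
    if len({v for _, v in elems}) == 1:
        body = ", ".join(e for e, _ in elems)
        return " ".join(p for p in (f"{keys} {{ {body} }}", stmts, elems[0][1]) if p)
    body = ", ".join(f"{e} : {v}" for e, v in elems)
    return " ".join(p for p in (stmts, f"{keys} vmap {{ {body} }}") if p)


def _render_single(r):
    return " ".join([f"{k} {v}" for k, v in r.selectors] + r.statements + [r.verdict])


def optimize(lines):
    """Return the rule list with each run of adjacent mergeable rules collapsed."""
    rules = [parse_rule(l) for l in lines if l.strip()]
    out = []
    for _, run in groupby(rules, key=_signature):
        run = list(run)
        out.append(_render_single(run[0]) if len(run) == 1 else _render_merged(run))
    return out


# Constructed input: the four rules quoted in the announcement above.
EXAMPLE_RULES = [
    "meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept",
    "meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.5 accept",
    "ip saddr 1.1.1.1 ip daddr 2.2.2.2 accept",
    "ip saddr 2.2.2.2 ip daddr 3.3.3.3 drop",
]

if __name__ == "__main__":
    for line in optimize(EXAMPLE_RULES):
        print(line)
```

The adjacency rule is the part worth keeping in mind when reviewing what "nft -c -o" proposes: a rule with a different selector set sitting between two otherwise mergeable rules is an ordering barrier, and a later rule whose match is identical to an earlier one can never fire, so a merge that silently absorbs it changes nothing a packet can observe.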

Source: opennet.ru
