Itusilẹ ti àlẹmọ apo-iwe nftables 1.0.0 ti ṣe atẹjade, awọn atọkun sisẹ apo-iṣọkan fun IPv4, IPv6, ARP ati awọn afara nẹtiwọọki (ti a pinnu lati rọpo iptables, ip6table, arptables ati ebtables). Awọn ayipada ti o nilo fun itusilẹ nfttables 1.0.0 lati ṣiṣẹ wa ninu ekuro Linux 5.13. Iyipada pataki ninu nọmba ikede ko ni nkan ṣe pẹlu eyikeyi awọn ayipada ipilẹ, ṣugbọn o jẹ abajade ti ilọsiwaju deede ti nọmba ni amiakosile eleemewa (itusilẹ iṣaaju jẹ 0.9.9).
Apopọ nftables pẹlu awọn paati àlẹmọ apo-iwe ti o ṣiṣẹ ni aaye olumulo, lakoko ti iṣẹ ipele kernel ti pese nipasẹ eto ipilẹ-nf_tables, eyiti o jẹ apakan ti ekuro Linux lati itusilẹ 3.13. Ipele ekuro n pese nikan ni wiwo olominira ilana ilana jeneriki ti o pese awọn iṣẹ ipilẹ fun yiyo data lati awọn apo-iwe, ṣiṣe awọn iṣẹ data, ati iṣakoso sisan.
Awọn ofin sisẹ funrara wọn ati awọn olutọju-ila-ilana ni a ṣajọpọ sinu bytecode olumulo-aaye, lẹhin eyiti a ti kojọpọ bytecode yii sinu ekuro nipa lilo wiwo Netlink ati ṣiṣe ni ekuro ni ẹrọ foju pataki kan ti o jọmọ BPF (Awọn Ajọ Packet Berkeley). Ọna yii jẹ ki o ṣee ṣe lati dinku iwọn iwọn koodu sisẹ ti n ṣiṣẹ ni ipele ekuro ati gbe gbogbo awọn iṣẹ ti awọn ofin itọka ati ọgbọn ti ṣiṣẹ pẹlu awọn ilana sinu aaye olumulo.
Awọn imotuntun akọkọ:
- Atilẹyin fun nkan boju-boju “*” ti ṣafikun si awọn atokọ ṣeto, eyiti o jẹfa fun eyikeyi awọn idii ti ko ṣubu labẹ awọn eroja miiran ti asọye ninu ṣeto. tabili x {mapu blocklist {iru ipv4_addr: idajo awọn asia aarin eroja = {192.168.0.0/16: gba, 10.0.0.0/8: gba, * : ju}} pq y { Iru àlẹmọ kio prerouting ayo 0; imulo gba; ip saddr vmap @blocklist }}
- O ṣee ṣe lati ṣalaye awọn oniyipada lati laini aṣẹ nipa lilo aṣayan “--define”. # cat test.nft tabili netdev x {pq y {iru àlẹmọ ìkọ ingress awọn ẹrọ = $dev ayo 0; silẹ eto imulo; } } # nft —define dev="{ eth0, eth1 }" -f test.nft
- Ninu awọn atokọ maapu, lilo awọn ikosile igbagbogbo (ipinlẹ) ni a gba laaye: àlẹmọ tabili inet {mapu portmap {type inet_service : verdict counter elements = { 22 counter packets 0 bytes 0 : jump ssh_input, * counter packets 0 bytes 0 : drop}} pq ssh_input {} pq wan_input {tcp dport vmap @portmap} pq prerouting {iru àlẹmọ kio prerouting ayo aise; imulo gba; iif vmap {"lo": fo wan_input }}}
- Fikun aṣẹ “akojọ atokọ” lati ṣafihan atokọ awọn olutọju fun idile apo-iwe ti a fun: # nft list hooks ip device eth0 family ip { hook ingress { +0000000010 chain netdev xy [nf_tables] +0000000300 chain inet mw [nf_tables]} input hook {-0000000100 pq ip ab [nf_tables] +0000000300 pq inet mz [nf_tables] } kio siwaju {-0000000225 selinux_ipv4_forward 0000000000 pq ip ac [nf_tables0000000225 -4} } ìkọ́ ìkọjá {+0000000225 4 selinux_ipvXNUMX_postroute}}
- Awọn bulọọki isinku gba jhash, symhash, ati awọn ikosile numgen ni idapo lati pin kaakiri awọn apo-iwe si awọn ila ni aaye olumulo. … queue to symhash mod 65536 … queue flags fori to numgen inc mod 65536 … queue to jhash oif . meta mark mod 32 "isinyi" tun le ni idapo pelu awọn akojọ maapu lati yan isinyi ni aaye olumulo ti o da lori awọn bọtini lainidii. ... awọn asia ti isinyi fori si maapu oifname {"eth0" : 0, "ppp0" : 2, "eth1" : 2 }
- O ṣee ṣe lati faagun awọn oniyipada ti o pẹlu atokọ ti a ṣeto sinu awọn maapu pupọ. setumo awọn atọkun = {eth0, eth1} tabili ip x {pq y {Iru àlẹmọ kio igbewọle ayo 0; imulo gba; iifname vmap {lo : gba, $ awọn atọkun: silẹ}} } # nft -f x.nft # nft akojọ awọn ofinet tabili ip x {pq y { iru àlẹmọ kio igbewọle ayo 0; imulo gba; iifname vmap {"lo" : gba, "eth0" : silẹ, "eth1" : silẹ}}}
- Pipọpọ awọn vmaps (maapu idajọ) ni awọn aaye arin ni a gba laaye: # nft add rule xy tcp dport . ip saddr vmap {1025-65535. 192.168.10.2: gba}
- Irọrun sintasi fun NAT mappings. Ti gba laaye lati tokasi awọn sakani adirẹsi: ... snat to ip saddr map {10.141.11.4 : 192.168.2.2-192.168.2.4 } tabi adiresi IP ti o han gbangba ati awọn ibudo: ... dnat to ip saddr map {10.141.11.4. . 192.168.2.3 } tabi akojọpọ awọn sakani IP ati awọn ibudo: ... dnat si ip saddr. tcp dport maapu {80 . 192.168.1.2: 80-10.141.10.2. 10.141.10.5-8888 }
orisun: opennet.ru