Release of the nftables packet filter 1.0.2

The nftables packet filter 1.0.2 has been released. nftables unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridges and is intended to replace iptables, ip6tables, arptables and ebtables. The kernel-side changes required for nftables 1.0.2 to work are included in Linux kernel 5.17-rc.

The nftables package contains the packet filter components that run in user space, while the kernel-level functionality is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel level provides only a generic, protocol-independent interface with basic primitives for extracting data from packets, operating on that data and controlling flow.

The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel over the Netlink interface and executed in the kernel by a special virtual machine resembling BPF (Berkeley Packet Filters). This approach makes it possible to greatly reduce the amount of filtering code running at the kernel level and to move all rule parsing and protocol-handling logic into user space.

Main changes:

  • A rule optimization mode has been added, enabled with the new "-o" ("--optimize") option, which can be combined with the "--check" option to check and optimize a rules file without actually loading it. The optimizer merges similar rules; for example, the rules

        meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
        meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.5 accept
        ip saddr 1.1.1.1 ip daddr 2.2.2.2 accept
        ip saddr 2.2.2.2 ip daddr 3.3.3.3 drop

    are merged into

        meta iifname . ip saddr . ip daddr { eth1 . 1.1.1.1 . 2.2.2.3, eth1 . 1.1.1.2 . 2.2.2.5 } accept
        ip saddr . ip daddr vmap { 1.1.1.1 . 2.2.2.2 : accept, 2.2.2.2 . 3.3.3.3 : drop }

    Usage example:

        # nft -c -o -f ruleset.test
        Merging:
        ruleset.nft:16:3-37: ip daddr 192.168.0.1 counter accept
        ruleset.nft:17:3-37: ip daddr 192.168.0.2 counter accept
        ruleset.nft:18:3-37: ip daddr 192.168.0.3 counter accept
        into:
        ip daddr { 192.168.0.1, 192.168.0.2, 192.168.0.3 } counter packets 0 bytes 0 accept

  • Sets can now hold ip and tcp option fields as well as sctp chunk fields:

        set s5 {
            typeof ip option ra value
            elements = { 1, 1024 }
        }
        set s7 {
            typeof sctp chunk init num-inbound-streams
            elements = { 1 }
        }
        chain c4 {
            ip option ra value @s5 accept
        }
        chain c5 {
            sctp chunk init num-inbound-streams @s7 accept
        }

  • Added support for the TCP options fastopen, md5sig and mptcp.
  • Added support for using the mptcp subtype in match expressions: tcp option mptcp subtype 1
  • Kernel-side processing code has been improved.
  • Flowtables are fully supported in the JSON format.
  • The "reject" verdict can now be used in rules that match on Ethernet frame fields: ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject
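To make the merging step of the new "-o" optimizer concrete, here is an added Python model of the transformation described in the first item above. It is not nftables code: the real optimizer works on nft's internal representation, while this toy parses only a small subset of rule syntax (the two-word match expressions listed in MATCH_KEYS, optional statements such as `counter`, and a trailing verdict). It merges only consecutive rules, so rule order and therefore first-match semantics are preserved, and it emits a concatenated anonymous set when the verdicts agree or a verdict map when they differ. The sample rule lines are those from the announcement; the `packets 0 bytes 0` counter state shown in the page's output is printed by nft itself and is not reproduced here.

```python
"""Toy model of the rule merging that `nft -o` (--optimize) performs.

Added example, not nftables project code. Only a small subset of nft rule
syntax is understood: two-word match expressions with one value each (see
MATCH_KEYS), optional statements such as `counter`, and a final verdict.
"""
from itertools import groupby

# Match expressions the toy parser recognises (assumption: one value each).
MATCH_KEYS = {
    ("meta", "iifname"), ("meta", "oifname"),
    ("ip", "saddr"), ("ip", "daddr"),
    ("tcp", "sport"), ("tcp", "dport"), ("udp", "dport"),
}
VERDICTS = {"accept", "drop", "reject", "return"}


def parse_rule(rule):
    """Split one rule into (match keys, match values, other statements, verdict)."""
    tokens = rule.split()
    if not tokens or tokens[-1] not in VERDICTS:
        raise ValueError(f"rule has no verdict: {rule!r}")
    verdict = tokens.pop()
    keys, values, stmts = [], [], []
    i = 0
    while i < len(tokens):
        if tuple(tokens[i:i + 2]) in MATCH_KEYS and i + 2 < len(tokens):
            keys.append(f"{tokens[i]} {tokens[i + 1]}")
            values.append(tokens[i + 2])
            i += 3
        else:
            stmts.append(tokens[i])   # e.g. `counter`, `log`
            i += 1
    return tuple(keys), tuple(values), tuple(stmts), verdict


def _join(*parts):
    """Join non-empty fragments with single spaces."""
    return " ".join(p for p in parts if p)


def _render_run(keys, stmts, rules):
    """Render consecutive rules that share match keys and statements."""
    elements = [" . ".join(vals) for _, vals, _, _ in rules]
    verdicts = [v for _, _, _, v in rules]
    selector = " . ".join(keys)
    # Set elements must be unique, so runs with repeated selectors are left alone.
    mergeable = len(rules) > 1 and len(set(elements)) == len(elements)
    if mergeable and len(set(verdicts)) == 1:
        # Same verdict everywhere: one rule with an anonymous (concatenated) set.
        return [_join(selector, "{ " + ", ".join(elements) + " }", *stmts, verdicts[0])]
    if mergeable and not stmts:
        # Verdicts differ: a verdict map picks the verdict per element.
        pairs = ", ".join(f"{e} : {v}" for e, v in zip(elements, verdicts))
        return [f"{selector} vmap {{ {pairs} }}"]
    # Not mergeable: emit each rule as written.
    return [
        _join(*(f"{k} {v}" for k, v in zip(keys, vals)), *stmts, verdict)
        for _, vals, _, verdict in rules
    ]


def optimize(rules):
    """Merge runs of consecutive similar rules; rule order is preserved."""
    parsed = [parse_rule(r) for r in rules]
    merged = []
    for (keys, stmts), run in groupby(parsed, key=lambda p: (p[0], p[2])):
        merged.extend(_render_run(keys, stmts, list(run)))
    return merged


if __name__ == "__main__":
    # Rules taken from the announcement above.
    sample = [
        "meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept",
        "meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.5 accept",
        "ip saddr 1.1.1.1 ip daddr 2.2.2.2 accept",
        "ip saddr 2.2.2.2 ip daddr 3.3.3.3 drop",
    ]
    for line in optimize(sample):
        print(line)
```

Running the module prints the two merged rules from the announcement. Two behaviours worth noting when reviewing optimizer output in practice: rules whose match values repeat are not merged, because set elements must be unique, and rules separated by an unrelated rule are not merged either, since pulling them together could change which rule a packet hits first.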

Source: opennet.ru
