nftables packet filter 1.0.6 released

The packet filter nftables 1.0.6 has been released. It unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridges and is intended to replace iptables, ip6tables, arptables and ebtables. The nftables package contains the packet-filter components that run in user space, while the kernel side is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. At the kernel level only a generic, protocol-independent interface is provided; it offers the basic primitives for extracting data from packets, performing operations on that data and controlling the flow of processing.

The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space. This bytecode is then loaded into the kernel through the Netlink interface and executed there by a dedicated virtual machine resembling BPF (Berkeley Packet Filter). This approach makes it possible to substantially reduce the amount of filtering code running at the kernel level and to move all the work of parsing rules and the protocol-handling logic into user space.

Main changes:

  • The rule compiler invoked with the "-o/--optimize" option now packs rules automatically, merging them and converting them into map and set lists. For example, the rules

      # cat ruleset.nft
      table ip x {
              chain y {
                      type filter hook input priority filter; policy drop;
                      meta iifname eth1 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept
                      meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
                      meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4 accept
                      meta iifname eth1 ip saddr 1.1.1.1-1.1.1.2 ip daddr 2.2.3.0/24 accept
                      meta iifname eth2 ip saddr 2.2.4.0 ip daddr 2.2.4.10 accept
              }
      }

    are, after "nft -o -c -f ruleset.nft", converted into the following:

      ruleset.nft:4:17-74: meta iifname eth1 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept
      ruleset.nft:5:17-74: meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
      ruleset.nft:6:17-77: meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4 accept
      ruleset.nft:7:17-83: meta iifname eth1 ip saddr 1.1.1.1-1.1.1.2 ip daddr 2.2.3.0/24 accept
      ruleset.nft:8:17-74: meta iifname eth2 ip saddr 2.2.4.0 ip daddr 2.2.4.10 accept
      into:
              iifname . ip saddr . ip daddr { eth1 . 1.1.1.3 . 2.2.2.5, eth1 . 1.1.1.1 . 2.2.2.3, eth1 . 1.1.1.2 . 2.2.2.4, eth1 . 1.1.1.1-1.1.1.2 . 2.2.3.0/24, eth2 . 2.2.4.0 . 2.2.4.10 } accept

  • The optimizer can also fold rules that already use simple lists into a more compact form, for example:

      # cat ruleset.nft
      table ip filter {
              chain input {
                      type filter hook input priority filter; policy drop;
                      iifname "lo" accept
                      ct state established,related accept comment "Traffic we requested is trusted"
                      iifname "enp0s31f6" ip saddr { 209.115.181.102, 216.197.228.230 } ip daddr 10.0.0.149 udp sport 123 udp dport 32768-65535 accept
                      iifname "enp0s31f6" ip saddr { 64.59.144.17, 64.59.150.133 } ip daddr 10.0.0.149 udp sport 53 udp dport 32768-65535 accept
              }
      }

    after running "nft -o -c -f ruleset.nft":

      ruleset.nft:6:22-149: iifname "enp0s31f6" ip saddr { 209.115.181.102, 216.197.228.230 } ip daddr 10.0.0.149 udp sport 123 udp dport 32768-65535 accept
      ruleset.nft:7:22-143: iifname "enp0s31f6" ip saddr { 64.59.144.17, 64.59.150.133 } ip daddr 10.0.0.149 udp sport 53 udp dport 32768-65535 accept
      into:
              iifname . ip saddr . ip daddr . udp sport . udp dport { enp0s31f6 . 209.115.181.102 . 10.0.0.149 . 123 . 32768-65535, enp0s31f6 . 216.197.228.230 . 10.0.0.149 . 123 . 32768-65535, enp0s31f6 . 64.59.144.17 . 10.0.0.149 . 53 . 32768-65535, enp0s31f6 . 64.59.150.133 . 10.0.0.149 . 53 . 32768-65535 } accept

  • Fixed an issue with bytecode generation for packing intervals whose fields use types of different endianness, such as IPv4 addresses (network byte order) and meta mark (host byte order):

      table ip x {
              map w {
                      typeof ip saddr . meta mark : verdict
                      flags interval
                      counter
                      elements = { 127.0.0.1-127.0.0.4 . 0x123434-0xb00122 : accept,
                                   192.168.0.10-192.168.1.20 . 0x0000aa00-0x0000aaff : accept, }
              }
              chain k {
                      type filter hook input priority filter; policy drop;
                      ip saddr . meta mark vmap @w
              }
      }

  • Improved diagnostics for rarely used protocols when raw expressions are involved, for example: meta l4proto 91 @th,400,16 0x0 accept
  • Fixed problems with rules that match on port ranges, for example: insert rule x y tcp sport { 3478-3497, 16384-16387 } counter accept
  • The JSON API has been extended to support expressions inside set and map lists.
  • In the extensions to the Python nftables library, rulesets can now be loaded for processing in check mode ("-c"), and support for defining external variables has been added.
  • Comments are now allowed on the elements of set lists.
  • A zero value may now be specified for the byte rate.
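To make the packing behaviour of "-o/--optimize" described in the first two items concrete, here is an added example, written for this page and not taken from nftables itself, that models the merge on the two rulesets quoted above. It assumes a deliberately small rule grammar (single-line rules, a handful of selectors, anonymous sets, and ranges or prefixes passed through as opaque strings), does not invoke nft, and only merges adjacent rules, since reordering rules across an intervening statement could change which rule a packet hits first.

```python
"""Toy model of the rule packing that `nft -o/--optimize` performs: consecutive
rules in a chain that match the same selectors (iifname, ip saddr, ...) and end
in the same verdict are folded into one rule keyed on a concatenated set.
Added example for this page; not nftables code, and the selector list below is
an assumption covering only what the quoted rulesets use."""
import re
from itertools import product

# Assumed subset of selectors; real nft understands many more.
SELECTOR_RE = re.compile(
    r"\b(iifname|oifname|ip saddr|ip daddr|tcp sport|tcp dport|udp sport|udp dport)"
    r"\s+(\{[^}]*\}|\S+)"
)
VERDICTS = {"accept", "drop"}


def parse_rule(rule):
    """Return ({selector: [values...]}, verdict), or None when the rule carries
    anything other than plain selector matches (ct state, counter, ...)."""
    text = re.sub(r'\s+comment\s+"[^"]*"\s*$', "", rule.strip())
    parts = text.rsplit(None, 1)
    if len(parts) != 2 or parts[1] not in VERDICTS:
        return None
    match_part, verdict = parts
    selectors, rest = {}, match_part
    for m in SELECTOR_RE.finditer(match_part):
        name, raw = m.group(1), m.group(2)
        values = raw.strip("{}").split(",") if raw.startswith("{") else [raw]
        selectors[name] = [v.strip().strip('"') for v in values]
        rest = rest.replace(m.group(0), "", 1)
    # Only the optional "meta" keyword may remain; anything else is a statement
    # the optimizer would have to reason about, so the rule is left alone.
    if re.sub(r"\bmeta\b", "", rest).strip():
        return None
    return selectors, verdict


def elements(selectors):
    """Expand anonymous sets into concatenated (iifname . saddr . ...) tuples."""
    return list(product(*selectors.values()))


def merge_rules(rules):
    """Fold runs of consecutive, structurally identical rules into one set rule."""
    groups = []  # entries of [key, elements, original rule texts]
    for rule in rules:
        parsed = parse_rule(rule)
        key = (tuple(parsed[0]), parsed[1]) if parsed else None
        if key is not None and groups and groups[-1][0] == key:
            groups[-1][1].extend(elements(parsed[0]))
            groups[-1][2].append(rule)
        else:
            groups.append([key, elements(parsed[0]) if parsed else [], [rule]])
    out = []
    for key, elems, originals in groups:
        if key is None or len(originals) == 1:
            out.extend(originals)  # nothing to merge, keep the rule verbatim
            continue
        names, verdict = key
        body = ", ".join(" . ".join(e) for e in elems)
        out.append(f"{' . '.join(names)} {{ {body} }} {verdict}")
    return out


# Constructed inputs, copied from the two rulesets quoted in the release notes.
RULESET_A = [
    "meta iifname eth1 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept",
    "meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept",
    "meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4 accept",
    "meta iifname eth1 ip saddr 1.1.1.1-1.1.1.2 ip daddr 2.2.3.0/24 accept",
    "meta iifname eth2 ip saddr 2.2.4.0 ip daddr 2.2.4.10 accept",
]
RULESET_B = [
    'iifname "lo" accept',
    'ct state established,related accept comment "Traffic we requested is trusted"',
    'iifname "enp0s31f6" ip saddr { 209.115.181.102, 216.197.228.230 } '
    "ip daddr 10.0.0.149 udp sport 123 udp dport 32768-65535 accept",
    'iifname "enp0s31f6" ip saddr { 64.59.144.17, 64.59.150.133 } '
    "ip daddr 10.0.0.149 udp sport 53 udp dport 32768-65535 accept",
]

if __name__ == "__main__":
    for line in merge_rules(RULESET_A) + merge_rules(RULESET_B):
        print(line)
```

The model produces the same concatenated set that the release notes show for both rulesets. Note that the "ct state" rule and the lone "lo" rule are passed through untouched: a packed rule only preserves semantics when every merged rule matched on exactly the same selectors with the same verdict, which is why the real optimizer prints the "Merging:" list, so the resulting ruleset can be reviewed before it is loaded.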
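The endianness item above is easier to appreciate with a small model of what an interval set does with a concatenated key. The following is an added illustration written for this page, not nftables code: it compares each field of the key as raw bytes, the way a kernel set does, and probes the first element of the map quoted above (127.0.0.1-127.0.0.4 . 0x123434-0xb00122) with a mark encoded once in host byte order and once in big-endian form. The probe marks are constructed values.

```python
"""Why interval matching on a concatenated key depends on byte order.
Added example for this page; it models a byte-wise interval comparison and is
not the nftables or kernel implementation."""
import ipaddress
import struct
import sys


def ipv4_key(addr):
    """IPv4 addresses are already big-endian (network order) on the wire."""
    return ipaddress.IPv4Address(addr).packed


def mark_host_order(mark):
    """meta mark as the kernel holds it: native (host) byte order."""
    return struct.pack("=I", mark)


def mark_big_endian(mark):
    """meta mark converted to the same byte order as the address field."""
    return struct.pack(">I", mark)


def host_is_big_endian():
    """On a big-endian host both encodings coincide and nothing goes wrong."""
    return sys.byteorder == "big"


def field_in_range(key, lo, hi):
    """Byte-wise lexicographic comparison; it agrees with numeric comparison
    only when every field is encoded big-endian."""
    return lo <= key <= hi


def lookup(addr, mark, encode_mark):
    """Model of `ip saddr . meta mark vmap @w` against the element
    127.0.0.1-127.0.0.4 . 0x123434-0xb00122 from the release-notes map."""
    fields = (ipv4_key(addr), encode_mark(mark))
    lo = (ipv4_key("127.0.0.1"), encode_mark(0x123434))
    hi = (ipv4_key("127.0.0.4"), encode_mark(0xB00122))
    return all(field_in_range(k, l, h) for k, l, h in zip(fields, lo, hi))


def compare_encodings(addr, mark):
    """Return (match with big-endian mark, match with host-order mark)."""
    return lookup(addr, mark, mark_big_endian), lookup(addr, mark, mark_host_order)


if __name__ == "__main__":
    # 0x200000 lies inside 0x123434-0xb00122 numerically; 0xff0000 lies outside.
    for mark in (0x200000, 0xFF0000):
        be, host = compare_encodings("127.0.0.2", mark)
        print(f"mark {mark:#x}: big-endian -> {be}, host order ({sys.byteorder}) -> {host}")
```

On a little-endian machine the host-order bounds 0x123434 and 0xb00122 become the byte strings 34 34 12 00 and 22 01 b0 00, so the lower bound sorts above the upper bound and no mark can match at all, while the big-endian encoding gives the expected answers. That silent mismatch is the kind of defect the bytecode fix in 1.0.6 addresses, and it is worth a functional test of any ruleset that mixes address and mark fields in one interval map after upgrading.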

Source: opennet.ru
