The kernel side provides only a generic, protocol-independent interface with primitive operations for extracting data from packets, operating on that data and controlling flow. The filtering logic itself and the protocol-specific handlers are compiled into bytecode in user space; that bytecode is then loaded into the kernel over the Netlink interface and executed in a dedicated virtual machine that resembles BPF (Berkeley Packet Filters). This approach substantially reduces the amount of filtering code running at the kernel level and moves all rule parsing and protocol-handling logic into user space.
Main changes:

- Support for matching packets by time. A rule can be restricted to a range of dates and times, to an hour window, or to particular days of the week. A new "-T" option prints time values as seconds since the epoch.

    meta time "2019-12-24 16:00" - "2020-01-02 7:00"
    meta hour "17:00" - "19:00"
    meta day "Friday"

- Support for reading and storing SELinux labels (secmark): the conntrack secmark can be copied into the packet's secmark and vice versa.

    ct secmark set meta secmark
    meta secmark set ct secmark

- Support for synproxy maps, so that several named synproxy objects can be defined and a single rule selects one of them per packet (here, by source subnet).

    table ip foo {
        synproxy https-synproxy {
            mss 1460
            wscale 7
            timestamp sack-perm
        }

        synproxy other-synproxy {
            mss 1460
            wscale 5
        }

        chain prerouting {
            type filter hook prerouting priority raw; policy accept;
            tcp dport 8888 tcp flags syn notrack
        }

        chain forward {
            type filter hook forward priority filter; policy accept;
            ct state invalid,untracked synproxy name ip saddr map { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" }
        }
    }

- Set elements can now be deleted from within packet-processing rules.

    nft add rule ... delete @set5 { ip6 saddr . ip6 daddr }

- Support for matching the VLAN id and protocol recorded in the bridge input port metadata:

    meta ibrpvid 100
    meta ibrvproto vlan

- A "-t" ("--terse") option that omits set elements when listing rules. Running "nft -t list ruleset" prints:

    table ip x {
        set y {
            type ipv4_addr
        }
    }

  whereas "nft list ruleset" prints:

    table ip x {
        set y {
            type ipv4_addr
            elements = { 192.168.10.2, 192.168.20.1,
                         192.168.4.4, 192.168.2.34 }
        }
    }

- More than one device can be specified in netdev chains (requires kernel 5.5), so that common filtering rules are shared between interfaces.

    nft add table netdev x
    nft add chain netdev x y { \
        type filter hook ingress devices = { eth0, eth1 } priority 0; \
    }

- Data type descriptions can be printed.

    # nft describe ipv4_addr
    datatype ipv4_addr (IPv4 address) (basetype integer), 32 bits

- The CLI can be built against the linenoise library instead of libreadline.

    ./configure --with-cli=linenoise
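The time-based matching from the first item above, as an added example that is not part of the release notes or of nftables itself: a small Python model of the meta time / meta hour / meta day semantics, so that a rule's window can be checked against sample packet timestamps before the rule is loaded. The names TimeRule, parse_hour, parse_time and evaluate are this example's own, and the sample timestamps are constructed. Inclusive range ends and the wrap-around of an hour window past midnight are assumptions of the model; nft converts hour values using the local timezone at load time, so confirm the behaviour against your nft version (for instance with nft -c -f on a test ruleset) before relying on it.

```python
"""Offline check of nftables time-window rules (meta time / hour / day).

Added example, not code from nftables or opennet.ru.  It models the
semantics of the three time matches so that a candidate rule can be
checked against sample packet timestamps before it is loaded.
Assumptions: ranges are inclusive at both ends, an hour window whose start
is later than its end (e.g. "23:00" - "01:00") wraps past midnight, and all
timestamps are in the same local timezone the ruleset is loaded in.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, Optional, Tuple

WEEKDAYS = ("Monday", "Tuesday", "Wednesday", "Thursday",
            "Friday", "Saturday", "Sunday")


def parse_hour(text: str) -> int:
    """'17:00' or '7:30:15' -> seconds since midnight."""
    parts = [int(p) for p in text.split(":")]
    if len(parts) == 2:
        parts.append(0)
    h, m, s = parts
    if not (0 <= h < 24 and 0 <= m < 60 and 0 <= s < 60):
        raise ValueError(f"bad hour value {text!r}")
    return h * 3600 + m * 60 + s


def parse_time(text: str) -> datetime:
    """'2020-01-02 7:00' -> datetime (the format used by meta time)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


@dataclass
class TimeRule:
    """One rule's time conditions; every condition present must hold (AND)."""
    time_range: Optional[Tuple[str, str]] = None   # meta time "a" - "b"
    hour_range: Optional[Tuple[str, str]] = None   # meta hour "a" - "b"
    day: Optional[str] = None                      # meta day "Friday"

    def __post_init__(self) -> None:
        if self.day is not None and self.day not in WEEKDAYS:
            raise ValueError(f"unknown weekday {self.day!r}")

    def matches(self, ts: datetime) -> bool:
        if self.time_range is not None:
            lo, hi = (parse_time(t) for t in self.time_range)
            if not lo <= ts <= hi:
                return False
        if self.hour_range is not None:
            lo, hi = (parse_hour(t) for t in self.hour_range)
            now = ts.hour * 3600 + ts.minute * 60 + ts.second
            # start > end: the window crosses midnight (model assumption)
            inside = lo <= now <= hi if lo <= hi else (now >= lo or now <= hi)
            if not inside:
                return False
        if self.day is not None and WEEKDAYS[ts.weekday()] != self.day:
            return False
        return True


def evaluate(rule: TimeRule, samples: Iterable[str]) -> Dict[str, bool]:
    """Map each sample timestamp string to whether the rule would match it."""
    return {s: rule.matches(parse_time(s)) for s in samples}


# The three conditions shown in the release notes combined into one rule.
RULE = TimeRule(time_range=("2019-12-24 16:00", "2020-01-02 7:00"),
                hour_range=("17:00", "19:00"),
                day="Friday")

# Constructed sample packet timestamps (not captured traffic).
SAMPLES = (
    "2019-12-27 18:00",   # Friday inside both windows -> match
    "2019-12-27 20:00",   # Friday, but outside the hour window
    "2019-12-26 18:00",   # Thursday
    "2020-01-03 18:00",   # Friday, but after the date range ended
    "2019-12-20 18:00",   # Friday, but before the date range began
)

if __name__ == "__main__":
    for sample, hit in evaluate(RULE, SAMPLES).items():
        print(f"{sample}  {WEEKDAYS[parse_time(sample).weekday()]:<9} "
              f"{'match' if hit else 'no match'}")
```

Only the first sample satisfies all three conditions; each of the others fails exactly one of them, which is the quickest way to see that the three meta keys combine as an AND within a rule rather than as alternatives.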
Source: opennet.ru