Release of the nftables 0.9.4 packet filter

The nftables 0.9.4 packet filter has been released. It is developed as a replacement for iptables, ip6tables, arptables and ebtables, unifying the packet filtering interfaces for IPv4, IPv6, ARP and network bridges. The nftables package contains the packet filter components that run in user space, while the kernel-level functionality is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel changes required for nftables 0.9.4 to work are included in the upcoming Linux 5.6 kernel branch.

The kernel level provides only a generic, protocol-independent interface that offers basic functions for extracting data from packets, performing operations on that data and controlling the flow. Filtering rules and protocol-specific handlers are compiled into bytecode in user space; that bytecode is then loaded into the kernel over the Netlink interface and executed in the kernel on a special virtual machine reminiscent of BPF (Berkeley Packet Filters). This approach makes it possible to significantly reduce the size of the filtering code running at the kernel level and to move all rule-parsing functions and protocol-handling logic into user space.

Main changes:

  • Support for ranges in concatenations (the combination of several addresses and ports to simplify matching). For example, for a "whitelist" set whose elements are concatenations, specifying the "interval" flag indicates that the set may include ranges inside the concatenation (for a concatenation of "ipv4_addr . ipv4_addr . inet_service" it was previously possible to list only exact values of the form "192.168.10.35 . 192.68.11.123 . 80", and now address groups such as "192.168.10.35-192.168.10.40" can be specified).

    table ip foo {
        set whitelist {
            type ipv4_addr . ipv4_addr . inet_service
            flags interval
            elements = { 192.168.10.35-192.168.10.40 . 192.68.11.123-192.168.11.125 . 80 }
        }

        chain bar {
            type filter hook prerouting priority filter; policy drop;
            ip saddr . ip daddr . tcp dport @whitelist accept
        }
    }

  • In sets and maps, the "typeof" directive can now be used; it derives the element format from the expression being matched.
    Example:

    table ip foo {
        set whitelist {
            typeof ip saddr
            elements = { 192.168.10.35, 192.168.10.101, 192.168.10.135 }
        }

        chain bar {
            type filter hook prerouting priority filter; policy drop;
            ip daddr @whitelist accept
        }
    }

    table ip foo {
        map addr2mark {
            typeof ip saddr : meta mark
            elements = { 192.168.10.35 : 0x00000001, 192.168.10.135 : 0x00000002 }
        }
    }

  • Added the ability to use concatenations in NAT mappings, which allows the address and port to be specified together when defining a NAT translation based on a map or a named set:

    nft add rule ip nat pre dnat ip addr . port to ip saddr map { 1.1.1.1 : 2.2.2.2 . 30 }

    nft add map ip nat destinations { type ipv4_addr . inet_service : ipv4_addr . inet_service \; }
    nft add rule ip nat pre dnat ip addr . port to ip saddr . tcp dport map @destinations
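    The following Python model is an added example; it is not code from the nftables project or from the original article. It reproduces the matching semantics behind two of the features above: the concatenated interval set from the first item (`type ipv4_addr . ipv4_addr . inet_service` with `flags interval`) and the NAT maps in this item, one keyed on `ip saddr` alone and one keyed on `ip saddr . tcp dport`. The whitelist element and the `{ 1.1.1.1 : 2.2.2.2 . 30 }` entry are taken from the article; the `destinations` entries are constructed sample data (the range entry assumes a map declared with `flags interval`). The point worth seeing is that a concatenated range element matches only when every field of the packet key falls inside that field's own range, so a port outside the range is dropped even when both addresses are inside theirs.

```python
"""Added example (not nftables project code): a model of concatenated
interval-set and map lookups as introduced in nftables 0.9.4."""
from ipaddress import ip_address


def field_to_int(value):
    """IPv4 address strings become 32-bit ints; ports stay ints."""
    if isinstance(value, int):
        return value
    return int(ip_address(value)) if "." in value else int(value)


def parse_range(text):
    """'a-b' -> (a, b); a lone address or port becomes a one-value range."""
    lo, _, hi = text.strip().partition("-")
    hi = hi or lo
    return field_to_int(lo.strip()), field_to_int(hi.strip())


def parse_element(text):
    """'a-b . c-d . 80' (nft concatenation syntax) -> tuple of ranges."""
    return tuple(parse_range(part) for part in text.split(" . "))


def matches(element, key):
    """True when every field of key lies within its own range in element."""
    return len(element) == len(key) and all(
        lo <= k <= hi for (lo, hi), k in zip(element, key))


# The whitelist set from the article (flags interval).
WHITELIST = [parse_element(
    "192.168.10.35-192.168.10.40 . 192.68.11.123-192.168.11.125 . 80")]


def whitelist_verdict(saddr, daddr, dport):
    """Chain 'bar': policy drop; 'ip saddr . ip daddr . tcp dport @whitelist accept'."""
    key = (field_to_int(saddr), field_to_int(daddr), field_to_int(dport))
    return "accept" if any(matches(e, key) for e in WHITELIST) else "drop"


# NAT maps.  SADDR_MAP is the article's { 1.1.1.1 : 2.2.2.2 . 30 };
# DESTINATIONS is keyed on ip saddr . tcp dport and holds constructed
# sample entries only (the range entry assumes 'flags interval').
SADDR_MAP = {parse_element("1.1.1.1"): ("2.2.2.2", 30)}
DESTINATIONS = {
    parse_element("10.0.0.5 . 80"): ("192.0.2.10", 8080),            # constructed
    parse_element("10.0.0.5 . 443"): ("192.0.2.11", 8443),           # constructed
    parse_element("10.0.1.0-10.0.1.255 . 80"): ("192.0.2.12", 80),   # constructed
}


def map_lookup(table, key):
    """Linear scan over elements; the kernel uses a real set backend,
    this only reproduces the matching semantics."""
    for element, target in table.items():
        if matches(element, key):
            return target
    return None  # no element matched: the dnat rule does not apply


def dnat_by_saddr(saddr):
    """'dnat ip addr . port to ip saddr map { ... }'."""
    return map_lookup(SADDR_MAP, (field_to_int(saddr),))


def dnat_by_saddr_dport(saddr, dport):
    """'dnat ip addr . port to ip saddr . tcp dport map @destinations'."""
    return map_lookup(DESTINATIONS, (field_to_int(saddr), field_to_int(dport)))


if __name__ == "__main__":
    print(whitelist_verdict("192.168.10.37", "192.168.11.124", 80))  # accept
    print(whitelist_verdict("192.168.10.37", "192.168.11.124", 81))  # drop
    print(dnat_by_saddr("1.1.1.1"))                                  # ('2.2.2.2', 30)
    print(dnat_by_saddr_dport("10.0.1.77", 80))                      # ('192.0.2.12', 80)
```

    Note that `192.68.11.123-192.168.11.125` is reproduced as it appears in the article; it is a valid but very wide range, which is exactly the kind of slip a quick model like this makes visible before a ruleset is loaded.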

  • Support for hardware offload of some filtering operations to the network card. Offloading is enabled with the ethtool utility ("ethtool -K eth0 hw-tc-offload on") and then configured in nftables on the base chain with the "offload" flag. With Linux kernel 5.6, hardware offload supports matching on header fields and checking the ingress interface, combined with accepting, dropping, duplicating (dup) and forwarding (fwd) packets. In the example below, packets from address 192.168.30.20 are dropped at the network card level, without being passed to the kernel:

    # cat file.nft
    table netdev x {
        chain y {
            type filter hook ingress device eth0 priority 10; flags offload;
            ip saddr 192.168.30.20 drop
        }
    }
    # nft -f file.nft

  • Improved reporting of where an error is located in a rule.

    # nft delete rule ip y z handle 7
    Error: Could not process rule: No such file or directory
    delete rule ip y z handle 7
                   ^

    # nft delete rule ip x x handle 7
    Error: Could not process rule: No such file or directory
    delete rule ip x x handle 7
                              ^

    # nft delete table twst
    Error: No such file or directory; did you mean table ‘test’ in family ip?
    delete table twst
                 ^^^^

    The first example shows that table "y" does not exist on the system, the second that handle "7" is missing, and the third shows the typo hint given when a table name is misspelled.

  • Added support for checking the slave interface by specifying "meta sdif" or "meta sdifname":

    ... meta sdifname vrf1 ...

  • Added support for right and left shift operations. For example, to shift the existing packet mark left by 1 bit and set the low bit to 1:

    ... meta mark set meta mark lshift 1 or 0x1 ...

  • Implemented the "-V" option to display extended version information.

    # nft -V
    nftables v0.9.4 (Jive at Five)
      cli:		readline
      json:		yes
      minigmp:	no
      libxtables:	yes

  • Command-line options must now be specified before the command. For example, you need to write "nft -a list ruleset"; using "nft list ruleset -a" now results in an error.

    Source: opennet.ru
