Release of the nftables 0.9.5 packet filter

The release of the nftables 0.9.5 packet filter has been published. nftables is developed as a replacement for iptables, ip6tables, arptables and ebtables, unifying the packet-filtering interfaces for IPv4, IPv6, ARP and network bridges. The nftables package contains the packet-filtering components that run in user space, while the kernel-side functionality is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel changes required for nftables 0.9.5 to work are included in Linux kernel 5.7.

The kernel side provides only a generic, protocol-independent interface with basic operations for extracting data from packets, performing operations on that data and controlling flow. The filtering rules and the protocol-specific handlers are compiled into bytecode in user space; that bytecode is then loaded into the kernel over the Netlink interface and executed in the kernel by a special virtual machine reminiscent of BPF (Berkeley Packet Filters). This approach makes it possible to significantly reduce the size of the filtering code running at the kernel level and to move all rule-parsing functionality and protocol-handling logic into user space.

Main innovations:

  • Added support for packet and traffic counters attached to the elements of a set. Counters are enabled with the "counter" keyword:

    table ip x {
        set y {
            type ipv4_addr
            counter
            elements = { 192.168.10.35, 192.168.10.101, 192.168.10.135 }
        }

        chain z {
            type filter hook output priority filter; policy accept;
            ip daddr @y
        }
    }

  • Initial counter values can be set, for example to restore the previous counter state after a reboot, by loading them with the "nft -f" command:

    # cat ruleset.nft
    table ip x {
        set y {
            type ipv4_addr
            counter
            elements = { 192.168.10.35 counter packets 1 bytes 84, 192.168.10.101 \
                         counter packets 0 bytes 0, 192.168.10.135 counter packets 0 bytes 0 }
        }

        chain z {
            type filter hook output priority filter; policy accept;
            ip daddr @y
        }
    }
    # nft -f ruleset.nft
    # nft list ruleset
    table ip x {
        set y {
            type ipv4_addr
            counter
            elements = { 192.168.10.35 counter packets 1 bytes 84, 192.168.10.101 \
                         counter packets 0 bytes 0, 192.168.10.135 counter packets 0 bytes 0 }
        }

        chain z {
            type filter hook output priority filter; policy accept;
            ip daddr @y
        }
    }

  • Counter support has also been added to flowtables:

    table ip foo {
        flowtable bar {
            hook ingress priority -100
            devices = { eth0, eth1 }
            counter
        }

        chain forward {
            type filter hook forward priority filter;
            flow add @bar counter
        }
    }

    The counter values can then be viewed with the "conntrack -L" command:

    tcp 6 src=192.168.10.2 dst=10.0.1.2 sport=47278 dport=5201 packets=9 bytes=608 \
        src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=47278 packets=8 bytes=428 [OFFLOAD] mark=0 \
        secctx=null use=2
    tcp 6 src=192.168.10.2 dst=10.0.1.2 sport=47280 dport=5201 \
        packets=1005763 bytes=44075714753 src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=47280 \
        packets=967505 bytes=50310268 [OFFLOAD] mark=0 secctx=null use=2

  • In sets built from concatenations (a concatenation bundles, for example, addresses and ports into one key to simplify matching), the "typeof" directive can now be used; it derives the data type of each component of the set elements from the expression:

    table ip foo {
        set whitelist {
            typeof ip saddr . tcp dport
            elements = { 192.168.10.35 . 80, 192.168.10.101 . 80 }
        }

        chain bar {
            type filter hook prerouting priority filter; policy drop;
            ip daddr . tcp dport @whitelist accept
        }
    }

  • The typeof directive now also works for concatenations in maps:

    table ip foo {
        map addr2mark {
            typeof ip saddr . tcp dport : meta mark
            elements = { 192.168.10.35 . 80 : 0x00000001,
                         192.168.10.135 . 80 : 0x00000002 }
        }

        chain bar {
            type filter hook prerouting priority filter; policy drop;
            meta mark set ip daddr . tcp dport map @addr2mark accept
        }
    }

  • Added support for ranges inside concatenations in anonymous (unnamed) sets:

    # nft add rule inet filter input ip daddr . tcp dport \
        { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept

  • Packets carrying an 802.1q (VLAN) tag can now be rejected when processing network bridges:

    # nft add rule bridge foo bar ether type vlan reject with tcp reset

  • Added support for matching on the TCP session identifier (conntrack id). To find the conntrack id of a connection, use the "--output id" option:

    # conntrack -L --output id
    udp 17 18 src=192.168.2.118 dst=192.168.2.1 sport=36424 dport=53 packets=2 \
        bytes=122 src=192.168.2.1 dst=192.168.2.118 sport=53 dport=36424 packets=2 bytes=320 \
        [ASSURED] mark=0 use=1 id=2779986232

    # nft add rule foo bar ct id 2779986232 counter

Source: opennet.ru
