Ukukhishwa kwesihlungi se-packet nftables 0.9.9 kushicilelwe, okuhlanganisa izixhumanisi zokuhlunga iphakethe ze-IPv4, IPv6, ARP kanye namabhuloho enethiwekhi (okuhloswe ngawo ukufaka esikhundleni se-iptables, ip6table, arptables kanye nama-ebtables). Ngesikhathi esifanayo, ukukhishwa komtapo wolwazi ongumngane we-libnftnl 1.2.0 kwashicilelwa, kuhlinzeka nge-API yezinga eliphansi ukuze ihlanganyele nesistimu engaphansi ye-nf_tables. Izinguquko ezidingekayo ukuze i-nftables 0.9.9 ikhishwe ukuze isebenze ifakiwe ku-Linux kernel 5.13-rc1.
Iphakheji ye-nftables ihlanganisa izingxenye zokuhlunga zephakethe ezisebenza endaweni yomsebenzisi, kuyilapho umsebenzi wezinga le-kernel unikezwa i-nf_tables subsystem, ebiyingxenye ye-Linux kernel kusukela ekukhululweni okungu-3.13. Izinga le-kernel linikeza kuphela isixhumi esibonakalayo esizimele esijwayelekile esihlinzeka ngemisebenzi eyisisekelo yokukhipha idatha emaphaketheni, ukwenza imisebenzi yedatha, nokulawula ukugeleza.
Imithetho yokuhlunga nezibambi eziqondene nephrothokholi kuhlanganiswa ku-bytecode esikhaleni somsebenzisi, ngemva kwalokho le-bytecode ilayishwa ku-kernel kusetshenziswa isixhumi esibonakalayo se-Netlink futhi isetshenziswe ku-kernel emshinini okhethekile osikhumbuza i-BPF (Izihlungi Zephakethe Le-Berkeley). Le ndlela ikuvumela ukuthi unciphise ngokuphawulekayo usayizi wekhodi yokuhlunga egijima ezingeni le-kernel futhi uhambise yonke imisebenzi yemithetho yokuhlukanisa kanye nengqondo yokusebenza ngamaphrothokholi endaweni yomsebenzisi.
Okuqanjiwe okuyinhloko:
- Amandla okuhambisa ukucutshungulwa okugelezayo ohlangothini lwe-adaptha yenethiwekhi asetshenzisiwe, anikwe amandla kusetshenziswa ifulegi 'lokukhipha'. I-Flowtable iyindlela yokuthuthukisa indlela yokuqondisa kabusha iphakethe, lapho ukudlula okuphelele kwawo wonke amaketanga okucubungula umthetho kusetshenziswa kuphela ephaketheni lokuqala, futhi wonke amanye amaphakethe ekugelezeni athunyelwa ngqo. ithebula ip global { flowtable f { hook ingress priority filter + 1 devices = {lan3, lan0, wan } amafulegi akhulula } iketango eliya phambili { uhlobo lokuhlunga hook phambili isihlungi esibalulekile; yamukela inqubomgomo; Iphrothokholi ye-ip { tcp, udp } geleza engeza @f } i-chain post {thayipha i-nat hook postrouting priority filter; yamukela inqubomgomo; oifname "wan" masquerade }}
- Kwengezwe usekelo lokunamathisela ifulegi lomnikazi kuthebula ukuze kuqinisekiswe ukusetshenziswa okukhethekile kwethebula ngenqubo. Uma inqubo iphela, ithebula elihlobene nayo lisuswa ngokuzenzakalelayo. Ulwazi mayelana nenqubo luboniswa ekulahlweni kwemithetho ngendlela yokubeka amazwana: ithebula ip x {# progname nft iketango lomnikazi wamafulegi y { thayipha isihlungi sokufakwa kwehhuku kuqala kwesihlungi; yamukela inqubomgomo; counter amaphakethe 1 bytes 309 }}
- Ukwesekwa okwengeziwe kokucaciswa kwe-IEEE 802.1ad (i-VLAN stacking noma i-QinQ), echaza indlela yokufaka amathegi e-VLAN amaningi kuhlaka olulodwa lwe-Ethernet. Isibonelo, ukuze uhlole uhlobo lohlaka lwe-Ethernet lwangaphandle 8021ad kanye ne-vlan id=342, ungasebenzisa ukwakhiwa ... uhlobo lwe-ether 802.1ad vlan id 342 ukuze uhlole uhlobo lwangaphandle lozimele we-Ethernet 8021ad/vlan id=1, efakwe ku-802.1 q/vlan id=2 kanye nokunye ukufakwa kwephakethe le-IP: ... uhlobo lwe-ether 8021ad vlan id 1 uhlobo lwe-vlan 8021q vlan id 2 uhlobo lwe-ip counter
- Ukwesekwa okungeziwe kokuphatha izinsiza kusetshenziswa amaqoqo e-hierarchy ahlanganisiwe v2. Umehluko oyinhloko phakathi kwamaqoqo v2 kanye ne-v1 ukusetshenziswa kwesigaba samaqembu esivamile kuzo zonke izinhlobo zezinsiza, esikhundleni sezigaba ezihlukene zokwaba izinsiza ze-CPU, zokulawula ukusetshenziswa kwememori, kanye ne-I/O. Isibonelo, ukuze uhlole ukuthi ingabe idlozi lesokhethi elisezingeni lokuqala le-cgroupv2 lifana ne-mask ethi "system.slice", ungasebenzisa ukwakhiwa: ... isokhethi cgroupv2 level 1 "system.slice"
- Kwengezwe amandla okuhlola izingxenye zamaphakethe e-SCTP (ukusebenza okudingekayo kulokhu kuzovela ku-Linux 5.14 kernel). Isibonelo, ukuhlola ukuthi iphakethe liqukethe yini ingxenye enohlobo 'lwedatha' kanye 'nohlobo' lwenkambu: ... idatha ye-sctp chunk ikhona ... sctp chunk data type 0
- Ukwenziwa komsebenzi wokulayisha umthetho kusheshiswe cishe izikhathi ezimbili kusetshenziswa ifulegi elithi β-fβ. Ukukhishwa kohlu lwemithetho nakho kusheshisiwe.
- Ifomu elihlangene lokuhlola ukuthi amabhithi efulegi asethiwe linikeziwe. Isibonelo, ukuhlola ukuthi izingcezu zesimo se-snat ne-dnat asethiwe, ungacacisa: ... ct status ! snat,dnat ukuze uhlole ukuthi i-sync bit isethwe ku-bitmask syn,ack: ... i-tcp ihlaba umkhosi u-sync / syn,ack ukuze uhlole ukuthi amabhithi e-fin nawokuqala awamisiwe yini ku-bitmask syn,ack,fin,rst: ... amafulegi we-tcp! = fin,rst / syn,ack,fin,rst
- Vumela igama elingukhiye elithi "isinqumo" ezincazelweni zohlobo lwesethi/yemephu: engeza imephu xm {typeof iifname . ip protocol th dport : isinqumo ;}
Source: opennet.ru