ProHoster > Блог > izindaba ze-inthanethi > ukukhishwa kwesihlungi sephakethe le-nftables 0.9.9

ukukhishwa kwesihlungi sephakethe le-nftables 0.9.9

Isihlungi sephakethe se-nftables 0.9.9 sesikhishiwe. Sihlanganisa izixhumi zokuhlunga iphakethe ze-IPv4, IPv6, ARP, kanye namabhuloho enethiwekhi (okuqondiswe esikhundleni sama-iptables, ip6table, ama-arptables, kanye nama-ebtables). Umtapo wolwazi we-libnftnl 1.2.0 ohambisana nawo, ohlinzeka nge-API esezingeni eliphansi yokusebenzisana nesistimu engaphansi ye-nf_tables, ukhishwe ngasikhathi sinye. Izinguquko ezidingekayo kuma-nftables 0.9.9 zifakiwe ku-kernel. Linux 5.13-rc1.

Iphakheji ye-nftables iqukethe izingxenye zesihlungi sephakethe ezisebenza esikhaleni somsebenzisi, kuyilapho umsebenzi wezinga le-kernel unikezwa uhlelo olungaphansi lwe-nf_tables, oluyingxenye ye-kernel. Linux Kusukela ekukhishweni kwe-3.13, kunikezwe isikhombimsebenzisi esizimele sephrothokholi ejwayelekile kuphela ezingeni le-kernel, esinikeza ukusebenza okuyisisekelo kokukhipha idatha kumaphakethe, ukwenza imisebenzi yedatha, kanye nokulawula ukugeleza.

Ukuhlunga kuyalawula ngokwako kanye nabaphathi bephrothokholi ethile bahlanganiswa baba yi-bytecode esikhaleni somsebenzisi, ngemva kwalokho le-bytecode ilayishwa ku-kernel kusetshenziswa i-Netlink interface bese isetshenziswa ku-kernel ngendlela ekhethekile. umshini obonakalayo, okusikhumbuza i-BPF (Berkeley Packet Filters). Le ndlela ivumela ukwehla okukhulu kosayizi wekhodi yokuhlunga esebenza ezingeni le-kernel futhi ihambisa konke ukuhlaziya imithetho kanye ne-protocol logic esikhaleni somsebenzisi.

Okuqanjiwe okuyinhloko:

  • Kusetshenziswe ikhono lokuhambisa ukucubungula okugelezayo ohlangothini lwe-adaptha yenethiwekhi, enikwe amandla kusetshenziswa ifulegi 'lokukhipha'. I-Flowtable iwumshini wokuthuthukisa indlela yokudlulisela iphakethe, lapho ukunqamula okugcwele kwawo wonke amaketanga okucubungula imithetho kusetshenziswa kuphela ephaketheni lokuqala, futhi wonke amanye amaphakethe ekugelezeni athunyelwa ngqo. ithebula ip global { flowtable f { hook ingress priority filter + 1 devices = {lan3, lan0, wan } amafulegi akhulula } iketango eliya phambili { uhlobo lokuhlunga hook phambili isihlungi esibalulekile; yamukela inqubomgomo; Iphrothokholi ye-ip { tcp, udp } geleza engeza @f } i-chain post { thayipha i-nat hook postrouting isihlungi esibalulekile; yamukela inqubomgomo; oifname "wan" masquerade }}
  • Usekelo olungeziwe lokunamathisela ifulegi lomnikazi kuthebula, okuqinisekisa ukusetshenziswa okukhethekile kwethebula ngenqubo. Uma inqubo iphela, ithebula elihlobene liyasuswa ngokuzenzakalelayo. Ulwazi lwenqubo luboniswa ekulahlweni kwemithetho njengamazwana: ithebula ip x {# iketango lomnikazi we-progname nft y { thayipha isihlungi sokufaka ihhuku yokubeka kuqala isihlungi; yamukela inqubomgomo; counter amaphakethe 1 bytes 309 }}
  • Usekelo olungeziwe lwencazelo ye-IEEE 802.1ad (VLAN stacking noma QinQ), echaza izindlela zokufaka omaka abaningi be-VLAN kuhlaka olulodwa lwe-Ethernet. Isibonelo, ukuze uhlole uhlobo lozimele lwe-Ethernet lwangaphandle 8021ad kanye ne-vlan id=342, ungasebenzisa ukwakha ... uhlobo lwe-ether 802.1ad vlan id 342 ukuze uhlole uhlobo lozimele we-Ethernet wangaphandle 8021ad/vlan id=1, efakwe ku-802.1q/vlan id=2, kanye nohlobo oluthuthukisiwe lwe-IP8021: id 1 vlan uhlobo 8021q vlan id 2 vlan uhlobo ip counter
  • Usekelo lokuphathwa kwensiza kusetshenziswa isigaba esihlanganisiwe se-v2 hierarchy sengeziwe. Umehluko oyinhloko phakathi kwamaqoqo v2 kanye ne-v1 ukusetshenziswa kwesigaba samaqembu esivamile kuzo zonke izinhlobo zezinsiza, esikhundleni sezigaba ezihlukene zokwabiwa kwensiza ye-CPU, ukuphathwa kwememori, kanye ne-I/O. Isibonelo, ukuhlola ukuthi idlozi lesokhethi elisezingeni lokuqala le-cgroupv2 liyahambisana yini ne-mask ethi "system.slice", ungasebenzisa ukwakhiwa okulandelayo: ... isokhethi cgroupv2 level 1 "system.slice"
  • Kwengezwe ikhono lokuhlola izingxenye zamaphakethe e-SCTP (ukusebenza okudingekayo ekusebenzeni kuzovela ku-kernel Linux 5.14). Isibonelo, ukuhlola ukuthi iphakethe liqukethe yini isicucu esinohlobo 'lwedatha' kanye nensimu 'yohlobo': … idatha yesicucu se-sctp ikhona … idatha yesicucu se-sctp uhlobo 0
  • Ukulayisha imithetho kusetshenziswa ifulegi elithi "-f" cishe liphindwe kabili ngesivinini. Okuphumayo kohlu lwemithetho nakho kusheshisiwe.
  • Kunikezwe ifomu elihlangene lokuhlola ukumiswa kwamabhithi kumafulegi. Isibonelo, ukuhlola ukuthi izingcezu zesimo se-snat ne-dnat asethiwe, ungacacisa: ... ct status ! snat,dnat ukuze uhlole ukuthi i-sync bit isethwe kumaski we-sync,ack bit: ... i-tcp ihlaba umkhosi u-sync / syn,ack ukuze uhlole ukuthi amabhithi e-fin nawokuqala awamisiwe yini kumaski we-sync,ack,fin,rst bit: ... tcp flags != fin,rst / syn,ack,fin,fin,kuqala
  • Igama elingukhiye elithi "isinqumo" manje selivunyelwe ezincazelweni zohlobo lwe-set/map: engeza imephu xm {typeof iifname . ip protocol. th dport : isinqumo ;}

Source: opennet.ru

Thenga ukusingathwa okuthembekile kwamasayithi anokuvikelwa kwe-DDoS, amaseva e-VPS VDS 🔥 Thenga ukusingathwa kwewebhusayithi okuthembekile ngokuvikelwa kwe-DDoS, amaseva e-VPS VDS | ProHoster