nftables 1.0.0 packet filter released

The nftables 1.0.0 packet filter has been released. It unifies the packet-filtering interfaces for IPv4, IPv6, ARP and network bridges (and is intended to replace iptables, ip6tables, arptables and ebtables). The kernel-side changes that nftables 1.0.0 needs are included in Linux 5.13. The jump in the version number is not tied to any fundamental change; it is simply the result of continuing the decimal numbering (the previous release was 0.9.9).

The nftables package contains the packet-filter components that run in user space, while the kernel-side functionality is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel side offers only a generic, protocol-independent interface with basic operations for extracting data from packets, operating on that data, and controlling flow.

Filtering rules and protocol-specific handlers are compiled into bytecode in user space; the bytecode is then loaded into the kernel over the Netlink interface and executed there in a dedicated virtual machine reminiscent of BPF (Berkeley Packet Filters). This approach keeps the filtering code that runs at kernel level small and moves all rule parsing and protocol-handling logic into user space.

Main changes:

  • Support for the wildcard element "*" in sets and maps has been added; it matches any packet that does not fall under the other elements defined in the set:

        table x {
            map blocklist {
                type ipv4_addr : verdict
                flags interval
                elements = { 192.168.0.0/16 : accept, 10.0.0.0/8 : accept, * : drop }
            }
            chain y {
                type filter hook prerouting priority 0; policy accept;
                ip saddr vmap @blocklist
            }
        }

  • Variables can now be defined on the command line with the "--define" option:

        # cat test.nft
        table netdev x {
            chain y {
                type filter hook ingress device = $dev priority 0; policy drop;
            }
        }
        # nft --define dev="{ eth0, eth1 }" -f test.nft

  • Stateful expressions may now be used in map elements:

        table inet filter {
            map portmap {
                type inet_service : verdict
                counter
                elements = { 22 counter packets 0 bytes 0 : jump ssh_input, * counter packets 0 bytes 0 : drop }
            }
            chain ssh_input { }
            chain wan_input {
                tcp dport vmap @portmap
            }
            chain prerouting {
                type filter hook prerouting priority raw; policy accept;
                iif vmap { "lo" : jump wan_input }
            }
        }

  • A "list hooks" command has been added to display the handlers registered for a given packet family:

        # nft list hooks ip device eth0
        family ip {
            hook ingress {
                +0000000010  chain netdev x y [nf_tables]
                +0000000300  chain inet m w [nf_tables]
            }
            hook input {
                -0000000100  chain ip a b [nf_tables]
                +0000000300  chain inet m z [nf_tables]
            }
            hook forward {
                -0000000225  selinux_ipv4_forward
                 0000000000  chain ip c d [nf_tables]
            }
            hook output {
                -0000000225  selinux_ipv4_output
            }
            hook postrouting {
                +0000000225  selinux_ipv4_postroute
            }
        }

  • The queue expression can be combined with jhash, symhash and numgen to distribute packets across user-space queues:

        ... queue to symhash mod 65536
        ... queue flags bypass to numgen inc mod 65536
        ... queue to jhash oif . meta mark mod 32

    "queue" can also be combined with maps to select the user-space queue from arbitrary keys:

        ... queue flags bypass to oifname map { "eth0" : 0, "ppp0" : 2, "eth1" : 2 }

  • Variables that hold set lists can now be expanded inside maps:

        define interfaces = { eth0, eth1 }

        table ip x {
            chain y {
                type filter hook input priority 0; policy accept;
                iifname vmap { lo : accept, $interfaces : drop }
            }
        }

        # nft -f x.nft
        # nft list ruleset
        table ip x {
            chain y {
                type filter hook input priority 0; policy accept;
                iifname vmap { "lo" : accept, "eth0" : drop, "eth1" : drop }
            }
        }

  • Ranges may now be combined with vmaps (verdict maps) in concatenations:

        # nft add rule x y tcp dport . ip saddr vmap { 1025-65535 . 192.168.10.2 : accept }

  • Simplified syntax for NAT maps. An address range may be specified:

        ... snat to ip saddr map { 10.141.11.4 : 192.168.2.2-192.168.2.4 }

    or an explicit IP address and port:

        ... dnat to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 }

    or a combination of IP ranges and ports:

        ... dnat to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.2-10.141.10.5 . 8888-8999 }
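The wildcard element, interval maps and range concatenations above all rely on the same lookup semantics: a verdict map is a lookup, not a first-match rule list, elements of an interval set must not overlap, and "*" is consulted only when no other element matches. The following offline model is an added example, not code from the nftables project; the names VerdictMap, lookup, blocklist_verdict, port_saddr_verdict and conflicting_intervals_rejected are this example's own, and the two sample maps are constructed from the blocklist and "tcp dport . ip saddr" snippets in the release notes. It generalizes the snippets slightly by accepting any mix of prefixes, integer ranges and exact values as key components.

```python
"""Offline model of how an nftables verdict map resolves a key: interval
elements, concatenated keys, and the catch-all "*" element of nftables 1.0.0.
Added example; not nftables code. Names and sample maps are this example's own.
"""
import ipaddress

CATCH_ALL = "*"  # the wildcard element: used only when nothing else matches
net = ipaddress.ip_network
_NETWORK = (ipaddress.IPv4Network, ipaddress.IPv6Network)


def interval(lo, hi):
    """Inclusive integer range, like '1025-65535' in nft syntax."""
    return range(lo, hi + 1)


def _as_key(k):
    """Concatenated keys are tuples; a single-component key is wrapped in one."""
    return k if isinstance(k, tuple) else (k,)


def _matches(pattern, value):
    """One key component: an IP network, an integer range, or an exact value."""
    if isinstance(pattern, _NETWORK):
        return ipaddress.ip_address(value) in pattern
    if isinstance(pattern, range):
        return value in pattern
    return pattern == value


def _overlaps(a, b):
    """Two patterns of the same component conflict if some key matches both."""
    if isinstance(a, _NETWORK) and isinstance(b, _NETWORK):
        return a.overlaps(b)
    if isinstance(a, range) and isinstance(b, range):
        return a.start < b.stop and b.start < a.stop
    return a == b


class VerdictMap:
    """Models 'map m { type K : verdict; flags interval; elements = { ... } }'."""

    def __init__(self, elements):
        self.elements = []
        self.catch_all = None
        for key, verdict in elements:
            if isinstance(key, str) and key == CATCH_ALL:
                self.catch_all = verdict
                continue
            key = _as_key(key)
            # nftables rejects overlapping entries in an interval set (without
            # auto-merge); this model does the same so lookups stay unambiguous.
            for other, _ in self.elements:
                if len(other) == len(key) and all(_overlaps(p, q) for p, q in zip(key, other)):
                    raise ValueError(f"conflicting intervals specified: {key} vs {other}")
            self.elements.append((key, verdict))

    def lookup(self, value):
        """Verdict for a key, the catch-all verdict if nothing matched, or None
        when there is no catch-all either (the rule then does not apply)."""
        value = _as_key(value)
        for key, verdict in self.elements:
            if len(key) == len(value) and all(_matches(p, v) for p, v in zip(key, value)):
                return verdict
        return self.catch_all


# Constructed from the release's first snippet: 'ip saddr vmap @blocklist'
blocklist = VerdictMap([
    (net("192.168.0.0/16"), "accept"),
    (net("10.0.0.0/8"), "accept"),
    (CATCH_ALL, "drop"),
])

# Constructed from 'tcp dport . ip saddr vmap { 1025-65535 . 192.168.10.2 : accept }'
port_saddr = VerdictMap([
    ((interval(1025, 65535), "192.168.10.2"), "accept"),
])


def blocklist_verdict(saddr):
    return blocklist.lookup(saddr)


def port_saddr_verdict(dport, saddr):
    return port_saddr.lookup((dport, saddr))


def conflicting_intervals_rejected():
    """Nested prefixes in one interval map are refused, as nftables does."""
    try:
        VerdictMap([(net("10.0.0.0/8"), "accept"), (net("10.1.0.0/16"), "drop")])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for addr in ("192.168.1.7", "10.3.2.1", "8.8.8.8"):
        print(addr, "->", blocklist_verdict(addr))
    print("8080 . 192.168.10.2 ->", port_saddr_verdict(8080, "192.168.10.2"))
```

Run it to see that 8.8.8.8 hits the "*" element while both RFC 1918 prefixes are accepted, and that the concatenated key only matches when every component does; a map without "*" returns None, which is the case where a rule such as "tcp dport . ip saddr vmap { ... }" silently does nothing for unlisted traffic.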

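The "list hooks" listing is the first place nft shows handlers that no ruleset describes, such as the SELinux entries above. The parser below is an added example, not nftables code: parse_hooks, foreign_handlers and priorities_sorted are this example's own names, and SAMPLE is a constructed copy of the listing from the release notes. It turns the listing into signed priorities per hook and reports which entries lack the [nf_tables] tag, which is what an auditor wants to know when reviewing the full netfilter pipeline on a host.

```python
"""Parser for 'nft list hooks' output (nftables 1.0.0). Added example; not
nftables code. SAMPLE is a constructed copy of the release-notes listing.
"""
import re

SAMPLE = """\
family ip {
    hook ingress {
        +0000000010  chain netdev x y [nf_tables]
        +0000000300  chain inet m w [nf_tables]
    }
    hook input {
        -0000000100  chain ip a b [nf_tables]
        +0000000300  chain inet m z [nf_tables]
    }
    hook forward {
        -0000000225  selinux_ipv4_forward
         0000000000  chain ip c d [nf_tables]
    }
    hook output {
        -0000000225  selinux_ipv4_output
    }
    hook postrouting {
        +0000000225  selinux_ipv4_postroute
    }
}
"""

HOOK_RE = re.compile(r"^\s*hook\s+(\w+)\s*\{")
# optional sign, zero-padded priority, then the handler description
ENTRY_RE = re.compile(r"^\s*([+-]?)(\d+)\s+(.*\S)\s*$")


def parse_hooks(text):
    """Return {hook_name: [(priority, handler), ...]} in the order nft listed them."""
    hooks, current = {}, None
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if m:
            current = m.group(1)
            hooks[current] = []
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            sign, digits, handler = m.groups()
            prio = -int(digits) if sign == "-" else int(digits)
            hooks[current].append((prio, handler))
    return hooks


def foreign_handlers(hooks):
    """Handlers without the [nf_tables] tag were registered by other kernel
    subsystems (SELinux in the sample) and run in the pipeline although no nft
    rule describes them. Hooks with none are omitted from the result."""
    out = {}
    for hook, entries in hooks.items():
        others = [h for _, h in entries if not h.endswith("[nf_tables]")]
        if others:
            out[hook] = others
    return out


def priorities_sorted(hooks):
    """True if every hook lists its handlers in ascending priority, the order
    in which netfilter invokes them for a packet."""
    return all(
        [p for p, _ in entries] == sorted(p for p, _ in entries)
        for entries in hooks.values()
    )


if __name__ == "__main__":
    parsed = parse_hooks(SAMPLE)
    for hook, entries in parsed.items():
        print(hook, entries)
    print("non-nf_tables handlers:", foreign_handlers(parsed))
    print("listed in priority order:", priorities_sorted(parsed))
```

On a live system the same functions can be fed the output of "nft list hooks <family> device <ifname>" (subprocess output instead of SAMPLE); any handler reported by foreign_handlers deserves a look, since it affects packets before or after your own chains without appearing in "nft list ruleset".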
Source: opennet.ru
