nftables 1.0.2 packet filter release

The nftables 1.0.2 packet filter has been released. It unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridges (and is intended to replace iptables, ip6tables, arptables and ebtables). The kernel-side changes required for nftables 1.0.2 to work are included in Linux kernel 5.17-rc.

The nftables package contains the packet filter components that run in user space, while the kernel-side functionality is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel level provides only a generic, protocol-independent interface with basic primitives for extracting data from packets, performing operations on that data and controlling flow.

Filtering rules and protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel over the Netlink interface and executed there in a dedicated virtual machine reminiscent of BPF (Berkeley Packet Filters). This approach substantially reduces the amount of filtering code running at kernel level and moves all rule parsing and protocol-handling logic into user space.

Main changes:

  • A rule optimization mode, enabled with the new "-o" ("--optimize") option, which can be combined with the "--check" option to check and optimize a ruleset file without loading it. Optimization merges similar rules; for example, the rules:

        meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
        meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.5 accept
        ip saddr 1.1.1.1 ip daddr 2.2.2.2 accept
        ip saddr 2.2.2.2 ip daddr 3.3.3.3 drop

    are merged into:

        meta iifname . ip saddr . ip daddr { eth1 . 1.1.1.1 . 2.2.2.3, eth1 . 1.1.1.2 . 2.2.2.5 } accept
        ip saddr . ip daddr vmap { 1.1.1.1 . 2.2.2.2 : accept, 2.2.2.2 . 3.3.3.3 : drop }

    Usage example:

        # nft -c -o -f ruleset.test
        Merging:
        ruleset.nft:16:3-37: ip daddr 192.168.0.1 counter accept
        ruleset.nft:17:3-37: ip daddr 192.168.0.2 counter accept
        ruleset.nft:18:3-37: ip daddr 192.168.0.3 counter accept
        into:
        ip daddr { 192.168.0.1, 192.168.0.2, 192.168.0.3 } counter packets 0 bytes 0 accept

  • Sets can now be typed on ip and tcp options and on sctp chunks:

        set s5 {
            typeof ip option ra value
            elements = { 1, 1024 }
        }
        set s7 {
            typeof sctp chunk init num-inbound-streams
            elements = { 1, 4 }
        }
        chain c5 {
            ip option ra value @s5 accept
        }
        chain c7 {
            sctp chunk init num-inbound-streams @s7 accept
        }
  • Added support for the TCP options fastopen, md5sig and mptcp.
  • Added support for using the mptcp subtype in maps: tcp option mptcp subtype 1
  • Improved kernel-side filtering code.
  • Flowtables now have full JSON format support.
  • The "reject" verdict can now be used in matching operations that involve Ethernet headers:

        ether saddr aa:bb:cc:dd:ee:ff ip daddr 192.168.0.1 reject
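The rule merging performed by the "-o" option can be modelled in a few lines. The following Python script is an added example and is not nft's own optimizer: it folds runs of consecutive rules that match on the same selectors into one rule over a concatenated set (when all verdicts are equal) or a verdict map (when they differ), reproducing the two merges from the optimization bullet above. The selector names it understands, the restriction to adjacent rules, the helper names and the sample rule lists are assumptions of this toy, not behaviour documented in the release; the real optimizer also prints counter state ("counter packets 0 bytes 0"), which the toy omits.

```python
"""Toy model of the rule merging done by "nft -o" (added example, not nft code).

Consecutive rules in a chain that match on the same selectors are folded into
one rule over a concatenated set (all verdicts equal) or a verdict map
(verdicts differ). Selector names, the adjacency restriction and the sample
rules below are assumptions of this toy, not documented nft behaviour.
"""

# Selectors the toy parser understands: a two-word key followed by one value.
SELECTORS = ("meta iifname", "ip saddr", "ip daddr")
VERDICTS = ("accept", "drop", "reject")
STATEMENTS = ("counter",)

# Constructed sample rules, mirroring the release note examples.
RULES = [
    "meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept",
    "meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.5 accept",
    "ip saddr 1.1.1.1 ip daddr 2.2.2.2 accept",
    "ip saddr 2.2.2.2 ip daddr 3.3.3.3 drop",
]
COUNTER_RULES = [
    "ip daddr 192.168.0.1 counter accept",
    "ip daddr 192.168.0.2 counter accept",
    "ip daddr 192.168.0.3 counter accept",
]
# A rule the toy cannot parse sits between two mergeable rules. nftables
# evaluates rules in order, so merging across it would change first-match
# semantics; the toy therefore leaves all three rules untouched.
SHADOW_RULES = [
    "ip daddr 10.0.0.1 accept",
    "tcp dport 22 drop",
    "ip daddr 10.0.0.2 accept",
]


def parse_rule(rule):
    """Split one rule into (selector keys, values, statements, verdict).

    Returns None for anything the toy grammar does not cover, so unknown
    rules are passed through unchanged instead of being mis-merged.
    """
    tokens = rule.split()
    if not tokens or tokens[-1] not in VERDICTS:
        return None
    verdict = tokens.pop()
    keys, values, statements = [], [], []
    i = 0
    while i < len(tokens):
        if tokens[i] in STATEMENTS:
            statements.append(tokens[i])
            i += 1
            continue
        if i + 2 < len(tokens) and f"{tokens[i]} {tokens[i + 1]}" in SELECTORS:
            keys.append(f"{tokens[i]} {tokens[i + 1]}")
            values.append(tokens[i + 2])
            i += 3
            continue
        return None
    return tuple(keys), tuple(values), tuple(statements), verdict


def format_rule(keys, values, statements, verdict):
    """Render a single parsed rule back in nft syntax."""
    matches = " ".join(f"{k} {v}" for k, v in zip(keys, values))
    return " ".join(filter(None, [matches, " ".join(statements), verdict]))


def format_merged(keys, statements, members):
    """Render a run of rules as one set rule or one vmap rule."""
    concat = " . ".join(keys)
    stmt = " ".join(statements)
    verdicts = {verdict for _, verdict in members}
    if len(verdicts) == 1:
        # Same verdict everywhere: anonymous set of concatenated values.
        elems = ", ".join(" . ".join(values) for values, _ in members)
        tail = f" {stmt}" if stmt else ""
        return f"{concat} {{ {elems} }}{tail} {members[0][1]}"
    # Verdicts differ: a verdict map; any statements precede the vmap verdict.
    elems = ", ".join(f"{' . '.join(values)} : {verdict}" for values, verdict in members)
    prefix = f"{stmt} " if stmt else ""
    return f"{prefix}{concat} vmap {{ {elems} }}"


def optimize(rules):
    """Merge runs of adjacent rules that share selector keys and statements."""
    result, run, run_sig = [], [], None

    def flush():
        if not run:
            return
        keys, statements = run_sig
        if len(run) == 1:
            result.append(format_rule(keys, run[0][0], statements, run[0][1]))
        else:
            result.append(format_merged(keys, statements, run))
        run.clear()

    for rule in rules:
        parsed = parse_rule(rule)
        if parsed is None:
            flush()                  # unknown rule ends the current run
            result.append(rule)
            continue
        keys, values, statements, verdict = parsed
        sig = (keys, statements)
        if sig != run_sig:
            flush()
            run_sig = sig
        run.append((values, verdict))
    flush()
    return result


if __name__ == "__main__":
    for sample in (RULES, COUNTER_RULES, SHADOW_RULES):
        print("\n".join(optimize(sample)), end="\n\n")
```

Run it directly to see the merged output for the three constructed rule lists; the first two reproduce the set and vmap rules from the release note, and the third shows that a rule the optimizer does not understand acts as a barrier rather than being silently hoisted past.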

Source: opennet.ru
