nftables 1.0.6 packet filter release

The nftables 1.0.6 packet filter release has been published, unifying the packet filtering interfaces for IPv4, IPv6, ARP and network bridges (it is intended to replace iptables, ip6tables, arptables and ebtables). The nftables package contains the packet filtering components that run in user space, while the kernel-level functionality is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel level provides only a generic, protocol-independent interface that offers basic operations for extracting data from packets, operating on that data, and controlling flow.

Filtering rules and protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel through the Netlink interface and executed in the kernel by a dedicated virtual machine reminiscent of BPF (Berkeley Packet Filters). This approach noticeably reduces the amount of filtering code that runs at the kernel level and moves all rule parsing and protocol-handling logic into user space.

Main changes:

  • The ruleset optimizer, invoked when the "-o/--optimize" option is given, can now automatically pack rules by merging them and converting them into maps and sets. For example, the rules

        # cat ruleset.nft
        table ip x {
                chain y {
                        type filter hook input priority filter; policy drop;
                        meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
                        meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4 accept
                        meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.3.0/24 accept
                        meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.4.0-2.2.4.10 accept
                        meta iifname eth2 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept
                }
        }

    are, after running "nft -o -c -f ruleset.nft", converted as follows:

        Merging:
        ruleset.nft:4:17-74: meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
        ruleset.nft:5:17-74: meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4 accept
        ruleset.nft:6:17-77: meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.3.0/24 accept
        ruleset.nft:7:17-83: meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.4.0-2.2.4.10 accept
        ruleset.nft:8:17-74: meta iifname eth2 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept
        into:
                iifname . ip saddr . ip daddr { eth1 . 1.1.1.1 . 2.2.2.3, eth1 . 1.1.1.2 . 2.2.2.4, eth1 . 1.1.1.2 . 2.2.3.0/24, eth1 . 1.1.1.2 . 2.2.4.0-2.2.4.10, eth2 . 1.1.1.3 . 2.2.2.5 } accept

  • The optimizer can also convert rules that already use simple list sets into a more compact combined form. For example, the rules

        # cat ruleset.nft
        table ip filter {
                chain input {
                        type filter hook input priority filter; policy drop;

                        iifname "lo" accept
                        ct state established,related accept comment "Traffic originated from us, hopefully"
                        iifname "enp0s31f6" ip saddr { 209.115.181.102, 216.197.228.230 } ip daddr 10.0.0.149 udp sport 123 udp dport 32768-65535 accept
                        iifname "enp0s31f6" ip saddr { 64.59.144.17, 64.59.150.133 } ip daddr 10.0.0.149 udp sport 53 udp dport 32768-65535 accept
                }
        }

    are, after running "nft -o -c -f ruleset.nft", converted as follows (the source-position prefixes of the two merged rules are omitted here):

        Merging:
        iifname "enp0s31f6" ip saddr { 209.115.181.102, 216.197.228.230 } ip daddr 10.0.0.149 udp sport 123 udp dport 32768-65535 accept
        iifname "enp0s31f6" ip saddr { 64.59.144.17, 64.59.150.133 } ip daddr 10.0.0.149 udp sport 53 udp dport 32768-65535 accept
        into:
                iifname . ip saddr . ip daddr . udp sport . udp dport { enp0s31f6 . 209.115.181.102 . 10.0.0.149 . 123 . 32768-65535, enp0s31f6 . 216.197.228.230 . 10.0.0.149 . 123 . 32768-65535, enp0s31f6 . 64.59.144.17 . 10.0.0.149 . 53 . 32768-65535, enp0s31f6 . 64.59.150.133 . 10.0.0.149 . 53 . 32768-65535 } accept

  • Fixed a problem with generating bytecode for concatenations of intervals that use types with different byte orders, such as IPv4 addresses (network byte order) and meta mark (host byte order):

        table ip x {
                map w {
                        typeof ip saddr . meta mark : verdict
                        flags interval
                        elements = { 127.0.0.1-127.0.0.4 . 0x123434-0xb00122 : accept,
                                     192.168.0.10-192.168.1.20 . 0x0000aa00-0x0000aaff : accept, }
                }
                chain k {
                        type filter hook input priority filter; policy drop;
                        ip saddr . meta mark vmap @w
                }
        }

  • Improved comparisons for uncommon protocols when raw expressions are used, for example: meta l4proto 91 @th,400,16 0x0 accept
  • Fixed problems with rules that permit port intervals, for example: insert rule x y tcp sport { 3478-3497, 16384-16387 } counter accept
  • The JSON API has been extended to support expressions in set and map element lists.
  • Extensions to the nftables Python library allow loading rulesets for processing in check mode ("-c") and add support for defining variables externally.
  • Comments may now be attached to set elements.
  • The byte ratelimit now accepts a value of zero.
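As an added illustration of the merge that "nft -o" performs in the two optimizer examples above (example code written for this page, not part of nftables or its Python library), the following Python script parses flat rules of the form shown, groups rules that share the same selectors and verdict, and folds each group into one rule that matches a concatenation against an anonymous set. It also handles the anonymous-set case from the second example by expanding the set into the cartesian product of its values; the supported rule syntax and the input rulesets are assumptions constructed for this demonstration.

```python
import itertools
import re

# Tokens are anonymous sets { a, b }, quoted strings, or bare words.
TOKEN = re.compile(r'\{[^}]*\}|"[^"]*"|\S+')

def parse_rule(rule):
    """Split a flat rule into ([(key, [values]), ...], verdict)."""
    toks = TOKEN.findall(rule.replace("meta iifname", "iifname"))  # nft's own normalisation
    verdict = toks.pop()
    matches, i = [], 0
    while i < len(toks):
        if toks[i] == "iifname":
            key, i = "iifname", i + 1
        else:  # two-word selectors such as "ip saddr", "udp dport"
            key, i = f"{toks[i]} {toks[i + 1]}", i + 2
        raw, i = toks[i].strip('"'), i + 1
        # an anonymous set { a, b } contributes several values
        vals = [v.strip() for v in raw.strip("{}").split(",")] if raw.startswith("{") else [raw]
        matches.append((key, vals))
    return matches, verdict

def merge_rules(rules):
    """Emulate 'nft -o': rules sharing the same selectors and verdict fold into one
    rule that looks up a concatenation in an anonymous set; lone rules stay as is."""
    groups = {}
    for rule in rules:
        matches, verdict = parse_rule(rule)
        keys = tuple(k for k, _ in matches)
        g = groups.setdefault((keys, verdict), {"rules": [], "elems": []})
        g["rules"].append(rule)
        # a rule with sets expands to the cartesian product of its values
        g["elems"] += [" . ".join(c) for c in itertools.product(*(v for _, v in matches))]
    out = []
    for (keys, verdict), g in groups.items():
        if len(g["rules"]) == 1:
            out.append(g["rules"][0])
        else:
            out.append(f"{' . '.join(keys)} {{ {', '.join(g['elems'])} }} {verdict}")
    return out

# Constructed input: the first ruleset from the notes above plus one rule with no partner.
RULES = [
    "meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept",
    "meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.4 accept",
    "meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.3.0/24 accept",
    "meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.4.0-2.2.4.10 accept",
    "meta iifname eth2 ip saddr 1.1.1.3 ip daddr 2.2.2.5 accept",
    "ip saddr 10.0.0.0/8 drop",
]
```

Calling merge_rules(RULES) yields the same concatenated-set rule that nft printed for the first example, followed by the untouched drop rule; the operational gain is that one set lookup replaces a linear walk over every accept rule, and a policy that lives in one place is easier to audit.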

Source: opennet.ru
