Release of the nftables 1.0.7 packet filter

The release of the nftables 1.0.7 packet filter has been published. It unifies the packet-filtering interfaces for IPv4, IPv6, ARP and network bridges (it is intended to replace iptables, ip6tables, arptables and ebtables). The nftables package contains the packet-filtering components that run in user space, while the kernel side is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel level offers only a generic, protocol-independent interface with basic operations for extracting data from packets, operating on that data and controlling flow.

Filtering rules and protocol-specific handlers are compiled into bytecode in user space; that bytecode is then loaded into the kernel over the Netlink interface and executed there by a dedicated virtual machine reminiscent of BPF (Berkeley Packet Filters). This approach makes it possible to keep the filtering code running at kernel level small and to move all rule parsing and protocol-handling logic into user space.

Main changes:

  • On systems with Linux kernel 6.2 or later, support for matching the vxlan, geneve, gre and gretap protocols has been added, so that simple expressions can inspect the headers of encapsulated packets. For example, to check the IP address in the header of a packet nested inside VXLAN you can now write rules like the following (without first decapsulating the VXLAN header and binding the filter to a vxlan0 interface):

        ... udp dport 4789 vxlan ip protocol udp
        ... udp dport 4789 vxlan ip saddr 1.2.3.0/24
        ... udp dport 4789 vxlan ip saddr . vxlan ip daddr { 1.2.3.4 . 4.3.2.1 }

  • Support for automatically merging the remainder after a partial deletion from an interval set, which lets you remove a single element or part of a range from an existing range (previously the whole range was removed). For example, after deleting element 25 from an interval set holding the ranges 24-30 and 40-50, the set contains 24, 26-30 and 40-50. The kernel fix required for auto-merging to work will be provided in maintenance releases of the stable 5.10+ kernel branches.

        # nft list ruleset
        table ip x {
                set y {
                        typeof tcp dport
                        flags interval
                        auto-merge
                        elements = { 24-30, 40-50 }
                }
        }
        # nft delete element ip x y { 25 }
        # nft list ruleset
        table ip x {
                set y {
                        typeof tcp dport
                        flags interval
                        auto-merge
                        elements = { 24, 26-30, 40-50 }
                }
        }

  • Concatenations with ranges are now allowed in address translation (NAT) maps.

        table ip nat {
                chain prerouting {
                        type nat hook prerouting priority dstnat; policy accept;
                        dnat to ip daddr . tcp dport map { 10.1.1.136 . 80 : 1.1.2.69 . 1024, 10.1.1.10-10.1.1.20 . 8888-8889 : 1.1.2.69 . 2048-2049 } persistent
                }
        }

  • Added support for the "last" expression, which reports the last time a rule or a set element was used. The feature requires Linux kernel 5.14 or later.

        table ip x {
                set y {
                        typeof ip daddr . tcp dport
                        size 65535
                        flags dynamic,timeout
                        last
                        timeout 1h
                }

                chain z {
                        type filter hook output priority filter; policy accept;
                        update @y { ip daddr . tcp dport }
                }
        }

        # nft list set ip x y
        table ip x {
                set y {
                        typeof ip daddr . tcp dport
                        size 65535
                        flags dynamic,timeout
                        last
                        timeout 1h
                        elements = { 172.217.17.14 . 443 last used 1s591ms timeout 1h expires 59m58s409ms,
                                     172.67.69.19 . 443 last used 4s636ms timeout 1h expires 59m55s364ms,
                                     142.250.201.72 . 443 last used 4s748ms timeout 1h expires 59m55s252ms,
                                     172.67.70.134 . 443 last used 4s688ms timeout 1h expires 59m55s312ms,
                                     35.241.9.150 . 443 last used 5s204ms timeout 1h expires 59m54s796ms,
                                     138.201.122.174 . 443 last used 4s537ms timeout 1h expires 59m55s463ms,
                                     34.160.144.191 . 443 last used 5s205ms timeout 1h expires 59m54s795ms,
                                     130.211.23.194 . 443 last used 4s436ms timeout 1h expires 59m55s564ms }
                }
        }

  • Added the ability to define quotas on sets. For example, to cap the amount of traffic per destination IP address you can specify the following (the netdev egress hook used here itself needs kernel 5.16 or later; after two pings the element shows 196 bytes used, i.e. two 98-byte ICMP echo requests):

        table netdev x {
                set y {
                        typeof ip daddr
                        size 65535
                        quota over 10000 mbytes
                }

                chain y {
                        type filter hook egress device "eth0" priority filter; policy accept;
                        ip daddr @y drop
                }
        }

        # nft add element netdev x y { 8.8.8.8 }
        # ping -c 2 8.8.8.8
        # nft list ruleset
        table netdev x {
                set y {
                        type ipv4_addr
                        size 65535
                        quota over 10000 mbytes
                        elements = { 8.8.8.8 quota over 10000 mbytes used 196 bytes }
                }

                chain y {
                        type filter hook egress device "eth0" priority filter; policy accept;
                        ip daddr @y drop
                }
        }

  • Constants are allowed in set concatenations. For example, when a hardware address and a VLAN ID form the set key, the VLAN number can be given directly (daddr . 123):

        table netdev t {
                set s {
                        typeof ether saddr . vlan id
                        size 2048
                        flags dynamic,timeout
                        timeout 1m
                }

                chain c {
                        type filter hook ingress device eth0 priority 0; policy accept;
                        ether type != 8021q update @s { ether daddr . 123 } counter
                }
        }

  • Added a new "destroy" command that deletes objects unconditionally (unlike the delete command, it does not return ENOENT when the object to be deleted does not exist). It requires at least Linux kernel 6.3-rc.

        destroy table ip filter
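The new vxlan match above is evaluated on the headers inside the encapsulation, which is only exercisable on a 6.2+ kernel. As an added example (Python, not nftables code and not part of the project), the following builds a VXLAN-in-IPv4 packet with constructed addresses, walks outer IPv4, UDP/4789, the 8-byte VXLAN header and the inner Ethernet frame to reach the inner IPv4 header, and then applies the same two predicates the rules express: `vxlan ip saddr 1.2.3.0/24` and the `vxlan ip saddr . vxlan ip daddr { ... }` concatenation. The packet layout, MAC addresses and the 192.0.2.0/24 outer addresses are assumptions made for the example; a malformed or non-VXLAN packet yields no match rather than an exception, which is the behaviour a kernel-side match has to have.

```python
import ipaddress
import struct

# Constants used by the encapsulation walk
VXLAN_PORT = 4789        # standard VXLAN UDP destination port
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header without options (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def ethernet_header(ethertype):
    """Ethernet header with constructed, locally administered MAC addresses."""
    return bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + struct.pack("!H", ethertype)


def udp_header(sport, dport, payload_len):
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def vxlan_header(vni):
    """8-byte VXLAN header: flags (I bit = VNI valid), 3 reserved, 24-bit VNI, 1 reserved."""
    return bytes([0x08, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"


def build_vxlan_packet(outer_src, outer_dst, vni, inner_src, inner_dst, inner_proto=IPPROTO_UDP):
    """Constructed packet: outer IPv4 -> UDP/4789 -> VXLAN -> inner Ethernet -> inner IPv4."""
    inner = ethernet_header(ETHERTYPE_IPV4) + ipv4_header(inner_src, inner_dst, inner_proto, 0)
    vx = vxlan_header(vni) + inner
    udp = udp_header(49152, VXLAN_PORT, len(vx)) + vx
    return ipv4_header(outer_src, outer_dst, IPPROTO_UDP, len(udp)) + udp


def parse_ipv4(buf):
    """Return ({saddr, daddr, protocol}, payload) or None if the header is malformed."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        return None
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        return None
    fields = {"saddr": ipaddress.IPv4Address(buf[12:16]),
              "daddr": ipaddress.IPv4Address(buf[16:20]),
              "protocol": buf[9]}
    return fields, buf[ihl:]


def vxlan_inner_ipv4(buf):
    """Locate the IPv4 header carried inside a VXLAN-in-IPv4 packet.

    Returns the inner header fields plus the VNI, or None when the packet is not
    well-formed VXLAN traffic (an nft `vxlan` match then simply does not match).
    Every length check guards the slice that follows it."""
    outer = parse_ipv4(buf)
    if outer is None or outer[0]["protocol"] != IPPROTO_UDP:
        return None
    udp = outer[1]
    if len(udp) < 8:
        return None
    if struct.unpack("!H", udp[2:4])[0] != VXLAN_PORT:
        return None
    vx = udp[8:]
    if len(vx) < 8 or not (vx[0] & 0x08):      # I flag clear: no valid VNI
        return None
    vni = int.from_bytes(vx[4:7], "big")
    eth = vx[8:]
    if len(eth) < 14 or struct.unpack("!H", eth[12:14])[0] != ETHERTYPE_IPV4:
        return None
    inner = parse_ipv4(eth[14:])
    if inner is None:
        return None
    fields = dict(inner[0])
    fields["vni"] = vni
    return fields


def match_inner_saddr(buf, network):
    """Model of `udp dport 4789 vxlan ip saddr <network>`."""
    hdr = vxlan_inner_ipv4(buf)
    return hdr is not None and hdr["saddr"] in ipaddress.ip_network(network)


def match_inner_pair(buf, pairs):
    """Model of `udp dport 4789 vxlan ip saddr . vxlan ip daddr { a . b, ... }`."""
    hdr = vxlan_inner_ipv4(buf)
    if hdr is None:
        return False
    return (str(hdr["saddr"]), str(hdr["daddr"])) in {tuple(p) for p in pairs}


if __name__ == "__main__":
    pkt = build_vxlan_packet("192.0.2.1", "192.0.2.2", 100, "1.2.3.4", "4.3.2.1")
    print(match_inner_saddr(pkt, "1.2.3.0/24"))             # True: inner source is in range
    print(match_inner_pair(pkt, [("1.2.3.4", "4.3.2.1")]))  # True
    print(vxlan_inner_ipv4(pkt)["vni"])                     # 100
```

Note that the outer addresses never influence the result: a plain, unencapsulated packet from 1.2.3.4 does not match `vxlan ip saddr 1.2.3.0/24`, which is exactly why the keyword removes the need for a decapsulating vxlan0 interface.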
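The `last used` / `timeout` / `expires` listing shown above is what an operator scrapes to find which entries of a dynamic set have gone quiet. The following is an added example (Python, not part of nftables): it parses the text form of `nft list set` as printed above, converts nft durations such as `59m58s409ms` to seconds, reports elements idle for longer than a threshold, and cross-checks that `timeout - expires` agrees with `last used`. The embedded listing is constructed from the release-note output; the element grammar it accepts (a key, then optional `last used`, `timeout` and `expires` parts) is an assumption that covers only those three stateful parts.

```python
import re

# Constructed from the `nft list set ip x y` output in the release notes above
SAMPLE_LISTING = """\
table ip x {
        set y {
                typeof ip daddr . tcp dport
                size 65535
                flags dynamic,timeout
                last
                timeout 1h
                elements = { 172.217.17.14 . 443 last used 1s591ms timeout 1h expires 59m58s409ms,
                             172.67.69.19 . 443 last used 4s636ms timeout 1h expires 59m55s364ms,
                             142.250.201.72 . 443 last used 4s748ms timeout 1h expires 59m55s252ms,
                             35.241.9.150 . 443 last used 5s204ms timeout 1h expires 59m54s796ms }
        }
}
"""

_UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1, "ms": 0.001}

# Key, then the optional stateful parts in the order nft prints them (assumed grammar)
_ELEMENT_RE = re.compile(
    r"^(?P<key>.+?)"
    r"(?:\s+last used (?P<last_used>\S+))?"
    r"(?:\s+timeout (?P<timeout>\S+))?"
    r"(?:\s+expires (?P<expires>\S+))?$"
)


def parse_duration(text):
    """Convert an nft duration ('1h', '1s591ms', '59m58s409ms') to seconds."""
    total = 0.0
    pos = 0
    for m in re.finditer(r"(\d+)(ms|d|h|m|s)", text):   # 'ms' must be tried before 'm'
        if m.start() != pos:
            raise ValueError(f"bad duration: {text!r}")
        total += int(m.group(1)) * _UNIT_SECONDS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(text):
        raise ValueError(f"bad duration: {text!r}")
    return total


def parse_elements(listing):
    """Extract the `elements = { ... }` block and return one dict per element."""
    block = re.search(r"elements\s*=\s*\{(.*?)\}", listing, re.S)
    if not block:
        return []
    out = []
    for raw in block.group(1).split(","):
        raw = " ".join(raw.split())            # collapse the wrapped-line indentation
        if not raw:
            continue
        m = _ELEMENT_RE.match(raw)
        if not m:
            raise ValueError(f"unrecognised element: {raw!r}")
        out.append({
            "key": tuple(m.group("key").split(" . ")),   # concatenated key parts
            "last_used": parse_duration(m.group("last_used")) if m.group("last_used") else None,
            "timeout": parse_duration(m.group("timeout")) if m.group("timeout") else None,
            "expires": parse_duration(m.group("expires")) if m.group("expires") else None,
        })
    return out


def idle_elements(elements, idle_seconds):
    """Keys whose `last used` age exceeds idle_seconds."""
    return [e["key"] for e in elements
            if e["last_used"] is not None and e["last_used"] > idle_seconds]


def consistent(elements, tolerance=0.001):
    """True when timeout - expires matches last used for every element that has all three."""
    for e in elements:
        if None in (e["last_used"], e["timeout"], e["expires"]):
            continue
        if abs((e["timeout"] - e["expires"]) - e["last_used"]) > tolerance:
            return False
    return True


if __name__ == "__main__":
    els = parse_elements(SAMPLE_LISTING)
    print(idle_elements(els, 5.0))    # [('35.241.9.150', '443')]
    print(consistent(els))            # True
```

In the sample, only 35.241.9.150 . 443 has been idle for more than five seconds; the `timeout - expires` cross-check reproduces every `last used` value, so either field can drive a staleness report when the other is absent.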

Source: opennet.ru
