nftables wani aiki ne wanda ke ba da tacewa da fakiti akan Linux
An buga sakin fakitin fakitin nftables 1.0.7, wanda ya zo tare da wasu haɓakawa, gyare-gyare da kuma wasu sabbin abubuwa.
Ga waɗanda ba su saba da nftables, ya kamata ku san cewa wannan yana haɓaka musaya masu tace fakiti don IPv4, IPv6, ARP, da haɗin yanar gizo (wanda aka nufa don maye gurbin iptables, ip6table, arptables, da ebtables). A lokaci guda, an fito da ɗakin karatu na abokin haɗin gwiwa na libnftnl 1.2.3, wanda ke ba da ƙaramin matakin API don yin hulɗa tare da tsarin nf_tables.
Kunshin nftables ya haɗa da kayan haɗin fakiti waɗanda ke aiki a sararin mai amfani, yayin a matakin kernel, nf_tables subsystem yana samar da wani ɓangare na kwayar Linux tun daga sigar 3.13.
A matakin farko, kawai yana samar da hanyar sadarwa ta yau da kullun wacce ke zaman kanta daga yarjejeniya takamaiman kuma yana ba da ayyuka na asali don cire bayanai daga fakiti, aiwatar da ayyukan bayanai da kuma sarrafa kwararar.
da madaidaiciyar dokokin tacewa da takamaiman yarjejeniya ana haɗa su a cikin bytecode a cikin sararin mai amfani, bayan haka ana ɗora wannan bytecode a cikin kwaya ta amfani da hanyar Netlink kuma ana aiwatar da ita a cikin kernel a cikin wata na’ura ta musamman wacce ta yi kama da BPF (Matatun Berkeley Packet).
Babban sabon fasali na Nftables 1.0.7
A cikin wannan sabon sigar da ta fito daga nftables 1.0.7, don Linux 6.2+ kernel Systems, kara da cewa goyan bayan vxlan, geneve, gre da gretap protocol matching, wanda ke ba da damar kalmomi masu sauƙi don duba rubutun kai a cikin fakitin da aka rufe.
Misali, don duba adireshin IP a cikin taken fakitin VxLAN mai gida, yanzu zaku iya amfani da dokoki (ba tare da buƙatar fara cire taken VxLAN ba kuma ku ɗaure tacewa zuwa ƙirar vxlan0):
Baya ga wannan, an kuma nuna cewada aiwatar da tallafi don haɗawa ta atomatik na ragowar bayan cire wani yanki na abu daga lissafin daidaitawa, ba da damar abu ko wani yanki na kewayo don cire shi daga kewayon da ake da shi (a baya, za a iya cire kewayon gaba ɗaya kawai).
Misali, bayan cire abu na 25 daga lissafin da aka saita tare da jeri na 24-30 da 40-50, 24, 26-30, da 40-50 za su kasance cikin jerin. Za a samar da gyaran gyare-gyaren da ake buƙata don haɗa kai ta atomatik zuwa aiki a cikin fitattun sassan 5.10+ bargawar kernel.
Hakanan an lura cewa an ƙara goyon bayan furcin "karshe", cewa yana ba da damar gano lokaci na ƙarshe da aka yi amfani da kashi na ƙa'idar ko lissafin tsari. Ana tallafawa wannan fasalin tun Linux kernel 5.14.
A gefe guda, an kuma haskaka hakan an ƙara sabon umarni na "hallaka". don cire abubuwa ba tare da wani sharadi ba (ba kamar umarnin cirewa ba, baya tada ENOENT yayin ƙoƙarin cire abin da ya ɓace). Yana buƙatar aƙalla Linux 6.3-rc kernel don aiki.
- An ba da izinin amfani da madaukai a cikin jerin saiti. Misali, ta amfani da jerin adireshi da kuma VLAN ID a matsayin maɓalli, zaku iya saka lambar VLAN kai tsaye (daddr. 123):
- Ƙara ikon ayyana ƙididdiga akan lissafin daidaitawa. Misali, don ayyana keɓancewar zirga-zirga don kowane adireshin IP na manufa, zaku iya saka .
- Bada damar yin amfani da lambobi da jeri a cikin fassarar adireshi (NAT) taswira.
Finalmente ga masu sha'awar ƙarin sani game da shi Game da wannan sabon sigar, zaku iya bincika cikakkun bayanai A cikin mahaɗin mai zuwa.
Yadda ake girka sabon fasalin nftables 1.0.7?
Ga waɗanda ke da sha'awar samun damar samun sabon sigar nftables 1.0.7 a halin yanzu lambar tushe kawai za a iya tattarawa akan tsarinka. Kodayake a cikin 'yan kwanaki akwai wadatattun kayan binary da za a samar a cikin rarraba Linux daban-daban.
Don tattarawa, dole ne a shigar da dogaro masu zuwa:
Wadannan za a iya tattara su tare da:
./autogen.sh ./configure make make install
Kuma don nftables 1.0.5 mun zazzage shi daga mahada mai zuwa. Kuma ana yin tattarawa tare da umarni masu zuwa:
cd nftables ./autogen.sh ./configure make make install