nftables 1.0.7 has been released, and here is what's new

nftables is a project that provides packet filtering and packet classification on Linux

The release of the nftables 1.0.7 packet filter has been announced. It comes with several improvements, fixes and some new features.

For those not familiar with nftables, it unifies the packet filtering interfaces for IPv4, IPv6, ARP and network bridging (it is intended to replace iptables, ip6tables, arptables and ebtables). At the same time, the companion library libnftnl 1.2.3 was released, which provides a low-level API for interacting with the nf_tables subsystem.

The nftables package contains the packet filter components that run in user space, while the kernel-level work is done by the nf_tables subsystem, which has been part of the Linux kernel since version 3.13.

At the kernel level, only a generic, protocol-independent interface is provided, which supplies the basic functions for extracting data from packets, performing operations on that data and controlling flow.

The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space. This bytecode is then loaded into the kernel through the Netlink interface and executed in the kernel by a special virtual machine similar to BPF (Berkeley Packet Filters).

Main new features of nftables 1.0.7

In this new version of nftables 1.0.7, for systems with Linux kernel 6.2+, support has been added for matching on the vxlan, geneve, gre and gretap protocols, which allows simple expressions to check headers in encapsulated packets.

For example, to check the IP address in the header of a nested VxLAN packet, you can now use rules (without first having to decapsulate the VxLAN header and bind the filter to the vxlan0 interface):

In addition, support was implemented for automatically merging the remainders after part of a set-list element is removed, which allows an element or part of a range to be removed from an existing range (previously, a range could only be removed as a whole).

For example, after removing element 25 from a set list with the ranges 25-24 and 30-40, 50, 24-26, and 30-40 will remain in the set. The fixes required for automatic merging to work will be offered in maintenance releases of the 50+ stable kernel branches.
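
A small Python model of the partial-deletion behaviour described above, added here as an illustration; it is not nftables or kernel code, and the class name, method names and sample ranges are constructed for the example.

```python
"""Toy model of an interval set with auto-merge and partial deletion.

Added illustration, not nftables or kernel code. Class and method names
and the sample ranges are constructed for this example.
"""


class IntervalSet:
    def __init__(self, ranges=()):
        self.ranges = []  # sorted, disjoint, inclusive (lo, hi) pairs
        for lo, hi in ranges:
            self.add(lo, hi)

    def add(self, lo, hi):
        """Insert [lo, hi], merging overlapping or adjacent ranges."""
        kept = []
        for a, b in self.ranges:
            if b < lo - 1 or a > hi + 1:
                kept.append((a, b))              # disjoint: keep as is
            else:
                lo, hi = min(lo, a), max(hi, b)  # absorb into new range
        self.ranges = sorted(kept + [(lo, hi)])

    def delete(self, lo, hi, partial=True):
        """Remove [lo, hi] from the set.

        partial=False models the older behaviour the article describes:
        only a range stored as a whole can be removed (assumed here to
        fail with KeyError). partial=True keeps the remainders.
        """
        if not partial:
            if (lo, hi) not in self.ranges:
                raise KeyError(f"{lo}-{hi} is not stored as a whole range")
            self.ranges.remove((lo, hi))
            return
        out = []
        for a, b in self.ranges:
            if b < lo or a > hi:
                out.append((a, b))           # untouched range
                continue
            if a < lo:
                out.append((a, lo - 1))      # remainder left of the cut
            if b > hi:
                out.append((hi + 1, b))      # remainder right of the cut
        self.ranges = out


def demo():
    s = IntervalSet([(100, 200), (8000, 8100)])  # constructed ranges
    s.delete(150, 150)                           # remove a single element
    return s.ranges
```

When reviewing a ruleset after such a deletion, expect one stored range to appear as two, with only the removed value no longer matched.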

Support was also added for the "last" expression, which lets you find out when a rule element or set list was last used. This feature has been supported since Linux kernel 5.14.

On the other hand, a new "destroy" command was added to remove objects unconditionally (unlike the delete command, it does not raise ENOENT when you try to remove an object that does not exist). It requires at least a Linux 6.3-rc kernel to work.

  • The use of constants in set lists is allowed. For example, when using a list keyed by destination address and VLAN ID, you can specify the VLAN number directly (daddr . 123):
  • Added the ability to define quotas on set-list elements. For example, to define a traffic quota for each IP address, you can specify:
  • Concatenations and ranges are allowed in address translation (NAT) mappings.

Finally, for those interested in learning more about this new version, you can check the details at the following link.

How to install the new version of nftables 1.0.7?

For those interested in getting the new version of nftables 1.0.7, at the moment only the source code is available, which can be compiled on your system. Within a few days, however, precompiled binary packages will be available in the various Linux distributions.

To compile, you need to have the following dependencies installed:

These can be compiled with:

./autogen.sh
./configure
make
make install

As for nftables 1.0.5, we get it from the following link. It is compiled with the following commands:

cd nftables
./autogen.sh
./configure
make
make install
