itoedr's IT Academy

Recording the journey from IT illiterate to expert

A collection of netfilter usage tips (still being collected...)

2014-06-11 10:32:49 | Category: xtables applications

       [Figure: the most recently updated data-flow diagram of the netfilter framework; image not recoverable]
      nftables has now reached version 0.22. To deepen my understanding of nftables' features in step with its development, I am revisiting the iptables and ebtables techniques from my past development work, so as to strengthen my grasp of netfilter and keep up with nftables in practice.
       1:: Tips for using ebtables
                Using atomic operations: [screenshot; image not recoverable]
                Saving the existing rules while working with ebtables: [screenshot; image not recoverable]
By design, the broute table is dedicated to handling the bridge's traffic.
 
       2:: Identifying the ports of an ebtables bridge at the network layer (iptables)

        Linux kernels 2.6 and later ship a physdev match module, which lets us identify, at layer 3, the physical ports of a layer-2 bridge.

The 2.6+ standard kernel contains an iptables match module called physdev, which has to be used to match the bridge's physical in and out ports.

 The following example shows this way of identifying physical ports:

         iptables -m physdev --physdev-in <bridge-port>
         # This uses iptables' extended matching (-m), which loads a netfilter extension module; --physdev-in names the bridge port the packet came in on.

and

     iptables -m physdev --physdev-out <bridge-port>   # --physdev-out names the bridge port the packet leaves through.
In addition, the mac match module can be used to match on a packet's MAC address.
       3:: Loading and storing ebtables rules automatically

       Atomically load or update a table:

          Why do we want to be able to atomically load or update a table? Because then the table data is given to the kernel in one step. This is sometimes desirable to prevent race conditions when adding multiple rules at once. The most obvious use case, however, is when the tables are initially populated with rules. Committing the table to the kernel at once saves a lot of context switching and kernel time, resulting in much faster configuration. Here is a brief description how to do this. The examples will use the nat table, of course this works for any table.
          The simplest situation is when the kernel table already contains the right data. We can then do the following:
First we put the kernel's table into the file nat_table:

       ebtables --atomic-file nat_table -t nat --atomic-save

Then we (optionally) zero the counters of the rules in the file:

       ebtables -t nat --atomic-file nat_table -Z

At bootup we use the following command to get everything into the kernel table at once:

        ebtables --atomic-file nat_table -t nat --atomic-commit

We can also build up the complete table in the file. We can use the environment variable EBTABLES_ATOMIC_FILE. First we set the environment variable:

        export EBTABLES_ATOMIC_FILE=nat_table

Then we initialize the file with the default table, which has empty chains and policy ACCEPT:

        ebtables -t nat --atomic-init

We then add our rules, user defined chains, change policies:

         ebtables -t nat -A PREROUTING -j DROP

We can check the contents of our table with:

         ebtables -t nat -L --Lc --Ln

We then use the following command to get everything into the kernel table at once:

          ebtables -t nat --atomic-commit

Don't forget to unset the environment variable:

          unset EBTABLES_ATOMIC_FILE

Now all ebtables commands will execute onto the actual kernel table again, instead of on the file nat_table.

    A few other constants: $mangle_table, $filter_table, $nat_table
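As an added example, not code from the original post, the following script wraps the atomic-file procedure above into a function and pairs it with the physdev match from section 2 on the layer-3 side. The port names eth1 (LAN) and eth0 (uplink), the file path under /var/lib/ebtables and the EBT/IPT override variables are assumptions.

```sh
#!/bin/sh
# Added example (not the original post's code). Assumptions: bridge ports
# eth1 (LAN side) and eth0 (uplink); EBT/IPT can be overridden, e.g. with
# "echo", for a dry run that only prints the commands.
EBT="${EBT:-ebtables}"
IPT="${IPT:-iptables}"

# Build an ebtables table in an atomic file, verify it, commit it to the
# kernel in one step. Every ebtables call inside acts on the file, not the
# kernel, while EBTABLES_ATOMIC_FILE is exported.
atomic_load_table() {
    table="$1"; file="$2"; shift 2
    export EBTABLES_ATOMIC_FILE="$file"
    # Initialize the file with empty chains and policy ACCEPT.
    "$EBT" -t "$table" --atomic-init || return 1
    # Each remaining argument is one rule spec, e.g. "-A PREROUTING -j DROP";
    # the unquoted $rule is split into words on purpose.
    for rule in "$@"; do
        # shellcheck disable=SC2086
        "$EBT" -t "$table" $rule || return 1
    done
    # Review the file's contents, with counters and rule numbers, first.
    "$EBT" -t "$table" -L --Lc --Ln || return 1
    # Hand the whole table to the kernel at once.
    "$EBT" -t "$table" --atomic-commit || return 1
    unset EBTABLES_ATOMIC_FILE   # later commands hit the kernel table again
}

# Layer-3 counterpart using the physdev match: forward bridged IPv4 traffic
# from the LAN port to the uplink, allow only replies back, drop the rest
# entering from the uplink. Needs br_netfilter with
# net.bridge.bridge-nf-call-iptables=1 so iptables sees bridged frames.
physdev_forward_policy() {
    lan="$1"; uplink="$2"
    "$IPT" -A FORWARD -m physdev --physdev-is-bridged \
        --physdev-in "$lan" --physdev-out "$uplink" -j ACCEPT || return 1
    "$IPT" -A FORWARD -m physdev --physdev-is-bridged \
        --physdev-in "$uplink" --physdev-out "$lan" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT || return 1
    "$IPT" -A FORWARD -m physdev --physdev-is-bridged \
        --physdev-in "$uplink" -j DROP
}

# Applies the rules only when explicitly asked; otherwise just defines them.
if [ "${1:-}" = "--apply" ]; then
    atomic_load_table filter /var/lib/ebtables/filter_table \
        "-P FORWARD DROP" "-A FORWARD -i eth1 -o eth0 -j ACCEPT" \
        "-A FORWARD -i eth0 -o eth1 -j ACCEPT" || exit 1
    physdev_forward_policy eth1 eth0 || exit 1
fi
```

Run with EBT=echo IPT=echo and --apply to see the exact command sequence without touching the kernel tables.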


Copyright © 1997-2017 NetEase, Inc.