# ==== tar member: examples/load_balancing.nft 0000755 00000003502 15125522777 0012030 0 ustar 00 ====
#!/usr/sbin/nft -f
# This example file shows how to implement load balancing using the nftables
# framework.
# This script is meant to be loaded with `nft -f <file>`
# You require linux kernel >= 4.12 and nft >= 0.7
# For up-to-date information please visit https://wiki.nftables.org
#
# NOTE(review): `flush ruleset` wipes every table in every family on the host,
# not only the ones defined in this file -- load this on a lab box, never on a
# production firewall without adapting it.

flush ruleset

table ip nat {
	chain prerouting {
		# NOTE(review): -300 puts this nat chain *before* conntrack (-200).
		# NAT relies on conntrack state, so at this priority I would expect the
		# dnat statements below to have no effect; the standard `dstnat`
		# priority is -100. Confirm on the target kernel before reusing this.
		type nat hook prerouting priority -300;

		# The four dnat rules below are alternative strategies shown side by
		# side. The first one has no match at all, and nat statements end rule
		# evaluation for the packet, so in practice only one of them can take
		# effect for a given connection -- keep one and drop the others in a
		# real ruleset.

		# round-robin load balancing between the 2 IPv4 addresses:
		dnat to numgen inc mod 2 map { 0 : 192.168.10.100, \
					       1 : 192.168.20.200 }

		# emulate flow distribution with different backend weights using
		# intervals (0-5 = 6 of 10 values = 60 %, 6-9 = 40 %):
		dnat to numgen inc mod 10 map { 0-5 : 192.168.10.100, \
						6-9 : 192.168.20.200 }

		# tcp port based distribution is also possible:
		ip protocol tcp dnat to 192.168.1.100 : numgen inc mod 2 map { 0 : 4040 ,\
									       1 : 4050 }

		# consistent hash-based distribution: the same (source address,
		# destination port) pair always lands on the same backend.
		# NOTE(review): no explicit `seed` is given, so the kernel picks a
		# random seed when the ruleset is loaded and the client-to-backend
		# mapping changes on every reload; add `seed <n>` if stability across
		# reloads matters.
		dnat to jhash ip saddr . tcp dport mod 2 map { 0 : 192.168.20.100, \
							       1 : 192.168.30.100 }
	}
}

table ip raw {
	chain prerouting {
		# -300 is the raw priority: it runs before conntrack (-200), which is
		# where `notrack` has to be applied
		type filter hook prerouting priority -300;

		# using stateless NAT, round-robin distribution (you could use hashing too):
		# NOTE(review): with `notrack` no conntrack entry exists, so replies from
		# the backends are NOT reverse-translated for you -- the return path has
		# to be handled separately (a matching `ip saddr set` rule on the way
		# out, or a DSR setup). Because there is no connection state, `numgen
		# inc` also advances per packet, so packets of one TCP flow can
		# alternate between backends; use the hash form for real traffic.
		tcp dport 80 notrack
		# NOTE(review): this rule carries no match, so it rewrites the
		# destination of EVERY IPv4 packet entering prerouting, not only the
		# port-80 flows marked notrack above; prefix it with `tcp dport 80`
		# (or merge both rules into one) before using it.
		ip daddr set numgen inc mod 2 map { 0 : 192.168.1.100, 1 : 192.168.1.101 }
	}
}

table netdev mytable {
	chain ingress {
		# mind the NIC devices, they must exist in the system
		type filter hook ingress device eth0 priority 0;

		# using Direct Server Return (DSR), connectionless approach:
		# only the layer-2 addresses are rewritten (source MAC = this box,
		# destination MAC = chosen backend) and `fwd` hands the frame straight
		# to eth1 from the ingress hook, before the host IP stack sees it.
		# The IP destination is left untouched, so the backends must be set up
		# to accept the service address themselves (the usual DSR
		# loopback/ARP-suppression configuration), and the MAC values below are
		# placeholders to replace.
		udp dport 53 ether saddr set aa:bb:cc:dd:ff:ee ether daddr set numgen inc mod 2 map { 0 : aa:aa:aa:aa:aa:aa, 1 : bb:bb:bb:bb:bb:bb } fwd to eth1

		# using Direct Server Return (DSR), connection-oriented flows:
		# hashing on (source address, source port) keeps every packet of one
		# TCP connection on the same backend, which the per-packet `numgen inc`
		# above does not guarantee.
		tcp dport 80 ether saddr set aa:bb:cc:dd:ff:ee ether daddr set jhash ip saddr . tcp sport mod 2 map { 0 : aa:aa:aa:aa:aa:aa, 1 : bb:bb:bb:bb:bb:bb } fwd to eth1
	}
}

# ==== tar member: examples/sets_and_maps.nft 0000755 00000002376 15125522777 0011743 0 ustar 00 ====
#!/usr/sbin/nft -f
# This example file shows how to use sets and maps in the nftables framework.
# This script is meant to be loaded with `nft -f <file>`
# For up-to-date information please visit https://wiki.nftables.org

# symbolic anonymous set definition built from symbolic singleton definitions
define int_if1 = eth0
define int_if2 = eth1
define int_ifs = { $int_if1, $int_if2 }
define ext_if1 = eth2
define ext_if2 = eth3
define ext_ifs = { $ext_if1, $ext_if2 }

# recursive symbolic anonymous set definition (a set built from other sets)
define local_ifs = { $int_ifs, $ext_ifs }

# symbolic anonymous set definition mixing service names and an inclusive
# port range
define tcp_ports = { ssh, domain, https, 123-125 }

# NOTE(review): `delete table filter` fails when the table does not exist
# yet, so the very first load of this script errors out; the other examples
# use `flush ruleset` instead, or a preceding `table filter {}` declaration
# makes the delete safe.
delete table filter

# no family given, so this is an `ip` table
table filter {
	# named set of type iface_index
	# note: `@local_ifs` (this set) and `$local_ifs` (the define above) are
	# unrelated objects that merely share a name
	set local_ifs {
		type iface_index
	}

	# named map of type iface_index : ipv4_addr (declared, not used below)
	map nat_map {
		type iface_index : ipv4_addr
	}

	# named verdict map: interface -> verdict (jump/accept/drop/...)
	map jump_map {
		type iface_index : verdict
	}

	chain input_1 {
		counter;
	}

	chain input_2 {
		counter;
	}

	# no `policy` is given, so the chain policy is accept; every rule below
	# only counts, nothing is filtered
	chain input {
		type filter hook input priority 0

		# symbolic anonymous sets
		meta iif $local_ifs tcp dport $tcp_ports counter

		# literal anonymous set
		meta iif { eth0, eth1 } counter

		# named set; no elements are ever added in this file, so this rule
		# matches nothing as written
		meta iif @local_ifs counter

		# verdict map lookup: the verdict comes from the map value of the
		# matching interface (the map is empty here, so this matches nothing)
		meta iif vmap @jump_map

		# NOTE(review): this disabled variant jumps to `input1`/`input2`, but
		# the chains declared above are `input_1`/`input_2`; fix the names
		# before enabling it.
		#meta iif vmap { eth0 : jump input1, eth1 : jump input2 }
	}
}

# ==== tar member: examples/secmark.nft 0000755 00000004544 15125522777 0010547 0 ustar 00 ====
#!/usr/sbin/nft -f
# This example file shows how to use secmark labels with the nftables framework.
# This script is meant to be loaded with `nft -f <file>`
# You require linux kernel >= 4.20 and nft >= 0.9.3
# This example is SELinux based, for the secmark objects you require
# SELinux enabled and a SELinux policy defining the stated contexts
# For up-to-date information please visit https://wiki.nftables.org

flush ruleset

table inet x {
	# secmark objects: each names the SELinux context stamped onto matching
	# packets, which lets the SELinux policy decide which domains may send or
	# receive them. Every context listed must exist in the loaded policy, or
	# the ruleset fails to load.
	secmark ssh_server {
		"system_u:object_r:ssh_server_packet_t:s0"
	}

	secmark dns_client {
		"system_u:object_r:dns_client_packet_t:s0"
	}

	secmark http_client {
		"system_u:object_r:http_client_packet_t:s0"
	}

	# NOTE(review): same context as http_client, and neither map below
	# references it (port 443 maps to "http_client"), so this object is
	# defined but unused.
	secmark https_client {
		"system_u:object_r:http_client_packet_t:s0"
	}

	secmark ntp_client {
		"system_u:object_r:ntp_client_packet_t:s0"
	}

	secmark icmp_client {
		"system_u:object_r:icmp_client_packet_t:s0"
	}

	secmark icmp_server {
		"system_u:object_r:icmp_server_packet_t:s0"
	}

	secmark ssh_client {
		"system_u:object_r:ssh_client_packet_t:s0"
	}

	secmark git_client {
		"system_u:object_r:git_client_packet_t:s0"
	}

	# inbound: destination port -> server label; only ssh is labelled, every
	# other new inbound flow is left unlabelled
	map secmapping_in {
		type inet_service : secmark
		elements = { 22 : "ssh_server" }
	}

	# outbound: destination port -> client label
	map secmapping_out {
		type inet_service : secmark
		elements = { 22 : "ssh_client",
			     53 : "dns_client",
			     80 : "http_client",
			     123 : "ntp_client",
			     443 : "http_client",
			     9418 : "git_client" }
	}

	# NOTE(review): the priorities -225 / 225 used for the two chains match
	# the kernel's NF_IP_PRI_SELINUX_FIRST / NF_IP_PRI_SELINUX_LAST values,
	# presumably so that labels are set relative to SELinux's own netfilter
	# hooks -- confirm against the target kernel.
	chain y {
		type filter hook input priority -225;

		# label new incoming packets and add to connection; a port that is not
		# in the map does not match, so that packet stays unlabelled
		ct state new meta secmark set tcp dport map @secmapping_in
		ct state new meta secmark set udp dport map @secmapping_in
		ct state new ip protocol icmp meta secmark set "icmp_server"
		# NOTE(review): `ip6 nexthdr` looks only at the fixed IPv6 header, so
		# ICMPv6 behind an extension header is missed; `meta l4proto ipv6-icmp`
		# walks the extension-header chain and is the safer match.
		ct state new ip6 nexthdr icmpv6 meta secmark set "icmp_server"
		# copy the packet label into the conntrack entry so the rest of the
		# connection can inherit it below
		ct state new ct secmark set meta secmark

		# set label for est/rel packets from connection
		ct state established,related meta secmark set ct secmark
	}

	chain z {
		type filter hook output priority 225;

		# label new outgoing packets and add to connection
		ct state new meta secmark set tcp dport map @secmapping_out
		ct state new meta secmark set udp dport map @secmapping_out
		ct state new ip protocol icmp meta secmark set "icmp_client"
		# NOTE(review): same `ip6 nexthdr` caveat as in chain y
		ct state new ip6 nexthdr icmpv6 meta secmark set "icmp_client"
		ct state new ct secmark set meta secmark

		# set label for est/rel packets from connection
		ct state established,related meta secmark set ct secmark
	}
}

# ==== tar member: examples/ct_helpers.nft 0000755 00000002357 15125522777 0011252 0 ustar 00 ====
#!/usr/sbin/nft -f
# This example file shows how to use ct helpers in the nftables framework.
# Note that nftables includes interesting improvements compared to how this
# was done with iptables, such as loading multiple helpers with a single rule
# This script is meant to be loaded with `nft -f <file>`
# You require linux kernel >= 4.12 and nft >= 0.8
# For up-to-date information please visit https://wiki.nftables.org

# Using ct helpers is an important security feature when doing stateful
# firewalling, since it mitigates certain networking attacks.
# More info at: https://home.regit.org/netfilter-en/secure-use-of-helpers/
# In short: a helper parses untrusted payload and creates "related"
# expectations, so it must only be attached explicitly to the flows that need
# it (as done here with `ct helper set`), never auto-assigned to everything on
# a port.

flush ruleset

table inet filter {
	# declare helpers of this table: each object binds a kernel helper module
	# ("ftp", "sip", "tftp") to a layer-4 protocol; `l3proto inet` makes the
	# helper usable for IPv4 and IPv6 traffic
	ct helper ftp-standard {
		type "ftp" protocol tcp;
		l3proto inet
	}
	ct helper sip-5060 {
		type "sip" protocol udp;
		l3proto inet
	}
	ct helper tftp-69 {
		type "tftp" protocol udp
		l3proto inet
	}

	chain input {
		type filter hook input priority 0; policy drop;

		# NOTE(review): this accepts every related flow, including every data
		# connection a helper expects. The linked article recommends scoping
		# that per helper instead, e.g. `ct state related ct helper "ftp" accept`.
		ct state established,related accept

		# NOTE(review): `ct helper set` is not a verdict and nothing below
		# accepts `ct state new`, so with `policy drop` the first packet of a
		# new ftp/tftp/sip connection is tagged with its helper and then
		# dropped by the chain policy. A working ruleset also needs e.g.
		# `tcp dport 21 accept` and `udp dport { 69, 5060 } accept`.

		# assign a single helper in a single rule
		tcp dport 21 ct helper set "ftp-standard"

		# assign multiple helpers in a single rule
		ct helper set udp dport map { 69 : "tftp-69", \
					      5060 : "sip-5060" }
	}
}