Why does adding a counter queue to my Netfilter chain break my virtual machine?

I am configuring a Netfilter table to queue inbound and outbound packets to user space. So far my table configuration looks like this:

table inet filter {

        # protocols to allow
        set allowed_protocols {
                type inet_proto
                elements = { icmp, icmpv6 }
        }

        # interfaces to accept any traffic on
        set allowed_interfaces {
                type ifname
                elements = { "lo" }
        }

        # services to allow
        set allowed_tcp_dports {
                type inet_service
                elements = { ssh, 9090 }
        }

        # this chain gathers all accept conditions
        chain allow {
                ct state established,related accept

                meta l4proto @allowed_protocols accept
                iifname @allowed_interfaces accept
                tcp dport @allowed_tcp_dports accept
        }

        # base-chain for traffic to this host
        chain INPUT {
                type filter hook input priority filter + 20
                policy accept

                jump allow
                reject with icmpx type port-unreachable
        }

        chain input {
                type filter hook input priority 0;
        }

        chain forward {
                type filter hook forward priority 0;
        }

        chain output {
                type filter hook output priority 0;
        }
}

So far this seems to load fine with nft -f.

However, when I run either of these commands...

nft add inet filter input counter queue num 0

or

nft add inet filter output counter queue num 1

...my virtual machine stops responding to input entirely, and when I kill the connection and run vagrant reload, I am told that my VM has to be forcibly shut down before it can be restarted. Any help on how to configure these queues properly would be greatly appreciated!

OS: Linux fedora 5.19.8-200.fc36.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Sep 8 19:02:21 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

Vagrant: Vagrant 2.3.0

Answer 1

If your application is not listening on the queue, try bypass to accept the packets:

nft add inet filter input counter queue num 0 bypass

Read this: https://wiki.nftables.org/wiki-nftables/index.php/Queueing_to_userspace
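An added check, not part of the question or the answer, that makes the failure mode concrete. It parses a constructed ruleset in the question's layout (the question's chains plus the two queue rules the nft add commands append) and reports two things: queue verdicts without bypass, which drop every packet they see while no program is bound to the queue, and the order in which base chains on the input hook are evaluated, which shows that the input chain at priority 0 queues packets before the INPUT chain at filter + 20 ever reaches allow, so the SSH session is lost along with everything else. The parser, the sample ruleset text and the report function are assumptions made for this example; the line-oriented layout it accepts is the one nft -f reads and nft list ruleset prints.

```python
"""Lint an nftables ruleset for queue verdicts that will blackhole the host.

Added example, not code from the question or answer. Assumes the plain
nft list ruleset / nft -f text layout used in the question: one statement
per line (or several separated by ';'), `chain NAME {` ... `}`.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Named priorities nft accepts in the inet family (subset of the standard names).
NAMED_PRIORITIES = {"raw": -300, "mangle": -150, "dstnat": -100,
                    "filter": 0, "security": 50, "srcnat": 100}


@dataclass
class Chain:
    table: str
    name: str
    hook: str | None = None        # None for regular (non-base) chains such as `allow`
    priority: int | None = None
    rules: list[str] = field(default_factory=list)


def parse_priority(expr: str) -> int:
    """Evaluate a priority expression such as 'filter + 20', '-10' or 'filter'."""
    total = 0
    for sign, tok in re.findall(r"([+-]?)\s*([A-Za-z]+|\d+)", expr):
        val = NAMED_PRIORITIES[tok] if tok.isalpha() else int(tok)
        total += -val if sign == "-" else val
    return total


def parse_ruleset(text: str) -> list[Chain]:
    """Collect every chain with its hook, priority and rule statements."""
    chains: list[Chain] = []
    table = ""
    current: Chain | None = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if m := re.match(r"table\s+(\w+)\s+(\w+)\s*\{", line):
            table = f"{m.group(1)} {m.group(2)}"
        elif m := re.match(r"chain\s+(\w+)\s*\{", line):
            current = Chain(table, m.group(1))
            chains.append(current)
        elif line == "}":
            current = None                            # closes a chain, set or table block
        elif current is not None:
            for stmt in filter(None, (s.strip() for s in line.split(";"))):
                if m := re.match(r"type\s+\w+\s+hook\s+(\w+)\s+priority\s+(.+)", stmt):
                    current.hook, current.priority = m.group(1), parse_priority(m.group(2))
                elif not stmt.startswith("policy"):
                    current.rules.append(stmt)
    return chains


def hook_order(chains: list[Chain], hook: str) -> list[str]:
    """Base chains on `hook` in the order the kernel runs them (ascending priority)."""
    base = [c for c in chains if c.hook == hook and c.priority is not None]
    return [c.name for c in sorted(base, key=lambda c: c.priority)]


def find_blackholing_queues(chains: list[Chain]) -> list[tuple[str, str, str]]:
    """Queue verdicts without `bypass`: while no program is bound to the queue,
    every packet reaching such a rule is dropped.  Returns (chain, hook, rule)."""
    findings = []
    for c in chains:
        for rule in c.rules:
            if re.search(r"\bqueue\b", rule) and not re.search(r"\bbypass\b", rule):
                findings.append((c.name, c.hook or "-", rule))
    return findings


# Constructed sample: the question's layout after the two `nft add` commands.
RULESET = """
table inet filter {
        chain allow {
                ct state established,related accept
        }
        chain INPUT {
                type filter hook input priority filter + 20
                policy accept
                jump allow
                reject with icmpx type port-unreachable
        }
        chain input {
                type filter hook input priority 0;
                counter packets 0 bytes 0 queue num 0
        }
        chain output {
                type filter hook output priority 0;
                counter packets 0 bytes 0 queue num 1
        }
}
"""

# The answer's fix: packets pass when nothing is bound to the queue.
FIXED_RULESET = (RULESET.replace("queue num 0", "queue num 0 bypass")
                        .replace("queue num 1", "queue num 1 bypass"))


def report(text: str) -> list[str]:
    """Human-readable summary: hook ordering plus any blackholing queue rules."""
    chains = parse_ruleset(text)
    lines = [f"input hook order: {' -> '.join(hook_order(chains, 'input'))}"]
    for chain, hook, rule in find_blackholing_queues(chains):
        lines.append(f"{hook} hook, chain {chain}: '{rule}' has no bypass")
    return lines


if __name__ == "__main__":
    print("\n".join(report(RULESET)))
    print("--- with bypass ---")
    print("\n".join(report(FIXED_RULESET)))
```

On the question's ruleset the report lists the input hook order as input -> INPUT and flags both queue rules; on the fixed ruleset it flags nothing. bypass only covers the no-listener case: once a program is bound, it must actually issue a verdict for each packet, or traffic stalls in the same way.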
