From 8d0753ced829f536f9a82e9b0a548e70ec3ff089 Mon Sep 17 00:00:00 2001
From: Ihar Hancharenka
Date: Tue, 29 Jul 2025 20:05:15 +0300
Subject: [PATCH] m

---
 nontech/intelligence/people/kolpakidi.txt | 3 +
 .../admin/security/firewall/nft-netfilter.txt | 60 +++++++++++++++++++
 2 files changed, 63 insertions(+)

diff --git a/nontech/intelligence/people/kolpakidi.txt b/nontech/intelligence/people/kolpakidi.txt
index 4602a7106..18cce3ad8 100644
--- a/nontech/intelligence/people/kolpakidi.txt
+++ b/nontech/intelligence/people/kolpakidi.txt
@@ -26,6 +26,9 @@ https://iknigi.net/avtor-aleksandr-kolpakidi/60821-gru-v-velikoy-otechestvennoy-
 https://coollib.com/b/109300-aleksandr-ivanovich-kolpakidi-superfrau-iz-gru/read
 2025
+YeyOfGod - Zikurat of Destruction of 49:24
+ https://www.youtube.com/watch?v=-caBUu1k2I4
+ ! 3:00 Mavzoley - symbol of victory on fascism
 CognitiveThinking - Kolpakidi - Vrangel and Other Oligarhs of 17:18
 https://www.youtube.com/watch?v=xpjH4tk7sXE
 Provocazii - Honey Traps of 14:46
diff --git a/os/unix/admin/security/firewall/nft-netfilter.txt b/os/unix/admin/security/firewall/nft-netfilter.txt
index 1dba89b3d..9df0cb80e 100644
--- a/os/unix/admin/security/firewall/nft-netfilter.txt
+++ b/os/unix/admin/security/firewall/nft-netfilter.txt
@@ -1,15 +1,41 @@
 https://wiki.nftables.org/wiki-nftables/index.php/Main_Page
+https://wiki.nftables.org/wiki-nftables/index.php/Sets
+
+https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables
 https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes
+
+https://wiki.nftables.org/wiki-nftables/index.php/Setting_packet_metainformation
+ In this example, the conntrack mark is stored in the packet.
+ nft add rule filter forward meta mark set ct mark
 https://wiki.nftables.org/wiki-nftables/index.php/Matching_packet_metainformation
 skuid UID associated with originating socket
+ You can use your user name to match traffic, eg.
+ nft add rule filter output meta skuid pablo[|1000] counter
+
+ nft add rule filter output meta mark 123 counter
+
 secmark Y packet secmark integer (32 bit)
 https://www.mankier.com/8/nft
 https://www.netfilter.org/projects/nftables/manpage.html
+tutorial
+https://people.netfilter.org/pablo/nft-tutorial.pdf
+ ! p14
+ nft add rule ip foo bar meta skuid 1000-1100
+ nft add rule ip foo bar ct mark set 10
+ nft add rule ip foo bar ct mark set meta mark
+
+src
+https://git.netfilter.org/nftables/
+
+samples
+https://kernelnewbies.org/nftables_examples
 wiki
 https://wiki.gentoo.org/wiki/Nftables
 https://wiki.archlinux.org/title/Nftables
+ /etc/systemd/system/docker.service.d/netns.conf
+ ... nsenter ...
 https://wiki.archlinux.org/title/Nftables_(%D0%A0%D1%83%D1%81%D1%81%D0%BA%D0%B8%D0%B9)
 /etc/nftables/
@@ -23,7 +49,41 @@ nft
 sudo systemctl status nftables.service
 sudo systemctl is-enabled nftables.service
+backend
+ firewalld (https://wiki.archlinux.org/title/Firewalld)
+
 2016 iptables deprecation
 https://developers.redhat.com/blog/2016/10/28/what-comes-after-iptables-its-successor-of-course-nftables#known_limitations
 https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/9.0_release_notes/deprecated_functionality
+
+sudo nft
+
+table ip filter {
+ chain output {
+ type filter hook output priority 0; policy accept;
+ ip daddr 0.0.0.0/0 meta skuid 1000($UID) mark set 0x1
+ }
+}
+
+sudo nft list ruleset
+sudo ip rule add fwmark 0x1 table 100
+sudo ip route add default via 192.168.1.1 table 100
+
+install packages
+ nftables
+ # cgroup-tools
+ libcgroup-tools
+ /etc/cgconfig.conf
+
+sudo lsmod | grep net_cls
+sudo mkdir /sys/fs/cgroup/net_cls/firefox
+sudo sh -c "echo 0x100001 > /sys/fs/cgroup/net_cls/firefox/net_cls.classid"
+sudo cgexec -g net_cls:firefox firefox
+
+sudo nft add table ip filter
+sudo nft add chain ip filter output { type filter hook output priority 0; }
+sudo nft add rule ip filter output meta cgroup 0x100001 meta mark set 0x1
+
+sudo nft list ruleset > /etc/nftables.conf
+sudo systemctl enable nftables
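Review bot: `sudo nft list ruleset > /etc/nftables.conf` on the second-to-last added line does not persist the ruleset: only `nft` runs as root, the `>` redirection is performed by the unprivileged shell and is denied on /etc, so the following `systemctl enable nftables` boots with whatever the old file held — use `sudo sh -c 'nft list ruleset > /etc/nftables.conf'` or `sudo nft list ruleset | sudo tee /etc/nftables.conf`. The `fwmark 0x1 table 100` policy routing is fail-open: when table 100 has no usable default route (gateway interface down) the lookup falls through to the main table and the marked traffic leaves by the normal path, which matters if the intent is to confine a user's or firefox's traffic, so a trailing `sudo ip rule add fwmark 0x1 prohibit priority 101` (table rule at priority 100) is worth adding to fail closed. `meta cgroup` and `/sys/fs/cgroup/net_cls` are cgroup v1 interfaces; on a unified-hierarchy (cgroup v2) host that directory does not exist and the equivalent match is roughly `socket cgroupv2 level 1 "firefox"` against a v2 cgroup, which deserves a note next to the `lsmod | grep net_cls` check. In the `table ip filter` snippet, `1000($UID)` is a placeholder rather than nft syntax and `ip daddr 0.0.0.0/0` matches everything and can be dropped; `meta skuid 1000 meta mark set 0x1` is the form that loads.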