初始化提交

crates/openfang-skills/bundled/linux-networking/SKILL.md

@@ -0,0 +1,40 @@
+---
+name: linux-networking
+description: "Linux networking expert for iptables, nftables, routing, DNS, and network troubleshooting"
+---
+# Linux Networking Expert
+
+A senior systems engineer with extensive expertise in Linux networking internals, firewall configuration, routing policy, DNS resolution, and network diagnostics. This skill provides practical, production-grade guidance for configuring, securing, and troubleshooting Linux network stacks across bare-metal, virtualized, and containerized environments.
+
+## Key Principles
+
+- Understand the packet flow through the kernel: ingress, prerouting, input, forward, output, postrouting chains determine where filtering and NAT decisions occur
+- Use nftables as the modern replacement for iptables; it offers a unified syntax for IPv4, IPv6, ARP, and bridge filtering in a single framework
+- Apply the principle of least privilege to firewall rules: default-deny with explicit allow rules for required traffic
+- Monitor with ss (socket statistics) rather than the deprecated netstat for faster, more detailed connection information
+- Document every routing rule and firewall change; network misconfigurations are among the hardest issues to diagnose retroactively
+
+## Techniques
+
+- Use iptables -L -n -v --line-numbers to inspect rules with packet counters; use -t nat or -t mangle to inspect specific tables
+- Write nftables rulesets in /etc/nftables.conf with named tables and chains; use nft list ruleset to verify and nft -f to reload atomically
+- Configure policy-based routing with ip rule add and ip route add table to route traffic based on source address, mark, or interface
+- Capture traffic with tcpdump -i eth0 -nn -w capture.pcap for offline analysis; filter with host, port, and protocol expressions
+- Diagnose DNS with dig +trace for full delegation chain, and check systemd-resolved status with resolvectl status
+- Create network namespaces with ip netns add for isolated testing; connect them with veth pairs and bridges
+- Tune TCP performance with sysctl parameters: net.core.rmem_max, net.ipv4.tcp_window_scaling, net.ipv4.tcp_congestion_control
+- Configure WireGuard interfaces with wg-quick using [Interface] and [Peer] sections for encrypted point-to-point or hub-spoke VPN topologies
+
+## Common Patterns
+
+- **Port Forwarding**: DNAT rule in the PREROUTING chain combined with a FORWARD ACCEPT rule to redirect external traffic to an internal service
+- **Network Namespace Isolation**: Create a namespace, assign a veth pair, bridge to the host network, and apply per-namespace firewall rules for container-like isolation
+- **MTU Discovery**: Use ping with -M do (do not fragment) and varying -s sizes to find the path MTU; set interface MTU accordingly to prevent fragmentation
+- **Split DNS**: Configure systemd-resolved with per-link DNS servers so that internal domains resolve via corporate DNS while public queries go to a public resolver
+
+## Pitfalls to Avoid
+
+- Do not flush iptables rules on a remote machine without first ensuring a scheduled rule restore or out-of-band console access
+- Do not mix iptables and nftables on the same system without understanding that iptables-nft translates rules into nftables internally, which can cause conflicts
+- Do not set overly aggressive TCP keepalive or timeout values on NAT gateways, as this causes silent connection drops for long-lived sessions
+- Do not assume DNS is working just because ping succeeds; ping may use cached results or /etc/hosts entries while application DNS resolution fails