[PATCH v5 31/30] network: use iif/oif instead of iifname/oifname in nftables rules

[PATCH v5 31/30] network: use iif/oif instead of iifname/oifname in nftables rules
Posted by Laine Stump 3 months, 3 weeks ago

iifname/oifname need to look up the string that contains the name of
the interface each time a packet is checked, while iif/oif compare the
ifindex of the interface, which the kernel already carries in the
per-packet metadata. Conveniently, the rule is created using the *name* of
the interface (which gets converted to ifindex as the rule is added), so
no extra work is required other than changing the commandline option.

If it was the case that the interface could be deleted and re-added
during the life of the rule, we would have to use Xifname (since
deleting and re-adding the interface would result in ifindex
changing), but for our uses this never happens, so Xif works for us,
and undoubtedly improves performance by at least 0.0000001%.

Signed-off-by: Laine Stump <laine@redhat.com>
---
 src/network/network_nftables.c                | 28 +++++++++----------
 .../nat-default-linux.nftables                | 12 ++++----
 .../nat-ipv6-linux.nftables                   | 24 ++++++++--------
 .../nat-ipv6-masquerade-linux.nftables        | 24 ++++++++--------
 .../nat-many-ips-linux.nftables               | 20 ++++++-------
 .../nat-no-dhcp-linux.nftables                | 24 ++++++++--------
 .../nat-tftp-linux.nftables                   | 12 ++++----
 .../route-default-linux.nftables              | 12 ++++----
 8 files changed, 78 insertions(+), 78 deletions(-)

diff --git a/src/network/network_nftables.c b/src/network/network_nftables.c
index f3824ece99..59ab231a06 100644
--- a/src/network/network_nftables.c
+++ b/src/network/network_nftables.c
@@ -236,7 +236,7 @@ nftablesAddInput(virFirewall *fw,
     virFirewallAddCmd(fw, layer, "insert", "rule",
                       layerStr, VIR_NFTABLES_PRIVATE_TABLE,
                       VIR_NFTABLES_INPUT_CHAIN,
-                      "iifname", iface,
+                      "iif", iface,
                       tcp ? "tcp" : "udp",
                       "dport", portstr,
                       "counter", "accept",
@@ -257,7 +257,7 @@ nftablesAddOutput(virFirewall *fw,
     virFirewallAddCmd(fw, layer, "insert", "rule",
                       layerStr, VIR_NFTABLES_PRIVATE_TABLE,
                       VIR_NFTABLES_OUTPUT_CHAIN,
-                      "oifname", iface,
+                      "oif", iface,
                       tcp ? "tcp" : "udp",
                       "dport", portstr,
                       "counter", "accept",
@@ -359,10 +359,10 @@ nftablesAddForwardAllowOut(virFirewall *fw,
                               layerStr, VIR_NFTABLES_PRIVATE_TABLE,
                               VIR_NFTABLES_FWD_OUT_CHAIN,
                               layerStr, "saddr", networkstr,
-                              "iifname", iface, NULL);
+                              "iif", iface, NULL);
 
     if (physdev && physdev[0])
-        virFirewallCmdAddArgList(fw, fwCmd, "oifname", physdev, NULL);
+        virFirewallCmdAddArgList(fw, fwCmd, "oif", physdev, NULL);
 
     virFirewallCmdAddArgList(fw, fwCmd, "counter", "accept", NULL);
 
@@ -398,9 +398,9 @@ nftablesAddForwardAllowRelatedIn(virFirewall *fw,
                               VIR_NFTABLES_FWD_IN_CHAIN, NULL);
 
     if (physdev && physdev[0])
-        virFirewallCmdAddArgList(fw, fwCmd, "iifname", physdev, NULL);
+        virFirewallCmdAddArgList(fw, fwCmd, "iif", physdev, NULL);
 
-    virFirewallCmdAddArgList(fw, fwCmd, "oifname", iface,
+    virFirewallCmdAddArgList(fw, fwCmd, "oif", iface,
                              layerStr, "daddr", networkstr,
                              "ct", "state", "related,established",
                              "counter", "accept", NULL);
@@ -437,9 +437,9 @@ nftablesAddForwardAllowIn(virFirewall *fw,
                              layerStr, "daddr", networkstr, NULL);
 
     if (physdev && physdev[0])
-        virFirewallCmdAddArgList(fw, fwCmd, "iifname", physdev, NULL);
+        virFirewallCmdAddArgList(fw, fwCmd, "iif", physdev, NULL);
 
-    virFirewallCmdAddArgList(fw, fwCmd, "oifname", iface,
+    virFirewallCmdAddArgList(fw, fwCmd, "oif", iface,
                               "counter", "accept", NULL);
     return 0;
 }
@@ -461,8 +461,8 @@ nftablesAddForwardAllowCross(virFirewall *fw,
                       nftablesLayerTypeToString(layer),
                       VIR_NFTABLES_PRIVATE_TABLE,
                       VIR_NFTABLES_FWD_X_CHAIN,
-                      "iifname", iface,
-                      "oifname", iface,
+                      "iif", iface,
+                      "oif", iface,
                       "counter", "accept",
                       NULL);
 }
@@ -485,7 +485,7 @@ nftablesAddForwardRejectOut(virFirewall *fw,
                       nftablesLayerTypeToString(layer),
                       VIR_NFTABLES_PRIVATE_TABLE,
                       VIR_NFTABLES_FWD_OUT_CHAIN,
-                      "iifname", iface,
+                      "iif", iface,
                       "counter", "reject",
                       NULL);
 }
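Review bot: The reject rule at L107 is the backstop that makes the per-network chains fail closed, and with `iif` it now depends on the bridge's ifindex staying stable: if virbr0 is ever deleted and re-created under live rules (an admin `ip link del`, or a future code path), neither this reject nor the corresponding accept rules will match the new interface, and traffic is decided by the chain's base policy, which is not visible in this patch. If that policy is `accept`, the stale-ifindex case fails open rather than closed, so the "never happens" assumption becomes a security invariant rather than a performance detail. I would at least document that here, `/* iif: bound to the bridge ifindex at insert time — the chain policy must fail closed if the bridge is ever re-created under us */`, and confirm the chain policy is `drop` where these chains are created.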
@@ -508,7 +508,7 @@ nftablesAddForwardRejectIn(virFirewall *fw,
                       nftablesLayerTypeToString(layer),
                       VIR_NFTABLES_PRIVATE_TABLE,
                       VIR_NFTABLES_FWD_IN_CHAIN,
-                      "oifname", iface,
+                      "oif", iface,
                       "counter", "reject",
                       NULL);
 }
@@ -566,7 +566,7 @@ nftablesAddForwardMasquerade(virFirewall *fw,
                              layerStr, "daddr", "!=", networkstr, NULL);
 
     if (physdev && physdev[0])
-        virFirewallCmdAddArgList(fw, fwCmd, "oifname", physdev, NULL);
+        virFirewallCmdAddArgList(fw, fwCmd, "oif", physdev, NULL);
 
     if (protocol && protocol[0]) {
         if (port->start == 0 && port->end == 0) {
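Review bot: The `oif physdev` at L125 has a different failure mode from the filter rules above: if the forward device is re-created with a new ifindex, the masquerade rule silently stops matching, and guest traffic is still forwarded (the accept rules in the filter chains are on the bridge, not the physdev) but leaves the host un-NATed with the guests' private source addresses. That is not a filter bypass, but it does leak the internal addressing to the upstream network and will look like a connectivity failure with no rule error to point at. Since physdev is not a libvirt-managed interface, I would keep `virFirewallCmdAddArgList(fw, fwCmd, "oifname", physdev, NULL);` here and in nftablesAddDontMasquerade, so both NAT rules keep following the device by name; the rest of the rule construction is outside this hunk.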
@@ -634,7 +634,7 @@ nftablesAddDontMasquerade(virFirewall *fw,
                               VIR_NFTABLES_NAT_POSTROUTE_CHAIN, NULL);
 
     if (physdev && physdev[0])
-        virFirewallCmdAddArgList(fw, fwCmd, "oifname", physdev, NULL);
+        virFirewallCmdAddArgList(fw, fwCmd, "oif", physdev, NULL);
 
     virFirewallCmdAddArgList(fw, fwCmd,
                              layerStr, "saddr", networkstr,
diff --git a/tests/networkxml2firewalldata/nat-default-linux.nftables b/tests/networkxml2firewalldata/nat-default-linux.nftables
index 298a83d088..28508292f9 100644
--- a/tests/networkxml2firewalldata/nat-default-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-default-linux.nftables
@@ -4,7 +4,7 @@ rule \
 ip \
 libvirt_network \
 guest_output \
-iifname \
+iif \
 virbr0 \
 counter \
 reject
@@ -14,7 +14,7 @@ rule \
 ip \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 counter \
 reject
@@ -24,9 +24,9 @@ rule \
 ip \
 libvirt_network \
 guest_cross \
-iifname \
+iif \
 virbr0 \
-oifname \
+oif \
 virbr0 \
 counter \
 accept
@@ -39,7 +39,7 @@ guest_output \
 ip \
 saddr \
 192.168.122.0/24 \
-iifname \
+iif \
 virbr0 \
 counter \
 accept
@@ -49,7 +49,7 @@ rule \
 ip \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 ip \
 daddr \
diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
index 615bb4e144..d8a9ba706d 100644
--- a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
@@ -4,7 +4,7 @@ rule \
 ip \
 libvirt_network \
 guest_output \
-iifname \
+iif \
 virbr0 \
 counter \
 reject
@@ -14,7 +14,7 @@ rule \
 ip \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 counter \
 reject
@@ -24,9 +24,9 @@ rule \
 ip \
 libvirt_network \
 guest_cross \
-iifname \
+iif \
 virbr0 \
-oifname \
+oif \
 virbr0 \
 counter \
 accept
@@ -36,7 +36,7 @@ rule \
 ip6 \
 libvirt_network \
 guest_output \
-iifname \
+iif \
 virbr0 \
 counter \
 reject
@@ -46,7 +46,7 @@ rule \
 ip6 \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 counter \
 reject
@@ -56,9 +56,9 @@ rule \
 ip6 \
 libvirt_network \
 guest_cross \
-iifname \
+iif \
 virbr0 \
-oifname \
+oif \
 virbr0 \
 counter \
 accept
@@ -71,7 +71,7 @@ guest_output \
 ip \
 saddr \
 192.168.122.0/24 \
-iifname \
+iif \
 virbr0 \
 counter \
 accept
@@ -81,7 +81,7 @@ rule \
 ip \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 ip \
 daddr \
@@ -183,7 +183,7 @@ guest_output \
 ip6 \
 saddr \
 2001:db8:ca2:2::/64 \
-iifname \
+iif \
 virbr0 \
 counter \
 accept
@@ -196,7 +196,7 @@ guest_input \
 ip6 \
 daddr \
 2001:db8:ca2:2::/64 \
-oifname \
+oif \
 virbr0 \
 counter \
 accept
diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
index 27817d8a68..a7f09cda59 100644
--- a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
@@ -4,7 +4,7 @@ rule \
 ip \
 libvirt_network \
 guest_output \
-iifname \
+iif \
 virbr0 \
 counter \
 reject
@@ -14,7 +14,7 @@ rule \
 ip \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 counter \
 reject
@@ -24,9 +24,9 @@ rule \
 ip \
 libvirt_network \
 guest_cross \
-iifname \
+iif \
 virbr0 \
-oifname \
+oif \
 virbr0 \
 counter \
 accept
@@ -36,7 +36,7 @@ rule \
 ip6 \
 libvirt_network \
 guest_output \
-iifname \
+iif \
 virbr0 \
 counter \
 reject
@@ -46,7 +46,7 @@ rule \
 ip6 \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 counter \
 reject
@@ -56,9 +56,9 @@ rule \
 ip6 \
 libvirt_network \
 guest_cross \
-iifname \
+iif \
 virbr0 \
-oifname \
+oif \
 virbr0 \
 counter \
 accept
@@ -71,7 +71,7 @@ guest_output \
 ip \
 saddr \
 192.168.122.0/24 \
-iifname \
+iif \
 virbr0 \
 counter \
 accept
@@ -81,7 +81,7 @@ rule \
 ip \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 ip \
 daddr \
@@ -183,7 +183,7 @@ guest_output \
 ip6 \
 saddr \
 2001:db8:ca2:2::/64 \
-iifname \
+iif \
 virbr0 \
 counter \
 accept
@@ -193,7 +193,7 @@ rule \
 ip6 \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 ip6 \
 daddr \
diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
index 3ab6286d2c..b826fe6134 100644
--- a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
@@ -4,7 +4,7 @@ rule \
 ip \
 libvirt_network \
 guest_output \
-iifname \
+iif \
 virbr0 \
 counter \
 reject
@@ -14,7 +14,7 @@ rule \
 ip \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 counter \
 reject
@@ -24,9 +24,9 @@ rule \
 ip \
 libvirt_network \
 guest_cross \
-iifname \
+iif \
 virbr0 \
-oifname \
+oif \
 virbr0 \
 counter \
 accept
@@ -39,7 +39,7 @@ guest_output \
 ip \
 saddr \
 192.168.122.0/24 \
-iifname \
+iif \
 virbr0 \
 counter \
 accept
@@ -49,7 +49,7 @@ rule \
 ip \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 ip \
 daddr \
@@ -151,7 +151,7 @@ guest_output \
 ip \
 saddr \
 192.168.128.0/24 \
-iifname \
+iif \
 virbr0 \
 counter \
 accept
@@ -161,7 +161,7 @@ rule \
 ip \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 ip \
 daddr \
@@ -263,7 +263,7 @@ guest_output \
 ip \
 saddr \
 192.168.150.0/24 \
-iifname \
+iif \
 virbr0 \
 counter \
 accept
@@ -273,7 +273,7 @@ rule \
 ip \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 ip \
 daddr \
diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
index 615bb4e144..d8a9ba706d 100644
--- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
@@ -4,7 +4,7 @@ rule \
 ip \
 libvirt_network \
 guest_output \
-iifname \
+iif \
 virbr0 \
 counter \
 reject
@@ -14,7 +14,7 @@ rule \
 ip \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 counter \
 reject
@@ -24,9 +24,9 @@ rule \
 ip \
 libvirt_network \
 guest_cross \
-iifname \
+iif \
 virbr0 \
-oifname \
+oif \
 virbr0 \
 counter \
 accept
@@ -36,7 +36,7 @@ rule \
 ip6 \
 libvirt_network \
 guest_output \
-iifname \
+iif \
 virbr0 \
 counter \
 reject
@@ -46,7 +46,7 @@ rule \
 ip6 \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 counter \
 reject
@@ -56,9 +56,9 @@ rule \
 ip6 \
 libvirt_network \
 guest_cross \
-iifname \
+iif \
 virbr0 \
-oifname \
+oif \
 virbr0 \
 counter \
 accept
@@ -71,7 +71,7 @@ guest_output \
 ip \
 saddr \
 192.168.122.0/24 \
-iifname \
+iif \
 virbr0 \
 counter \
 accept
@@ -81,7 +81,7 @@ rule \
 ip \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 ip \
 daddr \
@@ -183,7 +183,7 @@ guest_output \
 ip6 \
 saddr \
 2001:db8:ca2:2::/64 \
-iifname \
+iif \
 virbr0 \
 counter \
 accept
@@ -196,7 +196,7 @@ guest_input \
 ip6 \
 daddr \
 2001:db8:ca2:2::/64 \
-oifname \
+oif \
 virbr0 \
 counter \
 accept
diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.nftables b/tests/networkxml2firewalldata/nat-tftp-linux.nftables
index 298a83d088..28508292f9 100644
--- a/tests/networkxml2firewalldata/nat-tftp-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-tftp-linux.nftables
@@ -4,7 +4,7 @@ rule \
 ip \
 libvirt_network \
 guest_output \
-iifname \
+iif \
 virbr0 \
 counter \
 reject
@@ -14,7 +14,7 @@ rule \
 ip \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 counter \
 reject
@@ -24,9 +24,9 @@ rule \
 ip \
 libvirt_network \
 guest_cross \
-iifname \
+iif \
 virbr0 \
-oifname \
+oif \
 virbr0 \
 counter \
 accept
@@ -39,7 +39,7 @@ guest_output \
 ip \
 saddr \
 192.168.122.0/24 \
-iifname \
+iif \
 virbr0 \
 counter \
 accept
@@ -49,7 +49,7 @@ rule \
 ip \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 ip \
 daddr \
diff --git a/tests/networkxml2firewalldata/route-default-linux.nftables b/tests/networkxml2firewalldata/route-default-linux.nftables
index 09a32f0949..282c9542a5 100644
--- a/tests/networkxml2firewalldata/route-default-linux.nftables
+++ b/tests/networkxml2firewalldata/route-default-linux.nftables
@@ -4,7 +4,7 @@ rule \
 ip \
 libvirt_network \
 guest_output \
-iifname \
+iif \
 virbr0 \
 counter \
 reject
@@ -14,7 +14,7 @@ rule \
 ip \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 counter \
 reject
@@ -24,9 +24,9 @@ rule \
 ip \
 libvirt_network \
 guest_cross \
-iifname \
+iif \
 virbr0 \
-oifname \
+oif \
 virbr0 \
 counter \
 accept
@@ -39,7 +39,7 @@ guest_output \
 ip \
 saddr \
 192.168.122.0/24 \
-iifname \
+iif \
 virbr0 \
 counter \
 accept
@@ -52,7 +52,7 @@ guest_input \
 ip \
 daddr \
 192.168.122.0/24 \
-oifname \
+oif \
 virbr0 \
 counter \
 accept
-- 
2.45.0
Re: [PATCH v5 31/30] network: use iif/oif instead of iifname/oifname in nftables rules
Posted by Jiri Denemark 3 months, 3 weeks ago
On Wed, May 22, 2024 at 23:13:33 -0400, Laine Stump wrote:
> 
> iifname/oifname need to lookup the string that contains the name of
> the interface each time a packet is checked, while iif/oif compare the
> ifindex of the interface, which is included directly in the
> packet. Conveniently, the rule is created using the *name* of the
> interface (which gets converted to ifindex as the rule is added), so
> no extra work is required other than changing the commandline option.
> 
> If it was the case that the interface could be deleted and re-added
> during the life of the rule, we would have to use Xifname (since
> deleting and re-adding the interface would result in ifindex
> changing), but for our uses this never happens, so Xif works for us,
> and undoubtedly improves performance by at least 0.0000001%.
> 
> Signed-off-by: Laine Stump <laine@redhat.com>
> ---
>  src/network/network_nftables.c                | 28 +++++++++----------
>  .../nat-default-linux.nftables                | 12 ++++----
>  .../nat-ipv6-linux.nftables                   | 24 ++++++++--------
>  .../nat-ipv6-masquerade-linux.nftables        | 24 ++++++++--------
>  .../nat-many-ips-linux.nftables               | 20 ++++++-------
>  .../nat-no-dhcp-linux.nftables                | 24 ++++++++--------
>  .../nat-tftp-linux.nftables                   | 12 ++++----
>  .../route-default-linux.nftables              | 12 ++++----
>  8 files changed, 78 insertions(+), 78 deletions(-)

Reviewed-by: Jiri Denemark <jdenemar@redhat.com>