From: Laine Stump
To: devel@lists.libvirt.org
Subject: [PATCH v5 31/30] network: use iif/oif instead of iifname/oifname in nftables rules
Date: Wed, 22 May 2024 23:13:33 -0400
Message-ID: <20240523031635.121470-1-laine@redhat.com>
In-Reply-To: <20240517173007.8125-1-laine@redhat.com>
References: <20240517173007.8125-1-laine@redhat.com>

iifname/oifname need to look up the string that contains the name of the interface each time a packet is checked, while iif/oif compare the ifindex of the interface, which is included directly in the packet. Conveniently, the rule is created using the *name* of the interface (which gets converted to ifindex as the rule is added), so no extra work is required other than changing the command-line option.
If it were the case that the interface could be deleted and re-added during the life of the rule, we would have to use Xifname (since deleting and re-adding the interface would result in ifindex changing), but for our uses this never happens, so Xif works for us, and undoubtedly improves performance by at least 0.0000001%.

Signed-off-by: Laine Stump
Reviewed-by: Jiri Denemark
---
 src/network/network_nftables.c | 28 +++++++++----------
 .../nat-default-linux.nftables | 12 ++++----
 .../nat-ipv6-linux.nftables | 24 ++++++++--------
 .../nat-ipv6-masquerade-linux.nftables | 24 ++++++++--------
 .../nat-many-ips-linux.nftables | 20 ++++++-------
 .../nat-no-dhcp-linux.nftables | 24 ++++++++--------
 .../nat-tftp-linux.nftables | 12 ++++----
 .../route-default-linux.nftables | 12 ++++----
 8 files changed, 78 insertions(+), 78 deletions(-)

diff --git a/src/network/network_nftables.c b/src/network/network_nftables.c index f3824ece99..59ab231a06 100644 --- a/src/network/network_nftables.c +++ b/src/network/network_nftables.c @@ -236,7 +236,7 @@ nftablesAddInput(virFirewall *fw, virFirewallAddCmd(fw, layer, "insert", "rule", layerStr, VIR_NFTABLES_PRIVATE_TABLE, VIR_NFTABLES_INPUT_CHAIN, - "iifname", iface, + "iif", iface, tcp ? "tcp" : "udp", "dport", portstr, "counter", "accept", @@ -257,7 +257,7 @@ nftablesAddOutput(virFirewall *fw, virFirewallAddCmd(fw, layer, "insert", "rule", layerStr, VIR_NFTABLES_PRIVATE_TABLE, VIR_NFTABLES_OUTPUT_CHAIN, - "oifname", iface, + "oif", iface, tcp ? "tcp" : "udp", "dport", portstr, "counter", "accept", @@ -359,10 +359,10 @@ nftablesAddForwardAllowOut(virFirewall *fw, layerStr, VIR_NFTABLES_PRIVATE_TABLE, VIR_NFTABLES_FWD_OUT_CHAIN, layerStr, "saddr", networkstr, - "iifname", iface, NULL); + "iif", iface, NULL); =20 if (physdev && physdev[0]) - virFirewallCmdAddArgList(fw, fwCmd, "oifname", physdev, NULL); + virFirewallCmdAddArgList(fw, fwCmd, "oif", physdev, NULL); =20 virFirewallCmdAddArgList(fw, fwCmd, "counter", "accept", NULL); =20 
@@ -398,9 +398,9 @@ nftablesAddForwardAllowRelatedIn(virFirewall *fw, VIR_NFTABLES_FWD_IN_CHAIN, NULL); =20 if (physdev && physdev[0]) - virFirewallCmdAddArgList(fw, fwCmd, "iifname", physdev, NULL); + virFirewallCmdAddArgList(fw, fwCmd, "iif", physdev, NULL); =20 - virFirewallCmdAddArgList(fw, fwCmd, "oifname", iface, + virFirewallCmdAddArgList(fw, fwCmd, "oif", iface, layerStr, "daddr", networkstr, "ct", "state", "related,established", "counter", "accept", NULL); @@ -437,9 +437,9 @@ nftablesAddForwardAllowIn(virFirewall *fw, layerStr, "daddr", networkstr, NULL); =20 if (physdev && physdev[0]) - virFirewallCmdAddArgList(fw, fwCmd, "iifname", physdev, NULL); + virFirewallCmdAddArgList(fw, fwCmd, "iif", physdev, NULL); =20 - virFirewallCmdAddArgList(fw, fwCmd, "oifname", iface, + virFirewallCmdAddArgList(fw, fwCmd, "oif", iface, "counter", "accept", NULL); return 0; } @@ -461,8 +461,8 @@ nftablesAddForwardAllowCross(virFirewall *fw, nftablesLayerTypeToString(layer), VIR_NFTABLES_PRIVATE_TABLE, VIR_NFTABLES_FWD_X_CHAIN, - "iifname", iface, - "oifname", iface, + "iif", iface, + "oif", iface, "counter", "accept", NULL); } @@ -485,7 +485,7 @@ nftablesAddForwardRejectOut(virFirewall *fw, nftablesLayerTypeToString(layer), VIR_NFTABLES_PRIVATE_TABLE, VIR_NFTABLES_FWD_OUT_CHAIN, - "iifname", iface, + "iif", iface, "counter", "reject", NULL); } @@ -508,7 +508,7 @@ nftablesAddForwardRejectIn(virFirewall *fw, nftablesLayerTypeToString(layer), VIR_NFTABLES_PRIVATE_TABLE, VIR_NFTABLES_FWD_IN_CHAIN, - "oifname", iface, + "oif", iface, "counter", "reject", NULL); } @@ -566,7 +566,7 @@ nftablesAddForwardMasquerade(virFirewall *fw, layerStr, "daddr", "!=3D", networkstr, NULL); =20 if (physdev && physdev[0]) - virFirewallCmdAddArgList(fw, fwCmd, "oifname", physdev, NULL); + virFirewallCmdAddArgList(fw, fwCmd, "oif", physdev, NULL); =20 if (protocol && protocol[0]) { if (port->start =3D=3D 0 && port->end =3D=3D 0) { 
@@ -634,7 +634,7 @@ nftablesAddDontMasquerade(virFirewall *fw, VIR_NFTABLES_NAT_POSTROUTE_CHAIN, NULL); =20 if (physdev && physdev[0]) - virFirewallCmdAddArgList(fw, fwCmd, "oifname", physdev, NULL); + virFirewallCmdAddArgList(fw, fwCmd, "oif", physdev, NULL); =20 virFirewallCmdAddArgList(fw, fwCmd, layerStr, "saddr", networkstr, diff --git a/tests/networkxml2firewalldata/nat-default-linux.nftables b/tes= ts/networkxml2firewalldata/nat-default-linux.nftables index 298a83d088..28508292f9 100644 --- a/tests/networkxml2firewalldata/nat-default-linux.nftables +++ b/tests/networkxml2firewalldata/nat-default-linux.nftables @@ -4,7 +4,7 @@ rule \ ip \ libvirt_network \ guest_output \ -iifname \ +iif \ virbr0 \ counter \ reject @@ -14,7 +14,7 @@ rule \ ip \ libvirt_network \ guest_input \ -oifname \ +oif \ virbr0 \ counter \ reject @@ -24,9 +24,9 @@ rule \ ip \ libvirt_network \ guest_cross \ -iifname \ +iif \ virbr0 \ -oifname \ +oif \ virbr0 \ counter \ accept @@ -39,7 +39,7 @@ guest_output \ ip \ saddr \ 192.168.122.0/24 \ -iifname \ +iif \ virbr0 \ counter \ accept @@ -49,7 +49,7 @@ rule \ ip \ libvirt_network \ guest_input \ -oifname \ +oif \ virbr0 \ ip \ daddr \ diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables b/tests/= networkxml2firewalldata/nat-ipv6-linux.nftables index 615bb4e144..d8a9ba706d 100644 --- a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables +++ b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables @@ -4,7 +4,7 @@ rule \ ip \ libvirt_network \ guest_output \ -iifname \ +iif \ virbr0 \ counter \ reject @@ -14,7 +14,7 @@ rule \ ip \ libvirt_network \ guest_input \ -oifname \ +oif \ virbr0 \ counter \ reject @@ -24,9 +24,9 @@ rule \ ip \ libvirt_network \ guest_cross \ -iifname \ +iif \ virbr0 \ -oifname \ +oif \ virbr0 \ counter \ accept @@ -36,7 +36,7 @@ rule \ ip6 \ libvirt_network \ guest_output \ -iifname \ +iif \ virbr0 \ counter \ reject 
@@ -46,7 +46,7 @@ rule \ ip6 \ libvirt_network \ guest_input \ -oifname \ +oif \ virbr0 \ counter \ reject @@ -56,9 +56,9 @@ rule \ ip6 \ libvirt_network \ guest_cross \ -iifname \ +iif \ virbr0 \ -oifname \ +oif \ virbr0 \ counter \ accept @@ -71,7 +71,7 @@ guest_output \ ip \ saddr \ 192.168.122.0/24 \ -iifname \ +iif \ virbr0 \ counter \ accept @@ -81,7 +81,7 @@ rule \ ip \ libvirt_network \ guest_input \ -oifname \ +oif \ virbr0 \ ip \ daddr \ @@ -183,7 +183,7 @@ guest_output \ ip6 \ saddr \ 2001:db8:ca2:2::/64 \ -iifname \ +iif \ virbr0 \ counter \ accept @@ -196,7 +196,7 @@ guest_input \ ip6 \ daddr \ 2001:db8:ca2:2::/64 \ -oifname \ +oif \ virbr0 \ counter \ accept diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftabl= es b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables index 27817d8a68..a7f09cda59 100644 --- a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables +++ b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables @@ -4,7 +4,7 @@ rule \ ip \ libvirt_network \ guest_output \ -iifname \ +iif \ virbr0 \ counter \ reject @@ -14,7 +14,7 @@ rule \ ip \ libvirt_network \ guest_input \ -oifname \ +oif \ virbr0 \ counter \ reject @@ -24,9 +24,9 @@ rule \ ip \ libvirt_network \ guest_cross \ -iifname \ +iif \ virbr0 \ -oifname \ +oif \ virbr0 \ counter \ accept @@ -36,7 +36,7 @@ rule \ ip6 \ libvirt_network \ guest_output \ -iifname \ +iif \ virbr0 \ counter \ reject @@ -46,7 +46,7 @@ rule \ ip6 \ libvirt_network \ guest_input \ -oifname \ +oif \ virbr0 \ counter \ reject @@ -56,9 +56,9 @@ rule \ ip6 \ libvirt_network \ guest_cross \ -iifname \ +iif \ virbr0 \ -oifname \ +oif \ virbr0 \ counter \ accept @@ -71,7 +71,7 @@ guest_output \ ip \ saddr \ 192.168.122.0/24 \ -iifname \ +iif \ virbr0 \ counter \ accept @@ -81,7 +81,7 @@ rule \ ip \ libvirt_network \ guest_input \ -oifname \ +oif \ virbr0 \ ip \ daddr \ 
@@ -183,7 +183,7 @@ guest_output \ ip6 \ saddr \ 2001:db8:ca2:2::/64 \ -iifname \ +iif \ virbr0 \ counter \ accept @@ -193,7 +193,7 @@ rule \ ip6 \ libvirt_network \ guest_input \ -oifname \ +oif \ virbr0 \ ip6 \ daddr \ diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables b/te= sts/networkxml2firewalldata/nat-many-ips-linux.nftables index 3ab6286d2c..b826fe6134 100644 --- a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables +++ b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables @@ -4,7 +4,7 @@ rule \ ip \ libvirt_network \ guest_output \ -iifname \ +iif \ virbr0 \ counter \ reject @@ -14,7 +14,7 @@ rule \ ip \ libvirt_network \ guest_input \ -oifname \ +oif \ virbr0 \ counter \ reject @@ -24,9 +24,9 @@ rule \ ip \ libvirt_network \ guest_cross \ -iifname \ +iif \ virbr0 \ -oifname \ +oif \ virbr0 \ counter \ accept @@ -39,7 +39,7 @@ guest_output \ ip \ saddr \ 192.168.122.0/24 \ -iifname \ +iif \ virbr0 \ counter \ accept @@ -49,7 +49,7 @@ rule \ ip \ libvirt_network \ guest_input \ -oifname \ +oif \ virbr0 \ ip \ daddr \ @@ -151,7 +151,7 @@ guest_output \ ip \ saddr \ 192.168.128.0/24 \ -iifname \ +iif \ virbr0 \ counter \ accept @@ -161,7 +161,7 @@ rule \ ip \ libvirt_network \ guest_input \ -oifname \ +oif \ virbr0 \ ip \ daddr \ @@ -263,7 +263,7 @@ guest_output \ ip \ saddr \ 192.168.150.0/24 \ -iifname \ +iif \ virbr0 \ counter \ accept @@ -273,7 +273,7 @@ rule \ ip \ libvirt_network \ guest_input \ -oifname \ +oif \ virbr0 \ ip \ daddr \ diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables b/tes= ts/networkxml2firewalldata/nat-no-dhcp-linux.nftables index 615bb4e144..d8a9ba706d 100644 --- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables +++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables @@ -4,7 +4,7 @@ rule \ ip \ libvirt_network \ guest_output \ -iifname \ +iif \ virbr0 \ counter \ reject 
@@ -14,7 +14,7 @@ rule \ ip \ libvirt_network \ guest_input \ -oifname \ +oif \ virbr0 \ counter \ reject @@ -24,9 +24,9 @@ rule \ ip \ libvirt_network \ guest_cross \ -iifname \ +iif \ virbr0 \ -oifname \ +oif \ virbr0 \ counter \ accept @@ -36,7 +36,7 @@ rule \ ip6 \ libvirt_network \ guest_output \ -iifname \ +iif \ virbr0 \ counter \ reject @@ -46,7 +46,7 @@ rule \ ip6 \ libvirt_network \ guest_input \ -oifname \ +oif \ virbr0 \ counter \ reject @@ -56,9 +56,9 @@ rule \ ip6 \ libvirt_network \ guest_cross \ -iifname \ +iif \ virbr0 \ -oifname \ +oif \ virbr0 \ counter \ accept @@ -71,7 +71,7 @@ guest_output \ ip \ saddr \ 192.168.122.0/24 \ -iifname \ +iif \ virbr0 \ counter \ accept @@ -81,7 +81,7 @@ rule \ ip \ libvirt_network \ guest_input \ -oifname \ +oif \ virbr0 \ ip \ daddr \ @@ -183,7 +183,7 @@ guest_output \ ip6 \ saddr \ 2001:db8:ca2:2::/64 \ -iifname \ +iif \ virbr0 \ counter \ accept @@ -196,7 +196,7 @@ guest_input \ ip6 \ daddr \ 2001:db8:ca2:2::/64 \ -oifname \ +oif \ virbr0 \ counter \ accept diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.nftables b/tests/= networkxml2firewalldata/nat-tftp-linux.nftables index 298a83d088..28508292f9 100644 --- a/tests/networkxml2firewalldata/nat-tftp-linux.nftables +++ b/tests/networkxml2firewalldata/nat-tftp-linux.nftables @@ -4,7 +4,7 @@ rule \ ip \ libvirt_network \ guest_output \ -iifname \ +iif \ virbr0 \ counter \ reject @@ -14,7 +14,7 @@ rule \ ip \ libvirt_network \ guest_input \ -oifname \ +oif \ virbr0 \ counter \ reject @@ -24,9 +24,9 @@ rule \ ip \ libvirt_network \ guest_cross \ -iifname \ +iif \ virbr0 \ -oifname \ +oif \ virbr0 \ counter \ accept @@ -39,7 +39,7 @@ guest_output \ ip \ saddr \ 192.168.122.0/24 \ -iifname \ +iif \ virbr0 \ counter \ accept @@ -49,7 +49,7 @@ rule \ ip \ libvirt_network \ guest_input \ -oifname \ +oif \ virbr0 \ ip \ daddr \ 
diff --git a/tests/networkxml2firewalldata/route-default-linux.nftables b/t= ests/networkxml2firewalldata/route-default-linux.nftables index 09a32f0949..282c9542a5 100644 --- a/tests/networkxml2firewalldata/route-default-linux.nftables +++ b/tests/networkxml2firewalldata/route-default-linux.nftables @@ -4,7 +4,7 @@ rule \ ip \ libvirt_network \ guest_output \ -iifname \ +iif \ virbr0 \ counter \ reject @@ -14,7 +14,7 @@ rule \ ip \ libvirt_network \ guest_input \ -oifname \ +oif \ virbr0 \ counter \ reject @@ -24,9 +24,9 @@ rule \ ip \ libvirt_network \ guest_cross \ -iifname \ +iif \ virbr0 \ -oifname \ +oif \ virbr0 \ counter \ accept @@ -39,7 +39,7 @@ guest_output \ ip \ saddr \ 192.168.122.0/24 \ -iifname \ +iif \ virbr0 \ counter \ accept @@ -52,7 +52,7 @@ guest_input \ ip \ daddr \ 192.168.122.0/24 \ -oifname \ +oif \ virbr0 \ counter \ accept --=20 2.45.0
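Review bot: the "interface is never deleted and re-added" assumption in the commit message holds for `iface` (the bridge the driver creates itself), but not obviously for the `physdev` arguments in nftablesAddForwardAllowOut, nftablesAddForwardAllowRelatedIn, nftablesAddForwardAllowIn, nftablesAddForwardMasquerade and nftablesAddDontMasquerade, which name a host interface the driver does not own. With `iif`/`oif` nft has to resolve that name to an ifindex at insert time, so a physdev that does not exist yet makes the insert fail where `iifname`/`oifname` accepted any string, and a physdev that is later removed and re-created (a tunnel device, for example) leaves the rule holding the old ifindex, so the accept and masquerade rules silently stop matching. Suggest either keeping `iifname`/`oifname` for the physdev arguments only, or adding a comment at the `if (physdev && physdev[0])` sites stating the precondition and making sure the nft error is surfaced clearly when the physdev is absent.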
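The iif/oif form binds a rule to an ifindex that nft resolves from the interface name when the rule is added, so the name has to resolve at that moment. The following added check (example code, not libvirt's own) parses the one-argument-per-line fixture layout used by the test data in this patch and reports which iif/oif interface names would not resolve right now; the fixture text and the hypothetical physdev "eth0" are constructed for the example, and the resolver is injectable so the check can run without real interfaces.

```python
import socket

# Constructed sample in the layout of libvirt's networkxml2firewalldata
# fixtures: one nft argument per line, continued with a trailing backslash,
# commands separated by a blank line. "eth0" is a hypothetical physdev;
# virbr0 is the bridge the network driver creates itself.
def _cmd(*argv):
    return " \\\n".join(argv)

FIXTURE = "\n\n".join([
    _cmd("nft", "insert", "rule", "ip", "libvirt_network", "guest_output",
         "iif", "virbr0", "counter", "reject"),
    _cmd("nft", "insert", "rule", "ip", "libvirt_network", "guest_input",
         "ip", "daddr", "192.168.122.0/24", "iif", "eth0",
         "oif", "virbr0", "counter", "accept"),
])

def parse_fixture(text):
    """Split fixture text into commands, each an argv list with the
    line-continuation backslashes removed."""
    cmds, argv = [], []
    for line in text.splitlines():
        tok = line.strip().rstrip("\\").strip()
        if tok:
            argv.append(tok)
        elif argv:
            cmds.append(argv)
            argv = []
    if argv:
        cmds.append(argv)
    return cmds

def interface_bindings(cmds):
    """(selector, ifname) for every iif/oif argument. nft turns ifname into
    an ifindex when such a rule is added, so the rule then matches that
    index, not the string as iifname/oifname would."""
    return [(tok, argv[i + 1]) for argv in cmds
            for i, tok in enumerate(argv[:-1]) if tok in ("iif", "oif")]

def _live_ifindex(name):
    try:
        return socket.if_nametoindex(name)
    except OSError:
        return None

def unresolvable(cmds, resolve=_live_ifindex):
    """Interface names the iif/oif rules could not bind right now, meaning
    nft would reject the command; returned in first-seen order."""
    missing = []
    for _sel, name in interface_bindings(cmds):
        if resolve(name) is None and name not in missing:
            missing.append(name)
    return missing
```

Running `unresolvable(parse_fixture(open(path).read()))` over a real fixture file on the host lists the names that would make the equivalent nft insert fail, which is the same precondition the driver relies on when it switches from iifname/oifname to iif/oif.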