[PATCH v5 31/30] network: use iif/oif instead of iifname/oifname in nftables rules


 



iifname/oifname need to look up the string that contains the name of
the interface each time a packet is checked, while iif/oif compare the
ifindex of the interface, which the kernel already carries in each
packet's metadata. Conveniently, the rule is created using the *name* of the
interface (which gets converted to ifindex as the rule is added), so
no extra work is required other than changing the commandline option.

If it was the case that the interface could be deleted and re-added
during the life of the rule, we would have to use Xifname (since
deleting and re-adding the interface would result in ifindex
changing), but for our uses this never happens, so Xif works for us,
and undoubtedly improves performance by at least 0.0000001%.

Signed-off-by: Laine Stump <laine@xxxxxxxxxx>
---
 src/network/network_nftables.c                | 28 +++++++++----------
 .../nat-default-linux.nftables                | 12 ++++----
 .../nat-ipv6-linux.nftables                   | 24 ++++++++--------
 .../nat-ipv6-masquerade-linux.nftables        | 24 ++++++++--------
 .../nat-many-ips-linux.nftables               | 20 ++++++-------
 .../nat-no-dhcp-linux.nftables                | 24 ++++++++--------
 .../nat-tftp-linux.nftables                   | 12 ++++----
 .../route-default-linux.nftables              | 12 ++++----
 8 files changed, 78 insertions(+), 78 deletions(-)

diff --git a/src/network/network_nftables.c b/src/network/network_nftables.c
index f3824ece99..59ab231a06 100644
--- a/src/network/network_nftables.c
+++ b/src/network/network_nftables.c
@@ -236,7 +236,7 @@ nftablesAddInput(virFirewall *fw,
     virFirewallAddCmd(fw, layer, "insert", "rule",
                       layerStr, VIR_NFTABLES_PRIVATE_TABLE,
                       VIR_NFTABLES_INPUT_CHAIN,
-                      "iifname", iface,
+                      "iif", iface,
                       tcp ? "tcp" : "udp",
                       "dport", portstr,
                       "counter", "accept",
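Review bot: The switch to `iif` adds a precondition this hunk does not state: nft resolves the name to an ifindex when the rule is added, so the interface named by `iface` must already exist at that moment, and the rule stays bound to that ifindex afterwards, neither of which `iifname` required. The commit message argues the bridge is never deleted and re-created while the rule is installed, which presumably holds only because the caller creates the bridge before this runs and removes the rules when it tears the bridge down; that ordering lives outside this function. A one-line comment above the `virFirewallAddCmd` call would make the contract visible to the next maintainer: `/* iif pins the rule to iface's current ifindex: iface must exist now and must not be re-created while the rule is installed */`. The rest of nftablesAddInput is outside the hunk.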
@@ -257,7 +257,7 @@ nftablesAddOutput(virFirewall *fw,
     virFirewallAddCmd(fw, layer, "insert", "rule",
                       layerStr, VIR_NFTABLES_PRIVATE_TABLE,
                       VIR_NFTABLES_OUTPUT_CHAIN,
-                      "oifname", iface,
+                      "oif", iface,
                       tcp ? "tcp" : "udp",
                       "dport", portstr,
                       "counter", "accept",
@@ -359,10 +359,10 @@ nftablesAddForwardAllowOut(virFirewall *fw,
                               layerStr, VIR_NFTABLES_PRIVATE_TABLE,
                               VIR_NFTABLES_FWD_OUT_CHAIN,
                               layerStr, "saddr", networkstr,
-                              "iifname", iface, NULL);
+                              "iif", iface, NULL);
 
     if (physdev && physdev[0])
-        virFirewallCmdAddArgList(fw, fwCmd, "oifname", physdev, NULL);
+        virFirewallCmdAddArgList(fw, fwCmd, "oif", physdev, NULL);
 
     virFirewallCmdAddArgList(fw, fwCmd, "counter", "accept", NULL);
 
@@ -398,9 +398,9 @@ nftablesAddForwardAllowRelatedIn(virFirewall *fw,
                               VIR_NFTABLES_FWD_IN_CHAIN, NULL);
 
     if (physdev && physdev[0])
-        virFirewallCmdAddArgList(fw, fwCmd, "iifname", physdev, NULL);
+        virFirewallCmdAddArgList(fw, fwCmd, "iif", physdev, NULL);
 
-    virFirewallCmdAddArgList(fw, fwCmd, "oifname", iface,
+    virFirewallCmdAddArgList(fw, fwCmd, "oif", iface,
                              layerStr, "daddr", networkstr,
                              "ct", "state", "related,established",
                              "counter", "accept", NULL);
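Review bot: The "never deleted and re-added" argument in the commit message is plausible for the libvirt-managed bridge, but `physdev` is the host's upstream forward device, whose lifetime libvirt does not control; a hot-plugged NIC or a PPP/VPN link that goes down and comes back gets a new ifindex, and from then on the `iif physdev` match in this hunk silently never matches again. With `iifname` the rule kept working across such a re-creation, and it could also be installed while the device was temporarily absent, whereas `iif` on a missing device makes the rule add fail outright, which presumably fails the network start. For the accept rules the failure mode is at least fail-closed, since the bridge-scoped reject rules are still in place, but it is invisible: no error, no log, just dropped forwarding. I would keep the name match for the host device only, `virFirewallCmdAddArgList(fw, fwCmd, "iifname", physdev, NULL);`, and use `iif`/`oif` solely for `iface`; the same applies to every other `physdev` match in this patch. The start of nftablesAddForwardAllowRelatedIn is outside the hunk.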
@@ -437,9 +437,9 @@ nftablesAddForwardAllowIn(virFirewall *fw,
                              layerStr, "daddr", networkstr, NULL);
 
     if (physdev && physdev[0])
-        virFirewallCmdAddArgList(fw, fwCmd, "iifname", physdev, NULL);
+        virFirewallCmdAddArgList(fw, fwCmd, "iif", physdev, NULL);
 
-    virFirewallCmdAddArgList(fw, fwCmd, "oifname", iface,
+    virFirewallCmdAddArgList(fw, fwCmd, "oif", iface,
                               "counter", "accept", NULL);
     return 0;
 }
@@ -461,8 +461,8 @@ nftablesAddForwardAllowCross(virFirewall *fw,
                       nftablesLayerTypeToString(layer),
                       VIR_NFTABLES_PRIVATE_TABLE,
                       VIR_NFTABLES_FWD_X_CHAIN,
-                      "iifname", iface,
-                      "oifname", iface,
+                      "iif", iface,
+                      "oif", iface,
                       "counter", "accept",
                       NULL);
 }
@@ -485,7 +485,7 @@ nftablesAddForwardRejectOut(virFirewall *fw,
                       nftablesLayerTypeToString(layer),
                       VIR_NFTABLES_PRIVATE_TABLE,
                       VIR_NFTABLES_FWD_OUT_CHAIN,
-                      "iifname", iface,
+                      "iif", iface,
                       "counter", "reject",
                       NULL);
 }
@@ -508,7 +508,7 @@ nftablesAddForwardRejectIn(virFirewall *fw,
                       nftablesLayerTypeToString(layer),
                       VIR_NFTABLES_PRIVATE_TABLE,
                       VIR_NFTABLES_FWD_IN_CHAIN,
-                      "oifname", iface,
+                      "oif", iface,
                       "counter", "reject",
                       NULL);
 }
@@ -566,7 +566,7 @@ nftablesAddForwardMasquerade(virFirewall *fw,
                              layerStr, "daddr", "!=", networkstr, NULL);
 
     if (physdev && physdev[0])
-        virFirewallCmdAddArgList(fw, fwCmd, "oifname", physdev, NULL);
+        virFirewallCmdAddArgList(fw, fwCmd, "oif", physdev, NULL);
 
     if (protocol && protocol[0]) {
         if (port->start == 0 && port->end == 0) {
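Review bot: Here the consequence of an ifindex-pinned `physdev` match is worse than in the forward chains: if the host device is re-created with a new ifindex, or is absent when the rule is added, the `oif physdev` match stops applying and guest traffic leaves the host un-NATed, carrying its private source address, with no error raised anywhere. The companion exclusion added by nftablesAddDontMasquerade keys on the same `oif physdev` and would go stale in lockstep, so nothing compensates. Since libvirt does not own `physdev`, the name-based match is the safer choice for this one operand, `virFirewallCmdAddArgList(fw, fwCmd, "oifname", physdev, NULL);`, and the performance argument in the commit message does not apply to a single postrouting rule. The body of nftablesAddForwardMasquerade continues outside the hunk.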
@@ -634,7 +634,7 @@ nftablesAddDontMasquerade(virFirewall *fw,
                               VIR_NFTABLES_NAT_POSTROUTE_CHAIN, NULL);
 
     if (physdev && physdev[0])
-        virFirewallCmdAddArgList(fw, fwCmd, "oifname", physdev, NULL);
+        virFirewallCmdAddArgList(fw, fwCmd, "oif", physdev, NULL);
 
     virFirewallCmdAddArgList(fw, fwCmd,
                              layerStr, "saddr", networkstr,
diff --git a/tests/networkxml2firewalldata/nat-default-linux.nftables b/tests/networkxml2firewalldata/nat-default-linux.nftables
index 298a83d088..28508292f9 100644
--- a/tests/networkxml2firewalldata/nat-default-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-default-linux.nftables
@@ -4,7 +4,7 @@ rule \
 ip \
 libvirt_network \
 guest_output \
-iifname \
+iif \
 virbr0 \
 counter \
 reject
@@ -14,7 +14,7 @@ rule \
 ip \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 counter \
 reject
@@ -24,9 +24,9 @@ rule \
 ip \
 libvirt_network \
 guest_cross \
-iifname \
+iif \
 virbr0 \
-oifname \
+oif \
 virbr0 \
 counter \
 accept
@@ -39,7 +39,7 @@ guest_output \
 ip \
 saddr \
 192.168.122.0/24 \
-iifname \
+iif \
 virbr0 \
 counter \
 accept
@@ -49,7 +49,7 @@ rule \
 ip \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 ip \
 daddr \
diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
index 615bb4e144..d8a9ba706d 100644
--- a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
@@ -4,7 +4,7 @@ rule \
 ip \
 libvirt_network \
 guest_output \
-iifname \
+iif \
 virbr0 \
 counter \
 reject
@@ -14,7 +14,7 @@ rule \
 ip \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 counter \
 reject
@@ -24,9 +24,9 @@ rule \
 ip \
 libvirt_network \
 guest_cross \
-iifname \
+iif \
 virbr0 \
-oifname \
+oif \
 virbr0 \
 counter \
 accept
@@ -36,7 +36,7 @@ rule \
 ip6 \
 libvirt_network \
 guest_output \
-iifname \
+iif \
 virbr0 \
 counter \
 reject
@@ -46,7 +46,7 @@ rule \
 ip6 \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 counter \
 reject
@@ -56,9 +56,9 @@ rule \
 ip6 \
 libvirt_network \
 guest_cross \
-iifname \
+iif \
 virbr0 \
-oifname \
+oif \
 virbr0 \
 counter \
 accept
@@ -71,7 +71,7 @@ guest_output \
 ip \
 saddr \
 192.168.122.0/24 \
-iifname \
+iif \
 virbr0 \
 counter \
 accept
@@ -81,7 +81,7 @@ rule \
 ip \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 ip \
 daddr \
@@ -183,7 +183,7 @@ guest_output \
 ip6 \
 saddr \
 2001:db8:ca2:2::/64 \
-iifname \
+iif \
 virbr0 \
 counter \
 accept
@@ -196,7 +196,7 @@ guest_input \
 ip6 \
 daddr \
 2001:db8:ca2:2::/64 \
-oifname \
+oif \
 virbr0 \
 counter \
 accept
diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
index 27817d8a68..a7f09cda59 100644
--- a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
@@ -4,7 +4,7 @@ rule \
 ip \
 libvirt_network \
 guest_output \
-iifname \
+iif \
 virbr0 \
 counter \
 reject
@@ -14,7 +14,7 @@ rule \
 ip \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 counter \
 reject
@@ -24,9 +24,9 @@ rule \
 ip \
 libvirt_network \
 guest_cross \
-iifname \
+iif \
 virbr0 \
-oifname \
+oif \
 virbr0 \
 counter \
 accept
@@ -36,7 +36,7 @@ rule \
 ip6 \
 libvirt_network \
 guest_output \
-iifname \
+iif \
 virbr0 \
 counter \
 reject
@@ -46,7 +46,7 @@ rule \
 ip6 \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 counter \
 reject
@@ -56,9 +56,9 @@ rule \
 ip6 \
 libvirt_network \
 guest_cross \
-iifname \
+iif \
 virbr0 \
-oifname \
+oif \
 virbr0 \
 counter \
 accept
@@ -71,7 +71,7 @@ guest_output \
 ip \
 saddr \
 192.168.122.0/24 \
-iifname \
+iif \
 virbr0 \
 counter \
 accept
@@ -81,7 +81,7 @@ rule \
 ip \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 ip \
 daddr \
@@ -183,7 +183,7 @@ guest_output \
 ip6 \
 saddr \
 2001:db8:ca2:2::/64 \
-iifname \
+iif \
 virbr0 \
 counter \
 accept
@@ -193,7 +193,7 @@ rule \
 ip6 \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 ip6 \
 daddr \
diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
index 3ab6286d2c..b826fe6134 100644
--- a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
@@ -4,7 +4,7 @@ rule \
 ip \
 libvirt_network \
 guest_output \
-iifname \
+iif \
 virbr0 \
 counter \
 reject
@@ -14,7 +14,7 @@ rule \
 ip \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 counter \
 reject
@@ -24,9 +24,9 @@ rule \
 ip \
 libvirt_network \
 guest_cross \
-iifname \
+iif \
 virbr0 \
-oifname \
+oif \
 virbr0 \
 counter \
 accept
@@ -39,7 +39,7 @@ guest_output \
 ip \
 saddr \
 192.168.122.0/24 \
-iifname \
+iif \
 virbr0 \
 counter \
 accept
@@ -49,7 +49,7 @@ rule \
 ip \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 ip \
 daddr \
@@ -151,7 +151,7 @@ guest_output \
 ip \
 saddr \
 192.168.128.0/24 \
-iifname \
+iif \
 virbr0 \
 counter \
 accept
@@ -161,7 +161,7 @@ rule \
 ip \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 ip \
 daddr \
@@ -263,7 +263,7 @@ guest_output \
 ip \
 saddr \
 192.168.150.0/24 \
-iifname \
+iif \
 virbr0 \
 counter \
 accept
@@ -273,7 +273,7 @@ rule \
 ip \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 ip \
 daddr \
diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
index 615bb4e144..d8a9ba706d 100644
--- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
@@ -4,7 +4,7 @@ rule \
 ip \
 libvirt_network \
 guest_output \
-iifname \
+iif \
 virbr0 \
 counter \
 reject
@@ -14,7 +14,7 @@ rule \
 ip \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 counter \
 reject
@@ -24,9 +24,9 @@ rule \
 ip \
 libvirt_network \
 guest_cross \
-iifname \
+iif \
 virbr0 \
-oifname \
+oif \
 virbr0 \
 counter \
 accept
@@ -36,7 +36,7 @@ rule \
 ip6 \
 libvirt_network \
 guest_output \
-iifname \
+iif \
 virbr0 \
 counter \
 reject
@@ -46,7 +46,7 @@ rule \
 ip6 \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 counter \
 reject
@@ -56,9 +56,9 @@ rule \
 ip6 \
 libvirt_network \
 guest_cross \
-iifname \
+iif \
 virbr0 \
-oifname \
+oif \
 virbr0 \
 counter \
 accept
@@ -71,7 +71,7 @@ guest_output \
 ip \
 saddr \
 192.168.122.0/24 \
-iifname \
+iif \
 virbr0 \
 counter \
 accept
@@ -81,7 +81,7 @@ rule \
 ip \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 ip \
 daddr \
@@ -183,7 +183,7 @@ guest_output \
 ip6 \
 saddr \
 2001:db8:ca2:2::/64 \
-iifname \
+iif \
 virbr0 \
 counter \
 accept
@@ -196,7 +196,7 @@ guest_input \
 ip6 \
 daddr \
 2001:db8:ca2:2::/64 \
-oifname \
+oif \
 virbr0 \
 counter \
 accept
diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.nftables b/tests/networkxml2firewalldata/nat-tftp-linux.nftables
index 298a83d088..28508292f9 100644
--- a/tests/networkxml2firewalldata/nat-tftp-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-tftp-linux.nftables
@@ -4,7 +4,7 @@ rule \
 ip \
 libvirt_network \
 guest_output \
-iifname \
+iif \
 virbr0 \
 counter \
 reject
@@ -14,7 +14,7 @@ rule \
 ip \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 counter \
 reject
@@ -24,9 +24,9 @@ rule \
 ip \
 libvirt_network \
 guest_cross \
-iifname \
+iif \
 virbr0 \
-oifname \
+oif \
 virbr0 \
 counter \
 accept
@@ -39,7 +39,7 @@ guest_output \
 ip \
 saddr \
 192.168.122.0/24 \
-iifname \
+iif \
 virbr0 \
 counter \
 accept
@@ -49,7 +49,7 @@ rule \
 ip \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 ip \
 daddr \
diff --git a/tests/networkxml2firewalldata/route-default-linux.nftables b/tests/networkxml2firewalldata/route-default-linux.nftables
index 09a32f0949..282c9542a5 100644
--- a/tests/networkxml2firewalldata/route-default-linux.nftables
+++ b/tests/networkxml2firewalldata/route-default-linux.nftables
@@ -4,7 +4,7 @@ rule \
 ip \
 libvirt_network \
 guest_output \
-iifname \
+iif \
 virbr0 \
 counter \
 reject
@@ -14,7 +14,7 @@ rule \
 ip \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 counter \
 reject
@@ -24,9 +24,9 @@ rule \
 ip \
 libvirt_network \
 guest_cross \
-iifname \
+iif \
 virbr0 \
-oifname \
+oif \
 virbr0 \
 counter \
 accept
@@ -39,7 +39,7 @@ guest_output \
 ip \
 saddr \
 192.168.122.0/24 \
-iifname \
+iif \
 virbr0 \
 counter \
 accept
@@ -52,7 +52,7 @@ guest_input \
 ip \
 daddr \
 192.168.122.0/24 \
-oifname \
+oif \
 virbr0 \
 counter \
 accept
-- 
2.45.0




