network: use iif/oif instead of iifname/oifname in nftables rules
iifname/oifname need to lookup the string that contains the name of the interface each time a packet is checked, while iif/oif compare the ifindex of the interface, which is included directly in the packet. Conveniently, the rule is created using the *name* of the interface (which gets converted to ifindex as the rule is added), so no extra work is required other than changing the commandline option. If it was the case that the interface could be deleted and re-added during the life of the rule, we would have to use Xifname (since deleting and re-adding the interface would result in ifindex changing), but for our uses this never happens, so Xif works for us, and undoubtedly improves performance by at least 0.0000001%. Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
This commit is contained in:
parent
bbc1b3fc6e
commit
a4f38f6ffe
@ -236,7 +236,7 @@ nftablesAddInput(virFirewall *fw,
|
||||
virFirewallAddCmd(fw, layer, "insert", "rule",
|
||||
layerStr, VIR_NFTABLES_PRIVATE_TABLE,
|
||||
VIR_NFTABLES_INPUT_CHAIN,
|
||||
"iifname", iface,
|
||||
"iif", iface,
|
||||
tcp ? "tcp" : "udp",
|
||||
"dport", portstr,
|
||||
"counter", "accept",
|
||||
@ -257,7 +257,7 @@ nftablesAddOutput(virFirewall *fw,
|
||||
virFirewallAddCmd(fw, layer, "insert", "rule",
|
||||
layerStr, VIR_NFTABLES_PRIVATE_TABLE,
|
||||
VIR_NFTABLES_OUTPUT_CHAIN,
|
||||
"oifname", iface,
|
||||
"oif", iface,
|
||||
tcp ? "tcp" : "udp",
|
||||
"dport", portstr,
|
||||
"counter", "accept",
|
||||
@ -359,10 +359,10 @@ nftablesAddForwardAllowOut(virFirewall *fw,
|
||||
layerStr, VIR_NFTABLES_PRIVATE_TABLE,
|
||||
VIR_NFTABLES_FWD_OUT_CHAIN,
|
||||
layerStr, "saddr", networkstr,
|
||||
"iifname", iface, NULL);
|
||||
"iif", iface, NULL);
|
||||
|
||||
if (physdev && physdev[0])
|
||||
virFirewallCmdAddArgList(fw, fwCmd, "oifname", physdev, NULL);
|
||||
virFirewallCmdAddArgList(fw, fwCmd, "oif", physdev, NULL);
|
||||
|
||||
virFirewallCmdAddArgList(fw, fwCmd, "counter", "accept", NULL);
|
||||
|
||||
@ -398,9 +398,9 @@ nftablesAddForwardAllowRelatedIn(virFirewall *fw,
|
||||
VIR_NFTABLES_FWD_IN_CHAIN, NULL);
|
||||
|
||||
if (physdev && physdev[0])
|
||||
virFirewallCmdAddArgList(fw, fwCmd, "iifname", physdev, NULL);
|
||||
virFirewallCmdAddArgList(fw, fwCmd, "iif", physdev, NULL);
|
||||
|
||||
virFirewallCmdAddArgList(fw, fwCmd, "oifname", iface,
|
||||
virFirewallCmdAddArgList(fw, fwCmd, "oif", iface,
|
||||
layerStr, "daddr", networkstr,
|
||||
"ct", "state", "related,established",
|
||||
"counter", "accept", NULL);
|
||||
@ -437,9 +437,9 @@ nftablesAddForwardAllowIn(virFirewall *fw,
|
||||
layerStr, "daddr", networkstr, NULL);
|
||||
|
||||
if (physdev && physdev[0])
|
||||
virFirewallCmdAddArgList(fw, fwCmd, "iifname", physdev, NULL);
|
||||
virFirewallCmdAddArgList(fw, fwCmd, "iif", physdev, NULL);
|
||||
|
||||
virFirewallCmdAddArgList(fw, fwCmd, "oifname", iface,
|
||||
virFirewallCmdAddArgList(fw, fwCmd, "oif", iface,
|
||||
"counter", "accept", NULL);
|
||||
return 0;
|
||||
}
|
||||
@ -461,8 +461,8 @@ nftablesAddForwardAllowCross(virFirewall *fw,
|
||||
nftablesLayerTypeToString(layer),
|
||||
VIR_NFTABLES_PRIVATE_TABLE,
|
||||
VIR_NFTABLES_FWD_X_CHAIN,
|
||||
"iifname", iface,
|
||||
"oifname", iface,
|
||||
"iif", iface,
|
||||
"oif", iface,
|
||||
"counter", "accept",
|
||||
NULL);
|
||||
}
|
||||
@ -485,7 +485,7 @@ nftablesAddForwardRejectOut(virFirewall *fw,
|
||||
nftablesLayerTypeToString(layer),
|
||||
VIR_NFTABLES_PRIVATE_TABLE,
|
||||
VIR_NFTABLES_FWD_OUT_CHAIN,
|
||||
"iifname", iface,
|
||||
"iif", iface,
|
||||
"counter", "reject",
|
||||
NULL);
|
||||
}
|
||||
@ -508,7 +508,7 @@ nftablesAddForwardRejectIn(virFirewall *fw,
|
||||
nftablesLayerTypeToString(layer),
|
||||
VIR_NFTABLES_PRIVATE_TABLE,
|
||||
VIR_NFTABLES_FWD_IN_CHAIN,
|
||||
"oifname", iface,
|
||||
"oif", iface,
|
||||
"counter", "reject",
|
||||
NULL);
|
||||
}
|
||||
@ -566,7 +566,7 @@ nftablesAddForwardMasquerade(virFirewall *fw,
|
||||
layerStr, "daddr", "!=", networkstr, NULL);
|
||||
|
||||
if (physdev && physdev[0])
|
||||
virFirewallCmdAddArgList(fw, fwCmd, "oifname", physdev, NULL);
|
||||
virFirewallCmdAddArgList(fw, fwCmd, "oif", physdev, NULL);
|
||||
|
||||
if (protocol && protocol[0]) {
|
||||
if (port->start == 0 && port->end == 0) {
|
||||
@ -634,7 +634,7 @@ nftablesAddDontMasquerade(virFirewall *fw,
|
||||
VIR_NFTABLES_NAT_POSTROUTE_CHAIN, NULL);
|
||||
|
||||
if (physdev && physdev[0])
|
||||
virFirewallCmdAddArgList(fw, fwCmd, "oifname", physdev, NULL);
|
||||
virFirewallCmdAddArgList(fw, fwCmd, "oif", physdev, NULL);
|
||||
|
||||
virFirewallCmdAddArgList(fw, fwCmd,
|
||||
layerStr, "saddr", networkstr,
|
||||
|
@ -4,7 +4,7 @@ rule \
|
||||
ip \
|
||||
libvirt_network \
|
||||
guest_output \
|
||||
iifname \
|
||||
iif \
|
||||
virbr0 \
|
||||
counter \
|
||||
reject
|
||||
@ -14,7 +14,7 @@ rule \
|
||||
ip \
|
||||
libvirt_network \
|
||||
guest_input \
|
||||
oifname \
|
||||
oif \
|
||||
virbr0 \
|
||||
counter \
|
||||
reject
|
||||
@ -24,9 +24,9 @@ rule \
|
||||
ip \
|
||||
libvirt_network \
|
||||
guest_cross \
|
||||
iifname \
|
||||
iif \
|
||||
virbr0 \
|
||||
oifname \
|
||||
oif \
|
||||
virbr0 \
|
||||
counter \
|
||||
accept
|
||||
@ -39,7 +39,7 @@ guest_output \
|
||||
ip \
|
||||
saddr \
|
||||
192.168.122.0/24 \
|
||||
iifname \
|
||||
iif \
|
||||
virbr0 \
|
||||
counter \
|
||||
accept
|
||||
@ -49,7 +49,7 @@ rule \
|
||||
ip \
|
||||
libvirt_network \
|
||||
guest_input \
|
||||
oifname \
|
||||
oif \
|
||||
virbr0 \
|
||||
ip \
|
||||
daddr \
|
||||
|
@ -4,7 +4,7 @@ rule \
|
||||
ip \
|
||||
libvirt_network \
|
||||
guest_output \
|
||||
iifname \
|
||||
iif \
|
||||
virbr0 \
|
||||
counter \
|
||||
reject
|
||||
@ -14,7 +14,7 @@ rule \
|
||||
ip \
|
||||
libvirt_network \
|
||||
guest_input \
|
||||
oifname \
|
||||
oif \
|
||||
virbr0 \
|
||||
counter \
|
||||
reject
|
||||
@ -24,9 +24,9 @@ rule \
|
||||
ip \
|
||||
libvirt_network \
|
||||
guest_cross \
|
||||
iifname \
|
||||
iif \
|
||||
virbr0 \
|
||||
oifname \
|
||||
oif \
|
||||
virbr0 \
|
||||
counter \
|
||||
accept
|
||||
@ -36,7 +36,7 @@ rule \
|
||||
ip6 \
|
||||
libvirt_network \
|
||||
guest_output \
|
||||
iifname \
|
||||
iif \
|
||||
virbr0 \
|
||||
counter \
|
||||
reject
|
||||
@ -46,7 +46,7 @@ rule \
|
||||
ip6 \
|
||||
libvirt_network \
|
||||
guest_input \
|
||||
oifname \
|
||||
oif \
|
||||
virbr0 \
|
||||
counter \
|
||||
reject
|
||||
@ -56,9 +56,9 @@ rule \
|
||||
ip6 \
|
||||
libvirt_network \
|
||||
guest_cross \
|
||||
iifname \
|
||||
iif \
|
||||
virbr0 \
|
||||
oifname \
|
||||
oif \
|
||||
virbr0 \
|
||||
counter \
|
||||
accept
|
||||
@ -71,7 +71,7 @@ guest_output \
|
||||
ip \
|
||||
saddr \
|
||||
192.168.122.0/24 \
|
||||
iifname \
|
||||
iif \
|
||||
virbr0 \
|
||||
counter \
|
||||
accept
|
||||
@ -81,7 +81,7 @@ rule \
|
||||
ip \
|
||||
libvirt_network \
|
||||
guest_input \
|
||||
oifname \
|
||||
oif \
|
||||
virbr0 \
|
||||
ip \
|
||||
daddr \
|
||||
@ -183,7 +183,7 @@ guest_output \
|
||||
ip6 \
|
||||
saddr \
|
||||
2001:db8:ca2:2::/64 \
|
||||
iifname \
|
||||
iif \
|
||||
virbr0 \
|
||||
counter \
|
||||
accept
|
||||
@ -196,7 +196,7 @@ guest_input \
|
||||
ip6 \
|
||||
daddr \
|
||||
2001:db8:ca2:2::/64 \
|
||||
oifname \
|
||||
oif \
|
||||
virbr0 \
|
||||
counter \
|
||||
accept
|
||||
|
@ -4,7 +4,7 @@ rule \
|
||||
ip \
|
||||
libvirt_network \
|
||||
guest_output \
|
||||
iifname \
|
||||
iif \
|
||||
virbr0 \
|
||||
counter \
|
||||
reject
|
||||
@ -14,7 +14,7 @@ rule \
|
||||
ip \
|
||||
libvirt_network \
|
||||
guest_input \
|
||||
oifname \
|
||||
oif \
|
||||
virbr0 \
|
||||
counter \
|
||||
reject
|
||||
@ -24,9 +24,9 @@ rule \
|
||||
ip \
|
||||
libvirt_network \
|
||||
guest_cross \
|
||||
iifname \
|
||||
iif \
|
||||
virbr0 \
|
||||
oifname \
|
||||
oif \
|
||||
virbr0 \
|
||||
counter \
|
||||
accept
|
||||
@ -36,7 +36,7 @@ rule \
|
||||
ip6 \
|
||||
libvirt_network \
|
||||
guest_output \
|
||||
iifname \
|
||||
iif \
|
||||
virbr0 \
|
||||
counter \
|
||||
reject
|
||||
@ -46,7 +46,7 @@ rule \
|
||||
ip6 \
|
||||
libvirt_network \
|
||||
guest_input \
|
||||
oifname \
|
||||
oif \
|
||||
virbr0 \
|
||||
counter \
|
||||
reject
|
||||
@ -56,9 +56,9 @@ rule \
|
||||
ip6 \
|
||||
libvirt_network \
|
||||
guest_cross \
|
||||
iifname \
|
||||
iif \
|
||||
virbr0 \
|
||||
oifname \
|
||||
oif \
|
||||
virbr0 \
|
||||
counter \
|
||||
accept
|
||||
@ -71,7 +71,7 @@ guest_output \
|
||||
ip \
|
||||
saddr \
|
||||
192.168.122.0/24 \
|
||||
iifname \
|
||||
iif \
|
||||
virbr0 \
|
||||
counter \
|
||||
accept
|
||||
@ -81,7 +81,7 @@ rule \
|
||||
ip \
|
||||
libvirt_network \
|
||||
guest_input \
|
||||
oifname \
|
||||
oif \
|
||||
virbr0 \
|
||||
ip \
|
||||
daddr \
|
||||
@ -183,7 +183,7 @@ guest_output \
|
||||
ip6 \
|
||||
saddr \
|
||||
2001:db8:ca2:2::/64 \
|
||||
iifname \
|
||||
iif \
|
||||
virbr0 \
|
||||
counter \
|
||||
accept
|
||||
@ -193,7 +193,7 @@ rule \
|
||||
ip6 \
|
||||
libvirt_network \
|
||||
guest_input \
|
||||
oifname \
|
||||
oif \
|
||||
virbr0 \
|
||||
ip6 \
|
||||
daddr \
|
||||
|
@ -4,7 +4,7 @@ rule \
|
||||
ip \
|
||||
libvirt_network \
|
||||
guest_output \
|
||||
iifname \
|
||||
iif \
|
||||
virbr0 \
|
||||
counter \
|
||||
reject
|
||||
@ -14,7 +14,7 @@ rule \
|
||||
ip \
|
||||
libvirt_network \
|
||||
guest_input \
|
||||
oifname \
|
||||
oif \
|
||||
virbr0 \
|
||||
counter \
|
||||
reject
|
||||
@ -24,9 +24,9 @@ rule \
|
||||
ip \
|
||||
libvirt_network \
|
||||
guest_cross \
|
||||
iifname \
|
||||
iif \
|
||||
virbr0 \
|
||||
oifname \
|
||||
oif \
|
||||
virbr0 \
|
||||
counter \
|
||||
accept
|
||||
@ -39,7 +39,7 @@ guest_output \
|
||||
ip \
|
||||
saddr \
|
||||
192.168.122.0/24 \
|
||||
iifname \
|
||||
iif \
|
||||
virbr0 \
|
||||
counter \
|
||||
accept
|
||||
@ -49,7 +49,7 @@ rule \
|
||||
ip \
|
||||
libvirt_network \
|
||||
guest_input \
|
||||
oifname \
|
||||
oif \
|
||||
virbr0 \
|
||||
ip \
|
||||
daddr \
|
||||
@ -151,7 +151,7 @@ guest_output \
|
||||
ip \
|
||||
saddr \
|
||||
192.168.128.0/24 \
|
||||
iifname \
|
||||
iif \
|
||||
virbr0 \
|
||||
counter \
|
||||
accept
|
||||
@ -161,7 +161,7 @@ rule \
|
||||
ip \
|
||||
libvirt_network \
|
||||
guest_input \
|
||||
oifname \
|
||||
oif \
|
||||
virbr0 \
|
||||
ip \
|
||||
daddr \
|
||||
@ -263,7 +263,7 @@ guest_output \
|
||||
ip \
|
||||
saddr \
|
||||
192.168.150.0/24 \
|
||||
iifname \
|
||||
iif \
|
||||
virbr0 \
|
||||
counter \
|
||||
accept
|
||||
@ -273,7 +273,7 @@ rule \
|
||||
ip \
|
||||
libvirt_network \
|
||||
guest_input \
|
||||
oifname \
|
||||
oif \
|
||||
virbr0 \
|
||||
ip \
|
||||
daddr \
|
||||
|
@ -4,7 +4,7 @@ rule \
|
||||
ip \
|
||||
libvirt_network \
|
||||
guest_output \
|
||||
iifname \
|
||||
iif \
|
||||
virbr0 \
|
||||
counter \
|
||||
reject
|
||||
@ -14,7 +14,7 @@ rule \
|
||||
ip \
|
||||
libvirt_network \
|
||||
guest_input \
|
||||
oifname \
|
||||
oif \
|
||||
virbr0 \
|
||||
counter \
|
||||
reject
|
||||
@ -24,9 +24,9 @@ rule \
|
||||
ip \
|
||||
libvirt_network \
|
||||
guest_cross \
|
||||
iifname \
|
||||
iif \
|
||||
virbr0 \
|
||||
oifname \
|
||||
oif \
|
||||
virbr0 \
|
||||
counter \
|
||||
accept
|
||||
@ -36,7 +36,7 @@ rule \
|
||||
ip6 \
|
||||
libvirt_network \
|
||||
guest_output \
|
||||
iifname \
|
||||
iif \
|
||||
virbr0 \
|
||||
counter \
|
||||
reject
|
||||
@ -46,7 +46,7 @@ rule \
|
||||
ip6 \
|
||||
libvirt_network \
|
||||
guest_input \
|
||||
oifname \
|
||||
oif \
|
||||
virbr0 \
|
||||
counter \
|
||||
reject
|
||||
@ -56,9 +56,9 @@ rule \
|
||||
ip6 \
|
||||
libvirt_network \
|
||||
guest_cross \
|
||||
iifname \
|
||||
iif \
|
||||
virbr0 \
|
||||
oifname \
|
||||
oif \
|
||||
virbr0 \
|
||||
counter \
|
||||
accept
|
||||
@ -71,7 +71,7 @@ guest_output \
|
||||
ip \
|
||||
saddr \
|
||||
192.168.122.0/24 \
|
||||
iifname \
|
||||
iif \
|
||||
virbr0 \
|
||||
counter \
|
||||
accept
|
||||
@ -81,7 +81,7 @@ rule \
|
||||
ip \
|
||||
libvirt_network \
|
||||
guest_input \
|
||||
oifname \
|
||||
oif \
|
||||
virbr0 \
|
||||
ip \
|
||||
daddr \
|
||||
@ -183,7 +183,7 @@ guest_output \
|
||||
ip6 \
|
||||
saddr \
|
||||
2001:db8:ca2:2::/64 \
|
||||
iifname \
|
||||
iif \
|
||||
virbr0 \
|
||||
counter \
|
||||
accept
|
||||
@ -196,7 +196,7 @@ guest_input \
|
||||
ip6 \
|
||||
daddr \
|
||||
2001:db8:ca2:2::/64 \
|
||||
oifname \
|
||||
oif \
|
||||
virbr0 \
|
||||
counter \
|
||||
accept
|
||||
|
@ -4,7 +4,7 @@ rule \
|
||||
ip \
|
||||
libvirt_network \
|
||||
guest_output \
|
||||
iifname \
|
||||
iif \
|
||||
virbr0 \
|
||||
counter \
|
||||
reject
|
||||
@ -14,7 +14,7 @@ rule \
|
||||
ip \
|
||||
libvirt_network \
|
||||
guest_input \
|
||||
oifname \
|
||||
oif \
|
||||
virbr0 \
|
||||
counter \
|
||||
reject
|
||||
@ -24,9 +24,9 @@ rule \
|
||||
ip \
|
||||
libvirt_network \
|
||||
guest_cross \
|
||||
iifname \
|
||||
iif \
|
||||
virbr0 \
|
||||
oifname \
|
||||
oif \
|
||||
virbr0 \
|
||||
counter \
|
||||
accept
|
||||
@ -39,7 +39,7 @@ guest_output \
|
||||
ip \
|
||||
saddr \
|
||||
192.168.122.0/24 \
|
||||
iifname \
|
||||
iif \
|
||||
virbr0 \
|
||||
counter \
|
||||
accept
|
||||
@ -49,7 +49,7 @@ rule \
|
||||
ip \
|
||||
libvirt_network \
|
||||
guest_input \
|
||||
oifname \
|
||||
oif \
|
||||
virbr0 \
|
||||
ip \
|
||||
daddr \
|
||||
|
@ -4,7 +4,7 @@ rule \
|
||||
ip \
|
||||
libvirt_network \
|
||||
guest_output \
|
||||
iifname \
|
||||
iif \
|
||||
virbr0 \
|
||||
counter \
|
||||
reject
|
||||
@ -14,7 +14,7 @@ rule \
|
||||
ip \
|
||||
libvirt_network \
|
||||
guest_input \
|
||||
oifname \
|
||||
oif \
|
||||
virbr0 \
|
||||
counter \
|
||||
reject
|
||||
@ -24,9 +24,9 @@ rule \
|
||||
ip \
|
||||
libvirt_network \
|
||||
guest_cross \
|
||||
iifname \
|
||||
iif \
|
||||
virbr0 \
|
||||
oifname \
|
||||
oif \
|
||||
virbr0 \
|
||||
counter \
|
||||
accept
|
||||
@ -39,7 +39,7 @@ guest_output \
|
||||
ip \
|
||||
saddr \
|
||||
192.168.122.0/24 \
|
||||
iifname \
|
||||
iif \
|
||||
virbr0 \
|
||||
counter \
|
||||
accept
|
||||
@ -52,7 +52,7 @@ guest_input \
|
||||
ip \
|
||||
daddr \
|
||||
192.168.122.0/24 \
|
||||
oifname \
|
||||
oif \
|
||||
virbr0 \
|
||||
counter \
|
||||
accept
|
||||
|