network: use iif/oif instead of iifname/oifname in nftables rules

iifname/oifname need to lookup the string that contains the name of
the interface each time a packet is checked, while iif/oif compare the
ifindex of the interface, which is included directly in the
packet. Conveniently, the rule is created using the *name* of the
interface (which gets converted to ifindex as the rule is added), so
no extra work is required other than changing the commandline option.

If it was the case that the interface could be deleted and re-added
during the life of the rule, we would have to use Xifname (since
deleting and re-adding the interface would result in ifindex
changing), but for our uses this never happens, so Xif works for us,
and undoubtedly improves performance by at least 0.0000001%.

Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>

diff --git a/src/network/network_nftables.c b/src/network/network_nftables.c
index f3824ece99fcc4016434e9b78f0b95864a999666..59ab231a0642ee99812b9f8185ed5d6742ddad95 100644 (file)
--- a/src/network/network_nftables.c
+++ b/src/network/network_nftables.c
@@ -236,7 +236,7 @@ nftablesAddInput(virFirewall *fw,
     virFirewallAddCmd(fw, layer, "insert", "rule",
                       layerStr, VIR_NFTABLES_PRIVATE_TABLE,
                       VIR_NFTABLES_INPUT_CHAIN,
-                      "iifname", iface,
+                      "iif", iface,
                       tcp ? "tcp" : "udp",
                       "dport", portstr,
                       "counter", "accept",
@@ -257,7 +257,7 @@ nftablesAddOutput(virFirewall *fw,
     virFirewallAddCmd(fw, layer, "insert", "rule",
                       layerStr, VIR_NFTABLES_PRIVATE_TABLE,
                       VIR_NFTABLES_OUTPUT_CHAIN,
-                      "oifname", iface,
+                      "oif", iface,
                       tcp ? "tcp" : "udp",
                       "dport", portstr,
                       "counter", "accept",
@@ -359,10 +359,10 @@ nftablesAddForwardAllowOut(virFirewall *fw,
                               layerStr, VIR_NFTABLES_PRIVATE_TABLE,
                               VIR_NFTABLES_FWD_OUT_CHAIN,
                               layerStr, "saddr", networkstr,
-                              "iifname", iface, NULL);
+                              "iif", iface, NULL);
 
     if (physdev && physdev[0])
-        virFirewallCmdAddArgList(fw, fwCmd, "oifname", physdev, NULL);
+        virFirewallCmdAddArgList(fw, fwCmd, "oif", physdev, NULL);
 
     virFirewallCmdAddArgList(fw, fwCmd, "counter", "accept", NULL);
 
@@ -398,9 +398,9 @@ nftablesAddForwardAllowRelatedIn(virFirewall *fw,
                               VIR_NFTABLES_FWD_IN_CHAIN, NULL);
 
     if (physdev && physdev[0])
-        virFirewallCmdAddArgList(fw, fwCmd, "iifname", physdev, NULL);
+        virFirewallCmdAddArgList(fw, fwCmd, "iif", physdev, NULL);
 
-    virFirewallCmdAddArgList(fw, fwCmd, "oifname", iface,
+    virFirewallCmdAddArgList(fw, fwCmd, "oif", iface,
                              layerStr, "daddr", networkstr,
                              "ct", "state", "related,established",
                              "counter", "accept", NULL);
@@ -437,9 +437,9 @@ nftablesAddForwardAllowIn(virFirewall *fw,
                              layerStr, "daddr", networkstr, NULL);
 
     if (physdev && physdev[0])
-        virFirewallCmdAddArgList(fw, fwCmd, "iifname", physdev, NULL);
+        virFirewallCmdAddArgList(fw, fwCmd, "iif", physdev, NULL);
 
-    virFirewallCmdAddArgList(fw, fwCmd, "oifname", iface,
+    virFirewallCmdAddArgList(fw, fwCmd, "oif", iface,
                               "counter", "accept", NULL);
     return 0;
 }
@@ -461,8 +461,8 @@ nftablesAddForwardAllowCross(virFirewall *fw,
                       nftablesLayerTypeToString(layer),
                       VIR_NFTABLES_PRIVATE_TABLE,
                       VIR_NFTABLES_FWD_X_CHAIN,
-                      "iifname", iface,
-                      "oifname", iface,
+                      "iif", iface,
+                      "oif", iface,
                       "counter", "accept",
                       NULL);
 }
@@ -485,7 +485,7 @@ nftablesAddForwardRejectOut(virFirewall *fw,
                       nftablesLayerTypeToString(layer),
                       VIR_NFTABLES_PRIVATE_TABLE,
                       VIR_NFTABLES_FWD_OUT_CHAIN,
-                      "iifname", iface,
+                      "iif", iface,
                       "counter", "reject",
                       NULL);
 }
@@ -508,7 +508,7 @@ nftablesAddForwardRejectIn(virFirewall *fw,
                       nftablesLayerTypeToString(layer),
                       VIR_NFTABLES_PRIVATE_TABLE,
                       VIR_NFTABLES_FWD_IN_CHAIN,
-                      "oifname", iface,
+                      "oif", iface,
                       "counter", "reject",
                       NULL);
 }
@@ -566,7 +566,7 @@ nftablesAddForwardMasquerade(virFirewall *fw,
                              layerStr, "daddr", "!=", networkstr, NULL);
 
     if (physdev && physdev[0])
-        virFirewallCmdAddArgList(fw, fwCmd, "oifname", physdev, NULL);
+        virFirewallCmdAddArgList(fw, fwCmd, "oif", physdev, NULL);
 
     if (protocol && protocol[0]) {
         if (port->start == 0 && port->end == 0) {
@@ -634,7 +634,7 @@ nftablesAddDontMasquerade(virFirewall *fw,
                               VIR_NFTABLES_NAT_POSTROUTE_CHAIN, NULL);
 
     if (physdev && physdev[0])
-        virFirewallCmdAddArgList(fw, fwCmd, "oifname", physdev, NULL);
+        virFirewallCmdAddArgList(fw, fwCmd, "oif", physdev, NULL);
 
     virFirewallCmdAddArgList(fw, fwCmd,
                              layerStr, "saddr", networkstr,

diff --git a/tests/networkxml2firewalldata/nat-default-linux.nftables b/tests/networkxml2firewalldata/nat-default-linux.nftables
index 298a83d08802f3b32cbfc43042871ca955cdaf70..28508292f9efe44100077972853ba67fa0d7001e 100644 (file)
--- a/tests/networkxml2firewalldata/nat-default-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-default-linux.nftables
@@ -4,7 +4,7 @@ rule \
 ip \
 libvirt_network \
 guest_output \
-iifname \
+iif \
 virbr0 \
 counter \
 reject
@@ -14,7 +14,7 @@ rule \
 ip \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 counter \
 reject
@@ -24,9 +24,9 @@ rule \
 ip \
 libvirt_network \
 guest_cross \
-iifname \
+iif \
 virbr0 \
-oifname \
+oif \
 virbr0 \
 counter \
 accept
@@ -39,7 +39,7 @@ guest_output \
 ip \
 saddr \
 192.168.122.0/24 \
-iifname \
+iif \
 virbr0 \
 counter \
 accept
@@ -49,7 +49,7 @@ rule \
 ip \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 ip \
 daddr \

diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
index 615bb4e144d905cce72e9a946813203365fec3b0..d8a9ba706d8b92b1ef4b9c2e36aa8c8fbba88760 100644 (file)
--- a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
@@ -4,7 +4,7 @@ rule \
 ip \
 libvirt_network \
 guest_output \
-iifname \
+iif \
 virbr0 \
 counter \
 reject
@@ -14,7 +14,7 @@ rule \
 ip \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 counter \
 reject
@@ -24,9 +24,9 @@ rule \
 ip \
 libvirt_network \
 guest_cross \
-iifname \
+iif \
 virbr0 \
-oifname \
+oif \
 virbr0 \
 counter \
 accept
@@ -36,7 +36,7 @@ rule \
 ip6 \
 libvirt_network \
 guest_output \
-iifname \
+iif \
 virbr0 \
 counter \
 reject
@@ -46,7 +46,7 @@ rule \
 ip6 \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 counter \
 reject
@@ -56,9 +56,9 @@ rule \
 ip6 \
 libvirt_network \
 guest_cross \
-iifname \
+iif \
 virbr0 \
-oifname \
+oif \
 virbr0 \
 counter \
 accept
@@ -71,7 +71,7 @@ guest_output \
 ip \
 saddr \
 192.168.122.0/24 \
-iifname \
+iif \
 virbr0 \
 counter \
 accept
@@ -81,7 +81,7 @@ rule \
 ip \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 ip \
 daddr \
@@ -183,7 +183,7 @@ guest_output \
 ip6 \
 saddr \
 2001:db8:ca2:2::/64 \
-iifname \
+iif \
 virbr0 \
 counter \
 accept
@@ -196,7 +196,7 @@ guest_input \
 ip6 \
 daddr \
 2001:db8:ca2:2::/64 \
-oifname \
+oif \
 virbr0 \
 counter \
 accept

diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
index 27817d8a68995903b141d8ea01142b968f043b1b..a7f09cda59e0385acb48b2238809d3f8ffe3b38a 100644 (file)
--- a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
@@ -4,7 +4,7 @@ rule \
 ip \
 libvirt_network \
 guest_output \
-iifname \
+iif \
 virbr0 \
 counter \
 reject
@@ -14,7 +14,7 @@ rule \
 ip \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 counter \
 reject
@@ -24,9 +24,9 @@ rule \
 ip \
 libvirt_network \
 guest_cross \
-iifname \
+iif \
 virbr0 \
-oifname \
+oif \
 virbr0 \
 counter \
 accept
@@ -36,7 +36,7 @@ rule \
 ip6 \
 libvirt_network \
 guest_output \
-iifname \
+iif \
 virbr0 \
 counter \
 reject
@@ -46,7 +46,7 @@ rule \
 ip6 \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 counter \
 reject
@@ -56,9 +56,9 @@ rule \
 ip6 \
 libvirt_network \
 guest_cross \
-iifname \
+iif \
 virbr0 \
-oifname \
+oif \
 virbr0 \
 counter \
 accept
@@ -71,7 +71,7 @@ guest_output \
 ip \
 saddr \
 192.168.122.0/24 \
-iifname \
+iif \
 virbr0 \
 counter \
 accept
@@ -81,7 +81,7 @@ rule \
 ip \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 ip \
 daddr \
@@ -183,7 +183,7 @@ guest_output \
 ip6 \
 saddr \
 2001:db8:ca2:2::/64 \
-iifname \
+iif \
 virbr0 \
 counter \
 accept
@@ -193,7 +193,7 @@ rule \
 ip6 \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 ip6 \
 daddr \

diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
index 3ab6286d2cdb87ddc5877f5aa39af9722457f0c6..b826fe6134d64dd0e01f19661787e73ad5e52893 100644 (file)
--- a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
@@ -4,7 +4,7 @@ rule \
 ip \
 libvirt_network \
 guest_output \
-iifname \
+iif \
 virbr0 \
 counter \
 reject
@@ -14,7 +14,7 @@ rule \
 ip \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 counter \
 reject
@@ -24,9 +24,9 @@ rule \
 ip \
 libvirt_network \
 guest_cross \
-iifname \
+iif \
 virbr0 \
-oifname \
+oif \
 virbr0 \
 counter \
 accept
@@ -39,7 +39,7 @@ guest_output \
 ip \
 saddr \
 192.168.122.0/24 \
-iifname \
+iif \
 virbr0 \
 counter \
 accept
@@ -49,7 +49,7 @@ rule \
 ip \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 ip \
 daddr \
@@ -151,7 +151,7 @@ guest_output \
 ip \
 saddr \
 192.168.128.0/24 \
-iifname \
+iif \
 virbr0 \
 counter \
 accept
@@ -161,7 +161,7 @@ rule \
 ip \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 ip \
 daddr \
@@ -263,7 +263,7 @@ guest_output \
 ip \
 saddr \
 192.168.150.0/24 \
-iifname \
+iif \
 virbr0 \
 counter \
 accept
@@ -273,7 +273,7 @@ rule \
 ip \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 ip \
 daddr \

diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
index 615bb4e144d905cce72e9a946813203365fec3b0..d8a9ba706d8b92b1ef4b9c2e36aa8c8fbba88760 100644 (file)
--- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
@@ -4,7 +4,7 @@ rule \
 ip \
 libvirt_network \
 guest_output \
-iifname \
+iif \
 virbr0 \
 counter \
 reject
@@ -14,7 +14,7 @@ rule \
 ip \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 counter \
 reject
@@ -24,9 +24,9 @@ rule \
 ip \
 libvirt_network \
 guest_cross \
-iifname \
+iif \
 virbr0 \
-oifname \
+oif \
 virbr0 \
 counter \
 accept
@@ -36,7 +36,7 @@ rule \
 ip6 \
 libvirt_network \
 guest_output \
-iifname \
+iif \
 virbr0 \
 counter \
 reject
@@ -46,7 +46,7 @@ rule \
 ip6 \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 counter \
 reject
@@ -56,9 +56,9 @@ rule \
 ip6 \
 libvirt_network \
 guest_cross \
-iifname \
+iif \
 virbr0 \
-oifname \
+oif \
 virbr0 \
 counter \
 accept
@@ -71,7 +71,7 @@ guest_output \
 ip \
 saddr \
 192.168.122.0/24 \
-iifname \
+iif \
 virbr0 \
 counter \
 accept
@@ -81,7 +81,7 @@ rule \
 ip \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 ip \
 daddr \
@@ -183,7 +183,7 @@ guest_output \
 ip6 \
 saddr \
 2001:db8:ca2:2::/64 \
-iifname \
+iif \
 virbr0 \
 counter \
 accept
@@ -196,7 +196,7 @@ guest_input \
 ip6 \
 daddr \
 2001:db8:ca2:2::/64 \
-oifname \
+oif \
 virbr0 \
 counter \
 accept

diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.nftables b/tests/networkxml2firewalldata/nat-tftp-linux.nftables
index 298a83d08802f3b32cbfc43042871ca955cdaf70..28508292f9efe44100077972853ba67fa0d7001e 100644 (file)
--- a/tests/networkxml2firewalldata/nat-tftp-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-tftp-linux.nftables
@@ -4,7 +4,7 @@ rule \
 ip \
 libvirt_network \
 guest_output \
-iifname \
+iif \
 virbr0 \
 counter \
 reject
@@ -14,7 +14,7 @@ rule \
 ip \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 counter \
 reject
@@ -24,9 +24,9 @@ rule \
 ip \
 libvirt_network \
 guest_cross \
-iifname \
+iif \
 virbr0 \
-oifname \
+oif \
 virbr0 \
 counter \
 accept
@@ -39,7 +39,7 @@ guest_output \
 ip \
 saddr \
 192.168.122.0/24 \
-iifname \
+iif \
 virbr0 \
 counter \
 accept
@@ -49,7 +49,7 @@ rule \
 ip \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 ip \
 daddr \

diff --git a/tests/networkxml2firewalldata/route-default-linux.nftables b/tests/networkxml2firewalldata/route-default-linux.nftables
index 09a32f09495885990e6e596999a2e38fa3610ec0..282c9542a54d404a18434362b3b3f027e07b12ff 100644 (file)
--- a/tests/networkxml2firewalldata/route-default-linux.nftables
+++ b/tests/networkxml2firewalldata/route-default-linux.nftables
@@ -4,7 +4,7 @@ rule \
 ip \
 libvirt_network \
 guest_output \
-iifname \
+iif \
 virbr0 \
 counter \
 reject
@@ -14,7 +14,7 @@ rule \
 ip \
 libvirt_network \
 guest_input \
-oifname \
+oif \
 virbr0 \
 counter \
 reject
@@ -24,9 +24,9 @@ rule \
 ip \
 libvirt_network \
 guest_cross \
-iifname \
+iif \
 virbr0 \
-oifname \
+oif \
 virbr0 \
 counter \
 accept
@@ -39,7 +39,7 @@ guest_output \
 ip \
 saddr \
 192.168.122.0/24 \
-iifname \
+iif \
 virbr0 \
 counter \
 accept
@@ -52,7 +52,7 @@ guest_input \
 ip \
 daddr \
 192.168.122.0/24 \
-oifname \
+oif \
 virbr0 \
 counter \
 accept