Could firewall4 use iif/oif instead of iifname/oifname?

[rany2]

I've noticed that all the firewall4 entries except for link-local use iifname/oifname which does a string comparison and is resource intensive. Wouldn't it be possible for firewall4 to use iif/oif exclusively given that it reloads automatically on any interface change?

[brada4]

Certainly when any offload is enabled, as that is bound to interface id.

Certainly not with interfaces matched by wildcard.

Maybe not - if users make iif in ruleset insert then fw4 glitches at boot when matched interface is not yet present.

[brada4]

When interface is removed reload is not triggered (probably a bug)

[rany2]

It's not an issue though, in that case the ifindex will just be unused/have no effect.

[brada4]

Pragmatically have to expand wildcards in scripts to jump the barrier.
Anyway you can reload for (performance) testing.

#!/bin/ash -x

A=`mktemp`

 echo flush table inet fw4 > $A
 nft list table inet fw4 | sed s/ifname/if/g >> $A
 nft -c -o -f $A && nft -o -f $A

rm $A

(i tagged you in forum)

[rany2]

i tagged you in forum)

I don't have an account on forum.

[rany2]

Pragmatically have to expand wildcards in scripts to jump the barrier. Anyway you can reload for (performance) testing.

#!/bin/ash -x

A=mktemp

echo flush table inet fw4 > $A
nft list table inet fw4 | sed s/ifname/if/g >> $A
nft -c -o -f $A && nft -o -f $A

rm $A

You don't need to do this. You can just edit all the .uc templates, find and replace iifname/oifname to iif/oif. After fw4 reload it will work immediately and seems like all is well.

[brada4]

Antithesis for simple sed -i (id have done it by now if it was that simple)

table inet t {
 chain c {
  iif "lo*"
 }
}

Formal reference https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes#Meta

[rany2]

@brada4 Just use for x in /usr/share/firewall4/templates/*.uc; do sed -i $x -e 's|ifname |if |g' -e 's|ifname"|if"|g'; done.

[brada4]

That breaks wildcard interface test case....

[rany2]

That breaks wildcard interface test case....

It's just for testing the idea out on typical installs that don't need that.

[brada4]

Mine is kind of with safety pillow for any unmodified installl....

[brada4]

It has 3x xifname in the default established,related quickest-of-slow-paths
one: #27
two: #64 - this is partial.... just one postrouting rule without interfaces would do good for WAN, and for confusing jumbo/1500 ethernets
Just a side-look at the problem area.....