Sākums Izpētīt Palīdzība
Reģistrēties Pierakstīties
FreifunkHochstift
/
ffho-salt-public
2
0
Atdalīts 2
Faili Problēmas 0 Izmaiņu pieprasījumi 0
Pārlūkot izejas kodu

nftables: Use iifname rather than iif.

  »iifname« will always evaluate the interface name (slower), whereas »iif«
  will look up the ifIndex once when loading rules and then use the ifIndex
  for lookups after that.  If the ifIndex changes over time this will fail.
  So we choose less filtering performance over failures.

Signed-off-by: Maximilian Wilhelm <max@sdn.clinic>
Maximilian Wilhelm 2 gadi atpakaļ
vecāks
c7d7222bf5
revīzija
b515b6a04b
1 mainītis faili ar 8 papildinājumiem un 8 dzēšanām
Dalītais skats Rādīt salīdzināšanas statistiku
  1. 8 8
      nftables/nftables.conf.tmpl

+ 8 - 8
nftables/nftables.conf.tmpl
Parādīt failu 

@@ -49,7 +49,7 @@ table ip filter {
 
 		tcp dport 22 counter jump ssh
 
 {%- if ospf_ifaces %}
 
 		{#- ifname sets are introduced in nftables 2.11 #}
 
-		meta l4proto ospf iif { {{ ospf_ifaces|join(', ') }} } counter accept
 
+		meta l4proto ospf iifname { {{ ospf_ifaces|join(', ') }} } counter accept
 
 {%- endif %}
 
 {%- if 'router' in roles %}
 
 		tcp dport 179 counter jump bgp
 
@@ -121,9 +121,9 @@ table ip filter {
 
 	chain urpf {
 
   {%- for iface_cfg in urpf  %}
 
     {%- for pfx in iface_cfg[4] %}
 
-		iif {{ iface_cfg['iface'] }} ip saddr {{ pfx }} return
 
+		iifname {{ iface_cfg['iface'] }} ip saddr {{ pfx }} return
 
     {%- endfor %}
 
-		iif {{ iface_cfg['iface'] }} counter drop
 
+		iifname {{ iface_cfg['iface'] }} counter drop
 
   {%- endfor %}
 
 	}
 
 {%- endif %}
 
@@ -131,7 +131,7 @@ table ip filter {
 
 {%- if vxlan_ifaces %}
 
 	chain vxlan {
 
   {%- for iface in vxlan_ifaces %}
 
-		iif {{ iface }} accept
 
+		iifname {{ iface }} accept
 
   {%- endfor %}
 
 		counter drop
 
 	}
 
@@ -176,7 +176,7 @@ table ip6 filter {
 
 		tcp dport 22 counter jump ssh
 
 {%- if ospf_ifaces %}
 
 		{#- ifname sets are introduced in nftables 2.11 #}
 
-		meta l4proto ospf iif { {{ ospf_ifaces|join(', ') }} } counter accept
 
+		meta l4proto ospf iifname { {{ ospf_ifaces|join(', ') }} } counter accept
 
 {%- endif %}
 
 {%- if 'router' in roles %}
 
 		tcp dport 179 counter jump bgp
 
@@ -250,9 +250,9 @@ table ip6 filter {
 
 		ip6 saddr fe80::/64 return
 
   {%- for iface_cfg in urpf  %}
 
     {%- for pfx in iface_cfg[6] %}
 
-		iif {{ iface_cfg['iface'] }} ip6 saddr {{ pfx }} return
 
+		iifname {{ iface_cfg['iface'] }} ip6 saddr {{ pfx }} return
 
     {%- endfor %}
 
-		iif {{ iface_cfg['iface'] }} counter drop
 
+		iifname {{ iface_cfg['iface'] }} counter drop
 
   {%- endfor %}
 
 	}
 
 {%- endif %}
 
@@ -260,7 +260,7 @@ table ip6 filter {
 
 {%- if vxlan_ifaces %}
 
 	chain vxlan {
 
   {%- for iface in vxlan_ifaces %}
 
-		iif {{ iface }} accept
 
+		iifname {{ iface }} accept
 
   {%- endfor %}
 
 		counter drop
 
 	}