
nftables: Use iifname rather than iif.

  »iifname« will always evaluate the interface name (slower), whereas »iif«
  will look up the ifIndex once when loading rules and then use the ifIndex
  for lookups after that.  If the ifIndex changes over time this will fail.
  So we trade some filtering performance for rules that keep matching when the ifIndex changes.

Signed-off-by: Maximilian Wilhelm <max@sdn.clinic>
Maximilian Wilhelm 2 years ago
parent
commit
b515b6a04b
1 changed files with 8 additions and 8 deletions
  1. 8 8
      nftables/nftables.conf.tmpl

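--- a/nftables/nftables.conf.tmpl
+++ b/nftables/nftables.conf.tmpl
@@ -49,7 +49,7 @@ table ip filter {
 		tcp dport 22 counter jump ssh
 {%- if ospf_ifaces %}
 		{#- ifname sets are introduced in nftables 2.11 #}
-		meta l4proto ospf iif { {{ ospf_ifaces|join(', ') }} } counter accept
+		meta l4proto ospf iifname { {{ ospf_ifaces|join(', ') }} } counter accept
 {%- endif %}
 {%- if 'router' in roles %}
 		tcp dport 179 counter jump bgp
@@ -121,9 +121,9 @@ table ip filter {
 	chain urpf {
   {%- for iface_cfg in urpf  %}
     {%- for pfx in iface_cfg[4] %}
-		iif {{ iface_cfg['iface'] }} ip saddr {{ pfx }} return
+		iifname {{ iface_cfg['iface'] }} ip saddr {{ pfx }} return
     {%- endfor %}
-		iif {{ iface_cfg['iface'] }} counter drop
+		iifname {{ iface_cfg['iface'] }} counter drop
   {%- endfor %}
 	}
 {%- endif %}
@@ -131,7 +131,7 @@ table ip filter {
 {%- if vxlan_ifaces %}
 	chain vxlan {
   {%- for iface in vxlan_ifaces %}
-		iif {{ iface }} accept
+		iifname {{ iface }} accept
   {%- endfor %}
 		counter drop
 	}
@@ -176,7 +176,7 @@ table ip6 filter {
 		tcp dport 22 counter jump ssh
 {%- if ospf_ifaces %}
 		{#- ifname sets are introduced in nftables 2.11 #}
-		meta l4proto ospf iif { {{ ospf_ifaces|join(', ') }} } counter accept
+		meta l4proto ospf iifname { {{ ospf_ifaces|join(', ') }} } counter accept
 {%- endif %}
 {%- if 'router' in roles %}
 		tcp dport 179 counter jump bgp
@@ -250,9 +250,9 @@ table ip6 filter {
 		ip6 saddr fe80::/64 return
   {%- for iface_cfg in urpf  %}
     {%- for pfx in iface_cfg[6] %}
-		iif {{ iface_cfg['iface'] }} ip6 saddr {{ pfx }} return
+		iifname {{ iface_cfg['iface'] }} ip6 saddr {{ pfx }} return
     {%- endfor %}
-		iif {{ iface_cfg['iface'] }} counter drop
+		iifname {{ iface_cfg['iface'] }} counter drop
   {%- endfor %}
 	}
 {%- endif %}
@@ -260,7 +260,7 @@ table ip6 filter {
 {%- if vxlan_ifaces %}
 	chain vxlan {
   {%- for iface in vxlan_ifaces %}
-		iif {{ iface }} accept
+		iifname {{ iface }} accept
   {%- endfor %}
 		counter drop
 	}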
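Review bot: The uRPF chain now depends on `iifname` for its security property, but the template itself does not say why, so nothing stops a later "optimisation" back to `iif`; the rationale only lives in the commit message. With `iif`, an interface that is deleted and re-created (tunnels, VXLAN, PPP) gets a new ifindex and both `iif X ... return` and `iif X counter drop` silently stop matching, so packets from that interface run off the end of `chain urpf` — which, as far as the hunk shows, has no final drop — and the source-address check fails open, whereas `iifname` keeps matching by name. I would pin that down in the template next to the chain, e.g. `{#- iifname, not iif: iif binds the ifindex at load time and stops matching if the interface is re-created, which would bypass uRPF #}`. Two smaller points: interface names that are not plain identifiers (e.g. containing dots) may need quoting for nft to parse them (`iifname "{{ iface_cfg['iface'] }}"`) — worth checking against the nft version in use — and the unchanged comment `ifname sets are introduced in nftables 2.11` does not match nftables' release numbering, so the version it refers to should be verified. Both filter tables and the chains they contain extend outside the hunks.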