Best practices on iif usage at persistent ruleset

Best practices on iif usage at persistent ruleset

[Serg]

Hello netfilter community,

How do you deal with iif used at persistent ruleset? Personally, my 
issue is that VLAN device is not created at the moment when 
nftables.service is started on boot, thus the following error happens:

> Error: Interface does not exist

To solve this issue I use this systemd service override configuration:

> # /etc/systemd/system/nftables.service.d/override.conf
> # Configuring the nftables to start after the network has been started
> [Unit]
> Before=
> After=network-online.target

But are there any alternatives approaches to this issue?

I know that there is iifname as a safe alternative, but as far as I know 
it has huge performance drawback and thus its' usage is discouraged in 
my case.

Re: Best practices on iif usage at persistent ruleset

[George Shuklin]

I think, dependencies is the proper way. iif is just an integer (index), 
so kernel can't work with it when it's not present (and you usually 
can't predict the index of the given interface).
iffname does lookup, but it's slow.

On 03/07/2023 10:40, Serg wrote:
> Hello netfilter community,
>
> How do you deal with iif used at persistent ruleset? Personally, my 
> issue is that VLAN device is not created at the moment when 
> nftables.service is started on boot, thus the following error happens:
>
>> Error: Interface does not exist
>
> To solve this issue I use this systemd service override configuration:
>
>> # /etc/systemd/system/nftables.service.d/override.conf
>> # Configuring the nftables to start after the network has been started
>> [Unit]
>> Before=
>> After=network-online.target
>
> But are there any alternatives approaches to this issue?
>
> I know that there is iifname as a safe alternative, but as far as I 
> know it has huge performance drawback and thus its' usage is 
> discouraged in my case.

Re: Best practices on iif usage at persistent ruleset

[Florian Westphal]

Serg <seentr@at.encryp.ch> wrote:
> I know that there is iifname as a safe alternative, but as far as I know it
> has huge performance drawback and thus its' usage is discouraged in my case.

Not really. Its copy and compare 4 bytes vs. copy and compare 16 bytes.

Re: Best practices on iif usage at persistent ruleset

[George Shuklin]

On 03/07/2023 18:25, Florian Westphal wrote:
> Serg <seentr@at.encryp.ch> wrote:
>> I know that there is iifname as a safe alternative, but as far as I know it
>> has huge performance drawback and thus its' usage is discouraged in my case.
> Not really. Its copy and compare 4 bytes vs. copy and compare 16 bytes.

Is iface name lookup o(1)?

Re: Best practices on iif usage at persistent ruleset

[Florian Westphal]

George Shuklin <george.shuklin@gmail.com> wrote:
> On 03/07/2023 18:25, Florian Westphal wrote:
> > Serg <seentr@at.encryp.ch> wrote:
> > > I know that there is iifname as a safe alternative, but as far as I know it
> > > has huge performance drawback and thus its' usage is discouraged in my case.
> > Not really. Its copy and compare 4 bytes vs. copy and compare 16 bytes.
> 
> Is iface name lookup o(1)?

Yes, its just dev->name vs. dev->ifindex.