Best practices on iif usage at persistent ruleset

Linux Netfilter discussions
 help / color / mirror / Atom feed

* Best practices on iif usage at persistent ruleset
@ 2023-07-03  7:40 Serg
  2023-07-03 14:04 ` George Shuklin
  2023-07-03 15:25 ` Florian Westphal
  0 siblings, 2 replies; 5+ messages in thread
From: Serg @ 2023-07-03  7:40 UTC (permalink / raw)
  To: netfilter

Hello netfilter community,

How do you deal with iif used at persistent ruleset? Personally, my 
issue is that VLAN device is not created at the moment when 
nftables.service is started on boot, thus the following error happens:

> Error: Interface does not exist

To solve this issue I use this systemd service override configuration:

> # /etc/systemd/system/nftables.service.d/override.conf
> # Configuring the nftables to start after the network has been started
> [Unit]
> Before=
> After=network-online.target

But are there any alternatives approaches to this issue?

I know that there is iifname as a safe alternative, but as far as I know 
it has huge performance drawback and thus its' usage is discouraged in 
my case.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Best practices on iif usage at persistent ruleset
  2023-07-03  7:40 Best practices on iif usage at persistent ruleset Serg
@ 2023-07-03 14:04 ` George Shuklin
  2023-07-03 15:25 ` Florian Westphal
  1 sibling, 0 replies; 5+ messages in thread
From: George Shuklin @ 2023-07-03 14:04 UTC (permalink / raw)
  To: Serg, netfilter

I think, dependencies is the proper way. iif is just an integer (index), 
so kernel can't work with it when it's not present (and you usually 
can't predict the index of the given interface).
iffname does lookup, but it's slow.

On 03/07/2023 10:40, Serg wrote:
> Hello netfilter community,
>
> How do you deal with iif used at persistent ruleset? Personally, my 
> issue is that VLAN device is not created at the moment when 
> nftables.service is started on boot, thus the following error happens:
>
>> Error: Interface does not exist
>
> To solve this issue I use this systemd service override configuration:
>
>> # /etc/systemd/system/nftables.service.d/override.conf
>> # Configuring the nftables to start after the network has been started
>> [Unit]
>> Before=
>> After=network-online.target
>
> But are there any alternatives approaches to this issue?
>
> I know that there is iifname as a safe alternative, but as far as I 
> know it has huge performance drawback and thus its' usage is 
> discouraged in my case.



^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Best practices on iif usage at persistent ruleset
  2023-07-03  7:40 Best practices on iif usage at persistent ruleset Serg
  2023-07-03 14:04 ` George Shuklin
@ 2023-07-03 15:25 ` Florian Westphal
  2023-07-04 13:04   ` George Shuklin
  1 sibling, 1 reply; 5+ messages in thread
From: Florian Westphal @ 2023-07-03 15:25 UTC (permalink / raw)
  To: Serg; +Cc: netfilter

Serg <seentr@at.encryp.ch> wrote:
> I know that there is iifname as a safe alternative, but as far as I know it
> has huge performance drawback and thus its' usage is discouraged in my case.

Not really. Its copy and compare 4 bytes vs. copy and compare 16 bytes.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Best practices on iif usage at persistent ruleset
  2023-07-03 15:25 ` Florian Westphal
@ 2023-07-04 13:04   ` George Shuklin
  2023-07-04 13:09     ` Florian Westphal
  0 siblings, 1 reply; 5+ messages in thread
From: George Shuklin @ 2023-07-04 13:04 UTC (permalink / raw)
  To: Florian Westphal, Serg; +Cc: netfilter

On 03/07/2023 18:25, Florian Westphal wrote:
> Serg <seentr@at.encryp.ch> wrote:
>> I know that there is iifname as a safe alternative, but as far as I know it
>> has huge performance drawback and thus its' usage is discouraged in my case.
> Not really. Its copy and compare 4 bytes vs. copy and compare 16 bytes.

Is iface name lookup o(1)?


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Best practices on iif usage at persistent ruleset
  2023-07-04 13:04   ` George Shuklin
@ 2023-07-04 13:09     ` Florian Westphal
  0 siblings, 0 replies; 5+ messages in thread
From: Florian Westphal @ 2023-07-04 13:09 UTC (permalink / raw)
  To: George Shuklin; +Cc: Florian Westphal, Serg, netfilter

George Shuklin <george.shuklin@gmail.com> wrote:
> On 03/07/2023 18:25, Florian Westphal wrote:
> > Serg <seentr@at.encryp.ch> wrote:
> > > I know that there is iifname as a safe alternative, but as far as I know it
> > > has huge performance drawback and thus its' usage is discouraged in my case.
> > Not really. Its copy and compare 4 bytes vs. copy and compare 16 bytes.
> 
> Is iface name lookup o(1)?

Yes, its just dev->name vs. dev->ifindex.

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2023-07-04 13:09 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-07-03  7:40 Best practices on iif usage at persistent ruleset Serg
2023-07-03 14:04 ` George Shuklin
2023-07-03 15:25 ` Florian Westphal
2023-07-04 13:04   ` George Shuklin
2023-07-04 13:09     ` Florian Westphal

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox