Could firewall4 use iif/oif instead of iifname/oifname?
I've noticed that all the firewall4 entries except for link-local use iifname/oifname which does a string comparison and is resource intensive. Wouldn't it be possible for firewall4 to use iif/oif exclusively given that it reloads automatically on any interface change?
Certainly when any offload is enabled, as that is bound to interface id.
Certainly not with interfaces matched by wildcard.
Maybe not - if users make iif in ruleset insert then fw4 glitches at boot when matched interface is not yet present.
When an interface is removed, a reload is not triggered (probably a bug).
It's not an issue though, in that case the ifindex will just be unused/have no effect.
Pragmatically have to expand wildcards in scripts to jump the barrier. Anyway you can reload for (performance) testing.
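#!/bin/ash -x
# Dump the live fw4 table, rewrite iifname/oifname to iif/oif, and load it back.
A=$(mktemp)
# Flush first so the reloaded rules replace the existing ones instead of being appended.
echo flush table inet fw4 > "$A"
nft list table inet fw4 | sed s/ifname/if/g >> "$A"
# Dry-run with -c; only apply when the rewritten ruleset validates.
nft -c -o -f "$A" && nft -o -f "$A"
rm "$A"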
(I tagged you in forum)
I don't have an account on forum.
Pragmatically have to expand wildcards in scripts to jump the barrier. Anyway you can reload for (performance) testing.
#!/bin/ash -x
A=`mktemp`
echo flush table inet fw4 > $A
nft list table inet fw4 | sed s/ifname/if/g >> $A
nft -c -o -f $A && nft -o -f $A
rm $A
You don't need to do this. You can just edit all the .uc templates, find and replace iifname/oifname to iif/oif. After fw4 reload it will work immediately and seems like all is well.
Antithesis for simple sed -i (I'd have done it by now if it was that simple)
table inet t {
    chain c {
        iif "lo*"
    }
}
Formal reference https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes#Meta
@brada4 Just use for x in /usr/share/firewall4/templates/*.uc; do sed -i $x -e 's|ifname |if |g' -e 's|ifname"|if"|g'; done.
That breaks wildcard interface test case....
It's just for testing the idea out on typical installs that don't need that.
Mine is kind of with safety pillow for any unmodified install....
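A conversion pass that keeps the wildcard case from this thread intact, as an added example that is not code from any participant or from firewall4: it rewrites `iifname`/`oifname` to `iif`/`oif` only when every matched name is a literal interface that currently exists, and leaves wildcards such as `"lo*"` and absent interfaces on the string match. The function name `ifname_to_if` and passing the interface list as an argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of fw4).
# Reads nft ruleset text on stdin and prints it with iifname/oifname turned
# into iif/oif wherever that is safe.
# $1: space-separated names of interfaces that exist right now, e.g.
#     nft list table inet fw4 | ifname_to_if "$(ls /sys/class/net | xargs)"
ifname_to_if() {
    awk -v present="$1" '
    BEGIN { n = split(present, p, " "); for (i = 1; i <= n; i++) have[p[i]] = 1 }

    # True when every quoted name in s is a literal, existing interface.
    function convertible(s,   rest, name) {
        rest = s
        while (match(rest, /"[^"]*"/)) {
            name = substr(rest, RSTART + 1, RLENGTH - 2)
            # A wildcard or a missing interface has no ifindex to bind to.
            if (index(name, "*") || !(name in have)) return 0
            rest = substr(rest, RSTART + RLENGTH)
        }
        return 1
    }

    {
        out = ""; rest = $0
        # Operand is one quoted name or an anonymous set { "a", "b" };
        # anything else (vmap, named sets) is left untouched.
        while (match(rest, /[io]ifname( !=)? ("[^"]*"|\{[^}]*\})/)) {
            m = substr(rest, RSTART, RLENGTH)
            if (convertible(m)) sub(/ifname/, "if", m)
            out = out substr(rest, 1, RSTART - 1) m
            rest = substr(rest, RSTART + RLENGTH)
        }
        print out rest
    }'
}
```

As with the script earlier in the thread, validate the output with `nft -c -f` before loading it.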