Hello qubes-devel,

Is it worth looking into improving the QubesOS nftables rule matching speed? In order of speed: `if` > `ifgroup` > `ifname` (output and input). Qubes uses a mix of them. Would work on changing the rules to have faster matching be worth it? Some rules matching 'iifname "vif*"' could be changed to 'iifgroup 2'.

Rules of a netvm:

$ sudo nft -s list ruleset | grep iif
iifgroup 2 goto antispoof
iifname . ip saddr @allowed accept
iifgroup 2 udp dport 68 counter drop
iifgroup 2 meta l4proto icmp accept
iif "lo" accept
iifgroup 2 counter reject with icmp host-prohibited
iifname . ip6 saddr @allowed accept
iifgroup 2 goto antispoof
iifgroup 2 goto _icmpv6
iif "lo" accept
iifname != "vif*" accept
iifname != "vif*" ip saddr { 10.137.0.67, 10.137.0.90, 10.138.35.169, 10.138.38.234 } drop
iifname != "vif*" accept
meta l4proto { tcp, udp } iifgroup 2 oifgroup 1 flow add @qubes-accel

--
Benjamin Grande
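The following ruleset is an added illustration of the rewrite the post proposes; it is not code from the post or from the Qubes firewall itself. It shows the three `iifname != "vif*"` rules from the grep output next to their `iifgroup` equivalents in a throwaway table (`example_forward`, constructed for this example, with constructed addresses). The equivalence holds only under the assumption that every `vif*` device has been placed in interface group 2 (the post's own ruleset already uses `iifgroup 2` where vif interfaces are meant) and that no other device shares that group; otherwise `iifgroup != 2` matches a different set of interfaces than `iifname != "vif*"`.

```nft
# Added example, not Qubes' own firewall code.
# Assumption: all vif* devices are in interface group 2 and nothing else is,
# e.g. assigned at interface creation with: ip link set dev <vif> group 2
table ip example_forward {
    # Constructed addresses standing in for the per-VM block list in the post.
    set blocked {
        type ipv4_addr
        elements = { 10.137.0.67, 10.137.0.90 }
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Before: wildcard string compare on the interface name per packet.
        #   iifname != "vif*" accept
        # After: single integer compare on the interface's group id.
        iifgroup != 2 accept

        # Before:
        #   iifname != "vif*" ip saddr { 10.137.0.67, 10.137.0.90 } drop
        # After: same group match, then the set lookup.
        iifgroup != 2 ip saddr @blocked drop

        # Before:
        #   iifname != "vif*" accept
        # After:
        iifgroup != 2 accept
    }
}
```

Load the file with `nft -f` (or `nft -c -f` to syntax-check it without applying), and verify the interface-to-group mapping with `ip -d link show` before relying on the group match: a vif that is not in group 2 would fall through the group-based rules as if it were an upstream interface, so a check on the mapping is the safety condition for the rewrite, not an optional step.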