-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Wed, Jun 05, 2024 at 06:33:42PM +0200, Ben Grande wrote:
> Hello qubes-devel,
> 
> Is it worth looking into improving QubesOS NFTables rule matching
> speed? In order of speed: `if` > `ifgroup` > `ifname` (output and
> input). Qubes uses a mix of them. Would work on changing the
> rules to have faster matching be worth it?
> 
> Some rules matching 'iifname "vif*"' could be changed to 'iifgroup 2'.
> 
> Rules of a netvm:
> 
>       $ sudo nft -s list ruleset  | grep iif
> 
>       iifgroup 2 goto antispoof
>       iifname . ip saddr @allowed accept
>       iifgroup 2 udp dport 68 counter drop
>       iifgroup 2 meta l4proto icmp accept
>       iif "lo" accept
>       iifgroup 2 counter reject with icmp host-prohibited
>       iifname . ip6 saddr @allowed accept
>       iifgroup 2 goto antispoof
>       iifgroup 2 goto _icmpv6
>       iif "lo" accept
>       iifname != "vif*" accept
>       iifname != "vif*" ip saddr { 10.137.0.67, 10.137.0.90, 10.138.35.169, 
> 10.138.38.234 } drop
>       iifname != "vif*" accept
>       meta l4proto { tcp, udp } iifgroup 2 oifgroup 1 flow add @qubes-accel

Take a look at the "Firewall antispoofing in ingress hook" thread, it
goes even further for some parts.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAmZglAYACgkQ24/THMrX
1yzlSQf/aQc8SkF4Ijy3Jz300HNdMvQbmKufzh4qSokRKWbySRJgVOtDWhMNMDCG
h8QMExbgLJm8/sUIJvmhjACCyTsV76UGbpgA8RST7gxXTrK+7yJTZ8rCuUNhZXpU
+VFHRZun/agBMK/WiVW8IrksBz80oQ48XGU/IexQaLCS9meQrm+ydEn0E72hHA3u
osNxwKZoLjDkq7An+a74er/vgCdKFRp7rQWupsq7gPyI+eBa3CMMumMlSZSHSDhB
T1pd5ykzTIREZUO7GBQ+rZPjgSlBU1EaQm2UNlXKVSukBtQqzj6U8pp01ebFs/PH
p92Lj179p2jB3Z+XDEodhtsyiUekxw==
=SyDH
-----END PGP SIGNATURE-----

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-devel/ZmCUBma0HJIcMOgN%40mail-itl.

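The rules quoted above still match vif interfaces by name glob (`iifname "vif*"`) in a few places. The script below is an added example, not code from Qubes or from either poster: it rewrites the `vif*` name-glob matches in an `nft -s list ruleset` dump into `iifgroup`/`oifgroup 2` matches, counts how many glob matches a ruleset still contains, and shows the device-group assignment those rules depend on. Group 2 for vif and group 1 for the upstream interface are taken from the quoted rules; the sample rules, the udev rule text and the table name are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Qubes code): convert vif* name-glob matches into
# interface-group matches and show what that conversion depends on.
# Assumptions: vif devices carry group 2 and the upstream interface group 1
# (as in the quoted ruleset); the udev rule and table name are illustrative.
set -eu

# Constructed sample in the shape of the quoted `nft -s list ruleset` output
# (not a dump from a real netvm).
SAMPLE_RULES='iifname != "vif*" accept
iifname != "vif*" ip saddr { 10.137.0.67, 10.137.0.90 } drop
iifname "vif*" udp dport 68 counter drop
iif "lo" accept
oifname "vif*" accept'

# Rewrite iifname/oifname "vif*" globs (a string compare against the device
# name) into iifgroup/oifgroup 2 (an integer compare against the device
# group). Only the "vif*" glob is touched; exact names such as "lo" and
# index matches (iif/oif without "name") are left alone.
rewrite_vif_globs() {
    sed -E -e 's/(iif|oif)name != "vif\*"/\1group != 2/g' \
           -e 's/(iif|oif)name "vif\*"/\1group 2/g'
}

# Count rules that still match an interface by name glob. On a real netvm:
#   nft -s list ruleset | slow_iface_matches
slow_iface_matches() {
    grep -c -E '(iif|oif)name (!= )?"[^"]*\*"' || true
}

# Group matching only works if every vif is put into group 2 when it is
# created, before any packet hits the rules. Assumed udev rule (illustrative;
# Qubes ships its own way of doing this).
vif_group_udev_rule() {
    cat <<'EOF'
SUBSYSTEM=="net", ACTION=="add", KERNEL=="vif*", RUN+="/sbin/ip link set dev %k group 2"
SUBSYSTEM=="net", ACTION=="add", KERNEL=="eth*", RUN+="/sbin/ip link set dev %k group 1"
EOF
}

# Wrap the rewritten rules in a throwaway table (name is an assumption) so
# `nft -c` can syntax-check them. The check runs only when nft is installed
# and we are root; otherwise the ruleset is just printed.
check_ruleset() {
    rules=$(printf '%s\n' "$SAMPLE_RULES" | rewrite_vif_globs | sed 's/^/        /')
    ruleset="table ip example_netvm {
    chain forward {
        type filter hook forward priority 0; policy drop;
$rules
    }
}"
    if command -v nft >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        printf '%s\n' "$ruleset" | nft -c -f -
    else
        printf '%s\n' "$ruleset"
    fi
}

# Stand-alone run: before/after, the group assignment, and the check.
printf '%s\n' "$SAMPLE_RULES" | rewrite_vif_globs
vif_group_udev_rule
check_ruleset
```

Two caveats a practitioner will want before applying this to a real netvm. First, `iif`/`oif` (the fastest of the three) compares an ifindex, so the interface must exist when the rule is loaded and the rule goes stale when that vif is torn down at VM shutdown; that is why group matching, not index matching, is the practical replacement for `"vif*"` on dynamically created interfaces. Second, the rewrite is only safe if the group really is set on every vif at creation time: check with `ip -o link show group 2` before and after starting a qube, and keep the name-glob rule if any vif shows up outside the group.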