ruleset: reduce ksoftirqd load by refering to looopback by numeric id

Reduce ksoftirq load by half using more efficient reference to loopback
which always has index equal to one.

Should help a lot with openwrt/openwrt#12914, openwrt/openwrt#12121 and
similar iperf3 cases clamping against 100% CPU usage.

Signed-off-by: Andris PE <neandris@gmail.com>
[fix S-o-b tag, fix commit author, rewrap commit message]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

diff --git a/root/usr/share/firewall4/templates/ruleset.uc b/root/usr/share/firewall4/templates/ruleset.uc
index f7c93fc47077de547be0315c75db230a0a2fffea..4210d64461f2861b6972b609a6e575111c26753f 100644 (file)
--- a/root/usr/share/firewall4/templates/ruleset.uc
+++ b/root/usr/share/firewall4/templates/ruleset.uc
@@ -112,7 +112,7 @@ table inet fw4 {
        chain input {
                type filter hook input priority filter; policy {{ fw4.input_policy(true) }};
 
-               iifname "lo" accept comment "!fw4: Accept traffic from loopback"
+               iif "lo" accept comment "!fw4: Accept traffic from loopback"
 
 {% fw4.includes('chain-prepend', 'input') %}
                ct state vmap { established : accept, related : accept{% if (fw4.default_option("drop_invalid")): %}, invalid : drop{% endif %} } comment "!fw4: Handle inbound flows"
@@ -154,7 +154,7 @@ table inet fw4 {
        chain output {
                type filter hook output priority filter; policy {{ fw4.output_policy(true) }};
 
-               oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
+               oif "lo" accept comment "!fw4: Accept traffic towards loopback"
 
 {% fw4.includes('chain-prepend', 'output') %}
                ct state vmap { established : accept, related : accept{% if (fw4.default_option("drop_invalid")): %}, invalid : drop{% endif %} } comment "!fw4: Handle outbound flows"

diff --git a/tests/01_configuration/01_ruleset b/tests/01_configuration/01_ruleset
index 6a30d2209974dfb408d1a85713219a3f9f47c107..c1a12c7ad91e642b2da8f5db22197332c3ba519b 100644 (file)
--- a/tests/01_configuration/01_ruleset
+++ b/tests/01_configuration/01_ruleset
@@ -110,7 +110,7 @@ table inet fw4 {
        chain input {
                type filter hook input priority filter; policy drop;
 
-               iifname "lo" accept comment "!fw4: Accept traffic from loopback"
+               iif "lo" accept comment "!fw4: Accept traffic from loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
                tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "!fw4: Rate limit TCP syn packets"
@@ -132,7 +132,7 @@ table inet fw4 {
        chain output {
                type filter hook output priority filter; policy accept;
 
-               oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
+               oif "lo" accept comment "!fw4: Accept traffic towards loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                meta l4proto tcp counter comment "!fw4: Test-Deprecated-Rule-Option"

diff --git a/tests/01_configuration/02_rule_order b/tests/01_configuration/02_rule_order
index 7b62d682cd106f8929a7b5bb39d0e616f7b5f6f6..c5c52a463cb36e6753a8fc7faef40137655b2873 100644 (file)
--- a/tests/01_configuration/02_rule_order
+++ b/tests/01_configuration/02_rule_order
@@ -91,7 +91,7 @@ table inet fw4 {
        chain input {
                type filter hook input priority filter; policy drop;
 
-               iifname "lo" accept comment "!fw4: Accept traffic from loopback"
+               iif "lo" accept comment "!fw4: Accept traffic from loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
                iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
@@ -109,7 +109,7 @@ table inet fw4 {
        chain output {
                type filter hook output priority filter; policy drop;
 
-               oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
+               oif "lo" accept comment "!fw4: Accept traffic towards loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"

diff --git a/tests/02_zones/01_policies b/tests/02_zones/01_policies
index 572086e14ebfdbc0c3133a2509cda3774b3aa7f8..e956ad4e321b29330341138c67538b6305777e05 100644 (file)
--- a/tests/02_zones/01_policies
+++ b/tests/02_zones/01_policies
@@ -93,7 +93,7 @@ table inet fw4 {
        chain input {
                type filter hook input priority filter; policy drop;
 
-               iifname "lo" accept comment "!fw4: Accept traffic from loopback"
+               iif "lo" accept comment "!fw4: Accept traffic from loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
                iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic"
@@ -113,7 +113,7 @@ table inet fw4 {
        chain output {
                type filter hook output priority filter; policy drop;
 
-               oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
+               oif "lo" accept comment "!fw4: Accept traffic towards loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic"

diff --git a/tests/02_zones/02_masq b/tests/02_zones/02_masq
index 35d3cbc3dac4ea8defa93a16cb426a249fe5b3b6..aedc9bdbcabf9729f7ab29a78cadf22d0d75c97c 100644 (file)
--- a/tests/02_zones/02_masq
+++ b/tests/02_zones/02_masq
@@ -97,7 +97,7 @@ table inet fw4 {
        chain input {
                type filter hook input priority filter; policy drop;
 
-               iifname "lo" accept comment "!fw4: Accept traffic from loopback"
+               iif "lo" accept comment "!fw4: Accept traffic from loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
                iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic"
@@ -117,7 +117,7 @@ table inet fw4 {
        chain output {
                type filter hook output priority filter; policy drop;
 
-               oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
+               oif "lo" accept comment "!fw4: Accept traffic towards loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic"

diff --git a/tests/02_zones/03_masq_src_dest_restrictions b/tests/02_zones/03_masq_src_dest_restrictions
index 51e05db2b44dc7581369d94c62d493d1bd57b362..e1736010a46e9947994c49b943406bb760b841cd 100644 (file)
--- a/tests/02_zones/03_masq_src_dest_restrictions
+++ b/tests/02_zones/03_masq_src_dest_restrictions
@@ -120,7 +120,7 @@ table inet fw4 {
        chain input {
                type filter hook input priority filter; policy drop;
 
-               iifname "lo" accept comment "!fw4: Accept traffic from loopback"
+               iif "lo" accept comment "!fw4: Accept traffic from loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
                iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic"
@@ -138,7 +138,7 @@ table inet fw4 {
        chain output {
                type filter hook output priority filter; policy drop;
 
-               oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
+               oif "lo" accept comment "!fw4: Accept traffic towards loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic"

diff --git a/tests/02_zones/04_masq_allow_invalid b/tests/02_zones/04_masq_allow_invalid
index bdda791d85d70f73b7788ec91c4fa739f96e893b..d5d1ccf122cc55050e06c0dccbe64626f394ee02 100644 (file)
--- a/tests/02_zones/04_masq_allow_invalid
+++ b/tests/02_zones/04_masq_allow_invalid
@@ -69,7 +69,7 @@ table inet fw4 {
        chain input {
                type filter hook input priority filter; policy drop;
 
-               iifname "lo" accept comment "!fw4: Accept traffic from loopback"
+               iif "lo" accept comment "!fw4: Accept traffic from loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
                iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic"
@@ -85,7 +85,7 @@ table inet fw4 {
        chain output {
                type filter hook output priority filter; policy drop;
 
-               oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
+               oif "lo" accept comment "!fw4: Accept traffic towards loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic"

diff --git a/tests/02_zones/04_wildcard_devices b/tests/02_zones/04_wildcard_devices
index 22c2183f3b97bc68ef96e533d1a01784a804327f..5e6809a2497c5e84dd6d319434f148c706f8f51e 100644 (file)
--- a/tests/02_zones/04_wildcard_devices
+++ b/tests/02_zones/04_wildcard_devices
@@ -120,7 +120,7 @@ table inet fw4 {
        chain input {
                type filter hook input priority filter; policy drop;
 
-               iifname "lo" accept comment "!fw4: Accept traffic from loopback"
+               iif "lo" accept comment "!fw4: Accept traffic from loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
                jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic"
@@ -152,7 +152,7 @@ table inet fw4 {
        chain output {
                type filter hook output priority filter; policy drop;
 
-               oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
+               oif "lo" accept comment "!fw4: Accept traffic towards loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic"

diff --git a/tests/02_zones/05_subnet_mask_matches b/tests/02_zones/05_subnet_mask_matches
index a66ad736ef3da7d6e7d4132f90b6a13b823e5949..55c5635512a5299d3516b0a2e9ab1899ef92011d 100644 (file)
--- a/tests/02_zones/05_subnet_mask_matches
+++ b/tests/02_zones/05_subnet_mask_matches
@@ -79,7 +79,7 @@ table inet fw4 {
        chain input {
                type filter hook input priority filter; policy drop;
 
-               iifname "lo" accept comment "!fw4: Accept traffic from loopback"
+               iif "lo" accept comment "!fw4: Accept traffic from loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
                meta nfproto ipv6 ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::2 jump input_test1 comment "!fw4: Handle test1 IPv6 input traffic"
@@ -101,7 +101,7 @@ table inet fw4 {
        chain output {
                type filter hook output priority filter; policy drop;
 
-               oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
+               oif "lo" accept comment "!fw4: Accept traffic towards loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                meta nfproto ipv6 ip6 daddr & ::ffff == ::1 ip6 daddr & ::ffff != ::2 jump output_test1 comment "!fw4: Handle test1 IPv6 output traffic"

diff --git a/tests/02_zones/06_family_selections b/tests/02_zones/06_family_selections
index 28a4894ae3e01daa8cf6654eeb46f5399320863b..d766be7fe1ac3ca17baf14815421144de62faedb 100644 (file)
--- a/tests/02_zones/06_family_selections
+++ b/tests/02_zones/06_family_selections
@@ -134,7 +134,7 @@ table inet fw4 {
        chain input {
                type filter hook input priority filter; policy drop;
 
-               iifname "lo" accept comment "!fw4: Accept traffic from loopback"
+               iif "lo" accept comment "!fw4: Accept traffic from loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
                meta nfproto ipv4 ip saddr 10.0.0.0/8 jump input_test1 comment "!fw4: Handle test1 IPv4 input traffic"
@@ -160,7 +160,7 @@ table inet fw4 {
        chain output {
                type filter hook output priority filter; policy drop;
 
-               oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
+               oif "lo" accept comment "!fw4: Accept traffic towards loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                meta nfproto ipv4 ip daddr 10.0.0.0/8 jump output_test1 comment "!fw4: Handle test1 IPv4 output traffic"

diff --git a/tests/02_zones/07_helpers b/tests/02_zones/07_helpers
index 363aff17342dabbbfa95cf30948f61e174dda8da..e4955a1f88594865e920ee8abb3b47679b5cb594 100644 (file)
--- a/tests/02_zones/07_helpers
+++ b/tests/02_zones/07_helpers
@@ -166,7 +166,7 @@ table inet fw4 {
        chain input {
                type filter hook input priority filter; policy drop;
 
-               iifname "lo" accept comment "!fw4: Accept traffic from loopback"
+               iif "lo" accept comment "!fw4: Accept traffic from loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
                iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic"
@@ -188,7 +188,7 @@ table inet fw4 {
        chain output {
                type filter hook output priority filter; policy drop;
 
-               oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
+               oif "lo" accept comment "!fw4: Accept traffic towards loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic"

diff --git a/tests/03_rules/01_direction b/tests/03_rules/01_direction
index 4a7ba42a3276b9f1f96335a102ca893dd66767d8..535ffcb6673538cf9680c009b6b55eaa15c414f9 100644 (file)
--- a/tests/03_rules/01_direction
+++ b/tests/03_rules/01_direction
@@ -69,7 +69,7 @@ table inet fw4 {
        chain input {
                type filter hook input priority filter; policy drop;
 
-               iifname "lo" accept comment "!fw4: Accept traffic from loopback"
+               iif "lo" accept comment "!fw4: Accept traffic from loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
                counter comment "!fw4: @rule[1]"
@@ -85,7 +85,7 @@ table inet fw4 {
        chain output {
                type filter hook output priority filter; policy drop;
 
-               oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
+               oif "lo" accept comment "!fw4: Accept traffic towards loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                counter comment "!fw4: @rule[0]"

diff --git a/tests/03_rules/02_enabled b/tests/03_rules/02_enabled
index ae2f424ca935939d4a8f6b8f34d4f13c1af5c9cd..9c14ed9cf9818fb7d2ae098e6dcecf7e209349e2 100644 (file)
--- a/tests/03_rules/02_enabled
+++ b/tests/03_rules/02_enabled
@@ -66,7 +66,7 @@ table inet fw4 {
        chain input {
                type filter hook input priority filter; policy drop;
 
-               iifname "lo" accept comment "!fw4: Accept traffic from loopback"
+               iif "lo" accept comment "!fw4: Accept traffic from loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
        }
@@ -80,7 +80,7 @@ table inet fw4 {
        chain output {
                type filter hook output priority filter; policy drop;
 
-               oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
+               oif "lo" accept comment "!fw4: Accept traffic towards loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                counter comment "!fw4: Implicitly enabled"

diff --git a/tests/03_rules/03_constraints b/tests/03_rules/03_constraints
index eb3272fb41d7d2039ac5fccf868a737c41d3afa7..76f4c0c8bfd37044cc1c1bc94ec89d712dea6775 100644 (file)
--- a/tests/03_rules/03_constraints
+++ b/tests/03_rules/03_constraints
@@ -105,7 +105,7 @@ table inet fw4 {
        chain input {
                type filter hook input priority filter; policy drop;
 
-               iifname "lo" accept comment "!fw4: Accept traffic from loopback"
+               iif "lo" accept comment "!fw4: Accept traffic from loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
        }
@@ -119,7 +119,7 @@ table inet fw4 {
        chain output {
                type filter hook output priority filter; policy drop;
 
-               oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
+               oif "lo" accept comment "!fw4: Accept traffic towards loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                meta nfproto ipv4 ip dscp 0x0 counter comment "!fw4: DSCP match rule #1"

diff --git a/tests/03_rules/04_icmp b/tests/03_rules/04_icmp
index b70d1027c3f460fa646de13e351dee5726c749d5..f9eec479f5a6194e7e939b638ee1e1ba38a6fd5d 100644 (file)
--- a/tests/03_rules/04_icmp
+++ b/tests/03_rules/04_icmp
@@ -75,7 +75,7 @@ table inet fw4 {
        chain input {
                type filter hook input priority filter; policy drop;
 
-               iifname "lo" accept comment "!fw4: Accept traffic from loopback"
+               iif "lo" accept comment "!fw4: Accept traffic from loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
        }
@@ -89,7 +89,7 @@ table inet fw4 {
        chain output {
                type filter hook output priority filter; policy drop;
 
-               oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
+               oif "lo" accept comment "!fw4: Accept traffic towards loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                meta l4proto { "icmp", "ipv6-icmp" } counter comment "!fw4: ICMP rule #1"

diff --git a/tests/03_rules/05_mangle b/tests/03_rules/05_mangle
index e1d27e31cce51e8de8f11e69569748a49b4bfc9b..fbb8141c8a0fc17b5934272c7a2f3a4f94c885f2 100644 (file)
--- a/tests/03_rules/05_mangle
+++ b/tests/03_rules/05_mangle
@@ -176,7 +176,7 @@ table inet fw4 {
        chain input {
                type filter hook input priority filter; policy drop;
 
-               iifname "lo" accept comment "!fw4: Accept traffic from loopback"
+               iif "lo" accept comment "!fw4: Accept traffic from loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
                iifname { "eth0", "eth1" } jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
@@ -194,7 +194,7 @@ table inet fw4 {
        chain output {
                type filter hook output priority filter; policy drop;
 
-               oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
+               oif "lo" accept comment "!fw4: Accept traffic towards loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                oifname { "eth0", "eth1" } jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"

diff --git a/tests/03_rules/06_subnet_mask_matches b/tests/03_rules/06_subnet_mask_matches
index 0bedf5073c7045cb0025cff81614f45166c78c76..b397066ca25e0d95017cec93c68ae4eb1cc09b9f 100644 (file)
--- a/tests/03_rules/06_subnet_mask_matches
+++ b/tests/03_rules/06_subnet_mask_matches
@@ -131,7 +131,7 @@ table inet fw4 {
        chain input {
                type filter hook input priority filter; policy drop;
 
-               iifname "lo" accept comment "!fw4: Accept traffic from loopback"
+               iif "lo" accept comment "!fw4: Accept traffic from loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
                iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
@@ -151,7 +151,7 @@ table inet fw4 {
        chain output {
                type filter hook output priority filter; policy drop;
 
-               oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
+               oif "lo" accept comment "!fw4: Accept traffic towards loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                ip6 saddr & ::ffff == ::1 ip6 daddr & ::ffff != ::2 counter comment "!fw4: Mask rule #1"

diff --git a/tests/03_rules/07_redirect b/tests/03_rules/07_redirect
index 80a9773c1f5d39b5565d980488edeb8052135d4f..80e24bba4d795fa17439f00495096f07c1287d18 100644 (file)
--- a/tests/03_rules/07_redirect
+++ b/tests/03_rules/07_redirect
@@ -163,7 +163,7 @@ table inet fw4 {
        chain input {
                type filter hook input priority filter; policy drop;
 
-               iifname "lo" accept comment "!fw4: Accept traffic from loopback"
+               iif "lo" accept comment "!fw4: Accept traffic from loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
                iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
@@ -183,7 +183,7 @@ table inet fw4 {
        chain output {
                type filter hook output priority filter; policy drop;
 
-               oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
+               oif "lo" accept comment "!fw4: Accept traffic towards loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"

diff --git a/tests/03_rules/08_family_inheritance b/tests/03_rules/08_family_inheritance
index b275ca6291c8b3a254258c7e6183ecdbe60c272c..679f3b91e2d1c0aa4f5fab373694d43f9d99304b 100644 (file)
--- a/tests/03_rules/08_family_inheritance
+++ b/tests/03_rules/08_family_inheritance
@@ -200,7 +200,7 @@ table inet fw4 {
        chain input {
                type filter hook input priority filter; policy drop;
 
-               iifname "lo" accept comment "!fw4: Accept traffic from loopback"
+               iif "lo" accept comment "!fw4: Accept traffic from loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
                meta nfproto ipv4 ip saddr 192.168.1.0/24 jump input_ipv4only comment "!fw4: Handle ipv4only IPv4 input traffic"
@@ -216,7 +216,7 @@ table inet fw4 {
        chain output {
                type filter hook output priority filter; policy drop;
 
-               oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
+               oif "lo" accept comment "!fw4: Accept traffic towards loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                meta nfproto ipv4 ip daddr 192.168.1.0/24 jump output_ipv4only comment "!fw4: Handle ipv4only IPv4 output traffic"

diff --git a/tests/03_rules/09_time b/tests/03_rules/09_time
index cba19145cfe5b1efd487d6364c6ad3db38523b8f..63c7724751925c19c816895f7b7064ebe8ca913b 100644 (file)
--- a/tests/03_rules/09_time
+++ b/tests/03_rules/09_time
@@ -137,7 +137,7 @@ table inet fw4 {
        chain input {
                type filter hook input priority filter; policy drop;
 
-               iifname "lo" accept comment "!fw4: Accept traffic from loopback"
+               iif "lo" accept comment "!fw4: Accept traffic from loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
        }
@@ -151,7 +151,7 @@ table inet fw4 {
        chain output {
                type filter hook output priority filter; policy drop;
 
-               oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
+               oif "lo" accept comment "!fw4: Accept traffic towards loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                meta time >= "2022-05-30 21:51:23" counter accept comment "!fw4: Time rule #1"

diff --git a/tests/03_rules/10_notrack b/tests/03_rules/10_notrack
index d64df1114999b8b058c53a793534c41acac16028..470f922dd17c5f21c348a0d039a2353c6215fe7c 100644 (file)
--- a/tests/03_rules/10_notrack
+++ b/tests/03_rules/10_notrack
@@ -101,7 +101,7 @@ table inet fw4 {
        chain input {
                type filter hook input priority filter; policy drop;
 
-               iifname "lo" accept comment "!fw4: Accept traffic from loopback"
+               iif "lo" accept comment "!fw4: Accept traffic from loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
                iifname "eth0" jump input_zone1 comment "!fw4: Handle zone1 IPv4/IPv6 input traffic"
@@ -123,7 +123,7 @@ table inet fw4 {
        chain output {
                type filter hook output priority filter; policy drop;
 
-               oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
+               oif "lo" accept comment "!fw4: Accept traffic towards loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                oifname "eth0" jump output_zone1 comment "!fw4: Handle zone1 IPv4/IPv6 output traffic"

diff --git a/tests/03_rules/11_log b/tests/03_rules/11_log
index 6404a58b9bf3e2016e6fc8c7a8271d9f2035b63d..f777291afe5015b33f8efe620a88f83ec3f69723 100644 (file)
--- a/tests/03_rules/11_log
+++ b/tests/03_rules/11_log
@@ -112,7 +112,7 @@ table inet fw4 {
        chain input {
                type filter hook input priority filter; policy drop;
 
-               iifname "lo" accept comment "!fw4: Accept traffic from loopback"
+               iif "lo" accept comment "!fw4: Accept traffic from loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
        }
@@ -126,7 +126,7 @@ table inet fw4 {
        chain output {
                type filter hook output priority filter; policy drop;
 
-               oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
+               oif "lo" accept comment "!fw4: Accept traffic towards loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                counter log prefix "@rule[0]: " comment "!fw4: @rule[0]"

diff --git a/tests/03_rules/12_mark b/tests/03_rules/12_mark
index 1d095cf86a0f9bea31d74ec4f8276a76eed62b66..274409625814b22991da805aaa391186d1fd14f2 100644 (file)
--- a/tests/03_rules/12_mark
+++ b/tests/03_rules/12_mark
@@ -96,7 +96,7 @@ table inet fw4 {
        chain input {
                type filter hook input priority filter; policy drop;
 
-               iifname "lo" accept comment "!fw4: Accept traffic from loopback"
+               iif "lo" accept comment "!fw4: Accept traffic from loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
        }
@@ -110,7 +110,7 @@ table inet fw4 {
        chain output {
                type filter hook output priority filter; policy drop;
 
-               oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
+               oif "lo" accept comment "!fw4: Accept traffic towards loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
        }

diff --git a/tests/04_forwardings/01_family_selections b/tests/04_forwardings/01_family_selections
index 54431ba74c4d33dd94917f9f6bf14c46a40eae62..029501a41acc3b3ba541869f0b9b2cec643a7c2e 100644 (file)
--- a/tests/04_forwardings/01_family_selections
+++ b/tests/04_forwardings/01_family_selections
@@ -90,7 +90,7 @@ table inet fw4 {
        chain input {
                type filter hook input priority filter; policy drop;
 
-               iifname "lo" accept comment "!fw4: Accept traffic from loopback"
+               iif "lo" accept comment "!fw4: Accept traffic from loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
                iifname "eth0" jump input_wanA comment "!fw4: Handle wanA IPv4/IPv6 input traffic"
@@ -110,7 +110,7 @@ table inet fw4 {
        chain output {
                type filter hook output priority filter; policy drop;
 
-               oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
+               oif "lo" accept comment "!fw4: Accept traffic towards loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                oifname "eth0" jump output_wanA comment "!fw4: Handle wanA IPv4/IPv6 output traffic"

diff --git a/tests/05_ipsets/01_declaration b/tests/05_ipsets/01_declaration
index cebb33739c78af70a0342f013cdb4c7f8e92764a..60c151414bdf47de72dd4fa4d0adad5442aadc6a 100644 (file)
--- a/tests/05_ipsets/01_declaration
+++ b/tests/05_ipsets/01_declaration
@@ -86,7 +86,7 @@ table inet fw4 {
        chain input {
                type filter hook input priority filter; policy drop;
 
-               iifname "lo" accept comment "!fw4: Accept traffic from loopback"
+               iif "lo" accept comment "!fw4: Accept traffic from loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
        }
@@ -100,7 +100,7 @@ table inet fw4 {
        chain output {
                type filter hook output priority filter; policy drop;
 
-               oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
+               oif "lo" accept comment "!fw4: Accept traffic towards loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
        }

diff --git a/tests/05_ipsets/02_usage b/tests/05_ipsets/02_usage
index 6bff992662118b51759f62a2fd9375f712c1ebeb..81ed6ed400b4f5182e3a19cf361d4a51bbb765b3 100644 (file)
--- a/tests/05_ipsets/02_usage
+++ b/tests/05_ipsets/02_usage
@@ -160,7 +160,7 @@ table inet fw4 {
        chain input {
                type filter hook input priority filter; policy drop;
 
-               iifname "lo" accept comment "!fw4: Accept traffic from loopback"
+               iif "lo" accept comment "!fw4: Accept traffic from loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
        }
@@ -180,7 +180,7 @@ table inet fw4 {
        chain output {
                type filter hook output priority filter; policy drop;
 
-               oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
+               oif "lo" accept comment "!fw4: Accept traffic towards loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
        }

diff --git a/tests/06_includes/01_nft_includes b/tests/06_includes/01_nft_includes
index 275f9eea83f84cf995db4580df5915b13cac271d..d267f5cd2b426af100fc249978c963b7ecfb5d5a 100644 (file)
--- a/tests/06_includes/01_nft_includes
+++ b/tests/06_includes/01_nft_includes
@@ -154,7 +154,7 @@ table inet fw4 {
        chain input {
                type filter hook input priority filter; policy drop;
 
-               iifname "lo" accept comment "!fw4: Accept traffic from loopback"
+               iif "lo" accept comment "!fw4: Accept traffic from loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
                iifname "eth0" jump input_test comment "!fw4: Handle test IPv4/IPv6 input traffic"
@@ -172,7 +172,7 @@ table inet fw4 {
        chain output {
                type filter hook output priority filter; policy drop;
 
-               oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
+               oif "lo" accept comment "!fw4: Accept traffic towards loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                oifname "eth0" jump output_test comment "!fw4: Handle test IPv4/IPv6 output traffic"

diff --git a/tests/06_includes/02_firewall.user_include b/tests/06_includes/02_firewall.user_include
index e822fb8a135e3d9812e9e882dcd87f5373fd105a..1f83b041a76bd87df7d5e7e0c961984d0addd899 100644 (file)
--- a/tests/06_includes/02_firewall.user_include
+++ b/tests/06_includes/02_firewall.user_include
@@ -91,7 +91,7 @@ table inet fw4 {
        chain input {
                type filter hook input priority filter; policy drop;
 
-               iifname "lo" accept comment "!fw4: Accept traffic from loopback"
+               iif "lo" accept comment "!fw4: Accept traffic from loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
                iifname "eth0" jump input_test comment "!fw4: Handle test IPv4/IPv6 input traffic"
@@ -107,7 +107,7 @@ table inet fw4 {
        chain output {
                type filter hook output priority filter; policy drop;
 
-               oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
+               oif "lo" accept comment "!fw4: Accept traffic towards loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                oifname "eth0" jump output_test comment "!fw4: Handle test IPv4/IPv6 output traffic"

diff --git a/tests/06_includes/04_disabled_include b/tests/06_includes/04_disabled_include
index b0072d315f0597e6ef8315c3fa2d3c7c7d3e76fa..5b695405db5b3fb15fd021f02bf5d3f9b644b752 100644 (file)
--- a/tests/06_includes/04_disabled_include
+++ b/tests/06_includes/04_disabled_include
@@ -97,7 +97,7 @@ table inet fw4 {
        chain input {
                type filter hook input priority filter; policy drop;
 
-               iifname "lo" accept comment "!fw4: Accept traffic from loopback"
+               iif "lo" accept comment "!fw4: Accept traffic from loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
                iifname "eth0" jump input_test comment "!fw4: Handle test IPv4/IPv6 input traffic"
@@ -113,7 +113,7 @@ table inet fw4 {
        chain output {
                type filter hook output priority filter; policy drop;
 
-               oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
+               oif "lo" accept comment "!fw4: Accept traffic towards loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                oifname "eth0" jump output_test comment "!fw4: Handle test IPv4/IPv6 output traffic"

diff --git a/tests/06_includes/05_automatic_includes b/tests/06_includes/05_automatic_includes
index f2b89c3e6031516c6f14298e9dd5ff17616d574a..83322b9c658daef4c7e96973de83fe967d9a7ce3 100644 (file)
--- a/tests/06_includes/05_automatic_includes
+++ b/tests/06_includes/05_automatic_includes
@@ -97,7 +97,7 @@ table inet fw4 {
        chain input {
                type filter hook input priority filter; policy drop;
 
-               iifname "lo" accept comment "!fw4: Accept traffic from loopback"
+               iif "lo" accept comment "!fw4: Accept traffic from loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
                iifname "eth0" jump input_test comment "!fw4: Handle test IPv4/IPv6 input traffic"
@@ -113,7 +113,7 @@ table inet fw4 {
        chain output {
                type filter hook output priority filter; policy drop;
 
-               oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
+               oif "lo" accept comment "!fw4: Accept traffic towards loopback"
 
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
                oifname "eth0" jump output_test comment "!fw4: Handle test IPv4/IPv6 output traffic"