Libvirt iptables firewall rules performance
Software environment
- Operating system: Ubuntu 22.04 and 20.04
- Architecture: amd64
- Kernel version: 6.2.0-32-generic
- libvirt version: 9.1
- Hypervisor and version: qemu 7.2
Description of problem
Libvirt's iptables rules match on the interface name (a PHYSDEV --physdev-in match) to decide which per-domain chain, if any, a packet is sent to:
Chain libvirt-host-in (1 references)
target prot opt source destination
HI-v100335679 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in v100335679
HI-v100298530 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in v100298530
HI-v100248763 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in v100248763
<repeat>
When there are a lot of domains present on a machine, a significant amount of time is spent obtaining the device name in nf-tables; see the attached flamegraph, where 29% of the samples land in strncpy. Are there alternative ways to match the interface, or to manage the firewall altogether (for example matching on the MAC address), that would be faster?
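To make the cost visible, the following added example (not code from the report or from libvirt) parses a constructed copy of the `iptables -L libvirt-host-in -n` output above and counts how many interface-name comparisons a packet incurs before its per-domain chain is entered; because netfilter walks the chain top to bottom, the cost grows linearly with the number of domains, and a packet from an interface with no rule pays for every comparison.

```python
import re

# Constructed sample in the shape of the `iptables -L libvirt-host-in -n` output
# in the report, shortened to three per-domain rules (real hosts have one per VM).
SAMPLE = """\
Chain libvirt-host-in (1 references)
target prot opt source destination
HI-v100335679 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in v100335679
HI-v100298530 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in v100298530
HI-v100248763 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in v100248763
"""

# A rule line starts with the target chain and ends with the physdev-in interface.
RULE_RE = re.compile(r"^(?P<target>\S+)\s+.*--physdev-in\s+(?P<iface>\S+)")


def parse_physdev_chain(text):
    """Return (target_chain, interface) pairs in rule order.

    Order is kept because netfilter evaluates the chain top to bottom."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group("target"), m.group("iface")))
    return rules


def comparisons_for(rules, iface):
    """Interface-name comparisons a packet arriving on `iface` triggers
    before its per-domain chain is entered, or None if no rule matches
    (in which case the whole chain, len(rules) comparisons, is walked)."""
    for position, (_, name) in enumerate(rules, start=1):
        if name == iface:
            return position
    return None


def expected_comparisons(rules):
    """Average comparisons per packet if traffic is spread evenly over the
    interfaces in the chain: (1 + 2 + ... + N) / N = (N + 1) / 2."""
    n = len(rules)
    return (n + 1) / 2 if n else 0.0


if __name__ == "__main__":
    chain = parse_physdev_chain(SAMPLE)
    for _, iface in chain:
        print(iface, comparisons_for(chain, iface))
    print("average:", expected_comparisons(chain))
```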