Hi,

from the nftables announcement:

> Redundant information might get lost before it is sent to the kernel,
> but both the kernel and the reconstructed ruleset are semantically
> equivalent.

As I'm currently not aware of a possibility to dump the actual rules currently used by the kernel, to investigate this myself, I would have another question:

Does the optimization which removes redundant information also remove entire redundant rules or redundant checks within rules?

Example:

ip saddr 1.1.1.1 tcp dport 22 accept
tcp dport 22 accept

would become

tcp dport 22 accept

tcp sport 0-65535 tcp dport 80 accept

would become

tcp dport 80 accept

If not: is something like this planned for the future, or will the stupidity of big rulesets never be removed by nftables? ;)

Thanks,
Christoph
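The two reductions Christoph asks about are a redundancy check on the ruleset, and it is worth seeing what such a check actually has to verify before it may drop a rule. The following is an added example, not nftables' code and not a description of what nft does: a toy Python eliminator over a minimal rule syntax (only `ip saddr`/`ip daddr` and `tcp sport`/`tcp dport` with single values or ranges, plus `accept`/`drop`/`reject`, all assumptions for the example). It drops a check that spans its field's whole domain, and it drops a rule that a later rule with the same verdict fully covers, but only if no intervening rule with a different verdict can match one of the same packets, which is the condition a naive "remove the more specific rule" pass gets wrong. For the dump question, current nftables versions expose the kernel-side ruleset with `nft list ruleset`.

```python
"""Toy redundancy eliminator for a minimal nftables-like rule syntax.

Added example for the thread above; it is NOT nftables' own optimizer. It only
implements the two reductions the question describes:
  1. a check spanning its whole domain (tcp sport 0-65535) adds nothing,
  2. a rule is redundant if a later rule with the same verdict matches every
     packet it matches and no intervening rule with a different verdict can
     fire for one of those packets.
Only ip saddr/daddr and tcp sport/dport are parsed (assumption for the example).
"""
from typing import Dict, List, Tuple

Range = Tuple[int, int]

FIELD_DOMAIN: Dict[str, Range] = {
    "ip saddr": (0, 2 ** 32 - 1),
    "ip daddr": (0, 2 ** 32 - 1),
    "tcp sport": (0, 65535),
    "tcp dport": (0, 65535),
}
VERDICTS = {"accept", "drop", "reject"}


def ip_to_int(text: str) -> int:
    a, b, c, d = (int(x) for x in text.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


class Rule:
    def __init__(self, matches: Dict[str, Range], verdict: str) -> None:
        self.matches = matches      # field -> inclusive (lo, hi) range
        self.verdict = verdict

    def __str__(self) -> str:
        parts = []
        for field, (lo, hi) in self.matches.items():
            fmt = int_to_ip if field.startswith("ip ") else str
            value = fmt(lo) if lo == hi else f"{fmt(lo)}-{fmt(hi)}"
            parts.append(f"{field} {value}")
        parts.append(self.verdict)
        return " ".join(parts)


def parse_rule(text: str) -> Rule:
    tokens = text.split()
    matches: Dict[str, Range] = {}
    verdict = None
    i = 0
    while i < len(tokens):
        if tokens[i] in VERDICTS:
            verdict = tokens[i]
            i += 1
            continue
        field = " ".join(tokens[i:i + 2])
        if field not in FIELD_DOMAIN or i + 2 >= len(tokens):
            raise ValueError(f"unsupported expression in: {text}")
        conv = ip_to_int if field.startswith("ip ") else int
        lo, _, hi = tokens[i + 2].partition("-")
        matches[field] = (conv(lo), conv(hi or lo))
        i += 3
    if verdict is None:
        raise ValueError(f"rule has no verdict: {text}")
    return Rule(matches, verdict)


def strip_full_range(rule: Rule) -> Rule:
    """Reduction 1: drop checks that accept the whole domain of their field."""
    kept = {f: r for f, r in rule.matches.items() if r != FIELD_DOMAIN[f]}
    return Rule(kept, rule.verdict)


def subsumes(general: Rule, specific: Rule) -> bool:
    """True if every packet matching `specific` also matches `general`."""
    for field, (glo, ghi) in general.matches.items():
        if field not in specific.matches:
            return False
        slo, shi = specific.matches[field]
        if slo < glo or shi > ghi:
            return False
    return True


def may_overlap(a: Rule, b: Rule) -> bool:
    """False only if a shared field makes the two rules provably disjoint."""
    for field in a.matches.keys() & b.matches.keys():
        alo, ahi = a.matches[field]
        blo, bhi = b.matches[field]
        if ahi < blo or bhi < alo:
            return False
    return True


def simplify(rules: List[Rule]) -> List[Rule]:
    """Apply both reductions; order of the kept rules is preserved."""
    rules = [strip_full_range(r) for r in rules]
    kept: List[Rule] = []
    for i, rule in enumerate(rules):
        redundant = False
        for later in rules[i + 1:]:
            if later.verdict == rule.verdict and subsumes(later, rule):
                redundant = True      # reduction 2: a later rule covers it
                break
            if later.verdict != rule.verdict and may_overlap(rule, later):
                break                 # a different verdict may fire first: keep
        if not redundant:
            kept.append(rule)
    return kept


def simplify_text(lines: List[str]) -> List[str]:
    return [str(r) for r in simplify([parse_rule(line) for line in lines])]


if __name__ == "__main__":
    # Constructed sample rulesets: the two from the question, plus one where
    # an intervening drop makes the "redundant" specific rule necessary.
    for ruleset in (
        ["ip saddr 1.1.1.1 tcp dport 22 accept", "tcp dport 22 accept"],
        ["tcp sport 0-65535 tcp dport 80 accept"],
        ["ip saddr 1.1.1.1 tcp dport 22 accept", "ip saddr 1.1.1.1 drop",
         "tcp dport 22 accept"],
    ):
        print(ruleset, "->", simplify_text(ruleset))
```

The third sample ruleset is the caveat: with `ip saddr 1.1.1.1 drop` between the two accept rules, dropping the specific first rule would change the verdict for 1.1.1.1:22, so the eliminator keeps all three. Counters and other non-terminating expressions are also deliberately not parsed; a rule that only counts is never "redundant" in this sense because removing it changes observable state even though the verdict is unchanged.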