Christoph A. wrote:
> Hi,
>
> from the nftables announcement:
>
>> Redundant information might get lost before it is sent to the kernel,
>> but both the kernel and the reconstructed ruleset are semantically
>> equivalent.
>
> As I'm currently not aware of a possibility to dump the actual rules
> currently used by the kernel, to investigate this myself, I would have
> another question:

nft list table filter
nft list chain filter output
nft list sets filter
nft list set filter xyz

> Does the optimization which removes redundant information also remove
> entire redundant rules or redundant checks within rules?
>
> example:
>
> ip saddr 1.1.1.1 tcp dport 22 accept
> tcp dport 22 accept
>
> would become
> tcp dport 22 accept
>
>
> tcp sport 0-65535 tcp dport 80 accept
> would become
> tcp dport 80 accept
>
> if not: is something like this planned for the future or will the
> stupidity of big rulesets never be removed by nftables? ;)

It does not currently. It's planned for the future to perform optimizations
across the entire ruleset. It requires a few limitations though, f.i. in
your example, it needs to make sure you won't insert a rule between those
two later on.
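The two kinds of redundancy in Christoph's examples, plus the caveat from the reply (a rule sitting between the two would change the meaning), as an added Python example that is not code from the thread or from nftables itself; it assumes a tiny nft-like rule subset with exact literals and port ranges only, and the field widths in FULL_RANGES are an assumption.

```python
# Added example (not from the thread): a toy optimizer for the two redundancies
# Christoph asks about, on a small nft-like subset: '<proto> <field> <value>' pairs then
# a terminal verdict. A rule is (matches: dict, verdict); port values are (lo, hi) tuples,
# anything else an exact literal (no prefixes, sets or non-terminal statements here).
FULL_RANGES = {"tcp sport": (0, 65535), "tcp dport": (0, 65535)}  # assumed field widths

def parse_rule(text):
    tokens = text.split()
    verdict, matches = tokens.pop(), {}
    for i in range(0, len(tokens), 3):
        key, val = f"{tokens[i]} {tokens[i + 1]}", tokens[i + 2]
        if key in FULL_RANGES:  # port: single value or 'lo-hi' range
            lo, _, hi = val.partition("-")
            val = (int(lo), int(hi or lo))
        matches[key] = val
    return matches, verdict
def render(rule):
    fmt = lambda v: v if not isinstance(v, tuple) else (str(v[0]) if v[0] == v[1] else f"{v[0]}-{v[1]}")
    return " ".join([f"{k} {fmt(v)}" for k, v in rule[0].items()] + [rule[1]])
def _contains(outer, inner):
    if isinstance(outer, tuple):
        return isinstance(inner, tuple) and outer[0] <= inner[0] and inner[1] <= outer[1]
    return outer == inner
def subsumes(general, specific):
    # every packet hitting `specific` also hits `general`, with the same verdict
    return general[1] == specific[1] and all(
        k in specific[0] and _contains(v, specific[0][k]) for k, v in general[0].items())
def may_overlap(a, b):
    # False only when some shared field proves the two rules disjoint
    for k in a[0].keys() & b[0].keys():
        x, y = a[0][k], b[0][k]
        if (x[1] < y[0] or y[1] < x[0]) if isinstance(x, tuple) else x != y:
            return False
    return True

def optimize(rules):
    # 1) redundant check within a rule: a match covering its whole field is always true
    rules = [({k: v for k, v in m.items() if FULL_RANGES.get(k) != v}, vd) for m, vd in rules]
    # 2) drop a rule when a later rule subsumes it and no rule in between could see its
    #    packets first (the reply's caveat: a rule inserted between them later breaks this)
    kept = []
    for i, rule in enumerate(rules):
        for later in rules[i + 1:]:
            if subsumes(later, rule):
                break  # redundant: drop it
            if may_overlap(rule, later):
                kept.append(rule)  # an intervening rule could decide the packet differently
                break
        else:
            kept.append(rule)
    return kept
```

Both of Christoph's rulesets collapse as he describes, while the same pair with a `tcp dport 22 drop` rule between them is left untouched, which is the limitation the reply refers to.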