On Fri, May 24, 2019 at 11:25:06PM +0200, Pablo Neira Ayuso wrote:
[...]
> We can add a new parameter to optimize rulesets, we can start with
> something simple, ie.
>
> * collapse consecutive several rules that come with the same
>   selectors, only values change.
>
> * turn { 22 } into 22.
>
> * turn ct state {new, established } into ct new,established.

This new optimization option would work both for "nft add rule" and
"nft -f", and we can also include a mode that just prints the
optimization, similar to iptables-translate. So users can diff their
rulesets before and after.
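A worked illustration of the three rewrites proposed above, added here and not code from the thread or from nftables itself: a small Python pass over constructed rule lines (selector, value, verdict) that collapses consecutive rules sharing selector and verdict, unwraps singleton sets, and emits ct state in the comma form, plus a unified diff of before and after as the message suggests. The regular expression, the accepted rule shape and the rendering "ct state new,established" are simplifying assumptions for the example.

```python
import difflib
import re

# Constructed sample ruleset (not from the thread): the match/verdict part of
# consecutive rules in one chain, in order.
SAMPLE_RULES = [
    "tcp dport { 22 } accept",
    "tcp dport 80 accept",
    "tcp dport 443 accept",
    "ct state { new, established } accept",
    "udp dport 53 accept",
    "udp dport 123 drop",
]

# Assumed rule shape: two-token selector, a bare value or a brace set, verdict.
RULE_RE = re.compile(r"^(\S+ \S+) (\{[^}]*\}|\S+) (.+)$")

def parse_rule(line):
    """Split a rule into (selector, [values], verdict); None if it does not fit."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    selector, raw, verdict = m.groups()
    values = [v.strip() for v in raw.strip("{}").split(",") if v.strip()]
    return selector, values, verdict

def render_rule(selector, values, verdict):
    """Singletons lose braces; ct state uses the comma form; other sets keep braces."""
    if len(values) == 1:
        value = values[0]
    elif selector == "ct state":
        value = ",".join(values)
    else:
        value = "{ " + ", ".join(values) + " }"
    return f"{selector} {value} {verdict}"

def optimize(rules):
    """Merge only adjacent rules with identical selector and verdict, so order
    and match semantics are preserved; unparsable lines pass through untouched."""
    out = []
    for line in rules:
        parsed = parse_rule(line)
        if parsed is None:
            out.append(line)
            continue
        selector, values, verdict = parsed
        prev = out[-1] if out and isinstance(out[-1], list) else None
        if prev and prev[0] == selector and prev[2] == verdict:
            prev[1].extend(v for v in values if v not in prev[1])
        else:
            out.append([selector, values, verdict])
    return [render_rule(*r) if isinstance(r, list) else r for r in out]

def show_diff(rules):
    """Unified diff of the ruleset before and after optimization, for review."""
    return "\n".join(difflib.unified_diff(rules, optimize(rules), "before", "after", lineterm=""))
```

Note that "udp dport 53 accept" and "udp dport 123 drop" are left separate because their verdicts differ; merging them would change which packets are dropped.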