On 12/15/21 20:56, Pablo Neira Ayuso wrote:
Hi,
> This patchset adds a new -o/--optimize option to enable ruleset
> optimization.
Thanks for working on this. From what I see in the community, this feature will
be of high value to some folks: users often struggle with doing this kind of
optimization by hand.
> The ruleset optimization first loads the ruleset in "dry run" mode to
> validate that the original ruleset is correct. Then, on a second pass it
> performs the ruleset optimization before adding the rules into the
> kernel.
Could you please describe how to work with this if all I want is to check what an
optimized version of my ruleset would look like, without loading it into the kernel?
The use case would be: I just need a diff between my ruleset.nft file and
whatever the optimized version would be, without performing any actual change.
Of course this can be added later on if not supported in this patch.
> This infrastructure collects the statements that are used in rules. Then,
> it builds a matrix of rules vs. statements. Then, it looks for common
> statements in consecutive rules that are candidate to be merged. Finally,
> it merges rules.
Clever!
Is this infra extensible enough to support scanning non-adjacent rules in the
future?
i.e., being able to transform:
* ip daddr 1.1.1.1 counter accept
* tcp dport 80 accept
* ip daddr 2.2.2.2 counter accept
into:
* ip daddr { 1.1.1.1, 2.2.2.2 } counter accept
* tcp dport 80 accept
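A small Python model of the merging pass described in the quoted cover letter (collect statements, compare rule rows, merge consecutive rules that differ in one match) and of the non-adjacent case asked about in the reply. This is an added example written for this page, not code from the nftables patchset or the nft project. It assumes a deliberately simplified rule grammar (two-word selectors such as `ip daddr` and `tcp dport`, followed by `counter` and verdict keywords) and uses constructed sample rulesets; the names `parse_rule`, `merge_index`, `provably_disjoint` and `optimize` are the example's own.

```python
"""Toy model of nft-style rule merging (added example, not the patchset's code).

A rule is parsed into an ordered list of match statements plus the trailing
statements (counter, verdict).  Two rules are merge candidates when they share
the same match keys and trailing statements and differ in exactly one match
value; that column becomes an anonymous set.
"""
from typing import List, Optional, Tuple

Match = Tuple[str, Tuple[str, ...]]      # e.g. ('ip daddr', ('1.1.1.1',))
Rule = Tuple[List[Match], List[str]]     # (match statements, trailing statements)

SELECTORS = {"ip", "ip6", "tcp", "udp", "meta"}          # assumed two-word selectors
TRAILING = {"counter", "log", "accept", "drop", "reject"}  # assumed trailing keywords


def parse_rule(rule: str) -> Rule:
    """Split 'ip daddr 1.1.1.1 counter accept' into matches and trailing statements."""
    tokens = rule.split()
    matches: List[Match] = []
    rest: List[str] = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in SELECTORS:
            if i + 2 >= len(tokens):
                raise ValueError(f"truncated match in {rule!r}")
            matches.append((f"{tok} {tokens[i + 1]}", (tokens[i + 2],)))
            i += 3
        elif tok in TRAILING:
            rest.append(tok)
            i += 1
        else:
            raise ValueError(f"unsupported token {tok!r} in {rule!r}")
    return matches, rest


def format_rule(rule: Rule) -> str:
    """Render a rule back to text, using '{ a, b }' for merged value sets."""
    matches, rest = rule
    parts = []
    for key, values in matches:
        parts.append(f"{key} {values[0]}" if len(values) == 1
                     else f"{key} {{ {', '.join(values)} }}")
    return " ".join(parts + rest)


def merge_index(a: Rule, b: Rule) -> Optional[int]:
    """Column index where a and b differ, or None if they cannot be merged."""
    (ma, ra), (mb, rb) = a, b
    if ra != rb or [k for k, _ in ma] != [k for k, _ in mb]:
        return None
    diff = [i for i, ((_, va), (_, vb)) in enumerate(zip(ma, mb)) if va != vb]
    return diff[0] if len(diff) == 1 else None


def provably_disjoint(x: Rule, b: Rule) -> bool:
    """True if no packet can match both rules: a shared key with non-overlapping values."""
    xm = dict(x[0])
    return any(key in xm and not set(xm[key]) & set(values) for key, values in b[0])


def optimize(rules: List[str], adjacent_only: bool = True) -> List[str]:
    """Merge rules; with adjacent_only=False a rule may be pulled up past earlier
    rules, but only when every rule it would jump over provably cannot match the
    same packets (otherwise the jump could change which rule sees a packet)."""
    out: List[Rule] = []
    for cur in map(parse_rule, rules):
        candidates = range(len(out) - 1, -1, -1)   # nearest earlier rule first
        if adjacent_only:
            candidates = candidates[:1]
        merged = False
        for j in candidates:
            idx = merge_index(out[j], cur)
            if idx is None:
                continue
            if all(provably_disjoint(x, cur) for x in out[j + 1:]):
                key, va = out[j][0][idx]
                values = tuple(dict.fromkeys(va + cur[0][idx][1]))  # dedupe, keep order
                out[j][0][idx] = (key, values)
                merged = True
                break
        if not merged:
            out.append(cur)
    return [format_rule(r) for r in out]


# Constructed sample rulesets.
ADJACENT = ["ip daddr 1.1.1.1 counter accept",
            "ip daddr 2.2.2.2 counter accept",
            "tcp dport 80 accept"]
THREAD_EXAMPLE = ["ip daddr 1.1.1.1 counter accept",
                  "tcp dport 80 accept",
                  "ip daddr 2.2.2.2 counter accept"]
SAFE_NONADJACENT = ["ip daddr 1.1.1.1 counter accept",
                    "ip daddr 3.3.3.3 tcp dport 80 drop",
                    "ip daddr 2.2.2.2 counter accept"]

if __name__ == "__main__":
    for name, rs in (("adjacent", ADJACENT), ("thread", THREAD_EXAMPLE),
                     ("safe non-adjacent", SAFE_NONADJACENT)):
        print(name, "->", optimize(rs, adjacent_only=False))
```

Run as a script it prints the three results. The first ruleset merges as in the cover letter. The thread's own three-rule example is left untouched even with `adjacent_only=False`: `tcp dport 80 accept` can match a packet destined to 2.2.2.2, so pulling the third rule above it would change which rule (and which counter) that packet hits, and the model refuses the move because it cannot prove the rules disjoint. The third ruleset differs only in that the intervening rule also matches on `ip daddr` with a value outside the set, so the move is provably safe and the two `counter accept` rules are merged across it.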