Hi,

On Mon, Aug 22, 2022 at 08:53:39PM +0530, Amish wrote:
> On 15/08/22 06:30, Amish wrote:
> > On 10/08/22 01:24, Pablo Neira Ayuso wrote:
> > > - Fixes for the -o/--optimize, run this --optimize option to automagically
> > >   compact your ruleset using sets, maps and concatenations, e.g.
> > >
> > > # cat ruleset.nft
> > > table ip x {
> > >   chain y {
> > >     type nat hook postrouting priority srcnat; policy drop;
> > >     ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80
> > >     ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90
> > >   }
> > > }
> > >
> > > # nft -o -c -f ruleset.nft
> > > Merging:
> > > ruleset.nft:4:3-52: ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80
> > > ruleset.nft:5:3-52: ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90
> > > into:
> > > snat to ip saddr . tcp dport map { 1.1.1.1 . 8000 : 4.4.4.4 . 80, 2.2.2.2 . 8001 : 5.5.5.5 . 90 }
> >
> > This optimization seems to be working only on specific syntax.
> >
> > If I mention the same thing with alternative syntax, there is no suggestion to optimize.
> >
> > # cat ruleset.nft
> > add table ip x
> > add chain ip x y { type nat hook postrouting priority srcnat; policy drop; }
> > add rule ip x y ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80
> > add rule ip x y ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90
> >
> > # nft -o -c -f ruleset.nft
> > <no output with exit code 0>
> >
> > Which means that no optimization is suggested but the check passed successfully.
> >
> > I was expecting that it would reply with:
> >
> > Merging:
> > ...
> > into:
> > add rule ip x y snat to ip saddr . tcp dport map { 1.1.1.1 . 8000 : 4.4.4.4 . 80, 2.2.2.2 . 8001 : 5.5.5.5 . 90 }
> >
> > OR if it cannot translate to the exact syntax then at least it should mention that there is a possibility to optimize the rules.
> >
> > Is there any reason? Am I doing something wrong?

The plain syntax is not supported yet, that's all, it needs a bit of work.
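To make the merge discussed in this thread concrete, here is an added, deliberately simplified re-implementation of what `nft -o` does for these two rules: rules in one chain that differ only in their `ip saddr` / `tcp dport` constants and their `snat to` target are folded into a single concatenated map rule. It is not nftables' own optimizer (which works on the parsed rule tree, not on text) and the `collect`/`merge` helpers, the regexes and the two embedded rulesets are assumptions of this example; it does accept both the braced syntax and the plain `add rule` syntax, which is the case the thread reports as unsupported.

```python
import re
from collections import defaultdict

# Constructed input: the two rulesets from the thread, braced and plain syntax.
BRACED = """table ip x {
    chain y {
        type nat hook postrouting priority srcnat; policy drop;
        ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80
        ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90
    }
}"""
PLAIN = """add table ip x
add chain ip x y { type nat hook postrouting priority srcnat; policy drop; }
add rule ip x y ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80
add rule ip x y ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90"""

# Only the rule shape seen in the thread is understood (simplified on purpose).
RULE = re.compile(r"ip saddr (\S+) tcp dport (\d+) snat to (\S+):(\d+)$")

def collect(ruleset):
    """Group mergeable rules by chain. The key's last item is the text needed
    to re-emit a rule in that syntax: 'add rule <fam> <tab> <chain> ' or ''."""
    by_chain = defaultdict(list)
    family = table = chain = None
    for raw in ruleset.splitlines():
        line = raw.strip()
        if m := re.match(r"table (\S+) (\S+) \{", line):   # braced: table header
            family, table = m.groups()
        elif m := re.match(r"chain (\S+) \{", line):       # braced: chain header
            chain = m.group(1)
        elif m := re.match(r"add rule (\S+) (\S+) (\S+) (.*)$", line):  # plain
            fam, tab, ch, body = m.groups()
            if r := RULE.match(body):
                by_chain[(fam, tab, ch, f"add rule {fam} {tab} {ch} ")].append(r.groups())
        elif r := RULE.match(line):                         # braced: rule line
            by_chain[(family, table, chain, "")].append(r.groups())
    return by_chain

def merge(ruleset):
    """Return one 'snat to ... map { ... }' rule per chain with >= 2 mergeable rules."""
    out = []
    for (_, _, _, prefix), rules in collect(ruleset).items():
        if len(rules) < 2:
            continue
        elems = ", ".join(f"{a} . {p} : {b} . {q}" for a, p, b, q in rules)
        out.append(f"{prefix}snat to ip saddr . tcp dport map {{ {elems} }}")
    return out
```

For `BRACED` the result is exactly the map rule nft printed in the thread; for `PLAIN` it is the `add rule ip x y snat to ...` line Amish expected.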