Hi

Other than "iptables", with "nftables", which is the backend of "iptables-nft", most default chains are not mandatory unless they are in use.

* nft delete chain ip filter OUTPUT
* the unused chain can be removed in theory that way
* iptables-nft -t filter --list
* all the empty compat chains are there again

I would expect them only to appear when using them, like "iptables-nft -t filter -A OUTPUT ...", and given that they have counters, that's some overhead which probably could be avoided.

Even on the datacenter firewall, which makes heavy use of all tables, there are 6 chains which could be avoided:

* filter OUTPUT
* mangle FORWARD
* mangle INPUT
* mangle OUTPUT
* nat INPUT
* nat OUTPUT

Looks like there is some room for optimization by creating them only at first use, aka applying a rule or an explicit call by "list rules".
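
An added example, not part of the original message: a shell function that reads `nft list ruleset` text and reports base chains holding no rules, which is how the empty compat chains described above show up in a dump. The function names and the sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Report base chains (chains with a hook) that contain no rules.
# Real use (assumption: run as root on the firewall): nft list ruleset | empty_base_chains

empty_base_chains() {
    awk '
        # "table ip filter {" -> remember family and table name
        $1 == "table" { family = $2; table = $3; next }
        # "chain OUTPUT {" -> start tracking a new chain
        $1 == "chain" { chain = $2; hooked = 0; rules = 0; inchain = 1; next }
        # "type filter hook output priority filter; policy accept;" marks a base chain
        inchain && $1 == "type" && / hook / { hooked = 1; next }
        # closing brace of the chain: report it if it is hooked and empty
        inchain && $1 == "}" {
            if (hooked && rules == 0) print family, table, chain
            inchain = 0; next
        }
        # any other non-blank line inside a chain is a rule
        inchain && NF > 0 { rules++ }
    '
}

# Constructed sample in the layout printed by "nft list ruleset".
sample_ruleset() {
    cat <<'EOF'
table ip filter {
    chain INPUT {
        type filter hook input priority filter; policy accept;
        iifname "lo" counter packets 0 bytes 0 accept
    }
    chain OUTPUT {
        type filter hook output priority filter; policy accept;
    }
}
table ip mangle {
    chain FORWARD {
        type filter hook forward priority mangle; policy accept;
    }
    chain LOGDROP {
    }
}
EOF
}

sample_ruleset | empty_base_chains
```

Regular chains without a hook, such as `LOGDROP` in the sample, are skipped because they are never traversed unless a rule jumps to them.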