Tim Mooney <Tim.Mooney@xxxxxxxx> wrote:
> I haven't been able to find anywhere in the nftables wiki that talks
> about "Dos and Don'ts" from an efficiency perspective, especially for
> people that may be coming from iptables/ip6tables to nftables. If it's
> there and I've missed it, please point me at it.
>
> I have a mix of 32 iptables and ip6tables rules on a RHEL 7 box that I
> want to convert to nftables for RHEL 9 (kernel 5.14.0 + Red Hat vendor
> sauce, nftables 1.0.4).
>
> The obvious thing to do would be to just directly translate each rule to
> nftables, and have 32 nftables rules.
>
> However, the iptables rules are all pairs of
>
> -A ports_allow -p tcp -m tcp -s X.Y.0.0/16 --dport 80 -j ACCEPT
> -A ports_allow -p tcp -m tcp -s X.Y.0.0/16 --dport 443 -j ACCEPT
>
> -A ports_allow -p tcp -m tcp -s A.B.C.D/32 --dport 80 -j ACCEPT
> -A ports_allow -p tcp -m tcp -s A.B.C.D/32 --dport 443 -j ACCEPT
>
> So I could cut the number of nftables rules in half just by using
>
> dport { 80, 443 }
>
> in the translated rule.

For the record, nft -o suggests merging them into one rule:

nft -o -f example
Merging:
Y:3:3-68: ip saddr 10.2.0.0/16 tcp dport 80 counter packets 0 bytes 0 accept
Y:4:3-69: ip saddr 10.2.0.0/16 tcp dport 443 counter packets 0 bytes 0 accept
Y:5:3-68: ip saddr 10.20.30.40 tcp dport 80 counter packets 0 bytes 0 accept
Y:6:3-69: ip saddr 10.20.30.40 tcp dport 443 counter packets 0 bytes 0 accept
into:
ip saddr . tcp dport { 10.2.0.0/16 . 80, 10.2.0.0/16 . 443, 10.20.30.40 . 80, 10.20.30.40 . 443 } counter accept

Depending on the number of elements you might want to use a named set for this, so you can add to/remove from it later.
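The named-set variant the reply suggests, written out as an added example (not from either poster): the anonymous concatenated set from the `nft -o` output becomes a named set that can be changed at runtime. The table name `filter` and the `ip` family are assumptions; the set name reuses the `ports_allow` chain name and the addresses are the ones from the `nft -o` output above.

```nft
# Assumed table name; family "ip" matches the iptables (IPv4) rules.
# The ip6tables rules would get a parallel set typed "ip6 saddr . tcp dport".
table ip filter {
    set ports_allow {
        # element type is the concatenation of source address and destination port
        typeof ip saddr . tcp dport
        # required in a named set so that prefix elements such as /16 are accepted
        flags interval
        elements = {
            10.2.0.0/16 . 80,
            10.2.0.0/16 . 443,
            10.20.30.40 . 80,
            10.20.30.40 . 443
        }
    }

    chain ports_allow {
        # one rule replaces the original pairs of iptables rules;
        # a packet matches when (saddr, dport) is an element of the set
        ip saddr . tcp dport @ports_allow counter accept
    }
}

# Later changes do not need a ruleset reload, e.g. (constructed address):
#   nft add element ip filter ports_allow { 10.30.0.0/16 . 80, 10.30.0.0/16 . 443 }
#   nft delete element ip filter ports_allow { 10.20.30.40 . 80 }
```

Without `flags interval` the `/16` element is rejected when the set is loaded, so check `nft list set ip filter ports_allow` after loading to confirm all four elements are present.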