Tim Mooney <Tim.Mooney@xxxxxxxx> wrote:
> I haven't been able to find anywhere in the nftables wiki that talks
> about "Dos and Don'ts" from an efficiency perspective, especially for
> people that may be coming from iptables/ip6tables to nftables. If it's
> there and I've missed it, please point me at it.
>
> I have a mix of 32 iptables and ip6tables rules on a RHEL 7 box that I
> want to convert to nftables for RHEL 9 (kernel 5.14.0 + Red Hat vendor
> sauce, nftables 1.0.4).
>
> The obvious thing to do would be to just directly translate each rule to
> nftables, and have 32 nftables rules.
>
> However, the iptables rules are all pairs of
>
> -A ports_allow -p tcp -m tcp -s X.Y.0.0/16 --dport 80 -j ACCEPT
> -A ports_allow -p tcp -m tcp -s X.Y.0.0/16 --dport 443 -j ACCEPT
>
> -A ports_allow -p tcp -m tcp -s A.B.C.D/32 --dport 80 -j ACCEPT
> -A ports_allow -p tcp -m tcp -s A.B.C.D/32 --dport 443 -j ACCEPT
>
> So I could cut the number of ntables rules in half just by using
>
> dport { 80, 443 }
>
> in the translated rule.
For the record, nft -o suggest to merge into one rule:
nft -o -f example
Merging:
Y:3:3-68: ip saddr 10.2.0.0/16 tcp dport 80 counter packets 0 bytes 0 accept
Y:4:3-69: ip saddr 10.2.0.0/16 tcp dport 443 counter packets 0 bytes 0 accept
Y:5:3-68: ip saddr 10.20.30.40 tcp dport 80 counter packets 0 bytes 0 accept
Y:6:3-69: ip saddr 10.20.30.40 tcp dport 443 counter packets 0 bytes 0 accept
into:
ip saddr . tcp dport { 10.2.0.0/16 . 80, 10.2.0.0/16 . 443, 10.20.30.40 . 80, 10.20.30.40 . 443 } counter accept
depending on the number of elements you might want to use
a named set for this, so you can add/remove to it later.
