In regard to: Re: converting iptables/ip6tables to efficient nftables...:
>> Similarly, all of the rules list CIDR ranges or individual IPs, though
>> there are a mix of IPv4 and IPv6 ranges. I therefore could greatly reduce
>> the number of rules by creating a couple of named sets, one for IPv4 and
>> one for IPv6, and match the 'ip saddr' against the sets.
>
> You are definitely on the right track. Maps and/or verdict maps
> incorporating concatenations of the form "ipv4_addr . inet_service" and
> "ipv6_addr . inet_service" might also prove useful, depending on your
> exact requirements.

Thanks Kerin!
I really appreciate you taking the time to reply. It was very helpful.
Cheers!
Tim
--
Tim Mooney Tim.Mooney@xxxxxxxx
Enterprise Computing & Infrastructure /
Division of Information Technology / 701-231-1076 (Voice)
North Dakota State University, Fargo, ND 58105-5164
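
The approach discussed in this thread, sketched as an nftables ruleset. This is an added example, not rules posted by either participant; the table, set and map names, the addresses (documentation ranges) and the ports are all constructed.

```nftables
#!/usr/sbin/nft -f
# Added example: every name, address and port below is constructed.

table inet filter {
    # One named set per address family replaces one rule per source range.
    # 'flags interval' is what allows CIDR prefixes next to single hosts.
    set allowed_v4 {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.17 }
    }

    set allowed_v6 {
        type ipv6_addr
        flags interval
        elements = { 2001:db8:100::/48, 2001:db8:200::1 }
    }

    # Verdict maps keyed on the concatenation "source address . port".
    # Prefixes inside a concatenation need Linux 5.6+ and nftables 0.9.4+.
    map svc_v4 {
        type ipv4_addr . inet_service : verdict
        flags interval
        elements = { 203.0.113.0/24 . 22 : accept,
                     203.0.113.50 . 443 : drop }
    }

    map svc_v6 {
        type ipv6_addr . inet_service : verdict
        flags interval
        elements = { 2001:db8:300::/48 . 22 : accept }
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept

        # Set lookups: one rule per family, however many ranges are listed.
        ip saddr @allowed_v4 tcp dport 8443 accept
        ip6 saddr @allowed_v6 tcp dport 8443 accept

        # Verdict map lookups: the matching element supplies the verdict.
        ip saddr . tcp dport vmap @svc_v4
        ip6 saddr . tcp dport vmap @svc_v6
    }
}
```

Running `nft -c -f` on the file checks the syntax without loading it.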