---- From: Sixene <notsixene@xxxxxxxxx> -- Sent: 2023-11-17 - 15:40 ----

> Hi,
> I hope this is the right channel to reach out for support, the wiki
> mentioned this mailing list.
> I'm having trouble optimizing my large ruleset of 26000+ lines.
> When I run 'nft -c -o -f ruleset.nft', after the while processes, I
> get the following error:
> nft: optimize.c:423: merge_verdict_stmts: Assertion `0' failed.
> Aborted (core dumped)
>
> My ruleset mostly consists of just 'ip saddr x.x.x.x/xx counter
> packets 0 bytes 0 drop'
> Hope you can help, as I'm facing very bad performance with this list,
> however I have no choice because I need to block all of these
> addresses.
> Thanks!

A workaround would be to use ipset. But it only works with the iptables version of netfilter, AFAIK. Ipset is optimised to handle large sets of addresses.

https://ipset.netfilter.org/

>
> (I could not attach the file due to your service's policies, however I
> am using x4bnet's lists_vpn on GitHub)
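
One way to apply the ipset workaround suggested in the reply, as an added example that is not part of the original thread: a script that pulls the source prefixes out of rules shaped like the one quoted above and emits input for `ipset restore`. The set name `blocklist` and the sample ruleset (documentation address ranges) are assumptions constructed for illustration.

```python
import ipaddress
import re

# Matches the rule shape quoted in the post: ip saddr <addr>[/<len>] ... drop
RULE_RE = re.compile(r"^\s*ip\s+saddr\s+(\S+)\s+.*\bdrop\s*$")

def extract_networks(ruleset_text):
    """Return (networks, skipped): parsed IPv4 networks and unparseable rules."""
    nets, skipped = [], []
    for lineno, line in enumerate(ruleset_text.splitlines(), 1):
        m = RULE_RE.match(line)
        if not m:
            continue  # table/chain declarations, comments, other rules
        try:
            # strict=False accepts entries with host bits set, e.g. 10.0.0.1/24
            nets.append(ipaddress.IPv4Network(m.group(1), strict=False))
        except ValueError:
            skipped.append((lineno, line.strip()))
    return nets, skipped

def to_ipset_restore(nets, set_name="blocklist"):
    """Build `ipset restore` input, merging overlapping/adjacent prefixes."""
    merged = list(ipaddress.collapse_addresses(nets))
    # ipset's default maxelem is 65536; raise it when the list is larger.
    maxelem = max(65536, len(merged))
    lines = [f"create {set_name} hash:net family inet maxelem {maxelem}"]
    lines += [f"add {set_name} {n}" for n in merged]
    return "\n".join(lines) + "\n"

# Constructed sample input (documentation ranges, not entries from any real list).
SAMPLE = """\
table ip filter {
  chain input {
    type filter hook input priority 0; policy accept;
    ip saddr 192.0.2.0/25 counter packets 0 bytes 0 drop
    ip saddr 192.0.2.128/25 counter packets 0 bytes 0 drop
    ip saddr 198.51.100.7 counter packets 0 bytes 0 drop
    ip saddr 203.0.113.999/24 counter packets 0 bytes 0 drop
  }
}
"""

if __name__ == "__main__":
    nets, skipped = extract_networks(SAMPLE)
    print(to_ipset_restore(nets), end="")
    for lineno, line in skipped:
        print(f"# skipped line {lineno}: {line}")
```

The output can be loaded with `ipset restore` and matched by a single rule such as `iptables -I INPUT -m set --match-set blocklist src -j DROP`, replacing the thousands of per-address rules. Merging prefixes and moving to one set means the per-rule packet counters from the original ruleset are not preserved.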