On Tue, Nov 12, 2024 at 07:44:17PM +0000, Kerin Millar wrote:
> On Tue, 12 Nov 2024, at 6:18 PM, Florian Westphal wrote:
> > Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> >> > But one can have multiple hooks (chains) in one table, even with the
> >> > same priority (I do not suggest that). Thus one can combine multiple
> >> > tables into one and share sets, e.g. in raw & filter hooks.
> >>
> >> Don't do that, please.
> >
> > Why not? Single-table approach makes sense, in my opinion,
> > provided that single table is controlled by single entity, be
> > that a program like firewalld or traditional sysadmin.
> >
> > With multi-table things become awkward due to the imposed
> > scoping rules that prevent cross-table use of sets/maps.
>
> I read it as being an objection to (potentially) using hooks that
> duplicate one another exactly. Mind you, if it be considered so
> objectionable, why doesn't nft refuse to compile rulesets that do
> this? Or, at least, raise a warning.

A warning to what? Example?
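
The single-table layout and the set scoping discussed in this thread, as an added example that is not taken from any of the messages: one table with a raw-priority and a filter-priority chain sharing one set, next to a second table that cannot reference it. Table, chain and set names are hypothetical, and the addresses are constructed from the documentation ranges.

```nft
# Constructed example: all names and addresses are hypothetical.
table inet fw {
    # The set is scoped to table "fw"; every chain in this table can use it.
    set blocked4 {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.7 }
    }

    # Raw-priority hook: runs before connection tracking on ingress.
    chain pre_raw {
        type filter hook prerouting priority raw; policy accept;
        ip saddr @blocked4 drop
    }

    # Filter-priority hook in the same table, reusing the same set
    # for locally generated traffic towards the blocked ranges.
    chain out_filter {
        type filter hook output priority filter; policy accept;
        ip daddr @blocked4 drop
    }
}

# A second table has its own namespace for sets and maps.
table inet other {
    chain fwd {
        type filter hook forward priority filter; policy accept;
        # Uncommenting the next rule makes the ruleset fail to load,
        # because "blocked4" is not defined in table "other":
        # ip saddr @blocked4 drop
    }
}
```

Running `nft -c -f` on the file validates it without applying it, which also shows the load failure once the commented rule in `other` is enabled.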