* [nftables] optimization steps before rules get sent to the kernel
From: Christoph A. @ 2009-08-13 21:33 UTC (permalink / raw)
To: Netfilter Developer Mailing List; +Cc: Christoph A.
Hi,
from the nftables announcement:
> Redundant information might get lost before it is sent to the kernel,
> but both the kernel and the reconstructed ruleset are semantically
> equivalent.
As I'm currently not aware of a possibility to dump the actual rules
currently used by the kernel, to investigate this myself, I would have
another question:
Does the optimization which removes redundant information also remove
entire redundant rules or redundant checks within rules?
example:
ip saddr 1.1.1.1 tcp dport 22 accept
tcp dport 22 accept
would become
tcp dport 22 accept
tcp sport 0-65535 tcp dport 80 accept
would become
tcp dport 80 accept
if not: is something like this planned for the future or will the
stupidity of big rulesets never be removed by nftables? ;)
thanks,
Christoph
* Re: [nftables] optimization steps before rules get sent to the kernel
From: Patrick McHardy @ 2009-08-14 12:38 UTC (permalink / raw)
To: Christoph A.; +Cc: Netfilter Developer Mailing List
Christoph A. wrote:
> Hi,
>
> from the nftables announcement:
>
>> Redundant information might get lost before it is sent to the kernel,
>> but both the kernel and the reconstructed ruleset are semantically
>> equivalent.
>
> As I'm currently not aware of a possibility to dump the actual rules
> currently used by the kernel, to investigate this myself, I would have
> another question:
nft list table filter
nft list chain filter output
nft list sets filter
nft list set filter xyz
> Does the optimization which removes redundant information also remove
> entire redundant rules or redundant checks within rules?
>
> example:
>
> ip saddr 1.1.1.1 tcp dport 22 accept
> tcp dport 22 accept
>
> would become
> tcp dport 22 accept
>
>
> tcp sport 0-65535 tcp dport 80 accept
> would become
> tcp dport 80 accept
>
> if not: is something like this planned for the future or will the
> stupidity of big rulesets never be removed by nftables? ;)
It does not currently. It's planned for the future to perform
optimizations across the entire ruleset. It requires a few
limitations though, f.i. in your example, it needs to make
sure you won't insert a rule between those two later on.
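To make the two redundancies Christoph asks about, and the limitation Patrick names, concrete, here is an added example that is not nftables code and not from either poster: a small offline Python checker that takes rule lines in the syntax used in the thread, drops whole-domain checks such as `tcp sport 0-65535`, and removes a rule only when a later rule with the same verdict covers it and no rule in between with a different verdict can see the same packets. The supported matches (`ip saddr`/`ip daddr` as an address or CIDR, `tcp sport`/`tcp dport` as a port or `lo-hi` range) and the `accept`/`drop` verdicts are assumptions of this example; anything else is rejected. The input rules below are constructed from the ones quoted in the thread.

```python
"""Offline check for two kinds of ruleset redundancy: whole-domain checks inside
a rule, and rules made dead or redundant by their neighbours. Added example,
not part of nftables; the rule syntax is a deliberately small subset."""
import ipaddress

PORT = (0, 65535)
IPV4 = (0, 2**32 - 1)
# field -> its whole domain; an absent field in a rule means "whole domain"
FIELDS = {"ip saddr": IPV4, "ip daddr": IPV4, "tcp sport": PORT, "tcp dport": PORT}
VERDICTS = {"accept", "drop"}


def _interval(field, value):
    """Inclusive (lo, hi) integer interval for one match value."""
    if FIELDS[field] == PORT:
        lo, _, hi = value.partition("-")
        return (int(lo), int(hi or lo))
    net = ipaddress.ip_network(value, strict=False)
    if net.version != 4:
        raise ValueError(f"only IPv4 is handled here: {value}")
    return (int(net.network_address), int(net.broadcast_address))


def parse_rule(text):
    """'ip saddr 1.1.1.1 tcp dport 22 accept' -> ({field: (lo, hi)}, 'accept')."""
    toks = text.split()
    verdict = toks.pop()
    if verdict not in VERDICTS or len(toks) % 3:
        raise ValueError(f"cannot parse: {text!r}")
    matches = {}
    for i in range(0, len(toks), 3):
        field = f"{toks[i]} {toks[i + 1]}"
        if field not in FIELDS:
            raise ValueError(f"unsupported match {field!r} in {text!r}")
        matches[field] = _interval(field, toks[i + 2])
    return matches, verdict


def simplify(matches):
    """Drop checks that cover a field's whole domain, e.g. 'tcp sport 0-65535'."""
    return {f: iv for f, iv in matches.items() if iv != FIELDS[f]}


def covers(a, b):
    """True if every packet matching b also matches a."""
    return all(a.get(f, d)[0] <= b.get(f, d)[0] and b.get(f, d)[1] <= a.get(f, d)[1]
               for f, d in FIELDS.items())


def overlaps(a, b):
    """True if at least one packet can match both a and b."""
    return all(max(a.get(f, d)[0], b.get(f, d)[0]) <= min(a.get(f, d)[1], b.get(f, d)[1])
               for f, d in FIELDS.items())


def format_rule(matches, verdict):
    """Render parsed matches back to the thread's rule syntax."""
    parts = []
    for field, (lo, hi) in matches.items():
        if FIELDS[field] == PORT:
            parts.append(f"{field} {lo}" if lo == hi else f"{field} {lo}-{hi}")
        else:
            nets = [str(n.network_address) if n.prefixlen == 32 else str(n)
                    for n in ipaddress.summarize_address_range(
                        ipaddress.ip_address(lo), ipaddress.ip_address(hi))]
            parts.append(f"{field} {nets[0]}" if len(nets) == 1
                         else f"{field} {{ {', '.join(nets)} }}")
    return " ".join(parts + [verdict])


def optimize(rule_texts):
    """Return (kept_rule_texts, notes) with redundant checks and rules removed.

    Rule i is dropped when either
      (1) a rule kept earlier covers it, so it can never be reached, or
      (2) a later rule j with the same verdict covers it and no rule between
          i and j with a different verdict can see a packet that i matches.
    (2) only stays valid while nobody inserts a conflicting rule between i and
    j, which is the limitation the reply above points at.
    """
    rules = [(simplify(m), v) for m, v in map(parse_rule, rule_texts)]
    kept, notes = [], []
    for i, (mi, vi) in enumerate(rules):
        reason = next((f"shadowed by earlier rule {k}" for k, mk, _ in kept
                       if covers(mk, mi)), None)
        if reason is None:
            for j in range(i + 1, len(rules)):
                mj, vj = rules[j]
                if vj != vi and overlaps(mj, mi):
                    break  # a conflicting rule sees some of these packets first
                if vj == vi and covers(mj, mi):
                    reason = f"subsumed by later rule {j}"
                    break
        if reason:
            notes.append(f"rule {i} ({rule_texts[i]}): {reason}")
        else:
            kept.append((i, mi, vi))
    return [format_rule(m, v) for _, m, v in kept], notes


if __name__ == "__main__":
    # constructed input: the rules quoted in the thread
    kept, notes = optimize(["ip saddr 1.1.1.1 tcp dport 22 accept",
                            "tcp dport 22 accept",
                            "tcp sport 0-65535 tcp dport 80 accept"])
    print("\n".join(kept + notes))
```

Run against the thread's three rules it keeps `tcp dport 22 accept` and `tcp dport 80 accept` and reports rule 0 as subsumed by rule 1. Put a `drop` rule for `ip saddr 1.1.1.0/24 tcp dport 22` between the first two and nothing is removed, because the inserted rule now decides some of the packets rule 0 used to accept. Since the checker only sees the rules it is given, in order, feed it the ruleset as actually loaded (the `nft list` output from the reply above), and rerun it after every insertion rather than trusting an earlier result.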