From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Amish <anon.amish@gmail.com>
Cc: netfilter <netfilter@vger.kernel.org>,
	netfilter-devel <netfilter-devel@vger.kernel.org>
Subject: Re: Optimization works only on specific syntax? (was [ANNOUNCE] nftables 1.0.5 release)
Date: Mon, 22 Aug 2022 22:53:49 +0200
Message-ID: <YwPs3eBF/7IOhlHS@salvia>
In-Reply-To: <71eda095-f021-3d00-7ad8-568b934ac194@gmail.com>

Hi,

On Mon, Aug 22, 2022 at 08:53:39PM +0530, Amish wrote:
> On 15/08/22 06:30, Amish wrote:
> > On 10/08/22 01:24, Pablo Neira Ayuso wrote:
> > > - Fixes for the -o/--optimize, run this --optimize option to automagically
> > >    compact your ruleset using sets, maps and concatenations, e.g.
> > > 
> > >       # cat ruleset.nft
> > >       table ip x {
> > >              chain y {
> > >                      type nat hook postrouting priority srcnat; policy drop;
> > >                      ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80
> > >                      ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90
> > >              }
> > >       }
> > > 
> > >       # nft -o -c -f ruleset.nft
> > >       Merging:
> > >       ruleset.nft:4:3-52:                ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80
> > >       ruleset.nft:5:3-52:                ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90
> > >       into:
> > >              snat to ip saddr . tcp dport map { 1.1.1.1 . 8000 : 4.4.4.4 . 80, 2.2.2.2 . 8001 : 5.5.5.5 . 90 }
> > 
> > This optimization seems to be working only on specific syntax.
> > 
> > If I mention the same thing with an alternative syntax, there is no
> > suggestion to optimize.
> > 
> > # cat ruleset.nft
> > add table ip x
> > add chain ip x y { type nat hook postrouting priority srcnat; policy drop; }
> > add rule ip x y ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80
> > add rule ip x y ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90
> > 
> > # nft -o -c -f ruleset.nft
> > <no output with exit code 0>
> > 
> > Which means that no optimization is suggested but check passed
> > successfully.
> > 
> > I was expecting that it will reply with:
> > 
> > Merging:
> >  ...
> > into:
> >     add rule ip x y snat to ip saddr . tcp dport map { 1.1.1.1 . 8000 : 4.4.4.4 . 80, 2.2.2.2 . 8001 : 5.5.5.5 . 90 }
> > 
> > OR if it cannot translate to exact syntax then at least it should
> > mention that there is possibility to optimize the rules.
> > 
> > Is there any reason? Am I doing something wrong?

The plain syntax is not supported yet, that's all, it needs a bit of work.
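
Added example, not part of the original thread and not nftables code: since -o currently acts only on the nested syntax, one way to still check a flat ruleset is to rewrite it into nested form first. The helper name flat_to_nested is hypothetical, and it assumes one add table/chain/rule command per line with the family always spelled out; anything else is rejected.

```python
import re

# Constructed sample: the flat-syntax ruleset quoted in the thread above.
FLAT = """\
add table ip x
add chain ip x y { type nat hook postrouting priority srcnat; policy drop; }
add rule ip x y ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80
add rule ip x y ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90
"""

# Assumption: one command per line, family always given explicitly.
CMD = re.compile(r"add (table|chain|rule) (\S+) (\S+)\s*(.*)$")

def flat_to_nested(text):
    """Rewrite add table/chain/rule commands as nested table blocks."""
    tables = {}  # (family, table) -> {chain: {"spec": str, "rules": [...]}}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CMD.match(line)
        if not m:
            raise ValueError(f"line {n}: unsupported command: {line!r}")
        kind, family, table, rest = m.groups()
        chains = tables.setdefault((family, table), {})
        if kind == "table":
            continue
        chain, _, body = rest.partition(" ")
        if not chain or (kind == "rule" and not body.strip()):
            raise ValueError(f"line {n}: incomplete {kind} command")
        entry = chains.setdefault(chain, {"spec": "", "rules": []})
        if kind == "chain":
            # Drop the outer braces of the chain definition, keep its body.
            entry["spec"] = body.strip().strip("{}").strip()
        else:
            entry["rules"].append(body.strip())
    out = []
    for (family, table), chains in tables.items():
        out.append(f"table {family} {table} {{")
        for chain, entry in chains.items():
            out.append(f"\tchain {chain} {{")
            out.extend(f"\t\t{x}" for x in [entry["spec"], *entry["rules"]] if x)
            out.append("\t}")
        out.append("}")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(flat_to_nested(FLAT), end="")
```

Save the output to a file and run the nft -o -c -f check from the announcement on it; the merge suggestion comes back in nested syntax and its line numbers refer to the converted file.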
