netfilter-devel.vger.kernel.org archive mirror
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nftables,v2 0/7] ruleset optimization infrastructure
Date: Mon, 3 Jan 2022 11:41:05 +0100
Message-ID: <YdLSwcG3oMmKmmnN@salvia>
In-Reply-To: <20220102221452.86469-1-pablo@netfilter.org>

On Sun, Jan 02, 2022 at 11:14:45PM +0100, Pablo Neira Ayuso wrote:
[...]
> Updates since last patch series:
> 
> - display information on the rule merges that are proposed, this can be
>   combined with -c to inspect the proposed ruleset updates.
> 
>   # nft -c -o -f ruleset.nft

For the record, an example output of -c -o

nft -o -c -f ruleset.nft
Merging:
ruleset.nft:3:3-46:            ip daddr 192.168.1.0/24 ct state new counter
ruleset.nft:4:3-46:            ip daddr 192.168.2.0/24 ct state new counter
ruleset.nft:5:3-46:            ip daddr 192.168.3.0/24 ct state new counter
ruleset.nft:6:3-46:            ip daddr 192.168.4.0/24 ct state new counter
into:
        ip daddr . ct state { 192.168.1.0/24 . new, 192.168.2.0/24 . new, 192.168.3.0/24 . new, 192.168.4.0/24 . new } counter packets 0 bytes 0
Merging:
ruleset.nft:7:3-23:            ct state invalid drop
ruleset.nft:8:3-37:            ct state established,related accept
into:
        ct state vmap { invalid : drop, established : accept, related : accept }
Merging:
ruleset.nft:9:3-60:            meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.3 accept
ruleset.nft:10:3-60:           meta iifname eth1 ip saddr 2.2.2.2 ip daddr 2.2.2.5 accept
ruleset.nft:11:3-60:           meta iifname eth2 ip saddr 1.1.1.3 ip daddr 2.2.2.6 accept
into:
        ip daddr . iifname . ip saddr { 2.2.2.3 . eth1 . 1.1.1.2, 2.2.2.5 . eth1 . 2.2.2.2, 2.2.2.6 . eth2 . 1.1.1.3 } accept
Merging:
ruleset.nft:12:3-97:           ip saddr 10.69.0.0/24 ct state new counter packets 0 bytes 0 log prefix "unexpected traffic" level debug
ruleset.nft:13:3-97:           ip saddr 10.69.1.0/24 ct state new counter packets 0 bytes 0 log prefix "unexpected traffic" level debug
into:
        ct state . ip saddr { new . 10.69.0.0/24, new . 10.69.1.0/24 } counter packets 0 bytes 0 log prefix "unexpected traffic" level debug
Merging:
ruleset.nft:16:3-37:           ip daddr 192.168.0.1 counter accept
ruleset.nft:17:3-37:           ip daddr 192.168.0.2 counter accept
ruleset.nft:18:3-37:           ip daddr 192.168.0.3 counter accept
into:
        ip daddr { 192.168.0.1, 192.168.0.2, 192.168.0.3 } counter packets 0 bytes 0 accept
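The listing above is a proposal that a reviewer still has to read before committing the optimized ruleset. As an added example (my own code, not part of this message or of the nftables project), the following Python script parses the `Merging:` / `into:` format printed by `nft -o -c` and runs a few reviewer checks over each group: the source rules must be adjacent in the file (reordering rules changes matching semantics), every verdict that appeared in a source rule must survive in the merged rule, and the merged set or map must carry at least as many elements as there were source rules. The sample input is the output quoted in this message; the checks are my heuristics, not anything nft itself guarantees, and the regular expressions assume the line format shown here.

```python
import re
from dataclasses import dataclass

# Input: the `nft -o -c -f ruleset.nft` output copied from the message above.
SAMPLE_OUTPUT = """\
Merging:
ruleset.nft:3:3-46:            ip daddr 192.168.1.0/24 ct state new counter
ruleset.nft:4:3-46:            ip daddr 192.168.2.0/24 ct state new counter
ruleset.nft:5:3-46:            ip daddr 192.168.3.0/24 ct state new counter
ruleset.nft:6:3-46:            ip daddr 192.168.4.0/24 ct state new counter
into:
        ip daddr . ct state { 192.168.1.0/24 . new, 192.168.2.0/24 . new, 192.168.3.0/24 . new, 192.168.4.0/24 . new } counter packets 0 bytes 0
Merging:
ruleset.nft:7:3-23:            ct state invalid drop
ruleset.nft:8:3-37:            ct state established,related accept
into:
        ct state vmap { invalid : drop, established : accept, related : accept }
Merging:
ruleset.nft:9:3-60:            meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.3 accept
ruleset.nft:10:3-60:           meta iifname eth1 ip saddr 2.2.2.2 ip daddr 2.2.2.5 accept
ruleset.nft:11:3-60:           meta iifname eth2 ip saddr 1.1.1.3 ip daddr 2.2.2.6 accept
into:
        ip daddr . iifname . ip saddr { 2.2.2.3 . eth1 . 1.1.1.2, 2.2.2.5 . eth1 . 2.2.2.2, 2.2.2.6 . eth2 . 1.1.1.3 } accept
Merging:
ruleset.nft:12:3-97:           ip saddr 10.69.0.0/24 ct state new counter packets 0 bytes 0 log prefix "unexpected traffic" level debug
ruleset.nft:13:3-97:           ip saddr 10.69.1.0/24 ct state new counter packets 0 bytes 0 log prefix "unexpected traffic" level debug
into:
        ct state . ip saddr { new . 10.69.0.0/24, new . 10.69.1.0/24 } counter packets 0 bytes 0 log prefix "unexpected traffic" level debug
Merging:
ruleset.nft:16:3-37:           ip daddr 192.168.0.1 counter accept
ruleset.nft:17:3-37:           ip daddr 192.168.0.2 counter accept
ruleset.nft:18:3-37:           ip daddr 192.168.0.3 counter accept
into:
        ip daddr { 192.168.0.1, 192.168.0.2, 192.168.0.3 } counter packets 0 bytes 0 accept
"""

# "file:line:col-col:   rule text" as printed above (assumed format, from this output).
LOC_RE = re.compile(r"^(?P<file>[^:\s]+):(?P<line>\d+):\d+-\d+:\s+(?P<rule>.*\S)\s*$")
VERDICT_RE = re.compile(r"\b(accept|drop|reject|return|continue)\b")


@dataclass
class Merge:
    originals: list   # (file, line number, rule text) for each source rule
    merged: str       # the single rule nft proposes instead


def parse_merges(text):
    """Parse 'Merging:' / 'into:' blocks into Merge records."""
    merges, cur, want_merged = [], None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line == "Merging:":
            cur = Merge([], "")
            merges.append(cur)
            want_merged = False
        elif line == "into:":
            want_merged = True
        elif cur is None:
            raise ValueError(f"rule outside a Merging: block: {line!r}")
        elif want_merged:
            cur.merged, want_merged = line, False
        else:
            m = LOC_RE.match(line)
            if not m:
                raise ValueError(f"unrecognised source line: {line!r}")
            cur.originals.append((m["file"], int(m["line"]), m["rule"]))
    return merges


def element_count(rule):
    """Top-level elements inside the { ... } of a merged rule (no nested braces here)."""
    start, end = rule.find("{"), rule.rfind("}")
    if start < 0 or end < start:
        return 0
    return sum(1 for e in rule[start + 1:end].split(",") if e.strip())


def verdicts(rule):
    return set(VERDICT_RE.findall(rule))


def review(merges):
    """Reviewer heuristics (my own checks, not anything nft enforces)."""
    findings = []
    for idx, m in enumerate(merges, 1):
        n = len(m.originals)
        if n < 2:
            findings.append((idx, "fewer than two source rules"))
            continue
        lines = [ln for _, ln, _ in m.originals]
        if lines != list(range(lines[0], lines[0] + n)):
            findings.append((idx, f"source rules not adjacent: {lines}"))
        lost = set().union(*(verdicts(r) for _, _, r in m.originals)) - verdicts(m.merged)
        if lost:
            findings.append((idx, f"verdict(s) {sorted(lost)} missing from merged rule"))
        if element_count(m.merged) < n:
            findings.append((idx, "merged set has fewer elements than source rules"))
    return findings


def rules_saved(merges):
    return sum(len(m.originals) - 1 for m in merges)


if __name__ == "__main__":
    merges = parse_merges(SAMPLE_OUTPUT)
    print(f"{len(merges)} merges, {rules_saved(merges)} rules saved")
    for idx, msg in review(merges):
        print(f"merge {idx}: {msg}")
```

On the output above the script reports five merges collapsing 14 rules into 5 (9 rules saved) and no findings; the vmap case is the one where the element count (3) exceeds the source rule count (2), because `established,related` expands into two map entries.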



Thread overview: 11+ messages
2022-01-02 22:14 [PATCH nftables,v2 0/7] ruleset optimization infrastructure Pablo Neira Ayuso
2022-01-02 22:14 ` [PATCH nftables,v2 1/7] erec: expose print_location() and line_location() Pablo Neira Ayuso
2022-01-02 22:14 ` [PATCH nftables,v2 2/7] src: error reporting with -f and read from stdin Pablo Neira Ayuso
2022-01-02 22:14 ` [PATCH nftables,v2 3/7] src: remove '$' in symbol_expr_print Pablo Neira Ayuso
2022-01-02 22:14 ` [PATCH nftables,v2 4/7] src: add ruleset optimization infrastructure Pablo Neira Ayuso
2022-01-02 22:14 ` [PATCH nftables,v2 5/7] optimize: merge rules with same selectors into a concatenation Pablo Neira Ayuso
2022-01-02 22:14 ` [PATCH nftables,v2 6/7] optimize: merge same selector with different verdict into verdict map Pablo Neira Ayuso
2022-01-02 22:14 ` [PATCH nftables,v2 7/7] optimize: merge several selectors " Pablo Neira Ayuso
2022-01-03 10:41 ` Pablo Neira Ayuso [this message]
2022-01-03 13:33 ` [PATCH nftables,v2 0/7] ruleset optimization infrastructure Nicolas Dichtel
2022-01-15 17:29 ` Pablo Neira Ayuso
