netfilter-devel.vger.kernel.org archive mirror
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Amish <anon.amish@gmail.com>
Cc: netfilter <netfilter@vger.kernel.org>,
	netfilter-devel <netfilter-devel@vger.kernel.org>
Subject: Re: Optimization works only on specific syntax? (was [ANNOUNCE] nftables 1.0.5 release)
Date: Mon, 22 Aug 2022 22:53:49 +0200
Message-ID: <YwPs3eBF/7IOhlHS@salvia>
In-Reply-To: <71eda095-f021-3d00-7ad8-568b934ac194@gmail.com>

Hi,

On Mon, Aug 22, 2022 at 08:53:39PM +0530, Amish wrote:
> On 15/08/22 06:30, Amish wrote:
> > On 10/08/22 01:24, Pablo Neira Ayuso wrote:
> > > - Fixes for the -o/--optimize, run this --optimize option to automagically
> > >   compact your ruleset using sets, maps and concatenations, eg.
> > > 
> > >       # cat ruleset.nft
> > >       table ip x {
> > >              chain y {
> > >                      type nat hook postrouting priority srcnat; policy drop;
> > >                      ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80
> > >                      ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90
> > >              }
> > >       }
> > > 
> > >       # nft -o -c -f ruleset.nft
> > >       Merging:
> > >       ruleset.nft:4:3-52:                ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80
> > >       ruleset.nft:5:3-52:                ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90
> > >       into:
> > >              snat to ip saddr . tcp dport map { 1.1.1.1 . 8000 : 4.4.4.4 . 80, 2.2.2.2 . 8001 : 5.5.5.5 . 90 }
> > 
> > This optimization seems to be working only on specific syntax.
> > 
> > If I mention same thing with alternative syntax, there is no suggestion
> > to optimize.
> > 
> > # cat ruleset.nft
> > add table ip x
> > add chain ip x y { type nat hook postrouting priority srcnat; policy drop; }
> > add rule ip x y ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80
> > add rule ip x y ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90
> > 
> > # nft -o -c -f ruleset.nft
> > <no output with exit code 0>
> > 
> > Which means that no optimization is suggested but check passed
> > successfully.
> > 
> > I was expecting that it will reply with:
> > 
> > Merging:
> >  ...
> > into:
> >     add rule ip x y snat to ip saddr . tcp dport map { 1.1.1.1 . 8000 : 4.4.4.4 . 80, 2.2.2.2 . 8001 : 5.5.5.5 . 90 }
> > 
> > OR if it can not translate to exact syntax then at least it should
> > mention that there is possibility to optimize the rules.
> > 
> > Is there any reason? Am I doing something wrong?

The plain syntax is not supported yet, that's all, it needs a bit of work.
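As an added illustration (not part of this thread and not nft's own optimizer), the following Python folds the plain `add rule` syntax from the quoted ruleset into the map rule the poster expected. The regex is a constructed assumption that covers only that one `ip saddr ... tcp dport ... snat to` rule shape, and, like nft -o, only adjacent rules of the same chain are merged so rule order is preserved.

```python
import re
# Only the plain-syntax snat shape from the thread (constructed, not nft's grammar).
RULE_RE = re.compile(
    r"^add rule (?P<family>\S+) (?P<table>\S+) (?P<chain>\S+) "
    r"ip saddr (?P<saddr>[\d.]+) tcp dport (?P<dport>\d+) "
    r"snat to (?P<to>[\d.]+):(?P<toport>\d+)$"
)

def merge_snat_rules(lines):
    """Fold consecutive 'add rule ... snat to' lines of one chain into a map rule,
    like nft -o does for the nested syntax; any other line in between ends the run."""
    out, run = [], []                 # run: [(line, chain_key, match), ...]

    def flush():
        if len(run) < 2:
            out.extend(line for line, _, _ in run)   # a map gains nothing here
        else:
            family, table, chain = run[0][1]
            # Map key is the 'ip saddr . tcp dport' concatenation, value the target.
            elems = ", ".join(
                f"{m['saddr']} . {m['dport']} : {m['to']} . {m['toport']}"
                for _, _, m in run)
            out.append(f"add rule {family} {table} {chain} "
                       f"snat to ip saddr . tcp dport map {{ {elems} }}")
        run.clear()

    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:                 # table/chain definition or unknown rule
            flush()
            out.append(line)
            continue
        key = (m["family"], m["table"], m["chain"])
        if run and run[0][1] != key:  # different chain: do not merge across it
            flush()
        run.append((line, key, m))
    flush()
    return out

# Constructed sample: the plain-syntax ruleset posted in the thread.
SAMPLE = """\
add table ip x
add chain ip x y { type nat hook postrouting priority srcnat; policy drop; }
add rule ip x y ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80
add rule ip x y ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90
""".splitlines()
```

Running `merge_snat_rules(SAMPLE)` yields the table and chain lines unchanged followed by the single merged map rule; feed the result to `nft -c -f` to confirm it still parses before loading it.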


Thread overview: 4+ messages
2022-08-09 19:54 [ANNOUNCE] nftables 1.0.5 release Pablo Neira Ayuso
2022-08-15  1:00 ` Optimization works only on specific syntax? (was [ANNOUNCE] nftables 1.0.5 release) Amish
2022-08-22 15:23   ` Amish
2022-08-22 20:53     ` Pablo Neira Ayuso [this message]