On Sat, 23 Mar 2024 13:05:39 +0000 'unman' via qubes-devel wrote:

> However, the 4 and 6 rulesets are distinct and although they could be
> merged to a single table, the result would not be any cleaner. While
> there is some duplication, there are also distinctions.
> Sometimes keeping separate tables allows for greater clarity.

I am not quite sure what you mean by cleaner and greater clarity. Compare the 2 files I am attaching.

separate.nft - as it is currently in Qubes
single.nft - a quick attempt to merge them into a single inet table

separate - 133 lines
single - 82 lines

I have not made any performance comparison, but in regard to simplicity, single.nft looks simpler to me. Perhaps it can be optimized even more, e.g. by dropping invalid packets early in the prerouting hook instead of letting them through to input.

What do you think? Has any optimization been considered?
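
Added illustration, not part of the original message and not the attached files (which are not reproduced on this page): a constructed minimal ruleset showing the two layouts under discussion, per-family tables versus one `inet` table, with the invalid-packet drop moved to a prerouting chain. All table names, chain names and rules here are assumptions chosen for the example.

```nft
# Constructed illustration: not the Qubes ruleset and not the attached files.
# Load ONE variant at a time; syntax-check first with: nft -c -f <file>

# Variant A: one table per family; the shared rules are written twice.
table ip demo_separate {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state invalid drop
        ct state established,related accept
        iifname "lo" accept
        icmp type echo-request accept
    }
}
table ip6 demo_separate {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state invalid drop
        ct state established,related accept
        iifname "lo" accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert } accept
    }
}

# Variant B: a single inet table; only the family-specific rules differ.
table inet demo_single {
    chain prerouting {
        # Conntrack hooks at priority -200; this chain must run after it,
        # otherwise "ct state" has not been assigned yet.
        type filter hook prerouting priority filter; policy accept;
        ct state invalid drop
    }
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # nft adds the IPv4/IPv6 match implicitly for these two rules.
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert } accept
    }
}
```

Moving the invalid drop from input to prerouting widens its scope: it then also applies to traffic that would be forwarded, so the two variants are not strictly equivalent on a routing host.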