I think I found a possible workaround/solution.
First I dumped the current ruleset using “sudo nft -s list ruleset > /config/ruleset.txt”.
Then added this at the beginning of “table ip vyos_filter {” inside the above ruleset.txt:
	set P_wg-ports {
		type inet_service
		flags interval
		auto-merge
		elements = { 51820, 51822 }
	}
	set N_private-nets {
		type ipv4_addr
		flags interval
		auto-merge
		elements = { 1.1.0.0/8, 2.2.0.0/12,
			     3.3.0.0/16 }
	}
Then I got this as error (when running “sudo nft -c -t -o -f /config/ruleset.txt”):
internal:0:0-0: Error: Could not process rule: File exists
internal:0:0-0: Error: Could not process rule: File exists
Verified that it's my additions that cause these errors by commenting out (using #) the newly added lines in /config/ruleset.txt (after verification I removed the # chars so I get the error again).
Then I added this to the top of the ruleset.txt file:
flush ruleset
If you do this as a script you can run:
sudo sed -i '1s/^/flush ruleset\n\n/' /config/ruleset.txt
Now the optimize succeeds without errors:
vyos@vyos:~$ sudo nft -c -t -o -f /config/ruleset.txt
Merging:
/config/ruleset.txt:151:3-37: ct state established counter accept
/config/ruleset.txt:152:3-31: ct state invalid counter drop
/config/ruleset.txt:153:3-33: ct state related counter accept
into:
ct state vmap { established : accept, invalid : drop, related : accept }
Merging:
/config/ruleset.txt:186:3-37: ct state established counter accept
/config/ruleset.txt:187:3-31: ct state invalid counter drop
/config/ruleset.txt:188:3-33: ct state related counter accept
into:
ct state vmap { established : accept, invalid : drop, related : accept }
Verified that the optimize is actually being run by then running:
sudo nft -o -f /config/ruleset.txt
sudo nft -s list ruleset > /config/ruleset2.txt
and verified that ruleset2.txt contains my added lines of “P_wg-ports” and “set N_private-nets”.
So could you test again doing something like:
sudo nft -s list ruleset > /config/ruleset.txt
sudo sed -i '1s/^/flush ruleset\n\n/' /config/ruleset.txt
sudo nft -o -f /config/ruleset.txt
sudo nft -s list ruleset > /config/ruleset2.txt
Would be interesting to know if the file sizes change anything.
Instead of “sudo nft -o -f /config/ruleset.txt” you could do a dry run with just “sudo nft -c -t -o -f /config/ruleset.txt” to get a dump of which changes the optimizer has detected it can perform.