I came up with a bunch of tests to compare nft and legacy performance in
rulesets of varying size, so I could not only compare individual
performance but also the scaling ability of each. Initial results were
sobering: current nft performs worse in all tests and scales much worse
in almost all of them. With this series applied, nft is on par or better
in most of the cases, often also scaling much better. Leftovers are
scenarios which require fetching the large ruleset, e.g. deleting a rule
from a large chain or calling iptables-restore with --noflush option.

Patches 1-6 are merely fallout, fixing things or improving code. Patch 7
is the first performance-related one: simply increasing mnl_talk()
receive buffer size speeds up all cache fetches. The remaining patches
uniformly deal with caching: either avoiding the cache entirely or
allowing for finer granular cache content selection.

Phil Sutter (14):
  tests/shell: Make ebtables-basic test more verbose
  tests/shell: Speed up ipt-restore/0004-restore-race_0
  DEBUG: Print to stderr to not disturb iptables-save
  nft: Use nftnl_*_set_str() functions
  nft: Introduce nft_bridge_commit()
  nft: Fix for add and delete of same rule in single batch
  nft: Increase mnl_talk() receive buffer size
  xtables-restore: Avoid cache population when flushing
  nft: Rename have_cache into have_chain_cache
  nft: Fetch rule cache only if needed
  nft: Allow to fetch only a specific chain from kernel
  nft: Support fetching rules for a single chain only
  nft: Optimize flushing all chains of a table
  nft: Reduce impact of nft_chain_builtin_init()

 iptables/nft.c                                 | 285 +++++++++++++-----
 iptables/nft.h                                 |  13 +-
 .../testcases/ebtables/0001-ebtables-basic_0   |  28 +-
 .../ipt-restore/0003-restore-ordering_0        |  18 +-
 .../testcases/ipt-restore/0004-restore-race_0  |   4 +-
 iptables/xshared.h                             |   2 +-
 iptables/xtables-eb-standalone.c               |   2 +-
 iptables/xtables-restore.c                     |  11 +-
 iptables/xtables-save.c                        |   4 +-
 9 files changed, 268 insertions(+), 99 deletions(-)

-- 
2.23.0
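The cover letter describes the measurement but not the harness. As an added example (not Phil Sutter's own test scripts), the script below generates iptables-restore rulesets of growing size and times a full restore plus a --noflush append against both backends; it assumes the binaries are installed as iptables-legacy-restore and iptables-nft-restore and that it runs as root when invoked with the argument `run`.

```sh
#!/bin/sh
# Added benchmark harness, not part of the original patch series.
# Assumes iptables-legacy-restore / iptables-nft-restore and root privileges.

# gen_ruleset N: print an iptables-restore filter table whose user chain
# "bench" holds N distinct DROP rules (one source address each).
gen_ruleset() {
    n=$1
    printf '*filter\n:INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n'
    printf ':OUTPUT ACCEPT [0:0]\n:bench - [0:0]\n'
    i=1
    while [ "$i" -le "$n" ]; do
        # encode the counter into the address so every rule is unique
        printf '%s bench -s 10.%d.%d.%d/32 -j DROP\n' -A \
            $(( (i >> 16) & 255 )) $(( (i >> 8) & 255 )) $(( i & 255 ))
        i=$((i + 1))
    done
    printf 'COMMIT\n'
}

# count_rules: number of rule lines in a ruleset read from stdin.
count_rules() { grep -c '^-A '; }

# elapsed_ms CMD...: run CMD and print wall-clock milliseconds (GNU date).
elapsed_ms() {
    s=$(date +%s%N); "$@"; e=$(date +%s%N)
    echo $(( (e - s) / 1000000 ))
}

# bench BACKEND N: time a flushing restore of N rules, then a --noflush
# restore adding one rule on top (the case the series leaves as leftover).
bench() {
    backend=$1; n=$2; f="/tmp/bench-$n.rules"
    gen_ruleset "$n" > "$f"
    full=$(elapsed_ms "${backend}-restore" < "$f")
    printf '*filter\n:bench - [0:0]\n%s bench -j RETURN\nCOMMIT\n' -A > "$f.add"
    add=$(elapsed_ms "${backend}-restore" --noflush < "$f.add")
    printf '%-16s %6d rules  restore %6d ms  noflush-add %6d ms\n' \
        "$backend" "$n" "$full" "$add"
}

if [ "${1:-}" = run ]; then
    for n in 100 1000 10000; do
        for backend in iptables-legacy iptables-nft; do
            bench "$backend" "$n"
        done
    done
fi
```

Run it as `sh bench.sh run`; the noflush column is where the cover letter expects nft to remain slower, since that path still fetches the whole ruleset.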