This improves cache population quite a bit and therefore helps when dealing
with large rulesets. A simple, hard-to-improve use case is listing the last
rule in a large chain. These are the average program run times depending on
number of rules:

rule count | legacy | nft old | nft new
---------------------------------------
    50,000 |  .052s |   .611s |   .406s
   100,000 |  .115s |   2.12s |   1.24s
   150,000 |  .265s |   7.63s |   4.14s
   200,000 |  .411s |   21.0s |   10.6s

So while legacy iptables is still magnitudes faster, this simple change
doubles iptables-nft performance in ideal cases.

Note that increasing the buffer even further didn't improve performance
anymore, so 32KB seems to be an upper limit in kernel space.

Signed-off-by: Phil Sutter <phil@xxxxxx>
---
 iptables/nft.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/iptables/nft.c b/iptables/nft.c
index 6248b9eb10a85..7f0f9e1234ae4 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -101,7 +101,7 @@ int mnl_talk(struct nft_handle *h, struct nlmsghdr *nlh, void *data)
 {
 	int ret;
-	char buf[16536];
+	char buf[32768];
 
 	if (mnl_socket_sendto(h->nl, nlh, nlh->nlmsg_len) < 0)
 		return -1;
-- 
2.23.0
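Review bot: the new size in `+	char buf[32768];` is a bare literal with nothing in nft.c recording why it was chosen. The commit message says 32KB is where the gains stop and that this "seems to be an upper limit in kernel space", but that reasoning lives only in the log, so the next reader of mnl_talk() sees a number with no provenance. Suggest a named constant with that rationale as a comment, e.g. `/* measured: larger buffers gave no further speedup */` next to the definition, so the value is recognisably tuned rather than arbitrary. The old value, `-	char buf[16536];`, also looks like a typo for 16384 (16 KiB), which supports the point that the size was never tied to anything documented; worth a sentence in the commit message.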
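The measurement behind the table above, as an added reproduction script that is not part of the patch or of iptables itself. It generates an iptables-restore ruleset with N distinct rules, loads it with each backend, times listing only the last rule (`-L CHAIN N`), and removes the chain again. Assumptions: the iptables 1.8 binary names `iptables-legacy`, `iptables-legacy-restore`, `iptables-nft` and `iptables-nft-restore`; root privileges; a scratch chain named `bench`; and bash, for its `time` builtin.

```bash
#!/usr/bin/env bash
# Added reproduction of the "list the last rule in a large chain" benchmark
# from the commit message. Not part of the patch or of iptables. Assumptions:
# the iptables 1.8 binary names used below, root privileges, and a scratch
# chain named "bench" that carries no rules you care about.
set -u

CHAIN=${CHAIN:-bench}        # assumed scratch chain name

# Emit an iptables-restore ruleset with N rules in CHAIN. Every rule matches a
# distinct /32 source so the dumped text of rule N is unique to position N.
gen_ruleset() {
    local n=$1 chain=${2:-$CHAIN} i=1
    printf '*filter\n:%s - [0:0]\n' "$chain"
    while [ "$i" -le "$n" ]; do
        printf -- '-A %s -s 10.%d.%d.%d/32 -j ACCEPT\n' "$chain" \
            $(( (i >> 16) & 255 )) $(( (i >> 8) & 255 )) $(( i & 255 ))
        i=$((i + 1))
    done
    printf 'COMMIT\n'
}

# Number of -A lines in a ruleset read from stdin.
count_rules() {
    grep -c '^-A '
}

# Wall-clock seconds for "<bin> -n -L CHAIN N", i.e. listing only rule N.
# -n suppresses reverse DNS, which would otherwise swamp the measurement.
time_list_last() {
    local bin=$1 n=$2 chain=${3:-$CHAIN}
    TIMEFORMAT=%R
    { time "$bin" -n -L "$chain" "$n" >/dev/null 2>&1; } 2>&1
}

# Load N rules with <bin>-restore (--noflush leaves the rest of the filter
# table alone), time listing the last rule a few times, then drop the chain.
bench_backend() {
    local variant=$1 n=$2 runs=${3:-3} r
    local bin="iptables-$variant" restore="iptables-$variant-restore"
    command -v "$bin" >/dev/null && command -v "$restore" >/dev/null || {
        echo "$variant: binaries not found, skipping" >&2; return 0; }
    "$bin" -F "$CHAIN" 2>/dev/null || true
    gen_ruleset "$n" | "$restore" --noflush || return 1
    for r in $(seq "$runs"); do
        printf '%-7s %7d rules  run %d  %ss\n' \
            "$variant" "$n" "$r" "$(time_list_last "$bin" "$n")"
    done
    "$bin" -F "$CHAIN" && "$bin" -X "$CHAIN"
}

# Usage: sudo ./bench.sh run [rulecount...]   (defaults to 50000 and 100000)
if [ "${1:-}" = run ]; then
    shift
    [ $# -gt 0 ] || set -- 50000 100000
    for n in "$@"; do
        bench_backend legacy "$n"
        bench_backend nft "$n"
    done
fi
```

The scratch chain is never referenced from a built-in chain, so loading it does not affect traffic, but the legacy and nft rulesets coexist in the kernel, which is why each backend's chain is deleted before the other is measured. Loading 200,000 rules through iptables-restore takes far longer than the listing itself; the timing loop only covers the `-L` call, matching what the table reports.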