On Friday 2020-06-19 16:11, Phil Sutter wrote:
>
> I remember you once asked for the benchmark scripts I used to compare
> performance of iptables-nft with -legacy in terms of command overhead
> and caching, as detailed in a blog[1] I wrote about it. I meanwhile
> managed to polish the scripts a bit and push them into a public repo,
> accessible here[2]. I'm not sure whether they are useful for regular
> runs (or even CI) as a single run takes a few hours and parallel use
> likely kills result precision.
>
> [1] https://developers.redhat.com/blog/2020/04/27/optimizing-iptables-nft-large-ruleset-performance-in-user-space/
>

"""My main suspects for why iptables-nft performed so poorly were kernel ruleset
caching and the internal conversion from nftables rules in libnftnl data
structures to iptables rules in libxtables data structures."""

Did you record any syscall-induced latency? The classic ABI used a
one-syscall approach, passing the entire buffer at once. With netlink, it's a
bit of a ping-pong between user and kernel unless one uses mmap like on
AF_PACKET — and I don't see any mmap in libmnl or libnftnl.

Furthermore, loading the ruleset is just one aspect. Evaluating it for every
packet is what should weigh in a lot more. Did you by chance collect any
numbers in that regard?
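An added example, not code from this thread or from the iptables project, that measures the syscall overhead the reply asks about: it generates an N-rule ruleset, loads it once with each backend under strace -c, and reports the syscall count and time per backend (assumes strace, iptables-legacy-restore and iptables-nft-restore are installed; the constructed rules and the BENCH chain name are my own).

```shell
# Added example, not code from the thread or the iptables project: counts the
# syscalls each restore binary makes and the time spent in them while loading
# a ruleset. Assumes strace and both *-restore binaries are installed; the
# measurement needs root and REPLACES this host's filter table.
# Emit a constructed iptables-restore file with N rules in a chain BENCH.
gen_ruleset() {
    n=$1
    printf '*filter\n:INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n'
    printf ':OUTPUT ACCEPT [0:0]\n:BENCH - [0:0]\n'
    i=0
    while [ "$i" -lt "$n" ]; do
        # one distinct source address per rule so no two rules are identical
        addr="10.$((i / 65536 % 256)).$((i / 256 % 256)).$((i % 256))"
        printf '%s -s %s/32 -p tcp --dport 22 -j ACCEPT\n' '-A BENCH' "$addr"
        i=$((i + 1))
    done
    printf 'COMMIT\n'
}

count_rules() {   # number of rule lines in a ruleset file
    grep -c '^-A ' "$1"
}

# Reduce an 'strace -c' summary to "<label>: <calls> calls, <sec> s in syscalls".
# The total row is "% time seconds usecs/call calls [errors] total", so $2 is
# the seconds column and $4 the call count whether or not errors were counted.
summarize() {
    awk '/ total$/ { printf "%s: %s calls, %s s in syscalls\n", label, $4, $2 }' \
        label="$2" "$1"
}

# Load FILE with BIN under strace -c (-f follows children, -w measures wall
# time per call rather than CPU time) and print the summary.
measure() {
    bin=$1; file=$2
    strace -c -f -w -o "$file.$bin.strace" "$bin" < "$file"
    summarize "$file.$bin.strace" "$bin"
}

# Usage: sh bench.sh N  -> compare both backends on an N-rule ruleset.
bench() {
    f=$(mktemp)
    gen_ruleset "$1" > "$f"
    echo "rules: $(count_rules "$f")"
    measure iptables-legacy-restore "$f"
    measure iptables-nft-restore "$f"
    rm -f "$f" "$f".*.strace
}

if [ "$#" -ge 1 ]; then bench "$@"; fi
```

Run it several times at each ruleset size, since a single strace -c run only shows the count and syscall time for that one load; the per-packet evaluation cost raised in the reply is not covered by this script.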