The following two patches improve packet throughput in a test setup sending
UDP packets (using iperf3) between two netns. The ruleset used on the receiver
side is like this:

| *filter
| :test - [0:0]
| -A INPUT -j test
| -A INPUT -j ACCEPT
| -A test ! -s 10.0.0.0/10 -j DROP # this line repeats 10000 times
| COMMIT

These are the generated VM instructions for each rule:

| [ payload load 4b @ network header + 12 => reg 1 ]
| [ bitwise reg 1 = (reg=1 & 0x0000c0ff ) ^ 0x00000000 ]
| [ cmp eq reg 1 0x0000000a ]
| [ counter pkts 0 bytes 0 ]
| [ immediate reg 0 drop ]

Both sender and receiver reside within the 10/10 network; iperf3 is just used
to fill the (virtual) wire:

| iperf3 -c 10.0.0.2 -u -b 10G -t 1000

On the receiver side, the "packets received" counter of 'netstat -su' is
monitored to calculate throughput. Averaging over about a minute, these are
the figures:

legacy:          ~10000pkt/s
nft (base):       ~3000pkt/s
nft (patch1):     ~4000pkt/s
nft (patch1+2):   ~5200pkt/s

In summary, this increases nftables throughput for this specific test case
from 1/3 of legacy iptables to 1/2.

Phil Sutter (2):
  net: netfilter: Enable fast nft_cmp for inverted matches
  net: netfilter: Implement fast bitwise expression

 include/net/netfilter/nf_tables_core.h |  11 ++
 net/netfilter/nf_tables_core.c         |  15 ++-
 net/netfilter/nft_bitwise.c            | 141 +++++++++++++++++++++++--
 net/netfilter/nft_cmp.c                |  10 +-
 4 files changed, 164 insertions(+), 13 deletions(-)

-- 
2.28.0
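The measurement described in the cover letter, written out as a small harness so that the legacy vs. nft comparison can be repeated on another kernel. This is an added example, not code from the patch series or from its author. It assumes iproute2 with 'ip -n', iperf3, and the iptables-legacy-restore / iptables-nft-restore binaries; the namespace names (bench_tx, bench_rx), veth names, sender address 10.0.0.1 and pid-file path are choices made here, not anything the cover letter specifies. The ruleset generator and counter parsing run unprivileged; the benchmark itself needs root and is only executed when RUN_BENCH=1 is set.

```sh
#!/bin/sh
# Added example (not part of the patch series): reproduce the cover letter's
# throughput measurement. Namespace/veth names, the 10.0.0.1 sender address
# and the pid-file path are assumptions made for this harness.
set -eu

RULE_COUNT="${RULE_COUNT:-10000}"   # cover letter repeats the DROP rule 10000 times
SAMPLE_SECS="${SAMPLE_SECS:-60}"    # "averaging over about a minute"

# Emit the receiver ruleset in iptables-restore format: chain "test" holding
# $1 copies of "! -s 10.0.0.0/10 -j DROP" (none of them match, since both
# ends sit inside 10.0.0.0/10), followed by ACCEPT in INPUT.
gen_ruleset() {
    n="$1"
    printf '%s\n' '*filter' ':test - [0:0]' '-A INPUT -j test' '-A INPUT -j ACCEPT'
    i=0
    while [ "$i" -lt "$n" ]; do
        printf '%s\n' '-A test ! -s 10.0.0.0/10 -j DROP'
        i=$((i + 1))
    done
    printf '%s\n' 'COMMIT'
}

# Extract the UDP "packets received" counter from 'netstat -su' text on stdin
# (first match only; "packets to unknown port received" does not match).
packets_received() {
    awk '/packets received/ { print $1; exit }'
}

# Packets per second between two counter samples $3 seconds apart.
pps() {
    echo $(( ($2 - $1) / $3 ))
}

# Two namespaces joined by a veth pair; 10.0.0.1 sends, 10.0.0.2 receives.
setup_netns() {
    ip netns add bench_tx
    ip netns add bench_rx
    ip link add veth_tx type veth peer name veth_rx
    ip link set veth_tx netns bench_tx
    ip link set veth_rx netns bench_rx
    ip -n bench_tx addr add 10.0.0.1/10 dev veth_tx
    ip -n bench_rx addr add 10.0.0.2/10 dev veth_rx
    ip -n bench_tx link set veth_tx up
    ip -n bench_rx link set veth_rx up
}

teardown_netns() {
    ip netns del bench_tx 2>/dev/null || true
    ip netns del bench_rx 2>/dev/null || true
}

# Load the ruleset with restore binary $1 (iptables-legacy-restore or
# iptables-nft-restore), fill the wire with iperf3 as in the cover letter,
# and report the receive rate over SAMPLE_SECS.
measure() {
    restore="$1"
    gen_ruleset "$RULE_COUNT" | ip netns exec bench_rx "$restore"
    ip netns exec bench_rx iperf3 -s -D --pidfile /tmp/bench_iperf3.pid
    ip netns exec bench_tx iperf3 -c 10.0.0.2 -u -b 10G -t 1000 >/dev/null 2>&1 &
    sender=$!
    sleep 5   # let the flow settle before sampling
    before=$(ip netns exec bench_rx netstat -su | packets_received)
    sleep "$SAMPLE_SECS"
    after=$(ip netns exec bench_rx netstat -su | packets_received)
    kill "$sender" 2>/dev/null || true
    kill "$(cat /tmp/bench_iperf3.pid)" 2>/dev/null || true
    echo "$restore: $(pps "$before" "$after" "$SAMPLE_SECS") pkt/s"
}

if [ "${RUN_BENCH:-0}" = 1 ]; then
    trap teardown_netns EXIT
    setup_netns
    measure iptables-legacy-restore
    teardown_netns
    setup_netns
    measure iptables-nft-restore
fi
```

Run as root with RUN_BENCH=1 to get one line per backend; the namespaces are recreated between the two runs so the legacy ruleset cannot linger while nft is measured, and RULE_COUNT / SAMPLE_SECS can be lowered for a quick smoke test.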