On Tue, Apr 26, 2022 at 06:06:41PM +0200, Phil Sutter wrote:
[...]
> > Benchmark #3: match on mark
> >
> > *raw
> > :PREROUTING DROP [9:2781]
> > :OUTPUT ACCEPT [0:0]
> > -A PREROUTING -m mark --mark 100 -j DROP
> > [... 98 times same rule above to trigger mismatch ...]
> > -A PREROUTING -d 198.18.0.42/32 -j DROP # matching rule
> >
> > iptables-legacy 255Mb
> > iptables-nft 865Mb (+239.21%)
>
> Great results, but obviously biased test cases. Did you measure a more
> "realistic" ruleset?

The goal of the benchmark is to show that iptables-legacy is optimized
for five-tuple matching, while iptables-nft with dynamic register
allocation is generically optimized for any selector through native
nftables bytecode.

> > In these cases, iptables-nft generates netlink bytecode which uses the
> > native expressions, i.e. payload + cmp and meta + cmp.
>
> Sounds like a real point for further conversion into native nftables
> expressions where possible.

Exactly.
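To reproduce the "match on mark" ruleset discussed above, here is an added example (not part of the mail thread and not code from the netfilter project) that generates the benchmark ruleset in iptables-restore format and the native nftables form of the same chain, where the mark match is meta + cmp and the destination-address match is payload + cmp. Assumptions not stated in the mail: 98 decoy mark rules in total (the mail says "98 times"), counters zeroed, and the iptables-nft raw PREROUTING chain mapped to nft's priority raw (-300). The helper names (gen_mark_ruleset, gen_native_ruleset, count_iptables_rules, count_nft_rules, load_and_inspect) are this example's own.

```shell
#!/bin/sh
# Added example, not from the original mail: build the "match on mark"
# benchmark ruleset and its native nftables equivalent.
# Assumption: 98 decoy rules in total, counters zeroed.

# Emit the iptables-restore input: $1 copies of the never-matching mark
# rule (the benchmark traffic carries no mark), then the single rule that
# matches the destination the benchmark sends to.
gen_mark_ruleset() {
    n="${1:-98}"
    printf '%s\n' '*raw' ':PREROUTING DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    i=0
    while [ "$i" -lt "$n" ]; do
        printf '%s\n' '-A PREROUTING -m mark --mark 100 -j DROP'
        i=$((i + 1))
    done
    printf '%s\n' '-A PREROUTING -d 198.18.0.42/32 -j DROP'
    printf '%s\n' 'COMMIT'
}

# Emit the native nftables ruleset for the same chain. The mark match is
# compiled to meta load mark + cmp, the address match to payload load of
# the IPv4 daddr + cmp; no xtables match module is involved.
gen_native_ruleset() {
    n="${1:-98}"
    printf '%s\n' 'table ip raw {' \
        '    chain PREROUTING {' \
        '        type filter hook prerouting priority raw; policy drop;'
    i=0
    while [ "$i" -lt "$n" ]; do
        printf '%s\n' '        meta mark 100 drop'
        i=$((i + 1))
    done
    printf '%s\n' '        ip daddr 198.18.0.42 drop' '    }' '}'
}

# Count rules in an iptables-restore ruleset read from stdin.
count_iptables_rules() {
    grep -c '^-A '
}

# Count rules in the generated nft ruleset read from stdin
# (every rule ends in the drop verdict; "policy drop;" does not match).
count_nft_rules() {
    grep -c ' drop$'
}

# Load the ruleset through iptables-nft and dump the netlink expressions the
# kernel holds for the chain. Needs root and is not run by default.
load_and_inspect() {
    gen_mark_ruleset "$1" | iptables-nft-restore
    nft --debug=netlink list chain ip raw PREROUTING
}

case "${1:-iptables}" in
    iptables) gen_mark_ruleset ;;
    nft)      gen_native_ruleset ;;
    load)     load_and_inspect "${2:-98}" ;;
esac
```

Run with no argument to print the iptables-restore input (feed it to iptables-legacy-restore or iptables-nft-restore for the two sides of the benchmark), with `nft` to print the native ruleset for `nft -f`, and with `load` as root to see the meta/payload + cmp expressions iptables-nft actually sends.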