Hi all,

One more after switching to all rules and using only nft (removed qdisc from the kernel config and removed all iptables tables). In perf top I see nft_do_chain at up to 3-4% on all cores, and if I isolate with perf top -C X I see on one core it is up to 10-15%:

    31.26%  [pppoe]         [k] pppoe_rcv
     3.19%  [nf_tables]     [k] nft_do_chain
     2.46%  [kernel]        [k] __netif_receive_skb_core.constprop.0
     2.18%  [kernel]        [k] fib_table_lookup
     2.07%  [i40e]          [k] i40e_clean_rx_irq
     1.51%  [kernel]        [k] __dev_queue_xmit
     1.23%  [kernel]        [k] dev_queue_xmit_nit
     1.23%  [nf_conntrack]  [k] __nf_conntrack_find_get.isra.0
     1.20%  [kernel]        [k] __copy_skb_header
     1.19%  [kernel]        [k] kmem_cache_free
     1.17%  [kernel]        [k] skb_release_data
     1.06%  [nf_tables]     [k] nft_rhash_lookup

Are there options to optimize the work of the nft rule set?

And for the second question: is it possible to make this limiter work in a flowtable rule set, like this:

#table inet filter {
#	flowtable fastnat {
#		hook ingress priority 0; devices = { eth0, eth1 };
#	}
#
#	chain forward {
#		type filter hook forward priority 0; policy accept;
#		ip protocol { tcp , udp } flow offload @fastnat;
#	}
#}

And are there options to make the devices list dynamic, to add a device automatically or to add devices with *? If the limiter works in a flowtable it will offload traffic and reduce CPU load.

Martin

> On 23 Mar 2022, at 0:55, Martin Zaharinov <micron10@xxxxxxxxx> wrote:
> 
> Hi Florian
> 
> Yes, now it works perfectly.
> I will test with 1-4k IPs to see performance vs qdisc or iptables.
> 
> For the second offload question:
> 
> Is it possible to make the limiter work in offload mode, and is it possible to add dynamic interfaces like ppp* or vlan* or other types?
> 
> 
> 
> P.S.
> 
> Thanks for the fast reply on the first part!
> 
> P.S.2
> 
> Resending the mail to the netfilter group.
> 
> Martin
> 
>> On 22 Mar 2022, at 12:32, Florian Westphal <fw@xxxxxxxxx> wrote:
>> 
>> Martin Zaharinov <micron10@xxxxxxxxx> wrote:
>>> Hi Florian
>>> 
>>> This config looks good, but it does not work: after setting it the user is not limited by speed.
>> 
>> Works for me.
>> 
>> Before:
>> [ ID] Interval           Transfer     Bitrate         Retr
>> [  5]   0.00-10.00  sec  5.09 GBytes  4.37 Gbits/sec    0             sender
>> [  5]   0.00-10.00  sec  5.08 GBytes  4.36 Gbits/sec                  receiver
>> 
>> After:
>> [  5]   0.00-10.00  sec  62.9 MBytes  52.7 Mbits/sec    0             sender
>> [  5]   0.00-10.00  sec  59.8 MBytes  50.1 Mbits/sec                  receiver
>> 
>>> table inet nft-qos-static {
>>> 	set limit_ul {
>>> 		typeof ip saddr
>>> 		flags dynamic
>>> 		elements = { 10.0.0.1 limit rate over 5 mbytes/second burst 6000 kbytes, 10.0.0.254 limit rate over 12 mbytes/second burst 6000 kbytes }
>>> 	}
>>> 	set limit_dl {
>>> 		typeof ip saddr
>>> 		flags dynamic
>>> 		elements = { 10.0.0.1 limit rate over 5 mbytes/second burst 6000 kbytes, 10.0.0.254 limit rate over 12 mbytes/second burst 6000 kbytes }
>>> 	}
>>> 
>>> 	chain upload {
>>> 		type filter hook postrouting priority filter; policy accept;
>>> 		ip saddr @limit_ul drop
>>> 	}
>>> 	chain download {
>>> 		type filter hook prerouting priority filter; policy accept;
>>> 		ip saddr @limit_dl drop
>>> 	}
>> 
>> daddr?
>> 
>>> With this config the user with IP 10.0.0.1 is not limited to 5 mbytes.
>> 
>>> When I go back to this config:
>>> 
>>> table inet nft-qos-static {
>>> 	chain upload {
>>> 		type filter hook postrouting priority filter; policy accept;
>>> 		ip saddr 10.0.0.1 limit rate over 5 mbytes/second burst 6000 kbytes drop
>>> 	}
>>> 
>>> 	chain download {
>>> 		type filter hook prerouting priority filter; policy accept;
>>> 		ip daddr 10.0.0.1 limit rate over 5 mbytes/second burst 6000 kbytes drop
>>    ~~~~~
> 
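The thread's working form is the dynamic-set limiter with the download set matched on `ip daddr` (Florian's "daddr?"), and Martin's stated next step is to scale it to 1-4k IPs. The script below is an added example, not code from the thread or from the nftables project: it generates that corrected ruleset from a constructed per-subscriber plan (`ip upload_mbytes download_mbytes burst_kbytes`), so that the upload set is keyed on `ip saddr` and the download set on `ip daddr` rather than both on `ip saddr`. Table, set and chain names are taken from the thread; the plan format and the `gen_ruleset` / `elements_for` helpers are assumptions of this example. Two caveats a practitioner should keep in mind: `limit rate over ... drop` is a policer (excess packets are discarded, nothing is queued or shaped), and packets of a flow that has been handed to a flowtable bypass the prerouting/forward/postrouting hooks, so a limiter in those chains only sees a flow's packets until it is offloaded.

```shell
#!/bin/sh
# Added example, not from the thread: emit an nftables rate-limit ruleset
# from a per-subscriber plan using the dynamic-set form discussed above.
# The download set is keyed on ip daddr (the "daddr?" fix); the upload
# set on ip saddr. Plan format and helper names are assumptions.

# Constructed sample plan: "ip upload_mbytes download_mbytes burst_kbytes".
PLAN='10.0.0.1 5 10 6000
10.0.0.254 12 24 6000'

# elements_for FIELD: render the plan as comma-separated set elements,
# each carrying its own "limit rate over" stateful expression.
# FIELD is the plan column holding the rate: 2 = upload, 3 = download.
elements_for() {
    printf '%s\n' "$PLAN" | awk -v col="$1" '
        NF >= 4 {
            e = sprintf("%s limit rate over %s mbytes/second burst %s kbytes",
                        $1, $col, $4)
            out = (out == "") ? e : (out ", " e)
        }
        END { print out }'
}

# gen_ruleset: print the complete table; pipe into "nft -c -f -" to
# syntax-check it, or "nft -f -" to load it.
gen_ruleset() {
    ul=$(elements_for 2)
    dl=$(elements_for 3)
    cat <<EOF
table inet nft-qos-static {
	set limit_ul {
		typeof ip saddr
		flags dynamic
		elements = { $ul }
	}
	set limit_dl {
		typeof ip daddr
		flags dynamic
		elements = { $dl }
	}

	chain upload {
		type filter hook postrouting priority filter; policy accept;
		ip saddr @limit_ul drop
	}
	chain download {
		type filter hook prerouting priority filter; policy accept;
		ip daddr @limit_dl drop
	}
}
EOF
}

gen_ruleset
```

`gen_ruleset | nft -c -f -` checks the generated text against the installed nft without touching the kernel; once it passes, `gen_ruleset | nft -f -` loads it. Because the sets are ordinary named sets, per-subscriber changes can later be made with `nft add element` / `nft delete element` instead of reloading the whole table.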