On 22/04/2024 17:12, William N. wrote:
> Thanks for the feedback, Quentin!
> It's great to have you here.
>
> As discussed in another thread recently, I wonder what your testing
> procedures are to compare the performance of one ruleset with that of
> another for the purpose of hopefully optimizing whatever is possible.

I've used pktgen [0], which is a kernel module able to generate fake traffic at very high speed. You can define the packet size and rate. Using two servers, I've been able to estimate the processing rate of iptables, nftables, and bpfilter's BPF programs by using the rules packet counters.

I'm not 100% sure checking the rules counters is the best approach, but it's convenient and reliable.

[0]: https://docs.kernel.org/networking/pktgen.html