Another test, using only invalid packets, shows the opposite result:

    timeout 65s hping3 <host> --flood --xmas

When dropping in ingress:

    14455889 packets transmitted (on <host>)
    load average: 0.26, 0.30, 0.18

When dropping in prerouting (conntrack 'invalid'):

    13794361 packets transmitted (on <host>)
    load average: 0.55, 0.29, 0.19

So, after all, dropping in ingress seems faster (5% more packets for the same time) and x2 less resource intensive.