Hi,
Since it is possible to do the same thing using different rules, I am
looking for the most optimal (low resource usage, high speed) way to
write my rules.
Here is just a very simple test to compare the different approaches:
#!/usr/sbin/nft -f
flush ruleset
table ip6 t {
# Goal: fast processing through early "exit"
chain A {
ip6 hoplimit != 255 return
icmpv6 type != 133 return
icmpv6 code != 0 return
accept
}
# Goal: compact syntax
chain B {
icmpv6 type . icmpv6 code . ip6 hoplimit {
133 . 0 . 255
} \
accept
return
}
# Goal: no specific, using "general" syntax
chain C {
icmpv6 type 133 icmpv6 code 0 ip6 hoplimit 255 \
accept
return
}
}
Looking at the output of 'nft -c --debug=netlink -f <this file>', it
seems:
- chain A would work best (least instructions to verdict) if there is
no match (e.g. if hoplimit is indeed not 255) but in all other cases
the total number of instructions to be processed is greater
- chain B and C seem to have the same number of instructions but
perhaps B would outperform C in case of multiple elements in the set
(e.g. more types or codes to check)
Also, it is not clear what is the actual "load" of different
instructions in terms of CPU cycles and memory, i.e. one instruction
may look as "one" but may actually cost more than another 2, right?
What is the proper way to evaluate and optimize rule efficiency?
