On 02.07.24 at 21:03, William N. wrote:
- chain A would work best (fewest instructions to a verdict) if there is no match (e.g. if hoplimit is indeed not 255), but in all other cases the total number of instructions to be processed is greater
- chains B and C seem to have the same number of instructions, but perhaps B would outperform C in the case of multiple elements in the set (e.g. more types or codes to check)
Also, it is not clear what the actual "load" of different instructions is in terms of CPU cycles and memory, i.e. one instruction may look like "one" but may actually cost more than another two, right? What is the proper way to evaluate and optimize rule efficiency?
understanding what your primary load is and making final decisions as soon as possible
"ctstate RELATED,ESTABLISHED" hits 99% of all packets, and after that you only handle new connections
when you have 99% of your load on port 443 and there are 50 other rules for whatever services before the ACCEPT rule, they are all evaluated
the same for drop/reject rules - the ones which hit most of the time go on top; you have rule counters for how many packets every rule triggered
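As an added example (not code from either poster), the following POSIX shell script turns the "look at the rule counters" advice into a repeatable check. It parses the per-rule counters from `nft -a list chain ...` output, ranks the rules by packets matched, and estimates how many rule evaluations the current order wastes versus a counter-sorted order. The listing is constructed sample data, not real traffic; it assumes every rule carries a `counter` expression (nft only counts when asked) and that listing order is evaluation order. The function names (`rule_table`, `hot_order`, `current_cost`, `sorted_cost`) are my own.

```shell
#!/bin/sh
# Added example: rank the rules of an nftables chain by packets matched and
# estimate the evaluation cost of the current rule order.
# Assumes each rule has a `counter` expression; listing order == evaluation order.

# Constructed sample of `nft -a list chain inet filter input` (not real data).
SAMPLE='table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" counter packets 3400 bytes 210000 accept # handle 1
        tcp dport 22 counter packets 12 bytes 800 accept # handle 2
        tcp dport 25 counter packets 0 bytes 0 accept # handle 3
        tcp dport 80 counter packets 950 bytes 60000 accept # handle 4
        tcp dport 443 counter packets 9800000 bytes 8100000000 accept # handle 5
        ct state related,established counter packets 48000000 bytes 61000000000 accept # handle 6
    }
}'

# Print "position handle packets rule-text" for each counted rule, in chain order.
rule_table() {
    printf '%s\n' "$1" | awk '
        / counter packets [0-9]+ / && / # handle [0-9]+/ {
            pos++
            for (i = 1; i <= NF; i++) {
                if ($i == "packets") pkts = $(i + 1)
                if ($i == "handle")  h = $(i + 1)
            }
            text = $0
            sub(/^[ \t]+/, "", text)           # drop indentation
            sub(/ counter packets .*/, "", text) # keep only the match expression
            printf "%d %s %s %s\n", pos, h, pkts, text
        }'
}

# Rule handles in descending packet-count order: the order the chain would
# want if the rules match disjoint traffic (the "hottest rule first" advice).
hot_order() {
    rule_table "$1" | sort -k3,3nr -k1,1n |
        awk '{ printf "%s%s", (NR > 1 ? " " : ""), $2 } END { print "" }'
}

# Evaluations spent on rules that did NOT match before the matching rule was
# reached: sum over rules of packets * (rules evaluated before it).
current_cost() {
    rule_table "$1" | awk '{ total += $3 * ($1 - 1) } END { printf "%d\n", total }'
}

# Same cost if the rules were ordered by the counters instead.
sorted_cost() {
    rule_table "$1" | sort -k3,3nr -k1,1n |
        awk '{ total += $3 * (NR - 1) } END { printf "%d\n", total }'
}

# Report for the sample. On a live system (root) feed real output instead:
#   hot_order "$(nft -a list chain inet filter input)"
printf 'rules by packets matched (handles): %s\n' "$(hot_order "$SAMPLE")"
printf 'wasted evaluations, current order:  %s\n' "$(current_cost "$SAMPLE")"
printf 'wasted evaluations, counter order:  %s\n' "$(sorted_cost "$SAMPLE")"
```

Two caveats before acting on the numbers. Reordering is only meaning-preserving when the rules being moved match disjoint traffic or have the same verdict; pulling an `accept` above a `drop` that used to shadow part of it changes policy, so check overlaps by hand. Counters are also cumulative since the last `nft reset counters`, so reset them and measure over a window that reflects real load. The cost model counts rules, not instructions; it is a proxy for the per-rule cost William asks about, and `nft --debug=netlink` shows the actual expressions a rule compiles to if you need to compare individual rules.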