On Wed, 3 Jul 2024 11:37:10 +0200 Reindl Harald wrote:

> understanding what is your primary load and make final decisions as
> soon as possible
>
> "ctstate RELATED,ESTABLISHED" hits 99% of all packets and after that
> you only handle new connections

That particular problem was discussed in another thread:
https://marc.info/?t=171360284600001&r=1&w=2

A little side note: the capitalized words imply iptables syntax. In case I may somehow have been misunderstood, please let me note, just for the sake of clarity, that the actual question is about nftables.

> when you have 99% of your load on port 443 and before the ACCEPT rule
> are 50 other rules for whatever services they are all evaluated
>
> the same for drop/reject rules - on top the ones which hit most of
> the time

Sure. That is clear. The question is not how to order rules but how to write a rule in the most optimal way and to evaluate its performance, i.e. I would like to go beyond ordering and into the rule itself.

> you have rule counters how much packets every rule triggered

Counters don't tell how much system resources a rule consumes.
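As an added illustration of the two points raised in this exchange, written in nftables syntax rather than the iptables wording quoted above (this is example code, not from either poster): the conntrack fast path goes first so that established/related traffic never reaches the per-service rules, and the "50 other rules before port 443" linear walk is replaced by a single verdict-map lookup, which is the rule-level optimisation nftables offers beyond mere ordering. Per-rule `counter` statements are kept so `nft list ruleset` shows hit counts. The table/chain names, the SSH management prefix and the port list are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): an nftables ruleset that puts the
# conntrack fast path first and replaces a linear list of per-port accepts
# with one verdict-map lookup. Chain names, ports and the management
# prefix below are constructed for illustration.

gen_ruleset() {
cat <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Fast path first: packets of existing flows are accepted here and
        # never evaluate anything below this line.
        ct state established,related counter accept
        ct state invalid counter drop

        iif lo accept

        # One set lookup instead of N linear port rules: adding services to
        # the map does not add per-packet evaluation cost the way extra
        # rules before the port-443 accept would.
        tcp dport vmap { 22 : jump ssh_in, 80 : accept, 443 : accept }

        # Everything else: counted, then dropped by policy.
        counter drop
    }

    chain ssh_in {
        # Hypothetical management prefix (constructed, RFC 5737 range).
        ip saddr 192.0.2.0/24 counter accept
        counter drop
    }
}
EOF
}

# Returns 0 when the established,related rule precedes the first port rule
# in the generated ruleset, i.e. the fast path really is first.
ct_rule_first() {
    gen_ruleset | awk '
        /ct state established,related/ { ct = NR }
        /tcp dport/ && !port { port = NR }
        END { if (ct && port && ct < port) exit 0; exit 1 }'
}

# Usage:  gen_ruleset > /tmp/nft.conf && nft -c -f /tmp/nft.conf
# "nft -c" only checks the file; "nft -f" loads it. "nft list ruleset"
# then shows per-rule packet/byte counters, which record how often a rule
# matched, not how much CPU it cost.
```

The counters confirm which rules the traffic actually reaches, which is useful for validating the ordering; measuring the cost of an individual rule is a separate question that counters alone do not answer.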