Re: nftables rule optimization - evaluating efficiency

On Wed, 3 Jul 2024 11:37:10 +0200 Reindl Harald wrote:

> understanding what is your primary load and make final decisions as
> soon as possible
> 
> "ctstate RELATED,ESTABLISHED" hits 99% of all packages and after that 
> you only handle new connections

That particular problem was discussed in another thread:

https://marc.info/?t=171360284600001&r=1&w=2

A little side note: The capitalized words imply iptables syntax. In
case I may somehow have been misunderstood, please let me note just for
the sake of clarity that the actual question is about nftables.

> when you have 99% of your load on port 443 and before the ACCEPT rule 
> are 50 others rules for whatever services they are all evaluated
> 
> the same for drop/reject rules - on top the ones which hit most of
> the time

Sure. That is clear. The question is not how to order rules but how to
write a rule in the most optimal way and to evaluate its performance,
i.e. I would like to go beyond ordering and into the rule itself.

> you have rule counters how much packets every rule triggered

Counters don't tell how much system resources a rule consumes.
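To make the counter-versus-cost distinction concrete, here is an added Python example (written for this page, not code from either poster or from the nftables project). It reads the JSON that `nft -j list ruleset` prints, ranks the rules of a chain by their counter hits (the ordering heuristic from the quoted mail), and then estimates how many packets each rule actually had to *evaluate*, which is the quantity that drives CPU time and which the counters alone do not show. The ruleset embedded below is constructed for the example, and it assumes one convention that nft does not impose: the first rule of the chain is a bare `counter` so the chain's total intake is known. The resulting evaluation counts still say nothing about what one evaluation of a given rule costs (a conntrack lookup versus a payload compare), which is exactly the open question in this thread.

```python
"""Rank nftables rules by counter hits and estimate per-rule evaluations
from the JSON that `nft -j list ruleset` prints. Added example; the
sample ruleset below is constructed, not captured from a real system."""
import json

# Constructed sample in the shape of `nft -j list ruleset` output. The chain
# deliberately puts the ct state established,related rule last, behind two
# service rules, the ordering the thread argues against.
SAMPLE_RULESET = json.dumps({"nftables": [
    {"metainfo": {"version": "1.0.9", "json_schema_version": 1}},
    {"chain": {"family": "inet", "table": "filter", "name": "input", "handle": 1,
               "type": "filter", "hook": "input", "prio": 0, "policy": "drop"}},
    # Bare counter as first rule: records everything entering the chain (assumed convention).
    {"rule": {"family": "inet", "table": "filter", "chain": "input", "handle": 2,
              "expr": [{"counter": {"packets": 1000000, "bytes": 900000000}}]}},
    {"rule": {"family": "inet", "table": "filter", "chain": "input", "handle": 3,
              "expr": [{"match": {"op": "==", "left": {"ct": {"key": "state"}}, "right": "new"}},
                       {"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": 22}},
                       {"counter": {"packets": 5000, "bytes": 400000}}, {"accept": None}]}},
    {"rule": {"family": "inet", "table": "filter", "chain": "input", "handle": 4,
              "expr": [{"match": {"op": "==", "left": {"ct": {"key": "state"}}, "right": "new"}},
                       {"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": 443}},
                       {"counter": {"packets": 20000, "bytes": 1500000}}, {"accept": None}]}},
    {"rule": {"family": "inet", "table": "filter", "chain": "input", "handle": 5,
              "expr": [{"match": {"op": "==", "left": {"ct": {"key": "state"}}, "right": ["established", "related"]}},
                       {"counter": {"packets": 960000, "bytes": 890000000}}, {"accept": None}]}},
]})

# Verdicts that end evaluation of the current chain for a packet.
TERMINAL = ("accept", "drop", "reject", "return", "goto")

def load_rules(ruleset_json, family, table, chain):
    """Rules of one chain, in the order nft evaluates them."""
    doc = json.loads(ruleset_json)
    return [o["rule"] for o in doc["nftables"] if "rule" in o
            and (o["rule"]["family"], o["rule"]["table"], o["rule"]["chain"]) == (family, table, chain)]

def describe(rule):
    """Approximate nft syntax for a rule's matches and verdict (counters omitted)."""
    parts = []
    for expr in rule["expr"]:
        if "match" in expr:
            m, left = expr["match"], expr["match"]["left"]
            if "ct" in left:
                key = "ct " + left["ct"]["key"]
            else:  # only ct and payload matches appear in the sample
                key = left["payload"]["protocol"] + " " + left["payload"]["field"]
            right = m["right"]
            right = ",".join(map(str, right)) if isinstance(right, list) else str(right)
            parts.append(f"{key} {right}" if m["op"] == "==" else f"{key} {m['op']} {right}")
        else:
            parts.extend(v for v in TERMINAL + ("jump",) if v in expr)
    return " ".join(parts) or "counter"

def packets(rule):
    """Packets the rule's counter has seen, or None if it carries no counter."""
    for expr in rule["expr"]:
        if "counter" in expr:
            return expr["counter"]["packets"]
    return None

def is_terminal(rule):
    return any(v in expr for expr in rule["expr"] for v in TERMINAL)

def rank_by_hits(rules):
    """The ordering heuristic: most-hit rules first. Returns (handle, packets, text)."""
    return sorted(((r["handle"], packets(r) or 0, describe(r)) for r in rules),
                  key=lambda t: t[1], reverse=True)

def estimate_evaluations(rules):
    """Per rule: (handle, text, packets that reached it, packets it matched).
    rules[0] must be the bare intake counter. A rule is evaluated by every
    packet not already consumed by an earlier terminal rule."""
    remaining, rows = packets(rules[0]), []
    for r in rules[1:]:
        hits = packets(r) or 0
        rows.append((r["handle"], describe(r), remaining, hits))
        if is_terminal(r):
            remaining -= hits
    return rows

def total_evaluations(rules, entered):
    """Sum of per-rule evaluations for a candidate ordering, as a cost proxy.
    Assumes the rules' match sets are disjoint (true here: 'ct state new'
    versus 'established,related'), so a rule's hit count does not depend on
    its position. This counts how often a rule runs, not what one run costs."""
    remaining, total = entered, 0
    for r in rules:
        total += remaining
        if is_terminal(r):
            remaining -= packets(r) or 0
    return total

if __name__ == "__main__":
    rules = load_rules(SAMPLE_RULESET, "inet", "filter", "input")
    for handle, text, reached, hits in estimate_evaluations(rules):
        print(f"handle {handle}  evaluated {reached:>9}  matched {hits:>9}  {text}")
    entered = packets(rules[0])
    print("evaluations, current order:", total_evaluations(rules[1:], entered))
    print("evaluations, established,related first:",
          total_evaluations([rules[3], rules[1], rules[2]], entered))
```

On a live system the same functions run over `subprocess.check_output(["nft", "-j", "list", "ruleset"])` instead of the embedded sample. In the sample, moving the `ct state established,related` rule to the front cuts the summed evaluations from 2,970,000 to 1,075,000 without changing what any packet ends up doing; that is the ordering argument in numbers. What it cannot tell you is the per-evaluation cost of a rule, which has to be measured (for example with `perf` under a synthetic load) rather than read from counters.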
