From: "William N." <netfilter@riseup.net>
To: netfilter@vger.kernel.org
Subject: Re: nftables rule optimization - evaluating efficiency
Date: Wed, 3 Jul 2024 10:44:27 -0000
Message-ID: <20240703104427.1718eb5e@localhost>
In-Reply-To: <3d2ba9fe-0265-46ee-a98b-9d6a1c84cca4@thelounge.net>

On Wed, 3 Jul 2024 11:37:10 +0200 Reindl Harald wrote:

> understanding what is your primary load and make final decisions as
> soon as possible
> 
> "ctstate RELATED,ESTABLISHED" hits 99% of all packages and after that
> you only handle new connections

That particular problem was discussed in another thread:

https://marc.info/?t=171360284600001&r=1&w=2

A little side note: The capitalized words imply iptables syntax. In
case I may somehow have been misunderstood, please let me note, just for
the sake of clarity, that the actual question is about nftables.

> when you have 99% of your load on port 443 and before the ACCEPT rule
> are 50 other rules for whatever services they are all evaluated
> 
> the same for drop/reject rules - on top the ones which hit most of
> the time

Sure. That is clear. The question is not how to order rules but how to
write a rule in the most optimal way and to evaluate its performance,
i.e. I would like to go beyond ordering and into the rule itself.

> you have rule counters how much packets every rule triggered

Counters don't tell how much system resources a rule consumes.
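As an added illustration that is not part of any message in this thread: the quoted iptables-style advice written in nftables syntax, with a counter on each rule so `nft list ruleset` shows hit frequency, and a verdict map in place of a linear run of per-service rules (one lookup instead of N rule evaluations). The table name, chain names, the 192.0.2.0/24 blocklist entry and the service ports are constructed placeholders.

```nft
# Added example (not from the thread). Load with: nft -c -f FILE (syntax check), then nft -f FILE
table inet filter {
    chain ssh_in {
        # constructed policy: rate-limit new SSH connections, count what is dropped
        limit rate 10/minute burst 5 packets counter accept
        counter drop
    }

    # constructed blocklist; an interval set is matched with one lookup, not one rule per prefix
    set blocklist {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24 }
    }

    # one map lookup replaces a chain of sequential "tcp dport X accept" rules
    map tcp_services {
        type inet_service : verdict
        elements = { 22 : jump ssh_in, 80 : accept, 443 : accept }
    }

    chain input {
        type filter hook input priority filter; policy drop;

        # the bulk of traffic (established flows) is decided here, before anything else
        ct state established,related counter accept
        ct state invalid counter drop
        iif lo accept

        # frequently hit drop rules next: a cheap decision for the noisiest unwanted packets
        ip saddr @blocklist counter drop

        # new TCP connections: verdict map instead of N sequential rules
        tcp dport vmap @tcp_services

        # whatever falls through is counted so the default policy is visible in the counters
        counter drop
    }
}
```

The counters report how often each rule matched; they say nothing about what a rule costs to evaluate, which is the separate question raised in the reply.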
