author | Phil Sutter <phil@nwl.cc> | 2019-08-28 22:10:40 +0200 |
---|---|---|
committer | Phil Sutter <phil@nwl.cc> | 2019-09-23 13:05:50 +0200 |
commit | 5a0294901db1df0d8b1f22c2f64e3b967562ad2e (patch) | |
tree | 62fd33280000a43d6e3efa984276d9fc458e377e /extensions/libarpt_CLASSIFY.t | |
parent | 3897b008281888f7905cc1857ccb316cdf686061 (diff) |
nft Increase mnl_talk() receive buffer size
This improves cache population quite a bit and therefore helps when
dealing with large rulesets. A simple hard-to-improve use case is
listing the last rule in a large chain. These are the average program
run times depending on number of rules:
rule count | legacy | nft old | nft new
---|---|---|---
50,000 | .052s | .611s | .406s
100,000 | .115s | 2.12s | 1.24s
150,000 | .265s | 7.63s | 4.14s
200,000 | .411s | 21.0s | 10.6s
So while legacy iptables is still magnitudes faster, this simple change
doubles iptables-nft performance in ideal cases.
Note that using a larger buffer than 32KB doesn't further improve
performance since the Linux kernel won't transmit more data at once. This
limit was set (actually extended from 16KB) in kernel commit
d35c99ff77ecb ("netlink: do not enter direct reclaim from
netlink_dump()").
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'extensions/libarpt_CLASSIFY.t')
0 files changed, 0 insertions, 0 deletions