author: Phil Sutter <> 2019-08-28 22:10:40 +0200
committer: Phil Sutter <> 2019-09-23 13:05:50 +0200
commit: 5a0294901db1df0d8b1f22c2f64e3b967562ad2e
parent: 3897b008281888f7905cc1857ccb316cdf686061

nft: Increase mnl_talk() receive buffer size
This improves cache population quite a bit and therefore helps when dealing with large rulesets. A simple, hard-to-improve use-case is listing the last rule in a large chain. These are the average program run times depending on number of rules:

    rule count | legacy | nft old | nft new
    ---------------------------------------
       50,000  | .052s  |  .611s  |  .406s
      100,000  | .115s  |  2.12s  |  1.24s
      150,000  | .265s  |  7.63s  |  4.14s
      200,000  | .411s  |  21.0s  |  10.6s

So while legacy iptables is still magnitudes faster, this simple change doubles iptables-nft performance in ideal cases.

Note that using a larger buffer than 32KB doesn't further improve performance since the Linux kernel won't transmit more data at once. This limit was set (actually extended from 16KB) in kernel commit d35c99ff77ecb ("netlink: do not enter direct reclaim from netlink_dump()").

Signed-off-by: Phil Sutter <>
Acked-by: Pablo Neira Ayuso <>
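The two claims in the commit message, that the kernel hands a netlink dump to userspace in chunks of at most 32 KB and that a receive buffer smaller than a chunk loses data rather than just slowing things down, can be checked directly. The program below is an added example, not code from iptables or libmnl: it runs an RTM_GETLINK dump over a raw NETLINK_ROUTE socket (no libmnl dependency) into a buffer of a chosen size and reports how many recvmsg() calls the dump took, the largest chunk the kernel delivered, and whether a chunk was cut off. The cut-off case is the one mnl_talk() would hit with too small a buffer: the kernel sets MSG_TRUNC and discards the remainder of that datagram, which libmnl's mnl_socket_recvfrom() surfaces as ENOSPC. The names dump_links() and struct dump_stats are chosen here and are not part of either project.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>

/* Per-dump statistics: how the kernel chunked its reply for a given buffer.
 * (Hypothetical helper type for this example, not an iptables/libmnl API.) */
struct dump_stats {
	int links;         /* RTM_NEWLINK records received */
	int recv_calls;    /* recvmsg() calls until NLMSG_DONE */
	size_t max_chunk;  /* largest single datagram the kernel handed us */
	int truncated;     /* 1 if a chunk did not fit in the buffer */
};

/*
 * Dump all network links (RTM_GETLINK + NLM_F_DUMP) into a receive buffer
 * of `bufsize` bytes. Returns the link count, or -1 on error/truncation.
 * A too-small buffer is reported, not papered over: the kernel flags
 * MSG_TRUNC and drops the rest of that datagram.
 */
static int dump_links(size_t bufsize, struct dump_stats *st)
{
	memset(st, 0, sizeof(*st));

	int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
	if (fd < 0)
		return -1;

	struct {
		struct nlmsghdr nlh;
		struct ifinfomsg ifm;
	} req = {
		.nlh = {
			.nlmsg_len = NLMSG_LENGTH(sizeof(struct ifinfomsg)),
			.nlmsg_type = RTM_GETLINK,
			.nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP,
			.nlmsg_seq = 1,
		},
		.ifm = { .ifi_family = AF_UNSPEC },
	};
	if (send(fd, &req, req.nlh.nlmsg_len, 0) < 0) {
		close(fd);
		return -1;
	}

	char *buf = malloc(bufsize);
	if (!buf) {
		close(fd);
		return -1;
	}

	int rc = 0, done = 0;
	while (!done) {
		struct iovec iov = { .iov_base = buf, .iov_len = bufsize };
		struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1 };
		ssize_t n = recvmsg(fd, &msg, 0);
		if (n < 0) {
			rc = -1;
			break;
		}
		st->recv_calls++;
		if ((size_t)n > st->max_chunk)
			st->max_chunk = (size_t)n;
		if (msg.msg_flags & MSG_TRUNC) {	/* datagram larger than buf */
			st->truncated = 1;
			rc = -1;
			break;
		}

		/* Walk every message in this chunk; one chunk carries many links. */
		int remaining = (int)n;
		struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
		for (; NLMSG_OK(nlh, remaining); nlh = NLMSG_NEXT(nlh, remaining)) {
			if (nlh->nlmsg_type == NLMSG_DONE) {
				done = 1;
				break;
			}
			if (nlh->nlmsg_type == NLMSG_ERROR) {
				rc = -1;
				done = 1;
				break;
			}
			if (nlh->nlmsg_type == RTM_NEWLINK)
				st->links++;
		}
		/* Leftover bytes that are not a whole message mean a cut datagram. */
		if (!done && remaining > 0) {
			st->truncated = 1;
			rc = -1;
			break;
		}
	}

	free(buf);
	close(fd);
	return rc < 0 ? -1 : st->links;
}

int main(void)
{
	/* 64 is deliberately too small; 65536 is above the kernel's per-recv cap. */
	const size_t sizes[] = { 64, 4096, 16384, 32768, 65536 };
	for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
		struct dump_stats st;
		int r = dump_links(sizes[i], &st);
		printf("buf %6zu: links=%d recv_calls=%d max_chunk=%zu%s\n",
		       sizes[i], r, st.recv_calls, st.max_chunk,
		       st.truncated ? " (truncated)" : "");
	}
	return 0;
}
```

The commit's point shows up in max_chunk: it never exceeds 32768 no matter how large the buffer is, so recv_calls stops falling once the buffer reaches 32 KiB. On a host with only a handful of interfaces the whole link table fits in one chunk and every size from 4096 up looks identical; add a few hundred dummy links first (ip link add ... type dummy) to see the chunking. The 64-byte run is the failure mode the buffer size guards against: the first chunk is cut, the function returns -1, and nothing downstream gets a chance to parse a half message.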
1 files changed, 1 insertions, 1 deletions
diff --git a/iptables/nft.c b/iptables/nft.c
index 77ebc4f6..8047a51f 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -101,7 +101,7 @@ int mnl_talk(struct nft_handle *h, struct nlmsghdr *nlh,
void *data)
int ret;
- char buf[16536];
+ char buf[32768];
if (mnl_socket_sendto(h->nl, nlh, nlh->nlmsg_len) < 0)
return -1;
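Review bot: `char buf[32768];` is a bare magic number whose justification (the 32KB per-dump kernel limit cited in the commit message) lives only in git history; a named constant with a one-line comment beside it, e.g. `/* kernel hands out at most 32KB per dump recv, see d35c99ff77ecb */`, would stop the next person from bumping it upward expecting another speedup. Worth noting that the value being replaced, 16536, is not 16 KiB (16384) either, so the old line reads as a long-standing typo rather than a tuned size. Since this is a stack array in mnl_talk(), also confirm the callers are comfortable with 32 KiB of stack plus whatever the callback needs; fine for a CLI binary, less so if this path ever runs on a small thread stack.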