From 5a0294901db1df0d8b1f22c2f64e3b967562ad2e Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Wed, 28 Aug 2019 22:10:40 +0200 Subject: nft Increase mnl_talk() receive buffer size This improves cache population quite a bit and therefore helps when dealing with large rulesets. A simple hard to improve use-case is listing the last rule in a large chain. These are the average program run times depending on number of rules: rule count | legacy | nft old | nft new --------------------------------------------------------- 50,000 | .052s | .611s | .406s 100,000 | .115s | 2.12s | 1.24s 150,000 | .265s | 7.63s | 4.14s 200,000 | .411s | 21.0s | 10.6s So while legacy iptables is still magnitudes faster, this simple change doubles iptables-nft performance in ideal cases. Note that using a larger buffer than 32KB doesn't further improve performance since linux kernel won't transmit more data at once. This limit was set (actually extended from 16KB) in kernel commit d35c99ff77ecb ("netlink: do not enter direct reclaim from netlink_dump()"). Signed-off-by: Phil Sutter Acked-by: Pablo Neira Ayuso --- iptables/nft.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'iptables') diff --git a/iptables/nft.c b/iptables/nft.c index 77ebc4f6..8047a51f 100644 --- a/iptables/nft.c +++ b/iptables/nft.c @@ -101,7 +101,7 @@ int mnl_talk(struct nft_handle *h, struct nlmsghdr *nlh, void *data) { int ret; - char buf[16536]; + char buf[32768]; if (mnl_socket_sendto(h->nl, nlh, nlh->nlmsg_len) < 0) return -1; -- cgit v1.2.3