payload: refine payload expr merging
nf_tables can handle payload exprs for sizes <= sizeof(u32) via a direct operation from the eval loop, rather than a a call to the payload expression. Two loads for four byte quantities are thus faster than a single load for an 8 byte load. ip saddr ip daddr is faster with this applied, even though it involves two payload and two two compare expressions, just because all can be handled from the main loop without any calls to expression ops. Keep merging for linklayer and when at least one of the expressions already exceeded the 4 byte "limit" anyway. Signed-off-by: Florian Westphal <> Acked-by: Pablo Neira Ayuso <>
diff --git a/tests/shell/testcases/nft-f/dumps/0012different_defines_0.nft b/tests/shell/testcases/nft-f/dumps/0012different_defines_0.nft
--- a/tests/shell/testcases/nft-f/dumps/0012different_defines_0.nft
+++ b/tests/shell/testcases/nft-f/dumps/0012different_defines_0.nft
@@ -4,7 +4,7 @@ table inet t {
iifname { "whatever" } iif { "lo" } meta mark 0x0000007b
ct state established,related,new
ct state != established | related | new
- ip saddr ip saddr ip daddr
+ ip saddr ip daddr ip saddr
ip6 daddr fe0::1 ip6 saddr fe0::2
ip saddr vmap { : drop, : accept }
ip6 daddr vmap { fe0::1 : drop, fe0::2 : accept }