Madivelopa a subsystem yosefera ndikusintha mapaketi a netiweki a Netfilter seti ya zigamba zomwe zimafulumizitsa kwambiri kukonza mndandanda wamapu akulu (ma seti a nftables), omwe amafunikira kuyang'ana kuphatikiza kwa ma subnets, ma network, ma protocol ndi ma adilesi a MAC. Zigamba zavomerezedwa kale kunthambi , yomwe iperekedwa kuti ikhale mu Linux 5.7 kernel. Kuthamanga kowoneka bwino kunakwaniritsidwa chifukwa Malangizo a AVX2 (m'tsogolomu, akukonzekera kufalitsa kukhathamiritsa kofananako kutengera malangizo a NEON a ARM).
Zowonjezera zomwe zapangidwa ku module (PIle PAcket POLICies), yomwe imathetsa vuto lofananiza zomwe zili mu paketi yokhala ndi magawo osasinthika a magawo omwe amagwiritsidwa ntchito posefa malamulo, monga ma IP ndi ma network a port ranges (nft_set_rbtree ndi nft_set_hash amawongolera kufananitsa kwanthawi ndikuwonetsa molunjika pamakhalidwe). Mtundu wa pipapo vectorized ndi malangizo a 256-bit AVX2 pamakina okhala ndi purosesa ya AMD Epyc 7402 adawonetsa kuchuluka kwa magwiridwe antchito a 420% polemba zolemba 30 zomwe zidaphatikiza zomangira ma port-protocol. Kuwonjezeka kwa kufananitsa ulalo kuchokera ku subnet ndi nambala ya doko pophatikiza zolowa 1000 kunali 87% kwa IPv4 ndi 128% kwa IPv6.
Kukhathamiritsa kwina, kulola kugwiritsa ntchito magulu a mapu a 8-bit m'malo mwa 4-bit, kunawonetsanso zopindulitsa zoyezeka: 66% pophatikiza zolowa 30k port-protocol, 43% for subnet_IPv4-port, ndi 61% for subnet_IPv6-port. Ponseponse, poganizira kukhathamiritsa kwa AVX2, ntchito ya pipapo idakwera pamayesowa ndi 766%, 168% ndi 269%, motsatana. Makhalidwe omwe amapezedwa pofananiza zovuta ali patsogolo pa mayeso a magawo amodzi (kupatulapo kuyesa kwa doko + protocol), koma mpaka pano amatsalira kumbuyo kwa mayeso achindunji pogwiritsa ntchito ndikugwetsa othandizira kutengera netdev.
Source: opennet.ru