Bahlahisi ba Netfilter filtering le subsystem ea phetoho bakeng sa lipakete tsa marang-rang sete ea li-patches tse potlakisang haholo ho sebetsana le manane a maholo a lipapali (li-nftables set), tse hlokang ho hlahloba motsoako oa li-subnets, likoung tsa marang-rang, protocol le liaterese tsa MAC. Lipache li se li amohetsoe lekaleng , e tla sisinngoa hore e kenyelelitsoe ho Linux 5.7 kernel. Ho potlakisa ka ho fetisisa ho ile ha finyelloa ka lebaka la Litaelo tsa AVX2 (nakong e tlang ho reriloe ho phatlalatsa lintlafatso tse tšoanang ho latela litaelo tsa NEON bakeng sa ARM).
Lintlafatso tse kenyellelitsoeng mojuleng (PIle Packet POLICies), e rarollang bothata ba ho bapisa litaba tsa pakete e nang le mekhahlelo e sa lumellaneng ea naha e sebelisoang melaong ea ho sefa, joalo ka IP le marang-rang a marang-rang a marang-rang (nft_set_rbtree le nft_set_hash ba laola nako ea ho bapisa le ho bonahatsa ka ho toba litekanyetso). Mofuta oa pipapo vectorized o sebelisa litaelo tsa 256-bit AVX2 ho sistimi e nang le processor ea AMD Epyc 7402 e bonts'itse keketseho ea ts'ebetso ea 420% ha ho hlahlobisisoa lirekoto tse likete tse 30 ho kenyeletsoa motsoako oa li-port-protocol. Keketseho ha ho bapisoa motsoako oa subnet le nomoro ea boema-kepe ha ho aroloa lirekoto tse 1000 e bile 87% bakeng sa IPv4 le 128% bakeng sa IPv6.
Ntlafatso e 'ngoe, e lumellang tšebeliso ea lihlopha tsa lipapali tsa 8-bit ho e-na le 4-bit, e boetse e bonts'a katleho e kholo ea ts'ebetso: 66% ha ho hlahlobisisoa likenyelletso tse likete tse 30 tsa port-protocol, 43% bakeng sa subnet_IPv4-port, le 61% bakeng sa subnet_IPv6-port. Ka kakaretso, ho nahanela lintlafatso tsa AVX2, ts'ebetso ea pipapo e eketsehile litekong tsena ka 766%, 168% le 269%, ka ho latellana. Litšobotsi tse fumanoeng bakeng sa papiso e rarahaneng li pele ho tlhahlobo e le 'ngoe ea tšimo (ntle le tlhahlobo ea port + protocol), empa ho fihlela joale ba salla morao ho licheke tse tobileng ba sebelisa le ho theola li-handers tse thehiloeng ho netdev.
Source: opennet.ru