The developers of Netfilter, the network packet filtering and modification subsystem, have published a set of patches that significantly speed up the processing of large match lists (nftables sets) that require checking combinations of subnets, network ports, protocol and MAC addresses. The patches have already been accepted into the branch , which is planned for inclusion in the Linux 5.7 kernel. The noticeable speed-up was achieved through the use of AVX2 instructions (similar optimizations based on NEON instructions for ARM are planned for publication in the future).
The optimizations are included in the module (PIle PAcket POlicies), which solves the problem of matching packet contents against arbitrary ranges of field states used in filtering rules, such as IP and network port ranges (nft_set_rbtree and nft_set_hash handle interval matching and direct mapping of values). The version of pipapo vectorized with 256-bit AVX2 instructions, on a system with an AMD Epyc 7402 processor, showed a 420% performance increase when parsing 30 thousand records that include port-protocol combinations. The gain when matching a combination of subnet and port number while parsing 1000 records was 87% for IPv4 and 128% for IPv6.

Another optimization, which allows 8-bit match groups to be used instead of 4-bit ones, also showed significant performance gains: 66% when parsing 30 thousand port-protocol entries, 43% for subnet_IPv4-port, and 61% for subnet_IPv6-port. In total, taking the AVX2 optimizations into account, pipapo performance in these tests increased by 766%, 168% and 269%, respectively. The figures obtained for complex matching are ahead of single-field checks (except for the port+protocol test), but so far they lag behind direct lookup using and drop handlers based on netdev.
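
The effect of the group width can be seen in a simplified, single-field model of a pipapo-style bucket lookup, given here as an added example (it is not kernel code and not from the original article): each port range is expanded into mask rules, every bit group gets a table of per-value rule bitmaps, and a lookup ANDs one bucket per group. The function names, the sample ranges and the restriction to one 16-bit field are assumptions; the real module chains several fields and is written in C.

```python
"""Simplified single-field model of a pipapo-style bucket lookup (illustrative only)."""
FIELD_BITS = 16  # one field: a TCP/UDP port number

def range_to_prefixes(lo, hi):
    """Split an inclusive range into aligned (value, prefix_len) mask rules."""
    rules = []
    while lo <= hi:
        size = lo & -lo if lo else 1 << FIELD_BITS  # largest block aligned at lo
        while size > hi - lo + 1:                   # shrink until it fits the range
            size >>= 1
        rules.append((lo, FIELD_BITS - size.bit_length() + 1))
        lo += size
    return rules

def compile_set(ranges, group_bits):
    """Return (tables, owner): tables[g][b] is the bitmap of rules that accept
    value b in bit group g; owner[i] is the set element that rule i came from."""
    rules, owner = [], []
    for elem, (lo, hi) in enumerate(ranges):
        for rule in range_to_prefixes(lo, hi):
            rules.append(rule)
            owner.append(elem)
    gmax = (1 << group_bits) - 1
    tables = [[0] * (gmax + 1) for _ in range(FIELD_BITS // group_bits)]
    for idx, (value, plen) in enumerate(rules):
        mask = ((1 << plen) - 1) << (FIELD_BITS - plen)
        for g, table in enumerate(tables):
            shift = FIELD_BITS - (g + 1) * group_bits
            gmask = (mask >> shift) & gmax
            gval = (value >> shift) & gmask
            for b in range(gmax + 1):
                if b & gmask == gval:
                    table[b] |= 1 << idx
    return tables, owner

def match(compiled, group_bits, key):
    """AND one bucket per group; return (matching elements, buckets read)."""
    tables, owner = compiled
    bitmap = -1  # all rules are candidates until a group rules them out
    for g, table in enumerate(tables):
        shift = FIELD_BITS - (g + 1) * group_bits
        bitmap &= table[(key >> shift) & ((1 << group_bits) - 1)]
    return {owner[i] for i in range(len(owner)) if bitmap >> i & 1}, len(tables)

# Constructed sample set: three port ranges, as a firewall set might hold.
RANGES = [(80, 443), (1024, 65535), (22, 22)]

if __name__ == "__main__":
    for bits in (4, 8):
        print(bits, match(compile_set(RANGES, bits), bits, 443))
```

With 8-bit groups the same key is resolved by reading two buckets instead of four, at the cost of 256-entry tables instead of 16-entry ones.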

Source: opennet.ru
