by ta20210405 1899 days ago
>nftables (like iptables before it) is rule based and not bucket based.

What does this even mean? Do you have any documentation to explain?

>So high numbers of rules will not affect pf’s performance like it does with nftables.

This is wrong. From OpenBSD documentation:

"More lines being evaluated for each packet will result in slower performance."

[0]https://www.openbsd.org/faq/pf/perf.html

It's not 2001 any more. Nftables and Linux have left the BSDs in the dust.


The key is “for each packet”, because it’s bucket based it will entirely skip evaluation for packets that do not match. This is due to how the rule set is compiled, but I can see how it could be confusing if you’re used to iptables and only think in those terms.

I posted the architectural diagrams of both in another comment on this thread yesterday, I think you missed that.

>The key is “for each packet”, because it’s bucket based it will entirely skip evaluation for packets that do not match.

That is how it works in nftables.

>but I can see how it could be confusing if you’re used to iptables and only think in those terms.

Considering you're misunderstanding some basics about nftables and iptables here, I think you need to look in the mirror.

>I posted the architectural diagrams of both in another comment on this thread yesterday, I think you missed that.

I saw, and it only reinforced the fact that that's how nftables works. Hilariously enough, the OpenBSD webpage crashed and wouldn't load, giving various 500 and 42X errors.

Here is an article that covers performance between Linux and FreeBSD, and it leaves BSD in the dust: https://matteocroce.medium.com/linux-and-freebsd-networking-...

Also, it specifically outlined how more rules slow things down on FreeBSD, and how poor multicore support is in pf.
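For readers who want to see the nftables mechanism the comments above are arguing about, here is an added example (not from the thread, and not taken from either project's documentation). It writes the same port policy twice: once as a linear list of rules, once using an nftables set and a verdict map (`vmap`), where the kernel resolves the match with a single set lookup instead of walking one rule per entry. Table, chain, set and map names are my own.

```nft
# Added illustration, not from the thread. Two tables are shown for contrast;
# load only one of them, since both hook the input path.

# Version A: one rule per port. The packet evaluates rules top to bottom
# until one of them yields a verdict.
table inet filter_linear {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        tcp dport 22 accept
        tcp dport 80 accept
        tcp dport 443 accept
        tcp dport 8443 accept
        # ... one more rule for every additional port
    }
}

# Version B: ports live in a set and a verdict map. The rule count stays
# constant no matter how many entries the set holds.
table inet filter_set {
    # Interval set: members may be single ports or ranges.
    set allowed_tcp_ports {
        type inet_service
        flags interval
        elements = { 80, 443, 8000-8100 }
    }

    # Verdict map: one lookup picks the chain to jump to.
    map service_dispatch {
        type inet_service : verdict
        elements = { 22 : jump ssh_policy, 8443 : jump admin_policy }
    }

    chain ssh_policy {
        # Anonymous set of source prefixes, again a single lookup.
        ip saddr { 10.0.0.0/8, 192.168.0.0/16 } accept
        drop
    }

    chain admin_policy {
        ip saddr 10.0.0.0/8 accept
        drop
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        # Dispatch on destination port via the verdict map ...
        tcp dport vmap @service_dispatch
        # ... and accept anything in the allowed set in one rule.
        tcp dport @allowed_tcp_ports accept
    }
}
```

Save one of the two tables to a file and validate it without loading it with `nft -c -f file.nft`, then load it with `nft -f file.nft` and inspect with `nft list ruleset`. The point of version B is that adding a thousand ports to `allowed_tcp_ports` adds a thousand set elements, not a thousand rules, so the per-packet work stays at the handful of rules in `input` plus the set lookups.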