by dijit 1899 days ago
The key is “for each packet”, because it’s bucket based it will entirely skip evaluation for packets that do not match. This is due to how the rule set is compiled, but I can see how it could be confusing if you’re used to iptables and only think in those terms.

I posted the architectural diagrams of both in another comment on this thread yesterday, I think you missed that.
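What the comment above calls "bucket based" matching looks like this as an nftables set: a single rule tests membership in a named set with one lookup, instead of walking one rule per address. This is an added example, not a ruleset posted in the thread, and the addresses are constructed documentation ranges (RFC 5737).

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Check the syntax without loading it:
#   nft -c -f blocklist.nft
# Load it:
#   nft -f blocklist.nft
flush ruleset

table inet filter {
    # A named set: matching a packet against it is one lookup into the
    # set's data structure, however many elements it holds.
    set blocked {
        type ipv4_addr
        flags interval    # allows prefixes as well as single hosts
        elements = { 192.0.2.0/24, 198.51.100.7, 203.0.113.0/26 }   # constructed sample
    }

    chain input {
        type filter hook input priority 0; policy accept;
        ct state established,related accept
        # A source not in the set fails this one check and falls through
        # to the chain policy; it is not compared against each address.
        ip saddr @blocked counter drop
    }
}

# The linear iptables shape of the same policy is one rule per entry,
# each tried in turn until one matches:
#   iptables -A INPUT -s 192.0.2.0/24   -j DROP
#   iptables -A INPUT -s 198.51.100.7   -j DROP
#   iptables -A INPUT -s 203.0.113.0/26 -j DROP
```

Elements can be added or removed at runtime with `nft add element inet filter blocked { ... }` and `nft delete element ...` without reloading the rule that references the set.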


>The key is “for each packet”, because it’s bucket based it will entirely skip evaluation for packets that do not match.

That is how it works in nftables.

>but I can see how it could be confusing if you’re used to iptables and only think in those terms.

Considering you're misunderstanding some basics about nftables and iptables here, I think you need to look in the mirror.

>I posted the architectural diagrams of both in another comment on this thread yesterday, I think you missed that.

I saw, and it only reinforced the fact that that's how nftables works. Hilariously enough, the OpenBSD webpage crashed and wouldn't load, giving various 500 and 42X errors.

Here is an article that covers performance between Linux and FreeBSD, and it leaves BSD in the dust: https://matteocroce.medium.com/linux-and-freebsd-networking-...

Also, it specifically outlined how more rules slow things down on FreeBSD, and how poor multicore support is on pf.