Andrew

No, it should sray like this short simple. 1k evaluations on a pc totals to about same 7.abit ms for either but vmap version has broader deviation not explainable by...

Yes, default configuration is revert (2 rules swapped tough)

Ill split this in 2 pieces - 1/2 handling invalid packets early 2/2 jump-branching offload

It is still valid. if i split it 2nd half has to be heavily re-based other patches reduce non-mandatory packet examination in kind of default established,related accept adding some throughput...

I am splitting this in 3 pieces, later today.

@CallMeR If you see the diagram conntrack state is classified at -200, last chance to make it valid (or notrack for more obvious usage) was respective raw table, e.g setting...

@glassd00r yes, thats correct. 3rd patch should be simple ```diff +if offload devs > 0 + ct state established related goto handle_offload +else ct state established related accept +endif ......

@glassd00r Why one patch? It changes same lines over and over again Bad: it looks messy in totality Why layer up 3 patches Good: simple few-line patches are easier to...

@glassd00r i remember writing those in forum, yep ill add example in /etc/nftables.d ;-)

Last 3rd here: https://github.com/brada4/firewall4/tree/guard-offload ruleset.uc includes 2nd 3rd too.