Performance with iptables-restore is significantly better than the performance of iptables. For set sizes of 10k and 50k rules:
root@ubuntu-xenial:/home/ubuntu# iptables -F
root@ubuntu-xenial:/home/ubuntu# time (./restore-bulk-set 10000 | iptables-restore --noflush)
real 0m0.419s
user 0m0.232s
sys 0m0.180s
root@ubuntu-xenial:/home/ubuntu# iptables -F
root@ubuntu-xenial:/home/ubuntu# time (./gen-bulk-set 50000 | iptables-restore --noflush)
real 0m4.285s
user 0m1.252s
sys 0m3.028sWith repeated addition of new rules, it slows down, but not nearly as bad as with iptables:
root@ubuntu-xenial:/home/ubuntu# iptables -F
root@ubuntu-xenial:/home/ubuntu# time (./restore-bulk-set 5000 | iptables-restore --noflush)
real 0m0.193s
user 0m0.148s
sys 0m0.040s
root@ubuntu-xenial:/home/ubuntu# time (./restore-bulk-set 5000 | iptables-restore --noflush)
real 0m0.401s
user 0m0.128s
sys 0m0.268s
root@ubuntu-xenial:/home/ubuntu# time (./restore-bulk-set 5000 | iptables-restore --noflush)
real 0m0.712s
user 0m0.112s
sys 0m0.596s
root@ubuntu-xenial:/home/ubuntu# time (./restore-bulk-set 5000 | iptables-restore --noflush)
real 0m1.167s
user 0m0.132s
sys 0m1.028s
root@ubuntu-xenial:/home/ubuntu# time (./restore-bulk-set 5000 | iptables-restore --noflush)
real 0m1.816s
user 0m0.120s
sys 0m1.720s