Fedora builds the kernel with CONFIG_IP_NF_IPTABLES=y.
This is known to have a measurable performance impact even when there
are no firewall rules.
This is a series of 10 tests made with a Fedora 4.19.0-1.fc30 kernel
built with ip_tables as a module, in thousands of packets per second on an
8-core machine:

            no module   ip_filter loaded
run 1       8.484       8.027
run 2       8.466       8.042
run 3       8.446       8.176
run 4       8.313       7.900
run 5       8.457       8.165
run 6       8.459       8.202
run 7       8.403       7.978
run 8       8.487       7.991
run 9       8.567       8.124
run 10      8.244       7.966
----------------------------------
average     8.433       8.057
stdev       92          103
%                       -4,66%
Building iptable_filter as module should not have any disadvantage
because it's loaded on first iptables call, and dracut can be
instructed to put it in the initramfs if needed.
This is what happens on Fedora 29 (obviously with firewalld disabled on boot):
  # lsmod | grep iptable
  # iptables -A INPUT -i lo -j ACCEPT
  # lsmod | grep iptable
  iptable_filter         16384  1
  ip_tables              28672  1 iptable_filter
  x_tables               45056  2 iptable_filter,ip_tables
Regards,
--
Matteo Croce
per aspera ad upstream
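
[Editor's note: the script below is an added example, not part of Matteo's
mail or of the Fedora kernel package. It checks the two things the mail
relies on: whether a netfilter module is built into the running kernel or
loadable (and currently loaded), and whether a dracut configuration directory
already forces it into the initramfs via add_drivers. The functions take the
modules.builtin file, a captured lsmod output and the dracut conf directory as
arguments, so they can be run against constructed files; the module names
ip_tables, iptable_filter and nf_tables are the ones discussed here, and the
--live flag and the 10-nf.conf file name are assumptions of this example.]

```sh
#!/bin/sh
# Added example (not from the original mail): classify how a netfilter module
# is provided by a kernel and whether dracut is told to ship it in the initramfs.

# kmod_state NAME MODULES_BUILTIN LSMOD_OUTPUT
# Prints one of: builtin, loaded, not-loaded.
#   MODULES_BUILTIN: a modules.builtin file, one "kernel/.../foo.ko" per line
#   LSMOD_OUTPUT:    captured lsmod output (header line, then one module per line)
kmod_state() {
    name=$1
    builtin_list=$2
    lsmod_out=$3
    # Module file names may use '-' where lsmod reports '_', so accept either.
    pat=$(printf '%s' "$name" | sed 's/[_-]/[_-]/g')
    if grep -Eq "/${pat}\.ko\$" "$builtin_list"; then
        echo builtin
    elif awk -v m="$name" 'NR > 1 && $1 == m { f = 1 } END { exit !f }' "$lsmod_out"; then
        echo loaded
    else
        echo not-loaded
    fi
}

# dracut_forces_module CONF_DIR NAME
# Returns 0 if any *.conf in CONF_DIR names NAME in an add_drivers line,
# e.g.  add_drivers+=" iptable_filter "  (the dracut way to force a module
# into the initramfs even though it would otherwise be autoloaded later).
dracut_forces_module() {
    conf_dir=$1
    name=$2
    cat "$conf_dir"/*.conf 2>/dev/null \
      | sed -n 's/^[[:space:]]*add_drivers+\{0,1\}=[[:space:]]*"\(.*\)".*/\1/p' \
      | tr ' ' '\n' | grep -qx "$name"
}

# Live report for the running system:  sh check_nf_modules.sh --live
# (needs lsmod, /lib/modules/$(uname -r)/modules.builtin and /etc/dracut.conf.d)
if [ "${1-}" = "--live" ]; then
    rel=$(uname -r)
    snap="${TMPDIR:-/tmp}/lsmod.$$"
    lsmod > "$snap"
    for m in ip_tables iptable_filter nf_tables; do
        printf '%-16s %s\n' "$m" "$(kmod_state "$m" "/lib/modules/$rel/modules.builtin" "$snap")"
    done
    rm -f "$snap"
    if dracut_forces_module /etc/dracut.conf.d iptable_filter; then
        echo "dracut: iptable_filter forced into the initramfs"
    else
        echo "dracut: iptable_filter not forced (autoloaded on first iptables call)"
    fi
fi
```

On a kernel built with CONFIG_IP_NF_IPTABLES=y, kmod_state reports
"builtin" for ip_tables regardless of lsmod, which is exactly the case
whose cost the table above measures; with the module build it reports
"not-loaded" until the first iptables call and "loaded" afterwards, matching
the lsmod session shown.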