Test Result Graphs

The results clearly show that nf-HiPAC outperforms iptables at any number of rules, i.e. the classification engine does not impose any noticeable overhead even for very small rulesets. The throughput achieved with iptables drops rapidly as rules are added: a ruleset of merely 50 rules already yields a noticeable performance penalty, 200 rules reduce the throughput to 55 % of the theoretically possible throughput, and above 800 rules iptables renders the firewall unusable. In contrast, the throughput achieved with nf-HiPAC is almost constant. It decreases only slightly, and roughly linearly, with each doubling of the number of rules. Even so, nf-HiPAC with 25600 rules still outperforms iptables with 50 rules.

The performance of nf-HiPAC certainly depends on the number of rules, but it also depends on the structure of the ruleset. For a given number of rules, the ruleset structure we used for nf-HiPAC leads to the theoretical worst-case performance of the algorithm. No real ruleset with that many rules looks like that, so with a realistic ruleset the worst-case performance of nf-HiPAC will be much better than what our synthetic ruleset shows here.

Note that the scope of the performance results is not limited to iptables. Any packet filter that evaluates its rules by linear search will show the same behaviour: the cost of classifying one packet grows linearly with the number of rules, so throughput falls accordingly.
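To make the difference concrete, here is a small added example (not code from nf-HiPAC or iptables; the bucketed classifier in it is a toy stand-in, not HiPAC's algorithm). It counts rule comparisons per packet for a first-match linear filter and for a classifier that indexes rules by protocol and destination port. The rulesets and packets are constructed for the illustration: one ruleset is the worst case for the linear filter (the packet matches only the last rule), the other has nothing to index on and shows how the bucketed variant degrades to the same linear cost, which is the kind of ruleset-structure dependence discussed above.

```python
"""Rule comparisons per packet: linear first-match filter vs. a bucketed one.
Added illustration, not code from nf-HiPAC or iptables."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Rule:
    index: int                      # chain position; lowest matching index wins
    proto: str                      # "tcp", "udp" or "any"
    dport: Optional[int]            # exact destination port, None means any port
    dst_net: ipaddress.IPv4Network  # destination subnet (0.0.0.0/0 means any)
    action: str                     # "ACCEPT" or "DROP"

    def matches(self, pkt: dict) -> bool:
        return ((self.proto == "any" or self.proto == pkt["proto"])
                and (self.dport is None or self.dport == pkt["dport"])
                and ipaddress.IPv4Address(pkt["dst"]) in self.dst_net)


def linear_classify(rules, pkt, default="ACCEPT"):
    """iptables-style chain walk: every rule up to the first match is tested."""
    comparisons = 0
    for r in rules:
        comparisons += 1
        if r.matches(pkt):
            return r.action, comparisons
    return default, comparisons


class IndexedClassifier:
    """Toy structured classifier (not HiPAC): rules are bucketed by
    (proto, dport), so only buckets that can match a packet are scanned.
    First-match semantics are kept by sorting buckets and stopping at the
    lowest index found so far."""

    def __init__(self, rules):
        self.buckets = defaultdict(list)
        for r in rules:
            self.buckets[(r.proto, r.dport)].append(r)
        for bucket in self.buckets.values():
            bucket.sort(key=lambda r: r.index)

    def classify(self, pkt, default="ACCEPT"):
        comparisons = 0
        best = None
        candidate_keys = ((pkt["proto"], pkt["dport"]), (pkt["proto"], None),
                          ("any", pkt["dport"]), ("any", None))
        for key in candidate_keys:
            for r in self.buckets.get(key, []):
                if best is not None and r.index > best.index:
                    break  # bucket is sorted; nothing later can beat `best`
                comparisons += 1
                if r.matches(pkt):
                    best = r
                    break
        return (best.action if best else default), comparisons


def port_ruleset(n):
    """Constructed worst case for a linear filter: n DROP rules on distinct
    TCP ports, so a packet for the last port is compared against every rule."""
    any_net = ipaddress.IPv4Network("0.0.0.0/0")
    return [Rule(i, "tcp", 1 + i, any_net, "DROP") for i in range(n)]


def subnet_ruleset(n):
    """Constructed worst case for the bucketed classifier: n rules that differ
    only in destination subnet, so there is no port or protocol to index on."""
    return [Rule(i, "any", None,
                 ipaddress.IPv4Network("10.%d.%d.0/24" % (i >> 8, i & 255)), "DROP")
            for i in range(n)]


def cost_profile(rules, pkt):
    """Return (linear comparisons, bucketed comparisons) for one packet and
    check that both classifiers reach the same verdict."""
    lin_action, lin_cmp = linear_classify(rules, pkt)
    idx_action, idx_cmp = IndexedClassifier(rules).classify(pkt)
    if lin_action != idx_action:
        raise RuntimeError("classifiers disagree: %s vs %s" % (lin_action, idx_action))
    return lin_cmp, idx_cmp


if __name__ == "__main__":
    print("   rules  linear  bucketed(ports)  bucketed(subnets only)")
    for n in (50, 100, 200, 400, 800, 1600, 3200, 6400, 12800, 25600):
        last = n - 1
        port_pkt = {"proto": "tcp", "dport": n, "dst": "192.0.2.1"}
        net_pkt = {"proto": "udp", "dport": 53,
                   "dst": "10.%d.%d.1" % (last >> 8, last & 255)}
        lin, idx = cost_profile(port_ruleset(n), port_pkt)
        _, idx_net = cost_profile(subnet_ruleset(n), net_pkt)
        print("%8d %7d %16d %23d" % (n, lin, idx, idx_net))
```

The linear column grows with the ruleset size at every step, which is the iptables curve in words; the bucketed column stays at one comparison for the port ruleset but collapses back to the linear count when the rules carry no field worth indexing. Counting comparisons rather than wall-clock time keeps the example deterministic, but the trend is the one that decides throughput.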