banIP support thread

Thank you @dibdot for the link

However, I have to respond to @slh's claim that

CPU is good for around 200 MBit/s

I have to disagree; here is a speedtest that I've just done right now on an Archer C7 V2.

I don't know if it would make it to gigabit; would iperf3 testing be conclusive or too artificial?

There was another reply that is no longer visible in this thread which suggested googling NFTABLES BENCHMARK.

And I found this informative link.

Also, on the broader subject of routers for gigabit WAN, I found this topic.

My takeaways from this topic are:

CPU time required per packet increases roughly linearly with the number of rules, up to the point that the CPU can no longer keep up, drops packets and causes throttling at the source.

Nftables requires more CPU time per packet per rule than iptables when filtering by IP address: about 15% worse. For the same computer, capable of 2.1 Gbps throughput, this falls to 1.6 Gbps at 1000 rules with iptables and 1.4 Gbps with nftables.

However, for port number based filtering the story is very different. Iptables shows significant performance degradation with more ports blocked, while nftables shows no such degradation.

As an Archer C7 user, I think my solution, to be optimal, will be to keep as few IPs in the ban list as possible. Perhaps I will splice my WAN port with a sniffer wiretap, duplicate all traffic to a second router, look for traffic to bad IP addresses and remotely add those IPs to the main router's ban list only when packets from those are being exchanged (sort of like a tripwire arrangement: a few packets may get through, but it should cut off before any transaction is actually completed, and it will fail).

Also, I think an arrangement to preserve performance will be to place a second Archer C7 router in series with my WAN port, in bridge mode, and only do IP filtering on that first device, just dropping packets on the ban list and nothing else.
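The "tripwire" idea in the post above (watch mirrored WAN traffic on a second box, and only push an IP to the main router's ban list once a packet to or from it is actually seen) can be sketched in a few lines. The following is an added example, not code from the post or from banIP. It parses constructed tcpdump-style summary lines, matches each packet's endpoints against a constructed CIDR ban list, and emits the `nft add element` commands that would add each hit to a set on the main router. The table name `inet fw4` is OpenWrt's default nftables table; the set name `banip_hits`, the sample lines and the ban list are assumptions, and a matching `drop` rule referencing that set on the main router is assumed to exist already.

```python
import ipaddress
import re

# Constructed ban list: CIDR prefixes the main router should drop (sample values only).
BAN_LIST = ["203.0.113.0/24", "198.51.100.7/32"]

# Constructed tcpdump-style summary lines, as a mirror port / tap box would see them.
SAMPLE_LINES = [
    "12:00:01.000 IP 192.168.1.10.51234 > 203.0.113.5.443: Flags [S], seq 1",
    "12:00:01.010 IP 192.168.1.10.51235 > 93.184.216.34.443: Flags [S], seq 2",
    "12:00:01.020 IP 198.51.100.7.80 > 192.168.1.10.40000: Flags [S.], seq 3",
    "12:00:01.030 IP 192.168.1.11.51236 > 203.0.113.5.443: Flags [S], seq 4",
]

# Extract "src.port > dst.port:" from a tcpdump IPv4 summary line.
LINE_RE = re.compile(r" IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+:")


def compile_banlist(cidrs):
    """Turn CIDR strings into ip_network objects once, not per packet."""
    return [ipaddress.ip_network(c) for c in cidrs]


def banned_peer(src, dst, networks):
    """Return whichever endpoint falls inside a banned prefix, or None."""
    for addr in (src, dst):
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in networks):
            return addr
    return None


def find_hits(lines, cidrs):
    """Scan captured lines and return the unique banned IPs actually seen on the wire.

    Only the single host that was observed is reported, not its whole prefix,
    which keeps the set on the main router as small as the post wants it.
    """
    networks = compile_banlist(cidrs)
    hits = set()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not an IPv4 summary line; ignore
        peer = banned_peer(m.group(1), m.group(2), networks)
        if peer:
            hits.add(peer)
    return sorted(hits, key=ipaddress.ip_address)


def nft_commands(hits, table="inet fw4", set_name="banip_hits"):
    """Build the nft commands to run on the main router for each hit.

    The set name is an assumption; the main router is assumed to already have a
    rule such as `ip saddr @banip_hits drop` / `ip daddr @banip_hits drop`.
    """
    return [f"nft add element {table} {set_name} {{ {ip} }}" for ip in hits]


if __name__ == "__main__":
    for cmd in nft_commands(find_hits(SAMPLE_LINES, BAN_LIST)):
        print(cmd)
```

In practice the lines would come from `tcpdump -n -l` on the tap interface and the commands would be sent to the main router over SSH; since every hit is a single host entry in a set rather than a new rule, the main router's per-packet cost does not grow with the number of entries the way the per-rule benchmarks above describe.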