Slow nft set lookup?

I did a simple comparison between nft-sets and ipsets on a Cudy TR1200 (MT7628AN) regarding speed of lookup. Both sets had the same number of elements, about 3000 IPs of well-known DoH servers. I ran both iptables and nftables simultaneously, on the same device, using a custom-built OpenWrt 25.12.2.

And I got the following results when querying for an existing and a non-existing IP:

root@OpenWrt:~# time ipset test doh_ips 1.1.1.1
Warning: 1.1.1.1 is in set doh_ips.
real 0m 0.01s
user 0m 0.00s
sys 0m 0.00s
root@OpenWrt:~# time nft get element inet fw4 doh_ips { 1.1.1.1 }
table inet fw4 {
set doh_ips {
type ipv4_addr
flags interval
elements = { 1.1.1.1 }
}
}
real 0m 0.25s
user 0m 0.20s
sys 0m 0.03s

root@OpenWrt:~# time ipset test doh_ips 1.1.1.99
1.1.1.99 is NOT in set doh_ips.
Command exited with non-zero status 1
real 0m 0.01s
user 0m 0.00s
sys 0m 0.00s
root@OpenWrt:~# time nft get element inet fw4 doh_ips { 1.1.1.99 }
Error: Could not process rule: No such file or directory
get element inet fw4 doh_ips { 1.1.1.99 }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Command exited with non-zero status 1
real 0m 0.25s
user 0m 0.17s
sys 0m 0.05s

This shows a drastic difference in lookup speed.

Does this also mean that a lookup in an nft set in fw4 is so much slower than a lookup in an iptables-based firewall using ipset?

I know nothing about it, but the CLI lookup program could have a different overhead that the packet filter does not have when processing your packets against the rules. It's worth checking the CPU utilization/throughput of a real rule with traffic.

There are a few threads that mention nft not processing large IP sets well. I discovered that when OpenWrt first moved to fw4.

Looking at sys time only (time spent in the kernel), it is much higher for nft-sets. Packages which need to block DoH or do geo-based blocking, and use nft-sets for this, seem to be slowed down significantly compared to using iptables ipsets, as many (or all) packets have to be checked against a set.