Unfortunately there is no rule timing feature (stealth or otherwise) in v4.x.
Overall impact of rules on performance can be also estimated based on CPU utilization induced by a known traffic load. CPU utilization is best monitored using the "cpu bigip" command (e.g. watch cpu bigip). Standard utilities (e.g. top, vmstat) may give misleading results especiall y on dual processor systems running in ANIP mode. Time spent in rule evaluation is accounted for (together with other operations) in the BIGIP column. NOTE: the maximum CPU utilization on a dual CPU system is 200% in SMP mode and 100% in ANIP mode (the ANIP column shows aggregated utilization on the second [ANIP] CPU).
Rules are compiled when configuration is loaded and stored in memory.
Assuming that you are terminating SSL connections on the BIG-IP (using SSL proxy), SSL is definitely a more limiting factor for performance than your rules. High volume of SSL traffic will translate into high CPU utilization shown for the "proxyd" process (e.g. in "top" output). Proxyd will consume both user and kernel CPU time. It consumes more kernel CPU for high connection rate and more user CPU for high traffic volume on several persistent connections. In the "cpu bigip" output, CPU used by proxyd is shown (together with all other user processes) in the "Unix" column.
Adding another nested if-then to your rule should not have any negative impact on preformance as long as the expression is similar to your existing expressions. I'd need to see your new rule to be able to tell more.
Performance impact of various iRule features can be ordered as follows (ordered from lowest to highest [negative] impact on performance):
* no rules :-),
* L4 rules (i.e. rules referring only to addresses and/or ports [or other
data found in Ethernet, IP and/or TCP/UDP header]),
------
performace with only the above features can be significantly better than with any of the features bellow, especially on dual processor systems -- this is because the above features do not require the
BIG-IP to do so called late-binding
-------
* header insert feature (not an iRule feature per-se),
* HTTP rules referring only to data in HTTP request headers (URI, header
fields, cookies), header erase feature has about the same impact,
* cookie persistence, SSL session id persistence (agai not iRule features
per-se)
* rules referring to TCP content,
* rules referring to HTTP content
In general, the more the BIG-IP has to buffer and parse in order to evaluate expressions, the more impact will the rule have on performance. As Brian already pointed out, keeping branches that are likely to match close to the top of the if-then-else chain improves performance because rule evaluation stops at the first "use pool" or "discard" statement.
Measuring and even more so predicting performance of (any) L7 loadbalancer is very complicated because it depends on many factors with non-trivial dependencies among them.