I am probably the exception but I make heavy use of several modules to block bots. I would love to try out bpfilter when they support connlimit, tcpmss, length, limit, owner, recent, set, tcp, ttl and maybe u32. In regards to performance I get some gains using NOTRACK in the raw table for ports I expect high packet rates in combination with stateless rules.