It is quite hard to do a delta update correctly, so a complete rewrite of the ruleset is the safest way to do it. Not sure why it is "slow", but I'd compare it to the time taken to start a VM. One way to make it slightly faster is to write the ruleset to a file and use iptables-restore from the file.
On 7/23/13 5:22 PM, "Nguyen Anh Tu" <ng.t...@gmail.com> wrote:

> Anyone?
>
> 2013/7/22 Nguyen Anh Tu <ng.t...@gmail.com>
>
>> Hi guys,
>>
>> While working with L3 network services, I found a problem in the process of applying iptables rules. It currently does not work well in my opinion. When you apply a new rule (e.g. a StaticNat or Egress rule), the Virtual Router backs up the old rules and re-applies all of the non-revoked rules related to the source IP of the new rule, including this one. This causes slowness, especially when you have a lot of running rules. When you delete a rule, the process happens in the same way. The deleted rule is marked as "revoked", so it doesn't appear in the list. I think we should have a better approach.
>>
>> Any idea?
>>
>> --
>>
>> N.g.U.y.e.N.A.n.H.t.U
>
> --
>
> N.g.U.y.e.N.A.n.H.t.U
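The "write the whole ruleset to a file and load it with iptables-restore" approach from the reply, as an added example that is not part of this thread or of the Virtual Router code; the rule-list format, the sample rules, the addresses and the file path are all constructed for it:

```bash
#!/bin/sh
# Added example (not CloudStack code): build a complete iptables-restore
# file from a rule list, dropping revoked entries, and load it in one go.
# Rule-list format (constructed): state|table|rule, state is live|revoked.
SAMPLE_RULES='live|nat|-A PREROUTING -d 203.0.113.10 -j DNAT --to-destination 10.1.1.10
live|filter|-A FORWARD -d 10.1.1.10 -p tcp --dport 22 -j ACCEPT
revoked|filter|-A FORWARD -d 10.1.1.10 -p tcp --dport 80 -j ACCEPT
live|nat|-A POSTROUTING -s 10.1.1.0/24 -j SNAT --to-source 203.0.113.10'

# Emit a full restore file: one *table block per table, each closed by
# COMMIT. Only "live" rules are included, so the file describes the entire
# desired state instead of a delta on top of whatever is running.
build_ruleset() {   # $1 = rule list text
  for table in nat filter; do
    echo "*$table"
    printf '%s\n' "$1" | awk -F'|' -v t="$table" '$1=="live" && $2==t {print $3}'
    echo "COMMIT"
  done
}

# Load the file: parse-check first with --test, then restore for real.
# iptables-restore commits each table atomically, so traffic never sees a
# half-rebuilt chain, and one process replaces N iptables invocations.
apply_ruleset() {   # $1 = path to the restore file (needs root)
  if ! command -v iptables-restore >/dev/null 2>&1; then
    echo "iptables-restore not available; nothing applied" >&2
    return 1
  fi
  iptables-restore --test < "$1" || return 1
  iptables-restore < "$1"
}

RULESET_FILE="${TMPDIR:-/tmp}/vr-ruleset.$$"
build_ruleset "$SAMPLE_RULES" > "$RULESET_FILE"
# Pass --apply to actually load it; by default only show what would be loaded.
if [ "${1:-}" = "--apply" ]; then
  apply_ruleset "$RULESET_FILE"
else
  cat "$RULESET_FILE"
fi
```

The generated file carries three rules (the revoked port-80 rule is omitted) in two table blocks; run the script as root with `--apply` to load it.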