Still thinking about the incremental apply solution... +1 for writing the rules to a file.
2013/7/23 Alex Huang <alex.hu...@citrix.com>

> The file approach will definitely make it faster.
>
> Just thinking out loud, if we can write all of the rules to a file, why
> not do an iptables-save, perform a diff and apply the difference?
>
> --Alex
>
> > -----Original Message-----
> > From: Chiradeep Vittal [mailto:chiradeep.vit...@citrix.com]
> > Sent: Tuesday, July 23, 2013 5:08 AM
> > To: dev@cloudstack.apache.org
> > Cc: Nguyen Anh Tu
> > Subject: Re: [Discuss] Apply rules on Virtual Router
> >
> > It is quite hard to do a delta update correctly, so a complete rewrite of the
> > ruleset is the safest way to do it. Not sure why it is "slow", but I'd compare it
> > to the time taken to start a VM.
> > One way to make it slightly faster is to write the ruleset to a file and use
> > iptables-restore from the file.
> >
> > On 7/23/13 5:22 PM, "Nguyen Anh Tu" <ng.t...@gmail.com> wrote:
> >
> > >Anyone?
> > >
> > >2013/7/22 Nguyen Anh Tu <ng.t...@gmail.com>
> > >
> > >> Hi guys,
> > >>
> > >> While working with L3 network services, I found a problem in the
> > >> process of applying iptables rules. It currently does not work well in my
> > >> opinion. When you apply a new rule (e.g. a StaticNat or Egress rule), the
> > >> Virtual Router backs up the old rules and re-applies all of the non-revoked
> > >> rules related to the source IP of the new rule, including the new one. This
> > >> is slow, especially when you have a lot of running rules. When you delete a
> > >> rule, the process is the same. The deleted rule is marked as "revoked", so
> > >> it doesn't appear in the list. I think we should have a better approach.
> > >>
> > >> Any idea?
> > >>
> > >> --
> > >>
> > >> N.g.U.y.e.N.A.n.H.t.U
> > >
> > >--
> > >
> > >N.g.U.y.e.N.A.n.H.t.U

--
N.g.U.y.e.N.A.n.H.t.U
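The iptables-save / diff idea from Alex's message, worked through as an added example for this thread (hypothetical helper code, not CloudStack's own virtual-router scripts). It also shows where Chiradeep's "a delta update is hard to do correctly" bites: rule order inside a chain is significant, so a plain set difference is only safe when the surviving rules keep their order and every new rule goes at the end; otherwise the chain is flushed and rewritten inside the same table block. The two rulesets, the `eth2` interface name and the addresses are constructed sample data; the chain-redeclaration behaviour assumed for `iptables-restore --noflush` is that of the classic iptables-restore.

```python
"""Delta between the running iptables ruleset and a desired one, emitted in
iptables-restore format.  Hypothetical helper written for this thread, not
CloudStack Virtual Router code."""
from collections import OrderedDict


def parse_ruleset(text):
    """iptables-save text -> OrderedDict table -> {"chains": name -> policy
    ("-" for user chains), "rules": ordered "-A CHAIN ..." lines}."""
    tables, table = OrderedDict(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"chains": OrderedDict(), "rules": []})
        elif line == "COMMIT":
            table = None
        elif table is None:
            raise ValueError("line outside a table block: %r" % line)
        elif line.startswith(":"):                       # ":INPUT DROP [0:0]"
            name, policy = line[1:].split(" ", 2)[:2]
            table["chains"][name] = policy
        elif line.startswith("-A "):
            table["rules"].append(line)
        else:
            raise ValueError("unsupported line: %r" % line)
    return tables


def rule_chain(rule):
    return rule.split(" ", 2)[1]                         # "-A FORWARD ..." -> "FORWARD"


def chain_delta(chain, cur_rules, want_rules):
    """Commands turning cur_rules into want_rules for one chain.  Order matters,
    so the cheap -D/-A form is used only when surviving rules keep their relative
    order and all new rules go at the end; otherwise flush and rewrite the chain.
    Exact duplicate rules in one chain are not distinguished (assumption)."""
    cur_set, want_set = set(cur_rules), set(want_rules)
    removed = [r for r in cur_rules if r not in want_set]
    added = [r for r in want_rules if r not in cur_set]
    kept_cur = [r for r in cur_rules if r in want_set]
    kept_want = [r for r in want_rules if r in cur_set]
    if kept_cur == kept_want and want_rules[:len(kept_want)] == kept_want:
        return [r.replace("-A ", "-D ", 1) for r in removed] + added
    return ["-F %s" % chain] + list(want_rules)


def ruleset_delta(current_text, desired_text):
    """Lines for `iptables-restore --noflush`.  Each table block is committed
    atomically at COMMIT, so even the flush-and-rewrite fallback never leaves a
    half-applied firewall, unlike one iptables exec per rule."""
    cur, want, out = parse_ruleset(current_text), parse_ruleset(desired_text), []
    for table, w in want.items():                        # tables missing from desired: untouched
        c = cur.get(table, {"chains": {}, "rules": []})
        # Declare only chains that do not exist yet: classic iptables-restore
        # --noflush flushes a user chain that is declared again (policy changes
        # of built-in chains are not handled here).
        body = [":%s %s [0:0]" % (ch, pol) for ch, pol in w["chains"].items()
                if ch not in c["chains"]]
        chains = OrderedDict((rule_chain(r), None) for r in c["rules"] + w["rules"])
        for chain in chains:
            body += chain_delta(chain, [r for r in c["rules"] if rule_chain(r) == chain],
                                [r for r in w["rules"] if rule_chain(r) == chain])
        for chain, policy in c["chains"].items():
            if policy == "-" and chain not in w["chains"]:
                body.append("-X %s" % chain)             # user chain was emptied above, drop it
        if body:
            out += ["*%s" % table] + body + ["COMMIT"]
    return out


# Constructed sample of what `iptables-save` reports on the router right now.
RUNNING = """\
*filter
:FORWARD DROP [0:0]
-A FORWARD -s 10.1.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 10.1.1.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 10.1.1.0/24 -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 192.0.2.10/32 -i eth2 -j DNAT --to-destination 10.1.1.5
COMMIT
"""
# Constructed desired ruleset: egress 22 revoked and 443 allowed (it has to sit
# before the catch-all DROP), static NAT for .10 revoked and one for .11 added.
DESIRED = """\
*filter
:FORWARD DROP [0:0]
-A FORWARD -s 10.1.1.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 10.1.1.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -s 10.1.1.0/24 -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 192.0.2.11/32 -i eth2 -j DNAT --to-destination 10.1.1.6
COMMIT
"""
```

On the router the `RUNNING` text would come from `iptables-save` and the output of `ruleset_delta(RUNNING, DESIRED)` would be joined with newlines and piped into `iptables-restore --noflush`. For the sample above the nat table gets a two-line `-D`/`-A` delta, while the filter table falls back to `-F FORWARD` plus the three desired rules because the new 443 rule must precede the DROP. Note that the full rewrite Chiradeep recommends (`iptables-restore` without `--noflush`) has the same atomic-per-table property, so the safety argument for it is not about speed but about not having to reason about ordering at all.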