The file approach will definitely make it faster.  

Just thinking out loud, if we can write all of the rules to a file, why not do
an iptables-save, perform a diff and apply the difference?

--Alex

> -----Original Message-----
> From: Chiradeep Vittal [mailto:chiradeep.vit...@citrix.com]
> Sent: Tuesday, July 23, 2013 5:08 AM
> To: dev@cloudstack.apache.org
> Cc: Nguyen Anh Tu
> Subject: Re: [Discuss] Apply rules on Virtual Router
> 
> It is quite hard to do a delta update correctly, so a complete rewrite of the
> ruleset is the safest way to do it. Not sure why it is "slow", but I'd compare
> it to the time taken to start a VM.
> One way to make it slightly faster is to write the ruleset to a file and use
> iptables-restore from the file.
> 
> On 7/23/13 5:22 PM, "Nguyen Anh Tu" <ng.t...@gmail.com> wrote:
> 
> >Anyone?
> >
> >
> >2013/7/22 Nguyen Anh Tu <ng.t...@gmail.com>
> >
> >> Hi guys,
> >>
> >> While working with L3 network services, I found a problem in the
> >> process of applying iptables rules. It currently does not work well, in my
> >> opinion. When you apply a new rule (e.g. StaticNat or Egress rule), Virtual
> >> Router backs up old rules and re-applies all of the non-revoked rules related
> >> to the source IP on the new rule, including this one. It causes a slowdown,
> >> especially when you have a lot of running rules. When you delete a rule, the
> >> process happens in the same way. The rule being deleted is marked as
> >> "revoked", so it doesn't appear in the list. I think we should have a
> >> better approach.
> >>
> >> Any idea?
> >>
> >> --
> >>
> >> N.g.U.y.e.N.A.n.H.t.U
> >>
> >
> >
> >
> >--
> >
> >N.g.U.y.e.N.A.n.H.t.U
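
The trade-off discussed in this thread, as an added example (not code from the thread or from CloudStack): a per-chain delta between two `iptables-save` dumps that reports "full rewrite needed" whenever deletes and appends cannot reproduce the target rule order, which is the case where loading the whole ruleset with `iptables-restore` is the safe path. The dumps, addresses and the helper names `parse_save` and `plan_delta` are constructed for illustration, and the dumps are assumed to be taken without `-c` counters.

```python
# Constructed iptables-save dumps (documentation addresses), not from the thread.
CURRENT = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 203.0.113.10/32 -j DNAT --to-destination 10.1.1.10
-A PREROUTING -d 203.0.113.11/32 -j DNAT --to-destination 10.1.1.11
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -j DROP
COMMIT
"""
DESIRED = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 203.0.113.10/32 -j DNAT --to-destination 10.1.1.10
-A PREROUTING -d 203.0.113.12/32 -j DNAT --to-destination 10.1.1.12
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -d 10.1.1.12/32 -p tcp --dport 443 -j ACCEPT
-A FORWARD -j DROP
COMMIT
"""

def parse_save(text):
    """Return {(table, chain): [rule spec, ...]} in rule order."""
    chains, table = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("*"):            # table header, e.g. *nat
            table = line[1:]
        elif line.startswith(":"):          # chain declaration with policy
            chains.setdefault((table, line[1:].split()[0]), [])
        elif line.startswith("-A "):        # rule line: -A <chain> <spec>
            _, chain, spec = line.split(" ", 2)
            chains.setdefault((table, chain), []).append(spec)
    return chains

def plan_delta(current, desired):
    """Per chain: list of iptables commands, or None if only a full rewrite is safe."""
    plan = {}
    for (table, chain), want in desired.items():
        have = current.get((table, chain), [])
        kept = [r for r in have if r in want]
        cmds = [f"iptables -t {table} -D {chain} {r}" for r in have if r not in want]
        cmds += [f"iptables -t {table} -A {chain} {r}" for r in want[len(kept):]]
        # Kept rules must be a prefix of the target, else -D/-A cannot reproduce the order.
        plan[(table, chain)] = cmds if want[:len(kept)] == kept else None
    return plan
```

In the constructed data the NAT chain reduces to one delete and one append, while the FORWARD chain returns `None` because appending the new ACCEPT would place it after the final DROP, where it would never match.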
