+1
It is also much better if CS supports adding multiple rules in one request.



2013/7/23 Nguyen Anh Tu <ng.t...@gmail.com>

> Just still thinking about the incremental applying solution...
>
> +1 for writing rules to file.
>
>
> 2013/7/23 Alex Huang <alex.hu...@citrix.com>
>
> > The file approach will definitely make it faster.
> >
> > Just thinking out loud, if we can write all of the rules on a file, why
> > not do an iptables-save, perform a diff and apply the difference?
> >
> > --Alex
> >
> > > -----Original Message-----
> > > From: Chiradeep Vittal [mailto:chiradeep.vit...@citrix.com]
> > > Sent: Tuesday, July 23, 2013 5:08 AM
> > > To: dev@cloudstack.apache.org
> > > Cc: Nguyen Anh Tu
> > > Subject: Re: [Discuss] Apply rules on Virtual Router
> > >
> > > It is quite hard to do a delta update correctly, so a complete rewrite of the
> > > ruleset is the safest way to do it. Not sure why it is "slow", but I'd compare it
> > > to the time taken to start a VM.
> > > One way to make it slightly faster is to write the ruleset to a file and use
> > > iptables-restore from the file.
> > >
> > > On 7/23/13 5:22 PM, "Nguyen Anh Tu" <ng.t...@gmail.com> wrote:
> > >
> > > >Anyone?
> > > >
> > > >
> > > >2013/7/22 Nguyen Anh Tu <ng.t...@gmail.com>
> > > >
> > > >> Hi guys,
> > > >>
> > > >> While working with L3 network services, I found a problem in the
> > > >> process of applying iptables rules. It currently does not work well, in my
> > > >> opinion. When you apply a new rule (e.g. a StaticNat or Egress rule), the
> > > >> Virtual Router backs up the old rules and re-applies all of the non-revoked
> > > >> rules related to the source IP on the new rule, including this one. It causes
> > > >> a slowdown, especially when you have a lot of running rules. When you delete a
> > > >> rule, the process happens in the same way. The rule being deleted is marked as
> > > >> "revoked", so it doesn't appear in the list. I think we should have a
> > > >> better approach.
> > > >>
> > > >> Any idea?
> > > >>
> > > >> --
> > > >>
> > > >> N.g.U.y.e.N.A.n.H.t.U
> > > >>
> > > >
> > > >
> > > >
> > > >--
> > > >
> > > >N.g.U.y.e.N.A.n.H.t.U
> >
> >
>
>
> --
>
> N.g.U.y.e.N.A.n.H.t.U
>

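The iptables-save and diff idea raised in the thread, as an added example that is not code from the thread or from CloudStack. It assumes both inputs are in iptables-save format and that the desired file lists every table and built-in chain; chain policies are not compared, and `parse_save`, `delta` and the sample rulesets are names and data constructed for illustration.

```python
import difflib

# Constructed sample: iptables-save output from the router, and the ruleset we want.
CURRENT = """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A FORWARD -s 10.1.1.5/32 -j ACCEPT
-A FORWARD -s 10.1.1.6/32 -j ACCEPT
-A FORWARD -j DROP
COMMIT
"""
DESIRED = CURRENT.replace("-A FORWARD -s 10.1.1.5/32 -j ACCEPT\n", "").replace(
    "-A FORWARD -j DROP", "-A FORWARD -s 10.1.1.7/32 -j ACCEPT\n-A FORWARD -j DROP")

def parse_save(text):
    """Parse iptables-save text into {(table, chain): [rule lines]}, order kept."""
    chains, table = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":"):
            chains.setdefault((table, line[1:].split()[0]), [])
        elif line.startswith("-A "):
            chains.setdefault((table, line.split()[1]), []).append(line)
    return chains  # comments, COMMIT lines and counters are ignored

def delta(current_text, desired_text):
    """Return iptables commands that turn the current ruleset into the desired one."""
    cur, want = parse_save(current_text), parse_save(desired_text)
    create, change, drop = [], [], []
    for table, chain in sorted(set(cur) | set(want)):
        old, new = cur.get((table, chain), []), want.get((table, chain), [])
        pre = f"iptables -t {table} "
        if (table, chain) not in cur:
            create.append(pre + f"-N {chain}")
        ops = difflib.SequenceMatcher(None, old, new, autojunk=False).get_opcodes()
        # Delete by rule number, highest first, so earlier numbers stay valid.
        gone = [i for tag, i1, i2, _, _ in ops if tag != "equal" for i in range(i1, i2)]
        change += [pre + f"-D {chain} {i + 1}" for i in reversed(gone)]
        # Insert at ascending 1-based positions so the final rule order matches.
        for tag, _, _, j1, j2 in ops:
            if tag != "equal":
                for j in range(j1, j2):
                    spec = " ".join(new[j].split(None, 2)[2:])
                    change.append(pre + f"-I {chain} {j + 1} {spec}")
        if (table, chain) not in want:
            drop.append(pre + f"-X {chain}")
    return create + change + drop
```

`delta(CURRENT, DESIRED)` returns the two commands needed for the sample. The commands are applied one at a time, whereas `iptables-restore` from a file commits each table atomically, which is the trade-off behind the "complete rewrite is safest" position in the thread.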