The previous patch series created separate global libvirt chains for virtual network rules. This goes further and creates chains per virtual network. The idea is that when stopping networks, we can just delete the chains, instead of every individual rule.

Unfortunately creating/deleting/flushing chains appears surprisingly expensive. With 100 networks running, this series slows down libvirtd restart from 13 seconds to 30 seconds :-(

Thus I'm not proposing to continue with this idea unless there's a more compelling reason to do it.

Daniel P. Berrangé (2):
  util: add support for creating per-network chains
  util: move firewall rules into per network chains

 src/libvirt_private.syms          |   3 +-
 src/network/bridge_driver_linux.c |  28 ++-
 src/util/viriptables.c            | 201 +++++++++++++++---
 src/util/viriptables.h            |   8 +-
 .../nat-default-linux.args        | 128 +++++++++--
 .../nat-ipv6-linux.args           | 144 +++++++++++--
 .../nat-many-ips-linux.args       | 156 +++++++++++---
 .../nat-no-dhcp-linux.args        | 142 +++++++++++--
 .../nat-tftp-linux.args           | 130 +++++++++--
 .../route-default-linux.args      | 118 +++++++++-
 10 files changed, 901 insertions(+), 157 deletions(-)

-- 
2.19.2

-- 
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list