On Tue, Jan 21, 2014 at 02:17:31PM +0200, Tomasz Bursztyka wrote:
>
> >>Actually, after your patch and Arturo's, it could be possible to
> >>improve the ruleset management so
> >>it would use create/add/replace accordingly.
> >>
> >>Though it means it would need to dump first the targeted
> >>tables/chains to do so,
> >>thus I am not sure how relevant is my blabbering from performance
> >>point of view.
> >How would that work? Dumping rules, flushing the old ones and reinstalling
> >them is prone to race conditions.
>
> There would be no flushing involved.
> Comparing the dump vs the input ruleset you would know what to
> remove/replace/add.
>
> But maybe there is no benefit from that anyway.

I still don't see how this helps. Incremental updates already work, the two problems I see are:

- create something only iff it doesn't exist: easy, don't use NLM_F_EXCL
- replace entire tables or chains: harder since the transactions need to handle tables, chains and sets which they currently don't. For basechains this goes down all the way to nf_register_hooks() since we need to atomically replace the hooks.
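The create-if-missing versus exclusive-create distinction discussed above, as an added illustration that is not from this thread or from the nf_tables code: a constructed Python model of how a NEWTABLE/NEWCHAIN request is answered depending on the netlink flags, plus an all-or-nothing batch so that a failed NLM_F_EXCL create leaves nothing behind. The ENOENT branch for updates of missing objects and the in-memory `RulesetModel` are assumptions of the model, not kernel behaviour quoted from the page.

```python
import errno

# Netlink request flags (values as defined in <linux/netlink.h>)
NLM_F_REPLACE = 0x100
NLM_F_EXCL = 0x200
NLM_F_CREATE = 0x400

# Plain ints so callers can compare results without importing errno
EEXIST, ENOENT, EOPNOTSUPP = errno.EEXIST, errno.ENOENT, errno.EOPNOTSUPP


class RulesetModel:
    """Constructed model (not the kernel's code) of the decision nf_tables
    takes for a NEWTABLE/NEWCHAIN request: key is e.g. ("ip", "filter")."""

    def __init__(self):
        self.objects = {}  # key -> attribute dict

    def new_object(self, key, attrs, flags):
        """Return 0 on success or a negative errno, like the netlink ACK."""
        if key in self.objects:
            if flags & NLM_F_EXCL:
                return -EEXIST        # exclusive create, object already there
            if flags & NLM_F_REPLACE:
                return -EOPNOTSUPP    # whole-object replace is not supported
            return 0                  # no EXCL: "create iff missing" is a no-op
        if not flags & NLM_F_CREATE:
            return -ENOENT            # model assumption: update of a missing object
        self.objects[key] = dict(attrs)
        return 0

    def batch(self, requests):
        """Apply (key, attrs, flags) requests atomically: any error rolls
        back every change made earlier in the same batch."""
        snapshot = {k: dict(v) for k, v in self.objects.items()}
        for key, attrs, flags in requests:
            err = self.new_object(key, attrs, flags)
            if err:
                self.objects = snapshot
                return err
        return 0
```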