On Friday 2017-02-03 21:37, Shaun Crampton wrote:
>
>I'm trying to diagnose an incompatibility between my application
>(Project Calico's Felix daemon) and another (Kubernetes' kube-proxy).
>Both are (ab)using iptables-restore to do high-speed bulk updates to
>iptables and they're both using --noflush so they can use
>iptables-restore to edit only some chains. Mostly, this works great
>and it's many times faster than using individual iptables commands.
[...]
>My understanding is that each iptables-restore call actually does a
>read-modify-write of the whole table

This is by design; the RMW cycle in principle also affects the "slower"
iptables - which is why it is slower, because it does only one rule per
cycle.
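
A toy model of the whole-table read-modify-write cycle discussed above, added here as an illustration (it is not code from the thread, from iptables, or from either project). The `Table` class, its lock, the interleaving of the two writers, and the sample chains and rules are all assumptions constructed for the example.

```python
import copy
import threading

class Table:
    """Toy stand-in for one iptables table: chain name -> list of rules."""
    def __init__(self, chains):
        self.chains = chains
        self.lock = threading.Lock()  # hypothetical shared lock, not an iptables API

    def read(self):
        # "Read": the writer takes a snapshot of the WHOLE table.
        return copy.deepcopy(self.chains)

    def commit(self, snapshot):
        # "Write": the whole snapshot replaces the table, other chains included.
        self.chains = snapshot

def modify(snapshot, chain, rules):
    # "Modify": as with --noflush, only the named chain is rewritten.
    snapshot[chain] = list(rules)
    return snapshot

def interleaved(table):
    """Assumed interleaving: both writers read before either commits."""
    snap_a = table.read()
    snap_b = table.read()
    table.commit(modify(snap_a, "cali-INPUT", ["-j ACCEPT"]))
    # B's snapshot predates A's commit, so committing it drops A's rule.
    table.commit(modify(snap_b, "KUBE-SERVICES", ["-j KUBE-SVC-X"]))
    return table.chains

def serialized(table):
    """Each writer holds the lock across its whole read-modify-write cycle."""
    for chain, rules in (("cali-INPUT", ["-j ACCEPT"]),
                         ("KUBE-SERVICES", ["-j KUBE-SVC-X"])):
        with table.lock:
            table.commit(modify(table.read(), chain, rules))
    return table.chains

def fresh():
    # Constructed sample state: both chains exist but are empty.
    return Table({"cali-INPUT": [], "KUBE-SERVICES": []})

if __name__ == "__main__":
    print("interleaved:", interleaved(fresh()))
    print("serialized: ", serialized(fresh()))
```

In the interleaved run the first writer's chain ends up empty even though it only edited its own chain, because the second writer committed a snapshot of the whole table taken earlier.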