On Tuesday 2010-06-01 13:25, Radek Kanovsky wrote:
>
>Whole iptables ruleset is represented by few files in /etc. Some of them
>are generated, some of them are hand written. I am able to feed /etc
>rules to iptables-restore or execute them as shell script. This is
>trivial. Although iptables-restore is faster than executing iptables in
>shell script, it is still very slow sometimes.
>
>Changes in /etc ruleset are small but frequent. But primarily both
>solutions reset counters if used and it is not good for me now. So I
>ended with script that does incremental updates.

How slow are we talking about? restore is never slower than iptables -
ever, because, like iptables, it does one table replace operation per
invocation of either binary. Your "incremental update" is in fact none,
because tables are always replaced wholesome.
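
Added example, not code from either poster: since every invocation replaces the whole table, one way to keep counters across a reload is to copy them from an `iptables-save -c` dump onto the new ruleset and load the result in a single `iptables-restore -c` run. The function names `merge_counters` and `demo` and the sample rules are assumptions constructed for illustration.

```shell
# merge_counters OLD_DUMP NEW_RULES
#   OLD_DUMP: `iptables-save -c` output; NEW_RULES: save-format rules, no counters.
# Prints NEW_RULES with counters carried over for rules whose text is unchanged.
merge_counters() {
    awk '
    /^\*/ { table = $0 }                      # track the current table
    pass == 1 {                               # first file: collect counters
        if ($0 ~ /^:/) {
            policy[table, $1] = $3            # chain policy counters
        } else if (match($0, /^\[[0-9]+:[0-9]+\] /)) {
            key = table SUBSEP substr($0, RLENGTH + 1)
            saved[key, ++seen[key]] = substr($0, 1, RLENGTH - 1)
        }
        next
    }
    /^:/ {                                    # second file: chain declarations
        print $1, $2, (((table, $1) in policy) ? policy[table, $1] : "[0:0]")
        next
    }
    /^-A / {                                  # rules; duplicates match in order
        key = table SUBSEP $0; n = ++used[key]
        c = ((key, n) in saved) ? saved[key, n] : "[0:0]"
        print c, $0
        next
    }
    { print }                                 # table headers, COMMIT, comments
    ' pass=1 "$1" pass=2 "$2"
}
# Constructed sample data (not taken from a real host).
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/old" <<'EOF'
*filter
:INPUT ACCEPT [120:9000]
[100:8000] -A INPUT -i lo -j ACCEPT
[20:1000] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
    cat > "$d/new" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
    merge_counters "$d/old" "$d/new"
    rm -rf "$d"
}
```

Rules are matched by exact text as `iptables-save` prints them, so the new ruleset must use that normalized form; packets counted between the save and the restore are not carried over.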