On Tuesday 2010-06-01 18:03, Radek Kanovsky wrote:
>
> I know that iptables-restore with 10000 rules on input is faster than
> 10000 sequential "iptables -A ..." rules. It is obvious. But anyway it
> is sometimes slower than my one "iptables -D" command followed by one
> "iptables -A" command that both together reflect one particular change
> in ruleset that I am able to recognize with rule comparison. Especially
> under higher load. Reason is not obvious.

Looks obvious to me. Under load, the execution time of a process can be
arbitrarily delayed by other processes. That isn't really a surprise. The
delay itself is even a function of that factor.

> I was forced also to implement my
> own locking and memoization around iptables-save that prevents its
> concurrent invocation from accounting process.

Indeed, if iptables has to race with another instance of itself when
replacing a table, it has to retry the whole operation.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
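The "locking and memoization around iptables-save" that the quoted message mentions is a small pattern worth spelling out: if several accounting jobs each call iptables-save at once, they contend for the table lock and iptables has to retry the replace, as the reply notes. The sketch below is an added example written for this page; it is not code from either participant in the thread. It serialises the command behind an atomic mkdir lock and reuses the last dump while it is younger than a short TTL, so concurrent callers share one run. The lock and cache paths, the TTL and the retry count are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): run a command under an atomic lock
# and memoize its output for CACHE_TTL seconds. Intended for wrapping
# "iptables-save" so that concurrent accounting processes do not race.
# All paths and limits below are assumptions, override via the environment.
LOCKDIR="${LOCKDIR:-/tmp/ipt-save.lock}"   # mkdir-based lock directory
CACHE="${CACHE:-/tmp/ipt-save.cache}"      # last successful output
CACHE_TTL="${CACHE_TTL:-5}"                # seconds a cached dump stays valid
LOCK_TRIES="${LOCK_TRIES:-10}"             # 1 s per try before giving up

# lock_acquire: mkdir is atomic, so only one caller can create the directory.
lock_acquire() {
    tries=0
    until mkdir "$LOCKDIR" 2>/dev/null; do
        tries=$((tries + 1))
        if [ "$tries" -ge "$LOCK_TRIES" ]; then
            return 1
        fi
        sleep 1
    done
    return 0
}

lock_release() {
    rmdir "$LOCKDIR" 2>/dev/null
}

# cache_fresh: 0 if a cached dump exists and is younger than CACHE_TTL seconds.
cache_fresh() {
    [ -f "$CACHE" ] && [ -f "$CACHE.ts" ] || return 1
    now=$(date +%s)
    ts=$(cat "$CACHE.ts")
    [ $((now - ts)) -lt "$CACHE_TTL" ]
}

# cached_run CMD [ARGS...]: print CMD's output, serving it from the cache when
# fresh, otherwise running CMD exactly once under the lock and refreshing it.
cached_run() {
    if cache_fresh; then
        cat "$CACHE"
        return 0
    fi
    if ! lock_acquire; then
        echo "cached_run: could not acquire $LOCKDIR" >&2
        return 1
    fi
    # Re-check under the lock: a caller that held it before us may already
    # have refreshed the cache while we were waiting.
    if cache_fresh; then
        lock_release
        cat "$CACHE"
        return 0
    fi
    rc=0
    if "$@" > "$CACHE.tmp"; then
        mv "$CACHE.tmp" "$CACHE"
        date +%s > "$CACHE.ts"
    else
        rc=1
        rm -f "$CACHE.tmp"
    fi
    lock_release
    [ "$rc" -eq 0 ] && cat "$CACHE"
    return "$rc"
}

# When invoked as a script with arguments, wrap that command, e.g.:
#   ./ipt-cached.sh iptables-save
if [ $# -gt 0 ]; then
    cached_run "$@"
fi
```

The cache only dedupes readers; the responder's point about the replace racing still applies to writers, so the same lock directory should be taken by whatever issues iptables -D / -A as well, otherwise a dump can be cached that is one change behind.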