On Tue, Jun 01, 2010 at 08:19:35PM +0200, Jan Engelhardt wrote:
> >I know that iptables-restore with 10000 rules on input is faster than
> >10000 sequential "iptables -A ..." rules. It is obvious. But anyway it
> >is sometimes slower than my one "iptables -D" command followed by one
> >"iptables -A" command that both together reflect one particular change
> >in the ruleset that I am able to recognize with rule comparison. Especially
> >under higher load. The reason is not obvious.
>
> Looks obvious to me. Under load, the execution time of a process can
> arbitrarily be delayed by other processes. That isn't really a
> surprise. The delay itself is even a function of that factor.

I didn't want to say it, but it would be better described as some kind of
deadlock if the system is in good health but an iptables-save that started
an hour before doesn't mean to finish.

Radek Kanovsky
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
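The "rule comparison" approach Radek describes, deriving the one or two iptables commands that turn the running ruleset into the wanted one instead of replaying the whole dump through iptables-restore, as an added worked example. This is not code from the thread or from the netfilter project; it is a self-contained Python script with hypothetical function names (parse_save, plan_changes, apply_ops, render, ruleset_diff) and two constructed iptables-save dumps embedded inline. It goes a little beyond the single -D/-A case in the mail: it handles several changes per chain, user-chain creation and removal (-N/-X), inserts rules at their final position with -I rather than appending, and replays the computed commands on an in-memory model to confirm they really reproduce the target before anything is printed.

```python
import copy
from collections import Counter

BUILTIN = {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING"}   # never -N/-X these
# Constructed sample dumps (not from the thread): drop port 80, add 443 at slot 3, add LOGDROP.
OLD_SAVE = """*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
COMMIT"""
NEW_SAVE = """*filter
:INPUT DROP [0:0]
:LOGDROP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j LOGDROP
-A LOGDROP -j LOG --log-prefix "dropped: "
-A LOGDROP -j DROP
COMMIT"""

def parse_save(text):
    """iptables-save text -> {table: {chain: [spec, ...]}}; policies and counters ignored."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                 # *filter, *nat, ...
            table = line[1:]
            tables.setdefault(table, {})
        elif line == "COMMIT":
            table = None
        elif line.startswith(":"):               # :CHAIN POLICY [pkts:bytes]
            tables[table].setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):             # -A CHAIN <match/target spec>
            parts = line.split(" ", 2)
            tables[table].setdefault(parts[1], []).append(parts[2] if len(parts) > 2 else "")
    return tables

def plan_changes(old, new):
    """Ops ('N'|'X', t, c), ('D', t, c, spec), ('I', t, c, idx, spec); creates first, then
    deletes, then chain removals, then inserts, so a jump target is never missing."""
    creates, deletes, removes, inserts = [], [], [], []
    for table in sorted(set(old) | set(new)):
        oc, nc = old.get(table, {}), new.get(table, {})
        for chain in sorted(set(oc) | set(nc)):
            old_rules, new_rules = oc.get(chain, []), nc.get(chain, [])
            if chain not in oc and chain not in BUILTIN:
                creates.append(("N", table, chain))
            surplus = Counter(old_rules) - Counter(new_rules)   # copies to delete
            for spec in old_rules:
                if surplus[spec] > 0:
                    deletes.append(("D", table, chain, spec))
                    surplus[spec] -= 1
            missing = Counter(new_rules) - Counter(old_rules)   # copies to insert
            for idx, spec in enumerate(new_rules, start=1):     # ascending final index
                if missing[spec] > 0:
                    inserts.append(("I", table, chain, idx, spec))
                    missing[spec] -= 1
            if chain not in nc and chain not in BUILTIN:
                removes.append(("X", table, chain))
    return creates + deletes + removes + inserts

def apply_ops(tables, ops):
    """Replay ops on a copy of the model: -D drops the first match, -I is 1-based, -X needs an empty chain."""
    model = copy.deepcopy(tables)
    for op in ops:
        kind, table, chain = op[0], op[1], op[2]
        chains = model.setdefault(table, {})
        if kind == "N":
            chains[chain] = []
        elif kind == "X":
            if chains[chain]:
                raise ValueError(f"chain {chain} still has rules")
            del chains[chain]
        elif kind == "D":
            chains[chain].remove(op[3])
        else:
            chains[chain].insert(op[3] - 1, op[4])
    return model

def render(ops):
    """Ops -> iptables command lines (strings only; nothing is executed here)."""
    return [f"iptables -t {t} -{k} {c}" + "".join(f" {x}" for x in rest if x != "")
            for k, t, c, *rest in ops]

def ruleset_diff(old_save, new_save):
    """Commands turning old_save into new_save, verified on the model; pure reorders raise."""
    old, new = parse_save(old_save), parse_save(new_save)
    ops = plan_changes(old, new)
    if apply_ops(old, ops) != new:
        raise ValueError("incremental diff cannot reproduce target; use iptables-restore")
    return render(ops)

if __name__ == "__main__":
    print("\n".join(ruleset_diff(OLD_SAVE, NEW_SAVE)))
```

For the constructed dumps the script emits six commands (one -N, one -D, four -I) instead of a full restore. The model check is the part worth keeping: it catches the case the incremental approach cannot express, two identical rule sets in a different order, and tells you to fall back to iptables-restore rather than leaving the firewall in a state that differs from the dump you reviewed. Chain policies and counters are deliberately outside the comparison; a -P change would need a separate step.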