On Tue, Jun 01, 2010 at 08:26:30PM +0200, Jan Engelhardt wrote:

> Sounds like you need xt_quota2. As its counters are independent of
> rules when given names, they can never get set back to a value
> less than what they were.

I wanted to avoid any nonstandard packages, but this looks promising. I will take a look. Thanks.

> As I said before, there is no concept of unchanged rules.
>
> When you iptables -A, the entire ruleset is fetched from the kernel,
> then modified, and finally reinserted - even when having only
> added a single rule.

But I have scalability problems even if iptables-restore has declared O(N) complexity. There is a really big difference if counters are reset at 9:14:01 or at 9:14:53. I am not sure what exactly COMMIT does during restoration, but can't it be used for tuning in such cases?

Radek Kanovsky