Radek, your problem is getting the rules into a standard format, where you
can match them to existing rules. Would a solution/workaround not be to:

1. create a dummy test chain/table not being used.
2. add new rules to the chain/table (have to modify them slightly) 1 by 1
3. retrieve them in a standard form as provided by iptables-save -t test
4. spend time in python routine to match and decide what to remove/update.
5. make single insertion/replacement if needed.
6. clear test table and start with next rule.

On Tue, Jun 1, 2010 at 9:36 PM, Radek Kanovsky <rk@xxxxxx> wrote:
> On Tue, Jun 01, 2010 at 08:26:30PM +0200, Jan Engelhardt wrote:
>
>> Sounds like you need xt_quota2. As its counters are independent of
>> rules when given names, they can never get set back to a value
>> less than what they were.
>
> I wanted to avoid any nonstandard packages but this looks promising.
> I will take a look. Thanks.
>
>> As I said before, there is no concept of unchanged rules.
>>
>> When you iptables -A, the entire ruleset is fetched from the kernel,
>> then modified, and finally reinserted - even when having only
>> added a single rule.
>
> But I have scalability problems even if there is declared O(N)
> complexity of iptables-restore. There is a really big difference
> if counters are reset at 9:14:01 or at 9:14:53. I am not sure
> what COMMIT during restoration exactly does but can't it be
> used for tuning in such cases?
>
> Radek Kanovsky
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
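Steps 3 to 6 of the workaround above, as an added example that is not part of the thread: both the live chain and the rules staged in the dummy chain are read back in iptables-save form, token-compared, and only the differences are turned into iptables commands, so rules that already match are left alone and keep their counters. The two dumps, the chain name `test` and the target chain `INPUT` are constructed assumptions.

```python
import shlex

# Constructed sample of `iptables-save -t filter` output for the live ruleset.
LIVE_DUMP = """\
*filter
:INPUT DROP [0:0]
:test - [0:0]
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m comment --comment "ping ok" -j ACCEPT
COMMIT
"""

# Constructed sample: the desired rules after being appended to the dummy
# chain `test` one by one and read back, so they are already in canonical form.
STAGED_DUMP = """\
*filter
:test - [0:0]
-A test -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A test -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""


def parse_rules(dump, chain):
    """Rules appended to `chain`, as token tuples with the leading '-A <chain>' removed."""
    rules = []
    for line in dump.splitlines():
        toks = shlex.split(line)
        if len(toks) > 2 and toks[:2] == ["-A", chain]:
            rules.append(tuple(toks[2:]))
    return rules


def plan_changes(live_dump, staged_dump, target_chain, staging_chain="test"):
    """Commands that bring `target_chain` in line with the staged rules while
    leaving rules that already match untouched (their counters keep running).
    Rule order is not considered here: changed rules are deleted and appended."""
    current = parse_rules(live_dump, target_chain)
    wanted = parse_rules(staged_dump, staging_chain)
    cmds = []
    for rule in current:
        if rule not in wanted:
            cmds.append(shlex.join(["iptables", "-D", target_chain, *rule]))
    for rule in wanted:
        if rule not in current:
            cmds.append(shlex.join(["iptables", "-A", target_chain, *rule]))
    # Step 6 of the thread: empty the dummy chain before staging the next batch.
    cmds.append(shlex.join(["iptables", "-F", staging_chain]))
    return cmds


if __name__ == "__main__":
    for cmd in plan_changes(LIVE_DUMP, STAGED_DUMP, "INPUT"):
        print(cmd)
```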