cloudstack-dev mailing list archives

From Nguyen Anh Tu <ng.t...@gmail.com>
Subject Re: [Discuss] Apply rules on Virtual Router
Date Tue, 23 Jul 2013 16:33:40 GMT
Just still thinking about the incremental applying solution...

+1 for writing rules to file.


2013/7/23 Alex Huang <Alex.Huang@citrix.com>

> The file approach will definitely make it faster.
>
> Just thinking out loud: if we can write all of the rules to a file, why
> not do an iptables-save, perform a diff and apply the difference?
>
> --Alex
>
> > -----Original Message-----
> > From: Chiradeep Vittal [mailto:Chiradeep.Vittal@citrix.com]
> > Sent: Tuesday, July 23, 2013 5:08 AM
> > To: dev@cloudstack.apache.org
> > Cc: Nguyen Anh Tu
> > Subject: Re: [Discuss] Apply rules on Virtual Router
> >
> > It is quite hard to do a delta update correctly, so a complete rewrite
> > of the ruleset is the safest way to do it. Not sure why it is "slow", but
> > I'd compare it to the time taken to start a VM.
> > One way to make it slightly faster is to write the ruleset to a file and
> > use iptables-restore from the file.
> >
> > On 7/23/13 5:22 PM, "Nguyen Anh Tu" <ng.tuna@gmail.com> wrote:
> >
> > >Anyone?
> > >
> > >
> > >2013/7/22 Nguyen Anh Tu <ng.tuna@gmail.com>
> > >
> > >> Hi guys,
> > >>
> > >> While working with L3 network services, I found a problem in the
> > >> process of applying iptables rules. It currently does not work well in
> > >> my opinion. When you apply a new rule (eg. StaticNat or Egress rule),
> > >> Virtual Router backs up the old rules and re-applies all of the
> > >> non-revoked rules related to the source IP of the new rule, including
> > >> this one. It causes slowness, especially when you have a lot of running
> > >> rules. When you delete a rule, the process happens the same way. The
> > >> deleted rule is marked as "revoked", so it doesn't appear in the list.
> > >> I think we should have a better approach.
> > >>
> > >> Any idea?
> > >>
> > >> --
> > >>
> > >> N.g.U.y.e.N.A.n.H.t.U
> > >>
> > >
> > >
> > >
> > >--
> > >
> > >N.g.U.y.e.N.A.n.H.t.U
>
>


-- 

N.g.U.y.e.N.A.n.H.t.U
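The two ways of pushing a ruleset that the thread discusses (write the whole ruleset to a file for iptables-restore, or iptables-save, diff, and apply only the difference), worked as an added shell example that is not part of this thread or of the CloudStack virtual router code. The sample rulesets are constructed, no iptables command is executed, and the function names (render_ruleset, rule_delta, delta_preserves_order) are this example's own. It also makes Chiradeep's caveat concrete: -A appends to the end of a chain, so a delta cannot place a rule above an existing one, and the order check tells you when the full rewrite is the only correct option.

```shell
#!/bin/sh
# Added example, not CloudStack virtual-router code. Two ways to push a ruleset:
#   1. full rewrite: render the whole ruleset in iptables-save format and load
#      it with "iptables-restore < file" (one atomic commit, not N iptables calls)
#   2. delta: compare the current iptables-save output with the desired file and
#      emit only -D / -A lines for "iptables-restore --noflush"
# Caveat for 2: iptables-save canonicalises rules (e.g. "-p tcp --dport 22"
# comes back as "-p tcp -m tcp --dport 22"), so the desired file must be
# rendered in that same canonical form or every rule looks changed.

# Render a complete filter-table ruleset from "CHAIN rule..." lines on stdin
# into file $1 (the file you would hand to iptables-restore).
render_ruleset() {
    {
        echo '*filter'
        echo ':INPUT ACCEPT [0:0]'
        echo ':FORWARD DROP [0:0]'
        echo ':OUTPUT ACCEPT [0:0]'
        sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' -e 's/^/-A /'
        echo 'COMMIT'
    } > "$1"
}

# Rules of chain $2 in iptables-save file $1, in file order (none is not an error).
chain_rules() { grep "^-A $2 " "$1" || true; }

# Chains that appear in either file, sorted so both sides use one chain order.
all_chains() { cat "$1" "$2" | awk '$1 == "-A" { print $2 }' | sort -u; }

# Emit a --noflush restore script that turns ruleset $1 (current, e.g. the
# output of iptables-save) into ruleset $2 (desired): rules only in $1 become
# -D, rules only in $2 become -A. Chain policies and counters are left alone.
rule_delta() {
    cur=$1; want=$2
    echo '*filter'
    grep '^-A ' "$cur" | while IFS= read -r line; do
        if ! grep -qxF -- "$line" "$want"; then
            printf '%s\n' "$line" | sed 's/^-A /-D /'
        fi
    done
    grep '^-A ' "$want" | while IFS= read -r line; do
        if ! grep -qxF -- "$line" "$cur"; then
            printf '%s\n' "$line"
        fi
    done
    echo 'COMMIT'
}

# Simulate the kernel state after rule_delta (-D removes a rule, -A appends to
# the end of its chain), chain by chain, and compare it with the desired file.
# Returns 0 when the delta reproduces the desired order and 1 when only a full
# rewrite with iptables-restore does.
delta_preserves_order() {
    cur=$1; want=$2
    sim=$(mktemp); exp=$(mktemp)
    for chain in $(all_chains "$cur" "$want"); do
        chain_rules "$cur" "$chain" | while IFS= read -r line; do
            if grep -qxF -- "$line" "$want"; then printf '%s\n' "$line"; fi
        done >> "$sim"
        chain_rules "$want" "$chain" | while IFS= read -r line; do
            if ! grep -qxF -- "$line" "$cur"; then printf '%s\n' "$line"; fi
        done >> "$sim"
        chain_rules "$want" "$chain" >> "$exp"
    done
    if cmp -s "$sim" "$exp"; then rc=0; else rc=1; fi
    rm -f "$sim" "$exp"
    return $rc
}

# Constructed sample rulesets (not taken from any real router).
WORK=$(mktemp -d); CUR=$WORK/current.rules
WANT_APPEND=$WORK/want_append.rules; WANT_INSERT=$WORK/want_insert.rules
render_ruleset "$CUR" <<'EOF'
FORWARD -s 10.1.1.10 -j ACCEPT
FORWARD -s 10.1.1.11 -j ACCEPT
INPUT -p tcp --dport 22 -j ACCEPT
EOF
# 10.1.1.11 revoked, 10.1.1.12 added at the end of FORWARD: a delta is enough
render_ruleset "$WANT_APPEND" <<'EOF'
FORWARD -s 10.1.1.10 -j ACCEPT
FORWARD -s 10.1.1.12 -j ACCEPT
INPUT -p tcp --dport 22 -j ACCEPT
EOF
# a DROP that must precede the ACCEPT for 10.1.1.10: -A would append it last
render_ruleset "$WANT_INSERT" <<'EOF'
FORWARD -s 10.1.1.10 -p tcp --dport 25 -j DROP
FORWARD -s 10.1.1.10 -j ACCEPT
FORWARD -s 10.1.1.11 -j ACCEPT
INPUT -p tcp --dport 22 -j ACCEPT
EOF

rule_delta "$CUR" "$WANT_APPEND"   # on a router: pipe into iptables-restore --noflush
for w in "$WANT_APPEND" "$WANT_INSERT"; do
    delta_preserves_order "$CUR" "$w" && echo "$(basename "$w"): delta is enough" \
        || echo "$(basename "$w"): order differs, full rewrite: iptables-restore < $w"
done
```

The order check is the part worth keeping even if you never ship deltas: run it before every push, apply the small -D/-A script when it passes, and fall back to the full iptables-restore of the rendered file when it fails. Either way the router sees one commit instead of one iptables process per rule, which is where the slowness described in the thread comes from.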
