Open
This improves efficiency when adding a lot of rules to a table. Rather than calling insert or append for each rule, we can execute one iptables operation to replace them all.

Signed-off-by: Tim Rozet <trozet@redhat.com>

7d07ae3 to 077e672
Author
@squeed can you PTAL?
trozet
commented
Apr 2, 2024
| for chain, rules := range rulesMap { | ||
| restoreRules += "\n" + fmt.Sprintf(":%s - [0:0]", strings.ToUpper(chain)) | ||
| for _, rule := range rules { | ||
| restoreRules += "\n" + fmt.Sprintf("-I %s %s", chain, strings.Join(rule, " ")) |
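Review bot: the chain declaration upper-cases the name (`strings.ToUpper(chain)` in the `:%s - [0:0]` line) while the `-I %s %s` line uses `chain` unchanged, so a chain key that is not already upper case is declared under one name and has its rules written to another; chain names are case-sensitive, so use the same value in both lines. `strings.Join(rule, " ")` also writes the arguments unquoted: an argument containing a space is split into several words by the restore parser and one containing a newline becomes an extra input line, so quote such arguments or reject them before building the string. Because `rulesMap` is a Go map the chains come out in a different order on each run, and `-I` leaves each chain in the reverse of its slice order; sorting the keys and documenting the insert behaviour would make the generated input predictable.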
Author
Here I assumed Insert for the rules... but maybe it would be more appropriate to use Append. Another option is to make it part of the rule, or make it a parameter to the function. I don't have any preference.
I would personally expect Append but perhaps it could be documented that this is the behavior
@jcaamano tagging me here
nickgarlis
reviewed
Sep 25, 2024
|
|
||
| // runWithOutput runs an iptables command with the given arguments, | ||
| // writing any stdout output to the given writer | ||
| func (ipt *IPTables) runRestore(args []string, input string) error { |
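Review bot: the doc comment above `runRestore` still names `runWithOutput` and describes writing stdout to a writer, but the signature is `runRestore(args []string, input string) error` and has no writer parameter. Rewrite the comment to start with `runRestore`, say what `input` is and how it is passed to the command, and note that only an error is returned.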
I don't know if the maintainers are planning to merge this PR but it'd be nice to make this function public or maybe create a wrapper RestoreRaw(args []string, input string)
Is there any progress on this PR? I have encountered similar problems and I think I can help to advance it. 😀
This improves efficiency when adding a lot of rules to a table. Rather than calling insert or append for each rule, we can execute one iptables operation to replace them all.
This was identified to greatly improve the performance in ovn-kubernetes. The overall time of installing 1000 rules was taking 4.8 seconds by insert operations. By moving to this commit it only takes .058 seconds.
ovn-kubernetes/ovn-kubernetes#4241
ovn-kubernetes/ovn-kubernetes#4241 (comment)
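An added example, not code from this PR or from the library: one way to build the single restore input the description refers to, with chains sorted, the chain name spelled identically in the declaration and the rules, arguments quoted and line breaks refused. `BuildRestore` and `quoteArg` are hypothetical names; the chains are assumed to be user-defined, the table name is assumed to be a trusted constant, and the sample data is constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// quoteArg double-quotes an argument when needed, escaping \ and ".
func quoteArg(a string) string {
	if a != "" && !strings.ContainsAny(a, " \t\"\\") {
		return a
	}
	return `"` + strings.NewReplacer(`\`, `\\`, `"`, `\"`).Replace(a) + `"`
}

// BuildRestore (hypothetical name) returns restore input for one table. Chains are
// taken as user-defined (policy "-"); table is assumed to be a trusted constant.
func BuildRestore(table string, rulesMap map[string][][]string) (string, error) {
	chains := make([]string, 0, len(rulesMap))
	for c := range rulesMap {
		if c == "" || strings.ContainsAny(c, " \t\n\r\x00") {
			return "", fmt.Errorf("invalid chain name %q", c)
		}
		chains = append(chains, c)
	}
	sort.Strings(chains) // Go map order is random; sort for reproducible input
	var decl, body strings.Builder
	for _, c := range chains {
		fmt.Fprintf(&decl, ":%s - [0:0]\n", c) // same spelling as the rules below
		for _, rule := range rulesMap[c] {
			// Every input line is a separate command, so refuse embedded line breaks.
			if strings.ContainsAny(strings.Join(rule, ""), "\n\r\x00") {
				return "", fmt.Errorf("rule %q contains a line break or NUL", rule)
			}
			body.WriteString("-A " + c) // -A keeps the slice order within the chain
			for _, a := range rule {
				body.WriteString(" " + quoteArg(a))
			}
			body.WriteByte('\n')
		}
	}
	return "*" + table + "\n" + decl.String() + body.String() + "COMMIT\n", nil
}

func main() {
	out, err := BuildRestore("nat", map[string][][]string{"DEMO": {{"-j", "RETURN"}}}) // constructed input
	fmt.Printf("%serr=%v\n", out, err)
}
```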