The previous patch series created separate global libvirt chains for
virtual network rules.

This goes further and creates chains per virtual network. The idea is
that when stopping networks, we can just delete the chains, instead of
every individual rule.

Unfortunately creating/deleting/flushing chains appears surprisingly
expensive.

With 100 networks running, this series slows down libvirtd restart
from 13 seconds to 30 seconds :-(

Thus I'm not proposing to continue with this idea unless there's a
more compelling reason to do it.
Daniel P. Berrangé (2):
util: add support for creating per-network chains
util: move firewall rules into per network chains
src/libvirt_private.syms | 3 +-
src/network/bridge_driver_linux.c | 28 ++-
src/util/viriptables.c | 201 +++++++++++++++---
src/util/viriptables.h | 8 +-
.../nat-default-linux.args | 128 +++++++++--
.../nat-ipv6-linux.args | 144 +++++++++++--
.../nat-many-ips-linux.args | 156 +++++++++++---
.../nat-no-dhcp-linux.args | 142 +++++++++++--
.../nat-tftp-linux.args | 130 +++++++++--
.../route-default-linux.args | 118 +++++++++-
10 files changed, 901 insertions(+), 157 deletions(-)
--
2.19.2