The flush method, and thus the shell out in persist_iptables, is called on every modified resource. It would be more cost effective to call it once after all Firewall/Firewallchain resources have been synced.
@kbarber, any idea if this is technically possible?
I was thinking about this as well. I mean, I don't think the cost is that bad to an extent - dunno, run it with 100 rules and compare it I guess. There is always this fear of shelling out being costly but with no data to back it up.
Having said that you could flush very late, we used to do this with puppet-iptables but it was in the type itself - somehow attached to when the type object was destroyed. The danger in this is that the API may not be solid. If we can find a method call in the provider then great, but I've got a feeling it's going to be dodgy either way.
Improvements on #133