Persistence: flush shells out on every resource

[dcarley]

Improvements on #133

The flush method, and thus the shell out in persist_iptables, is called on every modified resource. It would be more cost effective to call it once after all Firewall/Firewallchain resources have been synced.

@kbarber, any idea if this is technically possible?

[kbarber]

I was thinking about this as well. I mean, I don't think the cost is that bad to an extent - dunno, run it with 100 rules and compare it I guess. There is always this fear of shelling out being costly but with no data to back it up.

Having said that you could flush very late, we used to do this with puppet-iptables but it was in the type itself - somehow attached to when the type object was destroyed. The danger in this is that the API may not be solid. If we can find a method call in the provider then great, but I've got a feeling its going to be dodgy either way.

[chelnak]

Hello! We are doing some house keeping and noticed that this issue has been open for a long time.

We're going to close it but please do raise another issue if the issue still persists. 😄