extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-01 07:25:42 +02:00
Code Issues Packages Projects Releases Wiki Activity

Document optimize 16 in the manpages

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2011-11-24 11:11:59 -08:00
parent f305da9d0d
commit 0f02b497f6
2 changed files with 117 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
manpages/shorewall.conf.xml
View File

@ -1506,13 +1506,66 @@ net all DROP info</programlisting>then the chain name is 'net2all'
<listitem> <listitem>
<para>Optimization category 8 - Added in Shorewall 4.4.9. When <para>Optimization category 8 - Added in Shorewall 4.4.9. When
set, causes chains with duplicate rules to be collapsed into a set, causes chains with identical rules to be collapsed into a
single chain.</para> single chain.</para>
</listitem>
<caution> <listitem>
<para>Optimization category 8 adds significantly to the time <para>Optimization category 16 - Added in Shorewall 4.4.26. When
required to compile a large ruleset.</para> set, causes sequences of <firstterm>compatible</firstterm> rules
</caution> to be combined into a single rule. Rules are considered
compatible if they differ only in their destination ports and
comments.</para>
<para>A sequence of combatible rules is often generated when
macros are invoked in sequence.</para>
<para>The ability to combine adjacent rules is limited by two
factors:</para>
<itemizedlist>
<listitem>
<para>Destination port lists may only be combined up to a
maximum of 15 ports, where a port-pair counts as two
ports.</para>
</listitem>
<listitem>
<para>Rules may only be combined until the length of their
concatinated comment reaches 255 characters.</para>
</listitem>
</itemizedlist>
<para>When either of these limits would be exceeded, the current
combined rule is emitted and the compiler attemts to combine
rules beginning with the one that would have exceeded the limit.
Adjacent combined comments are separated by ', '. Empty comments
at the front of a group of combined comments are replaced by
'Others and'. Empty comments at the end of a group of combined
comments are replaced by 'and others'.</para>
<variablelist>
<varlistentry>
<term>Example 1:</term>
<listitem>
<para>Rules with comments "FOO", &lt;empty&gt; and "BAR"
would result in the combined comment "FOO and others,
BAR".</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 2:</term>
<listitem>
<para>Rules with comments &lt;empty&gt;, "FOO" and "BAR"
would reult in the combined comment "Others and FOO, BAR".
Note: Optimize level 16 requires "Extended Multi-port
Match" in your iptables and kernel.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem> </listitem>
</itemizedlist> </itemizedlist>

60
manpages6/shorewall6.conf.xml
View File

@ -1304,9 +1304,67 @@ net all DROP info</programlisting>then the chain name is 'net2all'
<listitem> <listitem>
<para>Optimization category 8 - Added in Shorewall 4.4.9. When <para>Optimization category 8 - Added in Shorewall 4.4.9. When
set, causes chains with duplicate rules to be collapsed into a set, causes chains with identical rules to be collapsed into a
single chain.</para> single chain.</para>
</listitem> </listitem>
<listitem>
<para>Optimization category 16 - Added in Shorewall 4.4.26. When
set, causes sequences of <firstterm>compatible</firstterm> rules
to be combined into a single rule. Rules are considered
compatible if they differ only in their destination ports and
comments.</para>
<para>A sequence of combatible rules is often generated when
macros are invoked in sequence.</para>
<para>The ability to combine adjacent rules is limited by two
factors:</para>
<itemizedlist>
<listitem>
<para>Destination port lists may only be combined up to a
maximum of 15 ports, where a port-pair counts as two
ports.</para>
</listitem>
<listitem>
<para>Rules may only be combined until the length of their
concatinated comment reaches 255 characters.</para>
</listitem>
</itemizedlist>
<para>When either of these limits would be exceeded, the current
combined rule is emitted and the compiler attemts to combine
rules beginning with the one that would have exceeded the limit.
Adjacent combined comments are separated by ', '. Empty comments
at the front of a group of combined comments are replaced by
'Others and'. Empty comments at the end of a group of combined
comments are replaced by 'and others'.</para>
<variablelist>
<varlistentry>
<term>Example 1:</term>
<listitem>
<para>Rules with comments "FOO", &lt;empty&gt; and "BAR"
would result in the combined comment "FOO and others,
BAR".</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 2:</term>
<listitem>
<para>Rules with comments &lt;empty&gt;, "FOO" and "BAR"
would reult in the combined comment "Others and FOO, BAR".
Note: Optimize level 16 requires "Extended Multi-port
Match" in your iptables and kernel.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</itemizedlist> </itemizedlist>
<para>The default value is zero which disables all <para>The default value is zero which disables all