Make OPTIMIZE=16 an order of magnitude faster

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2020-04-20 10:29:36 -07:00
parent 18360471ab
commit e14798b4a2
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
2 changed files with 69 additions and 46 deletions


@ -25,6 +25,7 @@
# #
############################################################################### ###############################################################################
# set the STATEDIR variable # set the STATEDIR variable
setstatedir() { setstatedir() {
local statedir local statedir
if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
@ -59,8 +60,9 @@ else
exit 1 exit 1
fi fi
# Initialize the firewall # Initialize the firewalls
shorewall_start () {
shorewall_init_start () {
local PRODUCT local PRODUCT
local STATEDIR local STATEDIR
@ -86,12 +88,14 @@ shorewall_start () {
return 0 return 0
} }
# Clear the firewall # Clear the firewalls
shorewall_stop () {
shorewall_init_stop () {
local PRODUCT local PRODUCT
local STATEDIR local STATEDIR
printf "Clearing \"Shorewall-based firewalls\": " printf "Clearing \"Shorewall-based firewalls\": "
for PRODUCT in $PRODUCTS; do for PRODUCT in $PRODUCTS; do
if setstatedir; then if setstatedir; then
# #
@ -119,10 +123,10 @@ shorewall_stop () {
case "$1" in case "$1" in
start) start)
shorewall_start shorewall_init_start
;; ;;
stop) stop)
shorewall_stop shorewall_init_stop
;; ;;
*) *)
echo "Usage: $0 {start|stop}" echo "Usage: $0 {start|stop}"


@ -726,6 +726,7 @@ our %opttype = ( rule => CONTROL,
'icmpv6-type' => UNIQUE, 'icmpv6-type' => UNIQUE,
comment => CONTROL, comment => CONTROL,
digest => CONTROL,
policy => MATCH, policy => MATCH,
state => EXCLUSIVE, state => EXCLUSIVE,
@ -3521,6 +3522,33 @@ sub irule_to_string( $ ) {
$string; $string;
} }
#
# This one omits the comment
#
sub irule_to_string1( $ ) {
my ( $ruleref ) = @_;
return $ruleref->{cmd} if exists $ruleref->{cmd};
my $string = '';
for ( grep ! ( get_opttype( $_, 0 ) & ( CONTROL | TARGET ) ), @{$ruleref->{matches}}) {
my $value = $ruleref->{$_};
if ( reftype $value ) {
$string .= "$_=" . join( ',', @$value ) . ' ';
} else {
$string .= "$_=$value ";
}
}
if ( $ruleref->{target} ) {
$string .= join( ' ', " -$ruleref->{jump}", $ruleref->{target} );
$string .= join( '', ' ', $ruleref->{targetopts} ) if $ruleref->{targetopts};
}
$string;
}
sub calculate_digest( $ ) { sub calculate_digest( $ ) {
my $chainref = shift; my $chainref = shift;
my $rules = ''; my $rules = '';
@ -4193,7 +4221,7 @@ sub get_multi_sports( $ ) {
# Return an array of keys for the passed rule. 'dport', 'comment', and 'origin' are omitted; # Return an array of keys for the passed rule. 'dport', 'comment', and 'origin' are omitted;
# #
sub get_keys( $ ) { sub get_keys( $ ) {
my %skip = ( dport => 1, comment => 1, origin => 1 ); my %skip = ( dport => 1, comment => 1, origin => 1, digest => 1 );
sort grep ! $skip{$_}, keys %{$_[0]}; sort grep ! $skip{$_}, keys %{$_[0]};
} }
@ -4374,64 +4402,55 @@ sub delete_duplicates {
my @rules; my @rules;
my $chainref = shift; my $chainref = shift;
my $lastrule = @_; my $lastrule = @_;
my $baseref = pop;
my $ruleref; my $ruleref;
my %skip = ( comment => 1, origin => 1 ); my %skip = ( comment => 1, origin => 1 );
for ( @_ ) {
$_->{digest} = sha1_hex irule_to_string1( $_ );
}
my $baseref = pop;
while ( @_ ) { while ( @_ ) {
my $docheck; my $docheck;
my $duplicate = 0; my $duplicate = 0;
if ( $baseref->{mode} == CAT_MODE && $baseref->{target} ) { if ( $baseref->{mode} == CAT_MODE && $baseref->{target} ) {
my $ports1; my $ports1;
my @keys1 = sort( grep ! $skip{$_}, keys( %$baseref ) ); my $bad_key;
my $rulenum = @_; my $rulenum = @_;
my $adjacent = 1; my $adjacent = 1;
my $digest = $baseref->{digest};
{ for ( grep ! $skip{$_}, keys( %$baseref ) ) {
RULE: $bad_key = 1, last if $bad_match{$_};
}
while ( --$rulenum >= 0 ) { while ( --$rulenum >= 0 ) {
$ruleref = $_[$rulenum]; $ruleref = $_[$rulenum];
last unless $ruleref->{mode} == CAT_MODE; last unless $ruleref->{mode} == CAT_MODE;
my @keys2 = sort(grep ! $skip{$_}, keys( %$ruleref ) );
next unless @keys1 == @keys2 ;
next unless $digest eq $ruleref->{digest};
my $keynum = 0; my $keynum = 0;
if ( $adjacent > 0 ) { unless ( $adjacent > 0 ) {
#
# There are no non-duplicate rules between this rule and the base rule
#
for my $key ( @keys1 ) {
next RULE unless $key eq $keys2[$keynum++];
next RULE unless compare_values( $baseref->{$key}, $ruleref->{$key} );
}
} else {
#
# There are non-duplicate rules between this rule and the base rule
#
for my $key ( @keys1 ) {
next RULE unless $key eq $keys2[$keynum++];
next RULE unless compare_values( $baseref->{$key}, $ruleref->{$key} );
last RULE if $bad_match{$key};
}
}
# #
# This rule is a duplicate # There are non-duplicate rules between this rule and the base rule
# #
$duplicate = 1; last if $bad_key;
#
# Increment $adjacent so that the continue block won't set it to zero
#
$adjacent++;
} continue {
$adjacent--;
} }
#
# This rule is a duplicate
#
$duplicate = 1;
#
# Increment $adjacent so that the continue block won't set it to zero
#
$adjacent++;
} continue {
$adjacent--;
} }
} }
@ -4471,7 +4490,7 @@ sub get_conntrack( $ ) {
# Return an array of keys for the passed rule. 'conntrack', 'comment' & 'origin' are omitted; # Return an array of keys for the passed rule. 'conntrack', 'comment' & 'origin' are omitted;
# #
sub get_keys1( $ ) { sub get_keys1( $ ) {
my %skip = ( comment => 1, origin => 1 , 'conntrack --ctstate' => 1 ); my %skip = ( comment => 1, origin => 1 , digest => 1, 'conntrack --ctstate' => 1 );
sort grep ! $skip{$_}, keys %{$_[0]}; sort grep ! $skip{$_}, keys %{$_[0]};
} }
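Review bot: `my $keynum = 0;` at the top of the inner `while ( --$rulenum >= 0 )` loop in delete_duplicates is now dead code: the two per-key loops that advanced `$keys2[$keynum++]` were removed in favour of the `$digest eq $ruleref->{digest}` test, and nothing on the new side reads `$keynum`, so the declaration should be dropped (an unused lexical is not reported by `use warnings`). Duplicate detection now rests on `sha1_hex irule_to_string1( $_ )`, which serialises each match as `"$_=$value "` separated by single spaces; if any match value can itself contain a space the serialisation is not injective and two distinct rules could hash equal, causing a live rule to be silently removed from the generated ruleset — whether values can contain spaces is not visible here, but since this string only feeds the digest an unambiguous separator such as `"\0"` in `irule_to_string1` would remove the question at no cost. The `digest` key is also cached on every rule hash; `%opttype`, `get_keys` and `get_keys1` were taught to ignore it, but any other code that iterates a rule's keys (not visible in this diff) will now see it, so that is worth a grep. The body of delete_duplicates both starts before this hunk and continues past it.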