diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index a2c4d098a..40f370e7e 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -3302,6 +3302,30 @@ sub optimize_level4( $$ ) {
$progress = 1 if replace_references1 $chainref, $firstrule;
}
}
+ } else {
+ #
+ # Chain has more than one rule. If the last rule is a simple jump, then delete
+ # all preceding rules that have the same target
+ #
+ my $rulesref = $chainref->{rules};
+ my $lastref = $rulesref->[-1];
+
+ if ( $lastref->{simple} && $lastref->{target} && ! $lastref->{targetopts} ) {
+ my $target = $lastref->{target};
+
+ pop @$rulesref; #Pop the last simple rule
+
+ while ( @$rulesref ) {
+ my $rule1ref = $rulesref->[-1];
+
+ last unless ( $rule1ref->{target} || '' ) eq $target && ! $rule1ref->{targetopts};
+
+ pop @$rulesref;
+ $progress = 1;
+ }
+
+ push @$rulesref, $lastref; #Now restore the last simple rule
+ }
}
}
}
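Review bot: The pruning loop's test `last unless ( $rule1ref->{target} || '' ) eq $target && ! $rule1ref->{targetopts};` removes every immediately preceding rule that names the same target, but nothing in the hunk restricts `$target` to a terminating target, and `$lastref->{simple}` appears (from the manpage wording "unqualified jump") to record only that the last rule carries no match. If `$target` can be a non-terminating target such as a user chain that returns, a packet matching one of the dropped rules would previously have traversed that chain twice and now traverses it once, so for logging or counting chains the rewrite would not be behaviour-preserving; either gate the branch on a terminating-target check (whatever flag the rule hash already uses to distinguish builtin terminating targets, if one exists) or state the assumption in the comment, e.g. `# Only valid when $target is terminating: a packet matching a dropped rule would reach the final jump anyway`. A smaller point is that `$rulesref->[-1]` on an empty rules list leaves `$lastref` undef, so the branch silently relies on the caller guaranteeing the "more than one rule" precondition stated in the comment. optimize_level4 begins before the hunk.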
diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml
index 72e6e7910..0dc3b55d5 100644
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -96,7 +96,7 @@
role="bold">none}
-+ If CONFIG_PATH is not given or if it is set to the empty value then the contents of /usr/share/shorewall/configpath are 
@@ -814,7 +814,7 @@ net all DROP infothen the chain name is 'net2all' - + If this variable is not set or is given an empty value 
@@ -1024,7 +1024,7 @@ net all DROP infothen the chain name is 'net2all' - + For example, using the default LOGFORMAT, the log prefix for 
@@ -1041,7 +1041,7 @@ net all DROP infothen the chain name is 'net2all' control your firewall after you enable this option. -+ Do not use this option if the resulting log messages will 
@@ -1538,6 +1538,23 @@ net all DROP infothen the chain name is 'net2all' chain are appended to it. + +An additional optimization was added in Shorewall 4.5.4. + If the last rule in a chain is an unqualified jump to a simple + target, then all immediately preceding rules with the same + simple target are omitted. + +For example, consider this chain: + +-A fw-net -p udp --dport 67:68 -j ACCEPT + -A fw-net -p udp --sport 1194 -j ACCEPT + -A fw-net -p 41 -j ACCEPT + -A fw-net -j ACCEPT + + +Since all of the rules are jumps to the simple target + ACCEPT, this chain is totally optimized away and jumps to the + chain are replace with jumps to ACCEPT. 
@@ -1677,7 +1694,7 @@ net all DROP infothen the chain name is 'net2all' role="bold">" -- 
diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml 
index c22d921a8..0c8859834 100644 
--- a/Shorewall6/manpages/shorewall6.conf.xml 
+++ b/Shorewall6/manpages/shorewall6.conf.xml 
@@ -82,7 +82,7 @@ role="bold">none}+ - 
@@ -92,7 +92,7 @@ role="bold">none}+ - 
@@ -102,7 +102,7 @@ role="bold">none}+ - 
@@ -112,7 +112,7 @@ role="bold">none}+ - 
@@ -887,7 +887,7 @@ net all DROP infothen the chain name is 'net2all'+ + For example, using the default LOGFORMAT, the log prefix for 
@@ -904,7 +904,7 @@ net all DROP infothen the chain name is 'net2all' control your firewall after you enable this option. -+ Do not use this option if the resulting log messages will 
@@ -1336,6 +1336,23 @@ net all DROP infothen the chain name is 'net2all' chain are appended to it. + +An additional optimization was added in Shorewall 4.5.4. + If the last rule in a chain is an unqualified jump to a simple + target, then all immediately preceding rules with the same + simple target are omitted. + +For example, consider this chain: + +-A fw-net -p udp --dport 67:68 -j ACCEPT + -A fw-net -p udp --sport 1194 -j ACCEPT + -A fw-net -p 41 -j ACCEPT + -A fw-net -j ACCEPT + + +Since all of the rules are jumps to the simple target + ACCEPT, this chain is totally optimized away and jumps to the + chain are replace with jumps to ACCEPT. 
@@ -1475,7 +1492,7 @@ net all DROP infothen the chain name is 'net2all' role="bold">" - +