Additional optimization in level 4.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2012-05-18 16:50:08 -07:00
parent 3f42350a7b
commit f15e6d3995
3 changed files with 74 additions and 16 deletions

@ -3302,6 +3302,30 @@ sub optimize_level4( $$ ) {
$progress = 1 if replace_references1 $chainref, $firstrule; $progress = 1 if replace_references1 $chainref, $firstrule;
} }
} }
} else {
#
# Chain has more than one rule. If the last rule is a simple jump, then delete
# all preceding rules that have the same target
#
my $rulesref = $chainref->{rules};
my $lastref = $rulesref->[-1];
if ( $lastref->{simple} && $lastref->{target} && ! $lastref->{targetopts} ) {
my $target = $lastref->{target};
pop @$rulesref; #Pop the last simple rule
while ( @$rulesref ) {
my $rule1ref = $rulesref->[-1];
last unless ( $rule1ref->{target} || '' ) eq $target && ! $rule1ref->{targetopts};
pop @$rulesref;
$progress = 1;
}
push @$rulesref, $lastref; #Now restore the last simple rule
}
} }
} }
} }
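Review bot: the new else branch checks `$lastref->{simple}`, `$lastref->{target}` and `! $lastref->{targetopts}`, but nothing visible in this hunk confirms that `$target` is a terminating built-in such as ACCEPT rather than a user-defined chain, which is what the manpage text added in this commit ("unqualified jump to a simple target") promises. If the target can be a chain that returns, removing the earlier qualified jumps changes how often matching packets traverse it, which matters when that chain logs or marks packets. Add an explicit test on the target type before the `pop @$rulesref;`, or extend the comment to say where that guarantee comes from.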

@ -96,7 +96,7 @@
role="bold">none</emphasis>}</term> role="bold">none</emphasis>}</term>
<listitem> <listitem>
<para/> <para></para>
</listitem> </listitem>
</varlistentry> </varlistentry>
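Review bot: the `<para/>` to `<para></para>` rewrite in this hunk, which recurs in most of the remaining hunks of both manpage files, is unrelated to the level 4 optimization and looks like XML editor re-serialization. Move it to its own commit or revert it, so that the documentation change for the new optimization is easy to find in the history.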
@ -106,7 +106,7 @@
role="bold">none</emphasis>}</term> role="bold">none</emphasis>}</term>
<listitem> <listitem>
<para/> <para></para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -116,7 +116,7 @@
role="bold">none</emphasis>}</term> role="bold">none</emphasis>}</term>
<listitem> <listitem>
<para/> <para></para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -126,7 +126,7 @@
role="bold">none</emphasis>}</term> role="bold">none</emphasis>}</term>
<listitem> <listitem>
<para/> <para></para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -482,7 +482,7 @@
</itemizedlist> </itemizedlist>
<blockquote> <blockquote>
<para/> <para></para>
<para>If CONFIG_PATH is not given or if it is set to the empty <para>If CONFIG_PATH is not given or if it is set to the empty
value then the contents of /usr/share/shorewall/configpath are value then the contents of /usr/share/shorewall/configpath are
@ -814,7 +814,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</varlistentry> </varlistentry>
</variablelist> </variablelist>
<para/> <para></para>
<blockquote> <blockquote>
<para>If this variable is not set or is given an empty value <para>If this variable is not set or is given an empty value
@ -1024,7 +1024,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para/> <para></para>
<blockquote> <blockquote>
<para>For example, using the default LOGFORMAT, the log prefix for <para>For example, using the default LOGFORMAT, the log prefix for
@ -1041,7 +1041,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
control your firewall after you enable this option.</para> control your firewall after you enable this option.</para>
</important> </important>
<para/> <para></para>
<caution> <caution>
<para>Do not use this option if the resulting log messages will <para>Do not use this option if the resulting log messages will
@ -1538,6 +1538,23 @@ net all DROP info</programlisting>then the chain name is 'net2all'
chain are appended to it.</para> chain are appended to it.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>An additional optimization was added in Shorewall 4.5.4.
If the last rule in a chain is an unqualified jump to a simple
target, then all immediately preceding rules with the same
simple target are omitted.</para>
<para>For example, consider this chain:</para>
<programlisting> -A fw-net -p udp --dport 67:68 -j ACCEPT
-A fw-net -p udp --sport 1194 -j ACCEPT
-A fw-net -p 41 -j ACCEPT
-A fw-net -j ACCEPT
</programlisting>
<para>Since all of the rules are jumps to the simple target
ACCEPT, this chain is totally optimized away and jumps to the
chain are replace with jumps to ACCEPT.</para>
</listitem> </listitem>
<listitem> <listitem>
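Review bot: in the last added paragraph, "jumps to the chain are replace with jumps to ACCEPT" should read "are replaced with". That paragraph also says the chain is "totally optimized away", while the rule stated two paragraphs earlier only covers omitting the preceding rules; one sentence saying which step removes the remaining one-rule chain would connect the two.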
@ -1677,7 +1694,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
role="bold">"</emphasis></term> role="bold">"</emphasis></term>
<listitem> <listitem>
<para/> <para></para>
</listitem> </listitem>
</varlistentry> </varlistentry>

@ -82,7 +82,7 @@
role="bold">none</emphasis>}</term> role="bold">none</emphasis>}</term>
<listitem> <listitem>
<para/> <para></para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -92,7 +92,7 @@
role="bold">none</emphasis>}</term> role="bold">none</emphasis>}</term>
<listitem> <listitem>
<para/> <para></para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -102,7 +102,7 @@
role="bold">none</emphasis>}</term> role="bold">none</emphasis>}</term>
<listitem> <listitem>
<para/> <para></para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -112,7 +112,7 @@
role="bold">none</emphasis>}</term> role="bold">none</emphasis>}</term>
<listitem> <listitem>
<para/> <para></para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -887,7 +887,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para/> <para></para>
<blockquote> <blockquote>
<para>For example, using the default LOGFORMAT, the log prefix for <para>For example, using the default LOGFORMAT, the log prefix for
@ -904,7 +904,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
control your firewall after you enable this option.</para> control your firewall after you enable this option.</para>
</important> </important>
<para/> <para></para>
<caution> <caution>
<para>Do not use this option if the resulting log messages will <para>Do not use this option if the resulting log messages will
@ -1336,6 +1336,23 @@ net all DROP info</programlisting>then the chain name is 'net2all'
chain are appended to it.</para> chain are appended to it.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>An additional optimization was added in Shorewall 4.5.4.
If the last rule in a chain is an unqualified jump to a simple
target, then all immediately preceding rules with the same
simple target are omitted. </para>
<para>For example, consider this chain:</para>
<programlisting> -A fw-net -p udp --dport 67:68 -j ACCEPT
-A fw-net -p udp --sport 1194 -j ACCEPT
-A fw-net -p 41 -j ACCEPT
-A fw-net -j ACCEPT
</programlisting>
<para>Since all of the rules are jumps to the simple target
ACCEPT, this chain is totally optimized away and jumps to the
chain are replace with jumps to ACCEPT.</para>
</listitem> </listitem>
<listitem> <listitem>
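Review bot: this copy of the new text has a stray space before the closing tag in "simple target are omitted. </para>", so the two manpage copies of the same paragraph already differ; make them identical. The "are replace with" typo in the last added paragraph needs the same fix here.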
@ -1475,7 +1492,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
role="bold">"</emphasis></term> role="bold">"</emphasis></term>
<listitem> <listitem>
<para/> <para></para>
</listitem> </listitem>
</varlistentry> </varlistentry>