mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-23 06:38:53 +01:00
Additional optimization in level 4.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
3f42350a7b
commit
f15e6d3995
@ -3302,6 +3302,30 @@ sub optimize_level4( $$ ) {
|
|||||||
$progress = 1 if replace_references1 $chainref, $firstrule;
|
$progress = 1 if replace_references1 $chainref, $firstrule;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
} else {
|
||||||
|
#
|
||||||
|
# Chain has more than one rule. If the last rule is a simple jump, then delete
|
||||||
|
# all preceding rules that have the same target
|
||||||
|
#
|
||||||
|
my $rulesref = $chainref->{rules};
|
||||||
|
my $lastref = $rulesref->[-1];
|
||||||
|
|
||||||
|
if ( $lastref->{simple} && $lastref->{target} && ! $lastref->{targetopts} ) {
|
||||||
|
my $target = $lastref->{target};
|
||||||
|
|
||||||
|
pop @$rulesref; #Pop the last simple rule
|
||||||
|
|
||||||
|
while ( @$rulesref ) {
|
||||||
|
my $rule1ref = $rulesref->[-1];
|
||||||
|
|
||||||
|
last unless ( $rule1ref->{target} || '' ) eq $target && ! $rule1ref->{targetopts};
|
||||||
|
|
||||||
|
pop @$rulesref;
|
||||||
|
$progress = 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
push @$rulesref, $lastref; #Now restore the last simple rule
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
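Review bot: The new loop treats a preceding rule as redundant from its target alone (`last unless ( $rule1ref->{target} || '' ) eq $target && ! $rule1ref->{targetopts};`), so a rule whose matches have side effects, such as one that updates a `recent` list or consumes a `limit`/`hashlimit` token, would be popped along with the harmless ones and the generated ruleset would silently stop doing that work. Whether such rules can reach this point depends on how the rule hash marks them, which is not visible here. Likewise, the test on `$lastref` appears to check only that the rule is unqualified and has a target, not that the target is terminating (ACCEPT/DROP/REJECT rather than a user chain that can return). If both are guaranteed elsewhere, record it above the `if`, e.g. `# Safe only because $target is terminating and the popped rules' matches have no side effects`; otherwise extend the `last unless` condition to stop at the first rule carrying such a match. The enclosing `optimize_level4` starts and ends outside this hunk.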
@ -96,7 +96,7 @@
|
|||||||
role="bold">none</emphasis>}</term>
|
role="bold">none</emphasis>}</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para/>
|
<para></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -106,7 +106,7 @@
|
|||||||
role="bold">none</emphasis>}</term>
|
role="bold">none</emphasis>}</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para/>
|
<para></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -116,7 +116,7 @@
|
|||||||
role="bold">none</emphasis>}</term>
|
role="bold">none</emphasis>}</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para/>
|
<para></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -126,7 +126,7 @@
|
|||||||
role="bold">none</emphasis>}</term>
|
role="bold">none</emphasis>}</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para/>
|
<para></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -482,7 +482,7 @@
|
|||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<para/>
|
<para></para>
|
||||||
|
|
||||||
<para>If CONFIG_PATH is not given or if it is set to the empty
|
<para>If CONFIG_PATH is not given or if it is set to the empty
|
||||||
value then the contents of /usr/share/shorewall/configpath are
|
value then the contents of /usr/share/shorewall/configpath are
|
||||||
@ -814,7 +814,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
|
|
||||||
<para/>
|
<para></para>
|
||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<para>If this variable is not set or is given an empty value
|
<para>If this variable is not set or is given an empty value
|
||||||
@ -1024,7 +1024,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
<para/>
|
<para></para>
|
||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<para>For example, using the default LOGFORMAT, the log prefix for
|
<para>For example, using the default LOGFORMAT, the log prefix for
|
||||||
@ -1041,7 +1041,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
control your firewall after you enable this option.</para>
|
control your firewall after you enable this option.</para>
|
||||||
</important>
|
</important>
|
||||||
|
|
||||||
<para/>
|
<para></para>
|
||||||
|
|
||||||
<caution>
|
<caution>
|
||||||
<para>Do not use this option if the resulting log messages will
|
<para>Do not use this option if the resulting log messages will
|
||||||
@ -1538,6 +1538,23 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
chain are appended to it.</para>
|
chain are appended to it.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
|
<para>An additional optimization was added in Shorewall 4.5.4.
|
||||||
|
If the last rule in a chain is an unqualified jump to a simple
|
||||||
|
target, then all immediately preceding rules with the same
|
||||||
|
simple target are omitted.</para>
|
||||||
|
|
||||||
|
<para>For example, consider this chain:</para>
|
||||||
|
|
||||||
|
<programlisting> -A fw-net -p udp --dport 67:68 -j ACCEPT
|
||||||
|
-A fw-net -p udp --sport 1194 -j ACCEPT
|
||||||
|
-A fw-net -p 41 -j ACCEPT
|
||||||
|
-A fw-net -j ACCEPT
|
||||||
|
</programlisting>
|
||||||
|
|
||||||
|
<para>Since all of the rules are jumps to the simple target
|
||||||
|
ACCEPT, this chain is totally optimized away and jumps to the
|
||||||
|
chain are replace with jumps to ACCEPT.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -1677,7 +1694,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
role="bold">"</emphasis></term>
|
role="bold">"</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para/>
|
<para></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
@ -82,7 +82,7 @@
|
|||||||
role="bold">none</emphasis>}</term>
|
role="bold">none</emphasis>}</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para/>
|
<para></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -92,7 +92,7 @@
|
|||||||
role="bold">none</emphasis>}</term>
|
role="bold">none</emphasis>}</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para/>
|
<para></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -102,7 +102,7 @@
|
|||||||
role="bold">none</emphasis>}</term>
|
role="bold">none</emphasis>}</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para/>
|
<para></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -112,7 +112,7 @@
|
|||||||
role="bold">none</emphasis>}</term>
|
role="bold">none</emphasis>}</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para/>
|
<para></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -887,7 +887,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
<para/>
|
<para></para>
|
||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<para>For example, using the default LOGFORMAT, the log prefix for
|
<para>For example, using the default LOGFORMAT, the log prefix for
|
||||||
@ -904,7 +904,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
control your firewall after you enable this option.</para>
|
control your firewall after you enable this option.</para>
|
||||||
</important>
|
</important>
|
||||||
|
|
||||||
<para/>
|
<para></para>
|
||||||
|
|
||||||
<caution>
|
<caution>
|
||||||
<para>Do not use this option if the resulting log messages will
|
<para>Do not use this option if the resulting log messages will
|
||||||
@ -1336,6 +1336,23 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
chain are appended to it.</para>
|
chain are appended to it.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
|
<para>An additional optimization was added in Shorewall 4.5.4.
|
||||||
|
If the last rule in a chain is an unqualified jump to a simple
|
||||||
|
target, then all immediately preceding rules with the same
|
||||||
|
simple target are omitted. </para>
|
||||||
|
|
||||||
|
<para>For example, consider this chain:</para>
|
||||||
|
|
||||||
|
<programlisting> -A fw-net -p udp --dport 67:68 -j ACCEPT
|
||||||
|
-A fw-net -p udp --sport 1194 -j ACCEPT
|
||||||
|
-A fw-net -p 41 -j ACCEPT
|
||||||
|
-A fw-net -j ACCEPT
|
||||||
|
</programlisting>
|
||||||
|
|
||||||
|
<para>Since all of the rules are jumps to the simple target
|
||||||
|
ACCEPT, this chain is totally optimized away and jumps to the
|
||||||
|
chain are replace with jumps to ACCEPT.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -1475,7 +1492,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
role="bold">"</emphasis></term>
|
role="bold">"</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para/>
|
<para></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|