From 0f02b497f6ebf47bbae660f8fa9af4ba18c6638b Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 24 Nov 2011 11:11:59 -0800 Subject: [PATCH] Document optimize 16 in the manpages Signed-off-by: Tom Eastep --- manpages/shorewall.conf.xml | 63 ++++++++++++++++++++++++++++++++--- manpages6/shorewall6.conf.xml | 60 ++++++++++++++++++++++++++++++++- 2 files changed, 117 insertions(+), 6 deletions(-) diff --git a/manpages/shorewall.conf.xml b/manpages/shorewall.conf.xml index 8abfda79f..967520fb8 100644 --- a/manpages/shorewall.conf.xml +++ b/manpages/shorewall.conf.xml 
@@ -1506,13 +1506,66 @@ net all DROP infothen the chain name is 'net2all' Optimization category 8 - Added in Shorewall 4.4.9. When - set, causes chains with duplicate rules to be collapsed into a + set, causes chains with identical rules to be collapsed into a single chain. + - - Optimization category 8 adds significantly to the time - required to compile a large ruleset. - + + Optimization category 16 - Added in Shorewall 4.4.26. When + set, causes sequences of compatible rules + to be combined into a single rule. Rules are considered + compatible if they differ only in their destination ports and + comments. + + A sequence of combatible rules is often generated when + macros are invoked in sequence. + + The ability to combine adjacent rules is limited by two + factors: + + + + Destination port lists may only be combined up to a + maximum of 15 ports, where a port-pair counts as two + ports. + + + + Rules may only be combined until the length of their + concatinated comment reaches 255 characters. + + + + When either of these limits would be exceeded, the current + combined rule is emitted and the compiler attemts to combine + rules beginning with the one that would have exceeded the limit. + Adjacent combined comments are separated by ', '. Empty comments + at the front of a group of combined comments are replaced by + 'Others and'. Empty comments at the end of a group of combined + comments are replaced by 'and others'. + + + + Example 1: + + + Rules with comments "FOO", <empty> and "BAR" + would result in the combined comment "FOO and others, + BAR". + + + + + Example 2: + + + Rules with comments <empty>, "FOO" and "BAR" + would reult in the combined comment "Others and FOO, BAR". + Note: Optimize level 16 requires "Extended Multi-port + Match" in your iptables and kernel. + + + diff --git a/manpages6/shorewall6.conf.xml b/manpages6/shorewall6.conf.xml index b3a724513..ebb569e29 100644 --- a/manpages6/shorewall6.conf.xml +++ b/manpages6/shorewall6.conf.xml 
@@ -1304,9 +1304,67 @@ net all DROP infothen the chain name is 'net2all' Optimization category 8 - Added in Shorewall 4.4.9. When - set, causes chains with duplicate rules to be collapsed into a + set, causes chains with identical rules to be collapsed into a single chain. + + + Optimization category 16 - Added in Shorewall 4.4.26. When + set, causes sequences of compatible rules + to be combined into a single rule. Rules are considered + compatible if they differ only in their destination ports and + comments. + + A sequence of combatible rules is often generated when + macros are invoked in sequence. + + The ability to combine adjacent rules is limited by two + factors: + + + + Destination port lists may only be combined up to a + maximum of 15 ports, where a port-pair counts as two + ports. + + + + Rules may only be combined until the length of their + concatinated comment reaches 255 characters. + + + + When either of these limits would be exceeded, the current + combined rule is emitted and the compiler attemts to combine + rules beginning with the one that would have exceeded the limit. + Adjacent combined comments are separated by ', '. Empty comments + at the front of a group of combined comments are replaced by + 'Others and'. Empty comments at the end of a group of combined + comments are replaced by 'and others'. + + + + Example 1: + + + Rules with comments "FOO", <empty> and "BAR" + would result in the combined comment "FOO and others, + BAR". + + + + + Example 2: + + + Rules with comments <empty>, "FOO" and "BAR" + would reult in the combined comment "Others and FOO, BAR". + Note: Optimize level 16 requires "Extended Multi-port + Match" in your iptables and kernel. + + + + The default value is zero which disables all
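Review bot: In the manpages/shorewall.conf.xml hunk, the deletion of the existing caveat "Optimization category 8 adds significantly to the time required to compile a large ruleset" is not mentioned in the commit message, which only says it documents optimize 16; if the caveat is no longer accurate, say so in the message, otherwise keep it, since the remaining category 8 paragraph now gives the reader no hint about the compile-time cost. The new category 16 text also carries several spelling errors that would ship in the manpage: "combatible" should read "compatible", "concatinated" should read "concatenated", "attemts" should read "attempts" and "would reult in" should read "would result in". Finally, the closing sentence switches terminology from "Optimization category 16" to "Optimize level 16"; using one term throughout the paragraph (the surrounding entries use "Optimization category") would avoid the impression that two different settings are being described.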
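Review bot: In the manpages6/shorewall6.conf.xml hunk, the added note "Optimize level 16 requires "Extended Multi-port Match" in your iptables and kernel" refers to iptables, but this is the IPv6 manpage, where the relevant tool is ip6tables; the sentence was evidently copied verbatim from the IPv4 manpage and should be adjusted for shorewall6. The same typos from the IPv4 hunk are duplicated here ("combatible", "concatinated", "attemts", "reult") and the same "Optimization category 16" / "Optimize level 16" inconsistency, so the corrections should be applied to both files in the same commit to keep the two manpages in step.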