Optimization category 8 tweaks

- Document cost of the category in shorewall.conf(5) - Omit DONT_DELETE chains from consideration right off the bat Signed-off-by: Tom Eastep <teastep@shorewall.net>
2018-01-31 14:58:01 -08:00 · 2018-01-31 14:58:01 -08:00 · 7bdd69d151
commit 7bdd69d151
parent a08f0cfe10
2 changed files with 21 additions and 6 deletions
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@ -3857,7 +3857,10 @@ sub optimize_level8( $$$ ) {
    %renamed = ();

    while ( $progress ) {
-	my @chains   = ( sort { level8_compare($a, $b) } ( grep $_->{referenced} && ! $_->{builtin}, values %{$tableref} ) );
+	my @chains   = ( sort { level8_compare($a, $b) } ( grep $_->{referenced} &&
+							   @{$_->{rules}}        &&
+							   ! $_->{builtin},
+							   values %{$tableref} ) );
 	my @chains1  = @chains;
 	my $chains   = @chains;
 	my %rename;
@ -3877,12 +3880,15 @@ sub optimize_level8( $$$ ) {
 	    # Shift the current $chainref off of @chains1
 	    #
 	    shift @chains1;
-	    #
-	    # Skip empty chains
-	    #
+
 	    for my $chainref1 ( @chains1 ) {
-		next unless @{$chainref1->{rules}};
+		#
+		# Skip chain if it can't be deleted
+		#
 		next if $chainref1->{optflags} & DONT_DELETE;
+		#
+		# Chains identical?
+		#
 		if ( $chainref->{digest} eq $chainref1->{digest} ) {
 		    progress_message "  Chain $chainref1->{name} combined with $chainref->{name}";
 		    $progress = 1;
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@ -2147,6 +2147,14 @@ LOG:info:,bar                        net                    fw</programlisting>
              <para>Optimization category 8 - Added in Shorewall 4.4.9. When
              set, causes chains with identical rules to be collapsed into a
              single chain.</para>
+
+              <warning>
+                <para>While Optimization category 8 can significantly reduce
+                the size of the generated iptables ruleset, it can also take
+                significant system resources during compilation. If you find
+                that compilation takes an unreasonably long time, try
+                disabling this category by setting OPTIMIZE=23.</para>
+              </warning>
            </listitem>

            <listitem>
@ -2219,7 +2227,8 @@ LOG:info:,bar                        net                    fw</programlisting>

          <para>In versions prior to 5.1.0, the default value is zero which
          disables all optimizations. Beginning with Shorewall 5.1.0, the
-          default value is All which enables all optimizations.</para>
+          default value is <emphasis role="bold">All</emphasis> which enables
+          all optimizations.</para>
        </listitem>
      </varlistentry>