From 7bdd69d151222d16fb740c7e35b38054b2ec3c09 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Wed, 31 Jan 2018 14:58:01 -0800
Subject: [PATCH] Optimization category 8 tweaks

- Document cost of the category in shorewall.conf(5)
- Omit DONT_DELETE chains from consideration right off the bat

Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Chains.pm | 16 +++++++++++-----
 Shorewall/manpages/shorewall.conf.xml | 11 ++++++++++-
 2 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index bcf698962..365310a5d 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -3857,7 +3857,10 @@ sub optimize_level8( $$$ ) {
 %renamed = ();
 
 while ( $progress ) {
- my @chains = ( sort { level8_compare($a, $b) } ( grep $_->{referenced} && ! $_->{builtin}, values %{$tableref} ) );
+ my @chains = ( sort { level8_compare($a, $b) } ( grep $_->{referenced} &&
+ @{$_->{rules}} &&
+ ! $_->{builtin},
+ values %{$tableref} ) );
 my @chains1 = @chains;
 my $chains = @chains;
 my %rename;
@@ -3877,12 +3880,15 @@ sub optimize_level8( $$$ ) {
 # Shift the current $chainref off of @chains1
 #
 shift @chains1;
- #
- # Skip empty chains
- #
+
 for my $chainref1 ( @chains1 ) {
- next unless @{$chainref1->{rules}};
+ #
+ # Skip chain if it can't be deleted
+ #
 next if $chainref1->{optflags} & DONT_DELETE;
+ #
+ # Chains identical?
+ #
 if ( $chainref->{digest} eq $chainref1->{digest} ) {
 progress_message " Chain $chainref1->{name} combined with $chainref->{name}";
 $progress = 1;
diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml
index 70319e325..f4381f4ef 100644
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
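Review bot: The commit message's second bullet says DONT_DELETE chains are omitted "right off the bat", but the new grep in the first Chains.pm hunk only adds the `@{$_->{rules}}` test; the `next if $chainref1->{optflags} & DONT_DELETE;` check stays inside the inner loop in the second hunk, so the description and the code disagree. Keeping it in the inner loop looks deliberate, since a DONT_DELETE chain can apparently still serve as the surviving `$chainref` that identical chains are merged into, and filtering it out of `@chains` would forfeit those merges — so the correction probably belongs in the message (e.g. "Omit empty chains from consideration right off the bat"), not in the grep. Moving the empty-rules test from the inner loop to the grep at the top of `while ( $progress )` also changes when it is evaluated: a chain whose `rules` are emptied later in the same pass is no longer skipped, which only matters if the combine path clears `rules` in place rather than dropping the chain from `$tableref` — worth confirming. A `grep { ... }` block would also read better than the expression form spread over four continuation lines. The body of optimize_level8 begins before and continues after both hunks.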
@@ -2147,6 +2147,14 @@ LOG:info:,bar net fw Optimization category 8 - Added in Shorewall 4.4.9. When set, causes chains with identical rules to be collapsed into a single chain. + + + While Optimization category 8 can significantly reduce + the size of the generated iptables ruleset, it can also take + significant system resources during compilation. If you find + that compilation takes an unreasonably long time, try + disabling this category by setting OPTIMIZE=23. + @@ -2219,7 +2227,8 @@ LOG:info:,bar net fw In versions prior to 5.1.0, the default value is zero which disables all optimizations. Beginning with Shorewall 5.1.0, the - default value is All which enables all optimizations. + default value is All which enables + all optimizations.