diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index de875d628..08568d2b7 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -123,10 +123,6 @@ our %EXPORT_TAGS = (
ALL_RESTRICT
ALL_COMMANDS
NOT_RESTORE
- OPTIMIZE_POLICY_MASK
- OPTIMIZE_POLICY_MASK2n4
- OPTIMIZE_RULESET_MASK
- OPTIMIZE_MASK
unreachable_warning
state_match
@@ -453,17 +449,6 @@ our $ipset_rules;
#
use constant { ALL_COMMANDS => 1, NOT_RESTORE => 2 };
-#
-# Optimization masks
-#
-use constant {
- OPTIMIZE_POLICY_MASK => 0x02 , # Call optimize_policy_chains()
- OPTIMIZE_POLICY_MASK2n4 => 0x06 ,
- OPTIMIZE_RULESET_MASK => 0x1C , # Call optimize_ruleset()
- };
-
-use constant { OPTIMIZE_MASK => OPTIMIZE_POLICY_MASK | OPTIMIZE_RULESET_MASK };
-
use constant { DONT_OPTIMIZE => 1 , DONT_DELETE => 2, DONT_MOVE => 4, RETURNS => 8, RETURNS_DONT_MOVE => 12 };
our %dscpmap = ( CS0 => 0x00,
@@ -1226,8 +1211,7 @@ sub push_rule( $$ ) {
my $ruleref = transform_rule( $_[1], $complete );
$ruleref->{comment} = shortlineinfo($chainref->{origin}) || $comment;
-
- $ruleref->{mode} = CMD_MODE if $ruleref->{cmdlevel} = $chainref->{cmdlevel};
+ $ruleref->{mode} = CMD_MODE if $ruleref->{cmdlevel} = $chainref->{cmdlevel};
push @{$chainref->{rules}}, $ruleref;
$chainref->{referenced} = 1;
@@ -1957,7 +1941,7 @@ sub use_forward_chain($$) {
my $interfaceref = find_interface($interface);
my $nets = $interfaceref->{nets};
- return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & 4096 );
+ return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & OPTIMIZE_USE_FIRST );
#
# Use it if we already have jumps to it
#
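Review bot: `OPTIMIZE_USE_FIRST` is used as a bareword in the new line of use_forward_chain, but this commit defines and exports it only from Shorewall::Config's `:internal` tag, and nothing in the diff shows Chains.pm importing that tag; under `use strict` an unimported constant is a compile-time bareword error, so confirm that Chains.pm's `use Shorewall::Config` line pulls in `:internal` (or list the constant explicitly). The same applies to the identical replacements in use_input_chain and use_output_chain in the two hunks below. Each of these subs begins and ends outside its hunk.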
@@ -2033,7 +2017,7 @@ sub use_input_chain($$) {
my $interfaceref = find_interface($interface);
my $nets = $interfaceref->{nets};
- return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & 4096 );
+ return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & OPTIMIZE_USE_FIRST );
#
# We must use the interfaces's chain if the interface is associated with multiple Zones
#
@@ -2113,7 +2097,7 @@ sub use_output_chain($$) {
my $interfaceref = find_interface($interface);
my $nets = $interfaceref->{nets};
- return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & 4096 );
+ return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & OPTIMIZE_USE_FIRST );
#
# We must use the interfaces's chain if the interface is associated with multiple Zones
#
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 85194adf6..355b6e763 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -199,6 +199,12 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
CONFIG_CONTINUATION
DO_INCLUDE
NORMAL_READ
+
+ OPTIMIZE_POLICY_MASK
+ OPTIMIZE_POLICY_MASK2n4
+ OPTIMIZE_RULESET_MASK
+ OPTIMIZE_USE_FIRST
+ OPTIMIZE_ALL
) , ] ,
protocols => [ qw (
TCP
@@ -411,6 +417,17 @@ use constant {
SCTP => 132,
UDPLITE => 136,
};
+#
+# Optimization masks
+#
+use constant {
+ OPTIMIZE_POLICY_MASK => 0x02 , # Call optimize_policy_chains()
+ OPTIMIZE_POLICY_MASK2n4 => 0x06 ,
+ OPTIMIZE_RULESET_MASK => 0x1C , # Call optimize_ruleset()
+ OPTIMIZE_ALL => 0x1F , # Maximum value for documented categories.
+
+ OPTIMIZE_USE_FIRST => 0x1000 # Always use interface 'first' chains -- undocumented
+ };
our %helpers = ( amanda => UDP,
ftp => TCP,
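Review bot: The constant block moved here from Chains.pm drops `OPTIMIZE_MASK` (previously `OPTIMIZE_POLICY_MASK | OPTIMIZE_RULESET_MASK`), and it is absent from the new `:internal` export list in the preceding hunk as well, so any remaining reference to `OPTIMIZE_MASK` in the compiler would now fail as an unresolved bareword. If it is still used anywhere, re-add it here as `OPTIMIZE_MASK => 0x1E , # OPTIMIZE_POLICY_MASK | OPTIMIZE_RULESET_MASK` and export it; if it is intentionally retired, the commit message should say so. `OPTIMIZE_ALL` is also a literal `0x1F` rather than being derived from the masks it summarizes, so a comment such as `# Categories 1, 2, 4, 8 and 16` would make the intended coverage explicit when a category is added.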
@@ -5659,9 +5676,15 @@ sub get_configuration( $$$$ ) {
$config{$default} = 'none' if "\L$config{$default}" eq 'none';
}
- $val = numeric_value $config{OPTIMIZE};
+ if ( ( $val = $config{OPTIMIZE} ) =~ /^all$/i ) {
+ $config{OPTIMIZE} = $val = OPTIMIZE_ALL;
+ } elsif ( $val =~ /^none$/i ) {
+ $config{OPTIMIZE} = $val = 0;
+ } else {
+ $val = numeric_value $config{OPTIMIZE};
- fatal_error "Invalid OPTIMIZE value ($config{OPTIMIZE})" unless supplied( $val ) && $val >= 0 && ( $val & ( 4096 ^ -1 ) ) <= 31;
+ fatal_error "Invalid OPTIMIZE value ($config{OPTIMIZE})" unless supplied( $val ) && $val >= 0 && ( $val & ~OPTIMIZE_USE_FIRST ) <= OPTIMIZE_ALL;
+ }
require_capability 'XMULTIPORT', 'OPTIMIZE level 16', 's' if $val & 16;
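Review bot: The new `All`/`None` branches write the normalized number back into `$config{OPTIMIZE}`, but the `else` branch only sets `$val` and leaves `$config{OPTIMIZE}` as the raw configured string; unless it is assigned later outside the hunk, later bit tests such as `$config{OPTIMIZE} & OPTIMIZE_USE_FIRST` in Chains.pm operate on the unparsed string (a value written in hex, if numeric_value accepts one, would numify to 0 there). Adding `$config{OPTIMIZE} = $val;` after the `fatal_error` check keeps the three branches consistent. Also, `( $val = $config{OPTIMIZE} ) =~ /^all$/i` emits an uninitialized-value warning if OPTIMIZE can reach this point unset, which the previous `numeric_value` path may have absorbed — verify, or match against `$config{OPTIMIZE} // ''`. get_configuration continues outside the hunk.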
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 4dba39d1c..0622deda9 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -2434,7 +2434,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
fatal_error "Rules may not override a NONE policy";
}
#
- # Handle Optimization
+ # Handle Optimization level 1 when specified alone
#
if ( $optimize == 1 && $section == NEW_SECTION ) {
my $loglevel = $filter_table->{$chainref->{policychain}}{loglevel};
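Review bot: The new comment and the guard `$optimize == 1` agree that category 1 is applied only when it is specified alone, but the manpage text added in this same commit says category 1 is ignored only when category 4 is also selected; if `$optimize` holds the full OPTIMIZE mask, values such as 3 or 9 also silently skip this handling, so either the documentation should say "when combined with any other category" or the condition should become `( $optimize & 5 ) == 1` to match the documented behaviour. I cannot see how `$optimize` is derived; process_rule begins and ends outside the hunk.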
diff --git a/Shorewall/Samples/Universal/shorewall.conf b/Shorewall/Samples/Universal/shorewall.conf
index 5fccbd48a..afb3ae13b 100644
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -190,7 +190,7 @@ MUTEX_TIMEOUT=60
NULL_ROUTE_RFC1918=No
-OPTIMIZE=31
+OPTIMIZE=All
OPTIMIZE_ACCOUNTING=No
diff --git a/Shorewall/Samples/one-interface/shorewall.conf b/Shorewall/Samples/one-interface/shorewall.conf
index 85da92c07..3c56f3e98 100644
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -201,7 +201,7 @@ MUTEX_TIMEOUT=60
NULL_ROUTE_RFC1918=No
-OPTIMIZE=31
+OPTIMIZE=All
OPTIMIZE_ACCOUNTING=No
diff --git a/Shorewall/Samples/three-interfaces/shorewall.conf b/Shorewall/Samples/three-interfaces/shorewall.conf
index 4aecb8047..06ab0f54e 100644
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -199,7 +199,7 @@ MUTEX_TIMEOUT=60
NULL_ROUTE_RFC1918=No
-OPTIMIZE=31
+OPTIMIZE=All
OPTIMIZE_ACCOUNTING=No
diff --git a/Shorewall/Samples/two-interfaces/shorewall.conf b/Shorewall/Samples/two-interfaces/shorewall.conf
index 8fff1a702..b0fdb02cf 100644
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -202,7 +202,7 @@ MUTEX_TIMEOUT=60
NULL_ROUTE_RFC1918=No
-OPTIMIZE=31
+OPTIMIZE=All
OPTIMIZE_ACCOUNTING=No
diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml
index 62e6bb734..584fe8fd9 100644
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -1755,6 +1755,10 @@ LOG:info:,bar net fw
of two. To enable multiple optimization categories, simply add their
corresponding numbers together.
+ Beginning with Shorewall 4.5.20, you may specify OPTIMIZE=All
+ to enable all optimization categories, and you may also specify
+ OPTIMIZE=None to disable optimization.
+
Optimization category 1 - Traditionally, Shorewall has
@@ -1774,6 +1778,12 @@ LOG:info:,bar net fw
or DEST column). A wildcard rule is considered to be redundant
when it has the same ACTION and Log Level as the applicable
policy.
+
+
+ Optimization level 1 is ignored when optimization level
+ 4 is also selected, since level 4 performs similar
+ optimizations in a more robust way.
+
diff --git a/Shorewall6/Samples6/Universal/shorewall6.conf b/Shorewall6/Samples6/Universal/shorewall6.conf
index 0eb436018..767f08f30 100644
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -173,7 +173,7 @@ MODULE_SUFFIX=ko
MUTEX_TIMEOUT=60
-OPTIMIZE=31
+OPTIMIZE=All
OPTIMIZE_ACCOUNTING=No
diff --git a/Shorewall6/Samples6/one-interface/shorewall6.conf b/Shorewall6/Samples6/one-interface/shorewall6.conf
index 6c8d6642d..6ca292c39 100644
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -173,7 +173,7 @@ MODULE_SUFFIX=ko
MUTEX_TIMEOUT=60
-OPTIMIZE=31
+OPTIMIZE=All
OPTIMIZE_ACCOUNTING=No
diff --git a/Shorewall6/Samples6/three-interfaces/shorewall6.conf b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
index 75af20d5e..935796ab8 100644
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -173,7 +173,7 @@ MODULE_SUFFIX=ko
MUTEX_TIMEOUT=60
-OPTIMIZE=31
+OPTIMIZE=All
OPTIMIZE_ACCOUNTING=No
diff --git a/Shorewall6/Samples6/two-interfaces/shorewall6.conf b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
index c6786e14a..c7e7a3f4d 100644
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -173,7 +173,7 @@ MODULE_SUFFIX=ko
MUTEX_TIMEOUT=60
-OPTIMIZE=31
+OPTIMIZE=All
OPTIMIZE_ACCOUNTING=No
diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml
index 9b05c18d8..0d08d7524 100644
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -1516,6 +1516,10 @@ LOG:info:,bar net fw
of two. To enable multiple optimization categories, simply add their
corresponding numbers together.
+ Beginning with Shorewall 4.5.20, you may specify OPTIMIZE=All
+ to enable all optimization categories, and you may also specify
+ OPTIMIZE=None to disable optimization.
+
Optimization category 1 - Traditionally, Shorewall has
@@ -1535,6 +1539,12 @@ LOG:info:,bar net fw
or DEST column). A wildcard rule is considered to be redundant
when it has the same ACTION and Log Level as the applicable
policy.
+
+
+ Optimization level 1 is ignored when optimization level
+ 4 is also selected, since level 4 performs similar
+ optimizations in a more robust way.
+