From c941cf4bb56fe17e31fd4672e04fedc4a2cbba4b Mon Sep 17 00:00:00 2001
From: Christian Ruppert
Date: Fri, 1 Apr 2022 16:41:05 +0200
Subject: [PATCH 1/2] Run iptables -w check against a usually small chain
The iptablesw check, that's just looking for whether -w is supported or not, previousely caused iptables to list all rules, each time you do a shorewall check or shorewall start/reload. That might be quite a lot, depending on the amount of rules you have. It is also no necessary to parse each rule just to check for -w. Let's switch to the usually much smaller INPUT chain, to reduce the overhead
---
 Shorewall/Perl/Shorewall/Config.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index d823ae997..558a0b5cc 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -5818,7 +5818,7 @@ sub get_capabilities($)
 #
 # Determine if iptables supports the -w option
 #
- $iptablesw = qt1( "$iptables -w -L -n") ? '-w' : '';
+ $iptablesw = qt1( "$iptables -w -n -L INPUT") ? '-w' : '';
 my $iptables_restore=$iptables . '-restore';
From 8b0d829531ae1801b89feb7c3a646e0558ca00aa Mon Sep 17 00:00:00 2001
From: Christian Ruppert
Date: Sat, 2 Apr 2022 11:49:25 +0200
Subject: [PATCH 2/2] Check for wait option if we don't have capabilities
Only check for iptables --wait option if we don't already have existing capabilities. If we have some and they're not up2date / don't match, it will issue a warning anyway. If a valid capabilities file exists, it will already cover whether we can use --wait or not, that's what WAIT_OPTION is for.
Signed-off-by: Christian Ruppert
---
 Shorewall/Perl/Shorewall/Config.pm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 558a0b5cc..ae3efcf4f 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
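Review bot: The probe on the `+` line records "-w unsupported" for any non-zero exit of `$iptables -w -n -L INPUT`, because only qt1's success is consulted; a listing that fails for an unrelated reason (no privilege to read the ruleset when the compiler is run unprivileged, or an iptables front end that rejects the listing itself) also yields `''`, and every generated command then runs without lock waiting, which is exactly the concurrent-invocation failure `-w` is meant to prevent. Whether qt1 exposes the command's stderr is not visible here; if it does, matching iptables' option-rejection message rather than the bare exit status would let the probe tell the two cases apart. At minimum the comment above the assignment should state the limitation: `# NOTE: any failure of this listing, not only an unrecognised -w, leaves $iptablesw empty`. get_capabilities starts and ends outside this hunk.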
@@ -5816,9 +5816,10 @@ sub get_capabilities($)
 fatal_error "Can't find $toolname executable" unless $iptables = which $toolname;
 }
 #
- # Determine if iptables supports the -w option
+ # Determine if iptables supports the -w option unless we already have
+ # existing capabilities
 #
- $iptablesw = qt1( "$iptables -w -n -L INPUT") ? '-w' : '';
+ $iptablesw = qt1( "$iptables -w -n -L INPUT") ? '-w' : '' unless $_[0];
 my $iptables_restore=$iptables . '-restore';
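Review bot: With the postfix `unless $_[0]` on the `+` line, `$iptablesw` is no longer assigned by this sub when a capabilities argument is passed, so it keeps whatever value it held before the call (it is assigned without `my`, so presumably a package-level variable); nothing in the hunk maps the capabilities file's WAIT_OPTION onto it, and the commit message only says WAIT_OPTION "covers" the case. If a later path does set `$iptablesw` from WAIT_OPTION, a comment naming it here would stop the next reader from re-adding the probe; if none does, the cached-capabilities path silently emits every iptables command without `-w`, a worse outcome than the listing cost this series removes. As a matter of style, `$_[0]` on a bare postfix `unless` after a ternary is easy to misread; naming the argument at the top of the sub (`my ( $have_capabilities ) = @_;`) and writing `$iptablesw = qt1( "$iptables -w -n -L INPUT" ) ? '-w' : '' unless $have_capabilities;` states the intent. The sub's header and the rest of its body lie outside this hunk.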