Additional optimization in level 4.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
3f42350a7b
commit
f15e6d3995
@ -3302,6 +3302,30 @@ sub optimize_level4( $$ ) {
|
||||
$progress = 1 if replace_references1 $chainref, $firstrule;
|
||||
}
|
||||
}
|
||||
} else {
|
||||
#
|
||||
# Chain has more than one rule. If the last rule is a simple jump, then delete
|
||||
# all preceding rules that have the same target
|
||||
#
|
||||
my $rulesref = $chainref->{rules};
|
||||
my $lastref = $rulesref->[-1];
|
||||
|
||||
if ( $lastref->{simple} && $lastref->{target} && ! $lastref->{targetopts} ) {
|
||||
my $target = $lastref->{target};
|
||||
|
||||
pop @$rulesref; #Pop the last simple rule
|
||||
|
||||
while ( @$rulesref ) {
|
||||
my $rule1ref = $rulesref->[-1];
|
||||
|
||||
last unless ( $rule1ref->{target} || '' ) eq $target && ! $rule1ref->{targetopts};
|
||||
|
||||
pop @$rulesref;
|
||||
$progress = 1;
|
||||
}
|
||||
|
||||
push @$rulesref, $lastref; #Now restore the last simple rule
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
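Review bot: The `while` loop drops a preceding rule after comparing only `target` and `targetopts`, so it assumes a rule's matches never do anything beyond selecting packets. If a chain can hold a rule that shares the final rule's target and whose match updates state (for example a `recent` match with `--set` or `--update`), popping it changes what the firewall does rather than just shortening the chain; this is inferred, since the rule hash layout is not visible here. I would either exclude such rules in the `last unless` test or document the assumption above the loop, e.g. `# Assumes the matches in the dropped rules have no side effects`. The block comment also says "all preceding rules" while the loop stops at the first rule that does not qualify; `# all immediately preceding rules that have the same target` would agree with the code and with the manpage text. `optimize_level4` starts and ends outside this hunk.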
@ -96,7 +96,7 @@
|
||||
role="bold">none</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para/>
|
||||
<para></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -106,7 +106,7 @@
|
||||
role="bold">none</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para/>
|
||||
<para></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -116,7 +116,7 @@
|
||||
role="bold">none</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para/>
|
||||
<para></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -126,7 +126,7 @@
|
||||
role="bold">none</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para/>
|
||||
<para></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -482,7 +482,7 @@
|
||||
</itemizedlist>
|
||||
|
||||
<blockquote>
|
||||
<para/>
|
||||
<para></para>
|
||||
|
||||
<para>If CONFIG_PATH is not given or if it is set to the empty
|
||||
value then the contents of /usr/share/shorewall/configpath are
|
||||
@ -814,7 +814,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para/>
|
||||
<para></para>
|
||||
|
||||
<blockquote>
|
||||
<para>If this variable is not set or is given an empty value
|
||||
@ -1024,7 +1024,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para/>
|
||||
<para></para>
|
||||
|
||||
<blockquote>
|
||||
<para>For example, using the default LOGFORMAT, the log prefix for
|
||||
@ -1041,7 +1041,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
control your firewall after you enable this option.</para>
|
||||
</important>
|
||||
|
||||
<para/>
|
||||
<para></para>
|
||||
|
||||
<caution>
|
||||
<para>Do not use this option if the resulting log messages will
|
||||
@ -1538,6 +1538,23 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
chain are appended to it.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>An additional optimization was added in Shorewall 4.5.4.
|
||||
If the last rule in a chain is an unqualified jump to a simple
|
||||
target, then all immediately preceding rules with the same
|
||||
simple target are omitted.</para>
|
||||
|
||||
<para>For example, consider this chain:</para>
|
||||
|
||||
<programlisting> -A fw-net -p udp --dport 67:68 -j ACCEPT
|
||||
-A fw-net -p udp --sport 1194 -j ACCEPT
|
||||
-A fw-net -p 41 -j ACCEPT
|
||||
-A fw-net -j ACCEPT
|
||||
</programlisting>
|
||||
|
||||
<para>Since all of the rules are jumps to the simple target
|
||||
ACCEPT, this chain is totally optimized away and jumps to the
|
||||
chain are replace with jumps to ACCEPT.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -1677,7 +1694,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
role="bold">"</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para/>
|
||||
<para></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
@ -82,7 +82,7 @@
|
||||
role="bold">none</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para/>
|
||||
<para></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -92,7 +92,7 @@
|
||||
role="bold">none</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para/>
|
||||
<para></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -102,7 +102,7 @@
|
||||
role="bold">none</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para/>
|
||||
<para></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -112,7 +112,7 @@
|
||||
role="bold">none</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para/>
|
||||
<para></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -887,7 +887,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para/>
|
||||
<para></para>
|
||||
|
||||
<blockquote>
|
||||
<para>For example, using the default LOGFORMAT, the log prefix for
|
||||
@ -904,7 +904,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
control your firewall after you enable this option.</para>
|
||||
</important>
|
||||
|
||||
<para/>
|
||||
<para></para>
|
||||
|
||||
<caution>
|
||||
<para>Do not use this option if the resulting log messages will
|
||||
@ -1336,6 +1336,23 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
chain are appended to it.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>An additional optimization was added in Shorewall 4.5.4.
|
||||
If the last rule in a chain is an unqualified jump to a simple
|
||||
target, then all immediately preceding rules with the same
|
||||
simple target are omitted. </para>
|
||||
|
||||
<para>For example, consider this chain:</para>
|
||||
|
||||
<programlisting> -A fw-net -p udp --dport 67:68 -j ACCEPT
|
||||
-A fw-net -p udp --sport 1194 -j ACCEPT
|
||||
-A fw-net -p 41 -j ACCEPT
|
||||
-A fw-net -j ACCEPT
|
||||
</programlisting>
|
||||
|
||||
<para>Since all of the rules are jumps to the simple target
|
||||
ACCEPT, this chain is totally optimized away and jumps to the
|
||||
chain are replace with jumps to ACCEPT.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -1475,7 +1492,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
role="bold">"</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para/>
|
||||
<para></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|