Simon Matter wrote:

> My question is whether it's possible to use perl for some kind of
> Shorewall-accelerator. I mean if it would be possible to create a simple
> shell to perl converter which then runs perl instead of the shell and does
> exactly the same, then it could be used whenever perl is available,
> otherwise a shell would be used.

If we look at overall performance, the compiler and the generated script need
to be considered separately.

I don't believe that the fact that the generated script is interpreted using a
Bourne shell is a significant contributing factor to its performance. The bulk
of the time is spent in fork() and exec() while launching iptables 1000s of
times. So I think that we're safe in leaving that part alone.

The compiler is a different issue.

One problem is that some of the things needed to make Shorewall generate
iptables-restore input would be very slow if implemented in the shell.

Even though Perl is a somewhat quirky language, it works really well for
writing the compiler part of Shorewall. But the Perl version of the compiler
employs quite different algorithms from those used in the shell.

My belief is that a shell->Perl translator capable of translating the current
Shorewall shell code would comprise a much larger project than Shorewall
itself. One example of what it would need to do:

        Because the shell provides exactly one hash table (its symbol table),
        the current Shorewall code manufactures symbols on the fly (using
        'eval') in an attempt to provide some of the same function that Perl
        hashes do. It would take a very smart program to see through what the
        current code is doing and create Perl hashes instead.

Another factor concerning the current code is that it is beginning to get
somewhat fragile. Today's Shorewall is doing many things that were not
envisioned in the original design. The shell also tends to promote some bad
programming practices, owing to the fact that all symbols are global (and I
didn't start from the beginning setting the -u option). As a consequence, it
is getting more and more difficult to extend the code to do new things without
breaking old things.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
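
The eval-manufactured symbols described in the message above, as an added example that is not part of the original post and is not Shorewall's code: a POSIX shell emulation of a hash table on top of the shell's single global symbol table, run with `set -u`. The names `valid_key`, `hash_set`, `hash_get` and the `zone_type` sample data are hypothetical.

```shell
#!/bin/sh
# Added illustration; all names here are hypothetical, not taken from Shorewall.
set -u   # an unset symbol is now an error instead of expanding to ""

# The key becomes part of a variable name that is passed through eval, so
# accept only characters that are legal in a shell identifier.
valid_key() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# hash_set TABLE KEY VALUE: manufactures the global symbol TABLE_KEY.
hash_set() {
    valid_key "$1" && valid_key "$2" || return 1
    # \$3 is expanded by eval itself, so the value is never re-parsed as code.
    eval "${1}_${2}=\$3"
}

# hash_get TABLE KEY: prints the value; fails if the key was never stored.
hash_get() {
    valid_key "$1" && valid_key "$2" || return 1
    # ${name+set} tests for existence without tripping set -u.
    eval "[ -n \"\${${1}_${2}+set}\" ]" || return 1
    eval "printf '%s\n' \"\${${1}_${2}}\""
}

# Constructed sample data.
hash_set zone_type net ipv4
hash_set zone_type loc 'ipv4; bridge'

hash_get zone_type net
hash_get zone_type loc
hash_get zone_type dmz || echo "dmz: no such key"
```

Every entry is an ordinary global variable (`zone_type_net`, `zone_type_loc`), so two tables whose manufactured names collide overwrite each other, which is the fragility the message attributes to all symbols being global.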
