My experimentation with a Perl-based compiler for Shorewall is beginning to bear fruit. Here is a timing from the main firewall at shorewall.net using the Perl-based compiler. That compiler generates a script that uses iptables-restore to configure Netfilter.

    [EMAIL PROTECTED]:~/shorewall# shorewall restart .
    Compiling...
    Shorewall configuration compiled to /var/lib/shorewall/.restart
    Restarting Shorewall....
    done.

    real    0m2.403s
    user    0m0.604s
    sys     0m0.492s
    [EMAIL PROTECTED]:~/shorewall# shorewall show log

Contrast that with the standard 3.4.1 compiler:

    [EMAIL PROTECTED]:~/shorewall# time shorewall restart
    Compiling...
    Shorewall configuration compiled to /var/lib/shorewall/.restart
    Restarting Shorewall....
    done.

    real    0m7.054s
    user    0m2.020s
    sys     0m2.964s
    [EMAIL PROTECTED]:~/shorewall#

The new compiler still uses the shell as its preprocessor to process the 'params' file, expand shell variables in configuration files and to strip comments from those files. Approximately one second of the elapsed time occurs before the Perl-based compiler even starts.

The compiler is far from complete -- no 'detect' features are supported yet. Those will cause the generated script to run quite a bit slower because the iptables-restore input must be reprocessed in the generated script to add the rules that result from detected addresses.

Anyone wishing to play with it can do so as follows:

a) Install Shorewall 3.4.1.
b) Get a copy of the trunk/New SVN files.
c) Make a copy of your /etc/shorewall directory.
d) Modify the shorewall.conf file in the copied directory as follows:

   1- Add 'EXPERIMENTAL=Yes'
   2- Modify CONFIG_PATH to include the directory where you placed
      the trunk/New files.

You can now use the copied directory as a testbed for the new compiler as I've done above (e.g., cd to that directory and specify "." in your 'shorewall' commands).

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ [EMAIL PROTECTED]
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
_______________________________________________ leaf-devel mailing list leaf-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/leaf-devel
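
Steps c) and d) of the message above as a shell function, added here as an example; it is not part of the original message or of Shorewall. The name make_testbed and its arguments are hypothetical, and putting the new directory first in CONFIG_PATH is an assumption (the message only says to include it). The live configuration directory is never modified.

```shell
#!/bin/sh
# Added example, not Shorewall code.
# make_testbed SRC DST NEWDIR   (hypothetical helper)
#   SRC     existing configuration directory, e.g. /etc/shorewall
#   DST     testbed copy to create; must not exist yet
#   NEWDIR  directory where the trunk/New files were placed
make_testbed() {
    src=$1 dst=$2 newdir=$3
    [ -f "$src/shorewall.conf" ] || { echo "no shorewall.conf in $src" >&2; return 1; }
    [ -d "$newdir" ] || { echo "$newdir is not a directory" >&2; return 1; }
    [ ! -e "$dst" ] || { echo "$dst already exists" >&2; return 1; }
    # shorewall.conf is processed by the shell, so only accept a plain path:
    # no ':' (the CONFIG_PATH separator), whitespace, quotes or metacharacters.
    case $newdir in
        ''|*[!A-Za-z0-9/._-]*) echo "unsafe path: $newdir" >&2; return 1 ;;
    esac

    cp -Rp "$src" "$dst" || return 1            # step c: work on a copy only
    conf=$dst/shorewall.conf
    tmp=$conf.new

    # step d: set EXPERIMENTAL=Yes and add NEWDIR to CONFIG_PATH (once).
    awk -v dir="$newdir" '
        /^[ \t]*EXPERIMENTAL=/ { next }         # drop any earlier setting
        /^[ \t]*CONFIG_PATH=/ {
            seen = 1
            val = $0
            sub(/^[ \t]*CONFIG_PATH=/, "", val)
            gsub(/"/, "", val)
            # Assumption: the new directory goes first in the search path.
            if (index(":" val ":", ":" dir ":") == 0)
                sub(/="?/, "&" dir ":")
            print
            next
        }
        { print }
        END {
            if (!seen) exit 2                   # refuse to invent a CONFIG_PATH
            print "EXPERIMENTAL=Yes"
        }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; echo "no CONFIG_PATH in $conf" >&2; return 1; }
    mv "$tmp" "$conf"
}

# Usage (paths are placeholders):
#   make_testbed /etc/shorewall "$HOME/shorewall-test" "$HOME/shorewall-new"
```
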