Tom Eastep wrote:
> My experimentation with a Perl-based compiler for Shorewall is beginning
> to bear fruit. Here is a timing from the main firewall at shorewall.net
> using the Perl-based compiler. That compiler generates a script that
> uses iptables-restore to configure Netfilter.
>
> [EMAIL PROTECTED]:~/shorewall# shorewall restart .
> Compiling...
> Shorewall configuration compiled to /var/lib/shorewall/.restart
> Restarting Shorewall....
> done.
>
> real 0m2.403s
> user 0m0.604s
> sys 0m0.492s
> [EMAIL PROTECTED]:~/shorewall# shorewall show log
>
> Contrast that with the standard 3.4.1 compiler:
>
> [EMAIL PROTECTED]:~/shorewall# time shorewall restart
> Compiling...
> Shorewall configuration compiled to /var/lib/shorewall/.restart
> Restarting Shorewall....
> done.
>
> real 0m7.054s
> user 0m2.020s
> sys 0m2.964s
> [EMAIL PROTECTED]:~/shorewall#
>
> The new compiler still uses the shell as its preprocessor to process the
> 'params' file, expand shell variables in configuration files and to
> strip comments from those files. Approximately one second of the elapsed
> time occurs before the Perl-based compiler even starts.
>
> The compiler is far from complete -- no 'detect' features are supported
> yet. Those will cause the generated script to run quite a bit slower
> because the iptables-restore input must be reprocessed in the generated
> script to add the rules that result from detected addresses.
>
> Anyone wishing to play with it can do so as follows:
>
> a) Install Shorewall 3.4.1.
> b) Get a copy of the trunk/New SVN files.
> c) Make a copy of your /etc/shorewall directory.
> d) Modify the shorewall.conf file in the copied directory as follows:
>
>    1- Add 'EXPERIMENTAL=Yes'
>    2- Modify CONFIG_PATH to include the directory where you placed
>       the trunk/New files.

I forgot one step:

e) Create a symbolic link /usr/share/shorewall/Shorewall which points to the
   directory containing the trunk/New files. On my system, I have:

[EMAIL PROTECTED]:~/shorewall# ll /usr/share/shorewall/Shorewall
lrwxrwxrwx 1 root root 33 2007-03-15 09:37 /usr/share/shorewall/Shorewall -> /home/teastep/shorewall/trunk/New
[EMAIL PROTECTED]:~/shorewall#
And in my shorewall.conf copy:
CONFIG_PATH=/etc/shorewall:/home/teastep/shorewall/trunk/New:/usr/share/shorewall
---------------------------------
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
_______________________________________________ Shorewall-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-devel
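
Steps (c) through (e) of the procedure above, gathered into one shell function as an added example; it is not part of the original message or of Shorewall. The function name and its four directory arguments are assumptions made for illustration, and the tree built by `demo` is constructed so the function can be tried without touching a live firewall configuration.

```shell
#!/bin/sh
# Added example: steps (c)-(e) of the message as one function.
# The four arguments are names assumed for this example:
#   $1 existing config dir      $2 copy to create
#   $3 dir with trunk/New files $4 Shorewall share dir
# Assumes the paths contain no '|', '&' or backslash (used in a sed expression).
prepare_experimental_config() {
    src=$1 copy=$2 new=$3 share=$4
    conf=$copy/shorewall.conf

    if ! grep -q '^CONFIG_PATH=' "$src/shorewall.conf"; then
        echo "no CONFIG_PATH in $src/shorewall.conf" >&2; return 1
    fi
    if [ ! -d "$new" ] || [ -e "$copy" ]; then
        echo "need existing $new and not-yet-existing $copy" >&2; return 1
    fi

    # (c) work on a copy, never on the live configuration
    cp -Rp "$src" "$copy" || return 1

    # (d1) set EXPERIMENTAL=Yes, replacing any earlier setting
    sed '/^EXPERIMENTAL=/d' "$conf" > "$conf.tmp" || return 1
    echo 'EXPERIMENTAL=Yes' >> "$conf.tmp"

    # (d2) insert the trunk/New directory after the first CONFIG_PATH entry,
    #      matching the layout of the CONFIG_PATH shown in the message
    sed "s|^CONFIG_PATH=\([^:]*\)|CONFIG_PATH=\1:$new|" "$conf.tmp" > "$conf" || return 1
    rm -f "$conf.tmp"

    # (e) <share>/Shorewall must point at the trunk/New directory
    ln -sfn "$new" "$share/Shorewall"
}

# Constructed sample tree under a temporary directory; prints its root.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/etc/shorewall" "$root/trunk/New" "$root/usr/share/shorewall"
    printf '%s\n' 'STARTUP_ENABLED=Yes' \
        'CONFIG_PATH=/etc/shorewall:/usr/share/shorewall' \
        > "$root/etc/shorewall/shorewall.conf"
    prepare_experimental_config "$root/etc/shorewall" "$root/test-config" \
        "$root/trunk/New" "$root/usr/share/shorewall" || return 1
    echo "$root"
}
```

The function refuses to overwrite an existing copy, so a second run needs a different target directory.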
