Tom Eastep wrote:
> 4.5.17 RC 1 is now available for testing.
>
> Changes since Beta 3:
>
> 1) A 'local' zone now works correctly with 'destonly' specified on the loopback device.
>

That doesn't seem to work - see my previous email on the subject. I now can't specify "local" as an option in my interfaces file.
> 2) Previously, trivial exclusion matches appeared at the end of an iptables rule rather than in their logical order. This has been corrected.
>

That is now fixed.

> 3) The fw2fw (fw-fw) chain is now omitted when there is a 'local' zone.
>

That is now gone.

One optimisation bug:

rules
~~~~~
ACCEPT $FW:+set1 net:+set2 ; user:root, switch:allow_set2=0

produces

-A fw2net -m set --match-set set1 src -m set --match-set set2 dst -m owner --uid-owner 0 -m condition --condition allow_set2 -j ACCEPT

It makes sense for the "condition" match, as well as owner and possibly any other match, bar nfacct matches, to have higher priority and be placed before the ipset matches, since they:

1. could be checked quicker than ipset matches; and
2. there is no point checking the set matches if the "condition" match isn't satisfied.

ipset matches are the most resource-consuming operations, so it makes sense to place them last, whenever possible (accounting matches excluded, of course). In other words, do this:

-A fw2net -m condition --condition allow_set2 -m owner --uid-owner 0 -m set --match-set set1 src -m set --match-set set2 dst -j ACCEPT

This will speed up the traversal of rules. Currently, it seems that ipset matches "enjoy" the highest priority and are placed first in a given iptables rule. I think they need to be defined to have less priority than that of "owner" and "condition" matches to start with.

------------------------------------------------------------------------------
_______________________________________________
Shorewall-devel mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
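The reordering proposed in the message above, written out as a small example (added here; it is not Shorewall's own rule generator, which is written in Perl, nor code from anyone on the list). It splits an iptables rule into its `-m <module>` match groups and stably sorts them by an assumed cost table: `condition` and `owner` first, ipset `set` matches last among the filtering matches, and `nfacct` accounting kept behind everything so it only counts packets that pass the other matches. The cost values, the `DEFAULT_COST` for modules not listed, and the sample rules are assumptions of this example.

```python
import shlex

# Relative cost of each match module, following the argument in the post:
# cheap early-fail matches first, ipset last, accounting never moved ahead.
# The numbers are an assumption of this example, not Shorewall's own table.
MATCH_COST = {
    "condition": 0,   # a single flag lookup in /proc/net/nf_condition
    "owner": 1,       # socket owner check, local traffic only
    "set": 10,        # ipset lookup, the expensive one
    "nfacct": 100,    # accounting: must see only packets the other matches accepted
}
DEFAULT_COST = 5      # unknown modules sit between owner and set


def split_rule(rule):
    """Split an iptables rule into (prefix, matches, target).

    prefix:  tokens before the first '-m' (chain, -p/--dport, etc.)
    matches: one token list per '-m <module> [options...]' group
    target:  tokens from '-j' onward
    """
    tokens = shlex.split(rule)
    prefix, matches, target = [], [], []
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-j":
            target = tokens[i:]
            break
        if tok == "-m":
            current = [tok, tokens[i + 1]]
            matches.append(current)
            i += 2
            continue
        if current is None:
            prefix.append(tok)
        else:
            current.append(tok)
        i += 1
    return prefix, matches, target


def reorder_matches(rule):
    """Return the rule with match groups ordered cheapest-first.

    sorted() is stable, so groups with equal cost (e.g. the two ipset
    matches) keep the order the generator emitted them in.
    """
    prefix, matches, target = split_rule(rule)
    ordered = sorted(matches, key=lambda g: MATCH_COST.get(g[1], DEFAULT_COST))
    return " ".join(prefix + [tok for group in ordered for tok in group] + target)


if __name__ == "__main__":
    # Sample rule as posted above (constructed input for this example).
    generated = ("-A fw2net -m set --match-set set1 src -m set --match-set set2 dst "
                 "-m owner --uid-owner 0 -m condition --condition allow_set2 -j ACCEPT")
    print(reorder_matches(generated))
```

Running the script on the rule from the post yields `-A fw2net -m condition --condition allow_set2 -m owner --uid-owner 0 -m set --match-set set1 src -m set --match-set set2 dst -j ACCEPT`; a rule carrying an `nfacct` match keeps that match after the ipset lookups, and a rule with no `-m` groups is returned unchanged.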
