On 5/25/13 11:00 AM, "Dash Four" <[email protected]> wrote:
> Tom Eastep wrote:
>> 4.5.17 RC 1 is now available for testing.
>>
>> Changes since Beta 3:
>>
>> 1) A 'local' zone now works correctly with 'destonly' specified on the
>> loopback device.
>>
> That doesn't seem to work - see my previous email on the subject. I now
> can't specify "local" as an option in my interfaces file.

Please refer to the Beta 3 release announcement - 'local' is now a zone
type rather than an interface option.

>
>> 2) Previously, trivial exclusion matches appeared at the end of an
>> iptables rule rather than in their logical order. This has been
>> corrected.
>>
> That is now fixed. Thanks.
>
>> 3) The fw2fw (fw-fw) chain is now omitted when there is a 'local'
>> zone.
>>
> That is now gone. Thanks.
>
>
> One optimisation bug:
>
> rules
> ~~~~~
> ACCEPT $FW:+set1 net:+set2 ; user:root, switch:allow_set2=0
>
> produces
>
> -A fw2net -m set --match-set set1 src -m set --match-set set2 dst -m
> owner --uid-owner 0 -m condition --condition allow_set2 -j ACCEPT
>
> It makes sense for the "condition" match, as well as owner and possibly
> any other match, bar nfacct matches, to have higher priority and be
> placed before the ipset matches, since they 1. could be checked quicker
> than ipset matches; and 2. there is no point checking the set matches if
> the "condition" match isn't satisfied.
>
> ipset matches are the most resource-consuming operations, so it makes
> sense to place them last, whenever possible (accounting matches
> excluded, of course). In other words, do this:
>
> -A fw2net -m condition --condition allow_set2 --uid-owner 0 -m set
> --match-set set1 src -m set --match-set set2 dst -m owner -j ACCEPT
>
> This will speed up the traversal of rules. Currently, it seems that
> ipset matches "enjoy" the highest priority and are placed first in a
> given iptables rule. I think they need to be defined to have less
> priority than that of "owner" and "condition" matches to start with.

I'll take a look.

-Tom

You do not need a parachute to skydive.
You only need a parachute to skydive twice.

_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
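Added example, not Shorewall's code and not from anyone on this thread: a small Python routine that reorders the match groups of a compiled iptables rule the way the report above argues for (cheap "condition" and "owner" matches first, ipset lookups last, nfacct accounting after everything so it only counts packets that passed every other match). The cost ranks and the function names are assumptions made for this example; the sample rule is the one quoted in the thread.

```python
import shlex
from typing import List, Tuple

# Assumed cost ranking: lower runs earlier. Matches are ANDed, so reordering
# does not change which packets the rule accepts, only the work done per
# packet. nfacct is ranked last so its counter still reflects full-rule hits.
MATCH_RANK = {"condition": 0, "owner": 1, "set": 3, "nfacct": 4}
DEFAULT_RANK = 2  # any module not listed (tcp, state, mark, ...)


def split_rule(tokens: List[str]) -> Tuple[List[str], List[List[str]], List[str]]:
    """Split rule tokens into (prefix, match groups, target).

    prefix  = tokens before the first '-m' (e.g. ['-A', 'fw2net', '-p', 'tcp'])
    matches = one token list per '-m <module> <options...>' group
    target  = '-j'/'-g' and everything after it
    """
    prefix: List[str] = []
    matches: List[List[str]] = []
    target: List[str] = []
    i = 0
    while i < len(tokens) and tokens[i] != "-m":
        prefix.append(tokens[i])
        i += 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-j", "-g"):
            target = tokens[i:]
            break
        if tok == "-m":
            matches.append([])
        matches[-1].append(tok)  # options stay with the group they belong to
        i += 1
    for group in matches:
        if len(group) < 2:
            raise ValueError("'-m' without a module name")
    return prefix, matches, target


def reorder_matches(rule: str) -> str:
    """Return the rule with match groups sorted cheap-to-expensive (stable)."""
    prefix, matches, target = split_rule(shlex.split(rule))
    ordered = sorted(matches, key=lambda m: MATCH_RANK.get(m[1], DEFAULT_RANK))
    return " ".join(prefix + [t for group in ordered for t in group] + target)


if __name__ == "__main__":
    print(reorder_matches("-A fw2net -m set --match-set set1 src -m set "
                          "--match-set set2 dst -m owner --uid-owner 0 "
                          "-m condition --condition allow_set2 -j ACCEPT"))
```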
