On 05/25/2013 11:57 AM, Tom Eastep wrote:
> On 5/25/13 11:00 AM, "Dash Four" <[email protected]> wrote:
>
>> One optimisation bug:
>>
>> rules
>> ~~~~~
>> ACCEPT $FW:+set1 net:+set2 ; user:root, switch:allow_set2=0
>>
>> produces
>>
>> -A fw2net -m set --match-set set1 src -m set --match-set set2 dst -m
>> owner --uid-owner 0 -m condition --condition allow_set2 -j ACCEPT
>>
>> It makes sense for the "condition" match, as well as owner and possibly
>> any other match, bar nfacct matches, to have higher priority and be
>> placed before the ipset matches, since they 1. could be checked quicker
>> than ipset matches; and 2. there is no point checking the set matches if
>> the "condition" match isn't satisfied.
>>
>> ipset matches are the most resource-consuming operations, so it makes
>> sense to place them last, whenever possible (accounting matches
>> excluded, of course). In other words, do this:
>>
>> -A fw2net -m condition --condition allow_set2 --uid-owner 0 -m set
>> --match-set set1 src -m set --match-set set2 dst -m owner -j ACCEPT
>>
>> This will speed up the traversal of rules. Currently, it seems that
>> ipset matches "enjoy" the highest priority and are placed first in a
>> given iptables rule. I think they need to be defined to have less
>> priority than that of "owner" and "condition" matches to start with.
>
> I'll take a look.

Patch attached.

-Tom

-- 
Tom Eastep        \   When I die, I want to go like my Grandfather who
Shoreline,         \  died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 0313b47..0684751 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -613,6 +613,7 @@ use constant { UNIQUE => 1,
CONTROL => 16,
COMPLEX => 32,
NFACCT => 64,
+ EXPENSIVE => 128,
};
our %opttype = ( rule => CONTROL,
@@ -645,6 +646,9 @@ our %opttype = ( rule => CONTROL,
nfacct => NFACCT,
+ set => EXPENSIVE,
+ geoip => EXPENSIVE,
+
conntrack => COMPLEX,
jump => TARGET,
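Review bot: typing `set` and `geoip` as bare `EXPENSIVE` (rather than `MATCH | EXPENSIVE`) means every existing `$opttype & MATCH` test in Chains.pm stops applying to these two options, which is why the `set_rule_option` condition below has to be widened by hand. Consider `set => MATCH | EXPENSIVE,` / `geoip => MATCH | EXPENSIVE,` and testing `$type & EXPENSIVE` in `format_rule` instead of `$type == EXPENSIVE`; that keeps all current MATCH handling intact and makes the `set_rule_option` hunk unnecessary. If the bare value is intentional, a comment next to the two entries saying that EXPENSIVE replaces MATCH for them would help the next reader.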
@@ -827,7 +831,7 @@ sub set_rule_option( $$$ ) {
if ( exists $ruleref->{$option} ) {
assert( defined( my $value1 = $ruleref->{$option} ) , $ruleref );
- if ( $opttype & ( MATCH | NFACCT ) ) {
+ if ( $opttype & ( MATCH | NFACCT | EXPENSIVE ) ) {
if ( $globals{KLUDGEFREE} ) {
unless ( reftype $value1 ) {
unless ( reftype $value ) {
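Review bot: the widened test is what lets a rule carry two `-m set` matches (the thread's rule has `set1 src` and `set2 dst`) through the repeated-value path, including the KLUDGEFREE array handling just below; a test case with that rule, and one with a single set match, would confirm both shapes of `$ruleref->{set}` still format correctly after the change.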
@@ -1013,6 +1017,8 @@ sub format_rule( $$;$ ) {
# The code the follows can be destructive of the rule so we clone it
#
my $ruleref = $rulerefp->{complex} ? clone_rule( $rulerefp ) : $rulerefp;
+ my $nfacct = $rulerefp->{nfacct};
+ my $expensive;
for ( @{$ruleref->{matches}} ) {
my $type = $opttype{$_} || 0;
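Review bot: `$nfacct` is read from `$rulerefp` while the rest of the function works on `$ruleref` (the clone when the rule is complex); this is safe only because it happens before any `pop_match` call, so either read `$ruleref->{nfacct}` for consistency or add a short comment stating that the value is captured before the destructive loop. A name such as `$defer_expensive` would also say more than `$expensive`, which reads as "the rule is expensive".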
@@ -1031,10 +1037,27 @@ sub format_rule( $$;$ ) {
}
next;
+ } elsif ( $type == EXPENSIVE ) {
+ #
+ # Only emit expensive matches now if there are '-m nfacct' matches in the rule
+ #
+ if ( $nfacct ) {
+ $rule .= format_option( $_, pop_match( $ruleref, $_ ) );
+ } else {
+ $expensive = 1;
+ }
} else {
$rule .= format_option( $_, pop_match( $ruleref, $_ ) );
}
}
+ #
+ # Emit expensive matches last unless we had '-m nfacct' matches in the rule.
+ #
+ if ( $expensive ) {
+ for ( grep( ( $opttype{$_} || 0 ) == EXPENSIVE, @{$ruleref->{matches}} ) ) {
+ $rule .= format_option( $_, pop_match( $ruleref, $_ ) );
+ }
+ }
if ( $ruleref->{target} ) {
$rule .= join( ' ', " -$ruleref->{jump}", $ruleref->{target} );
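Review bot: the `if ( $nfacct )` branch in the new `elsif` does exactly what the following `else` branch does, so the logic collapses to `} elsif ( $type == EXPENSIVE && ! $nfacct ) { $expensive = 1; } else {` with one emission path. The comment should also say why `-m nfacct` disables the reordering, since that is the non-obvious part: per the request in the thread ("accounting matches excluded"), a counter must only count packets that passed the set matches written before it, so those matches cannot be moved behind it. The deferred loop greps `@{$ruleref->{matches}}` a second time, so an option listed twice (the two `-m set` matches in the example rule) is popped twice, which is the intended behaviour; a test with the thread's rule, and the same rule with an nfacct match added, would pin both orderings down.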
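The ordering rule discussed in this thread, modelled as a small stand-alone program (added example, not Shorewall's code or the patch above). Cheap matches such as `-m owner` and `-m condition` are emitted first and ipset/geoip matches last, except that a rule carrying an `-m nfacct` counter keeps its original order; a short-circuit evaluator then shows how many ipset lookups the reordering avoids for a packet that fails the condition match. The packet dictionary, the rule list and the `fw2net_cnt` counter name are constructed for the example.

```python
"""Match-ordering model for one iptables rule (added example, not Shorewall code).

Matches are (module, args) pairs in the order they appear in the rule.
Expensive modules are moved to the end of the match list unless the rule
also carries an accounting match, in which case the original order is kept
so the counter still sees exactly the packets that passed the matches
written before it.
"""

# Module classes; the names mirror the split made in the thread (assumption).
EXPENSIVE = {"set", "geoip"}
ACCOUNTING = {"nfacct"}


def order_matches(matches):
    """Return the (module, args) pairs in emission order."""
    if any(module in ACCOUNTING for module, _ in matches):
        return list(matches)          # accounting present: do not reorder
    cheap = [m for m in matches if m[0] not in EXPENSIVE]
    costly = [m for m in matches if m[0] in EXPENSIVE]
    return cheap + costly


def format_rule(chain, matches, target):
    """Render one iptables rule line from the ordered matches."""
    parts = [f"-A {chain}"]
    parts += [f"-m {module} {args}" for module, args in order_matches(matches)]
    parts.append(f"-j {target}")
    return " ".join(parts)


def evaluate(ordered, packet):
    """Evaluate matches left to right, stopping at the first failure, as
    netfilter does.  Returns (matched, ipset_lookups_performed).

    packet is a constructed dict:
      {"sets": set of set names the packet is in,
       "uid": owning uid,
       "conditions": {condition_name: bool}}
    """
    lookups = 0
    for module, args in ordered:
        argv = args.split()
        if module == "set":
            lookups += 1                            # one ipset lookup per -m set
            if argv[1] not in packet["sets"]:       # argv: --match-set NAME src|dst
                return False, lookups
        elif module == "owner":
            if packet["uid"] != int(argv[1]):       # argv: --uid-owner N
                return False, lookups
        elif module == "condition":
            if not packet["conditions"].get(argv[1], False):  # --condition NAME
                return False, lookups
        # nfacct and any other module: treated as always matching here
    return True, lookups


def lookups_saved(matches, packet):
    """ipset lookups in original order minus lookups in optimised order."""
    _, before = evaluate(matches, packet)
    _, after = evaluate(order_matches(matches), packet)
    return before - after


# The rule from the thread, in the order Shorewall emitted it before the patch.
RULE = [
    ("set", "--match-set set1 src"),
    ("set", "--match-set set2 dst"),
    ("owner", "--uid-owner 0"),
    ("condition", "--condition allow_set2"),
]

# Constructed packets: root-owned, in both sets; switch off vs. switch on.
PKT_SWITCH_OFF = {"sets": {"set1", "set2"}, "uid": 0, "conditions": {"allow_set2": False}}
PKT_SWITCH_ON = {"sets": {"set1", "set2"}, "uid": 0, "conditions": {"allow_set2": True}}


if __name__ == "__main__":
    print(format_rule("fw2net", RULE, "ACCEPT"))
    print("ipset lookups saved with switch off:", lookups_saved(RULE, PKT_SWITCH_OFF))
```

With the switch off, the original order performs two ipset lookups before `-m condition` rejects the packet; the reordered rule performs none. With the switch on, both orders do the same two lookups, so the optimisation costs nothing in the accepting case.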
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
