On Sat, Nov 18, 2006 at 07:18:51PM +0000, Andrew Suffield wrote:
> On Sat, Nov 18, 2006 at 09:44:41AM -0800, Tom Eastep wrote:
> > Andrew Suffield wrote:
> >
> > >
> > > It appears to work - but takes a little over 3 minutes to compile on
> > > the server I normally use for this (1 minute user, 2 minutes
> > > system). Admittedly that server's only got a C3 processor (poor
> > > cooling in that cupboard), but that's still a long way from 10
> > > seconds. I could use a faster server instead, but I have to wonder if
> > > I'm missing something.
> >
> > I assume that you are using a light-weight shell?
>
> Using dash instead of bash shaves maybe 10 seconds off it - not really
> sure why the difference is so small, as I'd have expected more like 30
> or 40 seconds, but it won't do anything about the 2 minutes spent
> inside the kernel (probably fork/exec, although I haven't measured
> it).

Or I'm just being an idiot.

    When -e <directory-name> is included, only the SHOREWALL_SHELL and
    VERBOSITY settings from /etc/shorewall/shorewall.conf are used and
    these apply only to the compiler itself. The settings used by the
    compiled firewall script are determined by the contents of
    <directory name>/shorewall.conf.

Would be the appropriate realisation. I successfully managed to run
/sbin/shorewall and the generated firewall script under dash, but not
/usr/share/shorewall/compiler. It would probably be wise for that
distinction to be noted in the template shorewall.conf, so that other
absent-minded people get reminded.

New time after changing that one too:

    real 0m45.249s
    user 0m11.645s
    sys 0m32.814s

Still five times slower than your laptop... but perhaps it's not as
old as you think, and these processors really are not fast. It's
roughly equivalent to a 450MHz P3 (except with modern storage and
network performance, appalling floating point performance, but vastly
lower heat output - no fans on these things). Faster would be nice,
but I can live with this.

Time to restart shorewall-lite is still about a minute, and that's all
spent running iptables - no surprise there, and short of doing
something evil with iptables-restore, I don't expect it to change. For
me at least, it's not currently worth the effort. Might be something
to think about next time the beast gets rewritten.
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users