My experimentation with a Perl-based compiler for Shorewall is beginning to bear fruit. Here is a timing from the main firewall at shorewall.net using the Perl-based compiler. That compiler generates a script that uses iptables-restore to configure Netfilter.

root@lists:~/shorewall# shorewall restart .
Compiling...
Shorewall configuration compiled to /var/lib/shorewall/.restart
Restarting Shorewall....
done.

real 0m2.403s
user 0m0.604s
sys 0m0.492s
root@lists:~/shorewall# shorewall show log

Contrast that with the standard 3.4.1 compiler:

root@lists:~/shorewall# time shorewall restart
Compiling...
Shorewall configuration compiled to /var/lib/shorewall/.restart
Restarting Shorewall....
done.

real 0m7.054s
user 0m2.020s
sys 0m2.964s
root@lists:~/shorewall#

The new compiler still uses the shell as its preprocessor to process the 'params' file, expand shell variables in configuration files and to strip comments from those files. Approximately one second of the elapsed time occurs before the Perl-based compiler even starts.

The compiler is far from complete -- no 'detect' features are supported yet. Those will cause the generated script to run quite a bit slower because the iptables-restore input must be reprocessed in the generated script to add the rules that result from detected addresses.

Anyone wishing to play with it can do so as follows:

a) Install Shorewall 3.4.1.
b) Get a copy of the trunk/New SVN files.
c) Make a copy of your /etc/shorewall directory.
d) Modify the shorewall.conf file in the copied directory as follows:

   1- Add 'EXPERIMENTAL=Yes'
   2- Modify CONFIG_PATH to include the directory where you placed the trunk/New files.

You can now use the copied directory as a testbed for the new compiler as I've done above (e.g., cd to that directory and specify "." in your 'shorewall' commands).
-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
Tom Eastep wrote:
> My experimentation with a Perl-based compiler for Shorewall is beginning
> to bear fruit. Here is a timing from the main firewall at shorewall.net
> using the Perl-based compiler. That compiler generates a script that
> uses iptables-restore to configure Netfilter.
>
> root@lists:~/shorewall# shorewall restart .
> Compiling...
> Shorewall configuration compiled to /var/lib/shorewall/.restart
> Restarting Shorewall....
> done.
>
> real 0m2.403s
> user 0m0.604s
> sys 0m0.492s
> root@lists:~/shorewall# shorewall show log
>
> Contrast that with the standard 3.4.1 compiler:
>
> root@lists:~/shorewall# time shorewall restart
> Compiling...
> Shorewall configuration compiled to /var/lib/shorewall/.restart
> Restarting Shorewall....
> done.
>
> real 0m7.054s
> user 0m2.020s
> sys 0m2.964s
> root@lists:~/shorewall#
>
> The new compiler still uses the shell as its preprocessor to process the
> 'params' file, expand shell variables in configuration files and to
> strip comments from those files. Approximately one second of the elapsed
> time occurs before the Perl-based compiler even starts.
>
> The compiler is far from complete -- no 'detect' features are supported
> yet. Those will cause the generated script to run quite a bit slower
> because the iptables-restore input must be reprocessed in the generated
> script to add the rules that result from detected addresses.
>
> Anyone wishing to play with it can do so as follows:
>
> a) Install Shorewall 3.4.1.
> b) Get a copy of the trunk/New SVN files.
> c) Make a copy of your /etc/shorewall directory.
> d) Modify the shorewall.conf file in the copied directory as follows:
>
>    1- Add 'EXPERIMENTAL=Yes'
>    2- Modify CONFIG_PATH to include the directory where you placed
>       the trunk/New files.

I forgot one step:

e) Create a symbolic link /usr/share/shorewall/Shorewall which points to the directory containing the trunk/New files.
On my system, I have:

root@lists:~/shorewall# ll /usr/share/shorewall/Shorewall
lrwxrwxrwx 1 root root 33 2007-03-15 09:37 /usr/share/shorewall/Shorewall -> /home/teastep/shorewall/trunk/New
root@lists:~/shorewall#

And in my shorewall.conf copy:

CONFIG_PATH=/etc/shorewall:/home/teastep/shorewall/trunk/New:/usr/share/shorewall

-Tom
Tom Eastep wrote:
> I forgot one step:
>
> e) Create a symbolic link /usr/share/shorewall/Shorewall which points to the
> directory containing the trunk/New files.
>
> On my system, I have:
>
> root@lists:~/shorewall# ll /usr/share/shorewall/Shorewall
> lrwxrwxrwx 1 root root 33 2007-03-15 09:37 /usr/share/shorewall/Shorewall ->
> /home/teastep/shorewall/trunk/New
> root@lists:~/shorewall#
>
> And in my shorewall.conf copy:
>
> CONFIG_PATH=/etc/shorewall:/home/teastep/shorewall/trunk/New:/usr/share/shorewall

After I sent this, I realized that the way I had done this was not the way I intended. Using the current contents of SVN, do it this way instead:

e) Create a symbolic link /usr/share/shorewall/Shorewall which points to the directory containing the trunk/New/Shorewall files.

On my system, I have:

----------
root@lists:~/shorewall# ll /usr/share/shorewall/Shorewall
lrwxrwxrwx 1 root root 33 2007-03-15 09:37 /usr/share/shorewall/Shorewall -> /home/teastep/shorewall/trunk/New/Shorewall
----------
root@lists:~/shorewall#

And in my shorewall.conf copy:

CONFIG_PATH=/etc/shorewall:/home/teastep/shorewall/trunk/New:/usr/share/shorewall

-Tom

_______________________________________________
leaf-devel mailing list
leaf-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-devel