While debugging a problem for one of the users, I started looking into ways to improve the speed of shadowing detection, which had always been very slow. The policy of this particular user's firewall object has about 100 rules, but each rule uses large groups of addresses and a large number of services, which leads to a huge number of possible combinations the compiler needs to check in order to find out whether rules shadow each other. On my machine this file compiled in 17 minutes, which was too long. The code that does shadowing detection is old; it was written mostly to get the algorithm right and was never optimized. Fortunately, it turned out there was great potential for optimization.
The new build of v3.0.2 (build 628) includes an optimized version that runs about 5 times faster! Please give it a try and let me know how it works for you.
I would also appreciate it if you could post your statistics here in the comments or on the fwbuilder-discussion mailing list, such as the total number of rules and the compile times before and after the change.
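As an added illustration (not fwbuilder's code), here is a small Python model of pairwise rule shadowing that shows why expanding address and service groups is expensive and how checking each dimension separately gives the same answer without the expansion; the rule set, field layout and function names are constructed assumptions, and the side-by-side contrast goes beyond what the post itself describes.

```python
from itertools import product
from ipaddress import ip_network

# Constructed sample policy (not fwbuilder's data model). Each field is a set
# standing in for a group; a rule matches the Cartesian product of its fields.
# Services are (proto, low_port, high_port) ranges.
RULES = [
    {"id": 1, "src": {"10.0.0.0/8"}, "dst": {"192.168.1.0/24"},
     "svc": {("tcp", 22, 22), ("tcp", 80, 80), ("tcp", 443, 443)}},
    {"id": 2, "src": {"10.1.0.0/16", "10.2.0.0/16"}, "dst": {"192.168.1.10/32"},
     "svc": {("tcp", 22, 22), ("tcp", 443, 443)}},
    {"id": 3, "src": {"172.16.0.0/12"}, "dst": {"192.168.1.0/24"},
     "svc": {("tcp", 22, 22)}},
]

def net_covered(net, nets):
    n = ip_network(net)
    return any(n.version == m.version and n.subnet_of(m)
               for m in map(ip_network, nets))

def svc_covered(svc, svcs):
    return any(p == svc[0] and l <= svc[1] and svc[2] <= h for p, l, h in svcs)

def atoms(rule):
    """Number of (src, dst, svc) combinations a full expansion would test."""
    return len(rule["src"]) * len(rule["dst"]) * len(rule["svc"])

def naive_shadowed_by(later, earlier):
    """Reference check: expand every atom of `later` and test each against
    `earlier`. Correct, but costs atoms(later) coverage tests per rule pair."""
    return all(net_covered(s, earlier["src"]) and net_covered(d, earlier["dst"])
               and svc_covered(v, earlier["svc"])
               for s, d, v in product(later["src"], later["dst"], later["svc"]))

def shadowed_by(later, earlier):
    """Same answer without expansion: a product set is contained in another
    product set exactly when each factor is, so the dimensions are checked
    independently (|src| + |dst| + |svc| tests instead of their product)."""
    return (all(net_covered(s, earlier["src"]) for s in later["src"])
            and all(net_covered(d, earlier["dst"]) for d in later["dst"])
            and all(svc_covered(v, earlier["svc"]) for v in later["svc"]))

def find_shadowed(rules, check=shadowed_by):
    """(shadowed_id, shadowing_id) for each rule fully covered by an earlier one."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if check(later, earlier):
                found.append((later["id"], earlier["id"]))
                break
    return found
```

Only full shadowing by a single earlier rule is modelled; a rule covered only by the union of several earlier rules is not reported by either check.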
1 comment:
Our iptables ruleset has almost 200 rules, with hundreds of objects and many addresses in large groups.
We were never able to use the shadowing detection before - it simply took too long. I ran our ruleset through this build and it completed in reasonable time, and I was able to clean up some shadowing.
It's definitely FASTER.