Re: [Fwbuilder-discussion] Slow policy compilation under Mac OS X
From: <va...@vk...> - 2007-10-11 05:33:53
On Oct 10, 2007, at 10:12 PM, t m wrote:

> Hello,
>
> I seem to have developed a rather significant performance issue while
> compiling my firewall rules. When I compile, the progress report will
> run quickly then get stuck on the "Detecting rule shadowing" stage.
> This will take about 20 minutes to complete, after which everything
> completes fine. The system monitor shows that, while compiling, the
> fwb_ipt program is using close to 100% of one of my CPUs and a little
> under 600MB of memory.
>
> My firewall isn't what I would consider to be very complex, and I'm
> not sure what I would change to make my policies compile more quickly.
> Does anyone have any ideas on what might be causing this? Is there a
> way to skip the rule shadowing check in a pinch?

Rule shadowing detection considers all possible combinations of objects in source, destination and service. So if you have a rule with N1 objects in source, N2 in destination and N3 in service, it has to split this rule and create N1*N2*N3 elementary rules and analyze them all. Add another rule with many objects in source, destination and/or service and the complexity of the analysis explodes.

--vk
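The splitting described in the reply above, as an added example that is not part of the original message and is not Firewall Builder's code: a simplified Python model that expands each rule into its N1*N2*N3 elementary rules and counts the comparisons needed to find shadowed rules. The policy, the rule names and the coverage test (a later elementary rule counts as hidden when a single earlier elementary rule covers it) are assumptions made for illustration.

```python
import ipaddress
from itertools import product

# Constructed sample policy (not from the thread). Services are
# (protocol, low_port, high_port) tuples.
POLICY = [
    {"name": "r0", "src": ["10.0.0.0/8"],
     "dst": ["192.168.1.0/24", "192.168.2.0/24"], "svc": [("tcp", 1, 1023)]},
    {"name": "r1", "src": ["10.1.0.0/16", "10.2.0.0/16"],
     "dst": ["192.168.1.10/32"], "svc": [("tcp", 22, 22), ("tcp", 80, 80)]},
    {"name": "r2", "src": ["172.16.0.0/12"],
     "dst": ["192.168.1.10/32"], "svc": [("tcp", 443, 443)]},
]

def elementary(rule):
    """Split a rule into N1*N2*N3 single-object (src, dst, svc) rules."""
    src = [ipaddress.ip_network(n) for n in rule["src"]]
    dst = [ipaddress.ip_network(n) for n in rule["dst"]]
    return list(product(src, dst, rule["svc"]))

def covers(a, b):
    """True if elementary rule a matches every packet that b matches."""
    (asrc, adst, (ap, alo, ahi)), (bsrc, bdst, (bp, blo, bhi)) = a, b
    return (bsrc.subnet_of(asrc) and bdst.subnet_of(adst)
            and ap == bp and alo <= blo and bhi <= ahi)

def find_shadowed(policy):
    """Return (names of fully shadowed rules, pairwise comparisons made)."""
    expanded = [(r["name"], elementary(r)) for r in policy]
    shadowed, comparisons = [], 0
    for i, (name, later) in enumerate(expanded):
        # Every elementary rule from all rules above this one.
        earlier = [e for _, rules in expanded[:i] for e in rules]
        hidden = 0
        for b in later:
            for a in earlier:
                comparisons += 1
                if covers(a, b):
                    hidden += 1
                    break
        if later and hidden == len(later):
            shadowed.append(name)
    return shadowed, comparisons

if __name__ == "__main__":
    for r in POLICY:
        print(r["name"], "->", len(elementary(r)), "elementary rules")
    print(find_shadowed(POLICY))
```

A rule that matches nothing above it is compared against every earlier elementary rule, so the cost grows with the product of the object counts of all the rules involved.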