Provided by: iptables-optimizer_0.9.13-2_all
ip6tables-optimizer - optimize ip6tables filter-chains in kernel depending on their usage counters
ip6tables-optimizer [-a] [-c] [-h] [-v[v]] [-w]
ip6tables-optimizer is used to sort ip6tables-rules in relation to the values of their packet-counters. And of course, administrators artwork is untouched. Sorting only happens in consecutive blocks of accept or drop statements, never across their borders. Therefore these blocks are called partitions and so they behave. ip6tables-optimizer is shipped in three files, a shell wrapper, functions to be sourced from it and a python exec. The sourced functions were neccessary because of testing them with shunit2, thanks to Karen Ward for this wonderful tool. The wrapper is my tribute to the changing function of python subprocess in different default python versions over some Debian releases. It runs in four steps, working directory is /var/run, id=0 is neccessary: 1.) /var/cache/ip6tables-optimizer/auto-apply6 is checked for read and exec flags. If so, the file is used as input on running ip6tables-restore, afterwards it is renamed. The renaming follows up a simple datetime strategy, this action is logged as well. Thats my way of firing new rules into the machine. They are copied using scp and after that marked as executable with chmod through ssh. 2) ip6tables-save -t filter -c > ip6tables-optimizer-save-output 2>ip6tables-optimizer- save-errors 3) ip6tables_optimizer.py ip6tables-optimizer-save-output >ip6tables-optimizer-output 2>ip6tables-optimizer-partitions 4) ip6tables-restore [ -c ] ip6tables-optimizer-output >ip6tables-optimizer-restore-out 2>ip6tables-optimizer-restore-err Of course, you might want to run it by cron every now and then.
-a If given, it prevents the ip6tables-optimizer from handling the file /var/cache/ip6tables-optimizer/auto-apply6 -c This option will prevent ip6tables-optimizer to reset paket/byte counters on restoring the tables, i.e these counters will be reloaded with the sorted rules. Intention is to support long term debugging sessions, because the position of the rules to be obeyed will be more stable. -h Shows a brief help message about valid optional arguments and exits 1 -v Verbose logging, i.e. reporting the steps and the number of rules. If given twice, the number of moves and the partitions as well. -w reports INPUT and OUTPUT chain only, useful on non forwarding machines.
/var/cache/ip6tables-optimizer keeps all the new rulesets, incomig new auto-apply6 is renamed to f.e. auto-apply6-20140818-091958 and kept there. Feel free to clean up these files or keep them as you like it. /var/run keeps the temporary files, their names all are beginning with ip6tables- optimizer-
The handling of an executable file auto-apply6 is reported always. At least start and end of every program run is reported via syslog. Single verbose flag shows the three steps and the corresponding number of ip6tables commands. Two verbose flags additionally will show up the count of moves and the partitions of the chains.
ip6tables-optimizer usually returns a value of 0. Accidentially in case of error, f.e. if the ip6tables-restore fails, it returns the triggering error.
ip6tables-optimizer should be compatible to any ip6tables implementations out in the wild. If not, keep me informed, thanks. I'll do my very best.
ip6tables-optimizer has grown from first ideas over some more than two years and many errors to a productive state. First tries to use subproces within the python soon led into problems using different python versions on different debian releases. So these tasks were done on shell level, python testing and shell testing improved the solution.
ip6tables(8) ip6tables-save(8) ip6tables-restore(8)
GNU General Public License version 3 or any newer version applies to ip6tables-optimizer.
Johannes Hubertz <firstname.lastname@example.org> wrote this in 2012 - 2015. Anytime comments are welcome.