Provided by: iptables-optimizer_0.9.13-2_all bug


       iptables-optimizer   -   optimize   iptables  filter-chains  in  kernel
       depending on their usage counters


       iptables-optimizer [-a] [-c] [-h] [-v[v]] [-w]


       iptables-optimizer is used to sort iptables-rules in  relation  to  the
       values  of their packet-counters. And of course, administrators artwork
       is untouched.  Sorting only happens in consecutive blocks of accept  or
       drop statements, never across their borders. Therefore these blocks are
       called partitions and so they behave.

       iptables-optimizer  is  shipped  in  three  files,  a  shell   wrapper,
       functions  to  be  sourced  from  it  and  a  python  exec. The sourced
       functions were neccessary because of testing them with shunit2,  thanks
       to Karen Ward for this wonderful tool. The wrapper is my tribute to the
       changing function of python  subprocess  in  different  default  python
       versions over some Debian releases.

       It  runs  in  four  steps,  working  directory  is  /var/run,  id=0  is

       1.) /var/cache/iptables-optimizer/auto-apply is checked  for  read  and
       exec  flags.  If  so,  the  file  is used as input on running iptables-
       restore, afterwards it is renamed. The renaming  follows  up  a  simple
       datetime  strategy,  this  action  is  logged  as well. Thats my way of
       firing new rules into the machine.  They are copied using scp and after
       that marked as executable with chmod through ssh.

       2)   iptables-save   -t   filter  -c  >  iptables-optimizer-save-output

       3)   iptables-optimizer-save-output   >iptables-
       optimizer-output 2>iptables-optimizer-partitions

       4)   iptables-restore   [  -c  ]  iptables-optimizer-output  >iptables-
       optimizer-restore-out 2>iptables-optimizer-restore-err

       Of course, you might want to run it by cron every now and then.


       -a     If given, it prevents the iptables-optimizer from  handling  the
              file /var/cache/iptables-optimizer/auto-apply

       -c     This  option will prevent iptables-optimizer to reset paket/byte
              counters on restoring the tables, i.e  these  counters  will  be
              reloaded  with  the  sorted  rules. Intention is to support long
              term debugging sessions, because the position of the rules to be
              obeyed will be more stable.

       -h     Shows  a  brief  help message about valid optional arguments and
              exits 1

       -v     Verbose logging, i.e. reporting the  steps  and  the  number  of
              rules. If given twice, the number of moves and the partitions as

       -w     reports INPUT and OUTPUT chain only, useful  on  non  forwarding


       /var/cache/iptables-optimizer  keeps  all the new rulesets, incomig new
       auto-apply is renamed  to  f.e.   auto-apply-20140818-091958  and  kept
       there. Feel free to clean up these files or keep them as you like it.

       /var/run  keeps the temporary files, their names all are beginning with



       The handling of an executable file auto-apply is  reported  always.  At
       least start and end of every program run is reported via syslog. Single
       verbose flag shows the three steps  and  the  corresponding  number  of
       iptables  commands.  Two  verbose  flags  additionally will show up the
       count of moves and the partitions of the chains.


       iptables-optimizer usually returns a value of 0. Accidentially in  case
       of error, f.e. if the iptables-restore fails, it returns the triggering


       iptables-optimizer should be compatible to any iptables implementations
       out  in  the  wild.  If  not, keep me informed, thanks. I'll do my very


       iptables-optimizer has grown from first ideas over some more  than  two
       years  and  many  errors  to  a  productive  state.  First tries to use
       subproces within the python soon  led  into  problems  using  different
       python  versions on different debian releases. So these tasks were done
       on shell level, python testing and shell testing improved the solution.


       iptables(8) iptables-save(8) iptables-restore(8)


       GNU General Public License version 3 or any newer  version  applies  to


       Johannes  Hubertz  <>  wrote  this  in  2012 - 2015.
       Anytime comments are welcome.