Provided by: iptables-optimizer_0.9.14-1_all

NAME

       ip6tables-optimizer - optimize ip6tables filter-chains in kernel depending on their usage counters

SYNOPSIS

       ip6tables-optimizer [-a] [-c] [-h] [-v[v]] [-w]

DESCRIPTION

       ip6tables-optimizer sorts ip6tables rules by the values of their packet counters. The administrator's
       artwork stays untouched: sorting only happens within consecutive blocks of accept or drop statements,
       never across their borders. These blocks are therefore called partitions, and they behave as such.
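
       The partition rule described above, as an added Python example (not the package's own
       ip6tables_optimizer.py). The sample ruleset is constructed, and treating every line that is not an
       ACCEPT or DROP rule as a fixed border is an assumption made for this illustration.

```python
import shlex
from itertools import groupby

# Constructed sample in `ip6tables-save -t filter -c` format (not real traffic).
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
[12:960] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
[340:27200] -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
[5:400] -A INPUT -s 2001:db8:bad::/48 -j DROP
[90:7200] -A INPUT -s 2001:db8:dead::/48 -j DROP
[3:240] -A INPUT -j LOG --log-prefix "v6-in "
[7:560] -A INPUT -p ipv6-icmp -j ACCEPT
[800:64000] -A INPUT -p udp -m udp --dport 53 -j ACCEPT
COMMIT
"""

def parse(line):
    """Return (chain, target, packets) for a counted -A rule, else None."""
    if not line.startswith("["):
        return None
    tok = shlex.split(line)  # keeps quoted comments and log prefixes as one token
    if len(tok) < 3 or tok[1] != "-A" or "-j" not in tok[:-1]:
        return None
    packets = int(tok[0].strip("[]").split(":")[0])
    return tok[2], tok[tok.index("-j") + 1], packets

def partition_key(line):
    """Lines are sortable only inside a run sharing chain and ACCEPT/DROP target."""
    rule = parse(line)
    if rule and rule[1] in ("ACCEPT", "DROP"):
        return rule[:2]
    return None  # assumption: headers, policies, LOG, jumps, COMMIT are fixed borders

def optimize(text):
    """Sort every partition by packet counter, busiest rule first."""
    out = []
    for key, run in groupby(text.splitlines(), key=partition_key):
        block = list(run)
        if key is not None:
            # list.sort() is stable: rules with equal counters keep their order
            block.sort(key=lambda rule: parse(rule)[2], reverse=True)
        out.extend(block)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(optimize(SAMPLE), end="")
```

       Every rule in a partition has the same verdict, so reordering changes only how many rules a packet
       traverses before it matches. Rules whose matches keep state (limit, recent) are the case to review by
       hand, because there the evaluation order affects later packets.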

       ip6tables-optimizer is shipped in three files: a shell wrapper, functions to be sourced from it and a
       Python executable. The sourced functions were necessary because of testing them with shunit2, thanks
       to Karen Ward for this wonderful tool. The wrapper is my tribute to the changing function of Python
       subprocess in different default Python versions over some Debian releases.

       It runs in four steps; the working directory is /var/run and id=0 is necessary:

       1) /var/cache/ip6tables-optimizer/auto-apply6 is checked for read and exec flags. If both are set, the
       file is used as input for ip6tables-restore and afterwards renamed. The renaming follows a simple
       datetime strategy; this action is logged as well. That's my way of firing new rules into the machine.
       They are copied using scp and after that marked as executable with chmod through ssh.

       2) ip6tables-save -t filter -c > ip6tables-optimizer-save-output 2>ip6tables-optimizer-save-errors

       3) ip6tables_optimizer.py ip6tables-optimizer-save-output >ip6tables-optimizer-output 2>ip6tables-optimizer-partitions

       4) ip6tables-restore [ -c ] ip6tables-optimizer-output >ip6tables-optimizer-restore-out 2>ip6tables-optimizer-restore-err

       Of course, you might want to run it by cron every now and then.

OPTIONS

       -a     If given, it prevents the ip6tables-optimizer from handling the file
              /var/cache/ip6tables-optimizer/auto-apply6

       -c     This option prevents ip6tables-optimizer from resetting packet/byte counters on restoring the
              tables, i.e. these counters will be reloaded with the sorted rules. The intention is to support
              long-term debugging sessions, because the position of the rules to be obeyed will be more stable.

       -h     Shows a brief help message about valid optional arguments and exits with status 1.

       -v     Verbose logging, i.e. reporting the steps and the number of rules. If given twice, the number of
              moves and the partitions are reported as well.

       -w     Reports INPUT and OUTPUT chains only; useful on non-forwarding machines.

FILES

       /var/cache/ip6tables-optimizer keeps all the new rulesets; an incoming auto-apply6 is renamed to e.g.
       auto-apply6-20140818-091958 and kept there. Feel free to clean up these files or keep them as you
       like.

       /var/run keeps the temporary files; their names all begin with ip6tables-optimizer-

LOG

       The handling of an executable file auto-apply6 is always reported. At least the start and end of every
       program run are reported via syslog. A single verbose flag shows the three steps and the corresponding
       number of ip6tables commands. Two verbose flags additionally show the count of moves and the
       partitions of the chains.

EXIT STATUS

       ip6tables-optimizer usually returns a value of 0. In case of an error, e.g. if ip6tables-restore
       fails, it returns the triggering error.

COMPATIBILITY

       ip6tables-optimizer should be compatible with any ip6tables implementation out in the wild. If not,
       keep me informed, thanks. I'll do my very best.

HISTORY

       ip6tables-optimizer has grown from first ideas, over somewhat more than two years and many errors, to
       a productive state. First tries to use subprocess within Python soon led to problems using different
       Python versions on different Debian releases. So these tasks were done on shell level; Python testing
       and shell testing improved the solution.

SEE ALSO

       ip6tables(8) ip6tables-save(8) ip6tables-restore(8)

LICENSE

       GNU General Public License version 3 or any newer version applies to ip6tables-optimizer.

AUTHOR

       Johannes Hubertz <johannes@hubertz.de> wrote this in 2012 - 2016.  Anytime comments are welcome.