Re: [NEW SOFTWARE] FIRO - Iptables optimization

Hi Jan

Thank you, I downloaded it, but I have to check how to work with Git.
Now I am sorry I didn't upload this software sooner.

Some explanation of it can be found in this work:
http://biblio.irb.hr/prikazi-rad?&rad=310019

But it is pretty old. I am preparing a document with 100 pages of
explanation; for now it is in Croatian :-( But the code is commented in
English.

The basic idea behind this work is to have a "static optimizer of iptables
rules", or even some other with modifications. It takes only the result of
iptables-save, removes redundant rules, removes unnecessary elements
(e.g. from a multiport array, or even a whole matching parameter), merges
rules, and repositions LOG rules later in the file. This is not perfect,
because network traffic is probably more important.

I will try to generate some test input files, so you can see how it
works. All optimization actions are documented in the generated
files.


Also, I have been doing some tests, and in config.txt you will see:
## Optimal size of multiport - port array
port_array_size_optimal = 10

It means it will merge 2 rules, for example --dport 1:5 and --dport
21:25, into -m multiport --dports 1,2,3,4,5,21,22,23,24,25,
but it will not merge them if they have more than 10 elements in the array.

But, based on my recent tests, it should be
port_array_size_optimal = 15

because
a rule with --dport 1:5 takes e.g. ~0.2 us
and a rule with 15 elements in the multiport array takes ~0.4 us, so it is
pretty much the same.

Br
Tihomir

2011/6/9 Jan Engelhardt <jengelh@xxxxxxxxxx>:
> On Thursday 2011-06-09 15:18, Tihomir Katic wrote:
>>
>>I developed a firewall optimizer for iptables optimization.
>>
>>FIRO parses the output of the iptables-save command and removes redundant
>>rules from it. Rules in each chain and table are optimized separately.
>>The optimization procedure continues until there are no more rules to
>>remove or to modify. As a result, FIRO generates a new file with a new set
>>of rules for every successful optimization procedure. Also, it logs
>>all actions and changes in separate files.
>>
>>List of optimization procedures:
>> -  Remove irrelevant rules
>> -  Remove redundant "shadowed after" rules
>> -  Remove redundant "shadowed before" rules
>> -  Remove last rules with same action as chain
>> -  Merge rules
>> -  Remove redundant parameters from rules
>> -  Remove redundant elements from parameters
>> -  Reposition of "logging" rules in chain
>>
>>This is free software, 1st published version, and I would appreciate
>>every download, every test, every reported bug, suggestion, etc.
>>
>>Link to FIRO:
>>http://valeria.zesoi.fer.hr/~tkatic
>
> Great idea. Consider
> http://jengelh.medozas.de/documents/Perfect_Ruleset.pdf for more things
> to do in rulesets.
>
> Some of the suggestions are not a 1:1 conversion, such as replacing -s
> 127.0.0.0/8 by -i lo. In this case, a warning is the most one can do in
> an automated fashion, and actually sufficient. -- in the spirit of
> checkpatch.pl.
>
>
> In between, I have created a git repo with Makefiles. If I feel lucky,
> I'll also fix the build in a minute.
>
>        git://dev.medozas.de/firo
>
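The merge step discussed above (two --dport rules folded into one -m multiport --dports list, bounded by port_array_size_optimal) as an added Python example. This is not FIRO's code, and the iptables-save fragment it runs on is constructed for illustration. It deliberately merges only adjacent rules with an identical match and target, a conservative subset of what FIRO's shadowing checks allow, because reordering non-adjacent rules can change which rule a packet hits first. Ranges are expanded into individual ports exactly as the post describes; since xt_multiport accepts at most 15 ports per match, a threshold above 15 would produce a rule iptables-restore rejects.

```python
"""Adjacent-rule --dport merge with a port_array_size_optimal threshold.
Added example, not FIRO's own code. The ruleset below is constructed."""
import re

# Constructed iptables-save fragment (not from the original post).
SAMPLE_RULES = """\
-A INPUT -p tcp -m tcp --dport 1:5 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21:25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1000:1020 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j DROP
"""

# xt_multiport hard limit: at most 15 ports in one --dports list.
MULTIPORT_MAX = 15

DPORT_RE = re.compile(r"\s--dport (\d+)(?::(\d+))?")


def expand_ports(spec):
    """'1:5' -> [1, 2, 3, 4, 5]; '53' -> [53]."""
    lo, _, hi = spec.partition(":")
    lo = int(lo)
    hi = int(hi) if hi else lo
    return list(range(lo, hi + 1))


def split_rule(line):
    """Return (prefix, suffix, ports) for a rule carrying --dport, else None.
    prefix/suffix are the text around the --dport clause; two rules are
    merge candidates only when both are identical (same match, same target).
    '-m tcp' is kept in the prefix because it may carry other tcp options."""
    m = DPORT_RE.search(line)
    if not m:
        return None
    spec = m.group(1) + (":" + m.group(2) if m.group(2) else "")
    return line[: m.start()], line[m.end():], expand_ports(spec)


def merge_dport_rules(ruleset, port_array_size_optimal=10):
    """Walk the chain in order and fold runs of adjacent rules that differ
    only in --dport into one -m multiport --dports rule, as long as the
    combined (deduplicated) port list stays within the threshold.
    Returns (new_rules, log) where log records every merge performed."""
    limit = min(port_array_size_optimal, MULTIPORT_MAX)
    out, log = [], []
    pending = None  # [prefix, suffix, ports, source_lines]

    def flush():
        nonlocal pending
        if pending is None:
            return
        prefix, suffix, ports, srcs = pending
        if len(srcs) == 1:
            out.append(srcs[0])  # nothing to merge with; keep verbatim
        else:
            merged = (f"{prefix} -m multiport --dports "
                      f"{','.join(map(str, ports))}{suffix}")
            out.append(merged)
            log.append(f"merged {len(srcs)} rules -> {merged}")
        pending = None

    for line in ruleset.splitlines():
        parts = split_rule(line)
        if parts is None:
            flush()          # a non --dport rule breaks the run
            out.append(line)
            continue
        prefix, suffix, ports = parts
        if pending is not None and (prefix, suffix) == (pending[0], pending[1]):
            union = pending[2] + [p for p in ports if p not in pending[2]]
            if len(union) <= limit:
                pending[2] = union
                pending[3].append(line)
                continue
        flush()
        pending = [prefix, suffix, list(ports), [line]]
    flush()
    return out, log


if __name__ == "__main__":
    rules, actions = merge_dport_rules(SAMPLE_RULES, 10)
    print("\n".join(rules))
    print("\n".join(actions))
```

Running it with the post's original threshold of 10 folds the 1:5 and 21:25 rules into one multiport rule, leaves the 21-port 1000:1020 rule untouched (too large to merge with anything), and keeps the udp and DROP rules separate because their match or target differs. With a threshold of 9 no merge happens at all, which is the effect of the configuration knob the post describes.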