You would have to have a complete dataset from every packet that passes netfilter to run any kind of rule analysis. Knowing which rule dropped a packet isn't the same as knowing exactly which condition of that rule caused the drop. Could be iface, dport, sport, etc. You would almost have to duplicate the logic of netfilter itself to do any meaningful analysis at this level. However, I think a simpler but still useful tool could be created by using the packet and byte counts kept by netfilter to sort rules within chains.

Jeff

I agree with Jeff here. In fact I have been thinking about this for some time. I even attempted something with a bash script to do this, but my scripting capability is not up to par.

Upon really thinking about it, if I could just do a continuous iptables -vxnL I would be happy. Perhaps some added counters in which the differences from the last check are shown, say with a 5-10 second delay? Sort of an iptop, heh... an iptables in a top-like display... This is my dream!

SBlaze

=====
In the absence of order there will be chaos.
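The counter-delta view both posters describe, as an added example that is not from either poster: it parses two snapshots of `iptables -vxnL` output taken a few seconds apart, computes per-rule packets/sec and bytes/sec, and sorts the rules within each chain busiest-first. The two snapshots below are constructed sample output; `-x` is assumed so the counters are exact integers rather than K/M/G-suffixed.

```python
"""Top-like view of iptables rule counters from two `iptables -vxnL` snapshots."""
import re
from typing import Dict, List, Tuple

RuleKey = Tuple[str, int]  # (chain name, 1-based rule position within the chain)

# Constructed sample output, as `iptables -vxnL` would print it at two polls 5 s apart.
SNAP_T0 = """Chain INPUT (policy DROP 10 packets, 800 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1000     80000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
     500     40000 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
     200     16000 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:23

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
"""
SNAP_T1 = SNAP_T0.replace("1000     80000", "1050     84000") \
                 .replace(" 500     40000", " 510     40800") \
                 .replace(" 200     16000", " 700     56000")

def parse_counters(listing: str) -> Dict[RuleKey, Tuple[int, int, str]]:
    """Map (chain, position) -> (pkts, bytes, rule text) from -vxnL output."""
    rules: Dict[RuleKey, Tuple[int, int, str]] = {}
    chain, pos = None, 0
    for line in listing.splitlines():
        m = re.match(r"^Chain (\S+)", line)
        if m:                       # "Chain INPUT (policy ...)" starts a new chain
            chain, pos = m.group(1), 0
            continue
        fields = line.split(None, 2)
        if chain is None or len(fields) < 3 or not fields[0].isdigit():
            continue                # column header or blank line
        pos += 1
        rules[(chain, pos)] = (int(fields[0]), int(fields[1]), fields[2])
    return rules

def rule_deltas(before: Dict[RuleKey, Tuple[int, int, str]],
                after: Dict[RuleKey, Tuple[int, int, str]],
                interval_s: float) -> List[Tuple[str, int, float, float, str]]:
    """(chain, pos, pkts/s, bytes/s, rule) per rule, busiest first within each chain."""
    rows = []
    for key, (p1, b1, text) in after.items():
        p0, b0, _ = before.get(key, (0, 0, text))
        # If a counter went backwards (iptables -Z or a rule reload), treat it as fresh.
        pk = p1 - p0 if p1 >= p0 else p1
        by = b1 - b0 if b1 >= b0 else b1
        rows.append((key[0], key[1], pk / interval_s, by / interval_s, text))
    rows.sort(key=lambda r: (r[0], -r[2]))
    return rows

if __name__ == "__main__":
    for chain, pos, pps, bps, text in rule_deltas(parse_counters(SNAP_T0), parse_counters(SNAP_T1), 5):
        print(f"{chain:<8} #{pos} {pps:8.1f} pkt/s {bps:10.1f} B/s  {text}")
```

In a live loop you would replace the two constants with successive `subprocess.run(["iptables", "-vxnL"], capture_output=True, text=True).stdout` captures and sleep the interval between them.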