iptables-optimizer - python classes

Author: Johannes Hubertz johannes@hubertz.de Date: 2016-12-06 Version: 0.9.14 License: GNU General Public License version 3 or later

This little helper is intended to optimize a large ruleset in iptables packet-filter chains; the optimization target is throughput.

All chains are partitioned now, and sorting is done inside the partitions. The sequence of partitions is never changed; it is kept untouched so as not to destroy the administrator's artwork.

You will need a wrapper script, e.g. iptables-optimizer

Comments, suggestions, improvements welcome!

Have Fun!

class iptables_optimizer.Chain(name, policy)

this is the representation of one chain

append(line_list)

first fill in some content, line by line

find_ins_point(act, part_start)

find out where to insert the rule according to its packet counters

make_partitions()

make_partitions creates a list of 2-element lists, each representing a consecutive sequence of rules with the same target (ACCEPT, DROP, or the like). One 2-element list is called a partition; it is [p_strt, p_ende] and is taken from self.liste. Numbers in partitions are element positions, not indices! It returns len(self.partitions), used for testing purposes.

mov_up(position, part_start)

move the rule at position upwards to where it belongs; list_point is found in cntrs (values start with 0), insert_point in the kernel (values start with 1)

opti()

optimize this chain according to its packet counters

class iptables_optimizer.Filter(groupname='filter', filename='reference-input')

this is a filter group; it may be filter, mangle, nat or raw, but the optimizer looks at the filter group only!

opti()

optimize all chains in one pass, then return the sum of moved counts and the partitions list for debugging

sequence()

keep track of all chain names, the predefined ones first, with their policy

show()

after sorting rules, print them out

exception iptables_optimizer.FilterLoadError

explicit error in case of a wrong filename

iptables_optimizer.extract_pkt_cntr(cntrs)

given a string '[pkt_cntr:byt_cntr]', return pkt_cntr and byt_cntr as a pair of values for comparison
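As an added illustration of the partitioning and counter-driven sort described for make_partitions(), opti() and extract_pkt_cntr() above (my own simplified re-implementation, not the project's code): it assumes iptables-save -c style rule lines with a leading [pkts:bytes] counter and the jump target after -j, and its moved count is simply the number of rules whose position changed. The sample chain is constructed for this example.

```python
import re

# Constructed sample chain in iptables-save -c style (assumed input format).
SAMPLE_CHAIN = [
    "[10:1000] -A INPUT -p tcp --dport 22 -j ACCEPT",
    "[900:90000] -A INPUT -p tcp --dport 443 -j ACCEPT",
    "[300:30000] -A INPUT -p tcp --dport 80 -j ACCEPT",
    "[5:500] -A INPUT -p tcp --dport 23 -j DROP",
    "[50:5000] -A INPUT -p udp --dport 53 -j ACCEPT",
    "[700:70000] -A INPUT -p tcp --dport 25 -j ACCEPT",
]

_CNTR_RE = re.compile(r"^\[(\d+):(\d+)\]")
_TARGET_RE = re.compile(r"\s-j\s+(\S+)")


def extract_pkt_cntr(cntrs):
    """Parse the leading '[pkt_cntr:byt_cntr]' of a rule line into two ints."""
    m = _CNTR_RE.match(cntrs)
    if not m:
        raise ValueError("no counter prefix in: %r" % cntrs)
    return int(m.group(1)), int(m.group(2))


def target_of(rule):
    """Jump target of a rule (ACCEPT, DROP, LOG, ...), or None if it has none."""
    m = _TARGET_RE.search(rule)
    return m.group(1) if m else None


def make_partitions(rules):
    """[[start, end], ...] as 1-based element positions (inclusive) of maximal
    runs of consecutive rules sharing the same target; runs never merge."""
    partitions = []
    for pos, rule in enumerate(rules, start=1):
        if partitions and target_of(rules[pos - 2]) == target_of(rule):
            partitions[-1][1] = pos
        else:
            partitions.append([pos, pos])
    return partitions


def opti(rules):
    """Sort each partition by packet counter, descending; partition order and
    therefore the verdict sequence stay untouched. Returns (rules, moved)."""
    out, moved = [], 0
    for start, end in make_partitions(rules):
        part = rules[start - 1:end]
        # sorted() is stable, so rules with equal counters keep their order
        done = sorted(part, key=lambda r: extract_pkt_cntr(r)[0], reverse=True)
        moved += sum(1 for a, b in zip(part, done) if a != b)
        out.extend(done)
    return out, moved
```

Comparing the target sequence before and after opti() is the check to run on any such reorder: it must be identical, otherwise a rule crossed a partition boundary and the filter's semantics changed.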

class iptables_optimizer_tests.Chain_Test(methodName='runTest')

some first tests for class Chain

test_01_create_a_chainobject()

Chain_Test: create a chainobject

test_02_make_partitions_0()

Chain_Test: make partitions from no rules

test_03_make_partitions_1a()

Chain_Test: make partitions from one rule a

test_04_make_partitions_1d()

Chain_Test: make partitions from one rule d

test_05_make_partitions_1r()

Chain_Test: make partitions from one rule r

test_06_make_partitions_1l()

Chain_Test: make partitions from one rule l

test_07_make_partitions_2a()

Chain_Test: make partitions from two rules aa

test_08_make_partitions_2ad()

Chain_Test: make partitions from two rules ad

test_09_make_partitions_5ada()

Chain_Test: make partitions from five rules adaaa

test_10_empty_opti_0()

Chain_Test: optimize an empty chainobject

test_11_insert_three_aaa()

Chain_Test: optimize three rules aaa

test_12_insert_three_aar()

Chain_Test: optimize three rules aar

test_14_insert_five_rules_with_logdrop()

Chain_Test: optimize five rules aalaa

class iptables_optimizer_tests.Filter_Test(methodName='runTest')

some first tests for class Filter

test_01_filter_file_NOread()

Filter_Test: non-existent input file

test_02_filter_file_OKread()

Filter_Test: read reference-input

test_03_optimize_algorithm()

Filter_Test: optimize, check 30 moves and partitions

test_04_filter_output()

Filter_Test: check output for reference-input