log entry 2013-04-19

iptables-optimizer version 0.9

Version 0.9 is out.

The main advantages are:

  1. Partition tables are printed to stderr by the Python script.
  2. Rules with undefined policies each form a single partition.
  3. filter.show is completely rewritten for testability.

If the wrapper is called with any parameter, usually -v, it logs the partition table to syslog. This is a good chance to see what is going on in the chains on every run of iptables-optimizer:

#chainname  : moves  partitions
#INPUT      :     4  [1, 41][42, 53][54, 54]
#OUTPUT     :     4  [1, 42][43, 54][55, 55]
#logdrop    :     0  [1, 1][2, 2]

The column titled chainname names the chain described in that output line. moves is the number of rules that changed their position within the chain. Within each pair of brackets the numbers give the start and end of one partition; the number of bracket pairs corresponds to the number of partitions in the chain.

These numbers are easily explained; they result from the following partitions (partition length = partition end - partition start + 1):

chain   length   action(s)

INPUT       41   -j ACCEPT
INPUT       11   -j DROP
INPUT        1   -j logdrop
OUTPUT      42   -j ACCEPT
OUTPUT      11   -j DROP
OUTPUT       1   -j logdrop
logdrop      1   -j LOG
logdrop      1   -j DROP

Each line shows a partition as iptables-optimizer sees it. The pattern-matching part of each rule is not important to it; only the action part determines which partition a rule belongs to. As a result, exchanging rules within a partition does not change security, just performance. Partition borders must never be moved or traversed by iptables-optimizer operations. Therefore the creation of the partitions is the subject of extensive tests.
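As an added illustration (not iptables-optimizer's own code), the following shows the partitioning and the in-partition reordering described above on a constructed chain. It assumes rule lines in iptables-save -c format, that the reordering criterion is the packet counter (an assumption; the post does not name the criterion), and a fixed set of built-in targets, with every other target treated as a single-rule partition.

```python
import re

# Assumption: these count as built-in targets; anything else (a jump to a
# user-defined chain such as logdrop) becomes a partition of its own.
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG"}

# iptables-save -c style line: "[pkts:bytes] -A CHAIN <match> -j TARGET [opts]"
RULE_RE = re.compile(r"^\[(\d+):(\d+)\]\s+-A\s+(\S+)\s+(.*?)\s*-j\s+(\S+)(?:\s+.*)?$")

SAMPLE_INPUT = [  # constructed sample chain, not taken from a real host
    "[10:800] -A INPUT -p tcp --dport 22 -j ACCEPT",
    "[900:72000] -A INPUT -p udp --dport 53 -j ACCEPT",
    "[300:24000] -A INPUT -p tcp --dport 25 -j ACCEPT",
    "[5:400] -A INPUT -p tcp --dport 23 -j DROP",
    "[50:4000] -A INPUT -p tcp --dport 135 -j DROP",
    "[7:560] -A INPUT -j logdrop",
]

def parse_rule(line):
    m = RULE_RE.match(line)
    if not m:
        raise ValueError("not a counted rule: %r" % line)
    pkts, _, chain, match, target = m.groups()
    return {"pkts": int(pkts), "chain": chain, "match": match, "target": target}

def partitions(rules):
    """1-based (start, end) pairs; same built-in target => same partition."""
    parts = []
    for i, r in enumerate(rules, 1):
        prev = rules[i - 2]["target"] if parts else None
        if r["target"] in BUILTIN_TARGETS and r["target"] == prev:
            parts[-1] = (parts[-1][0], i)
        else:
            parts.append((i, i))
    return parts

def optimize(rules):
    """Sort by packet counter inside each partition only; borders never move."""
    out = []
    for start, end in partitions(rules):
        out.extend(sorted(rules[start - 1:end], key=lambda r: r["pkts"], reverse=True))
    moves = sum(1 for old, new in zip(rules, out) if old is not new)
    return out, moves

def partition_table(chain, rules):
    """One line in the format the 0.9 wrapper logs to syslog."""
    _, moves = optimize(rules)
    cells = "".join("[%d, %d]" % p for p in partitions(rules))
    return "#%-11s: %5d  %s" % (chain, moves, cells)
```

Running partition_table("INPUT", [parse_rule(l) for l in SAMPLE_INPUT]) yields "#INPUT      :     5  [1, 3][4, 5][6, 6]": the busiest ACCEPT and DROP rules move to the front of their partitions, but no DROP rule ever ends up before an ACCEPT rule.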

The rules for dropping packets are there to minimize the logs, of course. This example is taken from a DNS and mail server.

In the last weeks I found out that different Python versions have different opinions about working with the subprocess module. As iptables-optimizer didn't work on squeeze (Python 2.6) because it was written on wheezy (Python 2.7), I started some investigations. In the end, the least difficult solution for me was to remove all the subprocess calls and to keep only the file operations in Python. All the rest, iptables-save, iptables-restore and logging, is done in a shell wrapper now. At the PythonCamp I learned something about tox, which was soon adopted for iptables-optimizer. Now the tests show good results with Python versions 2.6, 2.7 and 3.2.

So iptables-optimizer has grown into a robust and well-performing tool and can be called every minute.

Have fun!