log entry 2012-11-09

iptables-optimizer

A latency of roughly 300 ms in a LAN environment is unusual, so we investigated. Result: the large number of iptables rules on some machines was responsible. Reducing the ruleset seemed to be the only solution, but that is neither easy nor cheap, because you cannot tell from a rule whether it is used or not. Perhaps it is unused today or this week, while the really important use happens only once a month, e.g. the rules that let HR settle their banking affairs, i.e. your salaries?

At first, the iptables comment match module was used to give each rule a distinct number inside the kernel. That helps to identify rules that are not used. But it is extremely boring to stare at a self-repeating screen showing iptables -nvxL, and it doesn't help at all. It's frustrating.

What is the real reason for the latency? For every traversing packet it is the kernel's job to find a matching rule and apply it, or, after having consulted all rules, to log the packet and then drop it. With a fixed set of rules in place for a long time, most of them are unused most of the time; traffic passes through only a few rules. Perhaps we could position the used rules at the top of the lists?

That's it! Why not sort the rules on the values of their usage counters? Some restrictions might be important! But nevertheless I am electrified by the idea. No rest until the first tries, which are encouraging.

Python can call anything at OS level; subprocess is used for that. The idea grew to have it all in a single script:

iptables-save -c > file
sort the chains on the packet counters, respecting all restrictions > sorted
iptables-restore < sorted
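A minimal version of the sorting step in the middle line, written here as an added example (not the code from the opti repository). It assumes, as a restriction of my own choosing, that rules are only reordered within runs of consecutive rules of one chain that share the same terminating target, so no packet can get a different verdict after sorting, and it runs on a constructed iptables-save -c sample:

```python
import re
# Rule line in `iptables-save -c` output: "[pkts:bytes] -A CHAIN <matches> -j TARGET"
RULE_RE = re.compile(r'^\[(\d+):(\d+)\] -A (\S+) (.*)$')
# Assumption (mine, not the project's): only consecutive rules of one chain with
# the same terminating target are reordered; everything else keeps its place.
SAFE_TARGETS = {"ACCEPT", "DROP", "REJECT"}

def target_of(rule_body):
    m = re.search(r'(?:-j|--jump) (\S+)', rule_body)
    return m.group(1) if m else None

def optimize(save_text):
    """Sort rules by packet counter (descending) inside each safe run; other
    lines (table headers, policies, COMMIT, LOG or jump rules) stay in place."""
    out, run, run_key = [], [], None   # run_key = (chain, target) of current run

    def flush():
        nonlocal run, run_key
        # sorted() is stable: rules with equal counters keep their original order
        out.extend(line for _, line in sorted(run, key=lambda r: r[0], reverse=True))
        run, run_key = [], None

    for line in save_text.splitlines():
        m = RULE_RE.match(line)
        tgt = target_of(m.group(4)) if m else None
        key = (m.group(3), tgt) if tgt in SAFE_TARGETS else None
        if key != run_key:          # run boundary: non-rule line, other chain or target
            flush()
            run_key = key
        if key is None:
            out.append(line)
        else:
            run.append((int(m.group(1)), line))
    flush()
    return "\n".join(out) + "\n"

# Constructed sample of `iptables-save -c` output (not a real ruleset).
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
[12:960] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -p tcp --dport 22 -j ACCEPT
[3400:200000] -A INPUT -p tcp --dport 443 -j ACCEPT
[0:0] -A INPUT -p tcp --dport 80 -j ACCEPT
[5:300] -A INPUT -p tcp --dport 25 -j DROP
[0:0] -A INPUT -j LOG --log-prefix "dropped: "
COMMIT
"""
```

Feed the output of iptables-save -c into optimize() and load the result with iptables-restore -c; without -c, iptables-restore zeroes the counters that the next sorting pass depends on.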

Initial commit was on 2012-11-09, pushed to https://github.com/sl0/opti

Have fun!
