Idea

William Stearns wstearns@pobox.com
Wed, 29 Sep 1999 10:22:20 -0400 (EDT)


Good day, all,

On Wed, 29 Sep 1999, Paul Rusty Russell wrote:

> In message <19990928123105.A6492@aldem.net> you write:
> > 	But, in real life, some rules are hit more often than others,
> > 	so why not dynamically reorder them?
> 
> Didier Dhaenens's chop (chain optimization).  Haven't heard from
> Didier since his last release of chop in June.

	Mason (see .sig) has the ability to reorder rules; by using the
mark value, it is able to pull the packet counts from an ipchains listing
and append the counts to the rule files it creates.  It also safely
reorders the rules so that higher count rules migrate toward the top of
the list and lower count rules migrate down, without ever changing the
security of the ruleset (for example, it won't change the order of a DENY
rule and an ACCEPT rule).
	This is why I hope the mark value will continue to be available in
iptables - I need this unique number to match up the output lines in a
firewall listing to the original rules in the rule files.
	Cheers,
	- Bill

---------------------------------------------------------------------------
	"Microsoft has done more for the fault tolerance industry than any
other company.  They have made end-users very tolerant of faults". 
(Courtesy of "Deliduka, Bennet" <bennet.deliduka@state.vt.us>)
--------------------------------------------------------------------------
William Stearns (wstearns@pobox.com).  Mason, Buildkernel, named2hosts, 
and ipfwadm2ipchains are at: http://www.pobox.com/~wstearns/
--------------------------------------------------------------------------
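As an added illustration of the reordering Bill describes above (this is example code written for this archive page, not Mason's own code), the script below pulls packet counts out of a listing by mark value, then sorts rules by hit count only within runs of consecutive rules that share the same target, so a DENY and an ACCEPT never trade places. The listing format is a constructed, simplified one (real `ipchains -L -n -v` output has more columns; only the packet count and the mark are used here), the rules match on a destination-port set for simplicity, and the `naive_reorder` function is included only to show what a global sort by count would break.

```python
"""Safe hit-count reordering of a first-match ruleset (added example).

Rules are identified by a unique mark value; counts are read back from a
listing by that mark and rules are promoted by count, but only inside a
maximal run of neighbours with the same target, which keeps every packet's
first-match decision unchanged.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    mark: int           # unique mark, used to tie listing lines to rule-file lines
    target: str         # ACCEPT / DENY
    dports: frozenset   # destination ports the rule matches (simplified match)
    count: int = 0      # packet count pulled from the listing


# Constructed sample listing (simplified; not real ipchains output).
SAMPLE_LISTING = """\
Chain input (policy DENY)
 pkts target mark
   12 ACCEPT 1
 4000 ACCEPT 2
    7 DENY   3
  950 DENY   4
   30 DENY   5
  300 ACCEPT 6
"""

# Constructed rule file, in its original (security-relevant) order.
RULES = [
    Rule(1, "ACCEPT", frozenset({22})),
    Rule(2, "ACCEPT", frozenset({80, 443})),
    Rule(3, "DENY", frozenset({23})),
    Rule(4, "DENY", frozenset({22, 80, 111})),   # overlaps rules 1 and 2 on purpose
    Rule(5, "DENY", frozenset({137, 138, 139})),
    Rule(6, "ACCEPT", frozenset({25})),
]


def counts_by_mark(listing):
    """Map mark -> packet count; header and chain lines are skipped."""
    counts = {}
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) != 3 or not fields[0].isdigit():
            continue
        pkts, _target, mark = fields
        counts[int(mark)] = int(pkts)
    return counts


def attach_counts(rules, counts):
    """Return the rules with the listing's counts filled in (missing mark -> 0)."""
    return [Rule(r.mark, r.target, r.dports, counts.get(r.mark, 0)) for r in rules]


def safe_reorder(rules):
    """Sort by count (descending, stable) within each run of equal targets only.

    Rules with the same target are interchangeable under first-match
    semantics; runs never span a target boundary, so the relative order of
    any DENY/ACCEPT pair is preserved.
    """
    out, i = [], 0
    while i < len(rules):
        j = i
        while j < len(rules) and rules[j].target == rules[i].target:
            j += 1
        out.extend(sorted(rules[i:j], key=lambda r: r.count, reverse=True))
        i = j
    return out


def naive_reorder(rules):
    """Global sort by count: the unsafe version, for contrast only."""
    return sorted(rules, key=lambda r: r.count, reverse=True)


def first_match(rules, dport, policy="DENY"):
    """First-match evaluation of one packet by destination port."""
    for r in rules:
        if dport in r.dports:
            return r.target
    return policy


def same_decisions(a, b, ports):
    """True when both orderings decide every port identically."""
    return all(first_match(a, p) == first_match(b, p) for p in ports)


def marks(rules):
    return [r.mark for r in rules]


if __name__ == "__main__":
    counted = attach_counts(RULES, counts_by_mark(SAMPLE_LISTING))
    print("safe :", marks(safe_reorder(counted)),
          same_decisions(counted, safe_reorder(counted), range(1, 1024)))
    print("naive:", marks(naive_reorder(counted)),
          same_decisions(counted, naive_reorder(counted), range(1, 1024)))
```

Run as-is, the safe ordering promotes the busy rules (marks 2, 4, 5) within their own runs and every port still gets the same verdict, whereas the naive global sort moves the DENY on port 22 ahead of the ACCEPT on port 22 and silently changes the decision.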