DAG for rule generation
a { b c d } e { f g } x;
h { f g } z;
i { b c } y;
precompute common subexpressions == split them out into separate chains
caution: the action does not factor out together with a subexpression:
{ f g } x is not the same as { f g } z, so what the two rules share is the match, not the rule
visit nodes in a dag: when the end of the path is reached, enter a rule into
an assembler-like list of tuples
chain | if | src ip | dst ip | proto | src port | dst port | options... | action
ports are ignored for non-tcp/udp (i.e. they are NULL)
NULL values are taken to mean any: if they meant none, then every rule missing a
value would be a no-op. leaving a specifier out meaning less specificity is the
more intuitive reading.
options include icmp type, special flags, iptables modifiers
apply peephole optimisations (first match wins, so order is part of the semantics):
* redundant rules: a rule that is more specific than a later rule with the same action
can be dropped, but only if no rule in between with a different action overlaps it
(otherwise that rule would take the packet first once the specific one is gone)
* shadowing: a rule that is more specific than an earlier rule can never match;
potential for a shadowing warning, most useful when the two actions differ
* rule reordering with other rules having the same action
pattern: "if" expression "then" action;
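An added example of the tuple list and the peephole pass described above. It is written for these notes and is not the author's generator: the field set (src, dst, proto, sport, dport, action), the use of None for NULL, the names emit/subsumes/overlaps/peephole, and the sample program are all assumptions; chain factoring, the "if" column and the options column are left out. emit() expands sibling items as alternatives and separate specifiers as a conjunction, forces the ports to NULL for anything that is not tcp/udp, and peephole() then drops rules that are redundant (covered by a later rule with the same action, with nothing of a different action in between) or dead (covered by an earlier surviving rule), warning when a dead rule's action differs from the rule that shadows it.

```python
from dataclasses import dataclass
from itertools import product
from typing import Optional

# The tuple from the notes without chain/if/options; None plays the part of NULL ("any").
FIELDS = ("src", "dst", "proto", "sport", "dport")


@dataclass(frozen=True)
class Rule:
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    action: str = "accept"

    def fields(self):
        return tuple(getattr(self, f) for f in FIELDS)


def emit(spec: dict, action: str) -> list:
    """S1 { I1 I2 } S2 { J } A  ->  one tuple per element of the cross product.

    Sibling items are alternatives and separate specifiers are conjoined, so the
    rule list is the product; a specifier that is left out stays None (any).
    Ports only mean something for tcp/udp, so they are forced to None otherwise.
    """
    keys = [f for f in FIELDS if f in spec]
    rules = []
    for combo in product(*(spec[k] for k in keys)):
        r = dict(zip(keys, combo))
        if r.get("proto") not in ("tcp", "udp"):
            r.pop("sport", None)
            r.pop("dport", None)
        rules.append(Rule(action=action, **r))
    return rules


def subsumes(general: Rule, specific: Rule) -> bool:
    """Every packet that matches `specific` also matches `general`."""
    return all(g is None or g == s for g, s in zip(general.fields(), specific.fields()))


def overlaps(a: Rule, b: Rule) -> bool:
    """Some packet could match both rules."""
    return all(x is None or y is None or x == y for x, y in zip(a.fields(), b.fields()))


def peephole(rules: list) -> tuple:
    """First-match semantics: drop dead and redundant rules, return (kept, warnings)."""
    kept, warnings = [], []
    for i, r in enumerate(rules):
        # dead: an earlier surviving rule already takes every packet r could see
        earlier = next((k for k in kept if subsumes(k, r)), None)
        if earlier is not None:
            if earlier.action != r.action:
                warnings.append(f"rule {i} {r} is shadowed by {earlier}")
            continue
        # redundant: a later rule with the same action covers r, and no rule in
        # between with a different action can take one of r's packets first
        redundant = False
        for later in rules[i + 1:]:
            if later.action != r.action and overlaps(later, r):
                break
            if later.action == r.action and subsumes(later, r):
                redundant = True
                break
        if not redundant:
            kept.append(r)
    return kept, warnings


# Constructed sample program in the shape of the notes' DSL (not a real policy).
PROGRAM = [
    ({"src": ["10.0.0.1"], "proto": ["tcp"], "dport": [22]}, "accept"),              # redundant: next rule covers it
    ({"src": ["10.0.0.1", "10.0.0.2"], "proto": ["tcp"], "dport": [22]}, "accept"),
    ({"src": ["10.0.0.5"], "proto": ["tcp"], "dport": [80]}, "accept"),              # must stay: a drop intervenes
    ({"proto": ["tcp"], "dport": [80]}, "drop"),
    ({"src": ["10.0.0.5", "10.0.0.6"], "proto": ["tcp"], "dport": [80]}, "accept"),  # .5 is a duplicate, .6 is shadowed by the drop
    ({"src": ["10.0.0.3"], "proto": ["icmp"], "dport": [8]}, "drop"),                # dport discarded: not tcp/udp
    ({"src": ["10.0.0.3"], "proto": ["icmp"]}, "accept"),                            # shadowed by the icmp drop
]


def compile_program(program=PROGRAM) -> tuple:
    rules = [r for spec, action in program for r in emit(spec, action)]
    return peephole(rules)


if __name__ == "__main__":
    kept, warnings = compile_program()
    for r in kept:
        print(r)
    for w in warnings:
        print("warning:", w)
```

The third rule is the interesting one: it is covered by a later accept for the same source, yet it cannot be dropped, because the drop for all tcp/80 sits in between and would take the packet first.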
##factorisation
common actions
E1 A; E2 A; = ( E1 | E2 ) A
sibling items under one specifier
S { I1 I2 } = ( P(S I1) | P(S I2) )
chains/braces
{ E } = ( E )
specifier lists
S1 I1 S2 I2 = ( P(S1I1) & P(S2I2) )
negations
! {E} = ! ( E )
! S = ! P(S)
S { ! I } = ! P(SI)
S { ! I1 I2 } = ( !P(SI1) & P(SI2) )
associativity
( E1 o E2 ) o E3 = E1 o ( E2 o E3 )
commutativity
E1 o E2 = E2 o E1
(o stands for either | or &)
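An added example that carries the factorisation rules above through as a rewrite to disjunctive normal form and checks the result against direct evaluation on constructed packets. It is not the author's code: the tuple encoding of expressions, the names spec/seq/alt/not_/expand/evaluate, and the generalisation of S { ! I1 I2 } to several positive items (every negated item is conjoined with each positive alternative) are assumptions. Each term the expansion produces is one conjunction of P(S I) atoms, i.e. one row of the assembler-like rule list.

```python
from itertools import product

# Expression forms (assumed encoding, not from the notes):
#   ("spec", S, ["I1", "!I2", ...])   S { I1 ! I2 }   a leading "!" negates that item
#   ("seq", [E1, E2, ...])            specifier list   S1 I1 S2 I2
#   ("alt", [E1, E2, ...])            alternatives     ( E1 | E2 ), what common actions factor into
#   ("not", E)                        ! { E }
# An atom is (S, positive, value); a term is a tuple of atoms (a conjunction);
# the expansion of an expression is a list of terms (a disjunction of conjunctions).


def spec(S, items): return ("spec", S, list(items))
def seq(*es): return ("seq", list(es))
def alt(*es): return ("alt", list(es))
def not_(e): return ("not", e)


def expand(e):
    """Rewrite e into disjunctive normal form using the identities from the notes."""
    kind = e[0]
    if kind == "spec":
        _, S, items = e
        negs = tuple((S, False, i[1:]) for i in items if i.startswith("!"))
        pos = [(S, True, i) for i in items if not i.startswith("!")]
        # S { I1 I2 } = P(S I1) | P(S I2);  S { ! I1 I2 } = !P(S I1) & P(S I2)
        # (generalised: every negated item is conjoined with each positive alternative)
        return [negs + (p,) for p in pos] if pos else [negs]
    if kind == "seq":   # S1 I1 S2 I2 = P(S1 I1) & P(S2 I2): cross product of the term lists
        terms = [()]
        for sub in e[1]:
            terms = [t + u for t, u in product(terms, expand(sub))]
        return terms
    if kind == "alt":   # E1 A; E2 A; = ( E1 | E2 ) A: concatenate the term lists
        return [t for sub in e[1] for t in expand(sub)]
    if kind == "not":   # ! ( t1 | t2 ) = !t1 & !t2, and !t is the disjunction of t's negated atoms
        terms = [()]
        for t in expand(e[1]):
            terms = [u + ((S, not p, v),) for u, (S, p, v) in product(terms, t)]
        return terms
    raise ValueError(kind)


def holds(term, packet):
    """Every atom of one conjunction is satisfied by the packet."""
    return all((packet.get(S) == v) == p for S, p, v in term)


def matches(terms, packet):
    """Some term of the disjunction holds."""
    return any(holds(t, packet) for t in terms)


def evaluate(e, packet):
    """Direct semantics of the expression, used to check the expansion against."""
    kind = e[0]
    if kind == "spec":
        _, S, items = e
        negs = [i[1:] for i in items if i.startswith("!")]
        pos = [i for i in items if not i.startswith("!")]
        v = packet.get(S)
        return all(v != n for n in negs) and (not pos or v in pos)
    if kind == "seq":
        return all(evaluate(s, packet) for s in e[1])
    if kind == "alt":
        return any(evaluate(s, packet) for s in e[1])
    return not evaluate(e[1], packet)


# The notes' own example, read as  a { b c d } e { f g } x;  h { f g } z;  i { b c } y;
RULE_X = seq(spec("a", ["b", "c", "d"]), spec("e", ["f", "g"]))
RULE_Z = spec("h", ["f", "g"])
RULE_Y = spec("i", ["b", "c"])
NEGATED = seq(spec("a", ["!b", "c", "d"]), not_(spec("e", ["f", "g"])))

# Constructed packets as field -> value dicts; a missing field matches no positive item.
PACKETS = [
    {"a": "b", "e": "f"}, {"a": "c", "e": "g"}, {"a": "d", "e": "x"},
    {"a": "b", "e": "z"}, {"h": "f"}, {"i": "c", "a": "c"}, {},
]


def check(e):
    """Expansion and direct evaluation agree on every constructed packet."""
    return all(matches(expand(e), p) == evaluate(e, p) for p in PACKETS)


if __name__ == "__main__":
    for name, e in [("x", RULE_X), ("z", RULE_Z), ("y", RULE_Y), ("negated", NEGATED)]:
        print(name, len(expand(e)), "terms, consistent:", check(e))
```

The number of terms is the number of rows the rule list needs: three sources times two destinations gives six rows for the first rule, and negating a whole braced group produces a single row of negated atoms rather than one row per item.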