It's icky, because of the packet and byte counters on each rule.
Since my firewall chains allow more than one rule to match
(i.e. accounting rules) you can't simply cache the final policy unless
it was the default and no rules were matched. This is not likely to
be the common case.
If we're allowed to play fast and loose with the counters, then this
is very possible.
I'll play with it and try to figure out what the best implementation
of ip_chain_scope is (I'm assuming it returns a bitset like
#define IP_FW_REQUIRE_SRC_PORT_MATCH 0x01
#define IP_FW_REQUIRE_DST_PORT_MATCH 0x02
#define IP_FW_REQUIRE_PROTO_MATCH 0x04
#define IP_FW_REQUIRE_SRC_IP_MATCH 0x08
#define IP_FW_REQUIRE_DST_IP_MATCH 0x10
...etc.
or -1 if you're not allowed to cache...).
I'll try to throw it together by the weekend.
Rusty.
-- .sig lost in the mail.
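The scheme sketched above, written out as an added illustration (this is not Rusty's code and not the ipchains implementation; the rule and chain structs, the VERDICT_* values and the hit_mask replay are assumptions made for the example). The IP_FW_REQUIRE_* bits are the ones quoted in the message. A chain walk records which fields every examined rule tested (the "scope") and which rules matched; a cache entry keyed only on the in-scope fields can then return the verdict without re-walking the chain, and replaying the recorded match mask keeps the per-rule packet and byte counters exact, which is the part the message calls icky.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Scope bits as quoted in the message. */
#define IP_FW_REQUIRE_SRC_PORT_MATCH 0x01
#define IP_FW_REQUIRE_DST_PORT_MATCH 0x02
#define IP_FW_REQUIRE_PROTO_MATCH    0x04
#define IP_FW_REQUIRE_SRC_IP_MATCH   0x08
#define IP_FW_REQUIRE_DST_IP_MATCH   0x10

struct pkt { uint32_t saddr, daddr; uint16_t sport, dport; uint8_t proto; };

/* Hypothetical rule layout: CONTINUE is an accounting-only rule that matches but does not decide. */
enum { VERDICT_CONTINUE = 0, VERDICT_ACCEPT, VERDICT_DENY };
struct rule { int scope; struct pkt want; int verdict; uint64_t packets, bytes; };

#define MAX_RULES 8
struct cache_entry { int valid; int scope; struct pkt key; int verdict; uint32_t hit_mask; };
struct chain {
    struct rule r[MAX_RULES]; int n; int policy;
    struct cache_entry cache;   /* one entry is enough to show the idea */
    unsigned cache_hits;
};

/* Compare only the fields selected by scope; everything else is "don't care". */
static int fields_equal(int scope, const struct pkt *a, const struct pkt *b) {
    if ((scope & IP_FW_REQUIRE_SRC_PORT_MATCH) && a->sport != b->sport) return 0;
    if ((scope & IP_FW_REQUIRE_DST_PORT_MATCH) && a->dport != b->dport) return 0;
    if ((scope & IP_FW_REQUIRE_PROTO_MATCH)    && a->proto != b->proto) return 0;
    if ((scope & IP_FW_REQUIRE_SRC_IP_MATCH)   && a->saddr != b->saddr) return 0;
    if ((scope & IP_FW_REQUIRE_DST_IP_MATCH)   && a->daddr != b->daddr) return 0;
    return 1;
}

/* Bump counters of every rule whose bit is set in hit_mask. */
static void bump(struct chain *c, uint32_t hit_mask, size_t len) {
    for (int i = 0; i < c->n; i++)
        if (hit_mask & (1u << i)) { c->r[i].packets++; c->r[i].bytes += len; }
}

/* Slow path. The scope is the union of the scopes of every rule examined up to the
   terminating one: any packet equal in those fields takes the identical path. */
static int chain_walk(struct chain *c, const struct pkt *p, int *scope_out, uint32_t *hits_out) {
    int scope = 0, verdict = c->policy; uint32_t hits = 0;
    for (int i = 0; i < c->n; i++) {
        scope |= c->r[i].scope;
        if (fields_equal(c->r[i].scope, &c->r[i].want, p)) {
            hits |= 1u << i;
            if (c->r[i].verdict != VERDICT_CONTINUE) { verdict = c->r[i].verdict; break; }
        }
    }
    *scope_out = scope; *hits_out = hits;
    return verdict;
}

/* Fast path: a hit on the in-scope fields replays the recorded hit_mask, so
   accounting rules stay exact without re-walking the chain. */
int fw_lookup(struct chain *c, const struct pkt *p, size_t len) {
    struct cache_entry *e = &c->cache;
    if (e->valid && fields_equal(e->scope, &e->key, p)) {
        c->cache_hits++; bump(c, e->hit_mask, len); return e->verdict;
    }
    int scope; uint32_t hits;
    int verdict = chain_walk(c, p, &scope, &hits);
    bump(c, hits, len);
    e->valid = 1; e->scope = scope; e->key = *p; e->verdict = verdict; e->hit_mask = hits;
    return verdict;
}

/* Constructed chain: rule 0 accounts traffic from 10.0.0.1 (continue),
   rule 1 denies TCP to port 23, default policy accept. */
static struct chain g_demo;
void build_demo_chain(struct chain *c) {
    memset(c, 0, sizeof *c);
    c->policy = VERDICT_ACCEPT;
    c->r[0].scope = IP_FW_REQUIRE_SRC_IP_MATCH; c->r[0].want.saddr = 0x0a000001u;
    c->r[0].verdict = VERDICT_CONTINUE;
    c->r[1].scope = IP_FW_REQUIRE_PROTO_MATCH | IP_FW_REQUIRE_DST_PORT_MATCH;
    c->r[1].want.proto = 6; c->r[1].want.dport = 23; c->r[1].verdict = VERDICT_DENY;
    c->n = 2;
}

/* Three constructed packets; returns cache hits, or -1 if a verdict is wrong. */
int run_demo(void) {
    build_demo_chain(&g_demo);
    struct pkt telnet = { 0x0a000001u, 0x0a000002u, 40000, 23, 6 };
    if (fw_lookup(&g_demo, &telnet, 60) != VERDICT_DENY) return -1;   /* walk, fills cache */
    telnet.daddr = 0x0a000003u;                                        /* daddr is out of scope */
    if (fw_lookup(&g_demo, &telnet, 40) != VERDICT_DENY) return -1;   /* cache hit, counters replayed */
    struct pkt web = telnet; web.dport = 80;
    if (fw_lookup(&g_demo, &web, 500) != VERDICT_ACCEPT) return -1;   /* miss: dport is in scope */
    return (int)g_demo.cache_hits;
}
uint64_t demo_rule_packets(int i) { return g_demo.r[i].packets; }
uint64_t demo_rule_bytes(int i)   { return g_demo.r[i].bytes; }
```

Note that a rule whose scope bits are unknown (anything the bitset cannot express) would have to make the walk return the "-1, not cacheable" answer from the message; this toy only models rules whose fields are fully described by the bitset.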