Subject: [ANNOUNCE] NF-HIPAC: High Performance Packet Classification for Netfilter
Date: Thu, 26 Sep 2002 00:41:56 +0200


nf-hipac aims to become a drop-in replacement for the iptables packet 
filtering module. It implements a novel framework for packet classification 
which uses an advanced algorithm to reduce the number of memory lookups per 
packet. The module is ideal for environments where large rulesets and/or
high bandwidth networks are involved.

The algorithm code is designed in a way that it can be verified in userspace, 
so the algorithm code itself can be considered correct. We are not able to 
really verify the remaining files nfhp_mod.[ch] and the userspace tool 
(nf-hipac.[ch]), but they are tested in depth and shouldn't contain any 
critical bugs.

We have the results of some basic performance tests available on our web page. 
The test compares the performance of the iptables filter table to the 
performance of nf-hipac. Results are pretty impressive :-)

You can find the performance test results on our web page
The releases can be downloaded from

    - optimized for high performance packet classification
      with moderate memory usage
    - completely dynamic:
        data structure isn't rebuilt from scratch when inserting or
        deleting rules, so fast updates are possible
    - userspace tool syntax is very similar to the iptables syntax
    - kernel does not need to be patched
    - compatible with iptables: you can use iptables and nf-hipac at
      the same time:
        for example you could use the connection tracking module from
        iptables and match the states with nf-hipac
    - match support for:
        + source/destination ip
        + in/out interface
        + protocol (udp, tcp, icmp)
        + source/destination ports (udp, tcp)
        + icmp type
        + tcp flags
        + ttl
        + state match (conntrack module must be loaded)
    - /proc/net/nf-hipac:
        + algorithm statistics available via
            # cat /proc/net/nf-hipac
        + allows dynamically limiting the maximum memory usage
            # echo   >  /proc/net/nf-hipac


|   Michael Bellion     |     Thomas Heinz     |


Thread overview: 15+ messages
2002-09-25 22:41 nf [this message]
2002-09-25 22:52 ` [ANNOUNCE] NF-HIPAC: High Performance Packet Classification for Netfilter David S. Miller
2002-09-26  0:10   ` Rik van Riel
2002-09-26  0:25     ` David S. Miller
2002-09-26  0:38   ` nf
2002-09-26  0:37     ` David S. Miller
2002-09-26  1:44       ` nf
2002-09-26  3:30         ` David S. Miller
2002-09-26  5:19   ` Rusty Russell
2002-09-26  5:40     ` David S. Miller
2002-09-26 15:27       ` James Morris
2002-09-26 20:52         ` David S. Miller
2002-09-27  3:00           ` Michael Richardson
2002-09-27 14:12           ` jamal
2002-09-28  1:30             ` David S. Miller
