From: Michael Bellion and Thomas Heinz <nf@hipac.org>
To: linux-kernel@vger.kernel.org, netdev@oss.sgi.com
Subject: [ANNOUNCE] nf-hipac v0.8 released
Date: Wed, 25 Jun 2003 22:48:44 +0200
Message-ID: <200306252248.44224.nf@hipac.org>

Hi

We have released a new version of nf-hipac. We rewrote most of the code
and added a bunch of new features. The main enhancements are
user-defined chains, generic support for iptables targets and matches
and 64 bit atomic counters.

For all of you who don't know nf-hipac yet, here is a short overview:
nf-hipac is a drop-in replacement for the iptables packet filtering module.
It implements a novel framework for packet classification which uses an
advanced algorithm to reduce the number of memory lookups per packet.
The module is ideal for environments where large rulesets and/or high
bandwidth networks are involved. Its userspace tool, which is also called
'nf-hipac', is designed to be as compatible as possible to 'iptables -t
filter'.

The official project web page is: http://www.hipac.org
The releases can be downloaded from: http://sourceforge.net/projects/nf-hipac

Features:
 - optimized for high performance packet classification with moderate
   memory usage
 - completely dynamic: data structure isn't rebuilt from scratch when
   inserting or deleting rules, so fast updates are possible
 - very short locking times during rule updates: packet matching is
   not blocked
 - support for 64 bit architectures
 - optimized kernel-user protocol (netlink): improved rule listing
   speed
 - libnfhipac: netlink library for kernel-user communication
 - native match support for:
     + source/destination ip
     + in/out interface
     + protocol (udp, tcp, icmp)
     + fragments
     + source/destination ports (udp, tcp)
     + tcp flags
     + icmp type
     + connection state
     + ttl
 - match negation (!)
 - iptables compatibility: syntax and semantics of the userspace tool
   are very similar to iptables
 - coexistence of nf-hipac and iptables: both facilities can be used
   at the same time
 - generic support for iptables targets and matches (binary
   compatibility)
 - integration into the netfilter connection tracking facility
 - user-defined chains support
 - 64 bit atomic counters
 - kernel module autoloading
 - /proc/net/nf-hipac/info:
     + dynamically limit the maximum memory usage
     + change invocation order of nf-hipac and iptables
 - extended statistics via /proc/net/nf-hipac/statistics/*

We are currently working on extending the hipac algorithm to do classification
with several stages. The hipac algorithm will then be capable of combining
several classification problems in one data structure, e.g. it will be
possible to solve routing and firewalling with one hipac lookup. The idea is
to shorten the packet forwarding path by combining fib_lookup and iptables
filter lookup into one hipac query. To further improve the performance in
this scenario the upcoming flow cache could be used to cache recent hipac
results.

Enjoy,

+-----------------------+----------------------+
| Michael Bellion | Thomas Heinz |
| <mbellion@hipac.org> | <creatix@hipac.org> |
+-----------------------+----------------------+