[ANNOUNCE] Release of nf-HiPAC 0.9.0
Bart De Schuymer
bdschuym at pandora.be
Sun Oct 2 13:20:40 CEST 2005
On Wed, 28-09-2005 at 15:05 +0100, Amin Azez wrote:
> This auto-factorization of rules seems cool.
>
> > Dynamic rule sets:
> > nf-HiPAC offers fast dynamic rule set updates without stalling packet
> > classification, in contrast to iptables, which yields bad update performance
> > along with stalled packet processing during updates.
>
> Does it also remove the "upload rules in bulk" issue of iptables and
> make use of linked lists (or trees) to upload small changes singly? I
> recall someone released a re-write a while ago that took care of this,
> but this seems to do rule-factoring too to reduce the number of check
> operations.
>
> Speaking under fear of blasphemy I'm wondering what stops this becoming
> iptables proper? (ipv4 anyway)? OK, it would want linking to
> nf_conntrack instead of ip_conntrack and a v6 version doing type stuff,
> but it seems the biz.
http://www.hipac.org/documentation/user_guide.html states some
incompatibilities with iptables.
What has always kept me from looking at it closely is that there is no
documentation about the implementation. I'm especially interested in how
the code deals with matches. The reason why counters aren't supported
interests me too, I can't see why adding 1 to a 64-bit integer would
result in a noticeable performance drop.
Also, is it not possible to make a B+ tree with the standard iptables? I
don't see why it shouldn't be possible. The jump to a new chain can be
seen as going deeper into the B+ tree. So it should be possible to
construct an iptables table structure that looks very similar to the B+
tree of nf-hipac, for some given rule set. I guess this will be somewhat
slower than nf-hipac, but I'd like to see the performance difference...
cheers,
Bart
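As an added illustration of the idea Bart raises (not code from the mail, from nf-HiPAC, or from the netfilter project), the script below builds a two-level chain tree with plain iptables semantics: the base chain only jumps on the first destination octet, and each sub-chain holds, in original order, every rule whose destination prefix can intersect that /8. Rules with a prefix shorter than /8 are copied into every sub-chain they intersect and also kept in the base chain after the jumps, so a packet that falls in no bucket still sees them. The rule set, packets and chain names are constructed for the example; a full B+ tree would key on more bits per level and on more fields than destination address, and the example only handles terminating targets (ACCEPT, DROP, REJECT), since a non-terminating target such as LOG would fire twice when a packet returns from a sub-chain and is re-tested against a wide rule in the base chain.

```python
import ipaddress

# Constructed sample rule set (first-match order, as in an iptables chain):
# (destination CIDR, protocol or None, destination port or None, target).
SAMPLE_RULES = [
    ("10.0.0.0/24",    "tcp", 22,   "ACCEPT"),
    ("10.0.1.0/24",    "tcp", 80,   "ACCEPT"),
    ("10.0.0.0/8",     None,  None, "DROP"),
    ("192.168.1.0/24", "udp", 53,   "ACCEPT"),
    ("192.168.0.0/16", None,  None, "DROP"),
    ("0.0.0.0/0",      "tcp", 443,  "ACCEPT"),
]

TERMINATING = {"ACCEPT", "DROP", "REJECT"}


def matches(rule, pkt):
    """Does one rule match a (dst_ip, proto, dport) packet?"""
    dst, proto, dport, _ = rule
    ip, pproto, pport = pkt
    return (ipaddress.ip_address(ip) in ipaddress.ip_network(dst)
            and (proto is None or proto == pproto)
            and (dport is None or dport == pport))


def build_tree(rules):
    """Partition rules by first destination octet. Returns (octets, buckets, wide).
    buckets[o] lists, in original order, every rule that can match o.0.0.0/8;
    wide lists rules with a prefix shorter than /8 (they go into every bucket
    they intersect and are also kept in the base chain for unbucketed traffic)."""
    for r in rules:
        if r[3] not in TERMINATING:
            raise ValueError("example handles terminating targets only: %r" % (r,))
    nets = [ipaddress.ip_network(r[0]) for r in rules]
    octets = sorted({n.network_address.packed[0] for n in nets if n.prefixlen >= 8})
    buckets = {o: [] for o in octets}
    wide = []
    for rule, net in zip(rules, nets):
        if net.prefixlen < 8:
            wide.append(rule)
        for o in octets:
            if net.overlaps(ipaddress.ip_network("%d.0.0.0/8" % o)):
                buckets[o].append(rule)
    return octets, buckets, wide


def rule_text(chain, rule):
    dst, proto, dport, target = rule
    parts = ["-A", chain, "-d", dst]
    if proto is not None:
        parts += ["-p", proto]
    if dport is not None:
        parts += ["--dport", str(dport)]
    return " ".join(parts + ["-j", target])


def render(tree, base_chain="FORWARD"):
    """Emit iptables-restore lines for the chain tree (chain names are hypothetical)."""
    octets, buckets, wide = tree
    lines = ["*filter"]
    lines += [":dst_%d - [0:0]" % o for o in octets]
    lines += ["-A %s -d %d.0.0.0/8 -j dst_%d" % (base_chain, o, o) for o in octets]
    lines += [rule_text(base_chain, r) for r in wide]      # reached only if no bucket matched
    for o in octets:
        lines += [rule_text("dst_%d" % o, r) for r in buckets[o]]
    lines.append("COMMIT")
    return lines


def classify_linear(rules, pkt):
    """Flat chain: returns (target or None for chain policy, number of rule tests)."""
    for i, r in enumerate(rules, 1):
        if matches(r, pkt):
            return r[3], i
    return None, len(rules)


def classify_tree(tree, pkt):
    """Same decision as classify_linear, but walking the chain tree."""
    octets, buckets, wide = tree
    tests = 0
    first_octet = ipaddress.ip_address(pkt[0]).packed[0]
    # The jump itself is one address test; the sub-chain then returns on no match.
    for r in buckets.get(first_octet, []):
        tests += 1
        if matches(r, pkt):
            return r[3], tests
    for r in wide:
        tests += 1
        if matches(r, pkt):
            return r[3], tests
    return None, tests


if __name__ == "__main__":
    tree = build_tree(SAMPLE_RULES)
    print("\n".join(render(tree)))
    for pkt in [("192.168.1.9", "udp", 53), ("8.8.8.8", "tcp", 443), ("192.168.5.5", "tcp", 443)]:
        print(pkt, "flat:", classify_linear(SAMPLE_RULES, pkt), "tree:", classify_tree(tree, pkt))
```

The decisions are identical to the flat chain on every packet because each sub-chain preserves the relative order of the rules it contains; the saving comes from skipping rules that cannot match the packet's /8, which is the same effect Bart describes for a chain jump as a step deeper into the tree. Comparing the `tests` counts the two classifiers return gives a rough idea of the gap he wants measured.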