[ANNOUNCE] Release of nf-HiPAC 0.9.0
mbellion at hipac.org
Sun Oct 2 14:30:13 CEST 2005
> > Speaking under fear of blasphemy I'm wondering what stops this becoming
> > iptables proper? (ipv4 anyway)? OK, it would want linking to
> > nf_conntrack instead of ip_conntrack and a v6 version doing type stuff,
> > but it seems the biz.
> http://www.hipac.org/documentation/user_guide.html states some
> incompatibilities with iptables.
Yes, currently there are some negligible differences. Most of them can be
worked around easily and will be fixed in future versions.
> What's always resisted me from looking to it closely is that there is no
> documentation about the implementation.
Yes, that is true and a big problem.
There are a lot of people that think that nf-HiPAC would rearrange the rules
in some user-defined chains. But that is completely wrong. nf-HiPAC uses a
completely different approach. The rules are translated into a very efficient
data structure that does not have anything to do with iptables'
representation of rules in tables and chains.
I really need to add some documentation about the algorithmic approach.
> The reason why counters aren't supported
> interests me too, I can't see why adding 1 to a 64-bit integer would
> result in a noticeable performance drop.
It does make a difference, because it means a write to an otherwise completely
But independent from that, the netfilter developers agree that it is a bad
approach to have counters enabled by default for each and every rule
(referring to last year's netfilter workshop). Future versions of iptables (or
successors of iptables) won't come with counters enabled by default on all
It is very easy to add support for counters to nf-HiPAC. Just write an
iptables match or target for it.
> Also, is it not possible to make a B+ tree with the standard iptables? I
> don't see why it shouldn't be possible. The jump to a new chain can be
> seen as going deeper into the B+ tree. So it should be possible to
> construct an iptables table structure that looks very similar to the B+
> tree of nf-hipac, for some given rule set. I guess this will be somewhat
> slower than nf-hipac, but I'd like to see the performance difference...
Sorry, but you seem to confuse some things.
nf-HiPAC is not based on B+ trees or any other kind of B-trees.
nf-HiPAC does not rearrange the rules in some custom user-defined chains in
order to achieve better performance.
Instead nf-HiPAC translates the iptables representation of tables and chains
into a completely different data structure that is much more efficient.
And, trust me, the lookup data structure used in nf-HiPAC will be much faster
than anything you can construct based on iptables and user-defined chains.