High Performance Packet Classification for Netfilter

From:  nf@hipac.org
To:  netfilter-devel@lists.netfilter.org, netfilter@lists.netfilter.org
Subject:  [NF-HIPAC RELEASE] High Performance Packet Classification for Netfilter
Date:  Sat, 24 Aug 2002 22:31:14 +0200

Hi,

nf-hipac aims to become a drop-in replacement for the iptables
packet filtering module. It implements a novel framework for
packet classification which uses an advanced algorithm to
reduce the number of memory lookups per packet.
The module is ideal for environments where large rulesets and/or
high bandwidth networks are involved.

The project started in August 2001, but this is the first public release
of nf-hipac. The algorithm code itself is designed in a way that it can be
verified in userspace, so the algorithm code can be considered correct.
The remaining files nfhp_mod.[ch] and the userspace tool (nf-hipac.[ch]) are
not tested in depth and might contain bugs.

More information about the project can soon be found at http://www.hipac.org
The releases will be published on http://sourceforge.net/projects/nf-hipac/

We'd love to get some feedback from you. What do you think about
the tool, in which scenario are you using nf-hipac, what is missing,
what should be improved? Please send your e-mail to <nf@hipac.org>.

Features:
    - optimized for high performance packet classification
      with moderate memory usage
    - completely dynamic:
        data structure isn't rebuilt from scratch when inserting or
        deleting rules, so fast updates are possible
    - userspace tool syntax is very similar to the iptables syntax
    - kernel does not need to be patched
    - compatible with iptables: you can use iptables and nf-hipac at
      the same time:
        for example you could use the connection tracking module from
        iptables and match the states with nf-hipac
    - match support for:
        + source/destination ip
        + in/out interface
        + protocol (udp, tcp, icmp)
        + source/destination ports (udp, tcp)
        + icmp type
        + tcp flags
        + ttl
        + state match (conntrack module must be loaded)

You can download the release from: 
http://sourceforge.net/project/showfiles.php?group_id=59021

Enjoy,

+-----------------------+----------------------+
|   Michael Bellion     |     Thomas Heinz     |
| <mbellion@hipac.org>  |  <creatix@hipac.org> |
+-----------------------+----------------------+

