Hi

Version 0.1 of nf-hipac is out. Here is a short summary of the improvements:

 - support for all kernel architectures, especially 64 bit architectures
 - dynamically change the invocation order of iptables and nf-hipac via
   /proc/net/nf-hipac without losing your rules
 - support for negation (!) in matches
 - autoloading of the kernel module nf_hipac.o
 - install and uninstall target added to Makefile
 - all outstanding bugs are fixed in this release

The official project web page is:
http://www.hipac.org

The releases can be downloaded from:
http://sourceforge.net/projects/nf-hipac/

For all of you who don't know nf-hipac yet, here is a short overview:

nf-hipac is a very efficient packet filter implemented on top of the
netfilter framework which is included in the linux 2.4 kernel. Its
userspace tool, which is also called 'nf-hipac', is designed to be as
compatible as possible with 'iptables -t filter', although it still lacks
some of its features. For details see the Mini-HowTo
(http://www.hipac.org/documentation/howto.htm).

'nf-hipac' uses the same hooks inside the linux 2.4 kernel's network stack
as 'iptables -t filter' does. The userspace tool is used to define a set of
rules where each rule consists of a number of classifiers (matches) and one
connected action (target). One advantage of the compatibility with iptables
is that users are able to use the full power of stateful packet filtering
(connection tracking) besides the usual stateless matches.
Features:
 - optimized for high performance packet classification with moderate
   memory usage
 - completely dynamic: the data structure isn't rebuilt from scratch when
   inserting or deleting rules, so fast updates are possible
 - userspace tool syntax is very similar to the iptables syntax
 - kernel does not need to be patched
 - support for 64 bit architectures: nf-hipac should now work on all
   architectures supported by the linux kernel
 - compatible with iptables: you can use iptables and nf-hipac at the same
   time: for example you could use the connection tracking module from
   iptables and match the states with nf-hipac
 - match support for:
   + source/destination ip
   + in/out interface
   + protocol (udp, tcp, icmp)
   + source/destination ports (udp, tcp)
   + icmp type
   + tcp flags
   + ttl
   + state match (ip_conntrack module must be loaded manually)
 - match negation (!)
 - autoloading of the kernel module nf_hipac.o
 - /proc/net/nf-hipac:
   + algorithm statistics available via
       # cat /proc/net/nf-hipac
   + allows you to dynamically limit the maximum memory usage
       # echo <size in MB> > /proc/net/nf-hipac
 - nf-hipac invoked before iptables:
       # echo nfhp_first > /proc/net/nf-hipac
 - iptables invoked before nf-hipac:
       # echo ipt_first > /proc/net/nf-hipac

Enjoy,

+-----------------------+----------------------+
| Michael Bellion       | Thomas Heinz         |
| <mbellion@hipac.org>  | <creatix@hipac.org>  |
+-----------------------+----------------------+
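Since 0.1 mirrors 'iptables -t filter' but only implements the match list above, an admin migrating an existing filter ruleset wants to know which rules carry over before replacing them. The checker below is an added example, not part of the announcement or the nf-hipac project; it takes 'iptables -A ...' rule strings, flags any match module, option or protocol outside the 0.1 list, and notes rules that need ip_conntrack loaded. The iptables option spellings mapped to each match are an assumption, and the sample rules are constructed.

```python
import shlex

# Matches nf-hipac 0.1 supports, per the release notes; the iptables option
# spellings for them are assumed here (iptables -t filter syntax).
SUPPORTED_OPTS = {
    "-A", "--append", "-j", "--jump",                             # rule framing
    "-s", "--source", "-d", "--destination",                      # src/dst ip
    "-i", "--in-interface", "-o", "--out-interface",              # in/out iface
    "-p", "--protocol",                                           # protocol
    "--sport", "--source-port", "--dport", "--destination-port",  # ports
    "--icmp-type", "--tcp-flags", "--ttl", "--ttl-eq",            # icmp/flags/ttl
    "--state",                                                    # state match
}
SUPPORTED_MODULES = {"tcp", "udp", "icmp", "ttl", "state"}
SUPPORTED_PROTOS = {"tcp", "udp", "icmp"}

def check_rule(rule):
    """Return (problems, needs_conntrack) for one 'iptables -A ...' rule string.
    problems is empty when every match is in the 0.1 list; '!' is accepted
    anywhere because 0.1 supports match negation."""
    problems, needs_conntrack = [], False
    toks, i = shlex.split(rule), 0
    while i < len(toks):
        tok = toks[i]
        if tok == "!":                               # negation: supported, skip
            i += 1
            continue
        if tok == "-m":                              # explicit match module
            mod = toks[i + 1] if i + 1 < len(toks) else ""
            if mod not in SUPPORTED_MODULES:
                problems.append(f"match module '{mod}' not supported")
            needs_conntrack |= (mod == "state")      # ip_conntrack must be loaded
            i += 2
            continue
        if tok in ("-p", "--protocol"):              # only udp, tcp, icmp
            proto = toks[i + 1] if i + 1 < len(toks) else ""
            if proto.lower() not in SUPPORTED_PROTOS:
                problems.append(f"protocol '{proto}' not supported")
            i += 2
            continue
        if tok.startswith("-") and tok not in SUPPORTED_OPTS:
            problems.append(f"option '{tok}' not supported")
        i += 1                                       # values (ips, ports, chains) pass
    return problems, needs_conntrack

def report(rules):
    """Check every rule; returns [(rule, problems, needs_conntrack), ...]."""
    return [(r, *check_rule(r)) for r in rules]

# Constructed sample ruleset: two portable rules, three that 0.1 cannot express.
SAMPLE_RULES = [
    "-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT",
    "-A INPUT ! -s 10.0.0.0/8 -p icmp --icmp-type echo-request -j DROP",
    "-A INPUT -p tcp --tcp-flags SYN,ACK SYN -m limit --limit 5/s -j ACCEPT",
    "-A FORWARD -m mac --mac-source 00:11:22:33:44:55 -j DROP",
    "-A INPUT -p gre -j ACCEPT",
]

if __name__ == "__main__":
    for rule, problems, conntrack in report(SAMPLE_RULES):
        status = "OK" if not problems else "KEEP IN IPTABLES: " + "; ".join(problems)
        print(f"{rule}\n    -> {status}{' (needs ip_conntrack)' if conntrack else ''}")
```

Rules the checker rejects stay in iptables, which 0.1 can run alongside nf-hipac in either order via /proc/net/nf-hipac.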