This auto-factorization of rules seems cool.

> Dynamic rule sets:
> nf-HiPAC offers fast dynamic ruleset updates without stalling packet
> classification in contrast to iptables which yields bad update performance
> along with stalled packet processing during updates.

Does it also remove the "upload rules in bulk" issue of iptables and make use of linked lists (or trees) to upload small changes singly? I recall someone released a re-write a while ago that took care of this, but this seems to do rule-factoring too to reduce the number of check operations.

Speaking under fear of blasphemy, I'm wondering what stops this becoming iptables proper? (ipv4 anyway) OK, it would want linking to nf_conntrack instead of ip_conntrack and a v6 version doing type stuff, but it seems the biz.

Azez