Re: [ANNOUNCE] Release of nf-HiPAC 0.9.0

Hi

> > Speaking under fear of blasphemy I'm wondering what stops this becoming
> > iptables proper? (ipv4 anyway)?  OK, it would want linking to
> > nf_conntrack instead of ip_conntrack and a v6 version doing type stuff,
> > but it seems the biz.
>
> http://www.hipac.org/documentation/user_guide.html states some
> incompatibilities with iptables.

Yes, currently there are some negligible differences. Most of them can be 
worked around easily and will be fixed in future versions.

> What's always resisted me from looking to it closely is that there is no
> documentation about the implementation. 

Yes, that is true and a big problem.
There are a lot of people who think that nf-HiPAC would rearrange the rules 
in some user-defined chains. But that is completely wrong. nf-HiPAC uses a 
completely different approach. The rules are translated into a very efficient 
data structure that does not have anything to do with iptables' 
representation of rules in tables and chains.
I really need to add some documentation about the algorithmic approach. 

> The reason why counters aren't supported
> interests me too, I can't see why adding 1 to a 64-bit integer would
> result in a noticeable performance drop.

It does make a difference, because it means a write to an otherwise completely 
read-only ruleset. 
But independent of that, the netfilter developers agree that it is a bad 
approach to have counters enabled by default for each and every rule 
(referring to last year's netfilter workshop). Future versions of iptables (or 
successors of iptables) won't come with counters enabled by default on all 
rules.

It is very easy to add support for counters to nf-HiPAC. Just write an 
iptables match or target for it.

> Also, is it not possible to make a B+ tree with the standard iptables? I
> don't see why it shouldn't be possible. The jump to a new chain can be
> seen as going deeper into the B+ tree. So it should be possible to
> construct an iptables table structure that looks very similar to the B+
> tree of nf-hipac, for some given rule set. I guess this will be somewhat
> slower than nf-hipac, but I'd like to see the performance difference...

Sorry, but you seem to confuse some things.
nf-HiPAC is not based on B+ trees or any other kind of B-trees. 
nf-HiPAC does not rearrange the rules in some custom user-defined chains in 
order to achieve better performance.
Instead nf-HiPAC translates the iptables representation of tables and chains 
into a completely different data structure that is much more efficient.

And, trust me, the lookup data structure used in nf-HiPAC will be much faster 
than anything you can construct based on iptables and user-defined chains.

Regards
	Michael Bellion
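The point about counters above (a per-packet write into what is otherwise a read-only ruleset) can be made concrete with a small added example. The code below is not from the nf-HiPAC project or from anyone in this thread; it is a constructed, iptables-style first-match chain walk over a toy ruleset, once with the rule table left read-only and once with a per-rule hit counter bumped on every lookup. The rule set, the four sample packets and all function names are constructed for the illustration.

```c
/* Added example, not nf-HiPAC code: a linear first-match lookup (like an
 * iptables chain walk) with an optional per-rule packet counter. All rules,
 * packets and names below are constructed for the illustration. */
#define _POSIX_C_SOURCE 200809L
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#define NRULES 4

struct rule {
    uint32_t dst_net;   /* destination network, host byte order */
    uint32_t dst_mask;  /* netmask, host byte order */
    uint16_t dport;     /* destination port, 0 = any */
    int verdict;        /* 1 = accept, 0 = drop */
};

/* Constructed ruleset: 10.0.1.0/24 tcp/22 accept, 10.0.1.0/24 drop,
 * 10.0.0.0/8 accept, catch-all drop. The table itself is never written. */
static const struct rule ruleset[NRULES] = {
    { 0x0A000100u, 0xFFFFFF00u, 22, 1 },
    { 0x0A000100u, 0xFFFFFF00u,  0, 0 },
    { 0x0A000000u, 0xFF000000u,  0, 1 },
    { 0x00000000u, 0x00000000u,  0, 0 },
};

/* Per-rule hit counters: the only state a counted lookup has to write. An
 * atomic is used because a real firewall path updates these from several
 * CPUs at once, which is exactly what makes the write expensive. */
static atomic_uint_fast64_t hits[NRULES];

/* Constructed sample traffic; each packet lands on a different rule. */
struct pkt { uint32_t dst; uint16_t dport; };
static const struct pkt samples[4] = {
    { 0x0A000105u,  22 },  /* 10.0.1.5:22   -> rule 0 */
    { 0x0A000105u,  80 },  /* 10.0.1.5:80   -> rule 1 */
    { 0x0A020304u,  80 },  /* 10.2.3.4:80   -> rule 2 */
    { 0xC0A80101u, 443 },  /* 192.168.1.1   -> rule 3 */
};

/* Read-only lookup: returns the index of the first matching rule. */
int lookup(uint32_t dst, uint16_t dport)
{
    for (int i = 0; i < NRULES; i++) {
        const struct rule *r = &ruleset[i];
        if ((dst & r->dst_mask) == r->dst_net &&
            (r->dport == 0 || r->dport == dport))
            return i;
    }
    return NRULES - 1;  /* not reached: the last rule is a catch-all */
}

/* Counted lookup: identical match, plus one write per packet. */
int lookup_counted(uint32_t dst, uint16_t dport)
{
    int i = lookup(dst, dport);
    atomic_fetch_add_explicit(&hits[i], 1, memory_order_relaxed);
    return i;
}

void reset_hits(void)
{
    for (int i = 0; i < NRULES; i++)
        atomic_store(&hits[i], 0);
}

uint64_t hit_count(int i)
{
    return (uint64_t)atomic_load(&hits[i]);
}

/* Classify npkts packets cycling through the samples; returns the number of
 * packets processed. `counted` selects the counting variant. */
long run_batch(int counted, long npkts)
{
    long done = 0;
    for (long k = 0; k < npkts; k++) {
        const struct pkt *p = &samples[k % 4];
        int idx = counted ? lookup_counted(p->dst, p->dport)
                          : lookup(p->dst, p->dport);
        done += ruleset[idx].verdict >= 0;  /* always true; keeps the call live */
    }
    return done;
}

static double ns_per_pkt(int counted, long npkts)
{
    struct timespec a, b;
    clock_gettime(CLOCK_MONOTONIC, &a);
    run_batch(counted, npkts);
    clock_gettime(CLOCK_MONOTONIC, &b);
    return ((b.tv_sec - a.tv_sec) * 1e9 + (b.tv_nsec - a.tv_nsec)) / (double)npkts;
}

int main(void)
{
    const long n = 4000000;
    printf("read-only lookup: %.2f ns/packet\n", ns_per_pkt(0, n));
    reset_hits();
    printf("counted lookup:   %.2f ns/packet\n", ns_per_pkt(1, n));
    for (int i = 0; i < NRULES; i++)
        printf("rule %d hits: %llu\n", i, (unsigned long long)hit_count(i));
    return 0;
}
```

The single-threaded timing only shows the extra instruction; the cost the mail is talking about appears once several CPUs classify packets through the same table, because every counted lookup then dirties a cache line that would otherwise stay shared and read-only across all of them.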
