Re: [ANNOUNCE] nf-hipac v0.8 released

To: Pekka Savola <pekkas@xxxxxxxxxx>
Subject: Re: [ANNOUNCE] nf-hipac v0.8 released
From: Michael Bellion and Thomas Heinz <nf@xxxxxxxxx>
Date: Sat, 28 Jun 2003 22:04:42 +0200
Cc: linux-kernel@xxxxxxxxxxxxxxx, netdev@xxxxxxxxxxx
References: <Pine.LNX.4.44.0306270900260.3068-100000@xxxxxxxxxx>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux i686; de-AT; rv:1.0.0) Gecko/20020623 Debian/1.0.0-0.woody.1

Hi Pekka

You wrote:
> Looks interesting. Is there experience about this in bridging firewall scenarios? (With or without external patchsets like

Sorry for this answer being so late but we wanted to check whether
nf-hipac works with the ebtables patch first in order to give you
a definite answer. We tried on a sparc64 which was a bad decision
because the ebtables patch does not work on sparc64 systems.
We are going to test the stuff tomorrow on an i386 and tell you
the results afterwards.

In principle, nf-hipac should work properly with the bridge patch.
We expect it to work just like iptables apart from the fact that
you cannot match on bridge ports. The iptables' in/out interface
match in 2.4 works the way that it matches if either in/out dev
_or_ in/out physdev. The nf-hipac in/out interface match matches
solely on in/out dev.

> Further, you mention the performance reasons for this approach. I would be very interested to see some figures.

We have done some performance tests with an older release of nf-hipac.
The results are available on

Apart from that Roberto Nibali did some preliminary testing on nf-hipac.
You can find his posting to linux-kernel here:

Since there are currently no performance tests available for the
new release we want to encourage people interested in firewall
performance evaluation to include nf-hipac in their tests.


|   Michael Bellion     |     Thomas Heinz     |
| <mbellion@xxxxxxxxx>  |  <creatix@xxxxxxxxx> |
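
The interface-match difference described in the message, modelled as an added example that is not part of the original posting and is not code from iptables or nf-hipac. It covers the input direction only; the `Packet` and `Rule` types, the rule set and the interface names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    in_dev: str                        # logical input device (the bridge for bridged traffic)
    in_physdev: Optional[str] = None   # bridge port the frame arrived on, if any

@dataclass(frozen=True)
class Rule:
    in_iface: str
    target: str

def iptables_24_match(rule, pkt):
    """Per the message: matches if either in dev or in physdev matches."""
    return rule.in_iface in (pkt.in_dev, pkt.in_physdev)

def nf_hipac_match(rule, pkt):
    """Per the message: matches solely on in dev."""
    return rule.in_iface == pkt.in_dev

def first_verdict(rules, pkt, match, policy="ACCEPT"):
    """First-match evaluation; falls through to the chain policy."""
    for rule in rules:
        if match(rule, pkt):
            return rule.target
    return policy

def rules_needing_review(rules, bridge_ports):
    """Rules that name a bridge port: under a dev-only match they will not
    hit bridged packets, so the same rule set can give a different verdict."""
    return [r for r in rules if r.in_iface in bridge_ports]

# Constructed sample: eth0 and eth1 are ports of bridge br0.
BRIDGE_PORTS = {"eth0", "eth1"}
RULES = [Rule("eth0", "DROP"), Rule("br0", "ACCEPT")]
BRIDGED_PKT = Packet(in_dev="br0", in_physdev="eth0")

if __name__ == "__main__":
    print("iptables 2.4:", first_verdict(RULES, BRIDGED_PKT, iptables_24_match))
    print("nf-hipac    :", first_verdict(RULES, BRIDGED_PKT, nf_hipac_match))
    for r in rules_needing_review(RULES, BRIDGE_PORTS):
        print("review before migrating:", r)
```

In this constructed rule set the DROP on the bridge port stops matching under the dev-only semantics, so the packet falls through to the ACCEPT on `br0`.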
