On Sat, 28 Jun 2003, Michael Bellion and Thomas Heinz wrote:
> You wrote:
> > Looks interesting. Is there experience about this in bridging firewall
> > scenarios? (With or without external patchset's like
> > http://ebtables.sourceforge.net/)
> Sorry for this answer being so late but we wanted to check whether
> nf-hipac works with the ebtables patch first in order to give you
> a definite answer. We tried on a sparc64 which was a bad decision
> because the ebtables patch does not work on sparc64 systems.
> We are going to test the stuff tomorrow on an i386 and tell you
> the results afterwards.
> In principle, nf-hipac should work properly whith the bridge patch.
> We expect it to work just like iptables apart from the fact that
> you cannot match on bridge ports. The iptables' in/out interface
> match in 2.4 works the way that it matches if either in/out dev
> _or_ in/out physdev. The nf-hipac in/out interface match matches
> solely on in/out dev.
Thanks for this information.
> > Further, you mention the performance reasons for this approach. I would
> > be very interested to see some figures.
> We have done some performance tests with an older release of nf-hipac.
> The results are available on http://www.hipac.org/
> Apart from that Roberto Nibali did some preliminary testing on nf-hipac.
> You can find his posting to linux-kernel here:
> Since there are currently no performance tests available for the
> new release we want to encourage people interested in firewall
> performance evaluation to include nf-hipac in their tests.
Yes, I had missed this when I quickly looked at the web page using lynx.
One obvious thing that's missing in your performance and Roberto's figures
is what *exactly* are the non-matching rules. Ie. do they only match IP
address, a TCP port, or what? (TCP port matching is about a degree of
complexity more expensive with iptables, I recall.)
Pekka Savola "You each name yourselves king, yet the
Netcore Oy kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings