nf-hipac: High Performance Packet Classification for Netfilter

Post by Michael Bellion and Thomas Hein » Sat, 05 Jul 2003 20:00:19



Hi

We have released a new version of nf-hipac. We rewrote most of the code
and added a bunch of new features. The main enhancements are
user-defined chains, generic support for iptables targets and matches
and 64 bit atomic counters.

For all of you who don't know nf-hipac yet, here is a short overview:

nf-hipac is a drop-in replacement for the iptables packet filtering
module.
It implements a novel framework for packet classification which uses an
advanced algorithm to reduce the number of memory lookups per packet.
The module is ideal for environments where large rulesets and/or high
bandwidth networks are involved. Its userspace tool, which is also
called 'nf-hipac', is designed to be as compatible as possible with
'iptables -t filter'.

The official project web page is:
      http://www.hipac.org
The releases can be downloaded from:
      http://sourceforge.net/projects/nf-hipac

Features:
      - optimized for high performance packet classification with
        moderate memory usage
      - completely dynamic: data structure isn't rebuilt from scratch
        when inserting or deleting rules, so fast updates are possible
      - very short locking times during rule updates: packet matching is
        not blocked
      - support for 64 bit architectures
      - optimized kernel-user protocol (netlink): improved rule listing
        speed
      - libnfhipac: netlink library for kernel-user communication
      - native match support for:
          + source/destination ip
          + in/out interface
          + protocol (udp, tcp, icmp)
          + fragments
          + source/destination ports (udp, tcp)
          + tcp flags
          + icmp type
          + connection state
          + ttl
      - match negation (!)
      - iptables compatibility: syntax and semantics of the userspace
        tool are very similar to iptables
      - coexistence of nf-hipac and iptables: both facilities can be used
        at the same time
      - generic support for iptables targets and matches (binary
        compatibility)
      - integration into the netfilter connection tracking facility
      - user-defined chains support
      - 64 bit atomic counters
      - kernel module autoloading
      - /proc/net/nf-hipac/info:
            + dynamically limit the maximum memory usage
            + change invocation order of nf-hipac and iptables
      - extended statistics via /proc/net/nf-hipac/statistics/*

We are currently working on extending the hipac algorithm to do
classification with several stages. The hipac algorithm will then be
capable of combining several classification problems in one data
structure, e.g. it will be possible to solve routing and firewalling
with one hipac lookup. The idea is to shorten the packet forwarding path
by combining fib_lookup and iptables filter lookup into one hipac query.
To further improve the performance in this scenario the upcoming flow
cache could be used to cache recent hipac results.

Enjoy,

+-----------------------+----------------------+
|   Michael Bellion     |     Thomas Heinz     |
+-----------------------+----------------------+

##########################################################################

# PLEASE remember a short description of the software and the LOCATION.  #
# This group is archived at http://stump.algebra.com/~cola/              #
##########################################################################

 
 
 


NF-HIPAC: High Performance Packet Classification for Netfilter

Hi,

nf-hipac aims to become a drop-in replacement for the iptables packet
filtering module. It implements a novel framework for packet classification
which uses an advanced algorithm to reduce the number of memory lookups per
packet. The module is ideal for environments where large rulesets and/or
high bandwidth networks are involved.

The algorithm code is designed in a way that it can be verified in userspace,
so the algorithm code itself can be considered correct. We are not able to
really verify the remaining files nfhp_mod.[ch] and the userspace tool
(nf-hipac.[ch]), but they are tested in depth and shouldn't contain any
critical bugs.

We have the results of some basic performance tests available on our web page.
The test compares the performance of the iptables filter table to the
performance of nf-hipac. Results are pretty impressive :-)

You can find the performance test results on our web page http://www.hipac.org
The releases can be downloaded from http://sourceforge.net/projects/nf-hipac/

Features:
    - optimized for high performance packet classification
      with moderate memory usage
    - completely dynamic:
        data structure isn't rebuilt from scratch when inserting or
        deleting rules, so fast updates are possible
    - userspace tool syntax is very similar to the iptables syntax
    - kernel does not need to be patched
    - compatible with iptables: you can use iptables and nf-hipac at
      the same time:
        for example you could use the connection tracking module from
        iptables and match the states with nf-hipac
    - match support for:
        + source/destination ip
        + in/out interface
        + protocol (udp, tcp, icmp)
        + source/destination ports (udp, tcp)
        + icmp type
        + tcp flags
        + ttl
        + state match (conntrack module must be loaded)
    - /proc/net/nf-hipac:
        + algorithm statistics available via
            # cat /proc/net/nf-hipac
        + allows to dynamically limit the maximum memory usage
            # echo   >  /proc/net/nf-hipac

Enjoy,

+-----------------------+----------------------+
|   Michael Bellion     |     Thomas Heinz     |

+-----------------------+----------------------+

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in

More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
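Two claims in the announcements above are worth seeing in code: that a classifier can need a small fixed number of memory lookups per packet regardless of ruleset size, and that the algorithm code can be verified in userspace. The following C program is an added example and is not nf-hipac's code or its algorithm. It models an iptables-style ruleset with three fields (source prefix, protocol, destination-port range), implements the linear first-match scan as the reference, a precomputed bit-vector classifier (per-dimension elementary-interval tables whose rule masks are ANDed together) as the fast path, and a differential test that checks both agree on deterministic pseudo-random packets. The sample ruleset, the packet model, the field names and the verdict constants are constructed for this example; source masks are assumed to be contiguous prefixes.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model: one source prefix, one protocol (0 = any) and one destination-port
 * range per rule, first match wins as in iptables. Not nf-hipac's data structures. */
#define MAXRULES 64          /* one bit per rule in a 64-bit mask */
#define NOMATCH  (-1)
enum { ACCEPT, DROP };
typedef struct { uint32_t saddr, smask; uint8_t proto; uint16_t dport_lo, dport_hi; int verdict; } rule_t;
typedef struct { uint32_t saddr; uint8_t proto; uint16_t dport; } pkt_t;

#define IP(a,b,c,d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
/* Constructed sample ruleset; the comments give the iptables-style intent of each rule. */
const rule_t sample_rules[] = {
    { IP(10,0,0,0), 0xff000000u, 6,  22,   22,    ACCEPT }, /* -s 10.0.0.0/8 -p tcp --dport 22 -j ACCEPT */
    { IP(10,0,5,0), 0xffffff00u, 0,  0,    65535, DROP   }, /* -s 10.0.5.0/24 -j DROP */
    { 0,            0,           6,  80,   80,    ACCEPT }, /* -p tcp --dport 80 -j ACCEPT */
    { 0,            0,           17, 53,   53,    ACCEPT }, /* -p udp --dport 53 -j ACCEPT */
    { 0,            0,           1,  0,    65535, ACCEPT }, /* -p icmp -j ACCEPT */
    { 0,            0,           0,  1024, 65535, DROP   }, /* --dport 1024:65535 -j DROP */
};
const int sample_nrules = (int)(sizeof sample_rules / sizeof sample_rules[0]);

/* Reference path: linear first-match scan, O(rules) comparisons per packet. */
int classify_linear(const rule_t *r, int n, const pkt_t *p) {
    for (int i = 0; i < n; i++) {
        if ((p->saddr & r[i].smask) != (r[i].saddr & r[i].smask)) continue;
        if (r[i].proto && r[i].proto != p->proto) continue;
        if (p->dport < r[i].dport_lo || p->dport > r[i].dport_hi) continue;
        return i;
    }
    return NOMATCH;
}

/* Fast path: each dimension is cut into elementary intervals at rule boundaries and every
 * interval carries the bitmask of rules covering it. A packet costs one lookup per
 * dimension plus word-wide ANDs, whatever the ruleset size. */
typedef struct { uint64_t pt[2 * MAXRULES + 2]; uint64_t mask[2 * MAXRULES + 2]; int n; } dim_t;
typedef struct { dim_t saddr, dport; uint64_t proto[256]; } fastcls_t;

static void rule_range(const rule_t *r, int dim, uint64_t *lo, uint64_t *hi) {
    *lo = dim == 0 ? (r->saddr & r->smask) : r->dport_lo;           /* prefix -> [lo, hi] range */
    *hi = dim == 0 ? (uint64_t)(r->saddr | ~r->smask) : r->dport_hi; /* assumes contiguous mask */
}

static void dim_build(dim_t *d, const rule_t *r, int n, int dim, uint64_t top) {
    uint64_t pts[2 * MAXRULES + 2], lo, hi;
    int m = 0;
    pts[m++] = 0; pts[m++] = top;                         /* top = one past the largest value */
    for (int i = 0; i < n; i++) { rule_range(&r[i], dim, &lo, &hi); pts[m++] = lo; pts[m++] = hi + 1; }
    for (int i = 1; i < m; i++) {                         /* insertion sort: build time, not per packet */
        uint64_t v = pts[i]; int j = i;
        while (j > 0 && pts[j - 1] > v) { pts[j] = pts[j - 1]; j--; }
        pts[j] = v;
    }
    for (int i = 0, k = 0; i < m; i++) if (i == 0 || pts[i] != pts[i - 1]) d->pt[k++] = pts[i], d->n = k;
    for (int k = 0; k + 1 < d->n; k++) {                  /* interval k = [pt[k], pt[k+1]) */
        d->mask[k] = 0;
        for (int i = 0; i < n; i++) {
            rule_range(&r[i], dim, &lo, &hi);
            if (lo <= d->pt[k] && d->pt[k] <= hi) d->mask[k] |= 1ULL << i;
        }
    }
}

static uint64_t dim_lookup(const dim_t *d, uint64_t v) {  /* largest k with pt[k] <= v */
    int lo = 0, hi = d->n - 2;
    while (lo < hi) { int mid = (lo + hi + 1) / 2; if (d->pt[mid] <= v) lo = mid; else hi = mid - 1; }
    return d->mask[lo];
}

int fast_build(fastcls_t *c, const rule_t *r, int n) {
    if (n > MAXRULES) return -1;
    dim_build(&c->saddr, r, n, 0, 1ULL << 32);
    dim_build(&c->dport, r, n, 1, 1ULL << 16);
    memset(c->proto, 0, sizeof c->proto);
    for (int i = 0; i < n; i++)
        for (int p = 0; p < 256; p++)
            if (r[i].proto == 0 || r[i].proto == p) c->proto[p] |= 1ULL << i;
    return 0;
}

/* Lowest set bit = lowest rule index = first match, so rule ordering semantics are kept. */
int classify_fast(const fastcls_t *c, const pkt_t *p) {
    uint64_t m = c->proto[p->proto] & dim_lookup(&c->saddr, p->saddr) & dim_lookup(&c->dport, p->dport);
    return m ? __builtin_ctzll(m) : NOMATCH;              /* GCC/Clang builtin */
}

/* Userspace verification: differential test of the fast path against the reference on
 * deterministic pseudo-random packets. Returns the number of disagreements (0 = agreed). */
static uint32_t xorshift(uint32_t *s) { uint32_t x = *s; x ^= x << 13; x ^= x >> 17; x ^= x << 5; return *s = x; }

int differential_test(const rule_t *r, int n, int iters) {
    fastcls_t c; uint32_t s = 0x9e3779b9u; int bad = 0;
    if (fast_build(&c, r, n) != 0) return -1;
    for (int i = 0; i < iters; i++) {                     /* biased towards 10.0.0.0/16 and low ports */
        pkt_t p;
        p.saddr = (xorshift(&s) & 1) ? (IP(10,0,0,0) | (xorshift(&s) & 0xffff)) : xorshift(&s);
        p.proto = (uint8_t)((xorshift(&s) & 3) ? ((xorshift(&s) & 1) ? 6 : 17) : 1);
        p.dport = (uint16_t)((xorshift(&s) & 1) ? xorshift(&s) % 1100 : xorshift(&s));
        if (classify_linear(r, n, &p) != classify_fast(&c, &p)) bad++;
    }
    return bad;
}
```

The point of the differential test is the one the third post makes about verifying the algorithm code outside the kernel: the slow path is obviously correct, the fast path is the one with room for mistakes, and running both over many packets in userspace catches a divergence before the fast path ever sees real traffic. The ordering case worth checking by hand is a 10.0.5.x packet to TCP port 22, which rule 0 accepts even though rule 1 would drop everything from that /24; the fast path gets this right only because the lowest set bit corresponds to the earliest rule.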
