Re: [ANNOUNCE] nf-hipac v0.8 released

Pekka Savola (pekkas@netcore.fi)
Sun, 29 Jun 2003 09:26:55 +0300 (EEST)

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: rmoser: "File System conversion -- ideas"
Previous message: Daniel Egger: "Re: bkbits.net is down"

Hi,

On Sat, 28 Jun 2003, Michael Bellion and Thomas Heinz wrote:
> You wrote:
> > Looks interesting. Is there experience about this in bridging firewall
> > scenarios? (With or without external patchset's like
> > http://ebtables.sourceforge.net/)
>
> Sorry for this answer being so late but we wanted to check whether
> nf-hipac works with the ebtables patch first in order to give you
> a definite answer. We tried on a sparc64 which was a bad decision
> because the ebtables patch does not work on sparc64 systems.
> We are going to test the stuff tomorrow on an i386 and tell you
> the results afterwards.
>
> In principle, nf-hipac should work properly whith the bridge patch.
> We expect it to work just like iptables apart from the fact that
> you cannot match on bridge ports. The iptables' in/out interface
> match in 2.4 works the way that it matches if either in/out dev
> _or_ in/out physdev. The nf-hipac in/out interface match matches
> solely on in/out dev.

Thanks for this information.

> > Further, you mention the performance reasons for this approach. I would
> > be very interested to see some figures.
>
> We have done some performance tests with an older release of nf-hipac.
> The results are available on http://www.hipac.org/
>
> Apart from that Roberto Nibali did some preliminary testing on nf-hipac.
> You can find his posting to linux-kernel here:
> http://marc.theaimsgroup.com/?l=linux-kernel&m=103358029605079&w=2
>
> Since there are currently no performance tests available for the
> new release we want to encourage people interested in firewall
> performance evaluation to include nf-hipac in their tests.

Yes, I had missed this when I quickly looked at the web page using lynx.
Thanks.

One obvious thing that's missing in your performance and Roberto's figures
is what *exactly* are the non-matching rules. Ie. do they only match IP
address, a TCP port, or what? (TCP port matching is about a degree of
complexity more expensive with iptables, I recall.)

-- Pekka Savola "You each name yourselves king, yet the Netcore Oy kingdom bleeds." Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/

Next message: rmoser: "File System conversion -- ideas"
Previous message: Daniel Egger: "Re: bkbits.net is down"