new toys for network people...

Paweł Sikora pluto at agmk.net
Mon, 26 Sep 2005, 14:02:07 CEST


****************************************************************************

[ splitting iptable_nat.ko in 2.6.14 ]

[NETFILTER]: Fix invalid module autoloading by splitting iptable_nat

When you've enabled conntrack and NAT as a module (standard case in all
distributions), and you've also enabled the new conntrack netlink
interface, loading ip_conntrack_netlink.ko will auto-load iptable_nat.ko.
This causes a huge performance penalty, since for every packet you iterate
the nat code, even if you don't want it.

This patch splits iptable_nat.ko into the NAT core (ip_nat.ko) and the
iptables frontend (iptable_nat.ko).  Therefore, ip_conntrack_netlink.ko will
only pull ip_nat.ko, but not the frontend.  ip_nat.ko will "only" allocate
some resources, but not affect runtime performance.

This separation is also a nice step in anticipation of new packet filters
(nf-hipac, ipset, pkttables) being able to use the NAT core.


****************************************************************************

[ conntrack ]

        is a commandline program for listing, querying, deleting and
        updating entries in the connection tracking table.  It also
        supports real-time tracing of connection tracking state changes
        (conntrack events).

ftp://ftp.netfilter.org/pub/conntrack/conntrack-0.81.tar.bz2

****************************************************************************

[ nf-HiPAC version 0.9.0 ]

nf-HiPAC is a full featured packet filter for Linux which demonstrates the
power and flexibility of HiPAC. HiPAC is a novel framework for packet
classification which uses an advanced algorithm to reduce the number of
memory lookups per packet. It is ideal for environments involving large rule
sets and/or high bandwidth networks.

nf-HiPAC provides the same rich feature set as iptables, the popular Linux
packet filter. The complexity of the sophisticated HiPAC packet
classification algorithm is hidden behind an iptables compatible user
interface which renders nf-HiPAC a drop-in replacement for iptables. Thereby,
the semantics of iptables rules are preserved, i.e. you can construct your
rules like you are used to. From a user's point of view there is no need to
understand anything about the HiPAC algorithm.

The nf-hipac user space tool is designed to be as compatible as possible with
'iptables -t filter'. It even supports the full power of iptables targets,
matches and stateful packet filtering (connection tracking) besides the native
nf-HiPAC matches. This makes a switch from iptables to nf-HiPAC very easy.
Usually it is sufficient to replace the calls to iptables with calls to
nf-hipac for your filter rules.

Why another packet filter?
Performance:
    iptables, like most packet filters, uses a simple packet classification
    algorithm which traverses the rules in a chain linearly per packet until a
    matching rule is found (or not). Clearly, this approach lacks efficiency.
    As networks grow more and more complex and offer a wider bandwidth linear
    packet filtering is no longer an option if many rules have to be matched
    per packet. Higher bandwidth means more packets per second which leads to
    shorter processing times per packet. nf-HiPAC outperforms iptables regardless
    of the number of rules, i.e. the HiPAC classification engine does not
    impose any overhead even for very small rule sets.

Scalability to large rule sets:
    The performance of nf-HiPAC is nearly independent of the number of rules.
    nf-HiPAC with thousands of rules still outperforms iptables with 20 rules.

Dynamic rule sets:
    nf-HiPAC offers fast dynamic rule set updates without stalling packet
    classification in contrast to iptables which yields bad update performance
    along with stalled packet processing during updates.

More information about the project can be found at: http://www.hipac.org
The releases are published on: http://sourceforge.net/projects/nf-hipac/

****************************************************************************

-- 
The only thing necessary for the triumph of evil
  is for good men to do nothing.
                                           - Edmund Burke



More information about the pld-devel-pl mailing list
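The connection tracking table that the conntrack announcement above lists and queries, as an added example that is not part of the original post, of the netfilter project or of conntrack-tools: a Python parser for entries in the format /proc/net/ip_conntrack printed on 2.6 kernels (and that `conntrack -L` prints with the same tuple layout), which flags every entry whose reply tuple is not the exact inverse of its original tuple, i.e. the entries the NAT core rewrote. The line format, the field names and the sample table are assumptions and constructed data, not captured output. With ip_nat.ko loaded but no NAT rules installed (the situation the iptable_nat split above is meant to make cheap), the flagged list should be empty.

```python
"""Parse connection tracking table lines and flag NAT'd entries.

Added example, not code from the original post, from netfilter or from
conntrack-tools.  Assumed line format (2.6-era /proc/net/ip_conntrack,
same tuple layout as `conntrack -L`):

  proto num timeout [STATE] <orig tuple> [UNREPLIED] <reply tuple> [ASSURED] k=v ...

where a tuple is src= dst= plus sport=/dport= (tcp, udp) or type=/code=/id=
(icmp).  SAMPLE_TABLE is constructed; 203.0.113.5 plays the router's
public address.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TUPLE_KEYS = {"src", "dst", "sport", "dport", "type", "code", "id"}

SAMPLE_TABLE = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=93.184.216.34 sport=45123 dport=80 src=93.184.216.34 dst=203.0.113.5 sport=80 dport=45123 [ASSURED] mark=0 use=1
tcp      6 117 TIME_WAIT src=203.0.113.77 dst=203.0.113.5 sport=51000 dport=443 src=192.168.1.50 dst=203.0.113.77 sport=443 dport=51000 [ASSURED] use=1
udp      17 29 src=192.168.1.20 dst=192.168.1.1 sport=52000 dport=53 src=192.168.1.1 dst=192.168.1.20 sport=53 dport=52000 use=1
udp      17 30 src=192.168.1.20 dst=198.51.100.9 sport=40000 dport=123 [UNREPLIED] src=198.51.100.9 dst=203.0.113.5 sport=123 dport=40000 use=1
icmp     1 29 src=192.168.1.30 dst=198.51.100.1 type=8 code=0 id=1234 src=198.51.100.1 dst=203.0.113.5 type=0 code=0 id=1234 use=1
"""


@dataclass
class Entry:
    proto: str
    timeout: int
    state: Optional[str]          # tcp only (ESTABLISHED, TIME_WAIT, ...)
    orig: Dict[str, str]          # tuple seen in the original direction
    reply: Dict[str, str]         # tuple expected in the reply direction
    flags: List[str] = field(default_factory=list)
    attrs: Dict[str, str] = field(default_factory=dict)

    def nat_kind(self) -> str:
        """Without NAT the reply tuple is the exact inverse of the original.
        SNAT rewrites the original source, so reply dst/dport no longer
        matches orig src/sport; DNAT rewrites the original destination, so
        reply src/sport no longer matches orig dst/dport.  Comparing the
        port halves too catches masquerade picking a fresh source port."""
        kinds = []
        if (self.reply.get("dst"), self.reply.get("dport")) != (self.orig.get("src"), self.orig.get("sport")):
            kinds.append("SNAT")
        if (self.reply.get("src"), self.reply.get("sport")) != (self.orig.get("dst"), self.orig.get("dport")):
            kinds.append("DNAT")
        return "+".join(kinds) if kinds else "none"


def parse_line(line: str) -> Optional[Entry]:
    tokens = line.split()
    if len(tokens) < 3 or not tokens[2].isdigit():
        return None
    proto, timeout = tokens[0], int(tokens[2])
    state, idx = None, 3
    # tcp lines carry a bare state word before the first tuple
    if idx < len(tokens) and "=" not in tokens[idx] and not tokens[idx].startswith("["):
        state, idx = tokens[idx], idx + 1
    orig: Dict[str, str] = {}
    reply: Dict[str, str] = {}
    attrs: Dict[str, str] = {}
    flags: List[str] = []
    current: Optional[Dict[str, str]] = None
    for tok in tokens[idx:]:
        if tok.startswith("[") and tok.endswith("]"):
            flags.append(tok[1:-1])        # ASSURED / UNREPLIED
            continue
        key, _, val = tok.partition("=")
        if key == "src":                   # the second src= opens the reply tuple
            current = orig if current is None else reply
        if key in TUPLE_KEYS and current is not None:
            current[key] = val
        else:
            attrs[key] = val               # mark=, use=, ...
    if not orig or not reply:
        return None
    return Entry(proto, timeout, state, orig, reply, flags, attrs)


def parse_table(table: str) -> List[Entry]:
    return [e for e in (parse_line(ln) for ln in table.splitlines()) if e is not None]


def nat_entries(table: str) -> List[Tuple[str, str, str]]:
    """(proto, original src -> dst, NAT kind) for every entry the NAT core rewrote."""
    out = []
    for e in parse_table(table):
        kind = e.nat_kind()
        if kind != "none":
            out.append((e.proto, "%s -> %s" % (e.orig["src"], e.orig["dst"]), kind))
    return out


def summarize(table: str) -> Dict[str, int]:
    counts = {"entries": 0, "assured": 0, "unreplied": 0, "SNAT": 0, "DNAT": 0}
    for e in parse_table(table):
        counts["entries"] += 1
        counts["assured"] += int("ASSURED" in e.flags)
        counts["unreplied"] += int("UNREPLIED" in e.flags)
        kind = e.nat_kind()
        counts["SNAT"] += int("SNAT" in kind)
        counts["DNAT"] += int("DNAT" in kind)
    return counts


if __name__ == "__main__":
    for proto, flow, kind in nat_entries(SAMPLE_TABLE):
        print(proto, flow, kind)
    print(summarize(SAMPLE_TABLE))
```

On a real box the same functions can be fed the contents of /proc/net/ip_conntrack (root required) instead of SAMPLE_TABLE; the parser keys only on the repeated `src=` to separate the two tuples, so it tolerates the extra `mark=`/`use=` attributes and the optional bracketed flags wherever they appear in the line.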