[nf@hipac.org: [ANNOUNCE] NF-HIPAC: High Performance Packet Classification for Netfilter]

[mcmanus at ducksong.com (Patrick R. McManus)]

yesterday someone (I'm sorry, I forget who) on this list was asking
about the scaling properties of a linux box running NAT for a T3
(plus) worth of data.

The short answer: on any modern PC that's no problem.. plenty of bus
speed and processor.. one quick hint to max out available
bandwidth: put the nics on different irq's and run an SMP box with
those irq tied (via the /proc/irq/X/smp_affinity stuff) to the
different processors.. but you won't have any trouble routing 50Mb/s
on any ol PCI bus-pentium-something system. This just isn't a lot of data.

The only gotcha might be if you had dozens of
ipchains/iptables/ipfirewall rules.. that can start to be a cpu issue..
I'll forward the annoucement below of a iptables replacement that
claims to do rule processing much better for high numbers of rules.. I
haven't installed it yet.

-Pat


----- Forwarded message from nf at hipac.org -----

From: nf at hipac.org
To: linux-kernel at vger.kernel.org
Subject: [ANNOUNCE] NF-HIPAC: High Performance Packet Classification for Netfilter
Date: 	Thu, 26 Sep 2002 00:41:56 +0200
User-Agent: KMail/1.4.3
X-Mailing-List: 	linux-kernel at vger.kernel.org

Hi,

nf-hipac aims to become a drop-in replacement for the iptables packet 
filtering module. It implements a novel framework for packet classification 
which uses an advanced algorithm to reduce the number of memory lookups per 
packet. The module is ideal for environments where large rulesets and/or
high bandwidth networks are involved.

The algorithm code is designed in a way that it can be verified in userspace, 
so the algorithm code itself can be considered correct. We are not able to 
really verify the remaining files nfhp_mod.[ch] and the userspace tool 
(nf-hipac.[ch]), but they are tested in depth and shouldn't contain any 
critical bugs.

We have the results of some basic performance tests available on our web page. 
The test compares the performance of the iptables filter table to the 
performance of nf-hipac. Results are pretty impressive :-)

You can find the performance test results on our web page http://www.hipac.org
The releases can be downloaded from http://sourceforge.net/projects/nf-hipac/

Features:
    - optimized for high performance packet classification
      with moderate memory usage
    - completely dynamic:
        data structure isn't rebuild from scratch when inserting or
        deleting rules, so fast updates are possible
    - userspace tool syntax is very similar to the iptables syntax
    - kernel does not need to be patched
    - compatible to iptables: you can use iptables and nf-hipac at
      the same time:
        for example you could use the connection tracking module from
        iptables and match the states with nf-hipac
    - match support for:
        + source/destination ip
        + in/out interface
        + protocol (udp, tcp, icmp)
        + source/destination ports (udp, tcp)
        + icmp type
        + tcp flags
        + ttl
        + state match (conntrack module must be loaded)
   - /proc/net/nf-hipac:
        + algorithm statistics available via
            # cat /proc/net/nf-hipac
        + allows to dynamically limit the maximum memory usage
            # echo   >  /proc/net/nf-hipac

Enjoy,

+-----------------------+----------------------+
|   Michael Bellion     |     Thomas Heinz     |
| <mbellion at hipac.org>  |  <creatix at hipac.org> |
+-----------------------+----------------------+

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

----- End forwarded message -----