[ANNOUNCE] nf-hipac v0.8 released

[Michael Bellion and Thomas Heinz <nf@hipac.org>]

Hi

We have just released a new version of nf-hipac. You might wonder why
this lasted so long. Well, we did a major rewrite of most of the code,
added a bunch of new features and did heavy userspace testing of the
algorithmic core. 


For all of you who don't know nf-hipac yet, here is a short overview:

nf-hipac is a drop-in replacement for the iptables packet filtering module.
It implements a novel framework for packet classification which uses an
advanced algorithm to reduce the number of memory lookups per packet.
The module is ideal for environments where large rulesets and/or high
bandwidth networks are involved. Its userspace tool, which is also called 
'nf-hipac', is designed to be as compatible as possible to 'iptables -t 
filter'.

The official project web page is:    http://www.hipac.org
The releases can be downloaded from: http://sourceforge.net/projects/nf-hipac


Here is a short overview of the new features:

  - generic support for iptables targets and matches:
       nf-hipac is now binary compatible to iptables targets and
       matches.

  - support for user defined chains:
       This was a real challenge.

  - 64 bit atomic counters:
       We avoided cache ping-pong on SMP machines.

  - nf-hipac connection tracking helper:
       This is basically a dummy module which avoids that you
       manually load ip_conntrack.

  - extended proc statistics

  - libnfhipac:
       We've implemented a very lightweight userspace library which
       does the netlink communication for you, so writing an alternative
       userspace tool for nf-hipac is simplified. [you still have to
       construct the rule which is sent to the kernel]

  - new netlink based protocol:
       Apart from that it was necessary to redesign the protocol
       to support the new features we have improved the listing speed
       by putting as many rules/chains in a packet as possible.

 - non-terminal rule support:
       The nf-hipac rule target is optional.

Basically, nf-hipac now offers the same functionality as iptables -t filter
apart from the RETURN target which is missing and some minor
user-defined chain related issues.

Unfortunately we discovered an alignment bug in the btree layer
(the only part we haven't rewritten) which breaks architectures
requiring strict alignment for pointers (like alpha).
Sparc64 again seems to work fine.


Enjoy,

+-----------------------+----------------------+
|   Michael Bellion     |     Thomas Heinz     |
| <mbellion@hipac.org>  |  <creatix@hipac.org> |
+-----------------------+----------------------+