status of nf-HIPAC integration ?

status of nf-HIPAC integration ?

[Steven Van Acker]

Hello,

for some time now we have been using the nf-HIPAC patch in our firewalls' kernels
and I'm glad to say it works nicely. Our firewalls still run 2.4.x kernels. Ever 
since the introduction of x-tables in the 2.6.x branch, the nf-HIPAC patch no 
longer applies.

I found a patch at 
http://www.kernelproject.org/people/jhpark/nf-hipac-0.9.1-to-linux-2.6.16.16.patch
by Jeho-Park, which should allow me to compile 2.6.16.16 with nf-HIPAC. 

Has anyone tried this patch ?

I'm not sure what the future of nf-HIPAC is. I'd like it very much if the 
mainstream kernel came with nf-HIPAC by default, but I see no indications that 
anything is moving in that direction.

Is nf-HIPAC still being worked on ?
Is it still on the TODO-list to integrate nf-HIPAC into the mainstream kernel ?

kind regards,
-- Steven Van Acker

-- 
My amazon wishlist:
http://www.amazon.com/gp/registry/1DB4XNEIEQBPB

Re: status of nf-HIPAC integration ?

[Jeho Park]

hi steven


Steven Van Acker wrote:

>Hello,
>
>for some time now we have been using the nf-HIPAC patch in our firewalls' kernels
>and I'm glad to say it works nicely. Our firewalls still run 2.4.x kernels. Ever 
>since the introduction of x-tables in the 2.6.x branch, the nf-HIPAC patch no 
>longer applies.
>
>I found a patch at 
>http://www.kernelproject.org/people/jhpark/nf-hipac-0.9.1-to-linux-2.6.16.16.patch
>by Jeho-Park, which should allow me to compile 2.6.16.16 with nf-HIPAC. 
>
>Has anyone tried this patch ?
>
>  
>
yes, i applied that patch to the standard linux 2.6.16.16 ~ 2.6.16.18 
and 2.6.17.3
the patch include original nf-hipac patch v 0.9.2 and somewhat bit 
changes which as you know, stemed from x-tables

todays, i tested thputs with smartbits (nf-hipac vs iptables) in the 
kernel 2.6.17.3
result URL:
http://www.kernelproject.org/people/jhpark/fw_thput_test1.htm

the result looks somewhat ugly because thput result is much low.
but as you refer my result, you can compare thput of the iptables with 
that of the nf-hipac in the kernel 2.6.17.3

test variable is like this : rule number, packet size, ...

the patch include original nf-hipac patch v 0.9.2 and somewhat bit 
changes which as you know, stemed from x-tables

thanks

---
jeho park <jhpark-nf@kernelproject.org>

>I'm not sure what the future of nf-HIPAC is. I'd like it very much if the 
>mainstream kernel came with nf-HIPAC by default, but I see no indications that 
>anything is moving in that direction.
>
>Is nf-HIPAC still being worked on ?
>Is it still on the TODO-list to integrate nf-HIPAC into the mainstream kernel ?
>
>kind regards,
>-- Steven Van Acker
>
>  
>

Re: status of nf-HIPAC integration ?

[Patrick McHardy]

Jeho Park wrote:
> todays, i tested thputs with smartbits (nf-hipac vs iptables) in the
> kernel 2.6.17.3
> result URL:
> http://www.kernelproject.org/people/jhpark/fw_thput_test1.htm
> 
> the result looks somewhat ugly because thput result is much low.
> but as you refer my result, you can compare thput of the iptables with
> that of the nf-hipac in the kernel 2.6.17.3

That indeed looks ugly (for iptables). How was the ruleset structured?
Could you put it on your page please?

Re: status of nf-HIPAC integration ?

[Jeho Park]

Patrick McHardy wrote:

>Jeho Park wrote:
>  
>
>>todays, i tested thputs with smartbits (nf-hipac vs iptables) in the
>>kernel 2.6.17.3
>>result URL:
>>http://www.kernelproject.org/people/jhpark/fw_thput_test1.htm
>>
>>the result looks somewhat ugly because thput result is much low.
>>but as you refer my result, you can compare thput of the iptables with
>>that of the nf-hipac in the kernel 2.6.17.3
>>    
>>
>
>That indeed looks ugly (for iptables). How was the ruleset structured?
>Could you put it on your page please?
>
>
>
>
>  
>
i uploaded the scripts.



rule 1000 hipac script:
http://www.kernelproject.org/people/jhpark/fw_forward1000_hp


rule 1000 iptables script:
http://www.kernelproject.org/people/jhpark/fw_forward1000_ipt


rule 2000 hipac script:
http://www.kernelproject.org/people/jhpark/fw_forward2000_hp


rule 2000 iptables script: 
http://www.kernelproject.org/people/jhpark/fw_forward2000_ipt



and above all, i fixed some my mistake. the router was not zeon dual
core but pentium-4 2.4G


so i fixed the result document (
http://www.kernelproject.org/people/jhpark/fw_thput_test1.htm
) 



p.s: 


the commands,  ipt and hp, in the scripts above are somewhat
changed iptables and nf-hipac command.


because i want to access any firewall ruleset with its unique ID for
convience, so i modified netfilter,


hipac kernel code and their user commands (iptables, nf-hipac)




thanks 



--


jeho park <jhpark-nf@kernelproject.org>