From: hamid jafarian <hamid.jafarian@gmail.com>
To: "netfilter-devel@lists.netfilter.org" <netfilter-devel@lists.netfilter.org>
Subject: a new version of iptabes
Date: Thu, 7 Apr 2005 01:04:53 -0700 [thread overview]
Message-ID: <464293e60504070104d1a3029@mail.gmail.com> (raw)
In-Reply-To: <464293e60504050045720b8e52@mail.gmail.com>
hello ...
I developed a new version of iptables. This version is based on the
requirements of firewalls with 25,000 rules or maybe more.
Your version of iptables, with contiguous memory for rule storage and linear
search in the classification activities, can only manage firewalls with fewer
than 1000 rules (based on my tests), but in my version there is a very good
chance of increasing the search activities: in this version you can use
different classification algorithms to classify the packets (up to now only
"linear" & "tuple"). These algorithms can be developed, like targets and
matches, independently of the core, and with a command option (-C) you can
change the classification algorithm of a chain. Every chain (in this
development) can have its own algorithm. By this we can hope that
iptables will never be old.
You know that the classification algorithms (like HiCuts & BV & HyperCuts)
are developed to manage the classifying process of the packets.
Another feature of this development is using a linked list instead of contiguous
memory for rule storage. By this strategy, adding or deleting a rule only
needs to exchange the information of that rule between user and kernel
space, but in your version you should exchange all of the database between
user and kernel space and also do some expensive memory management
activities (free the old database and allocate new memory for the new database,
copy all of the database from user space to kernel space, and also
transform all of the rules from user form to kernel form) in kernel
space. Your iptables is not appropriate for interactive firewalls, but in
this version interactivity is a base feature.
By this, I transformed all of the rule management activities from
user space to kernel space.
This version is very flexible and powerful and can be used instead of the
current version of iptables.
I also did some tests on the new version. If you like, I can give you
the results of these tests, and also, if you wish, give you this version for
testing, using and (maybe) replacing the current version with this powerful
version.
This version is developed only for IPv4, and the code that is used and
changed for the user space is 1.2.9.
In the coding of this version, I used many new and appropriate
structures for easy understanding and change ... like your style for
coding in the user space (using macros for IPv4 and IPv6 coding), we can
use this style for coding the IPv6.
IMPORTANT: the "iptables" command is not changed and you can use
iptables and all of the current matches and targets without any changes or
new information, and also the commands iptables-save and iptables-restore
are changed to work with this new version.
This version is a GOOD CHANCE ............
be happy ..
... hamid jafarian ...
--
H.T.
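The two design points of the message, a linked list of rules that is modified one node at a time and a per-chain classification algorithm chosen by something like the proposed -C option, as an added example in C. This code is not part of the original mail and is not the author's iptables patch; every structure, function, rule and packet in it is a constructed assumption for illustration. It goes slightly beyond the mail by showing how a "tuple" classifier (tuple space search: rules grouped by (src prefix length, dst prefix length), each group probed through a small hash table) must still honour first-match ordering, and why its index has to be rebuilt after a rule is deleted from the list.

```c
/* Added example (not from the mail or from iptables): per-chain classifier
 * over a linked list of rules. Rules, addresses and names are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NBUCKETS   64
#define MAX_TUPLES 16
enum { VERDICT_DROP = 0, VERDICT_ACCEPT = 1 };

struct rule {
    uint32_t src, dst;          /* stored already masked to their prefix length */
    int src_len, dst_len;
    int verdict, pos;           /* pos = list position = first-match priority */
    struct rule *next, *tnext;  /* chain list link / tuple hash bucket link */
};

struct tuple { int src_len, dst_len; struct rule *bucket[NBUCKETS]; };

struct chain;
typedef int (*classify_fn)(struct chain *, uint32_t src, uint32_t dst);
struct chain {
    struct rule *head;
    int policy, nrules;
    classify_fn classify;       /* swappable per chain, like the mail's -C */
    struct tuple tuples[MAX_TUPLES];
    int ntuples;
};

static uint32_t prefix_mask(int len) { return len ? 0xFFFFFFFFu << (32 - len) : 0; }
static uint32_t ip4(int a, int b, int c, int d) { return ((uint32_t)a << 24) | (b << 16) | (c << 8) | d; }
static unsigned bucket_of(uint32_t s, uint32_t d) { return (s * 2654435761u ^ d * 40503u) >> 26; }

/* Append one rule: only this node is allocated; existing nodes are untouched. */
static void chain_append(struct chain *c, uint32_t src, int sl, uint32_t dst, int dl, int verdict) {
    struct rule *r = calloc(1, sizeof *r), **pp = &c->head;
    r->src = src & prefix_mask(sl); r->src_len = sl;
    r->dst = dst & prefix_mask(dl); r->dst_len = dl;
    r->verdict = verdict; r->pos = c->nrules++;
    while (*pp) pp = &(*pp)->next;
    *pp = r;
}

/* Unlink the rule at list position pos; later rules move up one position. Returns 1 if found. */
static int chain_delete(struct chain *c, int pos) {
    for (struct rule **pp = &c->head; *pp; pp = &(*pp)->next) {
        if ((*pp)->pos != pos) continue;
        struct rule *r = *pp; *pp = r->next; free(r);
        for (r = c->head; r; r = r->next) if (r->pos > pos) r->pos--;
        c->nrules--;
        return 1;
    }
    return 0;
}

/* "linear": walk the list, first matching rule wins. */
static int classify_linear(struct chain *c, uint32_t src, uint32_t dst) {
    for (struct rule *r = c->head; r; r = r->next)
        if ((src & prefix_mask(r->src_len)) == r->src && (dst & prefix_mask(r->dst_len)) == r->dst)
            return r->verdict;
    return c->policy;
}

/* Rebuild the tuple index from the list; required after append/delete on a "tuple" chain. */
static void tuple_build(struct chain *c) {
    c->ntuples = 0;
    for (struct rule *r = c->head; r; r = r->next) {
        struct tuple *t = NULL;
        for (int i = 0; i < c->ntuples; i++)
            if (c->tuples[i].src_len == r->src_len && c->tuples[i].dst_len == r->dst_len) { t = &c->tuples[i]; break; }
        if (!t) {
            if (c->ntuples == MAX_TUPLES) abort();   /* toy limit for the example */
            t = &c->tuples[c->ntuples++];
            t->src_len = r->src_len; t->dst_len = r->dst_len;
            memset(t->bucket, 0, sizeof t->bucket);
        }
        unsigned h = bucket_of(r->src, r->dst);
        r->tnext = t->bucket[h]; t->bucket[h] = r;
    }
}

/* "tuple": one hash probe per distinct (src_len, dst_len) pair; keep the earliest-positioned hit. */
static int classify_tuple(struct chain *c, uint32_t src, uint32_t dst) {
    struct rule *best = NULL;
    for (int i = 0; i < c->ntuples; i++) {
        struct tuple *t = &c->tuples[i];
        uint32_t s = src & prefix_mask(t->src_len), d = dst & prefix_mask(t->dst_len);
        for (struct rule *r = t->bucket[bucket_of(s, d)]; r; r = r->tnext)
            if (r->src == s && r->dst == d && (!best || r->pos < best->pos)) best = r;
    }
    return best ? best->verdict : c->policy;
}

/* Equivalent of a per-chain "-C": select the algorithm and build whatever index it needs. */
static void chain_set_algorithm(struct chain *c, const char *name) {
    if (strcmp(name, "tuple") == 0) { c->classify = classify_tuple; tuple_build(c); }
    else c->classify = classify_linear;
}

static void chain_free(struct chain *c) {
    for (struct rule *r = c->head, *n; r; r = n) { n = r->next; free(r); }
    c->head = NULL; c->nrules = 0;
}

/* Constructed sample chain (policy DROP, three rules). Returns the verdict for packet pkt (0..3)
 * under algorithm algo, optionally after deleting the 10.0.0.0/8 DROP rule at position 1. */
static int sample_verdict(const char *algo, int pkt, int delete_rule1) {
    struct chain c = { .policy = VERDICT_DROP };
    chain_append(&c, ip4(10,1,2,0), 24, ip4(192,168,0,0), 16, VERDICT_ACCEPT); /* pos 0 */
    chain_append(&c, ip4(10,0,0,0),  8, ip4(0,0,0,0),      0, VERDICT_DROP);   /* pos 1 */
    chain_append(&c, ip4(0,0,0,0),   0, ip4(192,168,0,0), 16, VERDICT_ACCEPT); /* pos 2 */
    if (delete_rule1) chain_delete(&c, 1);
    chain_set_algorithm(&c, algo);
    uint32_t pk[4][2] = {
        { ip4(10,1,2,5),   ip4(192,168,3,4) },  /* hits rule 0 */
        { ip4(10,9,9,9),   ip4(192,168,1,1) },  /* hits rule 1; rule 2 also matches but is later */
        { ip4(172,16,0,1), ip4(192,168,1,1) },  /* hits rule 2 */
        { ip4(172,16,0,1), ip4(8,8,8,8) },      /* no rule: chain policy */
    };
    int v = c.classify(&c, pk[pkt][0], pk[pkt][1]);
    chain_free(&c);
    return v;
}

int main(void) {
    for (int p = 0; p < 4; p++)
        printf("packet %d: linear=%d tuple=%d after-delete(tuple)=%d\n", p,
               sample_verdict("linear", p, 0), sample_verdict("tuple", p, 0), sample_verdict("tuple", p, 1));
    return 0;
}
```

Both classifiers must return the same verdict for every packet; the tuple search only saves work when many rules share the same (src_len, dst_len) pair, which is exactly the large-ruleset case the mail is about. Note that deleting a node from the list is cheap, but a chain running the "tuple" algorithm also has to rebuild (or incrementally patch) its index, so the per-chain algorithm must be told about each list change.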
Thread overview: 8+ messages
[not found] <464293e605040500395fa1fe55@mail.gmail.com>
[not found] ` <464293e60504050045720b8e52@mail.gmail.com>
2005-04-07 8:04 ` hamid jafarian [this message]
2005-04-07 8:55 ` a new version of iptabes Pablo Neira
2005-04-09 7:55 ` hamid jafarian
2005-04-09 8:56 ` Re[2]: " Maciej Soltysiak
2005-04-13 18:37 ` hamid jafarian
2005-07-05 14:06 ` hamid jafarian
2005-07-11 14:30 ` Amin Azez
2005-07-12 11:58 ` Amin Azez