a new version of iptabes

a new version of iptabes

[hamid jafarian]

hello ...

I was developed a new version of iptables .. this version is based on the 
requirements of firewalls with 25,000 rules or may be more..

Your version of iptables with continues memory for rule storage and linear 
search in the classification activities, can only manage firewalls with less 
than 1000 rules ( base on my tests ) but in my version, there is a very good 
chance for increasing the search activities: in this version you can use 
different classification algorithms to classify the packets ( up now only 
"linear" & "tuple" ). this algorithms can be developed like of targets and 
matches independent of the core .. and with a command option ( -C ) you can 
change the classification algorithm of a chain .. every chain (in this 
development) could have his own algorithm .. by this we can hope that the 
iptables will never be old.
You know that the classification algorithms (like of HiCuts & BV & Hypercuts 
) are developed to manage the classifying process of the packets.
 Another feature of this develop is using of link list instead of continues 
memory for rule storage. By this strategy, adding or deleting a rule just 
need to exchange the information of that rule between the user and kernel 
space, but in your version, you should exchange all of the database between 
the user and kernel space and also, do some expensive memory management 
activities ( free old database and allocate new memory for the new database, 
copy all of the database from the user space to the kernel space and also 
transform all of the rules, from user form to kernel form ) in the kernel 
space. your iptables is not appropriate for interactive firewalls but in 
this version, interactivity is a base feature.
 By this .. i was transformed all of the rule management activities from 
user space to the kernel space ..
 This version is very flexible and powerful and can be used instead of the 
current version of iptables.
 I also was done some tests on the new version. if you like i can give you 
the results of this tests and also if you wish, give you this version for 
testing, using and (may) replacing the current version with this powerful 
version.

this version is developed only for IPV4 .. and the code that is used and 
changed for the user space is 1.2.9 ..
in the coding of this version, i was used form many new and appropriate 
structures for easy to understand and change ... like of your style for 
coding in the user space ( using macroes for IPV4 and IPV6 coding) we can 
use this style for coding the IPV6.

IMPORTANT: the "iptables" command is not changed and you can use from the 
iptables and all of the current matches and targets without any changes or 
new information, and also the commands of iptabes-save and iptables-restore 
is changed to work with this new version.

this version is a GOOD CHANCE ............

be happy ..
 ... hamid jafarian ...
 -- 
H.T.

Re: a new version of iptabes

[Pablo Neira]

hamid jafarian wrote:
> You know that the classification algorithms (like of HiCuts & BV & Hypercuts 
> ) are developed to manage the classifying process of the packets.

cool, where's your version ?

--
Pablo

Re: a new version of iptabes

[hamid jafarian]

On Apr 7, 2005 1:25 PM, Pablo Neira <pablo@eurodev.net> wrote: 
> 
> hamid jafarian wrote:
> > You know that the classification algorithms (like of HiCuts & BV & 
> Hypercuts
> > ) are developed to manage the classifying process of the packets.
> 
> cool, where's your version ?
> 
> --
> Pablo
> 

easy .. beside me ...
all of the files in the user space and also for the kernel space have been 
changed .. and also been test
if you want .. i will give you the files and also installation help .... but 
to whom and also how

-- 
H.T.

Re[2]: a new version of iptabes

[Maciej Soltysiak]

Hello hamid,

Saturday, April 9, 2005, 9:55:50 AM, you wrote:

> On Apr 7, 2005 1:25 PM, Pablo Neira <pablo@eurodev.net> wrote: 
>> cool, where's your version ?

> if you want .. i will give you the files and also installation help .... but
> to whom and also how
To show your work please refer to FAQ 4.4:
http://www.iptables.org/documentation/FAQ/netfilter-faq-4.html#ss4.4

Post the patch here or make a website with the patch and installation docs.
You want this to be public, right?

--
Regards,
Maciej

Re: Re[2]: a new version of iptabes

[hamid jafarian]

On 4/9/05, Maciej Soltysiak <solt@dns.toxicfilms.tv> wrote: 
> 
> Hello hamid,
> 
> Saturday, April 9, 2005, 9:55:50 AM, you wrote:
> 
> > On Apr 7, 2005 1:25 PM, Pablo Neira <pablo@eurodev.net> wrote:
> >> cool, where's your version ?
> 
> > if you want .. i will give you the files and also installation help .... 
> but
> > to whom and also how
> 
> make a website with the patch and installation
> 
> --
> Regards,
> Maciej

 hello ...

go here ..
http://www.geocities.com/hamidreza_jm/

-- 
H.T.

Re: Re[2]: a new version of iptabes

[hamid jafarian]

On 4/13/05, hamid jafarian <hamid.jafarian@gmail.com> wrote: 
> 
> 
> 
> On 4/9/05, Maciej Soltysiak <solt@dns.toxicfilms.tv> wrote: 
> > 
> > Hello hamid,
> > 
> > Saturday, April 9, 2005, 9:55:50 AM, you wrote:
> > 
> > > On Apr 7, 2005 1:25 PM, Pablo Neira < pablo@eurodev.net> wrote:
> > >> cool, where's your version ?
> > 
> > > if you want .. i will give you the files and also installation help 
> > .... but
> > > to whom and also how 
> > 
> > make a website with the patch and installation
> > 
> > --
> > Regards,
> > Maciej
> 
>  hello ...
> 
> go here ..
> http://www.geocities.com/hamidreza_jm/
> 
> -- 
> H.T. 



hello again ........ Sir Netfilter developers ...
 after two month .. if you could use from the new version ... reply to me 
your ideas about it ..
 or not please delete it from you computer ..
 tanks .. 

-- 
H.T.

Re: a new version of iptabes

[Amin Azez]

I am inetersted in what you have done but haven't yet had time to look
at it in detail.

Guessing at why you have not had much response:

I see that it may be difficult to supply smaller patches to move over to
your code a bit at a time, but it would be harder for people familiar
with current iptables to change everything in one go to something they
are not familiar with.

You work looks like it would bring impressive benefits to the kernel, so
I make these suggestions and I hope some other more experienced
developers could comment;

To ease adoption of your work, break it into smaller patches which
provide the new features independantly.

Perhaps the first useful feature would be linked lists instead of
continuous memory, and has the direct benefit of reducing startup time
for systems with a lot of rules. This is a distinct benefit.

Next, and as people will then be familiar with your work, introduce more
patches which add different classifiers etc.

As goes with many other patches, you may have to keep them up to date
with newer kernels as people adopt them in their own time.

I have to do the same with my link-layer stuff in conntrack which it
looks like will eventually get replaced with some cross-marking between
iptables, ebtables and arptables.

I think your work is useful and beneficial and encourage you to present
it as seperate patches and to add them to pom-ng if you can (I will
discuss how to do this if you need it). Once it is in pom-ng, or at
least available as a set of up-to-date patches it becomes easier for
other people to try it out.

I certainly am interested in your work and intend to make use of it and
give feedback.

I am currently using kernel 2.6.11 and 2.6.12 with iptables 1.3.1

Earlier versions are too old, are you able to re-work you patches for
later kernels and in 2 parts as suggested?

Amin

hamid jafarian wrote:
> On 4/13/05, hamid jafarian <hamid.jafarian@gmail.com> wrote: 
> 
>>
>>
>>On 4/9/05, Maciej Soltysiak <solt@dns.toxicfilms.tv> wrote: 
>>
>>>Hello hamid,
>>>
>>>Saturday, April 9, 2005, 9:55:50 AM, you wrote:
>>>
>>>
>>>>On Apr 7, 2005 1:25 PM, Pablo Neira < pablo@eurodev.net> wrote:
>>>>
>>>>>cool, where's your version ?
>>>
>>>>if you want .. i will give you the files and also installation help 
>>>
>>>.... but
>>>
>>>>to whom and also how 
>>>
>>>make a website with the patch and installation
>>>
>>>--
>>>Regards,
>>>Maciej
>>
>> hello ...
>>
>>go here ..
>>http://www.geocities.com/hamidreza_jm/
>>
>>-- 
>>H.T. 
> 
> 
> 
> 
> hello again ........ Sir Netfilter developers ...
>  after two month .. if you could use from the new version ... reply to me 
> your ideas about it ..
>  or not please delete it from you computer ..
>  tanks .. 
> 

Re: a new version of iptabes

[Amin Azez]

Hamid, I see you have deleted your patches from your server.

I hope you will consider to publish them again.

I was please 2 months ago when you published these and hope to help have
it worked into the standard linux kernel.

Azez


hamid jafarian wrote:
> On 4/13/05, hamid jafarian <hamid.jafarian@gmail.com> wrote: 
> 
>>
>>
>>On 4/9/05, Maciej Soltysiak <solt@dns.toxicfilms.tv> wrote: 
>>
>>>Hello hamid,
>>>
>>>Saturday, April 9, 2005, 9:55:50 AM, you wrote:
>>>
>>>
>>>>On Apr 7, 2005 1:25 PM, Pablo Neira < pablo@eurodev.net> wrote:
>>>>
>>>>>cool, where's your version ?
>>>
>>>>if you want .. i will give you the files and also installation help 
>>>
>>>.... but
>>>
>>>>to whom and also how 
>>>
>>>make a website with the patch and installation
>>>
>>>--
>>>Regards,
>>>Maciej
>>
>> hello ...
>>
>>go here ..
>>http://www.geocities.com/hamidreza_jm/
>>
>>-- 
>>H.T. 
> 
> 
> 
> 
> hello again ........ Sir Netfilter developers ...
>  after two month .. if you could use from the new version ... reply to me 
> your ideas about it ..
>  or not please delete it from you computer ..
>  tanks .. 
>