
Version 0.9.1 (2005-10-11):

Bugfixes:
  • fixed bug in netdev helper
  • fixed gcc 3.4 and 4.0 compile errors and warnings
  • fixed compatibility with some iptables matches (e.g. physdev)

Version 0.9.0 (2005-09-26):

New Features:
  • ported everything to Linux kernel 2.6
  • kernel patch is now fairly non-intrusive: it only adds one simple function to ip_tables.c. The rest of the patch introduces new files to the kernel
  • added support for SINGLE PATH lookup
  • using RCU: no locking during lookup required anymore
  • improved lookup performance, less overhead
  • removed support for counters
  • increased number of possible dimensions from 16 to 32
  • added support for hotdrop in extractor functions and hipac_match
  • added support for iptables 1.2.x and 1.3.x
  • added iptables match and target revision support
  • added native support for state UNTRACKED
  • added native support for ESTABLISHED,RELATED match
  • allow ranges in protocol dimension
  • changed the semantics of parse_native_protocol: protocol definitions involving 0 are now allowed
  • lots of changes to the nf-hipac userspace tool in order to increase compatibility with iptables extensions (iptables matches and targets)
Bugfixes:
  • fixed delete-by-rule for rules which contain a chain target
  • fixed delete-by-rule for rules which contain an iptables target
  • fixed delete of user-defined chains
  • rules containing a state match were not rejected when the kernel failed to load the nf-HiPAC connection tracking helper module
  • fixed memory leaks in nf-hipac userspace tool
  • fixed bug that triggered kernel warnings during module removal
  • fixed bug that triggered spinlock context warnings during rule listings
  • fixed rule listing deadlock
  • fixed bug that caused the HiPAC core to fail whenever an allocation was made whose size was not a power of two. This bug caused panics on Linux 2.6 but never showed up on 2.4
Details about changes in the HiPAC algorithm core:
  • replaced btree implementation with better rlp implementation:
    • based on static binary search
    • enables arbitrary number of wildcard dimensions
    • removed support for BIT_U8 dimensions
  • directly return defined netfilter targets from hipac_match
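The "static binary search" mentioned above is the classic way to answer a range lookup in one dimension: collect every point where the set of matching rules can change, sort them once into elementary intervals, precompute the winning rule per interval, and then locate a packet field by binary search over the immutable boundary array. The following C program is an added illustration of that one-dimensional idea, written for this page; it is not nf-HiPAC's rlp code, which is multi-dimensional and differs in detail. The ruleset, port values and first-match priority are constructed assumptions. Because the structure is never written after it is built, readers need no lock, which is the property that lets an updater build a replacement and publish it RCU-style instead of editing a structure readers may be traversing.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One rule in a single 16-bit dimension (think DPORT), matching the inclusive
 * range [lo, hi]. Lower index == higher priority: the first matching rule wins. */
struct range_rule {
    uint32_t lo, hi;          /* 32-bit so that hi + 1 cannot overflow */
    const char *action;
};

#define NO_RULE (-1)

/* Constructed example ruleset (assumption, not from the nf-HiPAC page).
 * Rule 3 is deliberately shadowed by rule 2. */
static const struct range_rule example_rules[] = {
    {   22,    22, "ACCEPT" },   /* 0: ssh */
    { 1024, 65535, "ACCEPT" },   /* 1: unprivileged ports */
    {    0,  1023, "DROP"   },   /* 2: every other privileged port */
    {   80,    80, "ACCEPT" },   /* 3: never reached, rule 2 already covers 80 */
};
#define N_EXAMPLE_RULES (sizeof example_rules / sizeof example_rules[0])

/* Read-only lookup structure. bounds[] holds the sorted, unique start points of
 * the elementary intervals; first_rule[i] is the first rule covering
 * [bounds[i], bounds[i+1] - 1], or NO_RULE. Nothing writes to it after build. */
struct range_lookup {
    uint32_t *bounds;
    int *first_rule;
    size_t n;
};

static int cmp_u32(const void *a, const void *b)
{
    uint32_t x = *(const uint32_t *)a, y = *(const uint32_t *)b;
    return (x > y) - (x < y);
}

/* The matching set can only change at 0, at a rule's lo, or at a rule's hi + 1.
 * Collect, sort and dedupe those points; build cost O(n log n + n*m), paid once. */
static struct range_lookup *build_lookup(const struct range_rule *rules, size_t nrules)
{
    struct range_lookup *rl = calloc(1, sizeof *rl);
    uint32_t *pts = malloc((2 * nrules + 1) * sizeof *pts);
    size_t np = 0, i, j;

    if (!rl || !pts) abort();
    pts[np++] = 0;
    for (i = 0; i < nrules; i++) {
        pts[np++] = rules[i].lo;
        pts[np++] = rules[i].hi + 1;   /* may be 65536: sorts last, never selected */
    }
    qsort(pts, np, sizeof *pts, cmp_u32);
    for (i = 0, j = 0; i < np; i++)    /* dedupe in place */
        if (j == 0 || pts[j - 1] != pts[i])
            pts[j++] = pts[i];
    rl->bounds = pts;
    rl->n = j;
    rl->first_rule = malloc(j * sizeof *rl->first_rule);
    if (!rl->first_rule) abort();

    /* An elementary interval lies entirely inside or outside every rule, so
     * testing its start point is enough. First hit == highest priority. */
    for (i = 0; i < j; i++) {
        size_t r;
        rl->first_rule[i] = NO_RULE;
        for (r = 0; r < nrules; r++)
            if (rules[r].lo <= pts[i] && pts[i] <= rules[r].hi) {
                rl->first_rule[i] = (int)r;
                break;
            }
    }
    return rl;
}

/* Static binary search for the largest i with bounds[i] <= key. bounds[0] == 0
 * guarantees such an i exists for every 16-bit key. O(log n), no writes, no lock. */
static int lookup_rule(const struct range_lookup *rl, uint16_t key)
{
    size_t lo = 0, hi = rl->n;   /* invariant: bounds[lo] <= key < bounds[hi] (hi == n means +inf) */
    while (hi - lo > 1) {
        size_t mid = lo + (hi - lo) / 2;
        if (rl->bounds[mid] <= key)
            lo = mid;
        else
            hi = mid;
    }
    return rl->first_rule[lo];
}

/* Entry points over the constructed ruleset; the structure is built once. */
static int classify_port(uint16_t port)
{
    static struct range_lookup *rl;
    if (!rl)
        rl = build_lookup(example_rules, N_EXAMPLE_RULES);
    return lookup_rule(rl, port);
}

static const char *port_action(uint16_t port)
{
    int r = classify_port(port);
    return r == NO_RULE ? "POLICY" : example_rules[r].action;
}

int main(void)
{
    uint16_t ports[] = { 22, 80, 443, 1023, 1024, 8080, 65535 };
    size_t i;
    for (i = 0; i < sizeof ports / sizeof ports[0]; i++)
        printf("port %5u -> rule %d (%s)\n", (unsigned)ports[i],
               classify_port(ports[i]), port_action(ports[i]));
    return 0;
}
```

Note that port 80 resolves to rule 2 (DROP), not rule 3: shadowing is decided once at build time, which is also where a rule-listing tool could warn about it, rather than on every packet.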
Details about changes in the nf-HiPAC kernel module:
  • required changes for the linux kernel 2.6, e.g.:
    • module refcounting
    • extractor functions
    • iptables matches and targets support: switching to ipt_find_target and ipt_find_match
    • netlink and socket changes
    • new kbuild language
  • added support for non-linear skbs
  • accept incomplete local ip packets
  • removed skb_ok function: checks now incorporated into extractor functions
  • complete reimplementation of netdev helper:
    • using netdev notifier
    • no longer based on veto functionality, so the patches to dev.c and netdevice.h are not required anymore
    • no locking required during lookup
  • rewrote parts of netlink based kernel <-> userspace communication:
    • using existing netlink_dump_* functionality instead of patching the kernel
    • removed struct nfhp_err
    • removed 128KB allocs for skbs in kernel and userspace
  • changed netlink proto number from 7 to 26
  • added kernel thread to process the netlink messages and rule updates
  • replaced nf_change_prio_hook with nf_register_hook and nf_unregister_hook in order to avoid kernel patch
  • changed default invocation order at netfilter hooks: nf-HiPAC is now called before iptables
  • merged TCP_SPORT, TCP_DPORT, UDP_SPORT, UDP_DPORT into SPORT and DPORT
  • changed BIT_U8 to BIT_U16 dimensions in order to get rid of 8 bit support
  • moved state dimension to first dimension
  • moved fragment dimension below proto dimension
  • renamed tcp_flags: now called syn dimension
  • make sure that only the source and destination ip dimensions are wildcard dimensions. This allows the use of additional non-wildcard 32-bit dimensions
  • removed superfluous connection tracking configure option

Version 0.8.0 (2003-06-25):

General Changes:
  • major rewrite of most of the code
New Features:
  • optimized kernel-user protocol (netlink): improved rule listing speed
  • libnfhipac: netlink library for kernel-user communication
  • added native match support for fragments
  • generic support for iptables targets and matches (binary compatibility)
  • user-defined chains support
  • 64 bit atomic counters
  • kernel modules autoloading
  • /proc/net/nf-hipac/info:
    • general information:
      # cat /proc/net/nf-hipac/info
    • dynamically limit the maximum memory usage:
      # echo <size in MB> > /proc/net/nf-hipac/info
    • nf-hipac invoked before iptables:
      # echo nf-hipac-first > /proc/net/nf-hipac/info
    • iptables invoked before nf-hipac:
      # echo iptables-first > /proc/net/nf-hipac/info
  • extended statistics via /proc/net/nf-hipac/statistics/* :
    • general memory statistics:
      # cat /proc/net/nf-hipac/statistics/mem
    • btree statistics (per hook):
      # cat /proc/net/nf-hipac/statistics/btree_{input,forward,output}
    • dimtree statistics (per hook):
      # cat /proc/net/nf-hipac/statistics/dimtree_{input,forward,output}
    • hipac rule statistics (per hook):
      # cat /proc/net/nf-hipac/statistics/hipac_rules_{input,forward,output}
    • hipac chain statistics:
      # cat /proc/net/nf-hipac/statistics/hipac_chains
Bugfixes:
  • check for invalid tcp/udp/icmp headers added
  • proto match did not work for fragmented packets; this has been fixed

Version 0.1a (2002-12-30):

Bugfixes:
  • get_tcp_flags fixed (--syn and --not-syn now work properly)
  • minor bug in HiPAC statistics struct fixed: btree_type_stats_u16[] and btree_type_stats_u8[] are now __u32

Version 0.1 (2002-12-08):

New Features:
  • support for 64 bit architectures: nf-HiPAC should now work on all architectures supported by the linux kernel
  • dynamically change invocation order of iptables and nf-HiPAC via
    /proc/net/nf-hipac without losing your rules:
    • nf-HiPAC invoked before iptables:
      # echo nfhp-first > /proc/net/nf-hipac
    • iptables invoked before nf-HiPAC:
      # echo ipt-first > /proc/net/nf-hipac
  • support for negation (!) in matches
  • autoloading of the kernel module nf_hipac.o
  • install and uninstall target added to Makefile
Bugfixes:
  • output of /proc/net/nf-hipac can be larger than 4K
  • interface matching code: you can now match arbitrary interfaces, existing or non-existing, unload and reload the device driver, and rename your interfaces as you like without breaking the match
  • rules containing DNS names expand to multiple rules, one for each IP the name resolves to; if both source and destination are DNS names, all combinations of the resolved IPs are present in the expanded ruleset
  • catch-all matches aren't submitted to the kernel anymore
  • rudimentary in-kernel sanity checks of submitted rules
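The DNS expansion described in the list above (one rule per resolved address, and the full cross product when both source and destination are names) is shown below as an added C example written for this page; it is not the nf-hipac userspace tool's own code. The resolver is a constructed name-to-address table standing in for getaddrinfo(), the hostnames and addresses are hypothetical test data, and two details are this example's own choices rather than documented nf-HiPAC behaviour: duplicate A records are collapsed, and a name with no records makes the whole rule fail instead of silently expanding to zero rules.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_ADDRS 4
#define MAX_RULES 64

/* Constructed name -> A-record table standing in for getaddrinfo().
 * The names and addresses are hypothetical test data, not from the page. */
struct host_entry { const char *name; const char *addrs[MAX_ADDRS]; };

static const struct host_entry fake_dns[] = {
    { "www.example.test",   { "192.0.2.10", "192.0.2.11", NULL } },
    { "db.example.test",    { "198.51.100.5", "198.51.100.6", "198.51.100.5", NULL } }, /* duplicate record */
    { "empty.example.test", { NULL } },                                                  /* no A records */
};

/* One expanded rule: a concrete source and destination address. */
struct ip_rule { const char *src, *dst; };

/* Cheap syntactic test: digits and exactly three dots. Good enough to tell a
 * literal IPv4 address from a hostname for this example. */
static int looks_like_ipv4(const char *s)
{
    int dots = 0;
    if (!*s) return 0;
    for (; *s; s++) {
        if (*s == '.') dots++;
        else if (!isdigit((unsigned char)*s)) return 0;
    }
    return dots == 3;
}

/* Resolve spec into out[], dropping duplicate addresses. A literal IPv4
 * address resolves to itself. Returns the address count, or -1 when the name
 * is unknown or has no records: the caller must refuse the rule rather than
 * silently install nothing (design choice of this example). */
static int resolve(const char *spec, const char *out[MAX_ADDRS])
{
    size_t e, i, n = 0;
    if (looks_like_ipv4(spec)) { out[0] = spec; return 1; }
    for (e = 0; e < sizeof fake_dns / sizeof fake_dns[0]; e++) {
        if (strcmp(fake_dns[e].name, spec) != 0) continue;
        for (i = 0; fake_dns[e].addrs[i]; i++) {
            size_t k;
            for (k = 0; k < n && strcmp(out[k], fake_dns[e].addrs[i]) != 0; k++)
                ;
            if (k == n) out[n++] = fake_dns[e].addrs[i];
        }
        return n ? (int)n : -1;
    }
    return -1;
}

/* Expand one src/dst rule into the cross product of the resolved addresses.
 * Returns the number of rules written to out, or -1 if either side could not
 * be resolved or the product would not fit (nothing is written then). */
static int expand_rule(const char *src, const char *dst, struct ip_rule out[MAX_RULES])
{
    const char *s[MAX_ADDRS], *d[MAX_ADDRS];
    int ns = resolve(src, s), nd = resolve(dst, d), i, j, n = 0;
    if (ns < 0 || nd < 0 || ns * nd > MAX_RULES) return -1;
    for (i = 0; i < ns; i++)
        for (j = 0; j < nd; j++) {
            out[n].src = s[i];
            out[n].dst = d[j];
            n++;
        }
    return n;
}

int main(void)
{
    struct ip_rule rules[MAX_RULES];
    int n = expand_rule("www.example.test", "db.example.test", rules), i;
    for (i = 0; i < n; i++)
        printf("-s %s -d %s\n", rules[i].src, rules[i].dst);
    if (expand_rule("empty.example.test", "192.0.2.1", rules) < 0)
        puts("rule refused: empty.example.test has no address records");
    return 0;
}
```

Two practical caveats follow from this expansion model: the ruleset is a snapshot of what DNS answered at submission time and does not track later changes, and whoever controls the answer for a name used in an ACCEPT rule controls which addresses that rule admits, so names in rules should come from zones the operator trusts.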

Version 0.0.2 (2002-09-04):

New Features:
  • /proc/net/nf-hipac added:
    • algorithm statistics available via:
      # cat /proc/net/nf-hipac
    • allows to dynamically limit the maximum memory usage:
      # echo <size in MB> > /proc/net/nf-hipac
Bugfixes:
  • icmp type match fixed
  • fixed compilation error with some gcc versions
  • added correct memory handling
  • moved netlink protocol number from NETLINK_FIREWALL to 6
  • fixed 16 bit matches for btrees with more than 2944 elements

Version 0.0.1 (2002-08-24):

First public release