- fixed compatibility with some iptables matches (e.g. physdev)

Version 0.9.0 (2005-09-26):

  New Features:
    - ported everything to Linux kernel 2.6
    - kernel patch is now fairly non-intrusive: it only adds one simple function
      to ip_tables.c; the rest of the patch introduces new files to the kernel
    - added support for SINGLE PATH lookup
    - using RCU: no locking during lookup required anymore
    - improved lookup performance, less overhead
    - removed support for counters
    - increased number of possible dimensions from 16 to 32
    - added support for hotdrop in extractor functions and hipac_match
    - added support for iptables 1.2.x and 1.3.x
    - added iptables match and target revision support
    - added native support for state UNTRACKED
    - added native support for ESTABLISHED,RELATED match
    - allow ranges in protocol dimension
    - changed semantics of parse_native_protocol: protocol definitions
      involving 0 are now allowed
    - lots of changes to the nf-hipac userspace tool in order to increase
      compatibility with iptables extensions (iptables matches and targets)

  Bugfixes:
    - fixed delete-by-rule for rules which contain a chain target
    - fixed delete-by-rule for rules which contain an iptables target
    - fixed delete of user-defined chains
    - rules containing a state match were not rejected if the kernel failed
      to load the nf-HiPAC connection tracking helper module
    - fixed memory leaks in nf-hipac userspace tool
    - fixed bug that triggered kernel warnings during module removal
    - fixed bug that triggered spinlock context warnings during rule listings
    - fixed rule listing deadlock
    - fixed bug that caused the HiPAC core to fail whenever allocations were
      made whose size was not a power of 2; this bug caused panics on Linux 2.6
      but never appeared on 2.4

  Details about changes in the HiPAC algorithm core:
    - replaced btree implementation with better rlp implementation:
        - based on static binary search
        - enables arbitrary number of wildcard dimensions
    - removed support for BIT_U8 dimensions
    - directly return defined netfilter targets from hipac_match
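The entries above describe the new lookup core only in outline. The following C program is an added illustration, not nf-HiPAC's own code (whose data structures differ), of the general technique a static binary-search range lookup rests on: at rule-update time the ranges of one dimension are cut into sorted elementary intervals, each annotated with the first rule that covers it; the per-packet lookup is then a binary search over a table that is never modified, which is what makes lock-free (RCU-style) reads possible, since an update builds a fresh table and publishes it rather than touching the one readers are using. The rule set, port numbers and function names are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

#define MAX_RULES  32
#define MAX_BOUNDS (2 * MAX_RULES + 1)
#define NO_MATCH   (-1)

/* A rule restricted to one dimension (here an inclusive destination-port range).
 * Array order is rule priority: the lower index wins. Constructed for the example. */
struct rule { uint16_t lo, hi; };

/* Static lookup structure for one dimension: sorted interval boundaries plus,
 * for each elementary interval [bound[i], bound[i+1]), the index of the
 * highest-priority rule covering it. Built once, never modified afterwards. */
struct dim_table {
    uint32_t bound[MAX_BOUNDS];
    int      rule_idx[MAX_BOUNDS];
    int      nbounds;
};

static int cmp_u32(const void *a, const void *b) {
    uint32_t x = *(const uint32_t *)a, y = *(const uint32_t *)b;
    return (x > y) - (x < y);
}

/* Update path: O(n log n) once per rule-set change. A real implementation
 * would build the new table aside and publish it to readers atomically. */
void build_table(struct dim_table *t, const struct rule *rules, int nrules) {
    uint32_t tmp[MAX_BOUNDS];
    int n = 0;

    if (nrules > MAX_RULES)
        nrules = MAX_RULES;
    tmp[n++] = 0;                             /* the key space always starts at 0 */
    for (int i = 0; i < nrules; i++) {
        tmp[n++] = rules[i].lo;
        tmp[n++] = (uint32_t)rules[i].hi + 1; /* half-open end; may be 65536 */
    }
    qsort(tmp, n, sizeof tmp[0], cmp_u32);

    t->nbounds = 0;                           /* drop duplicate boundaries */
    for (int i = 0; i < n; i++)
        if (t->nbounds == 0 || tmp[i] != t->bound[t->nbounds - 1])
            t->bound[t->nbounds++] = tmp[i];

    /* Every elementary interval is homogeneous, so its start point decides it. */
    for (int i = 0; i < t->nbounds; i++) {
        uint32_t point = t->bound[i];
        t->rule_idx[i] = NO_MATCH;
        for (int r = 0; r < nrules; r++) {
            if (point >= rules[r].lo && point <= rules[r].hi) {
                t->rule_idx[i] = r;           /* first match = highest priority */
                break;
            }
        }
    }
}

/* Lookup path: binary search for the last boundary <= key. Reads only, so
 * concurrent lookups need no lock as long as the table stays immutable. */
int lookup(const struct dim_table *t, uint16_t key) {
    int lo = 0, hi = t->nbounds - 1;
    while (lo < hi) {
        int mid = lo + (hi - lo + 1) / 2;
        if (t->bound[mid] <= key)
            lo = mid;
        else
            hi = mid - 1;
    }
    return t->rule_idx[lo];
}

/* Constructed rule set: specific rules first, a broad overlapping one last. */
static const struct rule sample_rules[] = {
    { 22,   22 },    /* rule 0: ssh */
    { 80,  443 },    /* rule 1: web ports, overlaps rule 2 */
    {  0, 1023 },    /* rule 2: all privileged ports */
};

/* Build the sample table and look one port up; returns the rule index or NO_MATCH. */
int sample_lookup(uint16_t port) {
    struct dim_table t;
    build_table(&t, sample_rules, 3);
    return lookup(&t, port);
}

int main(void) {
    uint16_t ports[] = { 22, 100, 500, 1024 };
    for (size_t i = 0; i < sizeof ports / sizeof ports[0]; i++)
        printf("port %5u -> rule %d\n", ports[i], sample_lookup(ports[i]));
    return 0;
}
```

Port 100 resolves to rule 1 even though rule 2 also covers it, because the table records the first matching rule per elementary interval at build time; port 1024 falls outside every range and yields NO_MATCH.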
  Details about changes in the nf-HiPAC kernel module:
    - required changes for the linux kernel 2.6, e.g.:
        - module refcounting
        - extractor functions
        - iptables matches and targets support: switching to ipt_find_target
          and ipt_find_match
        - netlink and socket changes
        - new kbuild language
    - added support for non-linear skbs
    - accept incomplete local ip packets
    - removed skb_ok function: checks now incorporated into extractor functions
    - complete reimplementation of netdev helper:
        - using netdev notifier
        - not based on veto functionality => patches to dev.c and netdevice.h
          not required anymore
        - no locking required during lookup
    - rewrote parts of netlink based kernel <-> userspace communication:
        - using existing netlink_dump_* functionality instead of patching the
          kernel
        - removed struct nfhp_err
        - removed 128KB allocs for skbs in kernel and userspace
        - changed netlink proto number from 7 to 26
        - added kernel thread to process the netlink messages and rule updates
    - replaced nf_change_prio_hook with nf_register_hook and nf_unregister_hook
      in order to avoid kernel patch
    - changed default invocation order at netfilter hooks: nf-HiPAC is now
      called before iptables
    - merged TCP_SPORT, TCP_DPORT, UDP_SPORT, UDP_DPORT into SPORT and DPORT
    - changed BIT_U8 to BIT_U16 dimensions in order to get rid of 8 bit support
    - moved state dimension to first dimension
    - moved fragment dimension below proto dimension
    - renamed tcp_flags: now called syn dimension
    - make sure that only the source and destination ip dimensions are wildcard
      dimensions; this allows the use of additional non-wildcard 32-bit dimensions
    - proto match did not work for fragmented packets; this has been fixed
Version 0.1a (2002-12-30):

  Bugfixes:
    - get_tcp_flags fixed (--syn and ! --syn now work properly)
    - minor bug in HiPAC statistics struct fixed: btree_type_stats_u16[]
      and btree_type_stats_u8[] are now __u32

Version 0.1 (2002-12-08):

  New Features:
    - support for 64 bit architectures: nf-HiPAC should now work on all
      architectures supported by the Linux kernel
    - dynamically change the invocation order of iptables and nf-HiPAC via
      /proc/net/nf-hipac without losing your rules:
        nf-HiPAC invoked before iptables:
          # echo nfhp-first > /proc/net/nf-hipac
        iptables invoked before nf-HiPAC:
          # echo ipt-first > /proc/net/nf-hipac
    - support for negation (!) in matches
    - autoloading of the kernel module nf_hipac.o
    - install and uninstall targets added to Makefile

  Bugfixes:
    - output of /proc/net/nf-hipac can be larger than 4K
    - interface matching code: now you can match arbitrary interfaces, existing
      or non-existing ones, unload and reload the device driver and rename your
      interfaces as you like without breaking the match
    - rules containing DNS names expand to multiple rules containing all
      IPs that resolve to the DNS name; if both source and destination IP are
      DNS names, all combinations of IPs are present in the expanded ruleset
    - catch-all matches aren't submitted to the kernel anymore
    - rudimentary in-kernel sanity checks of submitted rules
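To make the DNS name expansion described in the 0.1 bugfixes concrete, here is an added C example; it is not the nf-hipac userspace tool's code. A constructed name-to-address table (made-up names, documentation-range addresses) stands in for the resolver so the program runs offline; the expansion builds the cross product of the resolved source and destination addresses and refuses to overflow the caller's buffer rather than silently dropping combinations.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ADDRS    4                        /* addresses per name in the constructed table */
#define MAX_EXPANDED (MAX_ADDRS * MAX_ADDRS)

/* Constructed stand-in for the resolver: hypothetical names mapped to fixed addresses. */
struct host_entry { const char *name; const char *addrs[MAX_ADDRS]; int n; };
static const struct host_entry fake_dns[] = {
    { "www.example.test", { "192.0.2.10", "192.0.2.11" }, 2 },
    { "db.example.test",  { "198.51.100.5", "198.51.100.6", "198.51.100.7" }, 3 },
};

/* Resolve one rule operand: a known name yields its addresses, anything else is
 * treated as an address literal that resolves to itself. Returns the count. */
static int resolve(const char *spec, const char *out[MAX_ADDRS]) {
    for (size_t i = 0; i < sizeof fake_dns / sizeof fake_dns[0]; i++) {
        if (strcmp(spec, fake_dns[i].name) == 0) {
            for (int j = 0; j < fake_dns[i].n; j++)
                out[j] = fake_dns[i].addrs[j];
            return fake_dns[i].n;
        }
    }
    out[0] = spec;
    return 1;
}

/* One concrete rule as it would be submitted to the kernel: literal addresses only. */
struct expanded_rule { const char *src; const char *dst; };

/* Expand (src_spec, dst_spec) into every source/destination address combination.
 * Returns the number of rules written, or -1 if 'max' is too small for all of them. */
int expand_rule(const char *src_spec, const char *dst_spec,
                struct expanded_rule *out, int max) {
    const char *src[MAX_ADDRS], *dst[MAX_ADDRS];
    int ns = resolve(src_spec, src);
    int nd = resolve(dst_spec, dst);
    int k = 0;

    for (int i = 0; i < ns; i++) {
        for (int j = 0; j < nd; j++) {
            if (k >= max)
                return -1;                    /* refuse rather than truncate the ruleset */
            out[k].src = src[i];
            out[k].dst = dst[j];
            k++;
        }
    }
    return k;
}

/* Helpers that wrap expand_rule() for checking results. */
int expanded_count(const char *src_spec, const char *dst_spec) {
    struct expanded_rule buf[MAX_EXPANDED];
    return expand_rule(src_spec, dst_spec, buf, MAX_EXPANDED);
}

int expansion_overflows(const char *src_spec, const char *dst_spec, int max) {
    struct expanded_rule buf[MAX_EXPANDED];
    return expand_rule(src_spec, dst_spec, buf, max) == -1;
}

int expansion_contains(const char *src_spec, const char *dst_spec,
                       const char *src_ip, const char *dst_ip) {
    struct expanded_rule buf[MAX_EXPANDED];
    int n = expand_rule(src_spec, dst_spec, buf, MAX_EXPANDED);
    for (int i = 0; i < n; i++)
        if (strcmp(buf[i].src, src_ip) == 0 && strcmp(buf[i].dst, dst_ip) == 0)
            return 1;
    return 0;
}

int main(void) {
    struct expanded_rule buf[MAX_EXPANDED];
    int n = expand_rule("www.example.test", "db.example.test", buf, MAX_EXPANDED);
    for (int i = 0; i < n; i++)
        printf("rule %d: -s %s -d %s\n", i, buf[i].src, buf[i].dst);
    return 0;
}
```

Two practical consequences follow from the expansion. The number of kernel rules grows with the product of the address counts (2 x 3 = 6 here), so a name with many addresses on both sides multiplies the ruleset. And because the kernel only ever receives the literal addresses present when the rule was inserted, a later change in what the name resolves to is not reflected until the rule is re-inserted.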
Version 0.0.2 (2002-09-04):

  New Features:
    - /proc/net/nf-hipac added:
        algorithm statistics available via:
          # cat /proc/net/nf-hipac
        allows the maximum memory usage to be limited dynamically:
          # echo <size in MB> > /proc/net/nf-hipac

  Bugfixes:
    - icmp type match fixed
    - fixed compilation error with some gcc versions
    - added correct memory handling
    - moved netlink protocol number from NETLINK_FIREWALL to 6
    - fixed 16 bit matches for btrees with more than 2944 elements