- optimized for high performance packet classification with moderate memory usage
- completely dynamic: the data structure isn't rebuilt from scratch when inserting or deleting rules, so fast updates are possible
- no locking required during packet matching
- packet matching is not blocked or otherwise affected during rule updates
- support for 64-bit architectures
- optimized kernel-user protocol (netlink): improved listing speed
- libnfhipac: netlink library for kernel-user communication
- native match support for:
    - source/destination ip
    - in/out interface
    - protocol (udp, tcp, icmp)
    - fragments
    - source/destination ports (udp, tcp)
    - icmp type
    - tcp flags
    - ttl
    - connection state match
    - match negation ("!")
    - almost all native matches allow ranges
- iptables compatibility: syntax and semantics of the userspace tool are very similar to iptables
- coexistence of nf-HiPAC and iptables: both facilities can be used at the same time
- generic support for iptables targets and matches (binary compatibility)
- iptables target and match revision support
- support for iptables 1.2.x and 1.3.x
- integration into the netfilter connection tracking facility
- user-defined chains support
- kernel module autoloading
- non-intrusive kernel patch: only adds one simple function to ip_tables.c. The rest of the patch introduces new files to the kernel.
- /proc/net/nf-hipac/info:
    - general information:
      # cat /proc/net/nf-hipac/info
    - dynamically limit the maximum memory usage:
      # echo <size in MB> > /proc/net/nf-hipac/info
    - nf-hipac invoked before iptables:
      # echo nf-hipac-first > /proc/net/nf-hipac/info
    - iptables invoked before nf-hipac:
      # echo iptables-first > /proc/net/nf-hipac/info
- extended statistics via /proc/net/nf-hipac/statistics/* :
    - general memory statistics:
      # cat /proc/net/nf-hipac/statistics/mem
    - rlp statistics (per hook):
      # cat /proc/net/nf-hipac/statistics/rlp_{input,forward,output}
    - dimtree statistics (per hook):
      # cat /proc/net/nf-hipac/statistics/dimtree_{input,forward,output}
    - hipac rule statistics (per hook):
      # cat /proc/net/nf-hipac/statistics/hipac_rules_{input,forward,output}
    - hipac chain statistics:
      # cat /proc/net/nf-hipac/statistics/hipac_chains
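As an added example (not part of nf-HiPAC itself), a small POSIX sh helper that applies the /proc/net/nf-hipac/info settings listed above with input validation, so a typo cannot silently leave the evaluation order or memory limit unchanged; the function names and the control-path argument are assumptions, chosen so the helper can be exercised against an ordinary file when the module is not loaded.

```shell
#!/bin/sh
# Hypothetical helper for the nf-HiPAC /proc control interface.
# Both functions take the control file path first (normally
# /proc/net/nf-hipac/info) so they can be tested against a plain file.

NFHIPAC_INFO=/proc/net/nf-hipac/info

# nfhipac_set_order CTL ORDER
#   ORDER is "nf-hipac-first" or "iptables-first" (the two keywords the
#   kernel accepts); anything else is refused with status 2. Status 1 means
#   the control file is missing or not writable (module not loaded / not root).
nfhipac_set_order() {
    ctl=$1; order=$2
    case "$order" in
        nf-hipac-first|iptables-first) ;;
        *) echo "nfhipac: invalid order '$order'" >&2; return 2 ;;
    esac
    [ -w "$ctl" ] || { echo "nfhipac: $ctl not writable (module loaded?)" >&2; return 1; }
    echo "$order" > "$ctl"
}

# nfhipac_set_mem_limit CTL MB
#   MB is the maximum memory usage in megabytes; only a positive integer
#   without leading zeros is accepted.
nfhipac_set_mem_limit() {
    ctl=$1; mb=$2
    case "$mb" in
        ''|*[!0-9]*|0*) echo "nfhipac: invalid size '$mb' (positive integer MB)" >&2; return 2 ;;
    esac
    [ -w "$ctl" ] || { echo "nfhipac: $ctl not writable (module loaded?)" >&2; return 1; }
    echo "$mb" > "$ctl"
}

# nfhipac_show CTL: print the general information the kernel exposes.
nfhipac_show() {
    cat "$1"
}

# Typical use on a host with the module loaded (run as root):
#   nfhipac_set_order "$NFHIPAC_INFO" nf-hipac-first
#   nfhipac_set_mem_limit "$NFHIPAC_INFO" 64
#   nfhipac_show "$NFHIPAC_INFO"
```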