nf-HiPAC: High Performance Firewall for Linux Netfilter

implement better algorithmic core: The new core will dramatically reduce memory usage while at the same time improving the running time of insert and delete operations. The lookup performance will be improved radically too, especially for bigger rulesets. The concepts and the design are already developed, but the implementation is still in its very early stages
add support for transactions
add support for ipv6
add support for MAC matches
add functionality similar to iptables-restore
add native support for set of ranges (e.g. ippools). Each native match is not a single range but instead a set of ranges, which makes a single rule more expressive
consider making HiPAC available for NAT and mangle tables
consider removing "rule prefix mismatch" limitation
the next big step in the far future will be to extend the HiPAC algorithm to do classification with several stages. The HiPAC algorithm will then be capable of combining several classification problems in one data structure, e.g. it will be possible to solve routing, firewalling and traffic control with one HiPAC lookup. The idea is to shorten the packet forwarding path by combining e.g. fib_lookup and iptables filter lookup into one HiPAC query

fix handling of jump rules containing iptables matches (currently only some known iptables matches are allowed in jump rules)
in the current version the number of rule updates per second is limited by the number of synchronize_rcu() calls per second. This slows down rule updates dramatically. Future releases will work around this problem and will offer full rule update speed again

Current Status