High Performance Packet Filter for Linux Netfilter


nf-HiPAC is a full featured packet filter for Linux which demonstrates the power and flexibility of HiPAC. HiPAC is a novel framework for packet classification which uses an advanced algorithm to reduce the number of memory lookups per packet. It is ideal for environments where large rulesets and/or high bandwidth networks are involved.

nf-HiPAC provides the same rich feature set as iptables, the popular Linux packet filter. The complexity of the HiPAC packet classification algorithm is hidden behind an iptables compatible user interface, which makes nf-HiPAC a drop-in replacement for iptables. The semantics of iptables rules is preserved, i.e. you can construct your rules the way you are used to. From a user's point of view there is no need to understand anything about the HiPAC algorithm.

The nf-HiPAC userspace tool is designed to be as compatible as possible with 'iptables -t filter'. Besides the native nf-HiPAC matches it supports the full range of iptables targets and matches as well as stateful packet filtering (connection tracking). This makes the switch from iptables to nf-HiPAC very easy: usually it is sufficient to replace the calls to iptables with calls to nf-hipac for your filter rules (rules in other tables, such as nat, are outside the scope of 'iptables -t filter' and stay with iptables). MARA Systems is using nf-HiPAC in its latest firewall product, GateMARA. Michael Bellion, one of the owners of MARA Systems, is the developer of the nf-HiPAC project.
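The migration step described above, as an added example that is not part of the nf-HiPAC project: a small POSIX shell script that rewrites iptables filter-table rules as nf-hipac calls. It assumes, as the page states, that nf-hipac accepts the same chain, match and target syntax as 'iptables -t filter'; it strips an explicit '-t filter', leaves rules for any other table (e.g. nat) to iptables, and passes every other option through unchanged. The function names and the sample ruleset in demo() are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of nf-HiPAC: rewrite iptables filter-table rules
# as nf-hipac calls. Assumes (as the project states) that nf-hipac accepts
# the same chain, match and target syntax as 'iptables -t filter'.

# convert_rule LINE
# Prints the nf-hipac equivalent of one iptables command line. An explicit
# '-t filter' / '--table filter' is dropped; a rule for any other table
# (nat, mangle, ...) is printed unchanged so it stays with iptables.
convert_rule() {
    line=$1
    table=filter
    out=''
    want_table=0
    for tok in $line; do
        if [ "$want_table" -eq 1 ]; then
            table=$tok
            want_table=0
            continue
        fi
        case "$tok" in
            iptables|*/iptables) out='nf-hipac' ;;
            -t|--table)          want_table=1 ;;
            --table=*)           table=${tok#--table=} ;;
            *)                   out="$out $tok" ;;
        esac
    done
    if [ "$table" = filter ]; then
        printf '%s\n' "$out"
    else
        printf '%s\n' "$line"
    fi
}

# convert_ruleset
# Reads an iptables script on stdin and writes the converted script on
# stdout; blank lines and comments are copied through untouched.
convert_ruleset() {
    while IFS= read -r l; do
        case "$l" in
            ''|'#'*) printf '%s\n' "$l" ;;
            *)       convert_rule "$l" ;;
        esac
    done
}

# demo: a constructed sample ruleset (not taken from the project). Everything
# in the filter table becomes an nf-hipac call; the nat rule is left alone.
demo() {
    convert_ruleset <<'EOF'
# constructed sample ruleset
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -j DROP
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
EOF
}

demo
```

The script only prints the translated commands and does not validate the options, so review the output and load it on a test host before piping it through sh on a production firewall.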

Why another packet filter?

iptables, like most packet filters, uses a simple packet classification algorithm: for every packet it traverses the rules in a chain linearly until a matching rule is found (or the end of the chain is reached). The cost of this approach grows with the number of rules. As networks grow more complex and offer higher bandwidth, linear packet filtering is no longer an option if many rules have to be checked per packet: higher bandwidth means more packets per second, which leaves less processing time per packet. nf-HiPAC outperforms iptables regardless of the number of rules, i.e. the HiPAC classification engine does not impose any overhead even for very small rule sets.

Scalability to large rulesets

The performance of nf-HiPAC is nearly independent of the number of rules. nf-HiPAC with thousands of rules still outperforms iptables with 20 rules.

Dynamic rulesets

nf-HiPAC offers fast dynamic ruleset updates without stalling packet classification, in contrast to iptables, whose updates are slow and stall packet processing while they are applied.