## Abstract

Firewall packet matching can be viewed as a point location problem: Each packet (point) has 5 fields (dimensions) which need to be checked against every firewall rule in order to find the first matching rule. In this paper we consider a packet matching algorithm, which we call the Geometric Efficient Matching (GEM) algorithm. The GEM algorithm enjoys a logarithmic matching time performance, easily beating the linear time required by the naive matching algorithm. However, the algorithm's theoretical worst-case space complexity is O(n^{4}) for a rule-base with n rules. Based on statistics from real firewall rule-bases, we created a model that generates random, but non-uniform, rule-bases. We evaluated GEM via extensive simulation using this rule-base generator. Subsequently, we integrated GEM into the code of the Linux iptables open-source firewall. Our GEM-iptables implementation supports a through-put which is at least 5-10 times higher than that of the unoptimized iptables. Our implementation was able to match over 30,000 packets-per-second even with 10 thousand rules.

Original language | English |
---|---|

Pages | 153-156 |

Number of pages | 4 |

State | Published - 2004 |

Event | 2004 23rd IEEE Convention of Electrical and Electronics Engineers in Israel, Proceedings - Tel-Aviv, Israel Duration: 6 Sep 2004 → 7 Sep 2004 |

### Conference

Conference | 2004 23rd IEEE Convention of Electrical and Electronics Engineers in Israel, Proceedings |
---|---|

Country/Territory | Israel |

City | Tel-Aviv |

Period | 6/09/04 → 7/09/04 |