The geometric efficient matching algorithm for firewalls

Dmitry Rovniagin*, Avishai Wool

*Corresponding author for this work

Research output: Contribution to conference › Paper › peer-review

Abstract

Firewall packet matching can be viewed as a point location problem: each packet (point) has 5 fields (dimensions) which need to be checked against every firewall rule in order to find the first matching rule. In this paper we consider a packet matching algorithm, which we call the Geometric Efficient Matching (GEM) algorithm. The GEM algorithm enjoys a logarithmic matching time performance, easily beating the linear time required by the naive matching algorithm. However, the algorithm's theoretical worst-case space complexity is O(n^4) for a rule-base with n rules. Based on statistics from real firewall rule-bases, we created a model that generates random, but non-uniform, rule-bases. We evaluated GEM via extensive simulation using this rule-base generator. Subsequently, we integrated GEM into the code of the Linux iptables open-source firewall. Our GEM-iptables implementation supports a throughput which is at least 5-10 times higher than that of the unoptimized iptables. Our implementation was able to match over 30,000 packets-per-second even with 10 thousand rules.
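To make the point-location view concrete, here is an added illustration (not the paper's or the GEM-iptables code) of the recursive elementary-interval structure that geometric first-match lookup is built on, reduced to two dimensions (source address, destination port) and a constructed three-rule rule-base; the dimension count, rule ranges and actions are assumptions chosen for the example.

```python
import bisect
from ipaddress import ip_address

def ip(s):
    """Integer value of a dotted-quad address, so every dimension is a plain integer."""
    return int(ip_address(s))

# Constructed rule-base, ordered: first match wins. Each rule is
# (index, [(lo, hi) per dimension]); dimensions here: source address, destination port.
RULES = [
    (0, [(ip("10.0.0.0"), ip("10.0.0.255")), (22, 22)]),        # admin net -> ssh
    (1, [(ip("0.0.0.0"), ip("255.255.255.255")), (22, 22)]),    # everyone else -> ssh
    (2, [(ip("0.0.0.0"), ip("255.255.255.255")), (80, 443)]),   # web ports
]
ACTIONS = ["accept", "drop", "accept"]
NDIMS = 2

def build(rules, dim=0):
    """Per dimension, cut the axis into elementary intervals at the rule endpoints;
    each interval recurses on the rules that cover it. A leaf holds the index of
    the first matching rule, or None. Space is the product of the interval counts
    over the dimensions, which is where the polynomial worst-case bound comes from."""
    if dim == NDIMS:
        return rules[0][0] if rules else None
    points = sorted({p for _, rng in rules for p in (rng[dim][0], rng[dim][1] + 1)})
    children = []
    for lo, hi in zip(points, points[1:]):  # elementary interval [lo, hi)
        covering = [r for r in rules if r[1][dim][0] <= lo and r[1][dim][1] + 1 >= hi]
        children.append(build(covering, dim + 1))
    return (points, children)

def lookup(node, packet, dim=0):
    """One binary search per dimension: logarithmic matching time per packet."""
    if not isinstance(node, tuple):
        return node
    points, children = node
    i = bisect.bisect_right(points, packet[dim]) - 1
    if i < 0 or i >= len(children):
        return None  # packet lies outside every rule's range on this axis
    return lookup(children[i], packet, dim + 1)

TREE = build(RULES)

def match(src, dport):
    """Action for a packet, or 'no-match' when no rule covers it."""
    idx = lookup(TREE, (ip(src), dport))
    return ACTIONS[idx] if idx is not None else "no-match"

if __name__ == "__main__":
    print(match("10.0.0.7", 22))     # accept (rule 0 precedes rule 1)
    print(match("192.0.2.1", 22))    # drop
    print(match("192.0.2.1", 8080))  # no-match
```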

Original language: English
Pages: 153-156
Number of pages: 4
State: Published - 2004
Event: 2004 23rd IEEE Convention of Electrical and Electronics Engineers in Israel, Proceedings - Tel-Aviv, Israel
Duration: 6 Sep 2004 to 7 Sep 2004

Conference

Conference: 2004 23rd IEEE Convention of Electrical and Electronics Engineers in Israel, Proceedings
Country/Territory: Israel
City: Tel-Aviv
Period: 6/09/04 to 7/09/04
