
Exploiting Advanced Packet Classification Algorithms to Increase the Performance of Packet Filters With Complex Tests
Fadi Makhouli
Humboldt-University of Berlin, Germany
makhouli@informatik.hu-berlin.de
Abstract: Packet classification is an important functionality in network security applications such as firewalls, intrusion detection systems, and routers.

I. INTRODUCTION
To meet the throughput gain requirement
II. EXISTING WORK
III. PROBLEM STATEMENT
In this section, we first define the PACKET CLASSIFICATION PROBLEM and the extended version of it, before introducing the main idea behind our approach. This enables us to subsequently, in the next section, give an abstract description of our idea in formal terms, as well as the concrete way of implementing it.
A. The Packet Classification Problem
Implemented in packet classifiers, packet classification is the process of classifying a network packet based on a predetermined rule set and the packet header values. A list of rules $R = \langle R_0, \dots, R_n \rangle$, also called a rule set, is an ordered list in which each rule $R_i$ consists of a match part $C_i$, also called a check, a corresponding action $a_i$ that is executed upon selecting the rule, and a unique priority: its index in the rule set. Each packet $p$ has a header $H = (H_1, \dots, H_F) \in D_1 \times \dots \times D_F$, where $H_i$ is the $i$-th header value in the $i$-th domain $D_i$, and $F$ is the header dimension. In practice, domains are often integer values, representing for example IP addresses or transport layer protocol numbers. The match part $C_i$ of a rule $R_i$ in the rule set $R$ consists of $F$ checks $C_i^j : D_j \to \{\text{true}, \text{false}\}$ with
$$C_i = C_i^1 \wedge \dots \wedge C_i^F.$$
For a packet to satisfy a specific rule $R_m$, all of the header values must be checked with a positive result, that is, $\forall j \in \{1, \dots, F\} : C_m^j(H_j) = \text{true}$. Typically, checks are range or equality tests; think of routers determining the path based on membership in a particular subnet.
Based on the above-mentioned definitions, the PACKET CLASSIFICATION PROBLEM can be stated as follows: given a packet $p$ and a rule set $R$, find the rule $R_m$ with the highest priority in $R$ matching $p$'s header $H$; i.e.,
$$\min\{\, m \mid \forall j \in \{1, \dots, F\} : C_m^j(H_j) = \text{true} \,\}.$$

For example, a firewall operating on the edge of a network could be set up to drop TCP packets with destination IP address 141.158.44.12 and port 8080. A corresponding iptables rule for this specification would be the following:
--src 141.158.44.12 -p tcp --dport 8080 -j DROP

B. Extended Packet Classification Problem
In addition to applying simple equality and range tests, real-life packet classifiers like iptables and ipfw give users the possibility to extend rules with more sophisticated matching criteria [1,2]. For instance, firewalls are often set up to filter packets with particular payload content by using some matching strategy, i.e., deep packet inspection. We call tests of this kind complex checks and refer to the previously mentioned tests of the basic packet classification problem as simple checks. Thereupon, extending a rule $R_i$ by $l$ complex checks results in the following match part:
$$C_i = C_i^1 \wedge \dots \wedge C_i^F \wedge K_i^1 \wedge \dots \wedge K_i^l,$$
where $K_i^j$ is the $j$-th complex check. For instance, if we extend the previous iptables rule to reject packets containing the string "evil", it would look like (the string match module requires an explicit search algorithm, hence -m string and --algo):
--src 141.158.44.12 -p tcp --dport 8080 -m string --string "evil" --algo bm -j DROP

The basic solution to both problems is to apply a linear search on the rule set that returns a matching index. This is very efficient in terms of memory usage, results in trivial rule updates as rules change, and needs only a simple data structure. The downside of this approach is the lack of classification speed as the rule set becomes larger. In practice, many packet classifiers such as iptables implement this solution [2]. To reduce the complexity of the problem, advanced algorithms exploit the rule set by translating it into a searchable data structure which is then traversed in the classification process. Unfortunately, these algorithms do not solve the extended packet classification problem, since they are limited to simple equality and range tests, which makes them unsuitable for applying complex checks. To our knowledge, existing software packet classifiers tackle the extended packet classification problem by implementing a linear search over the set of rules. In contrast, our approach aims to combine the high classification performance of advanced matching algorithms with the ability to test packet header values against complex criteria.
C. Extended Packet Classification Problem with Alternatives
In general, packet classifiers return at most one single matching rule. Since a rule set usually contains multiple rules matching a packet header, there might be a need to choose a different matching rule with a lower priority, also called an alternative. Accordingly, the extended packet classification problem with alternatives can be defined as follows: given a packet $p$ and a rule set $R$ of size $N$, find an ordered list $R' = \langle R_{i_1}, \dots, R_{i_M} \rangle$ of the first $M$ rules with the highest priorities matching $p$'s header $H$; i.e.,
$$\forall R_{i_j} \in R' \;\; \forall R_m \in R \setminus R' : \; C_{i_j}(H) = \text{true} \;\wedge\; \big(C_m(H) = \text{true} \Rightarrow i_j < m\big),$$
with $j \in \{1, \dots, M\} \subseteq \{1, \dots, N\}$.
(what to do here?) While working on the idea introduced in this work, we implicitly modified an advanced classification algorithm to solve the extended packet classification problem with alternatives for rules not containing a complex part. The extended packet classification problem with alternatives is a generalization of the one without alternatives. This led us to give a rather general solution to the problem. Initially, the idea introduced in this paper does implicitly solve the extended classification problem with alternatives for a particular class of advanced classification algorithms.
IV. OUR APPROACH
The key challenge in using an algorithm with high classification performance while still providing semantic expressiveness is to overcome the barrier that complex checks are not simple equality or range tests but can rather be any possible test. However, if the traversable data structure built for an advanced algorithm is exploited, we can reach our goal with some additional effort. In this section, we address the problem from Section III and propose our new approach as a solution. Next, we illustrate it by giving a practical example.
A. Classes of Advanced Classification Algorithms
The idea behind this work is to divide the classification process into two parts: first, we apply the classification with the modified version of a given advanced algorithm, matching the given packet only against the simple part of the rules. Of course, this is not yet the desired final result, since we must still execute the complex checks.
Let $A$ be an algorithm translating a rule set $R$ into a searchable data structure $S_{R,A}$; then $A'$ is the modified version of $A$ returning a list of the first $k$ highest-priority rules. Let $H$ be a packet header and $R$ a rule set. In order to present our idea, we denote the following: $\text{linear}(R, H)$ is the sequential computation. In case we want to restrict the linear search or the computation of , we write $\text{linear}_{\text{complex}}(R, H)$ and $\text{classify}_{\text{complex}}(S_{R,A'}, H)$, respectively.
$$\text{classify}(R, H) = \text{linear}(\text{classify}(S_{R,A'}, H), H)$$
(0) how do we solve the problem (informal)
(1) it is important to maintain the correctness of (*)
(2) abstract algorithm
(3) 2 categories of advanced algorithm: story of Bitvector, story of HyperSplit (maybe refer to cutting-class)
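As an added illustration (not code from the paper), the rule model of Section III and the two-phase composition of Section IV.A in Python; the advanced algorithm $A'$ is assumed and stood in for by a plain scan over the simple checks, and the rule set and payloads are constructed for the example.

```python
# Added example, not the paper's code: rule model of Sec. III and the two-phase
# classify(R, H) = linear(classify(S_{R,A'}, H), H) of Sec. IV.A, with A' assumed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
Header = Dict[str, int]                  # H = (H_1, ..., H_F), keyed by field name
SimpleCheck = Tuple[int, int]            # inclusive range [lo, hi]; equality is lo == hi
ComplexCheck = Callable[[bytes], bool]   # K_i^j: an arbitrary test on the payload

@dataclass
class Rule:
    simple: Dict[str, SimpleCheck]                               # C_i^1 ... C_i^F
    action: str                                                  # a_i
    complex: List[ComplexCheck] = field(default_factory=list)    # K_i^1 ... K_i^l

    def matches_simple(self, h: Header) -> bool:
        return all(lo <= h[f] <= hi for f, (lo, hi) in self.simple.items())

    def matches_complex(self, payload: bytes) -> bool:
        return all(k(payload) for k in self.complex)

def linear(rules: List[Tuple[int, Rule]], h: Header, payload: bytes) -> Optional[int]:
    """Sequential search over (priority, rule) pairs; returns the first full match."""
    for idx, r in rules:
        if r.matches_simple(h) and r.matches_complex(payload):
            return idx
    return None

def classify_simple(rules: List[Rule], h: Header, k: int) -> List[Tuple[int, Rule]]:
    """Stand-in for A': the first k rules (by priority) whose simple part matches h."""
    hits = [(i, r) for i, r in enumerate(rules) if r.matches_simple(h)]
    return hits[:k]

def classify(rules: List[Rule], h: Header, payload: bytes, k: int) -> Optional[int]:
    """Two-phase classification. If every one of the k candidates fails its complex
    checks, a lower-priority match may lie beyond the k-th candidate, so the full
    linear search is the fallback that keeps the result equal to linear(R, H)."""
    cands = classify_simple(rules, h, k)
    hit = linear(cands, h, payload)
    if hit is None and len(cands) == k:
        hit = linear(list(enumerate(rules)), h, payload)
    return hit

# Constructed rule set: two payload-inspecting drops on tcp/8080, an accept for low tcp ports, a catch-all drop.
RULES = [
    Rule({"proto": (6, 6), "dport": (8080, 8080)}, "DROP", [lambda p: b"evil" in p]),
    Rule({"proto": (6, 6), "dport": (8080, 8080)}, "DROP", [lambda p: b"worse" in p]),
    Rule({"proto": (6, 6), "dport": (1, 1023)}, "ACCEPT"),
    Rule({"proto": (0, 255), "dport": (0, 65535)}, "DROP"),
]
```

With k = 2 and a benign payload on tcp/8080, both candidates fail their complex checks and only the fallback finds the catch-all rule; with k = 3 the candidate list already contains it.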
REFERENCES
[1] Ipfw firewall. https://www.freebsd.org/doc/handbook/firewalls-ipfw.html. Last accessed: July 3, 2016.
[2] The netfilter.org project. www.netfilter.org. Last accessed: July 1, 2016.
