Published on Nov 30, 2023
We propose a stateless packet filtering technique based on Finite-State Automata (FSA). FSAs provide a comprehensive framework with well-defined composition operations that enable the generation of stateless filters from high-level specifications and their compilation into efficient executable code without resorting to various opportunistic optimization algorithms.
In contrast with most traditional approaches, memory safety and termination can be enforced with minimal run-time overhead even in cyclic filters, thus enabling full parsing of complex protocols and supporting recursive encapsulation relationships. PACKET filters are a class of packet manipulation programs used to classify network traffic in accordance to a set of user-provided rules; they are a basic component of many networking applications such as shapers, sniffers, demultiplexers, firewalls and more.
A stateless packet filter can be expressed as a set of predicates on packet fields, joined by boolean operators; often these predicates are not completely independent from one another and the evaluation of the whole set can be short-circuited.
One of the most important questions in designing generators for high-performance filters is therefore how to efficiently organize the predicate set to reduce the amount of processing required to come to a match/mismatch decision.
By considering packet filtering as a regular language recognition problem and exploiting the related mathematical framework to express and organize predicates as finite-state automata, SPAF achieves by construction a reduction of the amount of redundancy along any execution path in the resulting program: any packet field is examined at most once.
This property emerges from the model and it always holds even in cases that are hard to treat with conventional techniques, such as large-scale boolean composition. Moreover, thanks to their simple and regular structure, finite automata also double as an internal representation directly translatable into an optimized executable form without requiring a full-blown compiler. Finally, safety (both in terms of termination and memory access integrity) can be enforced with very low runtime overhead.
BPF ( Berkeley Packet Filter) Approach
CFG-based approach
FILTER GENERATION TECHNIQUE
• Minimum 1.1 GHz PROCESSOR should be on the computer .
• 128 MB RAM.
• 20 GB HDD.
• 1.44 MB FDD.
• 52x CD-ROM Drive .
• MONITORS at 800x600 minimum resolution at 256 colors minimum.
• I/O, One or two button mouse and standard 101-key keyboard.
• Operating System : Windows 95/98/2000/NT4.0.
• Technology : JAVA, JFC(Swing)
Development IDE : Eclipse 3.x