Data packet systems of various kinds are known in the art. Such systems generally serve to source and/or receive, process, and/or route data packets. Many such systems make use of a plurality of data packet filters to facilitate such functionality in an appropriate and controlled manner.
For example, to support a Packet Data Serving Node (PDSN) application, data packet filters are typically deployed to support such purposes as:                Intrusion detection and/or prevention;        Network isolation for disabling external nodes from accessing parts of an access network;        Restricting the kinds of applications that a given mobile user can access;        Restricting improper forwarding of mobile-to-mobile node traffic hosted by a shared Packet Data Serving Node;        Billing and other accounting activities;to name a few.        
Such filters are often specified using various fields that are present in packet headers. For example, data packet filters can be defined using headers of Open Systems Interconnection (OSI) Layers 1 through 7 though more typically such filters are based on the network layer of Internet Protocol headers. It is also possible, of course, to define a data packet filter, in whole or in part, based on the payload being carried by the packet. For example, data packet filters designed to detect and/or counter virus attacks may be so characterized.
Modern data packet systems often include multiple network entities that share a common chassis. Such farm-styled architectures, for example, accommodate a variety of physical cards to each effect one or more applications or purposes. As a result, various such processing platforms are often at least potentially in-line with respect to a flow of data packets through such a data packet system.
At present, data packet filters are typically installed at one central location within such a data packet system. This approach, unfortunately, can compromise the performance of the data packet system and, even worse, may even fail with respect to providing a desired level of effective control. A centralized location can yield suboptimal results for various reasons.
For example, in some cases, the centralized location may require a software implementation of a given data packet filter. A software implementation, however, may be unduly slow or otherwise unacceptably computationally intensive. As another example, the sheer bulk (and/or processing load) of data packet filters in a given data packet system may cause a centralized installation scheme to constitute a bottleneck with respect to data packet flow.
It should also be noted that a given element such as a Packet Data Serving Node typically comprises an ultimately capacity-limited platform. For example, some Packet Data Serving Nodes are presently capable of supporting about 40,000 simultaneous packet data sessions. As the centralized number of packet data filters installed in that Packet Data Serving Node increases, however, this capacity tends to diminish.
Skilled artisans will appreciate that elements in the figures are illustrated for simplicity and clarity and have not necessarily been drawn to scale. For example, the dimensions and/or relative positioning of some of the elements in the figures may be exaggerated relative to other elements to help to improve understanding of various embodiments of the present invention. Also, common but well-understood elements that are useful or necessary in a commercially feasible embodiment are often not depicted in order to facilitate a less obstructed view of these various embodiments of the present invention. It will also be understood that the terms and expressions used herein have the ordinary meaning as is accorded to such terms and expressions with respect to their corresponding respective areas of inquiry and study except where specific meanings have otherwise been set forth herein.