When processing network traffic, a network node may perform packet filtering, applying policies specified by a network administrator to provide an additional layer of security in the network. For example, a packet filter may selectively forward or drop packets based on the source address, destination port, protocol, or another property of each packet. Due to its simplicity, packet filtering provides an inexpensive yet effective method for policing incoming and outgoing network traffic.
To accelerate the packet filtering process and minimize the power consumed by unnecessary processing, many packet filters include a cache that maintains the results of recently applied packet filtering rules. In this manner, the packet filter may access a cached result for a particular packet, rather than traversing the entire set of filtering rules to determine which rule to apply. To ensure that the correct packet filtering rule is applied, however, packet filters generally implement a time-consuming, expensive process for removing and replacing outdated results in the cache.
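The following added example (not part of the original text) sketches the cache described above: a first-match filter that caches a verdict per (source address, destination port, protocol) tuple, and shows that a cached result goes stale when the rule set changes unless the cache is invalidated. The class names, rules, addresses, and the full-flush invalidation are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    src: str               # CIDR the source address must fall in
    dport: Optional[int]   # destination port, None matches any
    proto: Optional[str]   # "tcp" / "udp", None matches any
    action: str            # "forward" or "drop"

    def matches(self, pkt):
        src, dport, proto = pkt
        return (ip_address(src) in ip_network(self.src)
                and self.dport in (None, dport)
                and self.proto in (None, proto))

class CachedFilter:
    def __init__(self, rules, default="drop"):
        self.rules, self.default = list(rules), default
        self.cache = {}        # packet tuple -> cached verdict
        self.rule_checks = 0   # rule evaluations performed so far

    def decide(self, pkt):
        if pkt in self.cache:              # hit: skip rule traversal
            return self.cache[pkt]
        verdict = self.default
        for rule in self.rules:            # miss: first matching rule wins
            self.rule_checks += 1
            if rule.matches(pkt):
                verdict = rule.action
                break
        self.cache[pkt] = verdict
        return verdict

    def replace_rules(self, rules, flush=True):
        self.rules = list(rules)
        if flush:                          # assumed invalidation: drop every cached result
            self.cache.clear()

def demo():
    allow_web = Rule("10.0.0.0/8", 443, "tcp", "forward")   # constructed rules
    block_host = Rule("10.0.0.5/32", None, None, "drop")
    pkt = ("10.0.0.5", 443, "tcp")                          # constructed packet
    f = CachedFilter([allow_web])
    first, _ = f.decide(pkt), f.decide(pkt)                 # second call is a cache hit
    checks = f.rule_checks
    f.replace_rules([block_host, allow_web], flush=False)
    stale = f.decide(pkt)                                   # outdated cached verdict
    f.replace_rules([block_host, allow_web], flush=True)
    fresh = f.decide(pkt)                                   # re-evaluated against new rules
    return first, checks, stale, fresh
```

Without invalidation the filter keeps forwarding traffic from a host the new rule set drops, which is why stale entries are a security problem and not only a performance one.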