In recent years, with the spread of IP networks as exemplified by the Internet, there have been many cases in which local area networks (LANs) are constructed in companies and homes, the LANs are connected to wide area networks through the Internet or the like, and packets are transferred. However, if a terminal accommodated in a LAN is connected to the external network, there is a risk that secret information such as privacy information is leaked or tampered with due to unauthorized access from the external network, and thus guaranteeing security in the LAN becomes an important topic.
Therefore, conventionally, a packet transfer processing device such as a router that relays and transfers packets between the LAN and the external network is configured to have a packet filtering function. The packet filtering function is a function of comparing receiving packets with preset filtering rules and determining whether or not the packets are permitted to pass. The filtering rules are defined by communication parameters used in transferring the packets, for example, a source address, a destination address, a protocol, a source port number, and a destination port number.
Incidentally, in order to achieve the packet filtering function, a very large number of filtering rules need to be stored as search rules in a search table; however, there is a limitation in the storage capacity of the search table. Therefore, in order to decrease the number of entries of the search rules stored in the search table, for example, the following device is suggested.
That is, when packets are normally dropped and only the necessary packets are passed, search rules do not need to be valid at all times and it is sufficient that they are valid during communication periods. Therefore, a valid flag that shows validity/invalidity of each of the search rules is prepared for each of the search rules stored in the search table. Then, when a central processing unit (CPU) sets a search rule in the search table at the time of starting the communication, the corresponding valid flag is set to “1” and the search rule is validated. On the other hand, when the communication ends, the valid flag is reset to “0” such that the search rule is not used thereafter, in order to prepare for addition of a next search rule. In this state, when new communication starts, the search rule corresponding to the valid flag that is set to “0”, that is, an invalid entry, is searched for and a new search rule is set in the search table, instead of the search rule that is not used. Therefore, contents of the entries of the search table are dynamically changed and a larger number of packets can be searched with a smaller memory area.
As a specific search circuit, there is a circuit that uses a plurality of rule comparing units in parallel and compares communication parameters of a received packet with filtering rules. If the circuit receives the packet, the circuit distributes and sends the communication parameters of the received packet to rule comparing units whose processing has ended, among the plurality of rule comparing units. In addition, whenever the circuit reads one filtering rule from the search table, the circuit supplies this filtering rule to all the rule comparing units. Whenever the communication parameters of the received packet are input, each rule comparing unit compares the communication parameters with all the filtering rules sequentially read from the search table. Then, if a filtering rule matching the communication parameters is detected, this filtering rule is output as the search result. It is to be noted that if a plurality of filtering rules matching the communication parameters are detected, the filtering rule having the highest priority is output as the search result (for example, refer to Patent Document 1).
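The valid-flag handling of the search table and the highest-priority match described above, as an added example that is not part of the original document or of Patent Document 1: a tiny fixed-size table whose free entries are found by their cleared valid flag, a rule install at the start of communication, a flag reset at its end, and a sequential scan that returns the highest-priority matching entry. The five-tuple layout, the `TABLE_SIZE` of 4, the priority field and the use of 0 as a wildcard value are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>

#define TABLE_SIZE 4   /* deliberately tiny so that entry reuse is visible */

typedef struct {
    uint32_t src, dst;   /* IPv4 addresses as host-order integers */
    uint8_t  proto;      /* 6 = TCP, 17 = UDP */
    uint16_t sport, dport;
} params_t;

typedef struct {
    params_t key;        /* a 0 in any field is treated as a wildcard (assumption) */
    bool     valid;      /* the valid flag: true = in use, false = free */
    int      priority;   /* higher wins when several rules match */
} rule_t;
static rule_t table[TABLE_SIZE];

/* Start of communication: put the rule in the first entry whose valid flag
   is cleared. Returns the slot used, or -1 when every entry is in use. */
int add_rule(params_t key, int priority) {
    for (int i = 0; i < TABLE_SIZE; i++) {
        if (table[i].valid) continue;
        table[i].key = key;
        table[i].priority = priority;
        table[i].valid = true;
        return i;
    }
    return -1;
}

/* End of communication: clear the valid flag so the slot can be reused. */
void remove_rule(int slot) {
    if (slot >= 0 && slot < TABLE_SIZE) table[slot].valid = false;
}

static bool field_match(uint32_t rule, uint32_t pkt) { return rule == 0 || rule == pkt; }

/* Compare the packet with every valid entry and return the slot of the
   highest-priority match, or -1 if nothing matches (the packet is dropped). */
int search(params_t p) {
    int best = -1;
    for (int i = 0; i < TABLE_SIZE; i++) {
        const rule_t *r = &table[i];
        if (!r->valid || !field_match(r->key.src, p.src) || !field_match(r->key.dst, p.dst) ||
            !field_match(r->key.proto, p.proto) || !field_match(r->key.sport, p.sport) ||
            !field_match(r->key.dport, p.dport)) continue;
        if (best < 0 || r->priority > table[best].priority) best = i;
    }
    return best;
}
```

Because the scan visits every entry, an invalid entry costs the same time as a valid one; the valid flag saves table space, not comparison work.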