A computer network is a collection of interconnected computing devices that exchange data and share resources. In a packet-based network, such as the Internet, the computing devices communicate data by dividing the data into small blocks called packets. The packets are individually routed across the network from a source device to a destination device. The destination device extracts the data from the packets and assembles the data into its original form.
Certain devices within the network, such as routers, maintain routing information that describes routes through the network. Each route defines a path between two locations on the network. From the routing information, the routers may generate forwarding information, which is used by the routers to relay packet flows through the network and, more particularly, to select specific next hops for each packet flow. In reference to forwarding a packet, the “next hop” from a network router typically refers to a neighboring device along a given route. Conventional routers often maintain the forwarding information in the form of one or more forwarding tables, radix trees or similar data structures. Upon receiving an incoming packet, the router examines information within the packet to select a next hop for the packet in accordance with one of the forwarding tables.
Routers and other network devices, such as firewalls, gateways, and switches, often apply filters when processing packet flows. For example, a router may compare header information within each packet to a set of filtering rules, which specify particular “terms” or “criteria” and one or more actions. The filtering rules may specify, for example, particular source IP addresses, destination IP addresses, and other criteria for identifying packets, as well as one or more actions to perform on packets that match the specified criteria. Specifically, the router identifies packets that match the filtering rules and performs the one or more actions on the packets depending on which filtering rule(s) the packets match. The actions may include dropping the packet, remarking the packet as lower priority, counting packets that match the filtering rule, replicating the packet for logging or further analysis, and the like. For example, a filter may be installed within a router to cause the router to drop packets having a source IP address of a device that has been identified as the source of a denial of service (DoS) attack. Conventional routers typically apply the filters to packet flows based on the interfaces from which the flows are received, i.e., on an interface-by-interface basis. For instance, the router may apply an interface-specific filter to each of the packet flows received by a given interface. Alternatively, or in addition, the routers may apply packet filters to all packet flows regardless of the interface from which the packet was received.
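As an added example, not part of the patent text, the following Python models the filter behaviour described above: an interface-specific filter is evaluated for the ingress interface, then a global filter applies to every flow, and matching terms trigger count, log, remark or discard actions. The first-match-decides semantics, the interface names and the sample prefixes are assumptions constructed for the illustration.

```python
import ipaddress
from collections import Counter

# Added illustration, not from the patent: first matching term in a filter decides (assumption).
def make_term(name, actions, src=None, dst=None):
    """One filtering rule: optional source/destination prefix criteria plus actions."""
    net = lambda p: ipaddress.ip_network(p) if p else None
    return {"name": name, "actions": actions, "src": net(src), "dst": net(dst)}

def term_matches(term, pkt):
    return all(term[k] is None or pkt[k] in term[k] for k in ("src", "dst"))

def run_filter(terms, pkt, counters, log):
    """Apply the first matching term's actions; return False if the packet is discarded."""
    for term in terms:
        if not term_matches(term, pkt):
            continue
        for action in term["actions"]:
            if action == "count":
                counters[term["name"]] += 1
            elif action == "log":
                log.append((term["name"], str(pkt["src"]), str(pkt["dst"])))
            elif action == "low-priority":
                pkt["priority"] = "low"
            elif action == "discard":
                return False
        return True  # later terms in this filter are not consulted
    return True  # no term matched: implicit accept

def forward(packets, interface_filters, global_filter):
    """Interface-specific filter first, then the global filter; returns (forwarded, counters, log)."""
    counters, log, forwarded = Counter(), [], []
    for raw in packets:
        pkt = dict(raw, src=ipaddress.ip_address(raw["src"]),
                   dst=ipaddress.ip_address(raw["dst"]), priority="normal")
        if (run_filter(interface_filters.get(pkt["iface"], []), pkt, counters, log)
                and run_filter(global_filter, pkt, counters, log)):
            forwarded.append(pkt)
    return forwarded, counters, log

# Constructed sample data: one host flagged as a DoS source, two ingress interfaces.
INTERFACE_FILTERS = {
    "ge-0/0/0": [make_term("block-dos-source", ["count", "log", "discard"], src="203.0.113.7/32")],
    "ge-0/0/1": [make_term("demote-bulk", ["low-priority"], dst="198.51.100.0/24")],
}
GLOBAL_FILTER = [make_term("count-all", ["count"])]
SAMPLE_PACKETS = [
    {"iface": "ge-0/0/0", "src": "203.0.113.7", "dst": "192.0.2.10"},  # discarded by interface filter
    {"iface": "ge-0/0/1", "src": "203.0.113.7", "dst": "192.0.2.10"},  # same source, other interface: forwarded
    {"iface": "ge-0/0/1", "src": "192.0.2.5", "dst": "198.51.100.9"},  # remarked low priority, counted globally
]
```

Note that the second packet shows the limitation the text describes: a filter bound to one interface does not act on the same source arriving through another interface, which is why a global filter may be applied in addition.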