FIG. 1 depicts conventional networks 10 and 20 which may be connected to the Internet 30. Each network 10 and 20 includes host 12, 14 and 16 and 22 and 24, respectively. Each network 10 and 20 also includes a switch 18 and 26, respectively, and may include one or more servers such as the servers 17, 19 and 28, respectively. In addition, each network 10 and 20 may include one or more gateways 13 and 25, respectively, to the Internet 30. Not explicitly shown are routers and other portions of the networks 10 and 20 which may also control traffic through the networks 10 and 20 and which will be considered to be inherently depicted by the switches 18 and 26, respectively, and the networks 10 and 20 in general.
FIG. 2 depicts a portion of a typical switch 50, which may be used for the switches 18 and 26 and/or a router (not shown). The switch 50 includes a network processor 52 and storage 54. The switch 50 typically also includes other components (not shown). The network processor 52 manages functions of the switch, including the classification of packets using the rules described below. The storage 54 retains data relating to the rules.
Referring to FIGS. 1 and 2, in order to manage communications in a network, such as the network 10 or 20, filter rules are used. Filter rules are typically employed by switches, routers and other portions of the network to perform packet classification. Each filter rule is used to classify packets which are being transmitted via a network in order to determine how the packet should be treated and what services should be performed. For example, a filter rule may be used in testing packets entering the network from an outside source to ensure that attempts to break into the network can be thwarted. For example, traffic from the Internet 30 entering the network 10 may be tested in order to ensure that packets from unauthorized sources are denied entrance. Similarly, packets from one portion of a network may be prevented from accessing another portion of the network. For example, a packet from some of the hosts 12, 14 or 16 may be prevented access to either the server 17 or the server 19. The fact that the host attempted to contact the server may also be recorded so that appropriate action can be taken by the owner of the network. Such filter rules may also be used to transmit traffic based on the priorities of packets. For example, packets from a particular host, such as the host 12, may be transmitted because the packets have higher priority even when packets from the hosts 14 or 16 may be dropped. The filter rules may also be used to ensure that new sessions are not permitted to be started when congestion is high even though traffic from established sessions is transmitted. Other functions could be achieved based on the filter rule.
Filter rules also typically have a priority. The filter rules can also interact based on the priority for each of the filter rules. The priority of filter rules can be used to determine the action taken when a key matches the ranges for two or more filter rules. In such a case, the filter rule having a higher priority controls the action taken. For example, a first rule may be a default rule, which treats most cases. A second rule can be an exception to the first rule. The second rule would typically have a higher priority than the first rule to ensure that where a packet matches both the first and the second rule, the second rule will be enforced. In a conventional system, all of the filter rules are placed in a list based upon their priority. Also in a conventional system, each filter rule has a different priority reflected by its position in the list. Thus, in a conventional system the number of priorities is the same as the number of filter rules. Thus, in a conventional system, the number of priorities of filter rules is large
In order to determine whether a particular rule will operate on a particular packet, a key is tested. The key that is typically used is the Internet Protocol (IP) header of the packet and other headers of the packet. The IP header typically contains the IP Source Address (SA) the IP Destination Address (DA) and a Type or Protocol (P) field. The IP packet payload typically encapsulates another header and payload structure and the inner structure is typically Transmission Control Protocol (TCP), User Datagram Protocol (UDP), or another standard structure. The header of the TCP, UDP, or other standard structure in turn contains Source Port (SP) and Destination Port (DP) values. These fields are typically ordered as SA, DA, SP, DP and P and are thirty-two, thirty-two, sixteen, sixteen and eight bits, respectively. Rules typically operate on one or more of these fields. For example, based on the source and/or destination addresses, the rule may determine whether a packet from a particular host is allowed to reach a particular destination address.
Furthermore, the key often contains additional bits other than the above fields. For example, a TCP SYN packet, which starts a session, may be characterized differently than a TCP DATA packet for an existing session. This characterization is accomplished using bits in addition to the above fields. The additional bits may be used by a filter rule which manages traffic through a network. For example, when the network is congested, the filter rule may proactively drop the TCP SYN packet while transmitting TCP packets for existing sessions. These operations allow the network to continue to operate and help reduce congestion. In order to perform this function, however, the rule examines the SYN bit in the TCP header to determine whether the packet is part of the Synchronization process of TCP. Thus, the filter rules typically operate using a key that includes at least some fields of the IP header and other headers of a packet and may include additional bits.
In testing a key, it is determined whether to enforce a filter rule against a particular packet and thus classify the packet. The key is tested by determining whether certain fields for key are within the range(s) of the rule. Each rule contains a range of values or one exact value in one or more dimensions. Each dimension corresponds to a field of the key (typically the IP header or other header). One type of filter rule field range may be a single value. In such a case, the key would have to exactly match the value for the rule to operate on the packet. Other rules have some field ranges that consist of all the binary values with a certain number of contiguous bits starting with the most significant bit fixed and other contiguous bits ending with the least significant bit arbitrary. In such a case the fixed bits are called a prefix. The prefix is a binary number containing a number of ones and zeroes (1 or 0) followed by place holders, or wildcards (*). The lower bound of the range is obtained by replacing all of the wildcards by zeros. The upper bound of the range is determined by replacing all of the wildcards by a one. Other rules have arbitrary ranges. Arbitrary ranges are ranges that cannot be expressed using a single prefix. However, an arbitrary range can be expressed using multiple prefixes.
A variety of mechanisms can be used in searching the filter rules for a match for the key. For example, if a particular dimension of a filter rule requires an exact match, then the search may include searching a table of hashed values for the filter rule. The search of other filter rules for a match to a key may require traversing a binary decision tree or other mechanism. Depending upon the mechanism used to search the filter rules as well as the filter rules the efficiency of the search may vary.
Accordingly, what is needed is a system and method for improving the efficiency of searches of the filter rules for a match to the key. The present invention addresses such a need.