A computer network is a collection of interconnected computing devices that exchange data and share resources. In a packet-based network, such as the Internet, the computing devices communicate data by dividing the data into small blocks called packets. The packets are individually routed across the network from a source device to a destination device. The destination device extracts the data from the packets and assembles the data into its original form. Dividing the data into packets enables the source device to resend only those individual packets that may be lost during transmission.
Certain devices within the network, referred to as routers, maintain tables of routing information that describe available routes through the network. Each route defines a path between two locations on the network. Upon receiving incoming data packets, packet filters within the router compares header information, data, or both, contained by the packet to filtering rules of the filter to determine the fate of the packet. The filtering rules may specify, for example, particular source Internet Protocol (IP) address, destination IP addresses, protocol type, port number and other criteria for filtering packets. When the router identifies a packet that matches any of the filtering rules, the router performs an associated action to the packet depending on which filtering rule the packet matches. The action may include, for example, dropping the packet, remarking the packet as lower priority, counting packets that match the filtering rule, and the like. When the header information does not match any of the filtering rules the router identifies the destination for the packet according to the header information. Based on the header information, the router accesses one of the routing tables, selects an appropriate route for the packet and forwards the packet accordingly.
In general, a conventional router inserts static packet filters. The router may, for example, retrieve a description of the static filter from a configuration file and insert the static filter into a forwarding path of the router. For instance, the router may retrieve the description and insert the static filter upon startup or reboot of the router. Consequently, modification of the filters, such as insertion of a new filter or modification of existing filtering rules, typically requires updating the static configuration information of the configuration file and rebooting the router.