From: Thomas Heinz <creatix@hipac.org>
To: "David S. Miller" <davem@davemloft.net>
Cc: netfilter-devel@lists.netfilter.org, shemminger@osdl.org
Subject: Re: iptables as a state machine
Date: Fri, 01 Oct 2004 22:26:16 +0200
Message-ID: <415DBD68.3040404@hipac.org>
In-Reply-To: <20041001124608.6a6b374c.davem@davemloft.net>

You wrote:
> Thanks for the correction.

You're welcome.

>>This approach was already considered very early in the history
>>of packet classification. Even more complex matchings such as
>>context-free grammars have been used. Nonetheless, even
>>regular expressions have been found to not be able to
>>cope with the high performance demands of today's rule bases.
> 
> Any pointers to papers on this topic?

http://citeseer.ist.psu.edu/rd/0%2C56411%2C1%2C0.25%2CDownload/http://citeseer.ist.psu.edu/compress/0/papers/cs/364/http:zSzzSzwww.cs.wustl.eduzSzcszSztechreportszSz1995zSzwucs-95-21.ps.gz/jayaram95efficient.ps
This paper describes the use of an optimized LR parser
for packet classification. Note that it's from 1995.

As for regular expressions, any theoretical computer
science textbook describes how to construct
deterministic finite automata from regular expressions
and how to compute the equivalent minimal automaton.
This approach is, for example, also implemented by flex.

One of the first approaches towards packet
classification was the design of dedicated virtual
machines similar to what is used in compiler
technology.

As the demand for high performance packet classification
grew, one came up with the so-called packet classification
problem which is the foundation of today's firewalling
rule sets.


Regards,

Thomas
