Method and apparatus for high-speed network rule processing

6,154,446 A 6,173,364 Bl * 6,182,228 Bl * 6,185,680 Bl * 6,233,686 Bl *

* cited by examiner

Primary Examiner
(74) Attorney,
LLP

11/2000 Kadambietal 370/239

1/2001 Zenchelsky et al 711/118

1/2001 Boden et al 713/201

2/2001 Shimbo et al 713/160

5/2001 Zenchelsky et al 713/201

Larry D. Donaghue or Firm—Startler Johansen & Adeli

ABSTRACT

(57)

As Internet packet flow increases, the demand for high speed packet filtering has grown. The present invention introduces a high-speed rule processing method that may be used for packet filtering. The method pre-processes a set of packet filtering rules such that the rules may be searched in parallel by a set of independent search units. Specifically, the rules are divided into N orthogonal dimensions that comprise aspects of each packet that may be examined and tested. Each of the N dimensions are then divided into a set of dimension rule ranges. Each rule range is assigned a value that specifies the rules that may apply in that range. The rule preprocessing is completed by creating a search structure to be used for classifying a packet into one of the rule ranges in each of the N dimensions. Each search structure may be used by an independent search unit such that all N dimensions may be searched concurrently. The packet processing method of the present invention activates the N independent search units to search the N pre-processor created search structures. The output of each of the N search structures is then logically combined to select a rule to be applied.

20 Claims, 8 Drawing Sheets