Using Network Processors for Packet Filtering

This paper presents a hardware/software design and implementation that uses modern networkprocessors as packet-filtering devices that can be used for advanced network applications such as firewalls, network address translation, intrusion detection, traffic shaping and others. Included are the motivation and design and implementation tradeoffs of a hierarchical and pipelined, packet-filter software package using the Intel IXP 1200 network processor. The approach adapts Linux netfilter/iptables software and interfaces as a framework for providing wirespeed packet filtering for modern high-speed networks with complex traffic demands. The Intel IXP 1200, contained on a PCI card in a standard off-the-self personal computer, provides a hardware base that allows for a three-level, hierarchical multiprocessor software architecture. Also included in this paper is an attempt to quantify performance improvements that can be expected from the next generation of Intel network processors and other similar devices using an extrapolation of the software parameters included in this packet filter design.