DocumentCode
1566652
Title
A matching algorithm of Netfilter connection tracking based on IP flow
Author
Zhang, Ke ; Wang, Juan ; Ren, Dasen
Author_Institution
Comput. & Network Center, Guizhou Univ. for Nat., Guiyang
fYear
2008
Firstpage
199
Lastpage
203
Abstract
To improve the performance of the Linux Netfilter firewall framework when packets are matched under stateful inspection, this paper analyzes the mechanism of the stateful inspection firewall and the data structure of the Netfilter connection tracking hash table, and puts forward a connection tracking matching algorithm based on IP flow. The algorithm revises the data structure of the hash table's head node, adding a pointer to the collision-list node that was matched successfully last time, to reduce the time that later packets of a related connection spend traversing the collision list. The simulation experiment indicates that the algorithm is able to improve the efficiency of Netfilter firewall stateful inspection.
Keywords
IP networks; Linux; authorisation; cryptography; data structures; file organisation; IP flow; Linux; Netfilter connection tracking; Netfilter firewall framework; data structure; hash table; matching algorithm; stateful inspection firewall; Algorithm design and analysis; Application software; Computer networks; Data flow computing; Data structures; Electronic mail; Inspection; Kernel; Linux; Performance analysis; IP flow; Netfilter; connection tracking; stateful inspection;
fLanguage
English
Publisher
IEEE
Conference_Titel
Anti-counterfeiting, Security and Identification, 2008. ASID 2008. 2nd International Conference on
Conference_Location
Guiyang
Print_ISBN
978-1-4244-2584-6
Electronic_ISBN
978-1-4244-2585-3
Type
conf
DOI
10.1109/IWASID.2008.4688360
Filename
4688360