
Research And Design Of Packet Classification Based On Netfilter

Posted on: 2010-05-27
Degree: Master
Type: Thesis
Country: China
Candidate: Y M Lei
Full Text: PDF
GTID: 2178360275482475
Subject: Software engineering
Abstract/Summary:
QoS is highly desired in the next generation of networks. Many mechanisms, such as firewalls and VPNs, aim at this target, and they are commonly built on high-performance packet classification. For reasons of security and open source, many such applications are developed on the Linux platform. Netfilter/iptables was introduced, becoming the first packet filter framework in the Linux kernel. However, it is far from perfect. For one thing, its naive linear packet classification algorithm yields low performance when rule sets grow larger. For another, many implementation details are inefficient, especially the kernel-user space communication, which interrupts packet classification. As new services grow rapidly and rule sets get bigger, the Netfilter/iptables framework no longer has the capability to meet the requirements.

By researching general packet classification algorithms and analyzing the improvements made to iptables, this thesis presents an efficient packet classification system based on Netfilter, with the following working points:

1. Realizing a high-performance packet classification algorithm in the Linux kernel, based on reducing the multi-dimensional packet classification problem to a range location problem. Furthermore, this thesis extends the algorithm to solve the non-terminal packet classification problem introduced by iptables.
2. Using Netlink for kernel-user space communication. By committing one rule at a time instead of the whole rule set, this method avoids interrupting packet classification. Meanwhile, through proc I/O, users can query the statistical information of the kernel algorithm and set the maximum memory bound.
3. Making full use of Netfilter and other existing data structures in the Linux kernel. The main advantage is that packets can be captured directly from the kernel without modifying it, keeping the system stable. It also brings compatibility between the new framework and Netfilter/iptables.

The final tests confirm that the packet classification system based on the Netfilter mechanism constructed in this thesis performs better than the old Netfilter/iptables and has higher stability in all circumstances.
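As an added illustration of working point 1 (example code written here, not the thesis' own implementation), the following Python sketch reduces each dimension of a multi-field rule set to a range location problem in the style of a bit-vector classifier, then resolves iptables' non-terminal-target semantics on top of the matched rule set. The rule and packet representations, the four fields, the target names and the sample chain are all constructed assumptions.

```python
from bisect import bisect_right

# Constructed rule model (an assumption, not the thesis' structures): a rule is (target, {field: (lo, hi)}) with inclusive ranges; an absent field matches anything.
FULL = {"src": (0, 2**32 - 1), "dst": (0, 2**32 - 1), "proto": (0, 255), "dport": (0, 65535)}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # targets that end chain traversal; LOG/MARK do not

class BitVectorClassifier:
    """Each dimension is cut into elementary intervals carrying a bitmap of covering rules; classifying is one range location per field plus bitmap ANDs."""
    def __init__(self, rules, policy="ACCEPT"):
        self.rules, self.policy, self.bounds, self.bitmaps = rules, policy, {}, {}
        for f, full in FULL.items():
            rng = lambda r: r[1].get(f, full)
            # Interval boundaries: every rule's lo and hi + 1, plus the field's own lower bound.
            points = {full[0]} | {p for r in rules for p in (rng(r)[0], rng(r)[1] + 1)}
            self.bounds[f] = sorted(p for p in points if p <= full[1])
            # Rule i covers the interval starting at s iff lo <= s <= hi (intervals never straddle a rule bound).
            self.bitmaps[f] = [sum(1 << i for i, r in enumerate(rules) if rng(r)[0] <= s <= rng(r)[1])
                               for s in self.bounds[f]]

    def matches(self, pkt):
        """Bitmap of all matching rules: bit i is set iff rules[i] matches every field of pkt."""
        bm = (1 << len(self.rules)) - 1
        for f in FULL:
            idx = bisect_right(self.bounds[f], pkt[f]) - 1  # range location by binary search
            bm &= self.bitmaps[f][idx]
        return bm

    def classify(self, pkt):
        """iptables semantics: walk matching rules in chain order, collecting non-terminal targets until a terminal one gives the verdict, else the chain policy."""
        bm, side_effects, i = self.matches(pkt), [], 0
        while bm:
            if bm & 1:
                target = self.rules[i][0]
                if target in TERMINAL:
                    return target, side_effects
                side_effects.append(target)
            bm, i = bm >> 1, i + 1
        return self.policy, side_effects

def ip(a): return int.from_bytes(bytes(map(int, a.split("."))), "big")  # dotted quad -> int

RULES = [  # constructed sample chain, in iptables order
    ("LOG", {"dport": (22, 22)}),
    ("ACCEPT", {"src": (ip("10.0.0.0"), ip("10.0.255.255")), "dport": (22, 22)}),
    ("MARK", {"proto": (17, 17)}),
    ("DROP", {"dport": (0, 1023)}),
]

if __name__ == "__main__":
    print(BitVectorClassifier(RULES).classify({"src": ip("10.0.1.5"), "dst": 0, "proto": 6, "dport": 22}))
```

Because the lookup returns the full set of matching rules rather than the first match, the classifier can apply LOG and MARK before reaching the deciding ACCEPT or DROP, which is the non-terminal problem the abstract refers to.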
Keywords/Search Tags:Packet Classification, Netfilter Mechanism, Linux