A Prototype for In Situ Packet Filtering

Author

William Watson Cline, College of William and Mary

Date Thesis Awarded

5-2006

Access Type

Honors Thesis -- Access Restricted On-Campus Only

Degree Name

Bachelors of Science (BS)

Department

Computer Science

Advisor

Phil Kearns

Committee Members

Rex K. Kincaid

Dimitris S. Nikolopoulos

Abstract

Traditional packet-filtering firewalls control network traffic based on pre-defined rules. These rules operate on packet envelope information, such as the IP or Ethernet headers. Some new firewall applications use "deep filtering," operating on packet payloads. This requires quick access to the full contents of network packets, as well as the ability to modify those contents while the packet is in transit. The Linux kernel includes tools or performing both "shallow" header-based filtering and deep filtering. However, the current deep filtering implementation is too slow for some applications. We present a modified implementation of the Netfilter Project's I"-QUEU module with the goal of higher performance. Our prototype yields a modest but substantial speed improvement. We discuss this prototype and present suggestions for further improvements.,The license granted by the author do not apply to the contents of Appendix A: Selected code from original implementation and Appendix B: Selected code for new implementation.

Recommended Citation

Cline, William Watson, "A Prototype for In Situ Packet Filtering" (2006). Undergraduate Honors Theses. William & Mary. Paper 591.
https://scholarworks.wm.edu/honorstheses/591

Creative Commons License

This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 License.

Comments

Migrated from Dspace in 2016.