Parallel Implementation of Linux Packet Filtering

Parallel Implementation of Linux Packet Filtering

Keyvan Karimi, Arash Ahmadi, Mahmood Ahmadi


Packet filtering specifies which type of traffic is allowed to/from organizational network. Each data packet is compared against a rule set. The number of comparisons that must be performed is increased when the size of the rule set is increased. In high bandwidth networks the packet filtering becomes a time consuming task which can reduce the overall throughput. To solve this problem a wide range of researches have been done to improve the overall throughput of packet filtering firewalls. In this paper, comparison of data packet against the rule set for IPTables is performed in user-space by employing parallel processing capability of Graphics Processing Unit. The results show that the CPU-GPU parallel code brings higher throughput over CPU version of IPTables code. The overall throughput for 80 bytes packet size and rule set size of 10,000 is about 400,000 Packets-Per-Second which is 43 times faster than CPU version code.


GPU, IPTables, Packet Filtering, Parallel Processing, Throughput, Packet Delay