Description
The Move-Recursively-Forward (MRF) algorithm [1] has shown impressive results in speeding up packet classification for firewall rule sets. Its performance gains come from reordering firewall rules based on access patterns: frequently matched rules are promoted towards the front of the list, exploiting locality in network traffic to shorten the linear first-match scan. Because a rule may only overtake rules whose match conditions do not overlap with its own, and the rules it depends on are promoted together with it, the reordering does not change the intended firewall behavior. We applied this idea to the Linux nftables firewall and explored how well it scales across multiple CPU cores. Our initial prototype shows that the approach is feasible: under ideal conditions, testbed evaluations demonstrate throughput up to 5x that of the default nftables implementation. Further, even under sub-optimal conditions, our prototype matches the performance of the static-list lookup.
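As an added illustration (not the talk's nftables prototype and not code from the cited paper), the following Python simulation shows the reordering idea on a small constructed rule set: a first-match list, the overlap relation that fixes which rules may never swap places, a move-recursively-forward step that promotes a hit rule together with every rule it transitively depends on, and a probe check showing that a naive move-to-front silently flips a verdict while MRF preserves the static list's semantics. The rule names, addresses, port ranges, traffic mix and the simplified (src, dst, dport) overlap test are all constructed for this example.

```python
"""Move-Recursively-Forward (MRF) on a first-match firewall rule list.

Added example; not the nftables prototype from the talk. Rules, packets and the
overlap test are constructed here for illustration.
"""
import ipaddress
from dataclasses import dataclass

ip, net = ipaddress.ip_address, ipaddress.ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: tuple            # inclusive (lo, hi)
    action: str

    def matches(self, pkt):
        src, dst, dport = pkt
        return src in self.src and dst in self.dst and self.dports[0] <= dport <= self.dports[1]


def overlaps(a, b):
    """True if some packet could match both rules; only then does their order matter."""
    return (a.src.overlaps(b.src) and a.dst.overlaps(b.dst)
            and a.dports[0] <= b.dports[1] and b.dports[0] <= a.dports[1])


def first_match(rules, pkt):
    return next((r.name for r in rules if r.matches(pkt)), "policy")   # "policy" = chain default


class RuleList:
    """mode: 'static' (no reordering), 'mrf' (dependency-aware), 'mtf' (naive move-to-front)."""

    def __init__(self, rules, mode="mrf"):
        self.rules, self.mode, self.comparisons = list(rules), mode, 0
        # Partial order fixed by the administrator's original list: a rule must stay
        # behind every earlier rule it overlaps with, or first-match semantics change.
        self.must_precede = {r.name: {q.name for q in rules[:i] if overlaps(q, r)}
                             for i, r in enumerate(rules)}

    def classify(self, pkt):
        for i, r in enumerate(self.rules):
            self.comparisons += 1
            if r.matches(pkt):
                if self.mode == "mrf":
                    self._move_recursively_forward(r)
                elif self.mode == "mtf":
                    self.rules.insert(0, self.rules.pop(i))
                return r.name
        return "policy"

    def _move_recursively_forward(self, hit):
        # The hit rule and everything it transitively depends on move to the front as a
        # block, keeping their relative order; all other rules keep their order too.
        moving, stack = set(), [hit.name]
        while stack:
            n = stack.pop()
            if n not in moving:
                moving.add(n)
                stack.extend(self.must_precede[n])
        self.rules = ([r for r in self.rules if r.name in moving]
                      + [r for r in self.rules if r.name not in moving])

    def respects_partial_order(self):
        pos = {r.name: i for i, r in enumerate(self.rules)}
        return all(pos[q] < pos[r] for r, deps in self.must_precede.items() for q in deps)


# Constructed rule set. drop-ssh overlaps allow-ssh-admin, so it must never overtake it.
RULES = [
    Rule("allow-dns",       net("10.0.0.0/8"),   net("10.0.0.53/32"), (53, 53),     "accept"),
    Rule("allow-web",       net("0.0.0.0/0"),    net("10.0.1.0/24"),  (80, 443),    "accept"),
    Rule("drop-telnet",     net("0.0.0.0/0"),    net("10.0.0.0/8"),   (23, 23),     "drop"),
    Rule("allow-ssh-admin", net("10.0.2.0/24"),  net("10.0.0.0/8"),   (22, 22),     "accept"),
    Rule("drop-ssh",        net("0.0.0.0/0"),    net("10.0.0.0/8"),   (22, 22),     "drop"),
    Rule("allow-db",        net("10.0.1.0/24"),  net("10.0.3.10/32"), (5432, 5432), "accept"),
]
DB, SCAN, WEB = (ip("10.0.1.5"), ip("10.0.3.10"), 5432), (ip("203.0.113.9"), ip("10.0.0.7"), 22), \
    (ip("198.51.100.4"), ip("10.0.1.20"), 443)
STREAM = ([DB] * 7 + [SCAN] * 2 + [WEB]) * 10          # constructed, skewed traffic: 100 packets
PROBES = [DB, SCAN, WEB, (ip("10.0.2.4"), ip("10.0.0.7"), 22),   # admin SSH, must stay accepted
          (ip("203.0.113.9"), ip("10.0.0.7"), 23), (ip("10.9.9.9"), ip("10.0.0.1"), 9999)]


def run(mode, stream=STREAM, probes=PROBES):
    """Classify the stream; after every packet, re-check that the probes still get the
    static list's verdicts. Returns (decisions, comparisons, semantics_preserved, list)."""
    expected = [first_match(RULES, q) for q in probes]
    rl, decisions, preserved = RuleList(RULES, mode), [], True
    for p in stream:
        decisions.append(rl.classify(p))
        preserved &= [first_match(rl.rules, q) for q in probes] == expected
    return decisions, rl.comparisons, preserved, rl


if __name__ == "__main__":
    for mode in ("static", "mrf", "mtf"):
        _, cost, ok, _ = run(mode)
        print(f"{mode:6s} rule checks={cost:4d}  semantics preserved={ok}")
```

On this traffic mix MRF needs 205 rule checks for the 100 packets against 540 for the static order, while giving identical verdicts. Naive move-to-front also gives identical verdicts on the observed stream, which is exactly what makes it dangerous: the first port-22 scan pushes drop-ssh ahead of allow-ssh-admin, and the rarely seen admin login is now dropped, a change no hot-path test would notice. MRF avoids this by promoting allow-ssh-admin together with drop-ssh.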
In this talk, we will share our results, discuss key implementation details, and invite feedback from the community on potential pathways toward upstream integration.
[1]: V. Addanki, M. Pacut, A. Pourdamghani, G. Rétvári, S. Schmid and J. Vanerio, "Self-Adjusting Partially Ordered Lists," IEEE INFOCOM 2023 - IEEE Conference on Computer Communications, New York City, NY, USA, 2023, pp. 1-10, doi: 10.1109/INFOCOM53939.2023.10228937.