Many existing packet filter implementations use rule set guided packet classification to discriminate incoming network traffic. However, these implementations often rely on slow linear search through the rule set, which diminishes the achievable throughput. Therefore, we propose RuleBender, a rule set transformation technique that encodes decision tree search structures into the transformed rule set, which in turn can be traversed significantly faster. To this end, RuleBender uses the widely supported jump action feature, that enables the redirection of the matching flow to another rule in the otherwise linearly traversed rule set. That way, incoming packets are directed to small sub rule sets that can be searched quickly. In contrast to related work, RuleBender is not restricted to rules that exclusively define geometric matching criteria such as range or subnet tests, but instead inherently supports complex tasks such as payload inspection. RuleBender-generated rule sets can lead to throughput increases up to 13x when compared to the unmodified rule sets, and up to 4x when compared to related work.
