Implementing Sequential Tests In A Packet Filter - 3Com corebuilder 3500 Implementation Manual

Implementing Sequential Tests in a Packet Filter
Filter language expressions are normally evaluated to completion: a packet is accepted if the value remaining on the top of the stack is nonzero. Frequently, however, a single test is insufficient to filter packets effectively. When more tests are warranted, you want to accept a packet that satisfies one of two cases:

    At least one criterion specified in two or more tests (that is, OR the results of the tests)

    or

    All criteria specified in two or more tests (that is, AND the results of the tests)
The accept and reject instructions are used to implement sequential tests,
as shown in Figure 37.
To optimize a filter's performance, exit the filter as early as possible. If you wait until the last instruction to make the forward or filter decision, more processing is needed for every packet.

The accept and reject instructions let you exit a filter early. When using them, construct the packet filter so that the tests that apply to the majority of the network traffic are performed first. This ensures that, for the majority of packets, the filter exits after the first test; only a small number of packets then require additional tests.

For example, assume you want to create a filter that checks for particular IPX attributes that you want to filter, but most of the traffic on your network is IP traffic. In this case, it is best to first check each packet to see whether it is an IP frame. If it is, you can accept the packet immediately. Only the smaller number of packets that carry IPX information are then subjected to additional tests.
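The following is an added example, not code from the CoreBuilder 3500 manual or the 3Com filter language itself. It is a toy stack-based evaluator modeled on the description above (expressions evaluated on a stack, a nonzero top of stack means accept, and accept/reject as early exits) and it counts how many instructions each packet costs under two orderings of the same IP and IPX tests. The opcode names (push_field_w, push_literal, eq, and, accept, reject), the choice that accept and reject pop the value they test, the 60-byte sample frames, and the IPX destination socket value 0x0455 chosen as "the attribute to filter" are all this example's assumptions.

```python
"""Toy stack-filter evaluator (added example, not the 3Com filter language).

Assumptions not taken from the manual: the opcode names below, that accept and
reject pop the value they test, and the constructed sample frames.
"""
from typing import List, Optional, Tuple

Instr = Tuple[str, Optional[int]]

ETHERTYPE_IP = 0x0800
ETHERTYPE_IPX = 0x8137              # Ethernet II encapsulated IPX
ETHERTYPE_OFFSET = 12               # EtherType field of an Ethernet II frame
IPX_DST_SOCKET_OFFSET = 14 + 16     # IPX destination socket, 16 bytes into the IPX header
FILTERED_SOCKET = 0x0455            # constructed "IPX attribute we want to filter"


def run_filter(program: List[Instr], frame: bytes) -> Tuple[bool, int]:
    """Evaluate program against frame; return (accepted, instructions_executed).

    accept/reject pop the top of the stack and exit immediately when it is
    nonzero. A program that runs to completion accepts iff the top of the
    stack is nonzero, as the manual describes.
    """
    stack: List[int] = []
    executed = 0
    for op, arg in program:
        executed += 1
        if op == "push_field_w":        # 16-bit big-endian field at byte offset arg
            stack.append(int.from_bytes(frame[arg:arg + 2], "big"))
        elif op == "push_literal":
            stack.append(arg)
        elif op == "eq":
            b, a = stack.pop(), stack.pop()
            stack.append(1 if a == b else 0)
        elif op == "and":
            b, a = stack.pop(), stack.pop()
            stack.append(1 if (a and b) else 0)
        elif op == "accept":            # early exit, packet forwarded
            if stack.pop():
                return True, executed
        elif op == "reject":            # early exit, packet dropped
            if stack.pop():
                return False, executed
        else:
            raise ValueError(f"unknown instruction {op}")
    return bool(stack and stack[-1]), executed


# Test 1: is this an IP frame?  (3 instructions, leaves 0/1 on the stack)
IS_IP: List[Instr] = [
    ("push_field_w", ETHERTYPE_OFFSET), ("push_literal", ETHERTYPE_IP), ("eq", None),
]
# Test 2: is this an IPX frame addressed to the socket we want to filter? (7 instructions)
IS_FILTERED_IPX: List[Instr] = [
    ("push_field_w", ETHERTYPE_OFFSET), ("push_literal", ETHERTYPE_IPX), ("eq", None),
    ("push_field_w", IPX_DST_SOCKET_OFFSET), ("push_literal", FILTERED_SOCKET), ("eq", None),
    ("and", None),
]

# Recommended ordering: the test that matches most traffic (IP) comes first and
# accepts immediately; only the remaining frames reach the IPX test.
ORDERED: List[Instr] = (
    IS_IP + [("accept", None)]
    + IS_FILTERED_IPX + [("reject", None)]
    + [("push_literal", 1)]             # everything else is accepted at completion
)
# Same tests, IPX test first: every IP frame pays for the IPX test before being accepted.
IPX_FIRST: List[Instr] = (
    IS_FILTERED_IPX + [("reject", None)]
    + IS_IP + [("accept", None)]
    + [("push_literal", 1)]
)


def make_frame(ethertype: int, dst_socket: int = 0) -> bytes:
    """Constructed 60-byte frame with only the fields the filters read filled in."""
    frame = bytearray(60)
    frame[ETHERTYPE_OFFSET:ETHERTYPE_OFFSET + 2] = ethertype.to_bytes(2, "big")
    if ethertype == ETHERTYPE_IPX:
        frame[IPX_DST_SOCKET_OFFSET:IPX_DST_SOCKET_OFFSET + 2] = dst_socket.to_bytes(2, "big")
    return bytes(frame)


# Constructed traffic mix: mostly IP, a little IPX, a few IPX frames to the filtered socket.
TRACE: List[bytes] = (
    [make_frame(ETHERTYPE_IP)] * 90
    + [make_frame(ETHERTYPE_IPX, 0x0451)] * 7
    + [make_frame(ETHERTYPE_IPX, FILTERED_SOCKET)] * 3
)


def run_trace(program: List[Instr], frames: List[bytes]) -> Tuple[int, int, int]:
    """Return (accepted, rejected, total_instructions_executed) over frames."""
    accepted = rejected = total = 0
    for frame in frames:
        ok, cost = run_filter(program, frame)
        total += cost
        if ok:
            accepted += 1
        else:
            rejected += 1
    return accepted, rejected, total


if __name__ == "__main__":
    for name, prog in (("IP test first", ORDERED), ("IPX test first", IPX_FIRST)):
        print(name, run_trace(prog, TRACE))
```

Both programs make identical forwarding decisions for every frame in the trace; only the cost differs. With the IP test first, each of the 90 IP frames exits after 4 instructions, whereas with the IPX test first each IP frame executes all 7 IPX-test instructions plus the reject before reaching the IP test, so the total instruction count for the trace is more than twice as high.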
The Packet Filtering Language
233

Advertisement

Table of Contents
loading

Table of Contents