In an attempt to increase FireWall-1 throughput, Nokia implemented what is essentially a copy of the connection table at the device driver level. In what Nokia terms flowpath, incoming packets now get a connection table lookup at the same time they get a routing table lookup from the network interface device driver. The connection table lookup is done with the cached copy, not the FireWall-1 copy. If the packet matches an established connection, it is immediately forwarded on to its destination. If the packet does not match a connection table entry, it is passed up to the FireWall-1 kernel module, where it continues with the slowpath process as normal. Changes to the FireWall-1 connect...
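The lookup order described above, as an added example that is not Nokia's or Check Point's code: a direct-mapped cache stands in for the driver-level copy of the connection table, and a one-rule policy stands in for the FireWall-1 kernel module. All names, the table size and the rule are hypothetical. The model assumes that accepted connections are mirrored into the cache and that removed connections are deleted from it.

```c
#include <stdint.h>

/* Constructed model; every identifier here is hypothetical. */
enum verdict { FWD_FLOWPATH, FWD_SLOWPATH, DROPPED };
struct flow { uint32_t src, dst; uint16_t sport, dport; uint8_t proto; };

#define SLOTS 64
static struct flow cache[SLOTS];   /* driver-level cached copy */
static uint8_t used[SLOTS];

static unsigned slot_of(const struct flow *f) {
    uint32_t h = f->src ^ f->dst ^ ((uint32_t)f->sport << 16) ^ f->dport ^ f->proto;
    return (h ^ (h >> 16)) % SLOTS;
}

/* Field-by-field compare, so struct padding never affects the match. */
static int same(const struct flow *a, const struct flow *b) {
    return a->src == b->src && a->dst == b->dst && a->sport == b->sport
        && a->dport == b->dport && a->proto == b->proto;
}

/* Stand-in rulebase (assumption): allow only TCP to port 443. */
static int policy_allows(const struct flow *f) { return f->proto == 6 && f->dport == 443; }

/* Slowpath: full inspection; an accepted flow is mirrored into the cache. */
static enum verdict slowpath(const struct flow *f) {
    if (!policy_allows(f)) return DROPPED;   /* denied flows are never cached */
    unsigned s = slot_of(f);
    cache[s] = *f; used[s] = 1;              /* a colliding entry is evicted */
    return FWD_SLOWPATH;
}

/* Driver receive path: a cache hit forwards at once, a miss goes up the stack. */
enum verdict rx(const struct flow *f) {
    unsigned s = slot_of(f);
    if (used[s] && same(&cache[s], f)) return FWD_FLOWPATH;
    return slowpath(f);
}

/* When a connection is removed, its cached entry must go too;
 * otherwise rx() would keep forwarding it without inspection. */
void conn_delete(const struct flow *f) {
    unsigned s = slot_of(f);
    if (used[s] && same(&cache[s], f)) used[s] = 0;
}

int main(void) {
    struct flow a = {0x0a000001, 0x0a000002, 40000, 443, 6};  /* constructed sample */
    return !(rx(&a) == FWD_SLOWPATH && rx(&a) == FWD_FLOWPATH);
}
```

Only the first packet of an allowed connection pays for inspection; every later packet is forwarded on the strength of the cache entry alone, which is why keeping the cached copy consistent with the firewall's own table matters.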


Kind of like dCEF!