ULTRIX The Packet Filter: An Efficient Mechanism for User-Level Code

Order Number: AA-PBM2A-TE

This document describes The Packet Filter, a kernel-resident network packet demultiplexer implemented as a pseudodevice driver within the ULTRIX operating system (Version 4.0 or higher, as of June 1990).

The paper addresses the common dilemma in network protocol implementation: kernel-resident code offers high performance but is difficult to develop, debug, and maintain, while user-level code is easier but typically suffers from poor performance due to excessive context switches and system calls for packet demultiplexing.

The Packet Filter aims to provide an efficient mechanism for user-level network code by combining the performance benefits of kernel-residency with the flexibility of user-level control. Key aspects include:

  • Functionality: It provides a raw interface to network data link layers (like Ethernet), allowing user processes to transmit and receive raw packets.
  • Packet Selection: User processes bind a "filter" (a predicate defined in a small stack-based language) to a packet filter port. This allows them to specify exactly which packets they wish to receive based on arbitrary, dynamically variable criteria within the packet header, eliminating the need for kernel modifications to support new protocols.
  • Efficiency: Being kernel-resident, it delivers packets with minimal system calls and context switches. Received packets can be batched to further amortize overhead. Access control is managed through filter priorities.
  • Practical Value: The packet filter has been in production use for several years, facilitating the development of various user-level network protocols (e.g., Pup, V-system IKP/VMTP, RARP) and network monitoring tools, insulating them from underlying OS changes.
  • Performance: While kernel-resident protocol implementations are generally faster (e.g., 2-3 times faster for bulk data transfer compared to packet filter-based VMTP), the packet filter significantly outperforms pure user-level demultiplexing. The paper concludes it offers "decent performance while retaining the flexibility of a user-level demultiplexer," especially in systems where context-switching is expensive.
  • Limitations: The filter language primarily handles fixed-offset headers, and further optimizations (like compiling filters to machine code) are suggested as future improvements.
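
To make the "Packet Selection" and "Limitations" points concrete, here is a minimal stack-machine filter evaluator, added as an illustration; it is not code from the paper or from ULTRIX. The opcode names, the instruction encoding and the sample frames are hypothetical, and it assumes 16-bit big-endian words read at fixed offsets. Because the filter comes from a user process, any malformed program or out-of-range read rejects the packet.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical, simplified opcodes; NOT the ULTRIX instruction encoding. */
enum pf_op { PF_PUSHLIT, PF_PUSHWORD, PF_EQ, PF_AND };
struct pf_insn { enum pf_op op; uint16_t arg; };
#define PF_STACK 8

/* Returns 1 to accept the packet, 0 to reject. Stack overflow/underflow,
 * a read past the end of the packet, or an unknown opcode all reject, so
 * an untrusted filter cannot drive the evaluator out of bounds. */
int pf_match(const struct pf_insn *prog, size_t n,
             const uint8_t *pkt, size_t len)
{
    uint16_t st[PF_STACK];
    size_t sp = 0;
    for (size_t i = 0; i < n; i++) {
        uint16_t v;
        switch (prog[i].op) {
        case PF_PUSHLIT:
            v = prog[i].arg; break;
        case PF_PUSHWORD: {
            /* arg is a fixed 16-bit word offset from the start of the packet */
            size_t off = (size_t)prog[i].arg * 2;
            if (off + 2 > len) return 0;
            v = (uint16_t)((pkt[off] << 8) | pkt[off + 1]);
            break;
        }
        case PF_EQ:
        case PF_AND:
            if (sp < 2) return 0;            /* underflow: reject */
            sp -= 2;
            v = prog[i].op == PF_EQ ? (st[sp] == st[sp + 1])
                                    : (st[sp] && st[sp + 1]);
            break;
        default:
            return 0;
        }
        if (sp == PF_STACK) return 0;        /* overflow: reject */
        st[sp++] = v;
    }
    return sp == 1 && st[0] != 0;            /* exactly one true result */
}

/* Constructed samples: accept frames whose Ethernet type (word 6) is RARP, 0x8035. */
const struct pf_insn rarp_filter[] = {
    { PF_PUSHWORD, 6 }, { PF_PUSHLIT, 0x8035 }, { PF_EQ, 0 },
};
const uint8_t rarp_frame[14] = { 0xff,0xff,0xff,0xff,0xff,0xff, 2,0,0,0,0,1, 0x80,0x35 };
const uint8_t ip_frame[14]   = { 0xff,0xff,0xff,0xff,0xff,0xff, 2,0,0,0,0,1, 0x08,0x00 };
```

Passing a length of 12 for `rarp_frame` simulates a truncated packet: the type word is out of range, so the filter rejects instead of reading past the buffer.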

June 1990, 25 pages