In this paper, we discussed the architecture and implementation of the fairly fast packet filter. FFPF provides a complete monitoring platform that caters to most applications. It was shown to be both more flexible and more efficient than existing approaches. Speed is gained by minimising both packet copying and context switching, pushing processing to the lowest levels, and executing computationally expensive functions as native code. It was demonstrated that FFPF outperforms Linux socket filters even for traditional applications that make no use of FFPF's more advanced features. The concepts of flows and flow groups, the concatenation of expressions, the buffering mechanism that favours fast flows and the minimisation of copying are generic mechanisms that may serve as the basis for fast packet processing in any OS.
In a future version of FFPF, we will explore the notion of flow groups further. Specifically, readers that are `too slow' will be automatically placed in a separate flow group, lest they hinder fast applications. Also, we will shortly release a version of the architecture for use in application domains other than monitoring. For instance, in addition to packet reception, this version will be able to block, edit and (re)transmit packets, allowing for uses such as firewalling, network address translation and routing. Most of the required functionality is implemented, but currently not enabled in FFPF. Finally, we are in the process of developing a distributed version of FFPF.