Hybrid Tree-rule Firewall for High Speed Data Transmission
IEEE Transactions on Cloud Computing (IF 6.5), Pub Date: 2020-10-01, DOI: 10.1109/tcc.2016.2554548
Thawatchai Chomsiri, Xiangjian He, Priyadarsi Nanda, Zhiyuan Tan

Traditional firewalls employ listed rules in both the configuration and processing phases to regulate network traffic. However, configuring a firewall with listed rules may create rule conflicts and slow down the firewall. To overcome this problem, we proposed a Tree-rule firewall in our previous study. Although the Tree-rule firewall guarantees no conflicts within its rule set and operates faster than traditional firewalls, keeping track of the state of network connections using hashing functions incurs extra computational overhead. To reduce this overhead, we propose a hybrid Tree-rule firewall in this paper. This hybrid scheme takes advantage of both Tree-rule firewalls and traditional listed-rule firewalls. The GUIs of our Tree-rule firewalls are used to give users a means of creating conflict-free firewall rules, which are organized in a tree structure and called ‘tree rules’. These tree rules are later converted into listed rules that share the merit of being conflict-free. Finally, in decision making, the listed rules are checked against packet header information. The rules that have matched the most packets are moved up to the top positions by the core firewall. The mechanism applied in this hybrid scheme can significantly improve the functional speed of a firewall.
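An added illustration of the scheme the abstract describes, not code from the paper: tree rules are flattened into listed rules, checked for overlap, and reordered by hit count, which is safe only because non-overlapping rules give the same verdict in any order. The two-level tree (destination host number, then destination port), the integer ranges, the sample traffic and all function names are assumptions made for this example.

```python
from itertools import permutations

# Constructed tree rules. Assumed levels: destination host number -> destination
# port -> action. Sibling ranges at each level are disjoint (conflict-free).
TREE = [
    ((1, 50), [((0, 79), "DENY"), ((80, 80), "ACCEPT"), ((443, 443), "ACCEPT")]),
    ((51, 254), [((22, 22), "ACCEPT"), ((23, 65535), "DENY")]),
]

def flatten(tree, prefix=()):
    """Tree rules -> listed rules: one rule per root-to-leaf path."""
    rules = []
    for rng, child in tree:
        if isinstance(child, str):
            rules.append({"match": prefix + (rng,), "action": child, "hits": 0})
        else:
            rules.extend(flatten(child, prefix + (rng,)))
    return rules

def overlapping_pairs(rules):
    """Pairs of listed rules that can match the same packet (empty if conflict-free)."""
    def overlap(a, b):
        return all(l1 <= h2 and l2 <= h1 for (l1, h1), (l2, h2) in zip(a, b))
    return [(i, j) for i in range(len(rules)) for j in range(i + 1, len(rules))
            if overlap(rules[i]["match"], rules[j]["match"])]

def decide(rules, packet, default="DENY"):
    """First-match lookup. Returns (action, number of rules compared)."""
    for n, rule in enumerate(rules, start=1):
        if all(lo <= f <= hi for f, (lo, hi) in zip(packet, rule["match"])):
            rule["hits"] += 1
            return rule["action"], n
    return default, len(rules)

def promote(rules):
    """Move the most-hit rules to the top (stable sort keeps ties in place)."""
    rules.sort(key=lambda r: r["hits"], reverse=True)

def order_independent(rules, packets):
    """True if every ordering of the rules gives every packet the same verdict."""
    base = [decide(rules, p)[0] for p in packets]
    return all([decide(list(perm), p)[0] for p in packets] == base
               for perm in permutations(rules))

if __name__ == "__main__":
    rules, traffic = flatten(TREE), [(60, 22)] * 8 + [(10, 80), (10, 443)]  # constructed
    before = sum(decide(rules, p)[1] for p in traffic)
    promote(rules)
    print(overlapping_pairs(rules), before, sum(decide(rules, p)[1] for p in traffic))
```

Running `overlapping_pairs` on a hand-written rule list before enabling hit-count reordering shows whether promotion could change a verdict: any non-empty result means first-match order still matters for that list.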

Updated: 2020-10-01