GitHub Repository

IPSet for strings: scalable pattern matching for packet payloads

3 stars · C

500x faster string matching for Linux Netfilter (O(1) vs. O(N))

by landerrosette·Feb 15, 2026·4 points·0 comments

AI Analysis


558x faster pattern matching in the kernel using Aho–Corasick; still matches patterns that span IP fragments.

Strengths
  • Algorithmic gain: one automaton pass per packet costs the same whether 3 or 3,000 patterns are loaded (O(1) in the rule count), while xt_string runs one linear search per rule (O(N)); the author reports throughput going from under 2 Mbps to above 1 Gbps at 3,000 patterns
  • Solves a real trade-off: xt_string makes you pick either its fast Boyer–Moore mode, which can miss patterns spanning IP fragments, or a slower mode that does not; Strider claims both speed and correctness
  • Built for production use: lockless RCU-protected datapath, matching across IP fragments, dynamic rule updates
Weaknesses
  • Niche audience: the gain only matters once a ruleset holds hundreds or thousands of patterns; most xt_string users never hit that wall
  • Kernel module maintenance burden: an out-of-tree GPL module needs ongoing work to keep up with kernel API changes
Target Audience

Network security engineers, sysadmins managing high-volume firewall rules, kernel developers

Similar To

xt_string (kernel native, O(N), what this replaces) · Suricata (userspace IDS, but different architecture)

Post Description

I built a drop-in replacement for the kernel’s xt_string module.

xt_string scales linearly (O(N)), causing massive slowdowns with many rules. Strider uses Aho–Corasick for O(1) matching.

Key Features:

  • O(1) Algorithmic Complexity: Uses a compact, double-array trie-based Aho–Corasick automaton, sustaining above 1 Gbps when matching 3,000 patterns, while xt_string (KMP) drops below 2 Mbps.
  • Lockless Datapath: RCU-protected lookups ensure zero locking overhead on the packet processing hot path.
  • Correctness: Never misses patterns spanning across IP fragments (unlike xt_string’s fast Boyer–Moore mode).
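The two properties the post claims, constant per-byte cost regardless of pattern count and no misses across fragment boundaries, both follow from how an Aho–Corasick automaton is driven. The C program below is an added illustration written for this page, not code from the Strider repository: it builds a small Aho–Corasick automaton over a dense transition table (the module uses a double-array trie, which is only a memory-layout difference), then scans a constructed two-fragment payload twice, once resetting the automaton state at each fragment the way a per-packet search behaves, and once carrying the state across the boundary. The pattern set, the fragment contents and every function name (`ac_build`, `ac_feed`, `demo_scan`, …) are assumptions made up for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AC_MAX_NODES    256 /* enough for the demo patterns; sized for the demo, not for 3,000 rules */
#define AC_ALPHABET     256
#define AC_MAX_PATTERNS 64

struct ac_automaton {
    int next[AC_MAX_NODES][AC_ALPHABET]; /* transition table, completed in ac_build (dense, not double-array) */
    int fail[AC_MAX_NODES];              /* failure link: longest proper suffix that is a prefix of some pattern */
    int out[AC_MAX_NODES];               /* index of the pattern ending in this state, or -1 */
    int dict[AC_MAX_NODES];              /* nearest suffix state (via fail links) that has out >= 0, or -1 */
    int nodes;
    int npatterns;
};

static int ac_new_node(struct ac_automaton *ac)
{
    int n = ac->nodes++;
    memset(ac->next[n], 0xff, sizeof ac->next[n]); /* all-ones bytes == -1 in every int slot */
    ac->fail[n] = 0;
    ac->out[n] = -1;
    ac->dict[n] = -1;
    return n;
}

static void ac_init(struct ac_automaton *ac)
{
    ac->nodes = 0;
    ac->npatterns = 0;
    ac_new_node(ac); /* state 0 is the root */
}

/* Insert one pattern into the trie; returns its index, or -1 if the tables are full. */
static int ac_add(struct ac_automaton *ac, const char *pat)
{
    int s = 0;
    if (ac->npatterns >= AC_MAX_PATTERNS)
        return -1;
    for (const unsigned char *p = (const unsigned char *)pat; *p; p++) {
        if (ac->next[s][*p] < 0) {
            if (ac->nodes >= AC_MAX_NODES)
                return -1;
            ac->next[s][*p] = ac_new_node(ac);
        }
        s = ac->next[s][*p];
    }
    ac->out[s] = ac->npatterns;
    return ac->npatterns++;
}

/* Breadth-first computation of failure links. Missing edges are filled in with the
 * fail state's transition, so matching is one table lookup per byte, no backtracking. */
static void ac_build(struct ac_automaton *ac)
{
    int queue[AC_MAX_NODES], head = 0, tail = 0;

    for (int c = 0; c < AC_ALPHABET; c++) {
        int s = ac->next[0][c];
        if (s < 0)
            ac->next[0][c] = 0;  /* root loops to itself on bytes that start no pattern */
        else
            queue[tail++] = s;   /* depth-1 states already fail to the root */
    }
    while (head < tail) {
        int s = queue[head++];
        for (int c = 0; c < AC_ALPHABET; c++) {
            int t = ac->next[s][c];
            if (t < 0) {
                ac->next[s][c] = ac->next[ac->fail[s]][c]; /* borrow the fail state's transition */
                continue;
            }
            ac->fail[t] = ac->next[ac->fail[s]][c];
            ac->dict[t] = ac->out[ac->fail[t]] >= 0 ? ac->fail[t] : ac->dict[ac->fail[t]];
            queue[tail++] = t;
        }
    }
}

/* Per-flow matcher state: the automaton state is what must survive from one fragment to the next. */
struct ac_cursor {
    int state;
    uint64_t hits; /* bit i is set once pattern i has been seen */
};

static void ac_feed(const struct ac_automaton *ac, struct ac_cursor *cur, const uint8_t *buf, size_t len)
{
    int s = cur->state;
    for (size_t i = 0; i < len; i++) {
        s = ac->next[s][buf[i]];                           /* one lookup per byte, independent of pattern count */
        if (ac->out[s] >= 0)
            cur->hits |= 1ULL << ac->out[s];
        for (int d = ac->dict[s]; d >= 0; d = ac->dict[d]) /* shorter patterns that end here as suffixes */
            cur->hits |= 1ULL << ac->out[d];
    }
    cur->state = s;
}

/* Constructed demo input: four patterns and a payload split into two fragments so that
 * "/etc/passwd" straddles the boundary as "/etc/pa" | "sswd". */
static const char *demo_patterns[] = { "/etc/passwd", "cmd.exe", "<script", "UNION SELECT" };
static const char *demo_frags[] = { "GET /cgi-bin/x?f=../../etc/pa", "sswd&run=cmd.exe HTTP/1.1\r\n" };

/* Scan the fragments in order. carry_state == 0 mimics a per-fragment search that forgets
 * the automaton state between fragments; carry_state == 1 keeps it. Returns the hit mask. */
uint64_t demo_scan(int carry_state)
{
    static struct ac_automaton ac; /* 256 KiB of tables: keep it off the stack */
    struct ac_cursor cur = { 0, 0 };

    ac_init(&ac);
    for (size_t i = 0; i < sizeof demo_patterns / sizeof demo_patterns[0]; i++)
        ac_add(&ac, demo_patterns[i]);
    ac_build(&ac);

    for (size_t f = 0; f < sizeof demo_frags / sizeof demo_frags[0]; f++) {
        if (!carry_state)
            cur.state = 0;
        ac_feed(&ac, &cur, (const uint8_t *)demo_frags[f], strlen(demo_frags[f]));
    }
    return cur.hits;
}

int main(void)
{
    printf("per-fragment hits: 0x%llx\n", (unsigned long long)demo_scan(0)); /* cmd.exe only */
    printf("streaming hits:    0x%llx\n", (unsigned long long)demo_scan(1)); /* /etc/passwd and cmd.exe */
    return 0;
}
```

The per-fragment run reports only `cmd.exe` (bit 1), because neither fragment contains `/etc/passwd` on its own; the run that carries the automaton state reports both (bits 0 and 1). Adding more patterns grows the table but not the work done per byte in `ac_feed`, which is the property the post calls O(1). The demo assumes fragments arrive in order; in the kernel that ordering comes from defragmentation before the match hook runs, and Strider's own double-array trie and RCU-protected rule replacement are not shown here.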

Similar Projects


Poolnarc – catch hidden Linux cryptominers from two eBPF hooks

eBPF behavioral detection catches miners spoofing thread names without signature databases.
