You can use hashing to look up some sort of rule-cache.
When you receive a packet belonging to a given combination of src-address/
src-port/dst-address/dst-port it is likely you will receive more packets
with that combination in the future. You can then create a cache entry for
that combination indexed with a hash. Each time you receive a packet you
would have to look up this cache first. If you have a hit you would still
have to check it is not some other combination which hashes to the same
hash-value.
Something similar is used in routers to reduce the cost of looking up
routing rules, I think (correct me if I'm wrong :). I can imagine though
a router to have a lot more routing rules than someone is going to have
firewall rules.
Waldo Bastian
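The rule cache sketched in the post, as an added example (not code from the original message): a direct-mapped flow cache keyed on the src/dst address and port 4-tuple, where a bucket hit is only trusted after the stored tuple is compared field by field. The bucket count, the hash mixing constants and the verdict values (1 = accept, 0 = drop) are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define CACHE_BUCKETS 256   /* assumed size; small so collisions are easy to show */

struct flow_key { uint32_t saddr, daddr; uint16_t sport, dport; };
struct flow_entry { struct flow_key key; int verdict; int used; };
static struct flow_entry cache[CACHE_BUCKETS];

/* Hash the four fields explicitly (not the raw struct bytes) into a bucket index. */
static unsigned flow_hash(const struct flow_key *k) {
    uint32_t h = k->saddr * 2654435761u;
    h ^= k->daddr * 2246822519u;
    h ^= (((uint32_t)k->sport << 16) | k->dport) * 3266489917u;
    h ^= h >> 16;
    return h % CACHE_BUCKETS;
}

static int key_equal(const struct flow_key *a, const struct flow_key *b) {
    return a->saddr == b->saddr && a->daddr == b->daddr &&
           a->sport == b->sport && a->dport == b->dport;
}

/* Returns the cached verdict, or -1 on a miss. A bucket that is occupied by a
 * different 4-tuple (hash collision) is also a miss: its verdict must not be reused. */
int flow_cache_lookup(const struct flow_key *k) {
    struct flow_entry *e = &cache[flow_hash(k)];
    if (!e->used || !key_equal(&e->key, k))
        return -1;
    return e->verdict;
}

/* Store the verdict the full rule walk produced; a colliding entry is evicted. */
void flow_cache_insert(const struct flow_key *k, int verdict) {
    struct flow_entry *e = &cache[flow_hash(k)];
    e->key = *k; e->verdict = verdict; e->used = 1;
}

/* Helper for demonstration: a different flow that lands in the same bucket as k. */
struct flow_key colliding_key(const struct flow_key *k) {
    struct flow_key c = *k;
    unsigned target = flow_hash(k);
    do { c.sport++; } while (flow_hash(&c) != target);
    return c;
}

int main(void) {
    struct flow_key k = { 0x0A000001u, 0xC0A80001u, 40000, 80 }; /* constructed flow */
    flow_cache_insert(&k, 1);
    struct flow_key c = colliding_key(&k);
    printf("own flow: %d, colliding flow: %d\n",
           flow_cache_lookup(&k), flow_cache_lookup(&c)); /* 1 and -1 */
    return 0;
}
```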