Routers must perform packet classi cation at high speeds to e ciently implement functions such as rewalls. The classication can be based on an arbitrary number of pre x and range elds in the packet header. The classi cation required for rewalls is beyond the capabilities o ered by standard Operating System classi ers such as BPF 12 , DPF 7 , PathFinder 1 and others. In fact, there are theoretical results that show the general rewall classi cation problem has poor worst case cost:for searching over N arbitrary lters using k packet elds, either the worst-case search time is log N k,1 or the worstcase storage is ON k .In this paper, we re-examine two basic mechanisms that have been dismissed in the literature as being too ine cient: backtracking search and set pruning trees. We nd using real databases that the time for backtracking search i s m uch better than the worst case bound; instead of logN k,1 , the search time is only roughly twice the optimal search time 1 . Similarly, w e nd that set pruning trees using a DAG optimization have m uch better storage costs than the worst case bound; it has memory requirements similar to the RFC s c heme of Gupta and McKeown 10 . We also propose several new techniques to further improve the two basic mechanisms. Our major ideas are a novel compression algorithm, the ability t o trade smoothly between backtracking and set pruning, and algorithms to e ectively make use of hardware if hardware is available. We quantify the performance gain of each technique using real databases. We show that on real rewall databases our schemes, with the accompanying optimizations, are close to optimal in time and storage.