Security session forwarding following virtual machine migration
US-2016323245-A1 · Nov 3, 2016 · US
US2016156591A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2016156591-A1 |
| Application number | US-201414558561-A |
| Country | US |
| Kind code | A1 |
| Filing date | Dec 2, 2014 |
| Priority date | Dec 2, 2014 |
| Publication date | Jun 2, 2016 |
| Grant date | — |
Abstract.
A context-aware distributed firewall scheme is provided. A firewall engine tasked to provide firewall protection for a set of network addresses applies a reduced set of firewall rules that are relevant to the set of addresses associated with the machine. A hypervisor implements a search structure that allows each virtual machine's filter to quickly identify relevant rules from all of the received rules. The search structure is constructed as a binary prefix tree, each node corresponding to an IP CIDR (Classless Inter-Domain Routing) block. A query for relevant rules traverses nodes of the search structure according to a queried IP address and collects all rules that are associated with the traversed nodes.
Claims.
What is claimed is:
1. A computing device serving as a host machine for operating data compute nodes (DCNs), the computing device executing a computer program comprising sets of instructions for: receiving a firewall rule; inserting a node that corresponds to the received firewall rule into a search tree structure; identifying a set of firewall rules that are relevant to a particular DCN by using the search tree structure; and performing firewall filtering for the particular DCN based on the identified relevant rules.
2. The computing device of claim 1, wherein the search tree structure is a binary prefix tree.
3. The computing device of claim 1, wherein the computer program is part of a virtualization software running on the computing device for operating a plurality of DCNs that includes the particular DCN.
4. The computing device of claim 1, wherein the search tree structure is for identifying relevant rules that use CIDR (Classless Inter-Domain Routing) blocks to specify source and destination address fields.
5. The computing device of claim 4, wherein performing firewall filtering for the particular DCN is further based on firewall rules that do not use CIDR blocks to specify source and destination address fields.
6. The computing device of claim 4, wherein the inserted node corresponds to a CIDR block that is used to specify the received firewall rule.
7. The computing device of claim 1, wherein the firewall rule is received from a network manager of a datacenter in which the computing device is situated, wherein the received firewall rule is specified by the network manager for protecting DCNs in the datacenter.
8. A computing device serving as a host machine for operating data compute nodes (DCNs), the computing device executing a computer program comprising sets of instructions for: receiving a firewall rule; locating a node that corresponds to the received firewall rule in a search tree structure and associating the received firewall rule with the located node; identifying a set of firewall rules that are relevant to a particular DCN by using the search tree structure; and performing firewall filtering for the particular DCN based on the identified relevant rules.
9. The computing device of claim 8, wherein the search tree structure is a binary prefix tree.
10. The computing device of claim 8, wherein locating the node that corresponds to the received firewall rule comprises traversing the search tree structure according to a binary string of a CIDR (Classless Inter-Domain Routing) block that is used to specify the received rule.
11. The computing device of claim 8, wherein the search tree structure is for identifying relevant rules that use CIDR blocks to specify source and destination address fields.
12. The computing device of claim 11, wherein performing firewall filtering for the particular DCN is further based on firewall rules that do not use CIDR blocks to specify source and destination address fields.
13. The computing device of claim 11, wherein the located node corresponds to a CIDR block that is used to specify the received firewall rule.
14. The computing device of claim 8, wherein the firewall rule is received from a network manager of a datacenter in which the computing device is situated, wherein the received firewall rule is specified by the network manager for protecting DCNs in the datacenter.
15. A method comprising: receiving a query for firewall rules applicable to a particular IP address; traversing a prefix tree of firewall rules, the prefix tree comprising a plurality of nodes that each correspond to a CIDR (Classless Inter-Domain Routing) block, wherein each of at least some of the nodes is associated with one or more firewall rules that are specified using the CIDR block of the node, wherein said traversing comprises traversing nodes according to a binary string of the particular IP address; identifying the firewall rules associated with the traversed nodes as firewall rules that are relevant to the particular IP address; and performing firewall filtering for the particular IP address based on the identified relevant rules.
16. The method of claim 15, wherein identifying the firewall rules associated with the traversed nodes comprises collecting firewall rules from at least two different traversed nodes.
17. The method of claim 15, wherein each CIDR block corresponds to an IP subnet.
18. The method of claim 15, wherein each of the traversed nodes corresponds to a CIDR block that encompasses the particular IP address.
19. The method of claim 15, wherein each node is associated with a suffix substring, wherein traversing the prefix tree comprises selecting a child node of a currently traversed node associated with a suffix substring that matches corresponding bits in the binary string of the particular IP address.
20. The method of claim 19, wherein said traversing terminates when none of the child nodes of the currently traversed node is associated with a suffix substring that matches the corresponding bits in the binary string of the particular IP address.
21. The method of claim 15, wherein a firewall rule that specifies a CIDR block as source or destination address is associated with a node in the prefix tree that corresponds to the CIDR block.
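The search structure that the abstract and claims 15 to 21 describe, shown as an added example written for this page (it is not the patent's or the assignee's implementation): a path-compressed binary prefix tree in which each node carries the suffix substring of address bits that leads to it from its parent, a rule is attached to the node of the CIDR block it was written with, and a query walks the tree along the bit string of the queried address, collecting the rules of every traversed node and stopping as soon as no child label matches the next bits. The rule identifiers, address blocks and the helpers `relevant_rules` and `build_sample_tree` are constructed for the example; the split-on-insert logic is one reasonable way to keep the tree consistent regardless of the order in which rules arrive.

```python
"""Path-compressed binary prefix tree of firewall rules keyed by CIDR block.

Example code for illustration only; rule names and blocks below are made up.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Node:
    """label: suffix substring of address bits from the parent to this node.
    The bits accumulated from the root to here form the node's CIDR block;
    rules holds the rules that were specified using exactly that block."""
    label: str = ""
    rules: list = field(default_factory=list)
    children: dict = field(default_factory=dict)   # first bit of child label -> child


def _bits(value, width):
    return format(value, f"0{width}b")


def _common_prefix_len(a, b):
    n = 0
    while n < min(len(a), len(b)) and a[n] == b[n]:
        n += 1
    return n


class RulePrefixTree:
    """One root per address family so a v4 /8 never shadows v6 addresses."""

    def __init__(self):
        self.roots = {4: Node(), 6: Node()}

    def insert(self, cidr, rule):
        net = ipaddress.ip_network(cidr, strict=False)
        bits = _bits(int(net.network_address), net.max_prefixlen)[: net.prefixlen]
        node = self.roots[net.version]
        while bits:
            child = node.children.get(bits[0])
            if child is None:                        # no path yet: hang a new leaf
                node.children[bits[0]] = Node(label=bits, rules=[rule])
                return
            common = _common_prefix_len(bits, child.label)
            if common == len(child.label):           # child's block encloses ours
                node, bits = child, bits[common:]
                continue
            # Partial match: split the child so the shared bits get their own node.
            mid = Node(label=child.label[:common])
            child.label = child.label[common:]
            mid.children[child.label[0]] = child
            node.children[mid.label[0]] = mid
            rest = bits[common:]
            if rest:
                mid.children[rest[0]] = Node(label=rest, rules=[rule])
            else:
                mid.rules.append(rule)               # our block is the shared prefix
            return
        node.rules.append(rule)                      # node already exists (or /0 root)

    def query(self, ip):
        """Rules of every node on the path whose block encloses ip, root first.
        The walk stops when no child label matches the next bits (claim 20)."""
        addr = ipaddress.ip_address(ip)
        bits = _bits(int(addr), addr.max_prefixlen)
        node = self.roots[addr.version]
        found = list(node.rules)                     # root == 0.0.0.0/0 or ::/0
        while bits:
            child = node.children.get(bits[0])
            if child is None or not bits.startswith(child.label):
                break
            found.extend(child.rules)
            node, bits = child, bits[len(child.label):]
        return found


def relevant_rules(tree, dcn_addresses, non_cidr_rules=()):
    """Reduced rule set for one DCN: the union over its addresses of the
    CIDR-indexed rules, plus rules not written with CIDR blocks (claims 5/12),
    which the tree cannot index and so must always be kept."""
    out = {}
    for ip in dcn_addresses:
        for rule in tree.query(ip):
            out.setdefault(rule, None)
    for rule in non_cidr_rules:
        out.setdefault(rule, None)
    return list(out)


def build_sample_tree():
    """Constructed sample rule set (not taken from the patent)."""
    tree = RulePrefixTree()
    for cidr, rule in [
        ("10.0.0.0/8", "r-dc-any"),
        ("10.1.2.0/24", "r-tenant-a-db"),   # inserted before its /16 on purpose
        ("10.1.0.0/16", "r-tenant-a"),      # forces a node split
        ("10.2.0.0/16", "r-tenant-b"),      # splits again at the shared /14 prefix
        ("0.0.0.0/0", "r-default-deny"),
        ("192.168.100.0/24", "r-mgmt"),
        ("2001:db8::/32", "r-v6-lab"),
    ]:
        tree.insert(cidr, rule)
    return tree


if __name__ == "__main__":
    t = build_sample_tree()
    for ip in ("10.1.2.7", "10.2.5.1", "10.3.0.1", "172.16.0.1", "2001:db8::1"):
        print(ip, t.query(ip))
    print(relevant_rules(t, ["10.1.2.7", "192.168.100.9"], ["r-ipset-jumphosts"]))
```

Every node on the returned path corresponds to a block that encloses the queried address (claim 18), so a rule written for 10.0.0.0/8 is found for an address in a tenant's /24 without scanning the whole rule set, and 10.3.0.1 stops at the /14 split node because neither child label matches its next bits. A production filter would keep one such index for source fields and one for destination fields; the page does not say how the patent's engine treats rules whose source and destination are in different blocks, and this example does not try to.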
Hypervisor-specific management and integration aspects · CPC title
Isolation or security of virtual machine instances · CPC title
Network integration; Enabling network access in virtual machine instances · CPC title
Rule management · CPC title
Hypervisors; Virtual machine monitors · CPC title