Address grouping for distributed service rules

US 10,135,727 B2
Filed: 04/29/2016
Issued: 11/20/2018
Est. Priority Date: 04/29/2016
Status: Active Grant

First Claim

Patent Images

1. For a network controller that manages a flow-based managed forwarding element (MFE), a method comprising:

receiving a plurality of service rules for implementation by the MFE, wherein each service rule matches over a set of network addresses, wherein at least one network address is in the set of network addresses for at least two service rules;

grouping the network addresses into non-overlapping groups of network addresses, wherein each group of network addresses comprises addresses that are all matched by only a same set of service rules; and

generating flow entries that match over the groups of network addresses for the MFE to use to implement the service rules,wherein said receiving, grouping, and generating is performed by the network controller, which is executed by a set of hardware processing units on a computer.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Some embodiments provide a method for a network controller that manages a flow-based managed forwarding element (MFE). The method receives multiple service rules for implementation by the MFE. Each service rule matches over a set of network addresses. At least one network address is in the set of network addresses for at least two service rules. The method groups the network addresses into non-overlapping groups of network addresses, each of which addresses that are all matched by only a same set of service rules. The method generates flow entries that match over the groups of network addresses for the MFE to use to implement the service rules.

179 Citations

23 Claims

1. For a network controller that manages a flow-based managed forwarding element (MFE), a method comprising:
- receiving a plurality of service rules for implementation by the MFE, wherein each service rule matches over a set of network addresses, wherein at least one network address is in the set of network addresses for at least two service rules;
  
  grouping the network addresses into non-overlapping groups of network addresses, wherein each group of network addresses comprises addresses that are all matched by only a same set of service rules; and
  
  generating flow entries that match over the groups of network addresses for the MFE to use to implement the service rules,wherein said receiving, grouping, and generating is performed by the network controller, which is executed by a set of hardware processing units on a computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein the service rules are distributed firewall rules.
  - 3. The method of claim 2, wherein each distributed firewall rule matches over a set of source network addresses, a set of destination network addresses, a set of source ports, and a set of destination ports.
  - 4. The method of claim 1, wherein the network addresses are Internet Protocol (IP) addresses.
  - 5. The method of claim 1, wherein the network addresses are Media Access Control (MAC) addresses.
  - 6. The method of claim 1, wherein the set of network addresses are source addresses and each service rule additionally matches over a set of destination addresses, the method further comprising:
    - grouping the destination addresses into non-overlapping groups of destination addresses, wherein each group of destination addresses comprises destination addresses that are all matched by only a same set of service rules; and
      
      generating flow entries for the MFE to use to implement the service rules that match over the groups of destination addresses.
  - 7. The method of claim 6, wherein a particular network address is matched as a source address for a first rule and a destination address for a second rule.
  - 8. The method of claim 1, wherein grouping the network addresses into non-overlapping groups comprises:
    - identifying all of the network addresses that belong to at least one of the sets of network addresses;
      
      for each identified network address, determining a set of rules that match over the network address; and
      
      when a same set of rules is determined for a first network address and a second network address, grouping the first and second network addresses together.
  - 9. The method of claim 8, wherein grouping the network addresses into non-overlapping groups further comprises assigning an identifier to each group, the identifiers used to generate the flow entries.
  - 10. The method of claim 1, wherein generating flow entries comprises:
    - generating a first stage of flow entries for mapping the network address of a packet to a group of network addresses; and
      
      generating at least one additional stage of flow entries for mapping a packet to a highest-priority matching service rule.
  - 11. The method of claim 10, wherein the additional stage of flow entries matches over an identifier for the group of network addresses.
  - 12. The method of claim 10, wherein the additional stages of flow entries comprise a separate stage for each parameter over which the service rule maps, including the network addresses.
  - 13. The method of claim 12, wherein the additional stages of flow entries use conjunctive matching.
  - 14. The method of claim 1, wherein the network controller is a local controller that operates on a same physical machine as the MFE.
  - 15. The method of claim 14, wherein both the local controller and the MFE operate within virtualization software of the physical machine.
  - 16. The method of claim 14, wherein the local controller receives the plurality of service rules from a centralized controller, wherein the local controller is responsible for converting the plurality of service rules into a format useable by the MFE.

17. A non-transitory machine readable medium storing a network controller application which when executed by at least one processing unit manages a flow-based managed forwarding element (MFE), the network controller application comprising sets of instructions for:
- receiving a plurality of service rules for implementation by the MFE, wherein each service rule matches over a set of network addresses, wherein at least one network address is in the set of network addresses for at least two service rules;
  
  grouping the network addresses into non-overlapping groups of network addresses, wherein each group of network addresses comprises addresses that are all matched by only a same set of service rules; and
  
  generating flow entries that match over the groups of network addresses for the MFE to use to implement the service rules.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The non-transitory machine readable medium of claim 17, wherein the service rules are distributed firewall rules that each matches over a set of source network addresses, a set of destination network addresses, a set of source ports, and a set of destination ports.
  - 19. The non-transitory machine readable medium of claim 17, wherein the set of network addresses are source addresses and each service rule additionally matches over a set of destination addresses, the network controller application further comprising sets of instructions for:
    - grouping the destination addresses into non-overlapping groups of destination addresses, wherein each group of destination addresses comprises destination addresses that are all matched by only a same set of service rules; and
      
      generating flow entries for the MFE to use to implement the service rules that match over the groups of destination addresses.
  - 20. The non-transitory machine readable medium of claim 17, wherein the set of instructions for grouping the network addresses into non-overlapping groups comprises sets of instructions for:
    - identifying all of the network addresses that belong to at least one of the sets of network addresses;
      
      for each identfied network address, determining a set of rules that match over the network address; and
      
      when a same set of rules is determined for a first network address and a second network address, grouping the first and second network addresses together; and
      
      assigning an identifier to each group, the identifiers used to generate the flow entries.
  - 21. The non-transitory machine readable medium of claim 17, wherein the set of instructions for generating flow entries comprises sets of instructions for:
    - generating a first stage of flow entries for mapping the network address of a packet to a group of network addresses; and
      
      generating at least one additional stage of flow entries for mapping a packet to a highest-priority matching service rule.
  - 22. The non-transitory machine readable medium of claim 17, wherein the network controller application is a local controller agent that executes within virtualization software of a same physical machine as the MFE.
  - 23. The non-transitory machine readable medium of claim 22, wherein the plurality of service rules are received from a centralized controller, wherein the local controller is responsible for converting the plurality of service rules into a format useable by the MFE.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nicira Incorporated (Broadcom, Inc.)
Original Assignee
Nicira Incorporated (Broadcom, Inc.)
Inventors
Gude, Natasha, Sevinc, Soner, Ganichev, Igor, Chalvadi, Anuprem
Primary Examiner(s)
Gilles, Jude Jean

Application Number

US15/143,477
Publication Number

US 20170317928A1
Time in Patent Office

935 Days
Field of Search

709238, 709204, 709223, 709245, 709226
US Class Current
CPC Class Codes

H04L 45/306   Route determination based o...

H04L 45/56   Routing software

H04L 45/64   using an overlay routing layer

H04L 45/72   Routing based on the source...

H04L 47/24   Traffic characterised by sp...

Address grouping for distributed service rules

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

179 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Address grouping for distributed service rules

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

179 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links