System and method for IP packet filtering based on non-IP packet traffic attributes
Abstract
Control and management of communication traffic. IP packet filtering occurs in an operating system kernel implementation of, for example, the TCP/IP protocol suite. Access rules are expressed as filters referencing system kernel data; for outbound processing, source application indicia are determined; for inbound packet processing, a look-ahead function is executed to determine target application indicia; and responsive to the source or target application indicia, filter processing is executed.
63 Citations
53 Claims
1. A method for control and management of communication traffic, comprising the steps of:
expressing access rules as filters referencing system kernel data;
for outbound processing, determining source application indicia;
for inbound packet processing, executing a look-ahead function to determine target application indicia; and
responsive to said source or target application indicia, executing filter processing.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.

10. A method for control and management of aspects of communication traffic within filtering, comprising the steps of:
receiving IP packet data into a TCP/IP protocol stack executing within a system kernel; and
executing filtering code within said system kernel with respect to non-IP packet data accessed within said system kernel outside of said TCP/IP protocol stack.
Dependent claims: 11, 12, 13, 14, 15, 16, 17.

18. A method for centralizing system-wide communication management and control within filter rules, comprising the steps of:
providing filter statements syntax for accepting parameters in the form of a selector, each selector specifying selector field, operator, and a set of values; and
said selector referencing data that does not exist in IP packets.
Dependent claims: 19, 20, 21.

22. A method for traversing a portion only of a protocol stack to disallow selective IP packet traffic, comprising the steps of:
receiving a packet in the kernel of the operating system of a first node from an application, said kernel including a filter processor;
for inbound packet processing to a first node from a second node, executing a look-ahead function in the system kernel of said first node to determine a target application;
for both said inbound packet processing, and for outbound packet processing from said first node to said second node, executing within said kernel the steps of processing said packet by determining a task ID;
responsive to said task ID, determining a corresponding work control block;
determining a user ID, process or job identifier from said work control block;
from the user ID, process or job identifier selectively determining attributes for said user process or job; and
passing said attributes to said filter processor for managing and controlling communication traffic.

23. A method for expressing access rules as filters, comprising the steps of:
providing a filter statements syntax for accepting parameters in the form of a selector, each selector specifying selector field, operator, and a set of values; and
said selector referencing data that does not exist in IP packets for controlling access to an application.

24. A method for managing and controlling communication traffic by centralizing access rules in filters executing within and referencing data available in system kernels, comprising the steps for outbound packet processing from a first node to a second node of:
receiving said packet in the kernel of the operating system of said first node from an application or process at said first node;
processing said packet by determining a task ID;
responsive to said task ID, determining a corresponding work control block;
responsive to said work control block, determining a process or job identifier;
responsive to said process or job identifier, determining job or process attributes.
Dependent claims: 25, 26, 27, 28.

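The filter-statement syntax of claims 18 and 23 (a selector is a field, an operator and a set of values, and may reference data that is not in the IP packet) and the attribute chain of claims 22 and 24 (task ID, work control block, user or job identifier, attributes handed to the filter processor) are modelled below as an added Python example. This is not code from the patent or from any implementation of it: the control-block and listener tables, the statement grammar, the `in`/`not_in` operators and the default-deny behaviour are all constructed assumptions. The example also covers the inbound look-ahead of claims 1 and 22 and two failure modes a practitioner would want handled: an outbound packet whose owning task cannot be resolved, and an inbound packet with no listening application, both of which fall through to the default action because a selector on an attribute that could not be resolved never matches.

```python
"""Toy model of kernel-side IP filtering on non-IP attributes (added example).

The filter table is consulted once per packet; selectors may name IP fields
(protocol, dst_port) or attributes resolved from kernel control blocks
(user_id, job_name, job_type, group). All tables are constructed stand-ins."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed: task ID -> work control block of the owning job.
WORK_CONTROL_BLOCKS: Dict[int, dict] = {
    4101: {"user_id": "ALICE", "job_name": "WEBSRV1", "job_type": "STC"},
    4102: {"user_id": "BOB", "job_name": "BOBTSO", "job_type": "TSO"},
}
# Constructed: user ID -> user control block (extra attributes filters may use).
USER_CONTROL_BLOCKS: Dict[str, dict] = {"ALICE": {"group": "WEBADM"}, "BOB": {"group": "DEVS"}}
# Constructed: listening sockets (protocol, port) -> owning task, used by the
# inbound look-ahead instead of driving the packet through the whole stack.
LISTENERS: Dict[Tuple[str, int], int] = {("tcp", 443): 4101, ("tcp", 2222): 4102}


@dataclass(frozen=True)
class Selector:
    """One selector: field, operator and a set of values."""
    field: str
    op: str  # "in" or "not_in" (assumed operators)
    values: frozenset

    def matches(self, attrs: dict) -> bool:
        if self.field not in attrs:
            return False  # an attribute that could not be resolved never matches
        present = str(attrs[self.field]) in self.values
        return present if self.op == "in" else not present


@dataclass(frozen=True)
class Filter:
    action: str  # "permit" or "deny"
    selectors: Tuple[Selector, ...]

    def matches(self, attrs: dict) -> bool:
        return all(s.matches(attrs) for s in self.selectors)


def parse_filter(line: str) -> Filter:
    """Parse a constructed statement such as 'deny job_type in {TSO} dst_port in {25}'."""
    tok = line.split()
    if len(tok) < 4 or tok[0] not in ("permit", "deny") or (len(tok) - 1) % 3:
        raise ValueError(f"malformed filter statement: {line!r}")
    sels = []
    for i in range(1, len(tok), 3):
        fld, op, vals = tok[i], tok[i + 1], tok[i + 2]
        if op not in ("in", "not_in") or not (vals.startswith("{") and vals.endswith("}")):
            raise ValueError(f"malformed selector: {fld} {op} {vals}")
        sels.append(Selector(fld, op, frozenset(vals[1:-1].split(","))))
    return Filter(tok[0], tuple(sels))


def attributes_for_task(packet: dict, task_id: int) -> Optional[dict]:
    """Outbound chain: task ID -> work control block -> user control block.
    Returns None for an unknown task so the caller can fail closed."""
    wcb = WORK_CONTROL_BLOCKS.get(task_id)
    if wcb is None:
        return None
    attrs = dict(packet)
    attrs.update(wcb)
    attrs.update(USER_CONTROL_BLOCKS.get(wcb["user_id"], {}))
    return attrs


def inbound_attributes(packet: dict) -> dict:
    """Inbound look-ahead: find the target application from the listener table,
    then reuse the same control-block chain; with no listener only IP fields exist."""
    task_id = LISTENERS.get((packet["protocol"], packet["dst_port"]))
    return attributes_for_task(packet, task_id) or dict(packet) if task_id else dict(packet)


def filter_packet(filters: List[Filter], attrs: Optional[dict], default: str = "deny") -> str:
    """First matching filter decides; unresolved task or no match -> default."""
    if attrs is None:
        return default
    for f in filters:
        if f.matches(attrs):
            return f.action
    return default


RULES = [parse_filter(s) for s in (
    "permit group in {WEBADM} dst_port in {443}",
    "deny job_type in {TSO} dst_port in {25}",
    "permit user_id in {BOB} protocol in {tcp}",
)]


def demo() -> Dict[str, str]:
    """Decisions for a few constructed packets, keyed by scenario name."""
    def tcp(port: int) -> dict:
        return {"protocol": "tcp", "dst_port": port}
    return {
        "out_alice_443": filter_packet(RULES, attributes_for_task(tcp(443), 4101)),
        "out_bob_25": filter_packet(RULES, attributes_for_task(tcp(25), 4102)),
        "out_bob_80": filter_packet(RULES, attributes_for_task(tcp(80), 4102)),
        "out_unknown_task": filter_packet(RULES, attributes_for_task(tcp(80), 9999)),
        "in_to_websrv_443": filter_packet(RULES, inbound_attributes(tcp(443))),
        "in_to_bob_2222": filter_packet(RULES, inbound_attributes(tcp(2222))),
        "in_no_listener": filter_packet(RULES, inbound_attributes({"protocol": "udp", "dst_port": 5000})),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:18s} {decision}")
```

Rule order matters: the TSO deny on port 25 precedes the broader permit for user BOB, so the same job is denied on port 25 and permitted elsewhere. In a kernel the lookups would walk live task and address-space structures rather than dictionaries; what the model shows is that identity-based access policy can be centralized in one rule table that both the outbound and the inbound packet paths consult, with a closed default for anything the kernel cannot attribute.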
29. A method for managing and controlling communication traffic by centralizing the access rules, comprising the steps for outbound packet processing from a first node to a second node of:
receiving said packet in the kernel of the operating system of said first node from an application or process at said first node, said kernel including a filter processor;
processing said packet by determining a task ID;
responsive to said task ID, determining a corresponding work control block;
determining a user ID control block from said work control block;
from the user ID control block determining attributes for said user; and
passing said attributes to said filter processor for managing and controlling communication traffic.
Dependent claims: 30, 31, 32, 33.

34. A method for control and management of communication traffic with respect to a system node, comprising the steps of:
receiving at said system node an inbound packet; and
executing within a protocol stack of the system kernel of said system node a filtering function identifying for said inbound packet a filter referencing non-packet data; and
responsive to said filter, executing a look-ahead function for identifying a target application for said inbound packet.
Dependent claims: 35.

36. System for control and management of communication traffic, comprising:
a system kernel including a filter function and stack data;
said filter function including a filter selectively referencing said stack data for expressing access rules;
said filter function being responsive to receipt of an outbound packet for determining a source application;
said filter function being responsive to receipt of an inbound packet processing for executing a look-ahead function to determine a target application; and
said filter function being responsive to said source or target application for executing filter processing.

37. A system for control and management of aspects of communication traffic within filtering, comprising:
a system kernel;
a protocol stack executing within said system kernel for receiving IP packet data; and
filtering code within said system kernel operable with respect to non-IP packet data accessed within said system kernel outside of said protocol stack for controlling and managing said aspects of communication traffic.

38. A system for centralizing system-wide communication management and control within filter rules, comprising:
filter statements having a syntax for accepting parameters in the form of a selector, each selector specifying selector field, operator, and a set of values; and
said selector referencing data that does not exist in IP packets.

39. A system for traversing a portion only of a protocol stack to disallow selective IP packet traffic, comprising:
a system kernel;
a filter processor executing within said system kernel;
said filter processor responsive to an inbound packet for executing a look-ahead function for determining a target application;
said filter processor responsive to both inbound and outbound packets for processing said packet by determining a task ID;
responsive to said task ID, determining a corresponding work control block;
determining a user ID, process or job identifier from said work control block;
from the user ID, process or job identifier selectively determining attributes for said user process or job; and
passing said attributes to said filter processor for managing and controlling communication traffic.

40. A system for expressing access rules as filters, comprising:
filter statements for accepting parameters in the form of a selector, each selector specifying selector field, operator, and a set of values; and
said selector referencing data that does not exist in IP packets for controlling access to an application.

41. A system for managing and controlling communication traffic by centralizing access rules in filters executing within and referencing data available in system kernels, comprising:
code for receiving a packet in the kernel of the operating system of a first node from an application or process at said first node;
code for processing said packet by determining a task ID;
code responsive to said task ID for determining a corresponding work control block;
code responsive to said work control block for determining a process or job identifier; and
code responsive to said process or job identifier for determining job or process attributes.

42. A system for managing and controlling communication traffic by centralizing access rules, comprising:
a first system node;
a second system node;
a kernel of the operating system of said first system node including a kernel filter processor;
said kernel for receiving from an application or process at said first system node a packet for communication to said second system node;
said kernel further for processing said packet by determining a task ID;
responsive to said task ID, determining a corresponding work control block;
determining a user ID control block from said work control block;
from the user ID control block determining attributes for said user; and
passing said attributes to said system kernel filter processor for managing and controlling communication traffic.

43. A system for control and management of communication traffic with respect to a system node, comprising:
a filtering function executing within a protocol stack of the system kernel of said system node identifying for an inbound packet a filter referencing non-packet data; and
a look-ahead function responsive to said filter for identifying a target application for said inbound packet.

44. A program storage device readable by a machine, tangibly embodying a program of instructions executable by a machine to perform method steps for control and management of communication traffic, said method steps comprising:
expressing access rules as filters referencing system kernel data;
for outbound processing, determining a source application;
for inbound packet processing, executing a look-ahead function to determine a target application; and
responsive to said source or target application, executing filter processing.

45. A program storage device readable by a machine, tangibly embodying a program of instructions executable by a machine to perform method steps for control and management of aspects of communication traffic within filtering, said method steps comprising:
receiving IP packet data into a TCP/IP protocol stack executing within a system kernel; and
executing filtering code within said system kernel with respect to non-IP packet data accessed within said system kernel outside of said TCP/IP protocol stack.

46. A program storage device readable by a machine, tangibly embodying a program of instructions executable by a machine to perform method steps for centralizing system-wide communication management and control within filter rules, said method steps comprising:
providing filter statements syntax for accepting parameters in the form of a selector, each selector specifying selector field, operator, and a set of values; and
said selector referencing data that does not exist in IP packets.

47. A program storage device readable by a machine, tangibly embodying a program of instructions executable by a machine to perform method steps for managing and controlling communication traffic by centralizing access rules in filters executing within and referencing data available in system kernels, said method steps comprising:
receiving said packet in the kernel of the operating system of said first node from an application or process at said first node;
processing said packet by determining a task ID;
responsive to said task ID, determining a corresponding work control block;
responsive to said work control block, determining a process or job identifier;
responsive to said process or job identifier, determining job or process attributes.
Dependent claims: 48.

49. A computer program product or computer program element for control and management of communication traffic according to the steps comprising:
expressing access rules as filters referencing system kernel data;
for outbound processing, determining a source application;
for inbound packet processing, executing a look-ahead function to determine a target application; and
responsive to said source or target application, executing filter processing.

50. A computer program product or computer program element for control and management of aspects of communication traffic within filtering according to steps comprising:
receiving IP packet data into a TCP/IP protocol stack executing within a system kernel; and
executing filtering code within said system kernel with respect to non-IP packet data accessed within said system kernel outside of said TCP/IP protocol stack.

51. A computer program product or computer program element for centralizing system-wide communication management and control within filter rules according to method steps comprising:
providing filter statements syntax for accepting parameters in the form of a selector, each selector specifying selector field, operator, and a set of values; and
said selector referencing data that does not exist in IP packets.

52. A computer program product or computer program element for managing and controlling communication traffic by centralizing access rules in filters executing within and referencing data available in system kernels according to method steps comprising:
receiving said packet in the kernel of the operating system of said first node from an application or process at said first node;
processing said packet by determining a task ID;
responsive to said task ID, determining a corresponding work control block;
responsive to said work control block, determining a process or job identifier;
responsive to said process or job identifier, determining job or process attributes.
Dependent claims: 53.