Network address translation techniques for selective network traffic diversion
2 Assignments
0 Petitions
Abstract
A facility for diverting a network packet to a diverted destination is described. The facility selects for diversion a network packet that has been submitted for delivery and whose delivery is not yet complete. The network packet has a destination address, a destination port, a source address, and a source port, all with initial values. In the network packet, the facility: substitutes the initial value of the destination port in the source port; substitutes an address for the diverted destination in the destination address; and substitutes a port for the diverted destination in the destination port. After the substitution, the facility releases the network packet for delivery to the diverted destination.
47 Claims
1. A method in a client computing system for conveying network traffic for a plurality of distributed applications, each distributed application comprising a client portion executing on the client computer system and a server portion executing on a separate server computing system, the method comprising:
activating a private application network client for exchanging network traffic for the distributed application with the server computing system;
in response to activation of the private application network client, activating a distinguished network driver;
in the distinguished network driver:
receiving a first network packet generated by one of the client portions;
comparing the header of the first network packet to a plurality of interception rules to identify a distributed application to which the first network packet corresponds;
contacting a tunnel client to obtain a mapped port number to which to forward the first network packet;
generating a mapping for the first network packet containing information from the first network packet's header and the obtained mapped port number;
using the generated mapping to mangle the first network packet for delivery to the tunnel client at the obtained mapped port number;
in the tunnel client:
receiving the mangled first network packet at a selected socket listening on the mapped port number;
forwarding the contents of the mangled first network packet via a selected tunnel channel to a selected server portion of the identified distributed application;
receiving response data from the selected server portion of the identified distributed application via the selected tunnel channel;
writing the received response data to the selected socket;
in the distinguished network driver:
receiving a second network packet generated by writing the received response data to the selected socket;
comparing the generated mapping to the header of the second network packet to recognize the second network packet as being related to the first network packet; and
using the generated mapping to mangle the second network packet for delivery to the source of the first network packet. (Dependent claims: 2)
3. A method in a first network node upon which a client for a selected application is executing, comprising, in a network driver:
capturing a packet sent by the client for the selected application and addressed to a second network node that is distinct from the first network node, a server for the selected application executing upon the second network node; and
passing the captured packet to a data tunneling program executing on the first network node. (Dependent claims: 4, 5, 6)
7. A first network node upon which a client for a selected application is executing, comprising:
a packet capture subsystem that captures a packet sent by the client for the selected application and addressed to a second network node that is distinct from the first network node, a server for the selected application executing upon the second network node; and
a packet passing subsystem that passes the captured packet to a data tunneling program executing on the first network node.
8. A computer-readable medium whose contents cause a first network node upon which a client for a selected application is executing to selectively redirect network traffic by, in a network driver:
capturing a packet sent by the client for the selected application and addressed to a second network node that is distinct from the first network node, a server for the selected application executing upon the second network node; and
passing contents of the captured packet to a data tunneling program executing on the first network node.
9. A method in a computing system for diverting a network packet to a diverted destination, comprising:
selecting for diversion a first network packet that has been submitted for delivery and whose delivery is not yet complete, the first network packet having a destination address having an initial value, a destination port having an initial value, a source address having an initial value, and a source port having an initial value;
in the first network packet, substituting the initial value of the destination address in the source address;
in the first network packet, substituting an address for the diverted destination in the destination address;
in the first network packet, substituting a port for the diverted destination in the destination port; and
after substitution within the first network packet is completed, releasing the first network packet for delivery to the diverted destination. (Dependent claims: 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
26. A computer-readable medium whose contents cause a computing system to divert a network packet to a diverted destination by:
selecting for diversion a first network packet that has been submitted for delivery and whose delivery is not yet complete, the first network packet having a destination address having an initial value, a destination port having an initial value, a source address having an initial value, and a source port having an initial value;
in the first network packet, substituting the initial value of the destination port in the source port;
in the first network packet, substituting an address for the diverted destination in the destination address;
in the first network packet, substituting a port for the diverted destination in the destination port; and
after substitution within the first network packet is completed, releasing the first network packet for delivery to the diverted destination.
27. A computing system for diverting a network packet to a diverted destination, comprising:
a packet selection subsystem that selects for diversion a first network packet that has been submitted for delivery and whose delivery is not yet complete, the first network packet having a destination address having an initial value, a destination port having an initial value, a source address having an initial value, and a source port having an initial value;
a substitution subsystem that substitutes, in the first network packet: the initial value of the destination port in the source port, an address for the diverted destination in the destination address, and a port for the diverted destination in the destination port; and
a packet release subsystem that releases the first network packet for delivery to the diverted destination after substitution within the first network packet is completed.
28. A method in a computing system for generating a rule collection data structure, comprising:
for each of a plurality of distributed applications:
creating a rule;
storing in the created rule information characterizing the header information of request packets sent by clients of the distributed application. (Dependent claims: 29, 30, 31, 32, 33)
34. A computer-readable medium whose contents cause a computing system to generate a rule collection data structure by:
for each of a plurality of distributed applications:
creating a rule;
storing in the created rule information characterizing the header information of request packets sent by clients of the distributed application.
35. One or more computer memories collectively containing a mapping data structure, the mapping data structure corresponding to a network packet earlier mangled in a forward direction, and comprising:
a destination address corresponding to a destination address of the network packet, with which the source address of the network packet was replaced during mangling;
a destination port corresponding to a destination port of the network packet;
a source address corresponding to a source address of the network packet;
a source port corresponding to a source port of the network packet;
a mapped destination address with which the destination address of the network packet was replaced during mangling; and
a mapped destination port with which the destination port of the network packet was replaced during mangling, such that the contents of the mapping data structure may be used to mangle a response to the earlier-mangled network packet in a backward direction, and such that the contents of the mapping data structure may be used to mangle in a forward direction a subsequent network packet having the same destination address, destination port, source address, and source port as the earlier-mangled network packet. (Dependent claims: 36)
37. One or more computer memories collectively containing a rule collection data structure, the data structure comprising a plurality of entries, each entry corresponding to a particular distributed application and comprising:
(1) information characterizing the header information of request packets sent by clients of the distributed application; and
(2) either (a) information specifying a manner for forwarding request packets sent by clients of the distributed application to a distributed application request packet router, or (b) an indication that information specifying a manner for forwarding request packets sent by clients of the distributed application to a distributed application request packet router should be obtained from a distributed application request packet router, such that the contents of the data structure can be used to identify and forward to a distributed application request packet router request packets sent by clients of a plurality of distributed applications. (Dependent claims: 38, 39, 40, 41, 42, 43, 44, 45)
46. One or more generated data signals collectively conveying a mangled network packet data structure generated from an original network packet data structure, the mangled network packet data structure comprising:
a destination address field containing a value corresponding to an address at which a diversion target program is listening;
a destination port field containing a value corresponding to a port on which the diversion target program is listening;
a source address field containing a value corresponding to a destination address field of the original network packet data structure; and
a source port field containing a value corresponding to a source port field of the original network packet data structure, such that the mangled network packet data structure may be received by the diversion target program and its correspondence to the original network packet data structure discerned.
47. One or more generated data signals collectively conveying a second network packet data structure generated from a first network packet data structure, the second network packet data structure comprising:
a destination address field containing a first value retrieved from a network address translation mapping matched by the first network packet data structure;
a destination port field containing a value corresponding to a destination port field of the first network packet data structure;
a source address field containing a value corresponding to a destination address field of the first network packet data structure; and
a source port field containing a second value retrieved from the network address translation mapping matched by the first network packet data structure, such that the mangled network packet data structure may be received by a program that formerly sent a third network packet data structure comprising:
a destination address field containing a value corresponding to the source address field of the second network packet data structure;
a destination port field containing a value corresponding to the source port field of the second network packet data structure;
a source address field containing a value corresponding to the destination address field of the second network packet data structure; and
a source port field containing a value corresponding to the destination port field of the second network packet data structure.
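The following is an added worked example, not code from the patent or its assignee, that puts the mechanism of claims 9, 35, 37, 46 and 47 together in one place: a rule collection selects which request packets are diverted, the driver rewrites the header so the local tunnel client receives the packet with the original destination address preserved in the source address field (claim 46), a mapping keyed on the original four-tuple is recorded (claim 35), and the reply from the tunnel client is rewritten backward so that it arrives at the client looking as if it came from the original server (claim 47). It follows the address-into-source-address variant of claims 9, 35 and 46, which is the one claim 47 reverses; the abstract and claims 26 and 27 instead describe moving the original destination port into the source port. Everything concrete is an assumption of the example: the loopback address 127.0.0.1 for the tunnel client listener, the rule match on destination port plus a dotted address prefix, the TunnelClient stand-in that hands out one listening port per application, and all addresses, ports and payloads. Real packets would also need their IP and TCP checksums recomputed after the rewrite, which this model omits.

```python
"""Added example (not the patent's or its assignee's code): diverting selected
packets to a local tunnel client by header mangling, per claims 9/46 (forward),
35 (mapping), 37 (rules) and 47 (backward). Addresses, ports, rules are constructed."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

TUNNEL_ADDR = "127.0.0.1"  # assumed listening address of the tunnel client
FourTuple = Tuple[str, int, str, int]  # (src_addr, src_port, dst_addr, dst_port)

@dataclass(frozen=True)
class Packet:
    """Header fields of claim 9 plus an opaque payload. A real driver would also
    have to recompute the IP/TCP checksums after rewriting these fields."""
    src_addr: str
    src_port: int
    dst_addr: str
    dst_port: int
    payload: bytes = b""

    def key(self) -> FourTuple:
        return (self.src_addr, self.src_port, self.dst_addr, self.dst_port)

@dataclass(frozen=True)
class Mapping:
    """Claim 35: the original header (its 4-tuple) plus the mapped destination."""
    orig: Packet
    mapped_dst_addr: str
    mapped_dst_port: int

@dataclass(frozen=True)
class Rule:
    """Claim 37 entry: request-header characteristics of one app, plus (a) a fixed
    mapped port or (b) None, meaning the port is obtained from the tunnel client."""
    app: str
    dst_port: int
    dst_prefix: str  # dotted-prefix match, a simplification for this example
    mapped_port: Optional[int] = None

class TunnelClient:
    """Stand-in for claim 1's tunnel client: one listening port per application."""
    def __init__(self, first_port: int = 40000) -> None:
        self._next = first_port
        self.ports: Dict[str, int] = {}

    def mapped_port_for(self, app: str) -> int:
        if app not in self.ports:
            self.ports[app] = self._next
            self._next += 1
        return self.ports[app]

class Diverter:
    """The 'distinguished network driver': select by rule, mangle forward, map, mangle back."""
    def __init__(self, rules: List[Rule], tunnel: TunnelClient) -> None:
        self.rules, self.tunnel = rules, tunnel
        self.forward: Dict[FourTuple, Mapping] = {}   # keyed by the original 4-tuple
        self.backward: Dict[FourTuple, Mapping] = {}  # keyed by the reply's 4-tuple

    def match_rule(self, pkt: Packet) -> Optional[Rule]:
        for r in self.rules:
            if r.dst_port == pkt.dst_port and pkt.dst_addr.startswith(r.dst_prefix):
                return r
        return None  # no rule matches: the packet is released unchanged

    def mangle_forward(self, pkt: Packet) -> Packet:
        m = self.forward.get(pkt.key())  # same 4-tuple reuses the mapping (claim 35)
        if m is None:
            rule = self.match_rule(pkt)
            if rule is None:
                return pkt
            port = rule.mapped_port if rule.mapped_port is not None else self.tunnel.mapped_port_for(rule.app)
            m = Mapping(pkt, TUNNEL_ADDR, port)
            self.forward[pkt.key()] = m
            # The reply travels from (TUNNEL_ADDR, port) to (original dst addr, original src port).
            self.backward[(TUNNEL_ADDR, port, pkt.dst_addr, pkt.src_port)] = m
        # Claim 46: src addr <- original dst addr, src port kept, dst <- the tunnel listener.
        return replace(pkt, src_addr=m.orig.dst_addr, dst_addr=m.mapped_dst_addr, dst_port=m.mapped_dst_port)

    def mangle_backward(self, pkt: Packet) -> Packet:
        m = self.backward.get(pkt.key())
        if m is None:
            return pkt
        # Claim 47: dst addr <- original src addr (from the mapping), dst port kept,
        # src addr <- this packet's dst addr (the original server), src port <- original dst port.
        return replace(pkt, dst_addr=m.orig.src_addr, src_addr=pkt.dst_addr, src_port=m.orig.dst_port)

def round_trip() -> Dict[str, object]:
    """One diverted request and reply, a repeat of the same flow, and an unselected packet."""
    tunnel = TunnelClient()
    rules = [Rule("crm", 443, "10.1."),                      # case (b): port from tunnel client
             Rule("erp", 8443, "10.2.", mapped_port=45000)]  # case (a): fixed port
    drv = Diverter(rules, tunnel)
    req = Packet("192.168.0.7", 51234, "10.1.5.20", 443, payload=b"GET / HTTP/1.1\r\n")
    fwd = drv.mangle_forward(req)
    # Claim 46: the tunnel client reads the original destination out of the source address.
    seen = {"server": fwd.src_addr, "client_port": fwd.src_port, "listen_port": fwd.dst_port}
    reply = Packet(fwd.dst_addr, fwd.dst_port, fwd.src_addr, fwd.src_port, payload=b"HTTP/1.1 200 OK\r\n")
    back = drv.mangle_backward(reply)
    again = drv.mangle_forward(req)
    other = drv.mangle_forward(Packet("192.168.0.7", 51235, "93.184.216.34", 443))
    return {"fwd": fwd, "seen": seen, "back": back, "again": again, "other": other, "mappings": len(drv.forward)}
```

Two points worth checking in any implementation of this scheme: the rule collection is the security boundary, since a rule that characterizes request headers too loosely diverts unrelated traffic into the tunnel, and the reply lookup must be keyed on the full four-tuple of the reply (listener address and port, original destination address, original source port) so that two client flows to different servers sharing a source port are never cross-wired.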