Rules engine for access control lists in network units
First Claim
1. A rules engine for the examination of selected fields in an addressed data packet, comprising:
an access control list table containing entries each defining an access control list rule, a respective first action and a chain identifier; and
an extension rule table for entries each defining an extension rule, a respective second action and a respective rule identifier, wherein the rules engine is operative:
(a) to search said access control list table to ascertain a match between an access control list rule and said addressed data packet;
(b) to search said extension rule table to ascertain a match between an extension rule and said addressed data packet;
in the event of a matched access control list rule matched to said addressed data packet, to prescribe:
(ci) the respective second action associated with a matched extension rule in the event of correspondence between the associated chain identifier and a rule identifier identifying a match between that matched extension rule and said addressed data packet;
or (cii) the respective first action associated with said matched access control list rule in the absence of said correspondence.
8 Assignments
0 Petitions
Abstract
A rules engine for the examination of selected fields in an addressed data packet has an access control list table whose entries each define an access control list rule, an action and a chain identifier. The access control list rule is a basic rule which refers to a TCP flow. The engine also has an extension rule table whose entries each define an extension rule, a respective action and a respective rule identifier. The extension rule may refer to a particular flag in a TCP header. When a packet arrives the engine searches both tables. This search is made independently of the usual address lookup. If there is a match in both tables, and the chain identifier of the matched access control list rule equals the rule identifier of the matched extension rule, the engine prescribes the action associated with the extension rule. If the chain identifier of a matched access control list rule does not match the rule identifier of any matched extension rule, the engine prescribes the action associated with the access control list rule. In the absence of a match with any access control list rule, the action on a packet is based on the result from the lookup engine.
17 Citations
11 Claims
1. A rules engine for the examination of selected fields in an addressed data packet, comprising:
an access control list table containing entries each defining an access control list rule, a respective first action and a chain identifier; and
an extension rule table for entries each defining an extension rule, a respective second action and a respective rule identifier, wherein the rules engine is operative:
(a) to search said access control list table to ascertain a match between an access control list rule and said addressed data packet;
(b) to search said extension rule table to ascertain a match between an extension rule and said addressed data packet;
in the event of a matched access control list rule matched to said addressed data packet, to prescribe:
(ci) the respective second action associated with a matched extension rule in the event of correspondence between the associated chain identifier and a rule identifier identifying a match between that matched extension rule and said addressed data packet;
or (cii) the respective first action associated with said matched access control list rule in the absence of said correspondence.
(Dependent claims 2, 3, 4 and 5 are not reproduced here.)
6. A network unit comprising:
(1) a multiplicity of ports for receiving and forwarding addressed data packets;
(2) a lookup engine for producing forwarding data in response to address data in an addressed data packet;
(3) a post-processing engine for executing a forwarding action based on said forwarding data;
(4) a rules engine comprising:
(a) an access control list table containing entries each defining an access control list rule, a respective first action and a chain identifier; and
(b) an extension rule table for entries each defining an extension rule, a respective second action and a respective rule identifier, wherein the rules engine is operative:
(i) to search said access control list table to ascertain a match between an access control list rule and said addressed data packet;
(ii) to search said extension rule table to ascertain a match between an extension rule and said addressed data packet; and
in the event of a matched access control list rule matched to said addressed data packet, to prescribe:
(iiia) the respective second action associated with a matched extension rule in the event of correspondence between the associated chain identifier and a rule identifier identifying a match between that matched extension rule and said addressed data packet;
or (iiib) the respective first action associated with said matched access control list rule in the absence of said correspondence; and
wherein said post-processing engine is operative to execute said respective action prescribed by said rules engine.
(Dependent claims 7, 8, 9, 10 and 11 are not reproduced here.)
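The decision procedure of the abstract and of claims 1 and 6, written out as an added Python model; this is not code from the patent or from any product that embodies it. It assumes first-match-in-table-order semantics within each table (as a priority TCAM would give), a packet model of 5-tuple plus TCP flags byte, and constructed sample rules and packets (internal range 10.0.0.0/8, host 192.168.1.10, rule identifiers 7 and 9), none of which come from the page.

```python
"""Software model of the two-table rules engine described in the abstract
and in claims 1 and 6.

Added illustration written for this page, not code from the patent or any
product. Assumptions: first match in table order wins within each table,
rules match on a 5-tuple plus the TCP flags byte, and the sample rules and
packets below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# TCP flag bits as they sit in the header's flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"
    flags: int = 0          # TCP flags byte; 0 for non-TCP packets


@dataclass(frozen=True)
class AclRule:
    """Basic rule over a flow: rule, first action and chain identifier."""
    src: str                # CIDR; "0.0.0.0/0" means any
    dst: str
    dport: Optional[int]    # None means any destination port
    proto: str
    action: str
    chain_id: Optional[int]  # None: no extension rule chained to this entry

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and (self.dport is None or p.dport == self.dport)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst))


@dataclass(frozen=True)
class ExtRule:
    """Extension rule over TCP flag bits: rule, second action and rule identifier."""
    rule_id: int
    flag_mask: int          # which flag bits to inspect
    flag_value: int         # value those bits must have
    action: str

    def matches(self, p: Packet) -> bool:
        return p.proto == "tcp" and (p.flags & self.flag_mask) == self.flag_value


def decide(acl_table, ext_table, p: Packet, lookup_action: str = "forward") -> str:
    """Steps (a), (b), (ci) and (cii) of claim 1, plus the fallback to the
    lookup engine's forwarding result when no ACL entry matches."""
    acl = next((r for r in acl_table if r.matches(p)), None)     # (a)
    # (b) is searched independently of (a); keep every matching extension
    # rule keyed by its identifier so the chain check is order-independent.
    ext_hits = {r.rule_id: r for r in ext_table if r.matches(p)}
    if acl is None:
        return lookup_action                        # no ACL match: lookup engine decides
    if acl.chain_id is not None and acl.chain_id in ext_hits:
        return ext_hits[acl.chain_id].action        # (ci): chain id equals a hit's rule id
    return acl.action                               # (cii): no such correspondence


# Constructed sample tables (assumed, not from the page): permit SSH into a
# host from the internal range, but let extension rule 7 rate-limit new
# connection attempts (SYN without ACK) on that flow. Extension rule 9
# matches RST segments but is chained to no ACL entry, so on its own it
# never changes a decision.
ACL_TABLE = [
    AclRule("10.0.0.0/8", "192.168.1.10/32", 22, "tcp", "permit", chain_id=7),
    AclRule("0.0.0.0/0",  "192.168.1.10/32", 22, "tcp", "deny",   chain_id=None),
]
EXT_TABLE = [
    ExtRule(rule_id=7, flag_mask=SYN | ACK, flag_value=SYN, action="rate_limit"),
    ExtRule(rule_id=9, flag_mask=RST,       flag_value=RST, action="deny"),
]


def demo():
    """Run constructed packets through the tables; returns {case: verdict}."""
    cases = {
        "internal SYN to ssh":  Packet("10.1.2.3",   "192.168.1.10", 40000, 22, flags=SYN),
        "internal ACK to ssh":  Packet("10.1.2.3",   "192.168.1.10", 40000, 22, flags=ACK),
        "internal RST to ssh":  Packet("10.1.2.3",   "192.168.1.10", 40000, 22, flags=RST),
        "external SYN to ssh":  Packet("172.16.0.5", "192.168.1.10", 40000, 22, flags=SYN),
        "internal SYN to http": Packet("10.1.2.3",   "192.168.1.10", 40000, 80, flags=SYN),
    }
    return {name: decide(ACL_TABLE, EXT_TABLE, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} -> {verdict}")
```

Two points the claim language implies and the model makes visible: an extension rule only ever refines a matched access control list entry, so the RST rule with identifier 9 fires on the third packet yet the verdict is still the flow rule's "permit", and a packet that matches no access control list entry at all (the HTTP packet) is handed to the lookup engine's forwarding result even though extension rule 7 matched it. The correspondence test is purely on identifiers, so a mistyped chain identifier silently degrades to the first action rather than failing; when auditing such a configuration, check that every chain identifier names an extension rule that exists.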
Specification