System and method for multi-stage packet filtering on a networked-enabled device

US 20070083924A1
Filed: 10/08/2005
Published: 04/12/2007
Est. Priority Date: 10/08/2005
Status: Abandoned Application

First Claim

Patent Images

1. A method for packet filtering in a network-enabled device according to a set of filtering rules wherein filtering rules are applied early in the processing of incoming communications packets, comprising:

filtering incoming data packets using the filtering rules in a plurality of stages wherein the first stage is triggered by the receipt of a data packet by the network-enabled device.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A multi-stage packet filtering method and system. The multi-stage packet filtering according to the invention applies a set of filtering rules early in the processing of incoming communications packets by filtering incoming data packets using the filtering rules in a plurality of stages wherein the first stage is triggered by the receipt of a data packet by the device. Filtering rules that cannot be applied in the first stage may be deferred to a pre-memory allocation stage. Thus, preferable leaving only rules that must be executed in conjunction with protocol processing to be filtered at a filtering stage executed in a protocol processing filtering stage.

178 Citations

16 Claims

1. A method for packet filtering in a network-enabled device according to a set of filtering rules wherein filtering rules are applied early in the processing of incoming communications packets, comprising:
- filtering incoming data packets using the filtering rules in a plurality of stages wherein the first stage is triggered by the receipt of a data packet by the network-enabled device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of packet filtering in a network-enabled device of claim 1 wherein the filtering rules includes rules classified based on whether the filtering rule is a dynamic rule that tests a packet against dynamic variables or a static rule that tests a packet against constants or variables that do not change during a session of the network-enabled device wherein the first stage executes as part of an interrupt service routine for handling the incoming data packet applies static rules.
  - 3. The method of packet filtering in a network-enabled device of claim 2 further comprising applying any of the static filtering that could not be applied during the interrupt service routine due to timing constraints during a pre-memory allocation packet filtering stage.
  - 4. The method of packet filtering in a network-enabled device of claim 2 wherein filtering rules that include dynamic variables are applied during a pre-memory allocation packet filtering stage.
  - 5. The method of packet filtering in a network-enabled device of claim 2 wherein memory allocation for incoming packets is performed in the interrupt service routine triggered by an incoming data packet and the first stage of packet filtering is performed prior to the memory allocation.
  - 6. The method of packet filtering in a network-enabled device of claim 1 in which a plurality of packet filtering rules are protocol specific and in which the protocol specific packet filtering rules are classified as those filtering rules that depend on traffic history and those filtering rules that do not depend on traffic history wherein the method further comprises:
    - applying the filtering rules that do not depend on traffic history in a pre-memory allocation packet filtering stage; and
      
      applying the filtering rules that do depend on traffic history during a protocol specific packet filtering stage.
  - 7. The method of packet filtering in a network-enabled device of claim 6 wherein the protocol specific filtering rules are specific to the TCP communications protocol and are applicable to filter TCP packets and wherein the filtering rules that do not depend on traffic history are stateless TCP packet filtering rules and the filtering rules that do depend on traffic history are stateful TCP packet filtering rules.
  - 8. The method of packet filtering in a network-enabled device of claim 1 wherein the packet filtering rules are classified by a first property being as to whether the filtering rule depends on traffic history and a second property as to whether the filtering rule includes dynamic variables, the method further comprising:
    - applying the filtering rules that do not depend on traffic history and which do not include dynamic variables in the first stage;
      
      applying the filtering rules that do not depend on traffic history and which do include dynamic variables in a pre-memory allocation stage;
      
      applying the filtering rules that do depend on traffic history in a protocol specific packet filtering stage.

9. A network-enabled device having a central processing unit and a memory for storing software modules having instructions controlling the central processing unit, the network-enabled device implementing packet filtering system according to a set of filtering rules wherein filtering rules are applied as early as possible, the software modules comprising instructions for:
- filtering incoming data packets using the filtering rules in a plurality of stages wherein the first stage is triggered by the receipt of a data packet by the network-enabled device.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The network-enabled device implementing packet filtering system according to a set of filtering rules of claim 9 wherein the filtering rules includes rules classified based on whether the filtering rule is a dynamic rule that tests a packet against dynamic variables or a static rule that tests a packet against constants or variables that do not change during a session of the network-enabled device wherein the first stage executes as part of an interrupt service routine for handling the incoming data packet applies static rules.
  - 11. The network-enabled device implementing packet filtering system according to a set of filtering rules of claim 10 wherein the software modules further comprise instructions for applying any of the static filtering that could not be applied during the interrupt service routine due to timing constraints during a pre-memory allocation packet filtering stage.
  - 12. The network-enabled device implementing packet filtering system according to a set of filtering rules of claim 10 wherein software modules comprise instructions causing the filtering rules that include dynamic variables to be applied during a pre-memory allocation packet filtering stage.
  - 13. The network-enabled device implementing packet filtering system according to a set of filtering rules of claim 10 wherein the software modules comprise instructions causing the memory allocation for incoming packets to be performed in the interrupt service routine triggered by an incoming data packet and the first stage of packet filtering is performed prior to the memory allocation.
  - 14. The network-enabled device implementing packet filtering system according to a set of filtering rules of claim 9 in which a plurality of packet filtering rules are protocol specific and in which the protocol specific packet filtering rules are classified as those filtering rules that depend on traffic history and those filtering rules that do not depend on traffic history wherein the software modules further comprising instructions for:
    - applying the filtering rules that do not depend on traffic history in a pre-memory allocation packet filtering stage or; and
      
      applying the filtering rules that do depend on traffic history in during a protocol specific packet filtering stage.
  - 15. The network-enabled device implementing packet filtering system according to a set of filtering rules of claim 14 wherein the protocol specific filtering rules are specific to the TCP communications protocol and are applicable to filter TCP packets and wherein the filtering rules that do not depend on traffic history are stateless TCP packet filtering rules and the filtering rules that do depend on traffic history are stateful TCP packet filtering rules.
  - 16. The network-enabled device implementing packet filtering system according to a set of filtering rules of claim 9 wherein the packet filtering rules are classified by a first property being as to whether the filtering rule depends on traffic history and a second property as to whether the filtering rule includes dynamic variables, the software module further comprising instructions for:
    - applying the filtering rules that do not depend on traffic history and which do not include dynamic variables in the first stage;
      
      applying the filtering rules that do not depend on traffic history and which do include dynamic variables in a pre-memory allocation stage;
      
      applying the filtering rules that do depend on traffic history in a protocol specific packet filtering stage.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hongqian Lu
Original Assignee
Hongqian Lu
Inventors
Lu, HongQian

Application Number

US11/246,736
Publication Number

US 20070083924A1
Time in Patent Office

Days
Field of Search
US Class Current

726/13
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

System and method for multi-stage packet filtering on a networked-enabled device

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

178 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for multi-stage packet filtering on a networked-enabled device

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

178 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links