DIRECT SERVICE MAPPING FOR NAT AND PNAT
First Claim
9. A firewall comprising:
- an ingress interface that receives a packet having a source address, destination address, source port, and destination port;
- a rule storage comprising a plurality of active rules, at least one active rule including a matching criteria service group including a plurality of rows of source and destination port combinations and a NAT service group;
- a matching engine configured to: compare the source port and destination port to the plurality of rows of source and destination port combinations, find a matching row, and determine an index of the matching row;
- a translation engine configured to translate the source and destination ports of the packet to source and destination ports indicated by the NAT service group based on the index of the matching row; and
- an egress interface configured to transmit the packet to the destination address.
Abstract
Various exemplary embodiments relate to a method of processing a packet at a firewall. The method includes: receiving a packet having a source address, destination address, source port, and destination port; comparing the packet to match criteria of a rule, wherein the match criteria includes at least one service group having a plurality of port combinations; matching both the source port and destination port with one of the plurality of port combinations; determining an index into the service group of the matching port combination; and translating a port of the packet based on the index into the service group and a NAT service group defined for the rule.
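The abstract and claim 9 describe a positional mapping: the packet's (source port, destination port) pair is matched against the rows of a service group, the index of the matching row is reused as an index into the rule's NAT service group, and (per claim 13) the host-group index is looked up independently. The following Python model is an added example written for this page, not code from the patent or any product; the rule contents, addresses (RFC 5737 ranges) and the behaviour for unmatched packets (returning None) are constructed assumptions. It also shows the check a practitioner would want: because the match index is reused as the NAT index, a rule whose paired groups have different row counts is rejected at construction time rather than silently translating to the wrong row.

```python
"""Index-based service/host mapping for NAT, modelled on the claims above.

Constructed example; rule and packet values are made up (RFC 5737 addresses).
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

PortRow = Tuple[Optional[int], Optional[int]]  # (source port, destination port); None = any / keep
HostRow = Tuple[Optional[str], Optional[str]]  # (source address, destination address); None = any / keep


@dataclass(frozen=True)
class Packet:
    src_addr: str
    dst_addr: str
    src_port: int
    dst_port: int


@dataclass
class Rule:
    match_service_group: List[PortRow]  # rows the (src_port, dst_port) pair is compared against
    nat_service_group: List[PortRow]    # row i = translated ports for packets that matched match row i
    match_host_group: List[HostRow]     # rows the (src_addr, dst_addr) pair is compared against
    nat_host_group: List[HostRow]       # row i = translated addresses for host match row i

    def __post_init__(self) -> None:
        # The translation is positional: the match index is reused as the NAT index,
        # so each paired group must have the same number of rows, or a match could
        # select a non-existent (or wrong) translation row.
        if len(self.match_service_group) != len(self.nat_service_group):
            raise ValueError("service groups must have the same number of rows")
        if len(self.match_host_group) != len(self.nat_host_group):
            raise ValueError("host groups must have the same number of rows")


def match_index(rows: Sequence[Tuple], fields: Tuple) -> Optional[int]:
    """Return the index of the first row matching all fields (None in a row is a wildcard)."""
    for i, row in enumerate(rows):
        if all(want is None or want == have for want, have in zip(row, fields)):
            return i
    return None


def translate(row: Tuple, fields: Tuple) -> Tuple:
    """Apply a NAT row: None keeps the original field, anything else replaces it."""
    return tuple(have if new is None else new for new, have in zip(row, fields))


def process_packet(packet: Packet, rules: Sequence[Rule]) -> Optional[Packet]:
    """Apply the first active rule whose service and host groups both match.

    Returns the translated packet, or None when no rule matched (assumed
    behaviour; the claims do not say what happens to unmatched packets).
    """
    for rule in rules:
        s_idx = match_index(rule.match_service_group, (packet.src_port, packet.dst_port))
        h_idx = match_index(rule.match_host_group, (packet.src_addr, packet.dst_addr))
        if s_idx is None or h_idx is None:
            continue
        # Port and address indices are independent (claim 13): each selects a row
        # in its own NAT group.
        src_port, dst_port = translate(rule.nat_service_group[s_idx], (packet.src_port, packet.dst_port))
        src_addr, dst_addr = translate(rule.nat_host_group[h_idx], (packet.src_addr, packet.dst_addr))
        return Packet(src_addr, dst_addr, src_port, dst_port)
    return None


# Constructed rule: publish two internal services behind one public address.
RULES = [
    Rule(
        match_service_group=[(None, 8080), (None, 8443)],  # row 0, row 1
        nat_service_group=[(None, 80), (None, 443)],        # same index -> same row
        match_host_group=[(None, "203.0.113.10")],
        nat_host_group=[(None, "10.0.0.5")],
    )
]

if __name__ == "__main__":
    pkt = Packet("198.51.100.7", "203.0.113.10", 40000, 8443)
    print(process_packet(pkt, RULES))  # destination becomes 10.0.0.5:443, source untouched
```

Running the module translates a packet to 203.0.113.10:8443 into one addressed to 10.0.0.5:443 (service index 1, host index 0), leaves a packet to an unlisted port unmatched, and refuses to build a rule whose match and NAT groups are misaligned.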
20 Claims
13. The firewall of claim 9, wherein the translation engine is further configured to:
translate a network address of the packet based on an index into a matching host group independently of the index into the matching service group, wherein the active rule comprises the matching host group and a NAT option including a NAT host group and the NAT service group.
14. A non-transitory machine readable storage medium encoded with instructions executable by a processor of a firewall, the non-transitory machine readable storage medium comprising:
- instructions for receiving a packet having a source address, destination address, source port, and destination port;
- instructions for comparing the packet to match criteria of a rule, wherein the match criteria includes at least one service group having a plurality of port combinations;
- instructions for matching both the source port and destination port with one of the plurality of port combinations;
- instructions for determining an index into the service group of the matching port combination; and
- instructions for translating a port of the packet based on the index into the service group and a NAT service group defined for the rule.