DIRECT SERVICE MAPPING FOR NAT AND PNAT

US 20140294006A1
Filed: 03/29/2013
Published: 10/02/2014
Est. Priority Date: 03/29/2013
Status: Abandoned Application

First Claim

Patent Images

9. A firewall comprising:

an ingress interface that receives a packet having a source address, destination address, source port, and destination port;

a rule storage comprising a plurality of active rules, at least one active rule including a matching criteria service group including a plurality of rows of source and destination port combinations and a NAT service group;

a matching engine configured to;

compare the source port and destination port to the plurality of rows of source and destination port combinations, find a matching row, and determine an index of the matching row;

a translation engine configured to translate the source and destination ports of the packet to source and destination ports indicated by the NAT service group based on the index of the matching row; and

an egress interface configured to transmit the packet to the destination address.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various exemplary embodiments relate to a method of processing a packet at a firewall. The method includes: receiving a packet having a source address, destination address, source port, and destination port; comparing the packet to match criteria of a rule, wherein the match criteria includes at least one service group having a plurality of port combinations; matching both the source port and destination port with one of the plurality of port combinations; determining an index into the service group of the matching port combination; and translating a port of the packet based on the index into the service group and a NAT service group defined for the rule.

6 Citations

View as Search Results

20 Claims

9. A firewall comprising:
- an ingress interface that receives a packet having a source address, destination address, source port, and destination port;
  
  a rule storage comprising a plurality of active rules, at least one active rule including a matching criteria service group including a plurality of rows of source and destination port combinations and a NAT service group;
  
  a matching engine configured to;
  
  compare the source port and destination port to the plurality of rows of source and destination port combinations, find a matching row, and determine an index of the matching row;
  
  a translation engine configured to translate the source and destination ports of the packet to source and destination ports indicated by the NAT service group based on the index of the matching row; and
  
  an egress interface configured to transmit the packet to the destination address.
- View Dependent Claims (1, 2, 3, 4, 5, 6, 7, 8, 10, 11, 12, 13)
- - 1. A method of processing a packet at a firewall, the method comprising:
    - receiving a packet having a source address, destination address, source port, and destination port;
      
      comparing the packet to match criteria of a rule, wherein the match criteria includes at least one service group having a plurality of port combinations;
      
      matching both the source port and destination port with one of the plurality of port combinations;
      
      determining an index into the service group of the matching port combination; and
      
      translating a port of the packet based on the index into the service group and a NAT service group defined for the rule.
  - 2. The method of claim 1, wherein the index into the service group is a row of the service group.
  - 3. The method of claim 2, wherein the index into the service group further includes an offset into a range of ports within the row.
  - 4. The method of claim 3, wherein the step of translating the port of the packet comprises adding the offset to the first port number in a range of port numbers in a row of the NAT service group.
  - 5. The method of claim 1, further comprising:
    - matching either the source address or destination address with an address of the match criteria of the rule; and
      
      translating the matching address of the packet based on a NAT option address of the rule.
  - 6. The method of claim 1, further comprising:
    - translating a network address of the packet based on the index into the service group and the rule,wherein the rule comprises a NAT option including a NAT host group and the NAT service group.
  - 7. The method of claim 1, further comprising:
    - translating a network address of the packet based on an index into a matching host group independently of the index into the matching service group,wherein the rule comprises the matching host group and a NAT option including a NAT host group and the NAT service group.
  - 8. The method of claim 1, further comprising configuring the rule via an operator interface.
  - 10. The firewall of claim 9, further comprising an operator interface configured to allow an operator to configure the active rules.
  - 11. The firewall of claim 9, wherein the index into the service group is a row of the service group.
  - 12. The firewall of claim 11, wherein the index into the service group further includes an offset into a range of ports within the row.
  - 13. The firewall of claim 9, wherein the translation engine is further configured to:
    - translate a network address of the packet based on the index into the service group and the at least one active rule, wherein the at least one active rule comprises a NAT option including a NAT host group and the NAT service group.

13-1. The firewall of claim 9, wherein the translation engine is further configured to:
- translate a network address of the packet based on an index into a matching host group independently of the index into the matching service group, wherein the active rule comprises the matching host group and a NAT option including a NAT host group and the NAT service group.

14. A non-transitory machine readable storage medium encoded with instructions executable by a processor of a firewall, the non-transitory machine readable storage medium comprising:
- instructions for receiving a packet having a source address, destination address, source port, and destination port;
  
  instructions for comparing the packet to match criteria of a rule, wherein the match criteria includes at least one service group having a plurality of port combinations;
  
  instructions for matching both the source port and destination port with one of the plurality of port combinations;
  
  instructions for determining an index into the service group of the matching port combination; and
  
  instructions for translating a port of the packet based on the index into the service group and a NAT service group defined for the rule.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The non-transitory machine readable storage medium of claim 14, wherein the index into the service group is a row of the service group.
  - 16. The non-transitory machine readable storage medium of claim 15, wherein the index into the service group further includes an offset into a range of ports within the row.
  - 17. The non-transitory machine readable storage medium of claim 16, wherein the instructions for translating the port of the packet comprise instructions for adding the offset to the first port number in a range of port numbers in a row of the NAT service group.
  - 18. The non-transitory machine readable storage medium of claim 14, further comprising:
    - instructions for matching either the source address or destination address with an address of the match criteria of the rule; and
      
      instructions for translating the matching address of the packet based on a NAT option address of the rule.
  - 19. The non-transitory machine readable storage medium of claim 14, further comprising:
    - instructions for translating a network address of the packet based on the index into the service group and the rule, wherein the rule comprises a NAT option including a NAT host group and the NAT service group.
  - 20. The non-transitory machine readable storage medium of claim 14, further comprising:
    - instructions for translating a network address of the packet based on an index into a matching host group independently of the index into the matching service group, wherein the rule comprises the matching host group and a NAT option including a NAT host group and the NAT service group.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alcatel-Lucent SA (Nokia Corporation)
Original Assignee
Alcatel-Lucent Canada Incorporated (Nokia Corporation)
Inventors
Rajsic, Carl J.

Application Number

US13/853,447
Publication Number

US 20140294006A1
Time in Patent Office

Days
Field of Search
US Class Current

370/392
CPC Class Codes

H04L 45/74   Address processing for routing

H04L 61/2503   Translation of Internet pro...

H04L 61/2557   Translation policies or rules

DIRECT SERVICE MAPPING FOR NAT AND PNAT

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

6 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

DIRECT SERVICE MAPPING FOR NAT AND PNAT

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

6 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links