COOPERATED APPROACH TO NETWORK PACKET FILTERING

US 20140331221A1
Filed: 10/28/2010
Published: 11/06/2014
Est. Priority Date: 10/28/2010
Status: Active Grant

First Claim

Patent Images

1. A network interface apparatus in a computer system, comprising:

a first virtual function of a plurality of virtual functions, the first virtual function owned by a first virtual machine present in the computer system;

a first simple filtering agent, associated with the first virtual function, to enforce one or more inbound simple filter rules at a first filtering level for a first network packet of a plurality of network packets received from a network, wherein at least one of the one or more inbound simple filter rules blocks the first network packet from reaching the first virtual machine in response to the first network packet failing at least one of the one or more inbound simple filter rules;

a second virtual function of the plurality of virtual functions, the second virtual function owned by a virtual machine monitor present in the computer system; and

a side bounce filtering agent to forward the first network packet to the second virtual function in response to first network packet being blocked by the at least one of the one or more inbound simple filter rules.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus, system, method, and machine-readable medium are disclosed. In one embodiment the apparatus is a network interface controller that includes one virtual function owned by a virtual machine present in the computer system. The controller includes a simple filtering agent that is associated with the first virtual function. The agent enforces simple filter rules for received network packets. The simple filter rules are capable of blocking the network packets from reaching the virtual machine. The apparatus also includes another virtual function that is owned by a virtual machine monitor present in the computer system. The controller also includes a side bounce filtering agent to forward the first network packet to the second virtual function if the first packet is blocked by the at least one of the one or more simple filter rules.

28 Citations

View as Search Results

24 Claims

1. A network interface apparatus in a computer system, comprising:
- a first virtual function of a plurality of virtual functions, the first virtual function owned by a first virtual machine present in the computer system;
  
  a first simple filtering agent, associated with the first virtual function, to enforce one or more inbound simple filter rules at a first filtering level for a first network packet of a plurality of network packets received from a network, wherein at least one of the one or more inbound simple filter rules blocks the first network packet from reaching the first virtual machine in response to the first network packet failing at least one of the one or more inbound simple filter rules;
  
  a second virtual function of the plurality of virtual functions, the second virtual function owned by a virtual machine monitor present in the computer system; and
  
  a side bounce filtering agent to forward the first network packet to the second virtual function in response to first network packet being blocked by the at least one of the one or more inbound simple filter rules.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The network interface apparatus of claim 1, further comprising:
    - the second virtual function allowing the first network packet blocked by the first simple filtering agent to enter a virtual Ethernet bridge in the virtual machine monitor, the virtual Ethernet bridge toenforce one or more complex filtering rules at a second filtering level for the first network packet, wherein at least one of the one or more complex filtering rules is capable of verifying the first network packet; and
      
      reroute the first network packet through the second virtual function to the first virtual function, in response to the first network packet being verified.
  - 3. The network interface apparatus of claim 1, further comprising:
    - an arbitrator to route the first network packet from the network to one of the plurality of virtual functions, and to route one or more packets received from at least one of the plurality of virtual functions to the network.
  - 4. The network interface apparatus of claim 1, further comprising:
    - a third virtual function of the plurality of virtual functions, the third virtual function owned by a second virtual machine present in the computer system.
  - 5. The network interface apparatus of claim 1, wherein each virtual function of the plurality of virtual functions comprises a queue pair to handle incoming and outgoing network packets of the plurality of network packets.
  - 6. The network interface of claim 1, further comprising:
    - the first simple filtering agent further operable to enforce one or more outbound simple filter rules at the first filtering level for a second network packet of a plurality of network packets sent to the network, wherein at least one of the one or more outbound simple filter rules blocks the sent network packet from reaching the network in response to the sent network packet failing at least one of the one or more outbound simple filter rules; and
      
      the side bounce filtering agent to forward the sent network packet to the second virtual function in response to the sent network packet being blocked by the at least one of the one or more outbound simple filter rules.
  - 7. The network interface apparatus of claim 6, further comprising:
    - the second virtual function to allow the second network packet blocked by the first simple filtering agent to enter a virtual Ethernet bridge in the virtual machine monitor, the virtual Ethernet bridge toenforce one or more complex filtering rules at a second filtering level for the second network packet, wherein at least one of the one or more complex filtering rules is capable of verifying the second network packet; and
      
      reroute the second network packet through the second virtual function to the network, in response to the second network packet being verified.

8. A computer system, comprising:
- a processor;
  
  a system memory;
  
  a virtual machine monitor to assign time slices of compute time of the processor, a portion of system memory, and a set of I/O resources to each of a plurality of virtual machines;
  
  a first virtual machine of the plurality of virtual machines; and
  
  a network interface controller, the network interface controller including;
  
  a first virtual function of a plurality of virtual functions, the first virtual function owned by the first virtual machine;
  
  a first simple filtering agent, associated with the first virtual function, to enforce one or more inbound simple filter rules at a first filtering level for a first network packet of a plurality of network packets received from a network, wherein at least one of the one or more inbound simple filter rules blocks the first network packet from reaching the first virtual machine in response to the first network packet failing at least one of the one or more inbound simple filter rules;
  
  a second virtual function of the plurality of virtual functions, the second virtual function owned by the virtual machine monitor; and
  
  a side bounce filtering agent to forward the first network packet to the second virtual function in response to first network packet being blocked by the at least one of the one or more inbound simple filter rules.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the second virtual function is further operable to:
    - allow the first network packet blocked by the first simple filtering agent to enter a virtual Ethernet bridge in the virtual machine monitor, the virtual Ethernet bridge toenforce one or more complex filtering rules at a second filtering level for the first network packet, wherein at least one of the one or more complex filtering rules is capable of verifying the first network packet; and
      
      reroute the first network packet through the second virtual function to the first virtual function, in response to the first network packet being verified.
  - 10. The system of claim 8, wherein the network interface controller further comprises:
    - an arbitrator to route the first network packet from the network to one of the plurality of virtual functions, and to route one or more packets received from at least one of the plurality of virtual functions to the network.
  - 11. The system of claim 8, further comprising:
    - a second virtual machine;
      
      wherein the network interface controller further comprises a third virtual function of the plurality of virtual functions, the third virtual function owned by the second virtual machine.
  - 12. The system of claim 8, wherein each virtual function of the plurality of virtual functions comprises a queue pair to handle incoming and outgoing network packets of the plurality of network packets.
  - 13. The system of claim 8, further comprising:
    - the first simple filtering agent further operable to enforce one or more outbound simple filter rules at the first filtering level for a second network packet of a plurality of network packets sent to the network, wherein at least one of the one or more outbound simple filter rules blocks the sent network packet from reaching the network in response to the sent network packet failing at least one of the one or more outbound simple filter rules; and
      
      the side bounce filtering agent further operable to forward the sent network packet to the second virtual function in response to the sent network packet being blocked by the at least one of the one or more outbound simple filter rules.
  - 14. The system of claim 13, further comprising:
    - the second virtual function further operable to allow the second network packet blocked by the first simple filtering agent to enter a virtual Ethernet bridge in the virtual machine monitor, the virtual Ethernet bridge toenforce one or more complex filtering rules at a second filtering level for the second network packet, wherein at least one of the one or more complex filtering rules is capable of verifying the second network packet; and
      
      reroute the second network packet through the second virtual function to the network, in response to the second network packet being verified.

15. A method, comprising:
- enforcing one or more inbound simple filter rules at a first filtering level for a first network packet of a plurality of network packets received from a network at a first simple filtering agent within a first virtual function owned by a first virtual machine in a computer system, wherein at least one of the one or more inbound simple filter rules blocks the first network packet from reaching the first virtual machine in response to the first network packet failing at least one of the one or more inbound simple filter rules; and
  
  rerouting the first network packet to a second virtual function in response to first network packet being blocked by the at least one of the one or more inbound simple filter rules, wherein the second virtual function is owned by a virtual machine monitor.
- View Dependent Claims (16, 18, 19)
- - 16. The method of claim 15, further comprising:
    - allowing the first network packet blocked by the first simple filtering agent to enter a virtual Ethernet bridge in the virtual machine monitor; and
      
      enforcing one or more complex filtering rules at a second filtering level for the first network packet at the virtual Ethernet bridge, wherein at least one of the one or more complex filtering rules is capable of verifying the first network packet; and
      
      rerouting the first network packet through the second virtual function to the first virtual function, in response to the first network packet being verified.
  - 18. The method of claim 15, further comprising:
    - enforcing one or more outbound simple filter rules at the first filtering level for a second network packet of a plurality of network packets sent to the network, wherein at least one of the one or more outbound simple filter rules blocks the sent network packet from reaching the network in response to the sent network packet failing at least one of the one or more outbound simple filter rules; and
      
      forwarding the sent network packet to the second virtual function in response to the sent network packet being blocked by the at least one of the one or more outbound simple filter rules.
  - 19. The method of claim 18, further comprising:
    - allowing the second network packet blocked by the first simple filtering agent to enter a virtual Ethernet bridge in the virtual machine monitor, the virtual Ethernet bridge to enforce one or more complex filtering rules at a second filtering level for the second network packet.

17. The method of 15, further comprising:
- an arbitrator routing the first network packet from the network to one of the plurality of virtual functions, and routing one or more packets received from at least one of the plurality of virtual functions to the network.

20. A machine-readable medium having stored thereon instructions, which if executed by a machine causes the machine to perform a method comprising:
- enforcing one or more inbound simple filter rules at a first filtering level for a first network packet of a plurality of network packets received from a network at a first simple filtering agent within a first virtual function owned by a first virtual machine in a computer system, wherein at least one of the one or more inbound simple filter rules blocks the first network packet from reaching the first virtual machine in response to the first network packet failing at least one of the one or more inbound simple filter rules; and
  
  rerouting the first network packet to a second virtual function in response to first network packet being blocked by the at least one of the one or more inbound simple filter rules, wherein the second virtual function is owned by a virtual machine monitor.
- View Dependent Claims (21, 23, 24)
- - 21. The machine-readable medium of claim 20, wherein the performed method further comprises:
    - allowing the first network packet blocked by the first simple filtering agent to enter a virtual Ethernet bridge in the virtual machine monitor;
      
      enforcing one or more complex filtering rules at a second filtering level for the first network packet at the virtual Ethernet bridge, wherein at least one of the one or more complex filtering rules is capable of verifying the second network packet; and
      
      rerouting the second network packet through the second virtual function to the network, in response to the second network packet being verified.
  - 23. The machine-readable medium of claim 20, wherein the performed method further comprises:
    - enforcing one or more outbound simple filter rules at the first filtering level for a second network packet of a plurality of network packets sent to the network, wherein at least one of the one or more outbound simple filter rules blocks the sent network packet from reaching the network in response to the sent network packet failing at least one of the one or more outbound simple filter rules; and
      
      forwarding the sent network packet to the second virtual function in response to the sent network packet being blocked by the at least one of the one or more outbound simple filter rules.
  - 24. The machine-readable medium of claim 23, wherein the performed method further comprises:
    - allowing the second network packet, blocked by the first simple filtering agent, to enter a virtual Ethernet bridge in the virtual machine monitor, the virtual Ethernet bridgeenforcing one or more complex filtering rules at a second filtering level for the received network packet, wherein at least one of the one or more complex filtering rules is capable of verifying the second network packet; and
      
      rerouting the second network packet through the second virtual function to the network, in response to the second network packet being verified.

22. The machine-readable medium of 20, wherein the performed method further comprises:
- an arbitrator routing the first network packet from the network to one of the plurality of virtual functions, and the arbitrator routing one or more packets received from at least one of the plurality of virtual functions to the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Dong, Yaozu, Tian, Kun

Granted Patent

US 9,276,875 B2
Time in Patent Office

Days
Field of Search
US Class Current

718/1
CPC Class Codes

G06F 9/45533   Hypervisors; Virtual machin...

H04L 45/00   Routing or path finding of ...

H04L 45/76   Routing in software-defined...

H04L 49/00   Packet switching elements

H04L 63/0245   Filtering by information in...

H04L 63/0263   Rule management

COOPERATED APPROACH TO NETWORK PACKET FILTERING

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

28 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

COOPERATED APPROACH TO NETWORK PACKET FILTERING

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links