DATAPATH PROCESSING OF SERVICE RULES WITH QUALIFIERS DEFINED IN TERMS OF DYNAMIC GROUPS
First Claim
1. A method of performing a service on a data message having a set of attributes, the method comprising:
- selecting a rule that includes (1) a service parameter for performing a service on data messages, and (2) a rule identifier for matching to data message attribute set, said rule identifier defined by reference to at least one group identifier;
- determining that the data message's attribute set matches the rule's identifier, said determining comprising determining that at least one data message attribute is within a group storage structure identified by the group identifier; and
- based on the service parameter, performing the service on the data message as the data message's attribute set matches the rule's identifier.
Abstract
Some embodiments of the invention introduce cloud template awareness in the service policy framework. Some embodiments provide one or more service rule processing engines that natively support (1) template-specific dynamic groups and template-specific rules, and (2) dynamic security tag concepts. A service rule processing engine of some embodiments natively supports template-specific dynamic groups and rules as it can directly process service rules that are defined in terms of dynamic component groups, template identifiers, template instance identifiers, and/or template match criteria. Examples of such services can include any kind of middlebox services, such as firewalls, load balancers, network address translators, intrusion detection systems, intrusion prevention systems, etc.
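The matching step recited in claim 1, sketched as an added example (not code from the patent or any product): a firewall-style service whose rule qualifiers name group identifiers, so a membership change alters the verdict without touching the rules. The group names, addresses, rule fields, and the fail-closed and default-drop behaviour are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

# Group storage structures keyed by group identifier (constructed sample data).
GROUPS = {
    "grp-web": {ip_address("10.0.1.10"), ip_address("10.0.1.11")},
    "grp-db": {ip_address("10.0.2.20")},
}

@dataclass(frozen=True)
class Rule:
    src_group: Optional[str]   # group identifier, None = wildcard
    dst_group: Optional[str]
    dst_port: Optional[int]    # None = any port
    action: str                # the rule's service parameter

# Rules are evaluated in order; they never list addresses themselves.
RULES = [
    Rule("grp-web", "grp-db", 5432, "allow"),
    Rule(None, "grp-db", None, "drop"),
]

def in_group(group_id, addr, groups):
    """True if addr is in the storage structure named by group_id."""
    if group_id is None:
        return True
    # Assumption: an identifier with no backing structure matches nothing,
    # so a deleted or misspelled group can never widen an allow rule.
    return addr in groups.get(group_id, ())

def process(msg, rules=RULES, groups=GROUPS, default="drop"):
    """Return the service parameter of the first rule whose qualifiers match."""
    src, dst = ip_address(msg["src"]), ip_address(msg["dst"])
    for rule in rules:
        if (in_group(rule.src_group, src, groups)
                and in_group(rule.dst_group, dst, groups)
                and rule.dst_port in (None, msg["dport"])):
            return rule.action
    return default  # assumption: nothing matched, so deny

if __name__ == "__main__":
    new_vm = {"src": "10.0.9.9", "dst": "10.0.2.20", "dport": 5432}
    print(process(new_vm))                       # not yet a group member
    GROUPS["grp-web"].add(ip_address("10.0.9.9"))
    print(process(new_vm))                       # same rules, new membership
```

Because the rules resolve group identifiers at lookup time, whoever can modify a group's membership can change what the rules permit, so group updates deserve the same access control and audit trail as rule edits.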
25 Citations
20 Claims
1. A method of performing a service on a data message having a set of attributes, the method comprising:
- selecting a rule that includes (1) a service parameter for performing a service on data messages, and (2) a rule identifier for matching to data message attribute set, said rule identifier defined by reference to at least one group identifier;
- determining that the data message's attribute set matches the rule's identifier, said determining comprising determining that at least one data message attribute is within a group storage structure identified by the group identifier; and
- based on the service parameter, performing the service on the data message as the data message's attribute set matches the rule's identifier.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 18, 19, 20
12. A non-transitory machine readable medium storing a program for performing a service on a data message having a set of attributes, the program comprising sets of instructions for:
- selecting a rule that includes (1) a service parameter for performing a service on data messages, and (2) a rule identifier for matching to data message attribute set, said rule identifier defined by reference to at least one group identifier;
- determining whether the data message's attribute set matches the rule's identifier, said determining comprising determining whether at least one data message attribute is within a group identified by the group identifier; and
- when the data message's attribute set matches the rule's identifier, performing the service on the data message based on the service parameter.

Dependent claims: 13, 14, 15, 16, 17
Specification