System and method for IP network address translation and IP filtering with dynamic address resolution
Abstract
IP network address translation (NAT) and IP filtering with dynamic address resolution in an Internet gateway system. Symbolic interface names are recognized in selected rule statements. A symbolic s-rule file is generated from these rule statements which includes symbolic interface names. During processing of a packet message, the s-rule file corresponding to the interface name in the packet message is processed, with symbolic addresses in the s-rule file resolved to the IP addresses obtained from the packet message.
9 Claims
1. Method for operating a gateway system, comprising the steps of:
recognizing symbolic interface names in a statement file of rule statements;
generating from said rule statements a symbolic rule file;
responsive to a packet message including an interface name, selecting a corresponding symbolic rule file and resolving symbolic addresses obtained from said message;
said generating step further including the steps of:
generating an index portion of said symbolic rule file;
generating a binary rule portion of said symbolic rule file;
said index portion containing at least one offset pointer into said binary rule portion; and
said binary rule portion including at offsets indexed by each of said offset pointers at least one corresponding field for receiving a resolved address.

2. The method of claim 1, further comprising the step of:
iteratively processing each said offset pointer to load into each said corresponding field an address obtained from said packet message.

3. The method of claim 2, further comprising the step executed following said processing step of:
loading said binary rule portion to an operating system kernel for executing said rule statements selectively to permit or deny said packet message.

4. The method of claim 1, the step for generating an index portion comprising the further steps of:
while more rule statements exist in said statement file, if this rule statement has a first symbolic address and if said index portion does not exist for said first symbolic address, creating said index portion for said first symbolic address; and
the step for generating a binary portion comprising the further step of: adding a current binary-offset to said index portion to provide said offset pointer and generating into said binary portion a binary form of said this rule.

5. Method for operating a gateway system, comprising the steps of:
recognizing symbolic interface names in a statement file of rule statements;
generating from said rule statements a symbolic rule file;
responsive to a packet message including an interface name, selecting a corresponding symbolic rule file and resolving symbolic addresses in said corresponding symbolic rule file to addresses obtained from said message;
said generating step further including the steps of: for each symbolic interface name, creating a symbolic rule file including an index-portion corresponding to said symbolic interface name and a binary rule portion, writing said index-portion to said symbolic rule file, and writing said binary rule portion to said symbolic rule file.

6. The method of claim 5, further comprising the steps of:
processing a message by obtaining an interface name from said packet message;
opening a first symbolic rule file corresponding to the interface name from said packet message;
copying said first symbolic rule file to form a second symbolic rule file;
obtaining a first address from said packet message;
for each offset in said index-portion, locating a corresponding offset in said symbolic rule file and setting said corresponding offset to said first address; and
thereafter loading a portion of said second symbolic file containing said rules and said first address to said operating system kernel for executing said rules to selectively permit or deny said packet message.

7. A gateway system, comprising:
a rule statement file of rule statements, at least one said rule statement including a symbolic interface name;
a symbolic rule file generated from said rule statement including an index portion and a rules portion;
said index portion including offset pointers into said rules portion at locations for receiving resolved IP addresses;
a resolved rule file corresponding to said symbolic interface name containing at locations in said rules portion indexed by said offset pointers resolved symbolic addresses obtained from a packet message; and
an operating system kernel responsive to said resolved rule file for executing said rule statements to selectively deny or permit said packet message.

8. A program storage device readable by a machine, tangibly embodying a program of instructions executable by a machine to perform method steps for operating a gateway system, said method steps comprising:
recognizing symbolic interface names in a statement file of rule statements;
generating from said rule statements a symbolic rule file;
responsive to a packet message including an interface name, selecting a corresponding symbolic rule file and resolving symbolic addresses in said corresponding symbolic rule file to addresses obtained from said message;
said generating step further including for each symbolic interface name, creating a symbolic rule file including an index-portion corresponding to said symbolic interface name and a binary rule portion, writing said index-portion to said symbolic rule file, and writing said binary rule portion to said symbolic rule file.

9. An article of manufacture comprising:
a computer useable medium having computer readable program code means embodied therein for operating a gateway system, the computer readable program means in said article of manufacture comprising:
computer readable program code means for causing a computer to effect recognizing symbolic interface names in a statement file of rule statements;
computer readable program code means for causing a computer to effect generating from said rule statements a symbolic rule file;
computer readable program code means for causing a computer to effect responsive to a packet message including an interface name, selecting a corresponding symbolic rule file and resolving symbolic addresses in said corresponding symbolic rule file to addresses obtained from said message; and
said computer readable program code means for causing a computer to effect generating from said rule statements a symbolic rule file further generating an index portion of said symbolic rule file and generating a binary rule portion of said symbolic rule file;
said index portion containing at least one offset pointer into said binary rule portion; and
said binary rule portion including at offsets indexed by each of said offset pointers at least one corresponding field for receiving a resolved address.
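Worked example of the generate/resolve/execute procedure the claims above describe (claims 1 through 6 for the method, 7 through 9 for the same structure as a system and a program). This is added illustration code, not the patent's own implementation or any product's code. It assumes a statement syntax of "action interface src dst proto", the symbol "@if" for "the address currently held by the receiving interface", a 10-byte binary rule record, a 16-bit count followed by 32-bit offsets as the index portion, and "any" (stored as 0.0.0.0) as a wildcard; the sample statement file and packets are constructed for the example. The resolver validates each offset pointer against the record layout before writing through it, which is the check a practitioner would want before a rule file is loaded to a kernel.

```python
"""Model of a symbolic rule file: index portion + binary rule portion.
Added example; the syntax, symbol name, record layout and samples are
assumptions, not the patent's or any product's formats."""
import struct

# Binary rule record (assumed): action(1) src(4) dst(4) proto(1) = 10 bytes
RULE_FMT = "!B4s4sB"
RULE_SIZE = struct.calcsize(RULE_FMT)
SRC_OFF, DST_OFF = 1, 5            # byte offsets of the two address fields
PERMIT, DENY = 1, 0
PROTO_ANY = 0
SYMBOL = "@if"                     # "address of the interface the packet arrived on"
ANY = bytes(4)                     # 0.0.0.0 is treated as a wildcard


def ip_to_bytes(ip):
    """Dotted-quad IPv4 -> 4 bytes; "any" -> wildcard."""
    return ANY if ip == "any" else bytes(int(o) for o in ip.split("."))


def generate(statement_text):
    """Generation step (claims 1, 4, 5): one symbolic rule file per interface
    name, as {iface: (index_portion, binary_rule_portion)}. The index lists
    byte offsets, into the binary portion, of fields awaiting a resolved address."""
    files = {}
    for line in statement_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        action, iface, src, dst, proto = line.split()
        index, binary = files.setdefault(iface, ([], bytearray()))
        base = len(binary)                       # current binary offset (claim 4)
        fields = []
        for token, off in ((src, SRC_OFF), (dst, DST_OFF)):
            if token == SYMBOL:
                index.append(base + off)         # offset pointer to the field
                fields.append(bytes(4))          # placeholder until resolution
            else:
                fields.append(ip_to_bytes(token))
        binary += struct.pack(RULE_FMT, PERMIT if action == "permit" else DENY,
                              fields[0], fields[1], int(proto))
    return files


def serialize(index, binary):
    """Write the index portion, then the binary rule portion (claim 5)."""
    return (struct.pack("!H", len(index))
            + b"".join(struct.pack("!I", o) for o in index) + bytes(binary))


def parse(blob):
    """Split a serialized rule file back into (index, binary rule portion)."""
    (n,) = struct.unpack_from("!H", blob, 0)
    index = [struct.unpack_from("!I", blob, 2 + 4 * i)[0] for i in range(n)]
    return index, bytearray(blob[2 + 4 * n:])


def resolve(blob, iface_addr):
    """Resolution step (claims 2, 6): copy the symbolic file, then load the
    address obtained from the packet into every field the index points at.
    Each offset is checked against the record layout first, so a corrupt
    index cannot overwrite the action or protocol bytes of a rule."""
    index, rules = parse(blob)                   # 'rules' is the copy being patched
    addr = ip_to_bytes(iface_addr)
    for off in index:
        if off + 4 > len(rules) or off % RULE_SIZE not in (SRC_OFF, DST_OFF):
            raise ValueError("index offset %d does not address a field" % off)
        rules[off:off + 4] = addr
    return bytes(rules)


def evaluate(rules, src, dst, proto):
    """Stand-in for the kernel rule executor (claim 3): first match wins, default deny."""
    s, d = ip_to_bytes(src), ip_to_bytes(dst)
    for off in range(0, len(rules), RULE_SIZE):
        action, rsrc, rdst, rproto = struct.unpack_from(RULE_FMT, rules, off)
        if rsrc in (ANY, s) and rdst in (ANY, d) and rproto in (PROTO_ANY, proto):
            return "permit" if action == PERMIT else "deny"
    return "deny"


def filter_packet(rule_files, packet):
    """Packet path: select the rule file by the packet's interface name,
    resolve with the interface address carried in the packet message, evaluate."""
    rules = resolve(rule_files[packet["iface"]], packet["iface_addr"])
    return evaluate(rules, packet["src"], packet["dst"], packet["proto"])


# Constructed sample statement file: action iface src dst proto
STATEMENTS = """
permit ppp0 any @if 6          # TCP to whatever address ppp0 currently holds
deny   ppp0 any any 0          # everything else arriving on ppp0
permit eth0 10.0.0.5 @if 0     # one LAN host may reach eth0's own address
"""

RULE_FILES = {iface: serialize(idx, binary)
              for iface, (idx, binary) in generate(STATEMENTS).items()}

if __name__ == "__main__":
    pkt = {"iface": "ppp0", "iface_addr": "198.51.100.7",
           "src": "203.0.113.9", "dst": "198.51.100.7", "proto": 6}
    print(filter_packet(RULE_FILES, pkt))        # permit
    pkt["iface_addr"] = "198.51.100.8"            # link re-dialed, new address
    print(filter_packet(RULE_FILES, pkt))        # deny: rule now names the new address
```

The point of the second packet in the usage block is the dynamic part of the claims: the same symbolic rule file serves the interface after its address changes, because the address is written in at packet time rather than at rule-compilation time. The offset validation in resolve matters because the resolved file is what gets loaded to the kernel; a bad pointer that is not rejected would silently turn into a wrong action or protocol byte.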