System and method for IP packet filtering based on non-IP packet traffic attributes

US 7,209,962 B2
Filed: 07/30/2001
Issued: 04/24/2007
Est. Priority Date: 07/30/2001
Status: Expired due to Term

First Claim

Patent Images

1. A method for control and management of communication traffic, comprising the steps of:

expressing access rules as filters referencing system kernel data;

for outbound processing, determining source application indicia;

for inbound packet processing, executing a look-ahead function to determine target application indicia;

said look-ahead function being executed within an IP layer of a protocol stack including said IP layer, a transport layer, a sockets layer, and an application layer and which, for said inbound packet, said IP layer provides to said transport layer said inbound packet, marked as deny, and receives back from said transport layer indicia, provided to said transport layer by said sockets layer, identifying the application layer application to which said packet would have been delivered;

responsive to said source or target application indicia, executing filter processing;

said filter processing including constructing and evaluating logical expressions including non-IP packet attributes of arbitrary length, and selectively using a set of logical operators, alternative filter selector fields, and value set; and

executing said determining and executing steps within a kernel filtering function upon encountering a filter selector field referencing kernel data not included in said packet.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Control and management of communication traffic. IP packet filtering occurs in an operating system kernel implementation of, for example, the TCP/IP protocol suite. Access rules are expressed as filters referencing system kernel data; for outbound processing, source application indicia is determined; for inbound packet processing, a look-ahead function is executed to determine target application indicia; and responsive to the source or target application indicia, filter processing is executed.

85 Citations

View as Search Results

39 Claims

1. A method for control and management of communication traffic, comprising the steps of:
- expressing access rules as filters referencing system kernel data;
  
  for outbound processing, determining source application indicia;
  
  for inbound packet processing, executing a look-ahead function to determine target application indicia;
  
  said look-ahead function being executed within an IP layer of a protocol stack including said IP layer, a transport layer, a sockets layer, and an application layer and which, for said inbound packet, said IP layer provides to said transport layer said inbound packet, marked as deny, and receives back from said transport layer indicia, provided to said transport layer by said sockets layer, identifying the application layer application to which said packet would have been delivered;
  
  responsive to said source or target application indicia, executing filter processing;
  
  said filter processing including constructing and evaluating logical expressions including non-IP packet attributes of arbitrary length, and selectively using a set of logical operators, alternative filter selector fields, and value set; and
  
  executing said determining and executing steps within a kernel filtering function upon encountering a filter selector field referencing kernel data not included in said packet.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein said protocol stack is a TCP/IP protocol stack, and said filter processing including the steps of:
    - determining a task or thread identifier;
      
      based on said task or thread identifier, determining a process or job identifier; and
      
      based on said process or job identifier, determining job or process attributes for filter processing.
  - 3. The method of claim 2, further comprising the step of determining from said task identifier a work control block containing said process or job identifier.
  - 4. The method of claim 1, wherein said protocol stack is a TCP/IP protocol stack, and said filter processing including the steps of:
    - determining a user identifier; and
      
      based on said user identifier, determining user attributes for filter processing.
  - 5. The method of claim 1, wherein said protocol stack is a TCP/IP protocol stack, and further comprising the steps of:
    - delivering to said filters infrastructure access rules for defining security context.
  - 6. The method of claim 5, said infrastructure including logging, auditing, and filter rule load controls.

7. A method for control and management of aspects of communication traffic within filtering, comprising the steps of:
- receiving IP packet data into a TCP/IP protocol stack executing within a system kernel;
  
  for an inbound IP packet, executing a look-ahead function within an IP layer of a protocol stack including said IP layer, a transport layer, a sockets layer, and an application layer and which, for said IP inbound packet, said IP layer provides to said transport layer said inbound IP packet, marked as deny, and receives back from said transport layer indicia, provided to said transport layer by said sockets layer, identifying the application layer application to which said packet would have been delivered; and
  
  executing filtering code within said IP layer of said system kernel with respect to non-IP packet data accessed within said system kernel outside of said TCP/IP protocol stack;
  
  said filtering code constructing and evaluating logical expressions of arbitrary length, and selectively using a set of logical operators, alternative filter selector fields, and value set.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The method of claim 7, said non-IP packet data including context data regarding said IP packet.
  - 9. The method of claim 8, said context data including packet arrival interface indicia.
  - 10. The method of claim 7, said non-IP packet data including data specific to a task generating said non-IP packet data.
  - 11. The method of claim 7, said non-IP packet data including data specific to a task that will receive said IP packet.

12. A method for centralizing system-wide communication management and control within filter rules, comprising the steps of:
- providing filter statements syntax for accepting parameters in the form of a selector, each selector specifying selector field, operator, and a set of values;
  
  for an inbound packet, executing a look-ahead function within an IP layer of a protocol stack including said IP layer, a transport layer, a sockets layer, and an application layer and which, for said inbound packet, said IP layer provides to said transport layer said inbound packet, marked as deny, and receives back from said transport layer indicia, provided to said transport layer by said sockets layer, identifying the application layer application to which said packet would have been delivered by said sockets layer;
  
  said selector referencing data that does not exist in IP packets;
  
  processing said filter statements, including constructing and evaluating logical expressions of arbitrary length including non-IP packet attributes, and selectively using a set of logical operators, alternative filter selector fields, and value set;
  
  executing said look-ahead function and processing said filter statements within a kernel filtering function upon encountering a filter selector field referencing kernel data not included in said packet.
- View Dependent Claims (13, 14, 15)
- - 13. The method of claim 12, wherein said protocol stack is a TCP/IP protocol stack, and said parameters selectively including userid, user profile, user class, user group, user group authority, user special authority, job name, process name, job group, job class, job priority, other job or process attributes, and date &
    - time.
  - 14. The method of claim 12, wherein said protocol stack is a TCP/IP protocol stack, and said filters statements being provided within, a user interface to said system.
  - 15. The method of claim 12, wherein said protocol stack is a TCP/IP protocol stack, and further comprising the steps of:
    - establishing a tunnel between two IP address limiting traffic to applications bound to ports at each end of said tunnel;
      
      said filtering code accessing filtering attributes further limiting traffic selectively to job indicia; and
      
      operating said filtering code within a kernel filtering function upon encountering a filter selector field referencing kernel data not included in said traffic.

16. A method for traversing a portion only of a protocol stack to disallow selective IP packet traffic, comprising the steps of:
- receiving a packet in the system kernel of the operating system of a first node from an application, said kernel includihg a filter processor;
  
  said filter processor for constructing and evaluating logical expressions of arbitrary length including non-IP packet attributes, said logical expressions selectively including a set of logical operators, alternative filter selector fields, and value set;
  
  for inbound packet processing to a first node from a second node, executing a look-ahead function in an IP layer of said system kernel of said first node to determine a target application;
  
  said system kernel including a TCP/IP protocol stack including said IP layer, a transport layer, a sockets layer, and an application layer and which, for said inbound packet, said IP layer upon encountering a filter selector field referencing kernel data not included in said inbound packet provides to said transport layer said inbound packet, marked as deny, and receives back from said transport layer source application indicia identifying the application layer application to which said packet would have been delivered;
  
  for both said inbound packet processing, and for outbound packet processing from said first node to said second node, executing within said kernel the steps ofprocessing said packet by determining a task ID;
  
  responsive to said task ID, determining a corresponding work control block;
  
  determining a user ID, process or job identifier from said work control block;
  
  from the user ID, process or job identifier selectively determining attributes for said user process or job; and
  
  passing said attributes to said filter processor for managing and controlling communication traffic.

17. A method for expressing access rules as filters, comprising the steps of:
- providing a filter statements syntax for accepting parameters in the form of a selector, each selector specifying selector field, operator, and a set of values; and
  
  said selector referencing data within a system kernel outside of a protocol stack that does not exist in IP packets for controlling access to an application;
  
  for an inbound IP packet, executing a look-ahead function within the IP layer of said protocol stack, said protocol stack including said IP layer, a transport layer, a sockets layer, and an application layer and which, for said IP inbound packet, said look-ahead function in said IP layer upon encountering a filter selector field referencing kernel data not included in said inbound IP packet provides to said transport layer said inbound IP packet, marked as deny, and receives back from said transport layer indicia, provided to said transport layer by said sockets layer, identifying the application layer application to which said packet would have been delivered; and
  
  processing said filter statements within said IP layer of said protocol stack with respect to non-IP packet data accessed within said system kernel outside of said protocol stack by constructing and evaluating logical expressions including non-IP packet attributes of arbitrary length, said logical expressions selectively including a set of logical operators, alternative filter selector fields, and value set referencing said application layer application.

18. A method for managing and controlling communication traffic by centralizing access rules in filters including non-IP packet attributes executing within and referencing data available in system kernels outside of a protocol stack having an IP layer, a transport layer, and a sockets layer, comprising the steps for outbound packet processing from a first node to a second node of:
- receiving said packet in the kernel of the operating system of said first node from an application or process at said first node;
  
  processing said packet by determining a task ID;
  
  responsive to said task ID, determining a corresponding work control block;
  
  responsive to said work control block, determining a process or job identifier;
  
  responsive to said process or job identifier, determining job or process attributes; and
  
  executing said filters within said IP layer with respect to non-IP packet data accessed within said system kernel outside of said protocol stack by constructing and evaluating logical expressions of arbitrary length, said logical expressions selectively including a set of logical operators, alternative filter selector fields, and value set.
- View Dependent Claims (19)
- - 19. The method of claim 18, further comprising the steps for inbound packet processing from said second node to said first node of:
    - initially operating said kernel at said first node upon encountering a filter selector field referencing kernel data not included in said inbound packet to determine a target application for said inbound packet at said first node by executing a look-ahead function within said IP layer of said protocol stack and which, for said inbound packet, said IP layer provides to said transport layer said inbound packet, marked as deny, and receives back from said transport layer indicia, provided to said transport layer by said sockets layer, identifying the application layer application to which said packet would have been delivered.

20. A method for managing and controlling communication traffic by centralizing the access rules, comprising the steps for outbound packet processing from a first node to a second node of:
- receiving said packet in the system kernel of the operating system of said first node from an application or process at said first node, said kernel including a filter processor for constructing and evaluating logical expressions including non-IP packet attributes of arbitrary length, said logical expressions selectively including a set of logical operators, alternative filter selector fields referencing kernel data outside of a protocol stack, and value set, said protocol stack including an IP layer, a transport layer, a sockets layer, and an application layer;
  
  processing said packet within said IP layer including referencing non-protocol stack portions of said system kernel;
  
  by determining a task ID;
  
  responsive to said task ID, determining a corresponding work control block;
  
  determining a user ID control block from said work control block;
  
  from the user ID control block determining attributes for said user; and
  
  passing said attributes to said filter processor for managing and controlling communication traffic.
- View Dependent Claims (21)
- - 21. The method of claim 20, further comprising the steps for inbound packet processing from said second node to said first node of:
    - initially operating said kernel at said first node to determine a target application for said packet at said first node by executing a look-ahead function within said IP layer of said TCP/IP protocol stack, said TCP/IP protocol stack including said IP layer, a transport layer, a sockets layer, and an application layer and which, for said inbound packet, said IP layer provides to said transport layer said inbound packet, marked as deny, and receives back from said transport layer indicia, provided to said transport layer by said sockets layer, identifying the application layer application to which said packet would have been delivered.

22. A method for control and management of communication traffic with respect to a system node, comprising the steps of:
- receiving at said system node an inbound packet;
  
  executing within a protocol stack of the system kernel of said system node a filtering function identifying for said inbound packet a filter including non-IP packet attributes referencing non-packet data, and constructing and evaluating logical expressions of arbitrary length, said logical expressions selectively including a set of logical operators, alternative filter selector fields, and value set;
  
  responsive to said filter, executing a look-ahead function for identifying a target application for said inbound packet;
  
  said look-ahead function executed within the IP layer of a protocol stack including said IP layer, a transport layer, a sockets layer, and an application layer and which, for said IP inbound packet, said IP layer provides to said transport layer said inbound packet, marked as deny, and receives back from said transport layer indicia, provided to said transport layer by said sockets layer, identifying the application layer application to which said packet would have been delivered; and
  
  executing said filtering function and said look-ahead function within said kernel upon encountering a filter selector field referencing kernel data not included in said packet.
- View Dependent Claims (23)
- - 23. The look-ahead function of the method of claim 22 wherein said protocol stack is a TCP/IP protocol stack, and further comprising the steps of:
    - passing to a transport layer function identified by an IP header a packet marked deny for determining which user-level process or job is to receive said packet;
      
      receiving from said transport layer an application layer task identifier for said user-level process or job; and
      
      thereafterpassing said packet marked by said task identifier to said transport layer for delivery to said application layer task.

24. System for control and management of communication traffic, comprising:
- a system kernel including a filter function and stack data;
  
  said filter function including a filter including non-IP packet attributes selectively referencing said stack data for expressing access rules;
  
  said filter function being responsive to receipt of an outbound packet for determining a source application;
  
  said filter function being responsive to receipt of an inbound packet including a filter selector field referencing kernel data not included in said inbound packet for executing a look-ahead function within the IP layer of a TCP/IP protocol stack to determine a target application;
  
  said protocol stack including said IP layer, a transport layer, a sockets layer, and an application layer and which, for said inbound packet, said IP layer provides to said transport layer said inbound packet, marked as deny, and receives back from said transport layer indicia, provided to said transport layer by said sockets layer, identifying the application layer application to which said packet would have been delivered; and
  
  said filter function being responsive to said source or target application for executing filter processing including constructing and evaluating logical expressions of arbitrary length, said logical expressions selectively including a set of logical operators, alternative filter selector fields referencing kernel data not included in a packet, and value set.

25. A system for control and management of aspects of communication traffic within filtering, comprising:
- a system kernel;
  
  a protocol stack including an IP layer, a transport layer, a sockets layer, and an application layer for executing within said IP layer of said system kernel, responsive to an inbound IP packet, a look-ahead function by which said IP layer provides to said transport layer said inbound IP packet, marked as deny, and receives back from said transport layer indicia, provided to said transport layer by said sockets layer, identifying the application layer application to which said packet would have been delivered; and
  
  filtering code within said system kernel operable with respect to non-IP packet data accessed within said system kernel outside of said protocol stack for controlling and managing said aspects of communication traffic;
  
  said filter code for constructing and evaluating logical expressions of arbitrary length including non-IP packet attributes, said logical expressions selectively including a set of logical operators, alternative filter selector fields, and value set.

26. A system for centralizing system-wide communication management and control within filter rules including non-IP packet attributes, comprising:
- filter statements having a syntax for accepting parameters in the form of a selector, each selector specifying selector field, operator, and a set of values;
  
  said selector referencing data that does not exist in IP packets;
  
  a look-ahead function within the IP layer of a protocol stack including said IP layer, a transport layer, a sockets layer, and an application layer, which look-ahead function, responsive to encountering a filter selector field in an inbound packet referencing kernel data not included in said inbound packet, executes within said IP layer to provide to said transport layer said inbound packet, marked as deny, and receive back from said transport layer indicia, provided to said transport layer by said sockets layer, for identifying the application layer application to which said packet would have been delivered; and
  
  a filter processor for constructing and evaluating filter statements including logical expressions of arbitrary length, said logical expressions selectively including a set of logical operators, alternative filter selector fields selectively referencing non-IP packet data accessed within said system kernel outside of said protocol stack, and value set.

27. A system for traversing a portion only of a TCP/IP protocol stack to disallow selective IP packet traffic, comprising:
- a system kernel;
  
  a filter processor executing within said system kernel for constructing and evaluating logical expressions of arbitrary length, said logical expressions selectively including a set of logical operators, alternative filter selector fields selectively referencing non-packet data accessed within said system kernel outside of said TCP/IP protocol stack, and value set;
  
  said filter processor responsive to an inbound packet for executing within an IP layer of said TCP/IP protocol stack a look-ahead function for determining a target application;
  
  said TCP/IP protocol stack including said IP layer, a transport layer, a sockets layer, and an application layer; and
  
  which, for said inbound packet, upon encountering a filter selector field referencing kernel data not included in said inbound packet, said IP layer provides to said transport layer said inbound IP packet, marked as deny, and receives back from said transport layer indicia, provided to said transport layer by said sockets layer, identifying the application layer application to which said packet would have been delivered;
  
  said filter processor responsive to both inbound and outbound packets forprocessing said packet by determining a task ID;
  
  responsive to said task ID, determining a corresponding work control block;
  
  determining a user ID, process or job identifier from said work control block;
  
  from the user ID, process or job identifier selectively determining attributes for said user process or job; and
  
  passing said attributes to said filter processor for managing and controlling communication traffic.

28. A system for expressing access rules as filters, comprising:
- filter statements for accepting parameters in the form of a selector, each selector specifying selector field, operator, and a set of values;
  
  said selector referencing data that does not exist in IP packets for controlling access to an application;
  
  a look-ahead function executing within the IP layer of a protocol stack including said IP layer, a transport layer, a sockets layer, and an application layer and which, for an inbound packet upon encountering a filter selector field referencing kernel data not included in said inbound packet, said look-ahead function provides to said transport layer said inbound packet, marked as deny, and receives back from said transport layer indicia, provided to said transport layer by said sockets layer, identifying the application layer application to which said packet would have been delivered; and
  
  a filter processor for constructing and evaluating said filter statements as logical expressions of arbitrary length, each said logical expression selectively including said operator selected from a set of logical operators, alternative filter selector fields including non-IP packet attributes, and value set.

29. A system for managing and controlling communication traffic by centralizing access rules in filters including non-IP packet attributes executing within and referencing data available in system kernels, comprising:
- a computer readable medium;
  
  first code for receiving a packet in the kernel of the operating system of a first node from an application or process at said first node;
  
  said kernel responsive to an inbound packet, for executing a look-ahead function within the IP layer of a TCP/IP protocol stack including said IP layer, a transport layer, a sockets layer, and an application layer and which, for said inbound packet, upon encountering a filter rule referencing kernel data not included in said inbound packet, said look-ahead function provides to said transport layer said inbound IP packet, marked as deny, and receives back from said transport layer indicia, provided to said transport layer by said sockets layer, identifying the application layer application to which said packet would have been delivered;
  
  second code for processing said packet by determining a task ID;
  
  third code responsive to said task ID for determining a corresponding work control block;
  
  fourth code responsive to said work control block for determining a process or job identifier;
  
  fifth code responsive to said process or job identifier for determining job or process attributes;
  
  sixth code for executing said filters by constructing and evaluating logical expressions of arbitrary length, said logical expressions selectively including a set of logical operators, alternative filter selector fields, and value set; and
  
  whereinsaid first, second, third, fourth, fifth, and sixth code is recorded on said computer readable medium.

30. A system for control and management of communication traffic with respect to a system node, comprising:
- a filtering function executing within the IP layer of a protocol stack of the system kernel of said system node identifying for an inbound packet a filter referencing non-packet data within said system kernel and outside of said protocol stack;
  
  a look-ahead function responsive to said filter referencing non-packet data within said system kernel and outside of said protocol stack for identifying a target application for said inbound packet;
  
  said look-ahead function functioning within said IP layer of said protocol stack including said IP layer, a transport layer, and a sockets layer, and which, for said inbound packet, said IP layer provides to said transport layer said inbound packet, marked as deny, and receives back from said transport layer indicia, provided to said transport layer by said sockets layer, identifying the application to which said packet would have been delivered; and
  
  a filter processor for constructing and evaluating logical expressions of arbitrary length, said logical expressions selectively including a set of logical operators, alternative filter selector fields, and value set.

31. A computer program product for control and management of aspects of communication traffic within filtering, said computer program product comprising:
- a computer readable medium;
  
  first program instructions to receive IP packet data into a TCP/IP protocol stack executing within a system kernel including, for processing an inbound IP packet, a look-ahead function within the IP layer of a protocol stack including said IP layer, a transport layer, a sockets layer, and an application layer and which, for said IP inbound packet, upon encountering a filter selector field referencing kernel data not included in said inbound IP packet, said IP layer provides to said transport layer said inbound IP packet, marked as deny, and receives back from said transport layer indicia, provided to said transport layer by said sockets layer, identifying the application layer application to which said packet would have been delivered;
  
  second program instructions to execute filtering code within said system kernel with respect to non-IP packet data accessed within said system kernel outside of said TCP/IP protocol stack by constructing and evaluating logical expressions of arbitrary length, said logical expressions selectively including a set of logical operators, alternative filter selector fields, and value set; and
  
  whereinsaid first and second program instructions are recorded on said medium.

32. A computer program product for centralizing system-wide communication management and control within filter rules, said computer program product comprising:
- a computer readable medium;
  
  first program instructions to execute filter statements including non-IP packet attributes having a syntax for accepting parameters in the form of a selector, each selector specifying selector field, a logical operator selected from a set of a plurality of logical operators, and a set of values; and
  
  second program instructions to cause said selector to reference data within an operating system kernel outside, of a protocol stack and that does not exist in IP packets, said data including application layer indicia obtained for an incoming packet by a look-ahead function;
  
  said look-ahead function executing within the IP layer of a protocol stack including said IP layer, a transport layer, a sockets layer, and an application layer and which, upon encountering a selector field referencing kernel data not included in said IP inbound packet, said look-ahead function provides to said transport layer said inbound IP packet, marked as deny, and receives back from said transport layer indicia, provided to said transport layer by said sockets layer, identifying the application layer application to which said packet would have been delivered; and
  
  whereinsaid first and second program instructions are recorded on said medium.

33. A computer program product for managing and controlling communication traffic by centralizing access rules in filters including non-IP packet attributes executing within and referencing data available in system kernels, said computer program product comprising:
- a computer readable medium;
  
  first program instructions to receive said packet in the kernel of the operating system of said first node from a process at said first node;
  
  second program instructions to process said packet by determining a task ID;
  
  third program instructions, responsive to said task ID, to determine a corresponding work control block;
  
  fourth program instructions, responsive to said work control block, to determine a process or job identifier;
  
  fifth program instructions, responsive to said process or job identifier, to determine job or process attributes; and
  
  sixth program instructions to execute a filter processor within the IP layer of a protocol stack for constructing and evaluating logical expressions of arbitrary length, said logical expressions selectively including a set of logical operators, alternative filter selector fields referencing non-IP packet attributes for accessing data within said system kernels and outside of said protocol stack, and value set; and
  
  whereinsaid first, second, third, fourth, fifth, and sixth program instructions are recorded on said medium.
- View Dependent Claims (34)
- - 34. The computer program product of claim 33, wherein said protocol stack is a TCP/IP protocol stack, and said computer program product further comprising for inbound packet processing from said second node to said first node:
    - seventh program instructions to initially operate said kernel at said first node to determine a target application for said packet at said first node by executing a look-ahead function within the IP layer of a protocol stack including said IP layer, a transport layer, a sockets layer, and an application layer and which, for said IP inbound packet, said IP layer provides to said transport layer said inbound IP packet, marked as deny, and receives back from said transport layer indicia, provided to said transport layer by said sockets layer, identifying the application layer application to which said packet would have been delivered; and
      
      whereinsaid seventh program instructions are recorded on said medium.

35. A computer program product for control and management of communication traffic, comprising:
- a computer readable medium;
  
  first program instructions for expressing access rules as filters including non-IP packet attributes referencing system kernel data outside of a protocol stack;
  
  second program instructions, for outbound processing, for determining a source application;
  
  third program instructions, for inbound packet processing, for executing a look-ahead function to determine a target application;
  
  said look-ahead function operating within the IP layer of said protocol stack, said protocol stack including said IP layer, a transport layer, a sockets layer, and an application layer and which, for said IP inbound packet, upon encountering a filter selector field referencing kernel data not included in an inbound packet, said look-ahead function provides to said transport layer said inbound IP packet, marked as deny, and receives back from said transport layer indicia, provided to said transport layer by said sockets layer, identifying the application layer application to which said packet would have been delivered;
  
  fourth program instructions, selectively responsive to said source and target applications, and upon encountering a filter selector field referencing kernel data not included in said inbound packet for executing filter processing including constructing and evaluating logical expressions of arbitrary length, said logical expressions selectively including a set of logical operators, alternative filter selector fields, and value set; and
  
  whereinsaid first, second, third, and fourth program instructions are recorded on said computer readable medium.

36. A computer program product for control and management of aspects of communication traffic within filtering, comprising:
- a computer readable medium;
  
  first program instructions for receiving IP packet data into a TCP/IP protocol stack including an IP layer executing within a system kernel;
  
  second program instructions for executing filtering code within said IP layer of said system kernel with respect to non-IP packet data accessed within said system kernel outside of said TCP/IP protocol stack;
  
  said filtering code constructing and evaluating logical expressions of arbitrary length, said logical expressions selectively including a set of logical operators, alternative filter selector fields including non-IP packet attributes, and value set; and
  
  whereinsaid first and second program instructions are recorded on said computer readable medium.

37. A computer program element for centralizing system-wide communication management and control within filter rules, comprising:
- a computer readable medium;
  
  first program instructions for providing filter statements syntax for accepting parameters in the form of a selector, each selector specifying selector field, a logical operator, and a set of values,second program instructions for executing filtering by constructing and evaluating logical expressions of arbitrary length, said logical expressions selectively including said logical operator selected from a set of logical operators, at least one said selector field including non-IP packet attributes accessed within a system kernel and outside of a protocol stack, and at least one said value;
  
  said selector referencing data that does not exist in IP packets including data obtained, for an inbound IP packet, by executing a look-ahead function within the IP layer of said protocol stack, said protocol stack including said IP layer, a transport layer, a sockets layer, and an application layer, and which, for said IP inbound packet, upon encountering a selector field referencing kernel data not included in said inbound IP packet, said look-ahead function provides to said transport layer said inbound IP packet, marked as deny, and receives back from said transport layer indicia, provided to said transport layer by said sockets layer, identifying the application layer application to which said packet would have been delivered; and
  
  whereinsaid first and second program instructions are recorded on said computer readable medium.

38. A computer program product for managing and controlling communication traffic by centralizing access rules in filters on non-IP packet attributes executing within, and referencing data available in, system kernels, comprising:
- a computer readable medium;
  
  first program instructions for receiving said packet in the system kernel of the operating system of said first node from an application or process at said first node;
  
  second program instructions for processing said packet by determining a task ID;
  
  third program instructions, responsive to said task ID, for determining a corresponding work control block;
  
  fourth program instructions, responsive to said work control block, for determining a process or job identifier;
  
  fifth program instructions, responsive to said process or job identifier, for determining job or process attributes;
  
  sixth program instructions for executing a filter processor within the IP level of a protocol stack with respect to non-IP packet data accessed within said system kernel outside of said protocol stack for constructing and evaluating logical expressions of arbitrary length, said logical expressions selectively including a set of logical operators, alternative filter selector fields, and value set; and
  
  whereinsaid first, second, third, fourth, fifth, and sixth program instructions are recorded on said computer readable medium.
- View Dependent Claims (39)
- - 39. The computer program product of claim 38, further comprising for inbound packet processing from said second node to said first node:
    - seventh program instructions initially operating said kernel at said first node to determine a target application for said packet at said first node by executing a look-ahead function within said IP layer of said protocol stack, said protocol stack including said IP layer, a transport layer, a sockets layer, and an application layer and which, for said IP inbound packet, said IP layer provides to said transport layer said inbound IP packet, marked as deny, and receives back from said transport layer indicia, provided to said transport layer by said sockets layer, identifying the application layer application to which said packet would have been delivered; and
      
      whereinsaid seventh program instructions are recorded on said computer readable medium.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
International Business Machines Corporation
Inventors
Boden, Edward B.
Primary Examiner(s)
Jaroenchonwanit, Bunjob
Assistant Examiner(s)
LESNIEWSKI, VICTOR D

Application Number

US09/919,185
Publication Number

US 20030028674A1
Time in Patent Office

2,094 Days
Field of Search

709/223, 709/224, 709/230, 709/232, 709234-236
US Class Current

709/223
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 63/0272   Virtual private networks

H04L 63/104   Grouping of entities

H04L 69/16   Implementation or adaptatio...

H04L 69/161   Implementation details of T...

H04L 69/22   Parsing or analysis of headers

System and method for IP packet filtering based on non-IP packet traffic attributes

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

85 Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for IP packet filtering based on non-IP packet traffic attributes

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

85 Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links