System and method for IP packet filtering based on non-IP packet traffic attributes
Abstract
Control and management of communication traffic. IP packet filtering occurs in an operating system kernel implementation of, for example, the TCP/IP protocol suite. Access rules are expressed as filters referencing system kernel data; for outbound processing, source application indicia is determined; for inbound packet processing, a look-ahead function is executed to determine target application indicia; and responsive to the source or target application indicia, filter processing is executed.
85 Citations
39 Claims
1. A method for control and management of communication traffic, comprising the steps of:
- expressing access rules as filters referencing system kernel data;
- for outbound processing, determining source application indicia;
- for inbound packet processing, executing a look-ahead function to determine target application indicia;
- said look-ahead function being executed within an IP layer of a protocol stack including said IP layer, a transport layer, a sockets layer, and an application layer and which, for said inbound packet, said IP layer provides to said transport layer said inbound packet, marked as deny, and receives back from said transport layer indicia, provided to said transport layer by said sockets layer, identifying the application layer application to which said packet would have been delivered;
- responsive to said source or target application indicia, executing filter processing;
- said filter processing including constructing and evaluating logical expressions including non-IP packet attributes of arbitrary length, and selectively using a set of logical operators, alternative filter selector fields, and value set; and
- executing said determining and executing steps within a kernel filtering function upon encountering a filter selector field referencing kernel data not included in said packet.
Dependent claims: 2, 3, 4, 5, 6.

7. A method for control and management of aspects of communication traffic within filtering, comprising the steps of:
- receiving IP packet data into a TCP/IP protocol stack executing within a system kernel;
- for an inbound IP packet, executing a look-ahead function within an IP layer of a protocol stack including said IP layer, a transport layer, a sockets layer, and an application layer and which, for said IP inbound packet, said IP layer provides to said transport layer said inbound IP packet, marked as deny, and receives back from said transport layer indicia, provided to said transport layer by said sockets layer, identifying the application layer application to which said packet would have been delivered; and
- executing filtering code within said IP layer of said system kernel with respect to non-IP packet data accessed within said system kernel outside of said TCP/IP protocol stack;
- said filtering code constructing and evaluating logical expressions of arbitrary length, and selectively using a set of logical operators, alternative filter selector fields, and value set.
Dependent claims: 8, 9, 10, 11.

12. A method for centralizing system-wide communication management and control within filter rules, comprising the steps of:
- providing filter statements syntax for accepting parameters in the form of a selector, each selector specifying selector field, operator, and a set of values;
- for an inbound packet, executing a look-ahead function within an IP layer of a protocol stack including said IP layer, a transport layer, a sockets layer, and an application layer and which, for said inbound packet, said IP layer provides to said transport layer said inbound packet, marked as deny, and receives back from said transport layer indicia, provided to said transport layer by said sockets layer, identifying the application layer application to which said packet would have been delivered by said sockets layer;
- said selector referencing data that does not exist in IP packets;
- processing said filter statements, including constructing and evaluating logical expressions of arbitrary length including non-IP packet attributes, and selectively using a set of logical operators, alternative filter selector fields, and value set;
- executing said look-ahead function and processing said filter statements within a kernel filtering function upon encountering a filter selector field referencing kernel data not included in said packet.
Dependent claims: 13, 14, 15.

16. A method for traversing a portion only of a protocol stack to disallow selective IP packet traffic, comprising the steps of:
- receiving a packet in the system kernel of the operating system of a first node from an application, said kernel including a filter processor;
- said filter processor for constructing and evaluating logical expressions of arbitrary length including non-IP packet attributes, said logical expressions selectively including a set of logical operators, alternative filter selector fields, and value set;
- for inbound packet processing to a first node from a second node, executing a look-ahead function in an IP layer of said system kernel of said first node to determine a target application;
- said system kernel including a TCP/IP protocol stack including said IP layer, a transport layer, a sockets layer, and an application layer and which, for said inbound packet, said IP layer upon encountering a filter selector field referencing kernel data not included in said inbound packet provides to said transport layer said inbound packet, marked as deny, and receives back from said transport layer source application indicia identifying the application layer application to which said packet would have been delivered;
- for both said inbound packet processing, and for outbound packet processing from said first node to said second node, executing within said kernel the steps of processing said packet by determining a task ID; responsive to said task ID, determining a corresponding work control block; determining a user ID, process or job identifier from said work control block; from the user ID, process or job identifier selectively determining attributes for said user process or job; and passing said attributes to said filter processor for managing and controlling communication traffic.
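Claims 1 and 16 describe the mechanism in claim language; the Python model below is added here as an illustration and is not code from the patent or from any vendor implementation. Rules are logical expressions over selectors (field, operator, value set); when evaluation reaches a selector naming data that is not in the packet, the filter runs the inbound look-ahead or the outbound task ID to work control block lookup. The listener table, work control blocks, field and operator names, rule syntax and addresses are all constructed assumptions.

```python
"""Model of the application-aware kernel packet filter described in the claims.
All tables, names and the rule syntax are constructed for this example; they are
not the patent's or any vendor's implementation."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Any, Optional

# Sockets-layer view: which application would receive a (proto, port) delivery.
LISTENERS = {("tcp", 22): "sshd", ("tcp", 443): "webserv", ("udp", 514): "syslogd"}
# Task ID -> work control block (WCB) -> job / user / application attributes.
WORK_CONTROL_BLOCKS = {
    101: {"job": "PAYROLL", "user": "acct01", "app": "payroll"},
    202: {"job": "BATCHX", "user": "guest", "app": "ftpclnt"},
}
# Selector fields present in the packet itself; any other field is kernel data.
PACKET_FIELDS = {"direction", "proto", "src_ip", "dst_ip", "src_port", "dst_port"}


@dataclass
class Packet:
    direction: str                 # "in" or "out"
    proto: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    task_id: Optional[int] = None  # sending task, outbound packets only
    kernel: dict = field(default_factory=dict)  # filled lazily by the filter


def look_ahead(pkt: Packet) -> dict:
    """Inbound: the IP layer hands the packet up marked 'deny', so the transport
    and sockets layers report the target application instead of delivering."""
    return {"app": LISTENERS.get((pkt.proto, pkt.dst_port)), "user": None, "job": None}


def source_attributes(pkt: Packet) -> dict:
    """Outbound: task ID -> work control block -> user / job / app attributes."""
    wcb = WORK_CONTROL_BLOCKS.get(pkt.task_id, {})
    return {"app": wcb.get("app"), "user": wcb.get("user"), "job": wcb.get("job")}


def field_value(pkt: Packet, name: str) -> Any:
    """Resolve one selector field. Kernel data outside the packet is fetched
    only when a selector actually references it, and only once per packet."""
    if name in PACKET_FIELDS:
        return getattr(pkt, name)
    if not pkt.kernel:
        pkt.kernel = look_ahead(pkt) if pkt.direction == "in" else source_attributes(pkt)
    return pkt.kernel.get(name)


# Selector operators: each compares one field value against a value set.
OPERATORS = {
    "eq": lambda v, vals: v in vals,
    "ne": lambda v, vals: v not in vals,
    "in_net": lambda v, vals: any(ip_address(v) in ip_network(n) for n in vals),
}


def evaluate(expr, pkt: Packet) -> bool:
    """Logical expressions of arbitrary depth: ("and", [e, ...]), ("or", [e, ...]),
    ("not", e), or a selector tuple (field, operator, value_set)."""
    head = expr[0]
    if head == "and":
        return all(evaluate(e, pkt) for e in expr[1])
    if head == "or":
        return any(evaluate(e, pkt) for e in expr[1])
    if head == "not":
        return not evaluate(expr[1], pkt)
    name, oper, values = expr
    value = field_value(pkt, name)
    # Unresolvable kernel data (no listener, unknown task) never satisfies a selector.
    return value is not None and OPERATORS[oper](value, values)


def filter_packet(rules, pkt: Packet) -> str:
    """The first rule whose expression matches decides; no match means deny."""
    for action, expr in rules:
        if evaluate(expr, pkt):
            return action
    return "deny"


BANK_NET = ["192.0.2.0/24"]  # constructed sample destination network
RULES = [
    # Inbound SSH only from the management subnet, and only if sshd would receive it.
    ("permit", ("and", [("direction", "eq", {"in"}), ("dst_port", "eq", {22}),
                        ("src_ip", "in_net", ["10.1.0.0/16"]), ("app", "eq", {"sshd"})])),
    # Inbound traffic to whatever port the web server application listens on.
    ("permit", ("and", [("direction", "eq", {"in"}), ("app", "eq", {"webserv"})])),
    # Outbound to the bank network only from the PAYROLL job running as acct01.
    ("permit", ("and", [("direction", "eq", {"out"}), ("dst_ip", "in_net", BANK_NET),
                        ("job", "eq", {"PAYROLL"}), ("user", "eq", {"acct01"})])),
    # Other outbound destinations: permitted for the PAYROLL job or the guest user.
    ("permit", ("and", [("direction", "eq", {"out"}), ("not", ("dst_ip", "in_net", BANK_NET)),
                        ("or", [("job", "eq", {"PAYROLL"}), ("user", "eq", {"guest"})])])),
]

if __name__ == "__main__":
    pkt = Packet("in", "tcp", "10.1.2.3", "10.0.0.5", 40000, 22)
    print(filter_packet(RULES, pkt), pkt.kernel)  # look-ahead resolved sshd as target
```

Because evaluation short-circuits, a packet rejected on its IP fields alone never triggers the look-ahead or the work control block lookup, which is the cost-saving the claims' "upon encountering a filter selector field referencing kernel data" wording points at.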

17. A method for expressing access rules as filters, comprising the steps of:
- providing a filter statements syntax for accepting parameters in the form of a selector, each selector specifying selector field, operator, and a set of values; and
- said selector referencing data within a system kernel outside of a protocol stack that does not exist in IP packets for controlling access to an application;
- for an inbound IP packet, executing a look-ahead function within the IP layer of said protocol stack, said protocol stack including said IP layer, a transport layer, a sockets layer, and an application layer and which, for said IP inbound packet, said look-ahead function in said IP layer upon encountering a filter selector field referencing kernel data not included in said inbound IP packet provides to said transport layer said inbound IP packet, marked as deny, and receives back from said transport layer indicia, provided to said transport layer by said sockets layer, identifying the application layer application to which said packet would have been delivered; and
- processing said filter statements within said IP layer of said protocol stack with respect to non-IP packet data accessed within said system kernel outside of said protocol stack by constructing and evaluating logical expressions including non-IP packet attributes of arbitrary length, said logical expressions selectively including a set of logical operators, alternative filter selector fields, and value set referencing said application layer application.

18. A method for managing and controlling communication traffic by centralizing access rules in filters including non-IP packet attributes executing within and referencing data available in system kernels outside of a protocol stack having an IP layer, a transport layer, and a sockets layer, comprising the steps for outbound packet processing from a first node to a second node of:
- receiving said packet in the kernel of the operating system of said first node from an application or process at said first node;
- processing said packet by determining a task ID;
- responsive to said task ID, determining a corresponding work control block;
- responsive to said work control block, determining a process or job identifier;
- responsive to said process or job identifier, determining job or process attributes; and
- executing said filters within said IP layer with respect to non-IP packet data accessed within said system kernel outside of said protocol stack by constructing and evaluating logical expressions of arbitrary length, said logical expressions selectively including a set of logical operators, alternative filter selector fields, and value set.
Dependent claims: 19.

20. A method for managing and controlling communication traffic by centralizing the access rules, comprising the steps for outbound packet processing from a first node to a second node of:
- receiving said packet in the system kernel of the operating system of said first node from an application or process at said first node, said kernel including a filter processor for constructing and evaluating logical expressions including non-IP packet attributes of arbitrary length, said logical expressions selectively including a set of logical operators, alternative filter selector fields referencing kernel data outside of a protocol stack, and value set, said protocol stack including an IP layer, a transport layer, a sockets layer, and an application layer;
- processing said packet within said IP layer including referencing non-protocol stack portions of said system kernel, by determining a task ID;
- responsive to said task ID, determining a corresponding work control block;
- determining a user ID control block from said work control block;
- from the user ID control block determining attributes for said user; and
- passing said attributes to said filter processor for managing and controlling communication traffic.
Dependent claims: 21.

22. A method for control and management of communication traffic with respect to a system node, comprising the steps of:
- receiving at said system node an inbound packet;
- executing within a protocol stack of the system kernel of said system node a filtering function identifying for said inbound packet a filter including non-IP packet attributes referencing non-packet data, and constructing and evaluating logical expressions of arbitrary length, said logical expressions selectively including a set of logical operators, alternative filter selector fields, and value set;
- responsive to said filter, executing a look-ahead function for identifying a target application for said inbound packet;
- said look-ahead function executed within the IP layer of a protocol stack including said IP layer, a transport layer, a sockets layer, and an application layer and which, for said IP inbound packet, said IP layer provides to said transport layer said inbound packet, marked as deny, and receives back from said transport layer indicia, provided to said transport layer by said sockets layer, identifying the application layer application to which said packet would have been delivered; and
- executing said filtering function and said look-ahead function within said kernel upon encountering a filter selector field referencing kernel data not included in said packet.
Dependent claims: 23.

24. System for control and management of communication traffic, comprising:
- a system kernel including a filter function and stack data;
- said filter function including a filter including non-IP packet attributes selectively referencing said stack data for expressing access rules;
- said filter function being responsive to receipt of an outbound packet for determining a source application;
- said filter function being responsive to receipt of an inbound packet including a filter selector field referencing kernel data not included in said inbound packet for executing a look-ahead function within the IP layer of a TCP/IP protocol stack to determine a target application;
- said protocol stack including said IP layer, a transport layer, a sockets layer, and an application layer and which, for said inbound packet, said IP layer provides to said transport layer said inbound packet, marked as deny, and receives back from said transport layer indicia, provided to said transport layer by said sockets layer, identifying the application layer application to which said packet would have been delivered; and
- said filter function being responsive to said source or target application for executing filter processing including constructing and evaluating logical expressions of arbitrary length, said logical expressions selectively including a set of logical operators, alternative filter selector fields referencing kernel data not included in a packet, and value set.

25. A system for control and management of aspects of communication traffic within filtering, comprising:
- a system kernel;
- a protocol stack including an IP layer, a transport layer, a sockets layer, and an application layer for executing within said IP layer of said system kernel, responsive to an inbound IP packet, a look-ahead function by which said IP layer provides to said transport layer said inbound IP packet, marked as deny, and receives back from said transport layer indicia, provided to said transport layer by said sockets layer, identifying the application layer application to which said packet would have been delivered; and
- filtering code within said system kernel operable with respect to non-IP packet data accessed within said system kernel outside of said protocol stack for controlling and managing said aspects of communication traffic;
- said filter code for constructing and evaluating logical expressions of arbitrary length including non-IP packet attributes, said logical expressions selectively including a set of logical operators, alternative filter selector fields, and value set.

26. A system for centralizing system-wide communication management and control within filter rules including non-IP packet attributes, comprising:
- filter statements having a syntax for accepting parameters in the form of a selector, each selector specifying selector field, operator, and a set of values;
- said selector referencing data that does not exist in IP packets;
- a look-ahead function within the IP layer of a protocol stack including said IP layer, a transport layer, a sockets layer, and an application layer, which look-ahead function, responsive to encountering a filter selector field in an inbound packet referencing kernel data not included in said inbound packet, executes within said IP layer to provide to said transport layer said inbound packet, marked as deny, and receive back from said transport layer indicia, provided to said transport layer by said sockets layer, for identifying the application layer application to which said packet would have been delivered; and
- a filter processor for constructing and evaluating filter statements including logical expressions of arbitrary length, said logical expressions selectively including a set of logical operators, alternative filter selector fields selectively referencing non-IP packet data accessed within said system kernel outside of said protocol stack, and value set.

27. A system for traversing a portion only of a TCP/IP protocol stack to disallow selective IP packet traffic, comprising:
- a system kernel;
- a filter processor executing within said system kernel for constructing and evaluating logical expressions of arbitrary length, said logical expressions selectively including a set of logical operators, alternative filter selector fields selectively referencing non-packet data accessed within said system kernel outside of said TCP/IP protocol stack, and value set;
- said filter processor responsive to an inbound packet for executing within an IP layer of said TCP/IP protocol stack a look-ahead function for determining a target application;
- said TCP/IP protocol stack including said IP layer, a transport layer, a sockets layer, and an application layer; and which, for said inbound packet, upon encountering a filter selector field referencing kernel data not included in said inbound packet, said IP layer provides to said transport layer said inbound IP packet, marked as deny, and receives back from said transport layer indicia, provided to said transport layer by said sockets layer, identifying the application layer application to which said packet would have been delivered;
- said filter processor responsive to both inbound and outbound packets for processing said packet by determining a task ID; responsive to said task ID, determining a corresponding work control block; determining a user ID, process or job identifier from said work control block; from the user ID, process or job identifier selectively determining attributes for said user process or job; and passing said attributes to said filter processor for managing and controlling communication traffic.

28. A system for expressing access rules as filters, comprising:
- filter statements for accepting parameters in the form of a selector, each selector specifying selector field, operator, and a set of values;
- said selector referencing data that does not exist in IP packets for controlling access to an application;
- a look-ahead function executing within the IP layer of a protocol stack including said IP layer, a transport layer, a sockets layer, and an application layer and which, for an inbound packet upon encountering a filter selector field referencing kernel data not included in said inbound packet, said look-ahead function provides to said transport layer said inbound packet, marked as deny, and receives back from said transport layer indicia, provided to said transport layer by said sockets layer, identifying the application layer application to which said packet would have been delivered; and
- a filter processor for constructing and evaluating said filter statements as logical expressions of arbitrary length, each said logical expression selectively including said operator selected from a set of logical operators, alternative filter selector fields including non-IP packet attributes, and value set.

29. A system for managing and controlling communication traffic by centralizing access rules in filters including non-IP packet attributes executing within and referencing data available in system kernels, comprising:
- a computer readable medium;
- first code for receiving a packet in the kernel of the operating system of a first node from an application or process at said first node;
- said kernel responsive to an inbound packet, for executing a look-ahead function within the IP layer of a TCP/IP protocol stack including said IP layer, a transport layer, a sockets layer, and an application layer and which, for said inbound packet, upon encountering a filter rule referencing kernel data not included in said inbound packet, said look-ahead function provides to said transport layer said inbound IP packet, marked as deny, and receives back from said transport layer indicia, provided to said transport layer by said sockets layer, identifying the application layer application to which said packet would have been delivered;
- second code for processing said packet by determining a task ID;
- third code responsive to said task ID for determining a corresponding work control block;
- fourth code responsive to said work control block for determining a process or job identifier;
- fifth code responsive to said process or job identifier for determining job or process attributes;
- sixth code for executing said filters by constructing and evaluating logical expressions of arbitrary length, said logical expressions selectively including a set of logical operators, alternative filter selector fields, and value set; and
- wherein said first, second, third, fourth, fifth, and sixth code is recorded on said computer readable medium.

30. A system for control and management of communication traffic with respect to a system node, comprising:
- a filtering function executing within the IP layer of a protocol stack of the system kernel of said system node identifying for an inbound packet a filter referencing non-packet data within said system kernel and outside of said protocol stack;
- a look-ahead function responsive to said filter referencing non-packet data within said system kernel and outside of said protocol stack for identifying a target application for said inbound packet;
- said look-ahead function functioning within said IP layer of said protocol stack including said IP layer, a transport layer, and a sockets layer, and which, for said inbound packet, said IP layer provides to said transport layer said inbound packet, marked as deny, and receives back from said transport layer indicia, provided to said transport layer by said sockets layer, identifying the application to which said packet would have been delivered; and
- a filter processor for constructing and evaluating logical expressions of arbitrary length, said logical expressions selectively including a set of logical operators, alternative filter selector fields, and value set.

31. A computer program product for control and management of aspects of communication traffic within filtering, said computer program product comprising:
- a computer readable medium;
- first program instructions to receive IP packet data into a TCP/IP protocol stack executing within a system kernel including, for processing an inbound IP packet, a look-ahead function within the IP layer of a protocol stack including said IP layer, a transport layer, a sockets layer, and an application layer and which, for said IP inbound packet, upon encountering a filter selector field referencing kernel data not included in said inbound IP packet, said IP layer provides to said transport layer said inbound IP packet, marked as deny, and receives back from said transport layer indicia, provided to said transport layer by said sockets layer, identifying the application layer application to which said packet would have been delivered;
- second program instructions to execute filtering code within said system kernel with respect to non-IP packet data accessed within said system kernel outside of said TCP/IP protocol stack by constructing and evaluating logical expressions of arbitrary length, said logical expressions selectively including a set of logical operators, alternative filter selector fields, and value set; and
- wherein said first and second program instructions are recorded on said medium.

32. A computer program product for centralizing system-wide communication management and control within filter rules, said computer program product comprising:
- a computer readable medium;
- first program instructions to execute filter statements including non-IP packet attributes having a syntax for accepting parameters in the form of a selector, each selector specifying selector field, a logical operator selected from a set of a plurality of logical operators, and a set of values; and
- second program instructions to cause said selector to reference data within an operating system kernel outside of a protocol stack and that does not exist in IP packets, said data including application layer indicia obtained for an incoming packet by a look-ahead function;
- said look-ahead function executing within the IP layer of a protocol stack including said IP layer, a transport layer, a sockets layer, and an application layer and which, upon encountering a selector field referencing kernel data not included in said IP inbound packet, said look-ahead function provides to said transport layer said inbound IP packet, marked as deny, and receives back from said transport layer indicia, provided to said transport layer by said sockets layer, identifying the application layer application to which said packet would have been delivered; and
- wherein said first and second program instructions are recorded on said medium.

33. A computer program product for managing and controlling communication traffic by centralizing access rules in filters including non-IP packet attributes executing within and referencing data available in system kernels, said computer program product comprising:
- a computer readable medium;
- first program instructions to receive said packet in the kernel of the operating system of said first node from a process at said first node;
- second program instructions to process said packet by determining a task ID;
- third program instructions, responsive to said task ID, to determine a corresponding work control block;
- fourth program instructions, responsive to said work control block, to determine a process or job identifier;
- fifth program instructions, responsive to said process or job identifier, to determine job or process attributes; and
- sixth program instructions to execute a filter processor within the IP layer of a protocol stack for constructing and evaluating logical expressions of arbitrary length, said logical expressions selectively including a set of logical operators, alternative filter selector fields referencing non-IP packet attributes for accessing data within said system kernels and outside of said protocol stack, and value set; and
- wherein said first, second, third, fourth, fifth, and sixth program instructions are recorded on said medium.
Dependent claims: 34.

35. A computer program product for control and management of communication traffic, comprising:
- a computer readable medium;
- first program instructions for expressing access rules as filters including non-IP packet attributes referencing system kernel data outside of a protocol stack;
- second program instructions, for outbound processing, for determining a source application;
- third program instructions, for inbound packet processing, for executing a look-ahead function to determine a target application;
- said look-ahead function operating within the IP layer of said protocol stack, said protocol stack including said IP layer, a transport layer, a sockets layer, and an application layer and which, for said IP inbound packet, upon encountering a filter selector field referencing kernel data not included in an inbound packet, said look-ahead function provides to said transport layer said inbound IP packet, marked as deny, and receives back from said transport layer indicia, provided to said transport layer by said sockets layer, identifying the application layer application to which said packet would have been delivered;
- fourth program instructions, selectively responsive to said source and target applications, and upon encountering a filter selector field referencing kernel data not included in said inbound packet for executing filter processing including constructing and evaluating logical expressions of arbitrary length, said logical expressions selectively including a set of logical operators, alternative filter selector fields, and value set; and
- wherein said first, second, third, and fourth program instructions are recorded on said computer readable medium.

36. A computer program product for control and management of aspects of communication traffic within filtering, comprising:
- a computer readable medium;
- first program instructions for receiving IP packet data into a TCP/IP protocol stack including an IP layer executing within a system kernel;
- second program instructions for executing filtering code within said IP layer of said system kernel with respect to non-IP packet data accessed within said system kernel outside of said TCP/IP protocol stack;
- said filtering code constructing and evaluating logical expressions of arbitrary length, said logical expressions selectively including a set of logical operators, alternative filter selector fields including non-IP packet attributes, and value set; and
- wherein said first and second program instructions are recorded on said computer readable medium.

37. A computer program element for centralizing system-wide communication management and control within filter rules, comprising:
- a computer readable medium;
- first program instructions for providing filter statements syntax for accepting parameters in the form of a selector, each selector specifying selector field, a logical operator, and a set of values;
- second program instructions for executing filtering by constructing and evaluating logical expressions of arbitrary length, said logical expressions selectively including said logical operator selected from a set of logical operators, at least one said selector field including non-IP packet attributes accessed within a system kernel and outside of a protocol stack, and at least one said value;
- said selector referencing data that does not exist in IP packets including data obtained, for an inbound IP packet, by executing a look-ahead function within the IP layer of said protocol stack, said protocol stack including said IP layer, a transport layer, a sockets layer, and an application layer, and which, for said IP inbound packet, upon encountering a selector field referencing kernel data not included in said inbound IP packet, said look-ahead function provides to said transport layer said inbound IP packet, marked as deny, and receives back from said transport layer indicia, provided to said transport layer by said sockets layer, identifying the application layer application to which said packet would have been delivered; and
- wherein said first and second program instructions are recorded on said computer readable medium.

38. A computer program product for managing and controlling communication traffic by centralizing access rules in filters on non-IP packet attributes executing within, and referencing data available in, system kernels, comprising:
- a computer readable medium;
- first program instructions for receiving said packet in the system kernel of the operating system of said first node from an application or process at said first node;
- second program instructions for processing said packet by determining a task ID;
- third program instructions, responsive to said task ID, for determining a corresponding work control block;
- fourth program instructions, responsive to said work control block, for determining a process or job identifier;
- fifth program instructions, responsive to said process or job identifier, for determining job or process attributes;
- sixth program instructions for executing a filter processor within the IP level of a protocol stack with respect to non-IP packet data accessed within said system kernel outside of said protocol stack for constructing and evaluating logical expressions of arbitrary length, said logical expressions selectively including a set of logical operators, alternative filter selector fields, and value set; and
- wherein said first, second, third, fourth, fifth, and sixth program instructions are recorded on said computer readable medium.
Dependent claims: 39.