Rule set conflict resolution

US 7,505,463 B2
Filed: 06/15/2004
Issued: 03/17/2009
Est. Priority Date: 06/15/2004
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving a plurality of packet flow rules from multiple network services, wherein each packet flow rule comprises a packet filter and an action list including one or more prioritized actions, wherein each network service has a priority, and wherein the packet flow rules from each network service comprise a priority expressed either by longest prefix, or ordered precedence;

generating a unified rule set according to the received packet flow rules, wherein said generating comprises;

identifying conflicts between rule pairs, wherein each rule pair includes a higher priority rule and a lower priority rule; and

resolving the identified conflicts according to a priority relationship between the higher priority rule and the lower priority rule.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A flow manager may receive prioritized packet flow rules from multiple prioritized network services where each flow rule may comprise a packet filter and a prioritized action list. The priority for the flow rules from each network service may be expressed as either longest prefix or ordered precedence. The flow manager may generate a unified rule set according to the received packet flow rules by identifying conflict between pairs of rules and resolving the identified conflicts according the priority relationship two rules of each pair. When resolving conflicts between rules, the flow manager may append the action list of one rule to the action list of another rule, and may also create a new rule by combining the packet filters and actions lists of the conflicting rules.

200 Citations

43 Claims

1. A method, comprising:
- receiving a plurality of packet flow rules from multiple network services, wherein each packet flow rule comprises a packet filter and an action list including one or more prioritized actions, wherein each network service has a priority, and wherein the packet flow rules from each network service comprise a priority expressed either by longest prefix, or ordered precedence;
  
  generating a unified rule set according to the received packet flow rules, wherein said generating comprises;
  
  identifying conflicts between rule pairs, wherein each rule pair includes a higher priority rule and a lower priority rule; and
  
  resolving the identified conflicts according to a priority relationship between the higher priority rule and the lower priority rule.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein said resolving comprises modifying the action list of one or more of the conflicting rules.
  - 3. The method of claim 2, wherein said modifying comprises appending the actions of the lower priority conflicting rule to the actions of the higher priority conflicting rule if the packet set specified by the packet filter of the higher priority conflicting rule is equal to the packet set specified by the packet filter of the lower priority rule.
  - 4. The method of claim 2, wherein said modifying comprises prepending the actions of the higher priority conflicting rule to the actions of the lower priority conflicting rule if the set of packets specified by the packet filter of the higher priority conflicting rule is a superset of the set of packets specified by the packet filter of the lower priority rule.
  - 5. The method of claim 2, wherein said modifying comprises appending the actions of the lower priority conflicting rule to the actions of the higher priority conflicting rule if the packet set specified by the packet filter of the lower priority conflicting rule is a superset of the packet set specified by the packet filter of the higher priority rule.
  - 6. The method of claim 2, wherein said resolving comprises cloning one or more of the conflicting rules prior to modifying the action list of one or more of the conflicting rules.
  - 7. The method of claim 1, wherein said resolving comprises creating a new rule comprising a packet filter specifying a packet set representing the intersection of the packet sets specified by the packet filters of the conflicting rules if the set of packets specified by the packet filter of the lower priority conflicting rule intersects the set of packets specified by the packet filter of the higher priority conflicting rule, wherein the new rule further comprises an action list including the actions of the lower priority conflicting rule appended to the actions of the higher priority rule.
  - 8. The method of claim 1, wherein the priority of each of the rules is based upon one or more of the following:
    - a priority associated with the network service from which the rule originated;
      
      the length of the prefix specified by the packet filter of the rule; and
      
      the order in which the rule was received from its originating network service.
  - 9. The method of claim 1, wherein an action of a packet flow rule can specify one or more of the following:
    - dropping a packet specified by the packet filter of the packet flow rule;
      
      gathering statistical information about a packet specified by the packet filter of the packet flow rule;
      
      controlling timer functions associated with a packet specified by the packet filter of the packet flow rule;
      
      modifying a packet specified by the packet filter of the packet flow rule; and
      
      passing the packet on.
  - 10. The method of claim 1, wherein the network services comprise one or more of the following:
    - a firewall service;
      
      a service level agreement monitoring service;
      
      a load balancing service; and
      
      a fail over service.
  - 11. The method of claim 1, further comprising reordering one or more rules whose priority is expressed by longest prefix to reflect that same priority through ordered precedence.
  - 12. The method of claim 1 further comprising installing the unified rule set on a flow enforcement device configured to apply packet flows rules according to a longest prefix priority policy.
  - 13. The method of claim 1 further comprising installing the unified rule set on a flow enforcement device configured to apply packet flows rules according to an ordered precedence priority policy.
  - 14. The method of claim 1, further comprising:
    - receiving a new packet flow rule from a network service;
      
      inserting the new packet flow rule into the unified rule set according to the priority of the new packet flow rule;
      
      identifying one or more conflicts between the new packet flow rule and existing rules of the unified rule set; and
      
      resolving the identified conflicts according to a priority relation between the conflicting rules.

15. A device, comprising:
- a processor; and
  
  a memory coupled to the processor, wherein the memory comprises program instructions configured to;
  
  receive a plurality of packet flow rules from multiple network services, wherein each packet flow rule comprises a packet filter and an action list including one or more prioritized actions, wherein each network service has a priority, and wherein the packet flow rules from each network service comprise a priority expressed either by longest prefix, or ordered precedence;
  
  generate a unified rule set according to the received packet flow rules, wherein said generating comprises;
  
  identify conflicts between rule pairs, wherein each rule pair includes a higher priority rule and a lower priority rule; and
  
  resolve the identified conflicts according to a priority relationship between the higher priority rule and the lower priority rule.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 16. The device of claim 15, wherein in said resolving the program instructions are configured to modify the action list of one or more of the conflicting rules.
  - 17. The device of claim 16, wherein in said modifying the program instructions are configured to append the actions of the lower priority conflicting rule to the actions of the higher priority conflicting rule if the packet set specified by the packet filter of the higher priority conflicting rule is equal to the packet set specified by the packet filter of the lower priority rule.
  - 18. The device of claim 16, wherein in said modifying the program instructions are configured to prepend the actions of the higher priority conflicting rule to the actions of the lower priority conflicting rule if the set of packets specified by the packet filter of the higher priority conflicting rule is a superset of the set of packets specified by the packet filter of the lower priority rule.
  - 19. The device of claim 16, wherein in said modifying the program instructions are configured to append the actions of the lower priority conflicting rule to the actions of the higher priority conflicting rule if the packet set specified by the packet filter of the lower priority conflicting rule is a superset of the packet set specified by the packet filter of the higher priority rule.
  - 20. The device of claim 16, wherein in said resolving the program instructions are configured to clone one or more of the conflicting rules prior to modifying the action list of one or more of the conflicting rules.
  - 21. The device of claim 15, wherein in said resolving the program instructions are configured to create a new rule comprising a packet filter specifying a packet set representing the intersection of the packet sets specified by the packet filters of the conflicting rules if the set of packets specified by the packet filter of the lower priority conflicting rule intersects the set of packets specified by the packet filter of the higher priority conflicting rule, wherein the new rule further comprises an action list including the actions of the lower priority conflicting rule appended to the actions of the higher priority rule.
  - 22. The device of claim 15, wherein the priority of each of the rules is based upon one or more of the following:
    - a priority associated with the network service from which the rule originated;
      
      the length of the prefix specified by the packet filter of the rule; and
      
      the order in which the rule was received from its originating network service.
  - 23. The device of claim 15, wherein an action of a packet flow rule can specify one or more of the following:
    - dropping a packet specified by the packet filter of the packet flow rule;
      
      gathering statistical information about a packet specified by the packet filter of the packet flow rule;
      
      controlling timer functions associated with a packet specified by the packet filter of the packet flow rule;
      
      modifying a packet specified by the packet filter of the packet flow rule; and
      
      passing the packet on.
  - 24. The device of claim 15, wherein the network services comprise one or more of the following:
    - a firewall service;
      
      a service level agreement monitoring service;
      
      a load balancing service; and
      
      a fail over service.
  - 25. The device of claim 15, further comprising reordering one or more rules whose priority is expressed by longest prefix to reflect that same priority through ordered precedence.
  - 26. The device of claim 15, wherein the program instructions are further configured to install the unified rule set on a flow enforcement device configured to apply packet flows rules according to a longest prefix priority policy.
  - 27. The device of claim 15 wherein the program instructions are further configured to install the unified rule set on a flow enforcement device configured to apply packet flows rules according to an ordered precedence priority policy.
  - 28. The device of claim 15, wherein the program instructions are further configured to:
    - receive a new packet flow rule from a network service;
      
      insert the new packet flow rule into the unified rule set according to the priority of the new packet flow rule;
      
      identify one or more conflicts between the new packet flow rule and existing rules of the unified rule set; and
      
      resolve the identified conflicts according to a priority relation between the conflicting rules.

29. A system comprising:
- a plurality of network services;
  
  a flow enforcement device; and
  
  a flow manager configured to;
  
  receive a plurality of packet flow rules from the plurality of network services, wherein each packet flow rule comprises a packet filter and an action list including one or more prioritized actions, wherein each network service has a priority, and wherein the packet flow rules from each network service comprise a priority expressed either by longest prefix, or ordered precedence;
  
  generate a unified rule set according to the packet flow rules, wherein in said generating the flow manager if configured to;
  
  identify conflicts between rule pairs, wherein each rule pair includes a higher priority rule and a lower priority rule; and
  
  resolve the identified conflicts according to a priority relationship between the higher priority rule and the lower priority rule; and
  
  install the unified rule set to the flow enforcement device.

30. A computer accessible medium, comprising program instructions configured to implement:
- receiving a plurality of packet flow rules from multiple network services, wherein each packet flow rule comprises a packet filter and an action list including one or more prioritized actions, wherein each network service has a priority, and wherein the packet flow rules from each network service comprise a priority expressed either by longest prefix, or ordered precedence;
  
  generating a unified rule set according to the received packet flow rules, wherein said generating comprises;
  
  identifying conflicts between rule pairs, wherein each rule pair includes a higher priority rule and a lower priority rule; and
  
  resolving the identified conflicts according to a priority relationship between the higher priority rule and the lower priority rule.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43)
- - 31. The computer accessible medium of claim 30, wherein in said resolving the program instructions are configured to implement modifying the action list of one or more of the conflicting rules.
  - 32. The computer accessible medium of claim 31, wherein in said modifying the program instructions are configured to implement appending the actions of the lower priority conflicting rule to the actions of the higher priority conflicting rule if the packet set specified by the packet filter of the higher priority conflicting rule is equal to the packet set specified by the packet filter of the lower priority rule.
  - 33. The computer accessible medium of claim 31, wherein in said modifying the program instructions are configured to implement prepending the actions of the higher priority conflicting rule to the actions of the lower priority conflicting rule if the set of packets specified by the packet filter of the higher priority conflicting rule is a superset of the set of packets specified by the packet filter of the lower priority rule.
  - 34. The computer accessible medium of claim 31, wherein in said modifying the program instructions are configured to implement appending the actions of the lower priority conflicting rule to the actions of the higher priority conflicting rule if the packet set specified by the packet filter of the lower priority conflicting rule is a superset of the packet set specified by the packet filter of the higher priority rule.
  - 35. The computer accessible medium of claim 31, wherein in said resolving the program instructions are configured to implement cloning one or more of the conflicting rules prior to modifying the action list of one or more of the conflicting rules.
  - 36. The computer accessible medium of claim 30, wherein in said resolving the program instructions are configured to implement creating a new rule comprising a packet filter specifying a packet set representing the intersection of the packet sets specified by the packet filters of the conflicting rules if the set of packets specified by the packet filter of the lower priority conflicting rule intersects the set of packets specified by the packet filter of the higher priority conflicting rule, wherein the new rule further comprises an action list including the actions of the lower priority conflicting rule appended to the actions of the higher priority rule.
  - 37. The computer accessible medium of claim 30, wherein the priority of each of the rules is based upon one or more of the following:
    - a priority associated with the network service from which the rule originated;
      
      the length of the prefix specified by the packet filter of the rule; and
      
      the order in which the rule was received from its originating network service.
  - 38. The computer accessible medium of claim 30, wherein an action of a packet flow rule can specify one or more of the following:
    - dropping a packet specified by the packet filter of the packet flow rule;
      
      gathering statistical information about a packet specified by the packet filter of the packet flow rule;
      
      controlling timer functions associated with a packet specified by the packet filter of the packet flow rule;
      
      modifying a packet specified by the packet filter of the packet flow rule; and
      
      passing the packet on.
  - 39. The computer accessible medium of claim 30, wherein the network services comprise one or more of the following:
    - a firewall service;
      
      a service level agreement monitoring service;
      
      a load balancing service; and
      
      a fail over service.
  - 40. The computer accessible medium of claim 30, wherein the program instructions are further configured to implement reordering one or more rules whose priority is expressed by longest prefix to reflect that same priority through ordered precedence.
  - 41. The computer accessible medium of claim 30, wherein the program instructions are further configured to implement installing the unified rule set on a flow enforcement device configured to apply packet flows rules according to a longest prefix priority policy.
  - 42. The computer accessible medium of claim 30, wherein the program instructions are further configured to implement installing the unified rule set on a flow enforcement device configured to apply packet flows rules according to an ordered precedence priority policy.
  - 43. The computer accessible medium of claim 30, wherein the program instructions are further configured to implement:
    - receiving a new packet flow rule from a network service;
      
      inserting the new packet flow rule into the unified rule set according to the priority of the new packet flow rule;
      
      identifying one or more conflicts between the new packet flow rule and existing rules of the unified rule set; and
      
      resolving the identified conflicts according to a priority relation between the conflicting rules.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Schuba, Christoph L., Goldschmidt, Jason L.
Primary Examiner(s)
Harper; Kevin C
Assistant Examiner(s)
Russell; Wanda Z

Application Number

US10/868,474
Publication Number

US 20050276262A1
Time in Patent Office

1,736 Days
Field of Search

370/230, 370/395.21, 370/392, 713/201, 709/223
US Class Current

370/392
CPC Class Codes

G06N 5/025   Extracting rules from data

H04L 47/10   Flow control; Congestion co...

H04L 47/20   Traffic policing

H04L 47/2441   relying on flow classificat...

Rule set conflict resolution

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

200 Citations

43 Claims

Specification

Solutions

Use Cases

Quick Links

Rule set conflict resolution

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

200 Citations

43 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links