Computer system and network interface with hardware based rule checking for embedded firewall
First Claim
1. A method of managing packet transmission at an interface between a network and a host system, the method comprising:
parsing an incoming packet comprising a data payload destined for a memory location in a host system;
generating one or more pointers to data fields in the parsed incoming packet;
storing the incoming packet in a buffer memory;
using the one or more pointers to retrieve data associated with the data fields from the buffer memory;
applying rules to the retrieved data; and
controlling the transfer of the data payload from the buffer memory to the memory location in the host system associated with the application running on the host system based on the outcome of applying the one or more rules to the retrieved data;
wherein each rule comprises a rule data value, the rule data value being masked and processed in parallel by rule parameters comprising:
an “equal to” rule parameter for determining whether the masked rule data value is equal to the retrieved data;
a “not equal to” rule parameter for determining whether the masked rule data value is not equal to the retrieved data;
a “greater than” rule parameter for determining whether the masked rule data value is greater than the retrieved data; and
a “less than” rule parameter for determining whether the masked rule data value is less than the retrieved data.
Abstract
A data processing system adapted for high-speed network communications, a method for managing a network interface, and a network interface for such a system are provided, in which processing of packets received over the network is performed by embedded logic at the network interface level. Incoming packets on the network interface are parsed and classified as they are stored in a buffer memory. Functional logic coupled to the buffer memory on the network interface can access any data field within a packet in a single cycle, using the pointers and packet classification information produced by the parsing and classifying step. Results of operations on the data fields are therefore available before the packets are transferred out of the buffer memory. The data processing system, the method for management of a network interface and the network interface also include an embedded firewall at the network interface level of the system, which protects against inside and outside attacks on the security of the data processing system. Furthermore, they support class of service management for packets incoming from the network by applying priority rules at the network interface level of the system.
20 Claims
1. As set out under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A system to manage packet transmission at an interface between a network and a host system, the system comprising:
a packet parser to generate a pointer to data fields in the incoming packet, wherein the incoming packet comprises a data payload destined for a memory location in the host system;
a packet index queue to store the pointers to the data fields;
a packet data buffer to store the parsed incoming packet;
a packet index fetch engine to retrieve data associated with the data fields from the packet data buffer by using the pointers from the packet index queue; and
a rule check engine to apply rule match operations on the retrieved data associated with the data fields and to control the transfer of the data payload from the buffer memory to the memory location in the host system associated with the application running on the host system based on the outcome of each rule match operation;
wherein the rule check engine comprises a rule match block and a rule action block;
wherein the rule match block comprises:
a packet data register to store the retrieved data associated with the data fields for comparison; and
a rule data register to specify a rule to be compared with the retrieved data associated with the data fields;
wherein the rule in the rule data register to be compared with the retrieved data in the packet data register comprises a rule data value, the rule data value being masked and processed in parallel by rule parameters comprising:
an “equal to” rule parameter to determine whether the rule data value in the rule data register is equal to the retrieved data in the packet data register;
a “not equal to” rule parameter to determine whether the rule data value in the rule data register is not equal to the retrieved data in the packet data register;
a “greater than” rule parameter to determine whether the rule data value in the rule data register is greater than the retrieved data in the packet data register; and
a “less than” rule parameter to determine whether the rule data value in the rule data register is less than the retrieved data in the packet data register.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19.
20. A non-transitory computer readable media with instructions to cause a microprocessor at a host system to perform the steps of:
parsing an incoming packet comprising a data payload destined for a memory location in the host system associated with an application running on the host system;
generating one or more pointers to data fields in the parsed incoming packet;
storing the incoming packet in a buffer memory;
using the one or more pointers to retrieve data associated with the data fields from the buffer memory;
applying rules to the retrieved data associated with the data fields; and
controlling the transfer of the data payload from the buffer memory to the memory location in the host memory associated with the application running on the host system based on the outcome of applying the one or more rules to the retrieved data;
wherein each rule comprises a rule data value, the rule data value being masked and processed in parallel by rule parameters comprising:
an “equal to” rule parameter for determining whether the masked rule data value is equal to the retrieved data;
a “not equal to” rule parameter for determining whether the masked rule data value is not equal to the retrieved data;
a “greater than” rule parameter for determining whether the masked rule data value is greater than the retrieved data; and
a “less than” rule parameter for determining whether the masked rule data value is less than the retrieved data.
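The pipeline that the abstract and claims 1, 11 and 20 describe (parse the frame into field pointers while it sits in the buffer, fetch each field through its pointer, compare it against a masked rule data value with the four comparators, and release the payload to host memory only on the outcome) as a software model in C. This is an added example written for this page, not code from the patent, its specification or its assignee. Everything beyond the claim language is an assumption of the example: the IPv4/TCP-UDP-only parser and its three indexed fields, the rule table, the constructed sample frames, applying the mask to both operands (which makes an "equal to" rule a prefix match), treating a rule whose field is absent as not firing, and denying by default when no rule fires. Checksums are neither computed nor checked, since the claims say nothing about them.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field "pointers" the parser emits: byte offset and width of each field inside the buffered frame. */
enum field_id { F_IP_SRC, F_L4_DPORT, F_COUNT };
struct field_ptr { uint16_t off; uint8_t len; bool valid; };
struct packet_index { struct field_ptr f[F_COUNT]; };
/* Parser for Ethernet / IPv4 / TCP-or-UDP. Records offsets only; the bytes stay in the packet buffer. */
static bool parse_packet(const uint8_t *buf, size_t len, struct packet_index *idx)
{
    memset(idx, 0, sizeof *idx);
    if (len < 14) return false;
    if (((buf[12] << 8) | buf[13]) != 0x0800) return true;   /* non-IPv4: nothing indexable, only the default action applies */
    uint16_t ihl = len >= 34 ? (buf[14] & 0x0f) * 4 : 0;
    if (ihl < 20 || len < 14u + ihl) return false;            /* truncated, or the header claims more bytes than arrived */
    idx->f[F_IP_SRC] = (struct field_ptr){26, 4, true};
    if ((buf[23] == 6 || buf[23] == 17) && len >= 14u + ihl + 4)
        idx->f[F_L4_DPORT] = (struct field_ptr){(uint16_t)(16 + ihl), 2, true};
    return true;
}
/* Packet index fetch: read the field a pointer designates out of the buffer as a big-endian integer. */
static bool fetch_field(const uint8_t *buf, const struct packet_index *idx, enum field_id id, uint32_t *out)
{
    const struct field_ptr *p = &idx->f[id];
    if (!p->valid) return false;
    *out = 0;
    for (uint8_t i = 0; i < p->len; i++) *out = (*out << 8) | buf[p->off + i];
    return true;
}
/* Rule match block: a rule data value, a mask and four comparison enables (EQ, NE, GT, LT). */
enum { CMP_EQ = 1, CMP_NE = 2, CMP_GT = 4, CMP_LT = 8 }; enum action { ACT_DROP = 0, ACT_PASS = 1 };
struct rule { enum field_id field; uint32_t value; uint32_t mask; uint8_t cmp; enum action act; };
static bool rule_matches(const struct rule *r, uint32_t pkt)
{
    uint32_t rv = r->value & r->mask, pv = pkt & r->mask;   /* assumption: mask applied to both sides, so EQ is a prefix match */
    bool res[4] = { rv == pv, rv != pv, rv > pv, rv < pv }; /* all four comparators at once; GT/LT read "rule value > / < packet field" */
    bool ok = r->cmp != 0;                                  /* a rule with no enable set never fires */
    for (int b = 0; b < 4; b++) if (r->cmp & (1u << b)) ok = ok && res[b];
    return ok;
}
/* Rule action block: the first matching rule decides; a rule whose field is absent from the packet cannot fire. */
static enum action check_rules(const uint8_t *buf, const struct packet_index *idx, const struct rule *rules, size_t n, enum action dflt)
{
    for (size_t i = 0; i < n; i++) {
        uint32_t v;
        if (fetch_field(buf, idx, rules[i].field, &v) && rule_matches(&rules[i], v)) return rules[i].act;
    }
    return dflt;
}
/* Transfer gate: the frame leaves the NIC buffer for host memory only on PASS. Returns bytes copied, 0 if dropped, -1 if malformed or too large. */
static int nic_receive(const uint8_t *buf, size_t len, const struct rule *rules, size_t n, uint8_t *host, size_t host_len)
{
    struct packet_index idx;
    if (!parse_packet(buf, len, &idx) || len > host_len) return -1;
    if (check_rules(buf, &idx, rules, n, ACT_DROP) != ACT_PASS) return 0;   /* nothing passed it: default deny */
    memcpy(host, buf, len);
    return (int)len;
}
/* Constructed demo policy: nothing from 10.0.0.0/8 is accepted; otherwise DNS or high destination ports pass. */
static const struct rule demo_rules[] = {
    { F_IP_SRC,   0x0A000000u, 0xFF000000u, CMP_EQ, ACT_DROP },   /* (src & /8 mask) == 10.0.0.0 */
    { F_L4_DPORT, 53,          0xFFFFu,     CMP_EQ, ACT_PASS },   /* dport == 53 */
    { F_L4_DPORT, 1023,        0xFFFFu,     CMP_LT, ACT_PASS },   /* 1023 < dport */
};
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
/* Builds a constructed Ethernet/IPv4/UDP-or-TCP frame from port 40000 to dport; payload and checksums stay zero. */
static size_t build_frame(uint8_t *out, uint8_t proto, uint32_t src, uint32_t dst, uint16_t dport, size_t plen)
{
    size_t l4 = proto == 6 ? 20 : 8, ip_len = 20 + l4 + plen, total = 14 + ip_len;
    memset(out, 0, total);
    out[12] = 0x08; out[14] = 0x45; out[16] = (uint8_t)(ip_len >> 8); out[17] = (uint8_t)ip_len;   /* IPv4, IHL 5, total length */
    out[22] = 64; out[23] = proto;                                                                 /* TTL, protocol */
    for (int i = 0; i < 4; i++) { out[26 + i] = (uint8_t)(src >> (24 - 8 * i)); out[30 + i] = (uint8_t)(dst >> (24 - 8 * i)); }
    out[34] = 0x9c; out[35] = 0x40; out[36] = (uint8_t)(dport >> 8); out[37] = (uint8_t)dport;     /* sport 40000, dport */
    if (proto == 6) out[46] = 0x50;                                                                /* TCP data offset: 5 words */
    return total;
}
/* One constructed sample frame per case; returns what nic_receive() decided for it. */
int sample_result(int which)
{
    uint8_t frame[128], host[128]; size_t n;
    switch (which) {
    case 0: n = build_frame(frame, 17, IP4(172,16,0,7), IP4(192,168,1,10), 53, 4); break;    /* UDP DNS query: rule 1 passes it, 46 bytes */
    case 1: n = build_frame(frame, 6, IP4(172,16,0,7), IP4(192,168,1,10), 22, 0); break;     /* TCP to SSH: no rule fires, default deny, 0 */
    case 2: n = build_frame(frame, 17, IP4(10,0,0,5), IP4(192,168,1,10), 53, 4); break;      /* DNS but from 10/8: rule 0 drops it first, 0 */
    case 3: n = build_frame(frame, 6, IP4(172,16,0,7), IP4(192,168,1,10), 8443, 0); break;   /* TCP high port: rule 2 (1023 < 8443) passes, 54 bytes */
    case 4: n = 20; memset(frame, 0, n); frame[12] = 0x08; break;                              /* IPv4 ethertype but truncated: malformed, -1 */
    default: return -2;
    }
    return nic_receive(frame, n, demo_rules, sizeof demo_rules / sizeof demo_rules[0], host, sizeof host);
}

int main(void) { for (int i = 0; i < 5; i++) printf("sample %d -> %d\n", i, sample_result(i)); return 0; }
```

Build it with any C11 compiler (for instance `cc -std=c11 -Wall nic_firewall.c`, the file name being arbitrary) and run it to see the five decisions. Two things the claims leave open are worth noticing in the model: rule order decides the outcome when several rules could fire (the 10.0.0.0/8 drop is listed before the DNS allow, so it wins for case 2), and the parallel comparators can be combined in ways that can never match (a rule with both "greater than" and "less than" enabled fires for no packet). The malformed-frame path returns -1 before any rule runs, so a truncated IPv4 header can never reach host memory by accident.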
Specification