Firewalls in logical networks
First Claim
1. A machine readable medium storing a distributed firewall application for execution by at least one processing unit of a particular node in a hosting system, the firewall application comprising sets of instructions for:
receiving a first firewall configuration for a first logical network along with a first identifier, the first logical network connecting a first plurality of machines at least one of which resides on the particular node of the hosting system;
receiving a second firewall configuration for a second logical network along with a second identifier, the second logical network connecting a second plurality of machines at least one of which resides on the particular node of the hosting system; and
processing packets, received from a managed switching element located at the node and tagged with the first identifier using the first firewall configuration while processing packets received from the managed switching element and tagged with the second identifier using the second firewall configuration, wherein the managed switching element and the distributed firewall application receive the first and second identifiers from a same network controller.
Abstract
Some embodiments provide a method for configuring a logical firewall in a hosting system that includes a set of nodes. The logical firewall is part of a logical network that includes a set of logical forwarding elements. The method receives a configuration for the firewall that specifies packet processing rules for the firewall. The method identifies several of the nodes on which to implement the logical forwarding elements. The method distributes the firewall configuration for implementation on the identified nodes. At a node, the firewall of some embodiments receives a packet, from a managed switching element within the node, through a software port between the managed switching element and the distributed firewall application. The firewall determines whether to allow the packet based on the received configuration. When the packet is allowed, the firewall sends the packet back to the managed switching element through the software port.
22 Claims
12. A method for configuring a distributed firewall application implemented on a particular node in a hosting system, the method comprising:
receiving a first firewall configuration for a first logical network along with a first identifier, the first logical network connecting a first plurality of machines at least one of which resides on the particular node of the hosting system;
receiving a second firewall configuration for a second logical network along with a second identifier, the second logical network connecting a second plurality of machines at least one of which resides on the particular node of the hosting system; and
processing packets, received from a managed switching element located at the node and tagged with the first identifier using the first firewall configuration while processing packets received from the managed switching element and tagged with the second identifier using the second firewall configuration, wherein the managed switching element and the distributed firewall application receive the first and second identifiers from a same network controller.
Claims 13 to 22 depend from claim 12.
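As an added illustration of the behaviour claimed above and in the abstract (not the patent's own code), the following Python models the node-side firewall keeping one configuration per logical network identifier and selecting it by the tag on each packet; the two tenants, their identifiers, rules and addresses are constructed for the example. The point it makes is that with overlapping tenant address spaces the identifier alone decides which rule set applies, and a packet whose tag has no configuration is dropped rather than matched against another tenant's rules.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
# Added illustration, not the patent's code: one rule set per logical network,
# chosen by the identifier the controller assigned and the switch tagged on.

@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: str                    # source CIDR
    dst: str                    # destination CIDR
    dport: Optional[int] = None # None matches any destination port

@dataclass(frozen=True)
class Packet:
    logical_id: int             # tag applied by the managed switching element
    src: str
    dst: str
    dport: int

class DistributedFirewall:
    def __init__(self):
        self.configs = {}       # logical network identifier -> ordered [Rule]

    def receive_configuration(self, logical_id, rules):
        self.configs[logical_id] = list(rules)   # install or replace one set

    def allow(self, pkt):
        rules = self.configs.get(pkt.logical_id)
        if rules is None:
            return False        # no configuration for this tag: fail closed
        for r in rules:         # first matching rule decides
            if (ip_address(pkt.src) in ip_network(r.src)
                    and ip_address(pkt.dst) in ip_network(r.dst)
                    and (r.dport is None or r.dport == pkt.dport)):
                return r.action == "allow"
        return False            # implicit default deny

    def process(self, packets):
        # Packets returned here are handed back to the managed switching element.
        return [p for p in packets if self.allow(p)]

def demo():
    fw = DistributedFirewall()
    # Constructed input: both logical networks reuse 10.0.0.0/24, so only the tag decides.
    fw.receive_configuration(1, [Rule("allow", "10.0.0.0/24", "10.0.0.0/24", 443)])
    fw.receive_configuration(2, [Rule("allow", "10.0.0.0/24", "10.0.0.0/24", 22)])
    pkts = [Packet(1, "10.0.0.5", "10.0.0.9", 443),  # network 1 allows 443
            Packet(2, "10.0.0.5", "10.0.0.9", 443),  # same addresses, network 2: denied
            Packet(2, "10.0.0.5", "10.0.0.9", 22),   # network 2 allows 22
            Packet(3, "10.0.0.5", "10.0.0.9", 22)]   # never configured: dropped
    return fw.process(pkts)
```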