FIREWALLS IN LOGICAL NETWORKS
Abstract
Some embodiments provide a method for configuring a logical firewall in a hosting system that includes a set of nodes. The logical firewall is part of a logical network that includes a set of logical forwarding elements. The method receives a configuration for the firewall that specifies packet processing rules for the firewall. The method identifies several of the nodes on which to implement the logical forwarding elements. The method distributes the firewall configuration for implementation on the identified nodes. At a node, the firewall of some embodiments receives a packet, from a managed switching element within the node, through a software port between the managed switching element and the distributed firewall application. The firewall determines whether to allow the packet based on the received configuration. When the packet is allowed, the firewall sends the packet back to the managed switching element through the software port.
21 Claims
1. A method for configuring a logical firewall in a hosting system comprising a set of nodes, the logical firewall part of a logical network comprising a set of logical forwarding elements, the method comprising:
receiving a configuration for the firewall that specifies packet processing rules for the firewall;
identifying a plurality of the nodes on which to implement the logical forwarding elements; and
distributing the firewall configuration for implementation on the identified nodes.
Dependent claims: 2, 3, 4, 5, 6, 7.

8. A machine readable medium storing a distributed firewall application for execution by at least one processing unit of a node in a hosting system, the program comprising sets of instructions for:
receiving a packet, from a managed switching element within the node, through a software port between the managed switching element and the distributed firewall application;
determining whether to allow the packet based on a received set of processing rules to apply to the packet; and
when the packet is allowed, sending the packet back to the managed switching element through the software port.
Dependent claims: 9, 10, 11, 12, 13, 14, 15, 16.

17. A machine readable medium storing a distributed firewall application for execution by at least one processing unit of a node in a hosting system, the program comprising sets of instructions for:
receiving a first firewall configuration for a first logical network along with a first identifier;
receiving a second firewall configuration for a second logical network along with a second identifier; and
processing packets tagged with the first identifier using the first firewall configuration while processing packets tagged with the second identifier using the second firewall configuration.
Dependent claims: 18, 19, 20.

21. The machine readable medium of claim 20, wherein the managed switching element and the distributed firewall application receive the first and second identifiers from a same network controller.
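As an added illustration (not code from the patent or its assignee), a Python model of the per-node distributed firewall described in the abstract and in claims 8 and 17: it keeps one rule set per logical-network identifier, receives tagged packets from a stand-in managed switching element, fails closed for unknown identifiers and unmatched packets, and hands allowed packets back over the software port. All class names, rule fields and the sample networks and rules are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    logical_net: str   # identifier the managed switching element tagged the packet with
    proto: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    proto: str = "*"   # "*" means any protocol
    dport: int = 0     # 0 means any destination port
    def matches(self, pkt):
        return (self.proto in ("*", pkt.proto)) and (self.dport in (0, pkt.dport))

class ManagedSwitchingElement:
    """Stand-in for the node's switching element: collects packets the firewall returns."""
    def __init__(self):
        self.returned = []
    def receive_from_firewall(self, pkt):
        self.returned.append(pkt)

class DistributedFirewall:
    """One firewall instance on a node, holding one rule set per logical network identifier."""
    def __init__(self, switch):
        self.switch = switch
        self.configs = {}  # logical network identifier -> ordered rule list
    def receive_config(self, net_id, rules):
        self.configs[net_id] = list(rules)
    def decide(self, pkt):
        # An unknown identifier and an unmatched packet both fall through to deny.
        for rule in self.configs.get(pkt.logical_net, ()):  # first matching rule wins
            if rule.matches(pkt):
                return rule.action
        return "deny"
    def receive_packet(self, pkt):
        allowed = self.decide(pkt) == "allow"
        if allowed:
            self.switch.receive_from_firewall(pkt)  # send it back over the software port
        return allowed

def demo():
    switch = ManagedSwitchingElement()
    fw = DistributedFirewall(switch)
    fw.receive_config("net-A", [Rule("allow", "tcp", 443), Rule("deny", "tcp", 22)])
    fw.receive_config("net-B", [Rule("allow", "tcp", 22)])
    pkts = [Packet("net-A", "tcp", 443), Packet("net-A", "tcp", 22),
            Packet("net-B", "tcp", 22), Packet("net-C", "tcp", 22)]
    return [fw.receive_packet(p) for p in pkts], len(switch.returned)
```

The same port-22 packet is allowed for net-B and denied for net-A, and net-C, which has no configuration on this node, is denied outright.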