公开(公告)号：US09391958B2

公开(公告)日：2016-07-12

申请号：US14318830

申请日：2014-06-30

Applicant: JUNIPER NETWORKS, INC.

Inventor： Venkatasubramanian Swaminathan ,  Deepak Goel ,  Jianhui Huang ,  John Keen ,  Jean-Marc Frailong ,  Srinivasan Jagannadhan ,  Srilakshmi Adusumalli

IPC: H04L29/06

CPC classification number: H04L63/0263 ,  H04L63/02 ,  H04L63/0209

Abstract: A firewall device may include a forwarding component that includes a filter block. The filter block may obtain a first hardware-implemented filter, where a hardware implementation limits the first hardware-implemented filter to a maximum quantity of rules; determine whether a last rule associated with the accessed hardware-implemented filter includes a split-filter action, where the split-filter action identifies a second hardware-implemented filter; and link the second hardware-implemented filter to the first hardware-implemented filter to make the second hardware-implemented filter a logical continuation of the first hardware-implemented filter, in response to determining that the last rule includes the split-filter action. The filter block may further determine whether a particular rule of the first hardware-implemented filter includes a next-filter action, where the next filter action identifies a third hardware-implemented filter; and process the third hardware-implemented filter independently of the sequence of hardware attachment points.

Abstract translation: 防火墙设备可以包括包括过滤器块的转发组件。 滤波器块可以获得第一硬件实现的滤波器，其中硬件实现将第一硬件实现的滤波器限制为最大数量的规则; 确定与所访问的硬件实现的过滤器相关联的最后规则是否包括拆分过滤器动作，其中分割过滤器动作标识第二硬件实现的过滤器; 以及响应于确定所述最后一个规则包括所述分割过滤器动作，将所述第二硬件实现的过滤器链接到所述第一硬件实现的过滤器，以使得所述第二硬件实现的过滤器是所述第一硬件实现的过滤器的逻辑延续。 滤波器块还可以确定第一硬件实现的滤波器的特定规则是否包括下一个滤波器动作，其中下一个滤波器动作识别第三硬件实现的滤波器; 并且独立于硬件连接点的顺序处理第三个硬件实现的过滤器。