Abstract: To activate side nodes, a traversal node is partitioned into deeper traversal nodes and leaf nodes. A limit is set on a number of leaf node policies. Each traversal node above the limit is cut into a deeper level with a new traversal node. Each traversal node at or below the limit is converted to a leaf node populated with a list of policies within the limit.

Abstract: Systems, devices, and methods are discussed for classifying a number of security policies in relation to criteria for applying those security policies to yield a dual bitmap scheme representing a correlation between security policies and one or more criteria.

Abstract: Systems, devices, and methods are discussed for identifying security policies applicable to a received information packet based upon a dual bitmap scheme accounting for bit position mergers and/or policies common to multiple bit positions.

Abstract: During high-speed network policy searching for data packets, an upper limit and a lower limit for a policy count are predefined for a ratio of the policy count to the sum of the policy count and the range count. A policy tree builder generates a policy tree image from a set of recursive operations on the raw policy set including an on-the-fly determination of whether a specific node is a leaf based on a leaf policy count limit, wherein for a selected dimension, the specific node is converted to the leaf if the policy count does not exceed the leaf policy count limit and the range count for the selected dimension does not exceed a product of the leaf policy count limit and a range count limit coefficient, and otherwise the specific node is converted to two or more child nodes. A network processor configures at least one set of registers, at least one set of tables, and at least one sequence of instructions according to the policy tree image.

Abstract: A raw policy set is received for the network processor and a dimension bitmap corresponding to the raw policy set. From the raw policy set, a policy tree builder generates a policy tree image from a set of recursive operations on the raw policy set including selecting boundaries of the raw policy set from cuts on a given dimension of the raw policy set, the dimension cut based on a dimension selection and a partition number selection for the raw policy set. Network processor hardware is configured according to the policy tree image including at least one set of registers, at least one set of tables, and at least one sequence of instructions. At runtime, the network processor applies the optimized policy set to processing of the packet session from the data communication network by the network processor hardware.

Abstract: A compiler (CPL) plugin comprises a TC to, responsive to a new DV test, read configuration settings and selects appropriate plugin processes based on the configuration settings. An API interface can generate images that control the special purpose processor during a stage of a plurality of stages for a CPL-related design verification (DV) test and call selected plugin processes. A common compiler module comprising a common function codebase. A DV specialized support module comprising a DV function only codebase, wherein the DV has access to the common compiler module. An RP specialized support module can comprise an RP function only codebase, wherein the codebase is common for both DV and RP, and wherein top-level APIs are designed for both DV and RP. Responsive to completing the DV test, TC disables the plugins and injects traffic for the DV test, and wherein TC reports testing results.

Abstract: A packet parser generates a key from TCP metadata of a data packet for a specific session. A packet cache stores recent network policy identifiers associated with a plurality of network sessions, wherein the key is used as an index to search the packet cache. The packet cache responsive to a cache miss, checks a TFO cookie field for a rule ID stored by the client during a previous session as generated by the network processor. If there is no rule ID, a classification pipeline is activated. On the other hand, responsive to a cache hit, or responsive to identifying a rule ID for the session from the TFO cookie, the classification pipeline is bypassed for the data packets of the specific session.

Abstract: A packet parser generates a key from TCP metadata of a data packet for a specific session. A packet cache stores recent network policy identifiers associated with a plurality of network sessions, wherein the key is used as an index to search the packet cache. The packet cache responsive to a cache miss, checks a TFO cookie field for a rule ID stored by the client during a previous session as generated by the network processor. If there is no rule ID, a classification pipeline is activated. On the other hand, responsive to a cache hit, or responsive to identifying a rule ID for the session from the TFO cookie, the classification pipeline is bypassed for the data packets of the specific session.

Abstract: Systems and methods for generating design verification test cases using a restricted randomization process are provided. According to one embodiment, a processor of a hardware design verification system receives a set of restrictions and defines a scenario involving the values that is to be excluded from the test case. The processor also receives pre-assigned values for one or more variables. For each variable other than the one or more variables, the processor assigns a first random value to the variable that is within a valid range for the variable. The processor then identifies a conflict between a first pair of variables, and resolves the conflict by assigning a second random value to a first variable or a second variable of the first pair of variables within their respective valid ranges.

Abstract: A mapping technique sets coalescing latency values for computing systems that use multiple data queues having a shared base timer. A computing system having at least one receive queue and at least one transmit queue receives user-provided coalescing latency values for the respective queues, and converts these user-provided latencies to coalescing latency hardware register values as well as a base timer register value for the shared base timer. The hardware register values for the coalescing latencies together with the shared base timer register value determine the coalescing latencies for the respective queues. This mapping technique allows a user to conveniently set coalescing latencies for multi-queue processing systems while shielding the user settings from hardware complexity.

Abstract: A mapping technique sets coalescing latency values for computing systems that use multiple data queues having a shared base timer. A computing system having at least one receive queue and at least one transmit queue receives user-provided coalescing latency values for the respective queues, and converts these user-provided latencies to coalescing latency hardware register values as well as a base timer register value for the shared base timer. The hardware register values for the coalescing latencies together with the shared base timer register value determine the coalescing latencies for the respective queues. This mapping technique allows a user to conveniently set coalescing latencies for multi-queue processing systems while shielding the user settings from hardware complexity.

Abstract: A mapping technique sets coalescing latency values for computing systems that use multiple data queues having a shared base timer. A computing system having at least one receive queue and at least one transmit queue receives user-provided coalescing latency values for the respective queues, and converts these user-provided latencies to coalescing latency hardware register values as well as a base timer register value for the shared base timer. The hardware register values for the coalescing latencies together with the shared base timer register value determine the coalescing latencies for the respective queues. This mapping technique allows a user to conveniently set coalescing latencies for multi-queue processing systems while shielding the user settings from hardware complexity.