Abstract: For a managed network, some embodiments provide a method for a set of service nodes in an active-active service node cluster in conjunction with a host computer hosting a destination data compute node (DCN) to improve the efficiency of directing a return data message to a service node storing state information for the flow to which the data message belongs. A primary service node in some embodiments receives a data message in a particular data message flow addressed to a destination DCN, performs a service on the data message and forwards the data message, along with information identifying the primary service node, to a host computer on which the destination DCN executes. The host computer generates an entry in a reverse forwarding table including identifying information for the particular data message flow and the primary service node to use to forward data messages in the particular data message flow to the primary service node.

Abstract: Some embodiments of the invention provide a novel method for interfacing between a first tuple-based controller and a second controller using a message-based protocol. The method of some embodiments identifies a set of changed tuples stored in a set of output tables, generates a set of messages based on the changed tuples, and sends the generated set of messages to a second controller. In some embodiments, the first and second controllers are parts of a network control system that manages forwarding elements to implement a logical network.

Abstract: Some embodiments provide a method for efficient data message transfer across a hypervisor, service DCN, and containers implementing partner network services. The method allocates memory to a service DCN that operates a set of containers for providing partner network services for data messages received by the service DCN. The service DCN and the containers share the allocated memory and the method stores data messages received by the service DCN in the allocated memory. The method then accesses the data message stored in the shared memory from a set of partner network service containers to perform the partner network services. In some embodiments, the host machine or a process of the host machine on which the service DCN executes also shares the allocated memory. The host machine process, in some embodiments is a kernel process.

Abstract: Some embodiments provide a method for handling failure at one of several peer centralized components of a logical router. At a first one of the peer centralized components of the logical router, the method detects that a second one of the peer centralized components has failed. In response to the detection, the method automatically identifies a network layer address of the failed second peer. The method assumes responsibility for data traffic to the failed peer by broadcasting a message on a logical switch that connects all of the peer centralized components and a distributed component of the logical router. The message instructs recipients to associate the identified network layer address with a data link layer address of the first peer centralized component.

Abstract: Some embodiments provide a novel method for authorizing network requests for a machine in a network. In some embodiments, the method is performed by security agents that execute on virtual machines operating on a host machine. In some embodiments, the method captures a network request (e.g., network control packets, socket connection request, etc.) from a primary application executing on the machine. The method identifies an extended context for the network request and determines whether the network request is authorized based on the extended context. The method then processes the network request according to the determination. The extended context of some embodiments includes identifications for primary and secondary applications associated with the network request. Alternatively, or conjunctively, some embodiments include identifications for primary and secondary users associated with the network request.

Abstract: Some embodiments of the invention provide a novel method of tunneling data packets. The method establishes a tunnel between a first forwarding element and a second forwarding element. For each data packet directed to the second forwarding element from the first forwarding element, the method encapsulates the data packet with a header that includes a tunnel option. The method then sends the data packet from the first forwarding element to the second forwarding element through the established tunnel. In some embodiments, the data packet is encapsulated using a protocol that is adapted to change with different control plane implementations and the implementations' varying needs for metadata.

Abstract: Network firewalls operate based on rules that define how a firewall should handle traffic passing through the firewall. At their most basic, firewall rules may indicate that certain network traffic should be denied from passing through a network firewall or indicate that certain network traffic should be allowed to pass through the network firewall. Manners of handling network traffic beyond simply allowing or denying the network traffic may also be defined by the rules. For instance, a rule may indicate that certain network traffic should be routed to a specific system. Thus, if an administrator of a network firewall determines that certain network traffic should be handled in a certain way by a network firewall, the administrator need only implement a firewall rule defining how that network traffic should be handled in the network firewall.

Abstract: For a multi-tenant environment, some embodiments of the invention provide a novel method for (1) embedding a specific path for a tenant's data message flow through a network in tunnel headers encapsulating the data message flow, and then (2) using the embedded path information to direct the data message flow through the network. In some embodiments, the method selects the specific path from two or more viable such paths through the network for the data message flow.

Abstract: A method for visualizing network flows of a network is provided. The method monitors network flows between a group of machines in a network. The method associates identifiers with the monitored network flows. The method aggregates the monitored network flows into a set of groups based on the associated identifiers. The method displays a set of flow records for the each group of the set of groups.

Abstract: A novel method for managing firewall configuration of a software defined data center is provided. Such a firewall configuration is divided into multiple sections that each contains a set of firewall rules. Each tenant of the software defined data center has a corresponding set of sections in the firewall configuration. The method allows each tenant to independently access and update/manage its own corresponding set of sections. Multiple tenants or users are allowed to make changes to the firewall configuration simultaneously.

Abstract: Some embodiments provide a managed network for implementing a logical network for a tenant. The managed network includes a first set of host machines and a second set of host machines. The first set of host machines is for hosting virtual machines (VMs) for the logical network. Each of the first set of host machines operates a managed forwarding element that implements a first logical router for the tenant logical network and a second logical router to which the first logical router connects. The implementation of the second logical router is for processing packets entering and exiting the tenant logical network. The second set of host machines is for hosting L3 gateways for the second logical router. The L3 gateways connect the tenant logical network to at least one external network.

Abstract: A system for network virtualization in which physical network resources in different physical contexts are configured to implement one or more distributed logical network elements, at least some of the physical network resources implementing the distributed logical network elements configured according the physical context of those network resources. The local configuration of a physical locale is a version of the logical configuration that is modified specifically for the physical locale. Such modification is based on locale identifiers that are assigned to the physical locales. Some systems use locale-specific information to modify next-hop preference. Some system use locally modified configurations to determine the placement of VMs.

Abstract: A managed hardware forwarding element (MHFE) that performs packet forwarding operations for a logical network is described. The MHFE receives configuration data for the logical network that defines a logical router and a set of logical switches for logically connecting several end machines that operate on different host machines to several physical machines that are connected to the MHFE. The logical router also includes multiple routing components. The MHFE also receives a first forwarding table and a second forwarding table. The first forwarding table stores linking data for each logical port of each logical switch in the set of logical switches that identifies a corresponding routing component in the logical router. The second forwarding table stores a set of routes for each routing component of the logical router. The MHFE uses the first and second forwarding tables to perform packet forwarding operations at the MHFE.

Abstract: Example methods are provided for secure communication protocol processing in a network environment. The method may comprise, in response to detecting a first transport protocol packet that is addressed from a first endpoint to a second endpoint and includes unencrypted payload data and a first sequence number, generating and sending a first secure communication protocol packet that includes encrypted payload data and a second sequence number. The method may also comprise, in response detecting a second transport protocol packet that includes the first sequence number, determining that the second transport protocol packet is a retransmission of the first transport protocol packet. The method may further comprise generating and sending a second secure communication protocol packet that includes the second sequence number associated with the first sequence number.

Abstract: Some embodiments provide a method for presenting packets captured in a network. The method identifies a first set of packets from a first packet group of multiple captured packet groups. The method identifies a second set of packets, that corresponds to the first set of packets, from a second packet group of the multiple captured packet groups. The method displays representations of the multiple captured packet groups. At least one of the first set of packets and the second set of packets are presented with a different appearance from other packets of their respective packet group.

Abstract: A control system including several controllers for managing several switching elements. A first controller registers a second controller for receiving a notification when a data tuple changes in a network information base (NIB) storage of the first controller that stores data for managing a set of switching elements. The first controller changes the data tuple in the NIB. The first controller sends the notification to the second controller of the change to the data tuple in the NIB. The first and second controllers operate on two different computing devices. Each controller receives logical control plane data for specifying logical datapath sets and converts the logical control plane data to physical control plane data for enabling the switching elements to implement the logical datapath sets.

Abstract: In one aspect, a method useful for implementing high availability (HA) enhancements to a computer network, comprising the steps of: providing a first edge device of a local area network (LAN); providing a second edge device of the LAN; providing a gateway system to the LAN from a wide area network; detecting that an HA cable between the first edge device and the second edge device is disconnected; establishing a network connection between the gateway system and the second edge device; with the gateway system: determining that the first edge device is active and passing network traffic, implementing a network tunneling protocol with second edge device.

Abstract: In one exemplary aspect, an edge-gateway multipath method includes the step of providing an edge device in a local network communicatively coupled with a cloud-computing service in a cloud-computing network. A set of wide area network (WAN) links connected to the edge device are automatically detected. The WAN links are automatically measured without the need for an external router. The edge device is communicatively coupled with a central configuration point in the cloud-computing network. The method further includes the step of downloading, from the central configuration point, an enterprise-specific configuration data into the edge device. The enterprise-specific configuration data includes the gateway information. The edge device is communicatively coupled with a gateway in the cloud-computing network. The communicatively coupling of the edge device with the gateway includes a multipath (MP) protocol.

Abstract: Some embodiments provide a system that implements a set of tools to define a set of one or more logical forwarding elements from a number of physical forwarding elements and a scalable framework to retrieve statistics relating each logical forwarding element. In some embodiments, the statistics relate to the logical ports of a logical forwarding element. The system of some embodiments allows a network administrator to retrieve a total packet count and byte count for one or more logical ports of the logical forwarding element, even though the logical ports may be distributed across multiple physical forwarding elements.

Abstract: Techniques for transferring connection data for a migrated virtual computing instance are described. The connection data transfer process includes the steps of, responsive to determining the virtual computing instance is to be migrated, transmitting the connection data, from a first memory buffer shared between a first instance of a service virtual computing instance and a first hardware abstraction layer executing in a source host, to a second memory buffer shared between a second instance of the service virtual computing instance and a second hardware abstraction layer executing in a destination host; responsive to determining the virtual computing instance is stopped in the source host, packing connection data changes including changes made to the connection data at the source host during a time period beginning when the connection data is copied and ending when the virtual computing instance is stopped; and transmitting the connection data changes to the destination host.