Abstract: A method for increasing the capacity of a connection table in a firewall accelerator by means of mapping packets in one session with some common security actions into one table entry. For each of five Network Address Translation (NAT) configurations, a hash function is specified. The hash function takes into account which of four possible arrival types a packet at a firewall accelerator may have. When different arrival types of packets in the same session are processed, two or more arrival types may have the same hash value.

Abstract: A wire-speed forwarding platform and method for supporting multifield classification of a packet fragmented into a plurality of fragments in the wire-speed forwarding platform, comprising: receiving a fragment of the fragmented packet at the forwarding platform and deriving a key from one or more fields of the received fragment; and performing multifield classification of the received fragment by matching the key to a rule out of a plurality of rules, the rule comprising a plurality of fields including at least one field for specifying whether the received fragment's fragmentation characteristics are to be applied when performing the multifield classification.

Abstract: A method for increasing the capacity of a connection table in a firewall accelerator by means of mapping packets in one session with some common security actions into one table entry. For each of five Network Address Translation (NAT) configurations, a hash function is specified. The hash function takes into account which of four possible arrival types a packet at a firewall accelerator may have. When different arrival types of packets in the same session are processed, two or more arrival types may have the same hash value.

Abstract: A method for increasing the capacity of a connection table in a firewall accelerator by means of mapping packets in one session with some common security actions into one table entry. For each of five Network Address Translation (NAT) configurations, a hash function is specified. The hash function takes into account which of four possible arrival types a packet at a firewall accelerator may have. When different arrival types of packets in the same session are processed, two or more arrival types may have the same hash value.

Abstract: A wire-speed forwarding platform and method for supporting multifield classification of a packet fragmented into a plurality of fragments in the wire-speed forwarding platform, comprising: receiving a fragment of the fragmented packet at the forwarding platform and deriving a key from one or more fields of the received fragment; and performing multifield classification of the received fragment by matching the key to a rule out of a plurality of rules, the rule comprising a plurality of fields including at least one field for specifying whether the received fragment's fragmentation characteristics are to be applied when performing the multifield classification.

Abstract: A wire-speed forwarding platform and method for supporting multifield classification of a packet fragmented into a plurality of fragments in the wire-speed forwarding platform, comprising: receiving a fragment of the fragmented packet at the forwarding platform and deriving a key from one or more fields of the received fragment; and performing multifield classification of the received fragment by matching the key to a rule out of a plurality of rules, the rule comprising a plurality of fields including at least one field for specifying whether the received fragment's fragmentation characteristics are to be applied when performing the multifield classification.

Abstract: A method and system for determining whether to enforce a plurality of filter rules for a packet including a key in a computer network is disclosed. Each of the plurality of filter rules has a priority. The method and system include accumulating statistics for each of the plurality of filter rules. The statistics indicate a frequency of enforcement for each of the plurality of filter rules. The method and system also include placing the plurality of filter rules in an order for testing against the key. The order is based on the frequency of each filter rule of the portion of the plurality of filter rules. Consequently, more frequently enforced filter rules may be tested first.

Abstract: A method and system for storing a plurality of filter rules in a computer system is disclosed. The plurality of filter rules uses at least one range of values in at least one dimension. The method and system include separating a portion of the plurality of filter rules into a plurality of pure subsets of filter rules. Each of the plurality of pure subsets of filter rules includes at least one of the plurality of filter rules. The method and system also include combining a portion of the plurality of pure subsets of filter rules to provide a combined subset and determining whether an efficiency of utilizing the plurality of filter rules is improved by combining the portion of the plurality of pure subsets of filter rules. The method and system further includes storing the plurality of filter rules including storing the portion of the plurality of subsets of filter rules as the combined subset if the efficiency of searching the plurality of filter rules is improved.

Abstract: A method and system for downloading software managed trees (SMTs) in a network processing system provides dynamic update of frame classifiers while maintaining proper network protocol processing. The network processing system includes a general purpose processor acting as control point processor and a plurality of network processors. The new SMT is built by an application on the control point processor and downloaded to one or more of the network processors. The new SMT is placed in a separate memory location accessible to the network processors, rather then overwriting the existing SMT. The active tree pointers are then changed to transfer control to the new SMT.

Abstract: A method and apparatus for defining the types of actions that are to be applied to packets processed by a network processor device such as an IP router, switch, and the like. The apparatus includes an interface for configuring a packet classifier device in the network processor by enabling user specification of packet classification rules, each rule having one or more action types, and further, by enabling definition of one or more associated set of action attributes (characteristics) that may be associated with individual action types.

Abstract: A method and system for storing a plurality of filter rules in a computer system is disclosed. The plurality of filter rules uses at least one range of values in at least one dimension. The method and system include separating a portion of the plurality of filter rules into a plurality of pure subsets of filter rules. Each of the plurality of pure subsets of filter rules includes at least one of the plurality of filter rules. The method and system also include combining a portion of the plurality of pure subsets of filter rules to provide a combined subset and determining whether an efficiency of utilizing the plurality of filter rules is improved by combining the portion of the plurality of pure subsets of filter rules. The method and system further includes storing the plurality of filter rules including storing the portion of the plurality of subsets of filter rules as the combined subset if the efficiency of searching the plurality of filter rules is improved.

Abstract: A method and apparatus for processing network frames using static and dynamic classifiers provides a flexible and modifiable frame classification system. Static and Dynamic classifiers are used in combination within a network processing system to provide the range capability and hardware assist capability of the static classifier, along with the incremental modifications possible with a dynamic classifier. The dynamic classifier is searched first for rules directing processing of a received frame. The static classifier is searched only if a dynamic classifier key for the frame is not found, or the dynamic key actions indicated that the static classifier should also be searched.

Abstract: A wire-speed forwarding platform and method for supporting multifield classification of a packet fragmented into a plurality of fragments in the wire-speed forwarding platform, comprising: receiving a fragment of the fragmented packet at the forwarding platform and deriving a key from one or more fields of the received fragment; and performing multifield classification of the received fragment by matching the key to a rule out of a plurality of rules, the rule comprising a plurality of fields including at least one field for specifying whether the received fragment's fragmentation characteristics are to be applied when performing the multifield classification.

Abstract: A method and system for testing a plurality of filter rules in a computer system is disclosed. The plurality of filter rules are used with a key that is capable of matching at least one of the plurality of filter rules. The at least one filter rule corresponds to at least one action. The computer system has a cache including a plurality of bins and a decision tree. The method and system include searching a plurality of stored keys in the cache for the key. Preferably, this search of the cache for the key includes determining whether a stored key exactly matches the key. A plurality of stored filter rules corresponds to the plurality of stored keys. A plurality of stored actions corresponds to the plurality of stored filter rules. The cache stores each of the plurality of stored keys and at least one stored action in each bin of a portion of the bins.

Abstract: A method and system for determining whether to enforce a plurality of filter rules for a packet including a key in a computer network is disclosed. Each of the plurality of filter rules has a priority. The method and system include accumulating statistics for each of the plurality of filter rules. The statistics indicate a frequency of enforcement for each of the plurality of filter rules. The method and system also include placing the plurality of filter rules in an order for testing against the key. The order is based on the frequency of each filter rule of the portion of the plurality of filter rules. Consequently, more frequently enforced filter rules may be tested first.

Abstract: This process accepts rule domination declarations and subjects rules to a computer program which either finds a type of administrative error (cyclic domination) or assigns a priority number to each rule so that any two rules which intersect (some key fits both rules) have necessarily different priority numbers. In the case that priority numbers are assigned, the process goes on to check for a second type of administrative error, namely inclusion of a first rule in a second (every key which fits the first rule also fits the second), and with the second having higher priority (so that the first is never referenced). If neither error occurs, then the number of different priority numbers is minimized. Every key when tested by such a rule set with neither error must fit either no rules at all or must fit exactly one rule with highest priority. In the latter case, the action of the unambiguously determined rule can then be applied to the packet represented by the key.

Abstract: A method and system for testing a plurality of filter rules in a computer system is disclosed. The plurality of filter rules is used with a key. Each of the plurality of filter rules is capable of being described using a plurality of bits corresponding to a portion of the key. The plurality of bits can include at least one binary value, at least one wildcard, and at least one boundary symbol. The at least one binary value can be a zero or a one. The method and system include selecting a portion of the plurality of filter rules that the key can match by testing part of the key against a portion of the plurality of bits and explicitly testing the key against the portion of the plurality of filter rules. A first bit of the portion of the plurality of bits has a first maximum number of the at least one binary symbol for the plurality of filter rules.

Abstract: The effectiveness of a Network Processor to process data at media speed is enhanced by partitioning a Rules Database, used to filter and/or forward frames, into at least one set of Almost-Exact Rules and Other Rules. The Almost-Exact Rules are processed by a Full Match (FM) Tree Search Algorithm and the Other Rules are processed by a Software Managed Tree (SMT) algorithm.

Abstract: A classification system includes a software managed tree testing bits from a key which labels an item. The bits are chosen by application of the Choice Bit Algorithm to the Rules in a Database of Rules. A controller including logic parses an unknown Key for bits to be tested in the decision nodes of a binary tree. Tests dictated by the tree are conducted in a predetermined way until all but one Rule from the database or all but a few Rules from the database are eliminated from consideration, whereupon the Key is fully tested by the one remaining Rule or in a lattice constructed of the remaining plurality of Rules, to determine an action to enforce on the item. Certain compare tests are used in the binary tree for the case that otherwise identical or similar rules are applied to integer ranges of key values which do not fall upon power of 2 boundaries.