Abstract: Systems, devices, and methods are discussed for identifying security policies applicable to a received information packet based upon a dual bitmap scheme accounting for bit position mergers and/or policies common to multiple bit positions.

Abstract: Systems, devices, and methods are discussed for classifying a number of security policies in relation to criteria for applying those security policies to yield a dual bitmap scheme representing a correlation between security policies and one or more criteria.

Abstract: Systems and methods for programming a network device using a domain-specific language (DSL) are provided. According to one embodiment, source code in a form of a DSL, describing a slow-path task that is to be performed by a network device, is received by a processing resource. A determination is made regarding one or more types of processors are available within the network device to implement the slow-path task. For each portion of the source code, a preferred type of processor is determined by which the portion of the source code would be most efficiently implemented. When the preferred type of processor is available within the network device, executable code is generated targeting the preferred type of processor based on the portion of the source code; otherwise, intermediate code is generated in a form of a high-level programming language, targeting a general purpose processor of the network device.

Abstract: Systems and methods for programming a network device using a domain-specific language (DSL) are provided. According to one embodiment, source code in a form of a DSL, describing a slow-path task that is to be performed by a network device, is received by a processing resource. A determination is made regarding one or more types of processors are available within the network device to implement the slow-path task. For each portion of the source code, a preferred type of processor is determined by which the portion of the source code would be most efficiently implemented. When the preferred type of processor is available within the network device, executable code is generated targeting the preferred type of processor based on the portion of the source code; otherwise, intermediate code is generated in a form of a high-level programming language, targeting a general purpose processor of the network device.

Abstract: Systems and methods for generating design verification test cases using a restricted randomization process are provided. According to one embodiment, a processor of a hardware design verification system receives a set of restrictions and defines a scenario involving the values that is to be excluded from the test case. The processor also receives pre-assigned values for one or more variables. For each variable other than the one or more variables, the processor assigns a first random value to the variable that is within a valid range for the variable. The processor then identifies a conflict between a first pair of variables, and resolves the conflict by assigning a second random value to a first variable or a second variable of the first pair of variables within their respective valid ranges.

Abstract: Systems and methods for accelerating computer network policy searching are provided. According to one embodiment, a packet is received by a policy search engine (PSE) of a packet processing device. A set of candidate policies are identified from among multiple policies of the packet processing device by screening the multiple policies by a speculation unit of the PSE based on metadata associated with the received packet. Finally, a matching policy for the received packet is identified by a policy search processor (PSP) of the PSE by executing policy-search-specific instructions and general purpose instructions.

Abstract: Systems and methods for accelerating computer network policy searching are provided. According to one embodiment, a packet is received by a policy search engine (PSE) of a packet processing device. A set of candidate policies are identified from among multiple policies of the packet processing device by screening the multiple policies by a speculation unit of the PSE based on metadata associated with the received packet. Finally, a matching policy for the received packet is identified by a policy search processor (PSP) of the PSE by executing policy-search-specific instructions and general purpose instructions.

Abstract: Systems and methods for packet classification hardware acceleration are provided. According to one embodiment, a packet classification hardware accelerator system includes multiple packet classification hardware units, a memory and a cache subsystem. The packet classification hardware units are each capable of operation in parallel on a corresponding decision tree of multiple decision trees that have been derived from respective subsets of a common ruleset defining packet classification rules based on header fields of packets. The memory has stored therein non-leaf nodes, leaf nodes and rules associated with the decision trees. The cache subsystem is coupled in communication with packet classification hardware units and the memory and has stored therein (i) a cached portion of the non-leaf nodes distributed among multiple non-leaf node caches, (ii) a cached set of the leaf nodes in a leaf node cache and (iii) a cached set of the rules.

Abstract: The present invention discloses a rule matching method including: receiving a packet; detecting feature information in content of the packet, and determining whether the detected feature information in the packet conforms to a classification characteristic of one rule group among a plurality of preset rule groups; if yes, determining a state machine corresponding to the one rule group as a first state machine; and determining whether the first state machine is stored in an on-chip memory, and if yes, using the first state machine to match the packet to obtain a matching result; and if no, when an off-chip memory stores the first state machine, loading the first state machine from the off-chip memory into the on-chip memory, and using the first state machine to match the packet to obtain a matching result. Embodiments of the present invention enable a product to achieve better performance.

Abstract: Systems and methods for packet classification hardware acceleration are provided. According to one embodiment, a packet classification hardware accelerator system includes multiple packet classification hardware units, a memory and a cache subsystem. The packet classification hardware units are each capable of operation in parallel on a corresponding decision tree of multiple decision trees that have been derived from respective subsets of a common ruleset defining packet classification rules based on header fields of packets. The memory has stored therein non-leaf nodes, leaf nodes and rules associated with the decision trees. The cache subsystem is coupled in communication with packet classification hardware units and the memory and has stored therein (i) a cached portion of the non-leaf nodes distributed among multiple non-leaf node caches, (ii) a cached set of the leaf nodes in a leaf node cache and (iii) a cached set of the rules.

Abstract: The present invention discloses a rule matching method including: receiving a packet; detecting feature information in content of the packet, and determining whether the detected feature information in the packet conforms to a classification characteristic of one rule group among a plurality of preset rule groups; if yes, determining a state machine corresponding to the one rule group as a first state machine; and determining whether the first state machine is stored in an on-chip memory, and if yes, using the first state machine to match the packet to obtain a matching result; and if no, when an off-chip memory stores the first state machine, loading the first state machine from the off-chip memory into the on-chip memory, and using the first state machine to match the packet to obtain a matching result. Embodiments of the present invention enable a product to achieve better performance.