Abstract: A method for performing stateful processing of a packet at a flow-based managed forwarding element (MFE) is provided. The method sends a first packet from the MFE to a connection tracker that stores headers of a set of original direction packets that each established a new connection. The method receives, from the connection tracker, the first packet with the header of an original direction packet associated with the first packet appended to the first packet. The header of the original direction packet includes (i) a second set of IP addresses different than a first set of IP addresses of the first packet and (ii) stateful connection status information. The method replaces a first set of IP addresses of the first packet with the second set of IP addresses and performs a matching operation on the packet based on the second set of IP addresses and the stateful connection status information.

Abstract: A method of revalidating a connection tracking table of a flow-based managed forwarding element (MFE) that stores a set of firewall rules associated with each of a set of network connections and a connection table that stores a firewall rule identification and a set of state values associated with each of said network connections. The method receives a change in one or more firewall rules stored at the MFE. The method receives a packet that requires stateful firewall rule check on a particular connection after the change in the firewall rules. When the rule identification retrieved from the connection table is not the same as the new firewall rule associated with the particular connection, the method updates the firewall rule identification and the set of state values associated the particular connection using the new firewall rule identification associated with the particular connection.

Abstract: Certain embodiments described herein are generally directed to configuring an extended Berkeley Packet Filter (eBPF) fast path. In some embodiments, a fixed-length array of actions is generated and loaded into the eBPF fast path, where each element of the array indicates a type of action for execution on a packet received by the eBPF fast path. In some embodiments, the eBPF fast path is loaded with a number of eBPF programs, each configured to execute a different type of action.

Abstract: A method for performing stateful processing of a packet at a flow-based managed forwarding element (MFE) is provided. The method sends a first packet from the MFE to a connection tracker that stores headers of a set of original direction packets that each established a new connection. The method receives, from the connection tracker, the first packet with the header of an original direction packet associated with the first packet appended to the first packet. The header of the original direction packet includes (i) a second set of IP addresses different than a first set of IP addresses of the first packet and (ii) stateful connection status information. The method replaces a first set of IP addresses of the first packet with the second set of IP addresses and performs a matching operation on the packet based on the second set of IP addresses and the stateful connection status information.

Abstract: A method of revalidating a connection tracking table of a flow-based managed forwarding element (MFE) that stores a set of firewall rules associated with each of a set of network connections and a connection table that stores a firewall rule identification and a set of state values associated with each of said network connections. The method receives a change in one or more firewall rules stored at the MFE. The method receives a packet that requires stateful firewall rule check on a particular connection after the change in the firewall rules. When the rule identification retrieved from the connection table is not the same as the new firewall rule associated with the particular connection, the method updates the firewall rule identification and the set of state values associated the particular connection using the new firewall rule identification associated with the particular connection.

Abstract: Certain embodiments described herein are generally directed to configuring an extended Berkeley Packet Filter (eBPF) fast path. In some embodiments, a fixed-length array of actions is generated and loaded into the eBPF fast path, where each element of the array indicates a type of action for execution on a packet received by the eBPF fast path. In some embodiments, the eBPF fast path is loaded with a number of eBPF programs, each configured to execute a different type of action.

Abstract: Some embodiments provide a method for performing stateful processing of a packet at a flow-based managed forwarding element (MFE). The method receives a packet at the MFE without stateful connection status information. The method sends the packet to a module separate from the MFE that stores stateful connection information for a plurality of connections. The method receives the packet from the module with stateful connection status information appended to the packet. The method performs an action on the packet based on the appended stateful connection status information.

Abstract: Some embodiments provide a method for performing stateful processing of a packet at a flow-based managed forwarding element (MFE). The method receives a packet at the MFE without stateful connection status information. The method sends the packet to a module separate from the MFE that stores stateful connection information for a plurality of connections. The method receives the packet from the module with stateful connection status information appended to the packet. The method performs an action on the packet based on the appended stateful connection status information.