Abstract: This invention relates to a method, system and computer program product for managing a service message in a service oriented architecture system including a service provider, a service consumer and a set of control services, the method, system and computer program product comprising the following steps: receiving a service message; selecting a group of rules from a set of rule groups depending on the type of service message; selecting a control service from a set of control services and instructing the selected control service according to one or more of the rules from the selected rules group applied to the service message.

Abstract: The invention is directed to techniques for managing filter rules applied to network traffic at a network device. A network device merges multiple filter rules associated with separate filter matching modules to reduce lookup cycles in a forwarding path of the network device. The network device may thus simultaneously apply multiple filter rules in a reduced number of clock cycles. A network device comprises an interface that receives packets from a network, a filter memory that stores a plurality of filters, and a plurality of filter matching modules that apply the filters to packets in a forwarding path of the network device. A filter control module merges two or more filters each associated with a different one of the filter matching modules into a single merged filter, and stores the merged filter to the filter memory. The network device applies the merged filter to packets in the forwarding path.

Abstract: A device may select a longest run of contiguous unwritten pages from multiple runs of contiguous unwritten pages provided in a ternary content addressable memory, and may write a rule on a page that is located at a middle portion of the longest run to create two runs of contiguous unwritten pages. The device may also receive a packet, and may apply the rule to the packet.

Abstract: A network device, such as a firewall, may be configured to filter network traffic. The filter may include regular expressions that are converted by the firewall into a format that can be stored in a ternary content addressable memory. In one exemplary implementation, the filter definition may include one or more input regular expressions that include variables that are compared to a result based on an equality/inequality relationship, where multiple variables are combined using logical operations selected from a set of logical operations including (but not limited to) logical AND and logical OR operations. The firewall may convert the input regular expressions into a format in which the equality/inequality relationships are converted to a pure equality relationship and the multiple variables are combined using only logical OR operations. The firewall may program the ternary content-addressable memory to implement the filter based on the converted one or more input regular expressions.

Abstract: The invention is directed to techniques for managing filter rules applied to network traffic at a network device. A network device merges multiple filter rules associated with separate filter matching modules to reduce lookup cycles in a forwarding path of the network device. The network device may thus simultaneously apply multiple filter rules in a reduced number of clock cycles. A network device comprises an interface that receives packets from a network, a filter memory that stores a plurality of filters, and a plurality of filter matching modules that apply the filters to packets in a forwarding path of the network device. A filter control module merges two or more filters each associated with a different one of the filter matching modules into a single merged filter, and stores the merged filter to the filter memory. The network device applies the merged filter to packets in the forwarding path.

Abstract: A network device allocates a particular number of memory blocks in a ternary content-addressable memory (TCAM) of the network device to each database of multiple databases, and creates a list of additional memory blocks in an external TCAM of the network device. The network device also receives, by the external TCAM, a request for an additional memory block to provide one or more rules from one of the multiple databases, and allocates, by the external TCAM and to the requesting database, an additional memory block from the list of additional memory blocks.

Abstract: Systems and methods consistent with the present invention provide better scheme for updating access control list (ACL) rule entries in a ternary content addressable memory (TCAM). In a firewall, ACL rules are scanned for each packet arriving in a router or switch to determine if a match exists between the packet and any of the patterns. Depending on the pattern matched, the corresponding action may be either to accept or to deny the packet. These rules are stored in a TCAM, and new or updated rules may be added to the TCAM. Systems and methods consistent with the present invention determine whether the new or updated rule has a dependency conflict with existing rules in the TCAM. If not, the rule can be inserted anywhere in the TCAM. Accordingly, the TCAM associated with a firewall's ACL can be updated more quickly and efficiently.

Abstract: This invention relates to a method, system and computer program product for managing a service message in a service oriented architecture system including a service provider, a service consumer and a set of control services, the method, system and computer program product comprising the following steps: receiving a service message; selecting a group of rules from a set of rule groups depending on the type of service message; selecting a control service from a set of control services and instructing the selected control service according to one or more of the rules from the selected rules group applied to the service message.