Patents by Inventor Soner Sevinc
Soner Sevinc has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11012420
Abstract: A method of enforcing security rules for a packet on a host is provided. The method at a security service dispatcher, determines a dispatching action on a packet for each of a group of security services. Each security service is for enforcing a set of security rules on each packet. The method for each security service, sends the packet to the security service when the dispatch rule for the security service indicates that the set of security rules of the security service has to be enforced on the packet. The method for each security service, bypasses the enforcement of the security rules of the security service when the dispatch rule for the security service indicates that the set of security rules of the security service has to be bypassed for the packet.
Type: Grant
Filed: November 15, 2017
Date of Patent: May 18, 2021
Assignee: NICIRA, INC.
Inventors: Soner Sevinc, Yang Song
-
Patent number: 10757077
Abstract: A method for performing stateful processing of a packet at a flow-based managed forwarding element (MFE) is provided. The method sends a first packet from the MFE to a connection tracker that stores headers of a set of original direction packets that each established a new connection. The method receives, from the connection tracker, the first packet with the header of an original direction packet associated with the first packet appended to the first packet. The header of the original direction packet includes (i) a second set of IP addresses different than a first set of IP addresses of the first packet and (ii) stateful connection status information. The method replaces a first set of IP addresses of the first packet with the second set of IP addresses and performs a matching operation on the packet based on the second set of IP addresses and the stateful connection status information.
Type: Grant
Filed: November 15, 2017
Date of Patent: August 25, 2020
Assignee: NICIRA, INC.
Inventors: Jarno Rajahalme, Jonathan Stringer, Soner Sevinc, Ben Pfaff, Justin Pettit
-
Patent number: 10708229
Abstract: A method of revalidating a connection tracking table of a flow-based managed forwarding element (MFE) that stores a set of firewall rules associated with each of a set of network connections and a connection table that stores a firewall rule identification and a set of state values associated with each of said network connections. The method receives a change in one or more firewall rules stored at the MFE. The method receives a packet that requires stateful firewall rule check on a particular connection after the change in the firewall rules. When the rule identification retrieved from the connection table is not the same as the new firewall rule associated with the particular connection, the method updates the firewall rule identification and the set of state values associated the particular connection using the new firewall rule identification associated with the particular connection.
Type: Grant
Filed: November 15, 2017
Date of Patent: July 7, 2020
Assignee: NICIRA, INC.
Inventors: Soner Sevinc, Yang Song, Jonathan Stringer
-
Publication number: 20190149516
Abstract: A method for performing stateful processing of a packet at a flow-based managed forwarding element (MFE) is provided. The method sends a first packet from the MFE to a connection tracker that stores headers of a set of original direction packets that each established a new connection. The method receives, from the connection tracker, the first packet with the header of an original direction packet associated with the first packet appended to the first packet. The header of the original direction packet includes (i) a second set of IP addresses different than a first set of IP addresses of the first packet and (ii) stateful connection status information. The method replaces a first set of IP addresses of the first packet with the second set of IP addresses and performs a matching operation on the packet based on the second set of IP addresses and the stateful connection status information.
Type: Application
Filed: November 15, 2017
Publication date: May 16, 2019
Inventors: Jarno Rajahalme, Jonathan Stringer, Soner Sevinc, Ben Pfaff, Justin Pettit
-
Publication number: 20190149512
Abstract: A method of enforcing security rules for a packet on a host is provided. The method at a security service dispatcher, determines a dispatching action on a packet for each of a group of security services. Each security service is for enforcing a set of security rules on each packet. The method for each security service, sends the packet to the security service when the dispatch rule for the security service indicates that the set of security rules of the security service has to be enforced on the packet. The method for each security service, bypasses the enforcement of the security rules of the security service when the dispatch rule for the security service indicates that the set of security rules of the security service has to be bypassed for the packet.
Type: Application
Filed: November 15, 2017
Publication date: May 16, 2019
Inventors: Soner Sevinc, Yang Song
-
Publication number: 20190149518
Abstract: A method of revalidating a connection tracking table of a flow-based managed forwarding element (MFE) that stores a set of firewall rules associated with each of a set of network connections and a connection table that stores a firewall rule identification and a set of state values associated with each of said network connections. The method receives a change in one or more firewall rules stored at the MFE. The method receives a packet that requires stateful firewall rule check on a particular connection after the change in the firewall rules. When the rule identification retrieved from the connection table is not the same as the new firewall rule associated with the particular connection, the method updates the firewall rule identification and the set of state values associated the particular connection using the new firewall rule identification associated with the particular connection.
Type: Application
Filed: November 15, 2017
Publication date: May 16, 2019
Inventors: Soner Sevinc, Yang Song, Jonathan Stringer
-
Patent number: 10275273
Abstract: Certain embodiments described herein are generally directed to normalizing service rules across multiple virtual interfaces (VIFs). For example, certain embodiments described herein relate to a method for managing service rules. The method may include receiving a plurality of service rules for a set of VIFs, wherein each service rule corresponds to at least one network address and grouping the network addresses into non-overlapping groups of network addresses, wherein the grouping is performed over the service rules corresponding to the set of VIFs. In certain embodiments, flow entries may be generated based on the grouping of the network addresses.
Type: Grant
Filed: October 28, 2016
Date of Patent: April 30, 2019
Assignee: Nicira, Inc.
Inventor: Soner Sevinc
-
Patent number: 10225106
Abstract: Certain embodiments described herein are generally directed to a hypervisor-wide data structure that holds service rule address information for multiple VIFs in a compact way, which can later be processed per-VIF, in order to perform VIF-specific address group updates. For example, certain embodiments described herein provide a network controller that maintains a global hash table for multiple VIFs that maps network addresses to groups of one or more service rules. In certain embodiments, a network address to service rules table for each VIF may be derived based on the global hash table by using set intersections.
Type: Grant
Filed: November 29, 2016
Date of Patent: March 5, 2019
Assignee: VMware, Inc.
Inventors: Soner Sevinc, Anupam Chanda, Pankaj Thakkar, Boon Ang
-
Patent number: 10135727
Abstract: Some embodiments provide a method for a network controller that manages a flow-based managed forwarding element (MFE). The method receives multiple service rules for implementation by the MFE. Each service rule matches over a set of network addresses. At least one network address is in the set of network addresses for at least two service rules. The method groups the network addresses into non-overlapping groups of network addresses, each of which addresses that are all matched by only a same set of service rules. The method generates flow entries that match over the groups of network addresses for the MFE to use to implement the service rules.
Type: Grant
Filed: April 29, 2016
Date of Patent: November 20, 2018
Assignee: NICIRA, INC.
Inventors: Natasha Gude, Soner Sevinc, Igor Ganichev, Anuprem Chalvadi
-
Publication number: 20180152321
Abstract: Certain embodiments described herein are generally directed to a hypervisor-wide data structure that holds service rule address information for multiple VIFs in a compact way, which can later be processed per-VIF, in order to perform VIF-specific address group updates. For example, certain embodiments described herein provide a network controller that maintains a global hash table for multiple VIFs that maps network addresses to groups of one or more service rules. In certain embodiments, a network address to service rules table for each VIF may be derived based on the global hash table by using set intersections.
Type: Application
Filed: November 29, 2016
Publication date: May 31, 2018
Inventors: Soner SEVINC, Anupam CHANDA, Pankaj THAKKAR, Boon ANG
-
Publication number: 20180124112
Abstract: Certain embodiments described herein are generally directed to normalizing service rules across multiple virtual interfaces (VIFs). For example, certain embodiments described herein relate to a method for managing service rules. The method may include receiving a plurality of service rules for a set of VIFs, wherein each service rule corresponds to at least one network address and grouping the network addresses into non-overlapping groups of network addresses, wherein the grouping is performed over the service rules corresponding to the set of VIFs. In certain embodiments, flow entries may be generated based on the grouping of the network addresses.
Type: Application
Filed: October 28, 2016
Publication date: May 3, 2018
Inventor: Soner SEVINC
-
Publication number: 20170317928
Abstract: Some embodiments provide a method for a network controller that manages a flow-based managed forwarding element (MFE). The method receives multiple service rules for implementation by the MFE. Each service rule matches over a set of network addresses. At least one network address is in the set of network addresses for at least two service rules. The method groups the network addresses into non-overlapping groups of network addresses, each of which addresses that are all matched by only a same set of service rules. The method generates flow entries that match over the groups of network addresses for the MFE to use to implement the service rules.
Type: Application
Filed: April 29, 2016
Publication date: November 2, 2017
Inventors: Natasha Gude, Soner Sevinc, Igor Ganichev, Anuprem Chalvadi