CPC H04L 63/0254 (2013.01) [H04L 43/028 (2013.01); H04L 63/0263 (2013.01); H04L 69/22 (2013.01); H04L 69/326 (2013.01)]; 20 claims
1. A non-transitory machine-readable medium storing a program which when executed by one or more processing units statefully classifies network packets belonging to transport layer connections, the program comprising sets of instructions for:
receiving, from a physical network interface controller (PNIC), (i) an incoming packet and (ii) a set of identifiers generated for the incoming packet by a stateless lookup operation performed at the PNIC using identifiers of a transport layer connection to which the incoming packet belongs;
determining whether a connection-tracking data storage stores any record for the transport layer connection;
when the data storage stores a record for the transport layer connection, performing a first stateful operation on the incoming packet based on a first action specified by the stored record; and
when the data storage does not store any record for the transport layer connection, (i) using the received set of identifiers generated by the PNIC to identify a rule applicable to the incoming packet, (ii) performing a second stateful operation on the incoming packet based on a second action specified by the identified rule, and (iii) storing a new record in the connection-tracking data storage for the transport layer connection to which the incoming packet belongs, the new record for use in performing stateful operations on subsequent packets belonging to the transport layer connection.
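The claim describes a two-tier classifier: the PNIC performs a stateless match on the connection's transport-layer identifiers and hands the host a set of identifiers, and the host consults a connection-tracking store first, falling back to the NIC-supplied identifiers only when no record exists. The following Python model is an added example, not code from the patent or from any product; the rule table, the `Packet`, `Rule` and `StatefulClassifier` names, and the choice to return matched rule identifiers from the NIC lookup are assumptions made for illustration.

```python
"""Model of a stateful classifier with a stateless PNIC pre-lookup.

Added example; not code from the patent. All names and the rule table
are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str        # "tcp" or "udp"
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    rule_id: int
    proto: Optional[str]      # None matches any protocol
    dst_port: Optional[int]   # None matches any port
    action: str               # "allow" or "drop"
    priority: int             # higher wins


# Constructed rule table (assumption): default deny at lowest priority.
RULES: List[Rule] = [
    Rule(10, "tcp", 443, "allow", priority=100),
    Rule(20, "tcp", 22, "allow", priority=100),
    Rule(30, "udp", 53, "allow", priority=50),
    Rule(99, None, None, "drop", priority=0),
]


def nic_stateless_lookup(pkt: Packet, rules: List[Rule] = RULES) -> FrozenSet[int]:
    """Model of the PNIC's stateless lookup: match the packet's transport-layer
    identifiers against the rule table with no memory of earlier packets and
    return the identifiers of every matching rule to the host."""
    hits = set()
    for r in rules:
        if (r.proto is None or r.proto == pkt.proto) and \
           (r.dst_port is None or r.dst_port == pkt.dst_port):
            hits.add(r.rule_id)
    return frozenset(hits)


def conn_key(pkt: Packet) -> Tuple:
    """Direction-independent connection key so reply packets hit the same record."""
    a = (pkt.src_ip, pkt.src_port)
    b = (pkt.dst_ip, pkt.dst_port)
    return (pkt.proto,) + tuple(sorted([a, b]))


class StatefulClassifier:
    """Host-side classifier: conntrack first, NIC identifiers on a miss."""

    def __init__(self, rules: List[Rule] = RULES):
        self.rules_by_id = {r.rule_id: r for r in rules}
        self.conntrack: Dict[Tuple, dict] = {}

    def classify(self, pkt: Packet, nic_ids: FrozenSet[int]) -> Tuple[str, str]:
        """Return (action, source) where source records which path decided."""
        key = conn_key(pkt)
        record = self.conntrack.get(key)
        if record is not None:
            # First stateful operation: act on the stored record. The NIC
            # identifiers are ignored for an already-tracked connection.
            record["packets"] += 1
            return record["action"], "conntrack"

        # No record: only rules the NIC reported are candidates; pick the
        # highest priority one, then create the record for later packets.
        candidates = [self.rules_by_id[i] for i in nic_ids if i in self.rules_by_id]
        if not candidates:
            # Fail closed if the NIC reports nothing usable; do not create
            # state for a packet nothing matched.
            return "drop", "no-rule"
        best = max(candidates, key=lambda r: r.priority)
        self.conntrack[key] = {"action": best.action,
                               "rule_id": best.rule_id,
                               "packets": 1}
        return best.action, "rule"


if __name__ == "__main__":
    clf = StatefulClassifier()
    syn = Packet("10.0.0.5", "10.0.0.9", "tcp", 51000, 443)
    print(clf.classify(syn, nic_stateless_lookup(syn)))      # allow via rule
    reply = Packet("10.0.0.9", "10.0.0.5", "tcp", 443, 51000)
    print(clf.classify(reply, nic_stateless_lookup(reply)))  # allow via conntrack
```

The reply packet is the instructive case: its stateless lookup matches only the default-deny rule (the destination port is the client's ephemeral port), yet it is allowed because the conntrack record created by the first packet is consulted before the NIC-supplied identifiers. Two caveats a practitioner would check: the claim stores a record for every new connection including dropped ones, which in a real deployment needs a bound or timeout so that a flood of unmatched flows cannot exhaust the store; and because established-connection handling bypasses rule evaluation, rule updates must also invalidate or re-evaluate affected records, or old decisions persist for the connection's lifetime.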