Patent · US Active

Apparatus, system, and method for applying firewall rules at dynamic offsets within packets in kernel space

US10798059B1 · kind B1 · utility

Cited by: 16
References: 1
Claims: 20
Family size: 0

Assignee

Inventors

Key dates

Filing date: Oct 6, 2017
Grant date: Oct 6, 2020
Priority date
Expiry date: Jun 21, 2038

Classification

  • Technology area (CPC H): Electricity
  • CPC primary: H04L69/329
  • WIPO field: Digital communication
  • WIPO sector: Electrical engineering

Abstract

A disclosed method may include (1) receiving a packet at a tunnel driver in kernel space on a routing engine of a network device, (2) identifying, at the tunnel driver, metadata of the packet that indicates whether at least one firewall filter had already been correctly applied to the packet before the packet arrived at the tunnel driver, (3) determining, based at least in part on the metadata of the packet, that the firewall filter had not been correctly applied to the packet before the packet arrived at the tunnel driver, and then in response to determining that the firewall filter had not been correctly applied to the packet, (4) invoking at least one firewall filter hook that applies at least one firewall rule on the packet before the packet is allowed to exit kernel space on the routing engine. Various other apparatuses, systems, and methods are also disclosed.

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.