1. Field of the Invention
The present invention relates generally to data communications, and specifically to apparatus and methods for filtering data packets received from a network.
2. Description of the Related Art
The meanings of certain acronyms and abbreviations used herein are given in Table 1.
TABLE 1
Acronyms and Abbreviations

CPU      Central Processing Unit
CT       Connection Tracking
DDoS     Distributed Denial of Service
DMA      Direct Memory Access
FTP      File Transmission Protocol
IETF     Internet Engineering Task Force
IP       Internet Protocol
NAT      Network Address Translation
NIC      Network Interface Controller
OVS      Open V-Switch
PCIe     Peripheral Component Interconnect Express
QP       Queue Pair
RAM      Random Access Memory
RDMA     Remote Direct Memory Access
RFC      Request For Comments
SCTP     Stream Control Transmission Protocol
SFW      Stateful Firewall
SR-IOV   Single-Root I/O Virtualization
TCP      Transmission Control Protocol
UDP      User Datagram Protocol
VM       Virtual Machine
VMM      Virtual Machine Monitor
vNIC     Virtual NIC
WQE      Work Queue Element
A network interface controller (NIC) is a device that manages and transfers communications between a host computer (referred to alternatively simply as a “host”) and a network, such as a local area network or switch fabric. The NIC directs packets from the network to their destination in the computer, for example by placing the packets in a buffer of a destination application in the computer memory, and directs outgoing packets to the network.
Some NICs are capable of filtering packets received from the network, and can thus perform access control and firewall functions on behalf of the host computer. For example, U.S. Patent Application Publication 2015/0358290 describes a method for stateful packet classification that uses hardware resources for performing stateful connection flow handshaking. To classify an incoming packet from a network, some embodiments perform stateless look-up operations for the incoming packet in hardware and forward the result of the stateless look-up to the software. The software in turn uses the result of the stateless look-up to perform the stateful connection flow handshaking and to determine the result of the stateful packet classification.