-
Publication (Announcement) No.: US11916880B1
Publication (Announcement) Date: 2024-02-27
Application No.: US16448459
Application Date: 2019-06-21
Applicant: Amazon Technologies, Inc.
Inventor: Stewart Allen, Dheerendra Talur, Venkat Maithreya Paritala, Joseph Magerramov, Anthony Liguori
CPC classification number: H04L63/0263, G06F9/45558, H04L63/0236, H04L63/101, G06F2009/45595
Abstract: Techniques for compiling firewall rules into byte code or assembly code that can be loaded into cache memory of a processor and executed to evaluate received data packets. Rather than representing firewall rules in mid- or high-level languages stored in main memory, the techniques described herein include compiling the firewall rules into bytecode or assembly code, and distributing the code to the data plane. A packet-processing device may load the code representing the firewall rules into instruction cache of the processor. Further, the packet-processing device receives a data packet and extracts packet context data indicating attributes of the packet, and loads the packet context data into a data cache of the processor. The processor can then execute the byte code or assembly code representing the firewall rules to evaluate the packet context data without having to access main memory to determine whether to allow or block the data packet.
-
Publication (Announcement) No.: US11119739B1
Publication (Announcement) Date: 2021-09-14
Application No.: US16448523
Application Date: 2019-06-21
Applicant: Amazon Technologies, Inc.
Inventor: Stewart Allen, Dheerendra Talur, Venkat Maithreya Paritala, Joseph Magerramov, Anthony Liguori
Abstract: Techniques for compiling firewall rules into byte code or assembly code that can be loaded into cache memory of a processor and executed to evaluate received data packets. Rather than representing firewall rules in mid- or high-level languages stored in main memory, the techniques described herein include compiling the firewall rules into bytecode or assembly code, and distributing the code to the data plane. A packet-processing device may load the code representing the firewall rules into instruction cache of the processor. Further, the packet-processing device receives a data packet and extracts packet context data indicating attributes of the packet, and loads the packet context data into a data cache of the processor. The processor can then execute the byte code or assembly code representing the firewall rules to evaluate the packet context data without having to access main memory to determine whether to allow or block the data packet.
-