公开(公告)号：US20250036439A1

公开(公告)日：2025-01-30

申请号：US18229644

申请日：2023-08-02

Applicant: VMware LLC

Inventor： Pierluigi Rolando ,  Peng Li ,  Boon S. Ang ,  Guolin Yang ,  Wenyi Jiang ,  Yuxiao Zhang ,  Raju Koganty ,  Subrahmanyam Manuguri ,  Kok Pyng Liew ,  Jin Heo ,  Srinath Suriyanarayanan Thillaisthanam

IPC: G06F9/455 ,  H04L41/0897

Abstract: Some embodiments provide a novel method for migrating virtual machines (VMs) from a first host computer to a second host computer. The first host computer is connected to a physical network interface card (PNIC) that performs middlebox service operations for flows associated with the VMs. At the PNIC, the method receives a notification that a VM is to be migrated from the first to the second host computer. The method configures an embedded hardware switch of the PNIC to forward a set of flows associated with the VM to a firewall of the PNIC. The embedded hardware switch was initially programmed to process the set of flows instead of the firewall. The method synchronizes flow cache information regarding the set of flows from the embedded hardware switch to the firewall. The method processes the set of flows at the firewall until the VM is migrated to the second host computer.

公开(公告)号：US20250039140A1

公开(公告)日：2025-01-30

申请号：US18229647

申请日：2023-08-02

Applicant: VMware LLC

Inventor： Pierluigi Rolando ,  Peng Li ,  Boon S. Ang ,  Guolin Yang ,  Wenyi Jiang ,  Yuxiao Zhang ,  Raju Koganty ,  Subrahmanyam Manuguri ,  Kok Pyng Liew ,  Jin Heo ,  Srinath Suriyanarayanan Thillaisthanam

IPC: H04L9/40

Abstract: Some embodiments provide a novel method for using connection tracking records to process data messages at a physical network interface card (PNIC) connected to a host computer. A first software firewall of the PNIC determines whether processing of a flow is passable to a second software firewall of the PNIC and to a third hardware firewall of the PNIC. The first software firewall creates a connection tracking record for the flow and data specifying whether processing of the flow is passable to the second software firewall and independently whether processing of the flow is passable to the third hardware firewall. The first software firewall provides the connection tracking record and said data to the second software firewall of the PNIC so that the second software firewall processes the flow or passes the connection tracking record and the data to the third hardware firewall if determination was that the flow is passable to the third hardware firewall.

公开(公告)号：US20250039139A1

公开(公告)日：2025-01-30

申请号：US18229646

申请日：2023-08-02

Applicant: VMware LLC

Inventor： Pierluigi Rolando ,  Peng Li ,  Boon S. Ang ,  Guolin Yang ,  Wenyi Jiang ,  Yuxiao Zhang ,  Raju Koganty ,  Subrahmanyam Manuguri ,  Kok Pyng Liew ,  Jin Heo ,  Srinath Suriyanarayanan Thillaisthanam

IPC: H04L9/40

Abstract: Some embodiments provide a novel method for updating firewall rules for data message flows processed at a physical network interface card (PNIC) connected to a host computer. A firewall of the PNIC receives an update to a particular firewall rule. The firewall identifies a particular data message flow that is processed at an embedded hardware switch of the PNIC using the particular firewall rule. The firewall updates a flow record associated with the particular data message flow to reflect the received update to the particular firewall rule. The firewall provides the updated flow record to the embedded hardware switch for the embedded hardware switch to process the particular flow according to the received update.

公开(公告)号：US20250039129A1

公开(公告)日：2025-01-30

申请号：US18229645

申请日：2023-08-02

Applicant: VMware LLC

Inventor： Pierluigi Rolando ,  Peng Li ,  Boon S. Ang ,  Guolin Yang ,  Wenyi Jiang ,  Yuxiao Zhang ,  Raju Koganty ,  Subrahmanyam Manuguri ,  Kok Pyng Liew ,  Jin Heo ,  Srinath Suriyanarayanan Thillaisthanam

IPC: H04L9/40 ,  G06F9/455

Abstract: Some embodiments provide a novel method for processing flows at an embedded hardware switch of a physical network interface card (PNIC) connected to a host computer. A firewall of the PNIC detects an end of a particular data message flow associated with a particular VM of the host computer. Processing of the particular data message flow was offloaded from the firewall to an embedded hardware switch of the PNIC. After detecting the end of the particular data message flow, the firewall ends offloading of the particular data message flow by deleting a first flow record stored at the embedded hardware switch for the particular data message flow. The firewall deletes a second flow record stored at the first firewall for the particular data message flow.

公开(公告)号：US20240231865A1

公开(公告)日：2024-07-11

申请号：US18150342

申请日：2023-01-05

Applicant: VMware LLC

Inventor： Ronak Doshi ,  Cheng-Chun Tu ,  Guolin Yang ,  Boon Seong Ang ,  Peng Li

IPC: G06F9/455 ,  H04L69/22

CPC classification number: G06F9/45533 ,  H04L69/22

Abstract: Described herein are systems, methods, and software to offload an eXpress Data Path (XDP) operation from a virtual machine to the hypervisor or smart network interface on the host. In one implementation, a method includes, in a virtual machine on a host, passing an XDP configuration for the virtual machine to a hypervisor on the host. The method further includes, in the hypervisor initiating a process to implement the XDP configuration, identifying a packet directed to the virtual machine, and applying the process to the packet to determine an action for the packet.

公开(公告)号：US20250039128A1

公开(公告)日：2025-01-30

申请号：US18229633

申请日：2023-08-02

Applicant: VMware LLC

Inventor： Pierluigi Rolando ,  Peng Li ,  Boon S. Ang ,  Guolin Yang ,  Wenyi Jiang ,  Yuxiao Zhang ,  Raju Koganty ,  Subrahmanyam Manuguri ,  Kok Pyng Liew ,  Jin Heo ,  Srinath Suriyanarayanan Thillaisthanam

IPC: H04L9/40 ,  G06F9/455

Abstract: Some embodiments provide a novel method for offloading firewall operations from a host computer executing a set of one or more virtual machines (VMs) to a physical network interface card (PNIC) connected to the host computer. The method configures, on the PNIC, a first firewall to determine actions to perform on flows associated with the set of VMs, and to offload processing of the flows to a flow-cache second firewall of the PNIC. The method configures, on the PNIC, the flow-cache second firewall to process a first set of flows based on a first set of actions determined by the first firewall, and to offload processing of a second set of flows to an embedded hardware switch of the PNIC. The method configures, on the PNIC, the embedded hardware switch to process the second set of flows based on a second set of actions determined by the first firewall.