Juniper Networks, Inc.
Determining synchronization of filter rules (e.g., on iptable filter tables on Linux kernal) across firewall filter application restarts

Abstract:

Filter synchronization across a restart of a firewall filter application for converting filter information for filters into corresponding iptables filter table rules, is ensured by (1) computing a hash value for filter information derived from a filter using the filter or information derived from the filter, (2) determining an iptables filter table rule using the filter information for the filter, (3) associating the hash value with the corresponding iptables filter table rule, and (4) adding the determined iptables filter table rule and the hash value to iptables filter table rules in a Linux kernel. When a restart of the firewall filter application is detected, (1) a current instance of filter information derived from a current instance of the filter is obtained, (2) a hash value for the current instance of filter information is computed using the current instance of the filter or information derived from the current instance of the filter, (3) the hash value for the filter information is obtained from the iptables rules, and (4) whether the hash value for the current instance of the filter information is the same as the hash value for the filter information is determined. If it is determined that the hash value for the current instance of the filter information is not the same as the hash value for the filter information, then (1) a new iptables rule for the current instance of the filter information is determined, and (2) the iptables filter rule and the hash value in the iptables rules is replaced with the new iptables rule and the hash value for the current instance of the filter information.