H04L12/935

PROVIDING SERVICES WITH GUEST VM MOBILITY

Some embodiments provide novel methods for performing services for machines operating in one or more datacenters. For instance, for a group of related guest machines (e.g., a group of tenant machines), some embodiments define two different forwarding planes: (1) a guest forwarding plane and (2) a service forwarding plane. The guest forwarding plane connects to the machines in the group and performs L2 and/or L3 forwarding for these machines. The service forwarding plane (1) connects to the service nodes that perform services on data messages sent to and from these machines, and (2) forwards these data messages to the service nodes. In some embodiments, the guest machines do not connect directly with the service forwarding plane. For instance, in some embodiments, each forwarding plane connects to a machine or service node through a port that receives data messages from, or supplies data messages to, the machine or service node. In such embodiments, the service forwarding plane does not have a port that directly receives data messages from, or supplies data messages to, any guest machine. Instead, in some such embodiments, data associated with a guest machine is routed to a port proxy module executing on the same host computer, and this other module has a service plane port. In some embodiments, this port proxy module can indirectly connect more than one guest machine on the same host to the service plane (i.e., it can serve as the port proxy module for more than one guest machine on the same host).

Load balancing on multi-chip network switch without full bi-section bandwidth
11140098 · 2021-10-05

A network device includes a first network processor that forwards packets based on a first forwarding information table; a second network processor that forwards packets based on a second forwarding information table; a first group of ports operably connected to the first network processor; and a second group of ports operably connected to the second network processor. The first forwarding information table specifies that packets, received by the first network processor, that specify a destination device reachable by the first group of ports and the second group of ports are forwarded by a port of the first group of ports. The second forwarding information table specifies that packets, received by the second network processor, that specify the destination device reachable by the first group of ports and the second group of ports are forwarded by a port of the second group of ports.

System and method to provide homogeneous fabric attributes to reduce the need for SA access in a high performance computing environment

Systems and methods for InfiniBand fabric optimizations to minimize SA access and startup failover times. A system can comprise one or more microprocessors, a first subnet, the first subnet comprising a plurality of switches, a plurality of host channel adapters, a plurality of hosts, and a subnet manager, the subnet manager running on one of the one or more switches and the plurality of host channel adapters. The subnet manager can be configured to determine that the plurality of hosts and the plurality of switches support a same set of capabilities. On such determination, the subnet manager can configure an SMA flag, the flag indicating that a condition can be set for each of the host channel adapter ports.

Methods and apparatus for regulating networking traffic in bursty system conditions

Methods and apparatus for efficient data transfer within a user space network stack. Unlike prior art monolithic networking stacks, the exemplary networking stack architecture described hereinafter includes various components that span multiple domains (both in-kernel, and non-kernel). For example, unlike traditional “socket” based communication, disclosed embodiments can transfer data directly between the kernel and user space domains. Direct transfer reduces the per-byte and per-packet costs relative to socket based communication. A user space networking stack is disclosed that enables extensible, cross-platform-capable, user space control of the networking protocol stack functionality. The user space networking stack facilitates tighter integration between the protocol layers (including TLS) and the application or daemon. Exemplary systems can support multiple networking protocol stack instances (including an in-kernel traditional network stack).

Methods and apparatus for dynamic packet pool configuration in networking stack infrastructures

Methods and apparatus for dynamic packet pool configuration in networking stack architectures. Unlike prior art monolithic memory allocations, embodiments of the present disclosure enable packet pools associated with non-kernel space applications to dynamically allocate additional memory to a given non-kernel space application, or conversely, to de-allocate memory from a given non-kernel space application. Variants also disclose splitting a memory allocation into device accessible portions and kernel accessible portions. Other variants disclose sizing certain segment allocations to be a multiple of a physical address page size. Such a variant enables a single input/output (I/O) bus address lookup for the given segment, minimizing the lookup costs associated with an I/O lookup for that segment.

Relay device
11184297 · 2021-11-23

A relay device includes: multiple ports for transmitting and receiving a frame; at least one queue arranged for each of the ports, storing a transmission scheduled frame, and having a variable storage capacity; and a capacity controller controlling the storage capacity of each of queues for the ports. A distribution pattern of a value of the storage capacity allocated to each of the queues is defined as a capacity distribution pattern. The capacity distribution pattern includes a first pattern which is the capacity distribution pattern in an initial state and a second pattern which is different from the first pattern. The capacity controller switches the capacity distribution pattern from the first pattern to the second pattern when a predetermined switching condition is satisfied.

SWITCH, DEVICES AND METHODS FOR RECEIVING AND FORWARDING ETHERNET PACKETS
20210288909 · 2021-09-16

A switch receiving Ethernet packets is disclosed, including TCP packets and/or non-TCP packets. The Ethernet packets are forwarded to at least two ports by forwarding each of the TCP packets to any one of the at least two ports and forwarding each stream of non-TCP packets to one corresponding port of the at least two ports.

WEB SERVER SECURITY
20210288978 · 2021-09-16

A system (30) for protecting a server (20) from network attacks is provided. The system (30) comprises a data splitter (31) and a parameter extractor (33). The data splitter (31) is configured to receive network communications from a client (10); send network data comprising at least payload information included in the received network communications to the parameter extractor (33); and send network data comprising at least communication state information included in the received network communications to the server (20). The parameter extractor (33) is configured to apply predefined parameter extraction rules to network data received from the data splitter (31) in order to extract parameters, and to forward extracted parameters to the server (20). The system (30) is also configured to enforce unidirectional dataflow over at least part of the network connection path to the server (20) via the parameter extractor (33), such that dataflow to the server (20) over the network connection path is allowed, but dataflow in the opposite direction is not allowed for at least part of the network connection path. A server (20), data splitter (31) and parameter extractor (33) for use with the system (30) are also provided, and a corresponding method for protecting a server (20) from network attacks is provided.

Computer remote indirect memory access system

A remote indirect memory access system and method for networked computer servers. The system comprises a network interface card (NIC) having a network interface memory, and a system memory operatively connected to the network interface card. The system memory has a plurality of electronic memory queues, wherein each of the memory queues corresponds to one of a plurality of receive processes in the computer server, with each of the memory queues having a corresponding head pointer and tail pointer. Each of the memory queues is assigned to receive electronic messages from a plurality of sender computers. The NIC comprises a tail pointer table, with the tail pointer table comprising initial memory location data of the tail pointers for the memory queues. The memory location data is referenced by corresponding queue identifiers.

TECHNOLOGIES FOR MANAGING A FLEXIBLE HOST INTERFACE OF A NETWORK INTERFACE CONTROLLER
20210306142 · 2021-09-30

Technologies for processing network packets by a host interface of a network interface controller (NIC) of a compute device. The host interface is configured to retrieve, by a symmetric multi-purpose (SMP) array of the host interface, a message from a message queue of the host interface and process, by a processor core of a plurality of processor cores of the SMP array, the message to identify a long-latency operation to be performed on at least a portion of a network packet associated with the message. The host interface is further configured to generate another message which includes an indication of the identified long-latency operation and a next step to be performed upon completion. Additionally, the host interface is configured to transmit the other message to a corresponding hardware unit scheduler as a function of the subsequent long-latency operation to be performed. Other embodiments are described herein.