Some embodiments provide a method for configuring a logical middlebox in a hosting system that includes a set of nodes. The logical middlebox is part of a logical network that includes a set of logical forwarding elements that connect a set of end machines. The method receives a set of configuration data for the logical middlebox. The method uses a stored set of tables describing physical locations of the end machines to identify a set of nodes at which to implement the logical middlebox. The method provides the logical middlebox configuration for distribution to the identified nodes.

Some embodiments provide a method for configuring a logical middlebox in a hosting system that includes a set of nodes. The logical middlebox is part of a logical network that includes a set of logical forwarding elements that connect a set of end machines. The method receives a set of configuration data for the logical middlebox. The method uses a stored set of tables describing physical locations of the end machines to identify a set of nodes at which to implement the logical middlebox. The method provides the logical middlebox configuration for distribution to the identified nodes.

A method for profiling network traffic. The method includes capturing, from the network traffic using a packet capturing device, a plurality of packets, identifying a first portion of the plurality of packets as a first flow based at least on a common Internet Protocol (IP) address assigned to each packet of the first flow by a network address translation (NAT) device, extracting, by a hardware processor separate from the NAT device and based on an NAT profile of the NAT device, a first data item from the first flow, wherein the first data item is inserted into the first flow by the NAT device for identifying a first host device coupled to the NAT device, and determining, by the hardware processor based on the first data item, that the first flow is generated by the first host device.

A method performed by a computing system includes receiving a first request from a first pod being executed on the computing system, responding to the first request with an Internet Protocol (IP) address and a first port range, receiving a second request from a second pod being executed on the computing system, and responding to the second request with the Internet Protocol (IP) address and a second port range that is different than the first port range. The method further includes, with a networking service implemented within the kernel, processing network traffic between external entities and the first and second pods by updating source and destination IP addresses and ports of packets of the network traffic.

Aspects of the disclosure provide for a proxyless NAT infrastructure with dynamic port allocation. A proxyless NAT infrastructure is configured to perform NAT between a network of virtual machines (VMs) and a device external to the network, without a device, such as a NAT server or a router, acting as a proxy. A system can include a control plane for provisioning VMs of a network, including configuring each VM to perform NAT and initially assigning a number of ports for communicating with other devices. The control plane maintains a feedback loop—receiving data characterizing port usage and network traffic at ports allocated to the various VMs and scaling the port allocation for each VM based on the received data. The control plane can allocate additional ports as determined to be needed by a VM, and later retrieve the ports to be reused for other VMs.

Aspects of the disclosure provide for a proxyless NAT infrastructure with dynamic port allocation. A proxyless NAT infrastructure is configured to perform NAT between a network of virtual machines (VMs) and a device external to the network, without a device, such as a NAT server or a router, acting as a proxy. A system can include a control plane for provisioning VMs of a network, including configuring each VM to perform NAT and initially assigning a number of ports for communicating with other devices. The control plane maintains a feedback loop—receiving data characterizing port usage and network traffic at ports allocated to the various VMs and scaling the port allocation for each VM based on the received data. The control plane can allocate additional ports as determined to be needed by a VM, and later retrieve the ports to be reused for other VMs.

An extended service-function chain (SFC) proxy is hosted on a network node and connected to a service path formed by one or more network nodes hosting a chain of service-functions applied to packets traversing the service path. The packets each include a service header having a service path identifier and a service index. A packet of a traffic flow destined for a service-function is received from the service path and sent to the service-function. An indication to offload the traffic flow is received from the service-function. The indication is stored in a flow table having entries each identifying a respective traffic flow. A subsequent packet of the traffic flow is received from the service path. The flow table is searched for the indication to offload the traffic flow. Upon finding the indication, the service-function is bypassed, and the subsequent packet is forwarded along the service path.

A network system that facilitates financial transactions. A software defined network may operate to provide a variety of trading related services to a variety of customers with a low latency. Core or processor affinity for routing processes may improve speeds of routing. Data capture through a shared memory space may allow for a variety of analytics without introducing unacceptable delay.

A network system that facilitates financial transactions. A software defined network may operate to provide a variety of trading related services to a variety of customers with a low latency. Core or processor affinity for routing processes may improve speeds of routing. Data capture through a shared memory space may allow for a variety of analytics without introducing unacceptable delay.

A cable communications network provides an alternative communications path between a user equipment device and a data network to a cellular path for a communications session with a desired level of Quality of Service. A cable modem termination system, coupled to a wireless core network, e.g., a 5G core network, interacts with the wireless core network to attempt to establish a PDU session for a UE with a desired QoS level. The core sends a QoS service request message to the CMTS including a requested level of QoS, an IP address and port number for the session. The CMTS and cable modem, corresponding to the UE, negotiate and decide if the request desired QoS level can be supported over the cable between the CMTS and the cable mode for the session.