SUPPORTING ACCESS CONTROL LIST RULES THAT APPLY TO TCP SEGMENTS BELONGING TO 'ESTABLISHED' CONNECTION

摘要

Embodiments presented herein provide a TCAM-based access control list that supports disjunction operations in rules. According to one embodiment, a numeric range table is tied to the access control list. Each entry in the numeric range table includes an encode field that provides for scanning TCP flags in a TCP header of an incoming Ethernet frame. Further, each entry provides a first mask and a second mask used to test for desired set and unset TCP flags in a given frame. Each entry also provides an operation field that performs a disjunction operation that compares the first mask, the second mask, and set TCP flags in a given frame.