Abstract
A rules engine (17) for the examination of selected fields in an addressed data packet has an access control list table (21) of which the entries each define an access control list rule (22), an action (23) and a chain identifier (24). The access control list rule (22) may be a basic rule which refers to network addresses and transport layer port numbers. The engine also has an extension rule table (25) of which the entries each define an extension rule (27), a respective action (28) and a respective rule identifier (26). The extension rule (27) may refer to a particular TCP flag. When a packet arrives, the engine (17) searches both tables (21, 25). This search is made independently of the ordinary network layer or link layer address lookup. If there is a match in both tables (21, 25) and the chain identifier (24) matches the extension rule identifier (26), the engine (17) prescribes the action (28) associated with the extension rule (27). If the chain identifier (24) of a matched access control list rule (22) does not match a rule identifier (26) of a matched extension rule (27), the engine (17) prescribes the action (23) associated with the basic rule (22). In the absence of a match with any access control list rule (22), the action on a packet is based on the result from the ordinary address lookup.
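The following is an added model of the two-table lookup described in the abstract; it is illustrative code, not the patent's own implementation. The packet fields, the rule and entry types, the sample tables and the assumption that the first matching access control list entry in table order is the one whose chain identifier is consulted are all constructed for this example.

```python
"""Model of a chained ACL / extension-rule engine (added illustration; the
field names, sample rules and first-match ordering are assumptions)."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                      # "tcp" or "udp"
    dst_port: int
    tcp_flags: frozenset = frozenset()   # e.g. frozenset({"SYN"})


@dataclass(frozen=True)
class AclRule:
    """Basic rule: network addresses and transport-layer port. None = any."""
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        pairs = ((self.src_ip, pkt.src_ip), (self.dst_ip, pkt.dst_ip),
                 (self.proto, pkt.proto), (self.dst_port, pkt.dst_port))
        return all(want is None or want == have for want, have in pairs)


@dataclass(frozen=True)
class AclEntry:
    rule: AclRule
    action: str                 # action associated with the basic rule
    chain_id: Optional[int]     # chain identifier linking to an extension rule


@dataclass(frozen=True)
class ExtRule:
    """Extension rule referring to a particular TCP flag."""
    tcp_flag: str

    def matches(self, pkt: Packet) -> bool:
        return pkt.proto == "tcp" and self.tcp_flag in pkt.tcp_flags


@dataclass(frozen=True)
class ExtEntry:
    rule: ExtRule
    action: str                 # action associated with the extension rule
    rule_id: int                # rule identifier that a chain identifier may match


def evaluate(pkt: Packet, acl_table, ext_table,
             address_lookup_action: str) -> Tuple[str, str]:
    """Return (action, origin) following the precedence in the abstract.

    Both tables are searched for the packet independently of the ordinary
    address lookup; the address-lookup result is only used when no ACL
    rule matches at all.
    """
    acl_hits = [e for e in acl_table if e.rule.matches(pkt)]
    ext_hits = {e.rule_id: e for e in ext_table if e.rule.matches(pkt)}
    if not acl_hits:
        return address_lookup_action, "address_lookup"
    acl = acl_hits[0]           # assumption: first matching ACL entry wins
    ext = ext_hits.get(acl.chain_id) if acl.chain_id is not None else None
    if ext is not None:         # chain id matched a matched extension rule
        return ext.action, "extension"
    return acl.action, "acl"    # otherwise the basic rule's action applies


# Constructed sample tables (not from the patent).
SAMPLE_ACL = [
    AclEntry(AclRule(proto="tcp", dst_port=23), "deny", None),      # telnet, no chain
    AclEntry(AclRule(proto="tcp", dst_port=80), "permit", 1),       # web, chained
]
SAMPLE_EXT = [
    ExtEntry(ExtRule("URG"), "deny", 1),   # URG-flagged web packets are dropped
]


def classify(pkt: Packet) -> Tuple[str, str]:
    """Evaluate pkt against the sample tables; 'forward' stands in for the
    ordinary address-lookup result."""
    return evaluate(pkt, SAMPLE_ACL, SAMPLE_EXT, "forward")


if __name__ == "__main__":
    for p in (Packet("10.0.0.5", "10.0.0.9", "tcp", 80, frozenset({"SYN"})),
              Packet("10.0.0.5", "10.0.0.9", "tcp", 80, frozenset({"URG"})),
              Packet("10.0.0.5", "10.0.0.9", "tcp", 23),
              Packet("10.0.0.5", "10.0.0.9", "udp", 53)):
        print(p.proto, p.dst_port, sorted(p.tcp_flags), "->", classify(p))
```

A SYN to port 80 matches the basic rule but no extension rule, so the basic action ("permit") applies; an URG-flagged packet to port 80 matches both, and because the chain identifier 1 equals the extension rule identifier 1 the extension action ("deny") is prescribed; the telnet entry has no chain, so its own action applies; the UDP packet matches no ACL rule and falls through to the address-lookup result.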