Per-application virtual private networking

US12348418B2 · US · B2

Patent metadata
Publication number: US-12348418-B2
Application number: US-202318358166-A
Country: US
Kind code: B2
Filing date: Jul 25, 2023
Priority date: Apr 28, 2023
Publication date: Jul 1, 2025
Grant date: Jul 1, 2025

Abstract

Official abstract text for this publication.

Disclosed are approaches for providing per-application tunnel access, such as virtual private network (VPN) access, in LINUX-based systems. In response to an application requesting a network connection, a process identifier of the application and an inode identifier representing a socket for the network connection are obtained. Then, a kernel space map is updated to include the process identifier of the application and the inode identifier. In response to the application making a network connection request, the inode identifier of the application is obtained based at least in part on a source network address, a source port number, a destination network address, and a destination port number. Then, the kernel space map is queried to obtain the process identifier of the application, wherein the inode identifier is a query parameter. Then, a routing policy is identified based at least in part on the process identifier.

Claims

Claim text for this publication.

Therefore, the following is claimed:

1. A system, comprising: a computing device comprising a processor and a memory; and an operating system kernel stored in the memory and comprising a first set of machine-readable instructions that, when executed by the processor, cause the computing device to at least: in response to an application requesting a network connection, obtain a process identifier of the application and an inode identifier representing a socket for the network connection; and update a kernel space map to include the process identifier of the application and the inode identifier; and a tunnel client stored in the memory and comprising a second set of machine-readable instructions that, when executed by the processor, cause the computing device to at least: in response to the application making a network connection request, obtain the inode identifier of the application based at least in part on a source network address, a source port number, a destination network address, and a destination port number; query the kernel space map to obtain the process identifier of the application, wherein the inode identifier is a query parameter; and identify a routing policy based at least in part on the process identifier, wherein the routing policy specifies whether the packet is to be routed through a virtual private network (VPN).

2. The system of claim 1, wherein the tunnel client further causes the computing device to apply the routing policy to the network connection.

3. The system of claim 1, wherein the routing policy is further identified based at least in part on the destination network address.

4. The system of claim 1, wherein the routing policy is further identified based at least in part on the destination port number.

5. The system of claim 1, wherein the operating system kernel is a version of the LINUX kernel.

6. The system of claim 5, wherein the second set of the machine-readable instructions of the tunnel client that cause the computing device to obtain the inode identifier further cause the computing device to invoke a system call provided by the LINUX kernel that accepts the source network address, the source port number, the destination network address, and the destination port number as arguments.

7. The system of claim 1, wherein the packet is received from a network tunnel interface.

8. The system of claim 1, wherein the first set of machine-readable instructions comprise an extended Berkeley Packet Filter (eBPF) program.

9. A method, comprising: in response to an application requesting a network connection, obtaining a process identifier of the application and an inode identifier representing a socket for the network connection; updating a kernel space map to include the process identifier of the application and the inode identifier; in response to the application making a network connection request, obtaining the inode identifier of the application based at least in part on a source network address, a source port number, a destination network address, and a destination port number; querying the kernel space map to obtain the process identifier of the application, wherein the inode identifier is a query parameter; and identifying a routing policy based at least in part on the process identifier, wherein the routing policy specifies whether the packet is to be routed through a virtual private network (VPN).

10. The method of claim 9, further comprising applying the routing policy to the network connection.

11. The method of claim 9, wherein the routing policy is further identified based at least in part on the destination network address.

12. The method of claim 9, wherein the routing policy is further identified based at least in part on the destination port number.

13. A non-transitory, computer-readable medium, storing an operating system kernel comprising a first set of machine-readable instructions that, when executed by the processor of a computing device, cause the computing device to at least: in response to an application requesting a network connection, obtain a process identifier of the application and an inode identifier representing a socket for the network connection; and update a kernel space map to include the process identifier of the application and the inode identifier; and a tunnel client comprising a second set of machine-readable instructions that, when executed by the processor of a computing device, cause the computing device to at least: in response to the application making a network connection request, obtain the inode identifier of the application based at least in part on a source network address, a source port number, a destination network address, and a destination port number; query the kernel space map to obtain the process identifier of the application, wherein the inode identifier is a query parameter; and identify a routing policy based at least in part on the process identifier, wherein the routing policy specifies whether the packet is to be routed through a virtual private network (VPN).

14. The non-transitory, computer-readable medium of claim 13, wherein the tunnel client further causes the computing device to apply the routing policy to the network connection.

15. The non-transitory, computer-readable medium of claim 13, wherein the routing policy is further identified based at least in part on the destination network address.

16. The non-transitory, computer-readable medium of claim 13, wherein the routing policy is further identified based at least in part on the destination port number.

17. The non-transitory, computer-readable medium of claim 13, wherein the operating system kernel is a version of the LINUX kernel.

18. The non-transitory, computer-readable medium of claim 17, wherein the second set of the machine-readable instructions of the tunnel client that cause the computing device to obtain the inode identifier further cause the computing device to invoke a system call provided by the LINUX kernel that accepts the source network address, the source port number, the destination network address, and the destination port number as arguments.

19. The non-transitory, computer-readable medium of claim 13, wherein the packet is received from a network tunnel interface.

20. The non-transitory, computer-readable medium of claim 13, wherein the first set of machine-readable instructions comprise an extended Berkeley Packet Filter (eBPF) program.
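The lookup chain of the abstract and claims 1, 3, 4 and 6 (packet from the tunnel interface, 4-tuple to socket inode, kernel space map from inode to process identifier, routing policy by process identifier and destination), modelled here as an added example that is not the patent's or VMware's own code. The kernel map, the socket table standing in for the kernel system call of claim 6, the policies and the packets are all constructed in-memory stand-ins.

```python
import socket
import struct
# Constructed "kernel space map": socket inode -> process identifier, as the
# eBPF program of claim 8 would populate it when an application opens a socket.
KERNEL_MAP = {31415: 1001, 27182: 1002}
# Constructed stand-in for the kernel query of claim 6: 4-tuple -> socket inode.
SOCKET_TABLE = {
    ("10.0.0.5", 40000, "203.0.113.10", 443): 31415,
    ("10.0.0.5", 40001, "198.51.100.7", 80): 27182,
    ("10.0.0.5", 40002, "203.0.113.10", 443): 27182,
}
# Constructed routing policies: (pid, dst addr or None, dst port or None, via VPN).
# First match wins, so the more specific rule (claims 3 and 4) is listed first.
POLICIES = [
    (1001, None, None, True),           # pid 1001: all traffic through the VPN
    (1002, "198.51.100.7", 80, False),  # pid 1002: this destination bypasses it
    (1002, None, None, True),           # pid 1002: everything else through the VPN
]
DEFAULT_VIA_VPN = False  # unknown socket or process: no per-app policy applies

def four_tuple(packet: bytes):
    """Extract (src, sport, dst, dport) from an IPv4 TCP/UDP packet off the tun interface."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] not in (6, 17):
        return None
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 4:
        return None
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return src, sport, dst, dport

def route_via_vpn(packet: bytes) -> bool:
    """Claim 1 chain: 4-tuple -> inode -> pid (kernel map) -> routing policy."""
    tup = four_tuple(packet)
    inode = SOCKET_TABLE.get(tup) if tup else None
    pid = KERNEL_MAP.get(inode)
    if pid is None:
        return DEFAULT_VIA_VPN
    _, _, dst, dport = tup
    for p_pid, p_dst, p_port, via_vpn in POLICIES:
        if p_pid == pid and p_dst in (None, dst) and p_port in (None, dport):
            return via_vpn
    return DEFAULT_VIA_VPN

def build_packet(src, sport, dst, dport, proto=6) -> bytes:
    """Constructed IPv4 header plus the port fields of a TCP/UDP header (no payload)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + struct.pack("!HH", sport, dport)
```

The fallback for an unmatched socket or process is the point to watch in a real deployment: a packet that cannot be attributed to a process gets the default policy, so that default decides whether unattributed traffic leaks outside the tunnel or is held inside it.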

Assignees

VMware LLC

Inventors

Classifications

  • H04L45/74 (primary): Address processing for routing

  • Address table lookup; Address filtering (CPC code not shown on this page)

  • H04L45/76 (primary): Routing in software-defined topologies, e.g. routing between virtual machines

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
VMware LLC
What technology area does this patent fall under?
Primary CPC classification H04L45/74. Mapped technology areas include Electricity.
When was this patent published?
Publication date: Jul 1, 2025 (kind code B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 3 related publications on this page (citations in our corpus or others sharing the same primary CPC).