DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Amendment
The amendment filed 11/2/21 has been accepted and entered.  Accordingly, claims 1, 10, and 16 have been amended.
Claims 1-20 are pending in this application. 
In view of the amendment filed 11/2/21, the previous objection to claims 1, 10, and 16 has been withdrawn.

Response to Arguments
Applicant's arguments filed 11/2/21 have been fully considered but they are not persuasive. More specifically, Applicant argues that Wu et al. does not teach “responsive to validating the packet filter, associating the packet filter with a virtual network interface card (vNIC) of the virtual machine” because “Wu has no teachings that could be reasonably interpreted as validating the ‘filtering modules’” (see page 8). Examiner respectfully disagrees with the Applicant.
Wu et al. teaches that hypervisor filtering modules are software components that interpose on I/O paths between VNICs of VMs and ports of virtual switches (par [0045]). Further, Wu et al. teaches that each VM is connected through its VNIC to a respective virtual port provided by a virtual switch (par [0045]; FIG. 6). As noted, the hypervisor filtering modules are associated with VNICs, which are associated with the VM. Because Wu et al. teaches that hypervisor filtering modules are configured with filtering rules to introspect IP packets (par [0048]), the association of the filtering modules with the VM indicates that the packet filter has been validated. Therefore, Wu et al. teaches “responsive to validating the packet filter, associating the packet filter with a virtual network interface card (vNIC) of the virtual machine”.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3-4, 6, 10, 12-13, 15-16, and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Wu et al. (U.S. Patent Application Publication No. 2018/0063000), Li et al. (U.S. Patent Application Publication No. 2021/0029083), and further in view of Salkintzis (U.S. Patent Application Publication No. 2020/0092790).

Regarding Claim 1, Wu et al. teaches A method (Wu et al. teaches a computer-implemented method for optimizing connections over an extended network (par [0005])), comprising: receiving, by a hypervisor of a host computer system, a definition of a packet filter originated by a virtual machine running on the host computer system (Wu et al. teaches a host computer system in which a hypervisor filtering module is implemented (par [0045]); host computer includes a hypervisor that serves as an interface between VMs and physical resources available on host computer (par [0045]; FIG. 6); each VM includes a respective VNIC which is responsible for exchanging packets between that virtual machine and hypervisor (par [0045]); filter modules are associated with respective VNICs and perform filtering (par [0045]; FIG. 6); hypervisor filtering modules are configured with filtering rules to introspect IP packets leaving the VNICs of VMs (par [0048])); responsive to validating the packet filter, associating the packet filter with a vNIC of the virtual machine (Wu et al. teaches that filter modules are associated with respective VNICs (par [0045]; FIG. 6), indicating that packet filter is validated); receiving, by the hypervisor, a first network packet originated by the vNIC (Wu et al. teaches that filter modules perform filtering and encapsulation of packets originating in VNICs (par [0045]; FIG. 6); hypervisor filtering modules are configured with filtering rules to introspect IP packets leaving the VNICs of VMs and that packets sent by VMs to destinations that are not on the local networks may have the destination MAC address of the VMs’ default gateway (par [0048])); responsive to matching the first network packet to a network connection specified by the packet filter, causing the packet filter to forward the first network packet via the network connection (Wu et al. teaches that when the destination of a packet is not local or when the destination is on the same local subnet, the hypervisor filtering module that inspects the packet will not recognize the destination as a local address that needs to be diverted and will allow the packet to be routed according to its default path (par [0048])); receiving, by the hypervisor, a second network packet originated by the vNIC (Wu et al. teaches that filter modules perform filtering and encapsulation of packets originating in VNICs (par [0045]; FIG. 6); hypervisor filtering modules are configured with filtering rules to introspect IP packets leaving the VNICs of VMs and that packets sent by VMs to destinations that are not on the local networks may have the destination MAC address of the VMs’ default gateway (par [0048])); and responsive to failing to match the second network packet to the packet filter, causing a proxy application running on the host computer system to create a new network connection to a destination specified by the second network packet (Wu et al. teaches that the hypervisor filtering modules, according to the configured filtering rules, rewrite the destination MAC addresses of packets destined to local destinations to the MAC address of router (par [0048])).
Although teaching that the hypervisor filtering modules perform using filtering rules as noted above, Wu et al. does not explicitly teach receiving, by a hypervisor of a host computer system, a definition of a packet filter originated by a virtual machine running on the host computer system.  Li et al. teaches such a limitation. 
Li et al. is directed to filter-based packet handling at virtual network adapters. More specifically, Li et al. teaches that filter configuration is initiated by the VM, thereby allowing the application owning the VNIC to define which packets to prioritize or segregate (par [0024]), and that the request is sent to a virtual device backend module (par [0024]; FIG. 3). Li et al. teaches that the virtual device backend module is located in the hypervisor (FIG. 1).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Wu et al. so that the hypervisor receives a definition of a packet filter originated by a virtual machine running on the host computer system, as taught by Li et al.  The modification would have allowed the system to enable VM to define which packets to prioritize or segregate (see Li et al., par [0024]). 
By teaching that the hypervisor rewrites the destination MAC addresses to the MAC address of the router, Wu et al. teaches responsive to failing to match the second network packet to the packet filter, causing a proxy application running on the host computer system to create a new network connection to a destination specified by the second network packet as noted above. However, Salkintzis teaches such a limitation more explicitly.
Salkintzis is directed to data packet routing in a remote unit. More specifically, Salkintzis teaches that in response to determining that the packet routing information does not match a network connection, the method includes requesting a new network connection and sending the data packet over the new connection (par [0134]; FIG. 7).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Wu et al. and Li et al. so that a proxy application running on the host computer system creates a new network connection to a destination 

Regarding Claim 3, the combined teachings of Wu et al., Li et al., and Salkintzis teach The method of claim 1, and further, the references teach wherein matching the first network packet to the network connection specified by the packet filter further comprises: matching a link layer parameter specified by the first network packet to a corresponding network link layer parameter associated with the network connection (Wu et al. teaches the hypervisor filtering module is configured with information indicating that the detected VM is local to cloud computing system, and then the hypervisor filtering module introspects a packet (par [0052]); the hypervisor filtering module determines whether the destination MAC address of the packet should be rewritten because the destination IP address of the VM to which the packet is being sent is local to cloud computing system (par [0053]; FIG. 7), indicating matching destination IP address).  

Regarding Claim 4, the combined teachings of Wu et al., Li et al., and Salkintzis teach The method of claim 3, and further, the references teach wherein the link layer parameter is at least one of: a protocol, a destination address, or a port (Wu et al. teaches the hypervisor filtering module determines whether the destination MAC address of the packet should be rewritten because the destination IP address of the VM to which the packet is being sent is local to cloud computing system (par [0053]; FIG. 7)). 

Regarding Claim 6, the combined teachings of Wu et al., Li et al., and Salkintzis teach The method of claim 1, and further, the references teach further comprising: responsive to receiving an incoming network packet via the network connection, forwarding the incoming network packet to the vNIC (Li et al. teaches that ingress packets in a PNIC queue are assigned to a VNIC queue based on a match with a filter (par [0049])). The motivation to combine these references is the same as that of claim 1.

Regarding Claims 12-13, 15, and 18-20, Claims 12-13, 15, and 18-20 are directed to system and computer medium claims and they do not teach or further define over the limitations recited in claims 3-4 and 6.   Therefore, claims 12-13, 15, and 18-20 are also rejected for similar reasons set forth in claims 3-4 and 6.

Regarding Claims 10 and 16, Claims 10 and 16 are directed to system and computer medium claims and they do not teach or further define over the limitations recited in claim 1. Therefore, claims 10 and 16 are also rejected for similar reasons set forth in claim 1.
	
Claims 2, 11, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Wu et al. (U.S. Patent Application Publication No. 2018/0063000), Li et al. (U.S. Patent Application Publication No. 2021/0029083), Salkintzis (U.S. Patent Application Publication No. 2020/0092790), and further in view of Nguyen (U.S. Patent No. 8,893,113).

Regarding Claim 2, the combined teachings of Wu et al., Li et al., and Salkintzis teach The method of claim 1, and further, the references teach wherein forwarding the first network packet further comprises: substituting a source address of the first network packet with a source address of a network interface card (NIC) associated with the network connection (Li et al. teaches hypervisor maintains a mapping between underlying hardware of host and virtual resources allocated to respective VMs (par [0012]); hardware includes physical network interface controllers (par [0012]); Wu et al. . However, Nguyen teaches such a limitation more explicitly. 
Nguyen is directed to simultaneous operation of a networked device using multiple disparate networks. More specifically, Nguyen teaches that the routing program examines and, if needed, modifies the source IP address to match the one on the NIC, and re-injects the request packets back into the transport layer for routing (col. 4, lines 8-19).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Wu et al., Li et al. and Salkintzis so that forwarding packet further comprises substituting a source address of the first network packet with a source address of a network interface card associated with the network connection, as taught by Nguyen.  The modification would have allowed the system to route the packet via best available route (see Nguyen, col. 1, line 53-col.2, line 4). 

Regarding Claims 11 and 17, Claims 11 and 17 are directed to system and computer medium claims and they do not teach or further define over the limitations recited in claim 2.   Therefore, claims 11 and 17 are also rejected for similar reasons set forth in claim 2.

Claims 5 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Wu et al. (U.S. Patent Application Publication No. 2018/0063000), Li et al. (U.S. Patent Application Publication No. 2021/0029083), Salkintzis (U.S. Patent Application Publication No. 2020/0092790), and further in view of Jain (U.S. Patent Application Publication No. 2020/0319907).

Regarding Claim 5, the combined teachings of Wu et al., Li et al., and Salkintzis teach The method of claim 1, however, the references do not explicitly teach wherein the packet filter is a Berkeley Packet Filter (BPF). Jain teaches such a limitation.
Jain is directed to cloud resource credential provisioning for services running in virtual machines and containers. More specifically, Jain teaches that a cloud resource call comprises an outbound network call via an overlay network to a service container that is intercepted by an extended Berkeley Packet Filter program (par [0030]).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Wu et al., Li et al. and Salkintzis so that the packet filter is a Berkeley Packet Filter, as taught by Jain. The modification would have allowed the system to provide resource credential provisioning for a cloud computing environment in a secure, automatic and accurate manner (see Jain, par [0001]).

Regarding Claim 14, Claim 14 is directed to a system claim and it does not teach or further define over the limitations recited in claim 5.   Therefore, claim 14 is also rejected for similar reasons set forth in claim 5.

Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Wu et al. (U.S. Patent Application Publication No. 2018/0063000), Li et al. (U.S. Patent Application Publication No. 2021/0029083), Salkintzis (U.S. Patent Application Publication No. 2020/0092790), and further in view of Schnackenberg et al. (U.S. Patent Application Publication No. 2007/0204337).

Regarding Claim 7, the combined teachings of Wu et al., Li et al., and Salkintzis teach The method of claim 1, however, the references do not explicitly teach wherein validating the packet filter further comprises: ascertaining that two or more rules encoded by the packet filter definition are not mutually-exclusive.  Schnackenberg et al. teaches such a limitation. 
	Schnackenberg et al. is directed to high-assurance file-driven content filtering for secure network server.  More specifically, Schnackenberg et al. teaches that a secure network server validates consistent filtering rules (par [0062]). 
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Wu et al., Li et al. and Salkintzis so that the validating the packet filter comprises ascertaining that two or more rules encoded by the packet filter definition are not mutually-exclusive, as taught by Schnackenberg et al.  The modification would have allowed the system to filter data between networks (see Schnackenberg et al., par [0005]). 

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Wu et al. (U.S. Patent Application Publication No. 2018/0063000), Li et al. (U.S. Patent Application Publication No. 2021/0029083), Salkintzis (U.S. Patent Application Publication No. 2020/0092790), and further in view of Pankajakshan (U.S. Patent No. 7,792,021).

Regarding Claim 8, the combined teachings of Wu et al., Li et al., and Salkintzis teach The method of claim 1, however, the references do not explicitly teach wherein validating the packet filter further comprises: ascertaining that two or more rules encoded by the packet filter definition do not specify an infinite loop.  Pankajakshan teaches such a limitation. 
	Pankajakshan is directed to solutions for preventing routing loops and load balancing when connected to a multihomed autonomous system.  More specifically, Pankajakshan teaches rule “eBGP 
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Wu et al., Li et al. and Salkintzis so that the validating the packet filter comprises ascertaining that two or more rules encoded by the packet filter definition do not specify an infinite loop, as taught by Pankajakshan.  The modification would have allowed the system to prevent routing loop (see Pankajakshan, col. 6, lines 10-21). 

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Wu et al. (U.S. Patent Application Publication No. 2018/0063000), Li et al. (U.S. Patent Application Publication No. 2021/0029083), Salkintzis (U.S. Patent Application Publication No. 2020/0092790), and further in view of Atluri et al. (U.S. Patent Application Publication No. 2010/0280999).

Regarding Claim 9, the combined teachings of Wu et al., Li et al., and Salkintzis teach The method of claim 1, however, the references do not explicitly teach wherein validating the packet filter further comprises: ascertaining that two or more rules encoded by the packet filter definition do not specify an infinite recursion. Atluri et al. teaches such a limitation. 
	Atluri et al. is directed to ensuring data persistence and consistency in enterprise storage backup systems.  More specifically, Atluri et al. teaches that the filter module ensures that the write associated to the paged memory is not duplicated to prevent a recursion loop (par [0057]), indicating that the rules are verified to not incur recursion. 
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Wu et al., Li et al. and Salkintzis so that the . 

	
Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to REBECCA E SONG whose telephone number is (571)270-3667. The examiner can normally be reached Monday-Friday: 8-4 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Edan Orgad can be reached on 5712727884. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
/REBECCA E SONG/Primary Examiner, Art Unit 2414