CN102316040B - Method and data stream classification device for access control list lookup - Google Patents
- Publication number: CN102316040B (application CN201110267933.3A)
- Authority: CN (China)
- Prior art keywords: rule, packet, address, source, feature
- Legal status: Active
Abstract
The invention discloses a data stream classification device comprising: a rule index module, which stores the feature array lists of the rules that restrict IP addresses, receives the packets sent by the receive and control module, confirms with the feature array lists that a received packet matches some rule, then calculates a storage location index value and obtains the rule from the rule storage module according to that index value; a rule storage module, which stores rules according to storage location index values and supplies rules to the rule index module; and a receive and control module, which forwards each received packet to the rule index module. The invention also discloses an access control list (ACL) lookup method. With the invention, the demand for high-speed lookup can be met without increasing cost and power consumption.
Description
Technical field
The present invention relates to network switching technologies, and in particular to a method and a data stream classification device for access control list (ACL) lookup.
Background technology
The core router plays a key role in network traffic and network performance, and core routers usually use ACLs to control traffic and improve network performance. An ACL consists of rules and their corresponding actions. A rule divides the received packets into different streams; for example, packets can be grouped into one stream by source Internet Protocol (IP) address and destination IP address. An action specifies the processing applied to the packets of a stream once they have been separated, for example raising the priority of a packet or discarding it. An ACL rule can be composed of the packet's source IP address, destination IP address, source media access control (MAC) address, destination MAC address, TCP SYN flag and so on, or of a range for each field. For example, the rule format may be (source IP address prefix, destination IP address prefix, source port range, destination port range, protocol number), and a concrete rule may be (111111111111111111111111*, 1111111111111111*, [4000,5000], [20000,30000], 0).
In traditional core routers, ACL lookup can be implemented in software. However, with the rapid development of networks, higher requirements are placed on the traffic and performance of the backbone, and a large number of ACL rules are configured on core routers to implement business needs, so ACL lookup in software alone can no longer keep up with the interface rate. The most popular solution at present is to perform ACL lookup in hardware with a ternary content addressable memory (TCAM). The core router installs a TCAM as its lookup module: it first stores the ACL rules in the TCAM; after receiving a packet, it compares the packet against the ACL rules in parallel; if the packet matches any ACL rule, subsequent processing follows the action of that rule, and if it matches none, the packet is routed normally. Nowadays higher lookup speeds are demanded of core routers, for example a lookup rate of 100Gbps. With the existing technology this requires several TCAMs searching in parallel in the core router; TCAM itself is expensive, and the power consumed by TCAM lookups grows significantly with the number of bits searched.
It can be seen that the existing ACL lookup methods cannot meet the demand for high-speed lookup in core routers without increasing cost and power consumption.
The content of the invention
In view of this, the object of the invention is to provide an ACL lookup method and a data stream classification device that meet the demand for high-speed lookup without increasing cost and power consumption.
To achieve this object, the technical solution of the invention is realized as follows:
The invention provides a data stream classification device comprising a receive and control module, a rule index module and a rule storage module; wherein
the rule index module stores the feature array lists of the rules that restrict IP addresses, receives the packets sent by the receive and control module, confirms with the feature array lists that a received packet matches some rule, then calculates the storage location index value and obtains the rule from the rule storage module according to that index value;
the rule storage module stores rules according to storage location index values and supplies rules to the rule index module;
the receive and control module, after receiving a packet, sends the packet to the rule index module.
In the above scheme, the data stream classification device further comprises a TCAM lookup module for storing the rules sent by the receive and control module.
Accordingly, the receive and control module is further used, after entering write mode, to write ACL rules: if a rule restricts the destination IP address prefix and/or the source IP address prefix, the rule is sent to the rule index module; if it restricts neither, the rule is sent to the TCAM lookup module.
The rule index module is further used, after the receive and control module sends a rule, to calculate and save a feature array using the source IP address prefix and/or destination IP address prefix of the rule.
In the above scheme, the rule index module is specifically used, for a rule that restricts only the destination IP address or only the source IP address, to compute a feature array from the destination IP address prefix or the source IP address prefix and save it in the destination IP feature array list or the source IP feature array list; for a rule that restricts both the destination IP address and the source IP address, the feature array computed from the destination IP address prefix and the source IP address prefix is saved in the dual-IP feature array list.
In the above scheme, the rule index module is further used to calculate the storage location index value using the source IP address prefix and/or destination IP address prefix of the rule.
In the above scheme, the receive and control module is specifically used to receive packets and send each packet in parallel to the rule index module and the TCAM lookup module, and is further used to receive the lookup result returned by the TCAM lookup module and the index result returned by the rule index module; if both the lookup result and the index result are "no matching rule", the packet is routed.
Accordingly, the rule index module is specifically used, after receiving the packet sent by the receive and control module, to judge whether the received packet has a matching rule, and is further used to return the index result to the receive and control module.
The TCAM lookup module is further used, after receiving the packet sent by the receive and control module, to look up the rule matching the packet; if a matching rule is found it is returned to the receive and control module as the lookup result, and if there is no matching rule, a lookup result of "no matching rule" is sent to the receive and control module.
In the above scheme, the receive and control module is further used to compare the priorities of the rules returned in the index result and the lookup result, choose the rule with the highest priority as the final rule and process the packet according to it; if the index result is "no matching rule" and the lookup result is at the same time "no matching rule", the packet is simply routed.
The invention also provides an ACL lookup method, comprising:
the data stream classification device stores the feature array lists of the rules that restrict IP addresses and stores the rules according to storage location index values;
after the data stream classification device receives a packet, it confirms with the feature array lists that the received packet matches some rule, then calculates the storage location index value and extracts the rule matching the packet according to that index value.
In the above scheme, before the data stream classification device stores the feature array lists of the rules that restrict IP addresses, the method further comprises: the data stream classification device enters write mode and writes the ACL rules; if a rule restricts the source IP address prefix and/or the destination IP address prefix, a feature array is computed from the source IP address prefix and/or the destination IP address prefix; if the rule restricts no IP address, the rule is stored directly.
In the above scheme, computing a feature array from the source IP address prefix and/or destination IP address prefix comprises: for a rule that restricts only the source IP address prefix or only the destination IP address prefix, the data stream classification device computes the feature array from that one prefix and saves it in the destination IP feature array list or the source IP feature array list; for a rule that restricts both the destination IP address prefix and the source IP address prefix, it computes and saves a feature array from the source IP address prefix and the destination IP address prefix, and the resulting feature array is saved in the dual-IP feature array list.
In the above scheme, before the rules are stored according to storage location index values, the method further comprises: the data stream classification device calculates the storage location index value from the rule's source IP address prefix and/or destination IP address prefix.
In the above scheme, after the data stream classification device receives a packet, the method further comprises: the data stream classification device compares the received packet with the directly stored rules and, in parallel, computes feature arrays from the packet and compares them with the feature array lists; if neither comparison yields a matching rule, the packet is routed and the processing flow ends; if the packet matches any directly stored rule, the rule matching the packet is extracted; if the computed feature array matches a record in any feature array list, the storage location index value is calculated and the rule matching the packet is extracted according to it.
In the above scheme, after the rule matching the packet is extracted, the method further comprises: the data stream classification device compares the priorities of all rules matched by the packet, chooses the rule with the highest priority as the final rule, and processes the packet according to that rule.
The ACL lookup method and data stream classification device provided by the invention have the following advantages and features. Rules are first classified into those with IP address restrictions and those without, and the feature arrays of the IP-restricted rules are calculated. After a packet is received, it is only necessary to calculate the feature array of the packet to determine whether a matching rule exists, and if so an exact rule lookup follows according to the storage location index value; in parallel, the received packet is looked up in the TCAM module against the rules without IP address restriction and the small number of IP-restricted rules that the storage module could not hold. Because the rules without IP address restriction are only a small part of all rules, the method reduces TCAM usage and the TCAM lookup workload, and so meets the demand for high-speed lookup without increasing cost and power consumption.
Brief description of the drawings
Fig. 1 is a schematic diagram of the structure of the data stream classification device of the invention that implements ACL lookup;
Fig. 2 is a schematic flow diagram of the ACL lookup method of the invention.
Embodiment
The basic idea of the invention is: the data stream classification device stores the feature array lists of the rules that restrict IP addresses and stores the rules according to storage location index values; after the data stream classification device receives a packet, it uses the feature array lists to confirm that the received packet matches some rule, then calculates the storage location index value and extracts the rule matching the packet according to that index value.
Here, the feature array lists fall into three classes: the destination IP feature array list, the source IP feature array list and the dual-IP feature array list.
The invention is described in further detail below with reference to the accompanying drawings and specific embodiments.
As shown in Fig. 1, the data stream classification device of the invention comprises a receive and control module 11, a rule index module 12 and a rule storage module 13; wherein
the rule index module 12 stores the feature array lists of the rules that restrict IP addresses, receives the packets sent by the receive and control module 11, confirms with the feature array lists that a received packet matches some rule, then calculates the storage location index value and obtains the rule from the rule storage module 13 according to that index value;
the rule storage module 13 stores rules according to storage location index values and supplies rules to the rule index module 12;
the receive and control module 11, after receiving a packet, sends the packet to the rule index module 12.
The rule index module 12 is further used to preset three different groups of Hash functions; the number of Hash functions in each group depends on actual conditions, and no two Hash functions in the three groups are the same. In practice, since the Bloom filter (BF) has high space efficiency, using a BF is the preferred scheme: the three preset groups of Hash functions can be realized with BFs.
The data stream classification device further comprises a TCAM lookup module 14.
The TCAM lookup module 14 stores the rules sent by the receive and control module 11. Accordingly, the receive and control module 11 is further used, after entering write mode, to write ACL rules: if a rule restricts the destination IP address prefix and/or the source IP address prefix, the rule is sent to the rule index module 12; if it restricts neither, the rule is sent to the TCAM lookup module 14. The rule index module 12 is further used, after the receive and control module 11 sends a rule, to calculate and save a feature array using the source IP address prefix and/or destination IP address prefix of the rule.
The TCAM lookup module 14 is made up of TCAM.
The rule index module 12 is specifically used as follows. For a rule that restricts only the destination IP address or only the source IP address, the first group of Hash functions is applied to the destination IP address prefix or the source IP address prefix, the result is taken as the feature array, and the feature array is saved in the destination IP feature array list or the source IP feature array list. For a rule that restricts both the destination IP address and the source IP address, the second group of Hash functions is applied separately to the destination IP address prefix and to the source IP address prefix, giving two feature arrays; the destination IP address prefix and the source IP address prefix are then XORed, the XOR result is truncated to the shorter of the two prefix lengths, and the truncated XOR result is hashed again with the second group of Hash functions, giving a third feature array; finally the three feature arrays are combined into one feature array, which is saved in the dual-IP feature array list.
The first and second groups of Hash functions may each contain four Hash functions; in practice they can be realized with an ordinary BF of width 1 bit.
The rule index module 12 is further used to calculate the storage location index value using the source IP address prefix and/or destination IP address prefix of the rule. If the count value of the calculation result does not exceed the count threshold, the rule is saved in the rule storage module 13 according to the calculated storage location; if the count value exceeds the count threshold, the rule is stored in the TCAM lookup module 14. Accordingly, the rule storage module 13 is specifically used to receive the rule sent by the rule index module 12 and save it according to the storage location, and the TCAM lookup module 14 is further used to receive and store the rule sent by the rule index module 12.
Here, the count threshold is the preset maximum number of rules that one storage location in the rule index module 12 is allowed to hold.
The rule index module 12 is specifically used to apply the third group of Hash functions to the destination IP address prefix, or the source IP address prefix, or the XOR result of the destination and source IP address prefixes, and to count how many times each Hash function of the third group has produced the same value; the value computed by each Hash function together with its count value represents the storage location.
In practice, the third group of Hash functions can be realized with a counting Bloom filter (CBF) of several bits, for example a 3-bit CBF, which performs the above calculation.
The rule storage module 13 is specifically used to store the rule once in each storage location given by the storage location index value; the position of the rule within each storage location is determined by the repetition count of the corresponding value.
The receive and control module 11, after entering network connection mode, receives packets and sends each packet in parallel to the rule index module 12 and the TCAM lookup module 14, and is further used to receive the lookup result returned by the TCAM lookup module 14 and the index result returned by the rule index module 12. Accordingly, the rule index module 12 is specifically used, after receiving the packet sent by the receive and control module 11, to judge whether the received packet has a matching rule, and is further used to return the index result to the receive and control module 11. The TCAM lookup module 14 is further used, after receiving the packet sent by the receive and control module 11, to look up the rule matching the packet; if a matching rule is found it is returned to the receive and control module 11 as the lookup result, and if there is no matching rule, a lookup result of "no matching rule" is sent to the receive and control module 11.
The rule index module 12 is specifically used to extract the destination IP address and source IP address of the packet, compute feature arrays of the destination IP address and of the source IP address with the first group of Hash functions, and compare them with the feature arrays in the destination IP feature array list and the source IP feature array list respectively; at the same time it computes feature arrays with the second group of Hash functions from the destination IP address, the source IP address and the XOR of the destination and source IP addresses, and compares the result with the feature arrays in the dual-IP feature array list. If any one of the three comparisons matches, a matching rule exists for the packet; if none matches, no matching rule exists for the packet.
The rule index module 12 is specifically used to start from the first bit of the packet's destination IP address and/or source IP address, take out destination IP address prefixes and/or source IP address prefixes of increasing length, compute their feature arrays and compare them with all feature arrays in the feature array lists. If a matching feature array is found, a matching rule exists for the packet; otherwise the comparison continues with the next prefix length. If no matching feature array has been found after the whole destination IP address and/or source IP address has been taken out and computed, there is no feature array matching the packet.
The rule index module 12 is specifically used, after confirming that there is no matching rule, to return an index result of "no matching rule" to the receive and control module 11, and, if a matching rule is confirmed, to calculate the storage location index value of the rule.
The rule index module 12 is specifically used to take the destination IP address prefixes and/or source IP address prefixes of all matching feature arrays, apply the third group of Hash functions to the destination IP address prefix, or the source IP address prefix, or the XOR result of the two prefixes, and finally, according to the resulting storage location index value, extract rules from the rule storage module 13 and compare them with the packet. If the packet matches any extracted rule, that rule is returned to the receive and control module 11 as the index result; if the packet matches none of the extracted rules, an index result of "no matching rule" is returned to the receive and control module 11.
The rule index module 12 may extract rules from the rule storage module 13 at every calculated storage location index value, or only at the storage location whose count value is smallest; the choice is set according to actual conditions. For example, if the calculated storage location index value is [2 (2), 4 (4), 6 (3), 7 (1)], rule lookup can be performed at the storage locations identified as 2, 4, 6 and 7, or, going by the smallest count value, only at the storage location identified as 7.
The receive and control module 11 is further used, when rules are returned in the index result and the lookup result, to compare the priorities of the returned rules, choose the rule with the highest priority as the final rule and process the packet according to it; if the index result is "no matching rule" and the lookup result is at the same time "no matching rule", the packet is simply routed.
The receive and control module 11 is further used to notify the rule index module 12 to delete a selected rule. Accordingly, the rule index module 12 is further used, on the deletion notice for the selected rule sent by the receive and control module 11, to calculate the storage location index value of the rule to be deleted, find the rule in the rule storage module 13 according to that storage location index value and delete it; the rule storage module 13 is further used to delete the stored rule according to the deletion operation of the rule index module 12.
Based on the data stream classification device described above, the ACL lookup method of the invention is shown in Fig. 2 and comprises the following steps:
Step 201: the data stream classification device enters write mode and writes an ACL rule, then judges whether the rule restricts the source IP address prefix and/or the destination IP address prefix. If the rule restricts only the source IP address prefix or only the destination IP address prefix, step 202 is performed; if the rule restricts both the destination IP address prefix and the source IP address prefix, step 203 is performed.
Before step 201, three different groups of Hash functions must be preset in the data stream classification device; the number of Hash functions in each group depends on actual conditions, and no two Hash functions in the three groups are the same.
Step 201 further comprises: if the rule does not restrict any IP address, the rule is stored directly.
Here, storing the rule directly means saving the rule in the TCAM of the data stream classification device.
Step 202: the data stream classification device computes and saves a feature array using the source IP address prefix or destination IP address prefix of the rule, then performs step 204.
Specifically, for a rule that restricts only the destination IP address or only the source IP address, the data stream classification device applies the first group of Hash functions to the destination IP address prefix or the source IP address prefix, takes the result as the feature array, saves the feature array in the destination IP feature array list or the source IP feature array list, and then performs step 204.
Step 203: the data stream classification device computes and saves a feature array using the source IP address prefix and destination IP address prefix of the rule, then performs step 204.
Specifically, for a rule that restricts both the destination IP address and the source IP address, the data stream classification device applies the second group of Hash functions separately to the destination IP address prefix and the source IP address prefix, giving two feature arrays; it then XORs the destination IP address prefix with the source IP address prefix, truncates the XOR result to the shorter of the two prefix lengths, and hashes the truncated XOR result with the second group of Hash functions, giving a third feature array; finally the three feature arrays are combined into one feature array, which is saved in the dual-IP feature array list, and step 204 is performed.
Step 204: the data stream classification device calculates the storage location index value from the rule and stores the rule in the calculated storage locations.
Here, calculating the storage location index value from the rule means: the data stream classification device applies the third group of Hash functions to the rule's destination IP address prefix, or source IP address prefix, or the XOR result of the destination and source IP address prefixes, and counts how many times each Hash function of the third group has produced the same value; the value computed by each Hash function together with its count value forms the storage location index value.
The count value is also used so that, when it exceeds the count threshold, the rule is stored directly. The count threshold is the preset maximum number of rules that one storage location of the data stream classification device is allowed to hold; the specific number depends on the storage medium used.
Storing the rule in the calculated storage locations means: the rule is saved once at each storage location named by a value in the storage location index value, and the count value of each value determines the position at which the rule is placed within that storage location. For example, if the third group of Hash functions computes the result [2 (1), 4 (3), 6 (2), 7 (2)] for a rule, the rule is stored once at each of the storage locations identified as 2, 4, 6 and 7, and the bracketed 1, 3, 2 and 2 give the order in which the rule is stored at those four locations: at the storage location identified as 2 the rule is placed in the first position, at the storage location identified as 4 it is placed in the third position, and so on.
Step 205: the data stream classification device judges whether the received packet has a matching rule; if so, step 206 is performed; if not, the packet is routed and the processing flow ends.
Before this step is performed, the data stream classification device must be connected to the network and placed in network connection mode.
Specifically, the data stream classification device compares the received packet with the directly stored rules and, in parallel, computes feature arrays from the packet and compares them with the feature arrays in the feature array lists. If neither the comparison with the directly stored rules nor the comparison with the feature array lists yields a matching rule, the packet is routed and the processing flow ends; if the packet matches any directly stored rule, the rule matching the packet is extracted and step 207 is performed; if a feature array computed from the packet matches a record in any feature array list, step 206 is performed.
Here, comparing with the directly stored rules means: the data stream classification device sends the packet to the TCAM to look up the directly stored rules; the TCAM lookup itself is prior art and is not repeated here.
Computing feature arrays from the packet and comparing them with the feature array lists means: the data stream classification device extracts the destination IP address and source IP address of the packet, computes feature arrays of the destination IP address and of the source IP address with the first group of Hash functions, and compares them with the feature arrays in the destination IP feature array list and the source IP feature array list respectively; at the same time it computes feature arrays with the second group of Hash functions from the destination IP address, the source IP address and the XOR of the destination and source IP addresses, and compares the result with the feature arrays in the dual-IP feature array list. If any one of the three comparisons matches, a matching rule exists for the packet; if none matches, no matching rule exists for the packet. The feature arrays are computed as follows: starting from the first bit, destination IP address and/or source IP address prefixes of increasing length are taken out, their feature arrays are computed and compared with all feature arrays in the feature array lists; if a matching feature array is found, a matching rule exists for the packet, otherwise the comparison continues; if no matching feature array has been found after the whole destination IP address and/or source IP address has been taken out and computed, there is no feature array matching the packet.
Step 206: the data stream classification device looks up and extracts rules using the storage location index value.
Step 206 further comprises: taking the destination IP address prefixes and/or source IP address prefixes of all feature arrays matched in step 205, the data stream classification device applies the third group of Hash functions to the destination IP address prefix, or the source IP address prefix, or the XOR result of the two prefixes, and then looks up rules at the storage locations given by the result. If the packet matches any rule held at those storage locations, the rule is extracted and step 207 is performed; if the packet matches none of the rules held there, step 207 is performed directly.
Here, the lookup at the storage locations can be done at every storage location obtained, or only at the storage location with the smallest count value, as set according to actual conditions. For example, if the third group of Hash functions computes the result [2 (2), 4 (4), 6 (3), 7 (1)], rule lookup can be performed at the storage locations identified as 2, 4, 6 and 7, or, going by the smallest count value, only at the storage location identified as 7.
Step 207: the data stream classification device processes the packet.
Step 207 specifically: the data stream classification device compares the priorities of all rules the packet matches, selects the rule with the highest priority as the final rule, and then processes the packet according to that rule; the processing of the packet itself is prior art and is not elaborated here.
Through the above steps, the task of deciding whether a packet matches any rule with IP address limitation is completed using the rules' feature array lists, which avoids comparing the packet against every rule one by one and so meets the demand for high-speed lookup.
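As an added illustration (not the patent's own code), the following Python sketch models steps 205 to 207 for rules that limit only the destination IP address: one feature array for the destination IP feature array list, prefixes of increasing length, a third hash group that yields candidate storage locations with per-location count values, and selection of the highest-priority match. The hash functions, array sizes and sample rules are constructed assumptions; the patent does not specify them.

```python
import hashlib
import ipaddress

FEATURE_BITS = 1 << 12   # size of the feature array (assumption; the patent gives no size)
LOCATIONS = 64           # number of rule storage locations (assumption)
GROUP1 = (b"f1", b"f2", b"f3")  # first hash group: sets and tests feature array bits
GROUP3 = (b"s1", b"s2")         # third hash group: candidate storage location indices


def _hash(tag, key, mod):
    """Keyed blake2b stands in for the patent's unspecified hash functions."""
    return int.from_bytes(hashlib.blake2b(tag + key, digest_size=8).digest(), "big") % mod


def _prefix_key(addr_int, length):
    """Canonical bytes for an IPv4 prefix: masked address plus prefix length."""
    mask = (0xFFFFFFFF << (32 - length)) & 0xFFFFFFFF
    return (addr_int & mask).to_bytes(4, "big") + bytes([length])


class DstPrefixIndex:
    """Destination IP feature array list plus rule storage indexed by location."""

    def __init__(self):
        self.feature_array = [False] * FEATURE_BITS
        self.locations = [[] for _ in range(LOCATIONS)]
        self.count = [0] * LOCATIONS  # count value per storage location

    def add_rule(self, rule):
        """Write mode: mark the rule's prefix in the feature array, then store the rule."""
        net = ipaddress.ip_network(rule["dst"], strict=False)
        key = _prefix_key(int(net.network_address), net.prefixlen)
        for tag in GROUP1:
            self.feature_array[_hash(tag, key, FEATURE_BITS)] = True
        # storage location index value: the candidate location with the lowest count
        loc = min((_hash(t, key, LOCATIONS) for t in GROUP3), key=lambda i: self.count[i])
        self.locations[loc].append(rule)
        self.count[loc] += 1

    def lookup(self, dst_ip):
        """Steps 205-207: prefix-by-prefix feature test, exact check at the locations, priority."""
        addr = ipaddress.ip_address(dst_ip)
        matches = []
        for length in range(0, 33):  # prefixes of increasing length
            key = _prefix_key(int(addr), length)
            if not all(self.feature_array[_hash(t, key, FEATURE_BITS)] for t in GROUP1):
                continue  # feature array miss: no rule with this prefix
            for loc in {_hash(t, key, LOCATIONS) for t in GROUP3}:  # search every candidate
                matches += [r for r in self.locations[loc]
                            if addr in ipaddress.ip_network(r["dst"], strict=False)]
        return max(matches, key=lambda r: r["priority"]) if matches else None


def build_demo_index():
    """Constructed sample rules (not from the patent)."""
    idx = DstPrefixIndex()
    for rule in ({"name": "A", "dst": "10.0.0.0/8", "priority": 1},
                 {"name": "B", "dst": "10.1.0.0/16", "priority": 5},
                 {"name": "C", "dst": "192.168.1.0/24", "priority": 3}):
        idx.add_rule(rule)
    return idx
```

A feature array hit that is not confirmed at the storage locations is a false positive of the hash test and is simply dropped, which is the "step 207 directly" path of the description.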
In addition, after step 207 is complete, stored rules may also be deleted according to actual need, specifically: the storage location index value of the stored rule to be deleted is computed, then the rule is found at the storage location according to the resulting storage location index value and deleted.
In addition, in practical applications the data stream classification device of the above scheme may be flexibly integrated as a module into existing devices according to demand, for example as a high-performance data stream classification module integrated into a core router.
It can be seen that with the above scheme, rules with IP address limitation and rules without IP address limitation are first stored separately; after a packet is received, the lookups for rules with IP address limitation and for rules without IP address limitation are performed on the packet in parallel; the lookup for rules with IP address limitation determines whether a rule for the packet exists by computing feature arrays, and if so further performs an exact rule lookup according to the storage location index value.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit the scope of the present invention.
Claims (8)
1. A data stream classification device, characterised in that the data stream classification device comprises: a receive and control module, a rule index module and a rule memory module; wherein
the rule index module is configured to store the feature array lists of rules with Internet Protocol (IP) address limitation, to receive the packets sent by the receive and control module, to compute and store feature arrays using the source IP address prefix and/or destination IP address prefix of a rule, to compute a storage location index value using the source IP address prefix and/or destination IP address prefix of the rule, and to obtain the rule from the rule memory module according to the storage location index value;
the rule memory module is configured to store rules according to the storage location index value and to provide rules to the rule index module;
a ternary content addressable memory (TCAM) lookup module is configured to store the rules sent by the receive and control module;
the receive and control module is configured, after receiving a packet, to write ACL rules: if a rule defines a destination IP address prefix and/or source IP address prefix, the rule is sent to the rule index module; if it does not, the rule is sent to the TCAM lookup module.
2. The data stream classification device according to claim 1, characterised in that
the rule index module is specifically configured, for rules that limit only the destination IP address or only the source IP address, to compute on the destination IP address prefix or the source IP address prefix and to save the resulting feature array in the destination IP feature array list or the source IP feature array list; and, for rules that limit both the destination IP address and the source IP address, to save the feature array computed from the destination IP address prefix and the source IP address prefix in the double IP feature array list.
3. The data stream classification device according to claim 1, characterised in that
the receive and control module is specifically configured to receive a packet and send it in parallel to the rule index module and the TCAM lookup module, and is further configured to receive the lookup result returned by the TCAM lookup module and the index result returned by the rule index module; if both the lookup result and the index result indicate no matching rule, route processing is performed on the packet;
accordingly, the rule index module is specifically configured, after receiving the packet sent by the receive and control module, to determine whether the received packet has a matching rule, and is further configured to return the index result to the receive and control module;
the TCAM lookup module is further configured, after receiving the packet sent by the receive and control module, to look up the rules the packet matches; if a matching rule is found, the rule is returned to the receive and control module as the lookup result; if no matching rule is found, a lookup result indicating no matching rule is sent to the receive and control module.
4. The data stream classification device according to claim 3, characterised in that
the receive and control module is further configured to compare the priorities of the rules returned in the index result and the lookup result, to select the rule with the highest priority as the final rule and then process the packet according to that rule; if the index result indicates no matching rule and the lookup result also indicates no matching rule, route processing is performed directly on the packet.
5. A method for access control list (ACL) lookup, characterised in that the method comprises:
after entering write mode, a data stream classification device writes ACL rules; if a rule defines a source IP address prefix and/or destination IP address prefix, a feature array is computed using the source IP address prefix and/or destination IP address prefix; if the rule has no IP address limitation, the rule is stored directly;
the data stream classification device stores the feature array lists of rules with IP address limitation, computes a storage location index value using the source IP address prefix and/or destination IP address prefix of the rule, and stores the rule according to the storage location index value;
after the data stream classification device receives a packet, it computes and stores feature arrays using the source IP address prefix and/or destination IP address prefix of the rule, compares the packet with the directly stored rules and, in parallel, compares the feature array computed from the packet with the feature arrays of the feature array list; if the feature array computed from the packet matches a record in the feature array list, a storage location index value is computed using the source IP address prefix and/or destination IP address prefix of the rule, and the rule matching the packet is extracted according to the storage location index value.
6. The method according to claim 5, characterised in that computing a feature array using the source IP address prefix and/or destination IP address prefix comprises: for a rule that defines only a source IP address prefix or only a destination IP address prefix, the data stream classification device computes the feature array using the source IP address prefix or the destination IP address prefix and saves it in the destination IP feature array list or the source IP feature array list; for a rule that defines both a destination IP address prefix and a source IP address prefix, it computes and stores a feature array using the source IP address prefix and the destination IP address prefix, and saves the resulting feature array in the double IP feature array list.
7. The method according to claim 5, characterised in that the method further comprises: if neither the comparison of the packet with the directly stored rules nor the comparison with the feature array lists yields a matching rule, route processing is performed on the packet and the handling process ends; if the packet matches any directly stored rule, the rule matching the packet is extracted.
8. The method according to claim 7, characterised in that, after the rule matching the packet is extracted, the method further comprises: the data stream classification device compares the priorities of all rules the packet matches, selects the rule with the highest priority as the final rule, and then processes the packet according to that rule.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201110267933.3A CN102316040B (en) | 2011-09-09 | 2011-09-09 | The method and data stream classification device of a kind of access control list finding |
Publications (2)
Publication Number | Publication Date |
---|---|
CN102316040A CN102316040A (en) | 2012-01-11 |
CN102316040B true CN102316040B (en) | 2017-12-26 |
Family
ID=45428872
Country Status (1)
Country | Link |
---|---|
CN (1) | CN102316040B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
EE01 | Entry into force of recordation of patent licensing contract | Application publication date: 20120111; Assignee: SHENZHEN ZTE MICROELECTRONICS TECHNOLOGY CO., LTD.; Assignor: ZTE Corporation; Contract record no.: 2015440020319; Denomination of invention: Access control list finding method and data stream classification device; License type: Common License; Record date: 20151123 |
LICC | Enforcement, change and cancellation of record of contracts on the licence for exploitation of a patent or utility model | |
GR01 | Patent grant | |