CN108449445A - Range-type message matching circuit and method

Info

Publication number: CN108449445A
Application number: CN201810329873.5A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 王子彤, 姜凯, 聂林川
Current assignee: Jinan Inspur Hi Tech Investment and Development Co Ltd
Original assignee: Jinan Inspur Hi Tech Investment and Development Co Ltd
Application filed by: Jinan Inspur Hi Tech Investment and Development Co Ltd
Prior art keywords: address, data, rule, message, mark

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/74 Address processing for routing
    • H04L45/745 Address table lookup; Address filtering
    • H04L2101/00 Indexing scheme associated with group H04L61/00
    • H04L2101/60 Types of network addresses

Landscapes

  • Engineering & Computer Science
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Computer Security & Cryptography
  • Small-Scale Networks

Abstract

The present invention provides a range-type message matching circuit and method. The circuit includes a rule parsing module, a rule memory module, a rule matching module and a packet parsing module. The rule parsing module parses a message policy and extracts five-tuple data and a message rule; the five-tuple data comprise 5 items of identification data, among which range-type data are present. The five-tuple data are converted to form a storage identifier, and the storage identifier is used to mark the storage location of the message rule in the rule memory module. The packet parsing module parses a message to be matched and extracts its current five-tuple data, zeroes part of the identification data of the current five-tuple data, and converts the zeroed current five-tuple data to form a storage identifier to be matched. When a target storage location in the memory module is marked with the storage identifier to be matched, the rule matching module outputs the target message rule stored at the target storage location together with the message to be matched. With the technical solution of the invention, matching efficiency is higher.

Description

Range-type message matching circuit and method
Technical field
The present invention relates to the field of information technology, and in particular to a range-type message matching circuit and method.
Background
In network switching equipment, a dedicated message matching circuit, or a chip that integrates a message matching circuit, is usually needed to perform rule matching on messages.
At present, the message policy corresponding to each message to be matched usually has to be stored in the message matching circuit. When the number of messages to be processed is very large, the message matching circuit has to store a large number of message rules, which occupies a large amount of storage and network resources, and matching efficiency is low when messages to be matched are matched.
Summary of the invention
Embodiments of the present invention provide a range-type message matching circuit and method with higher matching efficiency.
In a first aspect, the present invention provides a range-type message matching circuit, including:
a rule parsing module, a rule memory module, a rule matching module and a packet parsing module; wherein,
the rule parsing module is configured to parse a message policy issued by a host computer so as to extract the five-tuple data and the message rule carried by the message policy, wherein the five-tuple data comprise 5 items of identification data in one-to-one correspondence with five data entries (source IP address, destination IP address, protocol number, source port and destination port), and at least one item of range-type data is present among the items of identification data; to convert the five-tuple data according to a preset conversion rule to form a storage identifier; and to store the message rule in the rule memory module and use the storage identifier to mark the storage location of the message rule in the rule memory module;
the packet parsing module is configured to receive and parse a message to be matched so as to extract the current five-tuple data carried by the message to be matched; to zero part of the identification data of the current five-tuple data according to the at least one target data entry corresponding to the at least one item of range-type data; and to convert the zeroed current five-tuple data according to the preset conversion rule to form a storage identifier to be matched;
the rule matching module is configured to detect whether a target storage location marked with the storage identifier to be matched exists in the rule memory module and, if so, to read the target message rule stored at the target storage location and output the target message rule and the message to be matched.
Preferably,
the rule parsing module includes a first conversion unit; wherein,
the first conversion unit is configured, when the data type of the identification data corresponding to the source IP address and the destination IP address is subnet mask, to XOR together every 8 bits of the five-tuple data to form one 8-bit storage identifier.
Preferably,
the rule parsing module includes a second conversion unit; wherein,
the second conversion unit is configured, when the identification data corresponding to the source IP address comprise a first start IP address and a first end IP address and the identification data corresponding to the destination IP address comprise a second start IP address and a second end IP address, to: read the first upper n bits of the first start IP address or the first end IP address; read the second upper n bits of the second start IP address or the second end IP address; combine the first upper n bits, the second upper n bits and the identification data corresponding to the three data entries protocol number, source port and destination port; XOR together every 8 bits of the combined data to form one 8-bit reference storage identifier; generate one 8-bit item of flag data indicating an address conflict; XOR the reference storage identifier with the flag data to obtain the storage identifier; store the lower m bits of the first start IP address, the lower m bits of the first end IP address, the lower m bits of the second start IP address, the lower m bits of the second end IP address and the message rule in the rule memory module; and use the storage identifier to mark the storage location of the message rule in the memory module, where m and n are integer multiples of 4.
Preferably,
the rule matching module includes a first detection unit, a second detection unit, a third detection unit and a data processing unit; wherein,
the first detection unit is configured to detect whether a target storage location marked with the storage identifier to be matched exists in the rule memory module and, if so, to trigger the second detection unit;
the second detection unit is configured, when triggered by the first detection unit, to detect whether the lower m bits of the current source IP address carried in the current five-tuple data lie between the lower m bits of the first start IP address and the lower m bits of the first end IP address and, if so, to trigger the third detection unit;
the third detection unit is configured, when triggered by the second detection unit, to detect whether the lower m bits of the current destination IP address carried in the current five-tuple data lie between the lower m bits of the second start IP address and the lower m bits of the second end IP address and, if so, to trigger the data processing unit;
the data processing unit is configured, when triggered by the third detection unit, to read the target message rule stored at the target storage location and to output the target message rule and the message to be matched.
In a second aspect, an embodiment of the present invention provides a method of message matching using any message matching circuit of the first aspect, including:
using the rule parsing module to parse a message policy issued by a host computer so as to extract the five-tuple data and the message rule carried by the message policy, wherein the five-tuple data comprise 5 items of identification data in one-to-one correspondence with five data entries (source IP address, destination IP address, protocol number, source port and destination port), and at least one item of range-type data is present among the items of identification data; converting the five-tuple data according to a preset conversion rule to form a storage identifier; and storing the message rule in the rule memory module and using the storage identifier to mark the storage location of the message rule in the rule memory module;
using the packet parsing module to receive and parse a message to be matched so as to extract the current five-tuple data carried by the message to be matched; zeroing part of the identification data of the current five-tuple data according to the at least one target data entry corresponding to the at least one item of range-type data; and converting the zeroed current five-tuple data according to the preset conversion rule to form a storage identifier to be matched;
using the rule matching module to detect whether a target storage location marked with the storage identifier to be matched exists in the rule memory module and, if so, reading the target message rule stored at the target storage location and outputting the target message rule and the message to be matched.
Preferably,
when the rule parsing module includes the first conversion unit,
converting the five-tuple data according to the preset conversion rule to form the storage identifier includes: using the first conversion unit, when the data type of the identification data corresponding to the source IP address and the destination IP address is subnet mask, to XOR together every 8 bits of the five-tuple data to form one 8-bit storage identifier.
Preferably,
when the rule parsing module includes the second conversion unit,
converting the five-tuple data according to the preset conversion rule to form the storage identifier includes: using the second conversion unit, when the identification data corresponding to the source IP address comprise a first start IP address and a first end IP address and the identification data corresponding to the destination IP address comprise a second start IP address and a second end IP address, to read the first upper n bits of the first start IP address or the first end IP address; read the second upper n bits of the second start IP address or the second end IP address; combine the first upper n bits, the second upper n bits and the identification data corresponding to the three data entries protocol number, source port and destination port; XOR together every 8 bits of the combined data to form one 8-bit reference storage identifier; generate one 8-bit item of flag data indicating an address conflict; XOR the reference storage identifier with the flag data to obtain the storage identifier; store the lower m bits of the first start IP address, the lower m bits of the first end IP address, the lower m bits of the second start IP address, the lower m bits of the second end IP address and the message rule in the rule memory module; and use the storage identifier to mark the storage location of the message rule in the memory module, where m and n are integer multiples of 4.
Preferably,
when the rule matching module includes the first detection unit, the second detection unit, the third detection unit and the data processing unit,
using the rule matching module to detect whether a target storage location marked with the storage identifier to be matched exists in the rule memory module and, if so, reading the target message rule stored at the target storage location and outputting the target message rule and the message to be matched, includes:
using the first detection unit to detect whether a target storage location marked with the storage identifier to be matched exists in the rule memory module and, if so, triggering the second detection unit;
using the second detection unit, when triggered by the first detection unit, to detect whether the lower m bits of the current source IP address carried in the current five-tuple data lie between the lower m bits of the first start IP address and the lower m bits of the first end IP address and, if so, triggering the third detection unit;
using the third detection unit, when triggered by the second detection unit, to detect whether the lower m bits of the current destination IP address carried in the current five-tuple data lie between the lower m bits of the second start IP address and the lower m bits of the second end IP address and, if so, triggering the data processing unit;
using the data processing unit, when triggered by the third detection unit, to read the target message rule stored at the target storage location and to output the target message rule and the message to be matched.
Embodiments of the present invention provide a message matching circuit and method. The message matching circuit consists of a rule parsing module, a rule memory module, a rule matching module and a packet parsing module. Range-type data are used to describe the identification data corresponding to one or more data entries in the five-tuple data, so that one message rule can correspond to a whole class of messages to be matched that share the same characteristics. When a large batch of messages has to be matched, this reduces the number of message rules stored in the rule memory module and saves storage resources. Meanwhile, the rule parsing module can convert the five-tuple data corresponding to a message rule using the preset conversion rule to obtain a storage identifier, and use that storage identifier to mark the storage location of the message rule in the rule memory module. Later, after the packet parsing module converts the current five-tuple data corresponding to a message to be matched using the same preset rule to obtain a current storage identifier, the message rule that matches the message to be matched can be found quickly in the rule memory module from the current storage identifier and the storage identifiers of the message rules stored there, and the message to be matched is output together with the message rule that matches it. In summary, the technical solution of the invention saves storage resources and finds the message rule corresponding to a message to be matched more quickly, so matching efficiency is higher.
Description of the drawings
To explain the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a structural schematic diagram of a range-type message matching circuit provided by one embodiment of the invention;
Fig. 2 is a structural schematic diagram of another range-type message matching circuit provided by one embodiment of the invention;
Fig. 3 is a flow chart of a range-type message matching method provided by one embodiment of the invention.
Detailed description
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art from these embodiments without creative effort fall within the protection scope of the present invention.
As shown in Fig. 1, an embodiment of the present invention provides a range-type message matching circuit, including:
a rule parsing module 101, a rule memory module 102, a rule matching module 103 and a packet parsing module 104; wherein,
the rule parsing module 101 is configured to parse a message policy issued by a host computer so as to extract the five-tuple data and the message rule carried by the message policy, wherein the five-tuple data comprise 5 items of identification data in one-to-one correspondence with five data entries (source IP address, destination IP address, protocol number, source port and destination port), and at least one item of range-type data is present among the items of identification data; to convert the five-tuple data according to a preset conversion rule to form a storage identifier; and to store the message rule in the rule memory module 102 and use the storage identifier to mark the storage location of the message rule in the rule memory module 102;
the packet parsing module 103 is configured to receive and parse a message to be matched so as to extract the current five-tuple data carried by the message to be matched; to zero part of the identification data of the current five-tuple data according to the at least one target data entry corresponding to the at least one item of range-type data; and to convert the zeroed current five-tuple data according to the preset conversion rule to form a storage identifier to be matched;
the rule matching module 104 is configured to detect whether a target storage location marked with the storage identifier to be matched exists in the rule memory module 102 and, if so, to read the target message rule stored at the target storage location and output the target message rule and the message to be matched.
In the embodiment shown in Fig. 1, the message matching circuit consists of a rule parsing module, a rule memory module, a rule matching module and a packet parsing module. Range-type data are used to describe the identification data corresponding to one or more data entries in the five-tuple data, so that one message rule can correspond to a whole class of messages to be matched that share the same characteristics. When a large batch of messages has to be matched, this reduces the number of message rules stored in the rule memory module and saves storage resources. Meanwhile, the rule parsing module can convert the five-tuple data corresponding to a message rule using the preset conversion rule to obtain a storage identifier, and use that storage identifier to mark the storage location of the message rule in the rule memory module. Later, after the packet parsing module converts the current five-tuple data corresponding to a message to be matched using the same preset rule to obtain a current storage identifier, the message rule that matches the message to be matched can be found quickly in the rule memory module from the current storage identifier and the storage identifiers of the message rules stored there, and the message to be matched is output together with the message rule that matches it. In summary, the technical solution of the invention saves storage resources and finds the message rule corresponding to a message to be matched more quickly, so matching efficiency is higher.
In the above embodiment, n*8-bit binary data can be used as the identification data corresponding to the protocol number, the source port and the destination port respectively. When the identification data corresponding to any one of these data entries is range-type data, the binary data corresponding to that data entry can be set entirely to zero, indicating that the scope of the message rule corresponding to the five-tuple data carrying the range-type data places no restriction on that data entry. For example, when one 8-bit binary value is used as the identification data corresponding to the protocol number and all 8 bits are 0, the message rule corresponding to the five-tuple data carrying that 8-bit value applies regardless of the protocol number.
Specifically, in one possible implementation, the rule parsing module includes a first conversion unit (not shown in the drawings); wherein,
the first conversion unit is configured, when the data type of the identification data corresponding to the source IP address and the destination IP address is subnet mask, to XOR together every 8 bits of the five-tuple data to form one 8-bit storage identifier.
In the above embodiment of the present invention, the first conversion unit can compute the storage identifier with the following formula:
ADDR[7:0] = SIP[31:24] ^ SIP[23:16] ^ SIP[15:8] ^ SIP[7:0] ^ DIP[31:24] ^ DIP[23:16] ^ DIP[15:8] ^ DIP[7:0] ^ PROTOCOL[7:0] ^ SPORT[15:8] ^ SPORT[7:0] ^ DPORT[15:8] ^ DPORT[7:0].
Understandably, after zeroing part of the identification data in the current five-tuple data carried by the message to be matched according to the corresponding range-type data, the packet parsing module can also compute, in the same way (or with the formula above), the storage identifier to be matched that corresponds to the current five-tuple data carried by the message to be matched.
As shown in Fig. 2, in another possible implementation, the rule parsing module 101 includes a second conversion unit 1011; wherein,
the second conversion unit 1011 is configured, when the identification data corresponding to the source IP address comprise a first start IP address and a first end IP address and the identification data corresponding to the destination IP address comprise a second start IP address and a second end IP address, to: read the first upper n bits of the first start IP address or the first end IP address; read the second upper n bits of the second start IP address or the second end IP address; combine the first upper n bits, the second upper n bits and the identification data corresponding to the three data entries protocol number, source port and destination port; XOR together every 8 bits of the combined data to form one 8-bit reference storage identifier; generate one 8-bit item of flag data indicating an address conflict; XOR the reference storage identifier with the flag data to obtain the storage identifier; store the lower m bits of the first start IP address, the lower m bits of the first end IP address, the lower m bits of the second start IP address, the lower m bits of the second end IP address and the message rule in the rule memory module 102; and use the storage identifier to mark the storage location of the message rule in the memory module 102, where m and n are integer multiples of 4.
Correspondingly, referring to Fig. 2, in one embodiment of the invention, the rule matching module 104 includes a first detection unit 1041, a second detection unit 1042, a third detection unit 1043 and a data processing unit 1044; wherein,
the first detection unit 1041 is configured to detect whether a target storage location marked with the storage identifier to be matched exists in the rule memory module 102 and, if so, to trigger the second detection unit 1042;
the second detection unit 1042 is configured, when triggered by the first detection unit 1041, to detect whether the lower m bits of the current source IP address carried in the current five-tuple data lie between the lower m bits of the first start IP address and the lower m bits of the first end IP address and, if so, to trigger the third detection unit 1043;
the third detection unit 1043 is configured, when triggered by the second detection unit 1042, to detect whether the lower m bits of the current destination IP address carried in the current five-tuple data lie between the lower m bits of the second start IP address and the lower m bits of the second end IP address and, if so, to trigger the data processing unit 1044;
the data processing unit 1044 is configured, when triggered by the third detection unit 1043, to read the target message rule stored at the target storage location and to output the target message rule and the message to be matched.
In the above embodiment, the second conversion unit generates the corresponding storage address, and in the subsequent process the first detection unit, the second detection unit and the third detection unit of the rule matching module work together, so that the message rule corresponding to a message to be matched can be found in the rule storage circuit more quickly and accurately.
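A behavioural model of the two conversion units and the three-stage check described above, as an added Python example rather than anything taken from the patent: `first_unit_addr` follows the ADDR[7:0] formula, and `RangeTable` models the second conversion unit together with the detection units. The split n = 16 with m = 32 - n, a conflict flag of 0, inclusive range bounds, the `range_fields` setting, and all names and sample addresses are assumptions made for the illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

CONFLICT_FLAG = 0x00  # assumption: the page does not say how this 8-bit flag is derived


def xor_fold(value: int, nbits: int) -> int:
    """XOR every 8-bit slice of an nbits-wide value into one 8-bit identifier."""
    addr = 0
    for shift in range(0, nbits, 8):
        addr ^= (value >> shift) & 0xFF
    return addr


def zero_range_fields(proto, sport, dport, range_fields):
    """Zero the entries configured as range-type, for rules and packets alike."""
    return (0 if "proto" in range_fields else proto,
            0 if "sport" in range_fields else sport,
            0 if "dport" in range_fields else dport)


def first_unit_addr(sip, dip, proto, sport, dport, range_fields=frozenset()):
    """ADDR[7:0] as in the page's formula: fold the whole 104-bit five-tuple."""
    proto, sport, dport = zero_range_fields(proto, sport, dport, range_fields)
    key = ((int(IPv4Address(sip)) << 72) | (int(IPv4Address(dip)) << 40)
           | (proto << 32) | (sport << 16) | dport)
    return xor_fold(key, 104)


@dataclass
class RangeRule:
    sip_start: str
    sip_end: str
    dip_start: str
    dip_end: str
    proto: int
    sport: int
    dport: int
    action: str


class RangeTable:
    """Second conversion unit plus the detection units, modelled as a lookup table."""

    def __init__(self, n=16, range_fields=frozenset()):
        if n % 4 or not 0 < n < 32:
            raise ValueError("n must be a multiple of 4 below 32")
        self.n, self.m = n, 32 - n           # assumption: n + m = 32
        self.range_fields = frozenset(range_fields)
        self.slots = {}                      # storage identifier -> low bits + rule

    def _split(self, ip):
        value = int(IPv4Address(ip))
        return value >> self.m, value & ((1 << self.m) - 1)

    def _addr(self, sip_hi, dip_hi, proto, sport, dport):
        proto, sport, dport = zero_range_fields(proto, sport, dport, self.range_fields)
        key = ((sip_hi << (self.n + 40)) | (dip_hi << 40)
               | (proto << 32) | (sport << 16) | dport)
        return xor_fold(key, 2 * self.n + 40) ^ CONFLICT_FLAG

    def add(self, rule):
        (s_hi, s_lo), (se_hi, se_lo) = self._split(rule.sip_start), self._split(rule.sip_end)
        (d_hi, d_lo), (de_hi, de_lo) = self._split(rule.dip_start), self._split(rule.dip_end)
        if s_hi != se_hi or d_hi != de_hi:
            raise ValueError("start and end must share their upper n bits")
        if s_lo > se_lo or d_lo > de_lo:
            raise ValueError("range start is above range end")
        addr = self._addr(s_hi, d_hi, rule.proto, rule.sport, rule.dport)
        if addr in self.slots:               # conflict handling is not detailed on the page
            raise ValueError(f"slot {addr:#04x} already holds a rule")
        self.slots[addr] = (s_lo, se_lo, d_lo, de_lo, rule.action)
        return addr

    def match(self, sip, dip, proto, sport, dport):
        s_hi, s_lo = self._split(sip)
        d_hi, d_lo = self._split(dip)
        slot = self.slots.get(self._addr(s_hi, d_hi, proto, sport, dport))
        if slot is None:                     # first detection unit: no slot has this identifier
            return None
        s_start, s_end, d_start, d_end, action = slot
        if not s_start <= s_lo <= s_end:     # second detection unit: source low m bits
            return None
        if not d_start <= d_lo <= d_end:     # third detection unit: destination low m bits
            return None
        return action                        # data processing unit outputs the rule


def build_demo_table():
    """Constructed sample: one rule with the source port treated as range-type."""
    table = RangeTable(n=16, range_fields={"sport"})
    table.add(RangeRule("10.1.0.16", "10.1.0.31", "192.168.5.0", "192.168.5.255",
                        6, 0, 443, "permit-web"))
    return table
```

The 8-bit fold is many-to-one (swapping the source and destination addresses, for instance, yields the same ADDR), so a model like this is a quick way to see which distinct five-tuples share a slot and which of them the low-m-bit comparisons then separate.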
As shown in figure 3, utilizing the message provided in any embodiment of the present invention matching an embodiment of the present invention provides a kind of Circuit carries out the matched method of message, including:
Step 301, the message strategy issued using rule parsing module parsing host computer is to extract the message plan The five-tuple data and message rule slightly carried, wherein the five-tuple data include 5 and source IP address, destination IP Five one-to-one mark datas of data entry such as location, protocol number, source port and destination interface, and each mark data In there are at least one range type data;Conversion processing is carried out according to default transformation rule to the five-tuple data to deposit to be formed Storage mark;The message rule is stored to the regular memory module, and mark the message to advise using storage mark The then storage location in the regular memory module;
Step 302, message to be matched is received and parsed through using the packet parsing module to extract the message to be matched Entrained current five-tuple data, and at least one target data item corresponding at least one range type data Mesh carries out zero setting processing to the part identification data of the current five-tuple data, and according to the default transformation rule to zero setting The current five-tuple data that treated carry out conversion processing and are identified with forming storage to be matched;
Step 303, it is detected in the regular memory module using the rule match module and stores position with the presence or absence of target It sets and is marked as the storage mark to be matched, if so, the object message rule stored under the target storage position is read, And the object message rule and the message to be matched are exported.
In one embodiment of the invention, when the rule parsing module includes first conversion unit,
The basis presets transformation rule and carries out conversion processing to the five-tuple data to form storage mark, including: Using first conversion unit the source IP address and the destination IP address corresponding mark data data When type is subnet mask, every 8 of the five-tuple data are made or operation is identified with the storage for forming one 8.
In one embodiment of the invention, when the rule parsing module includes second conversion unit,
The basis presets transformation rule and carries out conversion processing to the five-tuple data to form storage mark, including: Include that the first beginning IP address and first are whole using mark data of second conversion unit corresponding to the source IP address Only the mark data corresponding to IP address and the destination IP address includes that the secondth start ip address and second terminate IP address When, the first high n bit address of first start ip address or the first termination IP address is read, second starting is read Second high n bit address of IP address or the second termination IP address, by described the first of reading the high n bit address, described second The corresponding mark data of three data entry institutes such as high n bit address and protocol number, source port and destination interface is combined, will Combine obtained data splitting every 8 make or operation stores mark to form one 8 references, and generate one 8 Expression address conflict flag data, by it is described with reference to storage mark with the flag data work or operation to be stored Mark;The low m bit address of first start ip address, described first are terminated to the low m bit address, second described of IP address The low m bit address of beginning IP address, the low m bit address of the second termination IP address are stored with the message rule to the rule Memory module, and mark storage location of the message rule in the memory module using the storage mark, wherein m And n is 4 integral multiple.
In one embodiment of the invention, when the rule matching module includes the first detection unit, the second detection unit, the third detection unit and the data processing unit,
using the rule matching module to detect whether a target storage location marked with the storage mark to be matched exists in the rule storage module and, if so, reading the target message rule stored at the target storage location and outputting the target message rule and the message to be matched, includes:
using the first detection unit to detect whether a target storage location marked with the storage mark to be matched exists in the rule storage module and, if so, triggering the second detection unit;
using the second detection unit, under the triggering of the first detection unit, to detect whether the low m-bit address of the current source IP address carried in the current five-tuple data lies between the low m-bit address of the first start IP address and the low m-bit address of the first end IP address and, if so, triggering the third detection unit;
using the third detection unit, under the triggering of the second detection unit, to detect whether the low m-bit address of the current destination IP address carried in the current five-tuple data lies between the low m-bit address of the second start IP address and the low m-bit address of the second end IP address and, if so, triggering the data processing unit;
using the data processing unit, under the triggering of the third detection unit, to read the target message rule stored at the target storage location and to output the target message rule and the message to be matched.
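The second conversion unit and the three detection steps described above can be modelled in software as follows. This is an added sketch, not code from the patent: IPv4 addresses, m = 8, the field order used for concatenation, a zero address-conflict flag (the page does not say how the flag is generated), the rejection of ranges that span two high-n-bit blocks, and the names `or_fold`, `mark_of`, `Entry` and `RuleStore` are all assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

M = 8                      # assumed: low m bits are range-checked (page: m is a multiple of 4)
LOW = (1 << M) - 1         # mask selecting the low m bits of an address
HIGH = 0xFFFFFFFF ^ LOW    # mask selecting the high n = 32 - m bits (assumes IPv4)


def or_fold(value: int) -> int:
    """OR every 8-bit group of `value` together into one 8-bit mark."""
    mark = 0
    while value:
        mark |= value & 0xFF
        value >>= 8
    return mark


def mark_of(src: int, dst: int, proto: int, sport: int, dport: int) -> int:
    """Zero the low m address bits, concatenate the five fields, OR-fold.
    Field order and widths (32+32+8+16+16 bits) are assumptions."""
    packed = (((src & HIGH) << 72) | ((dst & HIGH) << 40)
              | (proto << 32) | (sport << 16) | dport)
    return or_fold(packed)


@dataclass(frozen=True)
class Entry:
    src_lo: int   # low m bits of the first start IP address
    src_hi: int   # low m bits of the first end IP address
    dst_lo: int   # low m bits of the second start IP address
    dst_hi: int   # low m bits of the second end IP address
    rule: str


class RuleStore:
    def __init__(self):
        self.slots = {}   # storage mark -> list of entries stored under it

    def install(self, src_range, dst_range, proto, sport, dport, rule, conflict_flag=0):
        """Rule parsing module with the second conversion unit."""
        s0, s1 = (int(IPv4Address(a)) for a in src_range)
        d0, d1 = (int(IPv4Address(a)) for a in dst_range)
        if s0 > s1 or d0 > d1:
            raise ValueError("start address must not exceed end address")
        if (s0 ^ s1) & HIGH or (d0 ^ d1) & HIGH:
            # Assumption: start and end must share their high n bits.
            raise ValueError("range must stay inside one high-n-bit block")
        reference = mark_of(s0, d0, proto, sport, dport)
        mark = reference | (conflict_flag & 0xFF)   # flag generation is not specified
        entry = Entry(s0 & LOW, s1 & LOW, d0 & LOW, d1 & LOW, rule)
        self.slots.setdefault(mark, []).append(entry)
        return mark

    def match(self, src, dst, proto, sport, dport):
        """Packet parsing module followed by the rule matching module."""
        s, d = int(IPv4Address(src)), int(IPv4Address(dst))
        mark = mark_of(s, d, proto, sport, dport)       # storage mark to be matched
        for e in self.slots.get(mark, []):              # first detection unit
            if not e.src_lo <= (s & LOW) <= e.src_hi:   # second detection unit
                continue
            if not e.dst_lo <= (d & LOW) <= e.dst_hi:   # third detection unit
                continue
            return e.rule                               # data processing unit
        return None
```

An 8-bit OR-fold has only 256 possible outputs, so distinct five-tuples can share a storage mark; the sketch therefore keeps a list of entries per mark, and after the lookup it checks only the two low-m-bit ranges, as the detection units above do.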
In conclusion each embodiment of the present invention at least has the advantages that:
1, in one embodiment of the invention, the message match circuit is by rule parsing module, regular memory module, rule match Module and packet parsing module composition, utilization scope type data are right to describe one or more data entry institutes in five-tuple data The mark data answered a so that message rule can correspond to one kind message to be matched with same characteristics, when needs pair When large batch of clear text is matched, then the quantity of the message rule stored in regular memory module can be reduced, saved Storage resource;Meanwhile rule parsing module can utilize default transformation rule to the five-tuple data corresponding to message rule into Row conversion is to obtain storage mark, and the storage position using obtained storage mark label message rule in regular memory module It sets, packet parsing module treats the current five-tuple number corresponding to matching message using identical preset rules in the follow-up process According to being converted to obtain currently stored mark after, then can be according to storing in currently stored mark and regular memory module The corresponding storage of each message rule institute identifies, and is quickly found in regular memory module and the message phase to be matched The message rule matched, and will be exported with matching message and with this with the message rule that matching message matches.In conclusion logical Technical scheme of the present invention is crossed, storage resource can be saved, and more can quickly find corresponding with message to be matched Message rule, matching efficiency are higher.
2, in one embodiment of the invention, corresponding storage address is generated by the second conversion unit, is passed through in subsequent process First detection unit, second detection unit and third detection unit under rule module are wanted to coordinate, can be more quick and accurate The message rule corresponding to message to be matched is found in regular storage circuit.
It should be noted that herein, such as first and second etc relational terms are used merely to an entity Or operation is distinguished with another entity or operation, is existed without necessarily requiring or implying between these entities or operation Any actual relationship or order.Moreover, the terms "include", "comprise" or its any other variant be intended to it is non- It is exclusive to include, so that the process, method, article or equipment including a series of elements includes not only those elements, But also include other elements that are not explicitly listed, or further include solid by this process, method, article or equipment Some elements.In the absence of more restrictions, the element limited by sentence " including one ", is not arranged Except there is also other identical factors in the process, method, article or apparatus that includes the element.
Finally, it should be noted that:The foregoing is merely presently preferred embodiments of the present invention, is merely to illustrate the skill of the present invention Art scheme, is not intended to limit the scope of the present invention.Any modification for being made all within the spirits and principles of the present invention, Equivalent replacement, improvement etc., are included within the scope of protection of the present invention.

Claims (8)

1. A range-type message matching circuit, characterized by comprising:
a rule parsing module, a rule storage module, a rule matching module and a packet parsing module; wherein
the rule parsing module is configured to parse a message strategy issued by a host computer to extract the five-tuple data and the message rule carried by the message strategy, wherein the five-tuple data include five items of mark data in one-to-one correspondence with the five data entries source IP address, destination IP address, protocol number, source port and destination port, and at least one range-type data exists among the mark data; to perform conversion processing on the five-tuple data according to a preset conversion rule to form a storage mark; and to store the message rule in the rule storage module and use the storage mark to mark the storage location of the message rule in the rule storage module;
the packet parsing module is configured to receive and parse a message to be matched to extract the current five-tuple data carried by the message to be matched; to perform zero-setting processing on part of the mark data of the current five-tuple data for the at least one target data entry corresponding to the at least one range-type data; and to perform conversion processing on the zeroed current five-tuple data according to the preset conversion rule to form a storage mark to be matched;
the rule matching module is configured to detect whether a target storage location marked with the storage mark to be matched exists in the rule storage module and, if so, to read the target message rule stored at the target storage location and output the target message rule and the message to be matched.
2. The range-type message matching circuit according to claim 1, characterized in that
the rule parsing module comprises a first conversion unit; wherein
the first conversion unit is configured, when the data type of the mark data corresponding to the source IP address and the destination IP address is a subnet mask, to perform an OR operation on every 8 bits of the five-tuple data to form an 8-bit storage mark.
3. The range-type message matching circuit according to claim 1, characterized in that
the rule parsing module comprises a second conversion unit; wherein
the second conversion unit is configured, when the mark data corresponding to the source IP address includes a first start IP address and a first end IP address and the mark data corresponding to the destination IP address includes a second start IP address and a second end IP address, to read the first high n-bit address of the first start IP address or the first end IP address, and to read the second high n-bit address of the second start IP address or the second end IP address; to combine the first high n-bit address and the second high n-bit address that were read with the mark data corresponding to the three data entries protocol number, source port and destination port; to perform an OR operation on every 8 bits of the combined data to form an 8-bit reference storage mark; to generate 8-bit flag data indicating an address conflict; and to perform an OR operation on the reference storage mark and the flag data to obtain the storage mark; and to store the low m-bit address of the first start IP address, the low m-bit address of the first end IP address, the low m-bit address of the second start IP address and the low m-bit address of the second end IP address together with the message rule in the rule storage module, and use the storage mark to mark the storage location of the message rule in the storage module, where m and n are integer multiples of 4.
4. The range-type message matching circuit according to claim 3, characterized in that
the rule matching module comprises a first detection unit, a second detection unit, a third detection unit and a data processing unit; wherein
the first detection unit is configured to detect whether a target storage location marked with the storage mark to be matched exists in the rule storage module and, if so, to trigger the second detection unit;
the second detection unit is configured, under the triggering of the first detection unit, to detect whether the low m-bit address of the current source IP address carried in the current five-tuple data lies between the low m-bit address of the first start IP address and the low m-bit address of the first end IP address and, if so, to trigger the third detection unit;
the third detection unit is configured, under the triggering of the second detection unit, to detect whether the low m-bit address of the current destination IP address carried in the current five-tuple data lies between the low m-bit address of the second start IP address and the low m-bit address of the second end IP address and, if so, to trigger the data processing unit;
the data processing unit is configured, under the triggering of the third detection unit, to read the target message rule stored at the target storage location and to output the target message rule and the message to be matched.
5. A method for message matching using the message matching circuit according to any one of claims 1 to 4, characterized by comprising:
using the rule parsing module to parse a message strategy issued by a host computer to extract the five-tuple data and the message rule carried by the message strategy, wherein the five-tuple data include five items of mark data in one-to-one correspondence with the five data entries source IP address, destination IP address, protocol number, source port and destination port, and at least one range-type data exists among the mark data; performing conversion processing on the five-tuple data according to a preset conversion rule to form a storage mark; and storing the message rule in the rule storage module and using the storage mark to mark the storage location of the message rule in the rule storage module;
using the packet parsing module to receive and parse a message to be matched to extract the current five-tuple data carried by the message to be matched; performing zero-setting processing on part of the mark data of the current five-tuple data for the at least one target data entry corresponding to the at least one range-type data; and performing conversion processing on the zeroed current five-tuple data according to the preset conversion rule to form a storage mark to be matched;
using the rule matching module to detect whether a target storage location marked with the storage mark to be matched exists in the rule storage module and, if so, reading the target message rule stored at the target storage location and outputting the target message rule and the message to be matched.
6. The method according to claim 5, characterized in that,
when the rule parsing module includes the first conversion unit,
performing conversion processing on the five-tuple data according to the preset conversion rule to form the storage mark includes: using the first conversion unit, when the data type of the mark data corresponding to the source IP address and the destination IP address is a subnet mask, performing an OR operation on every 8 bits of the five-tuple data to form an 8-bit storage mark.
7. The method according to claim 5, characterized in that,
when the rule parsing module includes the second conversion unit,
performing conversion processing on the five-tuple data according to the preset conversion rule to form the storage mark includes: using the second conversion unit, when the mark data corresponding to the source IP address includes a first start IP address and a first end IP address and the mark data corresponding to the destination IP address includes a second start IP address and a second end IP address, reading the first high n-bit address of the first start IP address or the first end IP address, and reading the second high n-bit address of the second start IP address or the second end IP address; combining the first high n-bit address and the second high n-bit address that were read with the mark data corresponding to the three data entries protocol number, source port and destination port; performing an OR operation on every 8 bits of the combined data to form an 8-bit reference storage mark; generating 8-bit flag data indicating an address conflict; and performing an OR operation on the reference storage mark and the flag data to obtain the storage mark; storing the low m-bit address of the first start IP address, the low m-bit address of the first end IP address, the low m-bit address of the second start IP address and the low m-bit address of the second end IP address together with the message rule in the rule storage module, and using the storage mark to mark the storage location of the message rule in the storage module, where m and n are integer multiples of 4.
8. The method according to claim 7, characterized in that,
when the rule matching module includes the first detection unit, the second detection unit, the third detection unit and the data processing unit,
using the rule matching module to detect whether a target storage location marked with the storage mark to be matched exists in the rule storage module and, if so, reading the target message rule stored at the target storage location and outputting the target message rule and the message to be matched, includes:
using the first detection unit to detect whether a target storage location marked with the storage mark to be matched exists in the rule storage module and, if so, triggering the second detection unit;
using the second detection unit, under the triggering of the first detection unit, to detect whether the low m-bit address of the current source IP address carried in the current five-tuple data lies between the low m-bit address of the first start IP address and the low m-bit address of the first end IP address and, if so, triggering the third detection unit;
using the third detection unit, under the triggering of the second detection unit, to detect whether the low m-bit address of the current destination IP address carried in the current five-tuple data lies between the low m-bit address of the second start IP address and the low m-bit address of the second end IP address and, if so, triggering the data processing unit;
using the data processing unit, under the triggering of the third detection unit, to read the target message rule stored at the target storage location and to output the target message rule and the message to be matched.
CN201810329873.5A 2018-04-13 2018-04-13 A kind of range type message match circuit and method Pending CN108449445A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810329873.5A CN108449445A (en) 2018-04-13 2018-04-13 A kind of range type message match circuit and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810329873.5A CN108449445A (en) 2018-04-13 2018-04-13 A kind of range type message match circuit and method

Publications (1)

Publication Number Publication Date
CN108449445A true CN108449445A (en) 2018-08-24

Family

ID=63199833

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810329873.5A Pending CN108449445A (en) 2018-04-13 2018-04-13 A kind of range type message match circuit and method

Country Status (1)

Country Link
CN (1) CN108449445A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180824