RU2710302C1 - Method of organizing operation of network equipment components for processing network packets (4 versions) - Google Patents

Abstract

FIELD: wireless communication equipment.

SUBSTANCE: invention relates to network communication technologies. Method for a given network packet excludes loading into processor those rules, under which this packet can not approach, and provide loading only those rules, under which this packet is suitable, minimizing the number of data transfers between the central processor and other components of the system. That is, significant increase in network equipment throughput with a given configuration, which is located at the boundary of network segments. Method characterizes interaction of the processor with other components of the system, which leads to an increase in the number of network packets, which can be transmitted from one segment of the network to the other per a unit of time, while observing the security policy established by the network administrator.

EFFECT: high efficiency of network equipment for processing network packets in accordance with a given configuration, which is achieved by implementing a method of interacting components of network equipment.

23 cl, 10 dwg

Description

FIELD OF THE INVENTION

The invention relates to network communication technologies, in particular, to methods for effectively solving network packet processing problems, such as routing, filtering, policy based routing (PBR), network address translation - NAT), etc., as well as any combination of these tasks.

State of the art

Currently, an approach is widely used in which modern network equipment is built on the basis of universal hardware components. This is due to the fact that the production process of such components is well established, as a result of which their cost is quite small compared to specialized equipment. An example of universal hardware hardware components is x86 and x64 general purpose compatible central processing units (CPUs), random access memory (RAM), network cards (NICs), etc.

In this case, network equipment is configured by the network administrator using a high-level configuration language by writing a set of rules in accordance with which the network equipment organizes its activities. A set of such rules will hereinafter be referred to as network equipment configuration. An example of a network equipment configuration is a routing table for networks operating on the basis of IPv4 / IPv6 protocols, access control list (ACL), etc.

Universal hardware components have standardized interfaces for interacting with each other, so they are easily interchangeable. If necessary, you can replace some existing component with a newer one, and thereby improve the performance of the entire system. However, in recent years there has been a multiple increase in the bandwidth of network adapters, while the increase in the performance of central processors and RAM is undergoing stagnation. As a result, it becomes impossible to increase the performance of network equipment by simply replacing hardware components.

Therefore, under the current conditions, the task of optimizing the costs arising from the interaction of different hardware components comes to the fore, and not the task of accelerating a single hardware component. This task is associated with the most efficient use of computing power available at present.

One of the important problems hindering the efficient use of the computing power of network equipment is the slow data transfer speed between the central processor and RAM. In fact, the processor is idle for the entire time interval between the moment of sending the request for the next data block and the moment of receiving the requested data block.

When processing network packets, a significant part of requests for RAM is associated with the need to load rules into the central processor. With an increase in the number of rules, the number of queries to RAM increases, and the costs associated with processing each network packet increase accordingly. As a result, with a large number of rules, the processing time of network packets becomes unacceptably long.

Despite the fact that equipment based on universal hardware components is not oriented toward the fulfillment of network packet processing tasks, nevertheless, it is quite capable of effectively solving such problems. However, this requires the development of such an approach to processing network packets that would minimize the costs associated with the interaction of the hardware components of this equipment.

The current level of technology provides various ways of organizing the operation of network equipment components for data processing.

Patents that are based on the operation of the so-called OpenFlow-compatible equipment, namely the following inventions, are selected as patent patents:

1. Patent RU 2 589 340 C2, IPC H04L 12/70, 07/10/2016. - Network system and method for obtaining VLAN tag data.

2. Patent RU 2 628 476 C1, IPC H04L 12/70, 08/17/2017. A switching device, a controller, a method for configuring a switching device, and a method and system for processing a packet.

3. Patent RU 2 609 086 C2, IPC H04L 12/70, 01/30/2017. - Network packet forwarding device (options), a method for configuring a network packet forwarding device (options), and a packet forwarding method.

4. Patent RU 2 554 543 C2, IPC H04L 12/00, H04L 12/70, 06/27/2015. - Communication unit, communication system, communication method and recording medium.

As described in Patent RU 2 628 476, “Switching device, controller, method for configuring a switching device and method and system for processing a packet”, OpenFlow is a control protocol between an OpenFlow controller (OpenFlow Controller, for short, a controller) and an OpenFlow switch (OpenFlow Switch, for brevity is a switch).

The controller controls the behavior of the switch, preferably using a flow table. The table of flows is stored in the switch and is formed from a set of records about flows (Flow Entry). Each stream record includes, as a rule, Match Fields and Instructions.

Typically, the correspondence field indicates the information that needs to be matched (which can be information such as various header fields of the packet or the port ID from which the switch receives the packet) and provides the assigned value of the information that needs to be matched, and the assigned value is used for comparison with the actual value of the information that pertains to the package and which needs to be matched, and the commands include many types of commands, which include the Action used to indicate to perform some operation on the package. "

Thus, all the above patent analogues have the same attribute with the claimed invention that packets are processed in accordance with a set of rules (in OpenFlow it is called Flow Table), where each rule (in OpenFlow it is called Flow Entry) in a set consists of fields packages (in OpenFlow it is called Match Fields) and actions (in OpenFlow it is called Instructions).

As follows from the protocol description, OpenFlow is a control protocol between the controller and the switch that describes the switch's capabilities for processing network packets. Moreover, the implementation of such capabilities in specific software and hardware systems can be different and can be optimized in accordance with the characteristics of a particular equipment. Thus, patents-analogues are aimed at solving problems arising from the operation of already implemented OpenFlow-compatible software and hardware systems.

Unlike analog patents, the claimed invention describes new methods for implementing software and hardware systems for processing network packets, including OpenFlow-compatible complexes. Thus, patents-analogues and the claimed invention are aimed at solving various problems. This is the novelty of the invention, in contrast to existing inventions.

Closest to the claimed technical solution is Patent RU 2 609 086 C2, IPC H04L 12/70, 01/30/2017. - Network packet forwarding device (options), a method for configuring a network packet forwarding device (options), and a packet forwarding method. This technical solution is taken as a prototype.

The patent prototype describes a way to correct a flaw in the OpenFlow standard version 1.0, namely the inability to use multiple tables (Flow Table). As a solution, it is proposed to run the network packet through the same table several times, but each time with different field values (Match Fields), specifically with a different value for the "Port ID from which the switch receives the packet" field. The value of this field is changed by sending the packet to the hardware loop. The packet is sent to the network and immediately returned, but through a different port. Thus, the patent prototype allows you to simulate several tables using one, by splitting the entries (Flow Entry) in it into groups, with each group of entries responding only to packets received from a specific port on the switch.

Despite the advantages, the prototype has disadvantages. The number of tables simulated in this way is limited by the number of ports in the switch. This significantly limits the administrator’s ability to configure the switch. In addition, multiple runs of the same network packets through the same table negatively affect the bandwidth of the switch, in the worst case, when simulating N tables, the bandwidth of the switch will drop N times.

Unlike the prototype patent, the claimed invention offers the administrator more flexible tools for configuring network equipment, while the throughput of network equipment, regardless of its configuration, will always remain high.

As an example, we take the same problem that was solved in the prototype patent, but reformulated in terms of our patent, namely: the organization of rules in the form of several sets of rules.

In the prototype patent, a hardware loop was used to send the network packet for processing to the following table. In our patent, in order to send a network packet for processing to the next set of rules, it is enough to create a nonterminal rule with an action, for example, JUMP (see example 2 and tables 6, 7), which will go to the first rule from the next set, i.e. Change the order in which rules are applied to the package. Note that non-terminal rules are used only at the stage of configuring network equipment.

The present invention allows you to convert all the original rule sets into one set of primitive terminal rules and build an index of these rules. At the stage of processing packets, the converted rules are already used, and, as shown in the “Disclosure of the Invention” section, the equipment throughput does not depend on the number of source rules or the number of sets of source rules.

Thus, the present invention is applicable, inter alia, to create OpenFlow-compatible equipment that supports work with multiple tables (Flow Table) and provides at the same time no less (possibly more) performance than similar equipment that supports work with only one table .

In addition, the present invention is applicable to the creation of other software and hardware systems that process network packets in accordance with a given set of rules.

The technical goal of the claimed invention is to increase the number of network packets that can be transferred from one segment in the network to another in a unit of time, while observing the security policy established by the network administrator. That is, the goal is to increase the throughput of network equipment with a given configuration, which is located on the border of network segments.

The classic approach to achieving this goal is to increase the number of instances of network equipment and organize the balancing of traffic between these instances. For example, instead of a single firewall, two firewalls and a traffic balancer can be used to evenly distribute the flow of network packets between firewalls, which, at best, will double the throughput of the entire system. Obviously, the disadvantage of this approach is its high cost: equipment must be purchased, it is necessary to allocate a place in the server room for it, bring power supply, organize its cooling, and so on.

Therefore, the aim of the claimed invention is to increase the throughput of the equipment without increasing the number of copies. This is equivalent to an increase in the number of network packets processed per unit of time by a unit of network equipment. This value will be called the efficiency of network equipment.

Thus, the technical result achieved by using the claimed invention is to increase the efficiency of network equipment for processing network packets in accordance with a given configuration.

As a result of the implementation of the proposed method for organizing the interaction of network equipment components, the following tasks are solved:

1) the number of data transfers between the central processor and other components of the system is minimized;

2) it is not required to use new configuration tools from the network equipment administrator;

3) no replacement or modification of existing system components is required.

The technical result is achieved through the implementation of the method of organizing the interaction of components of network equipment, which is characterized by the following essential features:

1) (the presence of an action or set of actions) The method involves the presence of a preliminary preparatory stage of the equipment. This stage consists in simulating the processing of those packets that could theoretically come to network equipment with a given configuration. During this simulation, it becomes known through which rules a network packet will go through when it enters network equipment. Combining together the rules that belong to the same network packet path allows you to get a set of converted rules that are on the one hand equivalent to the original ones and, on the other hand, are simpler, which allows you to build their index and perform an efficient search on them.

2) (the procedure for performing actions in time) The method assumes that the preparatory stage is carried out before the first packet is received from the network. This means that between the moment when the administrator sets a new configuration for the equipment and the moment when the equipment actually starts working in accordance with the new configuration, some time passes, in practice, up to several seconds. Obviously, in some cases this is a drawback, because it does not allow you to change the configuration of the equipment very often (several times per second). However, it should be noted that the costs of the preparatory phase are one-time, while the positive effect of this stage lasts all the time the equipment is in operation until the new configuration is applied. Therefore, if the configuration of the equipment changes relatively rarely, the proposed method is fully justified.

3) (conditions for the implementation of actions; mode; use of devices) The method involves the possibility of connecting an additional hardware component to existing network equipment based on universal hardware components. In the framework of the claimed invention describes the principle of operation of an additional device that can effectively convert a set of arbitrary rules into a set of terminal primitive rules. This additional device can be used to minimize the time required to complete the preparatory phase, which expands the scope of applicability of the claimed invention. In the event that the use of an additional device is difficult or impractical, the method involves the possibility of performing the preparatory phase using only the available hardware components.

The invention is illustrated by the following figures.

FIG. 1 is a block diagram of the architecture of a modern computing system based on an x86 or x64 compatible general-purpose processor;

FIG. 2 is a flowchart of network equipment in processing a network packet;

FIG. 3 is a flowchart of network equipment in processing a network packet, illustrating the operation of the invention according to an “fully hardware solution” embodiment;

FIG. 4 is a block diagram of the architecture of a modern computing system based on an x86 or x64 compatible general-purpose processor, illustrating the implementation of the invention according to a fully hardware solution embodiment;

FIG. 5 is a block diagram of a rule converter in the proposed method;

FIG. 6 is a block diagram of a rule combining module in a rule converter;

FIG. 7 is a flowchart of a method using a fully hardware solution that performs the functions of converting, storing, and searching for rules (option 1);

FIG. 8 is a flowchart of a method using a hardware solution that performs the functions of converting and searching for rules, with the storage of the original and primitive terminal rules in RAM (option

2);

FIG. 9 is a flowchart of a method using a hardware solution that performs the functions of only transforming rules (option 3);

FIG. 10 is a flow chart of a method involving a reduction in the number of additional plug-in hardware components (option 4).

Disclosure of invention

To disclose the claimed invention, the following terms and definitions are used.

Field - the value of a property or attribute, represented in numerical form.

Package - a specially designed message transmitted over communication lines.

Package fields - a set of all fields that are in any way related to the package in the process of processing it. A packet field is not necessarily information stored in the packet itself, such as, for example, the network protocol number. The packet field may be the information necessary for processing the packet and stored in the network equipment, such as, for example, the timestamp of receiving the packet or the number of the rule applied to the packet at a given time.

A rule is a collection of checks and an ordered set of actions performed in relation to the fields of a package.

Validation (rules) - a predicate that takes one or more fields of a packet and returns a Boolean value (1 (validation passed) or 0 (validation failed)). An example of verification is the verification that the sum of all fields in a packet is an even number.

It is said that a package matches a rule if all rule checks applied to the fields of the package return a positive result.

An action (rules) is an operation performed on the fields of a package. An example of an action is to write some fields of a package to a log.

The following checks are called primitive:

1. Check that the packet field is equal to the specified value.

2. Checking that the packet field has the specified prefix.

3. Check that the packet field is in the specified range.

A rule is called primitive if all of its checks are primitive.

Verdict - an action that changes the order in which rules are applied to a package.

A verdict is called terminal if it completes the process of applying rules to a package.

A rule is called terminal if it contains a terminal verdict.

Configuration (network equipment) - an ordered set of rules that determine the algorithm for processing network packets.

Two configurations are equivalent to each other if, when applying these sets to any package, they have the same effect on it.

By a packet we will call a set of rules ordered in chronological order, under which a packet came up during its processing by network equipment.

The general main features of the proposed method for organizing the operation of network equipment components for processing network packets are as follows.

Modern computing systems based on x86 and x64 compatible processors are arranged as follows (Fig. 1):

- the central processor 100 has an integrated memory controller 101, therefore, is connected directly to the RAM slots RAM 102 via the corresponding bus 103;

- the chipset 104 is connected through various types of buses 105 to the slots for peripheral devices 106, including NIC 107 network adapters;

- a central processing unit CPU 100 and a chipset 104 are connected to each other by an internal bus 108.

When the network packet 109 arrives at the NIC 107, it is forwarded to the RAM 102 via the DMA 110 (Direct Memory Access) mechanism.

The circuit of FIG. Figure 2 shows that with a large number of rules, processing a network packet can take considerable time.

The DMA 200 mechanism allows you to transfer data between RAM 202 and peripheral devices NIC 201 without the participation of the CPU 203, allowing him to engage in other tasks at this time. Thus, the central processing unit CPU 203 starts processing the network packet 204 when the network packet 204 is already in the RAM 202.

In this case, a significant part of the time when processing the network packet 204 is spent on loading the rules 205 from the RAM 202 into the CPU 203. This is because the CPU 203 does not know in advance which rules should be applied to the network packet 204. Therefore, the CPU 203 requests from the RAM 202 one by one all the rules from 1 to N, where N is the number of rules, until there is a terminal rule under which the network packet 204 will fit.

With an increase in the number of rules N in the configuration of network equipment, the number of rule downloads from RAM increases. This has negative consequences, in particular, there are numerous downtimes 206 that prevent the efficient use of the processor, during which the processor expects to receive data from the memory, and also significantly increases the load on the memory bus, thereby interfering with the work of other processes in the system, since it is multi-core a processor can perform several tasks at once. Thus, the throughput of network equipment is highly dependent on how many rules are in its configuration.

The problem to which this invention is directed is to develop a method for the processor to interact with other system components, leading to an increase in the number of network packets that can be transferred from one segment in the network to another per unit of time, while observing the security policy established by the network administrator .

The claimed invention is carried out using a device connected to the processor, or implemented in whole or in part in software, and performing processing of requests from the processor. It allows for a relatively short fixed period of time from a given set of packet fields to determine which rules a network packet is suitable for, that is, to determine those rules that must be loaded into the processor to apply them to a network packet. The claimed invention complements the existing hardware and software systems, allowing their components to perform their tasks more efficiently.

The circuit of FIG. 3 shows how a device for implementing the method can significantly reduce the processing time of a network packet according to one embodiment of the invention — a “fully hardware solution” (see Fig. 7). The mechanism for receiving packets from the network card 301 into the RAM 303 is still carried out using direct access to the memory 300. However, in this embodiment, the processor 304 does not access the RAM 303 in order to find suitable rules. Instead, the processor sends a request to device 302 in the form of fields in packet 306. Device 302, using internal modules, quickly searches for those rules from the network equipment configuration for which network packet 305 is suitable. Note that at this time, the rules do not apply to the packet, however , the search for rules takes into account those changes that could occur if the application of the rules took place. Having found the necessary rules, the device 302 generates and sends to the processor 304 a set of actions 307 that it performs with respect to the network packet 305. One idle 308, which is the processing time of the request of the processor 304 by the device 302, is much less than numerous downtimes (see block 206 in FIG. .2), which is the time for receiving several rules from the main memory 303. In addition, in such an embodiment of the invention, the memory bus is not used for transmitting the rules, and therefore, it can be used for transmitting other information. Thus, the device for implementing the method can significantly increase the throughput of network equipment, and at the same time, throughput becomes already independent of the number of rules in the configuration of network equipment.

In FIG. 4 is a block diagram illustrating an apparatus for implementing the invention.

The device for implementing the method in this case is a separate PCI board 400 connected directly to the processor 407 (if this is possible), or to the chipset 408 (otherwise) via the PCIe bus 406.

Before using the device 400 to implement the method, it is necessary to carry out the procedure for its configuration, which is as follows:

1. A rule generator 404 is transmitted a pre-formed set of source rules by means of a DMA transfer, which is stored in the corresponding buffer 401.

2. The rule converter 404 converts the set of source rules into a set of primitive terminal rules, which is stored in the corresponding buffer 402.

3. A packet classifier 405, based on terminal primitive rules, builds an index of rules 403.

In the event of a change in the set of source rules, a procedure for reconfiguring the device 400 for implementing the method may be performed. At the same time, during the reconfiguration, the device continues to operate normally.

After the successful completion of the setup, the device for implementing the method can be used to search for the rules necessary for processing network packets. For this, the processor 407 sends to the packet classifier 405 sets of field fields of a packet that was previously received from the network adapter 410 and placed in the RAM 409. The packet classifier 405 uses the rule index 403, which he constructed at the device setup stage, in order to determine the position the desired rule in the buffer of terminal primitive rules 402. The processor does not need to pass checks of the found rule to the processor, since the checks are used only to find the rules. Therefore, the packet classifier 405 transfers to the processor only the actions of the found rule.

The possibility of constructing an index of rules from a set of terminal primitive rules has been repeatedly described in open sources, for example, in [1,2]. Note that the search time in such an index does not depend on the number of rules in the configuration of network equipment, but depends only on the number of inspected fields of the network packet. Since this number is a constant throughout the operation of the network equipment, the search time in the index of rules is limited from above by a relatively small fixed time.

However, the possibility of transforming a set of arbitrary rules into an equivalent set of terminal primitive rules has never been described before. However, the terminality and primitiveness of all the rules in the set is a prerequisite for constructing an index of rules and, accordingly, for the operation of the entire device for implementing the method. Therefore, it is the rule converter 404 that is the main source of novelty of the claimed invention.

In FIG. 5 is a block diagram of a rule converter as part of a device for implementing the method of FIG. 4.

A general description of the attributes of a rule converter.

Being one of the main components of the device for implementing the method, the rule converter has a number of important properties.

The developed rule converter (Fig. 5) allows you to simulate the process of applying the original set of rules to all network packets that theoretically can get into the network equipment. This allows you to determine the paths of various packages even before they get into the system.

The package path can easily be converted into a primitive terminal rule. To do this, checks for the equality of packet fields to those values that led to the formation of the packet path are used as rule checks. And as the actions of the rule, the concatenation of all actions from the package path is used.

Formally, searching for all paths of packets with their subsequent transformation into primitive terminal rules is enough to implement a converter for implementing the method. But in practice, this approach is not feasible, since the number of different packets that theoretically can get into the network equipment is too large.

Therefore, an important property of the developed converter is the ability to group network packets that have the same path into sets that can be described using primitive predicates. Thus, the number of final primitive terminal rules will no longer depend on the number of possible packets, but on the number of possible packet paths, the number of which is much smaller.

Finally, the developed converter allows you to optimize the actions included in the rules from the package path. If several actions change the same field of the package, then, in some cases, they can be replaced by an equivalent action. For example, a pair of actions “adding the number 1” and “subtracting the number 6” can be replaced with one action “subtracting the number 5”. This reduces the number of actions in the resulting primitive terminal rules.

The converter of FIG. 5 works as follows.

The input to the rule converter is the original rules that are placed in the buffer 500. The output of the converter is the terminal primitive rules stored in the buffer 510.

Before starting the conversion, the calculation order controller 505 initializes the registers with initial values. The register of the base rule 508 is initialized by a rule that matches any packet, and which does not perform any actions on the packet. The register of the rule 502 selector is initialized with a value indicating the first rule from the set of source rules 500. The register of the current path 504 is initialized empty way. These three registers fully describe the current state of the calculation order controller 505 and can be stored at any time in the state store of the controller 507 or retrieved from it. The current rule register (503) is not in the controller state. Before starting the conversion, the state store of the controller 507 does not contain any states.

The rule converter is based on an iterative principle. At the beginning of each iteration, rule decoder 501 extracts a rule from the source rule buffer 500 that is indicated by the register of rule selector 502, converts it into a form suitable for subsequent calculations and places it in the register of the current rule 503. Further actions depend on the verdict of the current rule.

If the current rule is terminal, then the result of the rule combining module 506 is passed to the optimization and compression module of the rules 509. The optimization and compression module of the rules 509 can discard the new rule if this rule can never work, for example, if it describes an empty set of packages. Also, the module for optimization and compression of rules 509 can combine the new rule with one of the available terminal primitive rules. Finally, a new rule can be added to the end of the terminal primitive rule 510 buffer.

If the current rule is not terminal, then the following occurs. The state of the controller is placed in the state store of the controller 507 in order to later be able to continue calculating the packet path that does not contain the current rule. The value of the register of the basic rule 508 is replaced by the result of the operation of the module combining the rules 506, the register of the current path 504 is supplemented by the value of the register of the selector of rules 502, and the register of the selector of rules 502 is modified in accordance with the verdict of the current rule. This ends the iteration.

Processing of the current packet path ends when one of the events occurs:

1. The register of the rule 502 selector points to the end of the source rule buffer 500.

2. The register of the basic rule 508 contains a rule under which no packet can fall.

After that, the state of all registers is replaced by those values that were previously stored in the state store of the controller 507 and the controller continues processing the packet path that does not contain a nonterminal path that caused the controller to change states.

The rule converter ends after processing all possible packet paths.

Of all the modules of the rule converter, the most complex is the module for combining rules 506. It allows, on the basis of a pair of ordered rules A and B, to form rule C, which has the following properties. Firstly, only packets that fit rules A and B at the same time are suitable for rule C, taking into account the changes that rule A exerts on the packet fields. Secondly, the actions of rule C are equivalent to those actions that are contained simultaneously in rules A and B.

In FIG. 6 is a flow diagram of a rule combining module 506 in a rule converter, which is shown in FIG. 5.

In FIG. 6 shows checks of the base rule 600 and the actions of the base rule 602, which correspond to the values in the register of the base rule 508 in FIG. 5. Checks of the current rule 601 and the actions of the current rule 603 correspond to the values in the register of the current rule 503 in FIG. 5.

The rule combining module applies the actions of the basic rule to the checks of the current rule 601 in the reverse order in the corresponding module 604, which allows one to obtain a set of checks 606 that describe the set of packets that could theoretically reach the current rule along the path from which the basic rule was generated. The obtained set of checks 606 is then combined with the checks of the base rule 600 in the corresponding module 607 in order to obtain the resulting set of checks 608.

To calculate the final set of actions 609, it is sufficient to combine the set of actions of the basic and current rules, and, if possible, optimize it. This work takes place in the corresponding module 605.

An example of package fields and a corresponding set of checks and actions.

Without loss of generality, we assume that a packet has only one field (table 1). In practice, the packet fields are attributes such as the network layer addresses of the sender and receiver, the protocol number of the transport layer, the addresses of the transport layer (ports) of the sender and receiver, and other attributes.

Table 2 presents a variant of the list of checks that are used in further examples of the invention. In practice, more complex logical expressions containing arithmetic, bit, and other operations performed on several fields of a packet can be used as checks.

Table 3 presents a variant of the list of actions that are used in further examples of the invention. In practice, more complex operations can be used as actions, for example, initializing a packet field with a random number.

Consider embodiments of the claimed invention in accordance with the above conditions. Let us construct examples of the transformation of initial arbitrary rules into sets of primitive terminal rules equivalent to them. The examples demonstrate the principles on which the operation of the converter for implementing the method is based.

Example 1 (tables 4 and 5) - a set of source rules contains one nonterminal rule (with the LOG action).

It is easy to see that rule No. 1 from table 4 was converted into rules No. 1 and 2 in table 5. Moreover, rule No. 1 from table 5 is a combination of rules No. 1 and 2 from table 4, and rule No. 2 from table 5 is a combination rules No. 1 and 3 from table 5.

Example 2 (tables 6 and 7) - a set of source rules contains one nonterminal rule that changes the order of applying the rules to a package (with the JUMP action), and one nonterminal rule that changes the value of the package field (with the action MARK = MARK + X). Together, these rules form a control construct called a loop in high-level programming languages.

The condition for exiting the loop is a label value less than 100. In this case, each iteration of the loop, the label is increased by 50. Therefore, a packet cannot perform more than two iterations in a loop.

Table 7 - An equivalent set of primitive terminal rules

Analyzing the paths of the packets, it can be found that, for example, a packet with label 11 has a path consisting of rules No. 1, 2, 1, 2, 3 from table 6. Converting this path to a primitive terminal rule gives rule No. 1 from table 7.

Example 3 (tables 8 and 9) - the initial set of rules contains a non-primitive nonterminal rule (with the MARK% X = Y check and the LOG action).

Since the label can take values only from the range from 0 to 255, it is obvious that only three labels can give the number 5 as a result of dividing by 100, namely the labels with the values 5, 105 and 205. Accordingly, rule No. 1 from table 8 is converted to three rules No. 1, 2, 3 from table 9.

Thus, based on the foregoing, for implementing the method of organizing the operation of network equipment components for processing network packets, the following 4 embodiments of the invention are proposed in this technical solution.

The main embodiment of the claimed invention uses a separate hardware component - a hardware accelerator that performs the functions of conversion, storage and search of rules (Option 1). The hardware component may be implemented in software.

Emulation of a hardware component, on the one hand, minimizes the cost of introducing the claimed invention into existing network equipment, but, on the other hand, the software implementation has lower performance than hardware. As a compromise, one of the following embodiments of the invention can be used, which involves the implementation of part of the functionality in hardware, and the remaining part in software.

The circuit of FIG. 7 illustrates a method for the implementation of which a fully hardware solution is used that performs the functions of transforming, storing and searching for rules (Option 1).

An embodiment involves the presence of an additional plug-in component - hardware accelerator 703, which takes on some of the tasks associated with making decisions on further actions applied to network packet 709, thereby relieving the load from other system components, such as central processor 705, RAM 704, system buses, and so on, in particular, hardware accelerator 703 takes on the task of transforming a set of source rules 706 into a set of primitive terminal rules, the task of constructing ind KSA based on the converted rules, the task store the converted rules and regulations of the index, the query processing tasks received from the processor 705, to find the rules under which suits a given network packet 709 received from the NIC 702.

- The implementation option requires a preliminary preparatory stage 700 of the equipment. This step consists in converting the administrator’s rules to the one that is best suited for processing network packets 709 received on the network card 702. During the preliminary stage 700 of the operation of the network equipment, the central processor 705 initiates a DMA transfer of the original rules 706 from the main memory 704 to hardware accelerator 703. Hardware accelerator 703 converts these rules to a primitive terminal form and builds an index on their basis. A block diagram of a device for implementing the method is shown in FIG. 4. Upon completion of this process, hardware accelerator 703 notifies the central processor 705 by means of a hardware interrupt that it is ready to process requests.

- The implementation option assumes that the preparatory step 700 is carried out in advance, before the start of the main stage 701 of the equipment. This means that the network equipment cannot start processing network packets 709 in accordance with a given set of rules until the hardware accelerator 703 performs the necessary preparatory steps and notifies the central processor 705 of this. Such a delay is necessary, since it is for by completing the preparatory step 700, the network equipment is subsequently capable of processing network packets much faster in the main operation step 701.

- The embodiment assumes that the search for the rules for which the network packet 709 is suitable is carried out in the hardware accelerator 703. For this, the central processor 705 generates and sends a search request for the rules for the hardware accelerator 703. The request consists only of a set of fields 707 of the processed packets 709, which are found in sets of checks of the original rules. The hardware accelerator 703 searches for the rules for which the network packet 709 is suitable, using the sets of fields 707 received from the central processor 705 and the rule index constructed at the preparatory stage 700 of the equipment.

- The implementation option assumes that during the main stage 701 of the equipment from the hardware accelerator 703 to the Central processor 705 are transferred sets of actions 708 associated with the found primitive terminal rules. Since the set of actions 708 of the terminal primitive rule contains all the actions of the original rules from the path of the packet 709, the central processor 705 can immediately process the network packet 709 without accessing other components of the system, while receiving a processed network packet 710, which can be transmitted back to the network using the network adapter 702.

- The implementation option assumes that the RAM 704 is used by the processor 705 to store the rules only at a preliminary stage 700 of the equipment. During the preliminary step 700, the storage of the rules 706 in the RAM 704 is necessary for organizing their DMA transfer to the hardware accelerator 703. During the main stage 701 of the operation of the network equipment, the storage of the rules 706 in the RAM 704 is not required, since the processor 705 receives all the necessary information for processing network packets 709 directly from hardware accelerator 703.

Thus, increasing the efficiency of network equipment for processing network packets in accordance with a given configuration is achieved due to the rule index constructed at the preparatory stage 700. The rule index is a more convenient form of representing terminal rules for a more efficient search; the search time in the rule index is limited from above by a relatively small fixed time. An increase in the throughput of network equipment is due to the fact that the search time in the constructed index does not depend on the number of rules in the configuration of network equipment. Only the inspected fields of the network packet are taken into account, the number of which is constant throughout the operation of the network equipment.

The circuit of FIG. 8 illustrates a method for the implementation of which a hardware solution is used that performs the functions of transforming and searching for rules, storing the source and primitive terminal rules in RAM (Option 2).

An embodiment involves the presence of an additional plug-in component - hardware accelerator 803. Hardware accelerator 803 takes on some of the tasks associated with processing network packets 811, thereby relieving the load from other system components, such as central processor 805, RAM 804, system buses, and etc. In particular, hardware accelerator 803 takes on the task of transforming the set of source rules 806 into a set of primitive terminal rules 807, the task of constructing an index based on the converted rules, the task of storing the index of rules, the task of processing requests from the processor 805, to find the rules under which matches the given network packet 811.

- The implementation option requires a preliminary preparatory stage 800 of the equipment. This step consists in converting the administrator rules to the type that is best suited for processing network packets 811 received on the network card 802. During the preparatory stage 800 of the network equipment, the central processor 805 initiates a DMA transfer of the original rules 806 from the main memory 804 to hardware accelerator 803. Hardware accelerator 803 converts these rules 806 to a primitive terminal form and builds an index on their basis. Upon completion of this process, hardware accelerator 803 notifies prices 805-sectoral processor through hardware interrupt its willingness to process requests. The central processor 805 initiates the reverse DMA transfer of the rules 807, already converted to the primitive terminal form, from the hardware accelerator 803 to the RAM 804.

- The implementation option assumes that the preparatory stage 800 is carried out in advance, before the start of the main stage 801 of the equipment. This means that the network equipment cannot start processing network packets 811 in accordance with a given set of rules until the hardware accelerator 803 performs the necessary preparatory actions and notifies the central processor 805 of this. Such a delay is necessary, since it is for by completing the preparatory step 800, the network equipment is subsequently capable of processing network packets 811 much faster in the main operation step 801.

- The embodiment assumes that the search for the rules for which the network packet 811 is suitable is carried out in the hardware accelerator 803. For this, the central processor 805 generates a search request for the rules for the hardware accelerator 803. The request consists of only a set of fields 808 of the processed packets 811 that are encountered in the sets of checks of the initial rules 806. The hardware accelerator 803 searches for the rules for which the network packet 811 is suitable, using the obtained sets of fields 808 and the rule index constructed at the preparatory stage 800 r bots equipment.

- The embodiment assumes that during the main operation stage 801, from the hardware accelerator 803, only the numbers 809 of the primitive terminal rules are passed to the processed packets 811. Using these rule numbers 809, the central processor 805 calculates the positions of the action sets 810 associated with the found primitive terminal rules in random access memory 804 and requests them. Having received the action sets 810, the central processor 805 applies them to the network packets 811, while receiving processed network packets 812, which are then sent to the network by the network adapter 802.

- The embodiment assumes that the RAM 804 is used by the processor 805 to store both the original 806 and the primitive terminal rules 807. Storing the rules in the RAM 804 allows you to simplify the design of the hardware accelerator 803, however, it requires additional treatment associated with transferring the action sets 810 to each network packet 811 to RAM 804 from the central processor 805 during the main operation 801.

Thus, increasing the efficiency of network equipment for processing network packets in accordance with a given configuration is achieved due to the rule index constructed at the preparatory stage 800. The rule index is a more convenient form of representing terminal rules for a more efficient search; the search time in the rule index is limited from above by a relatively small fixed time. An increase in the throughput of network equipment is due to the fact that the search time in the constructed index does not depend on the number of rules in the configuration of network equipment. Only the inspected fields of the network packet are taken into account, the number of which is constant throughout the operation of the network equipment.

The circuit of FIG. 9 illustrates a method for the implementation of which a hardware solution is used that performs the functions of only rule translation (Option 3).

- The implementation option involves the presence of an additional plug-in component - hardware accelerator 903. Hardware accelerator 903 takes on some of the tasks associated with processing network packets 906, thereby relieving the load from other system components, such as central processor 905, random access memory 904, system buses etc. In particular, hardware accelerator 903 takes on the task of transforming a set of source rules 907 into a set of primitive terminal rules 908.

- The implementation option requires a preliminary preparatory stage 900 of the equipment. This stage consists in converting the administrator rules to the type that is best suited for processing network packets 906. During the preliminary preparatory stage 900 for the operation of network equipment, the central processor 905 initiates DMA — the transfer of the original rules 907 from random access memory 904 to hardware accelerator 903. Hardware the accelerator 903 converts these rules to a primitive terminal form 908 and notifies the central processor 905 through a hardware interrupt. The central processor 905 initiates a DMA reverse transfer of the already converted rules 908 from the hardware accelerator 903 to the main memory 904. Then, the central processor 905 constructs an index 909 of terminal primitive rules 908 in the main memory 904.

- The implementation option assumes that the preparatory phase 900 is carried out in advance, before the start of the main stage 901 of the equipment. This means that the network equipment cannot start processing network packets 906 in accordance with a given set of rules 907 until the hardware accelerator 903 performs the necessary preparatory actions and notifies the central processor 905 of this. Such a delay is necessary, since due to the implementation of the preparatory stage 900, the network equipment is subsequently capable of processing network packets 906 much faster at the main operation stage 901.

- The embodiment assumes that the search for the rules for which the network packet 906 is suitable is carried out by the interaction of the processor 905 and the RAM 904. For this, the central processor 905 forms a set of fields 910 of the processed packets 906 and uses them as a key for the rule index 909 constructed at the preparatory stage 900 equipment operation and stored in random access memory 904.

- The implementation option assumes that during the main stage 901 of the equipment between the hardware accelerator 903 and RAM 904 data transfer is absent. Since the rule index 909 is stored in RAM 904, the central processor 905 also obtains the numbers of the found rules 911 from the RAM 904. Using these 911 rule numbers, the CPU 905 calculates the positions of the action sets 912 associated with the found primitive terminal rules 908 in the RAM 904 and asks for them. After receiving the action sets 912, the central processor 905 applies them to the network packets 906, while receiving processed network packets 913, which are then sent to the network by the network adapter 902.

- The embodiment assumes that the RAM 904 is used by the processor 905 to store the original rules 907, the converted rules 908, and to store the index of the rules 909. Storing the rules in the RAM 904 simplifies the design of the hardware accelerator 903, however, it requires several additional calls for each network packet 906 to RAM 904 from the side of the central processor 905 during a milestone 901.

Thus, an increase in the efficiency of network equipment for processing network packets in accordance with a given configuration is achieved due to the rule index 909 constructed at the preparatory stage 900. The rule index 909 is a more convenient form of representing terminal rules for more efficient search, the search time in the rule index is limited from above relatively short fixed time. An increase in the throughput of network equipment is due to the fact that the search time in the constructed index does not depend on the number of rules in the configuration of network equipment. Only the inspected fields of the network packet are taken into account, the number of which is constant throughout the operation of the network equipment.

The circuit of FIG. 10 illustrates a method in which a fully software solution is used (Option 4).

An embodiment involves reducing the number of additional plug-in hardware components.

- An implementation option involves the presence of a preliminary preparatory stage 1000 of equipment operation. This step consists in converting the administrator’s rules to the type that is best suited for processing network packets 1005 by the network adapter 1002. During the preliminary preparatory stage 1000 of the operation of the network equipment, the central processor 1004 converts the original rules 1006 to a primitive terminal form and builds in random access memory 1003 index 1008 of terminal primitive rules 1007.

- The implementation option assumes that the preparatory stage 1000 is carried out in advance, before the start of the main stage 1001 of the equipment. This means that the network equipment cannot begin processing network packets 1005 in accordance with a predetermined set of rules 1006 until the central processor 1004 performs the necessary preparatory steps. Such a delay is necessary, since it is precisely due to the implementation of the preparatory stage 1000 that the network equipment is capable of subsequently processing network packets 1005 much faster at the main operation stage 1001.

- The embodiment assumes that the search for the rules for which the network packet 1005 fits is carried out by the interaction of the processor 1004 and RAM 1003. For this, the central processor 1004 forms a set of fields 1009 of the processed packets and uses them as a key for the rule index 1008, built on preparatory stage 1000 of the equipment and stored in RAM 1003.

- The embodiment assumes that during the main operation stage 1001 of the equipment, data is transferred only between the central processor 1004 and the main memory 1003. Since the index of rules 1008 is stored in the main memory 1003, the numbers of the found rules 1010 are also received by the central processor 1004 from the main memory 1003 Using these rule numbers 1010, the CPU 1004 calculates the positions of the action sets 1011 associated with the found primitive terminal rules 1007 in the RAM 1003 and the Shiva them. Having received the action sets 1011, the central processor 1004 applies them to the network packets 1005, while receiving processed network packets 1012, which are then sent to the network by the network adapter 1002.

- An embodiment assumes that the RAM 1003 is used by the processor 1004 to store the original rules 1006, the converted rules 1007 and to store the index of the rules 1008. Storing the rules 1006 and 1007 and the index of the rules 1008 in RAM 1003 and the conversion of the original rules 1006 to a primitive terminal form using the central processor 1004 allows you to completely remove the need for a hardware accelerator, however, it increases the time taken to complete the preparatory stage 1000 of equipment operation, and requires no waged on additional requests for each network packet 1005 to the RAM 1003 by the CPU 1004 during the main stage of operation in 1001.

Thus, an increase in the efficiency of network equipment for processing network packets in accordance with a given configuration is achieved due to the rule index 1008 constructed at the preparatory stage 1000. The rule index 1008 is a more convenient form of representing terminal rules for more efficient search, the search time in the rule index is limited from above relatively short fixed time. An increase in the throughput of network equipment is due to the fact that the search time in the constructed index does not depend on the number of rules in the configuration of network equipment. Only the inspected fields of the network packet are taken into account, the number of which is constant throughout the operation of the network equipment.

Thus, with the help of this invention, it is possible to solve the problem, which consists in developing a method for the processor to interact with other system components, leading to an increase in the number of network packets that can be transferred from one segment of the network to another in a unit of time, while observing the security policy, set by the network administrator.

Moreover, the method does not require the use of new configuration tools from the network equipment administrator and does not require replacement or modification of existing system components.

The technical result is achieved through the implementation of a method for organizing the interaction of network equipment components, which for a given network packet eliminates loading into the processor those rules that this package cannot match, and ensures that only the rules that this package is suitable for are downloaded, minimizing the number of data transfers between the central processor and other components of the system. That is, a significant increase in the throughput of network equipment with a given configuration, which is located at the boundary of network segments, is provided.

Sources of information

1. Madhi D., Ramasamy K., 2007, "Network routing algorithms, protocols, and architectures", Morgan Kaufmann, USA, pp. 1-957.

2. Varghese G., 2005, "Network Algorithmics An Interdisciplinary Approach to Designing Fast Networked Devices", Morgan Kaufmann, USA. p. 1-491.

3. Patent RU 2 589 340 C2, IPC H04L 12/70, 07/10/2016. - Network system and method for obtaining VLAN tag data.

4. Patent RU 2 628 476 C1, IPC H04L 12/70, 08/17/2017. A switching device, a controller, a method for configuring a switching device, and a method and system for processing a packet.

5. Patent RU 2 609 086 C2, IPC H04L 12/70, 01/30/2017. - Network packet forwarding device (options), a method for configuring a network packet forwarding device (options), and a packet forwarding method.

6. Patent RU 2 554 543 C2, IPC H04L 12/00, H04L 12/70, 06/27/2015. - Communication unit, communication system, communication method and recording medium.

Claims (23)

1. The method of organizing the operation of network equipment components for processing network packets, implemented using a fully hardware solution that performs the functions of converting, storing and searching for the rules necessary for processing network packets according to a given set of packet fields, the method includes the following: hardware the accelerator 703 converts the set of source rules 706 into a set of primitive terminal rules, builds an index of rules to determine the position of the desired rule in the buffer of primitive terminal rules, storing the transformed rules and the index of rules, processing requests from the processor 705 to find the rules for which the given network packet 709 is suitable, while the request uses a set of fields 707 of the processed packets, a set of actions is used as the response to the request 708, associated with the found primitive terminal rules, the application of which to the packet gives a processed network packet 710. 2. The method according to claim 1, in which: a preliminary preparatory step 700 of the network equipment for converting administrator rules is performed, the central processor 705 initiates a DMA transfer of the original rules 706 from the RAM 704 to the hardware accelerator 703, the hardware accelerator 703 converts these rules to a primitive terminal form and builds an index on their basis and notifies the central processor 705 by means of a hardware interrupt about its readiness to process requests. 3. The method according to p. 1, in which: the preparatory step 700 is performed in advance, before the main stage 701 of the equipment, the network equipment performs processing of network packets 709 in accordance with a given set of rules after the hardware accelerator 703 performs the necessary preparatory action and reports this to the central processor 705. 4. The method according to claim 1, in which: the search for the rules for which the network packet 709 is suitable is carried out in the hardware accelerator 703, for this the central processor 705 generates and sends a search request for the rules for the hardware accelerator 703, the request consists only of a set of fields 707 processed packets 709, which are found in sets of checks of the original rules, hardware accelerator 703 searches for the rules for which the network packet 709 fits, using the sets of fields 707 received from the central processor 705 and the rule index built on preparatory phase 700 equipment operation. 5. The method according to p. 1, in which: during the main stage 701 of operation of the equipment, sets of actions 708 associated with the found primitive terminal rules are transferred from the hardware accelerator 703 to the central processor 705, since the set of actions 708 of the terminal primitive rule contains all the actions the original rules from the packet path 709, the central processor 705 can immediately process the network packet 709 without resorting to other components of the system, while receiving a processed network packet 710, which can be transmitted of inverse to the network using a network adapter 702. 6. The method according to p. 1, in which: the RAM 704 is used by the processor 705 to store the rules only at the preliminary stage 700 of equipment operation, during the preliminary stage 700 the storage of the rules 706 in the RAM 704 is necessary for organizing their DMA transfer to the hardware accelerator 703, during the main stage 701 of the operation of network equipment, the storage of rules 706 in RAM 704 is not required, since the processor 705 receives all the necessary information for processing network packets 709 directly from the hardware will accelerate A 703. 7. A method of organizing the operation of components of network equipment for processing network packets, implemented using a hardware solution that performs the functions of converting and searching for rules, storing in RAM the original and primitive terminal rules necessary for processing network packets according to a given set of packet fields, in which an additional plug-in component - hardware accelerator 803 converts a set of source rules into a set of primitive terminal rules, constructs an index of rules for To determine the position of the desired rule in the buffer of primitive terminal rules, store the rule index, process requests received from the processor 805, search for the rules that the given network packet 811 executes, while the query uses a set of fields 808 of the processed packets as a response to the request the rule numbers 809 are used, which can be used to obtain a set of actions 810, the application of which to the packet gives a processed network packet 812. 8. The method according to claim 7, in which it is assumed that there is a preliminary preparatory stage 800 for the operation of the equipment, which consists in converting administrator rules, while during the preparatory stage 800 for the operation of network equipment, the central processor 805 initiates a DMA transfer of the original rules 806 from the RAM 804 into hardware accelerator 803, which converts these rules 806 to a primitive terminal form and builds an index on their basis, upon completion of this process, hardware accelerator 803 notifies the central second processor 805 through a hardware interrupt its willingness to process requests, the CPU 805 initiates reverse DMA-forwarding is already converted to a primitive form of the terminal 807 of the rules of the hardware accelerator 803 into the RAM 804. 9. The method of claim 7, wherein the preparatory step 800 is performed well in advance of the start of the main operation step 801 of the equipment, which means that the network equipment starts processing network packets 811 in accordance with a predetermined set of rules after the hardware accelerator 803 executes necessary preparatory actions and will notify the central processor 805 of this. 10. The method according to claim 7, in which the search for the rules for which the network packet 811 is suitable is carried out in the hardware accelerator 803, for this the central processor 805 generates a search request for the rules for the hardware accelerator 803, the request consists only of a set of fields 808 of the processed packets 811, which are found in the sets of checks of the original rules 806, the hardware accelerator 803 searches for the rules for which the network packet 811 fits, using the obtained sets of fields 808 and the rule index built at the preparatory stage 800 is equipped and I. 11. The method according to claim 7, in which during the main operation stage 801 the hardware from the hardware accelerator 803 are transmitted to the central processor 805 only the numbers 809 of the primitive terminal rules, which processed packets 811 came up using these rule numbers 809, the central processor 805 calculates the position of the action sets 810 associated with the found primitive terminal rules in the RAM 804, and requests them, having received the action sets 810, the central processor 805 applies them to the network packets 811, receiving brabotannye network packets 812, which are then sent to the network the network adapter 802. 12. The method of claim 7, wherein the RAM 804 is used by the processor 805 to store both the source 806 and the primitive terminal rules 807. 13. A method of organizing the operation of components of network equipment for processing network packets, implemented using a hardware solution that performs the function of only converting rules, storing in RAM the original and primitive terminal rules necessary for processing network packets according to a given set of packet fields, and performing a search rules through the interaction of the central processor and RAM, in which an additional plug-in component - hardware accelerator 903 during preparatory About the stage carries out the transformation of the set of source rules 907 into a set of primitive terminal rules 908. 14. The method according to p. 13, in which it is assumed that there is a preliminary preparatory stage 900 for the operation of the equipment, which consists in converting the rules of the administrator, while during the preliminary preparatory stage 900 for the operation of the network equipment, the central processor 905 initiates a DMA transfer of the original rules 907 from the RAM 904 into a hardware accelerator 903, which converts these rules to a primitive terminal form 908 and notifies the central processor 905 by hardware interrupt, the trailing processor 905 initiates the reverse DMA transfer of the already transformed rules 908 from the hardware accelerator 903 to the main memory 904, then the central processor 905 builds in the main memory 904 an index 909 of terminal primitive rules 908, designed to quickly determine the position of the desired rule in the transformed rules buffer. 15. The method according to p. 13, in which the preparatory step 900 is performed in advance, before the start of the main stage 901 of the equipment, while the network equipment starts processing network packets 906 in accordance with a given set of rules 907 after the hardware accelerator 903 performs the necessary preparatory actions and will inform the central processor 905 about this. 16. The method according to p. 13, in which the search for the rules for which the network packet 906 is suitable is carried out by the interaction of the processor 905 and RAM 904, for this the central processor 905 generates a set of fields 910 of the processed packets 906 and uses them as a key for the index rule 909, built at the preparatory stage 900 of the equipment and stored in random access memory 904. 17. The method according to p. 13, in which during the main stage 901 of operation of the equipment between the hardware accelerator 903 and the random access memory 904 there is no data transfer, since the rule index 909 is stored in the random access memory 904, the central processor 905 also obtains the numbers of the found rules 911 from RAM 904, using these rule numbers 911, the central processor 905 calculates the positions of the action sets 912 associated with the found primitive terminal rules 908 in the RAM 904, and queries them for the action sets 912, the central processor 905 applies them to the network packets 906, while receiving processed network packets 913, which are then sent to the network by the network adapter 902. 18. The method according to p. 13, in which the RAM 904 is used by the processor 905 to store the original rules 907, the converted rules 908 and to store the index of the rules 909, while the rules are stored in RAM 904 and additional access to the RAM 904 from CPU 905 during milestone 901. 19. A method of organizing the operation of network equipment components for processing network packets without using a hardware accelerator in which the preliminary preparatory stage 1000 of the equipment is performed, administrator rules are converted and network packets 1005 are processed by the network adapter 1002, during the preliminary preparatory stage 1000 of the network equipment operation processor 1004 converts the original rules 1006 to a primitive terminal form and builds index 1 in RAM 1003 008 terminal primitive rules 1007, designed to quickly determine the position of the desired rule in the buffer of primitive terminal rules. 20. The method according to p. 19, in which the preparatory stage 1000 is performed in advance, before the main stage 1001 of the equipment, and the network equipment starts processing network packets 1005 in accordance with a given set of rules 1006 after the central processor 1004 performs the necessary preparatory actions. 21. The method according to p. 19, in which the search for the rules for which the network packet 1005 is suitable is carried out by the interaction of the processor 1004 and RAM 1003, for this the central processor 1004 forms a set of fields 1009 of the processed packets and uses them as a key for the rule index 1008, built at the preparatory stage 1000 of the equipment and stored in random access memory 1003. 22. The method according to p. 19, in which during the main stage 1001 of operation of the equipment, data is transferred only between the central processor 1004 and the main memory 1003, since the index of rules 1008 is stored in the main memory 1003, the central processor 1004 also receives the numbers of the found rules 1010 from random access memory 1003, using these rule numbers 1010, the central processor 1004 calculates the positions of the action sets 1011 associated with the found primitive terminal rules 1007 in the random access memory 1003 and requests them, semi Having completed the action sets 1011, the central processor 1004 applies them to the network packets 1005, while receiving processed network packets 1012, which are then sent to the network by the network adapter 1002. 23. The method according to p. 19, in which the RAM 1003 is used by the processor 1004 to store the original rules 1006, the converted rules 1007 and to store the index of the rules 1008 and the conversion of the original rules 1006 to a primitive terminal form is performed using the central processor 1004.

Images