Message IP address matching circuit and method
Technical Field
The invention relates to the field of network message data processing, in particular to a message IP address matching circuit and a message IP address matching method.
Background
The IP Address (Internet Protocol Address) is a unified Address format provided by the IP Protocol, and it allocates a logical Address to each network and each host on the Internet, so as to mask the difference of physical addresses. The IP message usually contains information such as message source IP and destination IP, and can realize message rule forwarding or storage by comparing and matching with IP address information in the strategy.
As a necessary step of network message data exchange, message IP address matching has a great influence on hardware resource occupation and processing time consumption, and the comparison and matching efficiency of the IP addresses influences the whole message processing and the operation of each subsequent module. In general, an IP address in a policy has more bits, occupies a part of bandwidth and hardware circuit in a comparison and matching process, has a large data redundancy, and additionally occupies a certain storage resource.
Disclosure of Invention
Aiming at the requirements and the defects of the prior art development, the invention provides a message IP address matching circuit and a message IP address matching method.
The invention discloses a message IP address matching circuit and a method, which solve the technical problems and adopt the following technical scheme: the message IP address matching circuit adopts a Hash mapping method and is simultaneously provided with two stages of judgment modules to form flow multiplexing, thereby realizing the rapid and efficient comparison matching operation of the message IP address represented by a subnet mask form or a start-stop address form; the message IP address matching circuit comprises a hash processing module, a hash collision module, an IP rule hash storage module, a primary judgment module, a mode one matching module, a mode two matching module and a secondary judgment module;
the hash processing module is used for performing hash operation processing on the high 16-bit part of the source IP address and the high 16-bit part of the destination IP address in the strategy, and outputting the obtained result to the hash collision module; meanwhile, carrying out hash operation processing on the high 16-bit part of the IP address and the high 16-bit part of the target IP in the real-time message, and outputting the obtained result to the hash collision module;
the hash collision module is used for identifying and recording the hash result which conflicts in the strategy, and outputting the hash result to the IP rule hash storage module; at the same time, the hash result with conflict in the message is identified and recorded, and the output is sent to the primary judgment module;
the IP rule hash storage module is used for storing hash results of high-order IP addresses in the strategy and sending the storage contents of the corresponding addresses to the primary judgment module according to the hash results;
the primary judging module is used for comparing the strategy IP address subjected to the hash processing with the real-time message IP address, if the items are matched, the result is respectively sent to the mode one matching module or the mode two matching module through mode selection, and if the items are not matched, the unmatched mark is directly output;
the first pattern matching module is used for comparing and matching the IP addresses expressed by the first pattern mode; the second pattern matching module is used for comparing and matching the IP addresses represented by the second pattern mode; the output results of the two are sent to a secondary judgment module;
and the secondary judging module is used for integrating the preceding stage result and sending the result into the hash processing module or outputting the result according to whether the message has the bidirectional IP address.
A message IP address matching method is specifically realized by the following steps:
firstly, a high-order IP address in the strategy is processed by Hash operation and Hash collision, and is stored into an IP rule Hash storage module together with a low-order IP address, an IP address mode, a subnet mask or a termination IP address and a processing strategy for primary judgment;
secondly, the IP address in the real-time message is processed by Hash operation and Hash collision, compared with the data in the IP rule Hash storage module by a primary judgment module, and sent to a mode one matching module or a mode two matching module for comparison and matching according to different IP address modes;
and thirdly, sending the results of the two mode matching modules in the second step into a second-stage judging module, and repeating the second step according to whether the message is a bidirectional IP address, a switching source IP address and a destination IP address or outputting the matching result to a later stage to finish the IP matching of the message.
Compared with the prior art, the message IP address matching circuit and the method have the beneficial effects that: the invention reduces the number of synchronization bits required to be compared by the IP address and improves the time sequence by adopting a Hash mapping method; meanwhile, two stages of judgment modules are arranged to form flow multiplexing, hardware resources are saved, and fast and efficient comparison matching operation can be carried out on the message IP addresses represented in the form of subnet masks or start and stop addresses.
Drawings
Fig. 1 is a schematic block diagram of a message IP address matching circuit.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more clearly understood, the following describes a packet IP address matching circuit and method in detail with reference to specific embodiments.
Example (b):
in the packet IP address matching circuit described in this embodiment, a hash mapping method is adopted, and two stages of determination modules are simultaneously arranged to form pipeline multiplexing, so that a fast and efficient comparison matching operation is performed on a packet IP address represented in a subnet mask form or a start-stop address form.
As shown in fig. 1, the packet IP address matching circuit includes a hash processing module, a hash collision module, an IP rule hash storage module, a primary determination module, a mode one matching module, a mode two matching module, and a secondary determination module.
The hash processing module is used for performing hash operation processing on the high 16-bit part of the source IP address and the high 16-bit part of the destination IP address in the strategy, and storing the obtained result into the IP rule hash storage module through the hash collision module for primary judgment; and simultaneously, carrying out hash operation processing on the high 16-bit part of the IP address and the high 16-bit part of the target IP in the real-time message, and outputting the obtained result to the hash collision module.
The packet IP address matching circuit described in this embodiment implements a hash mapping circuit by using an MD5 algorithm.
The hash collision module is used for identifying and recording the hash result which conflicts in the strategy, and outputting the hash result to the IP rule hash storage module; and simultaneously, identifying and recording the hash result with conflict in the message, and outputting the hash result to the primary judgment module.
The hash collision module adopts a double-port RAM with the depth of 16 as a basic circuit of the hash collision circuit, and records and processes a collision hash result.
And the IP rule hash storage module is used for storing the hash result of the high-order IP address in the strategy and sending the storage content of the corresponding address to the primary judgment module according to the hash result.
The primary judging module is used for comparing the strategy IP address subjected to the hash processing with the real-time message IP address, if the items are matched, the result is respectively sent to the mode one matching module or the mode two matching module through mode selection, and if not, the unmatched mark is directly output.
The first pattern matching module is used for comparing and matching the IP addresses expressed by the first pattern mode; the second pattern matching module is used for comparing and matching the IP addresses represented by the second pattern mode; the output of the two is sent to a secondary judgment module.
And the secondary judging module is used for integrating the preceding stage result and sending the result into the hash processing module or outputting the result according to whether the message has the bidirectional IP address.
The mode selection in the primary judging module comprises a mode I and a mode II, wherein the mode I indicates that the current IP address is represented by using an IP address and a subnet mask mode; the mode two-finger uses the starting IP address and the ending IP address mode to represent the current IP address.
And the mode one matching module compares and matches the strategy IP address jointly determined by the low 16-bit IP address and the low 16-bit subnet mask and the real-time message IP address jointly determined by the low 16-bit IP address and the low 16-bit subnet mask.
And the mode-one matching module adopts a method of judging whether the two numbers are 0 or not according to the bitwise XOR to carry out size comparison.
The pattern two matching module firstly compares and matches the high 8 bits of the low 16 bits of the real-time message IP address with the corresponding bits of the strategy IP initial address, and then compares and matches the low 8 bits of the low 16 bits of the real-time message IP address with the corresponding bits of the strategy IP termination address, so that the number of synchronous bits in each time can be reduced, and the time sequence is improved.
Through the message IP address matching circuit, a message IP address matching method is realized, and the specific realization process of the message IP address matching method is as follows:
firstly, a high-order IP address in the strategy is processed by Hash operation and Hash conflict, and is stored into an IP rule Hash storage module together with a low-order IP address, an IP address mode, a subnet mask or a termination IP address and a processing strategy;
secondly, the IP address in the real-time message is processed by Hash operation and Hash collision, compared with the data in the IP rule Hash storage module by a primary judgment module, and sent to a mode one matching module or a mode two matching module for comparison and matching according to different IP address modes;
and thirdly, sending the results of the two mode matching modules in the second step into a second-stage judging module, and repeating the second step according to whether the message is a bidirectional IP address, a switching source IP address and a destination IP address or outputting the matching result to a later stage to finish the IP matching of the message.
The above embodiments are only specific examples of the present invention, and the scope of the present invention includes but is not limited to the above embodiments, and any suitable changes or substitutions that are consistent with the claims of the present invention and are made by those skilled in the art should fall within the scope of the present invention.