CN109450811B - Flow control method and device and server - Google Patents


Info

Publication number: CN109450811B
Authority: CN (China)
Prior art keywords: action, flow, flow table, forwarded, flag value
Legal status: Active (the legal status is an assumption and is not a legal conclusion)
Application number: CN201811450342.8A
Other languages: Chinese (zh)
Other versions: CN109450811A (en)
Inventors: 王剑, 唐强, 金凯斌
Current Assignee: New H3C Cloud Technologies Co Ltd (the listed assignees may be inaccurate)
Original Assignee: New H3C Cloud Technologies Co Ltd
Application filed by: New H3C Cloud Technologies Co Ltd
Priority to: CN201811450342.8A
Publication of CN109450811A
Application granted; publication of CN109450811B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H04L47/24 Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L47/2441 Traffic characterised by specific attributes, e.g. priority or QoS relying on flow classification, e.g. using integrated services [IntServ]
    • H04L47/2483 Traffic characterised by specific attributes, e.g. priority or QoS involving identification of individual flows
    • H04L49/00 Packet switching elements
    • H04L49/70 Virtual switches

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a flow control method, a flow control device and a server that extend the behaviors available during traffic forwarding: controlling whether the source MAC address is learned, controlling whether the output port corresponding to the traffic to be forwarded is saved, supporting flow table jumps, and not forwarding the traffic to be forwarded in the current-stage flow table. They also support hiding these behaviors before jumping to the next flow table, so that the extended functions do not affect matching in the next flow table. On top of the flow control function of the virtual switch, this supports more flexible and richer configuration and improves the extensibility of traffic forwarding control by the virtual switch in actual service scenarios.

Description

Flow control method and device and server
Technical Field
The disclosure relates to the technical field of cloud computing, in particular to a flow control method, a flow control device and a server.
Background
To connect virtual machine networks, virtual switches (vSwitch) were created. They implement most of the functions of a physical switch in software, for example its layer-2 network functions. One virtual switch in current use is OVS (Open vSwitch, an open-source virtual switch).
After the flow tables for a virtual machine are successfully issued, the multi-stage flow tables are stored in the OVS, and the OVS controls the traffic to be forwarded by looking it up in, and matching it against, the flow tables. However, the existing OVS forwarding mode has many functional shortcomings, so in many actual service scenarios the OVS cannot offer flexible and rich configuration of flow control for virtual machines, and its extensibility is weak.
Disclosure of Invention
In order to overcome the above-mentioned deficiencies in the prior art, the present disclosure provides a flow control method, a flow control device and a server to solve or improve the above-mentioned problems.
In order to achieve the above purpose, the embodiments of the present disclosure adopt the following technical solutions:
In a first aspect, the present disclosure provides a flow control method applied to a virtual switch, where the method includes:
receiving traffic to be forwarded;
determining whether the traffic to be forwarded matches any flow table entry in a flow table of the virtual switch, where each flow table entry in the flow table includes a matching field and an action field, the matching field includes a matching condition for the traffic to be forwarded, the action field includes the execution action to perform when the traffic to be forwarded satisfies the matching condition of the matching field, and the execution action includes at least one of: a first action of whether to prohibit learning the source MAC address, a second action of whether to save the output port corresponding to the traffic to be forwarded, a third action of whether to jump to the next-stage flow table, a fourth action of whether to not forward the traffic to be forwarded in the current-stage flow table, and a fifth action of whether to hide the first to fourth actions before jumping to the next-stage flow table;
and, when the traffic to be forwarded successfully matches any flow table entry in the flow table, executing the execution action in the action field of that flow table entry.
In a second aspect, an embodiment of the present disclosure further provides a flow control apparatus, which is applied to a virtual switch, and the apparatus includes:
the receiving module is used for receiving the flow to be forwarded;
a judging module, configured to judge whether the to-be-forwarded traffic matches any one of flow table entries in a flow table of a virtual switch, where each of the flow table entries includes a matching field and an action field, the matching field includes a matching condition matching the to-be-forwarded traffic, the action field includes a corresponding execution action when the to-be-forwarded traffic satisfies the matching condition of the matching field, and the execution action includes at least one of a first action of whether to prohibit learning a source MAC address, a second action of whether to save an egress port corresponding to the to-be-forwarded traffic, a third action of whether to jump to a next-stage flow table, a fourth action of whether to not forward the to-be-forwarded traffic in a current-stage flow table, and a fifth action of whether to hide the first to fourth actions before jumping to the next-stage flow table;
and the action execution module is used for executing the execution action in the action domain in the flow table entry when the flow to be forwarded is successfully matched with any flow table entry in the flow table.
In a third aspect, an embodiment of the present disclosure further provides a server, where the server includes:
a storage medium;
a processor; and
the flow control device described above, stored in the storage medium and comprising computer executable instructions executed by the processor.
In a fourth aspect, an embodiment of the present disclosure further provides a readable storage medium, where a computer program is stored, and when the computer program is executed, the flow control method is implemented.
Compared with the prior art, the method has the following beneficial effects:
The flow control method, the flow control device and the server extend the behaviors available during traffic forwarding: controlling whether the source MAC address is learned, controlling whether the output port corresponding to the traffic to be forwarded is saved, supporting flow table jumps, and not forwarding the traffic to be forwarded in the current-stage flow table. They also support hiding these behaviors before jumping to the next flow table, so that the extended functions do not affect matching in the next flow table. On top of the flow control function of the virtual switch, this supports more flexible and richer configuration and improves the extensibility of traffic forwarding control by the virtual switch in actual service scenarios.
Drawings
To more clearly illustrate the technical solutions of the embodiments of the present disclosure, the drawings that are required to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present disclosure and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings may be obtained from the drawings without inventive effort.
Fig. 1 is a schematic view of an application scenario of a flow control method according to an embodiment of the present disclosure;
Fig. 2 is a schematic flow chart of a flow control method according to an embodiment of the present disclosure;
Fig. 3 is a schematic diagram of a virtual firewall deployment provided by an embodiment of the present disclosure;
Fig. 4 is a schematic diagram of a flow guiding rule configured for a virtual machine, provided by an embodiment of the present disclosure;
Fig. 5 is a schematic diagram of an ingress direction index table provided in an embodiment of the present disclosure;
Fig. 6 is a schematic view of flow guiding for egress direction redirection according to an embodiment of the present disclosure;
Fig. 7 is a schematic diagram of an egress direction index table provided in an embodiment of the present disclosure;
Fig. 8 is a schematic diagram of an egress port setting flow table according to an embodiment of the present disclosure;
Fig. 9 is a functional block diagram of a flow control device according to an embodiment of the present disclosure;
Fig. 10 is a block diagram of a server for implementing the flow control method according to an embodiment of the present disclosure.
Reference numerals: 100 - server; 110 - bus; 120 - processor; 130 - storage medium; 140 - bus interface; 150 - network adapter; 160 - user interface; 200 - flow control device; 210 - receiving module; 220 - judging module; 230 - action execution module.
Detailed Description
The technical solutions in the embodiments of the present disclosure will be clearly and completely described below with reference to the drawings in the embodiments of the present disclosure, and it is obvious that the described embodiments are some, but not all embodiments of the present disclosure. The components of the embodiments of the present disclosure, generally described and illustrated in the figures herein, can be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present disclosure, presented in the figures, is not intended to limit the scope of the claimed disclosure, but is merely representative of selected embodiments of the disclosure. All other embodiments, which can be derived by a person skilled in the art from the embodiments disclosed herein without making any creative effort, shall fall within the protection scope of the present disclosure.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
To better understand the technical solution of the present disclosure, an application scenario of the flow control method according to the embodiment of the present disclosure is described below. As shown in Fig. 1, a virtual switch (vSwitch) and at least one virtual machine (VM), such as virtual machines A, B and C, run on the server 100. The virtual switch contains a number of virtual ports that connect to virtual machine ports and physical ports; the virtual machine ports are on the virtual network cards of the virtual machines, and the physical ports are on a physical network card. The physical port of the physical network card on the server 100 communicates with an external physical network. A virtual port connected to a virtual network card connects to a virtual machine on the server 100 and carries the data exchanged between that virtual machine and an external network or between virtual machines. In general, one virtual switch may manage all virtual machines on one server 100 (as shown in Fig. 1), or may manage virtual machines on multiple servers 100 at once in a distributed management manner. A virtual network card is usually set on a virtual machine, and one virtual machine may have one or more virtual network cards. A virtual machine with several virtual network cards can be connected to different virtual networks.
It will be appreciated that the application scenario shown in fig. 1 is merely illustrative, and that server 100 may also include more or fewer components than shown in fig. 1, or have a different configuration than shown in fig. 1.
In the above application scenario, traffic is generally forwarded as follows. The virtual switch stores a Media Access Control (MAC) table, which records the correspondence between the MAC address of each virtual machine and the virtual port it is connected to. If virtual machine A sends traffic to virtual machine B, the virtual switch receives the traffic through virtual port A and checks whether the MAC address of virtual machine A exists in the MAC table. If it does not, the virtual switch learns the MAC address of virtual machine A and records the correspondence between that MAC address and virtual port A in the MAC table. If the MAC table is found to contain the MAC address of virtual machine B and the corresponding virtual port, the destination virtual port connected to virtual machine B, that is, virtual port B, is looked up from the destination MAC address in the traffic (that is, the MAC address of virtual machine B), and the traffic is then forwarded from virtual port B to virtual machine B.
In addition, if the MAC address of virtual machine B is found not to exist in the MAC table, a broadcast ARP request containing the destination IP is sent to each virtual machine. After receiving the broadcast ARP request, virtual machine B compares the destination IP with its own IP and, if they are the same, feeds back to the virtual switch ARP reply information containing the source MAC address of virtual machine B (for example, by unicast). The virtual switch then updates its own MAC table with the source MAC address of the ARP reply sent by virtual machine B and the corresponding virtual port (that is, virtual port B), and forwards the traffic sent by virtual machine A to virtual machine B through virtual port B as described above.
Taking the OVS as an example, when the OVS receives traffic, it matches the traffic against the entries in the flow table one by one and processes the traffic according to the action recorded in the hit entry. For example, in the application scenario shown in Fig. 1, when the OVS receives traffic sent by virtual machine A through virtual port A, the processing flow generally consists of protocol parsing, table entry lookup, and action execution. Protocol parsing means that a program analyzes the protocol header and trailer of the traffic to obtain behavior information about how the traffic was generated and transmitted, for example its time, source address, destination address, protocol version and status code. Table entry lookup searches a preset flow table using the parsed behavior information to obtain a hit entry. Finally, the action described in the hit entry is executed, for example forwarding the traffic through a specified virtual port or discarding it, which completes the processing of the traffic.
However, this forwarding mode has many defects, so in many actual service scenarios the OVS cannot offer flexible and rich configuration of flow control for virtual machines, and its extensibility is weak. For example, in the above process the OVS cannot control updates to the MAC table, that is, it cannot prohibit learning a source MAC address: whenever a MAC address is found to be absent from the MAC table, it is learned into the table, so many useless MAC addresses end up stored there. Because the storage capacity of the MAC table is limited, storing a large number of unnecessary MAC addresses degrades the overall performance of the OVS, and cleaning them up later also takes a large amount of work.
As another example, during traffic processing the OVS cannot jump between flow tables on its own; it can do so only when a flow table actively issued by the user contains an action that performs a flow table jump, which is not conducive to extending and optimizing the functions of subsequent flow tables.
Based on the above technical problems, the present inventors propose the following technical solution to solve or improve them. It should be noted that the shortcomings of the above prior-art solutions were identified by the inventors through practice and careful study; therefore, both the discovery of these problems and the solutions proposed for them in the following embodiments of the present application should be regarded as contributions made by the inventors in the course of the present application.
The flow control method shown in fig. 2, which is performed by the virtual switch shown in fig. 1, will be described in detail with reference to fig. 1. It should be understood that, in other embodiments, the order of some steps in the flow control method described in this embodiment may be interchanged according to actual needs, or some steps may be omitted or deleted. The detailed steps of the flow control method are described below.
Step S110, receiving traffic to be forwarded.
In this embodiment, the traffic to be forwarded may be traffic sent by one virtual machine to another, for example the traffic sent by virtual machine A to virtual machine B in Fig. 1. An address in the traffic to be forwarded may be an IP address, a MAC address, or another address that can uniquely identify a virtual machine. The address may include a source address, i.e., the address of the source virtual machine (Source VM), and may also include a destination address, i.e., the address of the destination virtual machine (Destination VM).
Step S120, determining whether the flow to be forwarded matches any flow table entry in the flow tables of the virtual switch.
In this embodiment, the OVS may be provided with at least two stages of flow tables, each flow table includes at least one flow table entry, each flow table entry includes a matching field and an action field, the matching field includes a matching condition matching the flow to be forwarded, and the action field includes a corresponding execution action when the flow to be forwarded satisfies the matching condition of the matching field. The executing action may include at least one of a first action of prohibiting learning the source MAC address, a second action of saving an output port corresponding to the traffic to be forwarded, a third action of jumping to a next-stage flow table, a fourth action of not forwarding the traffic to be forwarded at the current-stage flow table, and a fifth action of hiding the first to fourth actions before jumping to the next-stage flow table.
After receiving the traffic to be forwarded, the virtual switch performs protocol analysis on the traffic to be forwarded first, and may analyze a protocol header and a protocol trailer of the traffic to be forwarded to obtain behavior information of the traffic to be forwarded in a generation and transmission process, for example, time, a source address, a destination address, a protocol version, a status code, and the like of the traffic. And then, searching a preset flow table according to the analyzed behavior information, matching the behavior information with each matching domain of each flow table entry in the flow table, and obtaining the flow table entry matched with the behavior information when the matching is successful.
Step S130, when the flow to be forwarded is successfully matched with any flow entry in the flow table, executing an execution action in the action domain in the flow entry.
In one embodiment, if the action field in the matched flow entry includes a first action, the value of a first preset flag bit of the register is set as a flag value corresponding to the first action, and the virtual switch does not learn the source MAC address in the traffic to be forwarded according to the set flag value.
In another embodiment, if the action domain in the matched flow entry includes the second action, the value of the second preset flag bit of the register is set to the flag value corresponding to the second action, and the virtual switch is caused to store the egress port corresponding to the traffic to be forwarded in the register according to the set flag value.
In another embodiment, if the action field in the matched flow entry includes a third action, the value of a third preset flag bit of the register is set to a flag value corresponding to the third action, and the virtual switch is caused to jump to a next-stage flow table according to the set flag value to match the to-be-forwarded traffic.
In another embodiment, if the action field in the matched flow table entry includes a fourth action, the value of a fourth preset flag bit of the register is set to a flag value corresponding to the fourth action, and the virtual switch does not forward the traffic to be forwarded in the traffic processing process of the current-stage flow table according to the set flag value.
In another embodiment, if the action field in the matched flow table entry includes a fifth action, the value of the fifth preset flag bit of the register is set as the flag value corresponding to the fifth action, and the virtual switch is enabled to hide the flag value corresponding to the first action, the second action, the third action, or the fourth action included in the action field in the current-stage flow table in the register before jumping to the next-stage flow table according to the set flag value.
It will be appreciated that the action field in a matched flow entry may include multiple execution actions at the same time. For example, when the action field in the matched flow table entry includes the first, second, third, fourth and fifth actions together, the value of each preset flag bit in the register is set to the flag value corresponding to the first, second, third, fourth and fifth action respectively. According to the set flag values, the virtual switch does not learn the source MAC address in the traffic to be forwarded, stores the output port corresponding to the traffic to be forwarded in the register, does not forward the traffic to be forwarded while processing the current-stage flow table, jumps to the next-stage flow table to match the traffic to be forwarded, and hides the flag values corresponding to these actions in the register before jumping to the next-stage flow table.
Alternatively, the flag values of the first, second, third, fourth and fifth actions may be stored in a certain storage area (for example, reg0) of the register of the virtual switch. For example, in an alternative embodiment, the flag values Flag corresponding to the first to fifth actions may be stored as binary bits in reg0, and the setting information for the flag value of each execution action is shown by way of example in Table 1:
[Table 1 is an image in the original publication and is not reproduced here.]
Table 1: Setting table of each flag value Flag
Illustratively, the setting positions of the storage of the Flag values Flag of the respective execution actions in the reg0 of the register are shown in table 2:
Flag value    | Storage location
no learn      | First bit of Reg0
save outport  | Second bit of Reg0
goto next     | Third bit of Reg0
no output     | Fourth bit of Reg0
stash         | Fifth bit of Reg0
Table 2: Storage location table of the flag values Flag
In this way, the virtual switch executes different actions according to how the Flag of each execution action is set. When the Flag values of all execution actions are set to 0, none of the corresponding actions is executed; conversely, when the Flag of an execution action is set to 1, that action is executed. For example, if the action field in the matching flow table entry includes the first action, the first bit in reg0 of the register is set to 1, i.e., the source MAC address of the traffic to be forwarded is not learned. When the first bit in reg0 of the register is set to 0, the source MAC address of the traffic to be forwarded needs to be learned.
It should be noted that, because the value of Flag must be set according to the user's configuration before the flow table processing flow is entered, Flag must be stored in the eight 32-bit Regx registers reserved in the OVS and cannot be stored anywhere else, which prevents users from setting it arbitrarily.
In addition, in the multi-stage flow table design, when the traffic to be forwarded needs security protection, the identification information VFW_id of a Virtual Firewall (VFW) and the port numbers out_port of some virtual ports need to be stored. As an implementation, this embodiment again uses the Regx registers to store these extension values. The specific design is shown in Table 3.
Register area | Stored value
Reg1[1..16]   | out_port
Reg2          | VFW_id
Table 3: Multi-stage flow table extended value storage table
Here out_port is the egress port number. In OVS the egress port number generally has sixteen bits, so sixteen bits of Regx are used, and the first 16 bits of Reg1 can store the port number. VFW_id is the identification information of the virtual firewall, and Reg2 may be used to store it. Thus, in the multi-stage flow table, Reg1 represents the port number, and Reg2 represents the VFW_id value of the virtual firewall set by the user, including the VFW_id set by the virtual machine and the VFW_id of the virtual firewall itself.
On this basis, assume that virtual machine A sends traffic L to virtual machine B, that the first-stage flow table is Table1 and that the second-stage flow table is Table2. The matching priority of Table1 is higher than that of Table2: traffic L is first matched against each flow table entry of Table1, and is matched against the flow table entries of Table2 only when that matching fails. This is explained further below with reference to the application scenario shown in Fig. 1.
If the action field in the flow table entry of Table1 matched by traffic L includes the first action, the flag value on the first bit (first preset flag bit) of Reg0 in the register is set to 1, and the source MAC address in traffic L is not learned according to the set flag value 1.
If the action field in the flow table entry of Table1 matched by traffic L includes the second action, the flag value on the second bit (second preset flag bit) of Reg0 in the register is set to 1, and the output port corresponding to traffic L, that is, the port number out_port of virtual port B connected to virtual machine B, is saved in Reg1[1..16] of the register according to the set flag value 1.
If the action field in the flow table entry of Table1 matched by traffic L includes the third action, the flag value on the third bit (third preset flag bit) of Reg0 in the register is set to 1, and processing jumps to Table2 to match traffic L according to the set flag value 1.
If the action field in the flow table entry of Table1 matched by traffic L includes the fourth action, the flag value on the fourth bit (fourth preset flag bit) of Reg0 in the register is set to 1, and traffic L is not sent in Table1 according to the set flag value 1.
If the action field in the flow table entry of Table1 matched by traffic L includes the fifth action, the flag value on the fifth bit (fifth preset flag bit) of Reg0 in the register is set to 1, and the flag value corresponding to the first, second, third or fourth action included in the action field of Table1 is hidden according to the set flag value 1. That is, the flag values of 1 on the first, second, third and fourth bits of Reg0 are hidden before jumping to the next-stage flow table Table2, and are restored after returning from Table2.
Specifically, hiding the flag value corresponding to the first, second, third or fourth action included in the action field of Table1 according to the set flag value 1 may be implemented as follows: before jumping to the next-stage flow table Table2, a flag value that is 1 on the first, second, third or fourth preset flag bit is temporarily set to 0; after returning from Table2 to the current-stage flow table Table1, each of these flag bits that was originally 1 but is currently 0 is reset to 1.
In other words, based on the flag value 1 set on the fifth bit (fifth preset flag bit) of Reg0, any of the first to fourth actions that is switched on may be temporarily switched off before jumping from Table1 to the next-stage flow table Table2, and switched back on after returning from Table2 to Table1. This prevents the first, second, third or fourth action added in the current-stage flow table Table1 from affecting the execution actions of Table2 after the jump. At the same time, once processing returns from Table2 to Table1, the extended actions of Table1 are restored, so that the extended actions Table1 still needs to execute afterwards are not left switched off because of the jump.
Based on the above description, there is an association between the second, third, fourth, and fifth actions: when a jump between flow tables is needed, the egress port corresponding to the traffic must first be saved, the traffic must not be forwarded in the current-stage flow table, and the flag values set in the current-stage flow table must be hidden before jumping to the next-stage flow table. That is, the second action, the third action, the fourth action, and the fifth action generally need to be set simultaneously.
Therefore, this embodiment extends several behaviors in the traffic forwarding process: controlling whether the source MAC address is learned, controlling whether the egress port corresponding to the traffic to be forwarded is saved, supporting the flow table jump function, and not forwarding the traffic to be forwarded in the current-stage flow table. It also supports hiding these behaviors before jumping to the next flow table, so that the extended functions do not affect matching in the next flow table. On top of the flow control function of the virtual switch, more flexible and richer configuration can thus be supported, which enhances the extensibility of traffic forwarding control by the virtual switch in actual service scenarios.
The flow control method provided by the embodiment of the present disclosure is exemplarily described below with reference to fig. 3 to 8. Referring to fig. 3, when traffic sent by a virtual machine needs to be protected, a Virtual Firewall (VFW) may be attached to a virtual switch in the form of a Virtual Machine (VM). The VFW runs in the server 100 as a special virtual machine, and the created VFW may provide the same security protection as a traditional physical firewall. When traffic between the VMs inside the server 100 needs security protection, an administrator can configure a corresponding security policy on the VFW. The VFW can then automatically configure a traffic-steering policy in the OVS, where it is stored in the form of flow tables. The OVS matches traffic against the content of the flow tables, so that the messages of a specific VM are steered into the VFW, the VFW performs security protection processing on the traffic between the VMs, and finally the traffic processed by the VFW returns to the OVS to be forwarded normally. With this scheme, in a virtual environment, the VFW can protect traffic between the VMs in the server 100, which avoids forwarding the traffic outside for processing and the resulting waste of performance of the server 100 and the physical switch.
Under the deployment architecture shown in fig. 3, after performing traffic protection processing, the VFW sends the processed traffic to the OVS, so the VFW temporarily acts as a source virtual machine from the point of view of the OVS. However, the OVS does not need to learn the MAC address of the port of the VFW at this time, and therefore the source MAC address of the traffic sent by the VFW should be configured not to be learned.
Next, the multi-stage flow tables are optimized according to the first to fifth actions extended as described above, and the flow control process during traffic forwarding between VMs, after a user has configured the flow tables, is analyzed. Referring to fig. 4, the OVS is connected to VM0, VM1, VM2, VM3, VM4, VFW1, and VFW2 through corresponding virtual ports. For the traffic-steering rules configured in fig. 4, the corresponding traffic-steering flow tables are shown in fig. 5 to fig. 8: an ingress-direction steering Table1, an egress-direction redirection steering Table2, an egress-direction steering Table3, and an egress-port setting flow Table10, respectively. Table1 includes flow table entries A, B, C, D, E, F; Table2 includes G, H, J, K, L, M; Table3 includes N, O, P; and Table10 includes Q, R, S.
In Table1, Table2, Table3, and Table10, the portion before the arrow is the matching field, and the portion after the arrow is the action field. Here, input represents an input port; set VFW_id represents the VFW used for protection in the current flow table entry; Xnormal represents whichever of the first to fifth actions need to be executed; resubmit(10) represents jumping to Table10; goto next represents jumping to the next-stage flow table; default represents default matching; out_port represents an output port; action represents action execution; output out forwards traffic from the output port; and drop represents discarding traffic.
If the VM1 sends traffic to the VM3, the process of matching the communication flow tables of the VM1 and the VM3 is as follows:
Process a: the input of the traffic sent by VM1 is VM1, and the output is VM3_port. After the traffic enters the OVS, it is matched against each flow table in the OVS. Table1 is matched first, and the A flow table entry in Table1 is successfully matched according to the matching condition input = VM1. Then each action included in the action field is executed in turn;
Process b: set VFW_id = VFW1_id: the traffic sent by VM1 is configured to be forwarded to VFW1 for protection processing;
Process c: Xnormal(save_out, no_output): the egress port corresponding to the traffic sent by VM1 is saved, and the traffic sent by VM1 is not forwarded in Table1. That is, the flag values on the second bit and the fourth bit of Reg0 of the register are set to 1, so that, according to the set flag value 1, the virtual port VM3_port connected to VM3 on the OVS is saved in Reg1[1..16] of the register shown in Table2, while the traffic sent by VM1 is not forwarded in Table1;
Process d: resubmit(10): jump to Table10, where the Q flow table entry is successfully matched according to the matching condition VFW_id = VFW1_id; then set outport = VFW1_port, which resets the egress port corresponding to the traffic sent by VM1 to the virtual port VFW1_port connected to VFW1 on the OVS; then jump back to Table1;
Process e: goto next: the flag value on the third bit of Reg0 of the register is set to 1, so as to jump to the next-stage flow Table2 according to the set flag value 1. The M flow table entry in Table2 is successfully matched according to the matching condition outport = VFW1_port, followed by a jump to the next-stage flow Table3, where the P flow table entry is successfully matched according to the matching condition outport = VFW1_port; then action: output out(NXM_NX_REG[1..16]) forwards the traffic to VFW1;
Process f: VFW1 performs protection processing on the received traffic and sends the processed traffic to the OVS, where the input of the traffic sent by VFW1 to the OVS is VFW1, and the output is VM3_port. The OVS then matches the flow tables again for the traffic sent by VFW1. Table1 is matched first, the B flow table entry in Table1 is successfully matched according to the matching condition inport = VFW1, and then each action included in the action field is executed in turn;
Process g: Xnormal(no_spare, save_out, stash, gonext, no_output): the flag values on the first to fifth bits of Reg0 of the register are set to 1, so that, according to the set flag value 1, the OVS does not learn the source MAC address in the traffic sent by VFW1, saves the egress port corresponding to the traffic sent by VFW1, does not forward the traffic sent by VFW1 in Table1, jumps to the next-stage flow Table2, and hides the above actions before jumping to Table2;
Process h: jump to the next-stage flow Table2, where the J flow table entry is successfully matched according to the matching conditions out_port = VM3_port and VFW_id = VFW1_id; then goto next enters the next-stage flow Table3, where the P flow table entry is successfully matched according to the matching condition out_port = VM3_port; then action: output out(NXM_NX_REG[1..16]) forwards the traffic to VM3.
In another example, if VM1 sends traffic to VM4, the VM1-VM4 communication flow table matching process is:
Process a: the input of the traffic sent by VM1 is VM1, and the output is VM4_port. After the traffic enters the OVS, it is matched against each flow table in the OVS. Table1 is matched first, and the A flow table entry in Table1 is successfully matched according to the matching condition input = VM1. Then each action included in the action field is executed in turn;
Process b: set VFW_id = VFW1_id: the traffic sent by VM1 is configured to be forwarded to VFW1 for protection processing;
Process c: Xnormal(save_out, no_output): the egress port corresponding to the traffic sent by VM1 is saved, and the traffic sent by VM1 is not forwarded in Table1. That is, the flag values on the second bit and the fourth bit of Reg0 of the register are set to 1, so that, according to the set flag value 1, the virtual port VM4_port connected to VM4 on the OVS is saved in Reg1[1..16] of the register shown in Table2 above, while the traffic sent by VM1 is not forwarded in Table1;
Process d: resubmit(10): jump to Table10, where the Q flow table entry is successfully matched according to the matching condition VFW_id = VFW1_id; then set outport = VFW1_port, which resets the egress port corresponding to the traffic sent by VM1 to the virtual port VFW1_port connected to VFW1 on the OVS; then jump back to Table1;
Process e: goto next: the flag value on the third bit of Reg0 of the register is set to 1, so as to jump to the next-stage flow Table2 according to the set flag value 1. The M flow table entry in Table2 is successfully matched according to the matching condition output = VM1_output, followed by a jump to the next-stage flow Table3, where the P flow table entry is successfully matched according to the matching condition output = VM1_output; then action: output out(NXM_NX_REG[1..16]) forwards the traffic to VFW1;
Process f: VFW1 performs protection processing on the received traffic and sends the processed traffic to the OVS, where the input of the traffic sent by VFW1 to the OVS is VFW1, and the output is VM4_port. The OVS then matches the flow tables again for the traffic sent by VFW1. Table1 is matched first, the B flow table entry in Table1 is successfully matched according to the matching condition inport = VFW1, and then each action included in the action field is executed in turn;
Process g: Xnormal(no_spare, save_out, stash, gonext, no_output): the flag values on the first to fifth bits of Reg0 of the register are set to 1, so that, according to the set flag value 1, the OVS does not learn the source MAC address in the traffic sent by VFW1, saves the egress port corresponding to the traffic sent by VFW1, does not forward the traffic sent by VFW1 in Table1, jumps to the next-stage flow Table2, and hides the above actions before jumping to Table2;
Process h: after jumping to the next-stage flow Table2, the L flow table entry in Table2 is successfully matched according to the matching condition out_port = VM4_port; then set VFW_id = VFW2_id, where the traffic sent by VM1 is configured to be forwarded to VFW1 for protection processing;
Process i: resubmit(10): jump to Table10, where the R flow table entry is successfully matched according to the matching condition VFW_id = VFW2_id; then set outport = VFW2_port, which sets the egress port outport corresponding to the traffic sent by VFW1 to the virtual port VFW2_port connected to VFW2 on the OVS; then jump back to Table2;
Process j: goto next: enter the next-stage flow Table3, where the P flow table entry is successfully matched according to the matching condition output = VFW2_output; then action: output(NXM_NX_REG[1..16]) forwards the traffic to VFW2;
Process k: VFW2 performs protection processing on the received traffic and sends the processed traffic to the OVS, where the input of the traffic sent by VFW2 to the OVS is VFW2, and the output is VM4_port. The OVS then matches the flow tables again for the traffic sent by VFW2. Table1 is matched first, the E flow table entry in Table1 is successfully matched according to the matching condition inport = VFW2, and then each action included in the action field is executed in turn;
Process l: Xnormal(no_spare, save_out, stash, gonext, no_output): the flag values on the first to fifth bits of Reg0 of the register are set to 1, so that, according to the set flag value 1, the OVS does not learn the source MAC address in the traffic sent by VFW2, saves the egress port corresponding to the traffic sent by VFW2, does not forward the traffic sent by VFW2 in Table1, jumps to the next-stage flow Table2, and hides the above actions before jumping to Table2;
Process m: jump to the next-stage flow Table2, where the K flow table entry is successfully matched according to the matching conditions out_port = VM4_port and VFW_id = VFW2_id; then goto next enters the next-stage flow Table3, where the P flow table entry is successfully matched according to the matching condition out_port = VM4_port; then action: output out(NXM_NX_REG[1..16]) forwards the traffic to VM4.
It should be noted that, regarding other examples, for example, the VM1 sends traffic to the VM2, the VM2 sends traffic to the VM3, and the VM2 sends traffic to the VM4, which may be implemented by combining the above examples, and details are not repeated here.
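The two walk-throughs above (VM1 to VM3 and VM1 to VM4) can be replayed with a small model to confirm that every pass ends at the intended firewall or VM. This is an added example, not code from the patent or from OVS: the entries are reconstructed from the steps above because figs. 5 to 8 are not reproduced here, the Xnormal flag bits are left out, and it assumes that entries B and E set VFW_id, that K is tried before L, and that P matches any egress port.

```c
#include <stdio.h>
#include <string.h>

enum { ANY = 0, VM1, VM3, VM4, VFW1, VFW2 };  /* ports; 0 also means "dropped" */
enum { VFW1_ID = 1, VFW2_ID = 2 };            /* VFW_id values */
static const char *port_name[] = { "drop", "VM1", "VM3", "VM4", "VFW1", "VFW2" };

struct entry {
    char name;                      /* entry letter used in the walk-through */
    int in_port, out_port, vfw_id;  /* matching field; ANY = not matched on  */
    int set_vfw_id;                 /* set VFW_id, 0 = leave unchanged       */
    int resubmit10;                 /* resubmit(10): consult Table10         */
    int set_outport;                /* Table10 only: new egress port         */
    int goto_next, output;          /* goto next / output on the egress port */
};

/* Constructed entries, limited to the ones the walk-throughs name. */
static const struct entry table1[] = {
    { 'A', VM1,  ANY, ANY, VFW1_ID, 1, 0, 1, 0 },
    { 'B', VFW1, ANY, ANY, VFW1_ID, 0, 0, 1, 0 },   /* set VFW_id: assumption */
    { 'E', VFW2, ANY, ANY, VFW2_ID, 0, 0, 1, 0 },   /* set VFW_id: assumption */
};
static const struct entry table2[] = {
    { 'M', ANY, VFW1, ANY,     0,       0, 0, 1, 0 },
    { 'J', ANY, VM3,  VFW1_ID, 0,       0, 0, 1, 0 },
    { 'K', ANY, VM4,  VFW2_ID, 0,       0, 0, 1, 0 },  /* tried before L: assumption */
    { 'L', ANY, VM4,  ANY,     VFW2_ID, 1, 0, 1, 0 },
};
static const struct entry table3[] = { { 'P', ANY, ANY, ANY, 0, 0, 0, 0, 1 } };
static const struct entry table10[] = {
    { 'Q', ANY, ANY, VFW1_ID, 0, 0, VFW1, 0, 0 },
    { 'R', ANY, ANY, VFW2_ID, 0, 0, VFW2, 0, 0 },
};

struct pkt { int in_port, out_port, vfw_id; };
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* First entry whose matching field fits the packet, or NULL. */
static const struct entry *lookup(const struct entry *t, size_t n, const struct pkt *p)
{
    for (size_t i = 0; i < n; i++)
        if ((t[i].in_port  == ANY || t[i].in_port  == p->in_port) &&
            (t[i].out_port == ANY || t[i].out_port == p->out_port) &&
            (t[i].vfw_id   == ANY || t[i].vfw_id   == p->vfw_id))
            return &t[i];
    return NULL;
}

/* One pass Table1 -> Table2 -> Table3; returns the egress port, 0 if dropped. */
static int ovs_pass(int in_port, int dst_port, char *trace)
{
    const struct { const struct entry *t; size_t n; } stage[] = {
        { table1, COUNT(table1) }, { table2, COUNT(table2) }, { table3, COUNT(table3) },
    };
    struct pkt p = { in_port, dst_port, 0 };  /* egress port already looked up */
    const struct entry *e, *q;
    int out = 0;

    for (size_t s = 0; s < COUNT(stage); s++) {
        if (!(e = lookup(stage[s].t, stage[s].n, &p)))
            break;                            /* no entry matched: dropped */
        *trace++ = e->name;
        if (e->set_vfw_id) p.vfw_id = e->set_vfw_id;
        if (e->resubmit10 && (q = lookup(table10, COUNT(table10), &p))) {
            *trace++ = q->name;
            p.out_port = q->set_outport;      /* Q/R reset the egress port */
        }
        if (e->output) out = p.out_port;
        if (!e->goto_next) break;
    }
    *trace = '\0';
    return out;
}

/* Follow src -> dst; each VFW hands the packet back to the OVS. 1 = delivered. */
static int deliver(int src, int dst, char *path, char *trace)
{
    int in = src;
    strcpy(path, port_name[src]);
    trace[0] = '\0';
    for (int pass = 0; pass < 4; pass++) {
        int out = ovs_pass(in, dst, trace + strlen(trace));
        strcat(strcat(path, ">"), port_name[out]);
        if (out == dst || out == 0)
            return out == dst;
        strcat(trace, "/");
        in = out;
    }
    return 0;
}

int main(void)
{
    char path[64], trace[32];
    for (int dst = VM3; dst <= VM4; dst++)
        if (deliver(VM1, dst, path, trace))
            printf("%s  [%s]\n", path, trace);
    return 0;
}
```

The trace lists the matched entries per pass, which makes it easy to compare a configured steering table against the intended firewall chain before it is deployed.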
Thus, the whole application scenario uses the various actions extended by the present disclosure: when VFW1 sends traffic to the OVS, the OVS does not learn the source MAC address in the traffic; each time a flow table jump is made, the OVS saves the egress port corresponding to the traffic and chooses not to forward the traffic in the current-stage flow table; and the set actions are hidden before jumping to the next flow table so that they do not affect matching in the next flow table. This enhances the extensibility of traffic forwarding control by the OVS in actual service scenarios.
Further, referring to fig. 9, an embodiment of the present disclosure further provides a flow control device 200 applied to a virtual switch. It should be noted that the basic principle and the technical effects of the flow control device provided in this embodiment are the same as those of the foregoing method embodiment, and for the sake of brief description, reference may be made to the corresponding contents in the foregoing method embodiment for the parts that are not mentioned in this embodiment. The flow control device 200 includes:
The receiving module 210 is configured to receive traffic to be forwarded. It is understood that the receiving module 210 can be used to execute the step S110, and for the detailed implementation of the receiving module 210, reference can be made to the contents related to the step S110.
The determining module 220 is configured to determine whether the flow to be forwarded matches any flow table entry in the flow tables of the virtual switch, where each flow table entry in the flow tables includes a matching field and an action field, the matching field includes a matching condition matching the flow to be forwarded, the action field includes a corresponding execution action when the flow to be forwarded satisfies the matching condition of the matching field, and the execution action includes at least one of a first action of prohibiting learning a source MAC address, a second action of saving an egress port corresponding to the flow to be forwarded, a third action of jumping to a next-stage flow table, a fourth action of not forwarding the flow to be forwarded in the current-stage flow table, and a fifth action of hiding the first to fourth actions before jumping to the next-stage flow table. It is understood that the determining module 220 can be used to perform the step S120, and for the detailed implementation of the determining module 220, reference can be made to the above-mentioned contents related to the step S120.
The action execution module 230 is configured to execute an execution action in an action domain in the flow table entry when the flow to be forwarded is successfully matched with any flow table entry in the flow table. It is understood that the action execution module 230 may be configured to perform the step S130, and for the detailed implementation of the action execution module 230, reference may be made to the content related to the step S130.
Optionally, if the action field in the matched flow entry includes the first action, the action executing module 230 is specifically configured to: setting the value of a first preset flag bit of a register as a flag value corresponding to a first action; and enabling the virtual switch not to learn the source MAC address in the flow to be forwarded according to the set flag value.
Optionally, if the action field in the matched flow entry includes the second action, the action executing module 230 is specifically configured to: setting the value of a second preset flag bit of the register as a flag value corresponding to a second action; and enabling the virtual switch to store the output port corresponding to the flow to be forwarded in a register according to the set flag value.
Optionally, if the action field in the matched flow entry includes a third action, the action executing module 230 is specifically configured to: setting the value of a third preset flag bit of the register as a flag value corresponding to a third action; and jumping the virtual switch to the next-stage flow table according to the set flag value to match the flow to be forwarded.
Optionally, if the action field in the matched flow entry includes a fourth action, the action executing module 230 is specifically configured to: setting the value of a fourth preset flag bit of the register as a flag value corresponding to a fourth action; and according to the set flag value, the virtual switch does not forward the flow to be forwarded in the flow processing process of the current-stage flow table.
Optionally, if the action field in the matched flow entry includes a fifth action, the action executing module 230 is specifically configured to: set the value of a fifth preset flag bit of the register as a flag value corresponding to the fifth action; and, according to the set flag value, enable the virtual switch to hide in the register, before jumping to the next-stage flow table, the flag value corresponding to the first action, the second action, the third action or the fourth action included in the action domain in the current-stage flow table.
Further, referring to fig. 10, an embodiment of the present disclosure further provides a server 100 for implementing the flow control method, and in this embodiment, the server 100 may be implemented by a bus 110 as a general bus architecture. The bus 110 may include any number of interconnecting buses and bridges depending on the specific application of the server 100 and the overall design constraints. Bus 110 connects various circuits together, including processor 120, storage medium 130, and bus interface 140. Alternatively, the server 100 may connect a network adapter 150 or the like via the bus 110 using the bus interface 140. The network adapter 150 may be used to implement signal processing functions of a physical layer in the server 100 and implement transmission and reception of radio frequency signals through an antenna. The user interface 160 may connect external devices such as: a keyboard, a display, a mouse or a joystick, etc. The bus 110 may also connect various other circuits such as timing sources, peripherals, voltage regulators, or power management circuits, which are well known in the art, and therefore, will not be described in detail.
Alternatively, the server 100 may be configured as a general purpose processing system, such as what is commonly referred to as a chip, including: one or more microprocessors providing processing functions, and an external memory providing at least a portion of storage medium 130, all connected together with other support circuits through an external bus architecture.
Alternatively, the server 100 may be implemented using: an ASIC (application specific integrated circuit) having a processor 120, a bus interface 140, a user interface 160; and at least a portion of the storage medium 130 integrated in a single chip, or the server 100 may be implemented using: one or more FPGAs (field programmable gate arrays), PLDs (programmable logic devices), controllers, state machines, gate logic, discrete hardware components, any other suitable circuitry, or any combination of circuitry capable of performing the various functions described throughout this application.
Among other things, processor 120 is responsible for managing bus 110 and general processing (including the execution of software stored on storage medium 130). Processor 120 may be implemented using one or more general-purpose processors and/or special-purpose processors. Examples of processor 120 include microprocessors, microcontrollers, DSP processors, and other circuits capable of executing software. Software should be construed broadly to mean instructions, data, or any combination thereof, whether referred to as software, firmware, middleware, microcode, hardware description language, or otherwise.
Storage medium 130 is shown separate from processor 120 in fig. 10, however, one skilled in the art will readily appreciate that storage medium 130, or any portion thereof, may be located outside server 100. Storage medium 130 may include, for example, a transmission line, a carrier waveform modulated with data, and/or a computer product separate from the wireless node, which may be accessed by processor 120 via bus interface 140. Alternatively, the storage medium 130, or any portion thereof, may be integrated into the processor 120, e.g., may be a cache and/or general purpose registers.
The processor 120 may execute the above embodiments. Specifically, the storage medium 130 may store the flow control device 200, and the processor 120 may be configured to execute the flow control device 200.
Further, an embodiment of the present application also provides a non-volatile computer storage medium, where the computer storage medium stores computer-executable instructions, and the computer-executable instructions may execute the flow control method in any of the method embodiments.
In the embodiments provided in the present disclosure, it should be understood that the disclosed apparatus and method may be implemented in other ways. The apparatus and method embodiments described above are illustrative only, as the flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present disclosure may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
Alternatively, all or part of the implementation may be in software, hardware, firmware, or any combination thereof. When implemented in software, may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. The procedures or functions described in accordance with the embodiments of the disclosure are, in whole or in part, generated when the computer program instructions are loaded and executed on a computer. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website site, computer, server, or data center to another website site, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.). The computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device, such as an electronic device, server, data center, etc., that incorporates one or more of the available media. The usable medium may be a magnetic medium (e.g., floppy Disk, hard Disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
It will be evident to those skilled in the art that the disclosure is not limited to the details of the foregoing illustrative embodiments, and that the present disclosure may be embodied in other specific forms without departing from the spirit or essential characteristics thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the disclosure being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned.

Claims (13)

1. A flow control method is applied to a virtual switch, and comprises the following steps:
receiving traffic to be forwarded;
judging whether the flow to be forwarded is matched with any flow table entry in a flow table of a virtual switch or not, wherein each flow table entry in the flow table comprises a matching field and an action field, the matching field comprises a matching condition matched with the flow to be forwarded, the action field comprises a corresponding execution action when the flow to be forwarded meets the matching condition of the matching field, and the execution action comprises at least one of a first action of forbidding learning a source MAC address, a second action of saving an outlet port corresponding to the flow to be forwarded, a third action of jumping to a next-stage flow table, a fourth action of not forwarding the flow to be forwarded at the current-stage flow table and a fifth action of hiding the first action to the fourth action before jumping to the next-stage flow table;
and when the flow to be forwarded is successfully matched with any flow table entry in the flow table, executing an execution action in an action domain in the flow table entry, wherein the value of a preset flag bit in a register of the virtual switch is set as a flag value corresponding to the execution action, and the virtual switch executes the execution action according to the set flag value.
2. The flow control method according to claim 1, wherein the step of executing the action in the action field in the flow table entry when the flow to be forwarded is successfully matched with any flow table entry in the flow table comprises:
if the action domain in the matched flow table entry comprises the first action, setting the value of a first preset flag bit of a register as a flag value corresponding to the first action;
and enabling the virtual switch not to learn the source MAC address in the flow to be forwarded according to the set flag value.
3. The flow control method according to claim 1, wherein the step of executing the action in the action field in the flow table entry when the flow to be forwarded is successfully matched with any flow table entry in the flow table comprises:
if the action domain in the matched flow table entry comprises the second action, setting the value of a second preset flag bit of the register as a flag value corresponding to the second action;
and enabling the virtual switch to store the output port corresponding to the flow to be forwarded in a register according to the set flag value.
4. The flow control method according to claim 1, wherein the step of executing the action in the action field in the flow table entry when the flow to be forwarded is successfully matched with any flow table entry in the flow table comprises:
if the action domain in the matched flow table entry comprises the third action, setting the value of a third preset flag bit of the register as a flag value corresponding to the third action;
and jumping the virtual switch to a next-stage flow table according to the set flag value to match the flow to be forwarded.
5. The flow control method according to claim 1, wherein the step of executing the action in the action field in the flow table entry when the flow to be forwarded is successfully matched with any flow table entry in the flow table comprises:
if the action domain in the matched flow table entry comprises the fourth action, setting the value of a fourth preset flag bit of the register as a flag value corresponding to the fourth action;
and enabling the virtual switch not to forward the flow to be forwarded in the flow processing process of the current-stage flow table according to the set flag value.
6. The flow control method according to claim 1, wherein the step of executing the action in the action field in the flow table entry when the flow to be forwarded is successfully matched with any flow table entry in the flow table comprises:
if the action domain in the matched flow table entry comprises the fifth action, setting the value of a fifth preset flag bit of a register as a flag value corresponding to the fifth action;
and enabling the virtual switch to hide the flag value corresponding to the first action, the second action, the third action or the fourth action included in the action domain in the current-stage flow table in a register before jumping to the next-stage flow table according to the set flag value.
7. A flow control apparatus applied to a virtual switch, the apparatus comprising:
a receiving module, configured to receive the flow to be forwarded;
a judging module, configured to judge whether the to-be-forwarded traffic matches any one of flow table entries in a flow table of a virtual switch, where each of the flow table entries includes a matching field and an action field, the matching field includes a matching condition matching the to-be-forwarded traffic, the action field includes a corresponding execution action when the to-be-forwarded traffic satisfies the matching condition of the matching field, and the execution action includes at least one of a first action of prohibiting learning a source MAC address, a second action of saving an egress port corresponding to the to-be-forwarded traffic, a third action of jumping to a next-stage flow table, a fourth action of not forwarding the to-be-forwarded traffic in a current-stage flow table, and a fifth action of hiding the first to fourth actions before jumping to the next-stage flow table;
and an action execution module, configured to execute the execution action in the action field of the flow table entry when the flow to be forwarded is successfully matched with any flow table entry in the flow table, wherein the value of a preset flag bit in a register of the virtual switch is set as a flag value corresponding to the execution action, and the virtual switch executes the execution action according to the set flag value.
8. A flow control apparatus according to claim 7, wherein if the action field in the matched flow table entry comprises the first action, the action execution module is specifically configured to:
setting the value of a first preset flag bit of a register as a flag value corresponding to the first action;
and enabling the virtual switch not to learn the source MAC address in the flow to be forwarded according to the set flag value.
9. A flow control apparatus according to claim 7, wherein if the action field in the matched flow table entry comprises the second action, the action execution module is specifically configured to:
setting the value of a second preset flag bit of the register as a flag value corresponding to the second action;
and enabling the virtual switch to store the egress port corresponding to the flow to be forwarded in a register according to the set flag value.
10. A flow control apparatus according to claim 7, wherein if the action field in the matched flow table entry comprises the third action, the action execution module is specifically configured to:
setting the value of a third preset flag bit of the register as a flag value corresponding to the third action;
and causing the virtual switch to jump, according to the set flag value, to a next-stage flow table to match the flow to be forwarded.
11. A flow control apparatus according to claim 7, wherein if the action field in the matched flow table entry comprises the fourth action, the action execution module is specifically configured to:
setting the value of a fourth preset flag bit of a register as a flag value corresponding to the fourth action;
and enabling the virtual switch not to forward the flow to be forwarded in the flow processing process of the current-stage flow table according to the set flag value.
12. A flow control apparatus according to claim 7, wherein if the action field in the matched flow table entry comprises the fifth action, the action execution module is specifically configured to:
setting the value of a fifth preset flag bit of the register as a flag value corresponding to the fifth action;
and enabling the virtual switch, according to the set flag value, to hide in a register, before jumping to the next-stage flow table, the flag value corresponding to the first action, the second action, the third action or the fourth action included in the action field in the current-stage flow table.
13. A server, characterized in that the server comprises:
a storage medium;
a processor; and
the flow control apparatus of any one of claims 7-12, stored in the storage medium and comprising computer-executable instructions executed by the processor.
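The following Python model is an added illustration of the register-flag mechanism in claims 1-6; it is not code from the patent or from any virtual switch. The bit positions, the `Entry` and `VSwitch` layout, the stop-on-miss behaviour, the carry-over of flags between stages, and the reading of "hide" as stash-and-clear are all assumptions of this model.

```python
from dataclasses import dataclass, field

# Constructed flag layout: the claims only say each action has a preset flag bit.
NO_LEARN, SAVE_PORT, GOTO_NEXT, NO_FORWARD, HIDE = (1 << i for i in range(5))
FIRST_TO_FOURTH = NO_LEARN | SAVE_PORT | GOTO_NEXT | NO_FORWARD

@dataclass
class Entry:
    match: dict        # match field: packet key -> required value
    actions: int       # action field: OR of the flag values above
    out_port: int = 0  # hypothetical egress port carried by the entry

@dataclass
class VSwitch:
    tables: list                                   # one list of Entry per stage
    mac_table: dict = field(default_factory=dict)  # learned src MAC -> in_port

    def process(self, pkt):
        reg = {"flags": 0, "saved_port": None, "hidden": 0}
        sent = []
        for stage, table in enumerate(self.tables):
            entry = next((e for e in table
                          if all(pkt.get(k) == v for k, v in e.match.items())), None)
            if entry is None:
                break                              # table miss: stop (assumed)
            reg["flags"] |= entry.actions          # set the preset flag bits
            flags = reg["flags"]                   # the switch acts on the register
            if not flags & NO_LEARN:
                self.mac_table[pkt["src_mac"]] = pkt["in_port"]
            if flags & SAVE_PORT:
                reg["saved_port"] = entry.out_port
            if not flags & NO_FORWARD:
                sent.append((stage, entry.out_port))
            if not flags & GOTO_NEXT:
                break
            if flags & HIDE:                       # stash actions 1-4, clear live bits
                reg["hidden"] |= flags & FIRST_TO_FOURTH
                reg["flags"] = 0
        return {"sent": sent, **reg}

def run(stage0_actions):
    # Constructed two-stage pipeline and packet; stage 0 handles traffic from port 9.
    sw = VSwitch([[Entry({"in_port": 9}, stage0_actions, out_port=5)],
                  [Entry({"dst_mac": "02:00:00:00:00:02"}, NO_LEARN, out_port=2)]])
    pkt = {"in_port": 9, "src_mac": "02:00:00:00:00:01", "dst_mac": "02:00:00:00:00:02"}
    return sw.process(pkt), sw.mac_table

with_hide, macs = run(FIRST_TO_FOURTH | HIDE)      # stage 1 forwards on port 2
without_hide, _ = run(FIRST_TO_FOURTH)             # stage-0 NO_FORWARD leaks into stage 1
```

In this model, omitting the fifth action lets the stage-0 "do not forward" flag persist into stage 1, so the packet is never sent; with it, stage 1 starts from a clean register and forwards normally.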
CN201811450342.8A 2018-11-30 2018-11-30 Flow control method and device and server Active CN109450811B (en)

Publications (2)

Publication Number Publication Date
CN109450811A (en) 2019-03-08
CN109450811B (en) 2022-08-12

Family

ID=65555365

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant