CN112511450B - Flow control equipment and method - Google Patents


Info

Publication number
CN112511450B
Authority
CN
China
Prior art keywords
flow control
rule
address
memory
read
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011205168.8A
Other languages
Chinese (zh)
Other versions
CN112511450A (en)
Inventor
崔盛旺
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou DPtech Information Technology Co Ltd
Original Assignee
Hangzhou DPtech Information Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a flow control device and method. The device comprises a programmable device and a memory group; the programmable device is loaded with a rule matching module, a selection module and a control module. The rule matching module parses the storage address to be read/written after receiving a read/write instruction. The selection module determines, according to a custom storage rule, the target memory matching the storage address and the target address of the flow control rule to be read/written; the storage rule defines which address bits of the storage address represent the memory identifier and which represent the address of the flow control rule, and the number of address bits representing the memory identifier is determined by the number of memories. The control module controls the target memory to read/write the flow control rule at the target address. With this flow control device, the rule storage capacity of the device can be effectively expanded.

Description

Flow control equipment and method
Technical Field
The invention relates to the field of internet communication, in particular to flow control equipment and a flow control method.
Background
A flow control device screens out suspicious traffic in the network, thereby ensuring the security of network communication. Before screening traffic, the flow control device must download the corresponding screening rules and store them in its DDR in advance.
In the related art, to increase screening efficiency, a flow control device usually contains several rule matching modules, each with its own DDR storing the same rules; traffic entering the device is distributed across the rule matching modules, which search for matches in parallel. In practice, however, because the DDRs of all rule matching modules store identical rules, their storage resources are not fully used, and the number of rules the flow control device can store is limited and falls short of the number required for traffic screening.
Disclosure of Invention
The invention provides a flow control device and method that can effectively expand the rule storage capacity of the flow control device.
In order to achieve the technical effects, the embodiment of the invention discloses the following technical scheme:
in a first aspect, a flow control device is provided, where the device includes a programmable device and a memory group connected in sequence, and the memories in the memory group are used to store different flow control rules; the programmable device is loaded with a rule matching module, a selection module and at least one control module, and the number of control modules is the same as the number of memories;
the rule matching module is used for parsing the storage address to be read/written after receiving a read/write instruction;
the selection module is used for determining, according to a custom storage rule, the target memory matching the storage address and the target address of the flow control rule to be read/written; the storage rule defines which address bits of the storage address represent the memory identifier and which represent the address of the flow control rule, and the number of address bits representing the memory identifier is determined by the number of memories;
and the control module is used for controlling the target memory to read/write the flow control rule to be read/written at the target address.
In a second aspect, a flow control method is provided, where the method is applied to the above apparatus, and the method includes:
after receiving a read/write command, resolving a storage address to be read/written;
determining, according to a custom storage rule, the target memory matching the storage address and the target address of the flow control rule to be read/written; the storage rule defines which address bits of the storage address represent the memory identifier and which represent the address of the flow control rule, and the number of address bits representing the memory identifier is determined by the number of memories;
and controlling the target memory to read/write the flow control rule to be read/written at the target address.
The technical scheme provided by the embodiment of the invention can have the following beneficial effects:
the invention provides a flow control device and a method, wherein the device comprises more than one memory, when writing/reading rules, a target memory is determined by marking address bits in the memory address of the rules, and the rules are written/read in the memory address of the target memory, so that different rules can be stored in different memories, the memory resources of the memories are fully utilized, and the rule storage capacity of the flow control device is expanded.
Drawings
FIG. 1 is an application scenario of a flow control device provided in the present invention.
FIG. 2 is a flow monitoring device according to an exemplary embodiment of the present invention.
FIG. 3 illustrates a memory address in accordance with an exemplary embodiment of the present invention.
FIG. 4 is a table illustrating address bits for identification and memory correspondence in accordance with an exemplary embodiment of the present invention.
FIG. 5 is another flow monitoring device in accordance with an exemplary embodiment of the present invention.
FIG. 6 is an encapsulated address shown in accordance with an exemplary embodiment of the present invention.
FIG. 7 is another flow monitoring device in accordance with an exemplary embodiment of the present invention.
FIG. 8 is another flow monitoring device in accordance with an exemplary embodiment of the present invention.
FIG. 9 illustrates another flow monitoring device in accordance with an exemplary embodiment of the present invention.
Detailed Description
In order to make the technical solutions in the embodiments of the present invention better understood and make the above objects, features and advantages of the embodiments of the present invention more comprehensible, the technical solutions in the embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
Referring to FIG. 1, an application scenario of the flow control device provided by the invention is shown. To ensure the security of network communication and to limit traffic from known dangerous IP addresses, the traffic in the network needs to be screened. A flow control device is connected to the network, and information on known dangerous IP addresses, i.e. the flow control rules, is pre-stored in the device. When network traffic passes through the flow control device, it is matched against the pre-stored flow control rules. Traffic that does not hit a rule, i.e. traffic that does not come from a known dangerous IP address, is returned to the network; traffic that hits a rule, i.e. suspicious traffic, is reported to a server so that the server can make the next judgment and handle it.
In conventional solutions, the flow control device is typically equipped with a memory that stores the above flow control rules. To increase the efficiency of traffic screening, the device is usually equipped with several memories, each storing the same flow control rules, so that multiple flows entering the device can be distributed across the memories and matched at the same time. Although this improves screening efficiency to some extent, every memory in the device stores the same flow control rules, so the rule storage capacity of the device is only that of a single memory and cannot be expanded by adding memories. The device therefore cannot meet the demand for storing an ever-increasing number of flow control rules.
The invention provides a flow control device that can effectively expand the rule storage capacity of the device. As shown in FIG. 2, the flow control device comprises a programmable device 100 and a memory group 200 connected in sequence. The memory group contains at least two memories 210, shown as memory 0 through memory n in FIG. 2, where the integer n > 0.
The programmable device 100 is loaded with a rule matching module 110, a selection module 120, and control modules 130, wherein the number of control modules 130 is the same as the number of memories 210.
The rule matching module 110 is configured to, after receiving the read/write instruction, parse a storage address of the flow control rule to be read/written;
the selection module 120 is configured to determine, according to a custom storage rule, the target memory 210 matching the storage address and the target address of the flow control rule to be read/written; the storage rule defines which address bits of the storage address identify the memory 210 and which represent the address of the flow control rule, and the number of address bits identifying the memory 210 is determined by the number of memories 210;
the control module 130 is configured to control the target memory 210 to perform a read/write operation on the flow control rule to be read/written at the target address.
The types of the programmable device and the memory can be selected by those skilled in the art according to design requirements; for example, the programmable device may be an FPGA (Field Programmable Gate Array) chip, and the memory may be a DDR (Double Data Rate) memory.
The flow control method provided by the invention may be applied to the device shown in FIG. 2, although devices of other configurations are not excluded. When a rule is written/read, the method determines the target memory from the marked address bits in the rule's storage address and writes/reads the rule at the storage address in the target memory, so that different rules can be stored in different memories, the storage resources of the memories are fully used, and the rule storage capacity of the flow control device is expanded.
As an example, a flow control rule may comprise 256 bits of data, including five-tuple information, five-tuple interest bits, user priority, and the like. The five-tuple information includes a source IP address (sip), a destination IP address (dip), a source port (sport), a destination port (dport), and a transport layer protocol (protocol). When the rule matching module 110 receives a read/write instruction, that is, when a flow control rule needs to be read from or written to the memory of the flow control device, the rule matching module 110 parses out the storage address to be read/written, specifically as follows:
the rule matching module 110 parses the received flow control rule to obtain 256-bit data of the quintuple information, the quintuple interest bit, the user priority and the like, performs hash calculation on the quintuple information (sip, dip, sport, dport and protocol) in the received flow control rule, and uses the obtained hash value as a storage address for storing the flow control rule in the memory 210.
Generally, flow control rules include ipv4 and ipv6 rules, and the hash value obtained by hashing the five-tuple information of a rule is 28 bits in total and serves as the storage address of the flow control rule. As shown in FIG. 3, the storage address consists of bits 0-27, for a total of 28 address bits.
When a hash collision occurs (the hash values computed from the five-tuple information of different rules are the same), the flow control rules with the same hash value are usually associated through a linked list. Suppose the hash values of flow control rule A and flow control rule B are both i; the hash value i, used as a storage address, can hold only one rule. If address i stores flow control rule A, flow control rule B must be stored at another address j. The two rules can then be associated through a linked list: flow control rule A is found at address i through the linked list, and the linked-list node points to flow control rule B stored at address j. As shown in FIG. 3, if the flow control rule in the linked list is an ipv4 rule, the 0-27 bits of the storage address specifying ipv4 rule are 0, 1, and 0 as the head of the linked list respectively; if the flow control rule in the linked list is an ipv6 rule, the 26th bit and the 27th bit in the 0-27 bit storage address of the ipv6 rule are 0 and 0 respectively, marking the head of the linked list; the linked-list tail of both the ipv4 rule and the ipv6 rule is indicated by the 27th bit of the storage address being 1.
The selection module 120 determines the target memory 210 and the target address to which the flow control rule is to be written according to a custom storage rule and the storage address. The storage rule defines which address bits of the storage address represent the memory identifier and which represent the address of the flow control rule; for example, the storage rule may define one or more address bits of the storage address as the address bits identifying the memory 210, and may also define the address bits of the storage address used to identify the address of the flow control rule. The number of address bits used for the memory identifier is determined by the number of memories. One address bit can identify two memories: when bit 0 of the storage address is defined as the address bit identifying the memory 210, bit 0 taking the value 0 represents memory 0 and bit 0 taking the value 1 represents memory 1. When the memory group 200 has n memories 210, m address bits of the storage address are defined as the address bits identifying the memory 210, where 2^m is greater than n.
In an alternative embodiment, when n is 12, i.e. there are 12 memories 210 in the memory group 200, the storage rule defines the lower 4 bits and the 25th and 26th bits of the storage address as the address bits identifying the memories 210. The correspondence between these address bits and the memories 210 is shown in FIG. 4. The lower 4 bits, i.e. bits 0-3, can identify 16 (2^4) memories 210, but there are only 12 memories 210 in the memory group 200, so the 25th and 26th bits are needed for auxiliary identification. Specifically, as shown in FIG. 4 (for convenience, binary values are given in decimal, e.g. lower 4 bits of 0011 correspond to decimal 3): when the lower 4 bits are 0-5, they correspond to memories 0-5 respectively; when the lower 4 bits are 8-13, they correspond to memories 6-11 respectively; when the lower 4 bits are 6 and the 25th and 26th bits are 0-2, they correspond to memories 0-2 respectively; when the lower 4 bits are 7 and the 25th and 26th bits are 0-2, they correspond to memories 3-5 respectively; when the lower 4 bits are 14 and the 25th and 26th bits are 0-2, they correspond to memories 6-8 respectively; when the lower 4 bits are 15 and the 25th and 26th bits are 0-2, they correspond to memories 9-11 respectively. In the above example, if the hash value i of flow control rule A is 0100000000000000000000001111, the selection module 120 can determine from the lower 4 bits of i, i.e. 1111, and the 25th to 26th bits, i.e. 01, together with the correspondence table between address bits and memories shown in FIG. 4, that flow control rule A should be read/written in memory 10.
The address bits used for identifying the memory 210 and for auxiliary identification may be user-defined; for example, the user may define bits 5-8 of the storage address as the address bits identifying the memory 210 and the lower 2 bits as the address bits for auxiliary identification. When the number of memories 210 in the memory group 200 changes, the user may also define other address bits of the storage address to identify the memory 210. If there are 8 memories 210 in the memory group 200, the user can define the lower 3 bits as the address bits identifying the memories 210, and so on; the invention is not limited in this respect.
As described above, each flow control rule has 256 bits, whereas the amount of data that can be stored at each address in existing memories is usually less than 256 bits, so the flow control rule needs to be split into at least two segments, each stored at a different storage address. Specifically, each address in the memory can store 64 bits of data, so the flow control rule is split into 4 segments stored at 4 different addresses. The selection module further includes an encapsulation submodule 121 (as shown in FIG. 5), which determines, according to the correspondence table shown in FIG. 4, the target memory 210 to which the flow control rule is to be written from the lower 4 bits and the 25th and 26th bits of the storage address, and encapsulates the storage address based on the custom storage rule. The custom storage rule further defines the address bits used as read-back bits, the address bits representing the storage address, the address bits for the storage address of each segment of the flow control rule, and the address bits used as control bits. The encapsulated address is shown in FIG. 6: the lower 3 bits are defined as read-back bits, which are used for the read-back sequence and are all set to 0; the upper 6 bits are defined as control bits, which identify the read/write instruction. After the encapsulation submodule determines the target memory, it encapsulates bits 4 to 27 of the storage address into bits 5 to 28 of the encapsulated address. As described above, when one address stores 64 bits of data, each flow control rule is split into 4 segments stored at different addresses, so bits 3 to 4 of the encapsulated address serve as the segment storage address bits.
For example, with the hash value i computed for flow control rule A used as the storage address, bits 4 to 27 of the storage address are 010000000000000000000000 (denoted a). The encapsulation submodule encapsulates these bits into bits 5 to 28 of the encapsulated address, with bits 3 to 4 used as the segment storage address bits, so that the 4 segments into which flow control rule A is split are stored at a00, a01, a10 and a11 respectively.
After encapsulation is complete, the encapsulation submodule generates several new read/write instructions according to the storage address and the storage address of each segment of the flow control rule, i.e. bits 3 to 28, and sends them to the control module corresponding to the target memory. In the above example, the encapsulation submodule sends 4 read/write instructions to control module 10 corresponding to memory 10, and the 4 instructions correspond to the 4 storage addresses (a00, a01, a10 and a11) in memory 10.
The control module 130 controls the memory 210 to read/write the flow control rule segments at the corresponding storage addresses according to the read/write instructions. In the above example, control module 10 controls memory 10 to read/write the segments of flow control rule A (A1, A2, A3, A4) at storage addresses a00, a01, a10 and a11 respectively, according to the 4 received read/write instructions.
In a preferred scheme, the programmable device can further be loaded with arbitration modules 140, as shown in FIG. 7. The number of arbitration modules 140 is the same as the number of control modules 130 and the number of memories 210, and each arbitration module 140 supports simultaneous reading/writing of flow control rules in its corresponding memory 210. In the above example, flow control rule A and flow control rule C are both stored in memory 10, and arbitration module 10 corresponding to memory 10 supports reading/writing flow control rule A and flow control rule C in memory 10 at the same time, thereby improving read/write efficiency.
When the flow control device executes a write instruction, the rule matching module 110 also obtains the flow control rule to be written and sends it to the selection module; the control module obtains the flow control rule from the selection module and writes it to the target address. After the modules in the programmable device 100 perform the above steps, the flow control rule is written at the corresponding storage address in a memory 210 of the memory group 200. The target memory is determined by the marked address bits in the rule's storage address and the rule is written at the storage address in the target memory, so different rules can be stored in different memories. Specifically, as can be seen from the above, bits 3-28 of the encapsulated address are the storage address of the flow control rule, so there are 2^26 storage addresses in total in the memory; one rule is stored in every 4 addresses, so the flow control rule storage capacity of each memory is 2^26/4. Since different rules can be stored in different memories, the rule storage capacity of the flow control device is n × 2^26/4, where n is the number of memories 210. Preferably, when the number of memories 210 is 12, the rule storage capacity of the flow control device is 12 × 2^26/4, that is, 201326592 rules, which meets the device's requirement for rule storage capacity, makes full use of the storage resources of the memories, and expands the rule storage capacity of the flow control device.
When the flow control device executes the read instruction, after the modules in the programmable device 100 perform the above steps, the flow control rule may be searched for in the corresponding storage address in the memory 210 in the memory group 200. The specific implementation of the memory 210 returning the output result to the rule matching module is as follows:
since the flow control rule is divided into several segments stored at different storage addresses, the output returned by each address of the memory 210 is one segment of the flow control rule. The control module 130 returns the flow control rule segments output by the memory 210 to the selection module 120. As shown in FIG. 8, the selection module 120 further includes a conversion submodule 122, which restores the flow control rule segments to the flow control rule. In the above example, memory 10 returns the segments A1, A2, A3, A4 of flow control rule A, control module 10 returns the segments to the conversion submodule 122, and the conversion submodule 122 restores the segments A1, A2, A3, A4 to flow control rule A.
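The address handling described above (memory selection per the FIG. 4 description, encapsulation per the FIG. 6 description, segment storage, read-back and the capacity figure), as an added Python example that is not part of the patent. Assumptions, labelled in the code: the auxiliary value is read in the order "bit 25, bit 26" so that the text's worked example yields memory 10, the control field sits at bits 29-34 and is treated as an opaque value, and segment A1 is the most significant 64 bits.

```python
# Added illustration of the storage rule described in the text (not the patent's code).
from typing import Dict, List, Optional

STORAGE_BITS = 28         # hash value used as the storage address: bits 0-27
SEGMENTS_PER_RULE = 4     # a 256-bit rule is split into four 64-bit words
NUM_MEMORIES = 12

# FIG. 4 as described: low 4 bits 0-5 and 8-13 select a memory directly ...
DIRECT = {**{v: v for v in range(0, 6)}, **{v: v - 2 for v in range(8, 14)}}
# ... while 6, 7, 14 and 15 select a group of three; the auxiliary value picks one.
AUX_BASE = {6: 0, 7: 3, 14: 6, 15: 9}


def select_memory(storage_addr: int) -> Optional[int]:
    """Return the target memory index, or None where the text defines no mapping."""
    if not 0 <= storage_addr < (1 << STORAGE_BITS):
        raise ValueError("storage address must fit in 28 bits")
    low4 = storage_addr & 0xF
    if low4 in DIRECT:
        return DIRECT[low4]
    # Assumption: auxiliary value read as "bit 25, bit 26", the reading that
    # reproduces the text's worked example (01 -> memory 10).
    aux = (((storage_addr >> 25) & 1) << 1) | ((storage_addr >> 26) & 1)
    if aux > 2:           # the text lists auxiliary values 0-2 only
        return None
    return AUX_BASE[low4] + aux


def encapsulate(storage_addr: int, control: int = 0) -> List[int]:
    """Build the four per-segment encapsulated addresses.

    bits 0-2    read-back bits, all 0
    bits 3-4    segment storage address bits
    bits 5-28   bits 4-27 of the storage address
    bits 29-34  control bits (assumed position; encoding not given in the text)
    """
    if not 0 <= control < 64:
        raise ValueError("control field is 6 bits wide")
    upper24 = (storage_addr >> 4) & ((1 << 24) - 1)
    return [(control << 29) | (upper24 << 5) | (seg << 3)
            for seg in range(SEGMENTS_PER_RULE)]


def word_address(encapsulated: int) -> int:
    """Bits 3-28 of the encapsulated address: the 26-bit address inside one memory."""
    return (encapsulated >> 3) & ((1 << 26) - 1)


def split_rule(rule: int) -> List[int]:
    """Split a 256-bit rule into A1..A4 (assumed most significant word first)."""
    if not 0 <= rule < (1 << 256):
        raise ValueError("rule must fit in 256 bits")
    return [(rule >> (64 * (3 - k))) & ((1 << 64) - 1) for k in range(4)]


def restore_rule(segments: List[int]) -> int:
    """Inverse of split_rule, as done by the conversion submodule."""
    rule = 0
    for seg in segments:
        rule = (rule << 64) | seg
    return rule


def write_rule(bank: List[Dict[int, int]], storage_addr: int, rule: int) -> int:
    """Write the four segments into the selected memory; return its index."""
    mem = select_memory(storage_addr)
    if mem is None:
        raise ValueError("no memory defined for this address")
    for enc, seg in zip(encapsulate(storage_addr), split_rule(rule)):
        bank[mem][word_address(enc)] = seg
    return mem


def read_rule(bank: List[Dict[int, int]], storage_addr: int) -> int:
    """Read the four segments back and restore the 256-bit rule."""
    mem = select_memory(storage_addr)
    if mem is None:
        raise ValueError("no memory defined for this address")
    return restore_rule([bank[mem][word_address(e)] for e in encapsulate(storage_addr)])


def rule_capacity(memories: int = NUM_MEMORIES) -> int:
    """n x 2^26 / 4 rules, as computed in the text."""
    return memories * (1 << 26) // SEGMENTS_PER_RULE


# Storage address i from the text, plus a constructed 256-bit sample rule.
ADDR_I = int("0100000000000000000000001111", 2)
SAMPLE_RULE = int.from_bytes(bytes(range(32)), "big")

if __name__ == "__main__":
    bank = [dict() for _ in range(NUM_MEMORIES)]
    print("rule A stored in memory", write_rule(bank, ADDR_I, SAMPLE_RULE))
    print("segment addresses:", [bin(word_address(e)) for e in encapsulate(ADDR_I)])
    print("round trip ok:", read_rule(bank, ADDR_I) == SAMPLE_RULE)
    print("capacity:", rule_capacity())
```

Under these assumptions the low 4 bits are not carried into the encapsulated address, so storage addresses 0 and 6 (auxiliary value 0) resolve to the same memory and the same words; the linked-list collision handling has to cover such pairs as well as equal hash values.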
In a preferred embodiment, as shown in FIG. 8, the programmable device 100 further includes an arbitration module 140, which supports reading several flow control rules simultaneously from the memory 210 corresponding to the arbitration module 140. The memory 210 may therefore output not only several segments of the same flow control rule but also segments of different flow control rules. In the above example, flow control rule A and flow control rule C are both stored in memory 10; arbitration module 10 corresponding to memory 10 supports reading flow control rule A and flow control rule C from memory 10 simultaneously, and memory 10 returns the segments of flow control rule A (A1, A2, A3, A4) and the segments of flow control rule C (C1, C2, C3, C4) at the same time. Since the rule matching module can only send/receive a single data path and cannot send/receive several data paths at the same time, the results returned on several paths need to be combined into a single result.
The conversion submodule 122 is used not only to restore the segments of each flow control rule to that flow control rule, but also to combine several restored flow control rules into one read result and return the read result to the rule matching module. In the above example, the conversion submodule restores the segments A1, A2, A3, A4 of flow control rule A to flow control rule A and the segments C1, C2, C3, C4 of flow control rule C to flow control rule C, then merges the restored flow control rule A and flow control rule C into a read result A+C and returns the read result A+C to the rule matching module.
In addition to the case above, where one memory returns several flow control rule segments at the same time, several memories may also return several flow control rule segments at the same time. To avoid directly processing large-bit-width data, the conversion submodule 122 preferably further includes first-level conversion submodules 1221 and a second-level conversion submodule 1222. Preferably, as shown in FIG. 9, when there are 12 memories 210 in the memory group 200 of the flow control device, there are 4 first-level conversion submodules 1221, each converting the parallel results returned by 3 memories into a first-level serial result; the second-level conversion submodule 1222 converts the 4 parallel first-level serial results produced by the first-level conversion submodules 1221 into a second-level serial result and returns it to the rule matching module 110. Converting the parallel data in two stages effectively avoids direct processing of large-bit-width data, saves programmable device resources, and optimizes timing. The two-stage conversion may, for example, convert 3 parallel results into one first-level serial result and then convert 4 first-level serial results into the second-level serial result, or convert 2 parallel results into one first-level serial result and then convert 6 first-level serial results into the second-level serial result; the invention is not limited in this respect.
In a preferred embodiment, the programmable device further includes a register (not shown) that stores a polling sequence number. The polling sequence number identifies the temporal order of the read instructions received by the rule matching module 110. Before parsing the storage address of a flow control rule, the rule matching module determines whether a polling sequence number exists in the register; if not, it stops parsing the storage address; if so, it adds the current polling sequence number to the parsed address. In the above example, the rule matching module 110 receives read instructions for the two flow control rules A and C in sequence. The rule matching module 110 first queries whether the register holds a polling sequence number; if so, it parses flow control rule A to obtain the storage address i, adds the current polling sequence number in the register to the storage address (if the number is 5, this gives 5i), and sends the storage address carrying the polling sequence number to the selection module 120. The rule matching module 110 then queries again whether the register holds a polling sequence number; if so, it parses flow control rule C to obtain the storage address k, adds the current polling sequence number in the register to the storage address (if the number is 6, this gives 6k), and sends the storage address carrying the polling sequence number to the selection module 120. The subsequent steps are as described above and are not repeated.
When the memory 210 returns the output result to the rule matching module, the process is as described above, and in the read result merged by the conversion submodule 122 each restored flow control rule carries its polling sequence number. In the above example, the conversion submodule 122 merges the restored flow control rule A and flow control rule C into 5A+6C, or possibly into 6C+5A; the order of the flow control rules in the read result depends on the order in which the conversion submodule obtains the restored flow control rules. For example, although the flow control device executes the read instruction for flow control rule A first and the read instruction for flow control rule C second, the memory 210 may return the query result for flow control rule C first, so that the finally merged read result is 6C+5A. To ensure that the result of the read instruction sent first is output first, the rule matching module, when reading the read result, reads the restored flow control rules in ascending order of the polling sequence number carried by each flow control rule in the read result. After the rule matching module has read the read results in sequence, the polling sequence number carried by the flow control rule is written into the register.
The invention provides a flow control device and method. The device comprises more than one memory. When a rule is written or read, the target memory is determined by the marked address bits in the rule's storage address, and the rule is written to or read from the storage address of the target memory. Different rules can therefore be stored in different memories, the storage resources of the memories are fully used, and the rule storage capacity of the flow control device is expanded.
In addition, the present invention also provides a flow control method, which is applied to the above flow control device and is implemented as follows:
after receiving a read/write instruction, parsing a storage address to be read/written;
determining, according to a customized storage rule, a target memory matched with the storage address and a target address of the flow control rule to be read/written; the storage rule defines the address bits of the storage address that represent a memory identifier and the address bits that represent the address of a flow control rule, and the number of address bits of the memory identifier is determined by the number of memories;
and controlling the target memory to read/write the flow control rule to be read/written at the target address.
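A software model of the address split used by the method, as an added example that is not the patent's own implementation. It uses the 28-bit address and the 4th, 25th and 26th low-order identifier bits given in claim 3; counting those bits from 1 at the least significant bit and packing the remaining 25 bits into the target address are assumptions, and `split_address` and `MemoryGroup` are hypothetical names.

```python
ADDR_BITS = 28
# Assumption: "4th, 25th and 26th" low bits are 1-based, so bit indices 3, 24, 25.
MEM_ID_BITS = (3, 24, 25)

def split_address(addr, id_bits=MEM_ID_BITS, width=ADDR_BITS):
    """Return (memory_id, target_address) for one storage address."""
    if not 0 <= addr < (1 << width):
        raise ValueError("storage address does not fit in %d bits" % width)
    mem_id = target = out = 0
    for bit in range(width):
        value = (addr >> bit) & 1
        if bit in id_bits:
            # Identifier bits select the memory.
            mem_id |= value << id_bits.index(bit)
        else:
            # Remaining bits are packed into the address inside that memory.
            target |= value << out
            out += 1
    return mem_id, target

class MemoryGroup:
    """One dict per memory, standing in for the memories behind the control modules."""
    def __init__(self, id_bits=MEM_ID_BITS):
        self.id_bits = id_bits
        self.memories = [dict() for _ in range(1 << len(id_bits))]

    def write(self, addr, rule):
        mem_id, target = split_address(addr, self.id_bits)
        self.memories[mem_id][target] = rule
        return mem_id, target

    def read(self, addr):
        mem_id, target = split_address(addr, self.id_bits)
        return self.memories[mem_id].get(target)

# Constructed sample addresses for rules A and C.
SAMPLE = {"A": 0x0000017, "C": 0x100001F}

def demo():
    group = MemoryGroup()
    placed = {name: group.write(addr, name) for name, addr in SAMPLE.items()}
    return group, placed

if __name__ == "__main__":
    print(demo()[1])
```

The two sample rules end up at the same target address but in different memories, which is the capacity gain the description claims: the identifier bits spread rules across memories instead of colliding in one.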

Claims (10)

1. A flow control device is characterized by comprising a programmable device and a memory group which are sequentially connected, wherein at least two memories are arranged in the memory group; the programmable device is loaded with rule matching modules, selection modules and control modules, and the number of the control modules is the same as that of the memories;
the rule matching module is used for analyzing a storage address to be read/written after receiving a read/write instruction;
the selection module is used for determining a target memory matched with the storage address and a target address of the flow control rule to be read/written according to a self-defined storage rule; the storage rule defines the address bits of the storage address that represent a memory identifier and the address bits that represent the address of a flow control rule, wherein the number of address bits of the memory identifier is determined by the number of the memories;
and the control module is used for controlling the target memory to read/write the flow control rule to be read/written on the target address.
2. The device according to claim 1, wherein the storage address parsed by the rule matching module is a hash value of quintuple information of the flow control rule;
the flow control rule comprises quintuple information, a quintuple interest bit and user priority;
the quintuple information is a source IP address, a destination IP address, a source port, a destination port and a transport layer protocol.
3. The apparatus of claim 2, wherein the flow control rules comprise IPv4 and IPv6 rules, wherein the memory address has 28 address bits, and wherein the address bits characterizing the memory identification are the 4th, 25th and 26th lower bits of the memory address.
4. The device of claim 3, wherein the flow control rule is split into at least two segments, each segment being stored in a different address of a memory, and wherein the selection module comprises an encapsulation submodule configured to determine a target memory and encapsulate the memory address based on the customized memory rule, and wherein the customized memory rule is further configured to define address bits as read-back bits, address bits characterizing the memory address, address bits of the memory address of each segment of the flow control rule, and address bits as control bits.
5. The apparatus according to claim 4, wherein the encapsulation sub-module is further configured to generate a new read/write instruction according to the storage address and the storage address of each segment of the flow control rule, and send the new read/write instruction to the control module corresponding to each target memory.
6. The apparatus according to claim 5, wherein when the rule matching module executes a read instruction, the control module is further configured to return a fragment of the read flow control rule, and the selection module further includes a conversion sub-module, and the conversion sub-module is configured to restore the fragment of the flow control rule to the flow control rule and merge at least one restored flow control rule into a read result, and return the read result to the rule matching module.
7. The device of claim 6, wherein when the rule matching module executes a read command, the rule matching module is further configured to add a current polling sequence number to the parsed storage address, where the polling sequence number is used to identify a time sequence of the read command received by the rule matching module; the read result carries the polling serial number corresponding to each restored flow control rule, and the rule matching module is further used for sequentially reading each restored flow control rule according to the polling serial number.
8. The apparatus of claim 7, wherein the programmable device further comprises a register, wherein the polling sequence number is stored in the register; the rule matching module is further configured to:
before adding the current polling sequence number to the parsed storage address, determining that the polling sequence number exists in the register, and if the polling sequence number does not exist, stopping parsing the storage address; and
after reading the read results in sequence according to the polling sequence numbers, writing the polling sequence numbers into the register.
9. The device according to claim 1, wherein when the rule matching module executes a write instruction, the rule matching module is further configured to obtain a flow control rule to be written, and send the flow control rule to the selection module; the control module is further configured to obtain the flow control rule from the selection module and write the flow control rule into the target address.
10. A flow control method applied to the apparatus as claimed in any one of claims 1 to 9, the method comprising:
after receiving a read/write command, resolving a storage address to be read/written;
determining a target memory matched with the storage address and a target address of the flow control rule to be read/written according to a self-defined storage rule; the storage rule defines the address bits of the storage address that represent a memory identifier and the address bits that represent the address of a flow control rule, wherein the number of address bits of the memory identifier is determined by the number of the memories;
and controlling the target memory to read/write the flow control rule to be read/written on the target address.
CN202011205168.8A 2020-11-02 2020-11-02 Flow control equipment and method Active CN112511450B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011205168.8A CN112511450B (en) 2020-11-02 2020-11-02 Flow control equipment and method

Publications (2)

Publication Number Publication Date
CN112511450A CN112511450A (en) 2021-03-16
CN112511450B true CN112511450B (en) 2022-05-31

Family

ID=74954972

Country Status (1)

Country Link
CN (1) CN112511450B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant