CN113114594A - Strategy generation method and device and storage medium - Google Patents


Info

Publication number: CN113114594A
Authority: CN (China)
Prior art keywords: policy, strategy, data packet, basic, flow table
Legal status: Granted
Application number: CN202110308773.6A
Other languages: Chinese (zh)
Other versions: CN113114594B (en)
Inventors: 张小梅, 马铮, 张曼君
Current assignee: China United Network Communications Group Co Ltd
Original assignee: China United Network Communications Group Co Ltd
Application filed by China United Network Communications Group Co Ltd
Priority to CN202110308773.6A
Publication of CN113114594A
Application granted; publication of CN113114594B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 49/00 Packet switching elements
    • H04L 49/30 Peripheral units, e.g. input or output ports
    • H04L 49/3009 Header conversion, routing tables or routing tags
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 8/00 Arrangements for software engineering
    • G06F 8/30 Creation or generation of source code
    • G06F 8/31 Programming languages or programming paradigms

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the application discloses a policy generation method and device and a storage medium, and relates to the field of computer science. The method addresses the problem that, in the prior art, network-wide policy applications are difficult to write, test, debug and reuse because the combination process among policy modules lets the modules affect each other. The method comprises the following steps: acquiring a data packet, at least one basic policy corresponding to the data packet, and a preset combination mode of the at least one basic policy; executing the at least one basic policy on the data packet according to the preset combination mode to generate a policy flow table for the data packet; and calling a northbound interface of the SDN controller to issue the policy flow table to the corresponding switch through the southbound interface of the SDN controller, so that the switch forwards the data packet according to the policy flow table. The embodiment of the application is applied to a network system.

Description

Strategy generation method and device and storage medium
Technical Field
The embodiment of the application relates to the field of computer science, in particular to a policy generation method and device and a storage medium.
Background
In software-defined networking (SDN), each policy is represented as an application module running on the controller. To manage and control the network, multiple policies are usually combined to process the same traffic, which requires combining multiple policy modules. In the prior art, policies are mainly written in C and built with a conventional compiler; because the abstraction level of the language is low, the coupling with the hardware implementation of the underlying data plane is strong, and the combination process among policy modules lets the modules affect each other, network-wide policy applications are difficult to write, test, debug and reuse.
Disclosure of Invention
The application provides a strategy generation method and device and a storage medium, which can solve the problem that in the prior art, the strategy application of the whole network is difficult to write, test, debug and reuse because the combination processes among strategy modules are easy to influence each other.
In order to achieve the purpose, the technical scheme is as follows:
in a first aspect, a policy generation method is provided, where the method includes: acquiring a data packet, at least one basic strategy corresponding to the data packet and a preset combination mode of the at least one basic strategy; executing at least one basic strategy on the data packet according to a preset combination mode of the at least one basic strategy to generate a strategy flow table of the data packet; and calling a northbound interface of the SDN controller to issue the policy flow table to a corresponding switch through the southbound interface of the SDN controller, so that the switch transmits the data packet according to the policy flow table.
In the method, each basic policy is defined as a Python class, which raises the abstraction level of the policy, avoids the complexity of writing policies in C with a conventional compiler, and makes policies simpler to write, test and debug. In addition, the basic policies defined as Python classes are combined according to the preset combination mode, so that policies can be reused more easily without affecting each other during combination, and more complex and diverse policies can be built to meet user requirements.
In a second aspect, a policy generation apparatus is provided, the apparatus comprising an acquisition unit, a processing unit and a sending unit.
The acquisition unit is configured to acquire a data packet, at least one basic policy corresponding to the data packet, and a preset combination mode of the at least one basic policy; each basic policy is defined as a Python class.
And the processing unit is used for executing the at least one basic strategy on the data packet according to the preset combination mode of the at least one basic strategy acquired by the acquisition unit and generating a strategy flow table of the data packet.
And the sending unit is used for calling a northbound interface of the SDN controller to issue the policy flow table generated by the processing unit to a corresponding switch through the southbound interface of the SDN controller, so that the switch transmits the data packet according to the policy flow table.
It can be understood that, the policy generating apparatus provided above is configured to execute the method corresponding to the first aspect provided above, and therefore, the beneficial effects that can be achieved by the policy generating apparatus may refer to the beneficial effects of the method corresponding to the first aspect above and the beneficial effects of the corresponding schemes in the following detailed description, which are not described herein again.
In a third aspect, a policy generating apparatus is provided, where the policy generating apparatus includes a processor configured to execute program instructions, so that the policy generating apparatus executes the method of the first aspect.
In a fourth aspect, there is provided a computer readable storage medium having computer program code stored therein, which when run on a policy generation apparatus, causes the policy generation apparatus to perform the method of the first aspect described above.
In a fifth aspect, there is provided a computer program product having stored thereon the above-mentioned computer software instructions, which, when run on a policy generation apparatus, cause the policy generation apparatus to execute a program of the method of the above-mentioned first aspect.
Drawings
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Fig. 1 is a schematic structural diagram of a network system according to an embodiment of the present invention;
fig. 2 is a schematic hardware structure diagram of a communication device according to an embodiment of the present invention;
fig. 3 is a schematic flowchart of a policy generation method according to an embodiment of the present application;
fig. 4 is a second schematic flowchart of a policy generation method according to an embodiment of the present application;
fig. 5 is a third schematic flowchart of a policy generation method according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of a policy generation apparatus according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of a computer program product of a policy generation method according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments.
It should be noted that in the embodiments of the present application, words such as "exemplary" or "for example" are used to indicate examples, illustrations or explanations. Any embodiment or design described herein as "exemplary" or "e.g.," is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, use of the word "exemplary" or "such as" is intended to present concepts related in a concrete fashion.
It should be noted that in the embodiments of the present application, "of", "corresponding" and "corresponding" may be sometimes used in combination, and it should be noted that the intended meaning is consistent when the difference is not emphasized.
In the embodiments of the present application, the terms "first", "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more of that feature. In the description of the present application, "a plurality" means two or more unless otherwise specified.
SDN is a new network architecture. Using the OpenFlow protocol, the control plane of the switch is separated from the data plane and implemented in software, which makes centralized management of the control planes scattered across network devices possible. In SDN, each network or security policy is represented as an application module running on the controller. To manage and control the network, multiple policies are usually combined to process the same traffic, which requires combining multiple policy modules. In the prior art, policies are mainly written in C and built with a conventional compiler; because the abstraction level of the language is low, the coupling with the hardware implementation of the underlying data plane is strong, and the combination process among policy modules lets the modules affect each other, network-wide policy applications are difficult to write, test, debug and reuse.
Therefore, the embodiments of the present application provide a policy generation method to solve the above technical problem. First, referring to fig. 1, an embodiment of the present invention provides a schematic structural diagram of a network system, where the system includes a policy generation device 11, an SDN controller 12, and a switch 13. Wherein, the policy generation device 11 communicates with the SDN controller 12 through a northbound interface provided by the SDN controller 12; the switch 13 communicates with the SDN controller 12 through a southbound interface provided by the SDN controller 12.
The policy generation means 11 may be a stand-alone computer device, such as a server; or a chip in a computer device.
Optionally, the devices mentioned in the embodiment of the present application, such as the policy generation apparatus 11, the SDN controller 12, and the switch 13, may be implemented by the communication device shown in fig. 2.
The communication device includes a processor 21, a communication bus 24, and at least one transceiver (illustrated in fig. 2 as including transceiver 23 for exemplary purposes only).
Processor 21 may include one or more processing units, such as: the processor 21 may include an Application Processor (AP), a modem processor, a Graphics Processing Unit (GPU), an Image Signal Processor (ISP), a Video Processing Unit (VPU) controller, a memory, a video codec, a Digital Signal Processor (DSP), a baseband processor, and/or a neural-Network Processing Unit (NPU), etc. The different processing units may be separate devices or may be integrated into one or more processors.
The controller can be a neural center and a command center of the communication device. The controller can generate an operation control signal according to the instruction operation code and the timing signal to complete the control of instruction fetching and instruction execution.
A memory may also be provided in processor 21 for storing instructions and data. In some embodiments, the memory in the processor 21 is a cache memory. The memory may hold instructions or data that have just been used or recycled by the processor 21. If the processor 21 needs to use the instruction or data again, it can be called directly from the memory. Avoiding repeated accesses reduces the latency of the processor 21 and thus increases the efficiency of the system.
In some embodiments, the processor 21 may include one or more interfaces. The interface may include an integrated circuit (I2C) interface, a universal asynchronous receiver/transmitter (UART) interface, a Mobile Industry Processor Interface (MIPI), a general-purpose input/output (GPIO) interface, a Subscriber Identity Module (SIM) interface, and/or a Universal Serial Bus (USB) interface, a Serial Peripheral Interface (SPI) interface, and/or the like.
The communication bus 24 may include a path to transfer information between the aforementioned components.
The transceiver 23 may be any device, such as a transceiver, for communicating with other devices or communication networks, such as an ethernet, a Radio Access Network (RAN), a Wireless Local Area Network (WLAN), etc.
Optionally, the communication device may also include a memory 22.
The memory 22 may be, but is not limited to, a read-only memory (ROM) or other type of static storage device that can store static information and instructions, a Random Access Memory (RAM) or other type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disk read-only memory (CD-ROM) or other optical disk storage, optical disk storage (including compact disk, laser disk, optical disk, digital versatile disk, blu-ray disk, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory may be self-contained and coupled to the processor via a communication bus 24. The memory may also be integral to the processor.
The memory 22 is used to store the computer-executable instructions that implement the scheme of the application, and their execution is controlled by the processor 21. The processor 21 is configured to execute the computer-executable instructions stored in the memory 22 so as to implement the policy generation method provided by the following embodiments of the present application.
Optionally, the computer-executable instructions in the embodiment of the present invention may also be referred to as application program codes, which is not specifically limited in this embodiment of the present invention.
In particular implementations, processor 21 may include one or more CPUs such as CPU0 and CPU1 in fig. 2, for example, as one embodiment.
In particular implementations, the communication device may include multiple processors, such as processor 21 and processor 25 in fig. 2, for example, as an example. Each of these processors may be a single-core (single-CPU) processor or a multi-core (multi-CPU) processor. A processor herein may refer to one or more devices, circuits, and/or processing cores for processing data (e.g., computer program instructions).
The following specifically explains the technical solution provided by the embodiments of the present application with a policy generation apparatus as an execution subject, with reference to the drawings of the specification.
The technical principle of the policy generation method provided by the embodiment of the application is as follows: first, one or more basic policies defined as Python classes and corresponding to a data packet are acquired, together with a preset combination mode, serial or parallel, of those basic policies; the policies are executed on the data packet according to the serial or parallel combination mode to obtain a policy flow table for the data packet, and a northbound interface of the SDN controller is called so that the policy flow table is issued to the switch through the southbound interface of the SDN controller. This solves the prior-art problem that network-wide policy applications are difficult to write, test, debug and reuse because the combination processes among policy modules let the modules affect each other.
Referring to fig. 3, a policy generation method provided in the embodiment of the present invention specifically includes:
S31: the policy generation device acquires the data packet, at least one basic policy corresponding to the data packet, and a preset combination mode of the at least one basic policy; each basic policy is defined as a Python class.
Illustratively, the packet is received by the switch and transmitted to the policy generation device through a southbound interface and a northbound interface of the SDN controller.
In the method, policies are represented by classes, and every policy is a subclass of the policy class. After basic policies are combined in a preset combination mode, the resulting new policy is still a subclass of the policy class.
Optionally, the basic policy is any one of drop, identity, modify, fwd, match and flood, where drop discards the input packet directly; identity passes the input packet through unprocessed; modify(f=v) rewrites the input packet, setting the value of field f to v; fwd forwards the input packet out of a designated port of the switch; match filters the input packets, returning all packets whose field f has the value v; and flood performs flooding.
Illustratively, the following is explained with respect to the basic policy described above:
1) drop is the simplest basic policy. After it is executed on the input packet the output is the empty set, that is, the input packet is discarded directly.
2) identity leaves the input packet unprocessed; the output is the packet set {p}, where p is the input packet. identity is mainly used in combination with other basic policies.
3) modify(f=v) rewrites the input packet: the value of field f is set to v and the modified packet is output as a set containing that single packet. modify is a subclass of the policy class with a map member holding every field name f to be modified and its new value v. When the modify policy is executed, for every (f, v) in the map the value of field f in the input packet is set to v.
4) fwd(port) forwards the input packet out of the designated switch port, where port is the designated egress port. Its output is the packet set {p'}, where p' is identical to the input packet p except that the egress port of p' is set to port. fwd is a special case of modify: fwd(port) is equivalent to a modify that sets the egress-port field to port.
5) match(f=v) filters the input packets and returns every packet whose field f has the value v. match is a subclass of the policy class with a map member holding every field name f and value v to be matched. When the match policy is executed, it returns the set of input packets whose field f equals v for every (f, v) in the map.
6) flood performs flooding. The output packet set contains several copies of the packet p, and the egress port of each copy corresponds to one port of the switch other than the ingress port. A topology module generates a minimum spanning tree of the whole network and updates the flood policy whenever the structure of the spanning tree changes: each switch on the spanning tree forwards a received packet out of every spanning-tree port except the ingress port.
S32: the policy generation device executes the at least one basic policy on the data packet according to the preset combination mode of the at least one basic policy, and generates a policy flow table for the data packet.
Specifically, the preset combination mode is any one of a serial combination mode and a parallel combination mode.
For example, let A and B be two policies. When policy C is the serial combination of A and B, it is written C = A >> B. Evaluating this expression proceeds as follows: first A is executed to obtain its result; that result is used as the input of B, and B is executed to obtain its result; the result of B is the final result of A >> B, i.e. C. When policy C is the parallel combination of A and B, it is written C = A + B. Evaluating this expression proceeds as follows: A and B are executed separately, each on the original input, to obtain their respective results; the results of A and B are then merged to obtain the final result of A + B, i.e. C.
S33: the policy generation device calls a northbound interface of the SDN controller to issue the policy flow table to the corresponding switch through the southbound interface of the SDN controller, so that the switch forwards the data packet according to the policy flow table.
Further, the policy generation apparatus according to the embodiment of the present invention constructs a Python-based network and security function formal description language (PyNPPL) operation framework, where various network and security policies (including a base policy and other policies combined according to multiple base policies) are defined based on Python; such as traffic monitoring, route forwarding, or firewalls, etc.; the PyNPPL operation framework explains the network and the security policies to generate a policy flow table, and the policy flow table is issued to a switch in the SDN network through a southbound interface such as OpenFlow by calling a northbound interface provided by the SDN controller.
In the method, the basic strategy is defined by using a Python type mode, so that the abstract level of the strategy is improved, the complexity caused by adopting a C language which is a traditional compiler to compile the strategy is avoided, and the strategy is simpler and more convenient to compile, test and debug. In addition, the basic strategies defined by the Python type mode are combined and utilized according to the preset combination mode, so that the reuse of the strategies is easier to realize on the premise that the strategies cannot be influenced mutually in the strategy combination process, and more complex and diversified strategies are obtained to meet the requirements of users.
In an implementation manner, referring to fig. 4 in combination with fig. 3, when the preset combination manner between the policies is a serial combination manner, S32 specifically includes:
S321a: based on a first preset rule, the policy generation device executes the at least one basic policy on the data packet sequentially in a preset order and generates a policy flow table for the data packet; the first preset rule is that the result of executing the former policy is used as the input of the latter policy.
Illustratively, an eval method is defined in the policy class; it receives a parameter p, which is a set of packets, and returns the packet set p1 obtained after execution. When an object of a policy class is executed, the eval method of that object is invoked. The initial parameter p is the packet reported by the switch through the SDN controller, and the packet set p1 returned by eval is the output of executing the policy.
In practical application, overloading the right-shift operator (>>) of the policy class implements the serial operator of the network and security function formal description language. The execution, in Python, of the serial combination c3 = c1 >> c2 of policies c1 and c2 is defined by the following equation:
c3.eval(p) = c2.eval(c1.eval(p))
Further, the serial combination mode is implemented mainly by a sequential class and an overload of the right-shift operator, explained as follows:
The sequential class is a subclass of the policy class in which a policies member is defined to store the individual policies that are combined serially. When a sequential object is executed, all policies in the policies member are executed in order, the result of each policy being used as the input of the next, and the result of the last policy is returned.
In addition, to implement ">>" of the network and security function formal description language, the embodiment of the invention overloads the right-shift method in the policy class. Four cases are distinguished:
1) When neither of the two serially combined policies c1 and c2 is of the sequential class, the right-shift method returns a new policy of the sequential class whose policies member holds the two serially combined policies in order; that is, for c3 = c1 >> c2, c1 and c2 are added to the policies member of the new sequential object.
2) When only the former policy c1 in the serial combination c1 >> c2 is of the sequential class, the latter policy c2 is appended to the end of the policies member of c1 and c1 is returned.
3) When only the latter policy c2 in the serial combination c1 >> c2 is of the sequential class, the right-shift method returns a new policy of the sequential class whose policies member holds the former policy c1 followed by the policies member of c2.
4) When both c1 and c2 are of the sequential class, the policies in the policies member of the latter are appended to the end of the policies member of the former, and the former is returned.
It should be noted that, the above-mentioned serial combination manner of two policies is only exemplarily described, but the embodiment of the present application is not limited to two policies, and may also be more than 3 policies, and its implementation manner may refer to the serial combination manner of the two policies, and is not described herein again.
In the implementation mode, at least one strategy is combined in a serial mode to obtain the final execution result of the data packet, and a user does not need to combine a plurality of strategy modules manually, so that the workload of the user is reduced.
In an implementation manner, referring to fig. 5 in combination with fig. 3, when the preset combination manner between the policies is a parallel combination manner, S32 specifically includes:
S322a: the policy generation device executes each policy of the at least one basic policy on the data packet in parallel and generates an execution result for each policy.
S322b: the policy generation device merges the execution results of all the policies and generates a policy flow table for the data packet.
In practical application, overloading the addition operator (+) of the policy class implements the parallel operator of the network and security function formal description language. The execution, in Python, of the parallel combination c3 = c1 + c2 of policies c1 and c2 is defined by the following equation:
c3.eval(p) = c1.eval(p) ∪ c2.eval(p)
Illustratively, the parallel operator is implemented mainly by a parallel class and an overload of the addition operator. The parallel class is a subclass of the policy class in which a policies member is defined to store the individual policies that are combined in parallel. When a parallel object is executed, all policies in the policies member are executed in turn, each on the same input, their results are collected, and the merged result is returned.
To implement "+" of the network and security function formal description language, the embodiment of the invention overloads the addition method in the policy class. When neither of the two policies combined in parallel is of the parallel class, the addition method returns a new policy of the parallel class whose policies member holds the two combined objects. When only one is of the parallel class, the other policy is added to the policies member of that parallel object and the parallel object is returned. When both are of the parallel class, the policies in the policies member of the latter are added to the policies member of the former, and the former is returned.
It should be noted that the parallel combination manner is only described above by way of example for two policies; the embodiment of the present application is not limited to two policies and may also combine more than 3 policies, the implementation of which follows the parallel combination manner of two policies and is not described here again.
In this implementation, at least one policy is combined in a parallel manner to obtain the final execution result for the data packet, and the user does not need to combine multiple policy modules manually, so the user's workload is reduced.
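The mechanism described above, written out as an added example that is not the patent's own code: a Policy base class whose overloaded "+" implements the three cases of the parallel operator, a Parallel subclass whose eval returns the union of its members' results, and, going one step beyond this section, the serial combination as well (spelled ">>" here, an assumed operator name) together with four of the basic policies, so a combined policy can be evaluated end to end. The frozenset packet representation, the with_field helper, the Sequential class and the port numbers in the scenario are assumptions.

```python
from __future__ import annotations

# A packet is a frozenset of (field, value) pairs: hashable, so results of
# different policies can be unioned; "port" holds the switch port (assumed).
Packet = frozenset

def with_field(pkt: Packet, name: str, value) -> Packet:
    """Return a copy of pkt with field `name` rewritten to `value`."""
    return frozenset({**dict(pkt), name: value}.items())

class Policy:
    """Base policy class: eval(pkt) returns the set of packets it produces."""

    def eval(self, pkt: Packet) -> set[Packet]:
        raise NotImplementedError

    def __add__(self, other: Policy) -> Parallel:
        # Overloaded "+" is the parallel operator; the three cases mirror the
        # description above: merge two Parallels, extend one, or create one.
        if isinstance(self, Parallel) and isinstance(other, Parallel):
            self.policies.extend(other.policies)
            return self
        if isinstance(self, Parallel):
            self.policies.append(other)
            return self
        if isinstance(other, Parallel):
            other.policies.insert(0, self)
            return other
        return Parallel([self, other])

    def __rshift__(self, other: Policy) -> Sequential:
        # Serial combination (">>" is an assumed spelling): the result of the
        # former policy becomes the input of the latter.
        return Sequential(self, other)

class Parallel(Policy):
    def __init__(self, policies):
        self.policies = list(policies)

    def eval(self, pkt: Packet) -> set[Packet]:
        result: set[Packet] = set()
        for p in self.policies:      # every member sees the same input packet
            result |= p.eval(pkt)    # c3.eval(p) = c1.eval(p) ∪ c2.eval(p)
        return result

class Sequential(Policy):
    def __init__(self, first: Policy, second: Policy):
        self.first, self.second = first, second

    def eval(self, pkt: Packet) -> set[Packet]:
        result: set[Packet] = set()
        for out in self.first.eval(pkt):
            result |= self.second.eval(out)
        return result

# Basic policies named in the text (flood is omitted here), as Policy subclasses.
class drop(Policy):
    def eval(self, pkt): return set()

class identity(Policy):
    def eval(self, pkt): return {pkt}

class modify(Policy):
    def __init__(self, f, v): self.f, self.v = f, v
    def eval(self, pkt): return {with_field(pkt, self.f, self.v)}

class fwd(Policy):
    def __init__(self, port): self.port = port
    def eval(self, pkt): return {with_field(pkt, "port", self.port)}

class match(Policy):
    def __init__(self, f, v): self.f, self.v = f, v
    def eval(self, pkt): return {pkt} if dict(pkt).get(self.f) == self.v else set()

def mirror_to_ids_example() -> set[Packet]:
    """Constructed scenario: deliver traffic for 10.0.0.2 on port 2 and, in
    parallel, mirror every packet to an IDS listening on port 3."""
    pkt = frozenset({"src": "10.0.0.1", "dst": "10.0.0.2", "port": 1}.items())
    deliver = match("dst", "10.0.0.2") >> fwd(2)
    return (deliver + fwd(3)).eval(pkt)
```

Because "+" mutates and returns the left-hand Parallel instance, a chain such as a + b + c keeps a single flat policies list rather than nesting Parallel objects.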
In the embodiment of the present application, the policy generation apparatus may be divided into functional modules according to the method embodiment, for example, each functional module may be divided for each function, or two or more functions may be integrated into one processing module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. It should be noted that, in the embodiment of the present application, the division of the module is schematic, and is only one logic function division, and there may be another division manner in actual implementation.
Fig. 6 is a schematic structural diagram of a policy generating apparatus 11 according to an embodiment of the present application. The policy generation apparatus 11 specifically includes an acquisition unit 601, a processing unit 602, and a sending unit 603.
Specifically, the obtaining unit 601 is configured to obtain a data packet, at least one basic policy corresponding to the data packet, and a preset combination manner of the at least one basic policy; the basic policy is defined in the form of a Python class.
The processing unit 602 is configured to execute at least one basic policy on the data packet according to the preset combination manner of the at least one basic policy acquired by the acquiring unit 601, and generate a policy flow table of the data packet.
The sending unit 603 is configured to invoke the northbound interface of the software-defined network (SDN) controller and send the policy flow table generated by the processing unit 602 to the corresponding switch through the southbound interface of the SDN controller, so that the switch transmits the data packet according to the policy flow table.
Optionally, the preset combination mode is any one of a serial combination mode and a parallel combination mode.
Optionally, in a case that the preset combination manner is a serial combination manner, the processing unit 602 is specifically configured to sequentially execute the at least one basic policy on the data packet in a preset order based on a first preset rule, and generate a policy flow table of the data packet; the first preset rule is that the result of executing the former policy is used as the input for executing the latter policy.
Optionally, in a case that the preset combination manner is a parallel combination manner, the processing unit 602 is specifically configured to execute each policy of the at least one basic policy in parallel on the data packet, and generate an execution result of each policy.
The processing unit 602 is further configured to merge the execution results of all policies and generate a policy flow table of the data packet.
Optionally, the basic policy is any one of drop, identity, modify, fwd, match, and flood, where drop means directly dropping the input data packet; identity means passing the input data packet through unchanged; modify means modifying the input data packet by setting the value of the field named f to v; fwd means forwarding the input data packet out of a designated port of the switch; match means filtering the data packets and returning all data packets whose field named f has the value v; and flood means flooding.
Of course, the policy generating device 11 provided in the embodiment of the present application includes, but is not limited to, the above modules, for example, the policy generating device 11 may further include the storage unit 604. The storage unit 604 may be used for storing the program code of the policy generating device 11, and may also be used for storing data generated by the policy generating device 11 during operation, such as data in a write request.
Here, the system architecture and the service scenario described in the embodiment of the present application are for more clearly illustrating the technical solution of the embodiment of the present application, and do not constitute a limitation to the technical solution provided in the embodiment of the present application, and it is known by a person of ordinary skill in the art that the technical solution provided in the embodiment of the present application is also applicable to similar technical problems along with the evolution of the network architecture and the appearance of a new service scenario.
Fig. 7 schematically illustrates a conceptual partial view of a computer program product comprising a computer program for executing a computer process on a computing device provided by an embodiment of the application.
In one embodiment, the computer program product is provided using a signal bearing medium 410. The signal bearing medium 410 may include one or more program instructions that, when executed by one or more processors, may provide the functions or portions of the functions described above with respect to fig. 2. Thus, for example, referring to the embodiment shown in fig. 2, one or more features of S21-S23 may be undertaken by one or more instructions associated with the signal bearing medium 410. Further, the program instructions shown in fig. 7 are also example instructions.
In some examples, signal bearing medium 410 may include a computer readable medium 411, such as, but not limited to, a hard disk drive, a Compact Disc (CD), a Digital Video Disc (DVD), a digital tape, a memory, a read-only memory (ROM), a Random Access Memory (RAM), or the like.
In some implementations, the signal bearing medium 410 may comprise a computer recordable medium 412 such as, but not limited to, a memory, a read/write (R/W) CD, a R/W DVD, and the like.
In some implementations, the signal bearing medium 410 may include a communication medium 413, such as, but not limited to, a digital and/or analog communication medium (e.g., a fiber optic cable, a waveguide, a wired communications link, a wireless communication link, etc.).
The signal bearing medium 410 may be conveyed by a wireless form of communication medium 413, such as a wireless communication medium compliant with the IEEE802.41 standard or other transport protocol. The one or more program instructions may be, for example, computer-executable instructions or logic-implementing instructions.
In some examples, a policy generation apparatus such as described with respect to fig. 6 may be configured to provide various operations, functions, or actions in response to being programmed by one or more of computer readable medium 411, computer recordable medium 412, and/or communication medium 413.
Through the above description of the embodiments, it is clear to those skilled in the art that, for convenience and simplicity of description, the foregoing division of the functional modules is merely used as an example, and in practical applications, the above function distribution may be completed by different functional modules according to needs, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the above described functions.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described device embodiments are merely illustrative, and for example, the division of the modules or units is only one logical functional division, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another device, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may be one physical unit or a plurality of physical units, that is, may be located in one place, or may be distributed in a plurality of different places. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a readable storage medium. Based on such understanding, the technical solutions of the embodiments of the present application may be essentially or partially contributed to by the prior art, or all or part of the technical solutions may be embodied in the form of a software product, where the software product is stored in a storage medium and includes several instructions to enable a device (which may be a single chip, a chip, or the like) or a processor (processor) to execute all or part of the steps of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: various media capable of storing program codes, such as a U disk, a removable hard disk, a ROM, a RAM, a magnetic disk, or an optical disk.
The above description is only an embodiment of the present application, but the scope of the present application is not limited thereto, and any changes or substitutions within the technical scope of the present disclosure should be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (13)

1. A policy generation method, comprising:
acquiring a data packet, at least one basic strategy corresponding to the data packet and a preset combination mode of the at least one basic strategy; the basic strategy is defined in the form of a Python class;
executing the at least one basic strategy on the data packet according to a preset combination mode of the at least one basic strategy to generate a strategy flow table of the data packet;
calling a northbound interface of a Software Defined Network (SDN) controller to issue the policy flow table to a corresponding switch through the southbound interface of the SDN controller, so that the switch transmits the data packet according to the policy flow table.
2. The policy generation method according to claim 1, wherein the preset combination mode is any one of a serial combination mode and a parallel combination mode.
3. The method according to claim 1 or 2, wherein, when the preset combination mode is a serial combination mode, the executing the at least one basic policy on the packet according to the preset combination mode of the at least one basic policy to generate the policy flow table of the packet includes:
based on a first preset rule, sequentially executing the at least one basic strategy on the data packet according to a preset sequence, and generating a strategy flow table of the data packet; the first preset rule is that the result of executing the former strategy is used as the input of executing the latter strategy.
4. The method according to claim 1 or 2, wherein, when the preset combination manner is a parallel combination manner, the executing the at least one basic policy on the packet according to the preset combination manner of the at least one basic policy to generate the policy flow table of the packet includes:
executing each strategy in the at least one basic strategy in parallel on the data packet to generate an execution result of each strategy;
and combining the execution results of all the strategies to generate a strategy flow table of the data packet.
5. The policy generation method according to claim 1, wherein the base policy comprises: any one of drop, identity, modify, fwd, match, and flood;
wherein drop represents directly dropping the input data packet; identity represents passing the input data packet through unchanged; modify represents modifying the input data packet by setting the value of the field named f to v; fwd represents forwarding the input data packet out of a designated port of the switch; match represents filtering the data packets and returning all data packets whose field named f has the value v; and flood represents flooding.
6. A policy generation apparatus, comprising:
the device comprises an acquisition unit, a processing unit and a sending unit, wherein the acquisition unit is used for acquiring a data packet, at least one basic strategy corresponding to the data packet and a preset combination mode of the at least one basic strategy; the basic strategy is defined in the form of a Python class;
the processing unit is used for executing the at least one basic strategy on the data packet according to the preset combination mode of the at least one basic strategy acquired by the acquiring unit and generating a strategy flow table of the data packet;
and the sending unit is used for calling a northbound interface of a Software Defined Network (SDN) controller to send the strategy flow table generated by the processing unit to a corresponding switch through a southbound interface of the SDN controller, so that the switch transmits the data packet according to the strategy flow table.
7. The policy generation apparatus according to claim 6, wherein the preset combination mode is any one of a serial combination mode and a parallel combination mode.
8. The policy generation apparatus according to claim 6 or 7, wherein, in the case where the preset combination is a serial combination,
the processing unit is specifically configured to sequentially execute the at least one basic policy on the data packet according to a preset sequence based on a first preset rule, and generate a policy flow table of the data packet; the first preset rule is that the result of executing the former strategy is used as the input of executing the latter strategy.
9. The policy generation apparatus according to claim 6 or 7, wherein, in the case where the preset combination is a parallel combination,
the processing unit is specifically configured to execute each policy of the at least one basic policy in parallel on the data packet, and generate an execution result of each policy;
the processing unit is further configured to combine execution results of all policies and generate a policy flow table of the data packet.
10. The policy generation apparatus according to claim 6, wherein the base policy comprises: any one of drop, identity, modify, fwd, match, and flood;
wherein drop represents directly dropping the input data packet; identity represents passing the input data packet through unchanged; modify represents modifying the input data packet by setting the value of the field named f to v; fwd represents forwarding the input data packet out of a designated port of the switch; match represents filtering the data packets and returning all data packets whose field named f has the value v; and flood represents flooding.
11. A policy generation apparatus, characterized in that the structure of the policy generation apparatus comprises a processor for executing program instructions to make the policy generation apparatus execute the policy generation method according to any one of claims 1 to 5.
12. A computer-readable storage medium, having stored therein computer program code which, when run on a policy generation apparatus, causes the policy generation apparatus to perform a policy generation method according to any one of claims 1-5.
13. A computer program product having stored thereon computer software instructions for causing a policy generation means to perform a policy generation method according to any one of claims 1 to 5 when said computer software instructions are run on said policy generation means.
CN202110308773.6A 2021-03-23 2021-03-23 Strategy generation method and device and storage medium Active CN113114594B (en)
Publications (2)

Publication Number Publication Date
CN113114594A true CN113114594A (en) 2021-07-13
CN113114594B CN113114594B (en) 2023-04-07