CN115277605B - Message processing method and device of virtual switch, chip and electronic equipment - Google Patents
Message processing method and device of virtual switch, chip and electronic equipment Download PDFInfo
- Publication number
- CN115277605B CN115277605B CN202210885268.2A CN202210885268A CN115277605B CN 115277605 B CN115277605 B CN 115277605B CN 202210885268 A CN202210885268 A CN 202210885268A CN 115277605 B CN115277605 B CN 115277605B
- Authority
- CN
- China
- Prior art keywords
- message
- flow table
- connection
- processing
- state
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L49/00—Packet switching elements
- H04L49/25—Routing or path finding in a switch fabric
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L49/00—Packet switching elements
- H04L49/70—Virtual switches
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/22—Parsing or analysis of headers
Abstract
The application provides a message processing method and device, a chip and electronic equipment of a virtual switch, wherein a state flow table is arranged on a fast path for matching messages, registered connected messages are matched once on the fast path, and the connection state of the messages is updated and the messages are processed according to preset processing rules; for the unregistered connected message, registering the state of the connection to which the message belongs in a slow path, acquiring a preset processing rule, and processing the message according to the preset processing rule. The virtual switch is realized to support the virtual firewall functionally and avoid repeated processing of the message, namely, matching and processing are completed once for the same message. The method overcomes the defect that network performance rollback of the virtual switch can be caused when the virtual switch is introduced into the security group function. Improving the network performance of the virtual switch. And because the message can be matched and processed at one time, complex hardware resources are not needed to realize the support of hardware unloading.
Description
Technical Field
The present application relates to the field of network data processing technologies, and in particular, to a method and apparatus for processing a packet in a virtual switch, a chip, and an electronic device.
Background
Currently in a virtualized on cloud scenario, a security group product needs to be provided for each virtual machine. The security group is a virtual firewall, and the virtual firewall can judge which messages can enter and exit the virtual machine according to rules configured by a user, so that basic protection capability is provided for the virtual machine, and the security of the virtual machine instance is improved.
Firewalls include stateless firewalls and stateful firewalls. Stateless firewalls can only filter, block, and pass messages through their tuples. The tuple of the message comprises a source IP address, a destination IP address, a source port, a destination port and a network protocol. Stateless firewalls do not care what state the current network connection is in. Compared with a stateless firewall, the stateful firewall has the advantages that the identification of the current network connection state is increased, and the message is filtered, blocked and released by synchronously using the tuple of the message. The identification of the network connection status is typically achieved by the CT module (connection tracker). In order to provide programmability for users, the security group scheme implemented based on the CT module splits connection tracking into two parts, namely matching (match) and action (action), so that a configuration mode can be provided for users to display specified messages to execute specific actions under specific connection states.
Such a scheme may provide good programmability, but the corresponding disadvantage is that the update of the connection state is in the action part. Specifically, after an action in a specific connection state is executed, the specific connection state is changed to a new connection state, and the action to be executed in the next step is confirmed based on the result of matching, since the action to be executed in the new connection state needs to be matched again. That is, the matching and processing cannot be completed once for the same message, the matching is required based on the initial connection state, the corresponding action is executed, the connection state is updated in the action, then the secondary matching is performed based on the new connection state, so as to find the action required to be executed correspondingly, and so on.
If a message is processed twice, receiving and processing a message corresponds to receiving two messages, and for OVS (Open vSwitch) virtual switches corresponds to doubling the pressure. The problem with this is that when the virtual switch turns on the security group function, the network performance of the virtual switch rolls back compared to without the security group function. The CT module is added to improve the functions and introduce the support of the security group functions, but the CT module also has influence on the network performance of the virtual switch, thereby causing performance rollback. Moreover, in terms of hardware offloading, complex hardware resources are required to enable support for hardware offloading.
Disclosure of Invention
The application provides a message processing method and device of a virtual switch, a chip, electronic equipment, a computer program product and a computer readable storage medium, which can overcome the technical defects in the prior art.
The technical scheme provided by the application comprises the following steps:
in a first aspect, the present application provides a method for processing a message of a virtual switch, where the method includes:
receiving and analyzing a message to extract tuple information of the message;
inquiring a flow table item of a stateful flow table according to tuple information of the message when the message is sent to a fast path for processing, wherein the stateful flow table is arranged on the fast path, and the flow table item of the stateful flow table comprises registered connection states and preset processing rules of the message corresponding to the connection;
if the flow table item in the stateful flow table is hit, updating the state of the connection to which the message belongs according to the hit flow table item, and processing the message according to the preset processing rule of the message;
if the flow table item of the stateful flow table is not hit, when the message is sent to a slow path for processing, registering the state of the connection to which the message belongs according to the tuple information of the message, and acquiring a preset processing rule of the message corresponding to the connection;
and processing the message according to the acquired preset processing rule of the message corresponding to the connection, and inserting the registered state of the connection to which the message belongs and the acquired preset processing rule of the message corresponding to the connection into the stateful flow table as a new flow table item.
In a second aspect, the present application provides a packet processing device of a virtual switch, including:
the receiving and analyzing module is used for receiving and analyzing the message so as to extract the tuple information of the message;
the query module is used for querying a flow table item of a stateful flow table according to the tuple information of the message when the message is sent to the fast path for processing, wherein the stateful flow table is arranged on the fast path, and the flow table item of the stateful flow table comprises the registered state of the connection and the preset processing rule of the message corresponding to the connection;
the updating module is used for updating the connection state of the message according to the hit flow table item if the flow table item in the stateful flow table is hit, and processing the message according to the preset processing rule of the message;
the registration and acquisition module is used for registering the state of the connection to which the message belongs according to the tuple information of the message when the message is sent to a slow path for processing if the flow entry of the stateful flow table is missed, and acquiring a preset processing rule of the message corresponding to the connection;
the processing and inserting module is used for processing the message according to the acquired preset processing rule of the message corresponding to the connection, and inserting the registered state of the connection to which the message belongs and the acquired preset processing rule of the message corresponding to the connection into the stateful flow table as a new flow table item.
In a third aspect, the present application provides a chip comprising: the message processing method comprises the steps of a message processing method of the virtual switch provided in the first aspect, wherein the message processing method comprises the steps of a memory and a processor, the memory is used for storing computer executable instructions, and the processor is used for executing the computer executable instructions, and the computer executable instructions are executed by the processor to realize the steps of the message processing method of the virtual switch provided in the first aspect.
In a fourth aspect, the application provides an electronic device comprising a chip according to the third aspect of the application.
In a fifth aspect, the present application provides a computer program product, which when executed by a processor implements the steps of the method for processing a message of the virtual switch provided in the first aspect.
In a sixth aspect, the present application provides a computer readable storage medium storing a computer program or instructions which, when executed by a processor, implement the steps of the method for processing a message of the virtual switch provided in the first aspect.
Drawings
Fig. 1 is a flow chart of a method for processing a message by a virtual switch according to a first embodiment of the present application;
fig. 2 is a schematic structural diagram of a message processing apparatus of a virtual switch according to a second embodiment of the present application;
fig. 3 is a schematic structural diagram of an electronic device according to a third embodiment of the present application.
Detailed Description
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present application. The present application may be embodied in many other forms than those herein described, and those skilled in the art will readily appreciate that the present application may be similarly embodied without departing from the spirit or essential characteristics thereof, and therefore the present application is not limited to the specific embodiments disclosed below.
The terminology used in the one or more embodiments of the application is for the purpose of describing particular embodiments only and is not intended to be limiting of the one or more embodiments of the application. As used in one or more embodiments of the application and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used in one or more embodiments of the present application refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that, although the terms first, second, etc. may be used in one or more embodiments of the application to describe various information, these information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, a first may also be referred to as a second, and similarly, a second may also be referred to as a first, without departing from the scope of one or more embodiments of the application. The word "if" as used herein may be interpreted as "at … …" or "at … …" or "responsive to a determination", depending on the context.
The application provides a message processing method and device of a virtual switch, a chip, an electronic device, a computer program product and a computer readable storage medium, and the message processing method and device, the chip, the electronic device and the computer program product are described in the following embodiments one by one.
Referring to fig. 1, fig. 1 is a flow chart illustrating a method for processing a message of a virtual switch according to a first embodiment of the present application, where the method includes:
step 102: and receiving and analyzing the message to extract the tuple information of the message.
Specifically, in the present application, the virtual switch has a security group (i.e., virtual firewall) function. And the virtual switch performs actions such as releasing, filtering, blocking and the like on the received message according to the virtual firewall. When the virtual switch receives the message, the message is parsed to extract the tuple information of the message, so as to identify the connection to which the message belongs. The connection may be a connection based on a network protocol such as TCP, UDP, ICMP, DCCP, SCTP, GRE. One connection may include multiple messages. The tuple information of the message may include information such as a source IP address, a destination IP address, a source port, a destination port, and a network protocol. The tuple information of the message may determine the connection to which the message belongs.
Step 104: and when the message is sent to a fast path for processing, inquiring a flow table item of a stateful flow table according to the tuple information of the message, wherein the stateful flow table is arranged on the fast path, and the flow table item of the stateful flow table comprises the registered connection state and the preset processing rule of the message corresponding to the connection.
Specifically, after receiving and analyzing the message, the virtual switch sends the message to the fast path for processing. The fast path may be in the user space of the operating system. The fast path includes a flow table for exact matching of messages. The virtual switch queries the flow table in the fast path according to the tuple information of the message to obtain a preset processing rule of the message, and processes (e.g., passes, filters, blocks, etc.) the message according to the preset processing rule. The flow table of the fast path may include a stateful flow table. The stateful flow table includes at least one flow entry. The flow entries of the stateful flow table may include the state of the registered connection and preset processing rules for the corresponding message of the connection.
In a modification of the first embodiment, the step of the virtual switch querying a flow table entry of the stateful flow table according to the tuple information of the packet may specifically include:
matching the tuple information of the message with the registered connection state included in the flow table entry of the stateful flow table;
if the flow table entry of the stateful flow table has a connection state matched with the tuple information of the message, hitting the flow table entry of the stateful flow table;
if the flow table entry of the stateful flow table does not have the connection state matched with the tuple information of the message, the flow table entry of the stateful flow table is not hit.
Step 106: if the flow table item in the stateful flow table is hit, the state of the connection to which the message belongs is updated according to the hit flow table item, and the message is processed according to the preset processing rule of the message.
Specifically, if a flow entry in the stateful flow table is hit, that is, if the flow entry in the stateful flow table has a state of a connection matching the tuple information of the packet, in other words, the packet intercepted by the virtual switch belongs to a registered connection, then, for a packet belonging to the registered connection, the virtual switch updates the state of the connection to which the packet belongs according to the hit flow entry. Updating the state of the connection to which the message belongs may include updating the statistics of the number of messages received by the connection to which the message belongs to count the number of messages connected.
The application sets the state flow table in the fast path for matching the message, directly updates the state of the connection to which the message belongs in the fast path, processes the message according to the preset processing rule of the message, realizes the function of supporting the virtual firewall, and simultaneously avoids the repeated processing of the message, namely, the matching and processing of the same message can be completed once without matching based on the initial connection state, executes the corresponding action, updates the connection state in the action, and then carries out secondary matching based on the new connection state so as to find the action required to be correspondingly executed, thereby improving the network performance of the virtual switch. Moreover, since matching and processing can be completed at one time, complex hardware resources are not required in terms of hardware offloading to achieve support for hardware offloading.
Step 108: if the flow table item of the stateful flow table is not hit, when the message is sent to a slow path for processing, registering the state of the connection to which the message belongs according to the tuple information of the message, and acquiring a preset processing rule of the message corresponding to the connection.
Specifically, if the flow table entry in the stateful flow table is missed, that is, the flow table entry in the stateful flow table does not have the state of the connection matched with the tuple information of the message, in other words, the message intercepted by the virtual switch belongs to the connection which is not registered, the virtual switch sends the message to the slow path for processing. The slow path is also in the user space of the operating system. The slow path includes a flow table for fuzzy matching of the messages. When the virtual switch sends the message into the slow path for processing, the state of the connection to which the message belongs is registered according to the tuple information of the message, and the preset processing rule of the message corresponding to the connection is obtained. Registering the state of the connection to which the message belongs may include creating a connection to which the message belongs to record the state of the connection to which the message belongs. The preset processing rules of the message can include releasing, filtering, blocking and other actions on the message. When the application processes the message corresponding to the connection which is not registered in the slow path, the virtual switch can support the virtual firewall in function by registering the state of the connection to which the registered message belongs.
Step 1010: and processing the message according to the acquired preset processing rule of the message corresponding to the connection, and inserting the registered state of the connection to which the message belongs and the acquired preset processing rule of the message corresponding to the connection into the stateful flow table as a new flow table item.
Specifically, after registering the state of the connection to which the message belongs and acquiring the preset processing rule of the message corresponding to the connection, the virtual switch processes the message according to the acquired preset processing rule of the message corresponding to the connection, and inserts the state of the registered connection to the message and the acquired preset processing rule of the message corresponding to the connection into the state flow table as a new flow table entry.
The message processing method of the virtual switch provided by the application is characterized in that a stateful flow table is arranged on a fast path for matching messages, so that the registered connected messages can be directly matched once on the fast path, the state of the connection to which the messages belong is updated, and the messages are processed according to the preset processing rule of the messages, namely, the matching and the processing can be completed once on the same message on the fast path; for the messages belonging to the connection which is not registered, registering the state of the connection to which the messages belong in a slow path, acquiring the preset processing rule of the corresponding messages of the connection and processing the messages according to the preset processing rule of the messages, namely, for the same message, completing matching and processing at one time in the slow path; therefore, the message processing method of the virtual switch provided by the application realizes that the virtual switch supports the virtual firewall in function and simultaneously avoids the repeated processing of the message, namely, the matching and processing can be completed once for the same message. And the connection state is updated in the action without matching based on the initial connection state, and then secondary matching is performed based on the new connection state so as to find the action required to be correspondingly executed. The method overcomes the defect that network performance rollback of the virtual switch can be caused when the virtual switch is introduced into the security group function. Improving the network performance of the virtual switch. Moreover, as the message can be matched and processed at one time, complex hardware resources are not needed in the aspect of hardware unloading so as to realize the support of hardware unloading.
Referring to fig. 2, fig. 2 is a schematic structural diagram of a message processing apparatus of a virtual switch according to a second embodiment of the present application.
It should be noted that, the technical solution of the packet processing device of the virtual switch provided by the second embodiment of the present application and the technical solution of the packet processing method of the virtual switch provided by the second embodiment of the present application belong to the same concept, and details of the technical solution of the packet processing device of the virtual switch, which are not described in detail, can be referred to the description of the technical solution of the packet processing method of the virtual switch.
The message processing device of the virtual switch provided by the second embodiment of the application comprises: the system comprises a receiving and analyzing module, a query module, an updating module, a registering and acquiring module and a processing and inserting module.
And the receiving and analyzing module is used for receiving and analyzing the message so as to extract the tuple information of the message.
Specifically, in the present application, the virtual switch has a security group (i.e., virtual firewall) function. The virtual switch executes actions such as releasing, filtering, blocking and the like on the received message through the virtual firewall. When the virtual switch receives the message, the message is parsed to extract the tuple information of the message, so as to identify the connection to which the message belongs. The connection may be a connection based on a network protocol such as TCP, UDP, ICMP, DCCP, SCTP, GRE. One connection may include multiple messages. The tuple information of the message may include information such as a source IP address, a destination IP address, a source port, a destination port, and a network protocol. The tuple information of the message may determine the connection to which the message belongs.
And the query module is used for querying a flow table item of a stateful flow table according to the tuple information of the message when the message is sent to the rapid path for processing, wherein the stateful flow table is arranged on the rapid path, and the flow table item of the stateful flow table comprises the registered state of the connection and the preset processing rule of the message corresponding to the connection.
Specifically, after receiving and analyzing the message, the virtual switch sends the message to the fast path for processing. The fast path may be in the user space of the operating system. The fast path includes a flow table for exact matching of messages. The virtual switch queries the flow table in the fast path according to the tuple information of the message to obtain a preset processing rule of the message, and processes (e.g., passes, filters, blocks, etc.) the message according to the preset processing rule. The flow table of the fast path may include a stateful flow table. The stateful flow table includes at least one flow entry. The flow entries of the stateful flow table may include the state of the registered connection and preset processing rules for the corresponding message of the connection.
In a modification of the second embodiment, the query module may further specifically include: the device comprises a matching unit, a first judging unit and a second judging unit.
And the matching unit is used for matching the tuple information of the message with the registered connection state included in the flow table entry of the stateful flow table.
And the first judging unit is used for hitting the flow table entry of the stateful flow table if the flow table entry of the stateful flow table has a connection state matched with the tuple information of the message.
And the second judging unit is used for missing the flow table entry of the stateful flow table if the flow table entry of the stateful flow table does not have the connection state matched with the tuple information of the message.
And the updating module is used for updating the connection state of the message according to the hit flow table item if the flow table item in the stateful flow table is hit, and processing the message according to the preset processing rule of the message.
Specifically, if a flow entry in the stateful flow table is hit, that is, if the flow entry in the stateful flow table has a state of a connection matching the tuple information of the packet, in other words, the packet intercepted by the virtual switch belongs to a registered connection, then, for a packet belonging to the registered connection, the virtual switch updates the state of the connection to which the packet belongs according to the hit flow entry. Updating the state of the connection to which the message belongs may include updating the statistics of the number of messages received by the connection to which the message belongs to count the number of messages connected.
The application sets the state flow table in the fast path for matching the message, directly updates the state of the connection to which the message belongs in the fast path, processes the message according to the preset processing rule of the message, realizes the function of supporting the virtual firewall, and simultaneously avoids the repeated processing of the message, namely, the matching and processing of the same message can be completed once without matching based on the initial connection state, executes the corresponding action, updates the connection state in the action, and then carries out secondary matching based on the new connection state so as to find the action required to be correspondingly executed, thereby improving the network performance of the virtual switch. Moreover, as the message can be matched and processed at one time, complex hardware resources are not needed in the aspect of hardware unloading so as to realize the support of hardware unloading.
And the registration and acquisition module is used for registering the state of the connection to which the message belongs according to the tuple information of the message when the message is sent to a slow path for processing if the flow entry of the stateful flow table is missed, and acquiring a preset processing rule of the message corresponding to the connection.
Specifically, if the flow table entry in the stateful flow table is missed, that is, the flow table entry in the stateful flow table does not have the state of the connection matched with the tuple information of the message, in other words, the message intercepted by the virtual switch belongs to the connection which is not registered, the virtual switch sends the message to the slow path for processing. The slow path is also in the user space of the operating system. The slow path includes a flow table for fuzzy matching of the messages. When the virtual switch sends the message into the slow path for processing, the state of the connection to which the message belongs is registered according to the tuple information of the message, and the preset processing rule of the message corresponding to the connection is obtained. Registering the state of the connection to which the message belongs may include creating a connection to which the message belongs to record the state of the connection to which the message belongs. The preset processing rules of the message can include releasing, filtering, blocking and other actions on the message. When the application processes the message corresponding to the connection which is not registered in the slow path, the virtual switch can support the virtual firewall in function by registering the state of the connection to which the registered message belongs.
The processing and inserting module is used for processing the message according to the acquired preset processing rule of the message corresponding to the connection, and inserting the registered state of the connection to which the message belongs and the acquired preset processing rule of the message corresponding to the connection into the stateful flow table as a new flow table item.
Specifically, after registering the state of the connection to which the message belongs and acquiring the preset processing rule of the message corresponding to the connection, the virtual switch processes the message according to the acquired preset processing rule of the message corresponding to the connection, and inserts the state of the registered connection to the message and the acquired preset processing rule of the message corresponding to the connection into the state flow table as a new flow table entry.
The message processing device of the virtual switch provided by the application can directly perform primary matching on the registered connected messages on the fast path by setting the stateful flow table on the fast path for the messages to be matched, update the state of the connection to which the messages belong and process the messages according to the preset processing rule of the messages, namely, the matching and the processing can be completed on the same message on the fast path once; for the messages belonging to the connection which is not registered, registering the state of the connection to which the messages belong in a slow path, acquiring the preset processing rule of the corresponding messages of the connection and processing the messages according to the preset processing rule of the messages, namely, for the same message, completing matching and processing at one time in the slow path; therefore, the message processing device of the virtual switch provided by the application realizes that the virtual switch supports the virtual firewall in function and simultaneously avoids repeated processing of the message, namely, matching and processing can be completed once for the same message. And the connection state is updated in the action without matching based on the initial connection state, and then secondary matching is performed based on the new connection state so as to find the action required to be correspondingly executed. The method overcomes the defect that network performance rollback of the virtual switch can be caused when the virtual switch is introduced into the security group function. Improving the network performance of the virtual switch. Moreover, as the message can be matched and processed at one time, complex hardware resources are not needed in the aspect of hardware unloading so as to realize the support of hardware unloading.
The above-mentioned functional modules in the message processing device of the virtual switch may be implemented in whole or in part by software, hardware, and combinations thereof. The functional modules can be embedded in a processor of a chip or can be stored in a memory of the chip in a hardware form or can be stored in a software form, so that the processor can call and execute the operations corresponding to the functional modules.
Referring to fig. 3, fig. 3 is a schematic structural diagram of a chip according to a third embodiment of the present application.
The chip provided by the third embodiment of the application can comprise a processor, a memory and a network interface which are connected through a system bus. Wherein the processor of the chip is used to provide computing and control capabilities. The memory of the chip includes a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system (e.g., an on-chip operating system SoC), a computer program, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The database of the chip is used for storing data such as fault information. The network interface of the chip is used for communicating with external devices through network connection. The computer program, when executed by the processor, may implement a method for processing a message of a virtual switch according to the first embodiment of the present application.
It will be appreciated by those skilled in the art that the structure shown in fig. 3 is merely a block diagram of a portion of the structure associated with the present inventive arrangements and is not limiting of the chip to which the present inventive arrangements are applied, and that a particular chip may include more or fewer components than shown, or may combine some of the components, or have a different arrangement of components.
Correspondingly, the application also provides a chip which can be a DPU (Data Processing Unit, data processor), a GPU (Graphics Processing Unit, graphics processor), a CPU (Central Processing Unit ) and the like. The chip includes a memory and a processor. The memory stores a computer program, and when the processor executes the computer program, the message processing method of the virtual switch provided by the first embodiment of the application is realized.
Correspondingly, the application also provides electronic equipment which can be a server, a server cluster and the like. The electronic device may include a chip as provided by the present decade ago.
Correspondingly, the application also provides a computer readable storage medium, on which a computer program is stored, which when being executed by a processor, implements the message processing method of the virtual switch provided by the first embodiment of the application.
Correspondingly, the application also provides a computer program product, comprising a computer program, wherein the computer program is executed by a processor to realize the message processing method of the virtual switch provided by the first embodiment of the application.
In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
Computer readable instructions comprise computer program code which may be in source code form, object code form, executable file or some intermediate form, etc. The computer readable medium may include: any entity or device capable of carrying the computer program code, a recording medium, a U disk, a removable hard disk, a magnetic disk, an optical disk, a computer Memory, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), an electrical carrier signal, a telecommunications signal, a software distribution medium, and so forth. It should be noted that the computer readable medium contains content that can be appropriately scaled according to the requirements of jurisdictions in which such content is subject to legislation and patent practice, such as in certain jurisdictions in which such content is subject to legislation and patent practice, the computer readable medium does not include electrical carrier signals and telecommunication signals.
It should be noted that, for the sake of simplicity of description, the foregoing method embodiments are all expressed as a series of combinations of actions, but it should be understood by those skilled in the art that the present embodiment is not limited by the order of actions described, as some steps may be performed in other order or simultaneously according to the present embodiment. Further, those skilled in the art will appreciate that the embodiments described in the specification are all preferred embodiments, and that the acts and modules referred to are not necessarily all required for the embodiments described in the specification.
In the foregoing embodiments, the descriptions of the embodiments are emphasized, and for parts of one embodiment that are not described in detail, reference may be made to the related descriptions of other embodiments.
The preferred embodiments of the present specification disclosed above are merely used to help clarify the present specification. Alternative embodiments are not intended to be exhaustive or to limit the application to the precise form disclosed. Obviously, many modifications and variations are possible in light of the teaching of the embodiments. The embodiments were chosen and described in order to best explain the principles of the embodiments and the practical application, to thereby enable others skilled in the art to best understand and utilize the application. This specification is to be limited only by the claims and the full scope and equivalents thereof.
Claims (9)
1. A method for processing a message of a virtual switch, comprising:
receiving and analyzing a message to extract tuple information of the message;
inquiring a flow table item of a stateful flow table according to tuple information of the message when the message is sent to a fast path for processing, wherein the stateful flow table is arranged on the fast path, and the flow table item of the stateful flow table comprises registered connection states and preset processing rules of the message corresponding to the connection;
if the flow table item in the stateful flow table is hit, updating the state of the connection to which the message belongs according to the hit flow table item, and processing the message according to the preset processing rule of the message;
if the flow table item of the stateful flow table is not hit, when the message is sent to a slow path for processing, registering the state of the connection to which the message belongs according to the tuple information of the message, and acquiring a preset processing rule of the message corresponding to the connection;
and processing the message according to the acquired preset processing rule of the message corresponding to the connection, and inserting the registered state of the connection to which the message belongs and the acquired preset processing rule of the message corresponding to the connection into the stateful flow table as a new flow table item.
2. The method of claim 1, wherein the step of querying the flow entries of the stateful flow table based on the tuple information of the message comprises:
matching the tuple information of the message with the registered connection state included in the flow table entry of the stateful flow table;
if the flow table entry of the stateful flow table has a connection state matched with the tuple information of the message, hitting the flow table entry of the stateful flow table;
if the flow table entry of the stateful flow table does not have the connection state matched with the tuple information of the message, the flow table entry of the stateful flow table is not hit.
3. The method of claim 1, wherein updating the state of the connection to which the message belongs comprises updating statistics of the number of messages received by the connection to which the message belongs.
4. The method of claim 1, wherein registering the state of the connection to which the message belongs comprises creating a connection to which the message belongs to record the state of the connection.
5. The method of claim 1, wherein the fast path and the slow path are both in a user space of an operating system, the fast path including a flow table for exact matching of the messages, the slow path including a flow table for fuzzy matching of the messages.
6. A message processing apparatus of a virtual switch, comprising:
the receiving and analyzing module is used for receiving and analyzing the message so as to extract the tuple information of the message;
the query module is used for querying a flow table item of a stateful flow table according to the tuple information of the message when the message is sent to the fast path for processing, wherein the stateful flow table is arranged on the fast path, and the flow table item of the stateful flow table comprises the registered state of the connection and the preset processing rule of the message corresponding to the connection;
the updating module is used for updating the connection state of the message according to the hit flow table item if the flow table item in the stateful flow table is hit, and processing the message according to the preset processing rule of the message;
the registration and acquisition module is used for registering the state of the connection to which the message belongs according to the tuple information of the message when the message is sent to a slow path for processing if the flow entry of the stateful flow table is missed, and acquiring a preset processing rule of the message corresponding to the connection;
the processing and inserting module is used for processing the message according to the acquired preset processing rule of the message corresponding to the connection, and inserting the registered state of the connection to which the message belongs and the acquired preset processing rule of the message corresponding to the connection into the stateful flow table as a new flow table item.
7. A chip comprising a memory for storing computer executable instructions and a processor for executing the computer executable instructions, which when executed by the processor implement the steps of the message processing method of a virtual switch as claimed in any one of claims 1 to 5.
8. An electronic device comprising the chip of claim 7.
9. A computer-readable storage medium storing a computer program or instructions which, when executed by a processor, implement the steps of the message processing method of a virtual switch according to any one of claims 1 to 5.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210885268.2A CN115277605B (en) | 2022-07-26 | 2022-07-26 | Message processing method and device of virtual switch, chip and electronic equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210885268.2A CN115277605B (en) | 2022-07-26 | 2022-07-26 | Message processing method and device of virtual switch, chip and electronic equipment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN115277605A CN115277605A (en) | 2022-11-01 |
| CN115277605B true CN115277605B (en) | 2023-10-17 |
Family
ID=83769372
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210885268.2A Active CN115277605B (en) | 2022-07-26 | 2022-07-26 | Message processing method and device of virtual switch, chip and electronic equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115277605B (en) |
Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103281246A (en) * | 2013-05-20 | 2013-09-04 | 华为技术有限公司 | Message processing method and network equipment |
| CN104869016A (en) * | 2015-04-28 | 2015-08-26 | 杭州华三通信技术有限公司 | Method and equipment for transmitting data message |
| CN106330715A (en) * | 2015-06-30 | 2017-01-11 | 杭州华三通信技术有限公司 | Message processing method and device |
| CN107659514A (en) * | 2017-09-19 | 2018-02-02 | 深圳乐腾无线科技有限公司 | A kind of accelerated method applied under WiFi |
| CN109831390A (en) * | 2019-01-21 | 2019-05-31 | 新华三云计算技术有限公司 | Message transmission control method and device |
| CN110677340A (en) * | 2019-10-16 | 2020-01-10 | 杭州迪普科技股份有限公司 | Message forwarding method and device |
| CN112615738A (en) * | 2020-12-09 | 2021-04-06 | 四川迅游网络科技股份有限公司 | Network acceleration method based on flow characteristics |
| CN113452615A (en) * | 2021-06-28 | 2021-09-28 | 烽火通信科技股份有限公司 | Method and device for improving matching efficiency of large-specification ACL |
| CN114629842A (en) * | 2022-03-30 | 2022-06-14 | 阿里巴巴(中国)有限公司 | Flow table processing method, electronic device, readable storage medium and product |
-
2022
- 2022-07-26 CN CN202210885268.2A patent/CN115277605B/en active Active
Patent Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103281246A (en) * | 2013-05-20 | 2013-09-04 | 华为技术有限公司 | Message processing method and network equipment |
| CN104869016A (en) * | 2015-04-28 | 2015-08-26 | 杭州华三通信技术有限公司 | Method and equipment for transmitting data message |
| CN106330715A (en) * | 2015-06-30 | 2017-01-11 | 杭州华三通信技术有限公司 | Message processing method and device |
| CN107659514A (en) * | 2017-09-19 | 2018-02-02 | 深圳乐腾无线科技有限公司 | A kind of accelerated method applied under WiFi |
| CN109831390A (en) * | 2019-01-21 | 2019-05-31 | 新华三云计算技术有限公司 | Message transmission control method and device |
| CN110677340A (en) * | 2019-10-16 | 2020-01-10 | 杭州迪普科技股份有限公司 | Message forwarding method and device |
| CN112615738A (en) * | 2020-12-09 | 2021-04-06 | 四川迅游网络科技股份有限公司 | Network acceleration method based on flow characteristics |
| CN113452615A (en) * | 2021-06-28 | 2021-09-28 | 烽火通信科技股份有限公司 | Method and device for improving matching efficiency of large-specification ACL |
| CN114629842A (en) * | 2022-03-30 | 2022-06-14 | 阿里巴巴(中国)有限公司 | Flow table processing method, electronic device, readable storage medium and product |
Also Published As
| Publication number | Publication date |
|---|---|
| CN115277605A (en) | 2022-11-01 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN112714138B (en) | Test method, device, equipment and storage medium based on attack flow | |
| US7882262B2 (en) | Method and system for inline top N query computation | |
| US8918876B2 (en) | Deviating behaviour of a user terminal | |
| CN108683553B (en) | Method and device for fault injection | |
| CN106775981B (en) | Process processing method and device and computer readable medium | |
| CN109885546A (en) | User behaviors log storage method, device and electronic equipment | |
| CN109376074A (en) | Obtain method and device, the storage medium, electronic device of log | |
| EP3117334A1 (en) | A method and system for generating durable host identifiers using network artifacts | |
| CN115277605B (en) | Message processing method and device of virtual switch, chip and electronic equipment | |
| US20040034703A1 (en) | System and method for decoding communications between nodes of a cluster server | |
| CN111083157A (en) | Method and device for processing message filtering rules | |
| US20120310952A1 (en) | Method and Apparatus for Streaming Netflow Data Analysis | |
| CN109510729B (en) | Implementation method for discovering application topological relation based on CMDB and Netstat | |
| US9942766B1 (en) | Caller validation for end service providers | |
| CN113098852B (en) | Log processing method and device | |
| CN112953841B (en) | Message distribution method and system | |
| CN109766282A (en) | A kind of Caton detection method, Caton detection device and terminal device | |
| CN109040089B (en) | Network policy auditing method, equipment and computer readable storage medium | |
| CN111327543A (en) | Message forwarding method and device, storage medium and electronic device | |
| CN110808972B (en) | Data stream identification method and device | |
| US11604877B1 (en) | Nested courses of action to support incident response in an information technology environment | |
| US6219804B1 (en) | Debugging client server programs from third party workstations | |
| US6223307B1 (en) | Debugging client server programs from third party workstations | |
| CN114979028B (en) | Data packet processing method, device and storage medium | |
| CN114338549B (en) | Data stream identification processing method, device, server and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |