CN115834340A - Rule storage method and device, electronic equipment and storage medium - Google Patents

Publication number
CN115834340A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211338517.2A
Other languages
Chinese (zh)
Inventor
吕铮
罗彬�
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
New H3C Semiconductor Technology Co Ltd
Original Assignee
New H3C Semiconductor Technology Co Ltd
Application filed by New H3C Semiconductor Technology Co Ltd

Abstract

The embodiments of the application provide a rule storage method and device, electronic equipment, and a storage medium. The method comprises: constructing a rule decision tree from the rules included in a global rule set, and obtaining a discard rule set; determining a plurality of rule subtrees from the rule decision tree, where the height of each rule subtree is less than or equal to a preset height threshold; adding part of the rules included in the discard rule set to leaf nodes in the plurality of rule subtrees that satisfy a backfill condition, where the backfill condition comprises: the value of the added rule at the bit indicated by a path node is a wildcard, or the added rule has the same value at the bit indicated by the path node as the other rules in the leaf node to which it is added; determining a common rule for each rule subtree; and storing the common rule of each rule subtree and the remaining rules in the discard rule set in the TCAM. Applying this technical solution reduces the number of redundant rules and the overhead of rule matching.

Description

Rule storage method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to a rule storage method and apparatus, an electronic device, and a storage medium.
Background
In devices with a packet classification function, such as switches, routers, and firewalls, data packets are classified and forwarded through the rules in an ACL (Access Control List), flow table, forwarding table, or routing table, so as to provide differentiated service for the data packets. The ACL, flow table, forwarding table, or routing table is a set of rules. The electronic device uses a decision tree to divide the rules in the ACL into a plurality of rule sets, and then stores the rule sets in a TCAM (Ternary Content Addressable Memory). However, because rules in the ACL, flow table, forwarding table, or routing table have a "don't care" state, one rule may exist in a plurality of rule sets, which causes rule redundancy and increases the overhead of rule matching.
Disclosure of Invention
An object of the embodiments of the present application is to provide a rule storage method, an apparatus, an electronic device, and a storage medium, so as to reduce the number of redundant rules and reduce the overhead of rule matching. The specific technical scheme is as follows:
In a first aspect, an embodiment of the present application provides a rule storage method, where the method includes:
constructing a rule decision tree from the rules included in a global rule set and obtaining a discard rule set, wherein in the rule decision tree the rules included in each subtree under a parent node have the same value at the bit indicated by that parent node and that value is not a wildcard, and the rules included in the rule decision tree together with the rules included in the discard rule set form the global rule set;
determining a plurality of rule subtrees from the rule decision tree, wherein the heights of the rule subtrees are less than or equal to a preset height threshold, and the rules included in the plurality of rule subtrees are the same as the rules included in the rule decision tree;
adding part of the rules included in the discard rule set to leaf nodes in the plurality of rule subtrees that satisfy a backfill condition, the backfill condition comprising: the value of the added rule at the bit indicated by a path node is a wildcard, or the added rule has the same value at the bit indicated by the path node as the other rules in the leaf node to which the rule is added, wherein a path node is a node between the root node of the rule decision tree and the leaf node to which the rule is added;
determining a common rule of each rule subtree;
storing the common rule of each rule subtree and the remaining rules in the discard rule set in a TCAM.
In a second aspect, an embodiment of the present application provides a rule storage device, where the rule storage device includes:
a construction module, configured to construct a rule decision tree from the rules included in a global rule set and obtain a discard rule set, wherein in the rule decision tree the rules included in each subtree under a parent node have the same value at the bit indicated by that parent node and that value is not a wildcard, and the rules included in the rule decision tree together with the rules included in the discard rule set form the global rule set;
a first determining module, configured to determine a plurality of rule subtrees from the rule decision tree, wherein the heights of the rule subtrees are less than or equal to a preset height threshold, and the rules included in the plurality of rule subtrees are the same as the rules included in the rule decision tree;
an adding module, configured to add part of the rules included in the discard rule set to leaf nodes in the plurality of rule subtrees that satisfy a backfill condition, the backfill condition comprising: the value of the added rule at the bit indicated by a path node is a wildcard, or the added rule has the same value at the bit indicated by the path node as the other rules in the leaf node to which the rule is added, wherein a path node is a node between the root node of the rule decision tree and the leaf node to which the rule is added;
a second determining module, configured to determine a common rule of each rule subtree;
and a storage module, configured to store the common rule of each rule subtree and the remaining rules in the discard rule set in the TCAM.
In a third aspect, embodiments provide an electronic device comprising a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor, the processor being caused by the machine-executable instructions to implement any of the method steps described above.
In some embodiments, the electronic device further comprises a forwarding chip;
The processor is further caused by the machine-executable instructions to: store the common rule of each rule subtree in a common rule table in a Ternary Content Addressable Memory (TCAM), and store the remaining rules in the discard rule set in a physical table in the TCAM; and store the rules included in each rule subtree in a block rule table in a Random Access Memory (RAM). The RAM also stores a main rule table. A block rule table stores a plurality of rules that have the same common rule. The main rule table includes at least two fields, a split position set and a base address: the rules in a block rule table belong to the subtree determined by the split position set; the split position set is used to locate, in the block rule table, the position of the rule corresponding to a lookup key; the base address is used to locate the block rule table; the value of each non-wildcard bit in the common rule is the same as the value of the same bit in all rules of the block rule table pointed to by the base address; and the index in the common rule table is the same as the index of the same block rule table in the main rule table.
The forwarding chip is configured to: when a data packet to be classified is received, extract a target lookup key from the data packet; match the target lookup key in the physical table to obtain a second rule; match the target lookup key in the common rule table to obtain a main index of a target entry in the main rule table; locate a block rule table based on the base address included in the target entry pointed to by the main index; determine a secondary index of a first rule in the located block rule table based on the target lookup key and the split position set included in the target entry pointed to by the main index; select the rule with the highest priority from the second rule and the first rule pointed to by the secondary index; and perform packet classification processing on the data packet according to the selected rule.
In a fourth aspect, the present application provides a machine-readable storage medium, in which a computer program is stored, and the computer program, when executed by a processor, implements any of the method steps described above.
Embodiments of the present application further provide a computer program product containing instructions, which when run on a computer, cause the computer to perform any one of the above-mentioned rule storage methods.
The embodiment of the application has the following beneficial effects:
In the technical solution provided in the embodiments of the present application, a rule decision tree is first constructed under the condition that the rules included in each subtree under a parent node have the same, non-wildcard value at the bit indicated by that parent node, so the rules included in different leaf nodes of the rule decision tree do not overlap, that is, there is no redundant rule in the rule decision tree. Next, the rule decision tree is divided into a plurality of rule subtrees, and, taking the rule subtree as the unit, part of the rules included in the discard rule set are added to leaf nodes in the rule subtrees that satisfy the backfill condition, instead of taking the whole rule decision tree as the unit and adding all rules included in the discard rule set to every leaf node of the rule decision tree; this reduces the number of redundant rules and the leaf node expansion caused by rule copying. The common rule of each rule subtree is then stored in the TCAM, along with the remaining rules in the discard rule set. Since the number of redundant rules in the rule subtrees is reduced, the overhead of rule matching is reduced.
Of course, not all advantages described above need to be achieved at the same time in the practice of any one product or method of the present application.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the description below are only some embodiments of the present application, and other embodiments can be obtained by those skilled in the art according to the drawings.
FIG. 1 is a schematic structural diagram of a decision tree based on the HiCuts algorithm in the related art;
FIG. 2 is a schematic flowchart of a rule storage method according to an embodiment of the present application;
FIG. 3 is a first structural diagram of a rule decision tree according to an embodiment of the present application;
FIG. 4 is a first detailed diagram of step S21 in FIG. 2;
FIG. 5 is a second detailed diagram of step S21 in FIG. 2;
FIG. 6 is a second structural diagram of a rule decision tree according to an embodiment of the present application;
FIG. 7 is a detailed diagram of step S22 in FIG. 2;
FIG. 8 is a third structural diagram of a rule decision tree according to an embodiment of the present application;
FIG. 9 is a detailed diagram of step S23 in FIG. 2;
FIG. 10 is a diagram illustrating a discard rule set being backfilled to a rule subtree according to an embodiment of the present application;
FIG. 11 is a diagram illustrating common rule generation for a rule subtree according to an embodiment of the present application;
FIG. 12 is a schematic diagram of the correspondence between a common rule table, a main rule table, and a block rule table according to an embodiment of the present application;
FIG. 13 is a schematic flowchart of a packet classification method according to an embodiment of the present application;
FIG. 14 is a schematic structural diagram of a rule storage device according to an embodiment of the present application;
FIG. 15 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described clearly and completely with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only some embodiments of the present application, and not all embodiments. All other embodiments that can be derived by one of ordinary skill in the art from the description herein are intended to be within the scope of the present disclosure.
The terms appearing in the embodiments of the present application are explained below.
Rule: includes at least one match field, one action field, and a priority. The match field may also be called a match domain, and the action field may also be called an action domain. The rules in a rule set are arranged in descending order of priority.
Match field: a field matched against a lookup key. The electronic device may classify match fields by target object, such as a destination IP field, a source IP field, a destination port field, or a source port field, whose target objects are the destination IP, source IP, destination port, and source port respectively. The electronic device may also classify match fields by the type of value stored, such as a prefix class field, an exact class field, a range class field, and a wildcard class field. The value stored in a prefix class field is a prefix value, and the field may also be called a prefix domain; the value stored in an exact class field is an exact value, and the field may also be called an exact domain; the value stored in a range class field is a range, and the field may also be called a range domain; the value stored in a wildcard class field is a wildcard (*), and the field may also be called a wildcard domain.
Action field: the action executed when the rule is matched, indicating the next operation on the packet, such as forwarding the packet or discarding the packet.
In consideration of restricting network traffic, improving network performance, and network security, the electronic device needs to provide differentiated services for the data packets during data packet transmission. Electronic equipment with packet classification functions such as a switch, a router, a firewall and the like can realize the differentiated service based on an ACL, a flow table, a forwarding table or a routing table, namely, the data packet is classified and forwarded through rules in the ACL, the flow table, the forwarding table or the routing table, so that the differentiated service is provided for the data packet.
The ACL, the flow table, the forwarding table or the routing table are a set of a series of rules, and the electronic equipment completes the control and the filtration of the data packet by matching the data packet with the rules in the ACL, the flow table, the forwarding table or the routing table. The rule is a judgment statement describing a packet matching condition, and includes an effective time period of the packet, an IP (Internet Protocol) type, a source/destination IP address, a wildcard thereof, a mask, and the like. The electronic device matches the data packet based on the rules in the ACL, the flow table, the forwarding table, or the routing table, and determines the specific processing mode of the data packet, such as forwarding the data packet or discarding the data packet.
To increase the speed of matching data packets against rules, the electronic device stores the rules in the TCAM. A TCAM is high-speed lookup hardware in which each bit has three states, '0', '1', and 'don't care', so that exact and fuzzy match lookups can be performed simultaneously. However, TCAMs also have disadvantages such as small capacity and high cost. To store a large number of complex rules in a limited TCAM, the electronic device optimizes rule storage using a decision tree. When storing rules, the electronic device first uses the decision tree to build an index for the rules; the specific rules are leaf nodes of the decision tree and are stored in a RAM (Random Access Memory), and the index is stored in the TCAM. When searching for a rule, the electronic device first looks up the index of the rule in the TCAM and then looks up the specific hit rule in the RAM. The index is the storage location of the rule.
A decision tree is a basic classification method that splits a rule set into two parts by adding a constraint, thereby dividing a complex rule set into a plurality of simple rule sets. However, because of the 'don't care' state present in rules, one rule may exist in multiple rule sets, and this rule redundancy reduces the speed of rule matching.
Take a decision tree based on the HiCuts algorithm as an example. HiCuts is a single-dimension cutting decision tree algorithm. When running it, the electronic device first sets a threshold binth, which is used to decide whether a node of the decision tree is a leaf node. When the number of rules contained in a node is greater than binth, the electronic device selects a constraint and divides the node's rule set as evenly as possible into parts that become the child nodes of the node; for a rule that is 'don't care' with respect to the constraint, the electronic device places a copy of the rule in each child node. Cutting is then repeated until every child node contains fewer rules than binth; the child nodes containing fewer rules than binth are the leaf nodes of the decision tree.
For example, in the HiCuts-based decision tree shown in FIG. 1, the electronic device sets binth = 4. At the root node, the electronic device divides rules R1-R6 into 4 nodes using constraint x; rules R3, R4 and R6 are 'don't care' for constraint x, so they are inserted into every child node of the root node (nodes 1-4). The number of rules in each of nodes 1-3 is less than or equal to 4, so nodes 1-3 are leaf nodes. The number of rules included in node 4 is 5, and 5 > 4, so the electronic device divides the rules included in node 4 into 2 nodes using constraint y; rules R3, R4 and R6 are 'don't care' for constraint y, so they are inserted into every child node of node 4 (nodes 5-6). The number of rules in each of nodes 5-6 is less than or equal to 4, so nodes 5-6 are leaf nodes.
As the decision tree in FIG. 1 shows, because a 'don't care' state exists in a rule, the rule is copied to a plurality of leaf nodes, which expands the leaf nodes and increases the overhead of matching a specific rule.
In order to reduce leaf node expansion caused by rule replication, that is, to reduce the number of redundant rules and to reduce overhead when matching specific rules, embodiments of the present application provide a rule storage method, where the method may be applied to electronic devices such as a switch, a router, or a firewall.
In the rule storage method provided by the embodiments of the application, the electronic device first constructs a rule decision tree under the condition that the rules included in each subtree under a parent node have the same, non-wildcard value at the bit indicated by that parent node, so the rules included in different leaf nodes of the rule decision tree do not overlap, that is, no redundant rule exists in the rule decision tree. Next, the electronic device divides the rule decision tree into a plurality of rule subtrees and, taking the rule subtree as the unit, adds part of the rules included in the discard rule set to leaf nodes in the rule subtrees that satisfy the backfill condition, instead of taking the whole rule decision tree as the unit and adding all rules included in the discard rule set to every leaf node of the rule decision tree; this reduces the number of redundant rules and the leaf node expansion caused by rule copying. The electronic device then stores the common rule of each rule subtree and the remaining rules in the discard rule set in the TCAM.
The electronic equipment only fills a part of rules in the discarding rule set into leaf nodes of the rule subtree, and directly stores a part of rules which are not filled into the leaf nodes in the discarding rule set into the TCAM, so that the quantity of redundant rules in the rule subtree can be reduced, the storage space of the TCAM can be utilized to the maximum extent, and the cost when the rules are matched based on the rule subtree is reduced under the condition of improving the utilization rate of the TCAM.
In the embodiments of the present application, rule lookup is the process of matching a data packet against the match fields of each rule. Typical match fields are the IP length, input logical interface identifier, message digest identifier, VPN (Virtual Private Network) identifier, source IP address, etc. of rules R1 to R3 shown in Table 1. The match field of each rule may be viewed as a bit string in which each bit may be '0', '1' or '*', representing deny, allow and don't care (a wildcard) respectively.
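TABLE 1

| Rule | IP length | Input logical interface identifier | Message digest identifier | VPN identifier | Source IP address |
|------|-----------|------------------------------------|---------------------------|----------------|-------------------|
| R1 | * | 0 | 1 | * | * |
| R2 | * | 1 | 1 | 1 | * |
| R3 | * | 1 | 1 | 0 | * |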
In the embodiments of the present application, a rule may include one or more match fields among range class fields, prefix class fields, exact class fields, and wildcard class fields, such as rules R1-RN shown in Table 2.
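TABLE 2

| Rule | Source IP | Destination IP | Source port | Destination port | Transport protocol | Action |
|------|-----------|----------------|-------------|------------------|--------------------|--------|
| R1 | 10.0.8.3/24 | 10.1.6.20/16 | * | 22 | TCP | Accept |
| R2 | 10.0.3.8/24 | * | 80 | 0~1024 | TCP | Reject |
| R3 | 10.1.0.0/16 | 10.1.8.15/24 | 0~1024 | 0~2048 | UDP | Accept |
| RN | * | * | * | * | * | Reject |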
In Table 2, the fields storing the prefix values 10.0.8.3/24, 10.1.6.20/16, 10.1.0.0/16 and 10.1.8.15/24 are prefix class fields; the fields storing the ranges 0~1024 and 0~2048 are range class fields; the fields storing the exact values 22 and 80 are exact class fields; and the fields storing the wildcard * are wildcard class fields.
In this embodiment of the present application, before executing the rule storage method provided in this embodiment of the present application, the electronic device may perform the following processing on each rule in the rule set:
For a prefix class field included in a rule, the highest bits, as many as the prefix length, are set to the prefix value, and the other bits are set to wildcards. For example, for the source IP field of rule R2 shown in Table 2, the prefix length is 24 and the prefix value is 10.0.3.8, so the 24 highest bits of the source IP field are set to the prefix value, that is, 10.0.3, and the other bits are set to *, as shown in Table 3. The source IP of rule R2 can then be represented as 10.0.3.*, in binary: 0000 1010.0000 0000.0000 0011.**** ****.
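TABLE 3

| Rule | Source IP | Destination IP | Source port | Destination port | Transport protocol | Action |
|------|-----------|----------------|-------------|------------------|--------------------|--------|
| R2 | 10.0.3.* | * | 80 | 0~1024 | TCP | Reject |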
For a range class field included in a rule, the range is divided into a plurality of contiguous sub-ranges; each sub-range can be equivalently represented as a prefix value, the bits corresponding to each sub-range are set to that equivalent prefix value, and the set of values covered by all the sub-ranges is exactly the set of values of the original range. For example, the range [2,5] may be divided into 2 sub-ranges, [2,3] and [4,5]; sub-range [2,3] can be equivalently represented by the binary prefix value 001*, and sub-range [4,5] by the binary prefix value 010*, where a bit shown as * can be 0 or 1.
For an exact class field included in a rule, the bits of the field are set to the exact value. For example, the source port field of rule R2 shown in Table 3 is an exact class field, and its bits are set to the exact value, i.e., 80. The source port of rule R2 can then be represented as 80, in binary: 0101 0000.
For a wildcard class field included in a rule, the value of each bit in the field is set to *. For example, the destination IP field of rule R2 shown in Table 3 is a wildcard class field, and the value of each bit in the destination IP field is set to *.
In the embodiments of the application, the electronic device may directly set the range class fields, prefix class fields, exact class fields, and wildcard class fields in a rule according to the above specification.
In this embodiment, to facilitate TCAM storage, the electronic device may convert a rule into a key and a mask, which together represent the rule. The key gives the specific value, and the mask indicates whether the corresponding bit in the key is cared about: 1 means care, 0 means don't care.
For example, the electronic device may convert rules into key and mask form as follows:
For a prefix class field with prefix length L, the key is the prefix value, the first L bits of the mask are 1, and the remaining bits are 0. For example, if the source IP is 10.1.0.0/16, the converted key is 0x0A010000 in hexadecimal and the mask is 0xFFFF0000 in hexadecimal;
For a range class field, the range is divided into a plurality of contiguous sub-ranges such that each sub-range can be equivalently expressed as a prefix, and the set of values covered by all the sub-ranges is exactly the set of values of the original range;
For an exact class field, the key is the exact value and every bit of the mask is 1;
For a wildcard class field, the key and the mask are all 0.
For the value of any bit I of rule R, the relationship with key and mask is as follows:
R[I] = 0 means mask[I] = 1, key[I] = 0;
R[I] = 1 means mask[I] = 1, key[I] = 1;
R[I] = * means mask[I] = 0, key[I] = 0 or key[I] = 1.
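The conversion rules and the per-bit relation above, worked through in Python. This is an added example, not code from the patent: the function names are hypothetical, don't-care bits of the key are normalised to 0 (the relation allows 0 or 1), and the range splitter uses the standard decomposition into aligned power-of-two blocks, which the page does not spell out.

```python
def ipv4(text):
    """Dotted quad to 32-bit integer."""
    a, b, c, d = (int(part) for part in text.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def prefix_field(value, prefix_len, width):
    """Prefix class field: first prefix_len mask bits are 1, the rest 0."""
    if not 0 <= prefix_len <= width:
        raise ValueError("prefix length out of range")
    mask = ((1 << prefix_len) - 1) << (width - prefix_len)
    return value & mask, mask  # don't-care key bits normalised to 0


def exact_field(value, width):
    """Exact class field: key is the value, every mask bit is 1."""
    return value, (1 << width) - 1


def wildcard_field(width):
    """Wildcard class field: key and mask are all 0."""
    return 0, 0


def range_field(lo, hi, width):
    """Range class field: split [lo, hi] into contiguous prefix-aligned sub-ranges.

    Returns one (key, mask) pair per sub-range; their union is exactly [lo, hi].
    """
    if not 0 <= lo <= hi < (1 << width):
        raise ValueError("range does not fit the field width")
    entries = []
    while lo <= hi:
        # Largest power-of-two block that is aligned at lo ...
        size = (lo & -lo) if lo else (1 << width)
        # ... shrunk until it no longer runs past hi.
        while size > hi - lo + 1:
            size >>= 1
        prefix_len = width - (size.bit_length() - 1)
        entries.append(prefix_field(lo, prefix_len, width))
        lo += size
    return entries


def ternary(key, mask, width):
    """Render (key, mask) as R[I] per bit, most significant bit first."""
    out = []
    for i in range(width - 1, -1, -1):
        out.append(str((key >> i) & 1) if (mask >> i) & 1 else "*")
    return "".join(out)


def matches(key, mask, lookup):
    """TCAM-style ternary compare: only bits with mask[I] = 1 are compared."""
    return (lookup & mask) == (key & mask)


if __name__ == "__main__":
    key, mask = prefix_field(ipv4("10.1.0.0"), 16, 32)
    print(hex(key), hex(mask))
    print([ternary(k, m, 4) for k, m in range_field(2, 5, 4)])
    print(ternary(*exact_field(80, 8), 8))
    print(ternary(*prefix_field(ipv4("10.0.3.8"), 24, 32), 32))
```

A range costs one TCAM entry per sub-range, so the range 0~1024 on a 16-bit port field takes two entries: the prefix covering 0 to 1023 and the exact value 1024.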
The following describes in detail the rule storage method provided in the embodiments of the present application with specific embodiments.
Referring to fig. 2, fig. 2 is a first schematic flow chart of a rule storage method provided in the embodiment of the present application, where the method includes the following steps:
Step S21: construct a rule decision tree from the rules included in the global rule set, and obtain a discard rule set.
In the rule decision tree, the rules included in each subtree under a parent node have the same value at the bit indicated by that parent node, and that value is not a wildcard; the rules included in the rule decision tree together with the rules included in the discard rule set form the global rule set. Under this condition, the rules included in different leaf nodes of the rule decision tree do not overlap.
In the embodiments of the present application, the electronic device takes all rules having a match field and an action field as the global rule set. The global rule set is the set of all rules for packet classification pre-stored in the electronic device, such as the rules in an ACL, flow table, forwarding table, or routing table. The rule decision tree includes a plurality of nodes. Each non-leaf node includes information such as the bit for its one or more subtrees and the rules thrown to the discard rule set and their number; each leaf node includes one or more rules.
In the rule decision tree, a parent node has one or more subtrees, and each subtree includes one or more rules. All rules included in a subtree have the same value at the bit indicated by the corresponding parent node, and that value is not *, e.g., all 1 or all 0. In this case, the rules included in different leaf nodes of the rule decision tree do not overlap, so there are no redundant rules in the rule decision tree. Rules that do not care about the value of the bit indicated by a node, i.e., rules whose value at that bit is *, are added by the electronic device to the discard rule set. After the rule decision tree is constructed, the rules included in the rule decision tree and the rules included in the discard rule set form the global rule set.
The specific manner of constructing the rule decision tree and obtaining the discard rule set is described in detail later and is only introduced here.
Step S22: determine a plurality of rule subtrees from the rule decision tree.
The height of the rule subtrees is less than or equal to a preset height threshold, and the rules included by the rule subtrees are the same as the rules included by the rule decision tree.
In the embodiment of the present application, the rule decision tree includes a plurality of rule subtrees, that is, the rules included in the rule decision tree are divided into a plurality of rule subtrees. The height of the rule subtree represents the maximum level of the nodes that the rule subtree comprises. It is assumed that the decision tree shown in fig. 1 is a rule sub-tree comprising 3 levels of nodes, i.e. the root node of the first level, the nodes 1-4 of the second level and the nodes 5-6 of the third level, so that the maximum level of the rule sub-tree is 3, i.e. the height of the rule sub-tree is 3.
The height threshold of the rule subtree is preset in the electronic device and can be set according to actual requirements. For example, when the TCAM capacity is large, the preset height threshold may be set to a small value, such as 2 or 3, so that each rule sub-tree includes fewer rules; when it is determined that a data packet matches a rule of a certain rule sub-tree, the matching rule can be quickly determined from the fewer rules, thereby improving the rule matching efficiency. For another example, when the TCAM capacity is small, the preset height threshold may be set to a large value, such as 5 or 6, so that each rule sub-tree includes more rules and the TCAM can store the common rules of all rule sub-trees, which implements matching of all rules and ensures the integrity of matching.
And step S23, adding part of rules included in the discarding rule set to leaf nodes meeting backfill conditions in a plurality of rule subtrees.
The backfill conditions include: at the bit indicated by each path node, the value of the added rule is a wildcard, or the value of the added rule is the same as the value of the other rules in the leaf node to which the rule is added, where a path node is a node between the root node of the rule decision tree and the leaf node to which the rule is added.
In this embodiment, for each rule, if at the bit indicated by each path node from a leaf node to the root node the value of the rule is a wildcard or is the same as the value of the other rules in that leaf node, the leaf node is a leaf node satisfying the backfill condition, and the electronic device may add the rule to the leaf node. This process may be referred to as rule backfilling.
For example, as shown in fig. 3, fig. 3 shows only one rule sub-tree included in the rule decision tree, i.e. rule sub-tree 1; the rule decision tree may also include other rule sub-trees, which is not limited here. In fig. 3, the leaf node of rule sub-tree 1 includes rules R1 and R2; P0, P1 and P2 are the bits indicated by the nodes, and P0 is the bit indicated by the root node of the rule decision tree. R1 and R2 have the same values at P0, P1 and P2; for example, the values of R1 and R2 at P0 and P1 are all 0, and their values at P2 are all 1. The electronic device obtains rule R3 from the discard rule set. If R3 satisfies any one of the following conditions, R3 is added to the leaf node where rules R1 and R2 are located:
1) The values at P0 and P1 are 0, and the value at P2 is 1;
2) The value at P0 is a wildcard, the value at P1 is 0, and the value at P2 is 1;
3) The value at P0 is 0, the value at P1 is a wildcard, and the value at P2 is 1;
4) The values at P0 and P1 are 0, and the value at P2 is a wildcard;
5) The values at P0 and P1 are wildcards, and the value at P2 is 1;
6) The values at P0 and P2 are wildcards, and the value at P1 is 0;
7) The values at P1 and P2 are wildcards, and the value at P0 is 0;
8) The values at P0, P1 and P2 are all wildcards.
In this embodiment, the backfilling condition may further include: the leaf node comprises a number of rules less than or equal to a fourth preset number threshold. The fourth preset quantity threshold represents the maximum rule quantity allowed to be stored by the leaf nodes, the fourth preset quantity threshold can be set according to actual requirements, and in order to improve rule matching efficiency, the fourth preset quantity threshold is not too large, so that excessive time consumption is avoided when rules contained in the leaf nodes are compared one by one after the leaf nodes are found. The backfill condition may also include other information, which is not limited.
In the embodiment of the application, after part of the rules included in the discard rule set are added to the plurality of rule subtrees, the sum of the number of remaining rules and the number of rule subtrees is less than or equal to the capacity of the TCAM. For example, if the capacity of the TCAM is C, the number of rule subtrees is M, and the number of rules included in the discard rule set after backfilling is T', then M + T' ≤ C. To make full use of the efficient search performance of the TCAM and improve the rule matching efficiency, M + T' = C may be used; in this case, the number of rules backfilled from the discard rule set to the rule subtrees is R = T + M - C, where T is the number of rules included in the discard rule set before backfilling.
In the embodiment of the application, the rule decision tree is stored in a RAM (random access memory) which is allocated for the rule decision tree in advance. After part of rules included in the discarding rule set are added to the plurality of rule subtrees, if the RAM allocated for the rule decision tree is full, and the sum of the number of the remaining rules in the discarding rule set and the number of the plurality of rule subtrees is greater than the capacity of the TCAM, the electronic device can write the remaining part of rules in the discarding rule set into the TCAM according to the write-in strategy, wherein the sum of the number of the rules written into the TCAM and the number of the plurality of rule subtrees is equal to the capacity of the TCAM; for rules in the discard rule set that are not written to the TCAM, the electronic device may discard the portion of the rules.
The write strategy can be set according to actual requirements. For example, the write strategy may be any of:
1. The rules are selected in the order of the time at which they were written to the discard rule set, and the selected rules are written to the TCAM.
2. The rules are randomly selected and the selected rules are written to the TCAM.
Step S24, common rules for each rule sub-tree are determined.
In the embodiment of the present application, the common rule of one rule subtree may be understood as the common rule of all rules in the rule subtree. After backfilling part of the rules in the discard rule set to the rule subtrees, the electronic device determines, for each rule subtree, the common rule of that rule subtree.
Step S25, the common rules of each rule sub-tree and the remaining rules in the discard rule set are stored in the TCAM.
For each rule sub-tree, the electronic device stores the common rules of the rule sub-tree in the TCAM, and additionally stores the remaining rules in the discard rule set in the TCAM.
In the technical scheme provided by the embodiment of the application, the electronic device compresses the global rule set, and stores the public rules of the rule subtrees in the TCAM, instead of storing all the rules in the TCAM, so that the requirement on the capacity of the TCAM is reduced, and the cost of rule storage is reduced.
In addition, the electronic device only fills a part of rules in the discarding rule set into leaf nodes of the rule subtree, and directly stores a part of rules in the discarding rule set, which are not filled into the leaf nodes, in the TCAM, so that the number of redundant rules in the rule subtree can be reduced, the storage space of the TCAM can be utilized to the maximum extent, and the overhead of rule matching based on the rule subtree is reduced under the condition of improving the utilization rate of the TCAM.
In some embodiments, as shown in fig. 4, the step S21 may include steps S41 to S44.
And S41, taking the global rule set as a rule set to be split, taking the node containing the rule set to be split in the rule decision tree as a target node, and taking the global rule set as a root node of the rule decision tree.
In the embodiment of the application, when the rule decision tree is initially constructed, the electronic device takes the global rule set as the rule set to be split, and when the rule set is subsequently split, all rules included in one sub-tree form the rule set to be split. The rule decision tree contains nodes of the rule set to be split, namely target nodes. When the rule decision tree is initially constructed, the root node of the rule decision tree is a target node.
And step S42, determining the target bit of the rule splitting in the rule set to be split as the bit indicated by the target node.
In the embodiment of the application, the electronic device may determine the target bit by adopting different splitting modes, so as to split the rule set to be split into one or more rule sets. The splitting manner may include, but is not limited to, a random splitting manner, an equilibrium splitting manner, an unbalanced splitting manner, and the like.
When a random splitting mode is adopted, the electronic equipment can randomly select a bit as a target bit of regular splitting, namely the target bit is a random bit.
When the balanced splitting mode is adopted, the electronic device selects, in the rule set to be split, the bit at which the number of rules whose value is a wildcard is the smallest. If there is only one such bit, that bit is used as the target bit; if there are multiple such bits, the bit with the smallest difference between the number of rules with a value of 0 and the number of rules with a value of 1 is selected from them as the target bit. That is, the target bit is the bit with the smallest number of rules whose value is a wildcard and the smallest difference between the number of rules with a value of 0 and the number of rules with a value of 1.
As shown in table 1, at the bits where the input logical interface identifier and the message digest identifier are located, the number of rules with a value of x is 0, which is the minimum. The difference between the number of rules with a value of 0 and the number of rules with a value of 1 is 2-1=1, and at the bit where the message digest identifier is located the difference between the number of rules with a value of 0 and the number of rules with a value of 1 is 3-0=3, where 3>1.
And splitting the rule set by adopting a balanced splitting mode, so that the number of rules included by each leaf node of the finally established rule decision tree is balanced. When the rule is searched, the search key needs to be matched with the rule in the leaf node one by one. Based on this, the time consumed by searching the rule can be balanced by adopting a balanced splitting mode, and further, the computing resource balance is achieved.
When the unbalanced splitting mode is adopted, the electronic device selects, in the rule set to be split, the bit at which the number of rules whose value is a wildcard is the smallest. If there is only one such bit, that bit is used as the target bit; if there are multiple such bits, the bit with the largest difference between the number of rules with a value of 0 and the number of rules with a value of 1 is selected from them as the target bit. That is, the target bit is the bit with the smallest number of rules whose value is a wildcard and the largest difference between the number of rules with a value of 0 and the number of rules with a value of 1.
As shown in table 1, at the bits where the input logical interface identifier and the message digest identifier are located, the number of rules with a value of x is 0, which is the minimum. The difference between the number of rules with a value of 0 and the number of rules with a value of 1 is 2-1=1, and at the bit where the message digest identifier is located the difference between the number of rules with a value of 0 and the number of rules with a value of 1 is 3-0=3, where 3>1.
The rule set is split in an unbalanced splitting mode, and after the rule decision tree is constructed, only one child node may exist in one node.
Step S43, adding the rule with the target bit value of 1 in the rule set to be split into the first side child node of the target node, adding the rule with the target bit value of 0 in the rule set to be split into the second side child node of the target node, and adding the rule with the target bit value of the rule set to be split as a wildcard in the rule decision tree into the discarding rule set.
In the embodiment of the application, the first side is a left side, the second side is a right side, and correspondingly, the first side child node is a left node, and the second side child node is a right node; or, the first side is the right side, and the second side is the left side, and correspondingly, the first side child node is the right node, and the second side child node is the left node.
After determining the rule set to be split, the target node and the target bit, the electronic equipment adds the rule with the value of the target bit being 1 to a first side child node of the target node, adds the rule with the value of the target bit being 0 to a second side child node of the target node, throws the rule with the value of the target bit being x out of the rule set to be split, and adds the rule into the discarding rule set.
Taking the first side as the right side and the second side as the left side as an example, as shown in table 1, the electronic device determines that the bit where the VPN identifier is located is the target bit. The electronic device adds rule R3, whose value at the bit where the VPN identifier is located is 0, to the left child node of the target node; adds rule R2, whose value at the bit where the VPN identifier is located is 1, to the right child node of the target node; and throws rule R1, whose value at the bit where the VPN identifier is located is x, out of the rule set to be split and adds it to the discard rule set.
Step S44, taking the rule set included by the child node with the rule number larger than or equal to the first preset number threshold value as a new rule set to be split, taking the node including the rule set to be split in the rule decision tree as a new target node, and re-executing the step S42 until the rule number included by the child node is smaller than the first preset number threshold value.
In this embodiment of the application, the first preset number threshold may be set according to an actual requirement, for example, the first preset number threshold may be 2,3, or 4.
In step S43, the electronic device splits the rule set to be split into two rule sets, namely, the rule set included in the first side child node and the rule set included in the second side child node. For each child node obtained in step S43, the electronic device may determine whether the number of rules included in the child node is greater than or equal to a first preset number threshold; if so, taking the rule set included in the child node as a new rule set to be split, taking the child node (i.e. the node in the rule decision tree that includes the rule set to be split) as a new target node, and re-executing step S42 to continue splitting the rule set included in the child node; if not, the splitting of the rule set included by the child node is finished.
In the embodiment of the present application, the electronic device executes the above steps S42 to S44 in a loop to complete the construction of the rule decision tree and obtain the constructed rule decision tree.
According to the technical scheme, the electronic equipment can select a corresponding splitting mode such as a random splitting mode, a balanced splitting mode or a non-balanced splitting mode according to different requirements, different requirements are met, time consumed by the searching rules is balanced, the requirement of computing resource balance is met, leaf node expansion caused by rule copying is reduced, and expenditure when the specific rules are matched is reduced.
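The following added example (not code from the patent) walks steps S41 to S44 for the balanced and unbalanced splitting modes on a constructed set of six 4-bit ternary rules. The rule strings, the `Node` layout, the function names, and the choice never to reuse a bit already tested on the path (needed so that the recursion terminates) are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: 4-bit ternary rules, bit 0 is the leftmost character, 'x' is the wildcard.
RULES = {"R1": "00x1", "R2": "0x10", "R3": "x011",
         "R4": "10x1", "R5": "110x", "R6": "1x01"}

@dataclass
class Node:
    rules: dict                                  # rule name -> ternary string held at this node
    bit: Optional[int] = None                    # bit indicated by this node (None for a leaf)
    thrown: list = field(default_factory=list)   # names of rules thrown to the discard set here
    one: Optional["Node"] = None                 # first-side child: rules with value 1 at `bit`
    zero: Optional["Node"] = None                # second-side child: rules with value 0 at `bit`

def choose_bit(rules, used, mode):
    """Step S42: fewest wildcard rules first, then the 0/1 count difference
    (smallest for 'balanced', largest for 'unbalanced'). Bits in `used` are skipped."""
    width = len(next(iter(rules.values())))
    best = None
    for b in range(width):
        if b in used:
            continue
        col = [r[b] for r in rules.values()]
        diff = abs(col.count("0") - col.count("1"))
        key = (col.count("x"), diff if mode == "balanced" else -diff)
        if best is None or key < best[0]:
            best = (key, b)
    return None if best is None else best[1]

def build(rules, threshold, mode="balanced", used=frozenset(), discard=None):
    """Steps S41-S44: split until every leaf holds fewer than `threshold` rules.
    Returns (root, discard); discard maps thrown rule names to their ternary strings."""
    discard = {} if discard is None else discard
    node = Node(rules=dict(rules))
    if len(rules) < threshold:
        return node, discard
    bit = choose_bit(rules, used, mode)
    if bit is None:                      # every bit already used: keep an oversized leaf
        return node, discard
    node.bit = bit
    sides = {"1": {}, "0": {}}
    for name, r in rules.items():        # step S43
        if r[bit] == "x":
            node.thrown.append(name)
            discard[name] = r
        else:
            sides[r[bit]][name] = r
    if sides["1"]:
        node.one, _ = build(sides["1"], threshold, mode, used | {bit}, discard)
    if sides["0"]:
        node.zero, _ = build(sides["0"], threshold, mode, used | {bit}, discard)
    return node, discard

def leaves(node, path=()):
    """Yield (path, rules) per leaf; path is ((bit, value), ...) from the root."""
    if node.bit is None:
        yield path, node.rules
        return
    for value, child in (("1", node.one), ("0", node.zero)):
        if child is not None:
            yield from leaves(child, path + ((node.bit, value),))

if __name__ == "__main__":
    for mode in ("balanced", "unbalanced"):
        root, discard = build(RULES, threshold=2, mode=mode)
        print(mode, "root bit:", root.bit, "discard set:", sorted(discard))
        for path, held in leaves(root):
            print("   leaf", path, sorted(held))
```

On this sample the unbalanced mode throws one more rule into the discard set than the balanced mode and produces a node with a single child.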
In some embodiments, the electronic device may use the above-mentioned multiple splitting methods to complete the construction of the rule decision tree. For example, the electronic device may use a balanced splitting manner and an unbalanced splitting manner to complete the construction of the rule decision tree, in which case, as shown in fig. 5, the step S21 may include steps S51 to S58.
And S51, taking the global rule set as a rule set to be split, taking a node containing the rule set to be split in the rule decision tree as a first target node, and taking the global rule set as a root node of the rule decision tree.
Step S52, determining a first target bit of the rule splitting in the rule set to be split as a bit indicated by a first target node, wherein the first target bit is a bit with the smallest number of rules with wildcard values in each bit and the largest difference between the number of rules with 0 values and the number of rules with 1 values.
Step S53, adding a rule of which the value of the first target bit in the rule set to be split is 1 into a first side child node of the first target node, adding a rule of which the value of the first target bit in the rule set to be split is 0 into a second side child node of the target node, and adding a rule of which the value of the first target bit in the rule set to be split is a wildcard character into a discarding rule set.
Step S54, taking the rule set included in the child node whose rule number is greater than or equal to the second preset number threshold as a new rule set to be split, taking the node including the rule set to be split in the rule decision tree as a new first target node, and re-executing step S52 until the rule number included in the child node is less than the second preset number threshold.
The second preset number threshold may be set according to actual requirements, for example, the second preset number threshold may be 2,3, or 4.
Step S55, taking a rule set included in a child node whose number of included rules is smaller than a second preset number threshold as a new rule set to be split, and taking a node including the rule set to be split in the rule decision tree as a second target node.
And step S56, determining a second target bit of the rule splitting in the rule set to be split as a bit indicated by a second target node, wherein the second target bit is a bit with the minimum rule quantity taking a wildcard character in each bit and the minimum difference value between the rule quantity taking a value of 0 and the rule quantity taking a value of 1.
Step S57, adding the rule of which the value of the second target bit in the rule set to be split is 1 into the first side node of the second target node, adding the rule of which the value of the second target bit in the rule set to be split is 0 into the second side node of the target node, and adding the rule of which the value of the second target bit in the rule set to be split is a wildcard character into the discarding rule set.
Step S58, taking the rule set included in the child node whose included rule number is greater than or equal to the third preset number threshold as a new rule set to be split, taking the node including the rule set to be split in the rule decision tree as a new second target node, and re-executing step S56 until the rule number included in the child node is less than the third preset number threshold.
The third preset number threshold may be set according to actual requirements, for example, the third preset number threshold may be 2,3, or 4.
The descriptions of the above steps S51-S58 are similar to the descriptions of the above steps S41-S44; refer to the related descriptions of steps S41-S44.
The electronic device completes the construction of the rule decision tree by executing steps S51 to S58. The process of constructing a rule decision tree is shown in fig. 6. In fig. 6, Th_max indicates the second preset number threshold, and Th_leaf indicates the third preset number threshold. The electronic device sets the type of the root node to head and performs unbalanced splitting on the global rule set according to steps S51-S54 until the number of rules included in a node is less than Th_max, and sets the type of a node whose number of rules is less than Th_max to MAX. Then, the electronic device performs balanced splitting on the rule set included in each node of type MAX according to steps S55 to S58 until the number of rules in a node is less than Th_leaf, and sets the type of a node whose number of rules is less than Th_leaf to leaf. At this time, the electronic device has completed the construction of the rule decision tree, and the rules thrown at each node form the discard rule set.
Here, the node type is set merely for convenience of distinguishing the two splitting stages of the unbalanced splitting and the balanced splitting, and is not limited.
According to the technical scheme, the electronic equipment firstly adopts an unbalanced splitting mode to split the rule set, and then adopts a balanced splitting mode to split the rule set, so that the construction of the rule decision tree is completed, namely, the time balance consumed by searching the rule is met, the requirement of computing resource balance is met, the requirement of reducing leaf node expansion caused by rule copying and the requirement of reducing the cost when the specific rule is matched is also met.
In some embodiments, as shown in fig. 7, the step S22 may include steps S71 to S73.
Step S71, traverse the nodes downward from the root node of the rule decision tree.
Step S72, if the height from the traversed node to the leaf node is greater than the preset height threshold, continuing to perform the step of traversing the node downwards until the height from the traversed node to the leaf node is less than or equal to the preset height threshold.
In step S73, a sub-tree starting from the node traversed when the downward traversal node ends is used as the rule sub-tree.
In the embodiment of the application, the nodes are traversed downwards from the root node of the rule decision tree, and the electronic equipment judges whether the height from the traversed current node to the leaf node is greater than a preset height threshold value or not; if so, namely the height is greater than the preset height threshold, continuously traversing the node from the node downwards, and continuously judging whether the height from the traversed current node to the leaf node is greater than the preset height threshold; if not, namely the height is less than or equal to the preset height threshold, the downward traversal of the node is finished, and the subtree starting from the node is used as a rule subtree. Based on the rule decision tree structure, the electronic equipment can divide one rule decision tree into a plurality of rule subtrees, and the backfilling of subsequent rules is facilitated.
For example, in the rule decision tree shown in fig. 8, Th_min represents the preset height threshold. The electronic device sets the type of the root node to head and, according to steps S71-S73, detects whether the height from the traversed node to the leaf node is greater than Th_min. When the height from the traversed node to the leaf node is less than or equal to Th_min, the type of the traversed node is set to MIN, and the subtree starting from the MIN node is a rule subtree.
Here, the node type is set merely for convenience of distinguishing the nodes of the rule subtree, and is not limited.
In the embodiment of the application, the electronic device may also divide a rule decision tree into a plurality of rule subtrees in other manners. For example, the electronic device traverses the nodes upward starting from the leaf nodes of the rule decision tree; if the height from the traversed node to the leaf node is smaller than the preset height threshold, the electronic device continues to traverse upward until the height from the traversed node to the leaf node is greater than or equal to the preset height threshold; the subtree starting from the node reached when the upward traversal ends is a rule subtree. Here, one leaf node exists in one rule subtree.
In some embodiments, as shown in fig. 9, the step S23 may include steps S91 to S93.
Step S91, determining, for each rule sub-tree, the number of leaf nodes meeting the backfill condition corresponding to each rule included in the discarding rule set in the rule sub-tree, as the backfill cost corresponding to each rule.
The backfill cost indicates the number of leaf nodes that need to add a copy of the rule when the rule is inserted back into the rule sub-tree. And for each rule subtree, for each rule included in the discarding rule set, the electronic equipment determines the leaf nodes meeting the backfill condition corresponding to the rule in the rule subtree, and counts the number of the leaf nodes meeting the backfill condition as the backfill cost corresponding to the rule.
In some embodiments, the electronic device may traverse from a root node of the rule decision tree down to leaf nodes, determine leaf nodes meeting backfill conditions corresponding to each rule based on information recorded by each node, such as a bit indicated by the node and rules thrown at the node, determine to which rule sub-tree the rule may be backfilled, and further determine a backfill cost corresponding to the rule. In the embodiment of the present application, a rule backfilled to the same rule sub-tree is recorded as a throwing rule set, and as shown in fig. 10, n rule sub-trees correspond to n throwing rule sets.
In other embodiments, the electronic device may determine the throwing position of each rule based on the information recorded by each node, such as the bit indicated by the node and the rules thrown at the node, and traverse downward to the leaf nodes starting from the node at the throwing position in the rule decision tree. Based on the information recorded by each node, the electronic device determines the leaf nodes meeting the backfill condition for each rule, determines into which rule subtree the rule may be backfilled, and further determines the backfill cost corresponding to the rule.
For each rule, after determining a rule sub-tree into which the rule can be backfilled, the electronic device calculates the number of leaf nodes meeting backfilling conditions corresponding to the rule in the rule sub-tree as backfilling cost.
Step S92, determining the target rule with the minimum backfill cost and the target rule sub-tree with the minimum backfill cost corresponding to the target rule.
And step S93, adding the target rule to the leaf nodes meeting the backfill condition in the target rule subtree, and returning to execute the step S91.
After determining the backfill cost of each rule in each rule sub-tree, the electronic device determines the rule with the minimum backfill cost as the target rule, and the rule sub-tree in which the target rule has that minimum backfill cost as the target rule sub-tree; the electronic device then adds the target rule to the leaf nodes meeting the backfill condition in the target rule sub-tree. After that, the electronic device executes step S91 again to recalculate the backfill cost. Steps S91-S93 are executed in a loop until the number of backfilled rules meets the requirement, for example until the number of rules backfilled from the discard rule set to the rule subtrees reaches T + M - C, where T is the number of rules included in the discard rule set before backfilling, C is the capacity of the TCAM, and M is the number of rule subtrees.
In the embodiment of the application, by calculating the backfill cost, the electronic device backfills each rule to the leaf nodes of the rule subtree with the minimum backfill cost, which reduces the leaf node expansion caused by rule copying and reduces the cost of matching a specific rule.
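The following added example (not code from the patent) implements the backfill condition and the greedy loop of steps S91 to S93, stopping once M + T' ≤ C. The two rule subtrees "A" and "B", the leaf paths, the discarded rules, and the decision to treat a subtree with no eligible leaf as not being a candidate for that rule are assumptions of this example; all values are constructed.

```python
def make_sample():
    """Constructed sample: two rule subtrees under a root that tests bit 0.
    Each leaf records its path from the root of the rule decision tree as
    ((bit, value), ...) and the rules it holds. 'x' is the wildcard."""
    subtrees = {
        "A": [{"path": ((0, "1"), (1, "1")), "rules": {"R5": "110x"}},
              {"path": ((0, "1"), (1, "0")), "rules": {"R4": "10x1"}}],
        "B": [{"path": ((0, "0"), (3, "1")), "rules": {"R1": "00x1"}},
              {"path": ((0, "0"), (3, "0")), "rules": {"R2": "0x10"}}],
    }
    discard = {"R3": "x011", "R6": "1x01", "R7": "0xx1", "R8": "xxxx"}
    return subtrees, discard

def eligible(rule, leaf):
    """Backfill condition: at the bit indicated by every path node the rule is a
    wildcard or has the value shared by the rules already in the leaf."""
    return all(rule[bit] in ("x", value) for bit, value in leaf["path"])

def backfill_cost(rule, subtree_leaves):
    """Step S91: number of leaves of the subtree that would receive a copy of the rule."""
    return sum(eligible(rule, leaf) for leaf in subtree_leaves)

def backfill(subtrees, discard, tcam_capacity):
    """Steps S91-S93, repeated until M + T' <= C. Modifies `subtrees` in place and
    returns (remaining discard set, log of (rule, subtree, cost) moves)."""
    discard = dict(discard)
    log = []
    while len(subtrees) + len(discard) > tcam_capacity:
        candidates = [(backfill_cost(rule, leaves), name, tree)
                      for name, rule in discard.items()
                      for tree, leaves in subtrees.items()]
        candidates = [c for c in candidates if c[0] > 0]   # no eligible leaf: not a candidate
        if not candidates:
            break                                          # nothing left that can be backfilled
        cost, name, tree = min(candidates)                 # step S92 (ties broken by name)
        rule = discard.pop(name)
        for leaf in subtrees[tree]:                        # step S93
            if eligible(rule, leaf):
                leaf["rules"][name] = rule
        log.append((name, tree, cost))
    return discard, log

if __name__ == "__main__":
    subtrees, discard = make_sample()
    # T = 4 discarded rules, M = 2 subtrees, C = 4 TCAM entries: T + M - C = 2 rules to backfill
    remaining, log = backfill(subtrees, discard, tcam_capacity=4)
    print("moves:", log)
    print("left for the TCAM:", sorted(remaining))
```

The two rules that stay in the discard set are the ones that would each have been copied into two leaves.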
In some embodiments, the step S24 may be: for each bit of all rules within each rule sub-tree:
if the value of one bit of all the rules included in each rule subtree is 1, setting the value of the bit of the common rule of the rule subtree to be 1;
if the value of one bit of all rules included in each rule sub-tree is 0, setting the value of the bit of the common rule of the rule sub-tree to be 0;
and if the value of one bit of all the rules included in each rule subtree is not 1 and/or the value of one bit of all the rules included in each rule subtree is not 0, setting the value of the bit of the common rule of the rule subtree as a wildcard.
A schematic diagram of common rule generation for a rule subtree is shown in fig. 11. Fig. 11 shows the 4 rules included in a rule sub-tree, rules 0-3. In fig. 11, at bit P0 the values of rules 0-3 are all 0, so the electronic device sets bit P0 of the common rule to 0; at bit P1 the values of rules 0-3 are all 1, so the electronic device sets bit P1 of the common rule to 1; at the other bits, rules 0-3 satisfy neither of the above two cases, so the electronic device sets the value of these bits of the common rule to x.
In the embodiment of the application, the bit width of the common rule is the same as that of the rules, and after all the bits of the common rule are set, the common rule is generated. The generated common rules are stored in the TCAM.
In the technical scheme provided by the embodiment of the application, the electronic equipment extracts the common rules of all the rules in each rule sub-tree, that is, one common rule can represent a plurality of rules, and the common rules are stored in the TCAM, so that the requirement on the capacity of the TCAM is reduced, a TCAM with smaller capacity can be used for realizing larger-scale rule search, and the cost and the power consumption for packet classification are saved.
In addition, in the technical scheme provided by the embodiment of the application, the electronic device extracts the common bit of all the rules in the rule subtree as the common rule of the rule subtree by using the above mode, so that the rule which cannot be matched with the common rule cannot be generated in the corresponding rule subtree, and the situation of possible occurrence of false positive is reduced.
In some embodiments, for each block rule table, the electronic device may determine a bit of 1 or 0 in all rules in the block rule table; if the number of bit bits of 1 or 0 is larger than a preset value, randomly selecting bit bits of the preset value from the bit bits of 1 or 0; aiming at each selected bit, if the bit in all the rules is 1, setting the value of the bit of the public rule corresponding to the block rule table as 1; if the bit in all the rules is 0, setting the value of the bit of the public rule corresponding to the block rule table as 0; except the selected bit, the values of other bits of the common rule corresponding to the block rule table are all set to be x. In this case, the bits concerned in the common rules are reduced, which is helpful for compressing the TCAM, further reducing the need for TCAM capacity. The size of the preset value can be set according to actual requirements.
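The following added example (not code from the patent) derives the common rule of a rule subtree bit by bit, including the variant that keeps at most a preset number of fixed bits, and checks exhaustively that no key matching a rule of the subtree is missed by the common rule. The four 6-bit rules, the backfilled rule and the function names are constructed for this example.

```python
import itertools
import random

# Constructed sample in the spirit of fig. 11: bit 0 is 0 and bit 1 is 1 in every rule.
SUBTREE_RULES = ["01x010", "0110x1", "01011x", "01xx00"]

def common_rule(rules, max_fixed=None, rng=None):
    """A bit of the common rule is 1 (or 0) only if every rule has 1 (or 0) there;
    otherwise it is the wildcard 'x'. With `max_fixed`, at most that many fixed bits
    are kept, chosen at random, and the others become wildcards."""
    width = len(rules[0])
    fixed = {}
    for b in range(width):
        column = {r[b] for r in rules}
        if column == {"0"} or column == {"1"}:
            fixed[b] = column.pop()
    if max_fixed is not None and len(fixed) > max_fixed:
        keep = (rng or random).sample(sorted(fixed), max_fixed)
        fixed = {b: fixed[b] for b in keep}
    return "".join(fixed.get(b, "x") for b in range(width))

def matches(key, rule):
    """Ternary match of a binary key against a rule, as a TCAM entry would do."""
    return all(r in ("x", k) for k, r in zip(key, rule))

def coverage(rules, common):
    """Return (missed, extra): the number of keys that match a rule but not `common`,
    and the number that match `common` but no rule (these are only filtered out by
    comparing against the subtree's own rules)."""
    missed = extra = 0
    for bits in itertools.product("01", repeat=len(common)):
        key = "".join(bits)
        in_rules = any(matches(key, r) for r in rules)
        in_common = matches(key, common)
        missed += in_rules and not in_common
        extra += in_common and not in_rules
    return missed, extra

if __name__ == "__main__":
    full = common_rule(SUBTREE_RULES)
    print(full, coverage(SUBTREE_RULES, full))
    # A backfilled rule with a wildcard at bit 0 widens the common rule at that bit.
    widened = common_rule(SUBTREE_RULES + ["x1x010"])
    print(widened, coverage(SUBTREE_RULES + ["x1x010"], widened))
    # Keeping only one fixed bit never loses a match but lets more keys through.
    limited = common_rule(SUBTREE_RULES, max_fixed=1, rng=random.Random(7))
    print(limited, coverage(SUBTREE_RULES, limited))
```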
In the embodiment of the application, after backfilling part of rules in the discarding rule set to the rule subtrees, the electronic device stores the common rules of each rule subtree and the remaining rules in the discarding rule set in the TCAM, and stores the specific rules included in each rule subtree in the RAM.
In the technical scheme provided by the embodiment of the application, the electronic equipment compresses the rules, and a large number of rules are stored in the TCAM and the RAM. In addition, by dividing rule subtrees, calculating backfill overhead, backfilling rules and the like, as many rules as possible are stored in the TCAM, the rule matching speed is improved, the rule replication rate during the construction of the rule decision tree is reduced, and the contradiction between the effective TCAM capacity and the high-speed searching requirement is effectively solved.
Based on the remaining rules of the discard rule set stored in the TCAM, the electronic device performs packet classification processing. In some embodiments, the electronic device performs step S25 described above before performing the packet classification processing. In one example, step S25 may be: the common rule of each rule subtree is stored in a common rule table in the TCAM, and the remaining rules in the discard rule set are stored in a physical table in the TCAM. In addition, before performing the packet classification processing, the electronic device may store the rules included in each rule subtree in a block rule table in the RAM. A main rule table is also stored in the RAM. A block rule table stores a plurality of rules that have the same common rule. The main rule table includes at least two fields, a split position set and a base address: the rules in a block rule table belong to the subtree determined by the split position set; the split position set is used to locate, in the block rule table, the rule corresponding to a lookup key; and the base address is used to locate the block rule table. The value of each non-wildcard bit in a common rule is the same as the value of that bit in all rules of the block rule table pointed to by the base address, and the entries of the common rule table and of the main rule table that correspond to the same block rule table have the same index.
In the embodiment of the application, one or more common rule tables, one or more main rule tables and one or more block rule tables can be stored in the electronic device. The common rule table and the main rule table are in one-to-one correspondence, for the table entries of the common rule table and the table entries of the main rule table with the same index, the common rule table and the main rule table correspond to the same block rule table, one table entry in the main rule table corresponds to one block rule table, and when the main rule table comprises a plurality of table entries, the main rule table corresponds to the plurality of block rule tables. Taking a common rule table and a main rule table as an example, the corresponding relationship among the common rule table, the main rule table, and the block rule table is shown in fig. 12. Wherein the index is used to indicate the location of the entry in the table.
The common rule table is built in the TCAM, and the common rule table may also be referred to as a TCAM table, and one entry in the TCAM table is a common rule of a plurality of rules in one block rule table, such as Head 0-n in fig. 12. In the embodiment of the application, a plurality of rules in one block rule table form one rule block.
A TCAM table has a corresponding master rule table stored in RAM, such as L0-Ln in FIG. 12. The main rule table may be a linear table, or other form of table supported by RAM, which may also be referred to as a main (main) table. One table entry in the main table stores a split position set (split bits) of a rule block and a base address of a lower table, wherein the lower table is a block rule table storing the rule block, and the offset of the table entry corresponding to each rule block in the main table is the same as the offset of the table entry corresponding to the rule block in the TCAM table. The offset is an index, such as the main index in fig. 12.
A rule block includes a plurality of rules, which constitute a block rule table stored in the RAM; for example, rules 0 to 3 in fig. 12 constitute a rule block stored in block rule table 0 in the RAM. The block rule table may be a linear table, or another form of table supported by RAM, and may also be referred to as a Block table, such as Block table 0 and Block table n in fig. 12. The base address and the split position set of a Block table are stored in an entry in the main table. The split position set consists of a plurality of bits; if the number of bits included in the split position set is S, the size of the Block table is 2^S, that is, the Block table includes 2^S rules. For example, if S = 2, then 2^2 = 4 and the Block table includes 4 rules. When the electronic device knows the split position set of a rule block, it extracts the values of the S bits of each rule in the rule block to form an offset for each rule, where the offset is the index of the rule in the Block table, such as the sub-index in fig. 12.
The common rule table, the master rule table, and the block rule table may be collectively referred to as an algorithm table.
Based on the public rule table, the main rule table, the block rule table, and the physical table, when receiving a data packet to be classified, the electronic device performs packet classification processing, as shown in fig. 13, including the following steps:
Step S131, extracting the target search key value from the data packet to be classified.
In the embodiment of the application, the electronic device receives a data packet input by a user or a data packet input to the electronic device by other devices, and the data packet received by the electronic device is a data packet to be classified. After the electronic device acquires the data packet to be classified, key information forming a key can be extracted from the packet header of the data packet to be classified, and a search key, namely a target search key, is formed by using the extracted key information.
Step S132, matching is carried out in the physical table by using the target search key value, and a second rule is obtained.
In the embodiment of the application, after the target search key is obtained, the electronic device uses the target search key to perform matching in the physical table to obtain the matching rule. In the embodiment of the present application, the target search key matching one rule in the physical table may be understood as: at every bit, the target search key and the rule have the same value, or the value of the rule at that bit is a wildcard.
Step S133, matching in the public rule table by using the target search key value, and obtaining the main index of the target table entry in the main rule table.
After obtaining the target lookup key, the electronic device matches in the public rule table by using the target lookup key to obtain the index of the table entry where the matched public rule is located; this index is the index of the target table entry in the main rule table. In the embodiment of the present application, the target search key matching a public rule may be understood as: at every bit, the target search key and the public rule have the same value, or the value of the public rule at that bit is a wildcard.
Step S134, positioning a block rule table based on a base address included in a target table item pointed by a main index.
The public rule table is in one-to-one correspondence with the main rule table, and the entries of the public rule table and the main rule table that correspond to the same block rule table have the same index. After obtaining the main index from the TCAM, the electronic device reads the target table entry corresponding to the main index in the main rule table to obtain the base address and the split position set of the block rule table, and thereby locates the block rule table at the read base address.
Step S135, a secondary index of the first rule in the located block rule table is determined based on the target lookup key value and the split position set included in the target table entry pointed by the primary index.
As described in step S134, the electronic device reads the target table entry corresponding to the main index in the main rule table, and may obtain the base address and the split position set of the block rule table. The electronic device extracts, from the target lookup key, the value of each bit indicated by the split position set, and forms a secondary index from the extracted values; the secondary index is the offset of the matched rule in the located block rule table. For ease of distinction, the matched rule in the located block rule table is referred to as the first rule; this naming is not limiting.
The execution order of step S134 and step S135 is not limited in the embodiment of the present application.
Step S136, the rule with the highest priority is selected from the first rule and the second rule pointed by the secondary index.
In the embodiment of the application, after obtaining the first rule and the second rule, the electronic device selects a rule with the highest priority from the first rule and the second rule. Wherein, the number of the first rule can be one or more.
In some embodiments, the step S146 may be: respectively checking a first rule and a second rule pointed by the secondary index based on the target search key value; and selecting one rule with the highest priority from the rules which are determined by verification and are matched with the target search key value. The check here may be an integrity check or a locality check, which is not limited herein.
In the embodiment of the application, after the electronic equipment finds the rule matched with the target search key from the public rule table, the main rule table, the block rule table and the physical table, each found rule is verified with the target search key respectively, matching of the rule and the target search key is ensured, and accuracy of packet classification processing on the data packets to be classified is improved.
Step S137, carrying out packet classification processing on the data packet to be classified according to the selected rule.
For example, if the action of the selected rule is forwarding, the electronic device forwards the data packet to be classified; or, if the action of the selected rule is discarding, the electronic device discards the data packet to be classified; or, if the action of the selected rule is deep packet inspection, the electronic device performs deep packet inspection on the data packet to be classified, and processes, such as forwarding or discarding, the data packet to be classified based on the inspection result.
In the embodiment of the application, the electronic device is provided with the TCAM and the RAM, the electronic device stores a common rule of a plurality of rules in the TCAM, and stores a specific rule in the RAM, so that the requirement on the capacity of the TCAM can be reduced. The electronic equipment searches public rules stored in a TCAM with higher performance to eliminate most rules; and subsequently, carrying out packet classification processing on the data packet to be classified by using the rule left after the elimination in the RAM. Compared with a packet classification method purely using a TCAM, the technical scheme provided by the embodiment of the application combines the TCAM and the RAM to finish packet classification processing, can use the TCAM with smaller capacity to realize larger-scale rule search, and saves the packet classification cost and power consumption.
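The lookup of steps S131 to S137 can be traced in a short Python model, added here as an illustration and not taken from the patent. The 8-bit rules, the base addresses, the list-per-slot block table and the convention that a smaller priority number wins are constructed assumptions; the verify flag shows how skipping the check of step S136 lets a key that matches only the common rule be classified by a rule it does not match.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: str   # ternary string of '0', '1', 'x'; index 0 is the leftmost bit
    priority: int  # assumption of this sketch: a smaller number wins
    action: str


def matches(pattern, key):
    """Ternary match: each rule bit equals the key bit or is a wildcard."""
    return all(p in ("x", k) for p, k in zip(pattern, key))


def common_rule(rules):
    """A bit is 1 (or 0) only if every rule has 1 (or 0) there, else wildcard."""
    columns = zip(*(r.pattern for r in rules))
    return "".join(c[0] if len(set(c)) == 1 and c[0] != "x" else "x" for c in columns)


def build_block(rules, split_bits):
    """Block table with 2**S slots; a rule's values at the split bits form its
    offset. A rule that is wildcard at a split bit is copied to each slot it covers."""
    slots = [[] for _ in range(2 ** len(split_bits))]
    for rule in rules:
        for offset, slot in enumerate(slots):
            bits = format(offset, "0{}b".format(len(split_bits)))
            if all(rule.pattern[pos] in ("x", b) for pos, b in zip(split_bits, bits)):
                slot.append(rule)
    return slots


class Classifier:
    def __init__(self, subtrees, physical_rules):
        self.common_table = []  # TCAM: one common rule per rule subtree
        self.main_table = []    # RAM: (split position set, base address), same index
        self.block_tables = {}  # RAM: base address -> block rule table
        for index, (rules, split_bits) in enumerate(subtrees):
            base = 0x1000 * (index + 1)  # constructed base address
            self.common_table.append(common_rule(rules))
            self.main_table.append((split_bits, base))
            self.block_tables[base] = build_block(rules, split_bits)
        # TCAM physical table, kept in priority order so the first hit wins
        self.physical_table = sorted(physical_rules, key=lambda r: r.priority)

    def classify(self, key, verify=True):
        candidates = []
        # S132: match in the physical table to obtain the second rule
        second = next((r for r in self.physical_table if matches(r.pattern, key)), None)
        if second is not None:
            candidates.append(second)
        # S133: match in the common rule table to obtain the main index
        main_index = next(
            (i for i, c in enumerate(self.common_table) if matches(c, key)), None)
        if main_index is not None:
            split_bits, base = self.main_table[main_index]           # S134
            sub_index = int("".join(key[p] for p in split_bits), 2)  # S135
            for first in self.block_tables[base][sub_index]:
                # S136: check the candidate against the whole key before use
                if not verify or matches(first.pattern, key):
                    candidates.append(first)
        return min(candidates, key=lambda r: r.priority) if candidates else None


# Constructed sample data: one rule subtree split on bits 0 and 1.
SUBTREE_RULES = [
    Rule("R0", "0011x0x1", 10, "forward"),
    Rule("R1", "0111x0xx", 20, "drop"),
    Rule("R2", "1011x011", 30, "forward"),
    Rule("R3", "1111x0x0", 40, "dpi"),
]
PHYSICAL_RULES = [
    Rule("P0", "x1xxxx10", 25, "drop"),
    Rule("P1", "xxxxxxxx", 100, "forward"),
]
CLASSIFIER = Classifier([(SUBTREE_RULES, [0, 1])], PHYSICAL_RULES)

if __name__ == "__main__":
    print("common rule:", CLASSIFIER.common_table[0])
    for key in ("00111001", "10111010", "11110010", "00001111"):
        checked = CLASSIFIER.classify(key)
        unchecked = CLASSIFIER.classify(key, verify=False)
        print(key, "verified:", checked.name, "unverified:", unchecked.name)
```

For the key 10111010 the common rule and the secondary index lead to R2, which differs from the key in its last bit; only the check against the full key keeps the classifier from applying R2's action.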
Corresponding to the rule storage method, an embodiment of the present application further provides a rule storage device, as shown in fig. 14, where the device includes:
a constructing module 141, configured to construct a rule decision tree by using rules included in the global rule set, and obtain a discard rule set, where, in the rule decision tree, the rules included in each subtree under a parent node have the same value at the bit indicated by the parent node and that value is not a wildcard, and the rules included in the rule decision tree and the rules included in the discard rule set form the global rule set;
a first determining module 142, configured to determine a plurality of rule subtrees from the rule decision tree, where a height of the rule subtree is less than or equal to a preset height threshold, and rules included in the plurality of rule subtrees are the same as the rules included in the rule decision tree;
an adding module 143, configured to add a part of the rules included in the discarding rule set to leaf nodes in the multiple rule subtrees, where the leaf nodes meet a backfill condition that includes: the value of the added rule at the bit indicated by the path node is a wildcard, or the added rule and the other rules in the leaf nodes added with the rule have the same value at the bit indicated by the path node, and the path node is a node between the root node of the rule decision tree and the leaf node added with the rule;
a second determining module 144 for determining common rules for each rule sub-tree;
a storing module 145 for storing the common rules of each rule sub-tree and the remaining rules in the set of discard rules in a ternary content addressable memory TCAM.
In some embodiments, the building module 141 may be specifically configured to:
taking the global rule set as a rule set to be split, and taking a node containing the rule set to be split in the rule decision tree as a target node, wherein the global rule set is included in the root node of the rule decision tree;
determining a target bit of rule splitting in a rule set to be split as a bit indicated by a target node;
adding a rule with a target bit value of 1 in the rule set to be split into a first side child node of a target node, adding a rule with a target bit value of 0 in the rule set to be split into a second side child node of the target node, and adding a rule with a target bit value of a wildcard in the rule set to be split into a discarding rule set;
and taking the rule set included by the child node with the rule quantity larger than or equal to the first preset quantity threshold value as a new rule set to be split, taking the node including the rule set to be split in the rule decision tree as a new target node, re-executing the step of determining the target bit of rule splitting in the rule set to be split as the bit indicated by the target node until the rule quantity included by the child node is smaller than the first preset quantity threshold value.
In some embodiments, the target bit is the bit that, among all bits, has the smallest number of rules whose value is a wildcard and the smallest difference between the number of rules whose value is 0 and the number of rules whose value is 1; or,
the target bit is the bit with the smallest quantity of the rules with the wildcard character value in each bit and the largest difference between the quantity of the rules with the value of 0 and the quantity of the rules with the value of 1.
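The splitting procedure above, with the first target-bit choice (fewest wildcard rules, then smallest difference between the 0 and 1 counts), as an added Python sketch that is not the patent's own code. The 6-bit rules and the threshold are constructed; never reusing a bit on one path, breaking ties by lowest bit position, and the replicate flag (a comparison baseline that copies wildcard rules into both children instead of discarding them) are assumptions of this example.

```python
def choose_bit(rules, used):
    """Pick the unused bit with the fewest wildcard rules, then the smallest
    difference between the 0 count and the 1 count (lowest position on ties)."""
    best = None
    for pos in range(len(rules[0])):
        if pos in used:
            continue
        column = [rule[pos] for rule in rules]
        score = (column.count("x"), abs(column.count("0") - column.count("1")), pos)
        if best is None or score < best:
            best = score
    return None if best is None else best[2]


def split_node(rules, threshold, discarded, used, replicate):
    """Split one node; a node whose 'bit' stays None is a leaf."""
    node = {"rules": rules, "bit": None, "children": {}}
    bit = choose_bit(rules, used)
    if bit is None:  # every bit was already used on this path
        return node
    node["bit"] = bit
    wild = [r for r in rules if r[bit] == "x"]
    if not replicate:
        discarded.extend(wild)  # wildcard at the target bit -> discard rule set
    for value in ("1", "0"):    # first-side child, then second-side child
        subset = [r for r in rules if r[bit] == value]
        if replicate:
            subset = subset + wild  # baseline: copy wildcard rules to both sides
        if not subset:
            continue
        if len(subset) >= threshold:
            child = split_node(subset, threshold, discarded, used | {bit}, replicate)
        else:
            child = {"rules": subset, "bit": None, "children": {}}
        node["children"][value] = child
    return node


def build_tree(rules, threshold, replicate=False):
    """Return (root node, discard rule set) for a list of ternary rule strings."""
    discarded = []
    root = split_node(list(rules), threshold, discarded, frozenset(), replicate)
    return root, discarded


def leaves(node):
    """Rule lists of all leaf nodes below (and including) the given node."""
    if node["bit"] is None:
        return [node["rules"]]
    return [leaf for child in node["children"].values() for leaf in leaves(child)]


# Constructed global rule set: 6-bit ternary rules, index 0 is the leftmost bit.
RULES = [
    "000x1x", "001x0x", "01x01x", "011x00",
    "10x1x1", "1x0x10", "110xx0", "x11x01",
]

if __name__ == "__main__":
    root, discarded = build_tree(RULES, threshold=3)
    print("root splits on bit", root["bit"])
    print("leaf nodes:", leaves(root))
    print("discard rule set:", discarded)
    baseline, _ = build_tree(RULES, threshold=3, replicate=True)
    print("leaf entries with replication:", sum(len(l) for l in leaves(baseline)))
```

With discarding, every rule ends up in exactly one leaf node or in the discard rule set (7 leaf entries plus 1 discarded rule); the replication baseline stores 9 leaf entries for the same 8 rules.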
In some embodiments, the building module 141 may be specifically configured to:
taking the global rule set as a rule set to be split, and taking a node containing the rule set to be split in the rule decision tree as a first target node, wherein the global rule set is included in the root node of the rule decision tree;
determining a first target bit of rule splitting in a rule set to be split as a bit indicated by a first target node, wherein the first target bit is one of the bits with the minimum rule number taking a wildcard as a value, and the maximum difference value between the rule number taking a value of 0 and the rule number taking a value of 1;
adding a rule of which the value of a first target bit in the rule set to be split is 1 into a first side child node of a first target node, adding a rule of which the value of the first target bit in the rule set to be split is 0 into a second side child node of the target node, and adding a rule of which the value of the first target bit in the rule set to be split is a wildcard into a discarding rule set;
taking a rule set included by a child node with the rule number larger than or equal to a second preset number threshold value as a new rule set to be split, taking a node including the rule set to be split in the rule decision tree as a new first target node, and re-executing the step of determining a first target bit of rule splitting in the rule set to be split as a bit indicated by the first target node until the rule number included by the child node is smaller than the second preset number threshold value;
taking a rule set included by the child node with the rule quantity smaller than a second preset quantity threshold value as a new rule set to be split, and taking a node including the rule set to be split in the rule decision tree as a second target node;
determining a second target bit of the rule splitting in the rule set to be split as a bit indicated by a second target node, wherein the second target bit is a bit with the smallest number of rules with wildcard values in each bit and the smallest difference between the number of rules with 0 values and the number of rules with 1 values;
adding a rule with the value of a second target bit being 1 in the rule set to be split into a first side node of a second target node, adding a rule with the value of the second target bit being 0 in the rule set to be split into a second side node of the target node, and adding a rule with the value of the second target bit being a wildcard in the rule set to be split into a discarding rule set;
and taking the rule set included by the child node with the rule quantity larger than or equal to the third preset quantity threshold value as a new rule set to be split, taking the node including the rule set to be split in the rule decision tree as a new second target node, and re-executing the step of determining the second target bit of the rule split in the rule set to be split as the bit indicated by the second target node until the rule quantity included by the child node is smaller than the third preset quantity threshold value.
In some embodiments, the first determining module 142 may be specifically configured to:
traversing the nodes downwards from the root node of the rule decision tree;
if the height from the traversed node to the leaf node is greater than the preset height threshold, continuing to execute the step of traversing the node downwards until the height from the traversed node to the leaf node is less than or equal to the preset height threshold;
and taking the subtree rooted at the node at which the downward traversal stops as a rule subtree.
In some embodiments, the adding module 143 may be specifically configured to:
for each rule subtree, determining, for each rule included in the discard rule set, the number of leaf nodes in the rule subtree that satisfy the backfill condition for that rule, as the backfill overhead corresponding to the rule;
determining a target rule with the minimum backfill overhead and a target rule sub-tree corresponding to the target rule with the minimum backfill overhead;
adding the target rule to leaf nodes meeting the backfilling condition in the target rule subtree;
and returning to the step of determining, for each rule included in the discard rule set, the number of leaf nodes in each rule subtree that satisfy the backfill condition for that rule as the backfill overhead corresponding to the rule.
In some embodiments, the backfill conditions further comprise: the number of rules included by the leaf node is less than or equal to a fourth preset number threshold; and/or,
after part of rules included in the discarding rule set are added to the plurality of rule subtrees, the sum of the number of the remaining rules and the number of the plurality of rule subtrees is less than or equal to the capacity of the TCAM.
In some embodiments, the second determining module 144 may specifically be configured to:
if the value of one bit of all rules included in each rule sub-tree is 1, setting the value of the bit of the common rule of the rule sub-tree to be 1;
if the value of one bit of all rules included in each rule sub-tree is 0, setting the value of the bit of the common rule of the rule sub-tree to be 0;
and if the value of one bit of all the rules included in each rule sub-tree is not 1 and/or the value of one bit of all the rules included in each rule sub-tree is not 0, setting the value of the bit of the common rule of the rule sub-tree as a wildcard.
In some embodiments, the rule includes at least one matching field of a prefix class field, a range class field, an exact class field, and a wildcard class field; the rule storage device may further include a processing module, configured to perform the following processing on each rule in the global rule set before constructing the rule decision tree using the rules included in the global rule set:
for a prefix class field included by the rule, setting the values of the highest bits covered by the prefix length to the prefix value, and setting the values of the other bits to wildcards;
for the range field included by the rule, splitting the range field into a plurality of sub-ranges, and setting the value of the bit corresponding to each sub-range as the equivalent prefix value corresponding to the sub-range;
setting the value of each bit as an accurate value for the accurate class field included in the rule;
for the wildcard class field included in the rule, the value of each bit is set to a wildcard character.
In some embodiments, the storing module 145 may be specifically configured to store the common rule of each rule sub-tree in a common rule table in the TCAM, and store the remaining rules in the discarding rule set in a physical table in the TCAM;
the storage module is also used for storing the rules included by each rule subtree into a block rule table in the RAM; the RAM is also internally stored with a main rule table; a plurality of rules with the same common rule are stored in the block rule table; the main rule table at least comprises a splitting position set and a base address, rules in the block rule table belong to a subtree determined by the splitting position set, the splitting position set is used for positioning and searching the position of a rule corresponding to a key value in the block rule table, the base address is used for positioning the block rule table, the value of a non-wildcard bit in a public rule is the same as the value of the same bit of all the rules in the block rule table pointed by the base address, and the indexes of the public rule table and the main rule table corresponding to the same block rule table are the same;
the rule storage device may further include:
the extraction module is used for extracting a target search key value from the data packet to be classified;
the first matching module is used for matching in the physical table by using the target search key value to obtain a second rule;
the second matching module is used for matching in the public rule table by using the target search key value to obtain a main index of a target table item in the main rule table;
the positioning module is used for positioning the block rule table based on the base address included in the target table item pointed by the main index;
a third determining module, configured to determine, based on the target lookup key value and a split position set included in a target entry pointed by the primary index, a secondary index of the first rule in the located block rule table;
the processing module is used for selecting a rule with the highest priority from the first rule and the second rule pointed by the secondary index; and according to the selected rule, carrying out packet classification processing on the data packet to be classified.
In the technical solution provided in the embodiment of the present application, a rule decision tree is first constructed under the condition that the rules included in each subtree under a parent node have the same, non-wildcard value at the bit indicated by the parent node, so the rules included in different leaf nodes of the rule decision tree do not overlap, that is, there is no redundant rule in the rule decision tree; next, the rule decision tree is divided into a plurality of rule subtrees and, taking the rule subtree as the unit, part of the rules included in the discard rule set are added to the leaf nodes that satisfy the backfill condition in the rule subtrees, rather than taking the whole rule decision tree as the unit and adding all the rules included in the discard rule set to every leaf node of the rule decision tree, which reduces the number of redundant rules and the leaf node expansion caused by rule copying; then the common rule of each rule subtree is stored in the TCAM, along with the remaining rules in the discard rule set. Because the number of redundant rules in the rule subtrees is reduced, the cost of rule matching is reduced.
In correspondence with the above rule storage method, an embodiment of the present application further provides an electronic device, as shown in fig. 15, including a processor 151 and a machine-readable storage medium 152, where the machine-readable storage medium 152 stores machine-executable instructions executable by the processor 151, and the processor 151 is caused by the machine-executable instructions to implement any of the above rule storage method steps.
In some embodiments, the electronic device may further include a forwarding chip;
a processor, further caused by the machine executable instructions to: storing the public rule of each rule sub-tree in a public rule table in the TCAM, and storing the rest rules in the discarding rule set in a physical table in the TCAM; storing the rules included in each rule subtree into a block rule table in the RAM; the RAM is also internally stored with a main rule table; a plurality of rules with the same common rule are stored in the block rule table; the main rule table at least comprises a splitting position set and a base address, rules in the block rule table belong to a subtree determined by the splitting position set, the splitting position set is used for positioning and searching the position of a rule corresponding to a key value in the block rule table, the base address is used for positioning the block rule table, the value of a non-wildcard bit in a public rule is the same as the value of the same bit of all the rules in the block rule table pointed by the base address, and the indexes of the public rule table and the main rule table corresponding to the same block rule table are the same;
the forwarding chip is used for extracting a target search key value from the data packet to be classified when the data packet to be classified is received; matching in the physical table by using the target search key value to obtain a second rule; matching in the public rule table by using the target search key value to obtain a main index of a target table item in the main rule table; positioning a block rule table based on a base address included in a target table item pointed by a main index; determining a secondary index of the first rule in the located block rule table based on the target search key value and a split position set included in a target table item pointed by the primary index; selecting one rule with the highest priority from the first rule and the second rule pointed by the secondary index; and according to the selected rule, carrying out packet classification processing on the data packet to be classified.
The machine-readable storage medium may include Random Access Memory (RAM) and may also include Non-Volatile Memory (NVM), such as at least one disk Memory. Alternatively, the machine-readable storage medium may be at least one memory device located remotely from the processor.
The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In yet another embodiment provided by the present application, there is also provided a machine-readable storage medium having stored therein a computer program which, when executed by a processor, implements any of the above-described rule storage method steps.
In yet another embodiment provided herein, there is also provided a computer program product containing instructions that, when executed on a computer, cause the computer to perform any of the rule storage method steps described above.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, it may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in accordance with the embodiments of the application are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center via wired (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.) means. The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device, such as a server or a data center, that integrates one or more available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of another identical element in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the apparatus, electronic device, storage medium, and computer program product embodiments, the description is relatively simple because they are substantially similar to the method embodiments, and reference may be made to some descriptions of the method embodiments for relevant points.
The above description is only for the preferred embodiment of the present application and is not intended to limit the scope of the present application. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application are included in the protection scope of the present application.

Claims (23)

1. A method of rule storage, the method comprising:
utilizing rules included in a global rule set to construct a rule decision tree and obtain a discard rule set, wherein, in the rule decision tree, the rules included in each subtree under a parent node have the same value at the bit indicated by the parent node and that value is not a wildcard, and the rules included in the rule decision tree and the rules included in the discard rule set form the global rule set;
determining a plurality of rule subtrees from the rule decision tree, wherein the heights of the rule subtrees are less than or equal to a preset height threshold value, and the rules included in the rule subtrees are the same as the rules included in the rule decision tree;
adding a portion of the rules included in the discard rule set to leaf nodes in the plurality of rule subtrees that satisfy a backfill condition, the backfill condition comprising: the value of the added rule at the bit indicated by a path node is a wildcard, or the added rule and the other rules in the leaf node to which the rule is added have the same value at the bit indicated by the path node, wherein the path node is a node between the root node of the rule decision tree and the leaf node to which the rule is added;
determining a common rule of each rule sub-tree;
storing the common rules of each rule sub-tree and the remaining rules in the set of discard rules in a Ternary Content Addressable Memory (TCAM).
2. The method according to claim 1, wherein the step of constructing a rule decision tree using the rules included in the global rule set and obtaining the discard rule set comprises:
taking a global rule set as a rule set to be split, and taking a node containing the rule set to be split in a rule decision tree as a target node, wherein the global rule set is contained in a root node of the rule decision tree;
determining a target bit of the rule splitting in the rule set to be split as a bit indicated by the target node;
adding a rule of which the value of the target bit in the rule set to be split is 1 into a first side child node of the target node, adding a rule of which the value of the target bit in the rule set to be split is 0 into a second side child node of the target node, and adding a rule of which the value of the target bit in the rule set to be split is a wildcard into a discard rule set;
taking a rule set included in a child node with the rule quantity larger than or equal to a first preset quantity threshold value as a new rule set to be split, taking a node including the rule set to be split in the rule decision tree as a new target node, and re-executing the step of determining the target bit of rule splitting in the rule set to be split as the bit indicated by the target node until the rule quantity included in the child node is smaller than the first preset quantity threshold value.
3. The method according to claim 2, wherein the target bit is, among all bits, the bit for which the number of rules with a wildcard value is smallest and the difference between the number of rules with value 0 and the number of rules with value 1 is smallest; or,
the target bit is, among all bits, the bit for which the number of rules with a wildcard value is smallest and the difference between the number of rules with value 0 and the number of rules with value 1 is largest.
4. The method according to claim 1, wherein the step of constructing a rule decision tree using the rules included in the global rule set and obtaining the discard rule set comprises:
taking a global rule set as a rule set to be split, and taking a node containing the rule set to be split in a rule decision tree as a first target node, wherein the global rule set is contained in a root node of the rule decision tree;
determining a first target bit of the rule splitting in the rule set to be split as a bit indicated by the first target node, wherein the first target bit is a bit with the smallest number of rules taking a wildcard as a value in each bit and the largest difference between the number of rules taking a value of 0 and the number of rules taking a value of 1;
adding a rule of which the value of the first target bit in the rule set to be split is 1 to a first side child node of the first target node, adding a rule of which the value of the first target bit in the rule set to be split is 0 to a second side child node of the target node, and adding a rule of which the value of the first target bit in the rule set to be split is a wildcard character to a discarding rule set;
taking a rule set included by a child node with the rule quantity larger than or equal to a second preset quantity threshold value as a new rule set to be split, taking a node including the rule set to be split in the rule decision tree as a new first target node, and re-executing the step of determining a first target bit of rule splitting in the rule set to be split as a bit indicated by the first target node until the rule quantity included by the child node is smaller than the second preset quantity threshold value;
taking a rule set included by child nodes with the number of included rules smaller than a second preset number threshold as a new rule set to be split, and taking nodes including the rule set to be split in the rule decision tree as second target nodes;
determining a second target bit of the rule splitting in the rule set to be split as a bit indicated by the second target node, wherein the second target bit is a bit with the smallest number of rules taking a wildcard character as a value in each bit, and the smallest difference between the number of rules taking a value of 0 and the number of rules taking a value of 1;
adding a rule of which the value of the second target bit in the rule set to be split is 1 to a first side node of the second target node, adding a rule of which the value of the second target bit in the rule set to be split is 0 to a second side node of the target node, and adding a rule of which the value of the second target bit in the rule set to be split is a wildcard character to a discarding rule set;
and taking the rule set included by the child node with the rule quantity larger than or equal to a third preset quantity threshold value as a new rule set to be split, taking the node including the rule set to be split in the rule decision tree as a new second target node, and re-executing the step of determining a second target bit of rule splitting in the rule set to be split as a bit indicated by the second target node until the rule quantity included by the child node is smaller than the third preset quantity threshold value.
5. The method of claim 1, wherein the step of determining a plurality of rule sub-trees from the rule decision tree comprises:
traversing nodes downwards from a root node of the rule decision tree;
if the height from the traversed node to the leaf node is greater than a preset height threshold, continuing to execute the step of traversing the node downwards until the height from the traversed node to the leaf node is less than or equal to the preset height threshold;
and taking the subtree that starts from the node reached when the downward traversal stops as a rule subtree.
6. The method of claim 1, wherein the step of adding the portion of the rules included in the set of discarding rules to the leaf nodes in the plurality of rule subtrees that satisfy a backfill condition comprises:
for each rule sub-tree, determining the number of leaf nodes in the rule sub-tree that satisfy the backfill condition for each rule included in the discard rule set, as the backfill overhead corresponding to each rule;
determining a target rule with the minimum backfill overhead and the target rule sub-tree corresponding to that target rule;
adding the target rule to the leaf nodes meeting the backfill condition in the target rule sub-tree;
and returning to the step of determining, for each rule sub-tree, the number of leaf nodes in the rule sub-tree that satisfy the backfill condition for each rule included in the discard rule set, as the backfill overhead corresponding to each rule.
7. The method of claim 1 or 6, wherein the backfill condition further comprises: the number of rules included in the leaf node is less than or equal to a fourth preset number threshold; and/or,
after part of the rules included in the discard rule set are added to the plurality of rule subtrees, the sum of the number of remaining rules and the number of the plurality of rule subtrees is less than or equal to the capacity of the TCAM.
8. The method of claim 1, wherein the step of determining the common rules for each rule sub-tree comprises:
if the value of one bit of all rules included in each rule sub-tree is 1, setting the value of the bit of the common rule of the rule sub-tree to be 1;
if the value of one bit of all rules included in each rule sub-tree is 0, setting the value of the bit of the common rule of the rule sub-tree to be 0;
and if the value of one bit of all the rules included in each rule sub-tree is not 1 and/or the value of one bit of all the rules included in each rule sub-tree is not 0, setting the value of the bit of the common rule of the rule sub-tree as a wildcard.
9. The method of any of claims 1-6 and 8, wherein the rule comprises at least one matching field of a prefix class field, a range class field, an exact class field, and a wildcard class field;
before the constructing a rule decision tree using the rules included in the global rule set, the method further includes:
performing the following processing on each rule in the global rule set:
for a prefix class field included in the rule, setting the values of the highest bits, as many as the prefix length, to the prefix value, and setting the values of the other bits to wildcards;
for a range class field included in the rule, splitting the range field into a plurality of sub-ranges, and setting the values of the bits corresponding to each sub-range to the equivalent prefix value of that sub-range;
for an exact class field included in the rule, setting the value of each bit to the exact value;
for a wildcard class field included in the rule, setting the value of each bit to a wildcard.
10. The method according to any of claims 1-6 and 8, wherein the step of storing the common rules of each rule sub-tree and the remaining rules of the set of discard rules in a ternary content addressable memory TCAM comprises: storing the common rule of each rule subtree in a common rule table in a Ternary Content Addressable Memory (TCAM), and storing the remaining rules in the discard rule set in a physical table in the TCAM;
the method further comprises the following steps:
storing the rules included in each rule subtree in a block rule table in a Random Access Memory (RAM), wherein a main rule table is also stored in the RAM; each block rule table stores a plurality of rules that share the same common rule; the main rule table comprises at least two fields, a split position set and a base address; the rules in a block rule table belong to the subtree determined by the split position set; the split position set is used for locating, in the block rule table, the position of the rule corresponding to a lookup key value; the base address is used for locating the block rule table; the value of each non-wildcard bit in the common rule is the same as the value of the same bit in all rules in the block rule table pointed to by the base address; and the entries of the common rule table and the main rule table that correspond to the same block rule table have the same index;
when a data packet to be classified is received, extracting a target search key value from the data packet to be classified;
matching in the physical table by using the target lookup key value to obtain a second rule;
matching in the common rule table by using the target lookup key value to obtain a primary index of a target table entry in the main rule table;
locating a block rule table based on the base address included in the target table entry pointed to by the primary index;
determining a secondary index of a first rule in the located block rule table based on the target lookup key value and the split position set included in the target table entry pointed to by the primary index;
selecting the rule with the highest priority from the second rule and the first rule pointed to by the secondary index;
and performing packet classification processing on the data packet to be classified according to the selected rule.
11. A rule storage device, the device comprising:
a construction module, configured to construct a rule decision tree by using rules included in a global rule set and to obtain a discard rule set, wherein in the rule decision tree, the rules included in each subtree under a parent node have the same value at the bit indicated by the parent node and that value is not a wildcard, and the rules included in the rule decision tree and the rules included in the discard rule set together form the global rule set;
a first determining module, configured to determine, from the rule decision tree, a plurality of rule sub-trees, where heights of the rule sub-trees are less than or equal to a preset height threshold, and rules included in the plurality of rule sub-trees are the same as rules included in the rule decision tree;
an adding module, configured to add a part of the rules included in the discard rule set to leaf nodes in the plurality of rule subtrees that satisfy a backfill condition, where the backfill condition includes: the value of the added rule at the bit indicated by a path node is a wildcard, or the added rule and the other rules in the leaf node to which the rule is added have the same value at the bit indicated by the path node, wherein the path node is a node between the root node of the rule decision tree and the leaf node to which the rule is added;
a second determining module for determining a common rule of each rule sub-tree;
a storage module for storing the common rules of each rule sub-tree and the remaining rules in the discard rule set in a ternary content addressable memory TCAM.
12. The apparatus according to claim 11, wherein the construction module is specifically configured to:
taking a global rule set as a rule set to be split, and taking a node containing the rule set to be split in a rule decision tree as a target node, wherein the global rule set is contained in a root node of the rule decision tree;
determining a target bit of the rule splitting in the rule set to be split as a bit indicated by the target node;
adding a rule of which the value of the target bit in the rule set to be split is 1 into a first side child node of the target node, adding a rule of which the value of the target bit in the rule set to be split is 0 into a second side child node of the target node, and adding a rule of which the value of the target bit in the rule set to be split is a wildcard into a discard rule set;
taking a rule set included in a child node with the rule quantity larger than or equal to a first preset quantity threshold value as a new rule set to be split, taking a node including the rule set to be split in the rule decision tree as a new target node, and re-executing the step of determining the target bit of rule splitting in the rule set to be split as the bit indicated by the target node until the rule quantity included in the child node is smaller than the first preset quantity threshold value.
13. The apparatus of claim 12, wherein the target bit is, among all bits, the bit for which the number of rules with a wildcard value is smallest and the difference between the number of rules with value 0 and the number of rules with value 1 is smallest; or,
the target bit is, among all bits, the bit for which the number of rules with a wildcard value is smallest and the difference between the number of rules with value 0 and the number of rules with value 1 is largest.
14. The apparatus according to claim 11, wherein the construction module is specifically configured to:
taking a global rule set as a rule set to be split, and taking a node containing the rule set to be split in a rule decision tree as a first target node, wherein the global rule set is contained in a root node of the rule decision tree;
determining a first target bit of the rule splitting in the rule set to be split as a bit indicated by the first target node, wherein the first target bit is a bit with the smallest number of rules taking a wildcard as a value in each bit and the largest difference between the number of rules taking a value of 0 and the number of rules taking a value of 1;
adding a rule of which the value of the first target bit in the rule set to be split is 1 to a first side child node of the first target node, adding a rule of which the value of the first target bit in the rule set to be split is 0 to a second side child node of the target node, and adding a rule of which the value of the first target bit in the rule set to be split is a wildcard character to a discarding rule set;
taking a rule set included by a child node with the rule quantity larger than or equal to a second preset quantity threshold value as a new rule set to be split, taking a node including the rule set to be split in the rule decision tree as a new first target node, and re-executing the step of determining a first target bit of rule splitting in the rule set to be split as a bit indicated by the first target node until the rule quantity included by the child node is smaller than the second preset quantity threshold value;
taking a rule set included by child nodes with the number of included rules smaller than a second preset number threshold as a new rule set to be split, and taking nodes including the rule set to be split in the rule decision tree as second target nodes;
determining a second target bit of the rule splitting in the rule set to be split as a bit indicated by a second target node, wherein the second target bit is a bit with the smallest number of rules with wildcard values in each bit and the smallest difference between the number of rules with the value of 0 and the number of rules with the value of 1;
adding a rule of which the value of the second target bit in the rule set to be split is 1 to a first side node of the second target node, adding a rule of which the value of the second target bit in the rule set to be split is 0 to a second side node of the target node, and adding a rule of which the value of the second target bit in the rule set to be split is a wildcard character to a discarding rule set;
and taking the rule set included by the child node with the rule quantity larger than or equal to a third preset quantity threshold value as a new rule set to be split, taking the node including the rule set to be split in the rule decision tree as a new second target node, and re-executing the step of determining a second target bit of rule splitting in the rule set to be split as a bit indicated by the second target node until the rule quantity included by the child node is smaller than the third preset quantity threshold value.
15. The apparatus of claim 11, wherein the first determining module is specifically configured to:
traversing nodes downwards from a root node of the rule decision tree;
if the height from the traversed node to the leaf node is greater than a preset height threshold, continuing to execute the step of traversing the node downwards until the height from the traversed node to the leaf node is less than or equal to the preset height threshold;
and taking the subtree that starts from the node reached when the downward traversal stops as a rule subtree.
16. The apparatus according to claim 11, wherein the adding module is specifically configured to:
for each rule sub-tree, determining the number of leaf nodes in the rule sub-tree that satisfy the backfill condition for each rule included in the discard rule set, as the backfill overhead corresponding to each rule;
determining a target rule with the minimum backfill overhead and the target rule sub-tree corresponding to that target rule;
adding the target rule to the leaf nodes meeting the backfill condition in the target rule sub-tree;
and returning to the step of determining, for each rule sub-tree, the number of leaf nodes in the rule sub-tree that satisfy the backfill condition for each rule included in the discard rule set, as the backfill overhead corresponding to each rule.
17. The apparatus of claim 11 or 16, wherein the backfill condition further comprises: the number of rules included in the leaf node is less than or equal to a fourth preset number threshold; and/or,
after part of the rules included in the discard rule set are added to the rule subtrees, the sum of the number of remaining rules and the number of the rule subtrees is less than or equal to the capacity of the TCAM.
18. The apparatus of claim 11, wherein the second determining module is specifically configured to:
if the value of one bit of all the rules included in each rule sub-tree is 1, setting the value of the bit of the common rule of the rule sub-tree to be 1;
if the value of one bit of all rules included in each rule sub-tree is 0, setting the value of the bit of the common rule of the rule sub-tree to be 0;
and if the value of one bit of all the rules included in each rule sub-tree is not 1 and/or the value of one bit of all the rules included in each rule sub-tree is not 0, setting the value of the bit of the common rule of the rule sub-tree as a wildcard.
19. The apparatus of any of claims 11-16 and 18, wherein the rule comprises at least one matching field of a prefix class field, a range class field, an exact class field, and a wildcard class field; the apparatus further comprises a processing module configured to, before the rules included in the global rule set are used to construct a rule decision tree, perform the following processing for each rule in the global rule set:
for a prefix class field included in the rule, setting the values of the highest bits, as many as the prefix length, to the prefix value, and setting the values of the other bits to wildcards;
for a range class field included in the rule, splitting the range field into a plurality of sub-ranges, and setting the values of the bits corresponding to each sub-range to the equivalent prefix value of that sub-range;
for an exact class field included in the rule, setting the value of each bit to the exact value;
for a wildcard class field included in the rule, setting the value of each bit to a wildcard.
20. The apparatus according to any of claims 11-16 and 18, wherein the storage module is specifically configured to store the common rule of each rule sub-tree in a common rule table in a ternary content addressable memory, TCAM, and store the remaining rules in the discard rule set in a physical table in the TCAM;
the storage module is further configured to store the rules included in each rule sub-tree in a block rule table in a Random Access Memory (RAM), wherein a main rule table is also stored in the RAM; each block rule table stores a plurality of rules that share the same common rule; the main rule table comprises at least two fields, a split position set and a base address; the rules in a block rule table belong to the subtree determined by the split position set; the split position set is used for locating, in the block rule table, the position of the rule corresponding to a lookup key value; the base address is used for locating the block rule table; the value of each non-wildcard bit in the common rule is the same as the value of the same bit in all rules in the block rule table pointed to by the base address; and the entries of the common rule table and the main rule table that correspond to the same block rule table have the same index;
the device further comprises:
an extraction module, configured to extract a target lookup key value from the data packet to be classified;
a first matching module, configured to match in the physical table by using the target lookup key value to obtain a second rule;
a second matching module, configured to match in the common rule table by using the target lookup key value to obtain a primary index of a target table entry in the main rule table;
a positioning module, configured to locate a block rule table based on the base address included in the target table entry pointed to by the primary index;
a third determining module, configured to determine, based on the target lookup key value and the split position set included in the target table entry pointed to by the primary index, a secondary index of a first rule in the located block rule table;
a processing module, configured to select the rule with the highest priority from the second rule and the first rule pointed to by the secondary index, and to perform packet classification processing on the data packet to be classified according to the selected rule.
21. An electronic device comprising a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor, the processor being caused by the machine-executable instructions to carry out the method steps of any one of claims 1 to 9.
22. The electronic device of claim 21, further comprising a forwarding chip;
the processor is further caused by the machine-executable instructions to: store the common rule of each rule sub-tree in a common rule table in a Ternary Content Addressable Memory (TCAM), and store the remaining rules in the discard rule set in a physical table in the TCAM; and store the rules included in each rule subtree in a block rule table in a Random Access Memory (RAM), wherein a main rule table is also stored in the RAM; each block rule table stores a plurality of rules that share the same common rule; the main rule table comprises at least two fields, a split position set and a base address; the rules in a block rule table belong to the subtree determined by the split position set; the split position set is used for locating, in the block rule table, the position of the rule corresponding to a lookup key value; the base address is used for locating the block rule table; the value of each non-wildcard bit in the common rule is the same as the value of the same bit in all rules in the block rule table pointed to by the base address; and the entries of the common rule table and the main rule table that correspond to the same block rule table have the same index;
the forwarding chip is configured to: when a data packet to be classified is received, extract a target lookup key value from the data packet to be classified; match in the physical table by using the target lookup key value to obtain a second rule; match in the common rule table by using the target lookup key value to obtain a primary index of a target table entry in the main rule table; locate a block rule table based on the base address included in the target table entry pointed to by the primary index; determine a secondary index of a first rule in the located block rule table based on the target lookup key value and the split position set included in the target table entry pointed to by the primary index; select the rule with the highest priority from the second rule and the first rule pointed to by the secondary index; and perform packet classification processing on the data packet to be classified according to the selected rule.
23. A machine-readable storage medium, characterized in that a computer program is stored in the machine-readable storage medium, which computer program, when executed by a processor, carries out the method steps of any one of claims 1-9.
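The pipeline of claims 1, 2, 3 (first alternative), 5, 8 and 10, as an added Python sketch that is not code from the patent: it builds the decision tree and discard set, cuts rule subtrees, backfills, derives each common rule, and classifies a key through the common-rule match plus the remaining discarded rules. Assumptions of this example: rules are constructed 4-bit ternary strings with lower number meaning higher priority, a bit is not reused along one path, all function names and thresholds are hypothetical, and a discarded rule is backfilled only into a subtree whose root path it matches without wildcards, so that every key it matches is routed into that subtree.

```python
from itertools import product

# Constructed sample: (priority, ternary pattern); lower number = higher priority.
RULES = [(0, "1010"), (1, "10*1"), (2, "0*11"), (3, "01*0"), (4, "11**"),
         (5, "1*10"), (6, "*000"), (7, "00*1"), (8, "****")]

def matches(pattern, key):
    return all(p in ("*", k) for p, k in zip(pattern, key))

def pick_bit(rules, used, width):
    """Claim 3, first alternative: fewest wildcards, then most even 0/1 split."""
    def score(bit):
        col = [pat[bit] for _, pat in rules]
        return (col.count("*"), abs(col.count("0") - col.count("1")))
    free = [b for b in range(width) if b not in used]  # assumption: no bit reused on a path
    return min(free, key=score) if free else None

def build(rules, threshold, discard, path=()):
    """Claim 2: split on the target bit; rules with a wildcard there are discarded."""
    bit = None
    if len(rules) >= threshold:
        bit = pick_bit(rules, {b for b, _ in path}, len(rules[0][1]))
    if bit is None:
        return {"path": path, "rules": list(rules)}
    discard.extend(r for r in rules if r[1][bit] == "*")
    kids = {v: build([r for r in rules if r[1][bit] == v], threshold, discard,
                     path + ((bit, v),)) for v in "01"}
    return {"path": path, "bit": bit, "kids": kids}

def height(node):
    return 0 if "rules" in node else 1 + max(height(k) for k in node["kids"].values())

def leaves(node):
    if "rules" in node:
        return [node]
    return [leaf for k in node["kids"].values() for leaf in leaves(k)]

def cut(node, max_height):
    """Claim 5: descend until the height to the leaves fits the threshold."""
    if height(node) <= max_height:
        return [node]
    return [s for k in node["kids"].values() for s in cut(k, max_height)]

def backfill(subtrees, discard, max_leaf):
    """Claim 1 backfill condition, with the leaf-size limit of claim 7."""
    remaining = []
    for rule in discard:
        placed = False
        for tree in subtrees:
            if any(rule[1][b] != v for b, v in tree["path"]):
                continue  # assumption: rule must be concrete and equal above the subtree root
            targets = [leaf for leaf in leaves(tree)
                       if all(rule[1][b] in ("*", v) for b, v in leaf["path"])]
            if targets and all(len(leaf["rules"]) < max_leaf for leaf in targets):
                for leaf in targets:
                    leaf["rules"].append(rule)
                placed = True
                break
        if not placed:
            remaining.append(rule)  # stays in the TCAM "physical table"
    return remaining

def common_rule(rules):
    """Claim 8: keep a bit only where every rule of the subtree agrees on 0 or 1."""
    return "".join(col[0] if len(set(col)) == 1 else "*"
                   for col in zip(*(pat for _, pat in rules)))

def compile_tables(rules, threshold=3, max_height=1, max_leaf=3):
    discard = []
    root = build(rules, threshold, discard)
    subtrees = cut(root, max_height)
    tcam_rules = backfill(subtrees, discard, max_leaf)
    blocks = []
    for tree in subtrees:
        members = [r for leaf in leaves(tree) for r in leaf["rules"]]
        if members:
            blocks.append((common_rule(members), tree))
    return blocks, tcam_rules

def classify(key, blocks, tcam_rules):
    """Claim 10: match remaining rules and one common rule, keep the best priority."""
    hits = [r for r in tcam_rules if matches(r[1], key)]
    for common, node in blocks:
        if matches(common, key):
            while "kids" in node:            # walk the split bits inside the block
                node = node["kids"][key[node["bit"]]]
            hits += [r for r in node["rules"] if matches(r[1], key)]
            break
    return min(hits)[0] if hits else None

def brute(key, rules):
    hits = [prio for prio, pat in rules if matches(pat, key)]
    return min(hits) if hits else None

def all_keys(width):
    return ["".join(bits) for bits in product("01", repeat=width)]

if __name__ == "__main__":
    blocks, tcam_rules = compile_tables(RULES)
    print([c for c, _ in blocks], tcam_rules)
    print(all(classify(k, blocks, tcam_rules) == brute(k, RULES) for k in all_keys(4)))
```

The exhaustive comparison against `brute` is the check to keep when thresholds change: a compressed table that classifies any key differently from the flat rule list is a policy error, not an optimization.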
CN202211338517.2A 2022-10-28 2022-10-28 Rule storage method and device, electronic equipment and storage medium Pending CN115834340A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211338517.2A CN115834340A (en) 2022-10-28 2022-10-28 Rule storage method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN115834340A true CN115834340A (en) 2023-03-21

Family

ID=85525743

Country Status (1)

Country Link
CN (1) CN115834340A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination