CN116248588A - Flow table rule unloading method and device for data packet of network card - Google Patents


Publication number
CN116248588A
Authority
CN
China
Prior art keywords
flow table
table rule
hardware
native
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211697547.2A
Other languages
Chinese (zh)
Inventor
郑理
杨乃博
文旭
石禹
顾雅涵
王泽�
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tianyi Cloud Technology Co Ltd
Original Assignee
Tianyi Cloud Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tianyi Cloud Technology Co Ltd
Priority to CN202211697547.2A
Publication of CN116248588A


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/02 Topology update or discovery
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the invention provides a method and a device for offloading a flow table rule for a data packet of a network card. A first native flow table rule is acquired; the first native flow table rule includes a first native action field; the first native action field includes connection tracking action information. A first hardware flow table rule for the first native flow table rule before connection tracking is performed is determined through the connection tracking action information; a second hardware flow table rule for the first native flow table rule after connection tracking is performed is determined through the first hardware flow table rule; and the flow table rule for the data packet is offloaded to the network card based on the first hardware flow table rule and the second hardware flow table rule. Offloading the flow table rule for the data packet to the network card in the form of a combined flow table can thereby be avoided, the logic of the offloading process is simplified, and the efficiency of offloading flow table rules for data packets of the network card is improved.

Description

Flow table rule unloading method and device for data packet of network card
Technical Field
The present invention relates to the technical field of flow table rule offloading for data packets of a network card, and in particular to a flow table rule offloading method for data packets of a network card, a flow table rule offloading device for data packets of a network card, an electronic device, and a computer-readable storage medium.
Background
The hardware flow table resides in the intelligent network card hardware. When a data packet fails to match the hardware flow table, the data packet is sent up to the software OVS, which generates a flow table rule. A flow table rule includes a matching field, made up of the packet's message information, and an action field, which specifies the action that should be performed on the packet. After the generated flow table rule is converted and written into hardware, data packets that match the hardware flow table are forwarded directly, and hardware offloading is thereby achieved.
Therefore, how to improve the efficiency of offloading flow table rules for data packets of the network card has become a technical problem to be overcome by those skilled in the art.
Disclosure of Invention
The embodiment of the invention provides a method and a device for offloading a flow table rule for a data packet of a network card, a network card, an electronic device and a computer-readable storage medium, so as to solve the problem of how to improve the efficiency of offloading flow table rules for data packets of the network card.
The embodiment of the invention discloses a method for offloading a flow table rule for a data packet of a network card, which can comprise the following steps:
acquiring a first native flow table rule; the first native flow table rule includes a first native action field; the first native action field includes connection tracking action information;
determining, through the connection tracking action information, a first hardware flow table rule for the first native flow table rule before connection tracking is performed;
determining, through the first hardware flow table rule, a second hardware flow table rule for the first native flow table rule after connection tracking is performed;
and offloading the flow table rule for the data packet to the network card based on the first hardware flow table rule and the second hardware flow table rule.
Optionally, the first native flow table rule includes a first native matching field, the first native matching field contains first regular message information and initial recirculation information, the first native action field contains first other action information, and the step of determining, through the connection tracking action information, a first hardware flow table rule for the first native flow table rule before connection tracking is performed may include:
determining a first insertion position identifier for characterizing an insertion position of the first hardware flow table rule;
determining a first hardware matching field for the first hardware flow table rule according to the first regular message information;
generating a first jump coefficient for the first hardware flow table rule through the first insertion position identifier and first flag information of the first native flow table rule before connection tracking is performed;
determining, using the first jump coefficient, a first jump position identifier for characterizing a jump position of the first hardware flow table rule;
calculating a first hash value for the first hardware flow table rule through the first regular message information, and generating a first association mark using the first hash value;
determining a first hardware action field for the first hardware flow table rule using the first jump position identifier and the first association mark;
and determining the first hardware flow table rule using the first hardware matching field and the first hardware action field.
Optionally, the step of determining, through the first hardware flow table rule, a second hardware flow table rule for the first native flow table rule after connection tracking is performed may include:
acquiring a second native flow table rule corresponding to the first native flow table rule; the second native flow table rule includes a second native matching field, and the second native matching field and the first native action field contain the same target recirculation information, which is used for associating the second native flow table rule with the first native flow table rule;
generating a first insertion coefficient through the initial recirculation information and second flag information of the first native flow table rule after connection tracking is performed;
determining, using the first insertion coefficient, a second insertion position identifier for characterizing an insertion position of the second hardware flow table rule;
determining a second hardware matching field for the second hardware flow table rule using the first association mark;
generating a second jump coefficient through the target recirculation information and third flag information for the second native flow table rule;
determining, using the second jump coefficient, a second jump position identifier for characterizing a jump position of the second hardware flow table rule;
calculating a second hash value for the second hardware flow table rule according to the target recirculation information and the first regular message information, and generating a second association mark using the second hash value;
determining a second hardware action field for the second hardware flow table rule using the second jump position identifier, the second association mark and the first other action information;
and determining the second hardware flow table rule using the second hardware matching field and the second hardware action field.
Optionally, the method may further include:
acquiring connection tracking five-tuple information for the first native flow table rule;
determining a connection tracking five-tuple information matching field through the connection tracking five-tuple information, and determining a connection tracking five-tuple information action field using the first insertion coefficient;
and determining a connection tracking five-tuple flow table rule for the connection tracking five-tuple information based on the connection tracking five-tuple information matching field and the connection tracking five-tuple information action field, and determining, using the first jump coefficient as a second insertion coefficient, a third insertion position identifier for characterizing an insertion position of the connection tracking five-tuple flow table rule.
Optionally, the second native flow table rule includes a second native action field; the second native matching field includes second regular message information and offloaded tracking action state information; the second native action field includes second other action information; and the method may further include:
determining a third hardware matching field using the second regular message information;
determining a third hardware action field using the second other action information;
and determining a third hardware flow table rule based on the third hardware matching field and the third hardware action field, and determining, using the second jump coefficient as a third insertion coefficient, a fourth insertion position identifier for characterizing an insertion position of the third hardware flow table rule.
Optionally, the target second hardware flow table rule has a corresponding counter for counting the first native flow table rule.
Optionally, the connection tracking five-tuple flow table rule has a corresponding first connection information database, the second hardware flow table rule has a corresponding second connection information database, the third hardware flow table rule has a corresponding third connection information database, the method is applied to a hardware offload module, the hardware offload module has corresponding flow table rule offloading software OVS-DPDK, and the step of offloading the flow table rule for the data packet to the network card based on the first hardware flow table rule and the second hardware flow table rule may include:
marking the data packet with the first association mark based on the first hardware action field;
when the first association mark is read, jumping to the first connection information database based on the first jump position identifier corresponding to the first association mark;
when the first connection information database does not have a connection tracking five-tuple flow table rule corresponding to the data packet, sending the data packet marked with the first association mark to the flow table rule offloading software OVS-DPDK, wherein the flow table rule offloading software OVS-DPDK is used for executing the first native flow table rule on the data packet marked with the first association mark, so as to offload the flow table rule for the data packet to the network card;
when the first connection information database has a connection tracking five-tuple flow table rule corresponding to the data packet, jumping to the second connection information database based on the connection tracking five-tuple information action field;
when the second connection information database has a second hardware flow table rule corresponding to the data packet, executing the first other action information based on the second hardware matching field and the second hardware action field, marking the data packet with the second association mark, and jumping to the third connection information database based on the second jump position identifier corresponding to the second association mark;
when the third connection information database has a third hardware flow table rule corresponding to the data packet, offloading the flow table rule for the data packet to the network card based on the third hardware flow table rule;
and when the third connection information database does not have a third hardware flow table rule corresponding to the data packet, sending the data packet marked with the second association mark to the flow table rule offloading software OVS-DPDK, wherein the flow table rule offloading software OVS-DPDK is used for executing the second native flow table rule on the data packet marked with the second association mark, so as to offload the flow table rule for the data packet to the network card.
The embodiment of the invention also discloses a device for offloading a flow table rule for a data packet of a network card, which can comprise:
a first native flow table rule acquisition module, configured to acquire a first native flow table rule; the first native flow table rule includes a first native action field; the first native action field includes connection tracking action information;
a first hardware flow table rule determining module, configured to determine, through the connection tracking action information, a first hardware flow table rule for the first native flow table rule before connection tracking is performed;
a second hardware flow table rule determining module, configured to determine, through the first hardware flow table rule, a second hardware flow table rule for the first native flow table rule after connection tracking is performed;
and a flow table rule offloading module, configured to offload the flow table rule for the data packet to the network card based on the first hardware flow table rule and the second hardware flow table rule.
Optionally, the first native flow table rule includes a first native matching field, the first native matching field contains first regular message information and initial recirculation information, the first native action field contains first other action information, and the first hardware flow table rule determining module may include:
a first insertion position identifier determining sub-module, configured to determine a first insertion position identifier for characterizing an insertion position of the first hardware flow table rule;
a first hardware matching field determining sub-module, configured to determine a first hardware matching field for the first hardware flow table rule according to the first regular message information;
a first jump coefficient generation sub-module, configured to generate a first jump coefficient for the first hardware flow table rule through the first insertion position identifier and first flag information of the first native flow table rule before connection tracking is performed;
a first jump position identifier determining sub-module, configured to determine, using the first jump coefficient, a first jump position identifier for characterizing a jump position of the first hardware flow table rule;
a first association mark generation sub-module, configured to calculate a first hash value for the first hardware flow table rule through the first regular message information, and generate a first association mark using the first hash value;
a first hardware action field determining sub-module, configured to determine a first hardware action field for the first hardware flow table rule using the first jump position identifier and the first association mark;
and a first hardware flow table rule determining sub-module, configured to determine the first hardware flow table rule using the first hardware matching field and the first hardware action field.
Optionally, the second hardware flow table rule determining module may include:
a second native flow table rule acquisition sub-module, configured to acquire a second native flow table rule corresponding to the first native flow table rule; the second native flow table rule includes a second native matching field, and the second native matching field and the first native action field contain the same target recirculation information, which is used for associating the second native flow table rule with the first native flow table rule;
a first insertion coefficient generation sub-module, configured to generate a first insertion coefficient through the initial recirculation information and second flag information of the first native flow table rule after connection tracking is performed;
a second insertion position identifier determining sub-module, configured to determine, using the first insertion coefficient, a second insertion position identifier for characterizing an insertion position of the second hardware flow table rule;
a second hardware matching field determining sub-module, configured to determine a second hardware matching field for the second hardware flow table rule using the first association mark;
a second jump coefficient generation sub-module, configured to generate a second jump coefficient through the target recirculation information and third flag information for the second native flow table rule;
a second jump position identifier determining sub-module, configured to determine, using the second jump coefficient, a second jump position identifier for characterizing a jump position of the second hardware flow table rule;
a second association mark determining sub-module, configured to calculate a second hash value for the second hardware flow table rule according to the target recirculation information and the first regular message information, and generate a second association mark using the second hash value;
a second hardware action field determining sub-module, configured to determine a second hardware action field for the second hardware flow table rule using the second jump position identifier, the second association mark and the first other action information;
and a second hardware flow table rule determining sub-module, configured to determine the second hardware flow table rule using the second hardware matching field and the second hardware action field.
Optionally, the device may further include:
a connection tracking five-tuple information acquisition module, configured to acquire connection tracking five-tuple information for the first native flow table rule;
a connection tracking five-tuple information action field determining module, configured to determine a connection tracking five-tuple information matching field through the connection tracking five-tuple information, and determine a connection tracking five-tuple information action field using the first insertion coefficient;
and a connection tracking five-tuple flow table rule determining module, configured to determine a connection tracking five-tuple flow table rule for the connection tracking five-tuple information based on the connection tracking five-tuple information matching field and the connection tracking five-tuple information action field, and determine, using the first jump coefficient as a second insertion coefficient, a third insertion position identifier for characterizing an insertion position of the connection tracking five-tuple flow table rule.
Optionally, the second native flow table rule includes a second native action field; the second native matching field includes second regular message information and offloaded tracking action state information; the second native action field includes second other action information; and the device may further include:
a third hardware matching field determining module, configured to determine a third hardware matching field using the second regular message information;
a third hardware action field determining module, configured to determine a third hardware action field using the second other action information;
and a third hardware flow table rule determining module, configured to determine a third hardware flow table rule based on the third hardware matching field and the third hardware action field, and determine, using the second jump coefficient as a third insertion coefficient, a fourth insertion position identifier for characterizing an insertion position of the third hardware flow table rule.
Optionally, the target second hardware flow table rule has a corresponding counter for counting the first native flow table rule.
Optionally, the connection tracking five-tuple flow table rule has a corresponding first connection information database, the second hardware flow table rule has a corresponding second connection information database, the third hardware flow table rule has a corresponding third connection information database, the device is applied to a hardware offload module, the hardware offload module has corresponding flow table rule offloading software OVS-DPDK, and the flow table rule offloading module includes:
a data packet marking sub-module, configured to mark the data packet with the first association mark based on the first hardware action field;
a first jump sub-module, configured to jump to the first connection information database based on the first jump position identifier corresponding to the first association mark when the first association mark is read;
a first data packet sending sub-module, configured to send, when the first connection information database does not have a connection tracking five-tuple flow table rule corresponding to the data packet, the data packet marked with the first association mark to the flow table rule offloading software OVS-DPDK, where the flow table rule offloading software OVS-DPDK is configured to execute the first native flow table rule on the data packet marked with the first association mark, so as to offload the flow table rule for the data packet to the network card;
a second jump sub-module, configured to jump to the second connection information database based on the connection tracking five-tuple information action field when the first connection information database has a connection tracking five-tuple flow table rule corresponding to the data packet;
a third jump sub-module, configured to, when the second connection information database has a second hardware flow table rule corresponding to the data packet, execute the first other action information based on the second hardware matching field and the second hardware action field, mark the data packet with the second association mark, and jump to the third connection information database based on the second jump position identifier corresponding to the second association mark;
a flow table rule offloading sub-module, configured to, when the third connection information database has a third hardware flow table rule corresponding to the data packet, offload the flow table rule for the data packet to the network card based on the third hardware flow table rule;
and a second data packet sending sub-module, configured to send, when the third connection information database does not have a third hardware flow table rule corresponding to the data packet, the data packet marked with the second association mark to the flow table rule offloading software OVS-DPDK, where the flow table rule offloading software OVS-DPDK is configured to execute the second native flow table rule on the data packet marked with the second association mark, so as to offload the flow table rule for the data packet to the network card.
The embodiment of the invention also discloses a network card, which is provided with a flow table rule offloading system for data packets of the network card, wherein the flow table rule offloading system is used for implementing the method according to the embodiment of the invention.
The embodiment of the invention also discloses electronic equipment, which comprises a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory are communicated with each other through the communication bus;
the memory is used for storing a computer program;
the processor is configured to implement the method according to the embodiment of the present invention when executing the program stored in the memory.
Embodiments of the present invention also disclose a computer-readable storage medium having instructions stored thereon, which when executed by one or more processors, cause the processors to perform the method according to the embodiments of the present invention.
The embodiment of the invention has the following advantages:
The embodiment of the invention acquires a first native flow table rule; the first native flow table rule includes a first native action field; the first native action field includes connection tracking action information. A first hardware flow table rule for the first native flow table rule before connection tracking is performed is determined through the connection tracking action information; a second hardware flow table rule for the first native flow table rule after connection tracking is performed is determined through the first hardware flow table rule; and the flow table rule for the data packet is offloaded to the network card based on the first hardware flow table rule and the second hardware flow table rule. Offloading the flow table rule for the data packet to the network card in the form of a combined flow table can thereby be avoided, the logic of the offloading process is simplified, and the efficiency of offloading flow table rules for data packets of the network card is improved.
Drawings
Fig. 1 is a flowchart of a method for offloading a flow table rule for a data packet of a network card according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of a connection information database according to an embodiment of the present invention;
Fig. 3 is a block diagram of a device for offloading a flow table rule for a data packet of a network card according to an embodiment of the present invention;
Fig. 4 is a block diagram of a hardware structure of an electronic device according to embodiments of the present invention.
Detailed Description
In order that the above-recited objects, features and advantages of the present invention will become more readily apparent, a more particular description of the invention will be rendered by reference to the appended drawings and appended detailed description.
Referring to Fig. 1, a flowchart of a method for offloading a flow table rule for a data packet of a network card according to an embodiment of the present invention is shown, which may specifically include the following steps:
Step 101, acquiring a first native flow table rule; the first native flow table rule includes a first native action field; the first native action field includes connection tracking action information;
Step 102, determining, through the connection tracking action information, a first hardware flow table rule for the first native flow table rule before connection tracking is performed;
Step 103, determining, through the first hardware flow table rule, a second hardware flow table rule for the first native flow table rule after connection tracking is performed;
Step 104, offloading the flow table rule for the data packet to the network card based on the first hardware flow table rule and the second hardware flow table rule.
In a specific implementation, the embodiment of the invention can be applied to a flow table rule offloading system for data packets of a network card, and the flow table offloading system can be integrated in the network card. The flow table offloading system can comprise a flow table offload module and a hardware offload module. The flow table offload module can be used for acquiring a first native flow table rule, determining, through the connection tracking action information, a first hardware flow table rule for the first native flow table rule before connection tracking is performed, and determining, through the first hardware flow table rule, a second hardware flow table rule for the first native flow table rule after connection tracking is performed, so that when a data packet passes through the hardware offload module, the flow table rule for the data packet can be offloaded to the network card based on the first hardware flow table rule and the second hardware flow table rule.
In practical applications, KVM (kernel-based virtual machine) is a complete virtualization solution. Using KVM, multiple virtual machines running unmodified Linux or Windows images can be run, each with its own virtualized hardware: network cards, disks, graphics adapters, and the like.
The network card of the embodiment of the invention can be an intelligent network card, and can be, but is not limited to, an intelligent network card loaded in a KVM virtual machine.
OVS-DPDK: DPDK is a collection of libraries and drivers for fast packet processing on the x86 platform, and OVS (Open vSwitch) has been widely used in cloud environments as a multi-layer virtual switch because of its rich functionality. The main function of Open vSwitch is to provide network access for VMs on physical machines, and it is more suitable for complex and varied cloud network environments than physical switches. The software OVS uses the CPU to receive, process and forward data messages; as the number of messages and the complexity of message processing increase, the processing capacity of the CPU becomes a performance bottleneck.
First packet: the first data packet received from the server after the client request is sent.
Illustratively, a first native flow table rule FLOW A may be obtained from the native flow table of the first packet sent up to OVS-DPDK connection tracking, where the first native flow table rule FLOW A may be a native flow table rule for a data packet, and the first native flow table rule FLOW A may include a first native matching field and a first native action field corresponding thereto.
Illustratively, FLOW A comprises a FLOW A matching field and a FLOW A action field, wherein the FLOW A matching field includes first regular message information M1 and initial recirculation information recirc_id(0), and the FLOW A action field includes ct + recirc(idA) + act1 (other actions). The first native action field of the embodiment of the present invention may contain connection tracking action information ct.
OVS CT (connection tracking): for OVS, ct (conntrack) is like a third-party module, and the conntrack module of the kernel is reused. The kernel tracks all connection states and sessions of a machine, intercepts and analyzes each data packet flowing through the machine, establishes a connection information database (conntrack) on the machine, and continuously updates the database. A stateless firewall filters data packets based on the five-tuple. A stateful firewall may, beyond the five-tuple, filter packets through the connection state.
The connection tracking action information ct may be used to express a connection tracking state for a data packet.
The embodiment of the invention can determine a first hardware FLOW table rule RTE_FLOW_A1 for the first native FLOW table rule FLOW A before connection tracking is performed through the connection tracking action information ct, and determine a second hardware FLOW table rule RTE_FLOW_A2 for the first native FLOW table rule FLOW A after connection tracking is performed through the first hardware FLOW table rule RTE_FLOW_A1.
For example, after receiving the first native flow table rule FLOW A, the flow table offload module enters the ct branch of flow table offloading because the action field of FLOW A contains the ct action, and splits FLOW A into two hardware flow table rules, RTE_FLOW_A1 and RTE_FLOW_A2, where RTE_FLOW_A1 may be the flow table rule before looking up the CT connection table and RTE_FLOW_A2 may be the flow table rule after looking up the CT connection table.
After determining the first hardware flow table rule RTE_FLOW_A1 and the second hardware flow table rule RTE_FLOW_A2, embodiments of the present invention may offload the flow table to the network card based on the first hardware flow table rule RTE_FLOW_A1 and the second hardware flow table rule RTE_FLOW_A2.
In practical applications, the flow table rule for the data packet is offloaded to the network card in the form of a combined flow table rule, so the count of the original flow table rule has to be calculated from the combined flow table rule, and each calculation requires looking up the association relation, which makes the logic complex.
The embodiment of the invention obtains the first native flow table rule; the first native flow table rule includes a first native action field; the first native action field includes connection tracking action information; a first hardware flow table rule for the first native flow table rule before connection tracking is performed is determined by the connection tracking action information; a second hardware flow table rule for the first native flow table rule after connection tracking is performed is determined by the first hardware flow table rule; and the flow table rule for the data packet is offloaded to the network card based on the first hardware flow table rule and the second hardware flow table rule. In this way, offloading the flow table rule for the data packet to the network card in the form of a combined flow table can be avoided, the logic of the offloading process is simplified, and the efficiency of offloading flow table rules for data packets to the network card is improved.
On the basis of the above embodiments, modified embodiments of the above embodiments are proposed, and it is to be noted here that only the differences from the above embodiments are described in the modified embodiments for the sake of brevity of description.
In an alternative embodiment of the present invention, the first native flow table rule includes a first native matching field, the first native matching field containing first regular message information and initial recycling information, the first native action field containing first other action information, the step of determining, by the connection trace action information, a first hardware flow table rule for the first native flow table rule before performing connection trace includes:
determining a first insertion location identification characterizing an insertion location of the first hardware flow table rule;
determining a first hardware matching domain aiming at the first hardware flow table rule according to the first conventional message information;
generating a first jump coefficient for the first hardware flow table rule by the first insertion position identification and first flag information of the first native flow table rule before connection tracking is performed;
determining a first jump position identification for characterizing a jump position of the first hardware flow table rule by using the first jump coefficient;
calculating a first hash value aiming at a first hardware flow table rule through the first conventional message information, and generating a first association mark by adopting the first hash value;
determining a first hardware action domain for the first hardware flow table rule using the first jump location identifier and the first association tag;
and determining the first hardware flow table rule by adopting the first hardware matching domain and the first hardware action domain.
In a specific implementation, the first native flow table rule FLOW A of the embodiment of the present invention may include a first native matching field, where the first native matching field includes first regular message information M1 and initial recirculation information recirc_id(0). In the hardware flow table rules, table_id(N) in the matching field indicates that the flow table rule is to be inserted into the Nth hardware table item (connection information database table), jump(N) in the action field indicates a jump to the Nth hardware table item (connection information database table), and mark(id) may be used as the matching item for packets sent up to software, identifying RTE_FLOW_A1 and RTE_FLOW_A2 as belonging to FLOW A.
The embodiment of the invention can determine a first insertion position identification table_id(0) for representing the insertion position of the first hardware flow table rule RTE_FLOW_A1. After the first insertion position identification table_id(0) is determined, the first hardware matching field for RTE_FLOW_A1 can be determined as M1 through the first regular message information M1, and a first jump coefficient N1 for RTE_FLOW_A1 is generated through the first insertion position identification table_id(0) and the first flag information flag(ct_pre) of the first native flow table rule FLOW A before connection tracking is executed. After the first jump coefficient N1 is determined, the embodiment of the present invention may use N1 to determine a first jump position identification jump(N1) for characterizing the jump position of RTE_FLOW_A1; calculate a first hash value hash(id1) for RTE_FLOW_A1 through the first regular message information M1, and generate a first association mark mark(id1) from the first hash value hash(id1); determine the first hardware action field jump(N1) + mark(id1) for RTE_FLOW_A1 using the first jump position identification jump(N1) and the first association mark mark(id1); and determine the first hardware flow table rule RTE_FLOW_A1 using the first hardware matching field M1 and the first hardware action field jump(N1) + mark(id1), wherein the first insertion position identification for the first hardware matching field M1 is table_id(0).
Illustratively, because RTE_FLOW_A1 is the first flow table rule that a data packet passes through, its table_id may be 0, and the other matching fields M1 are retained. N1 is generated from recirc_id(0) of the FLOW A matching field and the flag before ct, flag(ct_pre), and hash(id1) is then calculated from M1, giving RTE_FLOW_A1: table_id(0), first hardware matching field match: M1, first hardware action field action: jump(N1) + mark(id1).
The embodiment of the invention determines a first insertion position identifier for representing the insertion position of the first hardware flow table rule; determining a first hardware matching domain aiming at the first hardware flow table rule according to the first conventional message information; generating a first jump factor for the first hardware flow table rule by the first insertion position identification and first flag information of the first native flow table rule before connection tracking is performed; determining a first jump position identification for characterizing a jump position of the first hardware flow table rule by using the first jump coefficient; calculating a first hash value aiming at a first hardware flow table rule through the first conventional message information, and generating a first association mark by adopting the first hash value; determining a first hardware action domain for the first hardware flow table rule using the first jump location identifier and the first association tag; and determining the first hardware flow table rule by adopting the first hardware matching domain and the first hardware action domain, efficiently determining a first hardware flow table rule aiming at the first native flow table rule before connection tracking is executed, determining the first hardware matching domain containing a first jump position identification jump (N1), and determining the insertion position of the first hardware flow table rule in a connection information database table, and providing an implementation basis for unloading the flow table rule in a jump table mode.
In an alternative embodiment of the present invention, the step of determining, by the first hardware flow table rule, a second hardware flow table rule for the first native flow table rule after performing connection tracking includes:
acquiring a second native flow table rule corresponding to the first native flow table rule; the second native flow table rule includes a second native matching field, the second native matching field and the first native action field containing the same target recycling information for associating the second native flow table rule with the first native flow table rule;
generating a first insertion coefficient through the initial recycle information and second flag information of the first native flow table rule after performing connection tracking;
determining a second insertion position identifier for representing the insertion position of the second hardware flow table rule by adopting the first insertion coefficient;
determining a second hardware matching domain for the second hardware flow table rule using the first association tag;
generating a second jump coefficient by the target recycle information and third flag information for the second native flow table rule;
determining a second jump position identifier for characterizing a jump position of the second hardware flow table rule by adopting the second jump coefficient;
calculating a second hash value aiming at a second hardware flow table rule according to the target recycling information and the first conventional message information, and generating a second association mark by adopting the second hash value;
determining a second hardware action domain for the second hardware flow table rule using the second jump location identifier, the second association tag and the first other action information;
and determining the second hardware flow table rule by adopting the second hardware matching domain and the second hardware action domain.
In a specific implementation, the embodiment of the present invention may acquire a second native FLOW table rule FLOW B corresponding to the first native FLOW table rule FLOW a; the second native FLOW table rule FLOW B may be a native FLOW table rule having an association relationship with the first native FLOW table rule FLOW a, and in practical application, the second native matching field and the first native action field may include the same target recycling information recirc (idA). Therefore, the second native FLOW table rule FLOW B of the embodiment of the present invention may include a second native matching field, where the second native matching field and the first native action field contain the same target recycling information recirc (idA) used to associate the second native FLOW table rule FLOW B with the first native FLOW table rule FLOW a.
For example, the first native matching field of FLOW A may be M1, recirc_id(0), and the first native action field may be ct + recirc(idA) + ACT1 (other actions); the second native matching field of FLOW B may be M2, recirc(idA), ct_state(+est), and the second native action field may be ACT2.
After the second native flow table rule is obtained, the embodiment of the invention can generate a first insertion coefficient N2 through the initial recirculation information recirc_id(0) and the second flag information flag(ct_after) of the first native flow table rule FLOW A after connection tracking is executed, and then use the first insertion coefficient N2 to determine a second insertion position identification table_id(N2) for representing the insertion position of the second hardware flow table rule RTE_FLOW_A2; determine the second hardware matching field mark(id1) for RTE_FLOW_A2 using the first association mark mark(id1); generate a second jump coefficient N3 from the target recirculation information recirc(idA) and the third flag information flag(FLOW) for the second native flow table rule FLOW B; determine a second jump position identification jump(N3) for characterizing the jump position of RTE_FLOW_A2 using the second jump coefficient N3; calculate a second hash value hash(id2) for RTE_FLOW_A2 through the target recirculation information recirc(idA) and the first regular message information M1, and generate a second association mark mark(id2) from the second hash value hash(id2); determine the second hardware action field jump(N3) + mark(id2) + ACT1 for RTE_FLOW_A2 using the second jump position identification jump(N3), the second association mark mark(id2) and the first other action information ACT1; and determine the second hardware flow table rule RTE_FLOW_A2 using the second hardware matching field mark(id1) and the second hardware action field jump(N3) + mark(id2) + ACT1, wherein the second insertion position identification for the second hardware matching field mark(id1) is table_id(N2).
Illustratively, for RTE_FLOW_A2, N2 is generated as the table_id from recirc_id(0) of the FLOW A matching field and the flag after ct, flag(ct_after); N3 is generated from recirc(idA) of the action field and the next type flag(FLOW); hash(id1) is calculated from M1, and hash(id2) is calculated from recirc(idA) and M1, giving RTE_FLOW_A2: table_id(N2), second hardware matching field match: mark(id1), second hardware action field action: jump(N3) + mark(id2) + ACT1.
According to the embodiment of the invention, the second native flow table rule corresponding to the first native flow table rule is obtained; the second native flow table rule includes a second native matching field, the second native matching field and the first native action field containing the same target recycling information for associating the second native flow table rule with the first native flow table rule; generating a first insertion coefficient through the initial recycle information and second flag information of the first native flow table rule after performing connection tracking; determining a second insertion position identifier for representing the insertion position of the second hardware flow table rule by adopting the first insertion coefficient; determining a second hardware matching domain for the second hardware flow table rule using the first association tag; generating a second jump coefficient by the target recycle information and third flag information for the second native flow table rule; determining a second jump position identifier for characterizing a jump position of the second hardware flow table rule by adopting the second jump coefficient; calculating a second hash value aiming at a second hardware flow table rule according to the target recycling information and the first conventional message information, and generating a second association mark by adopting the second hash value; determining a second hardware action domain for the second hardware flow table rule using the second jump location identifier, the second association tag and the first other action information; and determining the second hardware flow table rule by adopting the second hardware matching domain and the second hardware action domain, efficiently determining the second hardware flow table rule aiming at the first native flow table rule before connection tracking is executed, determining the second hardware matching domain containing a second jump position identification jump (N3), and determining the insertion position of the second hardware flow table rule in a connection information database table, thereby providing an implementation basis for unloading the flow table rule in a jump table mode.
In an alternative embodiment of the present invention, further comprising:
acquiring connection tracking quintuple information aiming at the first native flow table rule;
determining a connection tracking five-tuple information matching domain through the connection tracking five-tuple information, and determining a connection tracking five-tuple information action domain by adopting the first insertion coefficient;
and determining a connection tracking five-tuple flow table rule aiming at the connection tracking five-tuple information based on the connection tracking five-tuple information matching field and the connection tracking five-tuple information action field, and determining a third insertion position identifier for representing the insertion position of the connection tracking five-tuple flow table rule by adopting the first jump coefficient as a second insertion coefficient.
In a specific implementation, the embodiment of the present invention may obtain a connection tracking five-tuple CONN A for the first native flow table rule FLOW A, where CONN A may have corresponding connection tracking five-tuple information M_CONN, for example source ip, destination ip, protocol, source port, destination port. The connection tracking five-tuple information matching field may be determined as M_CONN through the connection tracking five-tuple information M_CONN, and the connection tracking five-tuple information action field may be determined as jump(N2) using the first insertion coefficient N2. A connection tracking five-tuple flow table rule RTE_FLOW_CONN for the connection tracking five-tuple CONN A is then determined based on the connection tracking five-tuple information matching field M_CONN and the connection tracking five-tuple information action field jump(N2). Since the first jump coefficient is N1, a third insertion position identification for representing the insertion position of the connection tracking five-tuple flow table rule can be determined by using the first jump coefficient N1 as a second insertion coefficient; that is, the third insertion position identification for the connection tracking five-tuple information matching field M_CONN can be table_id(N1).
For example, the flow table offload module receives CONN A, sets its recirc_id to 0, calculates N1 and N2 according to flag(ct_pre) and flag(ct_after), and extracts the five-tuple (source ip, destination ip, protocol, source port, destination port) as the matching field M_CONN, giving RTE_FLOW_CONN: table_id(N1), connection tracking five-tuple information matching field match: M_CONN, connection tracking five-tuple information action field action: jump(N2).
The embodiment of the invention acquires the connection tracking five-tuple information aiming at the first original flow table rule; determining a connection tracking five-tuple information matching domain through the connection tracking five-tuple information, and determining a connection tracking five-tuple information action domain by adopting the first insertion coefficient; and determining a connection tracking five-tuple flow table rule aiming at the connection tracking five-tuple information based on the connection tracking five-tuple information matching domain and the connection tracking five-tuple information action domain, determining a third insertion position identifier for representing the insertion position of the connection tracking five-tuple flow table rule by adopting a first jump coefficient as a second insertion coefficient, efficiently determining the connection tracking five-tuple flow table rule, determining a connection tracking five-tuple information action domain jump (N2), and determining the insertion position of the connection tracking five-tuple flow table rule in a connection information database table, and providing an implementation basis for the follow-up unloading of the flow table rule in a jump table form.
In an alternative embodiment of the present invention, the second native flow table rule includes a second native matching field containing second regular message information and offloaded trace action state information; the second native action field includes second other action information, further including:
determining a third hardware matching domain by adopting the second conventional message information;
determining a third hardware action domain by adopting the second other action information;
and determining a third hardware flow table rule based on the third hardware matching domain and the third hardware action domain, and determining a fourth insertion position identifier for representing the insertion position of the third hardware flow table rule by adopting the second jump coefficient as a third insertion coefficient.
In a specific implementation, the second native flow table rule FLOW B of the embodiment of the present invention may include a second native action field, and its second native matching field may contain second regular message information M2, target recirculation information recirc(idA), and offloaded trace action state information ct_state(+est).
The embodiment of the invention can use the second regular message information M2 to determine the third hardware matching field M2; use the second other action information ACT2 to determine the third hardware action field ACT2; and determine a third hardware flow table rule RTE_FLOW_B based on the third hardware matching field M2 and the third hardware action field ACT2. Since the second jump coefficient is N3, a fourth insertion position identification for characterizing the insertion position of the third hardware flow table rule RTE_FLOW_B is determined using the second jump coefficient N3 as the third insertion coefficient; that is, the fourth insertion position identification for RTE_FLOW_B may be table_id(N3).
Illustratively, when the flow table offload module receives FLOW B, N3 is generated as the table_id of RTE_FLOW_B according to recirc(idA) of the matching field and flag(FLOW), giving RTE_FLOW_B: table_id(N3), third hardware matching field match: M2, third hardware action field action: ACT2.
The embodiment of the invention determines a third hardware matching domain by adopting the second conventional message information; determining a third hardware action domain by adopting the second other action information; based on the third hardware matching domain and the third hardware action domain, determining a third hardware FLOW table rule, and adopting a second jump coefficient as a third insertion coefficient to determine a fourth insertion position identifier for representing the insertion position of the third hardware FLOW table rule, determining that the third hardware FLOW table rule RTE_FLOW_B has a corresponding relation with the first original FLOW table rule, and determining the insertion position of the third hardware FLOW table rule RTE_FLOW_B in a connection information database table, thereby providing an implementation basis for unloading the FLOW table rule in a jump table form.
In an alternative embodiment of the present invention, the target second hardware FLOW table rule rte_flow_a2 has a corresponding counter for counting the first native FLOW table rule FLOW a.
In a specific implementation, the embodiment of the invention can maintain a separate counter for each hardware flow table rule and each connection. Because the software flow table rules and connections correspond one to one with their hardware counterparts, software can read the hardware counters directly and perform aging directly. Since every original software flow table rule has a corresponding flow table rule in hardware, and every hardware flow table rule has its own counter, the software flow table counts can be obtained directly from hardware, which simplifies the statistics counting and aging process.
In an optional embodiment of the invention, the connection tracking five-tuple flow table rule has a corresponding first connection information database, the second hardware flow table rule has a corresponding second connection information database, the third hardware flow table rule has a corresponding third connection information database, the method is applied to a hardware offload module having a corresponding flow table rule offload software OVS-DPDK, the step of offloading flow table rules for the data packet to the network card based on the first hardware flow table rule and the second hardware flow table rule comprises:
marking the first associated mark for the data packet based on the first hardware action domain;
when the first association mark is read, jumping to the first connection information database based on a first jumping position identification corresponding to the first association mark;
when the first connection information database does not have a connection tracking five-tuple flow table rule corresponding to the data packet, sending the data packet marked with the first association mark to flow table rule unloading software OVS-DPDK, wherein the flow table rule unloading software OVS-DPDK is used for executing the first native flow table rule on the data packet marked with the first association mark so as to unload the flow table rule aiming at the data packet to the network card;
when the first connection information database has a connection tracking five-tuple flow table rule corresponding to the data packet, jumping to the second connection information database based on the connection tracking five-tuple information action domain;
when the second connection information database has a second hardware flow table rule corresponding to the data packet, executing the first other action information based on the second hardware matching field and the second hardware action field, marking the second association mark for the data packet, and jumping to the third connection information database based on a second jumping position mark corresponding to the second association mark;
when the third connection information database has a third hardware flow table rule corresponding to the data packet, unloading the flow table rule for the data packet to the network card based on the third hardware flow table rule;
and when the third connection information database does not have the third hardware flow table rule corresponding to the data packet, sending the data packet marked with the second association mark to the flow table rule unloading software OVS-DPDK, wherein the flow table rule unloading software OVS-DPDK is used for executing the second native flow table rule on the data packet marked with the second association mark so as to unload the flow table rule aiming at the data packet to the network card.
In practical applications, a connection information database (conntrack table) may be established based on ct, and the connection information database may be used to store the corresponding FLOW table rules, and since the first hardware FLOW table rule rte_flow_a1, the second hardware FLOW table rule rte_flow_a2, the connection tracking five-tuple FLOW table rule rte_flow_conn, and the third hardware FLOW table rule rte_flow_b have been determined previously, the connection tracking five-tuple FLOW table rule rte_flow_conn may have a corresponding first connection information database, the second hardware FLOW table rule rte_flow_a2 may have a corresponding second connection information database, and the third hardware FLOW table rule rte_flow_b may have a corresponding third connection information database. The hardware flow table rule may be a flow table rule prefixed to RTE, the use of table_id (N) in the hardware flow table rule matching field may represent the insertion of a flow table into an nth hardware table entry, and the use of jump (N) in the hardware flow table rule action field represents the jump to an nth hardware table entry.
The embodiment of the invention can be applied to a hardware unloading module, the hardware unloading module is provided with a corresponding FLOW table rule unloading software OVS-DPDK, after the id1 and the id2 are determined, the id1 and the id2 can be stored into the OVS-DPDK, and the id1 and the id2 are recorded in the OVS-DPDK, and the states are respectively non-executed FLOW A and executed FLOW A. If the corresponding hardware FLOW table rule cannot be queried after the data packet carrying the id1 is received subsequently, the FLOW table rule unloading is required to be executed based on the OVS-DPDK, then the FLOW A can be executed again through the OVS-DPDK based on the id1, if the data packet carrying the id2 is received, the data packet can be sent to an OVS-DPDK pipeline of the recirc (idA), and the FLOW B is executed after the OVS-DPDK is used for looking up the table.
Specifically, in the embodiment of the invention, the data packet is marked with the first association mark (id1) based on the first hardware action domain jump(N1) + mark(id1), and is then processed as follows:
when the first association mark (id1) is read, jump to the first connection information database based on the first jump position identifier jump(N1) corresponding to the first association mark (id1);
when the first connection information database has no connection tracking five-tuple flow table rule RTE_FLOW_CONN corresponding to the data packet, send the data packet marked with the first association mark (id1) to the software flow table offload module, which executes the first native flow table rule FLOW A on that data packet so as to offload the flow table of the data packet to the network card;
when the first connection information database has a connection tracking five-tuple flow table rule RTE_FLOW_CONN corresponding to the data packet, jump to the second connection information database based on the connection tracking five-tuple information action field jump(N2);
when the second connection information database has a second hardware flow table rule RTE_FLOW_A2 corresponding to the data packet, execute the first other action information ACT1 based on the second hardware matching field mark(id1) and the second hardware action field jump(N3) + mark(id2) + ACT1, mark the data packet with the second association mark (id2), and jump to the third connection information database based on the second jump position identifier jump(N3) corresponding to the second association mark (id2);
when the third connection information database has a third hardware flow table rule RTE_FLOW_B corresponding to the data packet, offload the flow table of the data packet to the network card based on the third hardware flow table rule RTE_FLOW_B;
and when the third connection information database has no third hardware flow table rule RTE_FLOW_B corresponding to the data packet, send the data packet marked with the second association mark (id2) to the software flow table offload module, which executes the second native flow table rule FLOW B on that data packet so as to offload the flow table of the data packet to the network card.
Referring to fig. 2, fig. 2 is a schematic structural diagram of a connection information database according to an embodiment of the present invention. The connection information database 201 may be an initial connection information database table0, which stores the first hardware flow table rule RTE_FLOW_A1, whose first hardware matching field is M1 and whose first hardware action field is jump(N1) + mark(id1). The connection information database 202 is a first connection information database table N1, which may store the connection tracking five-tuple flow table rule RTE_FLOW_CONN, whose connection tracking five-tuple information matching field is M_CONN and whose connection tracking five-tuple information action field is jump(N2). The connection information database 203 is a second connection information database table N2, which stores the second hardware flow table rule RTE_FLOW_A2, whose second hardware matching field is mark(id1) and whose second hardware action field is jump(N3) + mark(id2) + ACT1. The connection information database 204 may be a third connection information database table N3, which may store the third hardware flow table rule RTE_FLOW_B, whose third hardware matching field is M2 and whose third hardware action field is ACT2.
When a data packet passes through the hardware offload module, it is first matched against RTE_FLOW_A1 in the connection information database 201 and labeled with the id1 tag, and then jumps to the entry of the connection information database 202 for the connection lookup against RTE_FLOW_CONN. If an RTE_FLOW_CONN whose M_CONN matches the five-tuple of the data packet is found in the connection information database 202, processing jumps to the connection information database 203. If no such RTE_FLOW_CONN is found in the connection information database 202, the data packet carrying id1 is sent up to the OVS-DPDK software for processing; in this case the hardware flow table counter is not incremented, and FLOW A is re-executed by the OVS-DPDK software.
If, in the connection information database 203, the mark(id1) of RTE_FLOW_A2 matches the mark of the data packet, the remaining actions of FLOW A are executed, the data packet is labeled with id2, and processing jumps to the connection information database 204;
in the connection information database 204, M2 is matched against the information of the data packet: if the lookup succeeds, the action ACT2 of RTE_FLOW_B is executed; if the lookup fails, the data packet carrying id2 is sent up to the OVS-DPDK software, which executes FLOW B.
In order that those skilled in the art will better understand the embodiments of the present invention, a complete example will be described below.
In practical application, the OVS connection tracking (conntrack) module matches and acts on connections by extracting the five-tuple information (source ip, destination ip, protocol, source port, destination port) of the data packet and by maintaining and recording the state of the connection. The different phases of a connection are identified by connection states; common states are new and est. Because OVS performs a recirculation (recirc) operation, which sends the packet through the pipeline again, each time a packet passes through the conntrack module, and each recirc forms a flow table, a single packet forms several flow tables as it passes through the connection tracking module.
Because connection tracking is complex to implement, hardware typically only offloads traffic in the est state. The prior art generally implements connection tracking offload by merging flow table rules in software: all flow tables formed by connection tracking for one data packet are merged, the merged flow table has no connection state and no ct action, and the merged flow table is finally offloaded to hardware.
The defects of the existing scheme are that:
1) The software merged flow table scheme makes large changes to the software OVS and has to maintain the relation between the merged flow table and the original flow tables, which increases memory consumption and gives poor compatibility.
2) The original software flow tables and the merged flow tables are in a many-to-many relation. Because only the merged flow tables exist in hardware, the count of each original software flow table has to be calculated from every merged flow table, and every count requires a lookup of the association relation, so the logic is complex.
3) Because the merged flow table has to be added and the association logic has to be established during offloading, the time needed to offload a tracked connection increases and the offload speed decreases.
Therefore, a flow table rule unloading system for the data packet of the network card can be designed, and the flow table rule unloading system comprises an OVS-DPDK flow table unloading module and a hardware unloading module so as to overcome the problems.
Specifically, the native flow tables and the connection that pass through OVS-DPDK connection tracking are as follows:
FLOW A: matching field: M1, recirc_id(0); action field: ct + recirc(idA) + ACT1 (other actions)
CONN A: connection five-tuple
FLOW B: matching field: M2, recirc(idA), ct_state(+est); action field: ACT2.
When the software flow table offload module receives FLOW A, it enters the ct branch of flow table offloading because the action field of FLOW A contains the ct action, and splits FLOW A into two hardware flow tables, RTE_FLOW_A1 and RTE_FLOW_A2. A1 applies before the CT connection table is searched and A2 applies after it. The reason for the split is that, when the hardware offload module performs the table lookup, it can distinguish a failure caused by no connection being found from a failure caused by no FLOW B being found. In the hardware flow table, table_id(N) in the matching field means that the flow table is inserted into the Nth hardware entry, and jump(N) in the action field means a jump to the Nth hardware entry. mark(id) serves as the match item for packets sent up to software and identifies that A1 and A2 belong to FLOW A. The count of FLOW A uses the hardware counter of RTE_FLOW_A2.
Because RTE_FLOW_A1 is the first flow table a data packet passes through, its table_id is 0 and the other matching fields M1 are retained. N1 is generated from the recirc_id(0) of the FLOW A matching field and the flag before ct, flag(ct_pre). Finally, the hash id1 is calculated from M1, which gives RTE_FLOW_A1: table_id(0), match: M1, action: jump(N1) + mark(id1).
For RTE_FLOW_A2, N2 is generated as the table_id from the recirc_id(0) of the FLOW A matching field and the flag after ct, flag(ct_after), and N3 is generated from the action field recirc(idA) and the next-type flag, Flag(FLOW). The hash id1 is calculated from M1 and the hash id2 from recirc(idA) and M1, which gives RTE_FLOW_A2: table_id(N2), match: mark(id1), action: jump(N3) + mark(id2) + ACT1.
id1 and id2 are recorded in OVS-DPDK with the states "FLOW A not executed" and "FLOW A executed" respectively. If a data packet carrying id1 is received, FLOW A is executed again; if a data packet carrying id2 is received, it is sent to the recirc(idA) pipeline of OVS-DPDK, which looks up the table and executes FLOW B.
When the flow table offload module receives CONN A, it sets the recirc_id to 0, calculates N1 and N2 from flag(ct_pre) and flag(ct_after), and extracts the five-tuple (source ip, destination ip, protocol, source port, destination port) as the matching field M_CONN, which gives RTE_FLOW_CONN: table_id(N1), match: M_CONN, action: jump(N2).
When the flow table offload module receives FLOW B, it generates N3 as the table_id of RTE_FLOW_B from the matching field recirc(idA) and Flag(FLOW), which gives RTE_FLOW_B: table_id(N3), match: M2, action: ACT2.
When a data packet passes through the hardware offload module, the module first matches it against the corresponding RTE_FLOW_A1, labels it with the id1 tag, and then jumps to the entry of N1 for the connection lookup;
if an RTE_FLOW_CONN whose M_CONN matches the five-tuple of the data packet is found in N1, processing jumps to table N2. If none is found, the data packet carrying id1 is sent up to OVS-DPDK for processing; in this case the hardware flow table counter is not incremented, and FLOW A is re-executed by OVS-DPDK;
if the mark(id1) of RTE_FLOW_A2 in N2 matches the mark of the data packet, the remaining actions of FLOW A are executed, the data packet is labeled with id2, and processing jumps to N3;
in N3, M2 is matched against the information of the data packet: if the lookup succeeds, the action ACT2 of RTE_FLOW_B is executed; if the lookup fails, the data packet carrying id2 is sent up to OVS-DPDK, which executes FLOW B.
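The translation of FLOW A, CONN A and FLOW B and the four-table lookup described above, as an added Python model (not code from the patent or from OVS-DPDK). The sequential table-id allocator, the CRC32 mark hash, the packet field names and the sample packet are assumptions constructed for illustration; the text only states which inputs N1 to N3 and id1/id2 are derived from.

```python
import zlib
from dataclasses import dataclass

CT_PRE, CT_AFTER, FLOW = "ct_pre", "ct_after", "flow"  # the three flags from the text

@dataclass
class Rule:
    name: str
    table: int      # table_id(N): hardware entry the rule is inserted into
    match: dict     # field -> value; the key "mark" matches the packet's current mark
    actions: list   # ordered (kind, arg) pairs, kind in {"jump", "mark", "act"}
    hits: int = 0   # independent per-rule hardware counter

def mark_id(*parts):
    # Assumption: CRC32 stands in for the unspecified hash that yields id1 / id2.
    return zlib.crc32(repr(parts).encode()) or 1

class Hardware:
    def __init__(self):
        self.tables = {}   # table_id -> list of Rule
        self._ids = {}     # (recirc_id, flag) -> table_id

    def table_id(self, recirc_id, flag):
        # Assumption: keyed sequential allocator. Any deterministic mapping works, as
        # long as FLOW A, CONN A and FLOW B derive the same N from the same inputs.
        return self._ids.setdefault((recirc_id, flag), len(self._ids) + 1)

    def add(self, rule):
        self.tables.setdefault(rule.table, []).append(rule)
        return rule

    def process(self, pkt):
        """Walk the tables from table 0. Returns (verdict, mark, executed actions)."""
        tid, mark, done = 0, None, []
        while True:
            view = dict(pkt, mark=mark)
            rule = next((r for r in self.tables.get(tid, [])
                         if all(view.get(k) == v for k, v in r.match.items())), None)
            if rule is None:
                return "upcall", mark, done   # miss: packet goes to software with its mark
            rule.hits += 1
            nxt = None
            for kind, arg in rule.actions:
                if kind == "jump":
                    nxt = arg
                elif kind == "mark":
                    mark = arg
                else:
                    done.append(arg)
            if nxt is None:
                return "offloaded", mark, done
            tid = nxt

def offload_flow_a(hw, sw, m1, ida, act1):
    """Split FLOW A (match M1, recirc_id(0); action ct + recirc(idA) + ACT1)."""
    n1, n2, n3 = hw.table_id(0, CT_PRE), hw.table_id(0, CT_AFTER), hw.table_id(ida, FLOW)
    key = sorted(m1.items())
    id1, id2 = mark_id(key), mark_id(ida, key)
    hw.add(Rule("RTE_FLOW_A1", 0, dict(m1), [("jump", n1), ("mark", id1)]))
    a2 = hw.add(Rule("RTE_FLOW_A2", n2, {"mark": id1},
                     [("jump", n3), ("mark", id2), ("act", act1)]))
    sw[id1] = "re-execute FLOW A"                        # state: FLOW A not executed
    sw[id2] = "recirc(idA): look up and execute FLOW B"  # state: FLOW A executed
    return a2   # its counter is the count of FLOW A

def offload_conn_a(hw, five_tuple):
    n1, n2 = hw.table_id(0, CT_PRE), hw.table_id(0, CT_AFTER)
    return hw.add(Rule("RTE_FLOW_CONN", n1, {"five_tuple": five_tuple}, [("jump", n2)]))

def offload_flow_b(hw, m2, ida, act2):
    return hw.add(Rule("RTE_FLOW_B", hw.table_id(ida, FLOW), dict(m2), [("act", act2)]))

def demo():
    """Offload the three native entries one at a time and probe after each step."""
    hw, sw, ida = Hardware(), {}, 0x10                   # idA value is constructed
    conn = ("10.0.0.1", "10.0.0.2", "tcp", 40000, 443)   # constructed five-tuple
    pkt = {"in_port": 1, "eth_type": 0x0800, "ip_proto": 6, "five_tuple": conn}
    trace = []

    def probe(p):
        verdict, mark, done = hw.process(p)
        todo = sw.get(mark) if verdict == "upcall" else None
        trace.append((verdict, todo, done, a2.hits))

    a2 = offload_flow_a(hw, sw, {"in_port": 1, "eth_type": 0x0800}, ida, "ACT1")
    probe(pkt)                                   # no connection yet: miss in N1
    offload_conn_a(hw, conn)
    probe(pkt)                                   # FLOW B not offloaded yet: miss in N3
    offload_flow_b(hw, {"ip_proto": 6}, ida, "ACT2")
    probe(pkt)                                   # full hardware path
    probe(dict(pkt, five_tuple=("10.0.0.9", "10.0.0.2", "tcp", 40001, 443)))
    return trace

if __name__ == "__main__":
    for step in demo():
        print(step)
```

The mark carried on a miss is what lets software tell the two failure cases apart, and the RTE_FLOW_A2 counter only advances once the connection lookup has succeeded.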
With this method no merged flow table is used: each software flow table is converted directly and then offloaded to hardware, so the relation between a merged flow table and the original flow tables does not have to be maintained, and software memory is saved.
Because every original software flow table has a corresponding flow table in hardware, and every hardware flow table has an independent counter, the software flow table count can be read directly from the hardware, which simplifies the statistics, counting and aging flows.
With a merged flow table, offloading has to wait until the last flow table the data packet passes through has been generated. Here the offload of each flow table is independent and can be initiated as soon as that flow table is generated, so the original serial operation is split into several segments that run in parallel, which improves the offload speed.
It should be noted that, for simplicity of description, the method embodiments are shown as a series of acts, but it should be understood by those skilled in the art that the embodiments are not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the embodiments. Further, those skilled in the art will appreciate that the embodiments described in the specification are presently preferred embodiments, and that the acts are not necessarily required by the embodiments of the invention.
The embodiment of the invention also discloses a network card, which is provided with a flow table rule unloading system for the data packet of the network card, wherein the flow table rule unloading system is used for realizing each process of the flow table rule unloading method embodiment for the data packet of the network card when the flow table rule unloading system is executed, and the same technical effect can be achieved, so that repetition is avoided and repeated description is omitted.
Referring to fig. 3, a structural block diagram of a flow table rule uninstalling device for a data packet of a network card according to an embodiment of the present invention may specifically include the following modules:
a first native flow table rule obtaining module 301, configured to obtain a first native flow table rule; the first native flow table rule includes a first native action domain; the first native action domain includes connection trace action information;
a first hardware flow table rule determining module 302, configured to determine, according to the connection tracking action information, a first hardware flow table rule for the first native flow table rule before performing connection tracking;
a second hardware flow table rule determining module 303, configured to determine, by using the first hardware flow table rule, a second hardware flow table rule for the first native flow table rule after performing connection tracking;
And the flow table rule unloading module 304 is configured to unload the flow table rule for the data packet to the network card based on the first hardware flow table rule and the second hardware flow table rule.
Optionally, the first native flow table rule includes a first native matching field, the first native matching field containing first regular message information and initial recycling information, the first native action field containing first other action information, and the first hardware flow table rule determining module may include:
a first insertion location identification determination submodule for determining a first insertion location identification for characterizing an insertion location of the first hardware flow table rule;
a first hardware matching domain determining submodule, configured to determine a first hardware matching domain for the first hardware flow table rule according to the first regular packet information;
a first jump coefficient generation sub-module, configured to generate a first jump coefficient for the first hardware flow table rule according to the first insertion location identifier and first flag information of the first native flow table rule before performing connection tracking;
a first jump location identity determination submodule for determining a first jump location identity for characterizing a jump location of the first hardware flow table rule using the first jump coefficient;
The first association mark generation sub-module is used for calculating a first hash value aiming at a first hardware flow table rule through the first conventional message information and generating a first association mark by adopting the first hash value;
a first hardware action domain determination submodule, configured to determine a first hardware action domain for the first hardware flow table rule using the first jump location identifier and the first association flag;
and the first hardware flow table rule determining submodule is used for determining the first hardware flow table rule by adopting the first hardware matching domain and the first hardware action domain.
Optionally, the second hardware flow table rule determining module may include:
a second native flow table rule obtaining sub-module, configured to obtain a second native flow table rule corresponding to the first native flow table rule; the second native flow table rule includes a second native matching field, the second native matching field and the first native action field containing the same target recycling information for associating the second native flow table rule with the first native flow table rule;
a first insertion coefficient generation sub-module for generating a first insertion coefficient from the initial recycle information and second flag information of the first native flow table rule after performing connection tracking;
A second insertion position identification determining submodule, configured to determine a second insertion position identification for characterizing an insertion position of the second hardware flow table rule using the first insertion coefficient;
a second hardware matching domain determining submodule, configured to determine a second hardware matching domain for the second hardware flow table rule using the first association flag;
a second jump coefficient generation sub-module for generating a second jump coefficient from the target recycle information and third flag information for the second native flow table rule;
a second jump location identity determination submodule for determining a second jump location identity for characterizing a jump location of the second hardware flow table rule using the second jump coefficient;
a second association tag determination submodule, configured to calculate a second hash value for a second hardware flow table rule according to the target recirculation information and the first regular message information, and generate a second association tag using the second hash value;
a second hardware action domain determining submodule, configured to determine a second hardware action domain for the second hardware flow table rule using the second jump location identifier, the second association flag, and the first other action information;
And the second hardware flow table rule determining submodule is used for determining the second hardware flow table rule by adopting the second hardware matching domain and the second hardware action domain.
Optionally, the method may further include:
the connection tracking five-tuple information acquisition module is used for acquiring connection tracking five-tuple information aiming at the first native flow table rule;
the connection tracking quintuple information action domain determining module is used for determining a connection tracking quintuple information matching domain through the connection tracking quintuple information and determining the connection tracking quintuple information action domain by adopting the first insertion coefficient;
and the connection tracking five-tuple flow table rule determining module is used for determining the connection tracking five-tuple flow table rule aiming at the connection tracking five-tuple information based on the connection tracking five-tuple information matching domain and the connection tracking five-tuple information action domain, and determining a third insertion position identifier for representing the insertion position of the connection tracking five-tuple flow table rule by adopting the first jump coefficient as a second insertion coefficient.
Optionally, the second native flow table rule includes a second native action domain, the second native matching domain including second regular message information and offloaded trace action state information; the second native action field includes second other action information and may further include:
The third hardware matching domain determining module is used for determining a third hardware matching domain by adopting the second conventional message information;
a third hardware action domain determining module, configured to determine a third hardware action domain using the second other action information;
and the third hardware flow table rule determining module is used for determining a third hardware flow table rule based on the third hardware matching domain and the third hardware action domain, and determining a fourth insertion position identifier for representing the insertion position of the third hardware flow table rule by adopting the second jump coefficient as a third insertion coefficient.
Optionally, the target second hardware flow table rule has a corresponding counter for counting the first native flow table rule.
Optionally, the connection tracking five-tuple flow table rule has a corresponding first connection information database, the second hardware flow table rule has a corresponding second connection information database, the third hardware flow table rule has a corresponding third connection information database, the apparatus is applied to a hardware offload module, the hardware offload module has a corresponding flow table rule offload software OVS-DPDK, the flow table rule offload module includes:
A data packet marking sub-module configured to mark the data packet with the first association mark based on the first hardware action domain;
a first jump sub-module for jumping to the first connection information database based on a first jump position identification corresponding to the first association mark when the first association mark is read;
a first data packet sending sub-module, configured to send, when the first connection information database does not have a connection tracking five-tuple flow table rule corresponding to the data packet, the data packet marked with the first association flag to the flow table rule unloading software OVS-DPDK, where the flow table rule unloading software OVS-DPDK is configured to execute the first native flow table rule on the data packet marked with the first association flag, so as to unload the flow table rule for the data packet to the network card;
a second jump sub-module, configured to jump to the second connection information database based on the connection tracking five-tuple information action domain when the first connection information database has the connection tracking five-tuple flow table rule corresponding to the data packet;
a third jump sub-module, configured to, when the second connection information database has a second hardware flow table rule corresponding to the data packet, execute the first other action information based on the second hardware matching field and the second hardware action field, mark the second association mark for the data packet, and jump to the third connection information database based on a second jump position identifier corresponding to the second association mark;
A flow table rule unloading sub-module, configured to, when the third connection information database has a third hardware flow table rule corresponding to the data packet, unload, based on the third hardware flow table rule, the flow table rule for the data packet to the network card;
and the second data packet sending sub-module is used for sending the data packet marked with the second association mark to the flow table rule unloading software OVS-DPDK when the third connection information database does not have the third hardware flow table rule corresponding to the data packet, and the flow table rule unloading software OVS-DPDK is used for executing the second native flow table rule on the data packet marked with the second association mark so as to unload the flow table rule aiming at the data packet to the network card.
For the device embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and reference is made to the description of the method embodiments for relevant points.
In addition, the embodiment of the invention also provides an electronic device, which comprises a processor, a memory, and a computer program stored in the memory and executable on the processor. When executed by the processor, the computer program implements each process of the above embodiment of the flow table rule unloading method for the data packet of the network card and can achieve the same technical effect; to avoid repetition, details are not repeated here.
The embodiment of the invention also provides a computer readable storage medium, on which a computer program is stored, which when executed by a processor, implements each process of the above embodiment of the method for unloading the flow table rule of the data packet for the network card, and can achieve the same technical effect, so that repetition is avoided and redundant description is omitted. Wherein the computer readable storage medium is selected from Read-Only Memory (ROM), random access Memory (Random Access Memory, RAM), magnetic disk or optical disk.
Fig. 4 is a schematic hardware structure of an electronic device implementing various embodiments of the present invention.
The electronic device 400 includes, but is not limited to: radio frequency unit 401, network module 402, audio output unit 403, input unit 404, sensor 405, display unit 406, user input unit 407, interface unit 408, memory 409, processor 410, and power source 411. Those skilled in the art will appreciate that the electronic device structure shown in fig. 4 is not limiting of the electronic device and that the electronic device may include more or fewer components than shown, or may combine certain components, or a different arrangement of components. In the embodiment of the invention, the electronic equipment comprises, but is not limited to, a mobile phone, a tablet computer, a notebook computer, a palm computer, a vehicle-mounted terminal, a wearable device, a pedometer and the like.
It should be understood that, in the embodiment of the present invention, the radio frequency unit 401 may be used for receiving and transmitting signals during the process of receiving and transmitting information or communication, specifically, receiving downlink data from a base station and then processing the received downlink data by the processor 410; and, the uplink data is transmitted to the base station. Typically, the radio frequency unit 401 includes, but is not limited to, an antenna, at least one amplifier, a transceiver, a coupler, a low noise amplifier, a duplexer, and the like. In addition, the radio frequency unit 401 may also communicate with networks and other devices through a wireless communication system.
The electronic device provides wireless broadband internet access to the user through the network module 402, such as helping the user to send and receive e-mail, browse web pages, and access streaming media, etc.
The audio output unit 403 may convert audio data received by the radio frequency unit 401 or the network module 402 or stored in the memory 409 into an audio signal and output as sound. Also, the audio output unit 403 may also provide audio output (e.g., a call signal reception sound, a message reception sound, etc.) related to a specific function performed by the electronic device 400. The audio output unit 403 includes a speaker, a buzzer, a receiver, and the like.
The input unit 404 is used to receive an audio or video signal. The input unit 404 may include a graphics processor (Graphics Processing Unit, GPU) 4041 and a microphone 4042, the graphics processor 4041 processing image data of still pictures or video obtained by an image capturing device (e.g., a camera) in a video capturing mode or an image capturing mode. The processed image frames may be displayed on the display unit 406. The image frames processed by the graphics processor 4041 may be stored in memory 409 (or other storage medium) or transmitted via the radio frequency unit 401 or the network module 402. The microphone 4042 may receive sound and may be capable of processing such sound into audio data. The processed audio data may be converted into a format output that can be transmitted to the mobile communication base station via the radio frequency unit 401 in the case of a telephone call mode.
The electronic device 400 also includes at least one sensor 405, such as a light sensor, a motion sensor, and other sensors. Specifically, the light sensor includes an ambient light sensor that can adjust the brightness of the display panel 4061 according to the brightness of ambient light, and a proximity sensor that can turn off the display panel 4061 and/or the backlight when the electronic device 400 is moved to the ear. As one of the motion sensors, the accelerometer sensor can detect the acceleration in all directions (generally three axes), and can detect the gravity and direction when stationary, and can be used for recognizing the gesture of the electronic equipment (such as horizontal and vertical screen switching, related games, magnetometer gesture calibration), vibration recognition related functions (such as pedometer and knocking), and the like; the sensor 405 may further include a fingerprint sensor, a pressure sensor, an iris sensor, a molecular sensor, a gyroscope, a barometer, a hygrometer, a thermometer, an infrared sensor, etc., which are not described herein.
The display unit 406 is used to display information input by a user or information provided to the user. The display unit 406 may include a display panel 4061, and the display panel 4061 may be configured in the form of a liquid crystal display (Liquid Crystal Display, LCD), an Organic Light-Emitting Diode (OLED), or the like.
The user input unit 407 may be used to receive input numeric or character information and to generate key signal inputs related to user settings and function control of the electronic device. Specifically, the user input unit 407 includes a touch panel 4071 and other input devices 4072. The touch panel 4071, also referred to as a touch screen, may collect touch operations thereon or thereabout by a user (e.g., operations of the user on the touch panel 4071 or thereabout using any suitable object or accessory such as a finger, stylus, etc.). The touch panel 4071 may include two parts, a touch detection device and a touch controller. The touch detection device detects the touch azimuth of a user, detects a signal brought by touch operation and transmits the signal to the touch controller; the touch controller receives touch information from the touch detection device, converts it into touch point coordinates, and sends the touch point coordinates to the processor 410, and receives and executes commands sent from the processor 410. In addition, the touch panel 4071 may be implemented in various types such as resistive, capacitive, infrared, and surface acoustic wave. The user input unit 407 may include other input devices 4072 in addition to the touch panel 4071. In particular, other input devices 4072 may include, but are not limited to, a physical keyboard, function keys (e.g., volume control keys, switch keys, etc.), a trackball, a mouse, and a joystick, which are not described in detail herein.
Further, the touch panel 4071 may be overlaid on the display panel 4061, and when the touch panel 4071 detects a touch operation thereon or thereabout, the touch operation is transferred to the processor 410 to determine the type of touch event, and then the processor 410 provides a corresponding visual output on the display panel 4061 according to the type of touch event. Although in fig. 4, the touch panel 4071 and the display panel 4061 are two independent components for implementing the input and output functions of the electronic device, in some embodiments, the touch panel 4071 may be integrated with the display panel 4061 to implement the input and output functions of the electronic device, which is not limited herein.
The interface unit 408 is an interface to which an external device is connected to the electronic apparatus 400. For example, the external devices may include a wired or wireless headset port, an external power (or battery charger) port, a wired or wireless data port, a memory card port, a port for connecting a device having an identification module, an audio input/output (I/O) port, a video I/O port, an earphone port, and the like. The interface unit 408 may be used to receive input (e.g., data information, power, etc.) from an external device and transmit the received input to one or more elements within the electronic apparatus 400 or may be used to transmit data between the electronic apparatus 400 and an external device.
Memory 409 may be used to store software programs as well as various data. The memory 409 may mainly include a storage program area that may store an operating system, application programs required for at least one function (such as a sound playing function, an image playing function, etc.), and a storage data area; the storage data area may store data (such as audio data, phonebook, etc.) created according to the use of the handset, etc. In addition, memory 409 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid-state storage device.
The processor 410 is a control center of the electronic device, connects various parts of the entire electronic device using various interfaces and lines, and performs various functions of the electronic device and processes data by running or executing software programs and/or modules stored in the memory 409 and invoking data stored in the memory 409, thereby performing overall monitoring of the electronic device. Processor 410 may include one or more processing units; preferably, the processor 410 may integrate an application processor that primarily handles operating systems, user interfaces, applications, etc., with a modem processor that primarily handles wireless communications. It will be appreciated that the modem processor described above may not be integrated into the processor 410.
The electronic device 400 may also include a power supply 411 (e.g., a battery) for powering the various components, and preferably the power supply 411 may be logically connected to the processor 410 via a power management system that performs functions such as managing charging, discharging, and power consumption.
In addition, the electronic device 400 includes some functional modules, which are not shown, and are not described herein.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
From the above description of the embodiments, it will be clear to those skilled in the art that the above-described embodiment method may be implemented by means of software plus a necessary general hardware platform, but of course may also be implemented by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) comprising instructions for causing a terminal (which may be a mobile phone, a computer, a server, an air conditioner, or a network device, etc.) to perform the method according to the embodiments of the present invention.
The embodiments of the present invention have been described above with reference to the accompanying drawings, but the present invention is not limited to the above-described embodiments, which are merely illustrative and not restrictive, and many forms may be made by those having ordinary skill in the art without departing from the spirit of the present invention and the scope of the claims, which are to be protected by the present invention.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB disk, a removable hard disk, a ROM, a RAM, a magnetic disk, or an optical disk, etc.
The foregoing is merely illustrative of the present invention, and the present invention is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present invention. Therefore, the protection scope of the invention is subject to the protection scope of the claims.

Claims (15)

1. A flow table rule offloading method for a data packet of a network card, characterized by comprising the following steps:
acquiring a first native flow table rule; the first native flow table rule includes a first native action domain; the first native action domain includes connection tracking action information;
determining, by the connection tracking action information, a first hardware flow table rule for the first native flow table rule prior to performing connection tracking;
determining, by the first hardware flow table rule, a second hardware flow table rule for the first native flow table rule after performing connection tracking;
and offloading the flow table rule for the data packet to the network card based on the first hardware flow table rule and the second hardware flow table rule.
2. The method of claim 1, wherein the first native flow table rule comprises a first native matching domain containing first regular message information and initial recirculation information, the first native action domain containing first other action information, the step of determining a first hardware flow table rule for the first native flow table rule prior to performing connection tracking by the connection tracking action information comprising:
determining a first insertion position identifier characterizing an insertion position of the first hardware flow table rule;
determining a first hardware matching domain for the first hardware flow table rule according to the first regular message information;
generating a first jump coefficient for the first hardware flow table rule by the first insertion position identifier and first flag information of the first native flow table rule before connection tracking is performed;
determining a first jump position identifier for characterizing a jump position of the first hardware flow table rule by using the first jump coefficient;
calculating a first hash value for the first hardware flow table rule through the first regular message information, and generating a first association mark by adopting the first hash value;
determining a first hardware action domain for the first hardware flow table rule using the first jump position identifier and the first association mark;
and determining the first hardware flow table rule by adopting the first hardware matching domain and the first hardware action domain.
3. The method of claim 2, wherein the step of determining, by the first hardware flow table rule, a second hardware flow table rule for the first native flow table rule after performing connection tracking comprises:
acquiring a second native flow table rule corresponding to the first native flow table rule; the second native flow table rule includes a second native matching domain, the second native matching domain and the first native action domain containing the same target recirculation information for associating the second native flow table rule with the first native flow table rule;
generating a first insertion coefficient through the initial recirculation information and second flag information of the first native flow table rule after performing connection tracking;
determining a second insertion position identifier for representing the insertion position of the second hardware flow table rule by adopting the first insertion coefficient;
determining a second hardware matching domain for the second hardware flow table rule using the first association mark;
generating a second jump coefficient by the target recirculation information and third flag information for the second native flow table rule;
determining a second jump position identifier for characterizing a jump position of the second hardware flow table rule by adopting the second jump coefficient;
calculating a second hash value for the second hardware flow table rule according to the target recirculation information and the first regular message information, and generating a second association mark by adopting the second hash value;
determining a second hardware action domain for the second hardware flow table rule using the second jump position identifier, the second association mark and the first other action information;
and determining the second hardware flow table rule by adopting the second hardware matching domain and the second hardware action domain.
4. The method of claim 3, further comprising:
acquiring connection tracking five-tuple information for the first native flow table rule;
determining a connection tracking five-tuple information matching domain through the connection tracking five-tuple information, and determining a connection tracking five-tuple information action domain by adopting the first insertion coefficient;
and determining a connection tracking five-tuple flow table rule for the connection tracking five-tuple information based on the connection tracking five-tuple information matching domain and the connection tracking five-tuple information action domain, and determining a third insertion position identifier for representing the insertion position of the connection tracking five-tuple flow table rule by adopting the first jump coefficient as a second insertion coefficient.
5. The method of claim 4, wherein the second native flow table rule comprises a second native action domain, the second native matching domain containing second regular message information and offloaded trace action state information; the second native action domain includes second other action information, the method further comprising:
determining a third hardware matching domain by adopting the second regular message information;
determining a third hardware action domain by adopting the second other action information;
and determining a third hardware flow table rule based on the third hardware matching domain and the third hardware action domain, and determining a fourth insertion position identifier for representing the insertion position of the third hardware flow table rule by adopting the second jump coefficient as a third insertion coefficient.
6. The method of claim 5, wherein the target second hardware flow table rule has a corresponding counter for counting the first native flow table rule.
7. The method of claim 6, wherein the connection tracking five-tuple flow table rule has a corresponding first connection information database, the second hardware flow table rule has a corresponding second connection information database, the third hardware flow table rule has a corresponding third connection information database, the method being applied to a hardware offload module having corresponding flow table rule offloading software OVS-DPDK, the step of offloading flow table rules for the data packet to the network card based on the first hardware flow table rule and the second hardware flow table rule comprising:
marking the data packet with the first association mark based on the first hardware action domain;
when the first association mark is read, jumping to the first connection information database based on a first jump position identifier corresponding to the first association mark;
when the first connection information database does not have a connection tracking five-tuple flow table rule corresponding to the data packet, sending the data packet marked with the first association mark to the flow table rule offloading software OVS-DPDK, wherein the flow table rule offloading software OVS-DPDK is used for executing the first native flow table rule on the data packet marked with the first association mark so as to offload the flow table rule for the data packet to the network card;
when the first connection information database has a connection tracking five-tuple flow table rule corresponding to the data packet, jumping to the second connection information database based on the connection tracking five-tuple information action domain;
when the second connection information database has a second hardware flow table rule corresponding to the data packet, executing the first other action information based on the second hardware matching domain and the second hardware action domain, marking the data packet with the second association mark, and jumping to the third connection information database based on a second jump position identifier corresponding to the second association mark;
when the third connection information database has a third hardware flow table rule corresponding to the data packet, offloading the flow table rule for the data packet to the network card based on the third hardware flow table rule;
and when the third connection information database does not have the third hardware flow table rule corresponding to the data packet, sending the data packet marked with the second association mark to the flow table rule offloading software OVS-DPDK, wherein the flow table rule offloading software OVS-DPDK is used for executing the second native flow table rule on the data packet marked with the second association mark so as to offload the flow table rule for the data packet to the network card.
8. A flow table rule offloading device for a data packet of a network card, comprising:
a first native flow table rule acquisition module, configured to acquire a first native flow table rule; the first native flow table rule includes a first native action domain; the first native action domain includes connection tracking action information;
a first hardware flow table rule determining module, configured to determine, according to the connection tracking action information, a first hardware flow table rule for the first native flow table rule before performing connection tracking;
a second hardware flow table rule determining module, configured to determine, by the first hardware flow table rule, a second hardware flow table rule for the first native flow table rule after performing connection tracking;
and a flow table rule offloading module, configured to offload the flow table rule for the data packet to the network card based on the first hardware flow table rule and the second hardware flow table rule.
9. The apparatus of claim 8, wherein the first native flow table rule comprises a first native matching domain, the first native matching domain containing first regular message information and initial recirculation information, the first native action domain containing first other action information, the first hardware flow table rule determining module comprising:
a first insertion position identifier determining submodule, configured to determine a first insertion position identifier for characterizing an insertion position of the first hardware flow table rule;
a first hardware matching domain determining submodule, configured to determine a first hardware matching domain for the first hardware flow table rule according to the first regular message information;
a first jump coefficient generating submodule, configured to generate a first jump coefficient for the first hardware flow table rule according to the first insertion position identifier and first flag information of the first native flow table rule before performing connection tracking;
a first jump position identifier determining submodule, configured to determine a first jump position identifier for characterizing a jump position of the first hardware flow table rule using the first jump coefficient;
a first association mark generating submodule, configured to calculate a first hash value for the first hardware flow table rule through the first regular message information and generate a first association mark using the first hash value;
a first hardware action domain determining submodule, configured to determine a first hardware action domain for the first hardware flow table rule using the first jump position identifier and the first association mark;
and a first hardware flow table rule determining submodule, configured to determine the first hardware flow table rule using the first hardware matching domain and the first hardware action domain.
10. The apparatus of claim 9, wherein the second hardware flow table rule determining module comprises:
a second native flow table rule acquisition submodule, configured to acquire a second native flow table rule corresponding to the first native flow table rule; the second native flow table rule includes a second native matching domain, the second native matching domain and the first native action domain containing the same target recirculation information for associating the second native flow table rule with the first native flow table rule;
a first insertion coefficient generating submodule, configured to generate a first insertion coefficient from the initial recirculation information and second flag information of the first native flow table rule after performing connection tracking;
a second insertion position identifier determining submodule, configured to determine a second insertion position identifier for characterizing an insertion position of the second hardware flow table rule using the first insertion coefficient;
a second hardware matching domain determining submodule, configured to determine a second hardware matching domain for the second hardware flow table rule using the first association mark;
a second jump coefficient generating submodule, configured to generate a second jump coefficient from the target recirculation information and third flag information for the second native flow table rule;
a second jump position identifier determining submodule, configured to determine a second jump position identifier for characterizing a jump position of the second hardware flow table rule using the second jump coefficient;
a second association mark determining submodule, configured to calculate a second hash value for the second hardware flow table rule according to the target recirculation information and the first regular message information, and generate a second association mark using the second hash value;
a second hardware action domain determining submodule, configured to determine a second hardware action domain for the second hardware flow table rule using the second jump position identifier, the second association mark, and the first other action information;
and a second hardware flow table rule determining submodule, configured to determine the second hardware flow table rule using the second hardware matching domain and the second hardware action domain.
11. The apparatus of claim 10, further comprising:
a connection tracking five-tuple information acquisition module, configured to acquire connection tracking five-tuple information for the first native flow table rule;
a connection tracking five-tuple information action domain determining module, configured to determine a connection tracking five-tuple information matching domain through the connection tracking five-tuple information and determine the connection tracking five-tuple information action domain using the first insertion coefficient;
and a connection tracking five-tuple flow table rule determining module, configured to determine the connection tracking five-tuple flow table rule for the connection tracking five-tuple information based on the connection tracking five-tuple information matching domain and the connection tracking five-tuple information action domain, and determine a third insertion position identifier for representing the insertion position of the connection tracking five-tuple flow table rule using the first jump coefficient as a second insertion coefficient.
12. The apparatus of claim 11, wherein the second native flow table rule comprises a second native action domain, the second native matching domain comprising second regular message information and offloaded trace action state information; the second native action domain includes second other action information, the apparatus further comprising:
a third hardware matching domain determining module, configured to determine a third hardware matching domain using the second regular message information;
a third hardware action domain determining module, configured to determine a third hardware action domain using the second other action information;
and a third hardware flow table rule determining module, configured to determine a third hardware flow table rule based on the third hardware matching domain and the third hardware action domain, and determine a fourth insertion position identifier for representing the insertion position of the third hardware flow table rule using the second jump coefficient as a third insertion coefficient.
Optionally, the target second hardware flow table rule has a corresponding counter for counting the first native flow table rule.
13. A network card, characterized in that the network card is provided with a flow table rule offload system for data packets of the network card, the flow table rule offload system being adapted to implement the method according to any of claims 1-7.
14. An electronic device comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with each other via the communication bus;
the memory is used for storing a computer program;
the processor is configured to implement the method according to any one of claims 1-7 when executing a program stored on a memory.
15. A computer-readable storage medium having instructions stored thereon, which when executed by one or more processors, cause the processors to perform the method of any of claims 1-7.
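The packet path of claim 7 can be followed in a small simulation; this is an added example, not code from the application or from OVS-DPDK. The table ids, the CRC32 hash, the port and recirculation numbers and the action names are assumptions standing in for the insertion/jump coefficients, hash and actions that the claims leave unspecified.

```python
import zlib
from dataclasses import dataclass, field

# Assumed table ids; the claims derive them from jump and insertion coefficients.
T_PRE_CT, T_CT, T_POST_CT, T_FINAL = 0, 1, 2, 3

def assoc_mark(*parts):
    """Association mark built from a hash of match info (CRC32 is a stand-in)."""
    return zlib.crc32("|".join(map(str, parts)).encode())

@dataclass
class Packet:
    in_port: int
    five_tuple: tuple
    mark: int = 0
    applied: list = field(default_factory=list)  # actions executed in hardware

@dataclass
class Rule:
    match: object            # callable(Packet) -> bool
    actions: tuple = ()
    set_mark: object = None  # association mark to write, if any
    jump: object = None      # next table id, or None for a terminal rule

class Nic:
    def __init__(self):
        self.tables = {t: [] for t in (T_PRE_CT, T_CT, T_POST_CT, T_FINAL)}

    def process(self, pkt):
        table = T_PRE_CT
        while True:
            rule = next((r for r in self.tables[table] if r.match(pkt)), None)
            if rule is None:
                # Miss: the packet goes to software carrying its current mark,
                # which tells software which native rule to resume from.
                return "to_software", pkt.mark
            pkt.applied.extend(rule.actions)
            if rule.set_mark is not None:
                pkt.mark = rule.set_mark
            if rule.jump is None:
                return "offloaded", pkt.mark
            table = rule.jump

def offload_first_native(nic, in_port, recirc_id, first_other):
    """Split one native rule with a ct action into the first and second hardware rules."""
    mark1 = assoc_mark(in_port)             # hash of regular message info
    mark2 = assoc_mark(recirc_id, in_port)  # hash of recirculation + regular info
    nic.tables[T_PRE_CT].append(
        Rule(match=lambda p: p.in_port == in_port, set_mark=mark1, jump=T_CT))
    nic.tables[T_POST_CT].append(
        Rule(match=lambda p: p.mark == mark1, actions=tuple(first_other),
             set_mark=mark2, jump=T_FINAL))
    return mark1, mark2

def offload_connection(nic, five_tuple):
    """Connection tracking five-tuple rule: a hit jumps to the post-CT table."""
    nic.tables[T_CT].append(
        Rule(match=lambda p: p.five_tuple == five_tuple, jump=T_POST_CT))

def offload_second_native(nic, in_port, second_other):
    """Third hardware rule, built from the second native rule."""
    nic.tables[T_FINAL].append(
        Rule(match=lambda p: p.in_port == in_port, actions=tuple(second_other)))

def run(nic, in_port, five_tuple):
    pkt = Packet(in_port, five_tuple)
    return nic.process(pkt), pkt.applied

def demo():
    nic = Nic()
    conn = ("10.0.0.1", 40000, "10.0.0.2", 443, "tcp")   # constructed sample
    other = ("10.0.0.9", 40001, "10.0.0.2", 443, "tcp")  # constructed sample
    out = {"marks": offload_first_native(nic, 1, 7, ["set_tunnel"])}
    out["new_conn"] = run(nic, 1, conn)       # no five-tuple rule yet
    offload_connection(nic, conn)
    out["post_ct_miss"] = run(nic, 1, conn)   # third hardware rule missing
    offload_second_native(nic, 1, ["output:2"])
    out["full"] = run(nic, 1, conn)           # handled entirely in hardware
    out["untracked"] = run(nic, 1, other)     # different connection, same port
    return out

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

In the `post_ct_miss` case the hardware has already executed the first other action before the miss, so software resuming on the second association mark must execute only the second native flow table rule. A packet whose five-tuple has no connection tracking rule never reaches the post-CT table and always falls back to software connection tracking.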
CN202211697547.2A 2022-12-28 2022-12-28 Flow table rule unloading method and device for data packet of network card Pending CN116248588A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211697547.2A CN116248588A (en) 2022-12-28 2022-12-28 Flow table rule unloading method and device for data packet of network card

Publications (1)

Publication Number Publication Date
CN116248588A true CN116248588A (en) 2023-06-09

Family

ID=86623342

Country Status (1)

Country Link
CN (1) CN116248588A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 100007 room 205-32, floor 2, building 2, No. 1 and No. 3, qinglonghutong a, Dongcheng District, Beijing

Applicant after: Tianyiyun Technology Co.,Ltd.

Address before: 100093 Floor 4, Block E, Xishan Yingfu Business Center, Haidian District, Beijing

Applicant before: Tianyiyun Technology Co.,Ltd.
