JP2013236245A - Packet filter circuit and packet filtering device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To realize downsizing and speeding up in a packet filter circuit and a packet filtering device.SOLUTION: A packet filtering circuit 10 which compares a plurality of match conditions and a received packet to filter packets, includes a buffer circuit 11, a mismatch determination circuit 13, and a partial match determination circuit 14. The mismatch determination circuit 13 divides collation data included in a packet into several bit groups and compares them with part of the match conditions for each divided part. If at least any bit group of the divided collation data does not agree with the match conditions, the mismatch determination circuit 13 determines that the collation data and the match conditions do not agree. When no disagreement is found by the mismatch determination circuit 13, the partial match determination circuit 14 compares the collation data with regard to a match condition among the plurality of match conditions which agrees with part of bit groups of the collation data.

Description

  The present invention relates to a packet filter circuit and a packet filtering device, and more particularly to a technique for realizing miniaturization and high speed.

  In recent years, wireless communication devices have become widespread, communication speeds have increased, and communication traffic has increased. In order to realize high-speed communication, high-speed packet filtering is also required. A packet filter circuit that performs packet filtering is provided with a dedicated memory circuit such as a TCAM (Ternary Content Addressable Memory), thereby achieving high speed.

  In addition, the communication function and communication speed of small communication devices have been improved, and the number of devices that constitute a network in the home is also increasing. Therefore, there is a need for a packet filtering device that can be used in embedded devices and that is small in size and achieves low power consumption.

  Usually, the packet filter circuit is composed of a packet buffer for storing packets and a match determination circuit in which one or more match conditions are registered in advance. This packet filter circuit is used in routers and servers. The technique described in Non-Patent Document 1 below includes a packet buffer, a match determination circuit, and a mismatch determination circuit. The coincidence determination circuit sequentially compares the collation data with each coincidence condition. The mismatch determination circuit determines a mismatch between the verification data and each match condition by one memory access. Therefore, in the technique described in Non-Patent Document 1, when the received packet and each match condition do not match, before each matching by the match determination circuit is completed, the mismatch determination circuit determines the mismatch, High speed is realized.

Naoki Miura, 5 others, "High-speed packet filter circuit using mismatch judgment circuit", IEICE Technical Report, IEICE, March 2009, 108, 478, p.101 -106

  The mismatch determination circuit described in Non-Patent Document 1 uses a memory to compare verification data with a matching condition in order to achieve high speed. In Non-Patent Document 1, the determination result of “match” or “mismatch” is stored in each address of the memory. At this time, the address storing the determination result “match” corresponds to the value of the match condition. The determination result “mismatch” is stored in other addresses. The packet filter circuit determines whether the value of the verification data is “mismatch” or “match” by referring to the determination result stored at each address of the memory as the read address of the memory.

  Thus, in Non-Patent Document 1, it is necessary to secure a larger memory area as the range of values that can be taken by collation data increases. For example, if the collation data is n bits, a memory area for storing 2 ^ n ("^" indicates power) determination results is required. Therefore, in order to reduce the required memory area, the n-bit collation data is divided into m bits and collated (m <n). Since the memory area required for the m-bit collation is 2 ^ m, according to this method, the memory area required for storing the determination result is changed from 2 ^ n to (n / m) × 2 ^ m. Can be reduced.

  However, in the above case, since determination is performed by dividing every m bits, there is a case where data that should be determined to be inconsistent cannot be determined to be inconsistent. For example, when the matching condition is 16 bits 0x1234 and 0x4567 ("0x" indicates a hexadecimal number), the collation data 0x1237 should be originally determined as a mismatch. However, in the mismatch determination circuit, if it is determined by dividing every 4 bits, in this case, it is not determined that there is a mismatch. Therefore, when the mismatch determination circuit does not determine that there is a mismatch, it is necessary to wait for the comparison process between the matching data and the matching condition by the match determination circuit, and packet filtering is delayed.

  Therefore, there is a need for a technology for further speeding up the packet filter circuit.

  Other problems and novel features will become apparent from the description of the specification and the accompanying drawings.

  A packet filter circuit according to an embodiment performs packet filtering based on a comparison result between a plurality of matching conditions and a received packet, and includes a buffer circuit, a mismatch determination circuit, and a partial match determination circuit. . The buffer circuit holds the received packet. The mismatch determination circuit divides the verification data included in the packet into several bit groups, and compares each divided portion with a part of the matching condition. The mismatch determination circuit determines that the match data does not match the match condition when the match condition does not match at least one of the bit groups of the divided check data. The partial match determination circuit determines whether or not the matching data matches the matching condition for a matching condition that matches a part of the bit group of the matching data among the plurality of matching conditions when the mismatch judgment circuit does not determine that there is a mismatch. Determine whether. The buffer circuit processes the packet according to the determination result by the mismatch determination circuit and the partial match determination circuit.

  The packet filter circuit according to the embodiment compares the collation data with a plurality of coincidence conditions for each predetermined bit group in the mismatch determination circuit, and if the mismatch determination circuit does not determine a mismatch, And the time required for comparison with the matching condition can be shortened, and the efficiency of packet filtering is improved.

It is a functional block diagram which shows the structure of the packet filtering apparatus 51 in related technology. It is a figure which shows the matching condition 61 in related technology, and the determination method by the mismatch determination circuit 54. FIG. In related technology, it is a figure which shows the condition where the mismatch determination circuit 54 cannot determine a mismatch. 1 is a diagram illustrating a configuration of a packet filtering device 1. FIG. 2 is a functional block diagram showing a configuration of a packet filter circuit 10. FIG. 1 is a diagram illustrating a configuration of a packet filter circuit 10. FIG. It is a figure which shows the detail of the memory which comprises the 1st matching condition holding | maintenance part 21a. FIG. 4 is a diagram showing an example of stored contents of a partial match determination condition holding memory 23. It is a figure which shows an example of matching conditions, and the comparative example of collation data and matching conditions in this embodiment.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. In the following description, the same parts are denoted by the same reference numerals. Their names and functions are also the same. Therefore, detailed description thereof will not be repeated.

<1.1 Details of configuration of related technology>
Here, in order to compare with this embodiment, the structure of a related technique is demonstrated.

  FIG. 1 is a functional block diagram showing a configuration of a packet filtering device 51 in the related art. The packet filtering device 51 holds a plurality of matching conditions (such as an IP address that permits packet transfer) for determining whether or not to transfer a packet. The packet filtering device 51 determines whether the matching data included in the packet (a part of the packet to be compared with the matching condition, for example, the transmission destination address included in the header of the packet) matches the matching condition. Process. With packet processing, for example, when the collation data matches the matching condition, the packet filtering device 51 performs processing such as packet transfer. Further, the packet filtering device 51 performs processing such as discarding the packet when the collation data does not match all the matching conditions.

  As shown in FIG. 1, the packet filtering device 51 includes a buffer circuit 52, a match determination circuit 53, a mismatch determination circuit 54, and an OR circuit 55.

  The buffer circuit 52 stores packets received by the packet filtering device 51 from an external communication device. The packet filtering device 51 starts packet filtering in response to a determination request from an external communication device. The packet filtering device 51 processes the packet according to the determination results by the match determination circuit 53 and the mismatch determination circuit 54.

  The coincidence determination circuit 53 holds a plurality of coincidence conditions, receives the collation data from the buffer circuit 52, sequentially compares the collation data with the plurality of coincidence conditions, and whether or not any of the coincidence conditions is met. Determine. The coincidence determination circuit 53 outputs a coincidence determination signal to the buffer circuit 52 when it is determined that there is a coincidence condition that matches the collation data. The coincidence determination circuit 53 compares all the coincidence conditions with the collation data, and outputs a mismatch coincidence signal to the OR circuit 55 when it is determined that there is no coincidence condition that coincides with the collation data.

  The mismatch determination circuit 54 determines whether or not the verification data and the matching condition are mismatched. The mismatch determination circuit 54 includes a memory, and stores a determination result of match or mismatch in association with the memory address. The mismatch determination circuit 54 refers to an address based on the verification data to determine whether the verification data does not match the matching condition. In this case, a memory area corresponding to the number of bits of the matching condition is required.

  For example, if the matching condition is 16 bits, a memory area for storing 2 ^ 16 determination results is required. Therefore, in this related technique, in order to reduce the memory area, the matching condition is divided into four for every four bits, and the range of values that can be taken in each divided portion is used as a memory address to match or not match each address. Stores the judgment result. In this case, the necessary memory area is 4 × 2 ^ 4. Details will be described later.

  The OR circuit 55 receives the output results of the mismatch determination circuit 54 and the match determination circuit 53, and outputs a mismatch determination signal to the buffer circuit 52 when a mismatch determination signal is output in either of them.

  In the related art, when the collation data does not match the matching condition, the mismatch determination circuit 54 obtains a determination result by referring to the memory address. On the other hand, the matching determination circuit 53 sequentially compares the matching data with each matching condition. Therefore, the determination result of the mismatch determination circuit 54 tends to be output earlier than the match determination circuit 53. However, since the mismatch determination circuit 54 divides the match condition and compares it with the collation data, the collation data and the match condition may not match even if the mismatch determination circuit 54 does not determine a mismatch. is there. In this case, the mismatch cannot be determined until all the matching conditions are compared with the matching data by the match determination circuit 53, and the processing is delayed.

<1.2 Disagreement Determination Method of Disagreement Determination Circuit 54 in Related Technology>
FIG. 2 is a diagram illustrating a matching condition 61 and a determination method by the mismatch determination circuit 54 in the related art.

  For example, as shown in FIG. 2, the matching conditions 61 are “0x1234” (first matching condition 61a) and “0x4567” (second matching condition 61b).

  The mismatch determination circuit 54 divides the match condition 61 into four, and stores the match or mismatch determination result in association with the index value of the memory address for each part (first match condition holding unit 71, A second matching condition holding unit 72, a third matching condition holding unit 73, and a fourth matching condition holding unit 74). For example, the first matching condition holding unit 71 stores the first 4-bit determination result of the matching condition 61 in association with the memory address. In the example of FIG. 2, the first four bits of the matching condition 61 are “1” for the first matching condition 61 a and “4” for the second matching condition 61 b. Therefore, the first matching condition holding unit 71 stores the determination result “matching” in association with the index values “1” and “4” of the memory addresses. Similarly for the second matching condition holding unit 72, the third matching condition holding unit 73, and the fourth matching condition holding unit 74, the determination result of each part of the matching condition 61 is associated with the index value of the memory address. Stored.

  By doing so, the mismatch determination circuit 54 requires 4 × 2 ^ 4 regions to determine whether the matching data does not match the match condition 61.

<1.3 Situations in which the mismatch determination circuit 54 of the related technology cannot determine the mismatch>
FIG. 3 is a diagram illustrating a situation in which the mismatch determination circuit 54 cannot determine a mismatch in the related art.

  In FIG. 3, the matching conditions are “0x1234” and “0x4567” as in FIG. When the value of the matching data 76 is “0x1237”, the mismatch determination circuit 54 determines whether the matching data 76 does not match each matching condition as shown in FIG. That is, based on the value “0x1” shown in the first 4 bits of the collation data 76, the determination result “match” is read from the memory with reference to the memory address index of the first match condition 71 holding unit. . Similarly, it is determined whether the bit group of every 4 bits of the collation data 76 matches or does not match a part of the matching condition.

  The OR circuit 75 includes at least one of the first matching condition holding unit 71, the second matching condition holding unit 72, the third matching condition holding unit 73, and the fourth matching condition holding unit 74. If a mismatch is read out, “mismatch” is output. However, in this case, since “match” is read from any memory, the OR circuit 75 outputs “match” without outputting the determination result “mismatch”.

  As described above, when each bit group of the collation data is compared with each part of the coincidence condition, even if the collation data and the coincidence condition are actually inconsistent, the “mismatch” may not be output from the inconsistency determination circuit 54. is there. Therefore, in order to determine the mismatch in the packet filtering device 51, it is necessary to wait for a determination result by the match determination circuit 53.

<2.1 Outline of Configuration of Packet Filtering Device 1 of Present Embodiment>
Next, an outline of the configuration of the packet filtering device 1 of the present embodiment will be described first with reference to the drawings.

FIG. 4 is a diagram illustrating a configuration of the packet filtering device 1.
As shown in FIG. 4, the packet filtering device 1 includes an MPU (Micro-Processing Unit) 2, a RAM (Random Access Memory) 3, a ROM (Read Only Memory) 4, a communication module 5, and a packet filter circuit 10. Including.

  The MPU 2 includes a processor and controls operations of the communication module 5 and the packet filter circuit 10 to control packet filtering processing of the packet filtering device 1.

  The RAM 3 is a memory area that holds programs, data, and the like read from the ROM 4 for use in the processing of the MPU 2.

The ROM 4 stores programs and data.
The communication module 5 is a communication interface for communicating with an external communication device. The communication module 5 corresponds to a communication interface using, for example, a wired LAN (Local Area Network) or a wireless LAN (IEEE 802.11n).

  The packet filter circuit 10 holds the packet received by the communication module 5, and performs packet filtering according to whether or not the collation data (such as a part of the packet header) included in the packet matches the matching condition. The matching condition is data to be compared with the verification data in order to perform processing such as whether to transfer or discard the packet in the packet filter circuit 10. For example, if the collation data is a destination IP address included in the packet header, each matching condition is an IP address of an information communication device that the packet filtering device 1 permits packet transfer. In the present embodiment, the packet is transferred when the collation data matches one of the plurality of matching conditions, and the packet is discarded when they do not match.

  In this embodiment, in order to compare the matching data with each of the plurality of matching conditions, the matching conditions are divided into a plurality of bit groups (in this embodiment, the matching data and the matching conditions are 16-bit data). The mismatch condition is divided every 4 bits), and the mismatch determination circuit 13 holds it as the mismatch determination condition 21 in the memory. In the partial match determination circuit 14, a part of the match condition (12 bits of the match condition) is held in the memory as the partial match determination condition 22.

  As shown in FIG. 4, the packet filter circuit 10 includes a buffer circuit 11, a determination result output circuit 12, a mismatch determination circuit 13, and a partial match determination circuit 14. The packet filter circuit 10 performs packet filtering in response to the MPU 2 determination request. Details will be described later.

<2.2 Configuration of Packet Filter Circuit 10>
FIG. 5 is a functional block diagram showing the configuration of the packet filter circuit 10.

  As illustrated in FIG. 5, the packet filter circuit 10 receives a packet received by the communication module 5 and starts packet filtering by receiving a packet determination request from the MPU 2.

  The buffer circuit 11 holds the packet, receives a packet determination request, and outputs a determination start signal to the partial match determination circuit 14 and the mismatch determination circuit 13. The buffer circuit 11 performs processing according to the determination result output from the determination result output circuit 12 described later. For example, the buffer circuit 11 performs processing such as packet transfer when the matching data matches the matching condition, and performs processing such as discarding the packet when the matching data does not match.

  The mismatch determination circuit 13 determines whether or not the collation data and the match condition are mismatched. As described above, the mismatch determination circuit 13 divides the match condition into a plurality of bit groups and holds it as the mismatch determination condition 21, and compares the collation data with each part of the match condition in parallel by predetermined bits. To do. Although details of the mismatch determination circuit 13 will be described later, the mismatch determination circuit 13 outputs a mismatch determination signal to the determination result output circuit 12 when at least one of the comparison results of the respective bit groups of the verification data does not match. On the other hand, the mismatch determination circuit 13 indicates the index value of the address of the memory holding the partial match determination condition 22 in the partial match determination circuit 14 if the comparison results of the respective bit groups of the matching data match. The value is output to the partial match determination circuit 14.

  The partial match determination circuit 14 determines whether the matching data matches the matching condition. As described above, the partial match determination circuit 14 holds the match condition as the partial match determination condition 22. Although the details of the partial match determination circuit 14 will be described later, the partial match determination circuit 14 determines whether the match result of the plurality of match conditions when all the comparison results of the bit groups of the match data match in the mismatch determination circuit 13. The matching condition that matches a part of the data bit group is sequentially compared with the collation data. In this way, the partial match determination circuit 14 limits the range of the matching condition for comparison with the matching data to a part and determines whether the matching data matches the matching condition. Therefore, the packet filtering device 1 can reduce the number of comparisons when the matching data and the matching condition do not match as compared with the case where all matching conditions and the matching data are compared as in the related art.

  The determination result output circuit 12 outputs whether the matching data matches the matching condition based on the comparison result between the matching data and the matching condition by the mismatch determination circuit 13 and the partial match determination circuit 14. Although details will be described later, the determination result output circuit 12 outputs a match determination signal to the buffer circuit 11 when the mismatch determination circuit 13 does not determine a mismatch and the partial match determination circuit 14 determines a match. . The determination result output circuit 12 outputs a mismatch determination signal to the buffer circuit 11 when the mismatch determination circuit 13 determines a mismatch or when the partial match determination circuit 14 determines a mismatch.

<2.3 Details of Packet Filter Circuit 10>
Next, a detailed configuration of the packet filter circuit 10 will be described with reference to the drawings.

FIG. 6 is a diagram illustrating a configuration of the packet filter circuit 10.
<2.3.1 Buffer Circuit 11>
As shown in FIG. 6, the buffer circuit 11 holds collation data. In the example of FIG. 6, the collation data is 16 bits, divided into 4 bit groups (4 bit groups of A, B, C, and D) every 4 bits and output to the mismatch determination circuit 13.

  In the example shown in the drawing, when the bit group “A” of the collation data is the first bit group and the three bit groups “B”, “C”, and “D” are the second bit group, the buffer circuit 11 The second bit group is output to the comparator 49.

<2.3.2 Mismatch Determination Circuit 13>
The mismatch determination circuit 13 compares each bit group of the collation data with each part of the matching condition in parallel and outputs a comparison result. The mismatch determination circuit 13 includes a first mismatch determination unit 30, a second mismatch determination unit 31, a third mismatch determination unit 32, a fourth mismatch determination unit 33, and a NOR circuit 34. The mismatch determination circuit 13 uses the first mismatch determination unit 30, the second mismatch determination unit 31, the third mismatch determination unit 32, and the fourth mismatch determination unit 33 to parallelize each bit group of the collation data. Compare with matching conditions.

  The first mismatch determination unit 30 includes a latch circuit 40, a DEC (decoder) 80, and a first match condition holding unit 21a. In the illustrated example, the first mismatch determination unit 30 outputs a match or mismatch with a part of the corresponding matching condition for the “A” bit group of the matching data.

  The latch circuit 40 holds data of a part of bit groups (bit group “A”) of the collation data.

  The first matching condition holding unit 21a is configured by a memory, stores a matching or mismatching determination result by associating a possible value of a part of the matching condition with an index address.

Details of the memory holding the first matching condition holding unit 21a will be described.
FIG. 7 is a diagram showing details of the memory constituting the first matching condition holding unit 21a.

  The memory constituting the first coincidence condition holding unit 21a includes an address 21e, a determination result storage area 21f, and a condition number 21g. In the first matching condition holding unit 21a shown in FIG. 6, the address 21e is omitted.

  The address 21e is associated with a possible value in the “A” bit group of the collation data. In this embodiment, since the bit group of “A” in the collation data is 4 bits, addresses “0” to “15” are prepared in the address 21e.

  The determination result 21f is an area that stores a determination result that is associated with a value that can be taken in the bit group “A” of the collation data indicated by the address 21e and that matches or does not match the matching condition. .

  The condition number 21g stores the value of the index address to be referred to in the memory that holds the partial match determination condition 22 described later for the one that stores the determination result of “match” in the determination result 21f. For the determination result 21f that stores the determination result of “mismatch”, the condition number 21g does not store a value.

Returning to FIG.
The DEC 80 activates the memory area of the address corresponding to the value held in the latch circuit 40 with respect to the memory constituting the first matching condition holding unit 21a.

  The first mismatch determination unit 30 reads the determination result 21f of the memory area corresponding to the address activated by the DEC 80, outputs it to the NOR circuit 34, and reads the condition number 21g to the selector 46 of the partial match determination circuit 14. Output. In the present embodiment, the mismatch determination circuit 13 includes the first mismatch determination unit 30, the second mismatch determination unit 31, the third mismatch determination unit 32, and the fourth mismatch determination unit 33 in the NOR circuit 34. When a determination result of “mismatch” is output from at least one of them, it is determined that there is a mismatch. Therefore, if the determination result 21f corresponding to the “A” bit group of the collation data is “mismatch” in the memory constituting the first matching condition holding unit 21a, the signal HI is output.

  The second mismatch determination unit 31 includes a latch circuit 41, a DEC 81, and a second match condition holding unit 21b. In the example shown in the drawing, the second mismatch determination unit 31 outputs a match or mismatch with a part of the corresponding matching condition for the “B” bit group of the collation data.

  The latch circuit 41 holds data of a part of bit groups (bit group “B”) of the collation data.

  The second matching condition holding unit 21b is configured by a memory, stores a matching or mismatching determination result by associating a possible value of a part of the matching condition with an index address. The memory configuring the second matching condition holding unit 21b is configured by an address 21e and a determination result 21f when FIG. 7 is used. The memory constituting the second matching condition holding unit 21b associates the possible values of the “B” bit group of the collation data with the index address, and displays the determination result “match” or “mismatch” in the determination result 21f. Store.

  The third mismatch determination unit 32 and the fourth mismatch determination unit 33 have the same configuration as the second mismatch determination unit 31. The difference is that the second mismatch determination unit 31 performs a process of comparing the “B” bit group of the collation data with the match condition, whereas the third mismatch determination unit 32 performs “C” of the collation data. The fourth mismatch determination unit 33 processes the “D” bit group of the collation data.

  The third mismatch determination unit 32 includes a latch circuit 42, a DEC 82, and a third match condition holding unit 21c. Similar to the second matching condition holding unit 21b, the memory constituting the third matching condition holding unit 21c includes an address 21e and a determination result 21f. The memory constituting the third matching condition holding unit 21c associates the possible value of the “C” bit group of the collation data with the index address, and displays the determination result “match” or “mismatch” in the determination result 21f. Store.

  The fourth mismatch determination unit 33 includes a latch circuit 43, a DEC 83, and a fourth match condition holding unit 21d. The memory constituting the fourth coincidence condition holding unit 21d associates the values that can be taken by the “D” bit group of the collation data with the index address, and determines the decision result “match” or “mismatch” in the decision result 21f. Store.

  The NOR circuit 34 outputs the determination result in the mismatch determination circuit 13. In the present embodiment, the signal HI is output from the first mismatch determination unit 30 or the like when the first mismatch determination unit 30 or the like determines that there is a mismatch, but as the output of the mismatch determination circuit 13 Is determined to be inconsistent, the NOR circuit 34 outputs a signal LOW. Therefore, when “match” is read in any of the first match condition holding unit 21a and the like, the output signal of the NOR circuit 34 becomes the signal HI.

<2.3.3 Partial Match Determination Circuit 14>
The partial match determination circuit 14 determines whether the matching data matches the matching condition. The partial match determination circuit 14 determines the range of the matching condition to be compared with the matching data when the first bit group of the matching data (the “A” bit group of the matching data) matches the matching condition in the mismatch matching circuit 13. , Narrow down to those that match the first bit group of the collation data.

  The partial match determination circuit 14 includes a partial match determination condition holding memory 23, a latch circuit 44, a control circuit 45, a selector 46, a comparison circuit 47, an AND circuit 48, a comparator 49, and a DEC 84.

  The selector 46 receives the output of the condition number 21g of the first matching condition holding unit 21a and the value indicated in the address field of the partial matching determination condition holding memory 23 to be described later, and controls one of the values to be described later. The signal is output to the latch circuit 44 under the control of the circuit 45.

The latch circuit 44 holds the value output from the selector 46.
The DEC 84 activates the memory area of the index address corresponding to the value held in the latch circuit 44 for the partial match determination condition holding memory 23. The latch circuit 44 stores the value of the index address that is activated in the partial match determination condition 22.

Here, the details of the partial match determination condition holding memory 23 will be described.
FIG. 8 is a diagram showing an example of the contents stored in the partial match determination condition holding memory 23.

  The partial match determination condition holding memory 23 includes an address 22a, an address field 22b, and a data field 22c.

  An address 22 a indicates an index address in the partial match determination condition holding memory 23.

  The data field 22c stores a part of the matching condition for comparison with the second bit group of the collation data (the bit group of “B”, “C”, and “D” in the example of FIG. 6). The value stored in the data field 22c is compared with the second bit group of the collation data in the comparator 49.

  The address field 22b stores the value of the index address to be referred to next in the partial match determination condition holding memory 23 when the value stored in the data field 22c does not match the second bit group of the collation data. It is an area for. For example, in the example of FIG. 8, the record “k” indicated by the address 22a is indicated as “k + 1” in the address field 22b. Therefore, when the value of the data field 22c corresponding to “k” in the address 22a does not match the second bit group of the collation data, each data of the index address indicated by “k + 1” in the address 22a is referred to next. Is done. If “0” is indicated in the address field 22b, it indicates that there is no matching condition to be referred to next.

Returning to FIG.
In the partial match determination condition holding memory 23, the value of the address field 22b of the memory area activated by the DEC 84 is output to the comparison circuit 47 and the selector 46.

  The comparison circuit 47 refers to the value of the address field 22b of the partial match determination condition holding memory 23, and determines whether there is a match condition to be compared next or whether there is a match condition to be compared. In the present embodiment, in the comparison between the collation data and the matching condition, if there is no matching condition to be compared next, the value of the address field 22b is set to “0”. Therefore, the comparison circuit 47 determines whether the value output from the address field 22b of the partial match determination condition holding memory 23 matches “0”, and if it matches “0” (YES in the comparison circuit 47), Since there is no other matching condition to be compared, a signal indicating the end of determination is output to the determination result output circuit 12. Further, when the value output from the address field 22b of the partial match determination condition holding memory 23 is not “0” (NO in the comparison circuit 47), the comparison circuit 47 has another match condition to be compared. A signal is output to the circuit 48.

  The comparator 49 receives the second bit group of the collation data (the collation data 92 concerning the second bit group) from the buffer circuit 11. The comparator 49 receives the value of the data field 22c of the partial match determination condition holding memory 23 (part 91 of the match condition). These collation data are compared with the value of the data field 22c to determine whether or not they match. The comparator 49 outputs the determination result to the AND circuit 48 and the determination result output circuit 12.

  The AND circuit 48 outputs to the control circuit 45 whether or not to continue the comparison process between the collation data using the partial match determination condition holding memory 23 and the match condition. The AND circuit 48 receives the output of the comparison result from the comparator 49 and the determination result of the comparison circuit 47. When the comparator 49 does not match the matching data and the matching condition, and the comparing circuit 47 determines that there is a matching condition to be compared next, the AND circuit 48 matches the matching data and the data field. In order to continue the comparison with the value of 22c, a signal is output to the control circuit 45.

  The control circuit 45 receives the output result from the AND circuit 48 and controls the output of the selector 46. When there is no signal output from the AND circuit 48, the control circuit 45 sets the output of the selector 46 to the condition number 21 g of the first matching condition holding unit 21 a output from the mismatch determination circuit 13. When the signal is output from the AND circuit 48, the control circuit 45 sets the value of the address field 22 b of the partial match determination condition holding memory 23 as the output of the selector 46.

<2.3.4 Determination Result Output Circuit 12>
The determination result output circuit 12 receives the determination results of the mismatch determination circuit 13 and the partial match determination circuit 14 and outputs a match determination signal or a mismatch determination signal to the buffer circuit 11. Determination result output circuit 12 includes an AND circuit 93, a NOT circuit 94, an OR circuit 95, and an AND circuit 96.

  The AND circuit 96 outputs a coincidence determination signal when the mismatch determination circuit 13 determines that there is no mismatch and the comparator 49 determines that there is a match.

  The OR circuit 95 receives the outputs of the AND circuit 93 and the NOT circuit 94, and outputs a mismatch determination signal if at least one of the signals is HI. The NOT circuit 94 outputs a signal HI when the mismatch determination circuit 13 determines that there is a mismatch (the output of the mismatch determination circuit 13 is a signal LOW). The AND circuit 93 is not determined to be inconsistent by the mismatch determination circuit 13 and is determined by the comparison circuit 47 that there is no other matching condition to be compared with the matching data (YES in the comparison circuit 47, and the matching data matches the matching condition). When the comparison is completed), and when the comparison data does not match the matching condition in the comparator 49, the signal HI is output.

<3 Comparison example between matching data and matching conditions>
Although the present embodiment has been described above, a comparative example of the collation data and the matching condition will be described here.

  FIG. 9 is a diagram illustrating an example of the matching condition and a comparison example between the matching data and the matching condition in the present embodiment.

  As shown in FIG. 9, the collation data is “0x4123”. The matching conditions are “0x0123”, “0x2234”, “0x3012”, etc., respectively. In the first matching condition holding unit 21a, a determination result of matching or mismatching in the determination result 21f is stored for the bit group “A” of the collation data, and a partial matching determination condition to be referred to is stored in the condition number 21g The value of the index address of the memory 23 is stored.

  Since the collation data is “0x4123”, the mismatch determination circuit 13 does not determine a mismatch in each part of the collation data. The mismatch determination circuit 13 outputs the value of the condition number 21g corresponding to the index address “4” of the first match condition holding unit 21a to the selector 46.

  The partial match determination circuit 14 refers to the address 22a and the address field 22b of the partial match determination condition holding memory 23, and sequentially matches the match conditions indicated by “k”, “k + 1”, and “k + 2” of the address 22a in the comparator 49. Compare with verification data. As a result of the comparison, it is determined that the collation data “0x4123” does not match any of the matching conditions.

  As described above, according to the present embodiment, the matching data is compared with the matching condition for a plurality of matching conditions that match a part of the bit group of the matching data. Therefore, when all of the plurality of matching conditions and the matching data do not match, there is no need to wait for comparison between the matching data and all the matching conditions as in the related art.

  The partial match determination condition holding memory 23 of the partial match determination circuit 14 can be realized by a RAM. Therefore, the packet filtering device 1 can perform packet filtering by sequence control using a table held in the RAM, and the circuit can be reduced in size. This embodiment is suitable, for example, for an embedded LSI, and can be easily mounted on a microcomputer having a built-in memory, an ASSP (Application Specific Standard Product), or a SoC (System-on-a-chip). The downsizing makes it possible to apply the packet filter circuit of the present embodiment to mobile devices.

  In addition, when the RAM is used, the address to be activated is designated, so that the power consumption of the packet filter circuit can be reduced as compared with the case where all the memory areas are activated in order to compare the collation data with the matching condition. Can be achieved.

  Each embodiment has been described above, but it goes without saying that these embodiments may be combined.

  As mentioned above, the invention made by the present inventor has been specifically described based on the embodiment. However, the present invention is not limited to the embodiment, and various modifications can be made without departing from the scope of the invention. Needless to say.

  1 packet filtering device, 2 MPU, 3 RAM, 4 ROM, 5 communication module, 10 packet filter circuit, 11 buffer circuit, 12 judgment result output circuit, 13 mismatch judgment circuit, 14 partial match judgment circuit, 21 mismatch judgment condition, 22 Partial match determination condition, 21a First match condition holding unit, 21b Second match condition holding unit 21b, 21c Third match condition holding unit 21c, 21d Fourth match condition holding unit 21d, 22 Partial match determination condition, 23 partial match determination condition holding memory, 30 first mismatch determination section, 31 second mismatch determination section, 32 third mismatch determination section, 33 fourth mismatch determination section, 34 NOR circuit, 40 latch circuit, 41 latch Circuit, 42 latch circuit, 43 latch circuit, 44 latch circuit, 45 control circuit, 46 selector 47, comparison circuit, 48 AND circuit, 49 comparator, 51 packet filtering device, 52 buffer circuit, 53 match determination circuit, 54 mismatch determination circuit, 55 OR circuit, 61 match condition, 71 first match condition holding unit, 72 second matching condition holding unit, 73 third matching condition holding unit, 74 fourth matching condition holding unit, 75 OR circuit, 76 collation data, 80 DEC, 81 DEC, 82 DEC, 83 DEC, 84 comparator 91 Matching condition part 92 Matching data 93 AND circuit 94 NOT circuit 95 OR circuit 96 AND circuit

Claims (7)

A packet filter circuit that performs packet filtering based on a comparison result between a plurality of matching conditions and a received packet,
A buffer circuit for holding received packets;
The first bit group of the collation data composed of the first and second bit groups included in the packet is compared with the first part of each matching condition, and the second bit group is A mismatch determination circuit that determines that the match data does not match the match condition when the match data does not match the match data in at least one of the bit groups compared to the second part of the match condition;
When both of the first and second bit groups match each part of the matching condition, the first part of the plurality of matching conditions is the first bit group of the matching data. A partial match determination circuit for determining whether or not the matching data matches the matching condition,
The buffer circuit processes a packet according to a determination result by the mismatch determination circuit and the partial match determination circuit;
Packet filter circuit. The partial match determination circuit includes:
A second memory for storing each of the second portions of the plurality of matching conditions as a partial matching determination condition;
The mismatch determination circuit includes:
Each of the values of the first part of the plurality of matching conditions is associated with the storage address in the second memory of the value of the second part corresponding to the value of the first part as a mismatch judgment condition A first memory for storing, and when the first bit group of the collation data matches the first portion, the storage address associated with the matching value is read and output And
The partial match determination circuit performs the determination by reading the second portion from the second memory based on the storage address output by the mismatch determination circuit.
The packet filter circuit according to claim 1. The second memory is
For each address, an address field indicating an address to be accessed next in the second memory, and a data field for storing a value of the second part of the matching condition,
When there are a plurality of values of the second portion corresponding to the values of the first portion of the plurality of matching conditions, the partial match determination circuit sequentially stores the data field according to the address indicated in the address field. Making the determination by outputting a stored value;
The packet filter circuit according to claim 2. The partial match determination circuit includes:
The second bit group of the verification data is received from the buffer circuit, and the received second bit group is compared with the value stored in the data field at the address specified in the second memory. Including a comparator that outputs a match or mismatch result,
When the comparison result by the comparator does not match, the matching data is compared with the matching condition according to a value indicated in the address field of the second memory.
The packet filter circuit according to claim 3. The packet filter circuit includes:
A determination result output circuit that outputs a match signal to the buffer circuit when the mismatch determination circuit does not determine a mismatch and the partial match determination circuit determines a match;
The packet filter circuit according to claim 1. The packet filter circuit includes:
A determination result output circuit that outputs a mismatch signal to the buffer circuit when the mismatch determination circuit determines that there is a mismatch, or when the partial match determination circuit determines that there is a mismatch;
The packet filter circuit according to claim 1. A packet filtering device that performs packet filtering based on a comparison result between a plurality of matching conditions and a received packet,
A buffer unit for holding received packets;
The first bit group of the collation data composed of the first and second bit groups included in the packet is compared with the first part of each matching condition, and the second bit group is A mismatch determination unit that compares with the second part of the match condition and determines that the match data and the match condition do not match if the match data does not match in at least one of the bit groups;
When both of the first and second bit groups match each part of the matching condition, the first part of the plurality of matching conditions is the first bit group of the matching data. A matching part for determining whether or not the matching condition is matched with the matching data,
The buffer unit processes a packet according to a determination result by the mismatch determination unit and the partial match determination unit.
Packet filtering device.

Images