JP3443356B2 - Packet classifier - Google Patents

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a packet classification device for a system that examines a key field which is a part of a received packet and selects corresponding data according to the content of the key field. The present invention relates to a packet classifying device for finding a rule that a packet satisfies all conditions from a rule set, which is a set of rules defining conditions to be satisfied.

[0002]

2. Description of the Related Art Generally speaking, a packet classification device is provided with a compile processing function and a search processing function for creating data to be searched. These processing functions will be described by using a packet classification device for packet filtering that uses an access control list as a conventional packet classification device.

First, in the compile processing function, the access control list (ACL) is converted into an internal representation to create data as shown in FIG. 10, that is, an ACL internal representation. ACL here
Is a series of rules that define a condition that each key value must satisfy, and a set of actions that specify whether to pass or reject a packet that satisfies them. Each line of the ACL internal representation corresponds to one rule of ACL. Fields such as destination address, source address, destination port number, source port number, protocol field, and TCP flag are used as keys.

The rules specify conditions for each key using matching methods such as exact match matching, prefix matching and area matching. In the perfect match, the condition is represented by the key value u, and the match is successful when the key value of the received packet is u. In prefix matching, the condition is expressed as a pair of key prefix value v and prefix length pl, v / pl,
If the pl bit of the key value of the received packet is v, the matching is successful. For example, in prefix matching against a destination address, the condition 123.45.67 / 24 succeeds in matching with a packet in which the higher 24 bits of the destination address is 123.45.67. In addition, a method of selecting a rule having the longest prefix length as a matching result when a plurality of rules succeed in matching in ACL is called longest prefix matching. Further, in the area matching, the condition is a set of key value pairs {[w ₁₁ , w ₁₂ ], [w ₂₁ , w ₂₂ ], ..., [w _n1 ,
w _n2 ]}, and the key value k is _i such that w _i1 ≧ k ≧ w _i2
Matches successfully if exists. For example, in the area matching of the destination port number, the filter predicate {[10,30],
[50, 60]} indicates that the destination port number p of the received packet is
If 10 ≧ p ≧ 30 or 50 ≧ p ≧ 60, the collation is successful.

Generally, the matching method to be adopted is predetermined for each rule key. In FIG. 10, d is the destination address, s is the source address, dp is the destination port number,
sp is the source port number, p is the protocol field, T
CP is a TCP flag, 1 for action
Indicates passing and 0 indicates rejection. The numbers 1 to m on the left side of the figure represent rule numbers, and the arrows on the right side of the figure represent the order of search. In rule 1, when the destination address is 1.2.3.4, the source address is 1.2.5.8, the destination port number is 10 to 40, the source port number is 80, the protocol field is 10, and the TCP flag is 1, the packet Indicates that the passage of the vehicle is permitted.

Next, in the search processing, as shown by the arrow in FIG. 10, when a received packet is given, the rules are examined in order from the top of the ACL internal representation, and the key value of the packet is checked by the matching method according to each key. If a rule is found that all keys are successfully matched, it is determined whether to pass or drop the packet according to the description of the action.

In these conventional packet classifiers, firstly, the ACL is checked in order from the top, and therefore the search processing time may increase as the number of rules increases. In the worst case, it will take time to examine all the rules. Therefore, in order to reduce the search processing time, a method of hardwareizing the search processing has been proposed, but the problem that the search processing time becomes long depending on the number of rules remains. In order to solve this problem, packet classification using a routing table has been proposed.
In this classification, there is a method of using a digital search tree such as Patricia tree. Here, a Patricia tree which is a typical digital search tree will be described as an example.

First, 27 types of A to Z and null are considered as headings to be held in the digital search tree, and the binary notation of each code is set to 00001 to 11010 and 00000. In the binary notation of this code, the leftmost bit is bit 0, and the bits to the right are bit 1, 2, 3, and 4 in that order. FIG. 11 is a Patricia tree having 12 headings of null, A, C, E, G, H, I, N, P, R, S, and T. In the figure, large circles indicate nodes, small circles indicate leaves, and lines connecting nodes or between nodes and leaves indicate branches. The number written above the circle of a node or leaf represents the number for identifying the node or leaf, and the number written in the circle of the node is the check bit position (the digit of the search key to be checked at that node). ), The symbol under the circle of the leaf indicates the heading of the leaf. Node 0 is the root of the digital search tree, and the rectangle pointing to the root is the head.
In a Patricia tree, when a search key is given, the nodes are traced along the branches in order from the root of the search key, and when the bit at the check bit position is 0 with respect to the search key, it descends to the node on the left side and that bit is 1 Time goes down to the right node. When this operation is repeated, if a leaf having a heading equal to the search key exists in the search tree, that leaf can be reached. For example, in order to search for H, the code 01000 of H is used as a search key, and the value of the search key bit at the check bit position designated by the node is sequentially searched from the root node of the tree to trace the node. In this case, if bit 0 of the search key is examined at the first node, it is 0, so the node goes to the lower left node. When bit 1 is checked at the next node, it is 1 so go to the node at the lower right. As described above, when the bits 0, 1, 2, and 4 of the respective search keys are examined by tracing the order of the nodes 0, 1, 4, and 9, it is understood that the leaf of the heading H is reached.

When the rule set is converted into the Patricia tree of FIG. 11 by the compiling process, the searching process is performed as follows. That is, in FIG. 11, the search key is I (reference numeral 0100).
1) When searching for leaves, since the search key bits 0, 1, 2 are 0, 1, 0 respectively, follow the order of nodes 0, 1, 4
Reach node 9. When the bit 4 of the search key is examined at the node 9, it is 1 and the leaf 18 is reached. Since the heading of the leaf 18 is I and is equal to the search key, it can be seen that the leaf to be obtained has been reached. At this time, when the heading of the arrived leaf is not equal to the search key, it is found that the leaf to be searched does not exist in this digital search tree.

In this method, since the search processing time does not depend on the number of rules, the problem that the search processing time becomes long has been solved, but it is still necessary to use the longest prefix matching as a rule condition. Search time will be long because of track or pointer operation,
When region matching is used as a rule condition, there is a problem that a digital search tree such as a Patricia tree cannot be used as it is. In order to solve the former problem, a method using associative memory has been proposed. However, in addition to solving the latter problem, the number of rules increases because the amount of hardware increases. There is a problem that it is difficult to apply when there are many cases.

[0011]

In view of the above-mentioned circumstances, an object of the present invention is to provide a search processing time that does not depend on the number of rules, and that uses longest prefix matching and area matching for rule conditions. The object of the present invention is to provide a packet classification device that can perform search processing at high speed with relatively little hardware.

[0012]

The above objects of the present invention are as follows.
In the packet classification device as described above, a compile function for converting a rule set into a domain descriptor and an expansion table in advance, and an expansion table entry value located at an address determined by the packet key value and the domain descriptor value. A packet classifying device characterized by having a search function for determining the position of the next key and the address of the domain descriptor according to To be achieved.

In the present invention, the domain descriptor is data which defines the correspondence between the key value and the expansion table entry for the entire domain of the key value. The expansion table is a table in which the address of a domain descriptor used when searching for a rule set excluding a rule whose key value corresponding to the entry does not satisfy the condition is entered.

In such a packet classifying apparatus of the present invention, the compiling function has a function of converting a key into a fixed length by dividing the key when the length is long and concatenating the keys when the length is short. You can

Further, the compiling function has a function of generating a domain descriptor holding the identifiers of the corresponding expansion table entries for all the values of the key, and the searching function has the domain descriptor based on the value of the key. The function to obtain the address of the expansion table entry can be provided from.

The compiling function divides the key values into groups at regular intervals and indicates whether or not the value of the identifier of the expansion table entry corresponding to the smallest key in each group and the expansion table entry change. It has a function to generate a domain descriptor that holds a data pair with bitmap data, and a search function has the function of interpreting the data pair of the domain descriptor based on the value of the key to obtain the address of the expansion table entry. Can be equipped.

Further, the compiling function has a function of generating a domain descriptor consisting of a key value of which the expansion table entry changes when the expansion table has few entries,
The search function may include a function of comparing the key value of the packet and the key value held in the domain descriptor to obtain the address of the entry in the expansion table.

Also, the compiling function is a function for generating a development table in which the same domain descriptor is put together when the rule sets formed by excluding the rules whose packets may not satisfy all conditions from the rule sets are the same. The look-up function may include the function of determining the position of the next key and the address of the domain descriptor by using the key of the packet and the expansion table.

Further, the compiling function has a function of holding the value of the entry as the value of the entry of the preceding expansion table when the number of entries of the expansion table is 1, and excluding the expansion table and the domain descriptor. The look-up function may include a function of determining the position of the next key and the address of the domain descriptor by using the key value of the packet and the expansion table.

As a specific system to which the present invention can be applied, there are a routing table search in a communication device such as a router, filtering in a firewall, QoS control, and flow detection in IP switching. In searching the routing table,
The key is the destination address field, and the rule is the set of destination address, netmask and destination link. In the rule, the prefix of the destination address is specified by the net mask. In a communication device such as a router, a rule set is held as a routing table, a rule in which the prefix of the destination address field of the received packet is equal to the prefix of the destination address of the rule is searched, and when multiple rules are applicable, The maximum rule of the netmask is selected and the packet is transferred to the transfer destination link of the rule.

In the filtering by the firewall, the destination address, the source address, the destination port number, the source port number, the protocol field, the TCP
Fields such as flags are used as keys. The rule specifies the condition corresponding to each key and specifies whether the packet should pass or be discarded when all the conditions are satisfied. The firewall holds the rule set as an access control list, searches for a rule whose key of the received packet satisfies all conditions, and determines whether to pass or discard the packet according to the designation of the rule.

In the flow control in the QoS control and the IP switching, the source address and the destination address of the packet are used as keys. The rule specifies the condition to be satisfied by each key, and information on the network resource to be allocated to the packet when all the conditions are satisfied. The key of the received packet is searched for a rule that satisfies all the conditions, and the network resource is assigned to the packet according to the specification of the rule.

[0023]

DESCRIPTION OF THE PREFERRED EMBODIMENTS [Embodiment 1] Next, an embodiment of the packet classification device of the present invention will be described. In this embodiment, the compiling function converts the rule set into the domain descriptor and the expansion table in advance, and the search function reads the data of the expansion table entry at the address determined by the packet key value and the domain descriptor value. The position of the next key and the address of the domain descriptor are determined according to the value of the data, the data generated by the compiling function is traced according to the value of the key of the received packet, and the result data is output. Thus, when a rule set and a packet defining a set of conditions that each key should satisfy and an action for a packet that satisfies all of them are given, it is possible to find a rule that satisfies all the conditions from the rule set.

As rule set R = {r ₁ , r ₂ }, r ₁ : p _1,0 [x ₀ ≧ 2] p _1,1 [x ₁ = 6] a ₁ r ₂ : p _2,0 [3 ≦ x ₀ ≦ 5] p _2,1 [x ₁ ≧ 5] a ₂ will be described as an example to describe a method of creating the domain descriptor and the expansion table. Here, p _{j, i} is the (predicate corresponding to the i-th key rule r _j) the i predicate r _j, x _k is the value of the k-th key, a _j is the rule r _j It is an action.

The domain descriptor and the expansion table are given by the partial calculation of the function sieve (R, i, x _i ) which returns the rule set for which the condition for a certain key value x _i is true for the rule set R. . For example, the function sieve (R, 0, x ₀ ) = sieve
({R ₁ , r ₂ }, 0, x ₀ ) is

[Equation 1] It is expressed as. This expression means that if the condition in () of each row is satisfied, the set of rows is returned as a result. The partial calculation of this function sieve (R, 0, x ₀ ) is x ₀
Advance the above calculation as much as possible before knowing the value of
It means to simplify the rest of the calculations that can only be done with a value of ₀ . In the following, the result of the partial calculation is sie
It is expressed as veR, 0 (x ₀ ).

In the following, a partial calculation of the function sieve (R, 0, x ₀ ) will be exemplified for the case where the key length is 3 bits. In this case, the domain (domain) D ₀ of the x ₀ is D ₀ = _{0, ...,
7}. FIG. 1 is a diagram showing a configuration example of a domain descriptor. D ₀ depends on the possible values of p _1,0 (T or F), as shown, in two intervals I ⁰ _1,0 and I
It can be divided into ¹ _1,0 . Similarly, according to p _2,0 ,
As shown, it can be divided into three intervals, I ⁰ _2,0 , I ¹ _2,0 and I ² _2,0 . In the figure, when the domain of x ₀ is divided by the boundaries of all intervals, four subdomains D ⁰ ₀ = {0, 1}, D ¹ ₀ =
{2}, D ² ₀ = {3,4,5}, D ³ ₀ = {6, 7} can be obtained.
Examining the values of p _1,0 and p _2,0 in each subdomain, if the value of x ₀ is within that subdomain, then x ₁
We can see the rule that packets are not matched regardless of the value of. For example, in D ⁰ ₀ , p _1,0 and p _2,0
Are both F, no rules r ₁ and r ₂ match regardless of the value of x ₁ . The subdomain rule set in FIG. 1 is a set of rules excluding such rules.

The domain descriptor is data that gives a subdomain identifier from a key value, and gives a series of subdomain identifiers as shown in FIG. That is, the vector [0,0,1,2,2,2,3] in the figure becomes the domain descriptor,
For example, the value 2 of the third element (the fourth element because this vector starts from the 0th element) is the subdomain identifier for the value 3 of the key.

From FIG. 1, the partial calculation R ₀ = sieve {r ₁ , r ₂ }, 0 (x ₀ ) is

[Equation 2] become that way.

R ₀ of this equation gives a set of rules which can be obtained by excluding, from the rule set R, the rules in which the packet may not satisfy all the conditions, with respect to the possible values of the key. The expansion table is a table with the address of the domain descriptor corresponding to each set as an entry, so the domain description that can be obtained by performing a partial calculation of the function sieve (R ₀ , 1, x ₁ ) for each set in the same way as above The expansion table is obtained by creating a table in which the child addresses are arranged. As a result, in the compiling process, the data shown in FIG. 2 is created. This data is sie
It is called a ve expansion tree. In each block of FIG. 2, the first line is a domain descriptor, and the second and subsequent lines are expansion tables.

In the search process, first, the key 0 of the received packet
The domain descriptor of the partial calculation sieve {r ₁ , r ₂ }, 0 (x ₀ ) is read according to the value of. In the block of sieve {r ₁ , r ₂ }, 0 (x ₀ ) in FIG. 2, for example, when the value of key 0 is 2, the second domain descriptor (the rightmost one is the 0th one, so it is 3 The value of 1) is read as the subdomain identifier. Next, a pointer to sieve {r ₁ }, 1 (x ₁ ) is read out as the _first value (second from the top because the top is 0th) of the expansion table. Furthermore, the domain identifier of sieve {r ₁ }, 1 (x ₁ ) is read according to the value of key 1 of the received packet, and the expansion table is read according to that value. Now, assuming that the value of key 1 is 6, the subdomain identifier is 1, so the first in the expansion table is read and a pointer to r ₁ is obtained. That is, when the values of the keys 0 and 1 of the received packet are 2 and 6, respectively, it is notified that this packet matches the rule r ₁ . In this way, by reading the domain descriptor and the expansion table entry as many times as the number of keys (2 in the above example), a rule that succeeds in matching can be obtained.

[Embodiment 2] In another compile process, a key is a continuous bit string having a fixed length of 8 bits. In this case, if the packet field length is not 8 bits, a rule that can be used by converting the condition for each field into a key condition is used. At this time, if necessary, the fields are combined or divided and converted into a key predicate. 1 when splitting a field into multiple keys
There may be multiple rules. The following is an example of combining and dividing flag bits, multi-byte fields, and multiple-length prefix fields.

In the case of flag bits, a plurality of bits having the same byte length are put together into one key. For example, r ₁ : p _1,1 [x ₁ = 1] p _1,2 [x ₂ = 0] a ₁ as r _{1 ′} : p _{1 ′, 1} [x _{1 ′} = (10) ₂ ] a ₁ To do. Here, bit 0 of the x _{1 'is} x _2, bit 1 x
_{Is 1} .

In the case of a multi-byte field, it is divided into a plurality of keys. For example, r ₁ : p _1,1 [x ₁ > 300] a ₁ is replaced with r _{1 ′} : p _{1 ′, 1} [x _{1 ′} = 1] p _{1 ′, 2} [x _{1 ″} > 44] a ₁ r _{1 "} : P _{1", 1} [x _{1 '} > 1] p _{1 ", 2} [x _1" ≥0] a ₁ where x ₁ is 2-byte data and x _1'
The upper 1 byte, x 1 of x _{1 "is} a lower one byte.

In the case of a multiple length prefix, it is divided into a plurality of keys and expressed by an inequality. For example, r ₁ : p _1,1 [x ₁ = (112 *) ₁₆ ] a ₁ is replaced by r _{1 ′} : p _{1 ′, 1} [x _{1 ′} = (11) ₁₆ ] p _{1 ′, 2} [(20) ₁₆ ≤ x _{1 "} ≤ (2f) ₁₆ ] a ₁ where * is a wild card and x ₁ is 2
A byte data, x 1 _'is the top 1 byte of x _1, x
_{1 "} is the lower 1 byte.

[Third Embodiment] In still another compilation process, data having the structure shown in FIG. 3 is created. In the figure,
The value of the key is 8 bits and one word in the memory is 32 bits. In the search process, as shown in the figure, the value of the upper 6 bits of the key specifies the memory word of the domain descriptor, and the value of the lower 2 bits of the key specifies the position within the word. In this way, the 8-bit data obtained by designating the key value becomes the subdomain identifier, which designates the position of the entry in the expansion table. The expansion table entry holds the address of the next domain descriptor or the storage address of the action information of the rule.

[Fourth Embodiment] In still another compilation process, data having the structure shown in FIG. 4 is created. As shown in the example of Fig. 1, this data is an interval descriptor even if it does not hold a vector of subdomain identifier values [0,0,1,2,2,2,3,3]. Represents the boundary of. In other words, if the subdomain identifier has changed, if it holds a bit string of 0, and if not, if it holds a bit string [0,0,1,1,0,0,1,0], then obtain the subdomain identifier. It is based on what you can do. That is, in the above bit string, the subdomain identifier corresponding to the bit is obtained from the number of 1s from bit 0 to each bit.

FIG. 4 shows, in a 32-bit word memory,
3 shows a data structure configured to obtain a subdomain identifier with one reference. In this domain descriptor, a pair of a bitmap formed by dividing the above bit string by 8 bits and an offset representing the value of the sub domain identifier of the first bit is used. In this case, the top four keys
A bit selects one word in the domain descriptor, and when the bit 4 is 1, the upper half word is selected, and when the bit 4 is 0, the lower half word offset and bitmap are selected. Select the bit position of the bitmap with the lower 3 bits of the key. The value obtained by adding an offset to the number of 1s from bit 0 of the bitmap to the selected bit becomes the subdomain identifier. When this data structure is used, the memory size of the domain descriptor is 64 bytes, which is 1/4 of that in the case of FIG.

[Fifth Embodiment] In still another compilation process, data having the structure shown in FIG. 5 is created. This data is a data structure of a domain descriptor in an index format applicable when the number of subdomains is 4 or less. In this case, it holds the value of the key that gives the subdomain boundaries. In the search process, the subdomain identifier is obtained by comparing the value of the key with the value of each boundary and determining which boundary the value is.

[Sixth Embodiment] In still another compilation process, data having the structure shown in FIG. 4 or 5 is created according to the number of subdomains. Further, flag data indicating whether the data of the next domain identifier is in the format of FIG. 4 or the format of FIG. 5 is held in the entry of the expansion table. In the search process, the data format of the domain descriptor is discriminated according to this flag data, and the search process of the fourth or fifth embodiment is switched.

[Embodiment 7] In still another compilation processing, the domain identifier and the expansion table (both are combined
(called eve) is created, as shown in FIG. 6, data in which the next sieve is shared is created. That is, as is the case with the example of FIG. 1, even if the subdomains are different, the rule sets that are the inputs of the next sieve may be the same. In the compilation process, such subdomains are detected and the contents of the expansion table entries are made the same.

[Embodiment 8] In still another compilation process, as shown in FIG. 7, the number of entries in the expansion table is 1
Exclude the sieve such as, and create the data that holds the value of that entry as the value of the entry in the expansion table in the previous stage.

[Embodiment 9] In still another compiling process, a development table having the instruction word shown in FIG. 8 as an entry is created. In the search processing, the processors are arranged and operated in a one-dimensional array as shown in FIG. Each processor is
As shown in the figure, the value of the key and the command word are input, and the command word for the processor at the next stage is output. This command is an entry in the expansion table.

These processors operate according to the following procedure. (1) An instruction word consisting of data indicating the type of the domain descriptor, the storage address of the domain descriptor, the designation of the key position, the designation of the processor, the end of the search, etc. is externally received. (2) Fetch fields for specifying the domain descriptor type, domain descriptor storage address, and key position from the command word. (3) Receive the value of the key specified by the key position and set it as x _k . (4) Read the value of the domain descriptor (the value of the subdomain identifier) corresponding to x _k according to the type of the domain descriptor. At this time, the start address of the domain descriptor is given by the address field of the instruction word. (5) Read the expansion table entry (next command word) according to the value of the subdomain identifier. (6) When the position of the terminator or processor of the next instruction word is 1, the next instruction word is output and the execution of the instruction word is finished,
Return to (1). If not, return to (2).

These processors have a chunk memory for storing the domain descriptor and the expansion table as a local memory. When the memory of the domain descriptor and the expansion table is divided and the memory access of the domain descriptor and the expansion table is pipelined, the processor can output for each memory access.

When arranging the processors by the number of keys,
Assign to each processor the execution of sieve that corresponds to one key each. If the compiler always sets the value of the processor position to 1, the processor will follow the procedure (6) above.
Always configure a loop that returns to step (1). At this time, if an instruction word having the address of the sieve of the root of the sieve expansion tree is input to the first processor, each processor will get 1
Executes sieve using one key, and the processor at the final stage uses the rule identifier (if the packet is executable) or 0
Outputs an instruction word that has (when the packet cannot be executed) in the address field. As shown in FIG. 9, when the key values of packets that arrive consecutively are given to the processors one after another and the command word is given to the head processor every time the packets arrive, the system as a whole is systolic at execution time intervals of 1 sieve. To work. Further, if the processor is configured by a pipeline of two stages, systolic operation can be performed at time intervals of one memory access.

As shown in FIG. 8, the instruction word of the processor has a field for designating the position of the key and the position of the processor. Therefore, a plurality of sieves having different key positions to be processed are assigned to the same processor. It is possible. When the number of processors or the memory capacity of each processor is not sufficient, the following allocation method can be adopted. That is, let p be the number of processors and s be the number of sieves on the bus from the root to the leaves of the sieve expansion tree.
Then, in this case, if the number of sieves equal to the smallest integer greater than s / p is allocated to the same processor in order from the root, the number of allocated sieves per processor is averaged.

Since the memory is distributed to each processor, even if the entire system has a memory capacity capable of holding all chunk data of the sieve expansion tree, a memory shortage occurs in a specific processor when the above allocation is attempted. Due to this, there may occur a sieve that cannot be allocated. In such a case, the sieve can be assigned to another processor at the expense of execution time.

[0048]

As described above, according to the present invention, the following effects can be obtained. That is, in the search process, AC
Instead of examining L in order from the top, the pairs of domain identifiers and expansion tables corresponding to the key fields (sieve) are examined in order, so the number of sieves to be examined does not depend on the number of rules, so the number of rules is large. However, the search processing time does not increase. Further, even when using a condition that conforms to the longest prefix matching in the rule, it is only necessary to check the sieves in order, so backtracking or extra pointers do not lengthen the search time. Even in the case of region matching, it is possible to use it as it is because it is only necessary to examine the sieves in order. Therefore,
According to the present invention, it is possible to realize a packet classification device that can be applied to a large number of rules with a small amount of hardware.

[Brief description of drawings]

FIG. 1 is a diagram illustrating details of a configuration example of a domain descriptor according to a first embodiment.

FIG. 2 is a diagram showing a configuration example of a domain descriptor and a development table in the first embodiment.

FIG. 3 is a diagram showing a configuration example of a domain descriptor and a development table in the third embodiment.

FIG. 4 is a diagram showing a configuration example of a domain descriptor and a development table in the fourth embodiment.

FIG. 5 is a diagram showing a configuration example of a domain descriptor in the fifth embodiment.

FIG. 6 is a diagram showing a configuration example of a series of pairs of domain descriptors and expansion tables in the seventh embodiment.

FIG. 7 is a diagram showing a configuration example of a series of sets of domain descriptors and expansion tables in the eighth embodiment.

FIG. 8 is a diagram showing a configuration example of an instruction word according to the ninth embodiment.

FIG. 9 is a diagram illustrating a configuration example of a processor array according to a ninth embodiment.

FIG. 10 is a diagram showing an example of a conventional access control list.

FIG. 11 is a diagram showing an example of a conventional Patricia tree.

[Explanation of symbols]

r rule R rule set p rule predicate the value of the x key I interval D domain DD domain descriptor UT expansion table

Claims (9)

(57) [Claims] 1. A packet classification device for finding a rule that a packet satisfies all conditions from a rule set, which is a set of rules defining conditions to be satisfied by a key field. A compile function for converting, and a search function for determining the position of the next key and the address of the domain descriptor according to the value of the entry of the expansion table located at the address determined by the value of the key of the packet and the value of the domain descriptor, The packet classification device, wherein the search function traces the data generated by the compiling function according to the value of the key of the received packet. 2. The compiling function has a function of converting a key into a fixed length by dividing the key when the length is long and connecting the keys when the length is short.
The packet classification device described in 1. 3. The compiling function has a function of generating a domain descriptor holding an identifier of a corresponding expansion table entry for all values of the key, and the searching function has a domain descriptor based on the value of the key. 3. The packet classification device according to claim 1, further comprising a function for obtaining an address of an entry in the expansion table from the packet classification device. 4. The compiling function divides the key values into groups at regular intervals, and for each group, indicates whether the value of the identifier of the expansion table entry corresponding to the smallest key and the expansion table entry change. It has a function to generate a domain descriptor that holds a data pair with bitmap data, and a search function has the function of interpreting the data pair of the domain descriptor based on the value of the key to obtain the address of the expansion table entry. The packet classification device according to claim 1 or 2, further comprising: 5. The compiling function has a function of generating a domain descriptor consisting of a key value of which the expansion table entry changes when the expansion table has a small number of entries, and the searching function includes a packet key value. 2. The method according to claim 1, further comprising a function of comparing the value of the key held in the domain descriptor with the address of the entry in the expansion table.
Or the packet classification device according to 2. 6. The compile function comprises the compile function according to claim 4 and the compile function according to claim 5, wherein the compile function functions according to the number of subdomains, and the search function corresponds with the function according to any one of the above. 3. The packet classification device according to claim 1, further comprising a function of obtaining an address of an entry in the expansion table. 7. A function for compiling, when a rule set formed by excluding a rule in which a packet may not satisfy all conditions from the rule set is the same, and generating a development table summarized in the same domain descriptor. 7. The search function according to claim 1, further comprising the function of determining the position of the next key and the address of the domain descriptor by using the key of the packet and the expansion table. The described packet classification device. 8. The compiling function has a function of, when the number of entries in the expansion table is 1, holding the value of the entry as the value of the entry of the expansion table in the preceding stage, and excluding the expansion table and the domain descriptor, 8. The search function according to claim 1, wherein the search function has a function of determining the position of the next key and the address of the domain descriptor by using the key value of the packet and the expansion table. Packet classifier. 9. The search function has a function of interpreting and executing an instruction word including data indicating a domain descriptor type, a domain descriptor storage address, a key position designation, a processor designation, a search end, and the like. The packet classification device according to any one of claims 1 to 7, wherein