JP6652070B2 - Data processing device, information entry management method, and information entry management program - Google Patents

Description

  The present invention relates to a data processing device, an information entry management method, and an information entry management program, and more particularly, to a data processing device that processes a received packet, an information entry management method, and an information entry management program as an example of data processing.

  A packet processing device, such as an Ethernet (registered trademark) switch, a router, or an OpenFlow (OpenFlow) switch, that transfers or discards a packet according to a certain rule generally receives and processes the packet. The following processing is executed.

  (1) First, a packet is received from a communication interface.

  (2) Next, information necessary to process the received packet is searched.

  (3) Finally, the received packet is processed based on the retrieved information.

  The process (2) is generally referred to as packet classification, and is a process of searching for a rule with the highest priority suitable for a received packet from a given rule set. The rule includes a match condition (for example, a range of addresses that match) and an action that is a process executed on a packet that matches the match condition. In addition, the rule may include priority and statistical information.

  Here, a technique relating to a packet classification method using a search tree is described in Non-patent Document 1 (“EffiCuts: Optimizing Packet Classification for Memory and Throwing Comm. Have been. The technique described in Non-Patent Document 1 treats a rule search problem of d fields as a subspace search problem in a d-dimensional space. The technique described in Non-Patent Document 1 is a technique for finding a rule that matches a received packet by cutting a search space and narrowing a search area every time a search tree is traced.

  Here, the nodes constituting the search tree represent a subspace of the d-dimensional space, and the root node represents the entire possible area (initial search area) in the d-dimensional space. Each rule is associated with every node that has a subspace that overlaps the d-dimensional subspace that each rule represents. If the number of rules associated with (included in) a node is greater than a predetermined fixed number (Binth), the node is cut in one or more dimensions to create a child node ( That is, the node is an intermediate node). On the other hand, when the number of rules associated with (included in) a certain node is equal to or smaller than a certain number (Binth), the node becomes a leaf node.

  An example of a search process using a search tree will be described with reference to FIGS. FIG. 23 is a schematic diagram illustrating an example of a rule set. The example shown in FIG. 23 assumes a rule search of two fields (dimension X and dimension Y), and shows a case where the possible ranges of dimension X and dimension Y are 0 to 255 and 0 to 127, respectively. . In FIG. 23, each rectangle indicates a two-dimensional subspace corresponding to the matching conditions of rules R1 to R7. If the rectangles overlap, it is assumed that the rule in which all the rectangles are displayed has higher priority.

  FIG. 24 is a schematic diagram illustrating an example of a search tree, and illustrates an example of a search tree for performing a rule search from rules R1 to R7 of the rule set illustrated in FIG. 23 (in the case of Binth = 2). In other words, FIG. 24 shows that, with respect to the example of the rule set shown in FIG. An example is shown in which the cut is made into two partial spaces. In FIG. 24, an ellipse indicates an intermediate node, and a rectangle indicates a leaf node.

  FIG. 25 is a table showing an example of information related to the nodes of the search tree, and shows a subspace represented by each node of the search tree in FIG. 24 and rules included in each node. As shown in FIG. 25, the subspace represented by the root node is the entire search space. Thus, the subspace represented by the root node has dimensions X and Y in the ranges of 0 ≦ X ≦ 255 and 0 ≦ Y ≦ 127, respectively, and the rules included in the root node are R1 to R7. In the process of arriving at the leaf node 4 from the root node, the search space is cut (Cut) into four on the X axis and cut (Cut) into two on the Y axis. The positions of the leaf nodes 4 at the X-axis and Y-axis cuts (Cut) are the fourth and first positions, respectively. Thus, the subspace represented by the leaf node 4 has dimensions X and Y in the range of 192 ≦ X ≦ 255 and 0 ≦ Y ≦ 63, respectively, and the rules included in the leaf node 4 are R5 and R7. .

  Here, for example, an example of the rule search process when packets having X and Y values of 230 and 30, respectively, will be described. First, the packet processing apparatus confirms the root node, and selects the node 1 (192 ≦ X ≦ 255) indicating the fourth subspace since the value of X of the received packet is 230. Next, the packet processing device checks the node 1 and selects the leaf node 4 (0 ≦ Y ≦ 63) indicating the first subspace because the value of Y of the received packet is 30. Leaf node 4 includes rules R5 and R7, as described above. The packet processing device performs a linear search from among these rules, and finds, for example, a rule R7 as a rule having the highest priority corresponding to the received packet.

  In the above description of the search processing, the case where there is one search tree is illustrated. Non-Patent Document 1 discloses an example in which a rule set is divided into a plurality of sub-rule sets by classifying using a rule feature, a search tree is constructed for each sub-rule set, and the search tree is used for search processing. Have been. When a search tree is constructed for each sub-rule set, the rule search process for the received packet is executed for each search tree of each sub-rule set, and a plurality of obtained rules (the number of obtained rules is ), The rule with the highest priority is selected.

  Also, a technique for improving the search performance by storing (cached) a search result of a rule search process using a search tree and reusing it is disclosed in Japanese Patent Application Laid-Open No. 2000-41065. Publication "Data Search Circuit"). In the technique described in Patent Literature 1, a search result by a search tree is registered in, for example, a completely matching cache entry search table implemented as a hash table. If a cache entry that exactly matches the packet exists in the cache entry search table when the packet is received, the search result based on the search tree stored in the cache entry is used, and the search processing using the search tree is omitted. Is done.

  Here, in a configuration in which the search result is cached in the cache entry search table and used, when a rule set is changed (that is, a rule is added, changed, or deleted to the search tree), the cache is cached. Search results must also be updated appropriately. If it is not updated properly, the received packet will be processed according to the search result in the old rule set, and communication processing and control based on rules will not be performed correctly.

  Patent Document 2 (Japanese Patent No. 4646823) discloses a technique for reducing the load of deleting a cache entry that has cached a search result by a search tree from a cache entry search table in accordance with a change in the search tree (routing table). Publication No. “Router device, route determination method in router device”). In the technique described in Patent Document 2, a counter value is provided in a routing entry stored in a routing table and indicating a correspondence between a destination address of a packet and a route, and when the routing entry is updated, The counter value is incremented.

  Then, the device disclosed in Patent Document 2 receives a packet, and processes the packet using a cache entry (including a search result of a routing table (that is, information of a routing entry)) corresponding to the packet. . In this process, the device refers to the counter value of the routing entry to determine whether the routing entry has been updated. The device deletes the cache entry when an update is detected. As a result, the device can reduce the load for specifying the cache entry to be deleted, and can reduce the load for deleting the cache entry.

JP 2000-41065 A Japanese Patent No. 4646823

Balajee Vamanan, Gwendolyn Voskuilen and T.W. N. Vijaykumar; "EffiCuts: Optimizing Packet Classification for Memory and Throughput", Proceedings of the ACM SIGCOMM 2010 conference, 2010. p. 207-218

  As described above, a rule set is divided into sub-rule sets, a search tree is constructed for each sub-rule set, and a search result is also cached and reused in a packet classification method used for search. As a result, improvement in processing performance can be expected. On the other hand, in order to perform communication processing and control based on the latest rule set, it is necessary to appropriately update cached information according to a change to a search tree group.

  However, the technique disclosed in Patent Document 2 is based on a single search tree. When the technique is applied to a case where a plurality of search trees exist, a process is performed each time a packet is received to check whether or not there is an update by referring to the counter value for each of all the search trees. Therefore, when there are a plurality of search trees, the number of data references in the packet reception processing increases, which causes a problem that the processing performance deteriorates. Such a problem becomes more remarkable when a computer including a CPU (Central Processing Unit) and a memory having a hierarchical memory configuration including a cache memory performs the above-described processing.

  That is, a counter value exists for each node in the search tree, and each packet is typically adapted to rules contained in different nodes. For this reason, memory access to the counter value is executed for a discrete area (address) in the memory address space. When memory access is performed on discrete areas, it is difficult to obtain a memory access delay concealment effect of the cache memory. As a result, the problem that the time required for packet processing becomes longer occurs more remarkably.

[Object of the present invention]
The present invention has been made in view of such a problem. That is, the present invention provides a data processing apparatus capable of reducing the load required for searching for an information entry even when a plurality of search trees are used for searching for an information entry used for data processing (for example, packet processing). And the like is one of the main purposes.

  In order to solve the above-described problem, a data processing device or the like according to one embodiment of the present invention mainly employs the following configuration.

(1) A data processing device according to one embodiment of the present invention includes:
A first information entry for determining a method of processing data to be processed is determined by using one or a plurality of search trees from a set of first information entries each including data identification information to be applied. In the case where the data is processed using the searched first information entry, an intermediate node and a leaf node which are nodes constituting each search tree are associated with a search space of the data identification information. A search result of the first information entry by the search tree obtained at the time of the search is stored as a second information entry, and when the data is processed, the second information entry relating to the data is A data processing device that processes the data using the second information entry if the data is stored;
Search tree initialization means for grouping one or more of the search trees and selecting a base search tree in each search tree group;
For each of the intermediate nodes and leaf nodes constituting the search tree, update history information indicating the update history of the node and shared update history information indicating the update history of any of the nodes constituting the search tree Search tree storage means for storing;
When the content of the first information entry is operated, the update history information of the node associated with the search space overlapping with the operation target data identification information as the data identification information of the first information entry is updated. Updating means for updating the shared update history information of the node associated with the search space overlapping the operation target data identification information for the base search tree of the search tree group to which the search tree including the node belongs. ,
As the second information entry, a node identifier, which is obtained as a search result of the first information entry by the search tree and indicates a node reached by a search in each search tree, the update history information of the node, and the sharing Information entry storage means for storing a cache with update history information;
When performing data processing using the second information entry, the cache of the shared update history information of the node related to the second information entry stored in the information entry storage unit and the latest shared information of the node The update history information is compared for each of the base search trees, and when there is a mismatch between the two, the information entry for each of the search trees of the search tree group to which the base search tree including the node belongs belongs. The cache of the update history information of each of the nodes related to the second information entry stored in the storage unit is compared with the latest update history information of each of the nodes. Re-evaluation means for determining that the second information entry stored in the information entry storage means is invalid.

(2) The information entry management method according to one aspect of the present invention is characterized in that:
A first information entry for determining a method of processing data to be processed is determined by using one or a plurality of search trees from a set of first information entries each including data identification information to be applied. In the case where the data is processed using the searched first information entry, an intermediate node and a leaf node which are nodes constituting each search tree are associated with a search space of the data identification information. A search result of the first information entry by the search tree obtained at the time of the search is stored as a second information entry, and when the data is processed, the second information entry relating to the data is An information entry management method for processing the data using the second information entry when the information is stored, wherein one or more of the search trees are grouped. Loop, select a base search tree in each search tree group,
For each of the intermediate nodes and leaf nodes constituting the search tree, update history information indicating the update history of the node and shared update history information indicating the update history of any of the nodes constituting the search tree Remember,
When the content of the first information entry is operated, the update history information of the node associated with the search space overlapping with the operation target data identification information as the data identification information of the first information entry is updated. And, for the base search tree of the search tree group to which the search tree including the node belongs, updating the shared update history information of the node associated with the search space overlapping the operation target data identification information,
As the second information entry, a node identifier, which is obtained as a search result of the first information entry by the search tree and indicates a node reached by a search in each search tree, the update history information of the node, and the sharing Store cache with update history information,
When performing data processing using the second information entry, the cache of the shared update history information of the node related to the stored second information entry and the latest shared update history information of the node are stored. Comparing each of the base search trees, and if there is a mismatch between the two, the search tree of the search tree group to which the base search tree including the node belongs belongs to the stored second search tree. The cache of the update history information of each of the nodes related to the information entry is compared with the latest update history information of each of the nodes. If there is a mismatch between the two, the stored second information entry is By determining that it is invalid, the second information entry is reevaluated.

  (3) An information entry management program according to an aspect of the present invention implements the information entry management method described in (2) above as a program executable by a computer.

  The object of the present invention is also achieved by a data processing device having the above configuration, a computer readable recording medium storing the information entry management program for realizing a data processing method by a computer, and the like.

  According to the present invention, the following effects can be obtained.

  That is, according to the present invention, even when a plurality of search trees are used for searching for information entries used for data processing (for example, packet processing), the load required for searching for information entries can be reduced.

FIG. 1 is a block diagram showing an example of a block configuration of a data processing device according to an embodiment of the present invention. FIG. 2 is a block diagram showing an example of a detailed block configuration of a search tree control unit of the data processing device shown in FIG. FIG. 3 is a block diagram showing an example of a detailed block configuration of the cache table control unit of the data processing device shown in FIG. FIG. 4 is a table for explaining a configuration example of a rule used in the data processing device shown in FIG. FIG. 5 is a table for explaining a configuration example of information relating to a search tree and information relating to a node used in the data processing apparatus shown in FIG. FIG. 6 is a table showing an example of information on a cache table and a cache entry stored in the cache table storage unit of the data processing device shown in FIG. FIG. 7 shows an operation of the search tree initialization unit in the search tree control unit of the data processing device shown in FIG. 1 when initializing the search tree and the rule set stored in the search tree storage unit and the rule storage unit, respectively. It is a flowchart which shows an example. FIG. 8 is a flowchart illustrating an example of an operation when the search tree initialization unit in the search tree control unit of the data processing device illustrated in FIG. 1 performs a search tree construction process. FIG. 9 is a flowchart illustrating an example of a detailed operation of the search tree construction sub-process A executed in step S112 of the flowchart of FIG. FIG. 10 illustrates an example of an operation when the rule updating unit in the search tree control unit of the data processing device illustrated in FIG. 1 updates the search tree and the rule set stored in the search tree storage unit and the rule storage unit, respectively. It is a flowchart shown. FIG. 11 is a flowchart illustrating an example of a detailed operation of the rule update sub-process A1 executed in step S136 of the flowchart of FIG. FIG. 12 is a flowchart illustrating an example of a detailed operation of the rule update sub-process A2 executed in step S143 of the flowchart of FIG. FIG. 13 is a flowchart illustrating an example of a detailed operation of the rule update sub-process B executed in step S137 of the flowchart of FIG. FIG. 14 is a flowchart illustrating an example of a detailed operation of the rule update sub-process C executed in step S139 of the flowchart of FIG. FIG. 15 is a diagram illustrating an example in which the search tree search unit in the search tree control unit of the data processing apparatus illustrated in FIG. 1 refers to a search tree and a rule set stored in the search tree storage unit and the rule storage unit, respectively. 9 is a flowchart illustrating an example of an operation when searching for a rule that conforms to. FIG. 16 is a flowchart showing an example of the detailed operation of the rule search sub-process A executed in step S181 of the flowchart in FIG. FIG. 17 is a flowchart illustrating an example of an operation when the packet processing unit of the data processing device illustrated in FIG. 1 receives a packet. FIG. 18 is a flowchart illustrating an example of an operation when the cache entry creation unit in the cache table control unit of the data processing device illustrated in FIG. 1 creates a cache entry. FIG. 19 is a flowchart illustrating an example of an operation when the cache entry search unit in the cache table control unit of the data processing device illustrated in FIG. 1 searches for a cache entry. FIG. 20 is a flowchart illustrating an example of an operation when the cache entry reevaluation unit in the cache table control unit of the data processing device illustrated in FIG. 1 reevaluates the cache entry. FIG. 21A is an explanatory diagram (1/2) illustrating an example of a sub-rule set when a search tree initialization unit in a search tree control unit of the data processing device illustrated in FIG. 1 divides a rule set based on rule characteristics. It is. FIG. 21B is an explanatory diagram (2/2) illustrating an example of a sub-rule set when the search tree initialization unit in the search tree control unit of the data processing device illustrated in FIG. 1 divides the rule set based on the feature of the rule. It is. FIG. 22 is a table illustrating an example of a search tree group created by a search tree initialization unit in the search tree control unit of the data processing device illustrated in FIG. FIG. 23 is a schematic diagram illustrating an example of a rule set. FIG. 24 is a schematic diagram illustrating an example of a search tree. FIG. 25 is a table illustrating an example of information related to the nodes of the search tree. FIG. 26 is a diagram illustrating a hardware configuration of an information processing device capable of realizing the data processing device according to the embodiment of the present invention.

  Hereinafter, preferred embodiments of a data processing device and the like according to the present invention will be described with reference to the accompanying drawings. Hereinafter, an embodiment of a data processing device and an information entry management method according to the present invention will be described. Such an information entry management method may be implemented as an information entry management program executable by a computer. Such an information entry management program may be recorded on a computer-readable recording medium. In addition, the drawing reference numerals attached to the following drawings are provided for convenience of each element as an example to facilitate understanding, and are not intended to limit the present invention to the illustrated embodiments.

  Prior to a detailed description of an embodiment of the present invention, an outline of a data processing device and the like according to the present invention will be described first.

  A data processing device according to an embodiment of the present invention includes a first information entry for determining a method of processing data to be processed, a set of first information entries including data identification information to which the data is applied. Is searched using one or more search trees.

  When processing the data using the searched first information entry, the data processing apparatus searches for an intermediate node and a leaf node, which are nodes constituting each search tree, in association with the search space of the data identification information. I do. Then, a search result of the first information entry by the search tree is stored as a second information entry. When processing the data, if the data processing apparatus stores the second information entry relating to the data, the data processing apparatus processes the data using the second information entry.

  The data processing apparatus includes a search tree initialization unit (search tree initialization means) that groups one or more search trees and selects a base search tree in each search tree group.

  Further, the data processing device includes a search tree storage unit (search tree storage unit) that executes the following processing. That is, the search tree storage unit (search tree storage unit) configures, for each of the intermediate nodes and leaf nodes constituting the search tree, update history information indicating an update history of the node, and configures the search tree. To store the shared update history information indicating the update history of any of the above nodes.

  In addition, the data processing device includes an update unit (update unit) that performs the following processing. In other words, when the content of the first information entry is operated, the updating unit associates the node associated with the search space overlapping the operation target data identification information that is the data identification information in the operated first information entry. Update the update history information of. The update unit updates the shared update history information of the node associated with the search space overlapping with the operation target data identification information for the base search tree of the search tree group to which the search tree including the node belongs. I do.

  Further, the data processing device includes an information entry storage unit (information entry storage unit) that executes the following processing. That is, the information entry storage unit obtains, as a search result of the first information entry by the search tree, a node identifier indicating a node reached by a search in each search tree, update history information of the node, and shared update history information. , Is stored as the second information entry.

  Further, the data processing device includes a re-evaluation unit (re-evaluation unit) that executes the following processing. That is, when performing the data processing using the second information entry, the reevaluation unit includes a cache of the node's shared update history information regarding the second information entry stored in the information entry storage unit, Is compared with the latest shared update history information for each of the base search trees. As a result of the comparison process, when there is a mismatch between the two, the reevaluation unit determines, for each search tree of the search tree group to which the base search tree including the node belongs, the second search information stored in the second information entry storage unit. Then, the cache of the update history information of each node relating to the second information entry is compared with the latest update history information of each node. When there is a mismatch between the two, the reevaluation unit determines that the second information entry stored in the second information entry storage unit is invalid.

[Description of Embodiment]
In the following description of the present embodiment, as an example, a case will be described in which packet processing is performed as data processing and rules are used as information entries used in the data processing. In the present embodiment, an example is shown in which an IPv4 (Internet Protocol version 4) packet is handled as a packet (communication packet). However, the present invention is not limited to the packet processing as described above, and is widely applicable to other general data processing.

[Configuration Example of Embodiment]
First, a configuration example of the present embodiment will be described with reference to FIG. FIG. 1 is a block diagram showing an example of a block configuration of a data processing device according to an embodiment of the present invention. The data processing device 1 illustrated in FIG. 1 includes a search tree control unit 10, a search tree storage unit 20, a rule storage unit 30, a cache table control unit 40, a cache table storage unit 50, a packet processing unit 60, , A communication IF unit 70, and a data processing device control unit 80.

  The search tree control unit 10 manages the search tree stored in the search tree storage unit 20 and the rules stored in the rule storage unit 30. Specifically, the search tree control unit 10 is, for example, a unit that performs search tree initialization, search, addition of rules, and the like.

  Although details will be described later, the search tree storage unit 20 is mainly used when searching for a rule (that is, one type of information entry, first information entry) corresponding to a received packet (that is, one type of data to be processed). The search tree is stored. The search tree stored in the search tree storage unit 20 includes one or a plurality of nodes. The node is either an intermediate node or a leaf node. Further, the search tree storage unit 20 stores information related to search tree grouping. The number of search trees stored in the search tree storage unit 20 is usually two or more, but may be one. The search tree storage unit 20 stores the search tree using a memory, for example. An identifier for uniquely identifying each search tree, each node, and each search tree group is assigned, and the identifier is used in an operation such as reference.

  The rule storage unit 30 stores a set (rule set, sub-rule set) of rules (that is, a type of information entry, a first information entry) that is information for packet processing. The rule storage unit 30 stores, for example, a set of rules using a memory. The rule storage unit 30 stores a set of rules in a memory using, for example, a data structure such as an array or a hash table. An identifier for uniquely identifying each rule, each rule set, and each sub-rule set is assigned, and the identifier is used at the time of an operation such as reference.

  The cache table control unit 40 manages cache entries stored in the cache table storage unit 50. The cache table control unit 40 performs, for example, creation and search of a cache entry.

  The cache table storage unit 50 is a unit that stores a cache entry (that is, a type of information entry, a second information entry) that includes (caches) a result of a search using a search tree. The cache table storage unit 50 functions as, for example, an information entry storage unit. The cache table storage unit 50 stores a cache entry using a memory, for example. The cache table storage unit 50 stores a cache entry in a memory using, for example, a data structure of a hash table. Each cache entry is assigned an identifier for uniquely identifying the cache entry, and the identifier is used for operations such as reference.

  The packet processing unit 60 receives a packet (that is, a type of data to be processed) from the communication IF unit 70, and processes the received packet. At that time, the packet processing unit 60 uses the search tree control unit 10 and the cache table control unit 40 to search for an information entry (node, rule, cache entry) used for processing the packet, and uses the search result. Process the packet. Note that the packet processing unit 60 may function as a data processing execution unit that processes a type (packet) of data to be processed.

  The communication IF unit 70 is an interface for connecting the data processing device 1 to a communication network (not shown in FIG. 1), and a communication protocol used in the communication network (hereinafter simply referred to as “protocol”). In some cases).

  The data processing device control unit 80 controls the data processing device 1 to process a packet according to a rule set or a sub-rule set. For example, when the data processing device 1 starts up, the data processing device control unit 80 gives an instruction to the search tree initialization unit 11 (FIG. 2) to pass an initial rule set and to perform initialization. The data processing device control unit 80 may read the initial rule set from a storage device (not shown in FIG. 1) included in the data processing device 1. Further, the data processing device control unit 80 may receive the initial rule set from another control device (not shown in FIG. 1). When receiving a rule update command from a user via a user interface (not shown in FIG. 1), the data processing device control unit 80 instructs the search tree control unit 10 to update the rule. I do. Further, the data processing device control unit 80 may instruct the search tree control unit 10 to update the rule when receiving a rule update instruction from another control device (not shown in FIG. 1). Good.

  Next, rules used in the data processing device 1 of the present embodiment shown in FIG. 1 will be described with reference to the table of FIG. FIG. 4 is a table for explaining a configuration example of a rule used in the data processing device 1 shown in FIG. 1. FIG. 4 shows a configuration example of a rule stored in the rule storage unit 30 of the data processing device 1 in FIG. Is shown.

  As shown in the item column 31 of the table of FIG. 4, each rule is configured to include a match condition and a priority, which are a kind of data identification information indicating an application target, and further include an action, statistical information, and a deletion flag. . As shown in the description column 32 of the table in FIG. 4, the match condition of each rule defines the condition of the field value of the packet that conforms to the rule. For example, in the present embodiment, the following five fields (5 tuples) are used as match conditions (a type of data identification information). That is, those five fields are a start destination IP address and an end destination IP address, a start source IP address and an end source IP address, a start destination port number and an end destination port number, a start source port number and The end source port number, start protocol number, and end protocol number.

  For example, in the present embodiment, the following specific examples are shown in the example column 33 of the table of FIG. 4 as an example of the match condition. That is, in such a specific example, the (start and end) destination IP addresses are in the range of '0.0.0.0' to '255.255.255.255'. The (start and end) source IP addresses are in the range from '10 .0.0.0 'to '10 .255.255.255'. The (start and end) destination port number is '80'. The (start and end) source port numbers are in the range of '0' to '65535'. The protocol number is '17'. However, the present invention is not limited to only such a field configuration.

  The priority of each rule is used to select a rule to be adopted when a plurality of rules match a certain packet. The priority of each rule is, for example, a numerical value (for example, a non-negative integer) representing the priority of each rule, as shown in the description column 32 of the table in FIG. 4, and a higher numerical value may indicate a higher priority. . For example, a non-negative integer ‘100’ is set for the priority of the rule shown in the example column 33 of the table of FIG.

  Further, the action of each rule defines the processing content (processing method) to be executed on a packet conforming to the rule, as shown in the description column 32 of the table in FIG. When the action of the rule for the matched packet involves transmission and reception of the packet, the packet is output to the communication IF unit 70 as shown in the example column 33 of the table in FIG. The number of actions included in each rule is not limited to one, and may be zero or two or more. An example of a rule action is shown below. However, the present embodiment is not limited to the following processing as a rule action.

  (A) The packet is output from the designated communication IF unit 70.

  (B) Change the destination MAC (Media Access Control) address of the packet to the specified value.

  (C) Change the source MAC address of the packet to the specified value.

  (D) Change the destination IP address of the packet to the specified value.

  (E) Change the source IP address of the packet to the specified value.

  (F) Change the destination port number of the packet to the specified value.

  (G) Change the source port number of the packet to the specified value.

  (H) Add a VLAN (Virtual Local Area Network) tag to the packet.

  (I) Delete the VLAN tag of the packet.

  (J) Change the VLAN tag of the packet.

  (K) Discard the packet.

  Next, as shown in the description column 32 of the table of FIG. 4, the statistical information of each rule indicates a statistical value of a packet group that has been processed in conformity with the rule. The statistical information of each rule is, for example, a total transmission packet size, a total reception packet size, a transmission packet number, a reception packet number, and the like, as shown in an example column 33 of the table in FIG.

  Further, as shown in the explanation column 32 of the table in FIG. 4, the deletion flag of each rule indicates whether the deletion processing is postponed because the deletion is requested for the rule but the rule is in use. Is a flag indicating

  Next, information on the search tree and information on the nodes stored in the search tree storage unit 20 in the data processing device 1 of the present embodiment shown in FIG. 1 will be described with reference to the table in FIG.

  The search tree storage unit 20 stores a set of search trees, a search tree group list, and a set of nodes. FIG. 5 is a table illustrating a configuration example of information related to a search tree and information related to a node used in the data processing device 1 illustrated in FIG. FIG. 5 shows a configuration example of the information on the search tree and the information on the nodes stored in the search tree storage unit 20 of the data processing device 1 in FIG. Part (A) in FIG. 5 illustrates information about the search tree and information about the search tree group list. FIG. 5B illustrates information on nodes. The node in the present embodiment is either an intermediate node or a leaf node. In the part (B) of FIG. 5, as shown in the node type column 24, the information that is common to both the intermediate node and the leaf node is “common to the intermediate node and leaf node”, and the information that only the intermediate node has is “ The information that only the leaf nodes have in the "intermediate node" portion is shown in the "leaf node" portion.

  The node partial space shown in the item column 25 of the part (B) of FIG. 5 is information on a partial space represented by the node, which is a search target of the node. The information of this subspace corresponds to the information described in the “subspace represented by node” column in FIG. 25 in the example of the general search tree described above with reference to FIGS. In the example shown in FIG. 25, the case where the number of dimensions of the search space is two is shown. On the other hand, since the matching condition of the rule in the present embodiment is 5 tuples (5 Tuples) as described above, the number of dimensions of the search space in the present embodiment is five.

  Therefore, in the “intermediate node” of the node type column 24 in the part (B) of FIG. 5, the “dimension to cut (Cut)” and the “number of cuts (Cut)” shown in the item column 25 change the search space into five dimensions. This is information used when a child node is created by cutting. For example, in the example of FIG. 25, the information of the “dimension to cut (Cut)” and the “number of cuts (Cut)” regarding the root node are ‘X axis’ and ‘4’, respectively. In the example of FIG. 25, the information of the “dimension to cut (Cut)” and the “number of cuts (Cut)” regarding the node 1 are ‘Y axis’ and ‘2’, respectively. When a search tree is created, a cut may be performed on a plurality of dimensions at a certain node at the same time. In this case, a set of “dimensions to cut” and “number of cuts” is stored for each of a plurality of dimensions.

  Further, as for the information relating to the search tree, as shown in the type column 21 in the part (A) of FIG. 5, information relating to each of the search trees and information relating to a search tree group obtained by grouping one or a plurality of search trees. And are stored. As shown in the item column 22 and the description column 23, information on each search tree includes a root node identifier indicating a root node (root node), a subrule set identifier indicating a corresponding subrule set, and a search tree to which the search tree belongs. A search tree group identifier indicating a group is included. The information on the search tree group includes a search tree identifier list indicating each search tree to which the search tree belongs, and a base search tree identifier indicating a base search tree as a base.

  Next, a cache table and a cache entry used in the embodiment according to the present invention will be described. The cache entry is used to store and reuse a search result of a rule that matches a received packet using a search tree. As an input to the search tree search process, a field group (5 fields, that is, 5 tuples in this embodiment) used as a rule match condition in the received packet is used. Hereinafter, the value of the field group is referred to as a “key”. When the same key set is used to perform a rule search based on the same rule set, the same rule is obtained. Therefore, in the present embodiment, the data processing device 1 creates and uses a cache entry for each key. Hereinafter, a group of packets having the same key is referred to as a “flow”.

  FIG. 6 is a table showing an example of information related to the cache table and the cache entry stored in the cache table storage unit 50 of the data processing device 1 shown in FIG. 1. FIG. 4 shows an example of information relating to an entry. Part (B) of FIG. 6 shows an example of the cache entry node state. Each of (A) and (B) in FIG. 6 shows a configuration example of information related to a cache entry used in the present embodiment. In the present embodiment, an example is shown in which a cache entry is stored using an open address (Open Address) type hash table. However, the present embodiment is not limited to such an open address type hash table.

  The bucket list of the cache table (Bucket List) can be realized, for example, as an array of cache entries. In this case, the M-th cache entry of the N-th bucket (Bucket) can be referred to by accessing the (N-1) * (M-1) -th element in the bucket list (Bucket List). it can. The information related to the cache entry includes information about a busy flag, a key, a rule identifier, a last use time, and a node status list, as shown in the item column 51 of FIG.

  As shown in the description column 52 of FIG. 6A, the in-use flag is a flag indicating whether or not the cache entry is in use. If the in-use flag is on, it indicates that the cache entry is in use. The key is a key related to the flow represented by the cache entry, and is used as a search key for searching in the hash table. The rule identifier is an identifier of a rule that matches a packet corresponding to the cache entry. The last use time is information indicating the time when the cache entry was last used. The node state list is a list of states (for each search tree) of the node to which the flow represented by the cache entry belongs when the cache entry is used last, as shown in part (B) of FIG. Is shown.

  That is, the node state list of the cache entry shown in FIG. 6B stores information of the node (each search tree) that has finally reached when a rule is searched using the key of the cache entry. As shown in the item column 53 in FIG. 6B, the node state of the cache entry includes a search tree identifier, a node identifier, an update counter cache, and a shared update counter cache.

  As shown in the description column 54 in FIG. 6B, the search tree identifier of the node state indicates the identifier of the search tree indicated by the node state. The node identifier in the node state is an identifier of a node to which the flow represented by the cache entry belongs in the search tree. The update counter cache and the shared update counter cache in the node state respectively store the value of the update counter and the value of the shared update counter of the node when the cache entry was last used. Note that the shared update counter cache is used only for nodes of the base search tree.

  Next, a detailed configuration example of the search tree control unit 10 of the data processing device 1 shown in FIG. 1 will be described with reference to the block configuration diagram of FIG. FIG. 2 is a block diagram showing an example of a detailed block configuration of the search tree control unit 10 of the data processing device 1 shown in FIG. As shown in FIG. 2, the search tree control unit 10 includes a search tree initialization unit 11, a rule update unit 12, a search tree search unit 13, and an update counter acquisition unit 14.

  The search tree initialization unit 11 initializes information on the search tree and the rules stored in the search tree storage unit 20 and the rule storage unit 30, respectively, based on the rule set (initial rule set) used in the initial state. I do. The initial rule set may be stored in advance in a storage device (not shown in FIG. 2) included in the data processing device 1. Further, the initial rule set may be provided from another control device (not shown in FIG. 2).

  Further, the rule updating unit 12 may be configured to search the search tree and the rule stored in the search tree storage unit 20 and the rule storage unit 30, respectively, in response to a request from the data processing device control unit 80 illustrated in FIG. This is a part for updating information relating to (a type of information entry). The rule updating unit 12 functions as, for example, an updating unit. The rule update unit 12 receives the operation type (any of addition, change, and deletion) and the rule included in the request from the data processing device control unit 80 as parameters. When the operation type included in the request from the data processing device control unit 80 is rule update (rule change), it is possible to request a change in the priority and action of the corresponding rule, but the match condition must be changed. Can not.

  The search tree search unit 13 searches for a rule that matches the specified key, for example, in response to a request from the packet processing unit 60 illustrated in FIG. The search tree search unit 13 receives a key (search key) to be used for the search from the packet processing unit 60 as a parameter related to the search. The search tree search unit 13 determines the identifier of the highest-priority rule that matches the search key (when the highest-priority rule is detected), and the node (intermediate node or leaf) finally reached in the search in the search tree. A list of identifiers (for each search tree) of the node) is returned to the request source.

  The update counter obtaining unit 14 obtains the latest value of the update counter of the designated node and the latest value of the shared update counter in response to, for example, a request from the packet processing unit 60 shown in FIG.

  Next, a detailed configuration example of the cache table control unit 40 of the data processing device 1 shown in FIG. 1 will be described with reference to the block configuration diagram of FIG. FIG. 3 is a block diagram showing an example of a detailed block configuration of the cache table control unit 40 of the data processing device 1 shown in FIG. As shown in FIG. 3, the cache table control unit 40 includes a cache entry creation unit 41, a cache entry search unit 42, and a cache entry reevaluation unit 43.

  The cache entry creation unit 41 creates a cache entry, for example, in response to a request from the packet processing unit 60 of the data processing device 1 shown in FIG. When there is no free space in the bucket corresponding to the specified key, the cache entry creation unit 41 deletes one cache entry in the bucket and creates a new cache entry.

  Further, the cache entry searching unit 42 searches for a cache entry in response to a request from the packet processing unit 60 of the data processing device 1 shown in FIG. 1, for example. The cache entry search unit 42 receives the key as a parameter, searches for a cache entry corresponding to the received key, and returns the searched cache entry to the request source.

  The cache entry re-evaluation unit 43 re-evaluates the cache entry in response to a request from the packet processing unit 60 of the data processing device 1 shown in FIG. 1, for example. The cache entry reevaluation unit 43 receives the identifier of the cache entry. Here, the re-evaluation of the cache entry means that the search tree search result (the rule matching the flow represented by the cache entry) stored as the specified cache entry is valid even in the state of the latest rule set. Is to make sure. The cache entry re-evaluation unit 43 checks whether or not a certain cache entry is valid in the state of the latest rule set, and stores a node state list including the following information stored as the cache entry, And the latest value of the node's update counter and shared update counter.

(A) a node to which the flow belongs in each search tree;
(B) the value of the update counter of each node when the cache entry is used last;
(C) The value of the shared update counter of each node when the cache entry is used last (only the node of the base search tree is valid).

[Operation Example of Embodiment]
Next, an example of each of the following operations in the data processing device 1 illustrated in FIGS. 1 to 3 as a configuration example of the present embodiment will be described in detail with reference to the drawings.
(A) search tree initialization processing,
(B) rule update processing,
(C) rule search processing,
(D) packet processing,
(E) cache entry creation processing,
(F) cache entry search processing;
(G) Cache entry reevaluation processing.

<(A) Search tree initialization processing>
First, an operation example of the search tree initialization processing will be described with reference to the flowcharts of FIGS. FIG. 7 shows that the search tree initialization unit 11 in the search tree control unit 10 of the data processing apparatus 1 shown in FIG. 1 initializes the search tree and the rule set stored in the search tree storage unit 20 and the rule storage unit 30, respectively. 9 is a flowchart showing an example of an operation when the operation is changed. The operation of the search tree initialization process illustrated in the flowchart of FIG. 7 may be started, for example, when the data processing device 1 is started, or may be started in response to an initialization request from the data processing device control unit 80. Good. At the start of the operation of the search tree initialization processing, the search tree initialization unit 11 in the search tree control unit 10 is given a rule set (that is, an initial rule set) used in the initial state as a parameter.

  In the flowchart of FIG. 7, the search tree initialization unit 11 divides an initial rule set given as a parameter into sub-rule sets using characteristics of each rule, and stores the sub-rule set in the rule storage unit 30 (step S101). ). The division into the sub-rule sets may be performed using a well-known technique. For example, the division method described in Non-Patent Document 1 may be used.

  In the method of dividing into sub-rule sets, first, for each field used as a match condition of a rule, a threshold for determining the magnitude of the match condition in the corresponding field is set. For example, a threshold value “0.5” is set for the protocol number field (possible values 0 to 255). If “(end protocol number) − (start protocol number)” of a certain rule is equal to or more than “127 (= 255 * 0.5 (integer part))”, the search tree initialization unit 11 The rule determines that the protocol number is large. If the value is less than 127, the search tree initialization unit 11 determines that the rule is small for the protocol number.

  In the method for dividing into sub-rule sets, the search tree initialization unit 11 performs magnitude determination on each field (5 tuples) of each rule. Next, the search tree initialization unit 11 sets a rule group having the same magnitude determination result in each field as one sub-rule set. The search tree initialization unit 11 forms one sub-rule set by a rule group in which only the fields of the destination IP address and the destination port number are large and the remaining fields are small. However, a rule group in which the number of fields having small match conditions is four or more is collectively regarded as one sub-rule set. 21A and 21B illustrate a configuration example of the sub-rule set. An example of the configuration of this sub-rule set is shown in the two drawings of FIGS. 21A and 21B, and FIG. 21B shows a continuation of FIG. 21A. That is, since FIGS. 21A and 21B are drawings to be understood as a continuous drawing, both drawings are collectively referred to as FIG. 21 below. For convenience of explanation, legends having the same contents are provided in the upper part of FIGS. 21A and 21B. However, in the case where both figures of FIG. 21A and FIG. 21B are viewed integrally (that is, when both figures are viewed with the upper end of FIG. 21B connected to the lower end of FIG. 21A), the legend at the top of FIG. 21B is omitted. May be treated as FIG. 21 is a diagram illustrating an example of a sub-rule set when the search tree initialization unit 11 in the search tree control unit 10 of the data processing device 1 illustrated in FIG. 1 divides a rule set based on rule characteristics. FIG. In FIG. 21, the rule includes five fields of a source IP address (IPS), a destination IP address (IPD), a (communication) protocol (P), a source port (TPS), and a destination port (TPD). 5 shows an example of the configuration of a sub-rule set in the case of (5 tuples). In FIG. 21, a field in which the match condition is specified in each field is indicated by a hatched rectangle.

  In the example of the sub-rule set configuration of FIG. 21, (a) in FIG. 21 (FIG. 21A) is a sub-rule set of 'subset 5' as a rule group in which the specification of the match condition is large for all five fields (five tuples). Indicates the presence of Further, FIG. 21 (FIG. 21A) portion (b) shows five rule sub-sets of “subset 1-1” to “subset 1-5” as a rule group in which the number of fields with a small matching condition designation is one. Indicates when a ruleset exists. For example, in the case of “subset 1-1”, as indicated by hatching, the field of the source IP address is a small field.

  Further, FIG. 21 (FIG. 21A) part (c) is a rule group in which the number of fields for which the specification of the match condition is small is two, and the ten sub-sets of 'subset 2-1' to 'subset 2-10' are This shows a case where a rule set exists. For example, in the case of “subset 2-1”, as indicated by hatching, two fields of the source IP address and the destination IP address are small fields. Also, (d) of FIG. 21 (FIG. 21B) shows a rule group in which the number of fields for which the specification of the match condition is small is three, and the ten sub-rules of “subset 3-1” to “subset 3-10” This shows the case where the set exists. For example, in the case of “subset 3-1”, as indicated by hatching, three fields of the source IP address, the destination IP address, and the protocol are small fields.

  Further, part (e) of FIG. 21 (FIG. 21B) is accommodated in one sub-rule set of 'subset 4' as a rule group in which the number of fields for which the match condition is specified is small is four or more. Is shown. For example, even when the four fields of the source IP address, the destination IP address, the protocol, and the source port are small fields, the fields of the source IP address, the destination IP address, the protocol, the source port, and the destination port are also used. Even when the five fields are small fields, they are collectively accommodated in one sub-rule set called “subset 4”.

  Returning to the description of the flowchart in FIG. 7, the search tree initialization unit 11 next builds a search tree for each sub-rule set (step S102). Details of the operation will be described later. Thereafter, the search tree initialization unit 11 determines a search tree group and a base search tree of each search tree group (step S103). Here, the search tree initialization unit 11 groups the search trees according to a predetermined grouping criterion using the characteristics of the rules included in each search tree, for example. Such a grouping criterion may be, for example, the following grouping criterion that gives the granularity of a rule match condition (a type of data identification information).

  (A) Grouping criterion A: A search tree (a search tree for 'subset 5' in part (a) of FIG. 21) accommodating a rule group in which match conditions are specified in all five fields constitutes a search tree group by itself. I do.

  (B) Grouping criterion B: A search tree (a search tree for 'subset 4' in (e) of FIG. 21) which accommodates a rule group having a small number of match fields and a field number of 4 or more is also independently searched. Tree groups may be configured.

  (C) Grouping criterion C: a search tree accommodating a rule group having a small number of fields (for example, one) with a small specification of a match condition (a search tree for 'subset 1-1' in part (b) of FIG. 21) To 'subset 1-5' search trees) are included in different search tree groups.

  (D) Grouping criterion D: Search trees having similar large and small patterns specified in the match condition are included in the same search tree group, and search trees that are not similar are included in another search tree group.

    (D-1) For example, a field with a small match condition designation is represented by "0" and a large field is represented by "1", and a 5-bit binary sequence is created for each search tree from the large and small pattern designated by the match condition. Then, the similarity determination regarding the two search trees is performed using the Hamming distance (specifically, the quantified Hamming distance) between the 5-bit binary sequences created for each search tree.

    (D-2) For example, the binary sequence for 'subset 2-5' in FIG. 21C is '10011', and the binary sequence for 'subset 3-7' in FIG. 21D is '10001'. And the Hamming distance between them is '1'. In addition, the binary sequence for "subset 2-7" in part (c) of FIG. 21 is "10110", and the hamming distance with the binary sequence for subset 2-5 is "2". Therefore, as a search tree accommodated in the same search tree group as the search tree for 'subset 2-5', the search tree for 'subset 3-7' having a smaller Hamming distance is the search tree for 'subset 2-7'. More desirable.

  (E) Grouping criterion E: The number of search trees included in each search tree group is set to be as equal as possible (excluding the groups based on the grouping criterion A and the grouping criterion B).

  FIG. 22 shows an example of a search tree group indicating a result of grouping by the search tree initialization unit 11 in the example of the sub-rule set configuration of FIG. FIG. 22 is a table showing an example of a search tree group created by the search tree initialization unit 11 in the search tree control unit 10 of the data processing device 1 shown in FIG. In the case of the sub-rule set configuration example in FIG. 21, by applying the above-described grouping criteria A to E, the sub-rule set is divided into search tree groups 1 to It is grouped into seven search tree groups of group 7.

  For example, as shown in the use grouping criterion column 113 in FIG. 22, the search tree group 1 is grouped by applying the grouping criterion C, D, and E to the sub-rule set illustrated in FIG. Search tree is included. That is, as shown in the belonging search tree column 112 in FIG. 22, the search tree group 1 includes “subset 1-1”, “subset 2-1”, “subset 2-2”, “subset 2-2” in FIG. 5 'search trees 1' and 'subset 3-3' belong. Similarly, search tree group 2 includes search trees grouped by applying grouping criteria C, D, and E to the sub-rule set illustrated in FIG. That is, as shown in the belonging search tree column 112 in FIG. 22, the search tree group 2 includes “subset 1-2”, “subset 2-5”, “subset 2-6”, and “subset 3” in FIG. 7 'and five search trees of' subset 3-9 'belong. In addition, one search tree of the ‘subset 5’ belongs to the search tree group 6 by applying the grouping criterion A. One search tree of 'subset 4' belongs to search tree group 7 by applying grouping criterion B.

  Further, for example, the search tree initialization unit 11 determines, from among the determined search tree groups, a search tree having the smallest (small) number of fields whose match condition is specified as the base search tree of the search tree group. Select as In the example of FIG. 22, the search tree initialization unit 11 determines, for example, a search tree for “subset 1-1” (a search tree whose number of fields having a small match condition is “1”) as a base search tree of the search tree group 1. ).

  Next, an example of the operation in which the search tree initialization unit 11 constructs a search tree for each sub-rule set in step S102 in FIG. 7 will be described with reference to the flowcharts in FIGS. FIG. 8 is a flowchart illustrating an example of an operation when the search tree initialization unit 11 in the search tree control unit 10 of the data processing device 1 illustrated in FIG. 1 performs a search tree construction process. 11 shows an example of the operation when constructing a search tree.

  In the flowchart of FIG. 8, the search tree initialization unit 11 first assigns a root node of the search tree to be constructed (step S111). Specifically, the search tree initialization unit 11 allocates a data area for storing information of a root node to the search tree storage unit 20, and sets the following information for the root node.

(A) Leaf node flag: off,
(B) parent node identifier: invalid value,
(C) Subspace: The entire search space below,
(C-1) Destination IP address: 0.0.0.0 to 255.255.255.255,
(C-2) Source IP address: 0.0.0.0 to 255.255.255.255,
(C-3) Protocol number: 0 to 255,
(C-4) Destination port number: 0 to 65535,
(C-5) Source port number: 0 to 65535,
(D) Update counter and shared update counter: 0.

  Next, the search tree initialization unit 11 executes a search tree construction sub-process A described later for the assigned root node (step S112). At that time, the search tree initialization unit 11 uses the root node and all the rules included in the processing target sub-rule set as parameters.

  Next, the detailed operation of the search tree construction sub-process A executed in step S112 of the flowchart of FIG. 8 will be described using the flowchart of FIG. FIG. 9 is a flowchart illustrating an example of a detailed operation of the search tree construction sub-process A executed in step S112 of the flowchart of FIG. The search tree construction sub-process A includes, as parameters, a processing target node (for example, a node identifier format, hereinafter referred to as a “processing target node”) and a set of rules included in the node (for example, a rule identifier list format, Hereinafter, it is described as 'rule set to be processed').

  In the flowchart of FIG. 9, the search tree initialization unit 11 first checks whether the number of rules included in the rule set to be processed is equal to or smaller than a predetermined number (Binth) (step S121). If the number of rules is not equal to or smaller than the fixed number (Binth) (NO in step S121), the search tree initialization unit 11 determines the dimension for cutting (Cut) the subspace represented by the processing target node and the number of cuts (Cut). It is determined (step S122). Here, the dimension to cut (Cut) and the number of cuts (Cut) may be determined using a known technique. For example, as such a technique, see Non-Patent Document 1 and the documents referred to by Non-Patent Document 1. The described division method may be used.

  In the division method described in Non-Patent Document 1 and the document referred to by Non-Patent Document 1, the matching condition of each rule of the processing target rule set is limited to a common part with the subspace of the processing target node. For example, when the protocol number of a certain rule is 10 to 20 and the protocol number of the subspace of the processing target node is 15 to 25, the protocol number of the match condition of the rule is determined to be 15 to 20. .

  Further, the division method calculates the number of unique ranges for each dimension (field). For example, when there are three rules and the protocol numbers of the match conditions of each rule are 15 to 20, 16 to 20, and 17 to 17, respectively, the number of unique ranges is three. Further, when the protocol numbers of the match conditions of each rule are 15 to 20, 15 to 20, and 17 to 17, respectively, the number of unique ranges is 2 (that is, the first and second unique ranges). The second is the same protocol number). Then, in the division method, a dimension having a number of unique ranges larger than the average of the number of unique ranges for all dimensions is selected as a dimension to be cut (Cut).

  In the division method, the upper limit of the number of cuts is determined from spfac (Special Factor), which is a parameter for adjusting the memory usage, and the size of the rule set to be processed (the number of rules). I do. For example, in the division method, a value obtained by integrating the square root of the number of rules and the parameter spfac is set as the upper limit of the number to be cut. Then, in the division method, when the number of cuts is 2, the average value and the maximum value of the number of rules included in each child node are obtained.

  Further, in the division method, the number of cuts is increased, and the average value and the maximum value of the number of rules included in each child node at that time are obtained. Then, even if the value to be cut (Cut) reaches the upper limit value or the number of cuts (Cut) is increased, the division method has a large average value and a maximum value of the number of rules included in each child node. The number of cuts (Cut) when the change stops appearing is determined as the number of cuts (Cut) of the processing target node.

  Returning to the description of the flowchart of FIG. Next, the search tree initialization unit 11 obtains the result when the subspace represented by the processing target node is cut (Cut) based on the cut (Cut) method (the dimension to be cut and the number of cuts) determined in step S122. A child node is assigned to each of the subspaces (step S123). Specifically, the search tree initialization unit 11 causes the search tree storage unit 20 to allocate a data area for storing information of each child node, and sets the following information for each child node. When the number of rules included in the subspace obtained as a result of the cut is 0, a child node representing the subspace does not need to be assigned.

(A) Leaf node flag: off,
(B) parent node identifier: identifier of the processing target node,
(C) subspace information: subspace represented by the child node;
(D) Update counter and shared update counter: 0.

  Next, the search tree initialization unit 11 executes the main search tree construction sub-process A of steps S121 to S123 for each child node assigned in step S123 (step S124). At this time, the search tree initialization unit 11 uses a child node to be processed and a set of rules included in the child node as parameters.

  If the number of rules is equal to or smaller than the fixed number (Binth) in step S121 (YES in step S121), the search tree initialization unit 11 sets up the processing target node as a leaf node (step S125). . Specifically, the search tree initialization unit 11 changes or adds the following settings to the processing target node.

(A) Leaf node flag: ON,
(B) Rule identifier list: A list of rule identifiers included in the child node.

<(B) Rule update processing>
Next, an operation example of the rule update process will be described with reference to the flowcharts of FIGS. FIG. 10 illustrates a case where the rule updating unit 12 in the search tree control unit 10 of the data processing apparatus 1 illustrated in FIG. 1 updates the search tree and the rule set stored in the search tree storage unit 20 and the rule storage unit 30, respectively. 5 is a flowchart showing an example of the operation of FIG. The operation of the rule update process exemplified in the flowchart of FIG. 10 may be started, for example, by a request from the data processing device control unit 80. The rule update unit 12 receives an operation type (any of addition, change, and deletion) and a rule (hereinafter, referred to as a “process target rule”) as parameters related to the rule update process.

  In the flowchart of FIG. 10, the rule update unit 12 first selects a processing target sub-rule set including the processing target rule (step S131). The selection of the sub-rule set is performed by the same method as the method used in step S101 of the flowchart of FIG.

  Next, the rule update unit 12 checks whether the current operation requested as a parameter is a rule deletion (step S132). If the requested current operation is rule deletion (YES in step S132), the rule updating unit 12 sets the deletion flag of the processing target rule stored in the rule storage unit 30 to ON. (Step S134), the process proceeds to step S135. On the other hand, when the requested current operation is not the rule deletion (NO in step S132), the rule updating unit 12 updates the sub-rule set to be processed according to the request by the parameter (step S133). ), And proceed to step S135. As a specific update process, in the case of adding a rule, the rule updating unit 12 causes the rule storage unit 30 to newly store the processing target rule as an element of the processing target sub-rule set. In the case of a rule change, the rule update unit 12 changes the information (priority and action) of the processing target rule stored in the rule storage unit 30 as one element of the processing target sub-rule set.

  Next, the rule updating unit 12 checks whether the current operation requested as a parameter is a rule addition (step S135). If the requested current operation is to add a rule (YES in step S135), the rule update unit 12 determines a root node of the search tree of the processing target sub-rule set (that is, the processing target search tree), which will be described later. After executing the rule update sub-process A1 (step S136), the process proceeds to step S138. On the other hand, when the requested current operation is not a rule addition (NO in step S135), the rule update unit 12 executes a rule update sub-process B described below for the root node of the search tree to be processed. Thereafter (step S137), the process proceeds to step S138.

  Thereafter, the rule update unit 12 selects a base search tree for the search tree to be processed (step S138). Specifically, the rule update unit 12 refers to the search tree group list stored in the search tree storage unit 20, and acquires the base search tree identifier of the search tree group to which the processing target search tree belongs. Next, the rule update unit 12 executes a later-described rule update sub-process C for the root node of the base search tree selected in step S138 (step S139).

  Although details will be described later, the update counter of the node including the processing target rule in the processing target search tree is updated by the rule updating sub-processing A1 in step S136 and the rule updating sub-processing B in step S137. Further, by the rule update sub-process C in step S139, the shared update counter of the node including the processing target rule is updated in the base search tree of the search tree group to which the processing target search tree belongs.

  Next, the detailed operation of the rule update sub-process A1 executed in step S136 of the flowchart of FIG. 10 will be described with reference to the flowchart of FIG. FIG. 11 is a flowchart illustrating an example of a detailed operation of the rule update sub-process A1 executed in step S136 of the flowchart of FIG. In the rule update sub-process A1, a processing target node (processing target node) and a rule to be added to the node (processing target rule) are given.

  In the flowchart of FIG. 11, the rule update unit 12 first checks whether the processing target node is a leaf node (step S141). The confirmation as to whether or not the node is a leaf node is performed by confirming whether or not the leaf node flag of the processing target node is on. If the processing target node is not a leaf node (NO in step S141), the rule update unit 12 selects a child node group including the processing target rule (step S142). Whether or not a certain child node includes the processing target rule is determined by whether or not there is an overlap (overlapping part) between the subspace represented by the child node and the subspace represented by the match condition of the processing target rule (that is, common). (Whether or not there is a portion).

  Next, the rule update unit 12 executes a later-described rule update sub-process A2 for each of the child nodes (including unassigned child nodes) selected in step S142 (step S143). At this time, the rule updating unit 12 uses the selected child node (as a new processing target node), the current processing target node (as a parent node of the new processing target node), and the processing target rule as parameters. I do.

  Thereafter, the rule update unit 12 checks whether there is any child node newly assigned in any of the rule update sub-processes A2 executed once or more than once in step S143 (step S144). As a result of the check, if there is no newly assigned child node (NO in step S144), the rule update unit 12 ends the rule update sub-process A1. On the other hand, when there is a newly assigned child node (YES in step S144), the rule update unit 12 updates the update counter of the processing target node (step S145). Specifically, the rule updating unit 12 changes the value of the update counter of the processing target node to a value obtained by adding “1” to the current value.

  Also, in step S141, if the processing target node is a leaf node (YES in step S141), the rule updating unit 12 determines in advance that the number of rules corresponding to the processing target node (leaf node) after the rule has been added. It is checked whether the number is equal to or less than a predetermined number (Binth) (step S146). If the number of rules is equal to or smaller than the certain number (Binth) (YES in step S146), the rule updating unit 12 adds the identifier of the processing target rule to the rule identifier list of the processing target node (leaf node) ( Step S147), and the process proceeds to step S145 described above.

  On the other hand, when the number of rules is not equal to or smaller than the fixed number (Binth) (NO in step S146), the rule update unit 12 changes the processing target node (leaf node) to an intermediate node (set as an intermediate node) Then, after a new child node is created (step S148), the process proceeds to step S145 described above. In step S148, specifically, the rule update unit 12 changes the leaf node flag of the processing target node to off. Further, in order to create a child node, the rule updating unit 12 uses FIG. 9 as parameters with the identifier of the processing target node and the rule set obtained by adding the identifier of the processing target rule to the rule identifier list of the processing target node. The search tree construction sub-process A described above is executed.

  Next, the detailed operation of the rule update sub-process A2 executed in step S143 of the flowchart of FIG. 11 will be described using the flowchart of FIG. FIG. 12 is a flowchart illustrating an example of a detailed operation of the rule update sub-process A2 executed in step S143 of the flowchart of FIG. In the rule update sub-process A2, a processing target node (processing target node), an identifier of a parent node of the processing target node, a partial space represented by the processing target node, and a rule to be added to the node (processing target rule) Are given as parameters.

  In the flowchart of FIG. 12, the rule update unit 12 first checks whether a data area for a processing target node has been allocated (step S151). If the data area has been allocated (YES in step S151), the rule update unit 12 executes the rule update sub-process A1 shown in FIG. 11 using the processing target node and the processing target rule as parameters (step S152). ). On the other hand, if the data area has not been allocated (NO in step S151), the rule update unit 12 allocates a data area for the processing target node and sets up the data area as a leaf node (step S153). Specifically, the rule updating unit 12 causes the search tree storage unit 20 to allocate a data area for storing information on the processing target node, and sets the following information for the node.

(A) Leaf node flag: ON,
(B) parent node identifier: parent node identifier given as a parameter,
(C) subspace: a subspace given as a parameter,
(D) Update counter and shared update counter: 0,
(E) Rule identifier list: The identifier of the rule to be processed.

  Next, the detailed operation of the rule update sub-process B executed in step S137 of the flowchart of FIG. 10 will be described using the flowchart of FIG. FIG. 13 is a flowchart illustrating an example of a detailed operation of the rule update sub-process B executed in step S137 of the flowchart of FIG. In the rule update sub-process B, a processing target node (processing target node) and a rule to be deleted or changed (processing target rule) are received as parameters.

  In the flowchart of FIG. 13, the rule update unit 12 first checks whether the processing target node is a leaf node (step S161). Whether or not the node is a leaf node is determined based on whether or not the leaf node flag of the processing target node is on. When the processing target node is not a leaf node (N in step S161), the rule updating unit 12 selects a child node group including the processing target rule (step S162). Whether a certain child node includes the processing target rule is determined by whether there is a part overlapping the subspace represented by the child node and the subspace represented by the matching condition of the processing target rule (that is, there is a common part). Or not).

  Next, the rule update unit 12 executes the rule update sub-process B for each of the child nodes (only assigned child nodes) selected in step S162 (step S163).

  If the processing target node is a leaf node in step S161 (YES in step S161), the rule update unit 12 updates the rule identifier list of the processing target node (leaf node) (step S164). Specifically, when the requested current operation is rule deletion, the rule update unit 12 deletes the identifier of the processing target rule from the rule identifier list. If the requested current operation is a rule update, this operation can be omitted. Thereafter, the rule update unit 12 updates the update counter of the processing target node (leaf node) (Step S165). Specifically, the rule update unit 12 changes the value of the update counter of the processing target node (leaf node) to a value obtained by adding “1” to the current value.

  Next, the detailed operation of the rule update sub-process C executed in step S139 of the flowchart of FIG. 10 will be described using the flowchart of FIG. FIG. 14 is a flowchart illustrating an example of a detailed operation of the rule update sub-process C executed in step S139 of the flowchart of FIG. In this rule update sub-process C, a node to be processed (process target node) and a rule to be added to the node (process target rule) are given as parameters.

  In the flowchart of FIG. 14, the rule update unit 12 first checks whether the processing target node is a leaf node (step S171). Whether or not the node is a leaf node is determined based on whether or not the leaf node flag of the processing target node is on. If the processing target node is not a leaf node (NO in step S171), the rule update unit 12 selects a child node group including the processing target rule (step S172). Whether a certain child node includes a processing target rule depends on whether there is a part overlapping the subspace represented by the child node and the subspace represented by the match condition of the processing target rule (that is, there is a common part). Or not).

  Next, the rule update unit 12 executes the rule update sub-process C for each of the child nodes selected in step S172 (only assigned child nodes) (step S173).

  Thereafter, the rule update unit 12 checks whether the following condition is satisfied. That is, the rule updating unit 12 determines that the child node selected in step S172 has a child node to which a data area has not been allocated (that is, a child node in which the number of related rules is 0), and that the requested current operation is Is a rule addition, and the condition that the subspace represented by the unassigned child node overlaps with the subspace represented by the match condition of the processing target rule is checked (step S174). There is a child node to which the data area has not been allocated, and the current operation requested is a rule addition, and the subspace represented by the unallocated child node and the subspace represented by the match condition of the processing target rule If there is a portion that overlaps (YES in step S174), the rule update unit 12 updates the shared update counter of the processing target node (step S175), and ends the rule update sub-process C. Specifically, the rule update unit 12 changes the value of the shared update counter of the processing target node to a value obtained by adding “1” to the current value. On the other hand, in step S174, if there is no child node to which the data area has not been assigned, or if the requested current operation is not a rule addition (NO in step S174), the rule update unit 12 The rule update sub-process C ends. In step S174, even when there is no overlapping part between the partial space represented by the unassigned child node and the partial space represented by the match condition of the processing target rule, the rule updating unit 12 terminates the rule updating sub-process C. You may.

  If the processing target node is a leaf node in step S171 (YES in step S171), the rule update unit 12 updates the shared update counter of the processing target node (leaf node) (step S176). Then, the present rule update sub-process C ends. Specifically, the rule update unit 12 changes the value of the shared update counter of the processing target node (leaf node) to a value obtained by adding “1” to the current value. In parallel with the execution of the rule update sub-process C shown in the flowchart of FIG. 14 (that is, step S139 of FIG. 10), the rule update unit 12 performs a process of deleting a rule whose deletion wait flag is on, for example, periodically. To run. The rule update unit 12 causes the rule storage unit 30 to delete a rule whose deletion flag is on and a reference counter is 0 among the rules stored in the rule storage unit 30.

<(C) Rule search processing>
Next, an operation example of the rule search processing will be described with reference to the flowcharts of FIGS. FIG. 15 shows that the search tree search unit 13 in the search tree control unit 10 of the data processing apparatus 1 shown in FIG. 1 refers to the search tree and the rule set stored in the search tree storage unit 20 and the rule storage unit 30, respectively. 6 is a flowchart illustrating an example of an operation when searching for a rule that matches a given key. The operation of the present rule search process illustrated in the flowchart of FIG. 15 is started, for example, by a request from the packet processing unit 60. As a parameter related to the present rule search process, the search tree search unit 13 uses a key to be used for the search. (Search key).
In the present rule search process, the search tree search unit 13 sends the identifier of the highest priority rule (if searched) matching the search key given as a parameter to the request source (for example, the packet processing unit 60). return. The search tree search unit 13 also returns a list of identifiers (for each search tree) of nodes (intermediate nodes or leaf nodes) finally reached in the search in the search tree to the request source.

  In the flowchart of FIG. 15, the search tree search unit 13 first executes a later-described rule search sub-process A for each search tree (step S181). Next, the search tree search unit 13 selects the rule with the highest priority from the set of rules found in each search tree obtained in step S181. The search tree search unit 13 returns the selected rule to the request source as a rule that matches the search key received as a parameter (step S182). In addition, the search tree search unit 13 also returns a list of identifiers (for each search tree) of nodes (intermediate nodes or leaf nodes) finally reached by the search, which are obtained for each search tree in step S181.

  Next, the detailed operation of the rule search sub-process A executed in step S181 of the flowchart of FIG. 15 will be described using the flowchart of FIG. FIG. 16 is a flowchart showing an example of the detailed operation of the rule search sub-process A executed in step S181 of the flowchart in FIG. In the rule search sub-process A, the search tree search unit 13 uses, as parameters, a search tree to be processed (for example, a search tree identifier format, hereinafter referred to as a “process target search tree”), and a key ( Search key). In the rule search sub-process A, the search tree search unit 13 returns the searched rule, the identifier of the node finally reached by the search, as a result of the search, to the request source. Note that the node to be processed in the rule search sub-process A is referred to as a “process target node”.

  In the flowchart of FIG. 16, the search tree search unit 13 first selects the root node of the search tree to be processed as the node to be processed (step S191). Next, the search tree search unit 13 checks whether the processing target node is a leaf node (step S192). Whether or not the node is a leaf node is determined based on whether or not the leaf node flag of the processing target node is on.

  If the processing target node is not a leaf node (NO in step S192), the search tree search unit 13 selects a child node corresponding to the search key received as a parameter (step S193). Next, the search tree search unit 13 checks whether a data area has been allocated to the child node selected in step S193 (step S194). If the data area has been allocated (YES in step S194), the search tree search unit 13 selects the child node as a processing target node (step S195), and returns to step S192.

  On the other hand, if the data area has not been allocated in step S194 (NO in step S194), the search tree search unit 13 has finally reached the main search because there is no rule corresponding to the search key. This rule search sub-process A ends with the node as the current process target node.

  Further, in step S192, if the processing target node is a leaf node (YES in step S192), the search tree search unit 13 stores a rule based on the rule identifier list of the processing target node (leaf node). With reference to the unit 30, a rule related to this leaf node is acquired (step S196). Further, the search tree search unit 13 performs, for example, a linear search process in the rule group, selects a rule with the highest priority matching the search key from the rule group, and selects a rule matching the search key. Output as After that, the search tree search unit 13 ends the rule search sub-process A. In this case, the node finally reached in this search is the current processing target node (leaf node).

<(D) Packet processing>
Next, an operation example of the packet processing will be described with reference to the flowchart in FIG. FIG. 17 is a flowchart illustrating an example of an operation when the packet processing unit 60 of the data processing device 1 illustrated in FIG. 1 receives a packet. The packet processing operation illustrated in the flowchart of FIG. 17 is started when the communication IF unit 70 of the data processing device 1 receives a packet (processing target packet) and the packet processing unit 60 is notified of the reception of the packet. You.

  In the flowchart of FIG. 17, the packet processing unit 60 first extracts a key (search key) used for rule search from the received processing target packet (step S201). Specifically, the packet processing unit 60 extracts the source IP address, the destination IP address, the protocol number, the source port number, and the destination port number from the received packet as a search key. Next, the packet processing unit 60 requests the cache entry search unit 42 of the cache table control unit 40 shown in FIG. 3 using the search key extracted in step S201 as a parameter to search for a cache entry (step S202). .

  The packet processing unit 60 checks whether a cache entry (processing target cache entry) corresponding to the search key passed as a parameter is detected as a result of the request to the cache entry search unit 42 (step S203). If the processing target cache entry is detected (YES in step S203), the packet processing unit 60 requests the cache entry re-evaluation unit 43 of the cache table control unit 40 shown in FIG. Is re-evaluated (step S204). As a result of the re-evaluation, the cache entry reevaluation unit 43 determines whether the processing target cache entry has been updated (if a rule that matches the search key is detected) or deleted (if the rule that matches the search key does not match). If not detected), return one of the following.

  Upon receiving the re-evaluation result from the cache entry re-evaluation unit 43, the packet processing unit 60 checks whether a rule matching the search key has been detected in step S204 (step S205). If a rule that matches the search key is detected (YES in step S205), the packet processing unit 60 processes the processing target packet according to the action of the matching rule (step S206).

  On the other hand, if no rule that matches the search key is detected in step S205 (NO in step S205), the packet processing unit 60 executes a process for a packet to be processed when the matching rule is unknown (step S205). Step S207). Specifically, for example, the packet processing unit 60 executes one or a combination of the following processes.

(A) Discard the packet.
(B) A log is output to the effect that the matching rule of the packet is unknown.
(C) Notify the data processing device control unit 80 that the matching rule of the packet is unknown.
(D) Notify another device (for example, a network management device; not shown in FIGS. 1 to 3) that the matching rule of the packet is unknown.

  Further, when the processing target cache entry is not detected in step S203 (NO in step S203), the packet processing unit 60 requests the search tree search unit 13 of the search tree control unit 10 shown in FIG. Then, a rule matching the search key is searched (step S208). The packet processing unit 60 checks whether a rule matching the search key has been searched as a result of the request to the search tree search unit 13 (step S209). When a rule that matches the search key is not found (NO in step S209), the packet processing unit 60 proceeds to step S207 and executes the above-described processing when the matching rule is unknown.

  On the other hand, if a rule that matches the search key is found (YES in step S209), the packet processing unit 60 requests the cache entry creation unit 41 of the cache table control unit 40 shown in FIG. A cache entry for processing the target packet is created and stored in the cache table storage unit 50 (step S210). When requesting the cache entry creation unit 41, the packet processing unit 60 receives, as parameters, the search key extracted in step S201, the identifier of the rule found in step S208, and the search tree search unit 13 in step S208. The returned list of node identifiers is passed to the cache entry creation unit 41.

  Thereafter, the packet processing unit 60 proceeds to step S206, and processes the processing target packet according to the action indicated by the matching rule searched in step S208.

<(E) Cache entry creation processing>
Next, an operation example of the cache entry creation processing will be described with reference to the flowchart in FIG. FIG. 18 is a flowchart illustrating an example of an operation when the cache entry creation unit 41 in the cache table control unit 40 of the data processing device 1 illustrated in FIG. 1 creates a cache entry. The operation of the present cache entry creation processing illustrated in the flowchart of FIG. 18 is started based on a request from the packet processing unit 60, for example. The cache entry creation unit 41 uses the key (search key), the rule identifier, and the identifier (search tree) of the node finally reached in the search of the search tree using the key as parameters related to the cache entry creation processing. Every) and receive.

  In the flowchart of FIG. 18, the cache entry creation unit 41 first calculates a hash value of a key received as a parameter, and selects a bucket of the hash table corresponding to the key based on the calculation result ( Step S221). Next, the cache entry creation unit 41 checks whether or not the bucket selected in step S221 has an empty space (step S222). Whether or not a bucket is empty can be confirmed by checking the in-use flag for each cache entry in the bucket.

  If there is a vacancy in the selected bucket (Bucket) (YES in step S222), the process proceeds to step S224. If there is no free space in the selected bucket (Bucket) (NO in step S222), the cache entry creation unit 41 deletes any one of the cache entries in the bucket (Bucket). (Step S223), and it moves to step S224. Here, the cache entry creation unit 41 can delete the cache entry by setting the in-use flag of the cache entry to off. At that time, the cache entry creation unit 41 decrements the reference counter of the matching rule of the cache entry by one. Further, the cache entry creation unit 41 may select, for example, a cache entry with the oldest last use time as a deletion target.

  In step S224, the cache entry creation unit 41 selects and sets up one of the empty cache entries in the bucket (Step S224). Specifically, the cache entry creation unit 41 sets the following information for the selected cache entry. Further, the cache entry creating unit 41 increases the reference counter of the rule given as a parameter by one.

(A) In-use flag: ON,
(B) key: a key given as a parameter,
(C) rule identifier: an identifier of a rule given as a parameter,
(D) Last use time: time at the time of execution of processing,
(E) Node state. Node identifier (for each search tree): node identifier given as a parameter,
(F) Node state. Update counter cache (for each search tree): a value obtained by requesting the update counter obtaining unit 14 shown in FIG. 2 based on the node identifier,
(G) Node state. Shared update counter cache (for each base search tree): A value obtained by requesting the update counter obtaining unit 14 shown in FIG. 2 based on the node identifier.

<(F) Cache entry search processing>
Next, an operation example of the cache entry search process will be described with reference to the flowchart in FIG. FIG. 19 is a flowchart illustrating an example of an operation when the cache entry search unit 42 in the cache table control unit 40 of the data processing device 1 illustrated in FIG. 1 searches for a cache entry. The operation of the cache entry search process illustrated in the flowchart of FIG. 19 is started, for example, based on a request from the packet processing unit 60. Note that the cache entry creation unit 41 receives a key (search key) as a parameter related to the present cache entry search processing.

  In the flowchart of FIG. 19, the cache entry search unit 42 first calculates a hash value of a key received as a parameter. The cache entry search unit 42 selects a bucket of the hash table corresponding to the key based on the calculation result (Step S231). Next, the cache entry search unit 42 selects the first cache entry in the bucket selected in step S231 (step S232).

  Next, the cache entry searching unit 42 determines whether the in-use flag of the selected cache entry is on and whether the key of the cache entry matches the key given as a parameter of the present cache entry search process. Confirm (step S233). If the in-use flag of the cache entry is on and the key of the cache entry matches the key given as a parameter of the present cache entry search process (YES in step S233), the cache entry search unit 42 , It is determined that a search for a cache entry that matches the key has been successful. In this case, the cache entry search unit 42 ends the present cache entry search process, and returns the identifier of the cache entry to the request source as a search result.

  On the other hand, in step S233, if the in-use flag of the cache entry is on and the key of the cache entry does not match the key given as a parameter of the cache entry search process (NO in step S233) ), The cache entry search unit 42 checks whether or not the selected cache entry is the last cache entry in the bucket (Step S234). If the selected cache entry is the last cache entry in the bucket (YES in step S234), the cache entry search unit 42 ends the cache entry search processing. The cache entry search unit 42 notifies the request source that a cache entry matching the key could not be searched as a result of the search. Note that, even when the in-use flag of the selected cache entry is off (NO in step S233), the processes in step S234 and thereafter are executed in the same manner as described above.

  If the cache entry is not the last cache entry in the bucket (NO in step S234) in step S234, the cache entry search unit 42 selects the next cache entry in the bucket (Bucket). (Step S235), and the process returns to step S233.

<(G) Cache entry reevaluation process>
Next, an operation example of the cache entry reevaluation process will be described with reference to the flowchart in FIG. FIG. 20 is a flowchart illustrating an example of an operation when the cache entry reevaluation unit 43 in the cache table control unit 40 of the data processing device 1 illustrated in FIG. 1 reevaluates a cache entry. The operation of the present cache entry reevaluation process illustrated in the flowchart of FIG. 20 is started based on, for example, a request from the packet processing unit 60. The cache entry re-evaluation unit 43 receives the identifier of the cache entry to be re-evaluated (processing target cache entry) as a parameter related to the cache entry re-evaluation processing.

  In the flowchart of FIG. 20, the cache entry reevaluation unit 43 first refers to the node state list of the cache entry to be processed. The cache entry reevaluation unit 43 requests the update counter acquisition unit 14 of the search tree control unit 10 shown in FIG. 2 to update the latest shared update counter value (for each base search tree) of the node to which the flow represented by the processing target cache entry belongs. ) Is acquired (step S241). Next, the cache entry reevaluation unit 43 compares the latest shared update counter value acquired in step S241 with the shared update counter value of each base search tree for the processing target cache entry stored in the cache table storage unit 50. It is checked whether there is a difference between them (step S242).

  If there is no difference between the latest shared update counter value and the shared update counter value of each base search tree for the processing target cache entry stored in the cache table storage unit 50 (NO in step S242), the process proceeds to step S247. I do. On the other hand, if there is a difference between the latest shared update counter value and the shared update counter value of each base search tree for the processing target cache entry stored in the cache table storage unit 50 (YES in step S242), the cache is updated. The entry reevaluation unit 43 performs the following processing. That is, the cache entry re-evaluation unit 43 determines that, among the processing target cache entries, information on the nodes in the search tree group having a difference between the matching rule and the shared update counter value may be invalid. I do. Then, the cache entry reevaluation unit 43 refers to the node state list of the processing target cache entry, requests the update counter acquisition unit 14 of the search tree control unit 10 shown in FIG. 2 to determine the flow represented by the processing target cache entry. The latest update counter value (for each search tree) of the node to which the node belongs is acquired (step S243). At this time, the cache entry reevaluation unit 43 sets the search tree group in the search tree group to which the base search tree whose difference has been detected in step S242 belongs as the update counter value (for each search tree).

  Next, the cache entry reevaluation unit 43 determines that the difference between the latest update counter value acquired in step S243 and the update counter value of each search tree for the processing target cache entry stored in the cache table storage unit 50 is It is confirmed whether or not there is (step S244). If there is no difference between the latest update counter value and the update counter value of each search tree for the processing target cache entry stored in the cache table storage unit 50 (NO in step S244), the process proceeds to step S247.

  On the other hand, in step S244, when there is a difference between the latest update counter value and the update counter value of each search tree related to the processing target cache entry stored in the cache table storage unit 50 (YES in step S244). The cache entry reevaluation unit 43 executes the following processing. That is, the cache entry re-evaluation unit 43 determines that the information on the node of the search tree having a difference between the matching rule and the update counter value in the processing target cache entry is invalid. Then, the cache entry reevaluation unit 43 requests the search tree search unit 13 of the search tree control unit 10 shown in FIG. 2 to search again for a rule that matches the key of the cache entry to be processed (step S245). . At this time, the cache entry reevaluation unit 43 passes a list of the identifiers of the search trees determined to have a difference in the update counter value in step S244 to the search tree search unit 13. The search tree search unit 13 that has received the list of identifiers of the search tree may perform a search process by limiting a search target to the search tree. Further, the cache entry reevaluation unit 43 passes the list of node identifiers included in the node state list of the processing target cache entry to the search tree search unit 13. The search tree search unit 13 that has received the list of node identifiers may start the search processing of the search tree not from the root node but from the node identified by the received node identifier.

  Thereafter, the cache entry reevaluation unit 43 updates the processing target cache entry based on the information of the rule searched in step S245 (step S246). Specifically, when a rule that matches the key cannot be searched in step S245, the cache entry reevaluation unit 43 sets the in-use flag of the processing target cache entry to off, and sets the processing target cache entry to off. Delete an entry. At that time, the cache entry reevaluation unit 43 decrements the reference counter of the previous matching rule by one.

  On the other hand, when a rule that matches the key can be searched for, the cache entry reevaluation unit 43 sets the identifier of the searched matching rule as the rule identifier of the processing target cache entry. At that time, the cache entry reevaluation unit 43 decrements the reference counter of the previous matching rule by one and increases the reference counter of the new matching rule by one. Further, the cache entry re-evaluation unit 43 sets the time at the time of processing as the last use time of the cache entry to be processed. Further, when the latest shared update counter value and the latest update counter value have been acquired in steps S241 and S243, the cache entry reevaluation unit 43 determines whether the acquired latest shared update counter value and the latest update counter value have been acquired. The values are respectively stored in the shared update counter cache and the update counter cache of the cache entry to be processed.

  If there is no difference between the latest shared update counter value and the shared update counter value of each base search tree stored in the processing target cache entry in step S242 (NO in step S242), or step S244. In the case where there is no difference between the latest update counter value and the update counter value of each search tree stored in the processing target cache entry (NO in step S244), the cache entry re-evaluation unit 43 Execute the processing of That is, in step S247, the cache entry reevaluation unit 43 evaluates that the processing target cache entry is valid, and sets the last use time of the processing target cache entry to the time at which the processing is executed (step S247). ).

  When ending the present cache entry reevaluation process, the cache entry reevaluation unit 43 checks whether the cache entry to be processed has been updated (if a rule matching the key has been found) or deleted (key Is returned to the requesting source, if any rule that matches is not found).

(Effects of the present embodiment)
As described in detail above, the present embodiment has the following effects.

  According to the present embodiment, search tree initialization section 11 of search tree control section 10 shown in FIG. 2 divides a rule set into sub-rule sets based on the characteristics of the rules, and To build. Further, the search tree initialization unit 11 groups search trees based on the characteristics of each sub-rule set, and determines a base search tree for each search tree group. A search tree node stored in the search tree storage unit 20 illustrated in FIG. 1 has information on an update counter and a shared update counter.

  Further, the rule updating unit 12 of the search tree control unit 10 illustrated in FIG. 2, when updating (adding, changing, deleting) a rule, represents a node (which represents a subspace overlapping with a subspace indicated by a match condition of a processing target rule). Group), the update counter of the node is updated in the search tree for the sub-rule set including the rule to be processed. Further, the search tree control unit 10 updates the shared update counter of the node in the base search tree of the search tree group to which the search tree belongs. The cache entry stored in the cache table storage unit 50 illustrated in FIG. 1 includes information on a node to which the flow represented by the cache entry belongs (for each search tree; information including a cache of a node update counter and a shared update counter). . The information is updated by the cache entry creation unit 41 and the cache entry reevaluation unit 43 each time the cache entry is used.

  Further, when processing a received packet, if a cache entry for the packet (flow) exists, the packet processing unit 60 illustrated in FIG. 1 re-evaluates the cache entry and uses it.

  Also, the cache entry reevaluation unit 43 of the cache table control unit 40 shown in FIG. 3 stores the value of the stored update counter cache (a type of cache of update history information) for the node (group) to which the flow represented by the cache entry belongs. ) Is compared with the value of the latest update counter (a type of latest update history information) of the node. If there is an inconsistency between the two, the cache entry re-evaluation unit 43 determines that a re-search for a matching rule is necessary. At this time, the cache entry reevaluation unit 43 calculates the value of the stored shared update counter cache (a kind of cache of the shared update history information) and the value of the latest shared update counter of the node (belonging to the base search tree). (A type of the latest shared update history information). The cache entry re-evaluation unit 43 treats the value of the update counter cache (a kind of cache of the update history information) as invalid in the search tree group to which the node belongs only when there is inconsistency between the two. In this case, the cache entry reevaluation unit 43 compares the stored value of the update counter cache described above with the value of the latest update counter of the node.

  Therefore, according to the present embodiment, the following effects are expected even when a search tree for searching for an information entry used for packet processing (a type of data processing) includes a plurality of search trees. can do.

  More specifically, a search result (first information entry) based on a search tree and a cache entry (second information entry) that caches the search result when a rule set (a type of a set of information entries) is updated. ) Is assumed (cache entry reevaluation processing). According to the present embodiment, at the time of the synchronization process, the shared update counter (a type of shared update history information) and the update counter (a type of shared update history information) need to be confirmed each time a packet (a type of data to be processed) is received. The number of times of confirmation of (a type of history information) can be reduced from the number of search trees to the number of base search trees. As a result, the number of memory accesses in the processing of a packet (a type of data to be processed) can be reduced. Furthermore, the access destination memory address area is limited (access discreteness is reduced), and the effect of concealing memory access delay is easily obtained by the cache memory. As a result, the performance of packet processing (a type of data processing) can be stabilized and speeded up. As described above, according to the data processing device 1 of the present embodiment, even when a plurality of search trees are used for searching for information entries used for data processing (for example, packet processing), the load required for searching for information entries is increased. Can be reduced.

  In the above description, when there is no rule that matches the received packet (NO in step S209, NO in step S205), the data processing device 1 does not create or delete the cache entry corresponding to the flow of the packet. (Step S207). However, the present invention described using the present embodiment is not limited to this. As another example, for example, in step S207, the data processing device 1 may create or maintain a cache entry storing information indicating that there is no matching rule in addition to the above. Thereby, the data processing device 1 can reduce the number of executions of the search tree search when a packet without a matching rule is received.

  In the above description, an example has been described in which the search tree has a tree structure and the number of parent nodes of nodes other than the root node is one. However, the present invention described using the present embodiment is not limited to this. As another example, a node may have multiple parent nodes. In this case, the search tree is not a pure tree but a graph. The state in which a node has a plurality of parent nodes occurs when there is an overlap in the subspaces represented by the plurality of parent nodes. Such duplication occurs when a child node group of a certain node is created by giving an overlap to part or all of the subspace represented by each child node. Such a method of creating a child node group may be performed as part of search processing optimization. In the search processing, when there is an overlap in the subspaces of the child node group and the search key is included in the overlapping subspace, a plurality of child nodes including the subspace may be searched.

In the above description, at the time of rule update, the data processing device 1 always updates the shared update counter of the base tree. However, the present invention described using the present embodiment is not limited to this. As another example, when updating a rule, the data processing device 1 may perform processing so as not to update the shared update counter of the base tree when a predetermined condition is satisfied. In that case, a shared update counter non-update flag is provided in the information on the node, and the data processing device 1 turns on the flag of the information on the updated node without updating the shared update counter. Further, the flag is added to the node state of the cache entry, and when creating the cache entry, the data processing device 1 stores the value of the flag of the node in the cache entry. When re-evaluating the cache entry in step S204, the cache entry re-evaluation unit 43 refers to the flag. Then, when there is a node whose flag is on, the cache entry reevaluation unit 43 omits steps S241 and S242 for the search tree group to which the node belongs, and performs the processing assuming that YES was obtained in step S242. As described above, the use of the shared update counter has the effect of reducing the number of times the shared update counter and the update counter need to be checked each time a packet is received, but may cause False Positive. That is, even if the cache entry is not affected by the update, if the cache update refers to the shared update counter, the change of the shared update counter is detected, and the acquisition and comparison processing of the update counter of each search tree is performed. Doing so can occur. For a cache entry that is not affected by the update, no difference (inconsistency) exists in the comparison of the update counters, so that the search tree is not re-searched, but a load of update counter acquisition and comparison processing occurs. By not updating the shared update counter of the base tree when the predetermined condition is satisfied, it is possible to suppress the occurrence of such False Positive and the associated load. As the predetermined condition, for example, one or a combination of the following (1) and (2) can be used.
(1) When the subspace of the rule to be updated overlaps with the subspace of many nodes in the base tree (that is, when the number of nodes whose shared update counter is updated by the rule update is large)
(2) When the number of cache entries using a node related to the rule to be updated is small The number of cache entries using a certain node can be confirmed by the following method, for example. That is, a reference counter is added to the information on the node. Then, the reference counter is incremented by one when a cache entry using and referring to the node is created, and decremented by one when the cache entry ends use and reference of the node. As a result, the number of cache entries using a certain node can be confirmed.

  In the above description, the data processing device 1 selects the base tree from the search trees used for searching for rules. However, the present invention described using the present embodiment is not limited to this. As another example, a search tree (search tree for a shared update counter) different from the search tree for search may be added to each search tree group, and the search tree for the shared update counter may be used as a base tree. The search tree for the shared update counter does not contain rules, and its construction may be independent of the initial rule set of the search tree group. For example, the dimension and the number of Cuts at each node in the construction of the search tree for the shared update counter may be given in advance.

<Configuration of hardware and software program (computer program)>
Hereinafter, a hardware configuration capable of realizing the above-described embodiment will be described.

  In the following description, the data processing device 1 described in the above embodiment will be simply referred to as “data processing device”. In addition, each component of the data processing device may be simply described as “a component of the data processing device”.

  The data processing device described in the above embodiment may be configured by one or a plurality of dedicated hardware devices. In this case, each component shown in each of the above-described drawings (FIGS. 1 to 3) is realized using hardware (an integrated circuit or a storage device on which processing logic is mounted) in which some or all of the components are integrated. Is also good.

  When the data processing device is realized by dedicated hardware, the components of the data processing device may be realized by, for example, a circuit configuration that can provide respective functions. Such a circuit configuration includes, for example, an integrated circuit such as a SoC (System on a Chip), a chip set realized using the integrated circuit, and the like. In this case, the data held by the components of the data processing apparatus may be, for example, a RAM (Random Access Memory) area or a flash memory area integrated as a SoC, or a storage device (semiconductor storage device or the like) connected to the SoC. May be stored.

  In this case, a well-known communication network (for example, a communication bus or the like) may be adopted as a communication line for connecting each component of the data processing device. Further, the communication line connecting the components may connect the components in a peer-to-peer manner.

  Further, the above-described data processing device may be configured by general-purpose hardware 2600 as illustrated in FIG. 26 and various software programs (computer programs) executed by the hardware. In this case, the data processing device may be constituted by an arbitrary number of general-purpose hardware devices and software programs. That is, an individual hardware device may be assigned to each component configuring the data processing device, and a plurality of components may be realized using one hardware device.

  The arithmetic device 2601 in FIG. 26 is an arithmetic processing device such as a general-purpose CPU (Central Processing Unit) or a microprocessor. The arithmetic device 2601 may read out various software programs stored in, for example, a nonvolatile storage device 2603 described later into the storage device 2602, and execute processing according to the software program. In this case, the functions of the components of the data processing device in the above embodiment are realized using a software program executed by the arithmetic device 2601.

  The storage device 2602 is a memory device such as a RAM or a ROM, which can be referred to from the arithmetic device 2601, and stores software programs, various data, and the like. Note that the storage device 2602 may be a volatile memory device or a nonvolatile memory device. The storage device 2602 may temporarily store data held by the components of the data processing device.

  Note that the storage device 2602 or the arithmetic device 2601 may be provided with a cache memory 2602a that can be accessed relatively faster than the storage device 2602. The hardware 2600 can configure a computer having a hierarchical memory configuration including a CPU and a cache memory.

  The non-volatile storage device 2603 is a non-volatile storage device such as a magnetic disk drive or a semiconductor storage device using a flash memory. The nonvolatile storage device 2603 can store various software programs, data, and the like.

  The network interface 2606 is an interface device that connects to a communication network, and may employ, for example, a wired or wireless LAN connection interface device. For example, the data processing device may acquire a communication packet via various communication networks via the network interface 2606.

  The drive device 2604 is, for example, a device that processes reading and writing of data from and to a recording medium 2605 described below.

  The recording medium 2605 is any recording medium on which data can be recorded, such as an optical disk, a magneto-optical disk, and a semiconductor flash memory.

  The input / output interface 2607 is a device that controls input / output with an external device.

  The data processing device according to the present invention described in the above-described embodiment or a component thereof is, for example, a software program capable of realizing the functions described in the above-described embodiment with respect to a hardware device illustrated in FIG. May be realized by supplying More specifically, for example, the present invention may be realized when the arithmetic device 2601 executes a software program supplied to the hardware device. In this case, an operating system running on such a hardware device, middleware such as database management software, network software, or a virtual environment base, etc., may execute a part of each process.

  In the above-described embodiment, each unit shown in each of the drawings can be realized as a software module, which is a function (processing) unit of a software program executed by the above-described hardware. However, the division of each software module shown in these drawings is a configuration for convenience of explanation, and various configurations can be assumed at the time of implementation.

  For example, when each component of the data processing device illustrated in FIGS. 1 to 3 is realized as a software module, the software module is stored in the nonvolatile storage device 2603. Then, when the arithmetic device 2601 executes each process, these software modules are read out to the storage device 2602.

  Further, these software modules may be configured to be able to mutually transmit various data by an appropriate method such as a shared memory or inter-process communication. With such a configuration, these software modules are communicably connected to each other.

  Further, the software program may be recorded on the recording medium 2605. In this case, the software program may be configured to be stored in the non-volatile storage device 2603 via the drive device 2604 as needed at the stage of shipping or operating the components of the data processing device.

  In the above case, the method of supplying various software programs to the hardware is such that the software is installed in the apparatus using an appropriate jig at a manufacturing stage before shipment or a maintenance stage after shipment. A method may be adopted. In addition, as a method of supplying various software programs, a general procedure may be adopted at present, such as a method of downloading from the outside via a communication line such as the Internet.

  In such a case, the present invention can be considered to be constituted by a code constituting the software program or a computer-readable recording medium in which the code is recorded. In this case, the recording medium is not limited to a medium independent of the hardware device, but includes a recording medium in which a software program transmitted via a LAN, the Internet, or the like is downloaded and stored or temporarily stored.

  The components of the data processing device described above are configured by a virtual environment in which the hardware devices illustrated in FIG. 26 are virtualized, and various software programs (computer programs) executed in the virtual environment. You may. In this case, the components of the hardware device illustrated in FIG. 26 are provided as virtual devices in the virtualized environment. Also in this case, the present invention can be realized with the same configuration as the case where the hardware device illustrated in FIG. 26 is configured as a physical device.

  The configuration of the preferred embodiment of the present invention has been described above. However, it should be noted that such embodiments are merely examples of the present invention and do not limit the present invention in any way. It will be readily apparent to those skilled in the art that various modifications and changes can be made in accordance with the particular application without departing from the spirit of the invention.

  That is, the present invention can apply various aspects that can be understood by those skilled in the art within the scope of the present invention.

  This application claims priority based on Japanese Patent Application No. 2015-022010 filed on February 6, 2015, the disclosure of which is incorporated herein in its entirety.

Reference Signs List 1 data processing device 10 search tree control unit 11 search tree initialization unit 12 rule update unit 13 search tree search unit 14 update counter acquisition unit 20 search tree storage unit 21 type column 22 item column 23 description column 24 node type column 25 item column 26 description column 30 rule storage unit 31 item column 32 description column 33 example column 40 cache table control unit 41 cache entry creation unit 42 cache entry search unit 43 cache entry reevaluation unit 50 cache table storage unit 51 item column 52 description column 53 item Column 54 Description column 60 Packet processing unit 70 Communication IF unit 80 Data processing device control unit 111 Search tree group column 112 Membership search tree column 113 Use grouping reference column

Claims (10)

A first information entry for determining a method of processing data to be processed is determined by using one or a plurality of search trees from a set of first information entries each including data identification information to be applied. In the case where the data is processed using the searched first information entry, an intermediate node and a leaf node which are nodes constituting each search tree are associated with a search space of the data identification information. A search result of the first information entry by the search tree obtained at the time of the search is stored as a second information entry, and when the data is processed, the second information entry relating to the data is A data processing device that processes the data using the second information entry if the data is stored;
Search tree initialization means for grouping one or more search trees and selecting a base search tree in each search tree group;
For each of the intermediate nodes and the leaf nodes constituting the search tree, update history information indicating the update history of the node and shared update history information indicating the update history of any of the nodes constituting the search tree are: Search tree storage means for storing;
When the content of the first information entry is operated, update history information of the node associated with a search space overlapping with the operation target data identification information that is the data identification information of the first information entry is updated. Updating means for updating the shared update history information of the node associated with the search space overlapping with the operation target data identification information for the base search tree of the search tree group to which the search tree including the node belongs. ,
As the second information entry, a node identifier obtained as a search result of the first information entry by the search tree and indicating a node reached by a search in each search tree, the update history information of the node, and the sharing Information entry storage means for storing a cache with update history information;
When performing data processing using the second information entry, a cache of the shared update history information of the node related to the second information entry stored in the information entry storage unit and the latest shared information of the node The update history information is compared for each of the base search trees, and when there is a mismatch between the two, the information entry for each of the search trees of the search tree group to which the base search tree including the node belongs belongs. The cache of the update history information of each of the nodes related to the second information entry stored in the storage unit is compared with the latest update history information of each of the nodes. The inconsistency is detected in at least the update history information among the information contained in the second information entry stored in the information entry storage means. Is information relating to node data processing apparatus and a revaluation unit determines that invalid. The re-evaluation unit, when determining that the second information entry stored in the information entry storage unit is invalid, updates the second information entry stored in the information entry storage unit. The first information entry is re-searched for the search tree to which the node in which the value of the history information cache is inconsistent with the value of the latest update history information, and the information is obtained using the result of the re-search. The data processing device according to claim 1, wherein the second information entry stored in the entry storage unit is updated. The re-evaluation means may perform a re-search for the first information entry by comparing a value of the cache of the update history information and a value of the latest update history information with respect to the second information entry stored in the information entry storage means. Instead of starting from the node at the root of the search tree to which the node having the inconsistency belongs, starts from the node indicated by the node identifier cache for the second information entry stored in the information entry storage means. The data processing device according to claim 2. The search tree initializing means, when grouping one or more search trees, based on a grouping criterion predetermined using characteristics of the first information entry included in each search tree, The data processing device according to claim 1, wherein the search trees are grouped. The data processing device according to claim 4, wherein the search tree initialization unit uses a granularity of the data identification information included in the first information entry as the grouping criterion. The update history information and the shared update history information each include an update counter for counting the number of updates and a shared update counter, and a state in which there is a difference between the value of the node and the value of the cache is regarded as inconsistent. The data processing device according to claim 1. A first information entry for determining a method of processing data to be processed is determined by using one or a plurality of search trees from a set of first information entries each including data identification information to be applied. In the case where the data is processed using the searched first information entry, an intermediate node and a leaf node which are nodes constituting each search tree are associated with a search space of the data identification information. A search result of the first information entry by the search tree obtained at the time of the search is stored as a second information entry, and when the data is processed, the second information entry relating to the data is If stored, an information entry management method for processing the data using the second information entry,
Grouping one or more search trees, selecting a base search tree in each search tree group,
For each of the intermediate nodes and the leaf nodes constituting the search tree, update history information indicating the update history of the node and shared update history information indicating the update history of any of the nodes constituting the search tree are: Remember,
When the content of the first information entry is operated, update history information of the node associated with a search space overlapping with the operation target data identification information that is the data identification information of the first information entry is updated. And updating the shared update history information of the node associated with the search space overlapping with the operation target data identification information for the base search tree of the search tree group to which the search tree including the node belongs,
As the second information entry, a node identifier obtained as a search result of the first information entry by the search tree and indicating a node reached by a search in each search tree, the update history information of the node, and the sharing Store cache with update history information,
When performing data processing using the second information entry, the cache of the shared update history information of the node related to the second information entry stored by storing the second information entry, and the node Is compared with the latest shared update history information for each of the base search trees. If there is a mismatch between the two, each of the search trees of the search tree group to which the base search tree including the node belongs belongs. Is compared with the cache of the update history information of each of the nodes relating to the stored second information entry and the latest update history information of each of the nodes. An information entry management method for re-evaluating the second information entry by determining that the stored second information entry is invalid. The re-evaluation of the second information entry may include, when it is determined that the stored second information entry is invalid, the value of the cache of the update history information relating to the stored second information entry. And a value of the latest update history information, the search tree to which the node having the inconsistency belongs is searched again for the first information entry, and the stored second search information is used using a result of the search again. 8. The information entry management method according to claim 7, wherein the second information entry is updated. The re-evaluation of the second information entry includes re-searching the first information entry by re-evaluating a cache value of the update history information relating to the stored second information entry and a value of the latest update history information. And starting from the node indicated by the cache of the node identifier related to the stored second information entry, instead of starting from the root node of the search tree to which the node having the inconsistency belongs. Information entry management method described in. A first information entry for determining a method of processing data to be processed is determined by using one or a plurality of search trees from a set of first information entries each including data identification information to be applied. In the case where the data is processed using the searched first information entry, an intermediate node and a leaf node which are nodes constituting each search tree are associated with a search space of the data identification information. A search result of the first information entry by the search tree obtained at the time of the search is stored as a second information entry, and when the data is processed, the second information entry relating to the data is If stored, an information entry management program that processes the data using the second information entry,
A search tree initialization process for grouping one or more search trees and selecting a base search tree in each search tree group;
For each of the intermediate nodes and the leaf nodes constituting the search tree, update history information indicating the update history of the node and shared update history information indicating the update history of any of the nodes constituting the search tree are: A search tree storage process for storing;
When the content of the first information entry is operated, update history information of the node associated with a search space overlapping with the operation target data identification information that is the data identification information of the first information entry is updated. And updating the shared update history information of the node associated with the search space overlapping with the operation target data identification information for the base search tree of the search tree group to which the search tree including the node belongs. ,
As the second information entry, a node identifier obtained as a search result of the first information entry by the search tree and indicating a node reached by a search in each search tree, the update history information of the node, and the sharing A second information entry storage process of storing a cache with the update history information;
When performing the data processing using the second information entry, the cache of the shared update history information of the node related to the second information entry stored by the second information entry storage processing and the latest The shared update history information is compared for each of the base search trees, and when there is a mismatch between the two, for each of the search trees of the search tree group to which the base search tree including the node belongs, The cache of the update history information of each of the nodes related to the second information entry stored in the second information entry storage process is compared with the latest update history information of each of the nodes. If there is, the second information entry stored by the second information entry storage process is re-evaluated to be determined to be invalid. Information entry management program to be executed process and, to the computer.

Images