WO2018023498A1 - Network interface card, computing device and data packet processing method - Google Patents

Network interface card, computing device and data packet processing method

Info

Publication number
WO2018023498A1
Authority
WO
WIPO (PCT)
Prior art keywords
data packet
nic
data
external network
virtual switch
Prior art date
Application number
PCT/CN2016/093095
Other languages
English (en)
French (fr)
Inventor
吴天议
张忠军
甘涛
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Priority to EP19208469.7A (EP3694159A1)
Priority to EP16911095.4A (EP3340547B1)
Priority to PCT/CN2016/093095 (WO2018023498A1)
Priority to CN202010950859.4A (CN112217747A)
Priority to CN201680088008.5A (CN109479028B)
Publication of WO2018023498A1
Priority to US15/927,102 (US10623310B2)
Priority to US16/817,275 (US20200213222A1)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/38 Flow based routing
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0803 Configuration setting
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/64 Routing or path finding of packets in data switching networks using an overlay routing layer
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/74 Address processing for routing
    • H04L45/745 Address table lookup; Address filtering
    • H04L45/7452 Multiple parallel or consecutive lookup operations
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L49/00 Packet switching elements
    • H04L49/70 Virtual switches
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45595 Network integration; Enabling network access in virtual machine instances
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L49/00 Packet switching elements
    • H04L49/30 Peripheral units, e.g. input or output ports
    • H04L49/3009 Header conversion, routing tables or routing tags
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L49/00 Packet switching elements
    • H04L49/90 Buffering arrangements

Definitions

  • the present invention relates to the field of computer technology, and in particular to a network interface card (NIC), a computing device for processing data packets, and the data packet processing methods executed by the NIC and by the computing device respectively.
  • VM virtual machine
  • VS virtual switch
  • SDN software defined networking
  • the hardware resources of each computing device need to support at least the running of multiple VMs, a virtual switch, and a virtual machine monitor.
  • the virtual machine monitor is also called a virtual machine manager or hypervisor.
  • the hardware resources of each computing device are limited. If the virtual switch responsible for data exchange occupies too many hardware resources, it easily affects the operation of the VMs on the computing device and reduces working efficiency.
  • the present application provides a data packet processing method to improve packet processing efficiency.
  • a first aspect of the present application provides a data packet processing method applied to a computing device, where the computing device includes a network interface card (NIC) and a host, the NIC establishes a communication connection with the host, and the NIC establishes a communication connection with an external network.
  • the host runs a virtual machine (VM).
  • the method comprises: the NIC receives the first data packet of a data stream sent by the source VM; the NIC queries the flow table set according to the matching information of the first data packet; if no flow table corresponding to the data flow can be matched, the NIC forwards the first data packet to the virtual switch running on the host.
  • the virtual switch obtains the flow table corresponding to the data flow from the SDN controller, so that the flow table corresponding to the data flow is added to the flow table set.
  • after the virtual switch obtains the flow table corresponding to the data flow by using the first data packet, a monitoring module running on the virtual switch or on the host stores that flow table into the flow table set.
  • after receiving a data packet, the NIC queries the flow table set according to the matching information of the data packet. If no flow table corresponding to the data flow of the packet is obtained, then either the packet is the first data packet of its data flow, or it is not the first packet of the data stream but the flow table corresponding to the data flow has aged out of the flow table set.
  • in this data packet processing method the NIC performs the matching between flow tables and data packets, which improves packet processing efficiency, and sends any data packet that cannot be matched to a flow table to the virtual switch, which obtains the corresponding flow table so that the NIC can process the subsequent data packets of the data stream.
  • the NIC is configured with a NIC external network port, which is used to establish the communication connection with the external network, and the virtual switch on the host is configured with at least one virtual switch port, each virtual switch port corresponding to a VM running on the host. Before the NIC receives the first data packet, the method further includes: the NIC receives configuration information of the virtual switch ports; according to that configuration information, at least one NIC port is configured on the NIC, and each NIC port is connected to a VM running on the host through single root I/O virtualization (SR-IOV).
  • the configuration of the virtual switch ports and NIC ports can be completed before the packet processing method provided by the first aspect runs, and the configuration information of the virtual switch ports can be sent to the NIC by the NIC driver running on the host.
  • the flow table corresponding to the data stream includes routing information for the data packets of the data stream, and after the first data packet is forwarded to the virtual switch the method further includes: the NIC queries the flow table set according to the matching information of the first data packet, obtains the flow table corresponding to the data flow, and forwards the first data packet to the external network according to the routing information of the data packets of the data flow.
  • after the monitoring module running on the virtual switch or the host stores the flow table corresponding to the data flow in the flow table set, the NIC queries the flow table set according to the matching information of the first data packet; at this time the flow table corresponding to the data stream is already stored in the set. After the first data packet is sent to the virtual switch, the NIC may periodically match the first data packet against the flow tables in the flow table set, or, once the flow table corresponding to the data flow has been stored in the set, a notification message is sent to the NIC instructing it to match the first data packet against the flow tables in the set.
  • this implementation does not require the virtual switch to match the first data packet against the flow table, which reduces the workload of the virtual switch.
  • the flow table corresponding to the data stream includes routing information for the data packets of the data stream, and the virtual switch is configured with a virtual switch external network port. After forwarding the first data packet to the virtual switch, the method further includes: the NIC receives the first data packet returned by the virtual switch, where the returned first data packet includes a port identifier corresponding to the external network; the port identifier is a virtual switch external network port identifier or a NIC external network port identifier and is added by the virtual switch according to the routing information in the flow table corresponding to the data flow; the NIC forwards the first data packet to the external network according to the port identifier.
  • this implementation does not require the NIC to match the first data packet, which improves packet processing efficiency.
  • the virtual switch communicates with the NIC through a queue, and the queue corresponds to an external network. After the first data packet is forwarded to the virtual switch, the method further includes: the NIC receives the first data packet from the queue; the NIC forwards the first data packet to the external network according to the queue information of the queue.
  • this implementation does not require the NIC to match the first data packet, and compared with the foregoing third implementation the NIC also does not need to convert the port identifier, which further improves packet processing efficiency.
  • a NIC for performing the data packet processing method provided by the first aspect of the present application.
  • the NIC includes a host interface, a network interface, and a processing chip. The network interface is configured to communicate with the external network and establishes a communication connection with the processing chip; the host interface is configured to communicate with the host and establishes a communication connection with the processing chip; the host runs a VM. The host interface is configured to receive the first data packet of a data stream sent by the source VM; the processing chip is configured to query the flow table set according to the matching information of the first data packet and, if no flow table corresponding to the data flow can be matched, to forward the first data packet to the virtual switch running on the host; after receiving the first data packet, the virtual switch obtains the flow table corresponding to the data flow from the SDN controller, so that the flow table corresponding to the data flow is added to the flow table set.
  • the NIC can perform the matching between flow tables and data packets, which improves packet processing efficiency, and sends any data packet that cannot be matched to a flow table to the virtual switch, so that the corresponding flow table is obtained for the NIC to process the subsequent packets of the data stream.
  • the NIC is configured with a NIC external network port corresponding to the network interface, and the virtual switch running on the host is configured with at least one virtual switch port, each virtual switch port corresponding to a VM running on the host; the processing chip is further configured to receive configuration information of the virtual switch ports and, according to that configuration information, to configure at least one NIC port on the NIC, each NIC port being connected to a VM running on the host through SR-IOV.
  • the processing chip is further configured to query the flow table set according to the matching information of the first data packet, obtain the flow table corresponding to the data stream, where the flow table corresponding to the data flow includes routing information for the data packets of the data flow, and forward the first data packet to the external network according to the routing information of the data packets of the data flow.
  • the virtual switch does not need to match the first data packet, which reduces the workload of the virtual switch.
  • the virtual switch is configured with a virtual switch external network port; the processing chip is further configured to receive the first data packet returned by the virtual switch, where the returned first data packet includes a port identifier corresponding to the external network, the port identifier being a virtual switch external network port identifier or a NIC external network port identifier added by the virtual switch according to the routing information of the data packets in the flow table corresponding to the data stream; and is further configured to forward the first data packet to the external network according to the port identifier.
  • the NIC does not need to match the first data packet against the flow table, which improves packet processing efficiency.
  • the virtual switch communicates with the NIC through a queue, and the queue corresponds to an external network; the processing chip is further configured to receive the first data packet through the queue and to forward the first data packet to the external network according to the queue information of the queue.
  • the NIC does not need to match the first data packet against the flow table, and compared with the foregoing third implementation the NIC does not need to convert the port identifier, which further improves packet processing efficiency.
  • a third aspect of the present application provides a data packet processing method applied to a computing device, where the computing device includes a network interface card (NIC) and a host, the NIC establishes a communication connection with the host, and the NIC establishes a communication connection with the external network.
  • the host runs a virtual machine (VM).
  • the method includes: the NIC receives the second data packet of a data stream sent by the source VM; the NIC queries the flow table set according to the matching information of the second data packet and obtains the flow table corresponding to the data flow, where the flow table corresponding to the data flow includes routing information for the data packets of the data flow; the NIC forwards the second data packet to the external network according to the routing information of the data packets of the data flow.
  • this packet processing method has the NIC perform the matching between flow tables and data packets, which improves packet processing efficiency.
  • the NIC is connected to the VMs running on the host using SR-IOV; the NIC receives the second data packet through its connection with the source VM.
  • the NIC is configured with a NIC external network port, which is used to establish the communication connection with the external network, and the routing information of the data packets of the data flow indicates the NIC external network port.
  • at least one virtual switch port is configured on the virtual switch running on the host, each virtual switch port corresponding to a VM running on the host, and before the NIC receives the second data packet the method further includes: the NIC receives configuration information of the virtual switch ports; according to that configuration information, at least one NIC port is configured on the NIC, each NIC port being connected to a VM running on the host using SR-IOV.
  • the method further includes: the NIC receives the third data packet of the data stream; the NIC queries the flow table set according to the matching information of the third data packet; if no flow table corresponding to the data flow can be matched, the NIC forwards the third data packet to the virtual switch running on the host; after receiving the third data packet, the virtual switch obtains the flow table corresponding to the data flow from the SDN controller, so that the flow table corresponding to the data flow is added to the flow table set.
  • the method further includes: the NIC queries the flow table set according to the matching information of the third data packet, obtains the flow table corresponding to the data flow, and forwards the third data packet to the external network according to the routing information of the data packets of the data flow.
  • the virtual switch is configured with a virtual switch external network port, and after forwarding the third data packet to the virtual switch the method further includes: the NIC receives the third data packet returned by the virtual switch, where the returned third data packet includes a port identifier corresponding to the external network, the port identifier being a virtual switch external network port identifier or a NIC external network port identifier added by the virtual switch according to the routing information of the data packets of the data stream; the NIC forwards the third data packet to the external network according to the port identifier.
  • the virtual switch communicates with the NIC through a queue, and the queue corresponds to an external network; after the third data packet is forwarded to the virtual switch the method further includes: the NIC receives the third data packet from the queue; the NIC forwards the third data packet to the external network according to the queue information of the queue.
  • before the NIC forwards the second data packet to the external network, the method further includes: the NIC adds an overlay header to the second data packet to generate an overlay data packet, where the overlay header is a Virtual Extensible LAN (VXLAN) header, a Network Virtualization using Generic Routing Encapsulation (NVGRE) header, or a Stateless Transport Tunneling (STT) header; the NIC sending the second data packet to the external network then includes the NIC transmitting the overlay data packet to the external network.
  • the NIC also needs to add an overlay header to the third data packet.
  • the NIC encapsulating the second data packet with the overlay header is given as an example.
  • whenever the NIC sends a data packet of the data stream to the external network, it also encapsulates the overlay header.
  • the NIC implements the encapsulation of the overlay header, which reduces the workload of the host.
  • before the NIC queries the flow table set according to the matching information of the second data packet, the method further includes: the NIC performs a security group check on the second data packet, and only after determining that the second data packet passes the security group check does it perform the step of querying the flow table set according to the matching information of the second data packet.
  • the NIC likewise needs to perform the security group check on the third data packet before querying the flow table set according to the matching information of the third data packet.
  • the security group check of the second data packet by the NIC is given as an example; in fact, before the NIC matches any other data packet of the data flow, the security group check is also required.
  • the NIC further implements the security group check on the second data packet, which improves the security of data packet transmission and reception and further reduces the workload of the host.
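The NIC-side path described in the first and third aspects (security group check, flow-table lookup by matching information, a miss handed to the virtual switch which fetches the flow table from the SDN controller and installs it into the shared set, and overlay encapsulation before the packet leaves through the NIC external network port) as a small Python simulation. This is an added example and not code from the patent or from the assignee; the class and field names, the VM, route and security-group sample data, the tick-based aging and the choice of VXLAN as the overlay header are all assumptions made for the illustration.

```python
"""Added example: simulation of the NIC flow-table offload path (not the patent's code)."""
import struct
from dataclasses import dataclass

# "Matching information" of a packet: (src_ip, dst_ip, ip_proto, src_port, dst_port)
FlowKey = tuple


@dataclass
class FlowEntry:
    """Routing information a flow table carries; field names are assumptions."""
    external_port: str  # NIC external network port identifier
    vni: int            # VXLAN network identifier for the overlay header
    remote_vtep: str    # tunnel endpoint reached through the external network


class SdnController:
    """Stand-in SDN controller answering flow-table requests from a constructed map."""
    def __init__(self, routes):
        self.routes = routes

    def get_flow_table(self, key):
        return self.routes.get(key)


class VirtualSwitch:
    """Host-side virtual switch: only sees packets the NIC could not match."""
    def __init__(self, controller, flow_table_set):
        self.controller = controller
        self.flow_table_set = flow_table_set  # shared with the NIC
        self.misses = 0                       # how many packets reached the host

    def handle_first_packet(self, key):
        self.misses += 1
        entry = self.controller.get_flow_table(key)
        if entry is not None:
            # the monitoring module stores the new flow table into the shared set
            self.flow_table_set[key] = entry
        return entry


class Nic:
    """NIC processing chip: security group check, flow-table match, encapsulation."""
    def __init__(self, vswitch, flow_table_set, security_groups, idle_limit=3):
        self.vswitch = vswitch
        self.flow_table_set = flow_table_set
        self.security_groups = security_groups  # src_ip -> {(proto, dst_port)} allowed
        self.idle_limit = idle_limit
        self.last_hit = {}  # key -> tick of last match, used for aging
        self.tick = 0

    def security_group_check(self, key):
        src_ip, _dst_ip, proto, _sport, dport = key
        return (proto, dport) in self.security_groups.get(src_ip, set())

    @staticmethod
    def vxlan_encapsulate(payload, vni):
        # 8-byte VXLAN header: flags 0x08, 3 reserved bytes, 24-bit VNI, 1 reserved byte
        header = bytes([0x08, 0, 0, 0]) + struct.pack("!I", vni << 8)
        return header + payload

    def age_flow_tables(self):
        """One aging tick: evict entries not hit for more than idle_limit ticks."""
        self.tick += 1
        stale = [k for k, t in self.last_hit.items() if self.tick - t > self.idle_limit]
        for k in stale:
            self.flow_table_set.pop(k, None)
            del self.last_hit[k]

    def receive_from_vm(self, key, payload):
        """Process one packet from a VM; returns (outcome, details)."""
        if not self.security_group_check(key):
            return ("dropped", None)          # never reaches the flow-table lookup
        entry = self.flow_table_set.get(key)
        if entry is None:
            # first packet of the flow, or its flow table aged out: hand it to the
            # vswitch, which installs the flow table so the NIC can match it afterwards
            self.vswitch.handle_first_packet(key)
            entry = self.flow_table_set.get(key)
            if entry is None:
                return ("no_route", None)
        self.last_hit[key] = self.tick
        frame = self.vxlan_encapsulate(payload, entry.vni)
        return ("external", (entry.external_port, entry.remote_vtep, frame))


def build_demo():
    """Constructed topology: one VM flow, one controller route, one security group rule."""
    key = ("10.0.0.5", "10.0.1.7", 6, 40000, 443)
    controller = SdnController({key: FlowEntry("nic_ext0", 0x1234, "192.0.2.10")})
    flow_table_set = {}
    vswitch = VirtualSwitch(controller, flow_table_set)
    nic = Nic(vswitch, flow_table_set, {"10.0.0.5": {(6, 443)}})
    return nic, vswitch, key


if __name__ == "__main__":
    nic, vswitch, key = build_demo()
    print(nic.receive_from_vm(key, b"hello")[0], "misses:", vswitch.misses)
    print(nic.receive_from_vm(key, b"again")[0], "misses:", vswitch.misses)
    for _ in range(4):
        nic.age_flow_tables()
    print(nic.receive_from_vm(key, b"later")[0], "misses:", vswitch.misses)
```

The counter on the virtual switch is the quantity the patent's efficiency argument rests on: only the first packet of a flow, or a packet whose flow table has aged out, costs a trip through the host, while every other packet is matched, checked against the security group and encapsulated on the NIC without host involvement.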
  • a fourth aspect of the present application provides a NIC for performing the packet processing method provided by the foregoing third aspect.
  • the NIC includes a host interface, a network interface, and a processing chip. The network interface is configured to communicate with the external network and establishes a communication connection with the processing chip; the host interface is configured to communicate with the host and establishes a communication connection with the processing chip; the host runs a VM. The host interface is configured to receive the second data packet of a data stream sent by the source VM; the processing chip is configured to query the flow table set according to the matching information of the second data packet, obtain the flow table corresponding to the data flow, where the flow table corresponding to the data flow includes routing information for the data packets of the data flow, and forward the second data packet to the external network according to the routing information of the data packets of the data flow.
  • the NIC is connected to the VMs running on the host using SR-IOV; the host interface is configured to receive the second data packet through the connection with the source VM.
  • the NIC is configured with a NIC external network port corresponding to the network interface, and the virtual switch running on the host is configured with at least one virtual switch port, each virtual switch port corresponding to a VM running on the host; the processing chip is further configured to receive configuration information of the virtual switch ports and, according to that configuration information, to configure at least one NIC port on the NIC, each NIC port being connected to a VM running on the host through SR-IOV.
  • the network interface is further configured to receive the third data packet of the data stream; the processing chip is further configured to query the flow table set according to the matching information of the third data packet and, if no flow table corresponding to the data flow can be matched, to forward the third data packet to the virtual switch running on the host; after receiving the third data packet, the virtual switch obtains the flow table corresponding to the data flow from the SDN controller, so that the flow table corresponding to the data flow is added to the flow table set.
  • the processing chip is further configured to query the flow table set according to the matching information of the third data packet, obtain the flow table corresponding to the data flow, and forward the third data packet to the external network according to the routing information of the data packets of the data flow.
  • the processing chip is further configured to receive the third data packet returned by the virtual switch, where the virtual switch is configured with a virtual switch external network port and the returned third data packet includes a port identifier corresponding to the external network, the port identifier being a virtual switch external network port identifier or a NIC external network port identifier added by the virtual switch according to the routing information of the data packets of the data flow; and to forward the third data packet to the external network according to the port identifier.
  • the virtual switch communicates with the NIC through a queue, and the queue corresponds to an external network; the processing chip is further configured to receive the third data packet through the queue and to forward the third data packet to the external network according to the queue information of the queue.
  • the processing chip is further configured to add an overlay header to the second data packet to generate an overlay data packet, where the overlay header is a Virtual Extensible LAN (VXLAN) header, a Network Virtualization using Generic Routing Encapsulation (NVGRE) header, or a Stateless Transport Tunneling (STT) header, and to send the overlay data packet to the external network through the network interface.
  • the processing chip is further configured to perform a security group check on the second data packet before querying the flow table set according to the matching information of the second data packet, and to perform the step of querying the flow table set according to the matching information of the second data packet only after determining that the second data packet passes the security group check.
  • a fifth aspect of the present application provides a computing device including a network interface card (NIC) and a host, where the NIC establishes a communication connection with the host, a virtual machine (VM) and a virtual switch run on the host, and the NIC is configured with a NIC external network port used to establish a communication connection with the external network;
  • the host is configured to send configuration information to the NIC;
  • the NIC is configured to configure at least one NIC port on the NIC according to the configuration information, each NIC port being connected to a VM running on the host using SR-IOV;
  • the NIC is further configured to receive the second data packet of a data stream sent by the source VM, query the flow table set according to the matching information of the second data packet, and obtain the flow table corresponding to the data flow, where the flow table corresponding to the data flow includes routing information for the data packets
  • the NIC is further configured to receive the third data packet of the data stream and query the flow table set according to the matching information of the third data packet, and, when no flow table corresponding to the data stream can be matched, to forward the third data packet to the host; the host is configured to obtain, after receiving the third data packet, the flow table corresponding to the data flow from the SDN controller, so that the flow table corresponding to the data flow is added to the flow table set.
  • the NIC sends the third data packet to the virtual switch running on the host.
  • the host is configured to obtain, after receiving the third data packet, the flow table corresponding to the data flow from the SDN controller, so that the flow table corresponding to the data flow is added to the flow table set.
  • the NIC is further configured to query the flow table set according to the matching information of the third data packet, obtain the flow table corresponding to the data flow, and forward the third data packet to the external network according to the routing information of the data packets of the data stream.
  • after the flow table corresponding to the data flow is added to the flow table set, the NIC queries the flow table set according to the matching information of the third data packet.
  • the virtual switch is configured with a virtual switch external network port; the host is further configured to generate a returned third data packet, where the returned third data packet includes a port identifier corresponding to the external network, the port identifier being a virtual switch external network port identifier or a NIC external network port identifier added by the host according to the routing information of the data packets of the data flow.
  • the NIC is further configured to receive the returned third data packet and forward the third data packet to the external network according to the port identifier.
  • after receiving the third data packet sent by the NIC, the host generates the returned third data packet.
  • the virtual switch communicates with the NIC through a queue, and the queue corresponds to an external network; the host is further configured to send the third data packet to the queue; the NIC is further configured to receive the third data packet from the queue and forward the third data packet to the external network according to the queue information of the queue.
  • the NIC is further configured to add an overlay header to the second data packet to generate an overlay data packet, where the overlay header is a Virtual Extensible LAN (VXLAN) header, a Network Virtualization using Generic Routing Encapsulation (NVGRE) header, or a Stateless Transport Tunneling (STT) header, and to send the overlay data packet to the external network.
  • the NIC is further configured to perform a security group check on the second data packet before querying the flow table set according to the matching information of the second data packet, and to perform the step of querying the flow table set according to the matching information of the second data packet only after determining that the second data packet passes the security group check.
  • a sixth aspect of the present application provides a packet processing method, which is applied to the computing device provided by the aforementioned fifth aspect.
  • the method includes: the host sends configuration information to the NIC; the NIC configures at least one NIC port on the NIC according to the configuration information, each NIC port being connected to a VM running on the host by using SR-IOV technology; the NIC receives a second data packet of a data flow sent by a source VM, queries the flow table set according to the matching information of the second data packet, and acquires the flow table corresponding to the data flow, where the flow table corresponding to the data flow includes the routing information of the data packets of the data flow; and the NIC forwards the second data packet to the external network according to the routing information of the data packets of the data flow.
  • the method further includes: the NIC receives a third data packet of the data flow, queries the flow table set according to the matching information of the third data packet, and, if no flow table corresponding to the data flow can be matched, forwards the third data packet to the host; after receiving the third data packet, the host obtains the flow table corresponding to the data flow from the SDN controller and adds it to the flow table set.
  • the method further includes: the NIC queries the flow table set according to the matching information of the third data packet, obtains the flow table corresponding to the data flow, and forwards the third data packet to the external network according to the routing information of the data packets of the data flow.
  • the virtual switch is configured with a virtual switch external network port; after the NIC forwards the third data packet to the host, the method further includes: the host generates a returned third data packet, where the returned third data packet includes a port identifier corresponding to the external network, the port identifier is a virtual switch external network port identifier or a NIC external network port identifier, and the port identifier is added by the host according to the routing information of the data packets of the data flow; the NIC receives the returned third data packet and forwards the third data packet to the external network according to the port identifier.
  • the virtual switch communicates with the NIC through a queue, where the queue corresponds to the external network; after the NIC forwards the third data packet to the host, the method further includes: the host sends the third data packet to the queue; the NIC receives the third data packet from the queue and forwards the third data packet to the external network according to the queue information of the queue.
  • the NIC forwarding the second data packet to the external network specifically includes: the NIC adds an overlay header to the second data packet to generate an overlay data packet, where the overlay header includes a virtual extensible local area network (VXLAN) header, a network virtualization using generic routing encapsulation (NVGRE) header, or a stateless transport tunneling (STT) header, and sends the overlay data packet to the external network.
  • in a sixth implementation manner of the sixth aspect, before the NIC queries the flow table set according to the matching information of the second data packet, the NIC performs a security group check on the second data packet, and performs the step of querying the flow table set according to the matching information of the second data packet only after determining that the second data packet passes the security group check.
  • a seventh aspect of the present application provides a configuration method, which is applied to a host that establishes a communication connection with a NIC, where the host runs a VM, a virtual switch, and a NIC driver, and the virtual switch running on the host is configured with at least one virtual switch port, each virtual switch port corresponding to a VM running on the host; the method includes: the NIC driver sends configuration information to the NIC, the configuration information indicating that at least one NIC port is to be configured on the NIC, each NIC port being connected to a VM running on the host through SR-IOV technology.
  • the NIC is also configured with an external network port of the NIC, and the external network port of the NIC is used to connect the NIC to the external network.
  • the configuration of the external network port of the NIC may be implemented by using the configuration information, or the configuration of the external network port of the NIC may be implemented before the NIC receives the configuration information.
  • the eighth aspect of the present application provides a data packet processing method, which is applied to a host that executes the configuration method provided by the seventh aspect of the present application, and the host performs the data packet processing method provided by the fifth aspect of the present application.
  • the method includes: a virtual switch running on the host receives a third data packet; the virtual switch acquires the flow table corresponding to the data flow from the SDN controller; the virtual switch, or a monitoring module running on the host, adds the flow table corresponding to the data flow to the flow table set, so that the NIC processes subsequent data packets of the data flow according to the flow table corresponding to the data flow in the flow table set.
  • the method further includes: the virtual switch sends a notification message to the NIC, where the notification message is used to notify the NIC that the flow table corresponding to the data flow has been added to the flow table set, so that the NIC processes the third data packet according to the flow table corresponding to the data flow in the flow table set.
  • the flow table corresponding to the data flow includes the routing information of the data packets of the data flow, and the method further includes: the virtual switch generates a returned third data packet according to the routing information of the data packets of the data flow, where the returned third data packet includes a port identifier corresponding to the external network, and the port identifier is a virtual switch external network port identifier or a NIC external network port identifier, so that the NIC forwards the third data packet to the external network according to the port identifier.
  • the virtual switch communicates with the NIC through a queue, and the queue corresponds to the external network; the method further includes: the virtual switch sends the third data packet to the queue and sends the queue information of the queue to the NIC, so that the NIC forwards the third data packet from the NIC external network port to the external network according to the queue information of the queue.
  • a ninth aspect of the present application provides a host including a processor, a memory, and a bus, wherein the processor and the memory establish a communication connection through the bus, and when the processor is running, perform the configuration method provided in the foregoing seventh aspect.
  • a tenth aspect of the present application provides a host including a processor, a memory, and a bus, wherein the processor and the memory establish a communication connection through the bus, and the processor, when running, performs the data packet processing method provided by the foregoing eighth aspect or any implementation manner of the eighth aspect.
  • a storage medium in which program code is stored, and when the program code is executed by the computing device, the configuration method provided by the seventh aspect is executed.
  • the storage medium includes, but is not limited to, a flash memory, a hard disk (English: hard disk drive, HDD), or a solid state drive (English: solid state drive, abbreviated as SSD).
  • a twelfth aspect of the present application provides a storage medium storing program code, and when the program code is executed by the computing device, the data packet processing method provided by the eighth aspect or any implementation manner of the eighth aspect is executed.
  • the storage medium includes, but is not limited to, a flash memory, an HDD, or an SSD.
  • a computer program product which may be a software installation package, and when the software installation package is executed by the computing device, the configuration method provided by the seventh aspect is performed.
  • a computer program product which may be a software installation package, and when the software installation package is executed by the computing device, the data packet processing method provided by the eighth aspect or any implementation manner of the eighth aspect is performed.
  • FIG. 1 is a schematic diagram of a data center architecture in the prior art
  • FIG. 2a is a schematic diagram of an SDN architecture provided by an embodiment of the present application.
  • FIG. 2b is a schematic structural diagram of a computing device in an SDN in the prior art
  • FIG. 2c is a schematic structural diagram of a computing device provided by an embodiment of the present application.
  • FIG. 3 is a schematic structural diagram of another computing device according to an embodiment of the present disclosure.
  • FIG. 4 is a schematic flowchart of a data packet processing method according to an embodiment of the present application.
  • FIG. 5 is a schematic structural diagram of another computing device according to an embodiment of the present disclosure.
  • FIG. 5b is a schematic structural diagram of another computing device according to an embodiment of the present application.
  • FIG. 5 is a schematic structural diagram of another computing device according to an embodiment of the present disclosure.
  • FIG. 5 is a schematic structural diagram of another computing device according to an embodiment of the present disclosure.
  • FIG. 6 is a schematic structural diagram of an NIC according to an embodiment of the present application.
  • FIG. 6b is a schematic structural diagram of another NIC according to an embodiment of the present application.
  • FIG. 6 is a schematic structural diagram of another NIC according to an embodiment of the present application.
  • "first", "second", etc. are used in this application to distinguish objects, such as a first data packet and a second data packet, but there is no logical or temporal dependency between each "first" and "second".
  • the data packet consists of matching information and payload (English full name: payload).
  • the matching information is used to match the matching domain of the flow table.
  • a flow table (English name: flow table) is used to control a data flow in an SDN, and may also be referred to as an SDN flow table.
  • a flow table conforming to the OpenFlow protocol or a flow table conforming to other protocols may be used.
  • the flow table includes at least a matching domain, used for matching with a data packet, and an execution domain, used to indicate the action that a data packet matching the flow table should perform.
  • the execution domain includes the action identifier for the data packet, such as forwarding, discarding, or sending to the SDN controller.
  • the execution domain also includes routing information of the data packet, such as the destination port identifier of the data packet.
  • a data flow (English name: data flow) denotes a series of data packets that match the same flow table; specifically, the matching information of each data packet in the same data flow matches the matching domain of the flow table corresponding to that data flow.
  • a virtual switch is a switching device implemented by software installed on a computing device and is commonly used in SDN.
  • a common virtual switch is Open vSwitch (abbreviated OVS), an open-source virtual switch project.
  • an overlay type data packet refers to a data packet processed by an overlay encapsulation technology.
  • specific overlay encapsulation technologies include virtual extensible local area network (VXLAN) technology, network virtualization using generic routing encapsulation (NVGRE) technology, and stateless transport tunneling (STT) technology.
  • an overlay type data packet consists of two parts, an overlay header and the original data packet; the original data packet is a data packet sent by a VM, or a data packet sent to a VM through a port of the virtual switch, and the overlay header is superimposed on the original data packet so that the overlay type data packet can be transmitted in the overlay network. Different overlay encapsulation technologies correspond to different overlay headers.
  • the application includes two sets of flow tables, that is, a virtual switch accessible flow table set and a NIC accessible flow table set.
  • the virtual switch can access the flow tables in the virtual switch accessible flow table set; the NIC can access the flow tables in the NIC accessible flow table set.
  • the virtual switch accessible flow table set is generally stored in a storage device of the computing device, while the NIC accessible flow table set may be stored in the storage device of the computing device or in a storage device inside the NIC.
  • the computing device opens a memory space in its storage device for the virtual switch accessible flow table set and the NIC accessible flow table set.
  • in the following, the NIC accessible flow table set stored in the storage device of the computing device is taken as an example; those skilled in the art can directly derive the case in which the NIC accessible flow table set is stored in the NIC.
  • in the examples, an SR-IOV NIC is directly connected to the VM; other technologies that support a direct connection between the NIC and the VM may be used in practice.
  • FIG. 2a is a schematic diagram of an SDN architecture applied in the embodiment of the present application.
  • the centralized SDN controller is schematically used in FIG. 2a.
  • the SDN controller may also be distributed to each computing device in a distributed manner.
  • the hardware layers on each computing device are provided with NICs, processors, and storage devices.
  • the processor may be a central processing unit (English: central processing unit, abbreviated: CPU)
  • the storage device includes a volatile memory (English: volatile memory), such as random access memory (English: random-access memory, abbreviation: RAM), and non-volatile memory (English: non-volatile memory), such as read-only memory (English: read-only memory, abbreviation: ROM), flash memory, HDD or SSD.
  • on each computing device, the host runs a virtual switch and multiple VMs in the software layer, supported by the hardware layer.
  • the host and the NIC in each computing device establish a communication connection, and the host communicates with the external network through the NIC.
  • a data packet sent from the external network to a VM on the host is first received by the NIC and then sent by the NIC to the host; a data packet sent by a VM running on the host to the external network is first sent to the NIC and then sent to the external network through the NIC.
  • the following takes the computing device 1 as an example to show the difference between the packet processing flow in the prior art and the data packet processing flow provided by the present application.
  • in the prior art (FIG. 2b), the virtual switch in the computing device 1 receives the data packet from the VM, matches the data packet against the flow tables in the virtual switch accessible flow table set, and sends the data packet to the NIC connected to the virtual switch according to the indication of the matched flow table.
  • the main processing load of data packet processing is therefore concentrated on the virtual switch, whose operation depends on the resources of the hardware layer on the computing device, and the processing resources occupied by the virtual switch.
  • in the present application (FIG. 2c), the NIC in the computing device 1 matches the data packet against the flow tables in the NIC accessible flow table set and, according to the indication of the matched flow table, sends the data packet to the destination VM or to the external network connected to the NIC.
  • the flow tables in the NIC accessible flow table set can be obtained from the host; if the NIC cannot match the received data packet to any flow table, the NIC sends the data packet to the virtual switch, and the virtual switch requests the flow table corresponding to the data packet from the SDN controller.
  • VMs on the computing device 1 in FIG. 2c are connected to the NIC.
  • only some of the VMs may be connected to the NIC, with the other VMs connected to the virtual switch; the VM configuration is not limited to all VMs being connected to the NIC.
  • the computing device in FIG. 2a and FIG. 2c can be implemented by the computing device 200 shown in FIG. 3, and its organizational structure is shown in FIG. 3.
  • the computing device 200 includes a host and a NIC 206.
  • the NIC 206 establishes a communication connection with the processor 202 and the memory 204 of the host through the host bus 208; the NIC 206, the processor 202, and the memory 204 can also communicate by other means, such as wireless transmission.
  • Computing device 200 communicates with an external network via NIC 206.
  • the host runs at least one VM and a virtual switch, and the program code for implementing the method on the host side in the packet processing method provided in FIG. 4 is saved in the storage device 204 and executed by the processor 202.
  • the NIC 206 performs the NIC-side part of the data packet processing method provided in FIG. 4.
  • the present application further provides a data packet processing method, where the computing device in the foregoing SDN architecture executes the method during operation, and a schematic flowchart thereof is shown in FIG. 4 .
  • Step 402 The host of the computing device receives the first configuration information, where the first configuration information indicates that a virtual switch external network port and at least one virtual switch port are established on the virtual switch, and each virtual switch port corresponds to a VM running on the host.
  • the VS external network port establishes a communication connection with the NIC; the virtual switch sends a message destined for the external network from the virtual switch external network port to the NIC, and the NIC sends the message to the external network.
  • Step 404 The host generates second configuration information, and sends the second configuration information to the NIC of the computing device.
  • an intercepting module running on the host acquires the first configuration information and sends it to the NIC driver running on the host; the NIC driver generates the second configuration information according to the first configuration information and sends it to the NIC.
  • the first configuration information is similar in function to the second configuration information; the NIC driver converts the first configuration information into a form conforming to the specification of the communication between the NIC driver and the NIC.
  • Step 406 The NIC configures at least one NIC port on the NIC according to the second configuration information, and each NIC port is connected to a VM running on the host by using SR-IOV technology.
  • a NIC external network port can also be configured on the NIC; the configuration of the NIC external network port may be completed before or after step 406, or it may be completed in step 406 according to the second configuration information.
  • the NIC port can be a port of a virtual function (English name: virtual function, abbreviated as VF) defined by the SR-IOV technology.
  • the NIC external network port is used to communicate with the external network.
  • steps 402 to 406 are optional steps that constitute the configuration process of the virtual switch and the NIC; they are performed once, before step 408 and the steps following step 408.
  • after configuration, a VM running on the host is connected to the NIC through a NIC port; although a VS port corresponding to the VM is established on the virtual switch, the VM running on the host is not connected to the virtual switch.
  • the following describes the scenario in which the destination of the data packet is the external network, so the data packet received by the virtual switch corresponds to the VS external network port; the destination of a data packet received by the virtual switch may also be a VM running on the computing device.
  • at least one queue through which the virtual switch communicates with the NIC needs to be configured, and the virtual switch returns the data packets it received from the NIC to the NIC through this queue.
  • there are two ways to configure the queue. First, as shown in FIG. 5b, the virtual switch communicates with the NIC through a single queue and sends all packets destined for the NIC to that queue. Second, as shown in FIG. 5c, the virtual switch communicates with the NIC through multiple queues, at least one of which is used to send the messages sent through the VS external network port to the NIC, while the remaining queues are used to send the messages corresponding to the VS ports to the NIC.
  • the configuration process is transparent to the upper-layer management device: the computing device connects the VMs that would otherwise be connected to the virtual switch to the NIC, and the upper-layer management device does not need to modify its configuration information, which improves the compatibility of the configuration process and reduces the difficulty of implementation.
  • Step 408 the NIC receives the first data packet sent by the source VM.
  • the NIC receives the first data packet through the NIC port.
  • Step 410 The NIC performs a security group check on the first data packet, and determines that the security group check of the first data packet passes.
  • if the source VM belongs to a static security group but the first data packet cannot match any rule of the static security group, the first data packet does not pass the security group check and is processed according to a second preset rule, for example, discarded.
  • the above describes a static security group configured as a whitelist. If a static security group is configured as a blacklist, then when the source VM belongs to the static security group but the first data packet cannot match any of its rules, the first data packet passes the static security group check; when the source VM belongs to the static security group and the first data packet matches at least one of its rules, the first data packet does not pass the static security group check.
  • for a dynamic security group, it is first determined whether the source VM belongs to the dynamic security group. If so, the connection tracking table (English name: connection track table) is queried according to the first data packet to confirm which connection the first data packet belongs to, and the state of that connection and the processing action corresponding to the first data packet are determined; if the processing action indicates that the first data packet is to be matched against the flow tables in the NIC accessible flow table set, the first data packet passes the dynamic security group check.
  • the above static security group and dynamic security group can be set at the same time; in that case, a data packet that passes both the static security group check and the dynamic security group check passes the security group check.
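  • The following is an added example, written for this page and not code from the patent application or any NIC, that models the security group check of step 410 described above: a static security group evaluated as a whitelist or a blacklist, a dynamic security group backed by a connection tracking table, and the rule that a packet must pass both kinds when both are set. The rule format, the VM names, the tracking-table layout and the condition for creating a new tracking entry are assumptions made for the example.

```python
"""Security group check of step 410, modelled in Python (added example).
Illustrative code written for this page, not code from the patent application or
from any NIC. The rule format, VM names, connection tracking layout and the rule
for creating a new tracking entry are assumptions made for the example."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ACTION_FLOW_TABLE = "match_nic_flow_table"  # assumed action name: continue to step 412
ACTION_DROP = "drop"


@dataclass(frozen=True)
class Packet:
    """Matching information the NIC extracts from a packet sent by a source VM."""
    src_vm: str
    src_ip: str
    dst_ip: str
    proto: str              # "tcp", "udp" or "icmp"
    dst_port: int = 0
    tcp_syn: bool = False   # True for the TCP segment that opens a connection


@dataclass(frozen=True)
class Rule:
    proto: str                  # "any" matches every protocol
    dst_port: Optional[int]     # None matches every port
    dst_prefix: str             # "0.0.0.0/0" matches every destination

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("any", pkt.proto)
                and (self.dst_port is None or self.dst_port == pkt.dst_port)
                and ipaddress.ip_address(pkt.dst_ip)
                in ipaddress.ip_network(self.dst_prefix, strict=False))


@dataclass
class StaticSecurityGroup:
    members: Set[str]
    rules: List[Rule]
    whitelist: bool = True      # False gives the blacklist semantics described above

    def check(self, pkt: Packet) -> bool:
        if pkt.src_vm not in self.members:
            return True         # the group does not apply to this source VM
        hit = any(r.matches(pkt) for r in self.rules)
        return hit if self.whitelist else not hit   # whitelist: pass on hit; blacklist: pass on miss


@dataclass
class DynamicSecurityGroup:
    members: Set[str]
    # connection tracking table: flow key -> (connection state, processing action)
    conntrack: Dict[Tuple[str, str, str, int], Tuple[str, str]] = field(default_factory=dict)

    def check(self, pkt: Packet) -> bool:
        if pkt.src_vm not in self.members:
            return True
        key = (pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.dst_port)
        entry = self.conntrack.get(key)
        if entry is None:
            # Untracked connection: only an opening packet (assumed: TCP SYN, or the
            # first UDP/ICMP datagram) creates an entry; anything else is rejected.
            if pkt.proto != "tcp" or pkt.tcp_syn:
                self.conntrack[key] = ("new", ACTION_FLOW_TABLE)
                return True
            return False
        state, action = entry
        if state == "new" and pkt.proto == "tcp":
            self.conntrack[key] = ("established", action)
        return action == ACTION_FLOW_TABLE


def security_group_check(pkt: Packet, static_groups: List[StaticSecurityGroup],
                         dynamic_groups: List[DynamicSecurityGroup]) -> bool:
    """True when the packet passes every configured group (static and dynamic groups
    may be set together); a failing packet is left to the caller's second preset rule."""
    return (all(g.check(pkt) for g in static_groups)
            and all(g.check(pkt) for g in dynamic_groups))


# Constructed sample configuration, not taken from the page.
WHITELIST_GROUP = StaticSecurityGroup(members={"vm-a"}, rules=[
    Rule("tcp", 443, "0.0.0.0/0"), Rule("udp", 53, "0.0.0.0/0"), Rule("icmp", None, "10.0.0.0/8")])
BLACKLIST_GROUP = StaticSecurityGroup(
    members={"vm-c"}, rules=[Rule("tcp", 23, "0.0.0.0/0")], whitelist=False)
DYNAMIC_GROUP = DynamicSecurityGroup(members={"vm-a"}, conntrack={
    ("10.0.0.5", "192.0.2.1", "udp", 53): ("established", ACTION_DROP)})


def run_samples() -> Dict[str, bool]:
    """Check constructed packets in order; returns sample name -> passed."""
    samples = {
        "vm-a https syn": Packet("vm-a", "10.0.0.5", "203.0.113.7", "tcp", 443, True),
        "vm-a https data": Packet("vm-a", "10.0.0.5", "203.0.113.7", "tcp", 443),
        "vm-a ssh syn": Packet("vm-a", "10.0.0.5", "203.0.113.7", "tcp", 22, True),
        "vm-a ping inside": Packet("vm-a", "10.0.0.5", "10.0.1.1", "icmp"),
        "vm-a stray ack": Packet("vm-a", "10.0.0.5", "198.51.100.9", "tcp", 443),
        "vm-a dns ok": Packet("vm-a", "10.0.0.5", "192.0.2.2", "udp", 53),
        "vm-a dns blocked": Packet("vm-a", "10.0.0.5", "192.0.2.1", "udp", 53),
        "vm-c telnet": Packet("vm-c", "10.0.0.6", "203.0.113.7", "tcp", 23, True),
        "vm-c http": Packet("vm-c", "10.0.0.6", "203.0.113.7", "tcp", 80, True),
    }
    return {name: security_group_check(p, [WHITELIST_GROUP, BLACKLIST_GROUP], [DYNAMIC_GROUP])
            for name, p in samples.items()}


if __name__ == "__main__":
    print(run_samples())
```

  • In this model a packet from a VM that belongs to no group passes; a production policy would more likely default to discarding it. The order of the checks also matters: the static check runs first, so a packet the static rules reject never creates a connection tracking entry.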
  • Step 412 The NIC queries the NIC accessible flow table set according to the matching information of the first data packet. If the first data packet cannot match any flow table in the NIC accessible flow table set, step 414 and step 416 are performed, followed by step 4181, or steps 4182 to 4184, or steps 4185 to 4186. If the first data packet matches a flow table in the NIC accessible flow table set, step 420 is performed.
  • in the former case, the first data packet is either the first packet of its data flow or a later packet of a data flow whose flow table has already been deleted from the NIC accessible flow table set; in the latter case, the flow table corresponding to the data flow of the first data packet is already stored in the NIC accessible flow table set.
  • Step 414 The NIC forwards the first data packet to the virtual switch by using a host port.
  • the host port can be a port of the physical function (English name: physical function, abbreviation: PF) defined by the SR-IOV technology.
  • Step 416 After receiving the first data packet, the virtual switch acquires a flow table corresponding to the data flow, and the flow table corresponding to the data flow is added to the NIC accessible flow table set.
  • after acquiring the first data packet, the virtual switch sends the first data packet to the SDN controller and receives, into the virtual switch accessible flow table set, the flow table corresponding to the data flow that the SDN controller generates according to the first data packet.
  • the virtual switch accessible flow table set may also store information required to generate the flow table corresponding to the data flow, for example a slow table (English name: slow table); in that case the virtual switch generates the flow table corresponding to the data flow from this information, without sending the first data packet to the SDN controller.
  • the virtual switch stores the flow table corresponding to the data flow into the virtual switch accessible flow table set and the NIC accessible flow table set.
  • the monitoring module running on the host monitors the virtual switch to obtain a flow table corresponding to the data flow, and the monitoring module stores the flow table corresponding to the data flow into the NIC accessible flow table set.
  • since the flow table corresponding to the data flow is generated by the SDN controller, and the SDN controller does not need to know that the VM running on the host is actually connected to the NIC, the routing information of the data packets of the data flow may specifically include a VS external network port identifier; the VS external network port corresponds to the NIC external network port, so the routing information of the data packets of the data flow effectively indicates the NIC external network port.
  • after step 416, there are three optional schemes for sending the first data packet to its destination: step 4181; steps 4182 to 4184; and steps 4185 to 4186. In practice, any one of the three schemes can be performed after step 416.
  • Step 4181 The NIC queries the NIC-accessible flow table set according to the matching information of the first data packet, obtains a flow table corresponding to the data flow, and forwards the first data packet according to the routing information of the data packet of the data flow to The external network.
  • in step 4181 the NIC needs to hold the correspondence between the VS external network port identifier and the NIC external network port identifier: the NIC obtains the VS external network port identifier included in the routing information of the data packets of the data flow, converts it into the NIC external network port identifier, and sends the first data packet from the NIC external network port.
  • optionally, after storing the flow table corresponding to the data flow into the NIC accessible flow table set, the virtual switch or the monitoring module sends a notification message to the NIC to notify it that the flow table corresponding to the data flow has been added, so that the NIC can match the first data packet, according to its matching information, against the flow table corresponding to the data flow in the NIC accessible flow table set. Alternatively, the NIC periodically matches the first data packet against the flow tables of the NIC accessible flow table set according to its matching information until it matches the flow table corresponding to the data flow.
  • optional step 4181 does not require the virtual switch to match the first data packet against the flow table corresponding to the data flow, which reduces the workload of the virtual switch.
  • Step 4182 The virtual switch matches the first data packet with a flow table corresponding to the data flow in the virtual switch accessible flow table set, and obtains routing information of the data packet of the data flow.
  • Step 4183 The virtual switch generates a returned first data packet according to the routing information of the data packet of the data flow, and sends the returned first data packet to the NIC, where the returned first data packet includes Corresponding to the port identifier of the external network, the port identifier is a virtual switch external network port identifier or a NIC external network port identifier.
  • Step 4184 The NIC receives the returned first data packet, and forwards the first data packet to the external network according to the port identifier.
  • the routing information of the data packets of the data flow obtained in step 416 may specifically include a VS external network port identifier. In one implementation, the virtual switch adds this routing information to the returned first data packet and sends it to the NIC through the queue; the NIC needs to hold the correspondence between the VS external network port identifier and the NIC external network port identifier, converts the VS external network port identifier into the NIC external network port identifier, and sends the first data packet to the external network through the NIC external network port. In this implementation the virtual switch carries a lower load, which improves the working efficiency of the host.
  • in another implementation, the virtual switch obtains the routing information of the data packets of the data flow, converts the VS external network port identifier included in it into the NIC external network port identifier, adds the NIC external network port identifier to the returned first data packet, and sends the returned first data packet to the NIC through the queue; here the virtual switch needs to hold the correspondence between the VS external network port identifier and the NIC external network port identifier, and the NIC sends the first data packet to the external network through the NIC external network port without converting the port identifier, so the data packet is processed more efficiently.
  • Step 4185 the virtual switch sends the first data packet to a queue corresponding to the external network.
  • Step 4186 The NIC receives the first data packet from a queue corresponding to the external network, and the NIC forwards the first data packet from the external network port of the NIC to the external network according to the queue information of the queue corresponding to the external network.
  • the virtual switch communicates with the NIC through a plurality of queues, wherein queue 1 is used for communication between the VS external network port and the NIC.
  • the virtual switch matches the first data packet with the flow table corresponding to the data flow in the virtual switch accessible flow table set, and obtains the routing information of the data packet of the data flow, for example, the VS external network port identifier. Then the virtual machine switch sends the first data packet to queue 1.
  • the NIC obtains the first data packet from the queue 1, and the NIC driver running on the host sends queue information to the NIC, where the queue information is used to notify the NIC that the first data packet is from the queue 1. Since queue 1 corresponds to the external network port of the NIC, the NIC sends the first data packet to the external network through the external network port of the NIC. Compared with the foregoing two alternatives, the virtual switch and the NIC do not need to convert the routing information of the data packet into the external network port identifier of the NIC, thereby improving the forwarding efficiency of the data packet.
  • after confirming that the first data packet needs to be sent from the NIC external network port, the NIC further adds a first overlay header to the first data packet to generate a first overlay data packet.
  • the first overlay header includes a virtual scalable local area network VXLAN header, or a network virtualized NVGRE header using a universal route, or a stateless transport tunnel STT header.
  • Step 420 The NIC forwards the first data packet to the external network according to the routing information included in the matching flow table.
  • the NIC matches, according to the matching information of the first data packet, the flow table corresponding to the data flow in which the first data packet is located in the NIC-accessible flow table set, and forwards the first data packet to the external network according to the routing information of the data packets of the data flow included in that flow table.
  • since in step 412 the NIC was able to match the first data packet to a flow table in the NIC-accessible flow table set, the first data packet is not the first data packet of the data flow.
  • in step 420, after obtaining the flow table corresponding to the data flow in which the first data packet is located, the NIC optionally adds, according to the network settings of that data flow, a first overlay header to the first data packet to generate a first overlay data packet; the first overlay header includes a VXLAN header, an NVGRE header, or an STT header, and the NIC then sends the first overlay data packet to the external network.
  • after step 4181, step 4184, step 4186, or step 420, if the NIC continues to receive subsequent data packets of the data flow, for example a second data packet, and the flow table corresponding to the data flow is still stored in the NIC-accessible flow table set, the NIC forwards a second overlay data packet to the external network according to the routing information of the data packets of the data flow, where the second overlay data packet includes the second data packet and a second overlay header corresponding to the second data packet.
  • the flow tables in the NIC-accessible flow table set may be updated over time.
  • step 414, step 416, and then step 4181, or steps 4182 to 4184, or steps 4185 to 4186 are performed on the subsequent data packet.
  • the data packet processing method offloads the matching of data packets against flow tables to the NIC, thereby reducing the workload of the virtual switch, so that the hardware-layer resources of the host can better serve the VMs, improving the working efficiency of the computing device.
  • FIG. 5d is a schematic structural diagram of another computing device provided by the present application; it differs from FIG. 5a, FIG. 5b, and FIG. 5c.
  • VM-1 to VM-n are connected to the NIC, and VM-n+1 to VM-n+m are connected to the virtual switch.
  • VM-n+1 to VM-n+m may have been configured before the configuration process of the virtual switch and the NIC in FIG. 4 is performed, or during the configuration process of the virtual switch and the NIC of FIG.
  • VM-n+1 to VM-n+m are connected to the virtual switch, and VM-1 to VM-n are connected to the NIC.
  • which of VM-1 to VM-n+m are connected to the NIC, with the remaining VMs connected to the virtual switch, can be configured according to the load condition of the host or according to information carried in the configuration information received by the host.
  • the data packets received by the NIC may come from VM-1 to VM-n or from VM-n+1 to VM-n+m. If a data packet comes from VM-1 to VM-n, the packet processing method of FIG. 4 described above is performed on it; if it comes from VM-n+1 to VM-n+m, the matching of the data packet against the flow table has already been completed on the virtual switch, and the NIC processes the data packet according to the matching result. In this case, the flow table corresponding to the data flow of a data packet sent by VM-n+1 to VM-n+m is not stored in the NIC-accessible flow table set.
  • the present application also provides a NIC 600 that can be a NIC provided in any of the preceding figures.
  • the organization structure of the NIC 600 is as shown in FIG. 6a, and includes a host interface 602, a network interface 604, and a processing chip 606.
  • Network interface 604 is used to communicate with an external network and network interface 604 establishes a communication connection with processing chip 606.
  • the host interface 602 is used to communicate with a virtual switch, VM, NIC driver, etc. running on a host to which the NIC 600 is connected, and the host interface 602 establishes a communication connection with the processing chip 606.
  • the NIC port, the NIC external network port, and the host port established on the NIC are virtual ports; the host port and NIC port actually communicate with the host through the host interface 602, and the NIC external network port communicates with the external network through the network interface 604.
  • host interface 602 may actually be the interface of the NIC 600 to the bus connection of the computing device.
  • the host interface 602 is configured to obtain configuration information from a host connected to the NIC.
  • the configuration information is sent to the processing chip 606.
  • the processing chip 606 is configured to connect the NIC 600 to the VM running on the host according to the configuration information, and establish a NIC external network port.
  • the above is the function of each unit in the NIC 600 during the configuration process of the NIC 600.
  • the NIC 600 can also be used for processing the data packet, refer to step 408 in the foregoing packet processing method and the steps subsequent to step 408.
  • the host interface 602 is further configured to receive the first data packet sent by the source VM, and refer to step 408.
  • the host interface 602 sends the received first data packet to the processing chip 606.
  • refer to step 410 and step 412 for the processing of the first data packet.
  • the processing chip 606 is further configured to perform step 412, determine that the first data packet cannot match any flow table in the NIC-accessible flow table set, and perform step 414 and the subsequent steps.
  • the processing chip 606 performs any one of three options, which correspond respectively to the parts executed on the NIC side in the foregoing step 4181, steps 4182 to 4184, and steps 4185 to 4186.
  • Option 1: the processing chip 606 queries the NIC-accessible flow table set according to the matching information of the first data packet and obtains the flow table corresponding to the data flow in which the first data packet is located, that is, obtains the routing information of the data packets of the data flow; the routing information includes the VS external network port identifier, which is converted into the NIC external network port identifier.
  • Option 2 corresponds to the part executed by the NIC side in the foregoing steps 4182 to 4184.
  • the processing chip 606 receives the returned first data packet and obtains the NIC external network port identifier from the port identifier carried in it. If the port identifier is a virtual switch external network port identifier, the processing chip 606 converts it into a NIC external network port identifier; the port identifier may also already be the NIC external network port identifier.
  • Option 3 corresponds to the portion of the foregoing step 4185 to step 4186 where the NIC side performs.
  • the processing chip 606 receives the first data packet from a queue corresponding to the VS external network port. Since the processing chip 606 is pre-configured with the corresponding relationship between the queue and the external network port of the NIC, the processing chip 606 can obtain the NIC external network port identifier.
  • the processing chip 606 performs step 412 and determines that the first data packet can match the flow table in the NIC-accessible flow table set, and obtains routing information of the data packet of the data flow included in the matching flow table.
  • the routing information of the data packet of the data stream may include a VS external network port identifier, and the processing chip 606 converts the VS external network port identifier into a NIC external network port identifier, and sends the first data packet from the NIC external network port.
  • the processing chip 606 may add a first overlay header to the first data packet to generate a first overlay data packet, and then send the first overlay data packet to the external network.
  • the NIC provided above implements the flow table matching function, and data packets that match a flow table in the NIC-accessible flow table set are not sent to the virtual switch for processing, thereby reducing the load on the host and improving the working efficiency of the host connected to the NIC.
  • the processing chip 606 can be implemented by an application-specific integrated circuit (ASIC) or a programmable logic device (abbreviated as PLD).
  • the PLD may be a complex programmable logic device (CPLD), a field programmable gate array (FPGA), generic array logic (GAL), or any combination thereof.
  • the processing chip 606 may include an overlay chip 6062, a flow table matching chip 6064, and a security group check chip 6066.
  • the overlay chip 6062 is used to encapsulate the overlay header.
  • the security group check chip 6066 is configured to determine whether the data packet passes the security group check and send the data packet checked by the security group to the flow table matching chip 6064.
  • the flow table matching chip 6064 is configured to match the data packet with a flow table stored in the NIC-accessible flow table set.
  • the Overlay chip 6062 and the security group check chip 6066 are optional components.
  • the processing chip 606 can also be implemented by a processor, a storage device, and a logic chip, which can be implemented by a PLD or an ASIC.
  • the processor and the logic chip each perform part of the functions, and the functions can be divided between the two in various ways. For example, as shown in FIG. 6c, when the processor in the processing chip 606 is working, it reads the code in the memory to obtain the information required for the security group check and sends that information to the logic chip.
  • the processor is further configured to read the flow tables in the NIC-accessible flow table set and send them to the logic chip, so that the logic chip can match the data packet against the flow tables.
  • the processor is further configured to obtain information required to encapsulate the overlay header and send it to the logic chip for the logic chip to package the overlay header.
  • the logic chip may also be composed of an overlay sub-chip, a flow table matching sub-chip, and a security group check sub-chip.
  • the overlay sub-chip and the security group check sub-chip are optional components.
  • the processor in the processing chip 606 of the NIC 600 shown in FIG. 6c is used to acquire information required for flow table matching or information required for security group inspection or information required to encapsulate the overlay header, and send it to the logic chip.
  • the security group check sub-chip completes the security group check of the data packet according to the information required for the security group check, the flow table matching sub-chip completes the flow table matching of the data packet according to the information required for flow table matching, and the overlay sub-chip encapsulates the overlay header according to the information sent by the processor.
  • the present application also provides a data packet processing method, which is executed by the NIC in any of the foregoing figures.
  • the method refers specifically to the portion of the packet processing method corresponding to FIG. 4 that is executed on the NIC side.
  • the present application also provides a configuration method in which the host in any of the preceding figures executes the method.
  • the method refers specifically to step 402 and step 404 in the packet processing method corresponding to FIG. 4.
  • the present application also provides a data packet processing method, which is executed when the host is running in any of the foregoing figures.
  • the method refers specifically to the method performed by the host side after step 408 in the packet processing method corresponding to FIG. 4 .
  • specifically, the host-side part is: storing the flow table corresponding to the data flow in the NIC-accessible flow table set and then sending a notification message to the NIC, or step 4182 and step 4183, or step 4185.
  • the methods described in connection with the present disclosure can be implemented by a processor executing software instructions.
  • the software instructions can be composed of corresponding software modules, which can be stored in RAM, flash memory, ROM, erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), a hard disk, an optical disc, or any other form of storage medium known in the art.
  • the functions described herein may be implemented in hardware or software.
  • the functions may be stored in a computer readable medium or transmitted as one or more instructions or code on a computer readable medium.
  • a storage medium may be any available media that can be accessed by a general purpose or special purpose computer.
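The three NIC-side options above (re-matching in step 4181, reading the port identifier carried by the returned packet in step 4184, and mapping the receiving queue in step 4186) differ only in how the processing chip arrives at a NIC external network port identifier. The following Python model is an added example and not code from the patent or its assignee; the port identifiers, queue number, addresses and the seeded flow-table entry are constructed, and a packet whose identifier resolves to nothing is dropped rather than sent on a guessed port.

```python
"""Added example (not from the patent): a model of the NIC processing chip's
three options for finding the NIC external network port of a packet the
virtual switch hands back. All names, port identifiers and queue numbers
are constructed for this illustration."""
from dataclasses import dataclass
from typing import Optional

# Constructed identifiers: one VS external network port mapped to one NIC
# external network port, and one queue reserved for VS-external-port traffic.
VS_EXT_PORT = "vs-ext-0"
NIC_EXT_PORT = "nic-ext-0"
EXT_QUEUE_ID = 1


@dataclass(frozen=True)
class FlowKey:
    src_ip: str
    dst_ip: str
    proto: int


@dataclass
class Packet:
    key: FlowKey
    payload: bytes
    # Port identifier the virtual switch adds for option 2 (step 4183);
    # None when the packet comes back without one (options 1 and 3).
    port_id: Optional[str] = None


class ProcessingChip:
    def __init__(self):
        # NIC-accessible flow table set: match key -> routing information.
        # Entries are installed by the host (step 416); demo() seeds one.
        self.flow_table_set = {}
        # Correspondence tables the chip must hold for options 1, 2 and 3.
        self.vs_to_nic_port = {VS_EXT_PORT: NIC_EXT_PORT}
        self.queue_to_nic_port = {EXT_QUEUE_ID: NIC_EXT_PORT}
        self.transmitted = []  # (NIC port, payload) pairs sent to the external network
        self.dropped = 0

    def install_flow(self, key, vs_out_port):
        self.flow_table_set[key] = {"out_port": vs_out_port}

    def resolve_option1(self, pkt):
        """Step 4181: re-match the packet against the NIC-accessible flow
        table set and translate the VS port identifier it yields."""
        entry = self.flow_table_set.get(pkt.key)
        if entry is None:
            return None
        return self.vs_to_nic_port.get(entry["out_port"])

    def resolve_option2(self, pkt):
        """Step 4184: use the port identifier carried in the returned packet.
        It may already be a NIC external port id, or a VS one to convert."""
        if pkt.port_id in self.vs_to_nic_port:
            return self.vs_to_nic_port[pkt.port_id]
        if pkt.port_id in self.vs_to_nic_port.values():
            return pkt.port_id
        return None  # unknown or missing identifier: do not guess a port

    def resolve_option3(self, queue_id):
        """Step 4186: the queue the packet arrived on identifies the port."""
        return self.queue_to_nic_port.get(queue_id)

    def forward(self, pkt, nic_port):
        """Send to the external network, or drop when no port was resolved."""
        if nic_port is None:
            self.dropped += 1
            return False
        self.transmitted.append((nic_port, pkt.payload))
        return True


def demo():
    """Run the three options on one returned packet plus an unresolvable one."""
    chip = ProcessingChip()
    key = FlowKey("10.0.0.2", "203.0.113.9", 6)   # constructed addresses
    chip.install_flow(key, VS_EXT_PORT)
    returned = Packet(key, b"payload-1", port_id=VS_EXT_PORT)
    bogus = Packet(key, b"payload-2", port_id="unknown-port")
    results = [
        chip.forward(returned, chip.resolve_option1(returned)),
        chip.forward(returned, chip.resolve_option2(returned)),
        chip.forward(returned, chip.resolve_option3(EXT_QUEUE_ID)),
        chip.forward(bogus, chip.resolve_option2(bogus)),
    ]
    return chip, results
```

Option 3 needs no per-packet translation at all, which is the efficiency gain the text attributes to it; the price is that the queue-to-port table on the chip must be kept consistent with the host-side queue configuration.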

Abstract

The present application discloses a data packet processing method applied to a computing device in a software defined network (SDN). After the NIC in the computing device receives a data packet of a data flow, it queries a flow table set according to the matching information of the data packet. If a flow table in the flow table set is matched, the data packet is processed according to that flow table; if no flow table in the flow table set can be matched, the NIC sends the data packet to the virtual switch, so that the virtual switch obtains the flow table corresponding to the data flow in which the data packet is located and stores that flow table in the flow table set, enabling the NIC to process subsequent data packets of that data flow directly. The method provided by the present application reduces the workload of the virtual switch and improves the working efficiency of the computing device.

Description

Network interface card, computing device, and data packet processing method
Technical field
The present application relates to the field of computer technology, and in particular to a network interface card (NIC), a computing device for processing data packets, and the data packet processing methods executed by the NIC and by the computing device respectively.
Background
In a cloud computing environment, because services must be provided to a large number of users, the number of computing devices in a data center providing cloud services is usually large, and each computing device runs multiple virtual machines (VMs), such as VM-1 to VM-n in FIG. 1. A VM communicates with VMs running on other computing devices, or with VMs on the same computing device, through a virtual switch (VS), and a software defined networking (SDN) controller centrally controls the virtual switches on the individual computing devices. A common virtual switch today is Open vSwitch, and the SDN controller usually controls each virtual switch through flow tables defined by the OpenFlow protocol.
The hardware resources of each computing device must at least support running multiple VMs, a virtual switch, and a virtual machine monitor (also called a virtual machine manager or hypervisor). The hardware resources of each computing device are limited; if the virtual switch that carries the data-exchange task occupies too many hardware resources, the running of the VMs on the computing device is easily affected and working efficiency drops.
Summary
The present application provides a data packet processing method to improve data packet processing efficiency.
A first aspect of the present application provides a data packet processing method applied to a computing device. The computing device includes a network interface card NIC and a host; the NIC establishes a communication connection with the host and with an external network, and the host runs virtual machines VMs. The method includes: the NIC receives a first data packet of a data flow sent by a source VM; the NIC queries a flow table set according to the matching information of the first data packet; when no flow table corresponding to the data flow can be matched, the NIC forwards the first data packet to a virtual switch running on the host; after receiving the first data packet, the virtual switch obtains the flow table corresponding to the data flow from an SDN controller, so that the flow table corresponding to the data flow is added to the flow table set.
After the virtual switch obtains the flow table corresponding to the data flow by means of the first data packet, the virtual switch, or a monitoring module running on the host, stores the flow table corresponding to the data flow in the flow table set.
In actual operation, after the NIC receives a data packet, it queries the flow table set according to the matching information of the data packet. If the flow table corresponding to the data flow in which the data packet is located cannot be obtained, this indicates that the data packet is the first data packet of its data flow, or that the data packet is not the first data packet of its data flow but the flow table corresponding to the data flow in the flow table set has already aged out.
In this data packet processing method, the NIC performs the matching of flow tables and data packets, which improves data packet processing efficiency, and data packets that cannot be matched to a flow table are sent to the virtual switch in order to obtain the corresponding flow table for the NIC's processing of subsequent data packets of the data flow.
With reference to the first aspect, in a first implementation of the first aspect, a NIC external network port is configured on the NIC and is used to establish a communication connection with the external network; at least one virtual switch port is configured on the virtual switch running on the host, each corresponding to one VM running on the host. Before the NIC receives the first data packet, the method further includes: the NIC receives configuration information of the virtual switch ports; according to that configuration information, the NIC configures at least one NIC port on the NIC, each NIC port being connected to one VM running on the host through single-root input/output virtualization SR-I/OV technology.
The configuration of the virtual switch ports and NIC ports may be completed before the data packet processing method of the first aspect, and the configuration information of the virtual switch ports may be sent to the NIC by a NIC driver running on the host.
With reference to the first implementation of the first aspect, in a second implementation of the first aspect, the flow table corresponding to the data flow includes routing information of the data packets of the data flow, and after forwarding the first data packet to the virtual switch, the method further includes: the NIC queries the flow table set according to the matching information of the first data packet, obtains the flow table corresponding to the data flow, and forwards the first data packet to the external network according to the routing information of the data packets of the data flow.
After the virtual switch or the monitoring module running on the host stores the flow table corresponding to the data flow in the flow table set, the NIC queries the flow table set according to the matching information of the first data packet; at this point the flow table set already holds the flow table corresponding to the data flow. After sending the first data packet to the virtual switch, the NIC may periodically match the first data packet against the flow tables in the flow table set, or, after the flow table corresponding to the data flow is stored in the flow table set, a notification message is sent to the NIC instructing it to match the first data packet against the flow tables in the flow table set.
This implementation does not require the virtual switch to match the first data packet against flow tables, reducing the workload of the virtual switch.
With reference to the first implementation of the first aspect, in a third implementation of the first aspect, the flow table corresponding to the data flow includes routing information of the data packets of the data flow, a virtual switch external network port is configured on the virtual switch, and after forwarding the first data packet to the virtual switch, the method further includes: the NIC receives the first data packet returned by the virtual switch, the returned first data packet containing a port identifier corresponding to the external network, the port identifier being a virtual switch external network port identifier or a NIC external network port identifier, added by the virtual switch according to the routing information of the data packets in the flow table corresponding to the data flow; the NIC forwards the first data packet to the external network according to the port identifier.
This implementation does not require the NIC to match the first data packet, improving data packet processing efficiency.
With reference to the first implementation of the first aspect, in a fourth implementation of the first aspect, the virtual switch and the NIC communicate through a queue corresponding to the external network; after forwarding the first data packet to the virtual switch, the method further includes: the NIC receives the first data packet from the queue; the NIC forwards the first data packet to the external network according to the queue information of the queue.
This implementation does not require the NIC to match the first data packet, and compared with the third implementation above it also does not require the NIC to convert a port identifier, further improving data packet processing efficiency.
A second aspect of the present application provides a NIC for executing the data packet processing method of the first aspect. The NIC includes a host interface, a network interface, and a processing chip; the network interface is used to communicate with the external network and establishes a communication connection with the processing chip; the host interface is used to communicate with the host and establishes a communication connection with the processing chip; the host runs VMs. The host interface is used to receive a first data packet of a data flow sent by a source VM; the processing chip is used to query a flow table set according to the matching information of the first data packet and, when no flow table corresponding to the data flow can be matched, to forward the first data packet to a virtual switch running on the host; after receiving the first data packet, the virtual switch obtains the flow table corresponding to the data flow from an SDN controller, so that the flow table corresponding to the data flow is added to the flow table set.
The NIC is able to perform the matching of flow tables and data packets, improving data packet processing efficiency, and the NIC sends data packets that cannot be matched to a flow table to the virtual switch so as to obtain the corresponding flow table for the NIC's processing of subsequent data packets of the data flow.
With reference to the second aspect, in a first implementation of the second aspect, a NIC external network port is configured on the NIC and corresponds to the network interface; at least one virtual switch port is configured on the virtual switch running on the host, each corresponding to one VM running on the host; the processing chip is further used to receive configuration information of the virtual switch ports and, according to it, configure at least one NIC port on the NIC, each NIC port connected to one VM running on the host through SR-I/OV technology.
With reference to the first implementation of the second aspect, in a second implementation of the second aspect, the processing chip is further used to query the flow table set according to the matching information of the first data packet, obtain the flow table corresponding to the data flow, which includes routing information of the data packets of the data flow, and forward the first data packet to the external network according to that routing information.
In this implementation, the virtual switch does not need to match the first data packet, reducing the workload of the virtual switch.
With reference to the first implementation of the second aspect, in a third implementation of the second aspect, a virtual switch external network port is configured on the virtual switch; the processing chip is further used to receive the first data packet returned by the virtual switch, the returned first data packet containing a port identifier corresponding to the external network, which is a virtual switch external network port identifier or a NIC external network port identifier added by the virtual switch according to the routing information of the data packets in the flow table corresponding to the data flow, and is further used to forward the first data packet to the external network according to the port identifier.
In this implementation, the NIC does not need to match the first data packet against flow tables, improving data packet processing efficiency.
With reference to the first implementation of the second aspect, in a fourth implementation of the second aspect, the virtual switch and the NIC communicate through a queue corresponding to the external network; the processing chip is further used to receive the first data packet from the queue and forward it to the external network according to the queue information of the queue.
In this implementation, the NIC does not need to match the first data packet against flow tables, and compared with the third implementation above it also does not need to convert a port identifier, further improving data packet processing efficiency.
A third aspect of the present application provides a data packet processing method applied to a computing device that includes a network interface card NIC and a host; the NIC establishes a communication connection with the host and with an external network, and the host runs virtual machines VMs. The method includes: the NIC receives a second data packet of a data flow sent by a source VM; the NIC queries a flow table set according to the matching information of the second data packet and obtains the flow table corresponding to the data flow, which includes routing information of the data packets of the data flow; the NIC forwards the second data packet to the external network according to that routing information.
In this data packet processing method, the NIC performs the matching of flow tables and data packets, improving data packet processing efficiency.
With reference to the third aspect, in a first implementation of the third aspect, the NIC is connected to the VMs running on the host through SR-I/OV technology, and the NIC receives the second data packet through its connection with the source VM.
With reference to the first implementation of the third aspect, in a second implementation of the third aspect, a NIC external network port is configured on the NIC and is used to establish a communication connection with the external network, the routing information of the data packets of the data flow indicates the NIC external network port, and at least one virtual switch port is configured on the virtual switch running on the host, each corresponding to one VM running on the host. Before the NIC receives the second data packet, the method further includes: the NIC receives configuration information of the virtual switch ports and, according to it, configures at least one NIC port on the NIC, each NIC port connected to one VM running on the host through SR-I/OV technology.
With reference to the second implementation of the third aspect, in a third implementation of the third aspect, before the NIC receives the second data packet of the data flow sent by the source VM, the method further includes: the NIC receives a third data packet of the data flow; the NIC queries the flow table set according to the matching information of the third data packet; when no flow table corresponding to the data flow can be matched, the NIC forwards the third data packet to the virtual switch running on the host; after receiving the third data packet, the virtual switch obtains the flow table corresponding to the data flow from an SDN controller, so that the flow table corresponding to the data flow is added to the flow table set.
With reference to the third implementation of the third aspect, in a fourth implementation of the third aspect, after forwarding the third data packet to the virtual switch, the method further includes: the NIC queries the flow table set according to the matching information of the third data packet, obtains the flow table corresponding to the data flow, and forwards the third data packet to the external network according to the routing information of the data packets of the data flow.
With reference to the third implementation of the third aspect, in a fifth implementation of the third aspect, a virtual switch external network port is configured on the virtual switch, and after forwarding the third data packet to the virtual switch, the method further includes: the NIC receives the third data packet returned by the virtual switch, the returned third data packet containing a port identifier corresponding to the external network, which is a virtual switch external network port identifier or a NIC external network port identifier added by the virtual switch according to the routing information of the data packets of the data flow; the NIC forwards the third data packet to the external network according to the port identifier.
With reference to the third implementation of the third aspect, in a sixth implementation of the third aspect, the virtual switch and the NIC communicate through a queue corresponding to the external network; after forwarding the third data packet to the virtual switch, the method further includes: the NIC receives the third data packet from the queue; the NIC forwards the third data packet to the external network according to the queue information of the queue.
With reference to the third aspect or any of the foregoing implementations of the third aspect, in a seventh implementation of the third aspect, before the NIC forwards the second data packet to the external network, the method further includes: the NIC adds an overlay header to the second data packet to generate an overlay data packet, the overlay header including a virtual extensible local area network VXLAN header, a network virtualization using generic routing encapsulation NVGRE header, or a stateless transport tunneling STT header; and the NIC sending the second data packet to the external network includes the NIC sending the overlay data packet to the external network.
It should be noted that if all the data packets of the data flow use overlay technology, the NIC also needs to add an overlay header to the third data packet. This implementation takes the NIC encapsulating an overlay header for the second data packet as an example; in fact, before the NIC sends any data packet of the data flow to the external network, it encapsulates an overlay header for it.
In this implementation, the NIC performs the overlay header encapsulation, reducing the workload of the host.
With reference to the third aspect or any of the foregoing implementations of the third aspect, in an eighth implementation of the third aspect, before the NIC queries the flow table set according to the matching information of the second data packet, the method further includes: the NIC performs a security group check on the second data packet and, after determining that the second data packet passes the security group check, performs the step of querying the flow table set according to the matching information of the second data packet.
It should be noted that if security groups are set for all the data packets of the data flow, the NIC also needs to determine that the third data packet passes the security group check before querying the flow table set according to the matching information of the third data packet. This implementation takes the NIC's security group check of the second data packet as an example; in fact, the NIC also needs to perform a security group check on the other data packets of the data flow before matching them.
In this implementation, the NIC also performs the security group check on the second data packet, which improves the security of data packet transmission and reception while further reducing the workload of the host.
A fourth aspect of the present application provides a NIC for executing the data packet processing method of the third aspect. The NIC includes a host interface, a network interface, and a processing chip; the network interface is used to communicate with the external network and establishes a communication connection with the processing chip; the host interface is used to communicate with the host and establishes a communication connection with the processing chip; the host runs VMs. The host interface is used to receive a second data packet of a data flow sent by a source VM; the processing chip is used to query a flow table set according to the matching information of the second data packet, obtain the flow table corresponding to the data flow, which includes routing information of the data packets of the data flow, and forward the second data packet to the external network according to that routing information.
With reference to the fourth aspect, in a first implementation of the fourth aspect, the NIC is connected to the VMs running on the host through SR-I/OV technology, and the host interface is used to receive the second data packet through the connection with the source VM.
With reference to the first implementation of the fourth aspect, in a second implementation of the fourth aspect, a NIC external network port is configured on the NIC and corresponds to the network interface; at least one virtual switch port is configured on the virtual switch running on the host, each corresponding to one VM running on the host; the processing chip is further used to receive configuration information of the virtual switch ports and, according to it, configure at least one NIC port on the NIC, each NIC port connected to one VM running on the host through SR-I/OV technology.
With reference to the second implementation of the fourth aspect, in a third implementation of the fourth aspect, the network interface is further used to receive a third data packet of the data flow; the processing chip is further used to query the flow table set according to the matching information of the third data packet and, when no flow table corresponding to the data flow can be matched, to forward the third data packet to the virtual switch running on the host; after receiving the third data packet, the virtual switch obtains the flow table corresponding to the data flow from an SDN controller, so that the flow table corresponding to the data flow is added to the flow table set.
With reference to the third implementation of the fourth aspect, in a fourth implementation of the fourth aspect, the processing chip is further used to query the flow table set according to the matching information of the third data packet, obtain the flow table corresponding to the data flow, and forward the third data packet to the external network according to the routing information of the data packets of the data flow.
With reference to the third implementation of the fourth aspect, in a fifth implementation of the fourth aspect, the processing chip is further used to receive the third data packet returned by the virtual switch, where a virtual switch external network port is configured on the virtual switch and the returned third data packet contains a port identifier corresponding to the external network, which is a virtual switch external network port identifier or a NIC external network port identifier added by the virtual switch according to the routing information of the data packets of the data flow, and to forward the third data packet to the external network according to the port identifier.
With reference to the third implementation of the fourth aspect, in a sixth implementation of the fourth aspect, the virtual switch and the NIC communicate through a queue corresponding to the external network; the processing chip is further used to receive the third data packet from the queue and to forward it to the external network according to the queue information of the queue.
With reference to the fourth aspect or any of the foregoing implementations of the fourth aspect, in a seventh implementation of the fourth aspect, the processing chip is further used to add an overlay header to the second data packet to generate an overlay data packet, the overlay header including a virtual extensible local area network VXLAN header, a network virtualization using generic routing encapsulation NVGRE header, or a stateless transport tunneling STT header, and to send the overlay data packet to the external network through the network interface.
With reference to the fourth aspect or any of the foregoing implementations of the fourth aspect, in an eighth implementation of the fourth aspect, before querying the flow table set according to the matching information of the second data packet, the processing chip is further used to perform a security group check on the second data packet and, after determining that the second data packet passes the security group check, to perform the step of querying the flow table set according to the matching information of the second data packet.
A fifth aspect of the present application provides a computing device that includes a network interface card NIC and a host; the NIC establishes a communication connection with the host; the host runs virtual machines VMs and a virtual switch; a NIC external network port is configured on the NIC and is used to establish a communication connection with an external network. The host is used to send configuration information to the NIC; the NIC is used to configure, according to the configuration information, at least one NIC port on the NIC, each NIC port connected to one VM running on the host through SR-I/OV technology; the NIC is further used to receive a second data packet of a data flow sent by a source VM, query a flow table set according to the matching information of the second data packet, and obtain the flow table corresponding to the data flow, which includes routing information of the data packets of the data flow; and is further used to forward the second data packet to the external network according to that routing information.
With reference to the fifth aspect, in a first implementation of the fifth aspect, the NIC is further used to receive a third data packet of the data flow, query the flow table set according to the matching information of the third data packet, and, when no flow table corresponding to the data flow can be matched, forward the third data packet to the host; the host is used to obtain, after receiving the third data packet, the flow table corresponding to the data flow from an SDN controller, so that the flow table corresponding to the data flow is added to the flow table set.
Specifically, the NIC sends the third data packet to the virtual switch running on the host.
The host is used to obtain, after receiving the third data packet, the flow table corresponding to the data flow from the SDN controller, so that the flow table corresponding to the data flow is added to the flow table set.
With reference to the first implementation of the fifth aspect, in a second implementation of the fifth aspect, the NIC is further used to query the flow table set according to the matching information of the third data packet, obtain the flow table corresponding to the data flow, and forward the third data packet to the external network according to the routing information of the data packets of the data flow.
The NIC queries the flow table set according to the matching information of the third data packet after the flow table corresponding to the data flow has been added to the flow table set.
With reference to the first implementation of the fifth aspect, in a third implementation of the fifth aspect, a virtual switch external network port is configured on the virtual switch; the host is further used to generate a returned third data packet containing a port identifier corresponding to the external network, which is a virtual switch external network port identifier or a NIC external network port identifier added by the host according to the routing information of the data packets of the data flow; the NIC is further used to receive the returned third data packet and forward the third data packet to the external network according to the port identifier.
The host generates the returned third data packet after receiving the third data packet sent by the NIC.
With reference to the first implementation of the fifth aspect, in a fourth implementation of the fifth aspect, the virtual switch and the NIC communicate through a queue corresponding to the external network; the host is further used to send the third data packet to the queue; the NIC is further used to receive the third data packet from the queue and forward it to the external network according to the queue information of the queue.
With reference to the fifth aspect or any of the foregoing implementations of the fifth aspect, in a fifth implementation of the fifth aspect, the NIC is further used to add an overlay header to the second data packet to generate an overlay data packet, the overlay header including a virtual extensible local area network VXLAN header, a network virtualization using generic routing encapsulation NVGRE header, or a stateless transport tunneling STT header, and is further used to send the overlay data packet to the external network.
With reference to the fifth aspect or any of the foregoing implementations of the fifth aspect, in a sixth implementation of the fifth aspect, before querying the flow table set according to the matching information of the second data packet, the NIC is further used to perform a security group check on the second data packet and, after determining that the second data packet passes the security group check, to perform the step of querying the flow table set according to the matching information of the second data packet.
A sixth aspect of the present application provides a data packet processing method applied to the computing device of the fifth aspect. The method includes: the host sends configuration information to the NIC; the NIC configures, according to the configuration information, at least one NIC port on the NIC, each NIC port connected to one VM running on the host through SR-I/OV technology; the NIC receives a second data packet of a data flow sent by a source VM, queries a flow table set according to the matching information of the second data packet, and obtains the flow table corresponding to the data flow, which includes routing information of the data packets of the data flow; the NIC forwards the second data packet to the external network according to that routing information.
With reference to the sixth aspect, in a first implementation of the sixth aspect, the method further includes: the NIC receives a third data packet of the data flow, queries the flow table set according to the matching information of the third data packet, and, when no flow table corresponding to the data flow can be matched, forwards the third data packet to the host; after receiving the third data packet, the host obtains the flow table corresponding to the data flow from an SDN controller, so that the flow table corresponding to the data flow is added to the flow table set.
With reference to the first implementation of the sixth aspect, in a second implementation of the sixth aspect, after the NIC forwards the third data packet to the host, the method further includes: the NIC queries the flow table set according to the matching information of the third data packet, obtains the flow table corresponding to the data flow, and forwards the third data packet to the external network according to the routing information of the data packets of the data flow.
With reference to the first implementation of the sixth aspect, in a third implementation of the sixth aspect, a virtual switch external network port is configured on the virtual switch; after the NIC forwards the third data packet to the host, the method further includes: the host generates a returned third data packet containing a port identifier corresponding to the external network, which is a virtual switch external network port identifier or a NIC external network port identifier added by the host according to the routing information of the data packets of the data flow; the NIC receives the returned third data packet and forwards the third data packet to the external network according to the port identifier.
With reference to the first implementation of the sixth aspect, in a fourth implementation of the sixth aspect, the virtual switch and the NIC communicate through a queue corresponding to the external network; after the NIC forwards the third data packet to the host, the method further includes: the host sends the third data packet to the queue; the NIC receives the third data packet from the queue and forwards it to the external network according to the queue information of the queue.
With reference to the sixth aspect or any of the foregoing implementations of the sixth aspect, in a fifth implementation of the sixth aspect, the NIC forwarding the second data packet to the external network specifically includes: the NIC adds an overlay header to the second data packet to generate an overlay data packet, the overlay header including a virtual extensible local area network VXLAN header, a network virtualization using generic routing encapsulation NVGRE header, or a stateless transport tunneling STT header, and sends the overlay data packet to the external network.
With reference to the sixth aspect or any of the foregoing implementations of the sixth aspect, in a sixth implementation of the sixth aspect, before querying the flow table set according to the matching information of the second data packet, the NIC further performs a security group check on the second data packet and, after determining that the second data packet passes the security group check, performs the step of querying the flow table set according to the matching information of the second data packet.
A seventh aspect of the present application provides a configuration method applied to a host; the host establishes a communication connection with a NIC and runs VMs, a virtual switch, and a NIC driver, and at least one virtual switch port is configured on the virtual switch running on the host, each corresponding to one VM running on the host. The method includes: the NIC driver sends configuration information to the NIC, the configuration information instructing that at least one NIC port be configured on the NIC, each NIC port connected to one VM running on the host through SR-I/OV technology.
A NIC external network port is also configured on the NIC and is used for the NIC's connection to the external network. Optionally, the configuration of the NIC external network port may be achieved through the configuration information, or it may be completed before the NIC receives the configuration information.
An eighth aspect of the present application provides a data packet processing method applied to a host that has executed the configuration method of the seventh aspect; when running, the host executes the host-side part of the data packet processing method of the fifth aspect. The method includes: the virtual switch running on the host receives a third data packet; the virtual switch obtains the flow table corresponding to the data flow from an SDN controller; the virtual switch, or a monitoring module running on the host, adds the flow table corresponding to the data flow to a flow table set, so that the NIC processes subsequent data packets of the data flow according to the flow table corresponding to the data flow in the flow table set.
With reference to the eighth aspect, in a first implementation of the eighth aspect, after the flow table corresponding to the data flow is added to the flow table set, the method further includes: the virtual switch sends a notification message to the NIC, the notification message informing the NIC that the flow table corresponding to the data flow has been added to the flow table set, so that the NIC processes the third data packet according to the flow table corresponding to the data flow in the flow table set.
With reference to the eighth aspect, in a second implementation of the eighth aspect, the flow table corresponding to the data flow includes routing information of the data packets of the data flow, and the method further includes: the virtual switch generates a returned third data packet according to the routing information of the data packets of the data flow, the returned third data packet containing a port identifier corresponding to the external network, which is a virtual switch external network port identifier or a NIC external network port identifier, so that the NIC forwards the third data packet to the external network according to the port identifier.
With reference to the eighth aspect, in a third implementation of the eighth aspect, the virtual switch and the NIC communicate through a queue corresponding to the external network; the method further includes: the virtual switch sends the third data packet to the queue; the NIC driver sends the queue information of the queue to the NIC, so that the NIC forwards the third data packet from the NIC external network port to the external network according to the queue information of the queue.
A ninth aspect of the present application provides a host that includes a processor, a memory, and a bus; the processor and the memory establish a communication connection through the bus, and when running, the processor executes the configuration method of the seventh aspect.
A tenth aspect of the present application provides a host that includes a processor, a memory, and a bus; the processor and the memory establish a communication connection through the bus, and when running, the processor executes the data packet processing method of the eighth aspect or any of its implementations.
An eleventh aspect of the present application provides a storage medium storing program code that, when run by a computing device, executes the configuration method of the seventh aspect. The storage medium includes, but is not limited to, flash memory, a hard disk drive (HDD), or a solid state drive (SSD).
A twelfth aspect of the present application provides a storage medium storing program code that, when run by a computing device, executes the data packet processing method of the eighth aspect or any of its implementations. The storage medium includes, but is not limited to, flash memory, an HDD, or an SSD.
A thirteenth aspect of the present application provides a computer program product, which may be a software installation package that, when run by a computing device, executes the configuration method of the seventh aspect.
A fourteenth aspect of the present application provides a computer program product, which may be a software installation package that, when run by a computing device, executes the data packet processing method of the eighth aspect or any of its implementations.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present application more clearly, the drawings required for the embodiments are briefly introduced below. Obviously, the drawings described below show some embodiments of the present application, and a person of ordinary skill in the art may derive other drawings from them without creative effort.
FIG. 1 is a schematic diagram of a data center architecture in the prior art;
FIG. 2a is a schematic diagram of an SDN architecture provided by an embodiment of the present application;
FIG. 2b is a schematic diagram of the organizational structure of a computing device in an SDN in the prior art;
FIG. 2c is a schematic diagram of the organizational structure of a computing device provided by an embodiment of the present application;
FIG. 3 is a schematic diagram of the organizational structure of a further computing device provided by an embodiment of the present application;
FIG. 4 is a schematic flowchart of a data packet processing method provided by an embodiment of the present application;
FIG. 5a is a schematic diagram of the organizational structure of another computing device provided by an embodiment of the present application;
FIG. 5b is a schematic diagram of the organizational structure of another computing device provided by an embodiment of the present application;
FIG. 5c is a schematic diagram of the organizational structure of another computing device provided by an embodiment of the present application;
FIG. 5d is a schematic diagram of the organizational structure of another computing device provided by an embodiment of the present application;
FIG. 6a is a schematic diagram of the organizational structure of a NIC provided by an embodiment of the present application;
FIG. 6b is a schematic diagram of the organizational structure of a further NIC provided by an embodiment of the present application;
FIG. 6c is a schematic diagram of the organizational structure of a further NIC provided by an embodiment of the present application.
Detailed description
The technical solutions in the embodiments of the present application are described below with reference to the accompanying drawings of the embodiments.
In the present application, the terms first, second, and so on are used to distinguish different objects, such as a first data packet and a second data packet, but there is no logical or temporal dependency between the various "first" and "second" items.
Throughout this specification, a data packet consists of matching information and a payload. The matching information is used for matching against the match field of a flow table.
Throughout this specification, a flow table is used to control data flows in an SDN and may also be called an SDN flow table; specifically, it may be a flow table conforming to the OpenFlow protocol or to another protocol. A flow table includes at least a match field and an action field: the match field is used for matching against data packets, and the action field indicates the action that should be performed on a data packet that matches the flow table. The action field includes the action identifier for the data packet, such as forward, drop, or send to the SDN controller, and it also includes the routing information of the data packet, such as the destination port identifier of the data packet.
Throughout this specification, a data flow refers to a series of data packets that can match the same flow table. Specifically, the matching information of every data packet in the same data flow can match the match field of the flow table corresponding to that data flow.
Throughout this specification, a virtual switch is a switching device installed on a computing device and implemented in software, commonly used in SDN. A common virtual switch is Open vSwitch, abbreviated OVS, which is a virtual switch provided by an open-source project.
Throughout this specification, an overlay-type data packet refers to a data packet processed with an overlay encapsulation technology; specific overlay encapsulation technologies include virtual extensible local area network (VXLAN), network virtualization using generic routing encapsulation (NVGRE), and stateless transport tunneling (STT). An overlay-type data packet consists of two parts, an overlay header and an original data packet; the original data packet refers to a data packet sent by a VM or a data packet sent to a VM through a port of the virtual switch, and the overlay header is superimposed on the original data packet so that the overlay-type data packet can be transmitted in the overlay network. Different overlay encapsulation technologies correspond to different overlay headers.
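VXLAN is the first of the three overlay encapsulations just listed. As an added illustration that is not part of the patent, the following Python builds the 8-byte VXLAN header, wraps a constructed original Ethernet frame in outer Ethernet, IPv4 and UDP headers the way a NIC encapsulating on egress would, and then parses and validates such an overlay packet on the way back. The MAC and IP addresses, the VNI and the ephemeral UDP source port are constructed; the outer UDP checksum is left at zero, which IPv4 permits.

```python
"""Added example (not from the patent): VXLAN overlay encapsulation and
decapsulation of an original Ethernet frame. Addresses and the VNI are
constructed for this illustration."""
import struct
from ipaddress import IPv4Address

VXLAN_UDP_PORT = 4789          # IANA-assigned VXLAN destination port
VXLAN_FLAG_VNI_VALID = 0x08    # the only flag bit defined by RFC 7348


def vxlan_header(vni):
    """8-byte VXLAN header: flags, 3 reserved bytes, 24-bit VNI, 1 reserved byte."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_FLAG_VNI_VALID, vni << 8)


def ipv4_checksum(header):
    """RFC 791 one's-complement checksum; returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(inner_frame, vni, src_ip, dst_ip, src_mac, dst_mac, src_port=49152):
    """Overlay packet = outer Ethernet + IPv4 + UDP + VXLAN header + original frame."""
    vx = vxlan_header(vni)
    udp_len = 8 + len(vx) + len(inner_frame)
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)  # zero UDP checksum: allowed over IPv4
    ip_fields = [0x45, 0, 20 + udp_len, 0, 0x4000, 64, 17, 0,
                 IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed]
    ip = struct.pack("!BBHHHBBH4s4s", *ip_fields)   # checksum field still zero
    ip_fields[7] = ipv4_checksum(ip)
    ip = struct.pack("!BBHHHBBH4s4s", *ip_fields)
    eth = dst_mac + src_mac + b"\x08\x00"
    return eth + ip + udp + vx + inner_frame


def decapsulate(frame):
    """Validate the outer headers and return (vni, original frame)."""
    if len(frame) < 14 + 20 + 8 + 8 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    if ipv4_checksum(ip) != 0:
        raise ValueError("bad IPv4 header checksum")
    if ip[9] != 17:
        raise ValueError("outer protocol is not UDP")
    udp_off = 14 + ihl
    _, dst_port, udp_len, _ = struct.unpack("!HHHH", frame[udp_off:udp_off + 8])
    if dst_port != VXLAN_UDP_PORT:
        raise ValueError("not VXLAN")
    if udp_off + udp_len > len(frame):
        raise ValueError("truncated overlay packet")
    vx_off = udp_off + 8
    flags, vni_field = struct.unpack("!B3xI", frame[vx_off:vx_off + 8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VNI flag not set")
    return vni_field >> 8, frame[vx_off + 8:udp_off + udp_len]


# Constructed original frame: dst MAC, src MAC, EtherType IPv4, dummy payload.
INNER = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00" + b"inner payload"


def roundtrip(vni=100):
    """Encapsulate INNER with constructed outer addresses and decapsulate it again."""
    frame = encapsulate(INNER, vni, "192.0.2.10", "192.0.2.20",
                        b"\x02\xaa\xaa\xaa\xaa\x01", b"\x02\xaa\xaa\xaa\xaa\x02")
    return frame, decapsulate(frame)
```

The decapsulation side refuses frames whose outer IPv4 checksum, protocol, UDP port or VXLAN flag do not line up, which is the minimum a NIC or a receiving tunnel endpoint should enforce before trusting the VNI to select a tenant network.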
Throughout this specification, a flow table set includes one or more flow tables. The present application involves two flow table sets: the virtual-switch-accessible flow table set and the NIC-accessible flow table set. The flow tables in the virtual-switch-accessible flow table set are used by the virtual switch, and those in the NIC-accessible flow table set are used by the NIC. Specifically, as shown in FIG. 2c, the virtual-switch-accessible flow table set is generally stored in the storage device of the computing device, while the NIC-accessible flow table set may be stored either in the storage device of the computing device or in a storage device inside the NIC. If both sets are stored in the storage device of the computing device, the computing device allocates a separate block of memory for each of them. The drawings of the present application take the case where the NIC-accessible flow table set is stored in the storage device of the computing device as an example; a person skilled in the art can directly derive the case where it is stored inside the NIC.
Throughout this specification, SR-IOV is used as the example technology for direct connection between the NIC and VMs; in actual use, other technologies that support direct NIC-to-VM connection may also be used.
SDN architecture to which the embodiments of the present application apply
FIG. 2a is a schematic diagram of the SDN architecture to which the embodiments of the present application apply. FIG. 2a schematically uses a centralized SDN controller; in practice the SDN controller may also be deployed in a distributed manner on the individual computing devices.
The hardware layer of each computing device is provided with a NIC, a processor, and a storage device. In the present application, the part of each computing device other than the NIC is called the host. The processor may be a central processing unit (CPU); the storage device includes volatile memory, such as random-access memory (RAM), and non-volatile memory, such as read-only memory (ROM), flash memory, HDD, or SSD. When each host runs, its hardware layer supports the running of the virtual switch and multiple VMs in the software layer. The host and the NIC in each computing device establish a communication connection, and the host communicates with the external network through the NIC: for example, the NIC first obtains from the external network a data packet destined for a VM running on the host and then sends it to that VM, while a data packet sent by a VM on the host to the external network is first sent to the NIC and then sent by the NIC to the external network.
The difference between the prior-art data packet processing flow and the flow provided by the present application is shown below using computing device 1 as an example. As shown in FIG. 2b, in the prior art, after the virtual switch in computing device 1 receives a data packet from a VM, the virtual switch matches the data packet against the flow tables in the virtual-switch-accessible flow table set and, according to the instruction of the matched flow table, sends the data packet to the NIC connected to the virtual switch. It can be seen from this flow that in the prior art the main processing pressure of data packet handling falls on the virtual switch, and the virtual switch depends on the hardware-layer resources of the computing device: the more processor and storage resources the virtual switch occupies, the fewer resources remain for running VMs, and if an upper limit is placed on the hardware-layer resources the virtual switch may occupy, its performance becomes hard to guarantee as traffic grows.
As shown in FIG. 2c, in the data packet processing flow provided by the present application, after the NIC in computing device 1 receives a data packet from a VM, it matches the data packet against the flow tables in the NIC-accessible flow table set and, according to the instruction of the matched flow table, sends the data packet to the destination VM connected to the NIC or to the external network. The flow tables in the NIC-accessible flow table set originate from the host: if the NIC cannot match a received data packet to a flow table, it sends the data packet to the virtual switch, the virtual switch requests the flow table corresponding to the data packet from the SDN controller, and it sends the obtained flow table to the NIC-accessible flow table set for the NIC to use in subsequent data packet processing.
It can be seen from the above flow that in the data packet processing flow provided by the present application, part of the processing pressure of data packet handling is shifted to the NIC; as a hardware device, the NIC not only has high processing efficiency but also runs without occupying other resources of the hardware layer.
It should be noted that, schematically, all VMs on computing device 1 in FIG. 2c are connected to the NIC; in fact only some VMs may be connected to the NIC while the others are connected to the virtual switch, and the VM configuration is not limited to all VMs being connected to the NIC.
The computing devices in FIG. 2a and FIG. 2c may be implemented by the computing device 200 shown in FIG. 3, whose organizational structure is shown in FIG. 3. Computing device 200 includes a host and a NIC 206; the NIC 206 establishes a communication connection with the host's processor 202 and memory 204 through the host's bus 208, and NIC 206, processor 202, and memory 204 may also communicate by other means such as wireless transmission. Computing device 200 communicates with the external network through NIC 206.
In the working state, the host runs at least one VM and a virtual switch, and the program code implementing the host-side part of the data packet processing method of FIG. 4 is stored in the storage device 204 and executed by the processor 202. In the working state, NIC 206 executes the NIC-side part of the data packet processing method of FIG. 4.
The present application also provides a data packet processing method executed by a computing device in the foregoing SDN architecture when running; its flowchart is shown in FIG. 4.
Step 402: the host of the computing device receives first configuration information, which instructs that a virtual switch external network port and at least one virtual switch port be established on the virtual switch, each virtual switch port corresponding to one VM running on the host.
As shown in FIG. 5a, FIG. 5b, or FIG. 5c, the VS external network port establishes a communication connection with the NIC; the virtual switch sends packets destined for the external network from the virtual switch external network port to the NIC, and the NIC sends those packets to the external network.
Step 404: the host generates second configuration information and sends it to the NIC of the computing device.
Specifically, an interception module running on the host obtains the first configuration information and sends it to the NIC driver running on the host; the NIC driver generates the second configuration information according to the first configuration information and sends it to the NIC. The first and second configuration information have similar functions; the NIC driver converts the former mainly so that it conforms to the specification for communication between the NIC driver and the NIC.
Step 406: according to the second configuration information, the NIC configures at least one NIC port on the NIC, each NIC port connected to one VM running on the host through SR-I/OV technology.
A NIC external network port may also be configured on the NIC. The configuration of the NIC external network port may be completed before or after step 406, or it may be completed in step 406 according to the second configuration information.
A NIC port may specifically be a port of a virtual function (VF) as defined by SR-I/OV technology. The NIC external network port is used to communicate with the external network.
Steps 402 to 406 are optional and constitute the configuration process of the virtual switch and the NIC; they need not be executed every time before step 408 and its subsequent steps. As shown in FIG. 5a, FIG. 5b, or FIG. 5c, through this configuration process the VMs running on the host are connected to the NIC through NIC ports; although VS ports corresponding one-to-one to the VMs are established on the virtual switch, the VMs running on the host are not connected to the virtual switch.
The present application describes the scenario in which the destination of a data packet is the external network, so the data packets received by the virtual switch correspond to the VS external network port. In fact, the destination of a data packet received by the virtual switch may also be a VM running on the computing device.
As shown in FIG. 5b, during the configuration process of the virtual switch and the NIC, or before or after it, at least one queue for communication between the virtual switch and the NIC must also be configured, used by the virtual switch to return to the NIC the data packets it received from the NIC. There are two ways to configure the queues. In the first, shown in FIG. 5b, the virtual switch and the NIC communicate through a single queue, and the virtual switch sends all data packets destined for the NIC to that queue. In the second, shown in FIG. 5c, the virtual switch and the NIC communicate through multiple queues, at least one of which is used to send packets emitted by the virtual switch through the VS external network port to the NIC, while the remaining queues are used to send packets corresponding to the VS ports to the NIC.
This configuration process needs no awareness on the part of the upper-layer management device: the computing device connects to the NIC the VMs that would otherwise be connected to the virtual switch, without the upper-layer management device modifying the configuration information, which improves the compatibility of the configuration process and reduces implementation difficulty.
Step 408: the NIC receives a first data packet sent by a source VM.
The NIC receives the first data packet through a NIC port.
Step 410: the NIC performs a security group check on the first data packet and determines that the first data packet passes the security group check.
It is determined whether the source VM belongs to a static security group. If it does, it is determined whether the first data packet matches any rule of that static security group; if the first data packet matches at least one rule of the static security group, it passes the static security group check. If the source VM belongs to no static security group, no static security group check is needed for the first data packet, which is processed directly according to a first preset rule, for example by matching it against the flow tables in the NIC-accessible flow table set. If the source VM belongs to a static security group but the first data packet matches none of that group's rules, the first data packet fails the security group check and is processed according to a second preset rule, for example by being discarded.
The above is the scenario of a static security group configured as a whitelist. If the static security group is configured as a blacklist, the opposite applies: if the source VM belongs to a static security group but the first data packet matches none of that group's rules, the first data packet passes the static security group check; whereas if the source VM belongs to a static security group and the first data packet matches at least one of its rules, the first data packet fails the static security group check.
Optionally, if a dynamic security group is configured, it is first determined whether the source VM belongs to the dynamic security group. If it does, the connection tracking table (connection track table) is queried according to the first data packet to identify the connection the first data packet belongs to, and to determine the state of that connection and the processing action corresponding to the first data packet. If the processing action of the first data packet indicates matching it against the flow tables in the NIC-accessible flow table set, the first data packet passes the dynamic security group check.
The static and dynamic security groups may be configured at the same time; in that case only a packet that passes both the static and the dynamic security group check passes the security group check.
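The static and dynamic security group checks of step 410, worked through as an added simulation that is not code from the patent: a whitelist group, a blacklist group and a dynamic group backed by a connection tracking table, combined so that a packet must pass every configured check. The rule format (protocol, destination port), the connection key and the treatment of a connection absent from the tracking table are assumptions.

```python
"""Added simulation of the NIC-side security group check (step 410); not the patent's code.
Static groups are whitelist or blacklist; a dynamic group consults a connection tracking
table. Rule format, connection key and default for unknown connections are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

MATCH_FLOW_TABLE = "match_flow_table"  # first preset rule: continue to flow-table lookup
DROP = "drop"                          # second preset rule: discard the packet


@dataclass(frozen=True)
class Packet:
    src_vm: str
    src_ip: str
    dst_ip: str
    proto: str  # "tcp" or "udp"
    dst_port: int


# Assumed rule format: (protocol, destination port); a port of None matches any port.
Rule = Tuple[str, Optional[int]]


@dataclass
class StaticGroup:
    name: str
    mode: str          # "whitelist" or "blacklist"
    members: Set[str]  # source VMs that belong to the group
    rules: List[Rule] = field(default_factory=list)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    proto, port = rule
    return proto == pkt.proto and (port is None or port == pkt.dst_port)


def static_check(groups: List[StaticGroup], pkt: Packet) -> str:
    """Static security group check as described for step 410."""
    for group in groups:
        if pkt.src_vm not in group.members:
            continue
        hit = any(rule_matches(r, pkt) for r in group.rules)
        if group.mode == "whitelist":
            return MATCH_FLOW_TABLE if hit else DROP   # must match at least one rule
        return DROP if hit else MATCH_FLOW_TABLE       # blacklist: a match means reject
    return MATCH_FLOW_TABLE  # source VM in no static group: the check is skipped


# Connection tracking table: assumed key (src_ip, dst_ip, proto, dst_port) -> (state, action).
ConnKey = Tuple[str, str, str, int]
ConnTrack = Dict[ConnKey, Tuple[str, str]]


def conn_key(pkt: Packet) -> ConnKey:
    return (pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.dst_port)


def dynamic_check(dynamic_members: Set[str], conntrack: ConnTrack, pkt: Packet) -> str:
    """Dynamic security group check: the tracked connection's action decides."""
    if pkt.src_vm not in dynamic_members:
        return MATCH_FLOW_TABLE  # not in the dynamic group: the check is skipped
    # Assumption: a connection with no tracking entry is treated as dropped.
    _state, action = conntrack.get(conn_key(pkt), ("unknown", DROP))
    return MATCH_FLOW_TABLE if action == MATCH_FLOW_TABLE else DROP


def security_group_check(pkt: Packet, static_groups: List[StaticGroup],
                         dynamic_members: Set[str], conntrack: ConnTrack) -> str:
    """Both checks must pass when both are configured (the combined case in the text)."""
    if static_check(static_groups, pkt) == DROP:
        return DROP
    return dynamic_check(dynamic_members, conntrack, pkt)


if __name__ == "__main__":
    # Constructed configuration: VM-1 may only send HTTP/HTTPS, VM-2 may not send SSH,
    # VM-3 is governed by the connection tracking table.
    groups = [StaticGroup("web", "whitelist", {"VM-1"}, [("tcp", 80), ("tcp", 443)]),
              StaticGroup("no-ssh", "blacklist", {"VM-2"}, [("tcp", 22)])]
    track = {("10.0.0.3", "192.0.2.10", "tcp", 443): ("established", MATCH_FLOW_TABLE)}
    for pkt in (Packet("VM-1", "10.0.0.1", "192.0.2.10", "tcp", 443),
                Packet("VM-2", "10.0.0.2", "192.0.2.10", "tcp", 22),
                Packet("VM-3", "10.0.0.3", "192.0.2.10", "tcp", 8080)):
        print(pkt.src_vm, pkt.dst_port, security_group_check(pkt, groups, {"VM-3"}, track))
```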
Step 412: the NIC queries the NIC-accessible flow table set according to the match information of the first data packet. If no flow table in the NIC-accessible flow table set can be matched, step 414 and step 416 are executed, followed by step 4181, or steps 4182 to 4184, or steps 4185 to 4186. If a flow table in the NIC-accessible flow table set can be matched, step 420 is executed.
If the match information of the first data packet matches no flow table in the NIC-accessible flow table set, the first data packet is either the first packet of the data flow it belongs to, or it is not the first packet of that data flow but the flow table corresponding to the data flow has already been deleted from the NIC-accessible flow table set.
If the match information of the first data packet matches a flow table in the NIC-accessible flow table set, the NIC-accessible flow table set already holds the flow table corresponding to the data flow the first data packet belongs to.
Step 414: the NIC forwards the first data packet to the virtual switch through a host port.
The host port may be a port of a physical function (PF) as defined by SR-I/OV technology.
Step 416: after receiving the first data packet, the virtual switch obtains the flow table corresponding to the data flow, and that flow table is added to the NIC-accessible flow table set.
After obtaining the first data packet, the virtual switch sends it to the SDN controller, and the virtual-switch-accessible flow table set receives the flow table corresponding to the data flow that the SDN controller generates from the first data packet. The virtual-switch-accessible flow table set may also already hold the information needed to generate that flow table, for example a slow table; in that case the virtual switch generates the flow table corresponding to the data flow from that information itself, without sending the first data packet to the SDN controller.
The virtual switch stores the flow table corresponding to the data flow in both the virtual-switch-accessible flow table set and the NIC-accessible flow table set. Alternatively, a monitoring module running on the host observes the virtual switch obtaining the flow table corresponding to the data flow and stores that flow table in the NIC-accessible flow table set.
Because the flow table corresponding to the data flow is generated by the SDN controller, and the SDN controller need not know that the VMs running on the host are actually connected to the NIC, the routing information for the packets of the data flow may specifically include a VS external network port identifier; since the VS external network port corresponds to the NIC external network port, the routing information for the packets of the data flow thereby indicates the NIC external network port.
After step 416 there are three optional schemes for sending the first data packet to its destination: step 4181, steps 4182 to 4184, and steps 4185 to 4186. In practice any one of the three may be executed after step 416.
Step 4181: the NIC queries the NIC-accessible flow table set according to the match information of the first data packet, obtains the flow table corresponding to the data flow, and forwards the first data packet to the external network according to the routing information for the packets of the data flow.
In this case the NIC must hold the correspondence between VS external network port identifiers and NIC external network port identifiers. After obtaining the VS external network port identifier included in the routing information for the packets of the data flow, the NIC converts that VS port identifier into a NIC external network port identifier and sends the first data packet out of that NIC external network port.
After the virtual switch or the monitoring module stores the flow table corresponding to the data flow in the NIC-accessible flow table set in step 416, it sends a notification message to the NIC informing it that the flow table corresponding to the data flow is now stored in the NIC-accessible flow table set. After receiving this notification, the NIC can match the flow table corresponding to the data flow in the NIC-accessible flow table set according to the match information of the first data packet.
Alternatively, after step 414 the NIC periodically matches the match information of the first data packet against the flow tables in the NIC-accessible flow table set; in the NIC's next matching attempt after step 416 completes, the NIC can match the flow table corresponding to the data flow in the NIC-accessible flow table set according to the match information of the first data packet.
Optional step 4181 does not require the virtual switch to match the first data packet against the flow table corresponding to the data flow, which reduces the virtual switch's workload.
Step 4182: the virtual switch matches the first data packet against the flow table corresponding to the data flow in the virtual-switch-accessible flow table set and obtains the routing information for the packets of the data flow.
Step 4183: the virtual switch generates a returned first data packet according to the routing information for the packets of the data flow and sends the returned first data packet to the NIC; the returned first data packet contains a port identifier corresponding to the external network, which is either a virtual switch external network port identifier or a NIC external network port identifier.
Step 4184: the NIC receives the returned first data packet and, according to the port identifier, forwards the first data packet to the external network.
In step 416, the routing information for the packets of the data flow may specifically include a VS external network port identifier.
Optionally in step 4183, as shown in FIG. 5b, the virtual switch adds the routing information for the packets of the data flow to the returned first data packet and sends it to the NIC through the queue. In this case the NIC must hold the correspondence between VS external network port identifiers and NIC external network port identifiers; after receiving the returned first data packet, the NIC converts the VS external network port identifier into a NIC external network port identifier and sends the first data packet to the external network through the NIC external network port. In this implementation the virtual switch's load is lower, which improves the host's working efficiency.
Alternatively in step 4183, as shown in FIG. 5b, after obtaining the routing information for the packets of the data flow, the virtual switch converts the VS external network port identifier included in that routing information into a NIC external network port identifier, adds the NIC external network port identifier to the returned first data packet, and sends the returned first data packet to the NIC through the queue. In this case the virtual switch must hold the correspondence between VS external network port identifiers and NIC external network port identifiers. After receiving the returned first data packet, the NIC sends the first data packet to the external network through the NIC external network port. In this implementation the NIC need not convert port identifiers and can process packets more efficiently.
Step 4185: the virtual switch sends the first data packet to the queue corresponding to the external network.
Step 4186: the NIC receives the first data packet from the queue corresponding to the external network and, according to the queue information of that queue, forwards the first data packet from the NIC external network port to the external network.
As shown in FIG. 5c, the virtual switch and the NIC communicate through multiple queues, of which queue 1 is used for communication between the VS external network port and the NIC. The virtual switch matches the first data packet against the flow table corresponding to the data flow in the virtual-switch-accessible flow table set; after obtaining the routing information for the packets of the data flow, for example a VS external network port identifier, the virtual switch sends the first data packet to queue 1.
The NIC obtains the first data packet from queue 1, and the NIC driver running on the host sends queue information to the NIC informing it that the first data packet came from queue 1. Since queue 1 corresponds to the NIC external network port, the NIC sends the first data packet to the external network through the NIC external network port. Compared with the two preceding optional schemes, in this implementation neither the virtual switch nor the NIC needs to convert the routing information for the packets of the data flow into a NIC external network port identifier, which improves packet forwarding efficiency.
Once it has been determined, in any of the three optional schemes, that the first data packet is to be sent out of the NIC external network port, the NIC may optionally add a first overlay header to the first data packet to generate a first overlay packet; the first overlay header includes a Virtual eXtensible Local Area Network (VXLAN) header, a Network Virtualization using Generic Routing Encapsulation (NVGRE) header, or a Stateless Transport Tunneling (STT) header.
It should be noted that whether an overlay header is added to the first data packet is decided in practice by the network settings; not every packet sent to the external network necessarily uses overlay technology.
Step 420: the NIC forwards the first data packet to the external network according to the routing information included in the matched flow table.
According to the match information of the first data packet, the NIC matches in the NIC-accessible flow table set the flow table corresponding to the data flow the first data packet belongs to, and forwards the first data packet to the external network according to the routing information for the packets of the data flow included in that flow table.
Because in step 412 the NIC was able to match the first data packet to a flow table in the NIC-accessible flow table set, the first data packet is not the first packet of its data flow.
In step 420, after obtaining the flow table corresponding to the data flow the first data packet belongs to, and depending on the network settings of that data flow, a first overlay header may optionally be added to the first data packet to generate a first overlay packet, the first overlay header including a VXLAN, NVGRE or STT header; the first overlay packet is then sent to the external network.
After step 4181, step 4184, step 4186 or step 420, when the NIC continues to receive subsequent packets of the data flow, for example a second data packet, and the flow table corresponding to the data flow is still stored in the NIC-accessible flow table set, the NIC forwards a second overlay packet to the external network according to the routing information for the packets of the data flow, the second overlay packet consisting of the second data packet and the second overlay header corresponding to it. In practice, because the flow tables in the NIC-accessible flow table set may be updated over time, it can happen that, although the flow table corresponding to the data flow was added to the NIC-accessible flow table set in step 416, the NIC cannot match the match information of the subsequent packet to any flow table in the NIC-accessible flow table set; in that case step 414 and step 416, followed by step 4181, or steps 4182 to 4184, or steps 4185 to 4186, are executed for the subsequent packet.
This packet processing method offloads the matching of packets against flow tables to the NIC, reducing the virtual switch's workload so that the host's hardware-layer resources can better serve the VMs, and improving the working efficiency of the computing device.
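The offload path of steps 412 to 420 with the step-4181 egress, as an added simulation that is not the patent's code: the NIC misses on the first packet of a flow, the virtual switch fetches the flow table from a stand-in SDN controller and installs it in the NIC-accessible flow table set, and later packets of the flow, as well as the case where the entry has since been deleted from that set, are handled on the NIC. The match-key fields, the port identifiers, the VS-to-NIC port mapping and the VXLAN VNI are assumed values.

```python
"""Added simulation of the flow-table offload path of steps 412 to 420 (step-4181 egress);
not the patent's code. Match-key fields, port identifiers, the VS-to-NIC port mapping and
the VXLAN VNI are assumed values."""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Packet:
    src_vm: str
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int


# Assumed match information: a 5-tuple-like key extracted from the packet.
MatchKey = Tuple[str, str, str, int]
FlowTable = Dict[MatchKey, dict]


def match_key(pkt: Packet) -> MatchKey:
    return (pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.dst_port)


class SdnController:
    """Stand-in controller: its routing information names the VS external network
    port, since it need not know that the VMs are attached to the NIC (step 416)."""
    def __init__(self) -> None:
        self.requests = 0

    def flow_for(self, pkt: Packet) -> dict:
        self.requests += 1
        return {"out_port": "vs-ext-0", "overlay": ("VXLAN", 100)}  # constructed values


class VirtualSwitch:
    """Host-side virtual switch resolving misses forwarded by the NIC (steps 414, 416)."""
    def __init__(self, controller: SdnController, nic_flow_table: FlowTable) -> None:
        self.controller = controller
        self.flow_table: FlowTable = {}        # virtual-switch-accessible flow table set
        self.nic_flow_table = nic_flow_table   # NIC-accessible flow table set (shared)

    def handle_miss(self, pkt: Packet) -> None:
        entry = self.controller.flow_for(pkt)
        self.flow_table[match_key(pkt)] = entry
        self.nic_flow_table[match_key(pkt)] = entry  # installed for the NIC's next lookup


class Nic:
    # Correspondence the NIC must hold for step 4181: VS external port -> NIC external port.
    VS_TO_NIC_PORT = {"vs-ext-0": "nic-ext-0"}

    def __init__(self, vswitch: VirtualSwitch, flow_table: FlowTable) -> None:
        self.vswitch = vswitch
        self.flow_table = flow_table

    def process(self, pkt: Packet) -> Tuple[str, str, object]:
        """Returns (path, egress port, frame): 'fast' on a hit, 'slow' on a miss."""
        key = match_key(pkt)
        entry = self.flow_table.get(key)      # step 412
        path = "fast"
        if entry is None:                     # first packet of the flow, or entry deleted
            path = "slow"
            self.vswitch.handle_miss(pkt)     # step 414: forwarded over the host port (PF)
            entry = self.flow_table[key]      # step 4181: re-lookup after the notification
        nic_port = self.VS_TO_NIC_PORT[entry["out_port"]]  # VS port id -> NIC port id
        frame: object = pkt
        if entry.get("overlay"):              # optional overlay header (VXLAN/NVGRE/STT)
            kind, vni = entry["overlay"]
            frame = (kind, vni, pkt)
        return path, nic_port, frame


def build() -> Tuple[Nic, SdnController]:
    """Wire up one NIC, one virtual switch and the stand-in controller."""
    controller = SdnController()
    nic_table: FlowTable = {}
    return Nic(VirtualSwitch(controller, nic_table), nic_table), controller


if __name__ == "__main__":
    nic, controller = build()
    pkt = Packet("VM-1", "10.0.0.1", "192.0.2.10", "tcp", 443)
    print(nic.process(pkt))   # slow path: one controller round trip
    print(nic.process(pkt))   # fast path: handled entirely on the NIC
    nic.flow_table.clear()    # entry removed from the NIC-accessible set
    print(nic.process(pkt), controller.requests)
```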
Referring to FIG. 5d, a schematic structure of another computing device provided by this application: unlike FIG. 5a, FIG. 5b or FIG. 5c, in this computing device VM-1 to VM-n are connected to the NIC and VM-n+1 to VM-n+m are connected to the virtual switch. VM-n+1 to VM-n+m may have been configured before the configuration process of the virtual switch and the NIC in FIG. 4 is executed; or, during that configuration process, VM-n+1 to VM-n+m may be selectively connected to the virtual switch and VM-1 to VM-n to the NIC, where the choice of which VMs are connected to the NIC and which to the virtual switch may depend on the host's load or on information carried in the configuration information received by the host.
In the scenario of FIG. 5d, a packet received by the NIC may come from VM-1 to VM-n or from VM-n+1 to VM-n+m. If the packet comes from VM-1 to VM-n, the packet processing method of FIG. 4 is executed for it; if it comes from VM-n+1 to VM-n+m, the packet has already been matched against a flow table on the virtual switch, and the NIC processes it according to the matching result. In the latter case the flow tables corresponding to the data flows of packets sent by VM-n+1 to VM-n+m are not stored in the NIC-accessible flow table set.
This application further provides a NIC 600, which may be the NIC provided in any of the preceding figures. The schematic structure of NIC 600 is shown in FIG. 6a: it includes a host interface 602, a network interface 604 and a processing chip 606. Network interface 604 is used to communicate with the external network and establishes a communication connection with processing chip 606. Host interface 602 is used to communicate with the virtual switch, VMs, NIC driver and so on running on the host to which NIC 600 is connected, and establishes a communication connection with processing chip 606. In the preceding packet processing method, the NIC ports, NIC external network port and host port established on the NIC are virtual ports; the host port and NIC ports actually communicate with the host through host interface 602, and the NIC external network port communicates with the external network through network interface 604. Referring to FIG. 3, host interface 602 may in practice be the interface by which NIC 600 connects to the bus of the computing device.
Host interface 602 is used to obtain configuration information from the host to which the NIC is connected and to send that configuration information to processing chip 606.
Processing chip 606 is used to connect NIC 600 to the VMs running on the host according to the configuration information, and to establish the NIC external network port.
Specifically, refer to the preceding step 406.
The above describes the functions of the units of NIC 600 during its configuration process. NIC 600 may also be used for packet processing; refer to step 408 and the steps following step 408 in the preceding packet processing method.
Host interface 602 is further used to receive a first data packet sent by a source VM; refer to step 408.
Host interface 602 sends the received first data packet to processing chip 606.
After receiving the first data packet, processing chip 606 processes it as described in the preceding steps 410 and 412.
Processing chip 606 is further used to execute step 412 and, where it determines that the first data packet matches no flow table in the NIC-accessible flow table set, to execute step 414 and the subsequent steps.
After step 414, processing chip 606 executes any one of three optional schemes, corresponding respectively to step 4181, the NIC-side part of steps 4182 to 4184, and the NIC-side part of steps 4185 to 4186.
Optional scheme one, corresponding to step 4181: processing chip 606 queries the NIC-accessible flow table set according to the match information of the first data packet, obtains the flow table corresponding to the data flow the first data packet belongs to, that is, obtains the VS external network port identifier included in the routing information for the packets of the data flow, and converts the VS external network port identifier into a NIC external network port identifier.
Optional scheme two, corresponding to the NIC-side part of steps 4182 to 4184: processing chip 606 receives the returned first data packet and obtains the NIC external network port identifier from the port identifier carried in the returned first data packet. If that port identifier is a virtual switch external network port identifier, processing chip 606 converts it into a NIC external network port identifier; the port identifier may also already be a NIC external network port identifier.
Optional scheme three, corresponding to the NIC-side part of steps 4185 to 4186: processing chip 606 receives the first data packet from the queue corresponding to the VS external network port; because processing chip 606 is preconfigured with the correspondence between that queue and the NIC external network port, processing chip 606 can obtain the NIC external network port identifier.
When processing chip 606 executes step 412 and determines that the first data packet matches a flow table in the NIC-accessible flow table set, it obtains the routing information for the packets of the data flow included in the matched flow table. That routing information may include a VS external network port identifier; processing chip 606 converts the VS external network port identifier into a NIC external network port identifier and sends the first data packet out of the NIC external network port.
After obtaining the flow table corresponding to the data flow the first data packet belongs to, and depending on the network settings of that data flow, processing chip 606 may optionally add a first overlay header to the first data packet to generate a first overlay packet, and then send the first overlay packet to the external network.
The NIC provided above implements the flow table matching function: packets whose flow tables are present in the NIC-accessible flow table set need not be sent to the virtual switch for processing, which reduces the host's load and improves the working efficiency of the host connected to the NIC.
Processing chip 606 may be implemented by an application-specific integrated circuit (ASIC) or by a programmable logic device (PLD). The PLD may be a complex programmable logic device (CPLD), a field programmable gate array (FPGA), generic array logic (GAL), or any combination thereof.
Specifically, as shown in FIG. 6b, processing chip 606 may include an overlay chip 6062, a flow table matching chip 6064 and a security group checking chip 6066. Overlay chip 6062 is used to encapsulate overlay headers. Security group checking chip 6066 is used to determine whether a packet passes the security group check and to send packets that pass the check to flow table matching chip 6064. Flow table matching chip 6064 is used to match packets against the flow tables stored in the NIC-accessible flow table set. Overlay chip 6062 and security group checking chip 6066 are optional components.
Processing chip 606 may also be implemented by a processor, a storage device and a logic chip, the logic chip being implemented by a PLD or an ASIC. When processing chip 606 runs, the processor and the logic chip each perform part of the functions, and the division of functions between them may take many forms. By way of example, as shown in FIG. 6c, when the processor inside processing chip 606 works, it reads the code in the memory in order to read the information needed for the security group check and sends that information to the logic chip, so that the logic chip performs the security group check on the packet; the processor is further used to read the flow tables in the NIC-accessible flow table set and send them to the logic chip, so that the logic chip matches the packet against those flow tables; and the processor is further used to obtain the information needed to encapsulate the overlay header and send it to the logic chip, so that the logic chip encapsulates the overlay header.
In the processing chip 606 of NIC 600 shown in FIG. 6c, the logic chip may likewise consist of an overlay sub-chip, a flow table matching sub-chip and a security group checking sub-chip, the overlay sub-chip and the security group checking sub-chip being optional components. In the processing chip 606 of NIC 600 shown in FIG. 6c, the processor is used to obtain the information needed for flow table matching, for the security group check or for overlay header encapsulation, and to send it to the logic chip. The security group checking sub-chip completes the packet's security group check according to the information needed for the security group check, the flow table matching sub-chip completes the packet's flow table matching according to the information needed for flow table matching, and the overlay sub-chip encapsulates the overlay header according to the information sent by the processor.
This application further provides a packet processing method executed at run time by the NIC in any of the preceding figures. For the specifics of this method, refer to the NIC-side part of the packet processing method corresponding to FIG. 4.
This application further provides a configuration method executed at run time by the host in any of the preceding figures. For the specifics of this method, refer to steps 402 and 404 of the packet processing method corresponding to FIG. 4.
This application further provides a packet processing method executed at run time by the host in any of the preceding figures. For the specifics, refer to the host-side part of the packet processing method corresponding to FIG. 4 after step 408, namely step 416 together with the part of step 4181 in which a notification message is sent to the NIC after the flow table corresponding to the data flow has been stored in the NIC-accessible flow table set, or steps 4182 and 4183, or step 4185.
In the above embodiments, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, refer to the related descriptions of the other embodiments.
The methods described in connection with the disclosure of this application may be implemented by a processor executing software instructions. The software instructions may consist of corresponding software modules, which may be stored in RAM, flash memory, ROM, erasable programmable read only memory (EPROM), electrically erasable programmable read only memory (EEPROM), a hard disk, an optical disc, or any other form of storage medium known in the art.
Those skilled in the art should appreciate that, in one or more of the above examples, the functions described in this application may be implemented in hardware or in software. When implemented in software, these functions may be stored in a computer-readable medium or transmitted as one or more instructions or code on a computer-readable medium. A storage medium may be any available medium that a general-purpose or special-purpose computer can access.
The specific embodiments above further describe in detail the objectives, technical solutions and beneficial effects of this application. It should be understood that the above are merely specific embodiments of this application and are not intended to limit its scope of protection; any modification, improvement or the like made on the basis of the technical solutions of this application shall fall within the scope of protection of this application.

Claims (35)

  1. A data packet processing method, characterized in that the method is applied to a computing device, the computing device comprising a network interface card (NIC) and a host, the NIC establishing a communication connection with the host, the NIC establishing a communication connection with an external network, and the host running virtual machines (VMs), the method comprising:
    the NIC receiving a first data packet of a data flow sent by a source VM;
    the NIC querying a flow table set according to match information of the first data packet;
    in a case where the flow table corresponding to the data flow cannot be matched, the NIC forwarding the first data packet to a virtual switch running on the host;
    wherein, after receiving the first data packet, the virtual switch obtains the flow table corresponding to the data flow from a software-defined networking (SDN) controller, so that the flow table corresponding to the data flow is added to the flow table set.
  2. The data packet processing method according to claim 1, characterized in that a NIC external network port is configured on the NIC, the NIC external network port being used to establish a communication connection with the external network, at least one virtual switch port is configured on the virtual switch running on the host, each virtual switch port corresponding to one VM running on the host, and before the NIC receives the first data packet the method further comprises:
    the NIC receiving configuration information of the virtual switch ports;
    the NIC configuring, according to the configuration information of the virtual switch ports, at least one NIC port on the NIC, each NIC port being connected to one VM running on the host through single root input/output virtualization (SR-I/OV) technology.
  3. The data packet processing method according to claim 2, characterized in that the flow table corresponding to the data flow comprises routing information for the packets of the data flow, and after forwarding the first data packet to the virtual switch the method further comprises:
    the NIC querying the flow table set according to the match information of the first data packet, obtaining the flow table corresponding to the data flow, and forwarding the first data packet to the external network according to the routing information for the packets of the data flow.
  4. The data packet processing method according to claim 2, characterized in that the flow table corresponding to the data flow comprises routing information for the packets of the data flow, a virtual switch external network port is configured on the virtual switch, and after forwarding the first data packet to the virtual switch the method further comprises:
    the NIC receiving the first data packet returned by the virtual switch, the returned first data packet containing a port identifier corresponding to the external network, the port identifier being a virtual switch external network port identifier or a NIC external network port identifier and being added by the virtual switch according to the routing information for the packets of the flow table corresponding to the data flow;
    the NIC forwarding the first data packet to the external network according to the port identifier.
  5. The data packet processing method according to claim 2, characterized in that the virtual switch and the NIC communicate through a queue, the queue corresponding to the external network;
    after forwarding the first data packet to the virtual switch, the method further comprises:
    the NIC receiving the first data packet from the queue;
    the NIC forwarding the first data packet to the external network according to queue information of the queue.
  6. A network interface card (NIC), characterized in that the NIC comprises: a host interface, a network interface and a processing chip, the network interface being used to communicate with an external network and establishing a communication connection with the processing chip, the host interface being used to communicate with a host and establishing a communication connection with the processing chip, the host running VMs;
    the host interface being used to receive a first data packet of a data flow sent by a source VM;
    the processing chip being used to query a flow table set according to match information of the first data packet and, in a case where the flow table corresponding to the data flow cannot be matched, to forward the first data packet to a virtual switch running on the host;
    wherein, after receiving the first data packet, the virtual switch obtains the flow table corresponding to the data flow from a software-defined networking (SDN) controller, so that the flow table corresponding to the data flow is added to the flow table set.
  7. The NIC according to claim 6, characterized in that a NIC external network port is configured on the NIC, the NIC external network port corresponding to the network interface, at least one virtual switch port is configured on the virtual switch running on the host, each virtual switch port corresponding to one VM running on the host;
    the processing chip being further used to receive configuration information of the virtual switch ports and to configure, according to the configuration information of the virtual switch ports, at least one NIC port on the NIC, each NIC port being connected to one VM running on the host through single root input/output virtualization (SR-I/OV) technology.
  8. The NIC according to claim 7, characterized in that the processing chip is further used to query the flow table set according to the match information of the first data packet, to obtain the flow table corresponding to the data flow, the flow table corresponding to the data flow comprising routing information for the packets of the data flow, and to forward the first data packet to the external network according to the routing information for the packets of the data flow.
  9. The NIC according to claim 7, characterized in that a virtual switch external network port is configured on the virtual switch;
    the processing chip being further used to receive the first data packet returned by the virtual switch, the returned first data packet containing a port identifier corresponding to the external network, the port identifier being a virtual switch external network port identifier or a NIC external network port identifier and being added by the virtual switch according to the routing information for the packets of the flow table corresponding to the data flow; and further used to forward the first data packet to the external network according to the port identifier.
  10. The NIC according to claim 7, characterized in that the virtual switch and the NIC communicate through a queue, the queue corresponding to the external network;
    the processing chip being further used to receive the first data packet from the queue and to forward the first data packet to the external network according to queue information of the queue.
  11. A data packet processing method, characterized in that the method is applied to a computing device, the computing device comprising a network interface card (NIC) and a host, the NIC establishing a communication connection with the host, the NIC establishing a communication connection with an external network, and the host running virtual machines (VMs), the method comprising:
    the NIC receiving a second data packet of a data flow sent by a source VM;
    the NIC querying a flow table set according to match information of the second data packet and obtaining the flow table corresponding to the data flow, the flow table corresponding to the data flow comprising routing information for the packets of the data flow;
    the NIC forwarding the second data packet to the external network according to the routing information for the packets of the data flow.
  12. The data packet processing method according to claim 11, characterized in that the NIC is connected to the VMs running on the host through single root input/output virtualization (SR-I/OV) technology;
    the NIC receiving the second data packet through its connection with the source VM.
  13. The data packet processing method according to claim 12, characterized in that a NIC external network port is configured on the NIC, the NIC external network port being used to establish a communication connection with the external network, at least one virtual switch port is configured on a virtual switch running on the host, each virtual switch port corresponding to one VM running on the host, and before the NIC receives the second data packet the method further comprises:
    the NIC receiving configuration information of the virtual switch ports;
    configuring, according to the configuration information of the virtual switch ports, at least one NIC port on the NIC, each NIC port being connected to one VM running on the host through single root input/output virtualization (SR-I/OV) technology.
  14. The data packet processing method according to claim 13, characterized in that before the NIC receives the second data packet of the data flow sent by the source VM, the method further comprises:
    the NIC receiving a third data packet of the data flow;
    the NIC querying the flow table set according to match information of the third data packet;
    in a case where the flow table corresponding to the data flow cannot be matched, the NIC forwarding the third data packet to the virtual switch running on the host;
    wherein, after receiving the third data packet, the virtual switch obtains the flow table corresponding to the data flow from a software-defined networking (SDN) controller, so that the flow table corresponding to the data flow is added to the flow table set.
  15. The data packet processing method according to claim 14, characterized in that after forwarding the third data packet to the virtual switch the method further comprises:
    the NIC querying the flow table set according to the match information of the third data packet, obtaining the flow table corresponding to the data flow, and forwarding the third data packet to the external network according to the routing information for the packets of the data flow.
  16. The data packet processing method according to claim 14, characterized in that a virtual switch external network port is configured on the virtual switch, and after forwarding the third data packet to the virtual switch the method further comprises:
    the NIC receiving the third data packet returned by the virtual switch, the returned third data packet containing a port identifier corresponding to the external network, the port identifier being a virtual switch external network port identifier or a NIC external network port identifier and being added by the virtual switch according to the routing information for the packets of the data flow;
    the NIC forwarding the third data packet to the external network according to the port identifier.
  17. The data packet processing method according to claim 14, characterized in that the virtual switch and the NIC communicate through a queue, the queue corresponding to the external network;
    after forwarding the third data packet to the virtual switch, the method further comprises:
    the NIC receiving the third data packet from the queue;
    the NIC forwarding the third data packet to the external network according to queue information of the queue.
  18. The data packet processing method according to any one of claims 11 to 17, characterized in that before the NIC forwards the second data packet to the external network the method further comprises:
    the NIC adding an overlay header to the second data packet to generate an overlay packet, the overlay header comprising a Virtual eXtensible Local Area Network (VXLAN) header, a Network Virtualization using Generic Routing Encapsulation (NVGRE) header, or a Stateless Transport Tunneling (STT) header;
    and the NIC sending the second data packet to the external network comprises:
    the NIC sending the overlay packet to the external network.
  19. The data packet processing method according to any one of claims 11 to 18, characterized in that before the NIC queries the flow table set according to the match information of the second data packet the method further comprises:
    the NIC performing a security group check on the second data packet and, after determining that the second data packet passes the security group check, executing the step of querying the flow table set according to the match information of the second data packet.
  20. A network interface card (NIC), characterized in that the NIC comprises: a host interface, a network interface and a processing chip, the network interface being used to communicate with an external network and establishing a communication connection with the processing chip, the host interface being used to communicate with a host and establishing a communication connection with the processing chip, the host running VMs;
    the host interface being used to receive a second data packet of a data flow sent by a source VM;
    the processing chip being used to query a flow table set according to match information of the second data packet and obtain the flow table corresponding to the data flow, the flow table corresponding to the data flow comprising routing information for the packets of the data flow; and to forward the second data packet to the external network according to the routing information for the packets of the data flow.
  21. The NIC according to claim 20, characterized in that the NIC is connected to the VMs running on the host through single root input/output virtualization (SR-I/OV) technology;
    the host interface being used to receive the second data packet through the connection with the source VM.
  22. The NIC according to claim 21, characterized in that a NIC external network port is configured on the NIC, the NIC external network port corresponding to the network interface, at least one virtual switch port is configured on a virtual switch running on the host, each virtual switch port corresponding to one VM running on the host;
    the processing chip being further used to receive configuration information of the virtual switch ports and to configure, according to the configuration information of the virtual switch ports, at least one NIC port on the NIC, each NIC port being connected to one VM running on the host through single root input/output virtualization (SR-I/OV) technology.
  23. The NIC according to claim 22, characterized in that the network interface is further used to receive a third data packet of the data flow;
    the processing chip being further used to query the flow table set according to match information of the third data packet, and further used, in a case where the flow table corresponding to the data flow cannot be matched, to forward the third data packet to the virtual switch running on the host;
    wherein, after receiving the third data packet, the virtual switch obtains the flow table corresponding to the data flow from a software-defined networking (SDN) controller, so that the flow table corresponding to the data flow is added to the flow table set.
  24. The NIC according to claim 23, characterized in that the processing chip is further used to query the flow table set according to the match information of the third data packet, to obtain the flow table corresponding to the data flow, and to forward the third data packet to the external network according to the routing information for the packets of the data flow.
  25. The NIC according to claim 23, characterized in that the processing chip is further used to receive the third data packet returned by the virtual switch, a virtual switch external network port being configured on the virtual switch, the returned third data packet containing a port identifier corresponding to the external network, the port identifier being a virtual switch external network port identifier or a NIC external network port identifier and being added by the virtual switch according to the routing information for the packets of the data flow; and to forward the third data packet to the external network according to the port identifier.
  26. The NIC according to claim 23, characterized in that the virtual switch and the NIC communicate through a queue, the queue corresponding to the external network;
    the processing chip being further used to receive the third data packet from the queue and to forward the third data packet to the external network according to queue information of the queue.
  27. The NIC according to any one of claims 20 to 26, characterized in that the processing chip is further used to add an overlay header to the second data packet to generate an overlay packet, the overlay header comprising a Virtual eXtensible Local Area Network (VXLAN) header, a Network Virtualization using Generic Routing Encapsulation (NVGRE) header, or a Stateless Transport Tunneling (STT) header; and further used to send the overlay packet to the external network.
  28. The NIC according to any one of claims 20 to 27, characterized in that, before querying the flow table set according to the match information of the second data packet, the processing chip is further used to perform a security group check on the second data packet and, after determining that the second data packet passes the security group check, to execute the step of querying the flow table set according to the match information of the second data packet.
  29. A computing device, characterized in that the computing device comprises a network interface card (NIC) and a host, the NIC establishing a communication connection with the host, the host running virtual machines (VMs) and a virtual switch, a NIC external network port being configured on the NIC, the NIC external network port being used to establish a communication connection with an external network;
    the host being used to send configuration information to the NIC;
    the NIC being used to configure, according to the configuration information, at least one NIC port on the NIC, each NIC port being connected to one VM running on the host through single root input/output virtualization (SR-I/OV) technology;
    the NIC being further used to receive a second data packet of a data flow sent by a source VM, to query a flow table set according to match information of the second data packet and obtain the flow table corresponding to the data flow, the flow table corresponding to the data flow comprising routing information for the packets of the data flow; and further used to forward the second data packet to the external network according to the routing information for the packets of the data flow.
  30. The computing device according to claim 29, characterized in that the NIC is further used to receive a third data packet of the data flow, to query the flow table set according to match information of the third data packet and, in a case where the flow table corresponding to the data flow cannot be matched, to forward the third data packet to the host;
    the host being used, after receiving the third data packet, to obtain the flow table corresponding to the data flow from a software-defined networking (SDN) controller, so that the flow table corresponding to the data flow is added to the flow table set.
  31. The computing device according to claim 30, characterized in that the NIC is further used to query the flow table set according to the match information of the third data packet, to obtain the flow table corresponding to the data flow, and to forward the third data packet to the external network according to the routing information for the packets of the data flow.
  32. The computing device according to claim 30, characterized in that a virtual switch external network port is configured on the virtual switch;
    the host being further used to generate a returned third data packet, the returned third data packet containing a port identifier corresponding to the external network, the port identifier being a virtual switch external network port identifier or a NIC external network port identifier and being added by the host according to the routing information for the packets of the data flow;
    the NIC being further used to receive the returned third data packet and to forward the third data packet to the external network according to the port identifier.
  33. The computing device according to claim 30, characterized in that the virtual switch and the NIC communicate through a queue, the queue corresponding to the external network;
    the host being further used to send the third data packet to the queue;
    the NIC being further used to receive the third data packet from the queue and to forward the third data packet to the external network according to queue information of the queue.
  34. The computing device according to any one of claims 29 to 33, characterized in that the NIC is further used to add an overlay header to the second data packet to generate an overlay packet, the overlay header comprising a Virtual eXtensible Local Area Network (VXLAN) header, a Network Virtualization using Generic Routing Encapsulation (NVGRE) header, or a Stateless Transport Tunneling (STT) header; and further used to send the overlay packet to the external network.
  35. The computing device according to any one of claims 29 to 34, characterized in that, before the NIC queries the flow table set according to the match information of the second data packet, it is further used to perform a security group check on the second data packet and, after determining that the second data packet passes the security group check, to execute the step of querying the flow table set according to the match information of the second data packet.
PCT/CN2016/093095 2016-08-03 2016-08-03 Network interface card, computing device, and data packet processing method WO2018023498A1 (zh)

Priority Applications (7)

Application Number Priority Date Filing Date Title
EP19208469.7A EP3694159A1 (en) 2016-08-03 2016-08-03 Network interface card, computing device, and data packet processing method
EP16911095.4A EP3340547B1 (en) 2016-08-03 2016-08-03 Network interface card and data packet processing method
PCT/CN2016/093095 WO2018023498A1 (zh) 2016-08-03 2016-08-03 Network interface card, computing device, and data packet processing method
CN202010950859.4A CN112217747A (zh) 2016-08-03 2016-08-03 Network interface card, computing device, and data packet processing method
CN201680088008.5A CN109479028B (zh) 2016-08-03 2016-08-03 Network interface card, computing device, and data packet processing method
US15/927,102 US10623310B2 (en) 2016-08-03 2018-03-21 Network interface card, computing device, and data packet processing method
US16/817,275 US20200213222A1 (en) 2016-08-03 2020-03-12 Network Interface Card, Computing Device, and Data Packet Processing Method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2016/093095 WO2018023498A1 (zh) 2016-08-03 2016-08-03 网络接口卡、计算设备以及数据包处理方法

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US15/927,102 Continuation US10623310B2 (en) 2016-08-03 2018-03-21 Network interface card, computing device, and data packet processing method

Publications (1)

Publication Number Publication Date
WO2018023498A1 true WO2018023498A1 (zh) 2018-02-08
