WO2021151301A1 - OVS-based data packet processing method and apparatus, computer device, and computer readable storage medium

Publication number
WO2021151301A1
Authority
WO
WIPO (PCT)
Prior art keywords
mask
data packet
flow
flow table
target
Application number
PCT/CN2020/119054
Inventor
覃华伟
Original Assignee
平安科技(深圳)有限公司
Application filed by 平安科技(深圳)有限公司

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00: Routing or path finding of packets in data switching networks
    • H04L45/74: Address processing for routing
    • H04L45/745: Address table lookup; Address filtering
    • H04L45/7453: Address table lookup; Address filtering using hashing
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00: Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90: Details of database functions independent of the retrieved data types
    • G06F16/95: Retrieval from the web
    • G06F16/951: Indexing; Web crawling techniques
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00: Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90: Details of database functions independent of the retrieved data types
    • G06F16/95: Retrieval from the web
    • G06F16/953: Querying, e.g. by the use of web search engines
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00: Arrangements for program control, e.g. control units
    • G06F9/06: Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44: Arrangements for executing specific programs
    • G06F9/455: Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533: Hypervisors; Virtual machine monitors
    • G06F9/45558: Hypervisor-specific management and integration aspects
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00: Arrangements for program control, e.g. control units
    • G06F9/06: Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44: Arrangements for executing specific programs
    • G06F9/455: Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533: Hypervisors; Virtual machine monitors
    • G06F9/45558: Hypervisor-specific management and integration aspects
    • G06F2009/45595: Network integration; Enabling network access in virtual machine instances

Definitions

  • This application relates to the field of computer technology, and in particular to an OVS-based data packet processing method, device, computer equipment, and computer-readable storage medium.
  • OVS: Open vSwitch (Open Virtual Switch).
  • OVS implements switch components in software and can provide the data packet processing functions and other network features of a traditional physical switch.
  • the inventor realized that when a data packet is processed according to a flow table, the flow table and the data packet may be matched inaccurately, which reduces the accuracy of data packet processing. How to improve the accuracy of data packet processing has become a problem to be solved.
  • An OVS-based data packet processing method includes:
  • when the associated mask index does not exist in the preset mask index table, look up the target flow table of the data packet in the multiple ordinary flow tables according to the first mask, the first key information, and the preset flow mask table;
  • search the default flow table for the target flow table of the data packet according to the first mask, the first key information, and the preset flow mask table;
  • the processing instruction for the data packet is executed according to the target flow table of the data packet.
  • An OVS-based data packet processing device includes:
  • the obtaining module is used to obtain a data packet, the first mask of the data packet, a preset mask index table, a preset flow mask table, a plurality of ordinary flow tables and a default flow table, where the plurality of ordinary flow tables include processing instructions for routing data to the virtual machine, and the default flow table includes processing instructions for routing data to the gateway;
  • an extraction module for extracting the first key information from the data packet;
  • a judging module configured to judge whether there is an associated mask index of the first hash value in the preset mask index table;
  • the first search module is configured to, when the associated mask index does not exist in the preset mask index table, search for the target flow table of the data packet from the multiple ordinary flow tables according to the first mask, the first key information, and the preset flow mask table;
  • the second searching module is configured to, when the target flow table of the data packet is not found from the multiple ordinary flow tables, search the default flow table for the target flow table of the data packet according to the first mask, the first key information and the preset flow mask table;
  • the execution module is configured to execute processing instructions for the data packet according to the target flow table of the data packet.
  • a computer device includes a processor, and the processor implements the following steps when the processor is configured to execute computer-readable instructions stored in a memory:
  • when the associated mask index does not exist in the preset mask index table, look up the target flow table of the data packet in the multiple ordinary flow tables according to the first mask, the first key information, and the preset flow mask table;
  • search the default flow table for the target flow table of the data packet according to the first mask, the first key information, and the preset flow mask table;
  • the processing instruction for the data packet is executed according to the target flow table of the data packet.
  • a fourth aspect of the present application provides a computer-readable storage medium having computer-readable instructions stored thereon, and when the computer-readable instructions are executed by a processor, the following steps are implemented:
  • when the associated mask index does not exist in the preset mask index table, look up the target flow table of the data packet in the multiple ordinary flow tables according to the first mask, the first key information, and the preset flow mask table;
  • search the default flow table for the target flow table of the data packet according to the first mask, the first key information, and the preset flow mask table;
  • the processing instruction for the data packet is executed according to the target flow table of the data packet.
  • the ordinary flow tables and the default flow table are matched against the data packet to reduce the occurrence of incorrect matching between the flow table and the data packet, thereby improving the accuracy of processing the data packet according to the flow table.
  • Fig. 1 is a flowchart of an OVS-based data packet processing method provided by an embodiment of the present application.
  • Fig. 2 is a structural diagram of an OVS-based data packet processing device provided by an embodiment of the present application.
  • Fig. 3 is a schematic diagram of a computer device provided by an embodiment of the present application.
  • the OVS-based data packet processing method of this application is applied to one or more computer devices.
  • the computer device is a device that can automatically perform numerical calculation and/or information processing in accordance with pre-set or stored instructions.
  • Its hardware includes, but is not limited to, a microprocessor, an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), a digital signal processor (DSP), embedded devices, etc.
  • the computer device may be a computing device such as a desktop computer, a notebook, a palmtop computer, and a cloud server.
  • the computer device can interact with the user through a keyboard, a mouse, a remote control, a touch panel, or a voice control device.
  • Fig. 1 is a flowchart of an OVS-based data packet processing method provided in Embodiment 1 of the present application.
  • the OVS-based data packet processing method is applied to a virtual switch in a computer device, and is used to process data packets according to a flow table to improve the accuracy of data packet processing.
  • the OVS-based data packet processing method includes:
  • the data packet, the first mask, the preset mask index table, the preset flow mask table, the multiple ordinary flow tables, and the default flow table can be read from a local database.
  • the data packet, the first mask, the preset mask index table, the preset flow mask table, the multiple ordinary flow tables, and the default flow table can be pulled from the network.
  • the data packet may come from a first virtual machine in the computer device or a first virtual machine in a virtual network where the computer device is located.
  • the multiple ordinary flow tables include processing instructions for routing data to the second virtual machine.
  • the flow table can be classified according to the mask. Each mask corresponds to a mask index, and the mask can be searched through the mask index. All mask indexes constitute the mask index table. All masks constitute the preset mask table.
  • the first key information is a prerequisite for searching the flow table.
  • the first key information includes the source IP, destination IP address, and IP mask of the data packet.
  • the value of the first key information can be extracted from the key value corresponding to the first key information.
  • key information of the physical layer, key information of the MAC layer, key information of the network layer, key information of the transport layer, etc. can be extracted.
  • the first hash value can be calculated by a preset hash algorithm.
  • the first hash value is calculated based on the MD5 algorithm according to the data packet, the first mask, and the first key information.
  • the preset mask index table uses hash values as the primary key, and each hash value corresponds to a mask index.
  • the associated mask index may be searched for according to the first hash value.
  • the mask index corresponding to the first hash value is confirmed as the associated mask index.
  • the associated mask index does not exist in the preset mask index table.
  • the four virtual machines are a, b, c, and d.
  • the three ordinary flow tables are B, C, and D.
  • according to the ordinary flow table B, data packets can be directed from virtual machine a to virtual machine b.
  • the ordinary flow table C directs the data packet from virtual machine a to virtual machine c, and the data packet can be directed from virtual machine a to virtual machine d according to the ordinary flow table D.
  • the target flow table (such as B, C, or D) of the data packet can be searched for in the multiple ordinary flow tables according to the first mask, the first key information, and the preset flow mask table, so as to forward the data packet from virtual machine a to the virtual machine (such as b, c, or d) corresponding to the target flow table.
  • searching for the target flow table of the data packet from the multiple ordinary flow tables according to the first mask, the first key information, and the preset flow mask table includes:
  • the second mask matches the first mask
  • the second key information matches the first key information
  • the second key information matches the first key information from the multiple ordinary flow tables.
  • the target index value may be 1.
  • the maximum index value is the maximum value among all index values.
  • When the target flow table of the data packet is not found in the multiple ordinary flow tables, look up the target flow table of the data packet in the default flow table according to the first mask, the first key information, and the preset flow mask table.
  • gateway e, the default flow table E
  • data packets can be directed from virtual machine a to gateway e according to the default flow table E.
  • when the target flow table of the data packet is not found in the multiple ordinary flow tables (B, C, D), the target flow table of the data packet is looked up in the default flow table E according to the first mask, the first key information and the preset flow mask table.
  • the searching for the target flow table of the data packet from the default flow table according to the first mask, the first key information, and the preset flow mask table includes:
  • the first hash value matches the flow table.
  • the minimum index value may be zero.
  • the masks corresponding to the multiple given flow tables are the same.
  • the default flow table is searched with the packet.
  • when the target flow table of the data packet is found from the multiple ordinary flow tables, the OVS-based data packet processing method further includes:
  • the first hash value and the associated mask index are stored in association.
  • the OVS-based data packet processing method further includes:
  • When the target flow table of the data packet is not found in the default flow table, the data packet will be discarded or deleted, and will not be uploaded to the user layer through the upcall method.
  • executing the processing instruction for the data packet according to the target flow table of the data packet includes:
  • the data packet is forwarded to the target gateway according to the target flow table of the data packet.
  • the target flow table of the data packet includes a basic field, a matching field, and an action field.
  • the basic field includes the flow table identifier, the effective time of the flow table, the entry to which the flow table belongs, and the like.
  • the matching field includes port number, layer 2 protocol type, link layer source or destination MAC address, source IP address, IP mask, destination IP address, etc.
  • the action field includes "output:port" (sends the data packet from the port interface), "enqueue:port:queue" (enqueues the data packet into the specified queue of the specified port), "all" (sends the data packet to all interfaces other than the receiving interface), "drop" (drops the data packet), etc.
  • the action information of the flow table can be obtained from the action field, and the corresponding action can be executed according to the action information.
  • the OVS-based data packet processing method further includes:
  • the OVS-based data packet processing method of the first embodiment uses the ordinary flow tables and the default flow table to match the data packet to reduce the occurrence of incorrect matching of the flow table and the data packet, thereby improving the accuracy of processing the data packet according to the flow table.
  • data packets are processed according to the flow table to improve the accuracy of data packet processing.
  • Fig. 2 is a structural diagram of an OVS-based data packet processing device provided in the second embodiment of the present application.
  • the OVS-based data packet processing device 20 is applied to a virtual switch in a computer device.
  • the OVS-based data packet processing device 20 is used to process data packets according to the flow table to improve the accuracy of data packet processing.
  • the OVS-based data packet processing device 20 may include an acquisition module 201, an extraction module 202, a calculation module 203, a judgment module 204, a first search module 205, a second search module 206, and an execution module 207.
  • the obtaining module 201 is configured to obtain a data packet, a first mask of the data packet, a preset mask index table, a preset flow mask table, a plurality of ordinary flow tables, and a default flow table.
  • the multiple ordinary flow tables include processing instructions for routing data to the virtual machine, and the default flow table includes processing instructions for routing data to the gateway.
  • the data packet, the first mask, the preset mask index table, the preset flow mask table, the multiple ordinary flow tables, and the default flow table can be read from a local database.
  • the data packet, the first mask, the preset mask index table, the preset flow mask table, the multiple ordinary flow tables, and the default flow table can be pulled from the network.
  • the data packet may come from a first virtual machine in the computer device or a first virtual machine in a virtual network where the computer device is located.
  • the multiple ordinary flow tables include processing instructions for routing data to the second virtual machine.
  • the flow table can be classified according to the mask. Each mask corresponds to a mask index, and the mask can be searched through the mask index. All mask indexes constitute the mask index table. All masks constitute the preset mask table.
  • the extraction module 202 is configured to extract the first key information from the data packet.
  • the first key information is a prerequisite for searching the flow table.
  • the first key information includes the source IP, destination IP address, and IP mask of the data packet.
  • the value of the first key information can be extracted from the key value corresponding to the first key information.
  • key information of the physical layer, key information of the MAC layer, key information of the network layer, key information of the transport layer, etc. can be extracted.
  • the calculation module 203 is configured to calculate the first hash value of the data packet.
  • the first hash value can be calculated by a preset hash algorithm.
  • the first hash value is calculated based on the MD5 algorithm according to the data packet, the first mask, and the first key information.
  • the determining module 204 is configured to determine whether the associated mask index of the first hash value exists in the preset mask index table.
  • the preset mask index table uses hash values as the primary key, and each hash value corresponds to a mask index.
  • the associated mask index may be searched for according to the first hash value.
  • the mask index corresponding to the first hash value is confirmed as the associated mask index.
  • the associated mask index does not exist in the preset mask index table.
  • the first search module 205 is configured to, when the associated mask index does not exist in the preset mask index table, search for the target flow table of the data packet from the multiple ordinary flow tables according to the first mask, the first key information, and the preset flow mask table.
  • the four virtual machines are a, b, c, and d.
  • the three ordinary flow tables are B, C, and D.
  • according to the ordinary flow table B, data packets can be directed from virtual machine a to virtual machine b.
  • the ordinary flow table C directs the data packet from virtual machine a to virtual machine c, and the data packet can be directed from virtual machine a to virtual machine d according to the ordinary flow table D.
  • the target flow table (such as B, C, or D) of the data packet can be searched for in the multiple ordinary flow tables according to the first mask, the first key information, and the preset flow mask table, so as to forward the data packet from virtual machine a to the virtual machine (such as b, c, or d) corresponding to the target flow table.
  • searching for the target flow table of the data packet from the multiple ordinary flow tables according to the first mask, the first key information, and the preset flow mask table includes:
  • the second mask matches the first mask
  • the second key information matches the first key information
  • the second key information matches the first key information from the multiple ordinary flow tables.
  • the target index value may be 1.
  • the maximum index value is the maximum value among all index values.
  • the second searching module 206 is configured to, when the target flow table of the data packet is not found from the multiple ordinary flow tables, search the default flow table for the target flow table of the data packet according to the first mask, the first key information and the preset flow mask table.
  • gateway e, the default flow table E
  • data packets can be directed from virtual machine a to gateway e according to the default flow table E.
  • when the target flow table of the data packet is not found in the multiple ordinary flow tables (B, C, D), the target flow table of the data packet is looked up in the default flow table E according to the first mask, the first key information and the preset flow mask table.
  • the searching for the target flow table of the data packet from the default flow table according to the first mask, the first key information, and the preset flow mask table includes:
  • the first hash value matches the flow table.
  • the minimum index value may be zero.
  • the masks corresponding to the multiple given flow tables are the same.
  • the default flow table is searched with the packet.
  • when the target flow table of the data packet is found from the multiple ordinary flow tables, the OVS-based data packet processing apparatus further includes a storage module for obtaining the fourth mask corresponding to the target flow table of the data packet;
  • the first hash value and the associated mask index are stored in association.
  • when the target flow table of the data packet is not found in the default flow table, the OVS-based data packet processing device further includes a deleting device for deleting the data packet, so that the data packet is not uploaded to the user layer.
  • When the target flow table of the data packet is not found in the default flow table, the data packet will be discarded or deleted, and will not be uploaded to the user layer through the upcall method.
  • the execution module 207 is configured to execute processing instructions for the data packet according to the target flow table of the data packet.
  • executing the processing instruction for the data packet according to the target flow table of the data packet includes:
  • the data packet is forwarded to the target gateway according to the target flow table of the data packet.
  • the target flow table of the data packet includes a basic field, a matching field, and an action field.
  • the basic field includes the flow table identifier, the effective time of the flow table, the entry to which the flow table belongs, and the like.
  • the matching field includes port number, layer 2 protocol type, link layer source or destination MAC address, source IP address, IP mask, destination IP address, etc.
  • the action field includes "output:port" (sends the data packet from the port interface), "enqueue:port:queue" (enqueues the data packet into the specified queue of the specified port), "all" (sends the data packet to all interfaces other than the receiving interface), "drop" (drops the data packet), etc.
  • the action information of the flow table can be obtained from the action field, and the corresponding action can be executed according to the action information.
  • the OVS-based data packet processing apparatus further includes a forwarding module for determining, through the target gateway, the target virtual machine that the data packet needs to reach;
  • the OVS-based data packet processing device 20 of the second embodiment matches the data packet with the ordinary flow tables and the default flow table, reducing the occurrence of incorrect matching of the flow table and the data packet, thereby improving the accuracy of processing data packets according to the flow table.
  • data packets are processed according to the flow table to improve the accuracy of data packet processing.
  • This embodiment provides a computer-readable storage medium.
  • the computer-readable storage medium may be volatile or nonvolatile.
  • the computer-readable storage medium stores computer-readable instructions, and when the computer-readable instructions are executed by the processor, the steps in the above-mentioned OVS-based data packet processing method embodiment are implemented, for example, steps 101-107 shown in Fig. 1:
  • Acquire a data packet, a first mask of the data packet, a preset mask index table, a preset flow mask table, multiple ordinary flow tables, and a default flow table, where the multiple ordinary flow tables include processing instructions for routing data to a virtual machine, and the default flow table includes processing instructions for routing data to a gateway;
  • each module in the above-mentioned device embodiment is realized, for example, the modules 201-207 in Fig. 2:
  • the obtaining module 201 is configured to obtain a data packet, a first mask of the data packet, a preset mask index table, a preset flow mask table, a plurality of ordinary flow tables, and a default flow table, where the plurality of ordinary flow tables include processing instructions for routing data to the virtual machine, and the default flow table includes processing instructions for routing data to the gateway;
  • the extraction module 202 is configured to extract the first key information from the data packet;
  • the calculation module 203 is configured to calculate the first hash value of the data packet;
  • the determining module 204 is configured to determine whether the associated mask index of the first hash value exists in the preset mask index table;
  • the first search module 205 is configured to, when the associated mask index does not exist in the preset mask index table, look up the target flow table of the data packet from the multiple ordinary flow tables according to the first mask, the first key information, and the preset flow mask table;
  • the second searching module 206 is configured to, when the target flow table of the data packet is not found from the multiple ordinary flow tables, search the default flow table for the target flow table of the data packet according to the first mask, the first key information and the preset flow mask table;
  • the execution module 207 is configured to execute processing instructions for the data packet according to the target flow table of the data packet.
  • FIG. 3 is a schematic diagram of a computer device provided in Embodiment 3 of this application.
  • the computer device 30 includes a memory 301, a processor 302, and computer-readable instructions 303 stored in the memory 301 and running on the processor 302, such as an OVS-based data packet processing program.
  • when the processor 302 executes the computer-readable instructions 303, the steps in the above-mentioned OVS-based data packet processing method embodiment are implemented, for example, 101-107 shown in FIG. 1:
  • Acquire a data packet, a first mask of the data packet, a preset mask index table, a preset flow mask table, multiple ordinary flow tables, and a default flow table, where the multiple ordinary flow tables include processing instructions for routing data to a virtual machine, and the default flow table includes processing instructions for routing data to a gateway;
  • each module in the above-mentioned device embodiment is realized, for example, the modules 201-207 in Fig. 2:
  • the obtaining module 201 is configured to obtain a data packet, a first mask of the data packet, a preset mask index table, a preset flow mask table, a plurality of ordinary flow tables, and a default flow table, where the plurality of ordinary flow tables include processing instructions for routing data to the virtual machine, and the default flow table includes processing instructions for routing data to the gateway;
  • the extraction module 202 is configured to extract the first key information from the data packet;
  • the calculation module 203 is configured to calculate the first hash value of the data packet;
  • the determining module 204 is configured to determine whether the associated mask index of the first hash value exists in the preset mask index table;
  • the first search module 205 is configured to, when the associated mask index does not exist in the preset mask index table, look up the target flow table of the data packet from the multiple ordinary flow tables according to the first mask, the first key information, and the preset flow mask table;
  • the second searching module 206 is configured to, when the target flow table of the data packet is not found from the multiple ordinary flow tables, search the default flow table for the target flow table of the data packet according to the first mask, the first key information and the preset flow mask table;
  • the execution module 207 is configured to execute processing instructions for the data packet according to the target flow table of the data packet.
  • the computer-readable instruction 303 may be divided into one or more modules, and the one or more modules are stored in the memory 301 and executed by the processor 302 to complete the method.
  • the one or more modules may be a series of computer-readable instruction segments capable of completing specific functions, and the instruction segments are used to describe the execution process of the computer-readable instruction 303 in the computer device 30.
  • the computer-readable instruction 303 can be divided into the acquisition module 201, the extraction module 202, the calculation module 203, the judgment module 204, the first search module 205, the second search module 206, and the execution module 207 in FIG. 2. Refer to the second embodiment for the specific functions of each module.
  • the schematic diagram in FIG. 3 is only an example of the computer device 30 and does not constitute a limitation on the computer device 30, which may include more or fewer components than those shown in the figure, combine certain components, or use different components.
  • the computer device 30 may also include input and output devices, network access devices, buses, and so on.
  • the so-called processor 302 may be a central processing unit (Central Processing Unit, CPU), other general-purpose processors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (ASIC), Field-Programmable Gate Array (FPGA) or other programmable logic devices, discrete gates or transistor logic devices, discrete hardware components, etc.
  • the general-purpose processor can be a microprocessor or the processor 302 can also be any conventional processor, etc.
  • the processor 302 is the control center of the computer device 30, which uses various interfaces and lines to connect the various parts of the entire computer device 30.
  • the memory 301 can be used to store the computer-readable instructions 303, and the processor 302 runs or executes the computer-readable instructions or modules stored in the memory 301 and calls data stored in the memory 301 to implement various functions of the computer device 30.
  • the memory 301 may mainly include a storage program area and a storage data area.
  • the storage program area may store an operating system, an application program required by at least one function (such as a sound playback function, an image playback function, etc.), etc.; the storage data area may store data and the like created according to the use of the computer device 30.
  • the memory 301 may include a hard disk, a memory, a plug-in hard disk, a smart memory card (Smart Media Card, SMC), a Secure Digital (SD) card, a flash card (Flash Card), at least one disk storage device, a flash memory device, read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), or other non-volatile/volatile storage devices.
  • if the integrated module of the computer device 30 is implemented in the form of a software function module and sold or used as an independent product, it can be stored in a computer readable storage medium.
  • this application implements all or part of the processes in the above-mentioned embodiments and methods, and can also be completed by instructing relevant hardware through computer-readable instructions, and the computer-readable instructions can be stored in a computer-readable storage medium.
  • when the computer-readable instruction is executed by the processor, it can implement the steps of the foregoing method embodiments.
  • the computer-readable instruction includes computer-readable instruction code
  • the computer-readable instruction code may be in the form of source code, object code, executable file, or some intermediate form.
  • the computer-readable medium may include: any entity or device capable of carrying the computer-readable instruction code, recording medium, U disk, mobile hard disk, magnetic disk, optical disk, computer memory, read-only memory (ROM), random access memory (RAM) and so on.
  • the OVS-based data packet processing method provided by this application further ensures the privacy and security of all the above-mentioned data
  • all the above-mentioned data can also be stored in a node of a blockchain.
  • ordinary flow tables and target flow tables, etc. these data can be stored in the blockchain node.
  • the blockchain referred to in this application is a new application mode of computer technology such as distributed data storage, point-to-point transmission, consensus mechanism, and encryption algorithm.
  • modules described as separate components may or may not be physically separated, and the components displayed as modules may or may not be physical modules, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the modules can be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
  • the functional modules in the various embodiments of the present application may be integrated into one processing module, or each module may exist alone physically, or two or more modules may be integrated into one module.
  • the above-mentioned integrated modules can be implemented in the form of hardware, or in the form of hardware plus software functional modules.
  • the above-mentioned integrated modules implemented in the form of software functional modules may be stored in a computer readable storage medium.
  • the above-mentioned software function module is stored in a storage medium, and includes several instructions to make a computer device (which can be a personal computer, a server, or a network device, etc.) or a processor execute part of the steps of the OVS-based data packet processing method.

Abstract

The present application relates to the technical field of computers and provides an OVS-based data packet processing method and related devices. The OVS-based data packet processing method comprises: extracting first key information from a data packet; calculating a first hash value of the data packet; determining whether a mask index related to the first hash value is present in a pre-set mask index table; if no related mask index is present in the pre-set mask index table, searching, according to a first mask, the first key information, and the pre-set flow mask table, multiple general flow tables for a target flow table of the data packet; if no target flow table of the data packet is found from the multiple general flow tables, searching, according to the first mask, the first key information, and the pre-set flow mask table, the default flow table for a target flow table of the data packet; executing a processing instruction on the data packet according to the target flow table of the data packet. In the present application, data packets are processed according to a flow table, thereby enhancing the accuracy of data packet processing.

Description

OVS-based data packet processing method, apparatus, computer device and computer-readable storage medium
This application claims priority to the Chinese patent application filed with the Chinese Patent Office on August 7, 2020, with application number CN202010788980.1 and the invention title "OVS-based data packet processing method and related equipment", the entire content of which is incorporated into this application by reference.
Technical field
This application relates to the field of computer technology, and in particular to an OVS-based data packet processing method, apparatus, computer device, and computer-readable storage medium.
Background
OVS (Openvswitch, Open Virtual Switch) is open source software widely used on virtualization platforms. OVS implements switch components in software, and can provide the data packet processing functions of traditional physical switches as well as other network features.
Technical problem
The inventor realized that when data packets are processed according to flow tables, a flow table may be matched to a data packet inaccurately. Inaccurate matching between flow tables and data packets reduces the accuracy of data packet processing. How to improve the accuracy of data packet processing has become a problem to be solved.
Technical solution
An OVS-based data packet processing method, the OVS-based data packet processing method comprising:
Acquiring a data packet, a first mask of the data packet, a preset mask index table, a preset flow mask table, multiple ordinary flow tables and a default flow table, where the multiple ordinary flow tables include processing instructions for routing data to a virtual machine, and the default flow table includes processing instructions for routing data to a gateway;
Extracting first key information from the data packet;
Calculating a first hash value of the data packet;
Determining whether an associated mask index of the first hash value exists in the preset mask index table;
When the associated mask index does not exist in the preset mask index table, searching the multiple ordinary flow tables for the target flow table of the data packet according to the first mask, the first key information and the preset flow mask table;
When the target flow table of the data packet is not found in the multiple ordinary flow tables, searching the default flow table for the target flow table of the data packet according to the first mask, the first key information and the preset flow mask table;
Executing a processing instruction for the data packet according to the target flow table of the data packet.
An OVS-based data packet processing apparatus, the OVS-based data packet processing apparatus comprising:
An acquisition module, configured to acquire a data packet, a first mask of the data packet, a preset mask index table, a preset flow mask table, multiple ordinary flow tables and a default flow table, where the multiple ordinary flow tables include processing instructions for routing data to a virtual machine, and the default flow table includes processing instructions for routing data to a gateway;
An extraction module, configured to extract first key information from the data packet;
A calculation module, configured to calculate a first hash value of the data packet;
A judgment module, configured to determine whether an associated mask index of the first hash value exists in the preset mask index table;
A first search module, configured to, when the associated mask index does not exist in the preset mask index table, search the multiple ordinary flow tables for the target flow table of the data packet according to the first mask, the first key information and the preset flow mask table;
A second search module, configured to, when the target flow table of the data packet is not found in the multiple ordinary flow tables, search the default flow table for the target flow table of the data packet according to the first mask, the first key information and the preset flow mask table;
An execution module, configured to execute a processing instruction for the data packet according to the target flow table of the data packet.
A computer device, the computer device comprising a processor, where the processor implements the following steps when executing computer-readable instructions stored in a memory:
Acquiring a data packet, a first mask of the data packet, a preset mask index table, a preset flow mask table, multiple ordinary flow tables and a default flow table, where the multiple ordinary flow tables include processing instructions for routing data to a virtual machine, and the default flow table includes processing instructions for routing data to a gateway;
Extracting first key information from the data packet;
Calculating a first hash value of the data packet;
Determining whether an associated mask index of the first hash value exists in the preset mask index table;
When the associated mask index does not exist in the preset mask index table, searching the multiple ordinary flow tables for the target flow table of the data packet according to the first mask, the first key information and the preset flow mask table;
When the target flow table of the data packet is not found in the multiple ordinary flow tables, searching the default flow table for the target flow table of the data packet according to the first mask, the first key information and the preset flow mask table;
Executing a processing instruction for the data packet according to the target flow table of the data packet.
A fourth aspect of the present application provides a computer-readable storage medium on which computer-readable instructions are stored, where the following steps are implemented when the computer-readable instructions are executed by a processor:
Acquiring a data packet, a first mask of the data packet, a preset mask index table, a preset flow mask table, multiple ordinary flow tables and a default flow table, where the multiple ordinary flow tables include processing instructions for routing data to a virtual machine, and the default flow table includes processing instructions for routing data to a gateway;
Extracting first key information from the data packet;
Calculating a first hash value of the data packet;
Determining whether an associated mask index of the first hash value exists in the preset mask index table;
When the associated mask index does not exist in the preset mask index table, searching the multiple ordinary flow tables for the target flow table of the data packet according to the first mask, the first key information and the preset flow mask table;
When the target flow table of the data packet is not found in the multiple ordinary flow tables, searching the default flow table for the target flow table of the data packet according to the first mask, the first key information and the preset flow mask table;
Executing a processing instruction for the data packet according to the target flow table of the data packet.
Beneficial effect
This application matches data packets against ordinary flow tables and a default flow table, which reduces incorrect matches between flow tables and data packets and thereby improves the accuracy of processing data packets according to flow tables.
Description of the drawings
Fig. 1 is a flowchart of an OVS-based data packet processing method provided by an embodiment of the present application.
Fig. 2 is a structural diagram of an OVS-based data packet processing apparatus provided by an embodiment of the present application.
Fig. 3 is a schematic diagram of a computer device provided by an embodiment of the present application.
Embodiments of the present invention
In order to understand the above objectives, features and advantages of the application more clearly, the application is described in detail below with reference to the accompanying drawings and specific embodiments. It should be noted that the embodiments of the application and the features in the embodiments can be combined with each other if there is no conflict.
Many specific details are set forth in the following description to facilitate a full understanding of the present application. The described embodiments are only a part of the embodiments of the present application, rather than all of them.
Unless otherwise defined, all technical and scientific terms used herein have the same meaning as commonly understood by those skilled in the technical field of this application. The terms used in the specification of the application are only for the purpose of describing specific embodiments, and are not intended to limit the application.
Preferably, the OVS-based data packet processing method of this application is applied to one or more computer devices. The computer device is a device that can automatically perform numerical calculation and/or information processing according to preset or stored instructions. Its hardware includes, but is not limited to, a microprocessor, an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA), a digital signal processor (DSP), embedded devices, etc.
The computer device may be a computing device such as a desktop computer, a notebook, a palmtop computer, or a cloud server. The computer device can interact with the user through a keyboard, a mouse, a remote control, a touch panel, or a voice control device.
Embodiment 1
Fig. 1 is a flowchart of the OVS-based data packet processing method provided in Embodiment 1 of the present application. The OVS-based data packet processing method is applied to a virtual switch in a computer device, and is used to process data packets according to flow tables and improve the accuracy of data packet processing.
As shown in Fig. 1, the OVS-based data packet processing method includes:
101. Acquire a data packet, a first mask of the data packet, a preset mask index table, a preset flow mask table, multiple ordinary flow tables, and a default flow table, where the multiple ordinary flow tables include processing instructions for routing data to a virtual machine, and the default flow table includes processing instructions for routing data to a gateway.
The data packet, the first mask, the preset mask index table, the preset flow mask table, the multiple ordinary flow tables, and the default flow table can be read from a local database.
The data packet, the first mask, the preset mask index table, the preset flow mask table, the multiple ordinary flow tables, and the default flow table can be pulled from the network.
The data packet may come from a first virtual machine in the computer device or a first virtual machine in the virtual network where the computer device is located. The multiple ordinary flow tables include processing instructions for routing data to a second virtual machine.
Flow tables can be classified by mask. Each mask corresponds to one mask index, and a mask can be looked up by its mask index. All mask indexes make up the mask index table. All masks make up the preset mask table.
102. Extract the first key information from the data packet.
The first key information is a prerequisite for looking up a flow table. The first key information includes the source IP, destination IP address, IP mask, etc. of the data packet.
The value of the first key information can be extracted using the key corresponding to the first key information.
Specifically, key information of the physical layer, key information of the MAC layer, key information of the network layer, key information of the transport layer, etc. can be extracted.
103. Calculate the first hash value of the data packet.
The first hash value can be calculated by a preset hash algorithm.
Specifically, the first hash value is calculated from the data packet, the first mask, and the first key information based on the MD5 algorithm.
The first hash value is calculated from the data packet based on the SHA-1 algorithm.
104. Determine whether the associated mask index of the first hash value exists in the preset mask index table.
The preset mask index table uses hash values as its primary key, and each hash value corresponds to one mask index. The associated mask index can be looked up by the first hash value.
When the first hash value is found in the preset mask index table, the mask index corresponding to the first hash value is confirmed as the associated mask index.
When the first hash value is not found in the preset mask index table, the associated mask index does not exist in the preset mask index table.
105. When the associated mask index does not exist in the preset mask index table, search the multiple ordinary flow tables for the target flow table of the data packet according to the first mask, the first key information, and the preset flow mask table.
For example, suppose there are four virtual machines a, b, c and d, and three ordinary flow tables B, C and D. Data packets can be directed from virtual machine a to virtual machine b according to ordinary flow table B, from virtual machine a to virtual machine c according to ordinary flow table C, and from virtual machine a to virtual machine d according to ordinary flow table D. The target flow table of the data packet (such as B, C, or D) can be looked up from the multiple ordinary flow tables according to the first mask, the first key information, and the preset flow mask table, so that the data packet is forwarded from virtual machine a to the virtual machine corresponding to the target flow table (such as b, c, or d).
In a specific embodiment, searching the multiple ordinary flow tables for the target flow table of the data packet according to the first mask, the first key information, and the preset flow mask table includes:
Acquiring a maximum index value and a target index value of the preset mask table, the maximum index value being greater than the target index value;
Acquiring second masks from the preset mask table one by one, in order from the maximum index value to the target index value, the second mask corresponding to multiple designated flow tables among the multiple ordinary flow tables;
For each designated flow table among the multiple designated flow tables, acquiring second key information of the designated flow table and a second hash value of the designated flow table;
Searching the multiple ordinary flow tables for the flow table whose second mask matches the first mask, whose second key information matches the first key information, and whose second hash value matches the first hash value.
Specifically, the flow table whose second mask matches the first mask, whose second key information matches the first key information, and whose second hash value matches the first hash value can be looked up from the multiple ordinary flow tables based on the masked_flow_lookup method.
The target index value may be 1. The maximum index value is the maximum among all index values.
106. When the target flow table of the data packet is not found in the multiple ordinary flow tables, search the default flow table for the target flow table of the data packet according to the first mask, the first key information, and the preset flow mask table.
For example, with gateway e and default flow table E, data packets can be directed from virtual machine a to gateway e according to default flow table E. When the target flow table of the data packet is not found in the multiple ordinary flow tables (B, C, D), the target flow table of the data packet is looked up from default flow table E according to the first mask, the first key information, and the preset flow mask table.
In a specific embodiment, searching the default flow table for the target flow table of the data packet according to the first mask, the first key information, and the preset flow mask table includes:
Acquiring the minimum index value of the preset mask table;
Acquiring a third mask corresponding to the default flow table from the preset mask table according to the minimum index value;
Acquiring multiple given flow tables in the default flow table;
For each given flow table among the multiple given flow tables, acquiring third key information of the given flow table and a third hash value of the given flow table;
Searching the multiple given flow tables for the flow table whose third mask matches the first mask, whose third key information matches the first key information, and whose third hash value matches the first hash value.
The minimum index value may be 0. The multiple given flow tables correspond to the same mask.
Only when the target flow table of the data packet is not found in the multiple ordinary flow tables, that is, when the data packet does not match the multiple ordinary flow tables, is the default flow table searched for the data packet.
In another embodiment, when the target flow table of the data packet is found in the multiple ordinary flow tables, the OVS-based data packet processing method further includes:
Acquiring a fourth mask corresponding to the target flow table of the data packet;
Determining the index value of the fourth mask as the associated mask index;
Storing the first hash value and the associated mask index in association with each other.
In another embodiment, when the target flow table of the data packet is not found in the default flow table, the OVS-based data packet processing method further includes:
Deleting the data packet, so that the data packet is not uploaded to the user layer.
When the target flow table of the data packet is not found in the default flow table, the data packet is discarded or deleted, and is not uploaded to the user layer through the upcall method.
107. Execute a processing instruction for the data packet according to the target flow table of the data packet.
In a specific embodiment, executing the processing instruction for the data packet according to the target flow table of the data packet includes:
Forwarding the data packet to the target gateway according to the target flow table of the data packet.
The target flow table of the data packet includes a basic field, a matching field, and an action field. The basic field includes the flow table identifier, the effective time of the flow table, the table entry to which the flow table belongs, and the like. The matching field includes the port number, layer 2 protocol type, link layer source or destination MAC address, source IP address, IP mask, destination IP address, etc. The action field includes "output:port" (send the data packet out of the port interface), "enqueue:port:queue" (enqueue the data packet into the specified queue of the specified port), "all" (send the data packet to all interfaces except the receiving interface), "drop" (discard the data packet), etc. The action information of the flow table can be obtained from the action field, and the corresponding action is executed according to the action information.
In another embodiment, after the data packet is forwarded to the target gateway according to the target flow table of the data packet, the OVS-based data packet processing method further includes:
Determining, through the target gateway, the target virtual machine that the data packet needs to reach;
Receiving the ordinary flow table of the target gateway;
When a same-flow data packet with the same hash value as the data packet is received, forwarding the same-flow data packet to the target virtual machine according to the received ordinary flow table of the target gateway.
The OVS-based data packet processing method of Embodiment 1 matches data packets against ordinary flow tables and a default flow table, which reduces incorrect matches between flow tables and data packets and thereby improves the accuracy of processing data packets according to flow tables. Embodiment 1 processes data packets according to flow tables and improves the accuracy of data packet processing.
Embodiment 2
FIG. 2 is a structural diagram of the OVS-based data packet processing device provided in Embodiment 2 of this application. The OVS-based data packet processing device 20 is applied to a virtual switch in a computer device. The OVS-based data packet processing device 20 is used to process data packets according to flow tables and to improve the accuracy of data packet processing.
As shown in FIG. 2, the OVS-based data packet processing device 20 may include an acquisition module 201, an extraction module 202, a calculation module 203, a judgment module 204, a first search module 205, a second search module 206, and an execution module 207.
The acquisition module 201 is configured to obtain a data packet, a first mask of the data packet, a preset mask index table, a preset flow mask table, multiple ordinary flow tables and a default flow table, where the multiple ordinary flow tables include processing instructions for routing data to a virtual machine, and the default flow table includes processing instructions for routing data to a gateway.
The data packet, the first mask, the preset mask index table, the preset flow mask table, the multiple ordinary flow tables and the default flow table can be read from a local database.
The data packet, the first mask, the preset mask index table, the preset flow mask table, the multiple ordinary flow tables and the default flow table can be pulled from the network.
The data packet may come from a first virtual machine in the computer device or from a first virtual machine in the virtual network where the computer device is located. The multiple ordinary flow tables include processing instructions for routing data to a second virtual machine.
Flow tables can be classified by mask. Each mask corresponds to one mask index, and a mask can be looked up through its mask index. All mask indexes together form the mask index table. All masks together form the preset mask table.
The extraction module 202 is configured to extract first key information from the data packet.
The first key information is the prerequisite for searching the flow tables. The first key information includes the source IP address, the destination IP address, the IP mask and so on of the data packet.
The value of the first key information can be extracted using the key that corresponds to the first key information.
Specifically, key information of the physical layer, the MAC layer, the network layer, the transport layer and so on can be extracted.
The calculation module 203 is configured to calculate a first hash value of the data packet.
The first hash value can be calculated with a preset hash algorithm.
Specifically, the first hash value is calculated with the MD5 algorithm from the data packet, the first mask and the first key information.
The first hash value is calculated with the SHA-1 algorithm from the data packet.
The judgment module 204 is configured to determine whether an associated mask index of the first hash value exists in the preset mask index table.
The preset mask index table uses the hash value as its primary key, and each hash value corresponds to one mask index. The associated mask index can be looked up according to the first hash value.
When the first hash value is found in the preset mask index table, the mask index corresponding to the first hash value is confirmed as the associated mask index.
When the first hash value is not found in the preset mask index table, the associated mask index does not exist in the preset mask index table.
The first search module 205 is configured to, when the associated mask index does not exist in the preset mask index table, search the multiple ordinary flow tables for the target flow table of the data packet according to the first mask, the first key information and the preset flow mask table.
For example, suppose there are four virtual machines a, b, c and d and three ordinary flow tables B, C and D. Ordinary flow table B directs data packets from virtual machine a to virtual machine b, ordinary flow table C directs data packets from virtual machine a to virtual machine c, and ordinary flow table D directs data packets from virtual machine a to virtual machine d. The target flow table of a data packet (B, C or D) can be found among the multiple ordinary flow tables according to the first mask, the first key information and the preset flow mask table, so that the data packet is forwarded from virtual machine a to the virtual machine (b, c or d) corresponding to the target flow table.
In a specific embodiment, searching the multiple ordinary flow tables for the target flow table of the data packet according to the first mask, the first key information and the preset flow mask table includes:
obtaining the maximum index value and the target index value of the preset mask table, where the maximum index value is greater than the target index value;
obtaining second masks from the preset mask table one by one, in order from the maximum index value down to the target index value, where each second mask corresponds to multiple designated flow tables among the multiple ordinary flow tables;
for each designated flow table among the multiple designated flow tables, obtaining the second key information of the designated flow table and the second hash value of the designated flow table;
searching the multiple ordinary flow tables for a flow table whose second mask matches the first mask, whose second key information matches the first key information, and whose second hash value matches the first hash value.
Specifically, the masked_flow_lookup method can be used to search the multiple ordinary flow tables for a flow table whose second mask matches the first mask, whose second key information matches the first key information, and whose second hash value matches the first hash value.
The target index value may be 1. The maximum index value is the largest of all index values.
The second search module 206 is configured to, when the target flow table of the data packet is not found among the multiple ordinary flow tables, search the default flow table for the target flow table of the data packet according to the first mask, the first key information and the preset flow mask table.
For example, with a gateway e and a default flow table E, data packets can be directed from virtual machine a to gateway e according to default flow table E. When the target flow table of the data packet is not found among the multiple ordinary flow tables (B, C, D), the target flow table of the data packet is searched for in default flow table E according to the first mask, the first key information and the preset flow mask table.
In a specific embodiment, searching the default flow table for the target flow table of the data packet according to the first mask, the first key information and the preset flow mask table includes:
obtaining the minimum index value of the preset mask table;
obtaining, from the preset mask table according to the minimum index value, the third mask corresponding to the default flow table;
obtaining the multiple given flow tables in the default flow table;
for each given flow table among the multiple given flow tables, obtaining the third key information of the given flow table and the third hash value of the given flow table;
searching the multiple given flow tables for a flow table whose third mask matches the first mask, whose third key information matches the first key information, and whose third hash value matches the first hash value.
The minimum index value may be 0. The multiple given flow tables all correspond to the same mask.
Only when the target flow table of the data packet is not found among the multiple ordinary flow tables, that is, when the data packet does not match the multiple ordinary flow tables, is the default flow table searched for the data packet.
In another embodiment, when the target flow table of the data packet is found among the multiple ordinary flow tables, the OVS-based data packet processing device further includes a storage module, configured to obtain the fourth mask corresponding to the target flow table of the data packet;
determine the index value of the fourth mask as the associated mask index;
store the first hash value and the associated mask index in association.
In another embodiment, when the target flow table of the data packet is not found in the default flow table, the OVS-based data packet processing device further includes a deletion device, configured to delete the data packet so that the data packet is not uploaded to the user layer.
When the target flow table of the data packet is not found in the default flow table, the data packet is discarded or deleted and is not uploaded to the user layer through the upcall method.
The execution module 207 is configured to execute the processing instruction for the data packet according to the target flow table of the data packet.
In a specific embodiment, executing the processing instruction for the data packet according to the target flow table of the data packet includes:
forwarding the data packet to a target gateway according to the target flow table of the data packet.
The target flow table of the data packet includes a basic field, a matching field, and an action field. The basic field includes the flow table identifier, the time at which the flow table takes effect, the table entry to which the flow table belongs, and so on. The matching field includes the port number, the layer 2 protocol type, the link-layer source or destination MAC address, the source IP address, the IP mask, the destination IP address, and so on. The action field includes "output:port" (send the data packet out of the port interface), "enqueue:port:queue" (enqueue the data packet into the specified queue of the specified port), "all" (send the data packet to all interfaces except the receiving interface), "drop" (discard the data packet), and so on. The action information of the flow table can be obtained from the action field, and the corresponding action is executed according to that action information.
In another embodiment, after the data packet is forwarded to the target gateway according to the target flow table of the data packet, the OVS-based data packet processing device further includes a forwarding module, configured to determine, through the target gateway, the target virtual machine that the data packet needs to reach;
receive the ordinary flow table of the target gateway;
when a same-flow data packet with the same hash value as the data packet is received, forward the same-flow data packet to the target virtual machine according to the received ordinary flow table of the target gateway.
The OVS-based data packet processing device 20 of Embodiment 2 matches data packets against the ordinary flow tables and the default flow table, which reduces incorrect matches between flow tables and data packets and thereby improves the accuracy of processing data packets according to flow tables. Embodiment 2 processes data packets according to flow tables and improves the accuracy of data packet processing.
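The lookup order described for modules 204 to 206 and the storage and deletion variants (hash-keyed mask index table, ordinary flow tables walked from the maximum mask index down to the target index, default flow table at index 0, drop without upcall otherwise), as an added C example that is not code from the application or from Open vSwitch. The addresses, masks, table contents, the FNV-1a hash standing in for the preset hash algorithm, and all identifiers are constructed; trying a cached mask index first on a hit is an assumption, since this section only describes the miss path.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                        ((uint32_t)(c) << 8) | (uint32_t)(d))
#define DEFAULT_IDX 0   /* minimum index: mask of the default flow table */
#define TARGET_IDX  1   /* lowest index used by ordinary flow tables */
#define MAX_IDX     2   /* maximum index in this constructed mask table */
#define CACHE_SLOTS 16

struct flow_key { uint32_t src_ip, dst_ip; };
struct flow { int mask_idx; struct flow_key key; char target; };
struct cache_slot { uint32_t hash; int mask_idx; int used; };

/* Constructed mask table (hypothetical values). */
static const struct flow_key masks[] = {
    { 0xFFFFFFFFu, 0x00000000u },   /* 0: source only (default flows) */
    { 0xFFFFFFFFu, 0xFFFFFFFFu },   /* 1: exact source and destination */
    { 0xFFFFFFFFu, 0xFFFFFF00u },   /* 2: exact source, /24 destination */
};

/* Constructed flows named after the page's example: B, C, D lead to
 * virtual machines b, c, d; E is the default flow leading to gateway e.
 * Keys are stored already masked. */
static const struct flow flows[] = {
    { 1, { IP(10, 0, 0, 1), IP(10, 0, 0, 2) }, 'b' },
    { 2, { IP(10, 0, 0, 1), IP(10, 0, 1, 0) }, 'c' },
    { 2, { IP(10, 0, 0, 1), IP(10, 0, 2, 0) }, 'd' },
    { 0, { IP(10, 0, 0, 1), 0 },               'e' },
};
#define N_FLOWS (sizeof flows / sizeof flows[0])

static struct cache_slot mask_cache[CACHE_SLOTS];  /* hash -> mask index */

void cache_reset(void) { memset(mask_cache, 0, sizeof mask_cache); }

/* FNV-1a over the key bytes; a stand-in for the page's preset hash. */
static uint32_t key_hash(const struct flow_key *k)
{
    const uint32_t words[2] = { k->src_ip, k->dst_ip };
    uint32_t h = 2166136261u;
    for (int w = 0; w < 2; w++)
        for (int shift = 0; shift < 32; shift += 8) {
            h ^= (words[w] >> shift) & 0xFFu;
            h *= 16777619u;
        }
    return h;
}

/* Mask the packet key with mask idx and compare against flows of that mask. */
static const struct flow *lookup_with_mask(const struct flow_key *k, int idx)
{
    const struct flow_key m = { k->src_ip & masks[idx].src_ip,
                                k->dst_ip & masks[idx].dst_ip };
    for (size_t i = 0; i < N_FLOWS; i++)
        if (flows[i].mask_idx == idx && flows[i].key.src_ip == m.src_ip &&
            flows[i].key.dst_ip == m.dst_ip)
            return &flows[i];
    return NULL;
}

/* Returns the target id ('b'..'e'), or 0 when the packet is dropped.
 * *cache_hit is set to 1 when the mask index came from the cache. */
char classify(uint32_t src, uint32_t dst, int *cache_hit)
{
    const struct flow_key k = { src, dst };
    const uint32_t h = key_hash(&k);
    struct cache_slot *slot = &mask_cache[h % CACHE_SLOTS];
    const struct flow *f;

    *cache_hit = 0;
    /* Assumed fast path: a cached mask index is tried first. */
    if (slot->used && slot->hash == h &&
        (f = lookup_with_mask(&k, slot->mask_idx)) != NULL) {
        *cache_hit = 1;
        return f->target;
    }
    /* Ordinary flow tables: maximum index down to the target index. */
    for (int idx = MAX_IDX; idx >= TARGET_IDX; idx--) {
        if ((f = lookup_with_mask(&k, idx)) != NULL) {
            slot->hash = h;            /* store hash with its mask index */
            slot->mask_idx = idx;
            slot->used = 1;
            return f->target;
        }
    }
    /* Default flow table last; no match means drop, with no upcall. */
    f = lookup_with_mask(&k, DEFAULT_IDX);
    return f != NULL ? f->target : 0;
}

int main(void)
{
    int hit;
    char t = classify(IP(10, 0, 0, 1), IP(10, 0, 0, 2), &hit);
    printf("a->b: target=%c cache_hit=%d\n", t, hit);
    t = classify(IP(10, 0, 0, 1), IP(8, 8, 8, 8), &hit);
    printf("a->external: target=%c cache_hit=%d\n", t, hit);
    return 0;
}
```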
Embodiment 3
This embodiment provides a computer-readable storage medium, which may be volatile or non-volatile. Computer-readable instructions are stored on the computer-readable storage medium, and when the computer-readable instructions are executed by a processor, the steps in the above OVS-based data packet processing method embodiment are implemented, for example steps 101-107 shown in FIG. 1:
101. Obtain a data packet, a first mask of the data packet, a preset mask index table, a preset flow mask table, multiple ordinary flow tables and a default flow table, where the multiple ordinary flow tables include processing instructions for routing data to a virtual machine, and the default flow table includes processing instructions for routing data to a gateway;
102. Extract first key information from the data packet;
103. Calculate a first hash value of the data packet;
104. Determine whether an associated mask index of the first hash value exists in the preset mask index table;
105. When the associated mask index does not exist in the preset mask index table, search the multiple ordinary flow tables for the target flow table of the data packet according to the first mask, the first key information and the preset flow mask table;
106. When the target flow table of the data packet is not found among the multiple ordinary flow tables, search the default flow table for the target flow table of the data packet according to the first mask, the first key information and the preset flow mask table;
107. Execute the processing instruction for the data packet according to the target flow table of the data packet.
Alternatively, when the computer-readable instructions are executed by the processor, the functions of the modules in the above device embodiment are implemented, for example modules 201-207 in FIG. 2:
the acquisition module 201, configured to obtain a data packet, a first mask of the data packet, a preset mask index table, a preset flow mask table, multiple ordinary flow tables and a default flow table, where the multiple ordinary flow tables include processing instructions for routing data to a virtual machine, and the default flow table includes processing instructions for routing data to a gateway;
the extraction module 202, configured to extract first key information from the data packet;
the calculation module 203, configured to calculate a first hash value of the data packet;
the judgment module 204, configured to determine whether an associated mask index of the first hash value exists in the preset mask index table;
the first search module 205, configured to, when the associated mask index does not exist in the preset mask index table, search the multiple ordinary flow tables for the target flow table of the data packet according to the first mask, the first key information and the preset flow mask table;
the second search module 206, configured to, when the target flow table of the data packet is not found among the multiple ordinary flow tables, search the default flow table for the target flow table of the data packet according to the first mask, the first key information and the preset flow mask table;
the execution module 207, configured to execute the processing instruction for the data packet according to the target flow table of the data packet.
Embodiment 4
FIG. 3 is a schematic diagram of the computer device provided in Embodiment 3 of this application. The computer device 30 includes a memory 301, a processor 302, and computer-readable instructions 303 that are stored in the memory 301 and can run on the processor 302, for example an OVS-based data packet processing program. When the processor 302 executes the computer-readable instructions 303, the steps in the above OVS-based data packet processing method embodiment are implemented, for example steps 101-107 shown in FIG. 1:
101. Obtain a data packet, a first mask of the data packet, a preset mask index table, a preset flow mask table, multiple ordinary flow tables and a default flow table, where the multiple ordinary flow tables include processing instructions for routing data to a virtual machine, and the default flow table includes processing instructions for routing data to a gateway;
102. Extract first key information from the data packet;
103. Calculate a first hash value of the data packet;
104. Determine whether an associated mask index of the first hash value exists in the preset mask index table;
105. When the associated mask index does not exist in the preset mask index table, search the multiple ordinary flow tables for the target flow table of the data packet according to the first mask, the first key information and the preset flow mask table;
106. When the target flow table of the data packet is not found among the multiple ordinary flow tables, search the default flow table for the target flow table of the data packet according to the first mask, the first key information and the preset flow mask table;
107. Execute the processing instruction for the data packet according to the target flow table of the data packet.
Alternatively, when the computer-readable instructions are executed by the processor, the functions of the modules in the above device embodiment are implemented, for example modules 201-207 in FIG. 2:
the acquisition module 201, configured to obtain a data packet, a first mask of the data packet, a preset mask index table, a preset flow mask table, multiple ordinary flow tables and a default flow table, where the multiple ordinary flow tables include processing instructions for routing data to a virtual machine, and the default flow table includes processing instructions for routing data to a gateway;
the extraction module 202, configured to extract first key information from the data packet;
the calculation module 203, configured to calculate a first hash value of the data packet;
the judgment module 204, configured to determine whether an associated mask index of the first hash value exists in the preset mask index table;
the first search module 205, configured to, when the associated mask index does not exist in the preset mask index table, search the multiple ordinary flow tables for the target flow table of the data packet according to the first mask, the first key information and the preset flow mask table;
the second search module 206, configured to, when the target flow table of the data packet is not found among the multiple ordinary flow tables, search the default flow table for the target flow table of the data packet according to the first mask, the first key information and the preset flow mask table;
the execution module 207, configured to execute the processing instruction for the data packet according to the target flow table of the data packet.
Exemplarily, the computer-readable instructions 303 may be divided into one or more modules, which are stored in the memory 301 and executed by the processor 302 to complete the method. The one or more modules may be a series of computer-readable instruction segments capable of performing specific functions, and the instruction segments describe the execution process of the computer-readable instructions 303 in the computer device 30. For example, the computer-readable instructions 303 may be divided into the acquisition module 201, the extraction module 202, the calculation module 203, the judgment module 204, the first search module 205, the second search module 206 and the execution module 207 in FIG. 2; see Embodiment 2 for the specific functions of each module.
Those skilled in the art will understand that schematic diagram 3 is only an example of the computer device 30 and does not limit the computer device 30, which may include more or fewer components than shown, combine certain components, or use different components. For example, the computer device 30 may also include input and output devices, network access devices, buses, and so on.
The processor 302 may be a central processing unit (CPU), another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on. The general-purpose processor may be a microprocessor, or the processor 302 may be any conventional processor, and so on. The processor 302 is the control center of the computer device 30 and connects the parts of the entire computer device 30 through various interfaces and lines.
The memory 301 can be used to store the computer-readable instructions 303. The processor 302 implements the various functions of the computer device 30 by running or executing the computer-readable instructions or modules stored in the memory 301 and by calling data stored in the memory 301. The memory 301 may mainly include a program storage area and a data storage area: the program storage area may store an operating system and the application programs required by at least one function (such as a sound playback function or an image playback function), and the data storage area may store data created through the use of the computer device 30. In addition, the memory 301 may include a hard disk, internal memory, a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, a flash card, at least one magnetic disk storage device, a flash memory device, read-only memory (ROM), random access memory (RAM), or other non-volatile or volatile storage devices.
If the modules integrated in the computer device 30 are implemented in the form of software functional modules and sold or used as an independent product, they can be stored in a computer-readable storage medium. Based on this understanding, all or part of the processes in the methods of the above embodiments can also be completed by computer-readable instructions that instruct the relevant hardware. The computer-readable instructions can be stored in a computer-readable storage medium, and when they are executed by a processor, the steps of the above method embodiments are implemented. The computer-readable instructions include computer-readable instruction code, which may be in source code form, object code form, an executable file, or some intermediate form. The computer-readable medium may include any entity or device capable of carrying the computer-readable instruction code, a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disc, computer memory, read-only memory (ROM), random access memory (RAM), and so on.
In another embodiment, in the OVS-based data packet processing method provided by this application, to further ensure the privacy and security of all the data mentioned above, all of that data may also be stored in a node of a blockchain. For example, the ordinary flow tables, the target flow table and so on can all be stored in blockchain nodes.
It should be noted that the blockchain referred to in this application is a new application mode of computer technologies such as distributed data storage, point-to-point transmission, consensus mechanisms, and encryption algorithms.
In the several embodiments provided in this application, it should be understood that the disclosed system, device and method can be implemented in other ways. For example, the device embodiments described above are merely illustrative; the division into modules is only a division by logical function, and other divisions are possible in an actual implementation.
The modules described as separate components may or may not be physically separate, and the components shown as modules may or may not be physical modules; that is, they may be located in one place or distributed across multiple network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional modules in the embodiments of this application may be integrated into one processing module, each module may exist physically on its own, or two or more modules may be integrated into one module. The integrated module can be implemented in the form of hardware or in the form of hardware plus software functional modules.
An integrated module implemented in the form of software functional modules can be stored in a computer-readable storage medium. The software functional module is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) or a processor to execute some of the steps of the OVS-based data packet processing method described in the embodiments of this application.
For those skilled in the art, it is clear that this application is not limited to the details of the above exemplary embodiments and that this application can be implemented in other specific forms without departing from its spirit or essential characteristics. The embodiments should therefore be regarded in every respect as exemplary and non-limiting. The scope of this application is defined by the appended claims rather than by the above description, and all changes that fall within the meaning and range of equivalents of the claims are therefore intended to be included in this application. Any reference signs in the claims should not be regarded as limiting the claims concerned. In addition, the word "including" clearly does not exclude other modules or steps, and the singular does not exclude the plural. Multiple modules or devices stated in a system claim can also be implemented by one module or device through software or hardware. Words such as "first" and "second" are used to denote names and do not denote any particular order.
最后应说明的是,以上实施例仅用以说明本申请的技术方案而非限制,尽管参照较佳实施例对本申请进行了详细说明,本领域的普通技术人员应当理解,可以对本申请的技术方案进行修改或等同替换,而不脱离本申请技术方案的精神和范围。Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the application and not to limit them. Although the application has been described in detail with reference to the preferred embodiments, those of ordinary skill in the art should understand that the technical solutions of the application can be Make modifications or equivalent replacements without departing from the spirit and scope of the technical solution of the present application.

Claims (20)

  1. An OVS-based data packet processing method, wherein the OVS-based data packet processing method comprises:
    acquiring a data packet, a first mask of the data packet, a preset mask index table, a preset flow mask table, a plurality of ordinary flow tables, and a default flow table, wherein the plurality of ordinary flow tables include processing instructions for routing data to a virtual machine, and the default flow table includes processing instructions for routing data to a gateway;
    extracting first key information from the data packet;
    calculating a first hash value of the data packet;
    determining whether an associated mask index of the first hash value exists in the preset mask index table;
    when the associated mask index does not exist in the preset mask index table, searching the plurality of ordinary flow tables for a target flow table of the data packet according to the first mask, the first key information, and the preset flow mask table;
    when the target flow table of the data packet is not found in the plurality of ordinary flow tables, searching the default flow table for the target flow table of the data packet according to the first mask, the first key information, and the preset flow mask table;
    executing a processing instruction on the data packet according to the target flow table of the data packet.
  2. The OVS-based data packet processing method according to claim 1, wherein searching the plurality of ordinary flow tables for the target flow table of the data packet according to the first mask, the first key information, and the preset flow mask table comprises:
    acquiring a maximum index value and a target index value of the preset mask table, the maximum index value being greater than the target index value;
    acquiring second masks from the preset mask table one by one in order from the maximum index value to the target index value, the second mask corresponding to a plurality of designated flow tables among the plurality of ordinary flow tables;
    for each designated flow table among the plurality of designated flow tables, acquiring second key information of the designated flow table and a second hash value of the designated flow table;
    searching the plurality of ordinary flow tables for a flow table whose second mask matches the first mask, whose second key information matches the first key information, and whose second hash value matches the first hash value.
  3. The OVS-based data packet processing method according to claim 1, wherein searching the default flow table for the target flow table of the data packet according to the first mask, the first key information, and the preset flow mask table comprises:
    acquiring a minimum index value of the preset mask table;
    acquiring, from the preset mask table according to the minimum index value, a third mask corresponding to the default flow table;
    acquiring a plurality of given flow tables in the default flow table;
    for each given flow table among the plurality of given flow tables, acquiring third key information of the given flow table and a third hash value of the given flow table;
    searching the plurality of given flow tables for a flow table whose third mask matches the first mask, whose third key information matches the first key information, and whose third hash value matches the first hash value.
  4. The OVS-based data packet processing method according to claim 1, wherein, when the target flow table of the data packet is found in the plurality of ordinary flow tables, the OVS-based data packet processing method further comprises:
    acquiring a fourth mask corresponding to the target flow table of the data packet;
    determining the index value of the fourth mask as the associated mask index;
    storing the first hash value and the associated mask index in association.
  5. The OVS-based data packet processing method according to claim 1, wherein, when the target flow table of the data packet is not found in the default flow table, the OVS-based data packet processing method further comprises:
    deleting the data packet so that the data packet is not uploaded to the user layer.
  6. The OVS-based data packet processing method according to claim 1, wherein executing the processing instruction on the data packet according to the target flow table of the data packet comprises:
    forwarding the data packet to a target gateway according to the target flow table of the data packet.
  7. The OVS-based data packet processing method according to claim 6, wherein, after the data packet is forwarded to the target gateway according to the target flow table of the data packet, the OVS-based data packet processing method further comprises:
    determining, through the target gateway, the target virtual machine that the data packet needs to reach;
    receiving the ordinary flow table of the target gateway;
    upon receiving a same-flow data packet whose hash value is the same as that of the data packet, forwarding the same-flow data packet to the target virtual machine according to the received ordinary flow table of the target gateway.
  8. An OVS-based data packet processing apparatus, wherein the OVS-based data packet processing apparatus comprises:
    an acquisition module, configured to acquire a data packet, a first mask of the data packet, a preset mask index table, a preset flow mask table, a plurality of ordinary flow tables, and a default flow table, wherein the plurality of ordinary flow tables include processing instructions for routing data to a virtual machine, and the default flow table includes processing instructions for routing data to a gateway;
    an extraction module, configured to extract first key information from the data packet;
    a calculation module, configured to calculate a first hash value of the data packet;
    a determination module, configured to determine whether an associated mask index of the first hash value exists in the preset mask index table;
    a first search module, configured to, when the associated mask index does not exist in the preset mask index table, search the plurality of ordinary flow tables for a target flow table of the data packet according to the first mask, the first key information, and the preset flow mask table;
    a second search module, configured to, when the target flow table of the data packet is not found in the plurality of ordinary flow tables, search the default flow table for the target flow table of the data packet according to the first mask, the first key information, and the preset flow mask table;
    an execution module, configured to execute a processing instruction on the data packet according to the target flow table of the data packet.
  9. A computer device, wherein the computer device comprises a processor and a memory, and the processor is configured to execute computer-readable instructions stored in the memory to implement the following steps:
    acquiring a data packet, a first mask of the data packet, a preset mask index table, a preset flow mask table, a plurality of ordinary flow tables, and a default flow table, wherein the plurality of ordinary flow tables include processing instructions for routing data to a virtual machine, and the default flow table includes processing instructions for routing data to a gateway;
    extracting first key information from the data packet;
    calculating a first hash value of the data packet;
    determining whether an associated mask index of the first hash value exists in the preset mask index table;
    when the associated mask index does not exist in the preset mask index table, searching the plurality of ordinary flow tables for a target flow table of the data packet according to the first mask, the first key information, and the preset flow mask table;
    when the target flow table of the data packet is not found in the plurality of ordinary flow tables, searching the default flow table for the target flow table of the data packet according to the first mask, the first key information, and the preset flow mask table;
    executing a processing instruction on the data packet according to the target flow table of the data packet.
  10. The computer device according to claim 9, wherein searching the plurality of ordinary flow tables for the target flow table of the data packet according to the first mask, the first key information, and the preset flow mask table comprises:
    acquiring a maximum index value and a target index value of the preset mask table, the maximum index value being greater than the target index value;
    acquiring second masks from the preset mask table one by one in order from the maximum index value to the target index value, the second mask corresponding to a plurality of designated flow tables among the plurality of ordinary flow tables;
    for each designated flow table among the plurality of designated flow tables, acquiring second key information of the designated flow table and a second hash value of the designated flow table;
    searching the plurality of ordinary flow tables for a flow table whose second mask matches the first mask, whose second key information matches the first key information, and whose second hash value matches the first hash value.
  11. The computer device according to claim 9, wherein searching the default flow table for the target flow table of the data packet according to the first mask, the first key information, and the preset flow mask table comprises:
    acquiring a minimum index value of the preset mask table;
    acquiring, from the preset mask table according to the minimum index value, a third mask corresponding to the default flow table;
    acquiring a plurality of given flow tables in the default flow table;
    for each given flow table among the plurality of given flow tables, acquiring third key information of the given flow table and a third hash value of the given flow table;
    searching the plurality of given flow tables for a flow table whose third mask matches the first mask, whose third key information matches the first key information, and whose third hash value matches the first hash value.
  12. The computer device according to claim 9, wherein, when the target flow table of the data packet is found in the plurality of ordinary flow tables, the processor, in executing the computer-readable instructions stored in the memory, further implements the following steps:
    acquiring a fourth mask corresponding to the target flow table of the data packet;
    determining the index value of the fourth mask as the associated mask index;
    storing the first hash value and the associated mask index in association.
  13. The computer device according to claim 9, wherein, when the target flow table of the data packet is not found in the default flow table, the processor, in executing the computer-readable instructions stored in the memory, further implements the following step:
    deleting the data packet so that the data packet is not uploaded to the user layer.
  14. The computer device according to claim 9, wherein executing the processing instruction on the data packet according to the target flow table of the data packet comprises:
    forwarding the data packet to a target gateway according to the target flow table of the data packet.
  15. The computer device according to claim 14, wherein, after the data packet is forwarded to the target gateway according to the target flow table of the data packet, the processor, in executing the computer-readable instructions stored in the memory, further implements the following steps:
    determining, through the target gateway, the target virtual machine that the data packet needs to reach;
    receiving the ordinary flow table of the target gateway;
    upon receiving a same-flow data packet whose hash value is the same as that of the data packet, forwarding the same-flow data packet to the target virtual machine according to the received ordinary flow table of the target gateway.
  16. A computer-readable storage medium having computer-readable instructions stored thereon, wherein the computer-readable instructions, when executed by a processor, implement the following steps:
    acquiring a data packet, a first mask of the data packet, a preset mask index table, a preset flow mask table, a plurality of ordinary flow tables, and a default flow table, wherein the plurality of ordinary flow tables include processing instructions for routing data to a virtual machine, and the default flow table includes processing instructions for routing data to a gateway;
    extracting first key information from the data packet;
    calculating a first hash value of the data packet;
    determining whether an associated mask index of the first hash value exists in the preset mask index table;
    when the associated mask index does not exist in the preset mask index table, searching the plurality of ordinary flow tables for a target flow table of the data packet according to the first mask, the first key information, and the preset flow mask table;
    when the target flow table of the data packet is not found in the plurality of ordinary flow tables, searching the default flow table for the target flow table of the data packet according to the first mask, the first key information, and the preset flow mask table;
    executing a processing instruction on the data packet according to the target flow table of the data packet.
  17. The computer-readable storage medium according to claim 16, wherein searching the plurality of ordinary flow tables for the target flow table of the data packet according to the first mask, the first key information, and the preset flow mask table comprises:
    acquiring a maximum index value and a target index value of the preset mask table, the maximum index value being greater than the target index value;
    acquiring second masks from the preset mask table one by one in order from the maximum index value to the target index value, the second mask corresponding to a plurality of designated flow tables among the plurality of ordinary flow tables;
    for each designated flow table among the plurality of designated flow tables, acquiring second key information of the designated flow table and a second hash value of the designated flow table;
    searching the plurality of ordinary flow tables for a flow table whose second mask matches the first mask, whose second key information matches the first key information, and whose second hash value matches the first hash value.
  18. The computer-readable storage medium according to claim 16, wherein searching the default flow table for the target flow table of the data packet according to the first mask, the first key information, and the preset flow mask table comprises:
    acquiring a minimum index value of the preset mask table;
    acquiring, from the preset mask table according to the minimum index value, a third mask corresponding to the default flow table;
    acquiring a plurality of given flow tables in the default flow table;
    for each given flow table among the plurality of given flow tables, acquiring third key information of the given flow table and a third hash value of the given flow table;
    searching the plurality of given flow tables for a flow table whose third mask matches the first mask, whose third key information matches the first key information, and whose third hash value matches the first hash value.
  19. The computer-readable storage medium according to claim 16, wherein, when the target flow table of the data packet is found in the plurality of ordinary flow tables, the computer-readable instructions, when executed by the processor, further implement the following steps:
    acquiring a fourth mask corresponding to the target flow table of the data packet;
    determining the index value of the fourth mask as the associated mask index;
    storing the first hash value and the associated mask index in association.
  20. The computer-readable storage medium according to claim 16, wherein, when the target flow table of the data packet is not found in the default flow table, the computer-readable instructions, when executed by the processor, further implement the following step:
    deleting the data packet so that the data packet is not uploaded to the user layer.
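
The lookup order set out in claims 1 to 5, modelled as an added example; it is not code from the patent or from Open vSwitch. The two-field key, the CRC32 hash, the sample masks and flows, and the re-check of a cached mask index against the flow table are assumptions made for illustration.

```python
"""Constructed model of the lookup order in claims 1-5; not OVS source code."""
import ipaddress
import zlib
from dataclasses import dataclass, field

DROP = "drop"  # claim 5: discard in the datapath, never upcall to the user layer


def ip(text):
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.ip_address(text))


def packet_hash(key):
    """First hash value. CRC32 over the key fields is an assumed stand-in."""
    return zlib.crc32(b"".join(f.to_bytes(4, "big") for f in key))


def apply_mask(key, mask):
    """AND each key field with the matching mask field."""
    return tuple(k & m for k, m in zip(key, mask))


@dataclass
class Datapath:
    masks: list       # flow mask table; index 0 (minimum) belongs to the default table
    ordinary: dict    # mask index -> {masked key: action}, routes to virtual machines
    default: dict     # {masked key: action}, routes to the gateway
    target_index: int = 1                                 # lowest ordinary mask index
    mask_index_cache: dict = field(default_factory=dict)  # first hash -> mask index
    probes: int = 0                                       # flow-table probes so far

    def _probe(self, table, key, idx):
        self.probes += 1
        return table.get(apply_mask(key, self.masks[idx]))

    def lookup(self, key):
        h = packet_hash(key)
        idx = self.mask_index_cache.get(h)
        if idx is not None:
            # Assumed hit path: the cached index is only a hint. Two flows can
            # share a 32-bit hash, so the masked key is still compared.
            action = self._probe(self.ordinary.get(idx, {}), key, idx)
            if action is not None:
                return action
            del self.mask_index_cache[h]  # stale or colliding entry, rescan
        # Claim 2: try masks from the maximum index down to the target index.
        for idx in range(len(self.masks) - 1, self.target_index - 1, -1):
            action = self._probe(self.ordinary.get(idx, {}), key, idx)
            if action is not None:
                self.mask_index_cache[h] = idx  # claim 4: remember the mask index
                return action
        # Claim 3: the minimum index holds the default flow table's mask.
        action = self._probe(self.default, key, 0)
        return action if action is not None else DROP


def build_datapath():
    """Constructed sample tables; key layout is (dst_ip, dst_port)."""
    masks = [
        (0xFFFF0000, 0x0000),   # 0: default table, 10.0.0.0/16 -> gateway
        (0xFFFFFF00, 0x0000),   # 1: per-subnet flows
        (0xFFFFFFFF, 0xFFFF),   # 2: exact address and port
    ]
    ordinary = {
        1: {(ip("10.0.1.0"), 0): "output:vm-a"},
        2: {(ip("10.0.2.5"), 443): "output:vm-b"},
    }
    default = {(ip("10.0.0.0"), 0): "output:gateway"}
    return Datapath(masks, ordinary, default)


if __name__ == "__main__":
    dp = build_datapath()
    for dst, port in [("10.0.1.7", 80), ("10.0.1.7", 80),
                      ("10.0.9.9", 22), ("192.168.1.1", 80)]:
        print(dst, port, dp.lookup((ip(dst), port)), "probes:", dp.probes)
```

In this model the second lookup of the same key costs one probe instead of two, and a packet that matches neither the ordinary nor the default tables is dropped without reaching the user layer.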
PCT/CN2020/119054 2020-08-07 2020-09-29 Ovs-based data packet processing method and apparatus, computer device, and computer readable storage medium WO2021151301A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010788980.1A CN111953609B (en) 2020-08-07 2020-08-07 OVS-based data packet processing method and related equipment
CN202010788980.1 2020-08-07

Publications (1)

Publication Number Publication Date
WO2021151301A1 true WO2021151301A1 (en) 2021-08-05

Family

ID=73331868

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/119054 WO2021151301A1 (en) 2020-08-07 2020-09-29 Ovs-based data packet processing method and apparatus, computer device, and computer readable storage medium

Country Status (2)

Country Link
CN (1) CN111953609B (en)
WO (1) WO2021151301A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113347100B (en) * 2021-05-31 2022-06-17 平安科技(深圳)有限公司 Data stream transmission method and device, computer equipment and storage medium
CN114448891B (en) * 2022-01-26 2024-01-02 深圳星云智联科技有限公司 Method, device, equipment and medium for synchronizing flow table

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180097728A1 (en) * 2016-09-30 2018-04-05 Intel Corporation Virtual switch acceleration using resource director technology
CN109921996A (en) * 2018-12-29 2019-06-21 长沙理工大学 A kind of virtual flow stream searching method of high performance OpenFlow
CN110324245A (en) * 2018-03-31 2019-10-11 华为技术有限公司 A kind of method and device to be E-Packeted based on integrated flow table
CN111131050A (en) * 2019-12-31 2020-05-08 盛科网络(苏州)有限公司 Flow table matching method and device
US20200159654A1 (en) * 2016-04-01 2020-05-21 Intel Corporation Pipelined hash table with reduced collisions

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20150053620A (en) * 2013-11-08 2015-05-18 한국전자통신연구원 Apparatus and method for transmitting packet
CN105490946A (en) * 2014-09-18 2016-04-13 中兴通讯股份有限公司 Flow table processing method and device, open flow controller, and open flow switch
US11178051B2 (en) * 2014-09-30 2021-11-16 Vmware, Inc. Packet key parser for flow-based forwarding elements
CN105224692B (en) * 2015-11-03 2018-08-31 武汉烽火网络有限责任公司 Support the system and method for the SDN multilevel flow table parallel searchs of multi-core processor
CN112685612B (en) * 2020-12-31 2022-08-30 武汉思普崚技术有限公司 Feature code searching and matching method, device and storage medium

Also Published As

Publication number Publication date
CN111953609A (en) 2020-11-17
CN111953609B (en) 2022-10-11

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20916620

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20916620

Country of ref document: EP

Kind code of ref document: A1