CN112260951A - Expectation connection processing method, expectation connection processing device, readable storage medium, and electronic device - Google Patents

Info

Publication number
CN112260951A
CN112260951A CN202010962157.8A CN202010962157A CN112260951A CN 112260951 A CN112260951 A CN 112260951A CN 202010962157 A CN202010962157 A CN 202010962157A CN 112260951 A CN112260951 A CN 112260951A
Authority
CN
China
Prior art keywords
hash
connection
preset
expected
preset number
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010962157.8A
Other languages
Chinese (zh)
Inventor
刘立军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd, Beijing Topsec Software Co Ltd
Priority to CN202010962157.8A
Publication of CN112260951A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/74 Address processing for routing
    • H04L45/745 Address table lookup; Address filtering
    • H04L45/7453 Address table lookup; Address filtering using hashing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/74 Address processing for routing
    • H04L45/745 Address table lookup; Address filtering

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present disclosure relates to an expected connection processing method, apparatus, readable storage medium, and electronic device. The method comprises: acquiring attribute information of a new connection when the new connection is received; performing hash calculation on the attribute information with a preset number of hash functions of a preset bloom filter to obtain a preset number of hash values; acquiring the element values at the position points in the integer array of the preset bloom filter that correspond to the preset number of hash values; and, when the element values at those position points are all non-zero, locking the expected connection hash table so as to determine, by a hash query in that table, whether the new connection is an expected connection. The embodiment of the disclosure uses the preset bloom filter to filter out part of the unexpected connections, which reduces the number of times the hash table is locked and the corresponding hash queries that match expected connections, and avoids frequently locking the hash table to perform hash lookups under a multi-core forwarding architecture, thereby improving new creation and forwarding performance.

Description

Expectation connection processing method, expectation connection processing device, readable storage medium, and electronic device
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to an expected connection processing method and an expected connection processing apparatus in a multi-core forwarding architecture, and a computer-readable storage medium and an electronic device for implementing the expected connection processing method.
Background
As the types of internet applications multiply and their forms change, numerous security threats keep emerging. Under these circumstances, network security equipment is widely deployed in real environments. To adapt to current requirements, the architecture of network security equipment has also changed greatly, evolving from processing on a traditional single central processing unit (CPU) to parallel processing on multiple CPUs.
Because applications are rich and diverse and networks are widespread, the functional requirements on network security equipment keep rising. The equipment needs to analyze application-layer data, and some communication protocols use child connections. A child connection is negotiated during the interaction of the parent connection, and for the child connection to use the same security policy as the parent connection, the network security device needs to identify the child connection. In the related art, when a parent connection negotiates a child connection, expected connection data including at least the IP (Internet Protocol) information and port information of the child connection is generated and inserted into an expected connection hash table; when a new connection is established, whether it is an expected (expect) connection is determined by looking up the expected connection hash table.
However, in a network security device with a multi-core forwarding architecture, the CPU cores usually operate concurrently and share the expected connection hash table. When a new connection is looked up in the expected connection hash table, the table therefore has to be locked frequently during the lookup, which seriously affects new creation and forwarding performance.
Disclosure of Invention
In order to solve the technical problem or at least partially solve the technical problem, the present disclosure provides an expected connection processing method in a multi-core forwarding architecture, an expected connection processing apparatus in a multi-core forwarding architecture, and a computer-readable storage medium and an electronic device implementing the expected connection processing method.
In a first aspect, an embodiment of the present disclosure provides an expected connection processing method under a multi-core forwarding architecture, including:
when a new connection is received, acquiring attribute information of the new connection;
performing hash calculation on the attribute information based on a preset number of hash functions of a preset bloom filter to obtain a preset number of hash values;
acquiring the element values at the position points in the integer array of the preset bloom filter that correspond to the preset number of hash values; wherein element values of a preset number of position points are preset in the integer array of the preset bloom filter, and those position points are determined by matching the preset number of hash values obtained by hashing the attribute information of the expected connection with the preset number of hash functions;
and locking the expected connection hash table when the element values at the position points corresponding to the preset number of hash values are all non-zero, so as to query, by hash lookup in the expected connection hash table, whether the new connection is an expected connection.
In some embodiments of the present disclosure, the attribute information should include a source IP, a destination port, and an IP protocol number.
In some embodiments of the present disclosure, the value of the preset number is 2 to 5; and/or the preset number of hash functions are different.
In some embodiments of the present disclosure, the performing a hash calculation on the attribute information by using a preset number of hash functions based on a preset bloom filter to obtain the preset number of hash values includes:
performing hash calculation on the source IP, the destination port and the IP protocol number based on a first hash function to obtain a first hash value;
performing hash calculation on the source IP, the destination port and the IP protocol number based on a second hash function to obtain a second hash value;
performing hash calculation on the source IP, the destination port and the IP protocol number based on a third hash function to obtain a third hash value;
the obtaining of the element values of the position points corresponding to the hash values of the preset number in the integer array of the preset bloom filter includes:
acquiring a first element value, a second element value and a third element value of a position point of the first hash value, the second hash value and the third hash value respectively corresponding to the integer array of the preset bloom filter;
correspondingly, when all the element values of the position points corresponding to the preset number of hash values are non-zero, locking the expected connection hash table to query whether the newly-created connection is an expected connection in the expected connection hash table in a hash manner, including:
and locking the expected connection hash table when the first element value, the second element value and the third element value are all one, so as to query, by hash lookup in the expected connection hash table, whether the new connection is an expected connection.
In some embodiments of the present disclosure, further comprising:
and when at least one of the first element value, the second element value and the third element value is zero, not locking the expected connection hash table and ending the hash query.
In some embodiments of the present disclosure, each element of the integer array of the preset bloom filter is a 1-byte integer or a 2-byte integer.
In some embodiments of the present disclosure, further comprising:
before the newly-built connection is received, recording the number of elements in the expected connection hash table based on an atomic variable;
and when the newly-built connection is received, if the element number recorded by the atomic variable is zero, locking the expected connection hash table.
In a second aspect, an embodiment of the present disclosure provides an expected connection processing apparatus under a multi-core forwarding architecture, including:
the information acquisition module is used for acquiring the attribute information of the newly-built connection when receiving the newly-built connection;
the hash calculation module is used for carrying out hash calculation on the attribute information based on a preset number of hash functions of a preset bloom filter to obtain a preset number of hash values;
the bloom filter module is used for acquiring the element values at the position points in the integer array of the preset bloom filter that correspond to the preset number of hash values; wherein element values of a preset number of position points are preset in the integer array of the preset bloom filter, and those position points are determined by matching the preset number of hash values obtained by hashing the attribute information of the expected connection with the preset number of hash functions;
and the hash query module is used for locking the expected connection hash table when the element values at the position points corresponding to the preset number of hash values are all non-zero, so as to query, by hash lookup in the expected connection hash table, whether the new connection is an expected connection.
In a third aspect, the disclosed embodiments provide a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the expected connection processing method according to any one of the above embodiments.
In a fourth aspect, an embodiment of the present disclosure provides an electronic device, including:
a processor; and
a memory for storing executable instructions of the processor;
wherein the processor is configured to perform the steps of the expected connection processing method of any of the above embodiments via execution of the executable instructions.
Compared with the prior art, the technical scheme provided by the embodiment of the disclosure has the following advantages:
In the embodiment of the disclosure, when a new connection is received, its attribute information is acquired and hashed with a preset number of hash functions of a preset bloom filter to obtain a preset number of hash values. The element values at the corresponding position points in the integer array of the preset bloom filter are then acquired, and when those element values are all non-zero, the expected connection hash table is locked so that a hash query in the table can determine whether the new connection is an expected connection. In this way, before the hash query of the expected connection hash table is used to determine whether the new connection is an expected connection, the preset bloom filter can filter out part of the unexpected connections. This reduces the number of subsequent locks on the hash table and the corresponding hash queries that match expected connections, avoids frequently locking the hash table to perform hash lookups under the multi-core forwarding architecture, and thus improves new creation and forwarding performance.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure.
In order to more clearly illustrate the embodiments or technical solutions in the prior art of the present disclosure, the drawings used in the description of the embodiments or prior art will be briefly described below, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without inventive exercise.
Fig. 1 is a flowchart of an expected connection processing method under a multi-core forwarding architecture according to an embodiment of the present disclosure;
fig. 2 is a flowchart of an expected connection processing method under a multi-core forwarding architecture according to an embodiment of the present disclosure;
fig. 3 is a flowchart of an expected connection processing method under a multi-core forwarding architecture according to an embodiment of the present disclosure;
fig. 4 is a schematic diagram of an expected connection processing apparatus under a multi-core forwarding architecture according to an embodiment of the present disclosure;
fig. 5 is a schematic diagram of an electronic device for implementing an expected connection processing method in a multi-core forwarding architecture according to an embodiment of the present disclosure.
Detailed Description
In order that the above objects, features and advantages of the present disclosure may be more clearly understood, aspects of the present disclosure will be further described below. It should be noted that the embodiments and features of the embodiments of the present disclosure may be combined with each other without conflict.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present disclosure, but the present disclosure may be practiced in other ways than those described herein; it is to be understood that the embodiments disclosed in the specification are only a few embodiments of the present disclosure, and not all embodiments.
In the related art, in a network security device with a multi-core forwarding architecture, the expected connection hash table is shared by the CPU cores, each of which may insert into, search and delete from the table, so the critical section has to be protected by a lock. In a highly concurrent scenario, locking causes contention among the CPU cores and has a large impact on new creation and forwarding performance. Here, "new creation" refers to creating a new connection, and "forwarding" refers to forwarding messages.
In order to solve the technical problem or at least partially solve the technical problem, embodiments of the present disclosure provide an expected connection processing method in a multi-core forwarding architecture, where the expected connection processing method may be executed by a network security device. As shown in fig. 1, the expected connection processing method may include the steps of:
Step S101: when a new connection is received, acquire the attribute information of the new connection.
Illustratively, the new connection may be a sub-connection or other connection. A connection represents a complete communication process between two hosts in a network. A connection typically contains messages in two directions: the original direction message sent from the source host to the destination host and the reverse direction message sent from the destination host back to the source host can be understood with reference to the prior art, and are not described herein again. The attribute information may include, but is not limited to, one or more of the source IP, destination port, and IP protocol number of the connection, such as a TCP/IP protocol number.
In this embodiment, when receiving a new connection, the network security device may obtain attribute information of the new connection, such as a source IP, a destination port, and an IP protocol number.
Step S102: perform hash calculation on the attribute information with a preset number of hash functions of a preset bloom filter to obtain the preset number of hash values.
Step S103: acquire the element values at the position points in the integer array of the preset bloom filter that correspond to the preset number of hash values. Element values of a preset number of position points are preset in the integer array of the preset bloom filter; those position points are determined by matching the preset number of hash values obtained by hashing the attribute information of the expected connection with the preset number of hash functions.
It will be appreciated that a Bloom filter may contain K hash functions and an array of m-bit integers. The initial element value of every position point of the integer array may be 0. Each element of the set is mapped through the K hash functions in turn; each mapping produces a hash value, and each hash value corresponds to a position point in the integer array. Adding the element is completed by adding 1 to the element value of the position point corresponding to each hash value. To query whether an element X exists in the set, X is mapped through the K hash functions to obtain K hash values, which correspond to K position points in the integer array. If any one of the K position points is 0, it can be determined that element X is definitely not in the set. Conversely, if all K position points are non-zero, element X is likely to be in the set. More details about bloom filters can be understood with reference to the prior art and are not described in detail herein.
In this embodiment, for example, the value of the preset number K of the hash functions is 3, and for example, the element values of 3 location points may be preset in the integer array of the preset bloom filter. The element values of the 3 location points are determined by matching 3 hash values obtained by hashing expected connection attribute information such as a source IP, a destination port and an IP protocol number by 3 hash functions.
That is, the expected connection is added to the bloom filter in advance in such a manner that 1 is added to the element values of 3 position points corresponding to 3 hash values obtained by hashing based on the attribute information of the expected connection, such as the source IP, the destination port, and the IP protocol number, in the integer array of the bloom filter.
For example, when the attribute information of one expected connection (including a source IP, a destination port and an IP protocol number) is added, the 3 hash functions Hash1, Hash2 and Hash3 yield, for example, the hash values Hash1(attribute information) = 2, Hash2(attribute information) = 4 and Hash3(attribute information) = 7. The element values of the cells with position point subscripts "2", "4" and "7" (counted from left to right) in the integer array are then each increased by 1, as shown in Table 1.
TABLE 1
Position point:  1  2  3  4  5  6  7  8  9  10
Element value:   0  1  0  1  0  0  1  0  0  0
Then, when a new connection is received, its attribute information, such as the source IP, destination port and IP protocol number, is obtained. In step S102, this attribute information is hashed with the 3 hash functions Hash1, Hash2 and Hash3 to obtain another 3 hash values, and the element values at the position points in the integer array of the preset bloom filter corresponding to these 3 hash values are acquired. For example, if the 3 hash values map to position points "2", "4" and "7" in the integer array of the bloom filter shown in Table 1, then, since the element values at these position points are all 1, the new connection can be considered to be, or very likely to be, an expected connection.
Step S104: when the element values at the position points corresponding to the preset number of hash values are all non-zero, lock the expected connection hash table so as to query, by hash lookup in the expected connection hash table, whether the new connection is an expected connection.
For example, when it is determined that the new connection is, or is very likely to be, an expected connection, the result is still uncertain, so the expected connection hash table may be locked and a complete hash lookup performed in it to determine whether the new connection is an expected connection. When the new connection is determined not to be an expected connection, that is, it is an unexpected connection, the expected connection hash table does not need to be locked. If the query determines that the new connection is an expected connection, the first, second and third element values described above may all be decremented.
In this way, in the expected connection processing method of this embodiment, before determining whether the new connection is an expected connection based on the expected connection hash table hash query, a part of unexpected connections may be filtered based on the preset bloom filter to reduce the number of subsequent locks on the hash table and the operation that the corresponding hash query matches the expected connection, so as to avoid frequently locking the hash table in the multi-core forwarding architecture to perform hash lookup operations based on the hash table, and further improve new creation and forwarding performance.
In some embodiments of the present disclosure, the preset number K of hash functions may take a value of 2 to 5, for example 3 to 4, but is not limited thereto. In this embodiment, three fast hash functions may be used. The inventor finds that three to four hash functions achieve a balance between filtering effect and performance. In a specific implementation, the number of hash functions can be adjusted to achieve better performance in different environments. The fewer the hash functions, the poorer the filtering effect but the higher the speed; the more the hash functions, the better the filtering effect but the lower the speed. 3 to 4 is a more balanced choice.
In some embodiments of the present disclosure, the preset number of hash functions are all different, for example, three fast hash functions adopted in this embodiment are all different. Through different hash functions, the hash operation speed and the hash effect when the connection processing method of the embodiment is executed can be balanced, so that better performance is achieved. The specific selection of different hash functions may be set as needed, and this embodiment does not limit this.
Illustratively, in some embodiments of the present disclosure, three different hash functions are illustrated. The connection processing method may specifically include the following exemplary steps:
Step S200: when a new connection is received, acquire the source IP, destination port and IP protocol number of the new connection.
Step S201: perform hash calculation on the source IP, the destination port and the IP protocol number based on a first hash function to obtain a first hash value.
Step S202: perform hash calculation on the source IP, the destination port and the IP protocol number based on a second hash function to obtain a second hash value.
Step S203: perform hash calculation on the source IP, the destination port and the IP protocol number based on a third hash function to obtain a third hash value.
Specifically, for example, based on 3 different hash functions Hash1, Hash2 and Hash3, the hash values Hash1(key1) = 2, Hash2(key2) = 4 and Hash3(key3) = 7 can be calculated respectively. key1, key2 and key3 each include the attribute information of the new connection, i.e., source IP, destination port and IP protocol number.
Step S204: acquire the first element value, the second element value and the third element value at the position points in the integer array of the preset bloom filter that correspond to the first hash value, the second hash value and the third hash value respectively.
For example, for the hash values Hash1(key1) = 2, Hash2(key2) = 4 and Hash3(key3) = 7, the first element value 1, the second element value 1 and the third element value 1 at the corresponding position points "2", "4" and "7" in the integer array of the bloom filter shown in Table 1 are obtained.
Step S205: when the first element value, the second element value and the third element value are all one, lock the expected connection hash table so as to query, by hash lookup in the expected connection hash table, whether the new connection is an expected connection.
For example, since the hash values are Hash1(key1) = 2, Hash2(key2) = 4 and Hash3(key3) = 7 and the corresponding first, second and third element values are all 1, the expected connection hash table may be locked at this point so as to query, by hash lookup in the expected connection hash table, whether the new connection is an expected connection. For example, a complete hash query is performed to match the IP, port and so on and determine whether the new connection is an expected connection. These are standard hash query operations; reference may be made to the prior art, and details are not described herein.
In the expected connection processing method of this embodiment, before determining whether the newly created connection is an expected connection based on the hash query of the expected connection hash table, a part of unexpected connections may be filtered based on the preset bloom filter to reduce the number of locking times of the hash table and the operation that the corresponding hash query matches the expected connection, so as to avoid frequently locking the hash table in the multi-core forwarding architecture to perform the hash lookup operation based on the hash table, and further improve the new creation and forwarding performance.
On the basis of the above embodiments, some embodiments of the present disclosure may further include: and when at least one of the first element value, the second element value and the third element value is zero, not locking the expected connection hash table to end the hash query.
For example, if the calculated hash values are Hash1(key1) = 2, Hash2(key2) = 3 and Hash3(key3) = 7, then, as shown in Table 1, the corresponding second element value is 0. This indicates that the new connection is not in the expected connection hash table, that is, it is not an expected connection, so the expected connection hash table is not locked and the hash query ends. Part of the unexpected connections can therefore be filtered out, which reduces the number of times the hash table is locked and the corresponding hash queries that match expected connections, avoids frequently locking the hash table to perform hash lookups under a multi-core forwarding architecture, and improves new creation and forwarding performance.
In a specific example embodiment, the expected connection processing method process of the embodiment of the present disclosure may include the following steps:
Step 1): create a new bloom filter in which the element value of every position point of the integer array is initially 0. When an expected connection is added, three fast hash functions are calculated over the source IP, destination port and TCP/UDP protocol number of the expected connection, and 1 is added to the element values of the three position points of the integer array hit by the three resulting hash values. Conversely, when an expected connection is deleted, 1 is subtracted from the corresponding element values.
Step 2): when a new connection arrives, obtain its source IP, destination port and TCP/UDP protocol number and calculate the first hash function Hash1 over them to obtain a first hash value. If the element value at the position point of the first hash value Hash1[key1] in the integer array of the bloom filter is 0, the new connection is definitely not in the expected connection hash table and the lookup ends; if the element value is 1, proceed to the second hash function.
Step 3): calculate the second hash function Hash2 over the source IP, destination port and TCP/UDP protocol number of the new connection to obtain a second hash value. If the element value at the position point of the second hash value Hash2[key2] in the integer array of the bloom filter is 0, the new connection is definitely not in the expected connection hash table and the lookup ends; if the element value is 1, proceed to the third hash function.
Step 4): calculate the third hash function Hash3 over the source IP, destination port and TCP/UDP protocol number of the new connection to obtain a third hash value. If the element value at the position point of the third hash value Hash3[key3] in the integer array of the bloom filter is 0, the new connection is definitely not in the expected connection hash table and the lookup ends; if the element value is 1, lock the expected connection hash table so as to perform a complete hash query that matches the IP, port and so on.
If the match succeeds, the element values at the position points corresponding to the hash values Hash1[key1], Hash2[key2] and Hash3[key3] in the bloom filter integer array can each be reduced by 1, so that the steps can be repeated in the next calculation. key1, key2 and key3 all contain the attribute information of the new connection, namely the source IP, destination port and TCP/UDP protocol number.
According to the scheme of the embodiment, part of unexpected connections can be filtered out based on the bloom filter so as to reduce the locking times of the hash table of the expected connections and the operation of correspondingly matching the expected connections, so that the hash table is prevented from being frequently locked under a multi-core forwarding architecture to perform lookup operation based on the hash table, and further the new creation and forwarding performance is improved.
Optionally, in some embodiments of the present disclosure, the element length of the integer array of the preset bloom filter may be a 1-byte integer or a 2-byte integer, but is not limited thereto. The range of a 1-byte integer is 0-255 and the range of a 2-byte integer is 0-65535. In this embodiment, the elements of the integer array of the Bloom filter may be 2-byte integers, which prevents overflow when concurrency is high and hash collisions are severe; 1-byte integers may be used when concurrency is low and hash collisions are mild, so as to save space. These details can be set as needed, for example according to hardware and network load: the more elements there are, the fewer the collisions and the better the hash effect, but the more resources are occupied. These parameters can be determined according to the specific implementation environment, and the embodiment is not limited thereto.
Optionally, on the basis of any of the above embodiments, as shown in fig. 3, some embodiments of the present disclosure may further include the following steps:
Step S301: Before the new connection is received, record the number of elements in the expected connection hash table in an atomic variable.
Step S302: When the new connection is received, if the number of elements recorded by the atomic variable is zero, do not lock the expected connection hash table.
In this embodiment, the number of elements in the expected connection hash table may be recorded in one atomic variable. When the number of elements is 0, no hash lookup is performed, so an unnecessary locking operation is avoided. This avoids frequently locking the hash table for hash lookups under a multi-core forwarding architecture and further improves new-connection setup and forwarding performance.
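A sketch of steps 1) to 4) combined with the atomic element count of S301/S302, as an added example in C that is not code from the patent. The seeded FNV-1a hashes, the array sizes, the spinlock and the linear-scan table are stand-ins chosen here, and pinning a counter once it reaches 255 is an assumed way to handle the overflow that 1-byte counters risk.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BF_SLOTS  1024u   /* Bloom counter array size (assumed) */
#define TBL_SLOTS 64u     /* expected-connection table capacity (assumed) */
struct conn_key { uint32_t src_ip; uint16_t dst_port; uint8_t proto; };

static atomic_uchar bf[BF_SLOTS];    /* 1-byte counters, all 0 initially */
static struct { struct conn_key k; bool used; } tbl[TBL_SLOTS]; /* stand-in table */
static atomic_uint expect_count;     /* S301: number of entries in tbl */
static atomic_flag tbl_lock = ATOMIC_FLAG_INIT;
static unsigned lock_taken;          /* instrumentation: lock acquisitions */
static const uint32_t seeds[3] = { 0x9e3779b9u, 0x85ebca6bu, 0xc2b2ae35u };

/* Seeded FNV-1a over source IP, destination port, protocol: stands in for Hash1..Hash3. */
static uint32_t slot(const struct conn_key *k, int i)
{
    uint64_t v = ((uint64_t)k->src_ip << 24) | ((uint64_t)k->dst_port << 8) | k->proto;
    uint32_t h = 2166136261u ^ seeds[i];
    for (int n = 6; n >= 0; n--) { h ^= (uint8_t)(v >> (8 * n)); h *= 16777619u; }
    return h % BF_SLOTS;
}

/* Step 1: +1 on add, -1 on delete. Called only with tbl_lock held. */
static void bf_update(const struct conn_key *k, int delta)
{
    for (int i = 0; i < 3; i++) {
        atomic_uchar *c = &bf[slot(k, i)];
        int v = atomic_load_explicit(c, memory_order_relaxed);
        if (v != UINT8_MAX && !(v == 0 && delta < 0))  /* pinned at 255; no underflow */
            atomic_store_explicit(c, (unsigned char)(v + delta), memory_order_relaxed);
    }
}

/* Steps 2-4, lock-free: any zero counter means "definitely not expected". */
static bool bf_maybe(const struct conn_key *k)
{
    for (int i = 0; i < 3; i++)
        if (atomic_load_explicit(&bf[slot(k, i)], memory_order_relaxed) == 0) return false;
    return true;
}

static void lock_table(void)
{
    while (atomic_flag_test_and_set_explicit(&tbl_lock, memory_order_acquire)) { }
    lock_taken++;
}
static void unlock_table(void) { atomic_flag_clear_explicit(&tbl_lock, memory_order_release); }

static bool expect_add(const struct conn_key *k)
{
    unsigned i = 0;
    lock_table();
    while (i < TBL_SLOTS && tbl[i].used) i++;          /* first free slot */
    if (i < TBL_SLOTS) {
        tbl[i].k = *k; tbl[i].used = true;
        bf_update(k, +1);
        atomic_fetch_add(&expect_count, 1);
    }
    unlock_table();
    return i < TBL_SLOTS;
}

/* New connection: true if it was expected; a matched entry is consumed. */
static bool expect_match(const struct conn_key *k)
{
    if (atomic_load(&expect_count) == 0 || !bf_maybe(k))
        return false;                 /* S302 / steps 2-4: lock never taken */
    unsigned i = 0;
    lock_table();                     /* full lookup only for a "maybe" */
    while (i < TBL_SLOTS && !(tbl[i].used && tbl[i].k.src_ip == k->src_ip &&
           tbl[i].k.dst_port == k->dst_port && tbl[i].k.proto == k->proto)) i++;
    if (i < TBL_SLOTS) {
        tbl[i].used = false;
        bf_update(k, -1);
        atomic_fetch_sub(&expect_count, 1);
    }
    unlock_table();
    return i < TBL_SLOTS;
}

/* Probe n unexpected sources 10.0.0.1..n; return the lock acquisitions caused. */
static unsigned probe_unexpected(unsigned n)
{
    unsigned before = lock_taken;
    for (unsigned i = 1; i <= n; i++)
        expect_match(&(struct conn_key){ 0x0A000000u | i, 20021, 6 });
    return lock_taken - before;
}

int main(void)
{
    struct conn_key data = { 0x0A0000FAu, 20021, 6 };   /* constructed sample */
    expect_add(&data);
    printf("locks for 200 unexpected probes: %u\n", probe_unexpected(200));
    return expect_match(&data) ? 0 : 1;
}
```

A pinned counter can only cause extra lock acquisitions (a stale "maybe"), never a missed expected connection, which is the safe direction for a filter placed in front of the authoritative table.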
It should be noted that although the various steps of the methods of the present disclosure are depicted in the drawings in a particular order, this does not require or imply that these steps must be performed in this particular order, or that all of the depicted steps must be performed, to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions, etc. Additionally, it will also be readily appreciated that the steps may be performed synchronously or asynchronously, e.g., among multiple modules/processes/threads.
Based on the same concept, an embodiment of the present disclosure further provides an expected connection processing apparatus under a multi-core forwarding architecture. As shown in fig. 4, the expected connection processing apparatus may include: an information obtaining module 401, configured to obtain attribute information of a new connection when the new connection is received; a hash calculation module 402, configured to perform hash calculation on the attribute information based on a preset number of hash functions of a preset bloom filter to obtain a preset number of hash values; a bloom filter module 403, configured to obtain the element values of the position points corresponding to the preset number of hash values in the integer array of the preset bloom filter, wherein the element values of the preset number of position points are preset in the integer array of the preset bloom filter and are determined by matching the preset number of hash values obtained by performing hash calculation on the attribute information of the expected connection with the preset number of hash functions; and a hash query module 404, configured to lock the expected connection hash table when the element values of the position points corresponding to the preset number of hash values are all non-zero, so as to query by hash in the expected connection hash table whether the new connection is an expected connection.
Before a hash query on the expected connection hash table determines whether the new connection is an expected connection, the expected connection processing apparatus of this embodiment may filter out some unexpected connections with the preset bloom filter. This reduces the number of subsequent locks on the hash table and the number of hash queries that match against expected connections, which avoids frequently locking the hash table for hash lookups under a multi-core forwarding architecture and improves new-connection setup and forwarding performance.
In some embodiments of the present disclosure, the attribute information includes at least, but is not limited to, a source IP, a destination port, and an IP protocol number.
In some embodiments of the present disclosure, the value of the preset number may be 2 to 5, but is not limited thereto. In some embodiments of the present disclosure, the predetermined number of hash functions may all be different.
In some embodiments of the present disclosure, the hash calculation module 402 performing hash calculation on the attribute information based on a preset number of hash functions of a preset bloom filter to obtain the preset number of hash values may specifically include: performing hash calculation on the source IP, the destination port and the IP protocol number based on a first hash function to obtain a first hash value; performing hash calculation on the source IP, the destination port and the IP protocol number based on a second hash function to obtain a second hash value; and performing hash calculation on the source IP, the destination port and the IP protocol number based on a third hash function to obtain a third hash value. The bloom filter module 403 obtaining the element values of the position points corresponding to the preset number of hash values in the integer array of the preset bloom filter may specifically include: acquiring a first element value, a second element value and a third element value at the position points in the integer array of the preset bloom filter that correspond to the first hash value, the second hash value and the third hash value respectively. Correspondingly, the hash query module 404 locking the expected connection hash table when the element values of the position points corresponding to the preset number of hash values are all non-zero, so as to query by hash in the expected connection hash table whether the new connection is an expected connection, may specifically include: locking the expected connection hash table when the first element value, the second element value and the third element value are all one, so as to query by hash in the expected connection hash table whether the new connection is an expected connection.
In some embodiments of the disclosure, the hash query module 404 is further configured not to lock the expected connection hash table, and to end the hash query, if at least one of the first, second and third element values is zero.
In some embodiments of the present disclosure, the element length of the integer array of the preset bloom filter may be a 1-byte integer or a 2-byte integer.
In some embodiments of the present disclosure, the method may further include, before receiving the new connection, recording the number of elements in the expected connection hash table based on an atomic variable; the hash query module 404 is further configured to, when the new connection is received, not lock the expected connection hash table if the number of elements recorded in the atomic variable is zero.
The specific manner in which the above-mentioned embodiments of the apparatus, and the corresponding technical effects brought about by the operations performed by the respective modules, have been described in detail in the embodiments related to the method, and will not be described in detail herein.
It should be noted that although several modules or units of the device for action execution are mentioned in the above detailed description, such a division is not mandatory. Indeed, according to embodiments of the present disclosure, the features and functionality of two or more modules or units described above may be embodied in one module or unit. Conversely, the features and functions of one module or unit described above may be further divided so as to be embodied by a plurality of modules or units. The components shown as modules or units may or may not be physical units, i.e. they may be located in one place or may be distributed over a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the disclosed scheme. One of ordinary skill in the art can understand and implement it without inventive effort.
The embodiments of the present disclosure also provide a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the expected connection processing method under the multi-core forwarding architecture described in any of the foregoing embodiments.
By way of example, and not limitation, such readable storage media can be an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The computer readable storage medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable storage medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a readable storage medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
The embodiment of the disclosure also provides an electronic device, which includes a processor and a memory, wherein the memory is used for storing the executable instruction of the processor. Wherein the processor is configured to execute the steps of the expected connection processing method under the multi-core forwarding architecture in any of the above embodiments via execution of the executable instructions.
An electronic device 600 according to this embodiment of the invention is described below with reference to fig. 5. The electronic device 600 shown in fig. 5 is only an example and should not bring any limitation to the functions and the scope of use of the embodiments of the present invention. The electronic device 600 may be a network security device such as, but not limited to, a security router, a firewall, and the like.
As shown in fig. 5, the electronic device 600 is embodied in the form of a general purpose computing device. The components of the electronic device 600 may include, but are not limited to: at least two processing units 610 such as a CPU (not shown), at least one memory unit 620, a bus 630 connecting different system components including the memory unit 620 and the processing units 610, a display unit 640, and the like. In some examples, the display unit 640 (not shown) may not be included.
Wherein the storage unit stores program codes, and the program codes can be executed by the processing unit 610, so that the processing unit 610 executes the steps according to various exemplary embodiments of the present invention described in the connection processing method part under the multi-core forwarding architecture described above in this specification. For example, the processing unit 610 may perform the steps of the method as shown in fig. 1.
The storage unit 620 may include readable media in the form of volatile memory units, such as a random access memory unit (RAM) 6201 and/or a cache memory unit 6202, and may further include a read-only memory unit (ROM) 6203.
The memory unit 620 may also include a program/utility 6204 having a set (at least one) of program modules 6205, such program modules 6205 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
Bus 630 may be one or more of several types of bus structures, including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.
The electronic device 600 may also communicate with one or more external devices 700 (e.g., keyboard, pointing device, bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device 600, and/or with any devices (e.g., router, modem, etc.) that enable the electronic device 600 to communicate with one or more other computing devices. Such communication may occur via an input/output (I/O) interface 650. Also, the electronic device 600 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network such as the Internet) via the network adapter 660. The network adapter 660 may communicate with other modules of the electronic device 600 via the bus 630. It should be appreciated that although not shown in the figures, other hardware and/or software modules may be used in conjunction with the electronic device 600, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a USB disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, or a network device, etc.) to execute the steps of the connection processing method under the multi-core forwarding architecture according to the embodiments of the present disclosure.
It is noted that, in this document, relational terms such as "first" and "second," and the like, may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The foregoing are merely exemplary embodiments of the present disclosure, which enable those skilled in the art to understand or practice the present disclosure. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the disclosure. Thus, the present disclosure is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. An expectation-connection processing method, comprising:
when a new connection is received, acquiring attribute information of the new connection;
performing hash calculation on the attribute information based on a preset number of hash functions of a preset bloom filter to obtain a preset number of hash values;
acquiring element values of corresponding position points of the preset number of hash values in the integer array of the preset bloom filter; the element values of the position points with the preset number are preset in the integer array of the preset bloom filter; the element values of the position points with the preset number are determined by matching the hash values with the preset number, which are obtained by performing hash calculation on the attribute information expected to be connected by the hash functions with the preset number;
and locking the expected connection hash table when the element values of the position points corresponding to the preset number of hash values are all non-zero, so as to query whether the newly-built connection is the expected connection in the expected connection hash table in a hash mode.
2. The expected connection processing method according to claim 1, wherein the attribute information includes a source IP, a destination port, and an IP protocol number.
3. The expected connection processing method according to claim 2, wherein the preset number takes a value of 2 to 5; and/or the preset number of hash functions are different.
4. The expected connection processing method according to claim 3, wherein the hashing the attribute information by a preset number of hash functions based on a preset bloom filter to obtain the preset number of hash values includes:
performing hash calculation on the source IP, the destination port and the IP protocol number based on a first hash function to obtain a first hash value;
performing hash calculation on the source IP, the destination port and the IP protocol number based on a second hash function to obtain a second hash value;
performing hash calculation on the source IP, the destination port and the IP protocol number based on a third hash function to obtain a third hash value;
the obtaining of the element values of the position points corresponding to the hash values of the preset number in the integer array of the preset bloom filter includes:
acquiring a first element value, a second element value and a third element value of a position point of the first hash value, the second hash value and the third hash value respectively corresponding to the integer array of the preset bloom filter;
correspondingly, when all the element values of the position points corresponding to the preset number of hash values are non-zero, locking the expected connection hash table to query whether the newly-created connection is an expected connection in the expected connection hash table in a hash manner, including:
and locking the expected connection hash table when the first element value, the second element value and the third element value are all one, so as to hash in the expected connection hash table to inquire whether the newly-established connection is an expected connection.
5. The expected connection processing method according to claim 4, further comprising:
and when at least one of the first element value, the second element value and the third element value is zero, not locking the expected connection hash table to end the hash query.
6. The expected connection processing method according to any one of claims 1 to 5, wherein the length of the integer array of the preset bloom filter is 1-byte integer or 2-byte integer.
7. The expected connection processing method according to any one of claims 1 to 5, further comprising:
before the newly-built connection is received, recording the number of elements in the expected connection hash table based on an atomic variable;
and when the newly-built connection is received, if the element number recorded by the atomic variable is zero, not locking the expected connection hash table.
8. An expectation-connection processing apparatus comprising:
the information acquisition module is used for acquiring the attribute information of the newly-built connection when receiving the newly-built connection;
the hash calculation module is used for carrying out hash calculation on the attribute information based on a preset number of hash functions of a preset bloom filter to obtain a preset number of hash values;
the bloom filter module is used for acquiring element values of corresponding position points of the preset number of hash values in the integer array of the preset bloom filter; the element values of the position points with the preset number are preset in the integer array of the preset bloom filter; the element values of the position points with the preset number are determined by matching the hash values with the preset number, which are obtained by performing hash calculation on the attribute information expected to be connected by the hash functions with the preset number;
and the hash query module is used for locking the expected connection hash table when all the element values of the position points corresponding to the preset number of hash values are non-zero, so as to query whether the newly-built connection is the expected connection in the expected connection hash table.
9. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of processing an expected connection as claimed in any one of claims 1 to 7.
10. An electronic device, comprising:
a processor; and
a memory for storing executable instructions of the processor;
wherein the processor is configured to perform the steps of the expected connection processing method of any of claims 1-7 via execution of the executable instructions.
CN202010962157.8A 2020-09-14 2020-09-14 Expectation connection processing method, expectation connection processing device, readable storage medium, and electronic device Pending CN112260951A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010962157.8A CN112260951A (en) 2020-09-14 2020-09-14 Expectation connection processing method, expectation connection processing device, readable storage medium, and electronic device

Publications (1)

Publication Number Publication Date
CN112260951A true CN112260951A (en) 2021-01-22

Family

ID=74232225

Country Status (1)

Country Link
CN (1) CN112260951A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070248084A1 (en) * 2006-04-20 2007-10-25 Alcatel Symmetric connection detection
US20100070514A1 (en) * 2008-09-15 2010-03-18 Coremetrics,Inc. System and method of using a bloom filter in a web analytics application
CN101771600A (en) * 2008-12-30 2010-07-07 北京天融信网络安全技术有限公司 Method for concurrently processing join in multi-core systems
CN110263038A (en) * 2019-06-11 2019-09-20 中国人民大学 A kind of Hash multi-table join implementation method based on grouping vector
CN111062013A (en) * 2019-12-18 2020-04-24 北京爱奇艺科技有限公司 Account filtering method and device, electronic equipment and machine-readable storage medium
CN111563199A (en) * 2020-04-26 2020-08-21 北京奇艺世纪科技有限公司 Data processing method and device

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114614948A (en) * 2022-03-16 2022-06-10 广州物联网研究院 LoRa networking method and system
CN114786141A (en) * 2022-04-29 2022-07-22 恒玄科技(上海)股份有限公司 Message filtering method and device in Bluetooth wireless mesh network
CN114786141B (en) * 2022-04-29 2023-11-21 恒玄科技(上海)股份有限公司 Message filtering method and device in Bluetooth wireless mesh network

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210122
