CN113949664B - Circuit for network device and packet processing method - Google Patents


Info

Publication number: CN113949664B
Application number: CN202010679973.8A
Authority: CN (China)
Prior art keywords: acl, rules, rule, field, acl rule
Legal status: Active (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis of it)
Other languages: Chinese (zh)
Other versions: CN113949664A (en)
Inventor: 吴承祐
Current assignee: Realtek Semiconductor Corp (the listed assignee may be inaccurate; Google has not performed a legal analysis of it)
Original assignee: Realtek Semiconductor Corp
Priority date: 2020-07-15 (the priority date is an assumption and not a legal conclusion)
Filing date: 2020-07-15
Publication date: 2022-01-18 (CN113949664A), 2023-04-07 (CN113949664B)

Classifications

All three classifications fall under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L45/745 Address table lookup; address filtering (under H04L45/00 Routing or path finding of packets in data switching networks; H04L45/74 Address processing for routing)
    • H04L49/3009 Header conversion, routing tables or routing tags (under H04L49/00 Packet switching elements; H04L49/30 Peripheral units, e.g. input or output ports)
    • H04L69/18 Multiprotocol handlers, e.g. single devices capable of handling multiple protocols (under H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass)


Abstract

The invention relates to a circuit and a packet processing method used in a network device. The invention discloses a circuit used in a network device, which comprises a memory and an analyzer. The memory stores an ACL lookup table, wherein the ACL lookup table comprises a plurality of ACL rules, each ACL rule at least comprises a comparison field, a control field and a logic operation field, the comparison field comprises the comparison content of a communication protocol, the control field indicates whether the ACL rule needs to be combined with the next ACL rule, and the logic operation field indicates the logic operation used when the ACL rule needs to be combined with the next ACL rule. The analyzer is used for comparing the packets in sequence according to a plurality of ACL rules recorded by the ACL lookup table to generate at least one comparison result for determining the processing mode of the packets.

Description

Circuit for network device and packet processing method
Technical Field
The present invention relates to network devices, and more particularly to network switches or routers.
Background
After a network switch or router receives a packet, it parses the header of the packet to obtain the value of each header field, and then performs table lookups or other processing on those values. For the table lookup operation, the network switch or router internally holds a plurality of lookup tables, and these lookup tables include access control list (ACL) rules for finding packets whose header carries a specific Media Access Control (MAC) address, a specific Internet Protocol (IP) address, or a specific field of another communication protocol, and for processing such packets according to the settings of the matching ACL rule.
In addition, because hardware limitations such as memory size prevent the circuit from checking every field of the header through the ACL rules, the ACL rules are generally classified by communication protocol, such as Media Access Control (MAC), Internet Protocol (IP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP) or others, and only specific fields of the corresponding protocol are compared.
However, such ACL rules have a limitation: when the circuit needs to compare fields of multiple communication protocols at the same time, the required packets cannot be found if no single ACL rule can contain all the fields to be matched. To work around this problem, it is common to send every packet meeting certain conditions to the processor, which then finds the required packets in software; this reduces the overall processing speed and burdens the processor when the number of such packets is large.
Disclosure of Invention
Therefore, the present invention provides a method for analyzing ACL rules of received packets, which adds a control field and a logic operation field in the ACL rules, so that a switch or a router can use hardware to perform a combination judgment of comparison results of the ACL rules, thereby solving the problems described in the prior art.
In one embodiment of the present invention, a circuit for use in a network device is disclosed, which comprises a plurality of ports, a memory, a packet buffer and an analyzer. The memory stores an ACL lookup table, wherein the ACL lookup table includes a plurality of ACL rules, wherein for at least a portion of the ACL rules, each of the at least a portion of the ACL rules includes at least a comparison field, a control field, and a logic operation field, the comparison field includes comparison content of a communication protocol, the control field indicates whether the ACL rule needs to be combined with a next ACL rule, and the logic operation field indicates a logic operation used when the ACL rule needs to be combined with the next ACL rule. The packet buffer is used for temporarily storing a packet received by one of the plurality of ports, and the analyzer is used for sequentially comparing the packet according to the plurality of ACL rules recorded by the ACL lookup table so as to generate at least one comparison result for determining the processing mode of the packet.
In another embodiment of the present invention, a packet processing method applied in a network device is disclosed, which includes: receiving a packet; comparing the packet in sequence according to a plurality of ACL rules recorded by an ACL lookup table to generate at least one comparison result for determining the processing mode of the packet; wherein, for at least a part of the plurality of ACL rules, each of the at least a part of the ACL rules at least comprises a comparison field, a control field and a logic operation field, the comparison field comprises comparison content of a communication protocol, the control field indicates whether the ACL rule needs to be combined with the next ACL rule, and the logic operation field indicates a logic operation used when the ACL rule needs to be combined with the next ACL rule.
Drawings
Fig. 1 is a schematic diagram of a network device according to an embodiment of the invention.
FIG. 2 is a diagram of an ACL lookup table according to an embodiment of the present invention.
Fig. 3 is a flow chart of analyzing a received packet according to an embodiment of the invention.
Detailed Description
Fig. 1 is a schematic diagram of a network device 100 according to an embodiment of the invention, where the network device 100 may be a switch or a router in this embodiment. As shown in fig. 1, the network device 100 includes a processor 102, a memory controller 104, a Dynamic Random Access Memory (DRAM) 106 and a circuit 110, wherein the circuit 110 includes a processor port 112, a plurality of ports 114_1 to 114_n, a packet buffer 120, a control circuit 130, an analyzer 140, a memory 150 including at least one lookup table 152, and a Direct Memory Access (DMA) controller 160. Fig. 1 is only an example, and the network device 100 is not limited to being a switch or a router. In the circuit 110, the processor port 112 is connected to the processor 102 and the memory controller 104 through at least one bus 108, the ports 114_1 to 114_n are each connected to other electronic devices through a local area network or a wide area network, the packet buffer 120 is used to temporarily store packets arriving from outside and waiting to be forwarded, and the memory controller 104 is used to receive instructions on the bus 108 and perform write or read operations on the DRAM 106.
In the present embodiment, the lookup table 152 includes an ACL lookup table, and the ACL lookup table includes a plurality of ACL rules. Fig. 2 is a diagram of an ACL lookup table 200 according to an embodiment of the invention. As shown in fig. 2, the lookup table 152 includes a plurality of ACL rules, and each ACL rule includes at least the four fields shown, namely an index field, a comparison field, a control field and a logical operation field. The index field indicates the index value of each ACL rule, and the analyzer 140 performs the analysis sequentially in the order of the index values. The comparison field indicates what needs to be matched in the header of the received packet, such as the MAC address, IP address, TCP port, UDP port, Virtual Local Area Network (VLAN) status, Ethernet type, etc. The control field indicates whether the rule is to be combined with the next ACL rule: as illustrated in fig. 2, the control field of the first ACL rule has the logic value "1", so the comparison result of the MAC address in the first ACL rule needs to be combined with the comparison result of the IP address in the second ACL rule; the control field of the fourth ACL rule has the logic value "0", so the comparison result of the fourth ACL rule on the VLAN status does not need to be combined with the comparison result of the fifth ACL rule on the Ethernet type. The logical operation field indicates which logical operation the combination signalled by the control field uses, for example "AND" or "OR". Taking fig. 2 as an example, because the logical operation fields of the first and second ACL rules are both "AND", the comparison result of the MAC address in the first ACL rule, the comparison result of the IP address in the second ACL rule, and the comparison result of the TCP port in the third ACL rule are combined with an "AND" operation, that is, all three comparison results must be satisfied simultaneously; in addition, the logical operation fields of the third and fourth ACL rules are blank or invalid, which means that the fourth and fifth ACL rules are each judged independently without being combined with the previous ACL rule.
In the embodiment shown in fig. 2, the comparison field in each ACL rule only includes comparison contents corresponding to a single communication protocol, but the invention is not limited thereto.
It should be noted that the ACL rules in the ACL lookup table 200 shown in fig. 2 are only illustrative examples and are not meant to limit the present invention. In addition, the ACL lookup table 200 further includes relevant details of the comparison fields, such as which range the MAC address checked by the first ACL rule must fall into or which specific MAC addresses it must equal, as well as the subsequent processing of a packet based on the comparison result of the ACL rule (for example, which port the packet is forwarded to, or whether the packet is discarded/blocked). Since the present invention focuses on the control field and the logical operation field in the ACL lookup table 200, and the details of the comparison fields and the subsequent processing are well known to those skilled in the art, the present embodiment only describes the operation of the control field and the logical operation field.
Fig. 3 is a flow chart of analyzing a received packet according to an embodiment of the invention. At step 300, the process begins. In step 302, the circuit 110 receives a packet through one of the ports 114_1 to 114_n and temporarily stores the packet in the packet buffer 120, and the analyzer 140 prepares to analyze the header content of the packet by using the ACL lookup table 200; at this time the analyzer 140 presets several internal parameters as follows: i = 1, RESULT = 0, OP = OR, where the parameter i represents the index value of the ACL rule, the parameter RESULT represents the comparison result, and the parameter OP represents the logical operation. In step 304, the analyzer 140 selects the i-th ACL rule according to the parameter i; since the current parameter i is "1", the analyzer 140 retrieves the MAC address from the packet header, compares it against the first ACL rule, and generates a comparison result RESULT_i. In step 306, the analyzer 140 performs the logical operation OP (in this case, an OR operation) on the comparison result RESULT_i and the parameter RESULT, and updates the parameter RESULT with the operation result. In step 308, the analyzer 140 checks the control field of the i-th ACL rule to determine whether to combine with the (i + 1)-th ACL rule; if yes, the flow goes to step 310; if not, the flow proceeds to step 312. At step 310, the analyzer 140 sets the parameters as follows: i = (i + 1), OP = OP(i), where OP(i) refers to the logical operation in the logical operation field of the i-th ACL rule, i.e. OP(i) is an AND operation in the example of the first ACL rule, and then the flow returns to step 302 to continue comparing the next ACL rule.
In the process of returning to step 302 to compare the second ACL rule (steps 302 to 306), the analyzer 140 loads the IP address recorded in the packet header from the packet buffer 120 and compares the packet's IP address to generate a comparison result RESULT_i (i.e., RESULT_2), and the analyzer 140 performs the logical operation ("AND") on the comparison result RESULT_2 and the parameter RESULT and updates the parameter RESULT with the operation result. Then, the process goes back to step 302 after steps 308 and 310 to compare the third ACL rule. In the process of comparing the third ACL rule (steps 302 to 306), the analyzer 140 loads the TCP port recorded in the packet header from the packet buffer 120 and compares the packet's TCP port to generate a comparison result RESULT_i (i.e., RESULT_3), and the analyzer 140 performs the logical operation ("AND") on the comparison result RESULT_3 and the parameter RESULT, and updates the parameter RESULT with the operation result. Then, the flow proceeds to step 312 via step 308.
In step 312, the analyzer 140 uses the current parameter RESULT as the final comparison result, and the analyzer 140 or the control circuit 130 determines the packet processing method according to this comparison result: for example, the packet is transmitted from one of the ports 114_1 to 114_n to another network device, the packet is discarded, or the packet is transmitted to the DRAM 106 so that the processor 102 can further determine the packet processing method in software.
In addition, taking the ACL rules shown in fig. 2 as an example, after the analyzer 140 processes the third ACL rule, the analyzer 140 outputs the parameter RESULT as the final comparison result, and the parameter RESULT at this time is the result of performing the AND operation on the comparison results of the first, second, and third ACL rules. On the other hand, after the analyzer 140 processes the third ACL rule, the analyzer 140 continues to compare the fourth ACL rule, and the process may return to step 302 with the parameters reset as follows: i = 4, RESULT = 0, OP = OR.
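As an added illustration (not Realtek's circuit and not code from the patent), the following Python models the analyzer's i / RESULT / OP state machine of steps 302 to 312 over a constructed table shaped like fig. 2, and generalizes it to any number of rule groups and to a blank logic operation field. The header encoding, the CIDR-style matching of the IP comparison content and the exact-match semantics for ports, VLAN and Ethernet type are assumptions; only the control field, the logic operation field and the reset-to-OR behaviour come from the text.

```python
"""Software model of the chained-ACL analyzer described for fig. 2 and fig. 3.

Added illustration, not the patented hardware. Rule layout, header field
names and the matching rules are assumptions; the control field, the logic
operation field and the i / RESULT / OP state machine follow the text.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple

# Logical operations a logic operation field may name. The text mentions
# "AND" and "OR"; the table stores the name, the analyzer applies it.
LOGIC_OPS: Dict[str, Callable[[int, int], int]] = {
    "OR": lambda a, b: a | b,
    "AND": lambda a, b: a & b,
}


@dataclass(frozen=True)
class AclRule:
    index: int          # index field: rules are walked in this order
    protocol: str       # which header field the comparison field refers to
    match: str          # comparison content (assumed encoding, see compare())
    control: int        # 1 = combine with the next rule, 0 = group ends here
    op: Optional[str]   # logic operation for the combination, None if blank


def compare(header: dict, rule: AclRule) -> int:
    """Compare one header field against one rule; returns 1 (hit) or 0."""
    if rule.protocol == "mac":
        return int(header.get("mac", "").lower() == rule.match.lower())
    if rule.protocol == "ip":          # match is a CIDR range (assumption)
        return int(ip_address(header["ip"]) in ip_network(rule.match))
    if rule.protocol in ("tcp_port", "udp_port", "vlan", "ethertype"):
        return int(str(header.get(rule.protocol)) == rule.match)
    raise ValueError(f"unknown protocol {rule.protocol!r}")


def analyze(header: dict, table: List[AclRule]) -> List[Tuple[int, int]]:
    """Steps 302-312: returns (index of last rule in group, RESULT) pairs."""
    results = []
    rules = sorted(table, key=lambda r: r.index)
    i, result, op = 0, 0, "OR"        # step 302 presets (0-based index here)
    while i < len(rules):
        rule = rules[i]
        result_i = compare(header, rule)              # step 304
        result = LOGIC_OPS[op](result, result_i)      # step 306
        if rule.control == 1 and i + 1 < len(rules):  # step 308 -> step 310
            op = rule.op or "OR"      # blank field: fall back to the preset
            i += 1
            continue
        results.append((rule.index, result))          # step 312: final RESULT
        i, result, op = i + 1, 0, "OR"                # reset for next group
    return results


# Constructed table mirroring the fig. 2 walk-through: rules 1-3 chained with
# AND, rules 4 and 5 judged independently.
FIG2_TABLE = [
    AclRule(1, "mac", "00:11:22:33:44:55", 1, "AND"),
    AclRule(2, "ip", "10.0.0.0/8", 1, "AND"),
    AclRule(3, "tcp_port", "443", 0, None),
    AclRule(4, "vlan", "100", 0, None),
    AclRule(5, "ethertype", "0x0800", 0, None),
]

# Constructed headers: one satisfying every rule, one whose IP misses rule 2
# so the AND-combined group 1-3 fails although rules 1 and 3 hit.
FULL_HIT = {"mac": "00:11:22:33:44:55", "ip": "10.1.2.3",
            "tcp_port": 443, "vlan": 100, "ethertype": "0x0800"}
WRONG_IP = dict(FULL_HIT, ip="192.168.1.1")


if __name__ == "__main__":
    print(analyze(FULL_HIT, FIG2_TABLE))   # [(3, 1), (4, 1), (5, 1)]
    print(analyze(WRONG_IP, FIG2_TABLE))   # [(3, 0), (4, 1), (5, 1)]
```

The second run shows the point of the combined judgment: rule 1 and rule 3 both hit, but the AND chain reports 0 for the group because rule 2 missed, which a single-protocol ACL rule alone could not express.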
In the above embodiment, by additionally setting the control field and the logical operation field in the ACL lookup table 200, the hardware (i.e., the analyzer 140) can directly compare the fields corresponding to the plurality of different communication protocols in the packet header to properly process the packet. In addition, since the analyzer 140 and the control circuit 130 can determine the subsequent processing of the packet, the probability that the packet needs to be transferred to the DRAM 106 and judged by software through the processor 102 can be greatly reduced, so as to increase the overall packet processing speed and reduce the burden on the processor 102.
The above-mentioned embodiments are only preferred embodiments of the present invention, and all equivalent changes and modifications made according to the claims of the present invention should be covered by the present invention.
Description of the reference numerals
100: network device
102: processor
104: memory controller
106: DRAM
108: bus
110: circuit
112: processor port
114_1: first port
114_2: second port
114_N: N-th port
120: packet buffer
130: control circuit
140: analyzer
150: memory
152: lookup table
160: DMA controller
200: ACL lookup table
300 to 312: steps

Claims (9)

1. A circuit for use in a network device, comprising:
a plurality of ports;
a memory storing an Access Control List (ACL) lookup table, wherein the ACL lookup table includes a plurality of ACL rules, wherein for at least a part of the ACL rules, each of the at least a part of the ACL rules at least includes a comparison field, a control field and a logic operation field, the comparison field includes a comparison content of a communication protocol, the control field indicates whether the ACL rule needs to be combined with a next ACL rule, and the logic operation field indicates a logic operation used when the ACL rule needs to be combined with the next ACL rule;
a packet buffer for temporarily storing a packet received by one of the plurality of ports; and
an analyzer for sequentially comparing the packet according to the plurality of ACL rules recorded in the ACL lookup table to generate at least one comparison result for determining the processing mode of the packet, wherein the analyzer sequentially compares the plurality of ACL rules from a first ACL rule of the plurality of ACL rules to the packet until a specific ACL rule is compared, and outputs the at least one comparison result, wherein the control field of the specific ACL rule indicates that the specific ACL rule does not need to be combined with the next ACL rule.
2. The circuit of claim 1, wherein the comparison fields of the ACL rules include comparison contents of different communication protocols.
3. The circuit of claim 2, wherein the plurality of comparison fields in the plurality of ACL rules include at least a portion of a Media Access Control (MAC) address, an Internet Protocol (IP) address, a Transmission Control Protocol (TCP) port, and a User Datagram Protocol (UDP) port.
4. The circuit of claim 2, wherein the comparison field in each ACL rule in the at least a portion of the ACL rules contains only comparison content corresponding to a single communication protocol.
5. The circuit of claim 1, wherein the operation of generating the at least one comparison result is performed only by the analyzer and not assisted by software via a processor.
6. The circuit of claim 1, wherein the network device is a switch or a router.
7. A packet processing method for use in a network device, comprising:
receiving a packet;
comparing the packet in sequence according to a plurality of Access Control List (ACL) rules recorded in an ACL lookup table to generate at least one comparison result for determining the processing mode of the packet;
wherein for at least a part of the plurality of ACL rules, each ACL rule of the at least a part of ACL rules at least includes a comparison field, a control field and a logic operation field, the comparison field includes comparison content of a communication protocol, the control field indicates whether the ACL rule needs to be combined with the next ACL rule, and the logic operation field indicates a logic operation used when the ACL rule needs to be combined with the next ACL rule;
temporarily storing a packet received by one of the plurality of ports through the packet buffer;
comparing the packet in sequence through an analyzer according to the plurality of ACL rules recorded by the ACL lookup table to generate at least one comparison result for determining the processing mode of the packet; and
comparing the packet by the analyzer using the plurality of ACL rules in sequence from a first ACL rule of the plurality of ACL rules until a specific ACL rule is compared, and outputting the at least one comparison result, wherein the control field of the specific ACL rule indicates that the specific ACL rule does not need to be combined with a next ACL rule.
8. The method of claim 7, wherein the comparison fields of the ACL rules contain comparison contents of different protocols.
9. The method of claim 8, wherein the comparison field of each of the at least a portion of the ACL rules contains only comparison content corresponding to a single communication protocol.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010679973.8A CN113949664B (en) 2020-07-15 2020-07-15 Circuit for network device and packet processing method


Publications (2)

Publication Number Publication Date
CN113949664A CN113949664A (en) 2022-01-18
CN113949664B true CN113949664B (en) 2023-04-07





Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant