CN113949664B - Circuit for network device and packet processing method - Google Patents
- Publication number: CN113949664B (application CN202010679973.8A)
- Authority
- CN
- China
- Prior art keywords
- acl
- rules
- rule
- field
- acl rule
- Legal status: Active (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L45/00—Routing or path finding of packets in data switching networks
- H04L45/74—Address processing for routing
- H04L45/745—Address table lookup; Address filtering
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L49/00—Packet switching elements
- H04L49/30—Peripheral units, e.g. input or output ports
- H04L49/3009—Header conversion, routing tables or routing tags
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/18—Multiprotocol handlers, e.g. single devices capable of handling multiple protocols
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention relates to a circuit and a packet processing method used in a network device. The invention discloses a circuit used in a network device, which comprises a memory and an analyzer. The memory stores an ACL lookup table, wherein the ACL lookup table comprises a plurality of ACL rules, each ACL rule at least comprises a comparison field, a control field and a logic operation field, the comparison field comprises the comparison content of a communication protocol, the control field indicates whether the ACL rule needs to be combined with the next ACL rule, and the logic operation field indicates the logic operation used when the ACL rule needs to be combined with the next ACL rule. The analyzer is used for comparing the packets in sequence according to a plurality of ACL rules recorded by the ACL lookup table to generate at least one comparison result for determining the processing mode of the packets.
Description
Technical Field
The present invention relates to network devices, and more particularly to network switches or routers.
Background
After a network switch or router receives a packet, it parses the packet header to obtain the value of each header field and then uses those values for table lookup or other processing. For the table lookup, the switch or router holds a number of internal lookup tables, including access control list (ACL) rules that identify packets whose header carries a particular Media Access Control (MAC) address, Internet Protocol (IP) address, or a specific field of another communication protocol, and processes a matching packet according to the action configured for that ACL rule.
In addition, because hardware limitations such as memory size prevent the circuit from checking every header field with one ACL rule, ACL rules are generally classified by protocol, such as Media Access Control (MAC), Internet Protocol (IP), Transmission Control Protocol (TCP) or User Datagram Protocol (UDP), and each rule compares only specific fields of that protocol.
This leads to a limitation: when the circuit needs to compare fields of several communication protocols at once, the wanted packet cannot be identified unless a single ACL rule happens to cover all the fields to be matched. The usual workaround is to send every packet that meets some coarse condition to the processor and pick out the wanted packets in software, which lowers overall throughput and, when the packet rate is high, overloads the processor.
Disclosure of Invention
The present invention therefore provides a method for evaluating ACL rules against received packets that adds a control field and a logic operation field to each ACL rule, so that a switch or router can combine the comparison results of several ACL rules in hardware and avoid the software fallback described above.
In one embodiment of the present invention, a circuit for use in a network device is disclosed, which comprises a plurality of ports, a memory, a packet buffer and an analyzer. The memory stores an ACL lookup table, wherein the ACL lookup table includes a plurality of ACL rules, wherein for at least a portion of the ACL rules, each of the at least a portion of the ACL rules includes at least a comparison field, a control field, and a logic operation field, the comparison field includes comparison content of a communication protocol, the control field indicates whether the ACL rule needs to be combined with a next ACL rule, and the logic operation field indicates a logic operation used when the ACL rule needs to be combined with the next ACL rule. The packet buffer is used for temporarily storing a packet received by one of the plurality of ports, and the analyzer is used for sequentially comparing the packet according to the plurality of ACL rules recorded by the ACL lookup table so as to generate at least one comparison result for determining the processing mode of the packet.
In another embodiment of the present invention, a packet processing method applied in a network device is disclosed, which includes: receiving a packet; comparing the packet in sequence according to a plurality of ACL rules recorded by an ACL lookup table to generate at least one comparison result for determining the processing mode of the packet; wherein, for at least a part of the plurality of ACL rules, each of the at least a part of the ACL rules at least comprises a comparison field, a control field and a logic operation field, the comparison field comprises comparison content of a communication protocol, the control field indicates whether the ACL rule needs to be combined with the next ACL rule, and the logic operation field indicates a logic operation used when the ACL rule needs to be combined with the next ACL rule.
Drawings
Fig. 1 is a schematic diagram of a network device according to an embodiment of the invention.
FIG. 2 is a diagram of an ACL lookup table according to an embodiment of the present invention.
Fig. 3 is a flow chart of analyzing a received packet according to an embodiment of the invention.
Detailed Description
Fig. 1 is a schematic diagram of a network device 100 according to an embodiment of the invention; in this embodiment the network device 100 may be a switch or a router. As shown in fig. 1, the network device 100 includes a processor 102, a memory controller 104, a Dynamic Random Access Memory (DRAM) 106 and a circuit 110, where the circuit 110 includes a processor port 112, a plurality of ports 114_1 to 114_N, a packet buffer 120, a control circuit 130, an analyzer 140, a memory 150 holding at least one lookup table 152, and a Direct Memory Access (DMA) controller 160. Fig. 1 is only an example, and the network device 100 is not limited to a switch or a router. In the circuit 110, the processor port 112 is connected to the processor 102 and the memory controller 104 through at least one bus 108; the ports 114_1 to 114_N are each connected to other electronic devices over a local area network or a wide area network; the packet buffer 120 temporarily stores packets arriving from outside that are waiting to be forwarded; and the memory controller 104 receives instructions on the bus 108 and performs write or read operations on the DRAM 106.
In the present embodiment, the lookup table 152 includes an ACL lookup table, and the ACL lookup table includes a plurality of ACL rules. Fig. 2 is a diagram of an ACL lookup table 200 according to an embodiment of the invention. As shown in fig. 2, the ACL lookup table 200 includes a plurality of ACL rules, each of which has at least the four fields drawn in the figure: an index field, a comparison field, a control field and a logical operation field. The index field holds the index value of each ACL rule, and the analyzer 140 evaluates the rules in the order of their index values. The comparison field states what is to be matched in the header of the received packet, such as the MAC address, IP address, TCP port, UDP port, Virtual Local Area Network (VLAN) status, Ethernet type, and so on. The control field states whether the rule is to be combined with the next ACL rule. In fig. 2 the control field of the first ACL rule holds the logic value "1", so the MAC-address comparison result of the first rule must be combined with the IP-address comparison result of the second rule; the control field of the fourth ACL rule holds "0", so the VLAN-status comparison result of the fourth rule is not combined with the Ethernet-type comparison result of the fifth rule. The logical operation field states which logical operation (for example AND or OR) the combination indicated by the control field uses. Taking fig. 2 as an example, because the logical operation fields of the first and second ACL rules both hold AND, the MAC-address comparison result of the first rule, the IP-address comparison result of the second rule and the TCP-port comparison result of the third rule are combined with AND, that is, all three comparisons must be satisfied at the same time; the logical operation fields of the third and fourth ACL rules are blank or invalid, which means that the fourth and fifth ACL rules are judged independently and are not combined with the rule before them.
In the embodiment shown in fig. 2, the comparison field in each ACL rule only includes comparison contents corresponding to a single communication protocol, but the invention is not limited thereto.
It should be noted that the ACL rules in the ACL lookup table 200 of fig. 2 are illustrative only and do not limit the invention. The ACL lookup table 200 also holds the detailed comparison content of each comparison field, for example whether the MAC address checked by the first ACL rule must lie in a given range or equal certain MAC addresses, and the subsequent processing to apply according to the comparison result of the ACL rule (for example, which port the packet is forwarded to, or whether the packet is discarded/blocked). Since the invention focuses on the control field and the logical operation field of the ACL lookup table 200, and the details of the comparison fields and of the subsequent processing are well known to those skilled in the art, this embodiment describes only the operation of the control field and the logical operation field.
Fig. 3 is a flow chart of analyzing a received packet according to an embodiment of the invention. At step 300 the process begins. In step 302, the circuit 110 receives a packet through one of the ports 114_1 to 114_N and stores it temporarily in the packet buffer 120, and the analyzer 140 prepares to analyze the header content of the packet using the ACL lookup table 200; at this point the analyzer 140 initializes the following internal parameters: i = 1, RESULT = 0, OP = OR, where i is the index value of the ACL rule, RESULT is the accumulated comparison result, and OP is the logical operation to apply. In step 304, the analyzer 140 selects the i-th ACL rule according to i; since i is "1", the analyzer 140 reads the MAC address from the packet header, compares it against the first ACL rule, and produces a comparison result RESULT_i. In step 306, the analyzer 140 applies the logical operation OP (here OR) to RESULT_i and RESULT and stores the outcome back in RESULT; with RESULT initialized to 0 and OP to OR, this first step simply leaves RESULT = RESULT_1. In step 308, the analyzer 140 checks the control field of the i-th ACL rule to decide whether it is to be combined with the (i+1)-th ACL rule; if so, the flow goes to step 310, otherwise to step 312. In step 310, the analyzer 140 sets OP to OP(i), the logical operation recorded in the logical operation field of the ACL rule just compared (AND for the first ACL rule of fig. 2), increments i to i + 1, and the flow returns to step 302 to continue with the next ACL rule.
After the flow returns to step 302 for the second ACL rule (steps 302 to 306), the analyzer 140 loads the IP address recorded in the packet header from the packet buffer 120, compares it against the second ACL rule to produce the comparison result RESULT_i (here RESULT_2), applies the logical operation (now AND) to RESULT_2 and RESULT, and stores the outcome in RESULT. The flow then passes through steps 308 and 310 and returns to step 302 for the third ACL rule. While comparing the third ACL rule (steps 302 to 306), the analyzer 140 loads the TCP port recorded in the packet header from the packet buffer 120, compares it against the third ACL rule to produce RESULT_i (here RESULT_3), applies the AND operation to RESULT_3 and RESULT, and stores the outcome in RESULT. Because the control field of the third ACL rule is "0", the flow then proceeds from step 308 to step 312.
In step 312, the analyzer 140 takes the current value of RESULT as the final comparison result, and the analyzer 140 or the control circuit 130 decides how the packet is processed according to it, for example forwarding the packet from one of the ports 114_1 to 114_N to another network device, discarding the packet, or transferring the packet to the DRAM 106 so that the processor 102 can decide the processing in software.
Taking the ACL rules of fig. 2 as an example, after processing the third ACL rule the analyzer 140 outputs RESULT as the final comparison result, and at that point RESULT is the AND of the comparison results of the first, second and third ACL rules. Having processed the third ACL rule, the analyzer 140 then goes on to compare the fourth ACL rule: the flow returns to step 302 and the parameters are reset to i = 4, RESULT = 0, OP = OR, so the fourth rule starts a new chain that is judged on its own.
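The table of fig. 2 and the flow of fig. 3 as a software model, added here as an example and not code from the patent. The comparison contents, the header field names, the per-rule actions, and the choice that a chain applies the action of its last rule are all constructed for illustration; the patent specifies none of them. Because the chain boundary is set only by the control field, a rule whose control field is 1 but whose logical operation field is blank, or a 1 left on what should be the last rule of a chain, changes which rules are combined and which action applies; the validate() function flags the first case before a table is loaded, and fig2_rules() lets you reproduce the second.

```python
"""Software model of the chained-ACL lookup of Fig. 2 and Fig. 3.

Added example, not code from the patent. The comparison contents, the packet
header fields, the per-rule actions and the choice that a chain takes the
action of its last rule are all constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Logical operations the logic operation field may name. The patent gives
# AND and OR as examples; a blank field means "no combination".
OPS: Dict[str, Callable[[bool, bool], bool]] = {
    "AND": lambda a, b: a and b,
    "OR": lambda a, b: a or b,
}


@dataclass(frozen=True)
class AclRule:
    index: int                          # index field: evaluation order
    field: str                          # header field the comparison field refers to
    match: Callable[[object], bool]     # comparison content (exact value, range, set, ...)
    control: int                        # control field: 1 = combine with rule index + 1
    op: Optional[str]                   # logic operation field, None when blank
    action: str                         # subsequent processing when the chain's RESULT is 1
                                        # (assumption: the last rule of a chain carries it)


def validate(rules: List[AclRule]) -> List[str]:
    """Static checks to run before loading a table; returns the problems found.

    A control field of 1 with a blank logic operation field, or a 1 on the
    last rule of the table, leaves the analyzer without a defined next step.
    """
    problems = []
    last = len(rules) - 1
    for pos, rule in enumerate(rules):
        if rule.index != pos + 1:
            problems.append(f"rule at position {pos} has index {rule.index}, expected {pos + 1}")
        if rule.control == 1 and rule.op not in OPS:
            problems.append(f"rule {rule.index}: control=1 but logic operation field is blank")
        if rule.control == 1 and pos == last:
            problems.append(f"rule {rule.index}: last rule has control=1 but there is no next rule")
    return problems


def evaluate(rules: List[AclRule], hdr: Dict[str, object]) -> List[Tuple[int, int, bool, str]]:
    """Walk the table in index order exactly as the flow chart of Fig. 3 does.

    Returns one entry per chain: (first index, last index, RESULT, action).
    """
    problems = validate(rules)
    if problems:
        raise ValueError("; ".join(problems))
    chains = []
    i = 0
    while i < len(rules):
        first = i
        result, op = False, "OR"                        # step 302: RESULT = 0, OP = OR
        while True:
            rule = rules[i]
            result_i = rule.match(hdr.get(rule.field))  # step 304: compare the field of rule i
            result = OPS[op](result, result_i)          # step 306: RESULT = RESULT OP RESULT_i
            if rule.control != 1:                       # step 308: control field says stop
                break
            op = rule.op                                # step 310: OP = OP(i), then i = i + 1
            i += 1
        chains.append((rules[first].index, rules[i].index, result, rules[i].action))  # step 312
        i += 1                                          # next chain restarts with RESULT = 0, OP = OR
    return chains


def fig2_rules(rule3: Tuple[int, Optional[str]] = (0, None)) -> List[AclRule]:
    """The five-rule table of Fig. 2 with constructed comparison contents.

    `rule3` is the (control, op) pair of the third rule; the default (0, None)
    is the table as drawn. Passing (1, "AND") shows how a stray 1 in the control
    field silently extends the first chain over the VLAN rule and changes the
    action taken on the packet.
    """
    allowed_macs = {"00:11:22:33:44:55", "00:11:22:33:44:66"}
    net = ipaddress.ip_network("10.0.0.0/24")
    control3, op3 = rule3
    return [
        AclRule(1, "src_mac", lambda v: v in allowed_macs, 1, "AND", "permit"),
        AclRule(2, "dst_ip",
                lambda v: v is not None and ipaddress.ip_address(v) in net, 1, "AND", "permit"),
        AclRule(3, "tcp_dport", lambda v: v == 22, control3, op3, "drop"),
        AclRule(4, "vlan", lambda v: v == 100, 0, None, "trap_to_cpu"),
        AclRule(5, "ethertype", lambda v: v == 0x86DD, 0, None, "drop"),
    ]


# Constructed header of one received packet.
PACKET: Dict[str, object] = {
    "src_mac": "00:11:22:33:44:55",
    "dst_ip": "10.0.0.7",
    "tcp_dport": 22,
    "vlan": 100,
    "ethertype": 0x0800,
}

if __name__ == "__main__":
    for chain in evaluate(fig2_rules(), PACKET):
        print(chain)
```

With the table as drawn, the packet above satisfies the MAC AND IP AND TCP-port chain (rules 1 to 3) and the stand-alone VLAN rule, and fails the stand-alone Ethernet-type rule. Rewriting rule 3 with control 1 and AND merges rule 4 into the first chain, so the same packet is now handled by rule 4's action instead of rule 3's; a control bit of 1 with a blank logical operation field is rejected by validate() rather than evaluated.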
In the above embodiment, by additionally setting the control field and the logical operation field in the ACL lookup table 200, the hardware (i.e., the analyzer 140) can directly compare the fields corresponding to the plurality of different communication protocols in the packet header to properly process the packet. In addition, since the analyzer 140 and the control circuit 130 can determine the subsequent processing of the packet, the probability that the packet needs to be transferred to the DRAM 106 and judged by software through the processor 102 can be greatly reduced, so as to increase the overall packet processing speed and reduce the burden on the processor 102.
The above-mentioned embodiments are only preferred embodiments of the present invention, and all equivalent changes and modifications made according to the claims of the present invention should be covered by the present invention.
Description of the reference numerals
100: network device
102: processor
104: memory controller
106: DRAM
108: bus
110: circuit
112: processor port
114_1: first port
114_2: second port
114_N: N-th port
120: packet buffer
130: control circuit
140: analyzer
150: memory
152: lookup table
160: DMA controller
200: ACL lookup table
300 to 312: steps
Claims (9)
1. A circuit for use in a network device, comprising:
a plurality of ports;
a memory storing an Access Control List (ACL) lookup table, wherein the ACL lookup table includes a plurality of ACL rules, wherein for at least a part of the ACL rules, each of the at least a part of the ACL rules at least includes a comparison field, a Control field and a logic operation field, the comparison field includes a comparison content of a communication protocol, the Control field indicates whether the ACL rule needs to be combined with a next ACL rule, and the logic operation field indicates a logic operation used when the ACL rule needs to be combined with the next ACL rule;
a packet buffer for temporarily storing a packet received by one of the plurality of ports; and
an analyzer for sequentially comparing the packet according to the plurality of ACL rules recorded in the ACL lookup table to generate at least one comparison result for determining the processing mode of the packet, wherein the analyzer sequentially compares the plurality of ACL rules from a first ACL rule of the plurality of ACL rules to the packet until a specific ACL rule is compared, and outputs the at least one comparison result, wherein the control field of the specific ACL rule indicates that the specific ACL rule does not need to be combined with the next ACL rule.
2. The circuit of claim 1, wherein the comparison fields of the ACL rules include comparison contents of different communication protocols.
3. The circuit of claim 2, wherein the plurality of comparison fields in the plurality of ACL rules include at least a portion of a Media Access Control (MAC) address, an Internet Protocol (IP) address, a Transmission Control Protocol (TCP) port, and a User Datagram Protocol (UDP) port.
4. The circuit of claim 2, wherein the comparison field in each ACL rule in the at least a portion of the ACL rules contains only comparison content corresponding to a single communication protocol.
5. The circuit of claim 1, wherein the operation of generating the at least one comparison result is performed only by the analyzer and not assisted by software via a processor.
6. The circuit of claim 1, wherein the network device is a switch or a router.
7. A packet processing method for use in a network device, comprising:
receiving a packet;
comparing the packet in sequence according to a plurality of Access Control List (ACL) rules recorded in an ACL lookup table to generate at least one comparison result for determining the processing mode of the packet;
wherein for at least a part of the plurality of ACL rules, each ACL rule of the at least a part of ACL rules at least includes a comparison field, a control field and a logic operation field, the comparison field includes comparison content of a communication protocol, the control field indicates whether the ACL rule needs to be combined with the next ACL rule, and the logic operation field indicates a logic operation used when the ACL rule needs to be combined with the next ACL rule;
temporarily storing the packet received by one of a plurality of ports in a packet buffer;
comparing the packet in sequence by an analyzer according to the plurality of ACL rules recorded in the ACL lookup table to generate the at least one comparison result for determining the processing mode of the packet; and
comparing the packet by the analyzer using the plurality of ACL rules in sequence from a first ACL rule of the plurality of ACL rules until a specific ACL rule is compared, and outputting the at least one comparison result, wherein the control field of the specific ACL rule indicates that the specific ACL rule does not need to be combined with a next ACL rule.
8. The method of claim 7, wherein the comparison fields of the ACL rules contain comparison contents of different communication protocols.
9. The method of claim 8, wherein the comparison field of each of the at least a portion of the ACL rules contains only comparison content corresponding to a single communication protocol.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010679973.8A CN113949664B (en) | 2020-07-15 | 2020-07-15 | Circuit for network device and packet processing method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113949664A CN113949664A (en) | 2022-01-18 |
CN113949664B true CN113949664B (en) | 2023-04-07 |
Family
ID=79326109
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113949664B (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101146027A (en) * | 2006-09-14 | 2008-03-19 | 中兴通讯股份有限公司 | Method based on access control list category |
CN101645913A (en) * | 2008-08-07 | 2010-02-10 | 九旸电子股份有限公司 | Method for generation entries of access control list |
CN102427428A (en) * | 2011-12-07 | 2012-04-25 | 西安电子科技大学 | Stream identifying method and device based on multi-domain longest match |
CN102480424A (en) * | 2010-11-30 | 2012-05-30 | 瑞昱半导体股份有限公司 | Device and method for processing network packet |
CN109753819A (en) * | 2018-12-26 | 2019-05-14 | 北京天融信网络安全技术有限公司 | Method and apparatus for processing an access control policy |
WO2020007132A1 (en) * | 2018-07-06 | 2020-01-09 | 电信科学技术研究院有限公司 | Resource access control method and device |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7474654B2 (en) * | 2005-01-26 | 2009-01-06 | Cisco Technology, Inc. | Method and system for classification of packets based on meta-rules |
US8429724B2 (en) * | 2006-04-25 | 2013-04-23 | Seagate Technology Llc | Versatile access control system |
US7688761B2 (en) * | 2006-08-09 | 2010-03-30 | Cisco Technology, Inc. | Method and system for classifying packets in a network based on meta rules |
US9882766B2 (en) * | 2013-02-28 | 2018-01-30 | Arista Networks, Inc. | System and method for access control list conversion |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20080198853A1 (en) | Apparatus for implementing actions based on packet classification and lookup results | |
US8958418B2 (en) | Frame handling within multi-stage switching fabrics | |
US6650642B1 (en) | Network relaying apparatus and network relaying method capable of high-speed routing and packet transfer | |
US7782859B2 (en) | Enhanced packet classification | |
US8559429B2 (en) | Sequential frame forwarding | |
US7869411B2 (en) | Compact packet operation device and method | |
US7664116B2 (en) | Network based routing scheme | |
US7769858B2 (en) | Method for efficiently hashing packet keys into a firewall connection table | |
US8798066B2 (en) | Method for IPv6 longest prefix match | |
US20090135826A1 (en) | Apparatus and method of classifying packets | |
CN106713144B (en) | Reading and writing method of message outlet information and forwarding engine | |
US20180367431A1 (en) | Heavy network flow detection method and software-defined networking switch | |
US7248584B2 (en) | Network packet processing | |
US20220393908A1 (en) | Message Encapsulation Method and Apparatus, and Message Decapsulation Method and Apparatus | |
US20210185153A1 (en) | Hybrid Fixed/Programmable Header Parser for Network Devices | |
US20030053474A1 (en) | Virtual egress packet classification at ingress | |
US20080080505A1 (en) | Methods and Apparatus for Performing Packet Processing Operations in a Network | |
EP2898640B1 (en) | Ultra low latency multi-protocol network device | |
EP1526699B1 (en) | Method and system for accelerated packet processing | |
US11303640B2 (en) | Circuit and packet processing method used in network device | |
CN113949664B (en) | Circuit for network device and packet processing method | |
US9893997B2 (en) | System and method for creating session entry | |
WO2023017315A1 (en) | Network device that utilizes tcam configured to output multiple match indices | |
CN112165539B (en) | IPv6 address translation method | |
JP4024943B2 (en) | Network connection device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
GR01 | Patent grant | |