Abstract:
A method and system for storing and searching for prefixes for rules, such as filter rules, in a computer system is disclosed. The method and system include providing a ternary content addressable memory (TCAM). The filter rules use range(s) of values in at least one dimension and correspond to prefix(es). The range(s) are described by prefix(es). Some filter rules may intersect. The method and system include providing priorities for the filter rules. The priorities include at least one different priority for the filter rules that intersect. The method and system also include storing the prefixes in the TCAM in block(s) in an order based upon the priorities of the filter rules. In another aspect, the method and system include searching the TCAM for a longest prefix match for a key and searching an additional storage for an almost exact match for the key in parallel with the TCAM. In this aspect, the method and system include returning the longest prefix match having a lowest or a highest location if the longest prefix match is found in the TCAM and the almost exact match is not found in the additional storage.
Abstract:
A structure and technique for preventing collisions using a hash table in conjunction with a CAM to identify and prevent collisions of binary keys. A portion of the hash value of a binary key, which does not collide with a portion of the hash value of any other reference binary key, is used as an entry in the hash table. If two or more binary keys have identical values of the portions of the hash values, each of these binary keys are stored in their entirety, in the CAM. The key in the CAM provides a pointer to a data structure where the action associated with that binary key is stored. If the binary key is not found in the CAM, the binary key is hashed, and a specific entry in the hash table is selected using a portion of this hash value.
Abstract:
The decision within a packet processing device to transmit a newly arriving packet into a queue to await further processing or to discard the same packet is made by a flow control method and system. The flow control is updated with a constant period determined by storage and flow rate limits. The update includes comparing current queue occupancy to a threshold. The outcome of the update is adjustment up or down of the transmit probability value. The value is stored for the subsequent period of flow control and packets arriving during that period are subject to a transmit or discard decision that uses that value.
Abstract:
Computers are caused to provide a hash table wherein each entry is associated with a binary key and indexed by a selected portion of a hash value of the associated key, and points to a data structure location for storing non-selected portions of, or the entire hash value of, the binary key, and action data corresponding to the value of the binary key. Content addressable memory entries store a binary key, or a value unique to it, and an association to a corresponding action. Pointers to the data structure use selected portions of binary key hash values as an index when those portions do not match the selected portions of hash values of other binary keys, and associations are established between CAM entry and associated data structure locations when selected portions of the hash values of the binary keys are the same as selected portions of hash values of one or more other binary keys.
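The two abstracts above (hash table indexed by a selected portion of the key's hash, with keys that collide on that portion moved in their entirety into a CAM) can be illustrated with a small model. This is an added example, not code from any of the patents; it assumes a 32-bit hash, 8 index bits, a Python dict standing in for the CAM, and the stored non-selected hash bits being checked on lookup to reject keys that share only the index bits.

```python
import hashlib
from typing import Dict, Optional, Tuple

HASH_BITS = 32   # assumed hash width
INDEX_BITS = 8   # assumed "selected portion" used as the table index


def key_hash(key: bytes) -> int:
    """Truncated SHA-256 stands in for whatever hash the hardware uses (assumption)."""
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big")


def split_hash(h: int) -> Tuple[int, int]:
    """Return (selected portion = table index, non-selected remainder kept for verification)."""
    return h & ((1 << INDEX_BITS) - 1), h >> INDEX_BITS


class HashCamClassifier:
    def __init__(self) -> None:
        # index -> (remainder, action, full key); one entry per non-colliding index
        self.table: Dict[int, Tuple[int, str, bytes]] = {}
        self.cam: Dict[bytes, str] = {}      # model of the CAM: full key -> action
        self.retired: set = set()            # indexes already known to collide

    def insert(self, key: bytes, action: str) -> None:
        idx, rest = split_hash(key_hash(key))
        if key in self.cam or idx in self.retired:
            self.cam[key] = action           # index already collides: CAM only
            return
        if idx not in self.table:
            self.table[idx] = (rest, action, key)
            return
        # Two keys share the selected portion: move both, in full, to the CAM
        # and retire the table index so later keys with that index also go to the CAM.
        _, other_action, other_key = self.table.pop(idx)
        self.cam[other_key] = other_action
        self.cam[key] = action
        self.retired.add(idx)

    def lookup(self, key: bytes) -> Optional[str]:
        # CAM first (exact match); only then hash and index the table.
        if key in self.cam:
            return self.cam[key]
        idx, rest = split_hash(key_hash(key))
        entry = self.table.get(idx)
        if entry is None or entry[0] != rest:
            return None                      # miss, or a stranger sharing only the index bits
        return entry[1]
```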
Abstract:
Packetized voice, video, and data traffic (data frames) are received in a communication traffic sorter. The data frames have a dispatch priority corresponding to their transmission characteristics (flow) and quality of service parameters. The communication traffic sorter analyzes information in data packets within each data frame and determines an optimum flow for the data frames. A data frame is assigned to a selected queue based on an analysis of the information in its data packets. A data frame may also be assigned to a queue based on a prior analysis of a data frame with like transmission characteristics. Results of analysis are stored and indexed to facilitate processing of subsequent data frames. The network access sorter has circuits to un-pack and re-pack the data frame, when called for, to allow user transmitted data to be processed to create a modified data frame. The data frame may then be dispatched with a second dispatch priority on a bus for distribution to end users where previously assigned quality of service is maintained or exceeded.
Abstract:
A method and system for finding a longest prefix match for a key in a computer network is disclosed. The method and system include providing a main engine and providing an auxiliary engine. The main engine is for storing a first plurality of addresses and for searching the first plurality of addresses for the longest prefix match for the key. None of the first plurality of addresses is a prefix for another address of the first plurality of addresses. The auxiliary engine is for storing and searching a second plurality of addresses. A first address of the second plurality of addresses is capable of including the prefix for a second address of the first plurality of addresses or for a third address for the second plurality of addresses. None of the first plurality of addresses is the prefix for any of the second plurality of addresses. Each of the second plurality of addresses is distinct from each of the first plurality of addresses.
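The split described above can be modelled directly: addresses that are not a prefix of any other address go to the main engine, where a key can match at most one of them (two matching prefixes of one key would be nested), so a per-length exact-match lookup suffices; addresses that are prefixes of others go to the auxiliary engine, which does a conventional longest-match. Because no main address is a prefix of any auxiliary address, a main hit is always the longest match. This is an added example, not the patent's own code; it assumes IPv4 prefixes in CIDR notation and dicts standing in for both engines.

```python
import ipaddress
from typing import Dict, Iterable, Optional


def to_bits(cidr: str) -> str:
    """CIDR prefix -> string of its significant bits ('' for 0.0.0.0/0)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return format(int(net.network_address), "032b")[: net.prefixlen]


class SplitLPM:
    def __init__(self, cidrs: Iterable[str]) -> None:
        prefixes = {to_bits(c): c for c in cidrs}
        self.aux: Dict[str, str] = {}               # nested prefixes -> cidr
        self.main: Dict[int, Dict[str, str]] = {}   # length -> {bits: cidr}, no nesting
        for p, c in prefixes.items():
            if any(q != p and q.startswith(p) for q in prefixes):
                self.aux[p] = c                     # p is a prefix of another address
            else:
                self.main.setdefault(len(p), {})[p] = c

    def lookup(self, ip: str) -> Optional[str]:
        key = format(int(ipaddress.ip_address(ip)), "032b")
        # Main engine: one exact-match probe per stored length; at most one can hit.
        for length, table in self.main.items():
            hit = table.get(key[:length])
            if hit is not None:
                return hit                          # provably the longest match
        # Auxiliary engine: classic longest-prefix scan over the nested prefixes.
        best = None
        for p, c in self.aux.items():
            if key.startswith(p) and (best is None or len(p) > len(best[0])):
                best = (p, c)
        return best[1] if best else None
```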
Abstract:
A method and system for testing a plurality of filter rules in a computer system is disclosed. The plurality of filter rules are used with a key that is capable of matching at least one of the plurality of filter rules. The at least one filter rule corresponds to at least one action. The computer system has a cache including a plurality of bins and a decision tree. The method and system include searching a plurality of stored keys in the cache for the key. Preferably, this search of the cache for the key includes determining whether a stored key exactly matches the key. A plurality of stored filter rules corresponds to the plurality of stored keys. A plurality of stored actions corresponds to the plurality of stored filter rules. The cache stores each of the plurality of stored keys and at least one stored action in each bin of a portion of the bins. The method and system also include obtaining the at least one action from the cache if the key is found in the plurality of stored keys and otherwise obtaining the at least one action using the decision tree. Preferably, searches of the decision tree and cache start simultaneously. The decision tree search is terminated if the key is found in the cache. The cache is written to if the at least one action is obtained using the decision tree, but preferably only if the at least one filter rule has a priority of one.
Abstract:
A method for increasing the capacity of a connection table in a firewall accelerator by means of mapping packets in one session with some common security actions into one table entry. For each of five Network Address Translation (NAT) configurations, a hash function is specified. The hash function takes into account which of four possible arrival types a packet at a firewall accelerator may have. When different arrival types of packets in the same session are processed, two or more arrival types may have the same hash value.
Abstract:
A method and system for encoding a set of range labels for each parameter field in a packet classification key in such a way as to require preferably only a single entry per rule in a final processing stage of a packet classifier. Multiple rules are sorted according to their respective significance. A range, based on a parameter in the packet header, is previously determined. Multiple rules are evaluated according to an overlapping of rules according to different ranges. Upon a determination that two or more rules overlap, each overlapping rule is expanded into multiple unique segments that identify unique range intersections. Each cluster of overlapping ranges is then offset so that at least one bit in a range for the rule remains unchanged. The range segments are then converted from binary to Gray code, which results in the ability to determine a CAM entry to use for each range.