CN113114594B - Strategy generation method and device and storage medium - Google Patents

Publication number: CN113114594B
Authority: CN (China)
Prior art keywords: strategy, policy, data packet, combination mode, basic
Legal status: Active
Application number: CN202110308773.6A
Other languages: Chinese (zh)
Other versions: CN113114594A (en)
Inventors: 张小梅, 马铮, 张曼君
Current Assignee: China United Network Communications Group Co Ltd
Original Assignee: China United Network Communications Group Co Ltd
Application filed by: China United Network Communications Group Co Ltd
Priority to: CN202110308773.6A
Publication of CN113114594A
Application granted
Publication of CN113114594B
Abstract

Translated from Chinese

The embodiments of the present application disclose a policy generation method and device, and a storage medium, and relate to the field of computer science. They address the prior-art problem that policy modules easily interfere with one another when combined, which makes policy applications for the whole network difficult to write, test, debug and reuse. The method includes: obtaining a data packet, at least one basic policy corresponding to the data packet, and a preset combination mode of the at least one basic policy; executing the at least one basic policy on the data packet according to the preset combination mode to generate a policy flow table for the data packet; and calling the northbound interface of the software-defined network (SDN) controller to deliver the policy flow table to the corresponding switch through the southbound interface of the SDN controller, so that the switch transmits the data packet according to the policy flow table. The embodiments of the present application are applied to a network system.

Description

Method, device, and storage medium for policy generation

Technical field

The embodiments of the present application relate to the field of computer science, and in particular to a policy generation method and device, and a storage medium.

Background

In software-defined networking (SDN), policies take the form of individual application modules running on the controller. To manage and control the network, several policies usually have to be combined to process the same traffic, which requires combining multiple policy modules. In the prior art, however, policies are mainly written in a traditional compiled language such as C. Because the abstraction level of that language is low and it is tightly coupled to the hardware implementation of the underlying data plane, policy modules easily interfere with one another when combined, which makes policy applications for the whole network difficult to write, test, debug and reuse.

Summary of the invention

The present application provides a policy generation method and device, and a storage medium, which address the prior-art problem that policy modules easily interfere with one another when combined, making policy applications for the whole network difficult to write, test, debug and reuse.

To achieve the above object, the application adopts the following technical solutions:

In a first aspect, a policy generation method is provided. The method includes: obtaining a data packet, at least one basic policy corresponding to the data packet, and a preset combination mode of the at least one basic policy; executing the at least one basic policy on the data packet according to the preset combination mode to generate a policy flow table for the data packet; and calling the northbound interface of the software-defined network (SDN) controller to deliver the policy flow table to the corresponding switch through the southbound interface of the SDN controller, so that the switch transmits the data packet according to the policy flow table.

In the above method, basic policies are defined as Python classes. This raises the abstraction level of the policies and avoids the complexity of writing them in a traditional compiled language such as C, so that writing, testing and debugging policies becomes simpler. In addition, combining basic policies defined as Python classes according to the preset combination mode ensures that the policies do not affect one another during combination and makes them easier to reuse, so that more complex and more varied policies can be obtained to meet users' needs.

In a second aspect, a policy generation device is provided. The device includes an obtaining unit, a processing unit, and a sending unit.

The obtaining unit is configured to obtain the data packet, at least one basic policy corresponding to the data packet, and a preset combination mode of the at least one basic policy; the basic policy is defined as a Python class.

The processing unit is configured to execute the at least one basic policy on the data packet according to the preset combination mode of the at least one basic policy obtained by the obtaining unit, and to generate a policy flow table for the data packet.

The sending unit is configured to call the northbound interface of the software-defined network (SDN) controller to deliver the policy flow table generated by the processing unit to the corresponding switch through the southbound interface of the SDN controller, so that the switch transmits the data packet according to the policy flow table.

It can be understood that the policy generation device provided above is used to execute the method of the first aspect. For its beneficial effects, refer to the method of the first aspect above and to the corresponding solutions in the detailed description below; they are not repeated here.

In a third aspect, a policy generation device is provided whose structure includes a processor. The processor is configured to execute program instructions so that the policy generation device executes the method of the first aspect.

In a fourth aspect, a computer-readable storage medium is provided. The computer-readable storage medium stores computer program code which, when run on the policy generation device, causes the policy generation device to execute the method of the first aspect.

In a fifth aspect, a computer program product is provided. The computer program product stores the above computer software instructions which, when run on the policy generation device, cause the policy generation device to execute a program implementing the method of the first aspect.

Description of drawings

The technical solutions in the embodiments of the application are described clearly and completely below with reference to the drawings in the embodiments of the application. The described embodiments are only some of the embodiments of the application, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments in this application without creative effort fall within the scope of protection of this application.

FIG. 1 is a schematic structural diagram of a network system provided by an embodiment of the present invention;

FIG. 2 is a schematic diagram of the hardware structure of a communication device provided by an embodiment of the present invention;

FIG. 3 is the first schematic flowchart of a policy generation method provided by an embodiment of the present application;

FIG. 4 is the second schematic flowchart of a policy generation method provided by an embodiment of the present application;

FIG. 5 is the third schematic flowchart of a policy generation method provided by an embodiment of the present application;

FIG. 6 is a schematic structural diagram of a policy generation device provided by an embodiment of the present application;

FIG. 7 is a schematic structural diagram of a computer program product for the policy generation method provided by an embodiment of the present application.

Detailed description

The technical solutions in the embodiments of the application are described clearly and completely below with reference to the drawings in the embodiments of the application. The described embodiments are only some of the embodiments of the application, not all of them.

It should be noted that, in the embodiments of the present application, words such as "exemplary" or "for example" are used to indicate an example, illustration or explanation. Any embodiment or design described as "exemplary" or "for example" in the embodiments of the present application should not be interpreted as preferred over, or more advantageous than, other embodiments or designs. Rather, such words are intended to present the related concepts in a concrete manner.

It should also be noted that, in the embodiments of the present application, "of" (的), "relevant" (相应的) and "corresponding" (对应的) may sometimes be used interchangeably. When the difference between them is not emphasized, they express the same meaning.

In the embodiments of the present application, the terms "first" and "second" are used for description only and are not to be understood as indicating or implying relative importance or implicitly specifying the number of the technical features referred to. A feature qualified by "first" or "second" may therefore explicitly or implicitly include one or more such features. In the description of the present application, unless otherwise specified, "a plurality of" means two or more.

SDN is a new type of network architecture. It uses the OpenFlow protocol to separate the control plane of the switch from the data plane and implements the control plane in software, which makes it possible to manage centrally the control planes that were scattered across individual network devices. With this architecture, a network administrator can re-plan the network programmatically from a central point without changing the hardware. This offers a new way to control network traffic and a good platform for innovation in core networks and applications. In SDN, network and security policies take the form of individual application modules running on the controller. To manage and control the network, several policies usually have to be combined to process the same traffic, which requires combining multiple policy modules. In the prior art, however, policies are mainly written in a traditional compiled language such as C. Because the abstraction level of that language is low and it is tightly coupled to the hardware implementation of the underlying data plane, policy modules easily interfere with one another when combined, which makes policy applications for the whole network difficult to write, test, debug and reuse.

Therefore, an embodiment of the present application provides a policy generation method to solve the above technical problem. First, referring to FIG. 1, an embodiment of the present invention provides a schematic structural diagram of a network system. The system includes a policy generation device 11, an SDN controller 12 and a switch 13. The policy generation device 11 communicates with the SDN controller 12 through the northbound interface provided by the SDN controller 12; the switch 13 communicates with the SDN controller 12 through the southbound interface provided by the SDN controller 12.

The policy generation device 11 may be an independent computer device, such as a server, or a chip in a computer device.

Optionally, the devices mentioned in the embodiments of the present application, such as the policy generation device 11, the SDN controller 12 and the switch 13, can all be implemented by the communication device shown in FIG. 2.

The communication device includes a processor 21, a communication bus 24 and at least one transceiver (FIG. 2 shows the transceiver 23 only as an example).

The processor 21 may include one or more processing units. For example, the processor 21 may include an application processor (AP), a modem processor, a graphics processing unit (GPU), an image signal processor (ISP), a video processing unit (VPU) controller, a memory, a video codec, a digital signal processor (DSP), a baseband processor, and/or a neural-network processing unit (NPU). The different processing units may be independent devices or may be integrated in one or more processors.

The controller may be the nerve center and command center of the communication device. The controller can generate operation control signals from the instruction opcode and timing signals, and so control instruction fetch and instruction execution.

A memory may also be provided in the processor 21 for storing instructions and data. In some embodiments, the memory in the processor 21 is a cache. The memory may hold instructions or data that the processor 21 has just used or uses repeatedly. If the processor 21 needs the instruction or data again, it can fetch it directly from this memory. This avoids repeated accesses and reduces the waiting time of the processor 21, which improves the efficiency of the system.

In some embodiments, the processor 21 may include one or more interfaces. The interfaces may include an inter-integrated circuit (I2C) interface, a universal asynchronous receiver/transmitter (UART) interface, a mobile industry processor interface (MIPI), a general-purpose input/output (GPIO) interface, a subscriber identity module (SIM) interface, and/or a universal serial bus (USB) interface, a serial peripheral interface (SPI) interface, and so on.

The communication bus 24 may include a path for transferring information between the above components.

The transceiver 23, which may be any transceiver-type device, is used to communicate with other devices or communication networks, such as Ethernet, a radio access network (RAN), or a wireless local area network (WLAN).

Optionally, the communication device may further include a memory 22.

The memory 22 may be a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM) or another type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to these. The memory may exist independently and be connected to the processor through the communication bus 24. The memory may also be integrated with the processor.

The memory 22 is used to store the computer-executable instructions for implementing the solution of the present application, and their execution is controlled by the processor 21. The processor 21 is configured to execute the computer-executable instructions stored in the memory 22, so as to implement the area identification method provided in the following embodiments of the present application.

Optionally, the computer-executable instructions in the embodiments of the present invention may also be called application program code, which is not specifically limited in the embodiments of the present invention.

In a specific implementation, as an embodiment, the processor 21 may include one or more CPUs, such as CPU0 and CPU1 in FIG. 2.

In a specific implementation, as an embodiment, the communication device may include multiple processors, for example the processor 21 and the processor 25 in FIG. 2. Each of these processors may be a single-core (single-CPU) processor or a multi-core (multi-CPU) processor. A processor here may refer to one or more devices, circuits, and/or processing cores for processing data (for example, computer program instructions).

The technical solutions provided by the embodiments of the present application are described in detail below with reference to the drawings, with the policy generation device as the executing entity.

The technical principle of the policy generation method provided by the embodiments of the present application is as follows. First, obtain the one or more basic policies, defined as Python classes, that correspond to the data packet, together with their preset combination mode, which is either serial or parallel. Then, based on the serial or parallel combination of these basic policies, execute the policies on the data packet to obtain the policy flow table of the data packet, and call the northbound interface of the SDN controller to deliver the policy flow table to the switch through the southbound interface of the SDN controller. This solves the prior-art problem that policy modules easily interfere with one another when combined, making policy applications for the whole network difficult to write, test, debug and reuse.

Referring to FIG. 3, a policy generation method provided by an embodiment of the present invention specifically includes:

S31. The policy generation device obtains the data packet, at least one basic policy corresponding to the data packet, and a preset combination mode of the at least one basic policy; the basic policy is defined as a Python class.

Exemplarily, the data packet is received by the switch and transmitted to the policy generation device through the southbound interface and the northbound interface of the SDN controller.

In this method, classes are used to represent policies, and all policies are subclasses of the policy class. After basic policies are combined according to the preset combination mode, the resulting new policy is still a subclass of the policy class.

Optionally, the basic policy includes any one of drop, identity, modify, fwd, match, and flood. Here, drop means directly discarding the input data packet; identity means not processing the input data packet; modify means modifying the input data packet by changing the value of field name f in the data packet to v; fwd means forwarding the input data packet out of a specified port of the switch; match means filtering data packets and returning all data packets in which field name f has the value v; flood means flooding.

Exemplarily, the basic policies above are explained as follows:

1) drop is the simplest basic policy. After this basic policy is executed on an input data packet, the output is the empty set; that is, the input data packet is discarded directly.

2) identity means the input data packet is not processed. Its output is the data packet set {p}, where p is the input data packet. identity is mainly used in combination with other basic policies.

3) modify(f=v) modifies the input data packet. Its output is a set containing a single data packet in which the value of field name f has been changed to v. modify is a subclass of the policy class and has a map member that stores every field name f to be modified and the value v to set. When the modify policy is executed, for every f and v in the map, the value of field name f in the input data packet is changed to v.

4) fwd(port) forwards the input data packet out of the specified port of the switch, where port is the specified egress port. Its output is the data packet set {p'}, where p' is the same as the input data packet p except that the egress port of p is set to port. fwd is a special case of modify: fwd(port) is equivalent to modify(port=port).

5) match(f=v) filters the input data packets and returns all data packets in which field name f has the value v. match is a subclass of the policy class and has a map member that stores every field name f and value v to be matched. When the match policy is executed, for every f and v in the map, it returns the set of input data packets in which field name f has the value v.

6) flood means flooding. Its output data packet set contains multiple copies of the data packet p, and the egress port of each copy corresponds to one port of the switch (excluding the ingress port). The topology module generates the minimum spanning tree of the whole network. When the structure of the minimum spanning tree changes, flood updates its own policy: each switch on the spanning tree, on receiving a data packet, forwards it to every one of its ports on the spanning tree (excluding the ingress port).

S32. The policy generation device executes the at least one basic policy on the data packet according to the preset combination mode of the at least one basic policy, and generates a policy flow table for the data packet.

Specifically, the preset combination mode is either the serial combination mode or the parallel combination mode.

Exemplarily, assume A and B are two policies. When policy C is the result of the serial combination of A and B, it can be written C=A>>B. This expression is executed as follows: execute the first policy A and obtain its result; use A's result as the input of the second policy B, then execute B and obtain B's result; take this result as the final result C of A>>B. When policy C is the result of the parallel combination of A and B, it can be written C=A+B. This expression is executed as follows: execute policies A and B separately to obtain the results of A and B; then merge the results of A and B, and take the merged result as the final result C of A+B.

S33. The policy generation device calls the northbound interface of the software-defined network (SDN) controller to deliver the policy flow table to the corresponding switch through the southbound interface of the SDN controller, so that the switch transmits the data packet according to the policy flow table.

Further, the policy generation device of the embodiment of the present invention builds a runtime framework for a Python-based formal description language for network and security functions (python network policy programming language, PyNPPL). In this framework, network and security policies (both basic policies and other policies built by combining several basic policies), such as traffic monitoring, routing and forwarding, or firewalls, are defined in Python. The PyNPPL runtime framework interprets these network and security policies, generates the policy flow table, and, by calling the northbound interface provided by the SDN controller, delivers the policy flow table to the switches in the SDN network through a southbound interface such as OpenFlow.

In the above method, basic policies are defined as Python classes. This raises the abstraction level of the policies and avoids the complexity of writing them in a traditional compiled language such as C, so that writing, testing and debugging policies becomes simpler. In addition, combining basic policies defined as Python classes according to the preset combination mode ensures that the policies do not affect one another during combination and makes them easier to reuse, so that more complex and more varied policies can be obtained to meet users' needs.

In one implementation, with reference to FIG. 3 and FIG. 4, when the preset combination mode between policies is the serial combination mode, S32 specifically includes:

S321a. Based on a first preset rule, the policy generation device executes the at least one basic policy on the data packet one after another in a preset order, generating the policy flow table of the data packet; the first preset rule is that the result of executing the previous policy is used as the input for executing the next policy.

For example, the policy class defines an eval method that takes one parameter p, a set of data packets, and returns a set of data packets p1 after it runs. When an object of a policy class is executed, the object's eval method is called. The initial parameter p is the data packets reported by the switch through the SDN controller, and the set p1 obtained after eval runs is the output of executing the policy.

In practice, the serial operator of the formal description language for network and security functions is implemented by overloading the right-shift operator (>>) of the policy class. In Python, the execution of the serial combination c3=c1>>c2 of policies c1 and c2 can be defined by the following formula:

c3.eval(p1)=c2.eval(c1.eval(p))

Further, the implementation of the serial combination mode consists mainly of the sequential class and the overloading of the right-shift operator, explained as follows:

The sequential class is a subclass of the policy class and defines a policies member that stores the policies being serially combined. When an object of the sequential class is executed, the policies in its policies member are executed in order, with the result of each policy used as the input of the next, and the result of the last policy is finally returned.

In addition, to implement ">>" of the formal description language for network and security functions, this embodiment of the present invention overloads the right-shift method of the policy class. There are four main cases:

1) When neither of the two serially combined policies c1 and c2 is a policy of the sequential class, the right-shift method returns a new policy of the sequential class whose policies members are, in order, the two serially combined policies. That is, policies c1 and c2 are added to the sequential class, and c3=c1>>c2 is added to the policies member.

2) When only the former, c1, in the serial combination c1>>c2 is a policy of the sequential class, the latter, c2, is appended to the end of the policies member of c1, and that policy of the sequential class is returned.

3) When only the latter, c2, in the serial combination c1>>c2 is a policy of the sequential class, the right-shift method returns a new policy of the sequential class whose policies members are, in order, the former c1 and the policies members of the latter c2.

4) When both c1 and c2 are policies of the sequential class, the policies in the policies member of the latter are appended to the end of the policies member of the former, and the former is returned.

It should be noted that the above describes the serial combination of two policies only as an example; the embodiments of this application are not limited to two policies, and three or more policies may be combined, implemented in the same way as the serial combination of two policies above, which is not repeated here.

In this implementation, the at least one policy is combined serially to obtain the final execution result for the data packet, without the user having to merge multiple policy modules by hand, which reduces the user's workload.

In one implementation, with reference to FIG. 3 and FIG. 5, when the preset combination mode between policies is the parallel combination mode, S32 specifically includes:

S322a. The policy generation device executes each of the at least one basic policy on the data packet in parallel, generating an execution result for each policy.

S322b. The policy generation device merges the execution results of all policies to generate the policy flow table of the data packet.

In practice, the parallel operator of the formal description language for network and security functions is implemented by overloading the addition operator (+) of the policy class. In Python, the execution of the parallel combination c3=c1+c2 of policies c1 and c2 can be defined by the following formula:

c3.eval(p1)=c1.eval(p)∪c2.eval(p)

For example, the implementation of the parallel operator consists mainly of the parallel class and the overloading of the addition operator. The parallel class is a subclass of the policy class and defines a policies member that stores the policies being combined in parallel. When an object of the parallel class is executed, the policies in its policies member are executed in turn, the union of the execution results is taken, and the result of the last policy is finally returned.

To implement "+" of the formal description language for network and security functions, this embodiment of the present invention overloads the addition method of the policy class. When neither of the two policies being combined in parallel is of the parallel class, the addition method returns a new policy of the parallel class whose policies members are the two objects combined in parallel. When only one of them is of the parallel class, the other policy is added to the policies member of the parallel-class policy, and the parallel-class policy is returned. When both are of the parallel class, the policies in the policies member of the latter are added to the policies member of the former, and the former is returned.

It should be noted that the above describes the parallel combination of two policies only as an example; the embodiments of this application are not limited to two policies, and three or more policies may be combined, implemented in the same way as the parallel combination of two policies above, which is not repeated here.

In this implementation, the at least one policy is combined in parallel to obtain the final execution result for the data packet, without the user having to merge multiple policy modules by hand, which reduces the user's workload.
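The serial (>>) and parallel (+) combination rules described in the two implementations above, as an added Python example that is not the patent's or PyNPPL's own code. Assumptions: the base class name Policy, the pkt helper, packets represented as frozensets of (field, value) pairs, the "outport" field used to model fwd, and the demo function are all hypothetical; parallel.eval returns the union given by the formula.

```python
# Added illustration of the composition rules above; not the patent's own code.
# Assumption: a packet is a frozenset of (field, value) pairs so it can live in a set.
def pkt(**fields):
    return frozenset(fields.items())

class Policy:
    def eval(self, p):                       # set of packets -> set of packets
        raise NotImplementedError

    def __rshift__(self, other):             # serial: c1 >> c2
        if isinstance(self, sequential):     # cases 2 and 4: grow the former in place
            tail = other.policies if isinstance(other, sequential) else [other]
            self.policies.extend(tail)
            return self
        if isinstance(other, sequential):    # case 3: new object, c1 then c2's members
            return sequential([self] + other.policies)
        return sequential([self, other])     # case 1: neither is sequential

    def __add__(self, other):                # parallel: c1 + c2
        if isinstance(self, parallel):       # former is parallel (latter may be too)
            tail = other.policies if isinstance(other, parallel) else [other]
            self.policies.extend(tail)
            return self
        if isinstance(other, parallel):      # only the latter is parallel
            other.policies.append(self)
            return other
        return parallel([self, other])       # neither is parallel

class sequential(Policy):
    def __init__(self, policies):
        self.policies = list(policies)
    def eval(self, p):
        for policy in self.policies:         # output of one policy feeds the next
            p = policy.eval(p)
        return p

class parallel(Policy):
    def __init__(self, policies):
        self.policies = list(policies)
    def eval(self, p):
        out = set()
        for policy in self.policies:         # every policy sees the same input p
            out |= policy.eval(p)
        return out

class drop(Policy):
    def eval(self, p):
        return set()

class identity(Policy):
    def eval(self, p):
        return set(p)

class match(Policy):
    def __init__(self, f, v):
        self.f, self.v = f, v
    def eval(self, p):
        return {x for x in p if (self.f, self.v) in x}

class modify(Policy):
    def __init__(self, f, v):
        self.f, self.v = f, v
    def eval(self, p):
        return {frozenset({**dict(x), self.f: self.v}.items()) for x in p}

class fwd(modify):
    # Assumption: forwarding is modelled as setting a hypothetical "outport" field.
    def __init__(self, port):
        super().__init__("outport", port)

def demo():
    # Constructed sample packets standing in for those reported by a switch.
    p = {pkt(srcip="10.0.0.1", dstport=80), pkt(srcip="10.0.0.2", dstport=22)}
    web = match("dstport", 80) >> fwd(2)                               # case 1
    audit = match("dstport", 22) >> modify("tag", "audit") >> fwd(9)   # case 1, then 2
    return (web + audit).eval(p)

if __name__ == "__main__":
    for packet in demo():
        print(sorted(packet, key=str))
```

Cases 2 and 4 extend the former object in place, so a sequential that is reused in a second composition also carries the tail appended by the first. In Python `+` binds tighter than `>>`, so mixed expressions need parentheses.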

In the embodiments of this application, the policy generation device may be divided into functional modules according to the above method embodiments. For example, one functional module may be defined for each function, or two or more functions may be integrated into one processing module. The integrated module may be implemented in the form of hardware or in the form of a software functional module. It should be noted that the division of modules in the embodiments of this application is schematic and is only a division by logical function; other divisions are possible in an actual implementation.

FIG. 6 is a schematic structural diagram of a policy generation device 11 provided in an embodiment of this application. The policy generation device 11 specifically includes an acquiring unit 601, a processing unit 602 and a sending unit 603.

Specifically, the acquiring unit 601 is configured to acquire a data packet, at least one basic policy corresponding to the data packet, and a preset combination mode of the at least one basic policy; the basic policy is defined as a Python class.

The processing unit 602 is configured to execute the at least one basic policy on the data packet according to the preset combination mode of the at least one basic policy acquired by the acquiring unit 601, generating the policy flow table of the data packet.

The sending unit 603 is configured to call the northbound interface of the software-defined networking (SDN) controller to deliver the policy flow table generated by the processing unit 602, through the southbound interface of the SDN controller, to the corresponding switch, so that the switch transmits the data packet according to the policy flow table.

Optionally, the preset combination mode is either of a serial combination mode and a parallel combination mode.

Optionally, when the preset combination mode is the serial combination mode, the processing unit 602 is specifically configured to execute, based on a first preset rule, the at least one basic policy on the data packet one after another in a preset order, generating the policy flow table of the data packet; the first preset rule is that the result of executing the previous policy is used as the input for executing the next policy.

Optionally, when the preset combination mode is the parallel combination mode, the processing unit 602 is specifically configured to execute each of the at least one basic policy on the data packet in parallel, generating an execution result for each policy.

The processing unit 602 is further configured to merge the execution results of all policies to generate the policy flow table of the data packet.

Optionally, the basic policy includes any one of drop, identity, modify, fwd, match and flood, where drop discards the input data packet directly; identity leaves the input data packet unprocessed; modify modifies the input data packet, changing the value of field name f in the data packet to v; fwd forwards the input data packet out of a specified port of the switch; match filters data packets, returning all data packets in which the field named f has the value v; and flood denotes flooding.

Of course, the policy generation device 11 provided in the embodiments of this application includes but is not limited to the above modules; for example, the policy generation device 11 may further include a storage unit 604. The storage unit 604 may be used to store the program code of the policy generation device 11, and may also be used to store data generated by the policy generation device 11 during operation, such as the data in a write request.

The system architecture and service scenarios described in the embodiments of this application are intended to explain the technical solutions of the embodiments more clearly and do not limit the technical solutions provided by the embodiments. A person of ordinary skill in the art will appreciate that, as network architectures evolve and new service scenarios emerge, the technical solutions provided in the embodiments of this application apply equally to similar technical problems.

FIG. 7 schematically shows a conceptual partial view of a computer program product provided by an embodiment of this application; the computer program product includes a computer program for executing a computer process on a computing device.

In one embodiment, the computer program product is provided using a signal-bearing medium 410. The signal-bearing medium 410 may include one or more program instructions which, when run by one or more processors, may provide all or part of the functions described above with respect to FIG. 2. Thus, for example, with reference to the embodiment shown in FIG. 2, one or more features of S21-S23 may be carried out by one or more instructions associated with the signal-bearing medium 410. In addition, the program instructions in FIG. 7 also describe example instructions.

In some examples, the signal-bearing medium 410 may include a computer-readable medium 411, such as, but not limited to, a hard disk drive, a compact disc (CD), a digital video disc (DVD), a digital tape, a memory, a read-only memory (ROM), or a random access memory (RAM).

In some implementations, the signal-bearing medium 410 may include a computer-recordable medium 412, such as, but not limited to, a memory, a read/write (R/W) CD, or an R/W DVD.

In some implementations, the signal-bearing medium 410 may include a communication medium 413, such as, but not limited to, a digital and/or analog communication medium (for example, a fiber-optic cable, a waveguide, a wired communication link, or a wireless communication link).

The signal-bearing medium 410 may be conveyed by a wireless form of the communication medium 413 (for example, a wireless communication medium complying with the IEEE802.41 standard or another transmission protocol). The one or more program instructions may be, for example, computer-executable instructions or logic-implementing instructions.

In some examples, a policy generation device such as the one described with respect to FIG. 6 may be configured to provide various operations, functions, or actions in response to one or more program instructions conveyed by the computer-readable medium 411, the computer-recordable medium 412, and/or the communication medium 413.

From the description of the above implementations, a person skilled in the art will clearly understand that, for convenience and brevity of description, only the division into the functional modules above is used as an example. In practice, the above functions may be assigned to different functional modules as needed; that is, the internal structure of the device may be divided into different functional modules to perform all or part of the functions described above.

In the several embodiments provided in this application, it should be understood that the disclosed device and method may be implemented in other ways. For example, the device embodiments described above are merely illustrative: the division into modules or units is only a division by logical function, and other divisions are possible in an actual implementation; for instance, multiple units or components may be combined or integrated into another device, or some features may be omitted or not performed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of another form.

The units described as separate components may or may not be physically separate, and a component shown as a unit may be one physical unit or several physical units; that is, it may be located in one place or distributed over several different places. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.

In addition, the functional units in the embodiments of this application may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.

If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a readable storage medium. Based on this understanding, the technical solutions of the embodiments of this application in essence, or the part that contributes to the prior art, or all or part of the technical solutions, may be embodied in the form of a software product. The software product is stored in a storage medium and includes a number of instructions that cause a device (which may be a single-chip microcomputer, a chip, or the like) or a processor to perform all or some of the steps of the methods described in the embodiments of this application. The aforementioned storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a ROM, a RAM, a magnetic disk or an optical disc.

The above is only a specific implementation of this application, but the scope of protection of this application is not limited to it; any change or replacement within the technical scope disclosed in this application shall fall within the scope of protection of this application. Therefore, the scope of protection of this application shall be determined by the scope of protection of the claims.

Claims (6)

Application number: CN202110308773.6A
Priority date: 2021-03-23
Filing date: 2021-03-23
Title: Strategy generation method and device and storage medium
Status: Active
Publications: CN113114594A (en), published 2021-07-13; CN113114594B (en), published 2023-04-07
Family ID: 76711979
Country: CN
