With the rapid development of network technologies, there are more and more network-based applications, and these applications are increasingly complex. When network communication is performed using these applications, some security problems inevitably occur. For example, network resources are leaked when an unauthorized user accesses confidential network resources. Therefore, to ensure network security, flow control needs to be performed on data packets transmitted in a network.
Currently, flow control is basically performed using an access control list (ACL). However, before flow control can be performed using the ACL, an administrator needs to manually configure multiple rules, and the storage sequence of those rules, in the ACL. Each rule includes a match condition and an action indicator. The match condition may include source address information, destination address information, and a protocol type. The source address information may include a source Internet Protocol (IP) address, a source port number, and the like. The destination address information may include a destination IP address, a destination port number, and the like. Afterward, a packet switching device such as a switch or a router may perform flow control according to the multiple rules configured by the administrator. The packet switching device receives a data packet and successively compares the source address information, destination address information, and protocol type carried in the data packet with the match condition of each rule in the ACL, in storage order. If the packet switching device determines that the source address information, the destination address information, and the protocol type carried in the data packet are the same as the match condition in the currently compared rule, it determines that a target rule has been found and processes the data packet according to the action indicator in the target rule. If it determines that they differ from the match condition in the currently compared rule, the packet switching device continues the comparison with the next rule in the ACL. Flow control is implemented in this way.
Because the multiple rules and their storage sequence are all manually configured by the administrator, redundant rules and invalid rules may appear among the multiple rules as the administrator updates them over time. Consequently, the accuracy of flow control is reduced. A redundant rule is the phenomenon in which at least two rules in the multiple rules match a same flow and include a same action indicator. An invalid rule means that at least two rules in the multiple rules match a same flow but have different action indicators, and the rule having the larger flow range is stored before the rule having the smaller flow range; consequently, the rule that comes later in the storage sequence can never be matched. The flow range is the range covered by a match condition.
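As an added illustration that is not part of the original text, the following Python models the sequential first-match lookup described above and checks an ACL for the two configuration defects just defined. The `Rule` class, `first_match`, `covers`, `find_redundant`, `find_invalid` and the sample ACL are all constructed for this example and do not come from any real device. A redundant rule is taken in its containment form (a later rule whose whole flow range is already covered by an earlier rule with the same action), an invalid rule is a later rule whose whole flow range is covered by an earlier rule with a different action, and a packet that matches no rule is assumed to be denied. Match conditions are reduced to IPv4 prefixes plus a protocol; port numbers are omitted for brevity.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = "any"  # wildcard protocol


@dataclass(frozen=True)
class Rule:
    """One ACL rule: a match condition (src, dst, proto) plus an action indicator."""
    src: str     # source prefix in CIDR notation, e.g. "10.0.0.0/8"
    dst: str     # destination prefix in CIDR notation
    proto: str   # "tcp", "udp", ... or ANY
    action: str  # "permit" or "deny"

    def src_net(self):
        return ip_network(self.src, strict=False)

    def dst_net(self):
        return ip_network(self.dst, strict=False)


def rule_matches(rule: Rule, src_ip: str, dst_ip: str, proto: str) -> bool:
    """True if the packet's source, destination and protocol all fall inside the rule's match condition."""
    return (ip_address(src_ip) in rule.src_net()
            and ip_address(dst_ip) in rule.dst_net()
            and rule.proto in (ANY, proto))


def first_match(acl: List[Rule], src_ip: str, dst_ip: str, proto: str) -> Tuple[Optional[int], str]:
    """Walk the ACL in storage order and apply the first rule whose condition matches.
    Returns (rule index, action); (None, "deny") if nothing matches (implicit deny is an assumption here)."""
    for idx, rule in enumerate(acl):
        if rule_matches(rule, src_ip, dst_ip, proto):
            return idx, rule.action
    return None, "deny"


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every flow matched by `inner` is also matched by `outer`,
    i.e. outer's flow range is a superset of inner's."""
    return (inner.src_net().subnet_of(outer.src_net())
            and inner.dst_net().subnet_of(outer.dst_net())
            and outer.proto in (ANY, inner.proto))


def find_redundant(acl: List[Rule]) -> List[Tuple[int, int]]:
    """Pairs (i, j), i < j, where earlier rule i covers rule j with the same action:
    rule j can never change the outcome, so it is redundant."""
    return [(i, j) for i in range(len(acl)) for j in range(i + 1, len(acl))
            if acl[i].action == acl[j].action and covers(acl[i], acl[j])]


def find_invalid(acl: List[Rule]) -> List[Tuple[int, int]]:
    """Pairs (i, j), i < j, where earlier rule i (larger flow range) covers rule j
    but carries a different action: rule j is shadowed and can never be matched."""
    return [(i, j) for i in range(len(acl)) for j in range(i + 1, len(acl))
            if acl[i].action != acl[j].action and covers(acl[i], acl[j])]


# Constructed sample ACL for this example (not taken from any real configuration).
SAMPLE_ACL = [
    Rule("10.0.0.0/8",  "192.168.1.0/24", "tcp", "permit"),  # 0
    Rule("10.1.0.0/16", "192.168.1.0/24", "tcp", "deny"),    # 1: covered by 0, different action -> invalid
    Rule("10.2.0.0/16", "192.168.1.0/24", "tcp", "permit"),  # 2: covered by 0, same action -> redundant
    Rule("0.0.0.0/0",   "0.0.0.0/0",      ANY,   "deny"),    # 3: catch-all
]


if __name__ == "__main__":
    # Rule 1 was meant to deny 10.1.0.0/16, but rule 0 matches first and permits it.
    print(first_match(SAMPLE_ACL, "10.1.5.5", "192.168.1.10", "tcp"))    # (0, 'permit')
    print(first_match(SAMPLE_ACL, "172.16.0.1", "192.168.1.10", "udp"))  # (3, 'deny')
    print("redundant:", find_redundant(SAMPLE_ACL))  # [(0, 2)]
    print("invalid:", find_invalid(SAMPLE_ACL))      # [(0, 1)]
```

The pairwise check is quadratic in the number of rules, which is fine for an audit script but not for a per-packet data path; its value is in running it whenever the administrator edits the ACL, before the new storage sequence is pushed to the switching device, so that a deny rule silently shadowed by a broader permit is caught before traffic is affected.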