In a cloud computing environment, there are complex multi-tenant scenarios and multiple tenants have different virtual machine (English full name: virtual machine, VM for short) policies for sending and receiving packets. To implement isolation between virtual machines, and to set a rule of sending and receiving a packet for the virtual machines according to a tenant's requirements, a rule of sending and receiving a packet by a virtual machine is specified by using a security group (English: security group).
A security group generally contains multiple packet sending and receiving rules. A security group in some cloud computing environments may have only packet sending rules or only packet receiving rules. In addition, multiple virtual machines may be added to each security group. Packets sent or received by the multiple virtual machines need to comply with rules in the security group. For example, a total of M virtual machines are added to a security group. The security group has N rules. In an existing SDN, to enable a packet sent by a virtual machine to match the N rules in the security group, an SDN controller needs to deliver a security group matching flow table. Each security group matching flow table delivered by the SDN controller includes at least two matching fields, and this leads to complex matching of the security group matching flow table.