1. Field
The present invention relates to a packet transfer controlling apparatus and packet transfer controlling method.
2. Description of the Related Art
Apparatuses such as network devices and computers connected to a network generally set an Access Control List (ACL) for the purpose of, for example, preventing unauthorized access via the network (see, for example, Japanese Patent Application Laid-open No. 2004-173148). Such apparatuses also set an access control list for the purpose of, for example, changing the destination of packet transfer according to the communication.
For example, as depicted in FIG. 7, a switch, which is a network device, sets an access control list on the receiving port connecting to a Local Area Network (LAN). The switch sets the access control list with rules, each described in terms of a pattern. Here, a pattern is a type indicating which information included in a packet is used as the comparison target for matching, that is, which information is to be extracted from the packet when controlling the transfer of the packet. The switch then compares the information included in a packet input to the switch with the rules, and thereby prevents unauthorized access or changes the server that is the transfer destination. In doing so, as FIG. 7 shows by way of example, the switch extracts the layer 2, layer 3 and layer 4 information, in the sense of the Open Systems Interconnection (OSI) model, in sequence from the head of the packet. FIG. 7 is a drawing for explaining an access control list.
The configuration of a conventional switch set with an access control list is briefly explained with reference to FIG. 8, which is a drawing for explaining the conventional technology. As depicted in FIG. 8, when a packet is input from a receiving port of the conventional switch, a packet analyzing unit extracts the information included in the packet. A pattern matching unit then matches the extracted information against a pattern set in advance with a specific comparison value, determines whether the extracted information matches the pattern, and outputs the result. A rule searching unit searches for a rule by using the comparison result, and an action searching unit searches for an action by using the found rule. Finally, a switching unit controls the transfer of the packet based on the found action.
The conventional technology explained above, however, has the problem that the extraction of information increases latency.
That is, as explained above, in access control the apparatus set with the access control list has to extract from the packet the information used for pattern matching. The conventional apparatus extracts information to an across-the-board depth irrespective of the depth of the information actually required for pattern matching (the position of that information, expressed as a depth from the head of the packet). For this reason, even when the depth required for pattern matching is shallow, the conventional apparatus cannot let the switching unit transfer the packet until information has been extracted to the across-the-board depth and extraction has ended. As a result, the conventional apparatus has the problem that latency increases by the time spent extracting unnecessary information.
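As an added illustration, and not code from this patent or its applicant, the following C program models the pipeline of FIG. 8 (packet analyzing unit, pattern matching, rule search, action search) together with the depth question of the preceding paragraph. Each pattern declares the layer at which its comparison value lies, the required depth of an access control list is the deepest such layer, and the analyzing unit extracts layer 2, layer 3 and layer 4 information in sequence from the head of the packet but stops once that depth is reached; always passing DEPTH_L4 reproduces the across-the-board extraction of the conventional apparatus. The sample frame, the two rule sets and every identifier (extract_fields, acl_lookup, classify, DEPTH_L2 and so on) are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Depth of a field, counted in OSI layers from the head of the packet. */
enum depth { DEPTH_L2 = 2, DEPTH_L3 = 3, DEPTH_L4 = 4 };
/* Pattern: which piece of packet information is the comparison target. */
enum pattern { PAT_ETHERTYPE, PAT_IPV4_SRC, PAT_IP_PROTO, PAT_TCP_DST_PORT };
enum action { ACT_FORWARD = 0, ACT_DROP = 1, ACT_REDIRECT = 2 };
/* Rule: pattern, comparison value, and the action searched for on a match. */
struct rule { enum pattern pat; uint32_t value; enum action act; };

/* Information extracted from the packet, with the deepest layer reached. */
struct fields {
    int depth_reached;                   /* deepest layer actually extracted */
    uint16_t ethertype;                  /* layer 2 */
    uint32_t ip_src; uint8_t ip_proto;   /* layer 3 */
    uint16_t tcp_dst_port;               /* layer 4 */
};

static enum depth pattern_depth(enum pattern p) {
    switch (p) {
    case PAT_ETHERTYPE: return DEPTH_L2;
    case PAT_IPV4_SRC: case PAT_IP_PROTO: return DEPTH_L3;
    default: return DEPTH_L4;
    }
}

/* Deepest layer any rule in the ACL needs, so extraction can stop there.
 * The conventional switch of the text extracts to DEPTH_L4 regardless. */
int acl_required_depth(const struct rule *acl, size_t n) {
    int d = DEPTH_L2;
    for (size_t i = 0; i < n; i++)
        if ((int)pattern_depth(acl[i].pat) > d) d = (int)pattern_depth(acl[i].pat);
    return d;
}

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) { return ((uint32_t)be16(p) << 16) | be16(p + 2); }

/* Packet analyzing unit: extract Ethernet, IPv4 and TCP fields in sequence from
 * the head of the packet, going no deeper than max_depth. Returns bytes consumed. */
size_t extract_fields(const uint8_t *pkt, size_t len, int max_depth, struct fields *f) {
    memset(f, 0, sizeof *f);
    if (len < 14) return 0;                          /* truncated frame */
    f->ethertype = be16(pkt + 12);
    f->depth_reached = DEPTH_L2;
    size_t off = 14;
    if (max_depth < DEPTH_L3 || f->ethertype != 0x0800 || len < off + 20) return off;
    size_t ihl = (size_t)(pkt[off] & 0x0f) * 4;
    if (ihl < 20 || len < off + ihl) return off;     /* malformed IHL: stop at layer 2 */
    f->ip_proto = pkt[off + 9];
    f->ip_src = be32(pkt + off + 12);
    f->depth_reached = DEPTH_L3;
    off += ihl;
    if (max_depth < DEPTH_L4 || f->ip_proto != 6 || len < off + 20) return off;
    f->tcp_dst_port = be16(pkt + off + 2);
    f->depth_reached = DEPTH_L4;
    return off + 20;                                 /* fixed TCP header; options unused */
}

/* Pattern matching, rule search and action search: first matching rule wins.
 * A rule whose field was never extracted (packet too shallow) cannot match. */
enum action acl_lookup(const struct rule *acl, size_t n, const struct fields *f) {
    for (size_t i = 0; i < n; i++) {
        const struct rule *r = &acl[i];
        if (f->depth_reached < (int)pattern_depth(r->pat)) continue;
        uint32_t got = 0;
        switch (r->pat) {
        case PAT_ETHERTYPE:    got = f->ethertype;    break;
        case PAT_IPV4_SRC:     got = f->ip_src;       break;
        case PAT_IP_PROTO:     got = f->ip_proto;     break;
        case PAT_TCP_DST_PORT: got = f->tcp_dst_port; break;
        }
        if (got == r->value) return r->act;
    }
    return ACT_FORWARD;                              /* no rule matched */
}

/* Whole pipeline for one packet: extract only to the ACL's required depth, then
 * look up the action. *parsed receives the number of bytes extraction consumed. */
enum action classify(const uint8_t *pkt, size_t len, const struct rule *acl, size_t n, size_t *parsed) {
    struct fields f;
    size_t used = extract_fields(pkt, len, acl_required_depth(acl, n), &f);
    if (parsed) *parsed = used;
    return acl_lookup(acl, n, &f);
}

/* Constructed sample frame (not captured traffic): Ethernet / IPv4 / TCP SYN,
 * 10.0.0.5:49152 -> 192.168.1.10:80, checksums left zero, 54 bytes in total. */
const uint8_t sample_packet[54] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x28, 0x00,0x00,0x40,0x00, 0x40,0x06,0x00,0x00,
    0x0a,0x00,0x00,0x05, 0xc0,0xa8,0x01,0x0a,
    0xc0,0x00,0x00,0x50, 0,0,0,0, 0,0,0,0, 0x50,0x02,0x00,0x00, 0,0,0,0
};

/* Hypothetical ACLs for a receiving port: one needs layer 2 only, one needs layer 4. */
const struct rule acl_l2_only[1] = { { PAT_ETHERTYPE, 0x86DD, ACT_DROP } };  /* drop IPv6 */
const struct rule acl_full[2] = {
    { PAT_IPV4_SRC, 0x0a000063u, ACT_DROP },        /* block 10.0.0.99 */
    { PAT_TCP_DST_PORT, 80, ACT_REDIRECT },         /* HTTP to another server */
};
```

With acl_l2_only the required depth is layer 2, so extraction of the sample frame stops after the 14-byte Ethernet header and the packet is forwarded; with acl_full the required depth is layer 4, all 54 bytes are consumed and the HTTP rule redirects the packet. Two points matter when extraction is cut short like this: a rule must not match a field that was never extracted (the depth_reached check, without which a zero-initialised field would match any rule whose comparison value is 0, for instance on a non-IP or truncated frame), and the depth bound must be recomputed whenever the rule set on the port changes.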