CN104283742B - Network data packet filter method based on FPGA - Google Patents
Network data packet filter method based on FPGA
- Publication number: CN104283742B (application CN201410619192.4A)
- Authority: CN (China)
- Prior art keywords: address, data, filtering, fpga, network
- Legal status: Expired - Fee Related (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
- Landscape: Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a network packet filtering method based on an FPGA. Network packets are first captured and stored in a data buffer; their header information is then extracted, and the extracted fields are stored in SRAM. At the same time, the extracted IP address is used as the address for accessing SDRAM in order to read the filtering control bit, which yields an explicit pass/no-pass signal for the data in the data buffer: if the lookup result is pass, the data is forwarded; otherwise it is discarded. The filtering rule set configured on the host computer is transferred to the underlying FPGA in IP packet format by DMA, parsed, and its filtering control bit information is written into SDRAM for filtering lookups. The design makes full use of the fast parallel computation of FPGA hardware, meets the line-rate filtering requirement, and achieves high-speed network packet filtering together with statistics and display of data-flow information.
Description
Technical field
The invention belongs to the field of Internet technology and in particular relates to a network packet filtering method based on an FPGA.
Background technology
With the rapid development of network technology and the rapid growth of network traffic, information sharing plays an increasingly important role in every aspect of society. While enjoying the convenience of information sharing, people also have to face the trouble brought by growing illegal means such as viruses and network attacks, and packet filtering systems have arisen in response. The increase in network bandwidth, the diversification of network applications, and the variety and concealment of attacks pose a stern challenge to firewalls.
Conventional packet filtering is currently implemented in software, but the diversification of viruses, the increasing complexity of network attacks, and the surge in network traffic increasingly become a bottleneck for the performance of packet filtering systems. Software-based filtering schemes cannot meet the line-rate processing requirement, and because they depend entirely on the protocol stack of the underlying operating system, they are inevitably constrained by that protocol stack.
Summary of the invention
The technical problem to be solved by the invention is that the speed of existing software packet filtering methods cannot meet the filtering demands of existing high-speed networks; a network packet filtering method based on an FPGA is therefore provided.
To solve the above problem, the invention is achieved by the following technical solution:
A network packet filtering method based on an FPGA comprises the following steps:
Step 1: the filtering rule set is configured online in real time on the host computer;
Step 2: the host computer transfers the filtering rule set into the FPGA by direct memory access;
Step 3: the FPGA parses the filtering rule set to obtain all IP addresses and their corresponding filtering control bit information, and, using each IP address as the addressable address of the dynamic RAM, writes its corresponding filtering control bit into the storage bit space of the dynamic RAM for filtering lookups;
Step 4: the FPGA captures network data and stores the collected network packets into the FPGA's FIFO data buffer;
Step 5: feature extraction is performed on the network packets cached in the FIFO data buffer to obtain the packet header information and the IP address;
Step 6: the extracted header information is stored in SRAM and periodically sent to the host computer for display;
Step 7: using the extracted IP address as the addressable address, the storage bit space of the dynamic RAM is accessed to read the corresponding filtering control bit;
Step 8: whether the network packet cached in step 4 is forwarded is decided by a lookup on the filtering control bit read in step 7, which determines whether the packet passes. If the filtering control bit result is pass, the data in the FIFO data buffer is forwarded; if the result is not pass, the data in the FIFO data buffer is discarded.
In steps 3 and 7 above, the read/write address of the dynamic RAM requires address mapping; both reads and writes of the dynamic RAM access it using the IP address as the direct read/write address.
In step 6 above, the network packet feature information is read in units of blocks, and one block contains multiple data structures.
The invention discloses a network packet filtering method based on an FPGA. Using the parallel high speed of FPGA hardware, the host computer can configure the filtering rule set online in real time into the memory of the underlying hardware over the PCI bus. The filtering rule set is stored in bit-storage form; feature extraction is performed on the packets to be filtered, and the extracted IP address is used as the read address of the memory (IP address direct addressing: a linear mapping is established between the IP address and the storage bit space address) to read the filtering control bit and thereby realize packet filtering. With limited storage space, the bit-storage method allows a massive number of packets to be filtered, and the IP address direct addressing method improves the rule lookup speed, so the invention can filter massive numbers of packets quickly and efficiently under high-speed network traffic.
The beneficial effects of the invention are: in a high-speed network environment, using an FPGA, the filtering rule set can be configured very flexibly from the host computer; the validity and robustness of filtering are ensured by the IP address direct addressing method; and the related network information is displayed through a friendly interface on the host computer.
Brief description of the drawings
Fig. 1 is the packet filtering method overview flow chart of the preferred embodiment of the present invention.
Fig. 2 is a schematic diagram of the IP address direct addressing process of the preferred embodiment of the invention.
Fig. 3 is the Packet Filtering overall framework schematic diagram of the preferred embodiment of the present invention.
Embodiment
A network packet filtering method based on an FPGA according to the invention, as shown in Fig. 1, specifically comprises the following steps:
Step S1: Data acquisition. Network packets are captured using the TEMAC (Tri-Mode Ethernet MAC) IP core, and packet count and byte count statistics are also kept.
Step S2: FIFO (first in, first out) data buffering. The buffer interface uses a dual-port design, that is, reads and writes proceed simultaneously. In addition, to speed up packet processing and improve network throughput, a block read/write mode is used, i.e. one data block contains multiple packets. The steps involved are as follows:
Step S21: Write interface. The write address counts up from 0; the block size is provisionally set to 4K in this program, so after one data block is written the address is offset by 4K and latched so that subsequent accumulation is possible. If the write address reaches 64MB, it is reset to 0.
Step S22: Read interface. The read address counts up from 0, but before each read it must be checked that the read address is less than the write address, to prevent reading invalid data. However, when wr_addr (the write address) is reset to 0, a notice signal must be issued so that the condition "read address less than write address" is suspended; when rd_addr (the read address) in turn is reset to 0, the condition "read address less than write address" becomes valid again. After a data block is read, the address is offset by 4K and latched so that subsequent accumulation is possible; the rest is similar to the write interface.
Step S3: Network feature extraction, which includes reading the network packet, extracting the relevant header fields, storing them in SRAM, and then periodically sending them to the host computer CPU. The specific steps are as follows:
Step S31: Read the network packet and extract the source IP, destination IP, IP packet length, protocol, source port and destination port, i.e. 32+32+16+8+16+16 = 120 bits = 15 bytes, stored in SRAM as one data structure;
Step S32: Using a counter, once 64 network feature data structures have been extracted (4K/64, i.e. the block size is 4K and the minimum packet is 64B), the network feature data in SRAM is read and sent to the host computer CPU over the PCI bus in register I/O mode, so that the upper-layer software can compute network feature statistics;
Step S33: The counter is reset once it reaches the rated value above, ready for the next round of statistics.
In a preferred embodiment of the invention, the network packets in step S3 are read in units of blocks, and one block contains multiple data structures.
Step S4: Filtering rule set extraction. The filtering rule set configured by software on the host computer (in IP packet format) is downloaded into the FPGA over the PCI bus by DMA; the filtering rule set extraction module then removes the packet header information and retains the set of IP addresses and corresponding filtering control bit information.
In a preferred embodiment of the invention, steps S3 and S4 are executed concurrently.
Step S5: Storing the filtering control bit information set in SDRAM. For the IP addresses and corresponding filtering control bits extracted in step S4, the IP address is used as the SDRAM addressable address, and all filtering control bits of the whole <IP address, filtering control bit> set are written into SDRAM.
Step S6: Filtering control access. The IP address extracted from the packet in step S3 is used as the SDRAM read address. To improve storage efficiency, each bit in SDRAM corresponds to the filtering control bit of one IP address, so when accessing with an IP address, the IP address must be mapped to obtain a new IP address (the row address) and the bit position of the filtering control bit within the data width, as shown in Fig. 2. The new IP address (row address) and the bit position together determine the filtering control bit written in SDRAM, giving the filtering control bit that decides whether the corresponding packet passes; for example, a filtering control bit of '1' represents pass and '0' represents not pass. Whether the network packet in the FIFO passes is determined according to this filtering control bit information.
In a preferred embodiment of the invention, the IP address used when writing the filtering rule set into SDRAM in step S5 also needs IP address mapping, as in step S6, and the principle is similar to step S6. In addition, the reads and writes of SDRAM in steps S5 and S6 all access SDRAM using the IP address as the direct read/write address, which ensures that packets and their corresponding filtering control bits are not mismatched because of timing disorder.
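The bit-space lookup of steps S5 and S6 (and of steps 3, 7 and 8 of the summary) is the core of the method: one control bit per IPv4 address, the address split into a row (word) address and a bit position within the data word, '1' = pass, '0' = not pass. The following is an added example for this page, not the patent's own design. A full IPv4 bit map is 2^32 bits = 512 MiB, and the patent does not state the SDRAM size or data width; to stay runnable the example assumes a 32-bit word and covers only a contiguous window of addresses (here 10.0.0.0/16), treats addresses outside the window as not pass, and uses a constructed rule set. Everything else, the linear mapping and the pass/not-pass decision, follows the text.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Width of one SDRAM data word; not stated in the patent, 32 bits assumed. */
#define DATA_WIDTH 32u
#define WORD_SHIFT 5u                      /* log2(DATA_WIDTH) */
#define BIT_MASK   (DATA_WIDTH - 1u)

/* Storage bit space covering the address window [base, base + size).
 * A cleared table holds all zeros, i.e. '0' = not pass for every address:
 * the structure is default-deny and the host must explicitly set the pass bits. */
typedef struct {
    uint32_t  base;     /* first IPv4 address covered (assumed window) */
    uint32_t  size;     /* number of addresses covered, multiple of DATA_WIDTH */
    uint32_t *words;    /* size / DATA_WIDTH data words of control bits */
} bitspace_t;

bool bitspace_init(bitspace_t *b, uint32_t base, uint32_t size)
{
    if (size == 0 || (size & BIT_MASK) != 0) return false;
    b->base = base;
    b->size = size;
    b->words = calloc(size >> WORD_SHIFT, sizeof *b->words);
    return b->words != NULL;
}

void bitspace_free(bitspace_t *b) { free(b->words); b->words = NULL; }

/* Fig. 2 mapping: the IP address (offset into the window) is split into a
 * row address and a bit position within the data word. Linear, no hashing,
 * so distinct addresses can never collide. */
static bool map_addr(const bitspace_t *b, uint32_t ip, uint32_t *row, uint32_t *bit)
{
    uint32_t off = ip - b->base;
    if (ip < b->base || off >= b->size) return false;   /* outside the window */
    *row = off >> WORD_SHIFT;
    *bit = off & BIT_MASK;
    return true;
}

/* Step S5: write one <IP address, filtering control bit> pair.
 * Returns false if the address has no slot in the window. */
bool bitspace_set(bitspace_t *b, uint32_t ip, bool pass)
{
    uint32_t row, bit;
    if (!map_addr(b, ip, &row, &bit)) return false;
    if (pass) b->words[row] |=  (1u << bit);
    else      b->words[row] &= ~(1u << bit);
    return true;
}

/* Step S6 / step 8: read the control bit with the IP address as the direct
 * read address; '1' = pass, '0' = not pass. An address outside the window has
 * no stored bit and is treated as not pass (this example's assumption). */
bool bitspace_pass(const bitspace_t *b, uint32_t ip)
{
    uint32_t row, bit;
    if (!map_addr(b, ip, &row, &bit)) return false;
    return (b->words[row] >> bit) & 1u;
}

#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Mapping helpers for the 10.0.0.0/16 window, for inspection from a test. */
uint32_t demo_row(uint32_t ip) { return (ip - IP4(10, 0, 0, 0)) >> WORD_SHIFT; }
uint32_t demo_bit(uint32_t ip) { return (ip - IP4(10, 0, 0, 0)) & BIT_MASK; }

/* Constructed rule set over the 10.0.0.0/16 window: three hosts allowed, one of
 * them revoked by a later rule update. Returns a bitmask of passed checks
 * (63 when all pass). */
unsigned filter_scenario(void)
{
    bitspace_t t;
    unsigned ok = 0;
    if (!bitspace_init(&t, IP4(10, 0, 0, 0), 1u << 16)) return 0;
    bitspace_set(&t, IP4(10, 0, 0, 5), true);
    bitspace_set(&t, IP4(10, 0, 1, 200), true);
    bitspace_set(&t, IP4(10, 0, 255, 255), true);
    bitspace_set(&t, IP4(10, 0, 1, 200), false);           /* host revoked */
    if ( bitspace_pass(&t, IP4(10, 0, 0, 5)))        ok |= 1;
    if (!bitspace_pass(&t, IP4(10, 0, 0, 6)))        ok |= 2;   /* never allowed */
    if (!bitspace_pass(&t, IP4(10, 0, 1, 200)))      ok |= 4;   /* revoked */
    if ( bitspace_pass(&t, IP4(10, 0, 255, 255)))    ok |= 8;   /* last slot */
    if (!bitspace_pass(&t, IP4(10, 1, 0, 0)))        ok |= 16;  /* outside window */
    if (!bitspace_set(&t, IP4(9, 255, 255, 255), true)) ok |= 32; /* cannot store */
    bitspace_free(&t);
    return ok;
}
```

Two properties worth checking in any implementation of this scheme: the lookup cost is one memory read regardless of how many rules are loaded, which is what makes line-rate filtering possible, and the table is exactly as large as the address range it covers, so a deployment must either budget 512 MiB for the whole IPv4 space or decide, as this example does, what the filter answers for addresses it does not cover.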
Step S7: Data forwarding, which includes waiting for the filtering module signal, packet discarding, and so on. The specific steps are as follows:
Step S71: Network packets are buffered in the FIFO while the signal from the network packet filtering module is awaited; whether or not there is a hit, the network packet filtering module always provides an explicit signal;
Step S72: If there is a hit, the packet in the FIFO is read out and discarded, and the relevant information is sent to the host computer for statistics and display. If there is no hit, the data in the FIFO is read out and forwarded using the TEMAC, and packet count and byte count statistics are kept.
Step S8: Data interaction, which includes register group I/O mode and DMA mode. Specifically:
Step S81: The extracted network features, such as source IP, destination IP, IP packet length, protocol, source port and destination port, are transferred to the host computer in register group I/O mode for network information statistics.
Step S82: The relevant information of the packets discarded in step S7 is sent to the host computer for statistics and display.
Step S83: The host computer downloads the filtering rule set configured by software into SDRAM, providing the rule set for data filtering.
In a preferred embodiment of the invention, steps S7 and S8 are executed concurrently.
The inventive concept of the invention is as follows. Packets are captured and first stored in a data buffer; next, the header information is extracted and the extracted fields are stored in SRAM (static random access memory); at the same time, the extracted IP address is used as the address (direct addressing) for accessing SDRAM to read the filtering control bit information, yielding an explicit pass signal that decides whether the data in the data buffer is allowed through: if the lookup result is pass the data is forwarded, otherwise it is discarded. The extracted relevant information is periodically sent to the host computer for statistics and display. The filtering rule set configured on the host computer is transferred in IP packet format to the underlying FPGA by DMA (direct memory access), parsed, and the filtering control bit information is written into SDRAM (synchronous dynamic random access memory) for filtering lookups. Filtering control and rule set downloading are performed in parallel. The design makes full use of the fast parallel computation of FPGA hardware, meets the line-rate filtering requirement, and achieves high-speed network packet filtering and statistical display of data-flow information. The overall framework of the above FPGA-based network packet filtering method is shown in Fig. 3.
The above is a further detailed description of the invention in combination with specific preferred embodiments, and it cannot be held that the embodiments of the invention are limited to these. For a person of ordinary skill in the art, some simple deductions or substitutions can also be made without departing from the inventive concept, and all of these should be regarded as falling within the scope of protection of the claims of the invention.
Claims (2)
1. A network packet filtering method based on an FPGA, comprising the following steps:
Step 1: the filtering rule set is configured online in real time on the host computer;
Step 2: the host computer transfers the filtering rule set into the FPGA by direct memory access;
Step 3: the FPGA parses the filtering rule set to obtain all IP addresses and their corresponding filtering control bit information, and, using each IP address as the addressable address of the dynamic RAM, writes its corresponding filtering control bit into the storage bit space of the dynamic RAM for filtering lookups;
Step 4: the FPGA captures network data and stores the collected network packets into the FPGA's FIFO data buffer;
Step 5: feature extraction is performed on the network packets cached in the FIFO data buffer to obtain the packet header information and the IP address;
Step 6: the extracted header information is stored in SRAM;
Step 7: using the extracted IP address as the addressable address, the storage bit space of the dynamic RAM is accessed to read the corresponding filtering control bit;
Step 8: whether the network packet cached in step 4 is forwarded is decided by a lookup on the filtering control bit read in step 7, which determines whether the packet passes; if the filtering control bit result is pass, the data in the FIFO data buffer is forwarded, and if the result is not pass, the data in the FIFO data buffer is discarded;
characterized in that:
in steps 3 and 7 above, the read/write address of the dynamic RAM requires address mapping, and both reads and writes of the dynamic RAM access it using the IP address as the direct read/write address.
2. The network packet filtering method based on an FPGA according to claim 1, characterized in that: in step 6 above, the network packet feature information is read in units of blocks, and one block contains multiple data structures.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410619192.4A CN104283742B (en) | 2014-11-05 | 2014-11-05 | Network data packet filter method based on FPGA |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104283742A CN104283742A (en) | 2015-01-14 |
CN104283742B true CN104283742B (en) | 2017-08-08 |
Family
ID=52258248
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410619192.4A Expired - Fee Related CN104283742B (en) | 2014-11-05 | 2014-11-05 | Network data packet filter method based on FPGA |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104283742B (en) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106130903B (en) * | 2016-07-08 | 2019-03-12 | 桂林电子科技大学 | SDN switch flow table encryption method based on FPGA |
CN108881181A (en) * | 2018-05-30 | 2018-11-23 | 杭州迪普科技股份有限公司 | A kind of filter method and device of message |
CN109688117B (en) * | 2018-12-11 | 2021-10-15 | 国家电网公司信息通信分公司 | High-capacity IP address intercepting method and equipment |
CN110516332B (en) * | 2019-08-15 | 2021-06-11 | 浪潮电子信息产业股份有限公司 | Method and system for filtering parallel calculation results |
CN113497798B (en) * | 2020-04-08 | 2023-01-06 | 北京中科网威信息技术有限公司 | FPGA-based data forwarding method for firewall |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050129033A1 (en) * | 2003-12-13 | 2005-06-16 | Gordy Stephen C. | Network tap for use with multiple attached devices |
CN103780460B (en) * | 2014-01-15 | 2017-06-30 | 珠海市佳讯实业有限公司 | It is a kind of that the system that TAP device hardwares are filtered is realized by FPGA |
Timeline
- 2014-11-05: CN201410619192.4A filed (CN); granted as CN104283742B; status: not active, Expired - Fee Related
Also Published As
Publication number | Publication date |
---|---|
CN104283742A (en) | 2015-01-14 |
Similar Documents
Publication | Title |
---|---|
CN104283742B (en) | Network data packet filter method based on FPGA |
CN101267361B (en) | A high-speed network data packet capturing method based on zero duplication technology |
CN103117948B (en) | Based on the hierarchical parallel express network TCP flow recombination method of FPGA |
CN105337991B (en) | A kind of integrated message flow is searched and update method |
CN102123090B (en) | IP (Internet protocol) fragment processing method based on two-level table storage and transport layer information inquiry |
CN102739473A (en) | Network detecting method using intelligent network card |
CN105023185B (en) | A kind of futures exchange disk mouth data real time parsing system based on FPGA |
CN104333533B (en) | A kind of packet zero-copy acquisition methods for industrial control system network |
CN103488717B (en) | Lock-free data gathering method and lock-free data gathering device |
WO2013040730A1 (en) | IP lookup method and device, and route updating method and device |
CN106331196A (en) | Method and device for realizing NAT |
CN108536615A (en) | A kind of ping-pang cache controller and its design method |
CN107908357A (en) | Name data network Forwarding plane PIT storage organizations and its data retrieval method |
CN1700664A (en) | Linux kernel based high-speed network flow measuring unit and flow measuring method |
CN107241305A (en) | A kind of network protocol analysis system and its analysis method based on polycaryon processor |
CN107040405A (en) | Passive type various dimensions main frame Fingerprint Model construction method and its device under network environment |
CN108809748A (en) | Network audit collecting method and related device, equipment and storage medium |
CN106789733A (en) | A kind of device and method for improving large scale network flow stream searching efficiency |
CN104158770B (en) | A kind of method and apparatus of exchange data bag cutting and restructuring |
CN103780460B (en) | It is a kind of that the system that TAP device hardwares are filtered is realized by FPGA |
CN103414603B (en) | Ipv6 deep packet inspection method based on Hash method for folding |
CN104601583B (en) | A kind of online real-time anonymous system and method for IP flow datas |
CN110445730A (en) | The real-time acquisition and storage method of network data and device based on WinPcap |
CN102098291A (en) | FPGA (Field Programmable Gate Array)-based network security log processing method and device |
CN105516016B (en) | A kind of packet filtering system and packet filtering method based on stream using Tilera multinuclears accelerator card |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20170808; Termination date: 20201105 |