CN106549944A - A domain name filtering method based on a Linux kernel hash table - Google Patents

Info

Publication number
CN106549944A
Authority
CN
China
Prior art keywords
linux kernel
hash table
method based
dns
domain
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201610901018.8A
Other languages
Chinese (zh)
Inventor
赵冲
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Feixun Data Communication Technology Co Ltd
Original Assignee
Shanghai Feixun Data Communication Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shanghai Feixun Data Communication Technology Co Ltd
Priority to CN201610901018.8A
Publication of CN106549944A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4552 Lookup mechanisms between a plurality of directories; Synchronisation of directories, e.g. metadirectories
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the technical field of network equipment, and specifically to a domain name filtering method for network devices based on a Linux kernel hash table. Step 1: by command or function, the user sends the domain names to be filtered to the Linux kernel; the Linux kernel builds a hash table in the kernel from the configuration information issued by the user and stores the user-configured domain names in that hash table. Step 2: a DNS request packet reaches the network layer of the Linux kernel, the packet is parsed, the hash table is looked up, and whether to filter the packet is decided by whether a match is found. The method is highly stable, balances the function and the efficiency of domain name filtering, and is more flexible, quick and convenient.

Description

A domain name filtering method based on a Linux kernel hash table
Technical field
The invention relates to the technical field of network equipment, and specifically to a domain name filtering method for network devices based on a Linux kernel hash table.
Background
Existing network devices, especially home routers and switches, usually have a feature called "parental control" (the name may differ between products). An administrator can allow or forbid a particular device from visiting certain websites, and this is where domain name filtering is used. For example: forbid the device 192.168.2.100 from accessing baidu.com. There are three existing schemes.
First, an entry is added to the /etc/hosts file in the form "192.168.2.1 phicomm.me". The dnsmasq process then intercepts LAN users' lookups of phicomm.me and resolves the name to the IP address 192.168.2.1.
Second, iptables commands are configured to use xt_webstr, a match module provided by an open-source site, which matches specified URLs and then filters or passes the traffic.
Third, some companies find the two methods above too limited and simply develop their own match module similar to xt_webstr, such as xt_domain. Match rules are configured through iptables; the xt_domain module parses DNS packets, matches them against the configured rules, and then decides whether to pass them.
The first scheme adds (domain name, IP address) pairs to /etc/hosts to hijack the domain name. It can only be called domain hijacking: it has no filtering (packet dropping) capability and does not support wildcard matching, so it can do nothing with a pattern such as "*.baidu.com".
The second scheme uses the xt_webstr match module to implement domain name filtering. More precisely, the module matches HTTP packets, that is, the URL of the HTTP request. A URL usually has the form http://www.baidu.com/a/b/c/d/e.html, and xt_webstr can match any segment of it. Because the match is made on the URL, the amount of content to match grows, and other uses of the same domain name, such as HTTPS or SSH, cannot be matched.
The third scheme, an in-house xt_domain module, makes up for most of the shortcomings of the first two. It parses only DNS packets (protocol: UDP, port: 53) and matches the extracted domain name against rules written in advance through iptables. On home devices, however, a large number of iptables rules seriously degrades packet forwarding performance. This follows from the nature of iptables rules, because iptables can only search along a chain: with 500 rules, a packet undergoes 500 match lookups in the worst case. This shortcoming applies equally to the second scheme, since it is also implemented with iptables rules.
For example, the patent with publication number CN101707619A discloses a message filtering method, device and network equipment, in which the method includes: obtaining the source IP address, destination IP address and protocol type of a received message; mapping the message into a flow table using a flow table index value generated by a hash operation; in the target flow record, generating target address information from the IP address information of the message and the IP address information in the target flow record, and matching the IP address information of the message against the target address information; when the match is successful, creating for the message a new flow record corresponding to the flow table index value; when the match is successful, judging the legitimacy of the message according to the connection state information in the matched flow record and filtering the message. Its filtering method has the defects and deficiencies described above.
Summary of the invention
The object of the invention is to provide a domain name filtering method based on a Linux kernel hash table that is highly stable, balances the function and the efficiency of domain name filtering, and is more flexible, quick and convenient.
The above technical object of the invention is achieved by the following technical scheme:
A domain name filtering method based on a Linux kernel hash table, with the following steps:
Step 1: by command or function, the user sends the domain names to be filtered to the Linux kernel; the Linux kernel builds a hash table in the kernel from the configuration information issued by the user and stores the user-configured domain names in that hash table;
Step 2: a DNS request packet reaches the network layer of the Linux kernel; the DNS packet is parsed, the hash table is looked up, and whether to filter is decided by whether a match is found.
The above technical scheme provides a domain name filtering method for network devices based on the Linux kernel. It can implement more complex business logic and improves the efficiency of business logic processing; system stability is higher and data flow is smoother; the function and the efficiency of domain name filtering are balanced, and the method is more flexible, quick and convenient.
Preferably, communication between the user and the Linux kernel is implemented through the netlink mechanism.
Preferably, when the network device starts, the Linux kernel creates a netlink socket.
Preferably, the application layer where the user resides also creates a netlink socket.
Preferably, the user process sends the domain names the user wishes to filter to the Linux kernel through netlink; the kernel receives the configuration and stores it in the hash table.
Preferably, if a DNS packet forwarded by the network device passes through the NF_IP_FORWARD point of the Linux network layer, a dns_filter hook function is attached at that point; whenever a DNS packet passes this point, the dns_filter function is triggered.
Preferably, in the dns_filter function the packet is parsed to determine whether it is a DNS message; if it is, parsing continues to obtain the domain name being requested, and the hash table is then looked up by that domain name. If there is a match the packet is dropped; otherwise it is passed.
Preferably, DNS messages use the UDP protocol and port 53.
Preferably, when the hash table is looked up, two rounds of lookup are needed if wildcards are supported.
Preferably, the two rounds of lookup are: first round, an exact-match lookup, i.e. a full string match in which not a single character may differ; second round, if the first round finds nothing, a wildcard lookup that matches against the domain name configuration stored under the wildcard hashkey.
The domain name filtering method based on a Linux kernel hash table has the advantages of high stability, a balance between the function and the efficiency of domain name filtering, and greater flexibility, speed and convenience.
Brief description of the drawings
Fig. 1 is a flow diagram of the interaction between the user and the device in a preferred embodiment of the invention.
Fig. 2 is a flow diagram of a packet passing through the Linux kernel network layer in a preferred embodiment of the invention.
Detailed description
The preferred embodiment of the invention is described in detail below with reference to the drawings, but the scope of protection of the invention is not limited to it.
As shown in Figs. 1 and 2, the steps of the domain name filtering method based on a Linux kernel hash table in this embodiment are as follows:
Step 1: by command or function, the user sends the domain names to be filtered to the Linux kernel; the Linux kernel builds a hash table in the kernel from the configuration information issued by the user and stores the user-configured domain names in that hash table;
Step 2: a DNS request packet reaches the network layer of the Linux kernel; the DNS packet is parsed, the hash table is looked up, and whether to filter is decided by whether a match is found.
Communication between the user and the Linux kernel is implemented through the netlink mechanism. netlink is a special form of inter-process communication (IPC) between user processes and the kernel, and is the interface network applications most commonly use to communicate with the kernel; its definitions are in the header file linux/netlink.h. When the network device starts, the Linux kernel creates a netlink socket.
The application layer where the user resides also creates a netlink socket. The user process sends the domain names the user wishes to filter to the Linux kernel through netlink; the kernel receives the configuration and stores it in the hash table. If a DNS packet forwarded by the network device passes through the NF_IP_FORWARD point of the Linux network layer, a dns_filter hook function is attached at that point; whenever a DNS packet passes this point, the dns_filter function is triggered. In the dns_filter function the packet is parsed to determine whether it is a DNS message; if it is, parsing continues to obtain the domain name being requested, and the hash table is then looked up by that domain name. If there is a match the packet is dropped; otherwise it is passed. DNS messages use the UDP protocol and port 53. When the hash table is looked up, two rounds of lookup are needed if wildcards are supported. The two rounds are: first round, an exact-match lookup, i.e. a full string match in which not a single character may differ; second round, if the first round finds nothing, a wildcard lookup that matches against the domain name configuration stored under the wildcard hashkey.
The scheme above is elaborated in more detail below. The invention parses DNS packets and matches the domain name obtained against the domain names the user has configured. The core idea has the following two parts:
1. By command or function, the user sends the domain names to be filtered to the Linux kernel; the kernel builds a hash table in the kernel from the configuration information issued by the user and stores the user-configured domain names in that hash table.
2. A DNS request packet reaches the network layer of the Linux kernel. A kernel module is written that parses the packet, looks up the hash table, and decides whether to pass or drop (filter) the packet according to whether a match is found.
Function: the main function of the invention is to provide a new domain name filtering method that overcomes the poor flexibility and low efficiency of the existing schemes.
Structure: the invention has to address two things:
First, how to deliver the user's configuration to the kernel and store it in the kernel in an orderly way;
Second, how to parse packets and look up and match the domain name against the configuration from the first step.
Implementation details:
1. User space issues the domain names to be filtered to the Linux kernel. Here the netlink mechanism is used for communication between the Linux kernel and the user process.
When the device starts, the Linux kernel module creates a netlink socket of type DNS_FILTER, and the application layer creates a netlink socket of the same type; only then can the kernel and the user process communicate. The user process sends the domain names the user wishes to filter to the Linux kernel through netlink; the kernel receives the configuration and stores it in the hash table. If wildcard lookup is to be supported, a separate hashkey must be created, and the wildcard domain names are stored under that hashkey. Deletion works in a similar way: if the user wishes to delete a configuration entry, a message is likewise sent to the kernel through netlink, and the kernel decides from the message type whether to delete the entry from the hash table.
2. On a network device (for example a router), forwarded DNS packets always pass through the NF_IP_FORWARD point of the Linux network layer. The whole domain name filtering module attaches a dns_filter hook function at this hook point, and whenever a packet passes the hook point the dns_filter function is triggered. In the dns_filter function the packet is parsed to determine whether it is a DNS message (protocol UDP, port 53); if it is, parsing continues to obtain the domain name being requested, for example www.baidu.com. The hash table is then looked up by that domain name: if there is a match the packet is dropped, otherwise it is passed. When the hash table is looked up, two rounds of lookup are needed if wildcards are supported. First round: an exact-match lookup, i.e. a full string match in which not a single character may differ. Second round: if the first round finds nothing, a wildcard lookup that matches against the domain name configuration stored under the wildcard hashkey. The method is therefore simple and easy to extend. It relies on existing, relatively mature mechanisms, such as netlink for communication between the kernel and application processes; developers can encapsulate the data part of the netlink message according to business needs to implement more complex business logic; and with hash lookup, lookups are far more efficient, especially when the user has configured a large number of entries.
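The decision made inside dns_filter, including the two-round lookup that the summary and this passage describe, modelled in user space as an added example; it is not code from the patent. The hash function, the separate wildcard table keyed by suffix, the function names and the sample query bytes are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define BUCKETS      256
#define DNS_NAME_MAX 253
enum verdict { VERDICT_ACCEPT = 0, VERDICT_DROP = 1 };
struct entry { struct entry *next; char name[DNS_NAME_MAX + 1]; };

/* Assumed layout (not from the patent): exact names and the suffixes of
 * "*.suffix" rules sit in separate tables, so both rounds are hash lookups. */
static struct entry *exact_tbl[BUCKETS], *wild_tbl[BUCKETS];

static unsigned hash_name(const char *s)  /* djb2; the page names no hash function */
{
    unsigned h = 5381;
    while (*s) h = h * 33 + (unsigned char)*s++;
    return h % BUCKETS;
}

static int tbl_has(struct entry **tbl, const char *name)
{
    for (struct entry *e = tbl[hash_name(name)]; e; e = e->next)
        if (strcmp(e->name, name) == 0) return 1;
    return 0;
}

/* Store one configured rule, lower-cased. Returns 0 on success, -1 on bad input. */
int filter_add(const char *rule)
{
    struct entry **tbl = exact_tbl;
    if (strncmp(rule, "*.", 2) == 0) { tbl = wild_tbl; rule += 2; }
    size_t n = strlen(rule);
    if (n == 0 || n > DNS_NAME_MAX) return -1;
    struct entry *e = calloc(1, sizeof(*e));
    if (!e) return -1;
    for (size_t i = 0; i < n; i++) e->name[i] = (char)tolower((unsigned char)rule[i]);
    struct entry **slot = &tbl[hash_name(e->name)];
    e->next = *slot;
    *slot = e;
    return 0;
}

/* Copy the first question name of a DNS query (the UDP payload) into out as a
 * lower-case dotted string. Returns its length, or -1 if not a well-formed query. */
int dns_qname(const uint8_t *msg, size_t len, char *out, size_t outsz)
{
    if (outsz == 0 || len < 12 || (msg[2] & 0x80) || (msg[4] | msg[5]) == 0) return -1;
    size_t pos = 12, o = 0;                      /* 12-byte DNS header, then labels */
    while (pos < len) {
        uint8_t l = msg[pos++];
        if (l == 0) { out[o] = '\0'; return o ? (int)o : -1; }
        /* l > 63 also rejects compression pointers, which a question does not need */
        if (l > 63 || pos + l > len || o + l + 1 >= outsz) return -1;
        if (o) out[o++] = '.';
        for (uint8_t i = 0; i < l; i++) out[o++] = (char)tolower(msg[pos + i]);
        pos += l;
    }
    return -1;                                   /* no terminating zero label */
}

/* Two rounds as the text describes: exact match first, wildcard only on a miss. */
int filter_match(const char *name)
{
    if (tbl_has(exact_tbl, name)) return 1;
    for (const char *p = strchr(name, '.'); p; p = strchr(p + 1, '.'))
        if (tbl_has(wild_tbl, p + 1)) return 1;  /* "*.b.c" covers a.b.c and x.a.b.c */
    return 0;
}

/* Model of the hook body: parse only UDP port 53; anything unparsable is passed on. */
enum verdict dns_filter(int is_udp, uint16_t dport, const uint8_t *payload, size_t len)
{
    char name[DNS_NAME_MAX + 1];
    if (!is_udp || dport != 53) return VERDICT_ACCEPT;
    if (dns_qname(payload, len, name, sizeof(name)) < 0) return VERDICT_ACCEPT;
    return filter_match(name) ? VERDICT_DROP : VERDICT_ACCEPT;
}

/* Constructed sample: query for "WWW.Baidu.com", type A, class IN (31 bytes). */
static const uint8_t sample_query[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    3, 'W', 'W', 'W', 5, 'B', 'a', 'i', 'd', 'u', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01
};

int main(void)
{
    filter_add("phicomm.me");
    filter_add("*.baidu.com");
    return dns_filter(1, 53, sample_query, sizeof(sample_query)) == VERDICT_DROP ? 0 : 1;
}
```

Names are lower-cased on both the rule and the query side because DNS names compare case-insensitively, so a mixed-case query still hits the table. Since only UDP port 53 is parsed, lookups carried over TCP or an encrypted transport are not examined by a filter built this way.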
In addition, to work better with the domain name filtering method, the flow control of the Linux kernel is improved. In the improved flow control, the sk_buff in the Linux kernel already has a mark field, and an index field is added. The mark field is used for flow control of bandwidth objects. index is an unsigned integer divided into two parts: the high 16 bits are used for service flow control and the low 16 bits for single-IP flow control. Packet queues are then set up. Next, flow control methods decide whether a packet may be dequeued: the packet is checked by the service flow control method; if it may be dequeued, it is then checked in turn by the bandwidth object flow control method and the single-IP flow control method; if any one of these three flow control methods does not allow the packet to be dequeued, it is re-enqueued. Finally, dequeued packets are sent after being selected by the packet-sending scheduling method.
The packet queues are set up as follows: an array of 300 unsigned integers is created, each unsigned integer being 32 bits, with each bit corresponding to one of 9600 queues (queue 0 is the queue that is not flow-controlled). A bit set to 1 means the corresponding queue is in use, and queues are selected quickly by computation on the unsigned integer array.
The single-IP flow control method works as follows. An IP address has 32 bits, which are treated as two parts: the first 16 bits and the last 16 bits. The first 16 bits are represented by a pointer array A of size 65535, whose array index is the value of the first 16 bits of the IP address. The last 16 bits are also represented by an array of 65535, but that array is allocated dynamically. Each structure in the last-16-bit array contains flag and index fields: flag indicates whether the IP is to be flow-controlled, and index is an index value, an unsigned integer. When an IP packet arrives, the first 16 bits of its IP are taken and used as the index into the first-16-bit array. If the array entry is empty, no last-16-bit array has yet been created for these first 16 bits and one has to be created; if the entry is not empty, the corresponding last-16-bit array is accessed through the pointer, and flow control is applied according to the flag and index of the corresponding entry.
The steps by which the single-IP flow control method quickly selects a queue (the method for calculating index) are as follows:
(1) First check whether the unsigned integer value is all 1s, by testing it against 0xffffffff;
(2) If the unsigned integer value is all 1s, take the next integer in the array and continue with step (1);
(3) If the unsigned integer value is not all 1s, compute whether its low 16 bits are all 1s;
(4) If so, shift the integer value right by 16 bits; otherwise leave it unchanged;
(5) Compute whether the low 8 bits of the unsigned integer value are all 1s;
(6) If so, shift the integer value right by 4 bits; otherwise leave it unchanged;
(7) Compute whether the low 2 bits of the unsigned integer value are all 1s;
(8) If so, shift the integer value right by 2 bits; otherwise leave it unchanged;
(9) Compute whether the lowest bit of the unsigned integer value is 1; if it is not, then the second bit is 1. The specific bit position has now been found and the corresponding array index can be calculated;
(10) When an IP is no longer flow-controlled, the corresponding bit is set to 0.
For example, when the first packet of a connection arrives, the module looks up the flag of the corresponding IP. If flag = 1, the IP needs flow control; otherwise the module returns 0 and exits. It then checks whether the index value is less than 0. A value less than 0 means the label has not yet been allocated, and the value of index is calculated with the single-IP flow control quick queue selection algorithm; if the index value is greater than 0, it has already been allocated and is used directly. In addition, an index field is added to the kernel's connection tracking structure; when a packet obtains its index, the value is also assigned to the index of the tracked connection.
The steps of the packet-sending scheduling method are as follows:
(1) Each queue has pointers to the previous and the next queue, so the queues form a doubly linked list, and each queue is a node of the send list. Only queues that have packets waiting to be sent are added to the send list; when a queue has no packets left, it is removed from the send list;
(2) The send list has a list head and a current-send node pointer. A packet is dequeued from the queue that the current-send node pointer points to and is checked against the flow control methods to see whether it may be sent. If it may, the packet is sent; otherwise the packet is re-enqueued, at the head of the queue. At the same time the current-send node pointer moves on to the next node;
(3) The send list is built when packets are enqueued. When a packet arrives, the enqueue function is called; it checks whether the queue the packet belongs to is already in the dique list. If not, the queue is added to the dique list and the current-send node pointer of the dique list is pointed at that queue; otherwise the current-send node pointer of the dique list is pointed at that queue directly. When packets are dequeued and sent, packets of the queue that was just enqueued are therefore sent first.
Within each queue, packet flow control is computed as follows:
Bandwidth is the amount of data that passes in one second. Inside the kernel there is no notion of seconds, only jiffies. In the Linux kernel one second is usually divided into 250 parts (see the macro definition in the kernel), so one jiffy is 1/250 second; if the bandwidth is a, the traffic per jiffy is a/250. Each queue stores jiffies_last, the jiffies at which the last packet arrived; jiffies_byte, the traffic per jiffy (in bytes); bytes, the number of bytes currently allowed through; and burst, the maximum number of bytes currently allowed through. Each time a packet arrives at the queue, the difference between the current jiffies and jiffies_last is computed, multiplied by jiffies_byte and added to bytes, which gives the number of bytes that may pass at present; if bytes is greater than burst, bytes is set to burst. Finally the packet length is compared with bytes: if it is greater than bytes, the packet cannot be dequeued; if it is less than bytes, the packet is dequeued and sent, and the packet length is subtracted from bytes.
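The per-queue calculation above, written out in user space as an added example that is not code from the patent. The field names follow the text; the function names, the full initial allowance, the treatment of a packet exactly equal to bytes and the sample traffic are assumptions.

```c
#include <stdint.h>

#define HZ 250  /* jiffies per second, the value the text gives */

struct fc_queue {
    uint64_t jiffies_last;  /* jiffies when the previous packet arrived */
    uint32_t jiffies_byte;  /* bytes credited per jiffy = bandwidth / HZ */
    uint32_t bytes;         /* bytes currently allowed through */
    uint32_t burst;         /* upper bound for bytes */
};

/* Assumption: a new queue starts with a full allowance. Rates below HZ bytes/s
 * truncate to jiffies_byte == 0, and such a queue would never refill. */
void fc_init(struct fc_queue *q, uint32_t bytes_per_sec, uint32_t burst, uint64_t now)
{
    q->jiffies_last = now;
    q->jiffies_byte = bytes_per_sec / HZ;
    q->bytes = burst;
    q->burst = burst;
}

/* Called for the packet at the head of the queue. Returns 1 if it may be
 * dequeued and sent (its length is charged), 0 if it must be re-enqueued. */
int fc_may_dequeue(struct fc_queue *q, uint32_t pkt_len, uint64_t now)
{
    uint64_t delta = now - q->jiffies_last;
    if (delta > q->burst) delta = q->burst;     /* clamp so the product cannot overflow */
    uint64_t credit = delta * q->jiffies_byte + q->bytes;
    q->bytes = credit > q->burst ? q->burst : (uint32_t)credit;
    q->jiffies_last = now;
    if (pkt_len > q->bytes) return 0;           /* a packet equal to bytes passes (assumption) */
    q->bytes -= pkt_len;
    return 1;
}

/* Constructed scenario: 250000 B/s (1000 B per jiffy), burst 3000, 1500-byte
 * packets. Returns a bitmask of decisions, bit i set if packet i was sent. */
unsigned fc_demo(void)
{
    static const uint64_t arrival[] = { 100, 100, 100, 101, 102, 1102 };
    struct fc_queue q;
    unsigned sent = 0;
    fc_init(&q, 250000, 3000, 100);
    for (unsigned i = 0; i < sizeof(arrival) / sizeof(arrival[0]); i++)
        if (fc_may_dequeue(&q, 1500, arrival[i])) sent |= 1u << i;
    return sent;
}

int main(void) { return fc_demo() == 0x33 ? 0 : 1; }
```

In the scenario the burst lets the first two packets through, the third and fourth are held back until enough jiffies have accumulated, and the long idle gap before the last packet refills the allowance only up to burst.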
Connection tracking is a technique used by current firewalls. It gives high performance here because index only needs to be calculated once and is afterwards assigned directly from the index of the connection. The deployment is as follows:
First stage: installing the module:
The flow control module is provided as a kernel module, and the user can install it with the insmod command.
Second stage: setting the label:
iptables is extended with a target. The target calls a function of the flow control module to obtain the labels for single-IP flow control and service flow control, i.e. index. Specifically, the extended target is added below the connection tracking rule in the FORWARD chain of the iptables filter table. In this way the first packet of a connection obtains the label, while the other packets go through connection tracking. Code is also added to the connection tracking module so that the index label of the packet is assigned to the index label of the connection. The essence of these two stages is that the flow control method is modularized into a standalone module.
The technical scheme adopted by the invention has the following technical effects:
It provides a domain name filtering method for network devices based on the Linux kernel. It can implement more complex business logic and improves the efficiency of business logic processing; system stability is higher and data flow is smoother; the function and the efficiency of domain name filtering are balanced, and the method is more flexible, quick and convenient. It can also improve the computing speed of the device, and the physical performance of the device is improved as well.
The preferred embodiment above only explains the invention and does not limit it. After reading this specification, those skilled in the art may, as needed, make modifications to this embodiment that involve no creative contribution, and all such modifications are protected by patent law as long as they fall within the scope of the claims of the invention.

Claims (10)

1. A domain name filtering method based on a Linux kernel hash table, characterised in that it is carried out as follows:
Step 1: by command or function, the domain names to be filtered are sent to the Linux kernel; the Linux kernel builds a hash table in the Linux kernel from the issued configuration information, and the configured domain names are stored in the hash table;
Step 2: a DNS request packet reaches the network layer of the Linux kernel; the DNS packet is parsed, the hash table is looked up, and whether to filter is decided by whether a match is found.
2. The domain name filtering method based on a Linux kernel hash table according to claim 1, characterised in that: communication between the user and the Linux kernel is implemented through the netlink mechanism.
3. The domain name filtering method based on a Linux kernel hash table according to claim 2, characterised in that: when the network device starts, the Linux kernel creates a netlink socket.
4. The domain name filtering method based on a Linux kernel hash table according to claim 3, characterised in that: the application layer where the user resides also creates a netlink socket.
5. The domain name filtering method based on a Linux kernel hash table according to claim 4, characterised in that: the user process sends the domain names the user wishes to filter to the Linux kernel through netlink; the kernel receives the configuration and stores it in the hash table.
6. The domain name filtering method based on a Linux kernel hash table according to claim 5, characterised in that: if a DNS packet forwarded by the network device passes through the NF_IP_FORWARD point of the Linux network layer, a dns_filter hook function is attached at that point; whenever a DNS packet passes this point, the dns_filter function is triggered.
7. The domain name filtering method based on a Linux kernel hash table according to claim 6, characterised in that: in the dns_filter function the packet is parsed to determine whether it is a DNS message; if it is, parsing of the DNS packet continues to obtain the domain name being requested, and the hash table is looked up by that domain name; if there is a match the packet is dropped, otherwise it is passed.
8. The domain name filtering method based on a Linux kernel hash table according to claim 7, characterised in that: DNS messages use the UDP protocol and port 53.
9. The domain name filtering method based on a Linux kernel hash table according to claim 8, characterised in that: when the hash table is looked up, two rounds of lookup are needed if wildcards are supported.
10. The domain name filtering method based on a Linux kernel hash table according to claim 9, characterised in that: the two rounds of lookup are: first round, an exact-match lookup, i.e. a full string match in which not a single character may differ; second round, if the first round finds nothing, a wildcard lookup that matches against the domain name configuration stored under the wildcard hashkey.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610901018.8A CN106549944A (en) 2016-10-17 2016-10-17 A kind of domain filter method based on linux kernel Hash table

Publications (1)

Publication Number Publication Date
CN106549944A 2017-03-29

CN106899604B (en) * 2017-03-14 2020-06-05 东软集团股份有限公司 Processing method and device for data packet filtering rules
CN109218454A (en) * 2017-04-13 2019-01-15 阿里巴巴集团控股有限公司 The response method and dns server of DNS request
EP3657741A4 (en) * 2017-07-20 2021-03-10 ZTE Corporation Data packet routing method and data packet routing device
US11381503B2 (en) 2017-07-20 2022-07-05 Zte Corporation Data packet routing method and data packet routing device
CN107943660A (en) * 2017-12-05 2018-04-20 福建星瑞格软件有限公司 A kind of method and computer equipment of the progress information of monitoring linux
CN112769973A (en) * 2020-12-25 2021-05-07 清华大学 Method for matching network address and network address conversion rule
CN114374622A (en) * 2021-12-31 2022-04-19 恒安嘉新(北京)科技股份公司 Shunting method based on fusion shunting equipment and fusion shunting equipment
CN114374622B (en) * 2021-12-31 2023-12-19 恒安嘉新(北京)科技股份公司 Shunting method based on fusion shunting equipment and fusion shunting equipment

Similar Documents

Publication Publication Date Title
CN106549944A (en) A kind of domain filter method based on linux kernel Hash table
CN105743793B (en) Bit index for network device components explicitly replicates (BIER) forwarding
CN108989212A (en) The Routing Protocol signaling and its relationship of multiple next-hops
CN108989213A (en) It is arranged using the selected structural path transmission LSP between dummy node
CN108989202A (en) The forwarding based on structural path context for dummy node
CN108989203A (en) Selected structural path of the notice for the service routing in dummy node
CN104243315B (en) Device and method for uniquely enumerating the path in analytic tree
CN105706401B (en) With the layer routing method and system based on table management across hardware module
CN104246700B (en) System and method for routing traffic between distinct infiniband subnets based on fat-tree routing
CN103999430B (en) Forwarding element for flexible and extensible flow processing in software-defined networks
CN104322019B (en) Service routing system, apparatus and method
CN104012063B (en) Controller for flexible and extensible flow processing in software-defined networks
CN103999431B (en) Flexible and expansible stream processing system in the network of software definition
CN104247348B (en) For the method and apparatus for the Packet Service that network is guided by exchange component
CN103746892B (en) A kind of SDN virtualization platform uplink signaling flow label processing method based on OpenFlow
CN107078957A (en) The link of network service function in communication network
CN105683929B (en) Method and apparatus for database and memory aware router
CN110035009B (en) Apparatus and method for processing packets within a network device, computer readable medium
CN109698788A (en) Flow forwarding method and flow forwarding device
CA2555545A1 (en) Interface bundles in virtual network devices
CN106789542A (en) A kind of implementation method of cloud data center security service chain
CN105681198B (en) A kind of business chain processing method, equipment and system
CN104394083B (en) Method, the method and its device and system of message forwarding of forwarding-table item processing
CN104168212B (en) The method and apparatus for sending message
CN105591974A (en) Message processing method, device and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170329