CN106790170A - A packet filtering method and device


Info

Publication number: CN106790170A
Authority: CN (China)
Prior art keywords: packet filtering, rule, classification, field, field value
Legal status: Granted (active)
Application number: CN201611248795.3A
Other languages: Chinese (zh)
Other versions: CN106790170B (en)
Inventor: 谭天
Current assignee: Hangzhou DPtech Information Technology Co Ltd
Original assignee: Hangzhou DPTech Technologies Co Ltd
Application filed by Hangzhou DPTech Technologies Co Ltd; priority to CN201611248795.3A; publication of CN106790170A; application granted; publication of CN106790170B.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0245 Filtering by information in the payload
    • H04L63/0263 Rule management


Abstract

The application provides a packet filtering method and device. The method includes: a network device divides a number of pre-configured packet filtering rules into a number of classification rules, where each classification rule corresponds to a different preset field and is made up of the values that preset field takes across the packet filtering rules; the network device extracts, from a received target packet, the field value corresponding to each preset field and matches each extracted field value against its corresponding classification rule in parallel; it then computes the intersection of the matching results of the classification rules, determines from that intersection which packet filtering rule the target packet matches, and performs packet filtering on the target packet according to the packet filtering policy of that rule. The application addresses the prior-art problem that pre-processing packet filtering rules increases the number of rules and thereby lowers matching efficiency.

Description

A packet filtering method and device
Technical field
The application relates to the field of network security, and in particular to a packet filtering method and device.
Background
In the field of network security, packet filtering rules are user-configured rules for filtering the packets that enter and leave a network; they are generally made up of fields such as source IP address, destination IP address, port number and protocol. The network device applies different filtering policies according to the configured packet filtering rules. So that the network device can match packets against the packet filtering rules quickly, the rules usually need to be pre-processed, and the network device then matches received packets against the pre-processed rules.
Because a packet filtering rule is a multi-dimensional datum composed of several fields, pre-processing may split some of those fields, which increases the number of packet filtering rules. In that case, after receiving a packet, the network device tries the packet filtering rules one after another until a match succeeds. Once the number of packet filtering rules grows, the work the network device does to match a packet grows with it, and the matching efficiency of the whole process falls.
Summary of the invention
In view of this, the application provides a packet filtering method and device to solve the prior-art problem that the number of packet filtering rules grows while they are pre-processed, causing matching efficiency to fall.
Specifically, the application is achieved by the following technical solution:
A packet filtering method, applied to a network device on which a number of packet filtering rules composed of several preset fields are pre-configured, comprising:
Dividing the packet filtering rules into a number of classification rules, one per preset field; each classification rule corresponds to a different preset field and is made up of the values that preset field takes in the packet filtering rules;
Extracting, from a received target packet, the field value corresponding to each preset field;
Matching each extracted field value against its corresponding classification rule in parallel;
Computing the intersection of the matching results of the classification rules for the field values, determining from the computed intersection the packet filtering rule the target packet matches, and performing packet filtering on the target packet according to the packet filtering policy of the matched rule.
In the packet filtering method, dividing the packet filtering rules into classification rules corresponding to each preset field comprises:
Selecting each preset field in turn as the target field;
Extracting from each packet filtering rule the field value corresponding to the target field;
Creating the classification rule for the target field from the extracted field values together with the identifiers of the packet filtering rules they belong to.
The packet filtering method further comprises:
Processing each classification rule with a preset algorithm, so that the processed classification rule is better suited to matching against the extracted field values.
The packet filtering method further comprises:
When several of the preset fields are related, merging the classification rules created for those preset fields; and,
When any created classification rule contains several identical field values, merging the packet filtering rule identifiers corresponding to those field values.
In the packet filtering method, each classification rule is pre-configured with its own matching thread;
Matching each extracted field value against its corresponding classification rule in parallel comprises:
Submitting each extracted field value to the matching thread pre-configured for its classification rule, which matches the received field value against each field value recorded in that classification rule; each matching thread creates a bitmap table for the field value it receives; the bitmap table contains a number of bits for recording matching results, and each bit corresponds to the identifier of one packet filtering rule recorded in the classification rule;
Each matching thread records, in the corresponding bit of the bitmap table, the result of matching the extracted field value against each field value recorded in its classification rule.
In the packet filtering method, a bit value of 1 in the bitmap table indicates that the packet filtering rule corresponding to that bit matched;
Computing the intersection of the matching results of the classification rules and determining from it the packet filtering rule the target packet matches comprises:
Performing a bitwise AND of the bitmap tables corresponding to the field values, where the order of the bits in the bitmap table corresponds to the priority order of the packet filtering rules;
Taking the packet filtering rule corresponding to the first bit whose value is 1 after the bitwise AND as the packet filtering rule the target packet matches.
A packet filtering device, applied to a network device on which a number of packet filtering rules composed of several preset fields are pre-configured, comprising:
A division unit, for dividing the packet filtering rules into a number of classification rules, one per preset field; each classification rule corresponds to a different preset field and is made up of the values that preset field takes in the packet filtering rules;
An extraction unit, for extracting from a received target packet the field value corresponding to each preset field;
A matching unit, for matching each extracted field value against its corresponding classification rule in parallel;
A computing unit, for computing the intersection of the matching results of the classification rules for the field values, determining from the computed intersection the packet filtering rule the target packet matches, and performing packet filtering on the target packet according to the packet filtering policy of the matched rule.
In the packet filtering device, the division unit is further used for:
Selecting each preset field in turn as the target field;
Extracting from each packet filtering rule the field value corresponding to the target field;
Creating the classification rule for the target field from the extracted field values together with the identifiers of the packet filtering rules they belong to.
In the packet filtering device, the device further comprises:
A processing unit, for processing each classification rule with a preset algorithm so that the processed classification rule is better suited to matching against the extracted field values.
In the packet filtering device, the device further comprises:
A combining unit, for merging the classification rules created for related preset fields when several of the preset fields are related; and,
When any created classification rule contains several identical field values, merging the packet filtering rule identifiers corresponding to those field values.
In the packet filtering device, each classification rule is pre-configured with its own matching thread, and the matching unit is further used for:
Submitting each extracted field value to the matching thread pre-configured for its classification rule, which matches the received field value against each field value recorded in that classification rule; each matching thread creates a bitmap table for the field value it receives; the bitmap table contains a number of bits for recording matching results, and each bit corresponds to the identifier of one packet filtering rule recorded in the classification rule;
Each matching thread records, in the corresponding bit of the bitmap table, the result of matching the extracted field value against each field value recorded in its classification rule.
In the packet filtering device, a bit value of 1 in the bitmap table indicates that the packet filtering rule corresponding to that bit matched, and the computing unit is further used for:
Performing a bitwise AND of the bitmap tables corresponding to the field values, where the order of the bits in the bitmap table corresponds to the priority order of the packet filtering rules;
Taking the packet filtering rule corresponding to the first bit whose value is 1 after the bitwise AND as the packet filtering rule the target packet matches.
In the embodiment of the application, the network device has pre-configured a number of packet filtering rules composed of several preset fields, and divides them into a number of classification rules, one per preset field; each classification rule corresponds to a different preset field and is made up of the values that preset field takes in the packet filtering rules. The network device extracts from a received target packet the field value corresponding to each preset field and matches each extracted field value against its corresponding classification rule in parallel; it then computes the intersection of the matching results of the classification rules, determines from the computed intersection the packet filtering rule the target packet matches, and performs packet filtering on the target packet according to the packet filtering policy of the matched rule.
Because, in this application, the network device divides the pre-configured packet filtering rules into classification rules corresponding to each preset field and then matches the received target packet's values for the preset fields against those classification rules in parallel, matching efficiency is effectively improved.
Brief description of the drawings
Fig. 1 is a flow chart of a packet filtering method shown in the application;
Fig. 2 is a schematic diagram of parallel packet filtering shown in the application;
Fig. 3 is a schematic diagram of a bitmap table shown in the application;
Fig. 4 is a block diagram of an embodiment of a packet filtering device shown in the application;
Fig. 5 is a hardware structure diagram of a packet filtering device shown in the application.
Detailed description
To give those skilled in the art a better understanding of the technical solution in the embodiments of the invention, and to make the above purposes, features and advantages of the embodiments clearer and easier to understand, the prior art and the technical solution in the embodiments of the invention are described in further detail below with reference to the drawings.
Packet filtering rules are generally made up of fields such as source IP address, destination IP address, port number and protocol, and the network device filters the packets entering and leaving the network according to the packet filtering rules the user has pre-configured. To make packet filtering more efficient, the packet filtering rules are usually pre-processed, and the network device matches received packets against the pre-processed rules.
Because a packet filtering rule is a multi-dimensional datum composed of several fields, pre-processing may split some of those fields and so increase the number of packet filtering rules. For example, suppose a packet filtering rule has three fields A, B and C, and field B is configured as a mask, which is not suited to matching by comparison. It must be split into ranges that can be compared, say three ranges for field B: [x1, y1], [x2, y2], [x3, y3]. The one original rule then becomes three: A, [x1, y1], C; A, [x2, y2], C; A, [x3, y3], C. If field C also has to be split into three ranges, the total number of rules becomes 9.
So the network device now has 9 packet filtering rules to match a received packet against instead of the original 1, which increases its workload when filtering packets and lowers the matching efficiency of the whole process.
To solve this problem, the application divides the different fields of the packet filtering rules into a number of classification rules; after receiving a packet, it extracts the value of each field from the packet and then matches the extracted field values against the classification rules in parallel, which effectively improves the efficiency of packet filtering.
Referring to Fig. 1, a flow chart of a packet filtering method shown in the application, the executing body of the embodiment is a network device on which a number of packet filtering rules composed of several preset fields are pre-configured. The method comprises the following steps:
Step 101: Divide the packet filtering rules into a number of classification rules, one per preset field; each classification rule corresponds to a different preset field and is made up of the values that preset field takes in the packet filtering rules.
Step 102: Extract from the received target packet the field value corresponding to each preset field.
Step 103: Match each extracted field value against its corresponding classification rule in parallel.
Step 104: Compute the intersection of the matching results of the classification rules for the field values, determine from the computed intersection the packet filtering rule the target packet matches, and perform packet filtering on the target packet according to the packet filtering policy of the matched rule.
In the embodiment of the application, to address the prior-art problem that pre-processing splits fields in the packet filtering rules and so increases their number, the network device divides the pre-configured packet filtering rules, composed of several preset fields, into a number of classification rules, one per preset field.
In one illustrated implementation, the network device selects the preset fields of the packet filtering rules in turn as the target field, extracts from each packet filtering rule the field value corresponding to the target field, and then creates the classification rule for the target field from the extracted field values together with the identifiers of the packet filtering rules they belong to.
For example, a packet filtering rule containing n preset fields can be expressed as:
Rule = {field_1, field_2, field_3, ..., field_n}, where field_i denotes the i-th field; the specific content of the field need not concern us here.
The set of packet filtering rules made up of m packet filtering rules can be expressed as:
The network device first selects the 1st preset field of the above m packet filtering rules, each containing n preset fields, as the target field, and then extracts from each packet filtering rule the field value corresponding to that target field, obtaining:
After obtaining the field values corresponding to the target field, the network device can create the classification rule for the target field from those field values and the identifiers of the packet filtering rules they belong to. The classification rule corresponding to the 1st preset field can be expressed as:
After obtaining the classification rule for the 1st preset field, the network device selects the 2nd preset field of the packet filtering rules as the target field and obtains the classification rule for the 2nd preset field. Selecting each preset field of the packet filtering rules in turn as the target field, it obtains the classification rule for each preset field, n classification rules in all.
The j-th classification rule can be expressed as:
After the network device has divided the pre-configured packet filtering rules into classification rules corresponding to each preset field, it can extract the value of each preset field from a received target packet and then match the extracted field values against the classification rules in parallel, improving the efficiency of packet filtering.
Moreover, once the packet filtering rules have been divided into classification rules, each classification rule can be pre-processed on its own, with no need to consider the relationship between fields within a packet filtering rule; pre-processing therefore no longer increases the number of packet filtering rules.
In one illustrated implementation, to make subsequent packet filtering even more efficient, the classification rules created for the preset fields can be pre-processed, after which the network device filters packets according to the pre-processed classification rules. Since the lookup and matching of each classification rule is independent of the others, each classification rule can be pre-processed in a different way; the network device can choose for each classification rule the processing best suited to fast lookup of that rule, for example hash processing or k-d tree processing.
In one illustrated implementation, when several of the preset fields of the packet filtering rules are related, the network device can pre-process those preset fields in the same way; here, related preset fields are fields that can be placed in the same classification rule and processed together. For example, all wildcard-mask fields can be placed in one classification rule and processed there.
In this case, the network device merges the classification rules created for the related preset fields, so that the related preset fields can be processed in the same classification rule.
During subsequent lookup and matching, after extracting from the target packet the field values corresponding to those preset fields, the network device can look them up in that one classification rule. A successful match means that the target packet's values for those preset fields lie within the field values for those preset fields recorded in the classification rule.
Merging the classification rules created for related preset fields into one classification rule reduces the number of classification rules, makes them easier for the network device to manage, and helps speed up the subsequent computation of the intersection of the matching results of the classification rules.
In one illustrated implementation, after the network device has divided the packet filtering rules into classification rules, some field values within one classification rule may be identical; or, after a classification rule has been pre-processed, some of the field values produced by splitting may be identical.
In this case no special treatment is generally needed: during subsequent matching, all identical field values and their corresponding packet filtering rules are found.
Alternatively, the network device can merge the packet filtering rule identifiers corresponding to identical field values within the same classification rule. For example, suppose two tuples in the j-th classification rule are:
where 0 < i ≤ m and 0 < j ≤ n.
If the two field values are identical, they can be merged into the following form:
Now, when matching against this classification rule, a single match of that field value determines at once that both packet filtering rules Rule_i and Rule_{i+k} match.
Thus, once the network device has merged the packet filtering rule identifiers corresponding to identical field values within the same classification rule, matching an extracted field value against the classification rule becomes more efficient, which in turn improves the efficiency of the whole packet filtering process.
In the embodiment of the application, after the network device has divided the pre-configured packet filtering rules into classification rules, it can, on receiving a target packet, match the target packet's values for the preset fields against the classification rules in parallel. The network device's parallel matching may be implemented in hardware (for example, a logic device) or in software; this example places no particular limitation on it.
In one illustrated implementation, taking a software implementation as the example, the network device can configure a separate matching thread for each classification rule, each matching thread being responsible for matching against one classification rule.
Referring to Fig. 2, a schematic diagram of parallel packet filtering shown in the application, after the network device receives a target packet it extracts the target packet's field value for each preset field of the packet filtering rules. Once extraction is complete, the network device matches each extracted field value against its corresponding classification rule in parallel.
Because in this example the network device has configured a separate matching thread for each classification rule, it can submit each extracted field value to the matching thread pre-configured for the corresponding classification rule, and that matching thread matches the received field value against each field value recorded in its classification rule.
In one illustrated implementation, the classification rules shown in Fig. 2 may be pre-processed classification rules, so that each matching thread completes its matching faster.
Each matching thread creates a bitmap table for the field value it receives; the bitmap table contains a number of bits for recording matching results, and each bit corresponds to the identifier of one packet filtering rule recorded in the classification rule.
Referring to Fig. 3, a schematic diagram of the bitmap table shown in the application: when the network device has m packet filtering rules pre-configured, the bitmap table created by each matching thread contains m bits for recording matching results, and each bit corresponds to the identifier of one packet filtering rule.
Each matching thread records, in the corresponding bit of the bitmap table, the result of matching the extracted field value against each field value recorded in its classification rule.
In the embodiment of this application, after the matching result of the classification rule corresponding to each field value of the target packet has been obtained, the network device can compute the intersection of the matching results corresponding to the classification rules and determine, based on the computed intersection, the packet filtering rule matched by the target packet.
In one implementation, still taking as an example the network device configuring a different matching thread for each classification rule, referring to Fig. 2, each matching thread records the result of matching the extracted field value against each field value recorded in the corresponding classification rule into the corresponding bit of the bitmap table created by that matching thread.
When computing the intersection of the matching results obtained by the matching threads, the network device can perform a bitwise AND over the bitmap tables in which each field value of the target packet has finished matching in its matching thread, obtaining a target bitmap table that records the result of the bitwise AND.
The target bitmap table contains m bits recording the result of the bitwise AND. If a bit with value 1 in a bitmap table indicates that the packet filtering rule corresponding to that bit is matched, then the packet filtering rules corresponding to the bits with value 1 in the target bitmap table are the packet filtering rules finally matched by the target packet.
In one implementation, because the packet filtering rules preconfigured on the network device are generally sorted by priority, and once a high-priority rule has been matched the lower-priority rules no longer need to be matched, the order of the bits in the target bitmap table generally also corresponds to the priority order of the packet filtering rules preconfigured on the network device.
In this case, if the bitwise AND result recorded in the target bitmap table contains multiple bits with value 1, the packet filtering rule corresponding to the first bit with value 1 in the target bitmap table can be determined as the packet filtering rule matched by the target packet.
After the packet filtering rule matched by the target packet has been determined, packet filtering processing can be performed on the target packet according to the packet filtering policy corresponding to the matched packet filtering rule. Packet filtering processing generally includes dropping or forwarding the packet.
Of course, if the packet filtering rules preconfigured on the network device do not support priority, the order of the bits in the target bitmap table is unrelated to the priority order of the packet filtering rules. In that case, the packet filtering rules corresponding to all bits with value 1 in the target bitmap table after the bitwise AND can be determined as the packet filtering rules matched by the target packet.
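The grouping of rules by field, the per-field bitmap tables, the bitwise AND of those tables and the selection of the first (highest-priority) set bit described above, as an added worked example in Python. This is not code from the patent or from its assignee: the four preset fields, the five constructed rules (one deliberately shadowed by a higher-priority duplicate) and the sample packets are assumptions chosen to show both the prioritised and the non-prioritised selection, and the matching threads are simulated with a thread pool.

```python
from concurrent.futures import ThreadPoolExecutor

# Constructed sample rule set (an assumption, not from the patent).  The list
# index of a rule is its identifier, and lower index means higher priority.
FIELDS = ("src_ip", "dst_ip", "proto", "dst_port")
RULES = [
    # (src_ip,     dst_ip,       proto, dst_port, action)
    ("10.0.0.5", "192.0.2.10", "tcp", 22,  "drop"),
    ("10.0.0.5", "192.0.2.10", "tcp", 443, "forward"),
    ("10.0.0.7", "192.0.2.10", "udp", 53,  "forward"),
    ("10.0.0.5", "192.0.2.11", "tcp", 443, "drop"),
    ("10.0.0.5", "192.0.2.10", "tcp", 22,  "forward"),  # shadowed by rule 0
]


def build_groups(rules):
    """Divide the rules into one classification rule (group) per preset field.

    Each group maps a field value to a bitmap whose bit i is set when rule i
    carries that value, so identical field values merge into a single entry
    holding several rule identifiers.
    """
    groups = {field: {} for field in FIELDS}
    for rule_id, rule in enumerate(rules):
        for field, value in zip(FIELDS, rule):
            groups[field][value] = groups[field].get(value, 0) | (1 << rule_id)
    return groups


def match_group(group, value):
    """One matching thread's work: look the packet's field value up in its group
    and return the bitmap table for that value (0 when no rule carries it)."""
    return group.get(value, 0)


def lowest_set_bit(bitmap):
    """Index of the first bit with value 1, i.e. the highest-priority rule."""
    return (bitmap & -bitmap).bit_length() - 1


def classify(groups, packet, prioritised=True):
    """Extract each field of the packet, match the groups in parallel, AND the
    bitmap tables together and pick the rule(s) from the intersection."""
    values = [packet[field] for field in FIELDS]
    with ThreadPoolExecutor(max_workers=len(FIELDS)) as pool:
        bitmaps = list(pool.map(match_group, (groups[f] for f in FIELDS), values))
    target = bitmaps[0]
    for bitmap in bitmaps[1:]:
        target &= bitmap            # bitwise AND = intersection of match results
    if target == 0:
        return []
    if prioritised:
        return [lowest_set_bit(target)]
    # Rules without priority: every rule whose bit survived the AND matches.
    return [i for i in range(target.bit_length()) if (target >> i) & 1]


def filter_packet(rules, groups, packet, default_action="forward"):
    """Apply the policy of the matched rule; unmatched packets get the default."""
    matched = classify(groups, packet)
    return rules[matched[0]][4] if matched else default_action


if __name__ == "__main__":
    groups = build_groups(RULES)
    packet = {"src_ip": "10.0.0.5", "dst_ip": "192.0.2.10", "proto": "tcp", "dst_port": 22}
    print(classify(groups, packet), classify(groups, packet, prioritised=False))
    print(filter_packet(RULES, groups, packet))
```

With the constructed rules, the packet from 10.0.0.5 to 192.0.2.10 on TCP/22 intersects to bits 0 and 4; the prioritised selection returns rule 0 (drop), while the non-prioritised variant returns both rule identifiers. A packet to port 80 finds no entry in the port group, so its bitmap is 0, the AND is 0 and the default action applies.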
As can be seen from the above embodiments, a network device preconfigured with several packet filtering rules composed of several preset fields can divide those packet filtering rules into several classification rules corresponding to the preset fields, where each classification rule corresponds to a different preset field and consists of the field values of that preset field in the packet filtering rules. After receiving a target packet, the network device extracts the field values of the target packet corresponding to each preset field and matches each extracted field value in parallel against its corresponding classification rule; it then computes the intersection of the matching results of the classification rules corresponding to the field values, determines from that intersection the packet filtering rule matched by the target packet, and performs packet filtering processing on the target packet based on the packet filtering policy corresponding to the matched packet filtering rule.
On the one hand, because this application divides the preconfigured packet filtering rules into classification rules corresponding to each preset field, when each classification rule is preprocessed separately, even if a field in a classification rule is split, the split field affects only that classification rule and not the other classification rules, which effectively avoids an overall increase in the number of packet filtering rules.
On the other hand, in this application the network device matches each extracted field value of the target packet against its corresponding classification rule in parallel, then computes the intersection of the matching results and determines the packet filtering rule matched by the target packet; this parallel matching can significantly improve matching efficiency.
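To make the first advantage concrete, the following added example (not the patent's own code) splits a port-range field into prefixes and counts how many table entries that split adds in a flat table holding one entry per complete rule versus per-field classification rules. The range-to-prefix expansion and the constructed rule set are assumptions: the patent only states that a field in a classification rule may be split during preprocessing, without naming the algorithm.

```python
def split_range_to_prefixes(lo, hi, width=16):
    """Split an inclusive integer range into aligned (value, mask) prefixes that
    cover it exactly.  Assumed preprocessing step; the patent names no algorithm."""
    full = 1 << width
    prefixes = []
    while lo <= hi:
        size = 1
        # Grow the block while it stays aligned at lo and does not overshoot hi.
        while size * 2 <= full and lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        mask = (full - 1) & ~(size - 1)
        prefixes.append((lo, mask))
        lo += size
    return prefixes


def covers(prefixes, value):
    """True when some prefix matches the value (same bits under the mask)."""
    return any(value & mask == base for base, mask in prefixes)


def entry_counts(rules, range_index, split=True, width=16):
    """Count entries in two layouts for the same rule set.

    flat:    one entry per complete rule (a split rule becomes one entry per prefix)
    grouped: per-field classification rules, one entry per distinct field value
    With split=False the range is kept as one opaque value, giving the baseline.
    """
    flat = 0
    per_field = [set() for _ in rules[0]]
    for rule in rules:
        pieces = 1
        for i, value in enumerate(rule):
            if split and i == range_index and isinstance(value, tuple):
                prefixes = split_range_to_prefixes(value[0], value[1], width)
                pieces = len(prefixes)
                per_field[i].update(prefixes)
            else:
                per_field[i].add(value)
        flat += pieces
    return flat, sum(len(values) for values in per_field)


def splitting_growth(rules, range_index, width=16):
    """Extra entries caused by splitting the range field, for (flat, grouped)."""
    flat_before, grouped_before = entry_counts(rules, range_index, split=False, width=width)
    flat_after, grouped_after = entry_counts(rules, range_index, split=True, width=width)
    return flat_after - flat_before, grouped_after - grouped_before


# Constructed sample rules (an assumption): ten rules share the port range
# 1024-1030, one rule uses a single port.  Field order: src_ip, dst_ip, proto, dst_port.
SAMPLE_RULES = [(f"10.0.0.{k}", "192.0.2.10", "tcp", (1024, 1030)) for k in range(10)]
SAMPLE_RULES.append(("10.0.0.20", "192.0.2.11", "udp", 53))

if __name__ == "__main__":
    print(split_range_to_prefixes(1024, 1030))
    print(splitting_growth(SAMPLE_RULES, range_index=3))
```

The range 1024-1030 splits into three prefixes. In the flat layout every one of the ten rules that carries the range is tripled (20 extra entries), whereas in the grouped layout only the port group grows, by two entries, regardless of how many rules share the range.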
Corresponding to the embodiments of the packet filtering method of this application, this application also provides embodiments of a device for performing the above method embodiments.
Fig. 4 is a block diagram of an embodiment of a packet filtering device shown in this application.
As shown in Fig. 4, the packet filtering device 40 includes:
a division unit 410, configured to divide the several packet filtering rules into several classification rules corresponding to each preset field, where each classification rule corresponds to a different preset field and consists of the field values of that preset field in the several packet filtering rules;
an extraction unit 420, configured to extract the field values of a received target packet corresponding to each preset field;
a matching unit 430, configured to match each extracted field value in parallel against its corresponding classification rule;
a computing unit 440, configured to compute the intersection of the matching results of the classification rules corresponding to the field values, determine from the computed intersection the packet filtering rule matched by the target packet, and perform packet filtering processing on the target packet based on the packet filtering policy corresponding to the matched packet filtering rule.
In this example, the division unit 410 is further configured to:
select each preset field in turn as the target field;
extract from each packet filtering rule the field value corresponding to the target field;
based on the extracted field value of each packet filtering rule for the target field and the identifier of the packet filtering rule corresponding to that field value, create the classification rule corresponding to the target field.
In this example, the device further includes:
a processing unit 450, configured to process each classification rule separately based on a preset algorithm so that the processed classification rules are better suited to matching against the extracted field values.
In this example, the device further includes:
a combining unit 460, configured to merge the classification rules created for multiple related preset fields when such related preset fields exist among the preset fields; and,
when any created classification rule contains multiple identical field values, merge the packet filtering rule identifiers corresponding to those field values.
In this example, each classification rule is preconfigured with a different matching thread, and the matching unit 430 is further configured to:
submit each extracted field value to the matching thread preconfigured for the corresponding classification rule, and have that matching thread match the received field value against each field value recorded in the corresponding classification rule; where each matching thread has created a corresponding bitmap table for each field value, the bitmap table contains several bits for recording matching results, and each bit corresponds to the identifier of one packet filtering rule recorded in the classification rule;
each matching thread records the result of matching the extracted field value against each field value recorded in the corresponding classification rule into the corresponding bit of the bitmap table.
In this example, a bit with value 1 in the bitmap table indicates that the packet filtering rule corresponding to that bit is matched, and the computing unit 440 is further configured to:
perform a bitwise AND over the bitmap tables corresponding to the field values, where the order of the bits in the bitmap table corresponds to the priority order of the packet filtering rules;
determine the packet filtering rule corresponding to the first bit with value 1 after the bitwise AND as the packet filtering rule matched by the target packet.
The embodiments of the packet filtering device of this application can be applied on a network device. The device embodiments may be implemented by software, or by hardware or a combination of hardware and software. Taking software implementation as an example, the device in a logical sense is formed by the processor of the network device on which it resides reading the corresponding computer program instructions from non-volatile memory into memory and running them. From the hardware perspective, Fig. 5 is a hardware structure diagram of the network device on which the packet filtering device of this application resides; besides the processor, memory, network interface and non-volatile memory shown in Fig. 5, the network device in the embodiment may also include other hardware according to the actual function of the packet filtering device, which is not described further here.
The implementation process of the functions and effects of the units in the above device corresponds to the implementation process of the respective steps in the above method and is not repeated here.
Since the device embodiments essentially correspond to the method embodiments, reference can be made to the description of the method embodiments for the related parts. The device embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this application. Those of ordinary skill in the art can understand and implement this without creative effort.
The foregoing is only the preferred embodiments of this application and is not intended to limit this application; any modification, equivalent substitution, improvement and the like made within the spirit and principles of this application shall be included within the scope of protection of this application.

Claims (12)

1. A packet filtering method, applied to a network device preconfigured with several packet filtering rules composed of several preset fields, characterised in that the method includes:
dividing the several packet filtering rules into several classification rules corresponding to each preset field, where each classification rule corresponds to a different preset field and consists of the field values of that preset field in the several packet filtering rules;
extracting the field values of a received target packet corresponding to each preset field;
matching each extracted field value in parallel against its corresponding classification rule;
computing the intersection of the matching results of the classification rules corresponding to the field values, determining from the computed intersection the packet filtering rule matched by the target packet, and performing packet filtering processing on the target packet based on the packet filtering policy corresponding to the matched packet filtering rule.
2. The method according to claim 1, characterised in that dividing the several packet filtering rules into several classification rules corresponding to each preset field includes:
selecting each preset field in turn as the target field;
extracting from each packet filtering rule the field value corresponding to the target field;
based on the extracted field value of each packet filtering rule for the target field and the identifier of the packet filtering rule corresponding to that field value, creating the classification rule corresponding to the target field.
3. The method according to claim 2, characterised in that the method further includes:
processing each classification rule separately based on a preset algorithm so that the processed classification rules are better suited to matching against the extracted field values.
4. The method according to claim 2, characterised in that the method further includes:
when multiple related preset fields exist among the preset fields, merging the classification rules created for those preset fields; and,
when any created classification rule contains multiple identical field values, merging the packet filtering rule identifiers corresponding to those field values.
5. The method according to claim 2, characterised in that each classification rule is preconfigured with a different matching thread;
and matching each extracted field value in parallel against its corresponding classification rule includes:
submitting each extracted field value to the matching thread preconfigured for the corresponding classification rule, and having that matching thread match the received field value against each field value recorded in the corresponding classification rule; where each matching thread has created a corresponding bitmap table for each field value, the bitmap table contains several bits for recording matching results, and each bit corresponds to the identifier of one packet filtering rule recorded in the classification rule;
each matching thread recording the result of matching the extracted field value against each field value recorded in the corresponding classification rule into the corresponding bit of the bitmap table.
6. The method according to claim 5, characterised in that a bit with value 1 in the bitmap table indicates that the packet filtering rule corresponding to that bit is matched;
and computing the intersection of the matching results of the classification rules corresponding to the field values and determining from the computed intersection the packet filtering rule matched by the target packet includes:
performing a bitwise AND over the bitmap tables corresponding to the field values, where the order of the bits in the bitmap table corresponds to the priority order of the packet filtering rules;
determining the packet filtering rule corresponding to the first bit with value 1 after the bitwise AND as the packet filtering rule matched by the target packet.
7. A packet filtering device, applied to a network device preconfigured with several packet filtering rules composed of several preset fields, characterised in that the device includes:
a division unit, configured to divide the several packet filtering rules into several classification rules corresponding to each preset field, where each classification rule corresponds to a different preset field and consists of the field values of that preset field in the several packet filtering rules;
an extraction unit, configured to extract the field values of a received target packet corresponding to each preset field;
a matching unit, configured to match each extracted field value in parallel against its corresponding classification rule;
a computing unit, configured to compute the intersection of the matching results of the classification rules corresponding to the field values, determine from the computed intersection the packet filtering rule matched by the target packet, and perform packet filtering processing on the target packet based on the packet filtering policy corresponding to the matched packet filtering rule.
8. The device according to claim 7, characterised in that the division unit is further configured to:
select each preset field in turn as the target field;
extract from each packet filtering rule the field value corresponding to the target field;
based on the extracted field value of each packet filtering rule for the target field and the identifier of the packet filtering rule corresponding to that field value, create the classification rule corresponding to the target field.
9. The device according to claim 8, characterised in that the device further includes:
a processing unit, configured to process each classification rule separately based on a preset algorithm so that the processed classification rules are better suited to matching against the extracted field values.
10. The device according to claim 8, characterised in that the device further includes:
a combining unit, configured to merge the classification rules created for multiple related preset fields when such related preset fields exist among the preset fields; and,
when any created classification rule contains multiple identical field values, merge the packet filtering rule identifiers corresponding to those field values.
11. The device according to claim 8, characterised in that each classification rule is preconfigured with a different matching thread, and the matching unit is further configured to:
submit each extracted field value to the matching thread preconfigured for the corresponding classification rule, and have that matching thread match the received field value against each field value recorded in the corresponding classification rule; where each matching thread has created a corresponding bitmap table for each field value, the bitmap table contains several bits for recording matching results, and each bit corresponds to the identifier of one packet filtering rule recorded in the classification rule;
each matching thread records the result of matching the extracted field value against each field value recorded in the corresponding classification rule into the corresponding bit of the bitmap table.
12. The device according to claim 11, characterised in that a bit with value 1 in the bitmap table indicates that the packet filtering rule corresponding to that bit is matched, and the computing unit is further configured to:
perform a bitwise AND over the bitmap tables corresponding to the field values, where the order of the bits in the bitmap table corresponds to the priority order of the packet filtering rules;
determine the packet filtering rule corresponding to the first bit with value 1 after the bitwise AND as the packet filtering rule matched by the target packet.
CN201611248795.3A 2016-12-29 2016-12-29 Data packet filtering method and device Active CN106790170B (en)


Publications (2)

Publication Number Publication Date
CN106790170A true CN106790170A (en) 2017-05-31
CN106790170B CN106790170B (en) 2020-05-12

Family

ID=58927502


Country Status (1)

Country Link
CN (1) CN106790170B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040151382A1 (en) * 2003-02-04 2004-08-05 Tippingpoint Technologies, Inc. Method and apparatus for data packet pattern matching
CN1545254A (en) * 2003-11-13 2004-11-10 中兴通讯股份有限公司 A method of fast data packet filtering
CN103401777A (en) * 2013-08-21 2013-11-20 中国人民解放军国防科学技术大学 Parallel search method and system of Openflow

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110909149B (en) * 2018-09-17 2022-06-03 北京国双科技有限公司 Data filtering method and device
CN110909149A (en) * 2018-09-17 2020-03-24 北京国双科技有限公司 Data filtering method and device
CN109347747A (en) * 2018-11-13 2019-02-15 锐捷网络股份有限公司 A kind of data processing method and device
CN109347747B (en) * 2018-11-13 2021-12-17 锐捷网络股份有限公司 Data processing method and device
CN111262812A (en) * 2018-11-30 2020-06-09 比亚迪股份有限公司 Data packet screening method and device
CN109802872B (en) * 2019-03-19 2021-07-30 北京信而泰科技股份有限公司 Message capturing method, device and equipment
CN109802872A (en) * 2019-03-19 2019-05-24 北京信而泰科技股份有限公司 A kind of message capturing method, device and equipment
CN111897644A (en) * 2020-08-06 2020-11-06 成都九洲电子信息系统股份有限公司 Network data fusion matching method based on multiple dimensions
CN111897644B (en) * 2020-08-06 2024-01-30 成都九洲电子信息系统股份有限公司 Multi-dimensional-based network data fusion matching method
CN112685611A (en) * 2020-12-31 2021-04-20 恒安嘉新(北京)科技股份公司 Data filtering method and device, storage medium and electronic equipment
WO2023019403A1 (en) * 2021-08-16 2023-02-23 北京小米移动软件有限公司 Ip data packet transmission method and apparatus and readable storage medium
CN114268451A (en) * 2021-11-15 2022-04-01 中国南方电网有限责任公司 Method, device, equipment and medium for constructing power monitoring network security buffer area
CN114268451B (en) * 2021-11-15 2024-04-16 中国南方电网有限责任公司 Method, device, equipment and medium for constructing safety buffer zone of power monitoring network
CN114189572A (en) * 2021-12-16 2022-03-15 深圳市领创星通科技有限公司 Packet detection rule matching method, device, network element and storage medium
CN114615231A (en) * 2022-03-04 2022-06-10 北京理工大学 Network packet processing method and system based on name extraction

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20210611

Address after: 310051 05, room A, 11 floor, Chung Cai mansion, 68 Tong Xing Road, Binjiang District, Hangzhou, Zhejiang.

Patentee after: Hangzhou Dip Information Technology Co.,Ltd.

Address before: 6 / F, Zhongcai building, 68 Tonghe Road, Binjiang District, Hangzhou City, Zhejiang Province

Patentee before: Hangzhou DPtech Technologies Co.,Ltd.