CN101605127A - Design method for a Linux flow-based filtering system - Google Patents


Info

Publication number
CN101605127A
Authority
CN
China
Prior art keywords
flow
need
carry out
filtering
filter
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CNA2009100315068A
Other languages
Chinese (zh)
Inventor
王东泉
谢炜
刘继明
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ITIBIA TECHNOLOGIES
Original Assignee
ITIBIA TECHNOLOGIES
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.) 2009-04-22
Filing date 2009-04-22
Publication date 2009-12-16
2009-04-22: Application filed by ITIBIA TECHNOLOGIES
2009-04-22: Priority to CNA2009100315068A
2009-12-16: Publication of CN101605127A
Legal status: Pending

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a design method for a Linux flow-based filtering system. An attribute "flow action" is added to the flow definition, indicating whether the flow is to be dropped, accepted, or still needs packet filtering. An attribute "policy-modified flag" is added to the flow definition, indicating whether the filtering policy has been modified while this flow is being handled; if it has, the change must be responded to. The common parts of the filtering policy are refined: if the flow needs no application-layer protocol filtering, the action for the packet can be decided without protocol analysis, and packets that are dropped need no protocol analysis at all; if application-layer filtering is needed, flow filtering is performed after protocol analysis; hence flow filtering is applied at different points depending on the policy. When the filtering conditions change, existing flows are handled specially, that is, the decision is not taken from the cached flow action. The invention introduces the idea of flow filtering and greatly improves the performance of the filtering module.

Description

Design method for a Linux flow-based filtering system
Technical field
The present invention relates to a design method for a Linux flow-based filtering system and belongs to the field of network security technology.
Background technology
As the Internet becomes ever more widespread, network security becomes ever more important, and many filtering systems have been studied to keep networks secure. Current operating systems, including Unix (Linux) and network operating systems (Cisco IOS), all provide a form of packet filtering: every packet passing through the device is inspected, its contents are checked, and a predefined policy decides whether the packet is dropped. Because every packet has to be inspected, the cost to system performance is high, and on gigabit and 10-gigabit networks in particular packet filtering can become the system bottleneck. In tests on Linux with a 600 MHz MIPS CPU and 1 GB of memory, system response became very slow, or the system even became unavailable, once the iptables rule set reached 1,000 rules.
Because software packet filtering has such a large impact on performance, most network firewalls are implemented in proprietary hardware, whose cost is too high for an enterprise of ordinary size. Packet filtering inspects every packet and treats packets as unrelated to one another: whether the previous packet was dropped or passed has no influence on the next one. In reality, however, the traffic on a network is correlated. For example, when user A visits the web site www.g.cn at some moment, all the data exchanged by that application are HTTP messages with fixed IP addresses and ports. If the administrator only wants to filter by application and by user, all packets of this activity share the same filtering conditions, and these packets can be called a flow: if the first packet of the flow is dropped, the other packets in the flow will also be dropped, and if the first packet is accepted, the others will also be accepted. Provided that the cost of assigning a packet to its flow is much smaller than the cost of running the filter check on it, this idea is feasible. In fact the Linux kernel already performs this triage of packets into flows; that is what the conntrack module does, and every packet goes through flow tracking whether or not any filtering condition is configured on the system. Deciding at the level of the flow action can therefore greatly improve system performance. For instance, one network activity flow may contain many packets, from several up to hundreds; previously every packet had to be checked by the packet filtering system, whereas a flow-based filtering system generally needs to check only the first packet. Compared with packet filtering, efficiency can improve by a factor of several to a hundred.
Summary of the invention
Addressing the shortcomings of present packet filtering systems, the invention provides a design method for a Linux flow-based filtering system that improves system performance.
The design method for a Linux flow-based filtering system is characterized by the following. An attribute "flow action" is added to the flow definition, indicating whether the flow is to be dropped, accepted, or still needs packet filtering. An attribute "policy-modified flag" is added to the flow definition, indicating whether the filtering policy has been modified while this flow is being handled; if it has, the change must be responded to. The common parts of the filtering policy are refined: if the flow needs no application-layer protocol filtering, the action for the packet can be decided without protocol analysis, and packets that are dropped need no protocol analysis at all; if application-layer filtering is needed, flow filtering is performed after protocol analysis; hence flow filtering is applied at different points depending on the policy. When the filtering conditions change, existing flows are handled specially, that is, the decision is not taken from the cached flow action.
Further, the above design method for a Linux flow-based filtering system specifically comprises the following steps:
1. The input is a packet that needs filtering. First obtain the corresponding flow (Linux conntrack). If no flow is found, accept the packet without further processing; otherwise proceed according to the flow flag. If the flow flag equals the global flag, the filtering policy has not been modified during the lifetime of this flow, so the flow action is used directly and no packet filtering is needed. If the flow flag does not equal the global flag, set the flow action to "continue filtering", run packet filtering on the packet in the next step, and set the flow flag to the global flag.
2. When packet filtering is required, obtain the packet-filter match result; when it is not required, use the flow action directly. If the result is accept, set the flow action to "accept" and accept the packet; if the result is drop, set the flow action to "drop" and drop the packet; if there is no match, check whether the application protocol needs deep analysis: if so, accept the packet without any further operation; otherwise obtain the global default action, set the flow action to it, and accept or drop the packet according to that action.
The outstanding substantive features and notable improvements of the technical solution are mainly:
1) The idea of flow filtering is proposed, greatly improving the performance of the filtering module;
2) Real-time modification of the filtering policy is responded to, and the modified filtering policy takes effect;
3) A form of group processing is proposed: packets with identical behaviour are handled once as a group instead of each packet being processed individually as before. For example, in routing and forwarding the egress device is the same for all packets of a flow, so the reader can derive a flow-based forwarding scheme from this invention to save the per-packet routing procedure.
Description of drawings
The technical solution of the invention is further described below with reference to the drawings:
Fig. 1: schematic flow chart of flow filtering;
Fig. 2: schematic flow chart of packet filtering;
Fig. 3: schematic diagram of the filtering policy modification procedure.
Embodiment
Using the existing flow structure of Linux, the idea of flow-based filtering is proposed: packet filtering is improved into flow filtering, which greatly improves system performance. A flow action is defined, representing how the flow is handled, with three values: "drop", "accept" and "continue filtering". A flag bit is added to each flow, indicating whether the current filtering policy has been modified. The flow corresponding to a packet is checked: if it is flagged "filtering policy modified", the flag is cleared and the flow action is set to "continue filtering"; otherwise the flow action is applied. Applying the flow action: if it is "continue filtering", the subsequent filtering steps are carried out; if it is "accept", the packet is accepted directly without filtering; if it is "drop", the packet is dropped directly without filtering. When the filtering conditions change, the filter module is notified and sets the flag bit of all current flows, indicating that the current filtering policy has been modified and the flows must be filtered again, so that the change of filtering conditions is responded to in real time.
An attribute "flow action" is added to the flow definition, indicating whether the flow is to be dropped, accepted, or still needs packet filtering. An attribute "policy-modified flag" is added to the flow definition, indicating whether the filtering policy has been modified while this flow is being handled, which must be responded to if so. The common parts of the filtering policy are refined: if the flow needs no application-layer protocol filtering, the action for the packet can be decided without protocol analysis, and packets that are dropped need no protocol analysis at all; if application-layer filtering is needed, flow filtering must be applied after protocol analysis; hence flow filtering has to be applied at different points depending on the policy. When the filtering conditions change, existing flows need special handling: the decision can no longer be taken from the cached flow action, otherwise anomalies occur. For example, QQ traffic is normally a single flow; if the previous behaviour was to allow it and it must now be forbidden, the flow must be filtered again and its flow action reset.
Two elements are added to the flow definition: the flow flag and the flow action. The flow flag indicates whether the filtering policy has been modified. A global flag is used here to indicate whether the current filtering policy has been modified; every modification of the policy increments this flag by 1, and the flow flag of each flow is initialized to the global flag. The flow action has three values, "drop", "accept" and "continue filtering", and is initialized to "continue filtering".
The specific procedure is as follows. 1. The input is a packet that needs filtering. First obtain the corresponding flow (Linux conntrack). If no flow is found, accept the packet without further processing; otherwise proceed according to the flow flag. If the flow flag equals the global flag, the filtering policy has not been modified during the lifetime of this flow, so the flow action is used directly and no packet filtering is needed. If the flow flag does not equal the global flag, set the flow action to "continue filtering", run packet filtering on the packet in the next step, and set the flow flag to the global flag. 2. When packet filtering is required, obtain the packet-filter match result; when it is not required, use the flow action directly. If the result is accept, set the flow action to "accept" and accept the packet; if the result is drop, set the flow action to "drop" and drop the packet; if there is no match, check whether the application protocol needs deep analysis: if so, accept the packet without any further operation; otherwise obtain the global default action, set the flow action to it, and accept or drop the packet according to that action.
Fig. 1 is the schematic diagram of flow filtering. The input is a packet that needs filtering. First obtain the corresponding flow; if no flow is found, accept the packet without further processing; otherwise proceed according to the flow flag. If the flow flag equals the global flag, the filtering policy has not been modified during the lifetime of this flow, so the flow action is used directly; if the flow flag does not equal the global flag, set the flow action to "continue filtering" and set the flow flag to the global flag. Then proceed according to the flow action: if it is "accept", accept the packet; if it is "drop", drop the packet; otherwise enter the packet filtering procedure, see Fig. 2.
Fig. 2 is the schematic diagram of packet filtering. Obtain the packet-filter match result. If it is accept, set the flow action to "accept" and accept the packet; if it is drop, set the flow action to "drop" and drop the packet; if there is no match, check whether the application protocol needs deep analysis: if so, accept the packet without any further operation; otherwise obtain the global default action, set the flow action to it, and accept or drop the packet according to that action.
Fig. 3 is the policy modification procedure. Only the flow filtering part is involved here, and it is very simple: when a policy modification completes, the global policy flag is incremented, and each flow compares its own flag against it to determine whether the filtering policy was modified during the flow's lifetime.
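As an added example, not code from the patent or from ITIBIA TECHNOLOGIES, the following C program models the flow filtering state machine of Fig. 1 to Fig. 3 in user space. A fixed-size array stands in for the conntrack lookup, a linear rule list whose zero-valued fields act as wildcards stands in for the packet filter, and a policy generation counter plays the role of the global flag. All type and function names (`struct filter`, `filter_packet`, `filter_policy_changed`, `rule_traversals` and so on) are this example's own assumptions, and the sample rule and flows are constructed. Counting rule-list traversals makes the performance argument visible: only the first packet of a flow walks the rules, an existing flow is re-filtered exactly once after a policy change, and a policy that needs application-layer inspection leaves the action at "continue filtering", so every packet is filtered again, which is the degeneration to packet filtering the description notes for that case.

```c
/* Added example, not the patent's or any project's code: a user-space model of the
 * flow filtering state machine described above. A small array stands in for the Linux
 * conntrack lookup, a linear rule list for the packet filter; all names are assumed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum flow_action { FLOW_CONTINUE = 0, FLOW_ACCEPT, FLOW_DROP }; /* "continue filtering", "accept", "drop" */
enum verdict     { VERDICT_ACCEPT, VERDICT_DROP };
enum rule_match  { RULE_NONE, RULE_ACCEPT, RULE_DROP };
enum { MAX_FLOWS = 64, MAX_RULES = 16 };

struct flow_key { uint32_t saddr, daddr; uint16_t sport, dport; uint8_t proto; };
/* One tracked flow (conntrack entry) plus the two attributes the patent adds. */
struct flow { struct flow_key key; unsigned policy_gen /* flow flag */; enum flow_action action; };
struct rule { struct flow_key match; enum rule_match target; }; /* zero field = wildcard */

struct filter {
    unsigned global_policy_gen;  /* global flag: incremented once per policy modification */
    enum verdict default_action; /* applied when no rule matches */
    int needs_app_inspection;    /* policy contains application-layer conditions */
    struct rule rules[MAX_RULES]; int nrules; struct flow flows[MAX_FLOWS]; int nflows;
    unsigned rule_traversals;    /* how many times the full rule list was walked */
};

void filter_init(struct filter *f, enum verdict default_action, int needs_app_inspection)
{
    memset(f, 0, sizeof *f);
    f->default_action = default_action; f->needs_app_inspection = needs_app_inspection;
}

void filter_add_rule(struct filter *f, const struct flow_key *m, enum rule_match t)
{ if (f->nrules < MAX_RULES) f->rules[f->nrules++] = (struct rule){ *m, t }; }

/* Fig. 3: a policy change only bumps the global flag; existing flows re-filter lazily. */
void filter_policy_changed(struct filter *f) { f->global_policy_gen++; }

static int key_equal(const struct flow_key *a, const struct flow_key *b)
{
    return a->saddr == b->saddr && a->daddr == b->daddr && a->sport == b->sport
        && a->dport == b->dport && a->proto == b->proto;
}

static int key_matches(const struct flow_key *m, const struct flow_key *k)
{
    return (!m->saddr || m->saddr == k->saddr) && (!m->daddr || m->daddr == k->daddr)
        && (!m->sport || m->sport == k->sport) && (!m->dport || m->dport == k->dport)
        && (!m->proto || m->proto == k->proto);
}

/* Stand-in for the conntrack lookup: a new flow starts at the current global flag with
 * action "continue filtering"; NULL means the packet belongs to no trackable flow. */
static struct flow *flow_lookup(struct filter *f, const struct flow_key *k)
{
    for (int i = 0; i < f->nflows; i++)
        if (key_equal(&f->flows[i].key, k)) return &f->flows[i];
    if (f->nflows == MAX_FLOWS) return NULL;
    struct flow *fl = &f->flows[f->nflows++];
    *fl = (struct flow){ *k, f->global_policy_gen, FLOW_CONTINUE };
    return fl;
}

/* The per-packet rule walk that flow filtering tries to avoid (first half of Fig. 2). */
static enum rule_match packet_filter(struct filter *f, const struct flow_key *k)
{
    f->rule_traversals++;
    for (int i = 0; i < f->nrules; i++)
        if (key_matches(&f->rules[i].match, k)) return f->rules[i].target;
    return RULE_NONE;
}

/* Fig. 1 and Fig. 2: flow filtering of one packet. */
enum verdict filter_packet(struct filter *f, const struct flow_key *k)
{
    struct flow *fl = flow_lookup(f, k);
    if (!fl) return VERDICT_ACCEPT;               /* no flow: accept without processing */
    if (fl->policy_gen != f->global_policy_gen) { /* policy modified during this flow's life */
        fl->action = FLOW_CONTINUE; fl->policy_gen = f->global_policy_gen;
    }
    if (fl->action == FLOW_ACCEPT) return VERDICT_ACCEPT; /* cached verdict, no rule walk */
    if (fl->action == FLOW_DROP)   return VERDICT_DROP;
    switch (packet_filter(f, k)) {
    case RULE_ACCEPT: fl->action = FLOW_ACCEPT; return VERDICT_ACCEPT;
    case RULE_DROP:   fl->action = FLOW_DROP;   return VERDICT_DROP;
    default: break;
    }
    /* No rule matched. With application-layer inspection in the policy the verdict cannot be
     * cached: the action stays "continue filtering". Otherwise the default action is cached. */
    if (f->needs_app_inspection) return VERDICT_ACCEPT;
    fl->action = (f->default_action == VERDICT_ACCEPT) ? FLOW_ACCEPT : FLOW_DROP;
    return f->default_action;
}

int main(void)
{
    struct filter f;
    struct flow_key drop_telnet = { .dport = 23, .proto = 6 }; /* constructed policy: drop TCP/23 */
    struct flow_key web = { .saddr = 0x0a000001, .daddr = 0x0a000002, .sport = 40000, .dport = 80, .proto = 6 };
    filter_init(&f, VERDICT_ACCEPT, 0); filter_add_rule(&f, &drop_telnet, RULE_DROP); filter_policy_changed(&f);
    for (int i = 1; i <= 3; i++) /* constructed three-packet flow: only the first packet walks the rules */
        printf("web packet %d: %s, rule walks so far: %u\n", i,
               filter_packet(&f, &web) == VERDICT_ACCEPT ? "accept" : "drop", f.rule_traversals);
    return 0;
}
```

The `main` drives a constructed three-packet HTTP flow against a policy that drops TCP/23; the first packet walks the rules and the next two are served from the cached flow action. One caveat that follows directly from the procedure above: a packet whose flow cannot be obtained is accepted without any filtering, so in this design the capacity of the flow table (here `MAX_FLOWS`, in the kernel the conntrack table) is part of the security boundary and exhausting it fails open.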
Although the performance of flow filtering is far higher than that of packet filtering, only packet filtering can be used in some scenarios, for example when the content of application protocols must be matched; and if the filtering policy changes frequently, flow filtering degenerates into packet filtering. The concrete scenario therefore has to be checked before the scheme is applied.
If the filtering policy is not modified often, flow filtering can be adopted whenever content filtering is not required. In environments such as government bodies and enterprises, where the filtering policy is not modified frequently, applying flow filtering can greatly improve system performance.
In summary, the invention proposes a new filtering model in which flow filtering is generally far more efficient than the original packet filtering. The idea of flow filtering greatly improves the performance of the filtering module; real-time modification of the filtering policy is responded to, and the modified policy takes effect; and a form of group processing is proposed in which packets with identical behaviour are handled once as a group instead of each packet being processed individually as before. For example, in routing and forwarding the egress device is the same for all packets of a flow, so the reader can derive a flow-based forwarding scheme from this invention to save the per-packet routing procedure.
It should be understood that the above description does not limit the invention; additions, transformations, substitutions and the like made within the scope of the inventive concept also fall within the protection scope of the invention.

Claims (2)

1. A design method for a Linux flow-based filtering system, characterized in that: an attribute "flow action" is added to the flow definition, indicating whether the flow is to be dropped, accepted, or still needs packet filtering; an attribute "policy-modified flag" is added to the flow definition, indicating whether the filtering policy has been modified while this flow is being handled, which must be responded to if so; the common parts of the filtering policy are refined, so that if the flow needs no application-layer protocol filtering the action for the packet is decided without protocol analysis and packets that are dropped need no protocol analysis at all, while if application-layer filtering is needed flow filtering is performed after protocol analysis, hence flow filtering is applied at different points depending on the policy; and when the filtering conditions change, existing flows are handled specially, that is, the decision is not taken from the cached flow action.
2. The design method for a Linux flow-based filtering system according to claim 1, characterized in that it specifically comprises the following steps:
1. The input is a packet that needs filtering. First obtain the corresponding flow. If no flow is found, accept the packet without further processing; otherwise proceed according to the flow flag. If the flow flag equals the global flag, the filtering policy has not been modified during the lifetime of this flow, so the flow action is used directly and no packet filtering is needed. If the flow flag does not equal the global flag, set the flow action to "continue filtering", run packet filtering on the packet in the next step, and set the flow flag to the global flag.
2. When packet filtering is required, obtain the packet-filter match result; when it is not required, use the flow action directly. If the result is accept, set the flow action to "accept" and accept the packet; if the result is drop, set the flow action to "drop" and drop the packet; if there is no match, check whether the application protocol needs deep analysis: if so, accept the packet without any further operation; otherwise obtain the global default action, set the flow action to it, and accept or drop the packet according to that action.
CNA2009100315068A 2009-04-22 2009-04-22 Design method for a Linux flow-based filtering system Pending CN101605127A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2009100315068A CN101605127A (en) 2009-04-22 2009-04-22 Design method for a Linux flow-based filtering system

Publications (1)

Publication Number Publication Date
CN101605127A true CN101605127A (en) 2009-12-16

Family

ID=41470681

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2009100315068A Pending CN101605127A (en) 2009-04-22 2009-04-22 Design method for a Linux flow-based filtering system

Country Status (1)

Country Link
CN (1) CN101605127A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102624624A (en) * 2012-03-13 2012-08-01 网经科技(苏州)有限公司 Implementation method for network address translator (NAT)-based fast channel forwarding system
CN102624624B (en) * 2012-03-13 2014-11-26 网经科技(苏州)有限公司 Implementation method for network address translator (NAT)-based fast channel forwarding system
CN104219165A (en) * 2014-09-25 2014-12-17 中国人民解放军信息工程大学 Business bandwidth control method and apparatus


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20091216