CN102497372A - System and method based on Internet protocol (IP) message destination port filtering strategy - Google Patents


Info

Publication number: CN102497372A
Authority: CN (China)
Prior art keywords: message, filters, fifo, module, port
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN2011104136083A
Other languages: Chinese (zh)
Inventors: 白宗元, 张磊, 李静, 刘朝辉, 邵宗有
Current Assignee: Dawning Information Industry Beijing Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Dawning Information Industry Beijing Co Ltd
Priority date: 2011-12-13 (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date: 2011-12-13
Publication date: 2012-06-13
Application filed by Dawning Information Industry Beijing Co Ltd; priority to CN2011104136083A; published as CN102497372A; current legal status: pending.

Abstract

The invention provides a system and a method based on an Internet protocol (IP) message destination port filtering strategy. In the system, the quintuple (five-tuple) data of an IP message is read from a quintuple first-in-first-out (FIFO) module and provided to a port filtering module; the port filtering module filters on destination port and stores the control information of a hit port in a destination result FIFO module for processing by a subsequent module. The method comprises the following steps: reading the quintuple data of the IP message from a quintuple FIFO step, providing the quintuple data to a port filtering step, filtering the destination ports in the port filtering step, and storing the control information of the hit port in a destination result FIFO step for processing by a subsequent step. With this system and method, filtering on the destination port of IP packets whose payload is transmission control protocol (TCP) or user datagram protocol (UDP) is implemented in a field programmable gate array (FPGA), so the central processing unit (CPU) is offloaded and host performance improves; moreover, specific targeted source and destination port numbers are filtered out, improving the security of the network.

Description

System and method based on an IP packet destination port filtering policy
Technical field
The invention belongs to the field of network security and specifically relates to a system and method based on an IP packet destination port filtering policy.
Background technology
Patent application CN200810106399.6 (Remote management device implementing frame filtering in a GPON system) discloses a remote management device that implements frame filtering in a GPON system. It addresses the problem that an existing GPON system can implement a filtering function based on destination MAC address only when operating in MAC bridge mode. The proposed remote management device establishes a frame-filtering table data management entity; this management entity contains one or more of a MAC address filtering table module, an IP address filtering table module, a TCP/UDP port filtering table module, an IGMP query message filtering module and a DHCP response packet filtering module, so that data frames can be filtered in a GPON system operating in any of its modes. Rule entries can also be added or deleted according to instructions from the control end.
Patent application CN200680012308.1 (Bridge forwarding method and device) discloses a bridge forwarding method: a combination of one or more ports and a VLAN identifier is associated with a Virtual Switch Instance (VSI), through which packet bridge forwarding, MAC address learning and source port filtering between different VLANs are accomplished. The method comprises the following steps: receiving a packet from an input port and obtaining the input VLAN identifier and destination MAC address of the packet; determining the output port and output VLAN identifier of the packet; and forwarding the packet according to the output port and output VLAN identifier. That application also discloses a bridge forwarding device comprising an input port that receives packets from one or more VLANs, an output port that transmits packets to one or more VLANs, and a forwarding unit; the forwarding unit obtains the input VLAN identifier and destination MAC address of the packet received at the input port, determines the output port and output VLAN identifier of the packet, and outputs the packet to the output port. With this method and device, bridge forwarding of Ethernet packets between multiple VLANs can be achieved.
However, the above techniques cannot inspect the source and destination ports and the protocol of network packets, and cannot filter out specific targeted source and destination port numbers; they therefore cannot offload the CPU to improve host performance, nor improve the security of the network.
The present invention uses an FPGA to implement, within the network protocol processing, a method of filtering the destination port of IP packets whose payload is TCP or UDP; this offloads the CPU and thereby improves host performance. The method mainly inspects the source and destination ports and the protocol of network packets and filters out specific targeted source and destination port numbers, improving the security of the network.
Summary of the invention
The present invention overcomes the deficiencies of the prior art by using an FPGA to implement, within the network protocol processing, a method of filtering the destination port of IP packets whose payload is TCP or UDP; this offloads the CPU and thereby improves host performance. The method mainly inspects the source and destination ports and the protocol of network packets and filters out specific targeted source and destination port numbers, improving the security of the network.
The invention provides a system based on an IP packet destination port filtering policy. The policy reads the five-tuple data of an IP packet from a five-tuple FIFO module and supplies it to a port filtering module; the port filtering module performs destination port filtering, and the control information of a hit port is stored in a destination result FIFO module for processing by a subsequent module.
In the system provided by the invention, the port filtering module implements two functions: TCP filtering and UDP filtering.
In the system provided by the invention, the TCP filtering and UDP filtering of the port filtering module share one controller.
In the system provided by the invention, a five-tuple control FIFO stores the five-tuple data extracted from the original IP packet.
In the system provided by the invention, the dedicated network interface card of the destination port filtering module filters IP packets by looking up an LUT filtering index table.
In the system provided by the invention, the LUT filtering index table is integrated inside the dedicated network card chip of the destination port filtering module, and the chip's internal RAM resources are used to implement a single-port RAM that stores this index table.
The invention also provides a method based on an IP packet destination port filtering policy. The policy reads the five-tuple data of an IP packet from a five-tuple FIFO step and supplies it to a port filtering step; the port filtering step performs destination port filtering, and the control information of a hit port is stored in a destination result FIFO step for processing by a subsequent step.
In the method provided by the invention, the port filtering step implements two functions: TCP filtering and UDP filtering.
In the method provided by the invention, the TCP filtering and UDP filtering of the port filtering step share one controller.
In the method provided by the invention, a five-tuple control FIFO stores the five-tuple data extracted from the original IP packet.
In the method provided by the invention, the dedicated network interface card of the destination port filtering step filters IP packets by looking up an LUT filtering index table.
In the method provided by the invention, the LUT filtering index table is integrated inside the dedicated network card chip of the destination port filtering step, and the chip's internal RAM resources are used to implement a single-port RAM that stores this index table.
In the method provided by the invention, during initialization of the dedicated network card, the upper-layer software establishes this LUT index table by write operations.
In the method provided by the invention, while the method is running, when the user changes a rule, the corresponding entry in the index table must be updated at the same time to keep the filtering circuit consistent.
In the method provided by the invention, the LUT write operation is 64 bits wide.
In the method provided by the invention, this index table is mapped into the memory address space of the host; the memory-mapped address is configured in write mode, and the upper-layer software can operate on it using the memory write commands provided by the operating system.
In the method provided by the invention, each bit represents one port number: a bit value of 1 means the packet is passed up to the host, and 0 means it is filtered out.
In the method provided by the invention, when the port filtering function is enabled, the state machine is started if the five-tuple FIFO is not empty and the destination result FIFO is not full.
Compared with the prior art, the beneficial effects of the invention are: filtering the destination port of IP packets whose payload is TCP or UDP offloads the CPU, and specific targeted source and destination port numbers are filtered out at the same time, thereby improving host performance and network security.
Description of drawings
Fig. 1 is a schematic diagram of the port filtering structure of the invention;
Fig. 2 is a state diagram of the invention;
Fig. 3 is a port filtering timing diagram of the invention.
Embodiment
The policy reads the five-tuple data of an IP packet from the five-tuple FIFO and supplies it to the port filtering module. Port filtering comprises two functions, TCP filtering and UDP filtering, which share one controller because a given five-tuple can belong to only one of the two protocols, TCP or UDP. If destination port filtering is performed, different filtering is applied according to the protocol type, and the control information of the hit port is stored in the destination result FIFO for processing by a subsequent module. If port filtering is not performed, the data is left untouched and written directly into the destination result FIFO for processing by a subsequent module. The structure is shown in Figure 1, the destination port filtering block diagram.
Here PktHeadFifo is the five-tuple control FIFO, which stores the five-tuple data extracted from the original IP packet.
The destination port filtering dedicated network card filters IP packets by looking up an LUT filtering index table; the filtering is mainly divided into TCP filtering and UDP filtering. An LUT filtering index table must be integrated inside the chip, and we use the chip's internal RAM resources to implement a single-port RAM that stores this index table.
During initialization of the dedicated network card, the upper-layer software establishes this LUT index table by write operations. While the system is running, when the user changes a rule, the corresponding entry in the index table must be updated at the same time to keep the filtering circuit consistent. Note: the LUT write operation is 64 bits wide.
To make it easy for the upper-layer software to maintain the index table, we map the table into the memory address space of the host; the memory-mapped address is configured in write mode, and the upper-layer software can operate on it using the memory write commands provided by the operating system. Each bit represents one port number: a bit value of 1 means the packet is passed up to the host, and 0 means it is filtered out. For example, if the 64-bit data at addresses 020_0000h to 020_0007h is 0000_0000_0000_0010h, IP packets with port number 4 are passed up, while those with port numbers 0 to 3 and 5 to 63 are all filtered out.
When the port filtering enable is on, the state machine is started if PktHeadFifo is not empty and DPFResultFifo is not full.
The state machine is shown in Figure 2:
State WAITLUTDATA: complete reading the data from the index table.
State JUDGEHIT: judge whether there is a hit according to the data value read.
State WAIT1CYCLE: wait one cycle for the above processing to complete.
State Wr1stWord: complete processing of the first data word.
State Wr2ndWord: complete processing of the second data word.
The port filtering timing diagram is shown in Figure 3.
The above embodiment is only intended to illustrate the technical solution of the invention and not to limit it. Although the invention has been described in detail with reference to the above embodiment, those of ordinary skill in the art should understand that the specific embodiments of the invention may still be modified or equivalently replaced, and any modification or equivalent replacement that does not depart from the spirit and scope of the invention shall be covered by the scope of the claims of the invention.
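As an added illustration (not the patent's code or Dawning's implementation), the following C program models the LUT bitmap and filter decision described above: 64-bit writes to a memory-mapped index table, one bit per port number with 1 = pass up and 0 = filter out, a read-modify-write rule update, the WAITLUTDATA/JUDGEHIT lookup, and the controller's start condition (input FIFO not empty, result FIFO not full). It assumes separate TCP and UDP bitmaps of 1024 words each and uses hypothetical names; the sample table content reproduces the page's 0000_0000_0000_0010h example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define PROTO_TCP 6
#define PROTO_UDP 17
#define LUT_WORDS 1024           /* 65536 port numbers / 64 bits per word */

/* One bitmap per protocol (assumption: the page separates TCP and UDP filtering
 * but does not state the table layout). Bit = 1: pass up to the host;
 * bit = 0: filter out. Word w covers port numbers 64*w .. 64*w+63. */
typedef struct { uint64_t tcp[LUT_WORDS]; uint64_t udp[LUT_WORDS]; } port_lut_t;

/* One PktHeadFifo entry: the five-tuple extracted from the IP packet. */
typedef struct { uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; uint8_t proto; } five_tuple_t;

/* One DPFResultFifo entry: the tuple plus the control information. */
typedef struct { five_tuple_t tuple; bool filtered; bool hit; } filter_result_t;

static port_lut_t g_lut;         /* stands in for the single-port RAM in the chip */

uint64_t *lut_table(port_lut_t *lut, uint8_t proto) {
    if (proto == PROTO_TCP) return lut->tcp;
    if (proto == PROTO_UDP) return lut->udp;
    return NULL;                 /* other protocols are not port-filtered */
}

/* Memory-mapped write: the page only allows 64-bit wide LUT writes. */
bool lut_write_word(port_lut_t *lut, uint8_t proto, uint32_t w, uint64_t val) {
    uint64_t *tbl = lut_table(lut, proto);
    if (!tbl || w >= LUT_WORDS) return false;
    tbl[w] = val;
    return true;
}

/* Rule change: read-modify-write of the word holding the port's bit, so the
 * index table stays consistent with the rule set, as the description requires. */
bool lut_set_port(port_lut_t *lut, uint8_t proto, uint16_t port, bool pass) {
    uint64_t *tbl = lut_table(lut, proto);
    if (!tbl) return false;
    uint64_t mask = (uint64_t)1 << (port % 64);
    uint64_t word = pass ? (tbl[port / 64] | mask) : (tbl[port / 64] & ~mask);
    return lut_write_word(lut, proto, port / 64, word);
}

/* WAITLUTDATA + JUDGEHIT: fetch the word for the destination port and test its bit.
 * Tuples that are neither TCP nor UDP are written through untouched. */
filter_result_t port_filter(port_lut_t *lut, five_tuple_t t) {
    filter_result_t r = { t, false, false };
    uint64_t *tbl = lut_table(lut, t.proto);
    if (!tbl) return r;
    r.filtered = true;
    r.hit = (tbl[t.dst_port / 64] >> (t.dst_port % 64)) & 1;
    return r;
}

/* Controller start condition: PktHeadFifo not empty and DPFResultFifo not full.
 * Moves entries until either FIFO blocks; returns how many were processed. */
size_t run_port_filter(port_lut_t *lut, const five_tuple_t *in, size_t in_n,
                       filter_result_t *out, size_t out_cap) {
    size_t n = 0;
    while (n < in_n && n < out_cap) { out[n] = port_filter(lut, in[n]); n++; }
    return n;
}

/* Convenience check against g_lut: 1 = pass up, 0 = filtered out, -1 = not filtered. */
int check(uint8_t proto, uint16_t dst_port) {
    five_tuple_t t = { 0, 0, 0, dst_port, proto };
    filter_result_t r = port_filter(&g_lut, t);
    return r.filtered ? (int)r.hit : -1;
}

/* Reproduce the page's example: the 64-bit word at the table base is
 * 0000_0000_0000_0010h, so TCP port 4 passes and ports 0-3, 5-63 are dropped. */
void demo_init(void) {
    memset(&g_lut, 0, sizeof g_lut);
    lut_write_word(&g_lut, PROTO_TCP, 0, 0x0000000000000010ULL);
}
```

Because the bitmap starts cleared, every TCP and UDP destination port is filtered out until software writes its bit; that fail-closed default is a property of this model, not something the page states.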

Claims (18)

1. A system based on an IP packet destination port filtering policy, wherein the policy reads the five-tuple data of an IP packet from a five-tuple FIFO module and supplies it to a port filtering module; the port filtering module performs destination port filtering; and the control information of a hit port is stored in a destination result FIFO module for processing by a subsequent module.
2. The system of claim 1, characterized in that the port filtering module implements two functions, TCP filtering and UDP filtering.
3. The system of claims 1 to 2, characterized in that the TCP filtering and UDP filtering of the port filtering module share one controller.
4. The system of claims 1 to 3, characterized in that a five-tuple control FIFO stores the five-tuple data extracted from the original IP packet.
5. The system of claims 1 to 4, characterized in that the dedicated network interface card of the destination port filtering module filters IP packets by looking up an LUT filtering index table.
6. The system of claims 1 to 5, characterized in that the LUT filtering index table is integrated inside the dedicated network card chip of the destination port filtering module, and the chip's internal RAM resources are used to implement a single-port RAM that stores this index table.
7. A method based on an IP packet destination port filtering policy, wherein the policy reads the five-tuple data of an IP packet from a five-tuple FIFO step and supplies it to a port filtering step; the port filtering step performs destination port filtering; and the control information of a hit port is stored in a destination result FIFO step for processing by a subsequent step.
8. The method of claim 7, characterized in that the port filtering step implements two functions, TCP filtering and UDP filtering.
9. The method of claims 7 to 8, characterized in that the TCP filtering and UDP filtering of the port filtering step share one controller.
10. The method of claims 7 to 9, characterized in that a five-tuple control FIFO stores the five-tuple data extracted from the original IP packet.
11. The method of claims 7 to 10, characterized in that the dedicated network interface card of the destination port filtering step filters IP packets by looking up an LUT filtering index table.
12. The method of claims 7 to 11, characterized in that the LUT filtering index table is integrated inside the dedicated network card chip of the destination port filtering step, and the chip's internal RAM resources are used to implement a single-port RAM that stores this index table.
13. The method of claims 7 to 12, characterized in that, during initialization of the dedicated network card, the upper-layer software establishes this LUT index table by write operations.
14. The method of claims 7 to 13, characterized in that, while the method is running, when the user changes a rule, the corresponding entry in the index table is updated at the same time to keep the filtering circuit consistent.
15. The method of claims 7 to 14, characterized in that the LUT write operation is 64 bits wide.
16. The method of claims 7 to 15, characterized in that this index table is mapped into the memory address space of the host, the memory-mapped address is configured in write mode, and the upper-layer software can operate on it using the memory write commands provided by the operating system.
17. The method of claims 7 to 16, characterized in that each bit represents one port number: a bit value of 1 means the packet is passed up to the host, and 0 means it is filtered out.
18. The method of claims 7 to 17, characterized in that, when the port filtering function is enabled, the state machine is started if the five-tuple FIFO is not empty and the destination result FIFO is not full.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2011104136083A CN102497372A (en) 2011-12-13 2011-12-13 System and method based on Internet protocol (IP) message destination port filtering strategy

Publications (1)

Publication Number Publication Date
CN102497372A (en) 2012-06-13

Family

Family ID: 46189157

Country Status (1)

Country Link
CN (1) CN102497372A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103929358A (en) * 2014-05-06 2014-07-16 大连梯耐德网络技术有限公司 Message distribution system and method with logical relation matching function
CN105635088A (en) * 2014-11-25 2016-06-01 中兴通讯股份有限公司 Network data packet processing method and device
CN109495370A (en) * 2018-12-29 2019-03-19 瑞斯康达科技发展股份有限公司 A kind of message transmitting method and device based on VPLS
CN112737914A (en) * 2020-12-28 2021-04-30 北京天融信网络安全技术有限公司 Message processing method and device, network equipment and readable storage medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1536497A (en) * 2003-04-04 2004-10-13 上海广电应确信有限公司 Firewall for implementing packet filtering and its method for implementing packet filtering
CN101572891A (en) * 2009-06-15 2009-11-04 东南大学 System and method for filtering 3G data packet based on FPGA
CN101702723A (en) * 2009-10-30 2010-05-05 曙光信息产业(北京)有限公司 Method and device for filtering IP message
CN101707617A (en) * 2009-12-04 2010-05-12 福建星网锐捷网络有限公司 Message filtering method, device and network device
CN102045818A (en) * 2009-10-15 2011-05-04 友劲科技股份有限公司 Data message filtering method of wireless device
CN102098291A (en) * 2010-12-17 2011-06-15 天津曙光计算机产业有限公司 FPGA (Field Programmable Gate Array)-based network security log processing method and device
WO2011078687A1 (en) * 2009-12-21 2011-06-30 Tandberg Telecom As Method and device for filtering media packets

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20120613