CN106657128B - Data packet filtering method and device based on wildcard mask rule - Google Patents


Info

Publication number: CN106657128B
Authority: CN (China)
Prior art keywords: bit, wildcard mask, rule, rules, wildcard
Legal status: Active (as listed by Google Patents; not a legal conclusion)
Application number: CN201710008116.3A
Other languages: Chinese (zh)
Other versions: CN106657128A
Inventor: 谭天
Current Assignee: Hangzhou DPtech Information Technology Co Ltd (as listed by Google Patents; not legally verified)
Original Assignee: Hangzhou DPTech Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/0263 Rule management

Abstract

The application provides a data packet filtering method and device based on a wildcard mask rule. The method can comprise the following steps: extracting the values of preset bits from a received data packet to be filtered, and generating a corresponding index value from the extracted values according to a preset algorithm; determining all wildcard mask rules corresponding to the index value according to a rule index table corresponding to predefined wildcard mask rules; determining, among all wildcard mask rules corresponding to the index value, the wildcard mask rule matching the data packet to be filtered; and filtering the data packet according to the filtering strategy corresponding to the matched wildcard mask rule. Through the technical scheme of this application, on the one hand the rule cache space required of the network device is reduced, and on the other hand the rule matching efficiency of the packets to be filtered is improved, which in turn improves their filtering efficiency.

Description

Data packet filtering method and device based on wildcard mask rule
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method and an apparatus for filtering a data packet based on a wildcard mask rule.
Background
In the field of network security, a packet filtering algorithm filters data packets entering and exiting a network according to rules configured by a user, wherein the data packets are filtered according to filtering strategies corresponding to the rules matched with the data packets. Conventional packet filtering algorithms configure rules in the form of ranges (e.g., IP address ranges, port ranges, etc.). As the user's requirements change, some or all of the fields in the rule (typically the IP address field) need to be configured in the form of a wildcard mask.
In the related technology, the wildcard is firstly split into a plurality of disjoint ranges according to the positions of the wildcard in the rule, then the original rule is split into a plurality of rules expressed based on the ranges according to the obtained ranges, and then the data packets entering and exiting the network are filtered according to the rules expressed based on the ranges.
However, the number of ranges into which a rule represented by a wildcard mask is split is generally large, so the number of split rules increases sharply, the rule matching efficiency drops, and the filtering efficiency of the data packets to be filtered drops further.
Disclosure of Invention
In view of this, the present application provides a method and an apparatus for filtering a data packet based on a wildcard mask rule, which do not need to split the wildcard mask rule into a plurality of rules based on range representation, and avoid a situation that the number of the split rules is increased sharply, thereby improving the efficiency of matching the rules corresponding to the data packet to be filtered, and further improving the filtering efficiency of the data packet to be filtered.
In order to achieve the above purpose, the present application provides the following technical solutions:
according to a first aspect of the present application, a method for filtering a data packet based on a wildcard mask rule is provided, which includes:
extracting a numerical value of a preset bit from a received data packet to be filtered, and generating a corresponding index value from the extracted numerical value according to a preset algorithm;
determining all wildcard mask rules corresponding to the index values according to a rule index table corresponding to predefined wildcard mask rules; the rule index table comprises a plurality of predefined mapping relation pairs of index values and wildcard mask rules, and each index value is obtained by calculating a numerical value corresponding to the preset bit in the mapped wildcard mask rules according to the preset algorithm;
determining a wildcard mask rule matching the data packet to be filtered among all wildcard mask rules corresponding to the index value;
and filtering the data packet to be filtered according to a filtering strategy corresponding to the wildcard mask rule matched with the data packet to be filtered.
According to a second aspect of the present application, a data packet filtering apparatus based on a wildcard mask rule is provided, which includes:
the extraction unit is used for extracting a numerical value of a preset bit from the received data packet to be filtered and generating a corresponding index value according to the extracted numerical value by a preset algorithm;
the first determining unit is used for determining all wildcard mask rules corresponding to the index values according to a rule index table corresponding to predefined wildcard mask rules; the rule index table comprises a plurality of predefined mapping relation pairs of index values and wildcard mask rules, and each index value is obtained by calculating a numerical value corresponding to the preset bit in the mapped wildcard mask rules according to the preset algorithm;
a second determining unit, configured to determine a wildcard mask rule matching the data packet to be filtered, among all wildcard mask rules corresponding to the index value;
and the filtering unit is used for filtering the data packet to be filtered according to a filtering strategy corresponding to the wildcard mask rule matched with the data packet to be filtered.
As can be seen from the above technical solutions, in the technical solution of the present application, a corresponding rule index table is created for all wildcard mask rules through a preset algorithm, and only the index value corresponding to a data packet to be filtered needs to be determined through the preset algorithm, so that the wildcard mask rule corresponding to the data packet to be filtered can be quickly selected from all the wildcard mask rules matched with the index value (compared with the number of all predefined wildcard mask rules, the number of the wildcard mask rules corresponding to the index value is greatly reduced), and the wildcard mask rule does not need to be split into a huge number of range rules, so that on one hand, the requirement for a rule cache space of a network device (the cache space is used for storing the huge number of range rules) is reduced, and on the other hand, the rule matching efficiency of the data packet to be filtered can be improved, and the filtering efficiency of the data packet to be filtered is improved.
Drawings
Fig. 1 is a flowchart illustrating a method for filtering a data packet based on a wildcard mask rule according to an exemplary embodiment of the present application.
Fig. 2A is a flowchart illustrating the creation of a rule index table according to an exemplary embodiment of the present application.
Fig. 2B is a diagram illustrating the statistics of splitting-bit usage counts according to an exemplary embodiment of the present application.
Fig. 3 is a schematic structural diagram of an electronic device according to an exemplary embodiment of the present application.
Fig. 4 is a block diagram of a data packet filtering apparatus based on a wildcard mask rule according to an exemplary embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
In the related art, when some or all fields (usually IP address fields) in a rule are configured in the form of a wildcard mask, the wildcard is split into multiple disjoint ranges according to the location of the wildcard in the rule, then the original rule is split into multiple rules based on range representation according to the obtained ranges, and then the data packets entering and leaving the network are filtered according to the rules based on range representation.
For example, a wildcard mask rule consists of two parts, a value and a mask; assume the following specific form:
value:1 0 0 1 1 1 0 1 0 1 0 0 1 1 1 0 1 1 0 0 1 1 1 0 1 1 0 1 0 0 0 1
mask:1 0 1 0 0 1 0 0 1 0 1 0 1 1 1 0 0 1 1 1 1 1 0 0 1 0 0 1 0 1 1 1
The bits are numbered 1 to 32 from left to right. Every bit whose mask value is 1 must take the value of the corresponding bit in the value, and every bit whose mask value is 0 may take any value (0 or 1). For a packet to match this rule, bits 1, 3, 6, 9, 11, 13, 14, 15, 18, 19, 20, 21, 22, 25, 28, 30, 31 and 32 must equal the corresponding bits in the value. As the wildcard mask representation shows, splitting this rule into disjoint ranges produces a relatively large number of ranges.
Therefore, in the related art, when the rules corresponding to the data packets to be filtered are matched, the rules need to be matched one by one in a huge number of rules, so that the matching efficiency of the rules is reduced, and the filtering efficiency of the data packets to be filtered is further reduced.
Therefore, the present application solves the above technical problems in the related art by improving a manner of matching a wildcard mask rule. For further explanation of the present application, the following examples are provided:
Fig. 1 is a flowchart illustrating a method for filtering a data packet based on a wildcard mask rule according to an exemplary embodiment of the present application, which may be applied to a filtering device. As shown in Fig. 1, the method may include the following steps:
step 101, extracting a preset bit value from a received data packet to be filtered, and generating a corresponding index value from the extracted value according to a preset algorithm.
Step 102, according to a rule index table corresponding to a predefined wildcard mask rule, determining all wildcard mask rules corresponding to the index value.
In this embodiment, the rule index table includes a plurality of predefined mapping pairs of index values and wildcard mask rules, and each index value is calculated, according to the preset algorithm, from the values of the preset bits in the mapped wildcard mask rule. The preset algorithm may be: sorting the extracted values according to a preset sequence and generating the corresponding index value from the sorted values. In the technical scheme of this application, the binary number represented by the sorted values may be converted to decimal; of course, other algorithms may also be adopted, for example directly using the binary value corresponding to the preset bits as the index value. The only requirement is that different values yield different index values (that is, values and index values correspond one to one), which this application does not limit.
In this embodiment, the values of all predefined wildcard mask rules on the preset bits distinguish from each other any wildcard mask rules that have no inclusion relation. Because a wildcard mask rule is a binary string in which each bit is 0 or 1, two wildcard mask rules can be distinguished when their values on the same bit differ; when more wildcard mask rules exist, they can be distinguished from each other by selecting more bits. Thus the values of a wildcard mask rule on the selected bits, or other related values calculated from them, can serve as the index value that points to that rule, by virtue of the differences between the rules' values on the selected bits.
The selection of these bits may specifically include: determining whether there is a group satisfying the following condition: the group contains a plurality of wildcard mask rules with no inclusion relation (initially all predefined wildcard mask rules are placed in the same group); when any group satisfying the condition exists, selecting a splitting bit for that group and dividing its wildcard mask rules into two groups according to each rule's value on the selected splitting bit; and when no group satisfying the condition exists, counting the usage count of each selected splitting bit and taking k splitting bits as the preset bits in descending order of usage count, where k is a positive integer. For the usage statistics, the splitting bits corresponding to each group can be determined, and the number of groups corresponding to each splitting bit is counted as that bit's usage count; the splitting bits corresponding to a group are those that distinguish the wildcard mask rules in the group from all other wildcard mask rules.
In the technical scheme of this application, the splitting bit for any one of the groups can be selected by the following formula:
split bit = the bit i that minimizes |bit[i].zero − bit[i].one| + 2 × bit[i].star
where bit[i].zero is the number of rules in the group whose i-th bit is 0, bit[i].one the number of rules whose i-th bit is 1, and bit[i].star the number of rules whose i-th bit is a wildcard. The splitting bit selected by this formula makes the grouping result tend to be evenly distributed and reduces the number of splitting bits selected.
Step 103, determining a wildcard mask rule matched with the data packet to be filtered in all the wildcard mask rules corresponding to the index values.
In this embodiment, in one case, the same index value may correspond to only one wildcard mask rule, and when the index value is generated by calculation according to the value extracted from the data packet to be filtered, it needs to be further determined whether the wildcard mask rule corresponding to the index value matches the data packet to be filtered. In another case, the same index value may correspond to multiple wildcard mask rules, and thus a wildcard mask rule matching the data packet to be filtered needs to be determined among the multiple wildcard mask rules. However, even though there may be a case where the same index value corresponds to a plurality of wildcard mask rules, when the wildcard mask rules corresponding to the data packets to be filtered are matched, the number of matching times can be reduced (because the number of wildcard mask rules corresponding to the index value is already greatly reduced compared to the number of all predefined wildcard mask rules), thereby improving the rule matching efficiency of the data packets to be filtered. In another case, when the content corresponding to the index value is empty, that is, there is no corresponding wildcard mask rule, it may be determined that there is no matching rule for the data packet to be filtered, and the data packet may not be filtered.
Step 104, filtering the data packet to be filtered according to the filtering strategy corresponding to the matched wildcard mask rule.
As can be seen from the above technical solutions, in the technical solution of the present application, a corresponding rule index table is created for all wildcard mask rules through a preset algorithm, and only the index value corresponding to a data packet to be filtered needs to be determined through the preset algorithm, so that the wildcard mask rule corresponding to the data packet to be filtered can be quickly selected from all the wildcard mask rules matched with the index value (compared with the number of all predefined wildcard mask rules, the number of the wildcard mask rules corresponding to the index value is greatly reduced), and the wildcard mask rule does not need to be split into a huge number of range rules, so that on one hand, the requirement for a rule cache space of a network device (the cache space is used for storing the huge number of range rules) is reduced, and on the other hand, the rule matching efficiency of the data packet to be filtered can be improved, and the filtering efficiency of the data packet to be filtered is improved.
When the technical scheme of this application is implemented, the processing can be divided into two stages: 1) the first stage, creating the rule index table; 2) the second stage, matching rules. These two stages are described in detail below.
1) Creating the rule index table
Referring to Fig. 2A, which is a flowchart illustrating the process of creating a rule index table according to an exemplary embodiment of this application, the process may include the following steps:
Step 201, selecting a splitting bit.
Step 202, determining whether a further splitting bit can be selected; if so, returning to step 201, otherwise proceeding to step 203.
Step 203, counting the selected splitting bits.
In this embodiment, all the wildcard mask rules are first counted: the value of each bit of every rule is tallied, and the splitting bit is selected according to the formula. After a splitting bit has been selected, it is determined whether a group satisfying the following condition exists: the group contains a plurality of wildcard mask rules with no inclusion relation (all predefined wildcard mask rules are initially placed in the same group). When any group satisfying the condition exists, a splitting bit is selected for that group and its rules are divided into two groups according to each rule's value on that bit; when no such group exists, the usage count of each selected splitting bit is counted and k splitting bits are taken as the preset bits in descending order of usage count, where k is a positive integer. For the usage statistics, the splitting bits corresponding to each group can be determined, and the number of groups corresponding to each splitting bit is counted as that bit's usage count; the splitting bits corresponding to a group are those that distinguish the rules in the group from all other wildcard mask rules.
The formula for selecting the splitting bit is as follows:
split bit = the bit i that minimizes |bit[i].zero − bit[i].one| + 2 × bit[i].star
where bit[i].zero is the number of rules in the group whose i-th bit is 0, bit[i].one the number whose i-th bit is 1, and bit[i].star the number whose i-th bit is a wildcard; when several bits share the minimum value, any one of them is selected as the splitting bit. The splitting bit selected by this formula makes the grouping result tend to be evenly distributed (the two groups after splitting contain as nearly equal numbers of rules as possible) and reduces the number of splitting bits selected.
For example, assume that there are 5 wildcard mask rules, a, b, c, d and e, as shown in Table 1 (the table is an image in the original and is not reproduced here; the per-bit statistics of its rules are given in Table 2).
TABLE 1
Counting the values of all the wildcard mask rules on each bit gives the statistics shown in Table 2, where the bits are numbered 1 to 8 from left to right and bit-i denotes the i-th bit; bit_stat[i].zero is the number of rules whose bit-i is 0, bit_stat[i].one the number of rules whose bit-i is 1, and bit_stat[i].star the number of rules whose bit-i is a wildcard:
bit-i              1  2  3  4  5  6  7  8
bit_stat[i].zero   2  3  0  0  3  2  2  0
bit_stat[i].one    3  0  3  0  1  3  2  4
bit_stat[i].star   0  2  2  5  1  0  1  1
TABLE 2
All wildcard mask rules are initially placed in the same group, group0 = {a, b, c, d, e}. A splitting bit is selected according to the above formula, i.e. the bit minimizing |bit[i].zero − bit[i].one| + 2 × bit[i].star. Evaluating this expression for bits 1 to 8 gives 1, 7, 7, 10, 4, 1, 2 and 6 respectively. The value 1 of the 1st and 6th bits is the minimum, so either the 1st or the 6th bit may be selected here; this application does not limit the choice. Suppose the 1st bit is selected: since rules b and d have value 0 on the 1st bit and rules a, c and e have value 1, the 1st bit divides group0 into group1 = {b, d} and group2 = {a, c, e}. group1 and group2 are then split in the same way as group0, which is not repeated here. Finally, group1 can be divided into group3 = {b} and group4 = {d} by any of the 5th, 6th and 7th bits (assume the 5th bit is selected), and group2 can be divided into group5 = {c} and group6 = {a, e} by the 6th bit. Since group3, group4 and group5 each contain only one wildcard mask rule, and rule e in group6 contains rule a, no further splitting is required. At this point all the selected splitting bits, namely the 1st, 5th and 6th bits, are counted.
When the preset bits are selected, the usage count of each selected splitting bit is counted, and k splitting bits are taken as the preset bits in descending order of usage count, where k is a positive integer. In the technical scheme of this application, the k most-used splitting bits serve as the preset bits (the more often a splitting bit is used, the more evenly it distributes the wildcard mask rules). The number k is configurable; in an actual network environment it can be adjusted dynamically according to the memory size of the filtering device and the number of wildcard mask rules. In general, the larger k is, the more memory is occupied, but the higher the matching efficiency of the wildcard mask rules. Assume k is 3. As shown in Fig. 2B, group3 and group4 both correspond to the 1st and 5th bits, and group5 and group6 both correspond to the 1st and 6th bits. Therefore the usage count of the 1st bit is 4, that of the 5th bit is 2 and that of the 6th bit is 2, so the 1st, 5th and 6th bits are taken as the preset bits.
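The grouping and preset-bit selection of steps 201 to 203, worked through above, as an added Python example that is not part of the patent. Table 1 is only an image on the page, so the five rules below are constructed to reproduce the Table 2 statistics and the grouping the text describes; the tie-break (lowest bit number) and the handling of a wildcard on the split bit (the rule is placed in both halves) are assumptions the patent does not state.

```python
"""Splitting-bit selection and preset-bit choice (steps 201 to 203)."""

# Rules are strings over '0', '1' and '*', bit 1 on the left, as in the patent.
# Constructed rule set (Table 1 is an image): it reproduces the Table 2 counts,
# rule e contains rule a, and c is 101*0011 as the matching example implies.
RULES = {
    "a": "10**0101",
    "b": "0*1*0001",
    "c": "101*0011",
    "d": "0*1*111*",
    "e": "10***1*1",
}


def bit_stats(rules, names):
    """(zero, one, star) counts of every bit over the rules in `names`, keyed by 1-based bit number."""
    width = len(rules[names[0]])
    stats = {}
    for i in range(1, width + 1):
        col = [rules[n][i - 1] for n in names]
        stats[i] = (col.count("0"), col.count("1"), col.count("*"))
    return stats


def split_cost(stats):
    """The patent's formula |bit[i].zero - bit[i].one| + 2 * bit[i].star; its minimum is the split bit."""
    return {i: abs(z - o) + 2 * s for i, (z, o, s) in stats.items()}


def contains(outer, inner):
    """True if every packet matching `inner` also matches `outer` (outer covers inner)."""
    return all(x == "*" or x == y for x, y in zip(outer, inner))


def needs_split(rules, names):
    """A group must be split while it holds two rules neither of which contains the other."""
    return any(
        not contains(rules[x], rules[y]) and not contains(rules[y], rules[x])
        for x in names for y in names if x < y
    )


def split_groups(rules):
    """Recursively split the single initial group; returns [(final_group, split_bits_on_its_path)]."""
    finished = []
    work = [(tuple(sorted(rules)), ())]  # (group, bits used to reach it)
    while work:
        grp, path = work.pop()
        if not needs_split(rules, grp):
            finished.append((grp, path))
            continue
        cost = split_cost(bit_stats(rules, grp))
        bit = min(cost, key=lambda i: (cost[i], i))  # ties: lowest bit, as in the example
        # Assumption: a '*' on the split bit matches both packet values, so the
        # rule is placed in both halves (the patent does not state this case).
        zeros = tuple(n for n in grp if rules[n][bit - 1] in "0*")
        ones = tuple(n for n in grp if rules[n][bit - 1] in "1*")
        if zeros == grp or ones == grp:
            # No single bit separates these rules; stop rather than loop forever.
            finished.append((grp, path))
            continue
        work.append((zeros, path + (bit,)))
        work.append((ones, path + (bit,)))
    return finished


def usage_counts(finished):
    """Usage count of a split bit = number of final groups whose path used it (Fig. 2B)."""
    counts = {}
    for _, path in finished:
        for bit in path:
            counts[bit] = counts.get(bit, 0) + 1
    return counts


def preset_bits(rules, k):
    """The k most-used split bits, most used first; ties broken by lower bit number."""
    counts = usage_counts(split_groups(rules))
    return sorted(counts, key=lambda b: (-counts[b], b))[:k]


if __name__ == "__main__":
    print(split_cost(bit_stats(RULES, sorted(RULES))))  # cost of every bit for group0
    print(preset_bits(RULES, 3))
```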
Step 204, extracting the values on the preset bits and calculating the index value according to the preset algorithm.
Step 205, creating a rule index table according to the calculated index value.
In this embodiment, the preset algorithm may be: sorting the extracted values according to a preset sequence and converting the binary number represented by the sorted values to decimal. Of course, other algorithms may be adopted, for example directly using the binary value corresponding to the preset bits as the index value; the only requirement is that different values yield different index values (that is, values and index values correspond one to one), which this application does not limit. Specifically, the index value is calculated from the bit values corresponding to the selected k bits. Assume that the k selected bits are bit-x1, bit-x2, ..., bit-xk, with x1 < x2 < ... < xi < ... < xk. For a wildcard mask rule, the values of these bits in the value and in the mask are taken (the original shows them as formulas in images); below, M denotes the mask values of the k bits. When the values in M are all 1 (i.e., there are no wildcards), the rule corresponds to a single index value, denoted index, formed from the k value bits. When there are r values of 0 (i.e., r wildcards) in M, the rule corresponds to 2^r index values: when r = 1, the wildcard bit takes 0 and 1 in turn, giving 2 index values; similarly, when r = 2, the two wildcard bits take each of their 4 combinations, giving 4 index values.
For example, assume the preset sequence orders the bits by bit number from small to large; of course any other sequence may be adopted, and this application is not limited thereto. Continuing the above example, the preset sequence is 1, 5 and 6.
The mask values of the 1st, 5th and 6th bits in rule a are all 1, and the value bits corresponding to the 1st, 5th and 6th bits are 1, 0 and 1 respectively, so the index value is 1×2^2 + 0×2^1 + 1×2^0 = 5;
The mask values of the 1st, 5th and 6th bits in rule b are all 1, and the value bits corresponding to the 1st, 5th and 6th bits are 0, 0 and 0 respectively, so the index value is 0×2^2 + 0×2^1 + 0×2^0 = 0;
The mask values of the 1st, 5th and 6th bits in rule c are all 1, and the value bits corresponding to the 1st, 5th and 6th bits are 1, 0 and 0 respectively, so the index value is 1×2^2 + 0×2^1 + 0×2^0 = 4;
The mask values of the 1st, 5th and 6th bits in rule d are all 1, and the value bits corresponding to the 1st, 5th and 6th bits are 0, 1 and 1 respectively, so the index value is 0×2^2 + 1×2^1 + 1×2^0 = 3;
In rule e, the mask values of the 1st and 6th bits are 1 and the mask value of the 5th bit is 0 (that is, the 5th bit may be 0 or 1, so the rule corresponds to two index values), and the value bits corresponding to the 1st, 5th and 6th bits are 1, 1 and 1 respectively, so the index values are 1×2^2 + 0×2^1 + 1×2^0 = 5 and 1×2^2 + 1×2^1 + 1×2^0 = 7.
After the index values are calculated, a rule index table is created from them, that is, a mapping between index values and wildcard mask rules is established, as shown in Table 3:
index value   0   1   2   3   4   5     6   7
rules         b   -   -   d   c   a, e  -   e
TABLE 3
At this point, the stage of creating the rule index table is complete.
2) Matching rules
In the technical scheme of the application, when a data packet to be filtered is received, a numerical value of a preset bit in the data packet to be filtered is extracted, the extracted numerical value is calculated according to a preset algorithm to generate a corresponding index value, and then all wildcard mask rules corresponding to the index value are determined according to a rule index table established in the stage.
For example, assume that the received data packet to be filtered is 10110011. In the above example the preset bits are the 1st, 5th and 6th bits, so the values of the 1st, 5th and 6th bits of the data packet are extracted as 1, 0 and 0 respectively. The index value of the data packet is then calculated as 1×2^2 + 0×2^1 + 0×2^0 = 4. According to the mapping recorded in table 3, index value 4 corresponds to rule c, so the data packet is compared against rule c. Except for the 4th bit, every bit of the data packet equals the corresponding value bit of rule c (in rule c the mask values of all bits other than the 4th are 1, so those bits are determined by the value field); since the mask value of the 4th bit of rule c is 0, that is, the 4th bit may be 0 or 1, the data packet finally matches rule c.
After all the wildcard mask rules corresponding to the index value have been determined from the rule index table, the wildcard mask rule matching the data packet to be filtered is determined among those rules, and the data packet is then filtered according to the filtering policy of the matched rule. In the technical scheme of the application, a rule index table is created for all wildcard mask rules by a preset algorithm, and at filtering time only the index value of the data packet needs to be computed by the same algorithm, so the matching wildcard mask rule can be selected quickly from the rules associated with that index value (the number of rules associated with one index value, such as rules a and e for index value 5, is far smaller than the total number of predefined wildcard mask rules). The wildcard mask rules do not need to be split into a large number of range rules, which on the one hand reduces the demand on the rule cache space of the network device (the cache that would otherwise hold the large number of range rules) and on the other hand improves the rule matching efficiency, and therefore the filtering efficiency, for the data packet to be filtered.
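A worked version of the two stages above (rule index table creation and matching), added here as an example and not code from the patent: rules are written as pattern strings where '*' marks a wildcard bit (mask 0) and '0'/'1' a fixed bit (mask 1); bits 1, 5 and 6 of rules a to e are taken from the page, while the remaining bits of each rule are constructed for illustration.

```python
from itertools import product

# Constructed rule set: bits 1, 5 and 6 follow the patent's rules a-e exactly;
# the other bits (not given on the page) are filled in for illustration.
RULES = {
    "a": "10000100",
    "b": "01000011",
    "c": "101*0011",   # bit 4 is a wildcard, as in the patent's rule c
    "d": "00001100",
    "e": "1100*110",   # bit 5 is a wildcard, so e maps to two index values
}
PRESET_BITS = (1, 5, 6)   # the k=3 preset bits of the patent's example, 1-based


def index_value(bits):
    """Preset algorithm: read the preset-bit values, in order, as a binary
    number, e.g. (1, 0, 1) -> 1*2^2 + 0*2^1 + 1*2^0 = 5."""
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value


def build_index_table(rules, preset_bits):
    """Rule index table: index value -> names of rules that can carry it.
    A rule whose preset bit is '*' is entered under every index it can take."""
    table = {}
    for name, pattern in rules.items():
        chosen = [pattern[pos - 1] for pos in preset_bits]
        options = [(0, 1) if ch == "*" else (int(ch),) for ch in chosen]
        for combo in product(*options):
            table.setdefault(index_value(combo), []).append(name)
    return table


def rule_matches(pattern, packet):
    """Full wildcard-mask check: every fixed bit of the rule must equal the
    packet bit; '*' (mask 0) bits match either value."""
    return all(r == "*" or r == p for r, p in zip(pattern, packet))


def match_packet(packet, rules, table, preset_bits):
    """Matching stage: compute the packet's index value, then run the full
    check only on the candidate rules listed under that index."""
    idx = index_value(int(packet[pos - 1]) for pos in preset_bits)
    candidates = table.get(idx, [])
    return [name for name in candidates if rule_matches(rules[name], packet)]


if __name__ == "__main__":
    table = build_index_table(RULES, PRESET_BITS)
    print(sorted(table.items()))   # reproduces the mapping of Table 3
    print(match_packet("10110011", RULES, table, PRESET_BITS))   # ['c']
```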
Fig. 3 shows a schematic structural diagram of an electronic device according to an exemplary embodiment of the present application. Referring to fig. 3, at the hardware level the electronic device includes a processor 302, an internal bus 304, a network interface 306, a memory 308 and a non-volatile storage 310, and may also include hardware required for other services. The processor 302 reads the corresponding computer program from the non-volatile storage 310 into the memory 308 and runs it, forming at the logical level a data packet filtering device based on wildcard mask rules. Besides a software implementation, the present application does not exclude other implementations, such as logic devices or a combination of software and hardware; that is, the execution subject of the following processing flow is not limited to logic units and may also be hardware or logic devices.
Referring to fig. 4, in a software implementation, the apparatus for filtering a data packet based on a wildcard mask rule may include an extracting unit 401, a first determining unit 402, a second determining unit 403, and a filtering unit 404. Wherein:
an extracting unit 401, configured to extract the value of a preset bit from the received data packet to be filtered and to generate a corresponding index value from the extracted value by a preset algorithm;
a first determining unit 402, configured to determine all wildcard mask rules corresponding to the index values according to a rule index table corresponding to predefined wildcard mask rules; the rule index table comprises a plurality of predefined mapping relation pairs of index values and wildcard mask rules, and each index value is obtained by calculating a numerical value corresponding to the preset bit in the mapped wildcard mask rules according to the preset algorithm;
a second determining unit 403, configured to determine a wildcard mask rule matching the data packet to be filtered, among all wildcard mask rules corresponding to the index values;
and the filtering unit 404 is configured to perform filtering processing on the data packet to be filtered according to a filtering policy corresponding to the wildcard mask rule matched with the data packet to be filtered.
Optionally, the values taken by all predefined wildcard mask rules on the preset bits allow any two wildcard mask rules without an inclusion relationship to be distinguished from each other.
Optionally, the preset bits are selected in the following manner:
determining whether there is a group that satisfies the following condition: the group contains several wildcard mask rules that have no inclusion relationship with one another; initially, all predefined wildcard mask rules are placed in the same group;
when a group meeting the condition exists, selecting a split bit for that group and dividing the wildcard mask rules in the group into two groups according to the value each rule takes in the selected split bit;
when no group meeting the condition exists, counting how many times each selected split bit was used, and selecting k split bits as the preset bits in descending order of use count, where k is a positive integer.
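An added example (not the patent's code) of the grouping procedure above: the inclusion test, the bit[i]zero / bit[i]one / bit[i]star counts and the use-count ranking follow the text, but because the split-bit formula itself appears only as a figure, choose_split_bit uses a substitute balance heuristic, and rules whose split bit is a wildcard are assumed to go into both halves of a split.

```python
from collections import Counter

# Rules are pattern strings, '*' = wildcard bit (mask 0), bits numbered from 1.


def includes(outer, inner):
    """outer includes inner when every bit of outer is '*' or equals inner's bit."""
    return all(o == "*" or o == i for o, i in zip(outer, inner))


def has_unrelated_pair(group, rules):
    """Patent's condition: the group holds a pair where neither rule includes the other."""
    names = list(group)
    return any(not includes(rules[x], rules[y]) and not includes(rules[y], rules[x])
               for i, x in enumerate(names) for y in names[i + 1:])


def bit_counts(group, rules, i):
    """bit[i]zero, bit[i]one, bit[i]star for the rules of one group (i is 1-based)."""
    col = [rules[n][i - 1] for n in group]
    return col.count("0"), col.count("1"), col.count("*")


def choose_split_bit(group, rules, width):
    """SUBSTITUTE heuristic (assumed, not the patent's formula): prefer the bit with
    the most balanced 0/1 split and fewest wildcards; skip bits that cannot split."""
    best = None
    for i in range(1, width + 1):
        zero, one, star = bit_counts(group, rules, i)
        if zero == 0 or one == 0:
            continue  # all fixed bits agree, so this bit would not split the group
        score = (abs(zero - one) + star, i)
        if best is None or score < best[0]:
            best = (score, i)
    return None if best is None else best[1]


def select_preset_bits(rules, k):
    """Start with all rules in one group, split groups that still contain unrelated
    rules, then return the k most-used split bits."""
    width = len(next(iter(rules.values())))
    groups = [set(rules)]
    usage = Counter()
    while True:
        pending = [g for g in groups if has_unrelated_pair(g, rules)]
        if not pending:
            break
        for g in pending:
            groups.remove(g)
            bit = choose_split_bit(g, rules, width)
            if bit is None:
                continue  # unrelated rules differing only via wildcards: cannot split
            usage[bit] += 1
            zeros = {n for n in g if rules[n][bit - 1] == "0"}
            ones = {n for n in g if rules[n][bit - 1] == "1"}
            stars = {n for n in g if rules[n][bit - 1] == "*"}
            groups += [zeros | stars, ones | stars]  # assumption: '*' rules go to both
    return [b for b, _ in usage.most_common(k)]
```

With this substitute heuristic the constructed rule set does not reproduce the patent's choice of bits 1, 5 and 6; the selection depends on the formula, which is exactly why the patent defines one.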
Optionally, the split bit of any group may be selected by the following formula:
Figure BDA0001203760760000141
where bit[i]zero is the number of rules in the group whose i-th bit is 0;
bit[i]one is the number of rules in the group whose i-th bit is 1;
bit[i]star is the number of rules in the group whose i-th bit is a wildcard.
Optionally, the preset algorithm is:
sorting the extracted numerical values according to a preset sequence;
and generating the sorted numerical values into corresponding index values.
The implementation process of the functions and actions of each unit in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the application. One of ordinary skill in the art can understand and implement it without inventive effort.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (6)

1. A data packet filtering method based on a wildcard mask rule is characterized by comprising the following steps:
extracting the value of a preset bit from a received data packet to be filtered, and generating a corresponding index value from the extracted value according to a preset algorithm; wherein the preset bit is selected in the following manner:
determining whether there is a group that satisfies the following condition: the group contains several wildcard mask rules that have no inclusion relationship with one another; wherein all predefined wildcard mask rules are initially placed in the same group;
when a group meeting the condition exists, selecting a split bit for that group and dividing the wildcard mask rules in the group into two groups according to the value each rule takes in the selected split bit; wherein the split bit of any group is selected by the following formula:
Figure FDA0002141894960000011
wherein bit[i]zero is the number of rules in the group whose i-th bit is 0;
bit[i]one is the number of rules in the group whose i-th bit is 1;
bit[i]star is the number of rules in the group whose i-th bit is a wildcard;
when no group meeting the condition exists, counting how many times each selected split bit was used, and selecting k split bits as the preset bits in descending order of use count, wherein k is a positive integer;
determining all wildcard mask rules corresponding to the index values according to a rule index table corresponding to predefined wildcard mask rules; the rule index table comprises a plurality of predefined mapping relation pairs of index values and wildcard mask rules, and each index value is obtained by calculating a numerical value corresponding to the preset bit in the mapped wildcard mask rules according to the preset algorithm;
determining a wildcard mask rule matching the data packet to be filtered among all wildcard mask rules corresponding to the index value;
and filtering the data packet to be filtered according to a filtering strategy corresponding to the wildcard mask rule matched with the data packet to be filtered.
2. The method of claim 1, wherein the value of all predefined wildcard mask rules on the preset bits distinguishes any wildcard mask rule without containment relationship.
3. The method according to claim 1, wherein the predetermined algorithm is:
sorting the extracted numerical values according to a preset sequence;
and generating the sorted numerical values into corresponding index values.
4. A packet filtering device based on a wildcard mask rule, comprising:
an extraction unit, configured to extract the value of a preset bit from a received data packet to be filtered and to generate a corresponding index value from the extracted value by a preset algorithm; wherein the preset bit is selected in the following manner:
determining whether there is a group that satisfies the following condition: the group contains several wildcard mask rules that have no inclusion relationship with one another; wherein all predefined wildcard mask rules are initially placed in the same group;
when a group meeting the condition exists, selecting a split bit for that group and dividing the wildcard mask rules in the group into two groups according to the value each rule takes in the selected split bit; wherein the split bit of any group is selected by the following formula:
Figure FDA0002141894960000021
wherein bit[i]zero is the number of rules in the group whose i-th bit is 0;
bit[i]one is the number of rules in the group whose i-th bit is 1;
bit[i]star is the number of rules in the group whose i-th bit is a wildcard;
when no group meeting the condition exists, counting how many times each selected split bit was used, and selecting k split bits as the preset bits in descending order of use count, wherein k is a positive integer;
the first determining unit is used for determining all wildcard mask rules corresponding to the index values according to a rule index table corresponding to predefined wildcard mask rules; the rule index table comprises a plurality of predefined mapping relation pairs of index values and wildcard mask rules, and each index value is obtained by calculating a numerical value corresponding to the preset bit in the mapped wildcard mask rules according to the preset algorithm;
a second determining unit, configured to determine a wildcard mask rule matching the data packet to be filtered, among all wildcard mask rules corresponding to the index value;
and the filtering unit is used for filtering the data packet to be filtered according to a filtering strategy corresponding to the wildcard mask rule matched with the data packet to be filtered.
5. The apparatus of claim 4, wherein the value of all predefined wildcard mask rules on the preset bits distinguishes any wildcard mask rule without containment relationship.
6. The apparatus of claim 4, wherein the predetermined algorithm is:
sorting the extracted numerical values according to a preset sequence;
and generating the sorted numerical values into corresponding index values.
CN201710008116.3A 2017-01-05 2017-01-05 Data packet filtering method and device based on wildcard mask rule Active CN106657128B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710008116.3A CN106657128B (en) 2017-01-05 2017-01-05 Data packet filtering method and device based on wildcard mask rule

Publications (2)

Publication Number Publication Date
CN106657128A CN106657128A (en) 2017-05-10
CN106657128B true CN106657128B (en) 2020-03-06

Family

ID=58843767

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110808891B (en) * 2019-09-30 2021-10-12 深圳市道通合创新能源有限公司 CAN filter merging method and device and CAN controller
CN114840133A (en) * 2021-01-15 2022-08-02 华为技术有限公司 Network configuration rule processing method and related equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101860531A (en) * 2010-04-21 2010-10-13 北京星网锐捷网络技术有限公司 Filtering rule matching method of data packet and device thereof
CN103780435A (en) * 2014-02-18 2014-05-07 迈普通信技术股份有限公司 Method and system for classifying data streams with port number masks
CN104954200A (en) * 2015-06-17 2015-09-30 国家计算机网络与信息安全管理中心 Multi-type rule high-speed matching method and device of network data packet

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20210621

Address after: 310051 05, room A, 11 floor, Chung Cai mansion, 68 Tong Xing Road, Binjiang District, Hangzhou, Zhejiang.

Patentee after: Hangzhou Dip Information Technology Co.,Ltd.

Address before: 6 / F, Zhongcai building, 68 Tonghe Road, Binjiang District, Hangzhou City, Zhejiang Province

Patentee before: Hangzhou DPtech Technologies Co.,Ltd.