CN106790170B - Data packet filtering method and device - Google Patents


Info

Publication number: CN106790170B
Application number: CN201611248795.3A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN106790170A
Inventor: 谭天
Current Assignee: Hangzhou DPtech Information Technology Co Ltd
Original Assignee: Hangzhou DPTech Technologies Co Ltd
Legal status: Active
Prior art keywords: packet filtering, rule, grouping, field, rules

Events: application filed by Hangzhou DPTech Technologies Co Ltd; priority to CN201611248795.3A; publication of CN106790170A; application granted; publication of CN106790170B.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0245 Filtering by information in the payload
    • H04L63/0263 Rule management

Abstract

The application provides a data packet filtering method and device. In the method, the network device divides a plurality of preconfigured packet filtering rules into a plurality of grouping rules, each grouping rule corresponding to a different preset field and consisting of the field values that the packet filtering rules carry for that preset field. The network device extracts, from a received target data packet, the field value corresponding to each preset field and matches each extracted field value against its grouping rule in parallel; it then computes the intersection of the per-field matching results, determines from that intersection which packet filtering rule the target data packet matches, and applies the packet filtering policy of that rule to the target data packet. The method and device address the prior-art problem that preprocessing the packet filtering rules increases their number and thereby reduces matching efficiency.

Description

Data packet filtering method and device
Technical Field
The present application relates to the field of network security, and in particular, to a method and an apparatus for filtering data packets.
Background
In the field of network security, a packet filtering rule is a rule configured by a user for filtering data packets entering and exiting a network, and generally consists of fields such as a source IP address, a destination IP address, a port number, a protocol and the like. The network equipment adopts different filtering strategies according to different configured packet filtering rules. In order for a network device to be able to quickly match data packets according to packet filtering rules, the packet filtering rules typically need to be preprocessed. And the network equipment matches the received data packet according to the preprocessed packet filtering rule.
With such preprocessed rules, after receiving a data packet the network device matches it against each packet filtering rule in turn until a match succeeds. Therefore, as the number of packet filtering rules grows, the work the network device must do to match each data packet grows with it, and the matching efficiency of the whole process drops.
Disclosure of Invention
In view of this, the present application provides a data packet filtering method and apparatus to solve the prior-art problem that preprocessing the packet filtering rules increases their number and reduces matching efficiency.
Specifically, the method is realized through the following technical scheme:
a data packet filtering method is applied to a network device, the network device is preconfigured with a plurality of packet filtering rules formed by a plurality of preset fields, and the method comprises the following steps:
dividing the plurality of packet filtering rules into a plurality of grouping rules corresponding to each preset field; wherein, each grouping rule corresponds to different preset fields respectively; each grouping rule is composed of corresponding field values of the corresponding preset fields in the plurality of packet filtering rules;
extracting field values of the received target data packet corresponding to each preset field;
the extracted values of each field are respectively matched with the corresponding grouping rules in parallel;
calculating the intersection of the matching results of each field value and the corresponding grouping rule, determining the packet filtering rule matched with the target data packet based on the calculated intersection, and executing packet filtering processing aiming at the target data packet based on the packet filtering strategy corresponding to the matched packet filtering rule.
In the packet filtering method, the dividing the packet filtering rules into a plurality of grouping rules corresponding to preset fields includes:
selecting each preset field in turn as the target field;
extracting, from each packet filtering rule, the field value corresponding to the target field;
and creating the grouping rule for the target field from the extracted field values and the packet filtering rule identifiers corresponding to those field values.
In the packet filtering method, the method further includes:
processing each grouping rule separately according to a preset algorithm, so that the processed grouping rules are better suited for matching against the extracted field values.
In the packet filtering method, the method further includes:
when several related preset fields exist among the preset fields, merging the grouping rules created for those related preset fields; and
when any created grouping rule contains several identical field values, merging the packet filtering rule identifiers corresponding to those field values.
In the data packet filtering method, different matching threads are respectively preconfigured in each grouping rule;
the parallel matching of the extracted values of the fields and the corresponding grouping rules respectively comprises the following steps:
submitting each extracted field value to the matching thread preconfigured for its grouping rule, the matching thread matching the received field value against the field values recorded in that grouping rule; each matching thread creates a bitmap table for each field value, the bitmap table comprising a plurality of bits that record matching results, each bit corresponding to a packet filtering rule identifier recorded in the grouping rule;
and each matching thread records, in the corresponding bit of the bitmap table, the result of matching the extracted field value against each field value recorded in its grouping rule.
In the data packet filtering method, a bit value of 1 in the bitmap table means that the packet filtering rule corresponding to that bit is matched;
the calculating the intersection of the matching results of each field value and the corresponding grouping rule, and determining the packet filtering rule matched with the target data packet based on the calculated intersection, includes:
performing a bitwise AND over the bitmap tables corresponding to the field values; wherein the arrangement order of the bits in the bitmap table corresponds to the priority order of the packet filtering rules;
and determining the packet filtering rule corresponding to the first bit whose value is 1 after the bitwise AND as the packet filtering rule matched with the target data packet.
A data packet filtering device is applied to a network device, the network device is preconfigured with a plurality of packet filtering rules formed by a plurality of preset fields, and the data packet filtering device comprises:
a dividing unit, configured to divide the plurality of packet filtering rules into a plurality of grouping rules corresponding to each preset field; wherein, each grouping rule corresponds to different preset fields respectively; each grouping rule is composed of corresponding field values of the corresponding preset fields in the plurality of packet filtering rules;
the extraction unit is used for extracting field values corresponding to all preset fields of the received target data packet;
the matching unit is used for respectively matching the extracted values of the fields with the corresponding grouping rules in parallel;
and the computing unit is used for computing the intersection of the matching results of the field values and the corresponding grouping rules, determining the packet filtering rule matched with the target data packet based on the computed intersection, and executing packet filtering processing aiming at the target data packet based on the packet filtering strategy corresponding to the matched packet filtering rule.
In the packet filtering apparatus, the dividing unit is further configured to:
select each preset field in turn as the target field;
extract, from each packet filtering rule, the field value corresponding to the target field;
and create the grouping rule for the target field from the extracted field values and the packet filtering rule identifiers corresponding to those field values.
In the packet filtering device, the device further comprises:
a processing unit, configured to process each grouping rule separately according to a preset algorithm, so that the processed grouping rules are better suited for matching against the extracted field values.
In the packet filtering apparatus, the apparatus further comprises:
a merging unit, configured to merge the grouping rules created for related preset fields when several related preset fields exist among the preset fields; and
to merge, when any created grouping rule contains several identical field values, the packet filtering rule identifiers corresponding to those field values.
In the data packet filtering device, different matching threads are respectively preconfigured in each grouping rule; the matching unit is further configured to:
submit each extracted field value to the matching thread preconfigured for its grouping rule, the matching thread matching the received field value against the field values recorded in that grouping rule; each matching thread creates a bitmap table for each field value, the bitmap table comprising a plurality of bits that record matching results, each bit corresponding to a packet filtering rule identifier recorded in the grouping rule;
and each matching thread records, in the corresponding bit of the bitmap table, the result of matching the extracted field value against each field value recorded in its grouping rule.
In the data packet filtering device, a bit value of 1 in the bitmap table means that the packet filtering rule corresponding to that bit is matched; the computing unit is further configured to:
perform a bitwise AND over the bitmap tables corresponding to the field values; wherein the arrangement order of the bits in the bitmap table corresponds to the priority order of the packet filtering rules;
and determine the packet filtering rule corresponding to the first bit whose value is 1 after the bitwise AND as the packet filtering rule matched with the target data packet.
In the embodiment of the application, a network device pre-configures a plurality of packet filtering rules composed of a plurality of preset fields, and divides the packet filtering rules into a plurality of grouping rules corresponding to the preset fields; wherein, each grouping rule corresponds to different preset fields respectively; each grouping rule is composed of corresponding field values of the corresponding preset fields in the plurality of packet filtering rules; the network equipment extracts field values corresponding to all preset fields of the received target data packet, and performs parallel matching on the extracted field values and the corresponding grouping rules of the extracted field values; and then calculating the intersection of the matching results of the field values and the corresponding grouping rules, determining the packet filtering rule matched with the target data packet based on the calculated intersection, and executing packet filtering processing aiming at the target data packet based on the packet filtering strategy corresponding to the matched packet filtering rule.
In the application, the network device divides the pre-configured packet filtering rules into the grouping rules corresponding to the preset fields, and then matches the field values of the received target data message corresponding to the preset fields in parallel according to the grouping rules, so that the matching efficiency can be effectively improved.
Drawings
FIG. 1 is a flow chart of a method of packet filtering as illustrated herein;
FIG. 2 is a schematic diagram of a parallel packet filtering shown in the present application;
FIG. 3 is a schematic diagram of a bitmap table shown in the present application;
FIG. 4 is a block diagram of an embodiment of a packet filtering device shown in the present application;
FIG. 5 is a hardware configuration diagram of a packet filtering apparatus according to the present application.
Detailed Description
In order to make the technical solutions in the embodiments of the present invention better understood and make the above objects, features and advantages of the embodiments of the present invention more comprehensible, the following description of the prior art and the technical solutions in the embodiments of the present invention with reference to the accompanying drawings is provided.
The packet filtering rule generally consists of fields such as a source IP address, a destination IP address, a port number, a protocol and the like, and the network device filters data packets entering and exiting the network according to the packet filtering rule preconfigured by a user. In order to improve the efficiency of packet filtering, the packet filtering rule is usually preprocessed, and the network device matches the received packet according to the preprocessed packet filtering rule.
Since a packet filtering rule is multidimensional data composed of several fields, some of those fields may be split during preprocessing, which increases the number of packet filtering rules. For example, suppose a packet filtering rule has three fields A, B and C, where field B is configured as a mask and is therefore unsuitable for matching by comparison. Field B must then be split into ranges that can be compared, say three ranges: [x1, y1], [x2, y2], [x3, y3]. The single original rule becomes three rules: (A, [x1, y1], C); (A, [x2, y2], C); (A, [x3, y3], C). If field C also has to be split into three ranges, the total number of rules becomes 9.
Therefore, instead of matching the received data packet against the original 1 packet filtering rule, the network device must match it against 9 packet filtering rules, which increases its filtering workload and reduces the matching efficiency of the whole process.
In order to solve the problems, different fields in the packet filtering rule are divided into a plurality of grouping rules, after a data packet is received, field values of the data packet corresponding to the fields are extracted, and then the extracted field values in the data packet are matched in parallel based on the grouping rules, so that the efficiency of filtering the data packet can be effectively improved.
Referring to fig. 1, a flow chart of a packet filtering method shown in the present application is shown, where an execution subject of the embodiment is a network device, and the network device is preconfigured with a plurality of packet filtering rules composed of a plurality of preset fields; the method comprises the following steps:
step 101: dividing the plurality of packet filtering rules into a plurality of grouping rules corresponding to each preset field; wherein, each grouping rule corresponds to different preset fields respectively; each grouping rule is composed of corresponding field values of the corresponding preset fields in the plurality of packet filtering rules.
Step 102: and extracting field values of the received target data packet corresponding to each preset field.
Step 103: and respectively carrying out parallel matching on the extracted values of the fields and the corresponding grouping rules.
Step 104: calculating the intersection of the matching results of each field value and the corresponding grouping rule, determining the packet filtering rule matched with the target data packet based on the calculated intersection, and executing packet filtering processing aiming at the target data packet based on the packet filtering strategy corresponding to the matched packet filtering rule.
In the embodiment of the present application, in order to solve the problem that the number of packet filtering rules may increase due to field splitting in the packet filtering rules when the packet filtering rules are preprocessed in the prior art, the network device may divide a plurality of packet filtering rules, which are pre-configured and composed of a plurality of preset fields, into a plurality of grouping rules corresponding to each preset field.
In an illustrated embodiment, the network device may sequentially select preset fields in the packet filtering rules as target fields, extract field values corresponding to the target fields of each packet filtering rule, and then create a grouping rule corresponding to the target fields based on the extracted field values and packet filtering rule identifiers corresponding to the field values.
For example: a packet filtering rule containing n preset fields can be expressed as:
Rule = {field_1, field_2, field_3, …, field_n}, where field_i denotes the i-th field, whose specific content need not concern us here.
A packet filtering rule set consisting of m packet filtering rules may be expressed as:
Figure BDA0001197647340000071
the network device may first select the 1 st preset field of the m packet filtering rules including n preset fields as a target field, and then extract the field value of each packet filtering rule corresponding to the target field, to obtain:
Figure BDA0001197647340000072
after obtaining the field value corresponding to the target field, the network device may create a grouping rule corresponding to the target field based on the field value and the packet filtering rule identifier corresponding to the field value, where the grouping rule corresponding to the 1 st preset field may be represented as:
Figure BDA0001197647340000073
after obtaining the grouping rule corresponding to the 1 st preset field, the network device may then select the 2 nd preset field of the packet filtering rule as the target field, and obtain the grouping rule corresponding to the 2 nd preset field. The network equipment sequentially selects all preset fields of the packet filtering rule as target fields, obtains grouping rules corresponding to all the preset fields, and obtains n grouping rules corresponding to all the preset fields in total.
The jth grouping rule may be expressed as:
Figure BDA0001197647340000074
after dividing the pre-configured packet filtering rules into a plurality of grouping rules corresponding to the preset fields, the network device can extract the field values of the preset fields from the received target data packet, and then match the extracted field values of the preset fields in parallel according to the grouping rules, thereby improving the efficiency of filtering the data packet.
In addition, after the packet filtering rules are divided into a plurality of grouping rules, the grouping rules can be preprocessed respectively, and the relation among fields in the packet filtering rules is not considered any more, so that the number of the packet filtering rules is not increased due to preprocessing.
In an embodiment shown, in order to make the subsequent packet filtering more efficient, the grouping rules obtained for the preset fields may each be preprocessed, and once that processing is complete the network device filters packets according to the preprocessed grouping rules. Because the lookup and matching of each grouping rule is independent of the others, each grouping rule may be preprocessed in a different way: the network device may choose, for each grouping rule, whichever method gives the fastest lookup for that grouping rule, for example hashing or k-d tree processing.
In one embodiment shown, when several of the preset fields of the packet filtering rule are related to one another, the network device may preprocess those preset fields in the same manner; related preset fields are fields that can be placed together in one grouping rule and processed there, for example all wildcard-mask fields can be processed in one grouping rule.
In this case, the network device may merge the grouping rules created for the related preset fields, so that the related preset fields are processed in the same grouping rule.
In the subsequent lookup and matching, after the network device extracts the field values of the target data packet corresponding to those several preset fields, the lookup and matching can be performed in that one grouping rule; the match succeeds when the field values of the target data packet for those preset fields fall within the field values recorded in the grouping rule for those preset fields.
The grouping rules created for the related preset fields are combined into one grouping rule, so that the number of the grouping rules can be reduced, the network equipment can manage the grouping rules conveniently, and the efficiency of subsequently calculating the intersection of the matching results corresponding to the grouping rules is improved.
In an embodiment shown, after the network device divides the packet filtering rule into a plurality of grouping rules, a situation that some fields have the same value may occur in the same grouping rule, or after the grouping rule is preprocessed, the split field values have the same value.
In this case, usually, no special processing is performed, and all the same field values and the corresponding packet filtering rules are found out in the subsequent matching.
Alternatively, the network device may merge the packet filtering rule identifiers corresponding to identical field values within the same grouping rule. For example, the pairs in the j-th grouping rule are:
Figure BDA0001197647340000091
wherein 0 < i ≤ m and 0 < j ≤ n.
If two field values are equal, for example
Figure BDA0001197647340000092
It can be combined into the following form:
Figure BDA0001197647340000093
Then, when the grouping rule is matched and the match hits
Figure BDA0001197647340000094
the match to packet filtering rules Rule_i and Rule_{i+k} is determined at the same time.
Therefore, after the network device merges the packet filtering rule identifiers corresponding to identical field values in the same grouping rule, matching the extracted field values against the grouping rule becomes more efficient, which improves the efficiency of the whole data packet filtering process.
In the embodiment of the present application, after dividing a plurality of preconfigured packet filtering rules into a plurality of grouping rules, the network device may perform matching with field values corresponding to each preset field of the target data packet in parallel through each grouping rule when receiving the target data packet. The parallel matching of the network devices may be performed by hardware (e.g., logic devices) or software, and is not particularly limited in this example.
In an embodiment shown, taking implementation by software as an example, the network device may configure different matching threads for each grouping rule, and each matching thread is responsible for matching one grouping rule.
Referring to fig. 2, which is a schematic diagram of parallel filtering of a data packet shown in the present application, after receiving a target data packet the network device may extract from it the field values corresponding to the preset fields of the packet filtering rules. After the extraction is complete, the network device may match each extracted field value against its corresponding grouping rule in parallel.
In this example, the network device configures different matching threads for each grouping rule, so that each extracted field value can be submitted to a matching thread preconfigured for its corresponding grouping rule, and the matching thread matches the received field value with each field value recorded in its corresponding grouping rule.
In one embodiment, the grouping rule shown in fig. 2 may be a preprocessed grouping rule, and each matching thread may complete matching more quickly based on the preprocessed grouping rule.
Wherein, each matching thread can respectively create a corresponding bitmap table for each field value; the bitmap table comprises a plurality of bit positions for recording the matching result, and each bit position corresponds to the identifier of the packet filtering rule recorded in the grouping rule.
Referring to fig. 3, which is a schematic diagram of a bitmap table shown in the present application, as shown in fig. 3, when a network device pre-configures m packet filtering rules, a bitmap table created by each matching thread includes m bits for recording a matching result, and each bit corresponds to an identifier of one packet filtering rule.
And each matching thread records the extracted matching result of each field value and each field value recorded in the corresponding grouping rule to the corresponding bit in the bitmap table.
In this embodiment of the present application, after obtaining a matching result between each field value of a target data packet and a corresponding grouping rule thereof, a network device may calculate an intersection according to the matching result corresponding to each grouping rule, and determine a packet filtering rule matched to the target data packet based on the calculated intersection.
In an illustrated embodiment, still taking the example that the network device configures different matching threads for each grouping rule, referring to fig. 2, each matching thread records the extracted matching result of each field value and each field value recorded in the corresponding grouping rule to the corresponding bit in the bitmap table created by each matching thread.
When the network device calculates the intersection of the matching results obtained by the matching threads, it may perform a bitwise AND over the bitmap tables that the matching threads have completed for the field values of the target data packet, obtaining a target bitmap table that records the result of the bitwise AND.
The target bitmap table comprises m bits recording the bitwise AND result. A bit with value 1 indicates that the packet filtering rule corresponding to that bit is matched, so the packet filtering rules corresponding to the bits with value 1 in the target bitmap table are the packet filtering rules finally matched by the target data packet.
In an embodiment shown, since a plurality of packet filtering rules preconfigured by the network device are generally sorted according to priority, and there is no need to match a rule with a low priority after matching a rule with a high priority, the order of bits in the target bitmap table also generally corresponds to the order of priority of the packet filtering rules preconfigured by the network device.
In this case, if several bits in the bitwise AND result recorded in the target bitmap table have value 1, the packet filtering rule corresponding to the first bit with value 1 in the target bitmap table may be determined as the packet filtering rule matched by the target data packet.
After determining the packet filtering rule matched with the target data packet, the packet filtering process may be performed on the target data packet according to the packet filtering policy corresponding to the matched packet filtering rule. Wherein the packet filtering process may typically include dropping or forwarding.
Of course, if the packet filtering rule preconfigured in the network device does not support the priority, at this time, the arrangement order of the bits in the target bitmap table is irrelevant to the priority order of the packet filtering rule, and in this case, the packet filtering rules corresponding to all bits whose values are 1 in the calculated target bitmap table according to the bits can be determined as the packet filtering rules matched with the target data packet.
As can be seen from the above embodiments, a network device preconfigured with a plurality of packet filtering rules composed of a plurality of preset fields may divide the packet filtering rules into a plurality of grouping rules, one per preset field; each grouping rule corresponds to a different preset field and is formed from the field values that the packet filtering rules carry for that preset field. After receiving a target data packet, the network device extracts the field value of the target data packet for each preset field and matches the extracted field values in parallel against their corresponding grouping rules; it then computes the intersection of the matching results, determines the packet filtering rule matched by the target data packet based on that intersection, and performs packet filtering processing on the target data packet based on the packet filtering policy corresponding to the matched rule.
On the one hand, because the preconfigured packet filtering rules are divided into grouping rules corresponding to the preset fields, when each grouping rule is pre-processed, splitting any field within a grouping rule (for example, expanding a range of field values into several exact values or prefixes) affects only that grouping rule and not the others, which effectively avoids an increase in the total number of packet filtering rules.
On the other hand, in the present application the network device matches each extracted field value of the target data packet against its corresponding grouping rule in parallel and then computes the intersection of the matching results to determine the packet filtering rule matched by the target data packet; the parallel matching can significantly improve matching efficiency.
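The procedure summarised above (dividing rules into per-field grouping rules with merged identical field values, matching each field in its own thread into a bitmap, bitwise AND of the bitmaps, and selecting the first set bit as the highest-priority match or all set bits when priority is not supported), written out as an added worked example in Python. It is not code from the patent or its assignee. The rule set, the four preset fields, the pattern syntax (wildcard, CIDR prefix, port range) and the sample packets are constructed for illustration; a thread per grouping rule stands in for the matching threads of fig. 2, and bit i of every bitmap is assigned to rule i, so the lowest set bit is the first (highest-priority) matched rule. The example also covers the all-zero result, where no rule matches on every field.

```python
"""Field-wise grouping rules + bitmap intersection (added example, not the patent's own code)."""
from concurrent.futures import ThreadPoolExecutor
from ipaddress import ip_address, ip_network

# Constructed rule set: (rule_id, {preset field: pattern}, action). List order is priority
# order, so rule 0 has the highest priority. Pattern syntax is an assumption of this example:
#   "*"             wildcard
#   CIDR or address for the src and dst fields
#   "lo-hi" or "n"  for dport; exact string for proto
RULES = [
    (0, {"src": "10.0.0.0/8",  "dst": "*",              "proto": "tcp", "dport": "22"},     "drop"),
    (1, {"src": "10.1.0.0/16", "dst": "192.168.1.10",   "proto": "tcp", "dport": "1-1023"}, "forward"),
    (2, {"src": "*",           "dst": "192.168.1.0/24", "proto": "udp", "dport": "53"},     "forward"),
    (3, {"src": "*",           "dst": "*",              "proto": "*",   "dport": "*"},      "drop"),
]
FIELDS = ("src", "dst", "proto", "dport")


def build_grouping_rules(rules):
    """Divide the rule list into one grouping rule per preset field.

    A grouping rule maps each distinct field value (pattern) to the set of packet
    filtering rule identifiers carrying it; identical values are merged into one entry.
    """
    grouping = {field: {} for field in FIELDS}
    for rule_id, match, _action in rules:
        for field in FIELDS:
            grouping[field].setdefault(match[field], set()).add(rule_id)
    return grouping


def pattern_matches(field, pattern, value):
    """Match one extracted field value against one pattern recorded in a grouping rule."""
    if pattern == "*":
        return True
    if field in ("src", "dst"):
        return ip_address(value) in ip_network(pattern, strict=False)
    if field == "dport":
        lo, _sep, hi = pattern.partition("-")
        return int(lo) <= int(value) <= int(hi or lo)
    return pattern == value


def match_field(field, grouping_rule, value):
    """Work of one matching thread: bitmap with bit i set iff rule i's pattern for `field` matches."""
    bitmap = 0
    for pattern, rule_ids in grouping_rule.items():
        if pattern_matches(field, pattern, value):
            for rule_id in rule_ids:
                bitmap |= 1 << rule_id
    return bitmap


def classify(packet, rules, grouping, with_priority=True):
    """Match all fields in parallel, AND the bitmaps, and return the matched rule id(s).

    With priority: only the lowest set bit (first matched rule). Without priority: every
    set bit. An empty list means no rule matched the packet on every field.
    """
    with ThreadPoolExecutor(max_workers=len(FIELDS)) as pool:
        bitmaps = list(pool.map(lambda f: match_field(f, grouping[f], packet[f]), FIELDS))
    target = (1 << len(rules)) - 1            # all m bits set, then narrowed by each field
    for bitmap in bitmaps:
        target &= bitmap
    if target == 0:
        return []
    if with_priority:
        return [(target & -target).bit_length() - 1]   # index of the lowest set bit
    return [i for i in range(len(rules)) if target >> i & 1]


def filter_packet(packet, rules, grouping):
    """Apply the policy (drop/forward) of the matched rule; None when no rule matches."""
    matched = classify(packet, rules, grouping)
    return rules[matched[0]][2] if matched else None


if __name__ == "__main__":
    grouping = build_grouping_rules(RULES)
    # Constructed packet; only the preset fields are shown.
    ssh = {"src": "10.1.2.3", "dst": "192.168.1.10", "proto": "tcp", "dport": "22"}
    print(bin(match_field("dport", grouping["dport"], ssh["dport"])))   # 0b1011: rules 0, 1, 3
    print(classify(ssh, RULES, grouping), classify(ssh, RULES, grouping, with_priority=False))
    print(filter_packet(ssh, RULES, grouping))
```

Because every bitmap is indexed by rule identifier, a field value shared by several rules sets several bits in one step, which is why merging identical field values inside a grouping rule costs nothing at match time. The lowest-set-bit trick (`target & -target`) is the integer form of "the first bit whose value is 1" in the target bitmap table.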
Corresponding to the embodiment of the data packet filtering method, the present application also provides an embodiment of an apparatus for executing the above method embodiment.
Referring to fig. 4, a block diagram of an embodiment of a packet filtering device according to the present application is shown:
as shown in fig. 4, the packet filtering apparatus 40 includes:
a dividing unit 410, configured to divide the plurality of packet filtering rules into a plurality of grouping rules, one corresponding to each preset field; wherein each grouping rule corresponds to a different preset field, and each grouping rule is composed of the field values that the plurality of packet filtering rules carry for its corresponding preset field.
The extracting unit 420 is configured to extract field values corresponding to preset fields of the received target data packet.
And a matching unit 430, configured to perform parallel matching on the extracted field values and the corresponding grouping rules.
The calculating unit 440 is configured to calculate an intersection of matching results of each field value and the corresponding grouping rule, determine a packet filtering rule matched with the target data packet based on the calculated intersection, and perform packet filtering processing on the target data packet based on a packet filtering policy corresponding to the matched packet filtering rule.
In this example, the dividing unit 410 is further configured to:
sequentially selecting each preset field as the target field;
extracting, from each packet filtering rule, the field value corresponding to the target field;
and creating the grouping rule corresponding to the target field based on the field value extracted from each packet filtering rule for the target field and the packet filtering rule identifier corresponding to that field value.
In this example, the apparatus further comprises:
the processing unit 450 is configured to process each grouping rule based on a preset algorithm, so that the processed grouping rule is more suitable for being matched with each extracted field value.
In this example, the apparatus further comprises:
a merging unit 460, configured to merge the grouping rules respectively created for a plurality of related preset fields when such related preset fields exist among the preset fields; and,
when any created grouping rule contains a plurality of identical field values, to merge the packet filtering rule identifiers corresponding to those field values.
In this example, each grouping rule is pre-configured with different matching threads; the matching unit 430 is further configured to:
submitting the extracted field values to a matching thread which is pre-configured for the corresponding grouping rule, and matching the received field values with the field values recorded in the corresponding grouping rule by the matching thread; wherein, each matching thread creates a corresponding bitmap table for each field value; the bitmap table comprises a plurality of bits for recording matching results; each bit is respectively corresponding to the identifier of the packet filtering rule recorded in the grouping rule;
and each matching thread records the extracted matching result of each field value and each field value recorded in the corresponding grouping rule to the corresponding bit in the bitmap table.
In this example, when the bit value in the bitmap table is 1, it indicates that the packet filtering rule corresponding to the bit is matched; the calculating unit 440 is further configured to:
performing a bitwise AND operation on the bitmap tables corresponding to the respective field values; wherein the arrangement order of the bits in the bitmap tables corresponds to the priority order of the packet filtering rules;
and determining the packet filtering rule corresponding to the first bit whose value is 1 after the bitwise AND operation as the packet filtering rule matched by the target data packet.
The embodiment of the data packet filtering apparatus can be applied to a network device. The apparatus embodiment may be implemented by software, by hardware, or by a combination of hardware and software. Taking a software implementation as an example, the apparatus is formed, as a logical means, by the processor of the network device on which it is located reading the corresponding computer program instructions from nonvolatile memory into memory and running them. From a hardware perspective, fig. 5 shows a hardware structure diagram of the network device on which the data packet filtering apparatus is located; besides the processor, memory, network interface and nonvolatile memory shown in fig. 5, the network device on which the apparatus of the embodiment is located may also include other hardware according to the actual function of the data packet filtering apparatus, which is not described again here.
The implementation process of the functions and actions of each unit in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the application. One of ordinary skill in the art can understand and implement it without inventive effort.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (12)

1. A data packet filtering method is applied to a network device, the network device is preconfigured with a plurality of packet filtering rules formed by a plurality of preset fields, and the method is characterized by comprising the following steps:
dividing the plurality of packet filtering rules into a plurality of grouping rules corresponding to each preset field; wherein each grouping rule corresponds to a different preset field; each grouping rule consists of the field values that the plurality of packet filtering rules carry for the preset field corresponding to that grouping rule, together with the packet filtering rule identifier corresponding to each field value;
extracting field values of the received target data packet corresponding to each preset field;
the extracted values of each field are respectively matched with the corresponding grouping rules in parallel;
calculating the intersection of the matching results of each field value and the corresponding grouping rule, determining the packet filtering rule matched with the target data packet based on the calculated intersection, and executing packet filtering processing aiming at the target data packet based on the packet filtering strategy corresponding to the matched packet filtering rule.
2. The method of claim 1, wherein the dividing the plurality of packet filtering rules into a plurality of grouping rules corresponding to respective predetermined fields comprises:
sequentially selecting each preset field as the target field;
extracting, from each packet filtering rule, the field value corresponding to the target field;
and creating the grouping rule corresponding to the target field based on the field value extracted from each packet filtering rule for the target field and the packet filtering rule identifier corresponding to that field value.
3. The method of claim 2, further comprising:
and processing each grouping rule respectively based on a preset algorithm, so that the processed grouping rules are more suitable for being matched with the extracted values of each field.
4. The method of claim 2, further comprising:
when a plurality of related preset fields exist among the preset fields, merging the grouping rules respectively created for those preset fields; and,
when any created grouping rule contains a plurality of identical field values, merging the packet filtering rule identifiers corresponding to those field values.
5. The method of claim 2, wherein each grouping rule is preconfigured with a different matching thread;
the parallel matching of the extracted values of the fields and the corresponding grouping rules respectively comprises the following steps:
submitting the extracted field values to a matching thread which is pre-configured for the corresponding grouping rule, and matching the received field values with the field values recorded in the corresponding grouping rule by the matching thread; wherein, each matching thread creates a corresponding bitmap table for each field value; the bitmap table comprises a plurality of bits for recording matching results; each bit is respectively corresponding to the identifier of the packet filtering rule recorded in the grouping rule;
and each matching thread records the extracted matching result of each field value and each field value recorded in the corresponding grouping rule to the corresponding bit in the bitmap table.
6. The method of claim 5, wherein when the value of a bit in the bitmap table is 1, it indicates that the packet filtering rule corresponding to the bit is matched;
the calculating the intersection of the matching results of each field value and the corresponding grouping rule, and determining the packet filtering rule matched with the target data packet based on the calculated intersection, includes:
performing a bitwise AND operation on the bitmap tables corresponding to the respective field values; wherein the arrangement order of the bits in the bitmap tables corresponds to the priority order of the packet filtering rules;
and determining the packet filtering rule corresponding to the first bit whose value is 1 after the bitwise AND operation as the packet filtering rule matched by the target data packet.
7. A data packet filtering device is applied to a network device, the network device is preconfigured with a plurality of packet filtering rules formed by a plurality of preset fields, and the data packet filtering device is characterized by comprising:
a dividing unit, configured to divide the plurality of packet filtering rules into a plurality of grouping rules corresponding to each preset field; wherein each grouping rule corresponds to a different preset field; each grouping rule consists of the field values that the plurality of packet filtering rules carry for the preset field corresponding to that grouping rule, together with the packet filtering rule identifier corresponding to each field value;
the extraction unit is used for extracting field values corresponding to all preset fields of the received target data packet;
the matching unit is used for respectively matching the extracted values of the fields with the corresponding grouping rules in parallel;
and the computing unit is used for computing the intersection of the matching results of the field values and the corresponding grouping rules, determining the packet filtering rule matched with the target data packet based on the computed intersection, and executing packet filtering processing aiming at the target data packet based on the packet filtering strategy corresponding to the matched packet filtering rule.
8. The apparatus of claim 7, wherein the dividing unit is further configured to:
sequentially selecting each preset field as the target field;
extracting, from each packet filtering rule, the field value corresponding to the target field;
and creating the grouping rule corresponding to the target field based on the field value extracted from each packet filtering rule for the target field and the packet filtering rule identifier corresponding to that field value.
9. The apparatus of claim 8, further comprising:
and the processing unit is used for respectively processing each grouping rule based on a preset algorithm, so that the processed grouping rules are more suitable for being matched with the extracted values of each field.
10. The apparatus of claim 8, further comprising:
a merging unit, configured to merge the grouping rules respectively created for a plurality of related preset fields when such related preset fields exist among the preset fields; and,
when any created grouping rule contains a plurality of identical field values, to merge the packet filtering rule identifiers corresponding to those field values.
11. The apparatus of claim 8, wherein each grouping rule is preconfigured with a different matching thread; the matching unit is further configured to:
submitting the extracted field values to a matching thread which is pre-configured for the corresponding grouping rule, and matching the received field values with the field values recorded in the corresponding grouping rule by the matching thread; wherein, each matching thread creates a corresponding bitmap table for each field value; the bitmap table comprises a plurality of bits for recording matching results; each bit is respectively corresponding to the identifier of the packet filtering rule recorded in the grouping rule;
and each matching thread records the extracted matching result of each field value and each field value recorded in the corresponding grouping rule to the corresponding bit in the bitmap table.
12. The apparatus according to claim 11, wherein when the value of bit in the bitmap table is 1, it indicates that the packet filtering rule corresponding to the bit is matched; the computing unit is further configured to:
performing a bitwise AND operation on the bitmap tables corresponding to the respective field values; wherein the arrangement order of the bits in the bitmap tables corresponds to the priority order of the packet filtering rules;
and determining the packet filtering rule corresponding to the first bit whose value is 1 after the bitwise AND operation as the packet filtering rule matched by the target data packet.
CN201611248795.3A 2016-12-29 2016-12-29 Data packet filtering method and device Active CN106790170B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611248795.3A CN106790170B (en) 2016-12-29 2016-12-29 Data packet filtering method and device

Publications (2)

Publication Number Publication Date
CN106790170A CN106790170A (en) 2017-05-31
CN106790170B true CN106790170B (en) 2020-05-12

Family

ID=58927502

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110909149B (en) * 2018-09-17 2022-06-03 北京国双科技有限公司 Data filtering method and device
CN109347747B (en) * 2018-11-13 2021-12-17 锐捷网络股份有限公司 Data processing method and device
CN111262812A (en) * 2018-11-30 2020-06-09 比亚迪股份有限公司 Data packet screening method and device
CN109802872B (en) * 2019-03-19 2021-07-30 北京信而泰科技股份有限公司 Message capturing method, device and equipment
CN111897644B (en) * 2020-08-06 2024-01-30 成都九洲电子信息系统股份有限公司 Multi-dimensional-based network data fusion matching method
CN112685611A (en) * 2020-12-31 2021-04-20 恒安嘉新(北京)科技股份公司 Data filtering method and device, storage medium and electronic equipment
WO2023019403A1 (en) * 2021-08-16 2023-02-23 北京小米移动软件有限公司 Ip data packet transmission method and apparatus and readable storage medium
CN114268451B (en) * 2021-11-15 2024-04-16 中国南方电网有限责任公司 Method, device, equipment and medium for constructing safety buffer zone of power monitoring network
CN114189572B (en) * 2021-12-16 2022-09-06 深圳市领创星通科技有限公司 Packet detection rule matching method, device, network element and storage medium
CN114615231A (en) * 2022-03-04 2022-06-10 北京理工大学 Network packet processing method and system based on name extraction

Citations (1)

Publication number Priority date Publication date Assignee Title
CN1545254A (en) * 2003-11-13 2004-11-10 中兴通讯股份有限公司 A method of fast data packet filtering

Family Cites Families (2)

Publication number Priority date Publication date Assignee Title
US7134143B2 (en) * 2003-02-04 2006-11-07 Stellenberg Gerald S Method and apparatus for data packet pattern matching
CN103401777B (en) * 2013-08-21 2015-12-02 中国人民解放军国防科学技术大学 The parallel search method and system of Openflow

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20210611

Address after: 310051 05, room A, 11 floor, Chung Cai mansion, 68 Tong Xing Road, Binjiang District, Hangzhou, Zhejiang.

Patentee after: Hangzhou Dip Information Technology Co.,Ltd.

Address before: 6 / F, Zhongcai building, 68 Tonghe Road, Binjiang District, Hangzhou City, Zhejiang Province

Patentee before: Hangzhou DPtech Technologies Co.,Ltd.