CN110351397B - Method and device for matching IP network segments - Google Patents
- Publication number: CN110351397B
- Authority: CN (China)
- Prior art keywords: matching, network segment, network, matched, sub
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2101/00—Indexing scheme associated with group H04L61/00
- H04L2101/60—Types of network addresses
- H04L2101/668—Internet protocol [IP] address subnets
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2101/00—Indexing scheme associated with group H04L61/00
- H04L2101/60—Types of network addresses
- H04L2101/695—Types of network addresses using masks or ranges of addresses
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention provides a method and a device for matching an IP network segment, wherein the method comprises the following steps: performing sub-network segment division on a strategy group based on an IP network segment, extracting a sub-network mask in the sub-network segment, generating a mask library, and initializing a Hash linked list of the IP network segment; carrying out logical AND operation on the IP to be matched and the mask in the mask library in sequence to obtain an IP network segment to be matched; calculating a Hash value of the IP network segment to be matched, and carrying out modular operation on the Hash value and a maximum prime number H1; and matching the Hash linked list according to the result of the modulus operation, and returning a matching result. The invention can greatly improve the matching efficiency by a method of quickly matching network segments, has small delay, and can ensure the matching speed even if the matching strategies are very many.
Description
Technical Field
The invention belongs to the technical field of networks, and particularly relates to a method and a device for matching an IP network segment.
Background
In some network service scenarios, a set of policies is often configured per IP network segment, and each arriving packet is matched against that set. Matching is currently implemented mainly as a loop search (see FIG. 1 and FIG. 2). As FIG. 2 shows, when the policies to be matched cover N network segments in total, the matching time complexity is O(N); that is, the more segments need to be matched, the lower the matching efficiency. Although this method is simple to implement, the time complexity of matching grows with the number of policies, so with many policies the matching time is long, the delay is high and the efficiency is low.
Therefore, for application scenarios with many policies, a method for matching IP network segments is needed whose matching efficiency does not drop sharply as the number of policies increases.
Disclosure of Invention
The invention provides a method and a device for matching an IP network segment, which solve the problems of high delay and low efficiency of existing policy matching methods in application scenarios with many policies.
In a first aspect of the present invention, a method for matching an IP network segment is provided, where the method includes:
S1. Dividing the IP-network-segment-based policy group into sub-network segments, extracting the subnet masks of the sub-network segments to generate a mask library, and initializing a Hash linked list of the IP network segments;
S2. Performing a logical AND operation on the IP to be matched and each mask in the mask library in sequence to obtain an IP network segment to be matched;
S3. Calculating a Hash value of the IP network segment to be matched, and performing a modulo operation on the Hash value with the maximum prime number;
S4. Matching against the Hash linked list according to the result of the modulo operation, and returning a matching result.
Optionally, in step S1, the Hash linked list of the IP network segments is initialized as follows:
The Hash value of each sub-network segment is calculated, and a modulo operation is performed on the Hash of the sub-network segment with a maximum prime number H1 to obtain an INDEX for each segment, the INDEX being used as the subscript of the array in the Hash linked list; if several network segments have the same INDEX, all network segments with that INDEX are stored in sequence in one linked list.
Optionally, in step S2, when the IP to be matched is ANDed with the masks in the mask library in sequence, large masks are matched first and small masks afterwards.
Optionally, in step S4, while matching against the Hash linked list, if the matched INDEX holds a linked list, the linked list is traversed in sequence: the IP to be matched is ANDed with the subnet mask of each network segment on the linked list, and if the matched character strings are consistent, the method returns with a successful match; if they are inconsistent, traversal continues until the tail of the linked list is reached, at which point matching ends.
In a second aspect of the present invention, a device for matching IP network segments is provided, where the device includes:
an initialization module, configured to divide the IP-network-segment-based policy group into sub-network segments, extract the subnet masks of the sub-network segments to generate a mask library, and initialize a Hash linked list of the IP network segments;
an operation module, configured to perform a logical AND operation on the IP to be matched and each mask in the mask library in sequence to obtain an IP network segment to be matched, to calculate a Hash value of the IP network segment to be matched, and to perform a modulo operation on the Hash value with the maximum prime number H1;
a matching module, configured to match against the Hash linked list according to the result of the modulo operation and to return a matching result.
Optionally, the Hash linked list of the IP network segments is initialized as follows: the Hash value of each sub-network segment is calculated, and a modulo operation is performed on it with a maximum prime number H1 to obtain an INDEX for each segment, the INDEX being used as the subscript of the array in the Hash linked list; if several network segments have the same INDEX, all network segments with that INDEX are stored in sequence in one linked list.
Optionally, in the operation module, when the IP to be matched is ANDed with the masks in the mask library in sequence, large masks are matched first and small masks afterwards.
Optionally, in the matching module, if the matched INDEX holds a linked list, the linked list is traversed in sequence: the IP to be matched is ANDed with the subnet mask of each network segment on the linked list to determine whether the matched character strings are consistent; if so, the module returns with a successful match; if they are inconsistent, traversal continues until the tail of the linked list is reached, at which point matching ends.
The invention has the beneficial effects that:
By matching network segments quickly through the Hash linked list, the invention can greatly improve matching efficiency, keeps the delay small, and maintains the matching speed even when there are very many matching policies.
Drawings
In order to more clearly illustrate the technical solution of the present invention, the drawings needed to be used in the technical description of the present invention will be briefly introduced below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without inventive labor.
FIG. 1 is a schematic diagram of a conventional method for matching IP network segments;
FIG. 2 is a flow chart illustrating a conventional method for matching IP network segments;
FIG. 3 is a schematic flow chart of a method for matching IP network segments according to the present invention;
FIG. 4 is a schematic diagram of a method for matching IP network segments according to an embodiment of the present invention;
FIG. 5 is a schematic view of a device structure for matching IP network segments according to the present invention.
Detailed Description
The invention provides a method and a device for matching IP network segments, which improve the matching efficiency.
In order to make the objects, features and advantages of the present invention more obvious and understandable, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is obvious that the embodiments described below are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 3 and 4, the present invention provides a method for matching IP network segments, the method comprising:
S1. Dividing the IP-network-segment-based policy group into sub-network segments, extracting the subnet masks of the sub-network segments to generate a mask library, and initializing a Hash linked list of the IP network segments;
Specifically, a network service scenario has a number of policy groups configured per IP network segment, and the existing IP-network-segment-based policy group serves as the base data for matching IP network segments. The policy group is divided into sub-network segments. On the one hand, the subnet masks of the sub-network segments are extracted to generate the mask library; on the other hand, a Hash linked list is generated from the sub-network segments and initialized, and the sub-network segments are stored in it. Each time an IP to be matched is received, its network segment is matched against the IP network segments stored in the Hash linked list.
In step S1, the Hash linked list of the IP network segments is initialized as follows: the Hash value of each sub-network segment is calculated, and a modulo operation is performed on it with a maximum prime number H1 to obtain an INDEX for each segment, the INDEX being used as the subscript of the array in the Hash linked list; if several network segments have the same INDEX, all network segments with that INDEX are stored in sequence in one linked list.
Referring to FIG. 4, which is a schematic diagram of the matching method of the present invention: first, the sub-network segments are divided out of the IP-network-segment-based policy group; then the mask library and the Hash linked list are generated from the sub-network segments. The Hash linked list takes the form of an array plus linked lists: the INDEX obtained by the modulo operation for each sub-network segment is used as the subscript of the array, each sub-network segment is stored in a linked list, and segments with the same INDEX are stored in sequence in the same linked list. That is, when INDEX values conflict, the network segment is added to the head of the linked list pointed to by that INDEX.
S2. Performing a logical AND operation on the IP to be matched and each mask in the mask library in sequence to obtain an IP network segment to be matched;
In step S2, when the IP to be matched is ANDed with the masks in the mask library in sequence, large masks are matched first and small masks afterwards. For example, the masks 26, 24 and 22 in the mask library are ANDed with the IP in order from largest to smallest.
S3. Calculating a Hash value of the IP network segment to be matched, and performing a modulo operation on the Hash value with the maximum prime number H1;
S4. Matching against the Hash linked list according to the result of the modulo operation, and returning a matching result.
In step S4, the Hash linked list is read and matched in sequence; if a match succeeds, success is returned, otherwise matching continues until the end of the Hash linked list. While matching against the Hash linked list, if the matched INDEX position holds a linked list, the linked list is traversed in sequence: the IP to be matched is ANDed with the subnet mask of each network segment on the linked list, and if the matched character strings are consistent, the method returns with a successful match; if they are inconsistent, traversal continues until the tail of the linked list is reached, at which point matching ends. Specifically, the IP to be matched is ANDed with the subnet mask of the network segment on the linked list to obtain the IP network segment to be matched, which is then compared with the corresponding network segment on the linked list; if the character strings are consistent, the match succeeds.
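The following C program is an added example, not code from the patent: it builds the mask library and the array plus linked list table of S1 and performs the lookup of S2 to S4 with the large-mask-first rule. The value of H1 (1021), the hash function, the sample segments and all identifiers are assumptions, since the page specifies none of them.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define H1 1021u  /* assumed prime modulus; the page gives no value for H1 */

struct seg {                      /* one sub-network segment of a policy */
    uint32_t net, mask;
    int policy_id;                /* hypothetical payload: which policy matched */
    struct seg *next;
};

static struct seg *table[H1];     /* array + linked list */
static int mask_lib[33];          /* mask library: distinct prefix lengths, largest first */
static int mask_cnt;

static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d) {
    return (uint32_t)(a << 24 | b << 16 | c << 8 | d);
}

static uint32_t prefix_to_mask(int prefix) {
    /* a shift by 32 is undefined in C, so /0 is handled separately */
    return prefix == 0 ? 0u : (uint32_t)(0xFFFFFFFFu << (32 - prefix));
}

/* Assumed hash (none is named on the page): multiplicative mix, then mod H1. */
static uint32_t seg_index(uint32_t net) {
    return (uint32_t)(net * 2654435761u) % H1;
}

/* Insert a prefix length into the mask library, keeping it sorted largest first. */
static void mask_lib_add(int prefix) {
    int i, j;
    for (i = 0; i < mask_cnt; i++) {
        if (mask_lib[i] == prefix) return;   /* already present */
        if (mask_lib[i] < prefix) break;
    }
    for (j = mask_cnt; j > i; j--) mask_lib[j] = mask_lib[j - 1];
    mask_lib[i] = prefix;
    mask_cnt++;
}

/* S1: store one segment; on an INDEX conflict it goes to the head of the chain. */
static int add_segment(uint32_t addr, int prefix, int policy_id) {
    struct seg *s;
    uint32_t idx;
    if (prefix < 0 || prefix > 32) return -1;
    s = malloc(sizeof *s);
    if (s == NULL) return -1;
    s->mask = prefix_to_mask(prefix);
    s->net = addr & s->mask;
    s->policy_id = policy_id;
    idx = seg_index(s->net);
    s->next = table[idx];
    table[idx] = s;
    mask_lib_add(prefix);
    return 0;
}

/* S2-S4: returns the policy id of the first match, or -1 if no segment matches. */
static int match_ip(uint32_t ip) {
    int i;
    for (i = 0; i < mask_cnt; i++) {                    /* large mask first */
        uint32_t mask = prefix_to_mask(mask_lib[i]);
        uint32_t net = ip & mask;                       /* S2 */
        struct seg *s = table[seg_index(net)];          /* S3 */
        for (; s != NULL; s = s->next)                  /* S4: walk the chain */
            /* the mask equality test is an addition that keeps large-mask-first strict */
            if (s->mask == mask && (ip & s->mask) == s->net)
                return s->policy_id;
    }
    return -1;
}

/* Constructed sample policy using the masks 26, 24 and 22 from the text. */
static void load_sample_policy(void) {
    add_segment(ip4(10, 1, 2, 64), 26, 1);
    add_segment(ip4(10, 1, 2, 0), 24, 2);
    add_segment(ip4(10, 1, 0, 0), 22, 3);
}

int main(void) {
    load_sample_policy();
    printf("10.1.2.70  -> policy %d\n", match_ip(ip4(10, 1, 2, 70)));
    printf("10.1.2.200 -> policy %d\n", match_ip(ip4(10, 1, 2, 200)));
    printf("10.1.3.9   -> policy %d\n", match_ip(ip4(10, 1, 3, 9)));
    printf("192.0.2.1  -> policy %d\n", match_ip(ip4(192, 0, 2, 1)));
    return 0;
}
```

Lookup cost here is the number of distinct masks times the chain length at each probed INDEX, so a hash that distributes the segments poorly pushes the worst case back toward O(N).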
Referring to fig. 5, the present invention further provides a device for matching IP network segments, wherein the device comprises:
The initialization module 510: configured to divide the IP-network-segment-based policy group into sub-network segments, extract the subnet masks of the sub-network segments to generate a mask library, and initialize a Hash linked list of the IP network segments;
The operation module 520: configured to perform a logical AND operation on the IP to be matched and each mask in the mask library in sequence to obtain an IP network segment to be matched, to calculate a Hash value of the IP network segment to be matched, and to perform a modulo operation on the Hash value with the maximum prime number H1;
The matching module 530: configured to match against the Hash linked list according to the result of the modulo operation and to return a matching result.
In the initialization module 510, the Hash linked list of the IP network segments is initialized as follows: the Hash value of each sub-network segment is calculated, and a modulo operation is performed on it with a maximum prime number H1 to obtain an INDEX for each segment, the INDEX being used as the subscript of the array in the Hash linked list; if several network segments have the same INDEX, all network segments with that INDEX are stored in sequence in one linked list.
In the operation module 520, when the IP to be matched is ANDed with the masks in the mask library in sequence, large masks are matched first and small masks afterwards.
In the matching module 530, if the matched INDEX holds a linked list, the linked list is traversed in sequence: the IP to be matched is ANDed with the subnet mask of each network segment on the linked list to determine whether the matched character strings are consistent; if so, the module returns with a successful match; if they are inconsistent, traversal continues until the tail of the linked list is reached, at which point matching ends.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and reference may be made to the related descriptions of other embodiments for parts that are not described or illustrated in a certain embodiment.
Those of ordinary skill in the art would appreciate that the modules, elements, and/or method steps of the various embodiments described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit may be implemented in the form of hardware, or may also be implemented in the form of a software functional unit.
Although the present invention has been described in detail with reference to the foregoing embodiments, it should be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.
Claims (7)
1. A method of matching IP network segments, the method comprising:
S1. dividing the IP-network-segment-based policy group into sub-network segments, extracting the subnet masks of the sub-network segments to generate a mask library, and initializing a Hash linked list of the IP network segments;
S2. performing a logical AND operation on the IP to be matched and each mask in the mask library in sequence to obtain an IP network segment to be matched;
S3. calculating a Hash value of the IP network segment to be matched, and performing a modulo operation on the Hash value with a maximum prime number H1;
S4. matching against the Hash linked list according to the result of the modulo operation, and returning a matching result;
wherein in step S1, the Hash linked list of the IP network segments is initialized as follows:
the Hash value of each sub-network segment is calculated, and a modulo operation is performed on it with a maximum prime number H1 to obtain an INDEX for each segment, the INDEX being used as the subscript of the array in the Hash linked list; if several network segments have the same INDEX, all network segments with that INDEX are stored in sequence in one linked list.
2. The method according to claim 1, wherein in step S2, when the IP to be matched is ANDed with the masks in the mask library in sequence, large masks are matched first and small masks afterwards.
3. The method for matching IP network segments according to claim 1, wherein in step S4: the Hash linked list is read and matched in sequence against the result of the modulo operation of the IP network segment to be matched; while matching against the Hash linked list, if the matched INDEX corresponds to a linked list, the linked list is traversed in sequence, and the IP to be matched is ANDed with the subnet mask of each network segment on the linked list to determine whether the matched character strings are consistent; if so, the method returns with a successful match; if they are inconsistent, traversal continues until the tail of the linked list is reached, at which point matching ends.
4. An apparatus for matching IP network segments, the apparatus comprising:
an initialization module, configured to divide the IP-network-segment-based policy group into sub-network segments, extract the subnet masks of the sub-network segments to generate a mask library, and initialize a Hash linked list of the IP network segments;
an operation module, configured to perform a logical AND operation on the IP to be matched and each mask in the mask library in sequence to obtain an IP network segment to be matched, to calculate a Hash value of the IP network segment to be matched, and to perform a modulo operation on the Hash value with the maximum prime number H1;
a matching module, configured to match against the Hash linked list according to the result of the modulo operation and to return a matching result;
wherein in the initialization module, the Hash linked list of the IP network segments is initialized as follows:
the Hash value of each sub-network segment is calculated, and a modulo operation is performed on it with a maximum prime number H1 to obtain an INDEX for each segment, the INDEX being used as the subscript of the array in the Hash linked list; if several network segments have the same INDEX, all network segments with that INDEX are stored in sequence in one linked list.
5. The device for matching IP network segments according to claim 4, wherein the Hash linked list of the IP network segments is initialized as follows:
the Hash value of each sub-network segment is calculated, and a modulo operation is performed on it with a maximum prime number H1 to obtain an INDEX for each segment, the INDEX being used as the subscript of the array in the Hash linked list; if several network segments have the same INDEX, all network segments with that INDEX are stored in sequence in one linked list.
6. The device for matching IP network segments according to claim 4, wherein in the operation module, when the IP to be matched is ANDed with the masks in the mask library in sequence, large masks are matched first and small masks afterwards.
7. The device for matching IP network segments according to claim 4, wherein in the matching module, if the matched INDEX holds a linked list, the linked list is traversed in sequence, the IP to be matched is ANDed with the subnet mask of each network segment on the linked list, and it is determined whether the matched character strings are consistent; if so, the module returns with a successful match; if they are inconsistent, traversal continues until the tail of the linked list is reached, at which point matching ends.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910462104.7A CN110351397B (en) | 2019-05-30 | 2019-05-30 | Method and device for matching IP network segments |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110351397A (en) | 2019-10-18 |
CN110351397B (en) | 2022-06-14 |
Family
ID=68174418
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910462104.7A Active CN110351397B (en) | 2019-05-30 | 2019-05-30 | Method and device for matching IP network segments |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110351397B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||