CN111131197B - Filtering strategy management system and method thereof - Google Patents


Info

Publication number
CN111131197B
Authority
CN
China
Prior art keywords
node
data block
storage module
basic
filtering
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201911267070.2A
Other languages
Chinese (zh)
Other versions
CN111131197A (en)
Inventor
江荧荧
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou DPtech Information Technology Co Ltd
Original Assignee
Hangzhou DPtech Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou DPtech Information Technology Co Ltd
Priority to CN201911267070.2A
Publication of CN111131197A
Application granted
Publication of CN111131197B
Legal status: Active
Anticipated expiration


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL

Abstract

The application provides a filtering policy management system and a method thereof. The filtering policies in the hardware memory correspond one-to-one with the filtering policies in the software memory: the user manages the policies through software (a second storage module), any change is synchronized into the hardware, and high-speed packet matching is performed by the hardware (a first storage module). The software layer faces the user and manages the policies; the hardware layer faces the network traffic and performs high-speed packet matching. The close coupling of software and hardware yields an efficient packet filtering function.

Description

Filtering strategy management system and method thereof
Technical Field
The present application relates to the field of internet technologies, and in particular, to a filtering policy management system and a method thereof.
Background
The principle of the filtering strategy is to perform packet header inspection on the packets passing through the firewall packet by packet, and perform corresponding strategy operation on the packets meeting the filtering condition. The method comprises the steps of firstly obtaining information of a message header, such as a source IP address, a destination IP address, a protocol number of an upper layer protocol carried by an IP layer, a source port number, a destination port number and the like, and when the message header is successfully matched, carrying out operations of forwarding, discarding and the like on a message.
The filtering strategy is essentially a classification of the messages. Generally, the filtering policy is stored in hardware such as DDR, which can quickly perform matching of messages, but the hardware side cannot efficiently and quickly respond to the user's needs, and when the user needs to add, delete or change the filtering policy, the efficiency is low.
Disclosure of Invention
In view of the foregoing technical problems, embodiments of the present application provide a filtering policy management system and a method thereof, and the technical solution is as follows:
according to a first aspect of embodiments of the present application, there is provided a filtering policy management system, the system comprising a first storage module and a second storage module,
the first storage module comprises a hash chain area and a hash chain tail area, the hash chain area and the hash chain tail area respectively comprise a plurality of data blocks, each data block has an index value and correspondingly stores a filtering strategy, and the first storage module is used for executing message matching according to the stored filtering strategy; the first storage module is a hardware module;
the second storage module comprises a hash chain table structure, the hash chain table structure comprises a plurality of head nodes, each head node comprises a basic node, each basic node correspondingly stores a filtering strategy, and the second storage module is used for receiving strategy management operation of a user so as to correspondingly change the stored filtering strategy; the second storage module is a software module;
the filtering strategies stored in the first storage module and the second storage module are in one-to-one correspondence, and when the filtering strategy in the second storage module is changed, the corresponding filtering strategy in the first storage module is synchronously changed.
According to a second aspect of the embodiments of the present application, there is provided a filtering policy adding method applied to the filtering policy management system of the first aspect, the method including:
acquiring an idle base node, and writing quintuple information in a strategy to be added into a quintuple storage area of the base node;
calculating a hash value according to the quintuple information, searching a head node consistent with the hash value in a hash chain table structure of the second storage module, and adding the basic nodes under the head node, wherein each basic node under the head node comprises head and tail pointers which are connected with each other, and the basic nodes are connected with a previous basic node through the head pointers and connected with a next basic node through the tail pointers;
selecting an idle data block in a first storage module, writing the strategy to be added into the data block, and writing the index value of the data block into the address storage area of the basic node.
According to a third aspect of embodiments of the present application, there is provided a filtering policy deletion method applied to the filtering policy management system of the first aspect, where the method includes:
calculating a hash value according to quintuple information of the strategy to be deleted, and searching a head node consistent with the hash value in a hash chain table structure of the second storage module;
under the head node, removing the basic node matched with the quintuple information of the strategy to be deleted, and writing the updated basic node information of the hash chain table structure of the second storage module into the first storage module;
determining the index value of the data block in the address storage area of the basic node, determining the bit corresponding to the data block in the second bitmap according to the index value, and setting the state of the bit to be idle.
According to a fourth aspect of embodiments of the present application, there is provided a filtering policy adding device applied to the filtering policy management system of the first aspect, the device including:
a data writing module, configured to obtain an idle base node and write the quintuple information of the strategy to be added into the quintuple storage area of the base node;
a node adding module, configured to calculate a hash value according to the quintuple information, search the hash chain table structure of the second storage module for the head node consistent with the hash value, and add the base node under that head node, wherein all the base nodes under a head node are connected to each other through head and tail pointers;
a rule storage module, configured to select an idle data block in the first storage module, write the strategy to be added into the data block, and write the index value of the data block into the address storage area of the base node.
According to a fifth aspect of embodiments of the present application, there is provided a filtering policy deleting device applied to the filtering policy management system of the first aspect, the device including:
a node searching module, configured to calculate a hash value according to the quintuple information of the strategy to be deleted and search the hash chain table structure of the second storage module for the head node consistent with the hash value;
a node removing module, configured to remove, under that head node, the base node matched with the quintuple information of the strategy to be deleted;
a bitmap resetting module, configured to determine the index value of the data block from the address storage area of the base node, determine the bit corresponding to that data block in the second bitmap according to the index value, and set the state of the bit to idle.
The embodiment of the application provides a filtering policy management system and a method thereof. The filtering policies in the hardware memory correspond one-to-one with the filtering policies in the software memory: the user manages the policies through software (a second storage module), any change is synchronized into the hardware, and high-speed packet matching is performed by the hardware (a first storage module). The software layer faces the user and manages the policies; the hardware layer faces the network traffic and performs high-speed packet matching. The close coupling of software and hardware yields an efficient packet filtering function.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the embodiments of the application.
In addition, any one of the embodiments of the present application does not necessarily achieve all of the effects described above.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments described in the embodiments of the present application, and other drawings can be obtained by those skilled in the art according to the drawings.
FIG. 1 is a schematic diagram of a filtering policy management system shown in an exemplary embodiment of the present application;
FIG. 2 is a schematic diagram illustrating blocks of data in a first memory module in accordance with an exemplary embodiment of the present application;
FIG. 3 is a schematic diagram illustrating a sequential memory of a second storage module according to an exemplary embodiment of the present application;
FIG. 4 is a schematic diagram of an infrastructure node architecture shown in an exemplary embodiment of the present application;
FIG. 5 is a diagram illustrating a structure of a linked list of base nodes in an exemplary embodiment of the present application;
FIG. 6 is a diagram illustrating a hash chain structure in accordance with an illustrative embodiment of the present application;
FIG. 7 is a flow chart illustrating a filtering policy addition method according to an exemplary embodiment of the present application;
FIG. 8 is a diagram illustrating a filtering policy addition method according to an exemplary embodiment of the present application;
FIG. 9 is a flow chart illustrating a method for filtering policy deletion in accordance with an exemplary embodiment of the present application;
FIG. 10 is a diagram illustrating a method for filtering policy deletion according to an exemplary embodiment of the present application;
FIG. 11 is a schematic diagram of a filtering policy adding apparatus according to an exemplary embodiment of the present application;
FIG. 12 is a schematic diagram illustrating a filtering policy deleting apparatus according to an exemplary embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at the time of", "when", or "in response to determining", depending on the context.
The principle of the filtering strategy is to perform packet header inspection on the packets passing through the firewall packet by packet, and perform corresponding strategy operation on the packets meeting the filtering condition. The method comprises the steps of firstly obtaining information of a message header, such as a source IP address, a destination IP address, a protocol number of an upper layer protocol carried by an IP layer, a source port number, a destination port number and the like, and when the message header is successfully matched, carrying out operations of forwarding, discarding and the like on a message.
The filtering strategy is essentially a classification of the messages. Generally, the filtering policy is stored in hardware such as DDR, which can quickly perform matching of messages, but the hardware side cannot efficiently and quickly respond to the user's needs, and when the user needs to add, delete or change the filtering policy, the efficiency is low.
In view of the foregoing problems, embodiments of the present application provide a filtering policy management system and a filtering policy management method applied to the filtering policy management system.
Referring to fig. 1, the filtering policy management system according to the embodiment is described in detail below, and the system includes a first storage module and a second storage module,
the first storage module, referring to fig. 2, includes a hash chain region and a hash chain end region, where the hash chain region and the hash chain end region respectively include a plurality of data blocks, each data block has an index value and correspondingly stores a filtering policy, and the first storage module is configured to perform packet matching according to the stored filtering policy;
the second storage module comprises a hash chain table structure, the hash chain table structure comprises a plurality of head nodes, each head node comprises at least one basic node, each basic node correspondingly stores a filtering strategy, and the second storage module is used for receiving strategy management operation of a user so as to correspondingly change the stored filtering strategy;
the filtering strategies stored in the first storage module and the second storage module are in one-to-one correspondence, and when the filtering strategy in the second storage module is changed, the corresponding filtering strategy in the first storage module is synchronously changed.
The filtering policy management system may include a first storage module on a hardware level, where the storage module may be a DDR or other storage device, and the first storage module is configured to perform packet matching according to a stored filtering policy.
The first storage module is divided into a plurality of small blocks according to a specific format size, and each small block is a basic storage unit, namely the data block mentioned above. These storage units are numbered and the resulting number is the index value of the data block mentioned above. The present embodiment manages the rules stored therein by using the index values, as shown in fig. 2. Each square in the figure is a data block, each data block is numbered in turn, and the number on each small square in the figure is the index value of the basic storage space of the block.
The filtering strategy management system also comprises a second storage module on the software level, the second storage module can be a CPU memory and the like, the second storage module comprises a hash chain table structure, the hash chain table structure comprises a plurality of head nodes, each head node comprises a basic node, each basic node correspondingly stores a filtering strategy, and the second storage module is used for receiving strategy management operation of a user so as to correspondingly change the stored filtering strategy.
Specifically, storing the rules in memory requires dividing storage space for them, and to keep rule issuing efficient, sufficient space must be divided in advance. The number of preset rules must be of a fairly large order of magnitude to meet the users' requirements. Because of the operating system's memory management mechanism, a single request for a large block of memory may fail, so this embodiment obtains the needed memory by requesting a small block many times. Fig. 3 shows the locations of the requested spaces in memory (gray areas); as can be seen from fig. 3, the rules are stored in a plurality of consecutive memory spaces.
The memory space of the second storage module is divided into basic memory units, which may be called base nodes (elem). Each base node elem stores one filtering policy. The specific structure of the base node elem is shown in fig. 4: it comprises a five-tuple storage area, a rule storage area, an address storage area, and head and tail pointers.
The head and tail pointers each point to another base node elem; the five-tuple storage area stores the five-tuple information (source and destination addresses, source and destination ports, protocol type, etc.) of the filtering policy; the rule storage area stores the processing action (discard, forward, etc.) to take after the five-tuple matches; and the address storage area stores the index value of the data block corresponding to this base node and the index value of the data block corresponding to the next base node. The same filtering policy is thus held in both the base node elem and its corresponding data block.
Further, these base nodes elem may be linked into a double-linked-list elem cache structure. Referring to fig. 5, all the base nodes on this linked list are idle base nodes that are not in use. When a filtering policy is added, an idle base node elem is removed from the elem cache for use; when a filtering policy is deleted, the base node elem that is no longer in use is hung back onto the elem cache for reuse.
It should be noted that the above-mentioned "removing" and "hanging back" operations are both completed by changing the head and tail pointers in the base node.
The second storage module comprises a Hash table of a Hash chain table structure, the Hash chain table structure comprises a plurality of head nodes, and each head node comprises at least one basic node.
Specifically, the Hash table is an array of pointers, and each pointer points to a base node elem. The specific structure is shown in figure 6. The hash chain table is also called a hash table, and is a data structure which can be directly accessed according to keywords.
The hash chain table holds the base nodes elem that are in use, i.e. those filled with data. The data blocks of the first storage module correspond one-to-one with the filtering policies stored in the base nodes of the second storage module, and when a filtering policy in the second storage module is changed, the corresponding filtering policy in the first storage module is changed synchronously.
Further, the current usage status of the first and second storage modules may be tracked with bitmaps. Specifically, a bitmap array is associated with the actual data by the array index, and the usage of a storage unit is indicated by the designated bit in the bitmap. Because each element of the bitmap array occupies only one bit, the usage state of a storage module can be learned by querying the bitmap; traversing a small storage region (the bitmap) reveals the occupancy of a large memory (the policy data), which enables faster querying and management.
Generally, two bitmaps, a first bitmap (bitmap1) and a second bitmap (bitmap2), are used for management. Each bit in the first bitmap corresponds to one head node of the hash chain table in the second storage module: when the bit is 1, a base node already exists under the corresponding head node; when the bit is 0, no base node exists under it.
Each bit in the second bitmap corresponds to one data block in the first storage module: when the bit is 1, a filtering policy is stored in the corresponding data block; when the bit is 0, the corresponding data block stores no filtering policy.
Specifically, the filtering policy management system performs packet matching as follows. After a packet is received, its five-tuple information is extracted and a hash value is calculated from it. The five-tuple is compared with the five-tuple stored in the data block of the first storage module at the position corresponding to the hash value. If they are the same, the corresponding action is executed. If they differ, the comparison continues at the next-node address stored in that data block, and so on until a comparison succeeds; if the last node is reached without a match, the packet hits none of the policies in the device.
The present application further provides a filtering policy adding method applied to the filtering policy management system, referring to fig. 7 and 8, the method includes:
S701, acquiring an idle base node, and writing the quintuple information of the strategy to be added into the quintuple storage area of the base node;
S702, calculating a hash value according to the quintuple information, searching the hash chain table structure of the second storage module for the head node consistent with the hash value, and adding the base node under that head node, wherein all the base nodes under the head node are connected to each other through head and tail pointers;
S703, selecting an idle data block in the first storage module, writing the strategy to be added into the data block, and writing the index value of the data block into the address storage area of the base node.
When step S703 is executed, the following manner may be adopted, but is not limited to:
(1-1) judging, through the first bitmap, whether a base node exists under the head node consistent with the calculated hash value, wherein the first bitmap identifies the occupation state of each head node by the state of the corresponding bit;
(1-2) if no base node exists under the head node, searching the hash chain area of the first storage module for the data block whose index value equals the hash value, and taking that data block as the selected free data block;
(1-3) if a base node exists under the head node, traversing the second bitmap until an idle data block in the hash chain tail area of the first storage module is found, and taking that data block as the selected idle data block, wherein the second bitmap identifies the occupation state of each data block by the state of the corresponding bit.
Specifically, when a user needs to add a policy for a piece of quintuple information, a node is first taken from the idle elem cache linked list, and the quintuple policy information is written into that node. Then the hash key value of the policy to be added is calculated from its quintuple information, namely the source and destination addresses, source and destination ports and protocol number.
For example: assuming the hash value is 2, the bit corresponding to head node number 2 is first looked up in the first bitmap (bitmap1). If the bit is 0, no base node exists under head node 2; if the bit is 1, a base node already exists under head node 2.
Whether or not a base node already exists under head node 2, the new base node is added under that head node. During subsequent deletion, modification and query, the head node can be found from the calculated hash value and the chain under it traversed; different base nodes under the same head node have different quintuple information, so the required base node can be matched by its quintuple information.
When no base node exists under head node 2, the filtering policy to be added is stored, in the specified structure, in the data block with index value 2 in the first storage module, and the index value 2 is written into the address storage area of the newly added base node.
When a base node already exists under head node 2, a filtering rule is already stored in the data block with index value 2. In that case a free data block is selected elsewhere in the first storage module, the filtering policy to be added is stored in that free data block in the specified structure, the index value of the free data block is written into the address storage area of the newly added base node, and the index value of the next base node is written as well, so that the filtering rules in the first storage module can be searched when subsequent packets are matched. Specifically, the free data block in the first storage module can be found by traversing the second bitmap, which identifies the occupation state of each data block by the state of the corresponding bit.
It should be noted that, after the filtering rule is added to the data block of the first storage module and the hash chain table of the second storage module, the state of the corresponding bit in the first bitmap and the state of the corresponding bit in the second bitmap are changed correspondingly.
The present application further provides a filtering policy deleting method applied to the filtering policy management system, referring to fig. 9 and 10, the method includes:
S901, calculating a hash value according to the quintuple information of the strategy to be deleted, and searching the hash chain table structure of the second storage module for the head node consistent with the hash value;
S902, under that head node, removing the basic node matched with the quintuple information of the strategy to be deleted, and writing the updated basic node information of the hash chain table structure of the second storage module into the first storage module;
S903, determining the index value of the data block from the address storage area of the basic node, determining the bit corresponding to that data block in the second bitmap according to the index value, and setting the state of the bit to idle.
When a user needs to delete a rule, a hash value is calculated from the quintuple information of the rule to be deleted, and the head node with the corresponding number is found in the hash chain table using the hash value. If only one base node exists under the head node, that base node is removed from the hash chain table and hung back on the idle linked list (elem cache) for reuse, and the position in the first bitmap corresponding to the hash value is marked as available. The corresponding data block address is then read from the base node, and the position corresponding to that data block in the second bitmap is marked as available.
After a node is removed from the hash chain table, the data in the node and in the data block need not be erased: as long as the positions are marked available in the first bitmap and the second bitmap, the old data is simply overwritten the next time those positions are used.
If more than one base node exists under the head node, the base nodes under the head node are compared one by one until the base node matching the quintuple is found, and that node is removed. The corresponding data block address is read from the base node, and the position corresponding to that data block in the second bitmap is marked as available. It should be noted that after the node is removed, the index value of the next base node must be rewritten, because the removed node's successor now follows a different predecessor.
Further, the five-tuple information serves as the unique identifier of a filtering policy, and different five-tuples are regarded as different filtering policies. When a filtering rule is modified, what changes is the action associated with the five-tuple, for example changing the original discard action into a forward action. Modification therefore starts with a query: the hash value is calculated from the five-tuple information and the corresponding base node in the second storage module is found; the address storage area of that base node then gives the address of the data block holding the filtering rule in the first storage module, and the data in that data block is modified.
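The add, delete, modify and packet-matching procedures described above, as an added example that is not the patent's or DPtech's code: a small Python model of the two storage modules, the base-node hash chain and the two bitmaps. The hash function, the sizes, the field names and the way the first base node of a multi-node chain is deleted (which the text does not spell out) are assumptions.

```python
# Added example (not the patent's or DPtech's code); sizes, names and the hash are assumptions.
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

FiveTuple = Tuple[int, int, int, int, int]  # src ip, dst ip, src port, dst port, protocol
N_HEADS = 8      # head nodes == data blocks in the hash chain region (block index == hash)
N_TAIL = 8       # data blocks in the hash chain tail region, used on hash collisions
NO_NEXT = -1     # "no next base node" marker in an address storage area

def hash_key(ft: FiveTuple) -> int:
    return sum(ft) % N_HEADS   # toy hash; the patent fixes no function (assumption)

@dataclass
class DataBlock:               # basic storage unit of the hardware (first) module
    five_tuple: Optional[FiveTuple] = None
    action: str = ""
    next_block: int = NO_NEXT  # index of the next base node's block, for the hardware walk

@dataclass
class BaseNode:                # base node "elem" of the software (second) module
    five_tuple: Optional[FiveTuple] = None  # five-tuple storage area
    action: str = ""                        # rule storage area
    block_index: int = NO_NEXT              # address storage area: own data block ...
    next_block: int = NO_NEXT               # ... and the next base node's data block
    prev: Optional["BaseNode"] = None       # head pointer
    next: Optional["BaseNode"] = None       # tail pointer

class PolicyStore:
    def __init__(self) -> None:
        self.blocks: List[DataBlock] = [DataBlock() for _ in range(N_HEADS + N_TAIL)]
        self.heads: List[Optional[BaseNode]] = [None] * N_HEADS   # hash table of pointers
        self.free_nodes = [BaseNode() for _ in range(N_HEADS + N_TAIL)]  # idle elem cache
        self.bitmap1 = [0] * N_HEADS           # 1 = a base node exists under this head node
        self.bitmap2 = [0] * len(self.blocks)  # 1 = this data block holds a policy

    def _find(self, ft: FiveTuple) -> Optional[BaseNode]:
        node = self.heads[hash_key(ft)]        # walk the chain under the matching head node
        while node is not None and node.five_tuple != ft:
            node = node.next
        return node

    def add(self, ft: FiveTuple, action: str) -> int:
        key = hash_key(ft)                     # S701-S703; returns the index of the block used
        node = self.free_nodes.pop()                        # S701: take an idle base node
        node.five_tuple, node.action, node.next_block = ft, action, NO_NEXT
        if self.bitmap1[key] == 0:                          # (1-2): head node is empty, so the
            blk = key                                       # block with index == hash is free
            self.heads[key], self.bitmap1[key] = node, 1
        else:                                               # (1-3): collision, scan bitmap2 for
            blk = next(i for i in range(N_HEADS, len(self.blocks)) if not self.bitmap2[i])
            tail = self.heads[key]                          # (StopIteration: tail area full)
            while tail.next is not None:                    # S702: append via head/tail pointers
                tail = tail.next
            tail.next, node.prev = node, tail
            tail.next_block = blk                           # predecessor's address area ...
            self.blocks[tail.block_index].next_block = blk  # ... and its block are rewritten
        node.block_index, self.bitmap2[blk] = blk, 1
        self.blocks[blk] = DataBlock(ft, action, NO_NEXT)   # S703: write the policy to hardware
        return blk

    def delete(self, ft: FiveTuple) -> bool:
        node = self._find(ft)                  # S901-S903
        if node is None:
            return False
        key, freed = hash_key(ft), node.block_index
        if node.prev is not None:                           # middle or end of the chain:
            node.prev.next, node.prev.next_block = node.next, node.next_block
            self.blocks[node.prev.block_index].next_block = node.next_block  # rewrite index
            if node.next is not None:
                node.next.prev = node.prev
        elif node.next is not None:                         # first of several: the block at
            succ = node.next                                # index == hash anchors the hardware
            self.heads[key], succ.prev = succ, None         # walk, so the successor moves into
            self.blocks[key] = replace(self.blocks[succ.block_index])  # it (assumption: the
            freed, succ.block_index = succ.block_index, key            # patent leaves this open)
        else:                                               # only base node under this head
            self.heads[key], self.bitmap1[key] = None, 0
        self.bitmap2[freed] = 0        # S903: block idle; its stale bytes are overwritten later
        node.prev = node.next = None   # hang the elem back on the idle cache for reuse
        self.free_nodes.append(node)
        return True

    def modify(self, ft: FiveTuple, action: str) -> bool:
        node = self._find(ft)          # change of action: rewrite the base node and its block
        if node is None:
            return False
        node.action = self.blocks[node.block_index].action = action
        return True

    def match(self, ft: FiveTuple) -> Optional[str]:
        idx = hash_key(ft)             # hardware-side matching: start at block index == hash
        if not self.bitmap2[idx]:      # idle anchor block may still hold stale data
            return None
        while idx != NO_NEXT:
            blk = self.blocks[idx]
            if blk.five_tuple == ft:
                return blk.action
            idx = blk.next_block       # follow the next-node address stored in the block
        return None                    # last node reached without a hit
```

The constructed five-tuples in the usage below are chosen so that several of them collide on the toy hash, which exercises the tail area and the rewriting of next-node indices.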
Corresponding to the foregoing method embodiment, an embodiment of the present application further provides a filtering policy adding apparatus applied to the filtering policy management system. As shown in Fig. 11, the apparatus may include a data writing module 1110, a node adding module 1120 and a rule storage module 1130.
The data writing module 1110 is used to obtain a free base node and write the five-tuple of the policy to be added into the five-tuple storage area of that base node;
the node adding module 1120 is used to calculate a hash value from the five-tuple, search the hash chain table structure of the second storage module for the head node consistent with the hash value, and add the base node under that head node, where all base nodes under a head node are linked to one another through head and tail pointers;
the rule storage module 1130 is used to select a free data block in the first storage module, write the policy to be added into that data block, and write the index value of the data block into the address storage area of the base node.
Corresponding to the foregoing method embodiment, an embodiment of the present application further provides a filtering policy deleting apparatus applied to the filtering policy management system. Referring to Fig. 12, the apparatus may include a node lookup module 1210, a node removal module 1220 and a bitmap reset module 1230.
The node lookup module 1210 is used to calculate a hash value from the five-tuple of the policy to be deleted and search the hash chain table structure of the second storage module for the head node consistent with the hash value;
the node removal module 1220 is used to remove, under that head node, the base node matching the five-tuple of the policy to be deleted;
the bitmap reset module 1230 is used to determine the index value of the data block from the address storage area of the base node, determine from that index value the bit corresponding to the data block in the second bitmap, and set the state of that bit to free.
For the apparatus embodiments, since they substantially correspond to the method embodiments, reference may be made to the relevant parts of the description of the method embodiments. The apparatus embodiments described above are merely illustrative: the units described as separate parts may or may not be physically separate, and the parts shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present application. One of ordinary skill in the art can understand and implement this without inventive effort.
The systems, apparatuses, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. A typical implementation device is a computer, which may take the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, e-mail device, game console, tablet computer, wearable device, or a combination of any of these devices.
The foregoing is merely a detailed description of embodiments of the present application. It should be noted that those skilled in the art can make various modifications and improvements without departing from the principle of the embodiments of the present application, and such modifications and improvements should also be regarded as falling within the protection scope of the embodiments of the present application.

Claims (10)

1. A filtering policy management system, comprising a first storage module and a second storage module, wherein
the first storage module comprises a hash chain area and a hash chain tail area, each comprising a plurality of data blocks; each data block has an index value and stores one filtering policy; the first storage module is used to perform packet matching according to the stored filtering policies; the first storage module is a hardware module;
the second storage module comprises a hash chain table structure with a plurality of head nodes, base nodes hang under the head nodes, each base node stores one filtering policy, and the second storage module is used to receive policy management operations from a user and change the stored filtering policies accordingly; the second storage module is a software module;
the filtering policies stored in the first storage module and in the second storage module are in one-to-one correspondence, and when a filtering policy in the second storage module is changed, the corresponding filtering policy in the first storage module is changed synchronously.
2. The filtering policy management system of claim 1, wherein the base node comprises:
a five-tuple storage area for storing the five-tuple of the filtering policy;
a rule storage area for storing the processing action to be taken when the five-tuple is matched;
and an address storage area for storing the index value of the data block corresponding to this base node and the index value of the data block corresponding to the next base node, the base node and its corresponding data block storing the same filtering policy.
3. A filtering policy adding method applied to the filtering policy management system according to claim 1 or 2, wherein the method comprises:
obtaining a free base node and writing the five-tuple of the policy to be added into the five-tuple storage area of the base node;
calculating a hash value from the five-tuple, searching the hash chain table structure of the second storage module for the head node consistent with the hash value, and adding the base node under that head node, wherein each base node under the head node comprises a head pointer and a tail pointer, the head pointer linking it to the previous base node and the tail pointer linking it to the next base node;
selecting a free data block in the first storage module, writing the policy to be added into the data block, and writing the index value of the data block into the address storage area of the base node.
4. The filtering policy adding method of claim 3, wherein obtaining a free base node comprises:
taking a base node from a base node linked list, the base node linked list comprising a plurality of free base nodes linked to one another through head and tail pointers.
5. The filtering policy adding method of claim 3, wherein selecting a free data block in the first storage module comprises:
judging, by means of a first bitmap, whether any base node exists under the head node consistent with the calculated hash value, the first bitmap indicating through the state of each bit whether the corresponding head node is occupied;
if no base node exists under the head node, looking up, in the hash chain area of the first storage module, the data block whose index value equals the hash value, and taking that data block as the selected free data block;
if a base node exists under the head node, traversing a second bitmap until a free data block in the hash chain tail area of the first storage module is obtained, and taking that data block as the selected free data block, the second bitmap indicating through the state of each bit whether the corresponding data block is occupied.
6. A filtering policy deletion method applied to the filtering policy management system according to claim 1 or 2, wherein the method comprises:
calculating a hash value from the five-tuple of the policy to be deleted, and searching the hash chain table structure of the second storage module for the head node consistent with the hash value;
under that head node, removing the base node matching the five-tuple of the policy to be deleted, and writing the updated base node information of the hash chain table structure of the second storage module into the first storage module;
determining the index value of the data block from the address storage area of the base node, determining from that index value the bit corresponding to the data block in the second bitmap, and setting the state of that bit to free.
7. A filtering policy adding apparatus applied to the filtering policy management system according to claim 1 or 2, wherein the apparatus comprises:
a data writing module, used to obtain a free base node and write the five-tuple of the policy to be added into the five-tuple storage area of the base node;
a node adding module, used to calculate a hash value from the five-tuple, search the hash chain table structure of the second storage module for the head node consistent with the hash value, and add the base node under that head node, wherein each base node under the head node comprises a head pointer and a tail pointer, the head pointer linking it to the previous base node and the tail pointer linking it to the next base node;
a rule storage module, used to select a free data block in the first storage module, write the policy to be added into the data block, and write the index value of the data block into the address storage area of the base node.
8. The filtering policy adding apparatus according to claim 7, wherein the data writing module is used to take a base node from a base node linked list, the base node linked list comprising a plurality of free base nodes linked to one another through head and tail pointers.
9. The filtering policy adding apparatus according to claim 7, wherein the rule storage module is used to judge, by means of a first bitmap, whether any base node exists under the head node consistent with the calculated hash value, the first bitmap indicating through the state of each bit whether the corresponding head node is occupied; if no base node exists under the head node, to look up, in the hash chain area of the first storage module, the data block whose index value equals the hash value and take it as the selected free data block; and if a base node exists under the head node, to traverse a second bitmap until a free data block in the hash chain tail area of the first storage module is obtained and take it as the selected free data block, the second bitmap indicating through the state of each bit whether the corresponding data block is occupied.
10. A filtering policy deleting apparatus applied to the filtering policy management system according to claim 1 or 2, wherein the apparatus comprises:
a node lookup module, used to calculate a hash value from the five-tuple of the policy to be deleted and search the hash chain table structure of the second storage module for the head node consistent with the hash value;
a node removal module, used to remove, under that head node, the base node matching the five-tuple of the policy to be deleted, and to write the updated base node information of the hash chain table structure of the second storage module into the first storage module;
a bitmap reset module, used to determine the index value of the data block from the address storage area of the base node, determine from that index value the bit corresponding to the data block in the second bitmap, and set the state of that bit to free.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911267070.2A CN111131197B (en) 2019-12-11 2019-12-11 Filtering strategy management system and method thereof

Publications (2)

Publication Number Publication Date
CN111131197A (en) 2020-05-08
CN111131197B (en) 2021-12-24

Family

ID=70498730

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008003262A1 (en) * 2006-06-27 2008-01-10 Huawei Technologies Co., Ltd. A media gateway and packet-filtering method thereof
WO2009018759A1 (en) * 2007-08-08 2009-02-12 Huawei Technologies Co., Ltd. Control device, execution device, method and system of generating filter rule
CN104079526A (en) * 2013-03-25 2014-10-01 北京百度网讯科技有限公司 Traffic-filtering anti-attack method and system supporting real-time strategy loading
CN109587065A (en) * 2017-09-28 2019-04-05 北京金山云网络技术有限公司 Method, apparatus, interchanger, equipment and the storage medium to E-Packet

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
黄贤明 (Huang Xianming), "Real-time database caching mechanism based on an improved LRU algorithm" (基于LRU改进算法的实时数据库缓存机制), 工业控制计算机 (Industrial Control Computer), 2015-12-25, No. 12, full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant