CN111371779A - Firewall based on DPDK virtualization management system and implementation method thereof - Google Patents


Info

Publication number
CN111371779A
Authority
CN
China
Prior art keywords
rule
data
data packet
session
packet
Legal status
Granted
Application number
CN202010134854.4A
Other languages
Chinese (zh)
Other versions
CN111371779B (en)
Inventor
赵凯
Current Assignee
Suzhou Inspur Intelligent Technology Co Ltd
Original Assignee
Suzhou Inspur Intelligent Technology Co Ltd
Events
Application filed by Suzhou Inspur Intelligent Technology Co Ltd
Priority to CN202010134854.4A
Publication of CN111371779A
Application granted
Publication of CN111371779B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0263 Rule management
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers


Abstract

The invention provides a firewall based on a DPDK virtualization management system and a method for implementing it. The DPDK polling technique is used in place of interrupts, which solves the performance loss caused by interrupt handling; the UIO technique bypasses the kernel protocol stack and maps the packets received by the network card to the user-mode f-stack protocol stack for processing, which greatly reduces the performance consumed in capturing packets and improves the firewall's packet-processing performance. A fast-forwarding path is added before a packet enters the f-stack protocol stack: each packet captured by DPDK is checked against the session table, and a flow whose session is already established is forwarded directly from the recorded port, which reduces the performance lost by packets passing through the protocol stack, raises the packet forwarding rate and improves the data-processing performance of the virtualization management system firewall.

Description

Firewall based on DPDK virtualization management system and implementation method thereof
Technical Field
The invention relates to the technical field of firewalls, and in particular to a firewall based on a DPDK virtualization management system and a method for implementing it.
Background
With the development of optical fiber technology, network bandwidth has grown rapidly and system traffic with it. A software firewall built on the traditional network protocol stack handles each packet through a complex, costly processing flow and cannot meet the demand for high-performance processing of intensive data, so the research and development of a high-performance firewall is of great significance.
Disclosure of Invention
The invention aims to provide a firewall based on a DPDK virtualization management system and a method for implementing it, so as to solve the problems of the prior art, namely that a firewall's packet-processing flow is complex and its performance cost is high, and thereby to improve the data-processing performance of the virtualization management system firewall and reduce its performance consumption.
To achieve this technical object, the invention provides a firewall based on a DPDK virtualization management system, the firewall comprising:
a packet capture module, which receives network packets in batches in polling mode through the DPDK interface and maps the packets from kernel mode to user mode;
a session query module, which parses from the packet the five-tuple that identifies its data flow and then queries the session table; if the query fails, it tries rule matching and establishes a new session where the rule allows; if the query succeeds, the packet enters the fast-forwarding path;
a rule query module, which uses a rule matching algorithm based on a divide-and-conquer method to divide the rule set into several sub-rule sets, groups the rules according to the relations among them, selects a different query algorithm according to the characteristics of the rules in each group, and hands the packet to the f-stack protocol stack after a successful match;
a fast-forwarding module, which fast-forwards packets whose session is already established and whose data flow does not need to be processed by the protocol stack;
and a management module, which records the header information and flow direction of each packet in a log file, writes the submitted rule form into the firewall rule file and manages the firewall network policy.
Preferably, parsing from the packet the five-tuple that identifies its data flow and then querying the session table specifically includes:
taking the source IP address, destination IP address, source port, destination port and protocol type of the IP packet as a five-tuple, computing a hash value over it to identify the data flow, and using a hash lookup algorithm to query whether the flow is present in the session table.
Preferably, when the rule query module performs a rule query, it tries to match the packet against the rules of the sub-rule set in order from highest to lowest priority; if a match succeeds, the action specified by that rule is executed and the rules after it are not tried; otherwise the next rule is tried, until the last default rule, with the lowest priority, has been matched. The query result is then returned, and if the matching rule allows the packet, it is handed to the upper f-stack protocol stack for processing.
Preferably, when the fast-forwarding module performs fast forwarding, after the first packet of a data flow has been forwarded by looking up the routing table, the forwarding information is recorded in the session table, and subsequent packets of that flow are forwarded by looking up the session table directly.
Preferably, the packets that the f-stack protocol stack needs to process include the first packet received for a flow, MPLS packets, ARP packets and VLAN packets; the protocol stack also needs to record the information of each new session, including the packet's destination MAC address and forwarding port.
The invention also provides a firewall implementation method based on the DPDK virtualization management system, which comprises the following operations:
through the DPDK interface, receiving in polling mode the network packets sent by the service network card in batches, and mapping the packets from kernel mode to user mode;
parsing from the packet the five-tuple that identifies its data flow and then querying the session table; if the query fails, trying rule matching and establishing a new session where the rule allows; if the query succeeds, entering the fast-forwarding path;
for rule matching, using a rule matching algorithm based on a divide-and-conquer method to divide the rule set into several sub-rule sets, grouping the rules according to the relations among them, selecting a different query algorithm according to the characteristics of the rules in each group, and after a successful match passing the packet into the f-stack protocol stack, which processes it and returns it to the service network card;
and fast-forwarding to the service network card the packets whose session is already established and which do not need to be processed by the protocol stack.
Preferably, parsing from the packet the five-tuple that identifies its data flow and then querying the session table specifically includes:
taking the source IP address, destination IP address, source port, destination port and protocol type of the IP packet as a five-tuple, computing a hash value over it to identify the data flow, and using a hash lookup algorithm to query whether the flow is present in the session table.
Preferably, when rules are matched, the packet is tried against the rules of the sub-rule set in order from highest to lowest priority; if a match succeeds, the action specified by that rule is executed and the rules after it are not tried; otherwise the next rule is tried, until the last default rule, with the lowest priority, has been matched. The query result is then returned, and if the matching rule allows the packet, it is handed to the upper f-stack for processing.
Preferably, when fast forwarding is performed, after the first packet of a data flow has been forwarded by looking up the routing table, the forwarding information is recorded in the session table, and subsequent packets of that flow are forwarded by looking up the session table directly.
Preferably, the packets that the f-stack protocol stack needs to process include the first packet received for a flow, MPLS packets, ARP packets and VLAN packets; the protocol stack also needs to record the information of each new session, including the packet's destination MAC address and forwarding port.
The effects stated in this summary are only those of the embodiment, not all effects of the invention; one of the above technical solutions has the following advantages or beneficial effects:
compared with the prior art, the firewall is realized by providing the packet capture module, the session query module, the rule query module, the fast-forwarding module and the management module. The DPDK polling technique is used in place of interrupts, which solves the performance loss caused by interrupt handling; the UIO technique bypasses the kernel protocol stack and maps the packets received by the network card to the user-mode f-stack protocol stack for processing, which greatly reduces the performance consumed in capturing packets and improves the firewall's packet-processing performance. A fast-forwarding path is added before a packet enters the f-stack protocol stack: each packet captured by DPDK is checked against the session table, and a flow whose session is already established is forwarded directly from the recorded port, which reduces the performance lost by packets passing through the protocol stack and raises the packet forwarding rate. The invention also optimizes the rule matching algorithm: it matches rules with a query algorithm based on a divide-and-conquer method, divides the rule set into several sub-rule sets according to protocol type, which reduces the number of rules that rule matching has to search, groups the rules according to the relations among them, and selects a different query algorithm according to the characteristics of the rules in each group. This effectively improves the query efficiency within each sub-rule set, improves the overall processing performance of the rule query module and further improves the data-processing performance of the virtualization management system firewall.
Drawings
Fig. 1 is a schematic structural diagram of a firewall system based on a DPDK virtualization management system according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of the parallel packet capture process according to an embodiment of the present invention.
Detailed Description
In order to clearly explain the technical features of the present invention, the following detailed description of the present invention is provided with reference to the accompanying drawings. The following disclosure provides many different embodiments, or examples, for implementing different features of the invention. To simplify the disclosure of the present invention, the components and arrangements of specific examples are described below. Furthermore, the present invention may repeat reference numerals and/or letters in the various examples. This repetition is for the purpose of simplicity and clarity and does not in itself dictate a relationship between the various embodiments and/or configurations discussed. It should be noted that the components illustrated in the figures are not necessarily drawn to scale. Descriptions of well-known components and processing techniques and procedures are omitted so as to not unnecessarily limit the invention.
The following describes a firewall based on a DPDK virtualization management system and an implementation method thereof according to embodiments of the present invention in detail with reference to the accompanying drawings.
As shown in Fig. 1, the invention discloses a firewall based on a DPDK virtualization management system, wherein the firewall includes:
a packet capture module, which receives network packets in batches in polling mode through the DPDK interface and maps the packets from kernel mode to user mode;
a session query module, which parses the source IP address, destination IP address, source port, destination port and protocol type from the packet and then queries the session table; if the query fails, it tries rule matching and establishes a session where the rule allows; if the query succeeds, the packet enters the fast-forwarding path;
a rule query module, which uses a rule matching algorithm based on a divide-and-conquer method to divide the rule set into several sub-rule sets, groups the rules according to the relations among them, selects a different query algorithm according to the characteristics of the rules in each group, and hands the packet to the f-stack protocol stack after a successful match;
a fast-forwarding module, which fast-forwards packets whose session is already established and whose data flow does not need to be processed by the protocol stack;
and a management module, which records the header information and flow direction of each packet in a log file, writes the submitted rule form into the firewall rule file and manages the firewall network policy.
In the embodiment of the invention, the traffic handled by the packet capture module, session query module, rule query module and fast-forwarding module passes through the service network card, which carries the firewall system's service communication and improves the firewall's performance; the management module configures and manages the system through the Linux protocol stack, and a user can operate the system remotely through the management network card.
The packet capture module is implemented on DPDK (Data Plane Development Kit). DPDK provides a packet-processing function library and a set of drivers, and supplies the communication interface through which the packet capture module is implemented, so that data-plane and control-plane operations are integrated to improve packet-processing efficiency. Received packets are mapped from kernel mode to user mode by the packet capture module, and packet capture performance directly affects the performance of the whole system.
Since DPDK has a multi-core, multi-threaded architecture, packets can be captured in parallel, as shown in Fig. 2.
The advantage of this is that, using CPU affinity, each execution thread is bound to a different CPU logical core, with one logical core assigned exclusively to each thread, and the packets received by the network card are then distributed among the CPUs for processing, which reduces the load on any single CPU core.
A network card with multiple queues can use RSS to compute a hash value for each data flow; different flows are assigned to different queues according to a distribution strategy and then handed to a specific CPU thread for processing, which achieves load balancing and flow distribution of received packets across multiple CPUs. At the same time, because the DPDK network card driver runs in user mode, network packets are received in batches in polling mode and mapped into user mode through UIO (Userspace I/O) for use by the application; the packets do not need to be copied in memory as they are in the working mode of a traditional protocol stack, which greatly improves packet capture performance.
The session query module comprises three parts: session data structure design, session table maintenance and session query. It parses the source IP address, destination IP address, source port, destination port and protocol type from a packet captured by DPDK and then queries the session table; if the query fails, it tries rule matching and establishes a new session where the rule allows; if the query succeeds, the packet enters the fast-forwarding path.
In this module, for the data structure design, the source IP address, destination IP address, source port, destination port and protocol type of the IP packet are taken as a five-tuple, a hash value is computed over it to identify the data flow, and a hash lookup algorithm is used to query whether the flow is present in the session table. For session table maintenance, a check period and a session timeout are configured; the session table is checked at each period, and any session that has timed out is deleted from the table, which keeps the system's session-lookup performance at a high level.
The rule query module performs the rule query for a packet. A rule in the firewall rule set comprises the packet's source/destination IP address, source/destination port, source/destination MAC address, protocol type and the processing action. In the embodiment of the invention, a rule matching algorithm based on a divide-and-conquer method is adopted: the rule set is divided into sub-rule sets according to a classification scheme, the rules are grouped according to the relations among them, and a different query algorithm is selected according to the characteristics of the rules in each group. The packet is tried against the rules of the sub-rule set in order from highest to lowest priority; if a match succeeds, the action specified by that rule is executed and the rules after it are not tried; otherwise the next rule is tried, until the last default rule, with the lowest priority, has been matched. The query result is then returned, and if the matching rule allows the packet, it is handed to the upper f-stack protocol stack (a high-performance user-mode network access development kit) for processing.
The fast-forwarding module performs fast forwarding of packets: it handles packets whose session is already established and whose data flow does not need to pass through the protocol stack.
A data flow is identified by its five-tuple (source IP address, destination IP address, source port, destination port and protocol type). After the first packet of a data flow has been forwarded by looking up the routing table, the forwarding information is recorded in the session table, and subsequent packets of that flow are forwarded by looking up the session table directly. A single session query on a packet is therefore enough to obtain its forwarding information, after which the packet is forwarded directly according to that information; this greatly reduces the queuing that IP packets undergo, shortens their forwarding time and increases the IP packet forwarding speed.
The packets to be processed by the f-stack protocol stack include the first packet received for a flow, MPLS packets, ARP packets, VLAN packets and so on. The f-stack protocol stack also needs to record the information of each newly created session, including the packet's destination MAC address and forwarding port, so that packets can be fast-forwarded. In addition, the user-mode protocol stack provides the route lookup function.
The management module manages packet records: as a packet passes through the session query module, the fast-forwarding module and the rule query module, its header information and flow direction are recorded in a log file, which eases management and maintenance of the system. The management module provides a human-machine interface: a service program developed in PHP processes the rule form submitted by the user, writes the rules into the firewall system's rule file and, deployed on an nginx server, is presented to the user as a Web page. It thus provides functions for adding, deleting, modifying and querying firewall rules, so that the user can conveniently manage the implementation of network policies.
The embodiment of the invention realizes the firewall by providing the packet capture module, the session query module, the rule query module, the fast-forwarding module and the management module. The DPDK polling technique is used in place of interrupts, which solves the performance loss caused by interrupt handling; the UIO technique bypasses the kernel protocol stack and maps the packets received by the network card to the user-mode f-stack protocol stack for processing, which greatly reduces the performance consumed in capturing packets and improves the firewall's packet-processing performance. A fast-forwarding path is added before a packet enters the f-stack protocol stack: each packet captured by DPDK is checked against the session table, and a flow whose session is already established is forwarded directly from the recorded port, which reduces the performance lost by packets passing through the protocol stack and raises the packet forwarding rate. The invention also optimizes the rule matching algorithm: it matches rules with a query algorithm based on a divide-and-conquer method, divides the rule set into several sub-rule sets according to protocol type, which reduces the number of rules that rule matching has to search, groups the rules according to the relations among them, and selects a different query algorithm according to the characteristics of the rules in each group. This effectively improves the query efficiency within each sub-rule set, improves the overall processing performance of the rule query module and further improves the data-processing performance of the virtualization management system firewall.
The embodiment of the invention also discloses a firewall implementation method based on the DPDK virtualization management system, which comprises the following operations:
through the DPDK interface, receiving in polling mode the network packets sent by the service network card in batches, and mapping the packets from kernel mode to user mode;
parsing from the packet the five-tuple that identifies its data flow and then querying the session table; if the query fails, trying rule matching and establishing a new session where the rule allows; if the query succeeds, entering the fast-forwarding path;
for rule matching, using a rule matching algorithm based on a divide-and-conquer method to divide the rule set into several sub-rule sets, grouping the rules according to the relations among them, selecting a different query algorithm according to the characteristics of the rules in each group, and after a successful match passing the packet into the f-stack protocol stack, which processes it and returns it to the service network card;
and fast-forwarding to the service network card the packets whose session is already established and which do not need to be processed by the protocol stack.
Packet capture is implemented on DPDK. DPDK provides a packet-processing function library and a set of drivers, and supplies the communication interface through which packet capture is implemented, which makes it convenient to integrate data-plane and control-plane operations to improve packet-processing efficiency. Received packets are mapped from kernel mode to user mode by packet capture, and packet capture performance directly affects the performance of the whole system.
Since DPDK has a multi-core, multi-threaded architecture, packets can be captured in parallel.
The advantage of this is that, using CPU affinity, each execution thread is bound to a different CPU logical core, with one logical core assigned exclusively to each thread, and the packets received by the network card are then distributed among the CPUs for processing, which reduces the load on any single CPU core.
A network card with multiple queues can use RSS to compute a hash value for each data flow; different flows are assigned to different queues according to a distribution strategy and then handed to a specific CPU thread for processing, which achieves load balancing and flow distribution of received packets across multiple CPUs. At the same time, because the DPDK network card driver runs in user mode, network packets are received in batches in polling mode and mapped into user mode through UIO (Userspace I/O) for use by the application; the packets do not need to be copied in memory as they are in the working mode of a traditional protocol stack, which greatly improves packet capture performance.
And performing session query according to the data packet. The session query comprises three parts, namely session data structure design, session table maintenance and session query, and is used for analyzing a source IP address, a destination IP address, a source port, a destination port and protocol type information from a data packet captured by the DPDK and then performing session query, trying rule matching if the query fails and establishing a session under the condition that the rule allows; and if the query is successful, entering a fast forwarding path.
For the data structure design, a source IP address, a destination IP address, a source port, a destination port and a protocol type of an IP message are used as a quintuple, a hash value is calculated to identify data flow, and whether the data flow is in a session list or not is inquired by utilizing a hash searching algorithm. For the maintenance of the session table, a period of time is set, the session table is checked periodically, the timeout time of the session is specified, the session is deleted from the session table once the session is timed out, and the performance of the system for inquiring the session table is ensured to be maintained at a high level through the maintenance of the session table.
For a data packet whose session query fails, a rule query is performed. Each rule in the firewall rule set comprises source/destination IP addresses, source/destination ports, source/destination MAC addresses, a protocol type and the processing action to apply to the data packet. The embodiment of the invention adopts a rule matching algorithm based on a divide-and-conquer method: the rule set is divided into sub-rule sets according to a classification scheme, the rules are grouped according to the relations among them, and a different query algorithm is selected according to the characteristics of the rules in each group. The data packet is matched against the rules of a sub-rule set in order from highest to lowest priority. If a rule matches, the action it specifies is executed and no further rules are tried; otherwise the next rule is tried, down to the last, lowest-priority default rule, which always matches. The query result is then returned, and if the matching rule allows the packet, the packet is handed to the upper f-stack (a user-space high-performance network development kit) protocol stack for processing.
A packet whose session query succeeds is fast-forwarded: it belongs to a data flow for which a session has already been established, and the packets of such a flow are handled on the data-flow path without passing through the protocol stack.
A data flow is identified by a five-tuple (source IP address, destination IP address, source port, destination port and protocol type). After the first packet of a data flow has been forwarded by looking up the routing table, the forwarding information is recorded in the session table, and subsequent packets of the same flow are forwarded by looking up the session table directly. A single session lookup per packet therefore yields the forwarding information, and the packet is forwarded according to it, which greatly shortens the queuing of IP packets, reduces per-packet forwarding time and raises the IP forwarding rate.
The data packets that must be processed by the f-stack protocol stack include the first packet received for a flow, MPLS packets, ARP packets, VLAN packets and the like. The f-stack protocol stack also records the information of each newly created session, including the destination MAC address and the forwarding port of the data packet, so that later packets of the flow can be fast-forwarded. In addition, the user-space protocol stack provides route lookup.
When a data packet goes through session query, fast forwarding or rule query, its packet header information and flow direction are recorded in a log file, which facilitates management and maintenance of the system. The embodiment of the invention also provides a human-machine interface: a service program written in PHP processes the rule form submitted by the user and writes the rules into the rule file of the firewall system. The program is deployed on an nginx server and presented to the user as a Web page, providing functions for adding, deleting, modifying and querying firewall rules, so that the user can conveniently manage the implementation of the network policy.
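The session query, rule query and fast-forward steps described above, written out as one added example in plain C. This is not the patent's code and uses no DPDK or F-Stack API: the FNV-1a hash, the open-addressing session table, the "0 means any" rule wildcard, the stand-in route lookup and the sample rule set and flows are all assumptions constructed for the example.

```c
#include <stdint.h>
#include <string.h>

#define SESSION_BUCKETS 256
enum action  { ACT_DENY = 0, ACT_ALLOW = 1 };
enum verdict { V_DROP = 0, V_NEW_SESSION = 1, V_FAST_PATH = 2 };

struct tuple5 {                     /* five-tuple identifying a data flow */
    uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; uint8_t proto;
};
struct session {                    /* session entry with cached forwarding info */
    struct tuple5 key; uint8_t dst_mac[6]; uint16_t out_port; int in_use;
};
struct rule {                       /* 0 in a match field means "any" (assumption) */
    uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; uint8_t proto;
    int priority;                   /* array must be ordered by descending priority */
    enum action act;
};

static struct session session_table[SESSION_BUCKETS];

/* FNV-1a over the five fields only, so struct padding never enters the hash */
static uint32_t hash_tuple(const struct tuple5 *t)
{
    uint8_t buf[13];
    memcpy(buf, &t->src_ip, 4);       memcpy(buf + 4, &t->dst_ip, 4);
    memcpy(buf + 8, &t->src_port, 2); memcpy(buf + 10, &t->dst_port, 2);
    buf[12] = t->proto;
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < sizeof buf; i++) { h ^= buf[i]; h *= 16777619u; }
    return h;
}
static int tuple_eq(const struct tuple5 *a, const struct tuple5 *b)
{
    return a->src_ip == b->src_ip && a->dst_ip == b->dst_ip && a->proto == b->proto &&
           a->src_port == b->src_port && a->dst_port == b->dst_port;
}

/* session query: hash the five-tuple, then probe linearly for the key */
struct session *session_lookup(const struct tuple5 *k)
{
    uint32_t i = hash_tuple(k) % SESSION_BUCKETS;
    for (int n = 0; n < SESSION_BUCKETS; n++, i = (i + 1) % SESSION_BUCKETS) {
        if (!session_table[i].in_use) return NULL;
        if (tuple_eq(&session_table[i].key, k)) return &session_table[i];
    }
    return NULL;
}
/* new session: records the flow key plus destination MAC and forwarding port */
static struct session *session_insert(const struct tuple5 *k, const uint8_t mac[6],
                                      uint16_t port)
{
    uint32_t i = hash_tuple(k) % SESSION_BUCKETS;
    for (int n = 0; n < SESSION_BUCKETS; n++, i = (i + 1) % SESSION_BUCKETS) {
        struct session *s = &session_table[i];
        if (s->in_use) continue;
        s->in_use = 1; s->key = *k; s->out_port = port; memcpy(s->dst_mac, mac, 6);
        return s;
    }
    return NULL;                    /* table full: caller drops the packet */
}

/* rule query: first match from highest to lowest priority; the last rule is the
 * all-"any" default rule, so the scan always ends on a match */
enum action rule_query(const struct rule *rules, int n, const struct tuple5 *k)
{
    for (int i = 0; i < n; i++) {
        const struct rule *r = &rules[i];
        if ((r->src_ip && r->src_ip != k->src_ip) || (r->dst_ip && r->dst_ip != k->dst_ip) ||
            (r->src_port && r->src_port != k->src_port) ||
            (r->dst_port && r->dst_port != k->dst_port) || (r->proto && r->proto != k->proto))
            continue;
        return r->act;              /* later rules are not tried */
    }
    return ACT_DENY;                /* only reached if no default rule exists */
}

/* one packet through the pipeline: session hit -> fast path; miss -> rule query;
 * on allow, a (constructed) route lookup fills the new session and the first
 * packet is handed to the protocol stack */
enum verdict process_packet(const struct rule *rules, int nrules, const struct tuple5 *k,
                            uint16_t *out_port)
{
    struct session *s = session_lookup(k);
    if (s) { *out_port = s->out_port; return V_FAST_PATH; }
    if (rule_query(rules, nrules, k) != ACT_ALLOW) return V_DROP;
    uint8_t mac[6] = { 0, 0, 0, 0, 0, (uint8_t)(k->dst_ip & 0xff) };   /* fake next hop */
    uint16_t port = (k->dst_ip >> 24) == 10 ? 1 : 0;                    /* fake egress */
    if (!session_insert(k, mac, port)) return V_DROP;
    *out_port = port;
    return V_NEW_SESSION;
}

/* constructed sample rule set and flows: allow TCP/22, deny everything else */
const struct rule sample_rules[] = {
    { 0, 0, 0, 22, 6, 100, ACT_ALLOW },   /* any -> any:22/tcp */
    { 0, 0, 0,  0, 0,   0, ACT_DENY  },   /* default rule, lowest priority */
};
const struct tuple5 sample_ssh    = { 0xc0a80102u, 0x0a000001u, 51000, 22, 6 };
const struct tuple5 sample_telnet = { 0xc0a80102u, 0x0a000001u, 51001, 23, 6 };

/* runs the three sample packets; returns the verdicts as digits: ssh#1, ssh#2, telnet */
int example_verdicts(void)
{
    uint16_t port = 0;
    int a = process_packet(sample_rules, 2, &sample_ssh, &port);    /* V_NEW_SESSION */
    int b = process_packet(sample_rules, 2, &sample_ssh, &port);    /* V_FAST_PATH */
    int c = process_packet(sample_rules, 2, &sample_telnet, &port); /* V_DROP */
    return a * 100 + b * 10 + c;
}
```

The first SSH packet misses the session table, is allowed by the rule query and creates a session; the second packet of the same five-tuple hits the session and takes the fast path without touching the rule set; the telnet packet falls through to the default rule and is dropped. Hashing only the five fields (not the raw struct) matters because padding bytes are indeterminate and would make equal keys hash differently. The divide-and-conquer split of the rule set into sub-rule sets is not shown; the scan here is the priority-ordered first-match inside one group.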
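The rule file written by the management service is consumed directly by the firewall data path, so a practitioner would validate every field of a submitted rule against a strict grammar before it is written. The patent text does not describe that validation step; the following is an added example, not the patent's PHP service, written in C to match the rest of the page. The one-rule-per-line "key=value" format, the "any" wildcard and the sample lines are assumptions constructed for the example.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

struct rule_line {
    char src_ip[16], dst_ip[16];    /* dotted quad or "any" */
    int  src_port, dst_port;        /* 0 = any */
    char src_mac[18], dst_mac[18];  /* aa:bb:cc:dd:ee:ff or "any" */
    char proto[4];                  /* tcp, udp, any */
    char action[6];                 /* allow, deny */
};

/* strict dotted quad: exactly four decimal octets 0..255 and nothing else */
static int valid_ipv4(const char *s)
{
    if (strcmp(s, "any") == 0) return 1;
    int octets = 0;
    while (*s) {
        if (!isdigit((unsigned char)*s)) return 0;
        int v = 0, digits = 0;
        while (isdigit((unsigned char)*s)) {
            v = v * 10 + (*s++ - '0');
            if (++digits > 3 || v > 255) return 0;
        }
        octets++;
        if (*s == '.') { s++; if (!*s) return 0; }   /* reject a trailing dot */
    }
    return octets == 4;
}
/* six colon-separated hex pairs, or "any" */
static int valid_mac(const char *s)
{
    if (strcmp(s, "any") == 0) return 1;
    if (strlen(s) != 17) return 0;
    for (int i = 0; i < 17; i++) {
        if (i % 3 == 2) { if (s[i] != ':') return 0; }
        else if (!isxdigit((unsigned char)s[i])) return 0;
    }
    return 1;
}
/* "any" -> 0, otherwise a whole decimal number in 1..65535 */
static int parse_port(const char *s, int *out)
{
    if (strcmp(s, "any") == 0) { *out = 0; return 1; }
    char *end; long v = strtol(s, &end, 10);
    if (*s == '\0' || *end != '\0' || v < 1 || v > 65535) return 0;
    *out = (int)v; return 1;
}
static int copy_field(char *dst, size_t cap, const char *src)
{
    size_t n = strlen(src);
    if (n == 0 || n >= cap) return 0;   /* empty or would not fit */
    memcpy(dst, src, n + 1); return 1;
}

/* returns 1 only if every field is present exactly once and well formed */
int parse_rule_line(const char *line, struct rule_line *r)
{
    char buf[256]; unsigned seen = 0;
    if (strlen(line) >= sizeof buf) return 0;
    strcpy(buf, line);
    memset(r, 0, sizeof *r);
    for (char *tok = strtok(buf, " \t\r\n"); tok; tok = strtok(NULL, " \t\r\n")) {
        char *eq = strchr(tok, '=');
        if (!eq) return 0;
        *eq = '\0'; const char *v = eq + 1;
        unsigned bit; int ok;
        if      (!strcmp(tok, "src"))    { bit = 1;   ok = valid_ipv4(v) && copy_field(r->src_ip, sizeof r->src_ip, v); }
        else if (!strcmp(tok, "dst"))    { bit = 2;   ok = valid_ipv4(v) && copy_field(r->dst_ip, sizeof r->dst_ip, v); }
        else if (!strcmp(tok, "sport"))  { bit = 4;   ok = parse_port(v, &r->src_port); }
        else if (!strcmp(tok, "dport"))  { bit = 8;   ok = parse_port(v, &r->dst_port); }
        else if (!strcmp(tok, "smac"))   { bit = 16;  ok = valid_mac(v) && copy_field(r->src_mac, sizeof r->src_mac, v); }
        else if (!strcmp(tok, "dmac"))   { bit = 32;  ok = valid_mac(v) && copy_field(r->dst_mac, sizeof r->dst_mac, v); }
        else if (!strcmp(tok, "proto"))  { bit = 64;  ok = (!strcmp(v, "tcp") || !strcmp(v, "udp") || !strcmp(v, "any")) && copy_field(r->proto, sizeof r->proto, v); }
        else if (!strcmp(tok, "action")) { bit = 128; ok = (!strcmp(v, "allow") || !strcmp(v, "deny")) && copy_field(r->action, sizeof r->action, v); }
        else return 0;                              /* unknown key */
        if (!ok || (seen & bit)) return 0;          /* bad value or duplicate key */
        seen |= bit;
    }
    return seen == 0xff;
}

/* helpers that check a line without a caller-side struct */
int rule_line_ok(const char *line)    { struct rule_line r; return parse_rule_line(line, &r); }
int rule_line_dport(const char *line) { struct rule_line r; return parse_rule_line(line, &r) ? r.dst_port : -1; }
```

Everything the validator does not recognise is rejected rather than passed through: an unknown key, a repeated key, a missing field, an out-of-range port, a malformed address or MAC, or a line longer than the buffer. An allow-list of exact tokens like this is what keeps form input from reaching the rule file in a shape the data path does not expect.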
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and improvements made within the spirit and principle of the present invention are intended to be included within the scope of the present invention.

Claims (10)

1. A firewall based on a DPDK virtualization management system, the firewall comprising:
the data packet capturing module is used for receiving network data packets in batches by using a polling mode based on a DPDK interface and mapping the data packets from a kernel mode to a user mode;
the session query module is used for analyzing quintuple data information of the identification data stream from the data packet and then performing session query, trying rule matching if the query fails, and establishing a new session under the condition that the rule allows; if the query is successful, entering a fast-forwarding path;
the rule query module is used for dividing the rule set into a plurality of sub-rule sets by adopting a rule matching algorithm based on a divide-and-conquer method, grouping the rules according to the relation among the rules, selecting different query algorithms according to the rule characteristics in the groups, and entering an f-stack protocol stack after matching is successful;
the fast forwarding module is used for fast forwarding the data packet which is established with the session and the data stream does not need to be processed by a protocol stack;
and the management module is used for recording the packet header information and the data packet flow direction of the data packet into a log file, writing the rule form into a firewall rule file and managing the firewall network policy.
2. The firewall based on the DPDK virtualization management system according to claim 1, wherein the session query after analyzing the quintuple data information identifying the data stream from the data packet specifically includes:
and taking the source IP address, the destination IP address, the source port, the destination port and the protocol type of the IP message as a five-tuple, calculating a hash value to identify the data flow, and inquiring whether the flow is in the session table by utilizing a hash lookup algorithm.
3. The firewall based on the DPDK virtualization management system of claim 1, wherein the rule query module, when querying the rule, tries to match the data packet with the rules in the sub-rule set in sequence from high to low according to the priority of the rule, if matching is successful, executes the action specified by the rule and does not try to match the following rule any more, otherwise tries to match the next rule until the last default rule with the lowest priority is completely matched, returns the query result, and if the rule allows, passes the data packet to the upper f-stack for processing.
4. The firewall based on the DPDK virtualization management system of claim 1, wherein when the fast forwarding module performs fast forwarding, after a first packet of a data stream has been forwarded by looking up a routing table, the forwarding information is recorded in a session table, and subsequent packets of the data stream are forwarded by looking up the session table directly.
5. The firewall based on the DPDK virtualization management system of claim 1, wherein the data packets that the f-stack needs to process include the first received data packet, MPLS packet, ARP packet, and VLAN packet, and further needs to record information of each new session, including the destination MAC address and the forwarding port of the data packet.
6. A firewall implementation method based on a DPDK virtualization management system is characterized by comprising the following operations:
based on a DPDK interface, receiving network data packets sent by a service network card in batch by using a polling mode, and mapping the data packets from a kernel mode to a user mode;
analyzing quintuple data information of the identification data stream from the data packet and then inquiring the session, if the inquiry is failed, trying rule matching, and establishing a new session under the condition that the rule allows; if the query is successful, entering a fast-forwarding path;
for rule matching, a rule matching algorithm based on a divide-and-conquer method is adopted to divide a rule set into a plurality of sub-rule sets, the rules are grouped according to the relation among the rules, different query algorithms are selected according to the rule characteristics in the groups, and after matching is successful, the rules enter an f-stack protocol stack and are processed by the protocol stack to return to a service network card;
and rapidly forwarding the data packet which is established with the session and does not need to be processed by the protocol stack to the service network card.
7. The firewall implementation method based on the DPDK virtualization management system according to claim 6, wherein the session query after analyzing the quintuple data information of the identification data stream from the data packet specifically includes:
and taking the source IP address, the destination IP address, the source port, the destination port and the protocol type of the IP message as a five-tuple, calculating a hash value to identify the data flow, and inquiring whether the flow is in the session table by utilizing a hash lookup algorithm.
8. The firewall implementation method based on the DPDK virtualization management system according to claim 6, wherein when the rule is matched, the data packet is tried against the rules in the sub-rule set in order from highest to lowest priority; if the matching succeeds, the action specified by the rule is executed and the following rules are not tried; otherwise the next rule is tried, until the last, lowest-priority default rule has been matched; the query result is returned, and if the rule allows, the data packet is handed to the upper f-stack protocol stack for processing.
9. The firewall implementation method based on the DPDK virtualization management system according to claim 6, wherein when performing fast forwarding, after a first packet of a data stream has been forwarded by looking up a routing table, the forwarding information is recorded in a session table, and subsequent packets of the data stream are forwarded by looking up the session table directly.
10. The method as claimed in claim 6, wherein the data packets that the f-stack protocol stack needs to process include a first received data packet, an MPLS packet, an ARP packet, and a VLAN packet, and further record information of each new session, including a destination MAC address and a forwarding port of the data packet.
CN202010134854.4A 2020-02-29 2020-02-29 Firewall based on DPDK virtualization management system and implementation method thereof Active CN111371779B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010134854.4A CN111371779B (en) 2020-02-29 2020-02-29 Firewall based on DPDK virtualization management system and implementation method thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010134854.4A CN111371779B (en) 2020-02-29 2020-02-29 Firewall based on DPDK virtualization management system and implementation method thereof

Publications (2)

Publication Number Publication Date
CN111371779A true CN111371779A (en) 2020-07-03
CN111371779B CN111371779B (en) 2022-05-10

Family

ID=71210257

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010134854.4A Active CN111371779B (en) 2020-02-29 2020-02-29 Firewall based on DPDK virtualization management system and implementation method thereof

Country Status (1)

Country Link
CN (1) CN111371779B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105634958A (en) * 2015-12-24 2016-06-01 东软集团股份有限公司 Packet forwarding method and device based on multi-core system
CN107196870A (en) * 2017-07-20 2017-09-22 哈尔滨工业大学 A kind of flow dynamics load-balancing method based on DPDK
CN107888500A (en) * 2017-11-03 2018-04-06 东软集团股份有限公司 Message forwarding method and device, storage medium, electronic equipment
CN109379303A (en) * 2018-08-22 2019-02-22 华东计算技术研究所(中国电子科技集团公司第三十二研究所) Parallelization processing framework system and method based on improving performance of gigabit Ethernet
CN110768994A (en) * 2019-10-30 2020-02-07 中电福富信息科技有限公司 Method for improving SIP gateway performance based on DPDK technology

Cited By (25)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111953706A (en) * 2020-08-21 2020-11-17 公安部第三研究所 Method for identifying mobile application based on HTTPS flow information
CN112153005A (en) * 2020-08-26 2020-12-29 广东网堤信息安全技术有限公司 Architecture of TCPUDP data packet forwarding system
CN112769748A (en) * 2020-12-07 2021-05-07 浪潮云信息技术股份公司 DPDK-based ACL packet filtering method
CN112769748B (en) * 2020-12-07 2022-05-31 浪潮云信息技术股份公司 DPDK-based ACL packet filtering method
CN112737966A (en) * 2020-12-23 2021-04-30 北京浪潮数据技术有限公司 Load balancing method and related device
CN113098925B (en) * 2021-03-06 2022-03-11 郑州信大捷安信息技术股份有限公司 Method and system for realizing dynamic proxy based on F-Stack and Nginx
CN113098925A (en) * 2021-03-06 2021-07-09 郑州信大捷安信息技术股份有限公司 Method and system for realizing dynamic proxy based on F-Stack and Nginx
CN113518270A (en) * 2021-05-24 2021-10-19 北京邮电大学 Heterogeneous data acquisition device and method for mobile network
CN113434287A (en) * 2021-06-03 2021-09-24 中国联合网络通信集团有限公司 Task data transmission method, system, electronic device and storage medium
CN113630342B (en) * 2021-06-25 2023-08-15 济南浪潮数据技术有限公司 Forwarding table management method, system and device of virtual switch
CN113630342A (en) * 2021-06-25 2021-11-09 济南浪潮数据技术有限公司 Forwarding table management method, system and device of virtual switch
CN113535433B (en) * 2021-07-21 2023-08-11 广州市品高软件股份有限公司 Control forwarding separation method, device, equipment and storage medium based on Linux system
CN113535433A (en) * 2021-07-21 2021-10-22 广州市品高软件股份有限公司 Control forwarding separation method, device, equipment and storage medium based on Linux system
CN113839937A (en) * 2021-09-15 2021-12-24 神州网云(北京)信息技术有限公司 Method and system for detecting unknown Trojan horse by using cross-session technology based on network flow
CN115883440A (en) * 2021-09-27 2023-03-31 成都鼎桥通信技术有限公司 Data processing method, device, equipment and storage medium
CN114172695A (en) * 2021-11-22 2022-03-11 闪捷信息科技有限公司 Serial firewall message forwarding method, device, equipment and storage medium
CN116319510A (en) * 2021-12-21 2023-06-23 达发科技(苏州)有限公司 Vector packet processing and forwarding method
CN114640515A (en) * 2022-03-09 2022-06-17 京东科技信息技术有限公司 Data processing method and device based on flow blocking and related equipment
CN115225483A (en) * 2022-06-29 2022-10-21 北京天融信网络安全技术有限公司 Data packet forwarding method, electronic device and storage medium
CN115225483B (en) * 2022-06-29 2024-08-13 北京天融信网络安全技术有限公司 Data packet forwarding method, electronic device and storage medium
CN115473811A (en) * 2022-09-21 2022-12-13 西安超越申泰信息科技有限公司 Network performance optimization method, device, equipment and medium
CN115858152A (en) * 2022-11-27 2023-03-28 北京泰策科技有限公司 DNS load balancing performance optimization scheme based on single port
CN115858152B (en) * 2022-11-27 2024-05-28 北京泰策科技有限公司 DNS load balancing performance optimization scheme based on single port
CN116527410A (en) * 2023-07-05 2023-08-01 北京亿赛通科技发展有限责任公司 Firewall multiprocess processing method and device in reverse proxy mode
CN116527410B (en) * 2023-07-05 2023-09-26 北京亿赛通科技发展有限责任公司 Firewall multiprocess processing method and device in reverse proxy mode

Also Published As

Publication number Publication date
CN111371779B (en) 2022-05-10

Similar Documents

Publication Publication Date Title
CN111371779B (en) Firewall based on DPDK virtualization management system and implementation method thereof
US10735325B1 (en) Congestion avoidance in multipath routed flows
US11677851B2 (en) Accelerated network packet processing
US9614762B2 (en) Work migration in a processor
US9531723B2 (en) Phased bucket pre-fetch in a network processor
US10778588B1 (en) Load balancing for multipath groups routed flows by re-associating routes to multipath groups
CN108833299B (en) Large-scale network data processing method based on reconfigurable switching chip architecture
JP3645734B2 (en) Network relay device and network relay method
US8638793B1 (en) Enhanced parsing and classification in a packet processor
US10693790B1 (en) Load balancing for multipath group routed flows by re-routing the congested route
US11729300B2 (en) Generating programmatically defined fields of metadata for network packets
US20130128742A1 (en) Internet Real-Time Deep Packet Inspection and Control Device and Method
US9590922B2 (en) Programmable and high performance switch for data center networks
US10819640B1 (en) Congestion avoidance in multipath routed flows using virtual output queue statistics
US10397116B1 (en) Access control based on range-matching
US20130294231A1 (en) Method of high-speed switching for network virtualization and high-speed virtual switch architecture
CN112118167A (en) Method for quickly transmitting cross-network tunnel data
US10887234B1 (en) Programmatic selection of load balancing output amongst forwarding paths
CN113726636A (en) Data forwarding method and system of software forwarding equipment and electronic equipment
US20190044873A1 (en) Method of packet processing using packet filter rules
TW202327316A (en) Method for fowarding vector packet processing
CN117336246A (en) Data message processing method and device, electronic equipment and storage medium
CN117793031A (en) Flow scheduling system and scheduling method for multi-core SDN switch
CN118474055A (en) Core state virtual switch of information creation operating system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant