CN112769748B - DPDK-based ACL packet filtering method - Google Patents
Classifications
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/0227—Filtering policies
- H04L63/0263—Rule management
- H04L63/101—Access control lists [ACL]
Abstract
The invention relates to the technical field of communication and provides a DPDK-based ACL packet filtering method comprising the following steps: S1, capturing a data packet; S2, selecting a quintuple from the data packet; S3, managing ACL rules; S4, storing the ACL table in an ovsdb database; S5, sending the data packet out of the corresponding port; S6, DPDK receiving the network data packet; S7, extracting the quintuple from the data packet; S8, accessing the ACL table; and S9, choosing to discard or accept the data packet. Compared with the prior art, the invention wraps an additional filtering layer around the existing processing, allows finer-grained access control by port and by traffic direction, and is therefore more secure.
Description
Technical Field
The invention relates to the technical field of communication, and particularly provides a DPDK-based ACL packet filtering method.
Background
Cloud computing offers users a convenient way to consume resources and to scale them flexibly, by virtualising and abstracting compute, network and storage. Interconnecting the OVS virtual switch with the physical switch at layer 2 expands the network while saving physical resources, which is one reason virtualisation has been adopted at scale.
As networks keep growing, so does the demand for packet processing; traditional packet processing requires the application and its data to cross into kernel mode, which inevitably reduces processing efficiency.
Disclosure of Invention
To address the shortcomings of the prior art, the invention provides a DPDK-based ACL packet filtering method of strong practical value.
The technical scheme adopted by the invention for solving the technical problem is as follows:
a DPDK-based ACL packet filtering method comprises the following steps:
S1, capturing a data packet;
S2, selecting a quintuple from the data packet;
S3, managing ACL rules;
S4, storing the ACL table in an ovsdb database;
S5, sending the data packet out of the corresponding port;
S6, DPDK receiving the network data packet;
S7, extracting the quintuple from the data packet;
S8, accessing the ACL table;
and S9, choosing to discard or accept the data packet.
Further, in step S1, the packet arrives at the network card and is handed to the datapath (the user-mode data path).
Further, in step S2, a quintuple is formed from the packet's source IP address, destination IP address, source port, destination port and network protocol; the quintuple is matched against each rule in the ACL table to decide whether to discard the packet or proceed to the next step.
Further, in step S3, the existing ACL rules are managed, including modifying rule content and adding or deleting rules, and the modifications are stored.
Further, in step S4, storage of the ACL table is taken over by ovsdb: the ovs architecture has a corresponding ovsdb database storage service, and the ACL function is implemented through flow table control under the OpenFlow protocol.
Further, in step S5, after ACL filtering and the subsequent stages of flow table matching, the packet is sent out of the corresponding port and received at the destination port of the corresponding destination address.
Further, in step S6, the DPDK receives network packets by polling and maps them from kernel mode into user mode for processing.
Further, in step S7, the five-tuple used for rule matching is extracted from the packet; it consists of the source IP address, destination IP address, source port, destination port and network protocol.
Further, in step S8, the ACL table is accessed, the packet's next action is determined, and the packet is either discarded or accepted.
Further, in step S9, if the packet is discarded, its processing ends; if it is accepted, the next-level flow table is matched according to the action, NAT mapping between the EIP and the FIP is performed, and the server resource in the VPC is accessed.
Compared with the prior art, the DPDK-based ACL packet filtering method has the following advantages:
(1) Compared with plain NAT mapping, the invention wraps an additional filtering layer around it, allowing finer-grained access control by port and by traffic direction, and is therefore more secure.
(2) Without a controller, manual configuration of flow table rules is tedious. Binding ACL rules one-to-one to EIPs reduces the number of filtering rules that must be configured by hand each time a NAT mapping is created, makes the method more convenient to use, and avoids wasted resources when filtering rules are created and deleted.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
FIG. 1 is a schematic flow chart of the DPDK-based ACL packet filtering method;
FIG. 2 is a schematic structural diagram of the DPDK-based ACL packet filtering method.
Detailed Description
The present invention will be described in further detail with reference to specific embodiments in order to better understand the technical solutions of the present invention. It is to be understood that the described embodiments are merely exemplary of the invention, and not restrictive of the full scope of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
A preferred embodiment is given below.
As shown in FIG. 1 and FIG. 2, the DPDK-based ACL packet filtering method of this embodiment includes the following steps:
S1, capturing a data packet:
after the packet arrives at the network card, it is handed to the datapath (the user-mode data path), where the packet's next action is determined.
S2, selecting a quintuple from the data packet:
the source IP address, destination IP address, source port, destination port and network protocol are taken from the packet to form a quintuple, which is matched against each rule in the ACL table to decide whether to discard the packet or proceed to the next step.
S3, managing ACL rules:
the existing ACL rules are managed, including modifying rule content and adding or deleting rules, and the modifications are stored and recorded.
S4, storing the ACL table in an ovsdb database:
storage of the ACL table is taken over by ovsdb; the ovs architecture has a corresponding ovsdb database storage service, and the ACL function is implemented through flow table control under the OpenFlow protocol.
S5, sending the data packet out of the corresponding port:
after ACL filtering and each subsequent stage of flow table matching, the packet is sent out of the corresponding port and received at the destination port of the corresponding destination address.
S6, DPDK receiving the network data packet:
the DPDK receives network packets by polling and maps them from kernel mode into user mode for processing.
S7, extracting the quintuple from the data packet:
the five-tuple used for rule matching is extracted from the packet; it consists of the source IP address, destination IP address, source port, destination port and network protocol.
S8, accessing the ACL table:
the ACL table is accessed, the packet's next action is determined, and the packet is either discarded or accepted.
S9, choosing to discard or accept the data packet:
if the packet is discarded, its processing ends; if it is accepted, the next-level flow table is matched according to the action, NAT mapping between the EIP and the FIP is performed, and the server resource in the VPC is accessed.
The processing and forwarding of a packet, from its entry into the OVS layer-2 virtual network to the server resource it needs to reach, is described in detail below.
Preconditions:
(1) Corresponding ACL rules have already been created for the EIP resource being accessed, for example:
destinateIp:0.0.0.0/0,destinatePort:22, sourceIp:100.100.100.1,sourcePort:22,protocol:tcp, action:allow,direction:ingress
sourceIp:0.0.0.0/0,sourcePort:22, destinateIp:100.100.100.1,destinatePort:22,protocol:tcp, action:allow,direction:egress.
(2) After ACL matching, the next-level flow table is matched for NAT mapping to find the access entry corresponding to the virtual machine; the NAT rule is as follows:
EIP:100.100.100.1,FIP:10.10.10.1
Processing steps:
(1) The network packet is forwarded to the ovs cluster through a physical switch; the cluster's network card captures the packet and passes it into the user-mode DataPath for further forwarding processing.
(2) The DataPath takes the source IP address, source port, destination IP address, destination port and protocol type from the packet to form a quintuple for ACL matching, searches the ACL table, finds that the packet with source address 100.100.100.1 exactly matches the ACL rule, and allows it to enter the next stage of flow table matching.
(3) The flow table is searched, the NAT mapping corresponding to the EIP 100.100.100.1 is found, and the packet is forwarded out of the corresponding port.
(4) After the packet leaves the corresponding port, the virtual network in which the corresponding virtual machine resides is found through the FIP, and the packet is forwarded to the corresponding server.
(5) The response message is returned to the cluster along the NAT mapping. Because an ACL rule applies to only one direction, the server's response is received only if a corresponding allow rule exists in the egress direction.
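As an added example (not code from the patent, and not DPDK code), the following plain C models the filtering stage of steps S2, S7 and S8 together with the walkthrough above: it extracts the 5-tuple from a constructed Ethernet/IPv4 frame, applies the two direction-specific rules of precondition (1) with default deny, and resolves the EIP of precondition (2) to its FIP. The rule and NAT table layouts, the masked-address matching and the convention that port 0 means "any" are assumptions of this example.

```c
/* Added example: plain-C model of the ACL stage (S2/S7/S8) and the walkthrough.
 * Not DPDK code: a constructed frame stands in for the mbuf a poll-mode driver delivers. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
enum { DIR_INGRESS = 0, DIR_EGRESS = 1 };
enum { ACT_DROP = 0, ACT_ALLOW = 1 };
#define PROTO_TCP 6
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

struct five_tuple { uint32_t sip, dip; uint16_t sport, dport; uint8_t proto; };
struct acl_rule {                      /* masked addresses; port 0 means "any" (assumed) */
    uint32_t sip, sip_mask, dip, dip_mask;
    uint16_t sport, dport; uint8_t proto, direction, action;
};
struct nat_entry { uint32_t eip, fip; };
/* The two rules from precondition (1) and the NAT entry from precondition (2). */
static const struct acl_rule ACL[] = {
    { IP4(100,100,100,1), 0xffffffffu, 0, 0, 22, 22, PROTO_TCP, DIR_INGRESS, ACT_ALLOW },
    { 0, 0, IP4(100,100,100,1), 0xffffffffu, 22, 22, PROTO_TCP, DIR_EGRESS, ACT_ALLOW },
};
static const struct nat_entry NAT[] = { { IP4(100,100,100,1), IP4(10,10,10,1) } };

/* Constructed input: a minimal 54-byte Ethernet + IPv4 (IHL 5) + TCP/UDP frame. */
size_t build_frame(uint8_t *buf, uint32_t sip, uint16_t sport,
                   uint32_t dip, uint16_t dport, uint8_t proto) {
    memset(buf, 0, 54);
    buf[12] = 0x08; buf[13] = 0x00;              /* EtherType IPv4 */
    buf[14] = 0x45; buf[23] = proto;             /* version/IHL, protocol */
    for (int i = 0; i < 4; i++) {
        buf[26 + i] = (uint8_t)(sip >> (24 - 8 * i));
        buf[30 + i] = (uint8_t)(dip >> (24 - 8 * i));
    }
    buf[34] = (uint8_t)(sport >> 8); buf[35] = (uint8_t)sport;
    buf[36] = (uint8_t)(dport >> 8); buf[37] = (uint8_t)dport;
    return 54;
}

/* S2/S7: extract the 5-tuple. Returns 0 on success, -1 for short or non-IPv4 frames. */
int extract_tuple(const uint8_t *f, size_t len, struct five_tuple *t) {
    if (len < 34 || f[12] != 0x08 || f[13] != 0x00 || (f[14] >> 4) != 4) return -1;
    size_t ihl = (size_t)(f[14] & 0x0f) * 4;
    if (ihl < 20 || len < 14 + ihl + 4) return -1;  /* need at least the L4 ports */
    const uint8_t *ip = f + 14, *l4 = ip + ihl;
    t->sip = IP4(ip[12], ip[13], ip[14], ip[15]);
    t->dip = IP4(ip[16], ip[17], ip[18], ip[19]);
    t->proto = ip[9];
    t->sport = (uint16_t)(l4[0] << 8 | l4[1]);
    t->dport = (uint16_t)(l4[2] << 8 | l4[3]);
    return 0;
}

/* S8: the first matching rule for the given direction decides; no match means drop. */
int acl_lookup(const struct five_tuple *t, int direction) {
    for (size_t i = 0; i < sizeof ACL / sizeof ACL[0]; i++) {
        const struct acl_rule *r = &ACL[i];
        if (r->direction != direction || r->proto != t->proto) continue;
        if ((t->sip & r->sip_mask) != (r->sip & r->sip_mask)) continue;
        if ((t->dip & r->dip_mask) != (r->dip & r->dip_mask)) continue;
        if ((r->sport && r->sport != t->sport) || (r->dport && r->dport != t->dport)) continue;
        return r->action;
    }
    return ACT_DROP;                              /* default deny */
}

/* S9 next stage: resolve the EIP to the VPC-internal FIP; 0 means no mapping. */
uint32_t nat_lookup(uint32_t eip) {
    for (size_t i = 0; i < sizeof NAT / sizeof NAT[0]; i++)
        if (NAT[i].eip == eip) return NAT[i].fip;
    return 0;
}
```

The same tuple evaluated in the egress direction is dropped, which is the one-direction property the walkthrough relies on for the server's response.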
The above embodiments are only specific cases of the present invention, and the scope of the present invention includes but is not limited to the above embodiments, and any suitable changes or substitutions that are required by a DPDK-based ACL packet filtering method according to the present invention and can be made by a person of ordinary skill in the art shall fall within the scope of the present invention.
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.
Claims (6)
1. A DPDK-based ACL packet filtering method, characterized by comprising the following steps:
S1, capturing a data packet;
after the data packet arrives at the network card, it is handed to a datapath (user-mode data path);
S2, selecting a quintuple from the data packet;
a source IP address, a destination IP address, a source port, a destination port and a network protocol are selected from the data packet to form a quintuple, the quintuple is matched against each rule in an ACL table, and it is determined whether to discard the data packet or proceed to the next step;
S3, managing ACL rules;
the existing ACL rules are managed, including modifying the content of rules and adding and deleting rules, and the modifications are stored and recorded;
S4, storing an ACL table in an ovsdb database;
storage of the ACL table is taken over by ovsdb, the ovs framework has a corresponding ovsdb database storage service, and the ACL function is realized by flow table control of an OpenFlow protocol;
S5, sending the data packet out of the corresponding port;
S6, DPDK receiving the network data packet;
S7, extracting the quintuple from the data packet;
S8, accessing the ACL table;
and S9, choosing to discard or accept the data packet.
2. The method as claimed in claim 1, wherein in step S5, after ACL filtering and subsequent stage of flow table matching, the data packet is sent out from the corresponding port and received at the destination port of the corresponding destination address.
3. The method as claimed in claim 1, wherein in step S6, the DPDK receives network packets in a polling manner, and maps the network packets from a kernel mode to a user mode for processing.
4. The method as claimed in claim 1, wherein in step S7, five tuples are extracted from the data packet for rule matching, and the five tuples are source IP address, destination IP address, source port, destination port and network protocol.
5. The method as claimed in claim 1, wherein in step S8, the ACL table is accessed to determine the next action of the packet, and the packet is selected to be discarded or accepted.
6. The method according to claim 1, wherein in step S9, if the packet is discarded, the packet processing is finished; and if the packet is accepted, next-level flow table matching is performed according to the action, NAT mapping between the EIP and the FIP is performed, and the server resource in the VPC is accessed.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011414634.3A CN112769748B (en) | 2020-12-07 | 2020-12-07 | DPDK-based ACL packet filtering method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112769748A CN112769748A (en) | 2021-05-07 |
CN112769748B true CN112769748B (en) | 2022-05-31 |
Family
ID=75693503
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011414634.3A Active CN112769748B (en) | 2020-12-07 | 2020-12-07 | DPDK-based ACL packet filtering method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112769748B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113904798B (en) * | 2021-08-27 | 2024-03-22 | 长沙星融元数据技术有限公司 | Multi-group filtering method, system, equipment and storage medium for IP message |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105516091A (en) * | 2015-11-27 | 2016-04-20 | 武汉邮电科学研究院 | Secure flow filter and filtering method based on software defined network (SDN) controller |
CN111371779A (en) * | 2020-02-29 | 2020-07-03 | 苏州浪潮智能科技有限公司 | Firewall based on DPDK virtualization management system and implementation method thereof |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104994065A (en) * | 2015-05-20 | 2015-10-21 | 上海斐讯数据通信技术有限公司 | Access control list operation system and method based on software-defined network |
WO2018032399A1 (en) * | 2016-08-17 | 2018-02-22 | Zte Corporation | Server and method having high concurrency capability |
CN109672623B (en) * | 2018-12-28 | 2020-12-25 | 大唐软件技术股份有限公司 | Message processing method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |