CN112910894A - Method for realizing quick matching of strategies - Google Patents
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L63/205—Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
Abstract
The invention relates to a method for realizing quick matching of policies, comprising the following steps: acquiring policy information of a network device; dividing the policy information into at least one piece of dimension information and acquiring the corresponding root node; reading the mask format corresponding to the at least one piece of dimension information; establishing the corresponding mask binary tree according to that mask format and the root node; setting a policy identifier on the data structure of the last node; and traversing the corresponding parent nodes in sequence from the last node, judging whether each parent node holds bitmap memory information, and if so, updating the storage content of the last node according to that bitmap memory information. The invention realizes rapid policy matching when a network packet reaches the gateway device, greatly reducing CPU utilization and the time consumed by matching.
Description
Technical Field
The invention relates to the technical field of computer security, and in particular to a method for realizing quick matching of policies.
Background
In modern network applications, a gateway device (e.g., a firewall) plays the role of isolation control. To implement this control, an administrator needs to configure thousands of policies (in some large network environments, even tens of thousands). Each policy determines whether a network packet matches a source IP, destination IP, source port, destination port, protocol type, and so on, and for convenience of management each policy may support configuring multiple items per dimension (e.g., configuring a source IP as a network segment such as 192.168.1.1/24, or configuring multiple source IPs or a combination of network segments).
However, when the number of policies is large, if matching is performed by traversing each policy in turn and then checking the items of every dimension, the system consumes too much CPU and the matching time of a single network packet becomes too long, which seriously affects usability and user experience. In summary, how to quickly perform policy matching on a network packet is an urgent problem to be solved.
Disclosure of Invention
In view of the above, there is a need to provide a method for implementing fast policy matching, so as to solve the problem of how to fast perform policy matching on a network packet.
The invention provides a method for realizing quick matching of policies, comprising the following steps:
acquiring policy information of a network device;
dividing the policy information into at least one piece of dimension information, and acquiring a root node of the at least one piece of dimension information;
judging whether the at least one piece of dimension information meets a first preset condition, and if so, reading a mask format corresponding to the at least one piece of dimension information;
establishing a mask binary tree corresponding to the at least one piece of dimension information according to the mask format corresponding to the at least one piece of dimension information and the root node;
judging whether the last node of the mask binary tree meets a second preset condition, and if so, setting a policy identifier on the data structure of the last node, wherein the policy identifier is used for enabling the last node to store bitmap memory information;
and traversing the corresponding parent nodes in sequence from the last node, judging whether bitmap memory information exists in the corresponding parent node, and if so, updating the storage content of the last node according to the bitmap memory information.
Further, the first preset condition includes that the at least one piece of dimension information is in a mask format.
Further, the judging whether the at least one piece of dimension information satisfies a first preset condition, and if so, reading a mask format corresponding to the at least one piece of dimension information, further includes:
if the first preset condition is not met, converting the at least one piece of dimension information into a corresponding mask format according to a preset splitting mask rule.
Further, the establishing a mask binary tree corresponding to the at least one piece of dimension information according to the mask format corresponding to the at least one piece of dimension information and the root node includes:
converting the mask format corresponding to the at least one piece of dimension information into a bit string format;
and, starting from the root node, taking each bit of bit information in the bit string format in sequence as a corresponding child node to construct the corresponding mask binary tree, wherein bit information of 0 is the left child of the mask binary tree and bit information of 1 is the right child of the mask binary tree.
Further, the second preset condition includes that bit information exists in the last node.
Further, the setting of the policy identifier on the data structure of the last node comprises: determining the corresponding policy identifier according to the ID number corresponding to the policy information; and converting the policy identifier into corresponding bit information, and setting the bit information corresponding to the policy identifier on the data structure of the last node.
Further, after the judging whether the last node of the mask binary tree satisfies a second preset condition, and if so, setting the policy identifier on the data structure of the last node, the method further includes:
judging whether the parent node corresponding to the last node is the root node;
if so, judging whether the policy information has a corresponding subsequent policy;
if a corresponding subsequent policy exists, returning to the step of dividing the policy information into at least one piece of dimension information and acquiring a root node of the at least one piece of dimension information;
and if no corresponding subsequent policy exists, ending the tree building process of the mask binary tree.
Further, the updating the storage content of the last node according to the bitmap memory information includes:
copying the bitmap memory information of the corresponding parent node and storing it on the last node;
and updating the bitmap compression information on the last node according to the bitmap memory information.
Further, the method for realizing quick matching of policies further includes:
acquiring and parsing a network packet, and dividing the network packet into the at least one piece of dimension information;
converting the at least one piece of dimension information corresponding to the network packet into a mask format, and searching in sequence in the completely established mask binary tree until the last node corresponding to the mask binary tree is found;
extracting the storage content of the last node, wherein the storage content comprises the bitmap memory information and the corresponding bitmap compression information;
determining a corresponding AND result by bitwise ANDing the bitmap memory information corresponding to the at least one piece of dimension information;
searching in a preset policy array according to the AND result, and determining a policy number corresponding to the network packet;
and determining the policy information corresponding to the network packet according to the policy number.
Further, the establishing process of the policy array comprises:
after the mask binary trees corresponding to the at least one piece of dimension information of the policy information are established,
determining pointer information corresponding to the policy information according to all the mask binary trees, wherein the pointer information is used for corresponding to the policy number;
and establishing the corresponding policy array according to the pointer information.
Compared with the prior art, the invention has the following beneficial effects. First, the policy information of the network device is effectively acquired; then the policy information is divided into at least one piece of dimension information (such as a source IP, destination IP, source port, destination port and protocol type) and the root node corresponding to the dimension information is acquired, so that a mask binary tree can be constructed from that root node; further, when the first preset condition is met, the dimension information is converted into a mask format to obtain valid mask information; then, according to the mask format and the root node, a mask binary tree reflecting the mask information is effectively established; then, using the structural characteristics of the mask binary tree, a policy identifier is set on the last node so that the last node stores the corresponding bitmap memory information; and finally, the parent nodes are traversed in sequence, any bitmap memory information existing in a parent node is placed in the last node, and the last node updates and stores the bitmap memory information using the mask binary tree structure, so that the bitmap memory information effectively reflects the policy information.
In summary, the invention establishes a mask binary tree for the information of each of multiple dimensions, and each configured node stores the bitmap memory information corresponding to that node, so each dimension yields one piece of bitmap memory information. The bitmap memory information of the different dimensions is looked up quickly through the mask binary trees, the relevant content of the policy information is fed back in full, and the policy information is hit and matched quickly: when a network packet reaches the gateway device, the multidimensional bitmap memory information is obtained and the policy information can be matched rapidly, which greatly reduces CPU utilization and matching time.
Drawings
FIG. 1 is a schematic flow chart of a method for implementing policy fast matching according to the present invention;
FIG. 2 is a schematic diagram of a process for creating a binary tree of masks according to the present invention;
FIG. 3 is a schematic structural diagram of a binary tree of masks provided by the present invention;
FIG. 4 is a schematic flow chart of the present invention for determining a root node;
FIG. 5 is a schematic flow chart of updating the stored content according to the present invention;
FIG. 6 is a schematic flow chart of parsing a network packet according to the present invention;
FIG. 7 is a schematic flow chart of establishing a policy array according to the present invention;
FIG. 8 is a schematic diagram of a device for implementing fast matching of policies provided by the present invention.
Detailed Description
The accompanying drawings, which are incorporated in and constitute a part of this application, illustrate preferred embodiments of the invention and together with the description, serve to explain the principles of the invention and not to limit the scope of the invention.
Example 1
An embodiment of the present invention provides a method for implementing policy fast matching. Referring to FIG. 1, which is a schematic flow chart of the method for implementing policy fast matching provided by the present invention, the method includes steps S1 to S6, where:
in step S1, policy information of the network device is acquired;
in step S2, the policy information is divided into at least one piece of dimension information, and a root node of the at least one piece of dimension information is obtained;
in step S3, it is determined whether the at least one piece of dimension information satisfies a first preset condition, and if so, a mask format corresponding to the at least one piece of dimension information is read;
in step S4, a mask binary tree corresponding to the at least one piece of dimension information is established according to the mask format corresponding to the at least one piece of dimension information and the root node;
in step S5, it is determined whether the last node of the mask binary tree satisfies a second preset condition, and if so, a policy identifier is set in the data structure on the last node, where the policy identifier is used to enable the last node to store bitmap memory information;
in step S6, the corresponding parent nodes are traversed in sequence from the last node, it is determined whether the corresponding parent node has bitmap memory information, and if so, the storage content of the last node is updated according to the bitmap memory information.
In the embodiment of the invention, first, the policy information of the network device is effectively acquired; then the policy information is divided into at least one piece of dimension information (such as a source IP, destination IP, source port, destination port and protocol type) and the root node corresponding to the dimension information is acquired, so that a mask binary tree can be constructed from that root node; further, when the first preset condition is met, the dimension information is converted into a mask format to obtain valid mask information; then, according to the mask format and the root node, a mask binary tree reflecting the mask information is effectively established; then, using the structural characteristics of the mask binary tree, a policy identifier is set on the last node so that the last node stores the corresponding bitmap memory information; and finally, the parent nodes are traversed in sequence, any bitmap memory information existing in a parent node is placed in the last node, and the last node updates and stores the bitmap memory information using the mask binary tree structure, so that the bitmap memory information effectively reflects the policy information.
Preferably, the first preset condition includes that the at least one piece of dimension information is in a mask format. As a specific embodiment, by setting the first preset condition, the embodiment of the present invention builds the binary tree directly from dimension information that is already in a mask format.
Preferably, step S3 further includes:
if the first preset condition is not met, converting the at least one piece of dimension information into a corresponding mask format according to a preset splitting mask rule.
As a specific embodiment, the embodiment of the present invention converts dimension information in a non-mask format into a mask format, so as to facilitate the construction of the mask binary tree.
In one specific embodiment of the present invention, for example, 192.168.1.1 can directly be represented in the mask format 192.168.1.1/32, since no mask conversion is required. Because an IPv4 address has 32 bits, the range form 192.168.1.2-192.168.1.10 referenced above is split into multiple mask segments:
1) 192.168.1.2-192.168.1.3 => 192.168.1.2/31;
2) 192.168.1.4-192.168.1.7 => 192.168.1.4/30;
3) 192.168.1.8-192.168.1.9 => 192.168.1.8/31;
4) 192.168.1.10-192.168.1.10 => 192.168.1.10/32.
Dimension information in a non-mask format is split according to the specified mask algorithm (the preset splitting mask rule); for an n-bit value, any range can be covered by at most 2 × n - 1 mask groups. It should be noted that IP addresses have IPv4 and IPv6 formats; the conversion method is identical for both, IPv6 simply having more bits.
Preferably, referring to FIG. 2, which is a schematic flow chart of the process of establishing the mask binary tree provided by the present invention, step S4 includes steps S41 to S42, where:
in step S41, the mask format corresponding to the at least one piece of dimension information is converted into a bit string format;
in step S42, starting from the root node, each bit of bit information in the bit string format is used in sequence as a corresponding child node to construct the corresponding mask binary tree, where bit information of 0 is the left child of the mask binary tree and bit information of 1 is the right child.
As a specific embodiment, the embodiment of the invention realizes the effective construction of the mask binary tree by converting the mask format into the bit string format, so that each node corresponds to one valid bit of information.
In a specific embodiment of the present invention, referring to FIG. 3, which is a schematic structural diagram of a mask binary tree provided by the present invention, suppose the dimension information is a source IP and take 192.168.1.0/24 as an example. The mask form is added to the mask binary tree of the source IP in bit string format in the manner of FIG. 3: the bit string corresponding to 192.168.1.0 is 11000000101010000000000100000000, and, in combination with the preset splitting mask rule, because the mask length is 24, the bits that need to be created are the first 24 bits, 110000001010100000000001, from which the mask binary tree of the source IP is constructed by the rule that a 0 bit is the left child and a 1 bit is the right child. It should be noted that, in the process of creating the mask binary tree, if a required child node does not exist, it is simply created directly.
Preferably, the second preset condition includes that the last node has bit information. As a specific embodiment, when the last node is reached, the embodiment of the present invention first checks whether bit information exists on that node; if so, it places the number (1 to n) corresponding to the policy ID as a bit on the data structure of the node, and if not, it places the policy ID on the data structure of the node.
Preferably, the setting of the policy identifier on the data structure of the last node includes: determining the corresponding policy identifier according to the ID number corresponding to the policy information; and converting the policy identifier into corresponding bit information, and setting the bit information corresponding to the policy identifier on the data structure of the last node. As a specific embodiment, in the embodiment of the present invention, at the last node the policy identifier reflects the number corresponding to the policy ID, and that number is placed as a bit on the data structure of the node, so as to store the bitmap memory information.
Preferably, referring to FIG. 4, which is a schematic flow chart of determining the root node provided by the present invention, steps S001 to S004 are further included after step S5, where:
in step S001, it is determined whether the parent node corresponding to the last node is the root node;
in step S002, if it is the root node, it is determined whether the policy information has a corresponding subsequent policy;
in step S003, if there is a corresponding subsequent policy, the method returns to the step of dividing the policy information into at least one piece of dimension information and acquiring a root node of the at least one piece of dimension information;
in step S004, if there is no corresponding subsequent policy, the tree building process of the mask binary tree is ended.
As a specific embodiment, the embodiment of the invention completes the establishment of the whole mask binary tree by judging whether the parent node is the root node and whether a subsequent policy exists.
Preferably, referring to fig. 5, fig. 5 is a schematic flow chart of updating the storage content provided by the present invention, and the step S6 further includes steps S61 to S62, where:
in step S61, the bitmap memory information of the corresponding parent node is copied and stored on the last node;
in step S62, the bitmap compression information on the last node is updated according to the bitmap memory information.
As a specific embodiment, the embodiment of the invention stores the bitmap memory information in the last node and updates the bitmap compression information, so that the relevant content of the policy information can be obtained simply by quickly looking up the bitmap memory information of the last node, which facilitates the subsequent hit matching of the policy information.
Preferably, referring to FIG. 6, which is a schematic flow chart of parsing the network packet provided by the present invention, the method further includes steps S7 to S12 after step S6, where:
in step S7, a network packet is acquired and parsed, and the network packet is divided into the at least one piece of dimension information;
in step S8, the at least one piece of dimension information corresponding to the network packet is converted into a mask format and searched for in sequence in the completely established mask binary tree until the last node corresponding to the mask binary tree is found;
in step S9, the storage content of the last node is extracted, where the storage content includes the bitmap memory information and the corresponding bitmap compression information;
in step S10, a corresponding AND result is determined by bitwise ANDing the bitmap memory information corresponding to the at least one piece of dimension information;
in step S11, a policy number corresponding to the network packet is determined by searching in a preset policy array according to the AND result;
in step S12, the policy information corresponding to the network packet is determined based on the policy number.
As a specific embodiment, the embodiment of the invention rapidly determines the bitmap memory information of the last node by acquiring the network packet and searching the mask binary tree of each dimension with the packet's dimension information, and determines the policy number by combining the bitmap memory information of the different dimensions, so as to query the policy array quickly and match the corresponding policy information.
It should be noted that after all dimensions have been matched, all the corresponding bitmap memory information and bitmap compression information have been found; all the bitmap memory information is bitwise ANDed, and the first bit whose value is 1 identifies the matching policy: if that policy is x, the corresponding policy address can be found in the large policy pointer array. Preferably, policy matching is accelerated further by first ANDing the bitmap memory information 64 bits at a time: if the 64-bit result is not 0, the matching policy is certainly among those 64 bits, and the policies are then checked one by one; if it is 0, the AND proceeds directly to the next 64 bits.
Preferably, referring to FIG. 7, which is a schematic flow chart of the process of establishing the policy array provided by the present invention, establishing the policy array includes steps S0001 to S0003, where:
in step S0001, after the mask binary trees corresponding to the at least one piece of dimension information of the policy information are completely established,
in step S0002, pointer information corresponding to the policy information is determined according to all the mask binary trees, and the pointer information is used for corresponding to the policy number;
in step S0003, the corresponding policy array is established according to the pointer information.
As a specific embodiment, the embodiment of the present invention establishes the policy array and queries it using the pointer information corresponding to the policy number, thereby obtaining the policy information quickly.
It should be noted that after the mask trees of all dimensions are built, a large array is created in which the pointer information of all policies is stored: if 10000 policies exist, a pointer array of size 10000 is established and the pointers of all policies are stored in it in sequence, so that when the matched bit is x, the pointer of policy x can be found quickly from the array and the policy information obtained quickly.
In a specific embodiment of the present invention, a mask binary tree is built using the source IP, with the following specific steps:
The first step: obtain the root node of the policy information of the device;
it should be noted that the policy information may be stored in the device as a linked list or a tree structure; this has no influence here, as it is mainly sufficient that the policies can be iterated over;
The second step: judge whether a subsequent policy still exists; if so, enter the third step, otherwise enter the twelfth step;
The third step: read all referenced source IP information according to the design of each device's policy structure;
illustratively, the source IP formats are as follows: 192.168.1.1 (single IP), 192.168.1.2-192.168.1.10 (range form), 192.168.1.0/24 (mask form);
The fourth step: judge whether the referenced IP format is in mask form; if so, enter the sixth step, otherwise enter the fifth step;
it should be noted that 192.168.1.1 can be expressed directly as the mask form 192.168.1.1/32, that is, it can enter the sixth step directly;
The fifth step: convert the referenced IP format into a mask format according to the preset splitting mask rule;
The sixth step: add the mask form into the binary tree of the source IP in bit string format in the manner shown in FIG. 3;
The seventh step: when the last node is reached, check whether bit information exists on the node; if so, place the number (1 to n) corresponding to the policy ID on the data structure of the node as a bit, and if not, place the policy ID on the data structure of the node;
it should be noted that each node corresponding to the last bit needs to store the following information: a bitmap memory, numbered so as to identify the policy;
The eighth step: acquire the parent node of the node;
The ninth step: judge whether the parent node is the root; if so, enter the second step, otherwise enter the tenth step;
The tenth step: judge whether the node has bitmap information; if so, enter the eleventh step, and if not, go back to the eighth step;
The eleventh step: here, the bitmap information of the node needs to be copied to the last node from the seventh step, and the bitmap compression information of that last node needs to be updated;
it should be noted that the mask length corresponding to this node is necessarily shorter than the mask length of the last node from the seventh step, as with 192.168.0.0/16 and 192.168.1.0/24, which means that the bitmap information of this node can be seen on the last node from the seventh step, that is, if an IP matches the last node from the seventh step, it also matches this node; after this step is executed, the eighth step is performed;
The twelfth step: the process of building the mask binary tree of the source IP ends.
The matching process based on the mask binary tree of the source IP comprises the following specific steps:
The first step: when a network packet reaches the device, the source IP of the packet is obtained after the packet is parsed;
The second step: convert the source IP into the bit form corresponding to its value, and search bit by bit in the mask binary tree of the source IP in sequence until the last node is found;
according to the principle by which the mask binary tree is established, the last node necessarily contains bitmap memory information; in the IPv4 example, a source IP is converted into 32 bits of information, so the search on the mask tree takes at most 32 steps and the maximum height of the mask tree built is 32; that is, the leaf node reached is certain to have had a policy establish bitmap memory information on it;
The third step: record the information of that node, including bitmap memory information and bitmap compression information, and then perform the matching process of the next dimension.
It should be noted that the other dimensions are processed in the same way as the IP dimension, only with fewer bits for the source port, destination port and the like.
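As an added worked example (not the patent's own code), the following Python sketch implements the procedure described above: range-to-prefix splitting (the preset splitting mask rule), one mask binary tree per dimension whose last node receives the policy bitmaps of its ancestors, a policy array indexed by policy number, and matching by ANDing the per-dimension bitmaps 64 policies at a time. The dimension widths in DIMS, the sample rule set in build_demo, and the pushing of a new policy bit down into longer masks already stored below it (so that insertion order does not matter) are assumptions of this example rather than steps from the patent.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

DIMS = (("src", 32), ("dst", 32), ("sport", 16), ("dport", 16), ("proto", 8))  # name, bits

def range_to_prefixes(lo: int, hi: int, nbits: int) -> List[Tuple[int, int]]:
    """Splitting mask rule: cut an inclusive range into (value, masklen) prefixes."""
    out = []
    while lo <= hi:
        size = 1  # grow the aligned block at lo while it stays inside the range
        while size < 1 << nbits and lo % (2 * size) == 0 and lo + 2 * size - 1 <= hi:
            size *= 2
        out.append((lo, nbits - (size.bit_length() - 1)))
        lo += size
    return out

class Node:
    def __init__(self) -> None:
        self.child: List[Optional["Node"]] = [None, None]  # left for bit 0, right for 1
        self.bitmap = 0  # bit k set <=> policy k covers this prefix

class MaskTree:
    """One mask binary tree (bit trie) per dimension; the root carries no bit."""
    def __init__(self, nbits: int) -> None:
        self.nbits, self.root = nbits, Node()

    def insert(self, value: int, masklen: int, policy_id: int) -> None:
        # Step 6: walk the first masklen bits MSB-first, creating missing children.
        path = [self.root]
        for i in range(masklen):
            bit = (value >> (self.nbits - 1 - i)) & 1
            if path[-1].child[bit] is None:
                path[-1].child[bit] = Node()
            path.append(path[-1].child[bit])
        last = path[-1]
        # Steps 8-11: ancestors are shorter masks covering this prefix, so their
        # bitmaps are copied into the last node.
        for parent in path[:-1]:
            last.bitmap |= parent.bitmap
        # Step 7 sets the policy bit on the last node; beyond the patent's steps it
        # is also pushed into longer masks stored below, so insertion order is irrelevant.
        stack = [last]
        while stack:
            node = stack.pop()
            node.bitmap |= 1 << policy_id
            stack.extend(c for c in node.child if c is not None)

    def lookup(self, value: int) -> int:
        # Follow the value's bits; keep the bitmap of the deepest node that stores one.
        node, found = self.root, self.root.bitmap
        for i in range(self.nbits):
            node = node.child[(value >> (self.nbits - 1 - i)) & 1]
            if node is None:
                break
            found = node.bitmap or found
        return found

class PolicyMatcher:
    def __init__(self) -> None:
        self.trees = {dim: MaskTree(n) for dim, n in DIMS}
        self.policies: List[dict] = []  # the 'policy array': index = policy number

    def add_policy(self, policy: Dict[str, List[Tuple[int, int]]]) -> int:
        """Each dimension maps to inclusive (lo, hi) ranges; a missing one means 'any'."""
        pid = len(self.policies)
        self.policies.append(policy)
        for dim, nbits in DIMS:
            for lo, hi in policy.get(dim, [(0, (1 << nbits) - 1)]):
                for value, masklen in range_to_prefixes(lo, hi, nbits):
                    self.trees[dim].insert(value, masklen, pid)
        return pid

    def match(self, packet: Dict[str, int]) -> Optional[int]:
        """AND the per-dimension bitmaps 64 policies at a time; first set bit wins."""
        bitmaps = [self.trees[dim].lookup(packet[dim]) for dim, _ in DIMS]
        for word in range(0, len(self.policies), 64):
            acc = (1 << 64) - 1
            for bm in bitmaps:
                acc &= bm >> word
                if acc == 0:  # nothing in common in this window: skip ahead
                    break
            if acc:
                return word + (acc & -acc).bit_length() - 1
        return None

def ip_range(text: str) -> Tuple[int, int]:
    """'192.168.1.1', '192.168.1.2-192.168.1.10' or '192.168.1.0/24' -> (lo, hi)."""
    if "/" in text:
        net = ipaddress.ip_network(text, strict=False)
        return int(net[0]), int(net[-1])
    lo, _, hi = text.partition("-")
    return int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi or lo))

def build_demo() -> PolicyMatcher:
    m = PolicyMatcher()  # constructed sample rule set, not from the patent
    m.add_policy({"src": [ip_range("192.168.1.2-192.168.1.10")], "dst": [ip_range("10.0.0.5")],
                  "dport": [(22, 22)], "proto": [(6, 6)]})
    m.add_policy({"src": [ip_range("192.168.1.0/24")], "dport": [(80, 80), (443, 443)], "proto": [(6, 6)]})
    m.add_policy({"src": [ip_range("192.168.0.0/16")]})  # catch-all for the whole /16
    return m
```

With the sample rules, a TCP packet from 192.168.1.7 to 10.0.0.5 port 22 matches policy 0, while the same packet over UDP falls through to the /16 catch-all, policy 2.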
Example 2
An embodiment of the present invention provides a device for implementing policy fast matching. Referring to FIG. 8, which shows the device for implementing policy fast matching provided by the present invention, the device 800 includes:
an obtaining unit 801, configured to obtain policy information of a network device;
a processing unit 802, configured to divide the policy information into at least one piece of dimension information and obtain a root node of the at least one piece of dimension information; further configured to judge whether the at least one piece of dimension information meets a first preset condition, and if so, read a mask format corresponding to the at least one piece of dimension information; further configured to establish the mask binary tree corresponding to the at least one piece of dimension information according to the mask format corresponding to the at least one piece of dimension information and the root node; and further configured to judge whether the last node of the mask binary tree meets a second preset condition, and if so, set a policy identifier on the data structure of the last node, wherein the policy identifier is used for enabling the last node to store bitmap memory information;
and a storage unit 803, configured to traverse the corresponding parent nodes in sequence from the last node, determine whether bitmap memory information exists in the corresponding parent node, and if so, update the storage content of the last node according to the bitmap memory information.
Example 3
An embodiment of the present invention provides a device for implementing fast matching of policies, which comprises a processor and a memory; the memory stores a computer program, and when the computer program is executed by the processor, the method for implementing fast matching of policies described above is carried out.
Example 4
An embodiment of the present invention provides a computer-readable storage medium, on which a computer program is stored, and when the computer program is executed by a processor, the method for implementing quick matching of policies as described above is implemented.
The invention discloses a method for implementing fast matching of policies, comprising the following steps: first, policy information of the network device is obtained; then, the policy information is divided into at least one item of dimension information (such as source IP, destination IP, source port, destination port and protocol type) and the root node corresponding to that dimension information is obtained, so that a mask binary tree can be built from the root node; further, the dimension information is converted into a mask format, under the condition that a first preset condition is met, to obtain valid mask information; then, according to the mask format and the root node, a mask binary tree that reflects the mask information is built; then, using the structural characteristics of the mask binary tree, a policy identifier is set on the last node so that the last node stores the corresponding bitmap memory information; finally, the parent nodes are traversed in sequence, any bitmap memory information present in a parent node is placed in the last node, and the last node updates and stores the bitmap memory information by means of the mask binary tree structure, so that the bitmap memory information reflects the policy information.
With this technical scheme, a mask binary tree is built for the information of each dimension and every configured node stores the bitmap memory information corresponding to it, so that one item of bitmap memory information can be found for each dimension. The bitmap memory information of the different dimensions is looked up quickly through the mask binary trees and together reflects the relevant content of the policy information, so that the policy information is hit and matched quickly. When a network packet arrives at the gateway device, the multidimensional bitmap memory information can be obtained and the policy information matched rapidly, which greatly reduces CPU utilization and matching time.
The above description is only for the preferred embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention.
Claims (10)
1. A method for implementing fast matching of policies, comprising:
acquiring policy information of a network device;
dividing the policy information into at least one item of dimension information, and acquiring a root node of the at least one item of dimension information;
judging whether the at least one item of dimension information meets a first preset condition, and if so, reading a mask format corresponding to the at least one item of dimension information;
establishing a mask binary tree corresponding to the at least one item of dimension information according to the mask format corresponding to the at least one item of dimension information and the root node;
judging whether the last node of the mask binary tree meets a second preset condition, and if so, setting a policy identifier on a data structure on the last node, wherein the policy identifier is used for enabling the last node to store bitmap memory information;
and traversing the corresponding parent nodes in sequence from the last node, judging whether bitmap memory information exists in the corresponding parent node, and if so, updating the storage content of the last node according to the bitmap memory information.
2. The method of claim 1, wherein the first preset condition comprises that the at least one item of dimension information is in a mask format.
3. The method for implementing fast matching of policies according to claim 2, wherein judging whether the at least one item of dimension information meets a first preset condition, and if so, reading the mask format corresponding to the at least one item of dimension information, further comprises:
if the first preset condition is not met, converting the at least one item of dimension information into a corresponding mask format according to a preset mask splitting rule.
4. The method according to claim 1, wherein establishing the mask binary tree corresponding to the at least one item of dimension information according to the mask format corresponding to the at least one item of dimension information and the root node comprises:
converting the mask format corresponding to the at least one item of dimension information into a bit string format;
and, starting from the root node, taking each bit of the bit string in turn as a corresponding child node to construct the corresponding mask binary tree, wherein a bit value of 0 corresponds to the left child of the mask binary tree and a bit value of 1 corresponds to the right child of the mask binary tree.
5. The method of claim 1, wherein the second preset condition comprises that bit information exists in the last node.
6. The method of claim 5, wherein setting a policy identifier on the data structure on the last node comprises: determining the corresponding policy identifier according to the ID number corresponding to the policy information; and converting the policy identifier into corresponding bit information, and setting the bit information corresponding to the policy identifier on the data structure on the last node.
7. The method of claim 6, wherein after judging whether the last node of the mask binary tree meets a second preset condition and, if so, setting a policy identifier on the data structure on the last node, the method further comprises:
judging whether the parent node corresponding to the last node is the root node;
if so, judging whether the policy information has a corresponding subsequent policy;
if a corresponding subsequent policy exists, returning to the step of dividing the policy information into at least one item of dimension information and acquiring a root node of the at least one item of dimension information;
and if no corresponding subsequent policy exists, ending the building of the mask binary tree.
8. The method for implementing fast matching of policies according to claim 1, wherein updating the storage content of the last node according to the bitmap memory information comprises:
copying the bitmap memory information of the corresponding parent node and storing it on the last node;
and updating bitmap compression information on the last node according to the bitmap memory information.
9. The method for implementing fast matching of policies according to claim 1, further comprising:
acquiring and parsing a network packet, and dividing the network packet into the at least one item of dimension information;
converting the at least one item of dimension information corresponding to the network packet into a mask format, and searching in sequence in the fully established mask binary tree until the last node corresponding to the mask binary tree is found;
extracting the storage content of the last node, wherein the storage content comprises the bitmap memory information and the corresponding bitmap compression information;
determining a corresponding summation result by bitwise summation of the bitmap memory information corresponding to the at least one item of dimension information;
searching in a preset policy array according to the country of interest and the country of interest, and determining a policy number corresponding to the network packet;
and determining the policy information corresponding to the network packet according to the policy number.
10. The method for implementing fast matching of policies according to claim 1, wherein the process of establishing the policy array comprises:
after the mask binary tree corresponding to the at least one item of dimension information of the policy information is established,
determining pointer information corresponding to the policy information according to all the mask binary trees, wherein the pointer information corresponds to the policy number;
and establishing the corresponding policy array according to the pointer information.
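As an added worked example (editor's code, not code from the patent or its applicant), the following Python implements the structure that the description above and claims 1 to 10 set out: one mask binary tree per dimension whose nodes carry a bitmap of policy identifiers (claims 4, 6 and 8), the conversion of a port range into mask entries that claim 3 calls a mask splitting rule, and the packet lookup of claims 9 and 10, which ANDs the per-dimension bitmaps and resolves the lowest set bit through a policy array. The class and function names, the five dimensions with their bit widths, and the sample policies are assumptions of this example. The patent does not define the bitmap compression information, so it is left out, and the push-down of a newly set bit to existing descendant nodes goes beyond the claims so that the result does not depend on the order in which policies are configured.

```python
import ipaddress


class Node:
    def __init__(self, bitmap=0):
        self.left = None       # child for bit value 0 (claim 4)
        self.right = None      # child for bit value 1 (claim 4)
        self.bitmap = bitmap   # bit i set: policy i covers this prefix


class MaskTree:
    """Binary trie over the bits of one dimension (IP, port or protocol)."""

    def __init__(self, width):
        self.width = width
        self.root = Node()

    def insert(self, value, prefix_len, policy_id):
        """Place policy_id on the node for value/prefix_len (claims 4, 6, 8)."""
        node = self.root
        for i in range(prefix_len):
            bit = (value >> (self.width - 1 - i)) & 1
            child = node.right if bit else node.left
            if child is None:
                # A new node copies its parent's bitmap (claim 8); as every node
                # already holds the union of its ancestors, the parent alone
                # stands in for walking the whole parent chain.
                child = Node(node.bitmap)
                setattr(node, "right" if bit else "left", child)
            node = child
        node.bitmap |= 1 << policy_id   # claim 6: policy ID as a bit position
        # Editor's addition: push the new bit down to existing descendants so
        # that a shorter prefix configured later still covers them.
        stack = [c for c in (node.left, node.right) if c is not None]
        while stack:
            n = stack.pop()
            n.bitmap |= 1 << policy_id
            stack.extend(c for c in (n.left, n.right) if c is not None)

    def lookup(self, value):
        """Follow the packet's bits to the deepest existing node (claim 9)."""
        node = self.root
        for i in range(self.width):
            bit = (value >> (self.width - 1 - i)) & 1
            nxt = node.right if bit else node.left
            if nxt is None:
                break
            node = nxt
        return node.bitmap


def split_range(lo, hi, width):
    """Split an inclusive range into (value, prefix_len) mask entries (claim 3)."""
    entries = []
    while lo <= hi:
        size = 1   # grow the aligned block while it stays inside [lo, hi]
        while (lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi
               and size * 2 <= 1 << width):
            size *= 2
        entries.append((lo, width - (size.bit_length() - 1)))
        lo += size
    return entries


# Assumed dimensions and bit widths (the description uses 32 for IPv4).
DIMENSIONS = (("src_ip", 32), ("dst_ip", 32),
              ("src_port", 16), ("dst_port", 16), ("proto", 8))


class PolicyMatcher:
    def __init__(self):
        self.trees = {name: MaskTree(width) for name, width in DIMENSIONS}
        self.policy_array = []   # claim 10: bit position -> (number, action)

    def add_policy(self, action, src_ip="0.0.0.0/0", dst_ip="0.0.0.0/0",
                   src_port=(0, 65535), dst_port=(0, 65535), proto=None):
        pid = len(self.policy_array)   # configuration order = bit position
        self.policy_array.append((pid, action))
        for name, cidr in (("src_ip", src_ip), ("dst_ip", dst_ip)):
            net = ipaddress.ip_network(cidr, strict=False)
            self.trees[name].insert(int(net.network_address), net.prefixlen, pid)
        for name, (lo, hi) in (("src_port", src_port), ("dst_port", dst_port)):
            for value, plen in split_range(lo, hi, 16):
                self.trees[name].insert(value, plen, pid)
        # proto None means "any": the bit goes on the root (prefix length 0).
        self.trees["proto"].insert(proto or 0, 0 if proto is None else 8, pid)
        return pid

    def match(self, src_ip, dst_ip, src_port, dst_port, proto):
        """AND the per-dimension bitmaps; the lowest set bit is the first rule."""
        values = (int(ipaddress.ip_address(src_ip)),
                  int(ipaddress.ip_address(dst_ip)), src_port, dst_port, proto)
        hits = -1   # all ones in Python; each dimension narrows it
        for (name, _), value in zip(DIMENSIONS, values):
            hits &= self.trees[name].lookup(value)
            if hits == 0:
                return None   # some dimension matches no policy at all
        return self.policy_array[(hits & -hits).bit_length() - 1]
```

A lookup costs at most the bit width of each dimension (32 steps for an IPv4 address, as the description notes) plus one AND per dimension, which is where the CPU saving the summary claims comes from. The bitmap grows by one bit per configured policy, so a device holding thousands of policies would need the bitmap compression the claims mention but do not specify.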
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110139635.XA CN112910894A (en) | 2021-02-01 | 2021-02-01 | Method for realizing quick matching of strategies |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110139635.XA CN112910894A (en) | 2021-02-01 | 2021-02-01 | Method for realizing quick matching of strategies |
Publications (1)
Publication Number | Publication Date |
---|---|
CN112910894A true CN112910894A (en) | 2021-06-04 |
Family
ID=76121157
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110139635.XA Pending CN112910894A (en) | 2021-02-01 | 2021-02-01 | Method for realizing quick matching of strategies |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112910894A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114301686A (en) * | 2021-12-29 | 2022-04-08 | 山石网科通信技术股份有限公司 | Security policy matching method and device and storage medium |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102195853A (en) * | 2010-03-09 | 2011-09-21 | 杭州华三通信技术有限公司 | Method and device for storing bitmap |
US20130010803A1 (en) * | 2010-03-24 | 2013-01-10 | Syuuhei Yamaguchi | Packet forwarding system, control device, forwarding device and method and program for preparing processing rules |
CN109617927A (en) * | 2019-01-30 | 2019-04-12 | 新华三信息安全技术有限公司 | A kind of method and device matching security strategy |
CN110808963A (en) * | 2019-10-17 | 2020-02-18 | 新华三信息安全技术有限公司 | Security policy rule matching method and device and firewall equipment |
CN111552520A (en) * | 2020-04-10 | 2020-08-18 | 武汉思普崚技术有限公司 | User-defined application identification method and system |
- 2021-02-01 CN CN202110139635.XA patent/CN112910894A/en active Pending
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114301686A (en) * | 2021-12-29 | 2022-04-08 | 山石网科通信技术股份有限公司 | Security policy matching method and device and storage medium |
CN114301686B (en) * | 2021-12-29 | 2024-05-07 | 山石网科通信技术股份有限公司 | Security policy matching method and device and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
Application publication date: 20210604