CN114301620B - ACL time domain-based rapid matching method - Google Patents

ACL time domain-based rapid matching method Download PDF

Info

Publication number
CN114301620B
Authority
CN
China
Prior art keywords
time domain
acl
matching
time
rule
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111360590.5A
Other languages
Chinese (zh)
Other versions
CN114301620A (en)
Inventor
王方立
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Winicssec Technologies Co Ltd
Original Assignee
Beijing Winicssec Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date: 2021-11-17
Publication date: 2024-04-16
Application filed by Beijing Winicssec Technologies Co Ltd
Priority to CN202111360590.5A
Publication of CN114301620A
Application granted
Publication of CN114301620B
Legal status: Active

Links

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a rapid matching method based on an ACL time domain. The method includes: receiving a data packet; building a flow according to the five-tuple of the data packet, calculating the hash value of the five-tuple, and putting it into a hash bucket; searching for all ACL rules hit by the five-tuple; sorting the time domains of all hit ACL rules and recording the action of each time domain; returning the time-domain rules to the flow node; and, when a subsequent data packet of the flow arrives, matching the packet against the time domains of the ACL rules and executing the corresponding time-domain action. With this scheme, an ACL matching result of low computational complexity is obtained after a single matching pass: the actions for all points in time after the first packet is received are known after that one pass, the rules do not need to be matched again for later packets of the flow, and the complexity of ACL matching is greatly reduced.

Description

ACL time domain-based rapid matching method
Technical Field
The invention relates to the technical field of industrial control security, in particular to a rapid matching method based on an ACL time domain.
Background
ACL: access Control List (ACL) is a packet filtering-based access control technique that filters data packets on an interface according to set conditions, allowing them to pass or drop. The access control list is widely applied to routers and three-layer switches, and by means of the access control list, the access of users to the network can be effectively controlled, so that the network security is ensured to the greatest extent
The ACL rule of the firewall is often composed of five-tuple, interface and other information, but sometimes a time domain is used to specify a rule of a certain time period, and for such rule, the traditional matching mode generally needs to compare the time domains each time, so that CPU resources are wasted.
Disclosure of Invention
The invention provides a rapid matching method based on an ACL time domain, which comprises the following steps:
step 1, collecting a data packet;
step 2, constructing a flow according to the five-tuple of the data packet, calculating a hash value of the five-tuple, and putting the hash value into a hash bucket;
step 3, searching for all ACL rules hit by the five-tuple;
step 4, sorting all time domains of the hit ACL rules, and recording the action of each time domain;
step 5, returning the sorted ACL rules to the flow node;
step 6, when a subsequent data packet arrives, matching the packet against the time domains of the ACL rules on the flow node, and executing the corresponding time-domain action.
In the rapid matching method based on the ACL time domain as described above, an ACL rule comprises a five-tuple and a time domain, wherein the five-tuple comprises a source IP, a destination IP, a source port, a destination port and a protocol.
In the rapid matching method based on the ACL time domain as described above, the actions of a time domain include discarding (drop) and passing (permit).
In the rapid matching method based on the ACL time domain as described above, if no time domain is configured for a rule, the time domain defaults to infinity, i.e. the rule is in effect at all times.
In the rapid matching method based on the ACL time domain as described above, matching the packet against the time domains of the ACL rules and executing the corresponding time-domain action specifically comprises: obtaining the arrival time of the data packet, matching the arrival time against the time domains of the ACL rules stored on the flow node, and executing the action of the time domain that matches.
The present application also provides a computer storage medium having one or more program instructions embodied therein for execution by a processor to perform the rapid matching method based on an ACL time domain as described in any one of the above.
The beneficial effects achieved by the invention are as follows: with this scheme, an ACL matching result of low computational complexity is obtained after a single matching pass; the actions for all points in time after the first packet is received are known after that one pass, the rules do not need to be matched again for later packets of the flow, and the complexity of ACL matching is greatly reduced.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments described in the present invention, and other drawings may be obtained according to these drawings for a person having ordinary skill in the art.
Fig. 1 is a flowchart of a fast matching method based on ACL time domain according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Example 1
As shown in Fig. 1, the first embodiment of the present application provides a fast matching method based on an ACL time domain. It yields an ACL matching result of low computational complexity: by obtaining the actions for all points in time after the first packet is received in a single matching pass, the rules never need to be matched again for later packets of the same flow, which greatly reduces the complexity of ACL matching. The method comprises the following steps:
Step 1, collecting the data packet.
Step 2, constructing a flow according to the five-tuple of the data packet, calculating a hash value of the five-tuple, and putting the hash value into a hash bucket.
Five-tuple: generally the source IP, destination IP, source port, destination port and protocol.
Step 3, searching for all ACL rules hit by the five-tuple.
In this embodiment, on receipt of the first packet of a flow, all ACL rules are traversed and every rule the five-tuple can hit is collected, so that a single matching pass determines the rules and actions for the whole lifetime of packets with that five-tuple; the hit rules are then sorted by time, and when a subsequent packet arrives, the ACL action for the corresponding time is executed.
Step 4, sorting the time domains of the hit ACL rules, and recording the action of each time domain, which is either discarding or passing.
An ACL rule provided by the present application comprises a five-tuple and a time domain; a set of such ACL rules is shown in the following table:
Assuming that the five-tuple of a packet hits rule 1 and rule 2 in the table, the time domains returned to the flow node are the union of T0 and T1, and within each of the two time domains the action recorded for that time domain is executed.
Step 5, returning the sorted ACL rules to the flow node; if no time domain is configured for a rule, its time domain defaults to infinity, i.e. the rule is in effect at all times.
Step 6, when a subsequent data packet arrives, performing the following actions:
(1) obtaining the arrival time of the data packet;
(2) matching the arrival time of the data packet against the time domains of the ACL rules on the flow node, and executing the action of the matching time domain;
(3) returning to continue waiting for the next data packet.
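The six steps of the Disclosure section and of Example 1 above, as an added worked example that is not code from the patent or from the assignee: a flow cache runs the full ACL traversal once per five-tuple, stores the hit rules sorted by time domain on the flow node, and answers later packets of the flow from their arrival time alone. `Rule`, `FlowCache`, `ALWAYS`, the CRC32 bucket hash, the generation counter and the sample rules and flows are assumptions made for illustration, not identifiers or details from the patent; the sample traffic is constructed.

```python
# Added example, not code from the patent: a flow cache that runs the full
# ACL match once per five-tuple, stores the hit rules sorted by time domain on
# the flow node, and answers later packets by arrival time only.
# Rule, FlowCache, ALWAYS and the sample rules/flows are assumptions made for
# illustration; they are not identifiers from the patent.
import zlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

# "no time domain configured" is modelled as a window that never ends
ALWAYS: Tuple[float, float] = (0.0, float("inf"))


@dataclass(frozen=True)
class Rule:
    src: Optional[str]                      # None in any field is a wildcard
    dst: Optional[str]
    sport: Optional[int]
    dport: Optional[int]
    proto: Optional[str]
    action: str                             # "permit" (pass) or "drop" (discard)
    window: Tuple[float, float] = ALWAYS    # [start, end) in seconds since midnight

    def hits(self, five_tuple) -> bool:
        fields = (self.src, self.dst, self.sport, self.dport, self.proto)
        return all(f is None or f == v for f, v in zip(fields, five_tuple))


class FlowCache:
    def __init__(self, rules: List[Rule], default_action: str = "drop", nbuckets: int = 1024):
        self.rules = list(rules)            # configured order is the precedence order
        self.default = default_action
        self.nbuckets = nbuckets
        self.generation = 0                 # bumped on every ACL change
        self.buckets = {}                   # bucket -> [[generation, five_tuple, schedule], ...]

    def update_rules(self, rules: List[Rule]) -> None:
        self.rules = list(rules)
        self.generation += 1                # cached schedules must not outlive the policy

    def _bucket(self, five_tuple) -> int:
        return zlib.crc32(repr(five_tuple).encode()) % self.nbuckets

    def _build_schedule(self, five_tuple):
        # the one full traversal of the ACL: collect every hit rule with its window,
        # then sort by window start so a lookup can stop at the first future window
        sched = [(r.window[0], r.window[1], i, r.action)
                 for i, r in enumerate(self.rules) if r.hits(five_tuple)]
        sched.sort(key=lambda s: s[0])
        return sched

    def _flow(self, five_tuple):
        chain = self.buckets.setdefault(self._bucket(five_tuple), [])
        for node in chain:                  # compare the full tuple: bucket collisions
            if node[1] == five_tuple:       # must never share a schedule
                if node[0] != self.generation:
                    node[0], node[2] = self.generation, self._build_schedule(five_tuple)
                return node
        node = [self.generation, five_tuple, self._build_schedule(five_tuple)]
        chain.append(node)
        return node

    def lookup(self, five_tuple, arrival: float) -> str:
        # later packets of the flow: scan the stored schedule by arrival time only
        best = None
        for start, end, idx, action in self._flow(five_tuple)[2]:
            if start > arrival:
                break                       # sorted by start: nothing later can cover it
            if arrival < end and (best is None or idx < best[0]):
                best = (idx, action)        # overlapping windows: first configured rule wins
        return best[1] if best else self.default


def demo():
    def h(hour):
        return hour * 3600.0

    rules = [
        Rule("10.0.0.5", "10.0.0.9", None, 502, "tcp", "permit", (h(8), h(18))),  # rule 1, T0 = 08:00-18:00
        Rule("10.0.0.5", None, None, 502, "tcp", "drop", (h(16), h(22))),          # rule 2, T1 = 16:00-22:00
        Rule(None, "10.0.0.9", None, 502, "tcp", "permit"),                        # rule 3, no time domain
    ]
    cache = FlowCache(rules)
    flow = ("10.0.0.5", "10.0.0.9", 40000, 502, "tcp")    # constructed Modbus/TCP flow
    other = ("10.0.0.7", "10.0.0.9", 40001, 23, "tcp")    # hits no rule -> default action
    hours = (7, 9, 17, 21, 23)
    before = [cache.lookup(flow, h(t)) for t in hours]
    cache.update_rules(rules[1:])                         # operator deletes rule 1
    after = [cache.lookup(flow, h(t)) for t in hours]
    return before, after, cache.lookup(other, h(12))


if __name__ == "__main__":
    print(demo())
```

Three design points that the patent text leaves open are made explicit here. The schedule is sorted by window start so a lookup stops at the first window that begins after the arrival time; where T0 and T1 overlap with conflicting actions (17:00 in the sample), the example keeps the configured rule order as the tiebreaker, which is the usual first-match ACL semantics. The generation counter makes a rule change rebuild a flow's schedule on its next packet; without it, a flow admitted before a rule was deleted would keep the cached permit until the flow entry aged out. A real implementation must also bound and age the flow table, because each new five-tuple costs one full ACL traversal plus an entry.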
Corresponding to the above embodiments, an embodiment of the present invention provides a computer storage medium, including: at least one memory and at least one processor;
the memory is used for storing one or more program instructions;
a processor for executing one or more program instructions for performing a fast matching method based on ACL time domains.
In accordance with the foregoing embodiments, the embodiments of the present invention provide a computer readable storage medium having one or more program instructions embodied therein, the one or more program instructions configured to be executed by a processor to perform a fast matching method based on ACL time domains.
The disclosed embodiments provide a computer readable storage medium having stored therein computer program instructions that, when executed on a computer, cause the computer to perform a rapid matching method based on ACL time domains as described above.
In the embodiment of the invention, the processor may be an integrated circuit chip with signal processing capability. The processor may be a general purpose processor, a digital signal processor (Digital Signal Processor, DSP for short), an application specific integrated circuit (Application Specific Integrated Circuit, ASIC for short), a field programmable gate array (Field Programmable Gate Array, FPGA for short), or another programmable logic device, discrete gate or transistor logic device, or discrete hardware component.
The methods, steps and logic blocks disclosed in the embodiments of the present invention may be implemented or performed by such a processor. A general purpose processor may be a microprocessor, or the processor may be any conventional processor. The steps of the method disclosed in connection with the embodiments of the present invention may be executed directly by a hardware decoding processor, or by a combination of hardware and software modules in a decoding processor. The software modules may be located in a random access memory, flash memory, read only memory, programmable read only memory, electrically erasable programmable memory, registers, or another storage medium well known in the art. The processor reads the information in the storage medium and, in combination with its hardware, performs the steps of the above method.
The storage medium may be memory, for example, may be volatile memory or nonvolatile memory, or may include both volatile and nonvolatile memory.
The nonvolatile Memory may be a Read-Only Memory (ROM), a Programmable ROM (PROM), an Erasable PROM (EPROM), an electrically Erasable ROM (Electrically EPROM, EEPROM), or a flash Memory.
The volatile memory may be a random access memory (Random Access Memory, RAM for short), which acts as an external cache. By way of example and not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM), and direct Rambus RAM (DRRAM).
The storage media described in embodiments of the present invention are intended to comprise, without being limited to, these and any other suitable types of memory.
Those skilled in the art will appreciate that in one or more of the examples described above, the functions described in the present invention may be implemented in a combination of hardware and software. When the software is applied, the corresponding functions may be stored in a computer-readable medium or transmitted as one or more instructions or code on the computer-readable medium. Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another. A storage media may be any available media that can be accessed by a general purpose or special purpose computer.
The foregoing embodiments have been provided for the purpose of illustrating the general principles of the present invention in further detail, and are not to be construed as limiting the scope of the invention, but are merely intended to cover any modifications, equivalents, improvements, etc. based on the teachings of the invention.

Claims (5)

1. A rapid matching method based on an ACL time domain, comprising:
step 1, collecting a data packet;
step 2, constructing a flow according to the five-tuple of the data packet, calculating a hash value of the five-tuple, and putting the hash value into a hash bucket;
step 3, searching for all ACL rules hit by the five-tuple;
step 4, sorting all time domains of the hit ACL rules, and recording the action of each time domain;
step 5, returning the sorted ACL rules to the flow node;
step 6, when a subsequent data packet arrives, matching the packet against the time domains of the ACL rules, and executing the corresponding time-domain action;
wherein matching the packet against the time domains of the ACL rules and executing the corresponding time-domain action specifically comprises: obtaining the arrival time of the data packet, matching the arrival time against the time domains of the ACL rules on the flow node, executing the action of the time domain that matches, and returning to continue waiting for the next data packet.
2. The ACL time domain-based rapid matching method of claim 1, wherein an ACL rule comprises a five-tuple and a time domain, the five-tuple comprising a source IP, a destination IP, a source port, a destination port and a protocol.
3. The ACL time domain-based rapid matching method of claim 1, wherein the actions of a time domain include discarding and passing.
4. The ACL time domain-based rapid matching method of claim 1, wherein if no time domain is configured, the time domain defaults to infinity.
5. A computer storage medium having one or more program instructions embodied therein for execution by a processor to perform the rapid matching method based on an ACL time domain as claimed in any one of claims 1 to 4.
5. A computer storage medium having one or more program instructions embodied therein for execution by a processor of a rapid matching method based on ACL time domains as claimed in any one of claims 1 to 4.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111360590.5A CN114301620B (en) 2021-11-17 2021-11-17 ACL time domain-based rapid matching method

Publications (2)

Publication Number Publication Date
CN114301620A CN114301620A (en) 2022-04-08
CN114301620B true CN114301620B (en) 2024-04-16

Family

ID=80965981

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111360590.5A Active CN114301620B (en) 2021-11-17 2021-11-17 ACL time domain-based rapid matching method

Country Status (1)

Country Link
CN (1) CN114301620B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115580579B (en) * 2022-09-28 2024-06-04 Hangzhou DPtech Technologies Co., Ltd. Message forwarding method and device, electronic equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101039271A (en) * 2007-03-20 2007-09-19 Huawei Technologies Co., Ltd. Method and apparatus for taking effect rules of access control list
CN103236893A (en) * 2013-03-22 2013-08-07 NR Electric Co., Ltd. Network message synchronizing method for process levels of intelligent substation
CN107294929A (en) * 2016-04-05 2017-10-24 Alibaba Group Holding Limited Rule match and management method and device
CN112637234A (en) * 2020-12-30 2021-04-09 Ruijie Networks Co., Ltd. Security rule updating method and device based on port change

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CA2287689C (en) * 1998-12-03 2003-09-30 P. Krishnan Adaptive re-ordering of data packet filter rules
US9237128B2 (en) * 2013-03-15 2016-01-12 International Business Machines Corporation Firewall packet filtering

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Implementation of a configuration management system for a packet filtering device; 张泽鑫, 陈曙晖, 苏金树; Computer Engineering and Science (05); full text *
A time-based policy audit scheme for multi-layer firewall access control lists; 王旭东, 陈清萍, 李文, 张信明; Journal of Computer Applications (01); full text *
Research on an LDoS attack detection method based on time-window statistics; 吴志军, 曾化龙, 岳猛; Journal on Communications (12); full text *

Also Published As

Publication number Publication date
CN114301620A (en) 2022-04-08

Similar Documents

Publication Publication Date Title
US10834085B2 (en) Method and apparatus for speeding up ACL rule lookups that include TCP/UDP port ranges in the rules
US20180083882A1 (en) Methods, systems, and computer readable media for discarding messages during a congestion event
CN112787951B (en) Congestion control method, apparatus, device and computer readable storage medium
WO2017025021A1 (en) Method and device for processing flow table
CN107689901B (en) Method and device for monitoring traffic message flow
US9049200B2 (en) System and method for improving hardware utilization for a bidirectional access controls list in a low latency high-throughput network
US10212083B2 (en) Openflow data channel and control channel separation
WO2020207248A1 (en) Stream classification method and device
US9379978B2 (en) Parallel processing for low latency network address translation
CN114301620B (en) ACL time domain-based rapid matching method
WO2021104393A1 (en) Method for achieving multi-rule flow classification, device, and storage medium
US9893997B2 (en) System and method for creating session entry
US20170063706A1 (en) Method and communication system
WO2015176212A1 (en) Tcam and fpga-based packet processing method and device
US10205658B1 (en) Reducing size of policy databases using bidirectional rules
US20160065457A1 (en) Flow inheritance
CN112887317A (en) Method and system for protecting database based on VXLAN network
CN107086965B (en) ARP (Address resolution protocol) table entry generation method and device and switch
WO2017211211A1 (en) Packet forwarding method and device
CN111064671B (en) Data packet forwarding method and device and electronic equipment
US20070104188A1 (en) Determining transmission latency in network devices
CN114827044B (en) Message processing method, device and network equipment
US9152494B2 (en) Method and apparatus for data packet integrity checking in a processor
US20040083337A1 (en) Content addressable memory with automated learning
CN113518025B (en) Message management method, device, equipment and machine-readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant