CN114430341A - Method and device for realizing conversion from exact rule to mask rule - Google Patents
Method and device for realizing conversion from exact rule to mask rule Download PDFInfo
- Publication number
- CN114430341A CN114430341A CN202111634485.6A CN202111634485A CN114430341A CN 114430341 A CN114430341 A CN 114430341A CN 202111634485 A CN202111634485 A CN 202111634485A CN 114430341 A CN114430341 A CN 114430341A
- Authority
- CN
- China
- Prior art keywords
- rule
- flexible
- quintuple
- types
- type
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0263—Rule management
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Business, Economics & Management (AREA)
- General Business, Economics & Management (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention relates to the technical field of network security, and provides a method and a device for realizing a function-to-mask rule based implementation. The invention provides a flexible five-tuple rule realization method for the condition that a certain special local point exceeds the search performance of an FPGA (field programmable gate array) in the process of controlling the functions of flow forwarding, discarding, redirecting and the like under the action of an ACL (access control list) rule. The ACL rule type with less part of rule numbers is selected to be converted from the exact rule into the mask rule, so that when the number of the flexible quintuple rule types exceeds the search performance of the FPGA, the TCAM is used for searching and storing the flexible quintuple rule types which are mask rules, the exact rule types needing to be searched by the equipment are still kept in the search performance of the FPGA, and the logic search performance can be ensured, thereby avoiding the condition that the rule of the current network part ACL cannot be hit, the packet loss is caused, or the flow forwarding error is caused because the rule of the black list or redirection action is hit, and the white list action is carried out.
Description
Technical Field
The invention relates to the technical field of network security, in particular to a method and a device for realizing the function rule to mask rule based.
Background
For network security devices, the role of the ACL rules is mainly to control the functions of traffic forwarding, dropping, redirecting, etc. For high-end network security devices, such as shunts and certain special devices, ACL rules are very diverse and have large rule capacity, and high-end chips such as NPS | FPGA and switch chips are generally used as basic chips of the devices. For example, the rule types required by a specific device are flexible quintuple, mask quintuple, feature code rule, extension header rule, prefix and suffix rule of V6, VLAN | MPLS rule, etc., and the types are very many, while the rule number quintuple requires tens of millions of levels. For such needs, the difficulty is high no matter the matching of the rules and the output of the rule priority, the main bottleneck lies in the search performance of the FPGA, and the unreasonable design can cause resource waste and miss situations. The difficulty is particularly great for the flexible quintuple rule with the largest rule type and the largest number, and the following focuses on the implementation of the current flexible quintuple rule.
The flexible quintuple rule is stored in DDR particles in the FPGA, so that how much space can be reserved depends on the size of a DDR memory, and the method relates to chip type selection and is not described in more detail here. The rule types of the flexible quintuple rule are 25 types by combining five element permutation, minus all the careless categories (and the rule of the quintuple of all 0), and there are 31 rule types, and currently, for the online project of the operator, the rule types are generally 6, for example: some important items include 12 rule types, and the rule types in some special points exceed 12 types. For more than 12 rule types of sites, many high-end chip lookup performance bottlenecks are often reached.
In view of the above, overcoming the drawbacks of the prior art is an urgent problem in the art.
Disclosure of Invention
The invention aims to provide a method for realizing a mask rule based on an exact rule.
The invention further aims to provide a device for realizing the mask rule based on the exact rule.
The invention adopts the following technical scheme:
in a first aspect, a method for implementing a mask rule based on an exact rule includes:
the method comprises the steps that flexible quintuple rules are stored in a memory and are subjected to flow hit, when the number of flexible quintuple rule types required by a local point is larger than a first number, the first number of flexible quintuple rule types are selected as a first part of flexible quintuple rule types, and the first part of flexible quintuple rule types are stored in a first memory;
selecting flexible quintuple rule types exceeding the first number as a second part of flexible quintuple rule types, converting the exact rules of the second part of flexible quintuple rule types into mask rules and storing the mask rules in a second memory;
and the flow rate matches the flexible quintuple rule, hits the matched flexible quintuple rule type according to the priority and outputs the flow rate.
Preferably, the number of rules for all flexible five-tuple rule types is queried and sorted from small to large.
Preferably, the flexible five-tuple rule types with relatively smaller rule number are selected from small to large as the second part of flexible five-tuple rule types in sequence until the second part of flexible five-tuple rule types are filled up
And converting the exact rule of the second part of flexible quintuple rule type into a mask rule and storing the mask rule in a second memory.
Preferably, the traffic matches the flexible quintuple rule, hits the matched flexible quintuple rule type according to the priority, and outputs the traffic, specifically including:
and when the flow is matched with only one flexible quintuple rule type, the flow hits the matched flexible quintuple rule type and is output according to the hit flexible quintuple rule type.
Preferably, the traffic matches the flexible quintuple rule, hits the matched flexible quintuple rule type according to the priority, and outputs the traffic, specifically including:
and when the flow is matched with two or more flexible quintuple rule types, finding the flexible quintuple rule type with the highest priority in the matched flexible quintuple rule types according to the priority by the flow.
Preferably, the priority specifically includes:
a priority of a flexible quintuple rule type required by the office point;
an exact rule of the flexible quintuple rule type and a priority of a mask rule of the flexible quintuple rule type.
Preferably, when the found flexible quintuple rule type with the highest priority is the target flexible quintuple rule type, the traffic hits the flexible quintuple rule type with the highest priority and is output.
Preferably, when the found flexible quintuple rule type with the highest priority is not the target flexible quintuple rule type, the priority is changed so that the priority of the target flexible quintuple rule type is the highest, and the flow hits the flexible quintuple rule type with the highest priority after being changed and is output.
Preferably, the flexible quintuple rule comprises: SIP, DIP, sports, Dport, Protocol and the mutual combination of the 5 flexible quintuple rules SIP, DIP, sports, Dport and Protocol;
the number of rule types of the flexible quintuple is less than or equal to 32.
In a second aspect, an implementation apparatus for converting exact rules to mask rules includes at least one processor and a memory communicatively connected to the at least one processor; wherein the memory stores instructions executable by the at least one processor for performing the exact rule transfer mask rule based implementation method.
The invention provides a flexible five-tuple rule realization method for the condition that a certain special local point exceeds the search performance of an FPGA (field programmable gate array) in the process of controlling the functions of flow forwarding, discarding, redirecting and the like under the action of an ACL (access control list) rule. The ACL rule type with less part of rule numbers is selected to be converted from the exact rule into the mask rule, so that when the number of the flexible quintuple rule types exceeds the search performance of the FPGA, the TCAM is used for searching and storing the flexible quintuple rule types which are mask rules, the exact rule types needing to be searched by the equipment are still kept in the search performance of the FPGA, and the logic search performance can be ensured, thereby avoiding the condition that the rule of the current network part ACL cannot be hit, the packet loss is caused, or the flow forwarding error is caused because the rule of the black list or redirection action is hit, and the white list action is carried out.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings used in the embodiments of the present invention will be briefly described below. It is obvious that the drawings described below are only some embodiments of the invention, and that for a person skilled in the art, other drawings can be derived from them without inventive effort.
Fig. 1 is a flowchart of a method for implementing a mask rule based on an exact rule according to an embodiment of the present invention;
FIG. 2 is a flowchart of a method for implementing a method for converting a mask rule based on an exact rule according to an embodiment of the present invention;
FIG. 3 is a flowchart of a method for implementing a method for converting a mask rule based on an exact rule according to an embodiment of the present invention;
FIG. 4 is a flowchart illustrating a method for implementing a mask rule based on an exact rule according to an embodiment of the present invention;
fig. 5 is a schematic device diagram of an implementation device based on exact rule to mask rule according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
In the description of the present invention, the terms "inner", "outer", "longitudinal", "lateral", "upper", "lower", "top", "bottom", and the like indicate orientations or positional relationships based on those shown in the drawings, only for the purpose of facilitating the description of the present invention but not for the purpose of requiring the present invention to be necessarily constructed and operated in a specific orientation, and thus should not be construed as limiting the present invention.
In addition, the technical features involved in the embodiments of the present invention described below may be combined with each other as long as they do not conflict with each other.
Example 1:
the embodiment 1 of the invention provides a method for realizing a mask rule based on an exact rule, which specifically comprises the following steps:
as shown in fig. 1, the flexible quintuple rule is stored in the memory and output, and when the number of types of flexible quintuple rules required by the local site is greater than the first number, the flow is as follows:
in step 101, a first number of flexible quintuple rule types are selected as a first part of flexible quintuple rule types;
in step 102, storing the first part of flexible quintuple rule type in a first memory;
in step 103, selecting more than a first number of flexible quintuple rule types as a second part of flexible quintuple rule types;
in step 104, converting the exact rule of the second part of flexible quintuple rule type into a mask rule;
in step 105, storing the second part of the flexible five-tuple rule type in a second memory;
in step 106, the traffic matches the flexible quintuple rule, and hits the matched flexible quintuple rule type according to the priority and outputs the traffic.
Since there may be cases where the number of rule types of the flexible quintuple is greater than the first number and less than or equal to the first number in different local points, the flow in two different cases is as follows:
as shown in fig. 2, the flow of the implementation method based on exact rule to mask rule is as follows:
in step 201, inquiring the rule type number of the flexible quintuple existing in the current local point;
in step 202, comparing whether the rule type number of the flexible quintuple existing in the current office point is larger than a first number, if so, jumping to step 104, and if not, jumping to step 103;
the first number is greater than or equal to 12, and because the rule types in part of special local points at present have the condition that more than 12 flexible quintuple rule types, for the local points with more than 12 flexible quintuple rule types, the performance bottleneck of searching for a plurality of high-end chips is often reached, so the first number is set and determined by persons in the field according to the performance bottleneck of searching for the high-end chips at present, and the protection range of the special local points is not limited;
because the mask rule is a mask quintuple rule, and the mask quintuple rule and the five elements in the exact rule are adopted, the difference is that the mask quintuple rule needs to be matched according to a mask range, the exact rule of the flexible quintuple can be converted into the mask rule to be placed in a second memory for storage and search operation.
The first part of flexible quintuple rule types are a first number of flexible quintuple rule types within the first memory searching performance, do not need to perform the operation of converting the exact rule into the mask rule, and are directly delivered to the first memory for storage and searching operation;
the first memory is an FPGA hardware chip, the first part of flexible quintuple rule types are stored in DDR particles in the FPGA, 12 or less than 12 flexible quintuple rule types are the bottleneck of the search performance of the FPGA hardware chip, and the first memory is set by a user or a person skilled in the art according to needs and should not limit the protection scope of the patent.
The second part of flexible quintuple rule types are that the whole quantity of the flexible quintuple rule types exceeds the searching performance of the first memory, and a part of the flexible quintuple rule types is taken out from the whole quantity of the flexible quintuple rule types to be stored in the second memory for entering and exiting searching operation, so that the searching operation pressure of the first memory is shared, and the exact rule of the second part of flexible quintuple rule types is converted into a mask rule;
the second memory is a TCAM ternary content addressable memory, and mainly stores a mask rule, the exact rule of the second part of flexible quintuple rule type is converted into a mask rule and stored in the TCAM ternary content addressable memory, and the second memory is set by a user or a person skilled in the art according to needs, and the protection scope of the patent should not be limited.
The flexible quintuple rule is mainly used for controlling functions of flow forwarding, discarding, redirecting and the like, so that after the flexible quintuple rule type is stored in the memory, the flow root message matches the flexible quintuple rule type, and hits and outputs a target flexible quintuple rule type in the matched flexible quintuple rule type according to a set priority.
The target flexible quintuple rule type is a flexible quintuple rule required by a user and used for controlling functions of correct traffic forwarding, discarding, redirecting and the like, and is set by the user or a person skilled in the art according to needs, and the protection scope of the patent is not limited.
After the exact rule of the second part of flexible quintuple rule types is converted into a mask rule, the flexible quintuple rule types needing to be searched by the first memory are also the rule types of the first quantity and the type, so that the searching performance bottleneck of the first memory is prevented from being exceeded, and therefore part of flexible quintuple rules cannot be hit, packet loss is caused, or a rule that should be hit to go through a blacklist or redirect action goes through a whitelist, and finally traffic forwarding errors are caused.
In step 203, when the number of rule types of the flexible quintuple existing in the current office point is less than or equal to the first number, storing the rule type of the flexible quintuple in a first memory and hitting the rule type by the flow;
the second memory is a TCAM ternary content addressable memory, and the TCAM ternary content addressable memory has limited rule capacity and cannot store flexible quintuple rule types with excessive rule number, so the following preferred method exists:
in step 204, inquiring the rule number of all the flexible quintuple rule types, and sequencing from small to large;
in step 205, selecting the rule type with relatively small number of flexible quintuple rules as a second part to be stored in a second memory, and storing the rest flexible quintuple rule types in a first memory;
as shown in fig. 3, the partitioning procedure of the rule type of the second part of flexible five-tuple rule is as follows:
in step 301, the rule types existing in the office points and the number of each current rule type are searched;
in step 302, the rule numbers of all flexible five-tuple rule types are sorted from small to large;
in step 303, the rule types with relatively smaller flexible quintuple rule number are sequentially divided into a second part of flexible quintuple rule types;
when the number of the flexible quintuple rule types required by the local point is one more than the first number, selecting the flexible quintuple rule type with the minimum rule number as a second part of flexible quintuple rule type, converting the exact rule of the second part of flexible quintuple rule type into a mask rule and storing the mask rule in a second memory; when the number of the flexible quintuple rule types required by the local point is two or more than two than the first number, sequentially selecting the flexible quintuple rule type with the minimum rule number into a second part of flexible quintuple rule types;
in step 304, checking whether the number of the flexible five-tuple rule types classified into the second part is the difference value obtained by subtracting the first number from the number of the flexible five-tuple rule types existing in the current local point, if so, indicating that the second part is filled, and skipping to step 305; if not, the second part is not filled, and the step 303 is skipped;
in step 305, the exact rule of the second part of flexible quintuple rule type is converted into a mask rule and stored in a second memory.
When traffic is forwarded, discarded, redirected, and the like according to an ACL rule, the traffic may match flexible quintuple rule types in the office point, and the situation that multiple flexible quintuple rule types are matched may occur, but only one target flexible quintuple rule type needs to be hit, and the traffic is output according to the hit target flexible quintuple rule type, so the following preferred method exists:
and when the flow is matched with only one flexible quintuple rule type, the flow hits the matched flexible quintuple rule type, and the flow is output according to the hit flexible quintuple rule type.
And when the flow is matched with two or more flexible quintuple rule types, the flow hits the flexible quintuple rule type with the highest priority in the matched flexible quintuple rule types according to the priority, and the flow is output according to the hit flexible quintuple rule type.
The flexible quintuple rules comprise SIP, DIP, Sport, Dport and Protocol, and the 5 flexible quintuple rules are combined with each other, wherein the SIP is a source address, the DIP is a destination address, the Sport is a source port, the Dport is a destination port and the Protocol is a Protocol;
the content range of the SIP is 0.0.0.0-255.255.255.255;
the content range of the DIP is 0.0.0-255.255.255.255;
the content range of the Sport is 1-65535;
the content range of Dport is 1-65535;
the content range of the Protocol is 1-255;
the number of the rule types of the flexible quintuple is 31 in total except that the flexible quintuple is all 0, wherein the rule types comprise 5 basic flexible quintuple rule types of SIP, DIP, Sport, Dport and Protocol, the other 26 flexible quintuple rules are the mutual combination of SIP, DIP, Sport, Dport and Protocol, and one flexible quintuple rule cannot have two same basic flexible quintuple rule types;
when the flow is matched with a flexible quintuple rule type, the contents of the SIP, DIP, sports and Dport corresponding to the flow message and the contents corresponding to the flexible quintuple rule type are consistent;
and when the flow is matched with the two or more flexible quintuple rule types, the contents of the SIP, DIP, sports, Dport and Protocol positions corresponding to the flow message meet the requirement that the contents corresponding to the two or more flexible quintuple rule types are consistent at the same time.
The priority is that a target flexible quintuple rule is selected preferentially to hit from two or more flexible quintuple rule types matched with the flow; wherein the priorities include:
a priority of a flexible quintuple rule type required by the office point;
an exact rule of the flexible quintuple rule type and a priority of a mask rule of the flexible quintuple rule type.
The priority of the flexible quintuple rule type required by the office point specifically includes: setting the hit priority order of all flexible quintuple rule types in the local point, so that the target flexible quintuple can be hit by the flow preferentially after being matched;
the priority of the exact rule of the flexible quintuple rule type and the mask rule of the flexible quintuple rule type specifically comprises: and setting the hit priority order of the exact rule of the flexible quintuple rule type and the mask rule of the flexible quintuple rule type, so that the target flexible quintuple can be hit as the exact rule or the mask rule.
When there are the above two priorities, there may be conflict between the priority objects of the two priorities, which results in the situation that the matched target flexible five-tuple rule type cannot be hit by traffic because the priorities cannot be hit by traffic, so there are the following preferred methods:
and when the matched target flexible five-tuple rule type cannot be hit by the flow because of the priority, changing the priority to ensure that the priority of the target flexible five-tuple rule type is the highest, and the flow hits the target flexible five-tuple rule type and outputs the target flexible five-tuple rule type.
The changing the priority specifically includes: changing the hit priority order of the flexible quintuple rule type matched with the flow to ensure that the hit priority of the target flexible quintuple rule type is the highest, thereby ensuring that the target flexible quintuple rule type can be hit by the flow preferentially;
because the priority of the target flexible quintuple rule type is the highest of all rule types matched with the flow possibly, but the priority of the exact rule is higher than that of the mask rule, and the target flexible quintuple rule type is converted into the mask rule, the target flexible quintuple rule type cannot be hit by the flow, the hit priority order of the exact rule of the flexible quintuple rule type and the mask rule of the flexible quintuple rule type is changed, the hit priority of the target flexible quintuple rule type is the highest, and the target flexible quintuple rule type can be hit by the flow preferentially;
example 2:
embodiment 2 of the present invention provides a method for implementing a mask rule based on an exact rule, and embodiment 2 shows an implementation procedure of the present solution from a more specific scenario than embodiment 1.
Five elements in the flexible quintuple comprise SIP, DIP, Sport, Dport and Protocol, the permutation and combination of the five elements has 32 types in total, one type which is not concerned about all the five elements is removed, namely the type with all the five elements being 0, and 31 types are left;
let the rule concerning only SIP be type16, assuming that SIP is 1;
let the rule concerning DIP alone be type8, assuming DIP is 2;
let the rule concerning only Sport be type4, let Sport be 4;
let the rule concerning Dport only be type2, let Dport equal to 8;
let the rule concerning only Protocol be type1, assuming Protocol is 16;
wherein, SIP + DIP + Sport + Dport + Protocol is 31, the combination of five elements in the flexible quintuple is arranged to obtain the remaining 26 rules except the five rules, for example, the rule type of SIP + DIP 1+2 + 3 is type 3; the details are shown in the following table:
the 31 flexible quintuple rule types are defined as shown in the table; adding a command show rule type sum in the device, searching all the flexible five-tuple rule types and their rule numbers existing in the device, and obtaining the contents of five basic elements of the flexible five-tuple corresponding to them, which is specifically shown in the following table:
the number of rules in the table is the number of pieces issued to the device in the same flexible quintuple rule type, where the rule values between adjacent pieces in part of the rule types have a difference, i.e., step size.
As can be seen from the above table, the rule types of 15 flexible quintuple existing in the device, in this embodiment, the first memory is an FPGA hardware chip, and the second memory is a TCAM ternary content addressable memory, so that the first number in this embodiment is 12, and the rule type of three flexible quintuple with the minimum rule number needs to be selected from the rule types of 15 flexible quintuple existing in the device, and their exact rules are converted into mask rules; as shown in the above figure, the three flexible quintuple rule types with the least number of rules are type16, type18 and type15, and thus, the exact rules of the three flexible quintuple rule types shown as type16, type18 and type15 are converted into mask rules.
In the embodiment, the hit priority of the flexible quintuple is set to be gradually reduced along with the increase of the sequence number of the rule type, the type4 has the highest priority, the type8 has the second priority, and the type31 has the lowest priority;
in this embodiment, the priority of the exact rule for setting the flexible quintuple rule type is higher than the mask rule for setting the flexible quintuple rule type;
in the embodiment, the flow is SIP 11.1.1.3; DIP 2.2.2.2; sprot: 1001; dport: 66; protocol: 0;
as shown in fig. 4, the flow of the target flexible quintuple rule type hit and output of the corresponding traffic is as follows:
in step 401, as can be seen from the above table, the traffic is matched with the flexible quintuple rule type18, the flexible quintuple rule type8 and the flexible quintuple rule type 4;
the target flexible quintuple rule type of the embodiment is type 4;
in step 402, since the hit priority of the flexible quintuple is set to decrease gradually as the sequence number of the rule type increases, and the action rule priority of the flexible quintuple rule type is higher than the mask rule of the flexible quintuple rule type; therefore, the priority of flexible quintuple rule type4 is higher than that of flexible quintuple rule type18 and flexible quintuple rule type8, and the flexible quintuple rule type4 is an exact rule and has a higher priority than the mask rule of flexible quintuple rule type 18; traffic will hit flexible quintuple rule type 4;
in step 403, since the target flexible quintuple rule type is type4, go to step 404;
in step 404, the traffic hits the flexible quintuple rule type4 and is output, completing the hit of the target flexible quintuple rule type and the output of the corresponding traffic.
Example 3:
embodiment 3 of the present invention provides a method for implementing a mask rule based on an exact rule, and embodiment 3 shows an implementation procedure of the present solution from a more specific scenario than embodiment 1.
Five elements in the flexible quintuple comprise SIP, DIP, Sport, Dport and Protocol, the permutation and combination of the five elements has 32 types in total, one type which is not concerned about all the five elements is removed, namely the type with all the five elements being 0, and 31 types are left;
let the rule concerning only SIP be type16, let SIP be 16;
let the rule concerning DIP alone be type8, let DIP be 8;
let the rule concerning only Sport be type4, let Sport be 4;
let the rule concerning Dport only be type2, let Dport equal to 2;
let the rule concerning only Protocol be type1, assuming Protocol is 1;
wherein, SIP + DIP + Sport + Dport + Protocol is 31, the combination of five elements in the flexible quintuple is arranged to obtain the rules in the remaining 26 except the five rules, for example, the rule type of SIP + DIP-16 + 8-24 is type 24; the details are shown in the following table:
the 31 flexible quintuple rule types are defined as shown in the table; adding a command show rule type sum in the device, searching all the flexible five-tuple rule types and their rule numbers existing in the device, and obtaining the contents of five basic elements of the flexible five-tuple corresponding to them, which is specifically shown in the following table:
as can be seen from the above table, the rule types of 15 flexible quintuple existing in the device, in this embodiment, the first memory is an FPGA hardware chip, and the second memory is a TCAM ternary content addressable memory, so that the first number in this embodiment is 12, and it is necessary to select the rule type of three flexible quintuple with the smallest rule number from the rule types of 15 flexible quintuple existing in the device, and convert their exact rules into mask rules; as shown in the above figure, the three flexible quintuple rule types with the least number of rules are type16, type18 and type15, and thus, the exact rules of the three flexible quintuple rule types shown as type16, type18 and type15 are converted into mask rules.
In the embodiment, the flexible quintuple output priority is set to be that as the sequence number of the rule type increases, the output priority increases step by step, the type4 has the lowest priority, the type8 has the second priority, and the like, and the type31 has the highest priority;
in this embodiment, the priority of the exact rule for setting the flexible quintuple rule type is higher than the mask rule for setting the flexible quintuple rule type;
in this embodiment, the flow rate is SIP 1.1.1.1; 2.12.2.4 is the DIP; sprot: 1001; dport: 0; protocol: 6;
the target flexible quintuple rule type of the embodiment is type 16;
as shown in fig. 4, the flow of the target flexible quintuple rule type hit and output of the corresponding traffic is as follows:
in step 401, as can be seen from the above table, the traffic is matched with the flexible quintuple rule type16, the flexible quintuple rule type9 and the flexible quintuple rule type 4.
In step 402, the target flexible quintuple rule type in this embodiment is type16, but according to the priority set in this embodiment, although flexible quintuple rule type16 has higher priority than flexible quintuple rule type9 and flexible quintuple rule type4, flexible quintuple rule type16 is a mask rule, in this embodiment, the exact rule priority of flexible quintuple rule type is higher than the mask rule of flexible quintuple rule type; traffic will hit flexible quintuple rule type 9;
in step 403, since the target flexible quintuple rule type is type16, if the priority relationship is not changed, the traffic cannot hit the target flexible quintuple rule type is type16 and is output;
in step 405, changing the priority of the exact rule and the mask rule, and changing the priority setting into that the mask rule of the flexible quintuple rule type has higher priority than the exact rule of the flexible quintuple rule type; at this point the traffic will hit flexible quintuple rule type 16;
in step 406, the traffic hits the flexible quintuple rule type16 and is output, completing the hit of the target flexible quintuple rule type and the output of the corresponding traffic.
Example 4:
fig. 5 is a schematic device diagram illustrating an implementation method based on exact rule to mask rule according to an embodiment of the present invention. The implementation device based on the exact rule to mask rule of this embodiment includes one or more processors 51 and a memory 52. In fig. 5, one processor 51 is taken as an example.
The processor 51 and the memory 52 may be connected by a bus or other means, such as the bus shown in fig. 5.
The memory 52 is a non-volatile computer-readable storage medium, and can be used to store a non-volatile software program and a non-volatile computer-executable program, such as the method for implementing the exact rule to mask rule in embodiment 1. The processor 51 executes the implementation method based on the exact rule to mask rule by running the nonvolatile software program and instructions stored in the memory 52.
The memory 52 may include high speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some embodiments, the memory 52 may optionally include memory located remotely from the processor 51, and these remote memories may be connected to the processor 51 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The program instructions/modules are stored in the memory 52, and when executed by the one or more processors 51, perform the implementation method based on the exact rule transfer mask rule in embodiment 1, for example, perform the steps shown in fig. 1 to 4 described above.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and improvements made within the spirit and principle of the present invention are intended to be included within the scope of the present invention.
Claims (10)
1. An implementation method for converting a mask rule based on an exact rule is characterized by comprising the following steps:
the method comprises the steps that flexible quintuple rules are stored in a memory and are subjected to flow hit, when the number of flexible quintuple rule types required by a local point is larger than a first number, the flexible quintuple rule types of the first number are selected as a first part of flexible quintuple rule types, and the first part of flexible quintuple rule types are stored in the first memory;
selecting flexible quintuple rule types exceeding the first number as a second part of flexible quintuple rule types, converting the exact rule of the second part of flexible quintuple rule types into a mask rule and storing the mask rule in a second memory;
and the flow rate matches the flexible quintuple rule, hits the matched flexible quintuple rule type according to the priority and outputs the flow rate.
2. The method of claim 1, wherein the flexible quintuple rule types are queried for a number of rules and sorted from small to large.
3. The method of claim 2, wherein the flexible quintuple rule type having a smaller rule number is selected from the group consisting of smaller and larger flexible quintuple rule types as the second part of flexible quintuple rule types until the second part of flexible quintuple rule types is filled up
And converting the exact rule of the second part of flexible quintuple rule type into a mask rule and storing the mask rule in a second memory.
4. The method for implementing an exact rule to mask rule according to claim 1, wherein the flow matches the flexible quintuple rule, hits the matched flexible quintuple rule type according to priority, and outputs the flow, specifically comprising:
and when the flow is matched with only one flexible quintuple rule type, the flow hits the matched flexible quintuple rule type and is output according to the hit flexible quintuple rule type.
5. The method for implementing an exact rule to mask rule according to claim 1, wherein the flow matches the flexible quintuple rule, hits the matched flexible quintuple rule type according to priority, and outputs the flow, specifically comprising:
and when the flow is matched with two or more flexible quintuple rule types, the flow finds the flexible quintuple rule type with the highest priority in the matched flexible quintuple rule types according to the priority.
6. The method for implementing function-based rule-to-mask rule of claim 5, wherein the priority comprises:
a priority of a flexible quintuple rule type required by the office point;
an exact rule of the flexible quintuple rule type and a priority of a mask rule of the flexible quintuple rule type.
7. The method of claim 5, wherein when the found flexible quintuple rule type with the highest priority is the target flexible quintuple rule type, the traffic hits the flexible quintuple rule type with the highest priority and is output.
8. The method of claim 7, wherein when the found flexible quintuple rule type with the highest priority is not the target flexible quintuple rule type, the priority is changed so that the target flexible quintuple rule type has the highest priority, and the traffic hits and is output the flexible quintuple rule type with the highest priority after the change.
9. The method for implementing an exact rule to mask rule based on claim 1, wherein the flexible quintuple rule comprises: SIP, DIP, Sport, Dport, Protocol and the mutual combination of the 5 flexible quintuple rules SIP, DIP, Sport, Dport and Protocol;
the number of rule types of the flexible quintuple is less than or equal to 32.
10. An implementation device for converting an exact rule into a mask rule is characterized by comprising at least one processor and a memory, wherein the memory is in communication connection with the at least one processor; wherein the memory stores instructions executable by the at least one processor for performing the method of any of claims 1-9 based on the exact rule transfer mask rule.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111634485.6A CN114430341B (en) | 2021-12-29 | 2021-12-29 | Method and device for realizing conversion from exact rule to mask rule |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111634485.6A CN114430341B (en) | 2021-12-29 | 2021-12-29 | Method and device for realizing conversion from exact rule to mask rule |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114430341A true CN114430341A (en) | 2022-05-03 |
| CN114430341B CN114430341B (en) | 2023-04-14 |
Family
ID=81310781
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111634485.6A Active CN114430341B (en) | 2021-12-29 | 2021-12-29 | Method and device for realizing conversion from exact rule to mask rule |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114430341B (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115081628A (en) * | 2022-08-15 | 2022-09-20 | 浙江大华技术股份有限公司 | Method and device for determining adaptation degree of deep learning model |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104954200A (en) * | 2015-06-17 | 2015-09-30 | 国家计算机网络与信息安全管理中心 | Multi-type rule high-speed matching method and device of network data packet |
| US20170195253A1 (en) * | 2015-12-31 | 2017-07-06 | Fortinet, Inc. | Flexible pipeline architecture for multi-table flow processing |
| CN110442586A (en) * | 2019-07-03 | 2019-11-12 | 北京左江科技股份有限公司 | A kind of five-tuple querying method based on classification priority |
| CN111988231A (en) * | 2020-08-20 | 2020-11-24 | 国家计算机网络与信息安全管理中心 | Mask five-tuple rule matching method and device |
-
2021
- 2021-12-29 CN CN202111634485.6A patent/CN114430341B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104954200A (en) * | 2015-06-17 | 2015-09-30 | 国家计算机网络与信息安全管理中心 | Multi-type rule high-speed matching method and device of network data packet |
| US20170195253A1 (en) * | 2015-12-31 | 2017-07-06 | Fortinet, Inc. | Flexible pipeline architecture for multi-table flow processing |
| CN110442586A (en) * | 2019-07-03 | 2019-11-12 | 北京左江科技股份有限公司 | A kind of five-tuple querying method based on classification priority |
| CN111988231A (en) * | 2020-08-20 | 2020-11-24 | 国家计算机网络与信息安全管理中心 | Mask five-tuple rule matching method and device |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115081628A (en) * | 2022-08-15 | 2022-09-20 | 浙江大华技术股份有限公司 | Method and device for determining adaptation degree of deep learning model |
| CN115081628B (en) * | 2022-08-15 | 2022-12-09 | 浙江大华技术股份有限公司 | Method and device for determining adaptation degree of deep learning model |
Also Published As
| Publication number | Publication date |
|---|---|
| CN114430341B (en) | 2023-04-14 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| JP4336625B2 (en) | Packet transfer device | |
| US7872993B2 (en) | Method and system for classifying data packets | |
| US9270592B1 (en) | Hash collision avoidance in network routing | |
| US10084687B1 (en) | Weighted-cost multi-pathing using range lookups | |
| US10778721B1 (en) | Hash-based ACL lookup offload | |
| CN1816016A (en) | Routing method and apparatus for reducing loss of ip packets | |
| US20210051114A1 (en) | Timestamp-based packet switching using a trie data structure | |
| US10348646B2 (en) | Two-stage port-channel resolution in a multistage fabric switch | |
| US8838558B2 (en) | Hash lookup table method and apparatus | |
| US20030233516A1 (en) | Method and system for performing range rule testing in a ternary content addressable memory | |
| US20110080830A1 (en) | Device and method for providing forwarding information and qos information in flow based network environment | |
| CN101106518B (en) | Service denial method for providing load protection of central processor | |
| US20090135826A1 (en) | Apparatus and method of classifying packets | |
| CN114430341B (en) | Method and device for realizing conversion from exact rule to mask rule | |
| US10757230B2 (en) | Efficient parsing of extended packet headers | |
| US9729446B1 (en) | Protocol-independent packet routing | |
| CN112422435B (en) | Message forwarding control method and device and electronic equipment | |
| US11327974B2 (en) | Field variability based TCAM splitting | |
| CN108600107B (en) | Flow matching method capable of customizing content field | |
| US6950429B2 (en) | IP data transmission network using a route selection based on level 4/5 protocol information | |
| US20160285756A1 (en) | Efficient implementation of MPLS tables for multi-level and multi-path scenarios | |
| US10397113B2 (en) | Method of identifying internal destinations of network packets and an apparatus thereof | |
| US11025549B2 (en) | Systems and methods for stateful packet processing | |
| US10284426B2 (en) | Method and apparatus for processing service node ability, service classifier and service controller | |
| CN117999772A (en) | Network device utilizing TCAM configured to output multiple matching indexes |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |