CN114826775A - Method, device, system, equipment and medium for generating filtering rule of data packet - Google Patents

Method, device, system, equipment and medium for generating filtering rule of data packet

Info

Publication number: CN114826775A
Authority: CN (China)
Prior art keywords: session table, data packet, session, generating, determining
Legal status: Granted (Active)
Application number: CN202210622837.4A
Other languages: Chinese (zh)
Other versions: CN114826775B (en)
Inventor: 孙大娟
Current Assignee: Beijing Armyfly Technology Co Ltd
Original Assignee: Beijing Armyfly Technology Co Ltd
Application filed by Beijing Armyfly Technology Co Ltd
Priority to CN202210622837.4A
Publication of CN114826775A
Application granted
Publication of CN114826775B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the application relates to the technical field of computer networks, in particular to a method, a device, a system, equipment and a medium for generating a filtering rule of a data packet. The specific implementation scheme is as follows: analyzing, including analyzing a data packet from a network port, and extracting network address information and protocol information of the data packet; a first generation step, including table look-up in an access control list according to the network address information and the protocol information, and generating a session table item according to the table look-up result; determining, including determining an execution rule corresponding to the session table entry; and a second generation step, which comprises generating a filtering rule of the data packet according to the execution rule corresponding to the session table entry. The embodiment of the application can dynamically generate the filtering rule of the data packet through analyzing the current network data flow, and can adapt to the requirement of continuous updating of the network, thereby effectively avoiding the potential network safety hazard.

Description

Method, device, system, equipment and medium for generating filtering rule of data packet
Technical Field
The present invention relates to the field of computer network technologies, and in particular, to a method, an apparatus, a system, a device, and a medium for generating a filter rule of a data packet.
Background
The conventional gateway device filters the data stream in the network according to predetermined filtering rules, thereby preventing illegal access, allowing legal access to pass through smoothly, and realizing protection of the internal network. In general, the filtering rules are stored in order, and the network data streams arriving at the gateway are matched against the filtering rules one by one. If a match succeeds, the specified action is executed; if it fails, the next rule is tried. Such predefined filtering rules are difficult to adapt to the complexity of network attack techniques. The filtering rules are configured by a security administrator on the basis of learning or experience. Network attack modes are increasingly diversified, and a set of preset filtering rules alone can hardly keep up with the requirement of continuous network updating, so that many potential network security hazards exist.
Disclosure of Invention
In view of the above problems in the prior art, embodiments of the present application provide a method, an apparatus, a system, a device, and a medium for generating a filtering rule of a data packet, which can dynamically generate the filtering rule of the data packet by analyzing a current network data stream, and can adapt to a requirement of a network to be continuously updated, thereby effectively avoiding a potential network security hazard.
In order to achieve the above object, a first aspect of the present application provides a method for generating a filter rule of a data packet, including:
analyzing, including analyzing a data packet from a network port, and extracting network address information and protocol information of the data packet;
a first generation step, including table look-up in an access control list according to the network address information and the protocol information, and generating a session table item according to the table look-up result;
determining, including determining an execution rule corresponding to the session table entry;
and a second generation step, which comprises generating a filtering rule of the data packet according to the execution rule corresponding to the session table entry.
As a possible implementation manner of the first aspect, the performing table lookup in an access control list according to the network address information and the protocol information includes:
a table lookup is performed in the access control list using a ternary content addressable memory.
As a possible implementation manner of the first aspect, the determining an execution rule corresponding to the session entry includes:
counting the number of data packets corresponding to the session table entry according to the network address information, and sequencing the session table entry according to the number of the data packets;
and taking the session table entries with the sorted top preset number threshold as session table entries to be processed, and determining an execution rule corresponding to the session table entries to be processed.
As a possible implementation manner of the first aspect, the determining an execution rule corresponding to the to-be-processed session entry includes:
displaying the session table item to be processed to a user;
receiving setting information input by a user aiming at the session table item to be processed;
and determining an execution rule corresponding to the session table entry to be processed according to the setting information.
As a possible implementation manner of the first aspect, the determining an execution rule corresponding to the to-be-processed session entry includes:
carrying out validity detection on the session table entry to be processed;
and determining an execution rule corresponding to the session table entry to be processed according to the result of the validity detection.
A second aspect of the present application provides a system for generating filter rules for data packets, which is used to execute the method of the first aspect, and includes:
a field programmable gate array for performing the parsing step and the first generating step;
and a central processing unit, configured to read the session table entry from the field programmable gate array according to a preset period and to execute the determining step and the second generating step on the session table entry.
As a possible implementation manner of the second aspect, the system further includes:
and the switching chip is used for forwarding the data packet from the network port to the field programmable gate array and is also used for receiving the data packet returned from the field programmable gate array and forwarding the data packet to the network port.
A third aspect of the present application provides a device for generating a filtering rule of a data packet, including:
the analysis unit is used for analyzing the data packet from the network port and extracting the network address information and the protocol information of the data packet;
a first generating unit, configured to perform table lookup in an access control list according to the network address information and the protocol information, and generate a session table entry according to a result of the table lookup;
the determining unit is used for determining an execution rule corresponding to the session table entry;
and the second generating unit is used for generating the filtering rule of the data packet according to the execution rule corresponding to the session table entry.
As a possible implementation manner of the third aspect, the first generating unit is configured to:
a table lookup is performed in the access control list using a ternary content addressable memory.
As a possible implementation manner of the third aspect, the determining unit is configured to:
counting the number of data packets corresponding to the session table entry according to the network address information, and sequencing the session table entry according to the number of the data packets;
and taking the session table entries with the sorted top preset number threshold as session table entries to be processed, and determining an execution rule corresponding to the session table entries to be processed.
As a possible implementation manner of the third aspect, the determining unit is configured to:
displaying the session table item to be processed to a user;
receiving setting information input by a user aiming at the session table item to be processed;
and determining an execution rule corresponding to the session table entry to be processed according to the setting information.
As a possible implementation manner of the third aspect, the determining unit is configured to:
carrying out validity detection on the session table entry to be processed;
and determining an execution rule corresponding to the session table entry to be processed according to the result of the validity detection.
A fourth aspect of the present application provides a computing device comprising:
a communication interface;
at least one processor coupled with the communication interface; and
at least one memory coupled to the processor and storing program instructions that, when executed by the at least one processor, cause the at least one processor to perform the method of any of the first aspects.
A fifth aspect of the present application provides a computer readable storage medium having stored thereon program instructions which, when executed by a computer, cause the computer to perform the method of any of the first aspects described above.
These and other aspects of the invention will be apparent from and elucidated with reference to the embodiment(s) described hereinafter.
Drawings
The various features and the connections between the various features of the present invention are further described below with reference to the attached figures. The figures are exemplary, some features are not shown to scale, and some of the figures may omit features that are conventional in the art to which the application relates and are not essential to the application, or show additional features that are not essential to the application, and the combination of features shown in the figures is not intended to limit the application. In addition, the same reference numerals are used throughout the specification to designate the same components. The specific drawings are illustrated as follows:
fig. 1 is a schematic diagram illustrating an embodiment of a method for generating a filter rule of a data packet according to an embodiment of the present application;
fig. 2 is a functional diagram of an automatic learning function according to an embodiment of a method for generating a filter rule of a data packet according to the present application;
fig. 3 is a session management hardware schematic diagram of an embodiment of a method for generating a filter rule of a data packet according to an embodiment of the present application;
fig. 4 is a flowchart of a session management process according to an embodiment of a method for generating a filter rule of a data packet according to the present application;
fig. 5 is a schematic diagram of an automatic learning WEB configuration page according to an embodiment of a method for generating a filtering rule of a data packet according to the present application;
fig. 6 is a schematic diagram of an embodiment of a filter rule generation apparatus for data packets according to an embodiment of the present disclosure;
fig. 7 is a schematic diagram of a computing device provided in an embodiment of the present application.
Detailed Description
The terms "first, second, third and the like" or "module A, module B, module C and the like" in the description and in the claims are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order; it should be understood that specific orders or sequences may be interchanged, where permissible, to implement embodiments of the present application in orders other than those illustrated or described herein.
In the following description, reference to reference numerals indicating steps, such as S110, S120, etc., does not necessarily mean that the steps are performed in this order; the order of preceding and following steps may be interchanged or the steps may be performed simultaneously, where permitted.
The term "comprising" as used in the specification and claims should not be construed as being limited to the contents listed thereafter; it does not exclude other elements or steps. It should therefore be interpreted as specifying the presence of the stated features, integers, steps or components as referred to, but does not preclude the presence or addition of one or more other features, integers, steps or components, and groups thereof. Thus, the expression "an apparatus comprising the devices a and B" should not be limited to an apparatus consisting of only the components a and B.
Reference in the specification to "one embodiment" or "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the invention. Thus, appearances of the phrases "in one embodiment" or "in an embodiment" in various places throughout this specification are not necessarily all referring to the same embodiment, but may. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments, as would be apparent to one of ordinary skill in the art from this disclosure.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. In the case of inconsistency, the meaning described in the present specification or the meaning derived from the content described in the present specification shall control. In addition, the terminology used herein is for the purpose of describing embodiments of the present application only and is not intended to be limiting of the present application. To accurately describe the technical content in the present application and to accurately understand the present invention, terms used in the present specification are given the following explanation or definition before describing the specific embodiments:
1) Access Control List (ACL): an access control technology based on packet filtering, which filters data packets on an interface according to set conditions and either allows them to pass or drops them. Access control lists are widely applied in routers and layer-three switches; by means of an access control list, users' access to the network can be effectively controlled, so that network security is guaranteed to the greatest extent. The access control list is a list of instructions applied at the router interface. These instruction lists tell the router which packets can be received and which packets must be rejected. Whether a packet is received or rejected can be decided by specific matching conditions such as the source address, the destination address, the port number, etc.
2) Ternary Content Addressable Memory (TCAM): mainly used for fast lookup of entries such as ACL entries and routing entries.
3) Field Programmable Gate Array (FPGA): the FPGA adopts the concept of a Logic Cell Array (LCA) and includes three parts, namely the Configurable Logic Block (CLB), the Input Output Block (IOB), and the internal Interconnect. An FPGA is a semi-custom circuit among application-specific integrated circuits; it is a programmable logic array and effectively overcomes the limited number of gate circuits of earlier programmable devices. The basic structure of an FPGA comprises programmable input/output units, configurable logic blocks, a digital clock management module, embedded block Random Access Memory (RAM), routing resources, embedded dedicated hard cores, and bottom-layer embedded functional units. The FPGA has abundant routing resources, high reprogrammability and integration level, and low investment cost, and is widely applied in digital circuit design.
4) Media Access Control Address (MAC Address): an address used to identify the location of a network device. The MAC address is also called the physical address or hardware address, and is burned into the network card when it is produced by the network equipment manufacturer. The MAC address uniquely identifies a network card in the network; if one or more network cards exist in a device, each network card needs its own unique MAC address.
5) Internet Protocol Address (IP Address): the address defined by the Internet Protocol. The IP address is a uniform address format provided by the IP protocol; it assigns a logical address to each network and each host on the Internet so as to mask the differences between physical addresses.
6) Double Data Rate Synchronous Dynamic Random Access Memory (DDR SDRAM): a conventional SDRAM transfers data only once per clock cycle, on the rising edge of the clock. DDR SDRAM transfers data twice per clock cycle, once on the rising edge and once on the falling edge, so its data transfer rate is twice the system clock frequency and its transfer performance is superior to that of conventional SDRAM.
7) Port Physical Layer (PHY): a common abbreviation for the physical layer of the Open System Interconnection Reference Model (OSI model). An Ethernet PHY is a device that implements the physical layer of the OSI model; it is a chip that can send and receive Ethernet data frames.
The prior art method is described first, and then the technical solution of the present application is described in detail.
The traditional gateway device filters the data stream in the network according to the filter rule specified in advance, thereby preventing illegal access, allowing legal access to pass smoothly and realizing the protection of the internal network. The filtering rules can be stored in sequence, the network data streams are matched with the filtering rules one by one after arriving at the gateway, if the matching is successful, the specified action is executed, and if the matching is unsuccessful, the next rule is continuously executed.
The prior art has the following defects: such predefined filtering rules are difficult to adapt to the complexity of network attack techniques. The filtering rules are configured by a security administrator on the basis of learning or experience. Network attack modes are increasingly diversified, and a set of preset filtering rules alone can hardly keep up with the requirement of continuous network updating, so that many potential network security hazards exist.
Based on the technical problems in the prior art, the present application provides a method for generating a filtering rule of a data packet. The method may provide an automatic learning function that dynamically generates filtering rules through analysis of the current network data flow. According to the embodiment of the application, the data packets from the network port are analyzed to generate the session table entry, and the new filtering rule can be generated based on the session table entry, so that the requirement that the filtering rule can dynamically adapt to the change of the network is met, and the technical problem that the filtering rule which is specified in advance is difficult to adapt to the network updating requirement and causes network safety hidden danger in the prior art can be solved.
Fig. 1 is a schematic diagram of an embodiment of a method for generating a filter rule of a data packet according to an embodiment of the present application. As shown in fig. 1, the method for generating the filtering rule of the data packet may include:
step S110, an analysis step, which comprises analyzing a data packet from a network port and extracting network address information and protocol information of the data packet;
step S120, a first generation step, which includes table look-up in an access control list according to the network address information and the protocol information, and generating a session table item according to the table look-up result;
step S130, determining step, including determining the execution rule corresponding to the session table entry;
step S140, a second generating step, which includes generating a filtering rule of the data packet according to the execution rule corresponding to the session table entry.
To accommodate the constantly updated requirements of the network, new filtering rules need to be generated for newly discovered illegal accesses. In the embodiment of the application, dynamic analysis statistics can be periodically performed on the data stream from the network port, and the filtering rule of the data packet is generated according to the result of the analysis statistics, so that the requirement of continuous updating of the network is met, and the potential network safety hazard which may exist is effectively avoided. The data processing period may be preset, and the data stream may be periodically analyzed to generate the filtering rule of the data packet.
In step S110, a data packet from the network port may be acquired within the time of the data processing cycle. By analyzing the content of the data packet, the network address information and the protocol information can be extracted from the data packet. The network address may include information such as a source MAC, a destination MAC, a source IP, a destination IP, a source port number, a destination port number, a VLAN ID, and a VLAN priority. The protocol information may include information such as a two-layer protocol type, a three-layer protocol type, a TCP connection status, and a protocol number. In one example, a 12-tuple (source MAC, destination MAC, source IP, destination IP, source port number, destination port number, layer two protocol type, layer three protocol type, TCP connection status, VLAN ID, VLAN priority, and protocol number) may be extracted from the packet by parsing.
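As an added example (not code from the patent or from Beijing Armyfly Technology), the following Python parser extracts the 12-tuple described in step S110 from raw Ethernet frame bytes, handling the optional 802.1Q tag and rejecting truncated or non-IPv4 frames instead of mis-parsing them. The mapping of "layer-two protocol type" to the EtherType, "layer-three protocol type" to the IP version field and "TCP connection status" to the TCP flags byte is an assumption, as is the constructed sample frame; the patent does not specify these encodings.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ETH_P_8021Q = 0x8100   # 802.1Q VLAN tag EtherType
ETH_P_IP = 0x0800      # IPv4 EtherType
IPPROTO_TCP, IPPROTO_UDP = 6, 17


@dataclass(frozen=True)
class PacketTuple:
    """The 12-tuple named in the patent; the field interpretations are assumptions."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int      # 0 when the transport layer carries no ports
    dst_port: int
    l2_type: int       # EtherType after any VLAN tag (layer-two protocol type)
    l3_type: int       # IP version field (layer-three protocol type)
    tcp_state: int     # raw TCP flags byte, 0 for non-TCP (TCP connection status)
    vlan_id: int       # 0 when untagged
    vlan_prio: int     # 802.1p priority, 0 when untagged
    proto_num: int     # IPv4 protocol number


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_12tuple(frame: bytes) -> Optional[PacketTuple]:
    """Return the 12-tuple of an IPv4 frame, or None for frames this parser cannot classify.
    Every length is checked before slicing, so truncated or non-IP frames are rejected
    rather than mis-parsed."""
    if len(frame) < 14:
        return None
    dst_mac, src_mac, eth_type = struct.unpack("!6s6sH", frame[:14])
    off, vlan_id, vlan_prio = 14, 0, 0
    if eth_type == ETH_P_8021Q:
        if len(frame) < 18:
            return None
        tci, eth_type = struct.unpack("!HH", frame[14:18])
        vlan_prio, vlan_id, off = tci >> 13, tci & 0x0FFF, 18
    if eth_type != ETH_P_IP or len(frame) < off + 20:
        return None                     # only IPv4 is handled here
    version, ihl = frame[off] >> 4, (frame[off] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(frame) < off + ihl:
        return None
    proto = frame[off + 9]
    src_ip, dst_ip = frame[off + 12:off + 16], frame[off + 16:off + 20]
    l4 = off + ihl
    src_port = dst_port = tcp_flags = 0
    if proto == IPPROTO_TCP:
        if len(frame) < l4 + 14:
            return None                 # the flags byte sits at offset 13 of the TCP header
        src_port, dst_port = struct.unpack("!HH", frame[l4:l4 + 4])
        tcp_flags = frame[l4 + 13]
    elif proto == IPPROTO_UDP:
        if len(frame) < l4 + 8:
            return None
        src_port, dst_port = struct.unpack("!HH", frame[l4:l4 + 4])
    return PacketTuple(_mac(src_mac), _mac(dst_mac), _ip(src_ip), _ip(dst_ip),
                       src_port, dst_port, eth_type, version, tcp_flags,
                       vlan_id, vlan_prio, proto)


def build_sample_frame(vlan_id: int = 100, vlan_prio: int = 5) -> bytes:
    """Constructed sample: VLAN-tagged IPv4 TCP SYN, 10.0.0.5:40000 -> 192.168.1.10:22.
    Checksums are left zero; the parser does not verify them."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")   # dst MAC, src MAC
    vlan = struct.pack("!HHH", ETH_P_8021Q, (vlan_prio << 13) | vlan_id, ETH_P_IP)
    tcp = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes([10, 0, 0, 5]), bytes([192, 168, 1, 10]))
    return eth + vlan + ip + tcp
```

Calling parse_12tuple(build_sample_frame()) yields the tuple for the sample SYN; feeding the same frame cut short, or a non-IPv4 frame, yields None, which is the behaviour a hardware packet analysis module also needs so that a malformed frame cannot produce a bogus session entry.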
In step S120, a table lookup operation may be performed in the access control list ACL according to the network address information and the protocol information obtained by the analysis in step S110. The ACL is a list of access control instructions based on packet filtering. Using the ACL, data packets on the interface can be filtered according to set conditions and either allowed to pass or discarded. A session table entry is generated based on the data packets that the table lookup result allows to pass. In a subsequent step, filtering rules for the data packets are generated based on the session table entries. Packets that the ACL drops rather than forwards are already filtered out by the existing filtering rules, so no further steps are needed for them: they are neither included in the dynamic analysis statistics nor used to generate new filtering rules.
In step S130, the execution rule corresponding to the session entry generated in step S120 is determined. Executing the rule may include allowing it to pass or drop. In one mode, the execution rule corresponding to the session table entry may be determined according to the setting information indicated by the user. In another mode, the system may also perform validity detection on the session entry, and determine the execution rule corresponding to the session entry according to the detection result. In the above various manners, through the analysis of the session table entry, a new execution rule can be generated for the newly discovered illegal access, and the filtering rule of the data packet can be generated according to the new execution rule in the subsequent step.
In step S140, a filtering rule of the data packet is generated according to the execution rule corresponding to the session entry determined in step S130. In the embodiment of the application, within the time of each data processing cycle, statistical analysis can be performed on the acquired data packet to determine the corresponding execution rule, so that the filtering rule of the data packet is dynamically generated according to the execution rule.
The embodiment of the application can dynamically generate the filtering rule of the data packet through analyzing the current network data flow, and can adapt to the requirement of continuous updating of the network, thereby effectively avoiding the potential network safety hazard.
The network ports in the embodiments of the present application may include hubs, switches, and interfaces of routers for connecting other network devices. The network ports may also include traffic ports. The service port is a port connected between the service node interface and the service node in the access network. The method for generating the filtering rule of the data packet can realize an automatic learning function, periodically analyzes the data stream from the network port in an automatic learning mode, and generates the filtering rule of the data packet.
Fig. 2 is a functional diagram of an automatic learning function according to an embodiment of a method for generating a filter rule of a data packet according to the present application. As shown in fig. 2, in the auto-learn mode, each port may transparently forward the data stream. In the forwarding process, the data is not processed, the data content is not changed, and no header is added. First, the data stream is sent to the FPGA by the switch module. The switching module transfers data from the network port to the FPGA. A packet analysis module in the FPGA may parse the data packet and provide the 12-tuple of the data packet (source MAC, destination MAC, source IP, destination IP, source port number, destination port number, layer-two protocol type, layer-three protocol type, TCP connection state, VLAN ID, VLAN priority, and protocol number).
In one embodiment, the table lookup in the access control list according to the network address information and the protocol information includes:
and performing table lookup in the access control list by using a Ternary Content Addressable Memory (TCAM).
Referring to fig. 2, a packet analysis module in the FPGA provides 12 tuples of the data packet, sends the 12 tuples to an ACL module for performing a first-level TCAM table lookup, determines whether a second-level table lookup is needed according to a table lookup result returned by the first-level TCAM, and finally sends the table lookup result to a session module. According to the table look-up result, the ACL module sends the data packet allowed to pass through in the access control list to the session module. That is, the session table entry in the session module is generated based on the allowed data packet according to the table lookup result.
For a common device, a TCAM-based first-level lookup table, such as a twelve-tuple lookup table, can satisfy the common performance requirements of users. However, for high-end devices, such as those operating in the core and backbone of the network, huge traffic must be handled, and various complex services, such as ACL flow classification, policy routing, packet filtering, packet content modification, user-defined rules, etc., must be handled, and a simple first-level table lookup does not satisfy such a requirement. Therefore, the embodiment of the invention uses a multi-stage flow table lookup mechanism, and can meet the requirement of high performance of the network security equipment.
The session module extracts information such as the quintuple (source IP address, destination IP address, source port number, destination port number and protocol number) of the message from the 12-tuple of the data packet input by the ACL module, and calculates a HASH value of the quintuple. The HASH value is then used as the entry address of the session table entry, and the information of the session table entry is stored in the DDR memory address block beginning at that address.
In one embodiment, the determining the execution rule corresponding to the session entry includes:
counting the number of data packets corresponding to the session table entry according to the network address information, and sequencing the session table entry according to the number of the data packets;
and taking the session table entries sorted within the top preset number threshold as session table entries to be processed, and determining execution rules corresponding to the session table entries to be processed.
Referring to fig. 2, a Central Processing Unit (CPU) periodically reads session table entries from an FPGA. In one aspect, the CPU may calculate session table statistics for each protocol type. On the other hand, the CPU can also sort the session entries according to the network address information and count the session entry sorting data. For example, the source IP address and the destination IP address may be used as a group of address information during sorting, the number of packets having the same source IP address and destination IP address may be counted, and then sorting may be performed according to the number of the packets from large to small.
For convenience of maintaining the session table, sqlite (a lightweight database) can be used to store the session table entry information for retrieval, statistics and querying. In one example, the preset number threshold may be set to 20. The CPU writes the session table entry information read from the FPGA into the database, and retrieves from the database the session table entries ranked in the top 20 according to the IP-address-based ranking value. That is, the 20 session entries with the largest number of packets, grouped by IP address, are retrieved and used as the session entries to be processed. In the subsequent step, each session table entry to be processed may be converted into a filtering rule according to its five-tuple information (source IP address, destination IP address, source port number, destination port number, and protocol number).
In one embodiment, the determining the execution rule corresponding to the to-be-processed session entry includes:
displaying the session table item to be processed to a user;
receiving setting information input by a user aiming at the session table item to be processed;
and determining an execution rule corresponding to the session table entry to be processed according to the setting information.
For the top-ranked session table entries to be processed, an interface can be provided for the upper computer (host) software to view them. The user can then select the relevant rules from the generated filtering rules as needed and deliver them as configuration. For example, in the host computer the user can set which packets corresponding to the session table entries are allowed to pass and which are discarded. In the embodiment of the invention, the data flow is periodically subjected to statistical analysis, session table entries are dynamically generated based on the analysis result, and the user selects filtering rules according to the session table entries and delivers the configuration, so that new filtering rules can be generated at any time according to the current situation, and network security is ensured.
In one embodiment, the determining the execution rule corresponding to the to-be-processed session entry includes:
carrying out validity detection on the session table entry to be processed;
and determining an execution rule corresponding to the session table entry to be processed according to the result of the validity detection.
For the top-ranked session table entries to be processed, a pre-agreed detection method can be used to carry out validity detection on them, and an execution rule that allows or discards the data packet is determined according to the detection result. For example, the content integrity and/or validity of the data packet corresponding to the session table entry to be processed may be checked to determine the validity of that entry. As another example, the content of the data packet corresponding to the session table entry to be processed may be checked for sensitive or illegal information to determine the validity of that entry. In the embodiment of the invention, validity detection can thus be performed in real time on newly generated session table entries to be processed, and new filtering rules can be generated according to the current situation, thereby ensuring network security.
Fig. 3 is a session management hardware schematic diagram of an embodiment of a method for generating a filtering rule of a data packet according to an embodiment of the present application. Fig. 4 is a flowchart of session management processing according to an embodiment of a method for generating a filtering rule of a data packet according to the present application. Referring to fig. 2 to 4, an exemplary filtering rule generating method for a packet is as follows:
1) Generating a session table.
Referring to fig. 3, the data packet from the service gateway is sent to the FPGA through the port physical layer PHY and the switch module. The example of fig. 3 employs a switch chip as the switch module. Referring back to fig. 4, the switching module is responsible for sending the data message of the service port to the FPGA, and receiving the data packet returned from the FPGA and forwarding the data packet to the service port normally.
Referring to fig. 3 and 4, the FPGA dynamically updates the session table entries stored in the DDR according to the packet quintuple information (source IP address, destination IP address, source port number, destination port number, and protocol type) obtained by parsing the packet. Specifically, the FPGA calculates a hash value of the quintuple, and stores the session table entry information in the DDR memory address block whose start address is derived from the hash value, i.e. the hash value serves as the entry address of the session table entry.
Referring to fig. 4, the CPU periodically reads the session table entries in the DDR, and generates session table statistics by counting the number of session table entries for each value of the protocol type field in the session table. The protocol types may include: Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), and other protocols. The session table statistics can be displayed in a WEB browser for the user to check, so that the user can view the statistics of the session table entries of each protocol type.
Referring to fig. 4, the CPU may store the session table entries in a database. Using a database to store the session table information makes quick retrieval, statistics and querying convenient. The CPU can call a database Application Program Interface (API) to sort the session table entries according to IP address and generate session table entry ranking data. The session table entry ranking data can be displayed in a WEB browser for the user to check.
2) The user can obtain the current session table entries through the WEB browser. The CPU converts the quintuple information (source IP address, destination IP address, source port number, destination port number and protocol number) of the current session table entries into filtering rules and provides an interface for the upper computer software to view them. A filtering rule may allow the corresponding packets to pass or drop them. The user selects the relevant rules from the generated filtering rules as needed and delivers them as configuration.
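The flow of steps 1) and 2) above, together with the earlier top-N ranking and user-set actions, as an added Python illustration that is not the patent's own code. It simulates the FPGA's hash-indexed DDR session table (SHA-256 stands in for the unspecified hash function) and uses the standard-library sqlite3 module for the CPU side; the host addresses, ports, packet counts and the threshold of 2 (in place of the page's 20) are constructed.

```python
import hashlib
import sqlite3
from collections import namedtuple

# Added illustration, not the patent's code: the FPGA/DDR table is simulated,
# SHA-256 stands in for the unspecified hash, and all traffic is constructed.
FiveTuple = namedtuple("FiveTuple", "src_ip dst_ip src_port dst_port proto")
PROTO_NAMES = {6: "TCP", 17: "UDP", 1: "ICMP"}


class FpgaSessionTable:
    """Hash-indexed session table as the FPGA keeps it in DDR; a bucket is the
    address block the hash selects, and holds a short list so collisions coexist."""
    def __init__(self, num_buckets=1024):
        self.buckets = [[] for _ in range(num_buckets)]

    @staticmethod
    def entry_address(ft, num_buckets):
        # Hash of the five-tuple -> entry address (bucket index).
        key = "|".join(str(field) for field in ft).encode()
        return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % num_buckets

    def update(self, ft):
        """Dynamic update: bump an existing session's packet count or create it."""
        bucket = self.buckets[self.entry_address(ft, len(self.buckets))]
        for entry in bucket:
            if entry["tuple"] == ft:
                entry["packets"] += 1
                return
        bucket.append({"tuple": ft, "packets": 1})


def load_into_db(entries):
    """CPU side: store the entries read from the FPGA in a sqlite table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE session (src_ip TEXT, dst_ip TEXT, src_port INTEGER,"
               " dst_port INTEGER, proto INTEGER, packets INTEGER)")
    db.executemany("INSERT INTO session VALUES (?, ?, ?, ?, ?, ?)",
                   [(*e["tuple"], e["packets"]) for e in entries])
    return db


def protocol_statistics(db):
    """Number of session entries per protocol type (TCP/UDP/ICMP/other)."""
    stats = {}
    for proto, count in db.execute("SELECT proto, COUNT(*) FROM session GROUP BY proto"):
        name = PROTO_NAMES.get(proto, "OTHER")
        stats[name] = stats.get(name, 0) + count
    return stats


def top_address_pairs(db, threshold=20):
    """Group by (source IP, destination IP), sum packets, sort descending, keep top N."""
    return db.execute(
        "SELECT src_ip, dst_ip, SUM(packets) AS n FROM session"
        " GROUP BY src_ip, dst_ip ORDER BY n DESC, src_ip, dst_ip LIMIT ?",
        (threshold,)).fetchall()


def pending_entries(db, threshold=20):
    """Session entries whose address pair ranks in the top N: the set to be processed."""
    top = {(s, d) for s, d, _ in top_address_pairs(db, threshold)}
    rows = db.execute("SELECT src_ip, dst_ip, src_port, dst_port, proto FROM session")
    return [FiveTuple(*row) for row in rows if (row[0], row[1]) in top]


def generate_filter_rules(entries, decisions, default="allow"):
    """One rule per pending five-tuple; action = user's setting (or validity verdict)."""
    return [{"match": ft, "action": decisions.get(ft, default), "enabled": True}
            for ft in entries]


def lookup_action(rules, ft, default="allow"):
    """Apply the rules to one packet: first enabled rule matching its five-tuple wins."""
    for rule in rules:
        if rule["enabled"] and rule["match"] == ft:
            return rule["action"]
    return default


# Constructed traffic: one host hammering SSH on 10.0.0.9 over five source ports, some DNS, two ICMP.
SAMPLE_PACKETS = (
    [FiveTuple("10.0.0.5", "10.0.0.9", 40000 + i % 5, 22, 6) for i in range(30)]
    + [FiveTuple("10.0.0.7", "10.0.0.53", 5353, 53, 17)] * 4
    + [FiveTuple("10.0.0.8", "10.0.0.9", 0, 0, 1)] * 2
)


def run_learning_cycle(packets=SAMPLE_PACKETS, threshold=2):
    """One auto-learning pass: FPGA updates -> CPU read -> DB -> top-N -> rules."""
    table = FpgaSessionTable(num_buckets=64)
    for pkt in packets:
        table.update(pkt)
    # The CPU's periodic read-out of every entry in the DDR table.
    db = load_into_db([entry for bucket in table.buckets for entry in bucket])
    pending = pending_entries(db, threshold)
    # Stand-in for the operator's choice on the WEB page: drop the SSH burst.
    decisions = {ft: "drop" for ft in pending if ft.dst_port == 22}
    return protocol_statistics(db), top_address_pairs(db, threshold), \
        generate_filter_rules(pending, decisions)
```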
Fig. 5 is a schematic diagram of an automatic learning WEB configuration page according to an embodiment of a method for generating a filtering rule of a data packet according to the embodiment of the present application. As shown in FIG. 5, in the auto-learn configuration interface, "enable/disable" can be used to configure whether the auto-learn mode is used. ACL rules learned in the automatic learning mode can also be viewed and set in the configuration interface, where the "enabled" field of an ACL rule indicates whether that ACL rule is enabled.
To sum up, to address the limitation of filtering network traffic only according to filtering rules specified in advance, the embodiment of the present invention provides a method for dynamically generating filtering rules based on session table entries. By analyzing the session table entries generated from the network data packets parsed in the gateway device, new execution rules can be generated for newly discovered illegal accesses, so that the filtering rules dynamically adapt to changes in the network.
Referring to fig. 2 to 4, another aspect of the present application provides a system for generating a filter rule of a packet, for executing the method for generating a filter rule of a packet, including:
a field programmable gate array for performing the parsing step and the first generating step;
and the central processing unit is used for reading the session table entry from the field programmable gate array according to a preset period and executing the determining step and the second generating step on the session table entry.
In one embodiment, the system further comprises:
and the switching chip is used for forwarding the data packet from the network port to the field programmable gate array and is also used for receiving the data packet returned from the field programmable gate array and forwarding the data packet to the network port.
The system for generating the filtering rule of the data packet in the embodiment of the application can be arranged in a gateway device. For the beneficial effects or technical problems to be solved by the system, reference may be made to the description in the method for generating the filtering rule of the data packet, or to the description in the summary of the invention, which is not repeated herein.
As shown in fig. 6, the present application further provides an embodiment of a device for generating a filtering rule of a data packet, and for beneficial effects or technical problems to be solved by the device, reference may be made to descriptions in methods respectively corresponding to the devices, or to descriptions in the summary of the invention, and details are not repeated here.
In an embodiment of the apparatus for generating filter rules of the data packet, the apparatus includes:
an analysis unit 100, configured to analyze a data packet from a network port, and extract network address information and protocol information of the data packet;
a first generating unit 200, configured to perform table lookup in an access control list according to the network address information and the protocol information, and generate a session table entry according to a result of the table lookup;
a determining unit 300, configured to determine an execution rule corresponding to the session entry;
the second generating unit 400 is configured to generate a filtering rule of a data packet according to the execution rule corresponding to the session table entry.
As shown in fig. 6, in an embodiment, the first generating unit 200 is configured to:
a table lookup is performed in the access control list using a ternary content addressable memory.
In one embodiment, the determining unit 300 is configured to:
counting the number of data packets corresponding to the session table entry according to the network address information, and sequencing the session table entry according to the number of the data packets;
and taking the session table entries with the sorted top preset number threshold as session table entries to be processed, and determining an execution rule corresponding to the session table entries to be processed.
In one embodiment, the determining unit 300 is configured to:
displaying the session table item to be processed to a user;
receiving setting information input by a user aiming at the session table item to be processed;
and determining an execution rule corresponding to the session table entry to be processed according to the setting information.
In one embodiment, the determining unit 300 is configured to:
carrying out validity detection on the session table entry to be processed;
and determining an execution rule corresponding to the session table entry to be processed according to the result of the validity detection.
Fig. 7 is a schematic structural diagram of a computing device 900 provided in an embodiment of the present application. The computing device 900 includes: a processor 910, a memory 920, and a communication interface 930.
It is to be appreciated that the communication interface 930 in the computing device 900 shown in fig. 7 may be used to communicate with other devices.
The processor 910 may be coupled to the memory 920. The memory 920 may be used to store the program codes and data. Therefore, the memory 920 may be a storage unit inside the processor 910, an external storage unit independent of the processor 910, or a component including a storage unit inside the processor 910 and an external storage unit independent of the processor 910.
Optionally, computing device 900 may also include a bus. The memory 920 and the communication interface 930 may be connected to the processor 910 through a bus. The bus may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc.
It should be understood that, in the embodiment of the present application, the processor 910 may employ a Central Processing Unit (CPU). The processor may also be other general purpose processors, Digital Signal Processors (DSPs), Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. Or the processor 910 may employ one or more integrated circuits for executing related programs to implement the technical solutions provided in the embodiments of the present application.
The memory 920 may include a read-only memory and a random access memory, and provides instructions and data to the processor 910. A portion of the processor 910 may also include non-volatile random access memory. For example, the processor 910 may also store information of the device type.
When the computing device 900 is running, the processor 910 executes the computer-executable instructions in the memory 920 to perform the operational steps of the above-described method.
It should be understood that the computing device 900 according to the embodiment of the present application may correspond to a corresponding main body for executing the method according to the embodiments of the present application, and the above and other operations and/or functions of each module in the computing device 900 are respectively for implementing corresponding flows of each method of the embodiment, and are not described herein again for brevity.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The present embodiments also provide a computer-readable storage medium, on which a computer program is stored, the program being used for executing a diversification problem generation method when executed by a processor, the method including at least one of the solutions described in the above embodiments.
The computer storage media of the embodiments of the present application may take any combination of one or more computer-readable media. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present application may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
It should be noted that the foregoing is only illustrative of the preferred embodiments of the present application and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present application has been described in more detail with reference to the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention.

Claims (10)

1. A method for generating a filtering rule of a data packet is characterized by comprising the following steps:
an analyzing step, including analyzing a data packet from a network port, and extracting network address information and protocol information of the data packet;
a first generation step, including table look-up in an access control list according to the network address information and the protocol information, and generating a session table item according to the table look-up result;
a determining step, including determining an execution rule corresponding to the session table entry;
and a second generation step, which comprises generating a filtering rule of the data packet according to the execution rule corresponding to the session table entry.
2. The method of claim 1, wherein the performing a table lookup in an access control list based on the network address information and the protocol information comprises:
a table lookup is performed in the access control list using a ternary content addressable memory.
3. The method according to claim 1 or 2, wherein the determining the execution rule corresponding to the session entry includes:
counting the number of data packets corresponding to the session table entry according to the network address information, and sequencing the session table entry according to the number of the data packets;
and taking the session table entries with the sorted top preset number threshold as session table entries to be processed, and determining an execution rule corresponding to the session table entries to be processed.
4. The method of claim 3, wherein the determining the execution rule corresponding to the to-be-processed session entry comprises:
displaying the session table item to be processed to a user;
receiving setting information input by a user aiming at the session table item to be processed;
and determining an execution rule corresponding to the session table entry to be processed according to the setting information.
5. The method of claim 3, wherein the determining the execution rule corresponding to the to-be-processed session entry comprises:
carrying out validity detection on the session table entry to be processed;
and determining an execution rule corresponding to the session table entry to be processed according to the result of the validity detection.
6. A system for generating filter rules for data packets for performing the method of any one of claims 1 to 5, comprising:
a field programmable gate array for performing the parsing step and the first generating step;
and the central processing unit is used for reading the session table entry from the field programmable gate array according to a preset period and executing the determining step and the second generating step on the session table entry.
7. The system of claim 6, further comprising:
and the switching chip is used for forwarding the data packet from the network port to the field programmable gate array and is also used for receiving the data packet returned from the field programmable gate array and forwarding the data packet to the network port.
8. An apparatus for generating a filtering rule for a packet, comprising:
the analysis unit is used for analyzing the data packet from the network port and extracting the network address information and the protocol information of the data packet;
a first generating unit, configured to perform table lookup in an access control list according to the network address information and the protocol information, and generate a session table entry according to a result of the table lookup;
the determining unit is used for determining an execution rule corresponding to the session table entry;
and the second generating unit is used for generating the filtering rule of the data packet according to the execution rule corresponding to the session table entry.
9. A computing device, comprising:
a communication interface;
at least one processor coupled with the communication interface; and
at least one memory coupled to the processor and storing program instructions that, when executed by the at least one processor, cause the at least one processor to perform the method of any of claims 1-5.
10. A computer-readable storage medium having stored thereon program instructions, which, when executed by a computer, cause the computer to perform the method of any of claims 1-5.
CN202210622837.4A 2022-06-01 2022-06-01 Method, device, system, equipment and medium for generating filtering rule of data packet Active CN114826775B (en)
Publications (2)

Publication Number Publication Date
CN114826775A true CN114826775A (en) 2022-07-29
CN114826775B CN114826775B (en) 2023-11-07
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant