CN1791068A - Giga-linearspeed firewall core package filtering algorithm - Google Patents
Giga-linearspeed firewall core package filtering algorithm Download PDFInfo
- Publication number
- CN1791068A CN1791068A CNA2005101356048A CN200510135604A CN1791068A CN 1791068 A CN1791068 A CN 1791068A CN A2005101356048 A CNA2005101356048 A CN A2005101356048A CN 200510135604 A CN200510135604 A CN 200510135604A CN 1791068 A CN1791068 A CN 1791068A
- Authority
- CN
- China
- Prior art keywords
- coupling
- packet filtering
- grouping
- address
- rule
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention relates to a method for firewall group filter. Wherein, it builds Multi-Trie index to group filter table to raise search speed, stage filters based on prefix, range, and value by turns, and takes it as unqualified as long as one stage unqualified. This invention reduces treatment time and also supports multipriority setting.
Description
Technical field
The present invention relates to a kind of method of fire compartment wall packet filtering, this method has improved the speed of retrieval greatly by the packet filtering table being set up the index of Multi-Trie; This method is according to the characteristics of packet filtering table simultaneously, carry out successively based on prefix, based on scope, based on the filtration stage by stage of numerical value, just can not think that it is ineligible as long as exist a stage to meet,, thereby reduce total time of processing like this by increasing to a plurality of the processing stage; This method is also supported the multipriority setting simultaneously.
Background technology
Network security has caused global attracting attention current, becomes a very crucial problem.In order to guarantee the safety of internal network data and resource, commonplace method is to adopt firewall technology at present.Fire compartment wall is a kind of system that is made of software and hardware, is used for implementing to enter control strategy between two networks.
What fire compartment wall packet filtering technology was mainly discussed is to indicate how to handle this grouping by the inquiry of information in filter rule list to grouping.Report for work when reaching when data, at first this datagram is sent to the packet filtering module,, just immediately it is abandoned if filtering module is refused this datagram.When indicating filtration and will stop the datagram of refusal, the keeper often needs to list the various combinations of following content: the IP address of the IP address of source station and corresponding mask, point of destination and corresponding mask, agreement, the port of source station, port, the weight (optionally) of point of destination and the action that need take or the like information, if the information of grouping satisfies certain rule and weight is bigger, that will make corresponding action.The packet filtering technology is more traditional technology, but it is the basis of firewall technology, and other technologies all need to be based upon on the packet filtering basis.
Summary of the invention
The characteristics of packet filtering table rule are that the packet filtering table has comprised a plurality of list items, each list item all is the processing rule that an IP divides into groups, and this rule comprises purpose IP prefix ranges, source IP prefix ranges, the scope of destination interface, scope, protocol name, the priority of source IP port and the processing of coupling being filtered the IP grouping of this rule of setting---comprise refusal and pass through two kinds of operational processes.When 5 tuples of the purpose IP address, source IP address, destination interface, source port and the protocol name that extract from IP grouping and packet filtering table carry out item by item coupling, if a certain corresponding value in this 5 tuple and the packet filtering table is consistent or be in this corresponding scope, we just think that IP divides into groups to mate this rule.
The grouping filter method of a kind of fire compartment wall that the present invention proposes, carry out coupling with the packet filtering table according to 5 tuples of the purpose IP address, source IP address, destination interface, source port and the protocol name that from IP grouping, extract, if this 5 tuple is consistent with a certain item in the packet filtering table, then carry out this desired operation---perhaps pass through or refusal; This 5 tuple is consistent with a few items in the packet filtering table, carries out one the highest operation of its medium priority so; If any one does not conform in this 5 tuple and the packet filtering table, then refuse this grouping and pass through fire compartment wall.
At first, the present invention sets up the index of Multi-Trie to the packet filtering table, and the index tree of Multi-Trie belongs to a kind of data structure based on the key spatial decomposition; Each node of index tree has been preserved the data of each list item of packet filtering table, by the IP address can be retrieved data by the Multibit index tree exactly as keyword; In the Multi-Trie tree, in ergodic process, select the different sub-branch of node to continue traversal according to a plurality of binary digits of IP address successively.
The present invention simultaneously is according to the characteristics of packet filtering table rule, carry out based on prefix, based on scope successively, filter based on the coupling stage by stage of numerical value, just can think that it is ineligible as long as exist a stage not meet, like this by increasing to a plurality of the processing stage, thereby reduced the total time of handling.
The coupling filtration is exactly the characteristics according to packet filtering table rule stage by stage, at first carry out filtering based on the purpose IP address of prefix and the coupling of source IP address to receiving the IP grouping, grouping is carried out filtering based on the source port of scope and the coupling of destination interface to IP then, carry out at last mating filtration based on worth protocol fields, if this three phases can both mate, illustrate that so this grouping coupling satisfies this rule.Just be based on the index of two Multi-Trie based on the coupling of prefix; At first carry out to the source ' the retrieval of index of address to be obtaining the entry address of purpose index tree, and then carries out the retrieval to the index of purpose IP address; Just be based on the coupling of two scopes based on the coupling of scope, judge at first whether IP source of packets port drops in this regular destination port range, and then judge whether IP grouping destination interface drops in the destination interface scope of rule; Just be based on the comparison of two values based on the coupling of value, whether the protocol fields in the comparison rule equates with the value of protocol fields in the IP grouping.
At last, the present invention also supports the multipriority setting simultaneously.The user can be provided with different other numerical value of processing level for different packet filtering list items, when this numerical value is more little, reflected the degree that it is important, when 5 tuples of IP grouping satisfy a plurality of filtering meter item, the operation of the item that an execution priority is the highest---the pairing operation of item of numerical value minimum just.
Description of drawings
In the appended claims book, state and be sure of for characterizing each novel characteristics of the present invention, yet, be inconjunction with when reading an accompanying drawing with reference to following detailed description meeting the best to an example understand the present invention itself and preferably occupation mode, its other purpose and advantage, wherein accompanying drawing is:
Fig. 1 is an exemplary plot, illustrates logic architecture of the present invention
Fig. 2 is an exemplary plot, the deployment scenario of signal the present invention in the network processing unit environment.
Fig. 3 is an example flow diagram, illustrates the flow process of retrieval of the present invention
Embodiment
Below introduce the main optimum scene of in design, considering.
The network processing unit IXP2400 that fire compartment wall packet filtering rule list mainly is based on Intel realizes.
The IXP2400 network processing unit of Intel comprises micro engine (Microengine) (can realize 8 hardware based threads in each micro engine again), XScale chip based on the RISC technology of the executed in parallel operation of 8 risc chips, CRC hardware cell, Hash unit and Scratchpad unit can be supported the DDR SDRAM of 2G and the SRAM of 1G etc. at most.This framework has satisfied all demands of network development: performance, flexibility, market reaction and littler power consumption faster.
The packet filtering table will be concentrated and be kept in the shared memory; Carry out the unified renewal of filter table by the XScale processor; The work of fire compartment wall data plane all can be handled on micro engine, as reception and transmission, packet filtering table and the inquiry of transmitting, queue management and the packet switching etc. of data.Each micro engine comprises that 1 amount of capacity is to be the control storage of 4K*40bit, is mainly used in to deposit the instruction code that this micro engine will be carried out.The restriction of extensive work and code population size owing to need to carry out complexity just requires size of code that micro engine carries out as much as possible less and efficient, and the work that just requires to search the packet filtering table is simple as much as possible and efficient.
Claims (10)
1, a kind of method of fire compartment wall packet filtering, this method have improved the speed of retrieval greatly by the packet filtering table being set up the index of Multi-Trie; This method is according to the characteristics of packet filtering table rule simultaneously, carry out based on prefix, based on scope successively, filter based on the coupling stage by stage of numerical value, just can think that it is ineligible as long as exist a stage not meet, like this by increasing to a plurality of the processing stage, thereby reduced the total time of handling; This method is also supported the multipriority setting simultaneously.
2, the characteristics of packet filtering table rule according to claim 1, it is characterized in that the packet filtering table has comprised a plurality of list items, each list item all is the processing rule that an IP divides into groups, and this rule comprises purpose IP prefix ranges, source IP prefix ranges, the scope of destination interface, scope, protocol name, the priority of source IP port and the processing of coupling being filtered the IP grouping of this rule of setting---comprise refusal and pass through two kinds of operational processes.
3, IP grouping according to claim 2 is filtered the coupling of rule, it is characterized in that carrying out and packet filtering table coupling item by item, if the corresponding value of a certain item in this 5 tuple and the packet filtering table is consistent or be in this corresponding scope according to 5 tuples of the purpose IP address, source IP address, destination interface, source port and the protocol name that from IP grouping, extract.
4, the grouping filter method of a kind of fire compartment wall according to claim 1, it is characterized in that carrying out coupling with the packet filtering table according to 5 tuples of the purpose IP address, source IP address, destination interface, source port and the protocol name that from IP grouping, extract, if this 5 tuple is consistent with a certain item in the packet filtering table, then carry out this desired operation---perhaps pass through or refusal; This 5 tuple is consistent with a few items in the packet filtering table, carries out one the highest operation of its medium priority so; If any one does not conform in this 5 tuple and the packet filtering table, then refuse this grouping and pass through fire compartment wall.
5, according to the index tree of the described Multi-Trie of claim 1, it is characterized in that it belongs to a kind of data structure based on the key spatial decomposition; Each node of index tree has been preserved the data of each list item of packet filtering table, by the IP address can be retrieved data by the Multibit index tree exactly as keyword; In the Multi-Trie tree, in ergodic process, select the different sub-branch of node to continue traversal according to a plurality of binary digits of IP address successively.
6, according to claim 1,2 described priority, it is characterized in that being provided with different other numerical value of processing level for different packet filtering list items, when this numerical value is more little, reflected the degree that it is important, when 5 tuples of IP grouping satisfy a plurality of filtering meter item, the operation of the item that an execution priority is the highest---the pairing operation of item of numerical value minimum just.
7, coupling stage by stage according to claim 1 is filtered, it is characterized in that characteristics according to packet filtering table rule, at first carry out filtering based on the purpose IP address of prefix and the coupling of source IP address to receiving the IP grouping, grouping is carried out filtering based on the source port of scope and the coupling of destination interface to IP then, carry out at last mating filtration,, illustrate that so this grouping coupling satisfies this rule if this three phases can both mate based on worth protocol fields.
8, according to claim 1,7 the coupling based on prefix is characterized in that the index of the process of its coupling based on two Multi-Trie; At first carry out the retrieval of the index of source IP address obtaining the entry address of purpose index tree, and then carry out retrieval the index of purpose IP address.
9, according to claim 1,7 the coupling based on scope is characterized in that the coupling of the process of its coupling based on two scopes, judge at first whether IP source of packets port drops in this regular destination port range, and then judge whether IP grouping destination interface drops in the destination interface scope of rule.
10, according to claim 1,7 the coupling based on value is characterized in that the comparison of the process of its coupling based on two values, and whether the protocol fields in the comparison rule equates with the value of protocol fields in the IP grouping.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB2005101356048A CN100568851C (en) | 2005-12-31 | 2005-12-31 | A kind of method of fire compartment wall packet filtering |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB2005101356048A CN100568851C (en) | 2005-12-31 | 2005-12-31 | A kind of method of fire compartment wall packet filtering |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN1791068A true CN1791068A (en) | 2006-06-21 |
| CN100568851C CN100568851C (en) | 2009-12-09 |
Family
ID=36788578
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CNB2005101356048A Expired - Fee Related CN100568851C (en) | 2005-12-31 | 2005-12-31 | A kind of method of fire compartment wall packet filtering |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN100568851C (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102812675A (en) * | 2010-02-04 | 2012-12-05 | 日本电信电话株式会社 | Packet Transfer Processing Device, Method, And Program |
-
2005
- 2005-12-31 CN CNB2005101356048A patent/CN100568851C/en not_active Expired - Fee Related
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102812675A (en) * | 2010-02-04 | 2012-12-05 | 日本电信电话株式会社 | Packet Transfer Processing Device, Method, And Program |
| US8902756B2 (en) | 2010-02-04 | 2014-12-02 | Nippon Telegraph And Telephone Corporation | Packet transfer processing device, packet transfer processing method, and packet transfer processing program |
| CN102812675B (en) * | 2010-02-04 | 2015-05-13 | 日本电信电话株式会社 | Packet transfer processing device and method |
Also Published As
| Publication number | Publication date |
|---|---|
| CN100568851C (en) | 2009-12-09 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US8966152B2 (en) | On-chip memory (OCM) physical bank parallelism | |
| US10460250B2 (en) | Scope in decision trees | |
| Yu et al. | Efficient multimatch packet classification and lookup with TCAM | |
| CN101594319B (en) | Entry lookup method and entry lookup device | |
| US8413124B2 (en) | System and method for compiling and matching regular expressions | |
| US9208438B2 (en) | Duplication in decision trees | |
| US10229144B2 (en) | NSP manager | |
| Qiao et al. | Fast Bloom filters and their generalization | |
| CN104050041B (en) | Scheduling Method and Apparatus for Scheduling Rule Matching in a Processor | |
| US9112767B2 (en) | Method and an accumulator scoreboard for out-of-order rule response handling | |
| CN102970150A (en) | Extensible multicast forwarding method and device for data center (DC) | |
| CN101848248B (en) | Rule searching method and device | |
| CN104025520A (en) | Lookup table creation method and query method, and controller, forwarding device and system therefor | |
| CN108650178B (en) | Service message processing method, device and system | |
| Li et al. | A power-saving pre-classifier for TCAM-based IP lookup | |
| CN101989916A (en) | Separating multi-stage buffer network content filtering system and method | |
| CN104009924A (en) | Message processing method and device based on TCAM and FPGA | |
| CN100568851C (en) | A kind of method of fire compartment wall packet filtering | |
| Yu et al. | A power and throughput-efficient packet classifier with n Bloom filters | |
| CN111163077A (en) | System and method for realizing multidimensional continuous mask based on network processor | |
| Qi et al. | Towards system-level optimization for high performance unified threat management | |
| CN103702301A (en) | Real-time sensing control system for inter-internet short message service | |
| CN103309950A (en) | Searching method for key value | |
| Zheng et al. | AM-Trie: An OC-192 parallel multidimensional packet classification algorithm | |
| CN115361604A (en) | Method and system for improving multicast blocking fairness of elastic optical network |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C41 | Transfer of patent application or patent right or utility model | ||
| TA01 | Transfer of patent application right |
Effective date of registration: 20090306 Address after: 7-58 mailbox, Beihang University, 37 Xueyuan Road, Beijing, Haidian District: 100191 Applicant after: Beihang University Address before: Postal code of Sino German software, 16 floor, world Ning mansion, 35 Xueyuan Road, Haidian District, Beijing, zip code: 100083 Applicant before: Qian de Pei Co-applicant before: Wang Yujie Co-applicant before: Wang Rui |
|
| ASS | Succession or assignment of patent right |
Owner name: BEIJING UNIV. OF AERONAUTICS + ASTRONAUTICS Free format text: FORMER OWNER: QIAN DEPEI Effective date: 20090306 |
|
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| C17 | Cessation of patent right | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20091209 Termination date: 20101231 |