WO2021249055A1 - Vpn rule matching method and apparatus, and device, and storage medium - Google Patents


Info

Publication number
WO2021249055A1
Authority
WO
WIPO (PCT)
Prior art keywords
vpn
vpn rule
normalized
destination
rule entry
Prior art date
Application number
PCT/CN2021/090535
Other languages
French (fr)
Chinese (zh)
Inventor
余长林
陈伟
施晟
曲鹏超
Original Assignee
中兴通讯股份有限公司
Priority date
Filing date
Publication date
Application filed by 中兴通讯股份有限公司
Publication of WO2021249055A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L12/4675 Dynamic sharing of VLAN information amongst network nodes

Definitions

  • the present disclosure relates to the field of network communication technology, and in particular to a virtual private network rule matching method, apparatus, device, and storage medium.
  • VPN Virtual Private Network
  • the management platform sends VPN rules to different service modules through the interface layer, so that each service module can configure and manage the VPN rules according to specific policies.
  • there is a large amount of information interaction between the interface layer and the service modules, which seriously affects the configuration efficiency of VPN rules.
  • the existing VPN matching rules all adopt the linked list model.
  • the linked list model basically meets the business needs.
  • the Hash table or linked list model cannot meet the requirements, which seriously affects work efficiency.
  • the embodiment of the application provides a method for matching VPN rules, including: receiving VPN rule entries; normalizing the VPN rule entries; configuring the normalized VPN rule entries; receiving an access request sent by the user terminal; extracting the key information in the access request; and matching the key information with the configured VPN rule entries.
  • the embodiment of the present application also provides a VPN rule matching device, including: a VPN rule normalization processing module, configured to receive VPN rule entries and perform normalization processing on the VPN rule entries; a VPN rule configuration module, used to configure the normalized VPN rule entries; a key information extraction module, used to receive an access request sent by a user terminal and extract the key information in the access request; and a matching module, used to match the key information with the configured VPN rule entries.
  • a VPN rule normalization processing module configured to receive VPN rule entries, and perform normalization processing on the VPN rule entries
  • a VPN rule configuration module used to configure the normalized VPN rule entries
  • a key information extraction module used to receive an access request sent by a user terminal, and extract key information in the access request
  • a matching module used to match the key information with the configured VPN rule entries.
  • An embodiment of the present application also provides a communication device, including a memory, a processor, and a computer program stored in the memory and capable of running on the processor.
  • when the processor executes the computer program, it implements the VPN rule matching method according to the embodiment of the present application.
  • the embodiment of the present application also provides a computer-readable storage medium on which a computer program is stored.
  • when the computer program is executed by a processor, the processor implements the VPN rule matching method according to the embodiment of the present application.
  • Fig. 1 is a flowchart of a VPN rule matching method according to an embodiment of the present application
  • Figure 2 is a schematic structural diagram of a VPN rule matching device according to an embodiment of the present application.
  • Fig. 3 is a working principle diagram of a VPN rule matching device according to an embodiment of the present application.
  • Fig. 4 is a schematic structural diagram of a device according to an embodiment of the present application.
  • Fig. 1 is a flowchart of a VPN rule matching method according to an embodiment of the present application. This method can be used to configure and match VPN rules, and can be executed by a VPN rule matching device according to the present application.
  • the VPN rule matching method includes the following steps S110 to S160.
  • step S110 a VPN rule entry is received.
  • the VPN rule entry sent from the management platform may be received.
  • the management platform can be a third-party platform that needs to create a VPN. Different management platforms can adopt different communication protocols and data structures.
  • the management platform may be the TR069 platform.
  • a VPN rule entry may include a destination Internet Protocol (IP) address range, a destination Uniform Resource Locator (URL), and a source Media Access Control (MAC) address.
  • IP Internet Protocol
  • URL Uniform Resource Locator
  • MAC Media Access Control
  • step S120 normalization processing is performed on the VPN rule entries.
  • the communication protocol and/or data structure of the VPN rule entry may be normalized: different communication protocols are normalized to the same communication protocol, and different data structures are normalized to the same data structure.
  • different management platforms can dynamically send a large number of VPN rule entries.
  • the communication protocols and/or data structures of multiple VPN rule entries can be normalized, which avoids having different service modules process VPN rule entries separately because each management platform uses a different communication protocol and/or data structure.
  • VPN rule entries from different management platforms can be processed uniformly. The normalization of VPN rule entries can shield the differences between management platforms, reduce the amount of exchanged data and the number of messages, and improve the configuration and processing efficiency of VPN rules.
  • step S130 the normalized VPN rule entries are configured.
  • the process of configuring the VPN rule entry can be understood as the process of adding the VPN rule entry to the preset database.
  • the preset database can be used to configure and manage VPN rule entries, including adding, deleting and querying VPN rule entries.
  • the step of configuring the normalized VPN rule entry may be: judging whether the normalized VPN rule entry exists in the preset database; in response to the normalized VPN rule entry existing in the preset database, returning configuration success information to the management platform; and in response to the normalized VPN rule entry not existing in the preset database, adding the normalized VPN rule entry to the preset database.
  • the VPN rule entries stored in the preset database may be normalized VPN rule entries.
  • the VPN rule entry may be a destination IP address range or a destination URL
  • the step of adding the normalized VPN rule entry to the preset database may include: converting the normalized VPN rule entry into an interval tree (IntervalTree) structure; and adding the interval tree structure to the preset database.
  • IntervalTree interval tree
  • the interval tree structure can be understood as a tree structure formed by the destination IP address interval.
  • the interval tree structure may include multiple nodes, a root node, a child node, and a leaf node, and each node represents an address interval.
  • the address range represented by the child node is a subset of the address range represented by its parent node.
  • the destination IP address may be stored in the preset database in the form of an interval tree structure.
  • the destination IP address interval may be divided into multiple sub-intervals; the node position of each sub-interval is determined according to the IP address range corresponding to each sub-interval; and the interval tree structure is constructed according to the node position.
  • the relationship between any two sub-intervals in the multiple sub-intervals may include at least one of the following: an inclusion relationship or an empty intersection. That is, the address interval represented by a child node is a proper subset of the address interval represented by its parent node, and the intersection between the address intervals represented by nodes at the same level of the interval tree structure is an empty set.
  • the destination IP address range is "1-100"
  • the divided sub-ranges may include "1-100", "1-50", "51-100", "1-30", "31-50", "51-80" and "81-100".
  • the root node of the interval tree structure is "1-100"; the root node contains two child nodes "1-50" and "51-100"; the child node "1-50" contains two leaf nodes "1-30" and "31-50"; and the child node "51-100" contains two leaf nodes "51-80" and "81-100".
  • if the converted interval tree structure is a branch of an existing interval tree structure, it can be added to the existing interval tree structure; if the converted interval tree structure is not a branch of the existing interval tree structure, it can be added to the preset database as an independent interval tree structure; and if the converted interval tree structure partially intersects the existing interval tree structure, the existing interval tree structure can be adjusted according to the converted interval tree structure to obtain an adjusted interval tree structure.
  • the destination URL can be converted into a destination IP address range, and the above process can be executed to convert the destination IP address range into an interval tree structure.
  • the VPN rule entry may be the source MAC address
  • the step of adding the normalized VPN rule entry to the preset database may include: converting the normalized VPN rule entry into a linked list structure; and adding the linked list structure to the preset database.
  • the linked list structure can be a hash (Hash) table. If the VPN rule entry is the source MAC address, the MAC address can be stored in the form of a linked list structure.
  • Hash hash
  • step S140 an access request sent by the user terminal is received.
  • the user can be a user in the management platform, and the user can send an access request through a LAN port or a WLAN port.
  • step S150 the key information in the access request is extracted.
  • the key information can be the destination IP address or MAC address.
  • step S160 the key information is matched with the configured VPN rule entry.
  • if the key information belongs to the configured VPN rule entry, it is determined that the matching is successful, and a VPN channel is allocated to the user terminal, so that the user terminal can transmit data through the VPN channel.
  • the step of matching the key information with the configured VPN rule entry may include: querying the MAC address in the linked list structure. If the MAC address that is the same as the MAC address in the key information can be found, the match is successful; if it cannot be found, the match is unsuccessful.
  • the step of matching the key information with the configured VPN rule entry may include: converting the destination IP address into a destination IP address interval; and matching the converted destination IP address interval with the interval tree structure. If the converted destination IP address interval belongs to an IP address interval in the interval tree structure, the matching is successful.
  • the interval tree structure is used to match the user's access request, and it is not necessary to traverse all address intervals, which can improve the matching efficiency.
  • using an interval tree structure instead of a linked list structure can greatly increase the processing speed, and red-black tree technology can also be used to provide the best possible worst-case guarantee. Red-black trees can complete search, insertion, and deletion in O(log n) time, where n represents the number of elements in the interval tree structure, whereas in the same case the linked list structure is at roughly the O(n) level of time complexity.
  • the destination IP address can be converted into a destination IP address range in which both the start address and the end address are destination IP addresses. For example, the destination IP address is 5, and the converted destination IP address range is 5-5.
  • during matching, the corresponding interval tree structure is first determined according to the converted destination IP address interval, and then a downward search is started from the root node of the determined interval tree structure. If a node that matches the converted destination IP address interval is found, the matching is successful; if no node matching the converted destination IP address interval is found, the matching is unsuccessful.
  • a VPN channel can be allocated to the user, so that the user terminal of the user can transmit data through the VPN channel.
  • the technology of interval overlap, red-black tree, and interval tree can be applied to solve the matching problem of VPN rule entries of optical network unit (ONU) gateways on the order of 10K or more, and the matching efficiency is improved.
  • ONU optical network unit
  • the VPN rule entries are normalized and then configured, which can reduce the amount of information exchange, thereby improving the configuration efficiency.
  • matching the key information in the user's access request with the configured VPN rule entries can improve the matching efficiency.
  • after the VPN channel is allocated to the user terminal, it is also possible to: collect behavior data of the user terminal; perform statistical analysis on the behavior data to obtain an analysis result; and perform at least one of the following operations according to the analysis result: adjust the priority of the user terminal, adjust the priority of the VPN channel, and adjust the network bandwidth.
  • the access request may be received from multiple user terminals.
  • the key information may be matched with the configured VPN rule entry according to the priority of the user terminal corresponding to the key information.
  • the matching can be performed in sequence from the highest-priority user terminal to the lowest.
  • the step of allocating the VPN channel to the user terminal may include: allocating the VPN channel to the user terminal according to the priority of the VPN channel, and allocating the adjusted network bandwidth to the VPN channel.
  • the VPN channel with high priority can be allocated to the user terminal first, and the network bandwidth can be allocated to the VPN channel according to the adjusted network bandwidth.
  • Fig. 2 is a schematic structural diagram of a VPN rule matching device according to an embodiment of the present application.
  • the VPN rule matching device may include a VPN rule normalization processing module 210, a VPN rule configuration module 220, a key information extraction module 230, and a matching module 240.
  • the VPN rule normalization processing module 210 is configured to receive VPN rule entries and perform normalization processing on the VPN rule entries.
  • the VPN rule configuration module 220 is used to configure the normalized VPN rule entries.
  • the key information extraction module 230 is configured to receive the access request sent by the user terminal, and extract the key information in the access request.
  • the matching module 240 is used to match the key information with the configured VPN rule entries.
  • the VPN rule normalization processing module 210 is configured to perform normalization processing on the communication protocol and/or data structure of the VPN rule entry.
  • the VPN rule configuration module 220 is configured to: determine whether the normalized VPN rule entry exists in the preset database; in response to the normalized VPN rule entry existing in the preset database, return configuration success information; and in response to the normalized VPN rule entry not existing in the preset database, add the normalized VPN rule entry to the preset database.
  • the VPN rule entry may be a destination IP address range or a destination URL
  • the VPN rule configuration module 220 is used to: convert the normalized VPN rule entry into an interval tree structure; and add the interval tree structure to the preset database.
  • the VPN rule entry may be a destination IP address interval
  • the VPN rule configuration module 220 may be used to: divide the destination IP address interval into multiple sub-intervals, where the relationship between any two sub-intervals in the multiple sub-intervals includes one of the following: an inclusion relationship or an empty intersection; determine the node position of each sub-interval according to the IP address range corresponding to each sub-interval; and construct the interval tree structure according to the node positions.
  • the VPN rule entry may be a destination URL
  • the VPN rule configuration module 220 may be used to: convert the destination URL into a destination IP address interval; divide the destination IP address interval into multiple sub-intervals, where the relationship between any two sub-intervals in the multiple sub-intervals includes one of the following: an inclusion relationship or an empty intersection; determine the node position of each sub-interval according to the IP address range corresponding to each sub-interval; and construct the interval tree structure according to the node positions.
  • the VPN rule entry may be a source MAC address
  • the VPN rule configuration module 220 may be used to: convert the normalized VPN rule entry into a linked list structure; and add the linked list structure to the preset database.
  • the key information may include a destination IP address
  • the matching module 240 may be used to: convert the destination IP address into a destination IP address interval; and match the converted destination IP address interval with the interval tree structure.
  • the VPN rule matching device may further include an allocation module, and in response to the key information belonging to the configured VPN rule entry, it is determined that the matching is successful, and the allocation module is used to allocate the VPN channel to the user terminal.
  • the VPN rule matching device may further include: a behavior data analysis module for: collecting behavior data of the user terminal; performing statistical analysis on the behavior data to obtain an analysis result; and performing at least one of the following operations according to the analysis result : Adjust the priority of the user terminal, adjust the priority of the VPN channel, and adjust the network bandwidth.
  • when the VPN rule normalization processing module 210 receives access requests sent by multiple user terminals, the matching module 240 may be used to match the key information with the configured VPN rule entries according to the priority of the user terminal corresponding to the key information.
  • the matching module 240 may also be used to allocate a VPN channel to the user terminal according to the priority of the VPN channel, and to allocate an adjusted network bandwidth to the VPN channel.
  • Fig. 3 is a working principle diagram of a VPN rule matching device according to an embodiment of the present application.
  • the VPN rule matching device can receive the VPN rule entries sent by the management platform, normalize the VPN rule entries, and configure the normalized VPN rule entries.
  • the user sends an access request, and the VPN rule matching device can extract the key information in the access request sent by the user, and match the key information with the configured VPN rule entry. If the matching is successful, that is, the key information belongs to the configured VPN rule entry, the VPN channel can be allocated to the user terminal, so that the user terminal can transmit data through the VPN channel.
  • Fig. 4 is a schematic structural diagram of a device according to an embodiment of the present application.
  • the device includes: a processor 310 and a memory 320.
  • the number of processors 310 may be one or more.
  • One processor 310 is taken as an example in FIG. 4.
  • the number of memories 320 may be one or more, and one memory 320 is taken as an example in FIG. 4.
  • the processor 310 and the memory 320 may be connected by a bus or in other ways.
  • the bus connection is taken as an example in FIG. 4.
  • the device may be a communication device.
  • the memory 320 can be configured to store software programs, computer-executable programs, and modules, such as program instructions/modules corresponding to the device in any embodiment of the present application.
  • the memory 320 may include a program storage area and a data storage area, where the program storage area may store an operating system and an application program required by at least one function; the data storage area may store data created according to the use of the device, and the like.
  • the memory 320 may include a high-speed random access memory, and may also include a non-volatile memory, such as at least one magnetic disk storage device, a flash memory device, or other non-volatile solid-state storage devices.
  • the memory 320 may further include a memory remotely provided with respect to the processor 310, and these remote memories may be connected to the device through a network.
  • networks include, but are not limited to, the Internet, corporate intranets, local area networks, mobile communication networks, and combinations thereof.
  • the device provided above can be configured to execute the VPN rule matching method according to any embodiment of the present application, and has the corresponding functions and effects.
  • the program stored in the corresponding memory 320 may be a program instruction/module corresponding to the signal processing method provided in the embodiment of the present application.
  • by running the software programs, instructions, and modules stored in the memory 320, the processor 310 executes the various functional applications and data processing of the device, that is, implements the VPN rule matching method according to any embodiment of the present application.
  • the embodiment of the present application also provides a computer-readable storage medium on which a computer program is stored.
  • the processor implements a method for matching VPN rules.
  • the method includes: receiving VPN rule entries; normalizing the VPN rule entries; configuring the normalized VPN rule entries; receiving an access request sent by the user terminal; extracting the key information in the access request; and matching the key information with the configured VPN rule entries.
  • user terminal encompasses any suitable type of wireless user equipment, such as a mobile phone, a portable data processing device, a portable web browser, or a vehicle-mounted mobile station.
  • the embodiments of the present application may be implemented by executing computer program instructions by a data processor of a mobile device, for example, in a processor entity, or by hardware, or by a combination of software and hardware.
  • computer program instructions can be assembly instructions, instruction set architecture (Instruction Set Architecture, ISA) instructions, machine instructions, machine-related instructions, microcode, firmware instructions, state setting data, or source code or object code written in any combination of one or more programming languages.
  • the block diagram of any logic flow in the drawings of the present application may represent program steps, or may represent interconnected logic circuits, modules, and functions, or may represent a combination of program steps and logic circuits, modules, and functions.
  • the computer program can be stored on the memory.
  • the memory can be of any type suitable for the local technical environment and can be implemented using any suitable data storage technology, such as but not limited to read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), and optical memory devices and systems (Digital Video Disc (DVD) or Compact Disk (CD)).
  • Computer-readable storage media may include non-transitory storage media.
  • the data processor can be of any type suitable for the local technical environment, such as but not limited to general-purpose computers, special-purpose computers, microprocessors, digital signal processors (Digital Signal Processing, DSP), application specific integrated circuits (ASICs), programmable logic devices (Field-Programmable Gate Array, FPGA), and processors based on a multi-core processor architecture.
  • DSP Digital Signal Processing
  • ASICs application specific integrated circuits
  • FPGA programmable logic devices
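The configure-and-match procedure of steps S110 to S160, carried through in working code: rule entries from two management-platform formats are normalized to one shape, destination address ranges go into an interval tree whose children are proper sub-intervals and whose siblings are disjoint, source MAC addresses go into a hash set, and a destination address in an access request is turned into the degenerate interval [ip, ip] before the downward search from the root. This is an added example, not code from the patent or from the assignee's implementation. The two input formats (the field names DstIpRange, SrcMac, type, start, end and addr), the class and function names, and the rule shape {"kind": ..., "value": ...} are assumptions of the example. It goes slightly beyond the text in two ways: intervals may be inserted in any order (an enclosing interval added later adopts the existing sub-intervals as its children), and bare integers are accepted as addresses so the page's "1-100" example runs unchanged. Destination URL entries are not modelled, because converting a URL to an address range requires name resolution, and a partially overlapping interval (the page's "adjust the existing tree" case) is rejected rather than restructured.

```python
import bisect
import ipaddress
from dataclasses import dataclass, field


@dataclass(eq=False)
class Node:
    """One address interval [lo, hi]. Children are proper sub-intervals, pairwise
    disjoint and kept sorted by start address (the two relations the page allows)."""
    lo: int
    hi: int
    children: list = field(default_factory=list)

    def contains(self, lo, hi):
        return self.lo <= lo and hi <= self.hi


def _locate(siblings, lo, hi):
    """Among disjoint, sorted siblings return the one containing [lo, hi], or None.
    Because siblings are disjoint at most one can contain the interval, so a single
    bisect finds it. Rebuilding the key list is O(k); a balanced tree keyed by start
    address (e.g. a red-black tree) would make this step O(log k)."""
    i = bisect.bisect_right([n.lo for n in siblings], lo) - 1
    return siblings[i] if i >= 0 and siblings[i].contains(lo, hi) else None


class IntervalTree:
    """Forest of nested destination-address intervals (the page's interval tree structure)."""

    def __init__(self):
        self.roots = []  # independent trees: disjoint, sorted by lo

    def insert(self, lo, hi):
        """Add [lo, hi]; returns False if it is already configured. Existing
        sub-intervals of the new interval are re-parented under it; a partial
        overlap is rejected (hypothetical policy, not taken from the page)."""
        if lo > hi:
            raise ValueError("empty interval")
        siblings = self.roots
        while (parent := _locate(siblings, lo, hi)) is not None:
            if (parent.lo, parent.hi) == (lo, hi):
                return False
            siblings = parent.children
        node = Node(lo, hi)
        inside, overlapping = [], []
        for n in siblings:
            if node.contains(n.lo, n.hi):
                inside.append(n)
            elif not (n.hi < lo or hi < n.lo):
                overlapping.append((n.lo, n.hi))
        if overlapping:
            raise ValueError(f"[{lo}, {hi}] partially overlaps {overlapping}")
        for n in inside:
            siblings.remove(n)
        node.children = inside  # already sorted, since siblings were
        siblings.insert(bisect.bisect_left([n.lo for n in siblings], lo), node)
        return True

    def match(self, lo, hi):
        """Search downward from the root; return the most specific configured
        interval containing [lo, hi], or None when no root contains it."""
        best, siblings = None, self.roots
        while (node := _locate(siblings, lo, hi)) is not None:
            best, siblings = (node.lo, node.hi), node.children
        return best


def to_int(addr):
    """Integer form of an IPv4/IPv6 address string, or a bare integer as in the page's 1-100 example."""
    if isinstance(addr, int):
        return addr
    s = str(addr).strip()
    return int(s) if s.isdigit() else int(ipaddress.ip_address(s))


def normalize(raw):
    """Map two constructed management-platform formats (hypothetical, not from the page)
    onto one rule shape so that a single store can serve both platforms."""
    if "DstIpRange" in raw:                          # format A: 'start-end' string
        start, end = raw["DstIpRange"].split("-")
        return {"kind": "dst_ip_range", "value": (to_int(start), to_int(end))}
    if raw.get("type") == "ip":                      # format B: separate start/end fields
        return {"kind": "dst_ip_range", "value": (to_int(raw["start"]), to_int(raw["end"]))}
    if "SrcMac" in raw or raw.get("type") == "mac":  # MAC in either format, canonical aa:bb:..
        mac = raw["SrcMac"] if "SrcMac" in raw else raw["addr"]
        return {"kind": "src_mac", "value": mac.replace("-", ":").lower()}
    raise ValueError(f"unsupported rule entry: {raw!r}")


class VpnRuleStore:
    """The page's preset database: interval tree for destination addresses, hash set for source MACs."""

    def __init__(self):
        self.dst_ip, self.src_mac = IntervalTree(), set()

    def configure(self, rule):
        """True when the entry was added, False when it already existed (success either way)."""
        if rule["kind"] == "dst_ip_range":
            return self.dst_ip.insert(*rule["value"])
        if rule["value"] in self.src_mac:
            return False
        self.src_mac.add(rule["value"])
        return True

    def match(self, request):
        """Extract the key information from an access request and match it; a destination
        address becomes the degenerate interval [ip, ip] before the tree lookup."""
        if "src_mac" in request:
            mac = request["src_mac"].replace("-", ":").lower()
            return ("src_mac", mac) if mac in self.src_mac else None
        ip = to_int(request["dst_ip"])
        hit = self.dst_ip.match(ip, ip)
        return ("dst_ip_range", hit) if hit else None


if __name__ == "__main__":
    # The page's worked example: root 1-100 split into nested sub-intervals; destination 5 -> 5-5.
    tree = IntervalTree()
    for lo, hi in [(1, 100), (1, 50), (51, 100), (1, 30), (31, 50), (51, 80), (81, 100)]:
        tree.insert(lo, hi)
    print(tree.match(5, 5), tree.match(101, 101))  # (1, 30) None
```

The lookup never visits more than one child per level, which is the property the page relies on to avoid traversing every interval; the sibling search here is a bisect over a rebuilt key list, so swapping in a balanced tree per level is what turns the per-level cost into the O(log n) the page attributes to red-black trees.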

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Disclosed in embodiments of the present application are a VPN rule matching method and apparatus, and a device, and a storage medium. The method comprises: receiving VPN rule entries; normalizing the VPN rule entries; configuring the normalized VPN rule entries; receiving an access request sent by a user terminal; extracting key information in the access request; and matching the key information with the configured VPN rule entries.

Description

VPN rule matching method, apparatus, device and storage medium
Technical field
The present disclosure relates to the field of network communication technology, and in particular to a virtual private network rule matching method, apparatus, device and storage medium.
Background art
With the development of communication technology, the growth of the Internet has promoted the adoption of virtual private networks (Virtual Private Network, VPN) built on the public network, which makes it possible to interconnect different departments of an enterprise across regions through public networks. Enterprises no longer need to build separate networks, which saves a large amount of communication cost and capital. These new service requirements place higher performance demands on VPN configuration and management.
In related technologies, the management platform sends VPN rules to different service modules through an interface layer, so that each service module can configure and manage the VPN rules according to specific policies. There is a large amount of information interaction between the interface layer and the service modules, which seriously affects the configuration efficiency of VPN rules. In addition, existing VPN matching rules all adopt the linked list model; when VPN demand is small and the number of matching entries is small, the linked list model basically meets service needs. However, as service requirements grow, with VPN rules on the order of 10K or more, the hash (Hash) table or linked list model cannot meet the requirements, which seriously affects work efficiency.
Summary of the invention
An embodiment of the present application provides a VPN rule matching method, including: receiving VPN rule entries; normalizing the VPN rule entries; configuring the normalized VPN rule entries; receiving an access request sent by a user terminal; extracting key information in the access request; and matching the key information with the configured VPN rule entries.
An embodiment of the present application also provides a VPN rule matching apparatus, including: a VPN rule normalization processing module, configured to receive VPN rule entries and normalize the VPN rule entries; a VPN rule configuration module, configured to configure the normalized VPN rule entries; a key information extraction module, configured to receive an access request sent by a user terminal and extract key information in the access request; and a matching module, configured to match the key information with the configured VPN rule entries.
An embodiment of the present application also provides a communication device, including a memory, a processor, and a computer program stored in the memory and runnable on the processor; when the processor executes the computer program, it implements the VPN rule matching method according to the embodiment of the present application.
An embodiment of the present application also provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, the processor implements the VPN rule matching method according to the embodiment of the present application.
Description of the drawings
Fig. 1 is a flowchart of a VPN rule matching method according to an embodiment of the present application;
Fig. 2 is a schematic structural diagram of a VPN rule matching apparatus according to an embodiment of the present application;
Fig. 3 is a working principle diagram of a VPN rule matching apparatus according to an embodiment of the present application; and
Fig. 4 is a schematic structural diagram of a device according to an embodiment of the present application.
Detailed description
In order to make the objectives, technical solutions and advantages of the present application clearer, the embodiments of the present application are described in detail below with reference to the accompanying drawings. It should be noted that, provided there is no conflict, the embodiments of the present application and the features in the embodiments may be combined with one another arbitrarily.
It should be understood that the embodiments described here serve only to explain the present disclosure and are not intended to limit it.
In the following description, suffixes such as "module", "component" or "unit" used to denote elements are adopted only to facilitate the description of the present disclosure and carry no special meaning of their own; "module", "component" and "unit" may therefore be used interchangeably.
Fig. 1 is a flowchart of a VPN rule matching method according to an embodiment of the present application. The method may be used to configure and match VPN rules, and may be performed by the VPN rule matching apparatus according to the present application.
As shown in Fig. 1, the VPN rule matching method according to the embodiment includes the following steps S110 to S160.
In step S110, a VPN rule entry is received.
In an embodiment, the VPN rule entry may be received from a management platform. The management platform may be a third-party platform that needs to create a VPN. Different management platforms may use different communication protocols and data structures; for example, the management platform may be a TR069 platform. A VPN rule entry may include a destination Internet Protocol (IP) address range, a destination Uniform Resource Locator (URL), and a source Media Access Control (MAC) address.
In step S120, the VPN rule entry is normalized.
In an embodiment, the communication protocol and/or the data structure of the VPN rule entry may be normalized: different communication protocols are normalized to one common communication protocol, and different data structures are normalized to one common data structure.
In an embodiment, different management platforms may dynamically deliver large numbers of VPN rule entries. After the entries are received, the communication protocols and/or data structures of the multiple VPN rule entries may be normalized, which avoids having to process the entries of each management platform with a separate service module merely because the platforms use different communication protocols and/or data structures. VPN rule entries from different management platforms can thus be processed uniformly. Normalizing the entries hides the differences between management platforms and reduces the amount of exchanged data and the number of messages, improving the efficiency of configuring and processing VPN rules.
In step S130, the normalized VPN rule entry is configured.
Configuring a VPN rule entry may be understood as adding the entry to a preset database. The preset database may be used to configure and manage VPN rule entries, including adding, deleting and querying them.
In an embodiment, configuring the normalized VPN rule entry may include: determining whether the normalized VPN rule entry already exists in the preset database; in response to the normalized entry existing in the preset database, returning a configuration-success message to the management platform; and in response to the normalized entry not existing in the preset database, adding the normalized entry to the preset database.
The normalized VPN rule entry may be looked up in the preset database. If a VPN rule entry identical to the normalized entry (which corresponds to the received entry) is found, a configuration-success message may be returned to the management platform; if none is found, the normalized entry may be added to the preset database. That is, in an embodiment, the VPN rule entries stored in the preset database may be normalized entries.
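The normalization and configuration steps S120 and S130 described above, as an added Python example that is not the patent's own code. The two management-platform formats (a TR-069-style parameter pair and a JSON-style record), their field names, and the in-memory PresetDatabase are all assumptions made up for the example. It shows why normalization matters for the existence check in step S130: the same rule delivered in two different notations (a CIDR block versus a start-end pair, or a dashed versus a dotted MAC) reduces to one canonical VpnRule, so the second delivery is reported as already configured instead of being stored twice.

```python
"""Normalize VPN rule entries from heterogeneous management platforms into
one canonical shape, then configure them into a preset database.

Added example, not the patent's own code. Platform formats, field names and
the in-memory preset database are assumptions made here.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Canonical rule kinds, mirroring the three entry types named in the text.
DST_IP_RANGE = "dst_ip_range"
DST_URL = "dst_url"
SRC_MAC = "src_mac"


@dataclass(frozen=True)
class VpnRule:
    """One normalized entry. 'value' is canonical per kind: (start, end) integer
    bounds for IP ranges, a lowercase host name for URLs, 'aa:bb:cc:dd:ee:ff'
    for MAC addresses. Frozen, so it is hashable and usable as a set member."""
    kind: str
    value: object


def _norm_mac(raw: str) -> str:
    """Strip separators ('-', ':', '.') and emit lowercase colon notation."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def _norm_ip_range(raw: str) -> Tuple[int, int]:
    """Accept 'a.b.c.d - a.b.c.e' or CIDR; return inclusive integer bounds."""
    if "-" in raw:
        lo, hi = raw.split("-", 1)
        lo_i = int(ipaddress.ip_address(lo.strip()))
        hi_i = int(ipaddress.ip_address(hi.strip()))
    else:
        net = ipaddress.ip_network(raw.strip(), strict=False)
        lo_i, hi_i = int(net.network_address), int(net.broadcast_address)
    if lo_i > hi_i:
        raise ValueError(f"inverted range: {raw!r}")
    return lo_i, hi_i


def _norm_url(raw: str) -> str:
    """Keep only the lowercase host part; the match step works on addresses."""
    host = re.sub(r"^[a-z]+://", "", raw.strip().lower()).split("/", 1)[0]
    return host.split(":", 1)[0]


def normalize(platform: str, entry: Dict[str, str]) -> VpnRule:
    """Map a platform-specific entry (assumed formats) to the canonical VpnRule."""
    if platform == "tr069":
        # assumed TR-069 style parameter names
        kind = {"IPRange": DST_IP_RANGE, "URL": DST_URL, "MAC": SRC_MAC}[entry["X_VPN_RuleType"]]
        val = entry["X_VPN_RuleValue"]
    elif platform == "rest":
        # assumed JSON style record with 'type' and 'target'
        kind = {"ip": DST_IP_RANGE, "url": DST_URL, "mac": SRC_MAC}[entry["type"]]
        val = entry["target"]
    else:
        raise ValueError(f"unknown management platform {platform!r}")
    if kind == DST_IP_RANGE:
        return VpnRule(kind, _norm_ip_range(val))
    if kind == DST_URL:
        return VpnRule(kind, _norm_url(val))
    return VpnRule(kind, _norm_mac(val))


class PresetDatabase:
    """Minimal stand-in for the preset database: a set of normalized rules."""

    def __init__(self) -> None:
        self._rules = set()

    def configure(self, rule: VpnRule) -> str:
        """Step S130: report 'exists' (configuration success) if the normalized
        entry is already present, otherwise add it and report 'added'."""
        if rule in self._rules:
            return "exists"
        self._rules.add(rule)
        return "added"

    def __len__(self) -> int:
        return len(self._rules)


def demo() -> Tuple[List[str], int]:
    """Constructed sample: the same two rules delivered by two platforms."""
    db = PresetDatabase()
    deliveries = [
        normalize("tr069", {"X_VPN_RuleType": "IPRange", "X_VPN_RuleValue": "10.0.0.0/24"}),
        normalize("rest", {"type": "ip", "target": "10.0.0.0 - 10.0.0.255"}),
        normalize("tr069", {"X_VPN_RuleType": "MAC", "X_VPN_RuleValue": "AA-BB-CC-DD-EE-FF"}),
        normalize("rest", {"type": "mac", "target": "aabb.ccdd.eeff"}),
    ]
    return [db.configure(r) for r in deliveries], len(db)


if __name__ == "__main__":
    print(demo())
```

The canonical form is deliberately the most reduced one (integer bounds, bare host, one MAC notation) so that equality on the dataclass is the existence check; any notation differences between platforms are absorbed in the `_norm_*` helpers and never reach the database.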
In an embodiment, where the VPN rule entry is a destination IP address range or a destination URL, adding the normalized VPN rule entry to the preset database may include: converting the normalized entry into an interval tree (IntervalTree) structure; and adding the interval tree structure to the preset database.
An interval tree structure may be understood as a tree built from destination IP address ranges. It may include multiple nodes, namely a root node, child nodes and leaf nodes, each representing an address range; the range represented by a child node is a subset of the range represented by its parent. In an embodiment, destination IP addresses may be stored in the preset database in the form of such an interval tree.
Specifically, the destination IP address range may be divided into multiple sub-ranges; the node position of each sub-range is determined from the IP address range it covers; and the interval tree structure is built according to those node positions.
The relationship between any two of the sub-ranges is at least one of the following: containment, or an empty intersection. That is, the address range represented by a child node is a proper subset of the range represented by its parent, and the ranges represented by nodes at the same level of the tree have an empty intersection. For example, for the destination IP address range "1-100", the sub-ranges may be "1-100", "1-50", "51-100", "1-30", "31-50", "51-80" and "81-100". The root of the interval tree is "1-100"; it has two child nodes, "1-50" and "51-100"; child node "1-50" has two leaf nodes, "1-30" and "31-50"; and child node "51-100" has two leaf nodes, "51-80" and "81-100". Once the node position of each sub-range is determined, the interval tree structure can be built from those positions.
Specifically, after a destination IP address range has been converted into an interval tree structure: if the converted tree is a branch of an existing interval tree, it may be added to that existing tree; if it is not a branch of any existing tree, it may be added to the preset database as an independent interval tree; and if it partially intersects an existing tree, the existing tree may be adjusted according to the converted tree to obtain an adjusted interval tree.
In an embodiment, if the VPN rule entry is a destination URL, the destination URL may first be converted into a destination IP address range, after which the above process is performed to convert that range into an interval tree structure.
In an embodiment, where the VPN rule entry is a source MAC address, adding the normalized VPN rule entry to the preset database may include: converting the normalized entry into a linked list structure; and adding the linked list structure to the preset database.
The linked list structure may be a hash table. If the VPN rule entry is a source MAC address, the MAC address may be stored in the form of such a linked list structure.
In step S140, an access request sent by a user terminal is received.
The user may be a user of the management platform, and may send the access request through a LAN port or a WLAN port.
In step S150, key information is extracted from the access request.
The key information may be a destination IP address or a MAC address.
In step S160, the key information is matched against the configured VPN rule entries.
If the key information belongs to a configured VPN rule entry, the match is determined to be successful and a VPN channel is allocated to the user terminal, so that the user terminal can transmit data through the VPN channel.
In an embodiment, if the key information is a MAC address, matching it against the configured VPN rule entries may include looking the MAC address up in the linked list structure. If a MAC address identical to the one in the key information is found, the match succeeds; otherwise it fails.
In an embodiment, if the key information is a destination IP address, matching it against the configured VPN rule entries may include: converting the destination IP address into a destination IP address range; and matching the converted range against the interval tree structure. If the converted destination IP address range belongs to an IP address range in the interval tree, the match succeeds. Because this embodiment matches the user's access request against an interval tree, there is no need to traverse every address range, which improves matching efficiency. Using an interval tree instead of a linked list greatly increases processing speed, and red-black tree techniques can further be used to provide the best possible worst-case guarantee: a red-black tree completes lookup, insertion and deletion in O(log n) time, where n is the number of elements in the interval tree, whereas a linked list requires roughly O(n) time for the same operations.
The destination IP address may be converted into a destination IP address range whose start and end addresses are both that destination IP address; for example, destination IP address 5 is converted into the range 5-5. During matching, the interval tree corresponding to the converted range is first determined, and a downward search is then started from the root of that tree. If a node matching the converted destination IP address range is found, the match succeeds; if no such node is found, the match fails.
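The interval tree of steps S130 and S160, as an added Python example that is not the patent's own code. It builds the "1-100" tree given in the text from its seven sub-ranges and performs the 5-5 style point lookup by walking down from the root. The nesting invariants follow the text (a child's range is a proper subset of its parent's, siblings at one level are disjoint); sorted sibling lists searched by binary search stand in for the red-black tree the text mentions. The three insertion cases (branch of an existing tree, independent tree, partial intersection) also follow the text, but splitting a partially intersecting range at the existing node's boundary is this example's own way of adjusting the tree, which the text leaves open. The forest of independent roots and the ip_to_int helper are assumptions of the example.

```python
"""Interval-tree storage and point lookup for destination-IP VPN rules.

Added example, not the patent's own code. Binary search over sorted,
disjoint siblings replaces the red-black tree the text mentions; how a
partially intersecting range is absorbed is this example's assumption.
"""
import ipaddress
from typing import List, Optional, Tuple


class Node:
    __slots__ = ("lo", "hi", "children")

    def __init__(self, lo: int, hi: int) -> None:
        self.lo, self.hi = lo, hi
        self.children: List["Node"] = []   # disjoint, sorted by lo

    def contains(self, lo: int, hi: int) -> bool:
        """True if [lo, hi] is a subset of this node's range."""
        return self.lo <= lo and hi <= self.hi


def _count_lo_le(siblings: List[Node], x: int) -> int:
    """Number of siblings whose start is <= x (binary search; O(log k))."""
    a, b = 0, len(siblings)
    while a < b:
        m = (a + b) // 2
        if siblings[m].lo <= x:
            a = m + 1
        else:
            b = m
    return a


class IntervalForest:
    """Several independent interval trees, kept as a sorted list of roots."""

    def __init__(self) -> None:
        self.roots: List[Node] = []

    def insert(self, lo: int, hi: int) -> None:
        if lo > hi:
            raise ValueError("inverted interval")
        self._insert(self.roots, lo, hi)

    def _insert(self, siblings: List[Node], lo: int, hi: int) -> None:
        # Case 1: branch of an existing tree -> descend into the node that contains it.
        for s in siblings:
            if s.contains(lo, hi):
                if (s.lo, s.hi) != (lo, hi):        # identical rule: nothing to add
                    self._insert(s.children, lo, hi)
                return
        # Case 3: partial intersection -> split at the existing boundary (assumed
        # adjustment) so each piece is either nested or disjoint, then recurse.
        for s in siblings:
            if lo < s.lo <= hi < s.hi:
                self._insert(siblings, lo, s.lo - 1)
                self._insert(siblings, s.lo, hi)
                return
            if s.lo < lo <= s.hi < hi:
                self._insert(siblings, lo, s.hi)
                self._insert(siblings, s.hi + 1, hi)
                return
        # Case 2: independent of (or enclosing) its siblings -> new node at this
        # level, adopting any siblings it fully contains to keep the nesting.
        node = Node(lo, hi)
        node.children = [s for s in siblings if node.contains(s.lo, s.hi)]
        siblings[:] = [s for s in siblings if not node.contains(s.lo, s.hi)]
        siblings.insert(_count_lo_le(siblings, lo), node)

    def match(self, addr: int) -> Optional[Tuple[int, int]]:
        """Step S160 for a destination IP: treat addr as the range addr-addr and
        walk down from the root; return the most specific matching range, or
        None when no tree contains the address (match fails)."""
        level, best = self.roots, None
        while level:
            i = _count_lo_le(level, addr) - 1
            if i < 0 or not (level[i].lo <= addr <= level[i].hi):
                break
            best = (level[i].lo, level[i].hi)
            level = level[i].children
        return best


def ip_to_int(dotted: str) -> int:
    """Helper assumed here: dotted IPv4/IPv6 text to the integer the tree stores."""
    return int(ipaddress.ip_address(dotted))


def build_document_example() -> IntervalForest:
    """The sub-ranges listed in the text for '1-100', inserted in that order."""
    forest = IntervalForest()
    for lo, hi in [(1, 100), (1, 50), (51, 100), (1, 30), (31, 50), (51, 80), (81, 100)]:
        forest.insert(lo, hi)
    return forest


if __name__ == "__main__":
    f = build_document_example()
    print(f.match(5), f.match(75), f.match(101))
```

Insertion order does not matter for the final shape: a range that arrives before its enclosing range is adopted as a child when the larger range is inserted later (case 2), so the tree always satisfies the subset-and-disjoint invariants that the downward search in `match` relies on.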
In an embodiment, if the key information is matched successfully, the user is a legitimate user, and a VPN channel may be allocated to that user so that the user's terminal can transmit data through the VPN channel.
According to embodiments of the present disclosure, interval overlap, red-black tree and interval tree techniques can be applied to solve the matching problem for VPN rule entries on an optical network unit (ONU) gateway at a scale of 10K entries or more, improving matching efficiency.
According to embodiments of the present disclosure, VPN rule entries are normalized before being configured, which reduces the amount of information exchanged and thereby improves configuration efficiency. In addition, matching the key information in the user's access request against the configured VPN rule entries improves matching efficiency.
In an embodiment, after the VPN channel has been allocated to the user terminal, the method may further: collect behavior data of the user terminal; perform statistical analysis on the behavior data to obtain an analysis result; and, according to the analysis result, perform at least one of the following operations: adjusting the priority of the user, adjusting the priority of the VPN channel, and adjusting the network bandwidth.
In an embodiment, access requests may be received from multiple user terminals. In that case, the key information may be matched against the configured VPN rule entries in order of the priority of the user terminal to which the key information corresponds, that is, matching proceeds from the highest-priority user terminal to the lowest.
In an embodiment, allocating the VPN channel to the user terminal may include: allocating the VPN channel to the user terminal according to the priority of the VPN channel, and allocating the adjusted network bandwidth to the VPN channel. A VPN channel with a higher priority may be allocated to the user terminal first, and network bandwidth is allocated to the VPN channel according to the adjusted network bandwidth.
Fig. 2 is a schematic structural diagram of a VPN rule matching apparatus according to an embodiment of the present application.
As shown in Fig. 2, the VPN rule matching apparatus according to the embodiment may include a VPN rule normalization processing module 210, a VPN rule configuration module 220, a key information extraction module 230 and a matching module 240.
The VPN rule normalization processing module 210 is configured to receive a VPN rule entry and normalize the VPN rule entry.
The VPN rule configuration module 220 is configured to configure the normalized VPN rule entry.
The key information extraction module 230 is configured to receive an access request sent by a user terminal and extract key information from the access request.
The matching module 240 is configured to match the key information against the configured VPN rule entries.
In an embodiment, the VPN rule normalization processing module 210 is configured to normalize the communication protocol and/or the data structure of the VPN rule entry.
In an embodiment, the VPN rule configuration module 220 is configured to: determine whether the normalized VPN rule entry exists in the preset database; in response to the normalized entry existing in the preset database, return a configuration-success message; and in response to the normalized entry not existing in the preset database, add the normalized entry to the preset database.
In an embodiment, where the VPN rule entry is a destination IP address range or a destination URL, the VPN rule configuration module 220 is configured to: convert the normalized VPN rule entry into an interval tree structure; and add the interval tree structure to the preset database.
In an embodiment, where the VPN rule entry is a destination IP address range, the VPN rule configuration module 220 may be configured to: divide the destination IP address range into multiple sub-ranges, where the relationship between any two of the sub-ranges is one of containment or an empty intersection; determine the node position of each sub-range from the IP address range it covers; and build the interval tree structure from those node positions.
In an embodiment, where the VPN rule entry is a destination URL, the VPN rule configuration module 220 may be configured to: convert the destination URL into a destination IP address range; divide the destination IP address range into multiple sub-ranges, where the relationship between any two of the sub-ranges is one of containment or an empty intersection; determine the node position of each sub-range from the IP address range it covers; and build the interval tree structure from those node positions.
In an embodiment, where the VPN rule entry is a source MAC address, the VPN rule configuration module 220 may be configured to: convert the normalized VPN rule entry into a linked list structure; and add the linked list structure to the preset database.
In an embodiment, the key information may include a destination IP address, and the matching module 240 may be configured to: convert the destination IP address into a destination IP address range; and match the converted destination IP address range against the interval tree structure.
In an embodiment, the VPN rule matching apparatus may further include an allocation module; in response to the key information belonging to a configured VPN rule entry, the match is determined to be successful, and the allocation module is configured to allocate a VPN channel to the user terminal.
In an embodiment, the VPN rule matching apparatus may further include a behavior data analysis module configured to: collect behavior data of the user terminal; perform statistical analysis on the behavior data to obtain an analysis result; and, according to the analysis result, perform at least one of the following operations: adjusting the priority of the user terminal, adjusting the priority of the VPN channel, and adjusting the network bandwidth.
In an embodiment, where the VPN rule normalization processing module 210 receives access requests sent by multiple user terminals, the matching module 240 may be configured to match the key information against the configured VPN rule entries in order of the priority of the user terminal to which the key information corresponds.
In an embodiment, the matching module 240 may further be configured to allocate a VPN channel to the user terminal according to the priority of the VPN channel, and to allocate the adjusted network bandwidth to the VPN channel.
Fig. 3 is a working principle diagram of a VPN rule matching apparatus according to an embodiment of the present application.
As shown in Fig. 3, multiple management platforms deliver VPN rule entries through a communication module. The VPN rule matching apparatus receives the VPN rule entries sent by the management platforms, normalizes them, and configures the normalized entries. When a user sends an access request, the apparatus extracts the key information from the access request and matches it against the configured VPN rule entries. If the match succeeds, that is, the key information belongs to a configured VPN rule entry, a VPN channel may be allocated to the user terminal so that the user terminal can transmit data through the VPN channel.
Fig. 4 is a schematic structural diagram of a device according to an embodiment of the present application.
As shown in Fig. 4, the device according to an embodiment of the present application includes a processor 310 and a memory 320. There may be one or more processors 310; Fig. 4 takes one processor 310 as an example. There may be one or more memories 320; Fig. 4 takes one memory 320 as an example. The processor 310 and the memory 320 may be connected by a bus or otherwise; Fig. 4 takes a bus connection as an example. In an embodiment, the device may be a communication device.
As a computer-readable storage medium, the memory 320 may be configured to store software programs, computer-executable programs and modules, such as the program instructions/modules corresponding to the device in any embodiment of the present application. The memory 320 may include a program storage area and a data storage area: the program storage area may store an operating system and the application program required by at least one function, and the data storage area may store data created during use of the device. In addition, the memory 320 may include high-speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, a flash memory device, or another non-volatile solid-state storage device. In some examples, the memory 320 may further include memory located remotely from the processor 310, and such remote memory may be connected to the device through a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The device provided above may be configured to perform the VPN rule matching method according to any embodiment of the present application, and has the corresponding functions and effects.
The program stored in the memory 320 may be the program instructions/modules corresponding to the signal processing method provided in the embodiments of the present application. By running the software programs, instructions and modules stored in the memory 320, the processor 310 performs one or more functional applications and data processing of the computer device, that is, implements the VPN rule matching method according to any embodiment of the present application.
An embodiment of the present application further provides a computer-readable storage medium on which a computer program is stored. When the computer program is executed by a processor, the processor implements a VPN rule matching method, the method including: receiving a VPN rule entry; normalizing the VPN rule entry; configuring the normalized VPN rule entry; receiving an access request sent by a user terminal; extracting key information from the access request; and matching the key information against the configured VPN rule entry.
Those skilled in the art will understand that the term "user terminal" covers any suitable type of wireless user equipment, such as a mobile phone, a portable data processing apparatus, a portable web browser or a vehicle-mounted mobile station.
The various embodiments of the present application may be implemented in hardware or dedicated circuits, software, logic, or any combination thereof. For example, some aspects may be implemented in hardware, while other aspects may be implemented in firmware or software executable by a controller, microprocessor or other computing apparatus, although the present application is not limited thereto.
The embodiments of the present application may be implemented by a data processor of a mobile apparatus executing computer program instructions, for example in a processor entity, or by hardware, or by a combination of software and hardware. The computer program instructions may be assembly instructions, Instruction Set Architecture (ISA) instructions, machine instructions, machine-dependent instructions, microcode, firmware instructions, state-setting data, or source code or object code written in any combination of one or more programming languages.
Any block diagram of a logic flow in the drawings of the present application may represent program steps, or interconnected logic circuits, modules and functions, or a combination of program steps with logic circuits, modules and functions. The computer program may be stored in a memory. The memory may be of any type suitable for the local technical environment and may be implemented with any suitable data storage technology, such as, but not limited to, Read-Only Memory (ROM), Random Access Memory (RAM), and optical storage devices and systems (Digital Video Disc (DVD) or Compact Disc (CD)). The computer-readable storage medium may include a non-transitory storage medium. The data processor may be of any type suitable for the local technical environment, such as, but not limited to, a general-purpose computer, a special-purpose computer, a microprocessor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a programmable logic device (Field-Programmable Gate Array, FPGA), or a processor based on a multi-core processor architecture.
The above are merely exemplary embodiments of the present application and are not intended to limit its scope of protection.
A detailed description of the exemplary embodiments of the present application has been provided above by way of exemplary and non-limiting examples. Considered together with the accompanying drawings and the claims, however, various modifications and adaptations of the above embodiments will be apparent to those skilled in the art without departing from the scope of the present disclosure. The proper scope of the present disclosure is therefore to be determined by the claims.

Claims (15)

  1. A method for matching virtual private network (VPN) rules, comprising:
    receiving a VPN rule entry;
    normalizing the VPN rule entry;
    configuring the normalized VPN rule entry;
    receiving an access request sent by a user terminal;
    extracting key information from the access request; and
    matching the key information against the configured VPN rule entry.
  2. The method according to claim 1, wherein the step of normalizing the VPN rule entry comprises:
    normalizing the communication protocol and/or the data structure of the VPN rule entry.
  3. The method according to claim 1, wherein the step of configuring the normalized VPN rule entry comprises:
    determining whether the normalized VPN rule entry exists in a preset database;
    in response to the normalized VPN rule entry existing in the preset database, returning information indicating that the configuration succeeded; and
    in response to the normalized VPN rule entry not existing in the preset database, adding the normalized VPN rule entry to the preset database.
  4. The method according to claim 3, wherein the VPN rule entry is a destination Internet Protocol (IP) address range or a destination Uniform Resource Locator (URL), and the step of adding the normalized VPN rule entry to the preset database comprises:
    converting the normalized VPN rule entry into an interval tree structure; and
    adding the interval tree structure to the preset database.
  5. The method according to claim 4, wherein the VPN rule entry is the destination IP address range, and the step of converting the normalized VPN rule entry into the interval tree structure comprises:
    dividing the destination IP address range into a plurality of sub-intervals, wherein the relationship between any two of the plurality of sub-intervals is one of the following: one contains the other, or their intersection is the empty set;
    determining the node position of each sub-interval according to the IP address range corresponding to that sub-interval; and
    constructing the interval tree structure according to the node positions.
  6. The method according to claim 4, wherein the VPN rule entry is the destination URL, and the step of converting the normalized VPN rule entry into the interval tree structure comprises:
    converting the destination URL into a destination IP address range;
    dividing the destination IP address range into a plurality of sub-intervals, wherein the relationship between any two of the plurality of sub-intervals is one of the following: one contains the other, or their intersection is the empty set;
    determining the node position of each sub-interval according to the IP address range corresponding to that sub-interval; and
    constructing the interval tree structure according to the node positions.
  7. The method according to claim 3, wherein the VPN rule entry is a source media access control (MAC) address, and the step of adding the normalized VPN rule entry to the preset database comprises:
    converting the normalized VPN rule entry into a linked list structure; and
    adding the linked list structure to the preset database.
  8. The method according to claim 4, wherein the key information comprises a destination IP address, and the step of matching the key information against the configured VPN rule entry comprises:
    converting the destination IP address into a destination IP address interval; and
    matching the converted destination IP address interval against the interval tree structure.
  9. The method according to claim 1, further comprising:
    in response to the key information belonging to the configured VPN rule entry, determining that the match succeeded; and
    allocating a VPN tunnel to the user terminal.
  10. The method according to claim 9, further comprising:
    collecting behavior data of the user terminal;
    performing statistical analysis on the behavior data to obtain an analysis result; and
    performing at least one of the following operations according to the analysis result:
    adjusting the priority of the user terminal, adjusting the priority of the VPN tunnel, and adjusting the network bandwidth.
  11. The method according to claim 10, wherein access requests sent by a plurality of user terminals are received, and the step of matching the key information against the configured VPN rule entry comprises:
    matching the key information against the configured VPN rule entry in order of the priority of the user terminal corresponding to the key information.
  12. The method according to claim 10, wherein the step of allocating the VPN tunnel to the user terminal comprises:
    allocating the VPN tunnel to the user terminal according to the priority of the VPN tunnel, and allocating the adjusted network bandwidth to the VPN tunnel.
  13. An apparatus for matching VPN rules, comprising:
    a VPN rule normalization module, configured to receive a VPN rule entry and normalize the VPN rule entry;
    a VPN rule configuration module, configured to configure the normalized VPN rule entry;
    a key information extraction module, configured to receive an access request sent by a user terminal and extract key information from the access request; and
    a matching module, configured to match the key information against the configured VPN rule entry.
  14. A communication device, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, implements the VPN rule matching method according to any one of claims 1 to 12.
  15. A computer-readable storage medium having a computer program stored thereon, wherein, when the computer program is executed by a processor, the processor implements the VPN rule matching method according to any one of claims 1 to 12.
Applications Claiming Priority (2)

Application Number | Priority Date | Filing Date | Title
CN202010514410.3A (CN113839848A) | 2020-06-08 | 2020-06-08 | VPN rule matching method, device, equipment and storage medium
CN202010514410.3 | 2020-06-08 | |

Publications (1)

Publication Number | Publication Date
WO2021249055A1 | 2021-12-16

Family

ID=78845278

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
PCT/CN2021/090535 (WO2021249055A1) | Vpn rule matching method and apparatus, and device, and storage medium | 2020-06-08 | 2021-04-28

Country Status (2)

Country | Link
CN (1) | CN113839848A
WO (1) | WO2021249055A1


Also Published As

Publication Number | Publication Date
CN113839848A | 2021-12-24


Legal Events

Date | Code | Title | Description
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 21822502; Country of ref document: EP; Kind code of ref document: A1
| NENP | Non-entry into the national phase | Ref country code: DE
| 32PN | Ep: public notification in the ep bulletin as address of the addressee cannot be established | Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205 DATED 22/05/2023)
| 122 | Ep: pct application non-entry in european phase | Ref document number: 21822502; Country of ref document: EP; Kind code of ref document: A1