CN101707617B - Message filtering method, device and network device - Google Patents


Info

Publication number: CN101707617B
Authority: CN (China)
Prior art keywords: message, information, address, parameter, icmp
Legal status: Expired - Fee Related
Application number: CN2009102529292A
Other languages: Chinese (zh)
Other versions: CN101707617A (en)
Inventor: 黄凯明
Current Assignee: Ruijie Networks Co Ltd
Original Assignee: Fujian Star Net Communication Co Ltd
Application filed by Fujian Star Net Communication Co Ltd
Priority to CN2009102529292A
Publication of CN101707617A
Application granted
Publication of CN101707617B

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a message filtering method, device and network device. The method comprises the following steps: according to a received message, acquiring first information containing the source IP address, destination IP address, protocol type, first parameter and second parameter of the message, and a first identifier indicating the property of the source IP address; conducting discretization processing on the first information to generate a first index value; separately matching the first information and the first identifier with the information in all flow records in a data flow table that correspond to the first index value; when no flow record containing the first information and the first identifier is matched, establishing the flow record that the message belongs to; when a flow record containing the first information and the first identifier is matched, judging the legality of the message according to the connection state information in that flow record, and filtering the message. The message filtering method, device and network device reduce the routing-table queries performed during message filtering and improve the message forwarding performance of a firewall.

Description

Message filtering method, device and network device
Technical field
The embodiments of the invention relate to firewall technology, and in particular to a message filtering method, device and network device.
Background technology
As an important network protection device, a firewall is widely deployed at many points in a network to filter the messages (packets) exchanged between an internal network and an external network and to intercept malicious attacks. A firewall filters messages by tracking the whole message exchange and judging the legitimacy of each exchanged message within a certain context, rather than on the basis of a single message alone. To record the context of an exchange, the firewall creates a "flow" for the messages of that exchange, and organizes and manages flows in the form of a flow table.
Usually the elements of a flow record consist only of the five-tuple of source Internet Protocol (IP) address, destination IP address, protocol type, source port and destination port, and message filtering is completed on the basis of this five-tuple. However, with the rapid development of the Virtual Private Network (VPN), Virtual Routing Forwarding (VRF) technology was introduced to isolate different VPN users and solve the address overlap problem. VRF divides one router into multiple virtual routers, each with its own routing table, forwarding table and corresponding interfaces; one router can therefore maintain one or more VRFs, distinguished by VRF identifiers. In some application environments the VRF static route is extended so that the next hop is configured as an outgoing interface in another VRF, realizing cross-VRF routing, and the five-tuple filtering mode above is then no longer suitable.
In cross-VRF routing mode, when the firewall receives a message, in order to judge whether the message is legal it must extract the source IP, destination IP, protocol type, source port and destination port from the message header, obtain the VRF of the source IP from the attribute value of the firewall interface, and obtain the VRF of the destination IP by querying the routing table; that is, it obtains a seven-tuple: source IP, VRF of the source IP, destination IP, VRF of the destination IP, protocol type, source port and destination port. A hash (HASH) operation over the seven-tuple finds the mapping position of the message in the flow table according to the HASH result. The seven-tuple of the message is then matched one by one with the seven-tuple of each flow record at that mapping position of the flow table. If one of them matches, the flow the message belongs to exists, and the message is further judged to determine its legitimacy; if none matches, and the message meets the conditions for creating a new connection, a flow is created for the message and hung at the corresponding position of the flow table index, to record the connection the message belongs to.
In the course of realizing the invention, the inventor found at least the following problem in the prior art: after the firewall receives each message, in obtaining the seven-tuple to confirm whether the "flow" record the message belongs to exists, it must obtain the VRF of the destination IP by looking up the routing table. Routing-table lookup is a relatively time-consuming operation, and frequent routing-table queries affect the speed at which the firewall forwards messages and reduce its forwarding performance.
Summary of the invention
The embodiments of the invention provide a message filtering method, device and network device, to overcome the defect of frequent routing-table queries when a firewall filters messages in the prior art and to improve the message forwarding performance of the firewall.
The embodiments of the invention provide a message filtering method, comprising:
according to a received message, obtaining first information and a first identifier, where the first information comprises the source IP address, destination IP address, protocol type, first parameter and second parameter of the message, and the first identifier is the identifier of the virtual routing forwarding (VRF) the source IP address belongs to;
performing discretization processing on the first information to generate a first index value;
in each flow record corresponding to the first index value in the data flow table, matching the first information and the first identifier respectively with the information in each flow record;
when no flow record comprising the first information and the first identifier is matched, creating a new flow record corresponding to the first index value, used to record connection state information; recording the first information and the first identifier in the new flow record; and recording in the new flow record the identifier of the VRF the destination IP address belongs to, obtained by querying the routing table of the VRF the source IP address belongs to according to the first information and the identifier of that VRF;
when a flow record comprising the first information and the first identifier is matched, judging the legitimacy of the message according to the connection state information in the matched flow record, and performing filtering processing on the message.
The embodiments of the invention provide a message filtering device, comprising:
an acquisition module, used to obtain first information and a first identifier according to a received message, where the first information comprises the source IP address, destination IP address, protocol type, first parameter and second parameter of the message, and the first identifier is the identifier of the VRF the source IP address belongs to;
a generation module, used to perform discretization processing on the first information and generate a first index value;
a matching module, used to match, in each flow record corresponding to the first index value in the data flow table, the first information and the first identifier respectively with the information in each flow record;
a creation module, used, when no flow record comprising the first information and the first identifier is matched, to create a new flow record corresponding to the first index value for recording connection state information, to record the first information and the first identifier in the new flow record, and to record in the new flow record the identifier of the VRF the destination IP address belongs to, obtained by querying the routing table of the VRF the source IP address belongs to according to the first information and the identifier of that VRF;
a processing module, used, when a flow record comprising the first information and the first identifier is matched, to judge the legitimacy of the message according to the connection state information in the matched flow record and to perform filtering processing on the message.
The embodiments of the invention provide a network device comprising the message filtering device provided by the embodiments of the invention.
In the message filtering method, device and network device of the embodiments of the invention, the mapping position of a message in the data flow table is obtained from the source IP address, destination IP address, protocol type, first parameter and second parameter of the message; the source IP address, destination IP address, protocol type, first parameter, second parameter and the identifier of the VRF of the source IP address are matched with the information in each flow record at the mapping position, and the message is filtered according to the matching result. Because the technical scheme of the embodiments does not need the identifier of the VRF of the destination IP address in the matching process, no routing-table query is needed, which saves firewall processing time: message filtering is achieved while overcoming the frequent routing-table queries of the prior art, and the message forwarding performance of the firewall is improved.
Description of drawings
To illustrate the embodiments of the invention or the technical schemes of the prior art more clearly, the drawings required for the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the invention, and those of ordinary skill in the art can obtain other drawings from them without creative work.
Fig. 1 is the flow chart of the message filtering method provided by embodiment one of the invention;
Fig. 2A is the flow chart of sending a TCP message in the message filtering method provided by embodiment two of the invention;
Fig. 2B is the flow chart of receiving a response message in the message filtering method provided by embodiment two of the invention;
Fig. 3 is the structural diagram of the message filtering device provided by embodiment three of the invention.
Embodiments
To make the purpose, technical scheme and advantages of the embodiments of the invention clearer, the technical scheme of the embodiments is described clearly and completely below in combination with the drawings. Obviously, the described embodiments are some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the invention, without creative work, fall within the protective scope of the invention.
Embodiment one
Fig. 1 is the flow chart of the message filtering method provided by embodiment one of the invention. The executing agent of this embodiment is a firewall. As shown in Fig. 1, the message filtering method of this embodiment comprises:
Step 11: according to a received message, obtain first information and a first identifier, where the first information comprises the source IP address, destination IP address, protocol type, first parameter and second parameter of the message, and the first identifier is the identifier of the VRF the source IP address belongs to;
Here, after receiving the message the firewall obtains the first information from the message header, and obtains the first identifier, i.e. the identifier of the VRF of the source IP address, from the attribute value of the firewall interface on which the message was received.
Step 12: perform discretization processing on the first information to generate a first index value;
Step 13: in each flow record corresponding to the first index value in the data flow table, match the first information and the first identifier respectively with the information in each flow record;
This step judges whether the flow record corresponding to the message exists: if it does not exist, step 14 is executed; if it exists, step 15 is executed. The first information and the first identifier form the six-tuple of the message. The information recorded in each flow record includes at least the first information, the first identifier and the connection state information of the corresponding session connection; the connection state information changes as the session connection changes.
Step 14: when no flow record comprising the first information and the first identifier is matched, create a new flow record corresponding to the first index value, used to record connection state information; record the first information and the first identifier in the new flow record; and record in the new flow record the identifier of the VRF the destination IP address belongs to, obtained by querying the routing table of the VRF of the source IP address according to the first information and the identifier of that VRF;
This step is used when the flow record corresponding to the message does not exist: once it is determined that the message meets the conditions for creating a new connection, the flow record of the message is created to record the connection the message belongs to.
Step 15: when a flow record comprising the first information and the first identifier is matched, judge the legitimacy of the message according to the connection state information in the matched flow record, and perform filtering processing on the message.
Specifically, the legitimacy of the message is judged from the recorded context of the message: if the message is legal, the firewall forwards it; if it is illegal, the firewall may discard it.
In the message filtering method of this embodiment, discretization processing of the first information of a message maps different messages into the data flow table; the first information and first identifier of the message are matched with each flow record corresponding to the mapping position to determine whether the flow record the message belongs to exists, and the message is then filtered according to the matching result. In the technical scheme of this embodiment, obtaining the six-tuple of a message does not require a routing-table query; compared with the prior art, the number of routing-table queries is reduced and the forwarding performance of the firewall is improved.
For different IP messages, the first information in the technical scheme of the invention has different contents, specifically as follows:
For Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) messages, the first information is the usual message five-tuple: source IP address, destination IP address, protocol type, source port (corresponding to the first parameter) and destination port (corresponding to the second parameter). For Internet Control Message Protocol (ICMP) messages, the first information is specifically the source IP address, destination IP address and protocol type, the ICMP message identifier (ICMP_Id) of the message (corresponding to the first parameter), and the combination of the first ICMP message type (ICMP_Type) and the ICMP message code field (ICMP_Code) of the message (corresponding to the second parameter). For messages of other protocol types, the first information is the source IP address, destination IP address, protocol type, first parameter and second parameter, with the first parameter and the second parameter set to 0.
Specifically, the data flow table in the technical scheme of the invention organizes and manages the flow records; by means of discretization processing, the flow record corresponding to each message is distributed in the data flow table for management. The first index value represents the position to which the message is mapped in the data flow table, i.e. the storage position in the data flow table of the flow record corresponding to the message. This embodiment performs discretization processing on messages by a HASH algorithm; for TCP or UDP messages the concrete procedure is as follows:
Take the first information as the input of the HASH operation and discretize it, obtaining a first operation result, i.e. a HASH operation result; then swap the source IP address and source port in the first information with the destination IP address and destination port respectively; take the swapped first information as the input of the HASH operation and discretize it, obtaining a second operation result, i.e. a HASH operation result; XOR the first operation result with the second operation result to generate the first index value.
Further, the technical scheme of the invention also provides a method of discretization processing for ICMP messages. Because the ICMP message type (ICMP_Type) of an ICMP message differs from that of its response message, the second parameter differs between an ICMP message and its response, so the first and second parameters cannot simply be swapped as for TCP or UDP messages. The method of discretization processing for ICMP messages provided by the embodiments of the invention is specifically:
Discretize the first information by a hash operation to obtain a third operation result; according to the first ICMP message type in the first information, query the ICMP message mapping table to obtain a second ICMP message type, and generate second information; discretize the second information by a hash operation to obtain a fourth operation result; XOR the third operation result with the fourth operation result to generate the first index value. Here the second information comprises the destination IP address, source IP address, protocol type, ICMP message identifier, and the combination of the second ICMP message type and the ICMP message code field. The first ICMP message type and the second ICMP message type represent the type of the message of the originating end and of the responder's message in the connection procedure.
The correspondence between the first ICMP message type and the second ICMP message type is illustrated below. For example, if the first ICMP message type corresponds to the ICMP echo message (ICMP_ECHO), the second ICMP message type corresponds to the echo reply message (ICMP_ECHO_REPLY); conversely, if the first ICMP message type corresponds to ICMP_ECHO_REPLY, the second corresponds to ICMP_ECHO. If the first ICMP message type corresponds to the ICMP address request message (ICMP_ADDRESS), the second corresponds to the ICMP address reply (ICMP_ADDRESS_REPLY); conversely, if the first corresponds to ICMP_ADDRESS_REPLY, the second corresponds to ICMP_ADDRESS.
For messages of other protocol types, because the first and second parameters in the first information are 0, the discretization method for TCP or UDP messages provided by this embodiment can be used for the discretization processing.
Because the HASH result of the HASH algorithm stays constant when the input parameters at the specified positions are swapped, mapping different messages into the data flow table by this HASH algorithm guarantees that the messages exchanged in a connection procedure are mapped to the same position; this embodiment adopts the algorithm above to further guarantee that the exchanged messages map to the same position, which ensures the accuracy of the subsequent matching process.
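As an added example (my code, not the patent's), the index computation of embodiment one in Python: the HASH-XOR over the first information and its swapped form for TCP, UDP and other protocols, and the ICMP variant that substitutes the peer ICMP type from the mapping table instead of swapping the parameters. SHA-256 stands in for the unspecified HASH function; TABLE_SIZE, the numeric ICMP type values and the self-mapping of unlisted ICMP types are assumptions.

```python
import hashlib
import ipaddress
import struct

PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
# ICMP type values (IANA-assigned), used to build the ICMP message mapping table.
ICMP_ECHO_REPLY, ICMP_ECHO = 0, 8
ICMP_ADDRESS, ICMP_ADDRESS_REPLY = 17, 18

# Mapping table of ICMP message types: first ICMP type -> second (peer) type.
ICMP_PEER_TYPE = {
    ICMP_ECHO: ICMP_ECHO_REPLY, ICMP_ECHO_REPLY: ICMP_ECHO,
    ICMP_ADDRESS: ICMP_ADDRESS_REPLY, ICMP_ADDRESS_REPLY: ICMP_ADDRESS,
}

TABLE_SIZE = 4096  # assumed number of positions in the data flow table


def icmp_param2(icmp_type, icmp_code):
    """Second parameter of an ICMP message: the combination of ICMP_Type and ICMP_Code."""
    return (icmp_type << 8) | icmp_code


def hash_op(src, dst, proto, p1, p2):
    """One HASH operation over a 'first information' tuple.

    The patent does not fix the hash function; SHA-256 truncated to 32 bits is a
    stand-in (assumption). On its own this is NOT symmetric: swapping src/dst
    (and the two parameters) gives a different result, which is why the XOR step exists.
    """
    key = (ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
           + struct.pack("!BHH", proto, p1, p2))
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big")


def flow_index(src, dst, proto, p1=0, p2=0):
    """First index value (position in the data flow table) for one message.

    TCP/UDP and other protocols: HASH(first info) XOR HASH(swapped first info),
    so a message and its reply land on the same position.
    ICMP: the reply carries a different ICMP_Type, so instead of swapping the
    parameters the second information uses the peer type from the mapping table.
    """
    first = hash_op(src, dst, proto, p1, p2)
    if proto == PROTO_ICMP:
        icmp_type, icmp_code = p2 >> 8, p2 & 0xFF
        # Types without a listed peer map to themselves (assumption: the patent only
        # lists the ECHO and ADDRESS pairs), so such a message still gets a stable slot.
        peer_type = ICMP_PEER_TYPE.get(icmp_type, icmp_type)
        second = hash_op(dst, src, proto, p1, icmp_param2(peer_type, icmp_code))
    else:
        # "Other protocol types" arrive here with p1 == p2 == 0 and work the same way.
        second = hash_op(dst, src, proto, p2, p1)
    return (first ^ second) % TABLE_SIZE


if __name__ == "__main__":
    # Constructed example: TCP from 192.168.100.11:40000 to 192.168.200.22:80 and its reply.
    m = flow_index("192.168.100.11", "192.168.200.22", PROTO_TCP, 40000, 80)
    n = flow_index("192.168.200.22", "192.168.100.11", PROTO_TCP, 80, 40000)
    print("TCP message and reply share a position:", m == n)
    e = flow_index("192.168.100.11", "192.168.200.22", PROTO_ICMP, 0x1234, icmp_param2(ICMP_ECHO, 0))
    r = flow_index("192.168.200.22", "192.168.100.11", PROTO_ICMP, 0x1234, icmp_param2(ICMP_ECHO_REPLY, 0))
    print("ICMP echo and echo reply share a position:", e == r)
```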
The following embodiment of the invention takes a TCP message as an example to further elaborate the technical scheme of the invention.
Embodiment two
Fig. 2 A is the flow chart that sends the TCP message in the message filtering method that provides of the embodiment of the invention two, and Fig. 2 B is the flow chart that receives response message in the message filtering method that provides of the embodiment of the invention two.Present embodiment is the basis with embodiment one, is example with the TCP message, and through concrete reciprocal process, the VRF message filtering method in routing mode of striding that present embodiment is provided describes, and at first does following hypothesis:
Suppose to have two route instances in the fire compartment wall routing table: the first via is by instance VRF_A and secondary route instance VRF_B; And the first via is that the network address is the virtual routing forwarding of 192.168.100.0 first network by instance, and VRF_A is that next jumping of route outgoing interface of second network of 192.168.200.0 need obtain through searching the secondary route instance to the purpose network address; The secondary route instance is the virtual routing forwarding of second network, and VRF_B need be obtained by instance through searching the first via to next jumping of the route outgoing interface of purpose first network; Then the network address is that first network and the network address of 192.168.100.0 are that communication between 192.168.200.0 second network need be striden VRF and realized.
Be that first main frame IP address in second network of 192.168.100.11 is that second main frame of 192.168.200.22 sends the TCP message first with IP address in first network below; And second main frame is an example to the process that first main frame returns response message; Concrete, the message filtering method of present embodiment may further comprise the steps:
Based on above-mentioned, shown in Fig. 2 A, the process of sending the TCP message in the present embodiment may further comprise the steps:
Step 21, fire compartment wall receive first main frame to mail to the TCP message of second main frame;
Step 22, fire compartment wall are obtained the message five-tuple from the heading of this TCP message;
The message five-tuple is in this step: source IP address: 192.168.100.11, purpose IP address: 192.168.200.22, source port: Sport, destination interface: Dport and protocol type: P_TCP (Transmission Control Protocol value).
Step 23, fire compartment wall are obtained the sign of the VRF under source IP address: the 192.168.100.11 from the interface attributes value that receives the TCP message;
VRF in this step under the source IP address is VRF_A, and its sign is represented with identification number VRF_A_ID.
Step 24, fire compartment wall carries out the HASH computing to the message five-tuple, generates the first index value M;
Step 25, fire compartment wall matees the information in each stream record of the first index value M position in the message five-tuple of TCP message and the data stream list;
Because this TCP message is the message that sends first, the stream under this TCP message does not also exist, and therefore, fire compartment wall is created the affiliated stream record of this TCP message after confirming that this message meets the condition of creating new stream record.
Step 26, fire compartment wall are obtained the sign of the affiliated VRF of purpose IP address: 192.168.200.22 through table of query and routing, create the affiliated stream record of this TCP message, and transmit the TCP message and give second main frame; The stream of the TCP message of being set up is designated as M_TCP stream;
VRF in this step under the purpose IP address is VRF_B, and its sign is represented with identification number VRF_B_ID; Concrete; Record identification number VRF_A_ID, the identification number VRF_B_ID of the VRF under the purpose IP address and the information such as state information of this connection of the VRF under source IP address: 192.168.100.11, purpose IP address: 192.168.200.22, source port: Sport, destination interface: Dport, protocol type: P_TCP, the source IP address in the stream record under the TCP message that this step is created, wherein include the residing context environmental of follow-up mutual message in the state information.
Shown in Fig. 2 B, the process that present embodiment receives response message comprises:
Step 27, fire compartment wall receive the response message of second main frame after transmitting the TCP message;
Step 28, fire compartment wall are obtained the message five-tuple of response message from the heading of response message;
The message five-tuple is specially in this step: source IP address: 192.168.200.22, purpose IP address: 192.168.100.11, source port: Dport, destination interface: Sport and protocol type: P_TCP (Transmission Control Protocol value).
Step 29, fire compartment wall are obtained the sign of the VRF under source IP address: the 192.168.200.22 from the interface attributes value that receives response message;
VRF in this step under the source IP address is VRF_B, and its sign is represented with identification number VRF_B_ID.
Step 30, fire compartment wall carries out the HASH computing to the message five-tuple of response message, generates the second index value N;
The HASH algorithm that provides based on the embodiment of the invention one, and the parameter position is different in the message five-tuple of TCP message and response message, but the identical characteristics of parameter value can know that the first index value M that obtains through the HASH computing is identical with the second index value N.
Step 31, fire compartment wall matees the information in each stream record of the first index value M in response message and the data stream list (or second index value N) position;
Concrete, with each stream record of the first index value M position one by one after the coupling, M_TCP stream matees consistently in the message five-tuple that gets response packet and the data stream list, is specially:
The identification number VRF_B_ID of VRF under source IP address: 192.168.200.22 in the message five-tuple of response message, purpose IP address: 192.168.100.11, source port: Dport, destination interface: Sport, protocol type: P_TCP, the source IP address, respectively with the purpose IP address of M_TCP stream: the identification number VRF_B_ID of the VRF under 192.168.200.22, source IP address: 192.168.100.11, destination interface: Dport, source port: Sport, protocol type: P_TCP, the purpose IP address is consistent.
So far, fire compartment wall finds the stream record under the response message, according to the information in this stream record this response message is carried out filtration treatment then.Concrete, owing to being example, so (the Synchronize that shakes hands with the TCP message; Abbreviate as: SYN) message is current mutual initial message, and what promptly fire compartment wall was received is the SYN message, and creates the stream record under this SYN message.Can know that through the shown context environmental of SYN message it is handshake response (the Synchronize ACKnowledge Character of second response of host that subsequent packet only allows; Abbreviate as: SYNACK) message, or the SYN message of first main frame repeating transmission; If the non-SYN message of first main frame, or the non-SYNACK message of second main frame all think illegal.For the other types message, like FIN (FINish; Abbreviate as: FIN) message, ACK (ACKnowledge; Abbreviate as: ACK) message etc. also is to decide what to use through context environmental.
This response message of present embodiment hypothesis is the SYNACK message, and promptly legal, then the fire compartment wall execution in step 32.
Step 32, fire compartment wall is transmitted to first main frame with response message.
Determined the sign of the VRF under source IP address, purpose IP address, the source IP address and wherein known any three of the sign of the VRF under the purpose IP address can confirm the 4th owing to stride the VRF routing mechanism; Therefore; Technical scheme of the present invention utilizes hexa-atomic group of message and stream record to mate, and can obtain matching result identical when utilizing message seven tuples to mate.And can know by said process; Technical scheme of the present invention is routing table of inquiry when creating the stream record only, and the forwarding of subsequent packet no longer needs table of query and routing, has reduced the number of times of fire compartment wall table of query and routing; Make fire compartment wall to E-Packet fast, improved the performance that fire compartment wall E-Packets.
Based on the above technical solution, the performance of the technical solution of the present invention is further described by comparison, as follows:
If the five-tuple of a TCP message together with the identification of the VRF under its source IP address, namely source IP address 192.168.100.11, destination IP address 192.168.200.22, source port Sport, destination port Dport, protocol type P_TCP and the identification number VRF_A_ID of the VRF under the source IP address, is taken as the input of the HASH operation, a first index value M is obtained, and the flow record of the TCP message is created at the position corresponding to the first index value M;
When the response message is matched, the five-tuple of the response message together with the identification of the VRF under its source IP address, namely source IP address 192.168.200.22, destination IP address 192.168.100.11, source port Dport, destination port Sport, protocol type P_TCP and the identification number VRF_B_ID of the VRF under the source IP address, is taken as the input of the HASH operation, and a second index value N is obtained;
Because the inputs of the two HASH operations differ (the identification number VRF_A_ID of the VRF under the source IP address of the TCP message differs from the identification number VRF_B_ID of the VRF under the source IP address of the response message), the first index value M differs from the second index value N, so the response message cannot match the correct M_TCP flow; according to the specific communication rules, the firewall may discard this message as an invalid message, so that the first host cannot receive the response message of the second host.
From the above analysis it can be seen that the present invention, by taking the five-tuple as the input of the HASH operation and mapping messages into the data flow table for management in this way, ensures that the messages exchanged during a connection can correctly match the flow record they belong to.
In addition, in the technical solutions provided by the above embodiments, the firewall may also periodically run an aging procedure for the data flow table, i.e. remove flow records that are invalid (no message activity within a specified length of time) or whose connection has been closed, so as to avoid the situation in which the storage of the data flow table is full and new flow records can no longer be recorded.
Embodiment three
Fig. 3 is a schematic structural diagram of the packet filtering device provided by embodiment three of the present invention. The packet filtering device of this embodiment may be provided independently and connected to a routing device in the network, or may be arranged inside the routing device, according to actual needs. As shown in Fig. 3, the filtering device of this embodiment comprises: an acquisition module 31, a generation module 32, a matching module 33, a creation module 34 and a processing module 35.
The acquisition module 31 is used to obtain the first information and the first identification according to the received message. Specifically, the acquisition module 31 obtains the first information from the message header; the first information comprises the source IP address, destination IP address, protocol type, first parameter and second parameter of the message, collectively called the five-tuple, where the first parameter and the second parameter may differ according to the specific IP message. The acquisition module 31 obtains the first identification, i.e. the identification of the VRF under the source IP address, from the attribute value of the interface of the packet filtering device on which the message was received.
The generation module 32 is used to perform discretization processing on the first information obtained by the acquisition module 31 and to generate the first index value. The discretization processing maps different messages into the data flow table for management, so that one connection corresponds to one flow record, i.e. all messages belonging to the same connection belong to one flow record.
The matching module 33 is used to match the six-tuple of the received message against the information in each flow record of the data flow table corresponding to the first index value, so as to judge whether the flow record of this message exists; the six-tuple consists of the first information and the first identification.
The creation module 34 is used to create the flow record of the message when the matching module 33 does not match a flow record containing the six-tuple, and to record in the created flow record the six-tuple and the VRF under the destination IP address obtained by querying the routing table according to the six-tuple. This flow record is used to record the connection state information of this connection; the context for subsequent messages is recorded in the connection state information of the flow record.
The processing module 35 is used, when the matching module 33 matches a flow record containing the six-tuple, to judge the legality of the message according to the connection state information in the matched flow record and to filter the message according to the judgement result; for example, if the message is legal it is forwarded, and if the message is illegal it is discarded.
The packet filtering device of this embodiment, through the generation module, matching module, creation module and processing module, performs discretization processing on the five-tuple (i.e. the first information) to map different messages into the data flow table, matches the six-tuple of each flow record corresponding to the mapped position to determine whether the flow record of the message exists, and thereby filters the message. In the technical solution of this embodiment, obtaining the six-tuple of the message does not require querying the routing table; compared with the prior art, the number of routing table queries is reduced and the forwarding performance of the firewall is improved.
Further, the packet filtering device also comprises a removal module, used to periodically run an aging procedure that purges from the data flow table the flow records that are invalid or whose connection has been closed, so as to avoid the situation in which the storage of the data flow table is full and new flow records can no longer be stored.
Specifically, the acquisition module 31 comprises a first acquisition unit 311 used to obtain the first information and a second acquisition unit 312 used to obtain the first identification.
If the received message is a TCP or UDP message, the first information comprises the source IP address, destination IP address, protocol type, source port and destination port of the message, i.e. the commonly used message five-tuple. Correspondingly, the generation module 32 comprises: a first processing unit 321, used to perform discretization processing on the first information by a hash operation to obtain a first operation result; a swapping unit 322, used to swap the source IP address and the source port of the first information with the destination IP address and the destination port respectively; a second processing unit 323, used to perform discretization processing on the swapped first information by a hash operation to obtain a second operation result; and a generation unit 324, used to XOR the first operation result with the second operation result to generate the first index value.
If the received message is an ICMP message, the first information comprises the source IP address, destination IP address, protocol type and ICMP message identification of the message, and the combination of the first ICMP message type and the ICMP message code field. Correspondingly, the generation module 32 may comprise a third processing unit, a query generation unit and a fourth processing unit. Because the principle and the connection relationship of these units are similar to those of the units that handle TCP or UDP, they are not shown in the structural diagram of this embodiment.
Specifically, the third processing unit is used to perform discretization processing on the first information by a hash operation to obtain a third operation result; the query generation unit is used to query the ICMP message mapping table according to the first ICMP message type in the first information, obtain the second ICMP message type, and generate second information, the second information comprising the destination IP address, source IP address, protocol type and ICMP message identification, and the combination of the second ICMP message type and the ICMP message code field; the fourth processing unit obtains the fourth operation result from the second information in the same way; and the generation unit is further used to XOR the third operation result with the fourth operation result to generate the first index value. The first ICMP message type and the second ICMP message type respectively represent the type of the originating-end message and the type of the responding-end message in the connection process.
The above technical solution has specifically described the method by which the embodiments of the present invention generate the first index value and the specific structure of the device that implements this method.
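As an added example that is not the patent's own code, the following Python sketch implements the index generation of embodiment three for both TCP/UDP and ICMP messages, together with the six-tuple flow-record matching and the single routing table query described in the comparison above. The hash function, the contents of the ICMP mapping table, the addresses, VRF names, ports and the TCP context rules are all assumptions.

```python
# Added example, not code from the patent: a flow table keyed by the
# direction-independent first index value and matched on the six-tuple
# (five-tuple plus source VRF). Addresses, VRF names, ports, the hash
# function, mapping table contents and TCP rules are constructed.
import hashlib

TABLE_SIZE = 1024
P_ICMP, P_TCP, P_UDP = 1, 6, 17

# ICMP mapping table (assumed contents): originating type <-> responder type
_PAIRS = {8: 0, 13: 14, 15: 16, 17: 18}
ICMP_PEER_TYPE = {**_PAIRS, **{v: k for k, v in _PAIRS.items()}}

def hash_op(*fields):
    """The 'Hash operation' of claims 4 and 6; the patent fixes no function,
    so a truncated SHA-256 is assumed. The VRF identification is deliberately
    not an input: the description's comparison shows that hashing it breaks
    the match between a message and its response."""
    data = "|".join(map(str, fields)).encode()
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def response_form(src, dst, proto, p1, p2):
    """Five-tuple the response to this message carries: addresses swapped
    and, for TCP/UDP, ports swapped (claim 4); for ICMP the identifier is
    kept and the type replaced by its peer from the mapping table, which
    yields the 'second information' of claim 6."""
    if proto == P_ICMP:
        icmp_type, code = p2
        return (dst, src, proto, p1, (ICMP_PEER_TYPE[icmp_type], code))
    return (dst, src, proto, p2, p1)

def first_index(five):
    """hash(first information) XOR hash(second information): identical for
    a message and its response, so both map to the same bucket."""
    return (hash_op(*five) ^ hash_op(*response_form(*five))) % TABLE_SIZE

class FlowRecord:
    def __init__(self, five, src_vrf, dst_vrf, state):
        self.five, self.src_vrf, self.dst_vrf, self.state = five, src_vrf, dst_vrf, state

    def direction(self, five, vrf):
        """'fwd' for the originator's six-tuple, 'rev' for the responder's
        (the destination VRF stored at creation makes the reverse match
        possible without another routing lookup), else None."""
        if (five, vrf) == (self.five, self.src_vrf):
            return "fwd"
        if (five, vrf) == (response_form(*self.five), self.dst_vrf):
            return "rev"
        return None

# Assumed TCP context rules: (state, direction, flags) -> next state
_TCP_RULES = {
    ("SYN_SENT", "fwd", "SYN"): "SYN_SENT",        # retransmitted SYN
    ("SYN_SENT", "rev", "SYNACK"): "SYN_RCVD",
    ("SYN_RCVD", "fwd", "ACK"): "ESTABLISHED",
    ("ESTABLISHED", "fwd", "ACK"): "ESTABLISHED",
    ("ESTABLISHED", "rev", "ACK"): "ESTABLISHED",
}

class Firewall:
    def __init__(self, route_table):
        # route_table[src_vrf][dst_ip] -> VRF under the destination (assumed shape)
        self.route_table = route_table
        self.buckets = [[] for _ in range(TABLE_SIZE)]
        self.route_lookups = 0

    def handle(self, five, in_vrf, flags=None):
        """five = (src, dst, proto, p1, p2); in_vrf is read from the ingress
        interface attribute (the first identification). Returns a verdict."""
        bucket = self.buckets[first_index(five)]
        for rec in bucket:                       # six-tuple match
            d = rec.direction(five, in_vrf)
            if d is None:
                continue
            if five[2] != P_TCP:
                return "forward"                 # UDP/ICMP: flow known
            new_state = _TCP_RULES.get((rec.state, d, flags))
            if new_state is None:
                return "drop"                    # illegal in this context
            rec.state = new_state
            return "forward"
        if five[2] == P_TCP and flags != "SYN":
            return "drop"                        # a TCP flow opens with SYN
        # no record yet: the only routing table query, made once per flow
        self.route_lookups += 1
        dst_vrf = self.route_table[in_vrf][five[1]]
        bucket.append(FlowRecord(five, in_vrf, dst_vrf, "SYN_SENT"))
        return "forward"
```

A SYNACK arriving from an interface whose VRF differs from the recorded destination VRF fails the six-tuple match and, lacking a SYN, is dropped rather than matched to the wrong flow.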
Embodiment four
Embodiment four of the present invention provides a network device, and this embodiment can be implemented on the basis of the above embodiments. Specifically, the network device comprises the packet filtering device provided by the above embodiments, and the packet filtering device filters messages using the message filtering method provided by the above embodiments. For example, the network device of this embodiment may be a firewall device, or a routing device with a firewall function.
Since the network device provided by this embodiment is based on the above message filtering method and packet filtering device, it likewise reduces the number of routing table queries during message filtering, so the network device can forward messages quickly and its forwarding performance is improved.
Those of ordinary skill in the art will appreciate that all or part of the steps implementing the above method embodiments can be accomplished by program instructions controlling the relevant hardware; the program can be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments; the storage medium includes various media capable of storing program code, such as ROM, RAM, magnetic disk or optical disc.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention and not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (13)

1. A message filtering method, characterized in that it comprises:
obtaining first information and a first identification according to a received message, the first information comprising a source IP address, a destination IP address, a protocol type, a first parameter and a second parameter of the message, and the first identification being the identification of the virtual routing forwarding under the source IP address;
performing discretization processing on the first information to generate a first index value;
matching the first information and the first identification respectively against the information in each flow record of the data flow table corresponding to the first index value;
when no flow record containing the first information and the first identification is matched, creating a new flow record corresponding to the first index value for recording connection state information, recording the first information and the first identification in the new flow record, and recording in the new flow record the identification of the virtual routing forwarding under the destination IP address, obtained by querying the routing table according to the first information and the identification of the virtual routing forwarding under the source IP address;
when a flow record containing the first information and the first identification is matched, judging the legality of the message according to the connection state information in the matched flow record, and filtering the message.
2. The message filtering method according to claim 1, characterized in that obtaining the first information and the first identification according to the received message specifically comprises:
obtaining the first information from the header of the message;
obtaining the first identification from the attribute value of the firewall interface on which the message is received.
3. The message filtering method according to claim 1 or 2, characterized in that the message is a Transmission Control Protocol message or a User Datagram Protocol message, the first parameter is the source port of the message, and the second parameter is the destination port of the message.
4. The message filtering method according to claim 3, characterized in that performing discretization processing on the first information to generate the first index value specifically comprises:
performing discretization processing on the first information by a hash operation to obtain a first operation result;
swapping the source IP address and the first parameter in the first information with the destination IP address and the second parameter respectively;
performing discretization processing on the swapped first information by a hash operation to obtain a second operation result;
performing an XOR of the first operation result and the second operation result to generate the first index value.
5. The message filtering method according to claim 1 or 2, characterized in that the message is an ICMP message, the first parameter is the ICMP message identification, and the second parameter is the combination of the first ICMP message type and the ICMP message code field.
6. The message filtering method according to claim 5, characterized in that performing discretization processing on the first information to generate the first index value specifically comprises:
performing discretization processing on the first information by a hash operation to obtain a third operation result;
querying the mapping table of the message according to the first ICMP message type to obtain a second ICMP message type, and generating second information, the second information comprising the destination IP address, the source IP address, the protocol type, the ICMP message identification, and the combination of the second ICMP message type and the ICMP message code field;
performing discretization processing on the second information by a hash operation to obtain a fourth operation result;
performing an XOR of the third operation result and the fourth operation result to generate the first index value.
7. A packet filtering device, characterized in that it comprises:
an acquisition module, used to obtain first information and a first identification according to a received message, the first information comprising a source IP address, a destination IP address, a protocol type, a first parameter and a second parameter of the message, and the first identification being the identification of the virtual routing forwarding under the source IP address;
a generation module, used to perform discretization processing on the first information to generate a first index value;
a matching module, used to match the first information and the first identification respectively against the information in each flow record of the data flow table corresponding to the first index value;
a creation module, used, when no flow record containing the first information and the first identification is matched, to create a new flow record corresponding to the first index value for recording connection state information, to record the first information and the first identification in the new flow record, and to record in the new flow record the identification of the virtual routing forwarding under the destination IP address, obtained by querying the routing table according to the first information and the identification of the virtual routing forwarding under the source IP address;
a processing module, used, when a flow record containing the first information and the first identification is matched, to judge the legality of the message according to the connection state information in the matched flow record and to filter the message.
8. The packet filtering device according to claim 7, characterized in that the acquisition module comprises:
a first acquisition unit, used to obtain the first information from the header of the message;
a second acquisition unit, used to obtain the first identification from the attribute value of the interface of the packet filtering device on which the message is received.
9. The packet filtering device according to claim 7 or 8, characterized in that the message is a Transmission Control Protocol message or a User Datagram Protocol message, the first parameter is the source port of the message, and the second parameter is the destination port of the message.
10. The packet filtering device according to claim 9, characterized in that the generation module comprises:
a first processing unit, used to perform discretization processing on the first information by a hash operation to obtain a first operation result;
a swapping unit, used to swap the source IP address and the first parameter in the first information with the destination IP address and the second parameter respectively;
a second processing unit, used to perform discretization processing on the swapped first information by a hash operation to obtain a second operation result;
a generation unit, used to perform an XOR of the first operation result and the second operation result to generate the first index value.
11. The packet filtering device according to claim 7 or 8, characterized in that the message is an ICMP message, the first parameter is the ICMP message identification, and the second parameter is the combination of the first ICMP message type and the ICMP message code field.
12. The packet filtering device according to claim 11, characterized in that the generation module comprises:
a third processing unit, used to perform discretization processing on the first information by a hash operation to obtain a third operation result;
a query generation unit, used to query the mapping table of the message according to the first ICMP message type to obtain a second ICMP message type and to generate second information, the second information comprising the destination IP address, the source IP address, the protocol type, the ICMP message identification, and the combination of the second ICMP message type and the ICMP message code field;
a fourth processing unit, used to perform discretization processing on the second information by a hash operation to obtain a fourth operation result;
the generation unit being further used to perform an XOR of the third operation result and the fourth operation result to generate the first index value.
13. A network device, characterized in that it comprises the packet filtering device according to any one of claims 7 to 12.
CN2009102529292A 2009-12-04 2009-12-04 Message filtering method, device and network device Expired - Fee Related CN101707617B (en)


Publications (2)

Publication Number Publication Date
CN101707617A CN101707617A (en) 2010-05-12
CN101707617B true CN101707617B (en) 2012-08-15





Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: Cangshan District of Fuzhou City, Fujian province 350002 Jinshan Road No. 618 Garden State Industrial Park 19 floor

Patentee after: RUIJIE NETWORKS Co.,Ltd.

Address before: Cangshan District of Fuzhou City, Fujian province 350002 Jinshan Road No. 618 Garden State Industrial Park 19 floor

Patentee before: Fujian Star-net Ruijie Network Co.,Ltd.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120815