CN105072122A - Rapid matching classification method for data packets - Google Patents


Info

Publication number
CN105072122A
CN105072122A
Authority
CN
China
Prior art keywords
rule
priority
packet
rules
order
Prior art date
Legal status
Pending
Application number
CN201510509932.3A
Other languages
Chinese (zh)
Inventor
吴登勇
钟超群
孙超
Current Assignee
Shandong Chaoyue Numerical Control Electronics Co Ltd
Original Assignee
Shandong Chaoyue Numerical Control Electronics Co Ltd
Priority date
2015-08-19
Filing date
2015-08-19
Publication date
2015-11-18
Application filed by Shandong Chaoyue Numerical Control Electronics Co Ltd
Priority to CN201510509932.3A
Publication of CN105072122A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/0263 Rule management

Abstract

The invention discloses a rapid matching classification method for data packets. The method comprises the following steps: first, the existing rule library is classified according to a configured classifying rule, rules of the same class are compared by priority, and for repeated rules the earlier rule is deleted in favour of the later one; second, rule matching is performed within each class of rules by sequential matching combined with priority sets; and last, the corresponding command is executed according to the matched rule. With this method, the matching and filtering of data packets can be accelerated using existing matching mechanisms and algorithms, and the forwarding effect and efficiency of data packets can be improved.

Description

Rapid matching classification method for data packets
Technical field
The present invention relates to packet matching and filtering in the field of network technology, and specifically to a rapid matching classification method for data packets. It mainly provides a rule-library-based packet matching algorithm that combines a classification method with an ordered priority matching mechanism, effectively raising packet matching and filtering efficiency and greatly improving the efficiency of packet forwarding.
Background technology
Packet filtering is the basic technology of a firewall, and nearly all routers embed this function. Its general principle is to check, against an access rule list configured in advance in the system, information such as the source address, destination address, source port number, destination port number, protocol type and connection status of each packet in the data flow, and to decide on that basis whether the packet is allowed to pass. In terms of the OSI model, the packet filtering module operates between the network layer and the data link layer. The core of packet filtering is the rule list it defines: the filter checks each rule in the rule list until it finds that the information in the packet conforms to some rule. If no rule matches, the firewall applies a default rule; generally, the default rule requires the firewall to discard the packet.
Packet filtering belongs to the family of rule-based software systems. Such systems mainly use a defined set of rules to decide the next action of a program, so the function they realise depends on the correctness of all the rules and the relations between them. All the rules together form a rule base, and in general the rule base is searched linearly. When the rule base contains only a few, or a few tens of, rules the impact on network transmission performance is small, but when the number of rules exceeds 1000 performance drops sharply.
According to the structural characteristics of IP packets, the packet filtering function is realised mainly by analysing certain fields of the IP header and the TCP header. For example, a rule described in natural language might be: if (the packet is destined for network 192.168.137.73) then (let it pass). The meaning of this rule is that if a packet wants to reach network 192.168.137.73, the switch forwards it; otherwise it is discarded.
A filtering rule has the form: if (condition) then (action). Here condition is an 8-tuple {sm, dm, sa, da, sp, dp, pt, flag}, where sm is the source MAC address, dm the destination MAC address, sa the source address, da the destination address, sp the source port, dp the destination port, pt the protocol type and flag the priority; action is the action taken when the rule matches successfully, and its value is "pass" or "drop".
The packet filtering function is realised by a filtering rule set composed of a series of filtering rules; this set is called the rule table RT, better known as the ACL (Access Control List). The scale of current switches is growing, and the number of rules is no less than 1000; when so many rules are combined together, the rules contain many conflicts and repetitions.
Summary of the invention
The technical problem to be solved by the present invention is this: the traditional matching process is the simplest sequential matching, i.e. the rules are matched one by one from the 1st rule until a match succeeds. How to find the suitable matching rule faster, and so increase packet forwarding efficiency, is the problem the present invention solves.
The technical solution adopted by the present invention is:
A rapid matching classification method for data packets: first, the existing rule base is classified according to the configured classifying rule, rules of the same class are compared by priority, and for repeated rules the later one takes precedence and the earlier rule is deleted; then, within each class of rules, rule matching is carried out by sequential matching combined with priority sets; finally, the corresponding command is executed according to the matched rule.
The classifying rule divides the rules into 4 classes according to the 8-tuple: MAC address, IP address, port and protocol. If a rule satisfies several of these classes, the rule is incorporated into each such class, and its priority follows the rule;
The priority is divided into 1-255; the priority value is an integer, and the larger the value the higher the priority;
For rules of equal priority, time takes precedence: the later rule has the higher priority, and the later rule replaces the earlier rule;
If several rules differ in priority, the rule with the higher priority is selected.
The concrete operating steps of the method are as follows:
1) the continuously growing filtering rule base is divided into 4 classes according to the classifying rule and arranged in order, so that the filtering rules are ordered;
2) the matching strategy matches each filtering rule in order, compares their priorities and selects the suitable matched rule;
3) according to the matched rule obtained, the packet is passed or discarded.
The beneficial effects of the present invention are:
By adopting the method of the present invention, existing matching mechanisms and algorithms can be used to accelerate the matching and filtering of packets, effectively improving the forwarding effect and efficiency of packets.
Description of the drawings
Fig. 1 is a flow chart of a rapid matching classification method for data packets.
Embodiments
With reference to the accompanying drawings, the present invention is further described by way of embodiments:
Embodiment 1:
As shown in Figure 1, a rapid matching classification method for data packets: first, the existing rule base is classified according to the configured classifying rule, rules of the same class are compared by priority, and for repeated rules the later one takes precedence and the earlier rule is deleted; then, within each class of rules, rule matching is carried out by sequential matching combined with priority sets; finally, the corresponding command is executed according to the matched rule.
Embodiment 2:
On the basis of embodiment 1, the classifying rule described in this embodiment divides the rules into 4 classes according to the 8-tuple: MAC address, IP address, port and protocol. If a rule satisfies several of these classes, the rule is incorporated into each such class, and its priority follows the rule;
For example, if a rule is "if {*, *, 192.168.137.23, 192.168.137.73, *, *, ICMP, 100} then drop", then this rule can be an IP address rule and can also be a protocol rule. As an IP address rule it becomes "if {*, *, 192.168.137.23, 192.168.137.73, *, *, *, 100} then drop"; as a protocol rule it becomes "if {*, *, *, *, *, *, ICMP, 100} then drop";
The priority is divided into 1-255; the priority value is an integer, and the larger the value the higher the priority;
For rules of equal priority, time takes precedence: the later rule has the higher priority, and the later rule replaces the earlier rule;
If several rules differ in priority, the rule with the higher priority is selected.
Embodiment 3:
On the basis of embodiment 1 or 2, the concrete operating steps of the method described in this embodiment are as follows:
1) the continuously growing filtering rule base is divided into 4 classes according to the classifying rule and arranged in order, so that the filtering rules are ordered;
2) the matching strategy matches each filtering rule in order, compares their priorities and selects the suitable matched rule;
3) according to the matched rule obtained, the packet is passed or discarded.
The above embodiments serve only to illustrate the present invention and do not limit it; those of ordinary skill in the relevant technical field can make various changes and modifications without departing from the spirit and scope of the present invention, so all equivalent technical schemes also belong to the scope of the present invention, and the scope of patent protection of the present invention should be defined by the claims.
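The classification, merging of repeats and ordered priority matching described in the summary and in embodiments 2 and 3, worked through in Python. This is an added example and not the patent's own code. The 8-tuple layout, the wildcard "*", the 4 classes, the 1-255 priority range, the "later rule replaces earlier" rule and the default-drop rule follow the description; the sample rule library, the sample packets, the `Rule`/`classify`/`lookup`/`filter_packet` names and the tie-break between classes that match with equal priority (the later rule wins) are assumptions made here. A `linear_match` function implementing the traditional first-match scan is included for comparison.

```python
"""Rule classification and ordered priority matching for packet filtering.

Added example (not the patent's implementation). A rule uses the description's
8-tuple {sm, dm, sa, da, sp, dp, pt, flag}: the first seven fields form the
condition ('*' = any value) and flag is the priority 1-255. The sample rule
library and packets below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FIELDS = ("sm", "dm", "sa", "da", "sp", "dp", "pt")
# The 4 classes of the classifying rule and the tuple fields each one keys on.
CLASSES: Dict[str, Tuple[str, ...]] = {
    "mac": ("sm", "dm"), "ip": ("sa", "da"), "port": ("sp", "dp"), "protocol": ("pt",),
}
DEFAULT_ACTION = "drop"  # the background section's default rule: no match -> discard
Cond = Tuple[str, ...]


@dataclass(frozen=True)
class Rule:
    cond: Cond        # (sm, dm, sa, da, sp, dp, pt); '*' matches anything
    priority: int     # flag: integer 1-255, larger wins
    action: str       # "pass" or "drop"
    seq: int = 0      # arrival order in the library; later rule wins a priority tie

    def __post_init__(self) -> None:
        if len(self.cond) != len(FIELDS):
            raise ValueError("condition must have 7 fields")
        if not 1 <= self.priority <= 255:
            raise ValueError("priority must be an integer in 1-255")
        if self.action not in ("pass", "drop"):
            raise ValueError("action must be 'pass' or 'drop'")


def matches(cond: Cond, packet: Cond) -> bool:
    """Field-by-field comparison; '*' in the rule matches any packet value."""
    return all(c == "*" or c == p for c, p in zip(cond, packet))


def linear_match(rules: List[Rule], packet: Cond) -> str:
    """The traditional method: scan from the 1st rule until the first hit."""
    for rule in rules:
        if matches(rule.cond, packet):
            return rule.action
    return DEFAULT_ACTION


def classify(rules: List[Rule]) -> Dict[str, List[Rule]]:
    """Step 1: split the library into the 4 classes, merge repeats and order.

    A rule that sets fields of several classes is copied into each of them with
    the other fields wildcarded (embodiment 2); its priority follows the rule.
    """
    table: Dict[str, Dict[Cond, Rule]] = {name: {} for name in CLASSES}
    for seq, rule in enumerate(rules):
        for name, keyed in CLASSES.items():
            idx = {FIELDS.index(f) for f in keyed}
            if all(rule.cond[i] == "*" for i in idx):
                continue  # the rule says nothing about this class
            cond = tuple(rule.cond[i] if i in idx else "*" for i in range(len(FIELDS)))
            cand = Rule(cond, rule.priority, rule.action, seq)
            old = table[name].get(cond)
            # repeated condition: higher priority wins; on equal priority the
            # later rule replaces the earlier one (time priority)
            if old is None or cand.priority >= old.priority:
                table[name][cond] = cand
    # order every class by descending priority, most recent first on ties
    return {name: sorted(d.values(), key=lambda r: (-r.priority, -r.seq))
            for name, d in table.items()}


def lookup(classes: Dict[str, List[Rule]], packet: Cond) -> Optional[Rule]:
    """Step 2: sequential matching inside each class, then pick by priority."""
    best: Optional[Rule] = None
    for rules in classes.values():
        for rule in rules:  # ordered, so the first hit is this class's best
            if matches(rule.cond, packet):
                if best is None or (rule.priority, rule.seq) > (best.priority, best.seq):
                    best = rule
                break
    return best


def filter_packet(classes: Dict[str, List[Rule]], packet: Cond) -> str:
    """Step 3: pass or drop the packet according to the matched rule."""
    rule = lookup(classes, packet)
    return rule.action if rule is not None else DEFAULT_ACTION


# Constructed sample library. Rule 0 is the rule quoted in embodiment 2; rule 3
# is an exact repeat of it, the kind of repetition the background describes.
SAMPLE_RULES = [
    Rule(("*", "*", "192.168.137.23", "192.168.137.73", "*", "*", "ICMP"), 100, "drop"),
    Rule(("*", "*", "192.168.137.23", "*", "*", "*", "*"), 50, "pass"),
    Rule(("00:11:22:33:44:55", "*", "*", "*", "*", "*", "*"), 200, "drop"),
    Rule(("*", "*", "192.168.137.23", "192.168.137.73", "*", "*", "ICMP"), 100, "drop"),
    Rule(("*", "*", "*", "*", "*", "22", "*"), 150, "pass"),
]


def pkt(sa: str, da: str, sp: str, dp: str, pt: str, sm: str = "aa:aa:aa:aa:aa:aa") -> Cond:
    """Build a constructed sample packet as (sm, dm, sa, da, sp, dp, pt)."""
    return (sm, "bb:bb:bb:bb:bb:bb", sa, da, sp, dp, pt)


PKT_ICMP = pkt("192.168.137.23", "192.168.137.73", "0", "0", "ICMP")
PKT_SSH = pkt("192.168.137.23", "192.168.137.73", "40000", "22", "TCP")
PKT_HTTP = pkt("192.168.137.23", "192.168.137.73", "40001", "80", "TCP")
PKT_BADMAC = pkt("192.168.137.23", "10.0.0.9", "40002", "22", "TCP", sm="00:11:22:33:44:55")
PKT_OTHER = pkt("10.1.1.1", "10.2.2.2", "5", "6", "UDP")

if __name__ == "__main__":
    classes = classify(SAMPLE_RULES)
    for name, rules in classes.items():
        print(name, [(r.cond, r.priority, r.action) for r in rules])
    for p in (PKT_ICMP, PKT_SSH, PKT_HTTP, PKT_BADMAC, PKT_OTHER):
        print(p[2:], "linear:", linear_match(SAMPLE_RULES, p), "classified:", filter_packet(classes, p))
```

Running the block shows the two effects a practitioner should check before deploying such a classified library. The repeat (rule 3) is merged into the existing IP and protocol entries rather than stored twice, and the MAC rule with priority 200 wins over the lower-priority IP and port matches for `PKT_BADMAC`. Because each class copy wildcards the other fields, exactly as embodiment 2 shows, the copies match more traffic than the rule they came from: `PKT_HTTP` is TCP and is passed by the traditional first-match scan (the ICMP-only rule does not match it), but is dropped by the IP-class copy of the same rule. The classified library should therefore be reviewed for such widened matches, and the cross-class tie-break used here is one assumption the description leaves open.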

Claims (3)

1. A rapid matching classification method for data packets, characterized in that: first, the existing rule base is classified according to the configured classifying rule, rules of the same class are compared by priority, and for repeated rules the later one takes precedence and the earlier rule is deleted; then, within each class of rules, rule matching is carried out by sequential matching combined with priority sets; finally, the corresponding command is executed according to the matched rule.
2. The rapid matching classification method for data packets according to claim 1, characterized in that: the classifying rule divides the rules into 4 classes according to the 8-tuple: MAC address, IP address, port and protocol; if a rule satisfies several of these classes, the rule is incorporated into each such class, and its priority follows the rule;
the priority is divided into 1-255; the priority value is an integer, and the larger the value the higher the priority;
for rules of equal priority, time takes precedence: the later rule has the higher priority, and the later rule replaces the earlier rule;
if several rules differ in priority, the rule with the higher priority is selected.
3. The rapid matching classification method for data packets according to claim 1, characterized in that the concrete operating steps of the method are as follows:
1) the continuously growing filtering rule base is divided into 4 classes according to the classifying rule and arranged in order, so that the filtering rules are ordered;
2) the matching strategy matches each filtering rule in order, compares their priorities and selects the suitable matched rule;
3) according to the matched rule obtained, the packet is passed or discarded.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510509932.3A CN105072122A (en) 2015-08-19 2015-08-19 Rapid matching classification method for data packets

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510509932.3A CN105072122A (en) 2015-08-19 2015-08-19 Rapid matching classification method for data packets

Publications (1)

Publication Number Publication Date
CN105072122A true CN105072122A (en) 2015-11-18

Family

ID=54501402

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510509932.3A Pending CN105072122A (en) 2015-08-19 2015-08-19 Rapid matching classification method for data packets

Country Status (1)

Country Link
CN (1) CN105072122A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1905523A (en) * 2006-08-02 2007-01-31 华为技术有限公司 Method for implementing multi-area stream classifying
WO2011085577A1 (en) * 2010-06-28 2011-07-21 华为技术有限公司 Classification method and device for packets
CN103188231A (en) * 2011-12-30 2013-07-03 北京锐安科技有限公司 Multi-core printed circuit board access control list (ACL) rule matching method
CN104468381A (en) * 2014-12-01 2015-03-25 国家计算机网络与信息安全管理中心 Implementation method for multi-field rule matching

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108377211A (en) * 2018-01-31 2018-08-07 湖南戎腾网络科技有限公司 Dynamic rules chain type recurrence triggering method and its system based on message content perception
CN108377211B (en) * 2018-01-31 2021-06-11 湖南戎腾网络科技有限公司 Dynamic rule chain type recursion triggering method and system based on message content perception
CN109272059A (en) * 2018-12-04 2019-01-25 合肥泰禾光电科技股份有限公司 A kind of dynamic data classification method and device
CN109272059B (en) * 2018-12-04 2021-05-04 合肥泰禾光电科技股份有限公司 Dynamic data classification method and device
CN112887300A (en) * 2021-01-22 2021-06-01 北京交通大学 Data packet classification method
CN112887300B (en) * 2021-01-22 2022-02-01 北京交通大学 Data packet classification method
CN113395213A (en) * 2021-06-10 2021-09-14 哲库科技(北京)有限公司 Configuration method of routing table item, storage medium, electronic equipment and mobile terminal

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20151118