CN108200086B - High-speed network data packet filtering device - Google Patents

High-speed network data packet filtering device

Info

Publication number
CN108200086B
CN108200086B (application CN201810096656.6A)
Authority
CN
China
Prior art keywords
data
filtering
packet
data packet
fragment
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810096656.6A
Other languages
Chinese (zh)
Other versions
CN108200086A (en)
Inventor
刘斌
陈玉忠
杨杰
唐召胜
马康红
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sichuan Jiuzhou Electric Group Co Ltd
Original Assignee
Sichuan Jiuzhou Electric Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Events
Application filed by Sichuan Jiuzhou Electric Group Co Ltd
Priority to CN201810096656.6A
Publication of CN108200086A
Application granted
Publication of CN108200086B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0263 Rule management
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0604 Management of faults, events, alarms or notifications using filtering, e.g. reduction of information by using priority, element types, position or time
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; post-processing of notifications

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a high-speed network data packet filtering device that distributes multi-core hardware resources across a data plane and a control plane. The control plane implements the network protocol stack, network interface management and memory management; the data plane implements capture, filtering and forwarding of data packets. The device offers efficient multi-level processing and filtering of network data packets with good real-time performance and flexibility, and addresses the low filtering efficiency found in current high-speed network application environments.

Description

High-speed network data packet filtering device
Technical Field
The invention relates to the field of computer information, in particular to a high-speed network data packet filtering device.
Background
With the continuous emergence of new network services, network interface speeds keep rising: from the earliest 1GE, through 10GE and 10G POS, to today's 40G POS and the 100GE now entering commercial deployment. The load on network switching nodes therefore grows day by day, network monitoring performance degrades, and the network becomes more vulnerable to external attacks.
Faced with ever higher network speeds, some traditional network data filtering schemes based on application-specific integrated circuits (ASICs) and general-purpose processors (GPPs) can reach a high processing rate, but most such products use single-threaded (single-process) processing and struggle to meet the security protection and flexibility requirements of a high-speed network environment. In recent years, multi-core network processors (multi-core NPs) based on application-specific instruction-set processor (ASIP) technology, introduced by several chip vendors, integrate multiple network processing cores on a single chip together with dedicated hardware acceleration engines. For example, the Cavium Octeon series integrates acceleration units for TCP/IP, PIP/IPD (packet input), PKO (packet output), DFA (deterministic finite automaton pattern matching), DMA and security (cryptographic) processing, and so provides a new platform for network data packet processing.
Existing network data packet filtering methods have a narrow range of applicability: their filtering algorithms are complex and inefficient, and each is usually tailored to one particular condition.
Existing network packet filtering products are not compatible with one another and need improvement in hardware processing capability, identification capability, flexibility, real-time performance, throughput and so on. In general, the following points need to be improved:
First, in a high-speed network environment the system architecture of the filtering device needs further improvement. An ASIC lacks the flexibility to keep up with rapidly changing network applications, while a general-purpose computing architecture may introduce delay and packet loss when processing large traffic volumes.
Second, online full-traffic monitoring and filtering is not performed in real time. Some current devices detect traffic through out-of-band full mirroring or traffic splitting, which is inflexible and cannot process data quickly in real time. Other systems use serial inline detection, but because the hardware platform lacks computing capacity and there is no fault bypass mechanism, data is delayed and lost, system throughput drops, and reliability and robustness suffer.
Third, the filtering strategy is simplistic, inefficient and covers too few protocol layers. Filtering is based on single IP addresses, single data packets and five-tuple rules; no state is kept across related packets, and session tracking, fragment tracking and deep packet inspection (DPI) are not considered together. Analysis and filtering usually stop at the network and transport layers, without full-coverage filtering of layers L2 to L7 of the ISO reference model (ISO/RM).
Disclosure of Invention
The invention provides a high-speed network data packet filtering device with efficient multi-level processing and filtering of network data packets, good real-time performance and flexibility, which addresses the low filtering efficiency of current high-speed network application environments.
Through study of the prior art, the inventors found that effective filtering of large traffic volumes in a high-speed network environment requires, on top of traditional packet filtering technology, a deep analysis of packet structure and field information, the formulation of efficient filtering rules or strategies, and rule-matching detection that filters packets of both fixed and mobile networks effectively.
Further, an optimization algorithm and a filtering model are designed around the correlation between data packets on a new multi-core network processing platform and executed in parallel, which raises the filtering efficiency for network data packets.
To achieve the above object, the present application provides a high-speed network packet filtering apparatus comprising a hardware part and a software part, wherein the hardware part includes:
a processing module for filtering rule table management, application protocol identification and conversion, and data packet detection and filtering;
a main control board module for managing the whole device, handling data exchange and handling FPGA configuration;
an interface module for optical signal interface input/output and interface expansion;
The software part uses a multi-level software architecture running in a multi-core hybrid mode: multi-core hardware resources are distributed across a data plane and a control plane, where the control plane implements the network protocol stack, network interface management and memory management, and the data plane implements capture, filtering and forwarding of data packets. The device's data filtering flow has four stages: input preprocessing, data packet filtering rule detection, filtering action, and output processing.
Specifically, the data packet filtering flow is as follows. A data stream is input and preprocessed, then checked to see whether it is a single (unfragmented) data packet. If it is, the packet is matched against the fragment table, the session tracking table and the filtering rule set; on a match it is sent to the data stream queue, otherwise the default action is executed. If it is not a single data packet, the fragment flag in the packet is used to decide whether it is the first associated packet of the fragment. A packet that is not the first associated packet is sent directly to the data flow queue. The first associated packet is matched against the fragment table, the session tracking table and the filtering rule set; on a match the data flow is marked with a filter label and sent to the data flow queue, otherwise the default action is executed. Finally, the filter label of the data stream queue is checked, filtering is performed, and the filtered data stream is output.
The device has two boot groups (load sets), one for the control plane and one for the data plane. The control plane runs a user-mode simple executive program on a Linux instance through the simple executive application programming interface provided by the device, and the data plane runs a standalone simple executive program. Memory is shared between the two boot groups, and hence between the control plane and the data plane, through a named block.
The software part maintains a fragment tracking table for tracking fragmented data packets.
When a data flow hits a filtering rule that has session tracking enabled, an entry is created in the session tracking table, and subsequent messages of that flow hit the table directly and execute the same processing action.
Data packet filtering rule detection uses a hierarchical analysis method. The first layer divides the data to be processed into single data packets and associated (fragmented) data packets. The second layer checks whether an associated data packet is the first fragment; if it is, session tracking detection and filtering rule set matching are performed, and a data stream that matches a filtering rule is marked with a filter label. In the third layer, a packet that is not the first fragment enters the fragment flow queue, and the flow queue is checked for being full.
In rule detection and matching, matching proceeds step by step in order of increasing computational complexity: first on ports, then on behaviour characteristics, then on the application payload of the data stream. Pattern matching on the application payload is processed in parallel by the DFA hardware acceleration unit of the network processor. If the payload to be matched sits at a fixed offset, a preset (exact) matching mode is applied; for data at a floating (non-fixed) position, regular expression single-pattern matching or AC_NFA (Aho-Corasick NFA) multi-pattern matching is used.
In the filtering action stage the flow queue label is checked: if the flow queue carries a filter label the whole data packet is filtered, otherwise the default action is executed. This stage completes forwarding, dropping, copying, traffic diversion, traffic shaping, masking of sensitive (key) fields, or other actions on the data stream.
The output stage completes data packet header configuration and load balancing, encapsulates the packet into a data link layer frame, and sends it through the configured output interface group.
During data filtering, device logs are generated; together with important device information they are packaged into standard log data packets, which are sent to a preset log server and stored.
The device further comprises a power supply module for power management, and it performs full-coverage filtering of layers L2 to L7 of the ISO/RM protocol stack.
One or more technical solutions provided by the present application have at least the following technical effects or advantages:
Addressing the requirements of next-generation network equipment in high-speed network scenarios, and the problems and shortcomings of traditional data filtering methods in high-speed networks, the invention provides an improved data packet processing method. Through a new multi-core network processor and an integrated, optimized design of the system architecture, the parallel filtering model (PFM), the software operating mode, the processing flow and the algorithms, the device achieves efficient multi-level processing and filtering of network data packets with good real-time performance and flexibility, and addresses the low filtering efficiency of current high-speed network application environments.
The technical scheme of the invention can be applied widely in network systems such as firewalls, intrusion detection systems, intrusion prevention systems, routing and switching equipment and network monitoring, providing a high-performance data packet filtering service.
Drawings
The accompanying drawings, which are included to provide a further understanding of the embodiments of the invention and are incorporated in and constitute a part of this application, illustrate embodiments of the invention and together with the description serve to explain the principles of the invention;
FIG. 1 is a schematic diagram of the system module of the apparatus of the present invention;
FIG. 2 is a schematic diagram of the software module hierarchy and composition of the present invention;
FIG. 3 is a flow chart of packet filtering process according to the present invention.
Detailed Description
The invention provides a high-speed network data packet filtering device with efficient multi-level processing and filtering of network data packets, good real-time performance and flexibility, which addresses the low filtering efficiency of current high-speed network application environments.
In order that the above objects, features and advantages of the present invention can be more clearly understood, a more particular description of the invention will be rendered by reference to the appended drawings. It should be noted that the embodiments and features of the embodiments of the present application may be combined with each other without conflicting with each other.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention, however, the present invention may be practiced in other ways than those specifically described and thus the scope of the present invention is not limited by the specific embodiments disclosed below.
Some technical terms used in this application are explained as follows:
Five-tuple: generally refers to the source IP address, destination IP address, source port, destination port and transport layer protocol type value.
Data plane: the part of the system that processes and forwards data quickly.
Control plane: the part of the system that controls and manages the operation of all network protocols.
MIPS: Microprocessor without Interlocked Pipeline Stages, a microprocessor architecture without internal pipeline interlocks.
Addressing the shortcomings of current network data filtering, the device is built on a new multi-core network processor with a multi-core concurrent matching and detection mechanism. On the basis of traditional network packet detection and filtering techniques, it adopts a new hardware and software architecture, a parallel filtering model (PFM) and new algorithms to process network data packets efficiently, achieving a flexible filtering mechanism and accurate filtering results.
The invention provides a high-speed network filtering device and a parallel filtering processing model (PFM). The device uses a new network processor to build a capable multi-core computing platform, integrates and balances hardware and software functions, runs the high-speed part of packet processing in parallel on hardware acceleration engines, and builds a multi-level software operating mode, which reduces processing latency and removes performance bottlenecks. The parallel filtering model (PFM) for multiple flows starts from traditional pipeline technology and improves on it with a fine-grained asynchronous parallel algorithm that executes on multiple cores and threads in parallel, giving the device better throughput, speed-up, scalability and load balancing.
The device can perform full-coverage filtering, packet session tracking and fragment tracking on layers L2 to L7 of the ISO/RM protocol stack. After a packet is preprocessed, the parsing and encapsulation of frames, IP packets, TCP segments and application layer data is completed in turn at layers L2 to L7. An unfragmented single packet goes directly to filtering rule matching, fragment and session tracking checks and data flow management, while the associated packets of a fragmented datagram enter a fragment flow queue before matching. Because rules are matched before the packet enters the network protocol stack, the system overhead and delay of copying between kernel mode and user mode, fragment reassembly and re-matching are avoided, which resolves the low efficiency of existing filtering methods.
Based on a new multi-core network processor, the invention classifies network data packets into single packets and associated packets through integrated hardware and software design and balanced system design, allocates task groups to cores sensibly, and filters data with high precision, high throughput and high efficiency using the associated detection model and algorithms.
FIG. 1 shows the hardware functional modules of the system. The device hardware is designed around a multi-core network processor of the MIPS64 architecture and mainly comprises a processing module, a main control board module, an interface module and a power module, whose main functions are:
the processing module mainly implements filtering rule table management, application protocol identification and conversion, packet detection and filtering, and so on;
the main control board module is mainly responsible for whole-machine management, data exchange, FPGA configuration and so on;
the interface module provides high-speed POS/Ethernet optical interface input/output, interface expansion and so on;
the power supply module is hot-pluggable and has a redundant backup power supply module;
The interfaces between all service modules are unified, which eases interconnection, replacement and upgrading. For example, when the capacity of the main control board must be expanded, several line and processing modules can be configured, and modules that meet the interface standard can be selected according to the performance required.
FIG. 2 shows the multi-level software architecture. A high-speed network data stream filtering system needs strong data packet processing capability as well as complex control capability, so a multi-core hybrid operating mode is adopted: multi-core hardware resources are distributed across a data plane and a control plane, where the control plane implements the network protocol stack, network interface management, memory management and similar functions, and the data plane implements capture, filtering, forwarding and similar functions for data packets.
Accordingly, two boot groups (load sets) are designed, one for the control plane and one for the data plane. The control plane runs a user-mode simple executive (SE-UM) program on a Linux instance through the simple executive (SE) application programming interface provided by the device, and the data plane runs a standalone simple executive (SE-S) program. Between the two load sets, memory is shared between the control plane and the data plane through a named block (NamedBlock).
A fragment tracking table is kept in software to track fragmented data packets, so that a non-first fragment can follow the processing action decided for the first fragment. To speed up filtering of packets belonging to the same session, a session tracking table is also kept: when a data stream hits a filtering rule with session tracking enabled, an entry is created in the session tracking table, and subsequent messages execute the same processing action directly according to that entry, which reduces the number of rule matches and improves filtering efficiency.
Both the fragment tracking table and the session tracking table store the information of all data streams in a fast hash table. Each key of the table is built from parameters that differ per stream type: for TCP the key consists of four parameters, the source IP address, source port, destination IP address and destination port; for IP it consists of three parameters, the source IP address, destination IP address and protocol number. The key is hashed to an index into the table, table[index], and each table[index] points to a data stream stored in a doubly linked list.
FIG. 3 is a flow chart of the data filtering process. The process has four main stages: input preprocessing, data packet filtering rule detection, filtering action and output processing.
The input preprocessing stage mainly completes packet parsing and the related data flow table operations, and performs packet integrity checks.
Data packet filtering rule detection uses a hierarchical analysis method. The first layer divides the data to be processed into single data packets and associated (fragmented) data packets. The second layer checks whether an associated data packet is the first fragment; if it is, session tracking detection and filtering rule set matching are performed, and a data stream that matches a filtering rule is marked with a filter label. In the third layer, a packet that is not the first fragment enters the fragment flow queue, and the flow queue is checked for being full.
In rule detection and matching, matching proceeds step by step in order of increasing computational complexity, on the ports, the behaviour characteristics and the application payload of the data stream in turn. Because pattern matching on the application payload is slow, it is processed in parallel by the DFA hardware acceleration units of the network processor. Further, if the payload to be matched sits at a fixed offset, exact matching is applied; for data at a floating (non-fixed) position, regular expression single-pattern matching or AC_NFA (Aho-Corasick NFA) multi-pattern matching is used.
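The three-stage matching order described here and in the Disclosure of Invention above (ports first, then behaviour characteristics, then application payload, with exact matching for payload at a fixed offset and multi-pattern matching for payload at a floating position), as an added Python illustration that is not code from the patent or from the assignee. The rule definitions, the behaviour tags, the flow records, the verdict names and the stage counters are assumptions made for this example; a software Aho-Corasick automaton stands in for the network processor's DFA acceleration unit.

```python
# Added example (not the patent's code): rule matching staged by cost, with exact
# fixed-offset payload checks and Aho-Corasick multi-pattern search for floating payload.
from collections import deque


class AhoCorasick:
    """Multi-pattern matcher: one pass over the payload reports every pattern present."""

    def __init__(self, patterns):
        self.goto = [{}]      # state -> {byte: next state}
        self.out = [set()]    # state -> patterns that end in this state
        self.fail = [0]
        for pat in patterns:
            s = 0
            for b in pat:
                if b not in self.goto[s]:
                    self.goto.append({}); self.out.append(set()); self.fail.append(0)
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.out[s].add(pat)
        queue = deque(self.goto[0].values())      # depth-1 states fail to the root
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] |= self.out[self.fail[s]]   # inherit shorter suffix matches

    def search(self, data):
        s, found = 0, set()
        for b in data:
            while s and b not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(b, 0)
            found |= self.out[s]
        return found


class Rule:
    def __init__(self, name, ports=None, behaviour=None, fixed=None, floating=()):
        self.name = name
        self.ports = ports              # destination ports, or None for any port
        self.behaviour = behaviour      # behaviour tags that must all be present, or None
        self.fixed = fixed              # (offset, bytes) that must appear exactly there
        self.floating = set(floating)   # patterns at any position; all must be present


class StagedMatcher:
    """Cheapest test first; the payload automaton runs only for rules that survive."""

    def __init__(self, rules):
        self.rules = rules
        patterns = set().union(*(r.floating for r in rules))
        self.automaton = AhoCorasick(patterns) if patterns else None
        self.stage_hits = {"port": 0, "behaviour": 0, "payload": 0}   # flows reaching each stage

    def match(self, flow):
        """flow: {'dport': int, 'features': set of behaviour tags, 'payload': bytes}."""
        self.stage_hits["port"] += 1
        cands = [r for r in self.rules if r.ports is None or flow["dport"] in r.ports]
        if not cands:
            return None
        self.stage_hits["behaviour"] += 1
        cands = [r for r in cands if r.behaviour is None or r.behaviour <= flow["features"]]
        if not cands:
            return None
        if not any(r.fixed or r.floating for r in cands):
            return cands[0].name            # decided without touching the payload
        self.stage_hits["payload"] += 1
        found = self.automaton.search(flow["payload"]) if self.automaton else set()
        for r in cands:                     # rule order is priority order
            if r.fixed:
                off, want = r.fixed
                if flow["payload"][off:off + len(want)] != want:
                    continue
            if r.floating <= found:
                return r.name
        return None


# Constructed rule set for the example.
RULES = [
    Rule("telnet-any", ports={23}),
    Rule("http-sqli", ports={80, 8080}, behaviour={"client-to-server"},
         fixed=(0, b"GET "), floating=[b"UNION", b"SELECT"]),
    Rule("smb-header-sig", ports={445}, floating=[b"\xffSMB"]),
]


def demo():
    """Constructed flows; returns the verdicts and how many flows reached each stage."""
    m = StagedMatcher(RULES)
    verdicts = [
        m.match({"dport": 80, "features": {"client-to-server"},
                 "payload": b"GET /?q=1 UNION SELECT 1 HTTP/1.1"}),
        m.match({"dport": 80, "features": {"client-to-server"},
                 "payload": b"GET /index.html HTTP/1.1"}),
        m.match({"dport": 22, "features": set(), "payload": b"SSH-2.0-x"}),
        m.match({"dport": 80, "features": {"server-to-client"},
                 "payload": b"HTTP/1.1 200 OK UNION SELECT"}),
        m.match({"dport": 23, "features": set(), "payload": b"\xff\xfd\x18"}),
    ]
    return verdicts, m.stage_hits
```

Because every floating pattern of every rule is compiled into one automaton, the payload stage costs a single pass over the data regardless of the number of rules, which is the property the page attributes to hardware DFA matching; the per-rule fixed-offset checks are constant-time slices. In demo() only the two HTTP client flows reach the payload stage: the SSH flow is discarded at the port stage, the server-to-client flow at the behaviour stage, and the telnet flow is decided without inspecting the payload.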
In the filtering action stage the flow queue label is checked: if the flow queue carries a filter label the whole data packet is filtered, otherwise the default action is executed. In this stage the device completes forwarding, dropping, copying, traffic diversion, traffic shaping, masking of sensitive (key) fields, or other actions on the data stream.
The output stage completes data packet header configuration and load balancing, encapsulates the packet into a data link layer frame, and sends packets through the configured output interface group.
Finally, during data filtering, important information such as the parsing, dropping and forwarding of data streams, the running state of the hardware platform modules, and the creation, update and ageing of rule strategies is written to system logs, encapsulated into standard log data packets, and sent to a preset log server for storage.
The device of the application uses a new multi-core network processor, a parallel filtering processing model (PFM), a carefully designed system architecture and integrated, balanced hardware and software functions; the high-speed part of packet processing runs in parallel on hardware acceleration engines, a multi-level software operating mode is built, and full-coverage filtering of the ISO/RM L2 to L7 protocol stack is achieved, giving a flexible filtering mechanism and accurate filtering results.
The parallel filtering processing model (PFM) of the device starts from the traditional pipeline mode and improves on it so that any core of the multi-core processor can process any stage of the pipeline; it adopts a fine-grained asynchronous parallel algorithm executing on multiple cores and threads in parallel, and thus has better throughput, speed-up, scalability and load balancing.
The device has an efficient data filtering method and flow. Rules are matched before the packet enters the network protocol stack, which avoids the system overhead and delay of copying between kernel mode and user mode, fragment reassembly and re-matching. The method uses hierarchical data analysis: first, the data to be processed is divided into single data packets and associated data packets; second, for a single packet or the first packet of an associated group, session tracking detection and filtering rule set matching are performed and a data stream that matches a filtering rule is marked with a filter label, while a later fragment enters the fragment flow queue and the flow queue is checked for being full; finally, the flow queue label is checked, and if the flow queue carries a filter label the whole data packet is filtered and output, otherwise the default action is executed.
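The single-packet / first-fragment / later-fragment decision flow summarised here and in the Disclosure of Invention above, together with the hash-keyed session and fragment tracking tables from the description of FIG. 2, as an added Python illustration that is not code from the patent or from the assignee. The two rules, the constructed IPv4 packets, the action names ('forward', 'drop', 'copy'), the queue size and the handling of a fragment that arrives before its first fragment are assumptions for this example; hardware acceleration and the load-set memory sharing are out of scope.

```python
# Added example (not the patent's code): the single-packet / first-fragment / later-fragment
# flow with hash-keyed session and fragment tables. Rules, packets, action names and the
# queue size are constructed for illustration.
import socket
import struct
from collections import deque

IP_MF = 0x2000        # IPv4 "more fragments" flag
IP_OFFMASK = 0x1FFF   # 13-bit fragment offset, in 8-byte units


def build_ipv4(src, dst, proto, ident, more_frags, frag_off, payload):
    """Constructed test input: minimal 20-byte IPv4 header (checksum left 0) plus payload."""
    flags_off = (IP_MF if more_frags else 0) | (frag_off & IP_OFFMASK)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_off,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def parse_ipv4(raw):
    """Input preprocessing: integrity check, then the fields the filter keys on."""
    if len(raw) < 20:
        return None
    (ver_ihl, _tos, total_len, ident, flags_off, _ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(raw) < total_len:
        return None
    pkt = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto,
           "id": ident, "mf": bool(flags_off & IP_MF), "off": flags_off & IP_OFFMASK,
           "payload": raw[ihl:total_len]}
    # Transport ports are only present in the first fragment (offset 0) of TCP/UDP.
    if pkt["off"] == 0 and proto in (6, 17) and len(pkt["payload"]) >= 4:
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", pkt["payload"][:4])
    return pkt


def session_key(pkt):
    """Hash key as on the page: four parameters for TCP, three for plain IP."""
    if pkt["proto"] == 6 and "sport" in pkt:
        return ("tcp", pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    return ("ip", pkt["src"], pkt["dst"], pkt["proto"])


class PacketFilter:
    def __init__(self, rules, default_action="forward", max_frag_queue=64):
        self.rules = rules                  # ordered list of (predicate, action, track_session)
        self.default_action = default_action
        self.session_table = {}             # session_key -> action
        self.fragment_table = {}            # fragment key -> label set by the first fragment
        self.fragment_queue = deque()       # later fragments waiting for the action stage
        self.max_frag_queue = max_frag_queue
        self.rule_scans = 0                 # times the full rule set had to be walked

    def _detect(self, pkt):
        key = session_key(pkt)
        if key in self.session_table:       # session hit: no rule matching needed
            return self.session_table[key]
        self.rule_scans += 1
        for predicate, action, track in self.rules:
            if predicate(pkt):
                if track:
                    self.session_table[key] = action
                return action
        return None                         # no hit: caller applies the default action

    def process(self, raw):
        pkt = parse_ipv4(raw)
        if pkt is None:
            return "drop"                   # failed the integrity check
        if not (pkt["mf"] or pkt["off"]):   # single, unfragmented packet
            action = self._detect(pkt)
            return action if action is not None else self.default_action
        fkey = (pkt["src"], pkt["dst"], pkt["proto"], pkt["id"])   # shared by all fragments
        if pkt["off"] == 0:                 # first fragment decides for the whole datagram
            label = self._detect(pkt)
            self.fragment_table[fkey] = label if label is not None else self.default_action
            return self.fragment_table[fkey]
        if len(self.fragment_queue) >= self.max_frag_queue:
            return "drop"                   # fragment flow queue is full
        self.fragment_queue.append(fkey)    # later fragment: no ports, inherits the label
        # Assumption: a fragment arriving before its first fragment gets the default action.
        return self.fragment_table.get(fkey, self.default_action)


# Constructed rule set: (predicate, action, track_session).
RULES = [
    (lambda p: p["proto"] == 6 and p.get("dport") == 23, "drop", True),   # telnet, tracked
    (lambda p: p["proto"] == 1, "copy", False),                            # ICMP: forward + copy
]


def demo():
    """Drive the filter with constructed packets; returns the actions taken."""
    f = PacketFilter(RULES)
    telnet = build_ipv4("10.0.0.5", "10.0.0.9", 6, 1, False, 0, b"\x9c\x40\x00\x17" + b"\0" * 16)
    http = build_ipv4("10.0.0.5", "10.0.0.9", 6, 2, False, 0, b"\x9c\x41\x00\x50" + b"\0" * 16)
    icmp_first = build_ipv4("10.0.0.7", "10.0.0.9", 1, 77, True, 0, b"\x08\x00" + b"A" * 30)
    icmp_last = build_ipv4("10.0.0.7", "10.0.0.9", 1, 77, False, 4, b"A" * 30)
    return {
        "telnet_first": f.process(telnet),
        "telnet_again": f.process(telnet),          # answered from the session table
        "http": f.process(http),                    # no rule hit: default action
        "icmp_first_frag": f.process(icmp_first),
        "icmp_last_frag": f.process(icmp_last),     # inherits the first fragment's label
        "garbage": f.process(b"\x45\x00\x00"),
        "rule_scans": f.rule_scans,
    }
```

Running demo() shows the point of the two tables: the second telnet packet is answered from the session table without walking the rule set, and the second ICMP fragment, which carries no transport header to match on, takes the label recorded by its first fragment. Python dict lookups play the role of the page's hash table; the doubly linked list behind each bucket is left out.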
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (9)

1. A high-speed network data packet filtering device, characterized in that a data plane and a control plane are provided on the device and multi-core hardware resources are distributed across them, the control plane implementing the network protocol stack, network interface management and memory management, and the data plane implementing capture, filtering and forwarding of data packets; the data plane comprises a data packet filtering processing module whose flow is as follows: a data stream is input and preprocessed, then checked to see whether it is a single data packet; if it is, the single data packet is matched against the fragment table, the session tracking table and the filtering rule set, and on a match it is sent to the data stream queue, otherwise the default action is executed; if it is not a single data packet, the fragment flag in the packet is used to decide whether it is the first associated packet of the fragment; a packet that is not the first associated packet is sent to the data flow queue; the first associated packet of the fragment is matched against the fragment table, the session tracking table and the filtering rule set, and on a match the data flow is marked with a filter label and sent to the data flow queue, otherwise the default action is executed; finally, the filter label of the data stream queue is checked, filtering is performed, and the filtered data stream is output.
2. The high speed network packet filtering device according to claim 1, further comprising:
the processing module is used for realizing, as established in the control software, data filtering rule table management, application protocol identification and conversion, and data packet detection and filtering;
the main control board module is used for managing the whole device, processing data exchange and processing FPGA configuration;
and the interface module is used for completing the input/output of the optical signal interface and expanding the interface.
3. The high-speed network data packet filtering device according to claim 1, wherein the device is provided with two boot groups, namely a control plane and a data plane; the control plane runs an executive program in user mode on a Linux instance based on the executive application programming interface provided by the device, and the data plane runs an exclusive executable program; between the two boot groups, memory sharing between the control plane and the data plane is realized by using a named block, and the device is provided with a fragment tracking table for tracking fragmented data packets.
4. A high speed network packet filtering apparatus according to claim 1, wherein the software part is provided with a session tracking table; when a data stream hits a filtering rule with the session tracking function, an entry is created in the session tracking table, and subsequent messages directly perform the same processing action according to that entry of the session tracking table.
5. The high speed network packet filtering device according to claim 1, wherein the packet filtering rule detection adopts a hierarchical data analysis method: the first layer separates the data to be processed into single data packets and associated data packets; the second layer judges whether an associated data packet is the first one and, if so, performs session tracking detection and filtering rule set matching detection and marks a filter label on the data stream that conforms to the filtering rule; and in the third layer, if the data is not the first piece, it enters a fragment flow queue and whether the flow queue is full is judged.
6. The high-speed network data packet filtering device according to claim 5, wherein in the rule detection matching process, step-by-step matching is performed in order of computational complexity from low to high, based successively on ports, behavior characteristics and application payloads of data streams; a DFA hardware acceleration unit of the network processor is adopted to process pattern matching on the application payload in parallel; if the payload to be processed lies at a fixed offset position, a preset matching pattern is applied, and for floating processing of data at a non-fixed position, a regular expression is adopted to perform single-pattern or AC_NFA multi-pattern matching.
7. The high-speed network data packet filtering device according to claim 1, wherein in the filtering action phase the flow queue tag is checked: if the flow queue carries the filter tag, the data packet is filtered as a whole, otherwise filtering is executed according to the default action; this phase completes forwarding, dropping, copying, forking, traffic shaping, key desensitization or other actions on the data flow.
8. The apparatus as claimed in claim 1, wherein the configuration of the header information and the load balancing process are performed in the output stage, and the data packet is encapsulated into a frame at the data link layer and sent through the set output interface group.
9. The high-speed network data packet filtering device according to claim 1, wherein during data filtering a device log is generated, packaged into a standard log data packet based on the device log and important information of the device, transmitted to a preset log server and stored; the device further comprises a power supply module for power supply management of the device, and the device is particularly used for realizing full-coverage filtering processing of the ISO/RM protocol stack at layers L2-L7.
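As an added illustration of the hierarchical flow of claims 1, 4 and 5 (not code from the patent), the following Python model classifies a packet either directly or, for a fragment, once on its first associated packet, carries the resulting filter label through a flow queue, and applies it in a final filtering stage. The Packet and Rule shapes, the tuple keys used for the session and fragment tracking tables, and the deny-by-default action are constructed assumptions; rule matching is reduced to the port stage of claim 6.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple
DEFAULT_ACTION = "drop"  # constructed default behaviour: deny what no rule covers

@dataclass
class Packet:  # constructed minimal model: addresses, port and IP fragmentation fields
    src: str
    dst: str
    dport: int              # only trustworthy on a single packet or a first fragment
    frag_id: int = 0
    frag_offset: int = 0
    more_frags: bool = False
@dataclass
class Rule:
    dport: int                   # port-based match, the cheapest stage of claim 6
    action: str                  # "forward" or "drop"
    track_session: bool = False  # a hit creates a session tracking entry (claim 4)
class FilterModule:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.sessions: Dict[Tuple, str] = {}       # session tracking table
        self.fragments: Dict[Tuple, str] = {}      # fragment tracking table (claim 3)
        self.queue: List[Tuple[Packet, str]] = []  # data flow queue with filter label

    def _match(self, p: Packet) -> str:
        # Session table first, then the ordered rule set, else the default action.
        key = (p.src, p.dst, p.dport)
        if key in self.sessions:
            return self.sessions[key]
        hit = next((r for r in self.rules if r.dport == p.dport), None)
        if hit and hit.track_session:
            self.sessions[key] = hit.action
        return hit.action if hit else DEFAULT_ACTION

    def ingest(self, p: Packet) -> None:
        is_fragment = p.more_frags or p.frag_offset > 0
        if not is_fragment or p.frag_offset == 0:
            # Single packet or first associated fragment: classify it now.
            label = self._match(p)
            if is_fragment:
                self.fragments[(p.src, p.dst, p.frag_id)] = label
        else:
            # Non-first fragment: inherit the label decided for its first fragment.
            label = self.fragments.get((p.src, p.dst, p.frag_id), DEFAULT_ACTION)
        self.queue.append((p, label))

    def drain(self) -> List[Packet]:
        # Filtering stage: act on each queued label and return the forwarded packets.
        out = [p for p, label in self.queue if label == "forward"]
        self.queue.clear()
        return out
```

Because a non-first fragment carries no transport header, the model never port-matches it; a later fragment whose first associated packet was never seen falls to the default action, which is the failure mode the fragment tracking table exists to handle.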

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810096656.6A CN108200086B (en) 2018-01-31 2018-01-31 High-speed network data packet filtering device

Publications (2)

Publication Number Publication Date
CN108200086A CN108200086A (en) 2018-06-22
CN108200086B true CN108200086B (en) 2020-03-17

Family

ID=62591621

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant