CN110620729A - Message forwarding method and device and message forwarding equipment - Google Patents


Info

Publication number
CN110620729A
Authority
CN
China
Prior art keywords
forwarding
message
fingerprint
digital identifier
rule
Prior art date
Legal status
Pending
Application number
CN201911023718.1A
Other languages
Chinese (zh)
Inventor
仇宏迪
Current Assignee
New H3C Security Technologies Co Ltd
Original Assignee
New H3C Security Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by New H3C Security Technologies Co Ltd
Priority to CN201911023718.1A
Publication of CN110620729A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/74 Address processing for routing
    • H04L45/745 Address table lookup; Address filtering
    • H04L45/7453 Address table lookup; Address filtering using hashing
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the invention provides a message forwarding method, a message forwarding apparatus and message forwarding equipment. The method comprises the following steps: when a message is received, acquiring a device fingerprint carried by the message, wherein the device fingerprint identifies the device that sent the message; acquiring a forwarding policy corresponding to the device fingerprint, wherein the forwarding policy comprises at least one rule and each rule comprises at least one matching item; and determining, among the at least one rule, a target rule whose matching items match the message characteristics of the message, and processing the message according to the target rule. Even when the IP address of a device is difficult to know in advance, the message forwarding equipment can apply different forwarding logic to messages sent by different devices through the correspondence between the device identified by the device fingerprint and the forwarding policy.

Description

Message forwarding method and device and message forwarding equipment
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method and an apparatus for forwarding a packet, and a packet forwarding device.
Background
A message forwarding device forwards messages sent by terminal devices. In some application scenarios a user may want the message forwarding device to apply different forwarding logic to messages sent by different terminal devices. For example, in a private video network some cameras may be infected by viruses; for security reasons the user does not want the message forwarding device to forward messages sent by the infected cameras, but still needs it to forward messages sent by the cameras that are not infected.
In the related art, the user configures in the message forwarding device the IP addresses of the terminal devices that are to be blocked. On receiving a message whose source address is one of the configured IP addresses, the message forwarding device does not forward it; on receiving a message whose source address is not a configured IP address, it forwards the message.
However, in some application scenarios it may be difficult for the user to know in advance the IP address of a terminal device that is to be blocked, for example because the IP address of the terminal device is allocated dynamically. In these scenarios it is difficult to configure the IP address of the terminal device to be blocked in the message forwarding device, so the above scheme is difficult to implement.
Disclosure of Invention
The embodiment of the invention aims to provide a message forwarding method, a message forwarding apparatus and message forwarding equipment, so that the message forwarding equipment can apply different forwarding logic to messages sent by different devices even when the IP address of a device is difficult to know in advance. The specific technical scheme is as follows:
in a first aspect of the present invention, a method for forwarding a packet is provided, where the method includes:
when a message is received, acquiring an equipment fingerprint carried by the message, wherein the equipment fingerprint is used for identifying equipment for sending the message;
acquiring a forwarding strategy corresponding to the device fingerprint, wherein the forwarding strategy comprises at least one rule, and the rule comprises at least one matching item;
and determining a target rule of the matching item matched with the message characteristics of the message in the at least one rule, and processing the message according to the target rule.
In a possible embodiment, before the obtaining, when the message is received, the device fingerprint carried by the message, the method further includes:
assigning a corresponding digital identifier to each device fingerprint;
the obtaining of the forwarding policy corresponding to the device fingerprint includes:
determining a digital identifier corresponding to the device fingerprint as a target digital identifier;
and acquiring a forwarding strategy corresponding to the target digital identifier.
In a possible embodiment, after said assigning respective digital identifications to respective device fingerprints, the method further comprises:
for each digital identifier, acquiring the forwarding policy for forwarding messages carrying the device fingerprint corresponding to that digital identifier, as the forwarding policy corresponding to the digital identifier;
with the digital identifications as key values, storing the forwarding strategy corresponding to each digital identification in a preset hash table;
the obtaining of the forwarding policy corresponding to the target digital identifier includes:
and reading a forwarding strategy corresponding to the target digital identification from the preset hash table by taking the target digital identification as a key value.
In a possible embodiment, the obtaining, for each digital identifier, a forwarding policy for forwarding the packet carrying the device fingerprint corresponding to the digital identifier, as the forwarding policy corresponding to the digital identifier, includes:
for each digital identifier, acquiring all the rules used for forwarding messages carrying the device fingerprint corresponding to the digital identifier;
and storing the rule numbers of all the rules in a bitmap, and taking the bitmap as a forwarding strategy corresponding to the digital identifier.
In a possible embodiment, before the obtaining, for each digital identifier, a forwarding policy for forwarding a packet carrying an apparatus fingerprint corresponding to the digital identifier, as the forwarding policy corresponding to the digital identifier, the method further includes:
constructing a binary tree, wherein each leaf node of the binary tree corresponds to a digital identifier;
for a first device fingerprint stored by the message forwarding device, associating the forwarding policy configured for the first device identified by the first device fingerprint with the leaf node of the binary tree that corresponds to the digital identifier assigned to the first device fingerprint;
the acquiring, for each digital identifier, a forwarding policy for forwarding a packet carrying an equipment fingerprint corresponding to the digital identifier, as the forwarding policy corresponding to the digital identifier, includes:
and for each digital identifier, acquiring the forwarding policy associated with the leaf node corresponding to the digital identifier in the binary tree, and taking that forwarding policy as the forwarding policy corresponding to the digital identifier of the leaf node.
In a possible embodiment, the method further comprises:
and receiving, from an authentication server, the device fingerprints stored by the authentication server, wherein the authentication server authorizes a device to join the network to which the message forwarding device belongs when the device fingerprint of that device is contained in the stored device fingerprints, and refuses the device access to the network when its device fingerprint is not contained in the stored device fingerprints.
In a possible embodiment, after the obtaining the device fingerprint carried by the packet, the method further includes:
judging whether the device fingerprint carried by the message is contained by the device fingerprint stored by the message forwarding device;
if the device fingerprint carried by the message is not contained by the device fingerprint stored by the message forwarding device, discarding the message;
and if the device fingerprint carried by the message is contained by the device fingerprint stored by the message forwarding device, acquiring a forwarding strategy corresponding to the device fingerprint carried by the message.
In a second aspect of the present invention, there is provided a packet forwarding apparatus, applied to a packet forwarding device, the apparatus including:
the fingerprint identification module is used for acquiring an equipment fingerprint carried by a message when the message is received, wherein the equipment fingerprint is used for identifying equipment for sending the message;
the policy matching module is used for acquiring a forwarding policy corresponding to the device fingerprint, wherein the forwarding policy comprises at least one rule, and the rule comprises at least one matching item;
and the message processing module is used for determining a target rule of the matching item matched with the message characteristics of the message in the at least one rule and processing the message according to the target rule.
In a possible embodiment, the apparatus further includes a policy configuration module configured to assign a corresponding digital identifier to each device fingerprint;
the obtaining of the forwarding policy corresponding to the device fingerprint includes:
determining a digital identifier corresponding to the device fingerprint as a target digital identifier;
and acquiring a forwarding strategy corresponding to the target digital identifier.
In a possible embodiment, the policy configuration module is further configured to, for each digital identifier, obtain a forwarding policy for forwarding a packet carrying an apparatus fingerprint corresponding to the digital identifier, as the forwarding policy corresponding to the digital identifier;
with the digital identifications as key values, storing the forwarding strategy corresponding to each digital identification in a preset hash table;
and reading a forwarding strategy corresponding to the target digital identification from the preset hash table by taking the target digital identification as a key value.
In a possible embodiment, the policy configuration module is specifically configured to, for each digital identifier, obtain all rules used for forwarding a packet carrying an apparatus fingerprint corresponding to the digital identifier;
and storing the rule numbers of all the rules in a bitmap, and taking the bitmap as a forwarding strategy corresponding to the digital identifier.
In a possible embodiment, the policy configuration module is further configured to construct a binary tree, where each leaf node of the binary tree corresponds to a digital identifier;
for a first device fingerprint locally stored by the message forwarding device, associating the forwarding policy configured for the first device identified by the first device fingerprint with the leaf node of the binary tree that corresponds to the digital identifier assigned to the first device fingerprint;
the policy configuration module is specifically configured to, for each digital identifier, acquire a forwarding policy associated with a leaf node corresponding to the digital identifier in the binary tree, and use the forwarding policy as a forwarding policy corresponding to the digital identifier corresponding to the leaf node.
In a possible embodiment, the fingerprint identification module is further configured to receive, from an authentication server, the device fingerprints stored by the authentication server, wherein the authentication server authorizes a device to join the network to which the packet forwarding device belongs when the device fingerprint of that device is contained in the stored device fingerprints, and refuses the device access to the network when its device fingerprint is not contained in the stored device fingerprints.
In a possible embodiment, the message processing module is further configured to determine whether the device fingerprint carried by the message is included in the device fingerprint stored in the message forwarding device;
if the device fingerprint carried by the message is not contained by the device fingerprint stored by the message forwarding device, discarding the message;
the policy matching module is specifically configured to, if the device fingerprint carried by the packet is included in the device fingerprint stored by the packet forwarding device, obtain a forwarding policy corresponding to the device fingerprint carried by the packet.
In a third aspect of the present invention, a message forwarding apparatus is provided, including:
a memory for storing a computer program;
a processor adapted to perform the method steps of any of the above first aspects when executing a program stored in the memory.
In a fourth aspect of the invention, a computer-readable storage medium is provided, having stored therein a computer program, which when executed by a processor, performs the method steps of any of the first aspects described above.
With the message forwarding method, message forwarding apparatus and message forwarding equipment provided by the embodiment of the invention, the message forwarding equipment can establish a correspondence between device fingerprints and forwarding policies. Because a device fingerprint identifies a device, this also fixes the correspondence between the device identified by the fingerprint and its forwarding policy, so the message forwarding equipment can apply different forwarding logic to messages sent by different devices even when the IP address of a device is difficult to know in advance. Of course, not all of the advantages described above need to be achieved at the same time in the practice of any one product or method of the invention.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1a is a schematic view of an application scenario of a message forwarding method according to an embodiment of the present invention;
fig. 1b is a schematic view of another application scenario of the packet forwarding method according to the embodiment of the present invention;
fig. 2 is a schematic flow chart of a message forwarding method according to an embodiment of the present invention;
fig. 3a is a schematic flowchart of a forwarding policy configuration method according to an embodiment of the present invention;
FIG. 3b is a schematic structural diagram of a binary tree according to an embodiment of the present invention;
fig. 4 is a schematic diagram of a service logic of a message forwarding device;
fig. 5 is a schematic structural diagram of a message forwarding apparatus according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of a message forwarding device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1a, fig. 1a is a schematic view of an application scenario of a message forwarding method according to an embodiment of the present invention, which may include a plurality of terminal devices 110 and a message forwarding device 120. In this application scenario, the plurality of terminal devices 110 may include terminal device 111, terminal device 112, terminal device 113, and terminal device 114. In other possible application scenarios, the number of terminal devices included in the plurality of terminal devices 110 may also be other, which is not limited in this embodiment. A communication connection is established between the plurality of terminal devices 110 and the message forwarding device 120, and the communication connection may be a direct connection or a logical connection according to actual needs.
The message forwarding device 120 may be configured to forward the messages sent by the plurality of terminal devices 110 to the target network to which the target device belongs. In practice, the user may not want the message forwarding device 120 to forward some of the messages sent by the terminal devices. Taking this application scenario as an example, assume the user does not want the message forwarding device 120 to forward messages sent by terminal device 111. In the related art, the user would configure a forwarding policy in the message forwarding device 120 in advance according to the IP address of terminal device 111, causing the message forwarding device 120 to discard messages whose source address is that IP address. However, it may be difficult for the user to know the IP address of terminal device 111 in advance, for example because the address is allocated dynamically after terminal device 111 accesses the network. In that case a forwarding policy that makes the message forwarding device 120 discard messages whose source address is the IP address of terminal device 111 cannot be configured in advance.
In view of this, an embodiment of the present invention provides a message forwarding method applied to a message forwarding device, which may be referred to fig. 2, where fig. 2 is a schematic flow diagram of the message forwarding method provided in the embodiment of the present invention, and the schematic flow diagram may include S201 to S203.
S201, when a message is received, acquiring the device fingerprint carried by the message.
The device fingerprint is used to represent the device that sent the message. Different fingerprints may be set for different devices, or different fingerprints may be set for devices of different device types.
For example, assuming that terminal devices 111 and 112 are a1 type terminal devices produced by manufacturer a and terminal devices 113 and 114 are B2 type terminal devices produced by manufacturer B, in one possible embodiment, the device fingerprint of terminal device 111 is fingerprint 1, the device fingerprint of terminal device 112 is fingerprint 2, the device fingerprint of terminal device 113 is fingerprint 3, and the device fingerprint of terminal device 114 is fingerprint 4. In another possible embodiment, the device fingerprints of terminal devices 111 and 112 may be fingerprint 1, and the device fingerprints of terminal devices 113 and 114 may be fingerprint 2. In yet another possible embodiment, it may be that the device fingerprints of terminal devices 111 and 112 are fingerprint 1, the device fingerprint of terminal device 113 is fingerprint 2, and the device fingerprint of terminal device 114 is fingerprint 3.
The device fingerprint may be represented in different forms according to different application scenarios, for example, in one possible embodiment, the device fingerprint may be represented in a character string composed of letters and numbers, and in other possible embodiments, the device fingerprint may be represented in other forms.
S202, acquiring a forwarding strategy corresponding to the device fingerprint.
The forwarding strategies corresponding to different device fingerprints may be determined by user pre-configuration. The configured forwarding strategy may be different according to different actual requirements. For example, in a possible application scenario, a user may set a device name for each terminal device in a message forwarding device, and configure a forwarding policy according to the device name of the terminal device. For example, the user may set the device name of the terminal device 111 as "terminal device 1" in the message forwarding device, and send configuration information to the message forwarding device through the input device, where the configuration information includes the forwarding policy a and identification information indicating "terminal device 1". After receiving the configuration information, the message forwarding device establishes a correspondence between a device fingerprint for identifying the terminal device 111 and the forwarding policy a according to the carried identification information.
In another possible application scenario, a user may divide the terminal devices into a plurality of terminal device groups in the message forwarding device in advance, and then the user may configure a forwarding policy for the terminal device groups. For example, the user may divide the terminal device 111 and the terminal device 112 into the terminal device group 1 in the message forwarding device in advance, and send configuration information to the message forwarding device through the input device, where the configuration information includes the forwarding policy B and identification information used to indicate the terminal device group 1. After receiving the configuration information, the message forwarding device establishes a correspondence between a device fingerprint for identifying the terminal device 111, a device fingerprint for identifying the terminal device 112, and the forwarding policy B according to the carried identification information.
The terminal devices may be grouped according to actual requirements, for example, the terminal devices with the same device type may be grouped into the same terminal device group, or the terminal devices with the same manufacturer may be grouped into the same terminal device group. The user can configure the forwarding strategy aiming at the terminal equipment group, so that the batch configuration of the forwarding strategy for the terminal equipment is realized, and the labor cost for configuring the forwarding strategy can be effectively reduced. For example, in some application scenarios, since a terminal device of a1 type produced by manufacturer a has a certain security hole, a user may want a message forwarding device to discard a message sent by a terminal device of a1 type. If the user configures the forwarding policy for each terminal device, it may be necessary to configure a corresponding forwarding policy for a larger number of terminal devices. If the user configures the forwarding policy for the terminal device group and the terminal devices are grouped according to the device types to which the terminal devices belong, the user only needs to configure the forwarding policy for the terminal device group corresponding to the a1 type.
The forwarding policy includes the rules used by the message forwarding device to process messages; a rule indicates how the message forwarding device handles a message, for example discard or forward. For example, the forwarding policy may include rule 1, rule 3, rule 4 and rule 5, and the message forwarding device processes a message using rule 1, rule 3, rule 4 or rule 5. Each rule includes at least one matching item, and the matching items specify the message characteristics a message must have for the message forwarding device to process it with that rule, for example the source IP address, the source MAC address, and so on.
S203, determining a target rule of the matching item matched with the message characteristics of the message in at least one rule, and processing the message according to the target rule.
Illustratively, assume the forwarding policy corresponding to the device fingerprint includes rule 1, rule 3, rule 4 and rule 5, where the matching items of rule 1 are source IP address 192.168.1.1 and destination IP address 10.1.1, the matching item of rule 3 is source IP address 192.168.1.2, the matching item of rule 4 is destination IP address 10.1.1.1, and the matching items of rule 5 are source IP address 10.1.1.1, destination IP address 20.1.1.1, source port 10 and destination port 20. After receiving a message, the message forwarding device obtains its message characteristics: source IP address 192.168.1.2, destination IP address 192.168.10.2, source port 22 and destination port 10. Only the matching item of rule 3 matches these characteristics, so rule 3 is determined to be the target rule and the message is processed according to rule 3; if rule 3 says discard, the message is discarded.
By adopting the embodiment, the message forwarding equipment can establish the corresponding relation between the equipment fingerprint and the forwarding strategy, and the equipment fingerprint can identify the equipment, so that the corresponding relation between the equipment identified by the equipment fingerprint and the forwarding strategy can be determined, and the message forwarding equipment can adopt different forwarding logics for messages sent by different equipment through the corresponding relation between the equipment identified by the equipment fingerprint and the forwarding strategy under the condition that the IP address of the equipment is difficult to know in advance.
On the other hand, when configuring the forwarding policy, the user does not need to know the IP address of the device, and can set the correspondence between the device and the device attribute (such as the device name and the device type) of the device in the message forwarding device in advance, so that the corresponding forwarding policy can be configured according to the device attribute, thereby reducing the labor cost for configuring the forwarding policy.
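The flow of S201 to S203, combined with the check from the authentication-server embodiment in the disclosure above (a message whose fingerprint is not among the stored fingerprints is discarded), as an added Python example. This is not code from the patent or from New H3C: the fingerprint strings, the rule actions, first-match ordering within a policy, and the fail-closed defaults for a stored-but-unconfigured fingerprint and for a policy with no hit are all assumptions, and rule 1's destination address is written 10.1.1.1 here. The fingerprint is taken at face value, as in S201; whatever binds it to the sending device is outside this example.

```python
"""Forwarding-policy lookup keyed by device fingerprint (S201-S203).

Added example, not code from the patent or from New H3C. Rule numbers,
actions, fingerprint strings, the stored-fingerprint check and the
fail-closed defaults are assumptions made for this illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    fingerprint: str          # device fingerprint carried by the message (S201)
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    number: int
    action: str               # "forward" or "discard"
    match: Dict[str, object]  # matching items, e.g. {"src_ip": "192.168.1.2"}

    def hits(self, pkt: Packet) -> bool:
        """A rule is hit only when every matching item equals the packet's
        corresponding characteristic; items a rule omits are wildcards."""
        for item, wanted in self.match.items():
            actual = getattr(pkt, item)
            if item.endswith("_ip"):
                # ip_address() also rejects malformed addresses in the config.
                if ip_address(actual) != ip_address(wanted):
                    return False
            elif actual != wanted:
                return False
        return True


@dataclass(frozen=True)
class Policy:
    rules: Tuple[Rule, ...]    # evaluated in order; first hit wins (assumption)
    default: str = "discard"   # no rule hit: fail closed (assumption)


class ForwardingDevice:
    def __init__(self, stored_fingerprints: Iterable[str], policies: Dict[str, Policy]):
        # Fingerprints the authentication server pushed down to the device.
        self.stored = frozenset(stored_fingerprints)
        self.policies = policies

    def process(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """Return (action, rule number or None) for one received message."""
        if pkt.fingerprint not in self.stored:
            return ("discard", None)          # unknown fingerprint: drop before any lookup
        policy = self.policies.get(pkt.fingerprint)          # S202
        if policy is None:
            return ("discard", None)          # stored but unconfigured: fail closed (assumption)
        for rule in policy.rules:                             # S203
            if rule.hits(pkt):
                return (rule.action, rule.number)
        return (policy.default, None)


# Constructed sample data: the page's rules 1, 3, 4 and 5 (rule 1's destination
# written as 10.1.1.1 here) with actions chosen for the illustration.
FP_111 = "a1-cam-7f3e9c0b2d"   # constructed fingerprint of terminal device 111
FP_113 = "b2-cam-41d0aa5e77"   # constructed fingerprint of terminal device 113

RULES = (
    Rule(1, "forward", {"src_ip": "192.168.1.1", "dst_ip": "10.1.1.1"}),
    Rule(3, "discard", {"src_ip": "192.168.1.2"}),
    Rule(4, "discard", {"dst_ip": "10.1.1.1"}),
    Rule(5, "forward", {"src_ip": "10.1.1.1", "dst_ip": "20.1.1.1",
                        "src_port": 10, "dst_port": 20}),
)


def build_device() -> ForwardingDevice:
    return ForwardingDevice(
        stored_fingerprints=[FP_111, FP_113],
        policies={FP_111: Policy(RULES)},   # FP_113 is stored but has no policy
    )


if __name__ == "__main__":
    dev = build_device()
    # The page's example message: only rule 3 is hit, so it is discarded.
    print(dev.process(Packet(FP_111, "192.168.1.2", "192.168.10.2", 22, 10)))
    # Rules 1 and 4 both match this one; rule order makes rule 1 the target.
    print(dev.process(Packet(FP_111, "192.168.1.1", "10.1.1.1", 40000, 554)))
    # A fingerprint the authentication server never stored is dropped.
    print(dev.process(Packet("unknown-fp", "192.168.1.9", "10.1.1.1", 1, 2)))
```

The second packet shows why rule order inside a policy matters: with rule 4 listed before rule 1 the same message would be discarded instead of forwarded, so a policy should be stored as an ordered sequence rather than an unordered set.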
In some application scenarios the device fingerprint may be complex, for example a string of letters and digits tens of bytes long or longer. If the device fingerprint is used directly as an index, finding the corresponding forwarding policy may take a lot of time. In view of this, in one possible embodiment each device fingerprint is assigned a corresponding digital identifier in advance, the digital identifier being shorter than the device fingerprint it corresponds to. The size of the digital identifier may depend on the number of devices the network to which the message forwarding device belongs can accommodate. For example, if the network transmits messages according to the IPv4 protocol, an IPv4 address is 4 bytes, that is 32 bits, long, so the network can theoretically accommodate at most 2^32 devices; the digital identifier can therefore be a 32-bit binary number, that is a 4-byte value, which is short compared with the device fingerprint.
Based on this, the forwarding policy corresponding to a device fingerprint may be obtained as follows: first determine the digital identifier corresponding to the device fingerprint as the target digital identifier, then obtain the forwarding policy corresponding to the target digital identifier; the correspondence between digital identifiers and forwarding policies may be configured in advance by the user. Because the digital identifier is shorter than the device fingerprint, finding the corresponding forwarding policy with the digital identifier as the index takes less computation and time.
A flow of configuring a corresponding relationship between a digital identifier and a forwarding policy is described below, and referring to fig. 3a, fig. 3a is a schematic flow diagram of a forwarding policy configuration method provided in an embodiment of the present invention, and the schematic flow diagram may include:
S301, aiming at each digital identifier, a forwarding strategy for forwarding the message carrying the device fingerprint corresponding to the digital identifier is obtained.
In the embodiment, for each digital identifier, all rules adopted for forwarding the packet carrying the device fingerprint corresponding to the digital identifier are obtained, and these rules together are the forwarding policy corresponding to the digital identifier. The rules may be input by a user; for example, the user may input configuration information through an input device, where the configuration information includes rule 1, rule 2, rule 3, rule 5, and an identifier representing the device name "terminal device 1". The message forwarding device may determine, according to this identifier and a pre-configured correspondence between device names and devices, that the device corresponding to the device name "terminal device 1" is the terminal device 111, and determine, according to the correspondence between devices and device fingerprints, that the device fingerprint identifying the terminal device 111 is fingerprint 1. Assuming that the digital identifier assigned by the message forwarding device to fingerprint 1 is digital identifier 1, then after receiving a message carrying the device fingerprint corresponding to digital identifier 1, the message forwarding device may determine from the configuration information that rule 1, rule 2, rule 3 and rule 5 are all the rules to be used for forwarding the message.
In some possible embodiments, the obtained forwarding policies may be stored in a linked list. A linked list is a data structure containing at least one element, each element containing a rule in a forwarding policy and a pointer to the next element in the linked list.
However, storing the forwarding policy in a linked list requires completely storing each rule in each forwarding policy, and different forwarding policies may have the same rule, so that the same rule is stored for multiple times, and therefore, the occupied space is large. On the other hand, as described in the foregoing analysis, if the rule adopted by the message forwarding device for the message needs to match a matching item other than the device fingerprint, each rule needs to be traversed during the process of matching the matching item of the forwarding policy and the message feature, so as to determine which rule is adopted to process the message. This traversal process takes a lot of time.
For example, it is assumed that the message forwarding device determines how to forward the message according to the source IP address of the message, that the rules matching the source IP address are rule 3, rule 4, rule 7, and rule 8, and that the forwarding policy includes rule 1, rule 2, rule 3, and rule 5. The message forwarding device first matches rule 1 contained in the forwarding policy, but rule 1 does not match the source IP address, and therefore rule 1 cannot be adopted to process the message. The message forwarding device then matches rule 2 contained in the forwarding policy, but rule 2 does not match the source IP address either, so rule 2 cannot be adopted. The message forwarding device then matches rule 3 contained in the forwarding policy, which does match the source IP address, so that the message may be processed … in sequence by adopting rule 3 until all rules are traversed. Therefore, each rule needs to be traversed to determine which rule is used to process the packet. This traversal process takes a lot of time.
Based on this, in another possible embodiment, the rule numbers of all rules in the forwarding policy may be stored in a bitmap (bitmap). Taking the above example as an example, the rule numbers of rule 1, rule 2, rule 3, and rule 5 in the forwarding policy may be stored in a bitmap.
A bitmap is a data structure for storing integer (int) data, and may be represented in the form of a binary sequence. For example, the bitmap may be a binary sequence with a length of 10 bits, where each bit in the binary sequence corresponds to a rule number, and the value of each bit indicates whether the rule with the rule number corresponding to that bit is contained in all the rules. For example, the first bit in the binary sequence indicates whether the rule with rule number 1 is included in all the rules.
Taking the example of storing the rule numbers of rule 1, rule 2, rule 3, and rule 5 in a bitmap, the bitmap may be represented in the form of "1110100000", i.e., a binary sequence with the 1st, 2nd, 3rd, and 5th bits set. Here, the 1st bit being set indicates that the rule with rule number 1 is included in all the rules, the 2nd bit being set indicates that the rule with rule number 2 is included in all the rules, and the 4th bit not being set indicates that the rule with rule number 4 is not included.
Expressing the forwarding policy in bitmap form effectively saves the storage space occupied by the forwarding policy. On the other hand, if the rule adopted by the message forwarding device for the message also requires matching items other than the device fingerprint, and those matching items are likewise expressed in the form of bitmaps, the matching between the forwarding policy and the matching items can be accelerated through an AND operation between the bitmaps. For example, assuming that the forwarding policy is represented by the bitmap "1110100000", and a certain matching item (e.g., the source IP address) of each rule is represented by the bitmap "0011001100", the two bitmaps may be subjected to an AND operation, that is, a logical AND is performed on each pair of corresponding bits, giving the result "0010000000". Each bit in the result indicates whether the rule with the rule number corresponding to that bit is successfully matched; only the bit corresponding to rule number 3 in the result is not 0, that is, only the rule with rule number 3 is successfully matched when matching the forwarding policy against the packet characteristics of the packet, so the packet forwarding device may determine from the result to process the packet using the rule with rule number 3.
In another possible embodiment, a plurality of bits corresponding to rule numbers may be non-zero in the operation result; for example, the operation result is "101000000", where the bits corresponding to rule number 1 and rule number 3 are not 0, that is, by matching the forwarding policy and the packet characteristics of the packet, the rule with rule number 1 and the rule with rule number 3 are both successfully matched. The message forwarding device may select one rule from the rule with rule number 1 and the rule with rule number 3 according to a preset logic, and process the message using the selected rule. For example, the rule that is matched successfully first may be selected: if the logical AND between the bitmaps is performed bit by bit starting from the first bit, the rule with rule number 1 is matched successfully first, so the message may be processed using the rule with rule number 1. The rule may also be selected according to other preset logic according to the actual requirements of the user, for example, selecting the rule that is matched successfully last. In other possible embodiments, the matching result between the forwarding policy and the packet characteristics of the packet may also be represented in forms other than a bitmap, which is not limited in this embodiment.
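The bitmap form of the forwarding policy and the AND-based matching described above, as an added example that is not part of the patent; the 10-bit width, the "first"/"last" selection logic and the sample match-item bitmaps are assumptions taken from the figures on this page.

```python
# Added example (not from the patent): forwarding policy and per-match-item
# bitmaps, combined with a bitwise AND as described for "1110100000" above.
# Bit 1 is the leftmost character of the string form, as on the page.

BITMAP_WIDTH = 10  # assumed width; the page's example uses 10 bits


def rules_to_bitmap(rule_numbers, width=BITMAP_WIDTH):
    """Return the string form of a bitmap, e.g. {1, 2, 3, 5} -> "1110100000"."""
    bits = ["0"] * width
    for n in rule_numbers:
        if not 1 <= n <= width:
            raise ValueError(f"rule number {n} outside bitmap width {width}")
        bits[n - 1] = "1"
    return "".join(bits)


def bitmap_to_rules(bitmap):
    """Inverse of rules_to_bitmap: set bits -> rule numbers (1-based)."""
    return [i + 1 for i, b in enumerate(bitmap) if b == "1"]


def and_bitmaps(a, b):
    """Bitwise AND of two equal-width bitmap strings."""
    if len(a) != len(b):
        raise ValueError("bitmaps must have the same width")
    return "".join("1" if x == "1" and y == "1" else "0" for x, y in zip(a, b))


def select_rule(policy_bitmap, item_bitmaps, prefer="first"):
    """Match a forwarding policy against all match-item bitmaps of a message.

    item_bitmaps: one bitmap per match item (source IP, port, ...), each
    marking the rules whose value for that item matches the message.
    Every item must match, so the policy is ANDed with each item bitmap.
    Returns the chosen rule number, or None when no rule matches.
    """
    result = policy_bitmap
    for item in item_bitmaps:
        result = and_bitmaps(result, item)
    matched = bitmap_to_rules(result)
    if not matched:
        return None
    # "first" = lowest rule number matched, "last" = highest (both preset logics above)
    return matched[0] if prefer == "first" else matched[-1]


if __name__ == "__main__":
    policy = rules_to_bitmap({1, 2, 3, 5})        # "1110100000"
    src_ip_item = "0011001100"                     # constructed, as in the page's example
    print(and_bitmaps(policy, src_ip_item))        # 0010000000
    print(select_rule(policy, [src_ip_item]))      # 3
```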
In a possible embodiment, the message forwarding device may locally store a plurality of forwarding policies configured for a plurality of devices, and may traverse each locally stored forwarding policy for each digital identifier, so as to determine whether each forwarding policy is the forwarding policy corresponding to the digital identifier, that is, whether the forwarding policy is the one adopted for forwarding a message carrying the device fingerprint corresponding to the digital identifier. However, this traversal process may take a significant amount of time.
Based on this, in another possible embodiment, a binary tree may be constructed in advance, the number of levels of the binary tree being related to the setting of the digital identifier. For example, taking the IPV4 application scenario analyzed previously as an example, the binary tree may have 32 levels, since the digital identifier may be a 32-bit binary numeric string. It will be appreciated that, since each node except the leaf nodes has two child nodes (a leaf node is a node in the binary tree that has no child node), the 32nd level includes a total of 2^32 leaf nodes; a 32-bit binary digit string likewise has 2^32 possible values, so each leaf node can correspond to one digital identifier.
For each device fingerprint locally stored by the message forwarding device, the digital identifier assigned to the device fingerprint is taken as a certain node in the binary tree, the value of that node being the same as the digital identifier. The forwarding policy configured for the device identified by the device fingerprint is associated with the leaf node in the binary tree that corresponds to the digital identifier of that device. For example, the forwarding policy may be associated with the leaf node by storing a policy identifier of the forwarding policy configured for the device identified by the device fingerprint in the data field of the leaf node in the binary tree that corresponds to the same digital identifier as the device. The policy identifier uniquely identifies the forwarding policy, and may be represented as the set of rule numbers of all rules included in the forwarding policy, or in other forms, which is not limited in this embodiment.
For example, assuming the binary tree shown in fig. 3b, and that the digital identifier assigned to the device fingerprint identifying the terminal device 111 is the binary character string "1010", when storing the forwarding policy configured for the terminal device 111, the message forwarding device may, starting from the root node, access the leaf node corresponding to the digital identifier "1010" by following the path shown by the bold arrow in fig. 3b according to the bits of "1010", and associate the forwarding policy configured for the terminal device 111 with that leaf node.
How to obtain, through the binary tree, a forwarding policy for forwarding a packet carrying the device fingerprint corresponding to a digital identifier is described below. Still taking the binary tree shown in fig. 3b as an example, assuming that the forwarding policy for forwarding a packet carrying the device fingerprint corresponding to the digital identifier "1010" needs to be obtained, the packet forwarding device may, starting from the root node, access the leaf node corresponding to the digital identifier "1010" by following the path shown by the bold arrow in fig. 3b according to the bits of "1010", and obtain the forwarding policy associated with that leaf node, which is the forwarding policy for forwarding a packet carrying the device fingerprint corresponding to the digital identifier "1010".
By adopting the embodiment, when the forwarding strategy for forwarding the message carrying the equipment fingerprint corresponding to the digital identifier is obtained, traversal is not needed, and the efficiency of obtaining the forwarding strategy can be effectively improved.
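The fixed-depth binary tree of fig. 3b, where the bits of the digital identifier select the path from the root to a leaf, as an added example that is not part of the patent. It assumes nodes are allocated only along paths that have been configured (rather than all 2^32 leaves up front); the depth of 32 and the 4-bit "1010" case come from this page.

```python
# Added example (not the patent's code): a fixed-depth binary tree whose
# leaves are addressed by the bits of the digital identifier, so a lookup
# walks exactly `depth` edges and never traverses the stored policies.
# Assumption: nodes are created lazily along configured paths only.


class _Node:
    __slots__ = ("children", "policy")

    def __init__(self):
        self.children = [None, None]   # child for bit 0, child for bit 1
        self.policy = None             # data field, used only on leaves


class PolicyTree:
    def __init__(self, depth=32):
        """depth = bit length of the digital identifier (32 for the IPv4 sizing)."""
        self.depth = depth
        self.root = _Node()

    def _path(self, identifier):
        """Bits of the identifier from the most significant downwards (root to leaf)."""
        if isinstance(identifier, str):
            if len(identifier) != self.depth or set(identifier) - {"0", "1"}:
                raise ValueError("identifier must be a %d-bit binary string" % self.depth)
            return [int(c) for c in identifier]
        if not 0 <= identifier < (1 << self.depth):
            raise ValueError("identifier does not fit in %d bits" % self.depth)
        return [(identifier >> (self.depth - 1 - i)) & 1 for i in range(self.depth)]

    def associate(self, identifier, policy):
        """Store `policy` in the leaf reached by the identifier's bits (creates the path)."""
        node = self.root
        for bit in self._path(identifier):
            if node.children[bit] is None:
                node.children[bit] = _Node()
            node = node.children[bit]
        node.policy = policy

    def lookup(self, identifier):
        """Return the policy at the leaf for `identifier`, or None if not configured."""
        node = self.root
        for bit in self._path(identifier):
            node = node.children[bit]
            if node is None:
                return None
        return node.policy


if __name__ == "__main__":
    tree = PolicyTree(depth=4)                  # the 4-level tree of fig. 3b
    tree.associate("1010", {1, 2, 3, 5})        # policy for terminal device 111
    print(tree.lookup("1010"))                  # {1, 2, 3, 5}
    print(tree.lookup("1011"))                  # None
```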
And S302, storing the digital identifier and the obtained forwarding strategy in a preset hash (hash) table by taking the digital identifier as a key value.
The data in the hash table is stored in a key value (key) -value (value) form, and for example, assuming that the obtained forwarding policy is a forwarding policy a for a digital identifier 1, it may be a data pair represented in a form of < digital identifier 1-forwarding policy a > existing in the hash table. As previously discussed, in one possible embodiment, the forwarding policy may be represented in the form of a bitmap, and stored in the hash table is a < number identification-bitmap > data pair.
Based on the hash table, after the message forwarding device receives the message, the device fingerprint carried by the message is acquired, and then the digital identifier corresponding to the device fingerprint is determined. And reading a forwarding strategy corresponding to the target digital identification from the hash table by taking the digital identification as a key value, and processing the message according to the forwarding strategy.
By adopting the embodiment, the forwarding strategy can be obtained in a hash table mode, and the corresponding forwarding strategy does not need to be obtained in a polling mode, so that the message processing efficiency of the message forwarding equipment can be improved.
Referring to fig. 1b, fig. 1b is a schematic view of another application scenario of the message forwarding method according to the embodiment of the present invention, and compared with fig. 1a, the method may further include an authentication server 130. The authentication server 130 maintains the device fingerprint and synchronizes the locally stored device fingerprint to the message forwarding device 120 on a regular or irregular basis. The authentication server 130 may be configured to authorize a device accessing the network to which the message forwarding device 120 belongs to join the network when its device fingerprint is contained by the stored device fingerprint, and to deny the device joining the network when its device fingerprint is not contained by the stored device fingerprint.
For example, the user may only want the terminal device 111, the terminal device 112, and the terminal device 113 to join the network to which the message forwarding device belongs, and the user may import the device fingerprints of the terminal device 111, the terminal device 112, and the terminal device 113 to the authentication server 130 in advance. After each terminal device 110 accesses the network, it sends an authentication request carrying a device fingerprint to the authentication server 130.
For the terminal device 111, the terminal device 112, and the terminal device 113, since the authentication server 130 stores the device fingerprints of the terminal devices 110 in advance, the authentication server 130 may authorize the terminal device 111, the terminal device 112, and the terminal device 113 to access the network, and allocate IP addresses to the terminal device 111, the terminal device 112, and the terminal device 113, so that the terminal device 111, the terminal device 112, and the terminal device 113 can operate normally. For the terminal device 114, since the authentication server 130 does not store the device fingerprint of the terminal device 114, the authentication server 130 rejects the terminal device 114 from accessing the network and rejects the allocation of the IP address to the terminal device 114, so that the terminal device 114 cannot operate normally.
However, some illegal devices may send a message containing malicious data to a device in the target network through the message forwarding device 120 without being authorized by the authentication server 130, resulting in poor network security. Based on this, in a possible embodiment, the service logic of the message forwarding device 120 may refer to fig. 4, and fig. 4 is a schematic diagram of the service logic of the message forwarding device, which may include:
S401, when the message receiving and sending module receives the message, the message is sent to the fingerprint identification module.
For the device fingerprint, reference may be made to the related description in the foregoing S201, which is not described herein again.
S402, the fingerprint identification module analyzes the message to obtain the device fingerprint carried by the message.
S403, the fingerprint identification module determines whether the device fingerprint carried by the packet is included in the device fingerprint stored locally by the packet forwarding device, if not, S404 is executed, and if so, S405 is executed.
S404, the fingerprint identification module discards the message.
As described above, the device fingerprint stored locally at the message forwarding device is the same as the device fingerprint stored locally at the authentication server. And the device fingerprint stored locally by the authentication server is the device fingerprint of the authorized device, so if the device fingerprint carried by the message is not contained by the device fingerprint stored locally by the message forwarding device, the device sending the message can be regarded as an illegal device, and the message can be directly discarded.
S405, the fingerprint identification module sends the device fingerprint obtained through analysis to the security policy module.
S406, the security policy module searches for a forwarding policy corresponding to the device fingerprint, and processes the message according to a target rule determined from the forwarding policy.
For the determination of the forwarding policy and the target rule, reference may be made to the related descriptions in S202 and S203, which are not described herein again.
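The service logic of S401 to S406, combined with the digital-identifier hash table of S302, as an added example that is not part of the patent. Fingerprint strings, the sequential assignment of digital identifiers, the int bitmap encoding of policies and the "no_policy" outcome for an authorized device without a configured policy are all assumptions of this example.

```python
# Added example (not from the patent): the S401-S406 service logic with the
# digital-identifier hash table of S302. Fingerprints, identifiers and rule
# bitmaps below are constructed sample values, not values from the page.

from dataclasses import dataclass, field


@dataclass
class ForwardingDevice:
    depth: int = 32
    # fingerprints synchronised from the authentication server (checked in S403)
    authorized: set = field(default_factory=set)
    # device fingerprint -> digital identifier (assigned in advance)
    identifiers: dict = field(default_factory=dict)
    # hash table of S302: digital identifier -> policy bitmap (int, bit k-1 = rule k)
    policies: dict = field(default_factory=dict)

    def sync_fingerprints(self, fingerprints):
        """Replace the local copy with the authentication server's stored set."""
        self.authorized = set(fingerprints)

    def configure(self, fingerprint, rule_numbers):
        """Assign the next free digital identifier (assumption) and store the policy."""
        ident = self.identifiers.setdefault(fingerprint, len(self.identifiers))
        if ident >= 1 << self.depth:
            raise OverflowError("digital identifier space exhausted")
        bitmap = 0
        for n in rule_numbers:
            bitmap |= 1 << (n - 1)
        self.policies[ident] = bitmap
        return ident

    def handle(self, message, item_bitmaps):
        """Process one message; S402 parsing is assumed done by the caller.

        message: dict with a 'fingerprint' key holding the parsed device fingerprint.
        item_bitmaps: per match item, int bitmap of the rules matching the message.
        Returns ('drop', None), ('no_policy', None), ('no_match', None)
        or ('rule', rule_number).
        """
        fp = message.get("fingerprint")
        if fp is None or fp not in self.authorized:   # S403 -> S404: unknown device
            return ("drop", None)
        ident = self.identifiers.get(fp)               # target digital identifier
        policy = self.policies.get(ident)              # S406: hash-table lookup by key
        if policy is None:
            return ("no_policy", None)
        result = policy
        for item in item_bitmaps:                      # every match item must match
            result &= item
        if result == 0:
            return ("no_match", None)
        # first successfully matched rule = lowest set bit (rule numbers are 1-based)
        return ("rule", (result & -result).bit_length())


if __name__ == "__main__":
    dev = ForwardingDevice()
    dev.sync_fingerprints({"fp-111", "fp-112"})       # constructed fingerprints
    dev.configure("fp-111", {1, 2, 3, 5})
    src_ip_item = (1 << 2) | (1 << 3) | (1 << 6) | (1 << 7)   # rules 3, 4, 7, 8 match
    print(dev.handle({"fingerprint": "fp-111"}, [src_ip_item]))   # ('rule', 3)
    print(dev.handle({"fingerprint": "fp-114"}, [src_ip_item]))   # ('drop', None)
```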
Referring to fig. 5, fig. 5 is a schematic structural diagram of a message forwarding apparatus according to an embodiment of the present invention, where the schematic structural diagram may include:
a fingerprint identification module 501, configured to, when a message is received, obtain an equipment fingerprint carried by the message, where the equipment fingerprint is used to identify an equipment that sends the message;
a policy matching module 502, configured to obtain a forwarding policy corresponding to the device fingerprint, where the forwarding policy includes at least one rule, and the rule includes at least one matching item;
the message processing module 503 is configured to determine a target rule matching the matching item with the message feature of the message in the at least one rule, and process the message according to the target rule.
In a possible embodiment, the apparatus further includes a policy configuration module configured to assign a corresponding digital identifier to each device fingerprint;
the method for acquiring the forwarding strategy corresponding to the device fingerprint comprises the following steps:
determining a digital identifier corresponding to the device fingerprint as a target digital identifier;
and acquiring a forwarding strategy corresponding to the target digital identifier.
In a possible embodiment, the policy configuration module is further configured to, for each digital identifier, obtain a forwarding policy for forwarding a packet carrying the device fingerprint corresponding to the digital identifier, as the forwarding policy corresponding to the digital identifier;
with the digital identifications as key values, storing the forwarding strategy corresponding to each digital identification in a preset hash table;
and reading a forwarding strategy corresponding to the target digital identification from a preset hash table by taking the target digital identification as a key value.
In a possible embodiment, the policy configuration module is specifically configured to, for each digital identifier, obtain all rules used for forwarding a packet carrying an equipment fingerprint corresponding to the digital identifier;
and storing all the rule numbers in a bitmap, and taking the bitmap as a forwarding strategy corresponding to the digital identifier.
In a possible embodiment, the policy configuration module is further configured to construct a binary tree, where each leaf node of the binary tree corresponds to a numerical identifier;
for a first device fingerprint locally stored by the message forwarding device, associate the forwarding policy configured for the first device identified by the first device fingerprint with the leaf node in the binary tree that corresponds to the digital identifier of the first device fingerprint;
and the policy configuration module is specifically configured to, for each digital identifier, acquire a forwarding policy associated with a leaf node corresponding to the digital identifier in the binary tree, and use the forwarding policy as the forwarding policy corresponding to the digital identifier corresponding to the leaf node.
In a possible embodiment, the fingerprint identification module 501 is further configured to receive a device fingerprint stored by the authentication server, where the device fingerprint is sent by the authentication server, and the authentication server is configured to authorize the device to join the network when the device fingerprint of the device accessing the network to which the packet forwarding device belongs is included in the stored device fingerprint, and deny the device to join the network when the device fingerprint of the device accessing the network is not included in the stored device fingerprint.
In a possible embodiment, the message processing module 503 is further configured to determine whether the device fingerprint carried by the message is included in the device fingerprint stored in the message forwarding device;
if the device fingerprint carried by the message is not contained by the device fingerprint stored by the message forwarding device, discarding the message;
and the policy matching module is specifically configured to, if the device fingerprint carried by the message is included in the device fingerprint stored in the message forwarding device, acquire a forwarding policy corresponding to the device fingerprint carried by the message.
An embodiment of the present invention further provides a packet forwarding device, as shown in fig. 6, including:
a memory 601 for storing a computer program;
the processor 602 is configured to implement the following steps when executing the program stored in the memory 601:
when a message is received, acquiring a device fingerprint carried by the message, wherein the device fingerprint is used for identifying a device for sending the message;
acquiring a forwarding strategy corresponding to the equipment fingerprint, wherein the forwarding strategy comprises at least one rule, and the rule comprises at least one matching item;
and determining a target rule matched with the matching item and the message characteristic of the message in at least one rule, and processing the message according to the target rule.
In a possible embodiment, before acquiring, when a message is received, a device fingerprint carried by the message, the method further includes:
distributing corresponding digital identifiers for the fingerprints of each device;
the method for acquiring the forwarding strategy corresponding to the device fingerprint comprises the following steps:
determining a digital identifier corresponding to the device fingerprint as a target digital identifier;
and acquiring a forwarding strategy corresponding to the target digital identifier.
In one possible embodiment, after assigning the respective device fingerprints with corresponding digital identifications, the method further comprises:
acquiring a forwarding strategy for forwarding a message carrying the equipment fingerprint corresponding to the digital identifier as a forwarding strategy corresponding to the digital identifier aiming at each digital identifier;
with the digital identifications as key values, storing the forwarding strategy corresponding to each digital identification in a preset hash table;
obtaining a forwarding strategy corresponding to the target digital identifier, including:
and reading a forwarding strategy corresponding to the target digital identification from a preset hash table by taking the target digital identification as a key value.
In a possible embodiment, acquiring, for each digital identifier, a forwarding policy for forwarding the packet carrying the device fingerprint corresponding to the digital identifier, as the forwarding policy corresponding to the digital identifier, includes:
aiming at each digital identifier, acquiring all rules adopted for forwarding the message carrying the equipment fingerprint corresponding to the digital identifier;
and storing all the rule numbers in a bitmap, and taking the bitmap as a forwarding strategy corresponding to the digital identifier.
In a possible embodiment, before acquiring, for each digital identifier, a forwarding policy for forwarding a packet carrying the device fingerprint corresponding to the digital identifier, as the forwarding policy corresponding to the digital identifier, the method further includes:
constructing a binary tree, wherein each leaf node of the binary tree corresponds to a digital identifier;
for a first device fingerprint stored by the message forwarding device, associating the forwarding policy configured for the first device identified by the first device fingerprint with the leaf node in the binary tree that corresponds to the digital identifier of the first device fingerprint;
for each digital identifier, acquiring a forwarding policy for forwarding a packet carrying a device fingerprint corresponding to the digital identifier, as the forwarding policy corresponding to the digital identifier, including:
and aiming at each digital identifier, acquiring a forwarding strategy associated with a leaf node corresponding to the digital identifier in the binary tree, and taking the forwarding strategy as a forwarding strategy corresponding to the digital identifier corresponding to the leaf node.
In one possible embodiment, the method further comprises:
and receiving the device fingerprint stored by the authentication server sent by the authentication server, wherein the authentication server is used for authorizing the device to join the network when the device fingerprint of the device accessing the network to which the message forwarding device belongs is contained by the stored device fingerprint, and refusing the device to join the network when the device fingerprint of the device accessing the network is not contained by the stored device fingerprint.
In a possible embodiment, after obtaining the device fingerprint carried by the packet, the method further includes:
judging whether the device fingerprint carried by the message is contained by the device fingerprint stored by the message forwarding device;
if the device fingerprint carried by the message is not contained by the device fingerprint stored by the message forwarding device, discarding the message;
and if the device fingerprint carried by the message is contained by the device fingerprint stored by the message forwarding device, acquiring a forwarding strategy corresponding to the device fingerprint carried by the message.
The memory mentioned in the message forwarding device may include a Random Access Memory (RAM) or a Non-Volatile Memory (NVM), such as at least one disk memory. Optionally, the memory may also be at least one memory device located remotely from the processor.
The Processor may be a general-purpose Processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; but may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other Programmable logic device, discrete Gate or transistor logic device, discrete hardware component.
In another embodiment of the present invention, a computer-readable storage medium is further provided, in which instructions are stored, and when the instructions are executed on a computer, the computer is caused to execute any of the message forwarding methods in the foregoing embodiments.
In another embodiment, a computer program product containing instructions is provided, which when run on a computer causes the computer to perform any of the message forwarding methods in the above embodiments.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, it may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in accordance with the embodiments of the invention occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, radio, microwave, etc.) means. The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device, such as a server or a data center, that incorporates one or more available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the embodiments of the apparatus, the message forwarding device, the computer-readable storage medium, and the computer program product, since they are substantially similar to the method embodiments, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiments.
The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.

Claims (15)

1. A message forwarding method, applied to a message forwarding device, the method comprising:
when a message is received, acquiring a device fingerprint carried by the message, wherein the device fingerprint identifies the device that sent the message;
acquiring a forwarding policy corresponding to the device fingerprint, wherein the forwarding policy comprises at least one rule, and each rule comprises at least one matching item;
and determining, among the at least one rule, a target rule whose matching item matches the message characteristics of the message, and processing the message according to the target rule.
2. The method according to claim 1, wherein before acquiring the device fingerprint carried by the message when the message is received, the method further comprises:
assigning a corresponding digital identifier to each device fingerprint;
and acquiring the forwarding policy corresponding to the device fingerprint comprises:
determining the digital identifier corresponding to the device fingerprint as a target digital identifier;
and acquiring the forwarding policy corresponding to the target digital identifier.
3. The method according to claim 2, wherein after assigning a corresponding digital identifier to each device fingerprint, the method further comprises:
for each digital identifier, acquiring the forwarding policy used to forward messages carrying the device fingerprint corresponding to that digital identifier, as the forwarding policy corresponding to that digital identifier;
storing the forwarding policy corresponding to each digital identifier in a preset hash table, with the digital identifier as the key;
and acquiring the forwarding policy corresponding to the target digital identifier comprises:
reading the forwarding policy corresponding to the target digital identifier from the preset hash table, with the target digital identifier as the key.
4. The method according to claim 3, wherein acquiring, for each digital identifier, the forwarding policy used to forward messages carrying the device fingerprint corresponding to that digital identifier, as the forwarding policy corresponding to that digital identifier, comprises:
for each digital identifier, acquiring all rules used to forward messages carrying the device fingerprint corresponding to that digital identifier;
and storing the rule numbers of all those rules in a bitmap, and using the bitmap as the forwarding policy corresponding to that digital identifier.
5. The method according to claim 3, wherein before acquiring, for each digital identifier, the forwarding policy used to forward messages carrying the device fingerprint corresponding to that digital identifier, as the forwarding policy corresponding to that digital identifier, the method further comprises:
constructing a binary tree, wherein each leaf node of the binary tree corresponds to one digital identifier;
for a first device fingerprint stored by the message forwarding device, associating the forwarding policy configured for the first device identified by the first device fingerprint with the leaf node of the binary tree that corresponds to the digital identifier of the first device fingerprint;
and acquiring, for each digital identifier, the forwarding policy used to forward messages carrying the device fingerprint corresponding to that digital identifier, as the forwarding policy corresponding to that digital identifier, comprises:
for each digital identifier, acquiring the forwarding policy associated with the leaf node corresponding to that digital identifier in the binary tree, and using it as the forwarding policy corresponding to that digital identifier.
6. The method according to claim 1, further comprising:
receiving, from an authentication server, the device fingerprints stored by the authentication server, wherein the authentication server authorizes a device accessing the network to which the message forwarding device belongs to join the network when the device fingerprint of that device is contained in the stored device fingerprints, and refuses the device to join the network when the device fingerprint of that device is not contained in the stored device fingerprints.
7. The method according to claim 1, wherein after acquiring the device fingerprint carried by the message, the method further comprises:
judging whether the device fingerprint carried by the message is contained in the device fingerprints stored by the message forwarding device;
if the device fingerprint carried by the message is not contained in the device fingerprints stored by the message forwarding device, discarding the message;
and if the device fingerprint carried by the message is contained in the device fingerprints stored by the message forwarding device, acquiring the forwarding policy corresponding to the device fingerprint carried by the message.
8. A message forwarding apparatus, applied to a message forwarding device, the apparatus comprising:
a fingerprint identification module, configured to acquire, when a message is received, a device fingerprint carried by the message, wherein the device fingerprint identifies the device that sent the message;
a policy matching module, configured to acquire a forwarding policy corresponding to the device fingerprint, wherein the forwarding policy comprises at least one rule, and each rule comprises at least one matching item;
and a message processing module, configured to determine, among the at least one rule, a target rule whose matching item matches the message characteristics of the message, and to process the message according to the target rule.
9. The apparatus according to claim 8, further comprising a policy configuration module configured to assign a corresponding digital identifier to each device fingerprint;
wherein acquiring the forwarding policy corresponding to the device fingerprint comprises:
determining the digital identifier corresponding to the device fingerprint as a target digital identifier;
and acquiring the forwarding policy corresponding to the target digital identifier.
10. The apparatus according to claim 9, wherein the policy configuration module is further configured to acquire, for each digital identifier, the forwarding policy used to forward messages carrying the device fingerprint corresponding to that digital identifier, as the forwarding policy corresponding to that digital identifier;
and to store the forwarding policy corresponding to each digital identifier in a preset hash table, with the digital identifier as the key;
and the forwarding policy corresponding to the target digital identifier is read from the preset hash table, with the target digital identifier as the key.
11. The apparatus according to claim 10, wherein the policy configuration module is specifically configured to acquire, for each digital identifier, all rules used to forward messages carrying the device fingerprint corresponding to that digital identifier;
and to store the rule numbers of all those rules in a bitmap, and to use the bitmap as the forwarding policy corresponding to that digital identifier.
12. The apparatus according to claim 10, wherein the policy configuration module is further configured to construct a binary tree, wherein each leaf node of the binary tree corresponds to one digital identifier;
and, for a first device fingerprint locally stored by the message forwarding device, to associate the forwarding policy configured for the first device identified by the first device fingerprint with the leaf node of the binary tree that corresponds to the digital identifier of the first device fingerprint;
and the policy configuration module is specifically configured to acquire, for each digital identifier, the forwarding policy associated with the leaf node corresponding to that digital identifier in the binary tree, and to use it as the forwarding policy corresponding to that digital identifier.
13. The apparatus according to claim 8, wherein the fingerprint identification module is further configured to receive, from an authentication server, the device fingerprints stored by the authentication server, and the authentication server is configured to authorize a device accessing the network to which the message forwarding device belongs to join the network when the device fingerprint of that device is contained in the stored device fingerprints, and to refuse the device to join the network when the device fingerprint of that device is not contained in the stored device fingerprints.
14. The apparatus according to claim 8, wherein the message processing module is further configured to judge whether the device fingerprint carried by the message is contained in the device fingerprints stored by the message forwarding device;
and, if the device fingerprint carried by the message is not contained in the device fingerprints stored by the message forwarding device, to discard the message;
and the policy matching module is specifically configured to acquire the forwarding policy corresponding to the device fingerprint carried by the message if that device fingerprint is contained in the device fingerprints stored by the message forwarding device.
15. A message forwarding device, comprising:
a memory, configured to store a computer program;
and a processor, configured to implement the method steps of any one of claims 1 to 7 when executing the computer program stored in the memory.
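The lookup chain the claims describe (device fingerprint, digital identifier, preset hash table holding a bitmap of rule numbers per identifier, first rule whose matching items all match the message, and discarding a message whose fingerprint is not stored locally) as an added illustration in Python. This is not code from the patent or from the applicant; the rule fields, actions, fingerprints and the "no target rule means drop" default are constructed for the example.

```python
"""Added illustration of the claimed lookup chain; not from the patent.
Fingerprint -> digital identifier -> bitmap of rule numbers -> first rule
whose matching items all match the message's features (claims 1-4, 7)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int    # rule number: its bit position in a policy bitmap
    match: dict    # matching items: message field -> required value
    action: str    # processing applied when this is the target rule


# Constructed global rule table; each device's policy selects a subset by number.
RULES = {
    0: Rule(0, {"proto": "tcp", "dst_port": 443}, "forward"),
    1: Rule(1, {"proto": "udp", "dst_port": 53}, "forward"),
    2: Rule(2, {"proto": "tcp", "dst_port": 22}, "forward"),
    3: Rule(3, {}, "drop"),   # no matching items: matches every message
}


class Forwarder:
    def __init__(self):
        self.identifiers = {}   # stored device fingerprint -> digital identifier
        self.policies = {}      # preset hash table: digital identifier -> bitmap

    def load_fingerprints(self, fingerprints):
        """Store fingerprints received from the authentication server (claim 6)
        and assign each one a digital identifier (claim 2)."""
        for fp in fingerprints:
            self.identifiers.setdefault(fp, len(self.identifiers))

    def set_policy(self, fingerprint, rule_numbers):
        """Claim 4: a device's policy is a bitmap of its rule numbers."""
        bitmap = 0
        for n in rule_numbers:
            bitmap |= 1 << n
        self.policies[self.identifiers[fingerprint]] = bitmap

    def process(self, message):
        """Return the action applied to one message (a constructed dict)."""
        ident = self.identifiers.get(message.get("fingerprint"))
        if ident is None:
            return "drop"       # claim 7: fingerprint not stored locally
        bitmap = self.policies.get(ident, 0)   # claim 3: hash-table lookup
        for number in sorted(RULES):           # lower rule number wins
            if not (bitmap >> number) & 1:
                continue        # rule is not part of this device's policy
            rule = RULES[number]
            if all(message.get(k) == v for k, v in rule.match.items()):
                return rule.action             # target rule found
        return "drop"           # assumption: no target rule means drop


def build_demo():
    """Constructed setup: a printer limited to DNS, a laptop allowed all rules."""
    fw = Forwarder()
    fw.load_fingerprints(["fp-printer", "fp-laptop"])
    fw.set_policy("fp-printer", [1, 3])
    fw.set_policy("fp-laptop", [0, 1, 2, 3])
    return fw
```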
CN201911023718.1A 2019-10-25 2019-10-25 Message forwarding method and device and message forwarding equipment Pending CN110620729A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911023718.1A CN110620729A (en) 2019-10-25 2019-10-25 Message forwarding method and device and message forwarding equipment

Publications (1)

Publication Number Publication Date
CN110620729A true CN110620729A (en) 2019-12-27

Family

ID=68926617

Country Status (1)

Country Link
CN (1) CN110620729A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20191227
