CN-122027345-A - Rule matching method and device for network traffic
Abstract
The application relates to a rule matching method and device for network traffic. The method comprises: parsing the network packets in the traffic to obtain their five-tuple information; determining, from a rule template array and based on the five-tuple information, the rule template type corresponding to the packet; determining a hash pre-filter value from the rule template type; performing a hash operation twice over the five-tuple information and the hash pre-filter value to obtain a first filtering result and a second filtering result; combining the two into a composite filtering result; and performing full rule matching only when the composite filtering result satisfies the matching condition. The method and device can greatly improve a device's traffic-processing performance, reduce the packet loss that occurs on a live network when traffic exceeds the device's processing capacity, and improve device reliability.
Inventors
- ZHANG CHENG
- ZHANG QIAN
- ZHANG NING
- CHEN JIANGYUAN
- FANG QIAN
- SUN ZHICHAO
- MA WEIQI
- YANG CHEN
- XUE BOXUAN
Assignees
- 杭州迪普信息技术有限公司
Dates
- Publication Date
- 2026-05-12
- Application Date
- 2026-03-26
Claims (10)
- 1. A method for rule matching of network traffic, comprising: parsing network packets in the network traffic to obtain corresponding five-tuple information; determining a rule template type corresponding to the network packet from a rule template array based on the five-tuple information; determining a hash pre-filter value based on the rule template type; performing a hash operation twice based on the five-tuple information and the hash pre-filter value to obtain a first filtering result and a second filtering result; obtaining a composite filtering result from the first filtering result and the second filtering result; and performing rule matching when the composite filtering result satisfies the matching condition.
- 2. The method of claim 1, further comprising: determining a rule template type for each rule according to the five-tuple information of each rule in the network device; placing rules with the same rule template type into the same rule template array; and generating a corresponding hash pre-filter value for each rule template array.
- 3. The method of claim 2, further comprising: receiving a newly issued rule; parsing the five-tuple information corresponding to the rule; determining the corresponding rule template type from the five-tuple information; and storing the rule in the corresponding rule template array according to its rule template type.
- 4. The method of claim 2, wherein generating a corresponding hash pre-filter value for each rule template array comprises: generating the hash pre-filter value according to the bit distribution over the five-tuple fields corresponding to the rule template type.
- 5. The method of claim 1, wherein performing the hash operation twice based on the five-tuple information and the hash pre-filter value to obtain the first filtering result and the second filtering result comprises: performing a first hash operation based on the five-tuple information and the hash pre-filter value to obtain the first filtering result; and performing a second hash operation based on the five-tuple information and the hash pre-filter value to obtain the second filtering result.
- 6. The method of claim 5, wherein performing the first hash operation based on the five-tuple information and the hash pre-filter value to obtain the first filtering result comprises: acquiring, from the five-tuple information, the field corresponding to the rule template type; inverting the field bit-wise and then performing a bit-wise OR with the hash pre-filter value; and performing a bit-wise AND operation on the result of that operation to obtain the first filtering result.
- 7. The method of claim 5, wherein performing the second hash operation based on the five-tuple information and the hash pre-filter value to obtain the second filtering result comprises: acquiring, from the five-tuple information, the field corresponding to the rule template type; inverting the hash pre-filter value bit-wise and then performing a bit-wise OR of the inverted hash pre-filter value with the field; and performing a bit-wise AND operation on the result of that operation to obtain the second filtering result.
- 8. The method of claim 1, wherein obtaining the composite filtering result from the first filtering result and the second filtering result comprises: performing a logical AND of the first filtering result and the second filtering result to obtain the composite filtering result.
- 9. The method of claim 1, wherein performing rule matching when the composite filtering result satisfies the matching condition comprises: when the composite filtering result equals a first preset value, determining that the matching condition is not satisfied and executing the rule-miss action; and when the composite filtering result equals a second preset value, determining that the matching condition is satisfied, performing rule matching on the network packet, and executing the corresponding rule action according to the matching result.
- 10. A rule matching device for network traffic, comprising: a parsing module for parsing network packets in the network traffic to obtain corresponding five-tuple information; a rule module for determining a rule template type corresponding to the network packet from a rule template array based on the five-tuple information; a filter value module for determining a hash pre-filter value based on the rule template type; an operation module for performing a hash operation twice based on the five-tuple information and the hash pre-filter value to obtain a first filtering result and a second filtering result; a result module for obtaining a composite filtering result from the first filtering result and the second filtering result; and a matching module for performing rule matching when the composite filtering result satisfies the matching condition.
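The procedure of claims 1 to 9, worked through in Python as an added example; this is not the patent's code, and the Rule and Packet classes, the field widths, the first-match semantics and the mask construction are this example's assumptions. A rule's template type is the set of five-tuple fields it specifies (claim 2). Each rule template array keeps an OR mask (bits set in at least one of its rules) and an AND mask (bits set in every one of its rules) as its pre-filter values, which is one reading of the "bit distribution" in claim 4. The two operations of claims 6 and 7 are implemented as ~field | mask and ~mask | field followed by an AND across all bits of the result (the AND-reduction reading of "bit-wise AND on the result"), so the first passes only when every bit set in the packet is set in some rule of the array and the second only when every bit set in all rules is present in the packet; claim 8's logical AND combines them. The claims name a single pre-filter value for both operations; with one mask the two tests together only check equality with that mask, which is why this example keeps two. The lookup also counts full rule comparisons to show the effect on the attack scenario in the background section: a packet that matches nothing is rejected by the pre-filter at zero comparisons, while a packet crafted to fit an array's masks still forces a scan of that array, so the pre-filter lowers the typical cost but not the worst case.

```python
"""Bitmask pre-filter in front of exact five-tuple rule matching (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

FIELDS = ("src_ip", "dst_ip", "src_port", "dst_port", "proto")
WIDTH = {"src_ip": 32, "dst_ip": 32, "src_port": 16, "dst_port": 16, "proto": 8}  # assumed widths


@dataclass(frozen=True)
class Rule:
    """Exact-match rule; None means the field is not part of the rule (assumed representation)."""
    action: str
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    proto: Optional[int] = None


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int


def _bits(field: str, value) -> int:
    return int(IPv4Address(value)) if field.endswith("_ip") else int(value)


def template_type(rule: Rule) -> Tuple[str, ...]:
    """Rule template type (claim 2): the five-tuple fields the rule specifies."""
    return tuple(f for f in FIELDS if getattr(rule, f) is not None)


def pack(obj, template: Tuple[str, ...]) -> int:
    """Concatenate the template's fields of a rule or packet into one integer."""
    v = 0
    for f in template:
        v = (v << WIDTH[f]) | _bits(f, getattr(obj, f))
    return v


def prefilter(field: int, or_mask: int, and_mask: int, ones: int) -> bool:
    """Claims 6-8: two screens, each an AND across all w bits, then ANDed together.
    A w-bit value AND-reduces to 1 exactly when it equals the all-ones mask.
    first : ~field | or_mask  -> every bit set in the packet is set in some rule
    second: ~and_mask | field -> every bit set in all rules is set in the packet
    """
    first = ((~field & ones) | or_mask) == ones
    second = ((~and_mask & ones) | field) == ones
    return first and second


class RuleTable:
    def __init__(self, rules: List[Rule], miss_action: str = "forward"):
        # template -> [rules, or_mask, and_mask]; the masks are the array's pre-filter values
        self.arrays: Dict[Tuple[str, ...], list] = {}
        self.miss_action = miss_action
        for r in rules:
            self.add_rule(r)

    def add_rule(self, rule: Rule) -> None:
        """Claim 3: file a newly issued rule under its template type and refresh the masks."""
        t = template_type(rule)
        ones = (1 << sum(WIDTH[f] for f in t)) - 1
        entry = self.arrays.setdefault(t, [[], 0, ones])
        v = pack(rule, t)
        entry[0].append(rule)
        entry[1] |= v  # bits set in at least one rule of the array
        entry[2] &= v  # bits set in every rule of the array

    def lookup(self, pkt: Packet) -> Tuple[str, int]:
        """Return (action, number of full rule comparisons); first matching rule wins."""
        comparisons = 0
        for t, (rules, or_mask, and_mask) in self.arrays.items():
            ones = (1 << sum(WIDTH[f] for f in t)) - 1
            field = pack(pkt, t)
            if not prefilter(field, or_mask, and_mask, ones):
                continue  # claim 9: composite result 0 -> no rule in this array can match
            for r in rules:
                comparisons += 1
                if pack(r, t) == field:
                    return r.action, comparisons
        return self.miss_action, comparisons


# Constructed sample rules and packets, not taken from the patent.
RULES = [
    Rule("drop", dst_ip="10.0.0.5", dst_port=22, proto=6),
    Rule("pass", dst_ip="10.0.0.6", dst_port=80, proto=6),
    Rule("drop", src_ip="192.168.1.7"),
]
TABLE = RuleTable(RULES)


def demo() -> Dict[str, Tuple[str, int]]:
    hit = Packet("1.1.1.1", "10.0.0.5", 40000, 22, 6)
    miss = Packet("9.9.9.9", "172.16.0.1", 1, 1, 17)
    # crafted to satisfy the first array's masks (dst 10.0.0.7, port 86 = 22|80) yet match no rule
    crafted = Packet("1.1.1.1", "10.0.0.7", 1, 86, 6)
    return {n: TABLE.lookup(p) for n, p in (("hit", hit), ("miss", miss), ("crafted", crafted))}


if __name__ == "__main__":
    for name, (action, n) in demo().items():
        print(f"{name:8s} -> {action:8s} after {n} full comparisons (naive scan: {len(RULES)})")
```

Run as a script, the three packets report 1, 0 and 2 full comparisons against a naive scan of 3. The pre-filter cannot produce a false negative here: a packet equal to some rule in the array satisfies both mask tests by construction, so the screen can only skip work, never skip a matching rule. Note also that each screen is a plain bitmask test, not a hash in the cryptographic sense, and that masks must be recomputed whenever a rule is removed from an array (the example only supports adding rules, as in claim 3).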
Description
Rule matching method and device for network traffic
Technical Field
The application relates to the field of computer information processing, and in particular to a rule matching method and device for network traffic.
Background
Inline network devices (such as firewalls, intrusion detection systems and intrusion prevention systems) are widely used to monitor and control network traffic. Such devices typically process packets according to exact-match rules issued to them in advance. An exact-match rule generally contains the five-tuple of the traffic: source IP address, destination IP address, source port, destination port and protocol type. When traffic enters the device, the device parses the five-tuple of each packet and compares it with every rule stored in the device, one rule at a time. If a rule matches, the action associated with that rule is executed (for example discard, pass or redirect); if no rule matches, a default action (for example pass-through or discard) may be executed.
This matching mechanism is a significant performance bottleneck. To guarantee that every packet entering the device is checked against the rules, the device must compare the five-tuple of each flow with each rule in turn. At high traffic rates this one-by-one matching consumes a great deal of computing resources and lowers the device's throughput; in serious cases the device cannot complete matching for all packets within the unit time, so some packets are forcibly discarded (packet loss from exceeding the device's processing capacity). The problem is most pronounced in extreme scenarios.
For example, when the device's rule-miss action is configured as "forward on miss" (packets that match no rule are forwarded directly), an attacker or test tool can send a large number of packets that match no rule under high traffic pressure; every such packet must be compared against all rules stored in the device before it is determined to be a miss and forwarded. In this case the device's time complexity reaches its maximum, the processing load rises sharply, and the number of packets actually forwarded falls far short of the number of packets entering the device, so packet loss is at its worst. A new rule matching method and device for network traffic is therefore needed.
The information disclosed in this background section is only intended to improve understanding of the background of the application and may therefore contain information that does not form prior art already known to a person of ordinary skill in the art.
Disclosure of Invention
In view of this, the application provides a rule matching method and device for network traffic, which can greatly improve a device's traffic-processing performance, reduce the packet loss caused by traffic exceeding the device's processing capacity on a live network, and improve device reliability. Other features and advantages of the application will be apparent from the following detailed description, or may be learned by practice of the application.
According to one aspect of the application, a rule matching method for network traffic is provided. The method comprises: parsing network packets in the network traffic to obtain their five-tuple information; determining a rule template type corresponding to the network packet from a rule template array based on the five-tuple information; determining a hash pre-filter value based on the rule template type; performing a hash operation twice based on the five-tuple information and the hash pre-filter value to obtain a first filtering result and a second filtering result; obtaining a composite filtering result from the first filtering result and the second filtering result; and performing rule matching when the composite filtering result satisfies the matching condition.
In an exemplary embodiment of the application, the method further comprises determining a rule template type for each rule according to the five-tuple information of each rule in the network device, placing rules with the same rule template type into the same rule template array, and generating a corresponding hash pre-filter value for each rule template array.
In an exemplary embodiment of the application, the method further comprises receiving a newly issued rule, parsing the five-tuple information corresponding to the rule, determining the rule template type corresponding to the rule from its five-tuple information, an