CN104113516A - Method and terminal for recognizing rule conflicts of firewalls - Google Patents

Abstract

Embodiments of the present invention provide a method and a terminal for identifying rule conflicts in a firewall. Multiple data packet sets are defined for each rule in the firewall, and each data packet set stores data packets that have different associations with the rules; Define the conflict type of rule conflicts between the rules; construct a directed acyclic rule decision tree for the current rule, and identify the conflict type of rule conflicts between the current rule and other rules based on the current rule decision tree; The conflict type traces back the source of the conflict to find the conflict rule that caused the conflict, and the set of packets defined in the conflict rule that caused the rule conflict. For the multiple data packet sets defined for each rule and the division of conflict types, a directed acyclic rule decision tree is constructed for each rule, based on the relationship between the multiple data packet sets of each rule. Conflict type identification can identify conflicts between more than two rules.

Description

A method and terminal for identifying firewall rule conflicts

technical field

The invention relates to firewall technology, in particular to a method and terminal for identifying conflicts of firewall rules. the

Background technique

The rules of the firewall are similar to the structure of the access control list (ACL), including three parts: serial number, judgment domain and behavior. The judgment field can be composed of any fields in the IP, TCP, UDP, and ICMP headers. The judgment field in practical applications usually includes the protocol, source IP address, source port number, destination IP address, and destination port number. action taken. The firewall adopts the principle of sequential matching. When a data packet arrives at the firewall, the firewall first matches the data packet sequentially starting from the first rule. If it matches, it will take corresponding actions according to the behavior defined by the rule: Deny means to discard the data packet, Accept Indicates that the data packet is received, otherwise, continue to detect whether the data packet matches the second rule, and so on to the last rule. The last rule is called the default rule, which usually discards all data packets. the

The currently mature firewall rule detection conflict algorithm is a state transition graph-based detection conflict algorithm proposed by Ehab S.Al-Shaer and Hazem H.Hamed, which defines the start state: start; final state: shadowed, redundant, general, correlated, none; intermediate state: redundant? , shadow?, generalize?, etc., a total of 15 states. Any two rules r _x and r _y match the protocol (protocol), source IP address + source port number (src), destination IP address + destination port number (dst), and action (action) in sequence, and traverse the entire transition graph according to the matching results , and finally draw whether r _x and _ry conflict.

The algorithm defines any two rule conflicts as covering conflicts, association conflicts, generalization conflicts and redundancy conflicts. the

Coverage conflict (Shadowed) means that the data packet defined by the rule _ry judgment domain is completely covered by the preceding rule r _x , and the rule _ry follows the principle of sequential matching of the firewall. If it does not match any data packets, _ry becomes invalid.

Correlated conflict means that the part of the data packet defined by the decision domain of the rule _ry is covered by the preceding rule r _x , and the behaviors defined by r _x and _ry are different. If the positions of r _x and r _y are exchanged, the firewall will take different actions for the data packets matched by the two rules, and the firewall policy configuration will be changed.

Generalization conflict (General) means that the data packet defined by the decision domain of rule r _x is completely covered by the rule r _y behind it, and the behaviors defined by r _x and r _y are different. If the positions of r _x and r _y are exchanged, the rule r _x does not match any data, and causes the firewall to take different behaviors for the data packets defined by r _x , changing the firewall policy configuration.

Redundant conflict means that the data packet defined by the rule r _x decision domain is completely covered by the subsequent rule ry _y , and the behavior defined by r _x and ry _y is the same. Although redundant conflicts will not cause changes to the firewall policy, due to the increase in the number of firewall rules, the matching time of the firewall is increased and the efficiency of the firewall is reduced.

The conflict detection algorithm based on the state transition graph is simple and easy to implement, but there are the following problems: First, the conflict classification and conflict detection algorithm can only be applied between any two rules, and cannot be extended to the conflict classification between multiple rules and conflict detection; secondly, although the algorithm can provide the rule number that caused the conflict, it cannot provide more detailed conflict source information. For example, if the algorithm detects that rule r _y is covered by rule r _x , the rule that causes conflict is r _x , but can't get which part of the data packet defined by rule r _x causes coverage conflict, and this is the information that is more urgently needed in firewall management.

Contents of the invention

The technical problem to be solved by the present invention is to provide a method and terminal for identifying firewall rule conflicts. The existing conflict classification and conflict detection algorithms can only be applied between any two rules and cannot provide more detailed information. Deficiency of conflicting source information. the

In order to solve the above technical problems, the embodiment of the present invention provides a method for identifying rule conflicts of firewalls, including: defining multiple data packet sets for each rule in the firewall, and each data packet set stores and rules exist between Data packets with different association relationships; define the conflict type of rule conflicts between rules; build a directed acyclic rule decision tree for a current rule, and identify the relationship between the current rule and other rules based on the rule decision tree of the current rule The conflict type of the rule conflict that occurs; according to the conflict type, the conflict source is traced back to find out the conflict rule causing the conflict, and the data packet set defined in the conflict rule that caused the rule conflict. the

In the described method, multiple data packet sets are defined for each rule in the firewall, and each data packet set stores data packets with different association relationships with the rules, specifically including: having d judgment fields F ₁ , ..., F _d' s firewall contains n rules r ₁ , r ₂ ,..., r _n , for a rule r _i define four data packet sets: matching set R _i represents the data packet set defined by rule _ri ; decision The set E _i represents the set of data packets first matched by the rule _ri according to the principle of sequential matching by the firewall, satisfying Coverage set, which means the set of data packets matched by the rules in front of the rule r _i , satisfying M _i ＝M _i-1 ∪E _i-1 ; the co-matching set S _i represents the data packet set matched by the rule after the rule _ri , and has the same behavior as the rule _ri .

In the described method, the conflict type of the rule conflict occurring between the definition rules specifically includes: complete coverage conflict, any data packet defined by the current rule matches the rule located in front of the current rule, and the current rule is completely covered by the previous rule , the current rule is invalid; partial coverage conflict, part of the data packet defined by the current rule matches the rule located in front of the current rule, and the current rule is partially covered by the previous rule; full coverage conflict and partial coverage conflict are collectively referred to as coverage conflict; redundant conflict , the current rule is not completely covered by the previous rules, and any data packet in the decision set matches the rules after the current rule, and the behavior of the current rule is the same as that of the subsequent rules. the

In the method, the decision set and coverage set in the multiple data packet sets of the current rule are obtained according to the corresponding rule decision tree, specifically including: when the current rule is r _i , the previous rule r _i-1 The rule decision tree is t _i-1 , the first judgment domain of the current rule r _i and the root node of the rule decision tree t _i-1 are taken as the input of the rule decision tree t _i of the current rule r _i , and the newly added edge The corresponding path is included in the decision set E _i of the current rule r _i , and the decision set E _i is solved, where the root node is the first decision field of the first rule of the current rule r _i ; the coverage set of the current rule r _i in accordance with M _i =M _i-1 ∪E _i-1 is obtained.

In the described method, for a firewall with d decision domains F ₁ ,...,F _d , a rule decision tree t satisfies: feature 1, t has one and only one root node without incoming edges, and no outgoing edges is called a leaf node; feature 2, any node v in t has a label F(v), if the node v is not a leaf node, the label F(v)∈F ₁ ,...,F _d , if the node v is a leaf node, Label F(v) receives data packets or discards data packets; feature 3, any edge e:u in t has a label I(e), and I(e) is a non-empty subset of the value range of the label of node u; Feature 4, the path from the root node to the leaf node in t constitutes a rule; feature 5, the outbound packet set E(v) of any node v in t satisfies the condition that any two different Edges e and e' have I(e)∩I(e').

In the described method, based on the rule decision tree of the current rule, the conflict type of the rule conflict occurring between the current rule and the rest of the rules is identified, including: Step 1, according to the rule decision tree corresponding to each current rule, the multiplicity of the current rule is obtained. The decision set and coverage set in the data packet set, step 2, if the decision set of the current rule is empty, the current rule is completely covered, go to step 5; step 3, if the decision set and the matching set of the current rule are equal, the current rule and the matching set are equal If there is no rule conflict among the remaining rules, execute step 5; step 4, identify partial coverage conflict; identify redundant conflict; step 5, exit current rule conflict identification. the

In the method described, a partial coverage conflict is identified, if the current rule r _i satisfies And E _i ≠ R _i , it is determined that a partial coverage conflict has occurred between the current rule and the rest of the rules; identify redundant conflicts, and construct the matching set S _i of the current rule r _i , if there is and It is determined that a redundant conflict has occurred between the current rule and the rest of the rules.

In the described method, constructing the co-assignment set S _i of the current rule r _i specifically includes: initializing the co-assignment set of the current rule as an empty set; constructing successive rules from the next rule to the last rule of the current rule The rule decision tree of the current rule is obtained, and the decision set of each subsequent rule is obtained, and the decision set corresponding to the subsequent rule with the same behavior as the current rule is merged into the matching set S _i of the current rule.

In the method, the conflict source is traced back according to the conflict type to find out the conflict rule causing the conflict, and the set of data packets defined in the conflict rule that caused the rule conflict, specifically including: if the current rule r _i generates For coverage conflicts, the conflict source is R _i ∩ M _i ; if the current rule _ri generates redundancy conflicts, the conflict source is E _i ∩ S _i .

A terminal for identifying rule conflicts of a firewall, comprising: a data packet set definition unit, configured to define multiple data packet sets for each rule in the firewall, each data packet set stores and has different associations with the rules Data package; conflict definition unit, used to define the conflict type of rule conflicts between rules; rule decision tree unit, used to build a directed acyclic rule decision tree for a current rule, based on the rule decision of the current rule The tree identifies the conflict type of the rule conflict that occurs between the current rule and the rest of the rules; the conflict source traceback unit is used to trace the conflict source according to the conflict type to find the conflict rule that caused the conflict, and the rule conflict defined in the conflict rule set of packets. the

The beneficial effects of the above-mentioned technical solution of the present invention are as follows: for each rule in the firewall, a plurality of data packet sets and the division of conflict types are defined, and a directed acyclic rule decision tree is respectively constructed for each rule, Conflict type identification based on the relationship between multiple data packet sets of each rule can identify conflicts between more than two rules, and trace back the conflict source according to the intersection of different data packet sets to find out The conflict rule that caused the conflict and the data packet set that caused the conflict defined in the conflict rule are displayed, thus providing more detailed conflict source information. the

Description of drawings

Fig. 1 represents a schematic flow diagram of a method for identifying firewall rule conflicts;

FIG. 2 shows a schematic flow chart of conflict identification. the

Detailed ways

In order to make the technical problems, technical solutions and advantages to be solved by the present invention clearer, the following will describe in detail with reference to the drawings and specific embodiments. the

In the present invention, improvements are made in aspects such as firewall formal definition, conflict type classification, conflict type classification, and firewall conflict source traceability. the

Embodiments of the present invention provide a method for identifying rule conflicts of firewalls, as shown in Figure 1, including:

Step 101, for each rule in the firewall, multiple data packet sets are defined, and each data packet set stores data packets with different association relationships with the rules;

Step 102, defining conflict types of rule conflicts occurring between rules;

Step 103, constructing a directed acyclic rule decision tree for a current rule, and identifying the conflict type of rule conflicts between the current rule and the rest of the rules based on the rule decision tree of the current rule;

Step 104, trace back the source of the conflict according to the conflict type to find out the conflict rule causing the conflict, and the set of data packets defined in the conflict rule that caused the rule conflict. the

Using the technology provided, for each rule in the firewall to define multiple data packet sets and the division of conflict types, build a directed acyclic rule decision tree for each rule, based on each rule Conflict type identification is performed on the interrelationship of multiple data packet sets, which can identify conflicts between more than two rules, and trace back the source of conflicts according to the intersection of different data packet sets to find out the conflicts that cause conflicts rule, and the set of packets defined in the conflict rule that caused the conflict, thus providing more detailed information about the source of the conflict. the

Regarding the formal definition of firewall, in order to make the provided technology adaptable to various firewalls, a formal method is used to define firewall f. the

In a preferred embodiment, a firewall with d decision domains F ₁ ,...,F _d contains n rules r ₁ , r ₂ ,...,r _n , and four data packet sets are defined for one rule r _i :

Matching Set (Matching Set) R _i , which represents the data packet set defined by the rule r _i ;

Evaluating Set (Evaluating Set) E _i , represents the set of data packets matched for the first time by rule _ri according to the principle of sequential matching by the firewall, satisfying

Covering set (Masking Set) M _i , which means the set of data packets matched by the rules in front of the rule r _i , satisfying M _i = M _i-1 ∪ _{E i-1} ;

Same Set (Same Set) S _i , which means the set of data packets matched by the rule after the rule _ri , and has the same behavior as the rule _ri .

In an application scenario, the data packet P has d decision fields F ₁ ,…,F _d , and the data packet P can be defined as a d-dimensional tuple (p ₁ ,…,p _d ), p ₁ ∈ D( F ₁ ), wherein, D(F _j ) is the value range of the decision domain F _i , which is a non-negative integer segment or a data packet set.

A firewall f with d decision domains F ₁ ,…,F _d contains n rules r ₁ ,r ₂ ,…,r _n , denoted as f<r ₁ ,r ₂ ,…,r _n ＞, rule r _i ( 1≤i≤n) is defined as: <t>^(F ₁ ∈ S ₁ )^…^(F _d ∈ _{S d} )→<action>, where S _i (1≤i≤d) is D(F _j ), and action is the behavior defined by the rule, such as: deny and accept.

For rule r _i define the following 4 packet sets:

Matching Set (Matching Set) R _i , which represents the data packet set defined by the rule r _i ;

Evaluating Set (Evaluating Set) E _i , which means according to the principle of sequential matching of firewalls, the set of data packets matched by rule r _i , then

Covering set (Masking Set) M _i , which represents the set of data packets matched by the rules in front of the rule r _i , M _i -M _i-1 ∪ _{E i-1} ;

Same Set (Same Set) S _i means the set of data packets matched by the rule _ri , and has the same behavior as the rule _ri .

Regarding the classification of conflict types, firewall conflicts are classified, and the definitions of different conflict types are provided. In a preferred embodiment, the conflict types of rule conflicts occurring between definition rules specifically include:

Complete coverage conflict, any packet defined by the current rule matches the rule in front of the current rule, the current rule is completely covered by the previous rule, and the current rule becomes invalid;

Partial coverage conflict, part of the data packets defined by the current rule match the rule in front of the current rule, and the current rule is partially covered by the previous rule;

Full coverage conflicts and partial coverage conflicts are collectively referred to as coverage conflicts;

Redundant conflicts, the current rule is not completely covered by the previous rules, any data packets in the decision set match the rules after the current rule, and the behavior of the current rule is the same as that of the subsequent rules. the

The current rule may be any rule, for example, the current rule is specifically the i-th rule r _i .

The conflict classification provided by the embodiment is not only applicable to any two rules, but also can be extended to any number of rules. the

In an application scenario, fully masked means that any data packet defined by the current rule matches the preceding rule, the current rule is completely covered by the previous rule, and the current rule becomes invalid. That is, the decision set of the current rule is an empty set, and its formal expression is: the rule r _i is completely covered, if

Partially Masked means that the partial (non-complete) data packet defined by the current rule r _i matches the rule in front of it, and the current rule is partially covered by the rule in front of it, that is, the decision set of the current rule is its The non-empty subset of the matching set R _i is formally expressed as: the current rule r _i is partially covered, if And E _i ≠ R _i .

Full coverage and partial coverage are collectively referred to as coverage conflicts. the

Redundant conflict means that the current rule r _i is not completely covered by its previous rules, and any data packet in its decision set matches the subsequent rules after the current rule, and their behavior is the same, formally expressed as: and Indicates that the current rule _ri is redundant.

Regarding firewall conflict identification, the conflict detection algorithm includes two parts: a conflict identification algorithm and a conflict source backtracking algorithm. the

The conflict identification algorithm based on rule decision tree (RDT, Rule Decision Tree) is slightly different for coverage conflict identification and redundant conflict identification. The definition of rule decision tree is:

In a preferred embodiment, according to the corresponding rule decision tree, the decision set and coverage set in the plurality of data packet sets of the current rule are obtained, specifically including:

When the current rule is r _i , the rule decision tree of the previous rule r _i-1 is t _i-1 ,

Take the first judgment domain of the current rule r _i and the root node of the rule decision tree t _i-1 as the input of the rule decision tree t _i of the current rule r _i , and include the path corresponding to the newly added edge into the current rule r _i Judgment set E _i of , solve the decision set E _i , where the root node is the first judgment domain of the first rule of the current rule r _i ;

Covering set basis for current rule r _i M _i =M _i-1 ∪E _i-1 is obtained.

Each rule in the firewall has a directed acyclic rule decision tree. Each rule builds a tree, and the decision tree of the current rule is evolved from the rule decision tree of the previous rule. the

In a preferred embodiment, for a firewall with d decision domains F ₁ ,...,F _d , a rule decision tree t satisfies:

Feature 1, t has one and only one root node without incoming edges, and nodes without outgoing edges are called leaf nodes;

Feature 2, any node v in t has a label F(v), if the node v is not a leaf node, the label F(v)∈F ₁ ,...,F _d , if the node v is a leaf node, the label F(v ) to receive data packets or discard data packets;

Feature 3, any edge e:u in t has a label I(e), and I(e) is a non-empty subset of the value range of the label of node u;

Feature 4, the path from the root node to the leaf node in t constitutes a rule;

Feature 5, the outbound packet set E(v) of any node v in t satisfies the condition that any two different edges e and e' in E(v) have I(e)∩I(e') . the

Wherein, if node v is not a leaf node, F(v)∈F ₁ ,...,F _d , if node v is a leaf node, F(v) receives data packets or discards data packets.

Let the rule decision tree of rule i-1 be t _i-1 , take the first judgment domain of rule i and the root node of ti-1 as input, and construct the rule decision tree t _i corresponding to rule i, during the construction process In , the path corresponding to the added new edge is included in the decision set E _i of rule i to realize the solution of the rule decision set.

Among them, the root node is the first judgment domain of the first rule. According to the feature 4 of the decision tree, the path is the rule. the

The construction algorithm of the rule decision tree and the solution of the decision set are as follows:

The conflict identification algorithm based on the decision tree can identify different types of conflicts. In the process of the conflict identification algorithm for a current rule,

In a preferred embodiment, for each rule, the decision set and coverage set of the rule are obtained according to the rule decision tree. the

In an application scenario, taking the current rule as an example, the first judgment domain of the current rule and the root node (the first judgment domain of the first rule) are used as input to realize the construction of a rule decision tree corresponding to the current rule. And solve the decision set E _i corresponding to the current rule. In this way, the decision set of the current rule is obtained according to the rule decision tree, and the coverage set of the current rule is based on M _i =M _i-1 ∪E _i-1 is obtained.

After establishing the decision set and coverage set of each rule, in a preferred embodiment, the rule decision tree based on the current rule identifies the conflict type of rule conflicts between the current rule and the rest of the rules, including:

Step 1, according to the rule decision tree corresponding to each current rule, the decision set and coverage set of the multiple data packet sets of the current rule are obtained,

Step 2, if the decision set of the current rule is empty, the current rule is completely covered, go to step 5;

Step 3, if the judgment set and matching set of the current rule are equal, and there is no rule conflict between the current rule and other rules, go to step 5;

Step 4, identifying partial coverage conflicts; identifying redundant conflicts;

Step 5, exit the current rule conflict identification. the

In an application scenario, the rule decision tree based on the current rule identifies the conflict type of rule conflicts between the current rule and other rules, as shown in Figure 2, including:

Step 201, start identifying conflict types. the

Step 202 , according to the rule decision tree corresponding to each current rule, the decision set and coverage set in the plurality of data packet sets of the current rule are obtained. the

Step 203, whether the judgment set of the current rule is empty, if the judgment set is empty, go to step 204, otherwise go to step 205. the

In step 204, the judgment set of the current rule is empty, indicating that the current rule is completely covered, and then go to step 209. the

Step 205, determine whether the set is equal to the matching set, if so go to step 206, otherwise go to step 207. the

Step 206, indicating that there is no rule conflict between the current rule and other rules, go to step 209. the

Step 207, identifying partial coverage conflicts. There is no chronological sequence between step 207 and step 208, therefore, if step 208 has been executed before step 207, go to step 209 after step 207 is executed. the

Step 208, identifying redundancy conflicts. the

Step 209, exit the current rule conflict identification, and end. the

The decision tree-based conflict identification algorithm is slightly different for coverage conflict identification and redundancy conflict identification. in,

In a preferred embodiment, a partial coverage conflict is identified if the current rule _ri satisfies And E _i ≠ R _i , it is determined that a partial coverage conflict has occurred between the current rule and other rules.

In a preferred embodiment, a partial coverage conflict is identified if the current rule _ri satisfies And E _i ≠ R _i , it is determined that there is a partial coverage conflict between the current rule and other rules;

Identify redundant conflicts, construct the matching set S _i of the current rule r _i , if and It is determined that a redundant conflict has occurred between the current rule and the rest of the rules.

In a preferred embodiment, constructing the assortment set S _i of the current rule r _i specifically includes:

Initialize the matching set of the current rule as an empty set;

From the next rule of the current rule to the last rule, the rule decision tree of each subsequent rule is constructed sequentially, and the decision set of each subsequent rule is obtained,

Merge the decision set corresponding to the subsequent rule with the same behavior as the current rule into the matching set S _i of the current rule.

Regarding firewall conflict source backtracking, in a preferred embodiment, according to the conflict type, backtracking the conflict source to find out the conflict rule causing the conflict, and the set of data packets defined in the conflict rule that caused the rule conflict, specifically including:

If the current rule r _i generates a coverage conflict, the source of the conflict is R _i ∩ M _i ;

If the current rule r _i generates a redundant conflict, the conflict source is E _i ∩ S _i .

For each conflict type, the source of the conflict is searched, and the number of the rule that causes the conflict and which part of the data packet set defined by the rule causes the conflict is obtained. the

An embodiment of the present invention provides a terminal for identifying firewall rule conflicts, including:

The data packet set definition unit is used to define multiple data packet sets for each rule in the firewall, and each data packet set stores data packets that have different associations with the rules;

The conflict definition unit is used to define the conflict type of the rule conflict occurring between the rules;

The rule decision tree unit is used to construct a directed acyclic rule decision tree for a current rule, and identify the conflict type of rule conflicts between the current rule and other rules based on the rule decision tree of the current rule;

The conflict source traceback unit is configured to trace back the conflict source according to the conflict type to find out the conflict rule causing the conflict, and the set of data packets defined in the conflict rule that caused the rule conflict. the

The advantage of adopting this scheme is that it realizes the complete identification of conflicts between firewall rules, and its identification is not limited to between two rules, but can be extended to multiple rules, providing detailed information on the source of firewall rule conflicts, providing Elimination of rule conflicts provides convenience, the judgment process is simple and the results are reliable. the

The above description is a preferred embodiment of the present invention, it should be pointed out that for those of ordinary skill in the art, without departing from the principle of the present invention, some improvements and modifications can also be made, and these improvements and modifications can also be made. It should be regarded as the protection scope of the present invention. the

Claims (10)

1. A method for identifying firewall rule conflicts, comprising: For each rule in the firewall, multiple data packet sets are defined, and each data packet set stores data packets that have different associations with the rules; Conflict types that define rule conflicts that arise between rules; Construct a directed acyclic rule decision tree for a current rule, and identify the conflict type of rule conflicts between the current rule and other rules based on the rule decision tree of the current rule; The source of the conflict is traced back according to the conflict type to find out the conflict rule causing the conflict, and the set of data packets defined in the conflict rule that caused the rule conflict. 2. The method according to claim 1, characterized in that, for each rule in the firewall, a plurality of data packet sets are defined, and each data packet set stores data packets with different associations with the rules, specifically comprising : A firewall with d decision domains F ₁ ,…,F _d contains n rules r ₁ ,r ₂ ,…,r _n , for a rule r _i define four data packet sets: Matching set R _i represents the packet set defined by rule _ri ; The decision set E _i represents the packet set matched by the rule _ri for the first time according to the principle of sequential matching by the firewall, satisfying ${\mathrm{E.}}_i\&SubsetEqual;R_i;$ Coverage set, which means the set of data packets matched by the rules in front of the rule r _i , satisfying M _i = M _i-1 ∪ _{E i-1} ; The co-matching set S _i represents the packet set matched by the rule after the rule _ri , and has the same behavior as the rule _ri . 3. The method according to claim 1, characterized in that, defining the conflict types of rule conflicts occurring between rules specifically includes: Complete coverage conflict, any packet defined by the current rule matches the rule in front of the current rule, the current rule is completely covered by the previous rule, and the current rule becomes invalid; Partial coverage conflict, some data packets defined by the current rule match the rule before the current rule, and the current rule is partially covered by the previous rule; Full coverage conflicts and partial coverage conflicts are collectively referred to as coverage conflicts; Redundant conflicts, the current rule is not completely covered by the previous rules, any data packets in the decision set match the rules after the current rule, and the behavior of the current rule is the same as that of the subsequent rules. 4. The method according to claim 2, wherein, according to the corresponding rule decision tree, the determination set and the coverage set in a plurality of data packets of the current rule are obtained, specifically comprising: When the current rule is r _i , the rule decision tree of the previous rule r _i-1 is t _i-1 , Take the first judgment domain of the current rule r _i and the root node of the rule decision tree t _i-1 as the input of the rule decision tree t _i of the current rule r _i , and include the path corresponding to the newly added edge into the current rule r _i Judgment set E _i of , solve the decision set E _i , where the root node is the first judgment domain of the first rule of the current rule r _i ; Covering set basis for current rule r _i M _i =M _i-1 ∪E _i-1 is obtained. 5. The method according to claim 4, characterized in that, for a firewall with d decision domains F ₁ ,..., F _d , a rule decision tree t satisfies: Feature 1, t has one and only one root node without incoming edges, and nodes without outgoing edges are called leaf nodes; Feature 2, any node v in t has a label F(v), if the node v is not a leaf node, the label F(v)∈F ₁ ,...,F _d , if the node v is a leaf node, the label F(v) receives packet or drop the packet; Feature 3, any edge e:u in t has a label I(e), and I(e) is a non-empty subset of the value range of the label of node u; Feature 4, the path from the root node to the leaf node in t constitutes a rule; Feature 5, the outbound packet set E(v) of any node v in t satisfies the condition that any two different edges e and e' in E(v) have I(e)∩I(e') . 6. The method according to claim 5, wherein, based on the rule decision tree of the current rule, the conflict type of the rule conflict occurring between the current rule and the remaining rules is identified, comprising: Step 1, according to the rule decision tree corresponding to each current rule, the decision set and coverage set of the multiple data packet sets of the current rule are obtained, Step 2, if the decision set of the current rule is empty, the current rule is completely covered, go to step 5; Step 3, if the judgment set and matching set of the current rule are equal, and there is no rule conflict between the current rule and other rules, go to step 5; Step 4, identifying partial coverage conflicts; identifying redundant conflicts; Step 5, exit the current rule conflict identification. 7. The method of claim 6, wherein, Identify partial coverage conflicts if the current rule r _i satisfies And E _i ≠ R _i , it is determined that there is a partial coverage conflict between the current rule and other rules; Identify redundant conflicts, construct the matching set S _i of the current rule r _i , if and It is determined that a redundant conflict has occurred between the current rule and the rest of the rules. 8. The method according to claim 7, characterized in that, constructing the matching set S _i of the current rule r _i specifically includes: Initialize the matching set of the current rule as an empty set; From the next rule of the current rule to the last rule, the rule decision tree of each subsequent rule is constructed sequentially, and the decision set of each subsequent rule is obtained, Merge the decision set corresponding to the subsequent rule with the same behavior as the current rule into the matching set S _i of the current rule. 9. The method according to claim 7, characterized in that, according to the conflict type, the source of the conflict is traced back to find out the conflict rule causing the conflict, and the defined packet set in the conflict rule that caused the rule conflict, specifically comprising : If the current rule r _i generates a coverage conflict, the source of the conflict is R _i ∩ M _i ; If the current rule r _i generates a redundant conflict, the conflict source is E _i ∩ S _i . 10. A terminal for identifying firewall rule conflicts, characterized in that it comprises: The data packet set definition unit is used to define multiple data packet sets for each rule in the firewall, and each data packet set stores data packets that have different associations with the rules; a conflict definition unit, configured to define a conflict type of a rule conflict occurring between rules; The rule decision tree unit is used to construct a directed acyclic rule decision tree for a current rule, and identify the conflict type of rule conflicts between the current rule and other rules based on the rule decision tree of the current rule; The conflict source traceback unit is configured to trace back the conflict source according to the conflict type to find out the conflict rule causing the conflict, and the set of data packets defined in the conflict rule that caused the rule conflict.