[go: up one dir, main page]

CN117336240B - IP five-tuple matching method and system under high-capacity rule - Google Patents

IP five-tuple matching method and system under high-capacity rule Download PDF

Info

Publication number
CN117336240B
CN117336240B CN202311344590.5A CN202311344590A CN117336240B CN 117336240 B CN117336240 B CN 117336240B CN 202311344590 A CN202311344590 A CN 202311344590A CN 117336240 B CN117336240 B CN 117336240B
Authority
CN
China
Prior art keywords
rule
hash table
matching
tuple
trie
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202311344590.5A
Other languages
Chinese (zh)
Other versions
CN117336240A (en
Inventor
刘俊豪
李丽娟
原小卫
吴颖
霍曦
李晨华洋
汪俊贵
李於铭
荆卫
胡贞松
廉浩
李毕
张驰
李兴坤
姜鑫
范有东
段军
邹昆
刘越
古训
李亮
雷杨
罗强
何倩
魏鸿权
李祥
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chengdu Jiuzhou Electronic Technology Co Ltd
Original Assignee
Chengdu Jiuzhou Electronic Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Chengdu Jiuzhou Electronic Technology Co Ltd filed Critical Chengdu Jiuzhou Electronic Technology Co Ltd
Priority to CN202311344590.5A priority Critical patent/CN117336240B/en
Publication of CN117336240A publication Critical patent/CN117336240A/en
Application granted granted Critical
Publication of CN117336240B publication Critical patent/CN117336240B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00Routing or path finding of packets in data switching networks
    • H04L45/74Address processing for routing
    • H04L45/745Address table lookup; Address filtering
    • H04L45/7453Address table lookup; Address filtering using hashing
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00Routing or path finding of packets in data switching networks
    • H04L45/48Routing tree calculation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00Routing or path finding of packets in data switching networks
    • H04L45/54Organization of routing tables
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101Access control lists [ACL]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

本发明公开了一种大容量规则下的IP五元组匹配方法及系统,方法包括:S1、根据掩码长度,将大容量的IP五元组规则划分为稀疏规则集或稠密规则集;S2、对于稀疏规则集,采用前置IP过滤法,构建其对应的IP HASH表;S3、对于稠密规则集,构建其对应的TRIE树;S4、通过对IP HASH表和TRIE树进行查询,对待匹配的IP五元组进行匹配。本发明通过对规则的分治、实现了在大容量规则下对编译期间各项指标的优化,例如编译期间内存峰值占用、编译时间,并兼顾在运行时高性能的匹配速度。基于本发明方法,使得在通用处理器上具备匹配百万级、甚至千万级IP五元组规则的能力。

The present invention discloses an IP five-tuple matching method and system under large-capacity rules, and the method comprises: S1, dividing the large-capacity IP five-tuple rules into a sparse rule set or a dense rule set according to the mask length; S2, for the sparse rule set, adopting the pre-IP filtering method to construct its corresponding IP HASH table; S3, for the dense rule set, constructing its corresponding TRIE tree; S4, matching the IP five-tuple to be matched by querying the IP HASH table and the TRIE tree. The present invention optimizes various indicators during compilation under large-capacity rules by dividing and conquering the rules, such as the peak memory occupancy and compilation time during compilation, and takes into account the high-performance matching speed during runtime. Based on the method of the present invention, the ability to match millions or even tens of millions of IP five-tuple rules is achieved on a general-purpose processor.

Description

一种大容量规则下的IP五元组匹配方法及系统A method and system for matching IP quintuples under large-capacity rules

技术领域Technical Field

本发明属于IP(Internal Protocol)通信技术领域,具体涉及一种大容量规则下的IP五元组匹配方法及系统。The invention belongs to the field of IP (Internal Protocol) communication technology, and in particular relates to an IP quintuple matching method and system under a large-capacity rule.

背景技术Background technique

IP五元组是一个通信术语,英文名称为five-tuple或5-tuple,通常指由源IP(source IP),源端口(source port),目标IP(destination IP),目标端口(destinationport),4层通信协议(the layer 4protocol)等5个字段来表示一个会话。IP quintuple is a communication term, the English name is five-tuple or 5-tuple, which usually refers to a session represented by five fields such as source IP, source port, destination IP, destination port, and the layer 4 protocol.

在网络安全领域,随着网络威胁的日益增长,IP五元组规则的规则容量需求迅速增长到百万数量级。基于五元组的包过滤技术常用于网络数据包分析和包分类领域,例如防火墙和路由器中的访问控制列表ACL(Access Control List)。当前基于TRIE树的IP匹配方法在匹配时性能较好,但是在编译阶段的内存爆炸式增长、编译速度慢使得它只适用于20万条以内小规模的规则集;在百万级规则时,因为内存或编译速度等原因而无法使用。In the field of network security, with the increasing number of network threats, the rule capacity demand for IP five-tuple rules has rapidly increased to the order of millions. Five-tuple-based packet filtering technology is often used in the field of network data packet analysis and packet classification, such as access control lists (ACLs) in firewalls and routers. The current TRIE tree-based IP matching method has good performance in matching, but the explosive growth of memory in the compilation stage and the slow compilation speed make it only suitable for small-scale rule sets within 200,000; when there are millions of rules, it cannot be used due to memory or compilation speed.

发明内容Summary of the invention

针对现有技术中的上述不足,本发明提供的大容量规则下的IP五元组匹配方法及系统解决了现有的IP五元组匹配方法在规则容量过大时,无法使用的问题。In view of the above-mentioned deficiencies in the prior art, the IP five-tuple matching method and system under large-capacity rules provided by the present invention solve the problem that the existing IP five-tuple matching method cannot be used when the rule capacity is too large.

为了达到上述发明目的,本发明采用的技术方案为:一种大容量规则下的IP五元组匹配方法,包括以下步骤:In order to achieve the above-mentioned invention object, the technical solution adopted by the present invention is: an IP quintuple matching method under a large-capacity rule, comprising the following steps:

S1、根据掩码长度,将大容量的IP五元组规则划分为稀疏规则集或稠密规则集;S1. Divide the large-capacity IP five-tuple rules into sparse rule sets or dense rule sets according to the mask length;

S2、对于稀疏规则集,采用前置IP过滤法,构建其对应的IP HASH表;S2. For sparse rule sets, use the pre-IP filtering method to build the corresponding IP HASH table;

S3、对于稠密规则集,构建其对应的TRIE树;S3. For a dense rule set, construct its corresponding TRIE tree;

S4、通过对IP HASH表和TRIE树进行查询,对待匹配的IP五元组进行匹配。S4. Match the IP quintuples to be matched by querying the IP HASH table and the TRIE tree.

进一步地,所述步骤S1中,将IP五元组中源IP和目的IP任意一个掩码长度大于预设掩码长度阈值的IP五元组规则划分为稀疏规则集,反之划分为稠密规则集。Furthermore, in step S1, the IP quintuple rules whose mask length of any one of the source IP and the destination IP in the IP quintuple is greater than a preset mask length threshold are divided into a sparse rule set, otherwise they are divided into a dense rule set.

进一步地,所述步骤S2中,构建的IP HASH表包括源IP HASH表和目的IP HASH表;构建IP HASH表的方法为:Furthermore, in step S2, the constructed IP HASH table includes a source IP HASH table and a destination IP HASH table; the method for constructing the IP HASH table is:

S21、将IP五元组规则中源IP或目的IP中掩码长度较大的IP地址作为前置过滤规则;S21, using the IP address with a larger mask length in the source IP or destination IP in the IP five-tuple rule as a pre-filtering rule;

S22、对作为前置过滤规则的IP地址进行IP展开,并作为前置规则插入到IP HASH表中;S22, perform IP expansion on the IP address used as the pre-filtering rule, and insert it into the IP HASH table as the pre-rule;

S23、将前置过滤规则的IP地址作为IP HASH表的key,将剩余规则作为Value存储在IP HASH表中。S23. Use the IP address of the pre-filtering rule as the key of the IP HASH table, and store the remaining rules as the Value in the IP HASH table.

进一步地,所述步骤S3中,构建TRIE树的方法具体为:Furthermore, in step S3, the method for constructing the TRIE tree is specifically as follows:

S31、按照预设步长对IP五元组的各规则展开,并逐级插入到TRIE数中,构建单个规则的TRIE树;S31, expand each rule of the IP quintuple according to a preset step length, and insert it into the TRIE tree level by level to construct a TRIE tree of a single rule;

S32、将各单个规则的TRIE树合并添加到全局的TRIE树中,作为稠密规则集的TRIE树。S32. Merge the TRIE trees of the individual rules and add them into the global TRIE tree as the TRIE tree of the dense rule set.

进一步地,所述步骤S31中,将各单个规则的TRIE树合并添加到全局的TRIE树中时,先搜索相同路径下的同一节点并确定其并集,将并集的分割结果作为新的节点添加至全局的TRIE树中。Furthermore, in step S31, when merging the TRIE trees of each single rule into the global TRIE tree, first search for the same node under the same path and determine its union, and then add the segmentation result of the union as a new node into the global TRIE tree.

进一步地,所述步骤S4中:Furthermore, in step S4:

对TRIE树查询时,判断TRIE树中是否存在匹配的IP五元组;When querying the TRIE tree, determine whether there is a matching IP quintuple in the TRIE tree;

若是,则匹配成功,将匹配成功的五元组规则id加入到命中结果集中;If yes, the match is successful, and the 5-tuple rule ID of the successful match is added to the hit result set;

若否,则匹配失败;If not, the match fails;

对IP HASH表查询时,提取其中的源IP和目的IP,判断源IP和目的IP地址是否存在于对应的IP HASH表中;When querying the IP HASH table, extract the source IP and destination IP, and determine whether the source IP and destination IP addresses exist in the corresponding IP HASH table;

若是,利用对应的IP HASH表的Value结构进行数值比较,判断后续规则是否匹配;若是,则匹配成功,将匹配成功的五元组规则id加入到命中结果集中;若否,则匹配失败;If yes, use the Value structure of the corresponding IP HASH table to perform numerical comparison to determine whether the subsequent rules match; if yes, the match is successful, and the 5-tuple rule ID of the successful match is added to the hit result set; if no, the match fails;

若否,则匹配失败。If not, the match fails.

一种IP五元组匹配系统,包括:An IP quintuple matching system, comprising:

规则集划分单元:用于对大容量的IP五元组进行规则集类型划分,包括稠密规则集和稀疏规则集;Rule set division unit: used to divide large-capacity IP quintuples into rule set types, including dense rule sets and sparse rule sets;

查询表构建单元:用于根据规则集类型构建对应的查询表,包括IP HASH表和TRIE树;Query table construction unit: used to construct a corresponding query table according to the rule set type, including an IP HASH table and a TRIE tree;

规则匹配单元:用于对待匹配IP五元组在各查询表中进行规则匹配,获得匹配结果。Rule matching unit: used to perform rule matching on the IP quintuple to be matched in each query table to obtain the matching result.

进一步地,在所述规则集划分单元中,当IP五元组中源IP和目的IP任意一个掩码长度大于预设掩码长度阈值的IP五元组规则划分为稀疏规则集,反之划分为稠密规则集。Furthermore, in the rule set division unit, when the mask length of any one of the source IP and the destination IP in the IP quintuple is greater than a preset mask length threshold, the IP quintuple rule is divided into a sparse rule set, otherwise it is divided into a dense rule set.

进一步地,在所述查询表构建单元中,对稀疏规则集构建对应的IP HASH表,其包括源IP HASH表和目的IP HASH表;所述IP HASH表中,将源IP或目的IP展开作为IP HASH表的前置规则及的key,将剩余规则作为Value存储在IP HASH表中;Furthermore, in the query table construction unit, a corresponding IP HASH table is constructed for the sparse rule set, which includes a source IP HASH table and a destination IP HASH table; in the IP HASH table, the source IP or the destination IP is expanded as a pre-rule and a key of the IP HASH table, and the remaining rules are stored as Values in the IP HASH table;

对于稠密规则集,将IP五元组各规则展开构建单个规则的TRIE树,并合并添加至全局的TRIE树中。For dense rule sets, each rule of the IP quintuple is expanded to construct a TRIE tree of a single rule, and then merged and added to the global TRIE tree.

进一步地,在所述规则匹配单元中,对于待匹配IP五元组,当TRIE树中存在待匹配IP五元组的全部规则时,则匹配成功,将待匹配IP五元组id存入命中结果集作为匹配结果;Further, in the rule matching unit, for the IP quintuple to be matched, when all the rules of the IP quintuple to be matched exist in the TRIE tree, the match is successful, and the id of the IP quintuple to be matched is stored in the hit result set as the matching result;

对于待匹配五元组,当IP HASH表中存在待匹配IP五元组的源IP或目的IP,且对应IP HASH表查找获得的剩余规则均匹配时,则匹配成功,将待匹配IP五元组id存入命中结果集作为匹配结果。For the quintuple to be matched, when the source IP or destination IP of the quintuple to be matched exists in the IP HASH table, and the remaining rules obtained by searching the corresponding IP HASH table are matched, the match is successful, and the id of the quintuple to be matched is stored in the hit result set as the matching result.

本发明的有益效果为:The beneficial effects of the present invention are:

(1)本发明通过对规则的分治、实现了在大容量规则下对编译期间各项指标的优化,例如编译期间内存峰值占用、编译时间,并兼顾在运行时高性能的匹配速度。(1) The present invention optimizes various indicators during compilation under large-capacity rules by dividing and conquering rules, such as peak memory usage and compilation time during compilation, while taking into account high-performance matching speed during runtime.

(2)基于本发明方法,使得在通用处理器上具备匹配百万级、甚至千万级IP五元组规则的能力。(2) Based on the method of the present invention, a general-purpose processor is capable of matching millions or even tens of millions of IP quintuple rules.

附图说明BRIEF DESCRIPTION OF THE DRAWINGS

图1为本发明提供的大容量规则下的IP五元组匹配方法流程图。FIG1 is a flow chart of an IP quintuple matching method under a large-capacity rule provided by the present invention.

图2为本发明提供的IP HASH表构建示意图。FIG. 2 is a schematic diagram of constructing an IP HASH table provided by the present invention.

图3为本发明提供的规则id为100的规则内容表示。FIG. 3 is a representation of the content of a rule with a rule ID of 100 provided by the present invention.

图4为本发明提供的TRIE树构建示意图。FIG4 is a schematic diagram of constructing a TRIE tree provided by the present invention.

图5为本发明提供的规则合并示意图。FIG5 is a schematic diagram of rule merging provided by the present invention.

具体实施方式Detailed ways

下面对本发明的具体实施方式进行描述,以便于本技术领域的技术人员理解本发明,但应该清楚,本发明不限于具体实施方式的范围,对本技术领域的普通技术人员来讲,只要各种变化在所附的权利要求限定和确定的本发明的精神和范围内,这些变化是显而易见的,一切利用本发明构思的发明创造均在保护之列。The specific implementation modes of the present invention are described below so that those skilled in the art can understand the present invention. However, it should be clear that the present invention is not limited to the scope of the specific implementation modes. For those of ordinary skill in the art, as long as various changes are within the spirit and scope of the present invention as defined and determined by the attached claims, these changes are obvious, and all inventions and creations utilizing the concept of the present invention are protected.

实施例1:Embodiment 1:

本发明实施例提供了一种大容量规则下的IP五元组匹配方法,如图1所示,包括以下步骤:The embodiment of the present invention provides an IP quintuple matching method under a large-capacity rule, as shown in FIG1 , comprising the following steps:

S1、根据掩码长度,将大容量的IP五元组规则划分为稀疏规则集或稠密规则集;S1. Divide the large-capacity IP five-tuple rules into sparse rule sets or dense rule sets according to the mask length;

S2、对于稀疏规则集,采用前置IP过滤法,构建其对应的IP HASH表;S2. For sparse rule sets, use the pre-IP filtering method to build the corresponding IP HASH table;

S3、对于稠密规则集,构建其对应的TRIE树;S3. For a dense rule set, construct its corresponding TRIE tree;

S4、通过对IP HASH表和TRIE树进行查询,对待匹配的IP五元组进行匹配。S4. Match the IP quintuples to be matched by querying the IP HASH table and the TRIE tree.

在本发明实施例的步骤S1中,根据硬件资源确定掩码长度阈值,一般情况下掩码长度越长在编译期间会占用更多的内存,在匹配运行期间会有更快的匹配速度,所以需要根据物理机的内存容量存在掩码长度阈值,本实施例中以测试环境为256G内存为例,选择掩码长度阈值为24。In step S1 of the embodiment of the present invention, the mask length threshold is determined according to the hardware resources. Generally, the longer the mask length is, the more memory will be occupied during compilation, and the faster the matching speed will be during matching operation. Therefore, a mask length threshold is required according to the memory capacity of the physical machine. In this embodiment, taking the test environment with 256G memory as an example, the mask length threshold is selected as 24.

在本发明实施例的步骤S1中,在大容量的IP五元组中,将IP五元组中源IP和目的IP任意一个掩码长度大于预设掩码长度阈值的IP五元组规则划分为稀疏规则集,反之划分为稠密规则集;本实施例中将IP五元组规则进行划分是因此在后续匹配时,对稠密规则的展开会产生更多的节点,而稀疏规则节点数量展开后则远小于稠密规则展开的节点数量。In step S1 of an embodiment of the present invention, in a large-capacity IP quintuple, the IP quintuple rules whose mask length of any one of the source IP and the destination IP in the IP quintuple is greater than a preset mask length threshold are divided into a sparse rule set, and vice versa, they are divided into a dense rule set; in this embodiment, the IP quintuple rules are divided so that in subsequent matching, the expansion of the dense rules will generate more nodes, and the number of sparse rule nodes after expansion is much smaller than the number of nodes when the dense rules are expanded.

在本发明实施例的步骤S2中,构建的IP HASH表包括源IP HASH表和目的IP HASH表;在本实施例中,针对稀疏规则集的规则特征,包含有明确的IP特征,采用前置IP过滤的方法,将掩码成都大于掩码长度阈值的IP展开,作为前置规则插入到HASH表中,并关联前置规则和剩余规则,具体地,本实施例步骤S2中,构建IP HASH表的方法为:In step S2 of the embodiment of the present invention, the constructed IP HASH table includes a source IP HASH table and a destination IP HASH table; in this embodiment, for the rule features of the sparse rule set, which include clear IP features, a pre-IP filtering method is adopted to expand the IPs whose masks are greater than the mask length threshold, insert them into the HASH table as pre-rules, and associate the pre-rules with the remaining rules. Specifically, in step S2 of this embodiment, the method for constructing the IP HASH table is:

S21、将IP五元组规则中源IP和目的IP中掩码长度较大的IP地址作为前置过滤规则;S21, using the IP address with the larger mask length in the source IP and the destination IP in the IP five-tuple rule as a pre-filtering rule;

S22、对作为前置过滤规则的IP地址进行IP展开,并作为前置规则插入到IP HASH表中;S22, perform IP expansion on the IP address used as the pre-filtering rule, and insert it into the IP HASH table as the pre-rule;

S23、将前置过滤规则的IP地址作为IP HASH表的key,将剩余规则作为Value存储在IP HASH表中。S23. Use the IP address of the pre-filtering rule as the key of the IP HASH table, and store the remaining rules as the Value in the IP HASH table.

本实施例中,针对IP HASH表的构建,提供如下示例:In this embodiment, the following example is provided for the construction of the IP HASH table:

选择掩码长度较大的IP地址作为前置过滤规则,例如规则id为100,规则内容为[协议为6][源IP地址192.168.255.255/16][源端口80][目的IP地址224.1.1.1/30][目的端口8888]的IP五元组规则,选取224.1.1.1/30作为过滤规则,展开之后的集合为[224.1.1.0,224.1.1.1,224.1.1.2,224.1.1.3],在计算中使用32位无符号数表示为0xe0010100,0xe0010101,0xe0010102,0xe0010103,插入到HASH表中,剩余项编码存储为tuple_plane结构,得到如图2所示的HASH表结构,在后续规则匹配时,利用hash表关联前置规则和tuple_plane,只有当前置规则命中后,再使用tuple_plane进行最后的验证是否匹配。Select an IP address with a larger mask length as the pre-filtering rule. For example, if the rule id is 100 and the rule content is [protocol is 6][source IP address 192.168.255.255/16][source port 80][destination IP address 224.1.1.1/30][destination port 8888], select 224.1.1.1/30 as the filtering rule, and the expanded set is [224.1.1.0, 224.1.1.1, 224.1.1.2, 224.1.1. 3], in the calculation, 32-bit unsigned numbers are used as 0xe0010100, 0xe0010101, 0xe0010102, 0xe0010103, which are inserted into the HASH table, and the remaining items are encoded and stored as tuple_plane structure, resulting in the HASH table structure shown in Figure 2. In the subsequent rule matching, the hash table is used to associate the previous rule and tuple_plane. Only when the previous rule hits, the tuple_plane is used for the final verification of whether it matches.

在本发明实施例的步骤S3中,针对稠密规则集,根据其规则特征,通过对IP五元组按照步长为1将掩码展开,构建深度为13级的TRIE树;具体地,构建TRIE树的方法具体为:In step S3 of the embodiment of the present invention, for the dense rule set, according to its rule characteristics, the mask is expanded for the IP quintuple with a step length of 1 to construct a TRIE tree with a depth of 13 levels; specifically, the method for constructing the TRIE tree is as follows:

S31、按照预设步长对IP五元组的各规则展开,并逐级插入到TRIE数中,构建单个规则的TRIE树;S31, expand each rule of the IP quintuple according to a preset step length, and insert it into the TRIE tree level by level to construct a TRIE tree of a single rule;

本实施例中将预设步长设置为1;In this embodiment, the preset step size is set to 1;

S32、将各单个规则的TRIE树合并添加到全局的TRIE树中,作为稠密规则集的TRIE树。S32. Merge the TRIE trees of the individual rules and add them into the global TRIE tree as the TRIE tree of the dense rule set.

本实施例中,针对TRIE树的构建,提供如下示例:In this embodiment, the following example is provided for the construction of a TRIE tree:

按照步长为1byte展开,逐级插入到TRIE树中,构建单个规则的TRIE树;Expand with a step length of 1 byte and insert into the TRIE tree level by level to build a single regular TRIE tree;

例如,对于规则id为100,规则内容为[协议为6][源IP地址192.168.255.255/16][源端口80][目的IP地址224.1.1.1][目的端口8888],在内存中占用13个字节的规则,其表示如图3所示;For example, for a rule id of 100, the rule content is [protocol is 6][source IP address 192.168.255.255/16][source port 80][destination IP address 224.1.1.1][destination port 8888], and the rule occupies 13 bytes in the memory, as shown in FIG3 ;

取第一个字节的内容6建立TRIE节点,指向第二个字节对应的节点内容为192(16进制为0xc0),重复这个过程,完成TRIE树的构建,编译后的TRIE模型图4所示,深度为13的TRIE树。Take the content 6 of the first byte to establish a TRIE node, pointing to the node content 192 (0xc0 in hexadecimal) corresponding to the second byte, and repeat this process to complete the construction of the TRIE tree. The compiled TRIE model is shown in Figure 4, a TRIE tree with a depth of 13.

在本实施例的步骤S31中,将各单个规则的TRIE树合并添加到全局的TRIE树中时,先搜索相同路径下的同一节点并确定其并集,将并集的分割结果作为新的节点添加至全局的TRIE树中。In step S31 of this embodiment, when merging the TRIE trees of each single rule into the global TRIE tree, first search for the same node under the same path and determine its union, and then add the segmentation result of the union as a new node to the global TRIE tree.

在本实施例中,对IP五元组规则192.168.255.255/16和192.168.64.255/23合并为例,其合并过程如图5所示,其中深色代表删除的节点,浅色代表合并后新的节点;其中,TRIE_A和TRIE_B拥有相同的前缀路径[192->168],第三级区间[0-255]被TRIE_B的第三级节点[64-65]分割成了三个区间[0-63],[64-65],[66-255]。In this embodiment, the merging of IP quintuple rules 192.168.255.255/16 and 192.168.64.255/23 is taken as an example, and the merging process is shown in FIG5 , wherein dark colors represent deleted nodes and light colors represent new nodes after the merging; wherein, TRIE_A and TRIE_B have the same prefix path [192->168], and the third-level interval [0-255] is divided into three intervals [0-63], [64-65], and [66-255] by the third-level node [64-65] of TRIE_B.

本发明实施例的步骤S4中:In step S4 of the embodiment of the present invention:

对TRIE树查询时,判断TRIE树中是否存在匹配的IP五元组;When querying the TRIE tree, determine whether there is a matching IP quintuple in the TRIE tree;

若是,则匹配成功,将匹配成功的五元组规则id加入到命中结果集中;If yes, the match is successful, and the 5-tuple rule ID of the successful match is added to the hit result set;

若否,则匹配失败;If not, the match fails;

对IP HASH表查询时,提取其中的源IP和目的IP,判断源IP和目的IP地址是否存在于对应的IP HASH表中;When querying the IP HASH table, extract the source IP and destination IP, and determine whether the source IP and destination IP addresses exist in the corresponding IP HASH table;

若是,利用对应的IP HASH表的Value结构进行数值比较,判断后续规则是否匹配;若是,则匹配成功,将匹配成功的五元组规则id加入到命中结果集中;若否,则匹配失败;If yes, use the Value structure of the corresponding IP HASH table to perform numerical comparison to determine whether the subsequent rules match; if yes, the match is successful, and the 5-tuple rule ID of the successful match is added to the hit result set; if no, the match fails;

若否,则匹配失败。If not, the match fails.

在本实施例中,根据编译出的数据结构源IP HASH表、目的IP HASH表和TRIE树,在匹配过程中,仅需要完成对这三张表的查询就可以完成对IP五元组的快速匹配。In this embodiment, according to the compiled data structures of the source IP HASH table, the destination IP HASH table and the TRIE tree, in the matching process, it is only necessary to complete the query of these three tables to complete the fast matching of the IP quintuple.

实施例2:Embodiment 2:

本实施例提供了实施例1中IP五元组匹配方法对应的IP五元组匹配方法的IP五元组匹配系统,包括:This embodiment provides an IP quintuple matching system of the IP quintuple matching method corresponding to the IP quintuple matching method in Embodiment 1, including:

规则集划分单元:用于对大容量的IP五元组进行规则集类型划分,包括稠密规则集和稀疏规则集;Rule set division unit: used to divide large-capacity IP quintuples into rule set types, including dense rule sets and sparse rule sets;

查询表构建单元:用于根据规则集类型构建对应的查询表,包括IP HASH表和TRIE树;Query table construction unit: used to construct a corresponding query table according to the rule set type, including an IP HASH table and a TRIE tree;

规则匹配单元:用于对待匹配IP五元组在各查询表中进行规则匹配,获得匹配结果。Rule matching unit: used to perform rule matching on the IP quintuple to be matched in each query table to obtain the matching result.

在本实施例中的规则集划分单元中,当IP五元组中源IP和目的IP任意一个掩码长度大于预设掩码长度阈值的IP五元组规则划分为稀疏规则集,反之划分为稠密规则集。In the rule set division unit in this embodiment, when the mask length of any one of the source IP and the destination IP in the IP quintuple is greater than a preset mask length threshold, the IP quintuple rule is divided into a sparse rule set, otherwise it is divided into a dense rule set.

在本实施例中的查询表构建单元中,对稀疏规则集构建对应的IP HASH表,其包括源IP HASH表和目的IP HASH表;所述IP HASH表中,将源IP或目的IP展开作为IP HASH表的前置规则及的key,将剩余规则作为Value存储在IP HASH表中;对于稠密规则集,将IP五元组各规则展开构建单个规则的TRIE树,并合并添加至全局的TRIE树中。In the query table construction unit in this embodiment, a corresponding IP HASH table is constructed for a sparse rule set, which includes a source IP HASH table and a destination IP HASH table; in the IP HASH table, the source IP or the destination IP is expanded as the preceding rule and key of the IP HASH table, and the remaining rules are stored as Values in the IP HASH table; for a dense rule set, each rule of the IP quintuple is expanded to construct a TRIE tree of a single rule, and the rules are merged and added to the global TRIE tree.

在本实施例中的规则匹配单元中,对于待匹配IP五元组,当TRIE树中存在待匹配IP五元组的全部规则时,则匹配成功,将待匹配IP五元组id存入命中结果集作为匹配结果;In the rule matching unit in this embodiment, for the IP quintuple to be matched, when all the rules of the IP quintuple to be matched exist in the TRIE tree, the match is successful, and the id of the IP quintuple to be matched is stored in the hit result set as the matching result;

对于待匹配五元组,当IP HASH表中存在待匹配IP五元组的源IP或目的IP,且对应IP HASH表查找获得的剩余规则均匹配时,则匹配成功,将待匹配IP五元组id存入命中结果集作为匹配结果。For the quintuple to be matched, when the source IP or destination IP of the quintuple to be matched exists in the IP HASH table, and the remaining rules obtained by searching the corresponding IP HASH table are matched, the match is successful, and the id of the quintuple to be matched is stored in the hit result set as the matching result.

在本实施例中,根据编译出的数据结构源IP HASH表、目的IP HASH表和TRIE树,在匹配过程中,仅需要完成对这三张表的查询就可以完成对IP五元组的快速匹配。In this embodiment, according to the compiled data structures of the source IP HASH table, the destination IP HASH table and the TRIE tree, in the matching process, it is only necessary to complete the query of these three tables to complete the fast matching of the IP quintuple.

实施例3:Embodiment 3:

本发明实施例提供了实施例1中匹配方法的对比测试实例;The embodiment of the present invention provides a comparative test example of the matching method in embodiment 1;

在本实施例中,硬件环境如下:In this embodiment, the hardware environment is as follows:

系统:CentOS Linux release 7.9.2009System: CentOS Linux release 7.9.2009

CPU:Intel(R)Xeon(R)Gold 6230R CPU@2.10GHzCPU: Intel(R) Xeon(R) Gold 6230R CPU@2.10GHz

内存:256GMemory: 256G

测试输入为1亿条IP五元组;The test input is 100 million IP quintuples;

测试结果如表1所示;The test results are shown in Table 1;

表1:本方法测试结果Table 1: Test results of this method

对比DPDK-ACL测试结果如表2所示;The comparison of DPDK-ACL test results is shown in Table 2;

表2:DPDK-ACL测试结果Table 2: DPDK-ACL test results

其中,在使用DPDK-ACL编译100W网段规则时,编译时间大于20分钟,编译内存占用大于40G,因此停止编译。When using DPDK-ACL to compile 1 million network segment rules, the compilation time is greater than 20 minutes and the compilation memory usage is greater than 40G, so the compilation is stopped.

通过上表对比可知:By comparing the above table, we can see that:

和dpdk-acl对比:Compared with dpdk-acl:

TestCase1对100W精确规则的匹配,匹配速度接近。TestCase2在100W网段规则的情况下,dpdk-acl无法处理;本发明方案能够处理,并且也能够快速完成匹配。TestCase1 matches 1 million precise rules, and the matching speed is similar. TestCase2, in the case of 1 million network segment rules, cannot be processed by dpdk-acl; the solution of the present invention can handle it and can also quickly complete the matching.

在TestCase3、TestCase4、TestCase5、TestCase6中进一步提升规则数量,增加测试压力,本发明方案也能够完成对规则的编译和快速匹配。In TestCase3, TestCase4, TestCase5, and TestCase6, the number of rules is further increased to increase the test pressure, and the solution of the present invention can also complete the compilation and fast matching of the rules.

基于此,本发明方案在少量规则时运行更快,随着规则数量的增加,匹配速度以一种平滑的趋势放慢,而非达到某一数量阈值时骤然降低。Based on this, the solution of the present invention runs faster when there are a small number of rules. As the number of rules increases, the matching speed slows down in a smooth trend rather than suddenly decreasing when a certain number threshold is reached.

本发明中应用了具体实施例对本发明的原理及实施方式进行了阐述,以上实施例的说明只是用于帮助理解本发明的方法及其核心思想;同时,对于本领域的一般技术人员,依据本发明的思想,在具体实施方式及应用范围上均会有改变之处,综上所述,本说明书内容不应理解为对本发明的限制。The present invention uses specific embodiments to illustrate the principles and implementation methods of the present invention. The description of the above embodiments is only used to help understand the method of the present invention and its core idea. At the same time, for those skilled in the art, according to the idea of the present invention, there will be changes in the specific implementation methods and application scope. In summary, the content of this specification should not be understood as a limitation on the present invention.

本领域的普通技术人员将会意识到,这里所述的实施例是为了帮助读者理解本发明的原理,应被理解为本发明的保护范围并不局限于这样的特别陈述和实施例。本领域的普通技术人员可以根据本发明公开的这些技术启示做出各种不脱离本发明实质的其它各种具体变形和组合,这些变形和组合仍然在本发明的保护范围内。Those skilled in the art will appreciate that the embodiments described herein are intended to help readers understand the principles of the present invention, and should be understood that the protection scope of the present invention is not limited to such specific statements and embodiments. Those skilled in the art can make various other specific variations and combinations that do not deviate from the essence of the present invention based on the technical revelations disclosed by the present invention, and these variations and combinations are still within the protection scope of the present invention.

Claims (3)

1. The IP five-tuple matching method under the large-capacity rule is characterized by comprising the following steps of:
S1, dividing the high-capacity IP five-tuple rule into a sparse rule set or a dense rule set according to the mask length;
s2, for the sparse rule set, constructing a corresponding IP HASH table by adopting a preposed IP filtering method;
s3, constructing a TRIE tree corresponding to the dense rule set;
S4, searching an IP HASH table and a TRIE, and matching the IP five-tuple to be matched;
In the step S1, the rule of the IP five-tuple with any one mask length greater than the preset mask length threshold value is divided into a sparse rule set, and otherwise, the rule is divided into a dense rule set;
in the step S2, the constructed IP HASH table comprises a source IP HASH table and a destination IP HASH table;
the method for constructing the IP HASH table comprises the following steps:
S21, taking an IP address with a larger mask length in a source IP or a destination IP in the IP five-tuple rule as a pre-filtering rule;
s22, carrying out IP expansion on the IP address serving as a pre-filtering rule, and inserting the IP address serving as the pre-filtering rule into an IP HASH table;
s23, taking the IP address of the pre-filtering rule as a key of an IP HASH table, and storing the remaining rule as Value in the IP HASH table;
In the step S3, the method for constructing the TRIE specifically includes:
S31, expanding each rule of the IP five-tuple according to a preset step length, and gradually inserting the rule into the TRIE number to construct a TRIE of a single rule;
S32, merging and adding the TRIE of each single rule into a global TRIE to serve as a TRIE of a dense rule set;
in the step S31, when the TRIE of each single rule is added to the global TRIE in a merging manner, the same node under the same path is searched first and the union is determined, and the division result of the union is added to the global TRIE as a new node.
2. The method for matching IP five-tuple under high-capacity rule according to claim 1, wherein in step S4:
judging whether a matched IP five-tuple exists in the TRIE or not when inquiring the TRIE;
if yes, matching is successful, and the matched five-tuple rule id is added into a hit result set;
if not, the matching fails;
when the IP HASH table is inquired, extracting a source IP and a destination IP in the IP HASH table, and judging whether the source IP and the destination IP address exist in the corresponding IP HASH table or not;
If yes, using the Value structure of the corresponding IP HASH table to carry out numerical comparison and judging whether the follow-up rules are matched; if yes, matching is successful, and the matched five-tuple rule id is added into a hit result set; if not, the matching fails;
if not, the matching fails.
3. An IP five-tuple matching system based on the IP five-tuple matching method under the high-capacity rule of any one of claims 1 to 2, comprising:
Rule set dividing unit: the rule set type classification method is used for carrying out rule set type classification on the large-capacity IP five-tuple, and comprises a dense rule set and a sparse rule set;
The lookup table construction unit: the method comprises the steps of constructing a corresponding lookup table according to rule set types, wherein the lookup table comprises an IP HASH table and a TRIE;
rule matching unit: the method comprises the steps of performing rule matching on IP five-tuple to be matched in each lookup table to obtain a matching result;
in the rule set dividing unit, when any one mask length of a source IP and a destination IP in the IP quintuple is larger than a preset mask length threshold value, dividing the IP quintuple rule into a sparse rule set, and otherwise, dividing the IP quintuple rule into a dense rule set;
In the lookup table construction unit, constructing a corresponding IP HASH table for the sparse rule set, wherein the IP HASH table comprises a source IP HASH table and a target IP HASH table; in the IP HASH table, a source IP or a destination IP is unfolded to be used as a front rule and a key of the IP HASH table, and the rest rules are stored in the IP HASH table as values;
For the dense rule set, developing each rule of the IP five-tuple to construct a TRIE of a single rule, and merging and adding the TRIE into a global TRIE;
in the rule matching unit, for the to-be-matched IP quintuples, when all rules of the to-be-matched IP quintuples exist in the TRIE, the matching is successful, and the to-be-matched IP quintuple ids are stored in a hit result set to be used as a matching result;
And for the to-be-matched quintuples, when the source IP or the destination IP of the to-be-matched IP quintuples exists in the IP HASH table and the residual rules obtained by searching the corresponding IP HASH table are matched, the matching is successful, and the to-be-matched IP quintuple id is stored into a hit result set to be used as a matching result.
CN202311344590.5A 2023-10-16 2023-10-16 IP five-tuple matching method and system under high-capacity rule Active CN117336240B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311344590.5A CN117336240B (en) 2023-10-16 2023-10-16 IP five-tuple matching method and system under high-capacity rule

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311344590.5A CN117336240B (en) 2023-10-16 2023-10-16 IP five-tuple matching method and system under high-capacity rule

Publications (2)

Publication Number Publication Date
CN117336240A CN117336240A (en) 2024-01-02
CN117336240B true CN117336240B (en) 2024-07-09

Family

ID=89290130

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311344590.5A Active CN117336240B (en) 2023-10-16 2023-10-16 IP five-tuple matching method and system under high-capacity rule

Country Status (1)

Country Link
CN (1) CN117336240B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN119071225B (en) * 2024-09-12 2025-06-10 清创网御(合肥)科技有限公司 A large and small rule tree method for quickly taking effect on new flow table rules in massive flow tables

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104468381A (en) * 2014-12-01 2015-03-25 国家计算机网络与信息安全管理中心 Implementation method for multi-field rule matching

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011127642A1 (en) * 2010-04-12 2011-10-20 华为技术有限公司 Routing table construction method and device and routing table lookup method and device
US10515015B2 (en) * 2018-03-20 2019-12-24 Mellanox Technologies Tlv Ltd. Hash table-based mask length computation for longest prefix match caching
CN110442570B (en) * 2019-06-06 2021-08-17 北京左江科技股份有限公司 BitMap high-speed fuzzy search method

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104468381A (en) * 2014-12-01 2015-03-25 国家计算机网络与信息安全管理中心 Implementation method for multi-field rule matching

Also Published As

Publication number Publication date
CN117336240A (en) 2024-01-02

Similar Documents

Publication Publication Date Title
US7089240B2 (en) Longest prefix match lookup using hash function
US10491521B2 (en) Field checking based caching of ACL lookups to ease ACL lookup search
JP6383578B2 (en) Apparatus and method for uniquely enumerating paths in a parse tree
US20050083937A1 (en) IP address lookup method using pipeline binary tree, hardware architecture, and recording medium
CN102945249B (en) A kind of policing rule matching inquiry tree generation method, matching process and device
WO2015127721A1 (en) Data matching method and apparatus and computer storage medium
CN101848248B (en) Rule searching method and device
CN111817978A (en) A kind of flow classification method and device
WO2016143405A1 (en) Retrieval device, retrieval method, program, and recording medium
CN110071871A (en) A kind of large model pool ip address matching process
CN101022407A (en) Binary tree-based stream classification checking method
CN117336240B (en) IP five-tuple matching method and system under high-capacity rule
CN113824814A (en) Address matching method and device of forwarding table, network equipment and medium
JP2014504042A (en) Packet classifier, packet classification method, and packet classification program
CN115865843B (en) Rule storage method, message processing method, device, electronic equipment and medium
CN115834340B (en) Rule storage method and device, electronic equipment and storage medium
CN107888494B (en) A package classification method and system based on community discovery
CN100488174C (en) Hardware-based differentiated organization method in stream classification
CN115473846A (en) Retrieval method and related device for router forwarding information
JP5673667B2 (en) Packet classifier, packet classification method, packet classification program
CN115714752B (en) Packet classification method and device, forwarding chip and electronic equipment
CN112437096A (en) Acceleration strategy searching method and system
CN112115312B (en) Data name searching method, system and storage medium
CN113328947B (en) Variable-length route searching method and device based on application of controllable prefix extension bloom filter
Lin et al. Improved IP lookup technology for trie-based data structures

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant