CN111901311B - A method, system, terminal and storage medium for searching firewall policy based on spatial sorting - Google Patents
- Publication number
- CN111901311B
- Authority
- CN
- China
- Prior art keywords
- policy
- list
- strategy
- port
- searched
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0263—Rule management
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Business, Economics & Management (AREA)
- General Business, Economics & Management (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Description
Technical field
The present invention relates to the technical field of firewalls, and in particular to a method, system, terminal and storage medium for searching firewall policies based on spatial sorting.
Background
The existing firewall policy search method is as follows. Let the existing policy list on the firewall be P[0..N-1], where N is the number of policies; let the policy to be searched be x; and assume that the target relationship of the search is an inclusion relationship:
Step 1: Traverse the list P and take the current policy P[i]. Compare the source address, destination address, destination port and protocol of policy x and policy P[i] to determine the inclusion relationship between P[i] and x; if P[i] contains x, save P[i] in the result list R;
Step 2: Return the list R.
The time complexity of this search method is O(N), which takes a long time.
Summary of the invention
The technical problem to be solved by the present invention is, in view of the above defect of the prior art, to provide a firewall policy search method based on spatial sorting that significantly reduces the time complexity of the algorithm and thereby significantly improves computing performance.
The present invention is implemented as follows. In the firewall policy search method based on spatial sorting provided by the present invention, the target relationship of the search is an inclusion relationship, and the search method includes the following steps:
S1: Traverse the existing policy list on the firewall, obtain the current policy of the policy list, and convert the source address, destination address and destination port of the current policy; the converted source address, destination address and destination port form a cuboid in three-dimensional space;
S2: Calculate the weight of the cuboid;
S3: End the traversal of the policy list to obtain a new policy list, and sort the new policy list in descending order;
S4: Calculate the weight of the policy to be searched according to steps S1 and S2; the policy to be searched is a search policy input from outside;
S5: Perform a binary search on the new policy list to find the minimum value that is greater than or equal to the weight of the policy to be searched;
S6: Read the sub-policy list from the new policy list, traverse the sub-policy list, and obtain its current policy; compare the protocol value, source address, destination address and port range of the policy to be searched with those of the current policy of the sub-policy list; if the comparison result is an equality or inclusion relationship, save the policy in the policy list that corresponds to the current policy of the sub-policy list to the result list;
S7: End the traversal and return the result list.
Further, the policy list is P[0..N-1], where N is the number of policies; the current policy of the policy list is P[i]; the source address of P[i] is converted into $(Src_s, Src_t)$, denoted as ; the destination address of P[i] is converted into $(Dst_s, Dst_t)$, denoted as ; the destination port of P[i] is converted into $(Port_s, Port_t)$, denoted as ; the source address, the destination address and the destination port form a cuboid in three-dimensional space, expressed as $\langle (Src_s, Dst_s, Port_s), (Src_t, Dst_t, Port_t) \rangle$ and denoted as $C_i$.
Further, the calculation method of step S2 is:
The weight of the cuboid is $W_i$. If one of the vectors has a length of 0, $W_i$ is the area of the rectangle formed by the other two vectors; if two of the vectors have a length of 0, $W_i$ is the length of the remaining vector; if all three vectors have a length of 0, $W_i$ is recorded as 0; otherwise, $W_i$ is the volume of $C_i$.
Further, the new policy list is W[0..N-1], where N is the number of policies.
Further, the policy to be searched is x, and the weight of the policy to be searched is $W_x$.
Further, the minimum value that is greater than or equal to the weight of the policy to be searched is $W_y$.
Further, the sub-policy list is $W_{0-y}$, the current policy of the sub-policy list is $W_j$, and the result list is R.
The present invention also includes a search system for implementing the firewall policy search method based on spatial sorting described above. The search system includes a storage unit, an acquisition unit, a calculation unit, a comparison unit and an output unit;
The storage unit is used to store the policy list and the new policy list described above;
The acquisition unit is used to obtain the externally input policy to be searched described above;
The calculation unit is used to implement steps S1 to S5 described above;
The comparison unit is used to implement step S6 described above;
The output unit is used to output the result list described above.
The present invention also includes a terminal comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that the processor, when executing the computer program, implements the steps of the firewall policy search method based on spatial sorting described above.
The present invention also includes a computer-readable storage medium storing a computer program, characterized in that the computer program, when executed by a processor, implements the steps of the firewall policy search method based on spatial sorting described above.
Compared with the prior art, the beneficial effect of the present invention is that the time complexity of this search method is only $O(N/2 + \log_2 N)$, a substantial reduction from the $O(N)$ time complexity of the existing search method, which significantly improves computing performance.
Description of the drawings
To illustrate the technical solutions in the embodiments of the present invention more clearly, the drawings needed in the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic flowchart of a firewall policy search method based on spatial sorting provided by an embodiment of the present invention.
FIG. 2 is a schematic diagram of the composition of a search system provided by an embodiment of the present invention.
The reference numerals in the above drawings are: 1, search system; 101, storage unit; 102, acquisition unit; 103, calculation unit; 104, comparison unit; 105, output unit.
Detailed description
To make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here are only used to explain the present invention and are not intended to limit it.
In the drawings of this embodiment, the same or similar reference numerals correspond to the same or similar components. In the description of the present invention, it should be noted that when an element is referred to as being "fixed to" another element, it can be directly on the other element or an intervening element may also be present. When an element is referred to as being "connected" to another element, it can be directly connected to the other element or an intervening element may be present at the same time. It should be understood that orientations or positional relationships indicated by terms such as "upper", "lower", "left" and "right" are based on those shown in the drawings and are used only to facilitate and simplify the description of the present invention, rather than to indicate or imply that the device or element referred to must have a specific orientation or be constructed and operated in a specific orientation. The terms describing positional relationships in the drawings are therefore for illustration only and should not be construed as limiting this patent; those of ordinary skill in the art can understand the specific meanings of the above terms according to the specific situation.
The technical solutions of the present invention are described in detail below with reference to the drawings and specific embodiments.
The present invention proposes a firewall policy search method based on spatial sorting. A preferred embodiment is shown in FIG. 1. The target relationship of the search is an inclusion relationship, and the search method includes the following steps:
S1: Traverse the existing policy list on the firewall, obtain the current policy of the policy list, and convert the source address, destination address and destination port of the current policy; the converted source address, destination address and destination port form a cuboid in three-dimensional space;
S2: Calculate the weight of the cuboid;
S3: End the traversal of the policy list to obtain a new policy list, and sort the new policy list in descending order;
S4: Calculate the weight of the policy to be searched according to steps S1 and S2; the policy to be searched is a search policy input from outside;
S5: Perform a binary search on the new policy list to find the minimum value that is greater than or equal to the weight of the policy to be searched;
S6: Read the sub-policy list from the new policy list, traverse the sub-policy list, and obtain its current policy; compare the protocol value, source address, destination address and port range of the policy to be searched with those of the current policy of the sub-policy list; if the comparison result is an equality or inclusion relationship, save the policy in the policy list that corresponds to the current policy of the sub-policy list to the result list;
S7: End the traversal and return the result list;
Here, the target relationship of the search is an inclusion relationship.
Compared with the prior art, the time complexity of the firewall policy search method based on spatial sorting provided above is only $O(N/2 + \log_2 N)$, a substantial reduction from the $O(N)$ time complexity of the existing search method, which significantly improves computing performance.
As an embodiment of the present invention, the policy list is P[0..N-1], where N is the number of policies; the current policy of the policy list is P[i]; the source address of P[i] is converted into $(Src_s, Src_t)$, denoted as ; the destination address of P[i] is converted into $(Dst_s, Dst_t)$, denoted as ; the destination port of P[i] is converted into $(Port_s, Port_t)$, denoted as ; the source address, destination address and destination port form a cuboid in three-dimensional space, expressed as $\langle (Src_s, Dst_s, Port_s), (Src_t, Dst_t, Port_t) \rangle$ and denoted as $C_i$.
As an embodiment of the present invention, the calculation method of step S2 is:
The weight of the cuboid is $W_i$. If one of the vectors has a length of 0, $W_i$ is the area of the rectangle formed by the other two vectors; if two of the vectors have a length of 0, $W_i$ is the length of the remaining vector; if all three vectors have a length of 0, $W_i$ is recorded as 0; otherwise, $W_i$ is the volume of $C_i$.
As an embodiment of the present invention, the new policy list is W[0..N-1], where N is the number of policies.
As an embodiment of the present invention, the policy to be searched is x, and the weight of the policy to be searched is $W_x$.
As an embodiment of the present invention, the minimum value that is greater than or equal to the weight of the policy to be searched is $W_y$.
As an embodiment of the present invention, the sub-policy list is $W_{0-y}$, the current policy of the sub-policy list is $W_j$, and the result list is R.
Specifically, this search method is implemented as follows:
Let the existing policy list on the firewall be P[0..N-1], where N is the number of policies; let the policy to be searched be x; assuming that the target relationship of the search is an inclusion relationship, the search steps are as follows:
S1: Traverse the list P and take the current policy P[i]; convert the source address of P[i] into $(Src_s, Src_t)$, denoted as ; convert the destination address of P[i] into $(Dst_s, Dst_t)$, denoted as ; convert the destination port of P[i] into $(Port_s, Port_t)$, denoted as ; these form the cuboid $\langle (Src_s, Dst_s, Port_s), (Src_t, Dst_t, Port_t) \rangle$ in three-dimensional space, denoted as $C_i$;
S2: Calculate the weight of $C_i$, denoted as $W_i$. The calculation method is: if one of the vectors has a length of 0, $W_i$ is the area of the rectangle formed by the other two vectors; if two of the vectors have a length of 0, $W_i$ is the length of the remaining vector; if all three vectors have a length of 0, $W_i$ is recorded as 0; otherwise, $W_i$ is the volume of $C_i$;
S3: End the traversal of the list P to obtain the list W[0..N-1], and sort W in descending order;
S4: Calculate the weight $W_x$ of policy x according to the method of steps S1 and S2;
S5: Perform a binary search on the list W to find the minimum value $W_y$ that is greater than or equal to $W_x$;
S6: Take the sub-list $W_{0-y}$ from the list W, traverse $W_{0-y}$, and take the current policy $W_j$; compare the protocol value, source address, destination address and port range of policy x and policy $W_j$; if they are equal or in an inclusion relationship, save the policy in list P that corresponds to $W_j$ to the result list R;
S7: End the traversal and return the result list R.
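The S1 to S7 procedure above, as an added Python example (not code from the patent). The `Policy` class, the "any" protocol wildcard, taking each edge length as end minus start, and the sample policies are assumptions constructed for illustration.

```python
import bisect
import ipaddress
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    proto: str    # "tcp", "udp" or "any" (assumed: "any" contains every protocol)
    src: str      # source CIDR
    dst: str      # destination CIDR
    ports: tuple  # (first, last) destination port, inclusive


def cuboid(p):
    """S1: map a policy to <(Src_s, Dst_s, Port_s), (Src_t, Dst_t, Port_t)>."""
    s, d = ipaddress.ip_network(p.src), ipaddress.ip_network(p.dst)
    lo = (int(s.network_address), int(d.network_address), p.ports[0])
    hi = (int(s.broadcast_address), int(d.broadcast_address), p.ports[1])
    return lo, hi


def weight(p):
    """S2: volume, area or length over the non-zero edges; 0 if all are zero.
    Edge length is assumed to be end - start, so a /32 or a single port is 0."""
    lo, hi = cuboid(p)
    edges = [t - s for s, t in zip(lo, hi) if t > s]
    return math.prod(edges) if edges else 0


def contains(p, x):
    """S6: True when p equals or contains x in protocol and all three ranges."""
    if p.proto != "any" and p.proto != x.proto:
        return False
    (plo, phi), (xlo, xhi) = cuboid(p), cuboid(x)
    return (all(a <= b for a, b in zip(plo, xlo))
            and all(b <= a for a, b in zip(phi, xhi)))


def build_index(policies):
    """S1-S3: weigh every policy once and sort in descending order of weight."""
    ranked = sorted(((weight(p), p) for p in policies), key=lambda wp: -wp[0])
    neg = [-w for w, _ in ranked]  # ascending keys, as bisect requires
    return ranked, neg


def prefix_len(index, x):
    """S4-S5: binary search for the end of the sub-list W[0..y], i.e. every
    entry whose weight is >= W_x (entries tied with W_y are kept)."""
    _, neg = index
    return bisect.bisect_right(neg, -weight(x))


def search(index, x):
    """S6-S7: run the full comparison only inside the prefix from S5."""
    ranked, _ = index
    return [p for _, p in ranked[:prefix_len(index, x)] if contains(p, x)]


def linear_search(policies, x):
    """The O(N) baseline from the background section."""
    return [p for p in policies if contains(p, x)]


# Constructed sample policy list P and query x (not taken from the patent).
POLICIES = [
    Policy("any-any", "any", "0.0.0.0/0", "0.0.0.0/0", (0, 65535)),
    Policy("dmz-web", "tcp", "10.0.0.0/8", "192.168.10.0/24", (80, 443)),
    Policy("db-host", "tcp", "10.1.0.0/16", "192.168.10.5/32", (5432, 5432)),
    Policy("dns", "udp", "10.0.0.0/8", "192.168.10.53/32", (53, 53)),
    Policy("wide-tcp", "tcp", "10.1.2.0/24", "192.168.10.0/24", (1, 1024)),
    Policy("single", "tcp", "10.1.2.3/32", "192.168.10.5/32", (443, 443)),
]
QUERY = Policy("x", "tcp", "10.1.2.0/24", "192.168.10.0/28", (443, 443))
INDEX = build_index(POLICIES)

if __name__ == "__main__":
    print("W_x =", weight(QUERY))
    print("candidates scanned:", prefix_len(INDEX, QUERY), "of", len(POLICIES))
    print("containing policies:", [p.name for p in search(INDEX, QUERY)])
```

The prefix cut loses no match under these assumptions: a policy that contains x has every edge at least as long as the corresponding edge of x, and non-zero integer edges are at least 1, so its weight cannot be smaller than W_x. The weight is only a necessary condition, so a query with a small weight still leaves most of the list to be compared in S6.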
The present invention also proposes a search system 1 for implementing the above search method. As shown in FIG. 2, the search system 1 includes a storage unit 101, an acquisition unit 102, a calculation unit 103, a comparison unit 104 and an output unit 105;
The storage unit 101 is used to store the policy list and the new policy list;
The acquisition unit 102 is used to obtain the externally input policy to be searched;
The calculation unit 103 is used to implement the above steps S1 to S5;
The comparison unit 104 is used to implement the above step S6;
The output unit 105 is used to output the result list.
The present invention also proposes a terminal comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that the processor, when executing the computer program, implements the steps of the above search method.
The present invention also proposes a computer-readable storage medium storing a computer program, characterized in that the computer program, when executed by a processor, implements the steps of the above search method.
Preferably, all computer programs involved in the present invention are written using existing, public, open-source program code; software programmers in the field can implement them very easily according to the technical solutions described in the embodiments of the present invention.
The above are only preferred embodiments of the present invention and are not intended to limit it. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the protection scope of the present invention.
Claims (4)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010641857.7A CN111901311B (en) | 2020-07-06 | 2020-07-06 | A method, system, terminal and storage medium for searching firewall policy based on spatial sorting |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010641857.7A CN111901311B (en) | 2020-07-06 | 2020-07-06 | A method, system, terminal and storage medium for searching firewall policy based on spatial sorting |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN111901311A (en) | 2020-11-06 |
| CN111901311B (en) | 2022-10-04 |
Family
ID=73193005
Family Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010641857.7A (Active; CN111901311B (en)) | 2020-07-06 | 2020-07-06 | A method, system, terminal and storage medium for searching firewall policy based on spatial sorting |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111901311B (en) |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112968896B (en) * | 2021-02-24 | 2022-06-24 | SHENZHEN TIANYUAN CLOUD TECHNOLOGY Co.,Ltd. | Vector compression-based firewall policy filtering method, system, terminal and storage medium |
| CN113411336B (en) * | 2021-06-21 | 2022-08-26 | SHENZHEN TIANYUAN CLOUD TECHNOLOGY Co.,Ltd. | Firewall strategy position optimization method, system, terminal and storage medium |
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110677383A (en) * | 2019-08-22 | 2020-01-10 | Ping An Technology (Shenzhen) Co., Ltd. | Firewall opening method and device, storage medium and computer equipment |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| AU2006230171B2 (en) * | 2005-03-28 | 2012-06-21 | Wake Forest University | Methods, systems, and computer program products for network firewall policy optimization |
| US20090097418A1 (en) * | 2007-10-11 | 2009-04-16 | Alterpoint, Inc. | System and method for network service path analysis |
| US10944724B2 (en) * | 2018-03-28 | 2021-03-09 | Fortinet, Inc. | Accelerating computer network policy search |
Non-Patent Citations (1)
| Title |
|---|
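| Research on using decision trees to improve firewall filtering capability; Wang Xuxiao; China Excellent Master's Theses Full-text Database, Information Science and Technology; 20100715; I139-95 * |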
Also Published As
| Publication number | Publication date |
|---|---|
| CN111901311A (en) | 2020-11-06 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US8473523B2 (en) | Deterministic finite automata graph traversal with nodal bit mapping | |
| CN101577662B (en) | Method and device for matching longest prefix based on tree form data structure | |
| CN109218301B (en) | Method and device for mapping frame header defined by software between multiple protocols | |
| US20150242429A1 (en) | Data matching based on hash table representations of hash tables | |
| CN111177476B (en) | Data query method, device, electronic device and readable storage medium | |
| JP5960863B1 (en) | SEARCH DEVICE, SEARCH METHOD, PROGRAM, AND RECORDING MEDIUM | |
| CN102955843B (en) | Method for realizing multi-key finding of key value database | |
| CN111901311B (en) | A method, system, terminal and storage medium for searching firewall policy based on spatial sorting | |
| CN114860670B (en) | File operation method of user space file system and user space file system | |
| CN113411380B (en) | Processing method, logic circuit and equipment based on FPGA (field programmable gate array) programmable session table | |
| CN104572983A (en) | Construction method based on hash table of memory, text searching method and corresponding device | |
| CN112765269B (en) | Data processing method, device, equipment and storage medium | |
| CN106416151A (en) | Multi-table hash-based lookup for group processing | |
| WO2014047863A1 (en) | Generating a shape graph for a routing table | |
| CN104579970A (en) | A policy matching method and device for IPv6 packets | |
| CN118036005A (en) | Malicious application detection method, system, equipment and medium based on simplified call graph | |
| CN114338529B (en) | Five-tuple rule matching method and device | |
| CN108595574B (en) | Database cluster connection method, device, equipment and storage medium | |
| CN112769973B (en) | Method for matching network address and network address conversion rule | |
| CN112527950A (en) | MapReduce-based graph data deleting method and system | |
| CN112968896B (en) | Vector compression-based firewall policy filtering method, system, terminal and storage medium | |
| US20160301658A1 (en) | Method, apparatus, and computer-readable medium for efficient subnet identification | |
| CN107643892A (en) | Interface processing method, apparatus, storage medium and processor | |
| CN115149962A (en) | Deterministic finite automata compression method, device, device and storage medium | |
| CN119848284B (en) | A data query method and related equipment for graph databases |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |
| | PE01 | Entry into force of the registration of the contract for pledge of patent right | Denomination of invention: A method, system, terminal, and storage medium for searching firewall policies based on spatial sorting; Granted publication date: 20221004; Pledgee: Shenzhen small and medium sized small loan Co.,Ltd.; Pledgor: SHENZHEN TIANYUAN CLOUD TECHNOLOGY Co.,Ltd.; Registration number: Y2024980011792 |
| | PC01 | Cancellation of the registration of the contract for pledge of patent right | Granted publication date: 20221004; Pledgee: Shenzhen small and medium sized small loan Co.,Ltd.; Pledgor: SHENZHEN TIANYUAN CLOUD TECHNOLOGY Co.,Ltd.; Registration number: Y2024980011792 |