计算机应用
COMPUTER APPLICATION
2015
Issue z1
Pages 22-24, 28 (4 pages in total)
乔龙飞 (Qiao Longfei), 刘剑英 (Liu Jianying), 郑建生 (Zheng Jiansheng)
network firewall; Netfilter/Iptables; packet matching; Bsearch
Traditional network firewalls use a linear packet matching algorithm that is inefficient and makes complex rules and tables hard to maintain. To address this, this paper proposes and implements Salist (simple address list), an efficient and flexible Netfilter extension framework for filtering on IP address sets. Salist consists of a table management module based on kernel virtual files, an in-table rule management module that automatically deduplicates, merges and sorts IP address sets, and an efficient packet matching module based on the Bsearch (binary search) algorithm. Theoretical analysis and practical testing show that Salist reduces the time complexity of packet matching from the O(n) of traditional linear matching to O(log n), that rule merging reduces the kernel memory occupied by rule tables by more than 10%, and that keeping each rule set in its own file in kernel space simplifies maintenance of rule sets. The results show that deploying Salist in core network devices can greatly increase the packet forwarding rate while reducing the memory footprint and management burden of rules.
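The rule-management and packet-matching steps the abstract describes, as an added example in userspace C that is not code from the paper or from the Salist framework itself: a constructed IP address set is normalised (sorted, deduplicated, with overlapping and adjacent ranges merged) and a packet address is then matched with the C library's bsearch(). The function names (cidr_to_range, normalise, cmp_key, sample_match), the SAMPLE_SET list and the probe addresses are assumptions made for this example; the real framework runs as a Netfilter kernel module and uses its own data structures.

```c
/* Added example, not code from the Salist paper: a userspace model of the steps the
 * abstract describes. An IP address set is normalised (sorted, deduplicated, overlapping
 * and adjacent ranges merged) and a packet address is then matched with the C library's
 * bsearch(), O(log n) instead of a linear O(n) scan. The real framework is a Netfilter
 * kernel module; the CIDR list below is constructed for this example. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct range { uint32_t lo, hi; };  /* inclusive IPv4 range, host byte order */

/* Parse "a.b.c.d" or "a.b.c.d/prefix" into an inclusive range; 0 on success. */
static int cidr_to_range(const char *cidr, struct range *r)
{
    char buf[32];
    struct in_addr a;
    int prefix = 32;
    if (strlen(cidr) >= sizeof buf) return -1;
    strcpy(buf, cidr);
    char *slash = strchr(buf, '/');
    if (slash) { *slash = '\0'; prefix = atoi(slash + 1); }
    if (prefix < 0 || prefix > 32 || inet_pton(AF_INET, buf, &a) != 1) return -1;
    uint32_t mask = prefix == 0 ? 0 : 0xFFFFFFFFu << (32 - prefix);
    r->lo = ntohl(a.s_addr) & mask;
    r->hi = r->lo | ~mask;
    return 0;
}

/* qsort() order by lower bound; entries with equal lower bounds merge later anyway. */
static int cmp_range(const void *a, const void *b)
{
    const struct range *x = a, *y = b;
    return x->lo < y->lo ? -1 : x->lo > y->lo;
}

/* Sort the table, then collapse duplicates and overlapping or adjacent ranges in
 * place. Returns the entry count left, which is the n that bsearch() works on. */
static size_t normalise(struct range *t, size_t n)
{
    if (n == 0) return 0;
    qsort(t, n, sizeof *t, cmp_range);
    size_t out = 0;
    for (size_t i = 1; i < n; i++) {
        int overlaps = t[i].lo <= t[out].hi;
        int adjacent = t[out].hi != UINT32_MAX && t[i].lo == t[out].hi + 1;
        if (overlaps || adjacent) {
            if (t[i].hi > t[out].hi) t[out].hi = t[i].hi;  /* extend current entry */
        } else {
            t[++out] = t[i];                                /* start a new entry */
        }
    }
    return out + 1;
}

/* bsearch() comparator: key is a packet address, element is a range. Sound only
 * because normalise() left the ranges sorted and disjoint. */
static int cmp_key(const void *k, const void *e)
{
    uint32_t ip = *(const uint32_t *)k;
    const struct range *r = e;
    return ip < r->lo ? -1 : ip > r->hi;
}

/* Constructed sample set: a duplicate, a contained range, an adjacent block and two
 * adjacent single hosts, so merging visibly shrinks it. */
static const char *const SAMPLE_SET[] = {
    "10.0.0.0/24", "10.0.0.0/24", "10.0.0.128/25", "10.0.1.0/24",
    "192.168.1.10", "172.16.0.0/12", "192.168.1.11",
};
#define SAMPLE_N (sizeof SAMPLE_SET / sizeof SAMPLE_SET[0])

/* Build the normalised table from SAMPLE_SET; returns its entry count, 0 on error. */
static size_t build_sample(struct range *t)
{
    for (size_t i = 0; i < SAMPLE_N; i++)
        if (cidr_to_range(SAMPLE_SET[i], &t[i]) != 0) return 0;
    return normalise(t, SAMPLE_N);
}

/* Entry count after merging: the 7 raw rules collapse to 3 table entries. */
size_t sample_table_size(void)
{
    struct range t[SAMPLE_N];
    return build_sample(t);
}

/* O(log n) lookup: 1 if addr (dotted quad) is inside the merged sample set,
 * 0 otherwise (also 0 if addr does not parse). */
int sample_match(const char *addr)
{
    struct range t[SAMPLE_N], key;
    size_t n = build_sample(t);
    if (n == 0 || cidr_to_range(addr, &key) != 0) return 0;
    return bsearch(&key.lo, t, n, sizeof *t, cmp_key) != NULL;
}
```

The merge step is what makes the bsearch() comparator sound: comparing a single address against a range is only a valid ordering when the ranges are sorted and disjoint, so deduplication and merging are a precondition for the O(log n) lookup, not just an optimisation. Counting entries before and after normalise() also shows where the abstract's memory saving comes from: the seven constructed rules collapse to three table entries.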