Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In order to improve the processing performance of network equipment, embodiments of the present invention provide a message processing method, apparatus, network equipment, and machine-readable storage medium.
First, a method for processing a message according to an embodiment of the present invention is described below.
An execution main body of the message processing method provided in the embodiment of the present invention may be a network device, and according to different service functions, the network device may be a firewall device or a network security device such as a DPI (Deep Packet Inspection) device, and may also be a data switching device such as a router and a switch. The method for implementing the message processing method provided by the embodiment of the invention can be at least one of software, hardware circuit and logic circuit arranged in the execution main body.
As shown in fig. 1, a method for processing a message provided in an embodiment of the present invention may include the following steps:
s101, address information of the message to be processed is obtained.
The address information may include a source IP address and a destination IP address. A packet to be processed normally carries basic information about itself, for example the source address from which it was sent and the destination address to which it is addressed; the source address may be a source IP address or a source port, and the destination address may be a destination IP address or a destination port. This basic information is stored in the fields of the packet, and the corresponding values are obtained by extracting those fields.
And S102, if the session table item corresponding to the address information exists in the session table, judging whether a first feature table item corresponding to the session table item exists in the feature table.
On a network device, a session entry corresponding to a packet carrying service data is normally created when the session is established, before the service packets arrive; the session entry records the five-tuple of the packet, that is, its source IP address, destination IP address, source port, destination port and transport protocol. To look up the feature information of a packet quickly, this embodiment maintains a feature table containing a plurality of feature table entries, each of which maps either the identification information of a session table entry, or the source address and/or destination address recorded in the session table entry, to feature information. For example, in Table 1 each row is a feature table entry mapping a source address and a destination address to feature information; the feature information for a packet with source address 192.168.1.11 and destination address 33.33.33.33 is the name of a particular network television application. Whether a first feature table entry corresponding to the session table entry exists can therefore be decided by checking whether the feature table contains an entry whose source address and destination address equal those in the session table entry, or, when entries are keyed by identification information, whether it contains an entry whose identification information matches that of the session table entry.
TABLE 1
| Source address | Destination address | Characteristic information |
| --- | --- | --- |
|  |  |  |
S103, if the first characteristic table item exists in the characteristic table and the message to be processed is matched with the first characteristic information in the first characteristic table item, processing the message to be processed based on the first characteristic information.
If the first feature table entry exists in the feature table, the message to be processed needs to be matched with the first feature information in the first feature table entry, and if the message to be processed can be matched with the first feature information, the network device can process the message to be processed based on a processing mode corresponding to the first feature information.
By applying this embodiment, if a session table entry corresponding to the address information of the packet to be processed exists in the session table, it is determined whether a first feature table entry corresponding to that session table entry exists in the feature table; if it does, and the packet to be processed matches the first feature information in the first feature table entry, the packet is processed based on the first feature information. Thus, when a first feature table entry corresponding to the session table entry exists and the packet matches its first feature information, the packet can be processed directly without feature matching in the feature library, which saves the resources of the network device and improves its processing performance.
Based on the embodiment shown in fig. 1, as shown in fig. 2, another message processing method is provided in the embodiment of the present invention, where the message processing method may include the following steps:
s201, acquiring address information of the message to be processed.
The message to be processed in this embodiment is a service message carrying service data.
S202, if a session table entry corresponding to the address information of the to-be-processed packet exists in the session table, determining whether a first feature table entry corresponding to the session table entry exists in the feature table, if so, performing S205, otherwise, performing S203 to S204.
Because each session table entry contains the five-tuple of its session, the address information of the packet to be processed is compared one by one against the five-tuple information of the session table entries. If a session table entry whose five-tuple agrees with the address information of the packet is found, it is determined that a session table entry corresponding to the packet exists in the session table; if no such entry is found, it is determined that none exists. If the session table has no session table entry corresponding to the address information of the packet to be processed, the packet is discarded.
The first feature table entry contains first feature information. Since a session table entry and a feature table entry correspond to each other, the address information in the session table entry is used to search the feature table for an entry carrying that address information; if such an entry is found, a first feature table entry corresponding to the session table entry exists in the feature table. Alternatively, identification information is assigned to the session table entry, and if a feature table entry carrying that identification information is found, a first feature table entry corresponding to the session table entry exists in the feature table.
S203, second characteristic information matched with the message to be processed is obtained from the characteristic library.
And S204, processing the message to be processed based on the second characteristic information.
If no first feature table entry corresponding to the session table entry exists in the feature table, no feature information has yet been stored for that address information or identification information, and second feature information matching the packet to be processed is obtained from the feature library. So that a later packet sent on the session corresponding to the session table entry does not again require a lookup in the feature library, a second feature table entry corresponding to the session table entry may be added to the feature table after the second feature information has been obtained; the second feature table entry contains the second feature information. When a further packet on that session is received, its feature information can then be taken directly from the corresponding feature table entry without matching in the feature library, which improves the processing performance of the network device.
S205, judging whether the message to be processed is matched with the first characteristic information in the first characteristic table item, if so, executing S206, otherwise, executing S207 to S208.
If the first feature table entry corresponding to the session table entry exists in the feature table, whether the message to be processed is matched with the first feature information in the first feature table entry needs to be further judged, and whether the specified field for representing the feature information in the message to be processed is matched with the first feature information can be judged.
And S206, processing the message to be processed based on the first characteristic information.
To save the storage space that holds the session table entries, a feature table entry may be deleted from the feature table when one of the following conditions holds:
deleting a first feature table item from the feature table when the time length from the last time of receiving the message to be processed reaches a preset time length;
or,
deleting a first characteristic table item from the characteristic table when monitoring that a user sending a message to be processed is in an off-line state;
or,
and deleting a preset number of feature table entries from the feature table when the residual capacity of the storage space for storing the plurality of session table entries is smaller than a preset threshold.
If the time elapsed since the packet to be processed was last received reaches the preset duration, for example 2 hours, the activity of that traffic is extremely low and no further packet has arrived for a long time, so the first feature table entry can be deleted from the feature table. If the user sending the packet to be processed is found to be offline, that user will not send packets to the network device in the near future, and the first feature table entry can likewise be deleted. If the remaining capacity of the storage space holding the session table entries falls below the preset threshold, for example only 5% of the total capacity remains and the storage space is about to run out, space must be released, and a preset number of feature table entries may be deleted from the feature table.
And S207, acquiring third characteristic information matched with the message to be processed from the characteristic library.
And S208, processing the message to be processed based on the third characteristic information.
If the packet to be processed does not match the first feature information in the first feature table entry, the feature information of the packet must be obtained afresh, specifically from the feature library. So that a later packet on the same session does not again require a lookup in the feature library, after the third feature information matching the packet has been obtained from the feature library, the first feature information in the first feature table entry may be replaced with the third feature information.
By applying this embodiment, if a session table entry corresponding to the address information of the packet to be processed exists in the session table, it is determined whether a first feature table entry corresponding to that session table entry exists in the feature table; if it does, and the packet to be processed matches the first feature information in the first feature table entry, the packet is processed based on the first feature information. Thus, when a first feature table entry corresponding to the session table entry exists and the packet matches its first feature information, the packet can be processed directly without feature matching in the feature library, which saves the resources of the network device and improves its processing performance. Furthermore, by deleting feature table entries from the feature table, the storage space holding the session table entries is saved.
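The procedure of fig. 2 (S201 to S208) together with the three deletion rules, as an added Python model; this is illustrative code written for this page, not code from the patent or its applicant. It assumes that the feature library is a set of byte signatures each carrying an action, that traffic matching no signature receives a default action and is not cached, that entries removed to free space are the least recently seen (the text fixes no order), and that the capacity rule is modelled on the feature table's own fill level rather than on the session-entry storage the text refers to. All packets and signatures are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str
    payload: bytes

    def five_tuple(self) -> tuple:
        return (self.src_ip, self.dst_ip, self.src_port, self.dst_port, self.proto)

# Feature library: name -> (byte signature, action). Constructed entries; a real library
# holds many signatures, which is what makes a full scan for every packet expensive.
FEATURE_LIBRARY: Dict[str, Tuple[bytes, str]] = {
    "feature_1_p2p_tv": (b"P2PTV", "rate_limit"),
    "feature_2_http": (b"GET /", "allow"),
}

def match_library(payload: bytes) -> Tuple[Optional[str], str]:
    """Slow path (S203 / S207): scan every signature in the library."""
    for name, (sig, action) in FEATURE_LIBRARY.items():
        if sig in payload:
            return name, action
    return None, "default"  # assumption: unknown traffic gets a default action, nothing cached

@dataclass
class FeatureEntry:
    feature: str
    last_seen: float

class Engine:
    def __init__(self, clock: Callable[[], float], idle_timeout: float = 7200.0,
                 capacity: int = 1000, low_water: float = 0.05, evict_count: int = 10):
        self.clock, self.idle_timeout = clock, idle_timeout
        self.capacity, self.low_water, self.evict_count = capacity, low_water, evict_count
        self.sessions: set = set()                                # session table of five-tuples
        self.features: Dict[Tuple[str, str], FeatureEntry] = {}  # feature table, keyed as in Table 1
        self.library_lookups = 0                                  # number of slow-path scans

    def open_session(self, pkt: Packet) -> None:
        """Session entry created once the handshake completes (fig. 3, session a)."""
        self.sessions.add(pkt.five_tuple())

    def process(self, pkt: Packet) -> str:
        if pkt.five_tuple() not in self.sessions:
            return "drop"                                 # S202: no session entry, discard
        key = (pkt.src_ip, pkt.dst_ip)
        now = self.clock()
        entry = self.features.get(key)
        # S205: the packet is re-checked against the one cached signature, not trusted blindly
        if entry is not None and FEATURE_LIBRARY[entry.feature][0] in pkt.payload:
            entry.last_seen = now                         # S206: hit, library not touched
            return FEATURE_LIBRARY[entry.feature][1]
        self.library_lookups += 1                         # S203 (no entry) or S207 (mismatch)
        name, action = match_library(pkt.payload)
        if name is not None:
            self.features[key] = FeatureEntry(name, now)  # S204 add, or S208 replace
        return action

    # Deletion rules. Assumptions: when a fixed count must go, the least recently seen go
    # first, and the capacity rule is modelled on the feature table's own fill level.
    def expire_idle(self) -> int:
        now = self.clock()
        stale = [k for k, e in self.features.items() if now - e.last_seen >= self.idle_timeout]
        for k in stale:
            del self.features[k]
        return len(stale)

    def user_offline(self, user_ip: str) -> int:
        gone = [k for k in self.features if k[0] == user_ip]
        for k in gone:
            del self.features[k]
        return len(gone)

    def reclaim_if_low(self) -> int:
        if self.capacity - len(self.features) >= self.capacity * self.low_water:
            return 0
        victims = sorted(self.features, key=lambda k: self.features[k].last_seen)[:self.evict_count]
        for k in victims:
            del self.features[k]
        return len(victims)

def run_example() -> Tuple[List[str], int, int]:
    """Replays fig. 3 with constructed packets: per-packet actions, library scans, idle expiries."""
    t = [0.0]
    eng = Engine(clock=lambda: t[0])
    mk = lambda payload, sport=40000: Packet("192.168.1.11", "33.33.33.33", sport, 8080, "tcp", payload)
    eng.open_session(mk(b""))
    actions = [eng.process(mk(b"P2PTV segment 1")),     # packet 1: library scan, entry a cached
               eng.process(mk(b"P2PTV segment 2")),     # packet 2: served from entry a
               eng.process(mk(b"GET / HTTP/1.1\r\n")),  # mismatch: rescan, entry a replaced
               eng.process(mk(b"P2PTV", 40001))]        # no session entry: dropped
    t[0] = 7200.0                                       # two hours later: entry a is idle
    return actions, eng.library_lookups, eng.expire_idle()
```

Two points worth noticing when running this. First, because Table 1 keys the feature table by the source and destination address pair rather than by the full five-tuple, every session between the same two hosts shares one entry; the per-packet re-check in S205 prevents a stale entry from being applied silently, but traffic whose content alternates between two applications on the same address pair will fall back to the slow path on every switch and rewrite the entry each time. Second, the cache only ever holds a feature that the library actually returned, so it cannot grant an action the library would not; what it changes is how many signatures are examined per packet, which is the performance point the text makes.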
For convenience of understanding, the following describes a message processing method according to an embodiment of the present invention with reference to a specific example.
As shown in fig. 3, because the company restricts the traffic of terminal 301 when it uses P2P (Peer-to-Peer) network television, the feature information corresponding to P2P network television (referred to as feature information 1) is loaded into the feature library of the firewall 302, and the firewall 302 is configured to apply rate limiting to any packet that matches feature information 1.
When receiving a handshake message used by terminal 301 to request to establish a connection with P2P web tv server 303, after determining that terminal 301 and server 303 successfully establish a connection (i.e., after a session is successfully created, the session is referred to as session a), firewall 302 creates session entry a, where session entry a includes five-tuple information of the handshake message. The source address included in the five-tuple information is the IP address (192.168.1.11) of the terminal 301, and the destination address is the IP address (33.33.33.33) of the server 303.
Afterwards, when the firewall 302 receives service packet 1 sent by the terminal 301 on session a, it finds the session entry a corresponding to service packet 1. Since no service packet on session a has been feature-matched before, the feature table holds no feature information corresponding to session entry a; the feature information matching service packet 1 must therefore be obtained from the feature library, and service packet 1 is processed according to the processing mode associated with that feature information. Given the feature library and the configuration of the firewall 302 described above, the feature information matching service packet 1 is feature information 1, so service packet 1 is rate-limited.
The firewall 302 may then add feature information 1 to the feature table in correspondence with session entry a; specifically, it may store the source address and destination address from the five-tuple of session entry a together with feature information 1 as feature entry a, giving the feature table shown in Table 2. When the firewall 302 receives further service packets on session a, it can take the feature information directly from feature entry a corresponding to session entry a without matching in the feature library, which improves its processing performance.
TABLE 2
| Source address | Destination address | Characteristic information |
| --- | --- | --- |
| 192.168.1.11 | 33.33.33.33 | Characteristic information 1 |
When the firewall 302 receives service packet 2 sent by the terminal 301 on session a (service packet 2 reaches the firewall 302 later than service packet 1), it finds the session entry a corresponding to service packet 2. At this point the feature table already holds feature information 1 for session entry a (that is, feature entry a exists), so the firewall 302 directly checks whether service packet 2 matches feature information 1 and, if so, rate-limits service packet 2. The firewall 302 thus takes the feature information directly from feature entry a corresponding to session entry a and does not need to match in the feature library.
If, on the other hand, service packet 2 does not match feature information 1, the feature information matching service packet 2 must be obtained from the feature library, and service packet 2 is processed according to the processing mode associated with that feature information. If the feature information matching service packet 2 is feature information 2, the previously stored feature information may have been wrong, so feature information 1 in feature entry a is replaced with feature information 2 to correct it; the firewall 302 can subsequently take the feature information directly from feature entry a corresponding to session entry a without matching in the feature library.
In this scheme, the feature table is searched for a feature table entry corresponding to the session table entry, and when the packet to be processed matches the feature information in that entry, the packet is processed based on that feature information. Thus, when a feature table entry corresponding to the session table entry exists, the packet is checked against the feature information in that entry and, if they match, processed directly on that basis without feature matching in the feature library, which saves the resources of the network device and improves its processing performance.
Based on the foregoing method embodiment, as shown in fig. 4, an embodiment of the present invention further provides a message processing apparatus, where the message processing apparatus may include:
a first obtaining module 410, configured to obtain address information of a packet to be processed, where the address information includes: a source IP address and a destination IP address;
a determining module 420, configured to determine whether a first feature table entry corresponding to the session table entry exists in a feature table if a session table entry corresponding to the address information already exists in the session table;
a processing module 430, configured to, if the first feature table entry exists in the feature table and the to-be-processed packet matches with the first feature information in the first feature table entry, process the to-be-processed packet based on the first feature information.
Based on the embodiment shown in fig. 4, as shown in fig. 5, an embodiment of the present invention further provides another message processing apparatus, where the message processing apparatus may include:
a first obtaining module 510, configured to obtain address information of a packet to be processed, where the address information includes: a source IP address and a destination IP address;
a determining module 520, configured to determine whether a first feature table entry corresponding to the session table entry exists in a feature table if a session table entry corresponding to the address information already exists in the session table;
a second obtaining module 530, configured to obtain, if the first feature table entry does not exist in the feature table, second feature information matched with the to-be-processed packet from a feature library;
an adding module 540, configured to add a second feature table entry corresponding to the session table entry in the feature table, where the second feature table entry includes the second feature information;
a processing module 550, configured to process the to-be-processed packet based on the first feature information if the first feature table entry exists in the feature table and the to-be-processed packet matches the first feature information in the first feature table entry; the processing module 550 may be further configured to process the packet to be processed based on the second feature information.
Based on the embodiment shown in fig. 4, as shown in fig. 6, another message processing apparatus is further provided in the embodiment of the present invention, where the message processing apparatus may include:
a first obtaining module 610, configured to obtain address information of a packet to be processed, where the address information includes: a source IP address and a destination IP address;
a determining module 620, configured to determine whether a first feature table entry corresponding to the session table entry exists in a feature table if the session table entry corresponding to the address information already exists in the session table;
a second obtaining module 630, configured to obtain, if the first feature table entry exists in the feature table and the to-be-processed packet does not match the first feature information in the first feature table entry, third feature information matched with the to-be-processed packet from a feature library;
a replacing module 640, configured to replace the first feature information in the first feature table entry with the third feature information;
a processing module 650, configured to, if the first feature table entry exists in the feature table and the to-be-processed packet matches with first feature information in the first feature table entry, process the to-be-processed packet based on the first feature information; the processing module 650 may be further configured to process the packet to be processed based on the third feature information.
Based on the embodiment shown in fig. 4, as shown in fig. 7, another message processing apparatus is further provided in the embodiment of the present invention, where the message processing apparatus may include:
a first obtaining module 710, configured to obtain address information of a packet to be processed, where the address information includes: a source IP address and a destination IP address;
a determining module 720, configured to determine whether a first feature table entry corresponding to the session table entry exists in a feature table if the session table entry corresponding to the address information already exists in the session table;
a processing module 730, configured to process the to-be-processed packet based on the first feature information if the first feature table entry exists in the feature table and the to-be-processed packet matches the first feature information in the first feature table entry;
a deleting module 740, configured to delete the first feature table entry from the feature table when a time length from a last time when the message to be processed is received reaches a preset time length; or, when monitoring that the user sending the message to be processed is in an offline state, deleting the first feature table entry from the feature table; or deleting a preset number of feature table entries from the feature table when the remaining capacity of the storage space for storing the plurality of session table entries is smaller than a preset threshold.
By applying this embodiment, if a session table entry corresponding to the address information of the packet to be processed exists in the session table, it is determined whether a first feature table entry corresponding to that session table entry exists in the feature table; if it does, and the packet to be processed matches the first feature information in the first feature table entry, the packet is processed based on the first feature information. Thus, when a first feature table entry corresponding to the session table entry exists and the packet matches its first feature information, the packet can be processed directly without feature matching in the feature library, which saves the resources of the network device and improves its processing performance. Furthermore, by deleting feature table entries from the feature table, the storage space holding the session table entries is saved.
As shown in fig. 8, the network device 800 includes a processor 810 and a machine-readable storage medium 820, where the machine-readable storage medium 820 stores machine-executable instructions capable of being executed by the processor 810, and the processor 810 is caused by the machine-executable instructions to implement the message processing method provided by the embodiment of the present invention.
The machine-readable storage medium may include RAM (Random Access Memory) and NVM (Non-Volatile Memory), for example at least one disk memory. Alternatively, the machine-readable storage medium may be at least one storage device located remotely from the processor.
The processor may be a general-purpose processor, such as a CPU (Central Processing Unit) or an NP (Network Processor); it may also be a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field-Programmable Gate Array) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In this embodiment, the processor of the network device can implement the following: if a session table entry corresponding to the address information of the packet to be processed exists in the session table, it is determined whether a first feature table entry corresponding to that session table entry exists in the feature table; if it does, and the packet to be processed matches the first feature information in the first feature table entry, the packet is processed based on the first feature information. Thus, when a first feature table entry corresponding to the session table entry exists and the packet matches its first feature information, the packet can be processed directly without feature matching in the feature library, which saves the resources of the network device and improves its processing performance. Furthermore, by deleting feature table entries from the feature table, the storage space holding the session table entries is saved.
In addition, corresponding to the message processing method provided in the foregoing embodiment, an embodiment of the present invention provides a computer-readable storage medium for storing a computer program, where the computer program, when executed by a processor, implements the message processing method provided in the embodiment of the present invention.
In this embodiment, the computer-readable storage medium stores an application program that, when run, executes the message processing method provided in the embodiment of the present application, so that the following can be implemented: if a session table entry corresponding to the address information of the packet to be processed exists in the session table, it is determined whether a first feature table entry corresponding to that session table entry exists in the feature table; if it does, and the packet to be processed matches the first feature information in the first feature table entry, the packet is processed based on the first feature information. Thus, when a first feature table entry corresponding to the session table entry exists and the packet matches its first feature information, the packet can be processed directly without feature matching in the feature library, which saves the resources of the network device and improves its processing performance. Furthermore, by deleting feature table entries from the feature table, the storage space holding the session table entries is saved.
As for the embodiments of the network device and the computer-readable storage medium, since the contents of the related methods are substantially similar to those of the foregoing embodiments of the methods, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the embodiments of the methods.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.