Abstract
To improve the rule-matching efficiency of firewalls with large rule sets, the matching characteristics of the extended match modules in iptables rules are studied, the matching process is divided into two steps, packet decoding and parameter comparison, and an optimized algorithm of "decode once, match many times" (decoding-once technology, DOT) is proposed for the same extended match module appearing in different rules. Modeling and analysis of the rule-matching time prove that the improved algorithm reduces the number of packet decodings during rule matching and therefore lowers the matching time of the extended match modules in the rules. Experimental results show that the improved algorithm effectively raises firewall throughput and reduces latency.
To raise the efficiency of rule matching in firewalls with large rule sets, the characteristics of the extended match modules in iptables rules are studied. The matching process is divided into two steps: packet decoding and parameter comparison. An optimized matching algorithm for the same match module used in different rules, named decoding-once technology (DOT), is then proposed. A model of rule-matching time proves that it reduces the number of packet decodings during rule matching and decreases the matching time of the extended match modules in firewall rules. Experimental results show that the improved algorithm effectively increases the throughput and decreases the delay of the firewall.
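The abstract describes the DOT idea only in outline, so the following is an added illustration written for this page; it is not the paper's code and does not model netfilter internals. It assumes a toy rule table in which each match clause names a module (`ip` or `tcp`) and the parameters to compare, and it constructs two sample TCP packets inline. The naive matcher decodes the packet for every match clause it visits, while the DOT matcher caches each module's decoded fields for the current packet and decodes each module at most once; both return the same verdict, and the decode counters show the saving that the paper's time model attributes to DOT.

```python
import struct
from typing import Any, Callable, Dict, List, Optional, Tuple

Fields = Dict[str, Any]
Match = Tuple[str, Fields]               # (module name, parameters to compare)
Rule = Tuple[List[Match], str]           # (match clauses, terminating target)


def make_tcp_packet(src: str, dst: str, sport: int, dport: int, syn: bool) -> bytes:
    """Build a constructed 20-byte IPv4 header + 20-byte TCP header (checksums zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50,
                      0x02 if syn else 0x10, 65535, 0, 0)
    return ip + tcp


# Constructed sample traffic, not captured packets.
SYN_TO_SSH = make_tcp_packet("10.0.0.5", "10.0.0.9", 40000, 22, syn=True)
TO_8080 = make_tcp_packet("10.0.0.5", "10.0.0.9", 40001, 8080, syn=False)


def decode_ip(pkt: bytes) -> Fields:
    """Packet-decoding step of a hypothetical 'ip' match module."""
    return {"proto": pkt[9],
            "src": ".".join(str(b) for b in pkt[12:16]),
            "dst": ".".join(str(b) for b in pkt[16:20])}


def decode_tcp(pkt: bytes) -> Fields:
    """Packet-decoding step of a hypothetical 'tcp' match module."""
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return {"sport": sport, "dport": dport, "syn": bool(pkt[ihl + 13] & 0x02)}


DECODERS: Dict[str, Callable[[bytes], Fields]] = {"ip": decode_ip, "tcp": decode_tcp}


def compare(decoded: Fields, params: Fields) -> bool:
    """Parameter-comparison step: every rule parameter must equal the decoded field."""
    return all(decoded.get(k) == v for k, v in params.items())


# Toy rule table (assumed, not from the paper); the final empty rule is the chain policy.
RULES: List[Rule] = [
    ([("ip", {"src": "192.168.1.1"}), ("tcp", {"dport": 80})], "ACCEPT"),
    ([("tcp", {"dport": 443})], "ACCEPT"),
    ([("ip", {"proto": 6}), ("tcp", {"dport": 22, "syn": True})], "DROP"),
    ([("tcp", {"dport": 22})], "ACCEPT"),
    ([], "DROP"),
]


def match_naive(pkt: bytes, rules: List[Rule]) -> Tuple[str, Optional[int], int]:
    """Decode the packet for every match clause visited. Returns (target, rule index, decodes)."""
    decodes = 0
    for idx, (matches, target) in enumerate(rules):
        for module, params in matches:
            decodes += 1
            if not compare(DECODERS[module](pkt), params):
                break                      # first failing clause ends this rule
        else:
            return target, idx, decodes    # all clauses matched
    return "DROP", None, decodes


def match_dot(pkt: bytes, rules: List[Rule]) -> Tuple[str, Optional[int], int]:
    """DOT: decode each module once per packet and reuse the result across rules."""
    decodes = 0
    cache: Dict[str, Fields] = {}
    for idx, (matches, target) in enumerate(rules):
        for module, params in matches:
            if module not in cache:
                cache[module] = DECODERS[module](pkt)
                decodes += 1
            if not compare(cache[module], params):
                break
        else:
            return target, idx, decodes
    return "DROP", None, decodes


if __name__ == "__main__":
    for name, pkt in (("SYN to 22", SYN_TO_SSH), ("to 8080", TO_8080)):
        print(name, "naive:", match_naive(pkt, RULES), "DOT:", match_dot(pkt, RULES))
```

The decode counter is what the paper's time model is about: for a packet that walks deep into a large table, the naive matcher pays one decode per clause visited, whereas DOT pays at most one per distinct module, so the comparison step becomes the dominant cost. A real implementation would need per-packet cache invalidation and would have to handle modules whose decoding depends on their parameters (the toy above assumes parameter-independent decoding).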
Source
《计算机工程与设计》
CSCD
Peking University Core Journal (北大核心)
2011, No. 3, pp. 766-769 (4 pages)
Computer Engineering and Design
Funding
National High-Tech R&D Program of China (863 Program) project (2009AA01Z432)