The firewall rule-matching algorithm designed in this paper is based on a divide-and-conquer approach to the rule set. The rule set is divided into multiple subsets according to protocol type. Then, according to the relationship between two rules, each subset is divided into two groups: a disordered group and a queue group. A hash function is designed to match rules in the disordered group, while an indexing algorithm is proposed to match rules in the queue group. The analysis shows that the algorithm is much more efficient than similar algorithms, greatly improving the performance of the firewall.