Design And Implementation Of Firewall Based On DPDK

Posted on: 2020-06-01
Degree: Master
Type: Thesis
Country: China
Candidate: W C Zou
GTID: 2428330590983234
Subject: Computer technology

Abstract/Summary:
In a complex network environment, a firewall is a barrier for network security. Configuring a firewall is one of the most common, economical, and effective network security measures. However, with the development of optical fiber technology, network bandwidth has increased rapidly and hardware performance has improved greatly, while software technology has lagged behind. The traditional network protocol stack has a complicated processing procedure that causes too much performance loss, so it cannot meet the requirements of processing massive amounts of data at high performance.

This thesis is dedicated to improving the performance of the firewall system, such as throughput and packet forwarding rate. To address the inefficient packet processing of the general server kernel network stack, it studies the Data Plane Development Kit (DPDK) and f-stack, the user-mode protocol stack based on DPDK, and designs a high-performance firewall based on DPDK to process packets efficiently. The main work and innovations are as follows:

The system uses DPDK to intercept the interrupt, does not trigger the subsequent interrupt handling, and bypasses the kernel protocol stack. The system uses UIO technology to map the packets received by the NICs to the user-mode protocol stack f-stack for processing, greatly reducing the time and performance cost of capturing packets. This increases the firewall's packet-processing performance and reduces the system performance loss caused by the firewall.

The system adds a fast forwarding path before the packet enters the f-stack protocol stack. It performs a session check on each packet captured by DPDK and forwards the flows of established sessions directly from the recorded port, which reduces the performance loss caused by protocol stack processing and increases the packet forwarding rate.

The system optimizes the rule matching algorithm, using a rule query algorithm based on the divide-and-conquer method. It divides the rule set into multiple sub-rule sets according to protocol type, which reduces the number of rules to match, and divides the rules into different groups according to the relationships between them. A different query algorithm is selected for each group according to the features of its rules, which effectively improves the query efficiency for a packet within a sub-rule set and also improves the overall processing performance of the rule query module.

Finally, functional and performance tests of the system verify that the packet filtering and fast forwarding functions of the firewall are effective. In a high-speed network environment the packet loss rate is low, and the overall performance of the firewall reaches a high level.
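The fast forwarding path and the protocol-based split of the rule set described above can be sketched as follows. This is an added example, not code from the thesis, and it uses no DPDK or f-stack APIs: all type names, function names, rules and port numbers are hypothetical, and each sub-rule set is scanned first-match rather than with the per-group query algorithms the thesis selects.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical types for illustration; not taken from the thesis, DPDK or f-stack. */
struct flow { uint32_t sip, dip; uint16_t sport, dport; uint8_t proto; };
struct session { struct flow key; uint16_t out_port; int used; };
struct rule { uint32_t dip, mask; uint16_t lo, hi; int allow; uint16_t out_port; };

#define NSESS 1024
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))
static struct session sess[NSESS];

/* Constructed sub-rule sets, one per protocol (6 = TCP, 17 = UDP); last rule is default deny. */
static const struct rule tcp_rules[] = {
    { 0x0A000000u, 0xFF000000u, 443, 443, 1, 1 },  /* allow 10.0.0.0/8 port 443, forward on port 1 */
    { 0, 0, 0, 65535, 0, 0 },
};
static const struct rule udp_rules[] = {
    { 0x0A000035u, 0xFFFFFFFFu, 53, 53, 1, 2 },    /* allow 10.0.0.53 port 53, forward on port 2 */
    { 0, 0, 0, 65535, 0, 0 },
};

static uint32_t hash_flow(const struct flow *f) {
    uint32_t h = (f->sip * 2654435761u) ^ f->dip;
    h ^= (((uint32_t)f->sport << 16) | f->dport) ^ f->proto;
    return (h ^ (h >> 15)) % NSESS;
}

static int flow_eq(const struct flow *a, const struct flow *b) {
    return a->sip == b->sip && a->dip == b->dip && a->sport == b->sport &&
           a->dport == b->dport && a->proto == b->proto;
}

/* First match wins; returns the output port, or -1 to drop. */
static int match_rules(const struct rule *r, size_t n, const struct flow *f) {
    for (size_t i = 0; i < n; i++)
        if ((f->dip & r[i].mask) == r[i].dip && f->dport >= r[i].lo && f->dport <= r[i].hi)
            return r[i].allow ? r[i].out_port : -1;
    return -1;
}

/* Returns the output port or -1 (drop); *fast is 1 when the session table answered. */
int process_packet(const struct flow *f, int *fast) {
    struct session *s = &sess[hash_flow(f)];
    *fast = (s->used && flow_eq(&s->key, f));
    if (*fast) return s->out_port;          /* fast path: no rule lookup, no protocol stack */
    int port = -1;
    if (f->proto == 6)  port = match_rules(tcp_rules, COUNT(tcp_rules), f);
    if (f->proto == 17) port = match_rules(udp_rules, COUNT(udp_rules), f);
    if (port >= 0) { s->key = *f; s->out_port = (uint16_t)port; s->used = 1; }
    return port;                            /* unknown protocols and denied flows are dropped */
}
```

The session table here is direct-mapped: a hash collision evicts the older entry and sends that flow back through rule matching, and because the full 5-tuple is compared, a collision never forwards a packet on another flow's port. Session expiry and TCP state tracking are left out of this sketch.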
Keywords/Search Tags: DPDK, f-stack, firewall, fast forwarding, rule matching