| 对Linux系统中的iptables过滤模块的改进 |
| |
| 引用本文: | 陈鑫,方宁,沈金龙.对Linux系统中的iptables过滤模块的改进[J].南京邮电大学学报(自然科学版),2005,25(2):91-94. |
| |
| 作者姓名: | 陈鑫 方宁 沈金龙 |
| |
| 作者单位: | 南京邮电学院,电子工程系,江苏,南京,210003;南京邮电学院,计算机科学与技术系,江苏,南京,210003 |
| |
| 摘 要: | 为了改善现有linux系统内核iptables模块在数据包过滤中线性匹配规则的效率。采用了散列表和动态平衡树来组织过滤表,提出了按照三层递进式的搜索规则,减少了原来的线性查找重复匹配的次数,改进了过滤效率,并确保原有功能不变。把A个IP地址、B个网络设备和C个协议规则的过滤表查找时间复杂度从O(A*B*C)降低到m*O(log2A)+n*O(B)+k*O(log2C),(m,n,k为系数因子)。通过适当增加数据结构,安排合理的搜索规则,在有限的系统开销内,可以提高数据包过滤的规则匹配效率。
|
| 关 键 词: | Linux iptables 散列表 平衡树 |
| 文章编号: | 1000-1972(2005)02-0091-04 |
| 修稿时间: | 2004年6月15日 |
The Improvement of Iptables Filter Module in Linux Operating System |
| |
| CHEN Xin,FANG Ning,SHEN Jin-long.The Improvement of Iptables Filter Module in Linux Operating System[J].Journal of Nanjing University of Posts and Telecommunications,2005,25(2):91-94. |
| |
| Authors: | CHEN Xin FANG Ning SHEN Jin-long |
| |
| Institution: | CHEN Xin~1,FANG Ning~2,SHEN Jin-long~21.Department of Electronic Engineering,Nanjing University of Posts and Telecommunications,Nanjing 210003,China2.Department of Computer Science and Technology,Nanjing University of Posts and Telecommunications,Nanjing 210003,China |
| |
| Abstract: | In this paper, the filter efficiency of iptables filter module in Linux kernel is analyzed. In order to improve the filter efficiency, new data structures are proposed including hash tables and height balanced trees.New three-layer incremental filter rules are propssed instead of linear matching rules foreduce the number of iterative matching.It guarantees that the original functions of iptables filter module remainun changed. In a system consisting of A IP addresses, B net devices and C protocols , matching time complexity decreases from O (A*B*C) to m*O(log_2A)+n*O(B)+k*O(log_2C)(m,n and k are coefficients). |
| |
| Keywords: | Linux Iptables Hash tables Height balanced trees |
| 本文献已被 CNKI 万方数据 等数据库收录! |
|
