
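A method for analyzing inclusion relations between firewall rules
Cite this article: YIN Yi, WANG Yun. A method for analyzing inclusion relations between firewall rules[J]. Journal of Computer Applications, 2015, 35(11): 3083-3086.
Authors: YIN Yi, WANG Yun
Affiliations: 1. School of Computer Science and Engineering, Southeast University, Nanjing 211189; 2. School of Computer Science and Technology, Nanjing Normal University, Nanjing 210023
Funding: National Natural Science Foundation of China (60973122); National 973 Program.
Abstract: The relations among the rules in a firewall rule set are hard to grasp, which can leave the firewall unable to filter packets correctly. To address this problem, a set-theory-based method for analyzing the inclusion relations between rules is proposed. Without considering rule actions, the method analyzes and classifies the relations between rules according to set-theoretic inclusion, which simplifies the process of analyzing how rules relate to one another. The method is implemented in Haskell, an efficient functional programming language, and the code as a whole is concise and easy to maintain and extend. Experimental results show that, for small and medium-sized firewall rule sets, the method analyzes the inclusion relations between rules quickly and effectively, and that it provides an important basis for subsequent anomaly detection between rules.

Keywords: network security; firewall; rule set; functional programming language; set theory
Received: 2015-06-17
Revised: 2015-07-28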

Analysis method of inclusion relations between firewall rules
YIN Yi, WANG Yun. Analysis method of inclusion relations between firewall rules[J]. Journal of Computer Applications, 2015, 35(11): 3083-3086.
Authors: YIN Yi, WANG Yun
Affiliation: 1. School of Computer Science and Engineering, Southeast University, Nanjing Jiangsu 211189, China; 2. School of Computer Science and Technology, Nanjing Normal University, Nanjing Jiangsu 210023, China
Abstract: It is difficult to understand all the relations between firewall rules, and poorly organized rules may prevent a firewall from filtering packets correctly. To solve this problem, an analysis method for inclusion relations between firewall rules based on set theory is proposed. Based on the inclusion relations of set theory, the proposed method analyzes and classifies the relations between firewall rules without considering the actions of the rules. The method simplifies the process of analyzing relations between firewall rules, and it is implemented in a functional programming language, Haskell. The Haskell code as a whole is concise and easy to maintain and extend. The experimental results show that, for medium-scale sets of rules, the proposed method can analyze the inclusion relations between firewall rules rapidly and effectively. The proposed method also provides an important basis for subsequent rule conflict detection.
Keywords: network security; firewall; rules set; functional programming language; set theory
This article is indexed in Wanfang Data and other databases.