| With the popularization of Internet applications, the network has become the main platform for delivering data and exchanging information. The security of the network and of information is the key to guaranteeing that business on the network runs as usual. As the front line of network security, the firewall is increasingly discussed by users in the course of building a secure network environment. Today the firewall basically plays a preventive role and has become a necessary tool for network protection. Currently, traditional software firewalls are mostly based on the Netfilter architecture of the Linux system. Netfilter is a packet filtering architecture in the Linux system that provides functions such as packet filtering, state checking, network address translation, and packet tagging. Because the Netfilter architecture is open, developers can implement their own functional modules at the data link layer or the network layer. Based on research into the Netfilter architecture of the Linux system, and combined with the flexibility of FPGA techniques, a hardware firewall architecture with extensibility and good performance is designed. Switching and routing have become important parts of firewall products, since multi-functionality has become a characteristic of firewall products. The paper implements the switching and routing functions in an FPGA chip. Considering the complexity of switching and routing, the Linux kernel creates the switching and routing tables and then writes the table information as rules to the FPGA chip. Following the switching, routing, and Netfilter architecture of the Linux system, the paper implements the switching, routing, and firewall functions in the FPGA chip. At the same time, using the module loading mechanism of the Linux system, the module that operates the FPGA chip is loaded into the Linux kernel. Hook functions implemented in the dynamic module are set in the Linux kernel, which keeps the switching, routing, and firewall rules of the FPGA chip consistent with those of the Linux kernel. We completed functional and performance testing on the firewall designed with the method introduced above. The results show that the firewall reaches wire rate. We conclude that the Linux system and the dynamic module achieve consistency between software and hardware, while datagram handling is accomplished on the FPGA chip, which gives the design the flexibility of software and the high performance of hardware. The uniform design style in the paper offers a new approach to firewall design. |