In a traditional network, the data plane and the control plane both reside in the switch or router. In SDN (Software-Defined Networking), the data plane and the control plane are separated, and the control plane is moved to a separate device, the controller, which programs the flow table of each OpenFlow switch by using the OpenFlow protocol, so as to implement centralized control over the entire network. The controller may be a dedicated appliance, a virtual machine, or a physical server, and it controls network forwarding by means of the OpenFlow protocol.
Currently, the existing OpenFlow standard provides no audit or tracking mechanism specific to flow tables. Therefore, by adding a flow table rule to a switch that rewrites the source address range and destination address range of an existing flow (for example, with an OpenFlow set-field action on the address fields), the address range of a data flow can easily be changed so that the flow bypasses an SDN firewall. To counter the change of address range of such a conflicting data flow by an added flow table rule, the prior art blocks the conflicting data flow by expanding the source address range and destination address range of the security policy so that they also cover the rewritten addresses.
However, the prior-art method considers flow table rules on only one switch: if the address of a data flow is rewritten on a switch during transmission, blocking is performed on that switch according to the security policy. The problem is not addressed from the overall perspective of the data flow's path through the entire network, where a rewrite split across several switches may look harmless on each switch taken individually.
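The following is an added illustration written for this page, not code from the original text or from any SDN controller. It models a firewall policy, a chain of OpenFlow switches whose flow entries may rewrite addresses, a per-switch check in the spirit of the prior art described above, and a path-wide check that follows the flow from ingress to egress. All switch names, address ranges and flow rules are constructed, and the flow-table model (first matching entry wins, rewrite via set-field, optional drop) is a simplification of real OpenFlow semantics.

```python
"""Per-switch versus path-wide checking of OpenFlow address-rewrite rules.
Illustrative code for this page; every switch, address and rule is constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """A flow entry: match on src/dst, then drop, or forward with optional
    set-field rewrites of the source and/or destination address."""
    match_src: IPv4Network
    match_dst: IPv4Network
    set_src: Optional[IPv4Network] = None
    set_dst: Optional[IPv4Network] = None
    drop: bool = False


@dataclass(frozen=True)
class Policy:
    """Firewall policy: deny traffic originating in src and destined to dst."""
    src: IPv4Network
    dst: IPv4Network


@dataclass(frozen=True)
class Flow:
    """An address range in flight: ingress addresses and current on-wire addresses."""
    orig_src: IPv4Network
    orig_dst: IPv4Network
    cur_src: IPv4Network
    cur_dst: IPv4Network
    src_rewritten: bool = False
    dst_rewritten: bool = False


def intersect(a: IPv4Network, b: IPv4Network) -> Optional[IPv4Network]:
    """Intersection of two CIDR blocks: they are either nested or disjoint."""
    if not a.overlaps(b):
        return None
    return a if a.subnet_of(b) else b


def per_switch_check(path, policy: Policy) -> list:
    """Prior-art style check, one switch at a time: a rewrite rule is flagged when
    its pre-rewrite or post-rewrite addresses fall inside the policy's ranges (the
    policy would then be expanded and the flow blocked on that switch)."""
    flagged = []
    for name, rules in path:
        for r in rules:
            if r.set_src is None and r.set_dst is None:
                continue
            before = (r.match_src, r.match_dst)
            after = (r.set_src or r.match_src, r.set_dst or r.match_dst)
            if any(s.overlaps(policy.src) and d.overlaps(policy.dst) for s, d in (before, after)):
                flagged.append(name)
                break
    return flagged


def path_wide_check(path, ingress_src: IPv4Network, ingress_dst: IPv4Network,
                    policy: Policy) -> Optional[Flow]:
    """Push an ingress range through every switch on the path (first matching entry
    wins) and compare the ORIGINAL source with the FINAL destination against the
    policy. Returns the offending flow, or None if it is dropped or harmless."""
    flow = Flow(ingress_src, ingress_dst, ingress_src, ingress_dst)
    for _name, rules in path:
        hit = None
        for r in rules:
            s = intersect(flow.cur_src, r.match_src)
            d = intersect(flow.cur_dst, r.match_dst)
            if s is None or d is None:
                continue
            if r.drop:
                return None  # blocked on this switch
            # Narrowing by the match is reflected in the ingress range only while
            # that address has not been rewritten yet (over-approximation otherwise).
            hit = Flow(orig_src=flow.orig_src if flow.src_rewritten else s,
                       orig_dst=flow.orig_dst if flow.dst_rewritten else d,
                       cur_src=r.set_src or s, cur_dst=r.set_dst or d,
                       src_rewritten=flow.src_rewritten or r.set_src is not None,
                       dst_rewritten=flow.dst_rewritten or r.set_dst is not None)
            break
        if hit is None:
            return None  # table miss: dropped
        flow = hit
    if flow.orig_src.overlaps(policy.src) and flow.cur_dst.overlaps(policy.dst):
        return flow
    return None


# Constructed scenario (hypothetical addresses and switches).
ANY = ip_network("0.0.0.0/0")
ATTACKER = ip_network("10.0.1.0/24")   # denied source range
SERVER = ip_network("10.0.2.10/32")    # protected destination
DECOY = ip_network("10.0.9.9/32")      # unprotected host used as stand-in destination
PROXY = ip_network("172.16.1.1/32")    # forged source outside the denied range
LEGIT = ip_network("10.0.5.0/24")      # an ordinary, permitted source range
POLICY = Policy(ATTACKER, SERVER)
FIREWALL_SWITCH = ("s2", [Rule(ATTACKER, SERVER, drop=True), Rule(ANY, ANY)])

# Bypass split across s1 (before the firewall) and s3 (after it): each rule
# alone stays outside the policy's ranges, their composition does not.
CHAINED_PATH = [("s1", [Rule(ATTACKER, DECOY, set_src=PROXY), Rule(ANY, ANY)]),
                FIREWALL_SWITCH,
                ("s3", [Rule(PROXY, DECOY, set_dst=SERVER), Rule(ANY, ANY)])]

# Whole rewrite on one switch in front of the firewall: the per-switch check sees it.
SINGLE_HOP_PATH = [("s1", [Rule(ATTACKER, SERVER, set_src=PROXY), Rule(ANY, ANY)]),
                   FIREWALL_SWITCH,
                   ("s3", [Rule(ANY, ANY)])]

if __name__ == "__main__":
    print("single hop, per-switch :", per_switch_check(SINGLE_HOP_PATH, POLICY))
    print("chained,    per-switch :", per_switch_check(CHAINED_PATH, POLICY))
    print("chained,    path-wide  :", path_wide_check(CHAINED_PATH, ATTACKER, DECOY, POLICY))
```

Running it shows the point of the paragraph above: the per-switch check flags `s1` on the single-hop path but reports nothing on the chained path, while the path-wide check reports a flow that entered from 10.0.1.0/24 and leaves `s3` addressed to 10.0.2.10 with source 172.16.1.1, having passed the firewall on `s2` as an apparently unrelated flow.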