CN109688126B - Data processing method, network equipment and computer readable storage medium - Google Patents


Info

Publication number
CN109688126B
Authority
CN
China
Prior art keywords
ace
acl
hardware
memory
hardware table
Prior art date
Legal status
Active
Application number
CN201811566794.2A
Other languages
Chinese (zh)
Other versions
CN109688126A (en)
Inventor
吴帮华
Current Assignee
Maipu Communication Technology Co Ltd
Original Assignee
Maipu Communication Technology Co Ltd
Application filed by Maipu Communication Technology Co Ltd
Priority to CN201811566794.2A
Publication of CN109688126A
Application granted
Publication of CN109688126B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0263 Rule management
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

An embodiment of the present application provides a data processing method, a network device, and a computer-readable storage medium for processing at least one access control entry (ACE) in an access control list (ACL). The method includes: obtaining the application object identifier of the application object to which the ACL is applied; obtaining the ACEs of the ACL one by one in order of ACE priority from high to low; adding the corresponding application object identifier to each obtained ACE; and writing each ACE, with the application object identifier added, into free hardware entries of a memory in order of hardware entry value from small to large. Because an ACE is written into whichever hardware entry is free, rather than into a contiguous run of hardware entries as in the prior art, the ACEs of ACLs already in the memory need not be moved, and efficiency is improved.

Description

Data processing method, network equipment and computer readable storage medium
Technical Field
The present application relates to the field of communications technologies, and in particular, to a data processing method, a network device, and a computer-readable storage medium.
Background
As the technology has developed, controlling network security and allocating bandwidth have become central tasks of network management. Filtering packets effectively prevents unauthorized users from accessing the network, controls traffic, and conserves network resources.
An Access Control List (ACL) filters packets by configuring match rules and the processing action applied to packets that match. An ACL is an ordered set of rules, and each rule in the ACL is an Access Control Entry (ACE). When a port of the network device receives a packet, the ACL evaluates the packet against a series of match conditions and then, for example, permits or denies it.
An existing network device typically stores a plurality of ACLs, each distinguished by a name or identifier. Each ACL is stored in consecutive hardware entries of the network device according to a manually configured hardware priority, and each hardware entry typically holds one ACE. If the number of consecutive free hardware entries in the network device is smaller than the number of ACEs in an ACL, ACLs already stored in the device must be moved, which is time-consuming and inefficient.
Summary
Embodiments of the present application provide a data processing method, a network device, and a computer-readable storage medium, so as to mitigate the situation in the prior art in which an ACL in a network device may need to be moved, with the resulting long processing time and low efficiency.
In a first aspect, an embodiment of the present application provides a data processing method for processing at least one access control entry (ACE) in an access control list (ACL). The method includes: obtaining the application object identifier of the application object corresponding to the ACL; obtaining the ACEs one by one from the at least one ACE in the ACL in order of ACE priority from high to low; adding the corresponding application object identifier to each obtained ACE; and writing each ACE, with the application object identifier added, into free hardware entries of a memory in order of hardware entry value from small to large.
Because the ACEs are obtained in priority order, the method preserves their precedence: after the application object identifier is added to an ACE, the ACE is written into the free hardware entries of the memory in order of hardware entry value from small to large. Specifically, the hardware entries of the memory are traversed from the smallest hardware entry value upward; if a hardware entry is free, the ACE is written into it; if the hardware entry already holds an ACE of another ACL, the next hardware entry in ascending order is examined. Because an ACE is written into whichever hardware entry is free, rather than into a contiguous run of hardware entries as in the prior art, the ACEs of ACLs already in the memory need not be moved, and efficiency is improved.
In one possible design, after the ACE with the application object identifier added is written into free hardware entries of the memory in ascending order of hardware entry value, the method further includes: obtaining the hardware entry identifier of the hardware entry into which the ACE was written; and establishing a correspondence between the ACE and that hardware entry identifier.
Once an ACE has been written into a hardware entry of the memory, the identifier of that hardware entry can be obtained and a correspondence between the ACE and the hardware entry identifier established, so that the ACE can later be located in the memory by its hardware entry identifier for subsequent operations.
In one possible design, before obtaining the application object identifier of the application object corresponding to the ACL, the method further includes: after an ACE is newly added to the ACL, obtaining the hardware entry identifier corresponding to each ACE of the ACL that has already been written into the memory; and deleting from the memory the ACEs corresponding to those hardware entry identifiers.
If an ACE is newly added to an ACL, the ACEs of that ACL already stored in the memory can be deleted and the ACL, now including the new ACE, rewritten into the memory; the rewrite can follow the same steps as writing the ACL into the memory for the first time. In this way the priority order of the ACEs within the ACL is preserved, and the ACEs stored in the memory for other ACLs do not need to be moved.
In one possible design, the method further includes: if an ACE deletion instruction is received for a first ACL, obtaining a first hardware entry identifier of the ACE to be deleted from the first ACL; and deleting from the memory the ACE corresponding to the first hardware entry identifier.
If an ACE deletion instruction is received for the first ACL, requesting that a certain ACE be deleted from the first ACL stored in the memory, the ACE can be located in the memory by its hardware entry identifier and deleted directly. Deleting an ACE leaves a free hardware entry, which can be used, in ascending order of hardware entry value, when an ACE of a later ACL is inserted.
In one possible design, the method further includes: if an ACE modification instruction is received for a second ACL, obtaining a second hardware entry identifier of the ACE to be modified from the second ACL, where the ACE modification instruction carries the updated action of the ACE; and modifying, in the memory, the action of the ACE in the hardware entry corresponding to the second hardware entry identifier to the updated action.
If an ACE modification instruction is received for the second ACL, requesting that the action of a certain ACE in the second ACL stored in the memory be changed, the ACE can be located in the memory by its hardware entry identifier and its action changed to the updated action carried in the instruction. The correspondence between the ACE and the hardware entry identifier thus allows the action of an ACE to be modified quickly.
In a second aspect, an embodiment of the present application provides a network device, including: an identifier obtaining module, configured to obtain the application object identifier of the application object corresponding to the ACL; an ACE obtaining module, configured to obtain the ACEs one by one from the at least one ACE in the ACL in order of ACE priority from high to low; an identifier adding module, configured to add the corresponding application object identifier to each obtained ACE; and an ACE writing module, configured to write each ACE, with the application object identifier added, into free hardware entries of a memory in order of hardware entry value from small to large.
Because the ACEs are obtained in priority order, the network device preserves their precedence: after the application object identifier is added to an ACE, the ACE is written into the free hardware entries of the memory in order of hardware entry value from small to large. The hardware entries are traversed from the smallest hardware entry value upward; a free hardware entry receives the ACE, while a hardware entry already holding an ACE of another ACL is skipped in favour of the next one. Because an ACE is written into whichever hardware entry is free, rather than into a contiguous run of hardware entries as in the prior art, the ACEs of ACLs already in the memory need not be moved, and efficiency is improved.
In one possible design, the network device further includes: a hardware identifier obtaining module, configured to obtain the hardware entry identifier of the hardware entry into which the ACE was written; and a hardware identifier correspondence module, configured to establish a correspondence between the ACE and the hardware entry identifier.
Once an ACE has been written into a hardware entry of the memory, the identifier of that hardware entry can be obtained and a correspondence between the ACE and the hardware entry identifier established, so that the ACE can later be located in the memory by its hardware entry identifier for subsequent operations.
In one possible design, the network device further includes: an ACE adding module, configured to obtain, after an ACE is added to the ACL, the hardware entry identifier corresponding to each ACE of the ACL already written into the memory; and an ACL deleting module, configured to delete from the memory the ACEs corresponding to those hardware entry identifiers.
If an ACE is newly added to an ACL, the ACEs of that ACL already stored in the memory can be deleted and the ACL, now including the new ACE, rewritten into the memory; the rewrite can follow the same steps as writing the ACL into the memory for the first time. In this way the priority order of the ACEs within the ACL is preserved, and the ACEs stored in the memory for other ACLs do not need to be moved.
In one possible design, the network device further includes an ACE deleting module, configured to obtain, when an ACE deletion instruction is received for a first ACL, a first hardware entry identifier of the ACE to be deleted from the first ACL, and further configured to delete from the memory the ACE corresponding to the first hardware entry identifier.
If an ACE deletion instruction is received for the first ACL, requesting that a certain ACE be deleted from the first ACL stored in the memory, the ACE can be located in the memory by its hardware entry identifier and deleted directly. Deleting an ACE leaves a free hardware entry, which can be used, in ascending order of hardware entry value, when an ACE of a later ACL is inserted.
In one possible design, the network device further includes an ACE modifying module, configured to obtain, when an ACE modification instruction is received for a second ACL, a second hardware entry identifier of the ACE to be modified from the second ACL, where the ACE modification instruction carries the updated action of the ACE, and further configured to modify, in the memory, the action of the ACE in the hardware entry corresponding to the second hardware entry identifier to the updated action.
If an ACE modification instruction is received for the second ACL, requesting that the action of a certain ACE in the second ACL stored in the memory be changed, the ACE can be located in the memory by its hardware entry identifier and its action changed to the updated action carried in the instruction. The correspondence between the ACE and the hardware entry identifier thus allows the action of an ACE to be modified quickly.
In a third aspect, the present application provides an electronic device, including a processor and a memory, the memory storing machine-readable instructions executable by the processor; when the device runs, the processor and the memory communicate with each other, and the machine-readable instructions, when executed by the processor, perform the method of the first aspect or any of its optional implementations.
In a fourth aspect, the present application provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs the method of the first aspect or any of the alternative implementations of the first aspect.
In a fifth aspect, the present application provides a computer program product which, when run on a computer, causes the computer to perform the method of the first aspect or any possible implementation manner of the first aspect.
To make the aforementioned and other objects, features and advantages of the present application clearer, preferred embodiments are described in detail below with reference to the accompanying figures.
Drawings
To explain the embodiments of the present application or the prior art more clearly, the drawings used in their description are briefly introduced below. The drawings described below illustrate only some embodiments of the present application; those skilled in the art can derive other drawings from them without creative effort.
FIG. 1 is a schematic block diagram of ACL storage in memory in the prior art;
FIG. 2 is a schematic flow chart of a data processing method according to a first embodiment of the present application;
FIG. 3 is a flow chart illustrating a portion of steps of a data processing method according to a first embodiment of the present application;
FIG. 4 is a flow chart illustrating a portion of steps of a data processing method according to a first embodiment of the present application;
FIG. 5 is a flow chart illustrating a portion of steps of a data processing method according to a first embodiment of the present application;
FIG. 6 is a flow chart illustrating a portion of steps of a data processing method according to a first embodiment of the present application;
FIG. 7 is a block diagram of a network device according to a second embodiment of the present application;
FIG. 8 is a schematic block diagram of ACL storage in memory according to the present application.
Detailed Description
In the prior art, an ACL classifies packets according to a series of match conditions, such as the source address, destination address and port numbers of the packet. The packet match rules defined by an ACL can also be referenced by other features that need to distinguish traffic, for example the definition of flow classification rules in Quality of Service (QoS); the ACL is therefore an important function of a network device.
Usually a network device holds a plurality of ACLs, and each ACL may have a plurality of ACEs added to it. Each ACE has a corresponding rule identifier, which indicates the position of the ACE within the ACL and can be regarded as the priority of the ACE. The rule identifier can be configured by the user or generated automatically by the system according to a configured step. For example, with a step of 10 the rule identifiers of consecutive ACEs in one ACL are assigned 10, 20, 30 …; with a step of 2 they are assigned 2, 4, 6 …. Rule identifiers are arranged from small to large as the priority of the ACE goes from high to low, so a smaller rule identifier means a higher priority.
The ACL may be applied to different application objects of the network device; an application object may be a port, a Virtual Local Area Network (VLAN), or the entire network device.
Taking a switch as an example, the ACL is usually stored in a Ternary Content Addressable Memory (TCAM). In the prior art, when an ACL is written into the TCAM, the rule identifiers of its ACEs are first converted into manually configured hardware priorities. Each ACE corresponds to one hardware priority: an ACE with a smaller rule identifier receives a higher hardware priority, and an ACE with a larger rule identifier receives a lower one. For these manually configured hardware priorities, a larger value means a higher priority.
When an ACE of one of the ACLs needs to be deleted, the hardware entry it occupies can simply be marked free, which may leave the stored ACEs non-contiguous. If another ACL is then to be written into the TCAM, the number of hardware entries available at the position dictated by its hardware priority may be smaller than the number of ACEs in that ACL. In that case an ACL with a lower hardware priority must be moved to a position of lower hardware priority, or an ACL with a higher hardware priority must be moved to a position of higher hardware priority.
FIG. 1 illustrates a situation in which an ACL has to be moved. FIG. 1 shows part of the contents of TCAM0. ACL1 includes three ACEs, all applied to Port 1, all with the action permit (the packet continues to be forwarded), and with hardware priorities 900, 899 and 898 respectively: the ACE with hardware priority 900 permits packets whose destination IP address is 1.1.1.1, the ACE with hardware priority 899 permits packets whose destination IP address is 1.1.1.2, and the ACE with hardware priority 898 permits packets whose destination IP address is 1.1.1.3.
ACL2 likewise includes three ACEs, all applied to Port 2, all with the action permit, and with hardware priorities 300, 299 and 298 respectively: the ACE with hardware priority 300 permits packets whose destination IP address is 2.2.2.1, the ACE with hardware priority 299 permits packets whose destination IP address is 2.2.2.2, and the ACE with hardware priority 298 permits packets whose destination IP address is 2.2.2.3.
Index0, 1, 2 … n are the hardware entry values of the hardware entries, and they represent the order of the physical locations of the hardware entries in TCAM0. The hardware priority 898 of the ACE at Index4 is higher than the hardware priority 300 of the ACE at Index n-3, so the ACE at Index4 occupies an earlier position than the ACE at Index n-3.
Now suppose ACL3 is to be written into TCAM0. ACL3 includes three ACEs whose hardware priorities are 100, 99 and 98. By hardware priority, the ACE with hardware priority 100 should be written into the entry after the ACE with hardware priority 298, the ACE with hardware priority 99 into the entry after the ACE with hardware priority 100, and the ACE with hardware priority 98 into the entry after the ACE with hardware priority 99. However, only one free entry follows the ACE with hardware priority 298, so ACL2 must be moved forward by at least two entries to make room for ACL3: at least the ACE at Index n-3 is moved to Index n-5, the ACE at Index n-2 to Index n-4, and the ACE at Index n-1 to Index n-3.
In the extreme case, some of the ACEs already written into TCAM0 may have to be moved every time a new ACL is written into TCAM0, and each move is time-consuming and inefficient. In particular, when many ACL resources are in use, user configuration stalls, the CPU runs at full load and other tasks cannot be scheduled, which can lead to inter-board communication failures, protocol flapping, stack splits, and even device restarts.
The applicant arrived at the above drawbacks of the prior art through practical and careful study; the identification of these problems, and the solution to them proposed in the following embodiments, should therefore be regarded as the inventor's contribution to the present application.
In order to solve the above technical problem, embodiments of the present application provide the following data processing method, network device and computer readable storage medium, which will be described in detail below with reference to the accompanying drawings.
First embodiment
Referring to FIG. 2, which is a schematic flow chart of the data processing method according to the first embodiment of the present application, the method includes the following steps:
Step S110: obtain the application object identifier of the application object corresponding to the ACL.
Normally one application object corresponds to only one ACL, so the application object identifier of the application object corresponding to the ACL can be obtained first. For example, ACL1 may correspond to Port1 and ACL2 to Port2; the application object identifier Port1 is then obtained for ACL1 and Port2 for ACL2.
Step S120: obtain the ACEs one by one from the at least one ACE in the ACL in order of ACE priority from high to low.
Each ACL may include a plurality of ACEs, each with a corresponding priority; the priority, i.e. the position of each ACE among the ACEs of the ACL, may be the rule identifier described above. Specifically, ACEs may be obtained from the ACL one by one in order of rule identifier from small to large.
Step S130: add the corresponding application object identifier to the obtained ACE.
After an ACE is obtained, the application object identifier corresponding to the ACE is added to the entry information of the ACE, so that the entry information of the ACE is complete.
Step S140: write the ACE, with the application object identifier added, into free hardware entries of the memory in order of hardware entry value from small to large.
The hardware entry value is distinct from the hardware priority: it represents the front-to-back order of the physical location of each hardware entry in the memory and may be represented by Index0, 1, 2 … n, where n is the number of hardware entries.
Referring to FIG. 1 and FIG. 8, in the embodiment of the present application the order of the physical locations of the hardware entries may be represented by the hardware entry values from small to large; that is, the physical location of the hardware entry represented by Index0 precedes that of Index1, which precedes that of Index2, and so on. In other embodiments the order of hardware entry values from large to small may be used instead, and neither choice should be construed as limiting the present application.
Specifically, referring to FIG. 8, all ACEs may be written with the same hardware priority, for example 1000, so that a manually configured hardware priority no longer influences the position at which an ACE is written. The hardware entries are then examined in order of hardware entry value from small to large to determine whether each is free. For example, the hardware entry represented by Index0 is examined first; if it is free, the highest-priority ACE of the ACL being written is written into it. The ACE with the second-highest priority is then obtained and given its application object identifier; Index0 is examined again, found to be occupied by the ACE just written, and Index1 is examined next; if Index1 is free, the second-highest-priority ACE is written into it, and so on. This process is repeated, searching the memory for free hardware entries in ascending order of hardware entry value and, whenever a free hardware entry is found, writing into it the ACE currently obtained and tagged with the application object identifier.
Each hardware entry of the memory is thus traversed in ascending order of hardware entry value: if the hardware entry is free, the ACE is written into it; if the hardware entry already holds another ACE, the next hardware entry in ascending order is examined. Because an ACE is written into whichever hardware entry is free, rather than into a contiguous run of hardware entries as in the prior art, the ACEs of ACLs already in the memory need not be moved, and efficiency is improved.
Optionally, referring to fig. 4, after step S140 the method may further include the following steps:
Step S150, obtaining the hardware table entry identifier of the hardware table entry into which the ACE was written.
The hardware table entry identifier is the identity information that identifies a particular hardware table entry in the memory. In the embodiment of the present application, the hardware table entry identifier may be the above-mentioned hardware table entry value Index0, 1, 2 … n.
Step S160, establishing a corresponding relationship between the ACE and the hardware table identifier.
After the ACE is written into a hardware table entry of the memory, the hardware table entry identifier of that hardware table entry can be obtained and the correspondence between the ACE and the hardware table entry identifier established, so that the ACE can later be found in the memory by its hardware table entry identifier, which facilitates the subsequent operations.
Optionally, referring to fig. 4, the method may further include the following steps:
Step S210, after an ACE is newly added to the ACL, obtaining the hardware table entry identifier corresponding to each ACE of the ACL that has already been written into the memory.
When an ACE is added to an ACL, the ACL stored in the memory must be updated so that the stored ACL also contains the added ACE; to this end, the hardware table entry identifier corresponding to each ACE of the ACL already stored in the memory is obtained.
Step S220, deleting from the memory the ACE corresponding to the hardware table entry identifier of each ACE of the ACL that has been written into the memory.
Each ACE of the ACL that has been written into the memory is deleted according to the hardware table entry identifiers obtained in step S210; step S110 is then executed, and the ACL including the newly added ACE is written into the memory again by performing steps S110 to S140 in order.
That is, when an ACE is newly added to an ACL, the ACEs of that ACL originally stored in the memory are deleted, and the ACL with the newly added ACE is rewritten into the memory; the rewriting steps may be the same as those used to write the ACL into the memory for the first time. In this way the priority order of the ACEs in the ACL is guaranteed, and the ACEs already stored in the memory do not need to be moved.
Optionally, referring to fig. 5, the method may further include the following steps:
Step S310, if a first ACL receives an ACE deletion instruction, obtaining a first hardware table entry identifier of the ACE to be deleted from the first ACL.
Step S320, deleting the ACE corresponding to the first hardware table entry identifier from the memory.
If the first ACL receives an ACE deletion instruction, that is, a certain ACE is to be deleted from the first ACL stored in the memory, the ACE to be deleted can be found in the memory according to its hardware table entry identifier and then deleted directly. Deleting an ACE from the memory leaves an idle hardware table entry, which can be used for inserting an ACE of an ACL received later, again in order of hardware table entry value from small to large.
Optionally, referring to fig. 6, the method may further include the following steps:
Step S410, if a second ACL receives an ACE modification instruction, obtaining a second hardware table entry identifier of the ACE to be modified from the second ACL, where the ACE modification instruction includes information on the updated action behavior of the ACE.
The action behavior may include actions such as flow rate limiting, flow mirroring and flow statistics. For example, if the action behavior of the ACE to be modified is flow rate limiting before the update and flow statistics after the update, the action behavior included in the ACE modification instruction is the one representing flow statistics.
Step S420, in the memory, modifying the action behavior of the ACE in the entry corresponding to the second hardware table entry identifier to the updated action behavior.
If the second ACL receives an ACE modification instruction, that is, the action behavior of a certain ACE in the second ACL stored in the memory is to be modified, the ACE to be modified can be found in the memory according to its hardware table entry identifier, and its action behavior is then changed to the updated action behavior carried in the ACE modification instruction. Through the correspondence between the ACE and the hardware table entry identifier, the action behavior of a given ACE can be modified quickly. Both the ACE deletion instruction and the ACE modification instruction may be instructions issued by a user.
When a message arrives at the network device and needs to be filtered by an ACL in the network device, the key values of the message (such as source MAC, destination MAC, source IP, destination IP and protocol number) and the application object on which the message acts are obtained, and the key values and the application object are used together as the matching condition. The ACEs in the memory are searched one by one in the order of the physical positions of the hardware table entries; as soon as one ACE matches the message, the search ends and the message is processed according to the action behavior of that ACE: for example, if the action behavior is permit, the message continues to be forwarded; if the action behavior is deny, the message is discarded. If no ACE in the memory matches the message, the message is not processed.
When the ACEs of the ACLs are written into the memory with the data processing method provided by the embodiment of the present application, the ACEs of different ACLs may be interleaved with each other, as shown in fig. 8. However, the ACLs are always applied to different application objects, and the application object on which a message acts is itself one of the matching conditions; in the TCAM one application object does not have two or more ACLs, and two ACLs do not share the same application object. The ACLs applied to different application objects therefore do not interfere with each other: although the ACEs of ACL1 and ACL2 are interleaved, the priority order of the ACEs inside each ACL does not change.
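As an added illustration (not the patent's own code), the following Python model implements the first embodiment end to end: priority-ordered writes into the lowest idle hardware table entry with the application object identifier attached (steps S110 to S160), delete-and-rewrite when an ACE is added (S210/S220), deletion and action modification through the entry identifier (S310 to S420), and the first-match lookup in physical order with the application object as part of the match condition. Class and field names, the slot count and the sample ACLs are assumptions made here.

```python
"""Added model of the first embodiment's free-slot ACE write scheme (not the patent's code).

Hardware table entries are a list of slots; the list index is the hardware table entry
value (Index0, Index1, ...) and list order is the physical order the lookup walks.
All ACEs share one hardware priority (the text uses 1000), so only the scan order
decides the write position. Field names and the sample ACLs are constructed here.
"""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class ACE:
    priority: int  # higher value = higher priority inside its own ACL
    match: dict    # key fields (src_ip, dst_ip, proto, ...); a missing key is a wildcard
    action: str    # "permit", "deny", "rate_limit", "mirror", "count", ...


@dataclass
class HwEntry:
    app_id: int    # application object identifier (port / VLAN / device) added to the ACE
    ace: ACE


class TcamModel:
    def __init__(self, size: int) -> None:
        self.slots: list[Optional[HwEntry]] = [None] * size
        # ACL name -> hardware table entry identifiers of its ACEs (steps S150/S160)
        self.index: dict[str, list[int]] = {}

    def _lowest_free(self) -> int:
        """Step S140: scan entry values from small to large and return the first idle one."""
        for idx, slot in enumerate(self.slots):
            if slot is None:
                return idx
        raise RuntimeError("no idle hardware table entry")

    def write_acl(self, name: str, app_id: int, aces: list[ACE]) -> list[int]:
        """Steps S110-S160: write the ACL's ACEs, highest priority first, into idle entries."""
        ids = []
        for ace in sorted(aces, key=lambda a: a.priority, reverse=True):
            idx = self._lowest_free()
            self.slots[idx] = HwEntry(app_id, ace)  # S130: the ACE carries its application object
            ids.append(idx)
        self.index[name] = ids
        return ids

    def add_ace(self, name: str, app_id: int, new_ace: ACE) -> list[int]:
        """Steps S210/S220: free every entry of the ACL, then rewrite it with the new ACE."""
        old = [self.slots[i].ace for i in self.index[name]]
        for i in self.index[name]:
            self.slots[i] = None
        return self.write_acl(name, app_id, old + [new_ace])

    def delete_ace(self, name: str, hw_id: int) -> None:
        """Steps S310/S320: free one entry; a later ACL write may reuse the slot."""
        self.index[name].remove(hw_id)
        self.slots[hw_id] = None

    def modify_action(self, name: str, hw_id: int, new_action: str) -> None:
        """Steps S410/S420: change the action of one ACE in place via its entry identifier."""
        if hw_id not in self.index[name]:
            raise KeyError(f"entry {hw_id} does not belong to {name}")
        entry = self.slots[hw_id]
        entry.ace = replace(entry.ace, action=new_action)

    def lookup(self, app_id: int, packet: dict) -> Optional[tuple[str, int]]:
        """Walk entries in physical order; the application object is part of the match."""
        for idx, slot in enumerate(self.slots):
            if slot is None or slot.app_id != app_id:
                continue
            if all(packet.get(k) == v for k, v in slot.ace.match.items()):
                return slot.ace.action, idx  # first hit ends the search
        return None  # no ACE matched: the message is left unprocessed

    def priority_order_ok(self, name: str) -> bool:
        """Invariant: inside one ACL, higher priority must sit at a smaller entry value."""
        ids = sorted(self.index[name])
        prios = [self.slots[i].ace.priority for i in ids]
        return prios == sorted(prios, reverse=True)


def demo() -> TcamModel:
    """Constructed scenario: two ACLs on two ports, then a delete and an add interleave them."""
    t = TcamModel(size=8)
    acl1 = [ACE(10, {"src_ip": "10.0.0.5"}, "deny"),
            ACE(5, {"proto": 6}, "permit"),
            ACE(1, {}, "deny")]                       # catch-all at lowest priority
    acl2 = [ACE(9, {"dst_ip": "10.0.0.9"}, "deny"),
            ACE(1, {}, "permit")]
    t.write_acl("ACL1", app_id=1, aces=acl1)          # occupies Index0, 1, 2
    t.write_acl("ACL2", app_id=2, aces=acl2)          # occupies Index3, 4
    t.delete_ace("ACL1", 1)                           # Index1 becomes idle
    t.add_ace("ACL2", 2, ACE(4, {"proto": 17}, "count"))  # ACL2 rewritten into Index1, 3, 4
    return t
```

After `demo()`, ACL2 sits at Index1, 3 and 4 and ACL1 at Index0 and 2, yet `priority_order_ok` holds for both and a lookup on port 2 never hits an ACL1 entry. Note that `add_ace` leaves the ACL absent from the table between the deletion and the rewrite; the page does not say how traffic on that application object is treated during that window, so a deployment needs its own answer.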
Second embodiment
Referring to fig. 7, fig. 7 shows a network device provided in a second embodiment of the present application, where the network device 700 includes:
the identifier obtaining module 710 is configured to obtain an application object identifier of an application object corresponding to the ACL.
An ACE obtaining module 720, configured to sequentially obtain ACEs from at least one ACE in the ACL according to the order of priorities of the ACEs from high to low.
An identifier adding module 730, configured to add the corresponding application object identifier to the obtained ACE.
An ACE writing module 740, configured to write the ACEs to which the application object identifiers have been added into idle hardware table entries in the memory, in order of hardware table entry value from small to large.
The network device may further comprise:
A hardware identifier obtaining module, configured to obtain the hardware table entry identifier of the hardware table entry into which the ACE was written.
A hardware identifier correspondence module, configured to establish the correspondence between the ACE and the hardware table entry identifier.
An ACE adding module, configured to obtain, after an ACE is newly added to the ACL, the hardware table entry identifier corresponding to each ACE of the ACL that has been written into the memory.
An ACL deleting module, configured to delete from the memory the ACE corresponding to the hardware table entry identifier of each ACE of the ACL that has been written into the memory.
An ACE deletion module, configured to obtain, if a first ACL receives an ACE deletion instruction, a first hardware table entry identifier of the ACE to be deleted from the first ACL; and further configured to delete the ACE corresponding to the first hardware table entry identifier from the memory.
An ACE modification module, configured to obtain, if a second ACL receives an ACE modification instruction, a second hardware table entry identifier of the ACE to be modified from the second ACL, where the ACE modification instruction includes information on the updated action behavior of the ACE; and further configured to modify, in the memory, the action behavior of the ACE in the entry corresponding to the second hardware table entry identifier to the updated action behavior.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working process of the network device described above may refer to the corresponding process in the foregoing method, and will not be described in too much detail herein.
The present application further provides an electronic device, comprising: a processor, a memory and a bus, the memory storing machine-readable instructions executable by the processor, the processor and the memory communicating over the bus when the network device is operating, the machine-readable instructions when executed by the processor performing the method of the first embodiment.
The present application also provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs the method of the first embodiment.
The present application also provides a computer program product which, when run on a computer, causes the computer to perform the method of the first embodiment.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working process of the system described above may refer to the corresponding process in the foregoing method, and will not be described in too much detail herein.
An embodiment of the present application provides a data processing method, a network device, and a computer-readable storage medium, which are used for processing at least one access control entry ACE in an access control list ACL, and include: acquiring an application object identifier of an application object corresponding to the ACL; sequentially acquiring the ACEs from the at least one ACE in the ACL in order of priority from high to low; adding the corresponding application object identifier to the obtained ACE; and writing the ACE with the application object identifier added into idle hardware table entries in a memory in order of hardware table entry value from small to large. In the embodiment of the application, the ACEs are written into the memory by insertion into idle hardware table entries; compared with existing approaches that require the ACEs of an ACL to occupy contiguous hardware table entries, the ACEs of an ACL already in the memory do not need to be moved, and efficiency is improved.
It should be noted that, in the present specification, the embodiments are all described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments may be referred to each other. For the device-like embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method can be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes. It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The above description is only a preferred embodiment of the present application and is not intended to limit the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application. It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (9)

1. A data processing method for processing at least one access control item ACE in an access control list ACL, the method comprising:
acquiring an application object identifier of an application object corresponding to the ACL; the application object comprises a port of network equipment, a virtual local area network of the network equipment or the network equipment;
sequentially acquiring the ACEs from at least one ACE in the ACL according to the order of the priorities of the ACEs from high to low;
adding the corresponding application object identification for the obtained ACE;
writing the ACE added with the application object identifier into idle hardware table entries in a memory according to the sequence of the hardware table entry values from small to large;
before the obtaining of the application object identifier of the application object corresponding to the ACL, the method further includes:
after an ACE is newly added in the ACL, acquiring a hardware table item identifier corresponding to each ACE which is written into a memory in the ACL;
deleting, from the memory, the ACE corresponding to the hardware table entry identifier of each ACE of the ACL that has been written into the memory.
2. The method of claim 1, wherein after the ACE added with the application object identifier is written into a free hardware entry in a memory in an order from a small value to a large value of the hardware entry, the method further comprises:
acquiring the hardware table entry identifier of the hardware table entry into which the ACE is written;
and establishing a corresponding relation between the ACE and the hardware table item identifier.
3. The method of claim 2, further comprising:
if a first ACL receives an ACE deletion instruction, acquiring a first hardware table item identifier of an ACE to be deleted from the first ACL;
deleting, from the memory, the ACE corresponding to the first hardware table entry identification.
4. The method of claim 2, further comprising:
if a second ACL receives an ACE modification instruction, acquiring a second hardware table item identifier of an ACE to be modified from the second ACL, wherein the ACE modification instruction comprises the information of the action behavior after the ACE is updated;
in the memory, modifying the action behavior of the ACE in the entry corresponding to the second hardware entry identification to an updated action behavior.
5. A network device, the device comprising:
the identification acquisition module is used for acquiring the application object identification of the application object corresponding to the ACL; the application object comprises a port of network equipment, a virtual local area network of the network equipment or the network equipment;
the ACE obtaining module is used for sequentially obtaining the ACEs from at least one ACE in the ACL according to the sequence of the priorities of the ACEs from high to low;
the identification adding module is used for adding the corresponding application object identification for the acquired ACE;
the ACE writing module is used for writing the ACE added with the application object identifier into idle hardware table entries in a memory according to the sequence of the hardware table entry values from small to large;
an ACE adding module, configured to obtain a hardware table entry identifier corresponding to each ACE written into a memory in the ACL after an ACE is added in the ACL;
and the ACL deleting module is used for deleting the ACE corresponding to the hardware table entry identification corresponding to each ACE which is written into the memory in the ACL from the memory.
6. The network device of claim 5, wherein the device further comprises:
the hardware identification acquisition module is used for acquiring the hardware table entry identifier of the hardware table entry into which the ACE is written;
and the hardware identifier corresponding module is used for establishing the corresponding relation between the ACE and the hardware table item identifier.
7. The network device of claim 6, wherein the device further comprises:
the ACE deletion module is used for acquiring a first hardware table item identifier of an ACE to be deleted from a first ACL if the first ACL receives an ACE deletion instruction;
and further configured to delete the ACE corresponding to the first hardware table entry identification from the memory.
8. The network device of claim 6, wherein the device further comprises:
the ACE modification module is used for acquiring a second hardware table item identifier of an ACE to be modified from a second ACL if the second ACL receives an ACE modification instruction, wherein the ACE modification instruction comprises information of action behaviors of the ACE after updating;
and further configured to modify, in the memory, an action behavior of an ACE in an entry corresponding to the second hardware entry identification to an updated action behavior.
9. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, which computer program, when being executed by a processor, performs the data processing method of any one of claims 1-4.
Application CN201811566794.2A, priority date 2018-12-19, filing date 2018-12-19: Data processing method, network equipment and computer readable storage medium. Status: Active. Publication: CN109688126B (en).

Publications (2)

Publication Number Publication Date
CN109688126A CN109688126A (en) 2019-04-26
CN109688126B true CN109688126B (en) 2021-08-17

Family

ID=66188442

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant