CN111131079A - Policy query method and device - Google Patents


Publication number
CN111131079A
Authority
CN
China
Prior art keywords
message
message processing
dictionary tree
updated
path
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201911363429.6A
Other languages
Chinese (zh)
Other versions
CN111131079B (en
Inventor
方海名
钱雪彪
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou DPTech Technologies Co Ltd
Original Assignee
Hangzhou DPTech Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou DPTech Technologies Co Ltd filed Critical Hangzhou DPTech Technologies Co Ltd
Priority to CN201911363429.6A priority Critical patent/CN111131079B/en
Publication of CN111131079A publication Critical patent/CN111131079A/en
Application granted granted Critical
Publication of CN111131079B publication Critical patent/CN111131079B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L49/00 Packet switching elements
    • H04L49/90 Buffering arrangements
    • H04L49/9063 Intermediate storage in different physical parts of a node or terminal
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/901 Indexing; Data structures therefor; Storage structures
    • G06F16/9027 Trees
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/903 Querying
    • G06F16/90335 Query processing

Landscapes

  • Engineering & Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computational Linguistics (AREA)
  • Software Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

This specification discloses a policy query method and device. The method is applied to a service board in a frame device and includes: any service board constructs a dictionary tree from its local message processing policies and uses it as the effective dictionary tree, where each path of the dictionary tree from the root node to a leaf node corresponds to one message processing policy; after receiving a message, the service board queries the corresponding path in the currently effective dictionary tree according to the message information and executes, on the message, the message processing operation corresponding to the leaf node of the queried path; and if the updated dictionary tree is successfully constructed, the currently effective dictionary tree is replaced with the updated dictionary tree. The method improves the efficiency of querying message processing policies on the service board.

Description

Policy query method and device
Technical Field
The embodiments of this specification relate to the field of network communication, and in particular to a policy query method and device.
Background
A frame device comprises service boards and a management board. The management board updates, at irregular intervals, the same set of message processing policies on every service board, and each service board processes received messages according to its local message processing policies. Each message processing policy contains at least two parts: a message matching condition and a message processing operation. The message processing policies configured by the management board are stored on the service board as a linked list. The service board queries the policies in this local linked list and applies the corresponding message processing operation to a message that satisfies a policy's matching condition.
Specifically, after receiving a message through a port, the frame device determines which service board is to process it and forwards the message to that service board. The service board checks its stored linked-list nodes one by one against the five-tuple of the message and the port on which the message was received, determines the policy matching condition that the message satisfies, and executes the corresponding message processing operation.
Because the linked list is built in the order of the policies and can only be queried node by node, query efficiency with this method is low.
Disclosure of Invention
To improve query efficiency, this specification provides a policy query method and device. The technical solution is as follows:
A policy query method is applied to a service board in a frame device. The frame device further comprises a management board; the service board stores at least one message processing policy issued by the management board, and each message processing policy comprises a message matching condition and a message processing operation. The method comprises the following steps:
any service board constructs a dictionary tree according to its local message processing policies and uses it as the effective dictionary tree, where each path of the dictionary tree from the root node to a leaf node corresponds to one message processing policy, the leaf node of the path corresponds to the message processing operation of that policy, and the non-leaf nodes of the path correspond to the message matching condition of that policy;
after receiving a message, querying the corresponding path in the currently effective dictionary tree according to the message information, and executing, on the message, the message processing operation corresponding to the leaf node of the queried path;
after detecting that the stored message processing policies have been updated by the management board, constructing an updated dictionary tree according to the updated message processing policies, and, if the updated dictionary tree is successfully constructed, replacing the currently effective dictionary tree with the updated dictionary tree.
A policy query device is configured on a service board in a frame device. The frame device further comprises a management board; the service board stores at least one message processing policy issued by the management board, and each message processing policy comprises a message matching condition and a message processing operation. The device comprises:
an initial construction unit, configured to construct a dictionary tree according to the local message processing policies and use it as the effective dictionary tree, where each path of the dictionary tree from the root node to a leaf node corresponds to one message processing policy, the leaf node of the path corresponds to the message processing operation of that policy, and the non-leaf nodes of the path correspond to the message matching condition of that policy;
a query unit, configured to query, after a message is received, the corresponding path in the currently effective dictionary tree according to the message information, and to execute, on the message, the message processing operation corresponding to the leaf node of the queried path;
and an updating unit, configured to construct an updated dictionary tree according to the updated message processing policies after detecting that the stored message processing policies have been updated by the management board, and to replace the currently effective dictionary tree with the updated dictionary tree if the updated dictionary tree is successfully constructed.
In this technical solution, a dictionary tree structure replaces the linked list structure, which reduces the number of matching operations; in addition, a main/standby approach shortens the time during which queries cannot be performed, further improving policy query efficiency.
Drawings
To illustrate the embodiments of this specification or the technical solutions in the prior art more clearly, the drawings used in describing them are briefly introduced below. The drawings described below show only some of the embodiments of this specification, and those skilled in the art can derive other drawings from them.
Fig. 1 is a schematic structural diagram of a frame device provided in an embodiment of this specification;
Fig. 2 is a schematic diagram of a policy storage structure provided in an embodiment of this specification;
Fig. 3 is a schematic diagram of another policy storage structure provided in an embodiment of this specification;
Fig. 4 is a flowchart of a policy query method provided in an embodiment of this specification;
Fig. 5 is a schematic structural diagram of policy storage on a gateway board provided in an embodiment of this specification;
Fig. 6 is a schematic structural diagram of policy storage on an access board provided in an embodiment of this specification;
Fig. 7 is a schematic structural diagram of a policy query device provided in an embodiment of this specification;
Fig. 8 is a schematic structural diagram of a device for configuring the method according to an embodiment of this specification.
Detailed Description
Fig. 1 is a schematic structural diagram of a frame device provided in an embodiment of this specification. The frame device has a plurality of interfaces, a management board, and at least one service board. The frame device can send and receive messages over the interfaces. The management board can issue message processing policies to the service boards and update them at irregular intervals. The service board can query the message processing policies locally and process received messages.
Each message processing policy contains at least two parts: a message matching condition and a message processing operation. The message matching condition may include the message five-tuple (destination IP, destination port, source IP, source port, and protocol number) and/or message interface information (the number of the interface on the frame device that received the message, that is, the message input interface number) and/or a security domain identifier. The message processing operation may be discarding, forwarding, or receiving.
More specifically, the message processing policies issued and updated by the management board may be defined by an administrator and delivered to the management board at irregular intervals.
The service boards have the following characteristics:
(1) Different service boards have different functions, for example gateway boards and access boards. A gateway board can forward or discard received messages; an access board can receive messages into the board for processing or discard them. The frame device can distribute different messages to different service boards to implement different functions. For example, a message received on an interface connected to a network is distributed to a gateway board, so that the gateway board performs the gateway function; a message received on an interface connected to other equipment is distributed to an access board, so that the access board performs the receiving function.
(2) The message processing policies stored locally on different service boards are all the same; that is, the management board issues the same message processing policies to each service board.
(3) Different service boards query policies for a message in different ways. A message forwarded to a service board may carry its message input interface number. A gateway board can convert the message input interface number into a security domain identifier and use it to query the message processing policies; an access board can query the message processing policies with the message input interface number directly.
A security domain identifier represents a set of interface numbers. For example, security domain 1 represents interface numbers 1, 2, 3, 4, 5, and security domain 2 represents interface numbers 6, 7, 8, 9, 10. After receiving a message whose message input interface number is 1, the gateway board replaces the message input interface number with security domain 1 for matching against the message processing policies.
The service board queries the message processing policies locally and processes the received message. Specifically, the service board can process the message information of the received message (including the five-tuple and/or the message input interface number), then compare the message information with the message matching conditions of the local message processing policies one by one, and, if the message information matches a message matching condition (that is, the two are the same), execute the corresponding message processing operation on the message.
For example, an access board compares the message information of a received message with the message matching conditions of the local message processing policies, and if it finds a policy whose matching condition is the same as the message information, it executes that policy's message processing operation on the message.
A gateway board processes the message information of a received message, converting the message input interface number into a security domain identifier, then compares the result with the message matching conditions of the local message processing policies, and if it finds a policy whose matching condition is the same as the message information, it executes that policy's message processing operation on the message.
The message processing policies are stored in a linked list in the order in which they were issued: the policy corresponding to an earlier node in the list was issued to the service board before the policy corresponding to the next node.
Fig. 2 is a schematic diagram of a policy storage structure provided in an embodiment of this specification. The message processing policies issued by the management board to the service board are shown in Table 1:
Table 1. Example message processing policies [table image not reproduced]
However, because the message processing policies are stored in a linked list, the service board can only compare the nodes of the linked list one by one, from front to back, when querying by message information. The nodes of the linked list are unrelated to one another: comparing the message information with the matching condition of a node only determines whether that node's policy is the correct one, and the position of the correct policy can only be determined after traversing all the nodes in the linked list, so query efficiency is very low.
For example, if the node corresponding to the correct message processing policy is at the end of the linked list, the service board must compare the message information with the matching conditions of all preceding nodes one by one before it finds the correct policy.
To help those skilled in the art better understand the technical solutions in the embodiments of this specification, these solutions are described in detail below with reference to the drawings. The described embodiments are only some, not all, of the embodiments of this specification. All other embodiments that a person of ordinary skill in the art can derive from the embodiments given here are intended to fall within the scope of protection.
To address this technical problem, the service board can store the message processing policies in a dictionary tree structure. Fig. 3 is a schematic diagram of another policy storage structure provided in an embodiment of this specification. The message processing policies issued by the management board to the service board are those shown in Table 1, and the service board stores them in a dictionary tree structure. From top to bottom, the levels of the tree are: the root node, the nodes corresponding to the message input interface number or security domain identifier, the nodes corresponding to the destination IP, the nodes corresponding to the destination port, the nodes corresponding to the source IP, the nodes corresponding to the source port, the nodes corresponding to the protocol number, and the nodes corresponding to the message processing operation.
With the policies stored in a dictionary tree, the correct message processing policy for a message can be found within a small, bounded number of queries. Each time a branch is determined the query range shrinks, so there is no need to traverse all locally stored message processing policies, and query efficiency is effectively improved.
For example, the message processing policy is queried in the dictionary tree shown in Fig. 3 according to the message information of a message. The message information includes message input interface 1, destination IP1, destination port 1, source IP1, source port 1, and protocol number 1.
According to the message information, the child node corresponding to message input interface 1 is determined from the root node, so the node corresponding to security domain 1 and its descendant nodes need not be queried, which greatly reduces the query range. From the node corresponding to message input interface 1, the child node corresponding to destination IP1 is determined, and the remaining fields are queried and determined in turn. Finally, the message processing operation corresponding to the leaf node is determined to be forwarding, and the path from the root node to that leaf node is the queried message processing policy. Based on the message information, the correct message processing policy is determined within seven queries.
Because the nodes of the dictionary tree are related (each child node is a branch condition of its parent node), the child node can be uniquely determined from the parent node according to the message information, which determines a unique path from the root node to a leaf node. The dictionary tree therefore limits the query to reach the leaf node, that is, the correct message processing policy, within a bounded number of queries, and this number does not exceed the height of the root node of the dictionary tree.
The path corresponds to the queried message processing policy, and the leaf node corresponds to the message processing operation.
The dictionary tree may of course be constructed in other ways, for example by grouping the nodes corresponding to the five-tuple information together as child nodes of the node corresponding to the message input interface or the security domain identifier, or by making the node corresponding to the protocol number the parent of the node corresponding to the destination IP, and so on.
Note one special case in constructing the dictionary tree: several message processing policies may have the same message matching condition but different message processing operations, in which case the leaf nodes of the constructed dictionary tree may have siblings. When querying policies with the dictionary tree, priorities can be assigned to the different leaf nodes of the same parent node, or a particular leaf node can be determined according to the type of the service board. The priority may be specified by the management board.
As long as each path from the root node to a leaf node of the dictionary tree corresponds to a message processing policy, and the leaf node corresponds to a message processing operation, the dictionary tree can be used to query message processing policies regardless of how it is constructed. The specific method of constructing the dictionary tree is therefore not to be construed as a limitation on the solution of this specification.
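The following added example (not code from the patent) builds the dictionary tree in the Fig. 3 field order and compares its lookup cost with a linked-list scan; it also shows the gateway board's security-domain conversion and the choice among sibling leaves. The sample policies, the `("if", n)` / `("domain", n)` key encoding, the function names, and the rule that a larger number means higher priority are assumptions made for illustration.

```python
FIELDS = ("ingress", "dst_ip", "dst_port", "src_ip", "src_port", "proto")
LEAF = object()  # sentinel key: holds the (priority, operation) leaves of a path

# Security domain -> interface numbers, using the values from the description.
SECURITY_DOMAINS = {1: {1, 2, 3, 4, 5}, 2: {6, 7, 8, 9, 10}}
# Operations each board type executes, per the description.
BOARD_OPS = {"gateway": {"forward", "discard"}, "access": {"receive", "discard"}}


def policy(ingress, dst_ip, dst_port, src_ip, src_port, proto, op, prio=0):
    """One policy: six-field matching condition, operation, priority (assumed field)."""
    return ((ingress, dst_ip, dst_port, src_ip, src_port, proto), op, prio)


def build_trie(policies):
    """Each root-to-leaf path is one policy; inner levels follow FIELDS order."""
    root = {}
    for match, op, prio in policies:
        node = root
        for value in match:
            node = node.setdefault(value, {})
        node.setdefault(LEAF, []).append((prio, op))  # same condition -> sibling leaves
    return root


def ingress_key(board, in_if):
    """Gateway boards match on the security domain, access boards on the interface."""
    if board == "gateway":
        for domain, members in SECURITY_DOMAINS.items():
            if in_if in members:
                return ("domain", domain)
        return None  # interface belongs to no domain: nothing can match
    return ("if", in_if)


def packet_key(board, pkt):
    return (ingress_key(board, pkt["in_if"]),) + tuple(pkt[f] for f in FIELDS[1:])


def trie_lookup(trie, board, pkt):
    """Return (operation or None, number of nodes examined)."""
    node, steps = trie, 0
    for value in packet_key(board, pkt):
        steps += 1
        node = node.get(value)
        if node is None:
            return None, steps  # branch missing: stop early, no policy matches
    steps += 1  # the leaf level
    runnable = [leaf for leaf in node[LEAF] if leaf[1] in BOARD_OPS[board]]
    return (max(runnable)[1] if runnable else None), steps


def list_lookup(policies, board, pkt):
    """Linked-list style baseline: compare entries one by one, front to back."""
    key = packet_key(board, pkt)
    for compared, (match, op, _prio) in enumerate(policies, start=1):
        if match == key and op in BOARD_OPS[board]:
            return op, compared
    return None, len(policies)


# Constructed sample data: 500 access-board policies plus two sibling-leaf cases.
POLICIES = [policy(("if", 1), f"10.0.{i // 250}.{i % 250}", 443, "192.0.2.1", 4000, 6, "receive")
            for i in range(500)]
POLICIES += [
    policy(("domain", 1), "10.9.9.9", 80, "192.0.2.7", 5000, 6, "forward", prio=1),
    policy(("domain", 1), "10.9.9.9", 80, "192.0.2.7", 5000, 6, "discard", prio=2),
    policy(("domain", 2), "10.9.9.9", 80, "192.0.2.7", 5000, 6, "receive", prio=9),
    policy(("domain", 2), "10.9.9.9", 80, "192.0.2.7", 5000, 6, "forward", prio=1),
]
TRIE = build_trie(POLICIES)
# Constructed packets: LAST matches the 500th policy; WEB matches the sibling-leaf policies.
LAST = {"in_if": 1, "dst_ip": "10.0.1.249", "dst_port": 443,
        "src_ip": "192.0.2.1", "src_port": 4000, "proto": 6}
WEB = {"dst_ip": "10.9.9.9", "dst_port": 80, "src_ip": "192.0.2.7",
       "src_port": 5000, "proto": 6}
```

On the constructed data, the list baseline needs 500 comparisons to reach the last policy, while the tree examines 7 nodes, the same count as the seven queries in the description's example.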
In practice, when the message processing policies are stored in a dictionary tree structure, the service board can keep using a dictionary tree for queries while the policies are being updated, which further improves query efficiency. The solution therefore adopts a main/standby approach: once the service board is using one dictionary tree as the effective dictionary tree for querying message processing policies, and the management board updates the policies, a standby updated dictionary tree is constructed from the updated policies. The effective dictionary tree is not affected and can continue to be used for policy queries. When the standby updated dictionary tree has been successfully constructed, it becomes the effective dictionary tree for policy queries, which reduces the time during which queries cannot be performed and improves query efficiency.
Fig. 4 is a schematic flowchart of a policy query method provided in an embodiment of this specification. The method is applied to a service board in a frame device. The frame device further includes a management board; the service board stores at least one message processing policy issued by the management board, and each message processing policy includes a message matching condition and a message processing operation.
The method may comprise the following steps,
which are executed for any service board.
S101: The service board constructs a dictionary tree according to its local message processing policies and uses it as the effective dictionary tree.
Each path of the dictionary tree from the root node to a leaf node corresponds to one message processing policy; the leaf node of the path corresponds to the message processing operation of that policy, and the non-leaf nodes of the path correspond to its message matching condition. The message matching condition may be a message five-tuple and a message input interface number, or a message five-tuple and a security domain identifier, and so on.
Moreover, the locally stored message processing policies may differ between types of service board; that is, the management board may issue different message processing policies to different types of service board. Details are given later.
The message processing policies of the service board are issued by the management board and may be stored in a linked list structure; the service board can construct the dictionary tree from the policies in that linked list.
S102: After receiving a message, the service board queries the corresponding path in the currently effective dictionary tree according to the message information and executes, on the message, the message processing operation corresponding to the leaf node of the queried path.
The message information may be a message quintuple and a message input interface number, or a message quintuple and a security domain identifier, or a message quintuple, a message input interface number, a security domain identifier, and the like, but the matching conditions of the message information and the security domain identifier are the same.
The message processing operation may be forwarding to other devices, receiving into the service board for processing, discarding, and so on.
If comparing the message information with the message matching conditions yields several leaf nodes, the leaf node with the highest priority can be taken as the queried leaf node and its message processing operation executed. Alternatively, a leaf node can be selected according to the type of the service board; for example, if the gateway board does not perform the receiving operation, the leaf node corresponding to the receiving operation need not be queried. The priority is specified by the management board.
S103: After detecting that the stored message processing policies have been updated by the management board, the service board constructs an updated dictionary tree according to the updated message processing policies, and, if the updated dictionary tree is successfully constructed, replaces the currently effective dictionary tree with the updated dictionary tree.
After the updated dictionary tree replaces the currently effective dictionary tree, it becomes the effective dictionary tree used in S102 for querying message processing policies.
After the updated dictionary tree has replaced the currently effective dictionary tree, if a message is detected whose query is still in progress in the replaced dictionary tree, the service board can continue that query in the replaced dictionary tree according to the message information. Once the query for that message succeeds, the replaced dictionary tree can be deleted or stored elsewhere.
By delaying the query, some message queries can be prevented from failing.
Messages that have not yet been queried are queried in the currently effective dictionary tree, not in the replaced dictionary tree.
While the updated dictionary tree is being constructed from the updated message processing policies, if it is detected that the management board has updated the stored policies again, the construction in progress may be stopped and the updated dictionary tree constructed anew from the latest message processing policies.
Restarting construction in this way reduces the number of dictionary trees that are built and produces the dictionary tree for the most recently issued policies as soon as possible, which improves policy query efficiency.
In addition to the above steps, to reduce the number of dictionary tree queries and allow messages to be looked up quickly, the service board may also store records for fast querying of message processing policies. Each record contains message information and a message processing operation, and message information corresponds to message processing operations one to one.
For any received message, the service board can check whether its message information exists in the non-invalidated records.
If it does, the service board directly executes the message processing operation corresponding to the found message information. If it does not, the service board queries the corresponding path in the currently effective dictionary tree, executes on the message the message processing operation corresponding to the leaf node of the queried path, and adds the message information and the message processing operation to the non-invalidated records.
After the updated dictionary tree has been successfully constructed according to the updated message processing policies, the existing non-invalidated records are invalidated.
Specifically, invalidation may be performed by deleting all existing non-invalidated records, by distinguishing different versions of the dictionary tree with a version number and adding the version number to each record, or by marking all existing non-invalidated records as invalid.
For example, different versions of the dictionary tree are distinguished by an incrementing version number: if the version number of the currently effective dictionary tree is n, then after an updated dictionary tree replaces it, the version number of the currently effective dictionary tree is n + 1.
If the message information of the message to be queried does not exist in the non-invalidated records, the service board queries the corresponding path in the currently effective dictionary tree, executes on the message the message processing operation corresponding to the leaf node of the queried path, and adds the message information, the message processing operation, and the version number of the currently effective dictionary tree to the records.
The record may be a table or a session.
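An added example of the main/standby replacement, the restart of construction on a newer update, and the version-stamped fast-query records described above; it is not code from the patent. A flat dict stands in for the dictionary tree, and the class and function names, the rule that an unknown operation makes construction fail, and the sample flows are assumptions.

```python
OPERATIONS = {"forward", "receive", "discard"}  # operations named in the description


def build_lookup(policies, cancelled=lambda: False):
    """Stand-in for dictionary-tree construction (a flat dict keeps the example short).

    Raises ValueError on a malformed policy (assumed failure condition);
    returns None if a newer update arrived while building.
    """
    table = {}
    for key, op in policies:
        if cancelled():
            return None
        if op not in OPERATIONS:
            raise ValueError(f"unknown operation {op!r}")
        table[key] = op
    return table


class PolicyTable:
    def __init__(self, policies):
        self._live = (build_lookup(policies), 1)  # (effective structure, version n)
        self._records = {}                        # message info -> (operation, version)
        self._generation = 0                      # id of the newest update request

    @property
    def version(self):
        return self._live[1]

    def update(self, policies):
        """Build the standby structure; swap it in only if construction succeeds."""
        self._generation += 1
        mine = self._generation
        try:
            standby = build_lookup(policies, lambda: mine != self._generation)
        except ValueError:
            return False  # failed build: the effective structure stays in service
        if standby is None:
            return False  # superseded by a newer update: abandon this build
        self._live = (standby, self.version + 1)  # single reference swap, n -> n + 1
        return True

    def query(self, key):
        """Return (operation or None, source); source is 'record' or 'tree'."""
        tree, version = self._live  # snapshot: an in-flight query keeps its tree
        hit = self._records.get(key)
        if hit is not None and hit[1] == version:
            return hit[0], "record"  # record was written under the effective version
        op = tree.get(key)  # stale or missing record: fall back to the tree
        if op is not None:
            self._records[key] = (op, version)  # stamp with the tree's version
        return op, "tree"


# Constructed flow keys: (ingress, dst IP, dst port, src IP, src port, protocol).
FLOW = (("if", 1), "10.0.0.1", 80, "192.0.2.1", 4000, 6)
OTHER = (("if", 2), "10.0.0.2", 22, "192.0.2.2", 4001, 6)


def mid_build_update(table, old, new):
    """Constructed scenario: a newer policy set arrives while `old` is being built."""
    for i, item in enumerate(old):
        if i == 1:
            table.update(new)
        yield item
```

Because a record is honoured only when its version equals the effective version, a flow cached as forward cannot keep being forwarded after an update changes its policy to discard.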
The steps are executed for one service board card, and different types of service board cards can store different message processing strategies issued by the management board card.
For example, the gateway board converts the message access interface number in the message information into a security domain identifier before comparing the message information with the message matching conditions. A message processing policy whose matching condition includes only the message access interface number therefore never matches the message information, and the gateway board never finds that policy in a query, so the management board may issue to the gateway board only message processing policies that include the security domain identifier.
The access board does not convert the message access interface number into a security domain identifier. When it compares the message information with the message matching conditions, a message processing policy whose matching condition includes only the security domain identifier never matches the message information, and the access board never finds that policy in a query, so the management board may issue to the access board only message processing policies that include the message access interface number.
If the gateway board card only performs forwarding and discarding operations, the management board card may issue to the gateway board card only message processing policies whose message processing operation is forwarding or discarding. The access board card only performs receiving and discarding operations, so the management board card may issue to the access board card only message processing policies whose message processing operation is receiving or discarding.
Fig. 5 is a schematic structural diagram of policy storage for a gateway board card provided in this embodiment, and Fig. 6 is a schematic structural diagram of policy storage for an access board card provided in this embodiment; the policies issued to the service board cards are all selected from Table 1 and issued by the management board card.
Different message processing policies are issued to different types of service board cards. Only policies that can possibly be matched successfully are issued, according to the characteristics of the service board card during condition matching and the operations it can execute; policies that cannot be matched or cannot be executed are not issued. Policies that a service board card can never match are thereby eliminated, which improves the utilization of storage space, reduces invalid branches during query, and improves query efficiency.
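The selection the management board card performs can be sketched as follows. This is an added example, not code from the patent: the policy table is constructed (it stands in for Table 1), and the field names `in_if`, `zone`, `proto`, `dport` and the helper names are assumptions.

```python
# Assumed model of what each board type has in its message information: the
# gateway board has already replaced the access interface number with a
# security domain identifier ("zone"); the access board still has "in_if".
BOARDS = {
    "gateway": {"fields": {"zone", "proto", "dport"}, "ops": {"forward", "discard"}},
    "access": {"fields": {"in_if", "proto", "dport"}, "ops": {"receive", "discard"}},
}

# Constructed policy table held by the management board card.
POLICIES = [
    {"id": 1, "match": {"in_if": 3, "dport": 22}, "op": "discard"},
    {"id": 2, "match": {"in_if": 3}, "op": "receive"},
    {"id": 3, "match": {"in_if": 4}, "op": "discard"},
    {"id": 4, "match": {"zone": "trust", "dport": 443}, "op": "forward"},
    {"id": 5, "match": {"zone": "untrust"}, "op": "discard"},
    {"id": 6, "match": {"zone": "dmz"}, "op": "receive"},
]


def plan_distribution(board, policies=POLICIES):
    """Split the table into policies to issue and policies to withhold, with a reason."""
    profile = BOARDS[board]
    issue, withheld = [], {}
    for policy in policies:
        missing = set(policy["match"]) - profile["fields"]
        if missing:
            # The board never sees this field, so the condition can never match.
            withheld[policy["id"]] = "can never match: board has no " + ", ".join(sorted(missing))
        elif policy["op"] not in profile["ops"]:
            withheld[policy["id"]] = "cannot execute: " + policy["op"]
        else:
            issue.append(policy)
    return issue, withheld


def first_match(policies, info):
    """Return the operation of the first policy whose conditions all hold, else None."""
    for policy in policies:
        if all(info.get(field) == value for field, value in policy["match"].items()):
            return policy["op"]
    return None


if __name__ == "__main__":
    for board in BOARDS:
        issued, skipped = plan_distribution(board)
        print(board, "issue:", [p["id"] for p in issued])
        for policy_id, reason in skipped.items():
            print("   withhold", policy_id, "-", reason)
```

The withheld list doubles as an audit trail for a rule push: every policy that does not reach a board has a stated reason, so a rule that silently never applies is visible before deployment.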
The above method embodiment has the following effects:
(1) The dictionary tree storage structure finds the correct message processing policy within a limited number of steps without traversing all message processing policies, which reduces the number of comparisons between message information and message matching conditions and improves query efficiency.
(2) The dictionary tree is updated in a main-standby mode, so the effective dictionary tree can continue to be used for policy query while the updated dictionary tree is being constructed, which shortens the time during which queries are impossible and improves query efficiency.
(3) The management board card issues different message processing policies to different types of service board cards, which reduces the number of invalid matches and the invalid branches during query, and improves query efficiency.
(4) Through the delayed query performed when the old dictionary tree is replaced by the new one, a message that is still being queried in the replaced dictionary tree can complete its query successfully, which reduces the number of messages whose queries fail and improves query efficiency.
(5) By monitoring whether a new policy update arrives while the updated dictionary tree is being constructed, interrupting the construction in time, and reconstructing the dictionary tree according to the latest message processing policy, the number of dictionary tree constructions is reduced and the latest message processing policy is used for message query as soon as possible, which improves query efficiency.
In addition to the above effects, because the dictionary tree is updated in a main-standby mode, message query and policy update can be executed at the same time without conflict.
For example, with linked-list storage, suppose message query and policy update are executed at the same time: while the service board card is comparing the nodes of the linked list one by one to find the correct message processing policy, the policy update deletes that policy. The service board card then cannot find the correct message processing policy, and may also access illegal memory because the stored data has changed. A linked-list structure therefore requires a synchronization lock: while the service board card is querying a policy, policy updates from the management board card are not accepted, and query efficiency is low.
With the main-standby mode, the dictionary tree used for message query and the dictionary tree being updated are not the same tree, so message query and policy update can proceed at the same time without conflict.
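The versioned non-failure record and the main-standby replacement described above can be sketched together as follows. This is an added example, not code from the patent: the field names, the wildcard handling, the first-policy-wins tie-break, the sample policies and the `PolicyEngine` class are all assumptions.

```python
import threading

FIELDS = ("zone", "proto", "dport")  # assumed order of match conditions, one trie level each
ANY = "*"                            # assumed wildcard for a condition a policy omits


def build_trie(policies, superseded=lambda: False):
    """Non-leaf levels hold match conditions; the leaf holds the processing operation."""
    root = {}
    for match, op in policies:
        if superseded():             # a newer policy set arrived: abandon this build
            return None
        node = root
        for field in FIELDS[:-1]:
            node = node.setdefault(match.get(field, ANY), {})
        node.setdefault(match.get(FIELDS[-1], ANY), op)  # earlier policy wins a tie
    return root


def lookup(node, info, depth=0):
    """Follow one root-to-leaf path; the exact value is tried before the wildcard."""
    if depth == len(FIELDS):
        return node                  # reached a leaf: the processing operation
    for key in (info[FIELDS[depth]], ANY):
        child = node.get(key)
        if child is not None:
            op = lookup(child, info, depth + 1)
            if op is not None:
                return op
    return None


class PolicyEngine:
    def __init__(self, policies):
        self._lock = threading.Lock()   # serialises updates only; lookups never take it
        self._generation = 0            # counts policy pushes from the management board
        self._active = (0, build_trie(policies))  # (version n, effective trie)
        self._records = {}              # message info -> (operation, trie version)

    @property
    def version(self):
        return self._active[0]

    def process(self, info):
        version, trie = self._active    # one read: a lookup in flight keeps its own tree
        key = tuple(info[f] for f in FIELDS)
        rec = self._records.get(key)
        if rec is not None and rec[1] == version:
            return rec[0], "record"     # non-failure record: skip the trie
        op = lookup(trie, info)         # record missing or from an older version
        self._records[key] = (op, version)
        return op, "trie"

    def update(self, policies):
        with self._lock:
            self._generation += 1
            mine = self._generation
        standby = build_trie(policies, lambda: self._generation != mine)
        with self._lock:
            if standby is None or self._generation != mine:
                return False            # superseded: only the newest build is swapped in
            self._active = (self._active[0] + 1, standby)  # version n -> n + 1
            return True


# Constructed sample policies: the update flips the first policy to "discard".
OLD = [({"zone": "trust", "proto": "tcp", "dport": 443}, "forward"), ({"zone": "untrust"}, "discard")]
NEW = [({"zone": "trust", "proto": "tcp", "dport": 443}, "discard"), ({"zone": "untrust"}, "discard")]


def demo():
    eng = PolicyEngine(OLD)
    pkt = {"zone": "trust", "proto": "tcp", "dport": 443}
    first, second = eng.process(pkt), eng.process(pkt)
    swapped = eng.update(NEW)
    return first, second, swapped, eng.process(pkt)  # stale "forward" record is ignored


def interrupted_update():
    eng, results = PolicyEngine(OLD), []

    def slow_feed():                    # a second push arrives in the middle of a build
        yield OLD[0]
        results.append(eng.update(NEW))
        yield OLD[1]

    results.append(eng.update(slow_feed()))
    return results, eng.version
```

Without the version check in `process`, the recorded "forward" decision would keep being applied after the policy changed to "discard".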
In addition to the above method embodiments, the present specification also discloses apparatus embodiments.
Fig. 7 is a schematic structural diagram of a policy query device according to an embodiment of the present disclosure. The device is configured on a service board card in a frame type device, the frame type device further comprises a management board card, the service board card stores at least one message processing strategy issued by the management board card, and different types of service board cards can store different message processing strategies issued by the management board card; any one of the message processing strategies comprises: message matching conditions and message processing operations; the device comprises:
an initial building unit 201, configured to build a dictionary tree according to a local message processing policy, and use the dictionary tree as an effective dictionary tree.
Each path of the dictionary tree from the root node to any leaf node corresponds to a message processing strategy, the leaf node of the path corresponds to the message processing operation of the message processing strategy, and the non-leaf node of the path corresponds to the message matching condition of the message processing strategy.
The query unit 202 is configured to, after receiving the message, query the corresponding path in the current effective dictionary tree according to the message information, and execute, for the message, a message processing operation corresponding to a leaf node of the queried path.
The updating unit 203 is configured to, after it is monitored that the stored message processing policy is updated by the management board card, construct an updated dictionary tree according to the updated message processing policy, and if it is determined that the updated dictionary tree is successfully constructed, replace the currently effective dictionary tree with the updated dictionary tree.
The update unit may specifically be configured to:
in the process of establishing the updated dictionary tree according to the updated message processing strategy, after the stored message processing strategy is monitored to be updated again by the management board card, the process of establishing the updated dictionary tree is stopped, and the updated dictionary tree is reestablished according to the updated message processing strategy.
The update unit may be further configured to: after replacing the currently effective dictionary tree with the updated dictionary tree, and after detecting that a message is still being queried in the replaced dictionary tree, continue to query the replaced dictionary tree according to the message information.
The query unit may be specifically configured to:
for any received message, query whether the message information exists in a non-failure record, wherein the non-failure record comprises message information and a message processing operation;
if so, directly execute the corresponding message processing operation;
if not, query the corresponding path in the currently effective dictionary tree, execute for the message the message processing operation corresponding to the leaf node of the queried path, and add the message information and the message processing operation to the non-failure record;
in this case, the update unit may be further configured to:
invalidate the non-failure record.
Embodiments of the present specification also provide a computer device, which at least includes a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor implements one of the aforementioned policy query methods when executing the program.
Fig. 8 is a schematic diagram illustrating a more specific hardware structure of a computing device according to an embodiment of the present disclosure. The computing device may include: a processor 1010, a memory 1020, an input/output interface 1030, a communication interface 1040, and a bus 1050. The processor 1010, the memory 1020, the input/output interface 1030, and the communication interface 1040 are communicatively coupled to each other within the device via the bus 1050.
The processor 1010 may be implemented by a general-purpose CPU (Central Processing Unit), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits, and is configured to execute related programs to implement the technical solutions provided in the embodiments of the present disclosure.
The memory 1020 may be implemented in the form of a ROM (Read Only Memory), a RAM (Random Access Memory), a static storage device, a dynamic storage device, or the like. The memory 1020 may store an operating system and other application programs, and when the technical solution provided by the embodiments of the present specification is implemented by software or firmware, the relevant program codes are stored in the memory 1020 and called to be executed by the processor 1010.
The input/output interface 1030 is used for connecting an input/output module to input and output information. The input/output module may be configured as a component in the device (not shown) or may be external to the device to provide a corresponding function. The input devices may include a keyboard, a mouse, a touch screen, a microphone, various sensors, etc., and the output devices may include a display, a speaker, a vibrator, an indicator light, etc.
The communication interface 1040 is used for connecting a communication module (not shown in the drawings) to implement communication interaction between the present apparatus and other apparatuses. The communication module can realize communication in a wired mode (such as USB, network cable and the like) and also can realize communication in a wireless mode (such as mobile network, WIFI, Bluetooth and the like).
Bus 1050 includes a path that transfers information between various components of the device, such as processor 1010, memory 1020, input/output interface 1030, and communication interface 1040.
It should be noted that although the above-mentioned device only shows the processor 1010, the memory 1020, the input/output interface 1030, the communication interface 1040 and the bus 1050, in a specific implementation, the device may also include other components necessary for normal operation. In addition, those skilled in the art will appreciate that the above-described apparatus may also include only those components necessary to implement the embodiments of the present description, and not necessarily all of the components shown in the figures.
Embodiments of the present specification also provide a computer-readable storage medium, on which a computer program is stored, and the program, when executed by a processor, implements a policy query method as described above.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
From the above description of the embodiments, it is clear to those skilled in the art that the embodiments of the present disclosure can be implemented by software plus necessary general hardware platform. Based on such understanding, the technical solutions of the embodiments of the present specification may be essentially or partially implemented in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments of the present specification.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. A typical implementation device is a computer, which may take the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email messaging device, game console, tablet computer, wearable device, or a combination of any of these devices.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the apparatus embodiment, since it is substantially similar to the method embodiment, it is relatively simple to describe, and reference may be made to some descriptions of the method embodiment for relevant points. The above-described apparatus embodiments are merely illustrative, and the modules described as separate components may or may not be physically separate, and the functions of the modules may be implemented in one or more software and/or hardware when implementing the embodiments of the present disclosure. And part or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
The foregoing is only a specific implementation of the embodiments of the present disclosure. It should be noted that those skilled in the art can make a number of improvements and modifications without departing from the principle of the embodiments of the present disclosure, and these improvements and modifications should also be regarded as falling within the protection scope of the embodiments of the present disclosure.

Claims (10)

1. A policy query method, applied to a service board card in a frame type device, wherein the frame type device further comprises a management board card, the service board card stores at least one message processing policy issued by the management board card, and any message processing policy comprises: message matching conditions and message processing operations; the method comprises the following steps:
any service board card constructs a dictionary tree according to a local message processing strategy, the dictionary tree is used as an effective dictionary tree, each path of the dictionary tree from a root node to any leaf node corresponds to a message processing strategy, the leaf node of the path corresponds to the message processing operation of the message processing strategy, and the non-leaf node of the path corresponds to the message matching condition of the message processing strategy;
after receiving the message, inquiring a corresponding path in the current effective dictionary tree according to the message information, and executing message processing operation corresponding to a leaf node of the inquired path aiming at the message;
and if the updated dictionary tree is successfully constructed, replacing the current effective dictionary tree with the updated dictionary tree.
2. The method of claim 1, wherein different types of the service boards store different message processing policies issued by the management board.
3. The method of claim 1, after replacing the currently active trie with the updated trie, further comprising:
after it is detected that a message is still being queried in the replaced dictionary tree, continuing to query the replaced dictionary tree according to the message information.
4. The method according to claim 1, wherein the querying a corresponding path in a current effective dictionary tree according to the message information, and for the message, performing a message processing operation corresponding to a leaf node of the queried path, specifically includes:
for any received message, querying whether the message information exists in the current non-failure record, wherein the non-failure record comprises the message information and the message processing operation;
if so, directly executing the corresponding message processing operation;
if not, querying the corresponding path in the currently effective dictionary tree, executing for the message the message processing operation corresponding to the leaf node of the queried path, and adding the message information and the message processing operation to the non-failure record;
after the dictionary tree is successfully updated according to the updated message processing policy, the method further comprises the following step:
invalidating the non-failure record.
5. The method according to claim 1, wherein the constructing an updated trie according to the updated message processing policy specifically includes:
in the process of establishing the updated dictionary tree according to the updated message processing strategy, after the stored message processing strategy is monitored to be updated again by the management board card, the process of establishing the updated dictionary tree is stopped, and the updated dictionary tree is reestablished according to the updated message processing strategy.
6. A policy query device, configured on a service board card in a frame type device, wherein the frame type device further comprises a management board card, the service board card stores at least one message processing policy issued by the management board card, and any message processing policy comprises: message matching conditions and message processing operations; the device comprises:
an initial construction unit, configured to construct a dictionary tree according to a local message processing policy, where the dictionary tree is used as an effective dictionary tree, each path of the dictionary tree from a root node to any leaf node corresponds to one message processing policy, the leaf node of the path corresponds to a message processing operation of the message processing policy, and a non-leaf node of the path corresponds to a message matching condition of the message processing policy;
the query unit is used for querying a corresponding path in the current effective dictionary tree according to the message information after receiving the message, and executing message processing operation corresponding to a leaf node of the queried path aiming at the message;
and the updating unit is used for establishing an updated dictionary tree according to the updated message processing strategy after monitoring that the stored message processing strategy is updated by the management board card, and replacing the current effective dictionary tree with the updated dictionary tree if the updated dictionary tree is successfully established.
7. The apparatus of claim 6, wherein different types of the service boards store different message processing policies issued by the management board.
8. The apparatus of claim 6, the update unit further to:
after replacing the currently effective dictionary tree with the updated dictionary tree, and after detecting that a message is still being queried in the replaced dictionary tree, continue to query the replaced dictionary tree according to the message information.
9. The apparatus of claim 6, the query unit to:
for any received message, query whether the message information exists in the current non-failure record, wherein the non-failure record comprises the message information and the message processing operation;
if so, directly execute the corresponding message processing operation;
if not, query the corresponding path in the currently effective dictionary tree, execute for the message the message processing operation corresponding to the leaf node of the queried path, and add the message information and the message processing operation to the non-failure record;
the update unit is further configured to:
invalidate the non-failure record.
10. The apparatus according to claim 6, the updating unit being specifically configured to:
in the process of establishing the updated dictionary tree according to the updated message processing strategy, after the stored message processing strategy is monitored to be updated again by the management board card, the process of establishing the updated dictionary tree is stopped, and the updated dictionary tree is reestablished according to the updated message processing strategy.
CN201911363429.6A 2019-12-26 2019-12-26 Policy query method and device Active CN111131079B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911363429.6A CN111131079B (en) 2019-12-26 2019-12-26 Policy query method and device

Publications (2)

Publication Number Publication Date
CN111131079A CN111131079A (en) 2020-05-08
CN111131079B CN111131079B (en) 2023-11-24

Family

ID=70502816

Country Status (1)

Country Link
CN (1) CN111131079B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant