CN116886395A - Configuration method and device of access control list rule and nonvolatile storage medium - Google Patents

Configuration method and device of access control list rule and nonvolatile storage medium

Publication number
CN116886395A
Authority
CN
China
Prior art keywords
different
access control
control list
index
ternary content
Prior art date
Legal status
Pending
Application number
CN202310968515.XA
Other languages
Chinese (zh)
Inventor
李胜奇
李杰群
付日哨
贾聿庸
Current Assignee
China Telecom Intelligent Network Technology Co ltd
Original Assignee
China Telecom Intelligent Network Technology Co ltd
Priority date
Filing date
Publication date
Application filed by China Telecom Intelligent Network Technology Co ltd
Priority to CN202310968515.XA
Publication of CN116886395A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/951 Indexing; Web crawling techniques
    • G06F16/953 Querying, e.g. by the use of web search engines

Landscapes

  • Engineering & Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Data Mining & Analysis (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a configuration method and device for access control list (ACL) rules and a nonvolatile storage medium. The method comprises the following steps: determining a plurality of index fields corresponding one to one to a plurality of flow policies; binding the different flow policies, together with the index fields corresponding to them, on different interfaces, and sending the different ACL rules corresponding to the different index fields to a ternary content addressable memory (TCAM); and matching fields in the different flow policies against fields in packets received by the different interfaces through different TCAM entries. The application solves the technical problem in the related art that, when global ACL rules are configured, different ACL rules have to be configured separately on a plurality of interfaces, which wastes TCAM resources.

Description

Configuration method and device of access control list rule and nonvolatile storage medium
Technical Field
The present application relates to the field of network technologies and security, and in particular, to a method and apparatus for configuring an access control list rule, and a nonvolatile storage medium.
Background
With the rapid development of networks, network security and network quality of service (QoS) problems have become increasingly prominent, and the access control list (ACL) is a technology closely related to both. By precisely identifying packet flows in the network and working together with other techniques, an ACL can control network access behaviour, block network attacks and improve bandwidth utilisation, thereby safeguarding the security of the network environment and the reliability of network service quality. In the related art, when a global ACL rule is configured, different ACL rules have to be configured separately on a plurality of interfaces, which wastes ternary content addressable memory (TCAM) resources.
In view of the above problems, no effective solution has been proposed at present.
Disclosure of Invention
Embodiments of the application provide a configuration method and device for access control list (ACL) rules and a nonvolatile storage medium, which at least solve the technical problem in the related art that, when global ACL rules are configured, different ACL rules have to be configured separately on a plurality of interfaces, wasting ternary content addressable memory (TCAM) resources.
According to one aspect of the embodiments, a method for configuring ACL rules is provided, including: determining a plurality of index fields corresponding one to one to a plurality of flow policies; binding the different flow policies, together with the index fields corresponding to them, on different interfaces, and sending the different ACL rules corresponding to the different index fields to a TCAM, where the TCAM is used to generate different TCAM entries from the different ACL rules; and matching fields in the different flow policies against fields in packets received by the different interfaces through the different TCAM entries.
Optionally, a first flow policy and a first index field corresponding to it are bound on the global interface, and a first ACL rule corresponding to the first index field is sent to the TCAM, where the TCAM is configured to generate a first TCAM entry from the first ACL rule; the custom rule field in the first flow policy is then matched against the custom rule field in packets received by the global interface through the first TCAM entry.
Optionally, binding the different flow policies and their corresponding index fields on different interfaces includes: adding a second index field to the first interface attribute corresponding to a physical interface to obtain a first interface index attribute.
Optionally, a second flow policy and a second index field corresponding to it are bound on the physical interface, and a second ACL rule corresponding to the second index field is sent to the TCAM, where the TCAM is configured to generate a second TCAM entry from the second ACL rule; the second index field and the custom rule field in the second flow policy are then matched against the custom rule field and the first interface index attribute of packets received by the physical interface through the second TCAM entry.
Optionally, binding the different flow policies and their corresponding index fields on different interfaces includes: adding a third index field to the second interface attribute corresponding to a sub-interface to obtain a second interface index attribute.
Optionally, a third flow policy and a third index field corresponding to it are bound on the sub-interface, and a third ACL rule corresponding to the third index field is sent to the TCAM, where the TCAM is configured to generate a third TCAM entry from the third ACL rule; the third index field, the custom rule field, the interface number field and the virtual local area network (VLAN) field in the third flow policy are then matched against the custom rule field and the second interface index attribute of packets received by the sub-interface through the third TCAM entry.
According to a further aspect of the embodiments, another method for configuring ACL rules is provided, including: determining a target index field corresponding to a plurality of identical flow policies; binding the plurality of identical flow policies and the target index field on different interfaces, and sending a target ACL rule corresponding to the target index field to a TCAM, where the TCAM is used to generate a target TCAM entry from the target ACL rule; and matching fields in the plurality of identical flow policies against fields in packets received by the different interfaces through the single target TCAM entry.
According to a further aspect of the embodiments, a configuration apparatus for ACL rules is provided, comprising: a determining module, configured to determine a plurality of index fields corresponding one to one to a plurality of flow policies; a sending module, configured to bind the different flow policies and their corresponding index fields on different interfaces and to send the different ACL rules corresponding to the different index fields to a TCAM, where the TCAM is used to generate different TCAM entries from the different ACL rules; and a matching module, configured to match fields in the different flow policies against fields in packets received by the different interfaces through the different TCAM entries.
According to a further aspect of the embodiments, a nonvolatile storage medium is provided, the storage medium containing a stored program which, when run, controls the device on which the storage medium resides to execute the above method for configuring ACL rules.
According to a further aspect of the embodiments, an electronic device is provided, comprising a memory and a processor, where the processor is configured to run a program stored in the memory, and the program, when run, executes the above method for configuring ACL rules.
In the embodiments of the application, a plurality of index fields corresponding one to one to a plurality of flow policies is determined; the different flow policies and their corresponding index fields are bound on different interfaces, and the different ACL rules corresponding to the different index fields are sent to the TCAM, which generates different TCAM entries from them; and fields in the different flow policies are matched against fields in packets received by the different interfaces through the different TCAM entries. Because a rule is keyed on the index field carried by every interface it is bound to, rather than being repeated once per interface, TCAM resources are saved and the cost of network equipment is reduced. This solves the technical problem in the related art that configuring a global ACL rule requires different ACL rules to be configured separately on a plurality of interfaces and so wastes TCAM resources.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute a limitation on the application. In the drawings:
FIG. 1 is a flow chart of a method of configuring access control list rules according to an embodiment of the present application;
FIG. 2 is a flow chart of another method of configuring access control list rules according to an embodiment of the present application;
FIG. 3 is a schematic diagram of a method of configuring access control list rules according to an embodiment of the present application;
FIG. 4 is a block diagram of a configuration apparatus for access control list rules according to an embodiment of the present application;
FIG. 5 is a block diagram of the hardware configuration of a computer terminal (or electronic device) for a method of configuring access control list rules according to an embodiment of the present application.
Detailed Description
In order that those skilled in the art will better understand the present application, a technical solution in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present application without making any inventive effort, shall fall within the scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present application and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the application described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
According to an embodiment of the present application, there is provided a method embodiment of a method for configuring an access control list rule, it should be noted that the steps illustrated in the flowchart of the drawings may be performed in a computer system such as a set of computer executable instructions, and that although a logical order is illustrated in the flowchart, in some cases the steps illustrated or described may be performed in an order different from that herein.
Fig. 1 is a flowchart of a method for configuring access control list rules according to an embodiment of the present application; as shown in Fig. 1, the method includes the following steps:
Step S102: a plurality of index fields corresponding one to one to a plurality of flow policies is determined.
According to some alternative embodiments of the application, a flow policy refers to the set of methods and techniques applied when processing a data flow. A data flow is data that arrives at a system continuously, such as network traffic, sensor data or logs; the goal of a flow policy is to process the flow in real time, extract useful information and make the corresponding decisions. A flow policy generally covers the following aspects: 1. data acquisition and transmission: how data is collected and delivered to the processing system; 2. data cleaning and preprocessing: removing noise, filling missing values, normalising the data, and so on; 3. feature extraction and selection: which features are extracted from the data and which are the most relevant for subsequent analysis and decisions; 4. model training and optimisation: selecting a suitable model and training and tuning it to the characteristics of the flow; 5. real-time decision and response: making decisions and responding on the basis of the live flow; 6. effect evaluation and monitoring: evaluating and monitoring the policy's effectiveness so that problems are found and resolved in time. In the present application a flow policy is applied on a network interface: it carries the fields to be compared against received packets (the custom rule field and, depending on the interface type, the index field, interface number field and VLAN field), and the comparison is performed by the TCAM entry generated from the corresponding ACL rule.
An index field, in the database sense, is a special data structure created on one or more columns of a table in order to locate and access data quickly. By creating an index on a particular column, the database can keep the data ordered by that index and use it to speed up lookups and filtering; the index greatly reduces the amount of data that has to be scanned for a query and so improves query efficiency. Common index types include B-tree, hash and full-text indexes, each with its own applicable scenarios and advantages. In the present application, the index field is an attribute attached to an interface (the interface index attribute described below), so that a TCAM entry can be keyed on the policy binding shared by several interfaces rather than on each interface individually.
Step S104: the different flow policies and the index fields corresponding to them are bound on different interfaces, and the different access control list rules corresponding to the different index fields are sent to the ternary content addressable memory, where the ternary content addressable memory is used to generate different TCAM entries from the different access control list rules.
According to further alternative embodiments of the application, an access control list (ACL) is a policy tool for controlling network traffic. An ACL can be configured on a network device such as a router, switch or firewall to filter, restrict, permit or deny network traffic. It classifies and controls traffic on the basis of a predefined rule set, using conditions such as source IP address, destination IP address, port number and protocol type. By configuring an ACL, a network administrator can restrict access to specific IP addresses or address ranges and prevent unauthorised traffic from entering the protected network. ACLs also help manage traffic, improve network performance and efficiency, and optimise the use of network resources, for example by filtering invalid traffic or limiting bandwidth.
A ternary content addressable memory (Ternary Content Addressable Memory, TCAM) is a memory designed for high-speed lookup and matching: instead of being addressed by location, it compares a search key against all stored entries in parallel in a single operation, which is far faster than a conventional memory searched by repeated compares. Each TCAM cell stores a data bit and a mask bit; the data bits hold the value to be matched and the mask bits specify which data bits must match and which are don't-care. In the convention used here, a mask bit of 0 marks a don't-care bit and a 1 marks a bit that must match. By setting mask bits, the values of selected bits can be ignored during a lookup, which gives the match great flexibility. Because every lookup is compared against every stored entry at once, TCAM capacity is consumed entry by entry, which is why installing the same rule once per interface is wasteful.
The main purpose of a TCAM is high-speed search and match; common applications include: 1. routers and switches: fast lookup of routing and forwarding tables, making routing and forwarding decisions from the destination address, source address, protocol or port; 2. firewalls: fast matching of a packet's source address, destination address, protocol, port and similar information for access control and traffic filtering; 3. memory management: managing data in memory, such as locating specific data blocks or records; 4. packet classification: sorting network packets into different flow classes according to given rules for priority handling or traffic control; 5. database queries: high-speed keyword matching and lookup of data in a database.
Step S106: fields in the different flow policies are matched against fields in packets received by the different interfaces through the different TCAM entries.
In some alternative embodiments of the application, a TCAM entry is a high-speed memory structure used to store and retrieve forwarding rules in a network device. A TCAM entry consists of one or more rules, each defining a packet matching condition and the corresponding action; an entry generally includes the following fields: 1. destination address (Destination Address): the destination IP address to match; 2. source address (Source Address): the source IP address to match; 3. destination port (Destination Port): the destination port number to match; 4. source port (Source Port): the source port number to match; 5. protocol type (Protocol): the protocol to match, such as TCP, UDP or ICMP; 6. VLAN tag (VLAN Tag): the virtual local area network tag to match; 7. action (Action): the operation performed on a match, such as forward, discard or rewrite the VLAN tag.
Each field of a TCAM entry may be a specific value, a masked value or a wildcard. A specific value requires the packet's field to match exactly; a masked value requires only the bits selected by the mask to match, while the remaining bits may take any value; a wildcard means the field may be any value.
Optionally, matching the fields in a flow policy against the fields in a packet received by an interface may proceed as follows. First, the names and data types of the fields in the flow policy and of the fields in the received packet are determined. Second, the values of the corresponding fields are extracted from the received packet. Then the extracted field values are matched against the fields in the flow policy; if the match succeeds the corresponding action is executed, otherwise the packet may be ignored or handled in some other way.
Through the above steps, a plurality of index fields corresponding one to one to a plurality of flow policies is determined, the different flow policies and their index fields are bound on different interfaces, the different access control list rules corresponding to the index fields are sent to the TCAM, and fields in the different flow policies are matched against fields in packets received by the different interfaces through the different TCAM entries. This saves TCAM resources and therefore reduces the cost of network equipment.
According to some optional embodiments of the application, binding a first streaming policy and a first index field corresponding to the first streaming policy on a global interface, and sending a first access control list rule corresponding to the first index field to a ternary content addressable memory, wherein the ternary content addressable memory is configured to generate a first ternary content addressable memory table entry according to the first access control list rule; and matching the custom rule field in the first flow strategy with the custom rule field in the message received by the global interface through the first ternary content addressable memory table entry.
Global interfaces refer to interfaces that are shared and invoked by multiple modules or components throughout a system, typically including the basic functions of the system-known core business logic-that may be invoked by different modules or components to implement the various functions of the system. The global interface has the characteristics that 1. The sharing property is that the global interface is shared in a system and can be called by a plurality of modules or components, thereby avoiding repeated realization of functions and redundant codes; 2, the consistency is that the design of the global interface accords with the overall architecture and design principle of the system, the consistency of the interfaces among all modules or components is ensured, and the maintainability and the stability of the system are improved; 3. the overall interface is high in cohesiveness, namely the functions of the interfaces are gathered together as much as possible, so that the excessive dispersion and complexity of the functions of the interfaces are avoided, and the usability and usability of the interfaces are improved; 4. the global interface has good expansibility, can conveniently add new functions and modify the existing functions, and avoids influencing other modules or components of the system.
According to further alternative embodiments of the present application, binding different flow policies and different index fields corresponding to the different flow policies on different interfaces includes: and adding a second index field into the first interface attribute corresponding to the physical interface to obtain the first interface index attribute.
In some optional embodiments of the present application, binding a second streaming policy and a second index field corresponding to the second streaming policy on a physical interface, and sending a second access control list rule corresponding to the second index field to a ternary content addressable memory, where the ternary content addressable memory is configured to generate a second ternary content addressable memory table entry according to the second access control list rule; and matching the second index field and the custom rule field in the second flow strategy with the custom rule field and the first interface index attribute in the message received by the physical interface through the second ternary content addressable memory table entry.
The physical interface is a hard interface in the computer system for connecting devices and may be in the form of a slot, a jack, a connector, or a terminal block. Physical interfaces are commonly used to transfer data, power supplies, control signals, and the like. In a computer network, physical interfaces are used to connect network devices such as computers, servers, routers, traffic planes, and the like. Common physical interfaces include ethernet interfaces, USB interfaces, HDM, VGA interfaces, etc., which connect devices together through physical connectors to enable data transfer and communication between devices. The characteristics of the physical interfaces depend on their design and specifications, e.g. the ethernet interface supports the definition of parameters such as transmission rate, number size, etc., compatibility problems may exist between different physical interfaces, and an adapter or a converter is required to implement the connection of the different interfaces. The physical interface plays a role of a bridge for connecting devices in the computer system, and the stability and the performance of the physical interface are critical to the normal operation and data transmission of the system. Therefore, in designing and using a physical interface, factors such as a reliable transmission rate of the interface, electromagnetic interference resistance, and the like need to be considered.
According to some optional embodiments of the application, binding different flow policies and different index fields corresponding to the different flow policies on different interfaces comprises: and adding a third index field into the second interface attribute corresponding to the sub-interface to obtain the second interface index attribute.
According to other alternative embodiments of the present application, a third stream policy and a third index field corresponding to the third stream policy are bound to the subinterface, and a third access control list rule corresponding to the third index field is sent to the ternary content addressable memory, where the ternary content addressable memory is configured to generate a third ternary content addressable memory table entry according to the third access control list rule; and matching the third index field, the custom rule field, the interface number field and the virtual local area network field in the third stream policy with the custom rule field and the second interface index attribute in the message received by the sub-interface through the third ternary content addressable memory table entry.
Sub-interfaces refer to the case where one interface inherits from another interface. For example, in Java, an interface may inherit from one or more interfaces; the inherited interface is referred to as the parent interface or super-interface, and the interface that inherits from the parent interface is referred to as the child interface. The child interface inherits all the methods and constants of the parent interface and can add new methods and constants on top of them to further extend the functionality of the interface. A sub-interface can itself be inherited by other interfaces, forming a multi-layer inheritance relationship between interfaces. The relationship between the child interface and the parent interface is an "is-a" relationship, that is, the child interface is a specialization of the parent interface. A child interface can inherit from multiple parent interfaces, thereby achieving the effect of multiple inheritance.
Fig. 2 is a flowchart of another method for configuring access control list rules according to an embodiment of the present application, as shown in fig. 2, the method includes the steps of:
step S202, determining a target index field corresponding to a plurality of identical flow policies;
step S204, binding the plurality of identical flow policies and the target index field on different interfaces, and sending a target access control list rule corresponding to the target index field to a ternary content addressable memory, where the ternary content addressable memory is used to generate a target ternary content addressable memory entry according to the target access control list rule;
step S206, matching the fields in the plurality of identical flow policies with the fields in the messages received by the different interfaces through the target ternary content addressable memory entry.
According to the above steps, only one ternary content addressable memory entry is issued for the multi-port access control list match, which achieves the technical effect of saving ternary content addressable memory resources.
Fig. 3 is a schematic diagram of a configuration method of an access control list rule according to an embodiment of the present application. As shown in fig. 3, first, the attribute of the binding interface is set and a flow policy index is added to it, so that when ACL rule filtering and matching is performed on a message arriving from that interface, the message carries the corresponding flow policy index. Secondly, according to the type of the binding interface, a TCAM entry with the added index field and a different mask field is issued. Specifically, where the binding type is global, only the corresponding rule fields are matched. Where the binding type is a physical port, in addition to the corresponding rule fields only the index field is matched, while the port field and the VLAN field are ignored (masked out); this supports both global matching and multi-port matching: when the same flow policy is applied to several ports, only one TCAM entry carrying the index is issued, which saves resources, and global matching that excludes specific ports can also be realized. Where the binding type is a sub-interface, in addition to the corresponding rule fields, the index field, the port field and the VLAN field are all matched.
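The three binding types of fig. 3, together with the steps of fig. 2, as an added Python simulation of the scheme (this is illustrative code written for this page, not code from the patent or from China Telecom Intelligent Network Technology). It assumes a simplified TCAM key made of four fields (a custom rule field, the index field, the interface number and the VLAN id), a per-field "care" set standing in for the TCAM mask, first-hit lookup semantics, and constructed interface names, index values and rule-field values; all of these are assumptions, not details from the patent.

```python
import dataclasses
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Iterable, List, Optional


class BindType(Enum):
    GLOBAL = "global"
    PHYSICAL_PORT = "physical_port"
    SUBINTERFACE = "subinterface"


# Which key fields an issued entry compares, per binding type (fig. 3).
# Every field not listed is masked out ("don't care") in the TCAM entry.
CARE_FIELDS = {
    BindType.GLOBAL: frozenset({"rule"}),
    BindType.PHYSICAL_PORT: frozenset({"rule", "index"}),
    BindType.SUBINTERFACE: frozenset({"rule", "index", "port", "vlan"}),
}


@dataclass(frozen=True)
class Interface:
    name: str
    port: int          # interface number field
    vlan: int = 0      # VLAN field; 0 = untagged physical port
    index: int = 0     # flow-policy index attribute added at bind time; 0 = unbound


@dataclass
class TcamEntry:
    value: Dict[str, int]
    care: FrozenSet[str]   # stands in for the entry's mask
    action: str

    def matches(self, key: Dict[str, int]) -> bool:
        return all(key[f] == self.value[f] for f in self.care)


class AclTcam:
    """Toy model of the switch: interface attributes plus the issued entries."""

    def __init__(self, interfaces: Iterable[Interface]):
        self.interfaces = {i.name: i for i in interfaces}
        self.entries: List[TcamEntry] = []

    def bind(self, bind_type: BindType, rule: int, action: str,
             ifaces: Iterable[str] = (), index: int = 0) -> None:
        """Bind one flow policy to the given interfaces and issue ONE entry."""
        for name in ifaces:
            # Step: add the index field to the interface attribute.
            self.interfaces[name] = dataclasses.replace(self.interfaces[name], index=index)
        port = vlan = 0
        if bind_type is BindType.SUBINTERFACE:
            (name,) = tuple(ifaces)        # a sub-interface entry also carries port and VLAN
            port, vlan = self.interfaces[name].port, self.interfaces[name].vlan
        value = {"rule": rule, "index": index, "port": port, "vlan": vlan}
        self.entries.append(TcamEntry(value, CARE_FIELDS[bind_type], action))

    def lookup(self, iface_name: str, rule: int) -> Optional[str]:
        """Match a message received on iface_name; the message carries the interface's index."""
        iface = self.interfaces[iface_name]
        key = {"rule": rule, "index": iface.index, "port": iface.port, "vlan": iface.vlan}
        for entry in self.entries:         # first-hit semantics (assumption)
            if entry.matches(key):
                return entry.action
        return None


def demo() -> Dict[str, object]:
    # Constructed topology: four physical ports and one VLAN sub-interface on port 1.
    tcam = AclTcam([Interface("ge1", 1), Interface("ge2", 2), Interface("ge3", 3),
                    Interface("ge4", 4), Interface("ge1.100", 1, vlan=100)])
    BLOCKED, TELEMETRY = 0x0A000005, 0x0A000010   # constructed rule-field values
    # Global binding: one entry, rule field only.
    tcam.bind(BindType.GLOBAL, BLOCKED, "deny")
    # The same policy on three physical ports: still ONE entry, keyed by index 7.
    tcam.bind(BindType.PHYSICAL_PORT, TELEMETRY, "permit", ifaces=["ge1", "ge2", "ge3"], index=7)
    # Sub-interface binding: entry compares rule, index, port and VLAN.
    tcam.bind(BindType.SUBINTERFACE, TELEMETRY, "log", ifaces=["ge1.100"], index=9)
    return {
        "entries": len(tcam.entries),                        # 3 entries for 5 bindings
        "global_on_unbound_port": tcam.lookup("ge4", BLOCKED),
        "shared_policy_on_ge1": tcam.lookup("ge1", TELEMETRY),
        "shared_policy_on_ge2": tcam.lookup("ge2", TELEMETRY),
        "shared_policy_on_ge4": tcam.lookup("ge4", TELEMETRY),  # ge4 not bound: index 0 != 7
        "subinterface_ge1_100": tcam.lookup("ge1.100", TELEMETRY),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `shared_policy_on_ge4` result is the "global matching excluding specific ports" case: the physical-port entry ignores the port field, so only the index attribute stamped on the bound interfaces decides the hit, and an unbound port with index 0 falls through. A check worth keeping when auditing such a design is that index values are never reused across policies on the same device, since the index, not the port, is what keeps the single shared entry from matching traffic it was not bound to.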
Fig. 4 is a block diagram of an apparatus for configuring an access control list rule according to an embodiment of the present application, as shown in fig. 4, the apparatus includes:
a determining module 40, configured to determine a plurality of index fields corresponding to a plurality of flow policies one-to-one;
a sending module 42, configured to bind different flow policies and different index fields corresponding to the different flow policies on different interfaces, and send different access control list rules corresponding to the different index fields to a ternary content addressable memory, where the ternary content addressable memory is configured to generate different ternary content addressable memory entries according to the different access control list rules;
the matching module 44 is configured to match fields in different flow policies with fields in messages received by different interfaces through different ternary content addressable memory entries.
Note that each module in fig. 4 may be a program module (for example, a set of program instructions implementing a specific function) or a hardware module. In the latter case it may take, but is not limited to, the following form: each module is a separate processor, or the functions of all the modules are implemented by a single processor.
It should be noted that, the preferred implementation manner of the embodiment shown in fig. 4 may refer to the related description of the embodiment shown in fig. 1, which is not repeated herein.
Optionally, binding the first flow policy and a first index field corresponding to the first flow policy on the global interface, and sending a first access control list rule corresponding to the first index field to the ternary content addressable memory, where the ternary content addressable memory is configured to generate a first ternary content addressable memory table entry according to the first access control list rule; and matching the custom rule field in the first flow policy with the custom rule field in the message received by the global interface through the first ternary content addressable memory table entry.
Optionally, binding different flow policies and different index fields corresponding to the different flow policies on different interfaces includes: and adding a second index field into the first interface attribute corresponding to the physical interface to obtain the first interface index attribute.
Optionally, binding a second flow policy and a second index field corresponding to the second flow policy on the physical interface, and sending a second access control list rule corresponding to the second index field to the ternary content addressable memory, where the ternary content addressable memory is configured to generate a second ternary content addressable memory table entry according to the second access control list rule; and matching the second index field and the custom rule field in the second flow policy with the custom rule field and the first interface index attribute in the message received by the physical interface through the second ternary content addressable memory table entry.
Optionally, binding different flow policies and different index fields corresponding to the different flow policies on different interfaces includes: and adding a third index field into the second interface attribute corresponding to the sub-interface to obtain the second interface index attribute.
Optionally, binding a third stream policy and a third index field corresponding to the third stream policy on the subinterface, and sending a third access control list rule corresponding to the third index field to the ternary content addressable memory, where the ternary content addressable memory is configured to generate a third ternary content addressable memory table entry according to the third access control list rule; and matching the third index field, the custom rule field, the interface number field and the virtual local area network field in the third stream policy with the custom rule field and the second interface index attribute in the message received by the sub-interface through the third ternary content addressable memory table entry.
Fig. 5 shows a hardware block diagram of a computer terminal (or mobile device) for implementing the configuration method of access control list rules. As shown in fig. 5, the computer terminal 50 (or mobile device 50) may include one or more processors 502 (shown in the figure as 502a, 502b, ..., 502n; the processor 502 may include, but is not limited to, a microprocessor MCU, a programmable logic device FPGA, etc.), a memory 504 for storing data, and a transmission module 506 for communication functions. In addition, the computer terminal 50 may further include: a display, an input/output port (I/O port), a Universal Serial Bus (USB) port (which may be included as one of the I/O ports), a network port, a power supply, and/or a camera. It will be appreciated by those of ordinary skill in the art that the configuration shown in fig. 5 is merely illustrative and is not intended to limit the configuration of the electronic device described above. For example, the computer terminal 50 may also include more or fewer components than shown in fig. 5, or have a different configuration than shown in fig. 5.
It should be noted that the one or more processors 502 and/or other data processing circuits described above may be referred to herein generally as "data processing circuits". The data processing circuit may be embodied in whole or in part in software, hardware, firmware, or any other combination. Furthermore, the data processing circuit may be a single stand-alone processing module, or incorporated, in whole or in part, into any of the other elements of the computer terminal 50 (or mobile device). As referred to in the embodiments of the application, the data processing circuit acts as a kind of processor control (e.g., selection of the variable-resistance termination path to which the port is connected).
The memory 504 may be used to store software programs and modules of application software, such as program instructions/data storage devices corresponding to the configuration method of the access control list rule in the embodiment of the present application, and the processor 502 executes the software programs and modules stored in the memory 504, thereby performing various functional applications and data processing, that is, implementing the configuration method of the access control list rule described above. Memory 504 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 504 may further comprise memory located remotely from the processor 502, which may be connected to the computer terminal 50 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission module 506 is used to receive or transmit data via a network. The specific examples of the network described above may include a wireless network provided by a communication provider of the computer terminal 50. In one example, the transmission module 506 includes a network adapter (Network Interface Controller, NIC) that can connect to other network devices through a base station to communicate with the internet. In one example, the transmission module 506 may be a Radio Frequency (RF) module, which is used to communicate with the internet wirelessly.
The display may be, for example, a touch screen type Liquid Crystal Display (LCD) that may enable a user to interact with a user interface of the computer terminal 50 (or mobile device).
It should be noted here that, in some alternative embodiments, the computer device (or the electronic device) shown in fig. 5 may include hardware elements (including circuits), software elements (including computer code stored on a computer readable medium), or a combination of both hardware elements and software elements. It should be noted that fig. 5 is only one example of a specific example, and is intended to illustrate the types of components that may be present in the computer device (or electronic device) described above.
It should be noted that the electronic device shown in fig. 5 is configured to execute the configuration method of the access control list rule shown in fig. 1, so the explanation given for that method also applies to the electronic device and is not repeated here.
The embodiment of the application also provides a nonvolatile storage medium, which comprises a stored program, wherein the program runs to control the equipment where the storage medium is positioned to execute the configuration method of the access control list rule.
The nonvolatile storage medium executes a program with the following functions: determining a plurality of index fields corresponding one-to-one to a plurality of flow policies; binding different flow policies and different index fields corresponding to the different flow policies on different interfaces, and sending different access control list rules corresponding to the different index fields to a ternary content addressable memory, where the ternary content addressable memory is used to generate different ternary content addressable memory entries according to the different access control list rules; and matching fields in the different flow policies with fields in messages received by the different interfaces through the different ternary content addressable memory entries.
The embodiment of the application also provides electronic equipment, which comprises: the system comprises a memory and a processor, wherein the processor is used for running a program stored in the memory, and the program runs to execute the configuration method of the access control list rule.
The processor is configured to execute a program that performs the following functions: determining a plurality of index fields corresponding one-to-one to a plurality of flow policies; binding different flow policies and different index fields corresponding to the different flow policies on different interfaces, and sending different access control list rules corresponding to the different index fields to a ternary content addressable memory, where the ternary content addressable memory is used to generate different ternary content addressable memory entries according to the different access control list rules; and matching fields in the different flow policies with fields in messages received by the different interfaces through the different ternary content addressable memory entries.
The foregoing embodiment numbers of the present application are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
In the foregoing embodiments of the present application, the descriptions of the embodiments are emphasized, and for a portion of this disclosure that is not described in detail in this embodiment, reference is made to the related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed technology may be implemented in other manners. The above-described embodiments of the apparatus are merely exemplary, and the division of the units, for example, may be a logic function division, and may be implemented in another manner, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some ports, units or modules, and may be in electrical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application, in essence, or the part contributing to the related art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, an optical disk, or other media capable of storing program code.
The foregoing is merely a preferred embodiment of the present application and it should be noted that modifications and adaptations to those skilled in the art may be made without departing from the principles of the present application, which are intended to be comprehended within the scope of the present application.

Claims (10)

1. A method for configuring access control list rules, comprising:
determining a plurality of index fields corresponding one-to-one to a plurality of flow policies;
binding different flow policies and different index fields corresponding to the different flow policies on different interfaces, and sending different access control list rules corresponding to the different index fields to a ternary content addressable memory, wherein the ternary content addressable memory is used for generating different ternary content addressable memory table items according to the different access control list rules;
and matching the fields in the different flow policies with the fields in the messages received by the different interfaces through the different ternary content addressable memory table entries.
2. The method according to claim 1, characterized in that it comprises:
binding a first flow policy and a first index field corresponding to the first flow policy on a global interface, and sending a first access control list rule corresponding to the first index field to a ternary content addressable memory, wherein the ternary content addressable memory is used for generating a first ternary content addressable memory table item according to the first access control list rule;
and matching the custom rule field in the first flow policy with the custom rule field in the message received by the global interface through the first ternary content addressable memory table entry.
3. The method of claim 1, wherein binding different flow policies and different index fields corresponding to the different flow policies on different interfaces comprises: and adding a second index field into the first interface attribute corresponding to the physical interface to obtain the first interface index attribute.
4. A method according to claim 3, comprising:
binding a second flow policy and the second index field corresponding to the second flow policy on a physical interface, and sending a second access control list rule corresponding to the second index field to a ternary content addressable memory, wherein the ternary content addressable memory is used for generating a second ternary content addressable memory table item according to the second access control list rule;
and matching the second index field and the custom rule field in the second flow policy with the custom rule field in the message received by the physical interface and the first interface index attribute through the second ternary content addressable memory table entry.
5. The method of claim 1, wherein binding different flow policies and different index fields corresponding to the different flow policies on different interfaces comprises: and adding a third index field into the second interface attribute corresponding to the sub-interface to obtain the second interface index attribute.
6. The method according to claim 5, comprising:
binding a third stream policy and the third index field corresponding to the third stream policy on a subinterface, and sending a third access control list rule corresponding to the third index field to a ternary content addressable memory, wherein the ternary content addressable memory is used for generating a third ternary content addressable memory table item according to the third access control list rule;
and matching the third index field, the custom rule field, the interface number field and the virtual local area network field in the third stream policy with the custom rule field and the second interface index attribute in the message received by the sub-interface through the third ternary content addressable memory table entry.
7. A method for configuring access control list rules, comprising:
determining a target index field corresponding to a plurality of identical flow policies;
binding the plurality of identical flow policies and the target index field on different interfaces, and sending a target access control list rule corresponding to the target index field to a ternary content addressable memory, wherein the ternary content addressable memory is used for generating a target ternary content addressable memory table item according to the target access control list rule;
and matching the fields in the plurality of identical flow policies with the fields in the messages received by the different interfaces through the target ternary content addressable memory table entry.
8. An apparatus for configuring access control list rules, comprising:
a determining module, configured to determine a plurality of index fields corresponding to a plurality of flow policies one-to-one;
a sending module, configured to bind different flow policies and different index fields corresponding to the different flow policies on different interfaces, and send different access control list rules corresponding to the different index fields to a ternary content addressable memory, where the ternary content addressable memory is configured to generate different ternary content addressable memory entries according to the different access control list rules;
and the matching module is used for matching the fields in the different flow strategies with the fields in the messages received by the different interfaces through the different ternary content addressable memory table entries.
9. A non-volatile storage medium, characterized in that the non-volatile storage medium comprises a stored program, wherein, when the program is run, the device in which the non-volatile storage medium is located is controlled to execute the configuration method of the access control list rule according to any one of claims 1 to 7.
10. An electronic device, comprising: a memory and a processor for executing a program stored in the memory, wherein the program is executed to perform the method of configuring the access control list rule according to any one of claims 1 to 7.
CN202310968515.XA 2023-08-02 2023-08-02 Configuration method and device of access control list rule and nonvolatile storage medium Pending CN116886395A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310968515.XA CN116886395A (en) 2023-08-02 2023-08-02 Configuration method and device of access control list rule and nonvolatile storage medium

Publications (1)

Publication Number Publication Date
CN116886395A true CN116886395A (en) 2023-10-13

Family

ID=88258602

Country Status (1)

Country Link
CN (1) CN116886395A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination