TWI390910B - Entry generation method of access control list - Google Patents

Entry generation method of access control list

Info

Publication number
TWI390910B
TWI390910B
Authority
TW
Taiwan
Prior art keywords
access control
entry
control list
parameter
generation method
Prior art date
Application number
TW97125750A
Other languages
Chinese (zh)
Other versions
TW201004221A (en)
Inventor
Wen Hsin Yang
Original Assignee
Ic Plus Corp
Priority date 2008-07-08
Filing date 2008-07-08
Publication date 2010-01-16 (TW201004221A); 2013-03-21 (TWI390910B)
Application filed by Ic Plus Corp
Priority to TW97125750A
Publication of TW201004221A
Application granted
Publication of TWI390910B

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Description

Access control list entry generation method

The present invention relates to an access control list, and more particularly to a method of generating the entries of an access control list.

Access control lists (ACLs) are widely used in systems and communication devices. When a system or communication device receives a packet, it uses the access control list to filter the packet and, on that basis, to deliver the packet to its destination. This is explained in detail below with reference to the drawings.

FIG. 1 is a schematic diagram of a conventional access control list. Referring to FIG. 1, assume that access control list 10 has 16 entries and 3 items (fields). The 16 entries are En_0 to En_15. The 3 items are the Media Access Control address (MAC address), the Internet Protocol address (IP address) and the action. Further assume that the bit widths of the parameters corresponding to the MAC address, the IP address and the action in each entry are 48 bits, 32 bits and 4 bits respectively.

In entry En_0, the packet's MAC address is first checked against 0090c3000001 and its IP address against 192.168.1.10. When the packet's MAC address is 0090c3000001 and its IP address is 192.168.1.10, action 0001 is executed; otherwise action 0001 is not executed.

Likewise, in entry En_1, the packet's MAC address is first checked against 0080c1000008 and its IP address against 192.168.1.10. When the packet's MAC address is 0080c1000008 and its IP address is 192.168.1.10, action 0010 is executed; otherwise action 0010 is not executed.

By analogy, in entry En_15 only the IP address is checked, against 192.168.101.88. When the packet's IP address is 192.168.101.88, action 1111 is executed; otherwise action 1111 is not executed. It is worth noting that although entry En_15 does not need to check the packet's MAC address at all, the parameter corresponding to the MAC address in En_15 still occupies 48 bits, which is wasted space.

In addition, in the prior art the IP address parameters of entries En_0 and En_1 are both 192.168.1.10, yet the IP address parameters of En_0 and En_1 still occupy 32 bits + 32 bits = 64 bits. In other words, even when several entries share the same parameter value, the space each entry occupies cannot be reduced. Seen from another angle, every entry of access control list 10 occupies 48 bits + 32 bits + 4 bits = 84 bits. Since access control list 10 has 16 entries, it occupies 84 × 16 = 1344 bits in total. Even if only one of the 16 entries is in use, access control list 10 still occupies 1344 bits. Put differently, with the conventional technique 1344 bits provide only 16 entries, so the space is used very inefficiently.

Furthermore, in the prior art every entry of access control list 10 must have the same items. In other words, if entry En_0 needs an additional item, entries En_1 to En_15 must have the same item added as well. It is therefore common in the prior art that only a few entries actually need a particular item, while that item still occupies a considerable amount of space in all the other entries. This waste of space grows worse as the number of entries increases.

The present invention provides a method of generating entries for an access control list that reduces the storage space the access control list occupies.

The present invention proposes a method of generating entries for an access control list, comprising defining a plurality of program units, each program unit comprising an item and a parameter corresponding to that item. A first entry of the access control list is then generated, wherein the first entry links N1 of the program units, N1 being a positive integer, and each program unit can also be linked by other entries.

In one embodiment of the invention, the entry generation method further comprises generating a second entry of the access control list, wherein the second entry links N2 of the program units, N2 being a positive integer. In another embodiment, N1 = N2. In yet another embodiment, N1 ≠ N2.

In one embodiment of the invention, the step of defining a program unit comprises defining its item, the item being a logical operator, a decision or an action, and defining its parameter. In another embodiment, the logical operators include AND, NAND, OR, NOR, NOT, XOR, XNOR and the like. In yet another embodiment, a decision comprises checking a MAC address or an IP address. In a further embodiment, an action comprises forwarding to a destination, filtering, broadcasting, copying and the like. In still another embodiment, the step of defining the parameter comprises defining the bit width of the parameter.

The present invention defines a plurality of program units and generates an entry of the access control list that links N1 of those program units, N1 being a positive integer, where each program unit can also be linked by other entries. The storage space occupied by the access control list can therefore be reduced.

To make the above features and advantages of the invention more readily understood, several embodiments are described in detail below with reference to the accompanying drawings.

In the prior art, every entry of an access control list must have the same items, which readily wastes space. In view of this, embodiments of the invention provide a method of generating entries for an access control list. First, a plurality of program units is defined, each program unit comprising an item and a parameter. Entries are then generated by selecting and combining program units from that set. When several entries use the same program unit, the space occupied by the access control list is reduced accordingly. This is described in more detail below with reference to the drawings.

FIG. 2 is a flowchart of a method of generating entries for an access control list according to an embodiment of the invention. FIG. 3 is a schematic diagram of a plurality of program units according to an embodiment of the invention. Referring to FIG. 2 and FIG. 3 together, in step S201 a plurality of program units is defined. In this embodiment ten program units, P1 to P10, are used as the example. The definition of program unit P1 is described first.

When defining program unit P1, the kind and the bit width of its item E1 are defined first. In this embodiment the kind of item E1 is a decision, the content of the decision being, by way of example, a check of the MAC address, and the bit width of item E1 is 4 bits. Those skilled in the art can define the content of the decision according to their needs; the invention is not limited in this respect. For example, in other embodiments the decision may check the IP address instead.

Next, parameter A1 of program unit P1, which corresponds to item E1, and its bit width are defined. In this embodiment parameter A1 is 0090c3000001 and its bit width is 48 bits. It is worth noting that the bit width of the parameter may vary with the kind of item; conversely, items of the same kind may be given parameters of the same bit width. By analogy, in this embodiment item E2 of program unit P2, the bit width of E2, parameter A2 and the bit width of A2 are defined as a decision (check the MAC address), 4 bits, 0080c1000008 and 48 bits respectively.

Continuing, in this embodiment item E3 of program unit P3, the bit width of E3, parameter A3 and the bit width of A3 are defined as an action, 4 bits, 0001 and 4 bits respectively. Item E4 of program unit P4, the bit width of E4, parameter A4 and the bit width of A4 are defined as an action, 4 bits, 0010 and 4 bits. Item E5 of program unit P5, the bit width of E5, parameter A5 and the bit width of A5 are defined as an action, 4 bits, 0011 and 4 bits. In this embodiment the value 0001 of A3 denotes broadcast, the value 0010 of A4 denotes forwarding to a destination, and the value 0011 of A5 denotes filtering. Those skilled in the art will appreciate that parameters A3 to A5 are only one possible choice and the invention is not limited to it. For example, in another embodiment the value 0001 of A3 may denote a different action, such as copying. In yet another embodiment, A3 may be 111100 and denote broadcast.

Continuing, item E6 of program unit P6, the bit width of E6, parameter A6 and the bit width of A6 are defined as a decision (check the IP address), 4 bits, 192.168.101.88 and 32 bits respectively. Item E7 of program unit P7, the bit width of E7, parameter A7 and the bit width of A7 are defined as a decision (check the IP address), 4 bits, 192.168.1.10 and 32 bits respectively.

Continuing, item E8 of program unit P8, the bit width of E8, parameter A8 and the bit width of A8 are defined as a logical operator, 4 bits, 001 and 4 bits respectively. Item E9 of program unit P9, the bit width of E9, parameter A9 and the bit width of A9 are defined as a logical operator, 4 bits, 010 and 4 bits. Item E10 of program unit P10, the bit width of E10, parameter A10 and the bit width of A10 are defined as a logical operator, 4 bits, 011 and 4 bits. In this embodiment the value 001 of A8 denotes AND, the value 010 of A9 denotes OR, and the value 011 of A10 denotes NOT. Those skilled in the art will appreciate that parameters A8 to A10 are only one possible choice and the invention is not limited to it. For example, in another embodiment the value 001 of A8 may denote a different logical operator, such as NAND, NOR, XOR or XNOR. In yet another embodiment, A8 may be 10100 and denote AND.

After step S201, step S202 generates an entry of the access control list; the entry links several of the program units P1 to P10. Notably, program units P1 to P10 can be linked repeatedly by multiple entries. Those skilled in the art may also repeat step S202 to generate multiple entries. For example, FIG. 4 is a schematic diagram of a plurality of entries according to an embodiment of the invention. Referring to FIG. 2 to FIG. 4 together, in this embodiment four entries, Ent_0 to Ent_3, are used as the example.

Entry Ent_0 links program units P1, P9, P2 and P3 in that order. Its meaning is that when a packet is received, the packet's MAC address is checked for being either 0090c3000001 or 0080c1000008. When the packet's MAC address is 0090c3000001 or 0080c1000008 the packet is broadcast; otherwise it is not broadcast.

Entry Ent_1 links program units P1, P8, P6 and P4 in that order. Its meaning is that when a packet is received, the packet's MAC address is checked for being 0090c3000001 and its IP address for being 192.168.101.88. When the packet's MAC address is 0090c3000001 and its IP address is 192.168.101.88 the packet is forwarded to a destination; otherwise it is not forwarded to that destination.

Entry Ent_2 links program units P1, P9, P2, P9, P7 and P5 in that order. Its meaning is that when a packet is received, the packet is checked for a MAC address of 0090c3000001, or a MAC address of 0080c1000008, or an IP address of 192.168.1.10. When the packet's MAC address is 0090c3000001, or its MAC address is 0080c1000008, or its IP address is 192.168.1.10, the packet is filtered; otherwise it is not filtered.

Entry Ent_3 links program units P10, P1 and P5 in that order. Its meaning is that when a packet is received, the packet's MAC address is checked for not being 0090c3000001. When the packet's MAC address is not 0090c3000001 the packet is filtered; otherwise it is not filtered.

It is clear from the above that the entries of the access control list in this embodiment may have the same number of program units or different numbers of program units. More specifically, the entries of the access control list in this embodiment are independent of one another and are not constrained to have the same program units. Compared with the prior art, every program unit in every entry of this embodiment is actually used.

In addition, program unit P1 is used by all of the entries Ent_0 to Ent_3; that is, although P1 is used four times, it occupies only 48 bits. In the prior art, by contrast, four entries that all check the same MAC address would occupy 48 × 4 = 192 bits. This embodiment therefore effectively reduces the space the access control list occupies. (This figure counts only the parameter width; each unit's 4-bit item field and the link references each entry stores to its units are additional cost, so the net saving in an implementation is smaller than 192 versus 48 bits.)

Furthermore, because the entries in this embodiment are built with the logical operators A8 to A10 of program units P8 to P10, the entries can be varied far more flexibly.
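The following is an added example, not code from the patent or from Ic Plus Corp. It models the program-unit pool of FIG. 3 and the four entries of FIG. 4 as data, evaluates an entry against a constructed packet, and counts the bits used by the shared pool against the fixed-width layout of FIG. 1 (the comparison at 48 × 4 = 192 bits above, here including the item fields and link indices). Two things are assumptions because the page does not specify them: NOT is a prefix operator on the decision that follows it, and AND/OR are folded strictly left to right with no precedence. An ACL whose evaluation order is unspecified can be read two ways by two implementers, so the evaluator rejects any link sequence that does not alternate decision, operator, decision and end in exactly one action. The readable action and operator names stand in for the page's 4-bit codes.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Union

# Added example; the bit widths are those of the embodiment (item field 4 bits).
ITEM_BITS = 4


@dataclass(frozen=True)
class Unit:
    kind: str        # "decision" | "op" | "action", the three item kinds on the page
    value: object    # (field, expected) for a decision, operator name, or action name
    param_bits: int  # bit width of the unit's parameter


# Program-unit pool of FIG. 3. Names replace the codes 0001/0010/0011 and 001/010/011.
POOL: Dict[str, Unit] = {
    "P1": Unit("decision", ("mac", "0090c3000001"), 48),
    "P2": Unit("decision", ("mac", "0080c1000008"), 48),
    "P3": Unit("action", "broadcast", 4),
    "P4": Unit("action", "forward", 4),
    "P5": Unit("action", "filter", 4),
    "P6": Unit("decision", ("ip", "192.168.101.88"), 32),
    "P7": Unit("decision", ("ip", "192.168.1.10"), 32),
    "P8": Unit("op", "AND", 4),
    "P9": Unit("op", "OR", 4),
    "P10": Unit("op", "NOT", 4),
}

# Entries of FIG. 4: each is only an ordered list of links into the shared pool.
ENTRIES: Dict[str, List[str]] = {
    "Ent_0": ["P1", "P9", "P2", "P3"],
    "Ent_1": ["P1", "P8", "P6", "P4"],
    "Ent_2": ["P1", "P9", "P2", "P9", "P7", "P5"],
    "Ent_3": ["P10", "P1", "P5"],
}

BINARY_OPS: Dict[str, Callable[[bool, bool], bool]] = {
    "AND": lambda a, b: a and b,
    "OR": lambda a, b: a or b,
}


def _decide(unit: Unit, packet: Dict[str, str]) -> bool:
    field, expected = unit.value
    return packet.get(field) == expected


def evaluate(entry: List[str], packet: Dict[str, str]) -> Optional[str]:
    """Return the entry's action name when its decision expression matches, else None.
    Assumption: NOT is a prefix on the next decision; AND/OR fold left to right."""
    units = [POOL[name] for name in entry]
    if not units or units[-1].kind != "action":
        raise ValueError("entry must end with exactly one action unit")
    *expr, action = units
    # Pass 1: turn decisions (with any prefix NOT) into booleans, keep binary ops.
    terms: List[Union[bool, str]] = []
    i = 0
    while i < len(expr):
        u = expr[i]
        if u.kind == "op" and u.value == "NOT":
            if i + 1 >= len(expr) or expr[i + 1].kind != "decision":
                raise ValueError("NOT must be followed by a decision")
            terms.append(not _decide(expr[i + 1], packet))
            i += 2
        elif u.kind == "decision":
            terms.append(_decide(u, packet))
            i += 1
        elif u.kind == "op" and u.value in BINARY_OPS:
            terms.append(u.value)
            i += 1
        else:
            raise ValueError(f"unexpected unit {u.kind}:{u.value} in expression")
    # Pass 2: the sequence must alternate decision, op, decision, ... (odd length).
    if len(terms) % 2 == 0 or any(isinstance(t, bool) != (k % 2 == 0) for k, t in enumerate(terms)):
        raise ValueError("malformed expression")
    result = terms[0]
    for k in range(1, len(terms), 2):
        result = BINARY_OPS[terms[k]](result, terms[k + 1])
    return action.value if result else None


def pool_bits(pool: Dict[str, Unit] = POOL) -> int:
    """Bits of the shared units, each stored once (item field + parameter)."""
    return sum(ITEM_BITS + u.param_bits for u in pool.values())


def link_bits(entries: Dict[str, List[str]] = ENTRIES, pool: Dict[str, Unit] = POOL) -> int:
    """Bits the entries' links cost (assumption: one fixed-width pool index per link)."""
    index_bits = max(1, (len(pool) - 1).bit_length())
    return sum(len(links) * index_bits for links in entries.values())


def conventional_bits(n_entries: int, widths=(48, 32, 4)) -> int:
    """FIG. 1 layout: every entry carries every field at its full width."""
    return n_entries * sum(widths)


if __name__ == "__main__":
    pkt = {"mac": "0080c1000008", "ip": "192.168.1.10"}  # constructed packet
    for name, links in ENTRIES.items():
        print(name, "->", evaluate(links, pkt))
    print("shared pool + links:", pool_bits() + link_bits(), "bits; conventional:", conventional_bits(4))
```

For the constructed packet, Ent_0 broadcasts, Ent_2 filters, Ent_3 filters and Ent_1 does nothing, which exposes a second point the page leaves open: several entries can match the same packet with conflicting actions, so a real device also needs a stated priority or first-match rule. The shared pool (224 bits) plus 4-bit link indices (68 bits) comes to 292 bits for these four entries against 336 bits for four fixed-width entries, and the gap widens as more entries reuse units.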

Although the above embodiment describes one possible form of the entry generation method for an access control list, those skilled in the art will appreciate that different vendors design the steps of such a method differently, and the application of the invention is not limited to this form. In other words, any entry generation method for an access control list that defines a plurality of program units, links N1 of those program units in an entry, and allows each program unit to be linked by other entries as well, is within the spirit of the invention. Several further embodiments are given below so that those skilled in the art can better understand the spirit of the invention and practise it.

In the above embodiment the items of the program units are described using only the MAC address, the action, the IP address and the logical operator as examples, but the invention is not limited to these. In other embodiments, those skilled in the art may define the items of the program units as other content according to their needs.

Also, the bit widths of the items and parameters of the program units in the above embodiment are only one possible choice, and the invention is not limited to them. In other embodiments, those skilled in the art may define the bit widths of the items and parameters of each program unit according to their needs.

Referring again to FIG. 3, it is worth noting that the program units in the above embodiment may be independent of one another. More specifically, although the bit widths of parameters A1 and A2 are set equal in the above embodiment, the invention is not limited to this; in other embodiments the bit widths of parameters A1 and A2 may be set differently.

In summary, the present invention defines a plurality of program units and generates an entry of the access control list that links N1 of those program units, N1 being a positive integer, where each program unit can also be linked by other entries. The storage space occupied by the access control list can therefore be reduced. Moreover, embodiments of the invention have at least the following effects:

1. The entries of the access control list are independent of one another and are not constrained to have the same program units. Compared with the prior art, every program unit in every entry is actually used.

2. Because program units can be reused, the space occupied by the access control list is effectively reduced.

3. Because the logical operators of the program units are used in combination, the entries can be varied more flexibly.

Although the invention has been disclosed above by way of several embodiments, these are not intended to limit the invention. Those of ordinary skill in the art may make minor changes and refinements without departing from the spirit and scope of the invention, so the scope of protection of the invention is that defined by the appended claims.

10: access control list

S201, S202: steps of the access control list entry generation method

En_0 to En_15, Ent_0 to Ent_3: entries

P1 to P10: program units

E1 to E10: items

A1 to A10: parameters

FIG. 1 is a schematic diagram of a conventional access control list.

FIG. 2 is a flowchart of a method of generating entries for an access control list according to an embodiment of the invention.

FIG. 3 is a schematic diagram of a plurality of program units according to an embodiment of the invention.

FIG. 4 is a schematic diagram of a plurality of entries according to an embodiment of the invention.

Claims (10)

1. A method of generating entries for an access control list, comprising: defining a plurality of program units, each of the program units comprising an item and a parameter corresponding to the item; and generating a first entry of the access control list, wherein the first entry links N1 of the program units, N1 is a positive integer, and the program units can also be linked by other entries.

2. The method of generating entries for an access control list of claim 1, further comprising: generating a second entry of the access control list, wherein the second entry links N2 of the program units, N2 being a positive integer.

3. The method of generating entries for an access control list of claim 2, wherein N1 = N2.

4. The method of generating entries for an access control list of claim 2, wherein N1 ≠ N2.

5. The method of generating entries for an access control list of claim 1, wherein the step of defining the program units comprises: defining the item, the item being a logical operator, a decision or an action; and defining the parameter.

6. The method of generating entries for an access control list of claim 5, wherein the logical operator comprises AND, NAND, OR, NOR, NOT, XOR or XNOR.

7. The method of generating entries for an access control list of claim 5, wherein the decision comprises checking a media access control address or an internet protocol address.

8. The method of generating entries for an access control list of claim 5, wherein the action comprises forwarding to a destination, filtering, broadcasting or copying.

9. The method of generating entries for an access control list of claim 5, wherein the step of defining the parameter comprises: defining a bit width of the parameter.

10. The method of generating entries for an access control list of claim 1, wherein the program units are independent of one another.
Priority Applications (1)

Application Number Priority Date Filing Date Title
TW97125750A TWI390910B (en) 2008-07-08 2008-07-08 Entry generation method of access control list

Publications (2)

Publication Number Publication Date
TW201004221A TW201004221A (en) 2010-01-16
TWI390910B true TWI390910B (en) 2013-03-21

Family

ID=44825804

Country Status (1)

Country Link
TW (1) TWI390910B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103377261A (en) * 2012-04-28 2013-10-30 瑞昱半导体股份有限公司 Access control list management device, executive device and method
