WO2021115160A1 - Acl rule management method and apparatus, computer device, and computer readable medium - Google Patents


Info

Publication number
WO2021115160A1
Authority
WO
WIPO (PCT)
Prior art keywords
rule
written
priority
access control
control list
Prior art date
Application number
PCT/CN2020/133118
Other languages
French (fr)
Chinese (zh)
Inventor
林宁
Original Assignee
中兴通讯股份有限公司
Priority date
2019-12-09 (from the priority claim to CN application 201911250942.4 in the description)
Filing date
Publication date
Application filed by 中兴通讯股份有限公司 (ZTE Corporation)

Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L 63/00 Network architectures or network communication protocols for network security › H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources › H04L 63/101 Access control lists [ACL]
    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols › H04L 9/40 Network security protocols

Definitions

  • the present disclosure relates to the field of communication technology, and in particular to an ACL rule management method, device, computer equipment, and computer readable medium.
  • ACL (Access Control List): a list of instructions on router and switch interfaces used to control the data packets entering and leaving a port.
  • ACL management follows these basic principles: when ACL priorities are equal, the rule issued first takes effect first; when priorities differ, the rule with the higher priority takes effect; when a packet is forwarded, the rules in the ACL are matched from top to bottom and the packet is forwarded according to the first rule that matches.
  • If rules are issued with a low-priority rule first and a high-priority rule afterwards, the ACL rules already written to hardware must be moved so that the hardware still satisfies these basic management principles.
  • the present disclosure provides an ACL rule management method, device, computer equipment and computer readable medium.
  • In a first aspect, an embodiment of the present disclosure provides an ACL rule management method, which includes: determining the priority of the rule to be written, where that priority is determined by the priority of the rule type of the rule to be written and the sequence number of the rule of that type in the access control list; and writing the rule to be written into the access control list at least according to its priority.
  • An embodiment of the present disclosure also provides an ACL rule management device including a determining module and a writing module. The determining module is configured to determine the priority of the rule to be written, which is determined by the priority of the rule type of the rule to be written and the sequence number of the rule of that type in the access control list; the writing module is configured to write the rule to be written into the access control list at least according to that priority.
  • Embodiments of the present disclosure also provide a computer device including one or more processors and a storage device on which one or more programs are stored; when the programs are executed by the processors, the processors implement the ACL rule management method of the first aspect.
  • Embodiments of the present disclosure also provide a computer-readable medium on which a computer program is stored; when executed, the program implements the ACL rule management method of the first aspect.
  • FIG. 1 is a flowchart of an ACL rule management method provided by an embodiment of the disclosure
  • FIG. 2 is a flowchart of an ACL rule management method provided by another embodiment of the present disclosure.
  • FIG. 3 is a schematic diagram of writing a rule into an access control list according to another embodiment of the present disclosure.
  • FIG. 4 is another schematic diagram of writing a rule into an access control list according to another embodiment of the present disclosure.
  • Fig. 5 is a schematic structural diagram of an ACL rule management apparatus provided by another embodiment of the present disclosure.
  • the embodiment of the present disclosure provides an ACL rule management method. As shown in FIG. 1, the ACL rule management method includes the following steps:
  • Step 11 Determine the priority of the rule to be written.
  • the priority of the rule to be written is determined by the priority of the rule type of the rule to be written and the sequence number of the rule of the rule type in the access control list. That is, the priority of the rule to be written is composed of the priority of the rule type of the rule to be written and the sequence number of the rule of the rule type in the access control list.
  • rule types correspond to different priorities.
  • Rule types can be classified according to binding types.
  • the binding types can include: port, SG (Signaling Gateway), VLAN (Virtual Local Area Network, virtual local area network), and different binding types correspond to different priorities.
  • Rule types can also be classified according to ACL type, for example IPv4 (Internet Protocol version 4) and IPv6 (Internet Protocol version 6); different ACL types correspond to different priorities.
  • the rules for dividing rule types can be defined by the user.
  • Step 12 Write the rules to be written into the access control list at least according to the priority of the rules to be written.
  • the priority of the rule to be written determined in step 11 is used as the basis for writing the rule to be written into the access control list, that is, the rule to be written is determined according to the priority of the rule to be written The writing position in the access control list.
  • In summary, the priority of the rule to be written is determined, and the rule is written into the access control list at least according to that priority, where the priority is determined by the priority of the rule type of the rule to be written and the sequence number of the rule of that type in the access control list.
  • The priority of the rule to be written thus takes into account both the priority order between different ACL rule types and the order in which rules of the same type are issued. Writing each rule according to this priority minimizes rule migration in the access control list and reduces the CPU consumption of the network device; correspondingly the black-hole period is shortened and packet loss caused by ACL migration is reduced, improving the reliability and stability of the device.
  • The priority of the rule to be written includes a first field and a second field: the value of the first field is the priority of the rule type of the rule to be written, and the value of the second field is the sequence number of the rule of that type in the access control list.
  • The ACL rule management device defines the priority of the rule to be written in segments: the first field is the high-order field and the second field is the low-order field, so the priority of the rule to be written consists of the value of the high-order field followed by the value of the low-order field.
  • step 11 includes the following steps:
  • Step 111: Determine the total number of digits of the priority of the rule to be written.
  • The total number of digits of the priority, the number of digits of the first field and the number of digits of the second field are all expressed in hexadecimal digits.
  • Step 112 Determine the value of the first field according to the rule type to be written in the rule and the preset mapping relationship between the rule type and the priority of the rule type.
  • A mapping relationship is established in advance between each rule type and the priority of that rule type; the higher the priority of the rule type, the smaller the value of the first field.
  • For example, the value of the first field of a port-type rule is smaller than that of a VLAN-type rule, which is smaller than that of an SG-type rule, and the mapping between rule type and rule-type priority is: port 0x1, VLAN 0x2, SG 0x3.
  • The value of the first field is then read from this mapping. For example, if the rule type of the rule to be written is port, the value of the first field is 0x1 (hexadecimal 1).
  • Step 113: Determine the number of digits of the second field from the total number of digits and the preset number of digits of the first field.
  • The number of digits of the first field is preset; all remaining digits form the second field, that is, the low-order field. The preset number of digits of the first field is subtracted from the total number of digits determined in step 111 to give the number of digits of the second field. For example, if the total is 4 digits and the first field is 1 digit, the second field is 3 digits.
  • Step 114: Determine the value of the second field from the number of digits of the second field and the number of rules of the rule type already in the access control list.
  • The sequence number of the rule of the rule type in the access control list is equal to the number of rules of that type already in the list; that number is taken as the value of the second field and is represented with the number of digits of the second field. The value of the second field therefore increases by 1 each time another rule of that type is added. For example, with a 3-digit second field, when the access control list contains 0 port-type rules the second field is 000, and when it contains 1 port-type rule the second field is 001, indicating that the rule to be written is the second port-type rule.
  • The value of a rule written later is thus always larger than the value of a rule of the same type written earlier, which reduces the movement of rules.
  • Step 115 Concatenate the value of the first field and the value of the second field to generate the priority of the rule to be written.
  • the value of the first field is placed in the high order, and the value of the second field is placed in the low order, and the priority of the rule to be written is generated by splicing. For example, if the value of the first field is 0x1 and the value of the second field is 000, the priority of the rule to be written is 0x1000.
  • Determining the total number of digits of the priority of the rule to be written includes: determining it according to the maximum number of rules that the access control list can accommodate.
  • The range of the total number of digits is determined by the maximum number of rules the access control list can accommodate: the larger that maximum, the larger the total number of digits of the priority. For example, the total number of digits can be 4 for one maximum rule count, and 5 digits when the access control list can accommodate a larger maximum number of rules.
  • In the access control list, a rule in an earlier position has a smaller first-field value than a rule in a later position; among rules with the same first-field value, the rule in the earlier position has the smaller second-field value. That is, the earlier a rule's position in the access control list, the smaller its priority value and the higher its priority.
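As an added example, not code from the patent, the following Python computes the two-field priority of steps 111 to 115 and sizes the fields from the maximum number of rules the list holds, as this section describes. The type-to-priority mapping is the page's port/VLAN/SG example; the function names, the one-digit first field and the overflow checks are assumptions made here.

```python
# Added example (not code from the patent): the two-field priority of
# steps 111-115, with the field widths sized from the maximum number of
# rules the list holds. Widths are hexadecimal digits, as in the text.
# TYPE_PRIORITY is the page's port/VLAN/SG mapping; the function names and
# the one-digit first field are assumptions made for this example.

TYPE_PRIORITY = {"port": 0x1, "vlan": 0x2, "sg": 0x3}  # smaller = higher priority
FIRST_FIELD_DIGITS = 1  # preset width of the high-order (rule type) field


def total_digits(max_rules: int) -> int:
    """Step 111: hex digits needed to index max_rules entries.
    32K entries need 15 index bits (the text rounds to 16); both give 4 digits."""
    bits = max(1, (max_rules - 1).bit_length())
    return -(-bits // 4)  # ceiling division


def second_field_digits(max_rules: int) -> int:
    """Step 113: whatever remains after the preset first field."""
    n = total_digits(max_rules) - FIRST_FIELD_DIGITS
    if n < 1:
        raise ValueError("list too small to leave room for a sequence number")
    return n


def rule_priority(rule_type: str, existing_of_type: int, max_rules: int) -> int:
    """Steps 112-115: first field (rule type priority) in the high digit(s),
    second field (number of rules of that type already present) in the low
    digits, concatenated into one value."""
    first = TYPE_PRIORITY[rule_type]
    if first >= 16 ** FIRST_FIELD_DIGITS:
        raise OverflowError("rule type priority does not fit in the first field")
    width = second_field_digits(max_rules)
    if existing_of_type >= 16 ** width:
        # With a 3-digit second field, the 4097th rule of one type has nowhere to go.
        raise OverflowError(f"{rule_type}: second field ({width} hex digits) exhausted")
    return (first << (4 * width)) | existing_of_type


def priority_hex(rule_type: str, existing_of_type: int, max_rules: int) -> str:
    """Zero-padded hexadecimal form, e.g. '1001' for the second port rule."""
    return format(rule_priority(rule_type, existing_of_type, max_rules),
                  f"0{total_digits(max_rules)}x")


if __name__ == "__main__":
    for t, n in (("port", 0), ("port", 1), ("vlan", 0), ("sg", 4095)):
        print(t, n, priority_hex(t, n, 32 * 1024))
```

Because the type priority occupies the high digit, any SG rule (0x3xxx) sorts after every VLAN rule (0x2xxx) regardless of sequence number, which is the ordering property stated above. The per-type capacity is the one caveat worth checking on a real device: with 32K entries and a one-digit first field, each type gets at most 16^3 = 4096 sequence numbers, and the function refuses the 4097th rather than wrapping into the next type's range.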
  • Writing the rule to be written into the access control list at least according to its priority includes: using the priority of the rule to be written as the index into the access control list, and writing the rule at the position in the access control list corresponding to that index.
  • The priority of the rule to be written is used as the index of the access control list, and the index corresponds to a position, that is, an address, in the access control list.
  • The value of the second field increases in the order of issuance, that is, a rule issued later has a larger second-field value. This ensures that each rule written has a larger priority value (a lower priority) than the rules of the same type written before it, so a rule issued later is always ranked behind a rule issued earlier.
  • For example, the maximum number of rules the device's access control list can hold is 32K, so the priority of the rule to be written is 16 bits, which is 4 hexadecimal digits.
  • Rule types are classified by binding type into port, SG and VLAN, with the priority relationship port > VLAN > SG.
  • The first hexadecimal digit is set as the first field of the priority, and the remaining 3 digits as the second field.
  • When port-type rule A is issued for the first time, the priority of the port rule type is 0x1, so the first field is 0x1. Since the access control list contains 0 port-type rules and the value of the second field equals the number of rules of the same type already in the list, the second field is 000 and the priority of rule A is 0x1000. With 0x1000 as the index, rule A is written at the position of the access control list corresponding to index 0x1000.
  • When port-type rule B is issued the second time, the rule type is again port with priority 0x1, so the first field is 0x1. The access control list now contains 1 port-type rule, so the second field is 001 and the priority of rule B is 0x1001. Rule B is written at the position corresponding to index 0x1001, which is the position immediately below rule A.
  • When VLAN-type rule C is issued for the first time, the priority of the rule type is 0x2, so the first field is 0x2. The access control list contains 0 VLAN-type rules, so the second field is 000, the priority of rule C is 0x2000, and rule C is written at the position corresponding to index 0x2000.
  • In this way the port-type rules always precede the VLAN-type rules, the VLAN-type rules always precede the SG-type rules, and within one rule type a rule issued later is always placed behind a rule issued earlier.
  • Alternatively, the rule to be written can be written at a relative position in the access control list. That is, writing the rule to be written into the access control list at least according to its priority (step 12) includes: writing the rule according to its own priority and the priorities of the rules already written into the access control list.
  • Writing the rule according to its priority and the priorities of the rules already written includes: if the access control list is not empty, sorting the priority of the rule to be written together with the priorities of the rules already in the list and writing the rule according to the sorting result; if the access control list is empty, writing the rule at the last position of the access control list.
  • If the access control list is empty, the rule to be written is the first rule in the list and is written at its last position; all rules are thus written starting from the last position of the access control list. If the list is not empty, each time a rule is written its priority is sorted together with the priorities of the rules already written, and the rule is written according to the sorting result. In each case a rule with lower priority is placed at a lower position in the access control list, that is, rules with larger priority values are arranged lower.
  • For example, the device's access control list can hold at most 32K rules, so a 16-bit value, that is 4 hexadecimal digits, is used as the priority of the rule to be written.
  • Rule types are classified by binding type into port, SG and VLAN, with the priority relationship port > VLAN > SG.
  • The first hexadecimal digit is set as the first field of the priority, and the remaining 3 digits as the second field.
  • When VLAN-type rule A is issued for the first time, the priority of the VLAN rule type is 0x2, so the first field is 0x2. The access control list contains 0 VLAN rules and the value of the second field equals the number of rules of the same type already in the list, so the second field is 000, the priority is 0x2000, and rule A is written at the last position of the access control list.
  • When VLAN-type rule B is issued the second time, the priority of the rule type is 0x2 and the first field is 0x2. The access control list now contains 1 VLAN-type rule, so the second field is 001 and the priority of rule B is 0x2001, which is greater than the priority 0x2000 of rule A.
  • Rule B is therefore pushed in from the last position of the access control list in a stacking manner, and rule A moves up by one position.
  • When port-type rule C is issued for the first time, the priority of the port rule type is 0x1 and the first field is 0x1. The list contains 0 port-type rules, so the second field is 000 and the priority of rule C is 0x1000, which is less than the priority 0x2000 of rule A; rule C is therefore written at the position immediately above rule A.
  • In this way each rule to be written is compared with the priorities of all rules already in the access control list and inserted in order of priority value, and once all rules are written the access control list reads, from top to bottom, from the highest priority (smallest value) to the lowest.
  • This writing method performs a stack-style write from the bottom up and supports dynamic positioning. It still ensures that most rules are not moved, shortens the black-hole period and reduces packet loss due to ACL migration, thereby reducing the CPU consumption of the network device and improving network stability. It also does not limit the number of rules of any one type that can be written, and deleting a rule leaves no hole.
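As an added example, not the patent's own code, the following Python simulates the two writing methods described above (index-based, FIG. 3, and stack-style, FIG. 4) on a small list and counts how many existing entries each write moves, next to a conventional top-down writer of the kind the Background describes. The encoding is the page's port=0x1 < VLAN=0x2 < SG=0x3 high digit plus a 3-hex-digit sequence number; the class names, the `moves` counter, the top-down comparison writer and the constructed issue order are assumptions made here.

```python
# Added example (not the patent's own code): simulate the two write methods
# from the text on a small ACL and count the existing entries each one moves.
# Encoding as on the page: high hex digit port=0x1 < VLAN=0x2 < SG=0x3,
# then a 3-hex-digit sequence number (the 32K-entry, 4-digit case).
# Class names, the `moves` counter, TopDownAcl (the conventional writer used
# for comparison) and the issue order ISSUED are assumptions made here.

from dataclasses import dataclass

TYPE_PRIORITY = {"port": 0x1, "vlan": 0x2, "sg": 0x3}
SEQ_DIGITS = 3  # second (low-order) field width in hex digits


@dataclass
class Rule:
    name: str
    rule_type: str
    priority: int = -1


def assign_priority(rule, same_type_count):
    """Steps 111-115: type priority in the high digit, count of rules of that
    type already in the list in the low digits."""
    if same_type_count >= 16 ** SEQ_DIGITS:
        raise OverflowError(f"{rule.rule_type}: sequence field exhausted")
    rule.priority = (TYPE_PRIORITY[rule.rule_type] << (4 * SEQ_DIGITS)) | same_type_count
    return rule


def _same_type_count(rules, rule_type):
    return sum(1 for r in rules if r.rule_type == rule_type)


class IndexedAcl:
    """Method 1 (FIG. 3): the priority value is the table index, so a write never
    moves an entry. Deleting leaves a hole, and because the sequence number is
    the *count* of same-type rules, a later write can land on a surviving index."""

    def __init__(self):
        self.slots = {}  # index -> Rule
        self.moves = 0

    def write(self, rule):
        assign_priority(rule, _same_type_count(self.slots.values(), rule.rule_type))
        if rule.priority in self.slots:
            raise ValueError(f"index {rule.priority:#06x} already occupied")
        self.slots[rule.priority] = rule
        return rule.priority

    def delete(self, name):
        idx = next(i for i, r in self.slots.items() if r.name == name)
        del self.slots[idx]

    def order(self):
        return [self.slots[i].name for i in sorted(self.slots)]


class StackedAcl:
    """Method 2 (FIG. 4): entries fill the table from the bottom. A new rule is
    pushed in from the last position; entries with a smaller priority value
    (higher priority) shift up one slot, entries with a larger value stay."""

    def __init__(self):
        self.entries = []  # top-to-bottom order
        self.moves = 0

    def write(self, rule):
        assign_priority(rule, _same_type_count(self.entries, rule.rule_type))
        pos = len(self.entries)
        while pos > 0 and self.entries[pos - 1].priority > rule.priority:
            pos -= 1
        self.moves += pos  # everything above the insert point moves up one slot
        self.entries.insert(pos, rule)
        return pos

    def delete(self, name):
        self.entries = [r for r in self.entries if r.name != name]  # no hole left

    def order(self):
        return [r.name for r in self.entries]


class TopDownAcl(StackedAcl):
    """Conventional writer from the Background (assumed for comparison): the table
    fills from the top, so a higher-priority rule pushes every lower-priority
    entry down one slot."""

    def write(self, rule):
        assign_priority(rule, _same_type_count(self.entries, rule.rule_type))
        pos = 0
        while pos < len(self.entries) and self.entries[pos].priority < rule.priority:
            pos += 1
        self.moves += len(self.entries) - pos  # everything below moves down
        self.entries.insert(pos, rule)
        return pos


def replay(acl, issued):
    """Issue (name, type) pairs in order; return (top-to-bottom order, moves)."""
    for name, rule_type in issued:
        acl.write(Rule(name, rule_type))
    return acl.order(), acl.moves


# Constructed issue order, taken from the text's second example:
# two VLAN rules, then a port rule.
ISSUED = [("A", "vlan"), ("B", "vlan"), ("C", "port")]

if __name__ == "__main__":
    for cls in (IndexedAcl, StackedAcl, TopDownAcl):
        print(cls.__name__, replay(cls(), ISSUED))
```

Replaying the text's second example gives the same top-to-bottom order C, A, B from all three writers, with 0 moves for the indexed method, 1 for the stack method and 2 for the top-down writer; the stack method's saving is exactly the case the Background describes, a high-priority rule issued after low-priority ones, while a long run of same-type rules costs it one shift per existing entry. The indexed method's count-based sequence number also shows the deletion hole the text alludes to: delete port rule A after A and B are written and the next port rule is assigned index 0x1001, which B still occupies. Whichever method a platform uses, the black-hole period is the window between an entry leaving its old slot and appearing in its new one; the text describes its effect as packet loss for flows the moved rule matched, and how a given device actually behaves in that window is worth verifying rather than assuming.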
  • The ACL rule management method determines the priority of the rule to be written and writes the rule into the access control list at least according to that priority. The priority includes a first field whose value is the priority of the rule type of the rule to be written and a second field whose value is the sequence number of the rule of that type in the access control list.
  • The priority of the rule to be written therefore considers both the priority order between different ACL rule types and the order in which rules of the same type are issued. With either of the two writing methods, rules are moved as little as possible when written into the access control list, which reduces the CPU consumption of the network device; correspondingly the black-hole period is shortened and packet loss caused by ACL migration is reduced, improving the reliability and stability of the network device.
  • an embodiment of the present disclosure also provides an ACL rule management device.
  • the ACL rule management device includes a determining module 1 and a writing module 2, and the determining module 1 is set to: The priority of the rule to be written is determined, and the priority of the rule to be written is determined by the priority of the rule type of the rule to be written and the sequence number of the rule of the rule type in the access control list.
  • the writing module 2 is configured to write the rules to be written into the access control list at least according to the priority of the rules to be written.
  • The priority of the rule to be written includes a first field, whose value is the priority of the rule type of the rule to be written, and a second field, whose value is the sequence number of the rule of that type in the access control list.
  • The determining module 1 is configured to: determine the total number of digits of the priority of the rule to be written; determine the value of the first field from the rule type of the rule to be written and the preset mapping between rule types and rule-type priorities, where the higher the priority of the rule type, the smaller the value of the first field; determine the number of digits of the second field from the total number of digits and the preset number of digits of the first field; determine the value of the second field from the number of digits of the second field and the number of rules of that type already in the access control list, using that number as the value and representing it with the digits of the second field; and concatenate the value of the first field and the value of the second field to generate the priority of the rule to be written.
  • In the access control list, a rule in an earlier position has a smaller first-field value than a rule in a later position; among rules with the same first-field value, the rule in the earlier position has the smaller second-field value.
  • The writing module 2 is configured to use the priority of the rule to be written as the index into the access control list and write the rule at the position in the access control list corresponding to that index.
  • Alternatively, the writing module 2 is configured to write the rule to be written into the access control list according to its priority and the priorities of the rules already written: if the access control list is not empty, the priority of the rule to be written is sorted together with the priorities of the rules already in the list and the rule is written according to the sorting result; if the access control list is empty, the rule to be written is written at the last position of the access control list.
  • the embodiment of the present disclosure also provides a computer device, including: one or more processors; a storage device, wherein one or more programs are stored thereon; when the one or more programs are used by the one or more When executed by each processor, the one or more processors implement the ACL rule management method provided in the foregoing embodiments.
  • the embodiments of the present disclosure also provide a computer-readable medium on which a computer program is stored, wherein the program implements the ACL rule management method provided in the foregoing embodiments when the program is executed.
  • In these embodiments, the priority of the rule to be written is determined, and the rule is written into the access control list at least according to that priority, where the priority is determined by the priority of the rule type of the rule to be written and the sequence number of the rule of that type in the access control list.
  • The priority of the rule to be written thus takes into account both the priority order between different ACL rule types and the order in which rules of the same type are issued. Writing each rule according to this priority minimizes migration and reduces the CPU consumption of the network device; the black-hole period is shortened and packet loss caused by ACL migration is reduced, improving the reliability and stability of the network device.
  • The functional modules/units in the device can be implemented as software, firmware, hardware, or suitable combinations thereof.
  • The division between functional modules/units mentioned above does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be executed cooperatively by several physical components.
  • Some or all physical components can be implemented as software executed by a processor such as a central processing unit, a digital signal processor or a microprocessor, as hardware, or as an integrated circuit such as an application-specific integrated circuit.
  • Such software may be distributed on a computer-readable medium, which may include a computer storage medium (or non-transitory medium) and a communication medium (or transitory medium).
  • The term computer storage medium includes volatile and non-volatile media implemented in any method or technology for storing information such as computer-readable instructions, data structures, program modules or other data.
  • Computer storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technologies, CD-ROM, digital versatile disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and can be accessed by a computer.
  • Communication media typically carry computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery media.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

An access control list (ACL) rule management method and apparatus, a computer device, and a computer readable medium. The method comprises: determining the priority of a rule to be written, the priority of the rule to be written being determined by the priority of the rule type of the rule to be written and the sequence numbers of rules of the rule type in an ACL (S11); and writing the rule to be written into the ACL according to at least the priority of the rule to be written (S12).

Description

ACL规则管理方法、装置、计算机设备及计算机可读介质ACL rule management method, device, computer equipment and computer readable medium
相关申请的交叉引用Cross-references to related applications
本申请基于申请号为201911250942.4、申请日为2019年12月9日的中国专利申请提出,并要求该中国专利申请的优先权,该中国专利申请的全部内容在此引入本申请作为参考。This application is filed based on a Chinese patent application with application number 201911250942.4 and an application date of December 9, 2019, and claims the priority of the Chinese patent application. The entire content of the Chinese patent application is hereby incorporated by reference into this application.
技术领域Technical field
本公开涉及通信技术领域,具体涉及一种ACL规则管理方法、装置、计算机设备及计算机可读介质。The present disclosure relates to the field of communication technology, and in particular to an ACL rule management method, device, computer equipment, and computer readable medium.
Background
An access control list (ACL) is a list of instructions on router and switch interfaces used to control the packets entering and leaving a port. In general, ACL management follows these basic principles:
1. When rules have the same priority, the rule issued first takes effect first.
2. When priorities differ, the rule with the higher priority takes effect first.
3. When a packet is forwarded, the rules in the ACL are matched from top to bottom; the first rule that matches is applied, and the packet is forwarded according to that rule.
Therefore, if a low-priority rule is issued first and a high-priority rule is issued afterwards, the ACL rules have to be moved when they are written to hardware in order to satisfy these basic management principles.
At present, the common procedure for issuing ACL rules to a device is:
1. Issue a rule of a certain priority.
2. Compare the priority of this rule with the priorities of the existing rules, and the issuing order among rules of the same priority.
3. Move rules according to the basic ACL management principles so that top-to-bottom matching of packets satisfies the priority requirements.
It can be seen that if the priority of a rule issued earlier is lower than that of a rule issued later, rules must be moved. If a great many rules are issued, in the extreme case issuing a single rule requires moving all existing rules. Moving rules adds load on the device's CPU (Central Processing Unit). Moreover, while rules are being moved, rules that were already in effect enter a brief "black hole" period during which packets matching those rules cannot be forwarded normally, which affects network stability.
Summary
The present disclosure provides an ACL rule management method, apparatus, computer device and computer-readable medium.
In a first aspect, an embodiment of the present disclosure provides an ACL rule management method, including: determining the priority of a rule to be written, where the priority of the rule to be written is determined by the priority of the rule type of the rule to be written and the sequence number of rules of that rule type in the access control list; and writing the rule to be written into the access control list at least according to its priority.
In a second aspect, an embodiment of the present disclosure provides an ACL rule management apparatus including a determining module and a writing module. The determining module is configured to determine the priority of the rule to be written, which is determined by the priority of the rule type of the rule to be written and the sequence number of rules of that rule type in the access control list; the writing module is configured to write the rule to be written into the access control list at least according to that priority.
In a third aspect, an embodiment of the present disclosure further provides a computer device including one or more processors and a storage device; the storage device stores one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the ACL rule management method of the first aspect.
In a fourth aspect, an embodiment of the present disclosure further provides a computer-readable medium storing a computer program which, when executed, implements the ACL rule management method of the first aspect.
Brief description of the drawings
FIG. 1 is a flowchart of an ACL rule management method provided by an embodiment of the present disclosure;
FIG. 2 is a flowchart of an ACL rule management method provided by another embodiment of the present disclosure;
FIG. 3 is a schematic diagram of writing a rule into an access control list according to another embodiment of the present disclosure;
FIG. 4 is another schematic diagram of writing a rule into an access control list according to another embodiment of the present disclosure;
FIG. 5 is a schematic structural diagram of an ACL rule management apparatus provided by another embodiment of the present disclosure.
Detailed description
Example embodiments are described more fully below with reference to the accompanying drawings, but they may be embodied in different forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that the disclosure is thorough and complete and fully conveys its scope to those skilled in the art.
As used herein, the term "and/or" includes any and all combinations of one or more of the associated listed items.
The terminology used herein is for describing particular embodiments only and is not intended to limit the present disclosure. As used herein, the singular forms "a" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprising" and/or "made of", when used in this specification, specify the presence of the stated features, integers, steps, operations, elements and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups thereof.
The embodiments described herein may be described with reference to plan and/or cross-sectional views that are idealized schematic illustrations of the present disclosure. Accordingly, the illustrations may be modified according to manufacturing techniques and/or tolerances. Thus, the embodiments are not limited to those shown in the drawings but include modifications of configurations formed on the basis of the manufacturing process. The regions illustrated in the drawings are therefore schematic in nature, and the shapes of the regions shown illustrate the specific shapes of regions of elements but are not intended to be limiting.
Unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art. It will be further understood that terms such as those defined in commonly used dictionaries should be interpreted as having a meaning consistent with their meaning in the context of the related art and the present disclosure, and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
An embodiment of the present disclosure provides an ACL rule management method. As shown in FIG. 1, the method includes the following steps:
Step 11: determine the priority of the rule to be written.
In this step, the priority of the rule to be written is determined by the priority of the rule type of the rule to be written and the sequence number of rules of that rule type in the access control list. That is, the priority of the rule to be written consists of two parts: the priority of its rule type, and the sequence number of rules of that rule type in the access control list.
It should be noted that different rule types correspond to different priorities. Rule types may be divided by binding type, which may include port, SG (Signaling Gateway) and VLAN (Virtual Local Area Network), with different binding types corresponding to different priorities. Rule types may also be divided by ACL type, for example IPv4 (Internet Protocol version 4) and IPv6 (Internet Protocol version 6), with different ACL types corresponding to different priorities. Of course, the principle for dividing rule types may be defined by the user.
The larger the sequence number of rules of the given rule type in the access control list, the later the rule was issued among rules of the same type, and the larger the priority value of the corresponding rule to be written. In other words, the priority of the rule to be written takes into account both the priority order between different ACL rule types and the order in which rules of the same rule type are issued.
Step 12: write the rule to be written into the access control list at least according to its priority.
In this step, the priority determined in step 11 is used as the basis for writing the rule into the access control list; that is, the position at which the rule is written in the access control list is determined according to its priority.
In this embodiment, the priority of the rule to be written is determined, and the rule is written into the access control list at least according to that priority, where the priority is determined by the priority of the rule type of the rule to be written and the sequence number of rules of that rule type in the access control list. Because this priority takes into account both the priority order between different ACL rule types and the order in which rules of the same type are issued, writing the rule into the access control list according to it minimizes rule moves and reduces the CPU consumption of the network device. Correspondingly, the black hole period is shortened and packet loss caused by ACL moves is reduced, which improves the reliability and stability of the network device.
In some embodiments, the priority of the rule to be written includes a first field and a second field: the value of the first field is the priority of the rule type of the rule to be written, and the value of the second field is the sequence number of rules of that rule type in the access control list. The ACL rule management apparatus thus defines the priority of a rule about to be written into the access control list in segments. The first field is the high-order field and the second field is the low-order field; that is, the priority of the rule to be written is composed of the value of the high-order field and the value of the low-order field.
As shown in FIG. 2, determining the priority of the rule to be written (step 11) includes the following steps:
Step 111: determine the total number of digits of the priority of the rule to be written.
It should be noted that in the embodiments of the present disclosure the total number of digits of the priority, the number of digits of the first field and the number of digits of the second field are all given in hexadecimal.
Step 112: determine the value of the first field according to the rule type of the rule to be written and a preset mapping between rule types and rule-type priorities.
In this step, a mapping between rule types and their priorities is established in advance. The higher the priority of a rule type, the smaller the value of the first field. For example, when rules are typed by binding type, the basic order in which rules take effect is port > VLAN > SG, so the priority order is also port > VLAN > SG, and the first-field value of a port rule < the first-field value of a VLAN rule < the first-field value of an SG rule. The mapping between rule types and rule-type priorities is then: port has priority 0x1, VLAN has priority 0x2 and SG has priority 0x3. From this mapping and the rule type of the rule to be written, the value of the first field can be determined. For example, if the rule type of the rule to be written is port, the value of the first field is 0x1 (1 in hexadecimal).
Step 113: determine the number of digits of the second field according to the total number of digits and the preset number of digits of the first field.
In this step, the number of digits of the first field is preset. Once the total number of digits has been determined, all remaining digits count as the second field, i.e. the low-order field: subtracting the preset number of first-field digits from the total gives the number of digits of the second field. For example, if the total is 4 digits and the first field is 1 digit, the second field has 3 digits.
Step 114: determine the value of the second field according to the number of digits of the second field and the number of rules of the given rule type in the access control list.
In some embodiments, that number is used as the value of the second field and is represented with the number of digits of the second field.
In this step, the sequence number of rules of the given rule type in the access control list equals the number of rules of that type already in the access control list. That number is used as the value of the second field and is expressed in the number of digits of the second field; that is, the value of the second field increases by 1 each time the number of rules of that rule type in the access control list grows. For example, when the second field has three digits and the access control list contains 0 port rules, the second field is 000; when the second field has three digits and the access control list contains 1 port rule, the second field is 001, indicating that the rule to be written is the second port rule. And so on: each time a rule with the same first field is written, the value written later is necessarily larger than the value written earlier, which reduces rule moves.
Step 115: concatenate the value of the first field and the value of the second field to generate the priority of the rule to be written.
In this step, the value of the first field is placed in the high-order position and the value of the second field in the low-order position, and the two are concatenated to form the priority of the rule to be written. For example, if the first field is 0x1 and the second field is 000, the priority of the rule to be written is 0x1000.
In some embodiments, determining the total number of digits of the priority of the rule to be written (step 111) includes determining it according to the maximum number of rules the access control list can hold. That is, the range of the total number of digits is decided by the maximum number of rules the access control list can hold: the larger that maximum, the larger the total number of digits. For example, when the maximum number of rules the access control list can hold is ______, the total number of digits can be determined to be 4; when the maximum number of rules it can hold is ______, the total number of digits can be determined to be 5.
It should be noted that in some embodiments, in the access control list, the first-field value of a rule positioned earlier is smaller than that of a rule positioned later; among rules with the same first-field value, the second-field value of a rule positioned earlier is smaller than that of a rule positioned later. That is, the earlier a rule is positioned in the access control list, the smaller its priority value and the higher its priority.
In the embodiments of the present disclosure there are two ways of writing a rule with the determined priority into the access control list: writing the rule at an absolute position in the access control list, or writing it at a relative position. They are discussed in turn below.
In some embodiments, writing the rule to be written into the access control list at least according to its priority (step 12) includes: using the priority of the rule to be written as an index into the access control list, and writing the rule at the position in the access control list corresponding to that index.
In this step, the priority of the rule to be written is used as the index of the access control list, and the index corresponds to a position, i.e. an address, in the access control list. For rules of the same rule type, the second-field value of the priority increases with the order of issue, i.e. a rule issued later has a larger second-field value. Thus, for rules of the same rule type, the priority of each newly written rule is always lower than that of the rules written before it, i.e. a rule issued later is always placed after the rules issued earlier.
FIG. 3 is taken as an example to describe this writing method in detail. The maximum number of rules the device's access control list can hold is 32K, so the priority of a rule to be written has 16 bits in total, i.e. 4 hexadecimal digits. The 1 high-order digit is used as the first field of the priority. When the rule types are the binding types port, SG and VLAN, the priority relationship is port > VLAN > SG, so in the 1-digit high-order field the priority of port is set to 0x1, VLAN to 0x2 and SG to 0x3. This guarantees that in the access control list port rules always come before VLAN rules and VLAN rules always come before SG rules. The remaining 3 digits are set as the second field of the priority.
Port rule A is issued first. The priority of the port rule type is 0x1, so the first field is 0x1. Since the access control list contains 0 port rules and the second field equals the number of rules of the same type in the list, the second field is 000, the priority of port rule A is 0x1000, and with 0x1000 as the index port rule A is written at the position of the access control list corresponding to index 0x1000. Port rule B is issued second; the priority of the port rule type is 0x1, so the first field is 0x1; at the time of the second port rule the access control list contains 1 port rule, so the second field is 001, the priority of port rule B is 0x1001, and port rule B is written at the position corresponding to index 0x1001, directly below port rule A. VLAN rule C is issued for the first time; the priority of the VLAN rule type is 0x2, so the first field is 0x2; at the time of the first VLAN rule the access control list contains 0 VLAN rules, so the second field is 000, the priority of VLAN rule C is 0x2000, and VLAN rule C is written at the position corresponding to index 0x2000. And so on: port rules necessarily precede VLAN rules, VLAN rules necessarily precede SG rules, and among rules of the same type a rule issued later is always placed after the rules issued earlier.
With this writing method no rule moves occur during the initial filling of the access control list, and correspondingly no packet loss is caused by rule moves, which reduces the CPU consumption of the network device and improves network stability.
在一些实施例中,为了防止出现访问控制列表中删除规则后的空洞,同时为避免访问控制列表对各规则类型的规则写入数量进行限制,可以将待写入规则写入访问控制列表的 相对位置。即所述至少根据所述待写入规则的优先级,将所述待写入规则写入所述访问控制列表(步骤S12),包括:根据待写入规则的优先级和已写入所述访问控制列表的各规则的优先级,将待写入规则写入访问控制列表。In some embodiments, in order to prevent holes in the access control list after the rule is deleted, and at the same time, to avoid the access control list restricting the number of rules written for each rule type, the rules to be written can be written to the relative value of the access control list. position. That is, the writing the rule to be written into the access control list at least according to the priority of the rule to be written (step S12) includes: according to the priority of the rule to be written and the written rule The priority of each rule of the access control list, write the rules to be written into the access control list.
在一些实施例中,所述根据所述待写入规则的优先级和已写入所述访问控制列表的各规则的优先级,将所述待写入规则写入所述访问控制列表,包括:若所述访问控制列表不为空,则对所述待写入规则的优先级和已写入所述访问控制列表中的各规则的优先级排序,并根据排序结果,将待写入规则写入所述访问控制列表。若所述访问控制列表为空,则将所述待写入规则写入所述访问控制列表的最后一个位置。In some embodiments, the writing the rule to be written into the access control list according to the priority of the rule to be written and the priority of each rule that has been written into the access control list includes : If the access control list is not empty, sort the priority of the rule to be written and the priority of each rule written in the access control list, and according to the sorting result, sort the rule to be written Write the access control list. If the access control list is empty, the rule to be written is written into the last position of the access control list.
在一些实施例中,若所述访问控制列表为空,即说明待写入规则为访问控制列表中的第一条规则时,则将所述待写入规则写入所述访问控制列表的最后一个位置。所有规则从访问控制列表的最后一个位置开始往里写入。若访问控制列表不为空,每次向访问控制列表写入待写入规则的时候,对所述待写入规则的优先级和已写入所述访问控制列表中的各规则的优先级排序,根据排序结果,将所述待写入规则写入所述访问控制列表。每次都把优先级低的规则排在访问控制列表中靠后的位置,即优先级的值大的规则排在靠后的位置。In some embodiments, if the access control list is empty, it means that when the rule to be written is the first rule in the access control list, the rule to be written is written to the end of the access control list. A location. All rules are written in from the last position of the access control list. If the access control list is not empty, each time a rule to be written is written to the access control list, the priority of the rule to be written and the priority of each rule written in the access control list are sorted , According to the sorting result, write the rule to be written into the access control list. Each time, the rules with lower priority are ranked at the lower position in the access control list, that is, the rules with higher priority values are arranged at the lower position.
以图4为例,具体说明此种待写入规则的写入方法。设备的访问控制列表能够容纳规则的最大数量可以支持32K条,则使用一个16bit大小数据段,作为待写入规则的优先级,转换为十六进制为4位。将1位高位字段作为规则的优先级的第一字段。规则类型为绑定的端口、SG、VLAN时,其优先级关系是端口>VLAN>SG,在1位高位字段中设置端口的优先级为0x1,VLAN为0x2,SG为0x3。此设置可以保证在访问控制列表中端口类型的规则必然排在VLAN类型的规则之前,VLAN类型的规则必然排在SG类型的规则之前。将剩余3位设置为规则的优先级的第二字段。Taking FIG. 4 as an example, the method for writing the rules to be written is described in detail. The device's access control list can accommodate the maximum number of rules that can support 32K, then a 16-bit data segment is used as the priority of the rules to be written, converted to hexadecimal to 4 bits. Take the 1-bit high-order field as the first field of the priority of the rule. When the rule type is bound port, SG, VLAN, the priority relationship is port>VLAN>SG. Set the port priority to 0x1, VLAN to 0x2, and SG to 0x3 in the 1-high bit field. This setting can ensure that the port type rules in the access control list must be ranked before the VLAN type rules, and the VLAN type rules must be ranked before the SG type rules. Set the remaining 3 bits as the second field of the priority of the rule.
首次下发VLAN类型的规则A,规则类型为VLAN的待写入规则的优先级为0x2,则第一字段为0x2,访问控制列表中的VLAN规则为0条,第二字段的值与访问控制列表中同一类型的规则数量相同,则第二字段为000,生成优先级0x2000,将VLAN类型的规则A写入访问控制列表的最后一个位置。第二次下发VLAN类型的规则B,规则类型为VLAN的优先级为0x2,则第一字段为0x2,第二次下发VLAN类型的规则时访问控制列表中的VLAN类型的规则为1条,第二字段的值与访问控制列表中同一类型的规则数量相同,则第二字段为001,因此VLAN类型的规则B的优先级为0x2001,大于VLAN类型的规则A的优先级0x2000,将VLAN类型的规则B以压栈方式从访问控制列表最后一条位置压入,将VLAN类型的规则A向上搬移一个位置。首次下发端口类型的规则C,规则类型为端口的优先级为0x1,则第一字段为0x1,由于访问控制列表中的端口类型的规则为0条,第二字段的值与 访问控制列表中同一类型的规则数量相同,则第二字段为000,因此端口类型的规则C的优先级为0x1000,小于VLAN类型的规则A的优先级0x2000,因此将端口类型的规则C写入VLAN类型的规则A的前一条位置。以此类推,每一条待写入规则都要与访问控制列表已经存在的所有规则的优先级进行比较,将其按照数值由小到大的顺序插入到访问控制列表中,完成其他规则的写入,最终写入所有规则保持访问控制列表全表从上到下是优先级从大到小的效果。The VLAN type rule A is issued for the first time, the priority of the rule to be written for the VLAN type is 0x2, then the first field is 0x2, the VLAN rule in the access control list is 0, the value of the second field and access control If the number of rules of the same type in the list is the same, the second field is 000, and the priority is 0x2000, and the rule A of the VLAN type is written into the last position of the access control list. The second time the VLAN type rule B is issued, the priority of the rule type is 0x2, and the first field is 0x2. When the VLAN type rule is issued the second time, the VLAN type rule in the access control list is 1 , The value of the second field is the same as the number of rules of the same type in the access control list, and the second field is 001. Therefore, the priority of VLAN type rule B is 0x2001, which is greater than the priority of VLAN type rule A 0x2000. The rule B of the type is pushed in from the last position of the access control list in a stacking manner, and the rule A of the VLAN type is moved up by one position. The port type rule C is issued for the first time. If the rule type is port priority is 0x1, the first field is 0x1. 
Since the port type rule in the access control list is 0, the value of the second field is the same as in the access control list If the number of rules of the same type is the same, the second field is 000, so the priority of port type rule C is 0x1000, which is less than the priority of VLAN type rule A, 0x2000, so the port type rule C is written into the VLAN type rule The previous position of A. By analogy, each rule to be written must be compared with the priority of all rules that already exist in the access control list, and it will be inserted into the access control list in descending order of value to complete the writing of other rules. , And finally write all rules to keep the full access control list from top to bottom, which is the effect of priority from large to small.
With this method of writing rules to be written, rules are pushed in stack-fashion, in order, from the bottom upward, which allows dynamic position writing while still ensuring that most rules are not moved. The black-hole period is shortened and packet loss caused by ACL moves is reduced, which lowers the CPU consumption of the network device and improves network stability. Moreover, the number of rules of any given type that can be written is not limited, and no holes appear as a result of rule deletion.
The ACL rule management method provided by the embodiments of the present disclosure determines the priority of the rule to be written and writes the rule to be written into the access control list at least according to that priority, where the priority of the rule to be written includes a first field and a second field, the value of the first field being the priority of the rule type of the rule to be written and the value of the second field being the sequence number, within the access control list, of the rule among rules of that rule type. The priority of the rule to be written thus takes into account both the priority order between different ACL rule types and the order in which rules of the same rule type are issued. Furthermore, through the two methods of writing rules, the movement of rules when they are written into the access control list is kept to a minimum, which lowers the CPU consumption of the network device; correspondingly, the black-hole period is shortened and packet loss caused by ACL moves is reduced, improving the reliability and stability of the network device.
Based on the same technical concept, an embodiment of the present disclosure further provides an ACL rule management apparatus. As shown in FIG. 7, the ACL rule management apparatus includes a determining module 1 and a writing module 2. The determining module 1 is configured to determine the priority of the rule to be written, the priority of the rule to be written being determined by the priority of the rule type of the rule to be written and the sequence number of the rule of that rule type in the access control list.
The writing module 2 is configured to write the rule to be written into the access control list at least according to the priority of the rule to be written.
In some embodiments, the priority of the rule to be written includes a first field and a second field, the value of the first field is the priority of the rule type of the rule to be written, and the value of the second field is the sequence number of the rule of that rule type in the access control list; the determining module 1 is configured to:
Determine the total number of bits of the priority of the rule to be written.
Determine the value of the first field according to the rule type of the rule to be written and a preset mapping between rule types and rule-type priorities.
Determine the number of bits of the second field according to the total number of bits and the preset number of bits of the first field.
Determine the value of the second field according to the number of bits of the second field and the number of rules of that rule type in the access control list.
Concatenate the value of the first field and the value of the second field to generate the priority of the rule to be written.
In some embodiments, the determining module 1 is configured to:
Determine the total number of bits of the priority of the rule to be written according to the maximum number of rules that the access control list can hold.
In some embodiments, the higher the priority of a rule type, the smaller the value of the first field;
In some embodiments, the determining module 1 is configured to:
Determine the number of rules of that rule type in the current access control list.
Use that number as the value of the second field, represented in the number of bits of the second field.
In some embodiments, in the access control list, the value of the first field of a rule in an earlier position is smaller than the value of the first field of a rule in a later position; among rules whose first fields have the same value, the value of the second field of a rule in an earlier position is smaller than the value of the second field of a rule in a later position.
In some embodiments, the writing module 2 is configured to:
Use the priority of the rule to be written as the index for writing into the access control list, and write the rule to be written into the position in the access control list corresponding to that index.
In some embodiments, the writing module 2 is configured to:
Write the rule to be written into the access control list according to the priority of the rule to be written and the priorities of the rules already written into the access control list.
In some embodiments, the writing module 2 is configured to:
If the access control list is not empty, sort the priority of the rule to be written together with the priorities of the rules already written into the access control list.
Write the rule to be written into the access control list according to the sorting result.
In some embodiments, the writing module 2 is configured to:
If the access control list is empty, write the rule to be written into the last position of the access control list.
An embodiment of the present disclosure further provides a computer device, including: one or more processors; and a storage apparatus on which one or more programs are stored; where, when the one or more programs are executed by the one or more processors, the one or more processors are caused to implement the ACL rule management method provided by the foregoing embodiments.
An embodiment of the present disclosure further provides a computer-readable medium on which a computer program is stored, where the program, when executed, implements the ACL rule management method provided by the foregoing embodiments.
According to the ACL rule management method and apparatus, computer device and computer-readable medium provided by the embodiments of the present disclosure, the priority of the rule to be written is determined and the rule to be written is written into the access control list at least according to that priority, where the priority of the rule to be written is determined by the priority of the rule type of the rule to be written and the sequence number of the rule of that rule type in the access control list. The priority of the rule to be written takes into account both the priority order between different ACL rule types and the order in which rules of the same rule type are issued, so that when the rule to be written is written into the access control list according to its priority, rule movement is minimized and the CPU consumption of the network device is lowered; correspondingly, the black-hole period is shortened and packet loss caused by ACL moves is reduced, improving the reliability and stability of the network device.
Those of ordinary skill in the art will understand that all or some of the steps of the methods disclosed above, and the functional modules/units of the apparatus, may be implemented as software, firmware, hardware, or suitable combinations thereof. In a hardware implementation, the division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have several functions, or one function or step may be performed by several physical components in cooperation. Some or all of the physical components may be implemented as software executed by a processor such as a central processing unit, a digital signal processor or a microprocessor, as hardware, or as an integrated circuit such as an application-specific integrated circuit. Such software may be distributed on computer-readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). As is well known to those of ordinary skill in the art, the term computer storage media includes volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information such as computer-readable instructions, data structures, program modules or other data. Computer storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and can be accessed by a computer. In addition, as is well known to those of ordinary skill in the art, communication media typically embody computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery media.
Example embodiments have been disclosed herein, and although specific terms are employed, they are used and are to be interpreted in a generic and descriptive sense only and not for purposes of limitation. In some instances, as would be apparent to those skilled in the art, features, characteristics and/or elements described in connection with a particular embodiment may be used singly or in combination with features, characteristics and/or elements described in connection with other embodiments, unless otherwise specifically indicated. Accordingly, those skilled in the art will understand that various changes in form and details may be made without departing from the scope of the present invention as set forth in the appended claims.

Claims (12)

  1. An ACL rule management method, comprising:
    determining the priority of a rule to be written, the priority of the rule to be written being determined by the priority of the rule type of the rule to be written and the sequence number of the rule of that rule type in an access control list;
    writing the rule to be written into the access control list at least according to the priority of the rule to be written.
  2. The method according to claim 1, wherein the priority of the rule to be written comprises a first field and a second field, the value of the first field is the priority of the rule type of the rule to be written, the value of the second field is the sequence number of the rule of that rule type in the access control list, and determining the priority of the rule to be written comprises:
    determining the total number of bits of the priority of the rule to be written;
    determining the value of the first field according to the rule type of the rule to be written and a preset mapping between rule types and rule-type priorities;
    determining the number of bits of the second field according to the total number of bits and the preset number of bits of the first field;
    determining the value of the second field according to the number of bits of the second field and the number of rules of that rule type in the access control list;
    concatenating the value of the first field and the value of the second field to generate the priority of the rule to be written.
  3. The method according to claim 2, wherein determining the total number of bits of the priority of the rule to be written comprises:
    determining the total number of bits of the priority of the rule to be written according to the maximum number of rules that the access control list can hold.
  4. The method according to claim 2, wherein the higher the priority of a rule type, the smaller the value of the first field;
    determining the value of the second field according to the number of bits of the second field and the number of rules of that rule type in the access control list comprises:
    determining the number of rules of that rule type in the current access control list;
    using that number as the value of the second field, represented in the number of bits of the second field.
  5. The method according to claim 4, wherein, in the access control list, the value of the first field of a rule in an earlier position is smaller than the value of the first field of a rule in a later position; and among rules whose first fields have the same value, the value of the second field of a rule in an earlier position is smaller than the value of the second field of a rule in a later position.
  6. The method according to any one of claims 1 to 5, wherein writing the rule to be written into the access control list at least according to the priority comprises:
    using the priority of the rule to be written as the index for writing into the access control list, and writing the rule to be written into the position in the access control list corresponding to that index.
  7. The method according to any one of claims 1 to 5, wherein writing the rule to be written into the access control list at least according to the priority of the rule to be written comprises:
    writing the rule to be written into the access control list according to the priority of the rule to be written and the priorities of the rules already written into the access control list.
  8. The method according to claim 7, wherein writing the rule to be written into the access control list according to the priority of the rule to be written and the priorities of the rules already written into the access control list comprises:
    if the access control list is not empty, sorting the priority of the rule to be written together with the priorities of the rules already written into the access control list;
    writing the rule to be written into the access control list according to the sorting result.
  9. The method according to claim 7, wherein writing the rule to be written into the access control list according to the priority of the rule to be written and the priorities of the rules already written into the access control list comprises:
    if the access control list is empty, writing the rule to be written into the last position of the access control list.
  10. An ACL rule management apparatus, comprising:
    a determining module, configured to determine the priority of a rule to be written, the priority of the rule to be written being determined by the priority of the rule type of the rule to be written and the sequence number of the rule of that rule type in an access control list;
    a writing module, configured to write the rule to be written into the access control list at least according to the priority of the rule to be written.
  11. A computer device, comprising: one or more processors; and a storage apparatus on which one or more programs are stored; wherein, when the one or more programs are executed by the one or more processors, the one or more processors are caused to implement the ACL rule management method according to any one of claims 1 to 9.
  12. A computer-readable medium storing a computer program, wherein the program, when executed, implements the ACL rule management method according to any one of claims 1 to 9.
PCT/CN2020/133118 2019-12-09 2020-12-01 Acl rule management method and apparatus, computer device, and computer readable medium WO2021115160A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201911250942.4A CN113037681B (en) 2019-12-09 2019-12-09 ACL rule management method, ACL rule management device, computer equipment and computer readable medium
CN201911250942.4 2019-12-09

Publications (1)

Publication Number Publication Date
WO2021115160A1 true WO2021115160A1 (en) 2021-06-17

Family

ID=76329520

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/133118 WO2021115160A1 (en) 2019-12-09 2020-12-01 Acl rule management method and apparatus, computer device, and computer readable medium

Country Status (2)

Country Link
CN (1) CN113037681B (en)
WO (1) WO2021115160A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114978809A (en) * 2022-06-23 2022-08-30 惠州华阳通用电子有限公司 Vehicle-mounted Ethernet VLAN node configuration method
WO2024016863A1 (en) * 2022-07-20 2024-01-25 华为技术有限公司 Rule lookup method and apparatus, device and computer-readable storage medium

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114745177A (en) * 2022-04-11 2022-07-12 浪潮思科网络科技有限公司 ACL rule processing method, device, equipment and medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030225964A1 (en) * 2002-06-04 2003-12-04 Ram Krishnan Managing a position-dependent data set that is stored in a content addressable memory array at a network node
CN101039271A (en) * 2007-03-20 2007-09-19 华为技术有限公司 Method and apparatus for taking effect rules of access control list
CN102811227A (en) * 2012-08-30 2012-12-05 重庆大学 Administration mechanism for standard way access control list (ACL) rule under internet protocol security (IPsec) protocol
CN104618140A (en) * 2014-12-26 2015-05-13 上海斐讯数据通信技术有限公司 ACL (access control list) table insertion sequencing method

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106034046A (en) * 2015-03-20 2016-10-19 中兴通讯股份有限公司 Method and device for sending access control list (ACL)
CN106487769B (en) * 2015-09-01 2020-02-04 深圳市中兴微电子技术有限公司 Method and device for realizing Access Control List (ACL)
US10623271B2 (en) * 2017-05-31 2020-04-14 Cisco Technology, Inc. Intra-priority class ordering of rules corresponding to a model of network intents
US10187217B1 (en) * 2017-07-11 2019-01-22 Oracle International Corporation Methods, systems, and computer readable media for efficient mapping of rule precedence values and filter priority values

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114978809A (en) * 2022-06-23 2022-08-30 惠州华阳通用电子有限公司 Vehicle-mounted Ethernet VLAN node configuration method
CN114978809B (en) * 2022-06-23 2024-01-12 惠州华阳通用电子有限公司 Vehicle-mounted Ethernet VLAN node configuration method
WO2024016863A1 (en) * 2022-07-20 2024-01-25 华为技术有限公司 Rule lookup method and apparatus, device and computer-readable storage medium

Also Published As

Publication number Publication date
CN113037681B (en) 2023-09-05
CN113037681A (en) 2021-06-25

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20897695

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20897695

Country of ref document: EP

Kind code of ref document: A1

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205 DATED 20/02/2023)

122 Ep: pct application non-entry in european phase

Ref document number: 20897695

Country of ref document: EP

Kind code of ref document: A1