CN100583829C - Method and apparatus for taking effect of rules of access control list - Google Patents
Method and apparatus for taking effect of rules of access control list Download PDFInfo
- Publication number
- CN100583829C CN100583829C CN200710086909A CN200710086909A CN100583829C CN 100583829 C CN100583829 C CN 100583829C CN 200710086909 A CN200710086909 A CN 200710086909A CN 200710086909 A CN200710086909 A CN 200710086909A CN 100583829 C CN100583829 C CN 100583829C
- Authority
- CN
- China
- Prior art keywords
- acl rule
- module
- partition holding
- rule
- acl
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
Images
Abstract
The present invention discloses a becoming effective method for the access control list (ACL) rule. A special storage partition for the corresponding access control list (ACL) rule is arranged in the down sending module and the objective storage module. The method comprises the following part: The additional ACL rule is store in the storage partition of the down sending module according to the corresponding ACL rule. When a sorting is needed the down sending module will sort the additional ACL rule in the storage partition and execute the down sent according to the corresponding storage partition in the objective storage module. Otherwise the down sending module executes the down sent according to the corresponding storage partition in the objective storage module. The present invention also discloses a becoming effective device of the ACL rule which comprises the down sending module and the objective storage module.The present invention can reduce the time of moving and deleting the ACL rule when the ACL rule is sent, which can realize the ACL rule becoming effective in a millisecond.
Description
Technical field
The present invention relates to the communications field, particularly the method for taking effect rules of access control list and device.
Background technology
In the communications field, (Access Control List, ACL) rule is a kind of technology that is applied on the switching equipment to Access Control List (ACL).Along with deepening continuously that network technology is used, further strengthen for the demand of security monitoring, because acl rule can effectively be realized the control of network traffics and network access authority, aspect security monitoring, obtain application more and more widely.
The principle of ACL mainly is that series of rules is set, comprise in these rules can matching message Rule content and the operation that will carry out message of matching message success back.Above-mentioned coupling is meant that the match is successful as long as a rule and message are arranged according to the priority of acl rule matching message successively, then according to this rule to the message executable operations, message no longer carries out the coupling of follow-up rule.The operation that message is carried out refers generally to be redirected with packet filtering or to message, wherein filters to be meant packet loss, and redirected being meant is forwarded to designated equipment with message redirecting.
Acl rule can be by pre-configured generation, be stored in earlier to carry out in the module that issues and acl rule is issued to the purpose memory module by this module, in the time of need mating message, from the purpose memory module, inquire about rule with the message coupling by the module of carrying out inquiry, after the match is successful to the operation in the message executing rule.The acl rule that adds successfully is issued in the purpose memory module, makes the rule of interpolation can be applied to process that message handles and be called acl rule and come into force.Because the acl rule at the Different Rule characteristic adopts the mode of mixing storage in the purpose memory module at present, when issuing acl rule, need accurately sort according to priority to acl rule, otherwise because message is carried out the mode of matched rule at first, may occur according to the operation that the acl rule that the match is successful is at first carried out message is not to be the problem of the operation of real needs execution, for example needs to carry out the message that is redirected originally and may carry out filter operation.Specifically, what relate generally to when issuing the acl rule of interpolation is operating as: in the module that execution issues, one by one the acl rule that adds is inserted in the acl rule of having stored in this module, and all acl rules behind the acl rule that inserts interpolation are accurately sorted according to priority; The module that issues is carried out in the ordering back, and execution issues at the purpose memory module, if comparing with the acl rule of having stored, the priority of the acl rule that adds not minimum, module that execution issues needs at first the acl rule deletion of the acl rule that is lower than interpolation that will store in the purpose memory module, the acl rule of the interpolation after the ordering and the acl rule of storage that is lower than its priority is issued in the purpose memory module again.Under the situation of the big capacity acl rule of needs support, the method that issues in the prior art often needs to expend the more time, can't accomplish coming into force fast of acl rule.
With the blocking equipment is the process that issues that example illustrates the acl rule that adds in the above-mentioned prior art.Fig. 1 shows the classical group web frame that blocking equipment is used substantially in the prior art, blocking equipment comprises master control borad and interface board, wherein interface board comprises module and the Ternary Content Addressable Memory (TCAM) that execution issues, and TCAM is the purpose memory module of rule downloading.The acl rule that master control borad receive to add also is issued to the module that executions issues in the interface board, is issued to TCAM by the module that execution issues again, and the ardware feature realization that utilizes TCAM when handling message is searched fast and mated acl rule.Issuing in the blocking equipment interface board is the regular list item at acl rule, and by the priority of rule list entry index sign acl rule, regular list item is obtained by the parsing to acl rule.Article one, rule generally includes a rule list entry index and a regular list item, but a rule also can be resolved and drawn a plurality of regular list items sometimes, and regular list item comprises Rule content table and action schedule.Suppose that blocking equipment requires to support 90,000 complete matched rules and 10,000 mask matches rules, the concrete executable operations of acl rule is for filtering and being redirected.Fig. 2 shows the priority structure of the acl rule of having stored in the blocking equipment, and the priority of the acl rule that need to add is 3, finishes the issuing of acl rule of interpolation according to following steps:
1) receive the acl rule that adds in master control borad, Rule content that this is regular and priority are issued to the module that execution issues in the interface board;
2) in interface board, carry out the acl rule of resolving interpolation in the module that issues, obtain the regular list item and the rule list entry index of this acl rule;
3) in interface board, carry out in the module that issues, regular list item to all acl rules accurately sorts according to priority, sortord is for arranging the rule list entry index of acl rule in order, and according to the rule list entry index of arranging, move corresponding regular list item, acl rule priority as interpolation is 3, it is 2 regular list item back that the regular list item of carrying out in the module issue the acl rule that will add in interface board inserts priority, and to form priority be the regular list item of 4-7 and the regular list item that original priority is 3-6 is moved successively backward;
4) in the TCAM of interface board, be the rule list entry deletion of the acl rule of 3-6 with the priority of having stored, be that the regular list item of the acl rule of 3-7 is issued to TCAM by carrying out priority after the module issue will rearrange in the interface board.
Through above-mentioned steps 1)-4), the acl rule of interpolation comes into force.
Because in the process that above-mentioned realization acl rule comes into force, need the priority of the acl rule of consideration interpolation again all acl rules accurately to be sorted, if the regular priority of being added when issuing is higher, the operation that need delete and issue again, chamber test by experiment, it is 10 hours that the acl rule that 100,000 priority are upset is issued to the time that needs in the purpose memory module, can't accomplish coming into force fast of acl rule.
Summary of the invention
The method that the embodiment of the invention provides a kind of acl rule to come into force, this method can improve the entry-into-force time of acl rule.
The device that the embodiment of the invention provides a kind of acl rule to come into force, this device can improve the entry-into-force time of acl rule.
The method that the acl rule that the embodiment of the invention provides comes into force comprises respectively that in issuing module and purpose memory module the partition holding of corresponding access control list ACL regular nature, described acl rule characteristic are that type of action filters and is redirected; This method also comprises:
This that stores the acl rule that adds into this acl rule characteristic correspondence issues in the partition holding of module;
When the type of action of the acl rule that adds is the destination device that is redirected and be redirected when not unique, issue module to the acl rule ordering in the partition holding at the acl rule place of adding after, carry out to issue at partition holding corresponding in the purpose memory module;
When the type of action of the acl rule that adds for filtering, or the type of action of the acl rule that adds is the destination device that is redirected and be redirected when unique, issues module and carries out at partition holding corresponding in the purpose memory module and issue.
A kind of method of taking effect rules of access control list, the partition holding that in issuing module and purpose memory module, comprises corresponding access control list ACL regular nature respectively, described acl rule characteristic is the element number of matching message in the acl rule, and described element number constitutes five-tuple, two tuples and a tuple respectively; This method also comprises:
This that stores the acl rule that adds into this acl rule characteristic correspondence issues in the partition holding of module;
When the element number of matching message in the acl rule that adds does not constitute five-tuple, issue module to the acl rule ordering in the partition holding at the acl rule place of adding after, carry out to issue at partition holding corresponding in the purpose memory module;
When the element number of matching message in the acl rule that adds constitutes five-tuple, issue module and issue at partition holding execution corresponding in the purpose memory module.
The device that the acl rule that the embodiment of the invention provides comes into force, this device comprises and issues module and purpose memory module, the described partition holding that comprises corresponding access control list ACL regular nature in module and the purpose memory module respectively that issues, described acl rule characteristic are that type of action filters and is redirected;
The described module that issues, the interpolation acl rule that is used for receiving stores the storage inside subregion of its regular nature correspondence into, when the type of action of the acl rule that adds is the destination device that is redirected and be redirected when not unique, acl rule in this partition holding ordering back is issued at partition holding execution corresponding in the purpose memory module, the type of action of the acl rule that adds is for filtering, or the type of action of the acl rule that adds is the destination device that is redirected and be redirected when unique, directly carries out issuing at partition holding corresponding in the purpose memory module;
Described purpose memory module is used for the partition holding in corresponding A CL regular nature, receives to issue the acl rule that module issues.
A kind of device of taking effect rules of access control list, this device comprises and issues module and purpose memory module, the described partition holding that comprises corresponding access control list ACL regular nature in module and the purpose memory module respectively that issues, described acl rule characteristic is the element number of matching message in the acl rule, and described element number constitutes five-tuple, two tuples and a tuple respectively;
The described module that issues, the interpolation acl rule that is used for receiving stores the storage inside subregion of its regular nature correspondence into, when the element number of matching message in the acl rule that adds does not constitute five-tuple, acl rule in this partition holding ordering back is issued at partition holding execution corresponding in the purpose memory module, when the element number of matching message in the acl rule that adds constitutes five-tuple, directly carry out issuing at partition holding corresponding in the purpose memory module;
Described purpose memory module is used for the partition holding in corresponding A CL regular nature, receives to issue the acl rule that module issues.
From technique scheme as can be seen, method that the acl rule that the embodiment of the invention provides comes into force and device, the partition holding that in issuing module and purpose memory module, comprises corresponding A CL regular nature, issue the acl rule that module issues for needs, only in issuing module to sorting in the partition holding of rule, perhaps issuing module when not needing to sort in the partition holding can not sort to the rule in this partition holding, and issuing the acl rule that module issues needs is issued in the partition holding corresponding in the purpose memory module, so just realized the fuzzy ordering of only carrying out in partition holding inside, reduced regular moving in the ordering, and deletion and the time that issues rule again when issuing, have been reduced, the Millisecond of realizing acl rule comes into force, and improves the entry-into-force time of acl rule.
Description of drawings
The classical group web frame schematic diagram that Fig. 1 uses substantially for blocking equipment in the prior art;
Fig. 2 is the priority schematic diagram of acl rule in the blocking equipment shown in Figure 1;
The method flow diagram that Fig. 3 comes into force for embodiment of the invention acl rule;
First preferred embodiment flow chart of method that Fig. 4 comes into force for embodiment of the invention acl rule;
Partition holding schematic diagram in first preferred embodiment of method that Fig. 5 comes into force for embodiment of the invention acl rule;
Second preferred embodiment flow chart of method that Fig. 6 comes into force for embodiment of the invention acl rule;
Partition holding schematic diagram in second preferred embodiment of method that Fig. 7 comes into force for embodiment of the invention acl rule;
The structural representation of the device preferred embodiment that Fig. 8 comes into force for embodiment of the invention acl rule.
Embodiment
For the purpose, technical scheme and the advantage that make the embodiment of the invention is clearer,, the embodiment of the invention is further described below in conjunction with accompanying drawing.
The basic thought of the embodiment of the invention is: in issuing module and purpose memory module, the partition holding that comprises corresponding A CL regular nature respectively, to the ordering of acl rule with issue all and carry out, need not to sort between each partition holding in the partition holding inside of regular nature correspondence.
At first, the method that comes into force of the acl rule of introducing the embodiment of the invention and providing.This method comprises the partition holding of corresponding A CL regular nature respectively in issuing module and purpose memory module, this method also comprises the following steps shown in Fig. 3:
Step 301: issue module and store the acl rule that adds into inner corresponding partition holding according to its regular nature.
In this step, the characteristic of described acl rule, the type of action that can be acl rule is as filtering and being redirected, at this moment issue and just comprise corresponding two partition holdings that filter and be redirected in the module, the acl rule characteristic also can be the element number of matching message in the acl rule, at this moment issue the acl rule that just comprises the element number of corresponding different matching messages in the module, a plurality of partition holdings of corresponding five-tuple, two tuples etc. are set as the element number according to matching message.Issue the regular nature of module according to the acl rule that adds, with this rale store in the partition holding of correspondence.The size of partition holding can be by being provided with realization.
Step 302: whether the partition holding at the acl rule place of judge adding needs ordering, if execution in step 303, if not execution in step 305 then.
In this step, according to described in the step 301 to the different set-up modes of partition holding, what different partition holdings had need sort to acl rule, then not needing of having sorts to acl rule.At divide corresponding two partition holdings that filter and be redirected according to action, in the partition holding inside that correspondence is filtered, because the processing of for the acl rule of all filtrations message being carried out all abandons, therefore message is all the same with which bar acl rule matching treatment result in this partition holding, so can not sort in this partition holding.And at the redirected partition holding of correspondence, when message all needs to be redirected to an equipment, also need not ordering in this partition holding, and the target device that need be redirected when message is not when unique, just need be behind the acl rule that storage is added to partition holding in acl rule according to prioritization.In the partition holding inside that the element number at matching message is provided with, when partition holding correspondence five-tuple, because a message can not mate two five-tuple rules, therefore do not need the acl rule in this partition holding according to prioritization, when the partition holding correspondence be not five-tuple the time, still need the acl rule in the partition holding according to prioritization.
Step 303: issue module and in partition holding, sort.
In this step, judge on the basis that needs ordering, issue module and in the partition holding at the acl rule place of adding, acl rule is sorted according to priority in step 302.
Step 304: execution issues at the corresponding stored subregion in the purpose memory module to issue module.
In this step, when needing to sort in the described partition holding of step 303, carry out at the corresponding stored subregion in the purpose memory module and issue by issuing module.Partition holding in the described purpose memory module also is that corresponding A CL regular nature is provided with, and with issue module in each partition holding of being provided with corresponding identical.Execution issues and is specially: minimum if the acl rule of having stored in the corresponding partition holding in the priority of the acl rule that adds and the purpose memory module is compared priority, directly the acl rule that adds is issued to the lowest priority memory location in the partition holding of correspondence in the purpose memory module; If it is not minimum that the acl rule of having stored in the corresponding partition holding in the priority of the acl rule that adds and the purpose memory module is compared priority, corresponding partition holding medium priority is lower than the acl rule of storage that adds acl rule in the deletion purpose memory module, to issue the acl rule of storage that module memory stores up the acl rule of the interpolation after the ordering in the subregion and is lower than its priority, be issued to the inner corresponding partition holding of purpose memory module.
Step 305: directly execution issues at the corresponding stored subregion in the purpose memory module to issue module.
In this step, in step 302, judge when partition holding does not need to sort, issue module and directly the acl rule that adds is issued to any vacant memory location in the corresponding partition holding that filters in the purpose memory module.
Through above-mentioned steps 301~step 305, the method flow that the acl rule that the embodiment of the invention provides comes into force finishes.Wherein, the acl rule of interpolation can be in batches, and can be simultaneously carries out operation described in the flow process at different separately partition holdings.
The method that the acl rule that the invention described above embodiment provides comes into force, the partition holding that in issuing module and purpose memory module, comprises corresponding A CL regular nature, issue the acl rule that module issues for needs, only in issuing module to sorting in the partition holding of rule, perhaps issuing module when not needing to sort in the partition holding can not sort to the rule in this partition holding, and issuing the acl rule that module issues needs is issued in the partition holding corresponding in the purpose memory module, so just realized the fuzzy ordering of only carrying out in partition holding inside, reduced regular moving in the ordering, and the time that when issuing, has reduced deletion and issued again, the Millisecond of realizing acl rule comes into force, and improves the entry-into-force time of acl rule.
Below at the take-effective method of the invention described above embodiment A CL rule, introduce the preferred embodiment of the method that two embodiment of the invention acl rules come into force in detail.In first method preferred embodiment, suppose in issuing module and purpose memory module respectively to comprise corresponding two partition holdings that filter and be redirected according to the type of action of acl rule, and the destination device that is redirected is not unique, issues module to issuing at regular list item that the purpose memory module is carried out.Suppose type of action that this flow process needs the acl rule that adds in describing for being redirected, priority is 3, and issuing the acl rule of having stored in module and the purpose memory module has 6, and priority structure is same as shown in Figure 2.The flow chart of first preferred embodiment of method that Fig. 4 comes into force for embodiment of the invention acl rule, this flow process comprises:
Step 401: issue the acl rule that module parses is added.
In this step, issue module to the rule downloading of purpose memory module at regular list item, issuing module needs resolve the acl rule that adds earlier, obtains regular list item.Next bar acl rule of normal conditions is resolved the corresponding regular list item in back, uses a rule list entry index to identify the priority of this acl rule.But an acl rule also can parse a plurality of regular list items sometimes, for example a redirected acl rule just can parse 10 regular list items at 1-10 port, the also corresponding rule list entry index of these 10 regular list items, promptly these 10 regular list items belong to a priority.
Step 402: the regular list item and the rule list entry index that add acl rule are stored in the partition holding that issues correspondence in the module.
In this step, because the hypothesis partition holding is divided into corresponding the filtration and the corresponding partition holding that is redirected according to the type of action of acl rule, the acl rule type of action that is added is for being redirected, and the regular list item of the acl rule that adds and rule list entry index stored into issue in the module in the corresponding partition holding that is redirected.
Step 403: the type of action of the acl rule that judge to add, when type of action execution in step 406 when filtering, when type of action execution in step 404 when being redirected.
In this step, the type of action of the acl rule that adds according to hypothesis is for being redirected, so execution in step 404.
Step 404: issue module and in the inner corresponding partition holding that is redirected, acl rule is sorted.
In this step, issue module regular list item to acl rule in the partition holding that correspondence is redirected and sort according to priority.The method of ordering is specially: with the priority index of having stored in this partition holding is that the regular list item of 3-6 is moved backward, after moving the rule list entry index is changed to 4-7 respectively, then the regular list item of the acl rule that adds is inserted change back rule list entry index and be before 4 the regular list item, the rule list entry index of the acl rule of interpolation is 3.
Step 405: the acl rule that will issue after module will sort is issued to the corresponding partition holding that is redirected in the purpose memory module.
In this step, the priority of the acl rule that adds is compared with the acl rule of having stored and is not minimum, therefore issuing module need be the redundant rule elimination of 3-6 with the rule list entry index of having stored in the purpose memory module earlier, the regular list item that with ordering back rule list entry index in the step 404 is 3-7 again is issued in the partition holding that correspondence is redirected in the purpose memory module, and flow process finishes.
Step 406: issue in the inner corresponding partition holding that filters of regular list item insertion of module with the acl rule of interpolation.
In this step, owing to need not to carry out ordering in the corresponding partition holding that filters according to priority, issue module and can be directly the regular list item of the acl rule that adds and rule list entry index be inserted any vacant memory location in the corresponding partition holding that filters, and need not the acl rule in the partition holding to be resequenced according to priority.
Step 407: issue module the regular list item of the acl rule that adds and rule list entry index are issued in the purpose memory module in the corresponding partition holding that filters.
In this step, issue module the regular list item of the acl rule that adds and rule list entry index directly are issued to any vacant memory location in the partition holding corresponding in the purpose memory module, flow process finishes.
Through above-mentioned steps 401~step 407, first preferred embodiment of the take-effective method of embodiment of the invention acl rule finishes entire flow, Fig. 5 shows in this preferred embodiment, issues the corresponding partition holding that filters and be redirected in module and the purpose memory module.
In second method preferred embodiment, the element number of matching message comprises three partition holdings of corresponding five-tuple, two tuples and a tuple in supposing in issuing module and purpose memory module respectively according to acl rule, issues module to issuing at regular list item that the purpose memory module is carried out.The element number of matching message constitutes two tuples in the acl rule of supposing to need to add in the description of this flow process, priority is 3, the acl rule of having stored in the partition holding of corresponding two tuples in issuing module and purpose memory module has 6, and priority structure is same as shown in Figure 2.The flow chart of second preferred embodiment of method that Fig. 6 comes into force for embodiment of the invention acl rule, this flow process comprises:
Step 601: issue the acl rule that module parses is added.
In this step, issue module to the rule downloading of purpose memory module at regular list item, issuing module needs resolve the acl rule that adds earlier, obtains regular list item.
Step 602: the regular list item of the acl rule that adds and rule list entry index stored into issue in the partition holding corresponding in the module.
In this step, according to hypothesis, the element number of the matching message in the acl rule of interpolation constitutes two tuples, and then regular list item and the rule list entry index with the acl rule that adds stores in the partition holding that issues corresponding two tuples in the module.
Step 603: whether the element of matching message constitutes five-tuple in the acl rule that judge to add, if execution in step 606 then, if not execution in step 604.
In this step, according to hypothesis, the element number of matching message constitutes two tuples in the acl rule that adds in this preferred embodiment, and then execution in step 604.
Step 604: issue module and in partition holding, acl rule is sorted.
In this step, issue module with the acl rule in the partition holding of corresponding two tuples in inside according to prioritization, the method of ordering is specially: with the rule list entry index of having stored in this partition holding is that the regular list item of 3-6 is moved backward, after moving the rule list entry index is changed to 4-7 respectively, then the regular list item of the acl rule that adds is inserted change back rule list entry index and be before 4 the regular list item, the rule list entry index of the acl rule of interpolation is 3.
Step 605: the acl rule that will issue after module will sort is issued to partition holding corresponding in the purpose memory module.
In this step, issue the partition holding that acl rule that the needs after module will sort issue is issued to corresponding two tuples of purpose memory module.Because the priority of the acl rule that adds is compared with the acl rule of having stored and is not minimum, therefore issuing the rule list entry index that module stored in earlier need the partition holding with corresponding two tuples in the purpose memory module is the redundant rule elimination of 3-6, again the interpolation acl rule after the ordering in the step 604 and priority are lower than the regular list item and the rule list entry index that add acl rule and are issued in the partition holding of corresponding two tuples in the purpose memory module, flow process finishes.
Step 606: issue module the regular list item of the acl rule that adds is stored in the partition holding of inner corresponding five-tuple.
In this step, the element of judging matching message in the acl rule that adds in step 603 is a five-tuple, then the acl rule that adds is stored in the partition holding that issues corresponding five-tuple in the module, issue module as long as the acl rule that will add stores any vacant memory location in the partition holding of inner corresponding five-tuple into, and need not acl rule according to prioritization.
Step 607: issue module the regular list item and the rule list entry index of the acl rule that adds is issued in the partition holding of corresponding five-tuple in the purpose memory module.
In this step, issue module with any vacant memory location in the regular list item of the acl rule that adds and the partition holding that the rule list entry index directly is issued to corresponding five-tuple in the purpose memory module, flow process finishes.
Through above-mentioned steps 601~step 607, second preferred embodiment entire flow of the method that embodiment of the invention acl rule comes into force finishes, and Fig. 7 shows in this method preferred embodiment the partition holding of the element number of matching message in the corresponding A CL rule.
In two preferred embodiments of the method for the invention described above embodiment A CL taking effect rules, two kinds of situations of dividing partition holding according to the acl rule characteristic have been enumerated, also can be according to demand, be different from the situation of these two kinds of partition holdings that exemplified according to other regular nature settings of acl rule, repeat no more here.
Two method preferred embodiments described above, the partition holding that in issuing module and purpose memory module, comprises corresponding A CL regular nature, issue the acl rule that module issues for needs, only in issuing module to sorting in the partition holding of rule, and issuing the acl rule that module issues needs is issued in the partition holding corresponding in the purpose memory module, so just realized the fuzzy ordering of only carrying out in partition holding inside, reduced regular moving in the ordering, and the time that when issuing, has reduced deletion and issued again, the Millisecond of realizing acl rule comes into force, and has improved the entry-into-force time of acl rule.
At last, the device preferred embodiment that comes into force of the acl rule of introducing the embodiment of the invention and providing.The preferred embodiment structural representation of the device that the acl rule that Fig. 8 provides for the embodiment of the invention comes into force, this device comprises: purpose memory module and issue module wherein issues module and comprises again: transceiver module and order module.
Described order module comprises the partition holding of corresponding A CL regular nature, receives the acl rule and the storage of the interpolation that transceiver module provides; When needing to sort in the partition holding of the acl rule correspondence of adding, to the acl rule in this partition holding according to prioritization after, the acl rule that needs are issued offers transceiver module; When not needing to sort in the partition holding of the acl rule correspondence of adding, directly the acl rule that needs are issued offers transceiver module.
Described transceiver module receives the acl rule that adds and offers order module; Receive the acl rule that will issue that order module provides, carry out issuing at the corresponding stored subregion in the purpose memory module.
Described purpose memory module is used for the partition holding in corresponding A CL regular nature, receives to issue the acl rule that the transceiver module in the module issues.
The device that the acl rule that the embodiment of the invention provides comes into force, the partition holding that in issuing module and purpose memory module, comprises corresponding A CL regular nature, issue the acl rule that module issues for needs, when needing ordering only in issuing module to sorting in the partition holding of rule, and the acl rule that needs issue is issued in the partition holding corresponding in the purpose memory module, issue the acl rule that module directly issues needs when perhaps not needing to sort and be issued to partition holding corresponding in the purpose memory module, so just realized the fuzzy ordering of only carrying out in partition holding inside, reduced regular moving in the ordering, and the time that when issuing, has reduced deletion and issued again, realize that the Millisecond of acl rule comes into force.
In the device that the acl rule that the invention described above provides comes into force, transceiver module may further include: issue Executive Module and parsing module, issue module to issuing at regular list item that the purpose memory module is carried out.
The configuration acl rule that described parsing module, reception will add parses the regular list item of acl rule, and next bar acl rule of normal conditions is resolved the corresponding regular list item in back, uses a rule list entry index to priority that should acl rule.But an acl rule also can parse a plurality of regular list items sometimes, for example a redirected acl rule just can parse 10 regular list items at 1-10 port, these 10 regular list items also corresponding a rule list entry index, the i.e. priority of this acl rule.Regular list item that parsing module obtains after parsing is finished and rule list entry index offer in the order module partition holding that should the acl rule characteristic.
The described Executive Module that issues, the regular list item and the rule list entry index of the acl rule that will issue that order module is provided are issued to corresponding stored subregion in the purpose memory module.
In the situation at regular list item of issuing that issues that module carries out the purpose memory module, the ordering in the order module is also at the regular list item and the rule list entry index of acl rule.
The device that the acl rule that the embodiment of the invention provides comes into force, can be applied in needs to use acl rule message to be carried out in the equipment of handling, and is the concrete application that example illustrates the device that embodiment of the invention acl rule comes into force with the blocking equipment.
The device that embodiment of the invention acl rule comes into force can be arranged in the interface board of blocking equipment, blocking equipment is based on issuing of regular list item to issuing of ACL, partition holding in the suppose device in order module and the purpose memory module is that the number of matching message element in the corresponding A CL rule is the partition holding of five-tuple, two tuples and a tuple, the element number of matching message constitutes two tuples in the acl rule that adds, priority is 3, and the acl rule of having stored is that priority is 6 rules of 1-6.The master control borad of blocking equipment offers this device with the acl rule that adds, and parses regular list item in the parsing module in the device and the rule list entry index offers order module.Order module stores the acl rule that adds in the partition holding of inner corresponding two tuples into, and to the acl rule in this partition holding according to prioritization, promptly move rule list entry index and regular list item.The order module back rule list entry index of will resequencing is that the acl rule of 3-7 offers and issues Executive Module.Issuing the rule list entry index of having stored in the partition holding of Executive Module with corresponding two tuples in the purpose memory module is the rule list entry deletion of 3-6, and the rule list entry index that order module is provided is the partition holding that the regular list item of 3-7 is issued to corresponding two tuples in the purpose memory module.
Through the above-described process that issues, the acl rule of interpolation comes into force in interface board, and when message flow passed through, the module that the responsible coupling in the interface board is carried out will be according to the acl rule that comes into force to the message executable operations.The ardware feature of the purpose memory module of acl rule influences the inquiry velocity of matching and executing module to rule because storage comes into force, and a kind of preferable selection is to use TCAM to store as the purpose memory module and issues the acl rule that comes into force.
The situation that the device of the invention described above embodiment A CL taking effect rules is applied in the blocking equipment interface board is a kind of better embodiment, can also be other devices that possess same structure feature and function.
Above-described specific embodiment; purpose of the present invention, technical scheme and beneficial effect are further described; institute is understood that; the above only is specific embodiments of the invention; and be not intended to limit the scope of the invention; within the spirit and principles in the present invention all, any modification of being made, be equal to replacement, improvement etc., all should be included within protection scope of the present invention.
Claims (10)
1, a kind of method of taking effect rules of access control list is characterized in that, comprises the partition holding of corresponding access control list ACL regular nature in issuing module and purpose memory module respectively, and described acl rule characteristic is that type of action filters and is redirected; This method also comprises:
This that stores the acl rule that adds into this acl rule characteristic correspondence issues in the partition holding of module;
When the type of action of the acl rule that adds is the destination device that is redirected and be redirected when not unique, issue module to the acl rule ordering in the partition holding at the acl rule place of adding after, carry out to issue at partition holding corresponding in the purpose memory module;
When the type of action of the acl rule that adds for filtering, or the type of action of the acl rule that adds is the destination device that is redirected and be redirected when unique, issues module and carries out at partition holding corresponding in the purpose memory module and issue.
2, the method for claim 1 is characterized in that, described ordering is to carry out according to the priority of acl rule;
Described execution issue for: minimum if the acl rule of having stored in the corresponding partition holding that is redirected in the priority of the acl rule that adds and the purpose memory module is compared priority, directly the acl rule that adds is issued to the lowest priority memory location in the corresponding redirected partition holding in the purpose memory module; If it is not minimum that the acl rule of having stored in the corresponding redirected partition holding in the priority of the acl rule that adds and the purpose memory module is compared priority, the corresponding partition holding medium priority that is redirected is lower than the acl rule of storage that adds acl rule in the deletion purpose memory module, to issue acl rule that adds in the corresponding partition holding that is redirected in the module and the acl rule of storage that is lower than its priority, be issued to the corresponding partition holding that is redirected in the purpose memory module according to the priority orders after the ordering.
3, a kind of method of taking effect rules of access control list, it is characterized in that, the partition holding that in issuing module and purpose memory module, comprises corresponding access control list ACL regular nature respectively, described acl rule characteristic is the element number of matching message in the acl rule, and described element number constitutes five-tuple, two tuples and a tuple respectively; This method also comprises:
This that stores the acl rule that adds into this acl rule characteristic correspondence issues in the partition holding of module;
When the element number of matching message in the acl rule that adds does not constitute five-tuple, issue module to the acl rule ordering in the partition holding at the acl rule place of adding after, carry out to issue at partition holding corresponding in the purpose memory module;
When the element number of matching message in the acl rule that adds constitutes five-tuple, issue module and issue at partition holding execution corresponding in the purpose memory module.
4, method as claimed in claim 3 is characterized in that, described ordering is carried out according to acl rule priority;
Described execution issue for: minimum if the acl rule of having stored in the corresponding partition holding in the priority of the acl rule that adds and the purpose memory module is compared priority, directly the acl rule that adds is issued to the lowest priority memory location in the partition holding of correspondence in the purpose memory module; If it is not minimum that the acl rule of having stored in the corresponding partition holding in the priority of the acl rule that adds and the purpose memory module is compared priority, corresponding partition holding medium priority is lower than the acl rule of storage that adds acl rule in the deletion purpose memory module, to issue the acl rule of storage that module memory stores up the acl rule of the interpolation after the ordering in the subregion and is lower than its priority, be issued to the inner corresponding partition holding of purpose memory module.
5, a kind of device of taking effect rules of access control list, it is characterized in that, this device comprises and issues module and purpose memory module, the described partition holding that comprises corresponding access control list ACL regular nature in module and the purpose memory module respectively that issues, described acl rule characteristic are that type of action filters and is redirected;
The described module that issues, the interpolation acl rule that is used for receiving stores the storage inside subregion of its regular nature correspondence into, when the type of action of the acl rule that adds is the destination device that is redirected and be redirected when not unique, acl rule in this partition holding ordering back is issued at partition holding execution corresponding in the purpose memory module, when the type of action of the acl rule that adds for filtering, or the type of action of the acl rule that adds is the destination device that is redirected and be redirected when unique, directly carries out issuing at partition holding corresponding in the purpose memory module;
Described purpose memory module is used for the partition holding in corresponding A CL regular nature, receives to issue the acl rule that module issues.
6, device as claimed in claim 5 is characterized in that, the described module that issues comprises transceiver module and order module;
Described transceiver module is used to receive the acl rule of interpolation and stores partition holding corresponding in the order module into, and the acl rule that will issue that receiving order module provides is issued to the purpose memory module;
Described order module, be used for storing the interpolation acl rule that transceiver module provides at partition holding, when the type of action of the acl rule that adds is the destination device that is redirected and be redirected when not unique, the acl rule that will issue after the acl rule ordering to this partition holding inside offers transceiver module, when the type of action of the acl rule that adds for filtering, or the type of action of the acl rule that adds is the destination device that is redirected and be redirected when unique, and the acl rule that will issue offers transceiver module.
7, device as claimed in claim 6 is characterized in that, described transceiver module comprises and issues Executive Module and parsing module;
The described Executive Module that issues is used for the acl rule that will issue that order module provides is issued to partition holding corresponding in the purpose memory module;
Described parsing module is used to receive the acl rule of interpolation, stores the acl rule after resolving into partition holding corresponding in the order module.
8, a kind of device of taking effect rules of access control list, it is characterized in that, this device comprises and issues module and purpose memory module, the described partition holding that comprises corresponding access control list ACL regular nature in module and the purpose memory module respectively that issues, described acl rule characteristic is the element number of matching message in the acl rule, and described element number constitutes five-tuple, two tuples and a tuple respectively;
The described module that issues, the interpolation acl rule that is used for receiving stores the storage inside subregion of its regular nature correspondence into, when the element number of matching message in the acl rule that adds does not constitute five-tuple, acl rule in this partition holding ordering back is issued at partition holding execution corresponding in the purpose memory module, when the element number of matching message in the acl rule that adds constitutes five-tuple, directly carry out issuing at partition holding corresponding in the purpose memory module;
Described purpose memory module is used for the partition holding in corresponding A CL regular nature, receives to issue the acl rule that module issues.
9, device as claimed in claim 8 is characterized in that, the described module that issues comprises transceiver module and order module;
Described transceiver module is used to receive the acl rule of interpolation and stores partition holding corresponding in the order module into, and the acl rule that will issue that receiving order module provides is issued to the purpose memory module;
Described order module, be used for storing the interpolation acl rule that transceiver module provides at partition holding, when the element number of matching message in the acl rule that adds does not constitute five-tuple, the acl rule that will issue after the acl rule ordering to this partition holding inside offers transceiver module, when the element number of matching message in the acl rule that adds constituted five-tuple, the acl rule that will issue offered transceiver module.
10, device as claimed in claim 9 is characterized in that, described transceiver module comprises and issues Executive Module and parsing module;
The described Executive Module that issues is used for the acl rule that will issue that order module provides is issued to partition holding corresponding in the purpose memory module;
Described parsing module is used to receive the acl rule of interpolation, stores the acl rule after resolving into partition holding corresponding in the order module.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN200710086909A CN100583829C (en) | 2007-03-20 | 2007-03-20 | Method and apparatus for taking effect of rules of access control list |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN200710086909A CN100583829C (en) | 2007-03-20 | 2007-03-20 | Method and apparatus for taking effect of rules of access control list |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101039271A CN101039271A (en) | 2007-09-19 |
| CN100583829C true CN100583829C (en) | 2010-01-20 |
Family
ID=38889915
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN200710086909A Expired - Fee Related CN100583829C (en) | 2007-03-20 | 2007-03-20 | Method and apparatus for taking effect of rules of access control list |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN100583829C (en) |
Families Citing this family (19)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101447940B (en) * | 2008-12-23 | 2011-03-30 | 杭州华三通信技术有限公司 | Method and device for updating access control list rules |
| CN101534301B (en) * | 2009-04-13 | 2012-09-05 | 北京星网锐捷网络技术有限公司 | List item installation method and device as well as network equipment |
| CN101662425B (en) * | 2009-09-17 | 2012-07-04 | 中兴通讯股份有限公司 | Method for detecting validity of access control list and device |
| CN103001793B (en) * | 2012-10-26 | 2015-06-10 | 杭州迪普科技有限公司 | Method and device for managing ACL (access control list) |
| CN103812774B (en) * | 2012-11-09 | 2017-12-15 | 华为技术有限公司 | Tactics configuring method, message processing method and related device based on TCAM |
| CN103312807B (en) * | 2013-06-20 | 2016-12-28 | 华为技术有限公司 | Data transmission method, apparatus and system |
| CN103384222B (en) * | 2013-06-26 | 2016-09-14 | 汉柏科技有限公司 | A kind of method of data stream matches ACL |
| CN105099918B (en) * | 2014-05-13 | 2019-01-29 | 华为技术有限公司 | A kind of matched method and apparatus of data search |
| CN104038423B (en) * | 2014-05-29 | 2017-11-14 | 新华三技术有限公司 | A kind of Open flow flow tables method for refreshing and routing device |
| CN105335307B (en) * | 2014-08-13 | 2018-10-02 | 华为技术有限公司 | A kind of loading method and device of acl rule |
| CN106789859B (en) * | 2016-01-29 | 2021-06-04 | 新华三技术有限公司 | Message matching method and device |
| CN106603302B (en) * | 2016-12-29 | 2019-11-12 | 杭州迪普科技股份有限公司 | A kind of method and apparatus of ACL table item management |
| CN108572921B (en) * | 2017-05-15 | 2021-03-12 | 北京金山云网络技术有限公司 | Rule set updating method and device, and rule matching method and device |
| CN108650181A (en) * | 2018-04-20 | 2018-10-12 | 济南浪潮高新科技投资发展有限公司 | A kind of IP packet strategy matching circuit and method |
| CN109688126B (en) * | 2018-12-19 | 2021-08-17 | 迈普通信技术股份有限公司 | Data processing method, network equipment and computer readable storage medium |
| CN113037681B (en) * | 2019-12-09 | 2023-09-05 | 中兴通讯股份有限公司 | ACL rule management method, ACL rule management device, computer equipment and computer readable medium |
| CN111935100B (en) * | 2020-07-16 | 2022-05-20 | 锐捷网络股份有限公司 | Flowspec rule issuing method, device, equipment and medium |
| CN113901274B (en) * | 2021-09-10 | 2023-03-21 | 锐捷网络股份有限公司 | Method, device, equipment and medium for moving TCAM (ternary content addressable memory) table item |
| CN114745177A (en) * | 2022-04-11 | 2022-07-12 | 浪潮思科网络科技有限公司 | ACL rule processing method, device, equipment and medium |
-
2007
- 2007-03-20 CN CN200710086909A patent/CN100583829C/en not_active Expired - Fee Related
Non-Patent Citations (2)
| Title |
|---|
| 一种基于策略的网络管理系统研究与实现. 曾旷怡,杨家海.小型微型计算机系统,第28卷第2期. 2007 |
| 一种基于策略的网络管理系统研究与实现. 曾旷怡,杨家海.小型微型计算机系统,第28卷第2期. 2007 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN101039271A (en) | 2007-09-19 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN100583829C (en) | Method and apparatus for taking effect of rules of access control list | |
| US20220124070A1 (en) | Methods, Systems, and Computer Readable Media for Adaptive Packet Filtering | |
| CN101965714B (en) | Method and filter arrangement for filtering messages that are received via a serial data bus by a user node of a communications network | |
| CN101345759B (en) | Internet protocol security matching values in an associative memory | |
| US7872993B2 (en) | Method and system for classifying data packets | |
| CN101753369B (en) | Method and device for detecting firewall rule conflict | |
| CN101414914B (en) | Method and apparatus for filtrating data content, finite state automata and conformation apparatus | |
| CN101753542A (en) | Method and device for speeding up matching of filter rules of firewalls | |
| Wu et al. | Dynamic allocation of reconfigurable resources ina two-stage tandem queueing system with reliability considerations | |
| CN101465807B (en) | Control method and device for data stream | |
| CN109067744B (en) | ACL rule processing method, device and communication equipment | |
| CN101751397A (en) | Method and device for importing files into database | |
| CN105812164A (en) | Rule index management implementation method and device based on TCAM multistage flow table | |
| CN101150431B (en) | A method for alarm processing streamline and alarm processing | |
| Tanaka et al. | Optimization of packet filter with maintenance of rule dependencies | |
| CN112199407A (en) | Data packet sequencing method, device, equipment and storage medium | |
| CN112598514A (en) | Block chain-based cross-chain transaction management method, cross-chain platform and medium | |
| CN105187490A (en) | Method for transferring data of IOT (Internet of Things) | |
| US6781961B1 (en) | Systems and methods for routing messages sent between computer systems | |
| CN112702311B (en) | Port-based message filtering method and device | |
| US20070043695A1 (en) | Action consolidation using hash table | |
| CN104639452B (en) | The processing method and processing device of data | |
| CN103414652B (en) | A kind of communication message processing method and system | |
| CN101827175A (en) | Method and system for storing sorted call bills by catalog | |
| US20020147562A1 (en) | Method and a generating module for determining filter masks for relevance testing of identifiers |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20100120 Termination date: 20170320 |