CN101447940B - Method and device for updating access control list rules - Google Patents
Method and device for updating access control list rules Download PDFInfo
- Publication number
- CN101447940B CN101447940B CN2008102407229A CN200810240722A CN101447940B CN 101447940 B CN101447940 B CN 101447940B CN 2008102407229 A CN2008102407229 A CN 2008102407229A CN 200810240722 A CN200810240722 A CN 200810240722A CN 101447940 B CN101447940 B CN 101447940B
- Authority
- CN
- China
- Prior art keywords
- acl
- block
- acl rule
- rule
- priority
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Abstract
The invention discloses a method and a device for updating access control list rules. The method of the invention comprises the following steps: storage space is divided into a plurality of blocks, each block is provided with a plurality of ACL hardware recourses used for recording ACL rules; the priority of the front blocks recording the ACL rules is more than or equal to that of the back blocks recording the ACL rules; when the ACL rules are inserted every time, ACL rules which has the same priority with the ACL rules to be inserted are sought in all blocks; if the ACL rules are sought, the ACL rules to be inserted are inserted in the sought blocks without triggering ordering process; if the ACL rules are not sought, all ACL rules with the priority are less than the ACL rules to be inserted are moved from the present block to an adjacent next block; and the ACL rules to be inserted are inserted in an empty block which turns empty due to movement. The invention can greatly reduce the times of re-ordering, thereby reducing resources cost of the system caused by the ordering.
Description
Technical field
The present invention relates to the Access Control List (ACL) technology in the communications field, be specifically related to the update method of access control list (ACL) regulations and the updating device of access control list (ACL) regulations.
Background technology
Along with the expansion of network size and the increase of flow, to the control of network security with the distribution of bandwidth is become the important content of network management.By message is filtered, can effectively prevent the visit of disabled user to network, also can control flow, conserve network resources simultaneously.
Adopting ACL (Access Control List, Access Control List (ACL)) rule-based filtering message is packet filtering means comparatively commonly used.After the port of the network equipment receives message, according to the acl rule of on front port, using the field of message is analyzed, after identifying specific message, message is carried out corresponding actions, thereby realize packet filtering according to predefined strategy.In concrete the application, according to the difference that realizes function, acl rule has different priorities.
The acl rule storage mode of main flow is at Ternary Content Addressable Memory (TCAM, Ternary Content-Addressable Memory) at present.Fig. 1 is a storage schematic diagram of storing acl rule in the prior art at TCAM.As shown in Figure 1, TCAM is divided into a plurality of clauses and subclauses, and each clauses and subclauses (entry) provide an ACL hardware resource, and each entry has a call number (Index).When TCAM storage acl rule, each ACL hardware resource can be stored an acl rule.In TCAM, come acl rule is sorted according to the height of acl rule priority.The call number of the numeral entry in entry left side among Fig. 1, the numeral acl rule priority of entry inside.The acl rule priority height of the entry storage that call number is little, the acl rule priority of the entry storage that call number is big is low.
When TCAM inserts new acl rule, according to the priority of existing acl rule among the TCAM, determine to be inserted into the insertion position of acl rule, the priority of each acl rule of assurance insertion back is sequence arrangement from high in the end.If the lowest priority of the existing acl rule of the acl rule priority ratio that inserts is also low or equal with it, so as shown in Figure 2, can directly be inserted into the acl rule that is inserted among first idle entry.If the priority that is inserted into acl rule is between the limit priority and lowest priority of existing acl rule, so as shown in Figure 3, just need be lower than all existing acl rules that are inserted into acl rule to priority and all distinguish mobile backward entry, and then in the idle entry that vacates, insert acl rule.If it is all high to be inserted into the priority of all existing acl rules of priority ratio of acl rule, so just need moves an entry to all existing acl rules respectively backward, and then be inserted among first entry being inserted into acl rule.
When from the existing acl rule of TCAM deletion, if the acl rule of deletion is not to be in last entry, then can trigger rearrangement, making does not all have idle entry between any two entry in ordering back.
As seen, adopt existing acl rule update mode, under most applicable cases, all can trigger rearrangement acl rule.If issue the acl rule of a large amount of different priorities in the same time, just need constantly resequence to these acl rules.From above description to sequencer procedure as can be seen, ordering is to realize by the position of mobile acl rule.Need operate hardware resource owing to move an acl rule, therefore a large amount of move operations is operational hardware continually, expends a large amount of system CPU resources, and increases time overhead, causes the reduction of equipment integral performance.For the situation that adopts the storage medium stores acl rule outside the TCAM, as long as, all can have above-mentioned defective according to the storage of acl rule priority.
Summary of the invention
In view of this, the invention provides a kind of update method of access control list (ACL) regulations, can reduce the number of times of rearrangement, thereby reduce the resource cost that ordering brings.
This method comprises:
Memory space is divided into a plurality of blocks, and each block has a plurality of ACL hardware resources that are used to write down acl rule; The position the preceding acl rule that block writes down priority more than or equal to the position after the priority of acl rule that block writes down;
When inserting acl rule, in each block, search and be inserted into the acl rule that acl rule has equal priority at every turn; If find, then will be inserted into acl rule and insert in the affiliated block of the acl rule that has equal priority with it; If do not find, then priority is lower than all acl rules that are inserted into acl rule and from the block of current place, moves on in the adjacent back block, insert because of moving in the dead zone piece that becomes empty being inserted into acl rule.
Preferably, the ACL hardware resource number that has of different blocks is identical.
Wherein, the described acl rule that will be inserted into inserts in the affiliated block of the acl rule that has equal priority with it, comprising:
Search and be inserted into last block that acl rule that acl rule has equal priority takies;
If the block that finds has idle ACL hardware resource, then will be inserted into acl rule and insert in this free time ACL hardware resource;
If the block that finds does not have idle ACL hardware resource, and a back block adjacent with this block that finds is occupied, then all block medium priorities are lower than the acl rule that is inserted into acl rule and move on to the adjacent back block, insert the dead zone piece that becomes empty because of moving being inserted into acl rule from current place block.
Wherein, determine not find described be inserted into after the acl rule that acl rule has equal priority, this method further comprises:
Judge in the acl rule in all blocks, whether exist priority to be lower than the acl rule that is inserted into acl rule;
If, then carry out and describedly priority is lower than all acl rules that are inserted into acl rule and moves on to the adjacent back block from current place block, will be inserted into acl rule and insert because of moving the operation in the dead zone piece that becomes sky;
If not, then will be inserted into acl rule and insert the dead zone piece adjacent with last occupied block.
Wherein, inserting acl rule to described dead zone piece is: will be inserted into first ACL hardware resource that acl rule inserts the dead zone piece.
Wherein, inserting acl rule to the block with idle ACL hardware resource is: will be inserted into acl rule and insert first idle ACL hardware resource in the block.
Preferably, this method further comprises: behind the deletion acl rule, if deleted acl rule place block becomes the dead zone piece, then be that unit carries out the acl rule ordering with the block from block, eliminate the dead zone piece between any two occupied blocks;
Or, behind block deletion acl rule, all acl rules in the block of deleted acl rule place are sorted, eliminate the idle ACL hardware resource between any two occupied ACL hardware resources in the block.
Preferably, this method further comprises: when described insertion acl rule, judge whether that all blocks are all occupied; If, then cancel the division of block, be that unit sorts with the acl rule, eliminate the idle ACL hardware resource between any two acl rules, insert acl rule then; Otherwise, keep block to divide, carry out the described operation that acl rule has the acl rule of equal priority of in each block, searching and be inserted into.
Preferably, before the described move operation, further comprise: judge whether that all blocks are all occupied; If, then cancel the division of block, be that unit sorts with the acl rule, eliminate the idle ACL hardware resource between any two acl rules, insert acl rule then; Otherwise, keep block to divide, carry out described move operation.
Described memory space is a three-state content addressable memory TCAM; Described each block has a plurality of ACL hardware resources: different blocks comprises the clauses and subclauses of similar number, the corresponding ACL hardware resource of clauses and subclauses.
The present invention also provides a kind of updating device of access control list (ACL) regulations, can reduce the number of times of rearrangement, thereby reduces the resource cost that ordering brings.
This device comprises memory cell, zoning unit and insertion processing unit;
Described memory cell is used to store acl rule;
Described zoning unit is used for the memory space of described memory cell is divided into a plurality of blocks, and each block has a plurality of ACL hardware resources that are used to write down acl rule; The position the preceding acl rule that block writes down priority more than or equal to the position after the priority of acl rule that block writes down;
Described insertion is handled unit pack and is drawn together judge module, equal priority processing module and different priorities processing module;
Described judge module when being used for inserting acl rule, searches and is inserted into the acl rule that acl rule has equal priority at every turn in each block; If find, then notify the equal priority processing module, otherwise notice different priorities processing module;
Described equal priority processing module after having notice, is inserted under the acl rule that has equal priority with it in block being inserted into acl rule;
Described different priorities processing module after having notice, is lower than all acl rules that are inserted into acl rule with priority and moves on to the adjacent back block from current place block, inserts because of moving in the dead zone piece that becomes empty being inserted into acl rule.
Wherein, described zoning unit is divided into a plurality of continuous blocks with the memory space of three-state content addressable memory TCAM, and different blocks has the clauses and subclauses of similar number, the corresponding ACL hardware resource of clauses and subclauses.
Wherein, described equal priority processing module comprises and searches submodule, first submodule and second submodule;
Last block that acl rule that acl rule has equal priority takies is searched and be inserted into to the described submodule of searching after having notice,, and the block information that finds is sent to first submodule and second submodule;
Described first submodule when the block that finds has idle ACL hardware resource, will be inserted into acl rule and insert in this free time ACL hardware resource;
Described second submodule, there is not idle ACL hardware resource at the block that finds, and when a back block adjacent with this block that finds is occupied, all block medium priorities are lower than the acl rule that is inserted into acl rule move on to the adjacent back block, insert the dead zone piece that becomes empty because of moving being inserted into acl rule from current place block.
Whether preferably, described different priorities processing module is further used for, and after having notice, judges in the acl rule in all blocks, exist priority to be lower than the acl rule that is inserted into acl rule; If, then carry out and describedly priority is lower than all acl rules that are inserted into acl rule and from the block of current place, moves on in the adjacent back block, will be inserted into acl rule and insert because of moving the operation in the dead zone piece that becomes sky; If not, then will be inserted into acl rule inserts in the dead zone piece adjacent with last occupied block.
Preferably, this device further comprises the deletion processing unit, be used for behind block deletion acl rule, all acl rules in the block of deleted acl rule place being sorted, eliminate the idle ACL hardware resource between any two occupied ACL hardware resources in the block; Or, behind block deletion acl rule,, then be that unit carries out the acl rule ordering with the block if deleted acl rule place block becomes the dead zone piece, eliminate the dead zone piece between any two occupied blocks.
According to above technical scheme as seen, the present invention is divided into a plurality of blocks with memory space, and the acl rule of equal priority inserts same block, and the acl rule of different priorities inserts different blocks.When inserting acl rule, if be inserted into the acl rule place block that acl rule has equal priority and also have living space, then need not to trigger sequencer procedure, only in all block all less than when being inserted into the identical acl rule of acl rule priority, just trigger sorting operation.Reduced the number of times of rearrangement greatly, expended thereby reduce the system resource of bringing that sorts.
Description of drawings
Fig. 1 is a storage schematic diagram of storing acl rule in the prior art at TCAM.
Fig. 2 is one of design sketch behind the insertion acl rule in the prior art.
Fig. 3 inserts two of design sketch behind the acl rule in the prior art.
Fig. 4 divides schematic diagram for block among the present invention.
Fig. 5 a inserts acl rule storage schematic diagram before for adopting the present invention program.
Fig. 5 b inserts acl rule storage schematic diagram before for adopting prior art.
Fig. 6 a is a design sketch behind 9 the acl rule for adopting the present invention program to insert priority.
Fig. 6 b is a design sketch behind 9 the acl rule for adopting prior art to insert priority.
Fig. 7 a is a design sketch behind 8 the acl rule for adopting the present invention program to insert priority.
Fig. 7 b is a design sketch behind 8 the acl rule for adopting prior art to insert priority.
Fig. 8 a is a design sketch behind 3 the acl rule for adopting the present invention program to insert priority.
Fig. 8 b is a design sketch behind 3 the acl rule for adopting prior art to insert priority.
Fig. 9 a is a design sketch behind 4 the acl rule for adopting the present invention program to insert priority.
Fig. 9 b is a design sketch behind 4 the acl rule for adopting prior art to insert priority.
Figure 10 a is the design sketch behind 4 acl rules of employing twice insertion of the present invention program.
Figure 10 b is the design sketch behind 4 acl rules of employing twice insertion of prior art.
Figure 11 a is for adopting the design sketch after the present invention program inserts 4 acl rules for three times.
Figure 11 b is for adopting the design sketch after prior art is inserted 4 acl rules for three times.
Figure 12 is for adopting the present invention program at the design sketch that inserts again on the basis of Figure 11 after priority is 8 acl rule.
Figure 13 is the structural representation of the updating device of acl rule in the embodiment of the invention.
Embodiment
Below in conjunction with the accompanying drawing embodiment that develops simultaneously, describe the present invention.
The present invention is a kind of update scheme of acl rule, and its basic thought is: memory space is divided into a plurality of blocks, is called block, each block comprises several ACL hardware resources.The position the preceding acl rule that block writes down priority more than or equal to the position after the priority of acl rule that block writes down.
The principle that the present invention inserts acl rule is: the acl rule of equal priority is put into identical block, and the acl rule of different priorities is put into different block.
When inserting acl rule at every turn, in each block, search the acl rule identical with being inserted into acl rule priority, if find, then directly will be inserted into acl rule and insert under the acl rule that has equal priority with it among block, need not to resequence and acl rule mobile.If do not find, then priority is lower than all acl rules that are inserted into acl rule and from current place block, moves on among the adjacent back block, insert because of moving among the empty block that becomes empty being inserted into acl rule.
As seen, adopt update scheme of the present invention, when inserting acl rule, if corresponding block also has living space, then need not to trigger sequencer procedure, only in all block all less than when being inserted into the identical acl rule of acl rule priority, just trigger sorting operation, greatly reduced the number of times of rearrangement, expended thereby reduce the system resource of bringing that sorts.
In practice, extensively adopt the storage medium of TCAM as acl rule.Below be example with TCAM as storage medium, the solution of the present invention is described in detail.
At first, according to the dividing mode of above-mentioned block the memory space of TCAM is divided, the memory space of TCAM is divided into a plurality of block, each block comprises several entry, the corresponding ACL hardware resource of each entry.The entry quantity of concrete each block can be set according to actual needs by the user, takes all factors into consideration equipment performance and resource cost during setting.Here suppose that TCAM comprises 400 ACL hardware resources, each block comprises 4 entry, can mark off 100 block so.Concrete dividing condition as shown in Figure 4.The priority of entry0 is the highest, and the priority of entry399 is minimum.
When inserting acl rule, at first determine to be inserted into the priority of acl rule;
When the priority that is inserted into acl rule overlaps with the priority of existing acl rule, then carry out following operation: search and be inserted into last block that acl rule that acl rule has equal priority takies; If the block that finds has idle entry, then directly will be inserted among the idle entry that acl rule is inserted into this block; If the block that finds is full and a back block adjacent with this block taken by the acl rule of other priority, then all block medium priorities are lower than the acl rule that is inserted into acl rule, move on to the adjacent back block from current place block, will be inserted into acl rule then and insert because of moving among the block that vacates.When empty block inserts acl rule, be inserted among the first entry in the sky block.
When the priority that is inserted into acl rule does not overlap with the priority of existing acl rule, comprise two kinds of situations:
In order to distinguish both of these case, in the priority of determining to be inserted into acl rule with after the priority of existing acl rule does not overlap, further judge in the acl rule in all block, whether exist priority to be lower than the acl rule that is inserted into acl rule, if, then be considered as situation 1, if not, then be considered as situation 2.
At situation 1, priority is lower than all acl rules that are inserted into acl rule moves on to the adjacent back block from current place block, insert the block that becomes empty because of moving with being inserted into acl rule.
More specifically carry out following operation: occupied if first block does not have when the priority that is inserted into acl rule is higher than acl rule among all block, then will be inserted into ACL and directly be inserted among first block; If first block is occupied, then all acl rules are moved on to the adjacent back block from current place block, the relative position of the acl rule that is moved in block is constant, will be inserted into acl rule then and insert among first block.When inserting, be inserted among the idle entry of first block, preferably, insert among the first entry of first block.
When between the limit priority of the priority that is inserted into acl rule each acl rule in all block and the lowest priority, priority is lower than all acl rules that are inserted into acl rule to move on to the adjacent back block from current place block, the relative position of the acl rule that is moved in block is constant, then the acl rule that is inserted into is inserted among the empty block that vacates after moving.Equally, when inserting, be inserted among the first entry of the block that vacates.
At situation 2, insert in the dead zone piece adjacent with last occupied block with being inserted into acl rule.
More specifically carry out following operation: begin to search from first block, find the block of a free time, insert among the idle block that finds with being inserted into acl rule.Equally, when inserting, be inserted among the first entry in first idle block.
It more than is the processing method of inserting acl rule.In practice, the existing acl rule of deletion also is a kind of form of upgrading operation.If the acl rule in the block is deleted, two kinds of situations then may appear,
One: after from block, deleting acl rule, this deletion does not cause deleted acl rule place block for empty, then all acl rules in the block of deleted acl rule place are sorted, eliminate the idle entry between any two occupied entry in the block, this free time entry produces because of the deletion acl rule.Sorting operation is: will be in same block with deleted acl rule and each acl rule of being positioned at after the deleted acl rule moves forward several entry, the idle entry between any two occupied entry is filled.
Its two: from block the deletion acl rule after, cause deleted acl rule place block for empty, and should also have occupied block in sky block back, be that unit carries out the acl rule ordering with block, eliminates the empty block between any two occupied block.This sorting operation is: all the block contents after each empty block are moved forward several block, and the idle block between any two occupied block is received in rule.
Sorting operation after the above-mentioned deletion can be after occurring being inserted into acl rule next time, and carried out before inserting.
After all block are all occupied, move operation after if desired block being carried out, to cause the acl rule among last block to be lost, in order to hold acl rule to greatest extent, as all block all occupied and need carry out any one block after move when operation, the embodiment of the invention judges whether that all block are all occupied, if, then cancel the division of block, with the acl rule is that unit sorts, eliminate the idle entry between any two acl rules, adopt existing inserted mode to insert acl rule then; If free block is also arranged, move operation after then allowing to carry out.
In practice, can also issue when being inserted into acl rule, judge whether that all block are all occupied, if, then cancel the division of block, with the acl rule is that unit sorts, and eliminates the idle entry between any two acl rules, adopts existing inserted mode to insert acl rule then; If free block is also arranged, then carry out operation and the follow-up flow process thereof that judges whether the ACL of equal priority according to the priority that is inserted into acl rule.
Enumerate instantiation below,, technique effect of the present invention is described by contrast embodiment of the invention mode and existing execution mode.
Suppose, existed priority to be respectively 4 acl rules of 10,8,7,4 in the ACL hardware resource.The current storage effect that employing embodiment of the invention block shown in Fig. 5 a is divided.Fig. 5 b shows the current storage effect that adopts prior art.
1. situation inserts priority is 9 acl rule:
Adopt the inserted mode of the embodiment of the invention: priority is respectively these 3 block contents of 8,7 and 4 and moves a block respectively backward, and then be that 9 acl rule is inserted among first entry of the block2 that vacates to priority.Insert effect referring to Fig. 6 a.
Adopt existing inserted mode: with priority is that these 3 entry of 8,7 and 4 move an entry respectively backward, and then is priority that 9 acl rule is inserted among the entry that vacates.Insert effect referring to Fig. 6 b.
2. situation is followed, and insertion priority is 8 acl rule:
Adopt the inserted mode of the embodiment of the invention: because the priority of first entry of block3 is 8, and block3 has idle entry, so can be 8 be inserted among second entry that acl rule directly is inserted into block3 with priority.Insert effect referring to Fig. 7 a.
Adopt existing inserted mode: need be that these two entry of 7 and 4 move an entry respectively backward, and then be that 8 the acl rule that is inserted into inserts among the entry that vacates to priority with priority.Insert effect referring to Fig. 7 b.
3. situation is followed, and insertion priority is 3 acl rule:
Adopt the inserted mode of the embodiment of the invention: because priority is 3 to be lower than existing any one acl rule, therefore, can be directly to be inserted into priority be among the idle block behind 4 the block5, promptly among first entry of block6 with being inserted into acl rule.Insert effect referring to Fig. 8 a.
Adopt existing inserted mode: will being inserted into acl rule, directly to be inserted into priority be among the idle entry behind 4 the entry.Insert effect referring to Fig. 8 b.
4. situation is followed, and insertion priority is 4 acl rule:
Adopt the inserted mode of the embodiment of the invention: because the priority of first entry is 4 among the block5, and block5 has idle entry, so can will be inserted among second entry that acl rule directly is inserted into block5.Insert effect referring to Fig. 9 a.
Adopt existing inserted mode: need be that 3 entry moves an entry backward with priority, and then be inserted among the entry that vacates being inserted into acl rule.Insert effect referring to Fig. 9 b.
Suppose repeatedly to issue a plurality of acl rules, and the acl rule that at every turn issues comprises that priority is 9,8,3 and 4 acl rule.If before insertion shown in Figure 5, on the basis of initial condition, issue such rule group 3 times, so, by above-named example as can be seen:
Issue for the first time priority when being respectively 9,8,3 and 4 acl rule, the inserted mode that adopts the embodiment of the invention only just need be resequenced when priority is 9 acl rule inserting; And existing inserted mode is except need not rearrangement when priority is 3 acl rule inserting, and inserting priority and be 9,8 and 4 acl rule all needs to resequence.
Issue for the second time priority when being respectively 9,8,3 and 4 acl rule, adopt the inserted mode of the embodiment of the invention not need to resequence, insert effect referring to Figure 10 a; And existing inserted mode still needs to resequence when insertion priority is 9,8 and 4 acl rule, inserts effect referring to Figure 10 b.
Issue priority for the third time when being respectively 9,8,3 and 4 acl rule, adopt the inserted mode of the embodiment of the invention still not need to resequence, insert effect referring to Figure 11 a; And existing inserted mode still needs to resequence when insertion priority is 9,8 and 4 acl rule, inserts effect referring to Figure 11 b.
To sum up can obtain:
The number of times that adopts the inserted mode of the embodiment of the invention need resequence altogether is: 1 (for the first time)+0 (for the second time)+0 (for the third time)=1 time.
The number of times that adopts existing inserted mode need resequence altogether is: 3 (for the first time)+3 (for the second time)+3 (for the third time)=9 time.
In practice, acl rule of every insertion need carry out a hardware resource operation, and whenever moving an acl rule simultaneously also needs to carry out a hardware resource operation, can also obtain thus:
The number of times that adopts the inserted mode of the embodiment of the invention need carry out hardware operation altogether is: 7 (for the first time)+4 (for the second time)+4 (for the third time)=15 time.
The number of times that adopts existing inserted mode need carry out hardware operation altogether is: 10 (for the first time)+16 (for the second time)+22 (for the third time)=48 time.
Can clearly be seen that from above example the inserted mode that adopts the embodiment of the invention has greatly reduced rearrangement number of times and hardware operation number of times than prior art, obviously increase system efficiency.
If on the basis of Figure 11 a, insert priority again and be 8 acl rule, because block3 is full, therefore the acl rule among the block4 to block6 need be moved a block respectively backward, be that 8 acl rule inserts among first entry of the block4 that vacates then with the priority that is inserted into, insert effect referring to Figure 12.
When programming realization according to embodiment of the invention scheme, can adopt following operating sequence to realize: to begin search from first block, ferret out is and is inserted into the acl rule place block that acl rule has equal priority, if search, then judge existence and be inserted into the rule that acl rule has equal priority, carry out corresponding operating.
In search procedure, when also not searching the acl rule of equal priority, just had been found that priority is lower than the acl rule that band inserts acl rule, at this moment, judge among each block not and be inserted into the acl rule that acl rule has equal priority, and can judge simultaneously the acl rule that has priority to be lower than to be inserted into acl rule, carry out corresponding operating.
In search procedure, when also not searching the acl rule of equal priority, just had been found that empty block, at this moment, judge among each block not and be inserted into the acl rule that acl rule has equal priority, and can judge that the priority that is inserted into acl rule is minimum simultaneously, carry out corresponding operating.
Adopt above-mentioned way of search to need not repeatedly to search for, only need once search can determine to be inserted into the position of priority in all acl rule priority of acl rule, and carry out corresponding operating.
In order to realize said method, the present invention also provides a kind of updating device of acl rule.Figure 13 shows the structural representation of the updating device of acl rule in the embodiment of the invention.As shown in figure 13, this device comprises: memory cell 10, zoning unit 20 and insertion processing unit 30.
Wherein, memory cell 10 provides memory space, the storage acl rule;
Equal priority processing module 32 after having notice, is inserted under the acl rule that has equal priority with it among block being inserted into acl rule.
Specifically, equal priority processing module 32 comprises and searches submodule, first submodule and second submodule.The concrete structure of not shown equal priority processing module 32 among Figure 13.
Wherein, search submodule, after having notice, search and be inserted into last block that acl rule that acl rule has equal priority takies, the block information that finds is sent to first submodule and second submodule.
First submodule when the block that finds has idle ACL hardware resource, will be inserted into acl rule and insert in this free time ACL hardware resource.
Second submodule, there is not idle ACL hardware resource at the block that finds, and when a back block adjacent with this block is occupied, all block medium priorities are lower than the acl rule that is inserted into acl rule move on to the adjacent back block, insert the empty block that becomes empty because of moving being inserted into acl rule from current place block.
Different priorities processing module 33 after having notice, is lower than all acl rules that are inserted into acl rule with priority and moves on to the adjacent back block from current place block, inserts because of moving among the empty block that becomes empty being inserted into acl rule.
Specifically, whether this different priorities processing module 33 is judged in the acl rule in all block after having notice, is existed priority to be lower than the acl rule that is inserted into acl rule; If, then priority is lower than all acl rules that are inserted into acl rule and moves on to the adjacent back block from current place block, insert because of moving among the empty block that becomes empty being inserted into acl rule; If not, then will be inserted into acl rule inserts among the empty block adjacent with last occupied block.
Preferably, this device further comprises deletion processing unit 40, be used for behind block deletion acl rule, all acl rules in the deleted acl rule place block being sorted, eliminate the idle entry between any two occupied ACL hardware resources in the block; Or, empty if deleted acl rule place block becomes behind block deletion acl rule, then be that unit carries out the acl rule ordering with block, eliminate the empty block between any two occupied block.
Preferably, each module in the insertion processing unit 30 judged whether further that all block were all occupied before the move operation of carrying out acl rule; If, then cancel the division of block, be that unit sorts with the acl rule, eliminate the idle entry between any two acl rules, adopt existing inserted mode to insert new acl rule then; Otherwise, keep block to divide, carry out described move operation.
This judges whether that all occupied operation of all block also can be carried out by the judge module 31 that inserts in the processing unit 30 before inserting acl rule, if all block are all occupied, then cancel the division of block, eliminate the idle entry between any two acl rules; If free block is also arranged, then keep block to divide, carry out subsequent operation.
In sum, more than be preferred embodiment of the present invention only, be not to be used to limit protection scope of the present invention.Within the spirit and principles in the present invention all, any modification of being done, be equal to replacement, improvement etc., all should be included within protection scope of the present invention.
Claims (15)
1. the update method of an access control list (ACL) regulations is characterized in that, this method comprises:
Memory space is divided into a plurality of blocks, and each block has a plurality of ACL hardware resources that are used to write down acl rule; The position the preceding acl rule that block writes down priority more than or equal to the position after the priority of acl rule that block writes down;
When inserting acl rule, in each block, search and be inserted into the acl rule that acl rule has equal priority at every turn; If find, then will be inserted into acl rule and insert in the affiliated block of the acl rule that has equal priority with it; If do not find, then priority is lower than all acl rules that are inserted into acl rule and from the block of current place, moves on in the adjacent back block, insert because of moving in the dead zone piece that becomes empty being inserted into acl rule.
2. the method for claim 1 is characterized in that, the ACL hardware resource number that different blocks has is identical.
3. the method for claim 1 is characterized in that, the described acl rule that will be inserted into inserts in the affiliated block of the acl rule that has equal priority with it, comprising:
Search and be inserted into last block that acl rule that acl rule has equal priority takies;
If the block that finds has idle ACL hardware resource, then will be inserted into acl rule and insert in this free time ACL hardware resource;
If the block that finds does not have idle ACL hardware resource, and a back block adjacent with this block that finds is occupied, then all block medium priorities are lower than the acl rule that is inserted into acl rule and move on to the adjacent back block, insert the dead zone piece that becomes empty because of moving being inserted into acl rule from current place block.
4. the method for claim 1 is characterized in that, determine not find described be inserted into after the acl rule that acl rule has equal priority, this method further comprises:
Judge in the acl rule in all blocks, whether exist priority to be lower than the acl rule that is inserted into acl rule;
If, then carry out and describedly priority is lower than all acl rules that are inserted into acl rule and moves on to the adjacent back block from current place block, will be inserted into acl rule and insert because of moving the operation in the dead zone piece that becomes sky;
If not, then will be inserted into acl rule and insert the dead zone piece adjacent with last occupied block.
5. as claim 3 or 4 described methods, it is characterized in that, to described dead zone piece insertion acl rule be: will be inserted into first ACL hardware resource that acl rule inserts the dead zone piece.
6. method as claimed in claim 3 is characterized in that, inserts acl rule to the block with idle ACL hardware resource to be: will be inserted into acl rule and insert first idle ACL hardware resource in the block.
7. the method for claim 1, it is characterized in that this method further comprises: after from block, deleting acl rule, if deleted acl rule place block becomes the dead zone piece, then be that unit carries out the acl rule ordering, eliminate the dead zone piece between any two occupied blocks with the block;
Or, behind block deletion acl rule, all acl rules in the block of deleted acl rule place are sorted, eliminate the idle ACL hardware resource between any two occupied ACL hardware resources in the block.
8. the method for claim 1 is characterized in that, this method further comprises: when described insertion acl rule, judge whether that all blocks are all occupied; If, then cancel the division of block, be that unit sorts with the acl rule, eliminate the idle ACL hardware resource between any two acl rules, insert acl rule then; Otherwise, keep block to divide, carry out the described operation that acl rule has the acl rule of equal priority of in each block, searching and be inserted into.
9. as claim 1,3 or 4 described methods, it is characterized in that, before the described move operation, further comprise: judge whether that all blocks are all occupied; If, then cancel the division of block, be that unit sorts with the acl rule, eliminate the idle ACL hardware resource between any two acl rules, insert acl rule then; Otherwise, keep block to divide, carry out described move operation.
10. the method for claim 1 is characterized in that, described memory space is a three-state content addressable memory TCAM; Described each block has a plurality of ACL hardware resources: different blocks comprises the clauses and subclauses of similar number, the corresponding ACL hardware resource of clauses and subclauses.
11. the updating device of an access control list (ACL) regulations is characterized in that, this device comprises memory cell, zoning unit and insertion processing unit;
Described memory cell is used to store acl rule;
Described zoning unit is used for the memory space of described memory cell is divided into a plurality of blocks, and each block has a plurality of ACL hardware resources that are used to write down acl rule; The position the preceding acl rule that block writes down priority more than or equal to the position after the priority of acl rule that block writes down;
Described insertion is handled unit pack and is drawn together judge module, equal priority processing module and different priorities processing module;
Described judge module when being used for inserting acl rule, searches and is inserted into the acl rule that acl rule has equal priority at every turn in each block; If find, then notify the equal priority processing module, otherwise notice different priorities processing module;
Described equal priority processing module after having notice, is inserted under the acl rule that has equal priority with it in block being inserted into acl rule;
Described different priorities processing module after having notice, is lower than all acl rules that are inserted into acl rule with priority and moves on to the adjacent back block from current place block, inserts because of moving in the dead zone piece that becomes empty being inserted into acl rule.
12. device as claimed in claim 11, it is characterized in that, described zoning unit is divided into a plurality of continuous blocks with the memory space of three-state content addressable memory TCAM, and different blocks has the clauses and subclauses of similar number, the corresponding ACL hardware resource of clauses and subclauses.
13. device as claimed in claim 11 is characterized in that, described equal priority processing module comprises searches submodule, first submodule and second submodule;
Last block that acl rule that acl rule has equal priority takies is searched and be inserted into to the described submodule of searching after having notice,, and the block information that finds is sent to first submodule and second submodule;
Described first submodule when the block that finds has idle ACL hardware resource, will be inserted into acl rule and insert in this free time ACL hardware resource;
Described second submodule, there is not idle ACL hardware resource at the block that finds, and when a back block adjacent with this block that finds is occupied, all block medium priorities are lower than the acl rule that is inserted into acl rule move on to the adjacent back block, insert the dead zone piece that becomes empty because of moving being inserted into acl rule from current place block.
Whether 14. device as claimed in claim 11 is characterized in that, described different priorities processing module is further used for, and after having notice, judges in the acl rule in all blocks, exist priority to be lower than the acl rule that is inserted into acl rule; If, then carry out and describedly priority is lower than all acl rules that are inserted into acl rule and from the block of current place, moves on in the adjacent back block, will be inserted into acl rule and insert because of moving the operation in the dead zone piece that becomes sky; If not, then will be inserted into acl rule inserts in the dead zone piece adjacent with last occupied block.
15. device as claimed in claim 11, it is characterized in that, this device further comprises the deletion processing unit, be used for behind block deletion acl rule, all acl rules in the block of deleted acl rule place are sorted, eliminate the idle ACL hardware resource between any two occupied ACL hardware resources in the block; Or, behind block deletion acl rule,, then be that unit carries out the acl rule ordering with the block if deleted acl rule place block becomes the dead zone piece, eliminate the dead zone piece between any two occupied blocks.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2008102407229A CN101447940B (en) | 2008-12-23 | 2008-12-23 | Method and device for updating access control list rules |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2008102407229A CN101447940B (en) | 2008-12-23 | 2008-12-23 | Method and device for updating access control list rules |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101447940A CN101447940A (en) | 2009-06-03 |
| CN101447940B true CN101447940B (en) | 2011-03-30 |
Family
ID=40743352
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2008102407229A Active CN101447940B (en) | 2008-12-23 | 2008-12-23 | Method and device for updating access control list rules |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101447940B (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103001793A (en) * | 2012-10-26 | 2013-03-27 | 杭州迪普科技有限公司 | Method and device for managing ACL (access control list) |
Families Citing this family (23)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103377261A (en) * | 2012-04-28 | 2013-10-30 | 瑞昱半导体股份有限公司 | Access control list management device, executive device and method |
| CN102857510B (en) * | 2012-09-18 | 2015-04-22 | 杭州华三通信技术有限公司 | Method and device for issuing ACL (access control list) items |
| CN102857513B (en) * | 2012-09-19 | 2015-03-11 | 北京星网锐捷网络技术有限公司 | Method, device and network equipment for installing filtration list item |
| CN103248575B (en) * | 2013-05-14 | 2016-09-14 | 盛科网络(苏州)有限公司 | A kind of distribution method of TCAM list item priority |
| CN103384222B (en) * | 2013-06-26 | 2016-09-14 | 汉柏科技有限公司 | A kind of method of data stream matches ACL |
| CN103701704B (en) * | 2013-12-18 | 2016-09-28 | 武汉烽火网络有限责任公司 | Based on priority insertion deletes the method accessing control list |
| CN103744722A (en) * | 2014-01-10 | 2014-04-23 | 上海斐讯数据通信技术有限公司 | Method for determining priority of rule |
| CN104038423B (en) * | 2014-05-29 | 2017-11-14 | 新华三技术有限公司 | A kind of Open flow flow tables method for refreshing and routing device |
| CN104156245B (en) | 2014-08-06 | 2018-04-10 | 小米科技有限责任公司 | list updating method and device |
| CN106603302B (en) * | 2016-12-29 | 2019-11-12 | 杭州迪普科技股份有限公司 | A kind of method and apparatus of ACL table item management |
| CN106878270A (en) * | 2016-12-30 | 2017-06-20 | 深圳市风云实业有限公司 | Enhanced access control equipment based on portal agreements |
| CN107391527B (en) * | 2017-03-28 | 2020-03-27 | 创新先进技术有限公司 | Data processing method and device based on block chain |
| CN107896169B (en) * | 2017-12-28 | 2021-12-24 | 杭州迪普科技股份有限公司 | ACL management method and device |
| CN110837647B (en) * | 2018-08-16 | 2022-11-08 | 迈普通信技术股份有限公司 | Method and device for managing access control list |
| CN109688126B (en) * | 2018-12-19 | 2021-08-17 | 迈普通信技术股份有限公司 | Data processing method, network equipment and computer readable storage medium |
| CN109981464B (en) * | 2019-02-28 | 2021-03-26 | 中国人民解放军陆军工程大学 | TCAM circuit structure realized in FPGA and matching method thereof |
| CN110191135B (en) * | 2019-06-11 | 2021-09-21 | 杭州迪普信息技术有限公司 | ACL configuration method, device and electronic equipment |
| CN111353018B (en) * | 2020-02-24 | 2023-11-10 | 杭州迪普信息技术有限公司 | Data processing method and device based on deep packet inspection and network equipment |
| CN111431875B (en) * | 2020-03-12 | 2022-07-01 | 杭州迪普科技股份有限公司 | Method and device for issuing insertion rule |
| CN111935100B (en) * | 2020-07-16 | 2022-05-20 | 锐捷网络股份有限公司 | Flowspec rule issuing method, device, equipment and medium |
| CN113656329B (en) * | 2021-08-09 | 2024-02-02 | 国家计算机网络与信息安全管理中心 | Mask rule insertion method based on TCAM, electronic equipment and storage medium |
| CN114389844B (en) * | 2021-12-08 | 2024-04-16 | 锐捷网络股份有限公司 | Message processing method, device, electronic equipment and computer readable storage medium |
| CN114745177A (en) * | 2022-04-11 | 2022-07-12 | 浪潮思科网络科技有限公司 | ACL rule processing method, device, equipment and medium |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6320848B1 (en) * | 1998-05-01 | 2001-11-20 | Hewlett-Packard Company | Methods of altering dynamic decision trees |
| CN101039271A (en) * | 2007-03-20 | 2007-09-19 | 华为技术有限公司 | Method and apparatus for taking effect rules of access control list |
| CN101222434A (en) * | 2008-01-31 | 2008-07-16 | 福建星网锐捷网络有限公司 | Storage policy control listing, policy searching method and tri-state addressing memory |
-
2008
- 2008-12-23 CN CN2008102407229A patent/CN101447940B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6320848B1 (en) * | 1998-05-01 | 2001-11-20 | Hewlett-Packard Company | Methods of altering dynamic decision trees |
| CN101039271A (en) * | 2007-03-20 | 2007-09-19 | 华为技术有限公司 | Method and apparatus for taking effect rules of access control list |
| CN101222434A (en) * | 2008-01-31 | 2008-07-16 | 福建星网锐捷网络有限公司 | Storage policy control listing, policy searching method and tri-state addressing memory |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103001793A (en) * | 2012-10-26 | 2013-03-27 | 杭州迪普科技有限公司 | Method and device for managing ACL (access control list) |
| CN103001793B (en) * | 2012-10-26 | 2015-06-10 | 杭州迪普科技有限公司 | Method and device for managing ACL (access control list) |
Also Published As
| Publication number | Publication date |
|---|---|
| CN101447940A (en) | 2009-06-03 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101447940B (en) | Method and device for updating access control list rules | |
| US11811660B2 (en) | Flow classification apparatus, methods, and systems | |
| US7606236B2 (en) | Forwarding information base lookup method | |
| US9003135B2 (en) | Efficient allocation and reclamation of thin-provisioned storage | |
| KR100603699B1 (en) | Hybrid search memory for network processor and computer systems | |
| CN103038755B (en) | Method, the Apparatus and system of data buffer storage in multi-node system | |
| US8990492B1 (en) | Increasing capacity in router forwarding tables | |
| CN103164490A (en) | Method and device for achieving high-efficient storage of data with non-fixed lengths | |
| CN104731799A (en) | Memory database management device | |
| CN111177017B (en) | Memory allocation method and device | |
| CN108932271B (en) | File management method and device | |
| CN106020735A (en) | Data storage method and device | |
| US20030121030A1 (en) | Method for implementing dual link list structure to enable fast link-list pointer updates | |
| CN107545021A (en) | A kind of date storage method and device | |
| CN103425435A (en) | Disk storage method and disk storage system | |
| CN105243031B (en) | A kind of method and device of cache partitions distribution free page | |
| US7484068B2 (en) | Storage space management methods and systems | |
| US20060236065A1 (en) | Method and system for variable dynamic memory management | |
| CN105335307A (en) | ACL rule loading method and device | |
| US20090097494A1 (en) | Packet forwarding method and device | |
| CN102023845A (en) | Cache concurrent access management method based on state machine | |
| CN101321170B (en) | Automatic updating method for novel filtering and searching table | |
| US11402999B2 (en) | Adaptive wear leveling using multiple partitions | |
| CN109947798A (en) | A kind of processing method and processing device of stream event | |
| WO2013170373A1 (en) | Dynamic allocation of records to clusters in a ternary content addressable memory |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CP03 | Change of name, title or address |
Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No. Patentee after: Xinhua three Technology Co., Ltd. Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base Patentee before: Huasan Communication Technology Co., Ltd. |
|
| CP03 | Change of name, title or address |