CN103701704A - Priority-based access control list insertion and deletion method - Google Patents
Priority-based access control list insertion and deletion method Download PDFInfo
- Publication number
- CN103701704A CN103701704A CN201310697867.2A CN201310697867A CN103701704A CN 103701704 A CN103701704 A CN 103701704A CN 201310697867 A CN201310697867 A CN 201310697867A CN 103701704 A CN103701704 A CN 103701704A
- Authority
- CN
- China
- Prior art keywords
- entry
- acl
- priority
- template
- acl entry
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Landscapes
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention provides a priority-based insertion and deletion method for an access control list. The method comprises the following steps of creating at least one matching template, and determining the priority of the matching template; establishing a constraint set of each matching template to determine the priority of the matching template; establishing entry constraints of entries in the matching template to determine the priority of each entry; setting constraint conditions of an entry to be inserted/deleted, and determining the template priority of the matching template of the entry to be inserted/deleted and the entry priority of the entry to be inserted/deleted according to the set constraint conditions, the priority of the matching template and the priority of each entry; calculating a hardware table entry address of the entry to be inserted/deleted according to the template priority of the matching template of the entry to be inserted/deleted and the entry priority of the entry to be inserted/deleted; inserting/deleting the corresponding entry according to the calculated hardware table entry address. According to the method, the entries can be automatically added and deleted according to the constraint conditions set by a user, and influence on the execution sequence of the other existing entries is avoided.
Description
Technical field
The present invention relates to Access Control List (ACL) technology, relate in particular to a kind of method that Access Control List (ACL) is deleted in insertion based on priority.
Background technology
At present, a series of rules that have priority orders that Access Control List (ACL) (Access Control List, ACL) is comprised of matching field set and set of actions.In the network equipment, generally exist a plurality of acl entrys, according to the needs of network application scene, these acl entrys often need to be carried out according to certain execution sequence.In the network equipment, the execution sequence of acl entry is that the priority by acl entry guarantees, the carrying out prior to low priority entry of high priority.The setting of acl entry priority is exactly to set up an execution sequence to the mapping relations of ACL priority, the priority that is acl entry is to formulate according to the demand of the ACL execution sequence of user's requirement, conventionally according to the sequencing of configuration acl entry based on first join first effect or after the priority of the policy setting acl entry that comes into force after joining, when adding new acl entry, user must make the priority of the new acl entry adding in whole acl entry meet following two conditions: 1) newly add user that acl entry priority can meet this ACL requirement to ACL execution sequence, 2) requirement of the user that the priority of newly adding acl entry can not affect the current ACL having existed to ACL execution sequence.If can find out the empty entry of 1,2 the priority of satisfying condition, this ACL adds successfully, otherwise adds unsuccessfully.
Yet, according to user's request, in acl list, add new acl rule, according to the mode of existing human configuration, must be before configuration, carry out a large amount of artificial calculating, to determine that the acl entry newly increasing satisfies condition 1,2 simultaneously, along with the increase of acl entry in the network equipment, its difficulty in computation is also multiplied.Therefore, adopt prior art arrangement acl rule, in to ACL, add new rule, the acl rule of having set up is carried out to the workload that order adjusts again very large, thereby make the acl rule that user add is new very inconvenient.
Summary of the invention
In view of this, the invention provides a kind of method that Access Control List (ACL) is deleted in the insertion based on priority that can automatically insert/delete the acl entry that meets corresponding constraints.
The method of Access Control List (ACL) is deleted in a kind of insertion based on priority, it is for automatically inserting and delete acl entry according to user's request, the method that Access Control List (ACL) (Access Control List, ACL) is deleted in the described insertion based on priority comprises the following steps:
Create the priority of at least one ACL matching template definite described at least one ACL matching template;
Set up each ACL matching template constrain set to determine the priority of described at least one ACL matching template;
The entry of setting up the acl entry of described at least one ACL matching template retrains to determine the priority of each acl entry;
Setting needs the constraints of the acl entry that inserts/delete and according to the constraints, the priority of described at least one ACL matching template and the priority of each acl entry that set, determines template priority and the entry priority of matching template of the acl entry of required insertion/deletion;
According to the entry priority of the acl entry of the template priority of the acl entry matching template of required insertion/deletion and required insertion, calculate the hardware table item address of the acl entry of required insertion/deletion;
According to calculated hardware table item address, insert/delete corresponding acl entry.
Compared with prior art, insertion based on priority provided by the invention is deleted in the method for Access Control List (ACL), can automatically in current ACL resource, judge whether to exist the not use resource that meets constraints, and when existing, will add acl entry and add appropriate location to, and the adjustment of carrying out suitable ACL resource prioritization meets the requirement of user to ACL execution sequence, thereby the constraints that can set according to user by this method is automatically added and is deleted acl entry, and other acl entry execution sequence having existed is not impacted.
Accompanying drawing explanation
Fig. 1 is that the method flow diagram of Access Control List (ACL) is deleted in the insertion based on priority provided by the invention.
Fig. 2-11st, inserts the method flow diagram of acl entry under various boundary conditions in Fig. 1.
Figure 12 is the method flow diagram of deleting acl entry in Fig. 1.
Following embodiment further illustrates the present invention in connection with above-mentioned accompanying drawing.
Embodiment
Refer to Fig. 1, a kind of insertion deletion Access Control List (ACL) (Access Control List based on priority that it provides for embodiment of the present invention, ACL) method, it is for automatically inserting and delete acl entry according to user's request, and the method that Access Control List (ACL) is deleted in the described insertion based on priority comprises the following steps:
S100: create at least one ACL matching template;
S200: set up each ACL matching template constrain set to determine the priority of at least one ACL matching template;
S300: the entry of setting up the acl entry of at least one ACL matching template retrains to determine the priority of each acl entry;
S400: template priority and the entry priority of setting the matching template of the acl entry need the constraints of the acl entry that inserts/delete and to determine required insertion/deletion according to the constraints, the priority of at least one ACL matching template and the priority of each acl entry that set;
S500: the hardware table item address of calculating the acl entry of required insertion/deletion according to the entry priority of the acl entry of the template priority of the acl entry matching template of required insertion/deletion and required insertion;
S600: insert/delete corresponding acl entry according to calculated hardware table item address.
Refer to Fig. 3, in step S100, S200 and S300, ACL resource carried out to initialization and comprise the following steps:
S110: distribute ACL matching template according to user's request and ardware feature;
S210: set each matching template default priority and for each matching template set up template constrain set and when the initialization template constrain set be sky;
S310: the acl entry priority limit of determining the whole network equipment;
S320: determine the initial scope of acl entry priority in each matching template according to the template priority of each matching template;
S330: be that sky and entry state are set to not use for each acl entry creates this entry constrain set of entry constraint set merging initialization.
At step S110, matching template may in present embodiment, as shown in Figure 2, be 4 matching templates according to user's request by the ACL initializing resource of the network equipment for 1 to n, is respectively matching template A, matching template B, matching template C and matching template D.Not use initialization acl entry number in each matching template is respectively CountA, CountB, CountC and CountD.
In step S210, the default priority scope of ACL matching template is 0 to matching template number-1, in present embodiment, the template priority limit of matching template A, B, C and D is 0 to 3, the entry priority limit of template A is 0 to CountA-1, the entry priority limit of template B is 0 to CountB-1, and the entry priority limit of template C is 0 to CountC-1, and the entry priority limit of template D is 0 to CountD-1.Hardware address that can unique definite entry according to the entry priority of the template priority of entry place matching template and entry.If template number is n, between every two templates, create a template constraint, altogether create
individual template constraint, in present embodiment, template A initial priority is 0, template B initial priority is 1, and template C initial priority is 2, and template D initial priority is 3, template constrain set is { (A, B), (A, C), (A, D), (B, C), (B, D), (C, D) } totally 6 template constraints.Wherein, each template constraint in this template constrain set is with reference count, represents that this template constraint quoted by the entry in how many these matching templates.
In step S310, the minimum value of the acl entry priority limit of the whole network equipment is 0, and maximum is that in all matching templates, acl entry is counted sum and deducted 1.
In step S320, priority is that the acl entry priority limit of 0 matching template is 0 to this matching template acl entry number, to deduct 1, if it is n that this matching template comprises acl entry number, acl entry priority limit is 0 to n-1, thereby can obtain successively the initial scope of priority of acl entry in all matching templates.
In step S400, the constraints of setting comprises the first constraints, the second constraints, the third constraints and the 4th kind of constraints, in present embodiment, setting already present first acl entry is that entry a, second acl entry are that the acl entry that entry b and need insert is entry c, wherein, the priority of entry a is less than the priority of entry b.
In present embodiment, each constraints is set as follows:
The priority of the first constraints: entry c is unrestricted;
The priority of the second constraints: entry c is greater than the priority of entry a;
The priority of the third constraints: entry c is less than the priority of entry b;
The priority of the 4th kind of constraints: entry c is greater than the priority of entry a and is less than the priority of entry b.
Refer to Fig. 4, according to the constraints setting, carrying out in acl entry inserting step, if corresponding acl entry inserting step comprises the following steps when the entry c setting is the first constraints:
S411: judge entry c specifies in the matching template adding whether have the not use entry that entry priority is minimum, if so, enters step S412, if not, adds unsuccessfully.
S412: select entry c to specify the minimum entry of not using of entry priority in the matching template adding to carry out the interpolation of entry c.
Be understandable that, according to the template priority of the matching template of this entry c appointment and entry c priority, calculate entry c hardware table item address, will add acl entry c and add corresponding hardware address to.
For example in the present embodiment, in matching template A, add entry a ', and the constraints of setting is the first, add entry process prescription: according to adding acl entry step, select entry that entry priority in matching template A is minimum as the point of addition of entry a ', after adding, the entry priority of entry a is 0, and the template priority of matching template A is 0.
Refer to Fig. 5, according to the constraints setting, carrying out in acl entry inserting step, if corresponding acl entry inserting step comprises the following steps when the acl entry that the need of setting insert is the second constraints:
S421: judge whether entry c and entry a belong to same matching template, if so, enter step S422, if not, enter step S422a;
S422: search in the matching template under entry a and whether exist entry priority to be greater than the not use entry set of entry a, if so, enter step S423, if not, enter step S423a;
S422a: judge that entry c, by whether there being template constraint between the template under the template of interpolation and entry a, if so, enters step S4222a, if not, enter step S4222b;
S4222a: judge whether existing template constraint conflicts with the entry constraint between entry c and entry a, if so, adds unsuccessfully, if not, enters step S4222c;
S4222b: create this template constraint in the template constrain set of entry c and entry a, and this new template constraint is added to template constrain set, recalculate and arrange the priority of all matching templates that satisfy condition according to new template constrain set.Wherein, the reference count that the constraint of this new template is set is 1.
S4222c: select not use entry that entry priority is minimum as inserting entry in the matching template that entry c specify to add;
S423: the entry priority of the matching template under entry a be greater than entry a do not use entry set in select entry priority minimum entry as inserting entry;
S423a: search in the matching template under entry a and whether exist entry priority to be less than the not use entry set of entry a, if so, enter step S424, if not, add unsuccessfully;
The entry priority of S424: entry c is set to the entry priority of entry a, in matching template under entry a, entry priority is less than in the not use entry set of entry priority of entry a, and the priority of selecting the entry that entry priority is minimum is as the new entry priority of entry a and add entry a and entry c according to new priority.
Be understandable that, according to the template priority of matching template under entry a and entry c and separately the entry priority of entry after calculating the hardware table item address of entry a and entry c, add entry a and entry c to corresponding hardware address.
For example in the present embodiment, the constraints of adding entry b ' and setting in matching template B is priority entry a<b, adding procedure is described: according to adding acl entry step, first judge whether b ' and a entry are same matching templates, entry a belongs to template A, b ' belongs to template B, do not belong to same matching template, meet constraints, even if the priority of template A is lower than the priority of template B, drawing template establishment constraint A<B, now the template priority of matching template A is 0, the template priority of matching template B is 1, can meet the requirement of constraints, do not need to adjust the priority of matching template.Therefore, only need in matching template B, search whether to exist and not use entry set, and select an entry that entry priority is minimum as the point of addition of entry b.After adding, the entry priority of entry a is 0, and the template priority of matching template A is 0, and the entry priority of entry b ' is 0, and the priority of matching template B is 1.Wherein between template A and template B template, have template constraint A<B, template constraint (A, B) reference count adds 1, and pass is A<B.
Refer to Fig. 6, according to the constraints setting, carrying out in acl entry inserting step, if corresponding acl entry inserting step comprises the following steps when the acl entry that the need of setting insert is the third constraints:
S431: judge whether entry c and entry a belong to same matching template, if so, enter step S432, if not, enter step S432a;
S432: whether judgement exists entry priority to be less than the not use entry set of entry b under entry b in matching template, if so, enter step S433, if not, enters step S433a;
S432a: judge that entry c, by whether there being template constraint between the template under the template of interpolation and entry b, if so, enters step S4322a, if not, enter step S4322b;
S4322a: judge whether existing template constraint conflicts with the entry constraint between entry c and entry b, if so, adds unsuccessfully, if not, enters step S4322c;
S4322b: create this template constraint in the template constrain set of entry c and entry b, and this new template constraint is added to template constrain set, recalculate and arrange the priority of all matching templates that satisfy condition according to new template constrain set.Wherein, the reference count that the constraint of this new template is set is 1.Wherein, the reference count that the constraint of this new template is set is 1.
S4322c: the not use entry that in the matching template that entry c appointment is added, entry priority is minimum is as inserting entry;
S433: the entry priority of matching template described in entry b be less than entry b priority do not use entry set in select the entry of entry priority minimum as inserting entry;
S433a: while whether existing entry priority to be greater than the not use entry set of entry b in the matching template of judgement under entry b, if so, enter step S434, if not, add unsuccessfully;
The entry priority of S434: entry c is set to the entry priority of entry b, in the matching template under entry b entry priority be greater than entry b entry priority do not use entry set in select the entry that entry priority is minimum priority as the new entry priority of entry b and add entry b and entry c according to new priority.
Be understandable that, according to the template priority of matching template under entry b and entry c and separately the entry priority of entry after calculating the hardware table item address of entry b and entry c, add entry a and entry c to corresponding hardware address.
For example: in the present embodiment, in matching template C, adding entry c ' and setting constraints is that ACL execution priority is c<b, adding procedure is described: according to adding acl entry step, first judge whether c and b entry are same matching templates, and c belongs to template C, b belongs to template B, do not belong to same matching template, meet constraints, even if the priority of template C will be lower than the priority of template B, drawing template establishment constraint, C<B.Between A, B template, also there is template constraint A<B simultaneously.First whether inquiry there is the untapped priority that is less than template B, does not exist.
Therefore, must make to readjust priority between A, B, C, be greater than template B do not use template priority in select priority minimum, as the new template priority of template B, the original priority of template B is as template C priority.After adjustment, template A priority is 0, and template B priority is 2, and template C priority is 1.Then template C do not use entry in select entry that entry priority is minimum as the point of addition of entry c '.After interpolation, the entry priority of entry a is 0, and the priority of template A is 0, and the entry priority of entry b is 0, and template B priority is 2, and the entry priority of entry c ' is 0, and template C priority is 1.Between template A, B, C, Existence restraint condition is as follows: B>A, C<B.Now template constraint (A, B) reference count is constant, and template constraint (B, C) reference count adds 1, and pass is B>C.
Incorporated by reference to Fig. 7-11, according to the constraints setting, carrying out in acl entry inserting step, if corresponding acl entry inserting step comprises the following steps when the acl entry that the need of setting insert is the 4th kind of constraints:
S441: judge whether entry c and entry a belong to same matching template, if so, enter step S442, if not, enter step S442a;
S442: judge whether entry c and entry b belong to same matching template, if so, enter step S443, if not, enter step S443a;
S442a: judge whether entry c and entry b belong to same matching template, if so, enter step S4422a, if not, enter step S4422b;
S4422a: whether judgement exists template to retrain between the matching template of entry c appointment and the matching template under entry a, if so, enters step S4422c; If not, enter step S4422d;
S4422b: judge whether entry a and entry b belong to same template, if so, enter step S4422m, if not, enter step S4422n;
S4422c: judge whether existing template constraint and entry c conflict with the entry constraint between entry a, if so, add unsuccessfully, if not, enter step S4422e;
S4422d: create new template constraint in the template constrain set of entry a and entry c, and this new template constraint is added to template constrain set, recalculate and arrange the priority of all matching templates that satisfy condition according to new template constrain set.
S4422e: search and whether exist entry priority to be less than the not use entry set of entry b under entry b in matching template, if so, enter step S4422f, if not, enter step S4422g;
S4422f: select the entry of set discal patch order priority minimum as adding entry and the entry priority of entry c being set for the entry priority of this entry;
S4422g: search and whether exist entry priority to be greater than the not use entry set of entry b under entry b in matching template, if so, enter step S4422h, if not, add unsuccessfully;
The entry priority of S4422h: entry c is set to the entry priority of described the second acl entry, under entry b in matching template entry priority be greater than entry b do not use entry set in select the priority of entry of entry priority minimum as the new entry priority of entry b;
S4422m: entry c adds unsuccessfully;
S4422n: whether have template constraint between the template that judgement is added in entry c appointment and the template under entry a, if so, enter step S44222a, if not, enter step S44222b;
S44222a: judge the constraint of existing template and entry c and entry a and between entry retrain and whether conflict, if so, add unsuccessfully, if not, enter step S44222c;
S44222b: create new template constraint in the template constrain set of entry c and entry a, and this new template constraint is added to template constrain set, recalculate and arrange the priority of all matching templates that satisfy condition according to new template constrain set; Be understandable that, according to the template priority of template described in entry a and entry c and separately the entry priority of entry after calculating the hardware table item address of entry a and entry c, add entry a and entry c to corresponding hardware address.
S44222c: judge between the template under template under entry b and entry c and whether exist template to retrain, if so, to enter step S44222d, if not, to enter step S44222e;
S44222d: judge the constraint of existing template and entry c and entry b and between entry retrain and whether conflict, if so, add unsuccessfully, if not, enter step S44222f;
S44222e: create new template constraint in the template constrain set of entry c and entry b, and this new template constraint is added to template constrain set, recalculate and arrange the priority of all matching templates that satisfy condition according to new template constrain set; Be understandable that, according to the template priority of template described in entry b and entry c and separately the entry priority of entry after calculating the hardware table item address of entry b and entry c, add entry b and entry c to corresponding hardware address.
S44222f: judge between the template under template under entry a and entry b and whether exist template to retrain, if so, to enter step S44222g, if not, to enter step S44222h;
S44222g: judge the constraint of existing template and entry a and entry b and between entry retrain while whether conflicting, if so, add unsuccessfully, if not, enter step S44222i;
S44222h: create new template constraint in the template constrain set of entry a and entry b, and this new template constraint is added to template constrain set, recalculate and arrange the priority of all matching templates that satisfy condition according to new template constrain set;
S44222i: search in the affiliated matching template of required insertion acl entry whether have untapped entry, if so, enter step S44222j, if not, add unsuccessfully;
S44222j: what in the template under entry c, entry priority was minimum does not use entry priority as the entry priority of entry c;
S443: whether exist entry priority to meet the not use entry set of the 4th kind of constraints in the matching template of judgement under entry a, entry b and entry c, if so, enter step S444, if not, enter step S444a;
S443a: whether judgement exists template to retrain between the matching template of entry c appointment and the matching template under entry b, if so, enters step S4433a, if not, enters step S4433b;
S4433a: judge whether existing template constraint and entry c conflict with the entry constraint between entry b, if so, add unsuccessfully, if not, enter step S4433c;
S4433b: create entry c and the constraint of entry b template in template constrain set, and this new template constraint is added to template constrain set, recalculate and arrange the priority of all matching templates that satisfy condition according to new template constrain set; Be understandable that, according to the template priority of template described in entry b and entry c and separately the entry priority of entry after calculating the hardware table item address of entry b and entry c, add entry b and entry c to corresponding hardware address.
S4433c: search and whether exist entry priority to be greater than the not use entry set of entry a under entry a in matching template, if so, enter step S4433d, if not, enter step S4433e;
S4433d: select the entry of set discal patch order priority minimum as adding entry and the entry priority of entry c being set for the entry priority of this entry; Be understandable that, according to the matching template priority of entry c or entry a and entry priority, calculate this entry hardware table item address, add acl entry c or entry a to this hardware address.
S4433e: search and whether exist entry priority to be less than the not use entry set of entry a under entry a in matching template, if so, enter step S4433f, if not, add unsuccessfully;
The entry priority of S4433f: entry c is set to the entry priority of entry a, under entry a in matching template entry priority be less than entry a do not use entry set in select the priority of entry of entry priority minimum as the new entry priority of entry a;
S444: select entry that set discal patch order priority is minimum as inserting entry; Be understandable that, according to the hardware table item address of the template priority of matching template under entry c and c entry priority calculating c entry, add acl entry c to corresponding hardware address.
S444a: judge in the affiliated matching template of entry a, entry b and entry c and whether exist entry priority to be less than the not use entry set of entry a, if so, to enter step S4444a, if not, to enter step S4444b;
The entry priority of S4444a: entry c is set to the entry priority of entry a, under entry a, the entry priority of matching template is less than in the not use entry set of entry a, and the priority of the entry of selection entry priority minimum is as the new entry priority of entry a.Be understandable that, according to entry a, the entry priority of the template priority of the affiliated matching template of entry c and separately entry is calculated entry a, the hardware table item address of c, and by acl entry a, c adds corresponding hardware address to.
S4444b: whether judgement exists entry priority to be greater than the not use entry set of entry b under entry a, entry b and entry c in matching template, if so, enter step S4444c, if not, adds unsuccessfully;
The entry priority of S4444c: entry c is set to the entry priority of entry b, under entry b, the entry priority of matching template is greater than in the not use entry set of entry b, and the priority of the entry of selection entry priority minimum is as the new entry priority of entry b.
Be understandable that, according to entry b, the hardware table item address that the entry priority of the template priority of the affiliated matching template of entry c and separately entry is calculated entry b and entry c, adds acl entry b and entry c to corresponding hardware address.
Refer to Figure 12, in step S400, setting and will deleting acl entry is entry d, deletes in the step of entry d and comprises the following steps:
S451: search in the acl entry having existed and whether have entry d, if so, enter step S452, if not, entry c deletes successfully;
S452: whether the entry constraint that judges entry d is empty, if so, enters step S500, if not, enters step S453;
S453: judge whether all entry constraints in entry d belong to same matching template, if so, perform step S454, if not, enter step S454a;
S454: delete relevant entry constraint in the entry constrain set of each approximately intrafascicular acl entry of entry;
S454a: delete correlate template constraint in the template constrain set in the acl entry place matching template of entry constraint;
In step S454, the acl entry approximately intrafascicular with entry do not belong to same matching template template constraint reference count-1.From the template constrain set of entry d place matching template, find the template constraint of d place template and non-d entry place template, and to its reference count-1.If reference count becomes 0, in the template constrain set of entry d place template, delete this constraint.From the template constrain set of non-entry d place matching template, find the template constraint of non-c entry place template and d place template, and to its reference count-1.If reference count becomes 0, in the template constrain set of non-d entry place template, delete this constraint.
In step S454a, when deleting the constraint of entry d relevant entry, from the entry constrain set of entry c, delete the entry constraint of d and non-d entry, from the entry constrain set of non-entry c, delete the entry constraint of d and non-d entry.
For example, in the present embodiment, in matching template A, adding entry d and constraints is ACL execution priority d>b, adding procedure is described: according to adding acl entry step, first judge whether b and d entry are same matching templates, d belongs to template A, b belongs to template B, do not belong to same matching template, meet constraints, even if the priority of template A is higher than the priority of template B, need to revise template constraint (A, B) pass is A>B, but due to template (A, B) between, there is template constraint, and closing is A<B, conflict with the demand of template constraint.Therefore add entry d failure.When template constraint is used (reference count is not 0), the relation of template constraint can not be revised.
For example, in matching template A, adding entry e and constraints is ACL execution priority e<b, adding procedure is described: according to adding acl entry step, first judge whether e and d entry are same matching templates, e belongs to template A, b belongs to template B, do not belong to same matching template, meet constraints, even the priority of the low template B of priority of template A, template (A, B) between, there is template constraint, and closing is A<B, therefore to template constraint (A, B) reference count adds 1, entry e order in matching template A is added can meet constraints, now template constraint (A, B) reference count is 2.
Insertion based on priority provided by the invention is deleted in the method for Access Control List (ACL), can automatically in current ACL resource, judge whether to exist the not use resource that meets constraints, and when existing, will add acl entry and add appropriate location to, and the adjustment of carrying out suitable ACL resource prioritization meets the requirement of user to ACL execution sequence, thereby the constraints that can set according to user by this method is automatically added and is deleted acl entry, and other acl entry execution sequence having existed is not impacted.
Be understandable that, for the person of ordinary skill of the art, can make other various corresponding changes and distortion by technical conceive according to the present invention, and all these change and distortion all should belong to the protection range of the claims in the present invention.
Claims (10)
1. the method for Access Control List (ACL) is deleted in an insertion based on priority, it is for automatically inserting and delete acl entry according to user's request, the method that Access Control List (ACL) (Access Control List, ACL) is deleted in the described insertion based on priority comprises the following steps:
Create the priority of at least one ACL matching template definite described at least one ACL matching template;
Set up each ACL matching template constrain set to determine the priority of described at least one ACL matching template;
The entry of setting up the acl entry of described at least one ACL matching template retrains to determine the priority of each acl entry;
Setting needs the constraints of the acl entry that inserts/delete and according to the constraints, the priority of described at least one ACL matching template and the priority of each acl entry that set, determines template priority and the entry priority of matching template of the acl entry of required insertion/deletion;
According to the entry priority of the acl entry of the template priority of the acl entry matching template of required insertion/deletion and required insertion, calculate the hardware table item address of the acl entry of required insertion/deletion;
According to calculated hardware table item address, insert/delete corresponding acl entry.
2. the method for Access Control List (ACL) is deleted in the insertion based on priority as claimed in claim 1, it is characterized in that, in the step of acl entry of setting constraints, described constraints comprises the first constraints, the second constraints, the third constraints and the 4th kind of constraints, the priority of setting already present first acl entry and second acl entry and described the first acl entry is less than the priority of described the second acl entry, described the first constraints is that the acl entry inserting is unrestricted, described the second constraints is that the priority of the acl entry of insertion is greater than described the first acl entry, described the third constraints is that the priority of the acl entry of insertion is less than described the second acl entry, described the 4th kind of constraints is that the priority of the acl entry of insertion is greater than described the first acl entry and is less than described the second acl entry.
3. the method for Access Control List (ACL) is deleted in the insertion based on priority as claimed in claim 2, it is characterized in that, in the step of carrying out corresponding acl entry insertion according to the first constraints setting, comprises the following steps:
Find out not use entry that in the matching template that the acl entry of required insertion specify to add, entry priority is minimum as inserting entry.
4. the method for Access Control List (ACL) is deleted in the insertion based on priority as claimed in claim 2, it is characterized in that, in the step of carrying out corresponding acl entry insertion according to the second constraints setting, comprises the following steps:
Judgement needs to insert acl entry and whether described the first acl entry belongs to same matching template, if, in the matching template under described the first acl entry, exist entry priority be greater than described the first acl entry do not use entry set time do not use entry set described in selecting in the entry of entry priority minimum as inserting entry, if not, when there is template constraint and the constraint of existing template between the template under the template of interpolation and described the first acl entry and needing entry between insertion acl entry and described the first acl entry to retrain not conflict in the acl entry inserting at need, need are inserted to not use entry that in the matching template that acl entry specify to add, entry priority is minimum as inserting entry, when the acl entry inserting at need does not exist template to retrain between by the template under the template of interpolation and described the first acl entry, in template constrain set, create the constraint of new template and according to new template constrain set so that the priority of each matching template to be set, need are inserted to not use entry that in the matching template that acl entry specify to add, entry priority is minimum in new template constrain set as inserting entry.
5. the method for Access Control List (ACL) is deleted in the insertion based on priority as claimed in claim 4, it is characterized in that, further comprising the steps of in judging the step that needs insertion acl entry and described the first acl entry to belong to same matching template:
In matching template under described the first acl entry, do not exist entry priority be greater than described the first acl entry do not use entry set time and the matching template under described the first acl entry in while existing entry priority to be less than the not use entry set of described the first acl entry, the entry priority of the acl entry that need insert is set to the entry priority of described the first acl entry, in matching template under described the first acl entry, entry priority is less than in the not use entry set of entry priority of described the first acl entry, select the priority of the entry that entry priority is minimum as the new entry priority of described the first acl entry.
6. the method for Access Control List (ACL) is deleted in the insertion based on priority as claimed in claim 2, it is characterized in that, in the step of carrying out corresponding acl entry insertion according to the third constraints setting, comprises the following steps:
Judgement needs to insert acl entry and whether described the first acl entry belongs to same matching template, if, under described the second acl entry, in matching template, exist entry priority be less than described the second acl entry do not use entry set time do not use entry set described in selecting in minimum entry priority as need, insert the priority of acl entry, if not, need the acl entry that inserts when having template constraint and the constraint of existing template between the template under the template of interpolation and described the second acl entry and needing entry between insertion acl entry and described the second acl entry to retrain not conflict, need are inserted to not use entry that in the matching template that acl entry specify to add, entry priority is minimum as inserting entry, when the acl entry inserting at need does not exist template to retrain between by the template under the template of interpolation and described the second acl entry, in template constrain set, create the constraint of new template and according to new template constrain set so that the priority of each matching template to be set, need are inserted to not use entry that in the matching template that acl entry specify to add, entry priority is minimum in new template constrain set as inserting entry.
7. the method for Access Control List (ACL) is deleted in the insertion based on priority as claimed in claim 6, it is characterized in that, further comprising the steps of in judging the step that needs insertion acl entry and described the second acl entry to belong to same matching template:
While not existing entry priority to be less than not using of described the second acl entry in the matching template under described the second acl entry to exist entry priority to be greater than the not use entry set of described the second acl entry in entry set and the matching template under described the second acl entry, the entry priority that need insert acl entry is set to the entry priority of described the second acl entry, in matching template under described the second acl entry, entry priority is greater than in the not use entry set of entry priority of described the second acl entry, select the priority of the entry that entry priority is minimum as the new entry priority of described the second acl entry.
8. the method for Access Control List (ACL) is deleted in the insertion based on priority as claimed in claim 2, it is characterized in that, in the step of carrying out corresponding acl entry insertion according to the 4th kind of constraints setting, comprises the following steps:
Judge whether required insertion acl entry and described the first acl entry and described the second acl entry all belong to same matching template, if so, exist in the matching template under described the first acl entry, described the second acl entry and required insertion acl entry entry priority meet described the 4th kind of constraints do not use entry set time select the priority of the entry that set discal patch order priority is minimum as required insertion acl entry priority;
If not, described the first acl entry with need to insert acl entry and belong to same matching template and described the second acl entry and required insertion acl entry and do not belong to same matching template and between the matching template under the matching template of required insertion acl entry appointment and described the second acl entry, exist template constraint and existing template to retrain and required insertion acl entry and entry between described the second acl entry retrain while not conflicting, under described the first acl entry, in matching template, exist entry priority be greater than described the first acl entry do not use entry set time select entry priority minimum entry as adding entry and the entry priority that the entry priority of required insertion acl entry is this entry being set, while not existing entry priority to be greater than not using entry set and existing entry priority to be less than the not use entry set of described the first acl entry in matching template of described the first acl entry under described the first acl entry in matching template under described the first acl entry, the entry priority of required insertion acl entry is set to the entry priority of described the first acl entry, under described the first acl entry in matching template entry priority be less than described the first acl entry do not use entry set in select the priority of entry of entry priority minimum as the new entry priority of described the first acl entry,
Described the first acl entry with need to insert acl entry and do not belong to same matching template and described the second acl entry and required insertion acl entry and belong to same matching template and between the matching template under the matching template of required insertion acl entry appointment and described the first acl entry, exist template constraint and existing template to retrain and required insertion acl entry and entry between described the first acl entry retrain while not conflicting, under described the second acl entry, in matching template, exist entry priority be less than described the second acl entry do not use entry set time select entry priority minimum entry as adding entry and the entry priority that the entry priority of required insertion acl entry is this entry being set, while not existing entry priority to be less than not using entry set and existing entry priority to be greater than the not use entry set of described the second acl entry in matching template of described the second acl entry under described the second acl entry in matching template under described the second acl entry, the entry priority of required insertion acl entry is set to the entry priority of described the second acl entry, under described the second acl entry in matching template entry priority be greater than described the second acl entry do not use entry set in select the priority of entry of entry priority minimum as the new entry priority of described the second acl entry,
At described the first acl entry, described the second acl entry does not all belong to same matching template with needing the acl entry inserting, if between the template under the template under described the first acl entry and the acl entry that needs to insert, exist template constraint and the constraint of existing template and required insertion acl entry and described the first acl entry and between entry retrain while not conflicting, and between the template under the template under described the second acl entry and the acl entry need inserting, exist template constraint and the constraint of existing template and required insertion acl entry and described the second acl entry and between entry retrain while not conflicting, and between the template under template and described the second acl entry under described the first acl entry, exist template constraint and the constraint of existing template and described the first acl entry and described the second acl entry and between entry retrain while not conflicting, and while there is untapped entry in the matching template under required insertion acl entry, what in the template under required insertion acl entry, entry priority was minimum does not use entry priority as the entry priority of required insertion acl entry.
9. the method for Access Control List (ACL) is deleted in the insertion based on priority as claimed in claim 8, it is characterized in that, at judgement described the first acl entry, described the second acl entry and required insertion acl entry, belong to further comprising the steps of in the step of same matching template:
At described the first acl entry, in matching template under described the second acl entry and required insertion acl entry, do not exist entry priority to meet the not use entry set of described the 4th kind of constraints and at described the first acl entry, while existing entry priority to be less than the not use entry set of described the first acl entry in the matching template under described the second acl entry and required insertion acl entry, the entry priority of required insertion acl entry is set to the entry priority of described the first acl entry, under described the first acl entry, the entry priority of matching template is less than in the not use entry set of described the first acl entry, the priority of the entry of selection entry priority minimum is as the new entry priority of described the first acl entry,
At described the first acl entry, in matching template under described the second acl entry and required insertion acl entry, do not exist entry priority to be less than the not use entry set of described the first acl entry and at described the first acl entry, while existing entry priority to be greater than the not use entry set of described the second acl entry in matching template under described the second acl entry and required insertion acl entry, the entry priority of required insertion acl entry is set to the entry priority of described the second acl entry, under described the second acl entry, the entry priority of matching template is greater than in the not use entry set of described the second acl entry, the priority of the entry of selection entry priority minimum is as the new entry priority of described the second acl entry.
10. the method for Access Control List (ACL) is deleted in the insertion based on priority as claimed in claim 1, it is characterized in that, in deleting acl entry step, comprises the following steps:
In the acl entry having existed, search the acl entry that whether exists need to delete;
If exist and when the entry of the acl entry of required deletion is constrained to non-NULL all entries constraints in the acl entry of judgement in required deletion whether belong to same matching template, if so, in the entry constrain set of each approximately intrafascicular acl entry of entry, delete relevant entry constraint; If not, in the template constrain set in the acl entry place matching template of entry constraint, delete correlate template constraint.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310697867.2A CN103701704B (en) | 2013-12-18 | 2013-12-18 | Based on priority insertion deletes the method accessing control list |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310697867.2A CN103701704B (en) | 2013-12-18 | 2013-12-18 | Based on priority insertion deletes the method accessing control list |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN103701704A true CN103701704A (en) | 2014-04-02 |
| CN103701704B CN103701704B (en) | 2016-09-28 |
Family
ID=50363106
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201310697867.2A Active CN103701704B (en) | 2013-12-18 | 2013-12-18 | Based on priority insertion deletes the method accessing control list |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN103701704B (en) |
Cited By (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107168900A (en) * | 2017-05-26 | 2017-09-15 | 杭州迪普科技股份有限公司 | A kind of method and apparatus for configuring ACL table |
| CN108667644A (en) * | 2017-03-31 | 2018-10-16 | 华为数字技术(苏州)有限公司 | Configure the method and forwarding unit of ACL business |
| CN109150686A (en) * | 2018-09-07 | 2019-01-04 | 迈普通信技术股份有限公司 | ACL table item delivery method, device and the network equipment |
| CN109688126A (en) * | 2018-12-19 | 2019-04-26 | 迈普通信技术股份有限公司 | A kind of data processing method, the network equipment and computer readable storage medium |
| CN110807003A (en) * | 2018-07-18 | 2020-02-18 | 成都华为技术有限公司 | Method and apparatus for modifying reference counts of access control lists |
| CN110837647A (en) * | 2018-08-16 | 2020-02-25 | 迈普通信技术股份有限公司 | Method and device for managing access control list |
| CN114745177A (en) * | 2022-04-11 | 2022-07-12 | 浪潮思科网络科技有限公司 | ACL rule processing method, device, equipment and medium |
| CN116016387A (en) * | 2023-03-10 | 2023-04-25 | 苏州浪潮智能科技有限公司 | Access control list effective control method, device, equipment and storage medium |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1414757A (en) * | 2002-05-08 | 2003-04-30 | 华为技术有限公司 | Method of automatic sequential arranging access control list rule and its application |
| CN101035062A (en) * | 2006-03-09 | 2007-09-12 | 中兴通讯股份有限公司 | Rule update method for three-folded content addressable memory message classification |
| US20090125470A1 (en) * | 2007-11-09 | 2009-05-14 | Juniper Networks, Inc. | System and Method for Managing Access Control Lists |
| CN101447940A (en) * | 2008-12-23 | 2009-06-03 | 杭州华三通信技术有限公司 | Method and device for updating access control list rules |
| CN102857510A (en) * | 2012-09-18 | 2013-01-02 | 杭州华三通信技术有限公司 | Method and device for issuing ACL (access control list) items |
-
2013
- 2013-12-18 CN CN201310697867.2A patent/CN103701704B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1414757A (en) * | 2002-05-08 | 2003-04-30 | 华为技术有限公司 | Method of automatic sequential arranging access control list rule and its application |
| CN101035062A (en) * | 2006-03-09 | 2007-09-12 | 中兴通讯股份有限公司 | Rule update method for three-folded content addressable memory message classification |
| US20090125470A1 (en) * | 2007-11-09 | 2009-05-14 | Juniper Networks, Inc. | System and Method for Managing Access Control Lists |
| CN101447940A (en) * | 2008-12-23 | 2009-06-03 | 杭州华三通信技术有限公司 | Method and device for updating access control list rules |
| CN102857510A (en) * | 2012-09-18 | 2013-01-02 | 杭州华三通信技术有限公司 | Method and device for issuing ACL (access control list) items |
Cited By (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108667644A (en) * | 2017-03-31 | 2018-10-16 | 华为数字技术(苏州)有限公司 | Configure the method and forwarding unit of ACL business |
| CN107168900A (en) * | 2017-05-26 | 2017-09-15 | 杭州迪普科技股份有限公司 | A kind of method and apparatus for configuring ACL table |
| CN107168900B (en) * | 2017-05-26 | 2019-09-06 | 杭州迪普科技股份有限公司 | A kind of method and apparatus configuring ACL table item |
| CN110807003A (en) * | 2018-07-18 | 2020-02-18 | 成都华为技术有限公司 | Method and apparatus for modifying reference counts of access control lists |
| CN110807003B (en) * | 2018-07-18 | 2023-03-24 | 成都华为技术有限公司 | Method and apparatus for modifying reference counts of access control lists |
| CN110837647A (en) * | 2018-08-16 | 2020-02-25 | 迈普通信技术股份有限公司 | Method and device for managing access control list |
| CN109150686A (en) * | 2018-09-07 | 2019-01-04 | 迈普通信技术股份有限公司 | ACL table item delivery method, device and the network equipment |
| CN109150686B (en) * | 2018-09-07 | 2020-12-22 | 迈普通信技术股份有限公司 | ACL (access control list) table item issuing method, device and network equipment |
| CN109688126A (en) * | 2018-12-19 | 2019-04-26 | 迈普通信技术股份有限公司 | A kind of data processing method, the network equipment and computer readable storage medium |
| CN109688126B (en) * | 2018-12-19 | 2021-08-17 | 迈普通信技术股份有限公司 | Data processing method, network equipment and computer readable storage medium |
| CN114745177A (en) * | 2022-04-11 | 2022-07-12 | 浪潮思科网络科技有限公司 | ACL rule processing method, device, equipment and medium |
| CN116016387A (en) * | 2023-03-10 | 2023-04-25 | 苏州浪潮智能科技有限公司 | Access control list effective control method, device, equipment and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN103701704B (en) | 2016-09-28 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN103701704A (en) | Priority-based access control list insertion and deletion method | |
| US9075633B2 (en) | Configuration of life cycle management for configuration files for an application | |
| Kurtz | Weak and strong solutions of general stochastic models | |
| US20130326458A1 (en) | Timing refinement re-routing | |
| CN105608366B (en) | User authority control method and device | |
| JP2008537254A (en) | Conflict resolution by synchronous manager | |
| DE60003457D1 (en) | METHOD AND SYSTEM FOR CONFIGURING COMPONENTS, OUTPUTABLE IN A NETWORK | |
| CN105808273B (en) | Method for upgrading software and software updating apparatus | |
| CN101156379B (en) | Method and system for selecting service quality policy | |
| WO2015184880A1 (en) | Method for arranging icons and user terminal | |
| CN104361190B (en) | The method and device of empty terminal automation connection in electrical secondary system | |
| WO2020042776A1 (en) | Recommending method and apparatus, storage medium, and terminal device | |
| CN101179580B (en) | Method for implementing encoding/decoding of WiMAX system information | |
| CN104991707B (en) | A kind of display user interface method and device | |
| Zachary | A note on insensitivity in stochastic networks | |
| US20140006595A1 (en) | User-selectable ieee 1588 clock class and quality level mapping | |
| CN103488476A (en) | Associated data processing system and associated data processing method | |
| CN109510681A (en) | A kind of communication system time synchronization the smallest datum node selection method of series | |
| CN103220336B (en) | The implementation method of vector clock and system in a kind of file synchronization | |
| CN108549797A (en) | A kind of user and user group and the System right management method of role | |
| US10402422B2 (en) | Method and system for synchronizing data | |
| CN108351767B (en) | Graph node with automatically adjusting input ports | |
| CN107682362B (en) | Information flow control method and device | |
| CN104869531A (en) | Group member update method and device | |
| CN107632857B (en) | Method for configuring front-end UI layout of mobile internet application |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20170413 Address after: 430000 East Lake high tech Development Zone, Hubei Province, No. 6, No., high and new technology development zone, No. four Patentee after: Fenghuo Communication Science &. Technology Co., Ltd. Address before: East Lake high tech city of Wuhan province Hubei Dongxin road 430074 No. 5 East optical communication industry building Patentee before: Wuhan Fenghuo Network Co., Ltd. |
|
| TR01 | Transfer of patent right |