CN104253754A - ACL (access control list) fast matching method and equipment - Google Patents
ACL (access control list) fast matching method and equipment Download PDFInfo
- Publication number
- CN104253754A CN104253754A CN201410460519.8A CN201410460519A CN104253754A CN 104253754 A CN104253754 A CN 104253754A CN 201410460519 A CN201410460519 A CN 201410460519A CN 104253754 A CN104253754 A CN 104253754A
- Authority
- CN
- China
- Prior art keywords
- matched rule
- network equipment
- message
- current
- rule
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Abstract
The invention discloses an ACL (access control list) fast matching method and equipment. The method comprises the following steps that when network equipment carries out ACL matching on a message, multiple matching options in the message are obtained; the network equipment respectively determines a rule set corresponding to each matching option; the network equipment judges whether matching rules corresponding to the multiple currently determined rule set exit in the corresponding relationship of the rule set and the matching rules or not; when the matching rules corresponding to the multiple current determined rule set exit, the network equipment determines that the matching rulers are matching rules of the message. According to the embodiment, the processing speed of the message is accelerated, the matching performance of the message is improved, and in addition the processing efficiency of the network equipment is improved.
Description
Technical field
The present invention relates to communication technical field, particularly relate to a kind of method and apparatus of ACL Rapid matching.
Background technology
ACL (Access Control List, Access Control List (ACL)) is the set of one or more of matched rule.When the matched rule of ACL is { source IP address, object IP address }, matched rule is used for mating the source IP address of message and object IP address.Wherein, source IP address and object IP address all represent with IP host address/masked bits number form formula.Such as, ACL comprises following 4 matched rules, R1={1.0.0.0/8,2.2.2.2/32}, R2={1.1.0.0/16,2.2.2.0/24}, R3={1.1.1.0/24,2.2.0.0/16}, R4={1.1.1.1/32,2.0.0.0/8}.Be 1.0.0.0/8, object IP address for source IP address be the message of 2.2.2.2/32, will match the matched rule R1 in ACL, by that analogy, other matched rule repeats no more.
When the network equipment receives message at every turn, the information (as source IP address and object IP address) all by carrying in message inquires about the matched rule in ACL, to judge whether message can match the matched rule in ACL.When the matched rule in ACL is a lot, during matched rule in the information inquiry ACL carried in network device via report, the treatment effeciency of the network equipment is very low, and processing speed is very slow.
Summary of the invention
The embodiment of the present invention provides a kind of method of access control list ACL Rapid matching, and the method comprises: the network equipment, when carrying out ACL coupling to message, obtains the multiple match options in described message; The described network equipment determines the regular collection that each match options is corresponding respectively; In the corresponding relation of the set of described network equipment judgment rule and matched rule, whether there is the current matched rule corresponding to multiple regular collections determined; When there is the matched rule corresponding to the current multiple regular collections determined, then the described network equipment determines that described matched rule is the matched rule of described message.
The described network equipment judges in corresponding relation, whether there is the current matched rule corresponding to multiple regular collections determined, also comprise afterwards: when there is not the matched rule corresponding to the current multiple regular collections determined, then the described network equipment occurs simultaneously to the current multiple rule set conjunction determined, obtain matched rule to occur simultaneously, from described matched rule occurs simultaneously, select a matched rule to be the matched rule of described message, and in described corresponding relation, store the matched rule of current multiple regular collection of determining and current selection.
Described method comprises further:
The stretching, extension that the described network equipment builds the corresponding relation being used for storage rule set and matched rule is set;
The corresponding relation of regular collection and matched rule is stored in described stretching, extension and sets by the described network equipment;
The described network equipment utilizes described stretching, extension to set the upper regular collection of storage and the corresponding relation of matched rule, judges whether described stretching, extension tree exists the current matched rule corresponding to multiple regular collections determined.
Described method comprises further:
The described network equipment is after being stored in the corresponding relation between current multiple regular collection of determining and the matched rule of current selection and stretching and set, and the corresponding relation between current multiple regular collection of determining and the matched rule of current selection is moved to the root node stretching and set by singly revolving operation by the described network equipment.
When the described network equipment comprises multiple central processor CPU, corresponding one of each CPU stretches tree, and described method comprises further:
The described network equipment utilizes the five-tuple information of message to carry out hash to message, to obtain CPU corresponding to this message, and this message is sent to this CPU, carries out ACL coupling by this CPU to message.
The embodiment of the present invention provides a kind of network equipment, and the described network equipment specifically comprises:
Obtain module, for when conducting interviews control list ACL coupling to message, obtain the multiple match options in described message; Determination module, for determining the regular collection that each match options is corresponding respectively; Whether judge module, in the corresponding relation of judgment rule set and matched rule, exist the current matched rule corresponding to multiple regular collections determined of described determination module; Selecting module, for when there is the matched rule corresponding to the described current multiple regular collections determined, selecting the matched rule corresponding to described multiple regular collection to be the matched rule of described message.
Described selection module, also for when there is not the matched rule corresponding to the described current multiple regular collections determined, occur simultaneously to the current multiple rule set conjunction determined, obtain matched rule and occur simultaneously, from described matched rule occurs simultaneously, selection matched rule is the matched rule of described message;
The described network equipment also comprises: memory module, in the corresponding relation of described regular collection and matched rule, stores the matched rule of current multiple regular collection of determining and current selection.
Described memory module, sets for the stretching, extension built for the corresponding relation of storage rule set and matched rule, and the corresponding relation of regular collection and matched rule is stored in described stretching, extension sets;
Described judge module, specifically for utilizing described stretching, extension to set the upper regular collection of storage and the corresponding relation of matched rule, judges whether described stretching, extension tree exists the current matched rule corresponding to multiple regular collections determined.
Described memory module, being further used for after the corresponding relation between current multiple regular collection of determining and the matched rule of current selection is stored in stretches and set, by singly revolving operation, the corresponding relation between current multiple regular collection of determining and the matched rule of current selection being moved to the root node stretching and set.
When the described network equipment comprises multiple CPU, corresponding one of each CPU stretches tree; Described acquisition module, also for utilizing the five-tuple information of message to carry out hash to message, to obtain CPU corresponding to described message, and sending to this CPU by described message, carrying out ACL coupling by this CPU to described message.
Based on technique scheme, in the embodiment of the present invention, by the corresponding relation of record rule set and matched rule, for the non-first message of data flow, when carrying out ACL coupling to message, can directly by the corresponding relation of regular collection and matched rule, obtain the matched rule of message, and utilize strategy corresponding to the matched rule of message to process message, thus do not need to perform the process of occuring simultaneously to rule set conjunction, improve processing speed and the matching performance of message, and improve the treatment effeciency of the network equipment.
Accompanying drawing explanation
Fig. 1 is the method flow schematic diagram of a kind of ACL Rapid matching that the embodiment of the present invention proposes;
Fig. 2-Fig. 4 is the structural representation of the stretching, extension tree proposed in the embodiment of the present invention;
Fig. 5 is the structural representation of a kind of network equipment that the embodiment of the present invention proposes.
Embodiment
For problems of the prior art, the embodiment of the present invention provides a kind of method of ACL Rapid matching, and the method is used for Rapid matching to the matched rule in ACL.Wherein, a matched rule in ACL generally includes multiple match options, as matched rule be { source IP address, object IP address } time, the match options that this matched rule comprises is source IP address and object IP address.When the source IP address in the source IP address carried in message and matched rule matches, and during object IP addresses match in the object IP address of carrying in message and this matched rule, then illustrate that this message can match this matched rule.Further, between the Different matching rule in ACL, there is priority relationship, when the information matches of carrying in message is to multiple matched rule in ACL, determine that this message matches the highest matched rule of priority.
As shown in Figure 1, the method for this ACL Rapid matching specifically can comprise the following steps:
Step 101, the network equipment, when carrying out ACL coupling to message, obtains the multiple match options in message.Wherein, multiple match options specifically include but not limited to following in several arbitrarily: source IP address, object IP address, source port number, destination slogan, protocol type etc.For convenience of description, in the embodiment of the present invention, be { source IP address, object IP address } be example with the matched rule in ACL, based on this, then the match options obtained in message specifically comprises source IP address and object IP address.
Concrete, the network equipment is when receiving message, if the matched rule in ACL is { source IP address, object IP address }, then need to be mated multiple match options (as source IP address and object IP address) of this message by ACL, therefore, the network equipment needs to extract the source IP address and object IP address that carry in this message, suppose that source IP address be 1.1.1.1, object IP address is 2.2.0.0.
Step 102, the network equipment determines the regular collection that each match options is corresponding respectively.
In the embodiment of the present invention, ACL is the set of one or more of matched rule, suppose that ACL comprises following 4 matched rules, R1={1.0.0.0/8,2.2.2.2/32}, R2={1.1.0.0/16,2.2.2.0/24}, R3={1.1.1.0/24,2.2.0.0/16}, R4={1.1.1.1/32,2.0.0.0/8}.
The network equipment, extracting after source IP address is 1.1.1.1 (match options) from message, determines the regular collection S1 that source IP address (1.1.1.1) is corresponding.First, whether the source IP address (1.1.1.1) carried in network equipment query message mates with the source IP address (1.0.0.0/8) in matched rule R1; Due to the subset that source IP address (1.1.1.1) is source IP address (1.0.0.0/8), therefore the two matches, and comprises matched rule R1 in regular collection S1.Secondly, whether the source IP address (1.1.1.1) carried in network equipment query message mates with the source IP address (1.1.0.0/16) in matched rule R2; Due to the subset that source IP address (1.1.1.1) is source IP address (1.1.0.0/16), therefore the two matches, and comprises matched rule R2 in regular collection S1.By that analogy, because source IP address (1.1.1.1) is the subset of source IP address (1.1.1.0/24), therefore matched rule R3 is comprised in regular collection S1; Due to the subset that source IP address (1.1.1.1) is source IP address (1.1.1.1/32), therefore, in regular collection S1, comprise matched rule R4.Therefore, network equipment determination regular collection S1 is { R1, R2, R3, R4}.
The network equipment, extracting after object IP address is 2.2.0.0 (match options) from message, determines the regular collection S2 that object IP address (2.2.0.0) is corresponding.First, whether the object IP address (2.2.0.0) of carrying in network equipment query message mates with the object IP address (2.2.2.2/32) in matched rule R1; Due to the subset that object IP address (2.2.0.0) is not object IP address (2.2.2.2/32), therefore the two does not mate, and does not comprise matched rule R1 in regular collection S2.By that analogy, because object IP address (2.2.0.0) is not the subset of object IP address (2.2.2.0/24), therefore, in regular collection S2, matched rule R2 is not comprised.Due to the subset that object IP address (2.2.0.0) is object IP address (2.2.0.0/16), therefore, in regular collection S2, comprise matched rule R3.Due to the subset that object IP address (2.2.0.0) is object IP address (2.0.0.0/8), therefore, in regular collection S2, comprise matched rule R4.Therefore, network equipment determination regular collection S2 is { R3, R4}.
Whether step 103, in the corresponding relation of the set of network equipment judgment rule and matched rule, exist the current matched rule corresponding to multiple regular collections (regular collection that each match options namely determined in step 102 is corresponding) determined; If not, then step 104 is performed; If so, then step 105 is performed.Wherein, in the corresponding relation of regular collection and matched rule, matched rule is only a matched rule.
In the embodiment of the present invention, the corresponding relation of meeting maintenance regulation set and matched rule on the network equipment, as the network equipment passes through the corresponding relation of the mapping table storage rule set shown in table 1 and matched rule.Based on the corresponding relation of this regular collection and matched rule, the network equipment, after determining the regular collection that each match options is corresponding, judges whether there is the current matched rule corresponding to multiple regular collections determined in mapping table.Wherein, matched rule refers to a matched rule in ACL, as matched rule R1 or matched rule R2 or matched rule R3 or matched rule R4 etc.Such as, mapping table as shown in table 1, be S1 at the current multiple regular collections determined be { R1, R2, R3, R4}, S3 is { R2, during R4}, then illustrate in the corresponding relation of regular collection and matched rule, there is the current matched rule (R2) corresponding to multiple regular collections (S1, S3) determined.To be S1 at the current multiple regular collections determined be, and { R1, R2, R3, R4}, S2 { when R3, R4}, then illustrate in the corresponding relation of regular collection and matched rule, there is not the current matched rule corresponding to multiple regular collections (S1, S2) determined.
Table 1
Step 104, the network equipment occurs simultaneously to the current multiple rule set conjunction determined, obtain matched rule to occur simultaneously, and from this matched rule occurs simultaneously, select the matched rule that a matched rule (first matched rule in occuring simultaneously as selected matched rule) is message, and in corresponding relation the corresponding relation of regular collection and matched rule (i.e. in), store the matched rule of current multiple regular collection of determining and current selection.
Wherein, the network equipment only needs the matched rule storing current selection in corresponding relation.
After this step 104, then current message is matched to the matched rule in ACL, terminate coupling flow process, follow-uply carry out relevant treatment according to this matched rule to message, this process repeats no more.
Wherein, matched rule common factor refers to the common factor of the matched rule in multiple regular collection.Such as, when regular collection S1 is { R1, R2, R3, R4}, regular collection S2 is { R3, during R4}, then the common factor of the matched rule in multiple regular collection (S1, S2) is { R1, R2, R3, R4} and the { common factor between R3, R4}, obviously, common factor is therebetween { R3, R4}, namely matched rule occurs simultaneously for { R3, R4}.
To be S1 at the current multiple regular collections determined be, and { { when R3, R4}, due in the corresponding relation of regular collection and matched rule, there is not the current matched rule corresponding to multiple regular collections (S1, S2) determined in R1, R2, R3, R4}, S2.Therefore, the network equipment gets common factor to the current multiple regular collections (S1, S2) determined, obtains matched rule common factor { R3, R4}.Afterwards, the network equipment is from this matched rule common factor { R3, first matched rule R3 is selected to be the matched rule of message in R4}, and in corresponding relation (i.e. the corresponding relation of regular collection and matched rule), store the matched rule R3 of the current multiple regular collections (S1, S2) determined and current selection, mapping table as shown in table 2.
Table 2
Step 105, the network equipment directly determines the matched rule that matched rule (matched rule that namely regular collection is corresponding with the current multiple regular collections determined existed in the corresponding relation of matched rule) is message.
After this step 105, then current message is matched to the matched rule in ACL, terminate coupling flow process, follow-uply carry out relevant treatment according to this matched rule to message, this process repeats no more.
Such as, be S1 at the current multiple regular collections determined be { R1, R2, R3, R4}, S3 is { R2, during R4}, as shown in table 1, owing to there is the matched rule (R2) corresponding to the current multiple regular collections (S1, S3) determined in the corresponding relation of regular collection and matched rule, therefore, the network equipment directly determines that the matched rule R2 existed in the corresponding relation of regular collection and matched rule is the matched rule of message.
Based on technique scheme, in the embodiment of the present invention, for the first message of data flow, as being 1.1.1.1 for source IP address, object IP address is the first message of the data flow of 2.2.0.0, and regular collection will not exist matched rule corresponding to the current multiple regular collections (S1 and S2) determined with the corresponding relation of matched rule.Now, the network equipment gets common factor to the current multiple regular collections (S1 and S2) determined, namely to regular collection, { { R3, R4} get common factor, obtain matched rule common factor { R3, R4} for R1, R2, R3, R4} and regular collection; The network equipment is from matched rule common factor { R3, first matched rule R3 is selected to be the matched rule of message in R4}, then by the strategy that this matched rule R3 is corresponding, message can be processed, and in corresponding relation the corresponding relation of regular collection and matched rule (i.e. in), store the matched rule (R3) of the current multiple regular collections (S1 and S2) determined and current selection, as shown in table 2, be the corresponding relation of regular collection and matched rule.For the non-first message of data flow, as being 1.1.1.1 for source IP address, object IP address is the non-first message of the data flow of 2.2.0.0, as shown in table 2, will there is matched rule corresponding to the current multiple regular collections (S1 and S2) determined with the corresponding relation of matched rule in regular collection.Now, the matched rule that the matched rule (R3) directly determined corresponding to the current multiple regular collections (S1 and S2) determined that exist in the corresponding relation of regular collection and matched rule is message by the network equipment, can be processed message by the strategy that this matched rule R3 is corresponding then.
Based on above-mentioned process, in the embodiment of the present invention, by the corresponding relation of record rule set and matched rule, for the non-first message of data flow, the network equipment is when carrying out ACL coupling to message, can directly by the corresponding relation of regular collection and matched rule, obtain the matched rule of message, and utilize strategy corresponding to the matched rule of message to process message, thus do not need to perform the process of occuring simultaneously to rule set conjunction, improve processing speed and the matching performance of message, and improve the treatment effeciency of the network equipment.
In the embodiment of the present invention, the network equipment is when the corresponding relation of maintenance regulation set and matched rule, and the corresponding relation (as shown in table 1, table 2) of regular collection and matched rule can directly be stored in cache (cache memory) by the network equipment.Further, the corresponding relation of regular collection and matched rule can be stored in stretch and set by the network equipment, and is stored in the cache of the network equipment by stretching, extension tree.
Concrete, the stretching, extension that the network equipment builds the corresponding relation being used for storage rule set and matched rule is set, and the corresponding relation (corresponding relation as shown in Table 1 and Table 2) of regular collection and matched rule is stored in this stretching, extension sets.Further, for step 103, the network equipment is in the corresponding relation of judgment rule set and matched rule, when whether there is the current matched rule corresponding to multiple regular collections determined, the network equipment utilizes and stretches the upper regular collection of storage of tree and the corresponding relation of matched rule, judges whether this stretching, extension tree exists the current matched rule corresponding to multiple regular collections determined.
Wherein, stretch the improvement that tree is binary search tree, there is the order of binary search tree, in embodiments of the present invention, the each node stretching tree represents the corresponding relation of regular collection and matched rule, and regular collection is the index of node, and matched rule is the numerical value of node.Further, stretching tree is an empty tree or the binary tree with following character: (1) if left subtree is not empty, then on left subtree, the value of all nodes is all less than the value of its root node; (2) if right subtree is not empty, then on right subtree, the value of all nodes is all greater than the value of its root node; (3) left and right subtree is also respectively binary sort tree.
In the embodiment of the present invention, after structure stretches tree, the network equipment needs that the corresponding relation of regular collection and matched rule is stored in this stretching, extension and sets, namely at step 104, the network equipment is selected after a matched rule is the matched rule of message from matched rule occurs simultaneously, and is stretching corresponding relation tree stored between current multiple regular collection of determining and the matched rule of current selection.
Suppose that the current source IP address that receives is 1.1.1.1, object IP address is the first message of the data flow of 2.2.0.0, then the network equipment needs the corresponding relation between regular collection (S1 and S2) and matched rule (R3) to be stored into stretch to set.In storing process, first perform lookup algorithm, determine the current father node being inserted into the node (being assumed to be node m) stretching tree, concrete father node lookup algorithm repeats no more.Afterwards, decision node m is the left son of its father node or right son, when node m is the left son of its father node, node m is inserted into the left son position of the father node stretched on tree; When node m is the right son of its father node, node m is inserted into the right son position of the father node stretched on tree.Wherein, node m represents the corresponding relation between regular collection (S1 and S2) and matched rule (R3).The storing process of node m and existing to stretch the mode setting memory node similar, does not repeat them here.
Further, the network equipment is after being stored in the corresponding relation between current multiple regular collection of determining and the matched rule of current selection and stretching and set, and the corresponding relation between current multiple regular collection of determining and the matched rule of current selection is moved to the root node stretching and set by singly revolving operation by the network equipment.
Based on stretch tree insertion algorithm, the network equipment the corresponding relation of regular collection and matched rule is stored in stretch set time, the corresponding relation of this regular collection and matched rule generally can not be stored in the root node stretching and set.Therefore, corresponding relation between current multiple regular collection of determining and the matched rule of current selection, after being stored in by the corresponding relation between current multiple regular collection of determining and the matched rule of current selection and stretching and set, can also be moved to the root node stretching and set by singly revolving operation by the network equipment.
In the embodiment of the present invention, the network equipment is when receiving the non-first message of data flow, if the corresponding relation of the regular collection that this message is corresponding and matched rule is not stretching the root node set, then the network equipment is after the corresponding relation inquiring regular collection corresponding to this message and matched rule, by singly revolving operation, the corresponding relation of regular collection corresponding for this message and matched rule can also be moved to the root node stretching and set.
As shown in Figure 2, for stretching the structural representation of tree, suppose that the corresponding relation of the regular collection that the non-first message of the current data flow received is corresponding and matched rule is node x, then the network equipment needs node x to be moved to by singly revolving operation the root node stretching tree.As shown in Figure 3, being the structure that the stretching, extension after singly revolving operation is for the first time set, as shown in Figure 4, is the structure of the stretching, extension tree after second time singly revolves operation.Singly revolve operation through twice, the network equipment node x is moved to stretch tree root node, wherein, to stretch tree singly revolve mode of operation and existing mode of operation of singly revolving is similar, do not repeat them here.
Suppose that node x represents the corresponding relation between regular collection (S1 and S2) and matched rule (R3), the network equipment is 1.1.1.1 receiving source IP address, when object IP address is the non-first message of the data flow of 2.2.0.0, based on the stretching, extension tree shown in Fig. 4, the network equipment inquires about by the regular collection S1 of source IP address 1.1.1.1 (i.e. match options) correspondence and the regular collection S2 of object IP address 2.2.0.0 (i.e. match options) correspondence the index stretching tree, because the index of the root node stretching tree is S1 and S2, therefore, the network equipment directly determines that the root node of stretching, extension tree and message match, and determine the matched rule that the numerical value (i.e. matched rule R3) of the root node stretching tree is message, afterwards, the network equipment can be processed message by the strategy that this matched rule R3 is corresponding.
In the embodiment of the present invention, the network equipment is after being stored in the corresponding relation between current multiple regular collection of determining and the matched rule of current selection and stretching and set, because the corresponding relation between current multiple regular collection of determining and the matched rule of current selection is moved to the root node stretching and set by singly revolving operation by the network equipment, again owing to for a large amount of messages of same data flow being reception continuously, therefore, the network equipment is when receiving message next time, when stretching tree by the current multiple regular collection inquiries determined, directly can inquire the root node stretching tree, namely only one query is needed, namely the matched rule of object can be investigated and prosecuted, thus save the queries stretching tree, accelerate matched rule constant speed degree really.
In the embodiment of the present invention, when the network equipment is device for multi-core, namely when the network equipment comprises multiple CPU (Central Processing Unit, central processing unit), then each CPU safeguards cache separately, and corresponding one of each CPU stretches tree.Based on this, the network equipment, when receiving message, first utilizes the five-tuple information of message to carry out hash to message, to obtain CPU corresponding to this message, and this message is sent to this CPU, by this CPU, ACL coupling is carried out to message, namely perform above-mentioned flow process by this CPU.
Wherein, the five-tuple information of message comprises: the object IP address information of the source IP address information of message, the source port information of message, message, the destination interface information of message, the transport layer protocol number of message.
Based on the inventive concept same with said method, additionally provide a kind of network equipment in the embodiment of the present invention, as shown in Figure 5, the described network equipment specifically comprises:
Obtain module 11, for when conducting interviews control list ACL coupling to message, obtain the multiple match options in described message;
Determination module 12, for determining the regular collection that each match options is corresponding respectively;
Whether judge module 13, in the corresponding relation of judgment rule set and matched rule, exist the current matched rule corresponding to multiple regular collections determined of described determination module;
Selecting module 14, for when there is the matched rule corresponding to the described current multiple regular collections determined, selecting the matched rule corresponding to described multiple regular collection to be the matched rule of described message.
Described selection module 14, also for when there is not the matched rule corresponding to the described current multiple regular collections determined, the current multiple rule set conjunction determined are occured simultaneously, obtain matched rule to occur simultaneously, from described matched rule occurs simultaneously, selection matched rule is the matched rule of described message;
The described network equipment also comprises: memory module 15, in the corresponding relation of described regular collection and matched rule, stores the matched rule of current multiple regular collection of determining and current selection.
Described memory module 15, sets for the stretching, extension built for the corresponding relation of storage rule set and matched rule, and the corresponding relation of regular collection and matched rule is stored in described stretching, extension sets;
Described judge module 13, specifically for utilizing described stretching, extension to set the upper regular collection of storage and the corresponding relation of matched rule, judges whether described stretching, extension tree exists the current matched rule corresponding to multiple regular collections determined.
Described memory module 15, being further used for after the corresponding relation between current multiple regular collection of determining and the matched rule of current selection is stored in stretches and set, by singly revolving operation, the corresponding relation between current multiple regular collection of determining and the matched rule of current selection being moved to the root node stretching and set.
In the embodiment of the present invention, when the described network equipment comprises multiple central processor CPU, corresponding one of each CPU stretches tree; Described acquisition module 11, also for utilizing the five-tuple information of message to carry out hash to message, to obtain CPU corresponding to described message, and sending to this CPU by described message, carrying out ACL coupling by this CPU to described message.
Wherein, the modules of apparatus of the present invention can be integrated in one, and also can be separated deployment.Above-mentioned module can merge into a module, also can split into multiple submodule further.
Through the above description of the embodiments, those skilled in the art can be well understood to the mode that the present invention can add required general hardware platform by software and realize, and can certainly pass through hardware, but in a lot of situation, the former is better execution mode.Based on such understanding, technical scheme of the present invention can embody with the form of software product the part that prior art contributes in essence in other words, this computer software product is stored in a storage medium, comprising some instructions in order to make a computer equipment (can be personal computer, server, or the network equipment etc.) perform method described in each embodiment of the present invention.It will be appreciated by those skilled in the art that accompanying drawing is the schematic diagram of a preferred embodiment, the module in accompanying drawing or flow process might not be that enforcement the present invention is necessary.It will be appreciated by those skilled in the art that the module in the device in embodiment can carry out being distributed in the device of embodiment according to embodiment description, also can carry out respective change and be arranged in the one or more devices being different from the present embodiment.The module of above-described embodiment can merge into a module, also can split into multiple submodule further.The invention described above embodiment sequence number, just to describing, does not represent the quality of embodiment.Be only several specific embodiment of the present invention above, but the present invention is not limited thereto, the changes that any person skilled in the art can think of all should fall into protection scope of the present invention.
Claims (10)
1. a method for access control list ACL Rapid matching, is characterized in that, the method comprises:
The network equipment, when carrying out ACL coupling to message, obtains the multiple match options in described message;
The described network equipment determines the regular collection that each match options is corresponding respectively;
In the corresponding relation of the set of described network equipment judgment rule and matched rule, whether there is the current matched rule corresponding to multiple regular collections determined;
When there is the matched rule corresponding to the current multiple regular collections determined, then the described network equipment determines that described matched rule is the matched rule of described message.
2. the method for claim 1, is characterized in that, the described network equipment judges in corresponding relation, whether there is the current matched rule corresponding to multiple regular collections determined, also comprises afterwards:
When there is not the matched rule corresponding to the current multiple regular collections determined, then the described network equipment occurs simultaneously to the current multiple rule set conjunction determined, obtain matched rule to occur simultaneously, from described matched rule occurs simultaneously, select a matched rule to be the matched rule of described message, and in described corresponding relation, store the matched rule of current multiple regular collection of determining and current selection.
3. method as claimed in claim 1 or 2, it is characterized in that, described method comprises further:
The stretching, extension that the described network equipment builds the corresponding relation being used for storage rule set and matched rule is set;
The corresponding relation of regular collection and matched rule is stored in described stretching, extension and sets by the described network equipment;
The described network equipment utilizes described stretching, extension to set the upper regular collection of storage and the corresponding relation of matched rule, judges whether described stretching, extension tree exists the current matched rule corresponding to multiple regular collections determined.
4. method as claimed in claim 3, it is characterized in that, described method comprises further:
The described network equipment is after being stored in the corresponding relation between current multiple regular collection of determining and the matched rule of current selection and stretching and set, and the corresponding relation between current multiple regular collection of determining and the matched rule of current selection is moved to the root node stretching and set by singly revolving operation by the described network equipment.
5. method as claimed in claim 3, is characterized in that, when the described network equipment comprises multiple central processor CPU, corresponding one of each CPU stretches tree, and described method comprises further:
The described network equipment utilizes the five-tuple information of message to carry out hash to message, to obtain CPU corresponding to this message, and this message is sent to this CPU, carries out ACL coupling by this CPU to message.
6. a network equipment, is characterized in that, the described network equipment specifically comprises:
Obtain module, for when conducting interviews control list ACL coupling to message, obtain the multiple match options in described message;
Determination module, for determining the regular collection that each match options is corresponding respectively;
Whether judge module, in the corresponding relation of judgment rule set and matched rule, exist the current matched rule corresponding to multiple regular collections determined of described determination module;
Selecting module, for when there is the matched rule corresponding to the described current multiple regular collections determined, selecting the matched rule corresponding to described multiple regular collection to be the matched rule of described message.
7. the network equipment as claimed in claim 6, is characterized in that,
Described selection module, also for when there is not the matched rule corresponding to the described current multiple regular collections determined, occur simultaneously to the current multiple rule set conjunction determined, obtain matched rule and occur simultaneously, from described matched rule occurs simultaneously, selection matched rule is the matched rule of described message;
The described network equipment also comprises: memory module, in the corresponding relation of described regular collection and matched rule, stores the matched rule of current multiple regular collection of determining and current selection.
8. the network equipment as claimed in claim 7, is characterized in that,
Described memory module, sets for the stretching, extension built for the corresponding relation of storage rule set and matched rule, and the corresponding relation of regular collection and matched rule is stored in described stretching, extension sets;
Described judge module, specifically for utilizing described stretching, extension to set the upper regular collection of storage and the corresponding relation of matched rule, judges whether described stretching, extension tree exists the current matched rule corresponding to multiple regular collections determined.
9. the network equipment as claimed in claim 8, is characterized in that,
Described memory module, being further used for after the corresponding relation between current multiple regular collection of determining and the matched rule of current selection is stored in stretches and set, by singly revolving operation, the corresponding relation between current multiple regular collection of determining and the matched rule of current selection being moved to the root node stretching and set.
10. the network equipment as claimed in claim 8, is characterized in that, when the described network equipment comprises multiple central processor CPU, corresponding one of each CPU stretches tree; Described acquisition module, also for utilizing the five-tuple information of message to carry out hash to message, to obtain CPU corresponding to described message, and sending to this CPU by described message, carrying out ACL coupling by this CPU to described message.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410460519.8A CN104253754B (en) | 2014-09-11 | 2014-09-11 | A kind of method and apparatus of ACL Rapid matching |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410460519.8A CN104253754B (en) | 2014-09-11 | 2014-09-11 | A kind of method and apparatus of ACL Rapid matching |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN104253754A true CN104253754A (en) | 2014-12-31 |
| CN104253754B CN104253754B (en) | 2019-03-15 |
Family
ID=52188309
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201410460519.8A Active CN104253754B (en) | 2014-09-11 | 2014-09-11 | A kind of method and apparatus of ACL Rapid matching |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN104253754B (en) |
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107707479A (en) * | 2017-10-31 | 2018-02-16 | 北京锐安科技有限公司 | The lookup method and device of five-tuple rule |
| CN108718320A (en) * | 2018-06-14 | 2018-10-30 | 浙江远望信息股份有限公司 | A method of forming data packet communication white list to close rule data packet intersection with similar configuration internet of things equipment |
| CN109547502A (en) * | 2019-01-22 | 2019-03-29 | 成都亚信网络安全产业技术研究院有限公司 | Firewall ACL management method and device |
| CN112367262A (en) * | 2020-08-20 | 2021-02-12 | 国家计算机网络与信息安全管理中心 | Matching method and device for quintuple rule |
| CN112804206A (en) * | 2020-12-31 | 2021-05-14 | 北京知道创宇信息技术股份有限公司 | Message matching method and device based on search tree and electronic equipment |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101197675A (en) * | 2007-11-14 | 2008-06-11 | 杭州华三通信技术有限公司 | Accesses control list configuration method and device |
| CN101651623A (en) * | 2009-09-07 | 2010-02-17 | 中兴通讯股份有限公司 | Generation method and device for access control list application |
| CN101753542A (en) * | 2008-12-03 | 2010-06-23 | 北京天融信网络安全技术有限公司 | Method and device for speeding up matching of filter rules of firewalls |
| US20130218853A1 (en) * | 2011-08-02 | 2013-08-22 | Cavium, Inc. | Rule Modification in Decision Trees |
-
2014
- 2014-09-11 CN CN201410460519.8A patent/CN104253754B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101197675A (en) * | 2007-11-14 | 2008-06-11 | 杭州华三通信技术有限公司 | Accesses control list configuration method and device |
| CN101753542A (en) * | 2008-12-03 | 2010-06-23 | 北京天融信网络安全技术有限公司 | Method and device for speeding up matching of filter rules of firewalls |
| CN101651623A (en) * | 2009-09-07 | 2010-02-17 | 中兴通讯股份有限公司 | Generation method and device for access control list application |
| US20130218853A1 (en) * | 2011-08-02 | 2013-08-22 | Cavium, Inc. | Rule Modification in Decision Trees |
Cited By (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107707479A (en) * | 2017-10-31 | 2018-02-16 | 北京锐安科技有限公司 | The lookup method and device of five-tuple rule |
| CN108718320A (en) * | 2018-06-14 | 2018-10-30 | 浙江远望信息股份有限公司 | A method of forming data packet communication white list to close rule data packet intersection with similar configuration internet of things equipment |
| CN108718320B (en) * | 2018-06-14 | 2021-03-30 | 浙江远望信息股份有限公司 | Method for forming data packet communication white list by intersection of compliance data packets of similar same-configuration Internet of things equipment |
| CN109547502A (en) * | 2019-01-22 | 2019-03-29 | 成都亚信网络安全产业技术研究院有限公司 | Firewall ACL management method and device |
| CN112367262A (en) * | 2020-08-20 | 2021-02-12 | 国家计算机网络与信息安全管理中心 | Matching method and device for quintuple rule |
| CN112804206A (en) * | 2020-12-31 | 2021-05-14 | 北京知道创宇信息技术股份有限公司 | Message matching method and device based on search tree and electronic equipment |
Also Published As
| Publication number | Publication date |
|---|---|
| CN104253754B (en) | 2019-03-15 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US9704574B1 (en) | Method and apparatus for pattern matching | |
| US9984144B2 (en) | Efficient lookup of TCAM-like rules in RAM | |
| CN104168222A (en) | Message transmission method and device | |
| CN104253754A (en) | ACL (access control list) fast matching method and equipment | |
| CN101594319B (en) | Entry lookup method and entry lookup device | |
| US11100073B2 (en) | Method and system for data assignment in a distributed system | |
| US20220045875A1 (en) | Multicast message processing method and apparatus, storage medium and processor | |
| CN104679778A (en) | Search result generating method and device | |
| US9294390B2 (en) | Hash table storage and search methods and devices | |
| CN104580027A (en) | OpenFlow message forwarding method and equipment | |
| CN101753445A (en) | Fast flow classification method based on keyword decomposition hash algorithm | |
| CN111868710A (en) | Random extraction forest index structure for searching large-scale unstructured data | |
| CN101140592A (en) | Keywords storing and researching method and apparatus | |
| CN110858823B (en) | Data packet classification method and device and computer readable storage medium | |
| CN105515997B (en) | The higher efficiency range matching process of zero scope expansion is realized based on BF_TCAM | |
| CN101848248B (en) | Rule searching method and device | |
| US9485179B2 (en) | Apparatus and method for scalable and flexible table search in a network switch | |
| CN107948060A (en) | A kind of new routing table is established and IP method for searching route and device | |
| CN102308296A (en) | Hash calculating and processing method and device | |
| CN107276916A (en) | Interchanger flow table management method based on agreement unaware retransmission technique | |
| WO2017065795A1 (en) | Incremental update of a neighbor graph via an orthogonal transform based indexing | |
| CN109039911B (en) | Method and system for sharing RAM based on HASH searching mode | |
| Kekely et al. | Packet classification with limited memory resources | |
| US20160105363A1 (en) | Memory system for multiple clients | |
| CN106027369A (en) | Email address characteristic oriented email address matching method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| EXSB | Decision made by sipo to initiate substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| CB02 | Change of applicant information |
Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No. Applicant after: Xinhua three Technology Co., Ltd. Address before: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No. Applicant before: Huasan Communication Technology Co., Ltd. |
|
| CB02 | Change of applicant information | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |