CN104253754B - A kind of method and apparatus of ACL Rapid matching - Google Patents
- Publication number: CN104253754B (application CN201410460519.8A)
- Authority: CN (China)
- Prior art keywords: matching rule, message, network equipment, rule, matching
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Landscapes: Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a method and apparatus for ACL rapid matching. The method comprises: when performing ACL matching on a packet, the network device obtains multiple match options from the packet; the network device determines the rule set corresponding to each match option; the network device judges whether, in the correspondence between rule sets and matching rules, there is a matching rule corresponding to the multiple rule sets currently determined; and when such a matching rule exists, the network device determines that this matching rule is the matching rule of the packet. In the embodiment of the present invention, the processing speed and matching performance for packets are improved, and the processing efficiency of the network device is improved.
Description
Technical field
The present invention relates to the field of communication technology, and in particular to a method and apparatus for ACL rapid matching.
Background technique
An ACL (Access Control List) is a set of one or more matching rules. When the matching rules of an ACL have the form {source IP address, destination IP address}, a matching rule is matched against the source IP address and destination IP address of a packet, where the source and destination IP addresses are expressed as an IP host address followed by a mask length. For example, suppose an ACL contains the following four matching rules: R1 = {1.0.0.0/8, 2.2.2.2/32}, R2 = {1.1.0.0/16, 2.2.2.0/24}, R3 = {1.1.1.0/24, 2.2.0.0/16}, R4 = {1.1.1.1/32, 2.0.0.0/8}. A packet whose source IP address is 1.0.0.0/8 and whose destination IP address is 2.2.2.2/32 matches the matching rule R1 in the ACL, and so on for the other matching rules, which are not repeated here.
Each time the network device receives a packet, it uses the information carried in the packet (such as the source IP address and destination IP address) to look up the matching rules in the ACL, so as to judge which matching rule in the ACL, if any, the packet matches. When the ACL contains many matching rules, looking up the matching rules in the ACL with the information carried in every packet makes the processing efficiency of the network device very low and its processing speed very slow.
Summary of the invention
The embodiment of the present invention provides a method for rapid matching of an access control list (ACL). The method comprises: when performing ACL matching on a packet, the network device obtains multiple match options from the packet; the network device determines the rule set corresponding to each match option; the network device judges whether, in the correspondence between rule sets and matching rules, there is a matching rule corresponding to the multiple rule sets currently determined; and when such a matching rule exists, the network device determines that this matching rule is the matching rule of the packet.
After the network device judges whether there is, in the correspondence, a matching rule corresponding to the multiple rule sets currently determined, the method further comprises: when there is no matching rule corresponding to the multiple rule sets currently determined, the network device intersects the multiple rule sets currently determined to obtain a matching rule intersection, selects one matching rule from the matching rule intersection as the matching rule of the packet, and stores in the correspondence the multiple rule sets currently determined together with the matching rule currently selected.
The method further includes:
the network device constructs a splay tree for storing the correspondence between rule sets and matching rules;
the network device stores the correspondence between rule sets and matching rules on the splay tree;
the network device uses the correspondence between rule sets and matching rules stored on the splay tree to judge whether there is, on the splay tree, a matching rule corresponding to the multiple rule sets currently determined.
The method further includes:
after the network device stores in the splay tree the correspondence between the multiple rule sets currently determined and the matching rule currently selected, the network device moves that correspondence to the root node of the splay tree by single rotation operations.
When the network device includes multiple central processing units (CPUs), each CPU corresponds to one splay tree, and the method further comprises: the network device hashes the packet using the five-tuple information of the packet to obtain the CPU corresponding to the packet, and sends the packet to that CPU, which performs the ACL matching on the packet.
The embodiment of the present invention also provides a network device, which specifically includes: an obtaining module, configured to obtain multiple match options from a packet when performing access control list (ACL) matching on the packet; a determining module, configured to determine the rule set corresponding to each match option; a judging module, configured to judge whether, in the correspondence between rule sets and matching rules, there is a matching rule corresponding to the multiple rule sets currently determined by the determining module; and a selecting module, configured to select, when there is a matching rule corresponding to the multiple rule sets currently determined, that matching rule as the matching rule of the packet.
The selecting module is further configured to, when there is no matching rule corresponding to the multiple rule sets currently determined, intersect the multiple rule sets currently determined to obtain a matching rule intersection and select one matching rule from the matching rule intersection as the matching rule of the packet.
The network device further includes: a storage module, configured to store, in the correspondence between rule sets and matching rules, the multiple rule sets currently determined together with the matching rule currently selected.
The storage module is configured to construct a splay tree for storing the correspondence between rule sets and matching rules, and to store the correspondence between rule sets and matching rules on the splay tree.
The judging module is specifically configured to use the correspondence between rule sets and matching rules stored on the splay tree to judge whether there is, on the splay tree, a matching rule corresponding to the multiple rule sets currently determined.
The storage module is further configured to, after storing in the splay tree the correspondence between the multiple rule sets currently determined and the matching rule currently selected, move that correspondence to the root node of the splay tree by single rotation operations.
When the network device includes multiple CPUs, each CPU corresponds to one splay tree; the obtaining module is further configured to hash the packet using the five-tuple information of the packet to obtain the CPU corresponding to the packet, and to send the packet to that CPU, which performs the ACL matching on the packet.
Based on the above technical solution, in the embodiment of the present invention, by recording the correspondence between rule sets and matching rules, the network device can, when performing ACL matching on a packet that is not the first packet of a flow, obtain the matching rule of the packet directly from the correspondence between rule sets and matching rules and process the packet with the policy corresponding to that matching rule, without needing to carry out the intersection of the rule sets. This improves the processing speed and matching performance for packets and improves the processing efficiency of the network device.
Detailed description of the invention
Fig. 1 is a schematic flowchart of the ACL rapid matching method proposed in the embodiment of the present invention;
Fig. 2 to Fig. 4 are schematic structural diagrams of the splay tree proposed in the embodiment of the present invention;
Fig. 5 is a schematic structural diagram of the network device proposed in the embodiment of the present invention.
Specific embodiment
In view of the problems in the prior art, the embodiment of the present invention provides an ACL rapid matching method for rapidly matching a packet to a matching rule in an ACL. A matching rule in an ACL generally includes multiple match options; for example, when the matching rule is {source IP address, destination IP address}, the match options it includes are the source IP address and the destination IP address. When the source IP address carried in the packet matches the source IP address in the matching rule, and the destination IP address carried in the packet matches the destination IP address in the matching rule, the packet can be matched to that matching rule. Further, there is a priority relationship between the different matching rules in an ACL: when the information carried in a packet matches multiple matching rules in the ACL, the packet is determined to match the matching rule with the highest priority.
As shown in Fig. 1, the ACL rapid matching method may specifically include the following steps:
Step 101: when performing ACL matching on a packet, the network device obtains multiple match options from the packet. The multiple match options specifically include, but are not limited to, any several of the following: source IP address, destination IP address, source port number, destination port number, protocol type, and so on. For convenience of description, the embodiment of the present invention takes the matching rule in the ACL to be {source IP address, destination IP address}; on this basis, the match options obtained from the packet specifically include the source IP address and the destination IP address.
Specifically, when the network device receives a packet and the matching rules in the ACL have the form {source IP address, destination IP address}, the packet needs to be matched by the ACL on multiple match options (such as the source IP address and destination IP address). Therefore, the network device needs to extract the source IP address and destination IP address carried in the packet; suppose the source IP address is 1.1.1.1 and the destination IP address is 2.2.0.0.
Step 102: the network device determines the rule set corresponding to each match option.
In the embodiment of the present invention, the ACL is a set of one or more matching rules. Suppose the ACL contains the following four matching rules: R1 = {1.0.0.0/8, 2.2.2.2/32}, R2 = {1.1.0.0/16, 2.2.2.0/24}, R3 = {1.1.1.0/24, 2.2.0.0/16}, R4 = {1.1.1.1/32, 2.0.0.0/8}.
After extracting the source IP address 1.1.1.1 (a match option) from the packet, the network device determines the rule set S1 corresponding to the source IP address (1.1.1.1). First, the network device queries whether the source IP address (1.1.1.1) carried in the packet matches the source IP address (1.0.0.0/8) in matching rule R1; since the source IP address (1.1.1.1) is a subset of the source IP address (1.0.0.0/8), the two match, and rule set S1 includes matching rule R1. Second, the network device queries whether the source IP address (1.1.1.1) carried in the packet matches the source IP address (1.1.0.0/16) in matching rule R2; since the source IP address (1.1.1.1) is a subset of the source IP address (1.1.0.0/16), the two match, and rule set S1 includes matching rule R2. By the same reasoning, since the source IP address (1.1.1.1) is a subset of the source IP address (1.1.1.0/24), rule set S1 includes matching rule R3; and since the source IP address (1.1.1.1) is a subset of the source IP address (1.1.1.1/32), rule set S1 includes matching rule R4. Therefore, the network device determines that rule set S1 is {R1, R2, R3, R4}.
After extracting the destination IP address 2.2.0.0 (a match option) from the packet, the network device determines the rule set S2 corresponding to the destination IP address (2.2.0.0). First, the network device queries whether the destination IP address (2.2.0.0) carried in the packet matches the destination IP address (2.2.2.2/32) in matching rule R1; since the destination IP address (2.2.0.0) is not a subset of the destination IP address (2.2.2.2/32), the two do not match, and rule set S2 does not include matching rule R1. By the same reasoning, since the destination IP address (2.2.0.0) is not a subset of the destination IP address (2.2.2.0/24), rule set S2 does not include matching rule R2. Since the destination IP address (2.2.0.0) is a subset of the destination IP address (2.2.0.0/16), rule set S2 includes matching rule R3; and since the destination IP address (2.2.0.0) is a subset of the destination IP address (2.0.0.0/8), rule set S2 includes matching rule R4. Therefore, the network device determines that rule set S2 is {R3, R4}.
Step 103: the network device judges whether, in the correspondence between rule sets and matching rules, there is a matching rule corresponding to the multiple rule sets currently determined (that is, the rule set corresponding to each match option as determined in step 102). If not, step 104 is performed; if so, step 105 is performed. In the correspondence between rule sets and matching rules, the matching rule is a single matching rule.
In the embodiment of the present invention, the network device maintains the correspondence between rule sets and matching rules, for example by storing it in a mapping table as shown in Table 1. Based on this correspondence, after determining the rule set corresponding to each match option, the network device judges whether the mapping table contains a matching rule corresponding to the multiple rule sets currently determined. Here a matching rule means one matching rule in the ACL, such as R1, R2, R3 or R4. For example, with the mapping table shown in Table 1, when the multiple rule sets currently determined are S1 = {R1, R2, R3, R4} and S3 = {R2, R4}, the correspondence between rule sets and matching rules does contain a matching rule (R2) corresponding to the multiple rule sets currently determined (S1, S3). When the multiple rule sets currently determined are S1 = {R1, R2, R3, R4} and S2 = {R3, R4}, the correspondence between rule sets and matching rules contains no matching rule corresponding to the multiple rule sets currently determined (S1, S2).
Table 1
Step 104: the network device intersects the multiple rule sets currently determined to obtain a matching rule intersection, selects one matching rule from the matching rule intersection (for example, the first matching rule in the intersection) as the matching rule of the packet, and stores in the correspondence (that is, the correspondence between rule sets and matching rules) the multiple rule sets currently determined together with the matching rule currently selected.
In the correspondence, the network device only needs to store the matching rule currently selected.
After step 104, the current packet has been matched to a matching rule in the ACL and the matching process ends; the packet is subsequently processed according to that matching rule, which is not repeated here.
The matching rule intersection is the intersection of the matching rules in the multiple rule sets. For example, when rule set S1 is {R1, R2, R3, R4} and rule set S2 is {R3, R4}, the intersection of the matching rules in the multiple rule sets (S1, S2) is the intersection of {R1, R2, R3, R4} and {R3, R4}, which is clearly {R3, R4}; that is, the matching rule intersection is {R3, R4}.
When the multiple rule sets currently determined are S1 = {R1, R2, R3, R4} and S2 = {R3, R4}, the correspondence between rule sets and matching rules contains no matching rule corresponding to the multiple rule sets currently determined (S1, S2). Therefore, the network device intersects the multiple rule sets currently determined (S1, S2) to obtain the matching rule intersection {R3, R4}. The network device then selects the first matching rule, R3, from the matching rule intersection {R3, R4} as the matching rule of the packet, and stores in the correspondence (that is, the correspondence between rule sets and matching rules) the multiple rule sets currently determined (S1, S2) together with the matching rule currently selected, R3, giving the mapping table shown in Table 2.
Table 2
Step 105: the network device directly determines that the matching rule present in the correspondence between rule sets and matching rules (the matching rule corresponding to the multiple rule sets currently determined) is the matching rule of the packet.
After step 105, the current packet has been matched to a matching rule in the ACL and the matching process ends; the packet is subsequently processed according to that matching rule, which is not repeated here.
For example, when the multiple rule sets currently determined are S1 = {R1, R2, R3, R4} and S3 = {R2, R4}, the correspondence between rule sets and matching rules shown in Table 1 contains a matching rule (R2) corresponding to the multiple rule sets currently determined (S1, S3). Therefore, the network device directly determines that the matching rule R2 present in the correspondence between rule sets and matching rules is the matching rule of the packet.
Based on the above technical solution, in the embodiment of the present invention, for the first packet of a flow, such as the first packet of the flow with source IP address 1.1.1.1 and destination IP address 2.2.0.0, the correspondence between rule sets and matching rules contains no matching rule corresponding to the multiple rule sets currently determined (S1 and S2). At this point, the network device intersects the multiple rule sets currently determined (S1 and S2), that is, intersects rule set {R1, R2, R3, R4} with rule set {R3, R4}, to obtain the matching rule intersection {R3, R4}. The network device selects the first matching rule, R3, from the matching rule intersection {R3, R4} as the matching rule of the packet, after which the packet can be processed with the policy corresponding to matching rule R3, and stores in the correspondence (that is, the correspondence between rule sets and matching rules) the multiple rule sets currently determined (S1 and S2) together with the matching rule currently selected (R3), so that the correspondence between rule sets and matching rules becomes that shown in Table 2. For a non-first packet of the flow, such as a non-first packet of the flow with source IP address 1.1.1.1 and destination IP address 2.2.0.0, the correspondence between rule sets and matching rules, as shown in Table 2, contains a matching rule corresponding to the multiple rule sets currently determined (S1 and S2). At this point, the network device directly determines that the matching rule (R3) corresponding to the multiple rule sets currently determined (S1 and S2), as present in the correspondence between rule sets and matching rules, is the matching rule of the packet, and the packet can then be processed with the policy corresponding to matching rule R3.
Based on the above processing, in the embodiment of the present invention, by recording the correspondence between rule sets and matching rules, the network device can, when performing ACL matching on a non-first packet of a flow, obtain the matching rule of the packet directly from the correspondence between rule sets and matching rules and process the packet with the policy corresponding to that matching rule, without carrying out the intersection of the rule sets. This improves the processing speed and matching performance for packets and improves the processing efficiency of the network device.
In the embodiment of the present invention, when maintaining the correspondence between rule sets and matching rules, the network device may store the correspondence between rule sets and matching rules (as shown in Table 1 and Table 2) directly in a cache. Further, the network device may store the correspondence between rule sets and matching rules on a splay tree, and store the splay tree in the cache of the network device.
Specifically, the network device constructs a splay tree for storing the correspondence between rule sets and matching rules, and stores the correspondence between rule sets and matching rules (for example, the correspondence shown in Table 1 and Table 2) on the splay tree. Further, in step 103, when judging whether the correspondence between rule sets and matching rules contains a matching rule corresponding to the multiple rule sets currently determined, the network device uses the correspondence between rule sets and matching rules stored on the splay tree to judge whether there is, on the splay tree, a matching rule corresponding to the multiple rule sets currently determined.
A splay tree is a refinement of a binary search tree and has the ordering property of a binary search tree. In the embodiment of the present invention, each node of the splay tree represents one correspondence between rule sets and a matching rule: the rule sets are the index (key) of the node and the matching rule is the value of the node. Further, a splay tree is either an empty tree or a binary tree with the following properties: (1) if the left subtree is not empty, the values of all nodes in the left subtree are less than the value of its root node; (2) if the right subtree is not empty, the values of all nodes in the right subtree are greater than the value of its root node; (3) the left and right subtrees are themselves binary search trees.
In the embodiment of the present invention, after constructing the splay tree, the network device needs to store the correspondence between rule sets and matching rules on the splay tree. That is, in step 104, after the network device selects one matching rule from the matching rule intersection as the matching rule of the packet, it stores on the splay tree the correspondence between the multiple rule sets currently determined and the matching rule currently selected.
Suppose the packet currently received is the first packet of the flow with source IP address 1.1.1.1 and destination IP address 2.2.0.0. The network device then needs to store the correspondence between the rule sets (S1 and S2) and the matching rule (R3) on the splay tree. In the storing process, a lookup algorithm is first performed to determine the node of the splay tree under which the new node is inserted (assume this is the parent node of node m); the specific parent node lookup algorithm is not repeated here. Then it is judged whether node m is the left child or the right child of its parent node: when node m is the left child of its parent node, node m is inserted at the left child position of that parent node on the splay tree; when node m is the right child of its parent node, node m is inserted at the right child position of that parent node on the splay tree. Here node m represents the correspondence between the rule sets (S1 and S2) and the matching rule (R3). The process of storing node m is similar to the existing way of storing a node on a splay tree, and is not described in detail here.
Further, after the network device stores in the splay tree the correspondence between the multiple rule sets currently determined and the matching rule currently selected, the network device moves that correspondence to the root node of the splay tree by single rotation operations.
Under the insertion algorithm of the splay tree, when the network device stores a correspondence between rule sets and a matching rule on the splay tree, that correspondence is generally not stored at the root node of the splay tree. Therefore, after storing in the splay tree the correspondence between the multiple rule sets currently determined and the matching rule currently selected, the network device can also move that correspondence to the root node of the splay tree by single rotation operations.
In the embodiment of the present invention, when the network device receives a non-first packet of a flow and the correspondence between the rule sets and the matching rule for that packet is not at the root node of the splay tree, the network device can, after looking up that correspondence, also move it to the root node of the splay tree by single rotation operations.
Fig. 2 is a schematic structural diagram of a splay tree. Suppose the correspondence between rule sets and matching rule for the non-first packet of the flow currently received is node x; the network device then needs to move node x to the root node of the splay tree by single rotation operations. Fig. 3 shows the structure of the splay tree after the first single rotation operation, and Fig. 4 shows the structure of the splay tree after the second single rotation operation. The network device moves node x to the root node of the splay tree by two single rotation operations; the single rotation operation on the splay tree is similar to the existing single rotation operation and is not described in detail here.
Suppose node x represents the correspondence between the rule sets (S1 and S2) and the matching rule (R3). When the network device receives a non-first packet of the flow with source IP address 1.1.1.1 and destination IP address 2.2.0.0, based on the splay tree shown in Fig. 4 the network device queries the index of the splay tree with the rule set S1 corresponding to the source IP address 1.1.1.1 (a match option) and the rule set S2 corresponding to the destination IP address 2.2.0.0 (a match option). Since the index of the root node of the splay tree is S1 and S2, the network device directly determines that the root node of the splay tree matches the packet, determines that the value of the root node of the splay tree (that is, matching rule R3) is the matching rule of the packet, and can then process the packet with the policy corresponding to matching rule R3.
In the embodiment of the present invention, after the network device stores in the splay tree the correspondence between the multiple rule sets currently determined and the matching rule currently selected, it moves that correspondence to the root node of the splay tree by single rotation operations. Since a large number of packets of the same flow are received consecutively, when the network device next receives a packet and queries the splay tree with the multiple rule sets currently determined, it can query the root node of the splay tree directly; that is, only one query is needed to find the matching rule, which saves splay tree queries and speeds up the determination of the matching rule.
In the embodiment of the present invention, when the network device is a multi-core device, that is, when the network device includes multiple CPUs (Central Processing Units), each CPU maintains its own cache and each CPU corresponds to one splay tree. On this basis, when receiving a packet, the network device first hashes the packet using the five-tuple information of the packet to obtain the CPU corresponding to the packet, and sends the packet to that CPU, which performs the ACL matching on the packet, that is, executes the above process.
Here the five-tuple information of the packet includes: the source IP address of the packet, the source port of the packet, the destination IP address of the packet, the destination port of the packet, and the transport layer protocol number of the packet.
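The splay-tree cache described above (the tuple of rule sets determined for the current packet as the key, the selected matching rule as the value, moved to the root after every insert or successful lookup) and the multi-core dispatch by five-tuple hash, as one added worked example in Python. This is example code written for this page, not code from the patent or its assignee; the rule table, the packet values, the encoding of each rule set as a bitmask over rule indices, the lowest-index tie-break inside the intersection and the BLAKE2b hash are assumptions made for the example. The same four steps are those restated in claims 1 to 4.

```python
import hashlib

FIELDS = ("src_ip", "dst_ip")   # the match options used in this example (assumed)
# Constructed rule table (name, src_ip, dst_ip); when the intersection holds
# several rules the lowest index is selected (an assumed tie-break).
RULES = [("R1", "10.0.0.1", "10.0.2.2"), ("R2", "10.0.0.2", "10.0.1.1"), ("R3", "10.0.0.1", "10.0.1.1")]

def build_field_tables(rules):
    """Per field: value -> bitmask of the rules naming that value (its rule set)."""
    tables = {f: {} for f in FIELDS}
    for i, (_, *values) in enumerate(rules):
        for f, v in zip(FIELDS, values):
            tables[f][v] = tables[f].get(v, 0) | (1 << i)
    return tables

class _Node:
    def __init__(self, key, value):
        self.key, self.value, self.left, self.right, self.parent = key, value, None, None, None

class SplayCache:
    """Splay tree keyed by the tuple of rule-set masks, value = selected rule.
    Inserts and successful lookups splay the node to the root, so a run of
    packets from one flow is answered by comparing against the root alone."""
    def __init__(self):
        self.root = None
        self.root_hits = 0   # lookups answered without descending the tree

    def _rotate(self, x):
        p, g = x.parent, x.parent.parent
        a, b = ("left", "right") if p.left is x else ("right", "left")
        setattr(p, a, getattr(x, b))          # x's inner subtree moves under p
        if getattr(p, a) is not None:
            getattr(p, a).parent = p
        setattr(x, b, p)
        x.parent, p.parent = g, x
        if g is None:
            self.root = x
        else:
            setattr(g, "left" if g.left is p else "right", x)

    def _splay(self, x):
        while x.parent is not None:
            p, g = x.parent, x.parent.parent
            if g is None:
                self._rotate(x)                    # zig
            elif (g.left is p) == (p.left is x):
                self._rotate(p); self._rotate(x)   # zig-zig
            else:
                self._rotate(x); self._rotate(x)   # zig-zag

    def get(self, key):
        if self.root is not None and self.root.key == key:
            self.root_hits += 1                    # fast path: a single comparison
            return self.root.value
        n = self.root
        while n is not None and n.key != key:
            n = n.left if key < n.key else n.right
        if n is None:
            return None
        self._splay(n)
        return n.value

    def put(self, key, value):
        node, n = _Node(key, value), self.root
        if n is None:
            self.root = node
            return
        while True:                                # plain BST insert (key is absent) ...
            side = "left" if key < n.key else "right"
            if getattr(n, side) is None:
                setattr(n, side, node)
                node.parent = n
                break
            n = getattr(n, side)
        self._splay(node)                          # ... then one splay brings it to the root

class AclMatcher:
    """One matcher per CPU: its own field tables and its own splay tree."""
    def __init__(self, rules):
        self.rules, self.tables, self.cache = rules, build_field_tables(rules), SplayCache()

    def match(self, pkt):
        # steps 1-2: each match option -> the rule set (mask) that names its value
        key = tuple(self.tables[f].get(pkt[f], 0) for f in FIELDS)
        hit = self.cache.get(key)                  # step 3: is a mapping already stored?
        if hit is not None:
            return hit
        inter = key[0]                             # step 4: intersect the rule sets
        for m in key[1:]:
            inter &= m
        if inter == 0:
            return None                            # no rule matches; nothing is cached
        name = self.rules[(inter & -inter).bit_length() - 1][0]
        self.cache.put(key, name)
        return name

def dispatch(cores, pkt):
    """Multi-core path: hash the five-tuple (BLAKE2b, an assumed choice) to pick the CPU."""
    five = "|".join(str(pkt[k]) for k in ("src_ip", "src_port", "dst_ip", "dst_port", "proto"))
    cpu = int.from_bytes(hashlib.blake2b(five.encode(), digest_size=4).digest(), "big") % len(cores)
    return cpu, cores[cpu].match(pkt)
```

A second packet of the flow just processed is answered by one comparison against the root; a packet of another flow descends the tree and is splayed up, so two flows alternating on one CPU would splay on every packet, which is why the per-CPU trees fed by a five-tuple hash matter. Two caveats the patent text does not address: the hash as written is direction-sensitive, so the two directions of a TCP connection land on different CPUs unless the tuple is canonicalised first; and a stored mapping is only valid for the rule table it was computed from, so the cache must be flushed whenever the ACL changes, since the key is a tuple of rule sets whose membership changes with the rules.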
Based on the same inventive concept as the above method, an embodiment of the present invention further provides a network device, as shown in Fig. 5. The network device specifically includes:
an obtaining module 11, for obtaining multiple match options in a packet when performing access control list (ACL) matching on the packet;
a determining module 12, for determining the rule set corresponding to each match option respectively;
a judging module 13, for judging whether, in the correspondence between rule sets and matching rules, there exists a matching rule corresponding to the multiple rule sets currently determined by the determining module;
a selecting module 14, for, when there exists a matching rule corresponding to the multiple rule sets currently determined, selecting the matching rule corresponding to the multiple rule sets as the matching rule of the packet.
The selecting module 14 is further configured to, when there is no matching rule corresponding to the multiple rule sets currently determined, intersect the multiple rule sets currently determined to obtain a matching-rule intersection, and to select one matching rule from the matching-rule intersection as the matching rule of the packet.
The network device further includes a storage module 15, for storing, in the correspondence between rule sets and matching rules, the multiple rule sets currently determined and the matching rule currently selected.
The storage module 15 is configured to build a splay tree for storing the correspondence between rule sets and matching rules, and to store the correspondence between rule sets and matching rules on the splay tree.
The judging module 13 is specifically configured to use the correspondence between rule sets and matching rules stored on the splay tree to judge whether a matching rule corresponding to the multiple rule sets currently determined exists on the splay tree.
The storage module 15 is further configured to, after storing the correspondence between the multiple rule sets currently determined and the matching rule currently selected in the splay tree, move that correspondence to the root node of the splay tree by a single splay operation.
In the embodiment of the present invention, when the network device includes multiple central processing units (CPUs), each CPU has its own splay tree; the obtaining module 11 is further configured to hash the packet using its five-tuple information to obtain the CPU corresponding to the packet, and to send the packet to that CPU, which performs ACL matching on the packet.
The modules of the device of the present invention may be integrated into one unit or deployed separately. The above modules may be merged into one module or further split into multiple sub-modules.
From the above description of the embodiments, those skilled in the art can clearly understand that the present invention may be implemented by software plus the necessary general-purpose hardware platform, or of course by hardware, but in many cases the former is the better embodiment. Based on this understanding, the technical solution of the present invention, or the part of it that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium and including a number of instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to execute the method described in each embodiment of the present invention. Those skilled in the art will understand that the drawings are schematic diagrams of a preferred embodiment, and that the modules or processes in the drawings are not necessarily required to implement the present invention. Those skilled in the art will understand that the modules in the device of an embodiment may be distributed in the device of the embodiment as described, or may be correspondingly relocated to one or more devices different from the present embodiment. The modules of the above embodiments may be merged into one module or further split into multiple sub-modules. The serial numbers of the above embodiments are for description only and do not represent the relative merits of the embodiments. The above are only several specific embodiments of the present invention; however, the present invention is not limited thereto, and any changes that those skilled in the art can conceive shall fall within the protection scope of the present invention.
Claims (8)
1. A method for fast access control list (ACL) matching, characterized in that the method comprises:
when performing ACL matching on a packet, a network device obtains multiple match options in the packet;
the network device determines the rule set corresponding to each match option respectively;
the network device judges whether, in the correspondence between rule sets and matching rules, there exists a matching rule corresponding to the multiple rule sets currently determined;
when there exists a matching rule corresponding to the multiple rule sets currently determined, the network device determines that matching rule to be the matching rule of the packet;
wherein, after the network device judges whether there exists in the correspondence a matching rule corresponding to the multiple rule sets currently determined, the method further comprises:
when there is no matching rule corresponding to the multiple rule sets currently determined, the network device intersects the multiple rule sets currently determined to obtain a matching-rule intersection, selects one matching rule from the matching-rule intersection as the matching rule of the packet, and stores the multiple rule sets currently determined and the matching rule currently selected in the correspondence;
wherein, in the correspondence between rule sets and matching rules, the matching rule is only a single matching rule.
2. The method according to claim 1, characterized in that the method further comprises:
the network device builds a splay tree for storing the correspondence between rule sets and matching rules;
the network device stores the correspondence between rule sets and matching rules on the splay tree;
the network device uses the correspondence between rule sets and matching rules stored on the splay tree to judge whether there exists on the splay tree a matching rule corresponding to the multiple rule sets currently determined.
3. The method according to claim 2, characterized in that the method further comprises:
after the network device stores the correspondence between the multiple rule sets currently determined and the matching rule currently selected in the splay tree, the network device moves that correspondence to the root node of the splay tree by a single splay operation.
4. The method according to claim 2, characterized in that, when the network device includes multiple central processing units (CPUs), each CPU has its own splay tree, and the method further comprises:
the network device hashes the packet using its five-tuple information to obtain the CPU corresponding to the packet, and sends the packet to that CPU, which performs ACL matching on the packet;
wherein the five-tuple information includes: the source IP address of the packet, the source port of the packet, the destination IP address of the packet, the destination port of the packet, and the transport layer protocol number of the packet.
5. A network device, characterized in that the network device specifically comprises:
an obtaining module, for obtaining multiple match options in a packet when performing access control list (ACL) matching on the packet;
a determining module, for determining the rule set corresponding to each match option respectively;
a judging module, for judging whether, in the correspondence between rule sets and matching rules, there exists a matching rule corresponding to the multiple rule sets currently determined by the determining module;
a selecting module, for, when there exists a matching rule corresponding to the multiple rule sets currently determined, selecting the matching rule corresponding to the multiple rule sets as the matching rule of the packet;
the selecting module is further configured to, when there is no matching rule corresponding to the multiple rule sets currently determined, intersect the multiple rule sets currently determined to obtain a matching-rule intersection, and select one matching rule from the matching-rule intersection as the matching rule of the packet;
the network device further comprises a storage module, for storing, in the correspondence between rule sets and matching rules, the multiple rule sets currently determined and the matching rule currently selected;
wherein, in the correspondence between rule sets and matching rules, the matching rule is only a single matching rule.
6. The network device according to claim 5, characterized in that:
the storage module is configured to build a splay tree for storing the correspondence between rule sets and matching rules, and to store the correspondence between rule sets and matching rules on the splay tree;
the judging module is specifically configured to use the correspondence between rule sets and matching rules stored on the splay tree to judge whether there exists on the splay tree a matching rule corresponding to the multiple rule sets currently determined.
7. The network device according to claim 6, characterized in that:
the storage module is further configured to, after storing the correspondence between the multiple rule sets currently determined and the matching rule currently selected in the splay tree, move that correspondence to the root node of the splay tree by a single splay operation.
8. The network device according to claim 6, characterized in that, when the network device includes multiple central processing units (CPUs), each CPU has its own splay tree; the obtaining module is further configured to hash the packet using its five-tuple information to obtain the CPU corresponding to the packet, and to send the packet to that CPU, which performs ACL matching on the packet;
wherein the five-tuple information includes: the source IP address of the packet, the source port of the packet, the destination IP address of the packet, the destination port of the packet, and the transport layer protocol number of the packet.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410460519.8A CN104253754B (en) | 2014-09-11 | 2014-09-11 | A kind of method and apparatus of ACL Rapid matching |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410460519.8A CN104253754B (en) | 2014-09-11 | 2014-09-11 | A kind of method and apparatus of ACL Rapid matching |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104253754A CN104253754A (en) | 2014-12-31 |
CN104253754B true CN104253754B (en) | 2019-03-15 |
Family
ID=52188309
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410460519.8A Active CN104253754B (en) | 2014-09-11 | 2014-09-11 | A kind of method and apparatus of ACL Rapid matching |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104253754B (en) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107707479B (en) * | 2017-10-31 | 2021-08-31 | 北京锐安科技有限公司 | Five-tuple rule searching method and device |
CN108718320B (en) * | 2018-06-14 | 2021-03-30 | 浙江远望信息股份有限公司 | Method for forming data packet communication white list by intersection of compliance data packets of similar same-configuration Internet of things equipment |
CN109547502A (en) * | 2019-01-22 | 2019-03-29 | 成都亚信网络安全产业技术研究院有限公司 | Firewall ACL management method and device |
CN112367262B (en) * | 2020-08-20 | 2022-07-05 | 国家计算机网络与信息安全管理中心 | Matching method and device for quintuple rule |
CN112804206A (en) * | 2020-12-31 | 2021-05-14 | 北京知道创宇信息技术股份有限公司 | Message matching method and device based on search tree and electronic equipment |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101753542A (en) * | 2008-12-03 | 2010-06-23 | 北京天融信网络安全技术有限公司 | Method and device for speeding up matching of filter rules of firewalls |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101197675B (en) * | 2007-11-14 | 2010-06-09 | 杭州华三通信技术有限公司 | Accesses control list configuration method and device |
CN101651623B (en) * | 2009-09-07 | 2012-05-23 | 中兴通讯股份有限公司 | Generation method and device for access control list application |
US9183244B2 (en) * | 2011-08-02 | 2015-11-10 | Cavium, Inc. | Rule modification in decision trees |
Also Published As
Publication number | Publication date |
---|---|
CN104253754A (en) | 2014-12-31 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN104253754B (en) | A kind of method and apparatus of ACL Rapid matching | |
CN104580027B (en) | A kind of OpenFlow message forwarding methods and equipment | |
JP6457648B2 (en) | Location and mapping methods | |
US9171153B2 (en) | Bloom filter with memory element | |
CN107800631B (en) | Method and apparatus for efficient matching of TCAM rules using hash tables in RAM | |
US9269411B2 (en) | Organizing data in a hybrid memory for search operations | |
US8750144B1 (en) | System and method for reducing required memory updates | |
CN103425725B (en) | Hash collision reduction system | |
US9589073B2 (en) | Systems and methods for keyword spotting using adaptive management of multiple pattern matching algorithms | |
CN101309216B (en) | IP packet classification method and apparatus | |
CN107395659A (en) | A kind of method and device of service handling and common recognition | |
US10671667B2 (en) | Data matching method and apparatus and computer storage medium | |
US9294390B2 (en) | Hash table storage and search methods and devices | |
CN104794228A (en) | Search result providing method and device | |
US20150019592A1 (en) | Systems, methods and software for computing reachability in large graphs | |
CN112187710B (en) | Method and device for sensing threat intelligence data, electronic device and storage medium | |
CN101834788B (en) | Storage operation method, device and equipment of media access control address table items | |
WO2016175768A1 (en) | Map tables for hardware tables | |
US9485179B2 (en) | Apparatus and method for scalable and flexible table search in a network switch | |
CN109618020A (en) | A kind of method for network address translation and device of fragment message | |
CN107426041A (en) | A kind of method and apparatus of resolve command | |
CN106254244A (en) | A kind of merging stream list item method based on SDN | |
CN110460529A (en) | Content router FIB storage organization and its data processing method | |
CN101277252A (en) | Method for traversing multi-branch Trie tree | |
CN106202102B (en) | Batch data querying method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| EXSB | Decision made by sipo to initiate substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| CB02 | Change of applicant information | Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466; Applicant after: Xinhua three Technology Co., Ltd. Address before: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466; Applicant before: Huasan Communication Technology Co., Ltd. |
| GR01 | Patent grant | |