CN106027459A - ACL (access control list) query method and device - Google Patents

ACL (access control list) query method and device

Info

Publication number: CN106027459A
Application number: CN201510998606.3A
Authority: CN (China)
Prior art keywords: rule, address, acl, space, hash
Legal status: Granted (active)
Other languages: Chinese (zh)
Other versions: CN106027459B (en)
Inventors: 周毅华, 兰军
Current assignee: Shenzhen Hengxin Data Ltd By Share Ltd
Original assignee: Shenzhen Hengxin Data Ltd By Share Ltd
Application filed by Shenzhen Hengxin Data Ltd By Share Ltd; priority to CN201510998606.3A; granted as CN106027459B

Classifications

    • H04L 63/101 Access control lists [ACL] (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/10 Controlling access to devices or network resources)
    • H04L 63/0263 Rule management (H04L 63/00 Network security > H04L 63/02 Separating internal from external traffic, e.g. firewalls > H04L 63/0227 Filtering policies)

Abstract

The invention belongs to the field of ACL (access control list) lookup and provides an ACL query method and device. The method comprises: receiving rules of different types in the ACL; obtaining the elements of each rule and classifying rules of different types that share a common element into the same rule group; hashing the common element with a hash algorithm to generate the storage addresses of the different types of rules in the rule group; receiving a request from a packet to query the ACL, extracting from the packet the common element required by the rule group, hashing it to generate a DDR (double data rate) SDRAM address, matching every element of the packet against every element of the rules stored at that DDR address, and performing the ACL query according to the match result. A single packet querying the rule group therefore needs only one ACL lookup to cover all rule types in the group, which saves query time and markedly improves ACL query efficiency.

Description

Access control list query method and device
Technical field
The invention belongs to the field of access control list (ACL) lookup, and in particular relates to an ACL query method and device.
Background
Communication equipment such as routers and switches often needs an ACL to filter network traffic. Depending on the filtering requirements, some rules in the ACL are concerned only with the source IP address (SIP) of a packet, others with SIP plus source port (SP), and so on. When the number of rules in the ACL is large, the rules must be kept in DDR memory, and the storage address of a rule in DDR is computed by hashing the rule's content.
However, in current ACL lookup practice, rules of different types require too many ACL queries, lookup efficiency is low, and the ACL query demand of packets cannot be met. The reason is that in the prior art every rule type requires its own hash computation to obtain the rule's storage address, after which the rule is read from that address and compared with the packet's fields to decide whether the packet matches. If there are many rule types, a packet needs many queries; each query reads DDR once, and the physical interface bandwidth of DDR is limited, so the more queries a single packet needs, the fewer packets can be processed per unit time. Hence, when there are many rule types, the ACL lookup efficiency of the prior art is very low.
Summary of the invention
The purpose of the embodiments of the present invention is to provide an ACL query method that solves the problem in current ACL lookup practice that rules of different types require too many ACL queries, lookup efficiency is low, and the ACL query demand of packets cannot be met.
An embodiment of the present invention is realised as an ACL query method, including:
receiving rules of different types in the access control list (ACL);
obtaining the elements of each rule, and classifying rules of different types that share a common element into the same rule group;
hashing the common element with a hash algorithm to generate the storage addresses of the different types of rules in the rule group;
extracting from the packet the common element corresponding to the rule group and hashing it to generate a double data rate synchronous DRAM (DDR) address, matching every element of the packet against every element of the rules at that DDR address, and performing the ACL query action according to the match result;
wherein the address at which a rule is stored is a fixed-length DDR address representing the rule's storage location in DDR.
Another purpose of the embodiments of the present invention is to provide an ACL query device, including:
a rule receiving module for receiving rules of different types in the ACL;
a classification module for obtaining the elements of each rule and classifying rules of different types that share a common element into the same rule group;
an address storage module for hashing the common element with a hash algorithm to generate the storage addresses of the different types of rules in the rule group;
a query action execution module for extracting from the packet the common element corresponding to the rule group, hashing it to generate a DDR address, matching every element of the packet against every element of the rules at that DDR address, and performing the ACL query action according to the match result;
wherein the address at which a rule is stored is a fixed-length DDR address representing the rule's storage location in DDR.
In the embodiments of the present invention, the common element is hashed with a hash algorithm to generate the storage addresses of the different types of rules in the rule group. This solves the problem in current ACL lookup practice that rules of different types require too many ACL queries, lookup efficiency is low, and the ACL query demand of packets cannot be met. When a single packet queries this group of rules, one table lookup completes the query for all rule types, saving query time and markedly improving ACL lookup efficiency.
Accompanying drawing explanation
Fig. 1 is a flowchart of the ACL query method provided by an embodiment of the present invention;
Fig. 2 is a flowchart of the implementation of step S102 of the ACL query method provided by an embodiment of the present invention;
Fig. 3 is a preferred example of the rule group division provided by an embodiment of the present invention;
Fig. 4 is a flowchart of the DDR space partitioning function provided by an embodiment of the present invention;
Fig. 5 is a preferred example of the DDR space division provided by an embodiment of the present invention;
Fig. 6 is a preferred flowchart of ACL rule installation in practical application, provided by an embodiment of the present invention;
Fig. 7 is a preferred flowchart of a packet querying the ACL in practical application, provided by an embodiment of the present invention;
Fig. 8 is a structural block diagram of the ACL query device provided by an embodiment of the present invention.
Detailed description of the invention
To make the purpose, technical scheme and advantages of the present invention clearer, the invention is further elaborated below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the invention and are not intended to limit it.
Embodiment one
Fig. 1 is a flowchart of the ACL query method provided by an embodiment of the present invention, detailed as follows:
In step S101, rules of different types in the access control list (ACL) are received;
In step S102, the elements of each rule are obtained, and rules of different types that share a common element are classified into the same rule group;
In step S103, the common element is hashed with a hash algorithm to generate the storage addresses of the different types of rules in the rule group;
In step S104, the common element corresponding to the rule group is extracted from the packet and hashed to generate a double data rate synchronous DRAM (DDR) address; every element of the packet is matched against every element of the rules at that DDR address, and the ACL query action is performed according to the match result;
wherein the address at which a rule is stored is a fixed-length DDR address representing the rule's storage location in DDR.
Matching every element of the packet against every element of the rules at the DDR address and performing the ACL query action according to the match result specifically means:
each element of the packet is matched against each element of the rules at the DDR address;
when the match succeeds, the packet is filtered according to the action specified in the rule;
when the match fails, the packet is left unaffected.
When different rules in the ACL hash to the same storage address, the rules are cascaded in a linked list, and a packet then has to query every level of that linked list.
When the linked list becomes too long, it is dismantled and the rules are hashed a second time over their complete element information, so the rules from the former list obtain different storage addresses. A packet first queries the ACL once at the first-hash address, then performs one further ACL query at the second-hash address of each rule type.
Using the second hash bounds the number of ACL lookups: the maximum number of additional lookups equals the number of rule types in the group, which avoids the uncontrolled number of queries caused by a long linked list.
In the embodiments of the present invention, when a single packet queries this rule group, one table lookup completes the query for multiple rule types, saving query time and markedly improving ACL lookup efficiency, while retaining enough flexibility to design different rule groups for different requirements and so raising the intelligence of the lookup. In addition, when many rules obtain the same storage address in the first hash, the second hash controls the length of the linked list. This solves the problem in current ACL lookup practice that many rules hash to the same storage address, the linked-list length is uncontrolled, a single packet needs too many ACL queries, lookup efficiency is low, and the ACL query demand of packets cannot be met. However many rules fall on the storage address that a single packet reaches through the first hash, the second hash scatters them, bounding the maximum number of queries, saving query time and markedly improving ACL lookup efficiency.
Embodiment two
Fig. 2 is a flowchart of the implementation of step S102 of the ACL query method provided by an embodiment of the present invention, detailed as follows:
In step S201, the first element and the second element of the rule are obtained;
In step S202, it is detected whether the first element of the rule is the source IP address SIP. When the first element is SIP, it is detected whether the second element is the destination IP address DIP. When the second element is not DIP, the rules whose first element is SIP and whose second element is not DIP are classified as the first rule group; when the second element is DIP, the rules whose first element is SIP and whose second element is DIP are classified as the second rule group;
In step S203, it is detected whether the first element of the rule is the destination IP address DIP. When the first element is DIP, the rules whose first element is DIP are classified as the third rule group;
The elements of a rule are arranged in a fixed order: source IP address SIP, destination IP address DIP, source port SP, destination port DP, and so on. When a rule does not contain a given element, the later elements move forward one place: for example, when a rule contains only DIP, SP and DP, its first element is DIP, its second element is SP and its third element is DP.
The common elements of the first rule group, the second rule group and the third rule group are different from one another.
Referring to Fig. 3, a preferred example of rule group division provided by an embodiment of the present invention, detailed as follows:
24 different rule types are divided into 3 rule groups, whose common elements are SIP, SIP+DIP and DIP respectively, and the ACL is queried one rule group at a time. The rule types in the 3 groups are as follows:
First rule group:
1. SIP;
2. SIP+SP;
3. SIP+DP;
4. SIP+Protocol;
5. SIP+SP+DP;
6. SIP+SP+Protocol;
7. SIP+DP+Protocol;
8. SIP+SP+DP+Protocol.
Second rule group:
1. SIP+DIP;
2. SIP+DIP+SP;
3. SIP+DIP+DP;
4. SIP+DIP+Protocol;
5. SIP+DIP+SP+DP;
6. SIP+DIP+SP+Protocol;
7. SIP+DIP+DP+Protocol;
8. SIP+DIP+SP+DP+Protocol.
Third rule group:
1. DIP;
2. DIP+SP;
3. DIP+DP;
4. DIP+Protocol;
5. DIP+SP+DP;
6. DIP+SP+Protocol;
7. DIP+DP+Protocol;
8. DIP+SP+DP+Protocol.
After the 24 rule types are divided into 3 groups, the address of a rule in DDR is no longer computed by hashing all elements of each rule: when computing DDR addresses, the three rule groups hash only SIP, SIP+DIP or DIP respectively. Taking the first rule group as an example, SIP, SIP+SP, SIP+DP, SIP+Protocol, SIP+SP+DP, SIP+SP+Protocol, SIP+DP+Protocol and SIP+SP+DP+Protocol all contain SIP, and all 8 of these types use only SIP in the hash when their DDR storage address is computed. Therefore, for these 8 types of ACL rule, identical SIPs give identical DDR addresses. In other words, if a rule is stored at that address, whichever of the 8 types it is, the packet only needs to hash its SIP to obtain the address and read it once to obtain the query result for all 8 rule types. The second rule group and the third rule group work in the same way, reducing the number of ACL lookups.
In the embodiments of the present invention, compared with the prior art, the number of ACL lookups for one group of rules is reduced from 8 to 1 by the scheme described here, greatly improving lookup efficiency.
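The classification of step S102 and the 24-type table of Fig. 3, as an added example in Python (not code from the patent or its assignee): the rule's elements are first put into the fixed order, the first and second element decide the group, and the 24 types are generated combinatorially rather than listed, so the check that they fall into exactly three groups of eight is independent of the table above. The field names, the dict-based rule and packet format, and the helper names are assumptions made for the example.

```python
# Added example, not code from the patent: the rule classification of step S102 as
# a function, plus a check that the 24 rule types of Fig. 3 fall into exactly the
# three groups listed. Field names and the dict-based rule format are assumptions.
from itertools import combinations

FIELD_ORDER = ("SIP", "DIP", "SP", "DP", "Protocol")
COMMON_KEYS = (("SIP",), ("SIP", "DIP"), ("DIP",))  # first, second, third rule group


def ordered_elements(rule):
    """A rule's elements in the fixed order; absent elements are skipped, so the
    'first element' of a DIP+SP+DP rule is DIP and its second element is SP."""
    return tuple(f for f in FIELD_ORDER if f in rule)


def classify(rule):
    """Return the group's common elements, i.e. the fields every rule in that group hashes on."""
    elems = ordered_elements(rule)
    first, second = elems[0], elems[1] if len(elems) > 1 else None
    if first == "SIP":
        return ("SIP", "DIP") if second == "DIP" else ("SIP",)
    if first == "DIP":
        return ("DIP",)
    raise ValueError("no rule group for a rule without SIP or DIP: %r" % (rule,))


def lookup_keys(packet):
    """Per group, the field values a packet hashes to reach all of that group's rules at once."""
    return {key: tuple(packet[f] for f in key) for key in COMMON_KEYS}


def fig3_groups():
    """Classify all 24 types ({SIP, SIP+DIP, DIP} x every subset of {SP, DP, Protocol})."""
    groups = {}
    for head in COMMON_KEYS:
        for n in range(4):
            for tail in combinations(("SP", "DP", "Protocol"), n):
                groups.setdefault(classify(dict.fromkeys(head + tail)), []).append("+".join(head + tail))
    return groups
```

Because `classify` orders the elements before looking at them, a rule supplied as {SP, SIP} still lands in the first group; that ordering step is what makes "first element" and "second element" well defined in step S202.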
Embodiment three
Fig. 4 is a flowchart of the DDR space partitioning function provided by an embodiment of the present invention, detailed as follows:
S401, a first percentage of the space is allocated to the ACL base space;
S402, a second percentage of the space is allocated to the ACL extension space;
S403, the remaining DDR space is allocated to the ACL conflict space;
wherein the first percentage and the second percentage are preset values.
Referring to Fig. 5, a preferred example of the DDR space division provided by an embodiment of the present invention, detailed as follows:
Fig. 5 divides the DDR space into three parts, of which the ACL base space is the largest.
In the embodiments of the present invention, the DDR space is divided into three parts: the ACL base space, the ACL conflict space and the ACL extension space. The space that holds the rule addresses computed by the hash algorithm is the ACL base space.
Embodiment four
An embodiment of the present invention provides the implementation flow of the ACL rule installation function, detailed as follows:
The ACL rule installation function is configured as follows:
the common element is hashed for the first time with the hash algorithm to generate the rule's address in the ACL base space;
it is judged whether a rule already exists at that address in the ACL base space;
when there is no rule, the rule is stored at that address in the ACL base space;
when there is a rule, it is judged whether the rules at that address in the ACL base space already use two-level hashing;
when the rules at that address do not use two-level hashing, it is judged whether the rule linked list exceeds the limit; when the linked-list length does not exceed the limit, a linked list is created or extended and the rule is stored in the ACL conflict space;
when the rules at that address already use two-level hashing, or when the linked-list length exceeds the limit, the linked list created by the first-level hash is dismantled, and the rule's address in the ACL extension space is generated by a second hash;
it is judged whether a rule already exists at that address in the ACL extension space;
when a rule exists at that address in the ACL extension space, a linked list is created or extended and the rule is stored in the ACL conflict space;
when no rule exists at that address in the ACL extension space, the rule is stored in the ACL extension space.
The limit may be set by the user or be a system default; it is not restricted here.
Once a rule linked list exceeds 8 levels, the list must be dismantled and all elements of each rule participate in the hash together; a rule of type SIP+SP, for example, hashes SIP+SP. With this second hash, rules that fell on the same DDR address in the first hash have a very small probability of falling on the same DDR address again.
In this case, Rule-A, originally in the linked list, remains at address A in the ACL base space, while Rule-B and Rule-C are stored at addresses B1 and C1 of the ACL extension space. For a packet with a given SIP, it is only necessary to read address A once and then, using the addresses obtained by the second hash, read ACL-B and ACL-C in turn: at most 9 reads in all.
If a hash collision still occurs when the second hash computes a rule's address in the ACL extension space, a linked list is likewise created: the first rule of the list is stored in the ACL extension space and the following rules in the list are stored in the ACL conflict space.
In general, the DDR address obtained by the first hash lies in the ACL base space and the DDR address obtained by the second hash lies in the ACL extension space; in a rule linked list, the address of the first rule lies in the ACL base space or the ACL extension space, and the following rules lie in the ACL conflict space.
In this embodiment, rule storage addresses are computed by two levels of hashing. When first-level collisions are severe (for example, the linked list is longer than 8), the list is dismantled and the rules on it are scattered by the second-level hash into the ACL extension space. This reduces the number of ACL lookups and markedly improves ACL lookup efficiency.
Embodiment five
An embodiment of the present invention provides the implementation flow of step S104 of the ACL query method, detailed as follows:
a request from a packet to query the ACL is received;
the common element required by the rule group is extracted from the packet and hashed to generate a first DDR address;
every element of the rules at the first DDR address is matched against every element of the packet, and it is judged whether a matching rule exists at that address in the ACL base space;
when there is no rule at that address in the ACL base space, the rule query ends;
when there is a rule at that address in the ACL base space, it is judged whether the rule matches;
when the rule matches, the rule query ends;
when the rule does not match, it is judged whether the address points to further rules in a rule linked list;
when the address does point to further rules in the linked list, each rule in the list is looked up in turn until a match or the end of the list, and only then does the rule query end;
when the address does not point to further rules in a linked list, it is judged whether the address needs a second hash;
when the address needs a second hash, the elements specified by each rule type in the rule group participate in the second hash in turn to generate a second DDR address;
every element of the rules at the second DDR address is matched against every element of the packet, and whether a rule exists at that address in the ACL extension space is queried; the rule query ends when a rule matches or when all rule types have been traversed.
Embodiment six
Fig. 6 is a preferred flowchart of ACL rule installation in practical application, provided by an embodiment of the present invention, detailed as follows:
the first DDR address computation gives the rule's address in the ACL base space;
it is judged whether a rule already exists at that address in the ACL base space;
when there is no rule at that address in the ACL base space, the rule is stored in the ACL base space;
when there is a rule at that address in the ACL base space, it is judged whether the rules at that address already use two-level hashing;
when the rules at that address do not use two-level hashing, it is judged whether the rule linked list exceeds the limit;
when the linked-list length does not exceed the limit, a linked list is created or extended and the rule is stored in the ACL conflict space;
when the rules at that address already use two-level hashing, or when the linked-list length exceeds the limit, the linked list created by the first-level hash is dismantled and the second hash computes the rule's address in the ACL extension space;
it is judged whether a rule already exists at that address in the ACL extension space;
when a rule exists at that address in the ACL extension space, a linked list is created or extended and the rule is stored in the ACL conflict space;
when no rule exists at that address in the ACL extension space, the rule is stored in the ACL extension space.
Embodiment seven
Fig. 7 is a preferred flowchart of a packet querying the ACL in practical application, provided by an embodiment of the present invention, detailed as follows:
the packet queries the ACL;
the rule address is computed with SIP as the input of the first hash;
it is judged whether a rule exists at that address in the ACL base space;
when there is no rule at that address in the ACL base space, the rule query ends;
when there is a rule at that address in the ACL base space, it is judged whether the rule matches;
when the rule matches, the rule query ends;
when the rule does not match, it is judged whether the address points to further rules in a rule linked list;
when the address does point to further rules in the linked list, each rule in the list is looked up in turn until a match or the end of the list, and only then does the rule query end;
when the address does not point to further rules in a linked list, it is judged whether the address needs a second hash;
when the address needs a second hash, then according to the different rule types in the rule group, the elements specified by each rule type participate in the second hash in turn to obtain the rule's address in the extension space, and the rule is looked up by that address until a rule matches or all rule types have been traversed, at which point the rule query ends.
Fig. 7 applies to the rule types whose common element is SIP, for example the following 8 types:
SIP, SIP+SP, SIP+DP, SIP+Protocol, SIP+SP+DP, SIP+SP+Protocol, SIP+DP+Protocol, SIP+SP+DP+Protocol.
A packet checked against these rules can complete the single-lookup flow according to Fig. 7.
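The installation flow of Embodiments four and six and the lookup flow of Embodiments five and seven both act on the partitioned DDR space of Embodiment three. The following Python model, an added example and not code from the patent or its assignee, puts all of that in one place: a slot array split into base, extension and conflict space at preset percentages, rule installation with the chain limit and the second hash over all of a rule's elements, and the single-pass packet lookup whose second-hash probes run once per rule type of the group (the Fig. 7 flow, with SIP as the first-hash input, is the lookup of the first rule group here). The FNV-1a hash, the dict-based rule and packet format, the field names, the chain-limit policy (re-hash once the list has reached the limit), the slot bookkeeping and the sample rules and packets are assumptions constructed for the example.

```python
# Added example, not code from the patent: a two-level hashed ACL store in the
# patent's DDR layout (base / extension / conflict space) with rule install and
# single-pass packet lookup. Hash, slot format, field names and policy are assumptions.
from itertools import combinations

FIELD_ORDER = ("SIP", "DIP", "SP", "DP", "Protocol")
# Rule groups keyed by common elements; each lists its 8 rule types in probe order.
GROUPS = {k: [k + c for n in range(4) for c in combinations(("SP", "DP", "Protocol"), n)]
          for k in (("SIP",), ("SIP", "DIP"), ("DIP",))}

def fnv1a(*parts):
    """Deterministic 64-bit FNV-1a over the text form of its arguments (assumed hash)."""
    h = 0xCBF29CE484222325
    for b in str(parts).encode():
        h = ((h ^ b) * 0x100000001B3) & 0xFFFFFFFFFFFFFFFF
    return h

def rule_type(rule):  # a rule's elements in the fixed order, e.g. ("SIP", "SP")
    return tuple(f for f in FIELD_ORDER if f in rule)

def group_key(rule):  # SIP+DIP+... -> group 2, SIP+... -> group 1, DIP+... -> group 3
    t = rule_type(rule)
    return ("SIP", "DIP") if t[:2] == ("SIP", "DIP") else t[:1]

class AclTable:
    def __init__(self, slots=32, base_pct=50, ext_pct=25, chain_limit=8):
        self.base, self.ext, self.limit = slots * base_pct // 100, slots * ext_pct // 100, chain_limit
        self.rule, self.next, self.two_level = [None] * slots, [None] * slots, [False] * slots
        self.free = list(range(self.base + self.ext, slots))  # conflict space: linked-list entries

    def addr(self, fields, key, second=False):
        """Hash the named fields: first hash -> base space, second hash -> extension space."""
        h = fnv1a(key, tuple(fields[f] for f in key))
        return self.base + h % self.ext if second else h % self.base

    def chain(self, addr):
        while addr is not None:
            yield addr
            addr = self.next[addr]

    def _place(self, head, rule):  # store at head if empty, else append to its linked list
        if self.rule[head] is None:
            self.rule[head] = rule
            return head
        tail, c = list(self.chain(head))[-1], self.free.pop()
        self.rule[c], self.next[tail] = rule, c
        return c

    def install(self, rule):
        """Store a rule; returns the slot it landed in."""
        a = self.addr(rule, group_key(rule))
        chain = list(self.chain(a)) if self.rule[a] is not None else []
        if not self.two_level[a] and len(chain) < self.limit:
            return self._place(a, rule)
        # List at the limit (or already re-hashed): the head stays in base space; every
        # other rule is re-hashed over all of its elements into extension space.
        self.next[a], self.two_level[a] = None, True
        for c in chain[1:]:
            moved, self.rule[c], self.next[c] = self.rule[c], None, None
            self.free.append(c)
            self._place(self.addr(moved, rule_type(moved), True), moved)
        return self._place(self.addr(rule, rule_type(rule), True), rule)

    def _probe(self, head, packet):  # walk one linked list; returns (match or None, slots read)
        reads = 0
        for addr in self.chain(head):
            reads += 1
            r = self.rule[addr]
            if r is not None and all(packet[f] == r[f] for f in rule_type(r)):
                return r, reads
        return None, reads

    def lookup(self, packet, key):
        """Query one rule group; returns (matched rule or None, hash probes, slots read)."""
        a = self.addr(packet, key)
        rule, reads = self._probe(a, packet)
        if rule is not None or not self.two_level[a]:
            return rule, 1, reads
        for probes, rtype in enumerate(GROUPS[key], 2):  # second hash: one probe per rule type
            rule, n = self._probe(self.addr(packet, rtype, True), packet)
            reads += n
            if rule is not None:
                break
        return rule, probes, reads

# Constructed sample data: nine group-1 rules sharing SIP 10.0.0.1, and two packets.
SIP = "10.0.0.1"
RULES = [dict(SIP=SIP, action=act, **f) for f, act in (
    ({"SP": 80}, "permit"), ({"DP": 53}, "permit"), ({"Protocol": 6}, "deny"),
    ({"SP": 1024, "DP": 22}, "deny"), ({"SP": 443, "Protocol": 6}, "permit"), ({"DP": 25, "Protocol": 6}, "deny"),
    ({"SP": 5000, "DP": 8080, "Protocol": 17}, "permit"), ({"DP": 443}, "permit"), ({"SP": 443}, "deny"))]
PKT_HIT = dict(SIP=SIP, DIP="192.0.2.7", SP=443, DP=8443, Protocol=17)   # matches only RULES[8]
PKT_MISS = dict(SIP=SIP, DIP="192.0.2.7", SP=9000, DP=9000, Protocol=1)  # matches nothing

def run_demo():
    """Install the rules; snapshot the table before and after the 9th rule forces a second hash."""
    t = AclTable()
    a = t.addr(RULES[0], ("SIP",))
    for r in RULES[:8]:
        t.install(r)
    before = (len(list(t.chain(a))), t.two_level[a], t.lookup(PKT_HIT, ("SIP",)))
    t.install(RULES[8])
    after = (len(list(t.chain(a))), t.two_level[a], t.lookup(PKT_HIT, ("SIP",)),
             t.lookup(PKT_MISS, ("SIP",)), sum(r is not None for r in t.rule))
    return before, after
```

With eight rules installed, `run_demo()` shows the single first-hash probe walking an eight-entry linked list; the ninth rule pushes the list past the limit, after which the base slot holds only the head, the other rules sit in extension or conflict space, and a packet that matches none of them costs exactly 1 + 8 = 9 probes, the bound the text above states for one group. A second-level collision still chains into conflict space, so the number of slots read can exceed the number of probes; the patent bounds probes, not chain walks.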
Embodiment eight
Fig. 8 is the structured flowchart accessing the inquiry unit controlling list that the embodiment of the present invention provides, this device Can run in communication equipment.For convenience of description, illustrate only part related to the present embodiment.
With reference to Fig. 8, this access controls the inquiry unit of list, including:
Rule receiver module 81, is used for receiving different types of rule in access control list ACL;
Sort module 82, for obtaining the element in each described rule, will be provided with the inhomogeneity of common element The rule classification of type is same rule sets;
Address storage module 83, is used for utilizing Hash hash algorithm that described common element is carried out Hash computing, Generate the address that in described rule sets, different types of rule is deposited;
Query actions performs module 84, enters for the common element that extracting rule group is corresponding from described packet Row Hash computing, generates Double Data Rate synchronous DRAM DDR address, each by packet Element mates with each element of rule in described DDR address, according to the result of coupling, performs access Control the query actions of list;
Wherein, the address that rule is deposited is the DDR address of regular length, represents rule depositing in DDR Put address.
As a kind of implementation of the present embodiment, access in the inquiry unit controlling list described, described Sort module, specifically includes:
Acquiring unit, for obtaining the first element in described rule and the second element;
Whether the first taxon, be source IP address SIP for the first element detected in described rule, when When the first element in described rule is SIP, detect the second element in described rule whether for the purpose of IP Address D IP, when the second element in described rule is not DIP, by multiple first elements be SIP, Was Used is not the first rule sets for the rule classification of DIP, when the second element in described rule is DIP, By multiple first elements be SIP, the second element be the rule classification of DIP be Second Rule group;
Second taxon, for detect the first element in described rule whether for the purpose of IP address D IP, When the first element in described rule is DIP, by the described rule classification that multiple first elements are DIP It it is three sigma rule group;
Wherein, described first rule sets, described Second Rule group and the common element of described three sigma rule group Different.
As a kind of implementation of the present embodiment, access in the inquiry unit controlling list described, described Inquiry unit, also includes:
Space partition functionality configuration module, for configuring the space partition functionality of DDR, described space divides Function, particularly as follows:
ACL basic space is distributed in the space of the first percentage ratio;
ACL extending space is distributed in the space of the second percentage ratio;
Remaining DDR space is distributed to ACL conflict space;
Wherein, the first percentage ratio and the second percentage ratio are preset value.
As a kind of implementation of the present embodiment, access in the inquiry unit controlling list described, described Access the inquiry unit controlling list, also include:
Acl rule issues functional configuration module, is used for
Configuration acl rule issues function, and described acl rule issues function, particularly as follows:
When acquisition utilizes Hash hash algorithm that described common element is carried out Hash computing for the first time, generate rule The address then deposited in described ACL basic space;
In judging the address of described ACL basic space the most regular;
When there is no rule, rule is left in described ACL basic space;
When regular, it is judged that the rule in the address of described ACL basic space have employed two-stage Hash;
When the rule in the address of described ACL basic space does not use two-stage Hash, it is judged that rule chain Whether table length exceedes limit value, when regulation linked length is not above limit value, sets up or extends chained list Rule is left in described ACL conflict space;
When the rule in the address of described ACL basic space uses two-stage Hash, or, work as regulation linked When length exceedes limit value, remove the regulation linked that first order Hash is set up, calculated by second time Hash, Create-rule is in the address of described ACL extending space;
In judging the address of described ACL extending space the most regular;
When existing rule in the address of described ACL extending space, set up or extend chained list and rule is left in Described ACL conflicts space;
When there is no rule in the address of described ACL extending space in, rule is left described ACL extension Space.
As one implementation of this embodiment, in the query device for the access control list, the query action execution module specifically includes:
a request receiving unit, for receiving a packet's request to query the ACL;
a first DDR address generation unit, for extracting from the packet the common element required by the rule group, hashing it, and generating a first DDR address;
a rule judgment unit, for matching each element of the rule at the first DDR address against each element of the packet and determining whether a matching rule exists at that address in the ACL basic space;
a first rule query termination unit, for ending the rule query when there is no rule at the address in the ACL basic space;
a first matching unit, for determining, when there is a rule at the address in the ACL basic space, whether the rule match succeeds;
a second rule query termination unit, for ending the rule query when the rule match succeeds;
a rule pointer judgment unit, for determining, when the rule match fails, whether the address points to other rules in the rule linked list;
a third rule query termination unit, for searching each rule in the rule linked list in turn when the address points to other rules in the linked list, until a match is found or the end of the list is reached, and then ending the rule query;
a secondary hash judgment unit, for determining, when the address does not point to other rules in the rule linked list, whether the address requires a secondary hash;
a second DDR address generation unit, for computing the secondary hash, when the address requires one, with the elements specified by each rule type in the rule group in turn, and generating a second DDR address;
a query termination unit, for matching each element of the rule at the second DDR address against each element of the packet, querying whether a rule exists at that address in the ACL extension space, and ending the rule query when a rule match succeeds or all rule types have been traversed.
The device provided by this embodiment of the invention can be applied in the corresponding method embodiments described above; for details, see the description of those embodiments, which is not repeated here.
From the above description of the embodiments, those skilled in the art will understand clearly that the present invention can be implemented by software together with the necessary general-purpose hardware. The program may be stored in a readable storage medium, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory or registers. The storage medium resides in the memory; the processor reads the information in the memory and, in combination with its hardware, performs the method described in the embodiments of the invention.
The above are only specific embodiments of the present invention, but the protection scope of the invention is not limited to them; any changes or substitutions that a person familiar with the art could readily conceive within the technical scope disclosed by the invention fall within the protection scope of the invention. The protection scope of the invention is therefore defined by the claims.

Claims (10)

1. A query method for an access control list, characterized in that it comprises:
receiving rules of different types in an access control list (ACL);
obtaining the elements in each of the rules, and classifying rules of different types that share a common element into the same rule group;
hashing the common element with a hash algorithm to generate the addresses at which the rules of different types in the rule group are stored;
extracting from a packet the common element corresponding to the rule group and hashing it to generate a double data rate synchronous dynamic random access memory (DDR) address, matching each element of the packet against each element of the rule at the DDR address, and performing the query action on the access control list according to the result of the match;
wherein the address at which a rule is stored is a fixed-length DDR address that represents the storage address of the rule in the DDR.
2. The query method for an access control list of claim 1, characterized in that obtaining the elements in each of the rules and classifying rules of different types that share a common element into the same rule group is specifically:
obtaining a first element and a second element in the rule;
detecting whether the first element in the rule is a source IP address (SIP); when the first element in the rule is an SIP, detecting whether the second element in the rule is a destination IP address (DIP); when the second element in the rule is not a DIP, classifying the rules whose first element is an SIP and whose second element is not a DIP as a first rule group; when the second element in the rule is a DIP, classifying the rules whose first element is an SIP and whose second element is a DIP as a second rule group;
detecting whether the first element in the rule is a destination IP address (DIP); when the first element in the rule is a DIP, classifying the rules whose first element is a DIP as a third rule group;
wherein the common elements of the first rule group, the second rule group and the third rule group differ.
3. The query method for an access control list of claim 1, characterized in that the query method further comprises:
configuring a space partition function of the DDR, the space partition function being specifically:
allocating a first percentage of the space to an ACL basic space;
allocating a second percentage of the space to an ACL extension space;
allocating the remaining DDR space to an ACL conflict space;
wherein the first percentage and the second percentage are preset values.
4. The query method for an access control list of claim 3, characterized in that the query method further comprises:
configuring an ACL rule delivery function, the ACL rule delivery function being specifically:
on first hashing the common element with the hash algorithm, generating the address at which the rule is stored in the ACL basic space;
determining whether a rule already exists at that address in the ACL basic space;
when there is no rule, storing the rule in the ACL basic space;
when there is a rule, determining whether the rule at that address in the ACL basic space uses two-level hashing;
when the rule at that address in the ACL basic space does not use two-level hashing, determining whether the length of the rule linked list exceeds a limit value, and when the length of the rule linked list does not exceed the limit value, creating or extending the linked list and storing the rule in the ACL conflict space;
when the rule at that address in the ACL basic space uses two-level hashing, or when the length of the rule linked list exceeds the limit value, removing the rule linked list established by the first-level hash, performing the second hash computation, and generating the address of the rule in the ACL extension space;
determining whether a rule already exists at that address in the ACL extension space;
when a rule exists at that address in the ACL extension space, creating or extending a linked list and storing the rule in the ACL conflict space;
when no rule exists at that address in the ACL extension space, storing the rule in the ACL extension space.
5. The query method for an access control list of claim 1 or 3, characterized in that extracting from the packet the common element corresponding to the rule group and hashing it to generate a double data rate synchronous dynamic random access memory (DDR) address, matching each element of the packet against each element of the rule at the DDR address, and performing the query action on the access control list according to the result of the match is specifically:
receiving a packet's request to query the ACL;
extracting from the packet the common element required by the rule group and hashing it to generate a first DDR address;
matching each element of the rule at the first DDR address against each element of the packet, and determining whether a matching rule exists at the address in the ACL basic space;
when there is no rule at the address in the ACL basic space, ending the rule query;
when there is a rule at the address in the ACL basic space, determining whether the rule match succeeds;
when the rule match succeeds, ending the rule query;
when the rule match fails, determining whether the address points to other rules in the rule linked list;
when the address points to other rules in the rule linked list, searching each rule in the rule linked list in turn until a match is found or the end of the list is reached, and then ending the rule query;
when the address does not point to other rules in the rule linked list, determining whether the address requires a secondary hash;
when the address requires a secondary hash, computing the secondary hash with the elements specified by each rule type in the rule group in turn, and generating a second DDR address;
matching each element of the rule at the second DDR address against each element of the packet, querying whether a rule exists at the address in the ACL extension space, and ending the rule query when a rule match succeeds or all rule types have been traversed.
6. A query device for an access control list, characterized in that it comprises:
a rule receiving module, for receiving rules of different types in an access control list (ACL);
a classification module, for obtaining the elements in each of the rules and classifying rules of different types that share a common element into the same rule group;
an address storage module, for hashing the common element with a hash algorithm to generate the addresses at which the rules of different types in the rule group are stored;
a query action execution module, for extracting from a packet the common element corresponding to the rule group and hashing it to generate a double data rate synchronous dynamic random access memory (DDR) address, matching each element of the packet against each element of the rule at the DDR address, and performing the query action on the access control list according to the result of the match;
wherein the address at which a rule is stored is a fixed-length DDR address that represents the storage address of the rule in the DDR.
7. The query device for an access control list of claim 6, characterized in that the classification module specifically includes:
an acquisition unit, for obtaining a first element and a second element in the rule;
a first classification unit, for detecting whether the first element in the rule is a source IP address (SIP); when the first element in the rule is an SIP, detecting whether the second element in the rule is a destination IP address (DIP); when the second element in the rule is not a DIP, classifying the rules whose first element is an SIP and whose second element is not a DIP as a first rule group; when the second element in the rule is a DIP, classifying the rules whose first element is an SIP and whose second element is a DIP as a second rule group;
a second classification unit, for detecting whether the first element in the rule is a destination IP address (DIP), and when the first element in the rule is a DIP, classifying the rules whose first element is a DIP as a third rule group;
wherein the common elements of the first rule group, the second rule group and the third rule group differ.
8. The query device for an access control list of claim 6, characterized in that the query device further comprises:
a space partition function configuration module, for configuring the space partition function of the DDR, the space partition function being specifically:
allocating a first percentage of the space to an ACL basic space;
allocating a second percentage of the space to an ACL extension space;
allocating the remaining DDR space to an ACL conflict space;
wherein the first percentage and the second percentage are preset values.
9. The query device for an access control list of claim 8, characterized in that the query device for an access control list further comprises:
an ACL rule delivery function configuration module, for configuring the ACL rule delivery function, the ACL rule delivery function being specifically:
on first hashing the common element with the hash algorithm, generating the address at which the rule is stored in the ACL basic space;
determining whether a rule already exists at that address in the ACL basic space;
when there is no rule, storing the rule in the ACL basic space;
when there is a rule, determining whether the rule at that address in the ACL basic space uses two-level hashing;
when the rule at that address in the ACL basic space does not use two-level hashing, determining whether the length of the rule linked list exceeds a limit value, and when the length of the rule linked list does not exceed the limit value, creating or extending the linked list and storing the rule in the ACL conflict space;
when the rule at that address in the ACL basic space uses two-level hashing, or when the length of the rule linked list exceeds the limit value, removing the rule linked list established by the first-level hash, performing the second hash computation, and generating the address of the rule in the ACL extension space;
determining whether a rule already exists at that address in the ACL extension space;
when a rule exists at that address in the ACL extension space, creating or extending a linked list and storing the rule in the ACL conflict space;
when no rule exists at that address in the ACL extension space, storing the rule in the ACL extension space.
10. The query device for an access control list of claim 6 or 8, characterized in that the query action execution module specifically includes:
a request receiving unit, for receiving a packet's request to query the ACL;
a first DDR address generation unit, for extracting from the packet the common element required by the rule group, hashing it, and generating a first DDR address;
a rule judgment unit, for matching each element of the rule at the first DDR address against each element of the packet and determining whether a matching rule exists at the address in the ACL basic space;
a first rule query termination unit, for ending the rule query when there is no rule at the address in the ACL basic space;
a first matching unit, for determining, when there is a rule at the address in the ACL basic space, whether the rule match succeeds;
a second rule query termination unit, for ending the rule query when the rule match succeeds;
a rule pointer judgment unit, for determining, when the rule match fails, whether the address points to other rules in the rule linked list;
a third rule query termination unit, for searching each rule in the rule linked list in turn when the address points to other rules in the linked list, until a match is found or the end of the list is reached, and then ending the rule query;
a secondary hash judgment unit, for determining, when the address does not point to other rules in the rule linked list, whether the address requires a secondary hash;
a second DDR address generation unit, for computing the secondary hash, when the address requires one, with the elements specified by each rule type in the rule group in turn, and generating a second DDR address;
a query termination unit, for matching each element of the rule at the second DDR address against each element of the packet, querying whether a rule exists at the address in the ACL extension space, and ending the rule query when a rule match succeeds or all rule types have been traversed.
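The rule delivery procedure of claims 4 and 9 and the query procedure of claims 5 and 10 are easier to follow as code. The following Python model is an added example and is not code from the patent or its assignee. It simulates the DDR as three slot arrays (the basic, extension and conflict spaces of claims 3 and 8) with a preset 50/30/20 split, classifies rules into the three groups of claims 2 and 7 from their first two elements, uses a domain-separated BLAKE2b hash for both hash levels, and switches a basic-space address to two-level hashing once its conflict chain holds two rules. The field names sip, dip, dport and proto, the percentages, the chain limit and the hash function are all assumptions; the patent fixes none of them. The lookup goes slightly beyond the claims in one respect: it tries each rule group in turn for a packet, which the claims leave to the reader.

```python
# Added example (not the patent's or assignee's code): a software model of the
# two-level hashed ACL table of claims 1 to 5 and 6 to 10. Field names, the
# 50/30/20 split, the chain limit and BLAKE2b as hash are assumptions.
import hashlib

COMMON = {"G1": ("sip",), "G2": ("sip", "dip"), "G3": ("dip",)}  # claim 2 groups

def classify(rule):
    """Claim 2: the first two elements of a rule decide its rule group."""
    first, second = rule[0][0], (rule[1][0] if len(rule) > 1 else None)
    if first not in ("sip", "dip"):
        raise ValueError("rule must start with sip or dip")
    return "G3" if first == "dip" else "G2" if second == "dip" else "G1"

def _h(level, values, modulus):
    """Domain-separated hash: level 'L1' is the first hash, 'L2' the second."""
    data = level.encode() + b"|" + "|".join(map(str, values)).encode()
    return int.from_bytes(hashlib.blake2b(data, digest_size=8).digest(), "big") % modulus

class Entry:
    def __init__(self, rule):
        self.rule, self.next, self.two_level = rule, None, False

class AclTable:
    """DDR modelled as three slot arrays split by preset percentages (claim 3)."""
    def __init__(self, slots=64, basic_pct=50, ext_pct=30, chain_limit=2):
        nb, ne = slots * basic_pct // 100, slots * ext_pct // 100
        self.basic, self.ext = [None] * nb, [None] * ne
        self.conflict = [None] * (slots - nb - ne)  # overflow chains live here
        self.free = list(range(len(self.conflict)))
        self.chain_limit, self.types = chain_limit, {}  # types: group -> field tuples

    def _chain(self, head):
        idx, out = head.next, []  # (index, entry) pairs of head's linked list
        while idx is not None:
            out.append((idx, self.conflict[idx]))
            idx = self.conflict[idx].next
        return out

    def _append(self, head, rule):
        idx = self.free.pop()  # IndexError here means the conflict space is full
        self.conflict[idx] = Entry(rule)
        self.conflict[idx].next, head.next = head.next, idx
        return idx

    def _store_ext(self, rule):
        addr = _h("L2", [v for _, v in rule], len(self.ext))  # all rule elements
        if self.ext[addr] is None:
            self.ext[addr] = Entry(rule)
            return ("ext", addr)
        return ("conflict", self._append(self.ext[addr], rule))

    def insert(self, rule):
        """Rule delivery (claim 4). Returns (space, address) where the rule landed."""
        group, d = classify(rule), dict(rule)
        if tuple(d) not in self.types.setdefault(group, []):
            self.types[group].append(tuple(d))
        addr = _h("L1", [d[f] for f in COMMON[group]], len(self.basic))
        head = self.basic[addr]
        if head is None:
            self.basic[addr] = Entry(rule)
            return ("basic", addr)
        if not head.two_level:
            chain = self._chain(head)
            if len(chain) < self.chain_limit:
                return ("conflict", self._append(head, rule))
            # Chain too long: drop the first-level chain, switch the head to
            # two-level mode and re-home the chained rules under the second hash.
            self.free += [idx for idx, _ in chain]
            head.next, head.two_level = None, True
            for _, entry in chain:
                self._store_ext(entry.rule)
        return self._store_ext(rule)

    def lookup(self, packet):
        """Query action (claim 5), tried per rule group. Returns the rule or None."""
        for group, fields in COMMON.items():
            if group not in self.types or any(f not in packet for f in fields):
                continue
            head = self.basic[_h("L1", [packet[f] for f in fields], len(self.basic))]
            if head is None:
                continue  # no rule at the first DDR address: this group is done
            for entry in [head] + [e for _, e in self._chain(head)]:
                if all(packet.get(f) == v for f, v in entry.rule):
                    return entry.rule
            if not head.two_level:
                continue
            for tfields in self.types[group]:  # one second hash per rule type
                if any(f not in packet for f in tfields):
                    continue
                entry = self.ext[_h("L2", [packet[f] for f in tfields], len(self.ext))]
                while entry is not None:
                    if all(packet.get(f) == v for f, v in entry.rule):
                        return entry.rule
                    entry = None if entry.next is None else self.conflict[entry.next]
        return None
```

Rules that share a common element (for instance four rules for the same source address with different destination ports) always hash to the same basic-space address, so a handful of such rules is enough to exercise every branch: the first lands in the basic space, the next two go to the conflict chain, and the fourth pushes the chain over the limit, which tears the chain down and re-homes those rules in the extension space under the second hash. The lookup never trusts an address alone; every candidate rule is re-checked element by element before it is returned, so hash collisions between unrelated rules cost a few extra comparisons but cannot produce a false match.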
CN201510998606.3A 2015-12-28 2015-12-28 A kind of querying method and device of accesses control list Active CN106027459B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510998606.3A CN106027459B (en) 2015-12-28 2015-12-28 A kind of querying method and device of accesses control list

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510998606.3A CN106027459B (en) 2015-12-28 2015-12-28 A kind of querying method and device of accesses control list

Publications (2)

Publication Number Publication Date
CN106027459A true CN106027459A (en) 2016-10-12
CN106027459B CN106027459B (en) 2019-04-30

Family

ID=57082593

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510998606.3A Active CN106027459B (en) 2015-12-28 2015-12-28 A kind of querying method and device of accesses control list

Country Status (1)

Country Link
CN (1) CN106027459B (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109547502A (en) * 2019-01-22 2019-03-29 成都亚信网络安全产业技术研究院有限公司 Firewall ACL management method and device
CN110022281A (en) * 2018-01-08 2019-07-16 中国移动通信有限公司研究院 Test method, equipment and the computer storage medium of accesses control list capacity
CN112311595A (en) * 2020-10-15 2021-02-02 烽火通信科技股份有限公司 Efficient access control linked list and implementation method thereof
CN112383479A (en) * 2020-10-15 2021-02-19 国家计算机网络与信息安全管理中心 Rule query method and device, computer equipment and storage medium
CN112667526A (en) * 2021-03-22 2021-04-16 芯启源(南京)半导体科技有限公司 Method and circuit for realizing access control list circuit
CN113779320A (en) * 2021-08-18 2021-12-10 北京计算机技术及应用研究所 Method for solving table entry storage address conflict

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040254934A1 (en) * 2003-06-11 2004-12-16 International Business Machines Corporation High run-time performance method and system for setting ACL rule for content management security
CN101345694A (en) * 2007-07-11 2009-01-14 上海未来宽带技术及应用工程研究中心有限公司 Method for fast searching, positioning and matching access control list
CN103188231A (en) * 2011-12-30 2013-07-03 北京锐安科技有限公司 Multi-core printed circuit board access control list (ACL) rule matching method
CN104954200A (en) * 2015-06-17 2015-09-30 国家计算机网络与信息安全管理中心 Multi-type rule high-speed matching method and device of network data packet

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110022281A (en) * 2018-01-08 2019-07-16 中国移动通信有限公司研究院 Test method, equipment and the computer storage medium of accesses control list capacity
CN109547502A (en) * 2019-01-22 2019-03-29 成都亚信网络安全产业技术研究院有限公司 Firewall ACL management method and device
CN112311595A (en) * 2020-10-15 2021-02-02 烽火通信科技股份有限公司 Efficient access control linked list and implementation method thereof
CN112383479A (en) * 2020-10-15 2021-02-19 国家计算机网络与信息安全管理中心 Rule query method and device, computer equipment and storage medium
CN112383479B (en) * 2020-10-15 2022-03-22 国家计算机网络与信息安全管理中心 Rule query method and device, computer equipment and storage medium
CN112311595B (en) * 2020-10-15 2022-09-09 烽火通信科技股份有限公司 Efficient access control linked list and implementation method thereof
CN112667526A (en) * 2021-03-22 2021-04-16 芯启源(南京)半导体科技有限公司 Method and circuit for realizing access control list circuit
CN112667526B (en) * 2021-03-22 2021-06-29 芯启源(南京)半导体科技有限公司 Method and circuit for realizing access control list circuit
CN113779320A (en) * 2021-08-18 2021-12-10 北京计算机技术及应用研究所 Method for solving table entry storage address conflict
CN113779320B (en) * 2021-08-18 2024-02-27 北京计算机技术及应用研究所 Method for solving table entry storage address conflict

Also Published As

Publication number Publication date
CN106027459B (en) 2019-04-30

Similar Documents

Publication Publication Date Title
CN106027459A (en) ACL (access control list) query method and device
US10547541B2 (en) Route determining method, and corresponding apparatus and system
CN101860531B (en) Filtering rule matching method of data packet and device thereof
CN105122745A (en) Efficient longest prefix matching techniques for network devices
CN104579940B (en) Search the method and device of accesses control list
CN107547391B (en) Message transmission method and device
CN103166874A (en) Message forwarding method and device
TWI661698B (en) Method and device for forwarding Ethernet packet
CN103812765B (en) CAN (Controller Area Network) to Ethernet gateway with filtering function and data transmission method based on gateway
CN101753542A (en) Method and device for speeding up matching of filter rules of firewalls
CN103188231A (en) Multi-core printed circuit board access control list (ACL) rule matching method
CN103078798A (en) Method and equipment for establishing route table
CN101242362A (en) Find key value generation device and method
CN104580008B (en) The method and device of more queue random drop message precision is improved based on hardware
CN101645851A (en) Recombination method for IP fragment messages and device thereof
CN106777133A (en) A kind of similar connection processing method of metric space based on MapReduce
WO2012095386A4 (en) Peer node and method for improved peer node selection
CN101710864B (en) Collocation method and device for multi-gateway Linux server
CN108810881B (en) Network distribution method, equipment and system
CN106878185B (en) Message IP address matching circuit and method
CN107493245B (en) Board card of switch and data stream forwarding method
CN105933235A (en) Data communication method and data communication device
CN102752208B (en) Prevent the method and system that half-connection is attacked
CN105357332B (en) A kind of method for network address translation and device
CN103905324A (en) Dispatching and distributing method and system based on message five-element set

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: A query method and device of access control list

Effective date of registration: 20200826

Granted publication date: 20190430

Pledgee: Bank of Beijing Limited by Share Ltd. Shenzhen branch

Pledgor: Shenzhen Hengyang Data Co.,Ltd.

Registration number: Y2020980005382

PC01 Cancellation of the registration of the contract for pledge of patent right

Date of cancellation: 20210803

Granted publication date: 20190430

Pledgee: Bank of Beijing Limited by Share Ltd. Shenzhen branch

Pledgor: Shenzhen Hengyang Data Co.,Ltd.

Registration number: Y2020980005382

PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: A query method and device for access control list

Effective date of registration: 20210816

Granted publication date: 20190430

Pledgee: Bank of Beijing Limited by Share Ltd. Shenzhen branch

Pledgor: Shenzhen Hengyang Data Co.,Ltd.

Registration number: Y2021440020082