Query method and device for an access control list
Technical field
The invention belongs to the field of access control list (ACL) lookup, and more particularly relates to a query method and device for an access control list.
Background art
In communication equipment such as routers, switches and devices with similar functions, network traffic often has to be filtered by an ACL. Depending on the filtering requirement, some rules in the ACL are concerned only with the source IP address (SIP) of a packet, others with SIP plus source port (SP), and so on. When the number of rules in the ACL is very large, the rules must be stored in DDR memory, and the storage address of each rule in DDR is computed from the content of the rule by means of a hash.
In the current ACL lookup field, however, rules of different types require too many ACL lookups; lookup efficiency is low and cannot satisfy the lookup demand of packets against the access control list. The reason is that in the prior art each rule type requires its own hash operation to obtain the storage address of the rule, after which the rule at that address is read and compared with the information of the packet to decide whether the packet matches the rule. When there are many rule types, a packet requires many lookups; each lookup reads DDR once, the physical interface bandwidth of DDR is limited, and the more lookups a single packet requires, the fewer packets can be processed per unit of time. For the common case of many rule types, the efficiency of ACL lookup in the prior art is therefore very low.
Summary of the invention
The embodiments of the present invention aim to provide a query method for an access control list, in order to solve the problem in the current ACL lookup field that rules of different types require too many ACL lookups, that lookup efficiency is low, and that the lookup demand of packets against the access control list cannot be satisfied.
The embodiments of the present invention are implemented as follows: a query method for an access control list, comprising:
receiving rules of different types in an access control list ACL;
obtaining the elements of each rule, and classifying the rules of different types that share a common element into the same rule group;
performing a hash operation on the common element using a hash algorithm, to generate the storage address of the rules of different types in the rule group;
extracting from the packet the common element corresponding to the rule group and performing a hash operation on it, generating an address in double data rate synchronous dynamic random access memory (DDR), matching each element of the packet against each element of the rule at the DDR address, and executing the query action of the access control list according to the matching result;
wherein the storage address of a rule is a DDR address of fixed length that indicates the storage address of the rule in DDR.
Another object of the embodiments of the present invention is to provide a query device for an access control list, comprising:
a rule receiving module, for receiving rules of different types in an access control list ACL;
a classification module, for obtaining the elements of each rule and classifying the rules of different types that share a common element into the same rule group;
an address storage module, for performing a hash operation on the common element using a hash algorithm, to generate the storage address of the rules of different types in the rule group;
a query action execution module, for extracting from the packet the common element corresponding to the rule group and performing a hash operation on it, generating a DDR address, matching each element of the packet against each element of the rule at the DDR address, and executing the query action of the access control list according to the matching result;
wherein the storage address of a rule is a DDR address of fixed length that indicates the storage address of the rule in DDR.
In the embodiments of the present invention, a hash operation is performed on the common element using a hash algorithm to generate the storage address of the rules of different types in the rule group. This solves the problem in the current ACL lookup field that rules of different types require too many ACL lookups, that lookup efficiency is low, and that the lookup demand of packets against the access control list cannot be satisfied. When a single packet queries this group of rules, the lookup for all rule types is completed with a single table lookup, which saves query time and significantly improves ACL lookup efficiency.
Brief description of the drawings
Fig. 1 is an implementation flow chart of the query method for an access control list provided in an embodiment of the present invention;
Fig. 2 is an implementation flow chart of step S102 of the query method for an access control list provided in an embodiment of the present invention;
Fig. 3 is a preferred example of rule group division provided in an embodiment of the present invention;
Fig. 4 is an implementation flow chart of the space partition function for configuring DDR provided in an embodiment of the present invention;
Fig. 5 is a preferred example of the space division of DDR provided in an embodiment of the present invention;
Fig. 6 is a preferred flow chart of ACL rule issuing in practical application provided in an embodiment of the present invention;
Fig. 7 is a preferred flow chart of a packet querying the ACL in practical application provided in an embodiment of the present invention;
Fig. 8 is a structural block diagram of the query device for an access control list provided in an embodiment of the present invention.
Detailed description of the embodiments
In order to make the objectives, technical solutions and advantages of the present invention clearer, the present invention is further described below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present invention and are not intended to limit it.
Embodiment one
Fig. 1 is an implementation flow chart of the query method for an access control list provided in an embodiment of the present invention, described in detail as follows:
In step S101, rules of different types in the access control list ACL are received;
In step S102, the elements of each rule are obtained, and the rules of different types that share a common element are classified into the same rule group;
In step S103, a hash operation is performed on the common element using a hash algorithm, to generate the storage address of the rules of different types in the rule group;
In step S104, the common element corresponding to the rule group is extracted from the packet and a hash operation is performed on it, generating an address in double data rate synchronous dynamic random access memory (DDR); each element of the packet is matched against each element of the rule at the DDR address, and the query action of the access control list is executed according to the matching result;
wherein the storage address of a rule is a DDR address of fixed length that indicates the storage address of the rule in DDR.
Matching each element of the packet against each element of the rule at the DDR address and executing the query action of the access control list according to the matching result specifically comprises:
matching each element of the packet against each element of the rule at the DDR address;
when the match succeeds, filtering the packet according to the action specified in the rule;
when the match fails, leaving the packet unaffected.
When the storage addresses obtained by hashing different rules in the ACL are identical, the rules are cascaded in the form of a linked list, and a packet then has to query every level of the list. When the list becomes too long, the list is cleared and the rules are hashed a second time using their complete element information, so that the rules in the former list obtain different storage addresses; the packet first queries the ACL at the address of the first hash, and then each rule type performs one further round of ACL lookup at the address obtained by the second hash. The number of ACL lookups is thus controlled by means of the second hash: the maximum number of lookups equals the number of rule types, which avoids an uncontrolled number of lookups when the list is too long.
In the embodiment of the present invention, when a single packet queries this rule group, the lookup for several rule types is completed with a single table lookup, which saves query time and significantly improves ACL lookup efficiency; at the same time the scheme is flexible enough that different rule groups can be designed for different requirements, improving the intelligence of the lookup. In addition, when a large number of rules obtain the same storage address in the first hash, the length of the linked list is controlled by means of the second hash. This solves the problem in the current ACL lookup field that when the storage addresses obtained by hashing a large number of rules are identical, the list length is uncontrolled, a single packet needs too many ACL lookups, lookup efficiency is low, and the lookup demand of packets against the access control list cannot be satisfied. When a single packet queries the storage address of the first hash, no matter how many rules fall on that address, they can be dispersed by the second hash, which bounds the maximum number of lookups, saves query time and significantly improves ACL lookup efficiency.
Embodiment two
Fig. 2 is an implementation flow chart of step S102 of the query method for an access control list provided in an embodiment of the present invention, described in detail as follows:
In step S201, the first element and the second element of the rule are obtained;
In step S202, it is detected whether the first element of the rule is the source IP address SIP. When the first element of the rule is SIP, it is detected whether the second element of the rule is the destination IP address DIP. When the second element of the rule is not DIP, the rules whose first element is SIP and whose second element is not DIP are classified into a first rule group; when the second element of the rule is DIP, the rules whose first element is SIP and whose second element is DIP are classified into a second rule group;
In step S203, it is detected whether the first element of the rule is the destination IP address DIP. When the first element of the rule is DIP, the rules whose first element is DIP are classified into a third rule group.
The elements of a rule are arranged in the order: source IP address SIP, destination IP address DIP, source port SP, destination port DP, and so on. When a rule does not contain some element, the subsequent elements simply move forward one position; for example, when a rule contains DIP, SP and DP, its first element is DIP, its second element is SP and its third element is DP.
The common elements of the first rule group, the second rule group and the third rule group are all different from one another.
Referring to Fig. 3, which is a preferred example of rule group division provided in an embodiment of the present invention, details are as follows:
24 different types of rules are divided into 3 rule groups, whose common elements are SIP, DIP and SIP+DIP respectively, and the ACL is queried with the rule group as the unit. The different rule types in the 3 rule groups are as follows:
First rule group:
1. SIP;
2. SIP+SP;
3. SIP+DP;
4. SIP+Protocol;
5. SIP+SP+DP;
6. SIP+SP+Protocol;
7. SIP+DP+Protocol;
8. SIP+SP+DP+Protocol.
Second rule group:
1. SIP+DIP;
2. SIP+DIP+SP;
3. SIP+DIP+DP;
4. SIP+DIP+Protocol;
5. SIP+DIP+SP+DP;
6. SIP+DIP+SP+Protocol;
7. SIP+DIP+DP+Protocol;
8. SIP+DIP+SP+DP+Protocol.
Third rule group:
1. DIP;
2. DIP+SP;
3. DIP+DP;
4. DIP+Protocol;
5. DIP+SP+DP;
6. DIP+SP+Protocol;
7. DIP+DP+Protocol;
8. DIP+SP+DP+Protocol.
After the above 24 rule types are divided into 3 groups, the address of a rule in DDR is no longer computed by hashing all the elements of each rule; the three rule groups take only SIP, DIP and SIP+DIP respectively when computing the DDR address. Taking the first rule group as an example, the 8 rule types SIP, SIP+SP, SIP+DP, SIP+Protocol, SIP+SP+DP, SIP+SP+Protocol, SIP+DP+Protocol and SIP+SP+DP+Protocol all contain SIP, and only SIP participates in the hash when the DDR storage address of these 8 rule types is computed. Therefore, for these 8 ACL rule types, if the SIP is identical, the computed DDR address is identical. That is, if a rule is stored at this address, whichever of the above 8 types it is, the packet only needs to hash by SIP to obtain the address, and the lookup result for all 8 rule types is obtained with a single lookup. By analogy, the second rule group and the third rule group can be handled in the same way, reducing the number of ACL lookups.
In the embodiment of the present invention, compared with the prior art, the number of ACL lookups for one rule group is reduced from 8 to 1 in the scheme of this application, which substantially improves lookup efficiency.
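The grouping of steps S201 to S203 and the single lookup per rule group of Fig. 3, as an added software model that is not part of the patent; the rule and packet encoding, the hash function (blake2b) and the table size are assumptions of this example.

```python
import hashlib

# Element order the patent uses when numbering a rule's elements.
ELEMENT_ORDER = ("SIP", "DIP", "SP", "DP", "Protocol")


def rule_group_of(match):
    """Classify a rule (dict element -> value) by its common element(s), as in S202/S203.

    A missing element lets the following ones move forward, so the "first" and
    "second" elements are simply the first two present in ELEMENT_ORDER.
    """
    present = [e for e in ELEMENT_ORDER if e in match]
    first = present[0] if present else None
    second = present[1] if len(present) > 1 else None
    if first == "SIP":
        return ("SIP", "DIP") if second == "DIP" else ("SIP",)
    if first == "DIP":
        return ("DIP",)
    raise ValueError("rule has neither SIP nor DIP as its first element")


def ddr_address(common, values, table_size=1 << 16):
    """Hash only the group's common element(s) to a DDR bucket index (S103/S104).

    'values' may be a rule's match dict or a packet; both use the same element names.
    blake2b and the table size are assumptions, not taken from the patent.
    """
    data = "|".join(f"{k}={values[k]}" for k in common).encode()
    digest = hashlib.blake2b(data, digest_size=8).digest()
    return int.from_bytes(digest, "big") % table_size


def rule_matches(match, packet):
    """A rule matches when every element it specifies equals the packet's element."""
    return all(packet.get(k) == v for k, v in match.items())


class GroupedAcl:
    """Rules stored per (group, address); rules that collide share one chain."""

    def __init__(self):
        self.buckets = {}    # (group, address) -> list of rules (conflict chain)
        self.groups = set()

    def add_rule(self, rule):
        group = rule_group_of(rule["match"])
        self.groups.add(group)
        addr = ddr_address(group, rule["match"])
        self.buckets.setdefault((group, addr), []).append(rule)

    def lookup(self, packet):
        """Return (action, lookups): one hash and one table lookup per rule group,
        not one per rule type, which is the 8-to-1 reduction of Embodiment two."""
        lookups = 0
        for group in sorted(self.groups):
            if any(e not in packet for e in group):
                continue
            lookups += 1
            chain = self.buckets.get((group, ddr_address(group, packet)), [])
            for rule in chain:          # walking the chain needs no further hash
                if rule_matches(rule["match"], packet):
                    return rule["action"], lookups
        return None, lookups


# Constructed sample rules: three types of the first group (common element SIP)
# and one of the third group (common element DIP).
SAMPLE_RULES = [
    {"match": {"SIP": "10.0.0.5", "SP": 22}, "action": "deny"},
    {"match": {"SIP": "10.0.0.5", "DP": 80}, "action": "permit"},
    {"match": {"SIP": "10.0.0.5", "Protocol": 17}, "action": "deny"},
    {"match": {"DIP": "192.0.2.1", "DP": 443}, "action": "deny"},
]


def build_sample_acl():
    acl = GroupedAcl()
    for rule in SAMPLE_RULES:
        acl.add_rule(rule)
    return acl


if __name__ == "__main__":
    acl = build_sample_acl()
    pkt = {"SIP": "10.0.0.5", "DIP": "192.0.2.9", "SP": 40000, "DP": 80, "Protocol": 6}
    print(acl.lookup(pkt))   # ('permit', 2): one lookup for the DIP group, one for SIP
```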
Embodiment three
Fig. 4 is an implementation flow chart of the space partition function for configuring DDR provided in an embodiment of the present invention, described in detail as follows:
S401: allocating a first percentage of the space to the ACL basic space;
S402: allocating a second percentage of the space to the ACL extension space;
S403: allocating the remaining DDR space to the ACL conflict space;
wherein the first percentage and the second percentage are preset values.
Referring to Fig. 5, which is a preferred example of the space division of DDR provided in an embodiment of the present invention, details are as follows:
Fig. 5 divides the DDR space into three parts, of which the ACL basic space is the largest.
In the embodiment of the present invention, the DDR space is divided into three parts: the ACL basic space, the ACL conflict space and the ACL extension space. The space in which the rule addresses computed by the hash algorithm lie is the ACL basic space.
Embodiment four
The embodiment of the present invention provides an implementation flow for configuring the ACL rule issuing function, described in detail as follows:
The ACL rule issuing function is configured; the ACL rule issuing function is specifically:
when the hash operation is performed on the common element using the hash algorithm for the first time, generating the address at which the rule is stored in the ACL basic space;
judging whether there is a rule at the address in the ACL basic space;
when there is no rule, storing the rule in the ACL basic space;
when there is a rule, judging whether the rule at the address in the ACL basic space has used two-stage hashing;
when the rule at the address in the ACL basic space has not used two-stage hashing, judging whether the rule chain length exceeds a limit value; when the rule chain length does not exceed the limit value, establishing or extending the chain and storing the rule in the ACL conflict space;
when the rule at the address in the ACL basic space has used two-stage hashing, or when the rule chain length exceeds the limit value, clearing the rule chain established by the first-level hash and generating the address of the rule in the ACL extension space by a second hash computation;
judging whether there is a rule at the address in the ACL extension space;
when there is a rule at the address in the ACL extension space, establishing or extending the chain and storing the rule in the ACL conflict space;
when there is no rule at the address in the ACL extension space, storing the rule in the ACL extension space.
The limit value may be set by the user or may be a system default; it is not restricted here.
When a rule chain exceeds 8 levels, the chain must be cleared and all elements of each rule participate in the hash at the same time. For example, a rule of type SIP+SP requires SIP+SP to participate together in the hash operation. With this two-hash approach, rules that fell on the same DDR address in the first hash have a very small probability of falling on the same DDR address again.
In this case, Rule-A, originally in the chain, remains at address A in the ACL basic space, while Rule-B and Rule-C are stored at addresses B1 and C1 in the ACL extension space. For a packet with a given SIP, it is only necessary to look up address A once and then, according to the addresses obtained by the second hash, to look up ACL-B and ACL-C in turn; at most 9 lookups are needed. If a hash conflict still occurs at the address computed by the second hash in the ACL extension space, a chain is likewise established: the first rule in the chain is stored in the ACL extension space and the subsequent rules in the chain are stored in the ACL conflict space.
In general, the DDR address obtained by the first hash lies in the ACL basic space and the DDR address obtained by the second hash lies in the ACL extension space; in a rule chain, the address of the first rule lies in the ACL basic space or the ACL extension space, and the subsequent rules lie in the ACL conflict space.
In this embodiment, the rule storage address is computed by way of a second-level hash: when conflicts in the first-level hash are very serious (for example, the chain length exceeds 8), the chain is cleared and the rules on the same chain are dispersed by the second-level hash and stored in the ACL extension space. In this way the number of ACL lookups is reduced and ACL lookup efficiency is significantly improved.
Embodiment five
The embodiment of the present invention provides an implementation flow of step S104 of the query method for an access control list, described in detail as follows:
receiving a request from a packet to query the ACL;
extracting from the packet the common element required by the rule group and performing a hash operation on it, generating a first DDR address;
matching each element of the rule at the first DDR address against each element of the packet, and judging whether there is a matching rule at the address in the ACL basic space;
when there is no rule at the address in the ACL basic space, ending the rule query;
when there is a rule at the address in the ACL basic space, judging whether the rule matches successfully;
when the rule matches successfully, ending the rule query;
when the rule does not match, judging whether the address points to other rules in the rule chain;
when the address points to other rules in the rule chain, querying each rule in the rule chain in turn until a match is found or the end of the chain is reached, and only then ending the rule query;
when the address does not point to other rules in the rule chain, judging whether the address requires a secondary hash;
when the address requires a secondary hash, letting the elements specified by each rule type in the rule group participate in the secondary hash computation in turn, generating a second DDR address;
matching each element of the rule at the second DDR address against each element of the packet, querying whether there is a rule at the address in the ACL extension space, and ending the rule query when the rule matches successfully or all rule types have been traversed.
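The three-space DDR layout of Embodiment three, the rule issuing flow of Embodiment four and the packet query flow of Embodiment five, as an added software model that is not part of the patent; the hash function (blake2b), the space sizes, the chain limit and the assumption that every packet carries all five elements are mine, not the patent's.

```python
import hashlib

ELEMENT_ORDER = ("SIP", "DIP", "SP", "DP", "Protocol")

def hash_addr(elements, values, size):
    """Hash the named elements of a rule or packet to a bucket index (blake2b is assumed)."""
    data = "|".join(f"{k}={values[k]}" for k in elements).encode()
    return int.from_bytes(hashlib.blake2b(data, digest_size=8).digest(), "big") % size

def rule_type(rule):
    return tuple(e for e in ELEMENT_ORDER if e in rule["match"])  # e.g. ('SIP', 'SP')

class Entry:
    def __init__(self, rule):
        self.rule = rule
        self.next = None        # index of the next chained entry in the conflict space
        self.two_stage = False  # set on a basic-space entry whose chain was re-hashed

class AclStore:
    """One rule group (e.g. common element SIP) laid out across the three DDR spaces."""
    def __init__(self, common, size=1 << 16, chain_limit=8):
        self.common = common             # common element(s) hashed at the first level
        self.basic = [None] * size       # ACL basic space
        self.ext = [None] * size         # ACL extension space
        self.conflict = []               # ACL conflict space (entries never reclaimed here)
        self.chain_limit = chain_limit   # the patent's example limit is 8 levels
        self.types = set()               # rule types present in this group

    def _chain(self, head):
        entry = head
        while entry is not None:
            yield entry
            entry = None if entry.next is None else self.conflict[entry.next]

    def _append(self, head, rule):
        last = list(self._chain(head))[-1]
        self.conflict.append(Entry(rule))
        last.next = len(self.conflict) - 1

    def _store_ext(self, rule):
        addr = hash_addr(rule_type(rule), rule["match"], len(self.ext))  # second hash: all elements
        if self.ext[addr] is None:
            self.ext[addr] = Entry(rule)
        else:
            self._append(self.ext[addr], rule)            # conflict again: chain again

    def add_rule(self, rule):
        """Rule issuing flow of Embodiment four."""
        self.types.add(rule_type(rule))
        addr = hash_addr(self.common, rule["match"], len(self.basic))
        head = self.basic[addr]
        if head is None:                                  # free: store in basic space
            self.basic[addr] = Entry(rule)
        elif not head.two_stage and len(list(self._chain(head))) < self.chain_limit:
            self._append(head, rule)                      # extend chain into conflict space
        else:                                             # chain too long, or already split
            moved = [e.rule for e in self._chain(head)][1:] + [rule]
            head.next, head.two_stage = None, True        # clear the first-level chain
            for r in moved:
                self._store_ext(r)

    def _walk(self, head, packet):
        """Read one chain entry by entry (one DDR read each) until a rule matches."""
        if head is None:
            return None, 1                                # an empty bucket is still one read
        reads = 0
        for entry in self._chain(head):
            reads += 1
            if all(packet.get(k) == v for k, v in entry.rule["match"].items()):
                return entry.rule["action"], reads
        return None, reads

    def lookup(self, packet):
        """Packet query flow of Embodiment five; returns (action, DDR reads)."""
        head = self.basic[hash_addr(self.common, packet, len(self.basic))]
        action, reads = self._walk(head, packet)
        if action is not None or head is None or not head.two_stage:
            return action, reads
        for rtype in sorted(self.types):                  # second level: one probe per type
            action, more = self._walk(self.ext[hash_addr(rtype, packet, len(self.ext))], packet)
            reads += more
            if action is not None:
                return action, reads
        return None, reads

    def count_rules(self, space):
        """Rules reachable from the heads of 'basic' or 'ext', chained entries included."""
        heads = self.basic if space == "basic" else self.ext
        return sum(len(list(self._chain(h))) for h in heads if h is not None)

# Constructed sample: four rule types of the SIP group sharing one SIP (one basic address).
SAMPLE_RULES = [{"match": m, "action": a} for m, a in (
    ({"SIP": "10.0.0.5", "SP": 22}, "deny"), ({"SIP": "10.0.0.5", "DP": 80}, "permit"),
    ({"SIP": "10.0.0.5", "Protocol": 17}, "deny"), ({"SIP": "10.0.0.5", "SP": 443, "DP": 8443}, "permit"))]
```

With chain_limit=3, adding the fourth sample rule clears the first-level chain and moves the last three rules into the extension space, after which a lookup costs one basic-space read plus at most one probe per rule type.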
Embodiment six
Fig. 6 is a preferred flow chart of ACL rule issuing in practical application provided in an embodiment of the present invention, described in detail as follows:
the first DDR address computation yields the address of the rule in the ACL basic space;
judge whether there is a rule at the address in the ACL basic space;
when there is no rule at the address in the ACL basic space, store the rule in the ACL basic space;
when there is a rule at the address in the ACL basic space, judge whether the rule at the address has used two-stage hashing;
when the rule at the address has not used two-stage hashing, judge whether the rule chain length exceeds the limit value;
when the rule chain length does not exceed the limit value, establish or extend the chain and store the rule in the ACL conflict space;
when the rule at the address has used two-stage hashing, or when the rule chain length exceeds the limit value, clear the rule chain established by the first-level hash and compute the address of the rule in the ACL extension space by the second hash;
judge whether there is a rule at the address in the ACL extension space;
when there is a rule at the address in the ACL extension space, establish or extend the chain and store the rule in the ACL conflict space;
when there is no rule at the address in the ACL extension space, store the rule in the ACL extension space.
Embodiment seven
Fig. 7 is a preferred flow chart of a packet querying the ACL in practical application provided in an embodiment of the present invention, described in detail as follows:
the packet queries the ACL;
the rule address is computed for the first time using SIP as the hash input;
judge whether there is a rule at the address in the basic space of the access control list ACL;
when there is no rule at the address in the ACL basic space, end the rule query;
when there is a rule at the address in the ACL basic space, judge whether the rule matches successfully;
when the rule matches successfully, end the rule query;
when the rule does not match, judge whether the address points to other rules in the rule chain;
when the address points to other rules in the rule chain, query each rule in the chain in turn until a match is found or the end of the chain is reached, and only then end the rule query;
when the address does not point to other rules in the rule chain, judge whether the address requires a secondary hash;
when the address requires a secondary hash, let the elements specified by each rule type in the rule group participate in the secondary hash computation in turn, obtain the address of the rule in the extension space, and query the rule by that address until the rule matches or all rule types have been traversed, then end the rule query.
Fig. 7 applies to the rule types that have SIP as their common element, for example the following 8 rule types:
SIP, SIP+SP, SIP+DP, SIP+Protocol, SIP+SP+DP, SIP+SP+Protocol, SIP+DP+Protocol, SIP+SP+DP+Protocol.
For a packet matched against these rules, the single table lookup process can be completed according to Fig. 7.
Embodiment eight
Fig. 8 is a structural block diagram of the query device for an access control list provided in an embodiment of the present invention; the device can run in communication equipment. For ease of description, only the parts related to this embodiment are shown.
Referring to Fig. 8, the query device for an access control list comprises:
a rule receiving module 81, for receiving rules of different types in an access control list ACL;
a classification module 82, for obtaining the elements of each rule and classifying the rules of different types that share a common element into the same rule group;
an address storage module 83, for performing a hash operation on the common element using a hash algorithm, to generate the storage address of the rules of different types in the rule group;
a query action execution module 84, for extracting from the packet the common element corresponding to the rule group and performing a hash operation on it, generating an address in double data rate synchronous dynamic random access memory (DDR), matching each element of the packet against each element of the rule at the DDR address, and executing the query action of the access control list according to the matching result;
wherein the storage address of a rule is a DDR address of fixed length that indicates the storage address of the rule in DDR.
As an implementation of this embodiment, in the query device for an access control list, the classification module specifically comprises:
an acquiring unit, for obtaining the first element and the second element of the rule;
a first classification unit, for detecting whether the first element of the rule is the source IP address SIP; when the first element of the rule is SIP, detecting whether the second element of the rule is the destination IP address DIP; when the second element of the rule is not DIP, classifying the rules whose first element is SIP and whose second element is not DIP into a first rule group; and when the second element of the rule is DIP, classifying the rules whose first element is SIP and whose second element is DIP into a second rule group;
a second classification unit, for detecting whether the first element of the rule is the destination IP address DIP, and when the first element of the rule is DIP, classifying the rules whose first element is DIP into a third rule group;
wherein the common elements of the first rule group, the second rule group and the third rule group are all different from one another.
As an implementation of this embodiment, the query device for an access control list further comprises:
a space partition function configuration module, for configuring the space partition function of DDR, the space partition function being specifically:
allocating a first percentage of the space to the ACL basic space;
allocating a second percentage of the space to the ACL extension space;
allocating the remaining DDR space to the ACL conflict space;
wherein the first percentage and the second percentage are preset values.
As an implementation of this embodiment, the query device for an access control list further comprises:
an ACL rule issuing function configuration module, for
configuring the ACL rule issuing function, the ACL rule issuing function being specifically:
when the hash operation is performed on the common element using the hash algorithm for the first time, generating the address at which the rule is stored in the ACL basic space;
judging whether there is a rule at the address in the ACL basic space;
when there is no rule, storing the rule in the ACL basic space;
when there is a rule, judging whether the rule at the address in the ACL basic space has used two-stage hashing;
when the rule at the address in the ACL basic space has not used two-stage hashing, judging whether the rule chain length exceeds a limit value; when the rule chain length does not exceed the limit value, establishing or extending the chain and storing the rule in the ACL conflict space;
when the rule at the address in the ACL basic space has used two-stage hashing, or when the rule chain length exceeds the limit value, clearing the rule chain established by the first-level hash and generating the address of the rule in the ACL extension space by a second hash computation;
judging whether there is a rule at the address in the ACL extension space;
when there is a rule at the address in the ACL extension space, establishing or extending the chain and storing the rule in the ACL conflict space;
when there is no rule at the address in the ACL extension space, storing the rule in the ACL extension space.
As an implementation of this embodiment, in the query device for an access control list, the query action execution module specifically comprises:
a request receiving unit, for receiving a request from a packet to query the ACL;
a first DDR address generation unit, for extracting from the packet the common element required by the rule group and performing a hash operation on it, generating a first DDR address;
a rule judging unit, for matching each element of the rule at the first DDR address against each element of the packet and judging whether there is a matching rule at the address in the ACL basic space;
a first rule query ending unit, for ending the rule query when there is no rule at the address in the ACL basic space;
a first matching unit, for judging whether the rule matches successfully when there is a rule at the address in the ACL basic space;
a second rule query ending unit, for ending the rule query when the rule matches successfully;
a pointed-to rule judging unit, for judging whether the address points to other rules in the rule chain when the rule does not match;
a third rule query ending unit, for querying each rule in the rule chain in turn when the address points to other rules in the rule chain, until a match is found or the end of the chain is reached, and only then ending the rule query;
a secondary hash judging unit, for judging whether the address requires a secondary hash when the address does not point to other rules in the rule chain;
a second DDR address generation unit, for letting the elements specified by each rule type in the rule group participate in the secondary hash computation in turn when the address requires a secondary hash, generating a second DDR address;
a query stopping unit, for matching each element of the rule at the second DDR address against each element of the packet, querying whether there is a rule at the address in the ACL extension space, and ending the rule query when the rule matches successfully or all rule types have been traversed.
The device provided in the embodiment of the present invention can be applied in the corresponding method embodiments above; for details, refer to the description of the above embodiments, which is not repeated here.
From the above description of the embodiments, it is clear to those skilled in the art that the present invention can be implemented by software together with the necessary general-purpose hardware. The program may be stored in a readable storage medium, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, registers and the like. The storage medium is located in a memory; a processor reads the information in the memory and, in combination with its hardware, executes the method described in each embodiment of the present invention.
The above description is merely a specific embodiment of the present invention, but the scope of protection of the present invention is not limited thereto; any changes or substitutions that can readily be conceived by those familiar with the art within the technical scope disclosed by the present invention shall be included within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be subject to the scope of protection of the claims.