CN106027459B - Query method and device for an access control list - Google Patents

Query method and device for an access control list

Info

Publication number: CN106027459B
Authority: CN (China)
Prior art keywords: rule, address, acl, space, regular
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201510998606.3A
Other languages: Chinese (zh)
Other versions: CN106027459A (en)
Inventors: 周毅华, 兰军
Current assignee: Shenzhen Hengxin Data Ltd By Share Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Shenzhen Hengxin Data Ltd By Share Ltd
Events: application filed by Shenzhen Hengxin Data Ltd By Share Ltd; priority claimed to CN201510998606.3A; publication of CN106027459A; application granted; publication of CN106027459B; legal status Active

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/10: Network security for controlling access to devices or network resources
    • H04L 63/101: Access control lists [ACL]
    • H04L 63/02: Network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227: Filtering policies
    • H04L 63/0263: Rule management


Abstract

The present invention applies to the field of access control list (ACL) lookup and provides a query method and device for an access control list. The method comprises: receiving rules of different types in an ACL; obtaining the elements of each rule and classifying the rules of different types that share a common element into the same rule group; hashing the common element with a hash algorithm to generate the storage address of the rules of different types in the rule group; and, on receiving a packet's request to query the ACL, extracting from the packet the common element required by the rule group, hashing it to generate an address in double data rate synchronous dynamic RAM (DDR), matching each element of the packet against each element of the rules stored at that DDR address, and executing the ACL query action according to the match result. When a single packet queries a rule group, one table lookup completes the query for every rule type in the group, which saves query time and significantly improves ACL lookup efficiency.

Description

Query method and device for an access control list
Technical field
The invention belongs to the field of access control list (ACL) lookup, and in particular relates to a query method and device for an access control list.
Background art
Routers, switches and communication equipment with similar functions frequently have to filter network traffic with an ACL. Depending on what the filter has to express, some ACL rules are concerned only with a packet's source IP address (SIP), others with SIP plus source port (SP), and so on. When the number of rules in the ACL is very large, the rules have to be stored in DDR, and each rule's storage address in DDR is computed by hashing the rule's content.
However, in current ACL lookup a packet has to query the ACL once for every rule type, so the number of lookups is excessive, lookup efficiency is low, and the packets' demand for querying the access control list cannot be met. The reason is that in the prior art each rule type requires its own hash computation to obtain the rule's storage address, after which the rule at that address is read and compared with the packet's fields to decide whether the packet matches the rule. With many rule types a single packet issues many lookups, each lookup costs one DDR read, and the physical bandwidth of the DDR interface is limited: the more lookups a single packet needs, the fewer packets can be processed per unit time. The prior art is therefore very inefficient at ACL lookup when there are many rule types.
Summary of the invention
The embodiments of the present invention aim to provide a query method for an access control list, intended to solve the problem that, in current ACL lookup, rules of different types require an excessive number of ACL queries, lookup efficiency is low, and the packets' demand for querying the access control list cannot be met.
The embodiments of the present invention are implemented as follows. A query method for an access control list comprises:
receiving rules of different types in the access control list (ACL);
obtaining the elements in each rule, and classifying the rules of different types that share a common element into the same rule group;
hashing the common element with a hash algorithm to generate the storage address of the rules of different types in the rule group;
extracting from a packet the common element corresponding to the rule group and hashing it to generate a double data rate synchronous dynamic random access memory (DDR) address, matching each element of the packet against each element of the rules at that DDR address, and executing the ACL query action according to the match result;
wherein the rule storage address is a fixed-length DDR address that denotes the rule's storage location in DDR.
Another object of the embodiments of the present invention is to provide a query device for an access control list, comprising:
a rule receiving module for receiving rules of different types in the access control list (ACL);
a classification module for obtaining the elements in each rule and classifying the rules of different types that share a common element into the same rule group;
an address storage module for hashing the common element with a hash algorithm to generate the storage address of the rules of different types in the rule group;
a query action execution module for extracting from a packet the common element corresponding to the rule group and hashing it to generate a DDR address, matching each element of the packet against each element of the rules at that DDR address, and executing the ACL query action according to the match result;
wherein the rule storage address is a fixed-length DDR address that denotes the rule's storage location in DDR.
In the embodiments of the present invention, the common element is hashed with a hash algorithm to generate the storage address of the rules of different types in the rule group. This solves the problem that, in current ACL lookup, rules of different types require an excessive number of ACL queries, lookup efficiency is low, and the packets' demand for querying the access control list cannot be met. When a single packet queries a rule group, one table lookup completes the query for every rule type in the group, which saves query time and significantly improves ACL lookup efficiency.
Description of the drawings
Fig. 1 is a flowchart of the access control list query method provided by an embodiment of the present invention;
Fig. 2 is a flowchart of step S102 of the access control list query method provided by an embodiment of the present invention;
Fig. 3 is a preferred example of rule group division provided by an embodiment of the present invention;
Fig. 4 is a flowchart of the DDR space partition configuration function provided by an embodiment of the present invention;
Fig. 5 is a preferred example of DDR space partitioning provided by an embodiment of the present invention;
Fig. 6 is a preferred flowchart of ACL rule installation in a practical application, provided by an embodiment of the present invention;
Fig. 7 is a preferred flowchart of a packet querying the ACL in a practical application, provided by an embodiment of the present invention;
Fig. 8 is a structural block diagram of the access control list query device provided by an embodiment of the present invention.
Detailed description of the embodiments
To make the objectives, technical solutions and advantages of the present invention clearer, the present invention is further described below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here merely illustrate the present invention and are not intended to limit it.
Embodiment one
Fig. 1 is a flowchart of the access control list query method provided by an embodiment of the present invention, described in detail as follows:
In step S101, rules of different types in the access control list (ACL) are received;
In step S102, the elements in each rule are obtained, and the rules of different types that share a common element are classified into the same rule group;
In step S103, the common element is hashed with a hash algorithm to generate the storage address of the rules of different types in the rule group;
In step S104, the common element corresponding to the rule group is extracted from the packet and hashed to generate a DDR (double data rate synchronous dynamic RAM) address; each element of the packet is matched against each element of the rules at that DDR address, and the ACL query action is executed according to the match result;
wherein the rule storage address is a fixed-length DDR address that denotes the rule's storage location in DDR.
Matching each element of the packet against each element of the rules at the DDR address and executing the ACL query action according to the match result specifically comprises:
each element of the packet is matched against each element of the rules at the DDR address;
when the match succeeds, the packet is filtered according to the action specified in the rule;
when the match fails, the packet is left unaffected.
When different rules in the ACL hash to the same storage address, the rules are chained together in a linked list, and the packet has to query every rule in the linked list;
when the linked list becomes too long, the linked list is dismantled and the rules are hashed a second time using their complete element information, so that the rules of the former linked list obtain distinct storage addresses; a packet first queries the ACL at the address of the first hash, and then each rule type is queried once more at the address obtained from the second hash;
the number of ACL lookups is thereby controlled by the second hash: the maximum number of lookups equals the number of rule types, and the unbounded number of lookups caused by an overlong linked list is avoided.
In the embodiments of the present invention, when a single packet queries a rule group, one table lookup completes the query for many rule types, which saves query time and significantly improves ACL lookup efficiency, while leaving enough flexibility for different rule groups to be designed for different needs, so that the lookup becomes smarter. In addition, when a large number of rules obtain the same storage address in the first hash, the length of the linked list is controlled by a second hash. This solves the problem that, in current ACL lookup, a large number of rules hash to the same storage address, the linked list length is unbounded, a single packet needs an excessive number of ACL queries, lookup efficiency is low, and the packets' demand for querying the access control list cannot be met. However many rules fall at the storage address that a single packet obtains from the first hash, the second hash spreads them out and bounds the maximum number of lookups, which saves query time and significantly improves ACL lookup efficiency.
Embodiment two
Fig. 2 is a flowchart of step S102 of the access control list query method provided by an embodiment of the present invention, described in detail as follows:
In step S201, the first element and the second element of the rule are obtained;
In step S202, it is detected whether the first element of the rule is a source IP address (SIP). If the first element is SIP, it is detected whether the second element of the rule is a destination IP address (DIP): rules whose first element is SIP and whose second element is not DIP are classified into the first rule group, and rules whose first element is SIP and whose second element is DIP are classified into the second rule group;
In step S203, it is detected whether the first element of the rule is a destination IP address (DIP); rules whose first element is DIP are classified into the third rule group;
The elements of a rule are ordered as follows: source IP address (SIP), destination IP address (DIP), source port (SP), destination port (DP), and so on. When a rule does not contain some element, the subsequent elements simply move forward by one position; for example, in a rule containing DIP, SP and DP, the first element is DIP, the second element is SP and the third element is DP.
The common elements of the first rule group, the second rule group and the third rule group are all different from one another.
Referring to Fig. 3, which is a preferred example of rule group division provided by an embodiment of the present invention, described in detail as follows:
24 rule types are divided into 3 rule groups whose common elements are SIP, DIP and SIP+DIP respectively, and the ACL is queried per rule group. The rule types in the 3 rule groups are as follows:
First rule group:
1.SIP;
2.SIP+SP;
3.SIP+DP;
4.SIP+Protocol;
5.SIP+SP+DP;
6.SIP+SP+Protocol;
7.SIP+DP+Protocol;
8.SIP+SP+DP+Protocol.
Second rule group:
1.SIP+DIP;
2.SIP+DIP+SP;
3.SIP+DIP+DP;
4.SIP+DIP+Protocol;
5.SIP+DIP+SP+DP;
6.SIP+DIP+SP+Protocol;
7.SIP+DIP+DP+Protocol;
8.SIP+DIP+SP+DP+Protocol.
Third rule group:
1.DIP;
2.DIP+SP;
3.DIP+DP;
4.DIP+Protocol;
5.DIP+SP+DP;
6.DIP+SP+Protocol;
7.DIP+DP+Protocol;
8.DIP+SP+DP+Protocol.
After the 24 rule types are divided into 3 groups, a rule's DDR address is no longer computed by hashing all of the rule's elements; instead the three rule groups hash only SIP, only DIP and only SIP+DIP respectively when computing the DDR address. Taking the first rule group as an example, the 8 rule types SIP, SIP+SP, SIP+DP, SIP+Protocol, SIP+SP+DP, SIP+SP+Protocol, SIP+DP+Protocol and SIP+SP+DP+Protocol all contain SIP, so only SIP participates in the hash when their DDR storage address is computed. For these 8 ACL rule types, rules with the same SIP therefore obtain the same DDR address. That is, whichever of the 8 types the rule stored at that address belongs to, the packet only needs to hash its SIP to obtain the address, and a single lookup yields the query result for all 8 rule types (if several rules share the address, they are compared in turn along the linked list, as described in Embodiment one). The second rule group and the third rule group work the same way and likewise reduce the number of ACL lookups.
In the embodiments of the present invention, compared with the prior art, the number of ACL lookups for one rule group in the scheme described in this application is reduced from 8 to 1, which greatly improves lookup efficiency.
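The grouping of Embodiment two and the one-lookup-per-group query, as an added example written for this page rather than code from the patent. It assumes SHA-256 truncated to 32 bits as the hash function (the patent names no specific algorithm), a 65536-entry table per group, `Protocol` as the element that follows DP in the canonical order (the description only lists SIP, DIP, SP, DP "and so on"), and constructed rules and a constructed packet with hypothetical addresses and ports. `prior_art_reads` counts what the background section describes: one hash and one DDR read per distinct rule type.

```python
# Added example (not the patent's own code): classify ACL rules into the three
# rule groups of Fig. 3 by their first two elements (steps S201-S203), store each
# rule at an address derived only from its group's common element, and show that
# a packet then needs one lookup per rule group rather than one per rule type.
# SHA-256 and the table size are assumptions; the patent names neither.
import hashlib
from collections import defaultdict

# Element order from the description: SIP, DIP, SP, DP, then (assumed) Protocol.
ELEMENT_ORDER = ("SIP", "DIP", "SP", "DP", "Protocol")
# The common element(s) hashed for each rule group (Fig. 3).
GROUP_KEY = {1: ("SIP",), 2: ("SIP", "DIP"), 3: ("DIP",)}


def rule_type(match):
    """A rule's type: the elements it carries, in canonical order. Elements the
    rule lacks are skipped, so the remaining ones move forward as in the text."""
    return tuple(e for e in ELEMENT_ORDER if e in match)


def classify(match):
    """Steps S201-S203: SIP then not-DIP -> group 1, SIP then DIP -> group 2,
    DIP first -> group 3."""
    elems = rule_type(match)
    first, second = elems[0], (elems[1] if len(elems) > 1 else None)
    if first == "SIP":
        return 2 if second == "DIP" else 1
    if first == "DIP":
        return 3
    raise ValueError("rule has neither SIP nor DIP: %r" % (match,))


def ddr_address(group, values, table_size=1 << 16):
    """Fixed-length DDR address computed from the group's common element(s) only."""
    material = "|".join("%s=%s" % (k, values[k]) for k in GROUP_KEY[group])
    digest = hashlib.sha256(material.encode()).digest()
    return int.from_bytes(digest[:4], "big") % table_size


def build_tables(rules):
    """One table per group; every rule type in a group shares the group's hash."""
    tables = {g: defaultdict(list) for g in GROUP_KEY}
    for rule in rules:
        g = classify(rule["match"])
        tables[g][ddr_address(g, rule["match"])].append(rule)
    return tables


def matches(rule, packet):
    return all(packet.get(k) == v for k, v in rule["match"].items())


def lookup(tables, packet):
    """Hash the packet's common element once per group and compare the packet
    against every rule (of any type) stored at that address.
    Returns (names of matching rules, number of DDR addresses read)."""
    hits, reads = [], 0
    for g in GROUP_KEY:
        reads += 1
        for rule in tables[g].get(ddr_address(g, packet), []):
            if matches(rule, packet):
                hits.append(rule["name"])
    return hits, reads


def prior_art_reads(rules):
    """Prior art (background section): one hash and one DDR read per distinct rule type."""
    return len({rule_type(r["match"]) for r in rules})


# Constructed sample rules and packet (hypothetical addresses and ports).
RULES = [
    {"name": "R1", "action": "deny",   "match": {"SIP": "10.0.0.5"}},
    {"name": "R2", "action": "permit", "match": {"SIP": "10.0.0.5", "SP": 443}},
    {"name": "R3", "action": "deny",   "match": {"SIP": "10.0.0.5", "DP": 22, "Protocol": 6}},
    {"name": "R4", "action": "permit", "match": {"SIP": "10.0.0.5", "DIP": "192.168.1.9"}},
    {"name": "R5", "action": "deny",   "match": {"DIP": "192.168.1.9", "DP": 80}},
    {"name": "R6", "action": "deny",   "match": {"SIP": "10.0.0.7"}},
]
TABLES = build_tables(RULES)
PACKET = {"SIP": "10.0.0.5", "DIP": "192.168.1.9", "SP": 443, "DP": 22, "Protocol": 6}

if __name__ == "__main__":
    print("grouped lookup:", lookup(TABLES, PACKET))
    print("prior-art reads:", prior_art_reads(RULES))
```

On the constructed rules the grouped lookup reads three DDR addresses (one per group) and returns R1 to R4, whereas the prior-art scheme of one hash per rule type would read five addresses, one for each distinct type present; with all 24 types of Fig. 3 populated the comparison becomes 24 reads against 3. Note that the lookup returns every matching rule, so the caller still has to apply the ACL's priority order before acting on a hit.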
Embodiment three
Fig. 4 is a flowchart of the DDR space partition configuration function provided by an embodiment of the present invention, described in detail as follows:
S401: a first percentage of the space is allocated to the ACL basic space;
S402: a second percentage of the space is allocated to the ACL extension space;
S403: the remaining DDR space is allocated to the ACL conflict space;
wherein the first percentage and the second percentage are preset values.
Referring to Fig. 5, which is a preferred example of DDR space partitioning provided by an embodiment of the present invention, described in detail as follows:
Fig. 5 divides the DDR space into three parts, of which the ACL basic space is the largest.
In the embodiments of the present invention, the DDR space is divided into three parts: the ACL basic space, the ACL conflict space and the ACL extension space. The space that holds the rule addresses computed by the hash algorithm is the ACL basic space.
Embodiment four
An embodiment of the present invention provides the implementation of the ACL rule installation function, described in detail as follows:
The ACL rule installation function is configured as follows:
when the common element is hashed with the hash algorithm for the first time, the address at which the rule is stored in the ACL basic space is generated;
it is judged whether a rule already exists at that address of the ACL basic space;
if there is no rule, the rule is stored in the ACL basic space;
if there is a rule, it is judged whether the rule at that address of the ACL basic space already uses two-level hashing;
if the rule at that address of the ACL basic space does not use two-level hashing, it is judged whether the length of the rule linked list exceeds the limit; if the linked list length does not exceed the limit, the linked list is created or extended and the rule is stored in the ACL conflict space;
if the rule at that address of the ACL basic space uses two-level hashing, or if the linked list length exceeds the limit, the rule linked list built by the first-level hash is dismantled, and the address at which the rule is stored in the ACL extension space is generated by a second hash computation;
it is judged whether a rule already exists at that address of the ACL extension space;
if there is a rule at that address of the ACL extension space, the linked list is created or extended and the rule is stored in the ACL conflict space;
if there is no rule at that address of the ACL extension space, the rule is stored in the ACL extension space.
The limit may be set by the user or be a system default; it is not restricted here.
When a rule linked list exceeds 8 levels, the linked list must be dismantled and all elements of each rule must participate in the hash together. For a rule of type SIP+SP, for example, SIP and SP together participate in the hash. With this two-pass hashing, rules that fell at the same DDR address in the first hash have a very small probability of falling at the same DDR address again.
In this case Rule-A, originally in the linked list, remains at address A in the ACL basic space, while Rule-B and Rule-C are stored at addresses B1 and C1 in the ACL extension space. For a packet with that particular SIP, address A has to be queried only once, after which ACL-B and ACL-C are queried in turn at the addresses obtained from the second hash, so at most 9 lookups are needed.
If a hash collision still occurs at the ACL extension space address computed by the second hash, a linked list is likewise built: the first rule in the linked list is stored in the ACL extension space, and the subsequent rules in the linked list are stored in the ACL conflict space.
In general, the DDR address computed by the first hash lies in the ACL basic space and the DDR address computed by the second hash lies in the ACL extension space; within a rule linked list, the address of the first rule is in the ACL basic space or the ACL extension space, and the subsequent rules reside in the ACL conflict space.
In this embodiment, rule storage addresses are computed with a second-level hash: when collisions in the first-level hash become severe (for example, the linked list length exceeds 8), the linked list is dismantled, the rules on that linked list are spread out by the second-level hash, and they are stored in the ACL extension space. This reduces the number of ACL lookups and significantly improves ACL lookup efficiency.
Embodiment five
An embodiment of the present invention provides the implementation of step S104 of the access control list query method, described in detail as follows:
a packet's request to query the ACL is received;
the common element required by the rule group is extracted from the packet and hashed to generate a first DDR address;
each element of the rules at the first DDR address is matched against each element of the packet, and it is judged whether a matching rule exists at that address of the ACL basic space;
if there is no rule at that address of the ACL basic space, the rule query ends;
if there is a rule at that address of the ACL basic space, it is judged whether the rule match succeeds;
if the rule match succeeds, the rule query ends;
if the rule match fails, it is judged whether the address points to further rules in a rule linked list;
if the address points to further rules in a rule linked list, each rule in the linked list is queried in turn until a match is found or the end of the linked list is reached, and only then does the rule query end;
if the address does not point to further rules in a rule linked list, it is judged whether the address requires a second hash;
if the address requires a second hash, the elements specified by each rule type in the rule group participate in turn in the second hash computation to generate a second DDR address;
each element of the rules at the second DDR address is matched against each element of the packet to check whether a rule exists at that address of the ACL extension space; the rule query ends when a rule matches or when all rule types have been traversed.
Embodiment six
Fig. 6 is a preferred flowchart of ACL rule installation in a practical application, provided by an embodiment of the present invention, described in detail as follows:
the first DDR address computation yields the rule's address in the ACL basic space;
it is judged whether a rule already exists at that address of the ACL basic space;
if there is no rule at that address of the ACL basic space, the rule is stored in the ACL basic space;
if there is a rule at that address of the ACL basic space, it is judged whether the rule at that address already uses two-level hashing;
if the rule at that address does not use two-level hashing, it is judged whether the length of the rule linked list exceeds the limit;
if the linked list length does not exceed the limit, the linked list is created or extended and the rule is stored in the ACL conflict space;
if the rule at that address uses two-level hashing, or if the linked list length exceeds the limit, the rule linked list built by the first-level hash is dismantled and the second hash computes the rule's address in the ACL extension space;
it is judged whether a rule already exists at that address of the ACL extension space;
if there is a rule at that address of the ACL extension space, the linked list is created or extended and the rule is stored in the ACL conflict space;
if there is no rule at that address of the ACL extension space, the rule is stored in the ACL extension space.
Embodiment seven
Fig. 7 is a preferred flowchart of a packet querying the ACL in a practical application, provided by an embodiment of the present invention, described in detail as follows:
the packet queries the ACL;
the rule address is computed for the first time with SIP as the hash input;
it is judged whether a rule exists at that address of the ACL basic space;
if there is no rule at that address of the ACL basic space, the rule query ends;
if there is a rule at that address of the ACL basic space, it is judged whether the rule match succeeds;
if the rule match succeeds, the rule query ends;
if the rule match fails, it is judged whether the address points to further rules in a rule linked list;
if the address points to further rules in a rule linked list, each rule in the linked list is queried in turn until a match is found or the end of the linked list is reached, and only then does the rule query end;
if the address does not point to further rules in a rule linked list, it is judged whether the address requires a second hash;
if the address requires a second hash, then for each rule type in the rule group the elements specified by that rule type participate in turn in the second hash computation to obtain the rule's address in the extension space, and the rule at that address is queried; the rule query ends when a rule matches or when all rule types have been traversed.
Fig. 7 applies to the rule types whose common element is SIP, for example the following 8 rule types:
SIP, SIP+SP, SIP+DP, SIP+Protocol, SIP+SP+DP, SIP+SP+Protocol, SIP+DP+Protocol, SIP+SP+DP+Protocol.
A packet governed by these rules completes the single table lookup process according to Fig. 7.
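The installation flow of Embodiments four and six (Fig. 6) together with the lookup flow of Embodiments five and seven (Fig. 7), as an added example written for this page and not the patent's code. It covers only the rule group whose common element is SIP, and it assumes SHA-256 truncated to 32 bits as the hash, a 65536-entry basic space and extension space, the description's example limit of 8 rules per first-level chain, packets that carry all four fields, and that the first rule of a dismantled chain keeps its basic-space slot while the rest are re-hashed, as in the Rule-A / Rule-B / Rule-C passage. The count returned by `lookup` is the number of DDR entries compared, which is the quantity the description wants bounded. Rules and packets are constructed with hypothetical values.

```python
# Added example, not the patent's own code: Fig. 6 rule installation and Fig. 7
# packet lookup for the rule group whose common element is SIP. SHA-256, the
# table sizes and the read accounting are assumptions the patent does not fix.
import hashlib

CHAIN_LIMIT = 8  # the description's example: rebuild once a chain exceeds 8 rules
ELEMENT_ORDER = ("SIP", "SP", "DP", "Protocol")
# The eight rule types of the SIP group (Fig. 3), tried in this order after the second hash.
SIP_GROUP_TYPES = [("SIP",), ("SIP", "SP"), ("SIP", "DP"), ("SIP", "Protocol"),
                   ("SIP", "SP", "DP"), ("SIP", "SP", "Protocol"),
                   ("SIP", "DP", "Protocol"), ("SIP", "SP", "DP", "Protocol")]

def hash_addr(fields, values, size):
    """Fixed-length DDR address from the named fields of a rule or packet."""
    material = "|".join("%s=%s" % (f, values[f]) for f in fields)
    return int.from_bytes(hashlib.sha256(material.encode()).digest()[:4], "big") % size

def rule_type(rule):
    """The elements a rule carries, in canonical order (its type in Fig. 3)."""
    return tuple(f for f in ELEMENT_ORDER if f in rule["match"])

class Bucket:
    """One DDR address: `head` lives in the basic or extension space, later colliders
    in `chain` live in the conflict space; `two_level` marks a rebuilt basic address."""
    def __init__(self, head):
        self.head, self.chain, self.two_level = head, [], False

class AclStore:
    def __init__(self, basic_size=1 << 16, ext_size=1 << 16):
        self.basic_size, self.ext_size = basic_size, ext_size
        self.basic, self.ext = {}, {}  # address -> Bucket, one dict per space

    def _ext_install(self, rule):
        """Second hash over all of the rule's own elements (e.g. SIP+SP together)."""
        addr = hash_addr(rule_type(rule), rule["match"], self.ext_size)
        if addr in self.ext:
            self.ext[addr].chain.append(rule)  # ACL conflict space
            return "conflict"
        self.ext[addr] = Bucket(rule)  # ACL extension space
        return "extension"

    def install(self, rule):
        """Fig. 6; returns the space the rule was placed in."""
        addr = hash_addr(("SIP",), rule["match"], self.basic_size)
        bucket = self.basic.get(addr)
        if bucket is None:
            self.basic[addr] = Bucket(rule)  # ACL basic space
            return "basic"
        if bucket.two_level:
            return self._ext_install(rule)
        if len(bucket.chain) + 1 < CHAIN_LIMIT:
            bucket.chain.append(rule)  # ACL conflict space
            return "conflict"
        # Chain too long: the head keeps its basic-space address; the rest of the
        # chain is re-hashed into the extension space, followed by the new rule.
        moved, bucket.chain, bucket.two_level = bucket.chain, [], True
        for r in moved:
            self._ext_install(r)
        return self._ext_install(rule)

def matches(rule, packet):
    return all(packet.get(k) == v for k, v in rule["match"].items())

def _scan(bucket, packet):
    """Compare head then chain; return (matching rule name or None, entries read)."""
    for i, rule in enumerate([bucket.head] + bucket.chain, 1):
        if matches(rule, packet):
            return rule["name"], i
    return None, 1 + len(bucket.chain)

def lookup(store, packet):
    """Fig. 7; returns (matching rule name or None, DDR entries read)."""
    bucket = store.basic.get(hash_addr(("SIP",), packet, store.basic_size))
    if bucket is None:
        return None, 1  # one read of an empty basic-space address
    name, reads = _scan(bucket, packet)
    if name is not None or not bucket.two_level:
        return name, reads
    # Second hash: one extension-space address per rule type of the group, computed
    # from the packet's own fields, so at most len(SIP_GROUP_TYPES) more addresses.
    for rtype in SIP_GROUP_TYPES:
        ext_bucket = store.ext.get(hash_addr(rtype, packet, store.ext_size))
        name, n = _scan(ext_bucket, packet) if ext_bucket is not None else (None, 1)
        reads += n
        if name is not None:
            break
    return name, reads

# Constructed sample: nine rules sharing SIP 10.0.0.5 (hypothetical values), so all
# collide at the first-level address and the ninth triggers the second-level rebuild.
def _rule(name, **match):
    return {"name": name, "match": match}

RULES = [_rule("A", SIP="10.0.0.5", Protocol=1), _rule("B", SIP="10.0.0.5", SP=443),
         _rule("C", SIP="10.0.0.5", SP=8443), _rule("D", SIP="10.0.0.5", DP=22),
         _rule("E", SIP="10.0.0.5", DP=80), _rule("F", SIP="10.0.0.5", Protocol=17),
         _rule("G", SIP="10.0.0.5", SP=443, DP=22), _rule("H", SIP="10.0.0.5", SP=443, Protocol=6),
         _rule("I", SIP="10.0.0.5", DP=22, Protocol=6)]

def build_store(rules=RULES):
    store = AclStore()
    for rule in rules:
        store.install(rule)
    return store
```

With the nine constructed rules the first eight land on one basic-space address (A as head, B to H chained in the conflict space); the ninth exceeds the limit, so A keeps its slot and B to I are re-hashed over their full elements into the extension space. A TCP packet from 10.0.0.5 with source port 8443 then costs one basic-space read plus at most one address per rule type (plus any extension-space chain entries) instead of walking a nine-deep chain, and an ICMP packet from the same host is resolved by the head rule in a single read. As in the patent's flow, the search stops at the first match, so rule priority has to be encoded in the order rules are installed or resolved by the caller.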
Embodiment eight
Fig. 8 is the structural block diagram of the inquiry unit of accesses control list provided in an embodiment of the present invention, which can transport Row is in communication equipment.For ease of description, only the parts related to this embodiment are shown.
Referring to Fig. 8, the inquiry unit of the accesses control list, comprising:
Regular receiving module 81, for receiving different types of rule in access control list ACL;
Categorization module 82 will be provided with the different types of rule of common element for obtaining the element in each rule Then it is classified as the same regular group;
Address storage module 83 generates institute for carrying out Hash operation to the common element using Hash hash algorithm State the address of different types of rule storage in regular group;
Query actions execution module 84, for the corresponding common element progress Hash of extracting rule group from the data packet Operation generates the address Double Data Rate synchronous DRAM DDR, will be in each element and the address DDR in data packet The each element of rule is matched, according to matched as a result, executing the query actions of accesses control list;
Wherein, the address of rule storage is the address DDR of regular length, indicates storage address of the rule in DDR.
As a kind of implementation of the present embodiment, in the inquiry unit of the accesses control list, the classification mould Block specifically includes:
Acquiring unit, for obtaining the first element and second element in the rule;
Whether the first taxon is source IP address SIP for detecting the first element in the rule, when the rule In the first element when being SIP, whether the second element detected in the rule is purpose IP address DIP, when the rule In second element when not being DIP, by multiple first elements be SIP, second element be not the rule classification of DIP is the first rule Multiple first elements are SIP, the rule classification that second element is DIP when the second element in the rule is DIP by group For Second Rule group;
Whether the second taxon is purpose IP address DIP for detecting the first element in the rule, when the rule It is third rule group by the rule classification that multiple first elements are DIP when the first element in then is DIP;
Wherein, each not phase of the common element of the described first regular group, the Second Rule group and the third rule group Together.
As a kind of implementation of the present embodiment, in the inquiry unit of the accesses control list, the inquiry dress It sets, further includes:
Space partition functionality configuration module, for configuring the space partition functionality of DDR, the space partition functionality, specifically Are as follows:
ACL basic space is distributed into the space of first percentage;
ACL extending space is distributed into the space of second percentage;
ACL conflict space is distributed into the remaining space DDR;
Wherein, the first percentage and the second percentage are preset value.
As a kind of implementation of the present embodiment, in the inquiry unit of the accesses control list, the access control The inquiry unit of list processed, further includes:
Acl rule issues functional configuration module, is used for
Configuration acl rule issues function, and the acl rule issues function, specifically:
When obtaining for the first time using Hash hash algorithm to common element progress Hash operation, create-rule is described The address stored in ACL basic space;
Judge whether regular in the address of the ACL basic space;
When not having rule, rule is stored in the ACL basic space;
When regular, judge whether the rule in the address of the ACL basic space has used two-stage Hash;
When the rule in the address of the ACL basic space does not use two-stage Hash, judgment rule chained list length is No is more than limit value, when regulation linked length is not above limit value, establishes or extends chained list and rule is stored in the ACL Conflict space;
When the rule in the address of the ACL basic space uses two-stage Hash, alternatively, when regulation linked length is more than limit When definite value, the regulation linked that first order Hash is established is removed, is calculated by second of Hash, create-rule is extended in the ACL The address in space;
Judge whether regular in the address of the ACL extending space;
When regular in the address of the ACL extending space, establish or extend chained list and rule is stored in the ACL Conflict space;
When in the address of the ACL extending space without rule, rule is stored in the ACL extending space.
As an implementation of this embodiment, in the query device for the access control list, the query action execution module specifically includes:
a request receiving unit, for receiving a request from a data packet to query the ACL;
a first DDR address generating unit, for extracting from the data packet the common element required by the rule group and performing the hash operation on it to generate a first DDR address;
a rule judging unit, for matching each element of the rule at the first DDR address against each element in the data packet and judging whether there is a matching rule at the address in the ACL basic space;
a first rule query ending unit, for ending the rule query when there is no rule at the address in the ACL basic space;
a first matching unit, for judging whether the rule matches successfully when there is a rule at the address in the ACL basic space;
a second rule query ending unit, for ending the rule query when the rule matches successfully;
a pointed-to rule judging unit, for judging, when the rule does not match, whether the address points to other rules in a rule chain;
a third rule query ending unit, for querying each rule in the rule chain in turn when the address points to other rules in the rule chain, until a match or the end of the chain, and only then ending the rule query;
a secondary hash judging unit, for judging whether the address requires a secondary hash when the address does not point to other rules in the rule chain;
a second DDR address generating unit, for performing the secondary hash calculation in turn with the elements specified by the rules in the rule group when the address requires a secondary hash, generating a second DDR address;
a query stopping unit, for matching each element of the rule at the second DDR address against each element in the data packet, querying whether there is a rule at the address in the ACL extending space, and ending the rule query when a rule matches successfully or all rule types have been traversed.
The device provided in this embodiment of the present invention can be applied in the corresponding method embodiment above; for details, refer to the description of that embodiment, which is not repeated here.
From the above description of the embodiments, it is clear to those skilled in the art that the present invention can be implemented by software plus the necessary general-purpose hardware. The program can be stored in a readable storage medium, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, registers and the like. The storage medium is located in a memory; a processor reads the information in the memory and, in combination with its hardware, executes the method described in each embodiment of the present invention.
The above is merely a specific embodiment, and the protection scope of the present invention is not limited thereto. Any change or substitution that can easily be thought of by a person familiar with the art within the technical scope disclosed by the present invention shall be covered by the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A query method for an access control list, characterized by comprising:
receiving rules of different types in an access control list (ACL);
obtaining the elements in each rule, and classifying the rules of different types that have a common element into the same rule group;
performing a hash operation on the common element using a hash algorithm to generate the storage addresses of the different types of rules in the rule group;
extracting from a data packet the common element corresponding to the rule group and performing the hash operation on it to generate a double data rate synchronous dynamic random access memory (DDR) address, matching each element in the data packet against each element of the rule at the DDR address, and executing the query action of the access control list according to the matching result;
wherein the address at which a rule is stored is a fixed-length DDR address indicating the storage location of the rule in the DDR.
2. The query method for an access control list according to claim 1, characterized in that obtaining the elements in each rule and classifying the rules of different types that have a common element into the same rule group specifically comprises:
obtaining the first element and the second element in the rule;
detecting whether the first element in the rule is a source IP address (SIP); when the first element in the rule is an SIP, detecting whether the second element in the rule is a destination IP address (DIP); when the second element in the rule is not a DIP, classifying the rules whose first element is an SIP and whose second element is not a DIP as a first rule group; when the second element in the rule is a DIP, classifying the rules whose first element is an SIP and whose second element is a DIP as a second rule group;
detecting whether the first element in the rule is a destination IP address (DIP); when the first element in the rule is a DIP, classifying the rules whose first element is a DIP as a third rule group;
wherein the common elements of the first rule group, the second rule group and the third rule group are different.
3. The query method for an access control list according to claim 1, characterized in that the query method further comprises:
configuring a space partitioning function of the DDR, the space partitioning function specifically being:
allocating the space of a first percentage to the ACL basic space;
allocating the space of a second percentage to the ACL extending space;
allocating the remaining DDR space to the ACL conflict space;
wherein the first percentage and the second percentage are preset values.
4. The query method for an access control list according to claim 3, characterized in that the query method further comprises:
configuring an ACL rule issuing function, the ACL rule issuing function specifically being:
when the hash operation is performed on the common element using the hash algorithm for the first time, generating the address at which the rule is stored in the ACL basic space;
judging whether there is a rule at the address in the ACL basic space;
when there is no rule, storing the rule in the ACL basic space;
when there is a rule, judging whether the rule at the address in the ACL basic space has used two-level hashing;
when the rule at the address in the ACL basic space has not used two-level hashing, judging whether the length of the rule chain exceeds a limit value, and when the rule chain length does not exceed the limit value, creating or extending the chain and storing the rule in the ACL conflict space;
when the rule at the address in the ACL basic space uses two-level hashing, or when the rule chain length exceeds the limit value, removing the rule chain established by the first-level hash, performing the second hash calculation, and generating the address of the rule in the ACL extending space;
judging whether there is a rule at the address in the ACL extending space;
when there is a rule at the address in the ACL extending space, creating or extending the chain and storing the rule in the ACL conflict space;
when there is no rule at the address in the ACL extending space, storing the rule in the ACL extending space.
5. The query method for an access control list according to claim 1 or 3, characterized in that extracting from the data packet the common element corresponding to the rule group and performing the hash operation on it to generate the double data rate synchronous dynamic random access memory (DDR) address, matching each element in the data packet against each element of the rule at the DDR address, and executing the query action of the access control list according to the matching result specifically comprises:
receiving a request from a data packet to query the ACL;
extracting from the data packet the common element required by the rule group and performing the hash operation on it to generate a first DDR address;
matching each element of the rule at the first DDR address against each element in the data packet, and judging whether there is a matching rule at the address in the ACL basic space;
when there is no rule at the address in the ACL basic space, ending the rule query;
when there is a rule at the address in the ACL basic space, judging whether the rule matches successfully;
when the rule matches successfully, ending the rule query;
when the rule does not match, judging whether the address points to other rules in a rule chain;
when the address points to other rules in the rule chain, querying each rule in the rule chain in turn until a match or the end of the chain, and only then ending the rule query;
when the address does not point to other rules in the rule chain, judging whether the address requires a secondary hash;
when the address requires a secondary hash, performing the secondary hash calculation in turn with the elements specified by the rules in the rule group to generate a second DDR address;
matching each element of the rule at the second DDR address against each element in the data packet, querying whether there is a rule at the address in the ACL extending space, and ending the rule query when a rule matches successfully or all rule types have been traversed.
6. A query device for an access control list, characterized by comprising:
a rule receiving module, for receiving rules of different types in an access control list (ACL);
a classification module, for obtaining the elements in each rule and classifying the rules of different types that have a common element into the same rule group;
an address storage module, for performing a hash operation on the common element using a hash algorithm to generate the storage addresses of the different types of rules in the rule group;
a query action execution module, for extracting from a data packet the common element corresponding to the rule group and performing the hash operation on it to generate a double data rate synchronous dynamic random access memory (DDR) address, matching each element in the data packet against each element of the rule at the DDR address, and executing the query action of the access control list according to the matching result;
wherein the address at which a rule is stored is a fixed-length DDR address indicating the storage location of the rule in the DDR.
7. The query device for an access control list according to claim 6, characterized in that the classification module specifically includes:
an acquiring unit, for obtaining the first element and the second element in the rule;
a first classification unit, for detecting whether the first element in the rule is a source IP address (SIP); when the first element in the rule is an SIP, detecting whether the second element in the rule is a destination IP address (DIP); when the second element in the rule is not a DIP, classifying the rules whose first element is an SIP and whose second element is not a DIP as a first rule group; when the second element in the rule is a DIP, classifying the rules whose first element is an SIP and whose second element is a DIP as a second rule group;
a second classification unit, for detecting whether the first element in the rule is a destination IP address (DIP); when the first element in the rule is a DIP, classifying the rules whose first element is a DIP as a third rule group;
wherein the common elements of the first rule group, the second rule group and the third rule group are different.
8. The query device for an access control list according to claim 6, characterized in that the query device further includes:
a space partitioning function configuration module, for configuring a space partitioning function of the DDR, the space partitioning function specifically being:
allocating the space of a first percentage to the ACL basic space;
allocating the space of a second percentage to the ACL extending space;
allocating the remaining DDR space to the ACL conflict space;
wherein the first percentage and the second percentage are preset values.
9. The query device for an access control list according to claim 8, characterized in that the query device for the access control list further includes:
an ACL rule issuing function configuration module, for configuring an ACL rule issuing function, the ACL rule issuing function specifically being:
when the hash operation is performed on the common element using the hash algorithm for the first time, generating the address at which the rule is stored in the ACL basic space;
judging whether there is a rule at the address in the ACL basic space;
when there is no rule, storing the rule in the ACL basic space;
when there is a rule, judging whether the rule at the address in the ACL basic space has used two-level hashing;
when the rule at the address in the ACL basic space has not used two-level hashing, judging whether the length of the rule chain exceeds a limit value, and when the rule chain length does not exceed the limit value, creating or extending the chain and storing the rule in the ACL conflict space;
when the rule at the address in the ACL basic space uses two-level hashing, or when the rule chain length exceeds the limit value, removing the rule chain established by the first-level hash, performing the second hash calculation, and generating the address of the rule in the ACL extending space;
judging whether there is a rule at the address in the ACL extending space;
when there is a rule at the address in the ACL extending space, creating or extending the chain and storing the rule in the ACL conflict space;
when there is no rule at the address in the ACL extending space, storing the rule in the ACL extending space.
10. The query device for an access control list according to claim 6 or 8, characterized in that the query action execution module specifically includes:
a request receiving unit, for receiving a request from a data packet to query the ACL;
a first DDR address generating unit, for extracting from the data packet the common element required by the rule group and performing the hash operation on it to generate a first DDR address;
a rule judging unit, for matching each element of the rule at the first DDR address against each element in the data packet and judging whether there is a matching rule at the address in the ACL basic space;
a first rule query ending unit, for ending the rule query when there is no rule at the address in the ACL basic space;
a first matching unit, for judging whether the rule matches successfully when there is a rule at the address in the ACL basic space;
a second rule query ending unit, for ending the rule query when the rule matches successfully;
a pointed-to rule judging unit, for judging, when the rule does not match, whether the address points to other rules in a rule chain;
a third rule query ending unit, for querying each rule in the rule chain in turn when the address points to other rules in the rule chain, until a match or the end of the chain, and only then ending the rule query;
a secondary hash judging unit, for judging whether the address requires a secondary hash when the address does not point to other rules in the rule chain;
a second DDR address generating unit, for performing the secondary hash calculation in turn with the elements specified by the rules in the rule group when the address requires a secondary hash, generating a second DDR address;
a query stopping unit, for matching each element of the rule at the second DDR address against each element in the data packet, querying whether there is a rule at the address in the ACL extending space, and ending the rule query when a rule matches successfully or all rule types have been traversed.
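A runnable simulation of the rule-issue path (claims 4 and 9) and the query path (claims 5 and 10), with the grouping of claims 2 and 7, written as an added example that is not the patent's own code or hardware. It assumes a DDR modelled as a Python list of slots split by the two preset percentages, a second-level hash that is the same hash over the group's common elements with a level tag, and rule dictionaries, slot layout and the injectable `hasher` parameter constructed for illustration.

```python
import hashlib

DDR_SLOTS = 64                # constructed size of the simulated DDR
BASIC_PCT, EXT_PCT = 50, 25   # the "first/second percentage" preset values
CHAIN_LIMIT = 2               # rule-chain length limit before 2nd-level hash
BASIC_END = DDR_SLOTS * BASIC_PCT // 100          # basic space: slots [0, 32)
EXT_END = BASIC_END + DDR_SLOTS * EXT_PCT // 100  # extending space: [32, 48)
CONFLICT_SLOTS = DDR_SLOTS - EXT_END              # conflict space: the rest
# common element(s) of each rule group; "action" is never a matched element
GROUP_KEYS = {"sip": ("sip",), "sip_dip": ("sip", "dip"), "dip": ("dip",)}

def classify(rule):
    """Claim 2, approximated by SIP/DIP presence rather than element order."""
    if "sip" in rule:
        return "sip_dip" if "dip" in rule else "sip"
    if "dip" in rule:
        return "dip"
    raise ValueError("rule has neither SIP nor DIP")

def matches(rule, pkt):
    """A rule matches when each of its elements equals the packet's element."""
    return rule is not None and all(
        pkt.get(k) == v for k, v in rule.items() if k != "action")

class AclStore:
    def __init__(self, hasher=None):   # hasher is injectable to force collisions
        self.hasher = hasher or (
            lambda b: int.from_bytes(hashlib.sha256(b).digest()[:4], "big"))
        self.slots = [{"rule": None, "chain": [], "two_level": False}
                      for _ in range(DDR_SLOTS)]
        self.conflict_used = 0

    def ddr_address(self, group, fields, level):
        """Fixed-length DDR address hashed from the group's common elements."""
        key = "|".join(str(fields[k]) for k in GROUP_KEYS[group]) + f"#{level}"
        n = self.hasher(key.encode())
        return n % BASIC_END if level == 1 else BASIC_END + n % (EXT_END - BASIC_END)

    def _chain(self, slot, rule):
        if self.conflict_used >= CONFLICT_SLOTS:
            raise MemoryError("ACL conflict space exhausted")
        slot["chain"].append(rule)
        self.conflict_used += 1

    def add_rule(self, rule, level=1):
        """Claim 4: rule issue, entering at the first-level hash."""
        slot = self.slots[self.ddr_address(classify(rule), rule, level)]
        if slot["rule"] is None:
            slot["rule"] = rule
        elif level == 2 or (not slot["two_level"]
                            and len(slot["chain"]) < CHAIN_LIMIT):
            self._chain(slot, rule)
        else:
            # chain too long, or slot already two-level: remove the first-level
            # chain and re-place those rules (and this one) by the second hash
            moved, slot["chain"] = slot["chain"], []
            self.conflict_used -= len(moved)
            slot["two_level"] = True
            for r in moved + [rule]:
                self.add_rule(r, 2)

    def lookup(self, group, pkt):
        """Claim 5: basic slot, then its rule chain, then the second-level slot."""
        slot = self.slots[self.ddr_address(group, pkt, 1)]
        if slot["rule"] is None:             # nothing stored at the basic address
            return None
        for r in [slot["rule"]] + slot["chain"]:
            if matches(r, pkt):
                return r
        if not slot["two_level"]:            # chain exhausted, no second hash
            return None
        slot2 = self.slots[self.ddr_address(group, pkt, 2)]
        return next((r for r in [slot2["rule"]] + slot2["chain"]
                     if matches(r, pkt)), None)
```

Passing `hasher=lambda b: 0` forces every rule of a group onto one basic address, which exercises the chain, the chain-limit fallback into the extending space and the conflict-space exhaustion error.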
Application CN201510998606.3A, priority date 2015-12-28, filing date 2015-12-28: A query method and device for an access control list. Status: Active. Granted as CN106027459B (en).

Publications (2)

Publication Number Publication Date
CN106027459A CN106027459A (en) 2016-10-12
CN106027459B true CN106027459B (en) 2019-04-30

Family

ID=57082593

Legal Events

Code Title / Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right
Denomination of invention: A query method and device of access control list
Effective date of registration: 20200826
Granted publication date: 20190430
Pledgee: Bank of Beijing Limited by Share Ltd. Shenzhen branch
Pledgor: Shenzhen Hengyang Data Co.,Ltd.
Registration number: Y2020980005382
PC01 Cancellation of the registration of the contract for pledge of patent right
Date of cancellation: 20210803
Registration number: Y2020980005382
PE01 Entry into force of the registration of the contract for pledge of patent right
Effective date of registration: 20210816
Registration number: Y2021440020082
PC01 Cancellation of the registration of the contract for pledge of patent right
Registration number: Y2021440020082