CN106487769A - Implementation method and device for an access control list (ACL) - Google Patents

Info

Publication number: CN106487769A
Application number: CN201510551233.5A
Authority: CN (China)
Prior art keywords: critical field, rule, keyword, field, length
Legal status: Granted; active
Other languages: Chinese (zh)
Other versions: CN106487769B (en)
Inventors: 陈钦树, 郭继正, 王平
Current assignee: Shenzhen ZTE Microelectronics Technology Co Ltd
Original assignee: Shenzhen ZTE Microelectronics Technology Co Ltd
Application filed by Shenzhen ZTE Microelectronics Technology Co Ltd
Priority to CN201510551233.5A (patent CN106487769B)
Priority to PCT/CN2016/094450 (patent WO2017036291A1)
Publication of CN106487769A; application granted; publication of CN106487769B
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

An embodiment of the invention discloses a method for implementing an access control list (ACL), comprising: step A, dividing each search key extracted from the same packet into M key fields; step B, accessing the i-th of M preset rule tables using at least the i-th of the M key fields as the address, and obtaining the rule node type corresponding to the i-th key field; step C, when the rule node type corresponding to the i-th key field is a leaf node, taking the rule number corresponding to the i-th key field as the rule number of the search key corresponding to the M key fields, and proceeding to step E; step D, when the rule node type corresponding to the i-th key field is an intermediate node or a mixed node, incrementing i by 1 and returning to step B; step E, after the rule number of the search key has been determined, obtaining the corresponding action according to the rule number of the search key.

Description

Implementation method and device for an access control list (ACL)
Technical field
The present invention relates to the field of packet transmission, and in particular to a method and device for implementing an access control list (ACL).
Background
With the development of network technology, more and more network devices, such as security gateways, edge routers and core routers, need to support fast and accurate packet classification. Future networks must provide users with better quality of service, and the mechanisms that improve quality of service, such as firewalls, differentiated services, virtual private networks (VPN) and policy-based routing, are all built on efficient access control list (ACL, Access Control List) technology. Moreover, with the development of optical communication technology, link bandwidth and transmission rate are no longer the problem; the routing and forwarding equipment is becoming the network bottleneck, and the ACL is the key part of it. An efficient and fast ACL implementation is therefore extremely important for the development of the future Internet.
Existing packet transmission equipment uses ternary content addressable memory (TCAM, Ternary Content Addressable Memory) to implement ACLs. The advantage of implementing an ACL with a TCAM is that the implementation is simple, but a TCAM also has many shortcomings. First, within the same clock cycle a TCAM compares the search key against every one of its entries, which results in relatively high power consumption; second, TCAM devices are costly and expensive. The prior art therefore lacks a more suitable ACL implementation.
Summary of the invention
In view of this, embodiments of the present invention are expected to provide a method and device for implementing an ACL, so as to provide a new way of implementing an ACL that avoids the high power consumption and high cost caused by a TCAM.
To achieve the above purpose, the technical solution of the present invention is realized as follows:
In a first aspect, an embodiment of the present invention provides a method for implementing an ACL, comprising: step A, dividing each search key extracted from the same packet into M key fields, where M is an integer greater than or equal to 1; step B, accessing the i-th of M preset rule tables using at least the i-th of the M key fields as the address, and obtaining the rule node type corresponding to the i-th key field, where i = 1, 2, 3, 4, ..., M and the M rule tables correspond to the rules of the same dimension; step C, when the rule node type corresponding to the i-th key field is a leaf node, taking the rule number corresponding to the i-th key field as the rule number of the search key corresponding to the M key fields, and proceeding to step E; step D, when the rule node type corresponding to the i-th key field is an intermediate node or a mixed node, incrementing i by 1 and returning to step B; step E, after the rule number of the search key has been determined, obtaining the action corresponding to the rule number of the search key according to that rule number.
In the above solution, when i = 2, 3, ..., M, the method further comprises, after step B: when the rule node type corresponding to the i-th key field is an invalid node and the rule node type corresponding to the (i-1)-th key field is a mixed node, taking the rule number corresponding to the (i-1)-th key field as the rule number of the search key corresponding to the M key fields, and proceeding to step E.
In the above solution, when i = 1, step B comprises: accessing the 1st of the M preset rule tables using the 1st key field as the address.
In the above solution, when i = 2, 3, ..., M, step B comprises: accessing the i-th rule table using the next-level index of the (i-1)-th key field together with the i-th key field as the address.
In the above solution, step D comprises: when the rule node type corresponding to the i-th key field is an intermediate node, incrementing i by 1 and returning to step B; when the rule node type corresponding to the i-th key field is a mixed node, recording the rule number corresponding to the i-th key field, incrementing i by 1 and returning to step B.
In the above solution, the method further comprises: dividing the key corresponding to a rule of the same dimension into M segments; when the length of the key is equal to the length of the 1st key field, reading the 1st rule table using the 1st key field as the address, and obtaining and managing the corresponding node information; when the length of the key is less than the length of the 1st key field, expanding the remaining field to obtain the key remainder fields, reading the 1st rule table using each key remainder field as the address, and obtaining and managing the corresponding node information, where the remaining field is the key field of the key that needs to be matched; when the length of the key is greater than the length of the 1st key field, reading the 1st rule table using the 1st key field as the address, and obtaining and managing the corresponding node information.
In the above solution, the method further comprises: for the i-th of the M key fields, where i = 2, 3, ..., M, performing the following steps in turn: calculating the difference between the previous difference and the length of the i-th key field, where the previous difference is the difference between the length of the key field that needs to be matched in the key and the lengths of the preceding key fields; when the difference is equal to the length of the i-th key field, reading the i-th rule table using the next-level index of the (i-1)-th key field together with the i-th key field as the address, and obtaining and managing the corresponding node information; when the difference is less than the length of the i-th key field, expanding the remaining field to obtain the key remainder fields, reading the i-th rule table using each key remainder field as the address, and obtaining and managing the corresponding node information, where the remaining field is what is left of the key field that needs to be matched after the first i key fields are removed; when the difference is greater than the length of the i-th key field, reading the i-th rule table using the next-level index of the (i-1)-th key field together with the i-th key field as the address, and obtaining and managing the corresponding node information.
In the above solution, the method further comprises: after a configured rule has been updated, updating M backup rule tables based on the new configured rule, where the M backup rule tables correspond one-to-one to the M rule tables; after the M backup rule tables have been updated, switching to accessing the updated M backup rule tables and updating the M rule tables; after the M rule tables have been updated, switching access back from the updated M backup rule tables.
In the above solution, after step E, the method further comprises: merging the actions corresponding to the rule numbers of each of the search keys to obtain the ACL result of the packet.
In a second aspect, an embodiment of the present invention provides a device for implementing an ACL, comprising a rule table module, a scheduling module, an access module, a determining module, a loop module and an acquisition module; where the rule table module is configured to store the M rule tables corresponding to the rules of the same dimension, M being an integer greater than or equal to 1; the scheduling module is configured to divide each search key extracted from the same packet into M key fields; the access module is configured to access the i-th of the M preset rule tables using at least the i-th of the M key fields as the address, and to obtain the rule node type corresponding to the i-th key field, where i = 1, 2, 3, 4, ..., M; the determining module is configured, when the rule node type corresponding to the i-th key field is a leaf node, to take the rule number corresponding to the i-th key field as the rule number of the search key corresponding to the M key fields and to trigger the acquisition module; the loop module is configured, when the rule node type corresponding to the i-th key field is an intermediate node or a mixed node, to increment i by 1 and to trigger the access module; and the acquisition module is configured, after the rule number of the search key has been determined, to obtain the action corresponding to the rule number of the search key according to that rule number.
In the above solution, when i = 2, 3, ..., M, the determining module is further configured, when the rule node type corresponding to the i-th key field is an invalid node and the rule node type corresponding to the (i-1)-th key field is a mixed node, to take the rule number corresponding to the (i-1)-th key field as the rule number of the search key corresponding to the M key fields and to trigger the acquisition module.
In the above solution, when i = 1, the access module is configured to access the 1st of the M preset rule tables using the 1st key field as the address.
In the above solution, when i = 2, 3, ..., M, the access module is configured to access the i-th rule table using the next-level index of the (i-1)-th key field together with the i-th key field as the address.
In the above solution, the loop module is configured, when the rule node type corresponding to the i-th key field is an intermediate node, to increment i by 1 and to trigger the access module; and is further configured, when the rule node type corresponding to the i-th key field is a mixed node, to record the rule number corresponding to the i-th key field, to increment i by 1 and to trigger the access module.
In the above solution, the device further comprises a rule table generation module configured to divide the key corresponding to a rule of the same dimension into M segments; when the length of the key is equal to the length of the 1st key field, to read the 1st rule table using the 1st key field as the address, and to obtain and manage the corresponding node information; when the length of the key is less than the length of the 1st key field, to expand the remaining field to obtain the key remainder fields, to read the 1st rule table using each key remainder field as the address, and to obtain and manage the corresponding node information, where the remaining field is the key field of the key that needs to be matched; when the length of the key is greater than the length of the 1st key field, to read the 1st rule table using the 1st key field as the address, and to obtain and manage the corresponding node information.
In the above solution, the rule table generation module is configured, for the i-th of the M key fields, to calculate the difference between the previous difference and the length of the i-th key field, where the previous difference is the difference between the length of the key field that needs to be matched in the key and the lengths of the preceding key fields, i = 2, 3, ..., M; when the difference is equal to the length of the i-th key field, to read the i-th rule table using the next-level index of the (i-1)-th key field together with the i-th key field as the address, and to obtain and manage the corresponding node information; when the difference is less than the length of the i-th key field, to expand the remaining field to obtain the key remainder fields, to read the i-th rule table using each key remainder field as the address, and to obtain and manage the corresponding node information, where the remaining field is what is left of the key field that needs to be matched after the first i key fields are removed; when the difference is greater than the length of the i-th key field, to read the i-th rule table using the next-level index of the (i-1)-th key field together with the i-th key field as the address, and to obtain and manage the corresponding node information.
In the above solution, the rule table module is further configured, after a configured rule has been updated, to update M backup rule tables based on the new configured rule, where the M backup rule tables correspond one-to-one to the M rule tables; correspondingly, the access module is further configured, after the M backup rule tables have been updated, to switch to accessing the updated M backup rule tables and to update the M rule tables, and, after the M rule tables have been updated, to switch access back from the updated M backup rule tables.
In the above solution, the device further comprises a merging module configured, after a plurality of acquisition modules have obtained the actions corresponding to the rule numbers of each of the search keys, to merge the actions and obtain the ACL result of the packet.
Embodiments of the present invention provide a method and device for implementing an ACL. First, each search key extracted from the same packet is divided into M key fields; then the i-th of the M key fields is used as the address to access the i-th of M preset rule tables, and at least the rule type corresponding to the i-th key field is obtained, the M rule tables corresponding to the rules; then the rule number of the search key is determined according to the rule type corresponding to the i-th key field; finally, the action corresponding to the search key, that is, the action corresponding to the rule, is obtained according to the determined rule number, thereby implementing the ACL. In this way the high power consumption and high cost caused by a TCAM are avoided;
Further, since a search key is divided into M key fields, and the rule number corresponding to a key field is taken as the rule number of the search key as soon as the rule node type corresponding to the i-th key field is a leaf node, the whole search key need not be looked up, which greatly reduces the amount of data processed and thus improves search efficiency;
Further, since each key in the same packet is divided into M key fields and then processed, the key here may be the key of one dimension or the keys of multiple dimensions; that is, a multi-dimensional ACL can be implemented.
Description of the drawings
Fig. 1 is a first schematic structural diagram of the ACL implementing device in an embodiment of the present invention;
Fig. 2 is a second schematic structural diagram of the ACL implementing device in an embodiment of the present invention;
Fig. 3 is a third schematic structural diagram of the ACL implementing device in an embodiment of the present invention;
Fig. 4 is a flowchart of the ACL implementation method in an embodiment of the present invention;
Fig. 5 is a flowchart of one method of generating the rule tables in an embodiment of the present invention;
Fig. 6 is a flowchart of another method of generating the rule tables in an embodiment of the present invention;
Fig. 7 is a schematic diagram of a rule table in an embodiment of the present invention;
Fig. 8 is a schematic diagram of the action table in an embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings of the embodiments.
First, it should be noted that in packet data transmission, packets are divided into different flows according to specific key fields of the packet. Once divided into flows, various kinds of processing can be performed on a flow, for example dropping or forwarding, rate limiting, re-assigning priority, and so on; this processing is called an action. A rule together with its corresponding action is usually called one ACL.
For example, the general industry-standard rule is composed of 5 key fields, usually called the 5-tuple; these 5 keys are: the source address of the IP packet, the destination address of the IP packet, the protocol type carried by the IP packet, the TCP or UDP source port number, and the TCP or UDP destination port number. In practice, the keys can also have other extensions, such as the class of service COS, TOS, DSCP, the VLAN index VLANID, the source and destination MAC addresses, and so on; the present invention does not specifically limit this. Each of the above keys can be combined arbitrarily, and a range restriction can be set; for example, a rule can be: tcp port 1000~2000 + IP address 255.122.122.* (* is a field that need not be matched).
The ACL implementation method provided by an embodiment of the present invention is described below.
An embodiment of the present invention provides an ACL implementing device; as shown in Fig. 1, the device comprises a rule table module 1, a scheduling module 2, an access module 31, a determining module 32, a loop module 33 and an acquisition module 34;
In practice, the rule table module 1 may be one module or a plurality of modules; each module corresponds to the rules of one dimension, and M rule tables are stored in each module, M being an integer greater than or equal to 1;
The access module 31, determining module 32, loop module 33 and acquisition module 34 are arranged in a search engine; as shown in Fig. 2, one search engine 3 is connected to one rule table module 1, that is, for the same packet, one search engine 3 searches the rules of one dimension. Thus, when the device comprises a plurality of search engines 3, the device can search the rules of multiple dimensions of the same packet in parallel, which greatly improves the efficiency of the ACL implementation.
In this case, when the ACL implementing device performs a multi-dimensional search, the device may further comprise a merging module 4 configured to merge the actions corresponding to the rules of the multiple dimensions of the same packet, so as to obtain the ACL result of the packet.
Further, as shown in Fig. 3, the device can also perform single-dimension or multi-dimension searches for multiple packets in parallel at the same time, which greatly improves the parallel data processing capability, so that the processing speed is greatly increased and the real-time performance of the ACL is well guaranteed.
When the ACL implementing device processes multiple packets, the device may further comprise a polling scheduling module configured to schedule the ACL results of the multiple packets and output them to the next-stage processing module.
In the embodiment of the present invention, the above rule table module is configured to store the M rule tables corresponding to the rules of the same dimension;
The above scheduling module is configured to divide each search key extracted from the same packet into M key fields and distribute them to the corresponding search engine;
The above access module is configured to access the i-th of the M preset rule tables using at least the i-th of the M key fields as the address, and to obtain the rule node type corresponding to the i-th key field, where i = 1, 2, 3, 4, ..., M and the M rule tables correspond to the same rule;
The above determining module is configured, when the rule node type corresponding to the i-th key field is a leaf node, to take the rule number corresponding to the i-th key field as the rule number of the search key corresponding to the M key fields and to trigger the above acquisition module;
The above loop module is configured, when the rule node type corresponding to the i-th key field is an intermediate node or a mixed node, to increment i by 1 and to trigger the above access module;
The above acquisition module is configured, after the rule number of the search key has been determined, to obtain the action corresponding to the rule number of the search key according to that rule number.
With reference to the above system, the ACL implementation method provided by an embodiment of the present invention is described.
As shown in Fig. 4, the method comprises:
S401: dividing each search key extracted from the same packet into M key fields;
Specifically, for the same packet, the scheduling module parses the search key under a rule of one dimension from the packet according to preset configuration information; for example, the input port, destination IP address and IP precedence TOS in the packet are extracted and combined into {input port, destination IP address, IP precedence TOS}, denoted search key A. Then the search key is divided into M key fields; here, the division into key fields can be carried out according to a partitioning strategy set manually in advance, as determined by the practical application, and the present invention does not specifically limit this.
S402: accessing the i-th of the M preset rule tables using at least the i-th of the M key fields as the address, and obtaining the rule node type corresponding to the i-th key field;
Specifically, after the scheduling module has divided the key fields, it sends these fields to the search engine corresponding to the rules of the above dimension; then the access module in the search engine uses the i-th of the M key fields as the address to access the i-th of the M rule tables pre-stored in the rule table module, and obtains the rule node type corresponding to the i-th key field, where i = 1, 2, 3, 4, ..., M. It can be seen that key fields correspond one-to-one to rule tables, and that rules, search keys, search engines and rule table modules also correspond one-to-one.
In practice, accessing the rule table yields not only the rule node type corresponding to the i-th key field but also the next-level index and rule number corresponding to the i-th key field. Of course, other attribute parameters may also be present, such as the current segment length; the present invention does not specifically limit this.
Further, since the 1st key field is the initial field, the access module can access the 1st rule table using the 1st key field as the address and obtain the rule node type corresponding to the 1st key field; for the other key fields, i.e. the 2nd, 3rd, ..., M-th key fields, the access module accesses the corresponding rule table using the upper-level index of that key field together with the key field as the address.
Further, since the M rule tables in each rule table module correspond to the rules of the same dimension and the rule tables stored in the rule table module are preset, before S401 the corresponding M rule tables must also be generated for the rules of the same dimension.
Thus, as shown in Fig. 5, the method steps for generating the rule tables include:
S501: dividing the key corresponding to a rule of the same dimension into M segments;
Here, the above key is denoted B and its bit width is N; the M key field segments are denoted $B_i$, with $B = \{B_1, B_2, \ldots, B_M\}$, $i = 1, 2, \ldots, M$; the length of $B_i$ is denoted $N_i$, with $N_1 + N_2 + \cdots + N_M = N$. In practice, the lengths $N_i$ can be adjusted according to the implementation, and the key field lengths $N_i$ may be equal or unequal.
Further, the key field of the above key B that needs to be matched is denoted C, with length P, and the key field that need not be matched is denoted D, with length Q; then $B = \{C, D\}$ and $P + Q = N$.
For example, key B is the IP address 168.152.128.*, with length 32 bits, divided evenly into four segments of 8 bits each. The key field C of key B that needs to be matched is 168.152.128, with length 24 bits; the key field D that need not be matched is *, with length 8 bits.
S502: when the length of the key is equal to the length of the 1st key field, reading the 1st rule table using the 1st key field as the address, and obtaining and managing the corresponding node information;
Here, the above node information comprises: node type, rule number, next-level index and current segment length. Of course, other content may also be included; the present invention does not specifically limit this. In a rule table, the node information corresponding to one key field is one entry.
Thus, the step of managing the above node information may include: when the node type corresponding to the 1st key field in the 1st rule table is an invalid node, changing the node type to a leaf node, writing the rule number corresponding to the key, and setting the current segment length to the length of the key field that needs to be matched in the key;
When the node type corresponding to the 1st key field in the 1st rule table is an intermediate node, changing the node type to a mixed node, writing the rule number corresponding to the key, and setting the current segment length to the length of the key field that needs to be matched in the key;
When the node type corresponding to the 1st key field in the 1st rule table is a mixed node or a leaf node, keeping the node type unchanged, writing the rule number corresponding to the key, and setting the current segment length to the length of the key field that needs to be matched in the key.
S503: when the length of the key is less than the length of the 1st key field, expanding the remaining field to obtain the key remainder fields, reading the 1st rule table using each key remainder field as the address, and obtaining and managing the corresponding node information;
Here, the above remaining field refers to the key field of the key that needs to be matched.
Thus, the step of managing the above node information may include: when the node type corresponding to the 1st key field in the 1st rule table is an invalid node, changing the node type to a leaf node, writing the rule number corresponding to the key, and setting the current segment length to the length of the key field that needs to be matched in the key;
When the node type corresponding to the 1st key field in the 1st rule table is an intermediate node, changing the node type to a mixed node, writing the rule number corresponding to the key, and setting the current segment length to the length of the key field that needs to be matched in the key;
When the node type corresponding to the 1st key field in the 1st rule table is a mixed node or a leaf node, keeping the node type unchanged and, at the same time, comparing the length of the key field that needs to be matched in the key with the current segment length: if the length of the key field that needs to be matched is less than the current segment length, keeping the original rule number and current segment length unchanged; otherwise, writing the rule number corresponding to the key and setting the current segment length to the length of the key field that needs to be matched in the key.
It should be noted that expanding the remaining field to obtain the key remainder fields specifically means: subtracting the length P of the key field that needs to be matched in the key from the length $N_1$ of the 1st key field to obtain the difference x, and expanding the remaining field into $2^x$ key remainder fields $C_{1,1} = \{C_1, 0\}$, $C_{1,2} = \{C_1, 1\}$, ..., $C_{1,2^x} = \{C_1, 2^x - 1\}$.
S504:When the length of keyword is more than the length of the 1st critical field, by the 1st critical field The 1st rule list is read as address, obtain and manage corresponding nodal information.
Here, can include the step of above-mentioned leader information:When the 1st critical field is advised at the 1st When then corresponding node type in table is invalid node, node type is changed to intermediate node, and is write The corresponding next stage index of 1st critical field;When the 1st critical field, in the 1st rule list, institute is right When the node type that answers is intermediate node or mixed node, keep nodal information constant;When the 1st keyword When in 1 rule list of Duan, corresponding node type is leaf node, then node type is changed to mix Node is closed, and writes the corresponding next stage index of the 1st critical field.
Next, be directed to i-th critical field, i=2,3 ..., M, after S504, referring to Fig. 6 Shown, the method also includes:
S601:Calculate the difference of previous difference and i-th critical field length;
Here, previous difference is referred to:As i=1, previous difference is to need to be concerned about in keyword Critical field length;As i=2, previous difference is the keyword segment length for needing to be concerned about in keyword The difference with i-th critical field length is spent, successively iteration, by that analogy.
S602:When difference is equal to the length of i-th critical field, by the next stage of the i-th -1 critical field Index and i-th critical field read i-th rule list as address, obtain and manage corresponding nodal information;
So, can include the step of above-mentioned leader information:When i-th critical field is in i-th rule When corresponding node type is invalid node in table, node type is changed to leaf node, and writes pass The corresponding rule numbers of key word and current fragment length is set to above-mentioned difference;
When i-th corresponding node type in i-th rule list of critical field is intermediate node, will section Vertex type is changed to mixed node, and writes the corresponding rule numbers of keyword, and current fragment length is arranged For above-mentioned difference;
When i-th corresponding node type in i-th rule list of critical field is mixed node or leaf section During point, keep node type constant, and the corresponding rule numbers of keyword are write, current fragment length is set It is set to above-mentioned difference.
S603:When difference is less than the length of i-th critical field, this remaining field is expanded, Keyword residue field is obtained, i-th rule list is read respectively as address with keyword residue field, is obtained And manage the information of corresponding node;
So, can include the step of above-mentioned leader information:When i-th critical field is in i-th rule When corresponding node type is invalid node in table, node type is changed to leaf node, and writes pass The corresponding rule numbers of key word and current fragment length is set to above-mentioned difference;
Here, i pass before this remaining field above-mentioned refers to need the critical field being concerned about to remove in keyword Remaining field after key field.
When i-th corresponding node type in i-th rule list of critical field is intermediate node, will section Vertex type is changed to mixed node, and writes the corresponding rule numbers of keyword and set current fragment length It is set to above-mentioned difference;
When i-th corresponding node type in i-th rule list of critical field is mixed node or leaf section During point, keep node type constant, meanwhile, the size of the above-mentioned difference of comparison and current fragment length, if Above-mentioned difference be less than current fragment length, then keep original rule numbers and current fragment length constant, no Then, the corresponding rule numbers of keyword are write and current fragment length is set to above-mentioned difference.
S604:When difference is more than the length of i-th critical field, by the next stage of the i-th -1 critical field Index and i-th critical field read i-th rule list as address, obtain and manage corresponding nodal information.
Here, can include the step of above-mentioned leader information:When i-th critical field is in i-th rule When corresponding node type is invalid node in table, node type is changed to intermediate node, and writes the The corresponding next stage index of i critical field;When i-th critical field is corresponding in i-th rule list When node type is intermediate node or mixed node, keep nodal information constant;When i-th critical field exists When corresponding node type is leaf node in i-th rule list, then node type is changed to mixing section Point, and write the corresponding next stage index of i-th critical field.
Method according to S601~S604 is unanimously circulated, until generating m-th rule list.Now, i-th Rule list as shown in fig. 7, each entry include node type, current fragment length, next stage index and Rule numbers.
Further, after rule list generation, corresponding for rule numbers action is written in action schedule. Shown in Figure 8, each entry includes the priority in the dimension, abandon/instruction is forwarded, QoS maps, Speed limit mark etc..
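The rule-table generation of S501 to S604 is easier to follow in code. The block below is an added example written for this page, not code from the patent or from the applicant; it assumes three 4-bit key fields, integer keys, and the rule numbers it constructs, and it reads "current fragment length" as the number of bits of that field the rule cares about. The "equal" and "less than" cases are handled by one expansion loop, because an expansion into 2^0 remainder fields is exactly the equal case.

```python
# Added example, not the patent's own code: building the M-level rule tables
# of S501-S604. Field widths, keys and rule numbers used with it are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

INVALID, INTERMEDIATE, MIXED, LEAF = "invalid", "intermediate", "mixed", "leaf"
# Table 1 is addressed by the field value; tables 2..M by (next-level index, field value).
Addr = Union[int, Tuple[int, int]]


@dataclass
class Node:
    """One rule-table entry with the four columns of Fig. 7."""
    node_type: str = INVALID
    frag_len: int = 0                 # current fragment length: cared-about bits of this field
    next_index: Optional[int] = None  # next-level index into table i+1
    rule_no: Optional[int] = None


class RuleTableBuilder:
    def __init__(self, field_lens: List[int]):
        self.field_lens = field_lens  # N_1 .. N_M (assumed widths)
        self.tables: List[Dict[Addr, Node]] = [{} for _ in field_lens]
        self._next_index = 0

    def _alloc_index(self) -> int:
        self._next_index += 1
        return self._next_index

    def split(self, key: int) -> List[int]:
        """Split a sum(field_lens)-bit key into M fields, most significant first."""
        fields, shift = [], sum(self.field_lens)
        for n in self.field_lens:
            shift -= n
            fields.append((key >> shift) & ((1 << n) - 1))
        return fields

    def _write_terminal(self, table: Dict[Addr, Node], addr: Addr, rule_no: int, care: int) -> None:
        """The rule ends in this entry (S502/S503 and S602/S603)."""
        node = table.setdefault(addr, Node())
        if node.node_type == INVALID:
            node.node_type = LEAF
        elif node.node_type == INTERMEDIATE:
            node.node_type = MIXED            # keep the next-level index, add a rule
        elif care < node.frag_len:
            return                            # a more specific rule already owns this entry
        node.rule_no, node.frag_len = rule_no, care

    def _write_descend(self, table: Dict[Addr, Node], addr: Addr) -> int:
        """The rule continues into the next table (S504/S604); returns the next-level index."""
        node = table.setdefault(addr, Node())
        if node.node_type == INVALID:
            node.node_type = INTERMEDIATE
            node.next_index = self._alloc_index()
        elif node.node_type == LEAF:
            node.node_type = MIXED            # keep the rule, add a next level
            node.next_index = self._alloc_index()
        return node.next_index                # intermediate/mixed: left unchanged

    def add_rule(self, key: int, care_len: int, rule_no: int) -> None:
        """Insert a rule that cares about the first care_len bits of key."""
        fields = self.split(key)
        remaining, prev_index = care_len, None   # the "previous difference" of S601
        for i, n in enumerate(self.field_lens):
            table = self.tables[i]
            if remaining > n:                    # S504 / S604: whole field cared about, go deeper
                addr = fields[i] if i == 0 else (prev_index, fields[i])
                prev_index = self._write_descend(table, addr)
                remaining -= n
                continue
            # remaining <= n: the rule ends here and the low x bits are don't-care
            x = n - remaining                    # x = 0 is the "equal" case S502/S602
            care_bits = fields[i] >> x
            for low in range(1 << x):            # the 2^x remainder fields {C_i, low}
                value = (care_bits << x) | low
                addr = value if i == 0 else (prev_index, value)
                self._write_terminal(table, addr, rule_no, remaining)
            return
```

Inserting a short rule after a longer one that shares an entry leaves the longer rule in place (the fragment-length comparison), while inserting a longer rule on top of a leaf turns that leaf into a mixed node that keeps its rule and gains a next-level index, which is what the lookup relies on when a later table returns an invalid node.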
S403a: When the rule node type corresponding to the i-th key field is a leaf node, the rule number corresponding to the i-th key field is determined as the rule number of the keyword to be found corresponding to the M key fields, and execution goes to S404;
Specifically, the rule node type corresponding to a key field can be one of three kinds: leaf node, intermediate node and mixed node. When the node type obtained in S402 indicates that the i-th key field is a leaf node, the determining module determines the rule number of that key field as the rule number of the keyword to be found; here i = 1, 2, 3, ..., M.
S403b: When the rule node type corresponding to the i-th key field is an intermediate node or a mixed node, add 1 to the value of i and go to S402;
Specifically, after S402, when the rule node type corresponding to the i-th key field is an intermediate node or a mixed node, the loop module adds 1 to the value of i and triggers the access module again; the access module then uses the (i+1)-th key field as an address to access the preset (i+1)-th rule table and obtains the rule node type corresponding to the (i+1)-th key field. By analogy, S402 to S403b are executed in a loop until the rule number of the keyword to be found is obtained.
In a specific implementation, when the rule node type corresponding to the i-th key field is an intermediate node, add 1 to the value of i and go to S402; when the rule node type corresponding to the i-th key field is a mixed node, record the rule number corresponding to the i-th key field, add 1 to the value of i, and go to S402.
In practical applications, the rule node type corresponding to a key field can also be an invalid node. Then, when i = 2, 3, ..., M, if the node type obtained in S402 indicates that the i-th key field is an invalid node and the (i−1)-th key field is a mixed node, the determining module determines the rule number of the (i−1)-th key field as the rule number of the keyword to be found.
For example, A1 is used as the address of rule table 1 among the M rule tables to access rule table 1, obtaining the rule node type corresponding to A1, the next-level index of A1 and the rule number corresponding to A1.
When the rule node type corresponding to A1 is a leaf node, the rule number corresponding to A1 is taken as the rule number corresponding to keyword A and this lookup ends;
When the node corresponding to A1 is an intermediate node, the next-level index of A1 together with A2 is used as the address to access rule table 2, obtaining the rule node type corresponding to A2, the next-level index of A2 and the rule number of A2; then the same judgement and processing as for A1 is performed.
When the node corresponding to A1 is a mixed node, the rule number corresponding to A1 is recorded, and then the next-level index of A1 together with A2 is used as the address to access rule table 2. If the node corresponding to A2 is an invalid node, the rule number corresponding to keyword A is the rule number corresponding to A1 and this lookup ends; if the node corresponding to A2 is a leaf node, the rule number of keyword A is the number corresponding to A2 and this lookup ends; if the node corresponding to A2 is an intermediate node or a mixed node, the lookup method of A1 is repeated, continuing with the next-level index of A2 together with A3 as the address to access rule table 3, which is processed in the same way as A1. This is repeated until the rule number of the keyword is obtained or the whole keyword has been looked up.
S404: After the rule number of the keyword to be found is determined, the action corresponding to that rule number is obtained according to the rule number of the keyword to be found.
Specifically, the ACL implementation device is also preset with an action table as shown in Fig. 8. The acquisition unit accesses the action table with the rule number of the keyword to be found as the address and obtains the action corresponding to the keyword to be found, that is, the action corresponding to the rule of that dimension.
Optionally, packet attributes can also be obtained by accessing the action table, such as the priority, the QoS and QoS priority corresponding to the rule of that dimension, the rate-limit flag and rate-limit flag priority, the colour of the packet, and drop or forward, etc. Other packet attributes may of course also exist; the present invention does not specifically limit them.
So far, the whole ACL process for a rule of a single dimension is achieved. For rules of multiple dimensions, the merging module merges the actions corresponding to the rule numbers of the keyword to be found for the rule of each dimension, obtaining the ACL result of the packet.
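The lookup loop S402 to S404, including the A1/A2/A3 walk-through above, as an added example (not the patent's or the applicant's code). The tables, the 4-bit field widths, the next-level indices 7, 8 and 9, the rule numbers and the action strings are all constructed for the example; the tables are written by hand here rather than generated, so the block runs on its own.

```python
# Added example, not the patent's own code: the lookup walk S402-S404 over
# hand-constructed rule tables that mirror the A1/A2/A3 example in the text.
from typing import Dict, List, NamedTuple, Optional

INVALID, INTERMEDIATE, MIXED, LEAF = "invalid", "intermediate", "mixed", "leaf"


class Entry(NamedTuple):
    node_type: str
    frag_len: int              # current fragment length (cared-about bits of this field)
    next_index: Optional[int]  # next-level index into the next table
    rule_no: Optional[int]


# Constructed sample: M = 3 key fields of 4 bits each (the widths are an assumption).
FIELD_LENS = [4, 4, 4]
NO_ENTRY = Entry(INVALID, 0, None, None)      # what an unwritten address reads as

# Table 1 is addressed by the 1st key field; tables 2..M by (next-level index, key field).
RULE_TABLES: List[Dict] = [
    {0x1: Entry(LEAF, 4, None, 10),           # rule 10: keys 0x1??
     0x2: Entry(INTERMEDIATE, 0, 7, None),    # keys 0x2??: decided in table 2
     0x3: Entry(MIXED, 4, 8, 30)},            # rule 30: keys 0x3??, longer rules continue below
    {(7, 0xA): Entry(LEAF, 4, None, 20),      # rule 20: keys 0x2A?
     (8, 0x5): Entry(INTERMEDIATE, 0, 9, None)},
    {(9, 0xF): Entry(LEAF, 4, None, 31)},     # rule 31: key 0x35F exactly
]

# Constructed action table: the Fig. 8 columns reduced to one string per rule.
ACTION_TABLE: Dict[int, str] = {10: "forward", 20: "drop", 30: "forward,qos=2", 31: "drop"}


def split_key(key: int, field_lens: List[int]) -> List[int]:
    """Split a sum(field_lens)-bit key into its key fields, most significant first."""
    fields, shift = [], sum(field_lens)
    for n in field_lens:
        shift -= n
        fields.append((key >> shift) & ((1 << n) - 1))
    return fields


def lookup_rule(key: int, tables: List[Dict] = RULE_TABLES,
                field_lens: List[int] = FIELD_LENS) -> Optional[int]:
    """Return the rule number for key, or None when no rule matches."""
    recorded = None            # rule number remembered at the last mixed node (S403b)
    next_index = None
    for i, f in enumerate(split_key(key, field_lens)):
        addr = f if i == 0 else (next_index, f)
        entry = tables[i].get(addr, NO_ENTRY)           # S402
        if entry.node_type == LEAF:                     # S403a: done
            return entry.rule_no
        if entry.node_type == INVALID:                  # invalid after a mixed node:
            return recorded                             #   the recorded rule, else no match
        if entry.node_type == MIXED:
            recorded = entry.rule_no
        next_index = entry.next_index                   # S403b: descend one table
    return recorded                                     # whole keyword walked


def classify(key: int) -> Optional[str]:
    """S404: map the rule number to its action; None when no rule matched."""
    rule_no = lookup_rule(key)
    return None if rule_no is None else ACTION_TABLE[rule_no]
```

Key 0x350 shows the invalid-after-mixed case: table 1 records rule 30 at the mixed node, table 2 descends through the intermediate node, and the missing entry in table 3 returns the recorded rule 30 rather than no match; key 0x2B0 reaches an invalid node with nothing recorded and returns None.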
In the above process, the rule tables in the rule table module may also be adjusted according to the user's configuration. Because a rule table cannot be updated in one shot, the rule table module stores M rule tables together with M backup rule tables in one-to-one correspondence in order to reduce the error rate. The method therefore further includes: after the configuration rules finish updating, updating the M backup rule tables based on the new configuration rules, where the M backup rule tables correspond one-to-one with the M rule tables; after the M backup rule tables finish updating, switching to accessing the updated M backup rule tables and updating the M rule tables; and after the M rule tables finish updating, switching back to accessing the updated M rule tables.
Specifically, during a rule table update the backup rule tables are updated first; once the backup rule tables are updated, the access module switches to accessing the backup rule tables while the rule tables are updated in turn; once the rule tables are updated, the access module switches back to the updated rule tables. In this way, errors caused by a rule that should have been updated but was not cannot occur, which ensures the accuracy of the ACL implementation.
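The primary/backup switch described above, as an added example (not the patent's or the applicant's code), next to a single-copy rewrite that shows the partially written view the backup tables exist to prevent. The table contents and the on_step observer are constructed for the example; the observer stands in for a lookup that happens while the update is in progress.

```python
# Added example, not the patent's own code: double-buffered rule-table update
# (backup rewritten, switch, primary rewritten, switch back) versus an in-place rewrite.
from typing import Callable, Dict, List, Optional

Tables = List[Dict]                              # one dict per rule table: address -> entry
Observer = Optional[Callable[[Tables], None]]    # sees the reader's view after every write


def is_consistent(view: Tables, old: Tables, new: Tables) -> bool:
    """A reader's view is acceptable only when it equals the old or the new configuration entirely."""
    return view == old or view == new


def _rewrite(target: Tables, new_tables: Tables, on_step: Observer,
             view: Callable[[], Tables]) -> None:
    """Rewrite target one entry at a time (a table cannot be replaced in one shot)."""
    for i, table in enumerate(new_tables):
        target[i].clear()
        for addr, entry in table.items():
            target[i][addr] = entry
            if on_step:
                on_step(view())          # what a concurrent lookup would read right now


class DoubleBufferedTables:
    def __init__(self, tables: Tables):
        self.primary = [dict(t) for t in tables]
        self.backup = [dict(t) for t in tables]
        self.active = self.primary       # the copy the access module reads

    def lookup(self, i: int, addr):
        return self.active[i].get(addr)

    def apply_config(self, new_tables: Tables, on_step: Observer = None) -> None:
        """Update the backup, switch to it, update the primary, switch back."""
        for target in (self.backup, self.primary):
            _rewrite(target, new_tables, on_step, lambda: self.active)
            self.active = target         # readers move only onto a fully rewritten copy


def naive_update(tables: Tables, new_tables: Tables, on_step: Observer = None) -> None:
    """Single-copy alternative: readers observe half-written tables while it runs."""
    _rewrite(tables, new_tables, on_step, lambda: tables)
```

With the double buffer, every observed view equals either the old or the new configuration; with the single copy, the first observation already shows a table that belongs to neither.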
From the above: first, each keyword to be found extracted from the same packet is divided into M key fields; then the i-th key field among the M key fields is used as an address to access the i-th of M preset rule tables, obtaining at least the rule node type corresponding to the i-th key field, where the M rule tables correspond to rules of one dimension; next, the rule number of the keyword to be found is determined according to the rule node type corresponding to the i-th key field; finally, the action corresponding to the keyword to be found, that is, the action corresponding to that rule, is obtained according to the determined rule number, thereby implementing the ACL. In this way, the high power consumption and high cost caused by TCAM are avoided. Further, because each keyword to be found is divided into M key fields, and the rule number corresponding to a key field is determined as the rule number of the keyword to be found as soon as the rule node type corresponding to the i-th key field is an invalid node or a leaf node, the whole keyword to be found does not need to be looked up, which greatly reduces the amount of data processed and thus improves lookup efficiency. Further, because each keyword in the same packet is divided into M key fields and then processed, the keyword here can be a keyword of one dimension or keywords of multiple dimensions, that is, a multi-dimensional ACL can be implemented.
Based on the same inventive concept, an embodiment of the present invention also provides an ACL implementation device, consistent with the ACL implementation device described in one or more of the above embodiments.
As shown in Fig. 1, the device includes: a rule table module 1, a scheduling module 2, an access module 31, a determining module 32, a loop module 33 and an acquisition module 34. The rule table module 1 stores the M rule tables corresponding to the rules of one dimension, M being an integer greater than or equal to 1; the scheduling module 2 divides each keyword to be found extracted from the same packet into M key fields; the access module 31 uses at least the i-th key field among the M key fields as an address to access the i-th of the M preset rule tables and obtains the rule node type corresponding to the i-th key field, where i = 1, 2, 3, 4, ..., M; the determining module 32, when the rule node type corresponding to the i-th key field is a leaf node, determines the rule number corresponding to the i-th key field as the rule number of the keyword to be found corresponding to the M key fields and triggers the acquisition module 34; the loop module 33, when the rule node type corresponding to the i-th key field is an intermediate node or a mixed node, adds 1 to the value of i and triggers the access module 31; the acquisition module 34, after the rule number of the keyword to be found is determined, obtains the action corresponding to that rule number according to the rule number of the keyword to be found.
In the above scheme, when i = 2, 3, ..., M, the determining module 32 is further configured, when the rule node type corresponding to the i-th key field is an invalid node and the rule node type corresponding to the (i−1)-th key field is a mixed node, to determine the rule number corresponding to the (i−1)-th key field as the rule number of the keyword to be found corresponding to the M key fields and to trigger the acquisition module 34.
In the above scheme, when i = 1, the access module 31 uses the 1st key field as an address to access the 1st of the M preset rule tables.
In the above scheme, when i = 2, 3, ..., M, the access module 31 uses the next-level index of the (i−1)-th key field together with the i-th key field as an address to access the i-th rule table.
In the above scheme, the loop module 33, when the rule node type corresponding to the i-th key field is an intermediate node, adds 1 to the value of i and triggers the access module 31; it is further configured, when the rule node type corresponding to the i-th key field is a mixed node, to record the rule number corresponding to the i-th key field, add 1 to the value of i, and trigger the access module 31.
In the above scheme, the device further includes a rule table generation module configured to divide the keyword corresponding to a rule of the same dimension into M segments; when the length of the keyword is equal to the length of the 1st key field, to read the 1st rule table with the 1st key field as address and obtain and manage the corresponding node information; when the length of the keyword is less than the length of the 1st key field, to expand the remaining field to obtain the keyword remainder fields, read the 1st rule table with each keyword remainder field as address, and obtain and manage the corresponding node information, where the remaining field is the key field in the keyword that needs to be cared about; and when the length of the keyword is greater than the length of the 1st key field, to read the 1st rule table with the 1st key field as address and obtain and manage the corresponding node information.
In the above scheme, the rule table generation module is configured, for the i-th key field among the M key fields, to calculate the difference between the previous difference and the length of the i-th key field, where the previous difference is the difference between the length of the key field that needs to be cared about in the keyword and the i-th key field length, i = 2, 3, ..., M; when the difference is equal to the length of the i-th key field, to read the i-th rule table with the next-level index of the (i−1)-th key field and the i-th key field as address and obtain and manage the corresponding node information; when the difference is less than the length of the i-th key field, to expand the remaining field to obtain the keyword remainder fields, read the i-th rule table with each keyword remainder field as address, and obtain and manage the corresponding node information, where the remaining field is what is left of the key field that needs to be cared about in the keyword after the first i key fields are removed; and when the difference is greater than the length of the i-th key field, to read the i-th rule table with the next-level index of the (i−1)-th key field and the i-th key field as address and obtain and manage the corresponding node information.
In the above scheme, the rule table module 1 is further configured, after the configuration rules finish updating, to update M backup rule tables based on the new configuration rules, where the M backup rule tables correspond one-to-one with the M rule tables; correspondingly, the access module 31 is further configured, after the M backup rule tables finish updating, to switch to accessing the updated M backup rule tables and update the M rule tables, and after the M rule tables finish updating, to switch back to accessing the updated M rule tables.
In practical applications, the access module 31, determining module 32, loop module 33 and acquisition module 34 are arranged in a search engine 3, and one search engine 3 is connected to one rule table module 1; that is, for the same packet, one search engine 3 can search the rules of one dimension. Thus, as shown in Fig. 2, when the device contains multiple search engines 3, it can search the rules of multiple dimensions of the same packet in parallel, which greatly improves the efficiency of the ACL implementation. Further, as shown in Fig. 3, the device can also perform single-dimension or multi-dimension searches for multiple packets in parallel at the same time, which greatly improves the parallel data processing capability, greatly increases the processing speed, and ensures the real-time performance of the ACL.
In the above scheme, when the ACL device performs multi-dimensional searches, the device further includes a merging module configured, after the multiple acquisition modules have obtained the actions corresponding to the rule numbers of each keyword to be found, to merge the actions and obtain the ACL result of the packet.
Those skilled in the art should understand that embodiments of the present invention may be provided as a method, a system or a computer program product. Therefore, the present invention may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage and optical storage) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a specific way, such that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operation steps is executed on the computer or other programmable device to produce computer-implemented processing, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
The above are only preferred embodiments of the present invention and are not intended to limit the scope of protection of the present invention.

Claims (18)

1. An implementation method of an access control list (ACL), characterised in that it includes:
Step A: dividing each keyword to be found extracted from the same packet into M key fields, where M is an integer greater than or equal to 1;
Step B: using at least the i-th key field among the M key fields as an address to access the i-th of M preset rule tables, and obtaining the rule node type corresponding to the i-th key field, where i = 1, 2, 3, 4, ..., M and the M rule tables correspond to rules of one dimension;
Step C: when the rule node type corresponding to the i-th key field is a leaf node, determining the rule number corresponding to the i-th key field as the rule number of the keyword to be found corresponding to the M key fields, and going to step E;
Step D: when the rule node type corresponding to the i-th key field is an intermediate node or a mixed node, adding 1 to the value of i and going to step B;
Step E: after the rule number of the keyword to be found is determined, obtaining the action corresponding to that rule number according to the rule number of the keyword to be found.
2. The method according to claim 1, characterised in that, when i = 2, 3, ..., M, after step B the method further includes:
when the rule node type corresponding to the i-th key field is an invalid node and the rule node type corresponding to the (i−1)-th key field is a mixed node type, determining the rule number corresponding to the (i−1)-th key field as the rule number of the keyword to be found corresponding to the M key fields, and going to step E.
3. The method according to claim 1, characterised in that, when i = 1, step B includes:
using the 1st key field as an address to access the 1st of the M preset rule tables.
4. The method according to claim 1, characterised in that, when i = 2, 3, ..., M, step B includes:
using the next-level index of the (i−1)-th key field together with the i-th key field as an address to access the i-th rule table.
5. The method according to claim 1, characterised in that step D includes:
when the rule node type corresponding to the i-th key field is an intermediate node, adding 1 to the value of i and going to step B;
when the rule node type corresponding to the i-th key field is a mixed node, recording the rule number corresponding to the i-th key field, adding 1 to the value of i, and going to step B.
6. The method according to claim 1, characterised in that the method further includes:
dividing the keyword corresponding to a rule of the same dimension into M segments;
when the length of the keyword is equal to the length of the 1st key field, reading the 1st rule table with the 1st key field as address, and obtaining and managing the corresponding node information;
when the length of the keyword is less than the length of the 1st key field, expanding the remaining field to obtain keyword remainder fields, reading the 1st rule table with each keyword remainder field as address, and obtaining and managing the corresponding node information, where the remaining field is the key field in the keyword that needs to be cared about;
when the length of the keyword is greater than the length of the 1st key field, reading the 1st rule table with the 1st key field as address, and obtaining and managing the corresponding node information.
7. The method according to claim 6, characterised in that the method further includes:
for the i-th key field among the M key fields, where i = 2, 3, ..., M, executing the following steps in turn:
calculating the difference between the previous difference and the length of the i-th key field, where the previous difference is the difference between the length of the key field that needs to be cared about in the keyword and the length of the i-th key field;
when the difference is equal to the length of the i-th key field, reading the i-th rule table with the next-level index of the (i−1)-th key field and the i-th key field as address, and obtaining and managing the corresponding node information;
when the difference is less than the length of the i-th key field, expanding the remaining field to obtain keyword remainder fields, reading the i-th rule table with each keyword remainder field as address, and obtaining and managing the corresponding node information, where the remaining field is what is left of the key field that needs to be cared about in the keyword after the first i key fields are removed;
when the difference is greater than the length of the i-th key field, reading the i-th rule table with the next-level index of the (i−1)-th key field and the i-th key field as address, and obtaining and managing the corresponding node information.
8. The method according to claim 1, characterised in that the method further includes:
after the configuration rules finish updating, updating M backup rule tables based on the new configuration rules, where the M backup rule tables correspond one-to-one with the M rule tables;
after the M backup rule tables finish updating, switching to accessing the updated M backup rule tables and updating the M rule tables;
after the M rule tables finish updating, switching back to accessing the updated M rule tables.
9. The method according to claim 1, characterised in that, after step E, the method further includes:
merging the actions corresponding to the rule numbers of each keyword to be found to obtain the ACL result of the packet.
10. a kind of access control list ACL realize device, it is characterised in that include:Rule list module, Scheduler module, access modules, determining module, loop module, acquisition module;Wherein,
The rule list module, for storing with M rule list corresponding to the rule of dimension, M is big In the integer for being equal to 1;
The scheduler module, for dividing each keyword to be found extracted from same packet For M critical field;
The access modules, at least using i-th critical field in the M critical field as ground I-th rule list in M rule list of location access preset, obtains i-th critical field corresponding Regular node type, wherein, i=1,2,3,4 ..., M;
The determining module, for being leaf section when the corresponding regular node type of i-th critical field During point, corresponding for i-th critical field rule numbers are defined as the M critical field corresponding The rule numbers of keyword to be found, trigger the acquisition module;
The loop module, for being middle node when the corresponding regular node type of i-th critical field When point or mixed node, i value is added 1, trigger the access modules;
The acquisition module, for, after the rule numbers for determining the keyword to be found, treating according to described The rule numbers of search key, obtain the corresponding action of rule numbers of the keyword to be found.
11. devices according to claim 10, it is characterised in that when i=2,3 ..., M when, The determining module, it is invalid node to be additionally operable to when the corresponding regular node type of i-th critical field, And the i-th -1 critical field corresponding regular node type is when being mixed node, by the i-th -1 keyword The corresponding rule numbers of section are defined as the rule numbers of the corresponding keyword to be found of the M critical field, Trigger the acquisition module.
12. devices according to claim 10, it is characterised in that as i=1, the access modules, For using the 1st critical field as the 1st rule list in M rule list of address access preset.
13. devices according to claim 10, it is characterised in that when i=2,3 ..., M when, The access modules, for the next stage index with the i-th -1 critical field and i-th keyword Section accesses i-th rule list for address.
14. devices according to claim 10, it is characterised in that the loop module, for working as When to state the corresponding regular node type of i-th critical field be intermediate node, i value is added 1, triggering is described Access modules;It is additionally operable to when the corresponding regular node type of i-th critical field is mixed node, The corresponding rule numbers of i-th critical field are recorded, and i value is added 1, trigger the access modules.
15. devices according to claim 10, it is characterised in that described device also includes:Rule list Generation module, for being divided into M section by corresponding for the rule of same dimension keyword;Length when the keyword When degree is equal to the length of the 1st critical field, the 1st critical field is read the 1st as address Rule list, obtains and manages corresponding nodal information;When the length of the keyword is less than the 1st pass During the length of key field, this remaining field is expanded, keyword residue field is obtained, with described Keyword residue field reads the 1st rule list respectively for address, obtains and manage corresponding node letter Breath, wherein, this remaining field is the critical field for needing to be concerned about in the keyword;When described The length of keyword more than the 1st critical field length when, using the 1st critical field as The 1st rule list is read in address, obtains and manage corresponding nodal information.
16. devices according to claim 15, it is characterised in that the rule list generation module, use I-th critical field in for the M critical field, calculates previous difference and described i-th The difference of individual critical field length, wherein, needs the pass being concerned about in keyword described in the previous difference The difference of key field length and i-th critical field length, i=2,3 ..., M;When described difference etc. When the length of i-th critical field, the next stage of the i-th -1 critical field is indexed and described I-th critical field reads i-th rule list as address, obtains and manage corresponding nodal information;Work as institute When the length that difference is less than i-th critical field is stated, this remaining field is expanded, is obtained Keyword residue field, reads i-th rule list with keyword residue field respectively as address, Corresponding nodal information is obtained and manages, wherein, this remaining field is to need in the keyword The critical field of care removes remaining field after front i critical field;When the difference is more than described i-th During the length of individual critical field, by the next stage index of the i-th -1 critical field and i-th key Field reads i-th rule list as address, obtains and manage corresponding nodal information.
17. The device according to claim 10, characterised in that the rule table module is further configured, after the configuration rules have been updated, to update M backup rule tables based on the new configuration rules, wherein the M backup rule tables correspond one-to-one with the M rule tables;
correspondingly, the access module is further configured, after the M backup rule tables have been updated, to switch over to accessing the updated M backup rule tables and to update the M rule tables; and, after the M rule tables have been updated, to switch back from the updated M backup rule tables that were being accessed.
18. The device according to claim 10, characterised in that the device further comprises a merging module, configured, after the obtaining module has obtained the actions corresponding to the plurality of rule numbers for each keyword to be looked up, to merge the actions and obtain the ACL result of the packet.
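The multi-stage table walk of claims 15 and 16, the backup-table switchover of claim 17 and the action merge of claim 18, as an added Python example that is not the patent's own code. It reads the claims as a multi-bit trie: each rule table is a dictionary addressed by the next-level index handed down from the previous table together with the value of the current critical field, and a rule whose care length ends inside a field is expanded over the don't-care bits, one entry per value. The field widths (4, 8 and 4 bits of a 16-bit keyword), the rule set, the "lowest rule number wins" priority and the requirement that a rule hit in every dimension before its action applies are all constructed assumptions, not details from the claims.

```python
"""Multi-stage ACL rule tables read as a multi-bit trie (added example)."""

class StagedAclTable:
    def __init__(self, widths):
        self.widths = list(widths)                   # lengths of the M fields
        self.total = sum(self.widths)
        self.tables = [dict() for _ in self.widths]  # the M rule tables
        self.next_alloc = [0] * len(self.widths)     # next-level index counters

    def _fields(self, key):
        """Split an integer keyword into its M critical fields, MSB first."""
        out, shift = [], self.total
        for w in self.widths:
            shift -= w
            out.append((key >> shift) & ((1 << w) - 1))
        return out

    def _node(self, stage, idx, value):
        return self.tables[stage].setdefault((idx, value), {"rules": set(), "next": None})

    def add_rule(self, rule_no, value, care_len):
        """Install a rule that matches the leading care_len bits of value."""
        fields = self._fields(value)
        idx = 0               # table 1 is entered with a single root index
        remaining = care_len  # the "difference" of claim 16: care bits left
        for i, w in enumerate(self.widths):
            if remaining <= w:
                # care ends in this field (equal or shorter): expand the don't-care bits
                dont_care = w - remaining
                base = fields[i] & ~((1 << dont_care) - 1)
                for tail in range(1 << dont_care):
                    self._node(i, idx, base | tail)["rules"].add(rule_no)
                return
            # care exceeds this field: hand a next-level index to table i+1
            node = self._node(i, idx, fields[i])
            if node["next"] is None:
                self.next_alloc[i] += 1
                node["next"] = self.next_alloc[i]
            idx = node["next"]
            remaining -= w

    def lookup(self, key):
        """Walk the M tables with a packet keyword; return the rule numbers hit."""
        fields = self._fields(key)
        matched, idx = set(), 0
        for i in range(len(self.widths)):
            node = self.tables[i].get((idx, fields[i]))
            if node is None:
                break
            matched |= node["rules"]
            if node["next"] is None:
                break
            idx = node["next"]
        return matched

class DoubleBufferedAcl:
    """Claim 17: build the new configuration into the backup tables, switch
    lookups to them, rebuild the main tables, then switch back."""
    def __init__(self, widths):
        self.widths = widths
        self.active = self.backup = StagedAclTable(widths)

    def _build(self, rules):
        table = StagedAclTable(self.widths)
        for rule_no, value, care_len in rules:
            table.add_rule(rule_no, value, care_len)
        return table

    def update(self, rules):
        self.backup = self._build(rules)                     # update backups
        self.active, self.backup = self.backup, self.active  # switch over
        self.backup = self._build(rules)                     # update main set
        self.active, self.backup = self.backup, self.active  # switch back

def merge_actions(matches_per_dimension, actions, default="deny"):
    """Claim 18 reading (an assumption): a rule counts only if every
    dimension's lookup returned its number; the lowest number wins."""
    common = set.intersection(*matches_per_dimension)
    return actions[min(common)] if common else default

# Constructed rules: 16-bit keyword cut into fields of 4, 8 and 4 bits.
RULES = [
    (1, 0xA000, 4),   # care == field 1 length: leaf in table 1
    (2, 0xC000, 2),   # care <  field 1 length: expanded to 0xC..0xF
    (3, 0xA1B0, 12),  # care ends exactly at the end of field 2
    (4, 0xA1C0, 14),  # care ends 2 bits into field 3: expanded there
]
ACTIONS = {1: "permit", 2: "deny", 3: "deny", 4: "permit"}

def demo():
    acl = DoubleBufferedAcl([4, 8, 4])
    acl.update(RULES)
    src, dst = acl.active.lookup(0xA1B5), acl.active.lookup(0xA1C2)
    return {"src": src, "dst": dst,                   # {1, 3}, {1, 4}
            "expanded": acl.active.lookup(0xD123),   # {2}
            "miss": acl.active.lookup(0xB000),       # set()
            "result": merge_actions([src, dst], ACTIONS)}  # "permit"
```

A lookup collects rule numbers at every stage it passes through, so a short prefix rule and a longer rule sharing that prefix both come back for the same packet; that is why the merge step of claim 18 is needed before an action can be applied. The expansion step is what makes a prefix that ends mid-field addressable: every completion of the don't-care bits becomes its own table entry, at the cost of 2^(don't-care bits) entries per rule, which is the usual trade-off when choosing the field widths.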

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201510551233.5A CN106487769B (en) 2015-09-01 2015-09-01 Method and device for realizing Access Control List (ACL)
PCT/CN2016/094450 WO2017036291A1 (en) 2015-09-01 2016-08-10 Access control list implementation method, device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510551233.5A CN106487769B (en) 2015-09-01 2015-09-01 Method and device for realizing Access Control List (ACL)

Publications (2)

Publication Number Publication Date
CN106487769A true CN106487769A (en) 2017-03-08
CN106487769B CN106487769B (en) 2020-02-04

Family

ID=58186607

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510551233.5A Active CN106487769B (en) 2015-09-01 2015-09-01 Method and device for realizing Access Control List (ACL)

Country Status (2)

Country Link
CN (1) CN106487769B (en)
WO (1) WO2017036291A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109150686A (en) * 2018-09-07 2019-01-04 迈普通信技术股份有限公司 ACL table item delivery method, device and the network equipment
CN112425131A (en) * 2018-11-30 2021-02-26 华为技术有限公司 ACL rule classification method, ACL rule search method and ACL rule classification device
CN113037681A (en) * 2019-12-09 2021-06-25 中兴通讯股份有限公司 ACL rule management method, device, computer equipment and computer readable medium
CN115361214A (en) * 2022-08-22 2022-11-18 中国电信股份有限公司 Message access control method, device, apparatus, medium, and program

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112131356B (en) * 2020-08-03 2022-06-07 国家计算机网络与信息安全管理中心 Message keyword matching method and device based on TCAM

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050114655A1 (en) * 2003-11-26 2005-05-26 Miller Stephen H. Directed graph approach for constructing a tree representation of an access control list
CN101493841A (en) * 2009-02-23 2009-07-29 深圳市中科新业信息科技发展有限公司 Searching method and device
CN102487374A (en) * 2010-12-01 2012-06-06 中兴通讯股份有限公司 Access control list realization method and apparatus thereof
CN102986179A (en) * 2010-06-08 2013-03-20 博科通讯系统有限公司 Methods and apparatuses for processing and/or forwarding packets
CN103647773A (en) * 2013-12-11 2014-03-19 北京中创信测科技股份有限公司 Fast encoding method of access control list (ACL) behavior set
CN104579941A (en) * 2015-01-05 2015-04-29 北京邮电大学 Message classification method in OpenFlow switch

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101035061B (en) * 2006-03-09 2010-05-12 中兴通讯股份有限公司 Segmented coded expansion method for realizing the match of the three-folded content addressable memory range

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
张艳军 et al.: "Recursive Packet Classification Algorithm Based on Decision Tree", Journal of Beijing University of Posts and Telecommunications *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109150686A (en) * 2018-09-07 2019-01-04 迈普通信技术股份有限公司 ACL table item delivery method, device and the network equipment
CN109150686B (en) * 2018-09-07 2020-12-22 迈普通信技术股份有限公司 ACL (access control list) table item issuing method, device and network equipment
CN112425131A (en) * 2018-11-30 2021-02-26 华为技术有限公司 ACL rule classification method, ACL rule search method and ACL rule classification device
CN112425131B (en) * 2018-11-30 2022-03-04 华为技术有限公司 ACL rule classification method, ACL rule search method and ACL rule classification device
CN113037681A (en) * 2019-12-09 2021-06-25 中兴通讯股份有限公司 ACL rule management method, device, computer equipment and computer readable medium
CN113037681B (en) * 2019-12-09 2023-09-05 中兴通讯股份有限公司 ACL rule management method, ACL rule management device, computer equipment and computer readable medium
CN115361214A (en) * 2022-08-22 2022-11-18 中国电信股份有限公司 Message access control method, device, apparatus, medium, and program

Also Published As

Publication number Publication date
CN106487769B (en) 2020-02-04
WO2017036291A1 (en) 2017-03-09

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant