CN106487769A - A kind of implementation method of access control list ACL and device - Google Patents
A kind of implementation method of access control list ACL and device
- Publication number
- CN106487769A (application CN201510551233.5A)
- Authority
- CN
- China
- Prior art keywords
- critical field
- rule
- keyword
- field
- length
- Prior art date
- Legal status
- Granted
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        - H04L9/40—Network security protocols
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
          - H04L63/101—Access control lists [ACL]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
An embodiment of the invention discloses a method for implementing an access control list (ACL), comprising: Step A, dividing each keyword to be looked up, extracted from the same packet, into M critical fields; Step B, using at least the i-th of the M critical fields as an address to access the i-th of M preset rule tables, and obtaining the rule node type corresponding to the i-th critical field; Step C, when the rule node type corresponding to the i-th critical field is a leaf node, taking the rule number corresponding to the i-th critical field as the rule number of the keyword to be looked up that the M critical fields represent, and going to Step E; Step D, when the rule node type corresponding to the i-th critical field is an intermediate node or a mixed node, incrementing i by 1 and going to Step B; Step E, after the rule number of the keyword to be looked up has been determined, obtaining the corresponding action according to that rule number.
Description
Technical field
The present invention relates to the field of packet transmission, and in particular to a method and a device for implementing an access control list (ACL).
Background technology
With the development of network technology, more and more network devices, such as security gateways, edge routers and core routers, need to support fast and accurate packet classification. Future networks will need to offer users better quality of service, and the mechanisms that improve quality of service, such as firewalls, Differentiated Services, virtual private networks (VPN) and policy-based routing, are all built on efficient access control list (ACL, Access Control List) technology. Moreover, with the development of optical communication, link bandwidth and transmission rate are no longer the problem; routing and forwarding equipment is becoming the network bottleneck, and within it the ACL is the critical part. Implementing ACLs efficiently and quickly is therefore very important for the development of the future Internet.
Existing packet transmission equipment implements ACLs with ternary content addressable memory (TCAM, Ternary Content Addressable Memory). Implementing an ACL with TCAM has the advantage of being simple, but TCAM also has many shortcomings. First, a TCAM compares the keyword to be looked up against every entry of the TCAM within the same clock cycle, which causes comparatively high power consumption; second, TCAM devices are costly and expensive. The prior art therefore lacks a more suitable way of implementing an ACL.
Content of the invention
In view of this, the embodiments of the present invention aim to provide a method and a device for implementing an ACL, so as to offer a new way of implementing an ACL that avoids the high power consumption and high cost caused by TCAM.
To achieve the above purpose, the technical scheme of the present invention is realised as follows:
In a first aspect, an embodiment of the present invention provides a method for implementing an ACL, comprising: Step A, dividing each keyword to be looked up, extracted from the same packet, into M critical fields, where M is an integer greater than or equal to 1; Step B, using at least the i-th of the M critical fields as an address to access the i-th of M preset rule tables, and obtaining the rule node type corresponding to the i-th critical field, where i = 1, 2, 3, 4, ..., M and the M rule tables correspond to the rules of one dimension; Step C, when the rule node type corresponding to the i-th critical field is a leaf node, taking the rule number corresponding to the i-th critical field as the rule number of the keyword to be looked up that the M critical fields represent, and going to Step E; Step D, when the rule node type corresponding to the i-th critical field is an intermediate node or a mixed node, incrementing i by 1 and going to Step B; Step E, after the rule number of the keyword to be looked up has been determined, obtaining the action corresponding to that rule number.
In the above scheme, when i = 2, 3, ..., M, after Step B the method further comprises: when the rule node type corresponding to the i-th critical field is an invalid node and the rule node type corresponding to the (i−1)-th critical field is a mixed node, taking the rule number corresponding to the (i−1)-th critical field as the rule number of the keyword to be looked up that the M critical fields represent, and going to Step E.
In the above scheme, when i = 1, Step B comprises: using the 1st critical field as the address to access the 1st of the M preset rule tables.
In the above scheme, when i = 2, 3, ..., M, Step B comprises: using the next-level index of the (i−1)-th critical field together with the i-th critical field as the address to access the i-th rule table.
In the above scheme, Step D comprises: when the rule node type corresponding to the i-th critical field is an intermediate node, incrementing i by 1 and going to Step B; when the rule node type corresponding to the i-th critical field is a mixed node, recording the rule number corresponding to the i-th critical field, incrementing i by 1 and going to Step B.
In the above scheme, the method further comprises: dividing the keyword corresponding to a rule of the same dimension into M segments; when the length of the keyword (the part of it that needs to be matched) equals the length of the 1st critical field, reading the 1st rule table with the 1st critical field as the address, and obtaining and managing the corresponding node information; when the length of the keyword is less than the length of the 1st critical field, expanding the remaining field to obtain keyword residue fields, reading the 1st rule table with each keyword residue field in turn as the address, and obtaining and managing the corresponding node information, where the remaining field is the critical field of the keyword that needs to be matched; when the length of the keyword is greater than the length of the 1st critical field, reading the 1st rule table with the 1st critical field as the address, and obtaining and managing the corresponding node information.
In the above scheme, the method further comprises: for the i-th of the M critical fields, i = 2, 3, ..., M, performing the following steps in turn: computing the difference between the previous difference and the critical field length, where the difference at this stage is the length that still needs to be matched, i.e. the length of the critical field of the keyword that needs to be matched minus the total length of the critical fields before the i-th; when the difference equals the length of the i-th critical field, reading the i-th rule table with the next-level index of the (i−1)-th critical field and the i-th critical field as the address, and obtaining and managing the corresponding node information; when the difference is less than the length of the i-th critical field, expanding the remaining field to obtain keyword residue fields, reading the i-th rule table with each keyword residue field in turn as the address, and obtaining and managing the corresponding node information, where the remaining field is what is left of the critical field of the keyword that needs to be matched after the critical fields before the i-th have been removed; when the difference is greater than the length of the i-th critical field, reading the i-th rule table with the next-level index of the (i−1)-th critical field and the i-th critical field as the address, and obtaining and managing the corresponding node information.
In the above scheme, the method further comprises: after the configured rules have been updated, updating M backup rule tables on the basis of the new configured rules, where the M backup rule tables correspond one-to-one to the M rule tables; after the M backup rule tables have been updated, switching access to the updated M backup rule tables and updating the M rule tables; after the M rule tables have been updated, switching access back to the updated M rule tables.
In the above scheme, after Step E the method further comprises: merging the actions corresponding to the rule numbers of all the keywords to be looked up, to obtain the ACL result for the packet.
In a second aspect, an embodiment of the present invention provides a device for implementing an ACL, comprising: a rule table module, a scheduling module, an access module, a determining module, a loop module and an acquisition module; where the rule table module is configured to store the M rule tables corresponding to the rules of one dimension, M being an integer greater than or equal to 1; the scheduling module is configured to divide each keyword to be looked up, extracted from the same packet, into M critical fields; the access module is configured to use at least the i-th of the M critical fields as an address to access the i-th of the M preset rule tables, and to obtain the rule node type corresponding to the i-th critical field, where i = 1, 2, 3, 4, ..., M; the determining module is configured, when the rule node type corresponding to the i-th critical field is a leaf node, to take the rule number corresponding to the i-th critical field as the rule number of the keyword to be looked up that the M critical fields represent, and to trigger the acquisition module; the loop module is configured, when the rule node type corresponding to the i-th critical field is an intermediate node or a mixed node, to increment i by 1 and trigger the access module; the acquisition module is configured, after the rule number of the keyword to be looked up has been determined, to obtain the action corresponding to that rule number.
In the above scheme, when i = 2, 3, ..., M, the determining module is further configured, when the rule node type corresponding to the i-th critical field is an invalid node and the rule node type corresponding to the (i−1)-th critical field is a mixed node, to take the rule number corresponding to the (i−1)-th critical field as the rule number of the keyword to be looked up that the M critical fields represent, and to trigger the acquisition module.
In the above scheme, when i = 1, the access module is configured to use the 1st critical field as the address to access the 1st of the M preset rule tables.
In the above scheme, when i = 2, 3, ..., M, the access module is configured to use the next-level index of the (i−1)-th critical field together with the i-th critical field as the address to access the i-th rule table.
In the above scheme, the loop module is configured, when the rule node type corresponding to the i-th critical field is an intermediate node, to increment i by 1 and trigger the access module; and is further configured, when the rule node type corresponding to the i-th critical field is a mixed node, to record the rule number corresponding to the i-th critical field, increment i by 1 and trigger the access module.
In the above scheme, the device further comprises: a rule table generation module configured to divide the keyword corresponding to a rule of the same dimension into M segments; when the length of the keyword (the part of it that needs to be matched) equals the length of the 1st critical field, to read the 1st rule table with the 1st critical field as the address, and to obtain and manage the corresponding node information; when the length of the keyword is less than the length of the 1st critical field, to expand the remaining field to obtain keyword residue fields, to read the 1st rule table with each keyword residue field in turn as the address, and to obtain and manage the corresponding node information, where the remaining field is the critical field of the keyword that needs to be matched; when the length of the keyword is greater than the length of the 1st critical field, to read the 1st rule table with the 1st critical field as the address, and to obtain and manage the corresponding node information.
In the above scheme, the rule table generation module is configured, for the i-th of the M critical fields, i = 2, 3, ..., M, to compute the difference between the previous difference and the critical field length, where the difference at this stage is the length that still needs to be matched, i.e. the length of the critical field of the keyword that needs to be matched minus the total length of the critical fields before the i-th; when the difference equals the length of the i-th critical field, to read the i-th rule table with the next-level index of the (i−1)-th critical field and the i-th critical field as the address, and to obtain and manage the corresponding node information; when the difference is less than the length of the i-th critical field, to expand the remaining field to obtain keyword residue fields, to read the i-th rule table with each keyword residue field in turn as the address, and to obtain and manage the corresponding node information, where the remaining field is what is left of the critical field of the keyword that needs to be matched after the critical fields before the i-th have been removed; when the difference is greater than the length of the i-th critical field, to read the i-th rule table with the next-level index of the (i−1)-th critical field and the i-th critical field as the address, and to obtain and manage the corresponding node information.
In the above scheme, the rule table module is further configured, after the configured rules have been updated, to update M backup rule tables on the basis of the new configured rules, where the M backup rule tables correspond one-to-one to the M rule tables; correspondingly, the access module is further configured, after the M backup rule tables have been updated, to switch access to the updated M backup rule tables and update the M rule tables, and, after the M rule tables have been updated, to switch access back to the updated M rule tables.
In the above scheme, the device further comprises: a merging module configured, after several acquisition modules have obtained the action corresponding to the rule number of each keyword to be looked up, to merge those actions and obtain the ACL result for the packet.
The embodiments of the present invention provide a method and a device for implementing an ACL. First, each keyword to be looked up, extracted from the same packet, is divided into M critical fields; then the i-th of the M critical fields is used as an address to access the i-th of M preset rule tables, and at least the rule type corresponding to the i-th critical field is obtained, the M rule tables corresponding to the rules; then the rule number of the keyword to be looked up is determined according to the rule type corresponding to the i-th critical field; finally, the action corresponding to the keyword to be looked up is obtained from the determined rule number, that is, the action corresponding to that rule is determined, which implements the ACL. In this way the high power consumption and high cost caused by TCAM are avoided.
Further, because a keyword to be looked up is divided into M critical fields and, as soon as the rule node type corresponding to the i-th critical field is a leaf node, the rule number corresponding to that critical field is taken as the rule number of the keyword to be looked up, it is not necessary to look up the whole keyword, which greatly reduces the amount of data processed and thus improves lookup efficiency.
Further, because each keyword in the same packet is divided into M critical fields and then processed, the keyword here can be the keyword of one dimension or the keywords of several dimensions; that is, a multi-dimensional ACL can be implemented.
Description of the drawings
Fig. 1 is a first schematic structural diagram of the ACL implementing device in an embodiment of the present invention;
Fig. 2 is a second schematic structural diagram of the ACL implementing device in an embodiment of the present invention;
Fig. 3 is a third schematic structural diagram of the ACL implementing device in an embodiment of the present invention;
Fig. 4 is a schematic flow chart of the ACL implementing method in an embodiment of the present invention;
Fig. 5 is a schematic flow chart of one method of generating the rule tables in an embodiment of the present invention;
Fig. 6 is a schematic flow chart of another method of generating the rule tables in an embodiment of the present invention;
Fig. 7 is a schematic diagram of the rule table in an embodiment of the present invention;
Fig. 8 is a schematic diagram of the action table in an embodiment of the present invention.
Specific embodiments
The technical scheme of the embodiments of the present invention is described clearly and completely below with reference to the accompanying drawings of the embodiments.
First, it should be noted that in packet data transmission a packet is assigned to a flow according to specific keyword fields of the packet. Once assigned to a flow, various processing can be applied to that flow, for example discarding or forwarding, rate limiting and reassignment of priority; this processing is called an action. A rule together with its action is usually called one ACL.
For example, the critical fields that make up a rule in the general industry standard are five, usually also called the 5-tuple: the source address of the IP packet, the destination address of the IP packet, the protocol type carried by the IP packet, the TCP or UDP source port number and the TCP or UDP destination port number. In practice the keywords used can have other extensions, such as class of service COS, TOS, DSCP, the VLAN index VLAN ID and the source and destination MAC addresses; the present invention does not limit this. The above keywords can be combined arbitrarily and can be given range restrictions; for example, a rule can be: TCP port 1000 to 2000 plus IP address 255.122.122.*, where * is the field that does not need to be matched.
The method for implementing an ACL provided by the embodiments of the present invention is described below.
An embodiment of the present invention provides an ACL implementing device; as shown in Fig. 1, the device comprises: a rule table module 1, a scheduling module 2, an access module 31, a determining module 32, a loop module 33 and an acquisition module 34.
In practice the rule table module 1 may be a single module or several modules; each module corresponds to the rules of one dimension and stores M rule tables, M being an integer greater than or equal to 1.
The access module 31, determining module 32, loop module 33 and acquisition module 34 are arranged in a search engine; as shown in Fig. 2, one search engine 3 is connected to one rule table module 1, that is, for the same packet one search engine 3 searches the rules of one dimension. Thus, when the device contains several search engines 3, it can search the rules of several dimensions of the same packet in parallel, which greatly improves the efficiency of the ACL implementation.
When the ACL implementing device performs multi-dimensional searches, it may further comprise a merging module 4 for merging the actions corresponding to the rules of the several dimensions of the same packet, to obtain the ACL result for the packet.
Further, as shown in Fig. 3, the device may also perform one-dimensional or multi-dimensional searches for several packets in parallel at the same time, which greatly increases the parallel data processing capacity, so that the processing speed is greatly raised and the real-time behaviour of the ACL is well guaranteed.
When the ACL implementing device processes several packets, it may further comprise a polling scheduling module for scheduling the ACL results of the several packets and outputting them to the next-stage processing module.
In the embodiments of the present invention, the rule table module is configured to store the M rule tables corresponding to the rules of one dimension;
the scheduling module is configured to divide each keyword to be looked up, extracted from the same packet, into M critical fields and to distribute them to the corresponding search engine;
the access module is configured to use at least the i-th of the M critical fields as an address to access the i-th of the M preset rule tables, and to obtain the rule node type corresponding to the i-th critical field, where i = 1, 2, 3, 4, ..., M and the M rule tables correspond to the rules of one dimension;
the determining module is configured, when the rule node type corresponding to the i-th critical field is a leaf node, to take the rule number corresponding to the i-th critical field as the rule number of the keyword to be looked up that the M critical fields represent, and to trigger the acquisition module;
the loop module is configured, when the rule node type corresponding to the i-th critical field is an intermediate node or a mixed node, to increment i by 1 and trigger the access module;
the acquisition module is configured, after the rule number of the keyword to be looked up has been determined, to obtain the action corresponding to that rule number.
With reference to the above system, the method for implementing an ACL provided by the embodiments of the present invention is described.
As shown in Fig. 4, the method comprises:
S401: dividing each keyword to be looked up, extracted from the same packet, into M critical fields;
Specifically, for the same packet the scheduling module parses the keyword to be looked up under the rules of one dimension out of the packet according to preset configuration information; for example, it extracts the input port, destination IP address and IP precedence TOS of the packet and combines them into {input port, destination IP address, IP precedence TOS}, denoted keyword A to be looked up. The keyword to be looked up is then divided into M critical fields; the division into critical fields can follow a manually preset partitioning strategy chosen to suit the practical application, and the present invention does not limit it.
S402: using at least the i-th of the M critical fields as an address to access the i-th of the M preset rule tables, and obtaining the rule node type corresponding to the i-th critical field;
Specifically, after the scheduling module has divided the critical fields, it sends them to the search engine corresponding to the rules of that dimension; the access module in the search engine then uses the i-th of the M critical fields as an address to access the i-th of the M rule tables pre-stored in the rule table module, and obtains the rule node type corresponding to the i-th critical field, where i = 1, 2, 3, 4, ..., M. It can be seen that critical fields correspond one-to-one to rule tables, and that rules, keywords to be looked up, search engines and rule table modules are in one-to-one correspondence.
In practice, besides the rule node type corresponding to the i-th critical field, accessing the rule table also yields the next-level index and the rule number corresponding to the i-th critical field. Of course, other attribute parameters such as the current segment length may also be present; the present invention does not limit this.
Further, since the 1st critical field is the initial field, the access module can use the 1st critical field as the address to access the 1st rule table and obtain the rule node type corresponding to the 1st critical field; for the other critical fields, i.e. the 2nd, 3rd, ..., M-th critical field, the access module can use the previous-level index of that critical field together with the critical field itself as the address to access the corresponding rule table.
Further, the M rule tables in each rule table module correspond to the rules of the same dimension and are preset in the rule table module, so before S401 the corresponding M rule tables must be generated for the rules of that dimension.
Thus, as shown in Fig. 5, the steps of the method for generating the rule tables comprise:
S501: dividing the keyword corresponding to a rule of one dimension into M segments;
Here the keyword is denoted B and its bit width N; the M critical field segments are denoted B_i, B = {B_1, B_2, ..., B_M}, i = 1, 2, ..., M, the length of B_i is denoted N_i, and N_1 + N_2 + ... + N_M = N. In practice the lengths N_i can be adjusted to suit the implementation; the critical field lengths N_i may or may not be equal.
Further, the critical field of keyword B that needs to be matched is denoted C, with length P, and the critical field that need not be matched is denoted D, with length Q; then B = {C, D} and P + Q = N.
For example, keyword B is the IP address 168.152.128.*, 32 bits long, divided evenly into four segments of 8 bits each. The critical field C of keyword B that needs to be matched is 168.152.128, 24 bits long, and the critical field D that need not be matched is *, 8 bits long.
S502: when the length of the keyword equals the length of the 1st critical field, reading the 1st rule table with the 1st critical field as the address, and obtaining and managing the corresponding node information;
Here the node information comprises: node type, rule number, next-level index and current segment length. Of course it may also comprise other contents; the present invention does not limit this. In a rule table, the node information corresponding to one critical field is one entry.
Thus the step of managing the node information may comprise: when the node type corresponding to the 1st critical field in the 1st rule table is an invalid node, changing the node type to leaf node, writing the rule number corresponding to the keyword and setting the current segment length to the length of the critical field of the keyword that needs to be matched;
when the node type corresponding to the 1st critical field in the 1st rule table is an intermediate node, changing the node type to mixed node, writing the rule number corresponding to the keyword and setting the current segment length to the length of the critical field of the keyword that needs to be matched;
when the node type corresponding to the 1st critical field in the 1st rule table is a mixed node or a leaf node, keeping the node type unchanged, writing the rule number corresponding to the keyword and setting the current segment length to the length of the critical field of the keyword that needs to be matched.
S503: when the length of the keyword is less than the length of the 1st critical field, expanding the remaining field to obtain keyword residue fields, reading the 1st rule table with each keyword residue field in turn as the address, and obtaining and managing the corresponding node information;
Here the remaining field refers to the critical field of the keyword that needs to be matched.
Thus the step of managing the node information may comprise: when the node type corresponding to the 1st critical field in the 1st rule table is an invalid node, changing the node type to leaf node, writing the rule number corresponding to the keyword and setting the current segment length to the length of the critical field of the keyword that needs to be matched;
when the node type corresponding to the 1st critical field in the 1st rule table is an intermediate node, changing the node type to mixed node, writing the rule number corresponding to the keyword and setting the current segment length to the length of the critical field of the keyword that needs to be matched;
when the node type corresponding to the 1st critical field in the 1st rule table is a mixed node or a leaf node, keeping the node type unchanged and, at the same time, comparing the length of the critical field of the keyword that needs to be matched with the current segment length: if the length that needs to be matched is less than the current segment length, keeping the original rule number and current segment length unchanged; otherwise, writing the rule number corresponding to the keyword and setting the current segment length to the length of the critical field of the keyword that needs to be matched.
It should be noted that expanding the remaining field to obtain the keyword residue fields specifically means: subtracting the length P of the critical field of the keyword that needs to be matched from the length N_1 of the 1st critical field to obtain the difference x, and expanding the remaining field into 2^x keyword residue fields C_11 = {C_1, 0}, C_12 = {C_1, 1}, ..., C_1,2^x = {C_1, 2^x − 1}.
S504: when the length of the keyword is greater than the length of the 1st critical field, reading the 1st rule table with the 1st critical field as the address, and obtaining and managing the corresponding node information.
Here the step of managing the node information may comprise: when the node type corresponding to the 1st critical field in the 1st rule table is an invalid node, changing the node type to intermediate node and writing the next-level index corresponding to the 1st critical field; when the node type corresponding to the 1st critical field in the 1st rule table is an intermediate node or a mixed node, keeping the node information unchanged; when the node type corresponding to the 1st critical field in the 1st rule table is a leaf node, changing the node type to mixed node and writing the next-level index corresponding to the 1st critical field.
Next, for the i-th critical field, i = 2, 3, ..., M, after S504 and as shown in Fig. 6, the method further comprises:
S601: computing the difference between the previous difference and the critical field length;
Here the difference is the length that still needs to be matched at this stage: for i = 1 the previous difference is the length of the critical field of the keyword that needs to be matched; for i = 2 the difference is that length minus the length of the 1st critical field; and so on, each stage subtracting the length of the preceding critical field from the previous difference.
S602: When the difference is equal to the length of the i-th critical field, read the i-th rule table using the next-stage index of the (i-1)-th critical field together with the i-th critical field as the address, and obtain and manage the corresponding node information.
Here, managing the node information may include: when the node type corresponding to the i-th critical field in the i-th rule table is an invalid node, change the node type to a leaf node, write the rule number corresponding to the keyword and set the current fragment length to the above difference; when the node type corresponding to the i-th critical field in the i-th rule table is an intermediate node, change the node type to a mixed node, write the rule number corresponding to the keyword and set the current fragment length to the above difference; when the node type corresponding to the i-th critical field in the i-th rule table is a mixed node or a leaf node, keep the node type unchanged, write the rule number corresponding to the keyword and set the current fragment length to the above difference.
S603: When the difference is less than the length of the i-th critical field, expand the remainder field to obtain the keyword remainder fields, read the i-th rule table using each keyword remainder field as the address, and obtain and manage the information of the corresponding nodes.
Here, the remainder field refers to the field that remains after removing the first i critical fields from the critical field that needs to be cared about in the keyword.
Managing the node information may include: when the node type corresponding to the i-th critical field in the i-th rule table is an invalid node, change the node type to a leaf node, write the rule number corresponding to the keyword and set the current fragment length to the above difference; when the node type corresponding to the i-th critical field in the i-th rule table is an intermediate node, change the node type to a mixed node, write the rule number corresponding to the keyword and set the current fragment length to the above difference; when the node type corresponding to the i-th critical field in the i-th rule table is a mixed node or a leaf node, keep the node type unchanged and compare the above difference with the current fragment length: if the difference is less than the current fragment length, keep the original rule number and current fragment length unchanged; otherwise, write the rule number corresponding to the keyword and set the current fragment length to the above difference.
S604: When the difference is greater than the length of the i-th critical field, read the i-th rule table using the next-stage index of the (i-1)-th critical field together with the i-th critical field as the address, and obtain and manage the corresponding node information.
Here, managing the node information may include: when the node type corresponding to the i-th critical field in the i-th rule table is an invalid node, change the node type to an intermediate node and write the next-stage index corresponding to the i-th critical field; when the node type corresponding to the i-th critical field in the i-th rule table is an intermediate node or a mixed node, keep the node information unchanged; when the node type corresponding to the i-th critical field in the i-th rule table is a leaf node, change the node type to a mixed node and write the next-stage index corresponding to the i-th critical field.
The procedure of S601 to S604 is repeated in the same way until the M-th rule table has been generated. At this point the i-th rule table is as shown in Fig. 7: each entry includes a node type, a current fragment length, a next-stage index and a rule number.
Further, after the rule tables have been generated, the action corresponding to each rule number is written into an action table. As shown in Fig. 8, each entry includes the priority of the rule in that dimension, a discard/forward indication, a QoS mapping, a rate-limit flag and so on.
S403a: When the rule node type corresponding to the i-th critical field is a leaf node, determine the rule number corresponding to the i-th critical field as the rule number of the keyword to be found that corresponds to the M critical fields, and go to S404.
Specifically, the rule node type corresponding to a critical field can be of three kinds, namely leaf node, intermediate node and mixed node. When the node type obtained in S402 indicates that the i-th critical field is a leaf node, the determining module determines the rule number of that critical field as the rule number of the keyword to be found; here i = 1, 2, 3, ..., M.
S403b: When the rule node type corresponding to the i-th critical field is an intermediate node or a mixed node, add 1 to i and go to S402.
Specifically, after S402, when the rule node type corresponding to the i-th critical field is an intermediate node or a mixed node, the loop module adds 1 to i and triggers the access module, so that the access module again accesses the preset (i+1)-th rule table using the (i+1)-th critical field as the address and obtains the rule node type corresponding to the (i+1)-th critical field; by analogy, S402 to S403b are executed in a loop until the rule number of the keyword to be found is obtained.
In a specific implementation, when the rule node type corresponding to the i-th critical field is an intermediate node, add 1 to i and go to S402; when the rule node type corresponding to the i-th critical field is a mixed node, record the rule number corresponding to the i-th critical field, add 1 to i and go to S402.
In practical applications, the rule node type corresponding to a critical field can also be an invalid node. Then, for i = 2, 3, ..., M, when the node type obtained in S402 indicates that the i-th critical field is an invalid node and the (i-1)-th critical field is a mixed node, the determining module determines the rule number of the (i-1)-th critical field as the rule number of the keyword to be found.
For example, rule table 1 of the M rule tables is accessed using A1 as the address, obtaining the rule node type corresponding to A1, the next-stage index of A1 and the rule number corresponding to A1.
When the rule node type corresponding to A1 is a leaf node, the rule number corresponding to A1 is taken as the rule number of this keyword A and the lookup ends.
When the node corresponding to A1 is an intermediate node, rule table 2 is accessed using the next-stage index of A1 together with A2 as the address, obtaining the rule node type corresponding to A2, the next-stage index of A2 and the rule number of A2; then the same judgement and processing as for A1 are performed.
When the node corresponding to A1 is a mixed node, the rule number corresponding to A1 is recorded, and then rule table 2 is accessed using the next-stage index of A1 together with A2 as the address. If the node corresponding to A2 is an invalid node, the rule number of keyword A is the rule number corresponding to A1 and the lookup ends; if the node corresponding to A2 is a leaf node, the rule number of keyword A is the number corresponding to A2 and the lookup ends; if the node corresponding to A2 is an intermediate node or a mixed node, the lookup method used for A1 is repeated, continuing to access rule table 3 using the next-stage index of A2 together with A3 as the address, with processing similar to that for A1. This is repeated until the rule number of the keyword is obtained or the whole keyword has been searched.
S404: After the rule number of the keyword to be found has been determined, obtain the action corresponding to the rule number of the keyword to be found according to that rule number.
Specifically, an action table as shown in Fig. 8 is also preset in the ACL implementation device. The acquisition unit accesses the action table using the rule number of the keyword to be found as the address and obtains the action corresponding to the keyword to be found, that is, the action corresponding to the rule of that dimension.
Optionally, message attributes can also be obtained by accessing the action table, such as the priority of the rule of that dimension, the corresponding QoS and QoS priority, the rate-limit flag and rate-limit flag priority, the colour of the message, and discard or forward. Of course, other message attributes may also exist; the present invention is not specifically limited in this respect.
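The generation procedure (S504, S601 to S604) and the lookup procedure (S402 to S404, including the A1/A2/A3 walk described above) can be exercised together in a small software model. The following is an added example written for this page; it is not code from the patent or its applicant. It assumes that a rule is an (L-bit value, care length, rule number) triple whose top care-length bits are significant, that the keyword is split MSB-first into fields of the given widths, that each rule table is a dictionary addressed by (next-stage index, field value), that next-stage indexes come from a simple per-table counter, that a later rule of the same prefix length overwrites an earlier one at the same entry, and that the action table is a plain dictionary; the rules and keys in build_demo() are constructed sample data.

```python
"""Multi-stage rule-table ACL: table generation (S504, S601-S604) and
keyword lookup (S402-S404) as an added, stand-alone illustration.

Assumptions (not from the patent): a rule is (value, care_len, rule_no),
where only the top care_len bits of the L-bit value matter; the keyword is
split MSB-first into M fields of widths N[0..M-1]; rule table i is a dict
addressed by (next-stage index from table i-1, field i); next-stage
indexes are allocated by a per-table counter.
"""
from dataclasses import dataclass

INVALID, INTERMEDIATE, LEAF, MIXED = "invalid", "intermediate", "leaf", "mixed"


@dataclass
class Entry:
    node_type: str = INVALID
    cur_frag_len: int = 0   # bits of this field the stored rule cares about
    next_index: int = 0     # address component for the next-stage table
    rule_no: int = -1


class RuleTables:
    def __init__(self, field_widths):
        self.widths = list(field_widths)             # N1..NM
        self.total = sum(self.widths)                # keyword length L
        self.tables = [{} for _ in self.widths]      # (idx, field) -> Entry
        self._next_free = [1] * len(self.widths)     # next-stage index allocator

    def field(self, key, i):
        """Field i (0-based, MSB first) of an L-bit keyword."""
        shift = self.total - sum(self.widths[: i + 1])
        return (key >> shift) & ((1 << self.widths[i]) - 1)

    def _entry(self, i, idx, value):
        return self.tables[i].setdefault((idx, value), Entry())

    def insert(self, value, care_len, rule_no):
        """Write one rule into the M tables (the S504/S601-S604 procedure)."""
        assert 0 <= care_len <= self.total
        diff, idx = care_len, 0          # 'previous difference' starts at care_len
        for i, width in enumerate(self.widths):
            fld = self.field(value, i)
            if diff > width:
                # S504/S604: the rule continues into the next field.
                e = self._entry(i, idx, fld)
                if e.node_type in (INVALID, LEAF):
                    # invalid -> intermediate, leaf -> mixed; both get a fresh index
                    e.node_type = INTERMEDIATE if e.node_type == INVALID else MIXED
                    e.next_index = self._next_free[i + 1]
                    self._next_free[i + 1] += 1
                idx, diff = e.next_index, diff - width
                continue
            # The rule ends in this field: diff == width is one entry (S602);
            # diff < width expands the x don't-care bits into 2^x entries (S603).
            x = width - diff
            prefix = fld >> x
            for suffix in range(1 << x):
                e = self._entry(i, idx, (prefix << x) | suffix)
                if e.node_type == INVALID:
                    e.node_type = LEAF
                elif e.node_type == INTERMEDIATE:
                    e.node_type = MIXED
                elif diff < e.cur_frag_len:
                    continue          # a longer-prefix rule already owns this entry
                e.rule_no, e.cur_frag_len = rule_no, diff
            return

    def lookup(self, key):
        """Walk the tables (S402-S403b); return a rule number or None."""
        idx, best = 0, None
        for i in range(len(self.widths)):
            e = self.tables[i].get((idx, self.field(key, i)), Entry())
            if e.node_type == INVALID:
                return best           # invalid after a mixed node: use its rule
            if e.node_type == LEAF:
                return e.rule_no
            if e.node_type == MIXED:
                best = e.rule_no      # record the rule and keep walking (S403b)
            idx = e.next_index
        return best


def classify(tables, actions, key, default="deny"):
    """S404: rule number -> action via the action table (constructed dict)."""
    return actions.get(tables.lookup(key), default)


def build_demo():
    """Constructed sample: 16-bit keywords split into four 4-bit fields."""
    t = RuleTables([4, 4, 4, 4])
    t.insert(0x1000, 4, 1)    # 0x1xxx: ends exactly at field 1 (leaf)
    t.insert(0x1200, 8, 2)    # 0x12xx: turns the 0x1 entry into a mixed node
    t.insert(0x1230, 10, 3)   # 0x120x-0x123x: field 3 expanded into 4 entries
    t.insert(0x1234, 16, 4)   # exact match through all four tables
    t.insert(0x0000, 2, 5)    # 0x0xxx-0x3xxx: the 0x1 entry keeps rule 1
    actions = {1: "permit", 2: "deny", 3: "permit", 4: "deny", 5: "permit"}
    return t, actions


if __name__ == "__main__":
    tables, actions = build_demo()
    for key in (0x1234, 0x1235, 0x1290, 0x1F00, 0x2ABC, 0x4000):
        print(f"{key:#06x} -> rule {tables.lookup(key)} -> {classify(tables, actions, key)}")
```

Running the block prints, for each constructed key, the rule number returned by the table walk and the action read from the action table. The key 0x1235 shows the mixed-node case: rule 3 is recorded at the third stage and returned when the fourth-stage entry turns out to be invalid; 0x4000 shows the no-match case, where the first-stage entry is invalid and no rule was recorded; and the 0x0000/2 rule shows a shorter prefix leaving a longer-prefix entry untouched because of the current-fragment-length comparison in S603.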
At this point, the whole ACL process for a rule of a single dimension has been achieved. For rules of multiple dimensions, the merging module merges the actions corresponding to the rule numbers of the keywords to be found of the rules of each dimension, and obtains the ACL result of the packet.
In the above process, the rule tables in the rule table module may also be adjusted according to the user's configuration. Since a rule table cannot be updated in a single operation, in order to reduce the error rate the rule table module stores M rule tables and M backup rule tables in one-to-one correspondence. The above method therefore further includes: after the configuration rules have been updated, updating the M backup rule tables based on the new configuration rules, the M backup rule tables corresponding one-to-one to the M rule tables; after the M backup rule tables have been updated, switching to accessing the updated M backup rule tables and updating the M rule tables; after the M rule tables have been updated, switching back from the updated M backup rule tables to accessing the updated M rule tables.
Specifically, during a rule table update, the backup rule tables are updated first; after the backup rule tables have been updated, the access module switches to accessing the backup rule tables while the rule tables are updated in turn; after the rule tables have been updated, the access module switches back to the updated rule tables. In this way the error caused by a rule that should have been updated not yet being updated does not occur, which ensures the accuracy of the ACL implementation.
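The reason the backup tables avoid the "rule not yet updated" error is that a reader only ever sees a table set that has been completely written. The following added example models that invariant; it is not code from the patent or its applicant. It assumes a toy rule table that is a list of actions indexed by a 3-bit keyword, models the constraint that a table cannot be rewritten in one step by writing one entry at a time, and lets an observer record the table contents a lookup could see between any two writes, once for in-place updating and once for the backup-table procedure.

```python
"""Double-buffered rule tables (added illustration of the backup-table update).

Not the patent's code. A toy rule table is a list of actions indexed by a
3-bit keyword; the constraint that a table cannot be updated at once is
modelled by writing one entry at a time, with an observer called after
every write to record what a concurrent lookup could see.
"""


def write_in_place(table, new_entries, observe):
    """Rewrite `table` entry by entry; `observe` sees every partial state."""
    for addr, action in enumerate(new_entries):
        table[addr] = action
        observe(tuple(table))


class DoubleBuffered:
    """M rule tables plus M backup tables; readers use the active set only."""

    def __init__(self, entries):
        self.sets = [list(entries), list(entries)]   # rule tables, backup tables
        self.active = 0

    def lookup(self, key):
        return self.sets[self.active][key]

    def snapshot(self):
        return tuple(self.sets[self.active])

    def update(self, new_entries, observe):
        backup = 1 - self.active
        # 1. rebuild the backup set; readers still see the active set
        write_in_place(self.sets[backup], new_entries, lambda _: observe(self.snapshot()))
        # 2. switch reads to the (now complete) backup set
        self.active = backup
        observe(self.snapshot())
        # 3. rebuild the former active set while readers use the backup
        write_in_place(self.sets[1 - backup], new_entries, lambda _: observe(self.snapshot()))
        # 4. switch back to the updated original set
        self.active = 1 - backup
        observe(self.snapshot())


def states_seen_in_place(old, new):
    """Every table state a lookup could observe during an in-place rewrite."""
    seen = []
    write_in_place(list(old), new, seen.append)
    return seen


def states_seen_double_buffered(old, new):
    """Every state a lookup could observe with the backup-table procedure."""
    seen = []
    db = DoubleBuffered(old)
    db.update(new, seen.append)
    return seen, db


if __name__ == "__main__":
    # Constructed sample: a configuration change flips every action.
    OLD = ("permit", "permit", "deny", "deny", "permit", "permit", "deny", "deny")
    NEW = tuple("deny" if a == "permit" else "permit" for a in OLD)
    bad = [s for s in states_seen_in_place(OLD, NEW) if s not in (OLD, NEW)]
    print("in-place: transient mixed states observed:", len(bad))
    seen, db = states_seen_double_buffered(OLD, NEW)
    print("double-buffered: all states old or new:", all(s in (OLD, NEW) for s in seen))
```

In the in-place run, the observer sees tables that match neither the old nor the new configuration, which is exactly the state in which a packet would be classified by a half-updated rule set. In the double-buffered run every observed state is either the complete old set or the complete new set, and the final active table is the new one.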
From the foregoing: first, each keyword to be found extracted from the same packet is divided into M critical fields; then the i-th critical field of the M critical fields is used as the address to access the i-th rule table of the preset M rule tables, and at least the rule node type corresponding to the i-th critical field is obtained, where the M rule tables correspond to one rule; then the rule number of the keyword to be found is determined according to the rule node type corresponding to the i-th critical field; finally, the action corresponding to the keyword to be found, that is, the action corresponding to the rule, is obtained according to the determined rule number, thereby implementing the ACL. In this way the problems of high power consumption and high cost caused by TCAM are avoided. Further, because a keyword to be found is divided into M critical fields, and the rule number corresponding to a critical field is determined as the rule number of the keyword to be found as soon as the rule node type corresponding to the i-th critical field is an invalid node or a leaf node, the whole keyword to be found does not have to be looked up, which greatly reduces the amount of data processing and thus improves search efficiency. Further, because each keyword in the same packet is divided into M critical fields and then processed, the keyword here can be the keyword of one dimension or the keywords of multiple dimensions, that is, a multi-dimensional ACL can be implemented.
Based on the same inventive concept, an embodiment of the present invention also provides an ACL implementation device, consistent with the ACL implementation device described in one or more of the above embodiments.
As shown in Fig. 1, the device includes: a rule table module 1, a scheduling module 2, an access module 31, a determining module 32, a loop module 33 and an acquisition module 34. The rule table module 1 is configured to store the M rule tables corresponding to the rules of the same dimension, M being an integer greater than or equal to 1; the scheduling module 2 is configured to divide each keyword to be found extracted from the same packet into M critical fields; the access module 31 is configured to access at least the i-th rule table of the preset M rule tables using the i-th critical field of the M critical fields as the address, and to obtain the rule node type corresponding to the i-th critical field, where i = 1, 2, 3, 4, ..., M; the determining module 32 is configured, when the rule node type corresponding to the i-th critical field is a leaf node, to determine the rule number corresponding to the i-th critical field as the rule number of the keyword to be found corresponding to the M critical fields and to trigger the acquisition module 34; the loop module 33 is configured, when the rule node type corresponding to the i-th critical field is an intermediate node or a mixed node, to add 1 to i and trigger the access module 31; the acquisition module 34 is configured, after the rule number of the keyword to be found has been determined, to obtain the action corresponding to the rule number of the keyword to be found according to that rule number.
In the above scheme, for i = 2, 3, ..., M, the determining module 32 is further configured, when the rule node type corresponding to the i-th critical field is an invalid node and the rule node type corresponding to the (i-1)-th critical field is a mixed node, to determine the rule number corresponding to the (i-1)-th critical field as the rule number of the keyword to be found corresponding to the M critical fields, and to trigger the acquisition module 34.
In the above scheme, for i = 1, the access module 31 is configured to access the 1st rule table of the preset M rule tables using the 1st critical field as the address.
In the above scheme, for i = 2, 3, ..., M, the access module 31 is configured to access the i-th rule table using the next-stage index of the (i-1)-th critical field together with the i-th critical field as the address.
In the above scheme, the loop module 33 is configured, when the rule node type corresponding to the i-th critical field is an intermediate node, to add 1 to i and trigger the access module 31; and is further configured, when the rule node type corresponding to the i-th critical field is a mixed node, to record the rule number corresponding to the i-th critical field, add 1 to i and trigger the access module 31.
In the above scheme, the device further includes a rule table generation module configured to divide the keyword corresponding to the rule of the same dimension into M segments; when the length of the keyword is equal to the length of the 1st critical field, to read the 1st rule table using the 1st critical field as the address, and obtain and manage the corresponding node information; when the length of the keyword is less than the length of the 1st critical field, to expand the remainder field to obtain keyword remainder fields, read the 1st rule table using each keyword remainder field as the address, and obtain and manage the corresponding node information, wherein the remainder field is the critical field that needs to be cared about in the keyword; and when the length of the keyword is greater than the length of the 1st critical field, to read the 1st rule table using the 1st critical field as the address, and obtain and manage the corresponding node information.
In the above scheme, the rule table generation module is configured, for the i-th critical field of the M critical fields, to calculate the difference between the previous difference and the length of the i-th critical field, wherein the previous difference is the difference between the critical field length that needs to be cared about in the keyword and the length of the i-th critical field, i = 2, 3, ..., M; when the difference is equal to the length of the i-th critical field, to read the i-th rule table using the next-stage index of the (i-1)-th critical field together with the i-th critical field as the address, and obtain and manage the corresponding node information; when the difference is less than the length of the i-th critical field, to expand the remainder field to obtain keyword remainder fields, read the i-th rule table using each keyword remainder field as the address, and obtain and manage the corresponding node information, wherein the remainder field is the field remaining after removing the first i critical fields from the critical field that needs to be cared about in the keyword; and when the difference is greater than the length of the i-th critical field, to read the i-th rule table using the next-stage index of the (i-1)-th critical field together with the i-th critical field as the address, and obtain and manage the corresponding node information.
In the above scheme, the rule table module 1 is further configured, after the configuration rules have been updated, to update M backup rule tables based on the new configuration rules, the M backup rule tables corresponding one-to-one to the M rule tables. Correspondingly, the access module 31 is further configured, after the M backup rule tables have been updated, to switch to accessing the updated M backup rule tables while the M rule tables are updated, and, after the M rule tables have been updated, to switch back from accessing the updated M backup rule tables.
In practical applications, the above access module 31, determining module 32, loop module 33 and acquisition module 34 are arranged in a search engine 3, and one search engine 3 is connected to one rule table module 1; that is, for the same packet, one search engine 3 can search the rules of one dimension. Thus, as shown in Fig. 2, when the above device contains multiple search engines 3, the device can search the rules of multiple dimensions of the same packet in parallel, which greatly improves the efficiency of the ACL implementation. Further, as shown in Fig. 3, the device can also perform single-dimension or multi-dimension searches for multiple packets in parallel at the same time, which greatly improves the parallel data processing capability, so that the processing speed is greatly increased and the real-time performance of the ACL can be well guaranteed.
In the above scheme, when the ACL device performs multi-dimensional searches, the device further includes a merging module configured, after the multiple acquisition modules have obtained the actions corresponding to the rule numbers of each keyword to be found, to merge the actions and obtain the ACL result of the packet.
Those skilled in the art should understand that embodiments of the present invention may be provided as a method, a system or a computer program product. Therefore, the present invention may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage and optical storage) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a specific way, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which implements the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are executed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
The above are only preferred embodiments of the present invention and are not intended to limit the scope of protection of the present invention.
Claims (18)
1. An implementation method of an access control list ACL, characterized in that it comprises:
Step A, dividing each keyword to be found extracted from the same packet into M critical fields, wherein M is an integer greater than or equal to 1;
Step B, accessing at least the i-th rule table of the preset M rule tables using the i-th critical field of the M critical fields as the address, and obtaining the rule node type corresponding to the i-th critical field, wherein i = 1, 2, 3, 4, ..., M, and the M rule tables correspond to the rules of one dimension;
Step C, when the rule node type corresponding to the i-th critical field is a leaf node, determining the rule number corresponding to the i-th critical field as the rule number of the keyword to be found corresponding to the M critical fields, and going to Step E;
Step D, when the rule node type corresponding to the i-th critical field is an intermediate node or a mixed node, adding 1 to i and going to Step B;
Step E, after the rule number of the keyword to be found has been determined, obtaining the action corresponding to the rule number of the keyword to be found according to that rule number.
2. The method according to claim 1, characterized in that, when i = 2, 3, ..., M, after Step B the method further comprises:
when the rule node type corresponding to the i-th critical field is an invalid node and the rule node type corresponding to the (i-1)-th critical field is a mixed node, determining the rule number corresponding to the (i-1)-th critical field as the rule number of the keyword to be found corresponding to the M critical fields, and going to Step E.
3. The method according to claim 1, characterized in that, when i = 1, Step B comprises:
accessing the 1st rule table of the preset M rule tables using the 1st critical field as the address.
4. The method according to claim 1, characterized in that, when i = 2, 3, ..., M, Step B comprises:
accessing the i-th rule table using the next-stage index of the (i-1)-th critical field together with the i-th critical field as the address.
5. The method according to claim 1, characterized in that Step D comprises:
when the rule node type corresponding to the i-th critical field is an intermediate node, adding 1 to i and going to Step B;
when the rule node type corresponding to the i-th critical field is a mixed node, recording the rule number corresponding to the i-th critical field, adding 1 to i and going to Step B.
6. The method according to claim 1, characterized in that the method further comprises:
dividing the keyword corresponding to the rule of the same dimension into M segments;
when the length of the keyword is equal to the length of the 1st critical field, reading the 1st rule table using the 1st critical field as the address, and obtaining and managing the corresponding node information;
when the length of the keyword is less than the length of the 1st critical field, expanding the remainder field to obtain keyword remainder fields, reading the 1st rule table using each keyword remainder field as the address, and obtaining and managing the corresponding node information, wherein the remainder field is the critical field that needs to be cared about in the keyword;
when the length of the keyword is greater than the length of the 1st critical field, reading the 1st rule table using the 1st critical field as the address, and obtaining and managing the corresponding node information.
7. The method according to claim 6, characterized in that the method further comprises:
for the i-th critical field of the M critical fields, wherein i = 2, 3, ..., M, sequentially executing the following steps:
calculating the difference between the previous difference and the length of the i-th critical field, wherein the previous difference is the difference between the critical field length that needs to be cared about in the keyword and the length of the i-th critical field;
when the difference is equal to the length of the i-th critical field, reading the i-th rule table using the next-stage index of the (i-1)-th critical field together with the i-th critical field as the address, and obtaining and managing the corresponding node information;
when the difference is less than the length of the i-th critical field, expanding the remainder field to obtain keyword remainder fields, reading the i-th rule table using each keyword remainder field as the address, and obtaining and managing the corresponding node information, wherein the remainder field is the field remaining after removing the first i critical fields from the critical field that needs to be cared about in the keyword;
when the difference is greater than the length of the i-th critical field, reading the i-th rule table using the next-stage index of the (i-1)-th critical field together with the i-th critical field as the address, and obtaining and managing the corresponding node information.
8. The method according to claim 1, characterized in that the method further comprises:
after the configuration rules have been updated, updating M backup rule tables based on the new configuration rules, wherein the M backup rule tables correspond one-to-one to the M rule tables;
after the M backup rule tables have been updated, switching to accessing the updated M backup rule tables, and updating the M rule tables;
after the M rule tables have been updated, switching back from accessing the updated M backup rule tables.
9. The method according to claim 1, characterized in that, after Step E, the method further comprises:
merging the actions corresponding to the rule numbers of each keyword to be found, and obtaining the ACL result of the packet.
10. An implementation device of an access control list ACL, characterized in that it comprises: a rule table module, a scheduling module, an access module, a determining module, a loop module and an acquisition module; wherein
the rule table module is configured to store the M rule tables corresponding to the rules of the same dimension, M being an integer greater than or equal to 1;
the scheduling module is configured to divide each keyword to be found extracted from the same packet into M critical fields;
the access module is configured to access at least the i-th rule table of the preset M rule tables using the i-th critical field of the M critical fields as the address, and to obtain the rule node type corresponding to the i-th critical field, wherein i = 1, 2, 3, 4, ..., M;
the determining module is configured, when the rule node type corresponding to the i-th critical field is a leaf node, to determine the rule number corresponding to the i-th critical field as the rule number of the keyword to be found corresponding to the M critical fields, and to trigger the acquisition module;
the loop module is configured, when the rule node type corresponding to the i-th critical field is an intermediate node or a mixed node, to add 1 to i and trigger the access module;
the acquisition module is configured, after the rule number of the keyword to be found has been determined, to obtain the action corresponding to the rule number of the keyword to be found according to that rule number.
11. The device according to claim 10, characterized in that, when i = 2, 3, ..., M, the determining module is further configured, when the rule node type corresponding to the i-th critical field is an invalid node and the rule node type corresponding to the (i-1)-th critical field is a mixed node, to determine the rule number corresponding to the (i-1)-th critical field as the rule number of the keyword to be found corresponding to the M critical fields, and to trigger the acquisition module.
12. The device according to claim 10, characterized in that, when i = 1, the access module is configured to access the 1st rule table of the preset M rule tables using the 1st critical field as the address.
13. The device according to claim 10, characterized in that, when i = 2, 3, ..., M, the access module is configured to access the i-th rule table using the next-stage index of the (i-1)-th critical field together with the i-th critical field as the address.
14. The device according to claim 10, characterized in that the loop module is configured, when the rule node type corresponding to the i-th critical field is an intermediate node, to add 1 to i and trigger the access module; and is further configured, when the rule node type corresponding to the i-th critical field is a mixed node, to record the rule number corresponding to the i-th critical field, add 1 to i and trigger the access module.
15. The device according to claim 10, characterized in that the device further comprises a rule table generation module configured to divide the keyword corresponding to the rule of the same dimension into M segments; when the length of the keyword is equal to the length of the 1st critical field, to read the 1st rule table using the 1st critical field as the address, and obtain and manage the corresponding node information; when the length of the keyword is less than the length of the 1st critical field, to expand the remainder field to obtain keyword remainder fields, read the 1st rule table using each keyword remainder field as the address, and obtain and manage the corresponding node information, wherein the remainder field is the critical field that needs to be cared about in the keyword; and when the length of the keyword is greater than the length of the 1st critical field, to read the 1st rule table using the 1st critical field as the address, and obtain and manage the corresponding node information.
16. The device according to claim 15, characterized in that the rule table generation module is configured, for the i-th critical field of the M critical fields, to calculate the difference between the previous difference and the length of the i-th critical field, wherein the previous difference is the difference between the critical field length that needs to be cared about in the keyword and the length of the i-th critical field, i = 2, 3, ..., M; when the difference is equal to the length of the i-th critical field, to read the i-th rule table using the next-stage index of the (i-1)-th critical field together with the i-th critical field as the address, and obtain and manage the corresponding node information; when the difference is less than the length of the i-th critical field, to expand the remainder field to obtain keyword remainder fields, read the i-th rule table using each keyword remainder field as the address, and obtain and manage the corresponding node information, wherein the remainder field is the field remaining after removing the first i critical fields from the critical field that needs to be cared about in the keyword; and when the difference is greater than the length of the i-th critical field, to read the i-th rule table using the next-stage index of the (i-1)-th critical field together with the i-th critical field as the address, and obtain and manage the corresponding node information.
17. The device according to claim 10, characterized in that the rule table module is further configured, after the configuration rules have been updated, to update M backup rule tables based on the new configuration rules, wherein the M backup rule tables correspond one-to-one to the M rule tables;
correspondingly, the access module is further configured, after the M backup rule tables have been updated, to switch to accessing the updated M backup rule tables while the M rule tables are updated, and, after the M rule tables have been updated, to switch back from accessing the updated M backup rule tables.
18. The device according to claim 10, characterised in that the device further includes a merging module, configured to, after the obtaining module has obtained the action corresponding to the rule number of each keyword to be found among the multiple keywords, merge those actions to obtain the ACL result for the packet.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510551233.5A CN106487769B (en) | 2015-09-01 | 2015-09-01 | Method and device for realizing Access Control List (ACL) |
PCT/CN2016/094450 WO2017036291A1 (en) | 2015-09-01 | 2016-08-10 | Access control list implementation method, device and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510551233.5A CN106487769B (en) | 2015-09-01 | 2015-09-01 | Method and device for realizing Access Control List (ACL) |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106487769A true CN106487769A (en) | 2017-03-08 |
CN106487769B CN106487769B (en) | 2020-02-04 |
Family
ID=58186607
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510551233.5A Active CN106487769B (en) | 2015-09-01 | 2015-09-01 | Method and device for realizing Access Control List (ACL) |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN106487769B (en) |
WO (1) | WO2017036291A1 (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109150686A (en) * | 2018-09-07 | 2019-01-04 | 迈普通信技术股份有限公司 | ACL entry delivery method, device and network equipment |
CN112425131A (en) * | 2018-11-30 | 2021-02-26 | 华为技术有限公司 | ACL rule classification method, ACL rule search method and ACL rule classification device |
CN113037681A (en) * | 2019-12-09 | 2021-06-25 | 中兴通讯股份有限公司 | ACL rule management method, device, computer equipment and computer readable medium |
CN115361214A (en) * | 2022-08-22 | 2022-11-18 | 中国电信股份有限公司 | Message access control method, device, apparatus, medium, and program |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112131356B (en) * | 2020-08-03 | 2022-06-07 | 国家计算机网络与信息安全管理中心 | Message keyword matching method and device based on TCAM |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050114655A1 (en) * | 2003-11-26 | 2005-05-26 | Miller Stephen H. | Directed graph approach for constructing a tree representation of an access control list |
CN101493841A (en) * | 2009-02-23 | 2009-07-29 | 深圳市中科新业信息科技发展有限公司 | Searching method and device |
CN102487374A (en) * | 2010-12-01 | 2012-06-06 | 中兴通讯股份有限公司 | Access control list realization method and apparatus thereof |
CN102986179A (en) * | 2010-06-08 | 2013-03-20 | 博科通讯系统有限公司 | Methods and apparatuses for processing and/or forwarding packets |
CN103647773A (en) * | 2013-12-11 | 2014-03-19 | 北京中创信测科技股份有限公司 | Fast encoding method of access control list (ACL) behavior set |
CN104579941A (en) * | 2015-01-05 | 2015-04-29 | 北京邮电大学 | Message classification method in OpenFlow switch |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101035061B (en) * | 2006-03-09 | 2010-05-12 | 中兴通讯股份有限公司 | Segmented coded expansion method for realizing the match of the three-folded content addressable memory range |
Events
- 2015-09-01: CN CN201510551233.5A, patent/CN106487769B/en, active (Active)
- 2016-08-10: WO PCT/CN2016/094450, patent/WO2017036291A1/en, active (Application Filing)
Non-Patent Citations (1)
Title |
---|
张艳军 et al.: "基于决策树的递归包分类算法" (A recursive packet classification algorithm based on decision trees), 北京邮电大学学报 (Journal of Beijing University of Posts and Telecommunications) * |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109150686A (en) * | 2018-09-07 | 2019-01-04 | 迈普通信技术股份有限公司 | ACL entry delivery method, device and network equipment |
CN109150686B (en) * | 2018-09-07 | 2020-12-22 | 迈普通信技术股份有限公司 | ACL (access control list) entry issuing method, device and network equipment |
CN112425131A (en) * | 2018-11-30 | 2021-02-26 | 华为技术有限公司 | ACL rule classification method, ACL rule search method and ACL rule classification device |
CN112425131B (en) * | 2018-11-30 | 2022-03-04 | 华为技术有限公司 | ACL rule classification method, ACL rule search method and ACL rule classification device |
CN113037681A (en) * | 2019-12-09 | 2021-06-25 | 中兴通讯股份有限公司 | ACL rule management method, device, computer equipment and computer readable medium |
CN113037681B (en) * | 2019-12-09 | 2023-09-05 | 中兴通讯股份有限公司 | ACL rule management method, ACL rule management device, computer equipment and computer readable medium |
CN115361214A (en) * | 2022-08-22 | 2022-11-18 | 中国电信股份有限公司 | Message access control method, device, apparatus, medium, and program |
Also Published As
Publication number | Publication date |
---|---|
CN106487769B (en) | 2020-02-04 |
WO2017036291A1 (en) | 2017-03-09 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106487769A (en) | Implementation method and device for an access control list (ACL) | |
US10069764B2 (en) | Ruled-based network traffic interception and distribution scheme | |
CN105706044B (en) | Ranking-based work-conserving scheduler | |
US10778583B2 (en) | Chained longest prefix matching in programmable switch | |
CN107689931A (en) | System and method for implementing Ethernet switching functions on a domestic FPGA | |
EP1649389B1 (en) | Internet protocol security matching values in an associative memory | |
US7408932B2 (en) | Method and apparatus for two-stage packet classification using most specific filter matching and transport level sharing | |
US6874016B1 (en) | Information searching device | |
CN102334112B (en) | Method and system for virtual machine networking | |
CN104184664B (en) | Route forwarding table entry generation method and device | |
CN110383777A (en) | Flexible processor of a port extender device | |
CN104168170B (en) | Packet switching device and method | |
CN104717098B (en) | Data processing method and device | |
Warkhede et al. | Multiway range trees: scalable IP lookup with fast updates | |
CN102487374B (en) | Access control list realization method and apparatus thereof | |
EP3661153B1 (en) | Building decision tree for packet classification | |
CN108833299A (en) | Large-scale network data processing method based on a reconfigurable switch chip architecture | |
CN110414928A (en) | Service stream classification processing method, device and communication equipment | |
CN112118167A (en) | Method for quickly transmitting cross-network tunnel data | |
CN104009918B (en) | Service message processing method, apparatus and system | |
CN106453091B (en) | Equal-cost route management method and device for a router forwarding plane | |
CN106559339A (en) | Message processing method and device | |
CN103457855B (en) | Method and apparatus for establishing a classless inter-domain routing table and forwarding messages | |
US8316151B1 (en) | Maintaining spatial ordering in firewall filters | |
Lu et al. | $O(\log W)$ multidimensional packet classification | |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |