CN113037681A - ACL rule management method, device, computer equipment and computer readable medium - Google Patents


Info

Publication number
CN113037681A
Authority
CN
China
Legal status
Granted
Application number
CN201911250942.4A
Other languages
Chinese (zh)
Other versions
CN113037681B (en)
Inventor
林宁
Current Assignee
ZTE Corp
Original Assignee
ZTE Corp
Application history
Application filed by ZTE Corp
Priority to CN201911250942.4A (granted as CN113037681B)
Priority to PCT/CN2020/133118 (published as WO2021115160A1)
Publication of CN113037681A
Application granted
Publication of CN113037681B
Legal status: Active

Classifications

    • H04L63/101 Access control lists [ACL] (under H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources; H04L63/00 Network architectures or network communication protocols for network security)
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L9/40 Network security protocols (under H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols)

Abstract

The present disclosure provides an ACL rule management method, apparatus, computer device, and computer readable medium. The method comprises: determining the priority of a rule to be written, wherein the priority of the rule to be written is determined by the priority of the rule type of the rule to be written and the sequence number of that rule type in an access control list; and writing the rule to be written into the access control list at least according to the priority of the rule to be written. When rules to be written are written into the access control list according to the priority determined in this way, rule moving is reduced to the greatest extent, the CPU consumption of the network equipment is reduced, the black hole period is correspondingly shortened, and packet loss caused by ACL moving is also reduced, so that the reliability and stability of the network equipment are improved.

Description

ACL rule management method, device, computer equipment and computer readable medium
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to an ACL rule management method and apparatus, a computer device, and a computer readable medium.
Background
An Access Control List (ACL) is a list of commands on router and switch interfaces that controls the ingress and egress of packets. Typically, the management of ACLs follows these basic principles:
1. When the ACL priorities are the same, the rule issued first takes effect first.
2. When the priorities are different, the rule with the higher priority takes effect first.
3. When a packet is forwarded, the rules in the ACL are matched from top to bottom, and the packet is forwarded according to the first rule it matches.
Therefore, if a rule with a low priority is issued first and a rule with a high priority is issued afterwards, rules already in the ACL need to be moved when the new rule is issued to hardware, so that the basic principles of ACL management are satisfied.
The current common procedure for issuing an ACL rule to the equipment is as follows:
1. A rule of a certain priority is issued.
2. The priority of the rule is compared with the priorities of the existing rules, and the order of issue among rules of the same priority is determined.
3. Rules are moved according to the basic management principles of the ACL, so that top-to-bottom matching of packets respects the priorities.
Therefore, if the priority of a rule issued earlier is lower than that of a rule issued later, rules are shifted. If many rules have been issued, issuing one rule may in the extreme case require moving all of them. The move operation causes extra consumption on the CPU (Central Processing Unit) of the device. In addition, during the move the rules that were originally in effect have a short black hole period, during which packets that originally matched the ACL cannot be forwarded normally, so network stability is affected.
Disclosure of Invention
In view of the above-mentioned deficiencies in the prior art, the present disclosure provides an ACL rule management method, apparatus, computer device, and computer readable medium.
In a first aspect, an embodiment of the present disclosure provides an ACL rule management method, where the method includes:
determining the priority of a rule to be written, wherein the priority of the rule to be written is determined by the priority of the rule type of the rule to be written and the sequence number of the rule type in an access control list;
and writing the rule to be written into the access control list at least according to the priority of the rule to be written.
Preferably, the priority of the rule to be written includes a first field and a second field, the value of the first field is the priority of the rule type of the rule to be written, the value of the second field is the sequence number of a rule of that rule type in the access control list, and determining the priority of the rule to be written includes:
determining the total number of bits of the priority of the rule to be written;
determining the value of the first field according to the rule type of the rule to be written and a preset mapping relation between rule types and the priorities of rule types;
determining the number of bits of the second field according to the total number of bits and the preset number of bits of the first field;
determining the value of the second field according to the number of bits of the second field and the number of rules of that rule type in the access control list;
and splicing the value of the first field and the value of the second field to generate the priority of the rule to be written.
Preferably, determining the total number of bits of the priority of the rule to be written includes:
determining the total number of bits of the priority of the rule to be written according to the maximum number of rules that the access control list can accommodate.
Preferably, the higher the priority of a rule type is, the smaller the value of the first field is;
and determining the value of the second field according to the number of bits of the second field and the number of rules of that rule type in the access control list includes:
determining the number of rules of that rule type currently in the access control list;
and taking that number as the value of the second field, represented in the number of bits of the second field.
Preferably, in the access control list, the value of the first field of a rule positioned earlier is smaller than the value of the first field of a rule positioned later; and where the values of the first field are the same, the value of the second field of the rule positioned earlier is smaller than that of the rule positioned later.
Preferably, writing the rule to be written into the access control list according to at least the priority includes:
taking the priority of the rule to be written as an index into the access control list, and writing the rule to be written into the position in the access control list corresponding to that index.
Preferably, writing the rule to be written into the access control list according to at least the priority of the rule to be written includes:
writing the rule to be written into the access control list according to the priority of the rule to be written and the priority of each rule already written into the access control list.
Preferably, writing the rule to be written into the access control list according to the priority of the rule to be written and the priority of each rule already written into the access control list includes:
if the access control list is not empty, sorting the priority of the rule to be written together with the priority of each rule already written into the access control list;
and writing the rule to be written into the access control list according to the sorting result.
Preferably, writing the rule to be written into the access control list according to the priority of the rule to be written and the priority of each rule already written into the access control list includes:
if the access control list is empty, writing the rule to be written into the last position of the access control list.
In a second aspect, an embodiment of the present disclosure provides an ACL rule management apparatus, including a determining module and a writing module, where the determining module is configured to determine a priority of a rule to be written, where the priority of the rule to be written is determined by a priority of a rule type of the rule to be written and a sequence number of the rule type in an access control list;
the writing module is used for writing the rule to be written into the access control list at least according to the priority of the rule to be written.
In a third aspect, an embodiment of the present disclosure further provides a computer device, including: one or more processors and storage; the storage device stores one or more programs, and when the one or more programs are executed by the one or more processors, the one or more processors implement the ACL rule management method according to the first aspect.
In a fourth aspect, the disclosed embodiments also provide a computer readable medium, on which a computer program is stored, which when executed, implements the ACL rule management method as provided in the foregoing first aspect.
The ACL rule management method provided in the embodiment of the present disclosure determines a priority of a rule to be written, and writes the rule to be written into the access control list at least according to the priority of the rule to be written, where the priority of the rule to be written is determined by a priority of a rule type of the rule to be written and a sequence number of the rule type in the access control list. The priority of the rules to be written considers the priority sequence of the ACLs among different rule types and also considers the sequence issued by the rules of the same rule type, so that when the rules to be written are written into the access control list according to the priority of the rules to be written, the moving phenomenon can be reduced to the greatest extent, the CPU consumption of the network equipment is reduced, correspondingly, the black hole period is reduced, and the packet loss phenomenon caused by the ACL moving can also be reduced, thereby improving the reliability and stability of the network equipment.
Drawings
Fig. 1 is a flowchart of an ACL rule management method according to an embodiment of the present disclosure;
Fig. 2 is a flowchart of an ACL rule management method provided by another embodiment of the present disclosure;
Fig. 3 is a schematic diagram of writing a rule to an access control list according to yet another embodiment of the present disclosure;
Fig. 4 is another exemplary diagram of writing a rule to an access control list provided by yet another embodiment of the present disclosure;
Fig. 5 is a schematic structural diagram of an ACL rule management apparatus according to another embodiment of the present disclosure.
Detailed Description
Example embodiments will be described more fully hereinafter with reference to the accompanying drawings, but which may be embodied in different forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
As used herein, the term "and/or" includes any and all combinations of one or more of the associated listed items.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
The embodiments described herein may be described with reference to plan and/or cross-sectional views in light of idealized schematic illustrations of the disclosure. Accordingly, the example illustrations can be modified in accordance with manufacturing techniques and/or tolerances. Accordingly, the embodiments are not limited to the embodiments shown in the drawings, but include modifications of configurations formed based on manufacturing processes. Thus, the regions illustrated in the figures have schematic properties, and the shapes of the regions shown in the figures illustrate specific shapes of regions of elements, but are not intended to be limiting.
Unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and the present disclosure, and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
An embodiment of the present disclosure provides an ACL rule management method, as shown in fig. 1, the ACL rule management method includes the following steps:
Step 11: determining the priority of the rule to be written.
In this step, the priority of the rule to be written is determined by the priority of the rule type of the rule to be written and the sequence number of that rule type in the access control list. That is, the priority of the rule to be written consists of the priority of its rule type together with the sequence number of that rule type in the access control list.
It should be noted that different rule types correspond to different priorities. Rule types may be classified by binding type: the binding types port, SG (signaling Gateway) and VLAN (Virtual Local Area Network) each correspond to a different priority. Rule types may also be classified by ACL type, for example IPv4 (Internet Protocol Version 4), IPv6 (Internet Protocol Version 6) and so on, with different ACL types corresponding to different priorities. Of course, the principle by which rule types are partitioned can also be defined by the user.
The larger the sequence number of the rule type in the access control list is (i.e. the later the rule is issued), the larger the value of the priority of the corresponding rule to be written is. That is, the priority of the rule to be written takes into account both the priority order between the different rule types of the ACL and the order in which rules of the same rule type are issued.
Step 12: writing the rule to be written into the access control list at least according to the priority of the rule to be written.
In this step, the priority of the rule to be written determined in step 11 is used as the basis for writing the rule into the access control list; that is, the writing position of the rule in the access control list is determined according to its priority.
The priority of the rule to be written is determined, and the rule is written into the access control list at least according to that priority, where the priority is determined by the priority of the rule type of the rule to be written and the sequence number of that rule type in the access control list. The priority of the rule to be written considers both the priority order of the ACL among different rule types and the order in which rules of the same rule type are issued. Thus, when rules to be written are written into the access control list according to this priority, rule moving is reduced to the maximum extent, the CPU consumption of the network equipment is reduced, the black hole period is correspondingly shortened, and packet loss caused by ACL moving is also reduced, thereby improving the reliability and stability of the network equipment.
In some embodiments, the priority of the rule to be written includes a first field and a second field: the value of the first field is the priority of the rule type of the rule to be written, and the value of the second field is the sequence number of a rule of that rule type in the access control list. In other words, the ACL rule management device defines the priority of a rule to be written into the access control list in segments. The first field is the high-order field and the second field is the low-order field; that is, the priority of the rule to be written is made up of the value of the high-order field followed by the value of the low-order field.
As shown in Fig. 2, determining the priority of the rule to be written (i.e. step 11) includes the following steps:
Step 111: determining the total number of bits of the priority of the rule to be written.
It should be noted that the total number of bits of the priority of the rule to be written, the number of bits of the first field, and the number of bits of the second field are all given in hexadecimal in the embodiments of the present disclosure.
Step 112: determining the value of the first field according to the rule type of the rule to be written and the preset mapping relation between rule types and the priorities of rule types.
In this step, a mapping relation between rule types and the priorities of rule types is established in advance. The higher the priority of a rule type, the smaller the value of the first field. For example, when rule types are binding types, the basic order in which rules take effect is port > VLAN > SG, so the priority order is also port > VLAN > SG, and the value of the first field of a port-type rule < the value of the first field of a VLAN-type rule < the value of the first field of an SG-type rule. The mapping relation between rule type and rule-type priority is then: the priority of port is 0x1, the priority of VLAN is 0x2, and the priority of SG is 0x3. The value of the first field is determined from this mapping relation and the rule type of the rule to be written. For example, if the rule type of the rule to be written is port, the value of the first field is 0x1 (a hexadecimal 1).
Step 113: determining the number of bits of the second field according to the total number of bits and the preset number of bits of the first field.
In this step, the number of bits of the first field is preset. Once the total number of bits has been determined, all remaining bits count as the second field, i.e. the low-order field, so the number of bits of the second field is obtained by subtracting the preset number of bits of the first field from the total number of bits. For example, if the total number of bits is 4 bits and the first field is 1 bit, the number of bits of the second field is determined to be 3 bits.
Step 114: determining the value of the second field according to the number of bits of the second field and the number of rules of that rule type in the access control list.
In some embodiments, that number is taken as the value of the second field, and the value of the second field is represented in the number of bits of the second field.
In this step, the sequence number of the rule type in the access control list is equal to the number of rules of that rule type already in the access control list. That number is taken as the value of the second field and represented in the number of bits of the second field; that is, the value of the second field increases by 1 each time the number of rules of that rule type in the access control list increases. For example, when the number of bits of the second field is three and there are 0 port-type rules in the access control list, the second field is 000; when there is one port-type rule in the access control list, the second field is 001, indicating that the rule to be written is the 2nd port-type rule. By analogy, each time a rule with the same first field is written, the value written later is necessarily larger than the value written earlier, so rule moving is reduced.
Step 115: splicing the value of the first field and the value of the second field to generate the priority of the rule to be written.
In this step, the value of the first field is placed in the high-order position and the value of the second field in the low-order position, and the priority of the rule to be written is generated by splicing them. For example, if the first field has the value 0x1 and the second field has the value 000, the priority of the rule to be written is 0x1000.
In some embodiments, determining the total number of bits of the priority of the rule to be written (i.e. step 111) includes: determining the total number of bits of the priority of the rule to be written according to the maximum number of rules that the access control list can accommodate. That is, the total number of bits of the priority of the rule to be written is determined by the maximum number of rules the access control list can accommodate: the larger that maximum number is, the larger the total number of bits of the priority is. For example, when the maximum number of rules the access control list can accommodate is 2^4, the total number of bits of the priority of the rule to be written is determined to be 4 bits, and when the maximum number of rules the access control list can accommodate is 2^5, the total number of bits of the priority of the rule to be written is determined to be 5 bits.
It should be noted that, in some embodiments, in the access control list the value of the first field of a rule positioned earlier is smaller than the value of the first field of a rule positioned later; and where the values of the first field are the same, the value of the second field of the rule positioned earlier is smaller than that of the rule positioned later. That is, a rule located nearer the top of the access control list has a smaller priority value and a higher priority.
In the embodiments of the present disclosure, there are two methods for writing a rule to be written into the access control list according to its determined priority: one writes the rule to an absolute position in the access control list, and the other writes the rule to a relative position in the access control list. Both are discussed in detail below.
In some embodiments, writing the rule to be written into the access control list according to at least the priority (i.e. step S12) includes: taking the priority of the rule to be written as an index into the access control list, and writing the rule to be written into the position in the access control list corresponding to that index.
In this step, the priority of the rule to be written is used as an index into the access control list, and the index corresponds to a position in the access control list, that is, an address in the access control list. For rules of the same rule type, the values of the second field of the priority increase with the order of issue, i.e. a rule issued later has a larger second-field value. Consequently, for rules of the same rule type, each newly written rule has a lower priority (a larger priority value) than the rules of that type written before it, so rules issued later are always placed behind rules issued earlier.
The writing method for the rule to be written is described in detail using Fig. 3 as an example. The maximum number of rules the access control list of the device can accommodate is 32K, and the total number of bits of the priority of the rule to be written is 16 bits, which is 4 digits in hexadecimal. The 1-digit high-order field is used as the first field of the rule priority. When the rule types are the binding types port, SG and VLAN, the priority relation is port > VLAN > SG, so in the 1-digit high-order field the priority of port is set to 0x1, VLAN to 0x2 and SG to 0x3. This arrangement ensures that port-type rules must precede VLAN-type rules in the access control list and that VLAN-type rules must precede SG-type rules. The remaining 3 digits are set as the second field of the rule priority.
The port-type rule A is issued first. The priority of the port type is 0x1, so the first field of rule A is 0x1; there are 0 port-type rules in the access control list, and since the value of the second field equals the number of rules of the same type already in the list, the second field is 000. The priority of rule A is therefore 0x1000, and with 0x1000 as the index, rule A is written into the position of the access control list corresponding to index 0x1000. The port-type rule B is issued second. Its rule type is port with priority 0x1, so the first field is 0x1; at this point there is 1 port-type rule in the access control list, so the second field is 001 and the priority of rule B is 0x1001. Rule B is written into the position of the access control list corresponding to index 0x1001, below rule A. The VLAN-type rule C is then issued for the first time. The priority of the VLAN type is 0x2, so the first field is 0x2; there are 0 VLAN-type rules in the access control list, so the second field is 000, the priority of rule C is 0x2000, and rule C is written into the position corresponding to index 0x2000. By analogy, port-type rules are necessarily placed before VLAN-type rules, VLAN-type rules before SG-type rules, and among rules of the same type a rule issued later is always placed behind a rule issued earlier.
With this writing method, no rule moving occurs during the initial stage of filling the access control list, so there is no packet loss caused by rule moving, which reduces the CPU consumption of the network equipment and improves the stability of the network.
In some embodiments, to prevent a hole in the access control list after the rule is deleted, and to avoid the access control list from limiting the writing number of the rule of each rule type, the rule to be written may be written in the relative position of the access control list. Namely, the writing the rule to be written into the access control list according to at least the priority of the rule to be written (step S12), includes: and writing the rules to be written into the access control list according to the priority of the rules to be written and the priority of each rule written into the access control list.
In some embodiments, the writing the rule to be written into the access control list according to the priority of the rule to be written and the priority of each rule already written into the access control list includes: and if the access control list is not empty, sequencing the priority of the rule to be written and the priority of each rule written in the access control list, and writing the rule to be written into the access control list according to the sequencing result. And if the access control list is empty, writing the rule to be written into the last position of the access control list.
In some embodiments, if the access control list is empty, i.e. when the rule to be written is the first rule in the access control list, the rule to be written is written into the last position of the access control list. All rules are written in starting from the last position of the access control list. And if the access control list is not empty, sequencing the priority of the rule to be written and the priority of each rule written in the access control list each time when the rule to be written is written in the access control list, and writing the rule to be written in the access control list according to a sequencing result. The rule with the lower priority is ranked in the access control list at a later position each time, i.e., the rule with the higher priority value is ranked in the later position.
The writing method is described in detail using fig. 4 as an example. The access control list of the device can hold at most 32K rules, and a 16-bit value, written as four hexadecimal digits, is used as the priority of the rule to be written. The most significant hexadecimal digit is the first field of the priority. For the rule types port, VLAN and SG (rules bound to a port, a VLAN or an SG), the precedence is port > VLAN > SG, so in the first field the port type is set to 0x1, the VLAN type to 0x2 and the SG type to 0x3. This guarantees that port-type rules always precede VLAN-type rules in the access control list, and that VLAN-type rules always precede SG-type rules. The remaining three hexadecimal digits (12 bits) form the second field of the priority.
A VLAN-type rule A is issued first. Its first field is 0x2 (the VLAN type priority). The list contains 0 VLAN rules, and the value of the second field equals the number of rules of the same type already in the list, so the second field is 000 and the priority is 0x2000; rule A is written into the last position of the access control list. A VLAN-type rule B is issued second. Its first field is again 0x2; the list now contains 1 VLAN rule, so the second field is 001 and the priority is 0x2001, which is greater than the priority of rule A. Rule B is therefore pushed in from the last position of the list, stack-fashion, and rule A moves up by one position. A port-type rule C is then issued for the first time. Its first field is 0x1 (the port type priority); the list contains 0 port rules, so the second field is 000 and the priority is 0x1000, which is smaller than the priority 0x2000 of rule A. Rule C is therefore written into the position immediately before rule A.
By analogy, the priority of each rule to be written is compared with the priorities of all rules already in the access control list, and the rule is inserted in ascending order of priority value. Once all rules have been written, the list is ordered from top to bottom by descending precedence, i.e. by ascending priority value.
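The fig. 4 walkthrough above, carried through in code as an added example; this is not ZTE's implementation, and the page itself gives no code. It covers the determining steps and both writing methods that the method describes (and that the apparatus description below restates): `encode_priority` concatenates the rule-type first field (port 0x1, VLAN 0x2, SG 0x3) with a second field equal to the number of same-type rules already present; `Acl.write_index` uses the priority value directly as a slot index; `Acl.write_relative` keeps all rules packed against the bottom of the list in ascending priority value, pushing a newcomer in stack-fashion, and counts how many existing rules had to move. The `Rule` and `Acl` names, the in-memory slot list standing in for the device table, and the formula `capacity.bit_length()` for the total priority width (which yields the text's 16 bits for a 32K list) are this example's own assumptions.

```python
"""Priority encoding and ACL writing as described for fig. 4.  Added
example, not the patent's code: Rule, Acl and the in-memory slot list
are assumptions made here to make the scheme runnable."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Rule-type precedence from the text: port > VLAN > SG.  Higher precedence
# gets the SMALLER first-field value, so port-type rules sort first.
TYPE_PRIORITY: Dict[str, int] = {"port": 0x1, "vlan": 0x2, "sg": 0x3}
FIRST_FIELD_BITS = 4  # one hexadecimal digit, as in the walkthrough


def priority_bits(capacity: int) -> int:
    """Total width of the priority, derived from the list capacity.  The
    text gives 16 bits for a 32K-rule list; capacity.bit_length() reproduces
    that and is an assumption of this example, not the page's formula."""
    return capacity.bit_length()


def encode_priority(rule_type: str, same_type_count: int, total_bits: int) -> int:
    """Concatenate the two fields: first field = rule-type priority, second
    field = number of rules of that type already in the list."""
    second_bits = total_bits - FIRST_FIELD_BITS
    if same_type_count >= (1 << second_bits):  # 4096 per type for 12 bits
        raise ValueError(f"second field exhausted for rule type {rule_type!r}")
    return (TYPE_PRIORITY[rule_type] << second_bits) | same_type_count


@dataclass
class Rule:
    name: str
    rule_type: str
    priority: int = 0


class Acl:
    """Slot 0 is the top of the list; slot capacity-1 is the last position."""

    def __init__(self, capacity: int = 32 * 1024) -> None:
        self.capacity = capacity
        self.total_bits = priority_bits(capacity)
        self.slots: List[Optional[Rule]] = [None] * capacity
        self.moves = 0  # existing rules that changed slot during writes

    def rules(self) -> List[Rule]:
        """Occupied slots, top to bottom."""
        return [r for r in self.slots if r is not None]

    def position(self, name: str) -> int:
        return next(i for i, r in enumerate(self.slots)
                    if r is not None and r.name == name)

    def _assign_priority(self, rule: Rule) -> None:
        count = sum(1 for r in self.rules() if r.rule_type == rule.rule_type)
        rule.priority = encode_priority(rule.rule_type, count, self.total_bits)

    def write_index(self, rule: Rule) -> None:
        """Absolute method: the priority value is the slot index."""
        self._assign_priority(rule)
        if rule.priority >= self.capacity:
            raise IndexError("priority value does not fit the list")
        self.slots[rule.priority] = rule

    def write_relative(self, rule: Rule) -> None:
        """Relative method: an empty list takes the rule at the last position;
        otherwise all rules are re-ranked by ascending priority value and
        packed against the bottom, so a newcomer with a larger value is pushed
        in below the existing rules, stack-fashion."""
        self._assign_priority(rule)
        # sorted() is stable: a newcomer with an equal value lands after the
        # existing rule, because the existing rules come first in the input.
        ordered = sorted(self.rules() + [rule], key=lambda r: r.priority)
        new_slots: List[Optional[Rule]] = [None] * (self.capacity - len(ordered))
        new_slots += ordered
        self.moves += sum(1 for i, r in enumerate(self.slots)
                          if r is not None and new_slots[i] is not r)
        self.slots = new_slots


def fig4_walkthrough() -> dict:
    """Rules A (VLAN), B (VLAN) and C (port), issued in the order the text gives."""
    acl = Acl()
    for name, kind in (("A", "vlan"), ("B", "vlan"), ("C", "port")):
        acl.write_relative(Rule(name, kind))
    return {
        "priorities": {r.name: r.priority for r in acl.rules()},
        "order_top_to_bottom": [r.name for r in acl.rules()],
        "moves": acl.moves,
        "b_at_last_position": acl.position("B") == acl.capacity - 1,
    }


if __name__ == "__main__":
    for key, value in fig4_walkthrough().items():
        print(f"{key}: {value}")
```

`fig4_walkthrough()` reproduces the text: priorities 0x2000, 0x2001 and 0x1000, final order C, A, B from top to bottom, and exactly one move (rule A shifting up when B is pushed in beneath it); writing C moves nothing, since its slot above A is free. Because the second field is a count rather than a unique identifier, a rule written after deletions can receive a priority value already present in the list; the page does not say how such ties are ordered, so `write_relative` relies on a stable sort and places the newcomer after the existing rule with the same value.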
With this writing method, rules are written stack-fashion from the bottom of the list upwards, so positions are assigned dynamically while most existing rules are guaranteed not to move. This shortens the black-hole period and reduces the packet loss caused by moving ACL entries, which in turn lowers the CPU consumption of the network device and improves network stability. Furthermore, the number of rules of any one type is not limited, and deleting a rule does not leave a hole.
The ACL rule management method provided in the embodiments of the present disclosure determines the priority of a rule to be written and writes the rule into the access control list at least according to that priority. The priority includes a first field and a second field: the value of the first field is the priority of the rule type, and the value of the second field is the sequence number of the rule within that rule type in the access control list. The priority therefore captures both the precedence order between different ACL rule types and the order in which rules of the same type were issued. Through the two writing methods, rules are moved as little as possible when they are written into the access control list, which reduces the CPU consumption of the network device, shortens the black-hole period and reduces the packet loss caused by moving ACL entries, thereby improving the reliability and stability of the network device.
Based on the same technical concept, an embodiment of the present disclosure further provides an ACL rule management apparatus. As shown in fig. 5, the apparatus includes a determining module 1 and a writing module 2. The determining module 1 is configured to determine the priority of a rule to be written, where that priority is determined by the priority of the rule type of the rule and by the sequence number of the rule type in the access control list.
The writing module 2 is configured to write the rule to be written into the access control list at least according to the priority of the rule.
In some embodiments, the priority of the rule to be written includes a first field and a second field, the value of the first field is the priority of the rule type of the rule to be written, the value of the second field is the sequence number of the rule among rules of that rule type in the access control list, and the determining module 1 is configured to:
determine the total number of bits of the priority of the rule to be written;
determine the value of the first field according to the rule type of the rule to be written and a preset mapping between rule types and rule-type priorities;
determine the number of bits of the second field according to the total number of bits and the preset number of bits of the first field;
determine the value of the second field according to the number of bits of the second field and the number of rules of that rule type in the access control list;
concatenate the value of the first field and the value of the second field to generate the priority of the rule to be written.
In some embodiments, the determining module 1 is configured to:
determine the total number of bits of the priority of the rule to be written according to the maximum number of rules that the access control list can hold.
In some embodiments, the higher the priority of a rule type, the smaller the value of the first field.
In some embodiments, the determining module 1 is configured to:
determine the number of rules of the rule type currently in the access control list;
take that number as the value of the second field, represented using the number of bits of the second field.
In some embodiments, in the access control list the value of the first field of a rule positioned earlier is smaller than the value of the first field of a rule positioned later, and among rules with the same first-field value, the value of the second field of a rule positioned earlier is smaller than that of a rule positioned later.
In some embodiments, the writing module 2 is configured to:
take the priority of the rule to be written as an index into the access control list, and write the rule into the position in the access control list corresponding to that index.
In some embodiments, the writing module 2 is configured to:
write the rule to be written into the access control list according to its own priority and the priority of each rule already written into the access control list.
In some embodiments, the writing module 2 is configured to:
if the access control list is not empty, sort the priority of the rule to be written together with the priorities of the rules already in the access control list;
write the rule to be written into the access control list according to the sorted order.
In some embodiments, the writing module 2 is configured to:
if the access control list is empty, write the rule to be written into the last position of the access control list.
An embodiment of the present disclosure further provides a computer device, including: one or more processors; a storage device, wherein one or more programs are stored thereon; when executed by the one or more processors, the one or more programs cause the one or more processors to implement the ACL rule management method as provided in the foregoing embodiments.
An embodiment of the present disclosure also provides a computer-readable medium on which a computer program is stored, wherein the program, when executed, implements the ACL rule management method provided by the foregoing embodiments.
It will be understood by those of ordinary skill in the art that all or some of the steps of the methods disclosed above, and the functional modules/units in the apparatus, may be implemented as software, firmware, hardware, or suitable combinations thereof. In a hardware implementation, the division between functional modules/units mentioned in the above description does not necessarily correspond to a division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed by several physical components in cooperation. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor, or microprocessor, or as hardware, or as integrated circuits, such as application specific integrated circuits. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as is well known to those of ordinary skill in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer.
In addition, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media as is well known to those of ordinary skill in the art.
Example embodiments have been disclosed herein, and although specific terms are employed, they are used and should be interpreted in a generic and descriptive sense only and not for purposes of limitation. In some instances, features, characteristics, and/or elements described in connection with a particular embodiment may be used alone or in combination with features, characteristics, and/or elements described in connection with other embodiments, unless expressly stated otherwise, as would be apparent to one skilled in the art. It will therefore be understood by those skilled in the art that various changes in form and details may be made therein without departing from the scope of the invention encompassed by the appended claims.

Claims (12)

1. An ACL rule management method, comprising:
determining the priority of a rule to be written, wherein the priority of the rule to be written is determined by the priority of the rule type of the rule to be written and the sequence number of the rule type in an access control list; and
writing the rule to be written into the access control list at least according to the priority of the rule to be written.
2. The method of claim 1, wherein the priority of the rule to be written comprises a first field and a second field, the value of the first field is the priority of the rule type of the rule to be written, the value of the second field is the sequence number of the rule among rules of that rule type in the access control list, and determining the priority of the rule to be written comprises:
determining the total number of bits of the priority of the rule to be written;
determining the value of the first field according to the rule type of the rule to be written and a preset mapping between rule types and rule-type priorities;
determining the number of bits of the second field according to the total number of bits and a preset number of bits of the first field;
determining the value of the second field according to the number of bits of the second field and the number of rules of that rule type in the access control list; and
concatenating the value of the first field and the value of the second field to generate the priority of the rule to be written.
3. The method of claim 2, wherein determining the total number of bits of the priority of the rule to be written comprises:
determining the total number of bits of the priority of the rule to be written according to the maximum number of rules that the access control list can hold.
4. The method of claim 2, wherein the higher the priority of a rule type, the smaller the value of the first field; and
determining the value of the second field according to the number of bits of the second field and the number of rules of that rule type in the access control list comprises:
determining the number of rules of the rule type currently in the access control list; and
taking that number as the value of the second field, represented using the number of bits of the second field.
5. The method of claim 4, wherein, in the access control list, the value of the first field of a rule positioned earlier is smaller than the value of the first field of a rule positioned later; and, for rules with the same value of the first field, the value of the second field of a rule positioned earlier is smaller than the value of the second field of a rule positioned later.
6. The method of any one of claims 1 to 5, wherein writing the rule to be written into the access control list at least according to the priority comprises:
taking the priority of the rule to be written as an index into the access control list, and writing the rule to be written into the position in the access control list corresponding to that index.
7. The method of any one of claims 1 to 5, wherein writing the rule to be written into the access control list at least according to the priority of the rule to be written comprises:
writing the rule to be written into the access control list according to the priority of the rule to be written and the priority of each rule already written into the access control list.
8. The method of claim 7, wherein writing the rule to be written into the access control list according to the priority of the rule to be written and the priority of each rule already written into the access control list comprises:
if the access control list is not empty, sorting the priority of the rule to be written together with the priorities of the rules already written into the access control list; and
writing the rule to be written into the access control list according to the sorted order.
9. The method of claim 7, wherein writing the rule to be written into the access control list according to the priority of the rule to be written and the priority of each rule already written into the access control list comprises:
if the access control list is empty, writing the rule to be written into the last position of the access control list.
10. An ACL rule management apparatus, comprising a determining module and a writing module, wherein the determining module is configured to determine the priority of a rule to be written, the priority of the rule to be written being determined by the priority of the rule type of the rule to be written and the sequence number of the rule type in an access control list; and
the writing module is configured to write the rule to be written into the access control list at least according to the priority of the rule to be written.
11. A computer device, comprising:
one or more processors; and
a storage device on which one or more programs are stored;
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the ACL rule management method according to any one of claims 1 to 9.
12. A computer-readable medium on which a computer program is stored, wherein the program, when executed, implements the ACL rule management method according to any one of claims 1 to 9.
CN201911250942.4A 2019-12-09 2019-12-09 ACL rule management method, ACL rule management device, computer equipment and computer readable medium Active CN113037681B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201911250942.4A CN113037681B (en) 2019-12-09 2019-12-09 ACL rule management method, ACL rule management device, computer equipment and computer readable medium
PCT/CN2020/133118 WO2021115160A1 (en) 2019-12-09 2020-12-01 Acl rule management method and apparatus, computer device, and computer readable medium

Publications (2)

Publication Number Publication Date
CN113037681A true CN113037681A (en) 2021-06-25
CN113037681B CN113037681B (en) 2023-09-05

Family

ID=76329520

Country Status (2)

Country Link
CN (1) CN113037681B (en)
WO (1) WO2021115160A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114745177A (en) * 2022-04-11 2022-07-12 Inspur Cisco Networking Technology Co., Ltd. ACL rule processing method, device, equipment and medium

Families Citing this family (2)

Publication number Priority date Publication date Assignee Title
CN114978809B (en) * 2022-06-23 2024-01-12 Huizhou Huayang General Electronics Co., Ltd. Vehicle-mounted Ethernet VLAN node configuration method
CN117472554A (en) * 2022-07-20 2024-01-30 Huawei Technologies Co., Ltd. Rule searching method, device, equipment and computer readable storage medium

Citations (6)

Publication number Priority date Publication date Assignee Title
CN101039271A (en) * 2007-03-20 2007-09-19 Huawei Technologies Co., Ltd. Method and apparatus for taking effect rules of access control list
CN104618140A (en) * 2014-12-26 2015-05-13 Shanghai Feixun Data Communication Technology Co., Ltd. ACL (access control list) table insertion sequencing method
CN106034046A (en) * 2015-03-20 2016-10-19 ZTE Corporation Method and device for sending access control list (ACL)
CN106487769A (en) * 2015-09-01 2017-03-08 Shenzhen ZTE Microelectronics Technology Co., Ltd. Implementation method and device for an access control list (ACL)
US20180351822A1 (en) * 2017-05-31 2018-12-06 Cisco Technology, Inc. Intra-priority class ordering of rules corresponding to a model of network intents
US20190020487A1 (en) * 2017-07-11 2019-01-17 Oracle International Corporation Methods, systems, and computer readable media for efficient mapping of rule precedence values and filter priority values

Family Cites Families (2)

Publication number Priority date Publication date Assignee Title
US6961809B2 (en) * 2002-06-04 2005-11-01 Riverstone Networks, Inc. Managing a position-dependent data set that is stored in a content addressable memory array at a network node
CN102811227A (en) * 2012-08-30 2012-12-05 Chongqing University Administration mechanism for standard way access control list (ACL) rule under internet protocol security (IPsec) protocol

Patent Citations (7)

Publication number Priority date Publication date Assignee Title
CN101039271A (en) * 2007-03-20 2007-09-19 Huawei Technologies Co., Ltd. Method and apparatus for taking effect rules of access control list
CN104618140A (en) * 2014-12-26 2015-05-13 Shanghai Feixun Data Communication Technology Co., Ltd. ACL (access control list) table insertion sequencing method
CN106034046A (en) * 2015-03-20 2016-10-19 ZTE Corporation Method and device for sending access control list (ACL)
CN106487769A (en) * 2015-09-01 2017-03-08 Shenzhen ZTE Microelectronics Technology Co., Ltd. Implementation method and device for an access control list (ACL)
WO2017036291A1 (en) * 2015-09-01 2017-03-09 Shenzhen ZTE Microelectronics Technology Co., Ltd. Access control list implementation method, device and storage medium
US20180351822A1 (en) * 2017-05-31 2018-12-06 Cisco Technology, Inc. Intra-priority class ordering of rules corresponding to a model of network intents
US20190020487A1 (en) * 2017-07-11 2019-01-17 Oracle International Corporation Methods, systems, and computer readable media for efficient mapping of rule precedence values and filter priority values

Also Published As

Publication number Publication date
WO2021115160A1 (en) 2021-06-17
CN113037681B (en) 2023-09-05

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant