CN113037681B - ACL rule management method, ACL rule management device, computer equipment and computer readable medium - Google Patents


Info

Publication number: CN113037681B
Authority: CN (China)
Prior art keywords: rule, written, priority, access control, control list
Legal status (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis): Active
Application number: CN201911250942.4A
Other languages: Chinese (zh)
Other versions: CN113037681A (en)
Inventor: 林宁
Current assignee (the listed assignee may be inaccurate; Google has not performed a legal analysis): ZTE Corp
Original assignee: ZTE Corp
Priority date (the priority date is an assumption and is not a legal conclusion)
Filing date
Publication date
Application filed by ZTE Corp
Priority to CN201911250942.4A (CN113037681B)
Priority to PCT/CN2020/133118 (WO2021115160A1)
Publication of CN113037681A
Application granted
Publication of CN113037681B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/101 Access control lists [ACL]
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols

Abstract

The present disclosure provides an ACL rule management method, an ACL rule management device, a computer device, and a computer readable medium, wherein the ACL rule management method includes: determining the priority of a rule to be written, wherein the priority of the rule to be written is determined by the priority of a rule type of the rule to be written and the sequence number of the rule type in an access control list; and writing the rule to be written into the access control list at least according to the priority of the rule to be written. According to the determined priority of the rule to be written, when the rule to be written is written into the access control list, the phenomenon of moving can be reduced to the greatest extent, the CPU consumption of the network equipment is reduced, the black hole period is correspondingly reduced, the packet loss phenomenon caused by ACL moving is also reduced, and therefore the reliability and the stability of the network equipment are improved.

Description

ACL rule management method, ACL rule management device, computer equipment and computer readable medium
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to a method, an apparatus, a computer device, and a computer readable medium for ACL rule management.
Background
An access control list (Access Control List, ACL) is a list of instructions for router and switch interfaces to control packets to and from ports. Generally, ACL management follows the following basic management principles:
1. When the ACL priorities are the same, the rule issued first takes effect first.
2. When the priorities are different, the rule with the higher priority takes effect first.
3. When a packet is forwarded, the rules in the ACL are matched from top to bottom; the first rule that matches is applied, and the packet is forwarded according to that rule.
Therefore, if a rule with low priority is issued first and a rule with high priority is issued later, the rules already in the ACL have to be moved when the new rule is issued to hardware, so that the basic ACL management principles are still satisfied.
The ACL issuing processing process of the current common equipment is as follows:
1. A rule with a certain priority is issued.
2. The priority of this rule is compared with those of the existing rules; among rules of the same priority, the order in which they were issued is preserved.
3. Rules are moved according to the basic ACL management principles, so that top-to-bottom matching respects priority when packets are matched.
It can be seen that if the priority of a rule issued earlier is lower than the priority of a rule issued later, rules have to be moved. If a large number of rules are issued, in the extreme case issuing a single rule requires moving all existing rules. The movement causes additional consumption of the CPU (Central Processing Unit) of the device. In addition, during the move a short black hole period exists for rules that were already in effect: during that period, packets matched by the original, already effective ACL entries cannot be forwarded normally, so network stability is affected.
Disclosure of Invention
The present disclosure addresses the above-described deficiencies in the prior art by providing a method, apparatus, computer device and computer readable medium for ACL rule management.
In a first aspect, an embodiment of the present disclosure provides an ACL rule management method, including:
determining the priority of a rule to be written, wherein the priority of the rule to be written is determined by the priority of a rule type of the rule to be written and the sequence number of the rule type in an access control list;
and writing the rule to be written into the access control list at least according to the priority of the rule to be written.
Preferably, the priority of the rule to be written includes a first field and a second field, the value of the first field is the priority of the rule type of the rule to be written, the value of the second field is the sequence number of the rule type of the rule in the access control list, and the determining the priority of the rule to be written includes:
determining the total bit number of the priority of the rule to be written;
determining a value of a first field according to the rule type of the rule to be written and a mapping relation between the preset rule type and the priority of the rule type;
determining the bit number of the second field according to the total bit number and the preset bit number of the first field;
determining the value of the second field according to the bit number of the second field and the number of the rules of the rule type in the access control list;
and splicing the value of the first field and the value of the second field to generate the priority of the rule to be written.
Preferably, the determining the total bit number of the priority of the rule to be written includes:
and determining the total bit number of the priority of the rule to be written according to the maximum number of the rules which can be accommodated in the access control list.
Preferably, the higher the priority of the rule type, the smaller the value of the first field;
the determining the value of the second field according to the number of bits of the second field and the number of rules of the rule type in the access control list includes:
determining the number of rules of the rule type in the current access control list;
the number is taken as the value of a second field, and the value of the second field is represented by the number of bits of the second field.
Preferably, in the access control list, the value of the first field of a rule located earlier is smaller than the value of the first field of a rule located later; and, among rules with the same first field, the value of the second field of the rule located earlier is smaller than the value of the second field of the rule located later.
Preferably, the writing the rule to be written into the access control list at least according to the priority includes:
and taking the priority of the rule to be written as an index for writing the access control list, and writing the rule to be written into a position in the access control list corresponding to the index.
Preferably, the writing the rule to be written into the access control list at least according to the priority of the rule to be written includes:
and writing the rule to be written into the access control list according to the priority of the rule to be written and the priority of each rule written into the access control list.
Preferably, the writing the rule to be written into the access control list according to the priority of the rule to be written and the priority of each rule written into the access control list includes:
if the access control list is not empty, sequencing the priority of the rule to be written and the priority of each rule written in the access control list;
and writing the rule to be written into the access control list according to the sorting result.
Preferably, the writing the rule to be written into the access control list according to the priority of the rule to be written and the priority of each rule written into the access control list includes:
and if the access control list is empty, writing the rule to be written into the last position of the access control list.
In a second aspect, an embodiment of the present disclosure provides an ACL rule management apparatus, including a determining module and a writing module, where the determining module is configured to determine a priority of a rule to be written, where the priority of the rule to be written is determined by a priority of a rule type of the rule to be written and a sequence number of the rule type in an access control list;
the writing module is used for writing the rule to be written into the access control list at least according to the priority of the rule to be written.
In a third aspect, embodiments of the present disclosure further provide a computer device, comprising: one or more processors and a storage device; the storage device stores one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the ACL rule management method as provided in the first aspect.
In a fourth aspect, embodiments of the present disclosure also provide a computer readable medium having stored thereon a computer program which, when executed, implements the ACL rule management method as provided in the foregoing first aspect.
According to the ACL rule management method provided by the embodiment of the disclosure, the priority of the rule to be written is determined, and the rule to be written is written into the access control list at least according to the priority of the rule to be written, wherein the priority of the rule to be written is determined by the priority of the rule type of the rule to be written and the sequence number of the rule type in the access control list. The priority of the rule to be written considers the priority sequence among different rule types of ACL and the rule issuing sequence of the same rule type, so that the moving phenomenon can be reduced to the greatest extent when the rule to be written is written into the access control list according to the priority of the rule to be written, the CPU consumption of the network equipment is reduced, the black hole period is correspondingly reduced, and the packet loss phenomenon caused by ACL moving is also reduced, thereby improving the reliability and the stability of the network equipment.
Drawings
FIG. 1 is a flow chart of a method for ACL rule management according to an embodiment of the present disclosure;
FIG. 2 is a flow chart of a method for ACL rule management provided in yet another embodiment of the present disclosure;
FIG. 3 is a schematic diagram of writing rules to an access control list provided by yet another embodiment of the present disclosure;
FIG. 4 is another illustration of writing rules to an access control list provided by yet another embodiment of the present disclosure;
fig. 5 is a schematic structural diagram of an ACL rule management apparatus according to another embodiment of the present disclosure.
Detailed Description
Example embodiments will be described more fully hereinafter with reference to the accompanying drawings, but may be embodied in various forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
As used herein, the term "and/or" includes any and all combinations of one or more of the associated listed rules.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. As used herein, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
Embodiments described herein may be described with reference to plan and/or cross-sectional views with the aid of idealized schematic diagrams of the present disclosure. Accordingly, the example illustrations may be modified in accordance with manufacturing techniques and/or tolerances. Thus, the embodiments are not limited to the embodiments shown in the drawings, but include modifications of the configuration formed based on the manufacturing process. Thus, the regions illustrated in the figures have schematic properties and the shapes of the regions illustrated in the figures illustrate the particular shapes of the regions of the elements, but are not intended to be limiting.
Unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and the present disclosure, and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
The embodiment of the disclosure provides an ACL rule management method, as shown in fig. 1, which includes the following steps:
and step 11, determining the priority of the rule to be written.
In this step, the priority of the rule to be written is determined by the priority of the rule type of the rule to be written and the sequence number of the rule type in the access control list. I.e. the priority of the rule to be written consists of two parts, namely the priority of the rule type of the rule to be written and the sequence number of the rule of said rule type in the access control list.
It should be noted that different rule types correspond to different priorities. Rule types may be classified by binding type, which may include ports, SG (Signaling Gateway) and VLAN (Virtual Local Area Network), with different binding types corresponding to different priorities. Rule types may also be classified by ACL type, e.g. IPv4 (Internet Protocol version 4) and IPv6 (Internet Protocol version 6), with different ACL types corresponding to different priorities. Of course, the principle by which rule types are partitioned can also be customized by the user.
The larger the sequence number of the rule type in the access control list, the larger the issuing sequence (i.e. the later issuing) of the rule aiming at the rule of the same rule type, and the larger the value of the priority of the corresponding rule to be written. That is, the priority of the rule to be written considers both the priority order among different rule types of the ACL and the order in which the rules of the same rule type are issued.
And step 12, writing the rule to be written into the access control list at least according to the priority of the rule to be written.
In this step, the priority of the rule to be written determined in step 11 is used as a basis for writing the rule to be written into the access control list, that is, the writing position of the rule to be written in the access control list is determined according to the priority of the rule to be written.
According to the embodiment of the disclosure, the priority of the rule to be written is determined, and the rule to be written is written into the access control list at least according to the priority of the rule to be written, wherein the priority of the rule to be written is determined by the priority of the rule type of the rule to be written and the sequence number of the rule type of the rule in the access control list. The priority of the rule to be written considers the priority sequence among different rule types of ACL and the rule issuing sequence of the same rule type, so that the moving phenomenon can be reduced to the greatest extent when the rule to be written is written into the access control list according to the priority of the rule to be written, the CPU consumption of the network equipment is reduced, the black hole period is correspondingly reduced, and the packet loss phenomenon caused by ACL moving is also reduced, thereby improving the reliability and the stability of the network equipment.
In some embodiments, the priority of the rule to be written includes a first field and a second field, the value of the first field is the priority of the rule type of the rule to be written, and the value of the second field is the sequence number of the rule type in the access control list. The ACL rule management means defines the priority of the rule to be written to the access control list in segments. The priority comprises a first field and a second field, wherein the value of the first field is the priority of the rule type of the rule to be written, and the value of the second field is the serial number of the rule type in the access control list. The first field is a high field and the second field is a low field, i.e. the priority of the rule to be written comprises the value of the high field and the value of the low field.
As shown in fig. 2, the determining the priority of the rule to be written (i.e. step 11) includes the following steps:
step 111, determining the total number of bits of the priority of the rule to be written.
It should be noted that, in the embodiments of the present disclosure, the total number of bits of the priority of the rule to be written, the number of bits of the first field and the number of bits of the second field are all counted in hexadecimal digits.
Step 112, determining the value of the first field according to the rule type of the rule to be written and the mapping relationship between the preset rule type and the priority of the rule type.
In this step, a mapping relation is established in advance between rule types and priorities of the rule types. The higher the priority of the rule type, the smaller the value of the first field. For example, when the rule type is a binding type, because the basic validation order of the rule is port > VLAN > SG, then the priority order is also port > VLAN > SG, then the value of the first field of the rule of the port type < the value of the first field of the rule of the VLAN type < the value of the first field of the rule of the SG type. The mapping relation between the rule type and the priority of the rule type is as follows: the priority of the port is 0x1, the priority of the vlan is 0x2, and the priority of the sg is 0x3. And determining the value of the first field according to the mapping relation and the rule type of the rule to be written. For example, if the rule type of the rule to be written is a port, the value of the first field is 0x1 (representing 1 in hexadecimal).
Step 113, determining the bit number of the second field according to the total bit number and the preset bit number of the first field.
In this step, the number of bits of the first field is preset. Once the total number of bits is determined, all remaining digits form the second field, i.e. the low-order field, so the number of bits of the second field is obtained by subtracting the preset number of bits of the first field from the total number of bits. For example, if the total number of bits is 4 and the first field is 1 bit, the number of bits of the second field is 3.
Step 114, determining the value of the second field according to the number of bits of the second field and the number of rules of the rule type in the access control list.
In some embodiments, the number is taken as the value of the second field and the value of the second field is represented by the number of bits of the second field.
In this step, the number of rules of the given rule type already in the access control list is counted; that count is taken as the value of the second field and represented in the number of bits of the second field, so the value of the second field increases by 1 each time another rule of that type is added to the access control list. For example, when the second field is three bits wide and there are 0 rules of the port type in the access control list, the second field is 000; when there is 1 rule of the port type in the access control list, the second field is 001, which indicates that the rule to be written is the 2nd rule of the port type. And so on: each time a rule with the same first field is written, the value written later is necessarily larger than the value written earlier, so movement of rules is reduced.
In step 115, the values of the first field and the values of the second field are concatenated to generate a priority of the rule to be written.
In this step, the value of the first field is placed in the high order, the value of the second field is placed in the low order, and the priority of the rule to be written is generated by splicing. For example, if the value of the first field is 0x1 and the value of the second field is 000, the priority of the rule to be written is 0x1000.
In some embodiments, the determining the total number of bits of the priority of the rule to be written (i.e., step 111) includes: the total number of bits of the priority of the rule to be written is determined from the maximum number of rules that the access control list can accommodate. That is, the range of the total number of bits of the priority is determined by the maximum number of rules that the access control list can accommodate, and the larger that maximum number, the larger the total number of bits of the priority. For example, when the maximum number of rules the access control list can accommodate is 2^4, the total number of bits of the priority of the rule to be written is determined to be 4 bits; when the maximum number is 2^5, the total number of bits of the priority may be determined to be 5 bits.
It should be noted that, in some embodiments, in the access control list, the value of the first field of a rule located earlier is smaller than the value of the first field of a rule located later; and, among rules with the same first field, the value of the second field of the rule located earlier is smaller than the value of the second field of the rule located later. I.e. the earlier a rule's position in the access control list, the smaller its priority value and the higher its priority.
In the embodiment of the disclosure, two methods exist for writing the determined priority of the rule to be written into the access control list, one is to write the rule to be written into the absolute position of the access control list, and the other is to write the rule to be written into the relative position of the access control list. As discussed in detail below.
In some embodiments, the writing the rule to be written to the access control list (i.e. step S12) at least according to the priority comprises: and taking the priority of the rule to be written as an index of the access control list, and writing the rule to be written into a position in the access control list corresponding to the index.
In this step, the priority of the rule to be written is taken as an index into the access control list, and the index corresponds to a position in the access control list, i.e. an address in the access control list. For rules of the same rule type, the values of the second field of the priority increase in the order of issue, i.e. a rule issued later has a larger second field. Consequently, for rules of the same rule type, the priority value of each newly written rule is always larger than that of the previously written rule, i.e. a rule issued later is always placed after a rule issued earlier.
Taking fig. 3 as an example, the method of writing the rule to be written is described in detail. The access control list of the device can accommodate at most 32K rules, so the total number of bits of the priority of the rule to be written is 16 bits, which is 4 hexadecimal digits. The 1-digit high-order field is used as the first field of the priority. When the rule types are the bound port, SG and VLAN, the priority relationship is port > VLAN > SG, so in the 1-digit high-order field the priority of the port is set to 0x1, the VLAN to 0x2 and the SG to 0x3. This arrangement ensures that port type rules necessarily precede VLAN type rules in the access control list, and that VLAN type rules necessarily precede SG type rules. The remaining 3 digits form the second field of the priority.
The port type rule A is issued first. The priority of the port type is 0x1, so the first field is 0x1; there are 0 rules of the port type in the access control list, and since the value of the second field equals the number of rules of the same type already in the list, the second field is 000. The priority of rule A is therefore 0x1000; 0x1000 is used as the index, and rule A is written into the position of the access control list corresponding to index 0x1000.
The port type rule B is issued second. Its first field is again 0x1; when it is issued there is 1 rule of the port type in the access control list, so the second field is 001 and the priority of rule B is 0x1001. Rule B is written into the position of the access control list corresponding to index 0x1001, directly below rule A.
The VLAN type rule C is issued next. The priority of the VLAN type is 0x2, so the first field is 0x2; when it is issued there are 0 rules of the VLAN type in the access control list, so the second field is 000 and the priority of rule C is 0x2000. Rule C is written into the position of the access control list corresponding to index 0x2000.
In the same way, port type rules always precede VLAN type rules, VLAN type rules always precede SG type rules, and within one rule type a rule issued later is always placed after the rule issued earlier.
This method of writing rules does not cause any rule movement in the initial stage of filling the access control list, so packet loss caused by rule movement is avoided, the CPU consumption of the network equipment is reduced, and the stability of the network is improved.
In some embodiments, to prevent voids from occurring in the access control list after a rule is deleted, and to avoid limiting the number of rule writes for each rule type by the access control list, the rules to be written may be written to the relative locations of the access control list. Namely, the writing of the rule to be written into the access control list (step S12) at least according to the priority of the rule to be written, comprising: and writing the rule to be written into the access control list according to the priority of the rule to be written and the priority of each rule written into the access control list.
In some embodiments, the writing the rule to be written into the access control list according to the priority of the rule to be written and the priority of each rule written into the access control list includes: and if the access control list is not empty, sequencing the priority of the rule to be written and the priority of each rule written in the access control list, and writing the rule to be written into the access control list according to the sequencing result. And if the access control list is empty, writing the rule to be written into the last position of the access control list.
In some embodiments, if the access control list is empty, that is, if the rule to be written is the first rule in the access control list, the rule to be written is written to the last position of the access control list. All rules are written in starting from the last position of the access control list. And if the access control list is not empty, when the rule to be written is written into the access control list each time, sequencing the priority of the rule to be written and the priority of each rule written into the access control list, and writing the rule to be written into the access control list according to the sequencing result. Rules with low priority are arranged at the later position in the access control list each time, i.e. rules with high priority values are arranged at the later position.
Taking fig. 4 as an example, the method of writing the rule to be written is described in detail. The access control list of the device can hold at most 32K rules, so a 16-bit value is used as the priority of the rule to be written, which is represented as four hexadecimal digits. The most significant hexadecimal digit is used as the first field of the priority. When the rule types are port, VLAN and SG and the priority relationship is port > VLAN > SG, the first field is set to 0x1 for port, 0x2 for VLAN and 0x3 for SG. This arrangement guarantees that port type rules always precede VLAN type rules in the access control list, and that VLAN type rules always precede SG type rules. The remaining three hexadecimal digits are used as the second field of the priority.
A VLAN type rule A is issued first. Its rule type priority is 0x2, so the first field is 0x2. There are 0 VLAN rules in the access control list, and the value of the second field equals the number of rules of the same type already in the list, so the second field is 000. The generated priority is 0x2000, and rule A is written to the last position of the access control list. A VLAN type rule B is issued second. Its first field is again 0x2; at this moment there is 1 VLAN rule in the access control list, so the second field is 001 and the priority of rule B is 0x2001, which is larger than the priority 0x2000 of rule A. Rule B is therefore pushed in from the last position of the access control list in the manner of a stack push, and rule A moves up by one position. A port type rule C is then issued for the first time. Its rule type priority is 0x1, so the first field is 0x1; there are 0 port rules in the access control list, so the second field is 000 and the priority of rule C is 0x1000, which is smaller than the priority 0x2000 of rule A. Rule C is therefore written to the position immediately before rule A.
Similarly, each subsequent rule to be written is compared with the priorities of all rules already in the access control list and inserted so that priority values ascend from the first position to the last. After all rules are written, the whole access control list is ordered from the highest rule priority (smallest value) to the lowest (largest value).
This writing method fills the table by pushing rules in from the bottom upwards, so a rule can be written to a dynamically determined position while most existing rules stay where they are. That shortens the black hole period and reduces packet loss caused by moving ACL (access control list) entries, which in turn lowers the CPU (central processing unit) consumption of the network device and improves network stability. Moreover, the number of rules that can be written for a given rule type is not limited, and no voids are left in the access control list when a rule is deleted.
According to the ACL rule management method provided by the embodiments of the disclosure, the priority of the rule to be written is determined, and the rule to be written is written into the access control list at least according to that priority. The priority comprises a first field and a second field: the value of the first field is the priority of the rule type of the rule to be written, and the value of the second field is the sequence number of the rule within that rule type in the access control list. The priority therefore reflects both the priority order among the different ACL rule types and the issuing order of rules of the same type. With either of the two writing methods, rules are moved as little as possible when a rule is written into the access control list, which reduces the CPU consumption of the network device, shortens the corresponding black hole period and reduces packet loss caused by ACL entry movement, thereby improving the reliability and stability of the network device.
Based on the same technical concept, the embodiment of the present disclosure further provides an ACL rule management apparatus, as shown in fig. 5, where the ACL rule management apparatus includes a determining module 1 and a writing module 2, where the determining module 1 is configured to determine a priority of a rule to be written, where the priority of the rule to be written is determined by a priority of a rule type of the rule to be written and a sequence number of a rule of the rule type in an access control list.
The writing module 2 is configured to write the rule to be written into the access control list at least according to the priority of the rule to be written.
In some embodiments, the priority of the rule to be written includes a first field and a second field, where a value of the first field is a priority of a rule type of the rule to be written, and a value of the second field is a sequence number of the rule type in the access control list, and the determining module 1 is configured to:
the total number of bits of the priority of the rule to be written is determined.
And determining the value of the first field according to the rule type of the rule to be written and the mapping relation between the preset rule type and the priority of the rule type.
And determining the bit number of the second field according to the total bit number and the preset bit number of the first field.
And determining the value of the second field according to the bit number of the second field and the number of the rules of the rule type in the access control list.
And splicing the value of the first field and the value of the second field to generate the priority of the rule to be written.
In some embodiments, the determining module 1 is configured to:
and determining the total bit number of the priority of the rule to be written according to the maximum number of the rules which can be accommodated in the access control list.
In some embodiments, the higher the priority of the rule type, the smaller the value of the first field.
in some embodiments, the determining module 1 is configured to:
the number of rules of the rule type in the current access control list is determined.
The number is taken as the value of a second field, and the value of the second field is represented by the number of bits of the second field.
In some embodiments, in the access control list, the value of the first field of a rule at an earlier position is smaller than the value of the first field of a rule at a later position; and for rules with the same value of the first field, the value of the second field of the earlier rule is smaller than the value of the second field of the later rule.
In some embodiments, the writing module 2 is configured to:
taking the priority of the rule to be written as an index into the access control list, and writing the rule to be written at the position in the access control list corresponding to that index.
In some embodiments, the writing module 2 is configured to:
and writing the rule to be written into the access control list according to the priority of the rule to be written and the priority of each rule written into the access control list.
In some embodiments, the writing module 2 is configured to:
if the access control list is not empty, sort the priority of the rule to be written together with the priorities of the rules already written into the access control list;
and write the rule to be written into the access control list according to the sorting result.
In some embodiments, the writing module 2 is configured to:
and if the access control list is empty, writing the rule to be written into the last position of the access control list.
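The priority construction performed by the determining module above (total bit width from the ACL capacity, first field from the rule type, second field from the count of same-type rules, then splicing) and the two writing modes of the writing module, worked through on the fig. 4 rules A, B and C, as an added Python example. This is not code from the patent or from ZTE; the names make_priority, RelativeAcl and IndexAcl are assumptions made for illustration, the 4-bit first field and the port/VLAN/SG mapping follow the fig. 4 walkthrough, and the sample rules are constructed for the example.

```python
"""Priority construction and the two ACL write modes described on this page.

Added example, not code from the patent or from ZTE. Class and function
names (make_priority, RelativeAcl, IndexAcl) are assumptions for illustration;
the field widths and the type mapping follow the fig. 4 walkthrough.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Rule-type priority of the fig. 4 example: port > VLAN > SG, and a higher
# priority gets a smaller first-field value.
TYPE_PRIORITY: Dict[str, int] = {"port": 0x1, "vlan": 0x2, "sg": 0x3}
FIRST_FIELD_BITS = 4  # one hex digit, as in the fig. 4 example (assumption)


@dataclass(frozen=True)
class Rule:
    name: str
    rule_type: str
    priority: int  # first field || second field


def total_priority_bits(capacity: int) -> int:
    """Total bit width derived from the ACL capacity, rounded up to whole
    hex digits (32K entries -> 16 bits, as in the text)."""
    bits = max(1, (capacity - 1).bit_length())
    return (bits + 3) // 4 * 4


def make_priority(rule_type: str, same_type_count: int, capacity: int) -> int:
    """Splice the first field (type priority) and the second field (number of
    rules of that type already in the ACL) into one priority value."""
    second_bits = total_priority_bits(capacity) - FIRST_FIELD_BITS
    if same_type_count >= 1 << second_bits:
        raise ValueError(f"second field overflow: {same_type_count} does not fit in {second_bits} bits")
    return (TYPE_PRIORITY[rule_type] << second_bits) | same_type_count


class RelativeAcl:
    """Relative-position writing: rules are kept sorted by priority value and
    packed against the last position, so the table fills from the bottom up."""

    def __init__(self, capacity: int) -> None:
        self.capacity = capacity
        self.slots: List[Optional[Rule]] = [None] * capacity  # index 0 = first position

    def rules(self) -> List[Rule]:
        return [r for r in self.slots if r is not None]

    def position(self, name: str) -> int:
        return next(i for i, r in enumerate(self.slots) if r is not None and r.name == name)

    def order(self) -> List[str]:
        return [r.name for r in self.rules()]

    def _repack(self, ordered: List[Rule]) -> int:
        """Place `ordered` against the bottom; return how many existing rules moved."""
        before = {r.name: i for i, r in enumerate(self.slots) if r is not None}
        self.slots = [None] * (self.capacity - len(ordered)) + list(ordered)
        return sum(1 for i, r in enumerate(self.slots)
                   if r is not None and r.name in before and before[r.name] != i)

    def write(self, name: str, rule_type: str) -> Tuple[Rule, int]:
        count = sum(1 for r in self.rules() if r.rule_type == rule_type)
        rule = Rule(name, rule_type, make_priority(rule_type, count, self.capacity))
        existing = self.rules()
        if not existing:
            self.slots[-1] = rule  # empty ACL: write to the last position
            return rule, 0
        ordered = sorted(existing + [rule], key=lambda r: r.priority)
        return rule, self._repack(ordered)

    def delete(self, name: str) -> int:
        ordered = [r for r in self.rules() if r.name != name]
        return self._repack(ordered)  # remaining rules are repacked, no void is left


class IndexAcl:
    """Index writing: the priority value itself is the slot index."""

    def __init__(self, capacity: int) -> None:
        self.capacity = capacity
        self.slots: List[Optional[Rule]] = [None] * capacity

    def write(self, name: str, rule_type: str) -> Rule:
        count = sum(1 for r in self.slots if r is not None and r.rule_type == rule_type)
        rule = Rule(name, rule_type, make_priority(rule_type, count, self.capacity))
        self.slots[rule.priority] = rule  # the priority is the index
        return rule

    def position(self, name: str) -> int:
        return next(i for i, r in enumerate(self.slots) if r is not None and r.name == name)


if __name__ == "__main__":
    acl = RelativeAcl(32 * 1024)
    for rule_name, rule_type in (("A", "vlan"), ("B", "vlan"), ("C", "port")):
        written, moved = acl.write(rule_name, rule_type)
        print(f"{rule_name}: priority {written.priority:#06x}, slot {acl.position(rule_name)}, moved {moved}")
    print("order:", acl.order())
```

Running the relative-position writer on A, B and C gives priorities 0x2000, 0x2001 and 0x1000 and the final order C, A, B packed into the last three slots; A moves once (when B is pushed in) and nothing moves when C is written above it. Deleting a rule repacks the remaining rules so that no void is left, whereas in index mode the rule's slot simply becomes empty. The page defines the second field as the current count of same-type rules; the example follows that definition and does not address what happens to the count after a deletion, which the page does not discuss.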
The disclosed embodiments also provide a computer device comprising: one or more processors; a storage device, wherein one or more programs are stored thereon; the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the ACL rule management method as provided by the foregoing embodiments.
The embodiments of the present disclosure also provide a computer-readable medium having stored thereon a computer program, wherein the program when executed implements the ACL rule management method as provided by the foregoing embodiments.
Those of ordinary skill in the art will appreciate that all or some of the steps of the methods and the functional modules/units in the apparatus disclosed above may be implemented as software, firmware, hardware, or suitable combinations thereof. In a hardware implementation, the division between the functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed cooperatively by several physical components. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor, or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes both volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as known to those skilled in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer.
Furthermore, as is well known to those of ordinary skill in the art, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media.
Example embodiments have been disclosed herein, and although specific terms are employed, they are used and should be interpreted in a generic and descriptive sense only and not for purpose of limitation. In some examples, it will be apparent to one skilled in the art that features, characteristics, and/or elements described in connection with a particular embodiment may be used alone or in combination with other embodiments unless explicitly stated otherwise. It will therefore be understood by those of ordinary skill in the art that various changes in form and details may be made therein without departing from the scope of the present invention as set forth in the following claims.

Claims (12)

1. An ACL rule management method, comprising:
determining the priority of a rule to be written, wherein the priority of the rule to be written is determined by the priority of the rule type of the rule to be written and the sequence number of the rule within that rule type in an access control list; when a plurality of rules to be written have the same rule type, the priorities of the plurality of rules to be written are determined by their sequence numbers in the access control list, and the larger the sequence number of a rule to be written of that rule type in the access control list, the later the corresponding rule was issued;
and writing the rule to be written into the access control list at least according to the priority of the rule to be written.
2. The method of claim 1, wherein the priority of the rule to be written comprises a first field whose value is the priority of the rule type of the rule to be written and a second field whose value is the sequence number of the rule type in an access control list, the determining the priority of the rule to be written comprising:
determining the total bit number of the priority of the rule to be written;
determining a value of a first field according to the rule type of the rule to be written and a mapping relation between the preset rule type and the priority of the rule type;
determining the bit number of the second field according to the total bit number and the preset bit number of the first field;
determining the value of the second field according to the bit number of the second field and the number of the rules of the rule type in the access control list;
and splicing the value of the first field and the value of the second field to generate the priority of the rule to be written.
3. The method of claim 2, wherein the determining the total number of bits of the priority of the rule to be written comprises:
the total number of bits of priority of the rule to be written is determined from the maximum number of rules that the access control list can accommodate.
4. The method of claim 2, wherein the higher the priority of a rule type, the smaller the value of the first field;
the determining the value of the second field according to the number of bits of the second field and the number of rules of the rule type in the access control list includes:
determining the number of rules of the rule type in the current access control list;
the number is taken as the value of a second field, and the value of the second field is represented by the number of bits of the second field.
5. The method of claim 4, wherein in the access control list, a value of a first field of a rule preceding the position is smaller than a value of a first field of a rule following the position; for rules with the same value for the first field, the value of the second field of the rule that is located before is smaller than the value of the second field of the rule that is located after.
6. The method according to any one of claims 1-5, wherein said writing the rule to be written to the access control list at least according to the priority comprises:
and taking the priority of the rule to be written as an index for writing the access control list, and writing the rule to be written into a position in the access control list corresponding to the index.
7. The method according to any one of claims 1-5, wherein said writing said rule to be written to said access control list based at least on a priority of said rule to be written, comprises:
and writing the rule to be written into the access control list according to the priority of the rule to be written and the priority of each rule written into the access control list.
8. The method of claim 7, wherein the writing the rule to be written to the access control list according to the priority of the rule to be written and the priority of each rule that has been written to the access control list comprises:
if the access control list is not empty, sequencing the priority of the rule to be written and the priority of each rule written in the access control list;
and writing the rule to be written into the access control list according to the sorting result.
9. The method of claim 7, wherein the writing the rule to be written to the access control list according to the priority of the rule to be written and the priority of each rule that has been written to the access control list comprises:
and if the access control list is empty, writing the rule to be written into the last position of the access control list.
10. An ACL rule management device comprising a determination module and a writing module, wherein the determination module is configured to determine the priority of a rule to be written, and the priority of the rule to be written is determined by the priority of the rule type of the rule to be written and the sequence number of the rule within that rule type in an access control list; when a plurality of rules to be written have the same rule type, the priorities of the plurality of rules to be written are determined by their sequence numbers in the access control list, and the larger the sequence number of a rule to be written of that rule type in the access control list, the later the corresponding rule was issued;
the writing module is used for writing the rule to be written into the access control list at least according to the priority of the rule to be written.
11. A computer device, comprising:
one or more processors;
a storage device, wherein one or more programs are stored thereon;
wherein, when the one or more programs are executed by the one or more processors, the one or more processors are caused to implement the ACL rule management method according to any one of claims 1-9.
12. A computer readable medium having stored thereon a computer program, wherein the program when executed implements the ACL rule management method as claimed in any one of claims 1 to 9.

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201911250942.4A CN113037681B (en) 2019-12-09 2019-12-09 ACL rule management method, ACL rule management device, computer equipment and computer readable medium
PCT/CN2020/133118 WO2021115160A1 (en) 2019-12-09 2020-12-01 Acl rule management method and apparatus, computer device, and computer readable medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911250942.4A CN113037681B (en) 2019-12-09 2019-12-09 ACL rule management method, ACL rule management device, computer equipment and computer readable medium

Publications (2)

Publication Number Publication Date
CN113037681A CN113037681A (en) 2021-06-25
CN113037681B true CN113037681B (en) 2023-09-05

Family

ID=76329520

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911250942.4A Active CN113037681B (en) 2019-12-09 2019-12-09 ACL rule management method, ACL rule management device, computer equipment and computer readable medium

Country Status (2)

Country Link
CN (1) CN113037681B (en)
WO (1) WO2021115160A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114745177A (en) * 2022-04-11 2022-07-12 Inspur Cisco Networking Technology Co., Ltd. (浪潮思科网络科技有限公司) ACL rule processing method, device, equipment and medium
CN114978809B (en) * 2022-06-23 2024-01-12 Huizhou Foryou General Electronics Co., Ltd. (惠州华阳通用电子有限公司) Vehicle-mounted Ethernet VLAN node configuration method
CN117472554A (en) * 2022-07-20 2024-01-30 Huawei Technologies Co., Ltd. (华为技术有限公司) Rule searching method, device, equipment and computer readable storage medium

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6961809B2 (en) * 2002-06-04 2005-11-01 Riverstone Networks, Inc. Managing a position-dependent data set that is stored in a content addressable memory array at a network node
CN102811227A (en) * 2012-08-30 2012-12-05 Chongqing University (重庆大学) Administration mechanism for standard way access control list (ACL) rule under internet protocol security (IPsec) protocol
US10623271B2 (en) * 2017-05-31 2020-04-14 Cisco Technology, Inc. Intra-priority class ordering of rules corresponding to a model of network intents
US10187217B1 (en) * 2017-07-11 2019-01-22 Oracle International Corporation Methods, systems, and computer readable media for efficient mapping of rule precedence values and filter priority values

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101039271A (en) * 2007-03-20 2007-09-19 Huawei Technologies Co., Ltd. (华为技术有限公司) Method and apparatus for taking effect rules of access control list
CN104618140A (en) * 2014-12-26 2015-05-13 Shanghai Phicomm Data Communication Technology Co., Ltd. (上海斐讯数据通信技术有限公司) ACL (access control list) table insertion sequencing method
CN106034046A (en) * 2015-03-20 2016-10-19 ZTE Corporation (中兴通讯股份有限公司) Method and device for sending access control list (ACL)
CN106487769A (en) * 2015-09-01 2017-03-08 Shenzhen ZTE Microelectronics Technology Co., Ltd. (深圳市中兴微电子技术有限公司) Implementation method of access control list ACL and device
WO2017036291A1 (en) * 2015-09-01 2017-03-09 Shenzhen ZTE Microelectronics Technology Co., Ltd. (深圳市中兴微电子技术有限公司) Access control list implementation method, device and storage medium

Also Published As

Publication number Publication date
CN113037681A (en) 2021-06-25
WO2021115160A1 (en) 2021-06-17

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant