CN113965401A - Message forwarding method and device and electronic equipment

Info

Publication number: CN113965401A
Application number: CN202111284064.5A
Authority: CN (China)
Legal status: Granted (active)
Other languages: Chinese (zh)
Other versions: CN113965401B
Inventors: 高唱, 赵海峰
Assignee: New H3C Technologies Co Ltd Hefei Branch
Prior art keywords: area, identification, acl, address, host

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/101: Access control lists [ACL]

Abstract

An embodiment of the invention provides a packet forwarding method, a packet forwarding apparatus and an electronic device. The method comprises: when the number of hosts in a first zone exceeds a preset threshold, deleting from the access control list (ACL) the first ACL entries set for each host in the first zone; determining, for each host of the first zone, a zone identifier corresponding to the host's IP address; issuing second ACL entries according to the zone identifiers corresponding to the IP addresses of the hosts in the first zone; determining the first ACL entry hit by a packet to be forwarded according to the packet's first source IP address and first destination IP address; if the packet hits no first ACL entry in the ACL, determining a first source zone identifier corresponding to the first source IP address and a first destination zone identifier corresponding to the first destination IP address; determining the second ACL entry hit by the packet according to the first source zone identifier and the first destination zone identifier; and processing the packet according to the forwarding policy in the second ACL entry it hits. ACL entry resources are thereby saved.

Description

Message forwarding method and device and electronic equipment
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method and an apparatus for forwarding a packet, and an electronic device.
Background
In some application scenarios, such as an INOF (Intelligent Lossless NVMe over Fabric) network, a plurality of hosts that have communication connections must be divided into a plurality of zones, such that hosts belonging to the same zone can exchange data while hosts belonging to different zones cannot.
Because hosts belonging to different zones are still connected at the network level, a host may send a packet to a host that is not in its zone. To ensure that hosts in different zones cannot exchange data, a switching device in the network must determine, when forwarding a packet, whether the host that sent the packet and the host it is addressed to belong to the same zone.
In the related art, the following ACL entries may be set for each zone in an access control list (ACL): a1→a2 permit; a1→a3 permit; …; a1→an permit; a1→any deny; any→a1 deny; a2→a1 permit; …; any→an deny. Here a1 denotes the IP address of the first host in the zone, a2 the IP address of the second host, n the number of hosts in the zone, permit means forwarding is allowed, and deny means forwarding is denied.
In this scheme, however, n × (n + 1) ACL entries (n × (n − 1) permit entries plus 2n deny entries) must be set for each zone, while the ACL entry resources of a switching device are limited. When a zone contains too many hosts, a large number of ACL entries must be set for it, which exhausts the ACL entry resources of the switching device.
Disclosure of Invention
The embodiment of the invention aims to provide a message forwarding method, a message forwarding device and electronic equipment, so as to save ACL table item resources. The specific technical scheme is as follows:
in a first aspect of the embodiments of the present invention, a method for forwarding a packet is provided, where the method includes:
when the number of hosts in a first area is more than a preset threshold value, deleting a first ACL table entry set for each host in the first area in an Access Control List (ACL), wherein the first ACL table entry is used for recording a first mapping relation of a source IP address, a destination IP address and a forwarding strategy, and the first area is an arbitrary area;
for each host of the first area, determining an area identifier corresponding to an IP address of the host, where the area identifier is used to represent all areas to which the host belongs;
issuing a second ACL table item to the ACL according to an area identifier corresponding to the IP address of each host of the first area, wherein the second ACL table item is used for recording a second mapping relation of a source area identifier, a destination area identifier and a forwarding strategy, and the forwarding strategy corresponding to the same source area identifier and destination area identifier in the second mapping relation is allowed to be forwarded;
determining a first ACL table item hit by a message to be forwarded according to a first source IP address and a first destination IP address of the message to be forwarded;
if the message to be forwarded does not hit any first ACL table entry in the ACLs, determining a first source area identifier corresponding to the first source IP address and a first destination area identifier corresponding to the first destination IP address;
determining a second ACL table item hit by the message to be forwarded according to the first source area identification and the first destination area identification;
and processing the message to be forwarded according to the forwarding strategy in the second ACL table item hit by the message to be forwarded.
In a possible embodiment, determining the area identifier corresponding to the IP address of the host comprises:
determining, as a target bit, the bit corresponding to each area to which the host belongs, where different areas correspond to different bits;
setting each target bit in a binary array of a preset length, and taking the resulting binary array as the area identifier corresponding to the IP address of the host;
and the source area identifier and the destination area identifier being the same comprises:
the set bits of the source area identifier and the set bits of the destination area identifier having a non-empty intersection.
In another possible embodiment, determining the area identifier corresponding to the IP address of the host comprises:
if the first area does not intersect any other area, determining, as a target value, the value corresponding to the first area, where different areas correspond to different values;
adjusting the independent identification bits of a binary array of a preset length so that the value they represent equals the target value, and taking the adjusted binary array as the area identifier corresponding to the IP address of the host;
if the first area intersects another area, determining, as a target bit, the bit corresponding to each area to which the host belongs, where different areas correspond to different bits;
setting each target bit within the interaction identification bits of the binary array of the preset length, and taking the resulting binary array as the area identifier corresponding to the IP address of the host, where the interaction identification bits and the independent identification bits do not overlap;
and the source area identifier and the destination area identifier being the same comprises:
the value represented by the independent identification bits of the source area identifier being equal to the value represented by the independent identification bits of the destination area identifier and not being the default value; or,
the set interaction identification bits of the source area identifier and the set interaction identification bits of the destination area identifier having a non-empty intersection.
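As an added illustration of the two zone-identifier encodings described above (this is example code written for this page, not code from the patent or from H3C), the following Python builds both kinds of identifier from a constructed zone set and implements the matching "same" checks. The 32-bit identifier width, the 16-bit independent field in the low bits, and the value 0 as the default are assumptions; the patent only requires a preset length and a default value. The zone set and the IP addresses are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set

ID_WIDTH = 32        # preset length of the binary array (assumption: 32 bits)
INDEP_WIDTH = 16     # scheme 2: low 16 bits are the independent identification bits (assumption)
INDEP_MASK = (1 << INDEP_WIDTH) - 1
DEFAULT_INDEP = 0    # default value of the independent field: host is in no isolated zone

Zones = Dict[str, FrozenSet[str]]   # zone name -> member host IPs

# Constructed zone set (not from the patent): A and C overlap on 10.0.0.2, B is isolated.
SAMPLE_ZONES: Zones = {
    "A": frozenset({"10.0.0.1", "10.0.0.2"}),
    "B": frozenset({"10.0.1.1", "10.0.1.2"}),
    "C": frozenset({"10.0.2.1", "10.0.0.2"}),
}


def zones_of(zones: Zones, ip: str) -> Set[str]:
    """All zones to which a host belongs."""
    return {z for z, members in zones.items() if ip in members}


def overlapping_zones(zones: Zones) -> Set[str]:
    """Zones that share at least one host with some other zone."""
    names = sorted(zones)
    return {a for a in names for b in names if a != b and zones[a] & zones[b]}


# --- scheme 1: one bit per zone; identifier = OR of the bits of the host's zones -----------
def bit_layout(zones: Zones) -> Dict[str, int]:
    if len(zones) > ID_WIDTH:
        raise ValueError("scheme 1 supports at most ID_WIDTH zones")
    return {z: i for i, z in enumerate(sorted(zones))}


def zone_id_bitmap(zones: Zones, bit_of: Dict[str, int], ip: str) -> int:
    zid = 0
    for z in zones_of(zones, ip):
        zid |= 1 << bit_of[z]          # set the target bit of every zone the host is in
    return zid


def same_bitmap(src_zid: int, dst_zid: int) -> bool:
    """'Same' means the set bits intersect, i.e. the two hosts share at least one zone."""
    return (src_zid & dst_zid) != 0


# --- scheme 2: independent field for isolated zones + one interaction bit per overlapping zone
@dataclass(frozen=True)
class SplitLayout:
    indep_value: Dict[str, int]   # isolated zone -> non-default value of the independent field
    inter_bit: Dict[str, int]     # overlapping zone -> bit index above the independent field


def split_layout(zones: Zones) -> SplitLayout:
    overlapping = overlapping_zones(zones)
    isolated = [z for z in sorted(zones) if z not in overlapping]
    indep_value = {z: i + 1 for i, z in enumerate(isolated)}   # values start at 1; 0 is default
    inter_bit = {z: i for i, z in enumerate(sorted(overlapping))}
    if len(isolated) > INDEP_MASK or len(inter_bit) > ID_WIDTH - INDEP_WIDTH:
        raise ValueError("identifier too narrow for this zone set")
    return SplitLayout(indep_value, inter_bit)


def zone_id_split(zones: Zones, layout: SplitLayout, ip: str) -> int:
    zid = DEFAULT_INDEP
    for z in zones_of(zones, ip):
        if z in layout.indep_value:
            # a host of an isolated zone belongs to that zone only, so the field is written once
            zid |= layout.indep_value[z]
        else:
            zid |= 1 << (INDEP_WIDTH + layout.inter_bit[z])
    return zid


def same_split(src_zid: int, dst_zid: int) -> bool:
    """Same non-default isolated zone, or intersecting interaction bits."""
    s_ind, d_ind = src_zid & INDEP_MASK, dst_zid & INDEP_MASK
    if s_ind == d_ind and s_ind != DEFAULT_INDEP:
        return True
    return ((src_zid >> INDEP_WIDTH) & (dst_zid >> INDEP_WIDTH)) != 0
```

With these widths, scheme 1 can distinguish at most 32 zones, whereas scheme 2 leaves 65535 non-default values for isolated zones plus 16 interaction bits for overlapping ones; the only requirement is that a host of an isolated zone belongs to that zone alone, which the definition of "isolated" already guarantees. The default value must never be treated as "same", otherwise two hosts that belong to no isolated zone would be allowed to talk to each other.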
In a possible embodiment, issuing a second ACL entry to the ACL according to the area identifier corresponding to the IP address of each host in the first area comprises:
issuing the following second ACL entries to the ACL:
a third ACL entry, which indicates that if the source area identifier is the same as the destination area identifier, the forwarding policy is permit;
a fourth ACL entry, whose forwarding policy is deny, hit when the source area identifier is the area identifier corresponding to the IP address of any host in the first area and the destination area identifier is any area identifier;
a fifth ACL entry, whose forwarding policy is deny, hit when the source area identifier is any area identifier and the destination area identifier is the area identifier corresponding to the IP address of any host in the first area;
where the third ACL entry has a higher priority than both the fourth ACL entry and the fifth ACL entry.
In a second aspect of the embodiments of the present invention, a packet forwarding apparatus is provided, where the apparatus includes:
an entry deleting module, configured to delete, when the number of hosts in a first area exceeds a preset threshold, the first ACL entries set for each host in the first area from an access control list (ACL), where a first ACL entry records a first mapping relationship among a source IP address, a destination IP address and a forwarding policy, and the first area is an arbitrary area;
an identifier management module, configured to determine, for each host in the first area, an area identifier corresponding to an IP address of the host, where the area identifier is used to indicate all areas to which the host belongs;
the table entry issuing module is configured to issue a second ACL table entry to the ACL according to the area identifier corresponding to the IP address of each host in the first area, where the second ACL table entry is used to record a second mapping relationship between the source area identifier, the destination area identifier, and the forwarding policy, where the forwarding policy corresponding to the same source area identifier and destination area identifier in the second mapping relationship is allowed to be forwarded;
the first table item matching module is used for determining a first ACL table item hit by the message to be forwarded according to a first source IP address and a first destination IP address of the message to be forwarded;
an identifier determining module, configured to determine, if the to-be-forwarded packet misses any one first ACL entry in the ACLs, a first source area identifier corresponding to the first source IP address and a first destination area identifier corresponding to the first destination IP address;
a second table matching module, configured to determine, according to the first source area identifier and the first destination area identifier, a second ACL table hit by the packet to be forwarded;
and the forwarding module is used for processing the message to be forwarded according to the forwarding strategy in the second ACL table item hit by the message to be forwarded.
In a possible embodiment, the identifier management module is specifically configured to determine, as a target bit, the bit corresponding to each area to which the host belongs, where different areas correspond to different bits;
and to set each target bit in a binary array of a preset length and take the resulting binary array as the area identifier corresponding to the IP address of the host;
where the source area identifier and the destination area identifier being the same comprises:
the set bits of the source area identifier and the set bits of the destination area identifier having a non-empty intersection.
In another possible embodiment, the identifier management module is specifically configured to determine, if the first area does not intersect any other area, the value corresponding to the first area as a target value, where different areas correspond to different values;
to adjust the independent identification bits of a binary array of a preset length so that the value they represent equals the target value, and take the adjusted binary array as the area identifier corresponding to the IP address of the host;
if the first area intersects another area, to determine, as a target bit, the bit corresponding to each area to which the host belongs, where different areas correspond to different bits;
and to set each target bit within the interaction identification bits of the binary array of the preset length and take the resulting binary array as the area identifier corresponding to the IP address of the host, where the interaction identification bits and the independent identification bits do not overlap;
where the source area identifier and the destination area identifier being the same comprises:
the value represented by the independent identification bits of the source area identifier being equal to the value represented by the independent identification bits of the destination area identifier and not being the default value; or,
the set interaction identification bits of the source area identifier and the set interaction identification bits of the destination area identifier having a non-empty intersection.
In a possible embodiment, the entry issuing module is specifically configured to issue the following second ACL entries to the ACL:
a third ACL entry, which indicates that if the source area identifier is the same as the destination area identifier, the forwarding policy is permit;
a fourth ACL entry, whose forwarding policy is deny, hit when the source area identifier is the area identifier corresponding to the IP address of any host in the first area and the destination area identifier is any area identifier;
a fifth ACL entry, whose forwarding policy is deny, hit when the source area identifier is any area identifier and the destination area identifier is the area identifier corresponding to the IP address of any host in the first area;
where the third ACL entry has a higher priority than both the fourth ACL entry and the fifth ACL entry.
In a third aspect of the embodiments of the present invention, an electronic device is provided, which includes a processor, a communication interface, a memory, and a communication bus, where the processor, the communication interface, and the memory complete communication with each other through the communication bus;
a memory for storing a computer program;
a processor adapted to perform the method steps of any of the above first aspects when executing a program stored in the memory.
In a fourth aspect of embodiments of the present invention, a computer-readable storage medium is provided, in which a computer program is stored, which, when being executed by a processor, carries out the method steps of any one of the above-mentioned first aspects.
The embodiment of the invention has the following beneficial effects:
according to the message forwarding method, the message forwarding device and the electronic equipment provided by the embodiment of the invention, when the number of the hosts in the first area is too large, the first ACL table items based on the IP addresses, which are set for the hosts in the first area, are deleted in the ACL, and the corresponding relation between the IP addresses and the area identifications is established for the hosts in the first area. Therefore, the subsequent message sent to the host in the first region or the message sent by the host in the first region can determine the forwarding strategy according to the second ACL table item expressed by the region. Because the second ACL table entry is used for recording the second mapping relationship between the source area identifier, the destination area identifier and the forwarding policy, and the area identifier can reflect the area to which the host belongs, if two hosts belong to the same area, the area identifiers of the two hosts are the same, and because the forwarding policy corresponding to the same source area identifier and destination area identifier in the second mapping relationship is allowed to be forwarded, the forwarding policy between any two hosts belonging to the same area can be represented by the same second ACL table entry, and it is not necessary to set the first ACL table entry for each pair of hosts belonging to the same area.
Of course, not all of the advantages described above need to be achieved at the same time in the practice of any one product or method of the invention.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other embodiments can be obtained by referring to these drawings.
Fig. 1 is a schematic flow chart of a message forwarding method according to an embodiment of the present invention;
fig. 2 is a schematic flowchart of a method for determining a zone identifier for forwarding a packet according to an embodiment of the present invention;
fig. 3 is another schematic flow chart of a method for determining a zone identifier for packet forwarding according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of a message forwarding apparatus according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived from the embodiments given herein by one of ordinary skill in the art, are within the scope of the invention.
Referring to fig. 1, a flowchart of a packet forwarding method according to an embodiment of the present invention is shown in the diagram, where the flowchart may include:
S101, when the number of hosts in the first area exceeds a preset threshold, deleting from the ACL the first ACL entries set for each host in the first area.
S102, aiming at each host of the first area, determining an area identification corresponding to the IP address of the host.
S103, issuing a second ACL table item to the ACL according to the zone identification corresponding to the IP address of each host in the first zone.
S104, determining a first ACL table item hit by the message to be forwarded according to the first source IP address and the first destination IP address of the message to be forwarded.
S105, if the message to be forwarded does not hit any first ACL table item in the ACLs, determining a first source area identifier corresponding to the first source IP address and a first destination area identifier corresponding to the first destination IP address.
And S106, determining a second ACL table item hit by the message to be forwarded according to the first source area identifier and the first destination area identifier.
And S107, processing the message to be forwarded according to the forwarding strategy in the second ACL table item hit by the message to be forwarded.
With the embodiment, when the number of hosts in the first area is too large, the first ACL table entry based on the IP address set for each host in the first area is deleted in the ACL, and the corresponding relationship between the IP address and the area identifier is established for each host in the first area. Therefore, the subsequent message sent to the host in the first region or the message sent by the host in the first region can determine the forwarding strategy according to the second ACL table item expressed by the region. Because the second ACL table entry is used for recording the second mapping relationship between the source area identifier, the destination area identifier and the forwarding policy, and the area identifier can reflect the area to which the host belongs, if two hosts belong to the same area, the area identifiers of the two hosts are the same, and because the forwarding policy corresponding to the same source area identifier and destination area identifier in the second mapping relationship is allowed to be forwarded, the forwarding policy between any two hosts belonging to the same area can be represented by the same second ACL table entry, and it is not necessary to set the first ACL table entry for each pair of hosts belonging to the same area.
For example, suppose the first zone contains 3 hosts whose IP addresses are denoted a1, a2 and a3. In the related art the following entries must be established in the ACL:
a1→a2 permit; a1→a3 permit; a1→any deny; any→a1 deny;
a2→a1 permit; a2→a3 permit; a2→any deny; any→a2 deny;
a3→a1 permit; a3→a2 permit; a3→any deny; any→a3 deny.
That is, 12 first ACL entries in total must be established.
In the packet forwarding method provided by this embodiment, suppose the zone identifier representing the first zone is 0x01.
Then, in one possible embodiment, only the following second ACL entries need to be established:
0x01→0x01 permit; 0x01→any deny; any→0x01 deny.
Only 3 second ACL entries are needed in total. Since the method deletes the first ACL entries set for each host of the first zone (12 entries in this example) and establishes only 3 second ACL entries, 9 ACL entries are saved. The saving grows with the size of the zone: for n hosts, the n × (n + 1) first ACL entries of the related art are replaced by the same 3 second ACL entries.
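To tie steps S101 to S107 and the 12-versus-3 count above together, here is an added Python model of the switch's two-stage lookup (written for this page; it is not the patent's or H3C's code). The zone names and host addresses a1 to b2 are constructed sample data, the threshold of 2 is chosen so that zone A triggers the migration while zone B keeps its per-host entries, the one-bit-per-zone identifier is one of the encodings the patent describes, and the default deny when neither table hits is an assumption the patent does not state.

```python
from typing import Dict, List, Set, Tuple

ANY = "any"
SAME = "same"           # marker for the third entry: source zone id is the same as destination
PERMIT, DENY = "permit", "deny"

# Constructed topology (not from the patent): zone A has three hosts, zone B has two.
ZONES: Dict[str, Tuple[str, ...]] = {"A": ("a1", "a2", "a3"), "B": ("b1", "b2")}
THRESHOLD = 2           # preset threshold; zone A (3 hosts) exceeds it, zone B does not


def first_entries_for_zone(hosts: Tuple[str, ...]) -> List[Tuple[str, str, str]]:
    """Related-art per-host entries for one zone: n*(n-1) permits + 2n denies = n*(n+1)."""
    permits = [(s, d, PERMIT) for s in hosts for d in hosts if s != d]
    denies = [(h, ANY, DENY) for h in hosts] + [(ANY, h, DENY) for h in hosts]
    return permits + denies


class ZoneSwitch:
    def __init__(self, zones: Dict[str, Tuple[str, ...]], threshold: int) -> None:
        self.zones = zones
        self.bit_of = {z: i for i, z in enumerate(sorted(zones))}   # one bit per zone
        self.first_acl: List[Tuple[str, str, str]] = []              # (src_ip, dst_ip, policy)
        self.zone_of_ip: Dict[str, int] = {}                          # IP -> zone identifier
        self.migrated_zids: Set[int] = set()
        self.second_acl: List[Tuple[object, object, str]] = []       # (src_zid, dst_zid, policy)
        for hosts in zones.values():
            self.first_acl += first_entries_for_zone(hosts)
        # exact src/dst permits must outrank the wildcard denies (rule priority on the switch)
        self.first_acl.sort(key=lambda e: ANY in e[:2])
        for name, hosts in zones.items():
            if len(hosts) > threshold:          # S101 trigger condition
                self.migrate_zone(name)

    def zone_id(self, ip: str) -> int:
        """S102: OR of the bits of every zone the host belongs to (0 = in no zone)."""
        return sum(1 << self.bit_of[z] for z, hosts in self.zones.items() if ip in hosts)

    def migrate_zone(self, name: str) -> None:
        hosts = set(self.zones[name])
        # S101: delete every first entry whose source or destination is a host of this zone
        self.first_acl = [e for e in self.first_acl if e[0] not in hosts and e[1] not in hosts]
        # S102: record IP -> zone identifier (the patent keeps this beside the routing table)
        for ip in hosts:
            self.zone_of_ip[ip] = self.zone_id(ip)
            self.migrated_zids.add(self.zone_of_ip[ip])
        # S103: third entry first (highest priority), then fourth/fifth denies per zone id
        self.second_acl = [(SAME, SAME, PERMIT)]
        for zid in sorted(self.migrated_zids):
            self.second_acl.append((zid, ANY, DENY))   # fourth entry
            self.second_acl.append((ANY, zid, DENY))   # fifth entry

    def entry_count(self) -> int:
        return len(self.first_acl) + len(self.second_acl)

    def forward(self, src_ip: str, dst_ip: str) -> Tuple[str, str]:
        """S104 to S107: returns (policy, which table decided)."""
        for s, d, policy in self.first_acl:                           # S104
            if s in (src_ip, ANY) and d in (dst_ip, ANY):
                return policy, "first"
        src_zid = self.zone_of_ip.get(src_ip, 0)                      # S105
        dst_zid = self.zone_of_ip.get(dst_ip, 0)
        for s, d, policy in self.second_acl:                          # S106, priority order
            if s == SAME:
                if src_zid & dst_zid:                                 # the two zone sets intersect
                    return policy, "second"
            elif s in (src_zid, ANY) and d in (dst_zid, ANY):
                return policy, "second"
        return DENY, "default"     # assumption: nothing hit -> drop (not specified by the patent)


if __name__ == "__main__":
    sw = ZoneSwitch(ZONES, THRESHOLD)
    print("entries before:", ZoneSwitch(ZONES, 10).entry_count(), "after:", sw.entry_count())
    for pair in (("a1", "a2"), ("a1", "b1"), ("b1", "b2"), ("a1", "x")):
        print(pair, sw.forward(*pair))
```

The sort in the constructor matters: the exact-IP permit entries must outrank the same zone's wildcard deny entries, otherwise a2→a1 would hit any→a1 deny before a2→a1 permit. The patent states the analogous priority for the second table explicitly (the third entry outranks the fourth and fifth), and the model keeps that order by placing the third entry first.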
Moreover, because the packet forwarding method provided by this embodiment saves ACL entry resources, a zone can be allowed to contain more hosts, so users can design their networks more freely according to actual requirements.
The foregoing S101 to S107 will be described below, respectively:
In S101, the first zone is any one of the divided zones, and the preset threshold can be set according to actual requirements, for example 30, 50, 60 or 62. In a possible embodiment, the more ACL entry resources the executing device has, the higher the preset threshold can be set, and the fewer it has, the lower the threshold; this prevents the first ACL entries established for the hosts of a single zone from occupying too many ACL entry resources.
The first ACL table entry is used for recording a first mapping relation of a source IP address, a destination IP address and a forwarding strategy. The representation mode of the first ACL entry may be different according to different application scenarios, and for convenience of description, the first ACL entry is represented in a form of "src IP → dst IP forwarding policy", where src IP is a source IP address recorded by the first ACL entry, and dst IP is a destination IP address recorded by the first ACL entry.
The first ACL entries set for the hosts of the first zone comprise: first ACL entries whose recorded source IP address is the IP address of a host in the first zone, and first ACL entries whose recorded destination IP address is the IP address of a host in the first zone.
For example, assume that there are 2 zones, which are respectively designated as zone a and zone B, and that there are two hosts in zone a whose IP addresses are a1 and a2, respectively, and that there are two hosts in zone B whose IP addresses are B1 and B2, respectively.
Then, in principle, the following first ACL entries exist:
a1→a2 permit; a1→any deny; any→a1 deny;
a2→a1 permit; a2→any deny; any→a2 deny;
b1→b2 permit; b1→any deny; any→b1 deny;
b2→b1 permit; b2→any deny; any→b2 deny;
Assume the first zone is zone A. Since the source IP address a1 and the destination IP address a2 recorded in the first ACL entry "a1→a2 permit" are both addresses of hosts in the first zone, that entry is a first ACL entry set for a host of the first zone; and since the source IP address a1 recorded in the first ACL entry "a1→any deny" is the address of a host in the first zone, that entry is also a first ACL entry set for a host of the first zone. Likewise, the first ACL entries "any→a1 deny", "a2→a1 permit", "a2→any deny" and "any→a2 deny" are first ACL entries set for hosts of the first zone.
Therefore, after the first ACL entries set for each host of the first zone are deleted, the following first ACL entries remain in the ACL:
b1→b2 permit; b1→any deny; any→b1 deny;
b2→b1 permit; b2→any deny; any→b2 deny;
in S102, the zone id is used to indicate all zones to which the host belongs, and it is understood that in some application scenarios, a host may belong to only one zone, or belong to multiple zones at the same time. In other application scenarios, each host belongs to only one zone.
If a host belongs to only one zone, the zone id corresponding to the IP address of the host is used to indicate a zone to which the host belongs, and at this time, the zone id corresponding to the IP address of the host can be regarded as the zone id of the zone. If a host belongs to multiple zones, the zone id corresponding to the IP address of the host needs to be able to indicate each zone to which the host belongs.
The form of the zone identifier may differ between application scenarios, and how the zone identifier corresponding to a host is determined is described below. In any case the zone identifier should satisfy the following condition: if the zones to which two hosts belong intersect, the zone identifiers corresponding to the IP addresses of the two hosts are the same; if the zones to which the two hosts belong do not intersect, the zone identifiers corresponding to their IP addresses are different.
After determining the zone identifier corresponding to an IP address, the executing device records the IP address together with its zone identifier, that is, the correspondence between the IP address and the zone identifier. For example, in a possible embodiment, the executing device may record, for the IP address of each host of the first zone, the corresponding zone identifier in the routing table, thereby establishing the correspondence between IP address and zone identifier.
In S103, a second ACL entry records a second mapping relationship among a source zone identifier, a destination zone identifier and a forwarding policy, and in the second mapping relationship the forwarding policy corresponding to a source zone identifier and destination zone identifier that are the same is permit.
The source zone identifier and the destination zone identifier being "the same" means that the zones represented by the source zone identifier and the zones represented by the destination zone identifier intersect. For example, if the source zone identifier represents zones A and B and the destination zone identifier represents zone A, the source zone identifier is the same as the destination zone identifier; if the source zone identifier represents zone A and the destination zone identifier represents zone B, they are different. How to determine whether the source zone identifier is the same as the destination zone identifier is described by example below.
The representation of a second ACL entry may also differ between application scenarios. In a possible embodiment, a second ACL entry is represented in the form "src zoneid → dst zoneid forwarding policy", where src zoneid is the source zone identifier and dst zoneid the destination zone identifier recorded by the entry. For example, the second ACL entry "0x01→0x01 permit" records the mapping among the source zone identifier 0x01, the destination zone identifier 0x01 and the forwarding policy permit, and is hit when the source zone identifier is 0x01 and the destination zone identifier is 0x01.
In another possible embodiment, a second ACL entry may be expressed in the form "proposition, forwarding policy", where the proposition concerns the source zone identifier and the destination zone identifier. For example, the second ACL entry "if the source zone identifier is the same as the destination zone identifier, permit" records the mapping between any pair of identical source and destination zone identifiers and the forwarding policy permit, and is hit whenever the source zone identifier is the same as the destination zone identifier.
In S104, the message to be forwarded is any message that is received by the execution body and has not yet been processed. The first ACL table item hit by the message to be forwarded is the first ACL table item meeting the following conditions: the source IP address recorded in the first ACL entry is a first source IP address, and the destination IP address recorded in the first ACL entry is a first destination IP address.
In the embodiment of the present invention, when the number of hosts in the first area is greater than the preset threshold, the first ACL table entry set for each host in the first area is deleted, so that the packet to be forwarded may not hit any first ACL table entry.
Still taking the example in the foregoing S101 as an example, assuming that the message to be forwarded is a message sent by one host in the area a to another host in the area a, and if the first source IP address is a1 and the first destination IP address is a2, the following first ACL entries remaining in the ACL are:
b1→b2 permit;b1→any deny;any→b1 deny;
b2→b1 permit;b2→any deny;any→b2 deny;
therefore, the message to be forwarded does not hit any first ACL entry.
If the to-be-forwarded message is a message sent by a host in area A to a host in area B, or the to-be-forwarded message is a message sent by a host in area B to another host in area B, then: if the first source IP address is a1 and the first destination IP address is b1, the to-be-forwarded message hits the first ACL entry "any → b1 deny", and the to-be-forwarded message is discarded; if the first source IP address is b1 and the first destination IP address is b2, the to-be-forwarded message hits the first ACL entry "b1 → b2 permit", and the to-be-forwarded message is forwarded.
In S105, if the to-be-forwarded message does not hit any first ACL entry in the ACLs, it may be considered that all ACL entries that can be hit by the to-be-forwarded message have been deleted from the ACL. As analyzed in S101, if the ACL entry hit by the packet to be forwarded is deleted from the ACL, the first source IP address and the first destination IP address may be considered as IP addresses of the host in the first area. Illustratively, still taking the example of S101 as an example, since the following first ACL entries remain in the ACL:
b1→b2 permit;b1→any deny;any→b1 deny;
b2→b1 permit;b2→any deny;any→b2 deny;
therefore, if the message to be forwarded does not hit any first ACL entry, the first source IP address may be considered as one of a1 and a2, and the first destination IP address may be considered as the other of a1 and a2. It can be seen that the first source IP address and the first destination IP address are both IP addresses of hosts of the first zone.
And the IP address of the host of the first area already establishes a corresponding relation with the area identifier, so that a first source area identifier corresponding to the first source IP address and a first destination area identifier corresponding to the first destination IP address can be determined.
It can be understood that, in the embodiment of the present invention, the second ACL entry hit by the packet to be forwarded is determined only when the packet to be forwarded does not hit any first ACL entry, so that in the embodiment of the present invention the priority of the first ACL entries is higher than that of the second ACL entries.
In S106, as described in the foregoing analysis, if the to-be-forwarded message does not hit any first ACL entry, the first source IP address and the first destination IP address are both IP addresses of hosts of the first area, so that the first source area identifier is the area identifier corresponding to the IP address of a host of the first area, and the first destination area identifier is also the area identifier corresponding to the IP address of a host of the first area. Since a second ACL entry has been issued for the area identifier corresponding to the IP address of each host in the first area, the second ACL entry hit by the message to be forwarded can be determined in the ACL.
Illustratively, still taking the example of S101 as an example, and assuming that the second ACL entry is represented in the form of "src zoneid → dst zoneid forwarding policy", the zone id corresponding to a1 and a2 is 0x01, then for the zone id corresponding to the IP address of each host in the first zone, the following second ACL entry will be issued to the ACL:
0x01→0x01 permit;any→0x01 deny;0x01→any deny;
As the foregoing analysis shows, if the message to be forwarded does not hit any first ACL entry, the first source IP address is one of a1 and a2 and the first destination IP address is the other of a1 and a2, so that both the first source area identifier and the first destination area identifier are 0x01, and the second ACL entry "0x01 → 0x01 permit" is hit.
In S107, if the forwarding policy in the hit second ACL entry is to allow forwarding, namely permit, the message to be forwarded is forwarded. If the forwarding policy in the hit second ACL entry is to refuse forwarding, namely deny, the message to be forwarded is refused, that is, discarded.
For more clearly explaining the message forwarding method provided in the embodiment of the present invention, an exemplary explanation will be given below with reference to a specific application scenario, and it is assumed that three zones exist altogether, which are respectively denoted as zone a, zone B, and zone C, where three hosts exist in zone a, which are respectively denoted as a1, a2, and A3, two hosts exist in zone B, which are respectively denoted as B1 and B2, and three hosts exist in zone C, which are respectively denoted as C1, C2, and C3. And the IP address of host a1 is denoted as a1, the IP address of host a2 is denoted as a2, the IP address of host B1 is denoted as B1, and so on.
Then to realize that hosts belonging to the same zone can perform data interaction, and hosts belonging to different zones cannot perform data interaction, the ACL is theoretically (hereinafter referred to as ACL 1):
a1→a2 permit;a1→a3 permit;a1→any deny;any→a1 deny;
a2→a1 permit;a2→a3 permit;a2→any deny;any→a2 deny;
a3→a1 permit;a3→a2 permit;a3→any deny;any→a3 deny;
b1→b2 permit;b1→any deny;any→b1 deny;
b2→b1 permit;b2→any deny;any→b2 deny;
c1→c2 permit;c1→c3 permit;c1→any deny;any→c1 deny;
c2→c1 permit;c2→c3 permit;c2→any deny;any→c2 deny;
c3→c1 permit;c3→c2 permit;c3→any deny;any→c3 deny;
if the preset threshold is 2, the number of hosts in the area a and the area C is more than the preset threshold, so that a first ACL entry set for each host in the area a and the area C is deleted in the ACL, and the ACL after deletion includes the following ACL entries:
b1→b2 permit;b1→any deny;any→b1 deny;
b2→b1 permit;b2→any deny;any→b2 deny;
for convenience of description, assuming that the regions corresponding to a1, a2 and a3 are identified as 0x01, and the regions corresponding to c1, c2 and c3 are identified as 0x02, the following second ACL entry is issued to the ACL in this example:
0x01→0x01 permit;any→0x01 deny;0x01→any deny;
0x02→0x02 permit;any→0x02 deny;0x02→any deny;
that is, the ACL at this time is (hereinafter referred to as ACL 2):
b1→b2 permit;b1→any deny;any→b1 deny;
b2→b1 permit;b2→any deny;any→b2 deny;
0x01→0x01 permit;any→0x01 deny;0x01→any deny;
0x02→0x02 permit;any→0x02 deny;0x02→any deny;
If the message to be forwarded is a message sent by host A1 to host A2, the first source IP address of the message to be forwarded is a1 and the first destination IP address is a2. According to the first source IP address a1 and the first destination IP address a2, it can be determined that the message to be forwarded does not hit any first ACL entry.
Therefore, by determining the first source area identifier corresponding to a1 and the first destination area identifier corresponding to a2, it can be determined that the first source area identifier is 0x01 and the first destination area identifier is 0x01. According to the first source area identifier 0x01 and the first destination area identifier 0x01, it can be determined that the packet to be forwarded hits the second ACL entry "0x01 → 0x01 permit" in the ACL, and thus the packet to be forwarded is forwarded.
If the message to be forwarded is the message sent by the host A1 to the host B1, the first source IP address of the message to be forwarded is a1, and the destination IP address is B1. According to the first source IP address a1 and the first destination IP address b1, it can be determined that the packet to be forwarded hits the first ACL entry "any → b1 deny", so that the packet to be forwarded is rejected from being forwarded.
If the message to be forwarded is a message sent by host A1 to host C1, the first source IP address of the message to be forwarded is a1 and the first destination IP address is c1. According to the first source IP address a1 and the first destination IP address c1, it can be determined that the packet to be forwarded does not hit any first ACL entry.
Therefore, by determining the first source area identifier corresponding to a1 and the first destination area identifier corresponding to c1, it can be determined that the first source area identifier is 0x01 and the first destination area identifier is 0x02. According to the first source area identifier 0x01 and the first destination area identifier 0x02, it can be determined that the packet to be forwarded hits whichever of the second ACL entries "0x01 → any deny" and "any → 0x02 deny" has the higher priority, so that the packet to be forwarded is rejected in either case.
In this example, hosts in the same zone can normally send messages to each other, while hosts not belonging to the same zone cannot normally send messages to each other. Meanwhile, only 12 ACL entries are included in the ACL2 in this example, whereas the ACL1 in the same case in the related art requires 30 ACL entries. Therefore, the message forwarding method provided by the embodiment of the invention can effectively save ACL table entry resources under the conditions of realizing intercommunication of hosts in the same region and isolation of hosts in different regions.
How to determine the zone identity will be explained below:
if there is no intersection between any two zones, that is, there is no same host in the hosts included in any two zones, the zone identifier corresponding to the IP address of the host may be regarded as the identifier of the first zone, so in this case, an identifier may be allocated to the first zone, and the identifier allocated to the first zone may be used as the zone identifier corresponding to the IP address of the host.
The identity assigned to the first zone may be in any form, but it should be satisfied that the identities assigned to the different zones are different. For example, in one possible embodiment, the identifier assigned to a zone may be represented by a value in the range of 0-255, and if a zone has been assigned the value "211" as an identifier, the value "211" cannot be assigned to another zone.
However, if there are at least two areas and the two areas intersect with each other, because there are hosts belonging to the plurality of areas, if the identifier allocated to the area is directly used as the area identifier corresponding to the IP address of the host, the area identifier cannot indicate all the areas to which the host belongs for the hosts belonging to the plurality of areas.
Therefore, in order to enable the zone id corresponding to the IP address of the host to indicate all zones to which the host belongs even if there are hosts belonging to multiple zones, in a possible embodiment, as shown in fig. 2, the method includes:
S201, determining the bit corresponding to each area to which the host belongs as a target bit.
Wherein, the corresponding bits of different areas are different. For example, assuming that there are 3 regions in total, which are respectively referred to as region a, region B, and region C, and 8 bits in total, it may be that region a corresponds to the first bit, region B corresponds to the second bit, and region C corresponds to the third bit, or alternatively, a corresponds to the second bit, region B corresponds to the fourth bit, and region C corresponds to the first bit. The corresponding relationship between each region and the bit may be established in advance, or the corresponding relationship between the region and the bit may be established when the bit corresponding to the region needs to be determined.
S202, setting each target bit in a binary number group with a preset length, and using the set binary number group as the area identifier corresponding to the IP address of the host.
The preset length may differ according to the application scenario. For convenience of description, the following takes a preset length of 16 bits as an example; the principle is the same when the preset length is another value, such as 8 bits, 24 bits or 128 bits, and that case is not described again.
And the corresponding bit of any area should belong to a binary number group, for example, assuming that the length of the binary number group is 16 bits, i.e. the binary number group includes 16 bits, which are respectively denoted as the first bit, the second bit, the third bit, …, and so on, the corresponding bit of any area should be one of the first bit to the sixteenth bit.
Setting the target bit means changing the value of the target bit, for example, assuming that each bit in the binary number group is 0, setting the target bit means changing the value of the target bit in the binary number group to 1. For example, assuming that the target bits are the first, second, and fifth bits, and the first bit is the last bit of the binary array, the second bit is the second to last bit of the binary array, and so on, the set binary array is 0000000000010011.
In this embodiment, the same source area identification and destination area identification refer to: intersections exist between the bits set in the source region identification and the bits set in the destination region identification. For example, if the first bit, the second bit, and the fifth bit in the source region identifier are set, and the first bit and the fourth bit in the destination region identifier are set, the source region identifier is the same as the destination region identifier. For another example, if the first bit, the second bit, and the third bit in the source region identifier are set, and the fourth bit in the destination region identifier is set, the source region identifier is different from the destination region identifier.
It can be understood that, in this embodiment, since the target bits in the area identifier corresponding to the IP address of the host are set, and each target bit is the bit corresponding to an area to which the host belongs, the set bits in the area identifier indicate all areas to which the host belongs. Whether the areas represented by the source area identifier and the destination area identifier have an intersection, that is, whether the source area identifier is the same as the destination area identifier, can then be judged from the set bits of the source area identifier and the set bits of the destination area identifier.
By selecting this embodiment, in which different areas correspond to different bits and the bits of the binary number group are set according to the areas to which the host belongs, the determined area identifier can effectively represent each area to which the host belongs.
It will be appreciated that in this embodiment it is desirable to satisfy: the bits corresponding to any one region should belong to a binary array and the bits corresponding to different regions are different. The number of zones in this embodiment cannot therefore exceed the length of the binary array, which is often limited, resulting in a limited number of zones. For example, taking the length of the binary number group as 16 bits as an example, the number of the regions should not be more than 16, and if the user needs to divide 17 and more than 17 regions for practical needs, this embodiment cannot be applied.
Based on this, in one possible embodiment, as shown in fig. 3, the method includes:
S301, if no intersection exists between the first zone and other zones, determining the value corresponding to the first zone as a target value.
The other areas refer to other areas except the first area in the network, and the corresponding values of the different areas are different.
S302, adjusting the independent identification bits in the binary digit group with the preset length to enable the value represented by the independent identification bits to be equal to the target value, and taking the adjusted binary digit group as the zone identification corresponding to the IP address of the host.
The independent identification bits are partial bits in the binary number group, namely the length of the independent identification bits is smaller than the preset length. For convenience of description, the following description will be given by taking the preset length as 16 bits and the length of the independent identification bit as 8 bits as an example, and the principle is the same for the case where the preset length is other than 16 bits and/or the length of the independent identification bit is other than 8 bits, and therefore, the description thereof is omitted.
It will be appreciated that a binary number group of length k can represent at most the value 2^k-1. The target value should be a value that the independent identification bits can represent; therefore the target value should not be greater than 2^m-1, where m is the length of the independent identification bits. For example, if m is 8, the target value lies in the range [0, 255]. Similarly, the value corresponding to any zone should also be no greater than 2^m-1.
Assuming that the value corresponding to the first area is 3, the preset length is 16 bits, the length of the independent identification bits is 8 bits, and the independent identification bits are the first 8 bits of the binary number group, which is initially 0000000000000000, the binary number group is adjusted to 0000001100000000 in this example.
S303, if the intersection exists between the first area and other areas, determining the corresponding bit of each area to which the host belongs as a target bit.
Wherein, the corresponding bits of different areas are different.
S304, setting each target bit among the interactive identification bits in the binary number group with the preset length, and using the set binary number group as the area identifier corresponding to the IP address of the host.
The interactive identification bits and the independent identification bits have no intersection, that is, no bit of the binary number group can serve as both an interactive identification bit and an independent identification bit. In this embodiment, the bit corresponding to any zone belongs to the interactive identification bits, and a zone that has no intersection with any other zone has no corresponding bit. In other possible embodiments.
For the setting, reference may be made to the related description of S202 above, and details are not repeated here. The binary number group may include only the interactive identification bits and the independent identification bits, or may also include other identification bits besides these. For convenience of description, only the case where the binary number group includes just the interactive identification bits and the independent identification bits is described; the case where the binary number group further includes other identification bits follows the same principle and is not repeated here.
Assuming that the preset length is 16 bits, the length of the independent identification bits is 8 bits, and the independent identification bits are the first 8 bits of the binary number group, then the interactive identification bits are the last 8 bits of the binary number group in this example. If the host belongs to area A and area C, the bit corresponding to area A is the last bit of the interactive identification bits, and the bit corresponding to area C is the third bit from the end of the interactive identification bits, the area identifier is 0000000000000101.
In this embodiment, the same source area identification and destination area identification refer to:
the value represented by the independent identification bit of the source area identification is equal to the value represented by the independent identification bit of the destination area identification and is not a default value; or, an intersection exists between the set interactive identification positions in the source area identification and the set interactive identification positions in the destination area identification. The default value refers to a value represented by the independent identification bits when the value is not adjusted, for example, if the independent identification bits of the binary number group default to 00000000, the default value is 0.
For example, assuming that the independent identification bit of the source region identifier is 00000111, the interactive identification bit is 00000000, and the independent identification bit of the destination region identifier is 00000111, and the interactive identification bit is 00000000, since the values represented by the independent identification bit of the source region identifier and the independent identification bit of the destination region identifier are both 7, the source region identifier is the same as the destination region identifier.
Suppose again that the independent identification bits of the source area identifier are 00000111 and its interactive identification bits are 00000000, and the independent identification bits of the destination area identifier are 00000101 and its interactive identification bits are 00000000. Then the value represented by the independent identification bits of the source area identifier is 7 and that of the destination area identifier is 5, which differ; no interactive identification bit is set in either identifier, so there is no intersection between the set interactive identification bits either, and the source area identifier is different from the destination area identifier.
Suppose again that the independent identification bits of the source area identifier are 00000000 and its interactive identification bits are 00000111, and the independent identification bits of the destination area identifier are 00000000 and its interactive identification bits are 00000101. Because there is an intersection between the set interactive identification bits of the source area identifier and the set interactive identification bits of the destination area identifier, the source area identifier is the same as the destination area identifier.
It can be understood that, if there is no intersection between the first zone and other zones, each host in the first zone can be considered to belong only to the first zone, that is, the zone identifier corresponding to the IP address of each host in the first zone only needs to represent the first zone, so a numerical value can be used directly as the zone identifier to save zone identifier resources. If there is an intersection with other zones, at least one host in the first zone may belong to multiple zones, and in that case the zone identifier can be made to represent all zones to which the host belongs by setting bits. Therefore, with this embodiment, the zone identifier is determined in different ways according to whether an intersection exists between the first zone and the other zones, so as to save zone identifier resources as far as possible while the zone identifier can still represent all zones to which the host belongs. Thus the message forwarding method provided by the embodiment of the invention is also suitable for scenarios with a large number of zones.
For example, taking the preset length as 16 bits, the length of the independent identification bit as 8 bits, and the length of the interactive identification bit as 8 bits as an example, in theory, there are at most 255 regions that do not intersect with other regions and at most 8 regions that intersect with other regions in the scene, that is, there are at most 263 regions in the scene.
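The following Python module is an added example (not the patent's or H3C's code) that encodes area identifiers both ways described above, the pure bitmask of S201-S202 and the mixed layout of S301-S304, and implements the corresponding "same identifier" tests; it assumes the page's layout (16 bits, high byte independent, low byte interactive, the first bit being the least significant) and its function names are its own.

```python
"""Area identifiers as 16-bit binary number groups (S201-S202 and S301-S304).

This is an added illustration, not code from the patent or from H3C. The
layout follows the page's examples: preset length 16 bits, the first 8 bits
(the high byte) are the independent identification bits, the last 8 bits are
the interactive identification bits, and "the first bit" is the last (least
significant) bit of the group. Function names are this example's own.
"""
PRESET_LENGTH = 16
INDEPENDENT_LENGTH = 8                                   # m on the page
INTERACTIVE_LENGTH = PRESET_LENGTH - INDEPENDENT_LENGTH
INTERACTIVE_MASK = (1 << INTERACTIVE_LENGTH) - 1         # 0x00FF
INDEPENDENT_MASK = ((1 << PRESET_LENGTH) - 1) ^ INTERACTIVE_MASK   # 0xFF00
DEFAULT_VALUE = 0   # independent identification bits left unadjusted (00000000)


def to_bits(ident):
    """Render an identifier the way the page writes it, e.g. 0000001100000000."""
    return format(ident, "0%db" % PRESET_LENGTH)


def bitmask_identifier(target_bits):
    """S201-S202: set each target bit (1 = last bit of the group) in a group
    that is initially all zeros. Every target bit must lie in the group."""
    ident = 0
    for n in target_bits:
        if not 1 <= n <= PRESET_LENGTH:
            raise ValueError("bit %d lies outside the binary number group" % n)
        ident |= 1 << (n - 1)
    return ident


def independent_identifier(value):
    """S301-S302: write the zone's value into the independent identification
    bits. The value must fit in m bits and must differ from the default."""
    if not DEFAULT_VALUE < value <= (1 << INDEPENDENT_LENGTH) - 1:
        raise ValueError("value must be in [1, 2^m-1]")
    return value << INTERACTIVE_LENGTH


def interactive_identifier(target_bits):
    """S303-S304: like bitmask_identifier, but the target bits must all lie
    inside the interactive identification bits."""
    ident = bitmask_identifier(target_bits)
    if ident & INDEPENDENT_MASK:
        raise ValueError("a target bit lies in the independent identification bits")
    return ident


def zone_identifier(host_zones, intersecting, bit_of_zone, value_of_zone):
    """Choose the encoding for one host: a host whose zone intersects no other
    zone belongs to exactly that zone and gets the zone's value (S301-S302);
    otherwise the bits of all its zones are set (S303-S304)."""
    if not any(z in intersecting for z in host_zones):
        (zone,) = host_zones
        return independent_identifier(value_of_zone[zone])
    return interactive_identifier([bit_of_zone[z] for z in host_zones])


def same_zone_bitmask(src, dst):
    """'Same' for the pure bitmask embodiment: the set bits intersect."""
    return bool(src & dst)


def same_zone(src, dst):
    """'Same' for the mixed embodiment: equal, non-default independent values,
    or an intersection between the set interactive identification bits."""
    src_value, dst_value = src & INDEPENDENT_MASK, dst & INDEPENDENT_MASK
    if src_value == dst_value and src_value != DEFAULT_VALUE:
        return True
    return bool(src & dst & INTERACTIVE_MASK)


def max_zones():
    """Zones the mixed layout can name: 2^m-1 non-intersecting values plus one
    interactive bit per intersecting zone (255 + 8 = 263 on the page)."""
    return (1 << INDEPENDENT_LENGTH) - 1 + INTERACTIVE_LENGTH


if __name__ == "__main__":
    print(to_bits(bitmask_identifier([1, 2, 5])))        # 0000000000010011
    print(to_bits(independent_identifier(3)))             # 0000001100000000
    print(to_bits(interactive_identifier([1, 3])))        # 0000000000000101
    print(same_zone(0x0700, 0x0700), same_zone(0x0700, 0x0500))   # True False
    print(same_zone(0x0007, 0x0005), same_zone(0, 0))             # True False
    print(max_zones())                                    # 263
```

Note that two hosts whose independent identification bits are both left at the default compare as different, which is what keeps two unrelated hosts with no set bits from being treated as the same zone.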
Still taking the aforementioned ACL2 as an example, two second ACL entries "0x01 → 0x01 permit" and "0x02 → 0x02 permit" exist in the ACL2, which may be replaced by one second ACL entry "allow forwarding if the source area identifier is the same as the destination area identifier" to further save ACL entry resources.
Therefore, in a possible embodiment, when issuing a second ACL entry to the ACL according to the area identifier corresponding to the IP address of each host in the first area, the following entries may be issued:
a third ACL entry, used for indicating that the forwarding policy is to allow forwarding if the source area identifier is the same as the destination area identifier;
a fourth ACL entry, used for indicating that the forwarding policy is to reject forwarding if the source area identifier is the area identifier corresponding to the IP address of any host in the first area and the destination area identifier is an arbitrary area identifier;
and a fifth ACL entry, used for indicating that the forwarding policy is to reject forwarding if the source area identifier is an arbitrary area identifier and the destination area identifier is the area identifier corresponding to the IP address of any host in the first area.
The priority of the third ACL entry is higher than that of the fourth ACL entry, and the priority of the third ACL entry is higher than that of the fifth ACL entry.
For example, assuming that the area identifier corresponding to the IP address of each host in the first area is 0x01, the third ACL entry is "if the source area identifier is the same as the destination area identifier, permit", the fourth ACL entry is "0x01 → any deny", and the fifth ACL entry is "any → 0x01 deny".
Assuming that the area identifier corresponding to the first source IP address of the to-be-forwarded message is 0x01 and the area identifier corresponding to the first destination IP address is 0x01, then, when determining the second ACL entry hit by the to-be-forwarded message, the message could in theory hit the third, the fourth and the fifth ACL entry. Because the priority of the third ACL entry is the highest, the to-be-forwarded message hits the third ACL entry, whose recorded forwarding policy is to allow forwarding, and the to-be-forwarded message is forwarded.
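As an added example (not code from the patent or from H3C), this Python snippet issues the second ACL entries in the proposition form just described, checks that one third entry replaces the per-zone permit entries of ACL2, and resolves the priority case above; the SAME marker, the entry tuples and the function names are this example's assumptions, and the last part goes one step beyond the page's example by plugging in the bitmask intersection test of S202 as the "same" predicate.

```python
"""Second ACL entries in the proposition form (third, fourth and fifth entries).

This is an added illustration, not code from the patent or from H3C. The area
identifiers 0x01 and 0x02 are the page's; the SAME marker, the entry tuples
and the function names are assumptions of this example. It also goes one
step beyond the page's example by plugging in the intersection test of the
bitmask identifiers, so that one third entry serves intersecting zones too.
"""
ANY, SAME = "any", "same"
PERMIT, DENY = "permit", "deny"


def explicit_zone_entries(zone_ids):
    """Earlier form: one "id -> id permit" plus two deny entries per zone."""
    acl = []
    for z in zone_ids:
        acl += [(z, z, PERMIT), (ANY, z, DENY), (z, ANY, DENY)]
    return acl


def proposition_zone_entries(zone_ids):
    """Third entry first (highest priority), then the fourth and fifth entry
    for every zone that issued an identifier. The single permit entry replaces
    all the per-zone "id -> id permit" entries."""
    acl = [(SAME, SAME, PERMIT)]
    for z in zone_ids:
        acl += [(z, ANY, DENY), (ANY, z, DENY)]
    return acl


def equal_ids(src_zone, dst_zone):
    """'Same' for plain numeric identifiers such as 0x01 and 0x02."""
    return src_zone == dst_zone


def intersecting_bits(src_zone, dst_zone):
    """'Same' for bitmask identifiers (S202): the set bits intersect."""
    return bool(src_zone & dst_zone)


def hits(entry, src_zone, dst_zone, same):
    """A proposition entry is hit when the predicate holds; an ordinary entry
    when both fields match, with ANY as a wildcard."""
    s, d, _ = entry
    if s == SAME:
        return same(src_zone, dst_zone)
    return s in (src_zone, ANY) and d in (dst_zone, ANY)


def lookup(acl, src_zone, dst_zone, same=equal_ids):
    """Entries are listed in priority order; the first hit decides (S106-S107).
    Returns the policy, or None if nothing is hit."""
    for entry in acl:
        if hits(entry, src_zone, dst_zone, same):
            return entry[2]
    return None


if __name__ == "__main__":
    acl = proposition_zone_entries([0x01, 0x02])
    print(len(explicit_zone_entries([0x01, 0x02])), "->", len(acl))   # 6 -> 5
    print(lookup(acl, 0x01, 0x01), lookup(acl, 0x01, 0x02))           # permit deny
    # Bitmask identifiers: a host in zones A (bit 1) and C (bit 3) talking to a
    # host in C alone is "same" because the set bits intersect.
    acl_bits = proposition_zone_entries([0b001, 0b100])
    print(lookup(acl_bits, 0b101, 0b100, intersecting_bits))          # permit
    print(lookup(acl_bits, 0b001, 0b100, intersecting_bits))          # deny
```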
Referring to fig. 4, fig. 4 is a schematic structural diagram of a message forwarding apparatus provided in an embodiment of the present invention, where the apparatus includes:
a table item deleting module 401, configured to delete, when the number of hosts in a first area is greater than a preset threshold, a first ACL table item set for each host in the first area in an access control list ACL, where the first ACL table item is used to record a first mapping relationship between a source IP address, a destination IP address, and a forwarding policy, and the first area is an arbitrary area;
an identifier management module 402, configured to determine, for each host in the first area, an area identifier corresponding to an IP address of the host, where the area identifier is used to represent all areas to which the host belongs;
a table entry issuing module 403, configured to issue a second ACL table entry to the ACL according to the area identifier corresponding to the IP address of each host in the first area, where the second ACL table entry is used to record a second mapping relationship between the source area identifier, the destination area identifier, and the forwarding policy, where the forwarding policy corresponding to the same source area identifier and destination area identifier in the second mapping relationship is allowed to be forwarded;
a first table matching module 404, configured to determine, according to a first source IP address and a first destination IP address of a packet to be forwarded, a first ACL table hit by the packet to be forwarded;
an identifier determining module 405, configured to determine, if the to-be-forwarded packet misses any one first ACL entry in the ACLs, a first source area identifier corresponding to the first source IP address and a first destination area identifier corresponding to the first destination IP address;
a second table matching module 406, configured to determine, according to the first source area identifier and the first destination area identifier, a second ACL table hit by the packet to be forwarded;
and a forwarding module 407, configured to process the packet to be forwarded according to a forwarding policy in the second ACL entry hit by the packet to be forwarded.
In a possible embodiment, the identifier management module 402 is specifically configured to determine, as a target bit, a bit corresponding to each area to which the host belongs, where the bits corresponding to different areas are different;
setting each target bit in a binary number group with a preset length, and using the set binary number group as the area identifier corresponding to the IP address of the host;
the same source area identification and destination area identification comprise:
there is an intersection between the bit set in the source region identification and the bit set in the destination region identification.
In a possible embodiment, the identifier management module 402 is specifically configured to determine, if there is no intersection between the first zone and another zone, a value corresponding to the first zone as a target value, where the values corresponding to different zones are different;
adjusting an independent identification bit in a binary number group with a preset length to enable a value represented by the independent identification bit to be equal to the target value, and taking the adjusted binary number group as an area identification corresponding to the IP address of the host;
if the intersection exists between the first area and other areas, determining the bit corresponding to each area to which the host belongs as a target bit, wherein the bits corresponding to different areas are different;
setting each target bit among the interactive identification bits in the binary number group with the preset length, and using the set binary number group as the area identifier corresponding to the IP address of the host, where the interactive identification bits and the independent identification bits have no intersection;
the same source area identification and destination area identification comprise:
the value represented by the independent identification bits of the source area identifier is equal to the value represented by the independent identification bits of the destination area identifier and is not a default value; or,
an intersection exists between the set interactive identification bits in the source area identifier and the set interactive identification bits in the destination area identifier.
In a possible embodiment, the entry issuing module 403 is specifically configured to issue the following second ACL entries to the ACL:
a third ACL entry, indicating that if the source area identifier is the same as the destination area identifier, the forwarding policy is to permit forwarding;
a fourth ACL entry, indicating that if the source area identifier is the area identifier corresponding to the IP address of any host in the first area and the destination area identifier is any identifier, the forwarding policy is to deny forwarding;
a fifth ACL entry, indicating that if the source area identifier is any identifier and the destination area identifier is the area identifier corresponding to the IP address of any host in the first area, the forwarding policy is to deny forwarding;
where the third ACL entry has a higher priority than both the fourth ACL entry and the fifth ACL entry, so that a message whose source and destination share an area is permitted before the two deny entries are consulted.
An embodiment of the present invention further provides an electronic device, as shown in FIG. 5, comprising a processor 501, a communication interface 502, a memory 503 and a communication bus 504, where the processor 501, the communication interface 502 and the memory 503 communicate with one another through the communication bus 504;
the memory 503 is configured to store a computer program;
and the processor 501, when executing the program stored in the memory 503, implements the following steps:
when the number of hosts in a first area exceeds a preset threshold, deleting, from an Access Control List (ACL), the first ACL entries set for each host in the first area, where a first ACL entry records a first mapping between a source IP address, a destination IP address and a forwarding policy, and the first area is an arbitrary area;
for each host in the first area, determining an area identifier corresponding to the IP address of the host, where the area identifier represents all areas to which the host belongs;
issuing second ACL entries to the ACL according to the area identifier corresponding to the IP address of each host in the first area, where a second ACL entry records a second mapping between a source area identifier, a destination area identifier and a forwarding policy, and in the second mapping the forwarding policy for a source area identifier and a destination area identifier that are the same is to permit forwarding;
determining the first ACL entry hit by a message to be forwarded according to the first source IP address and the first destination IP address of the message;
if the message misses every first ACL entry in the ACL, determining a first source area identifier corresponding to the first source IP address and a first destination area identifier corresponding to the first destination IP address;
determining the second ACL entry hit by the message according to the first source area identifier and the first destination area identifier;
and processing the message according to the forwarding policy in the hit second ACL entry.
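The processor steps above, together with the third, fourth and fifth ACL entries and their priorities, as an added Python model that is not the patent's or H3C's code. The areas, host addresses and threshold are constructed for illustration; the area identifier is the one-bit-per-area encoding whose "same" test is a non-zero bitwise AND; how each entry is expressed in a device's ACL table is outside the model, so each second entry carries a match function; and a message that hits no entry at all is dropped here, which is an assumption the page does not state.

```python
from dataclasses import dataclass, field
from itertools import permutations
from typing import Callable, Dict, List, Set, Tuple

PERMIT, DENY = "permit", "deny"

# Constructed topology: area A has four hosts, area B has two, and 10.0.1.4
# belongs to both.  With THRESHOLD = 3 only A is collapsed to area entries.
AREAS: Dict[str, Set[str]] = {
    "A": {"10.0.1.1", "10.0.1.2", "10.0.1.3", "10.0.1.4"},
    "B": {"10.0.1.4", "10.0.2.1"},
}
THRESHOLD = 3


@dataclass(order=True)
class AreaEntry:
    """Second ACL entry, matched on (source id, destination id); a lower
    priority number is consulted first.  `match` stands in for however the
    entry would be expressed in the device's ACL table."""
    priority: int
    name: str = field(compare=False)
    match: Callable[[int, int], bool] = field(compare=False)
    policy: str = field(compare=False)


@dataclass
class Acl:
    areas: Dict[str, Set[str]]
    threshold: int
    pair_entries: Dict[Tuple[str, str], str] = field(default_factory=dict)  # first ACL entries
    area_entries: List[AreaEntry] = field(default_factory=list)             # second ACL entries
    area_bit: Dict[str, int] = field(default_factory=dict)

    def __post_init__(self) -> None:
        self.area_bit = {name: i for i, name in enumerate(sorted(self.areas))}
        for area in self.areas:
            self.install_pairs(area)
        for area, hosts in self.areas.items():
            if len(hosts) > self.threshold:
                self.collapse_area(area)

    def install_pairs(self, area: str) -> None:
        """First ACL entries: one (src IP, dst IP) -> permit per ordered host pair."""
        for src, dst in permutations(sorted(self.areas[area]), 2):
            self.pair_entries[(src, dst)] = PERMIT

    def area_id(self, ip: str) -> int:
        """One bit per area the host belongs to; 0 for a host in no area."""
        ident = 0
        for name, hosts in self.areas.items():
            if ip in hosts:
                ident |= 1 << self.area_bit[name]
        return ident

    def collapse_area(self, area: str) -> None:
        """Delete the area's pair entries and issue the third/fourth/fifth entries."""
        hosts = self.areas[area]
        for key in [k for k in self.pair_entries if k[0] in hosts and k[1] in hosts]:
            del self.pair_entries[key]
        member_ids = {self.area_id(h) for h in hosts}  # ids of this area's hosts
        self.area_entries += [
            AreaEntry(1, "third: same ids -> permit", lambda s, d: (s & d) != 0, PERMIT),
            AreaEntry(2, f"fourth: src in {area} -> deny", lambda s, d: s in member_ids, DENY),
            AreaEntry(2, f"fifth: dst in {area} -> deny", lambda s, d: d in member_ids, DENY),
        ]
        self.area_entries.sort()  # stable: third first, then fourth before fifth

    def forward(self, src_ip: str, dst_ip: str) -> Tuple[str, str]:
        """Return (policy, entry that decided).  Pair entries are consulted first;
        on a miss the two area identifiers are looked up in the area entries."""
        policy = self.pair_entries.get((src_ip, dst_ip))
        if policy is not None:
            return policy, "first"
        src_id, dst_id = self.area_id(src_ip), self.area_id(dst_ip)
        for entry in self.area_entries:
            if entry.match(src_id, dst_id):
                return entry.policy, entry.name
        return DENY, "no entry hit"  # assumption: the page does not say what a total miss does


def build() -> Acl:
    return Acl(AREAS, THRESHOLD)


if __name__ == "__main__":
    acl = build()
    for src, dst in [("10.0.1.1", "10.0.1.2"), ("10.0.1.4", "10.0.2.1"),
                     ("10.0.2.1", "10.0.1.1"), ("10.0.9.9", "10.0.8.8")]:
        print(src, "->", dst, acl.forward(src, dst))
```

The cases worth tracing: 10.0.1.4 to 10.0.2.1 is still decided by a first entry, because area B stayed below the threshold; 10.0.1.1 to 10.0.1.2 misses the (deleted) pair entries and is permitted by the third entry; 10.0.2.1 to 10.0.1.1 is denied by the fifth entry, which only applies because the third entry did not match first. Collapsing an area replaces n(n-1) pair entries with three area entries, which is the saving the threshold is there to trigger.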
The communication bus of the electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration only one thick line is drawn in the figure, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the electronic device and other devices.
The memory may include a Random Access Memory (RAM) or a Non-Volatile Memory (NVM), for example at least one disk memory. Optionally, the memory may also be at least one storage device located remotely from the processor.
The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), etc.; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In another embodiment of the present invention, a computer-readable storage medium is further provided, in which a computer program is stored, and the computer program, when executed by a processor, implements the steps of any of the message forwarding methods described above.
In another embodiment, a computer program product containing instructions is provided, which when run on a computer causes the computer to perform any of the message forwarding methods in the above embodiments.
In the above embodiments, the implementation may be realized wholly or partially by software, hardware, firmware, or any combination thereof. When implemented in software, it may be realized wholly or partially in the form of a computer program product. The computer program product comprises one or more computer instructions which, when loaded and executed on a computer, cause the processes or functions described in the embodiments of the invention to occur in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another, for example from one website, computer, server or data center to another website, computer, server or data center by wired means (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wireless means (e.g., infrared, radio, microwave). The computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
It is noted that, herein, relational terms such as first and second are used solely to distinguish one entity or action from another, and do not necessarily require or imply any actual such relationship or order between those entities or actions. Likewise, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in the process, method, article or apparatus that comprises the element.
All the embodiments in this specification are described in a related manner; the same or similar parts of the embodiments may be referred to each other, and each embodiment focuses on its differences from the others. In particular, the embodiments of the apparatus, the electronic device, the computer-readable storage medium and the computer program product are substantially similar to the method embodiments, so their description is relatively brief, and for the relevant points reference may be made to the description of the method embodiments.
The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.

Claims (10)

1. A message forwarding method, characterized in that the method comprises:
when the number of hosts in a first area exceeds a preset threshold, deleting, from an Access Control List (ACL), the first ACL entries set for each host in the first area, where a first ACL entry records a first mapping between a source IP address, a destination IP address and a forwarding policy, and the first area is an arbitrary area;
for each host in the first area, determining an area identifier corresponding to the IP address of the host, where the area identifier represents all areas to which the host belongs;
issuing second ACL entries to the ACL according to the area identifier corresponding to the IP address of each host in the first area, where a second ACL entry records a second mapping between a source area identifier, a destination area identifier and a forwarding policy, and in the second mapping the forwarding policy for a source area identifier and a destination area identifier that are the same is to permit forwarding;
determining the first ACL entry hit by a message to be forwarded according to a first source IP address and a first destination IP address of the message;
if the message misses every first ACL entry in the ACL, determining a first source area identifier corresponding to the first source IP address and a first destination area identifier corresponding to the first destination IP address;
determining the second ACL entry hit by the message according to the first source area identifier and the first destination area identifier;
and processing the message according to the forwarding policy in the hit second ACL entry.
2. The method according to claim 1, wherein determining the area identifier corresponding to the IP address of the host comprises:
determining the bit corresponding to each area to which the host belongs as a target bit, where different areas correspond to different bits;
setting each target bit in a bit array of a preset length, and taking the resulting bit array as the area identifier corresponding to the IP address of the host;
and the source area identifier and the destination area identifier being the same comprises:
the set bits of the source area identifier and the set bits of the destination area identifier intersecting.
3. The method according to claim 1, wherein determining the area identifier corresponding to the IP address of the host comprises:
if there is no intersection between the first area and any other area, determining the value corresponding to the first area as a target value, where different areas correspond to different values;
adjusting the independent identification bits in a bit array of a preset length so that the value represented by the independent identification bits equals the target value, and taking the adjusted bit array as the area identifier corresponding to the IP address of the host;
if there is an intersection between the first area and another area, determining the bit corresponding to each area to which the host belongs as a target bit, where different areas correspond to different bits;
setting each target bit among the interaction identification bits of the bit array of the preset length, and taking the resulting bit array as the area identifier corresponding to the IP address of the host, where the interaction identification bits and the independent identification bits do not overlap;
and the source area identifier and the destination area identifier being the same comprises:
the value represented by the independent identification bits of the source area identifier equalling the value represented by the independent identification bits of the destination area identifier and not being the default value; or,
the set interaction identification bits of the source area identifier and the set interaction identification bits of the destination area identifier intersecting.
4. The method according to any one of claims 1 to 3, wherein issuing the second ACL entries to the ACL according to the area identifier corresponding to the IP address of each host in the first area comprises:
issuing the following second ACL entries to the ACL:
a third ACL entry, indicating that if the source area identifier is the same as the destination area identifier, the forwarding policy is to permit forwarding;
a fourth ACL entry, indicating that if the source area identifier is the area identifier corresponding to the IP address of any host in the first area and the destination area identifier is any identifier, the forwarding policy is to deny forwarding;
a fifth ACL entry, indicating that if the source area identifier is any identifier and the destination area identifier is the area identifier corresponding to the IP address of any host in the first area, the forwarding policy is to deny forwarding;
where the third ACL entry has a higher priority than the fourth ACL entry, and the third ACL entry has a higher priority than the fifth ACL entry.
5. A message forwarding apparatus, characterized in that the apparatus comprises:
an entry deleting module, configured to delete, from an Access Control List (ACL), the first ACL entries set for each host in a first area when the number of hosts in the first area exceeds a preset threshold, where a first ACL entry records a first mapping between a source IP address, a destination IP address and a forwarding policy, and the first area is an arbitrary area;
an identifier management module, configured to determine, for each host in the first area, an area identifier corresponding to the IP address of the host, where the area identifier represents all areas to which the host belongs;
an entry issuing module, configured to issue second ACL entries to the ACL according to the area identifier corresponding to the IP address of each host in the first area, where a second ACL entry records a second mapping between a source area identifier, a destination area identifier and a forwarding policy, and in the second mapping the forwarding policy for a source area identifier and a destination area identifier that are the same is to permit forwarding;
a first entry matching module, configured to determine the first ACL entry hit by a message to be forwarded according to a first source IP address and a first destination IP address of the message;
an identifier determining module, configured to determine, if the message misses every first ACL entry in the ACL, a first source area identifier corresponding to the first source IP address and a first destination area identifier corresponding to the first destination IP address;
a second entry matching module, configured to determine the second ACL entry hit by the message according to the first source area identifier and the first destination area identifier;
and a forwarding module, configured to process the message according to the forwarding policy in the hit second ACL entry.
6. The apparatus according to claim 5, wherein the identifier management module is specifically configured to determine, as a target bit, the bit corresponding to each area to which the host belongs, where different areas correspond to different bits;
set each target bit in a bit array of a preset length, and take the resulting bit array as the area identifier corresponding to the IP address of the host;
and the source area identifier and the destination area identifier being the same comprises:
the set bits of the source area identifier and the set bits of the destination area identifier intersecting.
7. The apparatus according to claim 5, wherein the identifier management module is specifically configured to: if there is no intersection between the first area and any other area, determine the value corresponding to the first area as a target value, where different areas correspond to different values;
adjust the independent identification bits in a bit array of a preset length so that the value represented by the independent identification bits equals the target value, and take the adjusted bit array as the area identifier corresponding to the IP address of the host;
if there is an intersection between the first area and another area, determine the bit corresponding to each area to which the host belongs as a target bit, where different areas correspond to different bits;
set each target bit among the interaction identification bits of the bit array of the preset length, and take the resulting bit array as the area identifier corresponding to the IP address of the host, where the interaction identification bits and the independent identification bits do not overlap;
and the source area identifier and the destination area identifier being the same comprises:
the value represented by the independent identification bits of the source area identifier equalling the value represented by the independent identification bits of the destination area identifier and not being the default value; or,
the set interaction identification bits of the source area identifier and the set interaction identification bits of the destination area identifier intersecting.
8. The apparatus according to any one of claims 5 to 7, wherein the entry issuing module is specifically configured to issue the following second ACL entries to the ACL:
a third ACL entry, indicating that if the source area identifier is the same as the destination area identifier, the forwarding policy is to permit forwarding;
a fourth ACL entry, indicating that if the source area identifier is the area identifier corresponding to the IP address of any host in the first area and the destination area identifier is any identifier, the forwarding policy is to deny forwarding;
a fifth ACL entry, indicating that if the source area identifier is any identifier and the destination area identifier is the area identifier corresponding to the IP address of any host in the first area, the forwarding policy is to deny forwarding;
where the third ACL entry has a higher priority than the fourth ACL entry, and the third ACL entry has a higher priority than the fifth ACL entry.
9. An electronic device, characterized by comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with one another through the communication bus;
the memory is configured to store a computer program;
and the processor is configured to implement the method steps of any one of claims 1 to 4 when executing the program stored in the memory.
10. A computer-readable storage medium, characterized in that a computer program is stored in the computer-readable storage medium, and the computer program, when executed by a processor, implements the method steps of any one of claims 1 to 4.
CN202111284064.5A 2021-11-01 2021-11-01 Message forwarding method and device and electronic equipment Active CN113965401B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111284064.5A CN113965401B (en) 2021-11-01 2021-11-01 Message forwarding method and device and electronic equipment

Publications (2)

Publication Number Publication Date
CN113965401A true CN113965401A (en) 2022-01-21
CN113965401B CN113965401B (en) 2023-09-19

Family

ID=79468638

Country Status (1)

Country Link
CN (1) CN113965401B (en)

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090037977A1 (en) * 2007-06-15 2009-02-05 Nuova Systems, Inc. Apparatus and method for applying network policy at a network device
CN103718527A (en) * 2013-03-30 2014-04-09 华为技术有限公司 Communication security processing method, apparatus and system
CN103947160A (en) * 2011-12-07 2014-07-23 华为技术有限公司 Method to carry FCOE frames over a TRILL based network
CN104717290A (en) * 2015-03-19 2015-06-17 杭州华三通信技术有限公司 SAN access control method and device
CN107968825A (en) * 2017-11-28 2018-04-27 新华三技术有限公司 A kind of message transmission control method and device
US20180375769A1 (en) * 2017-06-26 2018-12-27 Telia Company Ab Methods, System and Apparatuses for Routing Data Packets in a Network Topology
CN110197079A (en) * 2018-02-26 2019-09-03 国际商业机器公司 Safety zone in knowledge figure
US20190296978A1 (en) * 2018-03-23 2019-09-26 Juniper Networks, Inc. Enforcing policies in cloud domains with different application nomenclatures
CN111953599A (en) * 2020-07-14 2020-11-17 锐捷网络股份有限公司 Terminal authority control method and device, electronic equipment and storage medium
CN113079097A (en) * 2021-03-24 2021-07-06 新华三信息安全技术有限公司 Message processing method and device
CN113452594A (en) * 2021-06-28 2021-09-28 新华三信息安全技术有限公司 Inner layer message matching method and device of tunnel message

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115426258A (en) * 2022-08-23 2022-12-02 迈普通信技术股份有限公司 Information configuration method, device, switch and readable storage medium
CN115426258B (en) * 2022-08-23 2023-10-24 迈普通信技术股份有限公司 Information configuration method, device, switch and readable storage medium

Also Published As

Publication number Publication date
CN113965401B (en) 2023-09-19

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant