CN114745177A - ACL rule processing method, device, equipment and medium - Google Patents
ACL rule processing method, device, equipment and medium Download PDFInfo
- Publication number
- CN114745177A CN114745177A CN202210372509.3A CN202210372509A CN114745177A CN 114745177 A CN114745177 A CN 114745177A CN 202210372509 A CN202210372509 A CN 202210372509A CN 114745177 A CN114745177 A CN 114745177A
- Authority
- CN
- China
- Prior art keywords
- block
- entry
- newly added
- priority
- entries
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000003672 processing method Methods 0.000 title description 5
- 238000000034 method Methods 0.000 claims abstract description 43
- 238000012545 processing Methods 0.000 claims abstract description 20
- 239000000126 substance Substances 0.000 claims description 3
- 238000012217 deletion Methods 0.000 claims 1
- 230000037430 deletion Effects 0.000 claims 1
- 230000008569 process Effects 0.000 description 8
- 238000010586 diagram Methods 0.000 description 6
- 238000004891 communication Methods 0.000 description 3
- 108090000248 Deleted entry Proteins 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004075 alteration Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 238000003780 insertion Methods 0.000 description 1
- 230000037431 insertion Effects 0.000 description 1
- 230000000750 progressive effect Effects 0.000 description 1
- 230000001960 triggered effect Effects 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
Abstract
The embodiment of the specification discloses a method, a device, equipment and a medium for processing an ACL rule, which comprise the following steps: arranging entries contained in applications of the same type into corresponding block blocks, wherein each application comprises one or more entries; when a new entry is inserted, determining the type of the application to which the new entry belongs; determining a corresponding first block according to the type of the application to which the newly added entry belongs; comparing the priority of the existing entries and the newly-added entries in the first block to obtain a priority comparison result; and inserting the newly added entry into the first block according to the priority comparison result. The embodiment of the specification can be classified according to application types, each type occupies one block, priority difference exists between the application types, the application types are arranged in front according to the condition that the application types are obtained first and the priority is higher, and the application types only need to be moved in the same block when the application types need to be moved by recording the last occupied position in each block, so that the moving times can be reduced.
Description
Technical Field
The present specification relates to the field of communications technologies, and in particular, to a method, an apparatus, a device, and a medium for processing an ACL rule.
Background
The communication between information points and the communication between the internal network and the external network are indispensable business requirements in the enterprise network, but in order to ensure the safety of the internal network, a security strategy is needed to ensure that an unauthorized user can only access specific network resources, so that the aim of controlling access is fulfilled. An ACL (access control list) can filter traffic in the network, a network technology means of controlling access. Entries applied to the router interface, each entry may represent an instruction. These instructions are used to tell the router which packets can be received and which packets need to be rejected. As to whether the packet is received or rejected, it can be decided by a specific indication condition like a source address, a destination address, a port number, etc.
The ACL rules take effect according to the priority, and the rules with the same priority are issued first according to the rules with higher priority ranked ahead. If the priority of the newly issued rule is higher, all the following rules with low priority need to be moved according to the comparison. During the move, a large amount of the CPU of the device may be consumed.
Based on this, a processing method of ACL rules is required to reduce the CPU consumption of the device during the moving process.
Disclosure of Invention
One or more embodiments of the present specification provide a method, an apparatus, a device, and a medium for processing an ACL rule, which are used to solve the following technical problems:
a processing method of ACL rules is required to reduce CPU consumption of the device during the move.
One or more embodiments of the present specification adopt the following technical solutions:
one or more embodiments of the present specification provide a method for processing an ACL rule, the method including:
arranging entries contained in applications of the same type into corresponding block blocks, wherein each application comprises one or more entries;
when a new entry is inserted, determining the type of the application to which the new entry belongs;
determining a corresponding first block according to the type of the application to which the newly added entry belongs;
comparing the priority of the existing entries and the newly-added entries in the first block to obtain a priority comparison result;
and inserting the newly added entry into the first block according to the priority comparison result.
Further, the arranging the entries included in the applications of the same type into the corresponding block specifically includes:
respectively determining the priority of the items contained in the applications of the same type;
and arranging the entries from large to small in the corresponding block according to the priority of each entry.
Further, the priority comparison result includes that the newly added entry is less than or equal to the priority of the existing entry in the first block, the newly added entry is greater than the priority of the existing partial entries in the first block, and the newly added entry is greater than the priority of the existing entry in the first block;
if the priority comparison result indicates that the newly added entry is less than or equal to the priority of the existing entry in the first block, inserting the newly added entry into the first block specifically includes:
inserting the newly added entry into an empty position behind the first block;
if the newly added entry is greater than the priority of the existing partial entries in the first block, inserting the newly added entry into the first block specifically includes:
in the first block, moving the items with the priority lower than that of the newly added items backwards, and arranging the newly added items to an empty position, wherein the moving step length is the same as the number of the newly added items;
if the newly added entry is greater than the priority of the existing entry in the first block, inserting the newly added entry into the first block specifically includes:
and moving the existing items in the first block backwards, and arranging the newly added items to vacant positions, wherein the moving step length is the same as the number of the newly added items.
Further, if the newly added entry cannot be inserted into the remaining space of the first block, the method further includes:
if the next block of the first block is occupied, integrally moving the blocks behind the first block so as to enable the next block of the first block to be in an idle state, wherein the step length of the integral moving is one block;
if the priority comparison result indicates that the newly added entry is less than or equal to the priority of the existing entry in the first block, inserting the newly added entry into the first block specifically includes:
inserting the newly added entry into the next block of the first block;
if the newly added entry is greater than the priority of the existing partial entries in the first block, inserting the newly added entry into the first block specifically includes:
in the first block, moving the items with the priority lower than that of the newly added items backwards, moving the items exceeding the first block to the next block of the first block, and arranging the newly added items to spare positions, wherein the moving step length is the same as the number of the newly added items;
if the newly added entry is greater than the priority of the existing entry in the first block, inserting the newly added entry into the first block specifically includes:
and moving the existing items in the first block backwards, moving the items beyond the first block to the next block of the first block, and arranging the newly added items to spare positions, wherein the moving step length is the same as the number of the newly added items.
Further, when the specified entry is deleted, the method further includes:
determining the type of the application to which the specified entry belongs;
determining a corresponding second block according to the type of the application to which the specified entry belongs;
determining a location of the specified entry in the second block;
and deleting the specified entry according to the position of the specified entry in the second block.
Further, if the position of the specified entry in the second block does not belong to the extreme end of the second block, after the specified entry is deleted, the method further includes:
and in the second block, moving the items at the rear end of the specified items forward, wherein the moving step length is the same as the number of the specified items.
Further, if all entries of the second block are the designated entry, after the designated entry is deleted, the method further includes:
and if the next block of the second block is determined to be occupied, integrally moving the blocks behind the second block forwards, wherein the step length of the integral moving is one block.
One or more embodiments of the present specification provide an apparatus for processing an ACL rule, the apparatus including:
the system comprises an item arrangement unit, a block unit and a block management unit, wherein the item arrangement unit is used for arranging items contained in applications of the same type into corresponding blocks, and each application comprises one or more items;
the type determining unit is used for determining the type of the application to which the newly added entry belongs when the newly added entry is inserted;
the block determining unit is used for determining a corresponding first block according to the type of the application to which the newly-added entry belongs;
the comparison unit is used for comparing the priorities of the existing entries and the newly-added entries in the first block to obtain a priority comparison result;
and the entry inserting unit inserts the newly added entry into the first block according to the priority comparison result.
One or more embodiments of the present specification provide an ACL rule processing apparatus including:
at least one processor; and the number of the first and second groups,
a memory communicatively coupled to the at least one processor; wherein the content of the first and second substances,
the memory stores instructions executable by the at least one processor to enable the at least one processor to:
arranging entries contained in applications of the same type into corresponding block blocks, wherein each application comprises one or more entries;
when a new entry is inserted, determining the type of the application to which the new entry belongs;
determining a corresponding first block according to the type of the application to which the newly added entry belongs;
comparing the priority of the existing entries and the newly-added entries in the first block to obtain a priority comparison result;
and inserting the newly added entry into the first block according to the priority comparison result.
One or more embodiments of the present specification provide a non-transitory computer storage medium storing computer-executable instructions configured to:
arranging entries contained in applications of the same type into corresponding block blocks, wherein each application comprises one or more entries;
when a new entry is inserted, determining the type of the application to which the new entry belongs;
determining a corresponding first block according to the type of the application to which the newly added entry belongs;
comparing the priority of the existing entries and the newly-added entries in the first block to obtain a priority comparison result;
and inserting the newly added entry into the first block according to the priority comparison result.
The embodiment of the specification adopts at least one technical scheme which can achieve the following beneficial effects: the method and the device can be classified according to application types, each type occupies one block, priority difference exists between the application types, the priority is obtained first, the higher the priority is, the front is arranged, the last occupied position in each block is recorded, when the block needs to be moved, the block only needs to be moved in the same block, the moving times are reduced, only when items issued by the type exceed the block capacity, whether the next block is occupied or not needs to be judged, if not, the next block is directly occupied, if the block is occupied, the block needs to be moved, the next block is occupied, even if the same type of application occupies a plurality of blocks, the adjacent block is also occupied, and subsequent processing is facilitated.
Drawings
In order to more clearly illustrate the embodiments of the present specification or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only some embodiments described in the present specification, and for those skilled in the art, other drawings can be obtained according to the drawings without any creative effort. In the drawings:
FIG. 1 is a flow diagram illustrating a method for processing an ACL rule according to one or more embodiments of the present disclosure;
FIG. 2 is a flow chart illustrating a method for moving an item according to one or more embodiments of the present disclosure;
FIG. 3 is a flow diagram of a method for deleting an item according to one or more embodiments of the present disclosure;
fig. 4 is a schematic structural diagram of a device for processing an ACL rule according to one or more embodiments of the present disclosure;
fig. 5 is a schematic structural diagram of a processing device for an ACL rule according to one or more embodiments of the present specification.
Detailed Description
The embodiment of the specification provides a method, a device, equipment and a medium for processing an ACL rule.
In order to make those skilled in the art better understand the technical solutions in the present specification, the technical solutions in the embodiments of the present specification will be clearly and completely described below with reference to the drawings in the embodiments of the present specification, and it is obvious that the described embodiments are only a part of the embodiments of the present specification, and not all of the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present specification without any creative effort shall fall within the protection scope of the present specification.
Fig. 1 is a schematic flow chart of a processing method of an ACL rule according to one or more embodiments of the present disclosure, where the flow may be executed by a processing system of the ACL rule, and the system may process the ACL rule, so as to greatly improve that when an entry is added or deleted in the ACL rule, the number of times of moving the ACL rule is reduced as much as possible, so as to reduce CPU consumption of the device, and some input parameters or intermediate results in the flow allow manual intervention and adjustment, so as to help improve accuracy.
The method of the embodiments of the present specification comprises the following steps:
s102, arranging the entries contained in the applications of the same type into corresponding block blocks, wherein each application comprises one or more entries.
In the embodiment of the present specification, the entry included in the application corresponds to an access control instruction in the ACL, and is used to control which data can be received by the router and which data needs to be rejected.
Further, when the entries contained in the applications of the same type are arranged in the corresponding block, the priorities of the entries contained in the applications of the same type can be respectively determined; and arranging the entries from large to small in the corresponding block according to the priority of each entry. In the process, the entries contained in the same type of application are placed in the same block, and if the memory of one block is not enough to store the entries contained in the same type of application, the remaining entries can be stored in the next adjacent block. For example, the applications of type a include application 1 and application 2, the applications of type B include application 3 and application 4, when in application, the entries of application 1 and application 2 are stored in the same block, the entries of application 3 and application 4 are stored in the same block, the entries in the storage process may be arranged according to the priority of all the entries in the current block, the entries with the higher priority are placed in front of the current block, and the entries with the same priority may be placed in front of the current block according to the storage time, that is, the entries with the earlier storage time.
S104, when a new entry is inserted, determining the type of the application to which the new entry belongs.
And S106, determining a corresponding first block according to the type of the application to which the newly added entry belongs.
In this embodiment of the present specification, it is determined which block the entry should exist in according to the type of the application to which the newly added entry belongs.
And S108, comparing the priority of the existing entry and the newly-added entry in the first block to obtain a priority comparison result.
And S110, inserting the newly added entry into the first block according to the priority comparison result.
In this embodiment of the present specification, the priority comparison result may include that the newly added entry is less than or equal to the priority of the existing entry in the first block, the newly added entry is greater than the priority of the existing partial entries in the first block, and the newly added entry is greater than the priority of the existing entries in the first block.
If the priority comparison result shows that the newly added entry is smaller than or equal to the priority of the existing entry in the first block, when the newly added entry is inserted into the first block, the newly added entry can be inserted into an empty position behind the first block. For example, the priority of the existing entry in the first block is 2, 3, and 4, and when the priority of the newly added entry is 2, the priority of the newly added entry is equal to the priority 2 of the existing entry, but the storage time of the newly added entry is latest, and the newly added entry may be inserted into an empty position behind the current first block when inserted, that is, behind the entry with the priority 2.
If the newly added entry is larger than the priority of the existing partial entries in the first block, when the newly added entry is inserted into the first block, the entry with the priority smaller than that of the newly added entry can be moved backwards in the first block, and the newly added entry is arranged to an empty position, wherein the moving step size is the same as the number of the newly added entries. For example, when the priority of the existing entry in the first block is 2, 3, and 4, respectively, and the priority of the newly added entry is 3, the entry with the priority of 2 may be moved backward by one position, and the newly added entry may be arranged in an empty position.
If the newly added item is greater than the priority of the existing items in the first block, when the newly added item is inserted into the first block, the existing items in the first block can be moved backwards, and the newly added items are arranged to be vacant positions, wherein the moving step size is the same as the number of the newly added items. For example, when the priority of the existing entry in the first block is 2, 3, and 4, respectively, and the priority of the new entry is 5, the existing entry may be moved backward by one location, the first location is set aside, and the new entry is arranged in an empty location, that is, the new entry is arranged in the first location.
Further, if the remaining space of the first block cannot be inserted with the newly added entry, that is, the space of the first block is fully occupied, if the next block of the first block is occupied, the blocks behind the first block are integrally moved so as to enable the next block of the first block to be in an idle state, wherein the step length of the integral movement is one block, and if the next block of the first block is not occupied, the newly added entry can be continuously inserted.
If the space of the first block is occupied and the next block of the first block is in an idle state, if the priority comparison result is that the newly added entry is smaller than or equal to the priority of the existing entry in the first block, the newly added entry can be inserted into the next block of the first block when the newly added entry is inserted into the first block. For example, the priority of the existing entry in the first block is 2, 3, and 4, and when the priority of the newly added entry is 2, the priority of the newly added entry is equal to the priority 2 of the existing entry, but the storage time of the newly added entry is latest, and the newly added entry may be inserted into the next block of the current first block when inserted.
If the newly added item is larger than the priority of the existing partial items in the first block, when the newly added item is inserted into the first block, moving the item with the priority smaller than that of the newly added item backwards in the first block, moving the item exceeding the first block to the next block of the first block, and arranging the newly added item to an empty position, wherein the moving step size is the same as the number of the newly added items. For example, when the priority of the existing entry in the first block is 2, 3, and 4, respectively, and the priority of the newly added entry is 3, the entry with the priority of 2 may be moved backward by one position, that is, the entry with the priority of 2 is moved to the next block of the current first block, and the newly added entry is arranged in an empty position.
If the newly added items are larger than the priority of the existing items in the first block, when the newly added items are inserted into the first block, the existing items in the first block are moved backwards, the items exceeding the first block are moved to the next block of the first block, and the newly added items are arranged to the vacant positions, wherein the moving step size is the same as the number of the newly added items. For example, when the priority of an existing entry in the first block is 2, 3, and 4, and the priority of a newly added entry is 5, the existing entry may be moved backward to a position, and a first position is set aside, that is, the entry with the priority is moved to the next block of the current block, and the newly added entry is arranged in an empty position, that is, the newly added entry is arranged in the first position.
Further, when deleting a specified entry, the type of the application to which the specified entry belongs may be determined first; determining a corresponding second block according to the type of the application to which the specified entry belongs; then determining the position of the specified entry in the second block;
and deleting the specified entry according to the position of the specified entry in the second block.
Further, if the position of the specified entry in the second block does not belong to the extreme end of the second block, the second block may have a vacant position after the specified entry is deleted, so that the entry at the rear end of the specified entry needs to be moved forward in the second block, wherein the moving step size is the same as the number of the specified entries.
Further, if all the entries of the second block are the designated entries, the second block is a vacant block after the designated entries are deleted, and if it is determined that the next block of the second block is occupied, blocks behind the second block are integrally moved forward, wherein the step length of the overall movement is one block, so that no vacant block exists between the two blocks with the entries. If the next block of the second block is determined to be unoccupied, the moving operation does not need to be executed.
The processing mode of the ACL rules in the embodiments of the present description can reduce the moving operation, reduce the CPU consumption of the network device, and reduce the network black hole period when the entry is inserted or deleted. In the process, the application types are classified according to the application types, each type occupies one block, priority difference exists among the application types, the priority is obtained first, the higher the priority is, the front is arranged, the last occupied position in each block is recorded, when the block needs to be moved, the block only needs to be moved in the same block, when items issued by the application types exceed the block capacity, whether the next block is occupied or not needs to be judged, if the next block is not occupied, the next block is directly occupied, if the next block is occupied, the block behind needs to be integrally moved, the next block of the current block is in an idle state, and then the next block is occupied.
When a block stores an entry in an embodiment of this specification, reference may be made to an ACL rule entry shown in table 1.
| block0 | 01 2 3···························127 |
| block1 | 128 129···························255 |
| block2 | 256 257···························383 |
| bBlock3 | 384 385···························511 |
| block4 | 512513···························639 |
| ···· | ···· |
TABLE 1ACL rule entries
For example, an ACL application may issue 100 entries to occupy block0, and the ACL application issues 100 entries to occupy block1, and if an entry exists in the ACL application and needs to be inserted into block0, the ACL application only needs to move in block0, and does not need to move all entries. When the capacity of the block0 is exceeded, block1 needs to be occupied, and if block1 is already occupied, the whole of the items behind block1 and block1 needs to be moved, and block1 is free.
Further, an embodiment of the present specification further provides an item moving method, and a flowchart of the method may refer to fig. 2. The method comprises the steps of starting, judging whether block needs to be created or not, if not, ending the process, if yes, judging whether resources exist or not, if not, ending the process, if yes, creating the block, searching whether ACL rule items need to be moved or not, if an item is newly added or deleted, the item needs to be moved, the judgment can be triggered, even if the item is newly added or deleted, the item does not need to be moved, namely the priority of the newly added item is smaller than or equal to the priority of the existing item of the current block, at the moment, only the item needs to be arranged at the rear end of the current block, and when the item is deleted, the item needing to be deleted is located at the tail end of the current block and the item does not need to be moved. If not, directly inserting a newly added block or deleting a block; if yes, finding the block identifier of the moved item, namely the block position of the moved item. And then, judging whether the block needs to be moved, namely, when the entries are newly added, the memory of the current block is full, the next block needs to be occupied, and the block needs to be moved at the moment. If not, moving the item; if yes, finding the identification of the block to be moved and the step size of the movement, for example, inserting an item into block0, and when the block1 needs to be moved, determining that the items of block1, block2 and block3 in the following block exist, moving the items of block1, block2 and block3 to block2, block3 and block4 respectively to leave block1 empty, wherein the identification of the block to be moved is block1, block2 and block3, the step size of the movement is 1 block, and if block1 is in an idle state, the item to be moved can be directly moved to block1, and finally, the item is moved.
Further, when an entry is deleted, if the entry is not the last block of the block, the entry needs to be moved in the block, if the deleted entry is only one block, whether the next block of the block is occupied needs to be judged, if the deleted entry is occupied, all the following blocks need to be moved, and the step length is the length of one block.
Further, an embodiment of the present specification further provides an item deleting method, and a flowchart of the method may refer to fig. 3. When starting, determining a block identifier where the deleted item is located, judging whether the deleted item needs to be moved, if not, indicating that the item is located at the last item of the block, and judging whether the block is empty; if yes, searching ACL rule table items to determine the structure of the block, deleting the items, judging whether the block is vacant, namely judging whether the block has only one item after deleting the items, wherein the block is a vacant block and can have vacant blocks, if not, ending the flow, if yes, judging whether the next block of the block is occupied, if not, releasing the vacant block, if yes, searching the marks of the next block of the block and the last block with the items, and integrally moving the next block of the block and the last block with the items forward by one block so that the block in a vacant state does not exist between the two blocks with the items.
The method and the device can be classified according to application types, each type occupies one block, priority difference exists between the application types, the priority is obtained first, the higher the priority is, the front is arranged, the last occupied position in each block is recorded, when the block needs to be moved, the block only needs to be moved in the same block, the moving times are reduced, only when items issued by the type exceed the block capacity, whether the next block is occupied or not needs to be judged, if not, the next block is directly occupied, if the block is occupied, the block needs to be moved, the next block is occupied, even if the same type of application occupies a plurality of blocks, the adjacent block is also occupied, and subsequent processing is facilitated.
Corresponding to the above embodiments, fig. 4 is a schematic structural diagram of a processing device for providing an ACL rule according to one or more embodiments of the present specification, where the device includes: an entry arrangement unit 402, a type determination unit 404, a block determination unit 406, a comparison unit 408, and an entry insertion unit 410.
An entry arrangement unit 402, which arranges entries contained in applications of the same type into corresponding block, wherein each application includes one or more entries;
a type determining unit 404, configured to determine, when a new entry is inserted, an application type to which the new entry belongs;
the block determining unit 406 is configured to determine a corresponding first block according to the type of the application to which the newly added entry belongs;
a comparing unit 408, configured to compare priorities of the existing entries and the newly-added entries in the first block, and obtain a priority comparison result;
an entry inserting unit 410, which inserts the newly added entry into the first block according to the priority comparison result.
Corresponding to the above embodiments, fig. 5 is a schematic structural diagram of a processing device for providing an ACL rule according to one or more embodiments of the present specification, and includes:
at least one processor; and the number of the first and second groups,
a memory communicatively coupled to the at least one processor; wherein the content of the first and second substances,
the memory stores instructions executable by the at least one processor to cause the at least one processor to:
arranging entries contained in applications of the same type into corresponding block blocks, wherein each application comprises one or more entries;
when a new entry is inserted, determining the type of the application to which the new entry belongs;
determining a corresponding first block according to the type of the application to which the newly added entry belongs;
comparing the priority of the existing entries and the newly-added entries in the first block to obtain a priority comparison result;
and inserting the newly added entry into the first block according to the priority comparison result.
One or more embodiments of the present specification provide a non-transitory computer storage medium storing computer-executable instructions configured to:
arranging entries contained in applications of the same type into corresponding block blocks, wherein each application comprises one or more entries;
when a new entry is inserted, determining the type of the application to which the new entry belongs;
determining a corresponding first block according to the type of the application to which the newly added entry belongs;
comparing the priority of the existing entries and the newly-added entries in the first block to obtain a priority comparison result;
and inserting the newly added entry into the first block according to the priority comparison result.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the embodiments of the apparatus, the device, and the nonvolatile computer storage medium, since they are substantially similar to the embodiments of the method, the description is simple, and for the relevant points, reference may be made to the partial description of the embodiments of the method.
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
The above description is merely one or more embodiments of the present disclosure and is not intended to limit the present disclosure. Various modifications and alterations to one or more embodiments of the present description will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement or the like made within the spirit and principle of one or more embodiments of the present specification should be included in the scope of the claims of the present specification.
Claims (10)
1. A method for processing ACL rules, the method comprising:
arranging entries contained in applications of the same type into corresponding block blocks, wherein each application comprises one or more entries;
when a new entry is inserted, determining the type of the application to which the new entry belongs;
determining a corresponding first block according to the type of the application to which the newly added entry belongs;
comparing the priority of the existing entries and the newly-added entries in the first block to obtain a priority comparison result;
and inserting the newly added entry into the first block according to the priority comparison result.
2. The method of claim 1, wherein arranging entries included in applications of a same type into corresponding block blocks comprises:
respectively determining the priority of the items contained in the applications of the same type;
and arranging the entries from large to small in the corresponding block according to the priority of each entry.
3. The method of claim 1, wherein the priority comparison result comprises that the newly added entry is less than or equal to the priority of the existing entry in the first block, that the newly added entry is greater than the priority of the existing partial entries in the first block, and that the newly added entry is greater than the priority of the existing entries in the first block;
if the priority comparison result indicates that the newly added entry is less than or equal to the priority of the existing entry in the first block, inserting the newly added entry into the first block specifically includes:
inserting the newly added entry into an empty position behind the first block;
if the newly added entry is greater than the priority of the existing partial entries in the first block, inserting the newly added entry into the first block specifically includes:
in the first block, moving the items with the priority lower than that of the newly added items backwards, and arranging the newly added items to an empty position, wherein the moving step length is the same as the number of the newly added items;
if the newly added entry is greater than the priority of the existing entry in the first block, inserting the newly added entry into the first block specifically includes:
and moving the existing items in the first block backwards, and arranging the newly added items to vacant positions, wherein the moving step length is the same as the number of the newly added items.
4. The method of claim 3, wherein if the remaining space of the first block cannot be inserted into the newly added entry, the method further comprises:
if the next block of the first block is occupied, integrally moving the blocks behind the first block so as to enable the next block of the first block to be in an idle state, wherein the step length of the integral moving is one block;
if the priority comparison result indicates that the newly added entry is less than or equal to the priority of the existing entry in the first block, inserting the newly added entry into the first block specifically includes:
inserting the newly added entry into the next block of the first block;
if the newly added entry is greater than the priority of the existing partial entries in the first block, inserting the newly added entry into the first block specifically includes:
in the first block, moving the items with the priority lower than that of the newly added items backwards, moving the items exceeding the first block to the next block of the first block, and arranging the newly added items to spare positions, wherein the moving step length is the same as the number of the newly added items;
if the newly added entry is greater than the priority of the existing entry in the first block, inserting the newly added entry into the first block specifically includes:
and moving the existing items in the first block backwards, moving the items beyond the first block to the next block of the first block, and arranging the newly added items to spare positions, wherein the moving step length is the same as the number of the newly added items.
5. The method of claim 1, wherein upon deletion of a specified entry, the method further comprises:
determining the type of the application to which the specified entry belongs;
determining a corresponding second block according to the type of the application to which the specified entry belongs;
determining a location of the specified entry in the second block;
and deleting the specified entry according to the position of the specified entry in the second block.
6. The method of claim 5, wherein if the designated entry is located in the second block at a position other than an extreme end of the second block, the method further comprises, after deleting the designated entry:
and in the second block, moving the items at the rear end of the specified items forward, wherein the moving step length is the same as the number of the specified items.
7. The method of claim 5, wherein if all entries of the second block are the designated entry, after the designated entry is deleted, the method further comprises:
and if the next block of the second block is determined to be occupied, integrally moving the blocks behind the second block forwards, wherein the step length of the integral moving is one block.
8. An apparatus for processing ACL rules, the apparatus comprising:
the system comprises an item arrangement unit, a block unit and a block management unit, wherein the item arrangement unit is used for arranging items contained in applications of the same type into corresponding blocks, and each application comprises one or more items;
the type determining unit is used for determining the type of the application to which the newly added entry belongs when the newly added entry is inserted;
the block determining unit is used for determining a corresponding first block according to the type of the application to which the newly-added entry belongs;
the comparison unit is used for comparing the priorities of the existing entries and the newly-added entries in the first block to obtain a priority comparison result;
and the entry inserting unit inserts the newly added entry into the first block according to the priority comparison result.
9. An apparatus for processing an ACL rule, comprising:
at least one processor; and the number of the first and second groups,
a memory communicatively coupled to the at least one processor; wherein the content of the first and second substances,
the memory stores instructions executable by the at least one processor to enable the at least one processor to:
arranging entries contained in applications of the same type into corresponding block blocks, wherein each application comprises one or more entries;
when a new entry is inserted, determining the type of the application to which the new entry belongs;
determining a corresponding first block according to the type of the application to which the newly added entry belongs;
comparing the priority of the existing entries and the newly-added entries in the first block to obtain a priority comparison result;
and inserting the newly added entry into the first block according to the priority comparison result.
10. A non-transitory computer storage medium having stored thereon computer-executable instructions configured to:
arranging entries contained in applications of the same type into corresponding block blocks, wherein each application comprises one or more entries;
when a new entry is inserted, determining the type of the application to which the new entry belongs;
determining a corresponding first block according to the type of the application to which the newly added entry belongs;
comparing the priority of the existing entries and the newly-added entries in the first block to obtain a priority comparison result;
and inserting the newly added entry into the first block according to the priority comparison result.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210372509.3A CN114745177A (en) | 2022-04-11 | 2022-04-11 | ACL rule processing method, device, equipment and medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210372509.3A CN114745177A (en) | 2022-04-11 | 2022-04-11 | ACL rule processing method, device, equipment and medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN114745177A true CN114745177A (en) | 2022-07-12 |
Family
ID=82282140
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210372509.3A Pending CN114745177A (en) | 2022-04-11 | 2022-04-11 | ACL rule processing method, device, equipment and medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114745177A (en) |
Citations (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101039271A (en) * | 2007-03-20 | 2007-09-19 | 华为技术有限公司 | Method and apparatus for taking effect rules of access control list |
| US20080080539A1 (en) * | 2006-09-29 | 2008-04-03 | Seung-Woo Hong | Method for ternary contents address memory table management |
| CN101447940A (en) * | 2008-12-23 | 2009-06-03 | 杭州华三通信技术有限公司 | Method and device for updating access control list rules |
| US7680822B1 (en) * | 2004-02-11 | 2010-03-16 | Novell, Inc. | Method and system for automatically creating and updating access controls lists |
| US20100199344A1 (en) * | 2009-02-02 | 2010-08-05 | Telcordia Technologies, Inc. | Redundancy detection and resolution and partial order dependency quantification in access control lists |
| CN103701704A (en) * | 2013-12-18 | 2014-04-02 | 武汉烽火网络有限责任公司 | Priority-based access control list insertion and deletion method |
| US20160248665A1 (en) * | 2013-10-10 | 2016-08-25 | Hangzhou H3C Technologies Co., Ltd. | Packet processing |
| CN108279853A (en) * | 2018-01-19 | 2018-07-13 | 盛科网络(苏州)有限公司 | IPMC date storage methods based on TCAM |
| CN112468415A (en) * | 2020-10-21 | 2021-03-09 | 浪潮思科网络科技有限公司 | Protocol message processing method, device, equipment and medium |
| CN113037681A (en) * | 2019-12-09 | 2021-06-25 | 中兴通讯股份有限公司 | ACL rule management method, device, computer equipment and computer readable medium |
-
2022
- 2022-04-11 CN CN202210372509.3A patent/CN114745177A/en active Pending
Patent Citations (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7680822B1 (en) * | 2004-02-11 | 2010-03-16 | Novell, Inc. | Method and system for automatically creating and updating access controls lists |
| US20080080539A1 (en) * | 2006-09-29 | 2008-04-03 | Seung-Woo Hong | Method for ternary contents address memory table management |
| CN101039271A (en) * | 2007-03-20 | 2007-09-19 | 华为技术有限公司 | Method and apparatus for taking effect rules of access control list |
| CN101447940A (en) * | 2008-12-23 | 2009-06-03 | 杭州华三通信技术有限公司 | Method and device for updating access control list rules |
| US20100199344A1 (en) * | 2009-02-02 | 2010-08-05 | Telcordia Technologies, Inc. | Redundancy detection and resolution and partial order dependency quantification in access control lists |
| US20160248665A1 (en) * | 2013-10-10 | 2016-08-25 | Hangzhou H3C Technologies Co., Ltd. | Packet processing |
| CN103701704A (en) * | 2013-12-18 | 2014-04-02 | 武汉烽火网络有限责任公司 | Priority-based access control list insertion and deletion method |
| CN108279853A (en) * | 2018-01-19 | 2018-07-13 | 盛科网络(苏州)有限公司 | IPMC date storage methods based on TCAM |
| CN113037681A (en) * | 2019-12-09 | 2021-06-25 | 中兴通讯股份有限公司 | ACL rule management method, device, computer equipment and computer readable medium |
| CN112468415A (en) * | 2020-10-21 | 2021-03-09 | 浪潮思科网络科技有限公司 | Protocol message processing method, device, equipment and medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101447940B (en) | Method and device for updating access control list rules | |
| CN100574281C (en) | A kind of management method of switch routing table | |
| CN104778222B (en) | Media library based on USB storage device is established and update method | |
| CN103024329B (en) | A kind of memory management method of monitoring video | |
| CN109240607B (en) | File reading method and device | |
| CN103425435B (en) | Disk storage method and disk storage system | |
| CN111198856B (en) | File management method, device, computer equipment and storage medium | |
| CN108932271B (en) | File management method and device | |
| WO2022083287A1 (en) | Storage space management method and apparatus, device, and storage medium | |
| CN108304259A (en) | EMS memory management process and system | |
| CN109688126B (en) | Data processing method, network equipment and computer readable storage medium | |
| CN109189343B (en) | Metadata disk-dropping method, device, equipment and computer-readable storage medium | |
| CN101692653B (en) | Management method and management device for routing table | |
| CN110837647B (en) | Method and device for managing access control list | |
| CN112463058B (en) | Fragmented data sorting method and device and storage node | |
| CN114138181A (en) | Method, device, equipment and readable medium for placing, grouping and selecting owners in binding pool | |
| CN114745177A (en) | ACL rule processing method, device, equipment and medium | |
| CN117271531A (en) | Data storage method, system, equipment and medium | |
| CN106354793B (en) | Method and device for monitoring hot spot object | |
| CN111221468B (en) | Storage block data deleting method and device, electronic equipment and cloud storage system | |
| CN104753788A (en) | Data forwarding method and device based on index allocation | |
| CN100553233C (en) | In the FDB table, add the method and the FDB equipment of next-hop mac address | |
| CN109962861B (en) | Message statistical method and device | |
| CN110661892B (en) | Domain name configuration information processing method and device | |
| CN110874182B (en) | Processing method, device and equipment for strip index |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |