CN115589389A - Method, system, equipment and storage medium for processing ACL - Google Patents
Method, system, equipment and storage medium for processing ACL Download PDFInfo
- Publication number
- CN115589389A CN115589389A CN202211167658.2A CN202211167658A CN115589389A CN 115589389 A CN115589389 A CN 115589389A CN 202211167658 A CN202211167658 A CN 202211167658A CN 115589389 A CN115589389 A CN 115589389A
- Authority
- CN
- China
- Prior art keywords
- acl
- chip
- deleting
- rule
- configuration request
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000012545 processing Methods 0.000 title claims abstract description 60
- 238000000034 method Methods 0.000 title claims abstract description 47
- 230000004044 response Effects 0.000 claims abstract description 27
- 230000006870 function Effects 0.000 claims description 9
- 230000008569 process Effects 0.000 claims description 8
- 238000004590 computer program Methods 0.000 claims description 7
- 230000000694 effects Effects 0.000 description 12
- 230000002776 aggregation Effects 0.000 description 9
- 238000004220 aggregation Methods 0.000 description 9
- 238000010586 diagram Methods 0.000 description 7
- 230000009471 action Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 238000012795 verification Methods 0.000 description 2
- 230000006399 behavior Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000012217 deletion Methods 0.000 description 1
- 230000037430 deletion Effects 0.000 description 1
- 230000001419 dependent effect Effects 0.000 description 1
- 230000014509 gene expression Effects 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 238000010295 mobile communication Methods 0.000 description 1
- 239000007787 solid Substances 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L49/00—Packet switching elements
- H04L49/30—Peripheral units, e.g. input or output ports
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/08—Configuration management of networks or network elements
- H04L41/0803—Configuration setting
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/08—Configuration management of networks or network elements
- H04L41/0893—Assignment of logical groups to network elements
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L49/00—Packet switching elements
- H04L49/35—Switches specially adapted for specific applications
- H04L49/354—Switches specially adapted for specific applications for supporting virtual local area networks [VLAN]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention provides a method, a system, equipment and a storage medium for processing ACL, wherein the method comprises the following steps: creating structural bodies for the chip ACL, recording the ID of the ACL table items of the chip, the ID of the corresponding ACL table items of the user and the rule corresponding to the ACL table items of the chip in each structural body, and generating a linked list according to all the structural bodies; in response to receiving a configuration request, determining whether the configuration request is to configure a binding point or a configuration rule; responding to the configuration request that a binding point is configured, and processing a corresponding chip ACL according to the relation between the binding point and the rules of the chip ACL list items; and in response to the configuration request being a configuration rule, processing the corresponding chip ACL according to the number of binding points. The invention cuts off the possible dependency relationship between binding points, has clearer logic, does not depend on specific chip realization, and is easier for users to use.
Description
Technical Field
The present invention relates to the field of switches, and more particularly, to a method, system, device, and storage medium for processing an ACL.
Background
An Access Control List (ACL) is a commonly used function of a switch. It can control various behaviors of message, and has important position on message processing pipeline of exchange chip. From the user perspective, there are two preconditions for the ACL to be validated, one is to select the appropriate ACL matching rule, and the other is to select the appropriate ACL action. In the provisions of the open source item SONIC, ACL rules have a special class of rules, binding points (binding points), in addition to the normal rules. The binding points represent some common matching rules, which mainly include three types, namely, matching ports, matching aggregation, and matching VLAN (Virtual Local Area Network). Port aggregation (trunk) is a common method for a switch to improve bandwidth and link stability, and typically includes multiple member ports. Because a user can regard a port aggregation as a port, the bandwidth and link stability of the aggregated port are significantly improved compared with those of a common port.
In the prior art, the ACL binding points and binding rules issued to the user are only issued to the chip directly according to the configuration original state of the user. The interaction between binding points and binding rules are not considered in the prior art. The final configuration effect is therefore strongly dependent on the chip implementation. The following are two practical examples:
1. configuring an ACL rule, and selecting a port1 and a port aggregation trunk1 by a binding point, wherein the port1 is a member of the trunk 1. Then port1 is unbound, and ACL will not take effect on port1 of trunk1, which is a serious problem because trunk1 contains port1 in the user's eye, and ACL rules will take effect on member port1 of trunk1 since the user binds trunk 1;
2. an ACL rule is configured, a binding point selects vlan1 and port1, and in the existing scheme, the rule can only be enabled to take effect if the traffic hits vlan1 and port1 simultaneously. If the binding point selects two vlans: vlan1 and vlan2, then a traffic hit on either vlan1 or vlan2 may be effective, a result that is very unacceptable to the user.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method, a system, a computer device, and a computer-readable storage medium for processing an ACL, where when a user configures an ACL entry with multiple binding points or adds a new binding point to an ACL entry of an existing binding point, an ACL entry invisible to the user is created for each binding point on a chip, and when the user deletes or unbinds the ACL entry, a corresponding hardware ACL is found by looking up a table to perform corresponding adjustment.
In view of the above, an aspect of the embodiments of the present invention provides a method for processing an ACL, including the following steps: creating structural bodies for the chip ACL, recording the chip ACL list item ID, the corresponding user ACL list item ID and the rule corresponding to the chip ACL list item in each structural body, and generating a linked list according to all the structural bodies; in response to receiving a configuration request, determining whether the configuration request is to configure an attachment point or a configuration rule; responding to the configuration request that a binding point is configured, and processing a corresponding chip ACL according to the relation between the binding point and the rule of the chip ACL table item; and in response to the configuration request being a configuration rule, processing the corresponding chip ACL according to the number of binding points.
In some embodiments, processing the corresponding chip ACL according to the relationship between the binding point and the rule of the chip ACL entry includes: responding to the superposition of the binding point and the rule of the chip ACL table item, and not operating; and in response to the fact that the binding points are not coincident with the rules of the ACL table items of the chip, creating or deleting the ACL of the chip corresponding to the binding points, and updating the linked list.
In some embodiments, the creating or deleting the chip ACL corresponding to the binding point includes: responding to the configuration request for adding the binding point, creating a rule capable of matching a chip ACL table item and a chip ACL of a new binding point, and recording the rule and the chip ACL into the linked list; and traversing the linked list in response to the configuration request for deleting the binding point, and determining and deleting all chip ACLs and corresponding linked list members which accord with the binding point.
In some embodiments, said processing the corresponding chip ACL according to the number of binding points comprises: in response to no binding point, creating a chip ACL meeting the user requirement or deleting a corresponding chip ACL table item, and updating the linked list; and responding to the existence of the binding points, respectively creating a chip ACL table item for each binding point or deleting the corresponding chip ACL, and updating the linked list.
In some embodiments, the creating a chip ACL meeting the user requirement or deleting a corresponding chip ACL entry includes: responding to the configuration request to create the user ACL, configuring the ACL meeting the user requirement in the chip, responding to the coincidence of the rule of the ACL and the function of the binding point, and enabling the ACL in the chip; and responding to the configuration request for deleting the user ACL, deleting the corresponding chip ACL table item and deleting the corresponding record from the linked list.
In some embodiments, the creating a chip ACL that meets the user requirement or deleting a corresponding chip ACL entry includes: and adding a node in the linked list, and recording the corresponding relation between the chip ACL and the user ACL.
In some embodiments, creating a chip ACL entry or deleting a corresponding chip ACL for each binding point includes: responding to the configuration request to create a user ACL, creating a chip ACL table item for each binding point, and matching a user ACL rule with each chip ACL table item; and responding to the configuration request for deleting the user ACL, determining a corresponding chip ACL table item ID in the linked list, and deleting the chip ACL according to the corresponding chip ACL table item ID.
In another aspect of the embodiments of the present invention, a system for processing an ACL is provided, including: the linked list module is configured for creating structural bodies for the chip ACL, recording the chip ACL list item ID, the corresponding user ACL list item ID and the rule corresponding to the chip ACL list item in each structural body, and generating a linked list according to all the structural bodies; a determining module configured to determine, in response to receiving a configuration request, whether the configuration request is to configure an attachment point or a configuration rule; the first processing module is configured to respond to the configuration request that the configuration request is a configuration binding point, and process the corresponding chip ACL according to the relation between the binding point and the rule of the chip ACL table item; and a second processing module configured to process the corresponding chip ACL according to the number of binding points in response to the configuration request being a configuration rule.
In another aspect of the embodiments of the present invention, there is also provided a computer device, including: at least one processor; and a memory storing computer instructions executable on the processor, the instructions when executed by the processor implementing the steps of the method as above.
In another aspect of the embodiments of the present invention, a computer-readable storage medium is further provided, in which a computer program for implementing the above method steps is stored when the computer program is executed by a processor.
The invention has the following beneficial technical effects: when a user configures an ACL table item with a plurality of binding points or adds a new binding point to the ACL table item of the existing binding point, an ACL table item invisible to the user is created for each binding point on the chip, and when the user deletes the ACL table item or unbinds the ACL, the corresponding hardware ACL is found by looking up a table to perform corresponding adjustment, thereby cutting the possible dependency relationship between the binding points, having more clear logic, being realized without depending on a specific chip and being more easy to use for the user.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the embodiments or the prior art descriptions will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other embodiments can be obtained according to the drawings without creative efforts.
FIG. 1 is a schematic diagram of an embodiment of a method of processing ACLs provided by the present invention;
FIG. 2 is a schematic diagram of an embodiment of a system for processing ACLs provided by the present invention;
FIG. 3 is a schematic diagram of a hardware structure of an embodiment of a computer device for processing ACLs provided in the present invention;
FIG. 4 is a schematic diagram of an embodiment of a computer storage medium for processing ACLs provided by the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the following embodiments of the present invention are described in further detail with reference to the accompanying drawings.
It should be noted that all expressions using "first" and "second" in the embodiments of the present invention are used for distinguishing two entities with the same name but different names or different parameters, and it should be noted that "first" and "second" are merely for convenience of description and should not be construed as limitations of the embodiments of the present invention, and they are not described in any more detail in the following embodiments.
In a first aspect of an embodiment of the present invention, an embodiment of a method for processing an ACL is provided. FIG. 1 is a diagram illustrating an embodiment of a method for processing ACLs provided by the present invention. As shown in fig. 1, the embodiment of the present invention includes the following steps:
s1, building structural bodies for the ACL of the chip, recording the ID of the ACL table items of the chip, the ID of the corresponding ACL table items of the user and the rule corresponding to the ACL table items of the chip in each structural body, and generating a linked list according to all the structural bodies;
s2, responding to the received configuration request, and judging whether the configuration request is a configuration binding point or a configuration rule;
s3, responding to the configuration request that the binding point is configured, and processing the corresponding chip ACL according to the relation between the binding point and the rules of the chip ACL list items; and
and S4, responding to the configuration request as a configuration rule, and processing the corresponding chip ACL according to the number of the binding points.
When a user configures an ACL table item with a plurality of binding points, or when the user adds a new binding point to the ACL table item of the existing binding point, the embodiment of the invention creates an ACL table item which is invisible to the user for each binding point on a chip. When the user deletes the ACL list item or unbinds, the corresponding hardware ACL is found by table lookup to make corresponding adjustment.
And creating a structural body according to the chip ACL table item ID, the user ACL table item ID, the binding point and the rule corresponding to the chip table item. And creating structural bodies for the chip ACL, recording the chip ACL list item ID, the corresponding user ACL list item ID and the rule corresponding to the chip ACL list item in each structural body, and generating a linked list according to all the structural bodies.
Each linked list member is an example of a structure body, corresponds to a chip ACL, records a chip ACL list item id corresponding to the ACL list item, a corresponding user ACL list item id and rules (mainly including ports, aggregation and VLAN) corresponding to the chip list item, and then modifies a corresponding flow according to possible configuration scenes of the user to the ACL. The structure for recording ACL configuration information may be as follows:
in response to receiving a configuration request, it is determined whether the configuration request is to configure a binding point or a configuration rule.
And responding to the configuration request that the binding point is configured, and processing the corresponding chip ACL according to the relation between the binding point and the rule of the chip ACL table entry.
In some embodiments, processing the corresponding chip ACL according to the relationship between the binding point and the rule of the chip ACL entry includes: responding to the coincidence of the binding point and the rule of the chip ACL table item, and not operating; and in response to the fact that the binding points are not coincident with the rules of the ACL table items of the chip, creating or deleting the ACL of the chip corresponding to the binding points, and updating the linked list.
In some embodiments, the creating or deleting the chip ACL corresponding to the binding point includes: responding to the configuration request for adding the binding point, creating a rule capable of matching a chip ACL table item and a chip ACL of a new binding point, and recording the rule and the chip ACL into the linked list; and responding to the configuration request for deleting the binding point, traversing the linked list, and determining and deleting all chip ACLs and corresponding linked list members which accord with the binding point.
If the operation is the operation of adding the binding point, whether the binding point is overlapped with the rule of the table entry or not is checked, and the overlapping does not need to be operated. Otherwise, a new chip ACL is created, which can match the ACL rule and the new binding point at the same time, and is recorded in the linked list.
If the operation is deleting the binding point, whether the binding point is overlapped with the rule of the table entry is also checked, and no operation is needed if the binding point is overlapped with the rule of the table entry, because the binding point is not added. Otherwise, the linked list is traversed, all chip ACL table items which accord with the binding point are deleted, and the linked list is cleaned.
In response to the configuration request being a configuration rule, the corresponding chip ACL is processed according to the number of binding points.
In some embodiments, said processing the corresponding chip ACL according to the number of binding points comprises: in response to no binding point, creating a chip ACL meeting the user requirement or deleting a corresponding chip ACL table item, and updating the linked list; and in response to the existence of the binding points, creating a chip ACL table item or deleting a corresponding chip ACL for each binding point, and updating the linked list.
In some embodiments, the creating a chip ACL meeting the user requirement or deleting a corresponding chip ACL entry includes: responding to the configuration request to create the user ACL, configuring the ACL meeting the user requirement in the chip, responding to the coincidence of the rule of the ACL and the function of the binding point, and enabling the ACL in the chip; and responding to the configuration request for deleting the user ACL, deleting the corresponding chip ACL table item and deleting the corresponding record from the linked list.
In some embodiments, creating a chip ACL that meets the user requirements or deleting a corresponding chip ACL entry includes: and adding a new node in the linked list, and recording the corresponding relation between the chip ACL and the user ACL.
A user ACL is configured without a binding point: if the operation is a creating operation, an ACL meeting the requirement of a user is configured in the chip, and then whether the rule of the ACL is coincided with the function of the binding point (the rule is matched with the port, the aggregation and the VLAN) is checked, if so, the ACL is enabled in the chip, otherwise, the ACL is not enabled. Finally, recording and adding the data into a linked list; if the operation is deleting, deleting the corresponding chip ACL table entry. And finally finding and deleting the record from the linked list.
In some embodiments, creating a chip ACL entry for each binding point or deleting the corresponding chip ACL from the linked list includes: responding to the configuration request to create the user ACL, creating a chip ACL list item for each binding point, and matching a user ACL rule with each chip ACL list item; and responding to the configuration request for deleting the user ACL, determining a corresponding chip ACL list item ID in the linked list, and deleting the chip ACL according to the corresponding chip ACL list item ID.
A user ACL is configured with the binding point already: if the operation is a creation operation, a chip ACL entry needs to be created for each binding point, each entry matches the binding point and the user ACL rules, and if the rules themselves have matched ports, aggregations, and VLANs and are not coincident with existing binding points, an entry is also created. Finally, all the data are added into a linked list; if the operation is deletion, finding the corresponding chip ACL list item ID in the linked list, deleting the chip ACL, and deleting the record in the linked list.
Different scenes are verified according to the embodiment of the invention:
a first verification scenario:
step one, configuring an ACLlist and an ACLrule on a switch, binding an aggregation trunk1 and a port1 at the same time, then adding the port1 into the trunk1, and printing a message which accords with the ACL rule, wherein the result is that the ACL rule can take effect on the port;
secondly, port1 is removed from trunk1, and as a result, the ACL rule can still take effect on port1, thus proving the effectiveness of the embodiment of the invention;
a second verification scenario:
step one, configuring ACL list and ACL rule on an exchanger, binding vlan1 and port1 at the same time, then adding vlan1 into port1, and printing a message meeting the ACL rule, so that the ACL rule can take effect on port1 or other member ports of vlan 1;
and secondly, deleting all ports from the vlan1, so that the ACL rule can only take effect on the port1 and cannot take effect on the port removed from the vlan 1. The effectiveness of embodiments of the present invention was also demonstrated.
If the binding points of the same type, such as ports, can be replaced by bitmaps, multiple chip ACL entries are not required to be created when multiple ports are bound, and the same is true for VLAN and port aggregation.
When a user configures an ACL table item with a plurality of binding points or adds a new binding point to the ACL table item of the existing binding point, the embodiment of the invention creates an ACL table item invisible to the user for each binding point on the chip, and when the user deletes the ACL table item or unbinds the ACL table item, the table lookup finds the corresponding hardware ACL to perform corresponding adjustment, thereby cutting off the possible dependency relationship between the binding points, having more clear logic, being realized without depending on a specific chip, and being more easy to use for the user.
It should be particularly noted that, the steps in the embodiments of the method for processing an ACL described above can be mutually intersected, replaced, added, or deleted, and therefore, these methods for processing an ACL that are reasonably transformed by permutation and combination should also belong to the scope of the present invention, and should not limit the scope of the present invention to the embodiments.
In view of the above object, according to a second aspect of the embodiments of the present invention, a system for processing an ACL is provided. As shown in FIG. 2, system 200 includes the following modules: the linked list module is configured for creating structural bodies for the chip ACL, recording the chip ACL list item ID, the corresponding user ACL list item ID and the rule corresponding to the chip ACL list item in each structural body, and generating a linked list according to all the structural bodies; a determining module configured to determine, in response to receiving a configuration request, whether the configuration request is to configure a binding point or a configuration rule; the first processing module is configured to respond to the configuration request that the configuration request is a configuration binding point, and process the corresponding chip ACL according to the relation between the binding point and the rule of the chip ACL table item; and a second processing module configured to process the corresponding chip ACL according to the number of binding points in response to the configuration request being a configuration rule.
In some embodiments, the first processing module is configured to: responding to the superposition of the binding point and the rule of the chip ACL table item, and not operating; and in response to the fact that the binding points are not coincident with the rules of the ACL table items of the chip, creating or deleting the ACL of the chip corresponding to the binding points, and updating the linked list.
In some embodiments, the first processing module is configured to: responding to the configuration request for adding the binding point, creating a rule capable of matching a chip ACL table item and a chip ACL of a new binding point, and recording the rule and the chip ACL into the linked list; and traversing the linked list in response to the configuration request for deleting the binding point, and determining and deleting all chip ACLs and corresponding linked list members which accord with the binding point.
In some embodiments, the second processing module is configured to: in response to the fact that no binding point exists, a chip ACL meeting the user requirement is created or a corresponding chip ACL entry is deleted, and the linked list is updated; and responding to the existence of the binding points, respectively creating a chip ACL table item for each binding point or deleting the corresponding chip ACL, and updating the linked list.
In some embodiments, the second processing module is configured to: responding to the configuration request to create a user ACL, configuring the ACL meeting the user requirement in the chip, responding to the coincidence of the rule of the ACL and the function of the binding point, and enabling the ACL in the chip; and responding to the configuration request for deleting the user ACL, deleting the corresponding chip ACL list item and deleting the corresponding record from the linked list.
In some embodiments, the second processing module is configured to: and adding a new node in the linked list, and recording the corresponding relation between the chip ACL and the user ACL.
In some embodiments, the second processing module is configured to: responding to the configuration request to create a user ACL, creating a chip ACL table item for each binding point, and matching a user ACL rule with each chip ACL table item; and responding to the configuration request for deleting the user ACL, determining a corresponding chip ACL table item ID in the linked list, and deleting the chip ACL according to the corresponding chip ACL table item ID.
In view of the above object, a third aspect of the embodiments of the present invention provides a computer device, including: at least one processor; and a memory storing computer instructions executable on the processor, the instructions being executable by the processor to perform the steps of: s1, building structural bodies for the ACL of the chip, recording the ID of the ACL table items of the chip, the ID of the corresponding ACL table items of the user and the rule corresponding to the ACL table items of the chip in each structural body, and generating a linked list according to all the structural bodies; s2, responding to the received configuration request, and judging whether the configuration request is a configuration binding point or a configuration rule; s3, responding to the configuration request that the binding point is configured, and processing the corresponding chip ACL according to the relation between the binding point and the rules of the chip ACL list items; and S4, responding to the configuration request as a configuration rule, and processing the corresponding chip ACL according to the number of the binding points.
In some embodiments, processing the corresponding chip ACL according to the relationship between the binding point and the rule of the chip ACL entry includes: responding to the superposition of the binding point and the rule of the chip ACL table item, and not operating; and in response to the fact that the binding points are not coincident with the rules of the ACL table items of the chip, creating or deleting the ACL of the chip corresponding to the binding points, and updating the linked list.
In some embodiments, the creating or deleting the chip ACL corresponding to the binding point includes: responding to the configuration request for adding the binding point, creating a rule capable of matching a chip ACL table item and a chip ACL of a new binding point, and recording the rule and the chip ACL into the linked list; and responding to the configuration request for deleting the binding point, traversing the linked list, and determining and deleting all chip ACLs and corresponding linked list members which accord with the binding point.
In some embodiments, said processing the corresponding chip ACL according to the number of binding points comprises: in response to no binding point, creating a chip ACL meeting the user requirement or deleting a corresponding chip ACL table item, and updating the linked list; and responding to the existence of the binding points, respectively creating a chip ACL table item for each binding point or deleting the corresponding chip ACL, and updating the linked list.
In some embodiments, the creating a chip ACL meeting the user requirement or deleting a corresponding chip ACL entry includes: responding to the configuration request to create the user ACL, configuring the ACL meeting the user requirement in the chip, responding to the coincidence of the rule of the ACL and the function of the binding point, and enabling the ACL in the chip; and responding to the configuration request for deleting the user ACL, deleting the corresponding chip ACL table item and deleting the corresponding record from the linked list.
In some embodiments, the creating a chip ACL that meets the user requirement or deleting a corresponding chip ACL entry includes: and adding a node in the linked list, and recording the corresponding relation between the chip ACL and the user ACL.
In some embodiments, creating a chip ACL entry or deleting a corresponding chip ACL for each binding point includes: responding to the configuration request to create a user ACL, creating a chip ACL table item for each binding point, and matching a user ACL rule with each chip ACL table item; and responding to the configuration request for deleting the user ACL, determining a corresponding chip ACL table item ID in the linked list, and deleting the chip ACL according to the corresponding chip ACL table item ID.
Fig. 3 is a schematic diagram illustrating a hardware structure of an embodiment of the computer device for processing an ACL according to the present invention.
Taking the apparatus shown in fig. 3 as an example, the apparatus includes a processor 301 and a memory 302.
The processor 301 and the memory 302 may be connected by a bus or other means, and fig. 3 illustrates a connection by a bus as an example.
The memory 302 is used as a non-volatile computer readable storage medium, and can be used to store non-volatile software programs, non-volatile computer executable programs, and modules, such as program instructions/modules corresponding to the method for processing ACL in the embodiment of the present application. The processor 301 executes various functional applications of the server and data processing, i.e., implements a method of processing the ACL, by running nonvolatile software programs, instructions, and modules stored in the memory 302.
The memory 302 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created according to use of a method of processing an ACL, and the like. Further, the memory 302 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some embodiments, memory 302 optionally includes memory located remotely from processor 301, which may be connected to a local module via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
One or more computer instructions 303 corresponding to a method of processing an ACL are stored in the memory 302 and when executed by the processor 301 perform the method of processing an ACL in any of the method embodiments described above.
Any embodiment of a computer device implementing the method for processing an ACL described above may achieve the same or similar effects as any of the preceding method embodiments corresponding thereto.
The present invention also provides a computer-readable storage medium storing a computer program that, when executed by a processor, performs a method of processing an ACL.
Fig. 4 is a schematic diagram of an embodiment of the computer storage medium for processing an ACL according to the present invention. Taking the computer storage medium as shown in fig. 4 as an example, the computer readable storage medium 401 stores a computer program 402 which, when executed by a processor, performs the method as described above.
Finally, it should be noted that, as those skilled in the art can understand, all or part of the processes in the methods of the above embodiments can be implemented by instructing relevant hardware by a computer program, and the program of the method for processing an ACL can be stored in a computer readable storage medium, and when executed, the program can include the processes of the embodiments of the methods as described above. The storage medium of the program may be a magnetic disk, an optical disk, a Read Only Memory (ROM), a Random Access Memory (RAM), or the like. The embodiments of the computer program may achieve the same or similar effects as any of the above-described method embodiments.
The foregoing are exemplary embodiments of the present disclosure, but it should be noted that various changes and modifications could be made herein without departing from the scope of the present disclosure as defined by the appended claims. The functions, steps and/or actions of the method claims in accordance with the disclosed embodiments described herein need not be performed in any particular order. Furthermore, although elements of the disclosed embodiments of the invention may be described or claimed in the singular, the plural is contemplated unless limitation to the singular is explicitly stated.
It should be understood that, as used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly supports the exception. It should also be understood that "and/or" as used herein is meant to include any and all possible combinations of one or more of the associated listed items.
The numbers of the embodiments disclosed in the above embodiments of the present invention are merely for description, and do not represent the advantages or disadvantages of the embodiments.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, and the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
Those of ordinary skill in the art will understand that: the discussion of any embodiment above is meant to be exemplary only, and is not intended to intimate that the scope of the disclosure, including the claims, of embodiments of the invention is limited to these examples; within the idea of an embodiment of the invention, also combinations between technical features in the above embodiments or in different embodiments are possible, and there are many other variations of the different aspects of the embodiments of the invention as described above, which are not provided in detail for the sake of brevity. Therefore, any omissions, modifications, substitutions, improvements, and the like that may be made without departing from the spirit and principles of the embodiments of the present invention are intended to be included within the scope of the embodiments of the present invention.
Claims (10)
1. A method of processing an ACL, comprising the steps of:
creating structural bodies for the chip ACL, recording the ID of the ACL table items of the chip, the ID of the corresponding ACL table items of the user and the rule corresponding to the ACL table items of the chip in each structural body, and generating a linked list according to all the structural bodies;
in response to receiving a configuration request, determining whether the configuration request is to configure an attachment point or a configuration rule;
responding to the configuration request that a binding point is configured, and processing a corresponding chip ACL according to the relation between the binding point and the rules of the chip ACL list items; and
in response to the configuration request being a configuration rule, the corresponding chip ACL is processed according to the number of binding points.
2. The method of claim 1, wherein processing the corresponding chip ACL according to the relationship of the binding points and the rules of the chip ACL entries comprises:
responding to the coincidence of the binding point and the rule of the chip ACL table item, and not operating; and
and in response to the fact that the binding points are not coincident with the rules of the ACL items of the chip, creating or deleting the ACL corresponding to the binding points, and updating the linked list.
3. The method according to claim 2, wherein the creating or deleting the chip ACL corresponding to the binding point comprises:
responding to the configuration request for adding the binding point, creating a rule capable of matching a chip ACL table item and a chip ACL of a new binding point, and recording the rule and the chip ACL into the linked list; and
and responding to the configuration request for deleting the binding point, traversing the linked list, and determining and deleting all chip ACLs conforming to the binding point and corresponding linked list members.
4. The method of claim 1, wherein said processing the corresponding chip ACL according to the number of binding points comprises:
in response to no binding point, creating a chip ACL meeting the user requirement or deleting a corresponding chip ACL table item, and updating the linked list; and
and in response to the existence of the binding points, creating a chip ACL table item or deleting a corresponding chip ACL for each binding point, and updating the linked list.
5. The method of claim 4, wherein creating a chip ACL that meets user requirements or deleting corresponding chip ACL entries comprises:
responding to the configuration request to create a user ACL, configuring the ACL meeting the user requirement in the chip, responding to the coincidence of the rule of the ACL and the function of the binding point, and enabling the ACL in the chip; and
and responding to the configuration request for deleting the user ACL, deleting the corresponding chip ACL table item and deleting the corresponding record from the linked list.
6. The method of claim 5, wherein creating a chip ACL that meets user requirements or deleting corresponding chip ACL entries comprises:
and adding a node in the linked list, and recording the corresponding relation between the chip ACL and the user ACL.
7. The method of claim 4, wherein creating a chip ACL entry or deleting a corresponding chip ACL for each binding point comprises:
responding to the configuration request to create a user ACL, creating a chip ACL table item for each binding point, and matching a user ACL rule with each chip ACL table item; and
and responding to the configuration request for deleting the user ACL, determining a corresponding chip ACL table item ID in the linked list, and deleting the chip ACL according to the corresponding chip ACL table item ID.
8. A system for processing an ACL, comprising:
the linked list module is configured for creating structural bodies for the chip ACL, recording the chip ACL list item ID, the corresponding user ACL list item ID and the rule corresponding to the chip ACL list item in each structural body, and generating a linked list according to all the structural bodies;
a determining module configured to determine, in response to receiving a configuration request, whether the configuration request is to configure an attachment point or a configuration rule;
the first processing module is configured to respond to the configuration request that the configuration request is a configuration binding point, and process the corresponding chip ACL according to the relation between the binding point and the rule of the chip ACL table item; and
and the second processing module is configured to respond to the configuration request being a configuration rule, and process the corresponding chip ACL according to the number of the binding points.
9. A computer device, comprising:
at least one processor; and
a memory storing computer instructions executable on the processor, the instructions when executed by the processor implementing the steps of the method of any one of claims 1 to 7.
10. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211167658.2A CN115589389A (en) | 2022-09-23 | 2022-09-23 | Method, system, equipment and storage medium for processing ACL |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211167658.2A CN115589389A (en) | 2022-09-23 | 2022-09-23 | Method, system, equipment and storage medium for processing ACL |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN115589389A true CN115589389A (en) | 2023-01-10 |
Family
ID=84778229
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202211167658.2A Pending CN115589389A (en) | 2022-09-23 | 2022-09-23 | Method, system, equipment and storage medium for processing ACL |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115589389A (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115865839A (en) * | 2023-01-20 | 2023-03-28 | 苏州浪潮智能科技有限公司 | ACL management method, device, communication equipment and storage medium |
| CN116016387A (en) * | 2023-03-10 | 2023-04-25 | 苏州浪潮智能科技有限公司 | Access control list effective control method, device, equipment and storage medium |
-
2022
- 2022-09-23 CN CN202211167658.2A patent/CN115589389A/en active Pending
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115865839A (en) * | 2023-01-20 | 2023-03-28 | 苏州浪潮智能科技有限公司 | ACL management method, device, communication equipment and storage medium |
| CN116016387A (en) * | 2023-03-10 | 2023-04-25 | 苏州浪潮智能科技有限公司 | Access control list effective control method, device, equipment and storage medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN115589389A (en) | Method, system, equipment and storage medium for processing ACL | |
| US20160212048A1 (en) | Openflow service chain data packet routing using tables | |
| US10193861B2 (en) | Method and apparatus for best effort propagation of security group information | |
| US9906496B2 (en) | Zone-based firewall policy model for a virtualized data center | |
| US9860254B2 (en) | Method and apparatus for providing network security using role-based access control | |
| US10601702B1 (en) | Flexible packet replication and filtering for multicast/broadcast | |
| WO2020073685A1 (en) | Forwarding path determining method, apparatus and system, computer device, and storage medium | |
| US10848457B2 (en) | Method and system for cross-zone network traffic between different zones using virtual network identifiers and virtual layer-2 broadcast domains | |
| US10855733B2 (en) | Method and system for inspecting unicast network traffic between end points residing within a same zone | |
| CN110808924B (en) | Chip loopback message processing method, device and storage medium | |
| CN106254245A (en) | A kind of method and device managing list item | |
| CN116545665A (en) | Safe drainage method, system, equipment and medium | |
| CN112737850B (en) | Mutually exclusive access method and device | |
| US11775342B2 (en) | System and method for processing information hierarchy management | |
| CN114374637B (en) | Routing processing method and device | |
| CN114285907A (en) | Data transmission method and device, electronic equipment and storage medium | |
| CN1822565A (en) | Network with MAC table overflow protection | |
| CN117614887B (en) | Method and device for transmitting BGP community attribute values in OSPF | |
| US10749789B2 (en) | Method and system for inspecting broadcast network traffic between end points residing within a same zone | |
| US11025539B1 (en) | Overlay network hardware service chaining | |
| CN117221102A (en) | Dumb terminal management method and device | |
| Alsaleh et al. | Towards a unified modeling and verification of network and system security configurations | |
| CN116886395A (en) | Configuration method and device of access control list rule and nonvolatile storage medium | |
| CN115733699A (en) | Method and system for processing black and white list of domain name, electronic equipment and storage medium | |
| CN117201640A (en) | Method for processing message, communication device and communication system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |