CN117081805A - Method and device for issuing chip white list - Google Patents

Method and device for issuing chip white list

Info

Publication number: CN117081805A
Authority: CN (China)
Prior art keywords: rule, type, message, forwarded, issuing
Legal status: Pending
Application number: CN202311042524.2A
Other languages: Chinese (zh)
Inventors: 李胜奇, 贾聿庸, 欧亮, 李杰群, 党卫谦
Current Assignee: China Telecom Intelligent Network Technology Co ltd
Original Assignee: China Telecom Intelligent Network Technology Co ltd
Application filed by China Telecom Intelligent Network Technology Co ltd; priority to CN202311042524.2A; published as CN117081805A; legal status pending

Classifications

    • G06F18/24 Classification techniques (G06F electric digital data processing; G06F18/00 pattern recognition; G06F18/20 analysing)
    • G06F16/9014 Hash tables and G06F16/9027 Trees (G06F16/901 indexing; data structures therefor; storage structures)
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database (G06F21/00 security arrangements; G06F21/60 protecting data)
    • H04L63/101 Access control lists [ACL] and H04L63/102 Entity profiles (H04L63/10 controlling access to devices or network resources)
    • H04L9/40 Network security protocols
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices


Abstract

The application discloses a method and a device for issuing a chip whitelist. The method comprises the following steps: acquiring a whitelist configuration file to be issued; dividing the rules in the whitelist configuration file into a first type of rule and a second type of rule according to whether they contain a mask, wherein the first type and the second type are matched against a packet to be forwarded in different ways; and issuing the first type of rule through a ternary content addressable memory (TCAM) and the second type of rule through a preset memory. The application solves the technical problem in the related art of low whitelist issuing efficiency caused by the scarce TCAM resources of the forwarding chip.

Description

Method and device for issuing chip white list
Technical Field
The application relates to the technical field of networks, in particular to a method and a device for issuing a chip white list.
Background
When a forwarding chip faces an ever-growing number of ACLs (Access Control Lists), the chip functions that are implemented on top of ACLs, such as punting packets to the CPU and issuing whitelists, are limited by the insufficient resources of the chip's TCAM (ternary content addressable memory). At the same time, because of the constraints of the chip's packet-processing pipeline and the dependencies among the various services, the internal implementation of the ACL memory is complex and limited, and the efficiency of whitelist issuing drops.
In view of the above problems, no effective solution has been proposed at present.
Disclosure of Invention
The embodiment of the application provides a method and a device for issuing a chip whitelist, which at least solve the technical problem in the related art of low whitelist issuing efficiency caused by the scarce TCAM resources of a forwarding chip.
According to one aspect of the embodiment of the present application, there is provided a method for issuing a chip whitelist, including: acquiring a whitelist configuration file to be issued; dividing the rules in the whitelist configuration file into a first type of rule and a second type of rule according to whether they contain a mask, wherein the first type and the second type are matched against a packet to be forwarded in different ways; and issuing the first type of rule through a ternary content addressable memory (TCAM), and issuing the second type of rule through a preset memory.
Optionally, dividing the rules in the whitelist configuration file into a first type of rule and a second type of rule according to whether they contain a mask includes: determining the rules in the whitelist configuration file in which some of the characters are masked to be the first type of rule; and determining the rules in which all characters are masked, together with the rules in which no character is masked, to be the second type of rule.
Optionally, issuing the second type of rule through the preset memory includes: determining the rules of the second type that belong to a first IP protocol to be a third type of rule; determining the rules of the second type that belong to a second IP protocol to be a fourth type of rule; and issuing the third type of rule directly while compressing the fourth type of rule before issuing it, wherein the first IP protocol and the second IP protocol are different versions of IP.
Optionally, compressing the fourth type of rule before issuing it includes: generating a reverse path forwarding (RPF) table entry corresponding to the fourth type of rule from the source IP address (SIP) and the virtual routing and forwarding (VRF) instance corresponding to the rule; and determining that RPF entry to be the matching field corresponding to the fourth type of rule, and issuing the matching field.
Optionally, the method further includes: receiving a packet to be forwarded; and, when the packet to be forwarded belongs to the first IP protocol, matching the packet against the third type of rule and forwarding the packet once the match is completed.
Optionally, when the packet to be forwarded belongs to the second IP protocol, the method includes: modifying the forwarding information of the packet and the VRF corresponding to the packet so that the packet is looped back, wherein the modified VRF of the packet is consistent with the RPF table entry corresponding to the fourth type of rule.
Optionally, after the packet to be forwarded has completed the loop-back, the method further includes: lowering the forwarding priority of the packet; matching the packet against the matching field corresponding to the fourth type of rule; and, once that match is completed, raising the priority of the packet so that it is forwarded.
According to another aspect of the embodiment of the present application, there is also provided a device for issuing a chip whitelist, including: an acquisition module for acquiring the whitelist configuration file to be issued; a classification module for dividing the rules in the whitelist configuration file into a first type of rule and a second type of rule according to whether they contain a mask, the first type and the second type being matched against a packet to be forwarded in different ways; and an issuing module for issuing the first type of rule through the TCAM and the second type of rule through the preset memory.
According to still another aspect of the embodiment of the present application, there is also provided an electronic device including: a memory for storing program instructions; and a processor coupled to the memory and configured to execute the program instructions so as to: acquire a whitelist configuration file to be issued; divide the rules in the whitelist configuration file into a first type of rule and a second type of rule according to whether they contain a mask, the first type and the second type being matched against a packet to be forwarded in different ways; and issue the first type of rule through a ternary content addressable memory (TCAM) and the second type of rule through a preset memory.
According to still another aspect of the embodiments of the present application, there is further provided a non-volatile storage medium that stores a computer program, wherein the device on which the non-volatile storage medium resides executes the method for issuing the chip whitelist by running the computer program.
In the embodiment of the application, a whitelist configuration file to be issued is acquired; the rules in the file are divided into a first type and a second type according to whether they contain a mask, the two types being matched against a packet to be forwarded in different ways; the first type of rule is issued through a ternary content addressable memory (TCAM) and the second type through a preset memory. Because the rules are classified and then issued through different memories, TCAM resource usage is reduced, whitelist issuing efficiency is improved, and the technical problem in the related art of low whitelist issuing efficiency caused by the scarce TCAM resources of the forwarding chip is solved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute a limitation on the application. In the drawings:
fig. 1 is a hardware block diagram of a computer terminal for implementing a method for issuing a chip whitelist according to an embodiment of the present application;
FIG. 2 is a flow chart of a method for issuing a chip whitelist according to the present application;
FIG. 3 is a schematic diagram of a method for issuing a chip whitelist in the related art;
FIG. 4 is a flowchart of another method for issuing a chip whitelist according to an embodiment of the application;
fig. 5 is a block diagram of a chip whitelist issuing apparatus according to an embodiment of the present application.
Detailed Description
In order that those skilled in the art will better understand the present application, a technical solution in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present application without making any inventive effort, shall fall within the scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present application and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the application described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
In the related art, a traditional whitelist issuing system first issues a configured whitelist, or a whitelist configuration file delivered by a network protocol, and then stores the issued rules in an ACL storage module, where every rule is stored in the TCAM with a mask. The TCAM is an expensive and scarce hardware resource that consumes a large amount of power; issuing every rule through the TCAM exhausts TCAM resources quickly and lowers the issuing efficiency of subsequent rules. To solve these problems and improve issuing efficiency, the embodiment of the application provides a method for issuing a chip whitelist, which can run on the computer terminal shown in fig. 1 and is described in detail below.
The method for issuing the chip whitelist provided by the embodiment of the application can be executed on a mobile terminal, a computer terminal or a similar computing device. Fig. 1 shows a hardware block diagram of a computer terminal for implementing the method. As shown in fig. 1, the computer terminal 10 may include one or more processors (shown as 102a, 102b, …, 102n in the figure), which may include but are not limited to a processing device such as a microprocessor (MCU) or a programmable logic device (FPGA), a memory 104 for storing data, and a transmission module 106 for communication functions. In addition, the computer terminal 10 may further include a display, a keyboard, a cursor control device, an input/output interface (I/O interface), a Universal Serial Bus (USB) port (which may be one of the ports of the I/O interface), a network interface, and a bus. Those of ordinary skill in the art will appreciate that the configuration shown in fig. 1 is merely illustrative and does not limit the configuration of the electronic device described above. For example, the computer terminal 10 may include more or fewer components than shown in fig. 1, or have a different configuration.
It should be noted that the one or more processors and/or other data processing circuits described above may be referred to herein generally as "data processing circuits". The data processing circuit may be embodied in whole or in part in software, hardware, firmware or any combination of these. Furthermore, the data processing circuit may be a single stand-alone processing module, or may be incorporated in whole or in part into any of the other elements of the computer terminal 10. As used in the embodiments of the application, the data processing circuit serves as a kind of processor control (e.g., selection of a variable-resistance termination path connected to the interface).
The memory 104 may be used to store software programs and modules of application software, such as program instructions/data storage devices corresponding to the method for issuing a chip whitelist in the embodiment of the present application, and the processor executes various functional applications and data processing by running the software programs and modules stored in the memory 104, that is, implements the method for issuing a chip whitelist described above. Memory 104 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor, which may be connected to the computer terminal 10 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission module 106 is used to receive or transmit data via a network. The specific examples of the network described above may include a wireless network provided by a communication provider of the computer terminal 10. In one example, the transmission module 106 includes a network adapter (Network Interface Controller, NIC) that can connect to other network devices through a base station to communicate with the internet. In one example, the transmission module 106 may be a Radio Frequency (RF) module for communicating with the internet wirelessly.
The display may be, for example, a touch screen type Liquid Crystal Display (LCD) that may enable a user to interact with a user interface of the computer terminal 10.
It should be noted here that, in some alternative embodiments, the computer device shown in fig. 1 described above may include hardware elements (including circuits), software elements (including computer code stored on a computer readable medium), or a combination of both hardware and software elements. It should be noted that fig. 1 is only one example of a specific example, and is intended to illustrate the types of components that may be present in the computer devices described above.
In the above-described operating environment, embodiments of the present application provide an embodiment of a method for issuing a chip whitelist, and it should be noted that the steps illustrated in the flowchart of the drawings may be performed in a computer system such as a set of computer-executable instructions, and that, although a logical order is illustrated in the flowchart, in some cases, the steps illustrated or described may be performed in an order other than that illustrated herein.
Fig. 2 is a flowchart of a method for issuing a chip whitelist according to an embodiment of the present application, as shown in fig. 2, the method includes the following steps:
step S202, acquiring a white list configuration file to be issued;
in the above step S202, the white list configuration file includes various rules for restricting access to a certain system, service or resource only to the users or IP addresses in the white list. By configuring the white list, the security of the system can be improved, and unauthorized users are prevented from accessing sensitive data or functions; but may also be used to restrict access to a certain system, service or resource to only users or IP addresses in the white list. The flow of the access system or service can be controlled by configuring the white list, malicious access or overload request is prevented, and the normal operation of the system is ensured; it may also be used to grant a particular user or IP address access to a certain system, service or resource. By configuring the whitelist, the rights of the user can be managed, ensuring that only authorized users can use the system or service.
In an alternative embodiment, the rules in the whitelist configuration file may be set according to the requirement, for example, the source IP address of the message may be limited. The above description is given by way of example only and is not meant to be limiting.
Step S204, dividing rules in the white list configuration file into a first type rule and a second type rule according to whether masks are contained, wherein the first type rule and the second type rule are different from a mode of matching a message to be forwarded;
the first type of rules adopts a mask matching mode, and the second type of rules adopts a full word matching mode.
In step S204, the rule in the white list configuration file is used as an example of the IP address, and the rule is stored in the clear text or stored in the mask.
In step S206, the first type rule is issued through the TCAM, and the second type rule is issued through the preset memory.
In the step S206, the preset memory may be a common memory with lower cost, larger memory space and simpler structure.
It will be appreciated that TCAMs are a scarce hardware resource that is relatively expensive to build and consumes a large amount of power. As such, TCAMs tend to be small and the use of TCAMs must be carefully managed. Algorithms based on exact match hashes typically do not require the use of special memory, such as TCAMs.
With the method for issuing the chip whitelist in steps S202 to S206, the rules in the whitelist configuration file are classified and then issued through different memories, which reduces the use of TCAM resources, improves whitelist issuing efficiency, and solves the technical problem in the related art of low whitelist issuing efficiency caused by the scarce TCAM resources of the forwarding chip. A detailed description follows.
Fig. 3 shows the flow of issuing a whitelist configuration file in the related art. As shown in fig. 3, a configured whitelist, or a whitelist issued by a network protocol, is issued through a whitelist configuration issuing module; the issued rules are then stored in an ACL storage module, in the TCAM and with masks; and when a packet to be forwarded (incoming packet) enters the ACL matching module through the chip pipeline, matching an ACL rule modifies the packet's internal priority to complete traffic scheduling and modifies the packet's forwarding information to punt it to the CPU or forward it.
As the related-art flow shows, every rule in the whitelist configuration file is stored in the TCAM with a mask, which puts great pressure on TCAM resources; as the number of issued whitelist configuration files grows, the efficiency of issuing them falls.
In step S204 of the method for issuing the chip whitelist, the rules in the whitelist configuration file are divided into a first type of rule and a second type of rule according to whether they contain a mask, specifically as follows: the rules in the whitelist configuration file in which some of the characters are masked are determined to be the first type of rule; and the rules in which all characters are masked, together with the rules in which no character is masked, are determined to be the second type of rule.
For example, consider an 8-bit TCAM entry in which the first three bits are fixed and the last five bits are wildcards. The mask may be written as 111XXXXX, where the first three bits must match 1 and the last five bits may take any value, so the entry matches 11100000, 11111111, 11101010 and so on. Such a partly masked rule is a first-type rule; a rule written as XXXXXXXX (every bit masked, matching anything) or as 11101010 (no bit masked, an exact value) is a second-type rule and needs no ternary lookup.
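To make the classification concrete, the following Python is an added worked example, not code from the patent: it parses address rules given either with a prefix length or with an explicit mask (explicit masks may be non-contiguous, which prefix notation cannot express), sorts each rule into the first type (partial mask, TCAM) or the second type (all bits masked or no bits masked, exact-match memory), and shows the ternary comparison a TCAM entry performs. The rule syntax, the type labels and the helper names are the example's own assumptions.

```python
import ipaddress

# Type labels are the example's own names for the patent's "first type"
# (partial mask, issued to the TCAM) and "second type" (fully masked or
# unmasked, issued to the exact-match memory).
FIRST_TYPE = "first_type_tcam"
SECOND_TYPE = "second_type_exact"


def parse_rule(rule: str):
    """Parse 'addr', 'addr/prefixlen' or 'addr/mask' (mask may be non-contiguous).

    Returns (ip_version, value, mask, width) with the value already masked.
    """
    addr_s, _, mask_s = rule.partition("/")
    addr = ipaddress.ip_address(addr_s)
    width = addr.max_prefixlen                 # 32 for IPv4, 128 for IPv6
    full = (1 << width) - 1
    if mask_s == "":
        mask = full                            # bare address: exact match
    elif mask_s.isdigit():
        plen = int(mask_s)
        if not 0 <= plen <= width:
            raise ValueError(f"prefix length {plen} out of range in {rule!r}")
        mask = (full << (width - plen)) & full
    else:
        m = ipaddress.ip_address(mask_s)
        if m.version != addr.version:
            raise ValueError(f"address/mask version mismatch in {rule!r}")
        mask = int(m)
    return addr.version, int(addr) & mask, mask, width


def mask_kind(mask: int, width: int) -> str:
    """'none_masked': every bit fixed; 'all_masked': every bit wildcard; else 'partial'."""
    full = (1 << width) - 1
    if mask == full:
        return "none_masked"
    if mask == 0:
        return "all_masked"
    return "partial"


def classify_rule(rule: str) -> str:
    """Step S204: only a partially masked rule needs the ternary lookup of a TCAM."""
    _, _, mask, width = parse_rule(rule)
    return FIRST_TYPE if mask_kind(mask, width) == "partial" else SECOND_TYPE


def tcam_match(key: int, value: int, mask: int) -> bool:
    """Ternary comparison as a TCAM entry performs it: masked-out bits are ignored."""
    return (key & mask) == (value & mask)


def split_whitelist(rules):
    """Divide a whitelist into the TCAM group and the exact-match group."""
    tcam, exact = [], []
    for rule in rules:
        (tcam if classify_rule(rule) == FIRST_TYPE else exact).append(rule)
    return tcam, exact


if __name__ == "__main__":
    # Constructed sample whitelist, not from the patent.
    sample = ["10.1.0.0/16", "10.1.2.3/32", "0.0.0.0/0", "10.1.2.3/255.255.0.255",
              "2001:db8::/64", "2001:db8::1/128", "::/0"]
    tcam, exact = split_whitelist(sample)
    print("TCAM  :", tcam)
    print("exact :", exact)
    # The 8-bit entry 111XXXXX from the text: value 11100000, mask 11100000.
    print(tcam_match(0b11101010, 0b11100000, 0b11100000))   # True
```

Only the three rules with a partial mask end up in the TCAM group; the /32, /128 and /0 rules, and any bare address, are exact or match-anything entries that the exact-match memory can hold.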
In the above step, the second type rule is issued by the preset memory, which specifically includes the following steps: determining rules belonging to the first type of IP protocol in the second type of rules as third type of rules; determining rules belonging to the second class IP protocol in the second class rules as fourth class rules; and directly issuing the third type rule, compressing the fourth type rule and issuing, wherein the versions of the first type IP protocol and the second type IP protocol are different.
It should be noted that, the first type of IP protocol may be an IPV4 protocol, and the second type of IP protocol may be an IPV6 protocol.
In the above step, the fourth rule is compressed and issued, which specifically includes the following steps: generating a reverse path forwarding table (RPF) corresponding to the fourth type rule by using a Session Initiation Protocol (SIP) corresponding to the fourth type rule and a virtual routing forwarding table (VRF); and determining the RPF of the reverse path forwarding table as a matching field corresponding to the fourth type rule, and issuing the matching field.
The virtual route forwarding table VRF is used for creating a plurality of route tables on the three-layer forwarding equipment to realize the isolation of data and service; the reverse path forwarding table (RPF) is used for checking the reverse path of the data packet by the router. If the router finds a routing table entry matching the source address, the packet to be forwarded is forwarded to all other interfaces participating in the multicast group if the check passes.
It should be further noted that, through data compression, the fourth rule is fixed, so that the fourth rule is not repeated, and the field length corresponding to the rule is shortened due to data compression, and hash collision is not caused by overlong fields.
In some embodiments of the present application, after the rule corresponding to the white list configuration file is issued, the forwarding chip receives the message to be forwarded; and under the condition that the message to be forwarded belongs to the first type IP protocol, matching the message to be forwarded with a third type rule, and forwarding the message to be forwarded after the matching is completed.
Under the condition that the message to be forwarded belongs to the second type of IP protocol, the specific steps of message forwarding are as follows: and modifying the forwarding information of the message to be forwarded and the VRF corresponding to the message to be forwarded so as to enable the message to be forwarded to carry out loop-back, wherein the VRF modified by the message to be forwarded is consistent with the reverse path forwarding table RPF corresponding to the fourth type rule.
After the message to be forwarded completes the loop, the forwarding priority of the message to be forwarded is reduced; and matching the message to be forwarded with a matching field corresponding to the fourth type rule, and after the matching of the message to be forwarded and the matching field corresponding to the fourth type rule is completed, increasing the priority of the message to be forwarded so as to forward the message to be forwarded.
And when the message to be forwarded belongs to the second type of IP protocol, the message to be forwarded needs to pass through the chip assembly line twice to avoid conflict between the information of the reverse path forwarding table RPF corresponding to the fourth type of rule and the information of the route forwarding table of the message to be forwarded.
The routing forwarding table information refers to table information stored in the router for forwarding the packet. Each router maintains a routing forwarding table that includes the address of the destination network and the corresponding next-hop address. When the router receives a data packet, it searches the corresponding next-hop address in the forwarding table according to the destination address of the data packet, and forwards the data packet to the address. In this way, the packet can eventually reach the destination network through a series of routers. Updating of the routing forwarding table may be implemented by a dynamic routing protocol or manual configuration.
In some embodiments of the present application, the RPF information and the routing forwarding table lookup information are dependent on different routing protocols or routing policies, which may result in collisions if the routing information therebetween is inconsistent.
Fig. 4 is a flowchart illustrating another method for issuing a chip whitelist, where, as shown in fig. 4, a whitelist configuration file is issued from a whitelist configuration module to a verification distribution module, and multiple rules in the whitelist configuration file are divided into a first type rule and a second type rule according to whether a mask is included, for example: the method comprises the steps of determining that a part of characters in a rule contain masks as a first type of rule, determining that the method of matching with a message to be forwarded is mask matching (TCAM matching), determining that all characters in the rule are mask rules and all characters do not have mask rules as a second type of rule, issuing the first type of rule to a TCAM rule storage module in an ACL storage module, issuing the second type of rule to a data compression module, then normally issuing a third type of rule belonging to an IPV4 protocol in the second type of rule to an EM (precise matching) rule storage module, compressing a fourth type of rule belonging to an IPV6 protocol in the second type of rule and then issuing the fourth type of rule to the EM rule storage module, generating a reverse path forwarding table RPF corresponding to the fourth type of rule based on a session initiation protocol SIP and a virtual routing forwarding table VRF corresponding to the fourth type of rule, issuing the reverse path forwarding table RPF corresponding to the fourth type of rule as a matching field corresponding to the fourth type of rule, and issuing the matching field to the ACL storage matching module to the message to be forwarded.
It should be noted that the EM rule storage module may be shared with other table entry resources, but the stored field corresponding to a rule must be short: when the length of the stored field exceeds a preset length, hash collisions easily occur. The EM rule storage module can only perform full-word (exact) matching. In the hash table, each stored field is passed through a hash function to obtain an index value, and the field is stored at the corresponding index position; when the length of the stored field exceeds the preset length, the hash function may truncate the field and compute over only the part of the specified length. Different fields can then produce the same hash value, causing a hash collision. After data compression, the fourth type rule has a shorter field length, so it can be stored and issued using the EM rule storage module (the preset memory).
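A toy model of the split described in the two paragraphs above, added here as an example and not taken from the patent: it classifies rules by mask, shows how an uncompressed IPv6 field gets truncated to the EM key width and collides, and how a shortened field avoids that. Assumptions not on the page: the EM key width is 8 bytes, a rule is written as 'address/prefixlen' (or a bare address) with a VRF id, "all characters are masks" is read as a full-length mask, and compression is modelled as replacing the address with a short RPF identifier allocated per (source prefix, VRF).

```python
import hashlib
import ipaddress
from dataclasses import dataclass

EM_KEY_WIDTH = 8  # assumed key width (bytes) of the exact-match (EM) memory

@dataclass(frozen=True)
class Rule:  # whitelist entry: 'address/prefixlen' or bare address, plus a VRF id
    prefix: str
    vrf: int

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix, strict=False)

def mask_kind(rule: Rule) -> str:
    """no_mask / full_mask rules suit exact matching; partial_mask needs TCAM."""
    if "/" not in rule.prefix:
        return "no_mask"
    if rule.network.prefixlen == rule.network.max_prefixlen:
        return "full_mask"
    return "partial_mask"

def classify(rules):
    """First type (partial mask) -> TCAM; second type -> EM, split into third
    type (IPv4, issued as is) and fourth type (IPv6, compressed first)."""
    tcam, em_v4, em_v6 = [], [], []
    for r in rules:
        if mask_kind(r) == "partial_mask":
            tcam.append(r)
        elif r.network.version == 4:
            em_v4.append(r)
        else:
            em_v6.append(r)
    return tcam, em_v4, em_v6

def raw_em_key(rule: Rule) -> bytes:
    """Uncompressed EM field: packed address + 2-byte VRF (6 bytes v4, 18 bytes v6)."""
    return rule.network.network_address.packed + rule.vrf.to_bytes(2, "big")

def em_slot(key: bytes) -> int:
    """Model of the EM hash: a field longer than the key width is truncated
    before hashing, so long fields that share a prefix land in the same slot."""
    return int.from_bytes(hashlib.sha256(key[:EM_KEY_WIDTH]).digest()[:4], "big")

def compress(rule: Rule, rpf_ids: dict) -> bytes:
    """Assumed compression of a fourth type rule: the 16-byte address is replaced
    by a 4-byte RPF id allocated per (source prefix, VRF), so the issued field
    (6 bytes) fits the EM key width and is never truncated."""
    ident = rpf_ids.setdefault((rule.prefix, rule.vrf), len(rpf_ids) + 1)
    return ident.to_bytes(4, "big") + rule.vrf.to_bytes(2, "big")

def issue(rules, compress_v6=True):
    """Issue a rule set into the TCAM and EM tables and count EM hash collisions.
    compress_v6=False shows what happens if IPv6 fields are issued uncompressed."""
    tcam, em_v4, em_v6 = classify(rules)
    rpf_ids, em, collisions = {}, {}, 0
    for r in em_v4 + em_v6:
        key = compress(r, rpf_ids) if (r in em_v6 and compress_v6) else raw_em_key(r)
        slot = em_slot(key)
        collisions += slot in em and em[slot] != key  # same slot, different field
        em[slot] = key
    return {"tcam": tcam, "em": em, "rpf_ids": rpf_ids, "collisions": collisions}
```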
After the message to be forwarded (the incoming message) enters the ACL matching module: if the message to be forwarded belongs to the IPv4 protocol, it is matched against the third type rules belonging to the IPv4 protocol and uploaded to the CPU according to the information in the message;
if the message to be forwarded belongs to the IPv6 protocol, the forwarding information of the message to be forwarded and the VRF corresponding to it are modified according to the fourth type rule, so that the modified VRF of the message is consistent with the reverse path forwarding table RPF corresponding to the fourth type rule, and the message to be forwarded is then sent to the message loop-back module. This avoids a conflict between the information of the reverse path forwarding table RPF corresponding to the fourth type rule and the routing forwarding table information of the message to be forwarded.
After the message to be forwarded passes through the loop-back module, the loop-back module re-injects it at the entry of the chip pipeline, where it hits the forwarding rule with low priority. At the same time the message to be forwarded is matched against the matching field corresponding to the fourth type rule; when the match is completed, the priority of the message to be forwarded is raised so that it hits the rule with high priority and is forwarded.
It can be understood that the ACL matching module includes two forwarding rules with different priorities, and when the message hits the forwarding rule with a low priority, forwarding is suspended, and when the message hits the forwarding rule with a high priority, forwarding is performed.
Fig. 5 is a block diagram of a device for issuing a chip whitelist according to an embodiment of the present application, and as shown in fig. 5, the device includes:
the acquiring module 50 is configured to acquire a whitelist configuration file to be issued;
the classification module 52 is configured to divide the rules in the whitelist configuration file into first type rules and second type rules according to whether a mask is included, where the first type rules and the second type rules differ in the manner in which they are matched against the message to be forwarded;
the issuing module 54 is configured to issue the first type rule through the ternary content addressable memory TCAM and issue the second type rule through the preset memory.
The classification module 52 of the chip whitelist issuing device includes: a classification submodule, configured to determine the rules in the whitelist configuration file in which all characters are masks and the rules in which no characters are masks as first type rules, and to determine the rules in the whitelist configuration file in which only part of the characters are masks as second type rules;
the classification submodule comprises: an issuing unit, configured to determine the rules among the second type rules that belong to the first type IP protocol as third type rules, to determine the rules among the second type rules that belong to the second type IP protocol as fourth type rules, to issue the third type rules directly, and to compress the fourth type rules before issuing them, wherein the first type IP protocol and the second type IP protocol are different versions;
the issuing unit comprises: a transmitting subunit, configured to generate the reverse path forwarding table RPF corresponding to the fourth type rule from the session initiation protocol SIP and the virtual routing forwarding table VRF corresponding to the fourth type rule, to determine the reverse path forwarding table RPF as the matching field corresponding to the fourth type rule, and to issue the matching field;
the above device further comprises: a forwarding module, configured to receive the message to be forwarded and, in the case that the message to be forwarded belongs to the first type IP protocol, to match it against the third type rules and to forward it after the matching is completed;
the forwarding module comprises: a forwarding submodule, configured to modify the forwarding information of the message to be forwarded and the VRF corresponding to it so that the message to be forwarded is looped back, wherein the modified VRF of the message to be forwarded is consistent with the reverse path forwarding table RPF corresponding to the fourth type rule;
the forwarding submodule comprises: a forwarding unit, configured to reduce the forwarding priority of the message to be forwarded, to match the message to be forwarded against the matching field corresponding to the fourth type rule, and, after the matching is completed, to raise the priority of the message to be forwarded so that it is forwarded.
It should be noted that, the apparatus for issuing a chip whitelist shown in fig. 5 is used to execute a method for issuing a chip whitelist shown in fig. 2, so the explanation related to the method for issuing a chip whitelist is also applicable to the apparatus for issuing a chip whitelist, and is not repeated herein.
The embodiment of the application also provides an electronic device, which comprises: a memory for storing program instructions; and a processor coupled to the memory for executing the program instructions in order to: acquire a whitelist configuration file to be issued; divide the rules in the whitelist configuration file into first type rules and second type rules according to whether a mask is included, wherein the first type rules and the second type rules differ in the manner in which they are matched against the message to be forwarded; and issue the first type rules through a ternary content addressable memory TCAM and the second type rules through a preset memory.
It should be noted that, the electronic device is configured to execute the method for issuing the chip whitelist shown in fig. 2, so that the explanation of the method for issuing the chip whitelist is also applicable to the electronic device, and is not repeated herein.
The embodiment of the application also provides a nonvolatile storage medium comprising a stored computer program, wherein the device in which the nonvolatile storage medium is located executes the following method by running the computer program: acquiring a whitelist configuration file to be issued; dividing the rules in the whitelist configuration file into first type rules and second type rules according to whether a mask is included, wherein the first type rules and the second type rules differ in the manner in which they are matched against the message to be forwarded; and issuing the first type rules through a ternary content addressable memory TCAM and the second type rules through a preset memory.
It should be noted that, the above-mentioned nonvolatile storage medium is used to execute the method for issuing the chip whitelist shown in fig. 2, so that the explanation related to the method for issuing the chip whitelist is also applicable to the nonvolatile storage medium, and will not be repeated here.
The foregoing embodiment numbers of the present application are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
In the foregoing embodiments of the present application, the descriptions of the embodiments are emphasized, and for a portion of this disclosure that is not described in detail in this embodiment, reference is made to the related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed technology may be implemented in other manners. The above-described embodiments of the apparatus are merely exemplary, and the division of units may be a logic function division, and there may be another division manner in actual implementation, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some interfaces, units or modules, or may be in electrical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application, in essence or in the part contributing to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method of the various embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, an optical disk, or other media capable of storing program code.
The foregoing is merely a preferred embodiment of the present application, and it should be noted that those skilled in the art may make modifications and adaptations without departing from the principles of the present application, which are intended to fall within the scope of the present application.

Claims (10)

1. A method for issuing a chip whitelist, comprising the following steps:
acquiring a white list configuration file to be issued;
dividing rules in the white list configuration file into a first type rule and a second type rule according to whether masks are contained or not, wherein the first type rule and the second type rule are different in matching mode with a message to be forwarded;
and issuing the first type of rules through a Ternary Content Addressable Memory (TCAM), and issuing the second type of rules through a preset memory.
2. The method of claim 1, wherein dividing the rules in the whitelist configuration file into a first type rule and a second type rule according to whether a mask is included comprises:
determining a rule with partial characters in the white list configuration file as a mask as a first type rule;
and determining the rule that all characters in the white list configuration file are masked and the rule that all characters are not masked as a second type rule.
3. The method of claim 2, wherein issuing the second type of rule through the preset memory comprises:
determining the rule belonging to the first type IP protocol in the second type rule as a third type rule;
determining the rule belonging to the second class IP protocol in the second class rule as a fourth class rule;
and directly issuing the third type rule, compressing the fourth type rule and issuing, wherein the versions of the first type IP protocol and the second type IP protocol are different.
4. The method of claim 3, wherein compressing the fourth type rule and issuing it comprises:
generating a reverse path forwarding table (RPF) corresponding to the fourth type rule by using a Session Initiation Protocol (SIP) and a virtual routing forwarding table (VRF) corresponding to the fourth type rule;
and determining the RPF of the reverse path forwarding table as a matching field corresponding to the fourth type rule, and issuing the matching field.
5. The method according to claim 1, wherein the method further comprises:
receiving the message to be forwarded;
and under the condition that the message to be forwarded belongs to the first type IP protocol, matching the message to be forwarded with a third type rule, and forwarding the message to be forwarded after the matching is completed.
6. The method according to claim 5, wherein, in the case that the message to be forwarded belongs to the second type IP protocol, the method comprises:
and modifying the forwarding information of the message to be forwarded and the VRF corresponding to the message to be forwarded so as to enable the message to be forwarded to carry out loop-back, wherein the VRF modified by the message to be forwarded is consistent with the reverse path forwarding table RPF corresponding to the fourth type rule.
7. The method of claim 6, wherein after the message to be forwarded completes the loop, the method further comprises:
reducing the forwarding priority of the message to be forwarded;
and matching the message to be forwarded with the matching field corresponding to the fourth type rule, and after the matching of the message to be forwarded with the matching field corresponding to the fourth type rule is completed, increasing the priority of the message to be forwarded so as to forward the message to be forwarded.
8. A device for issuing a chip whitelist, comprising:
the acquisition module is used for acquiring the white list configuration file to be issued;
the classification module is used for classifying rules in the white list configuration file into a first type rule and a second type rule according to whether masks are contained or not, and the first type rule and the second type rule are different in matching mode with the message to be forwarded;
and the issuing module is used for issuing the first type rule through a ternary content addressable memory TCAM and issuing the second type rule through a preset memory.
9. An electronic device, comprising:
a memory for storing program instructions;
a processor coupled to the memory for executing program instructions for: acquiring a white list configuration file to be issued; dividing rules in the white list configuration file into a first type rule and a second type rule according to whether masks are contained or not, wherein the first type rule and the second type rule are different in matching mode with a message to be forwarded; and issuing the first type of rules through a Ternary Content Addressable Memory (TCAM), and issuing the second type of rules through a preset memory.
10. A non-volatile storage medium, wherein the non-volatile storage medium comprises a stored computer program, and wherein a device in which the non-volatile storage medium is located executes the method for issuing the chip whitelist according to any one of claims 1 to 7 by running the computer program.
CN202311042524.2A 2023-08-17 2023-08-17 Method and device for issuing chip white list Pending CN117081805A (en)

Publications (1)

Publication Number Publication Date
CN117081805A true CN117081805A (en) 2023-11-17

Family

ID=88701724


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination