CN117278341A - ACL rule updating method, device, equipment and storage medium - Google Patents

Info

Publication number
CN117278341A
Authority
CN
China
Prior art keywords
acl rule
list
acl
latest
rule list
Prior art date
Legal status
Pending
Application number
CN202311570556.XA
Other languages
Chinese (zh)
Inventor
刘金松
施扬
彭园
Current Assignee
Chengdu Zhuozhou Technology Co ltd
Original Assignee
Chengdu Zhuozhou Technology Co ltd

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
              • H04L63/101 Access control lists [ACL]
            • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
          • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
            • H04L41/08 Configuration management of networks or network elements
              • H04L41/0803 Configuration setting
                • H04L41/0813 Configuration setting characterised by the conditions triggering a change of settings
                  • H04L41/082 Configuration setting characterised by the conditions triggering a change of settings, the condition being updates or upgrades of network functionality
          • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The application provides an ACL rule updating method, device, equipment and storage medium. The method acquires the original target ACL rule list currently configured on the network device whose ACL rules are to be updated, and the latest ACL rule list that the device is to be updated to. From these two lists it determines which ACL rules must be deleted (collected in a to-be-deleted ACL rule list) and which must be newly added (collected in a to-be-added ACL rule list), and it writes both lists to the network device, which deletes and adds ACL rules accordingly. ACL rules are thus written in batch, and the ACL rules on the network device are updated in batch.

Description

ACL rule updating method, device, equipment and storage medium
Technical Field
The present invention relates to the field of network technologies, and in particular, to a method, an apparatus, a device, and a storage medium for updating ACL rules.
Background
With the development of information security technology, more and more engineers configure access control lists (ACLs) on network devices, especially routers and Layer 3 switches, to protect communication between local area networks and wide area networks. How to configure and update the ACL rules of such network devices efficiently is therefore a technical problem that needs to be solved.
Disclosure of Invention
An objective of the embodiments of the present application is to provide a method, an apparatus, a device, and a storage medium for updating ACL rules, so as to solve the above technical problem.
In one aspect, there is provided an ACL rule updating method, the method comprising:
acquiring the original target ACL rule list currently configured on the network device whose ACL rules are to be updated, and acquiring the latest ACL rule list that the network device is to be updated to;
determining, from the original target ACL rule list and the latest ACL rule list, the ACL rules to be deleted, which are added to a to-be-deleted ACL rule list, and the ACL rules to be newly added, which are added to a to-be-added ACL rule list;
and writing the to-be-deleted ACL rule list and the to-be-added ACL rule list to the network device, so that the network device deletes and adds ACL rules according to those two lists.
In one embodiment, the obtaining the original target ACL rule list that is currently configured by the network device to be updated with the ACL rule includes:
acquiring ACL configuration information from network equipment to be subjected to ACL rule updating;
analyzing the ACL configuration information to obtain an original ACL rule list;
and determining an original target ACL rule list from the original ACL rule list.
In one embodiment, the determining the original target ACL rule list from the original ACL rule list includes:
for each original ACL rule in the original ACL rule list, acquiring a rule identifier of the original ACL rule;
judging whether the rule identifier accords with a preset rule identifier or not;
if so, taking the original ACL rule as an original target ACL rule, and taking the set of the original target ACL rule in the original ACL rule list as an original target ACL rule list.
In one embodiment, the obtaining the latest ACL rule list to be updated currently by the network device includes:
acquiring a current latest online IP address list and a latest online MAC address list of the network equipment;
and generating a latest ACL rule list according to the original target ACL rule list, the latest online IP address list and the latest online MAC address list.
In one embodiment, determining the to-be-deleted and to-be-added ACL rules from the original target ACL rule list and the latest ACL rule list includes:
for each original target ACL rule in the original target ACL rule list, when it is determined that the original target ACL rule is not in the latest ACL rule list, adding it to the to-be-deleted ACL rule list as an ACL rule to be deleted;
and for each latest ACL rule in the latest ACL rule list, when it is determined that the latest ACL rule is not in the original target ACL rule list, adding it to the to-be-added ACL rule list as an ACL rule to be added.
In one embodiment, each original target ACL rule includes a first rule identifier and corresponding first rule content, and each latest ACL rule includes a second rule identifier and corresponding second rule content;
and adding an original target ACL rule to the to-be-deleted ACL rule list when it is not in the latest ACL rule list includes:
for each original target ACL rule in the original target ACL rule list, when its first rule identifier is not found in the latest ACL rule list, determining that the original target ACL rule is not in the latest ACL rule list and adding it to the to-be-deleted ACL rule list as an ACL rule to be deleted.
In one embodiment, adding a latest ACL rule to the to-be-added ACL rule list when it is not in the original target ACL rule list includes:
for each latest ACL rule in the latest ACL rule list, when its second rule identifier is not found in the original target ACL rule list, determining that the latest ACL rule is not in the original target ACL rule list and adding it to the to-be-added ACL rule list as an ACL rule to be added.
In another aspect, there is provided an ACL rule updating apparatus, the apparatus including:
the acquisition module is used for acquiring an original target ACL rule list which is configured by the network equipment currently and is to be updated, and acquiring a latest ACL rule list which is to be updated by the network equipment currently;
the determining module is used for determining, from the original target ACL rule list and the latest ACL rule list, the ACL rules to be deleted, which are added to the to-be-deleted ACL rule list, and the ACL rules to be newly added, which are added to the to-be-added ACL rule list;
and the writing module is used for writing the ACL rule list to be deleted and the ACL rule list to be newly added into the network equipment so that the network equipment can delete and newly add the ACL rule according to the ACL rule list to be deleted and the ACL rule list to be newly added.
In another aspect, there is provided a terminal device comprising a processor and a memory, the memory having stored therein a computer program, the processor executing the computer program to implement any of the methods described above.
In another aspect, a computer readable storage medium is provided, storing a computer program which, when executed by at least one processor, implements any of the methods described above.
With the ACL rule updating method, device, equipment and storage medium described above, the original target ACL rule list currently configured on the network device whose ACL rules are to be updated and the latest ACL rule list it is to be updated to are obtained; from these two lists the ACL rules to be deleted and the ACL rules to be added are determined and collected in a to-be-deleted ACL rule list and a to-be-added ACL rule list; and both lists are written to the network device, which deletes and adds ACL rules accordingly. ACL rules are thus written in batch, and the ACL rules on the network device are updated in batch.
Drawings
Fig. 1 is a flowchart of an ACL rule updating method according to an embodiment of the present application;
fig. 2 is a flowchart of determining an original target ACL rule list according to an embodiment of the present application;
fig. 3 is a schematic structural diagram of an ACL rule updating apparatus according to a second embodiment of the present application;
fig. 4 is a schematic structural diagram of a terminal device according to a third embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be further described in detail with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application.
Embodiment one:
the embodiment of the application provides an ACL rule updating method, which can be applied to terminal equipment, wherein the terminal equipment can be electronic equipment such as a notebook computer and the like, and the ACL rule in network equipment can be updated through the terminal equipment.
Referring to fig. 1, the ACL rule updating method in the embodiment of the present application may include the following steps:
s11: and acquiring an original target ACL rule list which is configured by the network equipment currently and is to be updated, and a latest ACL rule list which is to be updated by the network equipment currently.
S12: and determining that the ACL rule to be deleted is added into the ACL rule list to be deleted and the ACL rule to be newly added into the ACL rule list to be newly added according to the original target ACL rule list and the latest ACL rule list.
S13: and writing the ACL rule list to be deleted and the ACL rule list to be newly added into the network equipment so that the network equipment can delete and newly add the ACL rule according to the ACL rule list to be deleted and the ACL rule list to be newly added.
The steps described above are described in detail below.
In this embodiment, the terminal device may obtain the original target ACL rule list currently configured on the network device directly from that network device. In other embodiments the network device may synchronise its current original target ACL rule list to other devices, from which the terminal device then reads it.
Referring to fig. 2, step S11 may include the following sub-steps:
s111: and acquiring ACL configuration information from the network equipment to be subjected to ACL rule updating.
S112: and analyzing the ACL configuration information to obtain an original ACL rule list.
S113: and determining an original target ACL rule list from the original ACL rule list.
In sub-step S111, the terminal device may execute a "display current-configuration" command through the SSH protocol, and read ACL configuration information currently configured in the network device, which is typically a string information.
In sub-step S112, the original ACL rule list may be obtained by identifying the target character in the string information, and dividing the string information based on the target character.
Specifically, the ACL configuration information can be split into different information modules through the target character "#", and meanwhile, related configuration character strings of the information modules are extracted according to the ACL keywords.
The extracted character strings are split into character string arrays through the target character 'line feed character', each character string array is an ACL rule, and each item in the array can be understood as detailed rule content in the ACL rule.
In this embodiment, rule information such as the rule identifier and rule type is obtained by recognising and parsing the keywords in each ACL rule.
For example, the name, number and specific type of an ACL rule are recognised from the keywords "name", "number", "mac", "advanced", "basic" and "ipv6".
After an ACL rule has been matched exactly by these keywords, the remaining keywords under the rule are read in turn to obtain the detailed rule information. The keyword meanings are as follows:
"permit" and "deny" indicate whether the ACL rule allows or forbids the matched traffic;
"tcp", "ip" and "udp" indicate the protocol type;
"source", "source-MAC" and "source-port" indicate the source IP address, source MAC address and source port;
"destination", "dest-MAC" and "destination-port" indicate the destination IP address, destination MAC address and destination port;
"icmp" indicates whether the rule matches the ICMP protocol.
Reading and parsing these keywords yields one structured data object per ACL rule; the set of all such objects is the original ACL rule list.
It can be understood that the latest ACL rule list in the embodiment of the present application may also be a list made up of structured data objects obtained by processing the above method.
For sub-step S113, in some embodiments, the original ACL rule list may be directly taken as the original target ACL rule list.
In other embodiments, the original target ACL rule list is selected from the original ACL rule list. The original ACL rule list consists of several original ACL rules, each with a rule identifier (a rule name and/or a rule number) and corresponding rule content. For each original ACL rule in the original ACL rule list, its rule identifier is obtained and checked against a preset rule identifier. If it matches, the original ACL rule is taken as an original target ACL rule, and the set of all such original target ACL rules is the original target ACL rule list; if it does not match, the original ACL rule is left alone and is not treated as an original target ACL rule.
It should be noted that, the preset rule identifier in the embodiment of the present application may be preset by a developer, or may support user definition, so that a user may update only the ACL rule with the preset rule identifier in the network device according to his own requirement.
For example, for each original ACL rule in the original ACL rule list, the ACL rule name may be obtained, if the ACL rule name uses a custom string as a prefix, the original ACL rule is used as an original target ACL rule, and if the ACL rule name does not use a custom string as a prefix, the original ACL rule may not be processed.
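As an added example (not code from the patent or from Chengdu Zhuozhou Technology), the following Python implements sub-steps S111 to S113 as described above: the configuration string is split on "#" into modules, the modules whose first line begins with the "acl" keyword are kept, each is split on line feeds into an ACL rule whose items are parsed by keyword, and the original target ACL rule list is selected by a preset name prefix. The sample configuration is constructed for the example in a Huawei VRP-like syntax; the keyword sets, the lowercase "destination-mac" spelling and the `AclRule` structure are the example's own assumptions, since the page lists the keywords but does not fix the exact device syntax.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Keyword sets from the description (example's assumption: lowercase, as emitted by the device).
ACTIONS = {"permit", "deny"}
PROTOCOLS = {"tcp", "udp", "ip", "icmp"}
FIELDS = {"source", "source-mac", "source-port",
          "destination", "dest-mac", "destination-mac", "destination-port"}
ACL_KINDS = {"basic", "advanced", "mac", "ipv6"}

Entry = Tuple[Tuple[str, object], ...]  # one rule line, frozen as sorted (field, value) pairs


@dataclass(frozen=True)
class AclRule:
    """One ACL block: rule identifier (name and/or number), type, and structured content."""
    name: Optional[str]
    number: Optional[str]
    kind: Optional[str]
    content: Tuple[Entry, ...]

    @property
    def identifier(self) -> Tuple[Optional[str], Optional[str]]:
        return (self.name, self.number)


def parse_entry(line: str) -> Entry:
    """Parse 'rule 5 permit tcp source A W destination-port eq 443' by keyword."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "rule":
        raise ValueError(f"not a rule line: {line!r}")
    entry: Dict[str, object] = {"seq": tokens[1], "action": None, "protocol": None}
    current: Optional[str] = None          # field whose value tokens are being collected
    for tok in tokens[2:]:
        if tok in ACTIONS:
            entry["action"], current = tok, None
        elif tok in PROTOCOLS:
            entry["protocol"], current = tok, None
        elif tok in FIELDS:
            current = tok
            entry[current] = []
        elif current is not None:
            entry[current].append(tok)     # value tokens run until the next keyword
        else:
            raise ValueError(f"unexpected token {tok!r} in {line!r}")
    if entry["action"] is None:
        raise ValueError(f"rule without permit/deny: {line!r}")
    return tuple(sorted((k, tuple(v) if isinstance(v, list) else v) for k, v in entry.items()))


def split_modules(config_text: str) -> List[str]:
    """Sub-step S112: split the configuration string on its '#' separator lines."""
    return [m for m in re.split(r"(?m)^#\s*$", config_text) if m.strip()]


def parse_acl_module(module: str) -> Optional[AclRule]:
    """Return an AclRule for a module whose first line starts with 'acl', else None."""
    lines = [ln.strip() for ln in module.splitlines() if ln.strip()]
    if not lines or lines[0].split()[0] != "acl":
        return None
    header = lines[0].split()[1:]
    name = number = kind = None
    i = 0
    while i < len(header):
        tok = header[i]
        if tok in ("name", "number"):
            if i + 1 >= len(header):
                raise ValueError(f"dangling {tok!r} in {lines[0]!r}")
            if tok == "name":
                name = header[i + 1]
            else:
                number = header[i + 1]
            i += 2
        elif tok in ACL_KINDS:
            kind, i = tok, i + 1
        elif tok.isdigit():                # bare ACL number directly after 'acl'
            number, i = tok, i + 1
        else:
            raise ValueError(f"unknown ACL header token {tok!r} in {lines[0]!r}")
    content = tuple(parse_entry(ln) for ln in lines[1:] if ln.startswith("rule "))
    return AclRule(name, number, kind, content)


def parse_config(config_text: str) -> List[AclRule]:
    """Sub-steps S111-S112: the original ACL rule list, in configuration order."""
    return [r for r in map(parse_acl_module, split_modules(config_text)) if r is not None]


def select_targets(rules: List[AclRule], prefix: str) -> List[AclRule]:
    """Sub-step S113: keep the ACLs whose name carries the preset prefix."""
    return [r for r in rules if r.name is not None and r.name.startswith(prefix)]


# Constructed sample of 'display current-configuration' output (VRP-like syntax, assumed).
SAMPLE_CONFIG = """\
#
sysname CoreSwitch
#
acl number 3001 name AUTO_guest
 rule 5 permit tcp source 10.0.1.5 0 destination 10.0.2.0 0.0.0.255 destination-port eq 443
 rule 10 deny ip source 10.0.1.0 0.0.0.255
#
acl name AUTO_iot mac 4001
 rule 5 permit source-mac 0011-2233-4455 ffff-ffff-ffff
#
acl number 2000
 rule 5 deny source 192.168.0.0 0.0.0.255
#
interface GigabitEthernet0/0/1
 traffic-filter inbound acl 3001
#
"""
```

`parse_config(text)` is fed with the string read over SSH; `select_targets(rules, "AUTO_")` then yields the original target ACL rule list for the prefix convention described above, leaving ACL 2000, which has no name, untouched by later updates.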
In this embodiment of the present application, the terminal device may obtain, from a database, a current latest ACL rule list to be updated by the network device, where the database may be a local database of the terminal device or a cloud database, and may store the ACL rule list to be updated by the network device each time in the database.
For step S11, a current latest online IP address list and a latest online MAC address list of the network device may be acquired, and then a latest ACL rule list is generated according to the original target ACL rule list, the latest online IP address list and the latest online MAC address list.
The latest online IP address list refers to a list of IP addresses of nodes currently connected to the network in which the network device is located, and the latest online MAC address list refers to a list of MAC addresses of nodes currently connected to the network in which the network device is located.
Next, a detailed description will be given of a procedure for determining an ACL rule to be deleted and an ACL rule to be newly added in the embodiment of the present application.
In the embodiment of the application, the original target ACL rule list and the latest ACL rule list can be compared to determine the ACL rule to be deleted and the ACL rule to be newly added.
Specifically, each original target ACL rule in the original target ACL rule list can be traversed, and it is determined that the ACL rule to be deleted is added into the ACL rule list to be deleted. For each original target ACL rule in the original target ACL rule list, the original target ACL rule is added into the to-be-deleted ACL rule list as the to-be-deleted ACL rule when the original target ACL rule is not determined to be in the latest ACL rule list, and the original target ACL rule is not processed when the original target ACL rule is determined to be in the latest ACL rule list.
Likewise, each latest ACL rule in the latest ACL rule list may be traversed to determine that the ACL rule to be added adds to the ACL rule list to be added. For example, for each latest ACL rule in the latest ACL rule list, when it is determined that it is not in the original target ACL rule list, it may be added as a to-be-added ACL rule to the to-be-added ACL rule list, and when it is determined that it is in the original target ACL rule list, the latest ACL rule may not be processed.
Here, first, a method of determining whether or not an original target ACL rule is in the latest ACL rule list will be described. Each original target ACL rule comprises a first rule identifier and corresponding first rule content, and each latest ACL rule comprises a second rule identifier and corresponding second rule content. The first rule identifier and the second rule identifier in the embodiment of the present application refer to unique identity identifiers corresponding to ACL rules, which may be composed of names and/or numbers of ACL rules.
Adding an original target ACL rule to the to-be-deleted ACL rule list when it is not in the latest ACL rule list proceeds as follows:
for each original target ACL rule in the original target ACL rule list, when its first rule identifier is not found in the latest ACL rule list, the original target ACL rule is determined not to be in the latest ACL rule list and is added to the to-be-deleted ACL rule list. When the first rule identifier is found in the latest ACL rule list, a latest ACL rule with the same rule identifier exists, and the rule contents are compared further: if they are consistent, the original target ACL rule is in the latest ACL rule list and nothing is done; if they differ, the original target ACL rule is treated as not being in the latest ACL rule list, the original target ACL rule is added to the to-be-deleted ACL rule list, and the corresponding latest ACL rule is added to the to-be-added ACL rule list.
Specifically, for each original target ACL rule whose first rule identifier is in the latest ACL rule list, the latest ACL rule whose second rule identifier equals that first rule identifier is extracted, its rule content is compared with the rule content of the original target ACL rule, and if they differ the original target ACL rule is added to the to-be-deleted ACL rule list and the latest ACL rule is added to the to-be-added ACL rule list.
Note that membership in the latest ACL rule list is first decided by rule identifier, and full rule content is compared only for the rules whose identifiers match. Compared with comparing the complete content of every pair of rules, this reduces the comparison work and so speeds up the ACL rule update.
For each latest ACL rule in the latest ACL rule list, when determining that the latest ACL rule is not in the original target ACL rule list, adding the latest ACL rule as an ACL rule to be added into the ACL rule list to be added, wherein the method comprises the following steps:
for each latest ACL rule in the latest ACL rule list, when the corresponding second rule identifier is determined not to be in the original target ACL rule list, the latest ACL rule is determined not to be in the original target ACL rule list, and the latest ACL rule is added into the to-be-added ACL rule list as the to-be-added ACL rule.
Conversely, for each latest ACL rule whose second rule identifier is in the original target ACL rule list, an original target ACL rule with the same rule identifier exists, and the rule contents are compared further: if they are consistent, the latest ACL rule is in the original target ACL rule list and nothing is done; if they differ, the latest ACL rule is treated as not being in the original target ACL rule list, the latest ACL rule is added to the to-be-added ACL rule list, and the corresponding original target ACL rule is added to the to-be-deleted ACL rule list.
Specifically, for each of the latest ACL rules in the latest ACL rule list, when determining that the corresponding second rule identifier is in the original target ACL rule list, extracting the original target ACL rule with the first rule identifier consistent with the second rule identifier in the original target ACL rule list, judging whether the rule content of the original target ACL rule is consistent with the rule content of the latest ACL rule, if not, adding the original target ACL rule as an ACL rule to be deleted into the to-be-deleted ACL rule list, and adding the latest ACL rule as a new ACL rule into the to-be-added ACL rule list.
For ease of understanding, the process of determining the list of ACL rules to be deleted and determining the list of ACL rules to be newly added will be described herein with specific examples.
The latest ACL rule list is denoted k_n_list; the name and number of each latest ACL rule form its second rule identifier, denoted k_n, and each latest ACL rule also carries its rule content.
The original target ACL rule list is denoted k_o_list; the name and number of each original target ACL rule form its first rule identifier, denoted k_o, and each original target ACL rule also carries its rule content.
When traversing the original target ACL rule list k_o_list, each k_o is looked up in k_n_list. If k_o does not exist in k_n_list, the original target ACL rule is added to the to-be-deleted ACL rule list delete_list; this traversal finds the rules that have been removed. If k_o does exist in k_n_list, the rule contents of the original target ACL rule and of the latest ACL rule with that identifier are read from k_o_list and k_n_list and compared: if the contents are identical the rule is unchanged and nothing is done; if they differ the rule has changed, the original target ACL rule is added to delete_list, and the latest ACL rule is added to the to-be-added ACL rule list add_list.
When traversing the latest ACL rule list k_n_list, each k_n is looked up in k_o_list. If k_n does not exist in k_o_list, the latest ACL rule is a brand-new rule and is added directly to add_list; this traversal finds the newly added rules and the changed rules. If k_n does exist in k_o_list, the contents are compared as above: identical contents mean no change, and differing contents mean the rule has changed, so the original target ACL rule goes to delete_list and the latest ACL rule to add_list. A changed rule is detected by both traversals, so an implementation must queue it only once.
In step S13, the terminal device writes the to-be-deleted ACL rule list and the to-be-added ACL rule list to the network device over SSH. Optionally, the to-be-added ACL rule list may be written first so that the network device is protected as early as possible. Note that a changed rule appears in both lists under the same rule identifier; on a device that deletes rules by identifier, the delete for such a rule must be applied before the add that reuses that identifier, otherwise the delete would remove the rule that was just written. Writing the brand-new rules first, then the deletes, then the changed rules satisfies both requirements.
Specifically, the terminal device converts the to-be-added ACL rule list into a string of ACL add configuration commands for the network device and submits that string to the network device over SSH in one batch; the network device applies the configuration, completing the write.
Likewise, the terminal device converts the to-be-deleted ACL rule list into a string of ACL delete configuration commands and submits it to the network device over SSH in one batch; the network device applies the configuration, completing the write.
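The two traversals of the worked example above and the write step S13, as an added example in Python that is not the patent's or the applicant's code. Rule lists are plain dicts keyed by the (name, number) identifier with the rule lines as content (the constructed `K_O_LIST` and `K_N_LIST`); `diff_acl_rules` produces delete_list and add_list, doing the content comparison in the first traversal only so that a changed rule is queued once, and `build_command_batch` renders the command strings in an order that keeps the "add first" optimisation safe when a changed rule shares its identifier with a delete. The `acl number ... name ...`, `rule ...`, `quit` and `undo acl ...` command forms are assumed VRP-like syntax for the example, not taken from the page.

```python
from typing import Dict, List, Tuple

Identifier = Tuple[str, str]          # (name, number): the page's k_o / k_n
Content = Tuple[str, ...]             # rule lines belonging to that ACL
RuleList = Dict[Identifier, Content]  # insertion-ordered, like the page's lists
Change = Tuple[Identifier, Content]


def diff_acl_rules(k_o_list: RuleList, k_n_list: RuleList) -> Tuple[List[Change], List[Change]]:
    """Return (delete_list, add_list).

    First traversal (original list): identifier absent from the latest list -> delete;
    identifier present but content differs -> delete old and add new.
    Second traversal (latest list): identifier absent from the original list -> add.
    The content check is done in the first traversal only; repeating it in the second,
    as the description's example does, would queue every changed rule twice.
    """
    delete_list: List[Change] = []
    add_list: List[Change] = []
    for k_o, old_content in k_o_list.items():
        if k_o not in k_n_list:
            delete_list.append((k_o, old_content))      # rule removed
        elif k_n_list[k_o] != old_content:
            delete_list.append((k_o, old_content))      # rule changed: replace it
            add_list.append((k_o, k_n_list[k_o]))
    for k_n, new_content in k_n_list.items():
        if k_n not in k_o_list:
            add_list.append((k_n, new_content))         # brand-new rule
    return delete_list, add_list


def render_add(identifier: Identifier, content: Content) -> List[str]:
    """Add commands for one ACL (assumed VRP-like syntax)."""
    name, number = identifier
    header = f"acl number {number}" + (f" name {name}" if name else "")
    return [header] + [f" {line}" for line in content] + ["quit"]


def render_delete(identifier: Identifier) -> List[str]:
    """Delete command for one ACL, keyed by its number (assumed VRP-like syntax)."""
    _name, number = identifier
    return [f"undo acl {number}"]


def build_command_batch(delete_list: List[Change], add_list: List[Change]) -> List[str]:
    """Order the batch so a later delete cannot undo an earlier add.

    Brand-new ACLs (identifier not in delete_list) go first, protecting the device as early
    as possible.  Changed ACLs share their identifier with an entry in delete_list; written
    before the 'undo', the new content would be removed again, so they go after the deletes.
    """
    deleted = {ident for ident, _ in delete_list}
    commands: List[str] = []
    for ident, content in add_list:
        if ident not in deleted:
            commands += render_add(ident, content)
    for ident, _ in delete_list:
        commands += render_delete(ident)
    for ident, content in add_list:
        if ident in deleted:
            commands += render_add(ident, content)
    return commands


# Constructed sample data: what the device has now (k_o_list) and what it should end up with (k_n_list).
K_O_LIST: RuleList = {
    ("AUTO_guest", "3001"): ("rule 5 permit tcp source 10.0.1.5 0 destination-port eq 443",
                             "rule 10 deny ip source 10.0.1.0 0.0.0.255"),
    ("AUTO_old", "3002"): ("rule 5 permit ip source 10.0.3.0 0.0.0.255",),
    ("AUTO_iot", "4001"): ("rule 5 permit source-mac 0011-2233-4455 ffff-ffff-ffff",),
}
K_N_LIST: RuleList = {
    ("AUTO_guest", "3001"): K_O_LIST[("AUTO_guest", "3001")],                 # unchanged
    ("AUTO_iot", "4001"): ("rule 5 permit source-mac 0011-2233-4455 ffff-ffff-ffff",
                           "rule 10 permit source-mac 0011-2233-4466 ffff-ffff-ffff"),  # changed
    ("AUTO_new", "3003"): ("rule 5 permit ip source 10.0.4.0 0.0.0.255",),   # brand new
}

if __name__ == "__main__":
    deletes, adds = diff_acl_rules(K_O_LIST, K_N_LIST)
    print("\n".join(build_command_batch(deletes, adds)))
```

On the sample data the unchanged ACL 3001 produces no command at all, ACL 3003 is written before anything is deleted, and the changed ACL 4001 is deleted and then rewritten with its new content; the resulting string is what would be submitted over SSH in one batch.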
With the ACL rule updating method of this embodiment, only newly added or changed ACL rules are written, and rules whose content is unchanged are left untouched. All ACL rules on the network device are parsed, and the update is completed with a minimal amount of code. The approach is editable, readable and practical: the ACL configuration strings are converted into structured data, which eases later maintenance and modification.
It should be understood that, although the steps in the above flowcharts are shown in the order indicated by the arrows, they need not be executed in that order. Unless explicitly stated herein, the order of execution is not strictly limited and the steps may be executed in other orders. Moreover, at least some of the steps may include several sub-steps or stages that are not necessarily performed at the same time but may be performed at different times, and their order is not necessarily sequential; they may be performed alternately with at least some sub-steps or stages of other steps.
Embodiment two:
Based on the same inventive concept, an embodiment of the present application provides an ACL rule updating apparatus, as shown in fig. 3, including:
an acquiring module 301, configured to acquire the original target ACL rule list currently configured on the network device whose ACL rules are to be updated, and the latest ACL rule list to which the network device is currently to be updated;
a determining module 302, configured to determine, from the original target ACL rule list and the latest ACL rule list, the ACL rules to be deleted and add them to the to-be-deleted ACL rule list, and the ACL rules to be newly added and add them to the to-be-added ACL rule list;
and a writing module 303, configured to write the to-be-deleted ACL rule list and the to-be-added ACL rule list into the network device, so that the network device performs ACL rule deletion and addition according to the to-be-deleted ACL rule list and the to-be-added ACL rule list.
Further, the acquiring module 301 is configured to acquire ACL configuration information from the network device whose ACL rules are to be updated; parse the ACL configuration information to obtain an original ACL rule list; and determine an original target ACL rule list from the original ACL rule list.
Further, the acquiring module 301 is configured to obtain, for each original ACL rule in the original ACL rule list, the rule identifier of that original ACL rule; judge whether the rule identifier matches a preset rule identifier; and if so, take the original ACL rule as an original target ACL rule, the set of original target ACL rules in the original ACL rule list forming the original target ACL rule list.
Further, the acquiring module 301 is configured to acquire the current latest online IP address list and latest online MAC address list of the network device, and generate the latest ACL rule list from the original target ACL rule list, the latest online IP address list and the latest online MAC address list.
Further, the determining module 302 is configured to add, for each original target ACL rule in the original target ACL rule list, the original target ACL rule as an ACL rule to be deleted to the ACL rule list to be deleted when it is determined that the original target ACL rule is not in the latest ACL rule list; and adding each latest ACL rule in the latest ACL rule list as an ACL rule to be added into the ACL rule list to be added when the latest ACL rule is determined not to be in the original target ACL rule list.
Further, each original target ACL rule includes a first rule identifier and corresponding first rule content, and each latest ACL rule includes a second rule identifier and corresponding second rule content. The determining module 302 is configured to determine, for each original target ACL rule in the original target ACL rule list, that the original target ACL rule is not in the latest ACL rule list when its first rule identifier does not appear among the identifiers of the latest ACL rule list, and to add that original target ACL rule as an ACL rule to be deleted to the to-be-deleted ACL rule list.
Further, the determining module 302 is configured to determine, for each latest ACL rule in the latest ACL rule list, that the latest ACL rule is not in the original target ACL rule list when its second rule identifier does not appear among the identifiers of the original target ACL rule list, and to add that latest ACL rule as an ACL rule to be added to the to-be-added ACL rule list.
It should be noted that, for simplicity of description, the content described in the above embodiment is not repeated in this embodiment.
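As an added worked example (not code from the patent or from the applicant), the following Python script implements the procedure described by the modules above together with the write-out step of the first embodiment: it parses a constructed ACL configuration dump into structured rules, keeps only the rules whose identifiers fall in a preset set, generates the latest rule list from a constructed online (IP, MAC) host list, computes the to-be-deleted and to-be-added lists by comparing rule identifiers, and renders both lists as one configuration command string. The configuration syntax, the preset identifier set, the one-permit-rule-per-host mapping and the identifier allocation policy are all assumptions made here; the patent does not specify them.

```python
"""Added example: identifier-based ACL rule diff in the manner of the patent.

Everything below (device syntax, preset identifier set, one permit rule per
online host, identifier allocation) is an assumption for illustration.
"""
import re
from dataclasses import dataclass
from typing import Iterable

# Constructed sample of the device's current ACL configuration (illustrative
# syntax, not any vendor's exact grammar).
SAMPLE_ACL_CONFIG = """\
acl number 3000
 rule 5 permit source 10.0.0.5 aa-bb-cc-00-00-05
 rule 10 permit source 10.0.0.6 aa-bb-cc-00-00-06
 rule 15 permit source 10.0.0.7 aa-bb-cc-00-00-07
 rule 1000 deny any
"""

# Constructed latest online (IP, MAC) list: host .6 went offline, .8 came online.
SAMPLE_ONLINE_HOSTS = [
    ("10.0.0.5", "aa-bb-cc-00-00-05"),
    ("10.0.0.7", "aa-bb-cc-00-00-07"),
    ("10.0.0.8", "aa-bb-cc-00-00-08"),
]

# Assumed preset rule identifiers managed by the tool: 5, 10, ..., 995. Rules
# outside this set (the trailing "rule 1000 deny any") are never touched.
PRESET_RULE_RANGE = range(5, 1000, 5)

RULE_RE = re.compile(r"^\s*rule\s+(\d+)\s+(.+?)\s*$")


@dataclass(frozen=True)
class AclRule:
    rule_id: int   # the rule identifier
    content: str   # the rule content (everything after the identifier)


def parse_acl_config(text: str) -> list[AclRule]:
    """Convert the ACL configuration string into a structured rule list."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append(AclRule(int(m.group(1)), m.group(2)))
    return rules


def select_target_rules(rules: Iterable[AclRule]) -> list[AclRule]:
    """Keep only the rules whose identifier matches the preset identifiers."""
    return [r for r in rules if r.rule_id in PRESET_RULE_RANGE]


def build_latest_rules(targets: list[AclRule],
                       online_hosts: list[tuple[str, str]]) -> list[AclRule]:
    """Generate the latest rule list from the original target rules and the
    online host list: one permit rule per (IP, MAC). A host whose rule content
    is already present keeps its identifier; a new or changed host gets the
    lowest unused preset identifier, so the diff below can key on identifiers."""
    id_by_content = {r.content: r.rule_id for r in targets}
    used = set(id_by_content.values())
    latest = []
    for ip, mac in online_hosts:
        content = f"permit source {ip} {mac}"
        rid = id_by_content.get(content)
        if rid is None:
            rid = next((i for i in PRESET_RULE_RANGE if i not in used), None)
            if rid is None:
                raise ValueError("preset rule identifier range exhausted")
            used.add(rid)
        latest.append(AclRule(rid, content))
    return latest


def diff_rules(targets: list[AclRule],
               latest: list[AclRule]) -> tuple[list[AclRule], list[AclRule]]:
    """Compare by rule identifier: an original target rule whose identifier is
    absent from the latest list is to be deleted; a latest rule whose
    identifier is absent from the original target list is to be added."""
    latest_ids = {r.rule_id for r in latest}
    target_ids = {r.rule_id for r in targets}
    to_delete = [r for r in targets if r.rule_id not in latest_ids]
    to_add = [r for r in latest if r.rule_id not in target_ids]
    return to_delete, to_add


def to_commands(to_delete: list[AclRule], to_add: list[AclRule],
                acl_number: int = 3000) -> str:
    """Render both lists as one configuration command string (assumed syntax).
    Returns an empty string when there is nothing to change."""
    if not to_delete and not to_add:
        return ""
    lines = [f"acl number {acl_number}"]
    lines += [f"undo rule {r.rule_id}" for r in to_delete]
    lines += [f"rule {r.rule_id} {r.content}" for r in to_add]
    return "\n".join(lines)


def plan_update(config_text: str,
                online_hosts: list[tuple[str, str]]) -> str:
    """Run the whole pipeline and return the command string to submit."""
    targets = select_target_rules(parse_acl_config(config_text))
    latest = build_latest_rules(targets, online_hosts)
    return to_commands(*diff_rules(targets, latest))


if __name__ == "__main__":
    print(plan_update(SAMPLE_ACL_CONFIG, SAMPLE_ONLINE_HOSTS))
```

The string returned by `plan_update` is what the patent submits to the device over SSH in one batch; the example stops before that network step. Two design points matter for the identifier-only comparison the patent describes: the latest list reuses an identifier only when the rule content is byte-for-byte identical, so a host whose MAC changed comes back under a new identifier and its old rule is deleted rather than silently kept; and because rules outside the preset identifier set are filtered out before the diff, a device-level default such as the trailing deny rule is never generated, compared or removed by the tool.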
Embodiment three:
Based on the same inventive concept, an embodiment of the present application provides a terminal device, where the terminal device includes a processor 401 and a memory 402, the memory 402 stores a computer program, the processor 401 and the memory 402 communicate through a communication bus, and the processor 401 executes the computer program to implement each step of the method in the first embodiment, which is not described here again.
It will be appreciated that the configuration shown in fig. 4 is merely illustrative, and that the terminal device may also include more or fewer components than shown in fig. 4, or have a different configuration than shown in fig. 4.
The processor 401 may be an integrated circuit chip having signal processing capabilities. The processor 401 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), etc.; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components. It may implement or perform the methods, steps and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
Memory 402 may include, but is not limited to, Random Access Memory (RAM), Read Only Memory (ROM), Programmable Read Only Memory (PROM), Erasable Programmable Read Only Memory (EPROM), Electrically Erasable Programmable Read Only Memory (EEPROM), and the like.
The present embodiment also provides a computer-readable storage medium, such as a floppy disk, an optical disk, a hard disk, a flash memory, a USB disk, an SD card, an MMC card, etc., in which one or more programs for implementing the above steps are stored, and the one or more programs may be executed by one or more processors 401 to implement the steps of the method in the first embodiment, which is not described here again.
It should be noted that the illustrations provided in the present embodiment merely explain the basic concept of the present invention by way of illustration; only the components related to the present invention are shown in the drawings, and they are not drawn according to the number, shape and size of the components in an actual implementation. The form, number and proportion of the components in an actual implementation may be changed arbitrarily, and the layout of the components may be more complex. The structures, proportions, sizes, etc. shown in the drawings attached hereto are for illustration purposes only and are not intended to limit the scope of the invention, which is defined by the claims. Likewise, terms such as "upper," "lower," "left," "right," "middle," and "a" recited in the present specification are merely for descriptive purposes and are not intended to limit the scope of the invention; changes or modifications of relative position are intended to be covered without materially altering the technical context in which the invention may be practised.
The technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The above examples merely represent a few embodiments of the present application, which are described in more detail and are not to be construed as limiting the scope of the invention. It should be noted that it would be apparent to those skilled in the art that various modifications and improvements could be made without departing from the spirit of the present application, which would be within the scope of the present application. Accordingly, the scope of protection of the present application is to be determined by the claims appended hereto.

Claims (10)

1. An ACL rule updating method, characterized by comprising:
acquiring an original target ACL rule list which is configured by network equipment currently and is to be updated, and acquiring a latest ACL rule list which is to be updated by the network equipment currently;
determining that the ACL rule to be deleted is added into the ACL rule list to be deleted and the ACL rule to be newly added into the ACL rule list to be newly added according to the original target ACL rule list and the latest ACL rule list;
and writing the ACL rule list to be deleted and the ACL rule list to be newly added into the network equipment so that the network equipment can delete and newly add the ACL rule according to the ACL rule list to be deleted and the ACL rule list to be newly added.
2. The ACL rule updating method according to claim 1, wherein the obtaining the original target ACL rule list currently configured by the network device to be ACL rule updated includes:
acquiring ACL configuration information from network equipment to be subjected to ACL rule updating;
analyzing the ACL configuration information to obtain an original ACL rule list;
and determining an original target ACL rule list from the original ACL rule list.
3. The ACL rule updating method as claimed in claim 2, wherein said determining an original target ACL rule list from the original ACL rule list includes:
for each original ACL rule in the original ACL rule list, acquiring a rule identifier of the original ACL rule;
judging whether the rule identifier accords with a preset rule identifier or not;
if so, taking the original ACL rule as an original target ACL rule, and taking the set of the original target ACL rule in the original ACL rule list as an original target ACL rule list.
4. The ACL rule updating method according to claim 2, wherein the obtaining the latest ACL rule list to be updated currently by the network device includes:
acquiring a current latest online IP address list and a latest online MAC address list of the network equipment;
and generating a latest ACL rule list according to the original target ACL rule list, the latest online IP address list and the latest online MAC address list.
5. The ACL rule updating method according to any one of claims 1-4, wherein determining that the ACL rule to be deleted is added to the ACL rule list to be deleted and that the ACL rule to be newly added is added to the ACL rule list to be newly added according to the original target ACL rule list and the latest ACL rule list includes:
for each original target ACL rule in the original target ACL rule list, when determining that the original target ACL rule is not in the latest ACL rule list, adding the original target ACL rule as an ACL rule to be deleted into the ACL rule list to be deleted;
and adding each latest ACL rule in the latest ACL rule list as an ACL rule to be added into the ACL rule list to be added when the latest ACL rule is determined not to be in the original target ACL rule list.
6. The ACL rule updating method as claimed in claim 5, wherein each of the original target ACL rules includes a first rule identification and a corresponding first rule content, and each of the latest ACL rules includes a second rule identification and a corresponding second rule content;
and adding each original target ACL rule in the original target ACL rule list as an ACL rule to be deleted into the ACL rule list to be deleted when determining that the original target ACL rule is not in the latest ACL rule list, wherein the method comprises the following steps:
and aiming at each original target ACL rule in the original target ACL rule list, when the corresponding first rule identifier is not in the latest ACL rule list, determining that the original target ACL rule is not in the latest ACL rule list, and adding the original target ACL rule as an ACL rule to be deleted into the ACL rule list to be deleted.
7. The ACL rule updating method as claimed in claim 6, wherein said adding, for each of the latest ACL rules in the latest ACL rule list, it as an ACL rule to be added to the new ACL rule list when it is determined that it is not in the original target ACL rule list, comprises:
for each of the latest ACL rules in the latest ACL rule list, when the corresponding second rule identifier is determined not to be in the original target ACL rule list, the latest ACL rule is determined not to be in the original target ACL rule list, and the latest ACL rule is added into the to-be-added ACL rule list as the to-be-added ACL rule.
8. An ACL rule updating apparatus, characterized by comprising:
the acquisition module is used for acquiring an original target ACL rule list which is configured by the network equipment currently and is to be updated, and acquiring a latest ACL rule list which is to be updated by the network equipment currently;
the determining module is used for determining that the ACL rule to be deleted is added into the ACL rule list to be deleted and the ACL rule to be newly added into the ACL rule list to be newly added according to the original target ACL rule list and the latest ACL rule list;
and the writing module is used for writing the ACL rule list to be deleted and the ACL rule list to be newly added into the network equipment so that the network equipment can delete and newly add the ACL rule according to the ACL rule list to be deleted and the ACL rule list to be newly added.
9. A terminal device comprising a processor and a memory, the memory having stored therein a computer program, the processor executing the computer program to implement the method of any of claims 1-7.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program which, when executed by at least one processor, implements the method of any of claims 1-7.
CN202311570556.XA 2023-11-23 2023-11-23 ACL rule updating method, device, equipment and storage medium Pending CN117278341A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311570556.XA CN117278341A (en) 2023-11-23 2023-11-23 ACL rule updating method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN117278341A true CN117278341A (en) 2023-12-22

Family

ID=89201290

Country Status (1)

Country Link
CN (1) CN117278341A (en)

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2006053824A (en) * 2004-08-13 2006-02-23 Nec Corp Access control system, device and program
CN102349078A (en) * 2009-03-19 2012-02-08 日本电气株式会社 Access control list conversion system, and method and program therefor
CN107508836A (en) * 2017-09-27 2017-12-22 杭州迪普科技股份有限公司 The method and device that a kind of acl rule issues
CN108769045A (en) * 2018-06-07 2018-11-06 深圳市风云实业有限公司 Acl rule configuration method, device and the network equipment
CN110557335A (en) * 2018-06-04 2019-12-10 中兴通讯股份有限公司 Ternary Content Addressable Memory (TCAM) table item processing method and device
CN110837647A (en) * 2018-08-16 2020-02-25 迈普通信技术股份有限公司 Method and device for managing access control list
CN111355746A (en) * 2020-03-16 2020-06-30 深信服科技股份有限公司 Communication method, device, equipment and storage medium
CN113992580A (en) * 2021-09-23 2022-01-28 新华三信息安全技术有限公司 Method and equipment for modifying policy routing
US20220210128A1 (en) * 2020-12-31 2022-06-30 Cerner Innovation, Inc. Generating network infastructure firewalls
CN115695014A (en) * 2022-11-02 2023-02-03 北京百度网讯科技有限公司 Access control list construction and data message processing method, device and system
CN116112191A (en) * 2021-11-11 2023-05-12 中国移动通信集团山东有限公司 Method, device and network equipment for configuring ACL (Access control list) based on routing table

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
BIANLU3602: ""ACL访问控制列表规则建立、增加条目、删除条目"", Retrieved from the Internet <URL:https://blog.csdn.net/bianlu3602/article/details/100953711> *
JEFF MELNICK: ""How to Manage File System ACLs with PowerShell Scripts"", Retrieved from the Internet <URL:https://blog.netwrix.com/2018/04/18/how-to-manage-file-system-acls-with-powershell-scripts/> *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination