CN1933487A - Method, device and system for assuring correct execution - Google Patents

Publication number: CN1933487A
Authority: CN (China)
Prior art keywords: acl, rule, acl rule, rules, network equipment
Legal status: Granted
Application number: CNA2006101400685A
Other languages: Chinese (zh)
Other versions: CN100531218C (en)
Inventors: 王明辉, 赵品
Current assignee: Hewlett Packard Enterprise Development LP
Original assignee: Hangzhou Huawei 3Com Technology Co Ltd
Application filed by Hangzhou Huawei 3Com Technology Co Ltd; priority to CNB2006101400685A; published as CN1933487A; application granted and published as CN100531218C; legal status: Active.
Abstract

A method for assuring correct execution comprises comparing all rules issued to any one port of a network device to judge whether any two rules are reversed in execution order and, if so, adjusting the two rules according to the principle that the rule issued first takes effect first; all the adjusted rules are then issued in sequence to that port of the network device, so that packets receive correct service processing. A device for realizing the method is also disclosed.

Description

A method, device and system for assuring correct execution
Technical field
The present invention relates to network communication technology, and in particular to a method, device and system for assuring that access control list (ACL) rules are executed correctly.
Background art
At present, so that a network device can perform various kinds of service processing on received packets according to the user's requirements, such as redirecting or discarding them, corresponding ACL rules usually have to be issued to a port of the network device; the ACL rules record the service-processing requirements for the various packets. When the network device receives a packet on a port, it first matches the packet against the ACL rules corresponding to that port and then performs the corresponding service processing according to the ACL rule that matched.
To record all ACL rules issued to each port, the network device provides hardware table entries for each port, comprising a rule (RULE) table, a mask (MASK) table, a counter (COUNTER) table and a rate-limiting (METER) table. The MASK, RULE, COUNTER and METER tables are described in Table 1 below.
MASK table
  Effect: indicates which positions of the packet the user needs to match; the user may match 32 bytes within the first 80 bytes of the packet.
  Entry structure: mask of the 32 bytes to match; start sequence number in the RULE table; end sequence number in the RULE table.
  Function: the 32 matched bytes are divided into 8 groups of 4 bytes; byte positions are not arbitrary and must satisfy the requirement of 4 contiguous bytes. MASK entries and RULE entries are in a one-to-many relation: a MASK entry records the start and end positions of its block of RULE entries.
RULE table
  Effect: describes the packet content the user needs to match.
  Entry structure: MASK table sequence number; IN-PROFILE action; OUT-PROFILE action; COUNTER entry sequence number; METER entry sequence number; other miscellaneous fields.
  Function: a RULE entry records the sequence numbers of its corresponding MASK entry, METER entry and COUNTER entry; if there is no rate-limiting or counting function, the METER and COUNTER entry sequence numbers are set to 0. The main actions of a RULE entry are: discard / forward / redirect / re-mark / count.
COUNTER table
  Effect: counts matched packets.
  Entry structure: counter value.
  Function: used for the traffic-statistics function.
METER table
  Effect: indicates the flow-limiter resource used to control the bandwidth of packets.
  Entry structure: token bucket size; token injection rate; remaining tokens in the bucket.
  Function: used for the traffic-limiting function.
Table 1
Referring to Table 1, when an ACL rule is issued to a port of the network device, the network device decomposes the content of the rule and assigns it to the MASK table and RULE table corresponding to that port; if the action issued by the user is traffic statistics or traffic limiting, the parameters related to the action are saved in the COUNTER table and METER table of that port.
At present, many network devices, such as those that use a Broadcom chip for packet processing, set up hardware table entries for issued ACL rules according to the following principle: if different ACL rules correspond to the same mask, they share one MASK entry, and their RULE entries are placed together in the RULE table to form one "block", without regard to the order in which the rules were issued; if different ACL rules correspond to different masks, a MASK entry is set up for each in turn, in the order the rules were issued, and the corresponding RULE entries are set up in turn in the RULE table. For example, the user issues the following three ACL rules in turn to port 1 of the network device:
rule 1 permit ip source 2.2.11.2 0
rule 2 deny ip source 2.2.11.0 0.0.0.255
rule 3 permit ip source 2.2.11.3 0
Rule 1, issued first, requires packets whose source IP address matches 2.2.11.2/32 to be forwarded; rule 2, issued next, requires packets whose source IP address matches 2.2.11.0/24 to be discarded; and rule 3, issued last, requires packets whose source IP address matches 2.2.11.3/32 to be forwarded.
Referring to Fig. 1, according to the above principle for setting hardware table entries, when the network device first receives rule 1 it sets up MASK entry 1 for rule 1 in the MASK table of port 1 and RULE entry 1 for rule 1 in the RULE table of port 1; when it next receives rule 2, the mask of rule 2 differs from that of rule 1, so the device sets up MASK entry 2 for rule 2 in the MASK table of port 1 and RULE entry 2 for rule 2 in the RULE table of port 1; when it finally receives rule 3, the mask of rule 3 is the same as that of rule 1, so the device sets the MASK entry of rule 3 to MASK entry 1 of rule 1 and places RULE entry 3, set up for rule 3, together with RULE entry 1 to form one "block".
Once the hardware table entries are set, when the network device receives a packet it traverses all MASK entries and their RULE entries and obtains a series of actions for the packet. If these actions do not conflict, the device carries out the processing of each action; if they conflict, then for the conflicting actions only the action in the RULE entry matched according to the MASK entry that was set up earlier is carried out.
The execution principle for ACL rules that users currently require is: the rule issued first takes effect first. For rules 1, 2 and 3 issued in turn, the mask of rule 2 is shorter and requires only that an IP address segment be matched, while the mask of rule 3 is longer and requires a specific host IP address to be matched; rule 3 and rule 2 intersect, that is, a packet can match rule 2 and rule 3 at the same time; and the actions of rule 2 and rule 3 conflict, rule 2 requiring discard and rule 3 requiring forward. According to the execution principle, rule 2 was issued first and should take effect first, so a packet that can match rule 3 should first be discarded by rule 2 and no longer be forwarded according to rule 3.
However, referring to Fig. 1, because the mask of rule 3 is the same as that of rule 1, which was issued first, the MASK entry and RULE entry of rule 3 are both placed before those of rule 2. When the network device receives on port 1 a packet that matches both rule 3 and rule 2, the actions of rules 3 and 2 conflict, so it executes only the action of rule 3, matched according to the earlier MASK entry 1, i.e. it forwards the packet, and does not execute the action of rule 2, matched according to the later MASK entry 2, i.e. it does not discard the packet. The execution order of the ACL rules is thus reversed: in the actual service implementation, the network device does not perform the service processing of rules 1, 2 and 3 according to the required execution order.
When the execution order of two ACL rules is reversed, and the two reversed rules intersect and have conflicting actions, as with rules 2 and 3, where rule 2 requires discarding packets whose IP address satisfies 2.2.11.3/32 but rule 3 requires forwarding them, executing the two rules in the reversed order cannot process packets correctly and cannot meet the user's needs.
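The reversal described above can be reproduced with a small model of the prior-art tables. The following is an added example, not code from the patent or from any vendor: rules match only the source IP prefix, the prefix length stands in for the MASK entry, rules with the same prefix length share one RULE block, and conflicts are resolved in favour of the earliest-created MASK entry, exactly as the description states. The three rule lines are the page's own, in the "source address wildcard" syntax; the parser accepts only contiguous wildcards, which is all that the example needs.

```python
import ipaddress

# Added model of the prior-art MASK/RULE tables (not the patent's code). Only
# source-prefix rules are modelled; the prefix length plays the role of the MASK entry.

def parse_rule(line):
    """Parse 'rule N permit|deny ip source ADDR WILDCARD'; wildcard bits are don't-care."""
    parts = line.split()
    rule_id, action, addr, wildcard = int(parts[1]), parts[2], parts[5], parts[6]
    wc = int(ipaddress.IPv4Address(wildcard)) if "." in wildcard else int(wildcard)
    if wc & (wc + 1):                      # only contiguous low-order wildcards modelled
        raise ValueError(f"non-contiguous wildcard in: {line}")
    prefix_len = 32 - wc.bit_length()
    return {"id": rule_id, "action": action,
            "net": ipaddress.IPv4Network(f"{addr}/{prefix_len}", strict=False)}

class HardwareAcl:
    """MASK/RULE tables of one port, filled by the principle in the description:
    rules with an equal mask share one MASK entry and form one RULE block; a new
    mask gets a new MASK entry appended in the order the rule arrived."""
    def __init__(self):
        self.mask_table = []     # prefix lengths in creation order (MASK entry 1, 2, ...)
        self.rule_blocks = {}    # prefix length -> rules of the block behind that MASK entry

    def install(self, rule):
        plen = rule["net"].prefixlen
        if plen not in self.rule_blocks:
            self.mask_table.append(plen)
            self.rule_blocks[plen] = []
        self.rule_blocks[plen].append(rule)

    def lookup(self, src):
        """Walk every MASK entry and its RULE block; when matched actions conflict,
        the rule matched under the earliest-created MASK entry wins."""
        addr = ipaddress.IPv4Address(src)
        matched = [r for plen in self.mask_table for r in self.rule_blocks[plen]
                   if addr in r["net"]]
        return matched[0]["action"] if matched else None

def build_tables(rules):
    hw = HardwareAcl()
    for r in rules:
        hw.install(r)
    return hw

def intended_action(rules_in_issue_order, src):
    """The user's expectation: the rule issued first takes effect first."""
    addr = ipaddress.IPv4Address(src)
    for r in rules_in_issue_order:
        if addr in r["net"]:
            return r["action"]
    return None

def execution_mismatches(rules, probes):
    """Source addresses for which the hardware order and the issue order disagree."""
    hw = build_tables(rules)
    return [s for s in probes if hw.lookup(s) != intended_action(rules, s)]

# The three rules of the description, in the order the user issued them.
PAGE_RULES = [parse_rule(line) for line in (
    "rule 1 permit ip source 2.2.11.2 0",
    "rule 2 deny ip source 2.2.11.0 0.0.0.255",
    "rule 3 permit ip source 2.2.11.3 0",
)]

if __name__ == "__main__":
    hw = build_tables(PAGE_RULES)
    print("MASK table:", hw.mask_table)            # [32, 24]: rule 3 joined rule 1's block
    print("hardware:", hw.lookup("2.2.11.3"), "intended:", intended_action(PAGE_RULES, "2.2.11.3"))
    print("mismatching sources:", execution_mismatches(PAGE_RULES, ["2.2.11.2", "2.2.11.3", "2.2.11.9"]))
```

Running it shows the MASK table holding the /32 entry first and the /24 entry second, so a packet from 2.2.11.3 is forwarded by the hardware although the issue order would have discarded it; 2.2.11.2 and 2.2.11.9 are handled the same way by both.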
Summary of the invention
In view of this, the first object of the present invention is to provide a method for assuring correct execution, the second object is to provide a device for assuring correct execution, and the third object is to provide a system for assuring correct execution, so that a network device can execute ACL rules correctly and perform correct service processing on packets.
To achieve the above objects, the technical solution of the present invention is realized as follows:
A method for assuring correct execution, the method comprising:
comparing all access control list (ACL) rules issued to any one port of a network device, judging whether there are any two ACL rules whose execution order is reversed, and if so adjusting the two ACL rules according to the principle that the rule issued first takes effect first; the network device then sets the hardware table entries corresponding to the port according to all the adjusted ACL rules.
The method further comprises: when the user issues ACL rules to the port in sequence, setting priorities from high to low for the ACL rules according to the order in which they were issued, and re-sorting the ACL rules;
the comparing is: comparing all the re-sorted ACL rules;
the judging whether there are any two ACL rules whose execution order is reversed comprises: when comparing any two ACL rules, judging whether the priority of the rule placed in front is lower than the priority of the rule placed behind, and if so determining that the two ACL rules have a reversed execution order.
The step of re-sorting the ACL rules comprises: sorting, in descending order of ACL rule mask length, all ACL rules that need to be issued to any one port of the network device.
After judging that there are two ACL rules whose execution order is reversed, and before the adjusting, the method further comprises: judging whether the two ACL rules intersect and whether their actions conflict; if both hold, continuing with the step of adjusting the two ACL rules according to the principle that the rule issued first takes effect first.
The step of adjusting the two ACL rules comprises: generating a new ACL rule whose action comprises, of the two ACL rules, the action of the rule that needs to take effect first that conflicts with the action of the rule that needs to take effect later, and placing the new rule in front of the two ACL rules.
The action of the generated new rule may also comprise the actions of the rule that needs to take effect first that do not conflict with the rule that needs to take effect later.
When comparing, the method further comprises: for any two ACL rules, judging whether the rule that currently needs to take effect later is covered by the rule that currently needs to take effect first, and if so deleting the rule that currently needs to take effect later.
The method further comprises: when the user issues ACL rules to the port in sequence, setting priorities from high to low for the ACL rules according to the order of issue;
the rule that currently needs to take effect later is the one of the two ACL rules with the lower priority;
the rule that currently needs to take effect first is the one of the two ACL rules with the higher priority.
The method further comprises: sorting, in descending order of ACL rule mask length, all ACL rules that need to be issued to any one port of the network device;
the comparing is: among all the re-sorted ACL rules, comparing each ACL rule in turn with every ACL rule placed after it.
After the network device has set the hardware table entries, the method further comprises: when a newly added ACL rule needs to be issued to the port of the network device, comparing the new rule with the previously issued ACL rules, judging whether the new rule and the rule it is compared with have a reversed execution order, and if so adjusting the new rule and the rule it is compared with according to the principle that the rule issued first takes effect first; the network device then updates the hardware table entries corresponding to the port according to the adjustment made.
After judging that the new rule and the rule it is compared with have a reversed execution order, and before the adjusting, the method further comprises: judging whether the new rule and the rule it is compared with intersect and whether their actions conflict; if both hold, continuing with the step of adjusting.
The adjusting comprises: generating a new ACL rule whose action comprises, of the newly added rule and the rule it is compared with, the action of the rule that needs to take effect first that conflicts with the action of the rule that needs to take effect later;
the step of updating the hardware table entries corresponding to the port comprises: the network device updating the hardware table entries corresponding to the port according to the generated new rule and the newly added ACL rule.
The steps of comparing and adjusting are carried out by the network device after it receives each ACL rule in turn on the port.
Alternatively, before all ACL rules are issued to the port of the network device, the steps of comparing and adjusting are carried out by a pre-arranged device for assuring correct execution that is independent of the network device;
after the adjusting, and before the network device sets the hardware table entries, the method further comprises: the device for assuring correct execution issuing all the adjusted ACL rules in sequence to the port of the network device.
A device for assuring correct execution, the device comprising an interaction unit and an adjustment unit, wherein:
the interaction unit receives in sequence all ACL rules to be issued to any one port of a network device;
the adjustment unit, once the interaction unit has received all ACL rules to be issued to any one port of the network device, compares all the rules, judges whether any two have a reversed execution order, and, having determined that they do, adjusts those two rules according to the principle that the rule issued first takes effect first.
The adjustment unit further determines that the two ACL rules intersect and have conflicting actions before adjusting them according to the principle that the rule issued first takes effect first.
A system for assuring a correct execution order, the system comprising a device for assuring a correct execution order and a network device, wherein:
the device for assuring a correct execution order compares all ACL rules to be issued to any one port of the network device, judges whether any two have a reversed execution order, and if so adjusts those two rules according to the principle that the rule issued first takes effect first;
the network device sets hardware table entries according to all the adjusted ACL rules and, when receiving a packet, performs the corresponding service processing on it according to the hardware table entries.
The device for assuring a correct execution order is integrated in the network device;
alternatively, it is arranged in a device independent of the network device, and further issues all the adjusted ACL rules to the port of the network device after adjusting them.
It can be seen that in the present invention, before all ACL rules intended for a port of the network device are issued, the rules are first put through a series of comparisons; when the execution order of any two rules is found to be reversed, and after it is further determined that the two rules intersect and have conflicting actions, the two rules are adjusted according to the principle that the rule issued first takes effect first; all the adjusted ACL rules are then issued in sequence to the port of the network device, which performs the corresponding services according to the adjusted rules it receives. The present invention therefore ensures that the network device executes ACL rules correctly and performs correct service processing on packets.
Description of drawings
Fig. 1 is a schematic diagram of MASK entries and RULE entries set up in the prior art for three issued ACL rules.
Fig. 2A is a structural diagram of the device for assuring correct execution in the present invention.
Fig. 2B is a structural diagram of the system for assuring correct execution in the present invention.
Fig. 3 is a flow chart of assuring correct execution of ACL rules in an embodiment of the present invention.
Embodiments
The present invention proposes a method for assuring that ACL rules are executed correctly. Its core idea is: all ACL rules to be issued to any one port of the network device are compared to judge whether any two of them have a reversed execution order; if so, the two rules are adjusted according to the principle that the rule issued first takes effect first; the network device then sets the hardware table entries corresponding to the port according to all the adjusted ACL rules.
Correspondingly, the present invention also proposes a device for assuring that ACL rules are executed correctly. Fig. 2A is a structural diagram of the device for assuring correct execution in the present invention. Referring to Fig. 2A, the device comprises an interaction unit and an adjustment unit, wherein:
the interaction unit receives in sequence all ACL rules to be issued to any one port of the network device;
the adjustment unit, once the interaction unit has received all ACL rules to be issued to any one port of the network device, compares all the rules, judges whether any two of them have a reversed execution order, and, having determined that they do, adjusts those two rules according to the principle that the rule issued first takes effect first.
Correspondingly, the present invention also proposes a system for assuring that ACL rules are executed correctly. Fig. 2B is a structural diagram of the system for assuring correct execution in the present invention. Referring to Fig. 2B, the system comprises the device for assuring correct execution shown in Fig. 2A and a network device, wherein:
the device for assuring correct execution compares all ACL rules to be issued to any one port of the network device, judges whether any two of them have a reversed execution order, and if so adjusts those two rules according to the principle that the rule issued first takes effect first;
the network device sets hardware table entries according to all the ACL rules adjusted by the device for assuring correct execution and, when receiving a packet, performs the corresponding service processing on it according to the hardware table entries.
In the present invention, the device for assuring correct execution may be integrated in the network device; alternatively, it may be arranged in a device independent of the network device, in which case it further issues all the adjusted ACL rules to the port of the network device after adjusting them.
To make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the drawings and specific embodiments.
Fig. 3 is a flow chart of assuring correct execution of ACL rules in an embodiment of the present invention. Referring to Fig. 2A, Fig. 2B and Fig. 3, in this embodiment the process of assuring that ACL rules are executed correctly comprises the following steps:
Step 301: receive all ACL rules issued by the user that are to be assigned to any one port of the network device.
For ease of description, the following process takes port 1 of the network device as the example port.
Step 302: set a priority for each received ACL rule according to the order in which the user issued the rules.
The priority set in this step represents, in the subsequent process, the order in which the user expects the ACL rules to take effect, and may be a numeric value representing that order. For example, the 1st ACL rule issued by the user is given the highest priority 1, the 2nd rule issued by the user the next highest priority 2, and the n-th rule issued by the user priority n.
Step 303: sort all received ACL rules in descending order of mask length.
Here, an ACL rule with a long mask requires a packet to match over a greater length, i.e. a stricter matching condition must be satisfied before the rule executes; an ACL rule with a short mask requires a packet to match over a smaller length, i.e. only a looser matching condition need be satisfied before the rule executes. For example, for rules 3 and 2 above, rule 3 has the longer mask and executes only once a specific IP address matches, while rule 2 has the shorter mask and executes as soon as the address falls within an IP address segment. An ACL rule with a long mask may therefore be covered by an ACL rule with a short mask, so in this step rules with long masks are placed in front and rules with short masks behind, so that rules which may be covered by other rules are, as far as possible, issued first and thus executed first.
Note that in this step, if two ACL rules have the same mask length, their priorities are compared: the rule with the higher priority was issued by the user earlier, so it is placed before the rule with the lower priority.
Step 304: among all the sorted ACL rules, select an ACL rule that has not yet been selected.
Preferably, the not-yet-selected rule is chosen in the sorted order: the first selection is the rule placed first, and so on, until the rule placed last is selected.
Step 305: judge whether, among the ACL rules placed after the currently selected rule, there is one that has not yet been compared with the currently selected rule; if so, go to step 306, otherwise return to step 304.
Step 306: select a rule placed after the currently selected rule that has not yet been compared with it (called the currently compared rule), and judge whether the priority of the currently selected rule is higher than or equal to that of the currently compared rule; if so, end the comparison with the currently compared rule directly and return to step 305, otherwise go to step 307.
Because rules with long masks are placed before rules with short masks, and in this step the currently selected rule is compared with rules placed after it, the currently selected rule may be covered by the currently compared rule. In this case:
if the priority of the currently selected rule is higher than or equal to that of the currently compared rule, the currently selected rule was issued to the network device no later than the currently compared rule, so even if the subsequent process found that their actions conflict, executing them in this order still satisfies the user's requirement and causes no error (here the currently selected rule corresponds to rule 1 above and the currently compared rule to rule 2), and the comparison with the currently compared rule therefore ends directly;
conversely, if the priority of the currently selected rule is lower than that of the currently compared rule, the currently selected rule may not only be covered but should also have been issued to the network device after the currently compared rule (here the currently selected rule corresponds to rule 3 above and the currently compared rule to rule 2); if the subsequent process then finds that their actions conflict, the ACL rules would be executed wrongly, so the determination continues with step 307 and the steps that follow it.
Step 307: judge whether the currently selected rule is covered by the currently compared rule; if so, delete the currently selected rule directly and return to step 304, otherwise go to step 308.
The currently selected rule is covered by the currently compared rule when the currently compared rule contains the entire content of the currently selected rule, i.e. any packet satisfying the currently selected rule necessarily satisfies the currently compared rule, or when the two rules are identical.
This step is reached because the priority of the currently selected rule is lower than that of the currently compared rule, i.e. as required by the user the currently compared rule should take effect before the currently selected rule. In this case:
if the currently selected rule is covered by the currently compared rule, it would never be executed even if issued to the network device, so it is preferably deleted directly; deleting it is only the preferred handling, and in an actual implementation it may instead be left undeleted and issued directly;
if the currently selected rule is not covered by the currently compared rule, the possibility of an ACL execution error remains, and the determination continues with step 308 and the steps that follow it.
Step 308: judge whether the currently selected rule and the currently compared rule intersect; if so, go to step 309, otherwise end the comparison with the currently compared rule directly and return to step 305.
The two rules intersect when they have partly identical and partly different content, i.e. there exist packets that match both rules at the same time and there also exist packets that satisfy only one of them. For example, rules 2 and 3 above intersect, because the IP address in rule 3 is one address within the IP address segment of rule 2.
If the two rules are disjoint, no ACL execution error can arise whichever of them is executed first, so the current comparison can end; if they intersect, the two rules may cause an ACL execution error, and the determination continues with step 309 and the steps that follow it.
Step 309: judge whether the actions of the currently selected rule and the currently compared rule conflict; if so, go to step 310, otherwise end the comparison with the currently compared rule directly and return to step 305.
When this step is reached, the priority of the currently selected rule is lower than that of the currently compared rule, i.e. the user requires the currently compared rule to take effect first, but the currently selected rule is placed before the currently compared rule and would be issued, executed and take effect first, which is the reversed execution order. If in this situation the two rules intersect and their actions conflict, an ACL execution error is certain (here the currently selected rule corresponds to rule 3 above and the currently compared rule to rule 2), so the adjustment measure of the following step 310 must be taken to ensure that, among the conflicting actions, the action of the currently compared rule, which the user requires to take effect first, does take effect first.
In the comparison process of steps 306 to 309, for the currently selected rule and the currently compared rule, the priorities are compared first, then whether the rules intersect, and then whether their actions conflict, so as to determine whether the two ACL rules can cause an execution error and whether they should be adjusted. Note that this comparison process is only one possible implementation given in this embodiment; in an actual implementation other orders of comparison may be used, for example first judging whether the currently selected rule and the currently compared rule intersect and have conflicting actions, and then judging the priorities of the two rules. Whichever order is used, as long as it can be determined that the currently selected rule is issued to the hardware table entries first, that the two rules intersect and have conflicting actions, and that the user requires the currently compared rule to take effect first, i.e. the priority of the currently selected rule is lower than that of the currently compared rule, the adjustment of the following step 310 can be carried out.
Step 310: generate a new regulation, the new regulation that is generated is come the front of current selected acl rule, and in subsequent process, no longer carry out the new regulation that to be generated and current selected acl rule and currently compare the processing that acl rule compares and adjusts.
When carrying out this step, because the action in the current selected acl rule is designated as action 1, be designated as action 2 with current action of comparing acl rule, there is conflict, but owing to the action 2 in the current acl rule that compares of customer requirements comes into force earlier, therefore, in this step, the action of the new regulation that is generated necessarily comprises: currently compare acl rule and the afoul action of current selected acl rule, promptly move 2.Further, because when carrying out this step, because the action in the current acl rule that compares of customer requirements comes into force earlier, therefore, the action of the new regulation that generates can further include current other actions except that action 2 in the acl rule of comparing, that is to say that the action of the new regulation that is generated can be identical with current action of comparing acl rule.
And the new regulation corresponding priorities that is generated is the priority of current comparison acl rule.
According to the process of above-mentioned steps 306, then finished current selected acl rule and the comparison and the adjustment that come an acl rule thereafter to step 310.
Step 311: judge the current not acl rule of selected mistake that whether also exists, if, then return step 304, otherwise, direct execution in step 312.
By the process of above-mentioned steps 304, then realized all acl rules that needs are issued on any one port of the network equipment are compared in twos, and carried out the corresponding processing of adjusting according to comparative result each time to step 311.
In addition, to show the key technical means of the invention more clearly, taking the sorted ACL rules as the nodes of a linked list List from head to tail, steps 304 to 311 can be expressed intuitively in the following mixture of program code and descriptive language:
Perform the following operations on List:
Step 1: build a relation matrix Matrix for the nodes of List.
    Each value of Matrix records whether two nodes have already been compared: for rule1.ID = ID1 and rule2.ID = ID2,
    Matrix(ID1, ID2) = Matrix(ID2, ID1) = 1 means that the two rules have been compared.
    Initially every value of Matrix is 0.
Step 2: let the rules in List, from front to back, be
    R1, R2, R3, ..., Rn
Step 3: compare R1 in turn with R2, R3, ..., Rn:
    for (i = 2; i <= n; i++)
    {
        (A) if Matrix(R1.ID, Ri.ID) == 1, the pair has already been compared and need not be compared again: continue;
            set Matrix(R1.ID, Ri.ID) = Matrix(Ri.ID, R1.ID) = 1;
        (B) if R1.Pri >= Ri.Pri, no comparison is needed: continue;
        (C) if Ri covers R1, or Ri == R1, delete node R1; release R1.ID so that new nodes can reuse it later, clear every entry of Matrix related to R1.ID, and exit the loop;
            if R1 and Ri are disjoint: continue;
            if R1 and Ri intersect but R1.Act does not conflict with Ri.Act: continue;
        (D) otherwise R1 and Ri intersect and R1.Act conflicts with Ri.Act, so a priority inversion has occurred and an auxiliary rule is needed to resolve it: generate a new node Rn+1 as the intersection of R1 and Ri, satisfying
            Rn+1.Pri = Ri.Pri, Rn+1.Act = Ri.Act, and Rn+1.ID different from the ID of every other node;
            at the same time record Matrix(R1.ID, Rn+1.ID) = Matrix(Rn+1.ID, R1.ID) = 1 and
            Matrix(Ri.ID, Rn+1.ID) = Matrix(Rn+1.ID, Ri.ID) = 1;
            add the new node to List and exit the loop.
    }
    If the loop was exited because a node was deleted or added (at that point i != n+1), go back to step 2;
    otherwise continue with the next step.
Step 4: compare R2 in turn with R3, R4, ..., Rn,
    handling it with the same operations as step 3.
……
Step n+1: compare Rn-1 with Rn,
    handling it with the same operations as step 3.
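The procedure of steps 304 to 311 above, carried through as an added runnable example (this is not code from the patent or from the applicant): rules are modelled as source/destination IPv4 prefixes with a single permit/deny action, a set of already-compared ID pairs stands in for the Matrix, and a first-match `lookup` models the hardware behaviour of step 314 so that the effect of the generated rule can be checked. The `Rule` fields, the `SAMPLE` rules and all helper names are constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass
class Rule:
    rid: int            # unique ID, like rule.ID in the pseudocode above
    src: IPv4Network
    dst: IPv4Network
    action: str         # "permit" or "deny"; differing actions conflict
    pri: int            # larger = issued earlier by the user = must take effect first

    def mask_len(self) -> int:
        # total mask length, used for the descending "vertical ordering" of step 303
        return self.src.prefixlen + self.dst.prefixlen

    def covers(self, other: "Rule") -> bool:
        # every packet matching `other` also matches self (the check of step 307)
        return other.src.subnet_of(self.src) and other.dst.subnet_of(self.dst)


def intersect(r1: Rule, ri: Rule):
    # step 308: IPv4 prefixes either nest or are disjoint, so per field the
    # intersection is the smaller prefix, and the rules intersect only if both exist
    nets = []
    for a, b in ((r1.src, ri.src), (r1.dst, ri.dst)):
        if a.subnet_of(b):
            nets.append(a)
        elif b.subnet_of(a):
            nets.append(b)
        else:
            return None
    return nets[0], nets[1]


def adjust(rules: list) -> list:
    # steps 304 to 311: returns the rule list as it would be issued to the port
    rules = sorted(rules, key=lambda r: -r.mask_len())   # longest mask first (step 303)
    compared = set()                                      # plays the role of Matrix
    next_id = max(r.rid for r in rules) + 1
    restart = True
    while restart:                                        # "go back to step 2"
        restart = False
        for a, r1 in enumerate(rules):
            for ri in rules[a + 1:]:
                pair = frozenset((r1.rid, ri.rid))
                if pair in compared:                      # (A) already compared
                    continue
                compared.add(pair)
                if r1.pri >= ri.pri:                      # (B) order already matches intent
                    continue
                if ri.covers(r1):                         # (C) r1 could never take effect
                    rules.remove(r1)
                    restart = True
                    break
                common = intersect(r1, ri)
                if common is None or r1.action == ri.action:
                    continue                              # disjoint, or no action conflict
                # (D) inversion on overlapping traffic with conflicting actions: the
                # auxiliary rule is the intersection, carrying ri's action and priority
                new = Rule(next_id, common[0], common[1], ri.action, ri.pri)
                next_id += 1
                compared.add(frozenset((r1.rid, new.rid)))
                compared.add(frozenset((ri.rid, new.rid)))
                rules.append(new)
                rules.sort(key=lambda r: -r.mask_len())   # longer mask places it before r1
                restart = True
                break
            if restart:
                break
    return rules


def lookup(table: list, src: str, dst: str):
    # model of step 314: the entry installed earliest decides between conflicting actions
    s, d = IPv4Address(src), IPv4Address(dst)
    for r in table:
        if s in r.src and d in r.dst:
            return r.action
    return None


# Constructed sample: rule 1 was issued first (highest priority), then rule 2, then rule 3.
SAMPLE = [
    Rule(1, IPv4Network("10.0.0.0/8"), IPv4Network("0.0.0.0/0"), "deny", pri=3),
    Rule(2, IPv4Network("0.0.0.0/0"), IPv4Network("192.168.1.0/24"), "permit", pri=2),
    Rule(3, IPv4Network("10.2.0.0/16"), IPv4Network("0.0.0.0/0"), "permit", pri=1),
]
```

Running `adjust(SAMPLE)` yields rules 4, 2 and 1: rule 3 is deleted under (C) because rule 1 covers it, and the generated rule 4 (10.0.0.0/8 to 192.168.1.0/24, deny, priority 3) makes `lookup` return `deny` for a 10.0.0.0/8 source to 192.168.1.0/24 where the mask-sorted but unadjusted order would return `permit`.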
Step 312: according to the current arrangement of the ACL rules, issue each ACL rule in turn, from front to back, to port 1 of the network device.
Referring to Fig. 2A, this step can be performed jointly by the adjustment unit and the interaction unit of the device of the invention: the adjustment unit sends all ACL rules to the interaction unit in their current order, and the interaction unit issues each rule in turn to port 1 of the network device in the order in which the adjustment unit sent them.
Step 313: the network device sets the hardware table entries corresponding to port 1 according to each ACL rule received on port 1.
Step 314: when the network device receives a packet on port 1, it matches the packet against the hardware table entries corresponding to port 1 and performs the corresponding service processing according to the matching result.
Here the network device traverses all MASK entries and the corresponding RULE entries in the hardware table of port 1 and matches the packet to a series of actions. If these actions do not conflict, each of them is performed; if some actions conflict, then among the conflicting actions only the action of the RULE entry matched through the MASK entry that was set up earlier is performed.
Steps 313 and 314 are identical to the corresponding processes of the prior art.
In the process of Fig. 3 the adjustment, that is, generating a new rule, is performed only after it has been determined that the execution order of two ACL rules is inverted and that the two rules intersect with conflicting actions. In a practical implementation, to guarantee that the network device executes the ACL rules correctly and processes packets correctly, the adjustment may also be performed as soon as the execution order of two ACL rules is found to be inverted, regardless of whether they intersect or their actions conflict.
It should be noted that after all ACL rules to be issued to port 1 have been compared and adjusted by the process of Fig. 3, and the network device has set its hardware table entries according to the adjusted rules, the user may need to issue a further, newly added ACL rule to port 1. The process of the invention then comprises: receiving the new ACL rule; comparing it with the previously issued ACL rules; judging whether the new rule and the rule it is compared with have an inverted execution order; if so, optionally also judging whether the new rule and the compared rule intersect and whether their actions conflict; and if so, adjusting the new rule and the compared rule according to the principle that the rule issued first takes effect first. This adjustment is the same as that described for Fig. 3: a new ACL rule is generated whose action comprises, of the new rule and the compared rule, the action of the rule that must take effect first which conflicts with the rule that must take effect later. The network device then updates the hardware table entries corresponding to the port according to the generated rule and the newly added rule.
It should also be noted that, referring to the device of the invention in Fig. 2A, step 301 of Fig. 3 and the reception of a newly added ACL rule can be performed by the interaction unit of the device, and steps 302 to 311 of Fig. 3 together with the comparison and adjustment of a newly added ACL rule can be performed by the adjustment unit of the device.
Further, referring to the system of the invention in Fig. 2B, the device for assuring correct execution may be located in the network device; in that case it performs the comparison and adjustment after the port of the network device has received the ACL rules.
The device for assuring correct execution may also be located in equipment independent of the network device; in that case it performs the comparison and adjustment before all ACL rules are issued to the port of the network device, and after the adjustment it issues the adjusted ACL rules to that port.
In summary, the above are only preferred embodiments of the invention and are not intended to limit its scope of protection. Any modification, equivalent replacement or improvement made within the spirit and principles of the invention falls within its scope of protection.

Claims (18)

1. A method for assuring correct execution, characterized in that the method comprises:
comparing all access control list (ACL) rules to be issued to any port of a network device, and judging whether any two ACL rules have an inverted execution order; if so, adjusting the two ACL rules according to the principle that the rule issued first takes effect first; and the network device setting hardware table entries corresponding to the port according to all ACL rules after adjustment.
2. The method according to claim 1, characterized in that the method further comprises: when the user issues ACL rules to the port in turn, setting the priority of each ACL rule from high to low according to the order of issue, and re-sorting the ACL rules;
the comparing is: comparing all ACL rules after re-sorting;
the judging whether any two ACL rules have an inverted execution order comprises: during the comparison, judging for any two ACL rules whether the priority of the rule placed in front is lower than the priority of the rule placed behind, and if so, determining that the two ACL rules have an inverted execution order.
3. The method according to claim 2, characterized in that re-sorting the ACL rules comprises: ordering all ACL rules to be issued to the port of the network device vertically by mask length, from longest to shortest.
4. The method according to claim 1, characterized in that, after two ACL rules with an inverted execution order have been found and before the adjustment, the method further comprises: judging whether the two ACL rules intersect and whether their actions conflict, and only if both hold, continuing with the adjustment of the two ACL rules according to the principle that the rule issued first takes effect first.
5. The method according to claim 4, characterized in that adjusting the two ACL rules comprises: generating a new ACL rule whose action comprises, of the two ACL rules, the action of the rule that must take effect first which conflicts with the rule that must take effect later, and placing the new rule in front of the two ACL rules.
6. The method according to claim 5, characterized in that the action of the generated new rule further comprises, of the two ACL rules, the actions of the rule that must take effect first which do not conflict with the rule that must take effect later.
7. The method according to claim 1, characterized in that the comparison further comprises: for any two ACL rules, judging whether the rule that currently must take effect later is covered by the rule that currently must take effect first, and if so, deleting the rule that currently must take effect later.
8. The method according to claim 5, 6 or 7, characterized in that the method further comprises: when the user issues ACL rules to the port in turn, setting the priority of each ACL rule from high to low according to the order of issue;
the rule that currently must take effect later is the one of the two ACL rules with the lower priority;
the rule that currently must take effect first is the one of the two ACL rules with the higher priority.
9. The method according to claim 1, characterized in that the method further comprises: ordering all ACL rules to be issued to the port of the network device vertically by mask length, from longest to shortest;
the comparing is: among all ACL rules after re-sorting, comparing each ACL rule with every ACL rule placed after it.
10. The method according to claim 1, characterized in that, after the network device has set the hardware table entries, the method further comprises: when a newly added ACL rule needs to be issued to the port of the network device, comparing the new rule with the previously issued ACL rules, judging whether the new rule and the rule it is compared with have an inverted execution order, and if so, adjusting the new rule and the compared rule according to the principle that the rule issued first takes effect first; and the network device updating the hardware table entries corresponding to the port according to the adjustment performed.
11. The method according to claim 10, characterized in that, after it has been judged that the newly added ACL rule and the compared rule have an inverted execution order and before the adjustment, the method further comprises: judging whether the new rule and the compared rule intersect and whether their actions conflict, and only if both hold, continuing with the adjustment.
12. The method according to claim 11, characterized in that the adjustment comprises: generating a new ACL rule whose action comprises, of the newly added rule and the compared rule, the action of the rule that must take effect first which conflicts with the rule that must take effect later;
and updating the hardware table entries corresponding to the port comprises: the network device updating the hardware table entries corresponding to the port according to the generated rule and the newly added ACL rule.
13. The method according to claim 1 or 10, characterized in that the comparison and adjustment are performed by the network device after the ACL rules have been received in turn on the port.
14. The method according to claim 1 or 10, characterized in that the comparison and adjustment are performed, before all ACL rules are issued to the port of the network device, by a pre-configured device for assuring correct execution that is independent of the network device;
and after the adjustment and before the network device sets the hardware table entries, the method further comprises: the device for assuring correct execution issuing all adjusted ACL rules in turn to the port of the network device.
15. A device for assuring correct execution, characterized in that the device comprises an interaction unit and an adjustment unit, wherein
the interaction unit is configured to receive in turn all ACL rules to be issued to any port of a network device;
the adjustment unit is configured, when the interaction unit has received all ACL rules to be issued to the port of the network device, to compare all the ACL rules, judge whether any two ACL rules have an inverted execution order and, if so, adjust the two ACL rules according to the principle that the rule issued first takes effect first.
16. The device according to claim 15, characterized in that the adjustment unit performs the adjustment of the two ACL rules according to the principle that the rule issued first takes effect first only after further determining that the two ACL rules intersect and their actions conflict.
17. A system for assuring a correct execution order, characterized in that the system comprises a device for assuring a correct execution order and a network device, wherein
the device for assuring a correct execution order compares all ACL rules to be issued to any port of the network device, judges whether any two ACL rules have an inverted execution order and, if so, adjusts the two ACL rules according to the principle that the rule issued first takes effect first;
the network device is configured to set hardware table entries according to all adjusted ACL rules and, when a packet is received, to perform the corresponding service processing on the packet according to the set hardware table entries.
18. The system according to claim 17, characterized in that the device for assuring a correct execution order is integrated in the network device;
or the device for assuring a correct execution order is located in equipment independent of the network device, and after the adjustment further issues all adjusted ACL rules to the port of the network device.
CNB2006101400685A 2006-10-18 2006-10-18 Method, device and system for assuring correct execution Active CN100531218C (en)

Publications (2)

Publication Number Publication Date
CN1933487A true CN1933487A (en) 2007-03-21
CN100531218C CN100531218C (en) 2009-08-19

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101141304B (en) * 2007-09-18 2010-11-24 杭州华三通信技术有限公司 Management method and equipment of ACL regulation
CN103701639A (en) * 2013-12-17 2014-04-02 上海斐讯数据通信技术有限公司 ACL (Access Control List) collocation method and system
CN103701639B (en) * 2013-12-17 2018-09-28 上海斐讯数据通信技术有限公司 A kind of ACL configuration methods and system
CN107688613A (en) * 2017-08-03 2018-02-13 北京蓝海讯通科技股份有限公司 The processing rule optimization method and computing device of a kind of packet
CN107896169A (en) * 2017-12-28 2018-04-10 杭州迪普科技股份有限公司 A kind of ACL management method and device
CN114301737A (en) * 2021-12-29 2022-04-08 迈普通信技术股份有限公司 Network configuration method and device, network equipment and computer readable storage medium
CN114301737B (en) * 2021-12-29 2023-10-24 迈普通信技术股份有限公司 Network configuration method, device, network equipment and computer readable storage medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Patentee after: NEW H3C TECHNOLOGIES Co.,Ltd.

Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base

Patentee before: HANGZHOU H3C TECHNOLOGIES Co.,Ltd.

CP03 Change of name, title or address
TR01 Transfer of patent right

Effective date of registration: 20230802

Address after: Texas, USA

Patentee after: HEWLETT PACKARD ENTERPRISE DEVELOPMENT L.P.

Address before: 310052 Changhe Road, Binjiang District, Hangzhou, Zhejiang Province, No. 466

Patentee before: NEW H3C TECHNOLOGIES Co.,Ltd.

TR01 Transfer of patent right