WO2017036291A1 - Method, apparatus and storage medium for implementing an access control list (ACL) - Google Patents
- Publication number: WO2017036291A1 (PCT application PCT/CN2016/094450)
- Authority: WO (WIPO (PCT))
- Prior art keywords: rule, keyword, key, node, field
- Prior art date
Classifications
- H04L9/40: Network security protocols (H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication; H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols)
- H04L63/101: Access control lists [ACL] (H04L63/00: Network architectures or network communication protocols for network security; H04L63/10: for controlling access to devices or network resources)
Definitions
- The present invention relates to the field of packet transmission, and in particular to a method, an apparatus and a computer storage medium for implementing an Access Control List (ACL).
- Current packet-forwarding devices implement ACLs with Ternary Content Addressable Memory (TCAM).
- The advantage of implementing an ACL with TCAM is that the implementation is simple, but TCAM also has several shortcomings.
- A TCAM compares the key to be searched against every entry in the same clock cycle, which results in relatively high power consumption.
- TCAM devices are also relatively expensive. Hence the prior art offers no satisfactory way of implementing an ACL.
- Embodiments of the present invention provide a method, an apparatus and a computer storage medium for implementing an access control list (ACL), so as to offer a new way of implementing an ACL that avoids the high power consumption and high cost caused by TCAM.
- The method includes: step A, dividing each keyword to be searched that is extracted from the same data packet into M key segments; step B, accessing the i-th rule table of M preset rule tables using the i-th key segment as the address, and obtaining at least the rule node type corresponding to the i-th key segment, where the M rule tables correspond to rules of the same dimension;
- step C, when the rule node type corresponding to the i-th key segment is a leaf node, determining the rule number corresponding to the i-th key segment as the rule number of the keyword to be searched that corresponds to the M key segments, and proceeding to step E;
- step D, when the rule node type corresponding to the i-th key segment is an intermediate node or a hybrid node, incrementing i by 1 and returning to step B;
- step E, after the rule number of the keyword to be searched has been determined, obtaining the action corresponding to that rule number.
- The method further includes: when the rule node type corresponding to the i-th key segment is an invalid node and the rule node type corresponding to the (i-1)-th key segment is a hybrid node, determining the rule number corresponding to the (i-1)-th key segment as the rule number of the keyword to be searched that corresponds to the M key segments, and proceeding to step E.
- For i = 1, step B includes accessing the first of the M preset rule tables using the first key segment as the address.
- For i = 2, ..., M, step B includes accessing the i-th rule table using the next-level index obtained for the (i-1)-th key segment together with the i-th key segment as the address.
- Step D includes: when the rule node type corresponding to the i-th key segment is an intermediate node, incrementing i by 1 and returning to step B; when the rule node type corresponding to the i-th key segment is a hybrid node, recording the rule number corresponding to the i-th key segment, incrementing i by 1 and returning to step B.
- The method further includes generating the M rule tables from the rules of the same dimension: the keyword corresponding to each rule is divided into M key segments, and only the part of the keyword that needs to be matched (the "care" part) is considered, the rest being wildcard. When the length of the care part equals the length of the first key segment, the first rule table is read using the first key segment as the address and the corresponding node information is obtained and managed.
- When the length of the care part is less than the length of the first key segment, the current remaining field (the care part of the keyword) is expanded over the don't-care bits of the first key segment to obtain every address it covers, the first rule table is read at each such address, and the corresponding node information is obtained and managed.
- When the length of the care part is greater than the length of the first key segment, the first rule table is read using the first key segment as the address and the corresponding node information is obtained and managed as an intermediate node.
- For the i-th key segment, i = 2, ..., M, a difference is carried from the previous stage (for i = 2 it is the length of the care part minus the length of the first key segment). When the difference equals the length of the i-th key segment, the i-th rule table is read using the next-level index of the (i-1)-th key segment together with the i-th key segment as the address, and the corresponding node information is obtained and managed.
- When the difference is smaller than the length of the i-th key segment, the current remaining field, i.e. the part of the care part of the keyword not yet consumed by the preceding key segments, is expanded over the don't-care bits to obtain every address it covers, the i-th rule table is read at each such address, and the corresponding node information is obtained and managed. When the difference is greater, the entry is managed as an intermediate node and the length of the i-th key segment is subtracted from the difference for the next stage.
- The method further includes: after the configured rules are updated, updating M backup rule tables according to the new configuration, the M backup rule tables corresponding one-to-one to the M rule tables; after the M backup rule tables have been updated, switching access to the updated M backup rule tables and updating the M rule tables; and after the M rule tables have been updated, switching access back to the updated M rule tables.
- The method further includes: merging the actions corresponding to the rule numbers of all the keywords to be searched (one per dimension) to obtain the ACL result for the data packet.
- An embodiment of the present invention provides an apparatus for implementing an access control list (ACL), including a rule table module, a scheduling module, an access module, a determining module, a looping module and an obtaining module. The rule table module is configured to store M rule tables corresponding to rules of the same dimension, where M is an integer greater than or equal to 1; the scheduling module is configured to divide each keyword to be searched that is extracted from the same data packet into M key segments; the access module is configured to access the i-th of the M preset rule tables using the i-th key segment as the address and obtain the rule node type corresponding to the i-th key segment.
- The determining module is configured to, when the rule node type corresponding to the i-th key segment is a leaf node, determine the rule number corresponding to the i-th key segment as the rule number of the keyword to be searched that corresponds to the M key segments, and trigger the obtaining module; the looping module is configured to, when the rule node type corresponding to the i-th key segment is an intermediate node or a hybrid node, increment i by 1 and trigger the access module.
- The obtaining module is configured to, once the rule number of the keyword to be searched has been determined, obtain the action corresponding to that rule number.
- The determining module is further configured to, when the rule node type corresponding to the i-th key segment is an invalid node and the rule node type corresponding to the (i-1)-th key segment is a hybrid node, determine the rule number corresponding to the (i-1)-th key segment as the rule number of the keyword to be searched that corresponds to the M key segments, and trigger the obtaining module.
- The access module is configured to access the first of the M preset rule tables using the first key segment as the address, and to access the i-th rule table, i = 2, ..., M, using the next-level index of the (i-1)-th key segment together with the i-th key segment as the address.
- The looping module is configured to, when the rule node type corresponding to the i-th key segment is an intermediate node, increment i by 1 and trigger the access module; and when the rule node type corresponding to the i-th key segment is a hybrid node, record the rule number corresponding to the i-th key segment, increment i by 1 and trigger the access module.
- The apparatus further includes a rule table generating module configured to divide the keyword corresponding to each rule of the same dimension into M key segments; when the length of the care part of the keyword equals the length of the first key segment, read the first rule table using the first key segment as the address and obtain and manage the corresponding node information; when the length of the care part is less than the length of the first key segment, expand the current remaining field (the care part of the keyword) over the don't-care bits to obtain every address it covers, read the first rule table at each such address and obtain and manage the corresponding node information; and when the length of the care part is greater than the length of the first key segment, read the first rule table using the first key segment as the address and obtain and manage the corresponding node information as an intermediate node.
- The rule table generating module is further configured to, for the i-th key segment, i = 2, ..., M, take the difference carried from the previous stage (for i = 2, the length of the care part minus the length of the first key segment) and compare it with the length of the i-th key segment: when they are equal, read the i-th rule table using the next-level index of the (i-1)-th key segment together with the i-th key segment as the address and obtain and manage the corresponding node information; when the difference is smaller, expand the current remaining field over the don't-care bits to obtain every address it covers, read the i-th rule table at each and obtain and manage the corresponding node information; when the difference is greater, manage the entry as an intermediate node and subtract the length of the i-th key segment from the difference for the next stage.
- The rule table module is further configured to, after the configured rules are updated, update M backup rule tables according to the new configuration, the M backup rule tables corresponding one-to-one to the M rule tables; the access module is further configured to switch to accessing the updated M backup rule tables once they have been updated, while the M rule tables are updated, and to switch back to accessing the updated M rule tables once that update is complete.
- The apparatus further includes a merging module configured to merge the actions obtained by the plurality of obtaining modules for the rule numbers of the respective keywords to be searched, so as to obtain the ACL result for the data packet.
- An embodiment of the present invention provides a computer storage medium storing a computer program that, when executed, performs the method for implementing an access control list (ACL) described in the first aspect above.
- The embodiments of the invention provide a method, an apparatus and a computer storage medium for implementing an access control list (ACL).
- Each keyword to be searched that is extracted from the same data packet is divided into M key segments; the i-th key segment is then used as an address to access the i-th of M preset rule tables, and at least the rule node type corresponding to the i-th key segment is obtained, the M rule tables together corresponding to one set of rules (one dimension). The rule number of the keyword to be searched is determined according to the rule node type corresponding to the i-th key segment, and finally the action corresponding to the keyword to be searched is obtained from the determined rule number, i.e. the action corresponding to the matched rule is determined and the ACL is implemented. In this way the high power consumption and high cost caused by TCAM are avoided.
- Because the keyword to be searched is divided into M key segments and, as soon as the rule node type corresponding to the i-th key segment is a leaf node, the rule number corresponding to that key segment is taken as the rule number of the keyword to be searched, it is not necessary to search the entire keyword, which greatly reduces the amount of data processed and improves search efficiency.
- The keywords here may be keywords of one dimension or of multiple dimensions, so that multi-dimensional ACLs can be implemented.
- FIG. 1 is a schematic diagram of a first structure of an apparatus for implementing an ACL according to an embodiment of the present invention
- FIG. 2 is a schematic diagram of a second structure of an apparatus for implementing an ACL according to an embodiment of the present invention
- FIG. 3 is a schematic diagram of a third structure of an apparatus for implementing an ACL according to an embodiment of the present invention.
- FIG. 4 is a schematic flowchart of a method for implementing an ACL according to an embodiment of the present invention.
- FIG. 5 is a schematic flowchart diagram of a method for generating a rule table according to an embodiment of the present invention
- FIG. 6 is a schematic flowchart diagram of another method for generating a rule table according to an embodiment of the present invention.
- FIG. 7 is a schematic diagram of a rule table in an embodiment of the present invention.
- FIG. 8 is a schematic diagram of an action table in an embodiment of the present invention.
- A data packet is assigned to a stream according to specific key fields of the packet.
- Processing such as discarding or forwarding, rate limiting, reassigning priority and so on can then be applied to the stream; this processing is called an action.
- A rule together with its corresponding action is called an ACL.
- The five classic keywords are the source IP address, the destination IP address, the protocol type of the IP payload, the TCP or UDP source port number and the TCP or UDP destination port number.
- Other keywords may also be used, such as CoS, ToS, DSCP, the virtual LAN index (VLAN ID) and the source and destination MAC addresses; the present invention does not limit them.
- Any of the above keywords can be combined arbitrarily, and range limits can be set.
- For example, one rule can be: TCP port 1000-2000 + IP address 255.122.122.* (where * denotes a field that does not need to be matched).
- An embodiment of the present invention provides an apparatus for implementing an ACL.
- The apparatus includes a rule table module 1, a scheduling module 2, an access module 31, a determining module 32, a looping module 33 and an obtaining module 34.
- There may be one rule table module 1 or several. Each rule table module corresponds to rules of one dimension and stores M rule tables, where M is an integer greater than or equal to 1.
- The access module 31, the determining module 32, the looping module 33 and the obtaining module 34 are arranged in a search engine 3.
- One search engine 3 is connected to one rule table module 1, i.e. for the same data packet one search engine 3 searches the rules of one dimension. When the apparatus includes several search engines 3 it can search the rules of several dimensions of the same data packet in parallel, which greatly improves the efficiency of the ACL implementation.
- The apparatus may further include a merging module 4 configured to merge the actions corresponding to the rules of the several dimensions of the same data packet to obtain the ACL result for the packet.
- The apparatus can also perform one-dimensional or multi-dimensional searches for several data packets at the same time, which greatly increases its parallel processing capacity and processing speed and lets it meet the real-time requirements of an ACL.
- The apparatus may further include a polling scheduling module configured to schedule the output of the ACL results of the several data packets to the next processing module.
- The rule table module is configured to store M rule tables corresponding to rules of the same dimension.
- The scheduling module is configured to divide each keyword to be searched that is extracted from the same data packet into M key segments and distribute them to the corresponding search engine.
- The access module is configured to access the i-th of the M preset rule tables using the i-th of the M key segments as the address and obtain the rule node type corresponding to the i-th key segment.
- The determining module is configured to, when the rule node type corresponding to the i-th key segment is a leaf node, determine the rule number corresponding to the i-th key segment as the rule number of the keyword to be searched that corresponds to the M key segments, and trigger the obtaining module.
- The looping module is configured to, when the rule node type corresponding to the i-th key segment is an intermediate node or a hybrid node, increment i by 1 and trigger the access module.
- The obtaining module is configured to, once the rule number of the keyword to be searched has been determined, obtain the action corresponding to that rule number.
- The method includes the following steps.
- S401: for the same data packet, the scheduling module parses the keyword to be searched under the rules of one dimension out of the packet according to preset configuration information. For example, the input port, the destination IP address and the IP priority (ToS) extracted from the packet are combined into {input port, destination IP address, IP priority ToS}, recorded as keyword A to be searched.
- The keyword to be searched is then divided into M key segments. The division may follow a predefined splitting strategy that depends on the actual application and is not specifically limited by the present invention.
- S402: the key segments are sent to the search engine corresponding to the rules of that dimension, and the access module in the search engine accesses the i-th of the M preset rule tables using the i-th of the M key segments as the address, obtaining the rule node type corresponding to the i-th key segment.
- Besides the rule node type, the next-level index and the rule number corresponding to the i-th key segment can be obtained from the rule table, as well as attribute parameters such as the current segment length, which are not specifically limited in the present invention.
- For the first key segment, the access module accesses the first rule table using the first key segment as the address and obtains the rule node type corresponding to the first key segment.
- For the subsequent key segments, i.e. the second, third, ..., M-th key segments, the access module accesses the corresponding rule table using the next-level index of the preceding key segment together with the key segment as the address.
- The M rule tables in each rule table module correspond to rules of the same dimension, and the rule tables stored in the rule table module are preset: before S401, the M rule tables are generated from the rules of that dimension.
- The steps for generating the rule tables are as follows.
- The keyword corresponding to each rule of the same dimension is divided into M key segments of lengths N_1, ..., N_M. Each length N_i can be chosen according to the specific implementation; the lengths may be equal or may differ.
- For example, keyword B is the IP address 168.152.128.*, 32 bits long, divided equally into four segments of 8 bits each.
- The part of keyword B that needs to be matched (key field C) is 168.152.128, 24 bits long.
- The part that does not need to be matched (key field D) is *, 8 bits long.
- The node information includes a node type, a rule number, a next-level index and a current segment length; other content may also be included, and the present invention does not limit it.
- The node information corresponding to one key segment forms one entry.
- When the length of the care part of the keyword equals the length of the first key segment, managing the node information may include: when the node type corresponding to the first key segment in the first rule table is an invalid node, changing the node type to a leaf node, writing the rule number corresponding to the keyword, and setting the current segment length to the length of the care part of the keyword;
- when the node type corresponding to the first key segment in the first rule table is an intermediate node, changing the node type to a hybrid node, writing the rule number corresponding to the keyword, and setting the current segment length to the length of the care part of the keyword;
- when the node type corresponding to the first key segment in the first rule table is a hybrid node or a leaf node, keeping the node type unchanged, writing the rule number corresponding to the keyword, and setting the current segment length to the length of the care part of the keyword.
- When the length of the care part of the keyword is less than the length of the first key segment, the remaining field (the care part of the keyword) is expanded to every address of the first rule table it covers, and at each such address managing the node information may include: when the node type is an invalid node, changing the node type to a leaf node, writing the rule number corresponding to the keyword, and setting the current segment length to the length of the care part;
- when the node type is an intermediate node, changing the node type to a hybrid node, writing the rule number corresponding to the keyword, and setting the current segment length to the length of the care part;
- when the node type is a hybrid node or a leaf node, keeping the node type unchanged and comparing the length of the care part with the current segment length already stored in the entry: if the length of the care part is smaller than the stored current segment length, the original rule number and current segment length are kept (the more specific rule already in the entry wins); otherwise the rule number corresponding to the keyword is written and the current segment length is set to the length of the care part.
- When the length of the care part of the keyword is greater than the length of the first key segment, managing the node information may include: when the node type corresponding to the first key segment in the first rule table is an invalid node, changing the node type to an intermediate node and writing the next-level index corresponding to the first key segment; when the node type is an intermediate node or a hybrid node, keeping the node information unchanged; and when the node type is a leaf node, changing the node type to a hybrid node and writing the next-level index corresponding to the first key segment.
- The method then continues, for the i-th key segment, i = 2, ..., M, as follows.
- S601: take the difference carried from the previous stage (for i = 2, the length of the care part of the keyword minus the length of the first key segment) and compare it with the length of the i-th key segment; whenever the entry is managed as an intermediate node, the length of the i-th key segment is subtracted from the difference to obtain the difference for the next stage.
- When the difference equals the length of the i-th key segment, the i-th rule table is read using the next-level index of the (i-1)-th key segment together with the i-th key segment as the address, and managing the node information may include: when the node type corresponding to the i-th key segment in the i-th rule table is an invalid node, changing the node type to a leaf node, writing the rule number corresponding to the keyword and setting the current segment length to the difference;
- when the node type corresponding to the i-th key segment in the i-th rule table is an intermediate node, changing the node type to a hybrid node, writing the rule number corresponding to the keyword and setting the current segment length to the difference;
- when the node type corresponding to the i-th key segment in the i-th rule table is a hybrid node or a leaf node, keeping the node type unchanged, writing the rule number corresponding to the keyword and setting the current segment length to the difference.
- When the difference is smaller than the length of the i-th key segment, the current remaining field, i.e. the part of the care part of the keyword not yet consumed by the preceding key segments, is expanded to every address of the i-th rule table it covers, and at each such address managing the node information may include: when the node type is an invalid node, changing it to a leaf node, writing the rule number corresponding to the keyword and setting the current segment length to the difference;
- when the node type is an intermediate node, changing it to a hybrid node, writing the rule number corresponding to the keyword and setting the current segment length to the difference;
- when the node type is a hybrid node or a leaf node, keeping the node type unchanged and comparing the difference with the current segment length stored in the entry: if the difference is smaller than the stored current segment length, the original rule number and current segment length are kept; otherwise the rule number corresponding to the keyword is written and the current segment length is set to the difference.
- When the difference is greater than the length of the i-th key segment, the i-th rule table is read using the next-level index of the (i-1)-th key segment together with the i-th key segment as the address, and managing the node information may include: when the node type corresponding to the i-th key segment in the i-th rule table is an invalid node, changing it to an intermediate node and writing the next-level index corresponding to the i-th key segment; when the node type is an intermediate node or a hybrid node, keeping the node information unchanged; and when the node type is a leaf node, changing it to a hybrid node and writing the next-level index corresponding to the i-th key segment.
- S601 to S604 are repeated for each key segment in turn until the M-th rule table has been generated.
- The i-th rule table is as shown in FIG. 7: each entry includes a node type, a current segment length, a next-level index and a rule number.
- The action table is as shown in FIG. 8: each entry includes the priority within the dimension, a drop/forward indication, a QoS mapping, a rate-limit flag and the like.
- The rule node type corresponding to a key segment can be one of three types: a leaf node, an intermediate node or a hybrid node (an entry that has not been written for any rule is an invalid node).
- S403a: when the rule node type corresponding to the i-th key segment is a leaf node, the determining module determines the rule number corresponding to the i-th key segment as the rule number of the keyword to be searched and triggers the obtaining module.
- S403b: when the rule node type corresponding to the i-th key segment is an intermediate node or a hybrid node, the looping module increments i by 1 and triggers the access module again, so that the access module accesses the preset (i+1)-th rule table using the (i+1)-th key segment (together with the next-level index of the i-th key segment) as the address and obtains the rule node type corresponding to the (i+1)-th key segment; S402 to S403b are executed cyclically in this way until the rule number of the keyword to be searched is obtained.
- Take keyword A, divided into segments A1, A2, ..., AM, as an example. A1 is used as the address to access rule table 1 of the M rule tables, and the rule node type corresponding to A1, the next-level index of A1 and the rule number corresponding to A1 are obtained.
- If the rule node type corresponding to A1 is a leaf node, the rule number corresponding to A1 is taken as the rule number of keyword A and the search ends.
- If the node corresponding to A1 is an intermediate node, the next-level index of A1 together with A2 is used as the address to access rule table 2, the rule node type, next-level index and rule number corresponding to A2 are obtained, and the same judgement and processing as for A1 is performed.
- If the node corresponding to A1 is a hybrid node, the rule number corresponding to A1 is recorded, and then the next-level index of A1 together with A2 is used as the address to access rule table 2. If the node corresponding to A2 is an invalid node, the rule number of keyword A is the rule number recorded for A1 and the search ends.
- If the node corresponding to A2 is a leaf node, the rule number of keyword A is the rule number corresponding to A2 and the search ends; if the node corresponding to A2 is an intermediate node or a hybrid node, the search continues in the same way using the next-level index of A2 together with A3 as the address to access rule table 3, and the processing is the same as for A1. This is repeated until the rule number of the keyword is obtained or the entire keyword has been looked up.
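As an added worked example (not code from the patent), the following Python models both the rule-table generation of S601 to S604 and the lookup just described for one dimension, with M = 4 segments of 8 bits over IPv4 addresses as in the 168.152.128.* illustration. Entry fields follow FIG. 7; the dictionary addressing by (next-level index, segment) tuples, the rule numbers, the actions and the rule set in `build_example` are assumptions constructed for the example. It generalises the page in one respect: on reaching an invalid node it falls back to the most recently recorded hybrid rule number, not only the one from table i-1, which is what is needed when a longer prefix has been installed beneath a shorter one.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

INVALID, LEAF, INTERMEDIATE, HYBRID = "invalid", "leaf", "intermediate", "hybrid"


@dataclass
class Entry:                            # one rule-table entry, the four fields of FIG. 7
    node_type: str = INVALID
    seg_len: int = 0                    # current segment length: care bits this entry covers
    next_index: Optional[int] = None    # next-level index (intermediate and hybrid nodes)
    rule: Optional[int] = None          # rule number (leaf and hybrid nodes)


def ip_to_int(dotted: str) -> int:
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def addr(i: int, prefix: Optional[int], seg: int):
    # table 1 is addressed by segment 1 alone; table i by (index from table i-1, segment i)
    return seg if i == 0 else (prefix, seg)


class RuleTables:
    """The M rule tables and the action table for rules of one dimension (assumed layout)."""

    def __init__(self, seg_bits):
        self.seg_bits = list(seg_bits)                  # N_1 .. N_M
        self.tables = [dict() for _ in self.seg_bits]   # table i: address -> Entry
        self.next_free = 0                              # allocator for next-level indexes
        self.actions = {}                               # action table: rule number -> action

    def split(self, key: int):
        """Split a key of sum(N_i) bits into M segments, most significant first."""
        segs, shift = [], sum(self.seg_bits)
        for n in self.seg_bits:
            shift -= n
            segs.append((key >> shift) & ((1 << n) - 1))
        return segs

    def _set_leaf(self, e: Entry, rule: int, care: int):
        # invalid -> leaf, intermediate -> hybrid, leaf and hybrid keep their type
        if e.node_type == INVALID:
            e.node_type = LEAF
        elif e.node_type == INTERMEDIATE:
            e.node_type = HYBRID
        # keep the rule with the longer care length; on a tie the later rule overrides
        if e.rule is None or care >= e.seg_len:
            e.rule, e.seg_len = rule, care

    def _set_intermediate(self, e: Entry) -> int:
        # invalid -> intermediate, leaf -> hybrid, intermediate and hybrid unchanged
        if e.node_type == INVALID:
            e.node_type = INTERMEDIATE
        elif e.node_type == LEAF:
            e.node_type = HYBRID
        if e.next_index is None:
            e.next_index = self.next_free
            self.next_free += 1
        return e.next_index

    def add_rule(self, rule: int, key: int, care_bits: int, action: str):
        """Install `key`, whose top `care_bits` bits must match (the rest is '*')."""
        self.actions[rule] = action
        segs, remaining, prefix = self.split(key), care_bits, None
        for i, n in enumerate(self.seg_bits):
            tbl = self.tables[i]
            if remaining > n:                 # the care part extends past this segment
                prefix = self._set_intermediate(tbl.setdefault(addr(i, prefix, segs[i]), Entry()))
                remaining -= n
                continue
            # last segment that matters: expand its don't-care low bits to every address
            wild = n - remaining
            base = segs[i] & ~((1 << wild) - 1)
            for low in range(1 << wild):
                self._set_leaf(tbl.setdefault(addr(i, prefix, base | low), Entry()), rule, remaining)
            return

    def lookup(self, key: int) -> Tuple[Optional[int], Optional[str]]:
        """Return (rule number, action), or (None, None) when no rule matches."""
        best, prefix = None, None
        for i, seg in enumerate(self.split(key)):
            e = self.tables[i].get(addr(i, prefix, seg))
            if e is None or e.node_type == INVALID:
                break                         # invalid node: fall back to the recorded hybrid rule
            if e.node_type in (LEAF, HYBRID):
                best = e.rule                 # a leaf decides; a hybrid is recorded and we go on
                if e.node_type == LEAF:
                    break
            prefix = e.next_index             # intermediate or hybrid: one table deeper
        return best, self.actions.get(best)


def build_example() -> RuleTables:
    """Constructed rule set (not from the page): IPv4 keys split into four 8-bit segments."""
    t = RuleTables([8, 8, 8, 8])
    t.add_rule(1, ip_to_int("168.152.128.0"), 24, "permit")      # 168.152.128.*
    t.add_rule(2, ip_to_int("168.152.0.0"), 16, "drop")          # 168.152.*.*
    t.add_rule(3, ip_to_int("168.152.128.7"), 32, "rate-limit")  # single host
    t.add_rule(4, ip_to_int("10.0.0.0"), 12, "permit")           # 10.0.0.0/12
    t.add_rule(5, ip_to_int("10.0.0.0"), 8, "drop")              # 10.*.*.*
    return t
```

With `build_example()`, a lookup of 168.152.128.7 walks intermediate (table 1), hybrid (table 2, rule 2 recorded), hybrid (table 3, rule 1 recorded) and ends at the leaf for rule 3 in table 4; 168.152.128.9 reaches an invalid node in table 4 and returns the recorded rule 1; 168.1.1.1 reaches an invalid node with nothing recorded and returns no match. Note that the rule-installation order matters only for rules of equal care length, and that a wildcard shorter than a segment (rule 4's /12) costs 2^(8-4) = 16 expanded entries in table 2, which is the price of never needing a ternary compare.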
- The apparatus for implementing the ACL further provides the action table shown in FIG. 8. The obtaining module accesses the action table using the rule number of the keyword to be searched as the address and obtains the action corresponding to the keyword to be searched, i.e. the action corresponding to the matched rule of that dimension.
- Message attributes such as the priority corresponding to the rule of that dimension, the QoS and QoS priority, the rate-limit identifier and rate-limit identifier priority, the colour of the packet, and whether to discard or forward it, can be obtained by accessing the action table.
- There may be other message attributes as well; the present invention does not impose specific restrictions.
- Finally, the merging module merges the actions corresponding to the rule numbers of the keywords to be searched under the rules of each dimension, and obtains the ACL result for the data packet.
- The rule tables in the rule table module can also be adjusted according to the user's configuration. Since the M rule tables cannot all be updated in one step, and to keep lookups correct while they are being rewritten, the rule table module stores, alongside the M rule tables, M backup rule tables in one-to-one correspondence with them. The method then further includes: after the configured rules are updated, updating the M backup rule tables according to the new configuration; after the M backup rule tables have been updated, switching access to the updated M backup rule tables and updating the M rule tables; and after the M rule tables have been updated, switching access back to the updated M rule tables.
- In other words, the backup rule tables are updated first; the access module then switches to the backup rule tables while the primary rule tables are updated; and the access module finally switches back to the updated primary rule tables. A lookup therefore never reads a set of tables that is only partly updated, so a rule change cannot produce a wrong ACL decision while it is being applied, and the correctness of the ACL implementation is guaranteed.
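An added example (not the patent's own code) of why the double-buffered update matters, in Python: one rule change that touches two of the rule tables is applied once in place and once through the backup tables, with a lookup interleaved after every single write to stand for a packet that races the update. The two-stage tables, the starting state, the write sequence and its order are all constructed for the example.

```python
import copy


def lookup(tables, key):
    """Two-stage lookup over constructed tables: table 0 maps segment 1 to a
    next-level index, table 1 maps (index, segment 2) to a rule number; None = no match."""
    seg1, seg2 = key
    idx = tables[0].get(seg1)
    return None if idx is None else tables[1].get((idx, seg2))


class RuleTableSet:
    """M rule tables plus M one-to-one backup tables; `active` selects the set
    the search engine reads."""

    def __init__(self, tables):
        self.sets = [tables, copy.deepcopy(tables)]
        self.active = 0

    def lookup(self, key):
        return lookup(self.sets[self.active], key)

    def _write(self, set_no, table, addr, value):
        if value is None:
            self.sets[set_no][table].pop(addr, None)      # value None deletes the entry
        else:
            self.sets[set_no][table][addr] = value

    def update_in_place(self, writes, observe):
        """Naive update: rewrite the active tables entry by entry. `observe` is
        called after every write and stands for a lookup that races the update."""
        seen = []
        for table, addr, value in writes:
            self._write(self.active, table, addr, value)
            seen.append(observe(self))
        return seen

    def update_double_buffered(self, writes, observe):
        """Update as described on the page: rewrite the backup set, switch readers
        to it, rewrite the old active set, then switch back to the updated primary."""
        seen = []
        standby = 1 - self.active
        for table, addr, value in writes:
            self._write(standby, table, addr, value)
            seen.append(observe(self))
        self.active = standby                        # switch to the updated backup tables
        seen.append(observe(self))
        for table, addr, value in writes:
            self._write(1 - self.active, table, addr, value)
            seen.append(observe(self))
        self.active = 1 - self.active                # switch back to the updated primary tables
        seen.append(observe(self))
        return seen


def initial_tables():
    """Constructed starting state: key (10, 1) resolves via index 0 to rule 7."""
    return [{10: 0}, {(0, 1): 7}]


# Constructed change: rule 7 for (10, 1) is replaced by rule 8 under a new next-level
# index 5. Table 0 is repointed before table 1 holds the new entry, so an in-place
# update has a window in which (10, 1) matches nothing at all.
WRITES = [(0, 10, 5), (1, (5, 1), 8), (1, (0, 1), None)]


def observe(s):
    return s.lookup((10, 1))
```

Running `RuleTableSet(initial_tables()).update_in_place(WRITES, observe)` returns `[None, 8, 8]`: for one write the key matches no rule, so a packet arriving then would get the device's default treatment rather than either the old or the new rule, which for a deny rule is exactly the gap an attacker wants. `update_double_buffered` on the same change returns only 7s and then 8s, because readers always see a complete set of tables, and both sets are identical once the second switch has happened.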
- In summary, each keyword to be searched that is extracted from the same data packet is divided into M key segments; the i-th of the M key segments is used as an address to access the i-th of the M preset rule tables and obtain at least the rule node type corresponding to the i-th key segment, the M rule tables corresponding to one set of rules; the rule number of the keyword to be searched is determined according to that rule node type; and the action corresponding to the keyword to be searched is obtained from the determined rule number, i.e. the action corresponding to the matched rule is determined and the ACL is implemented. In this way the high power consumption and high cost caused by TCAM are avoided.
- Moreover, because the keyword to be searched is divided into M key segments, the search stops as soon as the rule node type corresponding to the i-th key segment is a leaf node (or is an invalid node following a hybrid node), and the rule number corresponding to that key segment is taken as the rule number of the keyword to be searched, so it is not necessary to search the entire keyword, which greatly reduces the amount of data processed and improves search efficiency. Further, since each keyword of the same data packet is divided into M key segments and processed in the subsequent steps, the keywords here can be keywords of one dimension or of several dimensions, i.e. multi-dimensional ACLs can be implemented.
- the embodiment of the present invention further provides an apparatus for implementing an ACL, which is consistent with the implementation apparatus of the ACL described in the one or more embodiments.
- the device includes: a rule table module 1, a scheduling module 2, an access module 31, a determining module 32, a looping module 33, and an obtaining module 34.
- the looping module 33 is configured to add the value of i when the rule node type corresponding to the i-th key field is an intermediate node or a hybrid node.
- trigger access module 31 Module 34 is configured to upon determining rule number to be searched keyword, the keyword to be searched according to the rule number, rule number to obtain an action corresponding to the keyword to be searched.
- the determining module 32 is further configured to: when the rule node type corresponding to the i-th key field is an invalid node, and the i-1th key field corresponds to When the rule node type is a hybrid node, the rule number corresponding to the i-1th key field is determined as the rule number of the keyword to be searched corresponding to the M key fields, and the obtaining module 34 is triggered.
- the first rule table in the preset M rule tables is accessed for the address.
- the access module 31 is configured to access the ith by using the next-level index and the i-th key segment of the i-1th key field as addresses. Rule table.
- the looping module 33 is configured to increase the value of i by 1 when the rule node type corresponding to the ith key field is an intermediate node, triggering the access module 31; and configuring the ith key segment
- the corresponding rule node type is a hybrid node
- the rule number corresponding to the i-th key field is recorded, and the value of i is incremented by 1, and the access module 31 is triggered.
- the device further includes: a rule table generating module, configured to divide the keyword corresponding to the rule of the same dimension into M segments; when the length of the keyword is equal to the length of the first keyword segment, the first key is The field reads the first rule table as an address, and obtains and manages the corresponding node information. When the length of the keyword is less than the length of the first key field, the remaining fields of the current field are expanded to obtain the remaining fields of the keyword. The first rule table is read as the address remaining field, and the corresponding node information is obtained and managed.
- a rule table generating module configured to divide the keyword corresponding to the rule of the same dimension into M segments; when the length of the keyword is equal to the length of the first keyword segment, the first key is The field reads the first rule table as an address, and obtains and manages the corresponding node information.
- the remaining field of the current time is the key field that needs to be concerned in the keyword; when the length of the keyword is greater than the first When the length of one key field is one, the first key table is read as the address to read the first rule table, and the corresponding node information is acquired and managed.
- the rule table generating module is configured to calculate, for the i-th key segment of the M key fields, a difference between the previous difference and the length of the i-th key segment, where the previous time
- the difference between the length of the key segment to be concerned and the length of the i-th key segment, i 2, 3, ..., M; when the difference is equal to the length of the i-th key segment,
- the next-level index and the i-th key segment of the i-1 keyword segments are used as addresses to read the i-th rule table, and the corresponding node information is acquired and managed; when the difference is smaller than the length of the i-th key segment
- the remaining fields of the current time are expanded to obtain the remaining fields of the keyword, and the ith rule table is respectively read by the remaining fields of the keyword, and the corresponding node information is obtained and managed, wherein the remaining fields of the current time are keywords.
- the key fields that need to be concerned remove the remaining fields after the first i key fields; when the difference is greater than
- the next-level index and the i-th key segment of the i-1th key segment are used as addresses to read the i-th rule table, and the corresponding node information is acquired and managed.
- the rule table module 1 is further configured to: after the configuration rule is updated, update the M backup rule tables according to the new configuration rule, where the M backup rule tables correspond to the M rule tables one by one;
- the access module 31 is further configured to: after the M backup rule table is updated, switch to access the updated M backup rule table, and update the M rule tables; after the M rule tables are updated, switch back to Access the updated M backup rule tables.
- the access module 31, the determining module 32, the looping module 33, and the obtaining module 34 are disposed in the search engine 3, and one search engine 3 is connected to a rule table module 1, that is, for the same data packet, A search engine 3 is able to search for rules of one dimension.
- the apparatus can perform parallel search for rules of multiple dimensions of the same data packet, which greatly improves the efficiency of ACL implementation.
- the device can also perform one-dimensional or multi-dimensional search for multiple data packets in parallel at the same time, thereby greatly improving the parallel data processing capability, so that the processing speed is greatly improved, and the device can be well guaranteed.
- the real-time nature of ACL is possible.
- the device when the ACL device performs a plurality of dimension searches, the device further includes: a merging module configured to merge the actions after obtaining the action corresponding to the rule number of each of the to-be-searched keywords by the obtaining module The ACL result of the packet.
- a merging module configured to merge the actions after obtaining the action corresponding to the rule number of each of the to-be-searched keywords by the obtaining module The ACL result of the packet.
- the embodiment of the invention further describes a computer storage medium, wherein the computer storage medium stores computer executable instructions, and the computer executable instructions are used to execute the implementation method of the ACL described in the foregoing embodiments.
- embodiments of the present invention can be provided as a method, system, or computer program product. Accordingly, the present invention can take the form of a hardware embodiment, a software embodiment, or a combination of software and hardware. Moreover, the present invention may employ computer-usable storage media (including but not limited to disks) in one or more of the computer-usable program code embodied therein. A form of computer program product embodied on a memory and optical storage, etc.).
- the computer program instructions can also be stored in a computer readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer readable memory produce an article of manufacture comprising the instruction device.
- the apparatus implements the functions specified in one or more blocks of a flow or a flow and/or block diagram of the flowchart.
- These computer program instructions can also be loaded onto a computer or other programmable data processing device such that a series of operational steps are performed on a computer or other programmable device to produce computer-implemented processing for execution on a computer or other programmable device.
- the instructions provide steps for implementing the functions specified in one or more of the flow or in a block or blocks of a flow diagram.
- each of the to-be-searched keywords extracted from the same data packet is divided into M key segments, and then the i-th key segment of the M keyword segments is used as an address to access the preset M.
- the i-th rule table in the rule table obtains at least the rule type corresponding to the i-th key field, where M rule tables correspond to one rule, and then, according to the i-th key field pair Determine the rule number of the keyword to be searched, and finally obtain the action corresponding to the keyword to be searched according to the determined rule number, that is, determine the action corresponding to the rule, and implement the ACL; thus, avoiding The problem of high power consumption and high cost caused by TCAM.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Embodiments of the invention disclose a method, an apparatus and a computer storage medium for implementing an access control list (ACL). The method comprises: step A, dividing each key to be searched that is extracted from the same packet into M key segments; step B, accessing the i-th of M preset rule tables using at least the i-th of the M key segments as the address, to obtain the rule node type corresponding to the i-th key segment; step C, when the rule node type corresponding to the i-th key segment is a leaf node, determining the rule number corresponding to the i-th key segment as the rule number of the key to be searched corresponding to the M key segments, and going to step E; step D, when the rule node type corresponding to the i-th key segment is an intermediate node or a hybrid node, incrementing i by 1 and going to step B; step E, after the rule number of the key to be searched has been determined, obtaining the corresponding action according to that rule number.
Description
The present invention relates to the field of packet transmission, and in particular to a method, an apparatus and a computer storage medium for implementing an access control list (ACL).
With the development of network technology, more and more network devices, such as security gateways, edge routers and core routers, need to support fast and accurate packet classification. Future networks are expected to deliver better quality of service to users, and the mechanisms that improve quality of service, such as firewalls, differentiated services, virtual private networks (VPN) and policy-based routing, are all built on efficient access control list (ACL) technology. In addition, with advances in optical communication, link bandwidth and transmission rate are no longer the problem; routing and forwarding devices are becoming the network bottleneck, and the ACL is the critical part of that. Implementing ACLs efficiently and quickly is therefore of great importance to the development of the Internet.
Current packet transmission devices implement ACLs with ternary content addressable memory (TCAM). The advantage of implementing an ACL with TCAM is that it is simple, but TCAM also has several shortcomings. First, a TCAM compares the key to be searched against every entry in the same clock cycle, which results in high power consumption. Second, TCAM devices are costly. There is therefore no suitable ACL implementation in the prior art.
Summary of the invention
In view of this, embodiments of the present invention aim to provide a method, an apparatus and a computer storage medium for implementing an access control list (ACL), so as to offer a new way of implementing ACLs that avoids the high power consumption and high cost caused by TCAM.
To this end, the technical solution of the invention is realised as follows:
In a first aspect, an embodiment of the invention provides a method for implementing an ACL, comprising: step A, dividing each key to be searched that is extracted from the same packet into M key segments, M being an integer greater than or equal to 1; step B, accessing the i-th of M preset rule tables using at least the i-th of the M key segments as the address, to obtain the rule node type corresponding to the i-th key segment, where i = 1, 2, 3, 4, ..., M and the M rule tables correspond to rules of the same dimension; step C, when the rule node type corresponding to the i-th key segment is a leaf node, determining the rule number corresponding to the i-th key segment as the rule number of the key to be searched corresponding to the M key segments, and going to step E; step D, when the rule node type corresponding to the i-th key segment is an intermediate node or a hybrid node, incrementing i by 1 and going to step B; step E, after the rule number of the key to be searched has been determined, obtaining the action corresponding to that rule number.
In the above solution, for i = 2, 3, ..., M, the method further comprises, after step B: when the rule node type corresponding to the i-th key segment is an invalid node and the rule node type corresponding to the (i-1)-th key segment is a hybrid node, determining the rule number corresponding to the (i-1)-th key segment as the rule number of the key to be searched corresponding to the M key segments, and going to step E.
In the above solution, for i = 1, step B comprises: accessing the first of the M preset rule tables using the first key segment as the address.
In the above solution, for i = 2, 3, ..., M, step B comprises: accessing the i-th rule table using the next-level index of the (i-1)-th key segment together with the i-th key segment as the address.
In the above solution, step D comprises: when the rule node type corresponding to the i-th key segment is an intermediate node, incrementing i by 1 and going to step B; when the rule node type corresponding to the i-th key segment is a hybrid node, recording the rule number corresponding to the i-th key segment, incrementing i by 1 and going to step B.
In the above solution, the method further comprises: dividing the key corresponding to the rules of the same dimension into M segments; when the length of the key equals the length of the first key segment, reading the first rule table with the first key segment as the address, and obtaining and managing the corresponding node information; when the length of the key is less than the length of the first key segment, expanding the current remaining field to obtain the key remaining fields, reading the first rule table with each key remaining field as the address, and obtaining and managing the corresponding node information, where the current remaining field is the part of the key that needs to be cared about; when the length of the key is greater than the length of the first key segment, reading the first rule table with the first key segment as the address, and obtaining and managing the corresponding node information.
In the above solution, the method further comprises, for the i-th key segment of the M key segments, i = 2, 3, ..., M, performing the following in turn: computing the difference between the previous difference and the length of the i-th key segment, where the previous difference is the difference between the length of the part of the key that needs to be cared about and the length of the preceding key segment; when the difference equals the length of the i-th key segment, reading the i-th rule table with the next-level index of the (i-1)-th key segment and the i-th key segment as the address, and obtaining and managing the corresponding node information; when the difference is less than the length of the i-th key segment, expanding the current remaining field to obtain the key remaining fields, reading the i-th rule table with each key remaining field as the address, and obtaining and managing the corresponding node information, where the current remaining field is what remains of the cared-about part of the key after the key segments already consumed; when the difference is greater than the length of the i-th key segment, reading the i-th rule table with the next-level index of the (i-1)-th key segment and the i-th key segment as the address, and obtaining and managing the corresponding node information.
In the above solution, the method further comprises: after the configured rules have been updated, updating M backup rule tables according to the new configured rules, where the M backup rule tables correspond one-to-one to the M rule tables; after the M backup rule tables have been updated, switching to access the updated M backup rule tables and updating the M rule tables; after the M rule tables have been updated, switching back to access the updated M rule tables.
In the above solution, after step E the method further comprises: merging the actions corresponding to the rule numbers of each key to be searched, to obtain the ACL result of the packet.
In a second aspect, an embodiment of the invention provides an apparatus for implementing an ACL, comprising a rule-table module, a scheduling module, an access module, a determining module, a looping module and an obtaining module, where: the rule-table module is configured to store the M rule tables corresponding to rules of the same dimension, M being an integer greater than or equal to 1; the scheduling module is configured to divide each key to be searched that is extracted from the same packet into M key segments; the access module is configured to access the i-th of the M preset rule tables using at least the i-th of the M key segments as the address, to obtain the rule node type corresponding to the i-th key segment, i = 1, 2, 3, 4, ..., M; the determining module is configured, when the rule node type corresponding to the i-th key segment is a leaf node, to determine the rule number corresponding to the i-th key segment as the rule number of the key to be searched corresponding to the M key segments and to trigger the obtaining module; the looping module is configured, when the rule node type corresponding to the i-th key segment is an intermediate node or a hybrid node, to increment i by 1 and trigger the access module; and the obtaining module is configured, after the rule number of the key to be searched has been determined, to obtain the action corresponding to that rule number.
In the above solution, for i = 2, 3, ..., M, the determining module is further configured, when the rule node type corresponding to the i-th key segment is an invalid node and the rule node type corresponding to the (i-1)-th key segment is a hybrid node, to determine the rule number corresponding to the (i-1)-th key segment as the rule number of the key to be searched corresponding to the M key segments, and to trigger the obtaining module.
In the above solution, for i = 1, the access module is configured to access the first of the M preset rule tables using the first key segment as the address.
In the above solution, for i = 2, 3, ..., M, the access module is configured to access the i-th rule table using the next-level index of the (i-1)-th key segment and the i-th key segment as the address.
In the above solution, the looping module is configured, when the rule node type corresponding to the i-th key segment is an intermediate node, to increment i by 1 and trigger the access module; and, when the rule node type corresponding to the i-th key segment is a hybrid node, to record the rule number corresponding to the i-th key segment, increment i by 1 and trigger the access module.
In the above solution, the apparatus further comprises a rule-table generating module configured to divide the key corresponding to the rules of the same dimension into M segments; when the length of the key equals the length of the first key segment, to read the first rule table with the first key segment as the address, and obtain and manage the corresponding node information; when the length of the key is less than the length of the first key segment, to expand the current remaining field to obtain the key remaining fields, read the first rule table with each key remaining field as the address, and obtain and manage the corresponding node information, where the current remaining field is the part of the key that needs to be cared about; when the length of the key is greater than the length of the first key segment, to read the first rule table with the first key segment as the address, and obtain and manage the corresponding node information.
In the above solution, the rule-table generating module is configured, for the i-th key segment of the M key segments, to compute the difference between the previous difference and the length of the i-th key segment, where the previous difference is the difference between the length of the part of the key that needs to be cared about and the length of the preceding key segment, i = 2, 3, ..., M; when the difference equals the length of the i-th key segment, to read the i-th rule table with the next-level index of the (i-1)-th key segment and the i-th key segment as the address, and obtain and manage the corresponding node information; when the difference is less than the length of the i-th key segment, to expand the current remaining field to obtain the key remaining fields, read the i-th rule table with each key remaining field as the address, and obtain and manage the corresponding node information, where the current remaining field is what remains of the cared-about part of the key after the key segments already consumed; when the difference is greater than the length of the i-th key segment, to read the i-th rule table with the next-level index of the (i-1)-th key segment and the i-th key segment as the address, and obtain and manage the corresponding node information.
In the above solution, the rule-table module is further configured, after the configured rules have been updated, to update M backup rule tables according to the new configured rules, where the M backup rule tables correspond one-to-one to the M rule tables; correspondingly, the access module is further configured, after the M backup rule tables have been updated, to switch to access the updated M backup rule tables and update the M rule tables, and, after the M rule tables have been updated, to switch back to access the updated M rule tables.
In the above solution, the apparatus further comprises a merging module configured, after the several obtaining modules have obtained the action corresponding to the rule number of each key to be searched, to merge those actions to obtain the ACL result of the packet.
An embodiment of the invention provides a computer storage medium storing a computer program for executing the ACL implementation method of the first aspect.
Embodiments of the invention provide a method, an apparatus and a computer storage medium for implementing an ACL. First, each key to be searched that is extracted from the same packet is divided into M key segments; then the i-th of the M key segments is used as the address to access the i-th of M preset rule tables, obtaining at least the rule type corresponding to the i-th key segment, where the M rule tables correspond to one rule dimension; next, the rule number of the key to be searched is determined from the rule type corresponding to the i-th key segment; finally, the action corresponding to the key is obtained from the determined rule number, i.e. the action of the matching rule is determined and the ACL is implemented. This avoids the high power consumption and high cost caused by TCAM;
moreover, because a key to be searched is divided into M key segments and the rule number of a key segment whose rule node type is a leaf node is taken as the rule number of the key, the entire key need not be searched, which greatly reduces the amount of data processed and improves search efficiency;
and because every key of the same packet is divided into M key segments and processed in the same way, the keys may belong to one dimension or to several dimensions, so multi-dimensional ACLs can be implemented.
Fig. 1 is a first schematic structural diagram of the ACL implementation apparatus in an embodiment of the invention;
Fig. 2 is a second schematic structural diagram of the ACL implementation apparatus in an embodiment of the invention;
Fig. 3 is a third schematic structural diagram of the ACL implementation apparatus in an embodiment of the invention;
Fig. 4 is a schematic flowchart of the ACL implementation method in an embodiment of the invention;
Fig. 5 is a schematic flowchart of one method of generating the rule tables in an embodiment of the invention;
Fig. 6 is a schematic flowchart of another method of generating the rule tables in an embodiment of the invention;
Fig. 7 is a schematic diagram of a rule table in an embodiment of the invention;
Fig. 8 is a schematic diagram of the action table in an embodiment of the invention.
The technical solutions of the embodiments of the invention are described below clearly and completely with reference to the accompanying drawings.
First, it should be noted that during packet data transmission, packets are divided into different flows according to specific key fields of the packet. Once divided into flows, various processing can be applied to a flow, such as discarding or forwarding, rate limiting or re-assigning priority; such processing is called an action. A rule together with its corresponding action is usually called an ACL.
For example, the industry-standard key fields that make up a rule are usually five, commonly called the 5-tuple: the source address of the IP packet, the destination address of the IP packet, the carried protocol type of the IP packet, the TCP or UDP source port number and the TCP or UDP destination port number. In a concrete implementation the key may be extended with other fields such as CoS, ToS, DSCP, the VLAN ID and the source and destination MAC addresses; the invention does not limit this. These fields may be combined arbitrarily and range restrictions may be set; for example, a rule may be: TCP port 1000 to 2000 + IP address 255.122.122.* (where * denotes a field that is not cared about).
The ACL implementation method provided by embodiments of the invention is described below.
An embodiment of the invention provides an ACL implementation apparatus. As shown in Fig. 1, the apparatus comprises a rule-table module 1, a scheduling module 2, an access module 31, a determining module 32, a looping module 33 and an obtaining module 34;
In practice, the rule-table module 1 may be one module or several modules, each corresponding to rules of one dimension and each storing M rule tables, M being an integer greater than or equal to 1;
The access module 31, determining module 32, looping module 33 and obtaining module 34 are arranged in a search engine. As shown in Fig. 2, one search engine 3 is connected to one rule-table module 1; that is, for a given packet, one search engine 3 searches the rules of one dimension. When the apparatus contains several search engines 3, it can search the rules of several dimensions of the same packet in parallel, which greatly improves the efficiency of the ACL implementation.
In that case, when the ACL implementation apparatus searches several dimensions, it may further comprise a merging module 4 configured to merge the actions corresponding to the rules of the several dimensions for the same packet, to obtain the ACL result of that packet.
In an embodiment, as shown in Fig. 3, the apparatus may also search one or several dimensions for several packets in parallel at the same time, which greatly improves the parallel processing capacity and the processing speed and ensures that the ACL operates in real time.
When the ACL implementation apparatus processes several packets, it may further comprise a round-robin scheduling module configured to schedule the ACL results of the several packets and output them to the next processing stage.
In the embodiments of the invention, the rule-table module is configured to store the M rule tables corresponding to rules of the same dimension;
the scheduling module is configured to divide each key to be searched that is extracted from the same packet into M key segments and distribute them to the corresponding search engine;
the access module is configured to access the i-th of the M preset rule tables using at least the i-th of the M key segments as the address, to obtain the rule node type corresponding to the i-th key segment, where i = 1, 2, 3, 4, ..., M and the M rule tables correspond to one rule;
the determining module is configured, when the rule node type corresponding to the i-th key segment is a leaf node, to determine the rule number corresponding to the i-th key segment as the rule number of the key to be searched corresponding to the M key segments and to trigger the obtaining module;
the looping module is configured, when the rule node type corresponding to the i-th key segment is an intermediate node or a hybrid node, to increment i by 1 and trigger the access module;
the obtaining module is configured, after the rule number of the key to be searched has been determined, to obtain the action corresponding to that rule number.
The ACL implementation method of the embodiments of the invention is described below in conjunction with the above system.
As shown in Fig. 4, the method comprises:
S401: dividing each key to be searched that is extracted from the same packet into M key segments;
Specifically, for a given packet the scheduling module parses out, according to preconfigured information, the key to be searched under one dimension of rules; for example, it extracts the ingress port, the destination IP address and the IP precedence (TOS) of the packet and combines them into {ingress port, destination IP address, IP precedence TOS}, denoted key A. It then divides the key to be searched into M key segments. The segmentation may follow a preset, manually configured policy chosen according to the application; the invention does not limit it.
S402: accessing the i-th of the M preset rule tables using at least the i-th of the M key segments as the address, to obtain the rule node type corresponding to the i-th key segment;
Specifically, once the scheduling module has divided the key segments it sends them to the search engine corresponding to the rules of that dimension. The access module in the search engine then uses the i-th of the M key segments as the address to access the i-th of the M rule tables pre-stored in the rule-table module and obtains the rule node type corresponding to the i-th key segment, i = 1, 2, 3, 4, ..., M. Key segments therefore correspond one-to-one to rule tables, and rules, keys to be searched, search engines and rule-table modules correspond one-to-one.
In practice, accessing a rule table yields not only the rule node type of the i-th key segment but also its next-level index and rule number. Other attribute parameters, such as the current segment length, may also be present; the invention does not limit this.
Also, since the first key segment is the initial segment, the access module may access the first rule table using the first key segment alone as the address to obtain its rule node type; for the other key segments, i.e. the 2nd, 3rd, ..., M-th, the access module accesses the corresponding rule table using the next-level index obtained for the preceding segment together with the key segment itself as the address.
As an optional embodiment, the M rule tables in each rule-table module all correspond to rules of the same dimension and are preset in the module; therefore, before S401, the M rule tables corresponding to the rules of one dimension must be generated.
As shown in Fig. 5, the method of generating the rule tables comprises:
S501: dividing the key corresponding to the rules of one dimension into M segments;
Here, the key is denoted B and its bit width N, and the M key segments are denoted Bi, B = {B1, B2, ..., BM}, i = 1, 2, ..., M; the length of Bi is Ni, with N1 + N2 + ... + NM = N. In practice the lengths Ni may be adjusted to the implementation, and the segment lengths Ni may be equal or unequal.
As an optional embodiment, the part of key B that needs to be cared about is denoted C, of length P, and the part that need not be cared about is denoted D, of length Q, so that B = {C, D} and P + Q = N.
For example, let key B be the IP address 168.152.128.*, 32 bits long, divided evenly into four segments of 8 bits each. The part of B that needs to be cared about, C, is 168.152.128, 24 bits long, and the part that need not be cared about, D, is *, 8 bits long.
S502: when the length of the key equals the length of the first key segment, reading the first rule table with the first key segment as the address, and obtaining and managing the corresponding node information;
(In S502 to S504 the length of the key that is compared with the segment length is the length P of its cared-about part C; in the example above P = 24 while the full width is 32.)
Here, the node information comprises the node type, the rule number, the next-level index and the current segment length. Other content may be included; the invention does not limit it. In a rule table, the node information of one key segment is one entry.
The step of managing the node information may then comprise: when the node type of the entry of the first key segment in the first rule table is an invalid node, changing the node type to leaf node, writing the rule number of the key, and setting the current segment length to the length of the cared-about part of the key;
when the node type of the entry of the first key segment in the first rule table is an intermediate node, changing the node type to hybrid node, writing the rule number of the key, and setting the current segment length to the length of the cared-about part of the key;
when the node type of the entry of the first key segment in the first rule table is a hybrid node or a leaf node, keeping the node type unchanged, writing the rule number of the key, and setting the current segment length to the length of the cared-about part of the key.
S503: when the length of the key is less than the length of the first key segment, expanding the current remaining field to obtain the key remaining fields, reading the first rule table with each key remaining field as the address, and obtaining and managing the corresponding node information;
The step of managing the node information may then comprise: when the node type of the entry of the first key segment in the first rule table is an invalid node, changing the node type to leaf node, writing the rule number of the key, and setting the current segment length to the length of the cared-about part of the key;
Here, the current remaining field is the part of the key that needs to be cared about.
When the node type of the entry of the first key segment in the first rule table is an intermediate node, changing the node type to hybrid node, writing the rule number of the key, and setting the current segment length to the length of the cared-about part of the key;
When the node type of the entry of the first key segment in the first rule table is a hybrid node or a leaf node, keeping the node type unchanged and comparing the length of the cared-about part of the key with the current segment length already stored in the entry: if the cared-about length is less than the stored current segment length, the existing rule number and current segment length are kept (the rule already in the entry is the more specific one); otherwise the rule number of the key is written and the current segment length is set to the length of the cared-about part of the key.
Note that expanding the current remaining field to obtain the key remaining fields means: subtract the length P of the cared-about part of the key from the length N1 of the first key segment to obtain the difference x, and expand the current remaining field into 2^x key remaining fields C1_1 = {C, 0}, C1_2 = {C, 1}, ..., C1_(2^x) = {C, 2^x - 1}, i.e. C followed by every possible x-bit value.
S504: when the length of the key is greater than the length of the first key segment, reading the first rule table with the first key segment as the address, and obtaining and managing the corresponding node information.
Here, the step of managing the node information may comprise: when the node type of the entry of the first key segment in the first rule table is an invalid node, changing the node type to intermediate node and writing the next-level index of the first key segment; when the node type is an intermediate node or a hybrid node, keeping the node information unchanged; when the node type is a leaf node, changing the node type to hybrid node and writing the next-level index of the first key segment.
Next, for the i-th key segment, i = 2, 3, ..., M, after S504 and as shown in Fig. 6, the method further comprises:
S601: computing the difference between the previous difference and the length of the i-th key segment;
Here, the previous difference means: for i = 1 it is the length of the cared-about part of the key; for i = 2 it is the length of the cared-about part of the key minus the length of the first key segment; and so on, iterating level by level. Read consistently with S502 to S504, the quantity compared with the length of the i-th key segment in S602 to S604 is thus the number of cared-about bits of the key that are not yet covered by the first i-1 key segments.
S602: when the difference equals the length of the i-th key segment, reading the i-th rule table with the next-level index of the (i-1)-th key segment and the i-th key segment as the address, and obtaining and managing the corresponding node information;
The step of managing the node information may then comprise: when the node type of the entry of the i-th key segment in the i-th rule table is an invalid node, changing the node type to leaf node, writing the rule number of the key, and setting the current segment length to the above difference;
when the node type of the entry of the i-th key segment in the i-th rule table is an intermediate node, changing the node type to hybrid node, writing the rule number of the key, and setting the current segment length to the above difference;
when the node type of the entry of the i-th key segment in the i-th rule table is a hybrid node or a leaf node, keeping the node type unchanged, writing the rule number of the key, and setting the current segment length to the above difference.
S603: when the difference is less than the length of the i-th key segment, expanding the current remaining field to obtain the key remaining fields, reading the i-th rule table with each key remaining field as the address, and obtaining and managing the information of the corresponding nodes;
The step of managing the node information may then comprise: when the node type of the entry of the i-th key segment in the i-th rule table is an invalid node, changing the node type to leaf node, writing the rule number of the key, and setting the current segment length to the above difference;
Here, the current remaining field is what remains of the cared-about part of the key after the key segments already consumed have been removed.
When the node type of the entry of the i-th key segment in the i-th rule table is an intermediate node, changing the node type to hybrid node, writing the rule number of the key, and setting the current segment length to the above difference;
When the node type of the entry of the i-th key segment in the i-th rule table is a hybrid node or a leaf node, keeping the node type unchanged and comparing the above difference with the current segment length already stored in the entry: if the difference is less than the stored current segment length, the existing rule number and current segment length are kept; otherwise the rule number of the key is written and the current segment length is set to the above difference.
S604: when the difference is greater than the length of the i-th key segment, reading the i-th rule table with the next-level index of the (i-1)-th key segment and the i-th key segment as the address, and obtaining and managing the corresponding node information.
Here, the step of managing the node information may comprise: when the node type of the entry of the i-th key segment in the i-th rule table is an invalid node, changing the node type to intermediate node and writing the next-level index of the i-th key segment; when the node type is an intermediate node or a hybrid node, keeping the node information unchanged; when the node type is a leaf node, changing the node type to hybrid node and writing the next-level index of the i-th key segment.
S601 to S604 are repeated in the same way until the M-th rule table has been generated. The i-th rule table is then as shown in Fig. 7: each entry comprises the node type, the current segment length, the next-level index and the rule number.
Further, after the rule tables have been generated, the action corresponding to each rule number is written into an action table. As shown in Fig. 8, each entry comprises the priority in that dimension, a drop/forward indication, a QoS mapping, a rate-limit identifier, and so on.
S403a: when the rule node type corresponding to the i-th key segment is a leaf node, determining the rule number corresponding to the i-th key segment as the rule number of the key to be searched corresponding to the M key segments, and going to S404;
Specifically, the rule node type of a key segment may be one of three kinds: leaf node, intermediate node and hybrid node. When the node type obtained in S402 indicates that the i-th key segment is a leaf node, the determining module takes the rule number of that key segment as the rule number of the key to be searched; here i = 1, 2, 3, ..., M.
S403b: when the rule node type corresponding to the i-th key segment is an intermediate node or a hybrid node, incrementing i by 1 and going to S402;
Specifically, after S402, when the rule node type corresponding to the i-th key segment is an intermediate node or a hybrid node, the looping module increments i by 1 and triggers the access module again, so that the access module uses the (i+1)-th key segment as the address to access the preset (i+1)-th rule table and obtains the rule node type corresponding to the (i+1)-th key segment, and so on; S402 to S403b are repeated until the rule number of the key to be searched is obtained.
In a concrete implementation, when the rule node type corresponding to the i-th key segment is an intermediate node, i is incremented by 1 and S402 is executed; when the rule node type corresponding to the i-th key segment is a hybrid node, the rule number corresponding to the i-th key segment is recorded, i is incremented by 1 and S402 is executed.
In practice, the rule node type of a key segment may also be an invalid node. Then, for i = 2, 3, ..., M, when the node type obtained in S402 indicates that the i-th key segment is an invalid node and the (i-1)-th key segment is a hybrid node, the determining module takes the rule number of the (i-1)-th key segment as the rule number of the key to be searched.
For example, rule table 1 of the M rule tables is accessed with A1 as the address, yielding the rule node type of A1, the next-level index of A1 and the rule number of A1.
If the rule node type of A1 is a leaf node, the rule number of A1 is taken as the rule number of key A and the search ends;
If the node of A1 is an intermediate node, rule table 2 is accessed with the next-level index of A1 and A2 as the address to obtain the rule node type of A2, the next-level index of A2 and the rule number of A2, after which the same judgement and processing as for A1 is performed.
If the node of A1 is a hybrid node, the rule number of A1 is recorded and rule table 2 is then accessed with the next-level index of A1 and A2 as the address. If the node of A2 is an invalid node, the rule number of key A is the rule number of A1 and the search ends; if the node of A2 is a leaf node, the rule number of key A is the rule number of A2 and the search ends; if the node of A2 is an intermediate node or a hybrid node, the search method used for A1 is repeated: rule table 3 is accessed with the next-level index of A2 and A3 as the address and handled in the same way as A1. This is repeated until the rule number of the key is obtained or the whole key has been searched.
S404: after the rule number of the key to be searched has been determined, obtaining the action corresponding to that rule number.
Specifically, the ACL implementation apparatus also holds a preset action table as shown in Fig. 8. The obtaining unit accesses the action table with the rule number of the key to be searched as the address and obtains the action corresponding to the key, i.e. the action corresponding to the rule of that dimension.
Optionally, packet attributes may also be obtained by accessing the action table, such as the priority, the QoS and QoS priority corresponding to the rule of that dimension, the rate-limit identifier and its priority, the colour of the packet, and whether to drop or forward. Other packet attributes are possible; the invention does not limit them.
This completes the entire ACL process for the rules of a single dimension. For rules of several dimensions, the merging module merges the actions corresponding to the rule numbers of the keys to be searched of each dimension to obtain the ACL result of the packet.
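The rule-table generation steps S501 to S604 and the search S402 to S404 above, carried out end to end as an added worked example. This is not the patent's own code: the 8-bit segment widths, the dictionary-based tables keyed by (next-level index, key segment), the dataclass node layout and the sample rules are my own constructed choices. The example installs five destination-IP rules, including the 168.152.128.* rule from the description, a more specific host rule inside it (which turns a leaf node into a hybrid node), and three nested 10.0.0.0 prefixes whose don't-care bits are expanded into multiple entries and whose conflicts are resolved by the current-segment-length comparison.

```python
from dataclasses import dataclass
from typing import Optional

INVALID, LEAF, INTERMEDIATE, HYBRID = "invalid", "leaf", "intermediate", "hybrid"


@dataclass
class Node:
    """One rule-table entry (Fig. 7): node type, current segment length, next-level index, rule number."""
    kind: str = INVALID
    seg_len: int = 0                  # cared-about bits the recorded rule still had at this level
    next_index: Optional[int] = None  # selects the sub-table read at level i+1
    rule_no: Optional[int] = None     # rule recorded here (leaf or hybrid node)


class RuleTables:
    """M rule tables for one dimension; table i is keyed by (next-level index, key segment i)."""

    def __init__(self, strides):
        self.strides = list(strides)            # N1..NM, summing to the key width N
        self.width = sum(self.strides)
        self.tables = [{} for _ in self.strides]
        self.next_free = 1                      # allocator for next-level indices; 0 is the root
        self.actions = {}                       # action table (Fig. 8): rule number -> action

    def _segment(self, value, i):
        """Key segment Bi, taken from the most significant bits downwards."""
        shift = self.width - sum(self.strides[: i + 1])
        return (value >> shift) & ((1 << self.strides[i]) - 1)

    def add_rule(self, rule_no, value, care_len, action):
        """Install one rule: value is the N-bit key, care_len the length P of its cared-about part C."""
        self.actions[rule_no] = action
        remaining, index = care_len, 0          # the "previous difference" starts at P
        for i, n in enumerate(self.strides):
            seg = self._segment(value, i)
            if remaining <= n:
                # The rule ends in this level. A cared-about part shorter than the segment is
                # expanded into 2^(n - remaining) entries, one per don't-care suffix (S503/S603).
                x = n - remaining
                base = seg & ~((1 << x) - 1)
                for suffix in range(1 << x):
                    node = self.tables[i].setdefault((index, base | suffix), Node())
                    self._record(node, rule_no, remaining)
                return
            # The rule continues past this level: make or keep a branch point (S504/S604).
            node = self.tables[i].setdefault((index, seg), Node())
            index = self._descend(node)
            remaining -= n

    def _record(self, node, rule_no, seg_len):
        """Leaf/hybrid bookkeeping when a rule ends here (S502, S503, S602, S603): longer care part wins."""
        if node.kind == INVALID:
            node.kind = LEAF
        elif node.kind == INTERMEDIATE:
            node.kind = HYBRID
        elif seg_len < node.seg_len:
            return                              # a more specific rule already owns this entry
        node.rule_no, node.seg_len = rule_no, seg_len

    def _descend(self, node):
        """Branch bookkeeping when a rule continues (S504, S604); returns the next-level index."""
        if node.kind in (INVALID, LEAF):
            node.kind = INTERMEDIATE if node.kind == INVALID else HYBRID
            node.next_index, self.next_free = self.next_free, self.next_free + 1
        return node.next_index

    def lookup(self, value):
        """S402 to S404 for one key: (rule number, action), or (None, None) if nothing matches."""
        index, recorded = 0, None
        for i in range(len(self.strides)):
            node = self.tables[i].get((index, self._segment(value, i)))
            if node is None or node.kind == INVALID:
                break                           # fall back to the last hybrid node's rule, if any
            if node.kind == LEAF:
                recorded = node.rule_no
                break
            if node.kind == HYBRID:
                recorded = node.rule_no         # remember it, then keep descending
            index = node.next_index
        return recorded, self.actions.get(recorded)


def ip(dotted):
    """Dotted-quad IPv4 address to a 32-bit integer."""
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def build_demo():
    """Constructed sample rules for a destination-IP dimension split into 4 x 8-bit segments."""
    t = RuleTables([8, 8, 8, 8])
    t.add_rule(1, ip("168.152.128.0"), 24, "permit")      # 168.152.128.* from the description
    t.add_rule(2, ip("168.152.128.7"), 32, "deny")        # one host inside rule 1: makes a hybrid node
    t.add_rule(3, ip("10.0.0.0"), 8, "log")               # 10.0.0.0/8
    t.add_rule(4, ip("10.0.0.0"), 12, "rate-limit")       # 10.0.0.0/12, expands to 16 entries
    t.add_rule(5, ip("10.0.0.0"), 10, "mark")             # 10.0.0.0/10, must not overwrite the /12
    return t


if __name__ == "__main__":
    tables = build_demo()
    for addr in ("168.152.128.7", "168.152.128.9", "10.5.1.1", "10.40.1.1", "10.200.1.1", "192.0.2.1"):
        print(addr, tables.lookup(ip(addr)))
```

Running the block shows the behaviours the description relies on: 168.152.128.7 descends through the hybrid node at level 3 to the host leaf and is denied, 168.152.128.9 hits an invalid entry at level 4 and falls back to the hybrid node's rule 1, 10.200.1.1 falls back to the /8 recorded at level 1, and 192.0.2.1 matches nothing. Note that rule 5 (/10) arrives after rule 4 (/12) but does not displace it from the 16 entries the /12 already owns, because its current segment length (2) is smaller than the stored one (4); a build order that let a shorter prefix overwrite a longer one would silently widen the matching range of the shorter rule's action.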
In the above process, the rule tables in the rule-table module may also be adjusted according to the user's configuration. Because the rule tables cannot be updated all at once, the rule-table module stores, to reduce the error rate, the M rule tables together with M backup rule tables in one-to-one correspondence. The method then further comprises: after the configured rules have been updated,  updating the M backup rule tables according to the new configured rules, where the M backup rule tables correspond one-to-one to the M rule tables; after the M backup rule tables have been updated, switching to access the updated M backup rule tables and updating the M rule tables; after the M rule tables have been updated, switching back to access the updated M rule tables.
Specifically, during a rule-table update the backup rule tables are updated first; once they are complete, the access module switches to the backup rule tables while the rule tables are updated; once the rule tables are complete, the access module switches back to the updated rule tables. In this way no error arises from a rule that should have been updated but has not yet been, and the correctness of the ACL implementation is guaranteed. The switch itself must be atomic with respect to lookups in progress, so that every lookup walks a single complete set of tables rather than a mixture of old and new levels.
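Why the switch between the M rule tables and their M backups matters, as an added example that is not part of the patent. The rule tables are reduced to dictionaries of (node type, rule number, next-level index) tuples with only leaf and intermediate nodes, and the sample configurations are constructed for the illustration; the update is driven one level-write at a time so that a lookup can be interleaved between writes.

```python
import copy

INVALID, LEAF, INTERMEDIATE = 0, 1, 2
# Rule-table entry reduced to (node type, rule number, next-level index); a table is a dict
# keyed by (next-level index, key segment). Hybrid nodes are left out to keep the walk short.


def walk(tables, segments):
    """Search the M tables for one key split into segments; returns the rule number or None."""
    index = 0
    for level, seg in enumerate(segments):
        kind, rule_no, next_index = tables[level].get((index, seg), (INVALID, None, None))
        if kind == INVALID:
            return None
        if kind == LEAF:
            return rule_no
        index = next_index
    return None


class InPlaceTables:
    """Rewrites the live tables one level at a time; readers see every intermediate state."""

    def __init__(self, tables):
        self.tables = tables

    def update(self, new_tables, order):
        for level in order:
            self.tables[level] = copy.deepcopy(new_tables[level])
            yield level                         # a lookup may run between two level writes

    def lookup(self, segments):
        return walk(self.tables, segments)


class DoubleBufferedTables:
    """The scheme above: fill the backup copy, switch, fill the other copy, switch back."""

    def __init__(self, tables):
        self.sets = [copy.deepcopy(tables), copy.deepcopy(tables)]   # M tables and M backups
        self.active = 0                                              # copy the access module reads

    def update(self, new_tables, order):
        for target in (1 - self.active, self.active):
            for level in order:
                self.sets[target][level] = copy.deepcopy(new_tables[level])
                yield level                     # readers still walk a complete, untouched copy
            self.active = target                # one pointer flip once the whole copy is written

    def lookup(self, segments):
        return walk(self.sets[self.active], segments)


def old_tables():
    """Constructed: two 8-bit segments; rule 1 matches 10.* as a leaf at level 1."""
    return [{(0, 10): (LEAF, 1, None)}, {}]


def new_tables():
    """Constructed: 10.1.* becomes rule 2 and 10.2.* rule 3; the level-1 node turns into a branch."""
    return [{(0, 10): (INTERMEDIATE, None, 1)},
            {(1, 1): (LEAF, 2, None), (1, 2): (LEAF, 3, None)}]


def observe(impl, new, order, segments):
    """Drive the update one level-write at a time; record what a reader sees after each write."""
    seen = []
    for _ in impl.update(new, order):
        seen.append(impl.lookup(segments))
    return seen


if __name__ == "__main__":
    # Writing level 1 before level 2 in place sends 10.1.x into an empty sub-table: no match at all.
    print(observe(InPlaceTables(old_tables()), new_tables(), [0, 1], [10, 1]))        # [None, 2]
    # Double buffering: every observation is either the complete old or the complete new result.
    print(observe(DoubleBufferedTables(old_tables()), new_tables(), [0, 1], [10, 1]))  # [1, 1, 2, 2]
```

The in-place variant gives a different answer depending on the order in which the levels are written; adding a branch is safe only if the deeper level is written first, while deleting one needs the opposite order, and a mixed configuration change has no safe order at all. With the backup copy, a reader never observes the window in which an intermediate node points at a sub-table that has not been written yet, which is exactly the window in which a packet that the policy should drop would be treated as unmatched.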
From the above, first, each key to be searched that is extracted from the same packet is divided into M key segments; then the i-th of the M key segments is used as the address to access the i-th of M preset rule tables, obtaining at least the rule type corresponding to the i-th key segment, where the M rule tables correspond to one rule dimension; next, the rule number of the key to be searched is determined from the rule type corresponding to the i-th key segment; finally, the action corresponding to the key is obtained from the determined rule number, i.e. the action of the matching rule is determined and the ACL is implemented. This avoids the high power consumption and high cost caused by TCAM. Further, because a key to be searched is divided into M key segments, and the rule number recorded for a key segment is taken as the rule number of the key as soon as the rule node type of that segment is an invalid node (following a hybrid node) or a leaf node, the entire key need not be searched, which greatly reduces the amount of data processed and improves search efficiency. Further, because every key of the same packet is divided into M key segments and processed in the same way, the keys may belong to one dimension or to several dimensions, so multi-dimensional ACLs can be implemented.
Based on the same inventive concept, an embodiment of the invention further provides an ACL implementation apparatus consistent with the ACL implementation apparatus described in one or more of the embodiments above.
As shown in Fig. 1, the apparatus comprises a rule-table module 1, a scheduling module 2, an access module 31, a determining module 32, a looping module 33 and an obtaining module 34, where: the rule-table module 1 is configured to store the M rule tables corresponding to rules of the same dimension, M being an integer greater than or equal to 1; the scheduling module 2 is configured to divide each key to be searched that is extracted from the same packet into M key segments; the access module 31 is configured to access the i-th of the M preset rule tables using at least the i-th of the M key segments as the address, to obtain the rule node type corresponding to the i-th key segment, i = 1, 2, 3, 4, ..., M; the determining module 32 is configured, when the rule node type corresponding to the i-th key segment is a leaf node, to determine the rule number corresponding to the i-th key segment as the rule number of the key to be searched corresponding to the M key segments and to trigger the obtaining module 34; the looping module 33 is configured, when the rule node type corresponding to the i-th key segment is an intermediate node or a hybrid node, to increment i by 1 and trigger the access module 31; and the obtaining module 34 is configured, after the rule number of the key to be searched has been determined, to obtain the action corresponding to that rule number.
In the above solution, for i = 2, 3, ..., M, the determining module 32 is further configured, when the rule node type corresponding to the i-th key segment is an invalid node and the rule node type corresponding to the (i-1)-th key segment is a hybrid node, to determine the rule number corresponding to the (i-1)-th key segment as the rule number of the key to be searched corresponding to the M key segments, and to trigger the obtaining module 34.
In the above solution, for i = 1, the access module 31 is configured to access the first of the M preset rule tables using the first key segment as the address.
In the above solution, for i = 2, 3, ..., M, the access module 31 is configured to access the i-th rule table using the next-level index of the (i-1)-th key segment and the i-th key segment as the address.
In the above solution, the looping module 33 is configured, when the rule node type corresponding to the i-th key segment is an intermediate node, to increment i by 1 and trigger the access module 31; and, when the rule node type corresponding to the i-th key segment is a hybrid node, to record the rule number corresponding to the i-th key segment, increment i by 1 and trigger the access module 31.
In the above solution, the apparatus further comprises a rule-table generating module configured to divide the key corresponding to the rules of the same dimension into M segments; when the length of the key equals the length of the first key segment, to read the first rule table with the first key segment as the address, and obtain and manage the corresponding node information; when the length of the key is less than the length of the first key segment, to expand the current remaining field to obtain the key remaining fields, read the first rule table with each key remaining field as the address, and obtain and manage the corresponding node information, where the current remaining field is the part of the key that needs to be cared about; when the length of the key is greater than the length of the first key segment, to read the first rule table with the first key segment as the address, and obtain and manage the corresponding node information.
In the above solution, the rule-table generating module is configured, for the i-th key segment of the M key segments, to compute the difference between the previous difference and the length of the i-th key segment, where the previous difference is the difference between the length of the part of the key that needs to be cared about and the length of the preceding key segment, i = 2, 3, ..., M; when the difference equals the length of the i-th key segment, to read the i-th rule table with the next-level index of the (i-1)-th key segment and the i-th key segment as the address, and obtain and manage the corresponding node information; when the difference is less than the length of the i-th key segment, to expand the current remaining field to obtain the key remaining fields, read the i-th rule table with each key remaining field as the address, and obtain and manage the corresponding node information, where the current remaining field is what remains of the cared-about part of the key after the key segments already consumed; when the difference is greater than the length of the i-th key segment, to read the i-th rule table with the next-level index of the (i-1)-th key segment and the i-th key segment as the address, and obtain and manage the corresponding node information.
In the above solution, the rule-table module 1 is further configured, after the configured rules have been updated, to update M backup rule tables according to the new configured rules, where the M backup rule tables correspond one-to-one to the M rule tables; correspondingly, the access module 31 is further configured, after the M backup rule tables have been updated, to switch to access the updated M backup rule tables and update the M rule tables, and, after the M rule tables have been updated, to switch back to access the updated M rule tables.
In practice, the access module 31, determining module 32, looping module 33 and obtaining module 34 are arranged in a search engine 3, and one search engine 3 is connected to one rule-table module 1; that is, for a given packet, one search engine 3 searches the rules of one dimension. As shown in Fig. 2, when the apparatus contains several search engines 3, it can search the rules of several dimensions of the same packet in parallel, which greatly improves the efficiency of the ACL implementation. Further, as shown in Fig. 3, the apparatus may also search one or several dimensions for several packets in parallel at the same time, which greatly improves the parallel processing capacity and the processing speed and ensures that the ACL operates in real time.
In the above solution, when the ACL apparatus searches several dimensions, it further comprises a merging module configured, after the several obtaining modules have obtained the action corresponding to the rule number of each key to be searched, to merge those actions to obtain the ACL result of the packet.
An embodiment of the invention also describes a computer storage medium storing computer-executable instructions for executing the ACL implementation method described in the foregoing embodiments.
Those skilled in the art will understand that embodiments of the invention may be provided as a method, a system or a computer program product. Accordingly, the invention may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware. Moreover, the invention may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage and optical storage) containing computer-usable program code.
The invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and any combination of flows and/or blocks, may be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, such that the instructions executed by that processor produce means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in that memory produce an article of manufacture comprising instruction means that implement the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps is performed on the computer or other programmable device to produce a computer-implemented process, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
The above are merely preferred embodiments of the invention and are not intended to limit its scope of protection.
In the embodiments of the invention, each key to be searched that is extracted from the same packet is divided into M key segments; the i-th of the M key segments is then used as the address to access the i-th of M preset rule tables, obtaining at least the rule type corresponding to the i-th key segment, where the M rule tables correspond to one rule dimension; the rule number of the key to be searched is then determined from the rule type corresponding to the i-th key segment; finally, the action corresponding to the key is obtained from the determined rule number, i.e. the action of the matching rule is determined and the ACL is implemented. This avoids the high power consumption and high cost caused by TCAM.
Claims (19)
- A method for implementing an access control list (ACL), the method comprising: step A, dividing each key to be searched that is extracted from the same packet into M key segments, M being an integer greater than or equal to 1; step B, accessing the i-th of M preset rule tables using at least the i-th of the M key segments as the address, to obtain the rule node type corresponding to the i-th key segment, where i = 1, 2, 3, 4, ..., M and the M rule tables correspond to rules of the same dimension; step C, when the rule node type corresponding to the i-th key segment is a leaf node, determining the rule number corresponding to the i-th key segment as the rule number of the key to be searched corresponding to the M key segments, and going to step E; step D, when the rule node type corresponding to the i-th key segment is an intermediate node or a hybrid node, incrementing i by 1 and going to step B; step E, after the rule number of the key to be searched has been determined, obtaining the action corresponding to the rule number of the key to be searched.
- The method according to claim 1, wherein, for i = 2, 3, ..., M, after step B the method further comprises: when the rule node type corresponding to the i-th key segment is an invalid node and the rule node type corresponding to the (i-1)-th key segment is a hybrid node, determining the rule number corresponding to the (i-1)-th key segment as the rule number of the key to be searched corresponding to the M key segments, and going to step E.
- The method according to claim 1, wherein, for i = 1, step B comprises: accessing the first of the M preset rule tables using the first key segment as the address.
- The method according to claim 1, wherein, for i = 2, 3, ..., M, step B comprises: accessing the i-th rule table using the next-level index of the (i-1)-th key segment and the i-th key segment as the address.
- The method according to claim 1, wherein step D comprises: when the rule node type corresponding to the i-th key segment is an intermediate node, incrementing i by 1 and going to step B; when the rule node type corresponding to the i-th key segment is a hybrid node, recording the rule number corresponding to the i-th key segment, incrementing i by 1 and going to step B.
- The method according to claim 1, further comprising: dividing the key corresponding to the rules of the same dimension into M segments; when the length of the key equals the length of the first key segment, reading the first rule table with the first key segment as the address, and obtaining and managing the corresponding node information; when the length of the key is less than the length of the first key segment, expanding the current remaining field to obtain key remaining fields, reading the first rule table with each key remaining field as the address, and obtaining and managing the corresponding node information, where the current remaining field is the key field of the key that needs to be cared about; when the length of the key is greater than the length of the first key segment, reading the first rule table with the first key segment as the address, and obtaining and managing the corresponding node information.
- The method according to claim 6, further comprising, for the i-th key segment of the M key segments, i = 2, 3, ..., M, performing the following steps in turn: computing the difference between the previous difference and the length of the i-th key segment, where the previous difference is the difference between the length of the key field of the key that needs to be cared about and the length of the i-th key segment; when the difference equals the length of the i-th key segment, reading the i-th rule table with the next-level index of the (i-1)-th key segment and the i-th key segment as the address, and obtaining and managing the corresponding node information; when the difference is less than the length of the i-th key segment, expanding the current remaining field to obtain key remaining fields, reading the i-th rule table with each key remaining field as the address, and obtaining and managing the corresponding node information, where the current remaining field is what remains of the key field that needs to be cared about after the first i key segments; when the difference is greater than the length of the i-th key segment, reading the i-th rule table with the next-level index of the (i-1)-th key segment and the i-th key segment as the address, and obtaining and managing the corresponding node information.
- The method according to claim 1, further comprising: after the configured rules have been updated, updating M backup rule tables according to the new configured rules, where the M backup rule tables correspond one-to-one to the M rule tables; after the M backup rule tables have been updated, switching to access the updated M backup rule tables and updating the M rule tables; after the M rule tables have been updated, switching back to access the updated M rule tables.
- The method according to claim 1, wherein, after step E, the method further comprises: merging the actions corresponding to the rule numbers of each key to be searched, to obtain the ACL result of the packet.
- An apparatus for implementing an access control list (ACL), comprising: a rule-table module, a scheduling module, an access module, a determining module, a looping module and an obtaining module, wherein: the rule-table module is configured to store M rule tables corresponding to rules of the same dimension, M being an integer greater than or equal to 1; the scheduling module is configured to divide each key to be searched that is extracted from the same packet into M key segments; the access module is configured to access the i-th of the M preset rule tables using at least the i-th of the M key segments as the address, to obtain the rule node type corresponding to the i-th key segment, i = 1, 2, 3, 4, ..., M; the determining module is configured, when the rule node type corresponding to the i-th key segment is a leaf node, to determine the rule number corresponding to the i-th key segment as the rule number of the key to be searched corresponding to the M key segments and to trigger the obtaining module; the looping module is configured, when the rule node type corresponding to the i-th key segment is an intermediate node or a hybrid node, to increment i by 1 and trigger the access module; and the obtaining module is configured, after the rule number of the key to be searched has been determined, to obtain the action corresponding to the rule number of the key to be searched.
- The apparatus according to claim 10, wherein, for i = 2, 3, ..., M, the determining module is further configured, when the rule node type corresponding to the i-th key segment is an invalid node and the rule node type corresponding to the (i-1)-th key segment is a hybrid node, to determine the rule number corresponding to the (i-1)-th key segment as the rule number of the key to be searched corresponding to the M key segments, and to trigger the obtaining module.
- The apparatus according to claim 10, wherein, for i = 1, the access module is configured to access the first of the M preset rule tables using the first key segment as the address.
- The apparatus according to claim 10, wherein, for i = 2, 3, ..., M, the access module is configured to access the i-th rule table using the next-level index of the (i-1)-th key segment and the i-th key segment as the address.
- The apparatus according to claim 10, wherein the looping module is configured, when the rule node type corresponding to the i-th key segment is an intermediate node, to increment i by 1 and trigger the access module; and, when the rule node type corresponding to the i-th key segment is a hybrid node, to record the rule number corresponding to the i-th key segment, increment i by 1 and trigger the access module.
- The apparatus according to claim 10, further comprising a rule-table generating module configured to divide the key corresponding to the rules of the same dimension into M segments; when the length of the key equals the length of the first key segment, to read the first rule table with the first key segment as the address, and obtain and manage the corresponding node information; when the length of the key is less than the length of the first key segment, to expand the current remaining field to obtain key remaining fields, read the first rule table with each key remaining field as the address, and obtain and manage the corresponding node information, where the current remaining field is the key field of the key that needs to be cared about; when the length of the key is greater than the length of the first key segment, to read the first rule table with the first key segment as the address, and obtain and manage the corresponding node information.
- The apparatus according to claim 15, wherein the rule-table generating module is configured, for the i-th key segment of the M key segments, to compute the difference between the previous difference and the length of the i-th key segment, where the previous difference is the difference between the length of the key field of the key that needs to be cared about and the length of the i-th key segment, i = 2, 3, ..., M; when the difference equals the length of the i-th key segment, to read the i-th rule table with the next-level index of the (i-1)-th key segment and the i-th key segment as the address, and obtain and manage the corresponding node information; when the difference is less than the length of the i-th key segment, to expand the current remaining field to obtain key remaining fields, read the i-th rule table with each key remaining field as the address, and obtain and manage the corresponding node information, where the current remaining field is what remains of the key field that needs to be cared about after the first i key segments; when the difference is greater than the length of the i-th key segment, to read the i-th rule table with the next-level index of the (i-1)-th key segment and the i-th key segment as the address, and obtain and manage the corresponding node information.
- The apparatus according to claim 10, wherein the rule-table module is further configured, after the configured rules have been updated, to update M backup rule tables according to the new configured rules, where the M backup rule tables correspond one-to-one to the M rule tables; and correspondingly the access module is further configured, after the M backup rule tables have been updated, to switch to access the updated M backup rule tables and update the M rule tables, and, after the M rule tables have been updated, to switch back to access the updated M rule tables.
- The apparatus according to claim 10, further comprising a merging module configured, after the several obtaining modules have obtained the action corresponding to the rule number of each key to be searched, to merge the actions to obtain the ACL result of the packet.
- A computer storage medium storing computer-executable instructions for executing the method according to any one of claims 1 to 9.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510551233.5A CN106487769B (zh) | 2015-09-01 | 2015-09-01 | Method and apparatus for implementing an access control list (ACL) |
CN201510551233.5 | 2015-09-01 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2017036291A1 (zh) | 2017-03-09 |
Family
ID=58186607
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2016/094450 WO2017036291A1 (zh) | 2015-09-01 | 2016-08-10 | Method, apparatus and storage medium for implementing an access control list (ACL) |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN106487769B (zh) |
WO (1) | WO2017036291A1 (zh) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112131356A (zh) * | 2020-08-03 | 2020-12-25 | 国家计算机网络与信息安全管理中心 | TCAM-based packet keyword matching method and apparatus |
CN113037681A (zh) * | 2019-12-09 | 2021-06-25 | 中兴通讯股份有限公司 | ACL rule management method and apparatus, computer device and computer-readable medium |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109150686B (zh) * | 2018-09-07 | 2020-12-22 | 迈普通信技术股份有限公司 | Method and apparatus for delivering ACL entries, and network device |
WO2020107484A1 (zh) * | 2018-11-30 | 2020-06-04 | 华为技术有限公司 | ACL rule classification method, lookup method and apparatus |
CN115361214A (zh) * | 2022-08-22 | 2022-11-18 | 中国电信股份有限公司 | Packet access control method, apparatus, device, medium and program |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101035061A (zh) * | 2006-03-09 | 2007-09-12 | 中兴通讯股份有限公司 | Segmented-coding expansion method for implementing range matching in a ternary content addressable memory |
CN102487374A (zh) * | 2010-12-01 | 2012-06-06 | 中兴通讯股份有限公司 | Access control list implementation method and apparatus |
CN102986179A (zh) * | 2010-06-08 | 2013-03-20 | 博科通讯系统有限公司 | Method and apparatus for processing and/or forwarding packets |
CN103647773A (zh) * | 2013-12-11 | 2014-03-19 | 北京中创信测科技股份有限公司 | Method for fast encoding of access control list (ACL) action sets |
CN104579941A (zh) * | 2015-01-05 | 2015-04-29 | 北京邮电大学 | Packet classification method in an OpenFlow switch |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7644085B2 (en) * | 2003-11-26 | 2010-01-05 | Agere Systems Inc. | Directed graph approach for constructing a tree representation of an access control list |
CN101493841A (zh) * | 2009-02-23 | 2009-07-29 | 深圳市中科新业信息科技发展有限公司 | Search method and search apparatus |
Legal events
- 2015-09-01: CN, CN201510551233.5A, patent/CN106487769B/zh, status: active (Active)
- 2016-08-10: WO, PCT/CN2016/094450, patent/WO2017036291A1/zh, status: active (Application Filing)
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113037681A (zh) * | 2019-12-09 | 2021-06-25 | 中兴通讯股份有限公司 | ACL rule management method, apparatus, computer device and computer-readable medium |
CN113037681B (zh) * | 2019-12-09 | 2023-09-05 | 中兴通讯股份有限公司 | ACL rule management method, apparatus, computer device and computer-readable medium |
CN112131356A (zh) * | 2020-08-03 | 2020-12-25 | 国家计算机网络与信息安全管理中心 | A TCAM-based packet keyword matching method and apparatus |
CN112131356B (zh) * | 2020-08-03 | 2022-06-07 | 国家计算机网络与信息安全管理中心 | A TCAM-based packet keyword matching method and apparatus |
Also Published As
Publication number | Publication date |
---|---|
CN106487769A (zh) | 2017-03-08 |
CN106487769B (zh) | 2020-02-04 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2017036291A1 (zh) | Access control list ACL implementation method, apparatus and storage medium | |
CN110419200B (zh) | Packet processor in a virtual filtering platform | |
Liu et al. | TCAM Razor: A systematic approach towards minimizing packet classifiers in TCAMs | |
US10778612B2 (en) | Variable TCAM actions | |
US10230639B1 (en) | Enhanced prefix matching | |
US7668160B2 (en) | Methods for performing packet classification | |
US10778721B1 (en) | Hash-based ACL lookup offload | |
Luo et al. | Fast incremental flow table aggregation in SDN | |
US7327727B2 (en) | Atomic lookup rule set transition | |
US10708272B1 (en) | Optimized hash-based ACL lookup offload | |
EP3661153B1 (en) | Building decision tree for packet classification | |
JP3881663B2 (ja) | Packet classification apparatus and method using field-level trees | |
WO2016062031A1 (zh) | OpenFlow flow table lookup method and apparatus, and storage medium | |
US9473395B2 (en) | Ultra low latency multi-protocol network device | |
US10033698B2 (en) | Intra-term logical or operation in a network filter | |
Kesselman et al. | Space and speed tradeoffs in TCAM hierarchical packet classification | |
Sun et al. | Packet classification consuming small amount of memory | |
US11140078B1 (en) | Multi-stage prefix matching enhancements | |
Kogan et al. | FIB efficiency in distributed platforms | |
Yu et al. | Hardware accelerator to speed up packet processing in NDN router | |
US11552887B2 (en) | System and method of processing packet classification with range sets | |
US8166536B1 (en) | Transformation of network filter expressions to a content addressable memory format | |
Lo et al. | Flow entry conflict detection scheme for software-defined network | |
US11689464B2 (en) | Optimizing entries in a content addressable memory of a network device | |
Rojas-Cessa et al. | Helix: IP lookup scheme based on helicoidal properties of binary trees |
Legal Events
Code | Title | Description |
---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 16840720 Country of ref document: EP Kind code of ref document: A1 |
NENP | Non-entry into the national phase | Ref country code: DE |
122 | Ep: pct application non-entry in european phase | Ref document number: 16840720 Country of ref document: EP Kind code of ref document: A1 |