
CN112073357A - Method and device for issuing access control list - Google Patents

Method and device for issuing access control list

Publication number: CN112073357A
Application number: CN201910497981.8A
Authority: CN (China)
Original language: Chinese (zh)
Inventor: 刘民
Assignee (original and current): ZTE Corp
Legal status: Withdrawn (Google notes the status is an assumption, not a legal conclusion)
Related application: PCT/CN2020/083582 (WO2020248675A1)
Prior art keywords: matching, acl, field, length, record

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/101: Access control lists [ACL]
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L 9/40: Network security protocols


Abstract

This document discloses a method and device for issuing an access control list. The method includes: generating an ACL matching table according to the access control list (ACL) rules, where each record in the ACL matching table corresponds to all matching fields of one ACL rule; traversing the ACL matching table, determining the chip logic unit matching length of each record, and updating the ACL matching table: when the table contains a record whose chip logic unit matching length exceeds a preset matching length, performing field culling on the table so that the chip logic unit matching length of every record does not exceed the preset matching length; and delivering the updated ACL matching table to the logic units of the chip. The technical solution reduces the number of logic units occupied on the chip when the access control list is issued.

Figure 201910497981 (abstract drawing)

Description

Method and device for issuing an access control list

Technical field

The present invention relates to the field of communication technologies, and in particular to a method and device for issuing an access control list.

Background

An ACL (Access Control List) is an access control technique: network devices use ACLs to match and filter data packets. A network device usually delivers its ACLs to the chip's logic units (slices), which perform the matching of the ACL rule content. The bit width of a chip logic unit is a fixed value, which limits the length of the content an ACL can match. The matching length can be increased by combining several logic units, but the number of logic units on a chip is limited, so if every ACL rule occupies several logic units, the total number of ACL rules the device can support decreases.

In the related art, when ACL rules are issued, chip entries are usually occupied according to the longest matching length of the ACL rules. As networks evolve, with the wide deployment of IPv6, VXLAN and the like, the number of logic units occupied when resources are reserved for the longest matching length of an ACL rule increases significantly, while the number of logic units actually needed to match the rule content may be far smaller than the number reserved on the chip, which wastes the chip's ACL resources.

Summary of the invention

The technical problem addressed by the present invention is to provide a method and device for issuing an access control list that reduce the number of logic units occupied on the chip when the access control list is issued.

An embodiment of the present invention provides a method for issuing an access control list, including:

generating an ACL matching table according to the access control list (ACL) rules, where each record in the ACL matching table corresponds to all matching fields of one ACL rule;

traversing the ACL matching table, determining the chip logic unit matching length of each record in the ACL matching table, and updating the ACL matching table: when the ACL matching table contains a record whose chip logic unit matching length exceeds a preset matching length, performing field culling on the ACL matching table so that the chip logic unit matching length of every record in the ACL matching table does not exceed the preset matching length;

delivering the updated ACL matching table to the logic units of the chip.

An embodiment of the present invention provides a device for issuing an access control list, including:

an ACL matching table generation module, configured to generate an ACL matching table according to the access control list (ACL) rules, where each record in the ACL matching table corresponds to all matching fields of one ACL rule;

an ACL matching table update module, configured to traverse the ACL matching table, determine the chip logic unit matching length of each record in the ACL matching table, and update the ACL matching table: when the ACL matching table contains a record whose chip logic unit matching length exceeds a preset matching length, perform field culling on the ACL matching table so that the chip logic unit matching length of every record in the ACL matching table does not exceed the preset matching length;

an ACL matching table delivery module, configured to deliver the updated ACL matching table to the logic units of the chip.

An embodiment of the present invention provides a device for issuing an access control list, including:

a memory, a processor, and an access control list issuing program stored in the memory and runnable on the processor, where the access control list issuing program, when executed by the processor, implements the steps of the above method for issuing an access control list.

An embodiment of the present invention provides a computer-readable storage medium storing an access control list issuing program which, when executed by a processor, implements the steps of the above method for issuing an access control list.

Compared with the related art, the method and device for issuing an access control list provided by the present invention generate an ACL matching table according to the ACL rules, where each record in the table corresponds to all matching fields of one ACL rule; traverse the ACL matching table, determine the chip logic unit matching length of each record, and update the table: when the table contains a record whose chip logic unit matching length exceeds the preset matching length, perform field culling on the table so that no record's chip logic unit matching length exceeds the preset matching length; and deliver the updated ACL matching table to the logic units of the chip. The technical solution of the embodiments reduces the number of logic units occupied on the chip when the access control list is issued and, for a fixed number of chip logic unit resources, increases the number of ACL rules that can be delivered to the chip.

Description of drawings

FIG. 1 is a flowchart of a method for issuing an access control list according to Embodiment 1 of the present invention;

FIG. 2 is a schematic diagram of a device for issuing an access control list according to Embodiment 2 of the present invention;

FIG. 3 is a flowchart of a method for updating an ACL matching table according to Example 1 of the present invention.

Detailed description

To make the objectives, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in detail below with reference to the accompanying drawings. Note that the embodiments of the present application, and the features within them, may be combined with one another arbitrarily as long as they do not conflict.

Embodiment 1

As shown in FIG. 1, an embodiment of the present invention provides a method for issuing an access control list, including:

step S110: generating an ACL matching table according to the access control list (ACL) rules, where each record in the ACL matching table corresponds to all matching fields of one ACL rule;

step S120: traversing the ACL matching table, determining the chip logic unit matching length of each record in the ACL matching table, and updating the ACL matching table: when the ACL matching table contains a record whose chip logic unit matching length exceeds a preset matching length, performing field culling on the ACL matching table so that the chip logic unit matching length of every record in the table does not exceed the preset matching length;

step S130: delivering the updated ACL matching table to the logic units of the chip.

In an implementation, the preset matching length is set according to the packet protocol or by the user;

for example, the preset matching length can be set to 1 chip logic unit for IPv4 packets and to 2 chip logic units for IPv6 packets.

In an implementation, performing field culling on the ACL matching table includes:

determining the culling priority of every matching field in the ACL matching table, and sorting all matching fields by culling priority from high to low;

traversing all records in the ACL matching table whose chip logic unit matching length exceeds the preset matching length to form a set of records to be processed, and processing the i-th record of that set as follows: the first m_i matching fields of the record in order of culling priority, highest first, are determined to be the record's culling fields, and those m_i fields are removed from the record; m_i is the smallest value that makes the record's chip logic unit matching length not exceed the preset matching length.

In an implementation, determining the culling priority of every matching field in the ACL matching table includes:

counting the usage rate of each matching field in the ACL matching table;

scoring each matching field according to its usage rate and/or matching weight, where the score of a matching field expresses how likely that field is to be culled.

In an implementation, scoring each matching field according to its usage rate and/or matching weight includes one of the following:

for any matching field, evaluating the likelihood of the field being culled from its usage rate a_i to obtain the field's score p_i = 1 - a_i, with 0 < a_i ≤ 1; or

for any matching field, evaluating the likelihood of the field being culled from its matching weight b_i to obtain the field's score p_i = 1 - b_i, with 0 < b_i ≤ 1; or

for any matching field, evaluating the likelihood of the field being culled from its usage rate a_i and matching weight b_i to obtain the field's score p_i = (1 - a_i) × (1 - b_i), with 0 < a_i ≤ 1 and 0 ≤ b_i < 1;

where the usage rate a_i of a matching field is the ratio of the number of records in the ACL matching table that use that field to the total number of records in the ACL matching table.

In an implementation, the matching weight of a matching field may be determined in either of the following ways:

from the attention degree k_i of the field set by the user: b_i = k_i, with 0 ≤ k_i ≤ 1;

from the system-preset matching weight b_i of the field and the attention degree k_i set by the user: b_i' = k_i × b_i, with 0 < b_i ≤ 1 and 0 ≤ k_i ≤ 1.

Embodiment 2

As shown in FIG. 2, an embodiment of the present invention provides a device for issuing an access control list, including:

an ACL matching table generation module 201, configured to generate an ACL matching table according to the access control list (ACL) rules, where each record in the ACL matching table corresponds to all matching fields of one ACL rule;

an ACL matching table update module 202, configured to traverse the ACL matching table, determine the chip logic unit matching length of each record in the ACL matching table, and update the ACL matching table: when the ACL matching table contains a record whose chip logic unit matching length exceeds a preset matching length, perform field culling on the ACL matching table so that the chip logic unit matching length of every record in the table does not exceed the preset matching length;

an ACL matching table delivery module 203, configured to deliver the updated ACL matching table to the logic units of the chip.

In an implementation, the preset matching length is set according to the packet protocol or by the user;

for example, the preset matching length can be set to 1 chip logic unit for IPv4 packets and to 2 chip logic units for IPv6 packets.

In an implementation, the ACL matching table update module is configured to perform field culling on the ACL matching table as follows:

determining the culling priority of every matching field in the ACL matching table, and sorting all matching fields by culling priority from high to low;

traversing all records in the ACL matching table whose chip logic unit matching length exceeds the preset matching length to form a set of records to be processed, and processing the i-th record of that set as follows: the first m_i matching fields of the record in order of culling priority, highest first, are determined to be the record's culling fields, and those m_i fields are removed from the record; m_i is the smallest value that makes the record's chip logic unit matching length not exceed the preset matching length.

In an implementation, the ACL matching table update module is configured to determine the culling priority of every matching field in the ACL matching table as follows:

counting the usage rate of each matching field in the ACL matching table;

scoring each matching field according to its usage rate and/or matching weight, where the score of a matching field expresses how likely that field is to be culled.

In an implementation, the ACL matching table update module is configured to score each matching field according to its usage rate and/or matching weight in one of the following ways:

for any matching field, evaluating the likelihood of the field being culled from its usage rate a_i to obtain the field's score p_i = 1 - a_i, with 0 < a_i ≤ 1; or

for any matching field, evaluating the likelihood of the field being culled from its matching weight b_i to obtain the field's score p_i = 1 - b_i, with 0 < b_i ≤ 1; or

for any matching field, evaluating the likelihood of the field being culled from its usage rate a_i and matching weight b_i to obtain the field's score p_i = (1 - a_i) × (1 - b_i), with 0 < a_i ≤ 1 and 0 ≤ b_i < 1;

where the usage rate a_i of a matching field is the ratio of the number of records in the ACL matching table that use that field to the total number of records in the ACL matching table.

In an implementation, the matching weight of a matching field may be determined in either of the following ways:

from the attention degree k_i of the field set by the user: b_i = k_i, with 0 ≤ k_i ≤ 1;

from the system-preset matching weight b_i of the field and the attention degree k_i set by the user: b_i' = k_i × b_i, with 0 < b_i ≤ 1 and 0 ≤ k_i ≤ 1.

Embodiment 3

An embodiment of the present invention provides a device for issuing an access control list, including:

a memory, a processor, and an access control list issuing program stored in the memory and runnable on the processor, where the access control list issuing program, when executed by the processor, implements the steps of the method for issuing an access control list described in Embodiment 1.

Embodiment 4

An embodiment of the present invention provides a computer-readable storage medium storing an access control list issuing program which, when executed by a processor, implements the steps of the method for issuing an access control list described in Embodiment 1.

The method for issuing an access control list of the present application is illustrated by the following example.

Example 1

This example provides a method for issuing an access control list. Assume the packets are IPv6 packets and that the system sets the preset matching length of the ACL rules to 2 chip logic units (one chip logic unit is 80 bits wide).

The conventional ACL rules comprise N entries (N greater than 4); Table 1 lists 4 of them schematically. The first ACL rule, Rule 1, is "permit tcp srcip 1000::1 srcport 1000"; its matching fields are the protocol number (tcp), the source ip (1000::1) and the source port number (1000). The second, Rule 2, is "permit udp srcip 2000::1"; its matching fields are the protocol number (udp) and the source ip (2000::1). The third, Rule 3, is "permit tcp srcip 3000::1 srcport 3000 dstip 3100::1"; its matching fields are the protocol number (tcp), the source ip (3000::1), the source port number (3000) and the destination ip (3100::1). The fourth, Rule 4, is "permit tcp srcip 4000::1 srcport 4000 dstip 4100::1 dst 4100"; its matching fields are the protocol number (tcp), the source ip (4000::1), the source port number (4000), the destination ip (4100::1) and the destination port number (4100).

Figure BDA0002089258770000081 (Table 1 is an image on the original page; its content, as given in the text above:)

Rule     Rule content
Rule 1   permit tcp srcip 1000::1 srcport 1000
Rule 2   permit udp srcip 2000::1
Rule 3   permit tcp srcip 3000::1 srcport 3000 dstip 3100::1
Rule 4   permit tcp srcip 4000::1 srcport 4000 dstip 4100::1 dst 4100

Table 1

As shown in Table 2 below, an ACL matching table is generated from the conventional ACL rules; each record in the ACL matching table corresponds to all matching fields of one ACL rule.

Figure BDA0002089258770000082 (Table 2 is an image on the original page; its content, as given in the text:)

Record   Protocol number   Source ip   Source port number   Destination ip   Destination port number
1        tcp               1000::1     1000                 -                -
2        udp               2000::1     -                    -                -
3        tcp               3000::1     3000                 3100::1          -
4        tcp               4000::1     4000                 4100::1          4100

Table 2

Record 1 contains 3 fields: the protocol number field occupies 8 bits, the source ip field 128 bits and the source port number field 16 bits, 152 bits in total; mapped to chip logic units, it needs 2 logic units.

Record 2 contains 2 fields: the protocol number field occupies 8 bits and the source ip field 128 bits, 136 bits in total; mapped to chip logic units, it needs 2 logic units.

Record 3 contains 4 fields: the protocol number field occupies 8 bits, the source ip field 128 bits, the source port number field 16 bits and the destination ip field 128 bits, 280 bits in total; mapped to chip logic units, it needs 4 logic units.

Record 4 contains 5 fields: the protocol number field occupies 8 bits, the source ip field 128 bits, the source port number field 16 bits, the destination ip field 128 bits and the destination port number field 16 bits, 296 bits in total; mapped to chip logic units, it needs 4 logic units.

The ACL matching table is therefore updated. As shown in FIG. 3, updating the ACL matching table includes the following steps:

S101: count the usage rate of each matching field in the ACL matching table;

where the usage rate a_i of a matching field is the ratio of the number of records in the ACL matching table that use that field to the total number of records in the ACL matching table;

counting each matching field of Table 2 gives the usage rates shown in Table 3 below.

Match field               Usage rate a_i
protocol number           1
source ip                 1
source port number        0.75
destination ip            0.5
destination port number   0.25

Table 3

S102: for each matching field, determine its matching weight from the system-preset matching weight b_i of the field and the attention degree k_i of the field set by the user:

b_i' = k_i × b_i; 0 < b_i ≤ 1, 0 ≤ k_i ≤ 1;

where, for the matching fields of Table 2, the system-preset matching weights are shown in Table 4;

Figure BDA0002089258770000091 and Figure BDA0002089258770000101 (Table 4 is an image on the original page)

Table 4

where, for the matching fields of Table 2, the attention degrees set by the user are shown in Table 5;

Match field               User-set attention degree k_i
protocol number           0.5
source ip                 1
source port number        1
destination ip            0.2
destination port number   0.2

Table 5

where, for the matching fields of Table 2, the matching weights determined from the system-preset matching weight and the user-set attention degree are shown in Table 6.

Match field               Matching weight b_i' = k_i × b_i
protocol number           0.25
source ip                 0.8
source port number        0.5
destination ip            0.14
destination port number   0.08

Table 6

S103,根据每一个匹配字段的使用率和匹配权重对所述匹配字段进行评分;S103, scoring the matching field according to the utilization rate and matching weight of each matching field;

其中,一个匹配字段的分值用于表示该匹配字段被剔除的可能性大小;Among them, the score of a matching field is used to indicate the possibility of the matching field being eliminated;

其中,对任意一个匹配字段,根据所述匹配字段的使用率ai和匹配权重bi对所述匹配字段被剔除的可能性进行评估获得该匹配字段的评分pi,pi=(1-ai)×(1-bi);0<ai≤1,0≤bi<1;Wherein, for any matching field, the possibility of the matching field being eliminated is evaluated according to the utilization rate a i of the matching field and the matching weight b i to obtain the score p i of the matching field, pi =(1- a i )×(1-b i ); 0<a i ≤1, 0≤b i <1;

其中,针对表2中的各个匹配字段,匹配字段的评分如下表7所示。Among them, for each matching field in Table 2, the score of the matching field is shown in Table 7 below.

匹配字段match field 匹配字段评分p<sub>i</sub>match field score p<sub>i</sub> 协议号agreement number 00 源ipsource ip 00 源端口号source port number 0.1250.125 目的ipdestination ip 0.2580.258 目的端口号destination port number 0.690.69

表7Table 7

S104: sort all matching fields by score from high to low;

The matching fields in descending order of score are: destination port number, destination ip, source port number, source ip and protocol number (the last two tied); the destination port number field is therefore the most likely to be eliminated.

S105: for the i-th record in the ACL matching table, determine whether i is less than or equal to N; if so, go to step S106, otherwise end. N is the total number of records in the ACL matching table.

S106: determine whether the chip logic unit matching length of the i-th record exceeds the preset matching length; if so, go to step S107, otherwise go to step S108;

The preset matching length is set according to the packet protocol; for example, for IPv6 packets it can be set to 2 chip logic units (one chip logic unit is 80 bits wide);

S107: determine the m<sub>i</sub> highest-scored matching fields contained in the i-th record as that record's elimination fields, and remove those m<sub>i</sub> fields from the record; m<sub>i</sub> is the smallest value for which the chip logic unit matching length of the record does not exceed the preset matching length;

The value of m<sub>i</sub> can be understood as follows:

Take the third record in Table 2 as an example: removing the single highest-scored matching field contained in that record (the destination ip field) shortens its chip logic unit matching length to 152 bits, which does not exceed 2 chip logic units, so m<sub>i</sub> for this record is 1.

Take the fourth record in Table 2 as an example: the two highest-scored matching fields contained in that record (the destination port number field and the destination ip field) must both be removed before its chip logic unit matching length shortens to 152 bits, within 2 chip logic units, so m<sub>i</sub> for this record is 2.

S108: increase i by 1 and return to step S105.
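The following Python program is an added worked example of steps S103 to S108, not code from the patent or from ZTE. It assumes the IPv6 field widths and the 80-bit chip logic unit given in the description and takes the matching weights from Table 6; the four-record ACL matching table it works on is constructed for illustration and is not the page's Table 2 (its usage rates therefore differ, although the field ordering comes out the same). The function and variable names are the example's own.

```python
import math
from typing import Dict, List, Tuple

# Field widths in bits of an IPv6 five-tuple, as given in the description.
FIELD_BITS: Dict[str, int] = {
    "protocol": 8,
    "src_ip": 128,
    "src_port": 16,
    "dst_ip": 128,
    "dst_port": 16,
}
UNIT_BITS = 80      # bit width of one chip logic unit (from the description)
PRESET_UNITS = 2    # preset matching length for IPv6, in chip logic units

# Matching weights b_i' = k_i x b_i, taken from Table 6.
WEIGHTS: Dict[str, float] = {
    "protocol": 0.25, "src_ip": 0.8, "src_port": 0.5, "dst_ip": 0.14, "dst_port": 0.08,
}

# Constructed sample ACL matching table (an assumption, not the page's Table 2):
# each record lists the match fields used by one ACL rule.
SAMPLE_TABLE: List[List[str]] = [
    ["protocol", "src_ip"],
    ["protocol", "src_ip", "src_port"],
    ["protocol", "src_ip", "src_port", "dst_ip"],
    ["protocol", "src_ip", "src_port", "dst_ip", "dst_port"],
]


def match_units(fields: List[str]) -> int:
    """Chip logic unit matching length: total field bits rounded up to whole units."""
    return math.ceil(sum(FIELD_BITS[f] for f in fields) / UNIT_BITS)


def usage_rates(table: List[List[str]]) -> Dict[str, float]:
    """a_i = number of records using field i / total number of records (claim 4)."""
    n = len(table)
    return {f: sum(1 for rec in table if f in rec) / n for f in FIELD_BITS}


def score_fields(table: List[List[str]], weights: Dict[str, float]) -> Dict[str, float]:
    """Step S103: p_i = (1 - a_i) x (1 - b_i); a higher score means more likely to be eliminated."""
    a = usage_rates(table)
    return {f: (1.0 - a[f]) * (1.0 - weights[f]) for f in FIELD_BITS}


def cull_record(record: List[str], scores: Dict[str, float],
                preset_units: int) -> Tuple[List[str], List[str]]:
    """Steps S106/S107 for one record.

    Removes the m_i highest-scored fields the record contains, m_i being the
    smallest count that brings the record within preset_units. Returns the
    retained fields (original order) and the removed fields (removal order).
    """
    kept = list(record)
    removed: List[str] = []
    # Step S104 restricted to this record: its fields, highest score first.
    candidates = sorted(record, key=lambda f: scores[f], reverse=True)
    while match_units(kept) > preset_units:
        f = candidates.pop(0)
        kept.remove(f)
        removed.append(f)
    # Guard: a rule with no match fields left would match all traffic, so refuse it.
    if not kept:
        raise ValueError(f"record {record} cannot fit in {preset_units} unit(s) without matching everything")
    return kept, removed


def update_table(table: List[List[str]], weights: Dict[str, float],
                 preset_units: int = PRESET_UNITS) -> Tuple[List[List[str]], List[List[str]]]:
    """Steps S103-S108 over the whole table.

    Returns the updated table plus an audit list: audit[i] is the list of
    fields removed from record i (empty when the record already fit).
    """
    scores = score_fields(table, weights)
    updated, audit = [], []
    for rec in table:
        kept, removed = cull_record(rec, scores, preset_units)
        updated.append(kept)
        audit.append(removed)
    return updated, audit


if __name__ == "__main__":
    for field, p in sorted(score_fields(SAMPLE_TABLE, WEIGHTS).items(), key=lambda kv: -kv[1]):
        print(f"{field:9s} p_i = {p:.3f}")
    new_table, audit = update_table(SAMPLE_TABLE, WEIGHTS)
    for i, (rec, gone) in enumerate(zip(new_table, audit), start=1):
        print(f"record {i}: {match_units(rec)} unit(s), kept {rec}, removed {gone} (m_i = {len(gone)})")
```

On the constructed table the third record loses only dst_ip (m<sub>i</sub> = 1) and the fourth loses dst_port and then dst_ip (m<sub>i</sub> = 2), mirroring the two worked cases above. The audit list is returned on purpose: every removed field widens the rule so that it matches a superset of the traffic the operator configured, which is why an operator reviewing the issued table needs to know exactly which fields each rule lost; the guard that refuses an empty record catches the degenerate case where the preset length is too small for even one field.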

Finally, after the field elimination processing, the chip logic unit matching length of every record in the updated ACL matching table is within the preset matching length, and the updated ACL matching table is issued to the logic units of the chip. Compare this with the related art, in which chip table entries are occupied according to the longest matching length of the ACL rules: the mainstream maximum matching length of a single logic unit is currently 80 bits. An IPv6 five-tuple consists of a 128-bit source IP, a 128-bit destination IP, a 16-bit source port, a 16-bit destination port and an 8-bit protocol number, 296 bits in total, so an ACL rule that fully matches an IPv6 five-tuple occupies at least 4 logic units. In the technical solution of Example 1, each ACL rule occupies 2 logic units, which greatly reduces the occupation of the chip's logic units; for a fixed number of chip logic unit resources, the number of ACL rules that can be issued to the chip is greatly increased. In scenarios where a large number of ACL rules are configured, the ACL capacity supported for matching can be significantly increased.

Those of ordinary skill in the art will understand that all or some of the steps of the methods disclosed above, and the functional modules/units of the systems and devices, may be implemented as software, firmware, hardware, or an appropriate combination thereof. In a hardware implementation, the division between the functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be executed cooperatively by several physical components. Some or all physical components may be implemented as software executed by a processor, such as a central processing unit, a digital signal processor or a microprocessor, or as hardware, or as an integrated circuit, such as an application-specific integrated circuit. Such software may be distributed on computer-readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). As is well known to those of ordinary skill in the art, the term computer storage media includes volatile and non-volatile, removable and non-removable media implemented in any method or technology for the storage of information such as computer-readable instructions, data structures, program modules or other data. Computer storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and can be accessed by a computer. In addition, as is well known to those of ordinary skill in the art, communication media typically embody computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery media.

It should be noted that the present invention may have various other embodiments. Without departing from the spirit and essence of the present invention, those skilled in the art may make various corresponding changes and modifications according to the present invention, and all such corresponding changes and modifications fall within the scope of protection of the appended claims of the present invention.

Claims (10)

1. A method for issuing an access control list, comprising:
generating an ACL matching table according to access control list (ACL) rules, each record in the ACL matching table corresponding to all matching fields of one ACL rule;
traversing the ACL matching table, determining the chip logic unit matching length of each record in the ACL matching table, and updating the ACL matching table: when a record whose chip logic unit matching length exceeds a preset matching length exists in the ACL matching table, performing field elimination processing on the ACL matching table so that the chip logic unit matching length of every record in the ACL matching table does not exceed the preset matching length;
issuing the updated ACL matching table to the logic unit of the chip.

2. The method of claim 1, wherein the field elimination processing on the ACL matching table comprises:
determining the elimination priority of all matching fields in the ACL matching table; sorting all matching fields by elimination priority from high to low;
traversing all records in the ACL matching table whose chip logic unit matching length exceeds the preset matching length to generate a set of records to be processed; for the i-th record in the set of records to be processed, performing the following processing: determining the first m<sub>i</sub> matching fields with the highest elimination priority contained in the i-th record as the elimination fields of that record, and removing those m<sub>i</sub> elimination fields from the record; wherein m<sub>i</sub> is the smallest value for which the chip logic unit matching length of the record does not exceed the preset matching length.

3. The method of claim 2, wherein determining the elimination priority of all matching fields in the ACL matching table comprises:
counting the usage rate of each matching field in the ACL matching table;
scoring each matching field according to its usage rate and/or matching weight; the score of a matching field indicates how likely that field is to be eliminated.

4. The method of claim 3, wherein scoring each matching field according to its usage rate and/or matching weight comprises:
for any matching field, evaluating the likelihood of its elimination from the field's usage rate a<sub>i</sub> to obtain the score p<sub>i</sub> of that field, p<sub>i</sub> = 1 - a<sub>i</sub>; 0 < a<sub>i</sub> ≤ 1; or
for any matching field, evaluating the likelihood of its elimination from the field's matching weight b<sub>i</sub> to obtain the score p<sub>i</sub> of that field, p<sub>i</sub> = 1 - b<sub>i</sub>; 0 < b<sub>i</sub> ≤ 1; or
for any matching field, evaluating the likelihood of its elimination from the field's usage rate a<sub>i</sub> and matching weight b<sub>i</sub> to obtain the score p<sub>i</sub> of that field, p<sub>i</sub> = (1 - a<sub>i</sub>) × (1 - b<sub>i</sub>); 0 < a<sub>i</sub> ≤ 1, 0 ≤ b<sub>i</sub> < 1;
wherein the usage rate a<sub>i</sub> of any matching field is the ratio of the number of records in the ACL matching table that use that matching field to the total number of records in the ACL matching table.

5. The method of claim 3, wherein the matching weight of a matching field can be determined in any one of the following ways:
determining the matching weight b<sub>i</sub> of the matching field according to the attention degree k<sub>i</sub> of the matching field set by the user, b<sub>i</sub> = k<sub>i</sub>; 0 ≤ k<sub>i</sub> ≤ 1;
determining the matching weight of the matching field according to the system-preset matching weight b<sub>i</sub> of the matching field and the attention degree k<sub>i</sub> of the matching field set by the user, b<sub>i</sub>' = k<sub>i</sub> × b<sub>i</sub>; 0 < b<sub>i</sub> ≤ 1, 0 ≤ k<sub>i</sub> ≤ 1.

6. The method of any one of claims 1-5, wherein the preset matching length is set according to the packet protocol or set by the user.

7. An access control list issuing device, comprising:
an ACL matching table generation module, configured to generate an ACL matching table according to access control list (ACL) rules, each record in the ACL matching table corresponding to all matching fields of one ACL rule;
an ACL matching table update module, configured to traverse the ACL matching table, determine the chip logic unit matching length of each record in the ACL matching table, and update the ACL matching table: when a record whose chip logic unit matching length exceeds a preset matching length exists in the ACL matching table, perform field elimination processing on the ACL matching table so that the chip logic unit matching length of every record in the ACL matching table does not exceed the preset matching length;
an ACL matching table issuing module, configured to issue the updated ACL matching table to the logic unit of the chip.

8. The device of claim 7, wherein the ACL matching table update module is configured to perform the field elimination processing on the ACL matching table in the following manner:
determining the elimination priority of all matching fields in the ACL matching table; sorting all matching fields by elimination priority from high to low;
traversing all records in the ACL matching table whose chip logic unit matching length exceeds the preset matching length to generate a set of records to be processed; for the i-th record in the set of records to be processed, performing the following processing: determining the first m<sub>i</sub> matching fields with the highest elimination priority contained in the i-th record as the elimination fields of that record, and removing those m<sub>i</sub> elimination fields from the record; wherein m<sub>i</sub> is the smallest value for which the chip logic unit matching length of the record does not exceed the preset matching length.

9. An access control list issuing device, comprising a memory, a processor, and an access control list issuing program stored on the memory and executable on the processor, the access control list issuing program, when executed by the processor, implementing the steps of the access control list issuing method of any one of claims 1-6.

10. A computer-readable storage medium on which an access control list issuing program is stored, the access control list issuing program, when executed by a processor, implementing the steps of the access control list issuing method of any one of claims 1-6.
CN201910497981.8A 2019-06-10 2019-06-10 Method and device for issuing access control list Withdrawn CN112073357A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201910497981.8A CN112073357A (en) 2019-06-10 2019-06-10 Method and device for issuing access control list
PCT/CN2020/083582 WO2020248675A1 (en) 2019-06-10 2020-04-07 Access control list issuing method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910497981.8A CN112073357A (en) 2019-06-10 2019-06-10 Method and device for issuing access control list

Publications (1)

Publication Number Publication Date
CN112073357A true CN112073357A (en) 2020-12-11

Family

ID=73658213

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910497981.8A Withdrawn CN112073357A (en) 2019-06-10 2019-06-10 Method and device for issuing access control list

Country Status (2)

Country Link
CN (1) CN112073357A (en)
WO (1) WO2020248675A1 (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101364947A (en) * 2008-09-08 2009-02-11 中兴通讯股份有限公司 Rule matching method and system for control list access
CN102857510A (en) * 2012-09-18 2013-01-02 杭州华三通信技术有限公司 Method and device for issuing ACL (access control list) items
CN103001793A (en) * 2012-10-26 2013-03-27 杭州迪普科技有限公司 Method and device for managing ACL (access control list)
CN104125232A (en) * 2014-08-04 2014-10-29 上海斐讯数据通信技术有限公司 Method for quickly issuing ACL rule
CN106506388A (en) * 2016-10-14 2017-03-15 盛科网络(苏州)有限公司 Implementation method and the device for searching ACL is bound based on TCAM resources
CN108259504A (en) * 2018-01-30 2018-07-06 盛科网络(苏州)有限公司 It is a kind of based on group realize accesses control list a method and device
CN109088894A (en) * 2018-10-25 2018-12-25 新华三技术有限公司合肥分公司 ACL delivery method and the network equipment

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100433715C (en) * 2005-08-19 2008-11-12 华为技术有限公司 Method for providing different service quality tactics to data stream
US20090125470A1 (en) * 2007-11-09 2009-05-14 Juniper Networks, Inc. System and Method for Managing Access Control Lists

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115633097A (en) * 2022-12-21 2023-01-20 新华三信息技术有限公司 Access control list ACL compression method and device
CN115633097B (en) * 2022-12-21 2023-04-28 新华三信息技术有限公司 ACL (access control list) compression method and device

Also Published As

Publication number Publication date
WO2020248675A1 (en) 2020-12-17

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication
     Application publication date: 20201211