CN115834233A - A message filtering method and device - Google Patents
- Publication number: CN115834233A (application number CN202211649296.0A)
- Authority: CN (China)
- Prior art keywords: entry, scl, address, acl, metadata identifier
- Legal status: Withdrawn (status as listed by Google Patents, which states that the status is an assumption and not a legal conclusion)
Description
Technical field
The present invention relates to the field of network technology, and in particular to a packet filtering method and device.
Background
The IPSG (Internet Protocol Source Guard) function filters and controls packets received on an interface of a network device and is usually bound to the user-side interface of the network device. The IPSG function can be implemented by delivering ACL (Access Control List) entries: after a user-side interface bound to the IPSG function receives a packet, it matches the received packet against the preset ACL entries. Only a packet that matches an ACL entry is forwarded by the network device; otherwise the packet is discarded by the network device. Packet filtering is implemented in this way.
Specifically, an ACL entry may record an IP address, and only a packet whose source address is the same as the IP address recorded in the ACL entry can be forwarded by the network device. That is, only packets sent by a user terminal whose own IP address is the same as the IP address recorded in an ACL entry are forwarded, so that the terminal can access the network normally. However, when a large number of user terminals come online in the network, a large number of different ACL entries must be configured in the network device so that all of those user terminals can access the network normally. A large number of ACL entries occupies a large amount of ACL resources, but the ACL resources available in the network chip of the network device for storing ACL entries are limited, which makes it difficult for the network device to provide network access services for a large number of user terminals.
Summary of the invention
The purpose of the embodiments of the present invention is to provide a packet filtering method and device in order to save ACL resources in a network chip. The specific technical solution is as follows.
In a first aspect, an embodiment of the present invention provides a packet filtering method applied to a network device, where a target interface of the network device is configured with the Internet Protocol Source Guard (IPSG) function, and the network chip in the network device stores SCL entries that record the correspondence between IP addresses and metadata identifiers, and access control list (ACL) entries that record metadata identifiers, where the length of a metadata identifier is less than the length of an IP address. The method includes:
after a packet is received through the target interface, searching the stored SCL entries for a target SCL entry that records the source IP address of the packet;
if the target SCL entry is found, adding the metadata identifier recorded in the target SCL entry to the packet;
performing ACL entry matching on the packet based on the metadata identifier carried by the packet, and forwarding the packet if a target ACL entry that records the metadata identifier is matched.
In an embodiment of the present invention, the ACL entry records a metadata identifier and a media access control (MAC) address, and performing ACL entry matching on the packet based on the metadata identifier carried by the packet, and forwarding the packet if a target ACL entry that records the metadata identifier is matched, includes:
performing ACL entry matching on the packet based on the metadata identifier carried by the packet and the source MAC address of the packet, and forwarding the packet if a target ACL entry that records both the metadata identifier and the source MAC address is matched.
In an embodiment of the present invention, the IP addresses recorded in the SCL entries include IPv4 addresses and IPv6 addresses, where SCL entries that record IPv4 addresses are stored in SCL HASH1 and SCL entries that record IPv6 addresses are stored in SCL HASH0.
In an embodiment of the present invention, an ACL entry that records a metadata identifier occupies one ACL resource slot.
In a second aspect, an embodiment of the present invention provides a packet filtering device applied to a network device, where a target interface of the network device is configured with the Internet Protocol Source Guard (IPSG) function, and the network chip in the network device stores SCL entries that record the correspondence between IP addresses and metadata identifiers, and access control list (ACL) entries that record metadata identifiers, where the length of a metadata identifier is less than the length of an IP address. The device includes:
an SCL entry lookup module, configured to search, after a packet is received through the target interface, the stored SCL entries for a target SCL entry that records the source IP address of the packet;
a tag adding module, configured to add the metadata identifier recorded in the target SCL entry to the packet if the target SCL entry is found;
an ACL entry matching module, configured to perform ACL entry matching on the packet based on the metadata identifier carried by the packet, and to forward the packet if a target ACL entry that records the metadata identifier is matched.
In an embodiment of the present invention, the ACL entry records a metadata identifier and a media access control (MAC) address, and the ACL entry matching module is specifically configured to:
perform ACL entry matching on the packet based on the metadata identifier carried by the packet and the source MAC address of the packet, and forward the packet if a target ACL entry that records both the metadata identifier and the source MAC address is matched.
In an embodiment of the present invention, the IP addresses recorded in the SCL entries include IPv4 addresses and IPv6 addresses, where SCL entries that record IPv4 addresses are stored in SCL HASH1 and SCL entries that record IPv6 addresses are stored in SCL HASH0.
In an embodiment of the present invention, an ACL entry that records a metadata identifier occupies one ACL resource slot.
In a third aspect, an embodiment of the present invention provides a network device including a processor, a communication interface, a memory and a communication bus, where the processor, the communication interface and the memory communicate with each other through the communication bus;
the memory is configured to store a computer program;
the processor is configured to implement the method steps of any one of the first aspect when executing the program stored in the memory.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium that stores a computer program, where the computer program, when executed by a processor, implements the method steps of any one of the first aspect.
In a fifth aspect, an embodiment of the present invention further provides a computer program product containing instructions which, when run on a computer, cause the computer to execute the method of any one of the first aspect.
Beneficial effects of the embodiments of the present invention:
The packet filtering method provided by the embodiments of the present invention is applied to a network device whose target interface is configured with the IPSG function, that is, the target interface is an interface on which packet filtering needs to be performed. The network chip of the network device stores SCL entries and ACL entries, where an SCL entry records the correspondence between a metadata identifier and an IP address. After the network device receives a packet through the target interface, it can determine from the SCL entries the metadata identifier corresponding to the source IP address of the packet and add that metadata identifier to the packet. The network device then matches the packet against the ACL entries that record metadata identifiers, and if the match succeeds it continues to forward the packet, thereby implementing packet filtering.
As can be seen from the above, the network chip of the network device stores SCL entries that record the correspondence between IP addresses and metadata identifiers, and the SCL entries implement a tight coupling between an IP address and its metadata identifier. The network device can therefore determine the metadata identifier corresponding to an IP address from the SCL entry, which amounts to using the SCL entry to add to the packet a metadata identifier corresponding to its source IP address, and then matching the packet on that metadata identifier. The ACL entries used to match packets thus do not need to record the IP address, as in the prior art, but record the metadata identifier instead, and the metadata identifier is shorter than an IP address. In the solution provided by the embodiments, the ACL entry records a shorter metadata identifier, so the solution shortens the ACL entries, thereby saving ACL resources in the network chip and enabling the network device to provide network access services for a large number of user terminals at the same time.
Of course, a product or method implementing the present invention does not necessarily need to achieve all of the advantages described above at the same time.
Brief description of the drawings
In order to explain the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and those of ordinary skill in the art can also obtain other embodiments from these drawings.
FIG. 1 is a schematic flowchart of a first packet filtering method provided by an embodiment of the present invention;
FIG. 2 is a schematic flowchart of a second packet filtering method provided by an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of a packet filtering device provided by an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a network device provided by an embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention fall within the protection scope of the present invention.
Because in the prior art the ACL resources available in the network chip of a network device for storing ACL entries are limited, making it difficult for the network device to provide network access services for a large number of user terminals, embodiments of the present invention provide a packet filtering method and device to solve this problem.
An embodiment of the present invention provides a packet filtering method applied to a network device, where a target interface of the network device is configured with the IPSG function, and the network chip in the network device stores SCL (Service Classification List) entries that record the correspondence between IP addresses and metadata identifiers, and ACL entries that record metadata identifiers, where the length of a metadata identifier is less than the length of an IP address. The method includes:
after a packet is received through the target interface, searching the stored SCL entries for a target SCL entry that records the source IP address of the packet;
if the target SCL entry is found, adding the metadata identifier recorded in the target SCL entry to the packet;
matching the packet against the stored ACL entries based on the metadata identifier carried by the packet, and forwarding the packet if a target ACL entry is found.
Referring to FIG. 1, a schematic flowchart of a first packet filtering method provided by an embodiment of the present invention, the method is applied to a network device, which may be a router, a switch or the like. The target interface of the network device is configured with the IPSG function, and the network chip in the network device stores SCL entries that record the correspondence between IP addresses and metadata identifiers (MetaData), and ACL entries that record metadata identifiers, where the length of a metadata identifier is less than the length of an IP address.
Specifically, there is a one-to-one correspondence between IP addresses and metadata identifiers: different IP addresses correspond to different metadata identifiers. An IP address in an SCL entry means that, after a packet whose source address is that IP address is received through the target interface, the network device is allowed to forward the packet. The SCL entries and ACL entries may be set manually or obtained dynamically. Each SCL entry records one IP address and the one metadata identifier corresponding to that IP address. Each ACL entry records one metadata identifier.
In addition, the IP addresses recorded in the SCL entries include IPv4 addresses and IPv6 addresses: SCL entries that record IPv4 addresses are stored in SCL HASH1 (Service Classification List Hash 1), and SCL entries that record IPv6 addresses are stored in SCL HASH0. SCL HASH0 and SCL HASH1 are two storage partitions for SCL entries.
Furthermore, the embodiments of the present invention can run when the switch-mode of the network device is configured as ACL-hash mode. After the network device is configured in ACL-hash mode, the configuration must be saved and the network device restarted; once the SCL entries and ACL entries have then been delivered, the solution provided by the embodiments takes effect.
The method includes the following steps S101 to S103.
S101: After a packet is received through the target interface, search the stored SCL entries for a target SCL entry that records the source IP address of the packet.
In an embodiment of the present invention, the stored SCL entries may be traversed to find the target SCL entry that records the source IP address of the received packet. If the target SCL entry is found, this means that after the network device receives, through the target interface, a packet whose source IP address is the IP address recorded in the target SCL entry, the network device is allowed to forward that packet, and the subsequent steps S102 to S103 are performed. If the target SCL entry is not found, there is no target SCL entry that records the source IP address of the packet, which means that the network device does not forward the packet after receiving it through the target interface; the packet may be discarded or processed in some other way, and steps S102 to S103 are not performed.
S102: If the target SCL entry is found, add the metadata identifier recorded in the target SCL entry to the packet.
S103: Perform ACL entry matching on the packet based on the metadata identifier carried by the packet, and forward the packet if a target ACL entry that records the metadata identifier is matched.
Specifically, a metadata identifier in an ACL entry stored in the network device means that the network device is allowed to forward packets carrying that metadata identifier, so when a target ACL entry that records the metadata identifier carried by the packet is matched, the network device can forward the packet. If no such target ACL entry is matched, the packet may be discarded or processed in some other way, and it is not forwarded.
In addition, the bit width of an ACL entry that records a metadata identifier, as provided by the embodiments of the present invention, may be 160 bits, occupying 1 ACL resource slot, whereas in the prior art an ACL entry that directly records an IPv4 address has a bit width of 320 bits and occupies 2 ACL resource slots, and an ACL entry that directly records an IPv6 address has a bit width of 640 bits and occupies 4 ACL resource slots. The embodiments therefore reduce the ACL resources occupied by each ACL entry, saving ACL resources in the network chip.
Moreover, the inbound ACL resources in the network chip are divided into 8 blocks, numbered 0 to 7. Each of the first 4 blocks contains 1536 resource slots, each slot being 160 bits wide, and each of the last 4 blocks contains 512 resource slots. Block 0, at the front, is used to store the protocol group and is occupied by default after the network device is initialized; blocks 1 to 6 are used to store ACL entries that do not undergo expansion processing, and block 7 is used to store ACL entries that do undergo expansion processing. The ACL entries involved in the solution provided by the embodiments can be stored in blocks 1 to 6, with each ACL entry occupying one resource slot. Blocks 1 to 6 together contain 1536+1536+1536+512+512+512 = 6144 resource slots and can therefore store 6144 ACL entries. If each entry corresponds to one user terminal, the solution provided by the embodiments allows the ACL resources of a single network chip to hold more than 6000 ACL entries and thus, in theory, provide network access services for more than 6000 user terminals.
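The capacity figures above can be turned into a small planning check: how many resource slots a given population of IPv4 and IPv6 bindings consumes under the prior-art address-keyed entries versus the metadata-keyed entries, and whether that fits into blocks 1 to 6. This is an added example written for this page, not code from the patent; the slot widths and block sizes are the ones stated in the description, and the 3000 IPv4 / 1000 IPv6 terminal mix in `demo()` is a constructed input.

```python
"""ACL resource accounting for the slot sizes stated in the description.

Added example, not the patent's own code.  The figures are the page's own:
a resource slot is 160 bits wide, an entry recording an IPv4 address is
320 bits (2 slots), an IPv6 address 640 bits (4 slots), a metadata identifier
160 bits (1 slot); inbound ACL resources are 8 blocks, the first four of 1536
slots and the last four of 512, with blocks 1 to 6 available for these entries.
The user mix in demo() is constructed.
"""
from typing import Dict

SLOT_BITS = 160
ENTRY_BITS = {"ipv4": 320, "ipv6": 640, "metadata": 160}
BLOCK_SLOTS = [1536, 1536, 1536, 1536, 512, 512, 512, 512]   # blocks 0..7
USABLE_BLOCKS = range(1, 7)   # block 0: protocol group; block 7: expanded entries


def slots_per_entry(kind: str) -> int:
    """Resource slots one entry occupies, rounded up to whole 160-bit slots."""
    bits = ENTRY_BITS[kind]
    return -(-bits // SLOT_BITS)   # ceiling division


def usable_slots() -> int:
    """Total slots in blocks 1 to 6 (the page's 6144)."""
    return sum(BLOCK_SLOTS[i] for i in USABLE_BLOCKS)


def slots_needed(n_ipv4: int, n_ipv6: int, scheme: str) -> int:
    """Slots consumed by the bindings under the prior-art 'address' scheme
    (one IPv4 or IPv6 entry per terminal) or the 'metadata' scheme (one
    metadata entry per terminal, whatever the address family)."""
    if scheme == "address":
        return n_ipv4 * slots_per_entry("ipv4") + n_ipv6 * slots_per_entry("ipv6")
    if scheme == "metadata":
        return (n_ipv4 + n_ipv6) * slots_per_entry("metadata")
    raise ValueError(f"unknown scheme {scheme!r}")


def plan(n_ipv4: int, n_ipv6: int) -> Dict[str, dict]:
    """Compare both schemes against the capacity of blocks 1 to 6."""
    cap = usable_slots()
    result = {}
    for scheme in ("address", "metadata"):
        need = slots_needed(n_ipv4, n_ipv6, scheme)
        result[scheme] = {"slots": need, "fits": need <= cap, "spare": cap - need}
    return result


def demo() -> Dict[str, dict]:
    # constructed mix: 3000 IPv4 terminals and 1000 IPv6 terminals
    return plan(3000, 1000)


if __name__ == "__main__":
    for scheme, info in demo().items():
        print(f"{scheme:9s} slots={info['slots']:6d} fits={info['fits']} spare={info['spare']}")
```

For the constructed mix the address-keyed scheme needs 10000 slots and overflows the 6144 available, while the metadata-keyed scheme needs 4000 and leaves 2144 spare; the same function answers the question for any other mix, which is the check a capacity planner would run before deciding whether stacking is needed.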
Furthermore, because in the prior art each ACL entry that contains an IP address occupies more ACL resources, the prior art may increase ACL resources by stacking multiple network devices in order to provide network access services for a large number of user terminals. However, stacking network devices in this way increases the hardware cost of the network system, and stacking requires consideration of the stability of the stack and of the problems that arise when packets are forwarded across boards, which increases the operation and maintenance cost of the network system. The solution provided by the embodiments of the present invention, by reducing the amount of data in each ACL entry, saves the ACL resources occupied by ACL entries, so that the ACL resources in the network chip of a single network device can hold more ACL entries; the solution can therefore avoid stacking network devices as far as possible, saving hardware cost as well as operation and maintenance cost.
In addition, the SCL entries stored in the embodiments of the present invention record the correspondence between IP addresses and metadata identifiers, and IP-address-based packet filtering is implemented by means of the metadata identifiers. The solution provided by the embodiments therefore applies to IP-address-based packet filtering, but not to packet filtering rules unrelated to IP addresses, such as the IPSG bottom (catch-all) drop rule, Free VLAN (Free Virtual Local Area Network) permit rules, and binding rules that contain no IP address. Such rules can be implemented through SCL entries in the prior-art way, likewise without occupying ACL resources, and deploying them together with the solution provided by the embodiments can expand the number of IPSG binding entries supported.
本发明的一个实施例中,上述ACL表项中记录有元数据标识与MAC(Media AccessControl Address,媒体存取控制位址)地址,表示网络设备允许转发携带有ACL表项中记录的元数据标识且源MAC地址为ACL表项中记录的MAC地址的报文。In one embodiment of the present invention, the above-mentioned ACL entry is recorded with a metadata identifier and a MAC (Media Access Control Address, Media Access Control Address) address, indicating that the network device is allowed to forward the metadata identifier recorded in the ACL entry. and the source MAC address is the MAC address recorded in the ACL entry.
在此基础上,参见图2,为本发明实施例提供的第二种报文过滤方法的流程示意图,与前述图1所示的实施例相比,上述步骤S103可以通过以下步骤S103 A实现。On this basis, referring to FIG. 2 , it is a schematic flowchart of a second message filtering method provided by an embodiment of the present invention. Compared with the embodiment shown in FIG. 1 , the above step S103 can be realized by the following step S103A.
S103A:基于上述报文携带的元数据标识以及上述报文的源MAC地址对上述报文进行ACL表项匹配,在匹配到记录有上述元数据标识与上述源MAC地址的目标ACL表项的情况下,对上述报文进行转发处理。S103A: Perform ACL entry matching on the above-mentioned message based on the metadata identifier carried by the above-mentioned message and the source MAC address of the above-mentioned message, and when the target ACL entry that records the above-mentioned metadata identifier and the above-mentioned source MAC address is matched Next, the above packet is forwarded.
本发明的一个实施例中,上述ACL表项中记录有元数据标识以及MAC地址,在存在所记录的元数据标识与上述报文携带的元数据标识相同,且所记录的MAC地址与上述报文的源MAC地址相同的目标ACL表项的情况下,表示网络设备允许转发上述报文,因此可以对上述报文进行转发处理。In one embodiment of the present invention, the metadata identifier and the MAC address are recorded in the above-mentioned ACL entry. If the source MAC address of the packet is the same as the target ACL entry, it means that the network device is allowed to forward the packet, so the packet can be forwarded.
由以上可见,本发明实施例提供的方案中的ACL表项中记录有MAC地址与元数据标识,元数据标识与IP地址紧耦合,即元数据标识能够代表IP地址,因此记录有MAC地址与元数据标识的ACL表项相当于记录有MAC地址以及与IP地址的ACL表项。因此,通过本发明实施例提供的方案能够基于IP地址与MAC地址共同对报文进行过滤,进一步提高网络的安全性。As can be seen from the above, the ACL entry in the solution provided by the embodiment of the present invention records the MAC address and the metadata identifier, and the metadata identifier and the IP address are tightly coupled, that is, the metadata identifier can represent the IP address, so the MAC address and the IP address are recorded. The ACL entry identified by the metadata is equivalent to the ACL entry that records the MAC address and the IP address. Therefore, the solution provided by the embodiment of the present invention can filter packets based on both the IP address and the MAC address, thereby further improving the security of the network.
Corresponding to the packet filtering method applied to a network device described above, an embodiment of the present invention further provides a packet filtering apparatus applied to a network device.
FIG. 3 is a schematic structural diagram of a packet filtering apparatus provided by an embodiment of the present invention, applied to a network device. A target interface of the network device is configured with the IPSG function, and the network chip in the network device stores SCL entries recording the correspondence between IP addresses and metadata identifiers, and ACL entries recording metadata identifiers, where the length of the metadata identifier is smaller than the length of an IP address. The apparatus includes:
an SCL entry lookup module 301, configured to, after a packet is received through the target interface, look up among the stored SCL entries a target SCL entry recording the packet's source IP address;
a tag adding module 302, configured to, if the target SCL entry is found, add to the packet the metadata identifier recorded in the target SCL entry;
an ACL entry matching module 303, configured to perform ACL entry matching on the packet based on the metadata identifier carried by the packet, and to forward the packet when a target ACL entry recording that metadata identifier is matched.
As can be seen from the above, the network chip of the network device stores SCL entries recording the correspondence between IP addresses and metadata identifiers, and the SCL entries realize the tight coupling between IP address and metadata identifier. The network device can therefore determine from the SCL entry the metadata identifier corresponding to an IP address, which amounts to using the SCL entry to add to the packet a metadata identifier corresponding to its source IP address; subsequent matching is performed on the metadata identifier. The ACL entries used to match packets thus no longer need to record the IP address as in the prior art, but record the metadata identifier instead, and the metadata identifier is shorter than an IP address. In the solution of the embodiment the ACL entry therefore records a short metadata identifier, which shortens the ACL entry, saves ACL resources in the network chip, and enables the network device to provide network access to a large number of user terminals concurrently.
In one embodiment of the present invention, the ACL entry records a metadata identifier and a media access control (MAC) address, and the ACL entry matching module 303 is specifically configured to:
perform ACL entry matching on the packet based on the metadata identifier carried by the packet and the packet's source MAC address, and forward the packet when a target ACL entry recording that metadata identifier and that source MAC address is matched.
As can be seen from the above, the ACL entry in the solution provided by the embodiment records a MAC address and a metadata identifier, and the metadata identifier is tightly coupled to the IP address, that is, the metadata identifier can stand for the IP address; an ACL entry recording a MAC address and a metadata identifier is therefore equivalent to an ACL entry recording a MAC address and an IP address. Consequently the solution can filter packets on both IP address and MAC address, further improving network security.
In one embodiment of the present invention, the IP addresses recorded in the SCL entries include IPv4 addresses and IPv6 addresses, where SCL entries recording IPv4 addresses are stored in SCL HASH1 and SCL entries recording IPv6 addresses are stored in SCL HASH0.
In one embodiment of the present invention, an ACL entry recording a metadata identifier occupies a single ACL resource slot.
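The following is an added, runnable model of the lookup, tag and match pipeline described above (modules 301 to 303, step S103A, and the IPv4/IPv6 split across SCL HASH1 and SCL HASH0); it is illustrative code, not code from the patent. The metadata identifier width, the decision to drop a packet that hits no SCL or ACL entry, and all addresses are assumptions.

```python
"""Model of the SCL -> metadata identifier -> ACL filtering pipeline.

A packet arriving on an IPSG-enabled interface has its source IP looked up
in the SCL (IPv4 entries in SCL HASH1, IPv6 entries in SCL HASH0); a hit
yields a short metadata identifier that is attached to the packet, and the
ACL is then matched on (metadata identifier, source MAC) instead of on the
full IP address.  Identifier width, drop-on-miss behaviour and the sample
addresses are assumptions, not values taken from the patent.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

META_ID_BITS = 12          # assumed width; the patent only requires it to be shorter than an IP
MAC_BITS = 48
IP_BITS = {4: 32, 6: 128}


@dataclass
class Packet:
    src_ip: str
    src_mac: str
    metadata_id: Optional[int] = None   # filled in by the tag-adding stage (module 302)


@dataclass
class NetworkChip:
    scl_hash1: Dict[ipaddress.IPv4Address, int] = field(default_factory=dict)  # IPv4 -> id
    scl_hash0: Dict[ipaddress.IPv6Address, int] = field(default_factory=dict)  # IPv6 -> id
    acl: Set[Tuple[int, str]] = field(default_factory=set)   # permitted (id, source MAC)
    next_id: int = 1

    def _scl_table(self, ip: str):
        """Pick the SCL hash table by address family, as the embodiment does."""
        addr = ipaddress.ip_address(ip)
        return addr, (self.scl_hash1 if addr.version == 4 else self.scl_hash0)

    def add_scl_entry(self, ip: str) -> int:
        """Allocate (or reuse) the metadata identifier tightly coupled to `ip`."""
        addr, table = self._scl_table(ip)
        if addr not in table:
            if self.next_id >= (1 << META_ID_BITS):
                raise RuntimeError("metadata identifier space exhausted")
            table[addr] = self.next_id
            self.next_id += 1
        return table[addr]

    def add_binding(self, ip: str, mac: str) -> None:
        """IPSG binding: one SCL entry for the IP plus one ACL entry on (id, MAC)."""
        self.acl.add((self.add_scl_entry(ip), mac.lower()))

    def lookup_scl(self, ip: str) -> Optional[int]:
        addr, table = self._scl_table(ip)
        return table.get(addr)

    def filter_packet(self, pkt: Packet) -> str:
        """Return 'forward' or 'drop' for a packet received on the IPSG interface."""
        mid = self.lookup_scl(pkt.src_ip)            # module 301: SCL lookup on source IP
        if mid is None:
            return "drop"                            # assumed: no SCL hit means IPSG drop
        pkt.metadata_id = mid                        # module 302: tag the packet
        if (mid, pkt.src_mac.lower()) in self.acl:   # module 303 / S103A: match (id, MAC)
            return "forward"
        return "drop"                                # assumed: no ACL hit means drop


def acl_key_bits(ip_version: int, use_metadata_id: bool) -> int:
    """Width of the ACL match key: (IP address or metadata id) plus source MAC."""
    return (META_ID_BITS if use_metadata_id else IP_BITS[ip_version]) + MAC_BITS
```

A packet whose source IP is bound to another host's MAC is dropped even though the IP itself has an SCL entry, which is the IP-plus-MAC check the S103A embodiment describes.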
An embodiment of the present invention further provides a network device, as shown in FIG. 4, including a processor 401, a communication interface 402, a memory 403 and a communication bus 404, where the processor 401, the communication interface 402 and the memory 403 communicate with one another through the communication bus 404;
the memory 403 is configured to store a computer program;
the processor 401 is configured to implement the steps of any of the packet filtering methods above when executing the program stored in the memory 403.
When the network device provided by an embodiment of the present invention is used for packet filtering, the network chip of the network device stores SCL entries recording the correspondence between IP addresses and metadata identifiers, and the SCL entries realize the tight coupling between IP address and metadata identifier. The network device can therefore determine from the SCL entry the metadata identifier corresponding to an IP address, which amounts to using the SCL entry to add to the packet a metadata identifier corresponding to its source IP address; subsequent matching is performed on the metadata identifier. The ACL entries used to match packets thus no longer need to record the IP address as in the prior art, but record the metadata identifier instead, and the metadata identifier is shorter than an IP address. In the solution of the embodiment the ACL entry therefore records a short metadata identifier, which shortens the ACL entry, saves ACL resources in the network chip, and enables the network device to provide network access to a large number of user terminals concurrently.
The communication bus mentioned for the network device may be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus, among others. The communication bus can be divided into an address bus, a data bus, a control bus and so on. For ease of illustration only one thick line is drawn in the figure, which does not mean there is only one bus or only one type of bus.
The communication interface is used for communication between the network device and other devices.
The memory may include random access memory (RAM) and may also include non-volatile memory (NVM), for example at least one disk memory. Optionally, the memory may also be at least one storage device located remotely from the processor.
The processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP) and the like; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In yet another embodiment provided by the present invention, a computer-readable storage medium is also provided, which stores a computer program that, when executed by a processor, implements the steps of any of the packet filtering methods above.
When the computer program provided by an embodiment of the present invention is used for packet filtering, the network chip of the network device stores SCL entries recording the correspondence between IP addresses and metadata identifiers, and the SCL entries realize the tight coupling between IP address and metadata identifier. The network device can therefore determine from the SCL entry the metadata identifier corresponding to an IP address, which amounts to using the SCL entry to add to the packet a metadata identifier corresponding to its source IP address; subsequent matching is performed on the metadata identifier. The ACL entries used to match packets thus no longer need to record the IP address as in the prior art, but record the metadata identifier instead, and the metadata identifier is shorter than an IP address. In the solution of the embodiment the ACL entry therefore records a short metadata identifier, which shortens the ACL entry, saves ACL resources in the network chip, and enables the network device to provide network access to a large number of user terminals concurrently.
In yet another embodiment provided by the present invention, a computer program product containing instructions is also provided which, when run on a computer, causes the computer to perform any of the packet filtering methods of the embodiments above.
When the computer program product provided by an embodiment of the present invention is used for packet filtering, the network chip of the network device stores SCL entries recording the correspondence between IP addresses and metadata identifiers, and the SCL entries realize the tight coupling between IP address and metadata identifier. The network device can therefore determine from the SCL entry the metadata identifier corresponding to an IP address, which amounts to using the SCL entry to add to the packet a metadata identifier corresponding to its source IP address; subsequent matching is performed on the metadata identifier. The ACL entries used to match packets thus no longer need to record the IP address as in the prior art, but record the metadata identifier instead, and the metadata identifier is shorter than an IP address. In the solution of the embodiment the ACL entry therefore records a short metadata identifier, which shortens the ACL entry, saves ACL resources in the network chip, and enables the network device to provide network access to a large number of user terminals concurrently.
The above embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions described in the embodiments of the present invention are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired means (such as coaxial cable, optical fiber or digital subscriber line (DSL)) or wireless means (such as infrared, radio or microwave). The computer-readable storage medium may be any available medium accessible to a computer, or a data storage device such as a server or data center integrating one or more available media. The available medium may be a magnetic medium (for example a floppy disk, hard disk or magnetic tape), an optical medium (for example a DVD), or a semiconductor medium (for example a solid state disk (SSD)).
It should be noted that in this document relational terms such as "first" and "second" are used only to distinguish one entity or operation from another and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or device that comprises that element.
The embodiments in this specification are described in a related manner; for the same or similar parts the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. In particular, since the apparatus, network device, computer-readable storage medium and computer program product embodiments are essentially similar to the method embodiments, they are described relatively briefly, and reference may be made to the relevant parts of the description of the method embodiments.
The above are merely preferred embodiments of the present invention and are not intended to limit its scope of protection. Any modification, equivalent replacement, improvement or the like made within the spirit and principles of the present invention falls within its scope of protection.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211649296.0A CN115834233A (en) | 2022-12-21 | 2022-12-21 | A message filtering method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115834233A true CN115834233A (en) | 2023-03-21 |
Family
ID=85517368
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211649296.0A Withdrawn CN115834233A (en) | 2022-12-21 | 2022-12-21 | A message filtering method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115834233A (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2008141584A1 (en) * | 2007-05-22 | 2008-11-27 | Huawei Technologies Co., Ltd. | Message processing method, system, and equipment |
US9912639B1 (en) * | 2015-12-28 | 2018-03-06 | Juniper Networks, Inc. | Verifying firewall filter entries using rules associated with an access control list (ACL) template |
CN110958334A (en) * | 2019-11-25 | 2020-04-03 | 新华三半导体技术有限公司 | Message processing method and device |
CN113132257A (en) * | 2021-04-29 | 2021-07-16 | 杭州迪普信息技术有限公司 | Message processing method and device |
CN115277097A (en) * | 2022-06-28 | 2022-11-01 | 新华三技术有限公司合肥分公司 | A message processing method and device |
Non-Patent Citations (2)
Title |
---|
潘朝晖;: "华为S6506R交换机配置ACL时易被忽略的规则", 中国金融电脑, no. 04, 15 April 2007 (2007-04-15) * |
陈昌奇;吴军平;: "ACL功能在MDU设备中研究与实现", 电子设计工程, no. 02, 20 January 2020 (2020-01-20) * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
WW01 | Invention patent application withdrawn after publication | ||
Application publication date: 20230321 |