[go: up one dir, main page]

WO2020248675A1 - Access control list issuing method and device - Google Patents

Access control list issuing method and device Download PDF

Info

Publication number
WO2020248675A1
WO2020248675A1 PCT/CN2020/083582 CN2020083582W WO2020248675A1 WO 2020248675 A1 WO2020248675 A1 WO 2020248675A1 CN 2020083582 W CN2020083582 W CN 2020083582W WO 2020248675 A1 WO2020248675 A1 WO 2020248675A1
Authority
WO
WIPO (PCT)
Prior art keywords
matching
acl
field
length
matching table
Prior art date
Application number
PCT/CN2020/083582
Other languages
French (fr)
Chinese (zh)
Inventor
刘民
Original Assignee
中兴通讯股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中兴通讯股份有限公司 filed Critical 中兴通讯股份有限公司
Publication of WO2020248675A1 publication Critical patent/WO2020248675A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101Access control lists [ACL]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols

Definitions

  • This application relates to the field of communication technology, and in particular to a method and device for issuing an access control list.
  • ACL Access Control List
  • Network devices use ACLs to match and filter data packets.
  • ACLs to chip logic units (slices) to implement ACL rule content matching.
  • the bit width of the chip logic unit is a fixed value, which limits the length of ACL matching content.
  • chip table entries are usually occupied according to the longest matching length of the ACL rules.
  • the number of logical units occupied by resource reservation according to the longest matching length of the ACL rule when issuing ACLs has increased significantly, and the number of logical units that actually require matching content may be far Less than the number of logical units reserved by the chip, resulting in a waste of chip ACL resources.
  • the technical problem to be solved by this application is to provide a method and device for issuing an access control list.
  • the embodiment of the application provides a method for issuing an access control list, including: generating an ACL matching table according to an ACL rule of an access control list; each record in the ACL matching table corresponds to all matching fields of an ACL rule; traversing the ACL
  • the matching table determines the matching length of the chip logic unit of each record in the ACL matching table, and updates the ACL matching table: when there are records in the ACL matching table whose chip logic unit matching length exceeds the preset matching length
  • the ACL matching table is removed, the matching length of the chip logic unit of all records in the ACL matching table does not exceed the preset matching length; and the updated ACL matching table is delivered to the logic of the chip Unit.
  • the embodiment of the present application provides an access control list issuing device, including: an ACL matching table generation module, configured to generate an ACL matching table according to an ACL rule of an access control list; each record in the ACL matching table corresponds to an ACL rule All matching fields; ACL matching table update module, used to traverse the ACL matching table, determine the matching length of the chip logic unit of each record in the ACL matching table, and update the ACL matching table: when the ACL When there are records in the matching table whose chip logic unit matching length exceeds the preset matching length, field elimination processing is performed on the ACL matching table so that the chip logic unit matching length of all records in the ACL matching table does not exceed the preset matching length Matching length; ACL matching table issuance module, used to distribute the updated ACL matching table to the logic unit of the chip.
  • the embodiment of the present application provides an access control list issuing device, including: a memory, a processor, and an access control list issuing program stored on the memory and running on the processor, and the access control list is downloaded When the distribution program is executed by the processor, the steps of the above-mentioned access control list distribution method are realized.
  • An embodiment of the present application provides a computer-readable storage medium, the computer-readable storage medium stores an access control list issuance program, and when the access control list issuance program is executed by a processor, the foregoing access control list issuance is implemented Method steps.
  • FIG. 1 is a flowchart of a method for issuing an access control list according to Embodiment 1 of the application;
  • FIG. 2 is a schematic diagram of an access control list issuing apparatus according to Embodiment 2 of this application;
  • Fig. 3 is a flowchart of a method for updating an ACL matching table in Example 1 of the application.
  • an embodiment of the present application provides a method for issuing an access control list, including:
  • Step S110 generating an ACL matching table according to the ACL rules of the access control list; each record in the ACL matching table corresponds to all matching fields of an ACL rule;
  • Step S120 traverse the ACL matching table, determine the matching length of the chip logic unit of each record in the ACL matching table, and update the ACL matching table: when there is a chip logic unit matching length in the ACL matching table When the record exceeds the preset matching length, perform field elimination processing on the ACL matching table so that the matching length of the chip logic unit of all records in the ACL matching table does not exceed the preset matching length;
  • step S130 the updated ACL matching table is delivered to the logic unit of the chip.
  • the preset matching length is set according to a message protocol or set by a user
  • the Ipv4 message can set the default matching length to 1 chip logic unit;
  • the Ipv6 message can set the default matching length to 2 chip logic units;
  • the performing field elimination processing on the ACL matching table includes:
  • the determining the elimination priority of all matching fields in the ACL matching table includes:
  • Score the matching field according to the usage rate and/or matching weight of each matching field; the score of a matching field is used to indicate the probability of the matching field being eliminated;
  • the scoring the matching field according to the usage rate and/or matching weight of each matching field includes:
  • the usage rate a i of any matching field is the ratio of the number of records in the ACL matching table that uses the matching field to the total number of all records in the ACL matching table;
  • the matching weight of the matching field can be determined in any of the following ways:
  • the system default match weight match field heavy attention b i and the match field set by a user k i determining the match field matches the weight of weight, b i ' k i ⁇ b i; 0 ⁇ b i ⁇ 1, 0 ⁇ k i ⁇ 1.
  • an embodiment of the present application provides an access control list issuing apparatus, including:
  • the ACL matching table generating module 201 is configured to generate an ACL matching table according to an access control list ACL rule; each record in the ACL matching table corresponds to all matching fields of an ACL rule;
  • the ACL matching table update module 202 is configured to traverse the ACL matching table, determine the matching length of the chip logic unit of each record in the ACL matching table, and update the ACL matching table: when the ACL matching table is When there is a record with a chip logic unit matching length exceeding a preset matching length, performing field elimination processing on the ACL matching table so that the chip logic unit matching length of all records in the ACL matching table does not exceed the preset matching length;
  • the ACL matching table issuing module 203 is used for issuing the updated ACL matching table to the logic unit of the chip.
  • the preset matching length is set according to a message protocol or set by a user
  • the Ipv4 message can set the default matching length to 1 chip logic unit;
  • the Ipv6 message can set the default matching length to 2 chip logic units;
  • the ACL matching table update module is configured to perform field elimination processing on the ACL matching table in the following manner:
  • the ACL matching table update module is configured to determine the elimination priority of all matching fields in the ACL matching table in the following manner:
  • Score the matching field according to the usage rate and/or matching weight of each matching field; the score of a matching field is used to indicate the probability of the matching field being eliminated;
  • the ACL matching table update module is configured to score the matching field according to the usage rate and/or matching weight of each matching field in the following manner:
  • the usage rate a i of any matching field is the ratio of the number of records in the ACL matching table that uses the matching field to the total number of all records in the ACL matching table;
  • the matching weight of the matching field can be determined in any of the following ways:
  • the system default match weight match field heavy attention b i and the match field set by a user k i determining the match field matches the weight of weight, b i ' k i ⁇ b i; 0 ⁇ b i ⁇ 1, 0 ⁇ k i ⁇ 1.
  • the embodiment of the present application provides an access control list issuing device, including:
  • the embodiment of the present application provides a computer-readable storage medium, the computer-readable storage medium stores an access control list issuance program, and when the access control list issuance program is executed by a processor, the above-mentioned embodiment 1 is implemented. The steps of the method for issuing an access control list described above.
  • This example provides a method for issuing an access control list. Assuming that the message is an IPv6 message, the system sets the default matching length of the ACL rule to 2 chip logic units (1 chip logic unit has a bit width of 80 bits).
  • the first ACL rule is Rule 1
  • the content of the rule is: permit tcp srcip 1000::1 srcport 1000, and the matching fields include protocol number (tcp), source ip (1000::1), source port number (1000);
  • the second ACL rule is Rule 2
  • the content of the rule is: permit udp srcip 2000::1, and the matching fields include protocol number (udp), source ip (2000::1)
  • the third ACL rule is Rule 3.
  • the content is: permit tcp srcip 3000::1srcport 3000dstip 3100::1, the matching fields include protocol number (tcp), source ip (3000::1), source port number (3000), destination ip (3100::1);
  • the fourth ACL rule is Rule 4, and the content of the rule is: permit tcp srcip 4000::1 srcport 4000 dstip 4100::1 dst 4100, and the matching fields include protocol number (tcp), source ip (4000::1), source Port number (4000), destination ip (4100::1), destination port number (4100);
  • an ACL matching table is generated according to a traditional ACL rule, and each record in the ACL matching table corresponds to all matching fields of an ACL rule;
  • the first rule includes 3 fields.
  • the protocol number field occupies 8 bits
  • the source ip field occupies 128 bits
  • the source port number field occupies 16 bits, which occupies a total of 152 bits. If mapped to the chip logic unit, 2 logic units are required;
  • the second rule includes 2 fields.
  • the protocol number field occupies 8 bits and the source ip field occupies 128 bits, which occupies a total of 136 bits. If it is mapped to the chip logic unit, 2 logic units are required;
  • the third rule includes 4 fields.
  • the protocol number field occupies 8 bits
  • the source ip field occupies 128 bits
  • the source port number field occupies 16 bits
  • the destination ip field occupies 128 bits, which occupies a total of 280 bits. If mapped to the chip logic unit, 4 Logical unit
  • the fourth rule includes 5 fields.
  • the protocol number field occupies 8 bits
  • the source ip field occupies 128 bits
  • the source port number field occupies 16 bits
  • the destination ip field occupies 128 bits
  • the destination port number field occupies 16 bits.
  • a total of 296 bits are occupied.
  • Chip logic unit requires 4 logic units;
  • the update processing of the ACL matching table includes the following steps:
  • the usage rate a i of any matching field is the ratio of the number of records in the ACL matching table that uses the matching field to the total number of all records in the ACL matching table;
  • each matching field in Table 2 is counted, and the usage rate of each matching field is shown in Table 3 below.
  • the matching weight of the matching field is determined according to the matching weight of the matching field preset by the system and the attention degree of the matching field set by the user, as shown in Table 6.
  • S103 Score the matching field according to the usage rate and matching weight of each matching field
  • the score of a matching field is used to indicate the likelihood of the matching field being eliminated
  • S104 Sort all matching fields according to the score from high to low
  • the matching fields from high to low score are: destination port number, destination ip, source port number, source ip and protocol number (the two are tied together); therefore, the destination port number field is most likely to be eliminated.
  • N is the total number of records in the ACL matching table.
  • the preset matching length is set according to the message protocol; for example, the preset matching length can be set to 2 chip logic units for IPv6 messages (the bit width of one chip logic unit is 80 bits);
  • the scores of the records contained in the i-th front of the m i is determined to eliminate matching field which records the field, removed from the record fields excluding the m th i; wherein, the i m So that the matching length of the recorded chip logic unit does not exceed the minimum value of the preset matching length;
  • the updated ACL matching table eliminates the matching field, and the matching length of the chip logic unit of all records does not exceed the preset matching length.
  • the updated ACL matching table is delivered to the logic unit of the chip.
  • the current maximum matching length of a single logic unit is 80 bits.
  • the IPv6 quintuple consists of a 128-bit source IP, a 128-bit destination IP, a 16-bit source port, a 16-bit destination port, and an 8-bit protocol number, with a total of 296 bits. If an ACL rule needs to achieve complete matching of IPv6 quintuples, at least 4 logical units are required.
  • each ACL rule occupies 2 logic units, which can greatly reduce the occupation of the logic unit of the chip.
  • the number of chip logic unit resources is fixed, the number of ACL rules issued to the chip can be greatly increased.
  • the ACL capacity that supports matching can be significantly improved.
  • the method and device for issuing an access control list provided by the present invention generate an ACL matching table according to the ACL rule of the access control list, and each record in the ACL matching table corresponds to all the matching fields of an ACL rule; traverse the ACL matching Table, determining the matching length of the chip logic unit of each record in the ACL matching table, and updating the ACL matching table: when there is a record in the ACL matching table whose chip logic unit matching length exceeds the preset matching length , Performing field elimination processing on the ACL matching table so that the matching length of the chip logic unit of all records in the ACL matching table does not exceed the preset matching length; and delivering the updated ACL matching table to the logic unit of the chip in.
  • the technical solution of the embodiment of the present invention can save the occupation of logic units on the chip when the access control list is issued, and increase the number of ACL rules issued to the chip when the number of chip logic unit resources is certain.
  • Such software may be distributed on a computer-readable medium, and the computer-readable medium may include a computer storage medium (or a non-transitory medium) and a communication medium (or a transitory medium).
  • the term computer storage medium includes volatile and non-volatile memory implemented in any method or technology for storing information (such as computer-readable instructions, data structures, program modules, or other data). Sexual, removable and non-removable media.
  • Computer storage media include but are not limited to RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disk (DVD) or other optical disk storage, magnetic cassette, tape, magnetic disk storage or other magnetic storage device, or Any other medium used to store desired information and that can be accessed by a computer.
  • communication media usually contain computer-readable instructions, data structures, program modules, or other data in a modulated data signal such as carrier waves or other transmission mechanisms, and may include any information delivery media .

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Disclosed are an access control list (ACL) issuing method and device. Said method comprises: generating an ACL matching table according to ACL rules, each record in the ACL matching table corresponding to all the matching fields of one ACL rule; traversing the ACL matching table, so as to determine a chip logic unit matching length of each record in the ACL matching table, and updating the ACL matching table: when a record in which the chip logic unit matching length exceeds a pre-set matching length exists in the ACL matching table, performing field removing processing on the ACL matching table, so that the chip logic unit matching lengths of all the records in the ACL matching table do not exceed the pre-set matching length; and issuing the updated ACL matching table to the logic unit of the chip.

Description

一种访问控制列表下发方法及装置Method and device for issuing access control list

相关申请的交叉引用Cross references to related applications

本申请基于申请号为201910497981.8、申请日为2019年6月10日的中国专利申请提出,并要求该中国专利申请的优先权,该中国专利申请的全部内容在此以引入方式并入本申请。This application is filed based on the Chinese patent application with the application number 201910497981.8 and the application date on June 10, 2019, and claims the priority of the Chinese patent application. The entire content of the Chinese patent application is hereby incorporated into this application by way of introduction.

技术领域Technical field

本申请涉及通信技术领域,尤其涉及的是一种访问控制列表下发方法及装置。This application relates to the field of communication technology, and in particular to a method and device for issuing an access control list.

背景技术Background technique

ACL(Access Control List,访问控制列表)是一种访问控制技术,网络设备使用ACL来匹配过滤数据报文。一般网络设备将ACL下发到芯片逻辑单元(slice)中,来实现ACL规则内容的匹配。芯片逻辑单元位宽长度值是固定的数值,限制了ACL匹配内容的长度。虽然可以通过使用多个逻辑单元组合的方式增大ACL匹配长度,但是由于芯片的逻辑单元数量有限,如果每条ACL规则占用多个逻辑单元,则会造成设备ACL支持规则数的总量下降。ACL (Access Control List) is an access control technology. Network devices use ACLs to match and filter data packets. Generally, network equipment issues ACLs to chip logic units (slices) to implement ACL rule content matching. The bit width of the chip logic unit is a fixed value, which limits the length of ACL matching content. Although it is possible to increase the ACL matching length by using a combination of multiple logical units, due to the limited number of logical units of the chip, if each ACL rule occupies multiple logical units, the total number of ACL rules supported by the device will decrease.

相关技术中,下发ACL规则时通常按照ACL规则的最长匹配长度进行芯片表项占用。随着网络的发展,如IPv6、vxlan等的广泛应用,下发ACL时按ACL规则的最长匹配长度进行资源预留时占用的逻辑单元数显著增加,实际需要匹配内容的逻辑单元数可能远小于芯片预留的逻辑单元数,导致芯片ACL资源的浪费。In related technologies, when issuing ACL rules, chip table entries are usually occupied according to the longest matching length of the ACL rules. With the development of the network, such as the widespread application of IPv6, vxlan, etc., the number of logical units occupied by resource reservation according to the longest matching length of the ACL rule when issuing ACLs has increased significantly, and the number of logical units that actually require matching content may be far Less than the number of logical units reserved by the chip, resulting in a waste of chip ACL resources.

发明内容Summary of the invention

本申请所要解决的技术问题是提供一种访问控制列表下发方法及装置。The technical problem to be solved by this application is to provide a method and device for issuing an access control list.

本申请实施例提供一种访问控制列表下发方法,包括:根据访问控制列表ACL规则生成ACL匹配表;所述ACL匹配表中的每一条记录对应一条ACL规则的所有匹配字段;遍历所述ACL匹配表,确定所述ACL匹配表中每一条记录的芯片逻辑单元匹配长度,对所述ACL匹配表进行更新处理:当所述ACL匹配表中存在芯片逻辑单元匹配长度超过预设匹配长度的记录时,对所述ACL匹配表进行字段剔除处理使所述ACL匹配表中所有记录的芯片逻辑单元匹配长度均不超过所述预设匹配长度;将更新后的ACL匹配表下发至芯片的逻辑单元中。The embodiment of the application provides a method for issuing an access control list, including: generating an ACL matching table according to an ACL rule of an access control list; each record in the ACL matching table corresponds to all matching fields of an ACL rule; traversing the ACL The matching table determines the matching length of the chip logic unit of each record in the ACL matching table, and updates the ACL matching table: when there are records in the ACL matching table whose chip logic unit matching length exceeds the preset matching length When the ACL matching table is removed, the matching length of the chip logic unit of all records in the ACL matching table does not exceed the preset matching length; and the updated ACL matching table is delivered to the logic of the chip Unit.

本申请实施例提供一种访问控制列表下发装置,包括:ACL匹配表生成模块,用于根据访问控制列表ACL规则生成ACL匹配表;所述ACL匹配表中的每一条记录对应一条ACL规则的所有匹配字段;ACL匹配表更新模块,用于遍历所述ACL匹配表,确定所述ACL匹配表中每一条记录的芯片逻辑单元匹配长度,对所述ACL匹配表进行更新处理:当所述ACL匹配表中存在芯片逻辑单元匹配长度超过预设匹配长度的记录时,对所述ACL匹配表进行字段剔除处理使所述ACL匹配表中所有记录的芯片逻辑单元匹配长度均不超过所述预设匹配长度;ACL匹配表下发模块,用于将更新后的ACL匹配表下发至芯片的逻辑单元中。The embodiment of the present application provides an access control list issuing device, including: an ACL matching table generation module, configured to generate an ACL matching table according to an ACL rule of an access control list; each record in the ACL matching table corresponds to an ACL rule All matching fields; ACL matching table update module, used to traverse the ACL matching table, determine the matching length of the chip logic unit of each record in the ACL matching table, and update the ACL matching table: when the ACL When there are records in the matching table whose chip logic unit matching length exceeds the preset matching length, field elimination processing is performed on the ACL matching table so that the chip logic unit matching length of all records in the ACL matching table does not exceed the preset matching length Matching length; ACL matching table issuance module, used to distribute the updated ACL matching table to the logic unit of the chip.

本申请实施例提供一种访问控制列表下发装置,包括:存储器、处理器及存储在所述存储器上并可在所述处理器上运行的访问控制列表下发程序,所述访问控制列表下发程序被所述处理器执行时实现上述访问控制列表下发方法的步骤。The embodiment of the present application provides an access control list issuing device, including: a memory, a processor, and an access control list issuing program stored on the memory and running on the processor, and the access control list is downloaded When the distribution program is executed by the processor, the steps of the above-mentioned access control list distribution method are realized.

本申请实施例提供一种计算机可读存储介质,所述计算机可读存储介质上存储有访问控制列表下发程序,所述访问控制列表下发程序被处理器执行时实现上述访问控制列表下发方法的步骤。An embodiment of the present application provides a computer-readable storage medium, the computer-readable storage medium stores an access control list issuance program, and when the access control list issuance program is executed by a processor, the foregoing access control list issuance is implemented Method steps.

附图说明Description of the drawings

图1为本申请实施例1的一种访问控制列表下发方法流程图;FIG. 1 is a flowchart of a method for issuing an access control list according to Embodiment 1 of the application;

图2为本申请实施例2的一种访问控制列表下发装置示意图;2 is a schematic diagram of an access control list issuing apparatus according to Embodiment 2 of this application;

图3为本申请示例1的一种更新ACL匹配表的方法流程图。Fig. 3 is a flowchart of a method for updating an ACL matching table in Example 1 of the application.

具体实施方式Detailed ways

为使本申请的目的、技术方案和优点更加清楚明白,下文中将结合附图对本申请的实施例进行详细说明。需要说明的是,在不冲突的情况下,本申请中的实施例及实施例中的特征可以相互任意组合。In order to make the purpose, technical solutions, and advantages of the present application clearer, the embodiments of the present application will be described in detail below in conjunction with the accompanying drawings. It should be noted that the embodiments in the application and the features in the embodiments can be combined with each other arbitrarily if there is no conflict.

实施例1Example 1

如图1所示,本申请实施例提供了一种访问控制列表下发方法,包括:As shown in Figure 1, an embodiment of the present application provides a method for issuing an access control list, including:

步骤S110,根据访问控制列表ACL规则生成ACL匹配表;所述ACL匹配表中的每一条记录对应一条ACL规则的所有匹配字段;Step S110, generating an ACL matching table according to the ACL rules of the access control list; each record in the ACL matching table corresponds to all matching fields of an ACL rule;

步骤S120,遍历所述ACL匹配表,确定所述ACL匹配表中每一条记录的芯片逻辑单元匹配长度,对所述ACL匹配表进行更新处理:当所述ACL匹配表中存在芯片逻辑单元匹配长度超过预设匹配长度的记录时,对所述ACL匹配表进行字段剔除处理使所述ACL匹配表中所有记录的芯片逻辑单元匹配长度均不超过所述预设匹配长度;Step S120, traverse the ACL matching table, determine the matching length of the chip logic unit of each record in the ACL matching table, and update the ACL matching table: when there is a chip logic unit matching length in the ACL matching table When the record exceeds the preset matching length, perform field elimination processing on the ACL matching table so that the matching length of the chip logic unit of all records in the ACL matching table does not exceed the preset matching length;

步骤S130,将更新后的ACL匹配表下发至芯片的逻辑单元中。In step S130, the updated ACL matching table is delivered to the logic unit of the chip.

在一种实施方式中,所述预设匹配长度根据报文协议设定或者由用户设定;In an embodiment, the preset matching length is set according to a message protocol or set by a user;

比如,Ipv4报文可以设定预设匹配长度为1个芯片逻辑单元;Ipv6报文可以设定预设匹配长度为2个芯片逻辑单元;For example, the Ipv4 message can set the default matching length to 1 chip logic unit; the Ipv6 message can set the default matching length to 2 chip logic units;

在一种实施方式中,所述对所述ACL匹配表进行字段剔除处理,包括:In an implementation manner, the performing field elimination processing on the ACL matching table includes:

确定所述ACL匹配表中所有匹配字段的剔除优先级;对所有匹配字段按照剔除优先级从高到低进行排序;Determine the elimination priority of all matching fields in the ACL matching table; sort all the matching fields according to the elimination priority from high to low;

遍历所述ACL匹配表中所有芯片逻辑单元匹配长度超过预设匹配长度的记录生成待处理记录集合;对所述待处理记录集合中的第i条记录进行如 下处理:将所述第i条记录包含的剔除优先级高的前m i个匹配字段确定为该条记录的剔除字段,从所述记录中剔除所述m i个剔除字段;其中,所述m i是使得所述记录的芯片逻辑单元匹配长度不超过预设匹配长度的最小值。 Traverse all the records in the ACL matching table whose matching length of the chip logic unit exceeds the preset matching length to generate a set of records to be processed; perform the following processing on the i-th record in the set of records to be processed: comprising a high priority before culling m i is determined to eliminate matching field which records the field, removed from the record fields excluding the number m i; wherein m i is the logic chip such that the recording The unit matching length does not exceed the minimum value of the preset matching length.

在一种实施方式中,所述确定所述ACL匹配表中所有匹配字段的剔除优先级,包括:In an implementation manner, the determining the elimination priority of all matching fields in the ACL matching table includes:

统计所述ACL匹配表中每一个匹配字段的使用率;Count the usage rate of each matching field in the ACL matching table;

根据每一个匹配字段的使用率和/或匹配权重对所述匹配字段进行评分;一个匹配字段的分值用于表示该匹配字段被剔除的可能性大小;Score the matching field according to the usage rate and/or matching weight of each matching field; the score of a matching field is used to indicate the probability of the matching field being eliminated;

在一种实施方式中,所述根据每一个匹配字段的使用率和/或匹配权重对所述匹配字段进行评分,包括:In an embodiment, the scoring the matching field according to the usage rate and/or matching weight of each matching field includes:

对任意一个匹配字段,根据所述匹配字段的使用率a i对所述匹配字段被剔除的可能性进行评估获得该匹配字段的评分p i,p i=1-a i;0<a i≤1;或 For any matching field, evaluate the possibility of the matching field being eliminated according to the usage rate a i of the matching field to obtain the score p i of the matching field, p i =1-a i ; 0<a i ≤ 1; or

对任意一个匹配字段,根据所述匹配字段的匹配权重b i对所述匹配字段被剔除的可能性进行评估获得该匹配字段的评分p i,p i=1-b i;0<b i≤1;或 For any matching field, evaluate the possibility of the matching field being eliminated according to the matching weight b i of the matching field to obtain the score p i of the matching field, p i =1-b i ; 0<b i ≤ 1; or

对任意一个匹配字段,根据所述匹配字段的使用率a i和匹配权重b i对所述匹配字段被剔除的可能性进行评估获得该匹配字段的评分p i,p i=(1-a i)×(1-b i);0<a i≤1,0≤b i<1; For any matching field, evaluate the possibility of the matching field being eliminated according to the usage rate a i of the matching field and the matching weight b i to obtain the score p i of the matching field, p i = (1-a i )×(1-b i ); 0<a i ≤1, 0≤b i <1;

其中,任意一个匹配字段的使用率a i是所述ACL匹配表中使用了该匹配字段的记录数与所述ACL匹配表中所有记录总数的比值; Wherein, the usage rate a i of any matching field is the ratio of the number of records in the ACL matching table that uses the matching field to the total number of all records in the ACL matching table;

在一种实施方式中,所述匹配字段的匹配权重可以通过以下任意一种方式进行确定:In an implementation manner, the matching weight of the matching field can be determined in any of the following ways:

根据用户设定的匹配字段的关注度k i确定所述匹配字段的匹配权重b i,b i=k i;0≤k i≤1 Determine the matching weight b i of the matching field according to the attention degree k i of the matching field set by the user, b i =k i ; 0≤k i ≤1

根据系统预设的匹配字段的匹配权重b i和用户设定的匹配字段的关注度k i确定所述匹配字段的匹配权重,b i'=k i×b i;0<b i≤1,0≤k i≤1。 The system default match weight match field heavy attention b i and the match field set by a user k i determining the match field matches the weight of weight, b i '= k i × b i; 0 <b i ≤1, 0≤k i ≤1.

实施例2Example 2

如图2所示,本申请实施例提供了一种访问控制列表下发装置,包括:As shown in FIG. 2, an embodiment of the present application provides an access control list issuing apparatus, including:

ACL匹配表生成模块201,用于根据访问控制列表ACL规则生成ACL匹配表;所述ACL匹配表中的每一条记录对应一条ACL规则的所有匹配字段;The ACL matching table generating module 201 is configured to generate an ACL matching table according to an access control list ACL rule; each record in the ACL matching table corresponds to all matching fields of an ACL rule;

ACL匹配表更新模块202,用于遍历所述ACL匹配表,确定所述ACL匹配表中每一条记录的芯片逻辑单元匹配长度,对所述ACL匹配表进行更新处理:当所述ACL匹配表中存在芯片逻辑单元匹配长度超过预设匹配长度的记录时,对所述ACL匹配表进行字段剔除处理使所述ACL匹配表中所有记录的芯片逻辑单元匹配长度均不超过所述预设匹配长度;The ACL matching table update module 202 is configured to traverse the ACL matching table, determine the matching length of the chip logic unit of each record in the ACL matching table, and update the ACL matching table: when the ACL matching table is When there is a record with a chip logic unit matching length exceeding a preset matching length, performing field elimination processing on the ACL matching table so that the chip logic unit matching length of all records in the ACL matching table does not exceed the preset matching length;

ACL匹配表下发模块203,用于将更新后的ACL匹配表下发至芯片的逻辑单元中。The ACL matching table issuing module 203 is used for issuing the updated ACL matching table to the logic unit of the chip.

在一种实施方式中,所述预设匹配长度根据报文协议设定或者由用户设定;In an embodiment, the preset matching length is set according to a message protocol or set by a user;

比如,Ipv4报文可以设定预设匹配长度为1个芯片逻辑单元;Ipv6报文可以设定预设匹配长度为2个芯片逻辑单元;For example, the Ipv4 message can set the default matching length to 1 chip logic unit; the Ipv6 message can set the default matching length to 2 chip logic units;

在一种实施方式中,ACL匹配表更新模块,用于采用以下方式对所述ACL匹配表进行字段剔除处理:In an embodiment, the ACL matching table update module is configured to perform field elimination processing on the ACL matching table in the following manner:

确定所述ACL匹配表中所有匹配字段的剔除优先级;对所有匹配字段按照剔除优先级从高到低进行排序;Determine the elimination priority of all matching fields in the ACL matching table; sort all the matching fields according to the elimination priority from high to low;

遍历所述ACL匹配表中所有芯片逻辑单元匹配长度超过预设匹配长度的记录生成待处理记录集合;对所述待处理记录集合中的第i条记录进行如下处理:将所述第i条记录包含的剔除优先级高的前m i个匹配字段确定为该条记录的剔除字段,从所述记录中剔除所述m i个剔除字段;其中,所述m i是使得所述记录的芯片逻辑单元匹配长度不超过预设匹配长度的最小值; Traverse all the records in the ACL matching table whose matching length of the chip logic unit exceeds the preset matching length to generate a set of records to be processed; perform the following processing on the i-th record in the set of records to be processed: comprising a high priority before culling m i is determined to eliminate matching field which records the field, removed from the record fields excluding the number m i; wherein m i is the logic chip such that the recording The unit matching length does not exceed the minimum value of the preset matching length;

在一种实施方式中,ACL匹配表更新模块,用于采用以下方式确定所述ACL匹配表中所有匹配字段的剔除优先级:In one embodiment, the ACL matching table update module is configured to determine the elimination priority of all matching fields in the ACL matching table in the following manner:

统计所述ACL匹配表中每一个匹配字段的使用率;Count the usage rate of each matching field in the ACL matching table;

根据每一个匹配字段的使用率和/或匹配权重对所述匹配字段进行评分; 一个匹配字段的分值用于表示该匹配字段被剔除的可能性大小;Score the matching field according to the usage rate and/or matching weight of each matching field; the score of a matching field is used to indicate the probability of the matching field being eliminated;

在一种实施方式中,ACL匹配表更新模块,用于采用以下方式根据每一个匹配字段的使用率和/或匹配权重对所述匹配字段进行评分:In one embodiment, the ACL matching table update module is configured to score the matching field according to the usage rate and/or matching weight of each matching field in the following manner:

对任意一个匹配字段,根据所述匹配字段的使用率a i对所述匹配字段被剔除的可能性进行评估获得该匹配字段的评分p i,p i=1-a i;0<a i≤1;或 For any matching field, evaluate the possibility of the matching field being eliminated according to the usage rate a i of the matching field to obtain the score p i of the matching field, p i =1-a i ; 0<a i ≤ 1; or

对任意一个匹配字段,根据所述匹配字段的匹配权重b i对所述匹配字段被剔除的可能性进行评估获得该匹配字段的评分p i,p i=1-b i;0<b i≤1;或 For any matching field, evaluate the possibility of the matching field being eliminated according to the matching weight b i of the matching field to obtain the score p i of the matching field, p i =1-b i ; 0<b i ≤ 1; or

对任意一个匹配字段,根据所述匹配字段的使用率a i和匹配权重b i对所述匹配字段被剔除的可能性进行评估获得该匹配字段的评分p i,p i=(1-a i)×(1-b i);0<a i≤1,0≤b i<1; For any matching field, evaluate the possibility of the matching field being eliminated according to the usage rate a i of the matching field and the matching weight b i to obtain the score p i of the matching field, p i = (1-a i )×(1-b i ); 0<a i ≤1, 0≤b i <1;

其中,任意一个匹配字段的使用率a i是所述ACL匹配表中使用了该匹配字段的记录数与所述ACL匹配表中所有记录总数的比值; Wherein, the usage rate a i of any matching field is the ratio of the number of records in the ACL matching table that uses the matching field to the total number of all records in the ACL matching table;

在一种实施方式中,所述匹配字段的匹配权重可以通过以下任意一种方式进行确定:In an implementation manner, the matching weight of the matching field can be determined in any of the following ways:

根据用户设定的匹配字段的关注度k i确定所述匹配字段的匹配权重b i,b i=k i;0≤k i≤1 Determine the matching weight b i of the matching field according to the attention degree k i of the matching field set by the user, b i =k i ; 0≤k i ≤1

根据系统预设的匹配字段的匹配权重b i和用户设定的匹配字段的关注度k i确定所述匹配字段的匹配权重,b i'=k i×b i;0<b i≤1,0≤k i≤1。 The system default match weight match field heavy attention b i and the match field set by a user k i determining the match field matches the weight of weight, b i '= k i × b i; 0 <b i ≤1, 0≤k i ≤1.

实施例3Example 3

本申请实施例提供了一种访问控制列表下发装置,包括:The embodiment of the present application provides an access control list issuing device, including:

存储器、处理器及存储在所述存储器上并可在所述处理器上运行的访问控制列表下发程序,所述访问控制列表下发程序被所述处理器执行时实现上述实施例1所述的访问控制列表下发方法的步骤。A memory, a processor, and an access control list issuing program stored on the memory and running on the processor, and the access control list issuing program is executed by the processor to implement the above-mentioned embodiment 1 The steps of the method for issuing an access control list.

实施例4Example 4

本申请实施例提供了一种计算机可读存储介质,所述计算机可读存储介质上存储有访问控制列表下发程序,所述访问控制列表下发程序被处理器执行时实现上述实施例1所述的访问控制列表下发方法的步骤。The embodiment of the present application provides a computer-readable storage medium, the computer-readable storage medium stores an access control list issuance program, and when the access control list issuance program is executed by a processor, the above-mentioned embodiment 1 is implemented. The steps of the method for issuing an access control list described above.

下面通过示例说明本申请的访问控制列表下发方法。The following uses an example to illustrate the method for issuing an access control list of this application.

示例1Example 1

本示例提供一种访问控制列表下发方法,假设报文为Ipv6报文,系统设定ACL规则的预设匹配长度为2个芯片逻辑单元(1个芯片逻辑单元的位宽为80bit)。This example provides a method for issuing an access control list. Assuming that the message is an IPv6 message, the system sets the default matching length of the ACL rule to 2 chip logic units (1 chip logic unit has a bit width of 80 bits).

传统的ACL规则包括N条(N大于4),表1中示意性地列出4条。其中第一条ACL规则是Rule 1,规则内容是:permit tcp srcip 1000::1 srcport 1000,匹配字段包括协议号(tcp)、源ip(1000::1)、源端口号(1000);其中第二条ACL规则是Rule 2,规则内容是:permit udp srcip 2000::1,匹配字段包括协议号(udp)、源ip(2000::1);其中第三条ACL规则是Rule 3,规则内容是:permit tcp srcip 3000::1srcport 3000dstip 3100::1,匹配字段包括协议号(tcp)、源ip(3000::1)、源端口号(3000)、目的ip(3100::1);其中第四条ACL规则是Rule 4,规则内容是:permit tcp srcip 4000::1 srcport 4000 dstip 4100::1 dst 4100,匹配字段包括协议号(tcp)、源ip(4000::1)、源端口号(4000)、目的ip(4100::1)、目的端口号(4100);Traditional ACL rules include N (N is greater than 4), and 4 are listed schematically in Table 1. The first ACL rule is Rule 1, and the content of the rule is: permit tcp srcip 1000::1 srcport 1000, and the matching fields include protocol number (tcp), source ip (1000::1), source port number (1000); where The second ACL rule is Rule 2, the content of the rule is: permit udp srcip 2000::1, and the matching fields include protocol number (udp), source ip (2000::1); the third ACL rule is Rule 3. The content is: permit tcp srcip 3000::1srcport 3000dstip 3100::1, the matching fields include protocol number (tcp), source ip (3000::1), source port number (3000), destination ip (3100::1); The fourth ACL rule is Rule 4, and the content of the rule is: permit tcp srcip 4000::1 srcport 4000 dstip 4100::1 dst 4100, and the matching fields include protocol number (tcp), source ip (4000::1), source Port number (4000), destination ip (4100::1), destination port number (4100);

Figure PCTCN2020083582-appb-000001
Figure PCTCN2020083582-appb-000001

表1Table 1

如下表2所示,按照传统的ACL规则生成ACL匹配表,所述ACL匹配表中的每一条记录对应一条ACL规则的所有匹配字段;As shown in Table 2 below, an ACL matching table is generated according to a traditional ACL rule, and each record in the ACL matching table corresponds to all matching fields of an ACL rule;

Figure PCTCN2020083582-appb-000002
Figure PCTCN2020083582-appb-000002

表2Table 2

其中,第1条规则包括3个字段,协议号字段占用8bit、源ip字段占用128bit、源端口号字段占用16bit,一共占用152bit,如果映射到芯片逻辑单元,则需要2个逻辑单元;Among them, the first rule includes 3 fields. The protocol number field occupies 8 bits, the source ip field occupies 128 bits, and the source port number field occupies 16 bits, which occupies a total of 152 bits. If mapped to the chip logic unit, 2 logic units are required;

其中,第2条规则包括2个字段,协议号字段占用8bit、源ip字段占用128bit,一共占用136bit,如果映射到芯片逻辑单元,则需要2个逻辑单元;Among them, the second rule includes 2 fields. The protocol number field occupies 8 bits and the source ip field occupies 128 bits, which occupies a total of 136 bits. If it is mapped to the chip logic unit, 2 logic units are required;

其中,第3条规则包括4个字段,协议号字段占用8bit、源ip字段占用128bit、源端口号字段占用16bit、目的ip字段占用128bit,一共占用280bit,如果映射到芯片逻辑单元,则需要4个逻辑单元;Among them, the third rule includes 4 fields. The protocol number field occupies 8 bits, the source ip field occupies 128 bits, the source port number field occupies 16 bits, and the destination ip field occupies 128 bits, which occupies a total of 280 bits. If mapped to the chip logic unit, 4 Logical unit

其中,第4条规则包括5个字段,协议号字段占用8bit、源ip字段占用128bit、源端口号字段占用16bit、目的ip字段占用128bit、目的端口号字段占用16bit,一共占用296bit,如果映射到芯片逻辑单元,则需要4个逻辑单元;Among them, the fourth rule includes 5 fields. The protocol number field occupies 8 bits, the source ip field occupies 128 bits, the source port number field occupies 16 bits, the destination ip field occupies 128 bits, and the destination port number field occupies 16 bits. A total of 296 bits are occupied. Chip logic unit requires 4 logic units;

因此,对所述ACL匹配表进行更新处理。如图3所述,所述ACL匹配表的更新处理包括以下步骤:Therefore, the ACL matching table is updated. As shown in Figure 3, the update processing of the ACL matching table includes the following steps:

S101,统计所述ACL匹配表中每一个匹配字段的使用率;S101: Count the usage rate of each matching field in the ACL matching table;

其中,任意一个匹配字段的使用率a i是所述ACL匹配表中使用了该匹配字段的记录数与所述ACL匹配表中所有记录总数的比值; Wherein, the usage rate a i of any matching field is the ratio of the number of records in the ACL matching table that uses the matching field to the total number of all records in the ACL matching table;

其中,对表2中的各个匹配字段进行统计,得到每一个匹配字段的使用率见下表3。Among them, each matching field in Table 2 is counted, and the usage rate of each matching field is shown in Table 3 below.

匹配字段Match field 使用率a i Usage rate a i 协议号Agreement number 11 源ipSource ip 11 源端口号Source port number 0.750.75 目的ipDestination ip 0.50.5 目的端口号Destination port number 0.250.25

表3table 3

S102,对任意一个匹配字段,根据系统预设的匹配字段的匹配权重b i和用户设定的匹配字段的关注度k i确定所述匹配字段的匹配权重; S102: For any matching field, determine the matching weight of the matching field according to the matching weight b i of the matching field preset by the system and the attention degree k i of the matching field set by the user;

b i'=k i×b i;0<b i≤1,0≤k i≤1; b i '= k i × b i; 0 <b i ≤1,0≤k i ≤1;

其中,针对表2中的各个匹配字段,系统预设的匹配字段的匹配权重如表4所示;Among them, for each matching field in Table 2, the matching weight of the matching field preset by the system is shown in Table 4;

匹配字段Match field 系统预设匹配权重b i System preset matching weight b i 协议号Agreement number 0.50.5 源ipSource ip 0.80.8 源端口号Source port number 0.50.5 目的ipDestination ip 0.70.7 目的端口号Destination port number 0.40.4

表4Table 4

其中,针对表2中的各个匹配字段,用户设定的匹配字段的关注度如表5所示;Among them, for each matching field in Table 2, the attention degree of the matching field set by the user is shown in Table 5;

匹配字段Match field 用户设定关注度k i User set attention k i 协议号Agreement number 0.50.5 源ipSource ip 11 源端口号Source port number 11

目的ipDestination ip 0.20.2 目的端口号Destination port number 0.20.2

表5table 5

其中,针对表2中的各个匹配字段,根据系统预设的匹配字段的匹配权重和用户设定的匹配字段的关注度确定匹配字段的匹配权重如表6所示。Among them, for each matching field in Table 2, the matching weight of the matching field is determined according to the matching weight of the matching field preset by the system and the attention degree of the matching field set by the user, as shown in Table 6.

匹配字段Match field 匹配权重b i'=k i×b i Matching weight b i '=k i ×b i 协议号Agreement number 0.250.25 源ipSource ip 0.80.8 源端口号Source port number 0.50.5 目的ipDestination ip 0.140.14 目的端口号Destination port number 0.080.08

表6Table 6

S103,根据每一个匹配字段的使用率和匹配权重对所述匹配字段进行评分;S103: Score the matching field according to the usage rate and matching weight of each matching field;

其中,一个匹配字段的分值用于表示该匹配字段被剔除的可能性大小;Among them, the score of a matching field is used to indicate the likelihood of the matching field being eliminated;

其中,对任意一个匹配字段,根据所述匹配字段的使用率a i和匹配权重b i对所述匹配字段被剔除的可能性进行评估获得该匹配字段的评分p i,p i=(1-a i)×(1-b i);0<a i≤1,0≤b i<1; Wherein, for any matching field, the possibility of the matching field being eliminated is evaluated according to the usage rate a i of the matching field and the matching weight b i to obtain the score p i of the matching field, p i = (1- a i )×(1-b i ); 0<a i ≤1, 0≤b i <1;

其中,针对表2中的各个匹配字段,匹配字段的评分如下表7所示。Among them, for each matching field in Table 2, the score of the matching field is shown in Table 7 below.

匹配字段Match field 匹配字段评分p i Match field score p i 协议号Agreement number 00 源ipSource ip 00 源端口号Source port number 0.1250.125 目的ipDestination ip 0.2580.258 目的端口号Destination port number 0.690.69

表7Table 7

S104,对所有匹配字段按照评分从高到低进行排序;S104: Sort all matching fields according to the score from high to low;

其中,评分从高到低的匹配字段分别是:目的端口号,目的ip,源端口号,源ip和协议号(二者并列);因此,目的端口号字段被剔除的可能性最高。Among them, the matching fields from high to low score are: destination port number, destination ip, source port number, source ip and protocol number (the two are tied together); therefore, the destination port number field is most likely to be eliminated.

S105,对ACL匹配表中第i条记录,判断i是否小于或等于N,是则执行步骤S106,否则结束;N是ACL匹配表中的记录总数。S105, for the i-th record in the ACL matching table, judge whether i is less than or equal to N, if yes, execute step S106, otherwise end; N is the total number of records in the ACL matching table.

S106,所述第i条记录的芯片逻辑单元匹配长度是否超过预设匹配长度,是则执行步骤S107,否则执行步骤S108;S106, whether the matching length of the chip logic unit of the i-th record exceeds the preset matching length, if yes, execute step S107, otherwise, execute step S108;

其中,所述预设匹配长度根据报文协议设定;比如,针对Ipv6报文可以设定预设匹配长度为2个芯片逻辑单元(1个芯片逻辑单元的位宽为80bit);Wherein, the preset matching length is set according to the message protocol; for example, the preset matching length can be set to 2 chip logic units for IPv6 messages (the bit width of one chip logic unit is 80 bits);

S107,将所述第i条记录包含的评分值靠前的m i个匹配字段确定为该条记录的剔除字段,从所述记录中剔除所述m i个剔除字段;其中,所述m i是使得所述记录的芯片逻辑单元匹配长度不超过预设匹配长度的最小值; S107, the scores of the records contained in the i-th front of the m i is determined to eliminate matching field which records the field, removed from the record fields excluding the m th i; wherein, the i m So that the matching length of the recorded chip logic unit does not exceed the minimum value of the preset matching length;

其中,对m i值可以做如下理解: Among them, the value of mi can be understood as follows:

以表2中的第3条记录为例,剔除该条记录包含的评分值最高的1个匹配字段(目的ip字段),就可以使得该条记录的芯片逻辑单元匹配长度缩短为152bit,不超过2个芯片逻辑单元,因此该条记录的m i值为1。 Take the third record in Table 2 as an example, remove the match field (destination ip field) with the highest score contained in this record, so that the matching length of the chip logic unit of this record can be shortened to 152 bits, which does not exceed 2 chip logic units, so the mi value of this record is 1.

以表2中的第4条记录为例,剔除该条记录包含的评分值靠前的2个匹配字段(目的端口号字段和目的ip字段),才能使得该条记录的芯片逻辑单元匹配长度缩短为152bit,不超过2个芯片逻辑单元,因此该条记录的m i值为2。 Take the 4th record in Table 2 as an example, eliminate the top 2 matching fields (destination port number field and destination ip field) contained in this record to shorten the matching length of the chip logic unit of this record It is 152bit, no more than 2 chip logic units, so the mi value of this record is 2.

S108,将i值增加1,返回步骤S105。S108: Increase the value of i by 1, and return to step S105.

最后,更新后的ACL匹配表通过剔除匹配字段的处理,所有记录的芯片逻辑单元匹配长度均不超过预设匹配长度。将更新后的ACL匹配表下发至芯片的逻辑单元中,与相关技术中按照ACL规则的最长匹配长度进行芯片表项占用的方案相比,目前单个逻辑单元的最大匹配长度主流为80比特。IPv6的五元组由128位源IP、128位目的IP、16位源port、16位目的port、 8位协议号组成,总共296比特。如果1条ACL规则需要实现对IPv6五元组的完整匹配则至少需要占用4个逻辑单元。示例1的技术方案中,每条ACL规则占用2个逻辑单元,能够大大缩减对芯片的逻辑单元的占用,在芯片逻辑单元资源数量一定时,可以大大增加下发至芯片的ACL规则数量。在大量配置ACL规则的使用场景下可以显著提高支持匹配的ACL容量。Finally, the updated ACL matching table eliminates the matching field, and the matching length of the chip logic unit of all records does not exceed the preset matching length. The updated ACL matching table is delivered to the logic unit of the chip. Compared with the solution in the related technology that uses the longest matching length of ACL rules to occupy the chip table entries, the current maximum matching length of a single logic unit is 80 bits. . The IPv6 quintuple consists of a 128-bit source IP, a 128-bit destination IP, a 16-bit source port, a 16-bit destination port, and an 8-bit protocol number, with a total of 296 bits. If an ACL rule needs to achieve complete matching of IPv6 quintuples, at least 4 logical units are required. In the technical solution of Example 1, each ACL rule occupies 2 logic units, which can greatly reduce the occupation of the logic unit of the chip. When the number of chip logic unit resources is fixed, the number of ACL rules issued to the chip can be greatly increased. In scenarios where a large number of ACL rules are configured, the ACL capacity that supports matching can be significantly improved.

本发明提供的一种访问控制列表下发方法及装置,根据访问控制列表ACL规则生成ACL匹配表,所述ACL匹配表中的每一条记录对应一条ACL规则的所有匹配字段;遍历所述ACL匹配表,确定所述ACL匹配表中每一条记录的芯片逻辑单元匹配长度,对所述ACL匹配表进行更新处理:当所述ACL匹配表中存在芯片逻辑单元匹配长度超过预设匹配长度的记录时,对所述ACL匹配表进行字段剔除处理使所述ACL匹配表中所有记录的芯片逻辑单元匹配长度均不超过所述预设匹配长度;将更新后的ACL匹配表下发至芯片的逻辑单元中。本发明实施例的技术方案能够节省访问控制列表下发时对芯片上的逻辑单元的占用,在芯片逻辑单元资源数量一定时,增加下发至芯片的ACL规则数量。The method and device for issuing an access control list provided by the present invention generate an ACL matching table according to the ACL rule of the access control list, and each record in the ACL matching table corresponds to all the matching fields of an ACL rule; traverse the ACL matching Table, determining the matching length of the chip logic unit of each record in the ACL matching table, and updating the ACL matching table: when there is a record in the ACL matching table whose chip logic unit matching length exceeds the preset matching length , Performing field elimination processing on the ACL matching table so that the matching length of the chip logic unit of all records in the ACL matching table does not exceed the preset matching length; and delivering the updated ACL matching table to the logic unit of the chip in. The technical solution of the embodiment of the present invention can save the occupation of logic units on the chip when the access control list is issued, and increase the number of ACL rules issued to the chip when the number of chip logic unit resources is certain.

本领域普通技术人员可以理解,上文中所公开方法中的全部或某些步骤、系统、装置中的功能模块/单元可以被实施为软件、固件、硬件及其适当的组合。在硬件实施方式中,在以上描述中提及的功能模块/单元之间的划分不一定对应于物理组件的划分;例如,一个物理组件可以具有多个功能,或者一个功能或步骤可以由若干物理组件合作执行。某些物理组件或所有物理组件可以被实施为由处理器,如中央处理器、数字信号处理器或微处理器执行的软件,或者被实施为硬件,或者被实施为集成电路,如专用集成电路。这样的软件可以分布在计算机可读介质上,计算机可读介质可以包括计算机存储介质(或非暂时性介质)和通信介质(或暂时性介质)。如本领域普通技术人员公知的,术语计算机存储介质包括在用于存储信息(诸如计算机可读指令、数据结构、程序模块或其他数据)的任何方法或技术中实施的易失性和非易失性、可移除和不可移除介质。计算机存储介质包括但不限于RAM、ROM、EEPROM、闪存或其他存储器技术、CD-ROM、数字多功能 盘(DVD)或其他光盘存储、磁盒、磁带、磁盘存储或其他磁存储装置、或者可以用于存储期望的信息并且可以被计算机访问的任何其他的介质。此外,本领域普通技术人员公知的是,通信介质通常包含计算机可读指令、数据结构、程序模块或者诸如载波或其他传输机制之类的调制数据信号中的其他数据,并且可包括任何信息递送介质。A person of ordinary skill in the art can understand that all or some of the steps, functional modules/units in the system, and apparatus in the methods disclosed above can be implemented as software, firmware, hardware, and appropriate combinations thereof. In hardware implementations, the division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may consist of several physical components. The components are executed cooperatively. Some physical components or all physical components can be implemented as software executed by a processor, such as a central processing unit, a digital signal processor, or a microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit . Such software may be distributed on a computer-readable medium, and the computer-readable medium may include a computer storage medium (or a non-transitory medium) and a communication medium (or a transitory medium). As is well known to those of ordinary skill in the art, the term computer storage medium includes volatile and non-volatile memory implemented in any method or technology for storing information (such as computer-readable instructions, data structures, program modules, or other data). Sexual, removable and non-removable media. Computer storage media include but are not limited to RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disk (DVD) or other optical disk storage, magnetic cassette, tape, magnetic disk storage or other magnetic storage device, or Any other medium used to store desired information and that can be accessed by a computer. In addition, as is well known to those of ordinary skill in the art, communication media usually contain computer-readable instructions, data structures, program modules, or other data in a modulated data signal such as carrier waves or other transmission mechanisms, and may include any information delivery media .

需要说明的是,本申请还可有其他多种实施例,在不背离本申请精神及其实质的情况下,熟悉本领域的技术人员可根据本申请作出各种相应的改变和变形,但这些相应的改变和变形都应属于本申请所附的权利要求的保护范围。It should be noted that this application can also have various other embodiments. Without departing from the spirit and essence of this application, those skilled in the art can make various corresponding changes and modifications according to this application, but these Corresponding changes and modifications should fall within the protection scope of the appended claims of this application.

Claims (10)

一种访问控制列表下发方法,包括:A method for issuing an access control list includes: 根据访问控制列表ACL规则生成ACL匹配表;所述ACL匹配表中的每一条记录对应一条ACL规则的所有匹配字段;Generating an ACL matching table according to an access control list ACL rule; each record in the ACL matching table corresponds to all matching fields of an ACL rule; 遍历所述ACL匹配表,确定所述ACL匹配表中每一条记录的芯片逻辑单元匹配长度,对所述ACL匹配表进行更新处理:当所述ACL匹配表中存在芯片逻辑单元匹配长度超过预设匹配长度的记录时,对所述ACL匹配表进行字段剔除处理使所述ACL匹配表中所有记录的芯片逻辑单元匹配长度均不超过所述预设匹配长度;Traverse the ACL matching table, determine the matching length of the chip logic unit of each record in the ACL matching table, and update the ACL matching table: when there is a chip logic unit matching length in the ACL matching table that exceeds the preset When matching length records, perform field elimination processing on the ACL matching table so that the matching length of the chip logic unit of all records in the ACL matching table does not exceed the preset matching length; 将更新后的ACL匹配表下发至芯片的逻辑单元中。The updated ACL matching table is delivered to the logic unit of the chip. 如权利要求1所述的方法,其中:The method of claim 1, wherein: 所述对所述ACL匹配表进行字段剔除处理,包括:The performing field elimination processing on the ACL matching table includes: 确定所述ACL匹配表中所有匹配字段的剔除优先级;对所有匹配字段按照剔除优先级从高到低进行排序;Determine the elimination priority of all matching fields in the ACL matching table; sort all the matching fields according to the elimination priority from high to low; 遍历所述ACL匹配表中所有芯片逻辑单元匹配长度超过预设匹配长度的记录生成待处理记录集合;对所述待处理记录集合中的第i条记录进行如下处理:将所述第i条记录包含的剔除优先级高的前m i个匹配字段确定为该条记录的剔除字段,从所述记录中剔除所述m i个剔除字段;其中,所述m i是使得所述记录的芯片逻辑单元匹配长度不超过预设匹配长度的最小值。 Traverse all the records in the ACL matching table whose matching length of the chip logic unit exceeds the preset matching length to generate a set of records to be processed; perform the following processing on the i-th record in the set of records to be processed: comprising a high priority before culling m i is determined to eliminate matching field which records the field, removed from the record fields excluding the number m i; wherein m i is the logic chip such that the recording The unit matching length does not exceed the minimum value of the preset matching length. 如权利要求2所述的方法,其中:The method of claim 2, wherein: 所述确定所述ACL匹配表中所有匹配字段的剔除优先级,包括:The determining the elimination priority of all matching fields in the ACL matching table includes: 统计所述ACL匹配表中每一个匹配字段的使用率;Count the usage rate of each matching field in the ACL matching table; 根据每一个匹配字段的使用率和/或匹配权重对所述匹配字段进行评分;一个匹配字段的分值用于表示该匹配字段被剔除的可能性大小。The matching field is scored according to the usage rate and/or matching weight of each matching field; the score of a matching field is used to indicate the probability of the matching field being eliminated. 如权利要求3所述的方法,其中:The method of claim 3, wherein: 所述根据每一个匹配字段的使用率和/或匹配权重对所述匹配字段进行评分,包括:The scoring the matching field according to the usage rate and/or matching weight of each matching field includes: 对任意一个匹配字段,根据所述匹配字段的使用率a i对所述匹配字段被剔除的可能性进行评估获得该匹配字段的评分p i,p i=1-a i;0<a i≤1;或 For any matching field, evaluate the possibility of the matching field being eliminated according to the usage rate a i of the matching field to obtain the score p i of the matching field, p i =1-a i ; 0<a i ≤ 1; or 对任意一个匹配字段,根据所述匹配字段的匹配权重b i对所述匹配字段被剔除的可能性进行评估获得该匹配字段的评分p i,p i=1-b i;0<b i≤1;或 For any matching field, evaluate the possibility of the matching field being eliminated according to the matching weight b i of the matching field to obtain the score p i of the matching field, p i =1-b i ; 0<b i ≤ 1; or 对任意一个匹配字段,根据所述匹配字段的使用率a i和匹配权重b i对所述匹配字段被剔除的可能性进行评估获得该匹配字段的评分p i,p i=(1-a i)×(1-b i);0<a i≤1,0≤b i<1; For any matching field, evaluate the possibility of the matching field being eliminated according to the usage rate a i of the matching field and the matching weight b i to obtain the score p i of the matching field, p i = (1-a i )×(1-b i ); 0<a i ≤1, 0≤b i <1; 其中,任意一个匹配字段的使用率a i是所述ACL匹配表中使用了该匹配字段的记录数与所述ACL匹配表中所有记录总数的比值。 Wherein, the usage rate a i of any matching field is the ratio of the number of records in the ACL matching table that uses the matching field to the total number of all records in the ACL matching table. 如权利要求3所述的方法,其中:The method of claim 3, wherein: 所述匹配字段的匹配权重可以通过以下任意一种方式进行确定:The matching weight of the matching field can be determined in any of the following ways: 根据用户设定的匹配字段的关注度k i确定所述匹配字段的匹配权重b i,b i=k i;0≤k i≤1 Determine the matching weight b i of the matching field according to the attention degree k i of the matching field set by the user, b i =k i ; 0≤k i ≤1 根据系统预设的匹配字段的匹配权重b i和用户设定的匹配字段的关注度k i确定所述匹配字段的匹配权重,b i'=k i×b i;0<b i≤1,0≤k i≤1。 The system default match weight match field heavy attention b i and the match field set by a user k i determining the match field matches the weight of weight, b i '= k i × b i; 0 <b i ≤1, 0≤k i ≤1. 如权利要求1-5中任一项所述的方法,其中:The method of any one of claims 1-5, wherein: 所述预设匹配长度根据报文协议设定或者由用户设定。The preset matching length is set according to the message protocol or set by the user. 一种访问控制列表下发装置,包括:A device for issuing an access control list, including: ACL匹配表生成模块,用于根据访问控制列表ACL规则生成ACL匹配表;所述ACL匹配表中的每一条记录对应一条ACL规则的所有匹配字段;The ACL matching table generating module is configured to generate an ACL matching table according to the ACL rules of the access control list; each record in the ACL matching table corresponds to all matching fields of an ACL rule; ACL匹配表更新模块,用于遍历所述ACL匹配表,确定所述ACL匹配表中每一条记录的芯片逻辑单元匹配长度,对所述ACL匹配表进行更新处理:当所述ACL匹配表中存在芯片逻辑单元匹配长度超过预设匹配长度的记录时,对所述ACL匹配表进行字段剔除处理使所述ACL匹配表中所有记录的芯片逻辑单元匹配长度均不超过所述预设匹配长度;The ACL matching table update module is used to traverse the ACL matching table, determine the matching length of the chip logic unit of each record in the ACL matching table, and update the ACL matching table: when the ACL matching table exists When the chip logic unit matches a record whose length exceeds the preset matching length, performing field elimination processing on the ACL matching table so that the chip logic unit matching length of all records in the ACL matching table does not exceed the preset matching length; ACL匹配表下发模块,用于将更新后的ACL匹配表下发至芯片的逻辑单元中。The ACL matching table distribution module is used to distribute the updated ACL matching table to the logic unit of the chip. 如权利要求7所述的装置,其中:The device of claim 7, wherein: ACL匹配表更新模块,用于采用以下方式对所述ACL匹配表进行字段剔除处理:The ACL matching table update module is used to remove fields from the ACL matching table in the following manner: 确定所述ACL匹配表中所有匹配字段的剔除优先级;对所有匹配字段按照剔除优先级从高到低进行排序;Determine the elimination priority of all matching fields in the ACL matching table; sort all the matching fields according to the elimination priority from high to low; 遍历所述ACL匹配表中所有芯片逻辑单元匹配长度超过预设匹配长度的记录生成待处理记录集合;对所述待处理记录集合中的第i条记录进行如下处理:将所述第i条记录包含的剔除优先级高的前m i个匹配字段确定为该条记录的剔除字段,从所述记录中剔除所述m i个剔除字段;其中,所述m i是使得所述记录的芯片逻辑单元匹配长度不超过预设匹配长度的最小值。 Traverse all the records in the ACL matching table whose matching length of the chip logic unit exceeds the preset matching length to generate a set of records to be processed; perform the following processing on the i-th record in the set of records to be processed: comprising a high priority before culling m i is determined to eliminate matching field which records the field, removed from the record fields excluding the number m i; wherein m i is the logic chip such that the recording The unit matching length does not exceed the minimum value of the preset matching length. 一种访问控制列表下发装置,包括:A device for issuing an access control list, including: 存储器、处理器及存储在所述存储器上并可在所述处理器上运行的访问控制列表下发程序,所述访问控制列表下发程序被所述处理器执行时实现上述权利要求1-6中任一项所述的访问控制列表下发方法的步骤。A memory, a processor, and an access control list issuing program stored in the memory and running on the processor, and the access control list issuing program is executed by the processor to implement the above claims 1-6 Steps of any one of the method for issuing an access control list. 一种计算机可读存储介质,所述计算机可读存储介质上存储有访问控制列表下发程序,所述访问控制列表下发程序被处理器执行时实现上述权利要求1-6中任一项所述的访问控制列表下发方法的步骤。A computer-readable storage medium, the computer-readable storage medium stores an access control list issuance program, and when the access control list issuance program is executed by a processor, implements any one of the foregoing claims 1-6 The steps of the method for issuing an access control list described above.
PCT/CN2020/083582 2019-06-10 2020-04-07 Access control list issuing method and device WO2020248675A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910497981.8 2019-06-10
CN201910497981.8A CN112073357A (en) 2019-06-10 2019-06-10 Method and device for issuing access control list

Publications (1)

Publication Number Publication Date
WO2020248675A1 true WO2020248675A1 (en) 2020-12-17

Family

ID=73658213

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/083582 WO2020248675A1 (en) 2019-06-10 2020-04-07 Access control list issuing method and device

Country Status (2)

Country Link
CN (1) CN112073357A (en)
WO (1) WO2020248675A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115633097B (en) * 2022-12-21 2023-04-28 新华三信息技术有限公司 ACL (access control list) compression method and device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1863142A (en) * 2005-08-19 2006-11-15 华为技术有限公司 Method for providing different service quality tactics to data stream
US20090125470A1 (en) * 2007-11-09 2009-05-14 Juniper Networks, Inc. System and Method for Managing Access Control Lists
CN102857510A (en) * 2012-09-18 2013-01-02 杭州华三通信技术有限公司 Method and device for issuing ACL (access control list) items

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101364947A (en) * 2008-09-08 2009-02-11 中兴通讯股份有限公司 Rule matching method and system for control list access
CN103001793B (en) * 2012-10-26 2015-06-10 杭州迪普科技有限公司 Method and device for managing ACL (access control list)
CN104125232B (en) * 2014-08-04 2018-10-12 上海斐讯数据通信技术有限公司 A method of quickly issuing acl rule
CN106506388B (en) * 2016-10-14 2019-12-20 盛科网络(苏州)有限公司 Implementation method and device for searching ACL (access control list) based on TCAM (ternary content addressable memory) resource binding
CN108259504A (en) * 2018-01-30 2018-07-06 盛科网络(苏州)有限公司 It is a kind of based on group realize accesses control list a method and device
CN109088894B (en) * 2018-10-25 2021-04-06 新华三技术有限公司合肥分公司 ACL (access control list) issuing method and network equipment

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1863142A (en) * 2005-08-19 2006-11-15 华为技术有限公司 Method for providing different service quality tactics to data stream
US20090125470A1 (en) * 2007-11-09 2009-05-14 Juniper Networks, Inc. System and Method for Managing Access Control Lists
CN102857510A (en) * 2012-09-18 2013-01-02 杭州华三通信技术有限公司 Method and device for issuing ACL (access control list) items

Also Published As

Publication number Publication date
CN112073357A (en) 2020-12-11

Similar Documents

Publication Publication Date Title
EP2597829A1 (en) Method and apparatus for managing MAC address table
US8627448B2 (en) Selective invalidation of packet filtering results
EP3258657B1 (en) Ip route caching with two search stages on prefix length
CN108259328B (en) Message forwarding method and device
US20160065452A1 (en) Protection against rule map update attacks
WO2018001020A1 (en) Aggregated link based message forwarding method and device
US9001839B2 (en) Communication control device and method
WO2020248675A1 (en) Access control list issuing method and device
US20140133309A1 (en) Method and Apparatus for Sending Packet
WO2021115160A1 (en) Acl rule management method and apparatus, computer device, and computer readable medium
CN104333882A (en) Wireless network traffic control method
CN112015575A (en) Message processing method, device and related equipment
WO2021027645A1 (en) Method for sending network message, device and network processor
CN111224964A (en) Access control method and device
Lee et al. Improving bloom filter forwarding architectures
US20170295097A1 (en) System and method for creating session entry
CN106357688B (en) A kind of method and apparatus for defending ICMP flood attack
CN107528782A (en) A kind of update method, device and the TCAM of TCAM list items
CN112291310B (en) Method and device for counting connection number
CN111327543A (en) Message forwarding method and device, storage medium, and electronic device
WO2021254079A1 (en) Method for issuing route in campus network, and network device
CN113890855A (en) Message forwarding method, system, equipment and medium
CN111131197B (en) Filtering strategy management system and method thereof
TW201828084A (en) User log storage method and apparatus capable of effectively avoiding the problem of disordered logs and ensuring the orderliness of the entire cloud platform log system
CN114035752A (en) Urban carbon neutralization data processing system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20823617

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20823617

Country of ref document: EP

Kind code of ref document: A1

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205 DATED 13/05/2022)