CN-122027243-A - Processing method of access control list, electronic equipment and computer program product

Abstract

The application discloses a processing method of an access control list, electronic equipment and a computer program product, and belongs to the field of data processing. The method comprises the steps of setting a rule logic table and a rule physical table, wherein the table entry structures of the rule logic table and the rule physical table are consistent, determining and executing logic table entry operations required for updating the rule logic table from a current state to a target state based on the table entry structure of the rule logic table in response to the change of an access control list, generating an operation instruction sequence according to the logic table entry operations, wherein instructions in the operation instruction sequence are used for executing corresponding physical table entry operations on the rule physical table, and sending the operation instruction sequence to complete updating of the rule physical table.

Inventors

  • ZHU LINGYUN
  • WU WEI

Assignees

  • 中兴通讯股份有限公司

Dates

Publication Date
20260512
Application Date
20260122

Claims (11)

  1. A method for processing an access control list, applied to a network device, comprising the steps of: setting a rule logic table and a rule physical table, wherein the table entry structures of the rule logic table and the rule physical table are consistent; determining and executing a logic table entry operation required for updating the rule logic table from a current state to a target state based on the table entry structure of the rule logic table in response to a change of the access control list; generating an operation instruction sequence according to the logical table item operation, wherein an instruction in the operation instruction sequence is used for executing corresponding physical table item operation on the rule physical table; and sending the operation instruction sequence to finish updating the rule physical table.
  2. The method of claim 1, wherein the consistent table entry structure of the rule logical table and rule physical table comprises consistent table entry ordering and/or consistent field mapping.
  3. The method of claim 1, wherein the sequence of operation instructions directly performs the physical table entry operation on the rule physical table through a specific instruction interface.
  4. The method of claim 3, wherein the physical table entry operation comprises at least one of: write operations to physical memory cells; a purge operation of the physical memory location.
  5. The method of claim 1, wherein the determining and performing logic entry operations required to update the rule logic table from a current state to a target state based on an entry structure of the rule logic table in response to a change in an access control list comprises the steps of: receiving a configuration information table corresponding to the change of the access control list, wherein the configuration information table comprises an update mode mark; determining the logical entry operation in an incremental update manner in response to the update mode flag indicating an incremental update; and executing the logic table item operation to update the rule logic table.
  6. The method of claim 5, wherein said determining the logical entry operation in an incremental update manner responsive to the update mode being marked as indicating an incremental update comprises the steps of: obtaining an insertion position mark of the newly added rule entry from the configuration information table; determining a target insertion position in the rule logic table according to the insertion position mark; calculating an existing table item and a moving path thereof which need to be moved for inserting the new rule entry based on a minimum moving algorithm under the condition that the target inserting position is occupied; and determining the logical table entry operation according to the existing table entry needing to be moved and the moving path thereof.
  7. The method of claim 5, wherein the configuration information table further comprises an end marker; the determining the logical entry operation in an incremental update manner in response to the update mode flag indicating an incremental update includes the steps of: caching the received configuration information tables until the ending mark is identified; taking all the cached configuration information tables as the same processing batch; based on the same processing batch, determining the logic table entry operation required by all the newly added rule entries.
  8. The method of claim 5, wherein the logical entry operation is configured such that, in the sequence of operation instructions generated therefrom, write operation instructions corresponding to all new added rule entries are arranged before clear operation instructions of all replaced rule entries.
  9. The method according to claim 1, characterized in that the method further comprises the steps of: in response to a plurality of non-contiguous free physical storage locations in the storage space of the rule physical table, determining a logical entry operation for moving at least one entry from one physical storage location to another physical storage location.
  10. An electronic device comprising a processor and a memory storing a program or instructions executable on the processor, which when executed by the processor, implement the steps of the method of processing an access control list according to any one of claims 1 to 9.
  11. A computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, cause the computer to perform the steps of the method of processing an access control list according to any of claims 1 to 9.
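
The insert path of claims 1 and 6, sketched in Python as an added example that is not code from the patent or its applicant: the logical table computes the shifts, and the same instruction sequence replayed on an identically ordered physical table reaches the same state with no recalculation, while a replay check confirms that no existing rule is ever absent mid-update. The nearest-free-slot shift strategy, the `WRITE` tuple format, the function names and the sample rules are assumptions; the page does not define its minimum moving algorithm or instruction interface.

```python
# Added example (not from the patent): logical/physical ACL tables with identical layout.
# Slot index = match priority (0 is matched first); None marks a free slot.

def plan_insert(logic, pos, rule):
    """Insert `rule` just before the entry now at `pos` and update `logic` in place.

    Returns the instruction sequence for the physical table. Assumed strategy:
    shift the occupied run between `pos` and the nearest free slot by one slot.
    """
    free = [i for i, r in enumerate(logic) if r is None]
    if not free:
        raise ValueError("rule table is full")
    hole = min(free, key=lambda i: abs(i - pos))
    instrs = []
    if hole >= pos:   # free slot below: copy the run downwards, last entry first
        instrs += [("WRITE", i, logic[i - 1]) for i in range(hole, pos, -1)]
        slot = pos
    else:             # free slot above: copy the run upwards, first entry first
        instrs += [("WRITE", i, logic[i + 1]) for i in range(hole, pos - 1)]
        slot = pos - 1
    instrs.append(("WRITE", slot, rule))
    for _, i, r in instrs:                      # apply the same operations to the logical table
        logic[i] = r
    return instrs

def transient_gaps(physical, instrs, must_hold):
    """Replay `instrs` on `physical`; return the steps after which a required rule is missing."""
    gaps = []
    for step, (_, i, r) in enumerate(instrs, 1):
        physical[i] = r
        if not must_hold <= set(physical):
            gaps.append(step)
    return gaps

def demo():
    # Constructed sample rules, not taken from the page.
    logic = ["deny tcp any any eq 23", "permit tcp 10.0.0.0/8 any eq 443",
             "deny ip any any", None]
    physical = list(logic)                      # same entry ordering as the logical table
    existing = {r for r in logic if r is not None}
    instrs = plan_insert(logic, 1, "deny udp any any eq 161")
    gaps = transient_gaps(physical, instrs, existing)
    return logic, physical, instrs, gaps

if __name__ == "__main__":
    logic, physical, instrs, gaps = demo()
    for ins in instrs:
        print(ins)
    print("tables equal:", logic == physical, "| transient gaps:", gaps)
```

Replaying the shift writes in the opposite order overwrites an entry before it has been copied, and `transient_gaps` reports the step at which that rule is missing from the physical table.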

Description

Processing method of access control list, electronic equipment and computer program product

Technical Field

The present application relates to the field of data processing, and in particular, to a method for processing an access control list, an electronic device, and a computer program product.

Background

In the access control list (Access Control List, ACL) processing of the existing network device, a rule logic table maintained by a software processing layer and a rule physical table maintained by a hardware processing layer adopt different table entry structures and ordering algorithms, and structural differences exist between the two. When ACL service is changed, the software processing layer adjusts the logic table item by item according to the algorithm of the software processing layer and then issues the logic table item by item to the hardware processing layer, and the hardware processing layer needs to recalculate and execute additional shifting and integration operations according to the independent table structure of the hardware processing layer, so that a great amount of redundant shifting actions and performance loss exist in the updating process, and the response speed and the network stability of service change are affected.

Disclosure of Invention

The embodiment of the application provides a processing method of an access control list, electronic equipment and a computer program product, which can solve the problems of a large number of redundant moving actions and performance loss of a hardware processing layer in the related technology.

In order to solve the technical problems, the application is realized as follows:

In a first aspect, a method for processing an access control list is provided, which is applied to a network device, and includes the following steps: setting a rule logic table and a rule physical table, wherein the table entry structures of the rule logic table and the rule physical table are consistent; determining and executing a logic table entry operation required for updating the rule logic table from a current state to a target state based on the table entry structure of the rule logic table in response to a change of the access control list; generating an operation instruction sequence according to the logical table item operation, wherein an instruction in the operation instruction sequence is used for executing corresponding physical table item operation on the rule physical table; and sending the operation instruction sequence to finish updating the rule physical table.

In a second aspect, an electronic device is provided, the electronic device comprising a processor and a memory storing a program or instructions executable on the processor, which when executed by the processor, implement the steps of the method of processing an access control list as described above.

In a third aspect, a computer program product is provided, the computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, cause the computer to perform the steps of the method of processing an access control list as described above.

With the access control list processing method, electronic equipment and computer program product provided by the embodiment of the application, setting a rule logic table and a rule physical table with consistent table entry structures means that the extra moving and conversion work of the hardware processing layer caused by differing table entry structures can be avoided, and the performance loss in the ACL updating process can be reduced. When the software processing layer responds to an ACL change, the logic table operation is determined and executed directly on the rule logic table, and the corresponding operation instruction sequence is generated synchronously and sent to the hardware processing layer, so that the hardware processing layer can directly execute the corresponding physical table operation without independent calculation. Software and hardware updates are thus coordinated efficiently, which shortens the table update time when ACL service is changed, reduces the risk of flow interruption caused by update delay, and enhances the service stability and reliability of network equipment under high-load and high-capacity ACL scenes.

It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application as claimed.

Drawings

The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application.

FIG. 1 illustrates a hierarchical schematic of prior art ACL traffic processing; FIG.