CN-122027319-A - ACL rule matching method and device based on prefix index
Abstract
The application relates to an ACL rule matching method and device based on prefix indexes. The method comprises: obtaining matching field information of a packet, the matching field information including an address field; performing a step-by-step matching operation in a pre-constructed prefix index structure based on the matching field information; obtaining, during the step-by-step matching, the candidate ACL rules associated with the index nodes visited; and determining a target ACL rule from the candidate ACL rules as the matching result according to a preset matching priority policy. The method and device turn ACL rule matching into a step-by-step search along an index path, so that the matching cost no longer grows linearly with the number of rules.
Inventors
- SUN ZHICHAO
- ZHANG NING
- ZHANG QIAN
- FANG QIAN
- ZHANG CHENG
- CHEN JIANGYUAN
- MA WEIQI
- YANG CHEN
- XUE BOXUAN
Assignees
- 杭州迪普信息技术有限公司
Dates
- Publication Date: 2026-05-12
- Application Date: 2026-03-06
Claims (10)
- 1. An ACL rule matching method based on prefix indexes, characterized by comprising the following steps: acquiring matching field information of a packet, wherein the matching field information comprises an address field; performing a step-by-step matching operation in a pre-constructed prefix index structure based on the matching field information; during the step-by-step matching, acquiring the candidate ACL rules associated with the index nodes; and determining a target ACL rule from the candidate ACL rules as the matching result according to a preset matching priority policy.
- 2. The method of claim 1, further comprising: acquiring an ACL rule to be added; locating the corresponding index path in the prefix index structure according to the matching field and prefix length of the ACL rule to be added; when no corresponding index node exists on the index path, generating index nodes step by step along the index path; and adding identification information of the ACL rule to the index node corresponding to its prefix length.
- 3. The method of claim 2, further comprising: before writing the ACL rule into the prefix index structure, checking the number of existing ACL rules that have a prefix inclusion relation with the ACL rule.
- 4. The method of claim 3, wherein checking the number of existing ACL rules that have a prefix inclusion relation with the ACL rule comprises: traversing the index path corresponding to the prefix length of the ACL rule and counting the ACL rules recorded on that index path; and when the number of recorded ACL rules exceeds a preset threshold, judging that the check of the ACL rule fails.
- 5. The method of claim 1, further comprising: acquiring each configured ACL rule, wherein the ACL rule comprises an IP address and a mask length; starting from the root node of the prefix index structure, creating index nodes layer by layer according to the bits within the prefix length of the IP address; and storing identification information of the ACL rule in the index node.
- 6. The method of claim 5, wherein the prefix index structure is a tree index structure, index nodes at different levels correspond to different prefix lengths of the matching field, and the parent-child relations between nodes represent the prefix inclusion relations between ACL rules.
- 7. The method of claim 1, wherein acquiring the candidate ACL rules associated with the index nodes during the step-by-step matching comprises: traversing a plurality of index nodes along the index path corresponding to the matching field information; and acquiring the ACL rules held in those index nodes as candidate ACL rules.
- 8. The method of claim 1, wherein determining a target ACL rule from the candidate ACL rules as the matching result according to a preset matching priority policy comprises: determining the ACL rule with the longest prefix length among the candidate ACL rules as the target ACL rule.
- 9. An ACL rule matching device based on prefix indexes, comprising: an information module for acquiring matching field information of a packet, wherein the matching field information comprises an address field; a matching module for performing a step-by-step matching operation in a pre-constructed prefix index structure based on the matching field information; a rule module for acquiring the candidate ACL rules associated with the index nodes during the step-by-step matching; and a result module for determining a target ACL rule from the candidate ACL rules as the matching result according to a preset matching priority policy.
- 10. The device of claim 9, further comprising: an adding module for acquiring an ACL rule to be added, locating the corresponding index path in the prefix index structure according to the matching field and prefix length of the ACL rule to be added, generating index nodes step by step along the index path when no corresponding index node exists on the index path, and adding identification information of the ACL rule to the index node corresponding to its prefix length.
Description
Technical Field
The application relates to the field of computer information processing, in particular to an ACL rule matching method and device based on prefix indexes.
Background
When a network device processes data, it generally has to identify and filter the packets it receives, and access control rules are configured according to the user's service requirements so that packets are permitted, dropped, or handled by some other policy action. Access control rules are generally matched on the address information of the packet, and different matching conditions correspond to different rule configurations. In practical service scenarios, fine-grained control is usually achieved with longest-prefix matching on the address: the match item of each rule is a network segment, commonly expressed as an IP address together with a mask length. To avoid the management complexity and resource consumption caused by an excessive number of rules standing in a prefix inclusion relation, an upper limit is generally placed on the number of such rules, that is, at most a preset number of rules may be configured for network segments that contain one another. Under this rule model, network devices generally separate the control plane from the forwarding plane: the control plane adds, deletes, queries and maintains the rule table, and the forwarding plane matches and forwards packets according to the rule table issued by the control plane.
As services scale up, the number of rules grows rapidly and can reach the million level, which places higher demands on rule loading and management efficiency. In the prior art, storage and lookup of large rule sets is often handled with a hash-based rule management scheme. However, whenever a rule is added or updated, the number of existing rules that have a prefix inclusion relation with the new rule must be verified. A hash structure cannot express the prefix hierarchy, so this check amounts to traversing the table, and in a multiprocessor environment the hash buckets usually have to be locked to keep the data consistent and correct; rule traversal and verification are therefore costly. A new prefix-index-based ACL rule matching method and device are needed. The information disclosed in this Background section is provided only to aid understanding of the background of the application, and may therefore contain information that does not form prior art already known to a person of ordinary skill in the art.
Disclosure of Invention
In view of this, the application provides a prefix-index-based ACL rule matching method and device that turn ACL rule matching into a step-by-step search along an index path, so that matching performance no longer degrades linearly with the number of rules, and that determine the number of rules in a prefix inclusion relation without a full-table scan, markedly reducing the time complexity and system resource consumption of rule management while keeping the rule configuration correct.
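The following Python sketch is an added illustration of the scheme described in claims 1 to 8 and in the Background and Disclosure above; it is not code from the patent or its assignee. It builds a binary trie over the address bits so that depth equals prefix length (claim 6), collects candidate rules along the lookup path and takes the longest prefix as the target (claims 1, 7, 8), and performs the claim-4 inclusion check by counting the rules on the insertion path rather than scanning the table. The cap `max_nested`, the rule identifiers and the sample rule set are constructed for the example. The patent does not say how rules of the same segment are ordered, so the first configured rule is taken here. The brute-force counter over a flat dictionary stands in for the full scan a hash-keyed table needs for the same check, and is there only to confirm that the trie walk yields the same count.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Node:
    """One index node; its depth in the trie is the prefix length (claim 6)."""
    rules: List[str] = field(default_factory=list)             # rule IDs ending here
    children: Dict[int, "Node"] = field(default_factory=dict)  # next bit -> child


def _path_bits(addr: int, width: int, length: int) -> List[int]:
    """First `length` bits of `addr` (`width` bits wide), most significant first."""
    return [(addr >> (width - 1 - i)) & 1 for i in range(length)]


class PrefixIndex:
    def __init__(self, max_nested: int) -> None:
        # max_nested is a hypothetical cap on rules sharing one prefix-inclusion chain
        self.roots = {4: Node(), 6: Node()}  # one trie per address family
        self.max_nested = max_nested

    def count_on_path(self, cidr: str) -> int:
        """Claim 4: count the rules recorded on the index path of `cidr`, i.e. rules
        whose segment equals or contains it. Cost is bounded by the prefix length."""
        net = ipaddress.ip_network(cidr, strict=True)
        node = self.roots[net.version]
        total = len(node.rules)
        for bit in _path_bits(int(net.network_address), net.max_prefixlen, net.prefixlen):
            node = node.children.get(bit)
            if node is None:
                break
            total += len(node.rules)
        return total

    def add_rule(self, cidr: str, rule_id: str) -> bool:
        """Claims 2-4: run the inclusion check, then create nodes along the path as
        needed and record the rule ID at the node of its prefix length."""
        if self.count_on_path(cidr) + 1 > self.max_nested:
            return False  # check fails: the chain would exceed the cap
        net = ipaddress.ip_network(cidr, strict=True)
        node = self.roots[net.version]
        for bit in _path_bits(int(net.network_address), net.max_prefixlen, net.prefixlen):
            node = node.children.setdefault(bit, Node())
        node.rules.append(rule_id)
        return True

    def match(self, address: str) -> Tuple[List[str], Optional[str]]:
        """Claims 1, 7, 8: walk the address bit by bit, collect every rule met as a
        candidate, return the deepest (longest prefix) as target. The patent gives no
        order for rules of one segment; the first configured one is taken here."""
        addr = ipaddress.ip_address(address)
        node = self.roots[addr.version]
        candidates: List[str] = list(node.rules)
        target = node.rules[0] if node.rules else None
        for bit in _path_bits(int(addr), addr.max_prefixlen, addr.max_prefixlen):
            node = node.children.get(bit)
            if node is None:
                break  # no longer prefix is configured below this point
            candidates.extend(node.rules)
            if node.rules:
                target = node.rules[0]
        return candidates, target


def count_on_path_bruteforce(table: Dict[str, str], cidr: str) -> int:
    """Same count over a flat (hash-keyed) rule table: one full scan per check."""
    net = ipaddress.ip_network(cidr)
    nets = (ipaddress.ip_network(c) for c in table)
    return sum(1 for n in nets if n.version == net.version and n.supernet_of(net))


# Constructed sample rules; the fourth one is the fourth member of the inclusion
# chain 10/8 > 10.1/16 > 10.1.2/24 > 10.1.2.128/25 and is rejected at cap 3.
SAMPLE_RULES = [
    ("10.0.0.0/8", "permit-corp"),
    ("10.1.0.0/16", "deny-lab"),
    ("10.1.2.0/24", "permit-jump"),
    ("10.1.2.128/25", "deny-guest"),
    ("192.168.0.0/16", "permit-home"),
]


def build_demo(max_nested: int = 3):
    """Load SAMPLE_RULES into a trie and a flat table; return both and the verdicts."""
    idx = PrefixIndex(max_nested)
    table: Dict[str, str] = {}
    accepted: Dict[str, bool] = {}
    for cidr, rule_id in SAMPLE_RULES:
        accepted[rule_id] = idx.add_rule(cidr, rule_id)
        if accepted[rule_id]:
            table[cidr] = rule_id
    return idx, table, accepted


if __name__ == "__main__":
    idx, table, accepted = build_demo()
    print(accepted)                 # deny-guest is False, the others True
    print(idx.match("10.1.2.200"))  # (['permit-corp', 'deny-lab', 'permit-jump'], 'permit-jump')
    print(idx.count_on_path("10.1.2.128/25"), count_on_path_bruteforce(table, "10.1.2.128/25"))  # 3 3
```

Note that the claimed check walks only the path to the new rule's own node, so it counts the rules whose segments equal or contain the new segment; rules for narrower segments already below that node are not on the path and are not counted by this walk. Raising `max_nested` to 4 admits `deny-guest`, which then wins the lookup for 10.1.2.200 as the longest prefix.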
Other features and advantages of the application will become apparent from the following detailed description, or may be learned by practising the application. According to one aspect of the application, an ACL rule matching method based on prefix indexes is provided, comprising: obtaining matching field information of a packet, wherein the matching field information comprises an address field; performing a step-by-step matching operation in a pre-constructed prefix index structure based on the matching field information; obtaining, during the step-by-step matching, the candidate ACL rules associated with the index nodes; and determining a target ACL rule from the candidate ACL rules as the matching result according to a preset matching priority policy. In an exemplary embodiment of the application, the method further comprises: obtaining an ACL rule to be added; locating the corresponding index path in the prefix index structure according to the matching field and prefix length of the ACL rule to be added; generating index nodes step by step along the index path when no corresponding index node exists on it; and adding identification information of the ACL rule to the index node corresponding to its prefix length. In an exemplary embodiment of the application, the method further comprises checking a number of existing AC