
CN115460148B - A method and network device for configuring ACL rules and matching messages - Google Patents


Info

Publication number: CN115460148B
Application number: CN202211049123.5A
Authority: CN (China)
Other versions: CN115460148A (application publication)
Original language: Chinese (zh)
Inventor: 杨逸
Current and original assignee: New H3C Technologies Co Ltd Hefei Branch
Legal status: Active (granted)

Classifications

    • H: Electricity > H04: Electric communication technique > H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 45/00: Routing or path finding of packets in data switching networks
    • H04L 45/30: Routing of multiclass traffic
    • H04L 45/54: Organization of routing tables
    • H04L 45/74: Address processing for routing
    • H04L 45/745: Address table lookup; address filtering


Abstract

This specification provides a method and a network device for configuring ACL rules and matching packets. The method comprises: obtaining a target ACL rule to be installed and the value of the target port number that the rule specifies; determining whether that value is an exact value or a range value; if it is a range value, obtaining the corresponding range code from a range database and building a TCAM entry from it; or, if it is an exact value, building the TCAM entry from the exact value. With this method an ACL rule covering one or more port ranges occupies only a single TCAM entry, which greatly reduces TCAM storage consumption.

Description

Method for configuring ACL rules and matching packets, and network device
Technical Field
The present disclosure relates to the field of communications technology, and in particular to a method and a network device for configuring ACL rules and matching packets.
Background
Core nodes of a communication network have extremely demanding packet-forwarding performance requirements; forwarding at hundreds of gigabits or even terabits per second is difficult to reach with a software forwarding model alone.
A TCAM (ternary content addressable memory) chip serves as the hardware acceleration engine for ACL lookup and has essentially become a required component of high-end routing and switching devices.
As shown in FIG. 1, in a typical TCAM-based packet forwarding architecture the CPU running software forms the control plane, while the packet processing engine and the TCAM engine together form the data plane. The control plane delivers the relevant table entries to the packet processing engine and delivers the ACL to the TCAM engine. A packet entering the device is handled by the packet processing engine; where ACL lookup is involved, the engine builds a lookup key, passes it to the TCAM engine, completes processing of the packet according to the result returned by the TCAM engine, and then forwards it.
Disclosure of Invention
Embodiments of the disclosure provide a method for configuring ACL rules and matching packets, and a network device. With this method an ACL rule covering one or more port ranges occupies only a single TCAM entry, which greatly reduces TCAM storage consumption.
Embodiments of the disclosure provide a method for configuring ACL rules, comprising the following steps:
obtaining a target ACL rule to be installed, and obtaining the value of the target port number corresponding to the target ACL rule;
determining whether the value of the target port number is an exact value or a range value;
if it is a range value, obtaining the corresponding range code from a range database and building a TCAM entry;
or, if it is an exact value, building the TCAM entry from the exact value.
The method further comprises building the range database, which holds the correspondence between port-number segments and range codes.
When the value of the target port number is a range value, the target range code corresponding to that range value is obtained from the range database;
the target range code is then transcoded to obtain a first code value, which is used as the port-field range value of the TCAM entry, while the port-field exact value of the entry is set to a mask (all bits don't-care).
When the value of the target port number is an exact value, the exact value is transcoded to obtain a second code value, which is used as the port-field exact value of the TCAM entry, while the port-field range value of the entry is set to a mask.
The target port number is either a source port number or a destination port number.
With these embodiments, when a TCAM entry is installed for an ACL rule, the entry is built according to the value of the rule's target port number, and ACL rules whose ports fall in the same range can be installed into the same TCAM entry, which greatly saves TCAM storage.
Embodiments of the disclosure also provide a TCAM-based method for matching packets, comprising the following steps:
receiving a first packet and obtaining a first port number of the first packet;
querying the range database with the first port number to obtain the corresponding first range code, transcoding the first range code to obtain a third code value, and transcoding the first port number to obtain a fourth code value;
matching the third code value and/or the fourth code value against the TCAM entries to obtain the matching ACL rule;
where each TCAM entry comprises a port-field range value and a port-field exact value, the port-field range value being determined from the port range value corresponding to the ACL rule and the port-field exact value being determined from the port exact value corresponding to the ACL rule.
Embodiments of the disclosure also provide a network device that supports TCAM-based ACL matching, comprising:
an acquisition module for obtaining a target ACL rule to be installed and obtaining the value of the target port number corresponding to the target ACL rule;
a judgement module for determining whether the value of the target port number is an exact value or a range value;
a processing module for obtaining the corresponding range code from the range database and building a TCAM entry if the judgement module determines that the value is a range value;
or, if it is an exact value, building the TCAM entry from the exact value.
The processing module is further configured to build the range database, which holds the correspondence between port-number segments and range codes.
The processing module is specifically configured, when the judgement module determines that the value is a range value, to obtain the range value of the target port number, obtain from the range database the target range code corresponding to that range value, transcode the target range code to obtain a first code value, use the first code value as the port-field range value of the TCAM entry, and use a mask as the port-field exact value of the TCAM entry.
The processing module is specifically configured, when the judgement module determines that the value is an exact value, to transcode the exact value to obtain a second code value, use the second code value as the port-field exact value of the TCAM entry, and use a mask as the port-field range value of the TCAM entry.
Embodiments of the disclosure also provide a network device comprising:
an acquisition module for receiving a first packet and obtaining a first port number of the first packet;
a query module for querying a range database with the first port number to obtain the corresponding first range code, transcoding the first range code to obtain a third code value, and transcoding the first port number to obtain a fourth code value;
a processing module for matching the third code value and/or the fourth code value against the TCAM entries to obtain the matching ACL rule;
where each TCAM entry comprises a port-field range value and a port-field exact value, the port-field range value being determined from the port range value corresponding to the ACL rule and the port-field exact value being determined from the port exact value corresponding to the ACL rule.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the specification and together with the description, serve to explain the principles of the specification.
Fig. 1 is a schematic diagram of a TCAM-chip-based packet forwarding architecture according to an embodiment of the present disclosure.
Fig. 2 is a logic diagram of a method for configuring ACL rules according to an embodiment of the present disclosure.
Fig. 3 is a schematic diagram of an architecture in which an additional range-code field is added to the ACL key, according to an embodiment of the present disclosure.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations consistent with the present specification. Rather, they are merely examples of apparatus and methods consistent with some aspects of the present description as detailed in the accompanying claims.
The terminology used in the description presented herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the description. As used in this specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in this specification to describe various information, the information is not limited by these terms, which serve only to distinguish one kind of information from another. For example, first information may also be called second information, and second information may likewise be called first information, without departing from the scope of the present description. The word "if" as used herein may be read as "upon", "when", or "in response to determining", depending on context.
In current TCAM-based ACL matching, a range must first be converted into several prefixes, and a key that matches any one of those prefixes is treated as a hit.
For example, if an ACL rule R is concerned with packets whose TCP destination port lies in [100,150], rule R has to be expanded into 7 sub-rules, whose destination ports are converted into the prefixes shown in Table 1 (written as 8-bit values for brevity; '*' is a don't-care bit):

Sub-range     Corresponding prefix
[100,103]     0110 01**
[104,111]     0110 1***
[112,127]     0111 ****
[128,143]     1000 ****
[144,147]     1001 00**
[148,149]     1001 010*
[150,150]     1001 0110
TABLE 1

Because TCAM capacity is limited, expanding one ACL rule into many prefixes has a significant impact on usable chip capacity. For a 16-bit port number the worst case is 30 prefixes (2w-2 for a w-bit field), and if both the source port and the destination port are ranges a single rule expands into up to 30×30 = 900 entries, so the number of ACL rules with ranges that a TCAM chip can hold drops drastically.
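The prefix expansion that Table 1 illustrates is the standard split of an integer range into the fewest aligned power-of-two blocks. The Python below is an added illustration and not part of the patent: it implements that expansion for a port field of configurable width, re-derives Table 1 for [100,150] at 8-bit width, and counts the worst case for a full 16-bit port field. The function names and the 8-bit rendering are this example's own choices.

```python
from typing import List, Tuple


def range_to_prefixes(lo: int, hi: int, width: int = 16) -> List[Tuple[int, int]]:
    """Split the closed range [lo, hi] of a width-bit field into the minimal
    list of aligned power-of-two blocks, each returned as (value, prefix_len).

    A block of 2**k values starting at a multiple of 2**k is exactly one
    ternary prefix: the top (width - k) bits fixed, the low k bits wildcarded.
    Greedily taking the largest aligned block that still fits at the current
    position yields the minimal expansion.
    """
    if not (0 <= lo <= hi < (1 << width)):
        raise ValueError(f"[{lo},{hi}] is not a valid {width}-bit range")
    prefixes: List[Tuple[int, int]] = []
    cur = lo
    while cur <= hi:
        size = 1
        # Grow the block while it stays aligned and still fits inside [cur, hi].
        while cur % (size * 2) == 0 and cur + size * 2 - 1 <= hi:
            size *= 2
        wildcard_bits = size.bit_length() - 1
        prefixes.append((cur, width - wildcard_bits))
        cur += size
    return prefixes


def prefix_to_ternary(value: int, prefix_len: int, width: int = 16) -> str:
    """Render (value, prefix_len) as a ternary bit string, '*' for don't-care."""
    bits = format(value, f"0{width}b")
    return bits[:prefix_len] + "*" * (width - prefix_len)


def table1() -> List[str]:
    """Re-derive the seven 8-bit prefixes that Table 1 lists for [100,150]."""
    return [prefix_to_ternary(v, n, 8) for v, n in range_to_prefixes(100, 150, 8)]


def worst_case_count(width: int = 16) -> int:
    """Size of the expansion of [1, 2**width - 2], the worst case for a
    width-bit field (2*width - 2 prefixes)."""
    return len(range_to_prefixes(1, (1 << width) - 2, width))


if __name__ == "__main__":
    for v, n in range_to_prefixes(100, 150, 8):
        print(f"{prefix_to_ternary(v, n, 8)}  covers [{v},{v + (1 << (8 - n)) - 1}]")
    print("worst case, one 16-bit port range:", worst_case_count(16), "prefixes")
    print("worst case, both ports ranges:", worst_case_count(16) ** 2, "entries")
```

Running it prints the seven rows of Table 1 and 30 for the single-port worst case, so a rule with ranges on both ports can consume 900 TCAM entries before the method described next is applied.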
To solve the above technical problem, an embodiment of the present disclosure provides a method for configuring ACL rules, as shown in FIG. 2, comprising:
S201, obtaining a target ACL rule to be installed, and obtaining the value of the target port number corresponding to the target ACL rule;
S202, determining whether the value of the target port number is an exact value or a range value;
S203, if it is a range value, obtaining the corresponding range code from a range database and building a TCAM entry;
S204, or, if it is an exact value, building the TCAM entry from the exact value.
With this method, encoding the range field of the ACL greatly reduces the TCAM space occupied by ACL rules that contain ranges.
In this embodiment the method may be applied to a network device such as a switch, a router or a server, and in particular to our company's core routers and core switches.
By analysing ACL rule sets actually installed in practice, the inventor found that M ACL rules refer to only N distinct port-number ranges, with M far larger than N: for example, 100K ACL rules may reference only 1K port ranges or even fewer.
For example, rule 1 is concerned with UDP packets whose destination port is in [100,150] and rule 2 with TCP packets whose destination port is in [100,150]; the port range is the same for both rules.
As another example, rule 1 is concerned with UDP packets to destination IP 1.1.1 with destination port in [100,150], and rule 2 with UDP packets to destination IP 2.2.2 with destination port in [100,150].
In both cases the mapping from ACL rules to port-number ranges is many-to-one, so the disclosure builds a separate range database for each kind of range (the construction is not limited by the invention; an array or an interval tree may be used, and an array is used in the examples below).
In step S201, after the target ACL rule to be installed is obtained, the value of the target port number corresponding to that rule, i.e. the port-number value the rule is concerned with, is obtained; the target port number may be a source port number or a destination port number.
In general the target port number of the target ACL rule may be a range value (for example [100,150] in the embodiment above) or an exact value, for example port 128 or port 256.
In step S202 it is determined whether the target port number of the target ACL rule is an exact value or a range value.
If it is a range value, step S203 is performed.
In this embodiment a range database is also built in the device. It holds the correspondence between port-number segments and range codes, as shown in Table 2:

Port-number segment    Range code
[100,150]              001
[160,200]              002
[210,240]              003
TABLE 2

The port-number segment is what a rule's range value is matched against.
To handle the case where exact port values and port ranges coexist, an additional range-code field is added to the ACL key, as shown in FIG. 3.
In step S203, once the value of the target port number is determined to be a range value, the corresponding range code is obtained from the range database and transcoded.
For example, if ACL rule R1 to be installed has destination port [100,150], looking up Table 2 in the range database gives range code 001; transcoding 001 gives the first code value 0x0001, and a TCAM entry is built. In this embodiment a TCAM entry comprises a port-field exact value and a port-field range value; here 0x0001 is used as the port-field range value and the port-field exact value is set to a mask (all bits don't-care). An example entry is shown in Table 3:

Port-field range value    Port-field exact value
0x0001                    **** (mask)
TABLE 3

When the value of the target port number is determined to be an exact value, the exact value is transcoded to obtain a second code value, which is used as the port-field exact value of the TCAM entry, while the port-field range value is set to a mask.
For example, if ACL rule R2 to be installed has the exact destination port 128, the range database is not queried; 128 is transcoded to 0x00000080 and a TCAM entry is built in which the port-field range value is a mask and the port-field exact value is 0x00000080, as shown in Table 4:

Port-field range value    Port-field exact value
**** (mask)               0x00000080
TABLE 4

As another example, ACL rule R3 is installed with the exact destination port 256; again no range-database lookup is needed, and a TCAM entry is installed with the destination-port range code set to a mask and the destination-port exact value set to 0x00000100, as shown in Table 5:

Port-field range value    Port-field exact value
**** (mask)               0x00000100
TABLE 5

As the embodiments above show, with this solution there is no need to expand an ACL rule into several sub-rules and convert each sub-rule's destination port into a prefix. ACL rules with the same port number or the same port range can map to the same TCAM entry, so one TCAM entry serves several ACL rules and TCAM entry resources are greatly saved.
Based on the above embodiments, the disclosure further provides a TCAM-based method for matching packets, comprising:
receiving a first packet and obtaining a first port number of the first packet;
querying the range database with the first port number to obtain the corresponding first range code, transcoding the first range code to obtain a third code value, and transcoding the first port number to obtain a fourth code value;
matching the third code value and/or the fourth code value against the TCAM entries to obtain the matching ACL rule;
where each TCAM entry comprises a port-field range value and a port-field exact value, the port-field range value being determined from the port range value of the ACL rule and the port-field exact value from the port exact value of the ACL rule.
In this embodiment the first packet may be a TCP or UDP packet. After the network device receives it, the first port number (source or destination port, as preconfigured) is extracted; for convenience the destination port is used in the description below, and the source port is handled in the same way.
The first port number carried in a packet is an exact value. For example, if the first port number is 149, the range database is searched for the corresponding range code; Table 2 gives range code 001 for 149, so when the packet processing engine assembles the key for the TCAM engine it sets the destination-port range-code field to 0x0001 and the destination-port exact-value field to 0x00000095 (149). Since, per the embodiment above, ACL rule R1 corresponds to range code 001, the first packet is determined to match ACL rule R1.
In another embodiment, if the first port number carried in the first packet is 128, the range database lookup again returns range code 001 from Table 2; since, per the embodiment above, ACL rule R2 is also concerned with port 128, the rules matching the first packet are determined to be ACL rule R1 and ACL rule R2.
In another embodiment, if the first port number carried in the first packet is 256, the range database lookup finds no corresponding range code; since, per the embodiment above, port 256 corresponds to ACL rule R3, the rule matching the first packet is determined to be ACL rule R3.
The packet processing engine completes processing of the first packet according to the result returned by the TCAM engine and then forwards it.
As these embodiments show, with ACL rules installed according to steps S201-S204, received packets are processed without prefix expansion, and ACL rules whose ports fall in the same range segment are installed into the same TCAM entry, which greatly saves TCAM storage.
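Steps S201-S204 and the matching procedure above are two halves of one mechanism: the control plane allocates range codes and installs one TCAM entry per rule, and the data plane builds a key that carries both the packet's range code and its exact port. The Python below is an added example that models both halves end to end; it is not the patent's or H3C's code. It represents the range database as an array (as the text does), each TCAM entry as a (value, mask) pair per field, and uses rules R1, R2 and R3 from the text. Two choices are this example's own and not stated by the patent: range code 0 is reserved to mean "port is in no segment", and segments are required not to overlap, because a key with a single range-code field cannot express membership in two segments at once.

```python
from dataclasses import dataclass
from typing import List, Tuple, Union

FIELD_BITS = 16
FULL_MASK = (1 << FIELD_BITS) - 1   # every bit compared
DONT_CARE = 0                       # every bit wildcarded ("the mask" in the text)
NO_RANGE = 0                        # assumption: codes start at 1, 0 = no segment

PortSpec = Union[int, Tuple[int, int]]   # exact port, or inclusive (lo, hi)


@dataclass(frozen=True)
class AclRule:
    name: str
    dport: PortSpec


class RangeDatabase:
    """Table 2: port-number segment -> range code, array-based as in the text."""

    def __init__(self) -> None:
        self._segments: List[Tuple[int, int, int]] = []   # (lo, hi, code)

    def code_for(self, lo: int, hi: int) -> int:
        """Control plane: return the code for [lo, hi], allocating if new.
        Assumption of this example: segments must not overlap (see lead-in)."""
        for s_lo, s_hi, code in self._segments:
            if (s_lo, s_hi) == (lo, hi):
                return code
            if lo <= s_hi and s_lo <= hi:
                raise ValueError(f"[{lo},{hi}] overlaps segment [{s_lo},{s_hi}]")
        code = len(self._segments) + 1
        self._segments.append((lo, hi, code))
        return code

    def lookup(self, port: int) -> int:
        """Data plane: which segment does this exact port fall in, if any?"""
        for s_lo, s_hi, code in self._segments:
            if s_lo <= port <= s_hi:
                return code
        return NO_RANGE


@dataclass(frozen=True)
class TcamEntry:
    rule: str
    range_val: int
    range_mask: int
    exact_val: int
    exact_mask: int

    def hit(self, key_range: int, key_exact: int) -> bool:
        """Ternary compare: a field matches when all unmasked bits agree."""
        return ((key_range ^ self.range_val) & self.range_mask) == 0 and \
               ((key_exact ^ self.exact_val) & self.exact_mask) == 0


def build_entry(rule: AclRule, db: RangeDatabase) -> TcamEntry:
    """Steps S202-S204: one entry per rule, whichever port form it uses."""
    if isinstance(rule.dport, tuple):                   # range value: Table 3 shape
        code = db.code_for(*rule.dport)
        return TcamEntry(rule.name, code, FULL_MASK, 0, DONT_CARE)
    return TcamEntry(rule.name, 0, DONT_CARE, rule.dport, FULL_MASK)   # Table 4/5 shape


def build_tcam(rules: List[AclRule]) -> Tuple[List[TcamEntry], RangeDatabase]:
    db = RangeDatabase()
    return [build_entry(r, db) for r in rules], db


def build_key(db: RangeDatabase, dport: int) -> Tuple[int, int]:
    """What the packet processing engine hands to the TCAM engine:
    (third code value = range code of the port, fourth code value = the port)."""
    return db.lookup(dport), dport


def match_packet(entries: List[TcamEntry], db: RangeDatabase, dport: int) -> List[str]:
    """All matching rules in install order. A real TCAM returns only the
    first (highest-priority) hit; that would be the first name in this list."""
    key_range, key_exact = build_key(db, dport)
    return [e.rule for e in entries if e.hit(key_range, key_exact)]


# Rules from the text (constructed sample, not a real ACL).
EXAMPLE_RULES = [
    AclRule("R1", (100, 150)),   # destination port range -> range code 001
    AclRule("R2", 128),          # exact destination port -> 0x0080
    AclRule("R3", 256),          # exact destination port -> 0x0100
]


if __name__ == "__main__":
    entries, db = build_tcam(EXAMPLE_RULES)
    for e in entries:
        print(f"{e.rule}: range={e.range_val:#06x}/{e.range_mask:#06x} "
              f"exact={e.exact_val:#06x}/{e.exact_mask:#06x}")
    for port in (149, 128, 256, 155):
        print(f"dport {port}: key={build_key(db, port)} -> {match_packet(entries, db, port)}")
```

Port 149 matches only R1, port 128 matches R1 and R2 (the text's own example of an exact rule and a range rule hitting together), and port 256 matches only R3 with no range-database hit. One operational caveat follows directly from the design: a range rule can only match if the packet processing engine queries the same range database the entry was encoded against. If a segment is added, removed or renumbered on the control plane without the data-plane copy being updated, the key carries a stale or zero range code and the packet silently misses the rule, which for a deny rule is fail-open. The overlap check in code_for is the natural place to also enforce that invariant when segments change.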
Based on the above method embodiments, the disclosure further provides a network device that supports TCAM-based ACL matching, comprising:
an acquisition module for obtaining a target ACL rule to be installed and obtaining the value of the target port number corresponding to the target ACL rule;
a judgement module for determining whether the value of the target port number is an exact value or a range value;
a processing module for obtaining the corresponding range code from the range database and building a TCAM entry if the judgement module determines that the value is a range value;
or, if it is an exact value, building the TCAM entry from the exact value.
The processing module is further configured to build the range database, which holds the correspondence between port-number segments and range codes.
The processing module is specifically configured, when the judgement module determines that the value is a range value, to obtain the range value of the target port number, obtain from the range database the target range code corresponding to that range value, transcode the target range code to obtain a first code value, use the first code value as the port-field range value of the TCAM entry, and use a mask as the port-field exact value of the TCAM entry.
The processing module is specifically configured, when the judgement module determines that the value is an exact value, to transcode the exact value to obtain a second code value, use the second code value as the port-field exact value of the TCAM entry, and use a mask as the port-field range value of the TCAM entry.
Embodiments of the disclosure also provide a network device comprising:
an acquisition module for receiving a first packet and obtaining a first port number of the first packet;
a query module for querying a range database with the first port number to obtain the corresponding first range code, transcoding the first range code to obtain a third code value, and transcoding the first port number to obtain a fourth code value;
a processing module for matching the third code value and/or the fourth code value against the TCAM entries to obtain the matching ACL rule;
where each TCAM entry comprises a port-field range value and a port-field exact value, the port-field range value being determined from the port range value corresponding to the ACL rule and the port-field exact value being determined from the port exact value corresponding to the ACL rule.
The foregoing describes specific embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
Other embodiments of the present description will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This specification is intended to cover any variations, uses, or adaptations of the specification following, in general, the principles of the specification and including such departures from the present disclosure as come within known or customary practice within the art to which the specification pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the specification being indicated by the following claims.
It is to be understood that the present description is not limited to the precise arrangements and instrumentalities shown in the drawings, which have been described above, and that various modifications and changes may be made without departing from the scope thereof. The scope of the present description is limited only by the appended claims.
The foregoing description of the preferred embodiments is provided for the purpose of illustration only, and is not intended to limit the scope of the disclosure, since any modifications, equivalents, improvements, etc. that fall within the spirit and principles of the disclosure are intended to be included within the scope of the disclosure.

Claims (7)

1. A method for configuring access control list (ACL) rules, characterized in that the method comprises:
obtaining a target ACL rule to be installed, and obtaining the value of the target port number corresponding to the target ACL rule;
determining whether the value of the target port number is an exact value or a range value;
if it is a range value, obtaining the corresponding range code from a range database and building a ternary content addressable memory (TCAM) entry;
or, if it is an exact value, building a TCAM entry from the exact value;
wherein obtaining the corresponding range code from the range database and building the TCAM entry when the value is a range value comprises:
obtaining the range value of the target port number, and obtaining from the range database the target range code corresponding to that range value;
transcoding the target range code to obtain a first code value, using the first code value as the port-field range value of the TCAM entry, and using a mask as the port-field exact value of the TCAM entry;
wherein building the TCAM entry from the exact value when the value is an exact value comprises:
transcoding the exact value to obtain a second code value, using the second code value as the port-field exact value of the TCAM entry, and using a mask as the port-field range value of the TCAM entry.

2. The method according to claim 1, characterized in that the method further comprises: building the range database, the range database comprising the correspondence between port-number segments and range codes.

3. The method according to claim 1, characterized in that the target port number comprises a source port number or a destination port number.

4. A method for matching packets based on a ternary content addressable memory (TCAM), characterized in that the method comprises:
receiving a first packet and obtaining a first port number of the first packet;
querying a range database with the first port number to obtain the corresponding first range code, transcoding the first range code to obtain a third code value, and transcoding the first port number to obtain a fourth code value;
matching the third code value and/or the fourth code value against TCAM entries to obtain the matching access control list (ACL) rule;
wherein the TCAM entry comprises a port-field range value and a port-field exact value, the port-field range value being determined from the port range value corresponding to the ACL rule and the port-field exact value being determined from the port exact value corresponding to the ACL rule;
wherein, when the value of the target port number is a range value, the target range code corresponding to that range value is obtained from the range database, the target range code is transcoded to obtain a first code value, the first code value is used as the port-field range value of the TCAM entry, and a mask is used as the port-field exact value of the TCAM entry;
wherein, when the value of the target port number is an exact value, the exact value is transcoded to obtain a second code value, the second code value is used as the port-field exact value of the TCAM entry, and a mask is used as the port-field range value of the TCAM entry.

5. A network device, characterized in that the network device supports access control list (ACL) matching based on a ternary content addressable memory (TCAM), the network device comprising:
an acquisition module for obtaining a target ACL rule to be installed and obtaining the value of the target port number corresponding to the target ACL rule;
a judgement module for determining whether the value of the target port number is an exact value or a range value;
a processing module for, if the judgement module determines that it is a range value, obtaining the corresponding range code from a range database and building a TCAM entry;
or, if it is an exact value, building a TCAM entry from the exact value;
wherein the processing module is specifically configured, if the judgement module determines that it is a range value, to obtain the range value of the target port number, obtain from the range database the target range code corresponding to that range value, and transcode the
target range code, obtain a first code value, use the first code value as the port domain range value of the TCAM table entry, and use the mask as the port domain precise value of the TCAM table entry; 其中,所述处理模块,具体用于若判断模块确定是精准值时,将所述精准值进行编码转换,获得第二编码值,将第二编码值作为TCAM表项的端口域精准值,将掩码作为TCAM表项的端口域范围值。Among them, the processing module is specifically used to encode the precise value to obtain a second encoded value if the judgment module determines that it is an exact value, and use the second encoded value as the port domain precise value of the TCAM table entry and the mask as the port domain range value of the TCAM table entry. 6.根据权利要求5所述的网络设备,其特征在于,6. The network device according to claim 5, characterized in that: 所述处理模块,还用于构建范围数据库,所述范围数据库包括:端口号区段与范围编码的对应关系。The processing module is further used to construct a range database, which includes: a correspondence between port number segments and range codes. 7.一种网络设备,其特征在于,所述网络设备包括:7. A network device, characterized in that the network device comprises: 获取模块,用于接收第一报文,获取所述第一报文的第一端口号;An acquisition module, used for receiving a first message and acquiring a first port number of the first message; 查询模块,用于根据所述第一端口号查询范围数据库,获取对应的第一范围编码,将第一范围编码进行编码转换,获得第三编码值,以及将第一端口号进行编码转换获得第四编码值;A query module, configured to query a range database according to the first port number, obtain a corresponding first range code, perform code conversion on the first range code to obtain a third code value, and perform code conversion on the first port number to obtain a fourth code value; 处理模块,用于利用所述第三编码值和/或所述第四编码值与三态内容寻址存储器TCAM表项进行匹配,获得匹配后的访问控制列表ACL规则;A processing module, configured to match a ternary content addressable memory TCAM table entry using the third coding value and/or the fourth coding value to obtain a matched access control list ACL rule; 其中,所述TCAM表项包括:端口域范围值和端口域精准值,其中,端口域范围值为根据ACL规则对应的端口范围值确定的,所述端口域精准值为根据ACL规则对应的端口精准值确定的;The TCAM table entry includes: a port domain range value and a port domain precise value, wherein the port domain range 
value is determined according to the port range value corresponding to the ACL rule, and the port domain precise value is determined according to the port precise value corresponding to the ACL rule; 其中,当目标端口号的取值是范围值时,根据所述范围数据库获取与目标端口号的范围值对应的目标范围编码;将所述目标范围编码进行编码转换,获得第一编码值,将第一编码值作为TCAM 表项的端口域范围值,将掩码作为TCAM 表项的端口域精准值;Wherein, when the value of the target port number is a range value, a target range code corresponding to the range value of the target port number is obtained according to the range database; the target range code is converted to obtain a first code value, the first code value is used as the port domain range value of the TCAM table entry, and the mask is used as the port domain precise value of the TCAM table entry; 其中,当目标端口号的取值是精准值时,将所述精准值进行编码转换,获得第二编码值,将第二编码值作为TCAM 表项的端口域精准值,将掩码作为TCAM 表项的端口域范围值。When the value of the target port number is an exact value, the exact value is converted to obtain a second coded value, the second coded value is used as the port domain exact value of the TCAM table entry, and the mask is used as the port domain range value of the TCAM table entry.
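A software model of the two-field TCAM layout the claims describe (claims 4 and 7: a port domain range field keyed by range code and a port domain precise field keyed by the port itself, the unused field of each entry set to the wildcard mask). This is an added illustration, not code from the patent or from New H3C; it assumes the "code conversion" is the plain 16-bit integer, that each ACL range rule coincides with exactly one segment of the range database, and that range code 0 is reserved for a port that falls in no known segment.

```python
# Added example: a software model of the TCAM layout in the claims.
# Assumptions: "code conversion" is the plain 16-bit integer; every ACL
# range rule is exactly one segment of RANGE_DB; code 0 = "no segment".
from dataclasses import dataclass
from typing import List, Optional, Tuple

CARE = 0xFFFF      # every bit of the field must match
WILDCARD = 0x0000  # the "mask" of the claims: field is don't-care

# Constructed range database: (low, high, range_code), non-overlapping.
# Ports 1024-49151 deliberately belong to no segment.
RANGE_DB: List[Tuple[int, int, int]] = [(0, 1023, 1), (49152, 65535, 3)]

def range_code(port: int) -> int:
    """Map a packet's port to its range code; 0 if no segment contains it."""
    for lo, hi, code in RANGE_DB:
        if lo <= port <= hi:
            return code
    return 0

@dataclass(frozen=True)
class TcamEntry:
    name: str
    range_val: int   # port domain range value
    range_mask: int
    exact_val: int   # port domain precise value
    exact_mask: int

def entry_for_range(name: str, lo: int, hi: int) -> TcamEntry:
    """Range rule: range field = range code (cared), precise field = wildcard."""
    codes = [c for l, h, c in RANGE_DB if (l, h) == (lo, hi)]
    if not codes:
        raise ValueError(f"range {lo}-{hi} is not a segment of the range database")
    return TcamEntry(name, codes[0], CARE, 0, WILDCARD)

def entry_for_exact(name: str, port: int) -> TcamEntry:
    """Exact rule: precise field = port (cared), range field = wildcard."""
    return TcamEntry(name, 0, WILDCARD, port, CARE)

def lookup(entries: List[TcamEntry], port: int) -> Optional[str]:
    """Form the two search keys from the packet port (claim 4's third and
    fourth code values) and return the first entry whose cared bits match."""
    k_range, k_exact = range_code(port), port
    for e in entries:
        if (k_range & e.range_mask) == (e.range_val & e.range_mask) and \
           (k_exact & e.exact_mask) == (e.exact_val & e.exact_mask):
            return e.name
    return None

# Constructed ACL in priority order: one exact rule and two range rules.
ENTRIES = [entry_for_exact("permit-ssh", 22),
           entry_for_range("deny-wellknown", 0, 1023),
           entry_for_range("permit-ephemeral", 49152, 65535)]
```

Because the range rule matches on the code rather than the port, a port outside every database segment (8080 here) can match only exact entries, which is the check a reviewer would add when the range database is built separately from the ACL.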

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211049123.5A CN115460148B (en) 2022-08-30 2022-08-30 A method and network device for configuring ACL rules and matching messages

Publications (2)

Publication Number Publication Date
CN115460148A CN115460148A (en) 2022-12-09
CN115460148B true CN115460148B (en) 2025-02-11

Family

ID=84300422

Country Status (1)

Country Link
CN (1) CN115460148B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1674557A (en) * 2005-04-01 2005-09-28 清华大学 Parallel IP packet sorter matched with settling range based on TCAM and method thereof

Family Cites Families (4)

Publication number Priority date Publication date Assignee Title
US8909857B2 (en) * 2012-06-29 2014-12-09 Broadcom Corporation Efficient storage of ACL frequent ranges in a ternary memory
US8943268B2 (en) * 2012-08-17 2015-01-27 Broadcom Corporation Ternary content addressable memory (TCAM) storage system
CN103546378B (en) * 2013-05-20 2018-06-01 北京百卓网络技术有限公司 Scope based on TCAM matches 2 stage layered lookup methods more
CN105515997B (en) * 2015-12-07 2018-07-06 刘航天 The higher efficiency range matching process of zero scope expansion is realized based on BF_TCAM

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant