An ACL rule processing method, apparatus, electronic device, and storage medium
By monitoring the hardware resource usage of switch rule sets and merging similar rule sets, the problem of wasted switch hardware resources is solved, and resource utilization is improved.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- INSPUR SUZHOU INTELLIGENT TECH CO LTD
- Filing Date
- 2023-05-26
- Publication Date
- 2026-06-30
AI Technical Summary
In existing technologies, the allocation of ACL rule sets on switches is unreasonable, leading to a waste of hardware resources.
By monitoring the hardware resource usage of rule sets, obtaining the rule content of each rule set, determining the content similarity between rule sets, merging rule sets, and removing merged rule sets, hardware resources are released.
The method frees up switch hardware resources, improves hardware resource utilization, and avoids resource waste.
Abstract figure: CN116723009B_ABST (image not included in this text)
Description
Technical Field
[0001] This application relates to the field of computer technology, and in particular to an ACL rule processing method, apparatus, electronic device and storage medium.
Background Technology
[0002] Access Control Lists (ACLs) are a common feature of switches. They are used to control various behaviors of packets and play a crucial role in the packet processing pipeline of switching chips.
[0003] In existing technologies, a rule set is typically created first, and then the rules in the rule set are arbitrarily combined to generate an ACL entry that meets the current ACL requirements. When none of the rule sets cover the rules specified in the current ACL requirements, the rule sets are expanded with additional rules, where each rule specifically refers to the attributes of a packet.
[0004] However, as a large number of ACL entries and related rule sets are created on the device, unreasonable rule allocation will occur, wasting the switch's hardware resources.
Summary of the Invention
[0005] This application provides an ACL rule processing method, apparatus, electronic device, and storage medium to address the shortcomings of existing technologies, such as wasting switch hardware resources.
[0006] The first aspect of this application provides an ACL rule processing method, including:
[0007] Monitor the hardware resource usage of the rule sets;
[0008] When the hardware resource occupancy of the rule set indicates that the hardware resources are insufficient, the rule content of each rule set is obtained.
[0009] Based on the rule content of each rule set, determine the content similarity between each rule set;
[0010] Based on the content similarity between the rule sets, the rule sets are merged, and the merged rule sets are removed to free up hardware resources.
[0011] Optionally, determining the content similarity between the rule sets based on their rule content includes:
[0012] Take any one of the rule sets as the target rule set, and determine the intersection rule content between the target rule set and each of the rule sets based on the rule content of each rule set;
[0013] Based on the number of intersection rule contents, the content similarity between each rule set and the target rule set is determined.
[0014] Optionally, the step of merging the rule sets based on the content similarity between the rule sets includes:
[0015] Take any one of the rule sets as the target rule set, and create a rule set linked list from largest to smallest based on the content similarity between the target rule set and each of the rule sets; wherein, the head of the rule set linked list is the target rule set;
[0016] Starting from the head of the rule set linked list, the rule sets in the rule set linked list are sequentially merged into the target rule set.
[0017] Optionally, the step of merging the rule sets in the rule set linked list sequentially to the target rule set, starting from the head of the rule set linked list, includes:
[0018] Starting from the head of the rule set linked list, determine the difference rules between the rule sets in the rule set linked list and the target rule set in sequence;
[0019] The difference rule content corresponding to the rule set in the rule set linked list is added to the target rule set in turn until the remaining space in the target rule set is insufficient to add the difference rule content of the current rule set.
[0020] Optionally, the rule set includes rule content and issued ACL entries, and the method further includes:
[0021] The issued ACL entries in the merged rule set will be migrated to the target rule set.
[0022] Optionally, the method further includes:
[0023] Get the current ACL entry's distribution requirements;
[0024] Based on the current ACL entry's distribution requirements, determine the target rule content;
[0025] Based on the degree of matching between the rule content of each rule set and the target rule content, determine the rule set to be issued for the current ACL entry;
[0026] If the set of rules to be issued does not completely cover the content of the target rule, then the rules to be expanded in the set of rules to be issued are determined.
[0027] Based on the monitoring results of the hardware resource usage of the rule set, it is determined whether the hardware resources meet the hardware resource requirements of the expanded rules of the rule set to be issued.
[0028] If the hardware resources do not meet the hardware resource requirements of the rules to be expanded in the rule set to be issued, then it is determined that the hardware resources are insufficient.
[0029] Optionally, the method further includes:
[0030] If the hardware resources meet the hardware resource requirements of the rules to be expanded in the rule set to be issued, then the rule set to be issued is reconstructed so that the rules to be expanded are added to the rule set to be issued.
[0031] A second aspect of this application provides an ACL rule processing apparatus, comprising:
[0032] The monitoring module is used to monitor the hardware resource usage of the rule set;
[0033] The acquisition module is used to acquire the rule content of each rule set when the hardware resource occupancy of the rule set indicates that the hardware resources are insufficient.
[0034] The determination module is used to determine the content similarity between the rule sets based on the rule content of each rule set;
[0035] The processing module is used to merge the rule sets based on the content similarity between the rule sets and remove the merged rule sets to free up hardware resources.
[0036] Optionally, the determining module is specifically used for:
[0037] Take any one of the rule sets as the target rule set, and determine the intersection rule content between the target rule set and each of the rule sets based on the rule content of each rule set;
[0038] Based on the number of intersection rule contents, the content similarity between each rule set and the target rule set is determined.
[0039] Optionally, the processing module is specifically used for:
[0040] Take any one of the rule sets as the target rule set, and create a rule set linked list from largest to smallest based on the content similarity between the target rule set and each of the rule sets; wherein, the head of the rule set linked list is the target rule set;
[0041] Starting from the head of the rule set linked list, the rule sets in the rule set linked list are sequentially merged into the target rule set.
[0042] Optionally, the processing module is specifically used for:
[0043] Starting from the head of the rule set linked list, determine the difference rules between the rule sets in the rule set linked list and the target rule set in sequence;
[0044] The difference rule content corresponding to the rule set in the rule set linked list is added to the target rule set in turn until the remaining space in the target rule set is insufficient to add the difference rule content of the current rule set.
[0045] Optionally, the rule set includes rule content and issued ACL entries, and the processing module is further configured to:
[0046] The issued ACL entries in the merged rule set will be migrated to the target rule set.
[0047] Optionally, the device further includes:
[0048] The judgment module is used to obtain the current ACL entry distribution requirement; determine the target rule content based on the current ACL entry distribution requirement; determine the rule set to be distributed for the current ACL entry based on the matching degree between the rule content of each rule set and the target rule content; if the rule set to be distributed does not completely cover the target rule content, then determine the rules to be expanded in the rule set to be distributed; determine whether the hardware resources meet the hardware resource requirements of the rules to be expanded in the rule set to be distributed based on the monitoring results of the hardware resource usage of the rule set; if the hardware resources do not meet the hardware resource requirements of the rules to be expanded in the rule set to be distributed, then determine that the hardware resources are insufficient.
[0049] Optionally, the determination module is further configured to:
[0050] If the hardware resources meet the hardware resource requirements of the rules to be expanded in the rule set to be issued, then the rule set to be issued is reconstructed so that the rules to be expanded are added to the rule set to be issued.
[0051] A third aspect of this application provides an electronic device, comprising: at least one processor and a memory;
[0052] The memory stores computer-executed instructions;
[0053] The at least one processor executes the computer-executable instructions stored in the memory, causing the at least one processor to perform the method described in the first aspect above and the various possible designs of the first aspect.
[0054] The fourth aspect of this application provides a computer-readable storage medium storing computer-executable instructions that, when executed by a processor, implement the method described in the first aspect above and various possible designs of the first aspect.
[0055] The technical solution of this application has the following advantages:
[0056] This application provides an ACL rule processing method, apparatus, electronic device, and storage medium. The method includes: monitoring the hardware resource usage of rule sets; when the hardware resource usage of rule sets indicates insufficient hardware resources, obtaining the rule content of each rule set; determining the content similarity between rule sets based on their rule content; merging rule sets based on their content similarity, and removing merged rule sets to release hardware resources. The method provided above, by merging rule sets when switch hardware resources are insufficient, releases hardware resources occupied by duplicate rule sets, avoids wasting switch hardware resources, and improves hardware resource utilization.
Attached Figure Description
[0057] To more clearly illustrate the technical solutions in the embodiments of this application or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings.
[0058] Figure 1 is a schematic diagram of the ACL rule processing system on which the embodiments of this application are based;
[0059] Figure 2 is a flowchart of the ACL rule processing method provided in an embodiment of this application;
[0060] Figure 3 is a schematic diagram of the ACL rule processing device provided in an embodiment of this application;
[0061] Figure 4 is a schematic diagram of the structure of an electronic device provided in an embodiment of this application.
[0062] The accompanying drawings illustrate specific embodiments of this application, which will be described in more detail below. These drawings and descriptions are not intended to limit the scope of the present disclosure in any way, but rather to illustrate the concepts of this application to those skilled in the art through reference to particular embodiments.
Detailed Implementation
[0063] To make the objectives, technical solutions, and advantages of the embodiments of this application clearer, the technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this application.
[0064] Furthermore, the terms "first," "second," etc., are used for descriptive purposes only and should not be construed as indicating or implying relative importance or implicitly specifying the number of technical features indicated. In the following descriptions of embodiments, "a plurality of" means two or more, unless otherwise explicitly defined.
[0065] In existing technologies, a rule set is typically created first, and then the rules within the rule set are arbitrarily combined to generate an ACL entry that meets the current ACL requirements. When no rule set covers the rules specified in the current ACL requirements, the rule set is expanded, where rules specifically refer to packet attributes. However, as a large number of ACL entries and related rule sets are created on the device, unreasonable rule allocation can occur, wasting switch hardware resources. For example, if the first issued ACL rule contains rules 1 and 2, rule set 1 containing rules 1 and 2 will be created. If the second issued ACL rule contains rules 3 and 4, rule set 2 containing rules 3 and 4 will be created. If the third issued ACL rule contains rules 1 to 4, rule set 1 will be reconstructed, expanding its rules to rules 1 to 4. In this scenario, rule set 2 is no longer needed, thus wasting hardware resources.
[0066] To address the aforementioned issues, the ACL rule processing method, apparatus, electronic device, and storage medium provided in this application monitor the hardware resource usage of rule sets. When the hardware resource usage of a rule set indicates insufficient hardware resources, the method acquires the rule content of each rule set. Based on the rule content of each rule set, it determines the content similarity between rule sets. Based on the content similarity between rule sets, it merges the rule sets and removes the merged rule sets to release hardware resources. The method provided above, by merging rule sets when switch hardware resources are insufficient, releases hardware resources occupied by some duplicate rule sets, avoids wasting switch hardware resources, and improves the utilization rate of hardware resources.
[0067] The following specific embodiments can be combined with each other, and the same or similar concepts or processes may not be described again in some embodiments. The embodiments of the present invention will now be described with reference to the accompanying drawings.
[0068] First, the structure of the ACL rule processing system on which this application is based will be described:
[0069] The ACL rule processing method, apparatus, electronic device, and storage medium provided in this application are applicable to merging ACL rules of communication devices such as switches. Figure 1 shows the structure of the ACL rule processing system on which the embodiments of this application are based. It mainly includes a data acquisition device, multiple rule sets, and an ACL rule processing device. Specifically, the data acquisition device can acquire the hardware resource usage of each rule set in real time and send the acquired hardware resource usage information to the ACL rule processing device. Based on the obtained information, the ACL rule processing device merges multiple rule sets as appropriate to release hardware resources.
[0070] This application provides an ACL rule processing method for merging ACL rules of communication devices such as switches. The execution subject of this application is an electronic device, such as a server, desktop computer, laptop computer, tablet computer, or other electronic device that can be used to merge ACL rules.
[0071] As shown in Figure 2, which is a flowchart of an ACL rule processing method provided in an embodiment of this application, the method includes:
[0072] Step 201: Monitor the hardware resource usage of the rule sets.
[0073] It should be noted that storing the rule set will consume hardware resources of the device chip.
[0074] Step 202: When the hardware resource usage of a rule set indicates insufficient hardware resources, obtain the rule content of each rule set.
[0075] Specifically, based on the hardware resource usage of the rule sets, the remaining hardware resources available for storing the rule sets can be determined. When the remaining hardware resources are lower than a preset standard, it is determined that the current hardware resources are insufficient, and the rule content of each rule set is further obtained. Here, the rule content specifically refers to the rules included in the rule set, and the rules are message attribute information, such as the message destination IP, message source IP, and message protocol type.
[0076] Step 203: Determine the content similarity between each rule set based on the rule content of each rule set.
[0077] Specifically, by comparing the rule content of each rule set, we can determine which rules are the same between the rule sets. The more identical rules two rule sets have, the higher their content similarity. Content similarity specifically refers to the proportion of identical rules.
[0078] Specifically, in one embodiment, any rule set can be used as the target rule set. Based on the rule content of each rule set, the intersection rule content between the target rule set and each rule set is determined. Based on the number of intersection rule contents, the content similarity between each rule set and the target rule set is determined.
[0079] Specifically, the existing rule set can be recursively traversed and used as the target rule set in turn. The rule content of each rule set is compared pairwise to determine the intersection rule content between the target rule set and each rule set. The content similarity between the two rule sets is determined by the ratio between the number of intersection rule content and the number of union rule content of the two rule sets.
[0080] Step 204: Based on the content similarity between each rule set, merge the rule sets and remove the merged rule sets to free up hardware resources.
[0081] Specifically, two rule sets can be merged when their content similarity reaches a preset threshold, or only the rule set with the highest content similarity can be merged at a time. After merging the rule sets, the merged rule set is removed from the hardware chip's storage area to release the hardware resources it occupies.
[0082] Based on the above embodiments, to ensure the efficiency of rule set merging, as an implementable approach, in one embodiment, rule set merging is performed according to the content similarity between each rule set, including:
[0083] Step 2041: Take any rule set as the target rule set, and create a rule set linked list from largest to smallest based on the content similarity between the target rule set and each rule set; wherein the head of the rule set linked list is the target rule set;
[0084] Step 2042: Starting from the head of the rule set linked list, merge the rule sets in the rule set linked list into the target rule set in turn.
[0085] For example, if there are a total of 5 rule sets, first, rule set 1 is taken as the target rule set. The similarity between rule set 1 and rule set 2 is determined to be 80%, the similarity with rule set 3 is 90%, the similarity with rule set 4 is 60%, and the similarity with rule set 5 is 20%. Rule set 1 is set as the head of the rule set linked list, rule set 3 as the first node, rule set 2 as the second node, rule set 4 as the third node, and rule set 5 as the fourth node. Then, rule set 3 is merged into rule set 1, then rule set 2 is merged into rule set 1, and so on, until the similarity between the current node's rule set and the target rule set is lower than a preset similarity threshold, or the remaining space in rule set 1 is insufficient to merge the current node's rule set, etc.
[0086] Specifically, in one embodiment, starting from the head of the rule set linked list, the difference rules between the rule sets in the rule set linked list and the target rule set can be determined sequentially; the difference rules corresponding to the rule sets in the rule set linked list can be added to the target rule set sequentially until the remaining space in the target rule set is insufficient to add the difference rules of the current rule set.
[0087] For example, referring to the example above, first, the differences between rule set 3 and rule set 1 are determined. Rules that rule set 3 has but rule set 1 does not are the differences. Merging rule set 3 into rule set 1 is equivalent to adding these differences to rule set 1. Before adding the differences, it is determined whether the current remaining space in rule set 1 is sufficient to add the differences of the current rule set (rule set 3). If so, it is added to rule set 1. Next, the differences between rule set 2 and the current rule set 1 (rule set 1 after merging rule set 3) are determined. It is determined whether the current remaining space in rule set 1 (the current target rule set) is sufficient to add the differences of rule set 2. If so, the differences of rule set 2 are added to rule set 1, and so on, until the remaining space in the target rule set is insufficient to add the differences of the current rule set.
[0088] Furthermore, in one embodiment, the rule set includes rule content and issued ACL entries, and the issued ACL entries in the merged rule set can also be migrated to the target rule set.
[0089] The rule set has a limited capacity to store issued ACL entries. When the number of ACL entries to be migrated exceeds the capacity limit of the target rule set, a new rule set is created, and the excess ACL entries are migrated to the new rule set. The new rule set contains rules consistent with the current rules of the target rule set.
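The similarity ranking, capacity-bounded difference merging and entry migration of steps 203 to 204 and paragraphs [0085] to [0089], as an added Python example that is not code from the patent. The intersection/union ratio of [0079] as the similarity measure, the single-letter rule names, the capacities and the overflow-set naming are assumptions; the five rule sets are constructed so that their similarity ordering reproduces the one in [0085].

```python
from dataclasses import dataclass, field


@dataclass
class RuleSet:
    """A switch ACL rule set: the packet-attribute rules it matches on, plus the
    ACL entries already issued from it. Both capacities are constructed
    placeholders for the chip's per-rule-set slot limits."""
    name: str
    rules: set
    entries: list = field(default_factory=list)
    rule_capacity: int = 12
    entry_capacity: int = 4


def content_similarity(a, b):
    """Paragraph [0079]: |A ∩ B| / |A ∪ B| over the two sets' rules."""
    union = a.rules | b.rules
    return len(a.rules & b.rules) / len(union) if union else 0.0


def build_merge_list(target, candidates):
    """Step 2041: the linked list behind the target, i.e. the candidates ordered
    by descending similarity to the target. Scores are kept so the threshold
    check uses the similarity computed before the target starts growing."""
    scored = [(content_similarity(target, rs), rs) for rs in candidates]
    scored.sort(key=lambda pair: pair[0], reverse=True)
    return scored


def migrate_entries(target, source, spill):
    """Paragraph [0089]: move the merged set's issued ACL entries into the
    target; entries that do not fit go to a new rule set whose rules are a
    copy of the target's current rules."""
    for entry in source.entries:
        if len(target.entries) < target.entry_capacity:
            target.entries.append(entry)
            continue
        if not spill or len(spill[-1].entries) >= spill[-1].entry_capacity:
            spill.append(RuleSet(f"{target.name}-overflow-{len(spill) + 1}",
                                 set(target.rules),
                                 rule_capacity=target.rule_capacity,
                                 entry_capacity=target.entry_capacity))
        spill[-1].entries.append(entry)
    source.entries = []


def merge_rule_sets(target, candidates, threshold):
    """Step 2042 / [0086]-[0087]: walk the list from the head and add each
    node's difference rules to the target, stopping when a node falls below
    the similarity threshold or the target's remaining rule slots cannot hold
    the difference. Returns (sets merged and released, overflow sets created)."""
    merged, spill = [], []
    for score, node in build_merge_list(target, candidates):
        if score < threshold:
            break                                 # [0085]: later nodes are less similar still
        diff = node.rules - target.rules          # [0087]: difference against the current target
        if len(target.rules) + len(diff) > target.rule_capacity:
            break                                 # [0086]: remaining space is insufficient
        target.rules |= diff
        migrate_entries(target, node, spill)
        merged.append(node)                       # node can now be removed from the chip
    return merged, spill


def build_sample(rule_capacity=12):
    """Constructed data modelled on [0085]: five rule sets, rule set 1 is the
    target. Single letters stand in for packet attributes such as source IP."""
    base = set("abcdefghi")
    rs1 = RuleSet("rs1", set(base), ["acl-1", "acl-2"], rule_capacity)
    rs2 = RuleSet("rs2", set("abcdefgh") | {"k", "l"}, ["acl-3", "acl-4"])
    rs3 = RuleSet("rs3", base | {"j"}, ["acl-5", "acl-6"])
    rs4 = RuleSet("rs4", set("abcdef"), ["acl-7"])
    rs5 = RuleSet("rs5", set("abmnop"), ["acl-8"])
    return rs1, [rs2, rs3, rs4, rs5]


def merge_example(threshold=0.5, rule_capacity=12):
    """Run the merge on the constructed sample and report what happened."""
    target, others = build_sample(rule_capacity)
    order = [rs.name for _, rs in build_merge_list(target, others)]
    merged, spill = merge_rule_sets(target, others, threshold)
    return {
        "order": order,
        "merged": [rs.name for rs in merged],
        "target_rules": len(target.rules),
        "target_entries": target.entries,
        "spill": [(rs.name, rs.entries, len(rs.rules)) for rs in spill],
    }


if __name__ == "__main__":
    print(merge_example())
```

With the default capacity of 12, rule sets 3, 2 and 4 are merged and their entries overflow into one new set; with capacity 11 the merge stops after rule set 3 because the two difference rules of rule set 2 no longer fit.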
[0090] Based on the above embodiments, to avoid the inability to issue ACL entries that meet the current ACL entry issuance requirements due to the rule set not being merged in a timely manner, as an implementable approach, in one embodiment, the method further includes:
[0091] Step 301: Obtain the current ACL entry's distribution requirements;
[0092] Step 302: Determine the target rule content based on the current ACL entry distribution requirements;
[0093] Step 303: Determine the set of rules to be issued for the current ACL entry based on the degree of matching between the rule content of each rule set and the target rule content;
[0094] Step 304: If the rule set to be issued does not completely cover the target rule content, then determine the rules to be expanded in the rule set to be issued.
[0095] Step 305: Based on the monitoring results of the hardware resource usage of the rule set, determine whether the hardware resources meet the hardware resource requirements of the expanded rules of the rule set to be issued.
[0096] Step 306: If the hardware resources do not meet the hardware resource requirements of the rules to be expanded in the rule set to be issued, then it is determined that the hardware resources are insufficient.
[0097] It's important to note that the principle for issuing ACL entries is as follows: if a rule set exists that covers all the rules required for the ACL entry, and that rule set can issue one ACL entry, then the corresponding ACL entry is issued based on the current ACL entry issuance requirements of that rule set. If a rule set exists that covers all the rules required for the ACL entry, but that rule set lacks the resources to issue one ACL entry, then that rule set is deemed unavailable for this instance. If an existing rule set does not cover all the rules required for the ACL entry, then the rule set with the highest coverage is selected, and its rules are expanded to meet the current ACL entry issuance requirements.
[0098] Specifically, based on the current ACL entry issuance requirements, the target rule content can be determined. This target rule content includes multiple target rules used to issue ACL entries. A temporary linked list is generated, ranked from largest to smallest, based on the target rule coverage of each rule set, which is represented by the degree of matching between the rule content of each rule set and the target rule content. Following this temporary linked list, each rule set that completely covers the target rule content is tried in turn for issuing the ACL entry. If any rule set issues it successfully, the process ends. When the attempt fails (i.e., no rule set that completely covers the target rule content has the resources to issue the current ACL entry), the rule sets that do not completely cover the target rule content are taken in the order of the temporary linked list generated during rule comparison. The differences between the current rule content of the rule set to be issued and the target rule content are then determined, the rules to be expanded in the rule set to be issued are identified, and the amount of hardware resources the expanded rules would occupy is estimated (the hardware resource requirement of the expanded rules). Then, based on the monitoring results of the hardware resource usage of the rule sets and the amount of hardware resources the expanded rules would occupy, it is determined whether the hardware resources meet the hardware resource requirement of the expanded rules in the rule set to be issued. If not, it is determined that the hardware resources are insufficient, and rule set merging is performed to release a certain amount of hardware resources.
[0099] Accordingly, in one embodiment, if the hardware resources meet the hardware resource requirements of the rules to be expanded in the rule set to be issued, the rule set to be issued is reconstructed so that the rules to be expanded are added to the rule set to be issued.
[0100] Specifically, the rule sets to be issued can be filtered in descending order of the coverage rate of the target rule content based on the temporary linked list. The final selected rule sets not only have a high coverage rate of the target rule content, but also have the resources to issue the current ACL entries. This avoids the waste of resources for rule set reconstruction due to the lack of resources to issue the current ACL entries in the reconstructed rule sets.
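Steps 301 to 306 together with the issuance principle of [0097] and the filtering of [0100], as an added Python example that is not the patent's own code. The dict representation of a rule set, the free-slot model of hardware resources and the one-slot-per-expanded-rule cost are assumptions; the three rule sets are constructed so that the fully covering set has no free entry slot and the best partial set must be reconstructed.

```python
def coverage(rules, target_rules):
    """Degree of matching from [0098]: share of the target rules a set already holds."""
    return len(rules & target_rules) / len(target_rules) if target_rules else 1.0


def plan_issuance(rule_sets, target_rules, free_resources, cost_per_rule=1):
    """Steps 301-306 for one ACL entry issuance requirement.
    rule_sets: dicts {name, rules (set), free_entries (int)}, mutated on success.
    free_resources: hardware slots currently free for rule expansion, as reported by
    the monitoring step (constructed units; one slot per expanded rule is assumed)."""
    # Step 303: the temporary linked list of [0098], ranked by coverage, largest first
    ranked = sorted(rule_sets, key=lambda rs: coverage(rs["rules"], target_rules), reverse=True)
    # [0097] first principle: a set covering every target rule with a free entry slot issues directly
    for rs in ranked:
        if target_rules <= rs["rules"] and rs["free_entries"] > 0:
            rs["free_entries"] -= 1
            return {"action": "issued", "rule_set": rs["name"]}
    # [0098]: no fully covering set could issue; take the partially covering sets in list order
    for rs in ranked:
        if target_rules <= rs["rules"] or rs["free_entries"] == 0:
            continue  # fully covering sets already failed; [0100] skips sets that could not issue
        to_expand = target_rules - rs["rules"]              # step 304: rules to be expanded
        needed = len(to_expand) * cost_per_rule              # estimated hardware requirement
        if needed > free_resources:                          # steps 305-306
            return {"action": "insufficient", "rule_set": rs["name"],
                    "needed": needed, "free": free_resources}
        rs["rules"] |= to_expand                             # [0099]: reconstruct with expanded rules
        rs["free_entries"] -= 1
        return {"action": "reconstructed", "rule_set": rs["name"], "expanded": sorted(to_expand)}
    # No rule set has an entry slot left at all: also reported as a resource shortage.
    return {"action": "insufficient", "rule_set": None, "needed": None, "free": free_resources}


# Constructed issuance requirement: the target rule content of step 302.
TARGET_RULES = {"src_ip", "dst_ip", "proto", "dst_port"}


def sample_sets(a_free=0):
    """Constructed rule sets: rsA fully covers the target, rsB and rsC only partially."""
    return [
        {"name": "rsA", "rules": {"src_ip", "dst_ip", "proto", "dst_port"}, "free_entries": a_free},
        {"name": "rsB", "rules": {"src_ip", "dst_ip", "proto"}, "free_entries": 2},
        {"name": "rsC", "rules": {"src_ip", "dst_port"}, "free_entries": 5},
    ]


def issuance_example(a_free=0, free_resources=1):
    """Plan the issuance of one entry against a fresh copy of the sample sets."""
    return plan_issuance(sample_sets(a_free), TARGET_RULES, free_resources)


if __name__ == "__main__":
    print(issuance_example(a_free=1))       # issued directly from rsA
    print(issuance_example())               # rsA has no slot: rsB is expanded by dst_port
    print(issuance_example(free_resources=0))  # expansion cannot be afforded: merge first
```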
[0101] The ACL rule processing method provided in this application monitors the hardware resource usage of rule sets. When the hardware resource usage of a rule set indicates insufficient hardware resources, the method obtains the rule content of each rule set. Based on the rule content of each rule set, it determines the content similarity between the rule sets. Based on the content similarity between the rule sets, it merges the rule sets and removes the merged rule sets to release hardware resources. The method provided above, by merging rule sets when switch hardware resources are insufficient, releases hardware resources occupied by some duplicate rule sets, avoids wasting switch hardware resources, improves hardware resource utilization, and ensures maximum use of the hardware resources in the chip.
[0102] This application provides an ACL rule processing device for executing the ACL rule processing method provided in the above embodiments.
[0103] As shown in Figure 3, which is a structural schematic of the ACL rule processing device provided in an embodiment of this application, the ACL rule processing device 30 includes: a monitoring module 301, an acquisition module 302, a determination module 303, and a processing module 304.
[0104] The system includes a monitoring module for monitoring the hardware resource usage of rule sets; an acquisition module for acquiring the rule content of each rule set when the hardware resource usage of each rule set indicates insufficient hardware resources; a determination module for determining the content similarity between rule sets based on their rule content; and a processing module for merging rule sets based on their content similarity and removing merged rule sets to free up hardware resources.
[0105] Specifically, in one embodiment, the determining module is specifically used for:
[0106] Take any rule set as the target rule set, and determine the intersection rules between the target rule set and each rule set based on the rule content of each rule set.
[0107] Based on the number of intersection rules, determine the content similarity between each rule set and the target rule set.
[0108] Specifically, in one embodiment, the processing module is specifically used for:
[0109] Take any rule set as the target rule set, and create a rule set linked list from largest to smallest based on the content similarity between the target rule set and each rule set; where the head of the rule set linked list is the target rule set.
[0110] Starting from the head of the rule set linked list, merge the rule sets in the rule set linked list into the target rule set in sequence.
[0111] Specifically, in one embodiment, the processing module is specifically used for:
[0112] Starting from the head of the rule set linked list, determine the difference rules between the rule sets in the rule set linked list and the target rule set in sequence;
[0113] Add the difference rules corresponding to the rule sets in the rule set linked list to the target rule set in turn, until there is not enough space left in the target rule set to add the difference rules of the current rule set.
[0114] Specifically, in one embodiment, the rule set includes rule content and issued ACL entries; the processing module is further configured to:
[0115] The issued ACL entries in the merged rule set will be migrated to the target rule set.
[0116] Specifically, in one embodiment, the device further includes:
[0117] The judgment module is used to obtain the current ACL entry distribution requirement; determine the target rule content based on the current ACL entry distribution requirement; determine the rule set to be distributed for the current ACL entry based on the matching degree between the rule content of each rule set and the target rule content; if the rule set to be distributed does not completely cover the target rule content, then determine the rules to be expanded for the rule set to be distributed; based on the monitoring results of the rule set's hardware resource usage, determine whether the hardware resources meet the hardware resource requirements of the rules to be expanded for the rule set to be distributed; if the hardware resources do not meet the hardware resource requirements of the rules to be expanded for the rule set to be distributed, then determine that the hardware resources are insufficient.
[0118] Specifically, in one embodiment, the determining module is further configured to:
[0119] If the hardware resources meet the hardware resource requirements of the rules to be expanded in the rule set to be issued, then the rule set to be issued is reconstructed so that the rules to be expanded can be added to the rule set to be issued.
[0120] Regarding the ACL rule processing device in this embodiment, the specific methods by which each module performs operations have been described in detail in the embodiments related to the method, and will not be elaborated here.
[0121] The ACL rule processing device provided in this application embodiment is used to execute the ACL rule processing method provided in the above embodiment. Its implementation method and principle are the same, and will not be described again.
[0122] This application provides an electronic device for executing the ACL rule processing method provided in the above embodiments.
[0123] Figure 4 is a structural schematic of an electronic device provided in an embodiment of this application. The electronic device 40 includes at least one processor 41 and a memory 42.
[0124] The memory stores computer-executable instructions; at least one processor executes the computer-executable instructions stored in the memory, causing the at least one processor to execute the ACL rule processing method provided in the above embodiment.
[0125] This application provides an electronic device for executing the ACL rule processing method provided in the above embodiments. Its implementation method and principle are the same, and will not be described again.
[0126] This application provides a computer-readable storage medium storing computer-executable instructions. When a processor executes the computer-executable instructions, it implements the ACL rule processing method provided in any of the above embodiments.
[0127] The storage medium containing computer-executable instructions in this embodiment can be used to store computer-executable instructions for the ACL rule processing method provided in the foregoing embodiments. Its implementation method and principle are the same, and will not be described again.
[0128] In the several embodiments provided in this application, it should be understood that the disclosed apparatus and methods can be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; for instance, the division of units is only a logical functional division, and in actual implementation, there may be other division methods. For example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the coupling or direct coupling or communication connection shown or discussed may be through some interfaces; the indirect coupling or communication connection between apparatuses or units may be electrical, mechanical, or other forms.
[0129] The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units can be selected to achieve the purpose of this embodiment according to actual needs.
[0130] Furthermore, the functional units in the various embodiments of this application can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit. The integrated unit can be implemented in hardware or in a combination of hardware and software functional units.
[0131] The integrated units implemented as software functional units described above can be stored in a computer-readable storage medium. These software functional units, stored in a storage medium, include several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) or processor to execute some steps of the methods described in the various embodiments of this application. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.
[0132] Those skilled in the art will clearly understand that, for the sake of convenience and brevity, the above-described division of functional modules is merely an example. In practical applications, the above functions can be assigned to different functional modules as needed, that is, the internal structure of the device can be divided into different functional modules to complete all or part of the functions described above. The specific working process of the device described above can be referred to the corresponding process in the foregoing method embodiments, and will not be repeated here.
[0133] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of this application, and are not intended to limit them. Although this application has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some or all of the technical features therein. Such modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the scope of the technical solutions of the embodiments of this application.
Claims
1. An ACL rule processing method, characterized in that it includes: monitoring the hardware resource usage of the rule sets; when the hardware resource occupancy of the rule sets indicates that the hardware resources are insufficient, obtaining the rule content of each rule set; determining the content similarity between the rule sets based on the rule content of each rule set; merging the rule sets based on the content similarity between the rule sets, and removing the merged rule sets to free up hardware resources; wherein the step of merging the rule sets based on the content similarity between the rule sets includes: taking any one of the rule sets as the target rule set, and creating a rule set linked list ordered from largest to smallest content similarity between the target rule set and each of the rule sets, wherein the head of the rule set linked list is the target rule set; and, starting from the head of the rule set linked list, sequentially merging the rule sets in the rule set linked list into the target rule set; the method further includes: obtaining the distribution requirements of the current ACL entry; determining the target rule content based on the distribution requirements of the current ACL entry; determining the rule set to be issued for the current ACL entry based on the degree of matching between the rule content of each rule set and the target rule content; if the rule set to be issued does not completely cover the target rule content, determining the rules to be expanded in the rule set to be issued; based on the monitoring results of the hardware resource usage of the rule sets, determining whether the hardware resources meet the hardware resource requirements of the rules to be expanded in the rule set to be issued; and if the hardware resources do not meet the hardware resource requirements of the rules to be expanded in the rule set to be issued, determining that the hardware resources are insufficient.
2. The method according to claim 1, characterized in that the step of determining the content similarity between the rule sets based on their rule content includes: taking any one of the rule sets as the target rule set, and determining the intersection rule content between the target rule set and each of the rule sets based on the rule content of each rule set; and determining the content similarity between the target rule set and each rule set based on the number of intersection rule contents.
3. The method according to claim 1, characterized in that the step of sequentially merging the rule sets in the rule set linked list into the target rule set, starting from the head of the linked list, includes: starting from the head of the rule set linked list, determining the difference rules between the rule sets in the rule set linked list and the target rule set in sequence; and adding the difference rule content corresponding to the rule sets in the rule set linked list to the target rule set in turn, until the remaining space in the target rule set is insufficient to add the difference rule content of the current rule set.
4. The method according to claim 3, characterized in that the rule set includes rule content and issued ACL entries, and the method further includes: migrating the issued ACL entries in the merged rule set to the target rule set.
5. The method according to claim 1, characterized in that the method further includes: if the hardware resources meet the hardware resource requirements of the rules to be expanded in the rule set to be issued, reconstructing the rule set to be issued so that the rules to be expanded are added to the rule set to be issued.
6. An ACL rule processing device, characterized in that it includes: a monitoring module, used to monitor the hardware resource usage of the rule sets; an acquisition module, used to acquire the rule content of each rule set when the hardware resource occupancy of the rule sets indicates that the hardware resources are insufficient; a determination module, used to determine the content similarity between the rule sets based on the rule content of each rule set; and a processing module, used to merge the rule sets according to the content similarity between the rule sets and remove the merged rule sets to free up hardware resources; wherein the processing module is specifically used to: take any one of the rule sets as the target rule set, and create a rule set linked list ordered from largest to smallest content similarity between the target rule set and each of the rule sets, wherein the head of the rule set linked list is the target rule set; and, starting from the head of the rule set linked list, sequentially merge the rule sets in the rule set linked list into the target rule set; the device further includes: a judgment module, used to obtain the current ACL entry distribution requirement; determine the target rule content based on the current ACL entry distribution requirement; determine the rule set to be issued for the current ACL entry based on the matching degree between the rule content of each rule set and the target rule content; if the rule set to be issued does not completely cover the target rule content, determine the rules to be expanded in the rule set to be issued; determine, based on the monitoring results of the hardware resource usage of the rule sets, whether the hardware resources meet the hardware resource requirements of the rules to be expanded in the rule set to be issued; and if the hardware resources do not meet the hardware resource requirements of the rules to be expanded in the rule set to be issued, determine that the hardware resources are insufficient.
7. An electronic device, characterized in that it includes: at least one processor and a memory; the memory stores computer-executable instructions; and the at least one processor executes the computer-executable instructions stored in the memory, causing the at least one processor to perform the method as described in any one of claims 1 to 5.
8. A computer-readable storage medium, characterized in that the computer-readable storage medium stores computer-executable instructions which, when executed by a processor, implement the method as described in any one of claims 1 to 5.