CN113965401B - Message forwarding method and device and electronic equipment - Google Patents


Info

Publication number
CN113965401B
Authority
CN
China
Legal status
Active
Application number
CN202111284064.5A
Other languages
Chinese (zh)
Other versions
CN113965401A (en)
Inventor
高唱
赵海峰
Current Assignee
New H3C Technologies Co Ltd Hefei Branch
Original Assignee
New H3C Technologies Co Ltd Hefei Branch

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]

Abstract

The embodiment of the invention provides a message forwarding method, a message forwarding device and electronic equipment. The method comprises the following steps: when the number of hosts in a first zone is more than a preset threshold value, deleting the first ACL entries set for each host of the first zone in the access control list (ACL); determining, for each host in the first zone, a zone identifier corresponding to the IP address of the host; issuing second ACL entries according to the zone identifiers corresponding to the IP addresses of the hosts in the first zone; determining the first ACL entry hit by a message to be forwarded according to the first source IP address and first destination IP address of the message to be forwarded; if the message to be forwarded does not hit any first ACL entry in the ACL, determining a first source zone identifier corresponding to the first source IP address and a first destination zone identifier corresponding to the first destination IP address; determining the second ACL entry hit by the message to be forwarded according to the first source zone identifier and the first destination zone identifier; and processing the message to be forwarded according to the forwarding policy in the second ACL entry hit by the message to be forwarded. ACL entry resources may thereby be saved.

Description

Message forwarding method and device and electronic equipment
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method and an apparatus for forwarding a message, and an electronic device.
Background
In some application scenarios, such as INOF (Intelligent Lossless NVMe over Fabric) intelligent lossless storage networks, a number of hosts that have communication connections with each other need to be divided into several zones, so that hosts belonging to the same zone can exchange data while hosts belonging to different zones cannot.
Because hosts belonging to different zones are still connected to each other, one host may send a message to another host that does not belong to the same zone. To ensure that hosts in different zones cannot exchange data, the switching device in the network has to judge, when forwarding a message, whether the sending host and the receiving host belong to the same zone.
In the related art, the following ACL entries may be set for each zone in the access control list (ACL): a1→a2 permit; a1→a3 permit; …; a1→an permit; a1→any deny; any→a1 deny; a2→a1 permit; …; any→an deny. Here a1 represents the IP address of the first host in the zone, a2 the IP address of the second host, n is the number of hosts in the zone, permit represents that forwarding is allowed, and deny represents that forwarding is refused.
However, in this scheme n×(n+1) ACL entries (n+1 per host) have to be set for each zone, while the ACL entry resources a switching device can hold are limited. When a zone contains too many hosts, a large number of ACL entries have to be set for it, which exhausts the ACL entry resources of the switching device.
Disclosure of Invention
The embodiment of the invention aims to provide a message forwarding method, a message forwarding device and electronic equipment, so as to save ACL (access control list) table entry resources. The specific technical scheme is as follows:
in a first aspect of an embodiment of the present invention, a method for forwarding a packet is provided, where the method includes:
when the number of hosts in a first zone is more than a preset threshold value, deleting the first ACL entries set for each host of the first zone in the access control list (ACL), where a first ACL entry records a first mapping relation between a source IP address, a destination IP address and a forwarding policy, and the first zone is any zone;
determining, for each host in the first zone, a zone identifier corresponding to the IP address of the host, where the zone identifier represents all zones to which the host belongs;
issuing second ACL entries to the ACL according to the zone identifiers corresponding to the IP addresses of the hosts in the first zone, where a second ACL entry records a second mapping relation between a source zone identifier, a destination zone identifier and a forwarding policy, and in the second mapping relation the forwarding policy corresponding to a source zone identifier and a destination zone identifier that are the same is to allow forwarding;
determining the first ACL entry hit by a message to be forwarded according to the first source IP address and first destination IP address of the message to be forwarded;
if the message to be forwarded does not hit any first ACL entry in the ACL, determining a first source zone identifier corresponding to the first source IP address and a first destination zone identifier corresponding to the first destination IP address;
determining the second ACL entry hit by the message to be forwarded according to the first source zone identifier and the first destination zone identifier;
and processing the message to be forwarded according to the forwarding policy in the second ACL entry hit by the message to be forwarded.
In a possible embodiment, the determining the area identifier corresponding to the IP address of the host includes:
determining the bit corresponding to each zone to which the host belongs as a target bit, where different zones correspond to different bits;
setting each target bit in a binary number group of preset length, and taking the resulting binary number group as the zone identifier corresponding to the IP address of the host;
the source zone identifier and the destination zone identifier being the same means:
there is an intersection between the bits set in the source zone identifier and the bits set in the destination zone identifier.
In a possible embodiment, the determining the zone identifier corresponding to the IP address of the host includes:
if there is no intersection between the first zone and any other zone, determining the value corresponding to the first zone as a target value, where different zones correspond to different values;
adjusting the independent identification bits in a binary number group of preset length so that the value represented by the independent identification bits equals the target value, and taking the adjusted binary number group as the zone identifier corresponding to the IP address of the host;
if there is an intersection between the first zone and another zone, determining the bit corresponding to each zone to which the host belongs as a target bit, where different zones correspond to different bits;
setting each target bit within the interaction identification bits of the binary number group of preset length, and taking the resulting binary number group as the zone identifier corresponding to the IP address of the host, where the interaction identification bits and the independent identification bits do not overlap;
the source zone identifier and the destination zone identifier being the same means:
the value represented by the independent identification bits of the source zone identifier equals the value represented by the independent identification bits of the destination zone identifier and is not the default value; or
there is an intersection between the set interaction identification bits of the source zone identifier and the set interaction identification bits of the destination zone identifier.
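As an added illustration (not code from the patent), the following Python computes a host's zone identifier under both encodings described above and applies each embodiment's "same zone" test; the identifier width, the split between independent and interaction bits, the helper names and the sample zone layout (zones A and C sharing a host, zone B disjoint) are assumptions.

```python
# Added example (not from the patent): the two zone-identifier encodings the
# text describes, and the "same zone" predicate each one implies. The field
# widths, the helper names and the constructed zone layout are assumptions.

ID_WIDTH = 32        # assumed length of the "binary number group"
INDEP_BITS = 8       # assumed: low 8 bits are the independent identification bits
DEFAULT_VALUE = 0    # value meaning "no standalone zone"; never assigned to a zone
INDEP_MASK = (1 << INDEP_BITS) - 1

# Constructed sample layout: zones A and C share host a2, zone B is disjoint.
ZONES = {
    "A": {"a1", "a2"},
    "B": {"b1", "b2"},
    "C": {"c1", "a2"},
}


def zones_of(host, zones):
    return [z for z, members in zones.items() if host in members]


# --- Embodiment 1: one bit per zone, bits of all member zones are set --------

def bitmap_bits(zones):
    """Assign a distinct bit to every zone (different zones, different bits)."""
    return {z: i for i, z in enumerate(sorted(zones))}


def zone_id_bitmap(host, zones, bit_of_zone):
    zid = 0
    for z in zones_of(host, zones):
        zid |= 1 << bit_of_zone[z]
    return zid


def same_zone_bitmap(src_id, dst_id):
    """'Same' = the set bits of source and destination identifiers intersect."""
    return (src_id & dst_id) != 0


# --- Embodiment 2: disjoint zones get a value in the independent bits, ------
# --- overlapping zones get a bit in the interaction bits ---------------------

def split_layout(zones):
    """Return (value_of_zone, bit_of_zone). A zone that intersects no other zone
    gets a distinct non-default value; every other zone gets a distinct bit
    above the independent field, so the two kinds of bits never overlap."""
    overlapping = {z for z in zones
                   if any(zones[z] & zones[o] for o in zones if o != z)}
    value_of_zone, bit_of_zone = {}, {}
    for z in sorted(zones):
        if z in overlapping:
            bit_of_zone[z] = INDEP_BITS + len(bit_of_zone)
        else:
            value_of_zone[z] = len(value_of_zone) + 1
    assert all(v <= INDEP_MASK for v in value_of_zone.values()), "value field too narrow"
    assert all(b < ID_WIDTH for b in bit_of_zone.values()), "not enough interaction bits"
    return value_of_zone, bit_of_zone


def zone_id_split(host, zones, value_of_zone, bit_of_zone):
    zid = 0
    for z in zones_of(host, zones):
        if z in value_of_zone:
            # a disjoint zone is, by definition, the host's only zone
            zid = (zid & ~INDEP_MASK) | value_of_zone[z]
        else:
            zid |= 1 << bit_of_zone[z]
    return zid


def same_zone_split(src_id, dst_id):
    """'Same' = equal, non-default independent values, or intersecting
    interaction bits."""
    src_val, dst_val = src_id & INDEP_MASK, dst_id & INDEP_MASK
    if src_val == dst_val and src_val != DEFAULT_VALUE:
        return True
    return ((src_id >> INDEP_BITS) & (dst_id >> INDEP_BITS)) != 0


def demo():
    """Compute both kinds of identifiers for the sample layout and check that
    both predicates agree on every host pair."""
    bits1 = bitmap_bits(ZONES)
    vals2, bits2 = split_layout(ZONES)
    hosts = sorted({h for m in ZONES.values() for h in m})
    id1 = {h: zone_id_bitmap(h, ZONES, bits1) for h in hosts}
    id2 = {h: zone_id_split(h, ZONES, vals2, bits2) for h in hosts}
    agree = all(same_zone_bitmap(id1[s], id1[d]) == same_zone_split(id2[s], id2[d])
                for s in hosts for d in hosts)
    return id1, id2, agree


if __name__ == "__main__":
    id1, id2, agree = demo()
    for h in id1:
        print(f"{h}: bitmap={id1[h]:#06x} split={id2[h]:#06x}")
    print("predicates agree on all pairs:", agree)
```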
In a possible embodiment, the issuing, according to the area identifier corresponding to the IP address of each host in the first area, a second ACL entry to the ACL includes:
issuing the following second ACL table items to the ACL:
a third ACL entry, representing that if the source zone identifier is the same as the destination zone identifier, the forwarding policy is to allow forwarding;
a fourth ACL entry, representing that if the source zone identifier is the zone identifier corresponding to the IP address of any host in the first zone and the destination zone identifier is any zone identifier, the forwarding policy is to deny forwarding;
a fifth ACL entry, representing that if the source zone identifier is any zone identifier and the destination zone identifier is the zone identifier corresponding to the IP address of any host in the first zone, the forwarding policy is to deny forwarding;
where the third ACL entry has a higher priority than the fourth ACL entry and a higher priority than the fifth ACL entry.
In a second aspect of the embodiment of the present invention, there is provided a packet forwarding apparatus, including:
an entry deletion module, configured to delete, when the number of hosts in a first zone is more than a preset threshold, the first ACL entries set for each host of the first zone in the access control list (ACL), where a first ACL entry records a first mapping relation between a source IP address, a destination IP address and a forwarding policy, and the first zone is any zone;
an identifier management module, configured to determine, for each host in the first zone, a zone identifier corresponding to the IP address of the host, where the zone identifier represents all zones to which the host belongs;
an entry issuing module, configured to issue second ACL entries to the ACL according to the zone identifiers corresponding to the IP addresses of the hosts in the first zone, where a second ACL entry records a second mapping relation between a source zone identifier, a destination zone identifier and a forwarding policy, and in the second mapping relation the forwarding policy corresponding to a source zone identifier and a destination zone identifier that are the same is to allow forwarding;
a first entry matching module, configured to determine the first ACL entry hit by a message to be forwarded according to the first source IP address and first destination IP address of the message to be forwarded;
an identifier determining module, configured to determine, if the message to be forwarded does not hit any first ACL entry in the ACL, a first source zone identifier corresponding to the first source IP address and a first destination zone identifier corresponding to the first destination IP address;
a second entry matching module, configured to determine the second ACL entry hit by the message to be forwarded according to the first source zone identifier and the first destination zone identifier;
and a forwarding module, configured to process the message to be forwarded according to the forwarding policy in the second ACL entry hit by the message to be forwarded.
In a possible embodiment, the identifier management module is specifically configured to determine the bit corresponding to each zone to which the host belongs as a target bit, where different zones correspond to different bits;
setting each target bit in a binary number group of preset length, and taking the resulting binary number group as the zone identifier corresponding to the IP address of the host;
the source zone identifier and the destination zone identifier being the same means:
there is an intersection between the bits set in the source zone identifier and the bits set in the destination zone identifier.
In a possible embodiment, the identifier management module is specifically configured to determine, if there is no intersection between the first zone and any other zone, the value corresponding to the first zone as a target value, where different zones correspond to different values;
adjusting the independent identification bits in a binary number group of preset length so that the value represented by the independent identification bits equals the target value, and taking the adjusted binary number group as the zone identifier corresponding to the IP address of the host;
if there is an intersection between the first zone and another zone, determining the bit corresponding to each zone to which the host belongs as a target bit, where different zones correspond to different bits;
setting each target bit within the interaction identification bits of the binary number group of preset length, and taking the resulting binary number group as the zone identifier corresponding to the IP address of the host, where the interaction identification bits and the independent identification bits do not overlap;
the source zone identifier and the destination zone identifier being the same means:
the value represented by the independent identification bits of the source zone identifier equals the value represented by the independent identification bits of the destination zone identifier and is not the default value; or
there is an intersection between the set interaction identification bits of the source zone identifier and the set interaction identification bits of the destination zone identifier.
In a possible embodiment, the table entry issuing module is specifically configured to issue, to the ACL, the following second ACL table entry:
a third ACL entry, representing that if the source zone identifier is the same as the destination zone identifier, the forwarding policy is to allow forwarding;
a fourth ACL entry, representing that if the source zone identifier is the zone identifier corresponding to the IP address of any host in the first zone and the destination zone identifier is any zone identifier, the forwarding policy is to deny forwarding;
a fifth ACL entry, representing that if the source zone identifier is any zone identifier and the destination zone identifier is the zone identifier corresponding to the IP address of any host in the first zone, the forwarding policy is to deny forwarding;
where the third ACL entry has a higher priority than the fourth ACL entry and a higher priority than the fifth ACL entry.
In a third aspect of the embodiments of the present invention, there is provided an electronic device including a processor, a communication interface, a memory, and a communication bus, wherein the processor, the communication interface, and the memory perform communication with each other through the communication bus;
a memory for storing a computer program;
a processor for implementing the method steps of any of the first aspects above when executing the program stored in the memory.
In a fourth aspect of embodiments of the present invention, there is provided a computer readable storage medium having stored therein a computer program which when executed by a processor implements the method steps of any of the first aspects described above.
The embodiment of the invention has the beneficial effects that:
According to the message forwarding method, message forwarding device and electronic equipment provided by the embodiment of the invention, when the number of hosts in the first zone is excessive, the IP-address-based first ACL entries set for each host of the first zone are deleted from the ACL, and a correspondence between IP address and zone identifier is established for each host of the first zone. A subsequent message sent to or by a host in the first zone can then have its forwarding policy determined by a zone-identifier-based second ACL entry. Since a second ACL entry records a second mapping relation between a source zone identifier, a destination zone identifier and a forwarding policy, and a zone identifier reflects the zone a host belongs to, two hosts in the same zone have the same zone identifier; and since, in the second mapping relation, the forwarding policy for a source zone identifier and destination zone identifier that are the same is to allow forwarding, the forwarding policy between any two hosts of the same zone can be expressed by one and the same second ACL entry, with no need to set a first ACL entry for every pair of hosts in the zone. Compared with IP-address-based first ACL entries, zone-identifier-based second ACL entries therefore save ACL entry resources.
Of course, not every product or method practising the application need achieve all of the advantages set forth above at the same time.
Drawings
In order to illustrate the embodiments of the application or the technical solutions in the prior art more clearly, the drawings used in the embodiments or in the description of the prior art are briefly described below. Obviously, the drawings described below show only some embodiments of the application, and those skilled in the art may obtain other embodiments from these drawings.
Fig. 1 is a schematic flow chart of a message forwarding method according to an embodiment of the present application;
fig. 2 is a schematic flow chart of a method for determining a zone identifier for forwarding a message according to an embodiment of the present application;
fig. 3 is another flow chart of a method for determining a zone identifier for forwarding a message according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of a message forwarding device according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. Based on the embodiments of the present application, all other embodiments obtained by the person skilled in the art based on the present application are included in the scope of protection of the present application.
Referring to fig. 1, a flow diagram of a message forwarding method according to an embodiment of the present invention may include:
S101, when the number of hosts in the first zone is more than a preset threshold value, deleting the first ACL entries set for each host of the first zone in the ACL.
S102, for each host in the first zone, determining a zone identifier corresponding to the IP address of the host.
S103, issuing second ACL entries to the ACL according to the zone identifiers corresponding to the IP addresses of the hosts in the first zone.
S104, determining the first ACL entry hit by the message to be forwarded according to the first source IP address and first destination IP address of the message to be forwarded.
S105, if the message to be forwarded does not hit any first ACL entry in the ACL, determining a first source zone identifier corresponding to the first source IP address and a first destination zone identifier corresponding to the first destination IP address.
S106, determining the second ACL entry hit by the message to be forwarded according to the first source zone identifier and the first destination zone identifier.
S107, processing the message to be forwarded according to the forwarding policy in the second ACL entry hit by the message to be forwarded.
With this embodiment, when the number of hosts in the first zone is too large, the IP-address-based first ACL entries set for each host of the first zone can be deleted from the ACL, and a correspondence between IP address and zone identifier established for each host of the first zone. A subsequent message sent to or by a host in the first zone can then have its forwarding policy determined by a zone-identifier-based second ACL entry. Since a second ACL entry records a second mapping relation between a source zone identifier, a destination zone identifier and a forwarding policy, and a zone identifier reflects the zone a host belongs to, two hosts in the same zone have the same zone identifier; and since, in the second mapping relation, the forwarding policy for a source zone identifier and destination zone identifier that are the same is to allow forwarding, the forwarding policy between any two hosts of the same zone can be expressed by one and the same second ACL entry, with no need to set a first ACL entry for every pair of hosts in the zone. Compared with IP-address-based first ACL entries, zone-identifier-based second ACL entries therefore save ACL entry resources.
For example, assuming that the first zone contains 3 hosts in total, whose IP addresses are denoted a1, a2 and a3, the following entries have to be established in the ACL in the related art:
a1→a2 permit; a1→a3 permit; a1→any deny; any→a1 deny;
a2→a1 permit; a2→a3 permit; a2→any deny; any→a2 deny;
a3→a1 permit; a3→a2 permit; a3→any deny; any→a3 deny.
That is, a total of 12 first ACL entries are established.
In the message forwarding method provided by the embodiment of the present invention, assume that the zone identifier representing the first zone is 0x01;
then, in one possible embodiment, only the following second ACL entries need to be established:
0x01→0x01 permit; 0x01→any deny; any→0x01 deny.
That is, only 3 second ACL entries are needed. Since in the message forwarding method provided by the embodiment of the present invention the first ACL entries set for each host of the first zone are deleted from the ACL, in this example 12 first ACL entries are deleted and only 3 second ACL entries are established, so that 9 ACL entries are saved in total.
Moreover, because the message forwarding method provided by the embodiment of the invention saves ACL entry resources, a zone may be allowed to contain more hosts, so that the user can design the network more conveniently according to actual demands.
The following will explain the foregoing S101 to S107, respectively:
In S101, the first zone is any one of the divided zones, and the preset threshold may be set according to actual requirements; for example, it may be 30, 50, 60, 62 or the like. In a possible embodiment, the more ACL entry resources the executing entity has, the higher the preset threshold may be set, and the fewer ACL entry resources it has, the lower the preset threshold; this prevents the first ACL entries established for the hosts of a single zone from occupying excessive ACL entry resources.
The first ACL entry records a first mapping relation between a source IP address, a destination IP address and a forwarding policy. The representation of a first ACL entry may differ between application scenarios; hereinafter, for convenience of description, a first ACL entry is written as "src IP→dst IP forwarding policy", where src IP is the source IP address recorded by the entry and dst IP is the destination IP address recorded by the entry.
The first ACL entries set for each host of the first zone comprise: the first ACL entries whose recorded source IP address is the IP address of a host in the first zone, and the first ACL entries whose recorded destination IP address is the IP address of a host in the first zone.
Illustratively, assume a total of 2 zones, denoted zone A and zone B, that zone A contains two hosts with IP addresses a1 and a2, and that zone B contains two hosts with IP addresses b1 and b2.
In theory, the following first ACL entries exist:
a1→a2 permit; a1→any deny; any→a1 deny;
a2→a1 permit; a2→any deny; any→a2 deny;
b1→b2 permit; b1→any deny; any→b1 deny;
b2→b1 permit; b2→any deny; any→b2 deny;
Assuming that the first zone is zone A: since the source IP address a1 and the destination IP address a2 recorded in the first ACL entry "a1→a2 permit" are addresses of hosts of the first zone, "a1→a2 permit" is a first ACL entry set for a host of the first zone; and since the source IP address a1 recorded in the first ACL entry "a1→any deny" is the address of a host of the first zone, "a1→any deny" is a first ACL entry set for a host of the first zone. Similarly, the first ACL entries "any→a1 deny", "a2→a1 permit", "a2→any deny" and "any→a2 deny" are first ACL entries set for hosts of the first zone.
Thus, after deleting the first ACL entries set for each host of the first zone, the following first ACL entries remain in the ACL:
b1→b2 permit; b1→any deny; any→b1 deny;
b2→b1 permit; b2→any deny; any→b2 deny;
In S102, the zone identifier represents all zones to which the host belongs. It is understood that in some application scenarios a host may belong to only one zone or to several zones at the same time, while in other application scenarios each host belongs to only one zone.
If a host belongs to only one zone, the zone identifier corresponding to the IP address of the host represents that zone, and may then be regarded as the zone identifier of the zone itself. If a host belongs to several zones, the zone identifier corresponding to the IP address of the host has to represent every zone the host belongs to.
The form of the zone identifier may differ between application scenarios; how to determine the zone identifier corresponding to a host is described below and not repeated here. But the zone identifier should satisfy the following condition: if the zones two hosts belong to intersect, the zone identifiers corresponding to the IP addresses of the two hosts are the same; if they do not intersect, the zone identifiers corresponding to the IP addresses of the two hosts are different.
After determining the zone identifier corresponding to an IP address, the executing entity may record the correspondence by storing the IP address together with its zone identifier. For example, in one possible embodiment, the executing entity may record in the routing table, for the IP address of each host in the first zone, the zone identifier corresponding to that host, thereby establishing the correspondence between IP address and zone identifier.
In S103, a second ACL entry records a second mapping relation between a source zone identifier, a destination zone identifier and a forwarding policy, and in the second mapping relation the forwarding policy corresponding to a source zone identifier and destination zone identifier that are the same is to allow forwarding.
The source zone identifier and the destination zone identifier being the same means that the zones represented by the source zone identifier and by the destination zone identifier intersect. Illustratively, if the source zone identifier represents zones A and B and the destination zone identifier represents zone A, the source zone identifier and the destination zone identifier are the same; if the source zone identifier represents zone A and the destination zone identifier represents zone B, they are different. How to determine whether the source zone identifier is the same as the destination zone identifier is described by example below and not detailed here.
The representation of a second ACL entry may also differ between application scenarios. In one possible embodiment a second ACL entry is written as "src zoneid→dst zoneid forwarding policy", where src zoneid is the source zone identifier and dst zoneid the destination zone identifier recorded by the entry; for example, the second ACL entry "0x01→0x01 permit" records the mapping between source zone identifier 0x01, destination zone identifier 0x01 and the forwarding policy permit, and is hit when the source zone identifier is 0x01 and the destination zone identifier is 0x01.
In another possible embodiment a second ACL entry may also be written as "proposition forwarding policy", where the proposition is a statement about the source zone identifier and the destination zone identifier. For example, a second ACL entry may be written as "if the source zone identifier is the same as the destination zone identifier, permit"; it records the mapping between any source and destination zone identifiers that are the same and the forwarding policy permit, and is hit whenever the source zone identifier is the same as the destination zone identifier.
In S104, the message to be forwarded is any message received by the executing entity that has not yet been processed. The first ACL entry hit by the message to be forwarded is the first ACL entry satisfying the following condition: the source IP address recorded by the entry is the first source IP address, and the destination IP address recorded by the entry is the first destination IP address.
In the embodiment of the invention, when the number of the hosts in the first area is more than the preset threshold, the first ACL table entry set for each host in the first area is deleted, so that the message to be forwarded may not hit any first ACL table entry.
Taking the foregoing example of S101, assume that the message to be forwarded is sent by one host in area A to another host in area A, the first source IP address is a1 and the first destination IP address is a2. The following first ACL entries remain in the ACL:
b1→b2 permit;b1→any deny;any→b1 deny;
b2→b1 permit;b2→any deny;any→b2 deny;
so the message to be forwarded does not hit any first ACL entry.
If the message to be forwarded is sent by one host in area A to a host in area B, or by one host in area B to another host in area B: if the first source IP address is a1 and the first destination IP address is b1, the message to be forwarded hits the first ACL entry "any→b1 deny" and is discarded. If the first source IP address is b1 and the first destination IP address is b2, the message to be forwarded hits the first ACL entry "b1→b2 permit" and is forwarded.
In S105, if the message to be forwarded does not hit any first ACL entry in the ACL, it may be considered that all first ACL entries the message to be forwarded could have hit have been deleted from the ACL. As analysed for S101, if those entries have been deleted, the first source IP address and the first destination IP address may be taken to be IP addresses of hosts in the first area. By way of illustration, still taking the example of S101, the following first ACL entries remain in the ACL:
b1→b2 permit;b1→any deny;any→b1 deny;
b2→b1 permit;b2→any deny;any→b2 deny;
thus, if the message to be forwarded does not hit any first ACL entry, the first source IP address may be considered to be one of a1 and a2, and the first destination IP address the other of a1 and a2. It can be seen that the first source IP address and the first destination IP address are both IP addresses of hosts in the first area.
A correspondence between the IP address of each host in the first area and an area identifier has already been established, so the first source area identifier corresponding to the first source IP address and the first destination area identifier corresponding to the first destination IP address can be determined.
It can be understood that, in the embodiment of the present invention, the second ACL entry hit by the message to be forwarded is determined only when the message to be forwarded misses every first ACL entry; in other words, the first ACL entries have a higher priority than the second ACL entries.
In S106, if the message to be forwarded does not hit any first ACL entry, the first source IP address and the first destination IP address are both IP addresses of hosts in the first area, so the first source area identifier and the first destination area identifier are both area identifiers corresponding to IP addresses of hosts in the first area. The second ACL entries have been issued according to the area identifiers corresponding to the IP addresses of the hosts in the first area. Therefore, the second ACL entry hit by the message to be forwarded can be determined in the ACL.
By way of illustration, taking the foregoing example of S101, assuming that the second ACL entry is expressed in the form "src zoneid→dst zoneid forwarding policy" and that the area identifier corresponding to a1 and a2 is 0x01, the following second ACL entries are issued to the ACL according to the area identifiers corresponding to the IP addresses of the hosts in the first area:
0x01→0x01 permit;any→0x01 deny;0x01→any deny;
If the message to be forwarded does not hit any first ACL entry, the first source IP address is one of a1 and a2 and the first destination IP address is the other, so the first source area identifier and the first destination area identifier are both 0x01, and the message hits the second ACL entry "0x01→0x01 permit".
In S107, if the forwarding policy in the hit second ACL entry is to allow forwarding, that is, permit, the message to be forwarded is forwarded. If the forwarding policy in the hit second ACL entry is to reject forwarding, that is, deny, forwarding of the message to be forwarded is refused.
In order to explain the message forwarding method provided by the embodiment of the present invention more clearly, an exemplary explanation is given below in conjunction with a specific application scenario. Assume that there are three areas in total, denoted area A, area B and area C, where area A contains three hosts denoted A1, A2 and A3, area B contains two hosts denoted B1 and B2, and area C contains three hosts denoted C1, C2 and C3. The IP address of host A1 is denoted a1, the IP address of host A2 is denoted a2, the IP address of host B1 is denoted b1, and so on.
Then, to achieve that hosts belonging to the same area can exchange data while hosts belonging to different areas cannot, the ACL would in theory be (hereinafter ACL1):
a1→a2 permit;a1→a3 permit;a1→any deny;any→a1 deny;
a2→a1 permit;a2→a3 permit;a2→any deny;any→a2 deny;
a3→a1 permit;a3→a2 permit;a3→any deny;any→a3 deny;
b1→b2 permit;b1→any deny;any→b1 deny;
b2→b1 permit;b2→any deny;any→b2 deny;
c1→c2 permit;c1→c3 permit;c1→any deny;any→c1 deny;
c2→c1 permit;c2→c3 permit;c2→any deny;any→c2 deny;
c3→c1 permit;c3→c2 permit;c3→any deny;any→c3 deny;
If the preset threshold is 2, the number of hosts in area A and in area C is greater than the preset threshold, so the first ACL entries set for each host in area A and area C are deleted from the ACL, and after deletion the ACL comprises the following ACL entries:
b1→b2 permit;b1→any deny;any→b1 deny;
b2→b1 permit;b2→any deny;any→b2 deny;
For convenience of description, assuming that the area identifier corresponding to a1, a2 and a3 is 0x01 and the area identifier corresponding to c1, c2 and c3 is 0x02, the following second ACL entries are issued to the ACL in this example:
0x01→0x01 permit;any→0x01 deny;0x01→any deny;
0x02→0x02 permit;any→0x02 deny;0x02→any deny;
That is, the ACL at this time is (hereinafter ACL2):
b1→b2 permit;b1→any deny;any→b1 deny;
b2→b1 permit;b2→any deny;any→b2 deny;
0x01→0x01 permit;any→0x01 deny;0x01→any deny;
0x02→0x02 permit;any→0x02 deny;0x02→any deny;
If the message to be forwarded is sent by host A1 to host A2, the first source IP address of the message to be forwarded is a1 and the first destination IP address is a2. From the first source IP address a1 and the first destination IP address a2 it can be determined that the message to be forwarded does not hit any first ACL entry.
Therefore, the first source area identifier corresponding to a1 and the first destination area identifier corresponding to a2 are determined: both are 0x01. From the first source area identifier 0x01 and the first destination area identifier 0x01 it can be determined that the message to be forwarded hits the second ACL entry "0x01→0x01 permit" in the ACL, so the message to be forwarded is forwarded.
If the message to be forwarded is sent by host A1 to host B1, the first source IP address is a1 and the first destination IP address is b1. From these it can be determined that the message to be forwarded hits the first ACL entry "any→b1 deny", so forwarding of the message is refused.
If the message to be forwarded is sent by host A1 to host C1, the first source IP address is a1 and the first destination IP address is c1. From these it can be determined that the message to be forwarded does not hit any first ACL entry.
Therefore, the first source area identifier corresponding to a1 and the first destination area identifier corresponding to c1 are determined: 0x01 and 0x02 respectively. From the first source area identifier 0x01 and the first destination area identifier 0x02 it can be determined that the message to be forwarded hits the second ACL entries "0x01→any deny" and "any→0x02 deny" in the ACL, so forwarding of the message is refused.
In this example, hosts in the same area can send messages to each other normally, whereas hosts not belonging to the same area cannot. Meanwhile, ACL2 in this example contains only 12 ACL entries, whereas ACL1 for the same case in the related art requires 30 ACL entries. Therefore, the message forwarding method provided by the embodiment of the present invention can effectively save ACL entry resources while isolating hosts in different areas.
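The following Python program is added here as an example; it is not code from the patent or from the applicant. It reproduces the scenario of S101 to S107 for the three areas above: it builds ACL1, deletes the first ACL entries of every host in an area whose size exceeds the threshold of 2, assigns the area identifiers 0x01 and 0x02 to the deleted areas, issues the second ACL entries, and then performs the two-stage lookup (first ACL entries first, area identifiers only on a miss). The tuple representation of entries, the function names, first-match evaluation in issue order, and the default deny for an IP address that has no area identifier are this example's own assumptions.

```python
"""Simulation of the two-tier ACL of the scenario (example code, not the patent's).

Entries are (src, dst, policy) tuples evaluated first-match in issue order;
"any" is the wildcard, as in the ACL listings of the text.
"""

# Constructed topology from the worked scenario: hosts are named by their IP label.
ZONES = {"A": ["a1", "a2", "a3"], "B": ["b1", "b2"], "C": ["c1", "c2", "c3"]}
THRESHOLD = 2


def build_first_entries(zones):
    """ACL1: per-host first ACL entries (permit peers in the same zone, deny the rest)."""
    entries = []
    for hosts in zones.values():
        for host in hosts:
            for peer in hosts:
                if peer != host:
                    entries.append((host, peer, "permit"))
            entries.append((host, "any", "deny"))
            entries.append(("any", host, "deny"))
    return entries


def prune_first_entries(entries, zones, threshold):
    """S101: delete every first ACL entry set for a host of a zone larger than the threshold."""
    big_zone_hosts = {h for hosts in zones.values() if len(hosts) > threshold for h in hosts}
    return [e for e in entries if e[0] not in big_zone_hosts and e[1] not in big_zone_hosts]


def assign_zone_ids(zones, threshold):
    """S102: give each host of a pruned zone that zone's identifier (0x01, 0x02, ...).

    Assumption: zones do not intersect, so a plain number per zone suffices."""
    ip_to_zid, next_id = {}, 1
    for hosts in zones.values():
        if len(hosts) > threshold:
            for host in hosts:
                ip_to_zid[host] = next_id
            next_id += 1
    return ip_to_zid


def build_second_entries(ip_to_zid):
    """S103: per zone identifier issue zid->zid permit, any->zid deny, zid->any deny."""
    entries = []
    for zid in sorted(set(ip_to_zid.values())):
        entries += [(zid, zid, "permit"), ("any", zid, "deny"), (zid, "any", "deny")]
    return entries


def first_match(entries, src, dst):
    """Return the policy of the first entry hit, or None when nothing matches."""
    for entry_src, entry_dst, policy in entries:
        if entry_src in (src, "any") and entry_dst in (dst, "any"):
            return policy
    return None


def decide(first_entries, second_entries, ip_to_zid, src_ip, dst_ip):
    """S104-S107: first ACL entries have priority; on a miss, look up by zone identifiers."""
    policy = first_match(first_entries, src_ip, dst_ip)
    if policy is not None:
        return policy
    src_zid, dst_zid = ip_to_zid.get(src_ip), ip_to_zid.get(dst_ip)
    if src_zid is None or dst_zid is None:
        return "deny"  # assumption: an address with no zone identifier is not forwarded
    policy = first_match(second_entries, src_zid, dst_zid)
    return policy if policy is not None else "deny"


def run_scenario():
    """Build ACL2 of the text: pruned first entries plus issued second entries."""
    first = prune_first_entries(build_first_entries(ZONES), ZONES, THRESHOLD)
    ip_to_zid = assign_zone_ids(ZONES, THRESHOLD)
    second = build_second_entries(ip_to_zid)
    return first, second, ip_to_zid


if __name__ == "__main__":
    first, second, ids = run_scenario()
    print(f"ACL1 has {len(build_first_entries(ZONES))} entries, ACL2 has {len(first) + len(second)}")
    for src, dst in [("a1", "a2"), ("a1", "b1"), ("a1", "c1"), ("b1", "b2")]:
        print(f"{src} -> {dst}: {decide(first, second, ids, src, dst)}")
```

Running the program prints the 30-versus-12 entry counts of the text and the four decisions discussed above (a1→a2 permit, a1→b1 deny, a1→c1 deny, b1→b2 permit).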
How to determine the area identifier is described as follows:
If no two areas intersect, that is, no host is included in two areas, the area identifier corresponding to the IP address of a host may simply be the identifier of the first area. In this case an identifier may be allocated to the first area, and the identifier allocated to the first area is used as the area identifier corresponding to the IP address of each host in it.
The identifier allocated to the first area may take any form, provided that identifiers allocated to different areas differ. By way of example, in one possible embodiment, the identifier of an area may be represented by a value in the range 0-255; if one area has been allocated the value "211" as its identifier, the value "211" cannot be allocated to another area.
However, if at least two areas intersect, some hosts belong to several areas. If the area identifier corresponding to the IP address of such a host were simply the identifier allocated to one area, the area identifier could not represent all the areas to which the host belongs.
Therefore, in order that the area identifier corresponding to the IP address of a host can indicate all the areas to which the host belongs even when hosts belong to several areas, one possible embodiment, as shown in fig. 2, comprises:
S201, determining the bit corresponding to each area to which the host belongs as a target bit.
Different areas correspond to different bits. For example, assuming that there are 3 areas in total, denoted area A, area B and area C, and 8 bits in total, area A may correspond to the first bit, area B to the second bit and area C to the third bit; or area A may correspond to the second bit, area B to the fourth bit and area C to the first bit. The correspondence between areas and bits may be established in advance, or may be established when the bit corresponding to an area needs to be determined.
S202, setting each target bit in a binary array of a preset length, and taking the set binary array as the area identifier corresponding to the IP address of the host.
The preset length may differ according to the application scenario. Hereinafter, for convenience of description, only a preset length of 16 bits is used as an example; the principle is the same for other lengths, such as 8 bits, 24 bits or 128 bits, which are therefore not described.
The bit corresponding to any area should belong to the binary array. By way of example, assuming that the binary array has a length of 16 bits, i.e. it comprises 16 bits denoted the first bit, the second bit, the third bit, ... and so on, the bit corresponding to any area should be one of the first bit to the sixteenth bit.
Setting a target bit means changing its value. Illustratively, assuming that every bit in the binary array is initially 0, setting the target bit means changing its value to 1. For example, assuming that the target bits are the first, second and fifth bits, and that the first bit is the last (least significant) bit of the binary array, the second bit the penultimate bit, and so on, the set binary array is 0000000000010011.
In this embodiment, the source area identifier and the destination area identifier being the same means: there is an intersection between the set bits of the source area identifier and the set bits of the destination area identifier. For example, if the first, second and fifth bits of the source area identifier are set and the first and fourth bits of the destination area identifier are set, the source area identifier is the same as the destination area identifier. For another example, if the first, second and third bits of the source area identifier are set and the fourth bit of the destination area identifier is set, the source area identifier is different from the destination area identifier.
It can be understood that, in this embodiment, because the target bits set in the area identifier corresponding to the IP address of the host are the bits corresponding to the areas to which the host belongs, the set bits of the area identifier represent all the areas to which the host belongs. Whether there is an intersection between the areas represented by the source area identifier and those represented by the destination area identifier, that is, whether the two identifiers are the same, can then be judged from the set bits of the two identifiers.
With this embodiment, by making different areas correspond to different bits and setting the binary array according to the areas to which the host belongs, the determined area identifier effectively represents every area to which the host belongs.
It will be appreciated that this embodiment requires that the bit corresponding to any area belongs to the binary array and that different areas correspond to different bits. The number of areas therefore cannot exceed the length of the binary array, which is usually limited, so the number of areas is limited. For example, with a binary array length of 16 bits the number of areas should not exceed 16, and this embodiment cannot be applied if the user needs to divide 17 or more areas.
Based on this, one possible embodiment, as shown in fig. 3, comprises:
S301, if there is no intersection between the first area and any other area, determining the value corresponding to the first area as the target value.
The other areas are the areas in the network other than the first area, and different areas correspond to different values.
S302, adjusting the independent identification bits in a binary array of the preset length so that the value represented by the independent identification bits equals the target value, and taking the adjusted binary array as the area identifier corresponding to the IP address of the host.
The independent identification bits are a subset of the bits of the binary array, i.e. the number of independent identification bits is smaller than the preset length. For convenience of description, only the case of a preset length of 16 bits with 8 independent identification bits is described; the principle is the same for other preset lengths and/or other numbers of independent identification bits.
It will be appreciated that a binary number of length k can represent a maximum value of 2^k - 1, and the target value must be representable by the independent identification bits, so the target value should be no greater than 2^m - 1, where m is the number of independent identification bits; for example, if m = 8 the target value lies in the range [0, 255]. Similarly, the value corresponding to any area should be no greater than 2^m - 1.
Assuming that the value corresponding to the first area is 3, the preset length is 16 bits, there are 8 independent identification bits and they are the first 8 bits of the binary array, and the binary array is initially 0000000000000000, the binary array is adjusted to 0000001100000000 in this example.
S303, if there is an intersection between the first area and another area, determining the bit corresponding to each area to which the host belongs as a target bit.
Different areas correspond to different bits.
S304, setting each target bit among the interaction identification bits in the binary array of the preset length, and taking the set binary array as the area identifier corresponding to the IP address of the host.
The interaction identification bits and the independent identification bits do not intersect, i.e. no bit of the binary array serves as both an interaction identification bit and an independent identification bit. In this embodiment the bit corresponding to any area belongs to the interaction identification bits, and an area that does not intersect any other area has no corresponding bit. In other possible embodiments.
For the setting, reference may be made to the description of S202, which is not repeated here. The binary array may comprise only the interaction identification bits and the independent identification bits, or may also comprise other identification bits. For convenience of description, only the case where the binary array comprises just the interaction identification bits and the independent identification bits is described; the same applies when the binary array comprises other identification bits.
Assuming that the preset length is 16 bits, there are 8 independent identification bits and they are the first 8 bits of the binary array, the interaction identification bits are the last 8 bits of the binary array in this example. If the host belongs to area A and area C, the bit corresponding to area A is the last bit of the interaction identification bits, and the bit corresponding to area C is the third-last bit of the interaction identification bits, the area identifier is 0000000000000101.
In this embodiment, the source area identifier and the destination area identifier being the same means:
the value represented by the independent identification bits of the source area identifier equals the value represented by the independent identification bits of the destination area identifier and is not the default value; or, there is an intersection between the set interaction identification bits of the source area identifier and the set interaction identification bits of the destination area identifier. The default value is the value represented by the independent identification bits before adjustment; for example, if the independent identification bits of the binary array default to 00000000, the default value is 0.
For example, assuming that the independent identification bits of the source area identifier are 00000111 and its interaction identification bits are 00000000, and the independent identification bits of the destination area identifier are 00000111 and its interaction identification bits are 00000000, the values represented by the independent identification bits of both identifiers are 7, so the source area identifier is the same as the destination area identifier.
Assuming that the independent identification bits of the source area identifier are 00000111 and its interaction identification bits are 00000000, and the independent identification bits of the destination area identifier are 00000101 and its interaction identification bits are 00000000, the value represented by the independent identification bits of the source area identifier is 7 and that of the destination area identifier is 5, so the two values differ; and since no interaction identification bit is set in either identifier, there is no intersection between their set interaction identification bits. The source area identifier is therefore different from the destination area identifier.
Assuming that the independent identification bits of the source area identifier are 00000000 and its interaction identification bits are 00000111, and the independent identification bits of the destination area identifier are 00000000 and its interaction identification bits are 00000101, there is an intersection between the set interaction identification bits of the source area identifier and those of the destination area identifier, so the source area identifier is the same as the destination area identifier.
It can be appreciated that, if the first area does not intersect any other area, every host in the first area can be considered to belong only to the first area, that is, the area identifier corresponding to the IP address of each host in the first area only needs to represent the first area, so a numerical value can be used directly as the area identifier in order to save area identifier resources. If the first area intersects another area, at least one host in the first area belongs to several areas, and the area identifier is set so as to indicate all the areas to which the host belongs. Therefore, with this embodiment, the area identifier is determined in different ways according to whether the first area intersects other areas, saving area identifier resources as far as possible while still representing every area to which a host belongs. The message forwarding method provided by the embodiment of the present invention is therefore suitable for scenarios with many areas.
For example, with a preset length of 16 bits, 8 independent identification bits and 8 interaction identification bits, a scenario can in theory contain at most 255 areas that do not intersect other areas and at most 8 areas that intersect other areas, i.e. at most 263 areas.
Still taking the foregoing ACL2 as an example, the two second ACL entries "0x01→0x01 permit" and "0x02→0x02 permit" in ACL2 can be replaced by the single second ACL entry "if the source area identifier is the same as the destination area identifier, allow forwarding", further saving ACL entry resources.
Thus, in one possible embodiment, when the second ACL entries are issued to the ACL according to the area identifiers corresponding to the IP addresses of the hosts in the first area, the following entries may be issued:
a third ACL entry, used to indicate that if the source area identifier is the same as the destination area identifier, the forwarding policy is to allow forwarding;
a fourth ACL entry, used to indicate that if the source area identifier is the area identifier corresponding to the IP address of any host in the first area and the destination area identifier is any area identifier, the forwarding policy is to reject forwarding;
and a fifth ACL entry, used to indicate that if the source area identifier is any area identifier and the destination area identifier is the area identifier corresponding to the IP address of any host in the first area, the forwarding policy is to reject forwarding.
The priority of the third ACL entry is higher than that of the fourth ACL entry, and the priority of the third ACL entry is higher than that of the fifth ACL entry.
For example, assuming that the area identifier corresponding to the IP address of each host in the first area is 0x01, the third ACL entry is "if the source area identifier is the same as the destination area identifier, allow forwarding", the fourth ACL entry is "0x01→any deny", and the fifth ACL entry is "any→0x01 deny".
Assuming that the area identifier corresponding to the first source IP address of the message to be forwarded is 0x01 and the area identifier corresponding to the first destination IP address is 0x01, then among the second ACL entries the message could in theory hit the third, fourth and fifth ACL entries; because the third ACL entry has the highest priority, the message to be forwarded hits the third ACL entry, whose recorded forwarding policy is to allow forwarding, so the message to be forwarded is forwarded.
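The following Python program is added as an example and is not code from the patent or from the applicant. It implements the two ways of determining the area identifier described above (the single bitmap of S201-S202 and the independent/interaction split of S301-S304), the corresponding definitions of when two area identifiers are "the same", the 255 + 8 capacity figure, and the priority-ordered evaluation of the third, fourth and fifth ACL entries. It assumes a 16-bit array in which the first bit is the least significant bit, the independent identification bits are the first 8 bits written (the high byte) and the interaction identification bits are the last 8 bits (the low byte), matching the worked values above; the function names are hypothetical.

```python
"""Area identifiers as 16-bit arrays and the "same identifier" test (example code).

Bit numbering: bit 1 is the least significant bit, as in the 0000000000010011
example of S202. Layout for the fig. 3 embodiment: high byte = independent
identification bits, low byte = interaction identification bits.
"""

LENGTH = 16
INDEP_BITS = 8                                  # number of independent identification bits
INTER_BITS = LENGTH - INDEP_BITS                # number of interaction identification bits
INTER_MASK = (1 << INTER_BITS) - 1              # 0x00FF
DEFAULT_VALUE = 0                               # independent bits before any adjustment


def _set_bits(zone_bits, limit):
    """Set one bit per area the host belongs to; bit numbers are 1-based."""
    zid = 0
    for bit in zone_bits:
        if not 1 <= bit <= limit:
            raise ValueError(f"bit {bit} outside 1..{limit}")
        zid |= 1 << (bit - 1)
    return zid


def flat_zone_id(zone_bits):
    """Fig. 2 embodiment (S201-S202): every area owns one bit of the whole array."""
    return _set_bits(zone_bits, LENGTH)


def flat_same(src, dst):
    """Fig. 2 'same': the set bits of the two identifiers intersect."""
    return (src & dst) != 0


def hybrid_zone_id(zone_value=None, zone_bits=()):
    """Fig. 3 embodiment (S301-S304).

    A host whose area intersects no other area (zone_value given) carries the
    area's value in the independent bits; a host of intersecting areas sets one
    interaction bit per area. Value 0 is reserved as the default value."""
    if zone_value is not None:
        if not 1 <= zone_value <= (1 << INDEP_BITS) - 1:
            raise ValueError("area value must fit the independent bits and not be the default")
        return zone_value << INTER_BITS
    return _set_bits(zone_bits, INTER_BITS)


def hybrid_same(src, dst):
    """Fig. 3 'same': equal non-default independent values, or intersecting interaction bits."""
    src_val, dst_val = src >> INTER_BITS, dst >> INTER_BITS
    if src_val == dst_val and src_val != DEFAULT_VALUE:
        return True
    return (src & dst & INTER_MASK) != 0


def capacity():
    """(non-intersecting areas, intersecting areas) the layout can distinguish."""
    return (1 << INDEP_BITS) - 1, INTER_BITS


def lookup_second_entries(src_zid, dst_zid, first_zone_ids, same=hybrid_same):
    """Evaluate the third, fourth and fifth ACL entries in priority order.

    first_zone_ids: the area identifiers corresponding to the hosts of the first
    area, i.e. the identifiers the fourth and fifth entries were issued for."""
    if same(src_zid, dst_zid):
        return "permit"          # third entry: same identifiers, highest priority
    if src_zid in first_zone_ids:
        return "deny"            # fourth entry: zid -> any
    if dst_zid in first_zone_ids:
        return "deny"            # fifth entry: any -> zid
    return None                  # no second ACL entry hit


if __name__ == "__main__":
    print(f"{flat_zone_id([1, 2, 5]):016b}")                 # 0000000000010011 (S202)
    print(f"{hybrid_zone_id(zone_value=3):016b}")            # 0000001100000000 (S302)
    print(f"{hybrid_zone_id(zone_bits=[1, 3]):016b}")        # 0000000000000101 (S304)
    a_id = hybrid_zone_id(zone_value=1)
    print(lookup_second_entries(a_id, a_id, {a_id}))          # permit
```

The three "same" cases worked in the text (7 vs 7, 7 vs 5 with no interaction bits, and interaction bits 00000111 vs 00000101) are exactly the two branches of hybrid_same; note that two hosts whose identifiers are both still at the default value are not treated as the same area, which is why a non-intersecting area must never be allocated the value 0.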
Referring to fig. 4, fig. 4 is a schematic structural diagram of a packet forwarding device according to an embodiment of the present invention, where the device includes:
the table entry deletion module 401 is configured to delete, in an access control list ACL, a first ACL table entry set for each host in a first area when the number of hosts in the first area is greater than a preset threshold, where the first ACL table entry is used to record a first mapping relationship of a source IP address, a destination IP address, and a forwarding policy, and the first area is an arbitrary area;
An identifier management module 402, configured to determine, for each host in the first area, an area identifier corresponding to an IP address of the host, where the area identifier is used to represent all areas to which the host belongs;
an entry issuing module 403, configured to issue a second ACL entry to the ACL according to a zone identifier corresponding to an IP address of each host in the first zone, where the second ACL entry is used to record a second mapping relationship of a source zone identifier, a destination zone identifier, and a forwarding policy, where forwarding policies corresponding to the same source zone identifier and destination zone identifier in the second mapping relationship are forwarding permission;
a first entry matching module 404, configured to determine the first ACL entry hit by a message to be forwarded according to a first source IP address and a first destination IP address of the message to be forwarded;
an identifier determining module 405, configured to determine a first source area identifier corresponding to the first source IP address and a first destination area identifier corresponding to the first destination IP address if the message to be forwarded does not hit any first ACL entry in the ACL;
a second entry matching module 406, configured to determine the second ACL entry hit by the message to be forwarded according to the first source area identifier and the first destination area identifier;
and a forwarding module 407, configured to process the message to be forwarded according to the forwarding policy in the second ACL entry hit by the message to be forwarded.
In a possible embodiment, the identifier management module 402 is specifically configured to determine, as a target bit, the bit corresponding to each area to which the host belongs, where different areas correspond to different bits;
and to set each target bit in a binary array of a preset length and take the set binary array as the area identifier corresponding to the IP address of the host;
where the source area identifier and the destination area identifier being the same comprises:
there is an intersection between the set bits of the source area identifier and the set bits of the destination area identifier.
In a possible embodiment, the identifier management module 402 is specifically configured to determine, as the target value, the value corresponding to the first area if there is no intersection between the first area and any other area, where different areas correspond to different values;
to adjust the independent identification bits in a binary array of a preset length so that the value represented by the independent identification bits equals the target value, and take the adjusted binary array as the area identifier corresponding to the IP address of the host;
if there is an intersection between the first area and another area, to determine, as a target bit, the bit corresponding to each area to which the host belongs, where different areas correspond to different bits;
and to set each target bit among the interaction identification bits in the binary array of the preset length and take the set binary array as the area identifier corresponding to the IP address of the host, where the interaction identification bits and the independent identification bits have no intersection;
where the source area identifier and the destination area identifier being the same comprises:
the value represented by the independent identification bits of the source area identifier equals the value represented by the independent identification bits of the destination area identifier and is not the default value; or,
there is an intersection between the set interaction identification bits of the source area identifier and the set interaction identification bits of the destination area identifier.
In a possible embodiment, the table entry issuing module 403 is specifically configured to issue the following second ACL entries to the ACL:
a third ACL entry, indicating that the forwarding policy is permit when the source zone identifier and the destination zone identifier are the same;
a fourth ACL entry, indicating that the forwarding policy is deny when the source zone identifier is the zone identifier corresponding to the IP address of any host in the first zone and the destination zone identifier is any zone identifier;
a fifth ACL entry, indicating that the forwarding policy is deny when the source zone identifier is any zone identifier and the destination zone identifier is the zone identifier corresponding to the IP address of any host in the first zone;
where the third ACL entry has a higher priority than the fourth ACL entry, and the third ACL entry has a higher priority than the fifth ACL entry.
The embodiment of the invention also provides an electronic device, as shown in Fig. 5, comprising a processor 501, a communication interface 502, a memory 503 and a communication bus 504, where the processor 501, the communication interface 502 and the memory 503 communicate with each other through the communication bus 504;
the memory 503 is configured to store a computer program;
the processor 501 is configured to execute the program stored in the memory 503 and thereby implement the following steps:
when the number of hosts in a first zone exceeds a preset threshold, deleting from an access control list (ACL) the first ACL entries set for each host in the first zone, where a first ACL entry records a first mapping relationship between a source IP address, a destination IP address and a forwarding policy, and the first zone is any zone;
determining, for each host in the first zone, a zone identifier corresponding to the IP address of the host, where the zone identifier represents all zones to which the host belongs;
issuing second ACL entries to the ACL according to the zone identifiers corresponding to the IP addresses of the hosts in the first zone, where a second ACL entry records a second mapping relationship between a source zone identifier, a destination zone identifier and a forwarding policy, and in the second mapping relationship the forwarding policy corresponding to a source zone identifier and a destination zone identifier that are the same is permit;
determining the first ACL entry hit by a message to be forwarded according to the first source IP address and the first destination IP address of the message;
if the message to be forwarded hits no first ACL entry in the ACL, determining a first source zone identifier corresponding to the first source IP address and a first destination zone identifier corresponding to the first destination IP address;
determining the second ACL entry hit by the message to be forwarded according to the first source zone identifier and the first destination zone identifier;
and processing the message to be forwarded according to the forwarding policy in the second ACL entry hit by the message.
The communication bus of the electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus and so on. For ease of illustration only one bold line is drawn in the figure, which does not mean there is only one bus or only one type of bus.
The communication interface is used for communication between the electronic device and other devices.
The memory may include random access memory (RAM) or non-volatile memory (NVM), for example at least one disk memory. Optionally, the memory may also be at least one storage device located remotely from the processor.
The processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP) and the like; or a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In yet another embodiment of the present invention, a computer readable storage medium is provided, in which a computer program is stored, the computer program implementing the steps of any one of the above-mentioned message forwarding methods when executed by a processor.
In yet another embodiment of the present invention, a computer program product containing instructions that, when run on a computer, cause the computer to perform any of the message forwarding methods of the embodiments described above is also provided.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the flows or functions according to the embodiments of the present invention are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another, for example by wire (coaxial cable, optical fiber, digital subscriber line (DSL)) or wirelessly (infrared, radio, microwave, etc.). The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example a floppy disk, hard disk or magnetic tape), an optical medium (for example a DVD), or a semiconductor medium (for example a solid state disk (SSD)).
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
In this specification, each embodiment is described in a related manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment mainly describes differences from other embodiments. In particular, for embodiments of the apparatus, electronic device, computer readable storage medium, computer program product, the description is relatively simple as it is substantially similar to the method embodiments, where relevant see also part of the description of the method embodiments.
The foregoing description is only of the preferred embodiments of the present invention and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention are included in the protection scope of the present invention.

Claims (10)

1. A method for forwarding a message, the method comprising:
when the number of hosts in a first zone exceeds a preset threshold, deleting from an access control list (ACL) the first ACL entries set for each host in the first zone, where a first ACL entry records a first mapping relationship between a source IP address, a destination IP address and a forwarding policy, and the first zone is any zone;
determining, for each host in the first zone, a zone identifier corresponding to the IP address of the host, where the zone identifier represents all zones to which the host belongs;
issuing second ACL entries to the ACL according to the zone identifiers corresponding to the IP addresses of the hosts in the first zone, where a second ACL entry records a second mapping relationship between a source zone identifier, a destination zone identifier and a forwarding policy, and in the second mapping relationship the forwarding policy corresponding to a source zone identifier and a destination zone identifier that are the same is permit;
determining the first ACL entry hit by a message to be forwarded according to the first source IP address and the first destination IP address of the message;
if the message to be forwarded hits no first ACL entry in the ACL, determining a first source zone identifier corresponding to the first source IP address and a first destination zone identifier corresponding to the first destination IP address;
determining the second ACL entry hit by the message to be forwarded according to the first source zone identifier and the first destination zone identifier;
and processing the message to be forwarded according to the forwarding policy in the second ACL entry hit by the message.
2. The method of claim 1, wherein determining the zone identifier corresponding to the IP address of the host comprises:
determining the bit corresponding to each zone to which the host belongs as a target bit, where different zones correspond to different bits;
setting each target bit in a bit string of preset length, and using the resulting bit string as the zone identifier corresponding to the IP address of the host;
the source zone identifier and the destination zone identifier being the same means:
the bits set in the source zone identifier and the bits set in the destination zone identifier have an intersection.
3. The method of claim 1, wherein determining the zone identifier corresponding to the IP address of the host comprises:
if the first zone has no intersection with any other zone, determining the value corresponding to the first zone as a target value, where different zones correspond to different values;
adjusting the independent identification bits in a bit string of preset length so that the value represented by the independent identification bits equals the target value, and using the adjusted bit string as the zone identifier corresponding to the IP address of the host;
if the first zone has an intersection with another zone, determining the bit corresponding to each zone to which the host belongs as a target bit, where different zones correspond to different bits;
setting each target bit among the interaction identification bits of the bit string of preset length, and using the resulting bit string as the zone identifier corresponding to the IP address of the host, where the interaction identification bits and the independent identification bits do not overlap;
the source zone identifier and the destination zone identifier being the same means:
the value represented by the independent identification bits of the source zone identifier equals the value represented by the independent identification bits of the destination zone identifier and is not the default value; or
the interaction identification bits set in the source zone identifier and the interaction identification bits set in the destination zone identifier have an intersection.
4. The method according to any one of claims 1-3, wherein issuing second ACL entries to the ACL according to the zone identifiers corresponding to the IP addresses of the hosts in the first zone comprises:
issuing the following second ACL entries to the ACL:
a third ACL entry, indicating that the forwarding policy is permit when the source zone identifier and the destination zone identifier are the same;
a fourth ACL entry, indicating that the forwarding policy is deny when the source zone identifier is the zone identifier corresponding to the IP address of any host in the first zone and the destination zone identifier is any zone identifier;
a fifth ACL entry, indicating that the forwarding policy is deny when the source zone identifier is any zone identifier and the destination zone identifier is the zone identifier corresponding to the IP address of any host in the first zone;
where the third ACL entry has a higher priority than the fourth ACL entry, and the third ACL entry has a higher priority than the fifth ACL entry.
5. A message forwarding device, the device comprising:
an entry deletion module, configured to delete from an access control list (ACL) the first ACL entries set for each host in a first zone when the number of hosts in the first zone exceeds a preset threshold, where a first ACL entry records a first mapping relationship between a source IP address, a destination IP address and a forwarding policy, and the first zone is any zone;
an identifier management module, configured to determine, for each host in the first zone, a zone identifier corresponding to the IP address of the host, where the zone identifier represents all zones to which the host belongs;
a table entry issuing module, configured to issue second ACL entries to the ACL according to the zone identifiers corresponding to the IP addresses of the hosts in the first zone, where a second ACL entry records a second mapping relationship between a source zone identifier, a destination zone identifier and a forwarding policy, and in the second mapping relationship the forwarding policy corresponding to a source zone identifier and a destination zone identifier that are the same is permit;
a first entry matching module, configured to determine the first ACL entry hit by a message to be forwarded according to the first source IP address and the first destination IP address of the message;
an identifier determining module, configured to determine, if the message to be forwarded hits no first ACL entry in the ACL, a first source zone identifier corresponding to the first source IP address and a first destination zone identifier corresponding to the first destination IP address;
a second entry matching module, configured to determine the second ACL entry hit by the message to be forwarded according to the first source zone identifier and the first destination zone identifier;
and a forwarding module, configured to process the message to be forwarded according to the forwarding policy in the second ACL entry hit by the message.
6. The apparatus according to claim 5, wherein the identifier management module is specifically configured to determine the bit corresponding to each zone to which the host belongs as a target bit, where different zones correspond to different bits;
set each target bit in a bit string of preset length, and use the resulting bit string as the zone identifier corresponding to the IP address of the host;
the source zone identifier and the destination zone identifier being the same means:
the bits set in the source zone identifier and the bits set in the destination zone identifier have an intersection.
7. The apparatus according to claim 5, wherein the identifier management module is specifically configured to: if the first zone has no intersection with any other zone, determine the value corresponding to the first zone as a target value, where different zones correspond to different values;
adjust the independent identification bits in a bit string of preset length so that the value represented by the independent identification bits equals the target value, and use the adjusted bit string as the zone identifier corresponding to the IP address of the host;
if the first zone has an intersection with another zone, determine the bit corresponding to each zone to which the host belongs as a target bit, where different zones correspond to different bits;
set each target bit among the interaction identification bits of the bit string of preset length, and use the resulting bit string as the zone identifier corresponding to the IP address of the host, where the interaction identification bits and the independent identification bits do not overlap;
the source zone identifier and the destination zone identifier being the same means:
the value represented by the independent identification bits of the source zone identifier equals the value represented by the independent identification bits of the destination zone identifier and is not the default value; or
the interaction identification bits set in the source zone identifier and the interaction identification bits set in the destination zone identifier have an intersection.
8. The apparatus according to any one of claims 5-7, wherein the table entry issuing module is specifically configured to issue the following second ACL entries to the ACL:
a third ACL entry, indicating that the forwarding policy is permit when the source zone identifier and the destination zone identifier are the same;
a fourth ACL entry, indicating that the forwarding policy is deny when the source zone identifier is the zone identifier corresponding to the IP address of any host in the first zone and the destination zone identifier is any zone identifier;
a fifth ACL entry, indicating that the forwarding policy is deny when the source zone identifier is any zone identifier and the destination zone identifier is the zone identifier corresponding to the IP address of any host in the first zone;
where the third ACL entry has a higher priority than the fourth ACL entry, and the third ACL entry has a higher priority than the fifth ACL entry.
9. An electronic device, comprising a processor, a communication interface, a memory and a communication bus, where the processor, the communication interface and the memory communicate with each other through the communication bus;
the memory is configured to store a computer program;
the processor is configured to implement the method steps of any one of claims 1-4 when executing the program stored in the memory.
10. A computer-readable storage medium, having stored therein a computer program which, when executed by a processor, implements the method steps of any one of claims 1-4.
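The procedure of claims 1 and 4 (delete the per-host entries of an oversized zone, issue the third/fourth/fifth zone-identifier entries with the permit entry at higher priority, look up the exact host pair first and fall back to zone identifiers) together with the two identifier encodings of claims 2 and 3, and the matching device description earlier on this page, worked through in code. This is an added illustration written for this page, not H3C's implementation and not code from the patent; the zone names, host addresses, the 8-bit identifier width, the 4/4 split between independent and interaction bits, the host-count threshold of 2, the reading of "entries set for each host" as entries whose source is a member, and all function names are assumptions.

```python
# Added illustration of claims 1-4 of CN113965401B: per-host ACL entries are
# replaced by zone-identifier entries once a zone grows past a threshold.
# Not H3C's code. Zone names, addresses, bit widths and threshold are assumptions.

ID_WIDTH = 8       # preset length of the identifier bit string (assumption)
IND_BITS = 4       # claim 3 split: low 4 bits independent, high 4 bits interaction
THRESHOLD = 2      # preset host-count threshold (assumption)
PERMIT, DENY = "permit", "deny"

# Constructed topology: zone_a and zone_b share 10.0.0.2, zone_c overlaps nothing.
ZONES = {
    "zone_a": {"10.0.0.1", "10.0.0.2", "10.0.0.3"},
    "zone_b": {"10.0.0.2", "10.0.0.4"},
    "zone_c": {"10.0.0.5"},
}
ZONE_BIT = {"zone_a": 0, "zone_b": 1, "zone_c": 2}    # claim 2: distinct bit per zone
ZONE_VALUE = {"zone_a": 1, "zone_b": 2, "zone_c": 3}  # claim 3: distinct non-zero value

def zone_id(host, zones=ZONES):
    """Claim 2: one bit set for every zone the host belongs to."""
    ident = 0
    for zone, members in zones.items():
        if host in members:
            ident |= 1 << ZONE_BIT[zone]
    return ident & ((1 << ID_WIDTH) - 1)

def same_zone(src_id, dst_id):
    """Claim 2: identifiers are 'the same' when their set bits intersect."""
    return src_id & dst_id != 0

def zone_overlaps(zone, zones=ZONES):
    """True when the zone shares at least one host with another zone."""
    return any(zones[zone] & m for z, m in zones.items() if z != zone)

def zone_id_v2(host, zone, zones=ZONES):
    """Claim 3: a host of a zone overlapping no other zone carries the zone's value
    in the independent bits; a host of an overlapping zone gets one interaction bit
    per zone it belongs to, with the independent bits left at the default 0."""
    if not zone_overlaps(zone, zones):
        return ZONE_VALUE[zone]
    ident = 0
    for z, members in zones.items():
        if host in members:
            ident |= 1 << (IND_BITS + ZONE_BIT[z])
    return ident

def same_zone_v2(src_id, dst_id):
    """Claim 3: equal non-default independent values, or intersecting interaction bits."""
    mask = (1 << IND_BITS) - 1
    if src_id & mask == dst_id & mask and src_id & mask != 0:
        return True
    return (src_id >> IND_BITS) & (dst_id >> IND_BITS) != 0

def first_acl_for(zone, zones=ZONES):
    """First ACL entries: one (src IP, dst IP) -> policy entry per ordered member pair."""
    members = sorted(zones[zone])
    return {(s, d): PERMIT for s in members for d in members if s != d}

def build_second_acl(zone, zones=ZONES):
    """Claim 4: third (permit), fourth and fifth (deny) entries. List order is the
    match priority, so the permit entry is consulted before either deny entry."""
    ids = {zone_id(h, zones) for h in zones[zone]}
    return [
        ("third", lambda s, d: same_zone(s, d), PERMIT),
        ("fourth", lambda s, d: s in ids, DENY),   # source host is in the first zone
        ("fifth", lambda s, d: d in ids, DENY),    # destination host is in the first zone
    ]

def convert_if_oversized(zone, first_acl, zones=ZONES, threshold=THRESHOLD):
    """Claim 1: once the zone exceeds the threshold, delete its per-host entries
    (taken here as entries whose source is a member) and issue zone-identifier entries."""
    if len(zones[zone]) <= threshold:
        return []
    for pair in [p for p in first_acl if p[0] in zones[zone]]:
        del first_acl[pair]
    return build_second_acl(zone, zones)

def forward(src, dst, first_acl, second_acl):
    """Claim 1 lookup: exact host pair first, then zone identifiers in priority order.
    The patent gives no default for a miss on both tables, so None is returned."""
    if (src, dst) in first_acl:
        return first_acl[(src, dst)]
    s, d = zone_id(src), zone_id(dst)
    for _name, matches, policy in second_acl:
        if matches(s, d):
            return policy
    return None

def demo():
    """zone_a has 3 hosts > THRESHOLD, so its 6 host-pair entries are replaced."""
    first_acl = first_acl_for("zone_a")
    second_acl = convert_if_oversized("zone_a", first_acl)
    return first_acl, second_acl
```

Running `demo()` and then `forward(...)` shows why the priority ordering in claim 4 matters: 10.0.0.2 belongs to both zone_a and zone_b, so a packet from 10.0.0.2 to 10.0.0.4 has identifiers 0b011 and 0b010, which intersect and hit the third (permit) entry first; if the fourth entry were consulted first it would be denied because the source identifier belongs to a zone_a host. A packet from the isolated zone_c host to 10.0.0.4 hits none of the three entries; a practitioner deploying this scheme has to choose what the ACL does on that final miss, since the text leaves it open.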
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111284064.5A CN113965401B (en) 2021-11-01 2021-11-01 Message forwarding method and device and electronic equipment

Publications (2)

Publication Number Publication Date
CN113965401A CN113965401A (en) 2022-01-21
CN113965401B true CN113965401B (en) 2023-09-19

Family

ID=79468638

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111284064.5A Active CN113965401B (en) 2021-11-01 2021-11-01 Message forwarding method and device and electronic equipment

Country Status (1)

Country Link
CN (1) CN113965401B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115426258B (en) * 2022-08-23 2023-10-24 Maipu Communication Technology Co., Ltd. Information configuration method, device, switch and readable storage medium

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103718527A (en) * 2013-03-30 2014-04-09 Huawei Technologies Co., Ltd. Communication security processing method, apparatus and system
CN103947160A (en) * 2011-12-07 2014-07-23 Huawei Technologies Co., Ltd. Method to carry FCoE frames over a TRILL based network
CN104717290A (en) * 2015-03-19 2015-06-17 Hangzhou H3C Technologies Co., Ltd. SAN access control method and device
CN107968825A (en) * 2017-11-28 2018-04-27 New H3C Technologies Co., Ltd. Message transmission control method and device
CN110197079A (en) * 2018-02-26 2019-09-03 International Business Machines Corp. Security zones in a knowledge graph
CN111953599A (en) * 2020-07-14 2020-11-17 Ruijie Networks Co., Ltd. Terminal authority control method and device, electronic equipment and storage medium
CN113079097A (en) * 2021-03-24 2021-07-06 New H3C Information Security Technologies Co., Ltd. Message processing method and device
CN113452594A (en) * 2021-06-28 2021-09-28 New H3C Information Security Technologies Co., Ltd. Inner layer message matching method and device of tunnel message

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8321908B2 (en) * 2007-06-15 2012-11-27 Cisco Technology, Inc. Apparatus and method for applying network policy at a network device
SE545400C2 (en) * 2017-06-26 2023-08-01 Telia Co Ab Methods, System and Apparatuses for Routing Data Packets in a Network Topology
US10819576B2 (en) * 2018-03-23 2020-10-27 Juniper Networks, Inc. Enforcing policies in cloud domains with different application nomenclatures

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant