CN113630301B - Data transmission method, device and equipment based on intelligent decision and storage medium - Google Patents


Info

Publication number: CN113630301B
Authority: CN (China)
Prior art keywords: data packet, matching, bridge, data, host
Legal status: Active
Application number: CN202110954681.5A
Other languages: Chinese (zh)
Other versions: CN113630301A (en)
Inventor: 张宏波
Current Assignee: Ping An Technology Shenzhen Co Ltd
Original Assignee: Ping An Technology Shenzhen Co Ltd

Application filed by Ping An Technology Shenzhen Co Ltd
Priority to CN202110954681.5A
Publication of CN113630301A
Priority to PCT/CN2022/071690 (WO2023019876A1)
Application granted
Publication of CN113630301B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46 Interconnection of networks
    • H04L 12/4604 LAN interconnection over a backbone network, e.g. Internet, Frame Relay
    • H04L 12/462 LAN interconnection over a bridge based backbone
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
    • H04L 43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/06 Notations for structuring of protocol data, e.g. abstract syntax notation one [ASN.1]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Environmental & Geological Engineering (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the fields of artificial intelligence and big data, and discloses a data transmission method, device, equipment and storage medium based on intelligent decision. The method comprises the following steps: receiving, through an integrated bridge, a data packet sent by a first host, and performing flow matching on the data packet with a preset kernel flow table to obtain a flow matching result; if the matching succeeds, detecting the transmission state of the data packet at each detection point, creating a connection tracking record corresponding to the data packet, and performing state filtering on the data packet with the connection tracking record to obtain a state filtering result; based on the connection tracking record, transmitting the data packet through the integrated bridge to a protocol stack, which performs host protocol configuration on the data packet and returns it to the integrated bridge; and transmitting the host-protocol-configured data packet from the integrated bridge to the provisioning bridge, which forwards it to the second host. The invention improves the host forwarding performance of distributed-firewall-based data transmission and reduces the consumption of computing resources.

Description

Data transmission method, device and equipment based on intelligent decision and storage medium
Technical Field
The invention relates to the field of artificial intelligence technology and big data, in particular to a data transmission method, a device, equipment and a storage medium based on intelligent decision.
Background
When OVS (Open vSwitch, a virtual switch) is used, a Linux bridge qbr has to be introduced as the mount point for iptables rules in order to reuse the code framework of the original distributed firewall (DFW), and an OVS integration bridge has to be introduced at the same time to aggregate data. That is, a DFW built on OVS needs several bridge-type virtual devices; a packet passing through all of them lowers host forwarding performance, consumes computing resources that tenants could otherwise use, and complicates operation, maintenance and problem tracking because the host exposes many virtual devices. In other words, the existing intelligent-decision data transmission method based on a distributed firewall has the technical problem of low forwarding performance.
Disclosure of Invention
The invention mainly aims to solve the technical problem that the existing intelligent-decision data transmission method based on a distributed firewall has low forwarding performance.
The invention provides a data transmission method based on intelligent decision, applied to a data transmission system based on intelligent decision. The system comprises a protocol stack, an integrated bridge and a provisioning bridge, and the integrated bridge comprises a plurality of detection points. The method comprises the following steps: receiving, through the integrated bridge, a data packet sent by a first host, and performing flow matching on the data packet with a preset kernel flow table to obtain a flow matching result; if the flow matching result is a successful match, detecting, through each detection point, the transmission state of the integrated bridge while it transmits the data packet; according to the detection result, creating a connection tracking record corresponding to the data packet, and filtering the transmission state of the data packet with the connection tracking record to obtain a state filtering result; based on the connection tracking record, transmitting the data packet through the integrated bridge to the protocol stack, performing host protocol configuration on the data packet in the protocol stack to obtain a new data packet, and returning the new data packet to the integrated bridge; and transmitting the new data packet through the integrated bridge to the provisioning bridge, which sends it to a second host.
Optionally, in a first implementation manner of the first aspect of the present invention, the detection points include a receiving detection node, a process detection node and a sending detection node, and creating, according to the detection result, the connection tracking record corresponding to the data packet and filtering the transmission state of the data packet with it to obtain the state filtering result comprises: detecting, through the receiving detection node, the transmission target address of the data packet according to the detection result and a preset first state rule table, and configuring the connection tracking record corresponding to the data packet with that target address; traversing, through the process detection node, a preset second state rule table with the connection tracking record to obtain a traversal result, and selecting from that rule table the connection state matching the connection tracking record according to the traversal result; and confirming, through the sending detection node, the connection state against a preset third state rule table, and taking the successfully confirmed connection state as the state filtering result corresponding to the data packet.
Optionally, in a second implementation manner of the first aspect of the present invention, configuring the connection tracking record corresponding to the data packet with the transmission target address comprises: parsing the transmission target address to obtain the virtual machine domain address and the physical machine network card address that receive the data packet; and configuring the connection tracking record corresponding to the data packet with the virtual machine domain address and the physical machine network card address.
Optionally, in a third implementation manner of the first aspect of the present invention, performing flow matching on the data packet with a preset kernel flow table to obtain the flow matching result comprises: extracting the transmission packet characteristics corresponding to the data packet, where the transmission packet characteristics comprise kernel identification information and a plurality of matching tuples corresponding to the data packet; converting the kernel identification information into a matching key value and selecting the preset kernel flow table that matches this key value, where the kernel flow table comprises a first priority flow table and a second priority flow table; performing exact matching of each matching tuple against the first priority flow table and judging, for each tuple, whether the exact match succeeds; if the exact match succeeds, selecting from the first priority flow table the execution action instruction matching the tuple and taking it as the flow matching result; if the exact match fails, performing fuzzy matching of the corresponding tuple against the second priority flow table and judging whether the fuzzy match succeeds; and if the fuzzy match succeeds, selecting from the second priority flow table the execution action instruction matching the tuple and taking it as the flow matching result.
Optionally, in a fourth implementation manner of the first aspect of the present invention, after judging whether the fuzzy match of the corresponding matching tuple succeeds, the method further comprises: if the fuzzy match of the corresponding matching tuple fails, storing the matching tuple in the first priority flow table and the second priority flow table so as to update both tables.
Optionally, in a fifth implementation manner of the first aspect of the present invention, sending the new data packet to the second host through the provisioning bridge comprises: segmenting the new data packet through the provisioning bridge according to a preset data volume segment threshold to obtain a plurality of data segments, and configuring the control data required to encrypt the first data segment; encrypting the first data segment with the control data through the provisioning bridge to obtain an encrypted data segment, and sending the encrypted data segment to the second host; receiving, through the provisioning bridge, the response information about the encrypted data segment sent by the second host, and determining from the response information whether the second host received the encrypted data segment successfully; if reception succeeded, encrypting the next data segment and sending it to the second host through the provisioning bridge, and continuing until all data segments corresponding to the data packet have been sent to the second host; and if reception failed, retransmitting the encrypted data segment to the second host through the provisioning bridge until the second host receives it successfully or the number of transmissions reaches a preset transmission threshold.
The second aspect of the present invention provides a data transmission device based on intelligent decision, comprising: a flow matching module, configured to receive, through the integrated bridge, a data packet sent by the first host, and to perform flow matching on the data packet with a preset kernel flow table to obtain a flow matching result; a state filtering module, configured to detect, through each detection point, the transmission state of the integrated bridge while it transmits the data packet if the flow matching result is a successful match, to create a connection tracking record corresponding to the data packet according to the detection result, and to filter the transmission state of the data packet with the connection tracking record to obtain a state filtering result; a configuration module, configured to transmit the data packet through the integrated bridge to the protocol stack based on the connection tracking record, to perform host protocol configuration on the data packet in the protocol stack to obtain a new data packet, and to return the new data packet to the integrated bridge; and a sending module, configured to transmit the new data packet through the integrated bridge to the provisioning bridge and to send it to a second host through the provisioning bridge.
Optionally, in a first implementation manner of the second aspect of the present invention, the detection points include a receiving detection node, a process detection node and a sending detection node, and the state filtering module comprises: a configuration unit, configured to detect, through the receiving detection node, the transmission target address of the data packet according to the detection result and a preset first state rule table, and to configure the connection tracking record corresponding to the data packet with that target address; a filtering unit, configured to traverse, through the process detection node, a preset second state rule table with the connection tracking record to obtain a traversal result, and to select from that rule table the connection state matching the connection tracking record according to the traversal result; and a confirming unit, configured to confirm, through the sending detection node, the connection state against a preset third state rule table, and to take the successfully confirmed connection state as the state filtering result corresponding to the data packet.
Optionally, in a second implementation manner of the second aspect of the present invention, the configuration unit is further configured to: parse the transmission target address to obtain the virtual machine domain address and the physical machine network card address that receive the data packet; and configure the connection tracking record corresponding to the data packet with the virtual machine domain address and the physical machine network card address.
Optionally, in a third implementation manner of the second aspect of the present invention, the flow matching module comprises: an extraction unit, configured to extract the transmission packet characteristics corresponding to the data packet, where the transmission packet characteristics comprise kernel identification information and a plurality of matching tuples corresponding to the data packet; a conversion unit, configured to convert the kernel identification information into a matching key value and to select the preset kernel flow table that matches this key value, where the kernel flow table comprises a first priority flow table and a second priority flow table; an exact matching unit, configured to perform exact matching of each matching tuple against the first priority flow table, to judge for each tuple whether the exact match succeeds, and, if it succeeds, to select from the first priority flow table the execution action instruction matching the tuple and take it as the flow matching result; and a fuzzy matching unit, configured to perform fuzzy matching of the corresponding tuple against the second priority flow table if the exact match fails, to judge whether the fuzzy match succeeds, and, if it succeeds, to select from the second priority flow table the execution action instruction matching the tuple and take it as the flow matching result.
Optionally, in a fourth implementation manner of the second aspect of the present invention, the flow matching module further comprises an updating unit, configured to store the matching tuple in the first priority flow table and the second priority flow table if the fuzzy match of the corresponding matching tuple fails, so as to update both tables.
Optionally, in a fifth implementation manner of the second aspect of the present invention, the sending module comprises: a segmentation processing unit, configured to segment the new data packet through the provisioning bridge according to a preset data volume segment threshold to obtain a plurality of data segments, and to configure the control data required to encrypt the first data segment; an encryption unit, configured to encrypt the first data segment with the control data through the provisioning bridge to obtain an encrypted data segment and to send it to the second host; a determining unit, configured to receive, through the provisioning bridge, the response information about the encrypted data segment sent by the second host, and to determine from the response information whether the second host received the encrypted data segment successfully; and a circular processing unit, configured to encrypt the next data segment and send it to the second host through the provisioning bridge if reception succeeded, stopping once all data segments corresponding to the data packet have been encrypted and sent to the second host, and, if reception failed, to retransmit the encrypted data segment to the second host through the provisioning bridge until the second host receives it successfully or the number of transmissions reaches a preset transmission threshold.
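As an added example of the segment, encrypt, acknowledge and retransmit loop in the fifth implementation above (not the patent's code), here is a Python model of both sides with a constructed lossy channel. The SHA-256 counter-mode keystream and HMAC tag stand in for whatever cipher the "control data" configures, and the 4-byte sequence header, 16-byte tag and retransmission threshold are assumptions made for the demo.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

SEQ_LEN, TAG_LEN = 4, 16   # assumed wire layout: seq || ciphertext || tag

@dataclass(frozen=True)
class ControlData:
    """Control data configured before the first segment: per-transfer key and nonce."""
    key: bytes
    nonce: bytes

def _keystream(ctl: ControlData, seq: int, n: int) -> bytes:
    # Toy stream cipher for the demo (SHA-256 counter mode over key, nonce, seq).
    out = bytearray()
    for block in range((n + 31) // 32):
        out += hashlib.sha256(ctl.key + ctl.nonce + seq.to_bytes(4, "big")
                              + block.to_bytes(4, "big")).digest()
    return bytes(out[:n])

def encrypt_segment(ctl: ControlData, seq: int, plain: bytes) -> bytes:
    # The tag covers seq, so a replayed or renumbered segment fails verification.
    header = seq.to_bytes(SEQ_LEN, "big")
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(ctl, seq, len(plain))))
    tag = hmac.new(ctl.key, header + ct, hashlib.sha256).digest()[:TAG_LEN]
    return header + ct + tag

def decrypt_segment(ctl: ControlData, wire: bytes) -> Optional[Tuple[int, bytes]]:
    if len(wire) < SEQ_LEN + TAG_LEN:
        return None
    header, ct, tag = wire[:SEQ_LEN], wire[SEQ_LEN:-TAG_LEN], wire[-TAG_LEN:]
    good = hmac.new(ctl.key, header + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, good):
        return None
    seq = int.from_bytes(header, "big")
    return seq, bytes(a ^ b for a, b in zip(ct, _keystream(ctl, seq, len(ct))))

def segment(data: bytes, threshold: int) -> List[bytes]:
    """Segment preprocessing according to the data volume segment threshold."""
    return [data[i:i + threshold] for i in range(0, len(data), threshold)] or [b""]

class SecondHost:
    """Receiver: positive response only for a verified, in-order (or already held) segment."""

    def __init__(self, ctl: ControlData) -> None:
        self.ctl, self.expected, self.parts = ctl, 0, []

    def on_segment(self, wire: bytes) -> bool:
        res = decrypt_segment(self.ctl, wire)
        if res is None:
            return False                     # corrupted or forged: negative response
        seq, plain = res
        if seq == self.expected:
            self.parts.append(plain)
            self.expected += 1
        return seq < self.expected           # a duplicate after a lost response is re-acked

def bridge_send(ctl: ControlData, channel: Callable[[bytes], Optional[bool]],
                data: bytes, threshold: int, max_tx: int) -> Tuple[bool, List[int]]:
    """Provisioning bridge: encrypt each segment, send it, wait for the response and
    retransmit until acknowledged or max_tx is reached. Returns (delivered, tries)."""
    tries: List[int] = []
    for seq, seg in enumerate(segment(data, threshold)):
        wire = encrypt_segment(ctl, seq, seg)
        for n in range(1, max_tx + 1):
            if channel(wire):                # True = received, False = rejected, None = lost
                break
        else:
            tries.append(n)
            return False, tries              # transmission threshold reached: give up
        tries.append(n)
    return True, tries

class LossyChannel:
    """Constructed channel: loses or corrupts the listed delivery attempts (1-based)."""

    def __init__(self, host: SecondHost, lose: Tuple[int, ...] = (),
                 corrupt: Tuple[int, ...] = ()) -> None:
        self.host, self.lose, self.corrupt, self.n = host, lose, corrupt, 0

    def __call__(self, wire: bytes) -> Optional[bool]:
        self.n += 1
        if self.n in self.lose:
            return None
        if self.n in self.corrupt:
            wire = wire[:-1] + bytes([wire[-1] ^ 0x01])   # flip one tag bit
        return self.host.on_segment(wire)

def demo() -> Tuple[bool, List[int], bytes]:
    """Attempts 2 and 3 are lost and attempt 5 is corrupted; every segment still arrives."""
    ctl = ControlData(key=b"\x11" * 32, nonce=b"\x22" * 12)   # constructed control data
    host = SecondHost(ctl)
    ok, tries = bridge_send(ctl, LossyChannel(host, lose=(2, 3), corrupt=(5,)),
                            b"host protocol configured payload 0123456789", 16, max_tx=4)
    return ok, tries, b"".join(host.parts)
```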
A third aspect of the present invention provides a data transmission device based on intelligent decision, including: a memory and at least one processor, the memory having instructions stored therein; the at least one processor invokes the instructions in the memory to cause the intelligent decision-based data transfer device to perform the intelligent decision-based data transfer method described above.
A fourth aspect of the present invention provides a computer-readable storage medium having stored therein instructions, which, when run on a computer, cause the computer to execute the above-mentioned intelligent decision-based data transmission method.
In the technical scheme provided by the invention, compared with the existing distributed firewall architecture, no Linux bridge qbr has to be introduced: the data packet sent by the first host is received directly by the integrated bridge, flow matching is performed on it with a preset kernel flow table, its transmission state is detected at a plurality of detection points, a connection tracking record corresponding to the data packet is created according to the transmission state detection result, and state filtering is performed on the data packet with the connection tracking record to obtain a state filtering result; finally, based on the connection tracking record, the data packet is transmitted through the integrated bridge to the protocol stack, which performs host protocol configuration on it and returns it to the integrated bridge; and the host-protocol-configured data packet is transmitted through the integrated bridge to the provisioning bridge and from there to the second host. The number of bridges is reduced, the forwarding efficiency of intelligent-decision data transmission is improved, and the performance loss caused by the Linux bridge qbr is reduced, so the computing performance of the system improves.
Drawings
FIG. 1 is a schematic diagram of an embodiment of an intelligent decision-based data transmission system according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of another embodiment of an intelligent decision-based data transmission system according to an embodiment of the present invention;
FIG. 3 is a diagram of a first embodiment of an intelligent decision-based data transmission method according to an embodiment of the present invention;
FIG. 4 is a diagram of a second embodiment of an intelligent decision-based data transmission method according to an embodiment of the present invention;
FIG. 5 is a diagram of a third embodiment of an intelligent decision-based data transmission method according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of an embodiment of an intelligent decision-based data transmission apparatus according to an embodiment of the present invention;
FIG. 7 is a schematic diagram of another embodiment of an intelligent decision-based data transmission apparatus according to an embodiment of the present invention;
FIG. 8 is a schematic diagram of an embodiment of an intelligent decision-based data transmission device according to an embodiment of the present invention.
Detailed Description
The embodiment of the invention provides a data transmission method, device, equipment and storage medium based on intelligent decision, which receive, through an integrated bridge, a data packet sent by a first host and perform flow matching on the data packet with a preset kernel flow table to obtain a flow matching result; if the flow matching result is a successful match, detect through each detection point the transmission state of the integrated bridge while it transmits the data packet, create a connection tracking record corresponding to the data packet according to the transmission state detection result, and perform state filtering on the data packet with the connection tracking record to obtain a state filtering result; based on the connection tracking record, transmit the data packet through the integrated bridge to a protocol stack, which performs host protocol configuration on it and returns it to the integrated bridge; and transmit the host-protocol-configured data packet through the integrated bridge to the provisioning bridge and from there to the second host. The invention improves the host forwarding performance of distributed-firewall-based intelligent-decision data transmission and reduces the consumption of computing resources.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims, as well as in the drawings, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that the embodiments described herein may be practiced otherwise than as specifically illustrated or described herein. Furthermore, the terms "comprises," "comprising," or "having," and any variations thereof, are intended to cover non-exclusive inclusions, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
For ease of understanding, the data transmission system based on intelligent decision to which the method of the present invention applies is described first. Referring to fig. 1, in one embodiment the data transmission system based on intelligent decision 100 comprises a protocol stack 110, an integrated bridge 120 and a provisioning bridge 130, and the integrated bridge 120 may comprise a plurality of detection points 121. The integrated bridge 120 is configured to receive a data packet sent by a first host, perform flow matching on the data packet with a preset kernel flow table, detect in turn, through the plurality of detection points 121 in the integrated bridge, the transmission state of the integrated bridge 120 while it transmits the data packet, create a connection tracking record corresponding to the data packet according to the detection result, and filter the transmission state of the data packet with the connection tracking record to obtain a state filtering result; finally, it transmits the data packet to the protocol stack 110 and transmits the new data packet returned by the protocol stack 110 to the provisioning bridge 130. The protocol stack 110 is configured to perform host protocol configuration on the data packet to obtain a new data packet and return it to the integrated bridge 120. The provisioning bridge 130 is configured to interface with the second host and send the new data packet to it.
Referring to fig. 2, a preferred embodiment of the data transmission system based on intelligent decision is described. In the data transmission system based on intelligent decision 100, the integrated bridge 120 interfaces with the first host 200 through the interface Port qvo 122 and receives and aggregates the data packets sent by the first host 200; the integrated bridge 120 detects the transmission state of the data packet while it is transmitted through the receiving detection node 123, the process detection node 124 and the sending detection node 125; the integrated bridge 120 then interfaces with the protocol stack 110 through the interface Port 126 and sends the data packet to the virtual network card device Tap 111 for host protocol configuration; the integrated bridge interfaces with Patch B 131 of the provisioning bridge through the interface Patch A 127 and sends the host-protocol-configured new data packet to the provisioning bridge; finally, the provisioning bridge sends the new data packet to the second host 500 through a pair of interface ports, Interface 132 and Interface 140, via the physical network infrastructure 300 and the Internet 400.
Referring to fig. 3, a detailed flow of an embodiment of the present invention is described below, where a first embodiment of a data transmission method based on an intelligent decision in the embodiment of the present invention includes:
301. receiving a data packet sent by a first host through an integrated network bridge, and performing flow matching on the data packet by adopting a preset kernel flow table to obtain a flow matching result;
it is to be understood that the executing subject of the present invention may be a data transmission device based on intelligent decision, and may also be a terminal or a server, which is not limited herein. The embodiment of the present invention is described by taking a server as an execution subject.
In this embodiment, in the existing DFW code architecture using OVS, a Linux bridge qbr has to be introduced as the mount point at which the detection point detects the transmission state, and data is aggregated through the integration bridge (OVS Integration bridge), so the forwarding performance for a data packet is reduced. In this implementation the Linux bridge qbr is removed outright: the integrated bridge itself is mounted at the monitoring point and receives the data packet directly for transmission state detection, so no virtual devices for several bridges are needed and less forwarding is done, which reduces the computing resources consumed by forwarding. In addition, with fewer bridge virtual devices the host's operation, maintenance and problem tracking are easier to follow, improving operation and maintenance efficiency and fault location.
Specifically, the integrated bridge interfaces with the virtual machines deployed in the host through the virtual interface Port qvo and applies a uniform security policy to the instances in all the virtual machines, achieving centralized management of the data. Previously, the tap eth0 of a virtual machine had to be connected through the virtual interface Port tap of the Linux bridge qbr, and the Linux bridge then forwarded the data packet to the integrated bridge by connecting its virtual interface Port qvb to the virtual interface Port qvo of the integrated bridge; here, the Port tap of the virtual machine is connected directly to the Port qvo of the integrated bridge, and the Linux bridge qbr is no longer needed for forwarding.
In addition, flow matching of the data packets is also implemented in the integrated bridge, before the data packets undergo transmission state detection at the detection points. The details are as follows:
ovs_flow_key_extract is called to generate the key value of the data packet, and any error is checked; ovs_dp_process_packet is called to deliver the packet to the datapath of the integrated bridge, where it is checked whether the kernel flow table contains a flow matching the data packet, after which the data packet is processed; flow table lookup is then performed through ovs_flow_tbl_lookup_stats based on the key value generated in the previous step, returning the matching kernel flow table entry, whose structure is sw_flow; if no matching kernel flow entry exists, ovs_dp_upcall is called to send the packet up to user space for matching; if a matching kernel flow entry exists, ovs_execute_actions is called directly to execute the corresponding actions, for example adding a VLAN header and forwarding to a certain port.
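As an added illustration of the two-tier lookup described here and in the third and fourth implementations above (exact match in the first priority table, wildcard match in the second, storing the tuple in both after a miss), the following user-space Python model is not OVS or the patent's code; the tuple layout, action strings and datapath ids are constructed for the example, and the kernel's upcall is modelled as a recorded miss followed by an explicit install.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Matching tuple extracted from a packet (constructed, simplified layout):
# (in_port, src_ip, dst_ip, ip_proto, src_port, dst_port)
MatchTuple = Tuple[int, str, str, int, int, int]
# Same shape for a wildcarded pattern; None means "matches any value".
MaskedMatch = Tuple[Optional[int], Optional[str], Optional[str],
                    Optional[int], Optional[int], Optional[int]]
Actions = Tuple[str, ...]   # execution action instructions, e.g. ("push_vlan:100", "output:2")

@dataclass(frozen=True)
class Packet:
    dp_id: int      # kernel identification information: which datapath saw the packet
    in_port: int
    src_ip: str
    dst_ip: str
    ip_proto: int
    src_port: int
    dst_port: int

def extract_match_tuple(pkt: Packet) -> MatchTuple:
    """Transmission packet characteristics -> the matching tuple used for lookup."""
    return (pkt.in_port, pkt.src_ip, pkt.dst_ip, pkt.ip_proto, pkt.src_port, pkt.dst_port)

@dataclass
class MaskedRule:
    """Second priority table entry: wildcarded pattern plus the actions to execute."""
    match: MaskedMatch
    actions: Actions
    priority: int = 0

    def hits(self, t: MatchTuple) -> bool:
        return all(m is None or m == v for m, v in zip(self.match, t))

@dataclass
class KernelFlowTable:
    exact: Dict[MatchTuple, Actions] = field(default_factory=dict)   # first priority table
    masked: List[MaskedRule] = field(default_factory=list)           # second priority table
    upcalls: List[MatchTuple] = field(default_factory=list)          # misses handed to user space

    def lookup(self, t: MatchTuple) -> Tuple[Optional[Actions], str]:
        """Exact match first; on failure the highest-priority masked rule that hits.
        Returns (actions or None, the stage that decided)."""
        acts = self.exact.get(t)
        if acts is not None:
            return acts, "exact"
        for rule in sorted(self.masked, key=lambda r: r.priority, reverse=True):
            if rule.hits(t):
                return rule.actions, "masked"
        self.upcalls.append(t)        # neither table matched: upcall, no action yet
        return None, "miss"

    def install(self, t: MatchTuple, actions: Actions) -> None:
        """Update after a miss: store the tuple in both tables. The masked copy
        wildcards the L4 ports, so later packets between the same endpoints hit
        the second table without another upcall."""
        self.exact[t] = actions
        pattern: MaskedMatch = (t[0], t[1], t[2], t[3], None, None)
        self.masked.append(MaskedRule(pattern, actions, priority=1))

class Datapaths:
    """Converts kernel identification information into a key and selects that table."""

    def __init__(self) -> None:
        self.tables: Dict[str, KernelFlowTable] = {}

    def table_for(self, pkt: Packet) -> KernelFlowTable:
        return self.tables.setdefault(f"dp:{pkt.dp_id}", KernelFlowTable())

    def process(self, pkt: Packet) -> Tuple[str, Optional[Actions]]:
        acts, stage = self.table_for(pkt).lookup(extract_match_tuple(pkt))
        return stage, acts

def demo() -> List[Tuple[str, Optional[Actions]]]:
    """One datapath: masked hit, miss plus install, exact hit, then masked hit."""
    dps = Datapaths()
    web = Packet(0, 1, "10.0.0.1", "10.0.0.2", 6, 40000, 443)
    ssh = Packet(0, 1, "10.0.0.1", "10.0.0.9", 6, 40001, 22)
    ssh2 = Packet(0, 1, "10.0.0.1", "10.0.0.9", 6, 40002, 22)   # same endpoints, new src port
    table = dps.table_for(web)
    # Pre-installed wildcard: anything to 10.0.0.2:443/tcp leaves through port 3.
    table.masked.append(MaskedRule((None, None, "10.0.0.2", 6, None, 443), ("output:3",), 5))
    results = [dps.process(web), dps.process(ssh)]
    # User space answers the upcall for the SSH flow by installing its actions.
    table.install(extract_match_tuple(ssh), ("push_vlan:100", "output:2"))
    results += [dps.process(ssh), dps.process(ssh2)]
    return results
```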
302. If the flow matching result is successful, detecting the transmission state of the integrated network bridge when the data packet is transmitted through each detection point;
303. According to the transmission state detection result, creating a connection tracking record corresponding to the data packet, and performing state filtering on the data packet by using the connection tracking record to obtain a state filtering result;
In this embodiment, for data packet transmission in the OVS, packets exchanged between different virtual machines in the same VPC (Virtual Private Cloud) are filtered at NF_IP_LOCAL_IN, while data transmission based on intelligent decision between virtual machines in different VPCs must be filtered at NF_IP_FORWARD; detection and distribution can be carried out through different detection nodes, and the corresponding packet forwarding operation is executed. Forwarding of data packets in the different-VPC scenario is the case considered here.
In the different-VPC case, all packets sent and received on the OVS-datapath can be expected to take the FORWARD chain. Following the Bridge-Netfilter implementation of the Linux_bridge qbr, multiple detection points (hook points) can be implemented on the OVS-datapath to perform transmission state detection on the data packets and at the same time generate connection tracking records (ConnTrack entries, CT). Specifically, the detection points may be added in the do_output function of the actions.c file of the OVS-datapath source code, which deploys the detection points.
Specifically, an iptable is attached to each detection point. The iptable comprises several detection rules and their corresponding actions and thereby forms a firewall that filters the data packet by state: an action is executed only when its detection rule is matched. Each detection point starts the state detection of the data packet by the iptable through ipt_do_table, so that the OVS uses the DFW framework and its detection rules.
304. Based on the connection tracking record, transmitting the data packet to a protocol stack through the integrated network bridge, performing host protocol configuration on the data packet through the protocol stack to obtain a new data packet, and returning the new data packet to the integrated network bridge;
In this embodiment, the integrated bridge connects to the interface Tap of the protocol stack through an interface Port and transmits the data packet to the protocol stack, so that host protocol configuration is performed on the data packet in the protocol stack. The protocol stack may perform the host protocol configuration on the data packet through the DHCP (Dynamic Host Configuration Protocol) mechanism.
Specifically, host protocol configuration is performed on the data packet at the application layer through DHCP: the IP address of the second host is set to the dynamic acquisition mode and the DHCP server allocates an IP address to the second host according to the DHCP protocol, so that the data packet of the first host can be sent to the second host using that IP address. The details are as follows: the integrated bridge transmits a DHCP Discover packet to the protocol stack; after receiving the Discover packet, an available DHCP server answers the integrated bridge with a DHCP Offer packet, telling the integrated bridge that it can provide an IP address; after receiving the Offer packet, the integrated bridge sends a DHCP Request packet to the DHCP server to request the allocation of an IP address; the available DHCP server then sends a DHCP ACK packet confirming the information, which yields the complete IP parameters of the second host, including the IP address, network mask, default gateway, DNS server IP and so on. Finally, the integrated bridge may send the data packet to the provisioning bridge, which transmits it to the identified second host.
305. The new data packet is transmitted by the integrating bridge to the provisioning bridge and sent to the second host by the provisioning bridge.
In this embodiment, the provisioning bridge (OVS Provider Bridge) interfaces with VPCs other than the VPC in which the first host is located and sends the data packet to hosts in those other VPCs. The provisioning bridge is connected to the physical network infrastructure through a pair of Port Interface-interfaces, reaches the Internet through that physical network infrastructure, and reaches the other VPCs through the Internet; the Port Interface-interfaces of the provisioning bridge carry data packets to the physical network infrastructure mainly over a Virtual Local Area Network (VLAN).
Specifically, when the integrated bridge transmits the data packet configured by the host protocol to the provisioning bridge, the integrated bridge first adds an internal VLAN tag to the data packet; the patch port 'int-br-provider' of the integrated bridge then sends the data packet to the patch port 'phy-br-provider' of the provisioning bridge; the provisioning bridge replaces the internal VLAN tag of the packet with the actual VLAN tag; the provider network port of the provisioning bridge sends the data packet to the physical network interface; and the physical network interface forwards the data packet to the physical network infrastructure for transmission to the second host over the Internet.
The embodiment of the application can acquire and process related data based on artificial intelligence technology. Artificial Intelligence (AI) is the theory, method, technique and application system that uses a digital computer, or a machine controlled by a digital computer, to simulate, extend and expand human intelligence, sense the environment, acquire knowledge and use that knowledge to obtain the best result.
The artificial intelligence infrastructure generally includes technologies such as sensors, dedicated artificial intelligence chips, cloud computing, distributed storage, big data processing technologies, operation/interaction systems, mechatronics, and the like. The artificial intelligence software technology mainly comprises a computer vision technology, a robot technology, a biological recognition technology, a voice processing technology, a natural language processing technology, machine learning/deep learning and the like.
In the embodiment of the invention, compared with the existing distributed firewall architecture, the Linux Bridge qbr does not need to be introduced: a data packet sent by a first host is received directly through the integrated bridge, flow matching is performed on the data packet with a preset kernel flow table, transmission state detection is performed on the data packet through multiple detection points, a connection tracking record corresponding to the data packet is created according to the transmission state detection result, and state filtering is performed on the data packet with the connection tracking record to obtain a state filtering result. Finally, based on the connection tracking record, the data packet is transmitted to the protocol stack through the integrated bridge, host protocol configuration is performed on it by the protocol stack and it is returned to the integrated bridge; the configured data packet is then transmitted to the provisioning bridge through the integrated bridge and sent to the second host by the provisioning bridge. The number of bridges is thus reduced, the forwarding efficiency of data transmission based on intelligent decision is improved, the performance loss caused by the Linux Bridge qbr is removed, and the computing performance of the system is improved.
Referring to fig. 4, a second embodiment of the data transmission method based on intelligent decision according to the embodiment of the present invention includes:
401. receiving a data packet sent by a first host through an integrated network bridge, and performing flow matching on the data packet by adopting a preset kernel flow table to obtain a flow matching result;
402. if the flow matching result is successful, detecting the transmission state of the integrated network bridge when the data packet is transmitted through each detection point;
403. detecting a transmission target address of the data packet by receiving the detection node according to the detection result and a preset first state rule table, and configuring a connection tracking record corresponding to the data packet by adopting the transmission target address;
In this embodiment, the detection points may include a receiving detection node (PREROUTING), a process detection node (FORWARD) and a sending detection node (POSTROUTING), which together form the Netfilter and control, modify and filter the data packet. Each detection point may produce one of three detection results: release, where the packet is not modified, the detection logic is exited and normal packet processing continues; modify, for example changing the IP address to perform NAT and then returning the packet to the normal packet processing logic; or discard, which implements a security policy or firewall function.
In this embodiment, at the receiving detection node, rule matching is performed against the first state rule table and a conntrack_in operation is performed on the NF_INET_PRE_ROUTING hook to generate the connection tracking record, which is configured from the transmission target address of the data packet, that is, it includes the transmission target address of the second host. This is specifically as follows:
(1) Analyzing the transmission target address to obtain a virtual machine domain address and a physical machine network card address of the received data packet;
(2) Configuring a connection tracking record corresponding to the data packet by adopting a domain address of a virtual machine and an address of a network card of a physical machine;
The conventional Linux_bridge qbr allows different VPCs to use the same IP address or address range. When the same address belonging to different VPCs is installed in different virtual machines on the same physical machine, data packets from virtual machines in different VPCs may generate the same connection tracking record, which causes a security problem.
Therefore, by further using the virtual machine domain address (Zone ID) and the physical machine network card address (MAC address) to configure the connection tracking record, the record can distinguish different virtual machines of different VPCs on the same physical machine. Specifically, two virtual machine domain address rules may be added on the physical machine where each virtual machine is located:
iptables -t raw -I PREROUTING -i {VM_TAP_NAME} -j CT --zone {VPC_ZONE_ID};
iptables -t raw -I PREROUTING -i vxlan_sys_4789 -m mac --mac-destination {VM_MAC} -j CT --zone {VPC_ZONE_ID};
The second rule cannot be used directly at present: the existing mac match module only checks the source address, as in "-m mac --mac-source XX:XX:XX:XX:XX:XX", so an iptables plug-in would need to be developed to check the network card address of the destination physical machine receiving the packet. Alternatively, the Zone ID could be set by matching the VXLAN Network Identifier (VXLAN ID, VNI) field in the iptables rule, which would likewise require developing a new iptables extension to match the VNI field.
404. Traversing a preset second state rule table with the connection tracking record through the process detection node to obtain a traversal result, and selecting a connection state matched with the connection tracking record from the state rule table according to the traversal result;
In this embodiment, each detection point detects the data packet through the filtering rules of the iptables, which specifically include the following tables: 1) the filter table, which implements the filtering and firewall functions and corresponds to the kernel module iptable_filter; 2) the nat table, which implements network address translation and corresponds to the kernel module iptable_nat; 3) the mangle table, which implements unpacking, modifying and re-encapsulating the data packet and corresponds to the kernel module iptable_mangle; 4) the raw table, which turns off the connection tracking mechanism started on the nat table and corresponds to the kernel module iptable_raw.
Specifically, the types of iptables that may be deployed at each detection point differ; the iptables deployed at the corresponding detection points may include: the receiving detection node may contain the raw table, the mangle table and the nat table; the process detection node may contain the mangle table and the filter table; the sending detection node may contain the mangle table and the nat table.
Only the process detection node contains the filter table; its filtering function is realized by traversing the second state rule table, selecting the connection state that matches the connection tracking record and filtering out all other connection states, after which the action corresponding to the connection state is executed. The iptables rules are therefore hooked in the second state rule table of the process detection node (the NF_INET_FORWARD hook point) and executed as the data packet passes through, and the previously generated connection tracking record is used to perform state filtering on the data packet while the rules are executed.
405. Confirming the connection state by adopting a preset third state rule table through the sending detection node, and taking the successfully confirmed connection state as a state filtering result corresponding to the data packet;
In this embodiment, the sending detection node is the final detection point before the data packet leaves the host for the second host; after state filtering has been performed on the data packet, the connection state is confirmed again at the sending detection node (the NF_INET_POST_ROUTING hook point), and the successfully confirmed connection state is taken as the state filtering result of the data packet. Specifically, the connection state of the packet may be confirmed by nf_conntrack_confirm(); after successful confirmation the connection state of the packet is IPS_CONFIRMED, which is used as the state filtering result of the packet.
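To make the zone assignment of step 403 and the three-hook state filtering of steps 404 and 405 concrete, the following Python model is an added example written for this page, not code from the patent, OVS or netfilter. Interface names, MAC and IP addresses and the `--mac-destination` option are constructed or hypothetical, and the policy of which ports accept NEW connections per zone is an assumption; `overlap_demo(False)` reproduces the shared-record problem the text describes for overlapping VPC addresses.

```python
from dataclasses import dataclass

# Constructed model of the three detection points (PREROUTING / FORWARD / POSTROUTING),
# conntrack zones and the state filter. Not OVS or netfilter code.
VXLAN_IF = "vxlan_sys_4789"   # tunnel interface named in the page's second iptables rule

@dataclass(frozen=True)
class Packet:
    in_if: str      # ingress interface: a VM tap, or the VXLAN interface for remote traffic
    dst_mac: str    # destination physical-machine network card address
    src_ip: str
    dst_ip: str
    proto: str
    sport: int
    dport: int

    def tuple5(self):
        return (self.proto, self.src_ip, self.sport, self.dst_ip, self.dport)

@dataclass
class CtEntry:
    zone: int
    orig: tuple
    confirmed: bool = False   # set by the sending detection node (nf_conntrack_confirm analogue)

class ZoneRules:
    """Raw-table '-j CT --zone' rules: by tap name, or by (VXLAN interface, destination MAC)."""
    def __init__(self):
        self.by_tap, self.by_mac = {}, {}

    def add_vm(self, tap, mac, zone):
        self.by_tap[tap] = zone
        self.by_mac[mac] = zone

    def zone_for(self, pkt):
        if pkt.in_if in self.by_tap:
            return self.by_tap[pkt.in_if]
        if pkt.in_if == VXLAN_IF and pkt.dst_mac in self.by_mac:
            return self.by_mac[pkt.dst_mac]
        return 0   # no rule matched: default zone

class Conntrack:
    """Connection tracking table; use_zones=False reproduces the shared-record problem."""
    def __init__(self, rules, use_zones=True):
        self.rules, self.use_zones, self.table = rules, use_zones, {}

    def conntrack_in(self, pkt, zone):
        key = (zone if self.use_zones else 0, pkt.tuple5())
        entry = self.table.get(key)
        if entry is None:
            entry = self.table[key] = CtEntry(zone, pkt.tuple5())
            return entry, "NEW"
        return entry, ("ESTABLISHED" if entry.confirmed else "NEW")

def forward_filter(state, pkt, new_allowed_ports):
    """Process detection node (filter table): ESTABLISHED passes, NEW only to allowed ports."""
    if state == "ESTABLISHED" or (state == "NEW" and pkt.dport in new_allowed_ports):
        return "ACCEPT"
    return "DROP"

def process(ct, pkt, policy):
    """Run one packet through the three detection points; policy maps zone -> ports open to NEW."""
    zone = ct.rules.zone_for(pkt)                       # receiving node: raw-table CT --zone
    entry, state = ct.conntrack_in(pkt, zone)           # receiving node: conntrack_in
    verdict = forward_filter(state, pkt, policy.get(zone, set()))   # process node
    if verdict == "ACCEPT":
        entry.confirmed = True                          # sending node: IPS_CONFIRMED
    return {"zone": zone, "state": state, "verdict": verdict}

def overlap_demo(use_zones):
    """Two VPCs on one physical machine both use 10.0.0.5 -> 10.0.0.9 (constructed addresses)."""
    rules = ZoneRules()
    rules.add_vm("tapvm-a", "fa:16:3e:00:00:0a", zone=10)
    rules.add_vm("tapvm-b", "fa:16:3e:00:00:0b", zone=20)
    policy = {10: {3306}, 20: set()}   # assumption: VPC 10 may open 3306, VPC 20 may open nothing
    ct = Conntrack(rules, use_zones)
    flow = dict(src_ip="10.0.0.5", dst_ip="10.0.0.9", proto="tcp", sport=40000, dport=3306)
    r1 = process(ct, Packet("tapvm-a", "fa:16:3e:00:00:0a", **flow), policy)
    r2 = process(ct, Packet("tapvm-b", "fa:16:3e:00:00:0b", **flow), policy)
    # Without zones, VPC 20's packet rides on VPC 10's confirmed record and is accepted.
    return r1["verdict"], r2["state"], r2["verdict"], len(ct.table)

def zone_rules_for_vm(tap, mac, zone):
    """Render the page's two raw-table rules; '--mac-destination' is a hypothetical extension
    (stock iptables only provides '-m mac --mac-source'), as the text itself notes."""
    return [
        f"iptables -t raw -I PREROUTING -i {tap} -j CT --zone {zone}",
        f"iptables -t raw -I PREROUTING -i {VXLAN_IF} -m mac --mac-destination {mac} -j CT --zone {zone}",
    ]
```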
406. Based on the connection tracking record, transmitting the data packet to a protocol stack through the integrated network bridge, performing host protocol configuration on the data packet through the protocol stack to obtain a new data packet, and returning the new data packet to the integrated network bridge;
407. the new data packet is transmitted by the integrating bridge to the provisioning bridge and sent to the second host by the provisioning bridge.
In the embodiment of the invention, the distributed firewall function for the data packet is realized by mounting an iptable at each of the three detection points: the connection tracking record is generated and state filtering is performed through the three detection points, so that data packet transmission between virtual machines on different hosts is protected point to point and the security of data transmission based on intelligent decision is improved; since the detection points and the iptables are mounted on the integrated bridge, the number of bridges is reduced and the forwarding performance of data transmission based on intelligent decision is improved.
Referring to fig. 5, a third embodiment of the data transmission method based on intelligent decision according to the embodiment of the present invention includes:
501. receiving a data packet sent by a first host through an integrated network bridge, and extracting transmission packet characteristics corresponding to the data packet, wherein the transmission packet characteristics comprise kernel identification information corresponding to the data packet and a plurality of matching tuples;
In this embodiment, the data packet carries a transmission packet feature: the kernel identification information (the SKB, socket buffer) is used to find the matching kernel flow table, and the matching tuples are used to perform flow matching in that kernel flow table, specifically exact flow matching and fuzzy flow matching. The 12 matching tuples include in_port, dl_src, dl_dst, dl_vlan_pcp, dl_type, nw_tos, nw_proto, nw_src, nw_dst, tp_src, tp_dst and the like, and may be represented by a 12-bit mask with one bit per tuple; for example, 000000000011 indicates that tp_src and tp_dst are given and none of the others is.
502. Converting the kernel identification information into a matching key value, and selecting a preset kernel flow table matched with the matching key value, wherein the kernel flow table comprises a first priority flow table and a second priority flow table;
In this embodiment, before flow matching proceeds from the OVS-datapath to Netfilter, the kernel identification information in the transmission packet feature needs to be initialized to a value supported by Netfilter, that is, a matching key value; specifically, the matching key value (the Key) may be generated from the kernel identification information by calling ovs_flow_key_extract. There are multiple kernel flow tables, and the corresponding kernel flow table is queried using the matching key value as an index.
In addition, the first priority flow table is used for exact matching, and the second priority flow table is used for fuzzy matching, that is, exact matching needs to be performed first and then fuzzy matching needs to be performed. Here, fuzzy matching means that there may be 1 or more tuples not specified, while exact matching means that each tuple must be specified.
503. Respectively adopting each matching tuple and the first priority flow table to carry out accurate matching, and respectively judging whether each matching tuple is accurately matched successfully;
504. if the accurate matching is successful, selecting an execution action instruction matched with the matched tuple from the first priority flow table and taking the execution action instruction as a flow matching result;
505. if the precise matching fails, carrying out fuzzy matching on the second priority flow table by adopting the corresponding matching tuple, and judging whether the corresponding matching tuple is successfully subjected to fuzzy matching or not;
506. if the fuzzy matching is successful, selecting an execution action instruction matched with the matched tuple from the second priority flow table and taking the execution action instruction as a flow matching result;
In this embodiment, the kernel logically has two stages of flow tables: the first priority flow table is used for exact matching, and the second priority flow table is used for fuzzy matching and holds match items with a mask; these masked items are matched, after the upcall to user space, when the exact match of the data packet in the first priority flow table misses. For example, when a packet is delivered to the kernel flow table, the first priority flow table is searched first, and only if there is no hit are the match items in the second priority flow table searched.
In addition, the two flow tables may also be merged into one Megaflow table comprising a mask_cache_entry, a mask_array and an hmap, in which lookup is performed by hashing the match items with and without a mask: first the mask_cache_entry table is looked up and, on a hit, the corresponding mask is found in the mask_array from the cached entry; on a miss the mask_array is traversed instead. The bucket chain in the hmap is then located from the corresponding mask and the masked key value, and that bucket chain is traversed.
507. If the corresponding matching tuple fails to be matched in a fuzzy manner, storing the matching tuple in a first priority flow table and a second priority flow table so as to update the first priority flow table and the second priority flow table;
In this embodiment, if the matching tuple misses in both the first priority flow table and the second priority flow table, an upcall is made to user space; if it hits there the user space handles it, and if not the packet is sent by packet-in to the controller. The user space then hands all information of the matching tuple down into the first priority flow table of the kernel for the next exact match, and the match item used for fuzzy matching is placed into the second priority flow table of the kernel for the next fuzzy match.
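As an added example (not code from the patent or from OVS), the following Python model implements the two-stage lookup of steps 502 to 507 together with the kernel call sequence described under step 301: an exact first priority table, a masked second priority table searched through a mask array, and an upcall that installs the missed flow into both tables. The 12-bit mask convention follows the text; dl_vlan as the twelfth field, the user-space policy and all packet values are assumptions.

```python
# Constructed model of the two-stage kernel flow table; not OVS code.
# Field order follows the page's 12-tuple; dl_vlan is assumed as the twelfth field.
FIELDS = ("in_port", "dl_src", "dl_dst", "dl_vlan", "dl_vlan_pcp", "dl_type",
          "nw_tos", "nw_proto", "nw_src", "nw_dst", "tp_src", "tp_dst")

def mask_fields(mask_bits):
    """'000000000011' -> ('tp_src', 'tp_dst'): one bit per tuple, 1 means the field is given."""
    if len(mask_bits) != len(FIELDS) or set(mask_bits) - {"0", "1"}:
        raise ValueError("mask must be a 12-character bit string")
    return tuple(f for f, b in zip(FIELDS, mask_bits) if b == "1")

def extract_key(skb):
    """ovs_flow_key_extract analogue: build the match key from the packet's fields (a dict here)."""
    return tuple(skb.get(f) for f in FIELDS)

def apply_mask(key, mask_bits):
    """Keep only the fields the mask specifies; unspecified fields become wildcards (None)."""
    return tuple(v if b == "1" else None for v, b in zip(key, mask_bits))

class KernelFlowTable:
    def __init__(self, upcall):
        self.exact = {}        # first priority flow table: full key -> action
        self.mask_array = []   # second priority: masks to try, in insertion order
        self.masked = {}       # (mask_bits, masked key) -> action
        self.upcall = upcall   # user-space handler: key -> (mask_bits, action) or None
        self.stats = {"exact_hit": 0, "masked_hit": 0, "upcall": 0, "miss": 0}

    def lookup(self, key):
        """ovs_flow_tbl_lookup_stats analogue: exact match first, then fuzzy (masked) match."""
        if key in self.exact:
            self.stats["exact_hit"] += 1
            return self.exact[key]
        for mask_bits in self.mask_array:
            action = self.masked.get((mask_bits, apply_mask(key, mask_bits)))
            if action is not None:
                self.stats["masked_hit"] += 1
                return action
        return None

    def process_packet(self, skb):
        """ovs_dp_process_packet analogue: lookup, else upcall and install in both tables."""
        key = extract_key(skb)
        action = self.lookup(key)
        if action is not None:
            return action
        self.stats["upcall"] += 1
        result = self.upcall(key)              # ovs_dp_upcall analogue
        if result is None:
            self.stats["miss"] += 1
            return "drop"
        mask_bits, action = result
        self.exact[key] = action               # next packet of this flow hits the first table
        if mask_bits not in self.mask_array:
            self.mask_array.append(mask_bits)
        self.masked[(mask_bits, apply_mask(key, mask_bits))] = action   # second table
        return action

def user_space_policy(key):
    """Constructed stand-in for the user-space rule set consulted on upcall."""
    f = dict(zip(FIELDS, key))
    if f["dl_type"] == 0x0800 and f["nw_proto"] == 6 and f["tp_dst"] == 22:
        return ("000001010001", "output:2")   # mask bits set for dl_type, nw_proto, tp_dst
    if f["dl_type"] == 0x0800 and f["nw_proto"] == 17 and f["tp_dst"] == 53:
        return ("000001010001", "output:3")
    return None

def demo():
    """Four packets: upcall plus install, exact hit, masked hit, and a flow with no rule."""
    tbl = KernelFlowTable(user_space_policy)
    base = dict(in_port=1, dl_src="fa:16:3e:00:00:01", dl_dst="fa:16:3e:00:00:02",
                dl_vlan=100, dl_vlan_pcp=0, dl_type=0x0800, nw_tos=0, nw_proto=6,
                nw_src="10.0.0.5", nw_dst="10.0.0.9", tp_src=40000, tp_dst=22)
    a1 = tbl.process_packet(base)                          # both tables miss -> upcall
    a2 = tbl.process_packet(base)                          # exact hit
    a3 = tbl.process_packet({**base, "tp_src": 40001})     # exact miss, masked hit
    a4 = tbl.process_packet({**base, "tp_dst": 3306})      # no rule -> drop
    return (a1, a2, a3, a4, dict(tbl.stats))
```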
508. If the flow matching result is successful, detecting the transmission state of the integrated network bridge when the data packet is transmitted through each detection point;
509. According to the transmission state detection result, creating a connection tracking record corresponding to the data packet, and performing state filtering on the data packet by using the connection tracking record to obtain a state filtering result;
510. based on the connection tracking record, transmitting the data packet to a protocol stack through the integrated network bridge, performing host protocol configuration on the data packet through the protocol stack to obtain a new data packet, and returning the new data packet to the integrated network bridge;
511. the new data packet is transmitted by the integrating bridge to the provisioning bridge and sent to the second host by the provisioning bridge.
In this embodiment, when sending a new data packet to the second host through the provisioning bridge, encrypted sending may also be performed, which is specifically shown as follows:
(1) Carrying out segmentation pretreatment on a new data packet through a supply network bridge according to a preset data volume segmentation threshold to obtain a plurality of data segments, and configuring control data required by first data segment encryption;
(2) Encrypting the first data segment by the supply network bridge by using the control data to obtain an encrypted data segment, and sending the encrypted data segment to the second host;
(3) Receiving response information about the encrypted data segment sent by the second host through the provisioning network bridge, and judging whether the second host successfully receives the encrypted data segment according to the response information;
(4) If the encrypted data segment was successfully received, the next data segment is encrypted and sent to the second host through the provisioning bridge, until all data segments corresponding to the data packet have been encrypted and sent to the second host;
(5) If reception failed, the encrypted data segment is retransmitted to the second host through the provisioning bridge until the second host successfully receives it or the number of transmissions reaches a preset transmission threshold.
Specifically, when a data packet is segmented, the total length $L$ of the data packet and the preset data volume segmentation threshold $L'$ are determined, where $L'$ is the segment length of a standard segment. The data packet is segmented according to $L$ and $L'$ into the largest possible number of segments of length exactly $L'$ plus a last remaining segment, and the number of segments $N$ and the length $L_N$ of the last remaining segment are determined: $N = \lceil L / L' \rceil$. The segment lengths are $L_1, L_2, L_3, \ldots, L_{N-1}, L_N$, where $L_1 = L_2 = \cdots = L_{N-1} = L'$ and $L_N \le L'$, so that $L = L_1 + L_2 + \cdots + L_{N-1} + L_N = L'(N-1) + L_N$. Then the storage space of each segment is pre-allocated according to the data volume segmentation threshold and the preset encryption method.
Specifically, the size of the storage space of each segment is the sum of the data volume segment threshold and the size of the reserved storage space; the control data required by the sectional encryption configuration takes the section as a unit; the control data includes encryption control data and transmission control data. When executing each preset subsection sending process, configuring encryption control data and sending control data for the current subsection encryption; and encrypting the original segments according to the encryption control data of the current segment, covering the source data with the encrypted data of each segment, and simultaneously executing the operations of sending the data of the previous segment, configuring the encryption control data for the encryption of the next segment and sending the control data.
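The segmented, acknowledged sending of steps (1) to (5), with the length bookkeeping of the two paragraphs above, as an added Python model that is not the patent's code. Because the page does not name its preset encryption method, a SHA-256 counter keystream with an HMAC tag stands in for it (a real deployment would use an AEAD cipher), the reserved storage per segment is the sequence number, nonce and tag overhead, and the lossy channel, key, payload and threshold values are constructed.

```python
import hashlib
import hmac
import math
import os
from dataclasses import dataclass

# Constructed model of segmented, acknowledged, encrypted sending; not the patent's code.
# The cipher below is a stand-in for the page's unspecified "preset encryption method".
SEQ_LEN, NONCE_LEN, TAG_LEN = 4, 12, 32
RESERVED = SEQ_LEN + NONCE_LEN + TAG_LEN   # reserved storage per segment beyond the threshold L'

@dataclass
class ControlData:
    seq: int            # sending control data: segment number
    key: bytes          # encryption control data
    nonce: bytes
    max_attempts: int   # sending control data: preset transmission threshold

def segment(packet: bytes, threshold: int):
    """Split L bytes into N = ceil(L / L') segments: N-1 of length L', the last of length <= L'."""
    if threshold <= 0:
        raise ValueError("data volume segmentation threshold must be positive")
    n = math.ceil(len(packet) / threshold)
    return [packet[i * threshold:(i + 1) * threshold] for i in range(n)]

def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt_segment(seg: bytes, cd: ControlData) -> bytes:
    """Frame = seq || nonce || ciphertext || tag; its size is len(seg) + RESERVED."""
    header = cd.seq.to_bytes(SEQ_LEN, "big") + cd.nonce
    ct = bytes(a ^ b for a, b in zip(seg, _keystream(cd.key, cd.nonce, len(seg))))
    return header + ct + hmac.new(cd.key, header + ct, hashlib.sha256).digest()

def decrypt_segment(frame: bytes, key: bytes):
    """Return (seq, plaintext), or None if the tag does not verify (corrupted frame)."""
    hdr_len = SEQ_LEN + NONCE_LEN
    header, ct, tag = frame[:hdr_len], frame[hdr_len:-TAG_LEN], frame[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, header + ct, hashlib.sha256).digest()):
        return None
    plain = bytes(a ^ b for a, b in zip(ct, _keystream(key, header[SEQ_LEN:], len(ct))))
    return int.from_bytes(header[:SEQ_LEN], "big"), plain

class SecondHost:
    """Receiver: acknowledges a segment only if it verifies and is the expected or a duplicate one."""
    def __init__(self, key):
        self.key, self.expected, self.chunks = key, 0, []
    def receive(self, frame):
        res = decrypt_segment(frame, self.key)
        if res is None:
            return False                       # response information: not received
        seq, plain = res
        if seq == self.expected:
            self.chunks.append(plain)
            self.expected += 1
        return seq < self.expected             # duplicates of held segments are acknowledged again
    def data(self):
        return b"".join(self.chunks)

class LossyChannel:
    """Constructed channel that drops or corrupts chosen (seq, attempt) deliveries."""
    def __init__(self, drops=(), corrupt=()):
        self.drops, self.corrupt = set(drops), set(corrupt)
    def deliver(self, frame, seq, attempt):
        if (seq, attempt) in self.drops:
            return None
        if (seq, attempt) in self.corrupt:
            i = SEQ_LEN + NONCE_LEN            # flip the first ciphertext byte
            return frame[:i] + bytes([frame[i] ^ 0xFF]) + frame[i + 1:]
        return frame

def send_packet(packet, threshold, key, channel, receiver, max_attempts=3):
    """Encrypt and send segment by segment; retransmit until acknowledged or the threshold is hit."""
    segments = segment(packet, threshold)
    delivered = 0
    for seq, seg in enumerate(segments):
        cd = ControlData(seq, key, os.urandom(NONCE_LEN), max_attempts)   # per-segment control data
        frame = encrypt_segment(seg, cd)
        for attempt in range(1, cd.max_attempts + 1):
            got = channel.deliver(frame, seq, attempt)
            if got is not None and receiver.receive(got):
                delivered += 1
                break
        else:
            return {"ok": False, "segments": len(segments), "delivered": delivered}
    return {"ok": True, "segments": len(segments), "delivered": delivered,
            "intact": receiver.data() == packet}

def demo(drops=(), corrupt=(), packet_len=1000, threshold=300):
    key = b"\x11" * 32                                   # constructed key
    packet = (b"constructed-payload-" * 64)[:packet_len]  # L = 1000, L' = 300 -> N = 4
    return send_packet(packet, threshold, key, LossyChannel(drops, corrupt), SecondHost(key))
```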
In the embodiment of the invention, the kernel flow tables are divided into a first priority flow table for exact matching and a second priority flow table for fuzzy matching. If the higher-priority exact match hits, the search does not continue downward; if it misses, the search continues downward with fuzzy matching in the second priority flow table. Not every kernel flow table needs to be matched every time, the highest-priority match item corresponding to the matching tuple can be selected, the amount of calculation is reduced, and calculation efficiency is improved.
With reference to fig. 6, the data transmission method based on intelligent decision in the embodiment of the present invention is described above, and a data transmission device based on intelligent decision in the embodiment of the present invention is described below, where an embodiment of the data transmission device based on intelligent decision in the embodiment of the present invention includes:
the flow matching module 601 is configured to receive a data packet sent by a first host through the integrated network bridge, and perform flow matching on the data packet by using a preset kernel flow table to obtain a flow matching result;
a state filtering module 602, configured to detect, if the stream matching result is that matching is successful, a transmission state of the integrated network bridge when transmitting the data packet through each detection point; creating a connection tracking record corresponding to the data packet according to the detection result, and filtering the transmission state of the data packet by using the connection tracking record to obtain a state filtering result;
a configuration module 603, configured to transmit the data packet to the protocol stack through the integrated network bridge based on the connection tracking record, perform host protocol configuration on the data packet through the protocol stack to obtain a new data packet, and return the new data packet to the integrated network bridge;
a sending module 604, configured to transmit the new data packet to the provisioning bridge through the integration bridge, and send the new data packet to a second host through the provisioning bridge.
In the embodiment of the invention, compared with the existing distributed firewall architecture, a network Bridge of Linux Bridge qbr is not required to be introduced, a data packet sent by a first host is directly received through an integrated network Bridge, a preset kernel flow table is adopted to carry out flow matching on the data packet, transmission state detection is carried out on the data packet through multiple detection points, a connection tracking record corresponding to the data packet is established according to the transmission state detection result, and the data packet is subjected to state filtering by adopting the connection tracking record to obtain a state filtering result; finally, based on the connection tracking record, transmitting the data packet to a protocol stack through the integrated network bridge, and performing host protocol configuration on the data packet through the protocol stack and returning the data packet to the integrated network bridge; and transmitting the data packet after the host protocol configuration to the supply bridge through the integration bridge, and sending the data packet after the host protocol configuration to the second host through the supply bridge. The number of bridges is reduced, the forwarding efficiency of data transmission based on intelligent decision is improved, and the loss of the Linux Bridge qbr Bridge to the performance is reduced, so that the computing performance of the system is improved.
Referring to fig. 7, another embodiment of the data transmission apparatus based on intelligent decision according to the embodiment of the present invention includes:
the flow matching module 601 is configured to receive a data packet sent by a first host through the integrated network bridge, and perform flow matching on the data packet by using a preset kernel flow table to obtain a flow matching result;
a state filtering module 602, configured to detect, if the stream matching result is that matching is successful, a transmission state of the integrated network bridge when transmitting the data packet through each detection point; creating a connection tracking record corresponding to the data packet according to the detection result, and filtering the transmission state of the data packet by using the connection tracking record to obtain a state filtering result;
a configuration module 603, configured to transmit the data packet to the protocol stack through the integrated network bridge based on the connection trace record, perform host protocol configuration on the data packet through the protocol stack to obtain a new data packet, and return the new data packet to the integrated network bridge;
a sending module 604, configured to transmit the new data packet to the provisioning bridge through the integration bridge, and send the new data packet to a second host through the provisioning bridge.
Specifically, the detection points include a receiving detection node, a process detection node, and a sending detection node, and the state filtering module 602 includes:
a configuration unit 6021, configured to detect a transmission target address of the data packet through the receiving detection node according to a detection result and a preset first state rule table, and configure a connection tracking record corresponding to the data packet by using the transmission target address;
a filtering unit 6022, configured to traverse a preset second state rule table by using the connection tracking record through the process detection node to obtain a traversal result, and select a connection state matching the connection tracking record from the state rule table according to the traversal result;
a confirming unit 6023, configured to confirm the connection state by using a preset third state rule table through the sending detection node, and use the successfully confirmed connection state as a state filtering result corresponding to the data packet.
Specifically, the configuration unit 6021 is further configured to:
analyzing the transmission target address to obtain a virtual machine domain address and a physical machine network card address for receiving the data packet;
and configuring a connection tracking record corresponding to the data packet by adopting the domain address of the virtual machine and the network card address of the physical machine.
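The three detection points above, modelled as an added example (not the patent's code): the receiving node resolves the target address into a VM domain and physical NIC from a first state rule table, the process node traverses a second state rule table to select a connection state, and the sending node confirms that state against a third table. The rule tables, the flow key layout and the verdict names are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

FlowKey = Tuple[str, str, int]  # (src_ip, dst_ip, dst_port); assumed key layout


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    syn: bool
    ack: bool


@dataclass
class ConnTrackRecord:
    vm_domain: str      # virtual machine domain address parsed from the target address
    nic_addr: str       # physical machine network card address parsed from it
    key: FlowKey
    state: Optional[str] = None


# First state rule table (constructed sample): target prefix -> (VM domain, physical NIC)
FIRST_STATE_RULES = [
    (ip_network("10.0.1.0/24"), "vm-domain-a", "eth1"),
    (ip_network("10.0.2.0/24"), "vm-domain-b", "eth2"),
]


def receiving_node(pkt: Packet) -> Optional[ConnTrackRecord]:
    """Receiving detection node: resolve the transmission target address against the
    first state rule table and configure the connection tracking record from it."""
    dst = ip_address(pkt.dst_ip)
    for net, domain, nic in FIRST_STATE_RULES:
        if dst in net:
            return ConnTrackRecord(domain, nic, (pkt.src_ip, pkt.dst_ip, pkt.dst_port))
    return None


# Second state rule table (constructed): traversed in order; the first predicate that
# holds names the connection state. `seen` is the table of flows already tracked.
SECOND_STATE_RULES = [
    (lambda pkt, ct, seen: ct.key in seen and not (pkt.syn and not pkt.ack), "ESTABLISHED"),
    (lambda pkt, ct, seen: ct.key not in seen and pkt.syn and not pkt.ack, "NEW"),
    (lambda pkt, ct, seen: True, "INVALID"),
]


def process_node(pkt: Packet, ct: ConnTrackRecord, seen: Dict[FlowKey, ConnTrackRecord]):
    """Process detection node: traverse the second state rule table with the record
    and select the connection state that matches it."""
    for predicate, state in SECOND_STATE_RULES:
        if predicate(pkt, ct, seen):
            ct.state = state
            return ct
    return ct


# Third state rule table (constructed): per physical NIC, the states that are confirmed;
# for NEW, the set of destination ports on which a new connection may be opened.
THIRD_STATE_RULES = {
    "eth1": {"ESTABLISHED": None, "NEW": {22, 443}},
    "eth2": {"ESTABLISHED": None},
}


def sending_node(pkt: Packet, ct: ConnTrackRecord, seen: Dict[FlowKey, ConnTrackRecord]):
    """Sending detection node: confirm the selected state against the third state rule
    table; a confirmed state is committed to the tracking table and becomes the result."""
    allowed = THIRD_STATE_RULES.get(ct.nic_addr, {})
    if ct.state not in allowed:
        return ("DROP", ct.state)
    ports = allowed[ct.state]
    if ports is not None and pkt.dst_port not in ports:
        return ("DROP", ct.state)
    if ct.state == "NEW":
        seen[ct.key] = ct  # a confirmed NEW flow is ESTABLISHED for later packets
    return ("ACCEPT", ct.state)


def state_filter(pkt: Packet, seen: Dict[FlowKey, ConnTrackRecord]) -> Tuple[str, str]:
    """Run one packet through the three detection points; returns (verdict, state)."""
    ct = receiving_node(pkt)
    if ct is None:
        return ("DROP", "NO_RULE")
    process_node(pkt, ct, seen)
    return sending_node(pkt, ct, seen)
```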
Specifically, the stream matching module 601 includes:
an extracting unit 6011, configured to extract a transmission packet feature corresponding to the data packet, where the transmission packet feature includes kernel identification information corresponding to the data packet and a plurality of matching tuples;
a converting unit 6012, configured to convert the kernel identification information into a matching key, and select a preset kernel flow table matched with the matching key, where the kernel flow table includes a first priority flow table and a second priority flow table;
an exact matching unit 6013, configured to perform exact matching with the first priority flow table by using each matching tuple, and respectively determine whether each matching tuple is successfully matched; if the accurate matching is successful, selecting an execution action instruction matched with the matching tuple from the first priority flow table and taking the execution action instruction as a flow matching result;
a fuzzy matching unit 6014, configured to perform fuzzy matching on the second priority flow table by using the corresponding matching tuple if the exact matching fails, and determine whether the fuzzy matching of the corresponding matching tuple is successful; and if the fuzzy matching is successful, selecting an execution action instruction matched with the matched tuple from the second priority flow table and taking the execution action instruction as a flow matching result.
Specifically, the stream matching module 601 further includes an updating unit 6015, configured to store the matching tuple in the first priority flow table and the second priority flow table if the fuzzy matching of the corresponding matching tuple fails, so as to update the first priority flow table and the second priority flow table.
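The two-priority kernel flow table of units 6011 to 6015, as an added example that is not the patent's code: exact matching against the first priority table, fuzzy (wildcard and prefix) matching against the second, and storing a tuple that missed both into both tables. The tuple layouts, the matching-key format and the action recorded on a miss are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Field layout of the two matching tuples extracted per packet (assumed: an L2 tuple
# and an L3/L4 tuple; the patent only says "a plurality of matching tuples").
L2_FIELDS = ("in_port", "dl_src", "dl_dst")
L3_FIELDS = ("nw_src", "nw_dst", "nw_proto", "tp_dst")
LEARN_ACTION = "UPCALL"  # assumed action recorded for a tuple that missed both tables


@dataclass
class KernelFlowTable:
    exact: Dict[tuple, str] = field(default_factory=dict)            # first priority table
    fuzzy: List[Tuple[int, dict, str]] = field(default_factory=list)  # (prio, masks, action)


def matching_key(kernel_id: dict) -> str:
    """Convert the kernel identification information into the key that selects a table."""
    return f"{kernel_id['datapath']}:{kernel_id['table']}"


def extract_features(pkt: dict):
    """Transmission packet features: kernel identification info plus the matching tuples."""
    kernel_id = {"datapath": pkt["datapath"], "table": pkt["table"]}
    tuples = [tuple(pkt[f] for f in L2_FIELDS), tuple(pkt[f] for f in L3_FIELDS)]
    return kernel_id, tuples


def field_matches(name: str, mask_value, value) -> bool:
    """One field of a fuzzy entry: None is a wildcard, IP fields may carry a CIDR prefix."""
    if mask_value is None:
        return True
    if name in ("nw_src", "nw_dst") and "/" in str(mask_value):
        return ip_address(value) in ip_network(mask_value, strict=False)
    return mask_value == value


def fuzzy_match(table: KernelFlowTable, tup: tuple, fields: tuple):
    """Second priority table: the highest-priority entry whose masks all match wins."""
    for _prio, masks, action in sorted(table.fuzzy, key=lambda e: -e[0]):
        if set(masks) - set(fields):      # entry written for the other tuple layout
            continue
        if all(field_matches(f, masks.get(f), v) for f, v in zip(fields, tup)):
            return action
    return None


def flow_match(tables: Dict[str, KernelFlowTable], pkt: dict) -> List[str]:
    """Return the execution action instruction chosen for each matching tuple."""
    kernel_id, tuples = extract_features(pkt)
    table = tables[matching_key(kernel_id)]
    results = []
    for tup, fields in zip(tuples, (L2_FIELDS, L3_FIELDS)):
        action = table.exact.get(tup)                 # first priority: exact match
        if action is None:                            # miss: continue downward
            action = fuzzy_match(table, tup, fields)  # second priority: fuzzy match
        if action is None:                            # both missed: update both tables
            table.exact[tup] = LEARN_ACTION
            table.fuzzy.append((0, dict(zip(fields, tup)), LEARN_ACTION))
            action = LEARN_ACTION
        results.append(action)
    return results


def sample_tables() -> Dict[str, KernelFlowTable]:
    """Constructed sample: one kernel flow table for datapath dp0, table 0."""
    return {"dp0:0": KernelFlowTable(
        exact={("p1", "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"): "output:2"},
        fuzzy=[(10, {"nw_dst": "10.0.1.0/24", "nw_proto": 6, "tp_dst": 22}, "drop"),
               (1, {"nw_dst": "10.0.0.0/8"}, "normal")])}


def sample_packet(in_port: str, dl_src: str, dl_dst: str, nw_dst: str, tp_dst: int) -> dict:
    """Constructed packet summary carrying the kernel id and the matched header fields."""
    return {"datapath": "dp0", "table": 0, "in_port": in_port, "dl_src": dl_src,
            "dl_dst": dl_dst, "nw_src": "10.0.2.5", "nw_dst": nw_dst,
            "nw_proto": 6, "tp_dst": tp_dst}
```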
Specifically, the sending module 604 includes:
a segment processing unit 6041, configured to perform segment preprocessing on the new data packet according to a preset data volume segment threshold through the provisioning bridge, to obtain multiple data segments, and configure control data required by first data segment encryption;
an encrypting unit 6042, configured to encrypt the first data segment by using the control data through the provisioning network bridge to obtain an encrypted data segment, and send the encrypted data segment to the second host;
a discrimination unit 6043, configured to receive, through the provisioning bridge, response information about the encrypted data segment sent by the second host, and determine, according to the response information, whether the second host successfully receives the encrypted data segment;
a loop processing unit 6044, configured to, if the second host successfully receives the encrypted data segment, encrypt and send the next data segment to the second host through the provisioning bridge, repeating this until all data segments corresponding to the data packet have been encrypted and sent to the second host; and if reception fails, retransmit the encrypted data segment to the second host through the provisioning bridge until the second host successfully receives the encrypted data segment or the number of transmissions reaches a preset transmission threshold.
In the embodiment of the invention, the distributed firewall function for the data packet is realized by mounting IPtables at three detection points on the integrated bridge: the connection tracking record is generated and state filtering is carried out through the three detection points, so that the packet transmission of virtual machines between different hosts is protected point to point, and the security of the intelligent-decision-based data transmission is improved. Because the detection points and the IPtables are mounted on the integrated bridge, the number of bridges is reduced and the forwarding performance of the intelligent-decision-based data transmission is improved. In addition, the kernel flow table is divided into a first priority flow table (exact matching) and a second priority flow table (fuzzy matching): if the higher-priority exact match is hit, the lookup stops there; if it is not hit, the lookup continues downward into the second priority flow table for fuzzy matching. Thus not every kernel flow table entry has to be matched for every packet, the highest-priority matching item for a matching tuple is selected, the amount of computation is reduced, and the computation efficiency is improved.
Fig. 6 and fig. 7 describe the data transmission device based on intelligent decision in the embodiment of the present invention in detail from the perspective of the modular functional entity; the following describes the data transmission device based on intelligent decision in the embodiment of the present invention in detail from the perspective of hardware processing.
Fig. 8 is a schematic structural diagram of an intelligent decision-based data transmission apparatus 800 according to an embodiment of the present invention, which may vary considerably with configuration or performance, and may include one or more processors (CPUs) 810 (e.g., one or more processors) and a memory 820, and one or more storage media 830 (e.g., one or more mass storage devices) for storing applications 833 or data 832. Memory 820 and storage medium 830 may be, among other things, transitory or persistent storage. The program stored on the storage medium 830 may include one or more modules (not shown), each of which may include a sequence of instructions operating on the intelligent decision-based data transmission apparatus 800. Still further, the processor 810 may be configured to communicate with the storage medium 830 to execute a series of instruction operations in the storage medium 830 on the intelligent decision-based data transmission apparatus 800.
The intelligent decision-based data transmission apparatus 800 may also include one or more power supplies 840, one or more wired or wireless network interfaces 850, one or more input-output interfaces 860, and/or one or more operating systems 831, such as Windows Server, Mac OS X, Unix, Linux, FreeBSD, and the like. Those skilled in the art will appreciate that the intelligent decision-based data transmission apparatus architecture illustrated in fig. 8 does not constitute a limitation of intelligent decision-based data transmission apparatuses, which may include more or fewer components than those illustrated, some components in combination, or a different arrangement of components.
The invention further provides an intelligent decision-based data transmission device, which includes a memory and a processor, where the memory stores computer-readable instructions, and when the computer-readable instructions are executed by the processor, the processor executes the steps of the intelligent decision-based data transmission method in the foregoing embodiments.
The present invention also provides a computer-readable storage medium, which may be a non-volatile computer-readable storage medium, and which may also be a volatile computer-readable storage medium, having stored therein instructions, which, when run on a computer, cause the computer to perform the steps of the intelligent decision-based data transmission method.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention, which is substantially or partly contributed by the prior art, or all or part of the technical solution may be embodied in a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to perform all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: various media capable of storing program codes, such as a USB disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.
The application is operational with numerous general purpose or special purpose computing system environments or configurations. For example: personal computers, server computers, hand-held or portable devices, tablet-type devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like. The application may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present invention, and not for limiting the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. An intelligent decision-based data transmission method applied to an intelligent decision-based data transmission system, wherein the intelligent decision-based data transmission system comprises a protocol stack, an integrated bridge and a provisioning bridge, the integrated bridge comprises a plurality of detection points, and the intelligent decision-based data transmission method comprises:
receiving a data packet sent by a first host through the integrated network bridge, and performing flow matching on the data packet by adopting a preset kernel flow table to obtain a flow matching result;
if the flow matching result is successful, detecting the transmission state of the integrated network bridge when the integrated network bridge transmits the data packet through each detection point;
according to the detection result, creating a connection tracking record corresponding to the data packet, starting a detection rule corresponding to the data packet in IPtables at each detection point through ipt_do_table by using the connection tracking record, constructing a firewall according to an execution action corresponding to the detection rule, and filtering the transmission state of the data packet according to the constructed firewall to obtain a state filtering result;
based on the connection tracking record, transmitting the data packet to the protocol stack through the integrated network bridge, performing host protocol configuration on the data packet through the protocol stack to obtain a new data packet, and returning the new data packet to the integrated network bridge;
transmitting, by the integration bridge, the new data packet to the provisioning bridge and sending, by the provisioning bridge, the new data packet to a second host.
2. The intelligent decision-making based data transmission method according to claim 1, wherein the detection points include a receiving detection node, a process detection node, and a sending detection node, and the creating a connection trace record corresponding to the data packet according to the detection result, and filtering the transmission state of the data packet by using the connection trace record to obtain a state filtering result includes:
detecting a transmission target address of the data packet through the receiving detection node according to a detection result and a preset first state rule table, and configuring a connection tracking record corresponding to the data packet by adopting the transmission target address;
traversing a preset second state rule table by the process detection node by adopting the connection tracking record to obtain a traversal result, and selecting a connection state matched with the connection tracking record from the second state rule table according to the traversal result;
and confirming the connection state by adopting a preset third state rule table through the sending detection node, and taking the successfully confirmed connection state as a state filtering result corresponding to the data packet.
3. The intelligent decision-making based data transmission method according to claim 2, wherein the configuring, with the transmission destination address, the connection trace record corresponding to the data packet comprises:
analyzing the transmission target address to obtain a virtual machine domain address and a physical machine network card address for receiving the data packet;
and configuring a connection tracking record corresponding to the data packet by adopting the domain address of the virtual machine and the network card address of the physical machine.
4. The intelligent decision-based data transmission method according to claim 1, wherein the performing flow matching on the data packet by using a preset kernel flow table to obtain a flow matching result comprises:
extracting transmission packet characteristics corresponding to the data packet, wherein the transmission packet characteristics comprise kernel identification information and a plurality of matching tuples corresponding to the data packet;
converting the kernel identification information into a matching key value, and selecting a preset kernel flow table matched with the matching key value, wherein the kernel flow table comprises a first priority flow table and a second priority flow table;
respectively adopting each matching tuple and the first priority flow table to carry out accurate matching, and respectively judging whether each matching tuple is successfully matched accurately;
if the accurate matching is successful, selecting an execution action instruction matched with the matching tuple from the first priority flow table and taking the execution action instruction as a flow matching result;
if the precise matching fails, fuzzy matching is carried out on the second priority flow table by adopting the corresponding matching tuple, and whether the fuzzy matching of the corresponding matching tuple is successful or not is judged;
and if the fuzzy matching is successful, selecting an execution action instruction matched with the matched tuple from the second priority flow table and taking the execution action instruction as a flow matching result.
5. The intelligent decision-based data transmission method according to claim 4, wherein after the determining whether the corresponding matching tuple is matched in the fuzzy manner successfully, the method further comprises:
and if the fuzzy matching of the corresponding matching tuple fails, storing the matching tuple in the first priority flow table and the second priority flow table so as to update the first priority flow table and the second priority flow table.
6. An intelligent decision-based data transmission method according to any of claims 1-5, wherein said sending the new data packet to a second host via the provisioning bridge comprises:
performing segment preprocessing on the new data packet according to a preset data volume segment threshold value through the provisioning bridge to obtain a plurality of data segments, and configuring control data required by first data segment encryption;
encrypting the first data segment by the control data through the provisioning network bridge to obtain an encrypted data segment, and sending the encrypted data segment to the second host;
receiving, by the provisioning bridge, response information sent by the second host regarding the encrypted data segment, and determining, based on the response information, whether the second host successfully received the encrypted data segment;
if the second host successfully receives the encrypted data segment, encrypting and sending the next data segment to the second host through the provisioning bridge, and repeating this until all data segments corresponding to the data packet have been encrypted and sent to the second host;
and if reception fails, retransmitting the encrypted data segment to the second host through the provisioning bridge until the second host successfully receives the encrypted data segment or the number of transmissions reaches a preset transmission threshold value.
7. An intelligent decision-based data transmission device, applied to an intelligent decision-based data transmission system, wherein the intelligent decision-based data transmission system comprises a protocol stack, an integrated bridge and a provisioning bridge, the integrated bridge comprises a plurality of detection points, and the intelligent decision-based data transmission device comprises:
the flow matching module is used for receiving a data packet sent by the first host through the integrated network bridge and performing flow matching on the data packet by adopting a preset kernel flow table to obtain a flow matching result;
a state filtering module, configured to detect, through each detection point, a transmission state of the integrated network bridge when transmitting the data packet if the stream matching result is a successful match; according to the detection result, creating a connection tracking record corresponding to the data packet, starting a detection rule corresponding to the data packet in IPtables at each detection point through ipt_do_table by using the connection tracking record, constructing a firewall according to an execution action corresponding to the detection rule, and filtering the transmission state of the data packet according to the constructed firewall to obtain a state filtering result;
the configuration module is used for transmitting the data packet to the protocol stack through the integrated network bridge based on the connection tracking record, performing host protocol configuration on the data packet through the protocol stack to obtain a new data packet, and returning the new data packet to the integrated network bridge;
and the sending module is used for transmitting the new data packet to the provisioning bridge through the integration bridge and sending the new data packet to a second host through the provisioning bridge.
8. An intelligent decision-making based data transmission apparatus according to claim 7, wherein the detection points include a reception detection node, a process detection node and a transmission detection node, and the state filtering module includes:
a configuration unit, configured to detect a transmission target address of the data packet through the receiving detection node according to a detection result and a preset first state rule table, and configure a connection tracking record corresponding to the data packet by using the transmission target address;
the filtering unit is used for traversing a preset second state rule table by adopting the connection tracking record through the process detection node to obtain a traversal result, and selecting a connection state matched with the connection tracking record from the second state rule table according to the traversal result;
and the confirming unit is used for confirming the connection state by adopting a preset third state rule table through the sending detection node and taking the successfully confirmed connection state as a state filtering result corresponding to the data packet.
9. An intelligent decision-based data transmission device, characterized in that the intelligent decision-based data transmission device comprises: a memory and at least one processor, the memory having instructions stored therein;
the at least one processor invoking the instructions in the memory to cause the intelligent decision-based data transfer device to perform the steps of the intelligent decision-based data transfer method of any one of claims 1-6.
10. A computer-readable storage medium having instructions stored thereon, wherein the instructions, when executed by a processor, implement the steps of the intelligent decision-based data transmission method according to any one of claims 1-6.

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202110954681.5A CN113630301B (en) 2021-08-19 2021-08-19 Data transmission method, device and equipment based on intelligent decision and storage medium
PCT/CN2022/071690 WO2023019876A1 (en) 2021-08-19 2022-01-13 Intelligent decision-based data transmission method, apparatus, and device, and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110954681.5A CN113630301B (en) 2021-08-19 2021-08-19 Data transmission method, device and equipment based on intelligent decision and storage medium

Publications (2)

Publication Number Publication Date
CN113630301A CN113630301A (en) 2021-11-09
CN113630301B true CN113630301B (en) 2022-11-08

Family

ID=78386645

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110954681.5A Active CN113630301B (en) 2021-08-19 2021-08-19 Data transmission method, device and equipment based on intelligent decision and storage medium

Country Status (2)

Country Link
CN (1) CN113630301B (en)
WO (1) WO2023019876A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113630301B (en) * 2021-08-19 2022-11-08 平安科技(深圳)有限公司 Data transmission method, device and equipment based on intelligent decision and storage medium
CN117459765B (en) * 2023-12-20 2024-03-12 杭州海康威视数字技术股份有限公司 Multimedia security protection method, device and system based on storage service

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105190557A (en) * 2012-10-16 2015-12-23 思杰系统有限公司 Systems and methods for bridging between public and private clouds through multi-level api integration
CN107547439A (en) * 2017-09-08 2018-01-05 中国银联股份有限公司 A kind of method for controlling network flow and calculate node
CN108463830A (en) * 2015-11-18 2018-08-28 e2因特莱科迪伏有限公司 Bridge for domestic transaction mandate
CN108471383A (en) * 2018-02-08 2018-08-31 华为技术有限公司 Message forwarding method, device and system
CN111131037A (en) * 2019-12-27 2020-05-08 网易(杭州)网络有限公司 Data transmission method, device, medium and electronic equipment based on virtual gateway
CN112565090A (en) * 2020-11-09 2021-03-26 烽火通信科技股份有限公司 High-speed forwarding method and device

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8743888B2 (en) * 2010-07-06 2014-06-03 Nicira, Inc. Network control apparatus and method
US10263870B2 (en) * 2016-07-07 2019-04-16 International Business Machines Corporation Suspending and resuming virtual machines in a network
CN108322467B (en) * 2018-02-02 2021-11-05 云宏信息科技股份有限公司 OVS-based virtual firewall configuration method, electronic equipment and storage medium
CN109361602B (en) * 2018-11-12 2021-06-22 网宿科技股份有限公司 Method and system for forwarding message based on OpenStack cloud platform
CN113630301B (en) * 2021-08-19 2022-11-08 平安科技(深圳)有限公司 Data transmission method, device and equipment based on intelligent decision and storage medium


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Development And Performance Evaluation of a BR-DBA Algorithm; Seung-Kun Lee, Jong-Wook Jang, Moon-Han Bae; 2008 Third International Conference on Convergence and Hybrid Information Technology; 2008-11-18; full text *
Design of an attack and defense range for cyberspace; 吴怡晨, 王轶骏, 薛质; 通信技术 (Communications Technology); 2017-10-31; full text *

Also Published As

Publication number Publication date
WO2023019876A1 (en) 2023-02-23
CN113630301A (en) 2021-11-09


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant