CN114401218A - Bypass forwarding method and device for data message - Google Patents


Info

Publication number
CN114401218A
Authority
CN
China
Prior art keywords
network card
address
data message
memory space
queue
Prior art date
Legal status
Granted
Application number
CN202111620330.7A
Other languages
Chinese (zh)
Other versions
CN114401218B (en)
Inventor
赵刚
谢正明
叶建伟
黄�俊
叶晓虎
Current Assignee
Nsfocus Technologies Inc
Nsfocus Technologies Group Co Ltd
Original Assignee
Nsfocus Technologies Inc
Nsfocus Technologies Group Co Ltd
Priority date
Filing date
Publication date
Application filed by Nsfocus Technologies Inc, Nsfocus Technologies Group Co Ltd
Priority to CN202111620330.7A
Publication of CN114401218A
Application granted
Publication of CN114401218B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks > H04L45/24 Multipath
    • H04L12/00 Data switching networks > H04L12/02 Details
    • H04L45/00 Routing or path finding of packets in data switching networks > H04L45/28 Routing or path finding of packets in data switching networks using route fault recovery
    • H04L63/00 Network architectures or network communication protocols for network security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a bypass forwarding method and device for data messages, intended to solve the problem that, when the software of a network security device is upgraded or its security processing logic is abnormal, forwarding through a network card is either inflexible (relay-based bypass) or consumes a large share of CPU (central processing unit) resources (software-based bypass). The method comprises: controlling the DMA controller to acquire a data message received by the second network card according to the address of the second receive queue of the second network card and send it out through the first network card; and controlling the DMA controller to acquire a data message received by the first network card according to the address of the first receive queue of the first network card and send it out through the second network card.

Description

Bypass forwarding method and device for data message
Technical Field
The present application relates to the field of communications technologies, and in particular, to a bypass forwarding method and apparatus for data packets.
Background
Network security devices are typically deployed between two or more networks, for example between an intranet and an extranet. An application inside the network security device analyzes the network packets passing through it to determine whether a threat exists. The network security device supports a "virtual wire" mode that reduces the intrusiveness of deploying the device into the customer's network: in this mode the device behaves like a network cable and sends packets according to a preconfigured mapping between network cards, for example, packets received on one network port are sent directly out of the other. When the network security device fails, for example during a software upgrade or when its security processing logic is abnormal, all networks connected to the device lose contact with each other. If the networks are required to stay connected at this time, bypass mode must be started. After bypass mode is started, the networks connected to the device are connected directly to each other and the network security device no longer processes the packets that pass between them. At present, the bypass function supported by network cards is mainly implemented with a relay or by software. The relay-based method is fixed before the network card leaves the factory and cannot forward between other network cards, so forwarding is inflexible. Software-based forwarding occupies the CPU, and when the program logic has a problem, CPU resources are taken by the abnormal program, which lowers forwarding efficiency and causes packet loss.
Disclosure of Invention
The embodiment of the application provides a bypass forwarding method and device for data messages, aiming to solve the problem that, when the software of a network security device is upgraded or its security processing logic is abnormal, forwarding through a network card is inflexible (relay-based bypass) or occupies a large share of CPU (central processing unit) resources (software-based bypass).
In a first aspect, an embodiment of the present application provides a method for bypassing forwarding a data packet, including:
when the software of the network security equipment is upgraded or the security processing logic is abnormal, controlling the DMA controller to acquire a data message received by the second network card according to the address of a second receiving queue of the second network card and sending the data message out through the first network card; and controlling the DMA controller to acquire the data message received by the first network card from the first receiving queue according to the address of the first receiving queue of the first network card, and sending the data message out through the second network card.
Based on the scheme, the data message received by the second network card can be sent out from the first network card, and the data message received by the first network card can be sent out from the second network card, so that data messages can still be forwarded while the software of the network security device is being upgraded or its security processing logic is abnormal. Because only the address from which the DMA controller fetches the data message to be sent is changed, forwarding is controlled without consuming processing resources, and the processing speed can be improved. In addition, when the network security device contains several network cards, the method can select which network card to forward from according to requirements, which is more flexible than the relay approach.
In a possible implementation manner, controlling the DMA controller to obtain the data packet received by the second network card according to the address of the second receive queue of the second network card includes: updating the address of the DMA controller for acquiring the data message to be transmitted through the first network card from the address of the first transmitting queue to the address of the second receiving queue; the address of a first memory space is stored in the memory space indicated by the address of the first sending queue, the first memory space is used for storing the data message to be sent by the first network card, the address of a second memory space is stored in the memory space indicated by the address of the second receiving queue, and the second memory space is used for storing the data message received by the second network card.
Based on the scheme, the DMA controller is controlled to send the data message received by the second receiving queue out of the first network card, and the received data is not subjected to packet processing through the network security equipment, so that the bypass forwarding of the data message is realized, and the processing efficiency can be improved.
In a possible implementation manner, first indication information is further stored in a memory space indicated by an address of the first send queue, where the first indication information is used to indicate whether the first memory space contains a data packet to be sent, so that when the DMA controller determines that the first memory space contains the data packet to be sent according to the first indication information, the DMA controller obtains the data packet to be sent from the first memory space. The first memory space includes a plurality of first subspaces, and different first subspaces are used for storing different data messages to be sent. The first indication information comprises a plurality of identifications, and the plurality of identifications correspond to the plurality of first subspaces one by one. The identifier is used for indicating whether the corresponding first subspace stores the data message to be sent.
After the network card receives the data message, determining a first subspace with an empty storage state from the plurality of first subspaces according to the first indication information, storing the data message in the first subspace with the empty storage state, and setting the first subspace as a storage state in which the data message is stored.
Based on the scheme, the memory space indicated by the address of the first sending queue stores the indication information, the received data message can be rapidly determined to be stored in the subspace with the empty storage state according to the indication information, the idle subspace does not need to be searched in a traversing manner, and the storage efficiency is improved.
In a possible implementation, the method further includes: and when the network security equipment does not execute software upgrading and the security processing logic is normal and the indication information of the first memory space indicates that the first memory space contains a data message to be sent, controlling the DMA controller to acquire the data message to be sent from the first memory space according to the address of the first sending queue and send the data to be sent in the first memory space through the first network card.
Based on the scheme, when the network security device does not execute software upgrading and the security processing logic is normal, the network security device is switched to a normal state, and the DMA controller is controlled to acquire the data message to be sent from the first memory space according to the address of the first sending queue and send the data message out through the first network card, so that the method is simple and effective to implement.
In a possible implementation manner, controlling the DMA controller to obtain the data packet received by the first network card according to the address of the first receive queue of the first network card includes: updating the address from which the DMA controller acquires the data message to be transmitted through the second network card from the address of the second send queue to the address of the first receive queue. The address of a third memory space is stored in the memory space indicated by the address of the first receive queue, and the third memory space is used for storing the data message received by the first network card; the address of a fourth memory space is stored in the memory space indicated by the address of the second send queue, and the fourth memory space is used for storing the data message to be sent by the second network card.
Based on the scheme, the DMA controller is controlled to send out the data message received by the first receiving queue through the second network card, and the received data is not subjected to packet processing through the network security equipment, so that bypass forwarding of the data message is realized, and the processing efficiency can be improved.
In a possible implementation manner, second indication information is further stored in the memory space indicated by the address of the second sending queue, where the second indication information is used to indicate whether the fourth memory space contains a data packet to be sent.
Based on the above scheme, the memory space indicated by the address of the second sending queue stores the indication information, and whether to store the received data packet into the subspace corresponding to the indication information can be determined according to the indication information.
In a possible implementation, the method further includes: and when the network security device does not execute software upgrading and the security processing logic is normal and the second indication information indicates that the fourth memory space contains a data message to be sent, controlling the DMA controller to acquire the data message to be sent from the fourth memory space according to the address of the second sending queue and send the data message to be sent in the fourth memory space through the second network card.
Based on the scheme, when the network security device does not execute software upgrading and the security processing logic is normal, the network security device is switched to a normal state, and the DMA controller acquires the data message to be sent from the fourth memory space according to the address of the second sending queue and sends the data message out through the second network card.
In a second aspect, an embodiment of the present application provides a network security device, including a processor, a DMA controller, a first network card, and a second network card;
the processor controls the DMA controller to acquire the data message received by the second network card according to the address of a second receiving queue of the second network card when the software of the network security equipment is upgraded or the security processing logic is abnormal;
the first network card is used for sending the data message which is acquired by the DMA controller and received by the second network card;
the processor is further configured to control the DMA controller to obtain the data message received by the first network card according to the address of the first receive queue of the first network card;
and the second network card is used for sending the data message which is acquired by the DMA controller and received by the first network card.
In one possible implementation, the processor is specifically configured to: updating the address of the DMA controller for acquiring the data message to be transmitted through the first network card from the address of the first transmitting queue to the address of the second receiving queue; the address of a first memory space is stored in the memory space indicated by the address of the first sending queue, and the first memory space is used for storing a data message to be sent by the first network card; and storing the address of a second memory space in the memory space indicated by the address of the second receiving queue, wherein the second memory space is used for storing the data message received by the second network card.
In a possible implementation manner, a memory space indicated by an address of the first sending queue further stores first indication information, where the first indication information is used to indicate whether the first memory space contains a data packet to be sent.
In one possible implementation, the processor is further configured to: and when the network security equipment does not execute software upgrading and the security processing logic is normal and the first indication information indicates that the first memory space contains a data message to be sent, controlling the DMA controller to acquire the data message to be sent from the first memory space according to the address of the first sending queue and send the data message to be sent through the first network card.
In one possible implementation, the processor is specifically configured to: and updating the address of the DMA controller for acquiring the data message to be transmitted through the second network card from the address of the second transmission queue to the address of the first receiving queue. The address of a third memory space is stored in the memory space indicated by the address of the first receiving queue, and the third memory space is used for storing the data message received by the first network card; and storing an address of a fourth memory space in the memory space indicated by the address of the second sending queue, wherein the fourth memory space is used for storing the data message to be sent by the second network card.
In a possible implementation manner, second indication information is further stored in the memory space indicated by the address of the second sending queue, where the second indication information is used to indicate whether the fourth memory space contains a data packet to be sent.
In one possible implementation, the processor is further configured to: and when the network security device does not execute software upgrading and the security processing logic is normal and the second indication information indicates that the fourth memory space contains a data message to be sent, controlling the DMA controller to acquire the data message to be sent from the fourth memory space according to the address of the second sending queue and send the data message to be sent in the fourth memory space through the second network card.
In a third aspect, an embodiment of the present application provides a bypass forwarding apparatus for data packets, including a memory and a processor.
The memory to store program instructions;
the processor is configured to call a program instruction stored in the memory, and execute the method according to the first aspect and the different implementation manners of the first aspect according to an obtained program.
In a fourth aspect, the present application provides a computer-readable storage medium storing computer instructions that, when executed on a computer, cause the computer to perform the method according to the first aspect and different implementations of the first aspect.
In addition, for technical effects brought by any implementation manner of the second aspect to the fourth aspect, reference may be made to technical effects brought by any different implementation manner of the first aspect and the first aspect, and details are not described here.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to these drawings without inventive exercise.
FIG. 1 is a schematic diagram of a network security device performing a data processing method;
FIG. 2 is a schematic diagram of a method for implementing bypass using a relay;
fig. 3 is a schematic flowchart of a bypass forwarding method for a data packet according to an embodiment of the present application;
fig. 4 is a schematic diagram of a queue structure according to an embodiment of the present application;
fig. 5 is a schematic diagram of bypass forwarding of a data packet according to an embodiment of the present application;
fig. 6 is a schematic diagram of a storage state of a data packet according to an embodiment of the present application;
fig. 7 is a schematic diagram of a network card queue in a normal state according to an embodiment of the present application;
fig. 8 is a schematic diagram of a network security device according to an embodiment of the present application;
fig. 9 is a schematic diagram of a bypass forwarding device for data packets according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. The components of the embodiments of the present application, generally described and illustrated in the figures herein, can be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present application, presented in the accompanying drawings, is not intended to limit the scope of the claimed application, but is merely representative of selected embodiments of the application. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present application without making any creative effort, shall fall within the protection scope of the present application.
It is noted that relational terms such as "first" and "second," and the like, may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
Network security equipment is applied between two or more networks and connects different networks. An application program in the network security equipment analyzes the network packets passing through the device and, after processing, forwards them according to certain routing rules. When the network security device fails, for example after a power failure or a crash, the connection between the different networks attached to it is broken. Therefore, when the network security device fails, the network card needs to support a bypass function, that is, a specific trigger state causes the two networks to be connected directly and physically without passing through the system of the network security device; at that time the application software in the network security device does not process the packets in the network, as shown in fig. 1.
The bypass method can be implemented at the hardware level or at the software level. At the hardware level, bypass is mainly implemented with a relay. The relay is connected to the signal lines of each of the two bypass ports; its operation is described below for one signal line, as shown in fig. 2. Taking power triggering as an example: on power failure the switch in the relay jumps to state 1, i.e. Rx on the RJ45 interface of LAN1 is wired directly to Tx on the RJ45 interface of LAN2; when the device is powered on the switch moves to state 2, and communication between the networks on LAN1 and LAN2 then has to be carried out by the application program on the device. At the software level, bypass can be controlled and triggered through a General-Purpose Input/Output (GPIO) interface: operating the GPIO makes the relay jump accordingly. When the GPIO is set high, the relay jumps to position 1; when the GPIO is set low, the relay jumps to position 2. However, with the relay method the bypass path is set before shipping, that is, the network connection between network cards is fixed in hardware, so forwarding between other network cards cannot be realized, which is a limitation. Implementing message forwarding in software occupies a CPU process, which raises CPU utilization and in turn affects the CPU's processing speed.
When network security equipment software is upgraded or security processing logic is abnormal, a sending address of a network card is configured, a data message is directly acquired from a memory pointed by the sending address, and then the data message is sent out. The method does not need to realize the message forwarding between the network cards by a relay method, so the configuration of the network port is more flexible, the CPU is not occupied in the processing process, and the processing speed is improved.
The embodiment of the present application provides a bypass forwarding method based on data packets, as shown in fig. 3, the method may be executed by a processor or a processing module in a network security device. The specific process is as follows:
301, when the network security device software is upgraded or the security processing logic is abnormal, controlling the DMA controller to obtain the data message received by the second network card according to the address of the second receive queue of the second network card, and sending out the data message through the first network card. In order to facilitate distinction from the receive queue of the first network card, in this embodiment, the receive queue of the first network card is referred to as a first receive queue, and the receive queue of the second network card is referred to as a second receive queue.
In some embodiments, controlling the DMA controller to obtain the data message received by the second network card according to the address of the second receive queue of the second network card and send the data message through the first network card may be understood as updating the address for controlling the DMA controller to obtain the data message to be sent through the first network card from the address of the first send queue to the address of the second receive queue. And the DMA controller acquires the data message received by the second network card from the second receiving queue and sends the data message out through the first network card. The address of the first memory space is stored in the memory space indicated by the address of the first sending queue, and the first memory space is used for storing a data message to be sent by the first network card; and storing the address of the second memory space in the memory space indicated by the address of the second receiving queue, wherein the second memory space is used for storing the data message received by the second network card. In some embodiments, when the DMA controller obtains the data packet received by the second network card from the second receive queue, the DMA controller may be implemented by: and the DMA controller determines the memory space of the data message received by the second network card from the second receiving queue, and then reads the data message received by the second network card from the determined memory space.
In some embodiments, for convenience of description, the first network card is referred to as network card 1 and the second network card as network card 2. When the network security device software is upgraded or the security processing logic is abnormal, the address of the second receive queue of network card 2 can be obtained through the GET_DMA_ADDR function; for convenience of description, the second receive queue is denoted RX2_BD_ARRAY and the send queue of network card 1 is denoted TX1_BD_ARRAY. The sending address of network card 1 is then modified, through the SET_DMA_ADDR function, from the address of TX1_BD_ARRAY to the address of RX2_BD_ARRAY. After the address modification, the DMA controller obtains the data packets to be sent from the second memory space indicated by the address of the receive queue of network card 2 (i.e. the RX2_BD_ARRAY address) and sends them out through network card 1. Specifically, after network card 2 receives packet data, the DMA controller stores the received packet data in the receive queue (RX2_BD_ARRAY) of network card 2. When the DMA controller then detects that the send queue of network card 1 (which is now the receive queue of network card 2) contains a data packet to be processed, it obtains the data packet from the memory space indicated by the address information in the receive queue of network card 2 and sends it out through network card 1, as shown in fig. 5.
In some embodiments, the memory space indicated by the address of the first transmit queue further stores first indication information, where the first indication information is used to indicate whether the first memory space contains a data packet to be transmitted. The first memory space includes a plurality of first subspaces, and different subspaces are used for storing different data messages to be sent. Similarly, the memory space indicated by the address of the second receive queue also stores indication information, where the indication information is used to indicate whether the second memory space contains the received data packet, so that when the first network card determines that the second memory space contains the received data packet according to the indication information in the memory space indicated by the address of the second receive queue, the first network card obtains the received data packet from the second memory space and sends the received data packet.
In some embodiments, the second memory space includes a plurality of subspaces, and different subspaces are used for storing different received data packets. The first indication information comprises a plurality of identifiers, and the plurality of identifiers correspond to the plurality of subspaces one by one. Each identifier indicates whether the corresponding subspace stores a data message to be sent. The receive queue and the send queue may each include a plurality of elements, each of which stores storage status information and memory space address information, as shown in fig. 4. In some embodiments, each element of the receive queue or the send queue is referred to as a packet description array. In fig. 4, status denotes the storage status information and address denotes the subspace address information. For example, packet description array 1 includes status1 and address1: address1 is the address of subspace 1 (pkt_buff1), and status1 indicates whether subspace 1 pointed to by address1 stores a data packet.
In some embodiments, when the second network card receives a data packet, a subspace whose storage state is empty is determined from the plurality of subspaces according to the indication information in the memory space indicated by the address of the second receive queue, the data packet is stored in that subspace, and the storage state of the subspace is updated to indicate that it stores a data packet. For example, RX2_BD_ARRAY represents the receive queue of network card 2, used for storing data packets received by network card 2. RX2_BD_ARRAY stores storage status identifiers: empty indicates that the subspace contains no data packet and may be written to, and ready indicates that the subspace contains a data message that can be transmitted. For example, when network card 2 receives a data packet, a subspace in which no data packet is stored (that is, whose storage state is empty) is determined according to the indication information in the receive queue of network card 2, the received data packet is stored in that subspace, and the storage state of the subspace is updated to ready, as shown in fig. 6.
In other embodiments, after the DMA controller obtains a data message received by the second network card from the second receive queue and sends it out through the first network card, the storage state of the subspace where that data message is located is updated to empty. For example, the DMA controller determines an element whose storage status is ready from the receive queue (RX2_BD_ARRAY) of network card 2, and determines the subspace where the data packet is located according to the space address information stored in that element. The DMA controller reads the data message from the subspace pointed to by pkt_buff and sends it out through network card 1. In some embodiments, the storage state of the subspace may be updated to empty either after the DMA controller has read the data packet from the subspace or after it has sent the packet out through network card 1.
And 302, controlling the DMA controller to acquire the data message received by the first network card according to the address of the first receiving queue of the first network card, and sending the data message out through the second network card.
In some embodiments, controlling the DMA controller to obtain the data message received by the first network card according to the address of the first receive queue of the first network card and send it out through the second network card may be understood as updating the address from which the DMA controller obtains data messages to be sent through the second network card, from the address of the second send queue to the address of the first receive queue. The DMA controller then obtains the data message received by the first network card from the first receive queue and sends it out through the second network card. The address of a third memory space is stored in the memory space indicated by the address of the first receive queue, and the third memory space is used for storing data messages received by the first network card. The address of a fourth memory space is stored in the memory space indicated by the address of the second send queue, and the fourth memory space is used for storing data messages to be sent by the second network card. In some embodiments, the DMA controller obtains the data packet received by the first network card from the first receive queue as follows: the DMA controller determines, from the first receive queue, the memory space where the data message received by the first network card is located, and then reads the data message from the determined memory space.
In some embodiments, still taking network card 1 and network card 2 as an example, as shown in fig. 5, when the network security device software is upgraded or the security processing logic is abnormal, the address of the first receive queue of network card 1 may be obtained through the GET_DMA_ADDR function; for convenience of description, the first receive queue is denoted RX1_BD_ARRAY. Further, the send address of network card 2 may be modified from the address of the send queue of network card 2 to the address of the receive queue of network card 1 through the SET_DMA_ADDR function. The send queue of network card 2 is denoted TX2_BD_ARRAY and the receive queue of network card 1 is denoted RX1_BD_ARRAY. Illustratively, the send address of network card 2 is modified from the TX2_BD_ARRAY address to the RX1_BD_ARRAY address through the SET_DMA_ADDR function. After the address modification, the DMA controller obtains the data packets to be sent from the third memory space via the address of the receive queue of network card 1 (i.e., the RX1_BD_ARRAY address) and sends them out through network card 2. Specifically, after network card 1 receives message data, the DMA controller stores the message data into the receive queue (RX1_BD_ARRAY) of network card 1. When the DMA controller then detects that the send queue of network card 2 (which is now the receive queue of network card 1) contains a data message, it obtains the data message from the memory space indicated by the space address information in the receive queue of network card 1 and sends it out through network card 2.
In some embodiments, the memory space indicated by the address of the second send queue further stores second indication information, where the second indication information is used to indicate whether the fourth memory space contains a data packet to be sent.
In some embodiments, the fourth memory space includes a plurality of second subspaces, and different second subspaces are used for storing different data packets to be sent. The second indication information comprises a plurality of identifications, and the plurality of identifications correspond to the plurality of second subspaces one by one. The identifier is used for indicating whether the corresponding second subspace stores the data message to be sent.
In some embodiments, when the first network card receives the data packet, the subspace with the empty storage state is determined from the plurality of subspaces according to the indication information, the data packet is stored in the subspace with the empty storage state, and the storage state of the subspace is updated to store the data packet. For example, when the network card 1 receives a data packet, a subspace where no data packet is stored (that is, the storage state is empty) may be determined according to the indication information in the receive queue of the network card 1, the received data packet is stored in the subspace, and the storage state of the subspace is set to ready.
In other embodiments, after the DMA controller obtains a data message received by the first network card from the first receive queue and sends it out through the second network card, the storage state of the second subspace where that data message is located is updated to empty. For example, RX1_BD_ARRAY may be used to represent the first receive queue of network card 1. RX1_BD_ARRAY contains storage status information: empty indicates that the subspace contains no data packet and may be written to; ready indicates that the subspace contains a data message that can be transmitted. pkt_buff points to the second subspace of the memory space, which stores the data message received by network card 1. The DMA controller determines an element whose storage state is ready from the receive queue (RX1_BD_ARRAY) of network card 1, and determines the subspace where the data message is located according to the space address information stored in that element. The DMA controller reads the data message from the subspace pointed to by pkt_buff and sends it out through network card 2. In some embodiments, the storage state of the subspace may be updated to empty either after the DMA controller has read the data packet from the subspace or after it has sent the packet out through network card 2.
Based on the scheme, when the software of the network security device is upgraded or the security processing logic is abnormal, data messages received by the first network card can be sent out through the second network card and data messages received by the second network card can be sent out through the first network card, so that data message forwarding between different network cards is realized. The method uses DMA to obtain data directly from the receive address and send it out; the processing does not occupy additional memory, so it is fast and does not affect the processing speed of the CPU. In addition, the method allows the association between different network cards to be configured, so it is more flexible.
In some embodiments, when the network security device is not executing a software upgrade, the security processing logic is normal, and the indication information indicates that the first memory space or the fourth memory space contains a data message to be sent, the DMA controller is controlled to obtain the data message to be sent from the first memory space according to the address of the first send queue and send it through the first network card, and to obtain the data message to be sent from the fourth memory space according to the address of the second send queue and send it through the second network card. Illustratively, following the example shown in fig. 5, when the network security device is not executing a software upgrade and the security processing logic is normal, the first receive queue address and first send queue address of network card 1, and the second receive queue address and second send queue address of network card 2, may be obtained through the GET_DMA_ADDR function. The first receive queue is denoted RX1_BD_ARRAY, the first send queue TX1_BD_ARRAY, the second receive queue RX2_BD_ARRAY, and the second send queue TX2_BD_ARRAY. After the receive queue addresses and send queue addresses of network card 1 and network card 2 are obtained, the send address of network card 1 is modified from the receive queue address of network card 2 (the RX2_BD_ARRAY address) back to the send queue address of network card 1 (the TX1_BD_ARRAY address) through the SET_DMA_ADDR function. At this time, the DMA controller obtains the data packets to be sent from the first memory space according to the send queue address of network card 1 (the TX1_BD_ARRAY address) and sends them out through network card 1.
It is understood that the send address of network card 2 can likewise be modified from the receive queue address of network card 1 (the RX1_BD_ARRAY address) back to the send queue address of network card 2 (the TX2_BD_ARRAY address) through the SET_DMA_ADDR function. At this time, the DMA controller obtains the data packets to be sent from the fourth memory space according to the send queue address of network card 2 (the TX2_BD_ARRAY address) and sends them out through network card 2, as shown in fig. 7.
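The descriptor-ring handshake of figs. 4 to 7 (status empty/ready, address pointing at a pkt_buff) and the send-address switch done with GET_DMA_ADDR / SET_DMA_ADDR, modelled below in C as an added example written for this page. It is not code from the patent or from NSFOCUS: the patent names GET_DMA_ADDR and SET_DMA_ADDR but gives no signatures, so the struct layouts, the function bodies, the ring size BD_COUNT, the buffer size PKT_BUFF_SIZE and the sample frame are all assumptions. Two practitioner points the model makes explicit: the status field is the only handshake between the producer (a NIC writing a received frame) and the consumer (the DMA controller draining a ring), so ready must be written after the copy and empty only after the frame has left; and in bypass mode the ring that NIC2 drains is RX1_BD_ARRAY itself, so no security processing touches the traffic (the device is fail-open for as long as the mode is active).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Ring and buffer sizes are assumptions for this example, not values from the patent. */
#define BD_COUNT      4
#define PKT_BUFF_SIZE 64
#define NIC1 0
#define NIC2 1

/* Storage state of a descriptor: "empty" may be written into, "ready" may be sent. */
enum bd_status { BD_EMPTY = 0, BD_READY = 1 };

/* One message description array element: status plus the address (and length) of its pkt_buff. */
struct bd { enum bd_status status; uint8_t *address; uint32_t len; };

/* A BD_ARRAY (RXn_BD_ARRAY or TXn_BD_ARRAY) with the pkt_buff subspaces its elements point to. */
struct bd_array { struct bd bd[BD_COUNT]; uint8_t pkt_buff[BD_COUNT][PKT_BUFF_SIZE]; };

/* A network card: its own RX and TX rings plus a simulated wire recording what it sent. */
struct nic { struct bd_array rx, tx; uint8_t wire[BD_COUNT][PKT_BUFF_SIZE]; int wire_count; };

/* The DMA controller's per-NIC "send address": the ring it drains when sending on that NIC. */
struct dma_ctrl { struct bd_array *send_src[2]; };

static void bd_array_init(struct bd_array *a) {
    for (int i = 0; i < BD_COUNT; i++) {
        a->bd[i].status = BD_EMPTY;
        a->bd[i].address = a->pkt_buff[i];   /* address i -> pkt_buff i, as in fig. 4 */
        a->bd[i].len = 0;
    }
}

/* Stand-ins for the page's GET_DMA_ADDR / SET_DMA_ADDR (names from the page, bodies are ours). */
static struct bd_array *get_dma_addr(struct nic *n, int want_rx) { return want_rx ? &n->rx : &n->tx; }
static void set_dma_addr(struct dma_ctrl *dma, int nic_idx, struct bd_array *src) { dma->send_src[nic_idx] = src; }

/* Mode switch. Normal: each NIC sends from its own TX ring and RX rings wait for the security
 * logic. Bypass: NIC1 sends from RX2_BD_ARRAY and NIC2 from RX1_BD_ARRAY. Nothing on the bypass
 * path runs the security processing logic, so the device is fail-open while this mode is active. */
static void set_bypass(struct dma_ctrl *dma, struct nic *nic1, struct nic *nic2, int bypass) {
    set_dma_addr(dma, NIC1, bypass ? get_dma_addr(nic2, 1) : get_dma_addr(nic1, 0));
    set_dma_addr(dma, NIC2, bypass ? get_dma_addr(nic1, 1) : get_dma_addr(nic2, 0));
}

static void system_init(struct dma_ctrl *dma, struct nic *nic1, struct nic *nic2) {
    memset(nic1, 0, sizeof *nic1);
    memset(nic2, 0, sizeof *nic2);
    bd_array_init(&nic1->rx); bd_array_init(&nic1->tx);
    bd_array_init(&nic2->rx); bd_array_init(&nic2->tx);
    set_bypass(dma, nic1, nic2, 0);
}

/* Producer side (a NIC receiving, or the security logic staging a frame for TX): take an empty
 * slot, copy the frame in, and flip the status to ready LAST, so the consumer never sees a ready
 * slot whose pkt_buff is only half written. Returns the slot index, or -1 if the ring is full. */
static int bd_array_put(struct bd_array *a, const uint8_t *frame, uint32_t len) {
    if (len == 0 || len > PKT_BUFF_SIZE) return -1;
    for (int i = 0; i < BD_COUNT; i++) {
        struct bd *d = &a->bd[i];
        if (d->status != BD_EMPTY) continue;
        memcpy(d->address, frame, len);
        d->len = len;
        d->status = BD_READY;
        return i;
    }
    return -1;
}

/* Consumer side: the DMA controller drains every ready descriptor from the NIC's current send
 * source, copies the frame to the wire, and returns the slot to empty. Returns frames sent. */
static int dma_send(struct dma_ctrl *dma, int nic_idx, struct nic *out) {
    struct bd_array *src = dma->send_src[nic_idx];
    int sent = 0;
    for (int i = 0; i < BD_COUNT && out->wire_count < BD_COUNT; i++) {
        struct bd *d = &src->bd[i];
        if (d->status != BD_READY) continue;
        memcpy(out->wire[out->wire_count++], d->address, d->len);
        d->status = BD_EMPTY;
        d->len = 0;
        sent++;
    }
    return sent;
}

/* Scenario: NIC1 receives one constructed frame, then the DMA engine services NIC2. Returns how
 * many frames reached NIC2's wire: 0 in normal mode (RX1 waits for inspection), 1 in bypass. */
static int bypass_demo(int bypass) {
    static const uint8_t frame[] = "constructed sample frame";   /* not real traffic */
    struct dma_ctrl dma; struct nic nic1, nic2;
    system_init(&dma, &nic1, &nic2);
    set_bypass(&dma, &nic1, &nic2, bypass);
    bd_array_put(&nic1.rx, frame, sizeof frame);                  /* NIC1 receive path */
    return dma_send(&dma, NIC2, &nic2);
}

int main(void) {
    printf("normal mode: NIC2 forwarded %d frame(s)\n", bypass_demo(0));
    printf("bypass mode: NIC2 forwarded %d frame(s)\n", bypass_demo(1));
    return 0;
}
```

Compile with `cc -std=c99 -Wall` and run; the first line reports 0 (in normal mode the frame sits in RX1_BD_ARRAY until the security logic stages it into a TX ring) and the second reports 1. A real driver would also need the status writes to be ordered with memory barriers and the switch between modes to happen only when the DMA engine is quiescent, which this single-threaded model does not show.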
Based on the same technical concept, an embodiment of the present application provides a network security device 800, as shown in fig. 8, the device 800 may perform each step in the bypass forwarding method for data packets, and details are not described here to avoid repetition. The device 800 includes a processor 801, a first network card 802, a second network card 803, and a DMA controller 804;
the processor 801, when the network security device software is upgraded or the security processing logic is abnormal, controls the DMA controller 804 to obtain the data message received by the second network card according to the address of the second receiving queue of the second network card;
the first network card 802 is configured to send the data packet received by the second network card, which is acquired by the DMA controller 804;
the processor 801 is further configured to control the DMA controller 804 to obtain the data packet received by the first network card according to the address of the first receive queue of the first network card 802;
the second network card 803 is further configured to send the data packet received by the first network card 802, which is acquired by the DMA controller 804.
In some embodiments, the processor 801 is specifically configured to: the DMA controller 804 updates the address for acquiring the data packet to be transmitted by the first network card 802 from the address of the first transmit queue to the address of the second receive queue. The address of the first memory space is stored in the memory space indicated by the address of the first transmit queue, and the first memory space is used for storing the data packet to be transmitted by the first network card 802. The address of the second memory space is stored in the memory space indicated by the address of the second receive queue, and the second memory space is used for storing the data packet received by the second network card 803.
In some embodiments, a memory space indicated by the address of the first transmit queue further stores first indication information, where the first indication information is used to indicate whether the first memory space contains a data packet to be transmitted.
In some embodiments, the processor 801 is further configured to: when the network security device does not execute software upgrade and the security processing logic is normal and the first indication information indicates that the first memory space contains a data message to be sent, the DMA controller 804 is controlled to obtain the data message to be sent from the first memory space according to the address of the first sending queue and send the data message to be sent in the first memory space through the first network card 802.
In some embodiments, the processor 801 is specifically configured to: the DMA controller 804 updates the address for acquiring the data packet to be transmitted by the second network card 803 from the address of the second transmit queue to the address of the first receive queue. The memory space indicated by the address of the first receive queue stores an address of a third memory space, where the third memory space is used to store the data packet received by the first network card 802. The address of a fourth memory space is stored in the memory space indicated by the address of the second send queue, where the fourth memory space is used to store the data packet to be sent by the second network card 803.
In some embodiments, the memory space indicated by the address of the second sending queue further stores second indication information, where the second indication information is used to indicate whether the fourth memory space contains a data packet to be sent.
In some embodiments, the processor 801 is further configured to: when the network security device does not execute software upgrade and the security processing logic is normal and the second indication information indicates that the fourth memory space contains a data message to be sent, the DMA controller 804 is controlled to obtain the data message to be sent from the fourth memory space according to the address of the second sending queue, and send the data message to be sent from the fourth memory space through the second network card 803.
Based on the same technical concept, an embodiment of the present application further provides a bypass forwarding apparatus 900 for data packets, as shown in fig. 9, including:
a memory 901 for storing program instructions;
the processor 902 is configured to invoke a program instruction stored in the memory, and execute the bypass forwarding method of the data packet according to the obtained program.
In the embodiments of the present application, the processor may be a general-purpose processor, a digital signal processor, an application specific integrated circuit, a field programmable gate array or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement or execute the methods, steps, and logic blocks disclosed in the embodiments of the present application. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of a method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware processor, or may be implemented by a combination of hardware and software modules in a processor.
The memory, which is a non-volatile computer-readable storage medium, may be used to store non-volatile software programs, non-volatile computer-executable programs, and modules. The memory may include at least one type of storage medium, for example a flash memory, a hard disk, a multimedia card, a card-type memory, a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a Programmable Read Only Memory (PROM), a Read Only Memory (ROM), an Electrically Erasable Programmable Read Only Memory (EEPROM), a magnetic memory, a magnetic disk, an optical disk, and so on. The memory may also be any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to these. The memory in the embodiments of the present application may also be circuitry or any other device capable of performing a storage function for storing program instructions and/or data.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (10)

1. A bypass forwarding method of data message is applied to a network security device, wherein the network security device includes a Direct Memory Access (DMA) controller, and the method includes:
when the software of the network security equipment is upgraded or the security processing logic is abnormal, controlling the DMA controller to acquire a data message received by the second network card according to the address of a second receiving queue of the second network card and sending the data message out through the first network card;
and controlling the DMA controller to acquire the data message received by the first network card according to the address of the first receiving queue of the first network card and send the data message out through the second network card.
2. The method of claim 1, wherein controlling the DMA controller to obtain the data message received by the second network card according to the address of the second receive queue of the second network card and send the data message through the first network card comprises:
updating the address of the DMA controller for acquiring the data message to be transmitted through the first network card from the address of the first transmitting queue to the address of the second receiving queue;
the address of a first memory space is stored in the memory space indicated by the address of the first sending queue, and the first memory space is used for storing a data message to be sent by the first network card; and the address of a second memory space is stored in the memory space indicated by the address of the second receiving queue, wherein the second memory space is used for storing the data message received by the second network card.
3. The method according to claim 2, wherein a memory space indicated by the address of the first transmission queue further stores first indication information, and the first indication information is used to indicate whether the first memory space contains a data packet to be transmitted.
4. The method of claim 3, wherein the method further comprises:
and when the network security equipment does not execute software upgrading and the security processing logic is normal and the first indication information indicates that the first memory space contains a data message to be sent, controlling the DMA controller to acquire the data message to be sent from the first memory space according to the address of the first sending queue and send the data message to be sent in the first memory space through the first network card.
5. The method according to any one of claims 1 to 4, wherein controlling the DMA controller to obtain the data packet received by the first network card from the first receive queue according to the address of the first receive queue of the first network card, and to send out the data packet through the second network card comprises:
updating the address of the DMA controller for acquiring the data message to be transmitted through the second network card from the address of a second transmission queue to the address of the first receiving queue;
the address of a third memory space is stored in the memory space indicated by the address of the first receiving queue, and the third memory space is used for storing the data message received by the first network card; and storing an address of a fourth memory space in the memory space indicated by the address of the second sending queue, wherein the fourth memory space is used for storing a data message to be sent by the second network card.
6. The method according to claim 5, wherein the memory space indicated by the address of the second transmission queue further stores second indication information, and the second indication information is used to indicate whether the fourth memory space contains a data packet to be transmitted.
7. The method of claim 6, wherein the method further comprises:
and when the network security device does not execute software upgrading and the security processing logic is normal and the second indication information indicates that the fourth memory space contains a data message to be sent, controlling the DMA controller to acquire the data message to be sent from the fourth memory space according to the address of the second sending queue and send the data message to be sent in the fourth memory space through the second network card.
8. A network security device is characterized by comprising a processor, a DMA controller, a first network card and a second network card;
the processor is used for controlling the DMA controller to acquire the data message received by the second network card according to the address of a second receiving queue of the second network card when the software of the network security equipment is upgraded or the security processing logic is abnormal;
the first network card is used for sending the data message which is acquired by the DMA controller and received by the second network card;
the processor is further configured to control the DMA controller to obtain the data message received by the first network card according to the address of the first receive queue of the first network card;
and the second network card is used for sending the data message which is acquired by the DMA controller and received by the first network card.
9. A bypass forwarding device for data messages, characterized by comprising a memory and a processor;
the memory to store program instructions;
the processor, for calling program instructions stored in the memory, for executing the method of any one of claims 1-7 according to the obtained program.
10. A computer-readable storage medium having stored thereon computer instructions which, when executed on a computer, cause the computer to perform the method of any one of claims 1-7.
CN202111620330.7A 2021-12-28 2021-12-28 Bypass forwarding method and device for data message Active CN114401218B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111620330.7A CN114401218B (en) 2021-12-28 2021-12-28 Bypass forwarding method and device for data message

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111620330.7A CN114401218B (en) 2021-12-28 2021-12-28 Bypass forwarding method and device for data message

Publications (2)

Publication Number Publication Date
CN114401218A true CN114401218A (en) 2022-04-26
CN114401218B CN114401218B (en) 2023-07-21

Family

ID=81229446

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111620330.7A Active CN114401218B (en) 2021-12-28 2021-12-28 Bypass forwarding method and device for data message

Country Status (1)

Country Link
CN (1) CN114401218B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115665073A (en) * 2022-12-06 2023-01-31 江苏为是科技有限公司 Message processing method and device

Patent Citations (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6389479B1 (en) * 1997-10-14 2002-05-14 Alacritech, Inc. Intelligent network interface device and system for accelerated communication
US6529518B1 (en) * 1998-06-11 2003-03-04 Sun Microsystems, Inc. Method and apparatus for providing a network interface
AU6361601A (en) * 1999-02-23 2001-10-18 Alcatel Internetworking, Inc. Multi-service network switch with a generic forwarding interface
US7600143B1 (en) * 2004-08-19 2009-10-06 Unisys Corporation Method and apparatus for variable delay data transfer
CN101165667A (en) * 2006-10-17 2008-04-23 国际商业机器公司 Apparatus and method for managing address conversion in data processing system
US20080189720A1 (en) * 2006-10-17 2008-08-07 Moertl Daniel F Apparatus and Method for Communicating with a Network Adapter Using a Queue Data Structure and Cached Address Translations
US20100153704A1 (en) * 2008-12-17 2010-06-17 L3 Communications Corporation Trusted Bypass For Secure Communication
CN108628684A (en) * 2017-03-20 2018-10-09 华为技术有限公司 Message processing method and computer device based on DPDK
US20180287903A1 (en) * 2017-03-29 2018-10-04 Ca, Inc. Adjusting monitoring based on inspection of network traffic
US20190243781A1 (en) * 2018-02-08 2019-08-08 Xilinx, Inc. Customizable multi queue dma interface
CN110134623A (en) * 2018-02-08 2019-08-16 赛灵思公司 Customized more queue DMA interfaces
US20200278935A1 (en) * 2019-03-01 2020-09-03 Cisco Technology, Inc. Adaptive address translation caches
CN110417791A (en) * 2019-08-02 2019-11-05 成都卫士通信息产业股份有限公司 Encryption device and network data method and apparatus
CN110798342A (en) * 2019-10-14 2020-02-14 杭州迪普科技股份有限公司 Method and device for realizing bypass mode based on software
CN111147132A (en) * 2019-12-31 2020-05-12 杭州迪普科技股份有限公司 Bypass device and network optical interface module comprising same
CN112055058A (en) * 2020-08-19 2020-12-08 广东省新一代通信与网络创新研究院 Data storage method and device and computer readable storage medium
CN112910802A (en) * 2021-01-13 2021-06-04 新华三大数据技术有限公司 Message processing method and device
CN113296899A (en) * 2021-06-04 2021-08-24 海光信息技术股份有限公司 Transaction master machine, transaction slave machine and transaction processing method based on distributed system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
唐宏伟 (Tang Hongwei): "Research on Key Technologies of Virtual Machine Security Assurance and Performance Optimization", University of Chinese Academy of Sciences (Shenzhen Institutes of Advanced Technology, Chinese Academy of Sciences) *

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115665073A (en) * 2022-12-06 2023-01-31 江苏为是科技有限公司 Message processing method and device

Also Published As

Publication number Publication date
CN114401218B (en) 2023-07-21

Similar Documents

Publication Publication Date Title
JP6193879B2 (en) Method for routing in a mobile terminal emulating a contactless payment card
CN109688058B (en) Message processing method and device and network equipment
CN109889411B (en) Data transmission method and device
CN113328916B (en) BFD detection mode switching method, device and equipment
CN114401218B (en) Bypass forwarding method and device for data message
CN109976926A (en) Method, circuit, terminal and storage medium for masking restarts to protect the BMC update process
CN105763463B (en) Method and device for transmitting link detection message
CN104394012B (en) Cluster router, MPU and its failure determination method, and sensing controller
CN111417216B (en) Application program cross-system communication method and related device
US20130081139A1 (en) Quarantine network system, server apparatus, and program
RU2693903C1 (en) Method, apparatus and processing system for expanded port
CN113886153B (en) Network card pressure testing method and device based on container
CN115665035A (en) Information processing method and device, first node and storage medium
JP2010067200A (en) Ic chip, information processing apparatus, software module control method, information processing system and method, and program
EP3974989A1 (en) Link state setting method and device for virtual network interface card, and storage medium
CN110535743B (en) Data packet processing method and device, storage medium and electronic device
CN111124445B (en) Home gateway upgrading method and home gateway
CN113141267A (en) Firmware upgrading and information processing method, device and equipment
CN107783722B (en) Data transmission method and data forwarding device
CN115086219B (en) Virtual router determining method, device and computer readable storage medium
CN104038426A (en) Network switch and data updating method
CN110620725A (en) Method for expanding out-of-band interface of switching equipment and switching equipment
CN116886463B (en) Cascade communication method, device, equipment and medium
CN117278345B (en) Energy saving method and device applied to network equipment
CN112152941B (en) Method for expanding single-port large-capacity table item, network transmission equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant