CN101079873B - A firewall device based on ACP framework - Google Patents

Info

Publication number
CN101079873B
Authority
CN
China
Prior art keywords
ram
plug
packet message
session connection
pci bridge
Prior art date
Legal status
Active
Application number
CN2006100607626A
Other languages
Chinese (zh)
Other versions
CN101079873A (en)
Inventor
陈龙森
陈鹏
王峻
邓子星
Current Assignee
Shenzhen Hengxin data Limited by Share Ltd
Original Assignee
SEMPTIAN TECHNOLOGIES Ltd
Priority date
2006-05-25
Filing date
2006-05-25
Publication date
2010-04-21
Application filed by SEMPTIAN TECHNOLOGIES Ltd
Priority to CN2006100607626A
Publication of CN101079873A
Application granted
Publication of CN101079873B
Legal status: Active (current)
Anticipated expiration

Abstract

This invention provides a hardware firewall device based on an ACP architecture. The CPU prepares the session connection table entry and the first packet of a session in the external RAM of the PCI bridge chip and sends their address pointers and data lengths to the ASIC chip, which completes the remaining work by itself instead of the CPU, so CPU resources are saved. At the same time, the ASIC chip reads the session connection table entry in Burst Read mode, which raises the data transfer efficiency of the PCI bus and shortens the time needed to configure the session connection table entry. The ASIC chip then also reads the packet in Burst Read mode, and the CPU no longer needs to poll whether the session connection table entry has been configured, which shortens the forwarding time of the first packet.

Description

A firewall device based on the ACP architecture
Technical field
The invention belongs to the field of network security, and relates in particular to a firewall device based on the ACP architecture.
Background art
The new connection rate (Connections Per Second, CPS) is the maximum number of Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) connections that a firewall can establish per second, and is an important performance indicator of a stateful inspection firewall. The new connection rate of a firewall directly affects how the firewall responds to service requests from the Internet. If the new connection rate is not high enough, then when many Internet users request network services at the same time the firewall drops the requests for which no connection could be established, and those users cannot reach the destination network.
As shown in Figure 1, in the ACP (ASIC chip + CPU + PCI bus) architecture, after the Application Specific Integrated Circuit (ASIC) chip 20 receives a packet, it reads the session connection table from its external Random Access Memory (RAM) 22 and decides from the session connection table whether the received packet is to be forwarded. When it receives a first packet for which no session connection has yet been established, it writes this first packet into the cache module 204. The PCI Target (PCI slave interface) module 206 reports the first packet over the Peripheral Component Interconnect (PCI) bus 18 and through the PCI bridge chip 14 to the Central Processing Unit (CPU) 12. CPU 12 temporarily stores the first packet in the external RAM 16 of the PCI bridge chip, performs routing table and security rule processing, and decides from the result of that processing whether the first packet may be forwarded. If forwarding is allowed, CPU 12 issues the newly added session connection table entry to ASIC chip 20 over the PCI bus 18.
The PCI Target module 206 receives the session connection table entry issued by CPU 12 in I/O communication mode and writes it into the cache module 204; the cache module 204 then writes the entry into the ASIC chip's external RAM 22, and the PCI Target module 206 reports confirmation that the entry has been written into external RAM 22 back to the CPU. After the CPU receives this confirmation, it reads the first packet reported by ASIC chip 20 back out of the PCI bridge chip's external RAM 16 and sends it to ASIC chip 20 over the PCI bus. The PCI Target module 206 receives this first packet in I/O communication mode and writes it into the cache module 204; the cache module 204 then hands the packet to the packet sending module 210, which transmits it. If instead the packet were sent before the session connection table entry had been established, the entry might still not be in place when the response packet of this session connection arrives at the firewall device; ASIC chip 20 would then fail to find the entry in external RAM 22, drop the response packet, and the communication of this session connection would fail.
From the above process, the factors that affect a firewall's new connection rate are as follows:
1. The session connection table entry issued by the CPU is long, usually 128 bytes or more. The CPU writes the entry into the ASIC chip over the PCI bus in I/O communication mode, which can write at most 8 bytes of session connection table data at a time, so the CPU must perform many PCI bus request cycles to finish configuring one session connection table entry, and the execution time is long.
2. The CPU needs to operate the PCI bus many times to issue one session connection table entry, which seriously consumes CPU resources.
3. The CPU may send the packet only after it has confirmed that the session connection table entry has been written into RAM. The CPU therefore has to poll the ASIC chip frequently to learn whether the session connection table entry has been established before it can decide whether to send the packet, which consumes further CPU resources.
In summary, in hardware firewall equipment based on the ACP architecture, the way session connections are established seriously consumes CPU resources, which reduces the number of reported first packets that the CPU can handle per unit time; it also operates the PCI bus many times and occupies PCI bus bandwidth, so configuring the session connection table takes a long time to execute, and it is difficult to improve the firewall's new connection rate.
Summary of the invention
The object of the present invention is to provide hardware firewall equipment based on the ACP architecture, in order to solve the problem of prior-art ACP-based hardware firewall equipment that the way session connections are established seriously consumes CPU resources, reduces the number of reported first packets the CPU can handle per unit time, operates the PCI bus many times and occupies PCI bus bandwidth, makes the session connection table configuration take a long time to execute, and thus makes it difficult to improve the firewall's new connection rate.
The present invention is achieved as follows. Hardware firewall equipment based on the ACP architecture comprises a CPU, a PCI bridge chip connected to the CPU, an external RAM of the PCI bridge chip, an ASIC chip connected to the PCI bridge chip by a PCI bus, and an external RAM of the ASIC chip, wherein:
the external RAM of the PCI bridge chip is used to store the session connection table entry that the CPU adds for the first packet reported by the ASIC chip, and the first packet itself;
the external RAM of the ASIC chip is used to store the session connection table entries written by the ASIC chip;
the CPU is used to issue to the ASIC chip, through the PCI bridge chip and the PCI bus, an idle address pointer of the PCI bridge chip's external RAM, together with the address pointers and data lengths, in that external RAM, of the session connection table entry added for the first packet reported by the ASIC chip and of the first packet itself;
the ASIC chip is used to receive the first packet, write it into the PCI bridge chip's external RAM at the idle address pointer, read the session connection table entry and the first packet from that external RAM according to their address pointers and data lengths, write the session connection table entry into the ASIC chip's external RAM, and forward the first packet.
The ASIC chip comprises a packet receiving module, a cache module, a PCI Target (PCI slave interface) module, an address RAM, a DMA control module and a packet sending module, wherein:
the cache module is used to store the first packet written by the packet receiving module and the session connection table entry and first packet written by the DMA control module, to write the session connection table entry into the ASIC chip's external RAM, and to pass the first packet to the packet sending module;
the address RAM is used to store the idle address pointer of the PCI bridge chip's external RAM issued by the CPU, and the address pointers and data lengths, in that external RAM, of the session connection table entry added for the first packet reported by the ASIC chip and of the first packet itself;
the packet receiving module is used to receive the first packet and write it into the cache module;
the PCI Target (PCI slave interface) module is used to write into the address RAM the idle address pointer of the PCI bridge chip's external RAM issued by the CPU, and the address pointers and data lengths, in that external RAM, of the session connection table entry added for the first packet reported by the ASIC chip and of the first packet itself;
the DMA control module is used to write the first packet received by the cache module into the PCI bridge chip's external RAM at the idle address pointer, and to read the session connection table entry and the first packet from that external RAM according to their address pointers and data lengths and write them into the cache module;
the packet sending module is used to send the first packet delivered by the cache module.
The DMA control module reads the session connection table entry and the first packet from the PCI bridge chip's external RAM in a single continuous burst-read operation.
By means of the present invention, CPU resources are saved, the data transfer efficiency of the PCI bus is improved, the time needed to configure the session connection table entry is saved, and the forwarding time of the first packet is shortened.
Description of drawings
Figure 1 is a block diagram of prior-art hardware firewall equipment based on the ACP architecture;
Figure 2 is a block diagram of the hardware firewall equipment based on the ACP architecture provided by the present invention.
Embodiments
In order to make the purpose, technical solution and advantages of the present invention clearer, the present invention is further described below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the present invention and are not intended to limit it.
As shown in Figure 2, CPU 12 periodically obtains an idle address pointer of the PCI bridge chip's external RAM 16 and writes it, through the PCI bridge chip 14 and the PCI Target module 206, into the address RAM 214. When the packet receiving module 202 receives a first packet for which no session connection has yet been established, it writes the first packet into the cache module 204. The DMA control module 212 obtains the idle address pointer of external RAM 16 from the address RAM 214 and then writes the first packet held in the cache module 204 into external RAM 16 in a single continuous burst operation. CPU 12 decides from the routing table, the security rules and so on whether this packet may be forwarded. If forwarding is allowed, CPU 12 writes the newly added session connection table entry into external RAM 16, and then writes the address pointers and data lengths, in external RAM 16, of the session connection table entry and of the first packet into the address RAM 214 through the PCI Target module 206.
The DMA control module 212 obtains from the address RAM 214 the address pointers and data lengths of the session connection table entry and the first packet in external RAM 16, reads the session connection table entry and the first packet that correspond to those pointers and lengths from external RAM 16 in a single continuous Burst Read operation, and writes them into the cache module 204. The cache module 204 then writes the session connection table entry into the ASIC chip's external RAM 22 and passes the first packet to the packet sending module 210.
In the above process, once CPU 12 has prepared the session connection table entry and the first packet in the PCI bridge chip's external RAM 16 and has sent their address pointers, data lengths and related information to ASIC chip 20, the follow-up work is completed by ASIC chip 20 without further involvement of CPU 12, which saves the resources of CPU 12. At the same time, the session connection table entry is read in Burst Read mode, which improves the data transfer efficiency of the PCI bus and saves session connection table configuration time; and as soon as the session connection table configuration finishes, the DMA control module 212 immediately reads the packet in Burst Read mode, without CPU 12 having to poll whether the session connection table configuration is complete, which shortens the forwarding time of the first packet.
If there are several session connection table entries and first packets to issue in succession, then, as far as the internal buffer of ASIC chip 20 allows, the CPU does not need to wait for the transfer of the previous session connection table entry and first packet to finish: it can buffer them and send the address pointers and data lengths of the session connection table entries and first packets to ASIC chip 20 continuously, and ASIC chip 20 takes them out one by one and processes them in sequence, which further lightens the load on CPU 12 and improves the firewall's new connection rate.
The above is only a preferred embodiment of the present invention and does not limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.
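The two handoff flows described above (the prior-art flow of Figure 1 and the descriptor-driven flow of Figure 2), written as a small Python simulation that counts PCI transactions per new session and checks that the session entry is installed before the first packet leaves. This is an added example, not code from the patent; the 8-byte I/O write limit and the 128-byte entry size come from the text, while the descriptor tuple, the RAM layout, the flow key and the one-transaction-per-burst accounting are assumptions of the model.

```python
"""Simulation of the CPU/ASIC session-setup handoff described in this patent.

Constructed example, not the patent's code. From the text: an I/O-mode PCI write
carries at most 8 bytes per bus cycle and a session table entry is 128 bytes or
more. Descriptor format, RAM sizes, the flow key and the one-transaction-per-
burst accounting are assumptions of this model.
"""
import math
from collections import deque

IO_WRITE_BYTES = 8
SESSION_ENTRY_BYTES = 128
ENTRY = b"S" * SESSION_ENTRY_BYTES   # stand-in for a real session table entry


def io_cycles(nbytes):
    """Bus cycles needed to move nbytes in PCI I/O mode."""
    return math.ceil(nbytes / IO_WRITE_BYTES)


class BridgeRam:
    """External RAM behind the PCI bridge; the CPU writes it without using the bus."""
    def __init__(self, size=4096):
        self.mem, self.next_free = bytearray(size), 0

    def alloc(self, n):
        ptr, self.next_free = self.next_free, self.next_free + n
        return ptr


class Asic:
    """Packet-side chip: external session RAM, address RAM and PCI counters."""
    def __init__(self):
        self.session_ram = {}        # flow key -> session entry bytes
        self.address_ram = deque()   # (kind, ptr, length) descriptors from the CPU
        self.forwarded = []
        self.pci_cycles = 0          # all PCI transactions for one new session
        self.cpu_driven = 0          # those the CPU had to issue itself

    def account(self, cycles, by_cpu):
        self.pci_cycles += cycles
        self.cpu_driven += cycles if by_cpu else 0


def prior_art(asic, pkt, key, wait_for_confirm=True):
    """Figure 1 flow: packet and entry cross the bus in I/O mode, CPU polls."""
    asic.account(io_cycles(len(pkt)), by_cpu=True)            # first packet reported to CPU
    asic.account(io_cycles(SESSION_ENTRY_BYTES), by_cpu=True)  # 16 writes for a 128-byte entry
    if wait_for_confirm:                                       # CPU polls the write confirmation
        asic.account(1, by_cpu=True)
        asic.session_ram[key] = ENTRY
    asic.account(io_cycles(len(pkt)), by_cpu=True)            # CPU sends the packet back
    asic.forwarded.append(pkt)
    reply_accepted = key in asic.session_ram                   # lookup when the reply arrives
    asic.session_ram[key] = ENTRY                              # entry lands (too late if not waited)
    return reply_accepted


def invention(bridge, asic, pkt, key):
    """Figure 2 flow: CPU stages data in bridge RAM, ASIC burst-reads it by descriptor."""
    pptr = bridge.alloc(len(pkt))
    asic.account(1, by_cpu=True)               # CPU posts the idle pointer into address RAM
    bridge.mem[pptr:pptr + len(pkt)] = pkt
    asic.account(1, by_cpu=False)              # DMA burst-writes the first packet there
    sptr = bridge.alloc(len(ENTRY))
    bridge.mem[sptr:sptr + len(ENTRY)] = ENTRY  # CPU writes its local RAM: no PCI traffic
    for desc in (("session", sptr, len(ENTRY)), ("packet", pptr, len(pkt))):
        asic.address_ram.append(desc)
        asic.account(1, by_cpu=True)           # pointer + length fit in one I/O write
    while asic.address_ram:                    # DMA drains in order: entry first, then packet
        kind, ptr, n = asic.address_ram.popleft()
        asic.account(1, by_cpu=False)          # one burst read per descriptor
        data = bytes(bridge.mem[ptr:ptr + n])
        if kind == "session":
            asic.session_ram[key] = data
        else:
            assert key in asic.session_ram     # entry installed before the packet leaves
            asic.forwarded.append(data)
    return key in asic.session_ram
```

For a 64-byte first packet the model gives 33 CPU-driven bus cycles for the prior-art flow against 6 transactions (3 of them CPU-driven) for the descriptor flow, and `prior_art(..., wait_for_confirm=False)` reproduces the dropped-reply failure the background section describes.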

Claims (3)

1. Hardware firewall equipment based on a three-part architecture of ASIC chip, CPU and PCI bus, characterized in that the equipment comprises a CPU, a PCI bridge chip connected to the CPU, an external RAM of the PCI bridge chip, an ASIC chip connected to the PCI bridge chip by a PCI bus, and an external RAM of the ASIC chip, wherein:
the external RAM of the PCI bridge chip is used to store the session connection table entry that the CPU adds for the first packet reported by the ASIC chip, and the first packet itself;
the external RAM of the ASIC chip is used to store the session connection table entries written by the ASIC chip;
the CPU is used to issue to the ASIC chip, through the PCI bridge chip and the PCI bus, an idle address pointer of the PCI bridge chip's external RAM, together with the address pointers and data lengths, in that external RAM, of the session connection table entry added for the first packet reported by the ASIC chip and of the first packet itself;
the ASIC chip is used to receive the first packet, write it into the PCI bridge chip's external RAM at the idle address pointer, read the session connection table entry and the first packet from that external RAM according to their address pointers and data lengths, write the session connection table entry into the ASIC chip's external RAM, and forward the first packet.
2. The hardware firewall equipment based on a three-part architecture of ASIC chip, CPU and PCI bus according to claim 1, characterized in that the ASIC chip comprises a packet receiving module, a cache module, a PCI Target module, an address RAM, a DMA control module and a packet sending module, wherein:
the cache module is used to store the first packet written by the packet receiving module and the session connection table entry and first packet written by the DMA control module, to write the session connection table entry into the ASIC chip's external RAM, and to pass the first packet to the packet sending module;
the address RAM is used to store the idle address pointer of the PCI bridge chip's external RAM issued by the CPU, and the address pointers and data lengths, in that external RAM, of the session connection table entry added for the first packet reported by the ASIC chip and of the first packet itself;
the packet receiving module is used to receive the first packet and write it into the cache module;
the PCI Target module is used to write into the address RAM the idle address pointer of the PCI bridge chip's external RAM issued by the CPU, and the address pointers and data lengths, in that external RAM, of the session connection table entry added for the first packet reported by the ASIC chip and of the first packet itself;
the DMA control module is used to write the first packet received by the cache module into the PCI bridge chip's external RAM at the idle address pointer stored in the address RAM, and to read the session connection table entry and the first packet from that external RAM according to their address pointers and data lengths and write them into the cache module;
the packet sending module is used to send the first packet delivered by the cache module.
3. The hardware firewall equipment based on a three-part architecture of ASIC chip, CPU and PCI bus according to claim 2, characterized in that the DMA control module reads the session connection table entry and the first packet from the PCI bridge chip's external RAM in a single continuous Burst Read operation.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2006100607626A CN101079873B (en) 2006-05-25 2006-05-25 A firewall device based on ACP framework

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2006100607626A CN101079873B (en) 2006-05-25 2006-05-25 A firewall device based on ACP framework

Publications (2)

Publication Number Publication Date
CN101079873A CN101079873A (en) 2007-11-28
CN101079873B true CN101079873B (en) 2010-04-21

Family

ID=38907104

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2006100607626A Active CN101079873B (en) 2006-05-25 2006-05-25 A firewall device based on ACP framework

Country Status (1)

Country Link
CN (1) CN101079873B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102075421B (en) * 2010-12-30 2013-10-02 杭州华三通信技术有限公司 Service quality processing method and device
CN117640511B (en) * 2024-01-25 2024-03-29 无锡沐创集成电路设计有限公司 Wired communication system, communication chip, communication method and medium thereof

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6701432B1 (en) * 1999-04-01 2004-03-02 Netscreen Technologies, Inc. Firewall including local bus

Also Published As

Publication number Publication date
CN101079873A (en) 2007-11-28

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
ASS Succession or assignment of patent right

Owner name: SHENZHEN CITY HENGYANG SCIENCE CO., LTD.

Free format text: FORMER OWNER: LI HAO

Effective date: 20080314

C41 Transfer of patent application or patent right or utility model
TA01 Transfer of patent application right

Effective date of registration: 20080314

Address after: Room 605, Tsinghua information harbor complex, North Zone, Nanshan District science and Technology Park, Guangdong, Shenzhen Province, China: 518057

Applicant after: Semptian Technologies Ltd.

Address before: Room 605, Tsinghua information harbor complex, North Zone, Nanshan District science and Technology Park, Guangdong, Shenzhen Province, China: 518057

Applicant before: Li Hao

C14 Grant of patent or utility model
GR01 Patent grant
C56 Change in the name or address of the patentee

Owner name: SHENZHEN SEMPTIAN TECHNOLOGIES CO., LTD.

Free format text: FORMER NAME: SEMPTIAN TECHNOLOGY CO., LTD.

CP03 Change of name, title or address

Address after: 518000, Guangdong Shenzhen hi tech Southern District, Haitian two road 14, software industry base, 5D block, 7, Nanshan District

Patentee after: SEMPTIAN TECHNOLOGIES LTD.

Address before: 605 room 518057, Tsinghua information harbor complex, north of Nanshan District Science Park, Shenzhen, Guangdong

Patentee before: Semptian Technologies Ltd.

C56 Change in the name or address of the patentee
CP03 Change of name, title or address

Address after: 518000 Guangdong city of Shenzhen province Nanshan District Guangdong streets two Haitian Road No. 14, block 5D 8 layer software industry base

Patentee after: Shenzhen Hengxin data Limited by Share Ltd

Address before: 518000, Guangdong Shenzhen hi tech Southern District, Haitian two road 14, software industry base, 5D block, 7, Nanshan District

Patentee before: SEMPTIAN TECHNOLOGIES LTD.

PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: A firewall device based on ACP framework

Effective date of registration: 20170713

Granted publication date: 20100421

Pledgee: Bank of Beijing Limited by Share Ltd Shenzhen branch

Pledgor: Shenzhen Hengxin data Limited by Share Ltd

Registration number: 2017990000630

PC01 Cancellation of the registration of the contract for pledge of patent right

Date of cancellation: 20190520

Granted publication date: 20100421

Pledgee: Bank of Beijing Limited by Share Ltd Shenzhen branch

Pledgor: Shenzhen Hengxin data Limited by Share Ltd

Registration number: 2017990000630