CN102404339A - Fire wall system and data processing method based on fire wall system - Google Patents

Info

Publication number
CN102404339A
Authority
CN
China
Prior art keywords
module
service processing
packet
processing module
diverter
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN2011104249518A
Other languages
Chinese (zh)
Other versions
CN102404339B (en)
Inventor
杨启军
刘向明
王钟
莫宁
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanshi Network Communication Technology Co Ltd
Original Assignee
Hillstone Networks Communication Technology (Beijing) Co Ltd
Application filed by Hillstone Networks Communication Technology (Beijing) Co Ltd
Priority to CN201110424951.8A
Publication of CN102404339A
Application granted
Publication of CN102404339B
Legal status: Active

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a firewall system and a data processing method based on the firewall system. The system comprises two main control modules, a plurality of service processing modules, a plurality of diverter modules, a plurality of I/O (input/output) modules and a switching module. The two main control modules are in a primary-backup relationship with each other and control the other modules; the switching module forwards data packets among all modules; the I/O modules are bound to the diverter modules, and each I/O module sends the data packets it receives to the diverter module bound to it; each diverter module sends the received data packets of the same session to one service processing module; each service processing module outputs the processed data packets through an I/O module. The firewall system solves the problem that service expansion cannot be performed on a system: the number of service processing modules in the system can be configured as required, which supports service expansion of the system and thereby improves its performance.

Description

Firewall system and data processing method based on the firewall system
Technical field
The present invention relates to the field of communications, and in particular to a firewall system and a data processing method based on the firewall system.
Background art
At present, a firewall system generally consists of one central processing unit (CPU), a switch system and a number of input/output (I/O) ports; Fig. 1 shows the structure of such a firewall system. The CPU is responsible for all of the firewall's service processing. Fig. 2 shows the packet flow of this firewall system. First, a packet enters an I/O port of the firewall system, and the I/O port sends it to the switch system, which forwards it to the CPU. Then the CPU processes the packet, and the processed packet is forwarded through the switch system to an I/O port. Finally, the I/O port outputs the packet from the firewall system. This firewall system has only one CPU for service processing, so its performance is limited by the processing capacity of that CPU and its processing performance cannot be extended. Moreover, during a system upgrade the CPU of the firewall system must interrupt service to complete the upgrade, which makes the service processing of the system insufficiently reliable.
There is also a communication device system that comprises a main board and a standby board. The main board handles the system's services, and the standby board receives synchronization information from the main board. The main board synchronizes configuration and state information to the standby board in real time. For a software upgrade, the standby board is upgraded first, and configuration and state information are then synchronized to it. After this synchronization completes, an active/standby switchover is performed: the former standby board becomes the main board, and the former main board is then upgraded. In this way the software of the whole system is upgraded to the new version. This upgrade method only supports the case in which all services that need CPU processing are handled on the main control board.
No effective solution has yet been proposed for the problem in the related art that a system cannot perform service expansion.
Summary of the invention
To address the problem in the related art that a system cannot perform service expansion, the present invention provides a firewall system and a data processing method based on the firewall system, so as to at least solve the above problem.
According to one aspect of the present invention, a firewall system is provided. The system comprises two main control modules, a plurality of service processing modules, a plurality of diverter modules, a plurality of I/O modules and a switching module. The two main control modules are in a primary-backup relationship with each other and are used to control the service processing modules, the diverter modules, the I/O modules and the switching module. The switching module forwards packets between the modules. The I/O modules are bound to the diverter modules, and each I/O module sends the packets it receives to the diverter module bound to it. Each diverter module sends the packets of the same session to the same service processing module. Each service processing module processes the packets it receives and, after processing, outputs each packet through one of the I/O modules.
The diverter module comprises: a load determining unit, configured to determine the load of the service processing modules when the first packet of a session is received; a selection unit, configured to select the service processing module corresponding to the first packet according to the load determined by the load determining unit; and a first shunting unit, configured to forward the first packet to the service processing module selected by the selection unit.
The diverter module comprises: a mapping unit, configured to perform a mapping on the information carried in the header of the first packet when the first packet of a session is received; a determining unit, configured to determine the service processing module corresponding to the first packet according to the mapping result of the mapping unit; and a second shunting unit, configured to forward the first packet to the service processing module determined by the determining unit.
The service processing module comprises: a receiving unit, configured to receive the first packet; a creation unit, configured to create the data structure of the session according to the first packet; and a response unit, configured to reply to the diverter module with a response message that carries the correspondence between the session identifier and the identifier of the service processing module. The diverter module comprises: a correspondence storage unit, configured to store the correspondence between the session identifier and the identifier of the service processing module carried in the response message; and a third shunting unit, configured to forward the follow-up packets of the session to the service processing module according to the correspondence stored in the correspondence storage unit.
The diverter module comprises: a synchronization unit, configured to synchronize the correspondence stored in the correspondence storage unit to another of the diverter modules after an upgrade instruction is received; and a first upgrade unit, configured to upgrade according to the upgrade instruction. The other diverter module comprises: a synchronization storage unit, configured to store the correspondence synchronized by the synchronization unit. The switching module comprises: a binding modification unit, configured to modify the binding between the I/O modules and the diverter modules according to a system configuration instruction.
The service processing module comprises: an information synchronization unit, configured to synchronize the data structure created by the creation unit to another of the service processing modules after an upgrade instruction is received; a notification unit, configured to send a correspondence modification notification to the diverter module, where the notification carries the identifier of the service processing module in which the unit resides and the identifier of the other service processing module; and a second upgrade unit, configured to upgrade according to the upgrade instruction. The diverter module comprises: a correspondence modification unit, configured to change, according to the modification notification sent by the notification unit, every identifier in the correspondence that is identical to the identifier of the first service processing module in the notification into the identifier of the second service processing module in the notification; and a fourth shunting unit, configured to forward the follow-up packets of the session to the other service processing module according to the correspondence modified by the correspondence modification unit. The other service processing module comprises: an information storage unit, configured to store the data structure synchronized by the information synchronization unit; and a service processing unit, configured to process the follow-up packets of the session according to the data structure stored in the information storage unit.
According to another aspect of the invention, a data processing method based on the above firewall system is provided. The method comprises: after each I/O module receives a packet, it sends the packet to the diverter module bound to it; after each diverter module receives the packet, it forwards the packet to the corresponding service processing module according to the shunting rule that packets of the same session are sent to the same service processing module; after each service processing module receives the packet, it processes the packet and, after processing, outputs the packet through one of the I/O modules.
The diverter module forwarding the packet to the corresponding service processing module comprises: after the diverter module receives the first packet of a session, it determines the load of the service processing modules; the diverter module selects the service processing module corresponding to the first packet according to the determined load of the service processing modules; the diverter module forwards the first packet to the selected service processing module.
The diverter module forwarding the packet to the corresponding service processing module comprises: after the diverter module receives the first packet of a session, it performs a mapping on the information carried in the header of the first packet; the diverter module determines the service processing module corresponding to the first packet according to the mapping result; the diverter module forwards the first packet to the determined service processing module.
After each service processing module receives the packet, the method comprises: after the service processing module receives the first packet, it creates the data structure of the session according to the first packet; the service processing module replies to the diverter module with a response message that carries the correspondence between the session identifier and the identifier of the service processing module; the diverter module stores the correspondence between the session identifier and the identifier of the service processing module carried in the response message; the diverter module forwards the follow-up packets of the session to the service processing module according to the stored correspondence.
The method further comprises: after a diverter module receives an upgrade instruction, it synchronizes the stored correspondence to another of the diverter modules and then upgrades according to the upgrade instruction; after the switching module receives a system configuration instruction, it modifies the binding between the I/O modules and the diverter modules according to that instruction and forwards the follow-up packets of the session according to the modified binding; after the other diverter module stores the correspondence synchronized by the diverter module, it forwards the follow-up packets of the session, as forwarded by the switching module, to the service processing module according to the stored correspondence.
The method further comprises: after a service processing module receives an upgrade instruction, it synchronizes the created data structure to another of the service processing modules and sends a correspondence modification notification to the diverter module, where the notification carries the identifier of the service processing module itself and the identifier of the other service processing module; it then upgrades according to the upgrade instruction; according to the modification notification sent by the service processing module, the diverter module changes every identifier in the correspondence that is identical to the identifier of the first service processing module in the notification into the identifier of the second service processing module in the notification; the diverter module forwards the follow-up packets of the session to the other service processing module according to the modified correspondence; the other service processing module stores the data structure synchronized by the service processing module and processes the follow-up packets of the session according to the stored data structure.
With the present invention, the I/O modules in the firewall system are bound to the diverter modules, and each I/O module sends the packets it receives to the diverter module bound to it. After receiving packets, each diverter module sends the packets of the same session to the same service processing module, and each service processing module processes the packets and outputs them through an I/O module. This solves the problem in the related art that a system cannot perform service expansion. The system contains a plurality of service processing modules whose number can be configured as required, so the system supports service expansion, which in turn improves the performance of the firewall system.
Description of the drawings
The accompanying drawings described here provide a further understanding of the invention and form part of this application. The illustrative embodiments of the invention and their description are used to explain the invention and do not unduly limit it. In the drawings:
Fig. 1 is a schematic diagram of the structure of a firewall system according to the related art;
Fig. 2 is a schematic diagram of the packet flow of a firewall system according to the related art;
Fig. 3 is a structural block diagram of the firewall system according to an embodiment of the invention;
Fig. 4 is a detailed structural block diagram of the firewall system according to an embodiment of the invention;
Fig. 5 is a schematic diagram of the packet flow of the firewall system according to an embodiment of the invention;
Fig. 6 is a flow chart of the data processing method based on the firewall system according to an embodiment of the invention;
Fig. 7 is a flow chart of the data processing method based on the firewall system according to Embodiment 1 of the invention.
Embodiments
The invention is described in detail below with reference to the accompanying drawings and in combination with the embodiments. It should be noted that, where they do not conflict, the embodiments in this application and the features in the embodiments can be combined with each other.
In the prior art, the firewall system has only one CPU responsible for service processing, so the system's performance is limited by the processing capacity of that CPU and its processing performance cannot be extended. On this basis, the embodiments of the invention provide a firewall system and a data processing method based on the firewall system. The firewall system uses a plurality of service processing modules, which makes service expansion straightforward. The embodiments are described in detail below.
This embodiment provides a firewall system comprising two main control modules, a plurality of service processing modules, a plurality of diverter modules, a plurality of I/O modules and one switching (Switch) module. Fig. 3 is a structural block diagram of the firewall system. In Fig. 3, the two main control modules are illustrated by the first main control module 30a and the second main control module 30b; the service processing modules by the first service processing module 32a, the second service processing module 32b and the third service processing module 32c; the diverter modules by the first diverter module 34a, the second diverter module 34b and the third diverter module 34c; the I/O modules by the first I/O module 36a, the second I/O module 36b and the third I/O module 36c; and the switching module by switching module 38. The structure is described below.
The two main control modules are in a primary-backup relationship with each other and are used to control the service processing modules, the diverter modules, the I/O modules and the switching module. The switching module (for example, switching module 38 in Fig. 3) is connected to all of the above modules and forwards packets between them.
The I/O modules are bound to the diverter modules. Each I/O module (for example, the first I/O module 36a in Fig. 3) is connected to switching module 38 and sends the packets it receives to the diverter module bound to it (for example, the first diverter module 34a in Fig. 3). Each diverter module (for example, the first diverter module 34a in Fig. 3) is connected to switching module 38 and sends the packets of the same session to the same service processing module (for example, the first service processing module 32a in Fig. 3).
Each service processing module (for example, the first service processing module 32a in Fig. 3) is connected to switching module 38. It processes the packets it receives and, after processing, outputs each packet through one of the I/O modules (for example, the first I/O module 36a in Fig. 3).
The processing performed by the service processing module includes finding the outgoing interface: if the received packet is a layer-3 packet, the outgoing interface is found by route lookup; if the received packet is a layer-2 packet, the outgoing interface is determined by the destination MAC address. The I/O module on which the outgoing interface resides is the selected I/O module. How a particular I/O module completes the output of the packet can be implemented with reference to the related art and is not detailed here.
With the above system, the I/O modules in the firewall system are bound to the diverter modules, and each I/O module sends the packets it receives to the diverter module bound to it. After receiving packets, each diverter module sends the packets of the same session to the same service processing module, and each service processing module processes the packets and outputs them through an I/O module. This solves the problem in the related art that a system cannot perform service expansion. The system contains a plurality of service processing modules whose number can be configured as required, so the system supports service expansion, which in turn improves the performance of the firewall system.
After receiving a packet sent by an I/O module, each diverter module sends the packet to a service processing module according to the shunting rule that packets of the same session are sent to the same service processing module. For how the diverter module selects a service processing module after receiving a first packet, this embodiment provides two preferred implementations; the invention is of course not limited to these two. The two implementations are described in turn below, taking the first diverter module 34a in Fig. 3 as an example.
In the first manner, the first diverter module 34a of the firewall system comprises: a load determining unit, configured to determine the load of the service processing modules when the first packet of a session is received; a selection unit, configured to select the first service processing module 32a corresponding to the first packet according to the load determined by the load determining unit; and a first shunting unit, connected to the selection unit and configured to forward the first packet to the first service processing module 32a selected by the selection unit. This manner selects according to the load of the service processing modules; in general, the diverter module selects a service processing module with a lower load to receive the packet.
In the second manner, the first diverter module 34a of the firewall system comprises: a mapping unit, configured to perform a mapping on the information carried in the header of the first packet when the first packet of a session is received; a determining unit, connected to the mapping unit and configured to determine the first service processing module 32a corresponding to the first packet according to the mapping result of the mapping unit; and a second shunting unit, connected to the determining unit and configured to forward the first packet to the first service processing module 32a determined by the determining unit. This manner selects the service processing module from a mapping between the information carried in the header of the first packet and the first service processing module 32a. For example, a fixed mapping can be used: the hash value of the packet's 5-tuple (the source and destination IP addresses, the source and destination ports and the protocol number of the IP packet) is computed, and packets with the same hash value correspond to the same service processing unit. This establishes the mapping between the first packet and a service processing module, so that the first diverter module 34a selects the first service processing module 32a to receive the packet when it receives the first packet. When a diverter module receives a first packet, both preferred implementations let it select a suitable service processing module quickly and simply.
After a service processing module receives the first packet sent by a diverter module, it can record the session so that follow-up packets are easier to receive and process. To this end, in a preferred implementation of this embodiment, the service processing module (described here using the first service processing module 32a as an example) can comprise: a receiving unit, configured to receive the first packet; a creation unit, connected to the receiving unit and configured to create the data structure of the session according to the first packet; and a response unit, connected to the creation unit and configured to reply to the first diverter module 34a with a response message that carries the correspondence between the session identifier and the identifier of the first service processing module 32a. With this preferred implementation, the service processing module can conveniently and effectively manage and record the follow-up packets sent by the diverter module. The data structure created in this embodiment can include some or all of the following parameters: the packet's 5-tuple, the packet's outgoing interface, the packet's next-hop MAC address, the 5-tuple of the reverse packet, the packet's incoming interface, the packet's source MAC address, the security policy ID, and the ID of the service processing module that handles the packets of this session. The session identifier can be, for example, the 5-tuple carried in the packet and the 5-tuple carried in the reverse packet.
After the diverter module receives this response message, it can record the correspondence between the session identifier and the identifier of the service processing module, so that when it receives follow-up packets it can send them to the corresponding service processing module according to this correspondence. The diverter module (described here using the first diverter module 34a as an example) can comprise: a correspondence storage unit, configured to store the correspondence between the session identifier and the identifier of the first service processing module 32a carried in the response message sent by the first service processing module 32a; and a third shunting unit, connected to the correspondence storage unit and configured to forward the follow-up packets of the session to the first service processing module 32a according to the correspondence stored in the correspondence storage unit.
The correspondence held by the correspondence storage unit can be recorded in a shunting table. After receiving a packet, the diverter module first looks up the shunting table. If the table contains the correspondence between this packet's session identifier and a service processing module identifier, the recorded information determines which service processing module the packet should be sent to. If no such correspondence is found, the diverter module falls back to the two preferred implementations described above for selecting a service processing module on a first packet: it selects a service processing module with a lower load, or it selects a service processing module by fixed mapping. The information stored in the shunting table thus keeps growing. The correspondence provided by this preferred implementation lets the diverter module send packets to service processing modules simply, directly and quickly, and in a planned way.
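The lookup-then-select behaviour described above, sketched in Python as an added example (not code from the patent). The class and function names, CRC32 as the hash, session count as the load measure and the sample addresses are assumptions made for illustration; module identifiers reuse the reference numerals of Fig. 3.

```python
import zlib
from collections import namedtuple

# 5-tuple as listed on the page: source/destination IP, source/destination port, protocol number.
FiveTuple = namedtuple("FiveTuple", "src_ip dst_ip src_port dst_port proto")


def reverse(t):
    """5-tuple of the reverse-direction packet of the same session."""
    return FiveTuple(t.dst_ip, t.src_ip, t.dst_port, t.src_port, t.proto)


class ServiceModule:
    """Service processing module: creates the session data structure on a first packet."""

    def __init__(self, module_id):
        self.module_id = module_id
        self.sessions = {}  # forward 5-tuple -> session data structure

    @property
    def load(self):
        # Assumption: load is approximated by the number of sessions held.
        return len(self.sessions)

    def handle_first_packet(self, pkt):
        rev = reverse(pkt)
        self.sessions[pkt] = {"forward": pkt, "reverse": rev, "module_id": self.module_id}
        # Response message: session identifier (both 5-tuples) and this module's identifier.
        return {"session_id": (pkt, rev), "module_id": self.module_id}


class Diverter:
    """Diverter module: shunting-table lookup, with first-packet selection on a miss."""

    def __init__(self, modules, mode="hash"):
        self.modules = {m.module_id: m for m in modules}
        self.mode = mode        # "load" = first manner, "hash" = second manner
        self.shunt_table = {}   # 5-tuple -> service processing module identifier

    def select(self, pkt):
        if self.mode == "load":
            # First manner: pick the least-loaded module (identifier breaks ties).
            return min(self.modules.values(), key=lambda m: (m.load, m.module_id)).module_id
        # Second manner: fixed mapping from a hash of the 5-tuple.
        ids = sorted(self.modules)
        key = "|".join(str(field) for field in pkt).encode()
        return ids[zlib.crc32(key) % len(ids)]

    def store_reply(self, reply):
        # Record the correspondence for both directions of the session.
        for five_tuple in reply["session_id"]:
            self.shunt_table[five_tuple] = reply["module_id"]

    def forward(self, pkt):
        """Return the identifier of the module that receives this packet."""
        module_id = self.shunt_table.get(pkt)
        if module_id is None:  # table miss: first packet of a session
            module_id = self.select(pkt)
            self.store_reply(self.modules[module_id].handle_first_packet(pkt))
        return module_id


def demo(mode):
    """Run constructed sample traffic; return the module chosen for each packet."""
    diverter = Diverter([ServiceModule(i) for i in ("32a", "32b", "32c")], mode)
    flows = [FiveTuple("10.0.0.%d" % n, "192.0.2.10", 40000 + n, 443, 6) for n in range(1, 5)]
    first = [diverter.forward(f) for f in flows]
    replies = [diverter.forward(reverse(f)) for f in flows]  # return traffic
    repeat = [diverter.forward(f) for f in flows]            # follow-up packets
    return first, replies, repeat, len(diverter.shunt_table)


if __name__ == "__main__":
    for mode in ("load", "hash"):
        print(mode, demo(mode))
```

In hash mode the reverse 5-tuple would generally hash to a different module; the stored correspondence is what keeps return traffic on the module that holds the session state.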
The quantity of the Service Processing Module in the firewall system in the foregoing description and each preferred implementation can be configured by demand; Realize the extensibility of systematic function like this, and when internal system is carried out data processing, can more be added with autotelic the carrying out of planning.Firewall system also is faced with the problem of upgrading; Some system of the prior art wants interrupting service when upgrading; To cause the Business Processing process of this system reliable inadequately like this; Though also without interrupting service, this upgrading mode is only supported the system that all professional processing are all carried out on master control borad when upgrading in some system.Therefore, present embodiment provides a preferred implementation, and as shown in Figure 4 is the concrete structure block diagram of firewall system, this system each module in comprising Fig. 3, also comprises:
Diverter module (the first diverter module 34a with among Fig. 4 is an example) comprising: lock unit 34a0; After being used to receive the upgrading indication, with another diverter module (the second diverter module 34b with among Fig. 4 is an example) in the synchronous extremely a plurality of diverter modules of stored relation in the correspondence relation storage; The first upgrading unit 34a2 is connected to lock unit 34a0, is used for upgrading according to above-mentioned upgrading indication;
Another diverter module (being the second diverter module 34b among Fig. 4) comprising: stores synchronized unit 34b0, be connected to lock unit 34a0, and be used to store the synchronous corresponding relation of lock unit 34a0; Follow-up, this diverter module will carry out the forwarding of packet according to the corresponding relation synchronously.
Switching Module 38 comprises: bind and revise unit 380, be used for according to the system configuration indication a plurality of I/O modules of modification and a plurality of diverter module binding relationship.
In this preferred implementation, when the first diverter module 34a is to be upgraded, its stored correspondence is synchronized to the second diverter module 34b, and the Switching Module 38 then modifies the binding relationship between the I/O modules and the diverter modules. As a result, when I/O module 36a receives a packet, the packet is sent to the second diverter module 34b; and if a packet of a session would have been sent to the first Service Processing Module 32a by the first diverter module 34a, the second diverter module 34b sends that packet to the first Service Processing Module 32a. This ensures that packet transmission is not interrupted while the diverter module is upgraded. Of course, when the first diverter module 34a is to be upgraded, the diverter module chosen to receive the synchronized correspondence is not limited to the second diverter module 34b; it can be any diverter module other than the first diverter module 34a itself. With this preferred implementation, the firewall system can upgrade a diverter module without interrupting service, which improves the reliability of the firewall system's service processing.
Having described the upgrade of the diverter module, the upgrade process of the Service Processing Module is described below. This embodiment provides another preferred implementation, which comprises:
A Service Processing Module (taking the first Service Processing Module 32a in Fig. 4 as an example) comprises: an information synchronization unit, configured to synchronize, after an upgrade indication is received, the data structure created by the creation unit to another Service Processing Module among the plurality of Service Processing Modules (taking the second Service Processing Module 32b in Fig. 4 as an example); a notification unit, configured to send a correspondence amendment notice to a diverter module (taking the third diverter module 34c in Fig. 4 as an example), wherein the amendment notice carries the identifier of the Service Processing Module to which the notification unit belongs (i.e. the identifier of the first Service Processing Module 32a) and the identifier of the second Service Processing Module 32b, and these two identifiers indicate which Service Processing Module is to be switched to which Service Processing Module; and a second upgrade unit, connected to the notification unit and configured to perform the upgrade according to the upgrade indication. After the service migration of this embodiment is finished, the main control module can restart the Service Processing Module and then load the new software version.
The diverter module (i.e. the first diverter module 34a) comprises: a correspondence modification unit, configured to, according to the amendment notice sent by the notification unit, change every identifier in the correspondence that is the same as the identifier of the first Service Processing Module in the amendment notice into the identifier of the second Service Processing Module in the amendment notice; that is, in this embodiment the identifier of the first Service Processing Module 32a in the correspondence (for example, a shunt table) is changed to the identifier of the second Service Processing Module 32b; and a fourth shunting unit, connected to the correspondence modification unit and configured to forward the subsequent packets of the session to the second Service Processing Module 32b according to the correspondence as modified by the correspondence modification unit.
The other Service Processing Module (the second Service Processing Module 32b in Fig. 4) comprises: an information storage unit, connected to the information synchronization unit and configured to store the data structure synchronized by the information synchronization unit; and a Service Processing Unit, connected to the information storage unit and configured to process the subsequent packets of the session according to the data structure stored in the information storage unit.
In this preferred implementation, when the first Service Processing Module 32a is to be upgraded, the data structure it created is synchronized to the second Service Processing Module 32b, and the first diverter module 34c then modifies the correspondence so that the session identifier of the packet corresponds to the identifier of the second Service Processing Module 32b. As a result, when the first diverter module 34a would have sent a packet to the first Service Processing Module 32a, it sends the packet to the second Service Processing Module 32b instead. This ensures that packet transmission is not interrupted while the Service Processing Module is upgraded. Of course, when the first Service Processing Module 32a is to be upgraded, the Service Processing Module chosen to receive the synchronized data structure is not limited to the second Service Processing Module 32b; it can be any Service Processing Module other than the first Service Processing Module 32a itself. With this preferred implementation, the firewall system can upgrade a Service Processing Module without interrupting service, which improves the reliability of the firewall system's service processing.
The preferred implementations above describe in detail how the diverter module and the Service Processing Module are upgraded; the upgrade of the main control module is introduced below through a preferred implementation. The two main control modules are in an active/standby relationship with each other. Suppose the first main control module 30a is the main control module in the active state and the second main control module 30b is the main control module in the standby state; of course, the active/standby relationship of the two is not limited to this. The configuration and state information on the first main control module 30a can be synchronized to the second main control module 30b at any time. First, the second main control module 30b, which is in the standby state, is upgraded; during this period the first main control module 30a can continue to control each module in the system. After the upgrade of the second main control module 30b is finished, the active/standby relationship of the two main control modules is switched, and the first main control module 30a, which is in the standby state after the switch, is then upgraded. In this way, this preferred implementation completes the upgrade of both main control modules without interrupting service, improving the service processing capability of the system.
In the firewall system above, smooth upgrade of the system software is achieved by migrating service between modules of the same type and upgrading the modules in turn. The system can be expanded for service and can be upgraded without interrupting service. This embodiment can also be realized in a chassis-based system. For example, a chassis-based firewall system can be built with 16 slots: two main control board slots, two switching board slots and 12 general-purpose slots, where an I/O board, a service processing board or a diverter board can be inserted in a general-purpose slot. The main control board corresponds to the main control module in the foregoing embodiment, the switching board to the Switching Module, the I/O board to the I/O module, the service processing board to the Service Processing Module, and the diverter board to the diverter module. The numbers of I/O boards, service processing boards and diverter boards can be configured flexibly according to the needs of network processing. A system configured with two main control boards, two or more service processing boards and two or more diverter boards can achieve smooth software upgrade; that is, the whole system need not be restarted when the software is upgraded, and service processing is unaffected.
Corresponding to the firewall system provided by the foregoing embodiment, this embodiment provides a data processing method based on that firewall system, which can be composed of main control modules, Service Processing Modules, diverter modules, a Switching Module and I/O ports. The packet flow of the system is shown in Fig. 5. First, a packet enters an I/O port of the firewall system; the I/O port sends the packet to the Switch module, which forwards it to a diverter module. Next, the diverter module, following the shunting rule that packets of the same session are sent to the same Service Processing Module, forwards the packet via the Switch module to the corresponding Service Processing Module. That Service Processing Module then processes the packet and forwards the processed packet through the Switch module to an I/O port. Finally, the I/O port outputs the packet from the firewall system. The system in this embodiment is described taking as an example a system comprising two main control modules, several Service Processing Modules, several diverter modules, several I/O ports and one Switch (switching) system. Fig. 6 is a flow chart of the data processing method based on the firewall system according to an embodiment of the invention. As shown in Fig. 6, the method comprises the following steps (step S602 to step S606):
Step S602: after each I/O module among the plurality of I/O modules receives a packet, it sends the packet to the diverter module bound to it. A packet arriving from an I/O port must first be handed to a diverter module for processing. At system initialization, the I/O ports are bound to diverter modules, i.e. all packets arriving from a given I/O port are handed to a pre-designated diverter module; this binding relationship can also be changed at run time.
Step S604: after each diverter module among the plurality of diverter modules receives a packet, it forwards the packet to the corresponding Service Processing Module according to the shunting rule that packets of the same session are sent to the same Service Processing Module.
Step S606: after each Service Processing Module receives the packet, it processes the packet and, once processing is complete, outputs the packet through one of the plurality of I/O modules.
The processing performed by the Service Processing Module includes looking up the outgoing interface. If the received packet is a Layer 3 packet, the outgoing interface is found by route lookup; if the received packet is a Layer 2 packet, the outgoing interface is determined from the destination MAC address. The I/O module on which the outgoing interface resides is the selected I/O module. How the output of the packet through a particular I/O module is completed can be realized with reference to the related art and is not detailed here.
With this method, the plurality of I/O modules and the plurality of diverter modules in the firewall system are bound, and each I/O module sends the packets it receives to the diverter module bound to it. After receiving packets, each diverter module sends the packets of the same session to the same Service Processing Module, and each Service Processing Module processes the packets and outputs them through an I/O module. This solves the problem in the related art that a system cannot be expanded for service: the system contains a plurality of Service Processing Modules whose number can be configured on demand, so the system supports service expansion, which in turn improves the performance of the firewall system.
After receiving a packet sent by an I/O module, each diverter module sends the packet to a Service Processing Module according to the shunting rule that packets of the same session are sent to the same Service Processing Module. As to how a diverter module selects the Service Processing Module after receiving the first packet of a session, this embodiment provides two preferred implementations; of course, the invention is not limited to these two. They are described in turn below.
In the first approach, after the diverter module receives the first packet of a session, it determines the load of the plurality of Service Processing Modules, selects the Service Processing Module for the first packet according to the determined load, and finally forwards the first packet to the selected Service Processing Module. This approach selects on the basis of the load of the Service Processing Modules; in general, the diverter module selects a Service Processing Module with lower load to receive the packet.
In the second approach, after the diverter module receives the first packet of a session, it performs a mapping on the information carried in the header of that first packet, determines the Service Processing Module for the first packet from the result of the mapping, and finally forwards the first packet to the determined Service Processing Module. For example, a fixed mapping can be used: the hash value of the packet's 5-tuple (the source and destination IP addresses, the source and destination ports, and the protocol number of the IP packet) is computed, and packets with the same hash value correspond to the same Service Processing Unit. This establishes the mapping between the first packet and a Service Processing Module, so that the diverter module can select a Service Processing Module when it receives the first packet. Both preferred implementations make it quick and simple for the diverter module to select a suitable Service Processing Module when it receives the first packet.
After a Service Processing Module receives the first packet sent by a diverter module, it can record the session so that subsequent packets are easier to receive and process. To this end, in a preferred implementation of this embodiment, after receiving the first packet sent by the diverter module, the Service Processing Module creates the data structure of the session according to the first packet and then replies to the diverter module with a response message, wherein the response message carries the correspondence between the session identifier and the identifier of the Service Processing Module. The diverter module stores the correspondence carried in the response message, so that when it receives subsequent packets of the session it can forward them to that Service Processing Module according to the stored correspondence. With this preferred implementation, the Service Processing Module can conveniently and effectively manage and record the subsequent packets sent by the diverter module, and the diverter module can record the correspondence between the session identifier and the identifier of the Service Processing Module and use it to send subsequent packets to the corresponding Service Processing Module. The data structure created in this embodiment can comprise some or all of the following parameters: the 5-tuple of the packet, the outgoing interface of the packet, the next-hop MAC address of the packet, the 5-tuple of the reverse packet, the incoming interface of the packet, the source MAC address of the packet, the security policy ID, the ID of the Service Processing Module that handles the packets of this session, and so on. The session identifier can be the 5-tuple carried in the packet, the 5-tuple carried in the reverse packet, and so on.
The firewall system of the foregoing embodiment and its preferred implementations can satisfy the requirement of service expansion, and data processing inside the system can be carried out in a more planned and purposeful way. Prior-art firewall systems also face the problem of having to interrupt service when upgrading. This embodiment therefore provides a preferred implementation. After receiving an upgrade indication, a diverter module synchronizes its stored correspondence to another diverter module among the plurality of diverter modules and then performs the upgrade according to the upgrade indication. After the Switching Module receives a system configuration indication, it modifies the binding relationship between the plurality of I/O modules and the plurality of diverter modules according to that indication and forwards the subsequent packets of the session according to the modified binding relationship. After the other diverter module has stored the correspondence synchronized by the first diverter module, it forwards the subsequent packets of the session, as forwarded by the Switching Module, to the Service Processing Module according to the stored correspondence.
Suppose the system has a plurality of diverter modules, two of which are called A and B, and diverter module A is now to be upgraded. First, the shunt table on diverter module A is synchronized to diverter module B; from then on, diverter module B forwards packets according to the synchronized correspondence. After the synchronization is complete, the configuration of the Switch module is changed so that all traffic from the I/O ports originally bound to diverter module A is forwarded to diverter module B for processing. At this point diverter module A no longer receives service packets and can be upgraded without affecting service processing. After the upgrade of diverter module A is complete, diverter module B is upgraded by a similar process. Of course, when a diverter module is to be upgraded, the diverter module chosen to receive the synchronized correspondence is not limited to one particular diverter module; it can be any diverter module other than the one being upgraded.
This preferred implementation ensures that packet transmission is not interrupted while a diverter module is upgraded. With it, the firewall system can upgrade a diverter module without interrupting service, which improves the reliability of the firewall system's service processing.
Having described the upgrade of the diverter module, the upgrade process of the Service Processing Module is described below. This embodiment provides another preferred implementation, whose process is as follows. After a Service Processing Module receives an upgrade indication, it synchronizes the data structures it has created to another Service Processing Module among the plurality of Service Processing Modules and sends a correspondence amendment notice to the diverter module, wherein the amendment notice carries the identifier of the Service Processing Module itself and the identifier of the other Service Processing Module; these two identifiers indicate which Service Processing Module is to be switched to which Service Processing Module. The Service Processing Module then performs the upgrade according to the upgrade indication. After the service migration of this embodiment is finished, the main control module can restart the Service Processing Module and then load the new software version. According to the amendment notice sent by the Service Processing Module, the diverter module changes every identifier in the correspondence that is the same as the identifier of that Service Processing Module in the amendment notice into the identifier of the other Service Processing Module in the amendment notice, and forwards the subsequent packets of the session to the other Service Processing Module according to the modified correspondence. The other Service Processing Module stores the data structures synchronized by the first Service Processing Module and then processes the subsequent packets of the session according to the stored data structures.
Suppose the firewall system has a plurality of Service Processing Modules, two of which are called A and B, and Service Processing Module A is now to be upgraded. First, the session information on Service Processing Module A is synchronized to Service Processing Module B. After the synchronization is complete, the diverter module is notified to forward to Service Processing Module B all traffic that would originally have been forwarded to Service Processing Module A. After this, Service Processing Module A no longer receives service packets and can be upgraded. After the upgrade of Service Processing Module A is complete, the other Service Processing Modules are upgraded by a similar method. Of course, when a Service Processing Module is to be upgraded, the Service Processing Module chosen to receive the synchronized data structures is not limited to one particular Service Processing Module; it can be any Service Processing Module other than the one being upgraded.
This preferred implementation ensures that packet transmission is not interrupted while a Service Processing Module is upgraded. With it, the firewall system can upgrade a Service Processing Module without interrupting service, which improves the reliability of the firewall system's service processing.
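The following Python sketch is an added illustration, not code from the patent. It models the shunt table with the fixed 5-tuple hash mapping described earlier and the two migration procedures above (Service Processing Module and diverter module), plus a pre-upgrade check that no session still depends on the module being taken out of service. All class, method, module and port names are hypothetical; the sample flows are constructed; skipping a draining module when placing new sessions, and binding both I/O ports to one diverter, are assumptions the text does not state.

```python
import hashlib

def reverse(t):
    """5-tuple of the reply direction: (src_ip, dst_ip, src_port, dst_port, proto)."""
    src_ip, dst_ip, sport, dport, proto = t
    return (dst_ip, src_ip, dport, sport, proto)

class ServiceModule:
    def __init__(self, ident):
        self.ident = ident
        self.sessions = {}      # 5-tuple -> session data structure
        self.accepting = True   # False while the module is being upgraded

    def handle(self, pkt):
        """Process a packet; for a first packet, return the entries the diverter must store."""
        if not self.accepting:
            raise RuntimeError(f"{self.ident} received traffic during its upgrade")
        sess, reply = self.sessions.get(pkt), {}
        if sess is None:
            sess = {"fwd": pkt, "rev": reverse(pkt), "packets": 0}
            self.sessions[pkt] = self.sessions[reverse(pkt)] = sess
            # Response message: session identifiers (both directions) -> this module
            reply = {pkt: self.ident, reverse(pkt): self.ident}
        sess["packets"] += 1
        return reply

class Diverter:
    def __init__(self, ident, modules):
        self.ident = ident
        self.modules = modules  # shared dict: module id -> ServiceModule
        self.table = {}         # shunt table: 5-tuple -> module id

    def pick(self, pkt):
        """Fixed mapping for a first packet: hash of the 5-tuple over modules in service."""
        ids = sorted(i for i, m in self.modules.items() if m.accepting)  # assumption
        digest = hashlib.sha256(repr(pkt).encode()).digest()
        return ids[int.from_bytes(digest[:4], "big") % len(ids)]

    def forward(self, pkt):
        target = self.table.get(pkt) or self.pick(pkt)
        self.table.update(self.modules[target].handle(pkt))
        return target

class Firewall:
    def __init__(self, module_ids, diverter_ids, binding):
        self.modules = {i: ServiceModule(i) for i in module_ids}
        self.diverters = {d: Diverter(d, self.modules) for d in diverter_ids}
        self.binding = dict(binding)  # Switching Module: I/O port -> diverter

    def receive(self, port, pkt):
        return self.diverters[self.binding[port]].forward(pkt)

    def drain_module(self, old, new):
        """Service Processing Module upgrade: sync sessions, notify diverters, stop traffic."""
        src, dst = self.modules[old], self.modules[new]
        dst.sessions.update(src.sessions)          # synchronize the data structures
        for d in self.diverters.values():          # amendment notice carrying (old, new)
            d.table = {k: (new if v == old else v) for k, v in d.table.items()}
        src.sessions, src.accepting = {}, False

    def drain_diverter(self, old, new):
        """Diverter upgrade: sync the shunt table, then rebind the I/O ports."""
        self.diverters[new].table.update(self.diverters[old].table)
        self.binding = {p: (new if d == old else d) for p, d in self.binding.items()}

    def module_idle(self, ident):
        """True if no shunt-table entry targets `ident` and every target holds its session."""
        return all(v != ident and k in self.modules[v].sessions
                   for d in self.diverters.values() for k, v in d.table.items())

    def diverter_idle(self, ident):
        """True if no I/O port is still bound to the diverter."""
        return ident not in self.binding.values()

def demo():
    fw = Firewall(["spm-a", "spm-b", "spm-c"], ["div-1", "div-2"],
                  {"io-1": "div-1", "io-2": "div-1"})
    # Constructed sample flows (TCP/443 to a documentation address)
    flows = [(f"10.0.0.{i}", "192.0.2.10", 40000 + i, 443, 6) for i in range(1, 9)]
    first = {f: fw.receive("io-1", f) for f in flows}        # first packets
    old = first[flows[0]]                                    # module to upgrade
    new = next(i for i in sorted(fw.modules) if i != old)    # its backup
    ready_before = fw.module_idle(old)
    fw.drain_module(old, new)
    fw.drain_diverter("div-1", "div-2")
    later = {f: fw.receive("io-2", reverse(f)) for f in flows}  # reply packets
    return fw, first, later, old, new, ready_before

if __name__ == "__main__":
    fw, first, later, old, new, ready_before = demo()
    print("safe before migration:", ready_before, "after:", fw.module_idle(old))
    print("moved sessions:", sum(1 for f in first if first[f] != later[f]))
```

The reply packets hash differently from the forward packets, so they reach the right module only because the shunt table stores the reverse 5-tuple; a session whose state was not synchronized before the table rewrite would make `module_idle` return false.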
The preferred implementations above describe in detail how the diverter module and the Service Processing Module are upgraded; the upgrade of the main control module is introduced below through a preferred implementation. The two main control modules in the firewall system operate in active/standby logic, and the configuration and state information on the active module can be synchronized to the standby module at any time. When the system is upgraded, the main control module in the standby state is upgraded first; after that upgrade is complete, the active/standby roles are switched, and the main control module that is newly in the standby state is then upgraded. This approach completes the upgrade of both main control modules without interrupting service, improving the service processing capability of the system.
The implementation of the foregoing embodiments is described in detail below with reference to a preferred embodiment and the accompanying drawings.
Embodiment one
Fig. 7 is a flow chart of the data processing method based on the firewall system according to embodiment one of the invention. The firewall system can be composed of main control modules, Service Processing Modules, diverter modules, a Switch (switching) module and I/O ports. The main control module is responsible for the control-plane processing of the system, and the two main control modules form active/standby redundancy; the Service Processing Module is responsible for firewall service processing; the diverter module is responsible for distributing packets to the Service Processing Modules; and the Switch module interconnects the modules, so that the service and control data exchanged between modules are forwarded by the Switch module. As shown in Fig. 7, the method comprises the following steps (step S702 to step S724):
Step S702: the system upgrades the main control module in the standby state.
Step S704: after the upgrade of the standby main control module is complete, the two main control modules perform an active/standby switchover.
Step S706: the main control module now in the standby state (i.e. the originally active main control module) is upgraded.
Step S708: all Service Processing Modules are queued; the Service Processing Module at the head of the queue is selected as the first to be upgraded, and the next Service Processing Module is its backup module. The selection is not limited to this way; this embodiment is described using it only as an example.
Step S710: the selected Service Processing Module is upgraded.
Step S712: judge whether all Service Processing Modules have been upgraded. If all Service Processing Modules have been upgraded, execute step S714; if not, execute step S716.
Step S714: all diverter modules are queued; the diverter module at the head of the queue is selected as the first to be upgraded, and the next diverter module is its backup module. The selection is not limited to this way; this embodiment is described using it only as an example. Then execute step S718.
Step S716: the next module in the queue is selected as the module to upgrade; then execute step S710.
Step S718: the selected diverter module is upgraded.
Step S720: judge whether all diverter modules have been upgraded. If all diverter modules have been upgraded, execute step S724; if not, execute step S722.
Step S722: the next module in the queue is selected as the module to upgrade; then execute step S718.
Step S724: the system upgrade is complete.
The method of this embodiment allows the firewall system to expand its performance and to achieve smooth upgrade without interrupting service; the system has advantages such as high reliability and easily expandable performance.
As can be seen from the above description, the solution of the invention can realize a firewall system with extensible performance. The system achieves smooth upgrade by migrating service between modules of the same type and upgrading the modules in turn. It thereby achieves performance expansion of the firewall system, allows the system to be upgraded without interrupting service, and improves the reliability of the system's service processing.
Obviously, those skilled in the art will appreciate that the modules or steps of the invention described above can be realized with general-purpose computing devices. They can be concentrated on a single computing device or distributed over a network formed by a plurality of computing devices. Optionally, they can be realized with program code executable by a computing device, so that they can be stored in a storage device and executed by a computing device; in some cases the steps shown or described can be performed in an order different from the one given here. Alternatively, they can each be made into a separate integrated circuit module, or a plurality of the modules or steps can be made into a single integrated circuit module. Thus, the invention is not restricted to any specific combination of hardware and software.
The above are merely preferred embodiments of the invention and are not intended to limit the invention; for those skilled in the art, the invention can have various modifications and variations. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the invention shall be included within the protection scope of the invention.

Claims (12)

1. A firewall system, characterized in that it comprises: two main control modules, a plurality of Service Processing Modules, a plurality of diverter modules, a plurality of input/output (I/O) modules and a Switching Module; wherein,
the two main control modules are in an active/standby relationship with each other and are configured to control said plurality of Service Processing Modules, said plurality of diverter modules, said plurality of I/O modules and said Switching Module;
said Switching Module is configured to forward packets between the modules;
said plurality of I/O modules and said plurality of diverter modules are bound, and each said I/O module is configured to send the packets it receives to the diverter module bound to it;
each said diverter module among said plurality of diverter modules is configured to send the packets of the same session to the same Service Processing Module;
each said Service Processing Module is configured to process the received packets and, after processing is complete, to output said packets through one I/O module among said plurality of I/O modules.
2. The system according to claim 1, characterized in that said diverter module comprises:
a load determination unit, configured to determine the load of said plurality of Service Processing Modules when the first packet of a session is received;
a selection unit, configured to select the Service Processing Module corresponding to said first packet according to the load determined by said load determination unit;
a first shunting unit, configured to forward said first packet to the Service Processing Module selected by said selection unit.
3. The system according to claim 1, characterized in that said diverter module comprises:
a mapping unit, configured to perform a mapping on the information carried in the header of the first packet of a session when said first packet is received;
a determination unit, configured to determine the Service Processing Module corresponding to said first packet according to the mapping result of said mapping unit;
a second shunting unit, configured to forward said first packet to the Service Processing Module determined by said determination unit.
4. The system according to claim 2 or 3, characterized in that said Service Processing Module comprises:
a receiving unit, configured to receive said first packet;
a creation unit, configured to create the data structure of said session according to said first packet;
a response unit, configured to reply to said diverter module with a response message, wherein said response message carries the correspondence between said session identifier and the identifier of said Service Processing Module;
said diverter module comprises: a correspondence storage unit, configured to store the correspondence, carried in said response message, between said session identifier and the identifier of said Service Processing Module; and a third shunting unit, configured to forward the subsequent packets of said session to said Service Processing Module according to said correspondence stored in said correspondence storage unit.
5. The system according to claim 4, characterized in that,
said diverter module comprises: a synchronization unit, configured to synchronize, after an upgrade indication is received, said correspondence stored in said correspondence storage unit to another diverter module among said plurality of diverter modules; and a first upgrade unit, configured to perform the upgrade according to said upgrade indication;
said other diverter module comprises: a synchronization storage unit, configured to store the correspondence synchronized by said synchronization unit;
said Switching Module comprises: a binding modification unit, configured to modify the binding relationship between said plurality of I/O modules and said plurality of diverter modules according to a system configuration indication.
6. The system according to claim 4, characterized in that:
Said service processing module comprises: an information synchronization unit, configured to, after receiving an upgrade indication, synchronize said data structure created by said creating unit to another service processing module of said plurality of service processing modules; a notification unit, configured to send a modification notice for said correspondence to said diverter module, wherein said modification notice carries the identifier of the service processing module in which the notification unit itself resides and the identifier of said another service processing module; and a second upgrading unit, configured to perform the upgrade according to said upgrade indication;
Said diverter module comprises: a correspondence modification unit, configured to, according to the modification notice sent by said notification unit, change any identifier in said correspondence that is identical to the first service processing module identifier in said modification notice into the second service processing module identifier in said modification notice; and a fourth dividing unit, configured to forward the subsequent packets of said session to said another service processing module according to the correspondence modified by said correspondence modification unit;
Said another service processing module comprises: an information storage unit, configured to store said data structure synchronized by said information synchronization unit; and a service processing unit, configured to process the subsequent packets of said session according to said data structure stored in said information storage unit.
7. A data processing method based on the firewall system according to claim 1, characterized by comprising:
After each I/O module of said plurality of I/O modules receives a packet, sending said packet to the diverter module bound to it;
After each diverter module of said plurality of diverter modules receives said packet, forwarding said packet to the corresponding service processing module according to the shunting rule that packets of the same session are sent to the same service processing module;
After each said service processing module receives said packet, processing said packet and, after processing is complete, outputting said packet through one I/O module of said plurality of I/O modules.
8. The method according to claim 7, characterized in that said diverter module forwarding said packet to the corresponding service processing module comprises:
After receiving the first packet of a session, said diverter module determines the load conditions of said plurality of service processing modules;
Said diverter module selects the service processing module corresponding to said first packet according to the determined load conditions of said plurality of service processing modules;
Said diverter module forwards said first packet to the selected service processing module.
9. The method according to claim 7, characterized in that said diverter module forwarding said packet to the corresponding service processing module comprises:
After receiving the first packet of a session, said diverter module performs mapping according to the information carried in the header of said first packet;
Said diverter module determines the service processing module corresponding to said first packet according to the mapping result;
Said diverter module forwards said first packet to the determined service processing module.
10. The method according to claim 8 or 9, characterized in that the processing after each said service processing module receives said packet comprises:
After receiving said first packet, said service processing module creates the data structure of said session according to said first packet;
Said service processing module replies to said diverter module with a response message, wherein said response message carries the correspondence between the identifier of said session and the identifier of said service processing module;
Said diverter module stores the correspondence, carried in said response message, between the identifier of said session and the identifier of said service processing module;
Said diverter module forwards the subsequent packets of said session to said service processing module according to the stored correspondence.
11. The method according to claim 10, characterized in that said method further comprises:
After receiving an upgrade indication, said diverter module synchronizes the stored correspondence to another diverter module of said plurality of diverter modules, and then performs the upgrade according to said upgrade indication;
After receiving a system configuration indication, said switching module modifies the binding relationship between said plurality of I/O modules and said plurality of diverter modules according to said system configuration indication, and forwards the subsequent packets of said session according to the modified binding relationship;
After storing the correspondence synchronized by said diverter module, said another diverter module forwards the subsequent packets of said session, forwarded by said switching module, to said service processing module according to the stored correspondence.
12. The method according to claim 10, characterized in that said method further comprises:
After receiving an upgrade indication, said service processing module synchronizes the created data structure to another service processing module of said plurality of service processing modules, and sends a modification notice for said correspondence to said diverter module, wherein said modification notice carries the identifier of the service processing module itself and the identifier of said another service processing module; it then performs the upgrade according to said upgrade indication;
According to the modification notice sent by said service processing module, said diverter module changes any identifier in said correspondence that is identical to the first service processing module identifier in said modification notice into the second service processing module identifier in said modification notice; said diverter module then forwards the subsequent packets of said session to said another service processing module according to the modified correspondence;
Said another service processing module stores the data structure synchronized by said service processing module, and processes the subsequent packets of said session according to the stored data structure.
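The session-affinity dispatch and upgrade handover recited in claims 9, 10 and 12, as an added Python simulation (not code from the patent). The class names, the CRC32 mapping and the `active` set that keeps new sessions off a module being upgraded are assumptions made for this example.

```python
import zlib

class ServiceModule:
    """Service processing module: owns the per-session data structure."""
    def __init__(self, ident):
        self.ident = ident
        self.sessions = {}                  # session id -> session state

    def handle(self, sid):
        first = sid not in self.sessions
        state = self.sessions.setdefault(sid, {"packets": 0})
        state["packets"] += 1
        # Claim 10: on a session's first packet, reply with (session id, module id).
        return (sid, self.ident) if first else None

    def prepare_upgrade(self, peer):
        # Claim 12: sync session state to a peer, then emit the modification notice.
        peer.sessions.update(self.sessions)
        self.sessions = {}
        return (self.ident, peer.ident)     # (first identifier, second identifier)

class Diverter:
    """Diverter module: keeps the session -> module correspondence."""
    def __init__(self, modules):
        self.modules = {m.ident: m for m in modules}
        self.active = set(self.modules)     # assumption: modules eligible for new sessions
        self.table = {}                     # stored correspondence

    def pick(self, sid):
        # Claim 9: map header information to a module (CRC32 is an assumed mapping).
        idents = sorted(self.active)
        return idents[zlib.crc32(repr(sid).encode()) % len(idents)]

    def forward(self, sid):
        target = self.table.get(sid) or self.pick(sid)
        reply = self.modules[target].handle(sid)
        if reply:                           # store the replied correspondence
            self.table[reply[0]] = reply[1]
        return target

    def apply_notice(self, notice):
        old, new = notice                   # rewrite every entry that names `old`
        self.active.discard(old)            # assumption: stop mapping new sessions to it
        for sid, ident in list(self.table.items()):
            if ident == old:
                self.table[sid] = new
```

In this simulation the order matters: if `apply_notice` ran before `prepare_upgrade` had copied the state, the peer would receive mid-session packets for which it holds no session entry.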
CN201110424951.8A 2011-12-16 2011-12-16 Fire wall system and data processing method based on fire wall system Active CN102404339B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110424951.8A CN102404339B (en) 2011-12-16 2011-12-16 Fire wall system and data processing method based on fire wall system

Publications (2)

Publication Number Publication Date
CN102404339A true CN102404339A (en) 2012-04-04
CN102404339B CN102404339B (en) 2014-06-18

Family

ID=45886125

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110424951.8A Active CN102404339B (en) 2011-12-16 2011-12-16 Fire wall system and data processing method based on fire wall system

Country Status (1)

Country Link
CN (1) CN102404339B (en)

Also Published As

Publication number Publication date
CN102404339B (en) 2014-06-18

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: HILLSTONE NETWORKS COMMUNICATION TECHNOLOGY CO., L

Free format text: FORMER OWNER: HILLSTONE NETWORKS (BEIJING) INC.

Effective date: 20140716

C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 100085 HAIDIAN, BEIJING TO: 215163 SUZHOU, JIANGSU PROVINCE

TR01 Transfer of patent right

Effective date of registration: 20140716

Address after: 215163 Jiangsu city of Suzhou province high tech Zone (Suzhou city) kolding Road No. 78 Gaoxin Software Park Building 7 floor 3

Patentee after: HILLSTONE NETWORKS

Address before: 100085 Beijing city Haidian District on the seven Street No. 1 Huizhong 3 storey building

Patentee before: Hillstone Networks Communication Technology (Beijing) Co., Ltd.

CB03 Change of inventor or designer information

Inventor after: Yang Qijun

Inventor after: Liu Xiangming

Inventor after: Wang Zhong

Inventor after: Mo Ning

Inventor after: Luo Dongping

Inventor before: Yang Qijun

Inventor before: Liu Xiangming

Inventor before: Wang Zhong

Inventor before: Mo Ning

CP03 Change of name, title or address

Address after: 215163 No. 181 Jingrun Road, Suzhou High-tech Zone, Jiangsu Province

Patentee after: SHANSHI NETWORK COMMUNICATION TECHNOLOGY CO., LTD.

Address before: 215163 3rd Floor, 7th Building, High-tech Software Park, 78 Keling Road, Suzhou Science and Technology City, Jiangsu Province

Patentee before: HILLSTONE NETWORKS
