Summary of the invention
Systems in the related art cannot carry out business expansion. To address at least this problem, the invention provides a firewall system and a data processing method based on that firewall system.
According to an aspect of the present invention, a firewall system is provided. The system comprises two main control modules, multiple Service Processing Modules, multiple diverter modules, multiple I/O modules and one Switching Module. The two main control modules stand in a main/standby relationship with each other and control the Service Processing Modules, the diverter modules, the I/O modules and the Switching Module. The Switching Module forwards packets between the modules. The I/O modules are bound to the diverter modules, and each I/O module sends the packets it receives to the diverter module it is bound to. Each diverter module sends the packets of the same session to the same Service Processing Module. Each Service Processing Module processes the packets it receives and, after processing, outputs each packet through one of the I/O modules.
The diverter module described above comprises: a load determining unit, which, upon receiving the first packet of a session, determines the load condition of the multiple Service Processing Modules; a selecting unit, which selects the Service Processing Module corresponding to the first packet according to the load condition determined by the load determining unit; and a first diverting unit, which forwards the first packet to the Service Processing Module selected by the selecting unit.
The diverter module described above comprises: a mapping unit, which, upon receiving the first packet of a session, performs a mapping according to the information carried in the packet header of the first packet; a determining unit, which determines the Service Processing Module corresponding to the first packet according to the mapping result of the mapping unit; and a second diverting unit, which forwards the first packet to the Service Processing Module determined by the determining unit.
The Service Processing Module described above comprises: a receiving unit, which receives the first packet; a creating unit, which creates the data structure of the session according to the first packet; and a response unit, which replies a response message to the diverter module, where the response message carries the correspondence between the session identification and the mark of the Service Processing Module. The diverter module comprises: a correspondence relation storage unit, which stores the correspondence between the session identification and the mark of the Service Processing Module carried in the response message; and a third diverting unit, which forwards the follow-up packets of the session to the Service Processing Module according to the correspondence stored in the correspondence relation storage unit.
The diverter module described above comprises: a synchronizing unit, which, upon receiving an upgrade indication, synchronizes the correspondence stored in the correspondence relation storage unit to another diverter module among the multiple diverter modules; and a first upgrading unit, which upgrades according to the upgrade indication. The other diverter module comprises a synchronized storage unit, which stores the correspondence synchronized by the synchronizing unit. The Switching Module comprises a binding modification unit, which modifies the binding relationship between the multiple I/O modules and the multiple diverter modules according to a system configuration indication.
The Service Processing Module described above comprises: an information synchronizing unit, which, upon receiving an upgrade indication, synchronizes the data structure created by the creating unit to another Service Processing Module among the multiple Service Processing Modules; a notification unit, which sends a correspondence amendment notice to the diverter module, where the amendment notice carries the mark of the Service Processing Module it resides in and the mark of the other Service Processing Module; and a second upgrading unit, which upgrades according to the upgrade indication. The diverter module comprises: a correspondence modification unit, which, according to the amendment notice sent by the notification unit, rewrites each mark in the correspondence that equals the mark of the first Service Processing Module in the amendment notice to the mark of the second Service Processing Module in the amendment notice; and a fourth diverting unit, which forwards the follow-up packets of the session to the other Service Processing Module according to the correspondence as modified by the correspondence modification unit. The other Service Processing Module comprises: an information storage unit, which stores the data structure synchronized by the information synchronizing unit; and a service processing unit, which processes the follow-up packets of the session according to the data structure stored in the information storage unit.
According to a further aspect of the invention, a data processing method based on the firewall system above is provided. The method comprises: each I/O module among the multiple I/O modules, after receiving a packet, sends it to the diverter module it is bound to; each diverter module among the multiple diverter modules, after receiving the packet, forwards it to the corresponding Service Processing Module according to the shunting rule that packets of the same session are sent to the same Service Processing Module; and each Service Processing Module, after receiving the packet, processes it and, after processing, outputs it through one of the multiple I/O modules.
The step in which the diverter module forwards the packet to the corresponding Service Processing Module comprises: after receiving the first packet of a session, the diverter module determines the load condition of the multiple Service Processing Modules; according to the determined load condition, the diverter module selects the Service Processing Module corresponding to the first packet; and the diverter module forwards the first packet to the selected Service Processing Module.
The step in which the diverter module forwards the packet to the corresponding Service Processing Module comprises: after receiving the first packet of a session, the diverter module performs a mapping according to the information carried in the packet header of the first packet; the diverter module determines the Service Processing Module corresponding to the first packet according to the mapping result; and the diverter module forwards the first packet to the determined Service Processing Module.
The step performed by each Service Processing Module after receiving the packet comprises: after receiving the first packet, the Service Processing Module creates the data structure of the session according to the first packet; the Service Processing Module replies a response message to the diverter module, where the response message carries the correspondence between the session identification and the mark of the Service Processing Module; the diverter module stores the correspondence between the session identification and the mark of the Service Processing Module carried in the response message; and, according to the stored correspondence, the diverter module forwards the follow-up packets of the session to the Service Processing Module.
The method further comprises: after receiving an upgrade indication, the diverter module synchronizes the stored correspondence to another diverter module among the multiple diverter modules and then upgrades according to the upgrade indication; after receiving a system configuration indication, the Switching Module modifies the binding relationship between the multiple I/O modules and the multiple diverter modules according to the system configuration indication and forwards the follow-up packets of the session according to the modified binding relationship; and the other diverter module, after storing the correspondence synchronized by the diverter module, forwards the follow-up packets of the session that the Switching Module forwards to it to the Service Processing Module according to the stored correspondence.
The method further comprises: after receiving an upgrade indication, the Service Processing Module synchronizes the data structure it created to another Service Processing Module among the multiple Service Processing Modules, sends a correspondence amendment notice to the diverter module, where the amendment notice carries the mark of the Service Processing Module it resides in and the mark of the other Service Processing Module, and then upgrades according to the upgrade indication; according to the amendment notice sent by the Service Processing Module, the diverter module rewrites each mark in the correspondence that equals the mark of the first Service Processing Module in the amendment notice to the mark of the second Service Processing Module in the amendment notice; the diverter module forwards the follow-up packets of the session to the other Service Processing Module according to the modified correspondence; and the other Service Processing Module stores the data structure synchronized by the Service Processing Module and processes the follow-up packets of the session according to the stored data structure.
With the present invention, the multiple I/O modules of the firewall system are bound to the multiple diverter modules; each I/O module sends the packets it receives to the diverter module it is bound to; each diverter module, after receiving a packet, sends the packets of the same session to the same Service Processing Module; and each Service Processing Module outputs each packet through an I/O module after processing it. This solves the problem that systems in the related art cannot carry out business expansion: the system has multiple Service Processing Modules, and their number can be configured according to demand, so the system supports business expansion and the performance of the firewall system is improved.
Embodiment
The present invention is described in detail below with reference to the accompanying drawings and in conjunction with the embodiments. It should be noted that, where no conflict arises, the embodiments of this application and the features in the embodiments may be combined with each other.
In the prior art, a firewall system has only one CPU responsible for service processing, so system performance is limited by the processing capability of that CPU and cannot be extended. Against this background, the embodiment of the present invention provides a firewall system and a data processing method based on it. The firewall system has multiple Service Processing Modules, which makes business expansion convenient. A detailed description follows by way of embodiments.
This embodiment provides a firewall system comprising two main control modules, multiple Service Processing Modules, multiple diverter modules, multiple I/O modules and one switch (Switching) module. Fig. 3 is the structural block diagram of the firewall system. In Fig. 3, the two main control modules are illustrated by a first main control module 30a and a second main control module 30b; the multiple Service Processing Modules by a first Service Processing Module 32a, a second Service Processing Module 32b and a third Service Processing Module 32c; the multiple diverter modules by a first diverter module 34a, a second diverter module 34b and a third diverter module 34c; the multiple I/O modules by a first I/O module 36a, a second I/O module 36b and a third I/O module 36c; and the Switching Module by Switching Module 38. This structure is described below.
The two main control modules stand in a main/standby relationship with each other and control the multiple Service Processing Modules, the multiple diverter modules, the multiple I/O modules and the Switching Module. The Switching Module (such as Switching Module 38 in Fig. 3) is connected to all of the modules above and forwards packets between them.
The multiple I/O modules are bound to the multiple diverter modules. Each I/O module (such as the first I/O module 36a in Fig. 3) is connected to Switching Module 38 and sends the packets it receives to the diverter module it is bound to (such as the first diverter module 34a in Fig. 3). Each diverter module among the multiple diverter modules (such as the first diverter module 34a in Fig. 3) is connected to Switching Module 38 and sends the packets of the same session to the same Service Processing Module (such as the first Service Processing Module 32a in Fig. 3).
Each Service Processing Module (such as the first Service Processing Module 32a in Fig. 3) is connected to Switching Module 38, processes the packets it receives and, after processing, outputs each packet through one of the multiple I/O modules (such as the first I/O module 36a in Fig. 3).
The processing performed by the Service Processing Module includes finding the outgoing interface: if the received packet is a layer 3 packet, the outgoing interface is found by route lookup; if it is a layer 2 packet, the outgoing interface is determined by the destination MAC (Media Access Control) address. The I/O module on which the outgoing interface resides is the selected I/O module. How a particular I/O module completes the output of the packet can be implemented with reference to the related art and is not described in detail here.
With the system described above, the multiple I/O modules of the firewall system are bound to the multiple diverter modules; each I/O module sends the packets it receives to the diverter module it is bound to; each diverter module, after receiving a packet, sends the packets of the same session to the same Service Processing Module; and each Service Processing Module outputs each packet through an I/O module after processing it. This solves the problem that systems in the related art cannot carry out business expansion: the system has multiple Service Processing Modules, and their number can be configured according to demand, so the system supports business expansion and the performance of the firewall system is improved.
After receiving a packet sent by an I/O module, each diverter module sends it to a Service Processing Module according to the shunting rule that packets of the same session are sent to the same Service Processing Module. For how the diverter module chooses a Service Processing Module after receiving the first packet of a session, this embodiment provides two preferred implementations; the invention is of course not limited to these two. The two preferred implementations are described below in turn, taking the first diverter module 34a in Fig. 3 as the example.
In the first way, the first diverter module 34a of the firewall system comprises: a load determining unit, which, upon receiving the first packet of a session, determines the load condition of the multiple Service Processing Modules; a selecting unit, which selects the first Service Processing Module 32a corresponding to the first packet according to the load condition determined by the load determining unit; and a first diverting unit, connected to the selecting unit, which forwards the first packet to the first Service Processing Module 32a selected by the selecting unit. This way selects on the basis of the load condition of the Service Processing Modules; generally, the diverter module selects a Service Processing Module with lower load to send the packet to.
In the second way, the first diverter module 34a of the firewall system comprises: a mapping unit, which, upon receiving the first packet of a session, performs a mapping according to the information carried in the packet header of the first packet; a determining unit, connected to the mapping unit, which determines the first Service Processing Module 32a corresponding to the first packet according to the mapping result of the mapping unit; and a second diverting unit, connected to the determining unit, which forwards the first packet to the first Service Processing Module 32a determined by the determining unit. This way selects the Service Processing Module on the basis of a mapping relationship between the information carried in the packet header of the first packet and the first Service Processing Module 32a. For example, a fixed mapping may be used: the hash (also written Hash or HASH) value of the 5-tuple of the IP packet (source IP address, destination IP address, source port, destination port and protocol number) is calculated, and packets with the same hash value are assigned to the same service processing unit; this establishes the mapping between the first packet and the Service Processing Module, so that when the first diverter module 34a receives the first packet it selects the first Service Processing Module 32a to send the packet to. Both preferred implementations allow a suitable Service Processing Module to be chosen quickly and simply when the diverter module receives the first packet.
After the Service Processing Module receives the first packet sent by the diverter module, it can record it so that follow-up packets can be received and processed. To this end, in a preferred implementation of this embodiment (described with the first Service Processing Module 32a as the example), the Service Processing Module comprises: a receiving unit, which receives the first packet; a creating unit, connected to the receiving unit, which creates the data structure of the session according to the first packet; and a response unit, connected to the creating unit, which replies a response message to the first diverter module 34a, where the response message carries the correspondence between the session identification and the mark of the first Service Processing Module 32a. With this preferred implementation, the Service Processing Module can conveniently and effectively manage and record the follow-up packets the diverter module sends to it. The data structure created in this embodiment may include some or all of the following parameters: the 5-tuple of the packet, the packet incoming interface, the source MAC address of the packet, the security policy ID of the packet's 5-tuple, the packet outgoing interface, the next-hop MAC address of the packet, the 5-tuple of the reverse packet, and the ID of the Service Processing Module that processes the packets of this session. The session identification may be the 5-tuple carried in the packet together with the 5-tuple carried in the reverse packet, and so on.
After the diverter module receives the response message, it can record the correspondence between the session identification and the mark of the Service Processing Module, so that when follow-up packets arrive it sends them to the corresponding Service Processing Module according to that correspondence. The diverter module (described with the first diverter module 34a as the example) comprises: a correspondence relation storage unit, which stores the correspondence between the session identification carried in the response message sent by the first Service Processing Module 32a and the mark of the first Service Processing Module 32a; and a third diverting unit, connected to the correspondence relation storage unit, which forwards the follow-up packets of the session to the first Service Processing Module 32a according to the correspondence stored in the correspondence relation storage unit.
The correspondence stored by the correspondence relation storage unit may be recorded in a shunting table. After receiving a packet, the diverter module first looks up the shunting table; if it finds the correspondence between the session identification of the packet and the mark of a Service Processing Module there, it determines from the recorded information which Service Processing Module the packet should be sent to. If the correspondence is not found, it selects a Service Processing Module with lower load, or selects one by fixed mapping, according to the two preferred implementations above for choosing a Service Processing Module after receiving the first packet. In this way the information stored in the shunting table grows continuously. The correspondence provided by this preferred implementation lets the diverter module send packets to the Service Processing Modules quickly, directly and in a planned manner.
The number of Service Processing Modules in the firewall system of the embodiment above and of each preferred implementation can be configured according to demand, which makes system performance extensible and lets the data processing inside the system be carried out in a more planned and purposeful way. A firewall system also faces the problem of upgrading. Some systems in the prior art must interrupt service when upgrading, which makes their service processing unreliable; other systems need not interrupt service when upgrading, but that upgrade mode only supports systems in which all service processing is carried out on the main control board. This embodiment therefore provides a preferred implementation. Fig. 4 is the detailed structural block diagram of the firewall system; in addition to the modules in Fig. 3, the system further comprises the following:
The diverter module (taking the first diverter module 34a in Fig. 4 as the example) comprises: a synchronizing unit 34a0, which, upon receiving an upgrade indication, synchronizes the correspondence stored in the correspondence relation storage unit to another diverter module among the multiple diverter modules (taking the second diverter module 34b in Fig. 4 as the example); and a first upgrading unit 34a2, connected to the synchronizing unit 34a0, which upgrades according to the upgrade indication.
The other diverter module (the second diverter module 34b in Fig. 4) comprises a synchronized storage unit 34b0, connected to the synchronizing unit 34a0, which stores the correspondence synchronized by the synchronizing unit 34a0. Thereafter this diverter module forwards packets according to the synchronized correspondence.
Switching Module 38 comprises a binding modification unit 380, which modifies the binding relationship between the multiple I/O modules and the multiple diverter modules according to a system configuration indication.
In this preferred implementation, when the first diverter module 34a is about to upgrade, it synchronizes the correspondence it stores to the second diverter module 34b, and Switching Module 38 then modifies the binding relationship between the I/O modules and the diverter modules, so that when the first I/O module 36a receives a packet it sends it to the second diverter module 34b. If the packets of a session would have been sent to the first Service Processing Module 32a by the first diverter module 34a, the second diverter module 34b in this preferred implementation sends them to the first Service Processing Module 32a. This ensures that packet transmission is not interrupted while the diverter module upgrades. Of course, when the first diverter module 34a is about to upgrade, the diverter module it chooses for synchronizing the correspondence is not limited to the second diverter module 34b; it may be any diverter module other than itself. With this preferred implementation, the firewall system can upgrade a diverter module without interrupting service, which improves the reliability of service processing in the firewall system.
Having described the upgrade of the diverter module, the upgrade process of the Service Processing Module is described below. This embodiment provides another preferred implementation, which comprises the following:
The Service Processing Module (taking the first Service Processing Module 32a in Fig. 4 as the example) comprises: an information synchronizing unit, which, upon receiving an upgrade indication, synchronizes the data structure created by the creating unit to another Service Processing Module among the multiple Service Processing Modules (taking the second Service Processing Module 32b in Fig. 4 as the example); a notification unit, which sends a correspondence amendment notice to the diverter module (taking the third diverter module 34c in Fig. 4 as the example), where the amendment notice carries the mark of the Service Processing Module it resides in (that is, the mark of the first Service Processing Module 32a) and the mark of the second Service Processing Module 32b, the two marks indicating which Service Processing Module is being switched to which; and a second upgrading unit, connected to the notification unit, which upgrades according to the upgrade indication. After the service migration of this embodiment, the main control module can be restarted and then load the new software version.
The diverter module (that is, the first diverter module 34a) comprises: a correspondence modification unit, which, according to the amendment notice sent by the notification unit, rewrites each mark in the correspondence that equals the mark of the first Service Processing Module in the amendment notice to the mark of the second Service Processing Module in the amendment notice (in this embodiment, for example, the mark of the first Service Processing Module 32a in the correspondence, i.e. in the shunting table, is rewritten to the mark of the second Service Processing Module 32b); and a fourth diverting unit, connected to the correspondence modification unit, which forwards the follow-up packets of the session to the second Service Processing Module 32b according to the correspondence as modified by the correspondence modification unit.
The other Service Processing Module (the second Service Processing Module 32b in Fig. 4) comprises: an information storage unit, connected to the information synchronizing unit, which stores the data structure synchronized by the information synchronizing unit; and a service processing unit, connected to the information storage unit, which processes the follow-up packets of the session according to the data structure stored in the information storage unit.
In this preferred implementation, when the first Service Processing Module 32a is about to upgrade, it synchronizes the data structure it created to the second Service Processing Module 32b; the diverter module 34c then updates the correspondence so that the session identification of the packet maps to the mark of the second Service Processing Module 32b, so that where the first diverter module 34a would have sent a packet to the first Service Processing Module 32a, the first diverter module 34a in this preferred implementation sends it to the second Service Processing Module 32b instead. This ensures that packet transmission is not interrupted while the Service Processing Module upgrades. Of course, when the first Service Processing Module 32a is about to upgrade, the Service Processing Module it chooses for synchronizing the data structure is not limited to the second Service Processing Module 32b; it may be any Service Processing Module other than itself. With this preferred implementation, the firewall system can upgrade a Service Processing Module without interrupting service, which improves the reliability of service processing in the firewall system.
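The following Python simulation is an added example, not code from the patent, covering both the shunting-table behaviour of the diverter module described earlier (first-packet selection by fixed 5-tuple hash or by lowest load, recording the Service Processing Module's response, table hits for follow-up and reverse packets) and the two upgrade paths just described (synchronizing the table to another diverter module, and migrating a Service Processing Module's session data structures with an amendment notice that rewrites the table). Assumptions: SHA-256 as the hash function, the active-session count as the load metric, and the flows and module marks (32a, 34a and so on) are constructed sample values.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class FiveTuple:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int

    def reverse(self) -> "FiveTuple":
        # 5-tuple of a reverse-direction packet of the same session
        return FiveTuple(self.dst_ip, self.src_ip, self.dst_port, self.src_port, self.proto)

def five_tuple_hash(ft: FiveTuple, n_modules: int) -> int:
    # Fixed mapping: equal hash value -> same Service Processing Module.
    # SHA-256 is an assumption; the page does not name the hash function.
    key = f"{ft.src_ip}|{ft.dst_ip}|{ft.src_port}|{ft.dst_port}|{ft.proto}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % n_modules

class ServiceProcessingModule:
    def __init__(self, spm_id: str):
        self.spm_id = spm_id          # the module's "mark"
        self.sessions = {}            # session identification -> session data structure

    @property
    def load(self) -> int:
        return len(self.sessions)     # constructed load metric: active sessions

    def first_packet(self, ft: FiveTuple, in_iface: str) -> dict:
        # Create the session data structure; reply (session id -> SPM mark) to the diverter.
        session_id = (ft, ft.reverse())
        self.sessions[session_id] = {
            "five_tuple": ft, "reverse_five_tuple": ft.reverse(),
            "in_interface": in_iface, "spm_id": self.spm_id,
        }
        return {"session_id": session_id, "spm_id": self.spm_id}

    def sync_to(self, other: "ServiceProcessingModule") -> dict:
        # Before upgrading: copy data structures to another SPM; return the amendment notice.
        other.sessions.update(self.sessions)
        return {"old_spm": self.spm_id, "new_spm": other.spm_id}

class DiverterModule:
    def __init__(self, diverter_id: str, spms: list, strategy: str = "hash"):
        self.diverter_id = diverter_id
        self.spms = spms
        self.strategy = strategy      # "hash" (fixed mapping) or "load"
        self.shunting_table = {}      # FiveTuple -> SPM mark

    def _select(self, ft: FiveTuple) -> ServiceProcessingModule:
        if self.strategy == "load":
            return min(self.spms, key=lambda s: s.load)   # lowest-load SPM
        return self.spms[five_tuple_hash(ft, len(self.spms))]

    def forward(self, ft: FiveTuple, in_iface: str = "eth0") -> str:
        # Returns the mark of the SPM this packet is diverted to.
        spm_id = self.shunting_table.get(ft)
        if spm_id is not None:
            return spm_id             # follow-up packet: shunting table hit
        reply = self._select(ft).first_packet(ft, in_iface)
        for t in reply["session_id"]:  # record both directions of the session
            self.shunting_table[t] = reply["spm_id"]
        return reply["spm_id"]

    def apply_amendment(self, notice: dict) -> int:
        # Rewrite every entry carrying the old mark to the new mark.
        changed = 0
        for t, spm_id in self.shunting_table.items():
            if spm_id == notice["old_spm"]:
                self.shunting_table[t] = notice["new_spm"]
                changed += 1
        return changed

    def sync_to(self, other: "DiverterModule") -> None:
        # Before upgrading: hand the shunting table to another diverter.
        other.shunting_table.update(self.shunting_table)

def demo() -> dict:
    spms = [ServiceProcessingModule(i) for i in ("32a", "32b", "32c")]
    d34a, d34b = DiverterModule("34a", spms), DiverterModule("34b", spms)
    flow = FiveTuple("10.0.0.5", "192.0.2.10", 40000, 443, 6)   # constructed flow
    first = d34a.forward(flow)                 # first packet: fixed mapping
    reverse = d34a.forward(flow.reverse())     # reply packet: table hit
    # The SPM holding the session upgrades: migrate, notify, rewrite the table.
    old = next(s for s in spms if s.spm_id == first)
    new = next(s for s in spms if s.spm_id != first)
    changed = d34a.apply_amendment(old.sync_to(new))
    after = d34a.forward(flow)
    # Diverter 34a upgrades: 34b takes over with the synchronized table.
    d34a.sync_to(d34b)
    return {"first": first, "reverse": reverse, "new": new.spm_id,
            "changed": changed, "after": after, "via_34b": d34b.forward(flow),
            "migrated": (flow, flow.reverse()) in new.sessions}
```

Calling `demo()` walks one session through first-packet selection, the reverse-direction table hit, the Service Processing Module migration and the diverter hand-over, returning the mark chosen at each stage.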
The preferred implementations above describe in detail the upgrade of the diverter module and of the Service Processing Module; the upgrade of the main control modules is introduced below through a preferred implementation. The two main control modules stand in a main/standby relationship; suppose the first main control module 30a is the main control module in the main state and the second main control module 30b is the one in the standby state (the main/standby relationship between the two is of course not limited to this). The configuration and state information on the first main control module 30a can be synchronized to the second main control module 30b at any time. The upgrade is performed first on the second main control module 30b, which is in the standby state, while the first main control module 30a continues to control the modules of the system; after the upgrade of the second main control module 30b finishes, the main/standby relationship of the two main control modules is switched, and the upgrade is then performed on the first main control module 30a, which is now in the standby state. In this way the preferred implementation completes the upgrade of both main control modules without interrupting service, which improves the service processing capability of the system.
In the firewall system above, the scheme of migrating service between modules of the same kind and upgrading the modules in turn achieves a smooth upgrade of the system software. The system can carry out business expansion and can be upgraded without interrupting service. This embodiment can also be realized in a chassis-based system, for example by building a chassis-based firewall system with 16 slots: two main control board slots, two switch board slots and 12 universal slots, into which I/O boards, service processing boards and diverter boards can be inserted. The main control board corresponds to the main control module of the embodiment above, the switch board to the Switching Module, the I/O board to the I/O module, the service processing board to the Service Processing Module and the diverter board to the diverter module. The numbers of I/O boards, service processing boards and diverter boards can be configured flexibly according to the needs of network processing. The system can be configured with two main control boards, two or more service processing boards and two or more diverter boards, and it can achieve smooth software upgrade: upgrading the software does not require restarting the whole system, and service processing is unaffected.
Corresponding to the firewall system of the embodiment above, the present embodiment provides a data processing method based on that firewall system. The firewall system can be made up of main control modules, service processing modules, diverter modules, a switching module and I/O ports. The packet flow through the system is as shown in Figure 5. First, a packet enters an I/O port of the firewall system; the I/O port sends the packet to the switching module, which forwards it to a diverter module. Then the diverter module, following the distribution rule that packets of the same session are sent to the same service processing module, forwards the packet through the switching module to the corresponding service processing module. That service processing module processes the packet and forwards the processed packet through the switching module to an I/O port. Finally, the I/O port outputs the packet from the firewall system. The system of the present embodiment is described by way of example as comprising two main control modules, several service processing modules, several diverter modules, several I/O ports and one Switch (switching) module. Figure 6 is a flow chart of the data processing method based on the firewall system according to the embodiment of the present invention. As shown in Figure 6, the method comprises the following steps (step S602 to step S606):
Step S602: after each I/O module among the multiple I/O modules receives a packet, it sends the packet to the diverter module bound to it. A packet arriving from an I/O port first has to be handed to a diverter module for processing. At system initialization the I/O ports and the diverter modules are bound, so that all packets arriving from a given I/O port are handed to the pre-assigned diverter module; this binding relationship can also be changed at run time.
Step S604: after each diverter module among the multiple diverter modules receives the packet, it forwards the packet to the corresponding service processing module according to the distribution rule that packets of the same session are sent to the same service processing module.
Step S606: after each service processing module receives the packet, it processes the packet and, when processing is finished, outputs the packet through one of the multiple I/O modules.
The processing performed by the service processing module includes determining the outgoing interface. If the received packet is a Layer 3 packet, the outgoing interface is found by a route lookup; if it is a Layer 2 packet, the outgoing interface is determined from the destination MAC (Media Access Control) address. The I/O module on which the outgoing interface resides is the I/O module selected for output. Which I/O module specifically completes the output of the packet can be implemented with reference to the related art and is not described in detail here.
By the method above, the multiple I/O modules of the firewall system are bound to the multiple diverter modules; each I/O module sends the packets it receives to the diverter module bound to it; each diverter module, on receiving a packet, sends the packets of the same session to the same service processing module; and each service processing module outputs each packet through an I/O module after processing it. This solves the problem in the related art that the system cannot be expanded for more service capacity: the system has multiple service processing modules whose number can be configured as required, so the system supports service expansion and the performance of the firewall system is improved.
After receiving a packet sent by an I/O module, each diverter module sends the packet to the same service processing module according to the distribution rule that packets of the same session are sent to the same service processing module. For how a diverter module chooses the service processing module after receiving the first packet of a session, the present embodiment provides two preferred implementations; the present invention is, of course, not limited to these two. The two preferred implementations are described below.
In the first implementation, after the diverter module receives the first packet of a session, it determines the load condition of the multiple service processing modules, selects the service processing module for the first packet according to the determined load condition, and finally forwards the first packet to the selected service processing module. This selection is based on the load of the service processing modules; generally the diverter module selects a service processing module with lower load to carry the packets of the session.
In the second implementation, after the diverter module receives the first packet of a session, it performs a mapping according to the information carried in the header of the first packet, determines the service processing module for the first packet according to the result of the mapping, and finally forwards the first packet to the determined service processing module. For example, a fixed mapping can be used: the hash value (hash, also written HASH) of the 5-tuple of the IP packet (source IP address, destination IP address, source port, destination port and protocol number) is computed, packets with the same hash value are assigned to the same service processing unit, and in this way the mapping relationship between the first packet and a service processing module is established, so that the diverter module selects a service processing module when it receives the first packet. Both preferred implementations make it quick and simple for the diverter module to select a suitable service processing module when it receives the first packet of a session.
After the service processing module receives the first packet sent by the diverter module, it can record the session so as to receive and process the subsequent packets conveniently. To this end, in a preferred implementation of the present embodiment, on receiving the first packet sent by the diverter module, the service processing module creates a data structure for the session according to the first packet and then replies to the diverter module with a response message carrying the correspondence between the session identifier and the identifier of the service processing module. The diverter module stores this correspondence, so that when it receives a subsequent packet of the session it can forward the packet to that service processing module according to the stored correspondence. With this preferred implementation the service processing module can conveniently and effectively record and manage the subsequent packets sent by the diverter module, and the diverter module can forward the subsequent packets to the corresponding service processing module according to the recorded correspondence. The data structure created in the present embodiment can include some or all of the following parameters: the 5-tuple of the packet, the incoming interface of the packet, the source MAC address of the packet, the ID of the security policy matched by the 5-tuple of the packet, the outgoing interface of the packet, the next-hop MAC address of the packet, the 5-tuple of the reverse packet, and the ID of the service processing module that processes the packets of this session. The session identifier can be, for example, the 5-tuple carried in the packet together with the 5-tuple of the reverse packet.
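The first-packet selection and the session-binding handshake described above, as an added example written for this page in Python (not code from the patent): it implements the load-based and the 5-tuple-hash selection strategies, the service processing module's creation of a session data structure and its response carrying (session identifier, module identifier), and the diverter's stored correspondence that routes the subsequent packets. The direction-independent session key, under which a 5-tuple and its reverse 5-tuple select the same module, is an assumption added here so that both directions of a session reach the same module, which stateful inspection requires; the class and field names are likewise illustrative.

```python
"""Diverter module: first-packet selection and session binding (illustrative example)."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class FiveTuple:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int  # IP protocol number, e.g. 6 = TCP, 17 = UDP

    def reverse(self) -> "FiveTuple":
        return FiveTuple(self.dst_ip, self.src_ip, self.dst_port, self.src_port, self.proto)


def session_key(t: FiveTuple) -> tuple:
    """Session identifier covering the packet's 5-tuple and the reverse 5-tuple
    (assumption): the smaller of the two orientations is used, so packets of
    either direction of one session yield the same key."""
    forward = (t.src_ip, t.src_port, t.dst_ip, t.dst_port, t.proto)
    backward = (t.dst_ip, t.dst_port, t.src_ip, t.src_port, t.proto)
    return min(forward, backward)


class ServiceProcessingModule:
    def __init__(self, spm_id: int):
        self.spm_id = spm_id
        self.sessions: dict = {}  # session key -> session data structure

    @property
    def load(self) -> int:
        return len(self.sessions)

    def accept_first_packet(self, key: tuple, pkt: FiveTuple) -> tuple:
        """Create the session data structure and return the response message
        (session identifier, module identifier) that the diverter will store."""
        self.sessions[key] = {"five_tuple": pkt, "reverse": pkt.reverse(), "packets": 1}
        return key, self.spm_id

    def process(self, key: tuple) -> None:
        self.sessions[key]["packets"] += 1


class Diverter:
    def __init__(self, spms, strategy: str = "hash"):
        self.spms = {s.spm_id: s for s in spms}
        self.strategy = strategy
        self.table: dict = {}  # session identifier -> module identifier

    def _select(self, key: tuple) -> ServiceProcessingModule:
        if self.strategy == "load":
            # First implementation: least-loaded module (ties go to the lowest id).
            return min(self.spms.values(), key=lambda s: s.load)
        # Second implementation: fixed mapping by hashing the header-derived key.
        digest = hashlib.sha256(repr(key).encode()).digest()
        ids = sorted(self.spms)
        return self.spms[ids[int.from_bytes(digest[:4], "big") % len(ids)]]

    def dispatch(self, pkt: FiveTuple) -> int:
        """Forward one packet; returns the id of the module that received it."""
        key = session_key(pkt)
        spm_id = self.table.get(key)
        if spm_id is None:  # first packet of the session
            spm = self._select(key)
            sid, spm_id = spm.accept_first_packet(key, pkt)
            self.table[sid] = spm_id  # store the correspondence from the response
        else:  # subsequent packet: follow the stored correspondence
            self.spms[spm_id].process(key)
        return spm_id


def demo() -> tuple:
    """Constructed sample flow: TCP 10.0.0.1:40000 -> 192.0.2.10:443 and its reply."""
    spms = [ServiceProcessingModule(i) for i in range(3)]
    div = Diverter(spms, strategy="hash")
    syn = FiveTuple("10.0.0.1", "192.0.2.10", 40000, 443, 6)
    first = div.dispatch(syn)
    reply = div.dispatch(syn.reverse())
    return first, reply, len(div.table), spms[first].sessions[session_key(syn)]["packets"]
```

Because the hash mapping depends only on the packet header, every diverter computes the same module for a given session, which is what lets a diverter's table be rebuilt or synchronized to another diverter without the service processing modules noticing. The load-based strategy has no such property: there the stored correspondence is the only record of where a session lives, so it must be preserved across any diverter change.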
The firewall system of the embodiment above and its preferred implementations can meet the requirement of service expansion, and data processing inside the system can be carried out in a more planned and purposeful way. Firewall systems of the prior art also face the problem that service has to be interrupted when they are upgraded. The present embodiment therefore provides a preferred implementation: after receiving an upgrade instruction, a diverter module synchronizes its stored correspondences to another diverter module among the multiple diverter modules and then upgrades itself according to the upgrade instruction. After the switching module receives a system configuration instruction, it modifies the binding relationship between the multiple I/O modules and the multiple diverter modules according to that instruction and forwards the subsequent packets of the sessions according to the modified binding. The other diverter module, having stored the correspondences synchronized from the upgrading diverter module, forwards the subsequent packets of those sessions handed to it by the switching module to the service processing modules according to the stored correspondences.
Suppose the system has multiple diverter modules, two of which are called A and B, and that diverter module A is now to be upgraded. First, the distribution table on diverter module A is synchronized to diverter module B; thereafter diverter module B forwards packets according to the synchronized correspondences. After the synchronization is complete, the configuration of the switching module is changed so that all traffic from the I/O ports originally bound to diverter module A is forwarded to diverter module B for processing. Diverter module A then no longer receives service packets and can be upgraded without affecting service processing. After diverter module A has been upgraded, diverter module B is upgraded by a similar process. Of course, when a diverter module is to be upgraded, the diverter module chosen to receive its synchronized correspondences is not limited to any particular one; it can be any diverter module other than itself.
This preferred implementation guarantees that the transmission of packets is not interrupted while a diverter module is being upgraded. With it the firewall system can upgrade its diverter modules without interrupting service, which improves the reliability of the service processing of the firewall system.
Having described the upgrade of the diverter module, the upgrade process of the service processing module is described below. The present embodiment provides another preferred implementation, whose process is as follows. After a service processing module receives an upgrade instruction, it synchronizes the data structures it has created to another service processing module among the multiple service processing modules and sends a correspondence modification notice to the diverter modules; the notice carries the identifier of the service processing module itself and the identifier of the other service processing module, and these two identifiers indicate which service processing module is being switched to which. The service processing module then upgrades according to the upgrade instruction. After the service has been migrated in this way, the module being upgraded can be restarted and then load the new software version. According to the modification notice sent by the service processing module, a diverter module replaces, in its stored correspondences, every identifier equal to the identifier of that service processing module with the identifier of the other service processing module given in the notice, and forwards the subsequent packets of the sessions to the other service processing module according to the modified correspondences. The other service processing module stores the data structures synchronized from the upgrading service processing module and processes the subsequent packets of those sessions according to the stored data structures.
Suppose the firewall system has multiple service processing modules, two of which are called A and B, and that service processing module A is now to be upgraded. First, the session information on service processing module A is synchronized to service processing module B. After the synchronization is complete, the diverter modules are notified to forward all traffic that was originally forwarded to service processing module A to service processing module B instead. Service processing module A then no longer receives service packets and can be upgraded; after the upgrade of service processing module A is complete, the other service processing modules are upgraded by a similar method. Of course, when a service processing module is to be upgraded, the service processing module chosen to receive its synchronized data structures is not limited to any particular one; it can be any service processing module other than itself.
This preferred implementation guarantees that the transmission of packets is not interrupted while a service processing module is being upgraded. With it the firewall system can upgrade its service processing modules without interrupting service, which improves the reliability of the service processing of the firewall system.
The preferred implementations above have described in detail the upgrade procedures of the diverter module and of the service processing module. The upgrade procedure of the main control module is introduced below by way of a preferred implementation. The two main control modules of the firewall system operate in active/standby logic, and the configuration and state information of the active module can be synchronized to the standby module at any time. When the system is upgraded, the main control module in the standby state is upgraded first; after it has been upgraded, the active/standby roles are switched, and the main control module that is then in the standby state is upgraded. This implementation completes the upgrade of both main control modules without interrupting service and improves the service processing capability of the system.
The implementation process of the embodiment above is elaborated below in conjunction with the preferred embodiments and the drawings.
Embodiment one
Figure 7 is a flow chart of the data processing method based on the firewall system according to embodiment one of the present invention. The firewall system can be made up of main control modules, service processing modules, diverter modules, a Switch (switching) module and I/O ports. The main control module is responsible for the control plane processing of the system, and the two main control modules form an active/standby redundant pair; the service processing module is responsible for firewall service processing; the diverter module is responsible for delivering packets to the service processing modules; the switching module interconnects the modules, and the service data and control data exchanged between modules are all forwarded by the switching module. As shown in Figure 7, the method comprises the following steps (step S702 to step S724):
Step S702: the system upgrades the main control module in the standby state.
Step S704: after the main control module in the standby state has been upgraded, the two main control modules perform an active/standby switchover.
Step S706: the main control module now in the standby state (that is, the main control module that was originally active) is upgraded.
Step S708: all service processing modules are placed in a queue; the service processing module at the head of the queue is selected as the first to be upgraded, and the next service processing module in the queue serves as its backup module. The selection method is not limited to this; the present embodiment merely uses it as an illustration.
Step S710: the selected service processing module is upgraded.
Step S712: determine whether all service processing modules have been upgraded. If all service processing modules have been upgraded, perform step S714; if not all service processing modules have been upgraded, perform step S716.
Step S714: all diverter modules are placed in a queue; the diverter module at the head of the queue is selected as the first to be upgraded, and the next diverter module in the queue serves as its backup module. The selection method is not limited to this; the present embodiment merely uses it as an illustration. Then perform step S718.
Step S716: select the next module in the queue as the module to be upgraded, then perform step S710.
Step S718: the selected diverter module is upgraded.
Step S720: determine whether all diverter modules have been upgraded. If all diverter modules have been upgraded, perform step S724; if not all diverter modules have been upgraded, perform step S722.
Step S722: select the next module in the queue as the module to be upgraded, then perform step S718.
Step S724: the system upgrade is complete.
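The diverter and service processing module migrations described earlier (synchronize, rebind or notify, then upgrade), the active/standby upgrade of the main control modules, and the upgrade sequence of embodiment one (steps S702 to S724), as one added example written for this page in Python; it is not the patent's code. The Firewall class, the module names, the I/O-port-to-diverter dict standing in for the switching module's configuration, and the simplified data path (least-load selection on the first packet, no switching module modelled between the modules) are assumptions of the example. The `demo` function opens three sessions, runs the full upgrade, and then sends a further packet of each session to show that no session state is lost.

```python
"""In-service upgrade simulation: per-module migration and the S702-S724 sequence."""
from dataclasses import dataclass, field


@dataclass
class ServiceProcessingModule:
    name: str
    version: int = 1
    sessions: dict = field(default_factory=dict)  # session id -> session data structure


@dataclass
class Diverter:
    name: str
    version: int = 1
    table: dict = field(default_factory=dict)  # session id -> SPM name (stored correspondence)


class Firewall:
    def __init__(self, spm_names, div_names, binding):
        self.mcm = {"MCM0": "active", "MCM1": "standby"}  # role of each main control module
        self.mcm_version = {"MCM0": 1, "MCM1": 1}
        self.spms = {n: ServiceProcessingModule(n) for n in spm_names}
        self.divs = {n: Diverter(n) for n in div_names}
        self.binding = dict(binding)  # switching module configuration: I/O port -> diverter

    def forward(self, io_port: str, session_id: str) -> str:
        """Data path (S602-S606, simplified): I/O port -> bound diverter -> SPM.
        Returns the SPM that processed the packet; raises if its state is gone."""
        div = self.divs[self.binding[io_port]]
        spm_name = div.table.get(session_id)
        if spm_name is None:  # first packet: least-loaded SPM; diverter stores the response
            spm_name = min(self.spms, key=lambda n: len(self.spms[n].sessions))
            self.spms[spm_name].sessions[session_id] = {"packets": 0}
            div.table[session_id] = spm_name
        spm = self.spms[spm_name]
        if session_id not in spm.sessions:
            raise RuntimeError(f"{spm_name} holds no state for session {session_id}")
        spm.sessions[session_id]["packets"] += 1
        return spm_name

    def upgrade_diverter(self, a: str, b: str, new_version: int) -> None:
        """Sync A's table to B, rebind A's I/O ports to B, then upgrade A (A returns empty)."""
        self.divs[b].table.update(self.divs[a].table)
        for port, d in self.binding.items():
            if d == a:
                self.binding[port] = b
        self.divs[a].table.clear()
        self.divs[a].version = new_version

    def upgrade_spm(self, a: str, b: str, new_version: int) -> None:
        """Sync A's sessions to B, have every diverter rewrite A -> B, then upgrade A."""
        self.spms[b].sessions.update(self.spms[a].sessions)
        for d in self.divs.values():
            for sid, owner in d.table.items():
                if owner == a:
                    d.table[sid] = b
        self.spms[a].sessions.clear()
        self.spms[a].version = new_version

    def upgrade_mcms(self, new_version: int) -> None:
        """S702-S706: upgrade the standby main control module, switch roles, upgrade the other."""
        standby = next(n for n, r in self.mcm.items() if r == "standby")
        active = next(n for n, r in self.mcm.items() if r == "active")
        self.mcm_version[standby] = new_version
        self.mcm[standby], self.mcm[active] = "active", "standby"
        self.mcm_version[active] = new_version

    def upgrade_system(self, new_version: int) -> None:
        """Embodiment one: main control modules first, then each SPM with the next in
        the queue as its backup (S708-S716), then each diverter likewise (S714-S722)."""
        self.upgrade_mcms(new_version)
        spms = list(self.spms)
        for i, name in enumerate(spms):
            self.upgrade_spm(name, spms[(i + 1) % len(spms)], new_version)
        divs = list(self.divs)
        for i, name in enumerate(divs):
            self.upgrade_diverter(name, divs[(i + 1) % len(divs)], new_version)

    def versions(self) -> dict:
        v = dict(self.mcm_version)
        v.update({n: m.version for n, m in self.spms.items()})
        v.update({n: d.version for n, d in self.divs.items()})
        return v


def demo() -> dict:
    """Open three sessions, upgrade everything, then send one more packet per session."""
    fw = Firewall(["SPM0", "SPM1", "SPM2"], ["DIV0", "DIV1"], {"IO0": "DIV0", "IO1": "DIV1"})
    flows = [("IO0", "s1"), ("IO1", "s2"), ("IO0", "s3")]  # constructed sample sessions
    before = {sid: fw.forward(port, sid) for port, sid in flows}
    fw.upgrade_system(2)
    after = {sid: fw.forward(port, sid) for port, sid in flows}
    return {"before": before, "after": after, "versions": fw.versions(), "mcm": dict(fw.mcm),
            "packets": {sid: fw.spms[after[sid]].sessions[sid]["packets"] for _, sid in flows}}
```

The simulation also exposes a side effect of the queue-based backup choice: because each module's backup is the next one in the queue and state is only ever pushed forward, every pre-existing session ends up on the last backup in the chain (SPM0 here) once the pass completes, and the same happens to the diverter tables. A deployment would either rebalance afterwards or rely on the header-hash mapping for new sessions so that load spreads again; the patent leaves the choice of backup module open, so this consolidation is a property of the illustrative queue order, not of the method itself.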
The method of the present embodiment allows the performance of the firewall system to be expanded and the system to be upgraded smoothly without interrupting service; the system thus has the advantages of high reliability and easy performance expansion.
From the description above it can be seen that the solution of the present invention can realize a firewall system whose performance is expandable. Service is transferred between modules of the same kind and the modules are upgraded in turn, which achieves a smooth upgrade; thus the performance of the firewall system can be expanded and the system can be upgraded without interrupting service, improving the reliability of the system's service processing.
Obviously, those skilled in the art should understand that the modules or steps of the present invention described above can be implemented with general-purpose computing devices; they can be concentrated on a single computing device or distributed over a network formed by multiple computing devices. Optionally, they can be implemented with program code executable by a computing device, so that they can be stored in a storage device and executed by a computing device; in some cases the steps shown or described can be performed in an order different from that herein, or they can be made into individual integrated circuit modules, or multiple modules or steps among them can be made into a single integrated circuit module. Thus the present invention is not restricted to any specific combination of hardware and software.
The foregoing is only the preferred embodiments of the present invention and is not intended to limit the present invention; for those skilled in the art, the present invention can have various modifications and variations. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.