
Method and device for realizing transparent proxy of media access control layer

Info

Publication number
CN102761534A
Authority
CN
Grant status
Application
Patent type
Prior art keywords
station
destination
frame
source
layer
Prior art date
Application number
CN 201110119721
Other languages
Chinese (zh)
Other versions
CN102761534B (en)
Inventor
冯景辉
Original Assignee
北京瑞星信息技术有限公司
Priority date
Filing date
Publication date


Abstract

The invention provides a method and a device for implementing a media access control (MAC) layer transparent proxy. After the application layer data contained in a first frame, sent from a source station to a destination station and intercepted by a first network card in a gateway that can communicate with the source station, has been processed, the source MAC address information in the header of a second frame, which is to be sent to the destination station in response to the first frame and contains the processed application layer data, is modified to the MAC address of the source station. The send function of a second network card in the gateway that can communicate with the destination station is then called, and the second frame is sent to the destination station.

Description

Method and apparatus for implementing a media access control layer transparent proxy

Technical Field

[0001] The present invention relates generally to the field of information processing and, more particularly, to a method and apparatus for implementing a media access control (MAC) layer transparent proxy.

Background

[0002] Gateway-based content filtering devices (for example, firewalls) are usually implemented in one of two ways: as a filtering type or as a proxy type. With a filtering gateway, data transmitted over the network is intercepted by the gateway device as it passes through, and its content is analyzed. With a proxy gateway, a client that communicates with a server first communicates with the gateway proxy, and the gateway proxy in turn communicates with the real server; in this process the gateway proxy can cache the data content.

[0003] More specifically, in a proxy gateway that implements transparent transmission, the communication between the client and the server is proxied by the gateway device in the middle. The client believes it is communicating directly with the server, but it is actually communicating with the gateway device, and the gateway device then communicates with the server under the client's identity. Moreover, the proxy gateway can assume the server's identity to change the behaviour and details of the communication with the client, and it can choose to return to the client only the safe data from its communication with the server.

[0004] In this transparent transmission model, as noted above, the gateway device communicates with the server under the client's identity. In the usual proxy model, the client's identity is identified by the client's Internet Protocol (IP) address. For example, the gateway device uses the client's IP address to communicate with the server and transfer data; specifically, as a transparent proxy, the gateway device ensures that the source IP address information of packets sent to the server is the same as the IP address of the real client. In the typical seven-layer network protocol architecture, IP is at the network layer (that is, layer 3), so the usual proxy model achieves layer-3 transparency.

Summary

[0005] According to one embodiment of the present invention, a method for implementing a MAC layer transparent proxy is disclosed. The method comprises: after the application layer data contained in a first frame, sent from a source station to a destination station and intercepted by a first network card in a gateway that can communicate with the source station, has been processed, modifying the source MAC address information in the header of a second frame, which is to be sent to the destination station in response to the first frame and contains the processed application layer data, to the MAC address of the source station; and sending the second frame to the destination station by calling the send function of a second network card in the gateway that can communicate with the destination station.

[0006] According to another embodiment of the present invention, an apparatus for implementing a MAC layer transparent proxy is disclosed. The apparatus comprises: a modification module configured to, after the application layer data contained in a first frame, sent from a source station to a destination station and intercepted by a first network card in a gateway that can communicate with the source station, has been processed, modify the source MAC address information in the header of a second frame, which is to be sent to the destination station in response to the first frame and contains the processed application layer data, to the MAC address of the source station; and a sending module configured to send the second frame to the destination station by calling the send function of a second network card in the gateway that can communicate with the destination station.

Brief Description of the Drawings

[0007] Exemplary embodiments of the present invention are described with reference to the following drawings. It should be understood that the drawings are illustrative only and not limiting, and that the same or similar reference numerals in the drawings indicate corresponding or similar elements.

[0008] Figure 1 shows an overview of a system according to an exemplary embodiment of the present invention;

[0009] Figure 2 shows, in more detail, a system according to an exemplary embodiment of the present invention;

[0010] Figure 3 shows a flowchart of a method according to an exemplary embodiment of the present invention; and

[0011] Figure 4 shows a block diagram of an apparatus according to an exemplary embodiment of the present invention.

Detailed Description

[0012] In the following detailed description, numerous specific details are given to provide a thorough understanding of embodiments of the present invention. However, those skilled in the art should understand that these specific details are merely exemplary and not limiting, and that the invention can be practiced without them. Some well-known components, structures and operations are not described in detail in the specification, so as not to unduly obscure the invention.

[0013] References in the specification to phrases such as "one embodiment" or "an embodiment" mean that a particular feature, structure or characteristic described in connection with that embodiment is included in at least one embodiment of the present invention. Thus, appearances of phrases such as "in one embodiment" or "according to one embodiment" in various places in this specification do not necessarily refer to the same embodiment.

[0014] Those skilled in the art will understand that the embodiments described herein may be implemented in hardware, software, firmware, middleware, microcode, or any combination thereof.

[0015] Reference is first made to Figure 1, which shows an overview of a system 100 according to an exemplary embodiment of the present invention.

[0016] In a typical implementation of system 100, client 101 is located in one area of a network (for example, a local area network, not shown), server 102 is located in another area of the same network, and gateway 103 sits between the two areas and acts as a bridge. For simplicity, only a single device is shown for each component of the system, but the invention is not limited to this.

[0017] Client 101 may include any of a variety of processor-based computing devices and has its own unique identity within the network, including but not limited to the client's physical address (that is, its media access control (MAC) address), its IP address, and so on. The client may run one or more of a variety of operating systems, including but not limited to various versions of Linux™, Unix™, Windows™, and so on.

[0018] Similarly, server 102 and gateway 103 may each include any of a variety of processor-based computing devices, and each may run one or more of a variety of operating systems. Server 102 provides various types of services to requesting devices, including client 101. Gateway 103 is in bridge mode and enables communication between client 101 and server 102. In embodiments of the present invention, gateway 102 can also provide application layer proxy services, and its proxy function is also transparent to layer 2 of the seven-layer network protocol architecture (the data link layer, more specifically its MAC sublayer).

[0019] The following takes as an example a source station (for example, client 101) sending data to a destination station (for example, server 102), and describes one communication process that actually takes place between client 101 and server 102 when gateway (or transparent proxy gateway) 103 is present. Those skilled in the art will understand that treating client 101 as the source station and server 102 as the destination station is only an example; the invention is not limited to this.

[0020] Data sent by client 101 is first intercepted by transparent proxy gateway 103, which then sends the data to server 102 under the identity of client 101. Data transfer between client 101 and server 102 is thus carried out through the intermediary transparent proxy gateway 103. From the point of view of client 101, it is communicating directly with server 102, but in fact it is not.

[0021] More specifically, referring to Figure 1, when transparent proxy gateway 103 receives (or intercepts) frame 110 sent by client 101 to server 102 (shown by the arrow on the left of the figure), it can record the MAC layer information contained in the header of frame 110, for example at least the source MAC address information (that is, client 101's own MAC address). The recorded MAC layer information may also include the destination MAC address information of frame 110 (that is, the MAC address of server 202). In addition, depending on actual needs, other information can be recorded. For example, where 802.1Q virtual local area networks (VLANs) are used (in which a 4-byte VLAN tag is inserted into the Ethernet frame format), the VLAN identifier (ID) in the VLAN tag can also be recorded, and so on; the invention is not limited to this.

[0022] After the recording operation is complete, in one embodiment, application layer proxy processing of the application layer data contained in the received frame 110 can begin. Application layer data is data related to the operation of application processes, including but not limited to e-mail, HTTP messages and so on, and it is processed at the application layer of the layered protocol information structure. In transparent proxy gateway 103, application layer proxy processing includes, for example and without limitation, virus scanning and removal, content filtering and so on, as used in the prior art.

[0023] After application layer proxy processing is complete, at an appropriate time, transparent proxy gateway 103 sends frame 111 to server 102 under the identity of client 101 (shown by the arrow on the right of the figure). Frame 111 contains the previously processed application layer data. Note that, according to the present invention, the previously recorded source MAC address information of frame 110 can be used to modify the corresponding information in the header of frame 111, and the modified frame 111 is then sent to server 102. With this processing, the MAC layer information of frame 111 sent by transparent proxy gateway 103 is consistent with that of the original frame 110 sent by client 101, so layer-2 transparency can be achieved.

[0024] By contrast, on existing transparent proxy gateways running, for example, a Linux system, the initiator's IP address and port can be modified by calling system APIs (so that packets forwarded from the gateway to the target server appear to have been sent directly by the original client, which achieves layer-3 transparency as described above), but the source MAC address cannot be modified. In that case, for example, layer-2 filtering devices located between the gateway device and the server may be entirely unable to see the real client MAC address, so that a range of issues such as the corresponding control and admission policies cannot be resolved. Such a proxy implementation is therefore not truly transparent: it modifies some of the client's identity information in the course of proxying the data transfer.

[0025] As noted above, the design of the present invention achieves layer-2 transparency, which facilitates the user's network deployment and improves the user experience.

[0026] Figure 2 shows, in more detail, a system 200 according to an exemplary embodiment of the present invention. In what follows, the description of units identical to those in Figure 1 (for example, client 201, server 202 and so on) is omitted, and the gateway (or transparent proxy) 203 of the present invention is described in detail.

[0027] As shown, according to one embodiment of the present invention, transparent proxy gateway 203 may include recording logic 204, application layer proxy 205, and virtual network card (VIF) 206. As a gateway in bridge mode, it typically has multiple interfaces (that is, network cards) for communicating with their respective target stations. For ease of description, Figure 2 shows only two interfaces for transparent proxy gateway 203: network card 207, which can communicate with client 201, and network card 208, which can communicate with server 202.

[0028] As is known to those skilled in the art, a gateway device usually maintains a forwarding table (not shown) whose entries (if any) indicate the correspondence between a target station (identified by its MAC address) and an interface of the gateway; for example, client 201 corresponds to network card 207, server 202 corresponds to network card 208, and so on. When transparent proxy gateway 203 (more specifically, for example, network card 207) intercepts a frame (for example, frame 210) sent from client 201 as the source station to server 202 as the destination station, it determines that the gateway can communicate with server 202, for example by searching the forwarding table and finding that network card 208, corresponding to server 202, exists.

[0029] In Figure 2, recording logic 204 records information about frame 210, which is sent from client 201 to server 202 and intercepted by network card 207. In one exemplary embodiment of the present invention, the information includes at least the source (that is, client 201) MAC address of frame 210, which can be obtained from the header of the frame. The information may also include, without limitation: the destination (that is, server 202) MAC address of frame 210, which can also be obtained from the header of the frame; the interface belonging to gateway 203 that corresponds to that destination MAC address (that is, network card 208), which can be obtained from the forwarding table; and so on. These items can be stored in association with one another for ease of use.

[0030] As a non-limiting example, in a Linux-based transparent proxy gateway, connection tracking can be used to let the kernel track and record all logical network connections or sessions. In one example implementation of the present invention, the data structure maintained for each connection (identified, for example, by IP address and port) can be extended to store more information. For example, recording logic 204 can record the required information (for example, the source and destination MAC addresses of frame 210 and so on) in association in the extended structure, for use by subsequent processing.

[0031] Through the network protocol stack, the previously received frame 210 has its headers stripped layer by layer and is passed to higher layers, and finally the application layer data it contains is passed to application layer proxy 206 for conventional application layer proxy processing, including but not limited to virus scanning and removal, content filtering and so on. The main improvement of the present invention does not lie here, so further description is omitted.

[0032] Continuing with Figure 2, in one exemplary embodiment of the present invention, for frame 211, which transparent proxy gateway 203 sends to server 102 under the identity of client 101 in response to the received frame 210, VIF 206 makes it possible to restore the source MAC address in that frame.

[0033] Virtual network card VIF 206 can be implemented in the form of a network card driver. After the driver is loaded in the operating system and the network card is thereby registered, the operating system recognizes VIF 206 as an ordinary network card. According to an exemplary embodiment of the present invention, VIF 206 can modify the routing policy (for example, the routing table) of transparent proxy gateway 203 so that all data that has been processed by application layer proxy 205 and needs to be sent out transparently (for example, to server 202) is routed to VIF 206 for transmission.

[0034] VIF 206 has the ability to modify the source MAC address of frame 211, which corresponds to frame 210. According to one embodiment of the present invention, for example, VIF 206 can refer to the corresponding content in the information about frame 210 previously recorded by recording logic 204 (in the extended connection tracking) as the MAC address of client 201; then modify the source MAC address information in the header of frame 211 to the recorded source MAC address (that is, the MAC address of client 201); and then directly call the send function of network card 208 to send the modified frame 211 to server 202.

[0035] Thus, in frame 211, which transparent proxy gateway 203 sends to server 202 under the identity of client 201, the source MAC address information is guaranteed to be the same as client 201's own MAC address, which achieves layer-2 (MAC layer) transparency.

[0036] In one embodiment of the present invention, for example, the previously recorded information can be used, with reference to the gateway's forwarding table, to determine that the frame is to be sent through network card 208.

[0037] Here, VIF 206 directly calls the send function of the physical network card (for example, network card 208). This avoids the framing process that the network protocol stack would perform for that physical network card, and so ensures that the source MAC address of the frame sent through the physical network card remains the modified source MAC address (that is, the MAC address of client 201).

[0038] Those skilled in the art will understand that the functions of the components described above can also be combined with one another; for example, recording logic 204 and VIF 205 can be implemented in a single component.

[0039] In addition, considering the case of 802.1Q VLANs, according to one embodiment of the present invention, recording logic 204 can additionally record the VLAN ID of the received frame (for example, frame 210), for example in association with the frame's MAC address and other information in the extended connection tracking structure. Correspondingly, VIF 206 can use the recorded VLAN ID to change the VLAN ID of the frame to be sent to server 202 (for example, frame 211), so that layer-2 transparent proxying can also be achieved for VLANs.
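The record and restore steps of paragraphs [0029], [0034] and [0039], as an added C example that is not part of the patent: it works only on in-memory Ethernet headers and shows where the source MAC and the 802.1Q VLAN ID sit in the frame. The `l2_record` structure, the function names and the sample frames are assumptions made for illustration, and rejecting a tagged/untagged mismatch is a choice of this example rather than something the patent specifies.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAC_LEN      6
#define ETH_HDR_LEN  14      /* dst(6) + src(6) + EtherType(2) */
#define VLAN_TAG_LEN 4       /* TPID(2) + TCI(2), inserted after the source MAC */
#define TPID_8021Q   0x8100

/* Hypothetical per-connection record, standing in for the extended
 * connection-tracking entry described in the text. */
struct l2_record {
    uint8_t  src_mac[MAC_LEN];
    uint8_t  dst_mac[MAC_LEN];
    int      has_vlan;
    uint16_t vlan_id;        /* 12-bit VID taken from the TCI */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Record step: copy L2 identity out of the intercepted frame.
 * Returns 0 on success, -1 if the header is truncated. */
int l2_record_frame(const uint8_t *frame, size_t len, struct l2_record *rec)
{
    if (!frame || !rec || len < ETH_HDR_LEN)
        return -1;
    memcpy(rec->dst_mac, frame, MAC_LEN);
    memcpy(rec->src_mac, frame + MAC_LEN, MAC_LEN);
    rec->has_vlan = 0;
    rec->vlan_id = 0;
    if (rd16(frame + 12) == TPID_8021Q) {
        if (len < ETH_HDR_LEN + VLAN_TAG_LEN)
            return -1;
        rec->has_vlan = 1;
        rec->vlan_id = rd16(frame + 14) & 0x0FFF;   /* drop PCP/DEI bits */
    }
    return 0;
}

/* Modify step: overwrite the outgoing frame's source MAC (and VID, if
 * tagged) with the recorded values, in place. Returns 0 on success. */
int l2_restore_source(uint8_t *frame, size_t len, const struct l2_record *rec)
{
    if (!frame || !rec || len < ETH_HDR_LEN)
        return -1;
    int tagged = (rd16(frame + 12) == TPID_8021Q);
    if (tagged && len < ETH_HDR_LEN + VLAN_TAG_LEN)
        return -1;
    if (tagged != rec->has_vlan)     /* example's choice: never guess a tag */
        return -1;
    memcpy(frame + MAC_LEN, rec->src_mac, MAC_LEN);
    if (tagged) {
        uint16_t tci = rd16(frame + 14);
        wr16(frame + 14, (uint16_t)((tci & 0xF000) | rec->vlan_id));
    }
    return 0;
}

/* Constructed sample headers (locally administered MACs, not real hosts).
 * frame_in: first frame from the client, VLAN 100, priority 5. */
static const uint8_t frame_in[] = {
    0x02, 0x00, 0x00, 0x00, 0x00, 0x02,   /* dst: server */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,   /* src: client */
    0x81, 0x00, 0xA0, 0x64,               /* TPID, TCI (PCP=5, VID=100) */
    0x08, 0x00                            /* EtherType: IPv4 */
};
/* frame_out: second frame as first built on the gateway, carrying the
 * gateway's own MAC and VID 1 before the restore step. */
static uint8_t frame_out[] = {
    0x02, 0x00, 0x00, 0x00, 0x00, 0x02,
    0x02, 0x00, 0x00, 0x00, 0x00, 0xFE,
    0x81, 0x00, 0x00, 0x01,
    0x08, 0x00
};

/* Returns 0 when the restored frame carries the client's source MAC. */
int demo_roundtrip(void)
{
    struct l2_record rec;
    if (l2_record_frame(frame_in, sizeof frame_in, &rec) != 0)
        return -1;
    if (l2_restore_source(frame_out, sizeof frame_out, &rec) != 0)
        return -1;
    return memcmp(frame_out + MAC_LEN, frame_in + MAC_LEN, MAC_LEN) == 0 ? 0 : 1;
}

/* A 13-byte buffer cannot hold an Ethernet header and must be rejected. */
int demo_rejects_truncated(void)
{
    struct l2_record rec;
    return l2_record_frame(frame_in, 13, &rec);
}

int main(void)
{
    printf("roundtrip=%d truncated=%d vid=%u\n", demo_roundtrip(),
           demo_rejects_truncated(), (unsigned)(rd16(frame_out + 14) & 0x0FFF));
    return 0;
}
```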

[0040] Furthermore, using the design idea of the present invention, those skilled in the art will understand that for data sent from server 202 to client 201 (where server 202 can be regarded as the source station and client 201 as the destination station), transparent proxy gateway 203 can perform similar processing, so that to client 201 it appears that the real server 202 is communicating with it directly, while in fact the intermediary transparent proxy gateway 203 is communicating with it under the identity of server 202.

[0041] Further, consider the case where a connection (or session) must be established by a handshake before data is transferred (for example, when the Transmission Control Protocol (TCP) is used). According to an exemplary embodiment of the present invention, in this case, when client 201 first sends a connection establishment request to server 202, the corresponding request frame is intercepted by network card 207 of transparent proxy gateway 203. Gateway 203 confirms that it can communicate with server 202, here for example through network card 208 (otherwise, gateway 203 may choose to broadcast the request frame directly through the gateway's network cards other than network card 207, as bridging devices in the prior art do). Recording logic 204 can then record information about the request frame, for example the source MAC address in the header of the frame as the MAC address of client 201, the destination MAC address in the header of the frame as the MAC address of server 202, and so on; the invention is not limited to this.

[0042] According to an exemplary embodiment of the present invention, after such information has been recorded, and in accordance with the handshake protocol, for the response frame that transparent proxy gateway 203 sends to client 201 under the identity of server 202 in response to the request frame, VIF 206 can modify the source MAC address information in the header of the response frame to the recorded MAC address of server 202, and send the modified response frame to client 201 by directly calling the send function of network card 207. Those skilled in the art will understand that client 201 will then send a further acknowledgment frame in response to receiving the response frame, as in the prior art. Through this handshake, a connection is established between client 201 and transparent proxy gateway 203 (although to client 201 it appears that it has established a connection directly with server 202). In addition, at an appropriate later time, transparent proxy gateway 203 establishes a connection with server 202 under the identity of client 201 (more specifically, the client's MAC address) in a similar manner, which is not described in detail here.

[0043] Data transfer between client 201 and server 202 (for example, frame 210) takes place over the connections established in this way. Using the previously recorded information, VIF 206 can modify the source MAC address information in the header of frame 211, which corresponds to frame 210 and is to be sent to server 202, to the recorded MAC address of client 201, and so achieve layer-2 transparency as described above.

[0044] Referring now to Figure 3, a flowchart of a method 300 according to an exemplary embodiment of the present invention is shown. Method 300 can be implemented in a gateway that has application layer proxy functionality (for example, transparent proxy gateway 103, 203).

[0045] As shown, the process begins at step S301, in which the application layer data contained in a first frame, sent from a source station to a destination station and intercepted by a first network card in the gateway, is processed. With reference to the example given in connection with Figure 2, frame 210, sent from client 201 to server 202, is intercepted by transparent proxy gateway 203 (more specifically, by its network card 207, which can communicate with client 201) and contains application layer data, for example and without limitation e-mail, HTTP messages and so on. In gateway 203, which has application layer proxy functionality, application layer proxy 205 can process that application layer data, for example and without limitation by virus scanning and removal, content filtering and so on.

[0046] To implement the proxy function, the gateway needs to send the data previously intercepted from the source station (which has been processed by the gateway) to the destination under the identity of the source station. According to an exemplary embodiment of the present invention, in step S302, the source MAC address information in the header of a second frame, which is to be sent to the destination station in response to the first frame and contains the processed application layer data, is modified to the MAC address of the source station. Continuing with Figure 2, after application layer proxy 205 has processed the application layer data contained in frame 210, VIF 206 can modify the source MAC address information in the header of the resulting second frame 211, which contains the processed application layer data, to client 201's own MAC address. That is, the MAC address information in the header of frame 211 modified in this way is consistent with the MAC address information in the header of frame 210 originally sent by client 201.

[0047] The process then proceeds to step S303, in which the second frame is sent to the destination station by directly calling the send function of a second network card in the gateway. Continuing with FIG. 2, after the above modification is complete, VIF 206 can directly call the send function of the real physical network card 208 in transparent proxy gateway 203 (which is able to communicate with server 202), so that frame 211 is actually sent to server 202. Method 300, which implements a MAC-layer transparent proxy according to an embodiment of the present invention, can then end.

[0048] In addition, in one embodiment of the present invention, before step S301, when the first frame (for example, frame 210) is intercepted by the first network card (for example, network card 207), the source MAC address information in the header of frame 210 can be recorded as the MAC address of client 201, for use in the subsequent modification step. In this recording step, the destination MAC address information in the header of frame 210 can also be recorded as the MAC address of server 202. Furthermore, where frame 210 carries a VLAN tag, the VLAN identifier of frame 210 can also be recorded in this recording step, and in the modification step S302 the VLAN identifier of frame 211 can also be modified to the recorded VLAN identifier of frame 210. As one specific implementation, the recorded information, for example including but not limited to the MAC address of the source station, the MAC address of the destination station, the VLAN identifier, and so on, can be stored in the extended connection tracking, as described above.

[0049] In addition, in one embodiment of the present invention, before step S301, when a request frame requesting establishment of a connection between client 201 as the source station and server 202 as the destination station is intercepted by network card 207 (for example, in the case where a connection must first be established by a handshake before data transmission can continue, and frame 210 containing the application-layer data is transmitted over the established connection), the source MAC address information in the header of the request frame can be recorded as the MAC address of client 201, for use in the subsequent modification step S302. Similarly, the destination MAC address information of the request frame can be recorded as the MAC address of server 202, along with the VLAN identifier, and so on. Furthermore, in response to the intercepted request frame, as part of transparent proxy gateway 203 establishing a connection with client 201 by handshake in the identity of server 202, the source MAC address information in the header of the reply frame that answers the request frame can be modified, for example by VIF 206, to the recorded MAC address of server 202, and the send function of network card 207 can then be called to send this reply frame to client 201.
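The record and modify steps of paragraphs [0045] to [0049], sketched in C as an added example (not code from the patent or its applicant). All names are hypothetical; writing the destination MAC as well as the source MAC is an assumption drawn from the statement that the header of frame 211 matches that of frame 210, and the frames are constructed samples.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAC_LEN 6
#define TPID_8021Q 0x8100

/* Hypothetical per-connection record, standing in for the extended
 * connection-tracking entry the description mentions. */
struct l2_track {
    uint8_t  client_mac[MAC_LEN]; /* source MAC of the intercepted frame */
    uint8_t  server_mac[MAC_LEN]; /* destination MAC of the intercepted frame */
    uint16_t vlan_id;             /* 12-bit VID, meaningful only if has_vlan */
    int      has_vlan;
};

enum l2_dir { TO_SERVER, TO_CLIENT };

static int is_tagged(const uint8_t *f) { return ((f[12] << 8) | f[13]) == TPID_8021Q; }

/* Record step: copy MACs and VLAN ID out of the intercepted frame.
 * Returns 0 on success, -1 if the frame is too short to parse. */
int l2_record(struct l2_track *t, const uint8_t *f, size_t len)
{
    if (len < 14) return -1;
    memcpy(t->server_mac, f, MAC_LEN);
    memcpy(t->client_mac, f + MAC_LEN, MAC_LEN);
    t->has_vlan = 0;
    t->vlan_id = 0;
    if (is_tagged(f)) {
        if (len < 18) return -1;
        t->has_vlan = 1;
        t->vlan_id = (uint16_t)(((f[14] << 8) | f[15]) & 0x0FFF);
    }
    return 0;
}

/* Modify step (S302 and the handshake reply): rewrite the header of a frame
 * the gateway built, in place, before the real NIC's send function is called.
 * Inserting or stripping a tag is out of scope, so a tag mismatch is an error. */
int l2_rewrite(const struct l2_track *t, enum l2_dir dir, uint8_t *f, size_t len)
{
    if (len < 14) return -1;
    if (is_tagged(f) != t->has_vlan) return -1;
    if (t->has_vlan && len < 18) return -1;
    memcpy(f, dir == TO_SERVER ? t->server_mac : t->client_mac, MAC_LEN);
    memcpy(f + MAC_LEN, dir == TO_SERVER ? t->client_mac : t->server_mac, MAC_LEN);
    if (t->has_vlan) { /* keep PCP/DEI bits, replace only the VID */
        f[14] = (uint8_t)((f[14] & 0xF0) | (t->vlan_id >> 8));
        f[15] = (uint8_t)(t->vlan_id & 0xFF);
    }
    return 0;
}

/* Constructed sample frames (headers only), not captured traffic. */
uint8_t frame210[18] = { 0x02,0,0,0,0,0x02,  0x02,0,0,0,0,0x01,  0x81,0x00, 0x60,0x64, 0x08,0x00 };
uint8_t frame211[18] = { 0,0,0,0,0,0,        0x02,0,0,0,0,0xAA,  0x81,0x00, 0xA0,0x01, 0x08,0x00 };
uint8_t reply[18]    = { 0,0,0,0,0,0,        0x02,0,0,0,0,0xBB,  0x81,0x00, 0x00,0x01, 0x08,0x00 };
```

Because the rewritten frame carries the client's MAC address out of a port the client is not attached to, a switch between the gateway and the server will learn that address on the gateway's port; this is the property that makes the gateway invisible at layer 2.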

[0050] The exemplary method 300 has been described above with reference to FIG. 3. Those skilled in the art will understand that the above method steps are merely exemplary and not restrictive, and that, depending on the specific implementation, the method may include further additional or alternative steps. In one or more embodiments, the functions corresponding to these method steps may be implemented in hardware, software, firmware, or any combination thereof.

[0051] FIG. 4 shows a block diagram of an apparatus 400 according to an exemplary embodiment of the present invention.

[0052] The apparatus 400 includes at least the following parts: a modification module 401, configured to, after the application-layer data contained in a first frame, sent from a source station to a destination station and intercepted by a first network card in the gateway that is able to communicate with the source station, has been processed, modify the source MAC address information in the header of a second frame, which is to be sent to the destination station in response to the first frame and contains the processed application-layer data, to the MAC address of the source station; and a sending module 402, configured to send the second frame to the destination station by calling the send function of a second network card in the gateway that is able to communicate with the destination station.

[0053] In addition, the apparatus 400 may include additional or alternative modules to implement further corresponding functions, for example those described above in connection with method 300. The apparatus 400 may correspond, for example, to the gateway devices 103 and 203 shown in FIG. 1 and FIG. 2, or to one or more components thereof. It should be understood that the apparatus 400 is described as including a number of modules, which may be functional modules implemented in hardware, software, or a combination thereof.

[0054] Although some embodiments of the present invention have been described and illustrated above, those skilled in the art will readily appreciate that many modifications and variations of these embodiments are equally possible. It should therefore be understood that the appended claims are intended to cover all such modifications and variations that fall within the spirit and scope of the invention.

Claims (18)

1. A method for implementing a media access control (MAC) layer transparent proxy, comprising: after application-layer data contained in a first frame, sent from a source station to a destination station and intercepted by a first network card in a gateway that is able to communicate with the source station, has been processed, modifying source MAC address information in the header of a second frame, which is to be sent to the destination station in response to the first frame and contains the processed application-layer data, to the MAC address of the source station; and sending the second frame to the destination station by calling a send function of a second network card in the gateway that is able to communicate with the destination station.
2. The method according to claim 1, further comprising: when the first frame is intercepted by the first network card, recording the source MAC address information in the header of the first frame as the MAC address of the source station.
3. The method according to claim 2, wherein the recording step further comprises: recording the destination MAC address information in the header of the first frame as the MAC address of the destination station.
4. The method according to claim 2, wherein the first frame has a virtual local area network (VLAN) tag, and wherein the recording step further comprises: recording the VLAN identifier in the VLAN tag of the first frame; and the modifying step further comprises: modifying the VLAN identifier in the VLAN tag of the second frame to the recorded VLAN identifier of the first frame.
5. The method according to claim 1, further comprising: when a request frame requesting establishment of a connection between the source station and the destination station is intercepted by the first network card, recording the source MAC address information in the header of the request frame as the MAC address of the source station, wherein the first frame is transmitted over the connection to be established.
6. The method according to claim 5, wherein the recording step further comprises: recording the destination MAC address information in the header of the request frame as the MAC address of the destination station.
7. The method according to claim 6, further comprising: modifying the source MAC address information in the header of a reply frame that answers the request frame to the recorded MAC address of the destination station; and sending the reply frame to the source station by calling the send function of the first network card.
8. The method according to claim 5, wherein the request frame has a virtual local area network (VLAN) tag, and wherein the recording step further comprises: recording the VLAN identifier in the VLAN tag of the request frame; and the modifying step further comprises: modifying the VLAN identifier in the VLAN tag of the second frame to the recorded VLAN identifier of the request frame.
9. The method according to any one of claims 2 to 8, wherein the recorded information is stored in extended connection tracking.
10. An apparatus for implementing a media access control (MAC) layer transparent proxy, comprising: a modification module, configured to, after application-layer data contained in a first frame, sent from a source station to a destination station and intercepted by a first network card in a gateway that is able to communicate with the source station, has been processed, modify source MAC address information in the header of a second frame, which is to be sent to the destination station in response to the first frame and contains the processed application-layer data, to the MAC address of the source station; and a sending module, configured to send the second frame to the destination station by calling a send function of a second network card in the gateway that is able to communicate with the destination station.
11. The apparatus according to claim 10, further comprising: a recording module, configured to, when the first frame is intercepted by the first network card, record the source MAC address information in the header of the first frame as the MAC address of the source station.
12. The apparatus according to claim 11, wherein the recording module further records the destination MAC address information in the header of the first frame as the MAC address of the destination station.
13. The apparatus according to claim 11, wherein the first frame has a virtual local area network (VLAN) tag, and wherein the recording module further records the VLAN identifier in the VLAN tag of the first frame; and the modification module further modifies the VLAN identifier in the VLAN tag of the second frame to the recorded VLAN identifier of the first frame.
14. The apparatus according to claim 10, further comprising: a recording module, configured to, when a request frame requesting establishment of a connection between the source station and the destination station is intercepted by the first network card, record the source MAC address information in the header of the request frame as the MAC address of the source station, wherein the first frame is transmitted over the connection to be established.
15. The apparatus according to claim 14, wherein the recording module further records the destination MAC address information in the header of the request frame as the MAC address of the destination station.
16. The apparatus according to claim 15, further comprising: a module for modifying the source MAC address information in the header of a reply frame that answers the request frame to the recorded MAC address of the destination station; and a module for sending the reply frame to the source station by calling the send function of the first network card.
17. The apparatus according to claim 14, wherein the request frame has a virtual local area network (VLAN) tag, and wherein the recording module further records the VLAN identifier in the VLAN tag of the request frame; and the modification module further modifies the VLAN identifier in the VLAN tag of the second frame to the recorded VLAN identifier of the request frame.
18. The apparatus according to any one of claims 9 to 17, wherein the recorded information is stored in extended connection tracking.
CN 201110119721 2011-04-29 2011-04-29 Method and apparatus for implementing media access control layer of transparent proxy CN102761534B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201110119721 CN102761534B (en) 2011-04-29 2011-04-29 Method and apparatus for implementing media access control layer of transparent proxy

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 201110119721 CN102761534B (en) 2011-04-29 2011-04-29 Method and apparatus for implementing media access control layer of transparent proxy

Publications (2)

Publication Number Publication Date
CN102761534A (en) 2012-10-31
CN102761534B (en) 2016-05-11

Family

ID=47055856

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 201110119721 CN102761534B (en) 2011-04-29 2011-04-29 Method and apparatus for implementing media access control layer of transparent proxy

Country Status (1)

Country Link
CN (1) CN102761534B (en)


Also Published As

Publication number Publication date Type
CN102761534B (en) 2016-05-11 grant


Legal Events

Date Code Title Description
C06 Publication
C10 Entry into substantive examination
C14 Grant of patent or utility model
COR Change of bibliographic data