CN106713260A - Dynamic data input method for VPDN (Virtual Private Dial-up Network) - Google Patents


Info

Publication number: CN106713260A
Authority: CN (China)
Prior art keywords: packet, flow table, unit, port, stream
Legal status: Granted
Application number: CN201610699552.5A
Other languages: Chinese (zh)
Other versions: CN106713260B (en)
Inventors: 李明捷, 杨贵桂
Current assignee: Constant Technology (shanghai) Ltd By Share Ltd
Original assignee: Constant Technology (shanghai) Ltd By Share Ltd
Legal events: application filed by Constant Technology (shanghai) Ltd By Share Ltd; priority to CN201610699552.5A (patent/CN106713260B/en); publication of CN106713260A (patent/CN106713260A/en); application granted; publication of CN106713260B (patent/CN106713260B/en); current status Expired - Fee Related

Abstract

The invention relates to a dynamic data injection method, in particular to a dynamic data injection method for a VPDN. A dynamic data injection device for the VPDN is connected in series into the original link; an external server generates different data packets according to different rules and returns them to the device through a return port; the device queries, via a classification-matching unit, whether the flow to which the packets belong exists, sets the forwarding port of the packets to the port found, and sends the dynamic packets into the original link through that forwarding port, thereby realizing dynamic data injection for the VPDN.

Description

Method for dynamic data injection in a Virtual Private Dial-up Network
The present application is a divisional application of Application No. 201310731323.3, filed on December 27, 2013, entitled "Device and method for dynamic data injection in a Virtual Private Dial-up Network".
Technical field
The present invention relates to a device and method for dynamic data injection, and in particular to a device and method for dynamic data injection in a Virtual Private Dial-up Network.
Background technology
A VPDN (Virtual Private Dial-up Network) is a virtual private dial-up network service for dial-up users: the user goes online by dial-up access, and the network data carried over the PSTN is encapsulated and encrypted, so that private data can be transmitted inside the VPDN at the security level of a private network. It is a secure virtual private network built on the bearer capability of an IP network together with corresponding authentication and authorization mechanisms, and is a technology that has developed rapidly with the growth of Internet technologies.
The most common VPDN service today is remote access: employees on business trips and trans-regional offices of an enterprise connect to the enterprise's internal network over the public network through a virtual encrypted tunnel, while ordinary users on the public network cannot reach the enterprise's internal network through that tunnel. Other typical VPDN services include wireless claim-assessment applications in the insurance industry and wireless mobile meter reading in the power industry. The service-forwarding and traffic-splitting devices currently used for VPDN can filter and forward data streams with various efficient lookup methods, and such devices and methods meet the need to monitor and count VPDN services well. However, if the same device must also monitor the behaviour of Internet users and push customized data to them, i.e. intervene in a user's online request and then return a result to the user (for example when an illegal request, or a request designated by the enterprise, must be monitored but the user's request must not be dropped), the traditional VPDN-based splitting device cannot meet this demand.
The structure of a traditional splitting device is shown in Fig. 1. Internet data from network I arrives through the in-line port at the classification-matching module and can only be output unidirectionally through the functional port to the monitoring device.
Chinese invention patent application No. 0213628508 discloses a forwarding method for VPDN service packets: the session number is used for fast lookup of the corresponding session and the corresponding VPDN data field is located quickly. User data is forwarded after the lookup; the user's request target cannot be changed, and the user's online behaviour cannot be intervened in and then returned to the user, i.e. customized data cannot be injected to the user dynamically.
Summary of the invention
The problem to be solved by the present invention is that current VPDN services cannot intervene in the online behaviour of an Internet user and then return the result to that user.
To solve the above technical problem, the specific technical solution proposed by the present invention is a device for dynamic data injection in a Virtual Private Dial-up Network, comprising: a serial-interface unit 1, a global control unit 2, a classification-matching unit 3, a service unit 4 and a return unit 5;
the serial-interface unit 1 is at least one pair of in-line ports connected in series between the network server and the switch, serving as the ports through which in-line traffic is forwarded;
the global control unit 2 configures, through a configuration interface, the service port and the return port, configures the rules and behaviours for packets that need to be redirected to the return port, and initializes the flow table;
the classification-matching unit 3 receives packets from the serial-interface unit 1 and, after rule lookup, forwards them according to the result to the service unit 4, the serial-interface unit 1 or the return unit 5; it also receives packets from the return unit 5, looks up the flow table, analyzes the uplink/downlink direction of the packet and looks up the original port; it then sets the forwarding port of the packet to the port found and sends the packet to the serial-interface unit 1;
the service unit 4 receives packets from the classification-matching unit 3 and forwards them, according to the above result label, to a specific device or another network;
the return unit 5 receives data from the classification-matching unit 3 and sends it to the external server; it receives packets from the external server and delivers them to the classification-matching unit 3.
The serial-interface unit 1 is paired; a device may carry several pairs of in-line ports so that several links can be connected in series.
The serial-interface unit 1 comprises in-line port A and in-line port B; it receives the packets output by the classification-matching unit and forwards them into the original link from in-line port B or in-line port A respectively, according to the uplink/downlink direction.
The global control unit 2 runs on the CPU of the device and controls the other units over the data/address bus.
The global control unit 2 sets, through the management interface, the attribute of each interface as a functional port or a return port, and initializes the flow-table space. Apart from the in-line ports, the management serial port and the management network port, every other visible physical interface of the device can be a functional port or a return port; functional ports and return ports must be defined explicitly by the user, and one interface cannot be both a return port and a functional port.
The classification-matching unit 3 receives packets input from the serial-interface unit 1 and looks up the flow in the flow table; if there is no hit, a new flow is created and the rules are then looked up; if there is a hit, the packet's behaviour is set to the flow's behaviour. The classification-matching unit 3 also receives packets input from the return unit 5 and queries whether their flow exists in the flow table; if it exists, the uplink/downlink direction of the packet is analyzed, the port is looked up according to that direction, and the forwarding port of the packet is set to the port found.
The return unit 5 receives from the classification-matching unit 3 the packets that hit a specific rule and sends them to the external server; it receives the packets sent by the external server and delivers them to the classification-matching unit 3.
The device of the present invention is connected in series into the original link and can be connected to an external server. The external server produces different packets according to different rules and sends them back to the device through the return port; the device matches the original port of the packet via the flow table in the classification-matching unit, stamps the packet with the result label of that original port, and finally sends the dynamic packet into the original link according to the result label, thereby achieving dynamic data injection for the Virtual Private Dial-up Network.
The present invention also provides a method for dynamic data injection in a Virtual Private Dial-up Network, comprising the steps of:
Step S1: the serial-interface unit 1 receives the online request of an Internet user and extracts the flow features of the request packet;
Step S2: the classification-matching unit 3 matches the packets that need to be forwarded to the return port;
it judges from the flow features whether the flow exists in the flow table; if it exists, the packet's hit threshold is judged; if it does not exist, a flow is created dynamically in the flow table from the flow features, the new flow is written into the flow table, and the rules are then looked up;
it judges the hit count of the packet: if it exceeds the flow's hit threshold, the packet's behaviour is set to the behaviour looked up for the flow; if it is below the flow's hit threshold, rule lookup is required;
packets whose hit count is below the hit threshold, or whose flow does not exist in the flow table, are looked up against the three kinds of rules in the rule set: target rules, L4 rules and L7 rules;
the packet is stamped with a behaviour-label result according to the rule-lookup result;
Step S3: the return port receives the packet dynamically produced by the external server and looks up the flow table;
the flow table here is the flow table dynamically updated in step S2;
looking up the flow table means querying, from the packet's flow features, whether a flow meeting those features exists in the flow table; if it exists, the uplink/downlink direction of the packet is analyzed; if it does not exist, the packet's behaviour is set to drop;
Step S4: analyze the uplink/downlink direction and look up the port number;
analyzing the uplink/downlink direction means: if the packet's direction is uplink, the destination port is looked up in the flow table; if the packet's direction is downlink, the source port is looked up in the flow table; the packet's forwarding port is then set to the destination port or source port found;
Step S5: the packet is delivered to the original link according to the flow's behaviour and the forwarding port.
Technical effect:
As shown in Fig. 2, when an employee of the enterprise on a business trip accesses the enterprise's internal network through the public network, the enterprise network can monitor and intervene in the Internet data of the VPDN; when an illegal request, or a request designated by the enterprise, needs to be monitored without dropping the user's request, the dynamic data injection device and method of the invention can be used.
Compared with the prior art, the invention adds a return unit, which meets the need to intervene in an Internet user's online request and then return the result to the user. The functional ports of the device can provide the known data-filtering and forwarding services and can also provide the dynamic data injection service, and the definition of functional ports and return ports can be configured flexibly in the global control unit; this flexibility and scalability can meet increasingly complex service demands.
Brief description of the drawings
Fig. 1 is the structure diagram of a traditional filtering and forwarding device.
Fig. 2 is the network access location diagram of the device of the present invention.
Fig. 3 is the structure diagram of the device for VPDN dynamic data injection according to the present invention.
Fig. 4 is the module structure diagram of the device and method for VPDN dynamic data injection according to the present invention.
Fig. 5 is the basic flow chart of the device and method for VPDN dynamic data injection according to the present invention.
Fig. 6 is the detailed data flow chart of the device and method for VPDN dynamic data injection according to the present invention.
Specific embodiment
The invention is further described below with reference to the accompanying drawings and embodiments. In the following description, for reasons of space, existing common knowledge, including structure and function, is not repeated.
As shown in Fig. 2, the present invention provides a device connected in series between the network server (referred to as the LNS) and the switch; Fig. 2 is the network access location diagram of the device and method for VPDN dynamic data injection according to the invention.
The structure of the device is shown in Fig. 3. Internet data from network I reaches the classification-matching module through the in-line port. The classification-matching module can perform traditional filtering and forwarding, forwarding data to the monitoring device; it can also output that data through the return port to the external server, and receive the data produced by the external server back into the original network.
Fig. 4 is the module structure diagram of the device and method for VPDN dynamic data injection according to the invention.
It comprises in-line port A and in-line port B of the serial-interface unit 1, the global control unit 2, the classification-matching unit 3, the service unit 4 and the return unit 5.
In-line port A: one of a pair of external ports, used to connect one of the two network-element devices between which the device is inserted; it is one of the pair of in-line traffic-forwarding ports.
Port A is a visible physical interface, which may be an optical or an electrical interface with one or more speed capabilities. Port A and port B form a pair of in-line ports; this is known content and is not repeated here.
In-line port B: the other of the pair of external ports, used to connect the other of the two network-element devices between which the device is inserted; it is the other of the pair of in-line traffic-forwarding ports.
Port B is a visible physical interface, which may be an optical or an electrical interface with one or more speed capabilities. Port B and port A form a pair of in-line ports; this is known content and is not repeated here.
Global control unit 2: provides a configuration interface for specifying which interfaces of the device are functional ports and which are return ports; any number of the device's non-in-line interfaces can be return ports.
Classification-matching unit 3: receives data from the serial-interface unit 1 and looks up the flow to which the packet belongs in the flow table; if the lookup succeeds the matching result is obtained, and if it fails the rules are looked up to obtain the matching result.
Specifically, it receives a packet input from the serial-interface unit 1, extracts the flow features and then queries whether this flow exists in the flow table. Depending on the result it creates a new flow or continues with rule lookup. A packet whose flow lookup succeeds obtains its forwarding result directly; otherwise rule lookup yields the forwarding result.
It receives packets from the return port and queries whether the flow to which the packet belongs exists in the flow table; if it does, it analyzes the packet's uplink/downlink direction, looks up the port number, and finally forwards the original packet according to the forwarding port number. This is known content and is not described in detail here.
Service unit 4: receives packets from the classification-matching unit 3 and forwards them according to the forwarding behaviour; this is known content and is not described in detail here.
Return unit 5: receives the specific packets matched by the classification-matching unit 3 and forwards them to the external server; receives the packets produced by the external server and forwards them to the classification-matching unit 3 for behaviour-result lookup and uplink/downlink analysis. The return port is a physically visible port and may be an electrical port or a transceiver optical port.
Fig. 5 is the basic flow chart of the method for VPDN dynamic data injection according to the invention.
Step S1: the serial-interface unit 1 receives the online request of an Internet user and extracts the flow features of the request packet;
Step S2: the classification-matching unit 3 matches the packets that need to be forwarded to the return port;
it judges from the flow features whether the flow exists in the flow table; if it exists, the packet's hit threshold is judged; if it does not exist, a flow is created dynamically in the flow table from the flow features, the new flow is written into the flow table, and the rules are then looked up;
it judges the hit count of the packet: if it exceeds the flow's hit threshold, the packet's behaviour is set to the behaviour looked up for the flow; if it is below the flow's hit threshold, rule lookup is required;
packets whose hit count is below the hit threshold, or whose flow does not exist in the flow table, are looked up against the three kinds of rules in the rule set: target rules, L4 rules and L7 rules;
the packet is stamped with a behaviour-label result according to the rule-lookup result;
Step S3: the return port receives the packet dynamically produced by the external server and looks up the flow table;
the flow table here is the flow table dynamically updated in step S2;
looking up the flow table means querying, from the packet's flow features, whether a flow meeting those features exists in the flow table; if it exists, the uplink/downlink direction of the packet is analyzed; if it does not exist, the packet's behaviour is set to drop;
Step S4: analyze the uplink/downlink direction and look up the port number;
analyzing the uplink/downlink direction means: if the packet's direction is uplink, the destination port is looked up in the flow table; if the packet's direction is downlink, the source port is looked up in the flow table; the packet's forwarding port is then set to the port found;
Step S5: the packet is delivered to the original link according to the flow's behaviour and the in-line port.
With reference to Fig. 6, the device for VPDN dynamic data injection according to the invention is illustrated by way of example using a real requirement of a certain company.
As shown in Fig. 6, a user named terminal 1 sends a data request whose domain is "www.wiki.com" and whose search keyword is "VPDN"; the request enters the device through in-line port A. The device can redirect HTTP request messages for "www.wiki.com" to the company's internal wiki server, where the search is performed first; only if the keyword is not found on the company's internal wiki is the request sent on to www.wiki.com. The method by which the device accomplishes this comprises the following steps:
In the initial state, in-line port A is connected to the router of the company's internal LAN, in-line port B is connected to the router of the company's external network, and in-line port C is connected to a server 1, whose IP address is assumed to be "192.168.8.100" and which runs the company's internal wiki website.
The user logs in to the management interface of the device via SSH, configures interface C as the return port, configures a rule with domain="www.wiki.com", and sets the forwarding behaviour of this rule to "forward from interface C".
Step 6a01: terminal 1 initiates an HTTP request to "www.wiki.com" with the keyword "VPDN". Assume that the IP address of terminal 1 is 192.168.8.111 and the gateway of the LAN is 192.168.8.1.
Step 6a02: after in-line port A receives the request message, it first extracts the flow features from the packet, i.e. sip="192.168.8.111", dip="192.168.8.1", sport="A", dport="B", protocol="http"; it then proceeds to step 6a03.
As shown in Table 1 below, a flow-table entry holds the following information. A flow is usually defined uniquely by a five-tuple comprising the protocol type (protocol), source IP (sip), destination IP (dip), source port (sport) and destination port (dport); packets with the same five-tuple belong to the same flow. Because the five-tuple distinguishes source and destination IP, such a flow is unidirectional, and the packets of one complete interaction belong to two different flows. Many applications are more concerned with the connection, i.e. the complete interaction: a connection consists of two flows in which source IP address and source port are exchanged with destination IP address and destination port. For ease of statement, the concept of a flow is used here to represent a connection, i.e. a bidirectional flow; such a flow is defined uniquely by the protocol type and a pair of IP/port sets. In the initial state the flow table is empty: the original port number, destination port number and protocol type are temporarily filled as 0, the initial IP and destination IP are temporarily filled as 0.0.0.0, and the behaviour of the flow is temporarily filled as drop. Table 1:
Step 6a03: the flow table is searched with the extracted flow features; if a flow meeting these features is found in the flow table, go to step 6a04, otherwise go to step 6a05.
Step 6a04: if the flow to which the packet belongs exists in the flow table, the first threshold (matchCounter) packets of this flow all look up the rule table (go to step 6a07), until no matching rule can be found or the threshold (matchCounter) is exceeded, after which the behaviour of the user-defined passive flow decides the pass-through mode of subsequent packets. The threshold (matchCounter) defaults to 10 and the user can set this value on the command line.
Step 6a05: if no flow with original port number A, destination port number B, initial IP 192.168.8.111, destination IP 192.168.8.1 and protocol type http is matched in the flow table, this flow is created in the flow table and the flow table is updated, after which the second-layer rule lookup follows. The updated flow table is shown in Table 2 below:
Step 6a06: if the flow exists and the hit count exceeds the flow's hit threshold, the behaviour looked up for the flow is set as the packet's final behaviour.
Step 6a07: packets with no hit in the flow table and packets below the threshold all require the second-layer rule match.
Rule matching is implemented through rule tables; the present invention comprises 4 rule sets and 3 kinds of rules: special-object (target) rules, L4 rules and L7 rules. Target rules can be combined with L4 or L7 rules, i.e. a rule is hit only when the classification entry of a target rule and the classification entry of an L4 rule or an L7 rule are hit at the same time.
Each rule subclass is divided into 4 priorities according to different matching processing and pass-through modes, and each priority can be given its own data-processing and forwarding behaviour. Each priority can hold 20K rule classification entries (class-entry) sharing the same processing behaviour.
A packet that misses every rule automatically hits the default entry and is processed with the behaviour defined for default.
A packet first queries the target rule table and then queries the L4 or L7 table according to the resulting behaviour. Whether L4 or L7 is queried first is determined by the default setting of the target rule table.
Target rules include two kinds of classification entries: ip and name. ip is the online IP used after the user's connection authentication succeeds; name is the RADIUS or PPP user name.
Target rules have priorities 1-4 and default; 1 is the highest priority, 4 the lowest, and default is the default priority. Each priority can hold 20K classification entries; different priorities may not store the same rule, and no rules may be configured at the default priority.
The default behaviour of the default priority is loop, and the default behaviour of the other priorities is unset (UNSET). The behaviour of each priority is configurable; the behaviour of target rules can be configured as loop, drop, fw hash, redirect hash, to l4 or to l7, i.e. normal forwarding, drop, hash forwarding (normal forwarding while also copying to the return port or output port), redirect (redirected to the output port or return port), go to L4 rule lookup, or go to L7 rule lookup.
The L4 rule entries, shown in Table 3 below, include classification entries of the types ip, protocol, protocol+port and domain. ip is the IP of the L2TP inner layer of the packet; protocol is the protocol of the inner layer; protocol+port is {UDP | TCP} + port number; domain is the domain name of a DNS request, which is finally matched as the IP corresponding to that domain name, the IP being obtained automatically by the device learning from DNS response packets. By default the rule entries are empty and no data is filled in. Table 3:
L4 rules have priorities 1-4 and default; 1 is the highest priority, 4 the lowest, and default is the default priority. Each priority can hold 20K classification entries; no rules may be configured at the default priority, and different priorities may not store the same rule.
The default behaviour of the default priority is loop, and the default behaviour of the other priorities is unset (UNSET). The behaviour of each priority is configurable; the behaviour of L4 rules can be configured as loop, drop, fw hash, redirect hash or to l7, i.e. normal forwarding, drop, hash forwarding, hash redirect, or go to L7 rule lookup.
The behaviour of the default priority can also be set to l7, i.e. go to L7 rule lookup. If several priorities are hit at the same time, the forwarding behaviour of the highest-priority rule is taken. The IP corresponding to a DNS domain name is maintained dynamically from the DNS packets received by the device; each domain name keeps at most 256 IPs, and when the number of IPs obtained exceeds that number the IPs saved first are overwritten automatically.
L7 rules include ud, host, uri and host+uri classification entries. Active control and passive monitoring each support at most 128 ud classification entries, with 4 ud per entry and four bytes per ud.
L7 rules have priorities 1-4 and default; 1 is the highest priority, 4 the lowest, and default is the default priority. Each priority can hold 20K classification entries; no rules may be configured at the default priority, and different priorities may not store the same rule.
The default behaviour of the default priority is loop, and the default behaviour of the other priorities is unset (UNSET). The behaviour of each priority is configurable; the behaviour of L7 rules can be configured as loop, drop, fw hash, redirect hash or to l4, i.e. normal forwarding, drop, hash forwarding, hash redirect, or go to L4 rule lookup.
The behaviour of the default priority can also be set to l4, i.e. go to L4 rule lookup. If several priorities are hit at the same time, the forwarding behaviour of the highest-priority rule is taken.
Terminal 1's request is matched against the target rules according to the static rule priorities set by the user; since target rule entries do not match on the domain name (domain) while L4 rules can match on the domain name, the user can set the default rule of target to go to L4. The specific rule configuration is as follows:
add ruleset 1 control l4: 1 domain= "www.wiki.com"
Because the company needs requests for "www.wiki.com" to be redirected to the internal wiki, a behaviour that forwards from return port C must be configured in the static rules for ruleset 1 of the above rule; the specific behaviour configuration is as follows (assuming that the physical interface number of return port C on the device is 9):
set ruleset 1 control target: default to l4
set ruleset 1 control l4: 1 redirect hash s 9
Behavior forwarding and the corresponding table of rule set, due to being known content, this place is just no longer described in detail.
Step 6a08, if the data request packet of terminal 1 matches regular list item in rule set, just by the packet Behavior is set to the behavior of rule.
Step 6a09, if it fails to match in rule set for the data request packet of terminal 1, puts the behavior of the packet to lose Abandon.
Step 6b01: the data request from terminal 1 is sent through return port C to server 1, whose IP address is 192.168.6.100. Server 1 searches its database for the keyword "VPDN" and returns the query result to interface C.
Step 6b02: after data is received on the return port, the flow features of the packet are extracted first and the flow is looked up in the flow table described in Table 1. If a flow matching the features is found, go to step 6b03; otherwise go to step 6b04.
Step 6b03: for a packet sent back by server 1 whose matching flow exists in the flow table, the up/downlink direction of the packet must first be analyzed. In this example, the data that server 1 returns after processing the request of terminal 1 may be either uplink or downlink. If information with the keyword "VPDN" was found in the database of server 1, the packet is a response packet and is downlink. If no information with the keyword "VPDN" was found in the database of server 1, the request of terminal 1 needs to be put back into the link, so the packet received on return port C is a request packet and is uplink. The packet information is shown in Table 4 below:
Step 6b04: if the packet sent back by server 1 fails to match in the flow table, the behavior of the packet is set to drop.
Step 6b05: according to the up/downlink direction analyzed in step 6b03, update the content of Table 4. If the packet sent back by server 1 is uplink data, i.e. no information with the keyword "VPDN" was found, the original destination port number of the packet must be looked up in the flow table shown in Table 2; the destination port found in Table 2 is B. If the packet sent back by server 1 is downlink data, i.e. information with the keyword "VPDN" was found, the original input port number of the packet must be looked up in the flow table shown in Table 2; the original port found in Table 2 is A. The updated Table 4 has two possible forms, shown in Table 5 and Table 6 below. Table 5:
Table 6:
Step 610: according to the forwarding behavior of the packet, the packet is forwarded out of the specified port or dropped. The forwarding behavior here may be forwarding to the return port or forwarding to a series port.
In summary, the result is: if content about "VPDN" can be found on the company's server, the company's internal wiki web page is pushed back to the user terminal; if no "VPDN" data is found inside the company, the request to search "VPDN" on www.wiki.com is sent on to the website whose domain name is www.wiki.com.
In summary, in this embodiment the user's Internet access over the VPDN is intervened in by the company's internal network equipment without dropping the user's request; user-initiated Internet requests are first matched against internal data, and data from the internal database is injected to the online user, which satisfies the need for dynamic data injection for the VPDN.

Claims (2)

1. A method for dynamic data injection in a virtual private dial-up network, characterized in that a device for dynamic data injection in a virtual private dial-up network is connected in series into the original link and an external server is attached; the external server generates different packets according to different rules and sends the packets back into the device through a return port; the device queries, through a classification and matching unit, whether the flow to which the packet belongs exists, and drops the packet if it does not exist; if it exists, the up/downlink direction of the packet is analyzed and a port is queried according to the direction result, the forwarding port of the packet is set to the port found, and finally the dynamic data packet is sent into the original link according to the forwarding port, achieving dynamic data injection for the virtual private dial-up network;
the device for dynamic data injection in a virtual private dial-up network comprises: a series interface unit (1), a global control unit (2), a classification and matching unit (3), a service unit (4) and a return unit (5); wherein:
the series interface unit (1) is at least one pair of ports connected in series between the network server and the switch, serving as the forwarding ports for the in-line traffic;
the global control unit (2) configures the service port and the return port through the configuration interface, configures the rules and behaviors for packets that need to be redirected to the return port, and initializes the flow table;
the classification and matching unit (3) receives packets from the series interface unit (1) and, according to the rule lookup result, forwards them to the service unit (4), the series interface unit (1) or the return unit (5); it receives packets from the return unit (5), queries the flow table, analyzes the up/downlink direction of the packet and queries the original port; it sets the forwarding port of the packet to the port found and then sends the packet to the series interface unit (1);
the service unit (4) receives packets from the classification and matching unit (3) and forwards them to a specific device or another network according to the label from the above result;
the return unit (5) receives data from the classification and matching unit (3), sends it to the external server, receives packets from the external server and delivers them to the classification and matching unit (3).
2. The method for dynamic data injection in a virtual private dial-up network according to claim 1, whose steps comprise:
Step S1: the series interface unit (1) receives an Internet access request from an Internet user and extracts the flow features of the request packet;
Step S2: the classification and matching unit (3) matches the packets that need to be forwarded to the return port;
it judges from the flow features whether the flow exists in the flow table; if it exists, the hit threshold of the packet is judged; if it does not exist, a flow is created dynamically in the flow table from the flow features, the new flow is updated into the flow table, and the rules are then looked up;
it judges the hit count of the packet: if the count is greater than the hit threshold of the flow, the behavior of the packet is set to the behavior of the flow found; if it is less than the hit threshold of the flow, the rules must be looked up;
packets whose hit count is below the hit threshold, or which do not exist in the flow table, are looked up against the three classes of rules in the rule set, namely target rules, L4 rules and L7 rules;
the behavior of the packet is set to the behavior of the rule found by the rule lookup;
Step S3: the return port receives the packets dynamically generated by the external server and queries the flow table;
the flow table is the flow table dynamically updated in step S2;
querying the flow table means querying, from the flow features of the packet, whether a flow matching those features exists in the flow table; if it exists, the up/downlink direction of the packet is analyzed; if it does not exist, the behavior of the packet is set to drop;
Step S4: analyze the up/downlink direction and query the port number;
analyzing the up/downlink direction means: if the direction of the packet is uplink, the destination port must be queried in the flow table; if the direction of the packet is downlink, the source port must be queried in the flow table; and the forwarding port of the packet is set to the destination port or source port found;
Step S5: the packet is delivered into the original link according to the behavior and forwarding port of the flow.
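The flow-table side of the method, steps 6b02 to 6b05 of the embodiment and steps S2 to S5 of claim 2, as one added example (not code from the patent or the applicant). What follows the text: a flow is created on first sight at the series port and records the port the request entered on (A) and the port it was headed to (B); a per-flow hit counter lets later packets reuse the flow's cached behavior once the count exceeds the hit threshold, otherwise the rules are consulted; a packet arriving on the return port is dropped unless its flow exists; an uplink packet leaves through the original destination port (B), a downlink packet through the original input port (A). What is assumed: the five-tuple as the "flow feature", the port names, the `Decision` type, and the direction test itself, which the text decides by whether the server found the keyword and which here is decided by comparing the packet's addresses with the stored tuple (same orientation is uplink, reversed orientation is a reply, i.e. downlink).

```python
"""Flow table and return-port handling for the in-line injection device.
Added example; the five-tuple key and the direction test are assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

FiveTuple = Tuple[str, str, int, str, int]   # proto, src_ip, src_port, dst_ip, dst_port


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Decision:
    action: str                        # "forward", "redirect" or "drop"
    port: Optional[str] = None         # device port: "A", "B" or return port "C"
    direction: Optional[str] = None    # "up" or "down", filled in on the return path


@dataclass
class Flow:
    key: FiveTuple                     # tuple as first seen on the series port
    in_port: str                       # port the request entered on (A in the text)
    out_port: str                      # port the request was headed to (B in the text)
    hits: int = 0
    behavior: Optional[Decision] = None   # cached rule result


def five_tuple(p: Packet) -> FiveTuple:
    return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)


def reverse(k: FiveTuple) -> FiveTuple:
    proto, sip, sp, dip, dp = k
    return (proto, dip, dp, sip, sp)


class FlowTable:
    def __init__(self, hit_threshold: int = 3):
        self.flows: Dict[FiveTuple, Flow] = {}
        self.hit_threshold = hit_threshold

    def on_series_port(self, pkt: Packet, in_port: str, out_port: str,
                       rule_lookup: Callable[[Packet], Decision]) -> Decision:
        """Step S2: a request seen on the series port."""
        key = five_tuple(pkt)
        flow = self.flows.get(key)
        if flow is None:                               # dynamic creation of the flow
            flow = self.flows[key] = Flow(key, in_port, out_port)
        flow.hits += 1
        if flow.behavior is not None and flow.hits > self.hit_threshold:
            return flow.behavior                       # above threshold: reuse the flow's behavior
        flow.behavior = rule_lookup(pkt)               # otherwise consult the rule set
        return flow.behavior

    def on_return_port(self, pkt: Packet) -> Decision:
        """Steps S3/S4 (6b02-6b05): a packet coming back from the external server."""
        key = five_tuple(pkt)
        if key in self.flows:                          # same orientation as the request: uplink
            return Decision("forward", self.flows[key].out_port, "up")
        rkey = reverse(key)
        if rkey in self.flows:                         # addresses swapped: a reply, downlink
            return Decision("forward", self.flows[rkey].in_port, "down")
        return Decision("drop")                        # 6b04: no such flow, nothing is injected


if __name__ == "__main__":
    # Constructed sample traffic: terminal 1 asks an external site, server 1 answers on port C.
    table = FlowTable(hit_threshold=2)
    request = Packet("tcp", "10.1.1.10", 40000, "203.0.113.10", 80)
    print(table.on_series_port(request, "A", "B", lambda p: Decision("redirect", "C")))
    print(table.on_return_port(request))                                        # uplink -> B
    print(table.on_return_port(Packet("tcp", "203.0.113.10", 80, "10.1.1.10", 40000)))  # downlink -> A
    print(table.on_return_port(Packet("tcp", "203.0.113.10", 80, "10.1.1.10", 40001)))  # drop
```

The flow-table lookup in `on_return_port` is the only check the method places on what enters the original link from port C: any packet delivered on that port whose five-tuple (in either orientation) matches a live flow is forwarded into the user's session. In a deployment that means port C has to be a dedicated interface to server 1 alone, and flow entries need an expiry, neither of which the text addresses.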
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201610699552.5A | 2013-12-27 | 2013-12-27 | Method for dynamic data injection in virtual private dial-up network (CN106713260B, Expired - Fee Related)

Applications Claiming Priority (2)

Application Number | Priority Date | Filing Date | Title
CN201310731323.3A | 2013-12-27 | 2013-12-27 | A kind of devices and methods therefor that dynamic data injects in Virtual Private Dialup Network (CN103685310B)
CN201610699552.5A | 2013-12-27 | 2013-12-27 | Method for dynamic data injection in virtual private dial-up network (CN106713260B)

Related Parent Applications (1)

Application Number | Relation | Priority Date | Filing Date | Title
CN201310731323.3A | Division | 2013-12-27 | 2013-12-27 | A kind of devices and methods therefor that dynamic data injects in Virtual Private Dialup Network (CN103685310B)

Publications (2)

Publication Number | Publication Date
CN106713260A | 2017-05-24
CN106713260B | 2020-07-10

Family

ID=50321624

Family Applications (2)

Application Number | Status | Priority Date | Filing Date | Title
CN201310731323.3A | Active | 2013-12-27 | 2013-12-27 | A kind of devices and methods therefor that dynamic data injects in Virtual Private Dialup Network (CN103685310B)
CN201610699552.5A | Expired - Fee Related | 2013-12-27 | 2013-12-27 | Method for dynamic data injection in virtual private dial-up network (CN106713260B)

Country Status (1)

CN (2): CN103685310B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN112866289A * | 2021-03-02 | 2021-05-28 | 恒为科技(上海)股份有限公司 | Method and system for extracting feature rule
CN112866289B * | 2021-03-02 | 2022-09-30 | 恒为科技(上海)股份有限公司 | Method and system for extracting feature rule

Families Citing this family (2)

Publication number | Priority date | Publication date | Assignee | Title
CN105099942B | 2014-04-30 | 2019-05-03 | 华为技术有限公司 | A kind of data package processing method and equipment
CN108124021B * | 2016-11-28 | 2021-04-16 | 阿里巴巴集团控股有限公司 | Method, device and system for obtaining Internet Protocol (IP) address and accessing website

Patent Citations (4)

Publication number | Priority date | Publication date | Assignee | Title
CN1471283A * | 2002-07-26 | 2004-01-28 | 深圳市中兴通讯股份有限公司 | Virtual special dialing network business data packet retransmission method
CN1848799A * | 2005-04-12 | 2006-10-18 | 华为技术有限公司 | Method for realizing virtual special network
US20120144061A1 * | 2009-08-28 | 2012-06-07 | Zte Corporation | Control element, forwarding element and routing method for internet protocol network
CN101764741A * | 2009-11-27 | 2010-06-30 | 上海恒为信息科技有限公司 | Filtering and shunting device and method supporting multi-service function

Family Cites Families (1)

Publication number | Priority date | Publication date | Assignee | Title
CN103227773B * | 2012-03-31 | 2016-05-11 | 杭州华三通信技术有限公司 | A kind of method and system thereof of setting up VPDN connection

Also Published As

Publication number Publication date
CN103685310B (en) 2017-01-04
CN106713260B (en) 2020-07-10
CN103685310A (en) 2014-03-26


Legal Events

Code | Title | Description
DD01 | Delivery of document by public notice | Addressee: Constant technology (Shanghai) Limited by Share Ltd; Document name: Notice of non patent agent (person)
DD01 | Delivery of document by public notice | Addressee: Constant technology (Shanghai) Limited by Share Ltd; Document name: Notification to Make Rectification
DD01 | Delivery of document by public notice | Addressee: Constant technology (Shanghai) Limited by Share Ltd; Document name: Notification of Passing Examination on Formalities
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20200710; Termination date: 20201227