CN108769084B - Processor and firewall - Google Patents

Processor and firewall

Info

Publication number
CN108769084B
Authority
CN
China
Prior art keywords
processor
data
data packet
processing
plane
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810987386.8A
Other languages
Chinese (zh)
Other versions
CN108769084A (en)
Inventor
赵瑞东
李若寒
孙大军
孙晓妮
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shandong Chaoyue CNC Electronics Co Ltd
Original Assignee
Shandong Chaoyue CNC Electronics Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shandong Chaoyue CNC Electronics Co Ltd
Priority to CN201810987386.8A
Publication of CN108769084A
Application granted
Publication of CN108769084B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40 Bus networks
    • H04L2012/40208 Bus networks characterized by the use of a particular bus standard
    • H04L2012/40215 Controller Area Network CAN
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/02 Standardisation; Integration
    • H04L41/0246 Exchanging or transporting network management information using the Internet; Embedding network management web servers in network elements; Web-services-based protocols
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
    • H04L41/08 Configuration management of networks or network elements
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/02 Capturing of monitoring data
    • H04L43/028 Capturing of monitoring data by filtering
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a processor and a firewall. The processor comprises a control plane, which provides the various management interfaces, and a data plane, which performs data packet exchange and data analysis and processing. The control plane processes and manages the control flow, the data plane processes the service flow, and the control plane and the data plane are connected through a bus. The invention can effectively guarantee network security.

Description

Processor and firewall
Technical Field
The present invention relates to the field of network security, and more particularly, to a processor and firewall.
Background
As network traffic volume has grown explosively, the demand for firewall performance has grown with it. Manufacturers continuously improve and refine the hardware and software architecture of the firewall, so that its processing performance keeps rising. In 2009, the IT research and advisory firm Gartner studied the development trend of the firewall market and proposed the concept of the next-generation firewall.
According to Gartner's research report, a next-generation firewall should support transparent deployment and provide the packet filtering, stateful inspection, NAT (network address translation), VPN (virtual private network) and similar functions of a conventional firewall; in addition it should offer an integrated engine, intelligent data linkage between multiple security modules, deep application identification and control, and flexible expansion capability. In the following years, security manufacturers at home and abroad launched next-generation firewall products.
For a long time, the firewall equipment sold in China has used foreign chips and software systems, leaving it seriously dependent on external suppliers. Firewall systems are the foundation of information security, and building them on foreign chips and systems carries self-evident hidden risks. No effective solution currently exists for the problem that the prior art lacks a firewall based on a domestic processor.
Disclosure of Invention
In view of this, an embodiment of the present invention provides a processor and a firewall, which can effectively guarantee network security.
In view of the above object, an aspect of the embodiments of the present invention provides a processor, including:
a control plane for providing management of various interfaces;
the data plane is used for data packet exchange and data analysis processing;
the control plane processes and manages control flow, the data plane processes service flow, and the control plane and the data plane are connected through a bus.
In some embodiments, the control plane and the data plane each include at least one core group, each core group including at least one processing core.
In some embodiments, the control plane includes a core group including four processing cores to process at least one of: web management, network configuration management, remote management, SDN control, intelligent learning, monitoring alarm, log audit and security reinforcement.
In some embodiments, the data plane includes 15 core groups, each core group including four processing cores, the four processing cores being respectively configured to perform on the data packet: receiving and preprocessing, stream recombination and analysis, deep content detection and sending.
In some embodiments, the four processing cores run concurrently in a pipelined fashion.
In some embodiments, the data plane is further compatible with at least one of the following packet processing acceleration mechanisms: the DPDK framework, poll-mode packet receiving and transmitting, a lock-free mechanism, zero-copy technology and huge-page memory technology.
In some embodiments, the bus comprises at least one of: a configuration bus, a monitoring bus, a log bus and an alarm bus.
In some embodiments, the processor is a Feiteng 2000+ model with 64 processing cores.
In another aspect of the embodiments of the present invention, a data processing method is further provided, which uses the processor described above.
In another aspect of the embodiments of the present invention, there is also provided a firewall, including a memory, at least one processor, and a computer program stored on the memory and executable on the processor, where the processor is the aforementioned processor, or executes the aforementioned method when executing the program.
The invention has the following beneficial technical effect: by using the control plane of the processor to process and manage the control flow, the data plane to process the service flow, and a bus to connect the control plane and the data plane, the processor and the firewall provided by the embodiments of the invention can effectively ensure network security.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are required to be used in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on the drawings without creative efforts.
FIG. 1 is a schematic diagram of a processor according to the present invention;
FIG. 2 is a detailed block diagram of a processor provided by the present invention;
FIG. 3 is a schematic hardware structure diagram of an embodiment of a firewall provided in the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the following embodiments of the present invention are described in further detail with reference to the accompanying drawings.
It should be noted that the expressions "first" and "second" in the embodiments of the present invention are used only to distinguish two entities or parameters that share a name but are not the same; they are merely for convenience of description, should not be construed as limiting the embodiments of the present invention, and are not explained further in the following embodiments.
In view of the above object, a first aspect of the embodiments of the present invention provides a processor. FIG. 1 is a schematic structural diagram of a processor provided by the present invention.
The processor includes:
a control plane 1 for providing management of various interfaces;
the data plane 2 is used for data packet exchange and data analysis processing;
the control plane 1 processes and manages control flow, the data plane 2 processes service flow, and the control plane 1 and the data plane 2 are connected through a bus.
Packet exchange and data processing are assigned to the data plane 2, whose functions must occupy most of the device's resources to guarantee message-processing performance. The control plane 1 provides the various management interfaces through which network administrators manage the device, using Web, SSH (Secure Shell protocol), NETCONF (Network Configuration Protocol) and the like; it supports configuration of the device's functions and directs the data plane 2 to complete the forwarding and filtering of messages, while occupying few device resources itself.
In some embodiments, control plane 1 and data plane 2 each include at least one core group, each core group including at least one processing core.
In some embodiments, the control plane 1 comprises a core group of four processing cores for processing at least one of: web management, network configuration management, remote management, SDN control, intelligent learning, monitoring alarm, log audit and security reinforcement. All programs of the control plane 1 are bound to one core group, and most cores are reserved for the data plane 2.
In some embodiments, the data plane 2 includes 15 core groups, each core group including four processing cores, the four processing cores being respectively configured to perform on the data packet: receiving and preprocessing, stream reassembly and analysis, deep content detection, and sending. The data plane 2 divides the whole flow of data packet processing into four steps: receiving and preprocessing, stream reassembly and deep analysis, deep content detection, and sending of data packets. Using core-binding (CPU affinity) technology, the four steps are bound, one each, to the 4 processing cores of a core group.
In some embodiments, the four processing cores run concurrently in a pipelined fashion. The 4 cores process data packets as a pipeline, and the 15 functional core groups form 15 pipelines that process network data packets concurrently, which improves the throughput of the next-generation firewall.
In some embodiments, the data plane 2 is further compatible with at least one of the following packet processing acceleration mechanisms: the DPDK framework, poll-mode packet receiving and transmitting, a lock-free mechanism, zero-copy technology and huge-page memory technology.
In some embodiments, the bus comprises at least one of: a configuration bus, a monitoring bus, a log bus and an alarm bus.
In some embodiments, the processor is a Feiteng 2000+ model with 64 processing cores.
In one embodiment, as shown in FIG. 2, the 64 cores of the Feiteng 2000+ processor are divided into 16 functional core groups 0-15, each having 4 cores. The control plane runs on functional core group 0; its functions include Web management, network configuration management, remote management and the like, and it is responsible for receiving and managing control flow, monitoring the operation of the firewall, configuring the firewall's functions, and processing logs, alarms and other information. The data plane runs on functional core groups 1-15 and is responsible for data packet processing. The data plane uses the DPDK framework and adopts poll-mode packet receiving and transmitting, a lock-free mechanism, zero-copy technology, huge-page memory technology and the like to accelerate packet receiving and transmitting.
The 4 cores of each functional core group of the data plane run as a pipeline and are respectively responsible for receiving and preprocessing data packets, reassembling and deeply analyzing data packet streams, deep content detection of data packets, and sending data packets.
Data packet receiving and preprocessing completes the reception of the packet and the analysis of layer 3 and below; according to the analysis result, it decides whether the packet enters the next stage, data packet stream reassembly and deep analysis, or goes directly to data packet sending for forwarding.
Data packet stream reassembly and deep analysis reassembles the packet stream, performs deep data analysis to identify the application type, and hands the analysis result to deep content detection for further processing.
Deep content detection of the data packet applies firewall filtering, application-recognition filtering, deep content detection filtering and other checks to the analysis result according to the firewall policy and the threat signature library; a packet that passes detection enters the next stage, otherwise it is discarded.
Data packet sending distributes the packet to the transmit queue of the corresponding network card according to the packet's routing lookup result; the packet is transmitted by the network card hardware, which completes the message processing, and the packet buffer is released.
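As an added illustration of the FIG. 2 core-group partition and of the four-stage pipeline just described, the following Python model (example code written for this page, not code from the patent or from Shandong Chaoyue) maps 64 cores onto 16 groups of 4, binds one stage to each core of a data-plane group, and pushes constructed sample traffic through the receive/preprocess, reassemble/analyze, deep-content-detect and send stages. The firewall policy, application policy, threat signature, routing table, RSS-style flow dispatch and the IP addresses are all constructed assumptions of this model.

```python
"""Added example, not code from the patent: a software model of the 16 x 4 core layout
and the four-stage data-plane pipeline. All policy data and traffic are constructed."""
import zlib
from dataclasses import dataclass

TOTAL_CORES, CORES_PER_GROUP = 64, 4            # Feiteng 2000+ as described: 16 groups of 4
DATA_PLANE_GROUPS = range(1, 16)                # group 0 is the control plane
STAGES = ("recv_preprocess", "reassemble_analyze", "deep_content_detect", "send")
FIREWALL_POLICY = {("tcp", 23): "drop"}         # constructed rule: block telnet
APP_POLICY = {"http": "allow", "dns": "allow", "unknown": "allow"}   # constructed
THREAT_SIGNATURES = [b"../../etc/passwd"]       # constructed path-traversal signature
ROUTES = {"10.0.1.": "nic1", "10.0.2.": "nic2"}  # constructed: dst prefix -> egress NIC

def core_layout(total=TOTAL_CORES, per_group=CORES_PER_GROUP):
    """Group 0 -> control plane; groups 1-15 -> data plane, one core bound per stage."""
    layout = {}
    for g in range(total // per_group):
        cores = list(range(g * per_group, (g + 1) * per_group))
        layout[g] = {"plane": "control" if g == 0 else "data", "cores": cores}
        if g:
            layout[g]["binding"] = dict(zip(cores, STAGES))
    return layout

@dataclass
class Packet:
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "icmp"
    dport: int
    payload: bytes = b""
    app: str = "unknown"

def group_for_flow(pkt):
    """RSS-style dispatch (an assumption): hash the flow key onto one of the 15 pipelines."""
    key = f"{pkt.src}|{pkt.dst}|{pkt.proto}|{pkt.dport}".encode()
    return 1 + zlib.crc32(key) % 15

class Pipeline:
    """One data-plane core group; its four stages share one flow table."""

    def __init__(self):
        self.flows = {}  # flow key -> reassembled stream bytes

    def recv_preprocess(self, pkt):
        """Stage 1: parse layer 3 and below; only TCP/UDP continue to reassembly."""
        return pkt.proto in ("tcp", "udp")

    def reassemble_analyze(self, pkt):
        """Stage 2: append the segment to its flow's stream and identify the application."""
        key = (pkt.src, pkt.dst, pkt.proto, pkt.dport)
        stream = self.flows[key] = self.flows.get(key, b"") + pkt.payload
        if pkt.proto == "tcp" and pkt.dport == 80 and stream[:4] in (b"GET ", b"POST"):
            pkt.app = "http"
        elif pkt.proto == "udp" and pkt.dport == 53:
            pkt.app = "dns"
        return stream

    def deep_content_detect(self, pkt, stream):
        """Stage 3: firewall, application and content filters; None means the packet passes."""
        if FIREWALL_POLICY.get((pkt.proto, pkt.dport)) == "drop":
            return "firewall-policy"
        if APP_POLICY.get(pkt.app, "drop") == "drop":
            return "application-policy"
        if any(sig in stream for sig in THREAT_SIGNATURES):
            return "threat-signature"
        return None

    def send(self, pkt):
        """Stage 4: routing lookup -> transmit queue of the matching NIC; None if no route."""
        return next((nic for pfx, nic in ROUTES.items() if pkt.dst.startswith(pfx)), None)

    def process(self, pkt):
        """Returns ('forwarded', nic) or ('dropped', reason); a drop releases the buffer."""
        if self.recv_preprocess(pkt):
            reason = self.deep_content_detect(pkt, self.reassemble_analyze(pkt))
            if reason:
                return ("dropped", reason)
        nic = self.send(pkt)
        return ("forwarded", nic) if nic else ("dropped", "no-route")

# Constructed sample traffic using RFC 5737 documentation addresses.
SAMPLE_PACKETS = [
    Packet("192.0.2.10", "10.0.1.5", "tcp", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("192.0.2.10", "10.0.1.5", "tcp", 23, b"login: "),
    Packet("192.0.2.11", "10.0.2.7", "udp", 53, b"\x12\x34\x01\x00"),
    Packet("192.0.2.12", "10.0.1.5", "icmp", 0, b"ping"),
    # Signature split across two segments: only the reassembled stream matches.
    Packet("192.0.2.13", "10.0.1.5", "tcp", 80, b"GET /../../etc/"),
    Packet("192.0.2.13", "10.0.1.5", "tcp", 80, b"passwd HTTP/1.1\r\n"),
    Packet("192.0.2.14", "203.0.113.9", "tcp", 80, b"GET / HTTP/1.1\r\n"),
]

def run(packets=SAMPLE_PACKETS):
    """Fifteen concurrent pipelines, one per group 1-15; returns [(group, verdict), ...]."""
    pipelines = {g: Pipeline() for g in DATA_PLANE_GROUPS}
    out = []
    for p in packets:
        g = group_for_flow(p)
        out.append((g, pipelines[g].process(p)))
    return out
```

Two properties of the model are worth noting. The ICMP packet never enters the flow table: stage 1 sends it straight to stage 4, which is the fast path the text describes for packets that need no deep analysis. The two segments of the last HTTP flow show why stage 3 consumes the reassembled stream rather than individual packets: the first segment carries no complete signature and is forwarded, and the match only appears once the second segment is appended, at which point the flow is dropped. Hashing the flow key onto a fixed pipeline is what keeps both segments in the same flow table; a real device would additionally need to tear down the offending session rather than just drop the matching segment.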
It can be seen from the foregoing embodiments that, in the processor provided in the embodiments of the present invention, the control plane of the processor is used to process and manage the control traffic, the data plane is used to process the service traffic, and the control plane and the data plane are connected via the bus, so that network security can be effectively guaranteed.
In view of the above object, a second aspect of the embodiments of the present invention provides a data processing method. The data processing method uses the aforementioned processor.
It can be seen from the foregoing embodiments that, in the data processing method provided in the embodiments of the present invention, the control plane of the processor is used to process and manage the control traffic, the data plane is used to process the service traffic, and the control plane and the data plane are connected via the bus, so that network security can be effectively guaranteed.
In view of the above object, a third aspect of the embodiments of the present invention provides a firewall. The firewall comprises a memory, at least one processor and a computer program stored on the memory and executable on the processor, wherein the processor is the processor described above, or when executing the program, the method described above is performed.
FIG. 3 is a schematic diagram of a hardware structure of an embodiment of a firewall according to the present invention.
Taking the firewall shown in FIG. 3 as an example, the firewall includes a processor 301 and a memory 302, and may further include: an input device 303 and an output device 304.
The processor 301, the memory 302, the input device 303 and the output device 304 may be connected by a bus or other means; FIG. 3 illustrates the connection by a bus as an example.
The memory 302 is a non-volatile computer-readable storage medium and can be used for storing non-volatile software programs, non-volatile computer-executable programs, and modules, such as the program instructions/modules corresponding to the processor in the embodiments of the present application. By executing the non-volatile software programs, instructions, and modules stored in the memory 302, the processor 301 executes the various functional applications and data processing of the device, thereby implementing the processor of the method embodiments described above.
The memory 302 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created according to use of the processor, and the like. Further, the memory 302 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some embodiments, memory 302 optionally includes memory located remotely from processor 301, which may be connected to a local module via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device 303 may receive input numeric or character information and generate key signal inputs related to user settings and function control of the processor. The output means 304 may comprise a display device such as a display screen.
The program instructions/modules corresponding to the one or more processors are stored in the memory 302 and, when executed by the processor 301, implement the processor of any of the method embodiments described above.
Any embodiment of a computer device implementing the processor may achieve the same or similar effects as the corresponding method embodiments described above.
Finally, it should be noted that, as will be understood by those skilled in the art, all or part of the processes of the methods of the above embodiments may be implemented by a computer program, which may be stored in a computer-readable storage medium, and when executed, may include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like. Embodiments of the computer program may achieve the same or similar effects as any of the preceding method embodiments to which it corresponds.
In addition, the apparatuses, devices and the like disclosed in the embodiments of the present invention may be various electronic terminal devices, such as a mobile phone, a Personal Digital Assistant (PDA), a tablet computer (PAD), a smart television and the like, or may be a large terminal device, such as a server and the like, and therefore the scope of protection disclosed in the embodiments of the present invention should not be limited to a specific type of apparatus, device. The client disclosed in the embodiment of the present invention may be applied to any one of the above electronic terminal devices in the form of electronic hardware, computer software, or a combination of both.
Furthermore, the method disclosed according to an embodiment of the present invention may also be implemented as a computer program executed by a CPU, and the computer program may be stored in a computer-readable storage medium. The computer program, when executed by the CPU, performs the above-described functions defined in the method disclosed in the embodiments of the present invention.
Further, the above method steps and system elements may also be implemented using a controller and a computer readable storage medium for storing a computer program for causing the controller to implement the functions of the above steps or elements.
Further, it should be appreciated that the computer-readable storage media (e.g., memory) described herein can be either volatile memory or nonvolatile memory, or can include both volatile and nonvolatile memory. By way of example, and not limitation, nonvolatile memory can include Read Only Memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM), which can act as external cache memory. By way of example and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), and Direct Rambus RAM (DRRAM). The storage devices of the disclosed aspects are intended to comprise, without being limited to, these and other suitable types of memory.
Those of skill would further appreciate that the various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the disclosure herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as software or hardware depends upon the particular application and design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the disclosed embodiments of the present invention.
The various illustrative logical blocks, modules, and circuits described in connection with the disclosure herein may be implemented or performed with the following components designed to perform the functions described herein: a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination of these components. A general purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices, e.g., a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP, and/or any other such configuration.
The steps of a method or algorithm described in connection with the disclosure herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. The processor and the storage medium may reside in an ASIC. The ASIC may reside in a user terminal. In the alternative, the processor and the storage medium may reside as discrete components in a user terminal.
In one or more exemplary designs, the functions may be implemented in hardware, software, firmware, or any combination thereof. If implemented in software, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium. Computer-readable media includes both computer storage media and communication media, including any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a general purpose or special purpose computer. By way of example, and not limitation, such computer-readable media can comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a general-purpose or special-purpose computer, or a general-purpose or special-purpose processor. Also, any connection is properly termed a computer-readable medium. For example, if the software is transmitted from a website, server, or other remote source using a coaxial cable, fiber optic cable, twisted pair, Digital Subscriber Line (DSL), or wireless technologies such as infrared, radio, and microwave, then the coaxial cable, fiber optic cable, twisted pair, DSL, or wireless technologies such as infrared, radio, and microwave are included in the definition of medium. Disk and disc, as used herein, include Compact Disc (CD), laser disc, optical disc, Digital Versatile Disc (DVD), floppy disk and Blu-ray disc, where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above should also be included within the scope of computer-readable media.
The foregoing is an exemplary embodiment of the present disclosure, but it should be noted that various changes and modifications could be made herein without departing from the scope of the present disclosure as defined by the appended claims. The functions, steps and/or actions of the method claims in accordance with the disclosed embodiments described herein need not be performed in any particular order. Furthermore, although elements of the disclosed embodiments of the invention may be described or claimed in the singular, the plural is contemplated unless limitation to the singular is explicitly stated.
It should be understood that, as used herein, the singular forms "a," "an," "the" are intended to include the plural forms as well, unless the context clearly supports the exception. It should also be understood that "and/or" as used herein is meant to include any and all possible combinations of one or more of the associated listed items.
The numbers of the embodiments disclosed in the embodiments of the present invention are merely for description, and do not represent the merits of the embodiments.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, where the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
Those of ordinary skill in the art will understand that the discussion of any embodiment above is meant to be exemplary only, and is not intended to imply that the scope of the disclosure, including the claims, of embodiments of the invention is limited to these examples; within the idea of an embodiment of the invention, technical features in the above embodiment or in different embodiments may also be combined, and there are many other variations of the different aspects of an embodiment of the invention as described above, which are not provided in detail for the sake of brevity. Therefore, any omissions, modifications, substitutions, improvements, and the like that may be made without departing from the spirit and principles of the embodiments of the present invention are intended to be included within the scope of the embodiments of the present invention.

Claims (10)

1. A processor, comprising:
a control plane for providing management of various interfaces;
the data plane is used for data packet exchange and data analysis processing;
the control plane processes and manages control flow, the data plane processes service flow, and the control plane is connected with the data plane through a bus; the data plane comprises at least one core group, each core group comprises at least one processing core, and four cores of each functional core group of the data plane run as a pipeline and are respectively responsible for receiving and preprocessing data packets, recombining and deeply analyzing data packet streams, detecting deep content of the data packets, and sending the data packets; wherein, the data packet receiving and preprocessing is used for completing the receiving of data packets and the analysis process of three layers or less of data packets, and determining to enter the data packet stream recombination and the deep analysis of the next stage or directly enter the data packet sending for forwarding processing according to the analysis result; the data packet stream recombination and deep analysis are used for completing the stream recombination of the data packet and carrying out deep data analysis to identify the application type, and the analysis result is delivered to the deep content detection of the data packet; the deep content detection of the data packet executes firewall filtering, application recognition filtering and deep content detection filtering on the analysis result based on a firewall strategy and a threat feature library, retains the data packet passing the detection and discards the data packet not passing the detection; and the data packet transmission distributes the data packet to a transmission queue of a corresponding network card according to the routing query result of the data packet, and the data packet is transmitted from the network card hardware to complete message processing and release cache.
2. The processor of claim 1, wherein the control plane comprises at least one core group, each core group comprising at least one processing core.
3. The processor of claim 2, wherein the control plane comprises one of the core groups comprising four of the processing cores, the four processing cores to process at least one of: web management, network configuration management, remote management, SDN control, intelligent learning, monitoring alarm, log audit and security reinforcement.
4. The processor of claim 2, wherein the data plane comprises 15 of the core groups.
5. The processor of claim 4, wherein the four processing cores run concurrently in a pipelined manner.
6. The processor of claim 4, wherein the data plane is further compatible with at least one of the following packet processing acceleration mechanisms: the DPDK framework, polling-mode packet receiving and transmitting, a lock-free mechanism, zero-copy technology and huge-page memory technology.
7. The processor of claim 1, wherein the bus comprises at least one of: a configuration bus, a monitoring bus, a log bus and an alarm bus.
8. The processor of claim 1, wherein the processor is a Feiteng 2000+ model with 64 of the processing cores.
9. A data processing method, characterized in that a processor according to any of claims 1-6 is used.
10. A firewall comprising a memory, at least one processor and a computer program stored on the memory and executable on the processor, wherein the processor is a processor according to any of claims 1-8, or the processor performs the method according to claim 9 when executing the program.
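The four-stage data-plane pipeline of claim 1 (receive/preprocess, stream reassembly and application identification, policy and signature detection, route lookup and NIC queue dispatch) modelled in software as an added illustration; this is not code from the patent, and the packet model, firewall policy, threat signatures and routes are constructed for the example. It also shows why detection runs on the reassembled stream: a signature split across two packets of one flow is only caught once the second packet arrives.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto dport payload")       # constructed packet model
FIREWALL_POLICY = {"deny_ports": {23}, "deny_apps": {"telnet"}}     # constructed firewall policy
THREAT_SIGNATURES = [b"' OR 1=1", b"/etc/passwd"]                    # constructed threat feature library
ROUTES = {"10.0.1.": "nic0", "10.0.2.": "nic1"}                      # constructed prefix -> network card

def stage1_receive(pkt):
    """Layer 3 and below parsing: only TCP/UDP goes to deep analysis, the rest is forwarded directly."""
    return "deep" if pkt.proto in ("tcp", "udp") else "forward"

def stage2_reassemble(pkt, flows):
    """Append the payload to its flow's reassembled stream, then identify the application type."""
    key = (pkt.src, pkt.dst, pkt.proto, pkt.dport)
    flows[key] = flows.get(key, b"") + pkt.payload
    stream = flows[key]
    if stream.startswith(b"GET ") or stream.startswith(b"POST "):
        app = "http"
    elif pkt.dport == 23:
        app = "telnet"
    else:
        app = "unknown"
    return app, stream

def stage3_detect(pkt, app, stream):
    """Firewall filter, application filter, then deep content match against the reassembled stream."""
    if pkt.dport in FIREWALL_POLICY["deny_ports"] or app in FIREWALL_POLICY["deny_apps"]:
        return False
    return not any(sig in stream for sig in THREAT_SIGNATURES)

def stage4_send(pkt, queues):
    """Route lookup by destination prefix; place the packet on that network card's transmit queue."""
    nic = next((n for prefix, n in ROUTES.items() if pkt.dst.startswith(prefix)), "nic_default")
    queues.setdefault(nic, []).append(pkt)

def run_pipeline(packets):
    """Run every packet through the four stages; return (per-NIC transmit queues, dropped packets)."""
    flows, queues, dropped = {}, {}, []
    for pkt in packets:
        if stage1_receive(pkt) == "deep":
            app, stream = stage2_reassemble(pkt, flows)
            if not stage3_detect(pkt, app, stream):
                dropped.append(pkt); continue          # failed detection: discard, buffer released
        stage4_send(pkt, queues)
    return queues, dropped
```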
CN201810987386.8A 2018-08-28 2018-08-28 Processor and firewall Active CN108769084B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810987386.8A CN108769084B (en) 2018-08-28 2018-08-28 Processor and firewall

Publications (2)

Publication Number Publication Date
CN108769084A CN108769084A (en) 2018-11-06
CN108769084B true CN108769084B (en) 2020-12-15

Family

ID=63966612

Country Status (1)

Country Link
CN (1) CN108769084B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111600852A (en) * 2020-04-27 2020-08-28 中国舰船研究设计中心 Firewall design method based on programmable data plane
CN112637017B (en) * 2020-12-25 2022-02-08 深圳市高德信通信股份有限公司 Network data analysis method based on application layer data

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101304322A (en) * 2008-06-30 2008-11-12 杭州华三通信技术有限公司 Network equipment and packet forwarding method
CN106789152A (en) * 2016-11-17 2017-05-31 东软集团股份有限公司 Processor extended method and device based on many queue network interface cards

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7496955B2 (en) * 2003-11-24 2009-02-24 Cisco Technology, Inc. Dual mode firewall
CN100479368C (en) * 2007-06-15 2009-04-15 中兴通讯股份有限公司 Switcher firewall plug board
CN202004785U (en) * 2010-11-30 2011-10-05 汉柏科技有限公司 Small-volume and high-processing capacity firewall system based on multi-core technology
US9538563B2 (en) * 2014-10-13 2017-01-03 At&T Intellectual Property I, L.P. System and methods for managing a user data path

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant