CN109617920A - Message processing method, apparatus, router and firewall device - Google Patents


Info

Publication number: CN109617920A
Authority: CN (China)
Prior art keywords: firewall device, routing information, router, information, effective
Legal status: Granted
Application number: CN201910063647.1A
Other languages: Chinese (zh)
Other versions: CN109617920B (en)
Inventor: 李永波
Current assignee: New H3C Security Technologies Co Ltd
Original assignee: New H3C Security Technologies Co Ltd
Application filed by New H3C Security Technologies Co Ltd
Priority to CN201910063647.1A
Publication of CN109617920A
Application granted; publication of CN109617920B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP address or URL
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/10 Mapping addresses of different types
    • H04L 61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]

Abstract

Embodiments of the invention provide a message processing method, an apparatus, a router and a firewall device. The router sends the firewall device a request message carrying the router's directly connected routing information; the firewall device compares the directly connected routing information with its own local routing information, determines the effective routing information (the entries of the directly connected routing information that are identical to the local routing information), and sends the router a confirmation message carrying the effective routing information; according to the effective routing information, the router sends the firewall device the ARP entries corresponding to the effective routing information; the firewall device stores those ARP entries. This scheme improves message processing efficiency.

Description

Message processing method, apparatus, router and firewall device
Technical field
The present invention relates to the field of security protection technology, and in particular to a message processing method, an apparatus, a router and a firewall device.
Background art
A firewall device is a system, or group of systems, located between a protected internal network and the Internet that enforces an access control policy. A firewall device may be software, hardware or a combination of the two; its purpose is to protect the network from intrusion by external networks. Security policy rules can be configured on the firewall device to control intranet users' access to the extranet or to other specific resources.
At present, the internal network architecture to which a firewall device connects may comprise terminal devices and a router, and the workflow is generally as follows: a terminal device sends a service access message to the firewall device through the router; after security inspection, the firewall device forwards the service access message to the extranet; when it receives the service response message for that service access message, it performs security inspection on the response and then returns the service response message to the router, which in turn returns it to the terminal device.
For the above process to work, the router can send the ARP (Address Resolution Protocol) entries it has learnt for its terminal devices to the firewall device. When a message reaches the firewall device, the ARP entry corresponding to the message's source IP (Internet Protocol) address is looked up, which yields the MAC (Media Access Control) address of the terminal device that sent the message, and the firewall device can then process the message according to preset filter conditions defined on MAC addresses.
Since the number of terminal devices connected to a router is usually large, not every terminal device accesses the outside, and the router cannot know precisely which terminal devices do, the router commonly sends the ARP entries of all of its directly connected terminal devices to the firewall device. The firewall device therefore stores a large number of useless ARP entries, which lengthens the lookup when a message arrives and the ARP entry for its source IP address has to be queried, and so reduces message processing efficiency.
Summary of the invention
The embodiments of the present invention aim to provide a message processing method, an apparatus, a router and a firewall device that improve message processing efficiency. The specific technical solution is as follows:
In a first aspect, an embodiment of the invention provides a message processing method applied to a router, the method comprising:
sending a request message to a firewall device, the request message carrying the directly connected routing information of the router;
receiving a confirmation message replied by the firewall device, the confirmation message carrying effective routing information, namely the entries of the directly connected routing information that are identical to the local routing information of the firewall device, where the local routing information comprises the routing information for outside access supported by the firewall device;
according to the effective routing information, sending the Address Resolution Protocol (ARP) entries corresponding to the effective routing information to the firewall device, so that the firewall device stores the ARP entries.
In a second aspect, an embodiment of the invention provides a message processing method applied to a firewall device, the method comprising:
receiving a request message sent by a router, the request message carrying the directly connected routing information of the router;
comparing the directly connected routing information with the local routing information of the firewall device, and determining the effective routing information, namely the entries of the directly connected routing information that are identical to the local routing information, where the local routing information comprises the routing information for outside access supported by the firewall device;
sending a confirmation message to the router, the confirmation message carrying the effective routing information;
receiving and storing the ARP entries corresponding to the effective routing information sent by the router.
In a third aspect, an embodiment of the invention provides a message processing apparatus applied to a router, the apparatus comprising:
a sending module, configured to send a request message to a firewall device, the request message carrying the directly connected routing information of the router;
a receiving module, configured to receive a confirmation message replied by the firewall device, the confirmation message carrying effective routing information, namely the entries of the directly connected routing information that are identical to the local routing information of the firewall device, where the local routing information comprises the routing information for outside access supported by the firewall device;
the sending module being further configured to send, according to the effective routing information, the ARP entries corresponding to the effective routing information to the firewall device, so that the firewall device stores the ARP entries.
In a fourth aspect, an embodiment of the invention provides a message processing apparatus applied to a firewall device, the apparatus comprising:
a receiving module, configured to receive a request message sent by a router, the request message carrying the directly connected routing information of the router;
a comparison module, configured to compare the directly connected routing information with the local routing information of the firewall device and determine the effective routing information, namely the entries of the directly connected routing information that are identical to the local routing information, where the local routing information comprises the routing information for outside access supported by the firewall device;
a sending module, configured to send a confirmation message to the router, the confirmation message carrying the effective routing information;
a storage module, configured to receive and store the ARP entries corresponding to the effective routing information sent by the router.
In a fifth aspect, an embodiment of the invention provides a router comprising a processor and a machine-readable storage medium, the machine-readable storage medium storing machine-executable instructions executable by the processor, the processor being caused by the machine-executable instructions to perform the method steps described in the first aspect of the embodiments of the invention.
In a sixth aspect, an embodiment of the invention provides a machine-readable storage medium storing machine-executable instructions which, when executed by a processor, implement the method steps described in the first aspect of the embodiments of the invention.
In a seventh aspect, an embodiment of the invention provides a firewall device comprising a processor and a machine-readable storage medium, the machine-readable storage medium storing machine-executable instructions executable by the processor, the processor being caused by the machine-executable instructions to perform the method steps described in the second aspect of the embodiments of the invention.
In an eighth aspect, an embodiment of the invention provides a machine-readable storage medium storing machine-executable instructions which, when executed by a processor, implement the method steps described in the second aspect of the embodiments of the invention.
With the message processing method, apparatus, router and firewall device provided by the embodiments of the invention, the router sends the firewall device a request message carrying the router's directly connected routing information; the firewall device compares the directly connected routing information with its local routing information, determines the effective routing information (the entries of the directly connected routing information identical to the local routing information), and sends the router a confirmation message carrying the effective routing information; the router, according to the effective routing information, sends the ARP entries corresponding to it to the firewall device; and the firewall device stores the ARP entries. Because the firewall device's local routing information comprises the routing information for outside access that it supports, comparing the directly connected routing information with the local routing information lets the firewall device identify the routing information for outside access within the directly connected routing information (the effective routing information). After receiving the confirmation message carrying the effective routing information, the router can therefore selectively send only the ARP entries corresponding to the effective routing information to the firewall device. This prevents the firewall device from storing excessive useless ARP entries, ensures the validity of the ARP entries it stores, and thus improves message processing efficiency.
Detailed description of the invention
In order to explain the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the networking structure of an embodiment of the invention;
Fig. 2 is a flow diagram of the message processing method applied to a router according to an embodiment of the invention;
Fig. 3 is a flow diagram of the message processing method applied to a firewall device according to an embodiment of the invention;
Fig. 4 is a flow diagram of the message processing method in which the router and the firewall device of an embodiment of the invention interact;
Fig. 5 is a flow diagram of the message processing method applied to a router according to an embodiment of the invention;
Fig. 6 is a structural diagram of the message processing apparatus applied to a router according to an embodiment of the invention;
Fig. 7 is a structural diagram of the message processing apparatus applied to a firewall device according to an embodiment of the invention;
Fig. 8 is a structural diagram of the router of an embodiment of the invention;
Fig. 9 is a structural diagram of the firewall device of an embodiment of the invention.
Detailed description of embodiments
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the invention without creative effort fall within the protection scope of the invention.
In order to improve message processing efficiency, the embodiments of the invention provide a message processing method, an apparatus, a router and a firewall device.
The networking structure to which the embodiments of the invention apply is shown in Fig. 1 and comprises terminal devices, a router and a firewall device; the message processing method provided by the embodiments is implemented through the interaction between the router and the firewall device. Below, the message processing method is first introduced with the router and then with the firewall device as the executing entity.
As shown in Fig. 2, a message processing method provided by an embodiment of the invention and applied to a router may comprise:
S201: sending a request message to the firewall device, wherein the request message carries the router's directly connected routing information.
The router can record the routing information (such as the network segment and mask) of each terminal device currently directly connected to it, carry this directly connected routing information in a request message and send it to the firewall device, informing the firewall device of the routing information of the terminal devices currently directly connected to the router.
S202: receiving the confirmation message replied by the firewall device, wherein the confirmation message carries the effective routing information, namely the entries of the directly connected routing information that are identical to the local routing information of the firewall device, and the local routing information comprises the routing information for outside access supported by the firewall device.
After sending the request message, the router receives the confirmation message replied by the firewall device. The confirmation message carries the effective routing information, which is the routing information the firewall device has filtered out as identical after comparing the received directly connected routing information with its local routing information; on receiving it, the router can determine which entries of its directly connected routing information are effective.
S203: according to the effective routing information, sending the ARP entries corresponding to the effective routing information to the firewall device, so that the firewall device stores the ARP entries.
According to the effective routing information, the router can selectively send the corresponding ARP entries to the firewall device: only the ARP entries corresponding to the effective routing information are sent. This reduces the number of entries on the firewall device, avoids unnecessary entries and improves the working efficiency of the system.
As shown in Fig. 3, a message processing method provided by an embodiment of the invention and applied to a firewall device may comprise:
S301: receiving the request message sent by the router, wherein the request message carries the router's directly connected routing information.
S302: comparing the directly connected routing information with the local routing information of the firewall device, and determining the effective routing information, namely the entries of the directly connected routing information identical to the local routing information, wherein the local routing information comprises the routing information for outside access supported by the firewall device.
S303: sending a confirmation message to the router, wherein the confirmation message carries the effective routing information.
S304: receiving and storing the ARP entries corresponding to the effective routing information sent by the router.
The router carries the directly connected routing information in a request message and sends it to the firewall device; the firewall device compares the directly connected routing information with its local routing information, determines the effective routing information, carries it in a confirmation message and returns it to the router. The router can thus selectively send the ARP entries corresponding to the effective routing information to the firewall device, and the firewall device only needs to store those entries. This reduces the number of entries on the firewall device, avoids unnecessary entries and improves the working efficiency of the system.
For ease of understanding, the message processing method of the embodiments is introduced below from the perspective of the interaction between the router and the firewall device. As shown in Fig. 4, a message processing method provided by an embodiment of the invention may comprise the following steps:
S401: the router sends a request message to the firewall device, wherein the request message carries the router's directly connected routing information.
The router's directly connected routing information is the routing information of each terminal device directly connected to the router, and may include the network segment information and mask information of the terminal devices. For example, as shown in Fig. 1, the terminal devices directly connected to the router are those in terminal sub-network 1, terminal sub-network 2 and terminal sub-network 3; the network segment information of the terminal devices in terminal sub-network 1 is 20.1.1.0 with mask information 255.255.255.0, that of the terminal devices in terminal sub-network 2 is 20.1.2.0 with mask information 255.255.255.0, and that of the terminal devices in terminal sub-network 3 is 20.1.3.0 with mask information 255.255.255.0. The router can carry this directly connected routing information in a request message and send the request message to the firewall device.
The router records the directly connected routing information of each directly connected terminal device; specifically, it can record the directly connected routing information in the form of a routing table, as shown in Table 1.
Table 1
Number   Network segment   Mask
1        20.1.1.0          255.255.255.0
2        20.1.2.0          255.255.255.0
3        20.1.3.0          255.255.255.0
The router can carry the directly connected routing information of the routing table in Table 1 in specific fields of the request message; for example, certain fields can be designated to carry the network segment information of the directly connected routes and certain fields to carry the mask information. After receiving the request message, the firewall device parses it, extracts the network segment information and mask information of the directly connected routes, and reassembles a routing table such as the one in Table 1.
Because the number of terminal devices in a network is large, the network architecture shown in Fig. 1 mostly uses SNMP (Simple Network Management Protocol) to manage them. SNMP consists of a set of network management standards. Typically an SNMP Agent module is provided on the router and an SNMP Server module on the firewall device, and information is transferred between the SNMP Agent and the SNMP Server so that the firewall device can manage the router and the intranet devices. In an optional implementation, after the router's SNMP Agent has established a connection with the firewall device's SNMP Server, the SNMP Agent sends the request message carrying the router's directly connected routing information to the SNMP Server.
S402: the firewall device compares the directly connected routing information with its local routing information and determines the effective routing information, namely the entries of the directly connected routing information identical to the local routing information, wherein the local routing information comprises the routing information for outside access supported by the firewall device.
After receiving the request message, the firewall device compares the received directly connected routing information with its local routing information. The local routing information of the firewall device comprises the routing information for outside access that the firewall device supports; for example, the routing information for outside access supported by the firewall device in Fig. 1 comprises the network segments 20.1.1.0, 40.1.2.0, 60.1.3.0 and 70.3.3.0, so the local routing information may comprise these network segments and the corresponding mask information.
The firewall device can record its local routing information; specifically, it can record the local routing information in the form of a routing table, as shown in Table 2.
Table 2
Number   Network segment   Mask
1        20.1.1.0          255.255.255.0
2        40.1.2.0          255.255.255.0
3        60.1.3.0          255.255.255.0
4        70.3.3.0          255.255.255.0
That is, comparing the router's directly connected routing information with the firewall device's local routing information means comparing Table 1 with Table 2, which determines the effective routing information (the entries of the directly connected routing information identical to the local routing information), i.e. the routing information for outside access within the directly connected routing information. For example, comparing Table 1 with Table 2, the only routing information present in both is the entry with network segment information 20.1.1.0 and mask information 255.255.255.0, so the effective routing information is the routing table shown in Table 3.
Table 3
Number   Network segment   Mask
1        20.1.1.0          255.255.255.0
S403: the firewall device sends a confirmation message to the router, wherein the confirmation message carries the effective routing information.
After determining the effective routing information, the firewall device can carry it in a confirmation message and send it to the router. Since the effective routing information is the routing information for outside access within the directly connected routing information, only messages from the terminal devices corresponding to the effective routing information can pass through the firewall device to access the extranet; since the firewall device has no routing information for the other entries of the directly connected routing information, messages from the terminal devices corresponding to those entries cannot be returned, and those devices do not access the outside.
The firewall device can carry the effective routing information of the routing table in Table 3 in specific fields of the confirmation message; for example, certain fields can be designated to carry the network segment information of the effective routes and certain fields to carry the mask information. After receiving the confirmation message, the router parses it, extracts the network segment information and mask information of the effective routes, and performs step S404 according to the effective routing information obtained.
S404: the router, according to the effective routing information, sends the ARP entries corresponding to the effective routing information to the firewall device.
The router learns the ARP entry for a terminal device only when it receives a message sent by that terminal device; since the router has many directly connected terminal devices, it stores many ARP entries. After receiving the confirmation message sent by the firewall device, the router can query its ARP entries according to the effective routing information carried in the confirmation message to find the ARP entries corresponding to the effective routing information.
Optionally, the way the router queries and sends ARP entries can be as follows:
according to the effective routing information, looking up in the locally stored ARP cache table the ARP entries within the network segment range represented by the effective routing information, and sending those ARP entries to the firewall device.
An ARP cache table recording the IP addresses and MAC addresses of the terminal devices is stored on the router. The effective routing information is the network segment information of those terminal devices whose outside access the firewall device supports, so the router can look up, in the ARP cache table, the ARP entries within the network segment range indicated by the effective routing information and send those entries to the firewall device. Specifically, an ARP entry contains the correspondence between a MAC address and an IP address; the router can match the IP addresses of the ARP entries against the network segment information and mask information in the effective routing information, and the ARP entries that match are the ARP entries corresponding to the effective routing information. For the effective routing information shown in Table 3, for example, the router sends only the ARP entries whose IP address falls within network segment 20.1.1.0 to the firewall device, while ARP entries whose IP address falls within network segment 20.1.2.0 or 20.1.3.0 are not sent.
Optionally, the message processing method provided by the embodiment of the invention can also perform the following step:
if specified network segment information is received, sending the ARP entries corresponding to the specified network segment information to the firewall device according to that specified network segment information.
In some specific networking scenarios, such as asymmetric paths, the network administrator can force the intranet users under certain network segments to perform extranet access. For example, if the network administrator forces the intranet users under network segment 50.1.1.0 to perform extranet access, the router can send the ARP entries corresponding to that network segment to the firewall device, so that messages from the intranet user terminals in network segment 50.1.1.0 can access the extranet through the firewall device.
S405: the firewall device stores the ARP entries.
Since the ARP entries correspond to the effective routing information, and the effective routing information is the routing information for outside access within the directly connected routing information, the firewall device filters received messages on the basis of the stored ARP entries: only messages from the terminal devices corresponding to the effective routing information are allowed to pass through the firewall device. Here, a message from a terminal device corresponding to the effective routing information may be a service access message sent by the terminal device, or the service response message for a service access message sent by that terminal device.
With this embodiment, the router sends the firewall device a request message carrying the router's directly connected routing information; the firewall device compares the directly connected routing information with its local routing information, determines the effective routing information (the entries of the directly connected routing information identical to the local routing information), and sends the router a confirmation message carrying the effective routing information; the router, according to the effective routing information, sends the corresponding ARP entries to the firewall device; and the firewall device stores the ARP entries. Because the local routing information of the firewall device comprises the routing information for outside access that the firewall device supports, the firewall device can determine the routing information for outside access within the directly connected routing information (the effective routing information) by comparing the directly connected routing information with its local routing information. After receiving the confirmation message carrying the effective routing information, the router can then selectively send the ARP entries corresponding to the effective routing information to the firewall device, which prevents the firewall device from storing excessive useless ARP entries, ensures the validity of the ARP entries it stores and thus improves message processing efficiency.
Due to network connection it is possible that the problems such as network interruption, cause the terminal device of Outside Access and router disconnected Open connection, at this point, in the direct-connected routing iinformation of router may the not no terminal device of Outside Access routing iinformation, in this way, Firewall box is receiving request message, when carrying out the comparison of direct-connected routing iinformation and local routing information, it is possible to can not Comparison obtains effective routing information, then firewall box may can't reply confirmation message, or in the confirmation message replied Effective routing iinformation is not carried, in order to cope with such situation, is not carried in the confirmation message of the reply received with router For imitating routing iinformation, the embodiment of the invention also provides a kind of message processing methods applied to router, as shown in figure 5, It may include steps of:
S501: send a request message to the firewall device, the request message carrying the router's directly connected routing information.
S502: receive the confirmation message replied by the firewall device.
S503: judge whether the confirmation message carries valid routing information, i.e. entries in the directly connected routing information that are identical to local routing information of the firewall device. If it does, execute S504; otherwise, when the predetermined period elapses, return to S501.
When the confirmation message carries no valid routing information, the current directly connected routing information contains no route for external access, which indicates that a disconnection may have occurred. The router therefore repeats the operations of sending the request message and receiving the confirmation message periodically, according to the predetermined period.
S504: according to the valid routing information, send the ARP entries corresponding to the valid routing information to the firewall device.
S501, S502 and S504 are similar to S401, S403 and S404 of the embodiment shown in Fig. 4 respectively, and are not described again here.
For the case in which the firewall device, after receiving the request message and comparing the directly connected routing information with the local routing information, finds no valid routing information and consequently does not reply with a confirmation message at all, a preset time interval can also be configured: if the router has not received a confirmation message when the preset time interval elapses after it sent the request message, it resends the request message.
With this embodiment, because the local routing information of the firewall device consists of the routes for external access that the firewall device supports, the firewall device can pick out, by comparing the directly connected routing information with the local routing information, the routes for external access within the directly connected routing information (the valid routing information). After receiving the confirmation message carrying the valid routing information, the router can send only the ARP entries corresponding to the valid routing information to the firewall device, which keeps the firewall device from storing large numbers of useless ARP entries, ensures that the stored ARP entries are valid, and so improves packet processing efficiency.
Furthermore, to cope with problems such as an interruption of the network connection, the router judges whether the confirmation message carries valid routing information and, when it does not, periodically repeats the sending of the request message and the receiving of the confirmation message, so that packet processing is not affected by an interruption of the network connection.
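As an added illustration of the exchange in S501 to S504 (and the Fig. 4 steps they mirror), the following Python simulation is not code from the patent or from H3C; the message classes, the `link_events` and `reply_when_empty` knobs, and the sample routes, MAC addresses and ARP cache are assumptions constructed for the example. It drives both sides: the firewall intersects the router's directly connected routes with its local routes, the router filters its ARP cache by the returned subnets, and the router retries over subsequent periods when the confirmation carries no valid route or never arrives. The firewall side also applies a check the patent text does not spell out: it accepts only well-formed entries for addresses inside its own routes, so a misbehaving or spoofed router cannot fill its table with entries for subnets it never uses.

```python
"""Router <-> firewall ARP-entry synchronisation, simulated.

Added example, not code from the patent or from H3C. Message formats, class names
and the sample routes / ARP entries below are assumptions made for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed sample data (not from the patent). 192.0.2.0/24 is the router's link
# towards externally reachable hosts; 10.1.1.0/24 is an internal LAN the firewall
# never needs ARP entries for.
ROUTER_DIRECT_ROUTES = ["10.1.1.0/24", "192.0.2.0/24", "198.51.100.0/24"]
ROUTER_ARP_CACHE = {
    "10.1.1.5": "00:11:22:33:44:55",
    "192.0.2.10": "00:11:22:33:44:66",
    "192.0.2.11": "00:11:22:33:44:77",
    "198.51.100.7": "00:11:22:33:44:88",
}
FIREWALL_LOCAL_ROUTES = ["192.0.2.0/24", "203.0.113.0/24"]


@dataclass
class RequestMessage:        # router -> firewall (S501): carries the direct routes
    direct_routes: list


@dataclass
class ConfirmMessage:        # firewall -> router: carries the valid routes (may be empty)
    valid_routes: list


def _net_key(net):
    return (net.version, int(net.network_address), net.prefixlen)


class Firewall:
    def __init__(self, local_routes, reply_when_empty=True):
        self.local_routes = {ipaddress.ip_network(r) for r in local_routes}
        self.reply_when_empty = reply_when_empty   # False models a firewall that stays silent
        self.arp_table = {}

    def handle_request(self, request):
        """Intersect the router's direct routes with the local routes; the intersection
        is the valid routing information. Returns None when nothing is valid and the
        device is configured not to reply (the timeout case in the description)."""
        direct = {ipaddress.ip_network(r) for r in request.direct_routes}
        valid = sorted(direct & self.local_routes, key=_net_key)
        if not valid and not self.reply_when_empty:
            return None
        return ConfirmMessage(valid_routes=[str(n) for n in valid])

    def store_arp_entries(self, entries):
        """Store the entries the router pushed. Defensive check (an assumption beyond the
        patent text): keep only well-formed MACs for IPs inside a local route."""
        stored = 0
        for ip, mac in entries.items():
            addr = ipaddress.ip_address(ip)
            if MAC_RE.match(mac) and any(addr in net for net in self.local_routes):
                self.arp_table[ip] = mac
                stored += 1
        return stored


class Router:
    def __init__(self, direct_routes, arp_cache):
        self.direct_routes = list(direct_routes)
        self.arp_cache = dict(arp_cache)

    def build_request(self):
        return RequestMessage(direct_routes=list(self.direct_routes))

    def select_arp_entries(self, subnets):
        """S504: look up the local ARP cache and keep only entries inside the given
        subnets. The same lookup serves the 'specified network segment' option of
        claim 2 when an operator supplies the subnets instead of the firewall."""
        nets = [ipaddress.ip_network(s) for s in subnets]
        return {ip: mac for ip, mac in self.arp_cache.items()
                if any(ipaddress.ip_address(ip) in net for net in nets)}


def run_exchange(router, firewall, max_periods=3, link_events=None):
    """Drive S501-S504 for up to max_periods periods. link_events maps a period number
    to the direct routes that become available then (constructed to simulate a link
    that was down coming back up). Returns (period_that_succeeded, entries_stored),
    or (0, 0) if every period ended without a valid route."""
    link_events = link_events or {}
    for period in range(1, max_periods + 1):
        if period in link_events:
            router.direct_routes = list(link_events[period])
        confirm = firewall.handle_request(router.build_request())  # S501 + S502
        if confirm is None or not confirm.valid_routes:            # S503: nothing valid
            continue                                               # resend next period
        entries = router.select_arp_entries(confirm.valid_routes)  # S504
        return period, firewall.store_arp_entries(entries)
    return 0, 0


if __name__ == "__main__":
    fw = Firewall(FIREWALL_LOCAL_ROUTES)
    rt = Router(ROUTER_DIRECT_ROUTES, ROUTER_ARP_CACHE)
    print(run_exchange(rt, fw), sorted(fw.arp_table))
```

With the constructed data the firewall confirms only 192.0.2.0/24, so the router pushes the two entries in that subnet and nothing from 10.1.1.0/24 or 198.51.100.0/24; a router whose external link is down gets an empty confirmation and succeeds only in the period after the link returns.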
Corresponding to the method embodiments above, an embodiment of the invention provides a packet processing apparatus applied to a router. As shown in Fig. 6, the packet processing apparatus may include:
a sending module 610, configured to send a request message to the firewall device, the request message carrying the router's directly connected routing information;
a receiving module 620, configured to receive the confirmation message replied by the firewall device, the confirmation message carrying the valid routing information, i.e. the entries in the directly connected routing information that are identical to the local routing information of the firewall device, where the local routing information includes the routing information for external access that the firewall device supports;
the sending module 610 being further configured to send, according to the valid routing information, the ARP entries corresponding to the valid routing information to the firewall device, so that the firewall device stores the ARP entries.
Optionally, the sending module 610 may be further configured to:
if specified network segment information is received, send, according to the specified network segment information, the ARP entries corresponding to the specified network segment information to the firewall device.
Optionally, the sending module 610 may be further configured to:
if the confirmation message does not carry the valid routing information, send the request message to the firewall device when the predetermined period elapses.
Optionally, the sending module 610 may specifically be configured to:
according to the valid routing information, look up, in the locally stored ARP cache table, the ARP entries within the network segment range represented by the valid routing information; and
send those ARP entries to the firewall device.
An embodiment of the invention provides a packet processing apparatus applied to a firewall device. As shown in Fig. 7, the packet processing apparatus may include:
a receiving module 710, configured to receive the request message sent by the router, the request message carrying the router's directly connected routing information;
a comparison module 720, configured to compare the directly connected routing information with the local routing information of the firewall device and determine the valid routing information, i.e. the entries in the directly connected routing information that are identical to the local routing information, where the local routing information includes the routing information for external access that the firewall device supports;
a sending module 730, configured to send a confirmation message to the router, the confirmation message carrying the valid routing information;
a storage module 740, configured to receive and store the ARP entries, corresponding to the valid routing information, sent by the router.
With this embodiment, the router sends a request message carrying its directly connected routing information to the firewall device; the firewall device compares the directly connected routing information with its local routing information, determines the valid routing information (the entries in the directly connected routing information identical to the local routing information) and sends a confirmation message carrying the valid routing information to the router; the router sends the ARP entries corresponding to the valid routing information to the firewall device; and the firewall device stores the ARP entries. Because the local routing information of the firewall device consists of the routes for external access that the firewall device supports, the comparison lets the firewall device pick out the routes for external access within the directly connected routing information (the valid routing information), and the router, once it receives the confirmation message, sends only the ARP entries corresponding to the valid routing information. This keeps the firewall device from storing large numbers of useless ARP entries, ensures that the stored ARP entries are valid, and so improves packet processing efficiency.
Furthermore, to cope with problems such as an interruption of the network connection, the router judges whether the confirmation message carries valid routing information and, when it does not, periodically repeats the sending of the request message and the receiving of the confirmation message, so that packet processing is not affected by an interruption of the network connection.
An embodiment of the invention also provides a router which, as shown in Fig. 8, includes a processor 801 and a machine-readable storage medium 802. The machine-readable storage medium 802 stores machine-executable instructions that can be executed by the processor 801, and these instructions cause the processor 801 to perform the steps of the packet processing method applied to a router provided by the embodiments of the invention.
An embodiment of the invention also provides a firewall device which, as shown in Fig. 9, includes a processor 901 and a machine-readable storage medium 902. The machine-readable storage medium 902 stores machine-executable instructions that can be executed by the processor 901, and these instructions cause the processor 901 to perform the steps of the packet processing method applied to a firewall device provided by the embodiments of the invention.
The machine-readable storage medium may include RAM (Random Access Memory) and may also include NVM (Non-Volatile Memory), for example at least one disk storage. Optionally, the machine-readable storage medium may also be at least one storage device located remotely from the processor.
The processor may be a general-purpose processor, including a CPU (Central Processing Unit), an NP (Network Processor) and the like; it may also be a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field-Programmable Gate Array) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
Data may be transferred between the machine-readable storage medium 802 and the processor 801, and between the machine-readable storage medium 902 and the processor 901, over a wired or a wireless connection, and the router and the firewall device may communicate with each other, and with other devices, through wired or wireless communication interfaces. The examples in Fig. 8 and Fig. 9 only show data transfer over a bus and do not limit the specific form of connection.
In this embodiment, the processor 801 reads and executes the machine-executable instructions stored in the machine-readable storage medium 802, and the processor 901 reads and executes the machine-executable instructions stored in the machine-readable storage medium 902, so that the following is achieved: the router sends a request message carrying its directly connected routing information to the firewall device; the firewall device compares the directly connected routing information with its local routing information, determines the valid routing information (the entries in the directly connected routing information identical to the local routing information) and sends a confirmation message carrying the valid routing information to the router; the router sends the ARP entries corresponding to the valid routing information to the firewall device; and the firewall device stores the ARP entries. Because the local routing information of the firewall device consists of the routes for external access that the firewall device supports, the comparison lets the firewall device pick out the routes for external access within the directly connected routing information (the valid routing information), and the router, once it receives the confirmation message, sends only the ARP entries corresponding to the valid routing information. This keeps the firewall device from storing large numbers of useless ARP entries, ensures that the stored ARP entries are valid, and so improves packet processing efficiency.
In addition, an embodiment of the invention provides a machine-readable storage medium storing machine-executable instructions which, when executed by a processor, perform the steps of the packet processing method applied to a router provided by the embodiments of the invention.
An embodiment of the invention also provides a machine-readable storage medium storing machine-executable instructions which, when executed by a processor, perform the steps of the packet processing method applied to a firewall device provided by the embodiments of the invention.
In this embodiment, the machine-readable storage medium at run time executes the machine-executable instructions of the packet processing methods applied to the router and to the firewall device provided by the embodiments of the invention, and therefore achieves the same exchange: the router sends a request message carrying its directly connected routing information to the firewall device; the firewall device compares the directly connected routing information with its local routing information, determines the valid routing information and returns it in a confirmation message; the router sends the ARP entries corresponding to the valid routing information to the firewall device; and the firewall device stores them. Because the firewall device's local routing information consists of the routes for external access it supports, only ARP entries for those routes are sent and stored, which avoids the storage of large numbers of useless ARP entries, ensures the validity of the stored ARP entries, and improves packet processing efficiency.
Since the method content involved in the router, firewall device and machine-readable storage medium embodiments is substantially similar to the method embodiments above, their description is relatively brief; for the relevant parts, refer to the description of the method embodiments.
It should be noted that, in this document, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of further identical elements in the process, method, article or device that includes that element.
The embodiments in this specification are described in a related manner; identical or similar parts of the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. In particular, the apparatus, router, firewall device and machine-readable storage medium embodiments, being substantially similar to the method embodiments, are described relatively briefly; for the relevant parts, refer to the description of the method embodiments.
The foregoing describes only preferred embodiments of the invention and is not intended to limit the scope of the invention. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the invention falls within the scope of protection of the invention.

Claims (12)

1. A packet processing method, characterized in that it is applied to a router, the method comprising:
sending a request message to a firewall device, the request message carrying directly connected routing information of the router;
receiving a confirmation message replied by the firewall device, the confirmation message carrying valid routing information, being the entries in the directly connected routing information that are identical to local routing information of the firewall device, the local routing information including routing information for external access that the firewall device supports; and
according to the valid routing information, sending Address Resolution Protocol (ARP) entries corresponding to the valid routing information to the firewall device, so that the firewall device stores the ARP entries.
2. The method according to claim 1, characterized in that the method further comprises:
if specified network segment information is received, sending, according to the specified network segment information, ARP entries corresponding to the specified network segment information to the firewall device.
3. The method according to claim 1, characterized in that, after receiving the confirmation message replied by the firewall device, the method further comprises:
if the confirmation message does not carry the valid routing information, returning, when a predetermined period elapses, to the step of sending the request message to the firewall device.
4. The method according to claim 1, characterized in that sending, according to the valid routing information, the Address Resolution Protocol (ARP) entries corresponding to the valid routing information to the firewall device comprises:
according to the valid routing information, looking up, in a locally stored ARP cache table, the ARP entries within the network segment range represented by the valid routing information; and
sending the ARP entries to the firewall device.
5. A packet processing method, characterized in that it is applied to a firewall device, the method comprising:
receiving a request message sent by a router, the request message carrying directly connected routing information of the router;
comparing the directly connected routing information with local routing information of the firewall device and determining valid routing information, being the entries in the directly connected routing information that are identical to the local routing information, the local routing information including routing information for external access that the firewall device supports;
sending a confirmation message to the router, the confirmation message carrying the valid routing information; and
receiving and storing ARP entries, corresponding to the valid routing information, sent by the router.
6. A packet processing apparatus, characterized in that it is applied to a router, the apparatus comprising:
a sending module, configured to send a request message to a firewall device, the request message carrying directly connected routing information of the router;
a receiving module, configured to receive a confirmation message replied by the firewall device, the confirmation message carrying valid routing information, being the entries in the directly connected routing information that are identical to local routing information of the firewall device, the local routing information including routing information for external access that the firewall device supports;
the sending module being further configured to send, according to the valid routing information, ARP entries corresponding to the valid routing information to the firewall device, so that the firewall device stores the ARP entries.
7. The apparatus according to claim 6, characterized in that the sending module is further configured to:
if specified network segment information is received, send, according to the specified network segment information, ARP entries corresponding to the specified network segment information to the firewall device.
8. The apparatus according to claim 6, characterized in that the sending module is further configured to:
if the confirmation message does not carry the valid routing information, send the request message to the firewall device when a predetermined period elapses.
9. The apparatus according to claim 6, characterized in that the sending module is specifically configured to:
according to the valid routing information, look up, in a locally stored ARP cache table, the ARP entries within the network segment range represented by the valid routing information; and
send the ARP entries to the firewall device.
10. A packet processing apparatus, characterized in that it is applied to a firewall device, the apparatus comprising:
a receiving module, configured to receive a request message sent by a router, the request message carrying directly connected routing information of the router;
a comparison module, configured to compare the directly connected routing information with local routing information of the firewall device and determine valid routing information, being the entries in the directly connected routing information that are identical to the local routing information, the local routing information including routing information for external access that the firewall device supports;
a sending module, configured to send a confirmation message to the router, the confirmation message carrying the valid routing information;
a storage module, configured to receive and store ARP entries, corresponding to the valid routing information, sent by the router.
11. A router, characterized in that it comprises a processor and a machine-readable storage medium, the machine-readable storage medium storing machine-executable instructions executable by the processor, the machine-executable instructions causing the processor to perform the method steps of any one of claims 1 to 4.
12. A firewall device, characterized in that it comprises a processor and a machine-readable storage medium, the machine-readable storage medium storing machine-executable instructions executable by the processor, the machine-executable instructions causing the processor to perform the method steps of claim 5.
CN201910063647.1A 2019-01-23 2019-01-23 Message processing method and device, router and firewall equipment Active CN109617920B (en)
Publications (2)

Publication Number Publication Date
CN109617920A 2019-04-12
CN109617920B 2021-07-20

Family

ID=66017138



Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101753637A (en) * 2009-12-17 2010-06-23 北京星网锐捷网络技术有限公司 Method and network address translation device preventing network attacks
CN102215158A (en) * 2010-04-08 2011-10-12 杭州华三通信技术有限公司 Method for realizing VRRP (Virtual Router Redundancy Protocol) flow transmission and routing equipment
WO2016184283A1 (en) * 2015-05-19 2016-11-24 腾讯科技(深圳)有限公司 Data stream management method and system for virtual machine
CN106453308A (en) * 2016-10-10 2017-02-22 合肥红珊瑚软件服务有限公司 Method for preventing ARP cheating
CN107517119A (en) * 2016-06-17 2017-12-26 阿里巴巴集团控股有限公司 Virtual network detection method and device under VPC environment
CN107547503A (en) * 2017-06-12 2018-01-05 新华三信息安全技术有限公司 A kind of session entry processing method and processing device
CN108471397A (en) * 2018-01-31 2018-08-31 华为技术有限公司 Firewall configuration, file transmitting method and device
CN109067615A (en) * 2018-08-21 2018-12-21 北京金风科创风电设备有限公司 network configuration method and device, monitoring system and storage medium


Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110138656A (en) * 2019-05-28 2019-08-16 新华三技术有限公司 Method for processing business and device
CN113992395A (en) * 2021-10-26 2022-01-28 新华三信息安全技术有限公司 Terminal identification method and device, electronic equipment and medium
CN113992395B (en) * 2021-10-26 2023-10-24 新华三信息安全技术有限公司 Terminal identification method, device, electronic equipment and medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant