CN111147520A - Information processing method and device executed by firewall - Google Patents

Publication number
CN111147520A
Authority
CN
China
Legal status
Granted
Application number
CN201911425002.4A
Other languages
Chinese (zh)
Other versions
CN111147520B
Inventor
胡松
李红光
吴亚东
Current Assignee
Qax Technology Group Inc
Secworld Information Technology Beijing Co Ltd
Original Assignee
Qianxin Technology Group Co Ltd
Secworld Information Technology Beijing Co Ltd
Application filed by Qianxin Technology Group Co Ltd and Secworld Information Technology Beijing Co Ltd
Priority to CN201911425002.4A
Publication of CN111147520A
Application granted
Publication of CN111147520B
Legal status: Active

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L12/00 Data switching networks
                    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
                        • H04L12/46 Interconnection of networks
                            • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
                        • H04L63/0227 Filtering policies
                            • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
                • H04L67/00 Network arrangements or protocols for supporting network services or applications
                    • H04L67/14 Session management
                        • H04L67/141 Setup of application sessions
                        • H04L67/146 Markers for unambiguous identification of a particular session, e.g. session cookie or URL-encoding
                • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
                    • H04L69/22 Parsing or analysis of headers


Abstract

The present disclosure provides an information processing method performed by a firewall, the firewall being configured to establish a virtual extensible local area network. The method comprises: receiving a data packet, obtaining a first source port identifier based on the data packet, processing the first source port identifier to obtain a second source port identifier, and establishing a session corresponding to the data packet based on the second source port identifier, wherein the source port in the five-tuple of the session corresponds to the second source port identifier.

Description

Information processing method and device executed by firewall
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to an information processing method and apparatus performed by a firewall, a computer system, and a computer-readable storage medium.
Background
Virtual eXtensible Local Area Network (VXLAN) is an overlay network technology. A VXLAN network may include a VTEP (VXLAN Tunnel End Point), which is an edge device of the VXLAN network and may be implemented by a switch, a router, a firewall, or the like. The VTEP performs data communication by establishing a tunnel that traverses a layer-3 network: for example, the VTEP may encapsulate data packets sent by a virtual machine in UDP (User Datagram Protocol), add the IP/MAC addresses of the physical network as an outer header, transmit the encapsulated packets over the physical IP network, and the VTEP at the destination decapsulates the packets after they arrive and delivers them to the target virtual machine.
Current firewalls, which are typically based on stateful inspection techniques, establish a session for each distinct five-tuple. It follows that when a firewall acts as a VTEP node of a VXLAN network, the firewall also establishes sessions for the VXLAN messages flowing into or out of it.
In implementing the disclosed concept, the inventors found at least the following problem in the related art: in a VXLAN network the range of the source port is too large, and the source ports of the messages differ from one another, so the firewall has to establish and store a huge amount of session data, a large amount of memory is occupied, and the normal operation of the firewall is affected.
Disclosure of Invention
In view of the above, the present disclosure provides an information processing method and apparatus performed by a firewall.
An aspect of the present disclosure provides an information processing method performed by a firewall for constructing a virtual extended local area network, the method including: receiving a data packet, obtaining a first source port identifier based on the data packet, processing the first source port identifier to obtain a second source port identifier, and establishing a session corresponding to the data packet based on the second source port identifier, wherein a source port in a five-tuple of the session corresponds to the second source port identifier.
According to an embodiment of the present disclosure, receiving the data packet includes receiving a data packet sent by a remote electronic device outside the virtual extensible local area network. Obtaining the first source port identifier based on the packet includes parsing the data packet to obtain the source port identifier in the data packet as the first source port identifier. Processing the first source port identifier to obtain the second source port identifier includes modifying the first source port identifier into a preset identifier to obtain the second source port identifier.
According to an embodiment of the present disclosure, modifying the first source port identifier into a preset identifier to obtain the second source port identifier includes: parsing the data packet to obtain the destination address of the data packet, and, when the destination address is the address of the firewall for the virtual extensible local area network, modifying the first source port identifier into the preset identifier to obtain the second source port identifier.
According to an embodiment of the present disclosure, receiving the data packet includes receiving a data packet sent by a local electronic device inside the virtual extensible local area network. Obtaining the first source port identifier based on the packet includes hashing the data packet to obtain a hash value, the hash value being the first source port identifier. Processing the first source port identifier to obtain the second source port identifier includes obtaining the second source port identifier based on the start port and the port range corresponding to the receiving end of the data packet and on the first source port identifier.
According to an embodiment of the present disclosure, the port range corresponding to the receiving end of the data packet is the least common multiple of the network equal-cost multipath number and the network card receiving-end expansion value, where the network equal-cost multipath number is the number of equal-cost paths between the local electronic device and the receiving end of the data packet, and the network card receiving-end expansion value is the receiving-end expansion value of the network card of the receiving end of the data packet.
Another aspect of the present disclosure provides an information processing apparatus applied to a firewall for constructing a virtual extended local area network, the apparatus including a receiving module, an obtaining module, a processing module, and an establishing module. The receiving module is used for receiving the data packet. The obtaining module is configured to obtain a first source port identifier based on the packet. The processing module is used for processing the first source port identification to obtain a second source port identification. The establishing module is configured to establish a session corresponding to the packet based on the second source port identifier, where a source port in a five-tuple of the session corresponds to the second source port identifier.
According to an embodiment of the present disclosure, the receiving module is further configured to receive a data packet sent by a remote electronic device outside the virtual extensible local area network. The obtaining module is further configured to parse the data packet and obtain the source port identifier in the data packet as the first source port identifier. The processing module is further configured to modify the first source port identifier into a preset identifier to obtain the second source port identifier.
According to an embodiment of the present disclosure, modifying the first source port identifier into a preset identifier to obtain the second source port identifier includes: parsing the data packet to obtain the destination address of the data packet, and, when the destination address is the address of the firewall for the virtual extensible local area network, modifying the first source port identifier into the preset identifier to obtain the second source port identifier.
According to an embodiment of the present disclosure, the receiving module is further configured to receive a data packet sent by a local electronic device inside the virtual extensible local area network. The obtaining module is further configured to hash the data packet to obtain a hash value, the hash value being the first source port identifier. The processing module is further configured to obtain the second source port identifier based on the start port and the port range corresponding to the receiving end of the data packet and on the first source port identifier.
According to an embodiment of the present disclosure, the port range corresponding to the receiving end of the data packet is the least common multiple of the network equal-cost multipath number and the network card receiving-end expansion value, where the network equal-cost multipath number is the number of equal-cost paths between the local electronic device and the receiving end of the data packet, and the network card receiving-end expansion value is the receiving-end expansion value of the network card of the receiving end of the data packet.
Another aspect of the present disclosure provides a computer system comprising: one or more processors, and a computer readable storage medium storing one or more programs, which when executed by the one or more processors, cause the one or more processors to implement the method as described above.
Another aspect of the disclosure provides a non-volatile storage medium storing computer-executable instructions for implementing the method as described above when executed.
Another aspect of the disclosure provides a computer program comprising computer executable instructions for implementing the method as described above when executed.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent from the following description of embodiments of the present disclosure with reference to the accompanying drawings, in which:
fig. 1 schematically illustrates an application scenario of an information processing method and apparatus according to an embodiment of the present disclosure;
fig. 2 schematically shows a flow chart of an information processing method performed by a firewall according to an embodiment of the present disclosure;
FIG. 3 schematically shows a schematic diagram of a data packet according to an embodiment of the disclosure;
fig. 4 schematically shows a block diagram of an information processing apparatus according to an embodiment of the present disclosure; and
FIG. 5 schematically shows a block diagram of a computer system suitable for the information processing method according to an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have a alone, B alone, C alone, a and B together, a and C together, B and C together, and/or A, B, C together, etc.). Where a convention analogous to "A, B or at least one of C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B or C" would include but not be limited to systems that have a alone, B alone, C alone, a and B together, a and C together, B and C together, and/or A, B, C together, etc.). It will be further understood by those within the art that virtually any disjunctive word and/or phrase presenting two or more alternative terms, whether in the description, claims, or drawings, should be understood to contemplate the possibilities of including one of the terms, either of the terms, or both terms. For example, the phrase "a or B" should be understood to include the possibility of "a" or "B", or "a and B".
An embodiment of the present disclosure provides an information processing method performed by a firewall, where the firewall is used to establish a virtual extensible local area network. The method includes: receiving a data packet, obtaining a first source port identifier based on the data packet, processing the first source port identifier to obtain a second source port identifier, and establishing a session corresponding to the data packet based on the second source port identifier, wherein the source port in the five-tuple of the session corresponds to the second source port identifier.
Fig. 1 schematically illustrates an application scenario 100 of an information processing method and apparatus according to an embodiment of the present disclosure.
It should be noted that fig. 1 is only an example of an application scenario in which the embodiments of the present disclosure may be applied to help those skilled in the art understand the technical content of the present disclosure, but does not mean that the embodiments of the present disclosure may not be applied to other devices, systems, environments or scenarios.
As shown in fig. 1, an application scenario 100 according to an embodiment of the present disclosure may include a first virtual extensible local area network 110 and a second virtual extensible local area network 120. The first virtual extensible LAN 110 and the second virtual extensible LAN 120 may be connected via VXLAN tunnels.
The first virtual extensible local area network 110 may include local electronic devices 111, 112, 113, 114, 115 and a firewall 116. The firewall 116 may be used to construct the first virtual extensible LAN 110; for example, the firewall 116 may be an edge device of the first virtual extensible LAN 110. The firewall 116 may be coupled to the local electronic devices 111, 112, 113, 114, 115, and all packets flowing into and out of the local electronic devices 111, 112, 113, 114, 115 may pass through the firewall 116.
The second virtual extensible local area network 120 may include remote electronic devices 121, 122, 123, 124, 125 and a firewall 126. The firewall 126 may be used to construct the second virtual extensible LAN 120; for example, the firewall 126 may be an edge device of the second virtual extensible LAN 120. The firewall 126 may be coupled to the remote electronic devices 121, 122, 123, 124, 125, and all packets flowing into and out of the remote electronic devices 121, 122, 123, 124, 125 may pass through the firewall 126.
It should be noted that the information processing method provided by the embodiment of the present disclosure may be generally executed by the firewall 116 (or the firewall 126). Accordingly, the information processing apparatus provided by the embodiment of the present disclosure may be generally disposed in the firewall 116 (or the firewall 126). The information processing method provided by the embodiment of the present disclosure may also be performed by a server or a server cluster that is different from the firewall 116 (or the firewall 126) and is capable of communicating with the local electronic devices 111, 112, 113, 114, 115 and/or the firewall 116 (or the firewall 126). Accordingly, the information processing apparatus provided by the embodiment of the present disclosure may also be disposed in a server or a server cluster different from the firewall 116 and capable of communicating with the local electronic devices 111, 112, 113, 114, 115 and/or the firewall 116 (or the firewall 126).
For example, the firewall 116 may receive a data packet from the second virtual extensible LAN 120, such as a data packet sent from the remote electronic device 121 to the first virtual extensible LAN 110 via the firewall 126. The firewall 116 may parse the packet, obtain the source port identifier in the packet as the first source port identifier, modify the first source port identifier into a preset identifier to obtain the second source port identifier, and establish a session corresponding to the packet based on the second source port identifier.
For another example, the firewall 116 may also receive a data packet sent from the local electronic device 111, such as a data packet sent by the local electronic device 111 to the second virtual extensible LAN 120 via the firewall 116. The firewall 116 may hash the packet to obtain a hash value, where the hash value serves as the first source port identifier, obtain a second source port identifier based on the start port, the port range and the first source port identifier corresponding to the packet from the local electronic device 111, and establish a session corresponding to the packet based on the second source port identifier.
It should be understood that the number of local electronic devices, firewalls, and remote electronic devices in fig. 1 are merely illustrative. There may be any number of local electronic devices, firewalls, and remote electronic devices, as desired for the implementation.
Fig. 2 schematically shows a flow chart of an information processing method performed by a firewall according to an embodiment of the present disclosure.
as shown in fig. 2, the method includes operations S201 to S204.
In operation S201, a data packet is received.
In operation S202, a first source port identification is obtained based on the packet.
In operation S203, the first source port identifier is processed to obtain a second source port identifier.
In operation S204, a session corresponding to the packet is established based on the second source port identifier, wherein the source port in the five-tuple of the session corresponds to the second source port identifier.
The firewall of the embodiment of the disclosure can be used for establishing a virtual extended local area network. For example, the firewall in the embodiment of the present disclosure may be used as an edge device of a virtual extended local area network.
In the embodiment of the present disclosure, a data packet sent by a local electronic device in an extended lan needs to be encapsulated by the firewall and then sent to a specified address. The data packet sent by the remote electronic equipment outside the extended local area network also needs to be decapsulated by the firewall and then sent to the specified address.
The firewall of the embodiment of the present disclosure may establish and store a session for each incoming or outgoing packet according to its five-tuple. However, the possible range of the source port in the five-tuple of the packets flowing between the extensible local area networks is too large, and the source ports of the packets differ from one another, so the firewall has to establish and store a huge amount of session data, a large amount of memory is occupied, and the normal operation of the firewall is affected.
In view of this, the embodiment of the present disclosure obtains the source port identifier of the packet as the first source port identifier but, instead of establishing the session for the packet based on that first source port identifier, processes the first source port identifier to obtain a second source port identifier and then establishes the session for the packet based on the second source port identifier. In this way the number of sessions related to the extensible local area network is reduced.
Referring now to FIG. 3, the method illustrated in FIG. 2 is further described in conjunction with specific embodiments.
According to the embodiment of the disclosure, a firewall may receive a packet sent by a remote electronic device outside a virtual expansion local area network, parse the packet, obtain a source port identifier in the packet as a first source port identifier, modify the first source port identifier into a preset identifier, obtain a second source port identifier, establish a session corresponding to the packet based on the second source port identifier, where a source port in a five-tuple of the session corresponds to the second source port identifier.
In the embodiment of the present disclosure, the format of the data packet sent to the firewall by the remote electronic device outside the virtual extended lan may be as shown in fig. 3, for example. The data packet may include, for example, a first portion 310, a second portion 320, a third portion 330, and a fourth portion 340.
According to the embodiment of the disclosure, the firewall may parse the received data packet to obtain the destination address of the data packet. When the destination address is the address of the firewall for the virtual extensible local area network, the source port of the data packet is obtained as the first source port identifier, and the first source port identifier is modified into a preset identifier.
For example, when the virtual extensible local area network is configured, the address of the firewall used to establish the VXLAN tunnel may be recorded in the firewall. When the firewall receives a data packet, the destination address 311 in the first part 310 is obtained by parsing the packet, and if the destination address 311 is the same as the address stored in the firewall, the packet is regarded as a packet sent to the virtual extensible local area network. The source port 321 of the packet may then be obtained from the second part 320 and modified to a fixed value (e.g., 49152), so that the firewall establishes the session corresponding to the packet using that fixed value. Thus an external VTEP can establish only one session with the firewall, which reduces the number of sessions.
According to the embodiment of the disclosure, when the firewall receives a data packet sent by a remote electronic device (for example, the VTEP of another virtual extensible local area network), the source port of the packet may be modified to a fixed value, so that the number of packet sessions is reduced and only one session needs to be established for each VTEP (external VTEP) of the other virtual extensible local area networks.
According to another embodiment of the present disclosure, the firewall may receive a packet sent by a local electronic device inside the virtual extensible LAN, hash the packet to obtain a hash value, where the hash value is the first source port identifier, obtain a second source port identifier based on the start port and port range corresponding to the receiving end of the packet and the first source port identifier, and establish a session corresponding to the packet based on the second source port identifier, where the source port in the five-tuple of the session corresponds to the second source port identifier.
In the embodiment of the present disclosure, the data packet sent by the local electronic device in the virtual extensible lan to the firewall may be, for example, the fourth part 340 as shown in fig. 3, and the firewall encapsulates the part, adds vxlan Header, Outer UDP Header, and Outer IPv4 Header to the part in sequence, and then sends the part to the destination, where the destination may be, for example, a VTEP (external VTEP) of another virtual extensible lan.
According to the embodiment of the disclosure, when the interconnection relationship of the virtual extensible local area network is configured, a start port and a port range may be configured for each interconnected external VTEP, for example (192.168.100.200 (VTEP address), 49152 (start port), 32 (port range)), and stored in the firewall. The start port and the port range lie within 49152 to 65535, the range specified by the RFC.
In the embodiment of the present disclosure, the port range may be a least common multiple between the number of paths of the network equal cost multipath and the network card receiving end expansion value, where the number of paths of the network equal cost multipath is the number of paths of the network equal cost multipath between the local electronic device and the data packet receiving end, and the network card receiving end expansion value is the network card receiving end expansion value of the data packet receiving end.
For example, the port range may be the least common multiple of the maximum number of ECMP paths in the network and the RSS value of the network card of the VTEP at the receiving end. If the load is not uniform, the least common multiple may be multiplied by a factor that is increased step by step starting from 2, so that the load is relatively balanced during VXLAN transmission. For example, the port range may be selected from 16, 32, 64, and so on.
According to the disclosed embodiments, all external VTEPs interconnected with the firewall may be configured with the same start port and port range to reduce the complexity of the configuration.
In the embodiment of the present disclosure, when the firewall receives a data packet sent by a local electronic device, the hash value of the data packet (e.g., the fourth part 340 shown in fig. 3) is calculated. When the packet is VXLAN-encapsulated, the start port and port range corresponding to the VTEP address of the opposite end of the VXLAN tunnel are looked up in the firewall, a second source port identifier is obtained from the start port, the port range and the hash value (for example, second source port identifier = start port + (hash value mod port range)), the second source port identifier is written into the source port 321 of the Outer UDP Header in the second part 320, and the subsequent packet processing is completed, so that the session corresponding to the packet is the session established based on the second source port identifier.
The disclosed embodiments set a reasonable, smaller source port range for the peer VTEP to reduce the number of sessions associated with VXLAN packet forwarding while still ensuring load balancing.
The disclosed embodiment obtains the second source port identifier by processing the first source port identifier and establishes the session with the second source port identifier in place of the first, which reduces the number of VXLAN-related sessions, reduces the firewall memory occupied by session storage, and improves the reliability and session capacity of the firewall.
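As an added illustration (not code from the patent or its assignees), the two session-key normalizations described above in Python: the fixed-port rewrite for packets arriving from an external VTEP, and start port + (hash value mod port range) for packets leaving towards a peer VTEP, with the port range derived as the least common multiple of the ECMP path count and the NIC RSS queue count. The local VTEP address, the additional check on UDP port 4789, and the CRC-32 stand-in for the unspecified hash are assumptions of this example.

```python
import math
import zlib
from dataclasses import dataclass

# Constructed configuration (assumptions, not values from the patent text except
# where noted): this firewall's own VTEP address and the per-peer table of
# (start port, port range) that the text says is stored in the firewall.
LOCAL_VTEP_ADDR = "192.168.100.1"          # assumed address of this firewall's VTEP
VXLAN_UDP_PORT = 4789                      # standard VXLAN UDP port; not named in the text
FIXED_INBOUND_SRC_PORT = 49152             # the fixed value the text gives as an example
PEER_VTEP_PORTS = {
    # peer VTEP address: (start port, port range), the text's own example tuple
    "192.168.100.200": (49152, 32),
}


@dataclass(frozen=True)
class Session:
    """The five-tuple a stateful firewall keys its session table on."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def port_range(ecmp_paths: int, rss_queues: int, spread: int = 1) -> int:
    """Port range for a peer VTEP: the least common multiple of the number of
    ECMP paths towards it and the RSS queue count of its NIC, optionally
    multiplied by the factor the text suggests when load is uneven."""
    if min(ecmp_paths, rss_queues, spread) < 1:
        raise ValueError("path, queue and spread counts must be positive")
    rng = math.lcm(ecmp_paths, rss_queues) * spread
    if rng > 65535 - 49152 + 1:
        raise ValueError("port range does not fit in the 49152-65535 block")
    return rng


def inbound_session(outer_src_ip: str, outer_src_port: int,
                    outer_dst_ip: str, outer_dst_port: int) -> Session:
    """Session key for a packet arriving from an external VTEP (the text's first
    case): when the outer destination address is this firewall's VTEP address,
    the outer source port is replaced by the fixed value before the session is
    built, so all packets from one peer VTEP map to a single session. The text
    keys on the destination address only; the port check is an added assumption."""
    if outer_dst_ip == LOCAL_VTEP_ADDR and outer_dst_port == VXLAN_UDP_PORT:
        second_src_port = FIXED_INBOUND_SRC_PORT
    else:
        # Ordinary (non-VXLAN) traffic keeps its real source port.
        second_src_port = outer_src_port
    return Session("udp", outer_src_ip, second_src_port, outer_dst_ip, outer_dst_port)


def inner_flow_hash(inner_frame: bytes) -> int:
    """Stand-in for the firewall's hash of the inner packet (the text does not
    name the algorithm); CRC-32 is used here only because it is deterministic."""
    return zlib.crc32(inner_frame) & 0xFFFFFFFF


def outbound_source_port(peer_vtep: str, inner_frame: bytes) -> int:
    """Second source port identifier for a packet leaving towards peer_vtep:
    start port + (hash value mod port range), as the text describes."""
    start, rng = PEER_VTEP_PORTS[peer_vtep]
    return start + (inner_flow_hash(inner_frame) % rng)


def outbound_session(peer_vtep: str, inner_frame: bytes) -> Session:
    """Session key for the encapsulated packet; the outer UDP source port is
    the computed second source port identifier."""
    return Session("udp", LOCAL_VTEP_ADDR, outbound_source_port(peer_vtep, inner_frame),
                   peer_vtep, VXLAN_UDP_PORT)


def distinct_sessions(sessions) -> int:
    """Number of session-table entries a stream of packets would create."""
    return len(set(sessions))


if __name__ == "__main__":
    peer = "192.168.100.200"
    # Constructed traffic: 1000 inbound packets from the peer VTEP, each with a
    # different outer source port, and 1000 distinct outbound inner frames.
    inbound = [inbound_session(peer, 49152 + i, LOCAL_VTEP_ADDR, VXLAN_UDP_PORT)
               for i in range(1000)]
    outbound = [outbound_session(peer, i.to_bytes(2, "big")) for i in range(1000)]
    print("inbound sessions :", distinct_sessions(inbound))   # 1
    print("outbound sessions:", distinct_sessions(outbound))  # at most 32
    print("port range for 8 ECMP paths x 4 RSS queues:", port_range(8, 4))
```

Without the rewrite, the 1000 inbound packets would have produced 1000 session entries; with it they share one, and the outbound flows are confined to the 32-port block configured for the peer.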
Fig. 4 schematically shows a block diagram of an information processing apparatus 400 according to an embodiment of the present disclosure.
As shown in fig. 4, the apparatus 400 includes a receiving module 410, an obtaining module 420, a processing module 430, and an establishing module 440.
The receiving module 410 is used for receiving data packets.
The obtaining module 420 is configured to obtain a first source port identification based on the packet.
The processing module 430 is configured to process the first source port identifier to obtain a second source port identifier.
The establishing module 440 is configured to establish a session corresponding to the packet based on a second source port identifier, where the source port in the five-tuple of the session corresponds to the second source port identifier.
According to the embodiment of the present disclosure, the receiving module 410 is further configured to receive a data packet sent by a remote electronic device outside the virtual extensible local area network. The obtaining module 420 is further configured to parse the packet, and obtain a source port identifier in the packet as the first source port identifier. The processing module 430 is further configured to modify the first source port identifier into a preset identifier, so as to obtain a second source port identifier.
According to an embodiment of the present disclosure, modifying the first source port identifier into a preset identifier to obtain the second source port identifier includes: parsing the data packet to obtain the destination address of the data packet, and, when the destination address is the address of the firewall on the virtual extensible local area network, modifying the first source port identifier into the preset identifier to obtain the second source port identifier.
According to the embodiment of the present disclosure, the receiving module 410 is further configured to receive a data packet sent by a local electronic device in the virtual extensible local area network. The obtaining module 420 further performs hash processing on the data packet to obtain a hash value, where the hash value is the first source port identifier. The processing module 430 is further configured to obtain the second source port identifier based on the start port and the port range corresponding to the receiving end of the data packet and the first source port identifier.
According to the embodiment of the present disclosure, the port range corresponding to the receiving end of the data packet includes: the least common multiple of the number of network equal-cost multipaths and the receive-side scaling (RSS) value of the network card of the receiving end, where the number of network equal-cost multipaths is the number of equal-cost multipaths between the local electronic device and the receiving end of the data packet, and the receive-side scaling value is the receive-side scaling value of the network card of the receiving end of the data packet.
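The following is an added example, not code from the patent or its assignees, that puts the two rules described above into runnable form: the outbound computation (second source port identifier = start port + (hash value % port range), with the port range taken as the least common multiple of the ECMP path count and the RSS value, optionally scaled) and the inbound rule (a packet whose outer destination is the firewall's own VTEP address gets a preset source port identifier). It then counts how many outer five-tuple sessions the firewall would keep for a batch of constructed inner flows with and without the second source port identifier, which is the effect the text claims. Everything not on the page is an assumption: CRC32 stands in for the unspecified hash function, `PRESET_SRC_PORT` is a made-up preset identifier, and the baseline it compares against picks outer source ports from the 16384-port ephemeral range.

```python
"""Added example (not the patent's own code): VXLAN outer UDP source-port
handling as the text describes it, in both directions, plus a session count.

Assumptions not taken from the page: CRC32 over the inner five-tuple stands in
for the unspecified hash; PRESET_SRC_PORT is a hypothetical preset identifier;
the baseline picks the outer source port from the ephemeral range 49152-65535.
"""
from dataclasses import dataclass
from math import gcd
import zlib

VXLAN_UDP_PORT = 4789        # IANA-assigned VXLAN destination port
PRESET_SRC_PORT = 4789       # hypothetical preset identifier for inbound packets
EPHEMERAL_BASE, EPHEMERAL_SPAN = 49152, 16384   # constructed baseline behaviour


def lcm(a: int, b: int) -> int:
    return a * b // gcd(a, b)


def port_range(max_ecmp_paths: int, rss_queues: int, multiplier: int = 1) -> int:
    """Port range = lcm(max ECMP paths, RSS queues) * multiplier; the multiplier
    is raised from 2 upward only when the observed load is still uneven."""
    if max_ecmp_paths < 1 or rss_queues < 1 or multiplier < 1:
        raise ValueError("all inputs must be positive")
    return lcm(max_ecmp_paths, rss_queues) * multiplier


def inner_flow_hash(src_ip: str, dst_ip: str, proto: int, sport: int, dport: int) -> int:
    """Hash of the inner headers; CRC32 is a constructed stand-in for the page's hash."""
    return zlib.crc32(f"{src_ip}|{dst_ip}|{proto}|{sport}|{dport}".encode())


def outbound_source_port(start_port: int, prange: int, flow_hash: int) -> int:
    """Second source port identifier written into the Outer UDP Header."""
    port = start_port + (flow_hash % prange)
    if not 0 <= port <= 65535:
        raise ValueError("start port + port range leaves the UDP port space")
    return port


@dataclass(frozen=True)
class OuterHeader:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int = VXLAN_UDP_PORT


def inbound_source_port(outer: OuterHeader, firewall_vtep_ip: str) -> int:
    """Replace the remote VTEP's hash-derived source port with the preset
    identifier when the packet is addressed to this firewall's VTEP address."""
    return PRESET_SRC_PORT if outer.dst_ip == firewall_vtep_ip else outer.src_port


def session_key(src_ip, dst_ip, src_port, dst_port, proto=17):
    """Outer five-tuple the firewall keys its session table on (17 = UDP)."""
    return (src_ip, dst_ip, proto, src_port, dst_port)


def count_sessions(flows, local_vtep, remote_vtep, start_port, prange):
    """Distinct outer sessions for `flows` (inner five-tuples), returned as
    (baseline count, count with the second source port identifier)."""
    baseline, normalised = set(), set()
    for f in flows:
        h = inner_flow_hash(*f)
        baseline.add(session_key(local_vtep, remote_vtep,
                                 EPHEMERAL_BASE + h % EPHEMERAL_SPAN, VXLAN_UDP_PORT))
        normalised.add(session_key(local_vtep, remote_vtep,
                                   outbound_source_port(start_port, prange, h),
                                   VXLAN_UDP_PORT))
    return len(baseline), len(normalised)


def demo():
    # Constructed sample: 1000 inner TCP flows between two /24s behind the tunnel.
    flows = [(f"10.1.0.{i % 250}", f"10.2.0.{(i * 7) % 250}", 6, 40000 + i, 443)
             for i in range(1000)]
    prange = port_range(max_ecmp_paths=4, rss_queues=8)   # lcm(4, 8) = 8
    return count_sessions(flows, "192.0.2.1", "192.0.2.2", 10000, prange)


if __name__ == "__main__":
    print(demo())
```

With 4 ECMP paths and an 8-queue RSS network card the port range is 8, so the firewall keeps at most 8 outer sessions toward that VTEP no matter how many inner flows pass, while the baseline grows with the number of inner flows. The check in `outbound_source_port` matters in practice: a start port chosen too close to 65535 for the configured range would wrap outside the UDP port space.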
It should be noted that the implementation, solved technical problems, implemented functions, and achieved technical effects of each module/unit/subunit and the like in the apparatus part embodiment are respectively the same as or similar to the implementation, solved technical problems, implemented functions, and achieved technical effects of each corresponding step in the method part embodiment, and are not described herein again.
Any number of modules, sub-modules, units, sub-units, or at least part of the functionality of any number thereof according to embodiments of the present disclosure may be implemented in one module. Any one or more of the modules, sub-modules, units, and sub-units according to the embodiments of the present disclosure may be implemented by being split into a plurality of modules. Any one or more of the modules, sub-modules, units, sub-units according to embodiments of the present disclosure may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in any other reasonable manner of hardware or firmware by integrating or packaging a circuit, or in any one of or a suitable combination of software, hardware, and firmware implementations. Alternatively, one or more of the modules, sub-modules, units, sub-units according to embodiments of the disclosure may be at least partially implemented as a computer program module, which when executed may perform the corresponding functions.
FIG. 5 schematically shows a block diagram of a computer system suitable for the information processing method according to an embodiment of the present disclosure. The computer system illustrated in FIG. 5 is only one example and should not impose any limitations on the scope of use or functionality of embodiments of the disclosure.
As shown in fig. 5, a computer system 500 according to an embodiment of the present disclosure includes a processor 501, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM)502 or a program loaded from a storage section 508 into a Random Access Memory (RAM) 503. The processor 501 may comprise, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 501 may also include onboard memory for caching purposes. Processor 501 may include a single processing unit or multiple processing units for performing different acts of the method flows described with reference to fig. 2 in accordance with embodiments of the disclosure.
In the RAM 503, various programs and data necessary for the operation of the system 500 are stored. The processor 501, the ROM 502, and the RAM 503 are connected to each other by a bus 504. The processor 501 performs various operations described above with reference to fig. 2 by executing programs in the ROM 502 and/or the RAM 503. Note that the programs may also be stored in one or more memories other than the ROM 502 and the RAM 503. The processor 501 may also perform the various operations described above with reference to fig. 2 by executing programs stored in the one or more memories.
According to an embodiment of the present disclosure, system 500 may also include an input/output (I/O) interface 505, input/output (I/O) interface 505 also being connected to bus 504. The system 500 may also include one or more of the following components connected to the I/O interface 505: an input portion 506 including a keyboard, a mouse, and the like; an output portion 507 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage portion 508 including a hard disk and the like; and a communication section 509 including a network interface card such as a LAN card, a modem, or the like. The communication section 509 performs communication processing via a network such as the internet. The driver 510 is also connected to the I/O interface 505 as necessary. A removable medium 511 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 510 as necessary, so that a computer program read out therefrom is mounted into the storage section 508 as necessary.
According to an embodiment of the present disclosure, the method described above with reference to the flow chart may be implemented as a computer software program. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 509, and/or installed from the removable medium 511. The computer program, when executed by the processor 501, performs the above-described functions defined in the system of the embodiments of the present disclosure. The systems, devices, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
It should be noted that the computer readable media shown in the present disclosure may be computer readable signal media or computer readable storage media or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In contrast, in the present disclosure, a computer-readable signal medium may include a propagated data signal with computer-readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing. 
According to embodiments of the present disclosure, a computer-readable medium may include ROM 502 and/or RAM 503 and/or one or more memories other than ROM 502 and RAM 503 described above.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
As another aspect, the present disclosure also provides a computer-readable medium, which may be contained in the apparatus described in the above embodiments; or may be separate and not incorporated into the device. The computer readable medium carries one or more programs which, when executed by a device, cause the device to perform the method as described above.
The embodiments of the present disclosure have been described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used in advantageous combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the present disclosure, and such alternatives and modifications are intended to be within the scope of the present disclosure.

Claims (10)

1. An information processing method performed by a firewall for constructing a virtual extensible local area network, the method comprising:
receiving a data packet;
obtaining a first source port identification based on the data packet;
processing the first source port identification to obtain a second source port identification;
and establishing a session corresponding to the data packet based on the second source port identification, wherein the source port in the five-tuple of the session corresponds to the second source port identification.
2. The method of claim 1, wherein:
the receiving data packet comprises:
receiving a data packet sent by a remote electronic device outside the virtual extensible local area network;
the obtaining a first source port identification based on the packet includes:
analyzing the data packet to obtain a source port identifier in the data packet as a first source port identifier;
the processing the first source port identifier to obtain a second source port identifier includes:
and modifying the first source port identification into a preset identification to obtain a second source port identification.
3. The method of claim 2, wherein the modifying the first source port identification to a preset identification to obtain a second source port identification comprises:
analyzing the data packet to obtain a destination address of the data packet;
and when the destination address is the address of the firewall on the virtual extensible local area network, obtaining a second source port identification by modifying the first source port identification into the preset identification.
4. The method of claim 1, wherein:
the receiving data packet comprises:
receiving a data packet sent by a local electronic device in the virtual extensible local area network;
the obtaining a first source port identification based on the packet includes:
performing hash processing on the data packet to obtain a hash value, wherein the hash value is the first source port identifier;
the processing the first source port identifier to obtain a second source port identifier includes:
and obtaining the second source port identification based on the start port and the port range corresponding to the receiving end of the data packet and the first source port identification.
5. The method of claim 4, wherein the port range corresponding to a receiving end of a packet comprises:
the least common multiple of the number of network equal-cost multipaths and the receive-side scaling value of the network card of the receiving end, wherein the number of network equal-cost multipaths is the number of equal-cost multipaths between the local electronic device and the receiving end of the data packet, and the receive-side scaling value is the receive-side scaling value of the network card of the receiving end of the data packet.
6. An information processing apparatus applied to a firewall for constructing a virtual extensible local area network, the apparatus comprising:
the receiving module is used for receiving the data packet;
an obtaining module, configured to obtain a first source port identifier based on the packet;
the processing module is used for processing the first source port identification to obtain a second source port identification;
and the establishing module is used for establishing a session corresponding to the data packet based on the second source port identifier, wherein the source port in the five-tuple of the session corresponds to the second source port identifier.
7. The apparatus of claim 6, wherein:
the receiving module is further configured to:
receiving a data packet sent by a remote electronic device outside the virtual extensible local area network;
the obtaining module is further configured to:
analyzing the data packet to obtain a source port identifier in the data packet as a first source port identifier;
the processing module is further configured to:
and modifying the first source port identification into a preset identification to obtain a second source port identification.
8. A computer system, comprising:
one or more processors;
a computer-readable storage medium for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of any of claims 1-5.
9. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to carry out the method of any one of claims 1 to 5.
10. A computer program product comprising computer readable instructions, wherein the computer readable instructions, when executed, are for performing the method of any of claims 1-5.
CN201911425002.4A 2019-12-31 2019-12-31 Information processing method and device executed by firewall Active CN111147520B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911425002.4A CN111147520B (en) 2019-12-31 2019-12-31 Information processing method and device executed by firewall

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911425002.4A CN111147520B (en) 2019-12-31 2019-12-31 Information processing method and device executed by firewall

Publications (2)

Publication Number Publication Date
CN111147520A true CN111147520A (en) 2020-05-12
CN111147520B CN111147520B (en) 2022-02-25

Family

ID=70523186

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911425002.4A Active CN111147520B (en) 2019-12-31 2019-12-31 Information processing method and device executed by firewall

Country Status (1)

Country Link
CN (1) CN111147520B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104184842A (en) * 2013-05-24 2014-12-03 中兴通讯股份有限公司 Message forwarding method and device
CN106170015A (en) * 2016-07-26 2016-11-30 杭州迪普科技有限公司 Method and device for limiting the number of concurrent sessions
CN106899474A (en) * 2016-12-07 2017-06-27 新华三技术有限公司 Method and apparatus for message forwarding
US20180191561A1 (en) * 2015-09-02 2018-07-05 Huawei Technologies Co., Ltd. Network element upgrade method and device
CN109547316A (en) * 2018-12-29 2019-03-29 瑞斯康达科技发展股份有限公司 Method, system and storage medium for VXLAN messages traversing NAT equipment
CN109756411A (en) * 2018-12-17 2019-05-14 新华三技术有限公司成都分公司 Message forwarding method, device, first VTEP device and storage medium


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
王富广: "Research on short-flow acceleration technology in data centers based on equal-cost multipath", China Master's and Doctoral Dissertations Full-text Database (Master's), Information Science and Technology Series *

Also Published As

Publication number Publication date
CN111147520B (en) 2022-02-25

Similar Documents

Publication Publication Date Title
CN107113298B (en) Method, apparatus, physical host and computer readable storage medium for providing multi-tenancy support for RDMA
CN110313163B (en) Load balancing in distributed computing systems
US9590820B1 (en) Methods and apparatus for improving load balancing in overlay networks
CN110022264B (en) Method for controlling network congestion, access device and computer readable storage medium
CN113326228B (en) Message forwarding method, device and equipment based on remote direct data storage
US9641435B1 (en) Packet segmentation offload for virtual networks
US9762508B2 (en) Relay optimization using software defined networking
TWI504193B (en) Method and system for offloading tunnel packet processing in cloud computing
US9602416B2 (en) Overlay capabilities exchange using DCBX
US10205609B2 (en) Overlay switch
CN107948077B (en) Method and device for forwarding data message
CN112333135B (en) Gateway determination method, device, server, distributor, system and storage medium
CN109936492B (en) Method, device and system for transmitting message through tunnel
CN109412922B (en) Method, forwarding device, controller and system for transmitting message
CN110177128B (en) Data transmission system and method for establishing VPN connection, terminal and VPN proxy thereof
US11102114B2 (en) Method, apparatus, and computer-readable storage medium for network optimization for accessing cloud service from on-premises network
CN108471374B (en) Data message forwarding method and device
CN111147520B (en) Information processing method and device executed by firewall
CN111800340B (en) Data packet forwarding method and device
US9246820B1 (en) Methods and apparatus for implementing multiple loopback links
CN113709016A (en) Communication system, communication method, communication apparatus, communication device, and storage medium
CN113709015A (en) Data transmission method, electronic device and storage medium
CN114900458B (en) Message forwarding method, device, medium and product
US20230018873A1 (en) Method and system for processing encapsulated wireless traffic
WO2018113909A1 (en) Systems and methods for passing pseudo-tunnel information during session initialization

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Patentee after: QAX Technology Group Inc.

Patentee after: Qianxin Wangshen information technology (Beijing) Co.,Ltd.

Address before: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Patentee before: QAX Technology Group Inc.

Patentee before: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc.