CN111181861A - Policy routing implementation method and device - Google Patents


Publication number
CN111181861A
Authority
CN
China
Prior art keywords
data packet
policy
target
target data
rule
Legal status
Pending
Application number
CN202010030137.7A
Other languages
Chinese (zh)
Inventor
李亚洁
李彦君
胡章丰
高雨
Current Assignee
Shandong Huimao Electronic Port Co Ltd
Original Assignee
Shandong Huimao Electronic Port Co Ltd
Application filed by Shandong Huimao Electronic Port Co Ltd
Priority to CN202010030137.7A
Publication of CN111181861A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00: Routing or path finding of packets in data switching networks
    • H04L45/74: Address processing for routing
    • H04L45/745: Address table lookup; Address filtering

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a policy routing implementation method and device, relating to the technical field of communication. The method comprises: receiving a target data packet from a first virtual machine; detecting, according to attribute information of the target data packet, whether a target policy rule matching the target data packet exists among at least one preset policy rule; if such a target policy rule exists, adding to the target data packet a path label matching the target policy rule; looking up the routing table matching the path label to obtain the next hop address recorded in that routing table, the next hop address identifying a second virtual machine; and forwarding the target data packet to the second virtual machine. The scheme can improve the flexibility of the routing function in a cloud environment.

Description

Policy routing implementation method and device
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a policy routing implementation method and apparatus.
Background
With the continuous development and progress of computer technology, cloud computing has become widely used, for example, OpenStack is one of the widely used cloud computing management platform projects. In a cloud environment where cloud computing is located, there are multiple virtual machines, and communication between the virtual machines needs to be implemented through a routing function.
At present, communication between virtual machines is implemented based on a static route, that is, after a virtual router in a cloud environment receives a data packet sent by one virtual machine, the virtual router forwards the data packet to a next-hop virtual router corresponding to a destination address according to the destination address included in the data packet.
With the static routing used in current cloud environments, the virtual router forwards a data packet according to the destination address in the packet, and a user cannot have data packets transmitted along a specific path according to actual requirements, so the flexibility of the routing function in the cloud environment is poor.
Disclosure of Invention
The embodiment of the invention provides a method and a device for realizing policy routing, which can improve the flexibility of routing functions in a cloud environment.
In a first aspect, an embodiment of the present invention provides a policy routing implementation method, including:
receiving a target data packet from a first virtual machine;
detecting whether a target policy rule matched with the target data packet exists in at least one preset policy rule or not according to the attribute information of the target data packet;
if the target policy rule matched with the target data packet exists, adding a path label matched with the target policy rule for the target data packet;
searching a routing table matched with the path label to obtain a next hop address recorded in the routing table, wherein the next hop address is used for identifying a second virtual machine;
and forwarding the target data packet to the second virtual machine.
Optionally, after detecting whether there is a target policy rule matching the target data packet in at least one preset policy rule, the method further includes:
if the target policy rule matched with the target data packet does not exist, executing:
acquiring a destination address included in the target data packet;
and sending the target data packet to a third virtual machine corresponding to the destination address according to the destination address.
Optionally, before the receiving the target data packet from the first virtual machine, further comprising:
turning off the reverse route check function.
Optionally, the policy routing implementation method further includes:
receiving a policy configuration instruction from a user, and performing policy configuration according to the policy configuration instruction, wherein the policy configuration includes at least one of deleting, modifying, viewing and adding a new policy rule to the at least one policy rule.
Optionally, the attribute information includes at least one of a source IP address, a destination IP address, a source port, a destination port, and a protocol type of the target data packet.
In a second aspect, an embodiment of the present invention further provides a policy routing implementing apparatus, including:
a data receiving module for receiving a target data packet from the first virtual machine;
a rule matching module, which detects whether a target policy rule matched with the target data packet exists in at least one preset policy rule according to the attribute information of the target data packet received by the data receiving module;
a labeling module, configured to add a path label matching the target policy rule to the target data packet when the rule matching module determines that the target policy rule matching the target data packet exists;
an address searching module, configured to search a routing table matched with the path label added by the labeling module, and obtain a next hop address recorded in the routing table, where the next hop address is used to identify a second virtual machine;
and the first data forwarding module is used for forwarding the target data packet to the second virtual machine identified by the next hop address obtained by the address searching module.
Optionally, the policy routing implementing apparatus further includes:
and the second data forwarding module is used for acquiring a destination address included by the target data packet when the rule matching module determines that the target policy rule matched with the target data packet does not exist, and sending the target data packet to a second virtual machine corresponding to the destination address according to the destination address.
Optionally, the policy routing implementing apparatus further includes:
and the check closing module is used for closing the reverse route check function.
Optionally, the policy routing implementing apparatus further includes:
and the policy configuration module is used for receiving a policy configuration instruction from a user and performing policy configuration according to the policy configuration instruction, wherein the policy configuration comprises at least one of deleting, modifying, viewing and adding a new policy rule to the at least one policy rule.
Optionally, the attribute information includes at least one of a source IP address, a destination IP address, a source port, a destination port, and a protocol type of the target data packet.
According to the technical scheme, after a target data packet from a first virtual machine is received, whether a target policy rule matched with the target data packet exists is judged according to attribute information of the target data packet, if the target policy rule matched with the target data packet exists, a path label matched with the target policy rule is added to the target data packet, then a routing table corresponding to the path label is inquired according to the path label to obtain a next hop address, and the target data packet is forwarded to a second virtual machine identified by the next hop address. Therefore, the user can forward the data packets meeting the corresponding policy rules to the designated virtual machine by setting the policy rules, so that the policy routing function is realized, the user can transmit the data packets according to a specific path according to actual requirements, and the flexibility of the routing function in the cloud environment can be improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a flowchart of a policy routing implementation method according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of forwarding a data packet by using a policy routing function according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of a device in which a policy routing implementing apparatus according to an embodiment of the present invention is located;
Fig. 4 is a schematic diagram of a policy routing implementation apparatus according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of another policy routing implementation apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer and more complete, the technical solutions in the embodiments of the present invention will be described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention, and based on the embodiments of the present invention, all other embodiments obtained by a person of ordinary skill in the art without creative efforts belong to the scope of the present invention.
As shown in fig. 1, an embodiment of the present invention provides a policy routing implementation method, where the method may include the following steps:
Step 101: receiving a target data packet from a first virtual machine;
Step 102: detecting whether a target policy rule matched with the target data packet exists in at least one preset policy rule or not according to the attribute information of the target data packet;
Step 103: if the target policy rule matched with the target data packet exists, adding a path label matched with the target policy rule for the target data packet;
Step 104: searching a routing table matched with the path label to obtain a next hop address recorded in the routing table, wherein the next hop address is used for identifying the second virtual machine;
Step 105: forwarding the target data packet to the second virtual machine.
In the embodiment of the invention, after a target data packet from a first virtual machine is received, whether a target policy rule matched with the target data packet exists is judged according to the attribute information of the target data packet, if the target policy rule matched with the target data packet exists, a path label matched with the target policy rule is added to the target data packet, then a routing table corresponding to the path label is inquired according to the path label to obtain a next hop address, and the target data packet is forwarded to a second virtual machine identified by the next hop address. Therefore, the user can forward the data packets meeting the corresponding policy rules to the designated virtual machine by setting the policy rules, so that the policy routing function is realized, the user can transmit the data packets according to a specific path according to actual requirements, and the flexibility of the routing function in the cloud environment can be improved.
In the embodiment of the invention, a plurality of policy rules are preset by a user, and each policy rule comprises a matching item and a next hop address. For any policy rule, the matching item is compared with the attribute information of a data packet to detect whether that data packet matches the policy rule, and the next hop address indicates the virtual machine to which a data packet must be forwarded when it matches the policy rule.
In the embodiment of the invention, the user can make different types of data packets forwarded through different links by setting the policy rules, so that the forwarding path of the data packets can be planned more reasonably, different data streams are forwarded through different links, the utilization rate of the links is further improved, and the speed of transmitting data among different virtual machines is faster.
Optionally, on the basis of the policy routing implementation method shown in fig. 1, after detecting whether there is a target policy rule matching the target data packet in step 102, if the detection result is that there is no target policy rule matching the target data packet, the destination address included in the target data packet is obtained, and the target data packet is sent to the third virtual machine corresponding to the destination address.
In the embodiment of the invention, if the target data packet is not matched with each policy rule, the user does not make a routing rule for the type of data packet, and the data packet is correspondingly forwarded according to the destination address in a static routing mode. Therefore, the method can not only realize the static routing function, but also realize the policy routing function, thereby further improving the flexibility and controllability of the routing function.
Optionally, on the basis of the policy routing implementation method described in fig. 1, the reverse routing checking function may be turned off before receiving the data packet from the virtual machine.
In this embodiment of the present invention, the policy routing implementation method may be applied to a virtual router in a cloud environment. Such a virtual router normally has a reverse routing check function: after receiving a data packet sent by a virtual machine, the virtual router detects whether a data packet can be sent back to that virtual machine, that is, whether the reverse link between the virtual router and the virtual machine is connected. If the detection result indicates that a data packet cannot be sent to the virtual machine, the virtual router will not forward the data packet sent by that virtual machine to other virtual machines. In order to realize the policy routing function, the reverse routing check function of the virtual router is turned off, so that the virtual router no longer checks the connection state of the reverse route. This ensures that the virtual router forwards a data packet to other virtual machines normally after receiving it from one virtual machine, and that the policy routing function works normally.
Optionally, on the basis of the policy routing implementation method shown in fig. 1, a policy configuration instruction from a user may be further received, and policy configuration is performed according to the received policy configuration instruction, where the policy configuration operation includes deleting, modifying, or viewing at least one existing policy rule, and may also include adding a new policy rule.
In the embodiment of the invention, one or more policy rules are preset by a user, and while using the policy routing function the user can add a new policy rule according to actual requirements and delete, modify and view the existing policy rules. The rules for routing different types of data packets can thus be adjusted according to the actual requirements of the user, which meets the personalized requirements of different users and improves user satisfaction.
Optionally, on the basis of the policy routing implementation method provided in each of the foregoing embodiments, the attribute information may include any one or more of a source IP address, a destination IP address, a source port, a destination port, and a protocol type of the target packet. The source IP address indicates the IP address of the virtual machine that sends the target packet, the destination IP address indicates the IP address of the virtual machine that finally receives the target packet, the source port indicates the port that sends the target packet, the destination port indicates the port that receives the target packet, and the protocol type indicates the protocol used to transmit the target packet; for example, the protocol type may be TCP or UDP.
In the embodiment of the present invention, the attribute information of the data packet includes part or all of a source IP address, a destination IP address, a source port, a destination port, and a protocol type, and these pieces of information may be used to determine whether the data packet matches a corresponding policy rule, and a user specifies the policy rule based on these pieces of information, and may accurately classify different types of data packets, and may further accurately allocate the data packet to different links for forwarding, and while ensuring that a link has a higher utilization rate, it is ensured that a faster speed is provided when transmitting the data packet between different virtual machines.
It should be noted that the policy routing implementation method provided in the embodiment of the present invention may be applied to OpenStack and executed by a virtual router (router) in OpenStack, and the implementation process of the specific policy routing may be implemented by an extended neutron plug-in. The method for implementing policy routing in OpenStack is described in detail below.
The basic idea of implementing policy routing in OpenStack is as follows: in the namespace that neutron creates for the router, data packets are matched through iptables, with matching items comprising the source IP address, destination IP address, source port, destination port, protocol type and the like of the data packet; successfully matched data packets are marked (the path label); data packets carrying a given mark are then routed with the corresponding routing table through an ip rule (policy rule); finally the routing table information is read and the data packet is sent out of the gateway.
When policy routing is implemented in OpenStack, it is implemented based on the following five components: 1) a PBR policy management module; 2) a PBR message notification module; 3) a PBR function implementation module; 4) a PBR database module. PBR is the abbreviation of Policy based route, namely, the policy routing function.
1) PBR policy management module
The PBR policy management module is responsible for the configuration management of the user's PBR policy data. It receives PBR configuration requests from a user (such as adding, deleting, modifying and viewing the PBR configuration) and records the user's PBR configuration data in the PBR policy database. This module is implemented as a neutron service plugin.
2) PBR message notification module
The PBR message notification module mainly has two functions: 1) after a PBR configuration request of a user is received, notifying the PBR function implementation module of the PBR information; 2) receiving a request from the PBR function implementation module and calling the PBR policy management module to query the PBR information. This module is implemented by RPC remote call.
3) PBR function implementation module
The PBR function implementation module is an extension of neutron-l3-agent. It is responsible for managing the router namespace on the data plane nodes (computing nodes), and adds, deletes or modifies policy rules in the namespace of the corresponding router according to the PBR policy configured by the user. Its specific functions are: 1) adding a rule to the neutron-l3-agent-PREROUTING chain of the mangle table, and setting the label of the corresponding data packet through MARK; 2) adding an ip rule so that packets with the corresponding mark value look up the corresponding routing table; 3) adding a routing table through ip route, and adding a default route according to the PBR policy. Because the mangle table is processed before the nat table and the filter table, a matching data packet is marked as soon as it arrives, is then routed with the corresponding routing table through the ip rule, and finally the default route in that routing table is read and the data packet is sent to the next address. This module is implemented by the extension plug-in of neutron-l3-agent.
4) PBR database module
The PBR policy database is responsible for recording the PBR policy configuration information of the user and providing data sources for the PBR policy management module and the PBR function implementation module.
The implementation of policy routing in OpenStack may specifically be performed by the following steps:
(1) The PBR policy management module, namely the service_plugin of neutron, is started and provides a REST interface to the user; the user calls the interface for creating a PBR policy and issues rules (a packet matching item and a next address).
(2) The PBR policy management module writes the rule information into the database module and sends the rule information to the PBR function implementation module through the message notification module.
(3) The PBR function implementation module runs on each computing node, receives the rule information sent from the management module, and configures iptables, ip rule and ip route in the namespace of the router:
1) reading the matching item in the PBR rule and adding the iptables rule: iptables -t mangle -A neutron-l3-agent-PREROUTING -i qr-6ea75570-a3 -s 20.0.1.4 -j MARK --set-mark 10;
2) adding the ip rule according to the MARK value: ip rule add fwmark 10 table 10 pref 10;
3) adding a default route to the routing table, whose next address is the next address in the PBR rule: ip route add table 10 default via 10.0.0.2;
4) setting the Linux kernel parameter rp_filter to 0 in the namespace, which turns off the reverse route check function.
(4) After the PBR function module configures the rules, traffic passing through the router preferentially uses the configured policy routing. As shown in fig. 2, two PBR policies are configured in the router: for traffic whose source address is 1.1.1.1 and whose protocol is TCP, the next address is 3.3.3.2; for traffic whose source address is 2.2.2.3, whose protocol is UDP and whose source port is 100, the next address is 1.1.1.1. Therefore, a TCP packet sent from the virtual machine with IP address 1.1.1.1 is forwarded to the virtual machine with IP address 3.3.3.2 and then forwarded onward from that virtual machine; a UDP packet with source port 100 sent from the virtual machine with IP address 2.2.2.3 is forwarded to the virtual machine with IP address 1.1.1.1 and then forwarded onward from that virtual machine.
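The pipeline of steps (1) to (4), as an added example that is not part of the patent or of neutron: a Python model of the mark, ip rule and per-mark routing table lookup with the static-route fallback, plus a renderer for the commands of step (3). The names Packet, PbrRule, classify, next_hop and render_commands, the marks 10/20, the main table and the sysctl key spelling are assumptions made for illustration; the two policies are those of fig. 2.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class PbrRule:
    mark: int                     # path label; reused as table id and pref, as in step (3)
    next_hop: str                 # default route of the per-mark routing table
    src: Optional[str] = None     # None means "match any"
    dst: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return all([
            self.src is None or ip_address(p.src) in ip_network(self.src, strict=False),
            self.dst is None or ip_address(p.dst) in ip_network(self.dst, strict=False),
            self.proto is None or self.proto == p.proto,
            self.sport is None or self.sport == p.sport,
            self.dport is None or self.dport == p.dport,
        ])


def classify(pkt, rules):
    """Steps 102-103: return the fwmark for pkt, or None if no policy matches.

    MARK is a non-terminating iptables target: chain traversal continues after
    it, so when several rules match, the mark set by the LAST one sticks.
    """
    mark = None
    for rule in rules:
        if rule.matches(pkt):
            mark = rule.mark
    return mark


def next_hop(pkt, rules, main_table):
    """Steps 104-105 plus fallback: return (next hop address, table used)."""
    mark = classify(pkt, rules)
    if mark is not None:
        tables = {r.mark: r.next_hop for r in rules}   # "ip route add table N default via ..."
        return tables[mark], f"table {mark}"
    # No policy matched: destination-based longest-prefix match (static routing).
    dst = ip_address(pkt.dst)
    hits = [(ip_network(p), gw) for p, gw in main_table if dst in ip_network(p)]
    if not hits:
        return None, "unreachable"
    _, gw = max(hits, key=lambda h: h[0].prefixlen)
    return (gw or pkt.dst), "main"                     # gw None = on-link delivery


def render_commands(rule, in_iface, chain="neutron-l3-agent-PREROUTING"):
    """Render the commands of step (3) for one rule, to run in the router namespace."""
    if (rule.sport is not None or rule.dport is not None) and rule.proto is None:
        raise ValueError("a port match needs a protocol (-p tcp or -p udp)")
    ipt = ["iptables", "-t", "mangle", "-A", chain, "-i", in_iface]
    for flag, value in (("-p", rule.proto), ("-s", rule.src), ("-d", rule.dst),
                        ("--sport", rule.sport), ("--dport", rule.dport)):
        if value is not None:
            ipt += [flag, str(value)]
    ipt += ["-j", "MARK", "--set-mark", str(rule.mark)]
    return [
        " ".join(ipt),
        f"ip rule add fwmark {rule.mark} table {rule.mark} pref {rule.mark}",
        f"ip route add table {rule.mark} default via {rule.next_hop}",
        # Assumed spelling of "rp_filter = 0". The kernel applies the maximum of
        # conf.all and conf.<iface>, so both must be 0 for the check to be off.
        "sysctl -w net.ipv4.conf.all.rp_filter=0",
        f"sysctl -w net.ipv4.conf.{in_iface}.rp_filter=0",
    ]


# The two policies of fig. 2; mark values are constructed for this example.
FIG2_RULES = [
    PbrRule(mark=10, next_hop="3.3.3.2", src="1.1.1.1", proto="tcp"),
    PbrRule(mark=20, next_hop="1.1.1.1", src="2.2.2.3", proto="udp", sport=100),
]
# Constructed main table: one on-link subnet and a default gateway.
MAIN_TABLE = [("3.3.3.0/24", None), ("0.0.0.0/0", "10.0.0.1")]

if __name__ == "__main__":
    for p in (Packet("1.1.1.1", "9.9.9.9", "tcp", 40000, 80),
              Packet("2.2.2.3", "9.9.9.9", "udp", 100, 53),
              Packet("2.2.2.3", "3.3.3.2", "udp", 101, 53)):
        print(p, "->", next_hop(p, FIG2_RULES, MAIN_TABLE))
    print("\n".join(render_commands(PbrRule(10, "10.0.0.2", src="20.0.1.4"), "qr-6ea75570-a3")))
```

With rp_filter at 0 the router namespace no longer drops packets whose source address is unreachable through the receiving interface, so source validation for these ports has to come from elsewhere, for example the port's own anti-spoofing rules.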
As shown in fig. 3 and 4, an embodiment of the present invention provides a policy routing implementing apparatus. The device embodiments may be implemented by software, or by hardware, or by a combination of hardware and software. From a hardware level, as shown in fig. 3, a hardware structure diagram of a device where a policy routing implementation apparatus provided in the embodiment of the present invention is located is shown, where in addition to the processor, the memory, the network interface, and the nonvolatile memory shown in fig. 3, the device where the apparatus is located in the embodiment may also generally include other hardware, such as a forwarding chip responsible for processing a packet, and the like. Taking a software implementation as an example, as shown in fig. 4, as a logical apparatus, the apparatus is formed by reading a corresponding computer program instruction in a non-volatile memory into a memory by a CPU of a device in which the apparatus is located and running the computer program instruction. The policy routing implementation apparatus provided in this embodiment includes:
a data receiving module 401, configured to receive a target data packet from a first virtual machine;
a rule matching module 402, configured to detect whether a target policy rule matching the target data packet exists in at least one preset policy rule according to the attribute information of the target data packet received by the data receiving module 401;
a tagging module 403, configured to add a path tag matching the target policy rule to the target data packet when the rule matching module 402 determines that the target policy rule matching the target data packet exists;
an address searching module 404, configured to search a routing table matched with the path label added by the labeling module 403, and obtain a next hop address recorded in the routing table, where the next hop address is used to identify the second virtual machine;
a first data forwarding module 405, configured to forward the target data packet to the second virtual machine identified by the next hop address obtained by the address searching module 404.
In the embodiment of the present invention, the data receiving module 401 may be configured to execute step 101 in the above-described method embodiment, the rule matching module 402 may be configured to execute step 102 in the above-described method embodiment, the tagging module 403 may be configured to execute step 103 in the above-described method embodiment, the address searching module 404 may be configured to execute step 104 in the above-described method embodiment, and the first data forwarding module 405 may be configured to execute step 105 in the above-described method embodiment.
Optionally, on the basis of the policy routing implementing apparatus shown in fig. 4, as shown in fig. 5, the policy routing implementing apparatus further includes:
and a second data forwarding module 406, configured to, when the rule matching module 402 determines that the target policy rule matching the target data packet does not exist, obtain a destination address included in the target data packet, and send the target data packet to a second virtual machine corresponding to the destination address according to the destination address.
Optionally, on the basis of the policy route implementing apparatus shown in fig. 4, the policy route implementing apparatus further includes:
and the check closing module is used for closing the reverse route check function.
Optionally, on the basis of the policy route implementing apparatus shown in fig. 4, the policy route implementing apparatus further includes:
and the policy configuration module is used for receiving a policy configuration instruction from a user and performing policy configuration according to the policy configuration instruction, wherein the policy configuration comprises at least one of deleting, modifying, checking and adding a new policy rule to at least one policy rule.
Optionally, on the basis of the policy routing implementing apparatus shown in fig. 4 or fig. 5, the attribute information includes at least one of a source IP address, a destination IP address, a source port, a destination port, and a protocol type of the target data packet.
It should be noted that, because the contents of information interaction, execution process, and the like between the modules in the apparatus are based on the same concept as the method embodiment of the present invention, specific contents may refer to the description in the method embodiment of the present invention, and are not described herein again.
The embodiment of the present invention further provides a readable medium, which includes an execution instruction, and when a processor of a storage controller executes the execution instruction, the storage controller executes the policy routing implementation method provided in each of the above embodiments.
An embodiment of the present invention further provides a storage controller, including: a processor, a memory, and a bus;
the memory is used for storing an execution instruction, the processor is connected with the memory through the bus, and when the storage controller runs, the processor executes the execution instruction stored in the memory, so that the storage controller executes the policy routing implementation method provided by the above embodiments.
In summary, the policy routing implementation method and apparatus provided by the present invention at least have the following beneficial effects:
1. In the embodiment of the invention, after a target data packet from a first virtual machine is received, whether a target policy rule matched with the target data packet exists is judged according to the attribute information of the target data packet, if the target policy rule matched with the target data packet exists, a path label matched with the target policy rule is added to the target data packet, then a routing table corresponding to the path label is inquired according to the path label to obtain a next hop address, and the target data packet is forwarded to a second virtual machine identified by the next hop address. Therefore, the user can forward the data packets meeting the corresponding policy rules to the designated virtual machine by setting the policy rules, so that the policy routing function is realized, the user can transmit the data packets according to a specific path according to actual requirements, and the flexibility of the routing function in the cloud environment can be improved.
2. In the embodiment of the invention, the user can make different types of data packets forwarded through different links by setting the policy rules, so that the forwarding path of the data packets can be planned more reasonably, different data streams are forwarded through different links, the utilization rate of the links is further improved, and the speed of transmitting data among different virtual machines is faster.
3. In the embodiment of the invention, if the target data packet matches none of the policy rules, this indicates that the user has not made a routing rule for this type of data packet, and the data packet is forwarded according to its destination address in a static routing mode. Therefore, the method can realize both the static routing function and the policy routing function, which further improves the flexibility and controllability of the routing function.
4. In the embodiment of the invention, in order to realize the policy routing function, the reverse route check function of the virtual router is turned off, so that the virtual router no longer checks the communication state of the reverse route. This ensures that the virtual router can normally forward a data packet to other virtual machines after receiving it from one virtual machine, and thus that the policy routing function is realized normally.
5. In the embodiment of the invention, one or more policy rules are preset by a user. While using the policy routing function, the user can add a new policy rule according to actual requirements and delete, modify, and view the existing policy rules. The rules for routing different types of data packets can therefore be adjusted according to the actual requirements of the user, which meets the personalized requirements of different users and improves user satisfaction.
6. In the embodiment of the present invention, the attribute information of the data packet includes part or all of a source IP address, a destination IP address, a source port, a destination port, and a protocol type. This information can be used to determine whether the data packet matches a given policy rule. Because the user specifies policy rules based on this information, different types of data packets can be classified accurately and allocated to different links for forwarding, which keeps link utilization high while ensuring a faster speed when transmitting data packets between different virtual machines.
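The flow summarized in effects 1, 3 and 6 can be modelled in a few lines. The following Python sketch is an added illustration, not code from the patent: the class and function names, the first-match rule ordering, the longest-prefix lookup inside each table, and all sample addresses and labels are assumptions. It also shows that rule order decides which path label a packet receives, so a broad rule placed first shadows a narrower one.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str

@dataclass(frozen=True)
class PolicyRule:
    label: int                       # path label added to a matching packet
    src_net: Optional[str] = None    # None means "any" for every attribute
    dst_net: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        def in_net(ip, net):
            return net is None or ipaddress.ip_address(ip) in ipaddress.ip_network(net)
        return (in_net(p.src_ip, self.src_net) and in_net(p.dst_ip, self.dst_net)
                and self.src_port in (None, p.src_port)
                and self.dst_port in (None, p.dst_port)
                and self.proto in (None, p.proto))

def longest_prefix(table, dst_ip):
    """Next hop of the most specific route covering dst_ip, or None."""
    addr = ipaddress.ip_address(dst_ip)
    hits = [(ipaddress.ip_network(net), hop) for net, hop in table.items()
            if addr in ipaddress.ip_network(net)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def route(p, rules, label_tables, static_table):
    """Return (next_hop, label); label is None when static routing was used."""
    for rule in rules:               # assumption: the first matching rule wins
        if rule.matches(p):
            return longest_prefix(label_tables.get(rule.label, {}), p.dst_ip), rule.label
    return longest_prefix(static_table, p.dst_ip), None

# Constructed sample configuration (addresses and labels are illustrative).
RULES = [
    PolicyRule(label=1, src_net="10.0.1.0/24", dst_port=443, proto="tcp"),
    PolicyRule(label=2, src_net="10.0.1.0/24"),
]
LABEL_TABLES = {1: {"0.0.0.0/0": "10.0.9.10"}, 2: {"0.0.0.0/0": "10.0.9.20"}}
STATIC_TABLE = {"10.0.2.0/24": "10.0.2.1", "0.0.0.0/0": "10.0.0.1"}

if __name__ == "__main__":
    https = Packet("10.0.1.5", "10.0.2.8", 40000, 443, "tcp")
    print(route(https, RULES, LABEL_TABLES, STATIC_TABLE))
    # Reversing the rule order lets the broad rule shadow the HTTPS rule.
    print(route(https, RULES[::-1], LABEL_TABLES, STATIC_TABLE))
```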
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a" does not exclude the presence of other similar elements in a process, method, article, or apparatus that comprises the element.
Those of ordinary skill in the art will understand that: all or part of the steps for realizing the method embodiments can be completed by hardware related to program instructions, the program can be stored in a computer readable storage medium, and the program executes the steps comprising the method embodiments when executed; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
Finally, it is to be noted that: the above description is only a preferred embodiment of the present invention, and is only used to illustrate the technical solutions of the present invention, and not to limit the protection scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.

Claims (10)

1. The policy routing implementation method is characterized by comprising the following steps:
receiving a target data packet from a first virtual machine;
detecting whether a target policy rule matched with the target data packet exists in at least one preset policy rule or not according to the attribute information of the target data packet;
if the target policy rule matched with the target data packet exists, adding a path label matched with the target policy rule for the target data packet;
searching a routing table matched with the path label to obtain a next hop address recorded in the routing table, wherein the next hop address is used for identifying a second virtual machine;
and forwarding the target data packet to the second virtual machine.
2. The method according to claim 1, wherein after the detecting whether there is a target policy rule matching the target packet in the preset at least one policy rule, the method further comprises:
if the target policy rule matched with the target data packet does not exist, executing:
acquiring a destination address included in the target data packet;
and sending the target data packet to a third virtual machine corresponding to the destination address according to the destination address.
3. The method of claim 1, prior to said receiving the target packet from the first virtual machine, further comprising:
the reverse route check function is turned off.
4. The method of claim 1, further comprising:
receiving a policy configuration instruction from a user, and performing policy configuration according to the policy configuration instruction, wherein the policy configuration includes at least one of deleting, modifying, viewing and adding a new policy rule to the at least one policy rule.
5. The method according to any one of claims 1 to 4,
the attribute information includes at least one of a source IP address, a destination IP address, a source port, a destination port, and a protocol type of the target data packet.
6. The policy routing implementing device is characterized by comprising:
a data receiving module for receiving a target data packet from the first virtual machine;
a rule matching module, which detects whether a target policy rule matched with the target data packet exists in at least one preset policy rule according to the attribute information of the target data packet received by the data receiving module;
a labeling module, configured to add a path label matching the target policy rule to the target data packet when the rule matching module determines that the target policy rule matching the target data packet exists;
an address searching module, configured to search a routing table matched with the path label added by the labeling module, and obtain a next hop address recorded in the routing table, where the next hop address is used to identify a second virtual machine;
and the first data forwarding module is used for forwarding the target data packet to the second virtual machine identified by the next hop address obtained by the address searching module.
7. The apparatus of claim 6, further comprising:
and the second data forwarding module is used for acquiring a destination address included by the target data packet when the rule matching module determines that the target policy rule matched with the target data packet does not exist, and sending the target data packet to a second virtual machine corresponding to the destination address according to the destination address.
8. The apparatus of claim 6, further comprising:
and the check closing module is used for closing the reverse route check function.
9. The apparatus of claim 6, further comprising:
and the policy configuration module is used for receiving a policy configuration instruction from a user and performing policy configuration according to the policy configuration instruction, wherein the policy configuration comprises at least one of deleting, modifying, viewing and adding a new policy rule to the at least one policy rule.
10. The apparatus according to any one of claims 6 to 9,
the attribute information includes at least one of a source IP address, a destination IP address, a source port, a destination port, and a protocol type of the target data packet.
CN202010030137.7A 2020-01-13 2020-01-13 Policy routing implementation method and device Pending CN111181861A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010030137.7A CN111181861A (en) 2020-01-13 2020-01-13 Policy routing implementation method and device

Publications (1)

Publication Number Publication Date
CN111181861A (en) 2020-05-19

Family

ID=70623695

Country Status (1)

Country Link
CN (1) CN111181861A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200519
