CN111371723B - Method and device for realizing PPTP VPN network isolation under DPDK framework - Google Patents


Info

Publication number: CN111371723B
Authority: CN (China)
Prior art keywords: pptp vpn, pptp, tenant, vpn, space
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201811496567.7A
Other languages: Chinese (zh)
Other versions: CN111371723A
Inventors: 李竞佳, 曹志文, 范少卓, 许加烜
Current assignee: Wangsu Science and Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Wangsu Science and Technology Co Ltd
Events: application filed by Wangsu Science and Technology Co Ltd; priority to CN201811496567.7A; publication of CN111371723A; application granted; publication of CN111371723B; legal status Active; anticipated expiration

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 12/00 Data switching networks > H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks] > H04L 12/46 Interconnection of networks > H04L 12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls > H04L 63/0272 Virtual private networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method and a device for realizing PPTP VPN network isolation under a DPDK framework, belonging to the technical field of virtual networks. The method comprises the following steps: the PPTP VPN control process loads a PPTP VPN configuration file and obtains the isolation space information and configuration option values recorded in it for the different tenants; the PPTP VPN control process establishes a user-state isolation space for each tenant according to that tenant's isolation space information and configuration option values; for each tenant, the PPTP VPN control process establishes a PPTP VPN control connection with the tenant's client using the space resources of the tenant's user-state isolation space, and negotiates a PPTP VPN data channel; the PPTP VPN data process, using the space resources of the user-state isolation space, exchanges packets with the tenant's client through the PPTP VPN data channel. By adopting the invention, user-state network isolation can be realized for the PPTP VPN, so that the performance loss of the PPTP VPN service end is reduced and the PPTP VPN service efficiency is improved.

Description

Method and device for realizing PPTP VPN network isolation under DPDK framework
Technical Field
The invention relates to the technical field of virtual networks, in particular to a method and a device for realizing PPTP VPN network isolation under a DPDK framework.
Background
Network isolation in a network device is a technique for receiving service data through different network cards on the device and storing the service data in different network isolation spaces for processing. Because the network isolation spaces are completely isolated from each other, the service programs running in them do not interfere with one another, so the service programs can run concurrently and stably and the safety of data during service processing is ensured.
The Linux system provides a kernel-level environment isolation method based on the Namespace mechanism, in which Network Namespaces (NS) can be used to achieve network isolation inside the network device. Logically, each Network Namespace can be understood as a copy of the network protocol stack that provides an independent network environment: like an independent system, it has its own network resources such as a routing table, a neighbour table, Netfilter tables and network sockets.
The inventor finds that the prior art has at least the following problems:
at present more and more service programs run on a user-mode protocol stack deployed in user space. After a PPTP VPN (Point-to-Point Tunneling Protocol Virtual Private Network) is reworked on top of DPDK (Data Plane Development Kit), it does not support user-mode network resource isolation. If all PPTP VPN data packets are instead steered into kernel space along an exception path so that kernel-level network isolation can be used, processing switches frequently between kernel mode and user mode, which causes performance loss on the network device and makes the PPTP VPN service inefficient.
Disclosure of Invention
In order to solve the problems in the prior art, embodiments of the present invention provide a method and an apparatus for implementing PPTP VPN network isolation under a DPDK framework. The technical scheme is as follows:
in a first aspect, a method for implementing PPTP VPN network isolation under a DPDK framework is provided, where the method includes:
the PPTP VPN control process loads a PPTP VPN configuration file and acquires isolation space information and configuration option values corresponding to different tenants recorded in the PPTP VPN configuration file;
the PPTP VPN control process establishes user-state isolation spaces corresponding to different tenants according to isolation space information and configuration option values corresponding to the different tenants;
for each tenant, the PPTP VPN control process establishes PPTP VPN control connection with a client of the tenant based on the space resources of the user-state isolation space corresponding to the tenant, and negotiates to determine a PPTP VPN data channel;
and the PPTP VPN data process carries out message transmission with the client of the tenant through the PPTP VPN data channel based on the space resource of the user state isolation space.
Optionally, the obtaining isolation space information and configuration option values corresponding to different tenants recorded in the PPTP VPN configuration file includes:
the PPTP VPN control process reads and stores isolation space information and configuration option values corresponding to different tenants recorded in the PPTP VPN configuration file through an isolation space configuration structure body added in advance in an execution code of the PPTP VPN control process.
Optionally, the configuration option value at least includes a VPN public network IP address corresponding to each tenant.
Optionally, before the PPTP VPN control process establishes PPTP VPN control connection with the tenant based on the space resource of the user-state isolation space corresponding to the tenant and negotiates to determine the PPTP VPN data channel, the method further includes:
the PPTP VPN control process establishes and monitors a control connection socket corresponding to each tenant in a binding manner based on the isolation space information corresponding to each tenant and the VPN public network IP address;
the PPTP VPN control process carries out resource isolation on original control configuration information, generates multiple pieces of control configuration information, and associates each piece of control configuration information with a user state isolation space.
Optionally, the PPTP VPN control process establishing a PPTP VPN control connection with the client of the tenant based on the space resources of the user-state isolation space corresponding to the tenant, and negotiating to determine a PPTP VPN data channel, includes:
when a dial-up connection request of a target client is received through a control connection socket corresponding to a target tenant, the PPTP VPN control process determines a target user state isolation space corresponding to the target tenant;
and the PPTP VPN control process carries out PPP negotiation with the target client through the control configuration information associated with the target user state isolation space, establishes PPTP VPN control connection and determines a target message forwarding port corresponding to the PPTP VPN data channel.
Optionally, after the PPTP VPN control connection is established and the target packet forwarding port corresponding to the PPTP VPN data channel is determined, the method further includes:
and the PPTP VPN control process transmits the space identifier of the target user state isolation space and the port identifier of the target message forwarding port to a PPTP VPN data process in an inter-process communication mode.
Optionally, the PPTP VPN data process performs packet transmission with the client of the tenant through the PPTP VPN data channel based on the space resource of the user-state isolation space, and includes:
the PPTP VPN data process establishes a data connection socket corresponding to the target client according to the space identifier and the port identifier;
and the PPTP VPN data process carries out message transmission with the target client through the data connection socket based on the space resource of the target user state isolation space.
In a second aspect, a device for implementing PPTP VPN network isolation under a DPDK framework is provided, where the device runs a PPTP VPN control process and a PPTP VPN data process modified by the DPDK framework, where:
the PPTP VPN control process is used for loading a PPTP VPN configuration file and acquiring isolation space information and configuration option values corresponding to different tenants recorded in the PPTP VPN configuration file;
the PPTP VPN control process is used for establishing user-state isolation spaces corresponding to different tenants according to isolation space information and configuration option values corresponding to the different tenants;
the PPTP VPN control process is used for establishing PPTP VPN control connection with a client of each tenant and negotiating to determine a PPTP VPN data channel for each tenant based on the space resources of the user-state isolation space corresponding to the tenant;
the PPTP VPN data process is configured to perform message transmission with the client of the tenant through the PPTP VPN data channel based on the space resource of the user-state isolation space.
Optionally, the PPTP VPN control process is specifically configured to:
and reading and storing isolation space information and configuration option values corresponding to different tenants recorded in the PPTP VPN configuration file through an isolation space configuration structure body added in advance in the execution code of the PPTP VPN control process.
Optionally, the configuration option value at least includes a VPN public network IP address corresponding to each tenant.
Optionally, the PPTP VPN control process is further configured to:
establishing, binding and listening on a control connection socket corresponding to each tenant based on the isolation space information and the VPN public network IP address corresponding to each tenant;
the method comprises the steps of carrying out resource isolation on original control configuration information, generating multiple pieces of control configuration information, and associating each piece of control configuration information with a user state isolation space.
Optionally, the PPTP VPN control process is specifically configured to:
when a dial-up connection request of a target client is received through a control connection socket corresponding to a target tenant, determining a target user state isolation space corresponding to the target tenant;
PPP negotiation is carried out with the target client through the control configuration information associated with the target user state isolation space, PPTP VPN control connection is established, and a target message forwarding port corresponding to a PPTP VPN data channel is determined.
Optionally, the PPTP VPN control process is further configured to:
and transmitting the space identifier of the target user state isolation space and the port identifier of the target message forwarding port to a PPTP VPN data process in an inter-process communication mode.
Optionally, the PPTP VPN data process is specifically configured to:
establish a data connection socket corresponding to the target client according to the space identifier and the port identifier;
and carry out packet transmission with the target client through the data connection socket based on the space resource of the target user-state isolation space.
In a third aspect, a network device is provided, which includes a processor and a memory, where at least one instruction, at least one program, a set of codes, or a set of instructions is stored in the memory, and the at least one instruction, the at least one program, the set of codes, or the set of instructions is loaded and executed by the processor to implement the method for implementing PPTP VPN network isolation under a DPDK framework according to the first aspect.
In a fourth aspect, a computer-readable storage medium is provided, in which at least one instruction, at least one program, a set of codes, or a set of instructions is stored, which is loaded and executed by a processor to implement the method for implementing PPTP VPN network isolation under a DPDK framework as described in the first aspect.
The technical scheme provided by the embodiment of the invention has the following beneficial effects:
in the embodiment of the invention, a PPTP VPN control process loads a PPTP VPN configuration file to acquire isolation space information and configuration option values corresponding to different tenants recorded in the PPTP VPN configuration file; the PPTP VPN control process establishes user-state isolation spaces corresponding to different tenants according to isolation space information and configuration option values corresponding to the different tenants; for each tenant, the PPTP VPN control process establishes PPTP VPN control connection with a client of the tenant based on the space resources of the user-state isolation space corresponding to the tenant, and negotiates to determine a PPTP VPN data channel; the PPTP VPN data process is based on space resources of a user state isolation space and carries out message transmission with a client of a tenant through a PPTP VPN data channel. Therefore, the PPTP VPN realizes user-mode network isolation from three aspects of the PPTP VPN configuration file, the PPTP VPN control process and the PPTP VPN data process, the support of multi-tenant PPTP VPN service is realized, the frequent switching between the kernel mode and the user mode is avoided, the performance loss of the PPTP VPN service end is further saved, and the PPTP VPN service efficiency is improved.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a flowchart of a method for implementing PPTP VPN network isolation under a DPDK framework according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of a network device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, embodiments of the present invention will be described in detail with reference to the accompanying drawings.
The embodiment of the invention provides a method for realizing network isolation of a PPTP VPN under a DPDK framework. It can be applied to a network device (called the PPTP VPN server) running a PPTP VPN program reworked for DPDK, and is mainly realized by a PPTP VPN control process and a PPTP VPN data process. The PPTP VPN server establishes a PPTP VPN control connection with the PPTP VPN client through the PPTP VPN control process and, over that control connection, negotiates the configuration parameters of the PPTP VPN data channel with the client to establish the data channel; the PPTP VPN server then exchanges packets with the PPTP VPN client through the PPTP VPN data process over the established PPTP VPN data channel. Further, the network device isolates the PPTP VPN program in user mode: through the PPTP VPN control process and the PPTP VPN data process, mutually isolated VPN channels are established for different tenants, so that the data packets of different tenants are kept apart.
The network device may include a processor, a memory, and a transceiver, wherein the processor may be configured to perform the processes performed by the PPTP VPN control process and the PPTP VPN data process in the following processes, the memory may be configured to store data required and generated during the following processes, and the transceiver may be configured to receive and transmit data associated with the following processes. It can be understood that, in the present application, the processing performed by the PPTP VPN control process and the PPTP VPN data process is performed by the network device running the PPTP VPN control process and the PPTP VPN data process through corresponding processes.
The process flow shown in fig. 1 will be described in detail below with reference to specific embodiments, and the contents may be as follows:
step 101, the PPTP VPN control process loads the PPTP VPN configuration file, and obtains isolation space information and configuration option values corresponding to different tenants recorded in the PPTP VPN configuration file.
The isolation space information may at least include a space identifier for each isolation space, preferably the tenant identifier; the configuration option values may be divided into a SECTIONS dimension and an OPTIONS dimension, where each tenant corresponds to multiple SECTIONS entries and each SECTIONS entry contains its own OPTIONS.
In implementation, a technician at the PPTP VPN service end may modify the PPTP VPN configuration file in advance according to the tenant information of all tenants that have subscribed to the PPTP VPN service. Specifically, several "@NS_NAME { }" blocks may be added to the PPTP VPN configuration file; the isolation space information of each tenant is recorded in its own "@NS_NAME { }" block, and the configuration option values of each isolation space are specified so that the data packets of different tenants can be distinguished. The NS_NAME of each tenant is different and may directly use the tenant's identification information, which makes the different network isolation spaces easy to identify. In this way, after the PPTP VPN control process starts, it may load the PPTP VPN configuration file and obtain the isolation space information and configuration option values of the different tenants from these blocks.
Optionally, the PPTP VPN control process may store the isolation space information and the configuration option value in a form of a structure, and accordingly, the processing of acquiring the isolation space information and the configuration option value in step 101 may specifically be as follows: the PPTP VPN control process reads and stores isolation space information and configuration option values corresponding to different tenants recorded in the PPTP VPN configuration file through an isolation space configuration structure body added in advance in an execution code of the PPTP VPN control process.
In implementation, a technician at the PPTP VPN service end may add, in advance, an isolation space configuration structure "conf_ns_t" to the execution code of the PPTP VPN control process for reading the isolation space information and configuration option values; the structure may be as follows:
[Figure: definition of the conf_ns_t structure; not reproduced on the page]
In this way, after the PPTP VPN control process starts, the isolation space information and configuration option values corresponding to different tenants recorded in the PPTP VPN configuration file can be read and stored through the isolation space configuration structure "conf_ns_t" added in advance to the execution code.
Optionally, the configuration option value at least includes a VPN public network IP address corresponding to each tenant.
In implementation, when the technician at the PPTP VPN service end adds an "@NS_NAME { }" block to the PPTP VPN configuration file, a bind option may be added inside the block; the bind option binds the VPN public network IP address corresponding to that tenant. When the PPTP VPN control process establishes the user-state isolation spaces, it can therefore parse "NS_NAME", "SECTIONS", "OPTIONS" and similar information from the PPTP VPN configuration file, where the "SECTIONS" information includes the bind option, and then establish each user-state isolation space from that information.
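The configuration format described above (one "@NS_NAME { }" block per tenant, with a bind option carrying the tenant's public IP) is easy to get wrong in ways that silently break isolation: two tenants bound to the same public IP cannot be told apart by the control process. The following C program is an added example, not code from the patent or from the assignee; `struct conf_ns` stands in for the `conf_ns_t` structure the text mentions, and its layout, the option name `localip`, the error codes and the sample configuration are all assumptions made for this illustration. It parses the blocks into per-tenant entries and rejects duplicate NS_NAMEs, duplicate or invalid bind addresses, and options that appear outside any tenant block.

```c
/* Added example, not code from the patent: a parser for a PPTP VPN
 * configuration file extended with per-tenant "@NS_NAME { ... }" blocks.
 * struct conf_ns stands in for the conf_ns_t structure the text mentions;
 * its layout and the option names other than "bind" are assumptions. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <arpa/inet.h>

#define NS_NAME_LEN 32
#define IP_LEN      16
#define MAX_NS      8

struct conf_ns {
    char ns_name[NS_NAME_LEN]; /* space identifier, preferably the tenant id */
    char bind_ip[IP_LEN];      /* VPN public-network IP the tenant's control socket binds to */
    int  n_options;            /* OPTIONS lines seen inside the block */
};

static const char *skip_ws(const char *p) { while (*p == ' ' || *p == '\t') p++; return p; }

/* Copy one token (ends at whitespace or a stop character) into dst. */
static const char *take_token(const char *p, char *dst, size_t cap, const char *stop) {
    size_t n = 0;
    while (*p && !isspace((unsigned char)*p) && !strchr(stop, *p)) {
        if (n + 1 < cap) dst[n++] = *p;
        p++;
    }
    dst[n] = '\0';
    return p;
}

static int valid_ipv4(const char *s) { struct in_addr a; return inet_pton(AF_INET, s, &a) == 1; }

/* Parse text into out[]. Returns the tenant count, or a negative code:
 * -1 malformed file, -2 duplicate NS_NAME, -3 duplicate bind IP across
 * tenants, -4 invalid or repeated bind inside one block. Duplicates are
 * rejected because the control process relies on the bound public IP being
 * unique to steer each request to the right isolation space. */
int parse_ns_config(const char *text, struct conf_ns *out, int max_ns) {
    int count = 0, in_block = 0;
    const char *line = text;
    char buf[256], key[32], val[64];
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (len >= sizeof buf) return -1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        const char *p = skip_ws(buf);
        if (*p == '\0' || *p == '#') {
            /* blank line or comment */
        } else if (*p == '@') {                      /* "@NS_NAME {" opens a tenant block */
            if (in_block || count >= max_ns) return -1;
            p = take_token(p + 1, out[count].ns_name, NS_NAME_LEN, "{");
            if (out[count].ns_name[0] == '\0' || *skip_ws(p) != '{') return -1;
            for (int i = 0; i < count; i++)
                if (strcmp(out[i].ns_name, out[count].ns_name) == 0) return -2;
            out[count].bind_ip[0] = '\0';
            out[count].n_options = 0;
            in_block = 1;
        } else if (*p == '}') {                      /* block end: bind is mandatory */
            if (!in_block || out[count].bind_ip[0] == '\0') return -1;
            for (int i = 0; i < count; i++)
                if (strcmp(out[i].bind_ip, out[count].bind_ip) == 0) return -3;
            in_block = 0;
            count++;
        } else {                                     /* "key value" OPTIONS line */
            if (!in_block) return -1;
            p = take_token(p, key, sizeof key, "");
            take_token(skip_ws(p), val, sizeof val, "");
            if (strcmp(key, "bind") == 0) {
                if (out[count].bind_ip[0] != '\0' || !valid_ipv4(val)) return -4;
                strncpy(out[count].bind_ip, val, IP_LEN - 1);
                out[count].bind_ip[IP_LEN - 1] = '\0';
            }
            out[count].n_options++;
        }
        if (!nl) break;
        line = nl + 1;
    }
    return in_block ? -1 : count;
}

/* Constructed sample: two tenants, each bound to its own public IP. */
const char *SAMPLE_CONF =
    "# constructed sample, not a real deployment\n"
    "@tenantA {\n  bind 203.0.113.10\n  localip 10.1.0.1\n}\n"
    "@tenantB {\n  bind 203.0.113.11\n  localip 10.2.0.1\n}\n";

/* Constructed sample that must be rejected: both tenants bind the same IP. */
const char *DUP_BIND_CONF =
    "@tenantA {\n  bind 203.0.113.10\n}\n@tenantB {\n  bind 203.0.113.10\n}\n";

int main(void) {
    struct conf_ns ns[MAX_NS];
    int n = parse_ns_config(SAMPLE_CONF, ns, MAX_NS);
    for (int i = 0; i < n; i++)
        printf("space %s -> bind %s (%d options)\n", ns[i].ns_name, ns[i].bind_ip, ns[i].n_options);
    printf("duplicate bind config: %d\n", parse_ns_config(DUP_BIND_CONF, ns, MAX_NS));
    return 0;
}
```

The parser refuses to load rather than guessing when a block is malformed; a control process that started with a half-parsed tenant list could bind a listener for one tenant to the address of another, which is exactly the mixing the isolation spaces are meant to prevent.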
And 102, the PPTP VPN control process establishes user-state isolation spaces corresponding to different tenants according to isolation space information and configuration option values corresponding to the different tenants.
In implementation, after acquiring isolation space information and configuration option values corresponding to different tenants recorded in the PPTP VPN configuration file, the PPTP VPN control process may establish, for each tenant, a user-state isolation space corresponding to the tenant according to the isolation space information and the configuration option values.
Step 103, for each tenant, the PPTP VPN control process establishes PPTP VPN control connection with the client of the tenant based on the space resources of the user-state isolation space corresponding to the tenant, and negotiates to determine a PPTP VPN data channel.
In implementation, for each tenant, after the PPTP VPN control process establishes the user-state isolation space corresponding to the tenant, when it needs to perform packet transmission with the client of the tenant, the PPTP VPN control connection may be established with the client of the tenant based on a space resource of the user-state isolation space corresponding to the tenant, and PPP (Point to Point Protocol) negotiation may be performed with the client of the tenant through the PPTP VPN control connection, so as to negotiate and determine a PPTP VPN data channel between the PPTP VPN server and the PPTP VPN client.
Optionally, because the configuration option values carry a VPN public network IP address for each tenant, the PPTP VPN control process must first establish a control connection socket and isolate the original control configuration information before it can establish a PPTP VPN control connection with a PPTP VPN client, so the following processing may be performed before step 103: the PPTP VPN control process establishes, binds and listens on a control connection socket for each tenant, based on that tenant's isolation space information and VPN public network IP address; the PPTP VPN control process performs resource isolation on the original control configuration information, generates multiple copies of it, and associates each copy with one user-state isolation space.
The control configuration information is what the PPTP VPN control process originally holds and calls when establishing a PPTP VPN control connection with a PPTP VPN client; the structures involved are mainly "pptp_server_t", "ppp_t" and "ap_session", where "pptp_server_t" mainly handles the PPTP VPN dial-up connection, "ppp_t" mainly handles PPP negotiation, and "ap_session" mainly handles establishing the PPTP VPN control connection.
In implementation, after the PPTP VPN control process parses the PPTP VPN configuration file and obtains the VPN public network IP address of each tenant, it may establish a control connection socket for each tenant based on that tenant's VPN public network IP address. Because each public network IP address is unique, the PPTP VPN control process can steer the data packets of different tenants to different user-state isolation control spaces. At the same time, for each piece of original control configuration information, the PPTP VPN control process may perform resource isolation on it to generate multiple copies, so that each copy can be associated with one user-state isolation space. The PPTP VPN control process can then bind and listen on the control connection socket of each tenant and wait for a data packet from the corresponding tenant's client to trigger the subsequent processing of establishing a PPTP VPN control connection with that client through the control configuration information associated with the corresponding user-state isolation space.
Optionally, after a control connection socket is established for each tenant based on the PPTP VPN control process, a PPTP VPN control connection may be established with the PPTP VPN client through the control connection socket, and the PPTP VPN data channel is determined, and correspondingly, the processing in step 104 may specifically be as follows: when a dial-up connection request of a target client is received through a control connection socket corresponding to a target tenant, a PPTP VPN control process determines a target user state isolation space corresponding to the target tenant; the PPTP VPN control process carries out PPP negotiation with the target client through the control configuration information associated with the target user state isolation space, establishes PPTP VPN control connection and determines a target message forwarding port corresponding to the PPTP VPN data channel.
In implementation, after the PPTP VPN control process establishes the control connection socket for each tenant, it may listen on each of them. When a dial-up connection request from a target client is received through the control connection socket of a target tenant, the PPTP VPN control process may determine the target user-state isolation space of the target tenant from the socket on which the request arrived; the PPTP VPN control process may then perform PPP negotiation with the target client through the control configuration information associated with the target user-state isolation space, establish the PPTP VPN control connection with the target client based on the negotiation result, and determine the target packet forwarding port (i.e., the DIVERT_PORT information) corresponding to the PPTP VPN data channel.
Further, after determining the target packet forwarding port corresponding to the PPTP VPN data channel, the PPTP VPN control process may pass the space identifier of the target user-state isolation space and the port identifier of the target packet forwarding port to the PPTP VPN data process via inter-process communication (IPC).
And 104, the PPTP VPN data process transmits a message with a client of a tenant through a PPTP VPN data channel based on the space resource of the user-state isolation space.
In implementation, the PPTP VPN data process may be started before the PPTP VPN control process and perform its initialization. After the PPTP VPN control process has negotiated the PPTP VPN data channel for a tenant's client, the PPTP VPN data process may carry out packet transmission with that client through the PPTP VPN data channel using the space resources of the tenant's user-state isolation space. Because different PPTP VPN data channels are established on the resources of different user-state isolation spaces, packet transmission on different channels is independent and does not interfere, which achieves network isolation for the PPTP VPN. Here, the resources of a user-state isolation space may include a private isolation space address and network resource tables such as an IP address table, a routing table, a socket table and a connection-tracking table.
Optionally, after the PPTP VPN control process has determined the PPTP VPN data channel, the PPTP VPN data process may establish a corresponding data connection socket and provide the PPTP VPN function through it. Step 104 may then proceed as follows: the PPTP VPN data process establishes a data connection socket corresponding to the target client according to the space identifier and the port identifier; the PPTP VPN data process then transmits packets with the target client through that data connection socket, using the space resources of the target user-state isolation space.
In implementation, after the PPTP VPN control process has passed the space identifier of the target user-state isolation space and the port identifier of the target packet forwarding port to the PPTP VPN data process over IPC, the data process establishes a data connection socket for the target client according to those two identifiers, and then transmits packets with the target client through that socket using the space resources of the target user-state isolation space.
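The handoff just described, followed by the data process's receive path, as an added C example that is not the patent's code: the control process passes a (space identifier, channel identifier) pair over IPC, the data process registers a data socket inside that space's own socket table, and each incoming enhanced-GRE packet is demultiplexed only within the space that owns the public IP it arrived on. Tenant addresses, call IDs and the IPC message layout are constructed for the demonstration; treating the patent's "port identifier" as the PPTP call ID carried in the GRE key field is an assumption of this example.

```c
/* Added example, not code from the patent: a model of how the PPTP VPN
 * data process confines GRE demultiplexing to per-tenant user-state
 * isolation spaces. Tenant addresses, call IDs and the IPC message layout
 * are constructed; treating the "port identifier" as the PPTP call ID is
 * an assumption of this example. */
#include <stdint.h>
#include <stdio.h>

#define MAX_SPACES    4
#define MAX_SOCKETS   8
#define GRE_PROTO_PPP 0x880B    /* enhanced GRE protocol type, RFC 2637 */

/* Message the control process hands to the data process over IPC. */
struct handoff_msg { uint32_t space_id; uint16_t call_id; uint32_t client_ip; };
struct data_socket { int in_use; uint16_t call_id; uint32_t client_ip; };

/* One user-state isolation space: the tenant's VPN public IP and its
 * private socket table (routing and conntrack tables omitted). */
struct isolation_space {
    uint32_t space_id, public_ip;
    struct data_socket sockets[MAX_SOCKETS];
};
static struct isolation_space spaces[MAX_SPACES]; static size_t n_spaces;

uint32_t ip4(uint8_t a, uint8_t b, uint8_t c, uint8_t d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

/* Look a space up by identifier (by_ip == 0) or by public IP (by_ip == 1). */
static struct isolation_space *find_space(uint32_t key, int by_ip) {
    for (size_t i = 0; i < n_spaces; i++)
        if ((by_ip ? spaces[i].public_ip : spaces[i].space_id) == key)
            return &spaces[i];
    return NULL;
}

/* Step 104: open the data socket inside the space named by the IPC message.
 * Returns 0, or -1 if the space is unknown, its socket table is full, or
 * the same (call ID, client) pair is already bound there. */
int open_data_socket(const struct handoff_msg *m) {
    struct isolation_space *s = find_space(m->space_id, 0);
    int slot = -1;
    if (!s) return -1;
    for (int i = 0; i < MAX_SOCKETS; i++) {
        if (!s->sockets[i].in_use) { if (slot < 0) slot = i; continue; }
        if (s->sockets[i].call_id == m->call_id &&
            s->sockets[i].client_ip == m->client_ip) return -1;
    }
    if (slot < 0) return -1;
    s->sockets[slot] = (struct data_socket){ 1, m->call_id, m->client_ip };
    return 0;
}

/* Parse an enhanced GRE header (RFC 2637 section 4.1). Returns the call
 * ID, or -1 if the header is malformed or the payload does not fit. */
int gre_call_id(const uint8_t *p, size_t len) {
    if (len < 8) return -1;
    /* byte 0: C=0 R=0 K=1 S=opt s=0 Recur=0; byte 1: A=opt Flags=0 Ver=1 */
    if ((p[0] & 0xEF) != 0x20 || (p[1] & 0x7F) != 0x01) return -1;
    if ((((int)p[2] << 8) | p[3]) != GRE_PROTO_PPP) return -1;
    size_t hdr = 8 + ((p[0] & 0x10) ? 4 : 0) + ((p[1] & 0x80) ? 4 : 0);
    size_t payload = ((size_t)p[4] << 8) | p[5];
    if (len < hdr || len - hdr < payload) return -1;
    return ((int)p[6] << 8) | p[7];
}

/* Receive path for a GRE packet sent to public IP dst_ip from src_ip. The
 * lookup is confined to the space that owns dst_ip, so a call ID negotiated
 * in another tenant's space never matches. Returns the space_id, or -1. */
int dispatch_gre(uint32_t dst_ip, uint32_t src_ip, const uint8_t *pkt, size_t len) {
    int call_id = gre_call_id(pkt, len);
    struct isolation_space *s = find_space(dst_ip, 1);
    if (call_id < 0 || !s) return -1;
    for (int i = 0; i < MAX_SOCKETS; i++)
        if (s->sockets[i].in_use && s->sockets[i].call_id == call_id &&
            s->sockets[i].client_ip == src_ip) return (int)s->space_id;
    return -1;
}

/* Constructed PPTP GRE packet: K|S, A, ver 1, proto 0x880B, payload
 * length 2, call ID 0x1234, seq 1, ack 0, then two payload bytes. */
const uint8_t demo_pkt[18] = { 0x30, 0x81, 0x88, 0x0B, 0x00, 0x02, 0x12, 0x34,
                               0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
                               0xFF, 0x03 };

/* Constructed scenario: two tenants whose clients negotiated the same call
 * ID, each handed off into its own space. Returns the space that tenant A's
 * client packet lands in (1). */
int demo_run(void) {
    n_spaces = 2;
    spaces[0] = (struct isolation_space){ .space_id = 1, .public_ip = ip4(203, 0, 113, 10) };
    spaces[1] = (struct isolation_space){ .space_id = 2, .public_ip = ip4(203, 0, 113, 20) };
    open_data_socket(&(struct handoff_msg){ 1, 0x1234, ip4(198, 51, 100, 7) });
    open_data_socket(&(struct handoff_msg){ 2, 0x1234, ip4(198, 51, 100, 9) });
    return dispatch_gre(ip4(203, 0, 113, 10), ip4(198, 51, 100, 7), demo_pkt, 18);
}

int main(void) {
    printf("tenant A's packet delivered to space %d\n", demo_run());
    return 0;
}
```

demo_run() returns 1: tenant A's client packet is delivered into space 1, while the same packet aimed at tenant B's public IP is dropped (-1) even though tenant B's space holds an identical call ID, because the socket table consulted is selected by the receiving public IP and never by the call ID alone. The length check in gre_call_id is the kind of caveat the patent text leaves implicit: a user-space data plane that trusts the GRE payload length field without comparing it to the frame length reads past the buffer.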
In this embodiment, the PPTP VPN control process loads the PPTP VPN configuration file and obtains the isolation space information and configuration option values recorded in it for each tenant; it creates a user-state isolation space for each tenant according to that information; for each tenant it establishes a PPTP VPN control connection with the tenant's client using the space resources of that tenant's isolation space and negotiates a PPTP VPN data channel; and the PPTP VPN data process transmits packets with the tenant's client over that data channel using the same space resources. The PPTP VPN thus achieves user-mode network isolation at three levels, the configuration file, the control process and the data process, so that multi-tenant PPTP VPN service is supported while the frequent switching between kernel mode and user mode is avoided, which reduces the performance loss on the PPTP VPN server side and improves service efficiency.
Based on the same technical concept, an embodiment of the present invention further provides a device for implementing PPTP VPN network isolation under a DPDK framework. The device runs a PPTP VPN control process and a PPTP VPN data process adapted to DPDK, where:
the PPTP VPN control process is configured to load a PPTP VPN configuration file and obtain the isolation space information and configuration option values recorded in it for each tenant;
the PPTP VPN control process is configured to create a user-state isolation space for each tenant according to that tenant's isolation space information and configuration option values;
the PPTP VPN control process is configured to establish a PPTP VPN control connection with the client of each tenant, based on the space resources of the user-state isolation space corresponding to that tenant, and to negotiate a PPTP VPN data channel;
the PPTP VPN data process is configured to transmit packets with the tenant's client through the PPTP VPN data channel, based on the space resources of the user-state isolation space.
Optionally, the PPTP VPN control process is specifically configured to:
read and store the isolation space information and configuration option values recorded for each tenant in the PPTP VPN configuration file, through an isolation space configuration structure body added in advance to the execution code of the PPTP VPN control process.
Optionally, the configuration option values include at least the VPN public network IP address corresponding to each tenant.
Optionally, the PPTP VPN control process is further configured to:
establish, bind and listen on a control connection socket corresponding to each tenant, based on that tenant's isolation space information and VPN public network IP address;
perform resource isolation on the original control configuration information, generating multiple pieces of control configuration information, and associate each piece with one user-state isolation space.
Optionally, the PPTP VPN control process is specifically configured to:
when a dial-up connection request from a target client is received through the control connection socket corresponding to a target tenant, determine the target user-state isolation space corresponding to that tenant;
carry out PPP negotiation with the target client through the control configuration information associated with the target user-state isolation space, establish the PPTP VPN control connection, and determine the target packet forwarding port corresponding to the PPTP VPN data channel.
Optionally, the PPTP VPN control process is further configured to:
pass the space identifier of the target user-state isolation space and the port identifier of the target packet forwarding port to the PPTP VPN data process over inter-process communication.
Optionally, the PPTP VPN data process is specifically configured to:
establish a data connection socket corresponding to the target client according to the space identifier and the port identifier;
transmit packets with the target client through the data connection socket, based on the space resources of the target user-state isolation space.
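The control-process side of the steps listed above (reading the configuration file through a per-tenant structure, binding one control-connection listener per tenant on its own public IP, cloning the control configuration once per space, and resolving a dial-up request to its target space), as an added C example that is not the patent's own code. The configuration syntax, the tenant names and addresses, and the fields of the control configuration are constructed assumptions; the point the example adds is the validation a multi-tenant listener needs, namely that two tenants may not share a space identifier or a public IP, because the second bind of that address on TCP port 1723 would collide with the first.

```c
/* Added example, not code from the patent: a model of the control-process
 * setup steps. The configuration syntax, tenant values and the fields of
 * the control configuration are constructed assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_TENANTS    8
#define PPTP_CTRL_PORT 1723          /* PPTP control connection port, RFC 2637 */

/* The "isolation space configuration structure body": one record per
 * tenant read from the PPTP VPN configuration file. */
struct space_config { char tenant[32]; uint32_t space_id; char public_ip[16]; };

/* Original control configuration, cloned once per space so that PPP
 * negotiation parameters are private to a tenant (field names assumed). */
struct control_config { uint16_t mtu, mru; int require_mppe; uint32_t space_id; };

/* A control-connection socket bound and listening in one space. */
struct control_listener { uint32_t space_id; char ip[16]; uint16_t port; struct control_config cfg; };

static struct space_config     cfgs[MAX_TENANTS];
static size_t                  n_cfgs;
static struct control_listener listeners[MAX_TENANTS];
static size_t                  n_listeners;

/* Parse "[tenant NAME]" sections holding "space = N" and "public_ip = A.B.C.D".
 * Returns the number of complete tenant records, or -1 if a record is
 * incomplete, a key is unknown or outside a section, or there are too many. */
int load_config(const char *text) {
    char buf[1024], *line;
    unsigned v;
    int have_space = 0, have_ip = 0;
    n_cfgs = 0;
    strncpy(buf, text, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (line = strtok(buf, "\n"); line; line = strtok(NULL, "\n")) {
        struct space_config *c = n_cfgs ? &cfgs[n_cfgs - 1] : NULL;
        if (line[0] == '[') {
            if ((c && !(have_space && have_ip)) || n_cfgs >= MAX_TENANTS) return -1;
            c = &cfgs[n_cfgs++];
            memset(c, 0, sizeof *c);
            if (sscanf(line, "[tenant %31[^]]]", c->tenant) != 1) return -1;
            have_space = have_ip = 0;
        } else if (c && sscanf(line, "space = %u", &v) == 1) {
            c->space_id = v; have_space = 1;
        } else if (c && sscanf(line, "public_ip = %15s", c->public_ip) == 1) {
            have_ip = 1;
        } else if (line[0] != '#') {
            return -1;
        }
    }
    return (n_cfgs && !(have_space && have_ip)) ? -1 : (int)n_cfgs;
}

/* Create each tenant's listener inside its own space, bind public_ip:1723
 * there and give it a private copy of the control configuration. Returns
 * the number of listeners, or -1 if two tenants share a space identifier
 * or a public IP (the second bind would collide with the first). */
int bind_control_listeners(const struct control_config *original) {
    n_listeners = 0;
    for (size_t i = 0; i < n_cfgs; i++) {
        for (size_t j = 0; j < i; j++)
            if (cfgs[j].space_id == cfgs[i].space_id ||
                strcmp(cfgs[j].public_ip, cfgs[i].public_ip) == 0) return -1;
        struct control_listener *l = &listeners[n_listeners++];
        l->space_id = cfgs[i].space_id;
        strcpy(l->ip, cfgs[i].public_ip);
        l->port = PPTP_CTRL_PORT;
        l->cfg = *original;                  /* resource isolation: per-space copy */
        l->cfg.space_id = cfgs[i].space_id;
    }
    return (int)n_listeners;
}

/* A dial-up request arrived on dst_ip: the target user-state isolation
 * space is the one whose listener owns that address. Returns its
 * identifier, or -1 if no tenant is bound there. */
int target_space_for(const char *dst_ip) {
    for (size_t i = 0; i < n_listeners; i++)
        if (strcmp(listeners[i].ip, dst_ip) == 0) return (int)listeners[i].space_id;
    return -1;
}

/* Constructed configuration file contents and original control config. */
const char demo_config[] =
    "# constructed example, two tenants\n"
    "[tenant alpha]\nspace = 1\npublic_ip = 203.0.113.10\n"
    "[tenant beta]\nspace = 2\npublic_ip = 203.0.113.20\n";
const char demo_config_clash[] =
    "[tenant alpha]\nspace = 1\npublic_ip = 203.0.113.10\n"
    "[tenant beta]\nspace = 2\npublic_ip = 203.0.113.10\n";
const struct control_config demo_original = { 1400, 1400, 1, 0 };

int main(void) {
    printf("tenants loaded: %d\n", load_config(demo_config));
    printf("listeners bound: %d\n", bind_control_listeners(&demo_original));
    printf("dial-up at 203.0.113.20 -> space %d\n", target_space_for("203.0.113.20"));
    return 0;
}
```

With demo_config the loader returns 2, two listeners are bound and a dial-up request arriving at 203.0.113.20 resolves to space 2; with demo_config_clash the records still parse, but bind_control_listeners refuses to start rather than letting the second tenant silently take over the first tenant's listener.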
In this embodiment, the PPTP VPN control process loads the PPTP VPN configuration file and obtains the isolation space information and configuration option values recorded in it for each tenant; it creates a user-state isolation space for each tenant according to that information; for each tenant it establishes a PPTP VPN control connection with the tenant's client using the space resources of that tenant's isolation space and negotiates a PPTP VPN data channel; and the PPTP VPN data process transmits packets with the tenant's client over that data channel using the same space resources. The PPTP VPN thus achieves user-mode network isolation at three levels, the configuration file, the control process and the data process, so that multi-tenant PPTP VPN service is supported while the frequent switching between kernel mode and user mode is avoided, which reduces the performance loss on the PPTP VPN server side and improves service efficiency.
It should be noted that the division into functional modules of the device for implementing PPTP VPN network isolation under the DPDK framework in the foregoing embodiments is given only by way of illustration. In practice the functions may be allocated to different functional modules as required, that is, the internal structure of the device may be divided into different modules that together complete all or part of the functions described above. Moreover, the device embodiment and the method embodiment for implementing PPTP VPN network isolation under a DPDK framework belong to the same concept; their specific implementation is detailed in the method embodiment and is not repeated here.
Fig. 2 is a schematic structural diagram of a network device according to an embodiment of the present invention. The network device 200, whose configuration and performance may vary considerably, may include one or more central processors 222 and memory 232, and one or more storage media 230 (for example, one or more mass storage devices) storing applications 242 or data 244. Memory 232 and storage medium 230 may be transient or persistent storage. The program stored on the storage medium 230 may include one or more modules (not shown), each of which may include a sequence of instructions operating on the network device 200. Further, the central processor 222 may be configured to communicate with the storage medium 230 and to execute the series of instruction operations in the storage medium 230 on the network device 200.
The network device 200 may also include one or more power supplies 229, one or more wired or wireless network interfaces 250, one or more input-output interfaces 258, one or more keyboards 256, and/or one or more operating systems 241, such as Windows Server, Mac OS X, Unix, Linux, FreeBSD, etc.
The network device 200 may include memory and one or more programs, where the one or more programs are stored in the memory and configured to be executed by the one or more processors, and include instructions for implementing PPTP VPN network isolation under a DPDK framework as described above.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, where the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.

Claims (16)

1. A method for implementing PPTP VPN network isolation under a DPDK framework, characterized in that the method is applied to a network device that runs a PPTP VPN control process and a PPTP VPN data process adapted to DPDK, and the method comprises the following steps:
the PPTP VPN control process loads a PPTP VPN configuration file and acquires isolation space information and configuration option values corresponding to different tenants recorded in the PPTP VPN configuration file;
the PPTP VPN control process establishes user-state isolation spaces corresponding to different tenants according to isolation space information and configuration option values corresponding to the different tenants;
for each tenant, the PPTP VPN control process establishes PPTP VPN control connection with a client of the tenant based on the space resources of the user-state isolation space corresponding to the tenant, and negotiates to determine a PPTP VPN data channel;
and the PPTP VPN data process carries out packet transmission with the client of the tenant through the PPTP VPN data channel based on the space resources of the user-state isolation space.
2. The method as claimed in claim 1, wherein said obtaining isolation space information and configuration option values corresponding to different tenants recorded in the PPTP VPN configuration file comprises:
the PPTP VPN control process reads and stores isolation space information and configuration option values corresponding to different tenants recorded in the PPTP VPN configuration file through an isolation space configuration structure body added in advance in an execution code of the PPTP VPN control process.
3. The method of claim 1, wherein the configuration option value comprises at least a VPN public network IP address corresponding to each tenant.
4. The method as claimed in claim 3, wherein before the PPTP VPN control process establishes a PPTP VPN control connection with the client of each tenant based on the space resources of the user-state isolation space corresponding to the tenant and negotiates to determine a PPTP VPN data channel, the method further comprises:
the PPTP VPN control process establishes, binds and listens on a control connection socket corresponding to each tenant based on the isolation space information and the VPN public network IP address corresponding to that tenant;
the PPTP VPN control process carries out resource isolation on the original control configuration information, generates multiple pieces of control configuration information, and associates each piece of control configuration information with one user-state isolation space.
5. The method as claimed in claim 4, wherein the PPTP VPN control process establishes PPTP VPN control connection with the client of the tenant based on the space resources of the user-state isolation space corresponding to the tenant, and negotiates to determine PPTP VPN data channels, including:
when a dial-up connection request of a target client is received through a control connection socket corresponding to a target tenant, the PPTP VPN control process determines a target user state isolation space corresponding to the target tenant;
and the PPTP VPN control process carries out PPP negotiation with the target client through the control configuration information associated with the target user state isolation space, establishes PPTP VPN control connection and determines a target message forwarding port corresponding to the PPTP VPN data channel.
6. The method as claimed in claim 5, wherein after establishing the PPTP VPN control connection and determining the target packet forwarding port corresponding to the PPTP VPN data channel, the method further comprises:
and the PPTP VPN control process transmits the space identifier of the target user state isolation space and the port identifier of the target message forwarding port to a PPTP VPN data process in an inter-process communication mode.
7. The method as claimed in claim 6, wherein the PPTP VPN data process carrying out packet transmission with the client of the tenant through the PPTP VPN data channel based on the space resources of the user-state isolation space comprises:
the PPTP VPN data process establishes a data connection socket corresponding to the target client according to the space identifier and the port identifier;
and the PPTP VPN data process carries out message transmission with the target client through the data connection socket based on the space resource of the target user state isolation space.
8. A device for implementing PPTP VPN network isolation under a DPDK framework, characterized in that the device runs a PPTP VPN control process and a PPTP VPN data process adapted to DPDK, wherein:
the PPTP VPN control process is used for loading a PPTP VPN configuration file and acquiring isolation space information and configuration option values corresponding to different tenants recorded in the PPTP VPN configuration file;
the PPTP VPN control process is used for establishing user state isolation spaces corresponding to different tenants according to the isolation space information and configuration option values corresponding to the different tenants;
the PPTP VPN control process is used for establishing PPTP VPN control connection with a client of each tenant and negotiating to determine a PPTP VPN data channel for each tenant based on the space resources of the user-state isolation space corresponding to the tenant;
the PPTP VPN data process is used for carrying out message transmission with the client of the tenant through the PPTP VPN data channel based on the space resource of the user state isolation space.
9. The apparatus as claimed in claim 8, wherein the PPTP VPN control process is specifically configured to:
read and store the isolation space information and configuration option values recorded for each tenant in the PPTP VPN configuration file through an isolation space configuration structure body added in advance to the execution code of the PPTP VPN control process.
10. The apparatus of claim 8, wherein the configuration option value comprises at least a VPN public network IP address corresponding to each tenant.
11. The apparatus as recited in claim 10, wherein said PPTP VPN control process is further configured to:
establish, bind and listen on a control connection socket corresponding to each tenant based on the isolation space information and the VPN public network IP address corresponding to that tenant;
carry out resource isolation on the original control configuration information, generate multiple pieces of control configuration information, and associate each piece of control configuration information with one user-state isolation space.
12. The apparatus as claimed in claim 11, wherein the PPTP VPN control process is specifically configured to:
when a dial-up connection request of a target client is received through a control connection socket corresponding to a target tenant, determining a target user state isolation space corresponding to the target tenant;
PPP negotiation is carried out with the target client through the control configuration information associated with the target user state isolation space, PPTP VPN control connection is established, and a target message forwarding port corresponding to a PPTP VPN data channel is determined.
13. The apparatus as recited in claim 12, wherein said PPTP VPN control process is further configured to:
and transmitting the space identifier of the target user state isolation space and the port identifier of the target message forwarding port to a PPTP VPN data process in an inter-process communication mode.
14. The apparatus as claimed in claim 13, wherein the PPTP VPN data process is specifically configured to:
Establishing a data connection socket corresponding to the target client according to the space identifier and the port identifier;
and carrying out message transmission with the target client through the data connection socket based on the space resource of the target user state isolation space.
15. A network device comprising a processor and a memory, the memory having stored therein at least one instruction, at least one program, a set of codes, or a set of instructions, the at least one instruction, the at least one program, the set of codes, or the set of instructions being loaded and executed by the processor to implement the method for PPTP VPN network isolation under a DPDK framework according to any one of claims 1 to 7.
16. A computer readable storage medium having stored therein at least one instruction, at least one program, a set of codes, or a set of instructions, which is loaded and executed by a processor to implement the method for PPTP VPN network isolation under a DPDK framework as claimed in any one of claims 1 to 7.
CN201811496567.7A 2018-12-07 2018-12-07 Method and device for realizing PPTP VPN network isolation under DPDK framework Active CN111371723B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811496567.7A CN111371723B (en) 2018-12-07 2018-12-07 Method and device for realizing PPTP VPN network isolation under DPDK framework

Publications (2)

Publication Number Publication Date
CN111371723A CN111371723A (en) 2020-07-03
CN111371723B true CN111371723B (en) 2022-06-17

Family

ID=71209733

Country Status (1)

Country Link
CN (1) CN111371723B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103391234A (en) * 2013-08-01 2013-11-13 厦门市美亚柏科信息股份有限公司 Method for realizing multi-user fixed port mapping and PPTP VPN server side
CN103593189A (en) * 2013-11-14 2014-02-19 昆明理工大学 Method for implementing user mode drive program in embedded Linux
CN104050036A (en) * 2014-05-29 2014-09-17 汉柏科技有限公司 Control system and method of multi-core processor network equipment
CN106549850A (en) * 2016-12-06 2017-03-29 东软集团股份有限公司 Virtual special network server and its message transmitting method
CN107070958A (en) * 2017-06-19 2017-08-18 河海大学 A kind of mass data high-efficiency transmission method

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
US20170324707A1 (en) * 2016-05-03 2017-11-09 At&T Intellectual Property I, L.P. Network service provider architecture with internet-route-free control plane

Non-Patent Citations (1)

Title
Research and Implementation of a High-Performance VPN Gateway Based on DPDK (基于DPDK的高性能VPN网关的研究与实现); Mu Ruichao (穆瑞超); China Master's Theses Full-text Database, Information Science and Technology series; 2018-02-28; full text *


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant