CN111800340B - Data packet forwarding method and device - Google Patents
- Publication number: CN111800340B
- Authority: CN (China)
- Prior art keywords: address, data packet, network card, virtual, network
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L45/74—Address processing for routing
- G06F9/45558—Hypervisor-specific management and integration aspects
- H04L61/5007—Internet protocol [IP] addresses
- G06F2009/45595—Network integration; Enabling network access in virtual machine instances
Abstract
Embodiments of the present disclosure disclose a data packet forwarding method and device. One embodiment of the method comprises: receiving a data packet sent by a virtual machine to a destination IP address, wherein the IP address of the virtual machine belongs to a tenant network and the destination IP address belongs to a non-tenant network; sending the data packet to a virtual network card corresponding to a next-hop address of the destination IP address, wherein the next-hop address is the next address, stored in a local routing table of the virtual machine, through which the data packet must pass to reach the destination IP address, and the virtual network card is used for connecting each virtual machine in the tenant network to a preset physical network card; and disguising (masquerading) the source IP address of the data packet as the IP address of the physical network card so as to send the data packet to the destination IP address. This embodiment can send data packets from the tenant network to the non-tenant network, realizing intercommunication between the two so that virtual machines in the tenant network can access the non-tenant network.
Description
Technical Field
Embodiments of the present disclosure relate to the technical field of computers, and in particular to a data packet forwarding method and device.
Background
Under the traditional centralized routing environment of OpenStack, a network created by a tenant may be referred to as a tenant network, and a network providing support for OpenStack tenant virtual resources may be referred to as a non-tenant network. The tenant network may also be referred to as a service network, a data network, and the like, and the non-tenant network may include a management network (a network for providing tenant resource management), a storage network (a network for providing tenant storage service), an external network (a network for providing tenant internet access service), and the like.
When using OpenStack, a tenant network often needs to access a non-tenant network. For example, a virtual machine in a tenant network may need to access a private service, such as a software repository server or a clock synchronization server, that is in a non-tenant network. However, in the related art, the tenant network generally cannot access non-tenant networks such as the management network and the storage network of OpenStack.
Disclosure of Invention
Embodiments of the present disclosure provide a data packet forwarding method and device.
In a first aspect, an embodiment of the present disclosure provides a method for forwarding a data packet, where the method includes: receiving a data packet sent by a virtual machine to a destination IP address, wherein the IP address of the virtual machine belongs to a tenant network and the destination IP address belongs to a non-tenant network; sending the data packet to a virtual network card corresponding to a next-hop address of the destination IP address, wherein the next-hop address is the next address, stored in a local routing table of the virtual machine, through which the data packet must pass to reach the destination IP address, and the virtual network card is used for connecting each virtual machine in the tenant network to a preset physical network card; and disguising the source IP address of the data packet as the IP address of the physical network card so as to send the data packet to the destination IP address.
In some embodiments, the tenant network is a virtual local area network; receiving the data packet sent by the virtual machine to the destination IP address comprises: receiving the data packet through a first network card associated with a pre-established external bridge, wherein the first network card is a network card in the host machine of the virtual machine and the external bridge is used for receiving the data packet from the first network card; and sending the data packet to an integration bridge connected with the external bridge, wherein the integration bridge is used for sending the data packet to the next-hop address.
In some embodiments, the tenant network is a virtual extensible local area network (VXLAN); receiving the data packet sent by the virtual machine to the destination IP address comprises: acquiring the data packet from the virtual machine through a pre-established tunnel bridge, wherein the tunnel bridge is used for establishing a tunnel connection with the host machine of the virtual machine; and sending the data packet to an integration bridge connected with the tunnel bridge, wherein the integration bridge is used for sending the data packet to the next-hop address.
In some embodiments, after sending the data packet to the virtual network card corresponding to the next-hop address of the destination IP address, the method further comprises: in response to determining that the source IP address and the destination IP address of the data packet satisfy a preset security condition, sending the data packet to the physical network card through the virtual network card.
In some embodiments, after sending the data packet to the virtual network card corresponding to the next-hop address of the destination IP address, the method further comprises: marking the node where the virtual network card is located as a master node, and setting up a keepalived service between the master node and a preset standby node so that the keepalived service generates a virtual IP, wherein the standby node is a standby for the master node; in response to determining that the virtual network card is not faulty, controlling the keepalived service to attach the virtual IP to the virtual network card of the master node; and sending the data packet to the physical network card of the master node through the virtual network card.
In some embodiments, the method further comprises: in response to determining that the virtual network card is faulty, re-designating the standby node as the master node, and controlling the keepalived service to attach the virtual IP to the virtual network card of the newly designated master node; and sending the data packet to the physical network card of the newly designated master node through that node's virtual network card.
In some embodiments, after sending the data packet to the virtual network card corresponding to the next-hop address of the destination IP address, the method further comprises: in response to determining that the virtual network card has not reached a preset upper limit of network bandwidth, sending the data packet to the physical network card through the virtual network card.
In a second aspect, an embodiment of the present disclosure provides a data packet forwarding apparatus, including: a receiving unit configured to receive a data packet sent by a virtual machine to a destination IP address, wherein the IP address of the virtual machine belongs to a tenant network and the destination IP address belongs to a non-tenant network; a first sending unit configured to send the data packet to a virtual network card corresponding to a next-hop address of the destination IP address, wherein the next-hop address is the next address, stored in a local routing table of the virtual machine, through which the data packet must pass to reach the destination IP address, and the virtual network card is used for connecting each virtual machine in the tenant network to a preset physical network card; and an address disguising unit configured to disguise the source IP address of the data packet as the IP address of the physical network card so as to send the data packet to the destination IP address.
In some embodiments, the tenant network is a virtual local area network; the receiving unit is further configured to: receive the data packet through a first network card associated with a pre-established external bridge, wherein the first network card is a network card in the host machine of the virtual machine and the external bridge is used for receiving the data packet from the first network card; and send the data packet to an integration bridge connected with the external bridge, wherein the integration bridge is used for sending the data packet to the next-hop address.
In some embodiments, the tenant network is a virtual extensible local area network (VXLAN); the receiving unit is further configured to: acquire the data packet from the virtual machine through a pre-established tunnel bridge, wherein the tunnel bridge is used for establishing a tunnel connection with the host machine of the virtual machine; and send the data packet to an integration bridge connected with the tunnel bridge, wherein the integration bridge is used for sending the data packet to the next-hop address.
In some embodiments, the apparatus further comprises: a second sending unit configured to send the data packet to the physical network card through the virtual network card in response to determining that the source IP address and the destination IP address of the data packet satisfy a preset security condition.
In some embodiments, the apparatus further comprises: a marking unit configured to mark the node where the virtual network card is located as a master node and to set up a keepalived service between the master node and a preset standby node so that the keepalived service generates a virtual IP, wherein the standby node is a standby for the master node; a first control unit configured to control the keepalived service to attach the virtual IP to the virtual network card of the master node in response to determining that the virtual network card is not faulty; and a third sending unit configured to send the data packet to the physical network card of the master node through the virtual network card.
In some embodiments, the apparatus further comprises: a second control unit configured to, in response to determining that the virtual network card is faulty, re-designate the standby node as the master node and control the keepalived service to attach the virtual IP to the virtual network card of the newly designated master node; and a fourth sending unit configured to send the data packet to the physical network card of the newly designated master node through that node's virtual network card.
In some embodiments, the apparatus further comprises: a fifth sending unit configured to send the data packet to the physical network card through the virtual network card in response to determining that the virtual network card has not reached a preset upper limit of network bandwidth.
The data packet forwarding method and device provided by embodiments of the present disclosure receive, from a virtual machine in a tenant network, a data packet destined for the non-tenant network in which the destination IP address is located; send the data packet to the virtual network card corresponding to the next-hop address of the destination IP address, so that it reaches the physical network card connected to the virtual network card; and finally disguise the source IP address of the data packet as the IP address of the physical network card and send the data packet to the destination IP address. Data packets can thus be sent from the tenant network to the non-tenant network, realizing intercommunication between the two so that virtual machines in the tenant network can access the non-tenant network.
Drawings
Other features, objects and advantages of the disclosure will become more apparent upon reading of the following detailed description of non-limiting embodiments thereof, made with reference to the accompanying drawings in which:
FIG. 1 is an exemplary system architecture diagram in which some embodiments of the present disclosure may be applied;
FIG. 2 is a flow diagram of one embodiment of a data packet forwarding method according to the present disclosure;
FIG. 3 is a schematic diagram of interaction between a virtual local area network type tenant network and a non-tenant network where a destination IP address is located in a packet forwarding method according to an embodiment of the present disclosure;
FIG. 4 is a schematic diagram of interaction between a tenant network of the virtual extensible local area network type and a non-tenant network where a destination IP address is located in a packet forwarding method according to an embodiment of the present disclosure;
FIG. 5 is a flow diagram of yet another embodiment of a data packet forwarding method according to the present disclosure;
FIG. 6 is a schematic block diagram of one embodiment of a packet forwarding device according to the present disclosure;
FIG. 7 is a schematic structural diagram of an electronic device suitable for use in implementing embodiments of the present disclosure.
Detailed Description
The present disclosure is described in further detail below with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the relevant invention and not restrictive of the invention. It should be noted that, for convenience of description, only the portions related to the related invention are shown in the drawings.
It should be noted that, in the present disclosure, the embodiments and features of the embodiments may be combined with each other without conflict. The present disclosure will be described in detail below with reference to the accompanying drawings in conjunction with embodiments.
Fig. 1 illustrates an exemplary system architecture 100 of a packet forwarding method or packet forwarding device to which embodiments of the present disclosure may be applied.
As shown in FIG. 1, the system architecture 100 may include a host 101, a control node 102, a destination node 103, and a switch 104. The host 101, the control node 102 and the destination node 103 may each be connected to the switch 104, so that the host 101 and the control node 102 can communicate with each other through the switch 104, and the control node 102 and the destination node 103 can communicate with each other through the switch 104.
The host 101 may be a compute node in OpenStack, and may include at least one virtual machine. Each virtual machine is in a tenant network, while the control node 102 and the destination node 103 may be in a non-tenant network such as a management network or a storage network.
In the related art, a virtual machine in the host 101 generally cannot directly access the non-tenant network. In the scheme disclosed in this embodiment, a virtual network card can be set up in the control node 102, so that the tenant network of the virtual machine can access the non-tenant network where the destination node 103 is located, realizing intercommunication between the tenant network and the non-tenant network.
It should be noted that the packet forwarding method provided by the embodiment of the present disclosure may be executed by the control node 102, and accordingly, the packet forwarding apparatus may be disposed in the control node 102.
It should be understood that the number of hosts, control nodes, and destination nodes in fig. 1 is merely illustrative. There may be any number of hosts, control nodes, and destination nodes, as desired for implementation.
With continued reference to fig. 2, a flow 200 of one embodiment of a packet forwarding method according to the present disclosure is shown. The data packet forwarding method comprises the following steps:
In this embodiment, when a virtual machine in a tenant network accesses a target service in a non-tenant network, a data packet may be forwarded from the virtual machine to the target node where the target service is located. When the virtual machine accesses the non-tenant network, the execution body of the packet forwarding method (for example, the control node shown in FIG. 1) may receive the data packet sent by the virtual machine to the destination IP address. The IP address of the virtual machine belongs to a tenant network, and the destination IP address belongs to a non-tenant network. Specifically, the execution body may receive, through the switch, the data packet sent by the virtual machine to the destination IP address.
In this embodiment, the virtual machine may look up, in a routing table pre-stored locally, the next-hop address through which the data packet must pass to reach the destination IP address. After receiving the data packet, the execution body (e.g., the control node shown in FIG. 1) may send it to the next-hop address. The next-hop address may be the address of a virtual network card created in advance by the execution body, and the virtual network card may be used to connect each virtual machine in the tenant network to a preset physical network card, so that the execution body can communicate with the tenant network. Therefore, after the execution body sends the data packet to the virtual network card, the virtual network card can send the data packet to the physical network card connected to it.
It can be understood that, if the destination IP address to be accessed by the virtual machine belongs to a management network or a storage network in the non-tenant network, the execution body already has a physical network card that communicates with the tenant network, and no additional physical network card needs to be provided. If the destination IP address to be accessed by the virtual machine belongs to neither a management network nor a storage network in the non-tenant network, and the execution body does not have a physical network card that communicates with the tenant network, an additional physical network card needs to be provided.
The execution body may create a virtual network card on itself in advance and associate the virtual network card with a port created in advance in the tenant network. The iface-id of the virtual network card can then be set to the id of the port created in the tenant network, and the MAC address of the virtual network card can be set to the MAC address of that port. In this way, the virtual network card and all the virtual machines in the tenant network can communicate with each other.
In this embodiment, after the physical network card receives the data packet, the execution body may modify the source IP address of the data packet to the IP address of the physical network card, thereby disguising the source IP address of the data packet. The execution body may then send the data packet with the modified source IP address to the destination IP address. As a result, the source IP addresses of all data packets sent by the execution body are the IP address of the physical network card. It can be understood that, after receiving the data packet, the non-tenant network to which the destination IP address belongs may reply to the virtual machine if necessary, and the reply data packet may return along the original path, which is not described herein again.
In some optional implementations of this embodiment, the tenant network to which the IP address of the virtual machine belongs is a virtual local area network (VLAN). In this case, the execution body may receive the data packet sent by the virtual machine to the destination IP address as follows: receiving the data packet through a first network card associated with a pre-established external bridge, wherein the first network card is a network card in the host machine of the virtual machine and the external bridge is used for receiving the data packet from the first network card; and sending the data packet to an integration bridge connected with the external bridge, wherein the integration bridge is used for sending the data packet to the next-hop address.
As an example, interworking between the VLAN-type tenant network 100.0.0.0/24 and the non-tenant network 192.168.0.0/24 can be achieved as follows. This example describes a virtual machine with IP address 100.0.0.6/24 in the tenant network accessing the destination IP address 192.168.0.7/24 in the non-tenant network, as shown in FIG. 3. FIG. 3 is a schematic diagram illustrating interaction between a virtual local area network type tenant network and a non-tenant network where a destination IP address is located in a packet forwarding method according to an embodiment of the present disclosure. In FIG. 3, the virtual machine vm deployed in host machine 1 can determine from its local routing table that the next-hop address for the non-tenant network 192.168.0.0/24, which contains the destination IP address 192.168.0.7/24, is 100.0.0.100/24, and can obtain the outgoing interface eth0 for the destination IP address, so that the data packet is sent out from the outgoing interface eth0. Host machine 1 may then send the data packet through the Linux bridge qbr to the integration bridge br-int, which performs a flow table lookup and sends the data packet to the external bridge br-primary in host machine 1, so that the external bridge br-primary sends the data packet to the switch through the network card bond0 in host machine 1, as shown in FIG. 3. Finally, the switch sends the data packet through the network card bond0 to the external bridge br-primary pre-constructed in node1, the execution body of this scheme; the external bridge br-primary sends the data packet to the integration bridge br-int of node1 after a flow table lookup, and the integration bridge br-int of node1 sends the data packet to the pre-constructed virtual network card int-port (whose IP address is the next-hop address 100.0.0.100/24 looked up by the virtual machine vm), as shown in FIG. 3.
It should be noted that, in this scheme, the execution body node1 may determine locally that the outgoing interface of the data packet is the preset physical network card bond1, then modify the source IP address of the data packet to the IP address 192.168.0.6 of node1, and output the data packet with the modified source IP address to the switch through the physical network card bond1, so that the switch can forward the data packet to the destination IP address 192.168.0.7/24, as shown in FIG. 3. It is understood that the address of the tenant network, the IP address of the virtual machine, the address of the non-tenant network, and the destination IP address are all exemplary; in practical applications they may be modified or set as needed.
In some optional implementations of this embodiment, the tenant network to which the IP address of the virtual machine belongs may also be a virtual extensible local area network (VXLAN). In this case, the execution body may receive the data packet sent by the virtual machine to the destination IP address as follows: acquiring the data packet from the virtual machine through a pre-established tunnel bridge, wherein the tunnel bridge is used for establishing a tunnel connection with the host machine of the virtual machine; and sending the data packet to an integration bridge connected with the tunnel bridge, wherein the integration bridge is used for sending the data packet to the next-hop address.
As an example, interworking between the VXLAN-type tenant network 110.0.0.0/24 and the non-tenant network 192.168.0.0/24 can be achieved as follows. This example describes a virtual machine with IP address 110.0.0.6/24 in the tenant network accessing the destination IP address 192.168.0.7/24 in the non-tenant network, as shown in FIG. 4. FIG. 4 is a schematic diagram illustrating interaction between a tenant network of the virtual extensible local area network type and a non-tenant network where a destination IP address is located in a packet forwarding method according to an embodiment of the present disclosure. In FIG. 4, the virtual machine vm deployed in host machine 1 can determine from its local routing table that the next-hop address for the non-tenant network 192.168.0.0/24, which contains the destination IP address 192.168.0.7/24, is 110.0.0.100/24, and can obtain the outgoing interface eth0 for the destination IP address, so that the data packet is sent out from the outgoing interface eth0. Host machine 1 may then send the data packet through the Linux bridge qbr to the integration bridge br-int, which performs a flow table lookup and sends the data packet to the tunnel bridge br-tun of host machine 1, so that the tunnel bridge br-tun of host machine 1 sends the data packet over the VXLAN tunnel directly to the tunnel bridge br-tun of node1, the execution body of this scheme. After receiving the data packet, the tunnel bridge br-tun of node1 sends it to the integration bridge br-int of node1 after a flow table lookup, and the integration bridge br-int of node1 sends the data packet to the pre-constructed virtual network card int-port (whose IP address is the next-hop address 110.0.0.100/24 looked up by the virtual machine vm), as shown in FIG. 4.
It should be noted that, in this scheme, the execution body node1 may determine locally that the outgoing interface of the data packet is the preset physical network card bond1, then modify the source IP address of the data packet to the IP address 192.168.0.6 of node1, and output the data packet with the modified source IP address to the switch through the physical network card bond1, so that the switch can forward the data packet to the destination IP address 192.168.0.7/24, as shown in FIG. 4. It is understood that the address of the tenant network, the IP address of the virtual machine, the address of the non-tenant network, and the destination IP address are all exemplary; in practical applications they may be modified or set as needed.
Typically, the external bridge and the integration bridge in the execution body may be connected through created patch ports. For virtual local area networks, the created patch ports may be named int-br-priv, br-int, phy-br-priv, as shown in FIG. 3. For virtual extensible local area networks, the created patch ports may be named patch-tun, br-int, patch-int, br-priv, as shown in FIG. 4.
The data packet forwarding method disclosed in the above embodiment of the present application receives, from a virtual machine in a tenant network, a data packet destined for the non-tenant network in which the destination IP address is located; sends the data packet to the virtual network card corresponding to the next-hop address of the destination IP address, so that it reaches the physical network card connected to the virtual network card; and finally disguises the source IP address of the data packet as the IP address of the physical network card and sends the data packet to the destination IP address. Data packets can thus be sent from the tenant network to the non-tenant network, realizing intercommunication between the two and enabling virtual machines in the tenant network to access the non-tenant network.
With further reference to fig. 5, a flow 500 of yet another embodiment of a packet forwarding method is shown. The flow 500 of the data packet forwarding method includes the following steps:
In this embodiment, when the virtual machine accesses the non-tenant network, an execution subject (for example, the control node shown in fig. 1) of the packet forwarding method may receive a packet addressed to the destination IP address by the virtual machine. The IP address of the virtual machine belongs to a tenant network, and the destination IP address belongs to a non-tenant network. Specifically, the execution body may receive, through the switch, a packet addressed to the destination IP address by the virtual machine.
In this embodiment, the virtual machine may look up a next hop address corresponding to the destination IP address of the packet in a routing table pre-stored locally. The execution entity (e.g., the control node shown in fig. 1) may send the packet to the next hop address after receiving the packet. The next hop address may be an address of a virtual network card created in advance by the execution subject, and the virtual network card may be used to connect each virtual machine in the tenant network to a preset physical network card, so that the execution subject may perform network interworking with the tenant network.
In this embodiment, in order to protect the security of interworking between the tenant network and the non-tenant network, the execution subject may perform access control on the tenant network and the non-tenant network. Specifically, the execution subject may restrict which destination IP addresses of the non-tenant network the tenant network can access, and may further restrict which virtual machine IP addresses of the tenant network the non-tenant network can access.
Therefore, after the data packet is transmitted to the virtual network card, the execution body may determine whether the address and the destination address of the virtual machine that transmitted the data packet are within the range of the security control. Specifically, the execution main body may determine whether a source IP address and a destination IP address of the data packet satisfy a preset security condition, and if the source IP address and the destination IP address of the data packet satisfy the preset security condition, it may be determined that the virtual machine is allowed to access the destination IP address, and at this time, the execution main body may continue to execute a data packet sending action, and send the data packet to the physical network card through the virtual network card.
It can be understood that, if the source IP address and the destination IP address of the data packet do not satisfy the preset security condition, it may be determined that the virtual machine is not allowed to access the destination IP address, and the data packet cannot be forwarded to the destination IP address.
Specifically, the execution subject may restrict the non-tenant network IP addresses that the tenant network can access, and may also restrict the tenant network addresses that the non-tenant network can access. For example, to allow the tenant network to access the destination IP address 192.168.0.11 while denying access to the other addresses in 192.168.0.0/24, the following commands may be used for reference:
iptables -I INPUT -d 192.168.0.0/24 -j DROP
iptables -I INPUT -d 192.168.0.11 -j ACCEPT
iptables -I FORWARD -d 192.168.0.0/24 -j DROP
iptables -I FORWARD -d 192.168.0.11 -j ACCEPT
As another example, to allow the source IP address 100.0.0.13 to access the non-tenant network while denying the other addresses in 100.0.0.0/24, the following commands may be used for reference:
iptables -I INPUT -s 100.0.0.0/24 -j DROP
iptables -I INPUT -s 100.0.0.13 -j ACCEPT
iptables -I FORWARD -s 100.0.0.0/24 -j DROP
iptables -I FORWARD -s 100.0.0.13 -j ACCEPT
Further, if a large number of source IP addresses and destination IP addresses need to be subjected to security control, a large number of iptables rules have to be created. To improve the matching performance of the iptables rules, ipset can be used so that the number of iptables rules is reduced. The addresses under security control are then looked up with a hash algorithm, which improves iptables rule-matching performance.
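The rule ordering these commands rely on, and the ipset form described above, as an added Python model (not code from the patent): each `-I` puts the new rule at the head of the chain, so the ACCEPT issued second is matched before the DROP. The model also goes one step further and loads both examples into one FORWARD chain. The default ACCEPT policy, the allowed addresses other than 192.168.0.11, and all function names are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Rule:
    target: str                                # "ACCEPT" or "DROP"
    src: Optional[str] = None                  # -s <address or CIDR>
    dst: Optional[str] = None                  # -d <address or CIDR>
    dst_set: Optional[FrozenSet[str]] = None   # -m set --match-set <name> dst

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        if self.src and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        if self.dst_set is not None and dst_ip not in self.dst_set:   # one hash lookup
            return False
        return True


class Chain:
    """One iptables chain: rules are tried top to bottom, first match decides."""

    def __init__(self, policy: str = "ACCEPT"):   # assumption: default policy ACCEPT
        self.rules = []
        self.policy = policy

    def insert(self, rule: Rule) -> "Chain":      # iptables -I: becomes rule 1
        self.rules.insert(0, rule)
        return self

    def append(self, rule: Rule) -> "Chain":      # iptables -A: goes last
        self.rules.append(rule)
        return self

    def verdict(self, src_ip: str, dst_ip: str) -> str:
        for rule in self.rules:
            if rule.matches(src_ip, dst_ip):
                return rule.target
        return self.policy


# The four FORWARD rules from the page.
DST_DROP = Rule("DROP", dst="192.168.0.0/24")
DST_ACCEPT = Rule("ACCEPT", dst="192.168.0.11")
SRC_DROP = Rule("DROP", src="100.0.0.0/24")
SRC_ACCEPT = Rule("ACCEPT", src="100.0.0.13")


def page_dst_chain(op: str = "insert") -> Chain:
    """The page's two FORWARD -d commands in page order, issued with -I or -A."""
    chain = Chain()
    add = getattr(chain, op)
    add(DST_DROP)
    add(DST_ACCEPT)
    return chain


def both_examples_chain() -> Chain:
    """Both page examples inserted into the same FORWARD chain, in page order."""
    chain = Chain()
    for rule in (DST_DROP, DST_ACCEPT, SRC_DROP, SRC_ACCEPT):
        chain.insert(rule)
    return chain


def paired_chain() -> Chain:
    """One ACCEPT that needs source AND destination, above both DROP rules."""
    pair = Rule("ACCEPT", src="100.0.0.13", dst="192.168.0.11")
    return Chain().insert(DST_DROP).insert(SRC_DROP).insert(pair)


def per_address_chain(allowed) -> Chain:
    """Plain iptables: one ACCEPT rule per allowed destination."""
    chain = Chain().insert(DST_DROP)
    for addr in allowed:
        chain.insert(Rule("ACCEPT", dst=addr))
    return chain


def ipset_chain(allowed) -> Chain:
    """ipset form: a single set-match rule replaces len(allowed) ACCEPT rules."""
    return Chain().insert(DST_DROP).insert(Rule("ACCEPT", dst_set=frozenset(allowed)))


if __name__ == "__main__":
    vm, ok, other = "100.0.0.13", "192.168.0.11", "192.168.0.50"
    print("-I order, allowed dst :", page_dst_chain("insert").verdict(vm, ok))
    print("-A order, allowed dst :", page_dst_chain("append").verdict(vm, ok))
    print("both examples, other  :", both_examples_chain().verdict(vm, other))
    print("paired rule, other    :", paired_chain().verdict(vm, other))
    allowed = ["192.168.0.11", "192.168.0.12", "192.168.0.20"]   # constructed
    print("rules, per-address vs ipset:",
          len(per_address_chain(allowed).rules), len(ipset_chain(allowed).rules))
```

With the same two commands issued as `-A` instead of `-I`, the /24 DROP shadows the ACCEPT; and once both examples share a chain, the source ACCEPT ends evaluation before the destination rules are reached, so a combined source-and-destination condition needs a rule that carries both matches.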
In some optional implementations of this embodiment, the execution subject may further apply flexible security group policy control to the virtual network card, so as to further improve the security of interworking between the tenant network and the non-tenant network. For example, the virtual network card may be allowed to open TCP port 80 in the ingress direction, that is, the tenant network is allowed to connect remotely to a web service of the non-tenant network.
In some optional implementation manners of this embodiment, the execution main body may further limit a network bandwidth of the virtual network card in advance. Therefore, before sending the data packet to the physical network card, the execution main body can determine whether the network bandwidth of the virtual network card reaches the upper limit. If the network bandwidth of the virtual network card does not reach the upper limit, the data packet can be sent to the physical network card through the virtual network card. According to the scheme disclosed by the implementation mode, the network bandwidth speed limit is carried out on the tenant network accessing the non-tenant network, so that the breakdown or fault of the non-tenant network caused by the large flow of the tenant network can be prevented.
As an example, the virtual network card may be rate limited using the ovs-vsctl command. The reference commands are as follows:
ovs-vsctl set interface int-port ingress_policing_rate=1000 ingress_policing_burst=1000
Here, burst should be no less than rate; for example, burst can be set to 1 or 1.25 times the rate.
In some optional implementations of this embodiment, the execution subject may detect the working state of the virtual network card by using Keepalived. Specifically, the node where the virtual network card is located may be marked as the master node, and a Keepalived service may be set up between the master node and a preset standby node, where the Keepalived service generates a virtual IP and the standby node is the backup of the master node. Then, in response to determining that the virtual network card is not faulty, the Keepalived service is controlled to connect the virtual IP to the virtual network card of the master node, and the data packet is sent to the physical network card of the master node through the virtual network card. It can be understood that, in response to determining that the virtual network card has failed, the standby node may be re-designated as the master node, the Keepalived service is controlled to connect the virtual IP to the virtual network card of the newly designated master node, and the data packet is sent to the physical network card of the newly designated master node through that node's virtual network card. This implementation uses Keepalived to make the interworking between the tenant network and the non-tenant network highly reliable, and solves the single point of failure between the tenant network and the non-tenant network.
In this embodiment, the execution subject may perform address masquerading on the source IP address of a data packet sent to the physical network card, so that the source IP address of the masqueraded data packet is the IP address of the physical network card. Then, the execution subject may send the data packet with the modified source IP address to the destination IP address. Through this step, the source IP addresses of the data packets sent by the execution subject may all be the IP address of the physical network card. It can be understood that, after receiving the data packet, the non-tenant network to which the destination IP address belongs may reply to the virtual machine if necessary, and the reply data packet may return along the same path, which is not described herein again.
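How a reply reaches the right virtual machine once every outgoing packet carries the physical network card's address, as an added Python model that is not code from the patent. The reverse table stands in for the connection tracking that Linux NAT keeps; the network card address 192.168.0.2, the second VM 100.0.0.14, the ports and the port range are constructed values.

```python
from dataclasses import dataclass
from itertools import chain
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Masquerader:
    """Source NAT onto one physical NIC address, with state for the replies."""

    def __init__(self, nic_ip: str, port_range=(32768, 60999)):   # range is constructed
        self.nic_ip = nic_ip
        self.port_range = port_range
        self.forward = {}   # (vm ip, vm port, remote ip, remote port) -> NAT source port
        self.reverse = {}   # (NAT port, remote ip, remote port) -> (vm ip, vm port)

    def _pick_port(self, pkt: Packet) -> int:
        # Keep the VM's own port when it is free towards this remote endpoint,
        # otherwise take the first free port of the range.
        low, high = self.port_range
        for port in chain([pkt.sport], range(low, high + 1)):
            if (port, pkt.dst, pkt.dport) not in self.reverse:
                return port
        raise RuntimeError("no free source port towards this destination")

    def outbound(self, pkt: Packet) -> Packet:
        """Tenant VM -> non-tenant network: rewrite the source to the NIC address."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.forward:
            port = self._pick_port(pkt)
            self.forward[key] = port
            self.reverse[(port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.nic_ip, self.forward[key], pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Non-tenant network -> NIC: restore the VM address, or None if no state."""
        if pkt.dst != self.nic_ip:
            return None
        owner = self.reverse.get((pkt.dport, pkt.src, pkt.sport))
        if owner is None:
            return None          # unsolicited: nothing in the tenant network to map to
        return Packet(pkt.src, pkt.sport, owner[0], owner[1])


if __name__ == "__main__":
    nat = Masquerader("192.168.0.2")
    # Two VMs happen to use the same source port towards the same web service.
    a = nat.outbound(Packet("100.0.0.13", 40000, "192.168.0.11", 80))
    b = nat.outbound(Packet("100.0.0.14", 40000, "192.168.0.11", 80))
    print(a, b, sep="\n")
    print(nat.inbound(Packet("192.168.0.11", 80, "192.168.0.2", b.sport)))
    print(nat.inbound(Packet("192.168.0.50", 80, "192.168.0.2", 40000)))
```

Because the non-tenant side only ever sees the network card's address, attributing a logged connection to a specific virtual machine requires this mapping from the forwarding node.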
As can be seen from fig. 5, compared with the embodiment corresponding to fig. 2, the process 500 of the data packet forwarding method in this embodiment may perform security control judgment on the source IP address and the destination IP address of the data packet after sending the data packet to the virtual network card corresponding to the next hop address of the destination IP address, and continue forwarding the data packet when the source IP address and the destination IP address of the data packet meet the preset security control condition. Therefore, according to the scheme described in this embodiment, in the process of forwarding the data packet in the tenant network and the non-tenant network, security control over data packet forwarding can be realized, and security of data packet forwarding is improved.
With further reference to fig. 6, as an implementation of the methods shown in the above-mentioned figures, the present disclosure provides an embodiment of a packet forwarding apparatus, where the embodiment of the apparatus corresponds to the embodiment of the method shown in fig. 2, and the apparatus may be specifically applied to various electronic devices.
As shown in fig. 6, the packet forwarding apparatus 600 of the present embodiment includes: a receiving unit 601, a first transmitting unit 602, and an address disguising unit 603. The receiving unit 601 is configured to receive a data packet sent by a virtual machine to a destination IP address, where the IP address of the virtual machine belongs to a tenant network and the destination IP address belongs to a non-tenant network; the first sending unit 602 is configured to send a data packet to a virtual network card corresponding to a next-hop address of a destination IP address, where the next-hop address is a next address stored in a local routing table of a virtual machine and required to pass through to reach the destination IP address, and the virtual network card is used to connect each virtual machine in a tenant network to a preset physical network card; the address masquerading unit 603 is configured to masquerade a source IP address of the packet as an IP address of the physical network card to transmit the packet to a destination IP address.
In some optional implementations of this embodiment, the tenant network is a virtual local area network; the receiving unit 601 is further configured to: receiving a data packet through a first network card associated with a pre-established external network bridge, wherein the first network card is a network card in a host machine of the virtual machine, and the external network bridge is used for receiving the data packet from the first network card; and sending the data packet to an integrated bridge connected with the external bridge, wherein the integrated bridge is used for sending the data packet to the next hop address.
In some optional implementations of this embodiment, the tenant network is a virtual extensible local area network; the receiving unit 601 is further configured to: acquire the data packet from the virtual machine through a pre-established tunnel bridge, wherein the tunnel bridge is used for establishing a tunnel connection with the host machine of the virtual machine; and send the data packet to the integrated bridge connected with the tunnel bridge, wherein the integrated bridge is used for sending the data packet to the next hop address.
In some optional implementations of this embodiment, the apparatus 600 further includes: a second sending unit configured to send the data packet to the physical network card through the virtual network card in response to determining that the source IP address and the destination IP address of the data packet satisfy the preset security condition.
In some optional implementations of this embodiment, the apparatus 600 further includes: a marking unit configured to mark the node where the virtual network card is located as a master node, and to set a Keepalived service between the master node and a preset standby node so that the Keepalived service generates a virtual IP, wherein the standby node is the backup of the master node; a first control unit configured to control the Keepalived service to connect the virtual IP to the virtual network card of the master node in response to determining that the virtual network card is not faulty; and a third sending unit configured to send the data packet to the physical network card of the master node through the virtual network card.
In some optional implementations of this embodiment, the apparatus 600 further includes: a second control unit configured to, in response to determining that the virtual network card has failed, re-designate the standby node as the master node and control the Keepalived service to connect the virtual IP to the virtual network card of the newly designated master node; and a fourth sending unit configured to send the data packet to the physical network card of the newly designated master node through that node's virtual network card.
In some optional implementations of this embodiment, the apparatus 600 further includes: a fifth sending unit configured to send the data packet to the physical network card through the virtual network card in response to determining that the virtual network card has not reached the preset upper limit of network bandwidth.
The units recited in the apparatus 600 correspond to the various steps in the method described with reference to fig. 2. Thus, the operations and features described above for the method are equally applicable to the apparatus 600 and the units included therein, and are not described in detail here.
Referring now to fig. 7, a schematic diagram of an electronic device (e.g., the control node of fig. 1) 700 suitable for use in implementing embodiments of the present disclosure is shown. The electronic device shown in fig. 7 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 7, electronic device 700 may include a processing means (e.g., central processing unit, graphics processor, etc.) 701 that may perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM) 702 or a program loaded from storage 708 into a Random Access Memory (RAM) 703. In the RAM 703, various programs and data necessary for the operation of the electronic apparatus 700 are also stored. The processing device 701, the ROM 702, and the RAM 703 are connected to each other by a bus 704. An input/output (I/O) interface 705 is also connected to bus 704.
Generally, the following devices may be connected to the I/O interface 705: input devices 706 including, for example, a touch screen, touch pad, keyboard, mouse, camera, microphone, accelerometer, gyroscope, etc.; an output device 707 including, for example, a Liquid Crystal Display (LCD), a speaker, a vibrator, and the like; storage 708 including, for example, magnetic tape, hard disk, etc.; and a communication device 709. The communication means 709 may allow the electronic device 700 to communicate wirelessly or by wire with other devices to exchange data. While fig. 7 illustrates an electronic device 700 having various means, it is to be understood that not all illustrated means are required to be implemented or provided. More or fewer devices may alternatively be implemented or provided. Each block shown in fig. 7 may represent one device or may represent multiple devices as desired.
In particular, according to an embodiment of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such embodiments, the computer program may be downloaded and installed from a network via the communication means 709, or may be installed from the storage means 708, or may be installed from the ROM 702. The computer program, when executed by the processing device 701, performs the above-described functions defined in the methods of embodiments of the present disclosure. It should be noted that the computer readable medium described in the embodiments of the present disclosure may be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In embodiments of the disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. 
In embodiments of the present disclosure, however, a computer readable signal medium may comprise a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, optical cables, RF (radio frequency), etc., or any suitable combination of the foregoing.
The computer readable medium may be embodied in the electronic device; or may be separate and not incorporated into the electronic device. The computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to: receiving a data packet sent by a virtual machine to a destination IP address, wherein the IP address of the virtual machine belongs to a tenant network, and the destination IP address belongs to a non-tenant network; sending a data packet to a virtual network card corresponding to a next hop address of the destination IP address, wherein the next hop address is an address corresponding to the destination IP address in a local routing table of the virtual machine, and the virtual network card is used for connecting each virtual machine in the tenant network to a preset physical network card; and disguising the source IP address of the data packet as the IP address of the physical network card so as to send the data packet to the destination IP address.
Computer program code for carrying out operations for embodiments of the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in the embodiments of the present disclosure may be implemented by software or hardware. The described units may also be provided in a processor, and may be described as: a processor includes a receiving unit, a first transmitting unit, and an address disguising unit. The names of these units do not in some cases constitute a limitation on the unit itself, and for example, a receiving unit may also be described as a "unit that receives a packet addressed to a destination IP address by a virtual machine".
The foregoing description is only exemplary of the preferred embodiments of the disclosure and is illustrative of the principles of the technology employed. It will be appreciated by those skilled in the art that the scope of the invention in the embodiments of the present disclosure is not limited to the specific combination of the above-mentioned features, but also encompasses other embodiments in which any combination of the above-mentioned features or their equivalents is made without departing from the inventive concept as defined above. For example, the above features and (but not limited to) the features with similar functions disclosed in the embodiments of the present disclosure are mutually replaced to form the technical solution.
Claims (10)
1. A data packet forwarding method comprises the following steps:
receiving a data packet sent by a virtual machine to a destination IP address, wherein the IP address of the virtual machine belongs to a tenant network, and the destination IP address belongs to a non-tenant network;
sending the data packet to a virtual network card corresponding to a next hop address, wherein the next hop address is a next address which is stored in the local routing table of the virtual machine and needs to pass by when reaching the destination IP address, and the virtual network card is used for connecting each virtual machine in the tenant network to a preset physical network card;
and disguising the source IP address of the data packet as the IP address of the physical network card so as to send the data packet to the destination IP address.
2. The method of claim 1, wherein the tenant network is a virtual local area network;
the receiving of the data packet sent by the virtual machine to the destination IP address includes:
receiving the data packet through a first network card associated with a pre-created external network bridge, wherein the first network card is a network card in a host of the virtual machine, and the external network bridge is used for receiving the data packet from the first network card;
and sending the data packet to an integrated bridge connected with the external bridge, wherein the integrated bridge is used for sending the data packet to the next hop address.
3. The method of claim 1, wherein the tenant network is a virtual extensible local area network;
the receiving of the data packet sent by the virtual machine to the destination IP address includes:
acquiring the data packet from the virtual machine through a pre-established tunnel bridge, wherein the tunnel bridge is used for establishing tunnel connection with a host of the virtual machine;
and sending the data packet to an integrated bridge connected with the tunnel bridge, wherein the integrated bridge is used for sending the data packet to the next hop address.
4. The method of claim 1, wherein after sending the data packet to the virtual network card corresponding to the next hop address, the method further comprises:
and in response to determining that the source IP address and the destination IP address of the data packet satisfy a preset security condition, sending the data packet to the physical network card through the virtual network card.
5. The method of claim 1, wherein after sending the data packet to the virtual network card corresponding to the next hop address, the method further comprises:
marking the node where the virtual network card is located as a master node, and setting a Keepalived service between the master node and a preset standby node so that the Keepalived service generates a virtual IP, wherein the standby node is the backup of the master node;
in response to determining that the virtual network card is not faulty, controlling the Keepalived service to connect the virtual IP to the virtual network card of the master node;
and sending the data packet to the physical network card of the master node through the virtual network card.
6. The method of claim 5, wherein the method further comprises:
in response to determining that the virtual network card has failed, re-designating the standby node as the master node, and controlling the Keepalived service to connect the virtual IP to the virtual network card of the newly designated master node;
and sending the data packet to the physical network card of the newly designated master node through that node's virtual network card.
7. The method of any of claims 1-6, wherein after sending the data packet to the virtual network card corresponding to the next hop address, the method further comprises:
and in response to determining that the virtual network card does not reach the upper limit of the preset network bandwidth, sending the data packet to the physical network card through the virtual network card.
8. A packet forwarding device comprising:
the receiving unit is configured to receive a data packet sent by a virtual machine to a destination IP address, wherein the IP address of the virtual machine belongs to a tenant network, and the destination IP address belongs to a non-tenant network;
a first sending unit, configured to send the data packet to a virtual network card corresponding to a next-hop address, where the next-hop address is a next address stored in the local routing table of the virtual machine and required to pass through to reach the destination IP address, and the virtual network card is used to connect each virtual machine in the tenant network to a preset physical network card;
and the address disguising unit is configured to disguise the source IP address of the data packet as the IP address of the physical network card so as to send the data packet to the destination IP address.
9. An electronic device, comprising:
one or more processors;
a storage device having one or more programs stored thereon,
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method recited in any of claims 1-7.
10. A computer-readable medium, on which a computer program is stored, wherein the program, when executed by a processor, implements the method of any one of claims 1-7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010506257.XA CN111800340B (en) | 2020-06-05 | 2020-06-05 | Data packet forwarding method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111800340A CN111800340A (en) | 2020-10-20 |
CN111800340B true CN111800340B (en) | 2022-08-12 |
Family
ID=72802877
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010506257.XA Active CN111800340B (en) | 2020-06-05 | 2020-06-05 | Data packet forwarding method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111800340B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114650290B (en) * | 2020-12-17 | 2024-07-26 | 中移(苏州)软件技术有限公司 | Network communication method, processing device, terminal and storage medium |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2013003935A (en) * | 2011-06-20 | 2013-01-07 | Mitsubishi Electric Corp | Information processing device, information processing method and program |
CN105245504A (en) * | 2015-09-10 | 2016-01-13 | 北京汉柏科技有限公司 | North-south flow safety protection system in cloud computing network |
CN106686085A (en) * | 2016-12-29 | 2017-05-17 | 华为技术有限公司 | Load balancing method, apparatus and system |
CN107395781A (en) * | 2017-06-29 | 2017-11-24 | 北京小度信息科技有限公司 | Network communication method and device |
CN108111461A (en) * | 2016-11-24 | 2018-06-01 | 中移(苏州)软件技术有限公司 | Realize method, apparatus, gateway and the system of virtual machine Access Management Access network |
CN108199982A (en) * | 2018-01-03 | 2018-06-22 | 腾讯科技(深圳)有限公司 | Message processing method, device, storage medium and computer equipment |
CN109889621A (en) * | 2019-01-18 | 2019-06-14 | 北京百度网讯科技有限公司 | The configuration method and device of virtual private cloud service |
CN110704167A (en) * | 2019-10-09 | 2020-01-17 | 腾讯科技(深圳)有限公司 | Method, device, equipment and storage medium for creating virtual machine |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9930066B2 (en) * | 2013-02-12 | 2018-03-27 | Nicira, Inc. | Infrastructure level LAN security |
CN103747059B (en) * | 2013-12-26 | 2016-10-05 | 华中科技大学 | A kind of cloud computing server cluster network support method towards many tenants and system |
CN106656719B (en) * | 2016-09-26 | 2020-07-07 | 华为技术有限公司 | Inter-cloud communication method and related equipment, inter-cloud communication configuration method and related equipment |
CN106657442A (en) * | 2017-01-11 | 2017-05-10 | 浙江广播电视集团 | Method and system for realizing media shared storage network based on VxLAN |
CN110737508A (en) * | 2019-10-14 | 2020-01-31 | 浪潮云信息技术有限公司 | cloud container service network system based on wave cloud and implementation method |
Non-Patent Citations (1)
Title |
---|
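Design and Implementation of Hybrid Cloud Networking under the OpenStack Architecture; Hao Kai; China Excellent Doctoral and Master's Dissertations Full-text Database (Master's); 20180715; full text * |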
Also Published As
Publication number | Publication date |
---|---|
CN111800340A (en) | 2020-10-20 |
Similar Documents
Publication | Title |
---|---|
US10949379B2 (en) | Network traffic routing in distributed computing systems |
CN112470436B (en) | Systems, methods, and computer-readable media for providing multi-cloud connectivity |
US10237230B2 (en) | Method and system for inspecting network traffic between end points of a zone |
US10623505B2 (en) | Integrating service appliances without source network address translation in networks with logical overlays |
CN110313163B (en) | Load balancing in distributed computing systems |
US9350608B2 (en) | Method and system for using virtual tunnel end-point registration and virtual network identifiers to manage virtual extensible local area network access |
US9875359B2 (en) | Security management for rack server system |
US9110703B2 (en) | Virtual machine packet processing |
US8819211B2 (en) | Distributed policy service |
US8743894B2 (en) | Bridge port between hardware LAN and virtual switch |
US20170264622A1 (en) | Providing a virtual security appliance architecture to a virtual cloud infrastructure |
US8650326B2 (en) | Smart client routing |
US9036638B2 (en) | Avoiding unknown unicast floods resulting from MAC address table overflows |
US20150358232A1 (en) | Packet Forwarding Method and VXLAN Gateway |
US7965714B2 (en) | Method and system for offloading network processing |
US10389628B2 (en) | Exposing a subset of hosts on an overlay network to components external to the overlay network without exposing another subset of hosts on the overlay network |
EP2920940B1 (en) | Method and device for data flow processing |
US20150172156A1 (en) | Detecting end hosts in a distributed network environment |
US11032369B1 (en) | System and method for non-disruptive migration of software components to a public cloud system |
WO2014089799A1 (en) | Method and apparatus for determining virtual machine drifting |
US12052173B2 (en) | Executing workloads across multiple cloud service providers |
EP3598705A1 (en) | Routing control |
CN115225634B (en) | Data forwarding method, device and computer program product under virtual network |
CN111800340B (en) | Data packet forwarding method and device |
CN113709016B (en) | Communication system, communication method, communication apparatus, communication device, and storage medium |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |