CN112202795B - Data processing method, gateway equipment and medium - Google Patents


Publication number
CN112202795B
Authority
CN
China
Prior art keywords
gateway
target gateway
target
command packet
access command
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011069915.XA
Other languages
Chinese (zh)
Other versions
CN112202795A (en)
Inventor
宋淮
帅涛
陶宇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN202011069915.XA
Publication of CN112202795A
Application granted
Publication of CN112202795B


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/60 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiments of the application disclose a data processing method, gateway equipment and a medium, which can be used in the technical field of cloud security to realize network protection. The method comprises the following steps: a first target gateway receives an access request and determines an access command packet corresponding to the access request, wherein the first target gateway is one of a plurality of first gateways; if the first target gateway receives an inquiry request sent by a second target gateway, the first target gateway sends the access command packet to the second target gateway, wherein the second target gateway is a second gateway corresponding to the first target gateway; and the first target gateway receives data sent by the second target gateway in response to the access command packet. By implementing the method, the network protection effect is improved and network security is ensured.

Description

Data processing method, gateway equipment and medium
Technical Field
The present disclosure relates to the field of security technologies, and in particular, to a data processing method, gateway device, and medium.
Background
With the rapid development of electronic technology and internet technology, more and more enterprises have an internal network, namely an intranet, and more and more of them also need to access the intranet through an external network for data transmission, so that the whole enterprise can work together remotely. How to ensure the security of the intranet during data transmission has become a current research hotspot.
Disclosure of Invention
The embodiment of the application provides a data processing method, gateway equipment and a medium, which are beneficial to improving the network protection effect and guaranteeing the network security.
The first aspect of the embodiment of the application discloses a data processing method, which comprises the following steps:
a first target gateway receives an access request and determines an access command packet corresponding to the access request, wherein the first target gateway is one of a plurality of first gateways;
if the first target gateway receives an inquiry request sent by a second target gateway, the first target gateway sends the access command packet to the second target gateway, wherein the second target gateway is a second gateway corresponding to the first target gateway;
and the first target gateway receives data sent by the second target gateway in response to the access command packet.
Another data processing method is disclosed in a second aspect of the embodiments of the present application, where the method includes:
a second target gateway sends an inquiry request to a first target gateway, wherein the first target gateway is one of the plurality of first gateways, and the second target gateway is a second gateway corresponding to the first target gateway;
The second target gateway receives an access command packet sent by the first target gateway;
the second target gateway obtains data corresponding to the access command packet according to the access command packet, and sends the data corresponding to the access command packet to the first target gateway.
A third aspect of an embodiment of the present application discloses a data processing apparatus, the apparatus including:
the determining unit is used for receiving the access request by the first target gateway and determining an access command packet corresponding to the access request, wherein the first target gateway is one of the plurality of first gateways;
a sending unit, configured to send, if the first target gateway receives an inquiry request sent by a second target gateway, the access command packet to the second target gateway by using the first target gateway, where the second target gateway is a second gateway corresponding to the first target gateway;
and the receiving unit is used for receiving the data sent by the second target gateway in response to the access command packet by the first target gateway.
In a fourth aspect, another data processing apparatus is disclosed, including:
a sending unit, configured to send an inquiry request to a first target gateway by using a second target gateway, where the first target gateway is one of the plurality of first gateways, and the second target gateway is a second gateway corresponding to the first target gateway;
The receiving unit is used for receiving the access command packet sent by the first target gateway by the second target gateway;
the sending unit is further configured to obtain, by using the second target gateway according to the access command packet, data corresponding to the access command packet, and send, to the first target gateway, the data corresponding to the access command packet.
A fifth aspect of the embodiments of the present application discloses a gateway device, comprising a processor, a memory and a network interface, the processor, the memory and the network interface being connected to each other, wherein the memory is configured to store a computer program, the computer program comprising program instructions, the processor being configured to invoke the program instructions to perform the method of the first aspect and/or the second aspect.
A sixth aspect of the embodiments of the present application discloses a computer readable storage medium storing a computer program comprising program instructions which, when executed by a processor, cause the processor to perform the method of the first and/or second aspects described above.
A seventh aspect of the embodiments of the present application discloses a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The computer instructions are read from a computer-readable storage medium by a processor of a computer device, the computer instructions being executed by the processor, causing the computer device to perform the methods of the first and/or second aspects described above.
In this embodiment of the present application, the first target gateway may receive an access request sent by a user through a client and determine an access command packet corresponding to the access request. If the first target gateway receives an inquiry request sent by the second target gateway, the first target gateway may send the access command packet to the second target gateway, so that the second target gateway obtains the data corresponding to the access command packet. The first target gateway may then receive the data sent by the second target gateway in response to the access command packet. By implementing the method, network security can be effectively ensured and the network protection effect is improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings needed in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present application, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1a is a schematic architecture diagram of a cloud data system according to an embodiment of the present application;
Fig. 1b is a schematic architecture diagram of another cloud data system provided in an embodiment of the present application;
Fig. 1c is a schematic architecture diagram of yet another cloud data system provided by an embodiment of the present application;
Fig. 1d is a schematic diagram of a data flow between a first gateway and a second gateway according to an embodiment of the present disclosure;
Fig. 2 is a schematic flow chart of a data processing method according to an embodiment of the present application;
Fig. 3a is a schematic flow chart of a client accessing a first network through the first network according to an embodiment of the present application;
Fig. 3b is a schematic flow chart of another client accessing a first network through the first network according to an embodiment of the present application;
Fig. 4 is a flowchart of another data processing method according to an embodiment of the present disclosure;
Fig. 5 is a schematic diagram of a data processing apparatus according to an embodiment of the present application;
Fig. 6 is a schematic diagram of another data processing apparatus according to an embodiment of the present application;
Fig. 7 is a schematic structural diagram of a gateway device according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all, of the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
Fig. 1a is a schematic diagram of a cloud data system according to an embodiment of the present application. The cloud data system described in the present embodiment includes a first network and a plurality of second networks. The first network may be an external network, or a network with lower security (such as a non-secret-involved network), etc., and the second network may be an internal network, or a network with higher security (such as a secret-involved network), etc. The first network comprises a plurality of first gateways, and each second network comprises a second gateway. The first gateways and the second gateways have a correspondence, and a unidirectional connection from the second gateway to the first gateway is established between a first gateway and its second gateway.
In this application, a unidirectional connection means that the second network first accesses the first network to establish the connection between the first network and the second network, and the first network is not allowed to access the second network directly. It will be appreciated that the unidirectional connection may also be called unidirectional access or by other names, which is not limited in this application. Optionally, the second gateway in the second network may send an inquiry request to the first gateway in the first network to ask whether the first gateway has data to be transmitted. If it is determined that there is data to be transmitted, a communication connection between the first network and the second network is established, that is, the first gateway and the second gateway are connected in communication, which facilitates the subsequent data transmission. Establishing the communication connection between the first network and the second network over the unidirectional connection allows the client to access the second network through the first network efficiently and reliably while effectively ensuring the security of the second network.
In one implementation, the cloud data system described above may further include a client, a routing device, a network isolation device, and a server. Fig. 1b is a schematic architecture diagram of another cloud data system according to an embodiment of the present application. As shown in fig. 1b, the first network may include a routing device and a plurality of first gateways, and each of the second networks may include a second gateway and a server. Alternatively, the second gateway may be deployed in a server. The plurality of second networks included in the cloud data system provided in the implementation of the present application may be different logical areas that are isolated, which provides assistance to hierarchical management of the networks.
Alternatively, the client may be an access proxy deployed at the terminal, through which the user may initiate an access request to the second network, e.g., an IOA client. The terminal can be a smart phone, a tablet computer, a notebook computer, a desktop computer and the like.
Alternatively, the routing device may be a device having a routing function, such as a next generation network (Next Generation Network, NGN) gateway or the like, which can provide access to different second networks depending on the second network accessed by the user.
Optionally, the network isolation device may include any one of a gatekeeper, a shutter and a firewall, where the network isolation device may perform security isolation on the first network and the second network, so that high security in a data transmission process may be ensured, and confidentiality of data in the second network is ensured.
Optionally, the server may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDNs, basic cloud computing services such as big data and artificial intelligence platforms, or an internet data center (Internet Data Center, IDC) machine room.
In one implementation, Fig. 1c is a schematic architecture diagram of another cloud data system according to an embodiment of the present application. Fig. 1c may be a schematic architecture diagram of a practical application scenario for a cloud data system. The border gateway labeled 11 in Fig. 1c may be a first gateway and the border gateway labeled 12 may be a second gateway, the security border being the network isolation device. Alternatively, the full-flow agent in Fig. 1c may be a transmission medium: after the client receives the user's access request, the access request may be forwarded to the routing device by the full-flow agent. The full-flow agent may hijack the access request to take it over and, after taking it over, send it to the routing device in a proxy manner.
In one implementation, a data flow diagram between a first gateway and a second gateway is shown in fig. 1 d. Alternatively, the first gateway or the second gateway may comprise Bridge and Sockman. Wherein Bridge can be responsible for creating, maintaining, data reorganizing, transceiving and retrying a unidirectional connection channel from the second network to the first network, and the Sockman can be responsible for placing received data, such as access request data of a user and application data of a server, into Bridge. The first gateway and the second gateway are boundary gateways of the first network and the second network respectively, and when a user needs to access the second network through the first network to perform data transmission, the first gateway needs to respond to an inquiry request sent by the second gateway so as to establish communication connection between the first network and the second network. After the communication connection is established, the access request of the user can be sent to the second gateway through the first gateway, and then the second gateway can acquire the data corresponding to the access request according to the access request and send the data to the first gateway. It can be seen that the second network can communicate with the first network through the first gateway and the second gateway, so that the first network and the second network are communicated, access stability and link stability are ensured, and the client can reliably access the second network across the networks.
The implementation details of the technical solutions of the embodiments of the present application are described in detail below:
fig. 2 is a schematic flow chart of a data processing method according to an embodiment of the present application. The data processing method described in the present embodiment includes the steps of:
201: the first target gateway receives the access request and determines an access command packet corresponding to the access request, wherein the first target gateway is one of a plurality of first gateways.
In one implementation, the first target gateway may receive an access request of a user, and determine, according to the access request, a corresponding access command packet thereof, where the access command packet includes data to be accessed by the user. The access command packet may include the following three parts: request line, request header and request body. Wherein the request line is in the first line of the access command packet and contains the request method, the request resource path and the version of the protocol. The request header adds some additional information to the access command packet, such as the length of the request body, etc. The request body is the data to be sent by the user via the client.
In one implementation, the first target gateway may also perform security verification on the received access request after receiving the access request. After the security verification is passed, determining an access data packet corresponding to the access request. Specifically, the first target gateway may perform security verification on the identity of the user corresponding to the access request or perform security verification on data in the access request.
Optionally, the first target gateway may perform security verification on the identity of the user corresponding to the access request. The first target gateway may preset a user list and determine from it whether the identity of the user corresponding to the access request is safe. Optionally, the first target gateway presets a white list and a black list. If the user corresponding to the access request is in the white list, the identity of the user is deemed safe, that is, the security verification of the access request passes, and the first target gateway can determine an access data packet corresponding to the access request. If the user corresponding to the access request is in the blacklist, or is in neither the whitelist nor the blacklist, the identity of the user is deemed unsafe, that is, the security verification of the access request does not pass, and the first target gateway can intercept the access request without carrying out subsequent steps. Specifically, the access request carries an account number of the user, and the first target gateway can determine whether the account number is in the white list or the black list preset by the first target gateway. If the first target gateway determines that the account number is in the white list, the first target gateway can determine an access data packet corresponding to the access request. If the first target gateway determines that the account number is in the blacklist, or that the account number is in neither the whitelist nor the blacklist, the first target gateway intercepts the access request without performing subsequent steps.
Optionally, the first target gateway may perform security verification on the data in the access request. The access request carries data required by access, the first target gateway can detect whether the data are abnormal data, if the first target gateway detects that the data are not abnormal data, the security verification of the access request is passed, and then the first target gateway can determine an access data packet corresponding to the access request. If the first target gateway detects that the data is anomalous, the security verification of the access request is not passed, and the first target gateway may intercept the access request without subsequent steps. Alternatively, the anomalous data may be junk data or malicious data.
Optionally, the first target gateway may perform security verification on the identity of the user corresponding to the access request, and also perform security verification on the data in the access request. And the first target gateway can determine the access command packet corresponding to the access request only if the identity security verification of the user corresponding to the access request passes and the data security verification in the access request passes. If either of the two security verifications does not pass, the first target gateway may intercept the access request without subsequent steps.
In one implementation, the access request is routed by the routing device to the first target gateway, which may alternatively be an NGN gateway. Specifically, for example, as shown in fig. 3a, which is a schematic flow chart of a client accessing a first network through the first network, a user may send an access request through the client shown in fig. 3a, and a routing device may receive the access request. Alternatively, after the client receives the user's access request, the access request may be forwarded to the routing device via a medium, which may be a full-flow proxy, which may hijack the access request to take over the access request, and after the full-flow proxy takes over the access request, the access request may be sent to the routing device in a proxy manner. After the routing device receives the access request, the routing device may determine the first target gateway according to the target identifier carried by the access request. After the routing device determines the first target gateway, the access request may be routed to the first target gateway.
Optionally, the target identifier may be a domain name of the second network, and after determining the domain name of the second network, the routing device determines a second target gateway corresponding to the second network, and then determines, according to a correspondence between the first gateway and the second gateway, a first target gateway corresponding to the second target gateway.
Optionally, the specific implementation manner of determining, by the routing device, the first target gateway according to the target identifier may be that the routing device stores in advance a correspondence between the second gateway and the domain name and a correspondence between the first gateway and the second gateway. The routing device obtains the target identifier in the access request, that is, after obtaining the domain name of the second network in the access request, the second target gateway corresponding to the domain name can be determined according to the domain name and the corresponding relation between the second gateway and the domain name, and then the first target gateway corresponding to the second target gateway is determined according to the second target gateway and the corresponding relation between the first gateway and the second gateway.
Optionally, the specific implementation manner of determining the first target gateway by the routing device according to the target identifier may be that the routing device stores the correspondence relationship among the domain name, the second gateway and the first gateway in advance. The routing device obtains the target identifier in the access request, that is, after obtaining the domain name in the access request, the first target gateway corresponding to the domain name can be determined according to the domain name and the corresponding relationship among the domain name, the second gateway and the first gateway.
Optionally, the routing device may also perform security verification on the access request after receiving the access request. If the security verification passes, the routing device may route the access request to the first target gateway. If the security verification is not passed, the routing device may intercept the access request without subsequent steps. Optionally, the security verification manner of the routing device may be identical to the security verification manner of the first target gateway on the access request, which is not described herein.
202: the second target gateway sends an inquiry request to the first target gateway, wherein the second target gateway is a second gateway corresponding to the first target gateway.
In one implementation, the plurality of second gateways may send inquiry requests to the plurality of first gateways. The second gateways and the first gateways have a correspondence, and each second gateway may send its inquiry request to its corresponding first gateway. Optionally, the inquiry request may be used to ask the first gateway whether the second gateway is to be accessed. If the first gateway is to access the second gateway, the first gateway may respond to the inquiry request and send an access command packet to the second gateway. If the first gateway does not need to access the second gateway, it may leave the inquiry request unanswered. Optionally, the second gateway may set a duration for the first gateway to respond to the inquiry request; if the first gateway does not respond within that duration after the second gateway sends the inquiry request, it is determined that the first gateway does not need to access the second gateway.
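The following in-process simulation ties steps 201 and 202 together. It is an added example, not code from the patent: the class names, the HTTP/1.1-style framing of the access command packet, the specific "abnormal data" rules and the sample accounts and domain are all assumptions made for illustration.

```python
import queue
from dataclasses import dataclass

@dataclass
class AccessRequest:
    account: str          # account number carried by the access request
    domain: str           # target identifier (domain name of the second network)
    method: str
    path: str
    body: bytes = b""

def build_command_packet(req):
    """Request line, request header, request body (HTTP/1.1 framing is an assumption)."""
    head = (f"{req.method} {req.path} HTTP/1.1\r\n"
            f"Host: {req.domain}\r\n"
            f"Content-Length: {len(req.body)}\r\n\r\n")
    return head.encode("ascii") + req.body

def parse_command_packet(packet):
    head, _, body = packet.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = dict(line.split(": ", 1) for line in lines[1:])
    if int(headers["Content-Length"]) != len(body):
        raise ValueError("request body length does not match request header")
    return method, path, version, headers, body

class FirstGateway:
    """Outer gateway: it never dials the second network, it only answers inquiries."""
    def __init__(self, whitelist, blacklist, max_body=1024):
        self.whitelist, self.blacklist = set(whitelist), set(blacklist)
        self.max_body = max_body
        self._pending = queue.Queue()     # verified access command packets
        self.received = []                # data returned by the second gateway

    def identity_ok(self, account):
        # Blacklisted accounts and accounts on neither list are both rejected.
        return account in self.whitelist and account not in self.blacklist

    def data_ok(self, req):
        # Assumed anomaly rules: fields that would break the request line or
        # headers (control characters, spaces, non-ASCII) and oversized bodies.
        fields = (req.method, req.path, req.domain)
        clean = all(f and f.isascii() and f.isprintable() and " " not in f
                    for f in fields)
        return clean and len(req.body) <= self.max_body

    def receive_access_request(self, req):
        if not (self.identity_ok(req.account) and self.data_ok(req)):
            return False                  # intercepted, no subsequent steps
        self._pending.put(build_command_packet(req))
        return True

    def answer_inquiry(self, wait):
        # No packet within the wait means the inquiry goes unanswered.
        try:
            return self._pending.get(timeout=wait)
        except queue.Empty:
            return None

    def receive_data(self, data):
        self.received.append(data)

class SecondGateway:
    """Inner gateway: the only side that initiates contact."""
    def __init__(self, first_gateway, server, response_wait=0.01):
        self.first, self.server, self.response_wait = first_gateway, server, response_wait

    def poll_once(self):
        packet = self.first.answer_inquiry(self.response_wait)   # inquiry request
        if packet is None:
            return False                  # first gateway has nothing to access
        method, path, _version, _headers, body = parse_command_packet(packet)
        self.first.receive_data(self.server(method, path, body))
        return True

def intranet_server(method, path, body):
    # Stand-in for the server in the second network.
    return f"{method} {path} -> {len(body)} bytes handled".encode()

def run_demo():
    first = FirstGateway(whitelist={"alice"}, blacklist={"mallory"})
    second = SecondGateway(first, intranet_server)
    domain = "hr.intranet.example"        # constructed sample value
    outcomes = [first.receive_access_request(r) for r in (
        AccessRequest("alice", domain, "POST", "/leave", b"days=2"),
        AccessRequest("mallory", domain, "GET", "/leave"),            # blacklisted
        AccessRequest("bob", domain, "GET", "/leave"),                # on neither list
        AccessRequest("alice", domain, "GET", "/x\r\nHost: other"),   # malformed path
    )]
    polls = [second.poll_once(), second.poll_once()]
    return outcomes, polls, first.received

if __name__ == "__main__":
    print(run_demo())
```

Only the verified request reaches the queue, and it leaves the first gateway only when the second gateway asks for it; the second poll times out because nothing else is pending.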
In one implementation, the plurality of second gateways send inquiry requests to their corresponding first gateways in a polling manner. Taking the second target gateway and the first target gateway as an example, when the polling opportunity of the second target gateway arrives, the second target gateway sends an inquiry request to the first target gateway.
In one implementation, the polling manner may be to sort the plurality of second gateways in advance and have each second gateway in turn send an inquiry request to its corresponding first gateway according to the sorting result. When the plurality of second gateways are sorted, they may be ordered randomly to obtain a ranking result. They may also be ranked according to the history record of the second gateways being accessed to obtain a ranking result. Optionally, the position of a second gateway within a polling period can be determined according to the number of times the second gateway has been accessed in the history record; for example, the more times a second gateway has been accessed, the further forward it is ranked, and the fewer times it has been accessed, the further back it is ranked. And/or, optionally, the number of times a second gateway is polled within a polling period is determined according to the number of times it has been accessed in the history record; for example, the more times a second gateway has been accessed, the more times it may appear in the polling period, that is, the second gateway may take part in the ordering multiple times or have multiple polling opportunities; as another example, if the number of times a second gateway has been accessed in the history record exceeds a threshold, the second gateway gains one more polling opportunity in a polling period. Other ordering methods are also possible and are not limited in this application.
This helps the access command packet of a first gateway to be sent to the corresponding second gateway in time, improves the timeliness of data acquisition, and at the same time reduces the inquiry request data in the system and the polling overhead.
For example, take 5 second gateways (second gateway 1, second gateway 2, second gateway 3, second gateway 4, and second gateway 5). Ordered from high to low by the number of times each has been accessed in the history record, they are second gateway 3, second gateway 1, second gateway 4, second gateway 5, and second gateway 2, so the result of ordering the 5 second gateways may be second gateway 3, second gateway 1, second gateway 4, second gateway 5, and second gateway 2. Each polling period may then poll in turn in the order of second gateway 3, second gateway 1, second gateway 4, second gateway 5, and second gateway 2 to send inquiry requests.
As another example, with the same 5 second gateways, the ordering by historical access count shows that second gateway 3 has a higher access count, so second gateway 3 may be placed in the ordering multiple times. For example, one ordering result may be second gateway 3, second gateway 1, second gateway 4, second gateway 3, second gateway 5, and second gateway 2, and in each polling period the gateways may send inquiry requests in turn in that order. As another example, the ordering result may be second gateway 3, second gateway 1, second gateway 2, second gateway 3, second gateway 4, and second gateway 5, and each polling period then polls in turn in that order. Other orderings are also possible, provided that second gateway 3 appears in the ordering result multiple times; they are not listed here.
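The two orderings described above can be produced mechanically. The following is an added example, not code from the patent: the access counts, the `hot_threshold` parameter and the rule that places the extra slot about half a period after the first are assumptions chosen so that the output matches the 3, 1, 4, 3, 5, 2 ordering in the text.

```python
# Constructed sample: history access counts per second gateway (values assumed).
SAMPLE_COUNTS = {1: 40, 2: 5, 3: 90, 4: 20, 5: 10}


def build_polling_cycle(access_counts, hot_threshold=None):
    """Return the order in which second gateways send inquiry requests in one period.

    access_counts: gateway id -> number of recorded accesses.
    hot_threshold: gateways whose count exceeds it get one extra polling opportunity.
    """
    # Most-accessed first; ties broken by id so the schedule is deterministic.
    base = sorted(access_counts, key=lambda g: (-access_counts[g], g))
    cycle = list(base)
    if hot_threshold is None:
        return cycle
    for gateway in (g for g in base if access_counts[g] > hot_threshold):
        first = cycle.index(gateway)
        # Assumed placement rule: second slot about half a period after the
        # first, which roughly halves that gateway's worst-case wait.
        slot = first + len(cycle) // 2 + 1
        cycle.insert(min(slot, len(cycle)), gateway)
    return cycle


def worst_case_wait(cycle, gateway):
    """Longest run of polling slots between two turns of the same gateway."""
    positions = [i for i, g in enumerate(cycle) if g == gateway]
    n = len(cycle)
    gaps = []
    for k, pos in enumerate(positions):
        nxt = positions[(k + 1) % len(positions)]
        gaps.append((nxt - pos) % n or n)  # a single slot waits a full period
    return max(gaps)


if __name__ == "__main__":
    plain = build_polling_cycle(SAMPLE_COUNTS)
    weighted = build_polling_cycle(SAMPLE_COUNTS, hot_threshold=50)
    print(plain, worst_case_wait(plain, 3))
    print(weighted, worst_case_wait(weighted, 3), worst_case_wait(weighted, 2))
```

The extra slot shortens the wait for the busy gateway at the cost of one more slot of delay for every other gateway in the period.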
In one implementation, the polling may also be performed by the plurality of second gateways sending inquiry requests to the first gateway at preset time intervals, where a time interval may be 1 second, 3 seconds, etc. Optionally, the plurality of second gateways may share one time interval, or may correspond to different time intervals; the time interval corresponding to each second gateway is not limited in this application.
For example, take 3 second gateways (second gateway 1, second gateway 2, and second gateway 3), each corresponding to its own time interval: second gateway 1 corresponds to time interval T1, second gateway 2 to time interval T2, and second gateway 3 to time interval T3. Second gateway 1 sends an inquiry request to the corresponding first gateway at time interval T1, second gateway 2 sends an inquiry request to the corresponding first gateway at time interval T2, and second gateway 3 sends an inquiry request to the corresponding first gateway at time interval T3.
203: If the first target gateway receives the inquiry request sent by the second target gateway, the first target gateway sends an access command packet to the second target gateway.
In one implementation, each of the plurality of second gateways may send inquiry requests to the first target gateway. Therefore, after the first target gateway receives a user's access request and determines the corresponding access command packet, it may continuously monitor the inquiry requests sent by the second gateways until it detects that the second gateway corresponding to the first target gateway, that is, the second target gateway, has sent an inquiry request, and it may then receive that inquiry request. After the first target gateway receives the inquiry request sent by the second target gateway, it can establish a communication connection with the second target gateway and then send the access command packet to the second target gateway.
204: the second target gateway receives the access command packet sent by the first target gateway.
205: the second target gateway obtains data corresponding to the access command packet according to the access command packet, and sends the data corresponding to the access command packet to the first target gateway.
In one implementation, after the second target gateway receives the access command packet sent by the first target gateway, the second target gateway may also send the access command packet to a server corresponding to the second target gateway, as shown in Fig. 3a; after receiving the access command packet, the server acquires the data corresponding to it. The server then sends that data to the second target gateway, which, after receiving it, can send the data corresponding to the access command packet to the first target gateway.
In one implementation, Fig. 3b is a schematic flow chart of another client accessing the first network through the first network, and may be a schematic flow chart of an actual application scenario in which the client accesses the first network through the first network. The border gateway labeled 31 in Fig. 3b is the first target gateway and the border gateway labeled 32 is the second target gateway.
206: the first target gateway receives data sent by the second target gateway in response to the access command packet.
In one implementation, the first target gateway may receive the data sent by the second target gateway in response to the access command packet. After receiving the data, the first target gateway can return it to the user, and may then disconnect from the second target gateway.
Optionally, in the present application, the communication connection established by the client through the first network and the second network may be a short connection.
In one implementation, the short connection may be implemented by establishing a communication connection between the first target gateway and the second target gateway before the first target gateway sends the access command packet to the second target gateway, and disconnecting the communication connection between the first target gateway and the second target gateway after the first target gateway receives the data sent by the second target gateway in response to the access command packet.
In one implementation, the short connection may also be implemented as follows: before the first target gateway sends the access command packet to the second target gateway, a communication connection between the first target gateway and the second target gateway is established, and if a duration condition is met, for example a preset duration is reached, the communication connection is disconnected. For example, a connection duration may be determined according to the feature information corresponding to the access command packet, and when the connection duration is reached (i.e., the duration condition is met), the second target gateway disconnects its communication connection with the first target gateway. Optionally, the disconnection may be implemented by a timer preset in the second target gateway: when the timer's preset duration (the connection duration) is reached, the communication connection between the first target gateway and the second target gateway is disconnected. Optionally, the preset duration may be determined by the second target gateway, for instance according to the data size of the access command packet it received, the priority of the user corresponding to the access command packet, the transmission quality of the current network, or in other ways.
For example, the larger the data size of the access command packet received by the second target gateway, the longer the preset duration set by the second target gateway, so that the second target gateway can obtain the corresponding data according to the access command packet and return it to the first target gateway. Correspondingly, the smaller the data size of the access command packet received by the second target gateway, the shorter the preset duration set by the second target gateway.
As another example, the second target gateway presets a user access priority, and the higher the priority, the shorter the preset duration. Optionally, after the first target gateway and the second target gateway receive the access command packet and determine the user corresponding to it, the preset duration may be determined according to the user access priority corresponding to that user. As another example, the second target gateway may determine the preset duration according to the transmission quality of the current network: if the transmission quality is poor, the preset duration is longer, and if the transmission quality is better, the preset duration is shorter.
It should be noted that the way the preset duration is determined is not limited to the foregoing; it may be determined in other ways, for example by combining any of the ways described above: jointly according to the data size of the access command packet received by the second target gateway and the priority of the user corresponding to the access command packet, or jointly according to the priority of the user corresponding to the access command packet and the transmission quality of the current network. The manner in which the preset duration is determined is not limited in this application.
In one implementation, the short connection may further be implemented as follows: before the first target gateway sends the access command packet to the second target gateway, a communication connection between the first target gateway and the second target gateway is established, and whether to disconnect it is decided jointly from the data sent by the first target gateway in response to the access command packet and the preset duration set by the second target gateway. Optionally, when the first target gateway has received the data sent by the second target gateway in response to the access command packet but the preset duration has not yet been reached, the communication connection between the first target gateway and the second target gateway may be disconnected directly, so as to ensure the security of data transmission and of the second network. With the short connection mode of this application, no long-lived connection link has to be maintained, the connection consumption on the server is lower, the requirement on network quality is lower, the flexibility of network connection is effectively improved, and the security of the second network can be ensured.
In this embodiment of the present application, the first target gateway may receive the access request and determine the access command packet corresponding to it. The second gateway corresponding to the first target gateway, i.e. the second target gateway, may send an inquiry request to the first target gateway. If the first target gateway receives the inquiry request sent by the second target gateway, it sends the access command packet to the second target gateway. After receiving the access command packet sent by the first target gateway, the second target gateway may obtain the data corresponding to the access command packet and send that data to the first target gateway, which receives the data sent by the second target gateway in response to the access command packet. Implementing this method can effectively ensure network security and improve the network protection effect.
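Steps 201 to 206 and the short-connection rules can be traced in a small in-memory model. This is an added example, not the patent's implementation: the class and method names, the duration constants, the use of a plain gateway id as the pairing check and the choice to drop a packet on timeout are all assumptions.

```python
from collections import deque


def connection_duration(packet_bytes, user_priority, link_quality):
    """Preset duration in seconds for one short connection (constants are assumed).

    Directions follow the description: larger packet -> longer, higher user
    priority -> shorter, poorer network quality -> longer.
    """
    seconds = 1.0 + packet_bytes / 4096      # assumed: 1 s plus 1 s per 4 KiB
    seconds /= 1 + user_priority             # priority 0 is the lowest
    return seconds / max(link_quality, 0.1)  # quality in (0, 1], 1.0 is best


class FirstGateway:
    """Outer gateway: queues commands and answers inquiries; it never dials out."""

    def __init__(self, paired_second):
        self.paired_second = paired_second   # the one second gateway it serves
        self.pending = deque()               # access command packets awaiting an inquiry
        self.delivered = {}                  # packet id -> data to return to the user
        self.connected_to = None             # peer of the current short connection
        self.rejected = []                   # inquiries from gateways that are not the pair
        self._next_id = 0

    def receive_access_request(self, user, resource, payload=b"", priority=0):
        self._next_id += 1
        self.pending.append({"id": self._next_id, "user": user, "resource": resource,
                             "payload": payload, "priority": priority})
        return self._next_id

    def on_inquiry(self, second_id):
        if second_id != self.paired_second:
            self.rejected.append(second_id)  # worth alerting on in a real deployment
            return None
        if not self.pending:
            return None
        self.connected_to = second_id        # short connection opens here
        return self.pending.popleft()

    def on_data(self, second_id, packet_id, data):
        if self.connected_to != second_id:
            raise PermissionError("data received outside an open short connection")
        self.delivered[packet_id] = data
        self.connected_to = None             # closed as soon as the data has arrived

    def on_disconnect(self, second_id):
        if self.connected_to == second_id:
            self.connected_to = None


class SecondGateway:
    """Inner gateway: the only side that initiates traffic across the boundary."""

    def __init__(self, gateway_id, server, link_quality=1.0):
        self.gateway_id = gateway_id
        self.server = server                 # constructed stand-in: resource -> data
        self.link_quality = link_quality

    def poll(self, first, fetch_seconds=0.0):
        """Send one inquiry; fetch_seconds simulates how long the server took."""
        packet = first.on_inquiry(self.gateway_id)
        if packet is None:
            return "idle"
        limit = connection_duration(len(packet["payload"]), packet["priority"],
                                    self.link_quality)
        if fetch_seconds > limit:
            # Timer expired first. Retry behaviour is not specified in the
            # description; this sketch drops the packet.
            first.on_disconnect(self.gateway_id)
            return "timeout"
        first.on_data(self.gateway_id, packet["id"], self.server.get(packet["resource"]))
        return "delivered"


def demo():
    first = FirstGateway(paired_second="inner-A")
    inner = SecondGateway("inner-A", server={"/report": b"q3-figures"})
    other = SecondGateway("inner-B", server={})
    steps = [inner.poll(first)]                         # nothing queued yet
    first.receive_access_request("alice", "/report")
    steps.append(other.poll(first))                     # wrong pair: gets nothing
    steps.append(inner.poll(first, fetch_seconds=0.2))  # within the 1.0 s limit
    first.receive_access_request("bob", "/report", priority=3)
    steps.append(inner.poll(first, fetch_seconds=0.5))  # limit is 0.25 s
    return steps, first


if __name__ == "__main__":
    print(demo()[0])
```

The `rejected` list shows where a deployment would log inquiries arriving from a second gateway other than the paired one.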
Fig. 4 is a flow chart of another data processing method according to an embodiment of the present application. The data processing method described in the present embodiment includes the steps of:
401: the first target gateway receives the access request and determines an access command packet corresponding to the access request.
402: the second target gateway sends an inquiry request to the first target gateway.
In one implementation, the second target gateway may send the inquiry request to the first target gateway through the network isolation device.
403: if the first target gateway receives the inquiry request sent by the second target gateway, the first target gateway determines the transmission protocol of the network isolation device and determines the protocol-formatted access command packet according to the transmission protocol.
In one implementation, the first target gateway may determine the transmission protocol of the network isolation device, where the network isolation device may include any one of a firewall, a gatekeeper, and a shutter, and different network isolation devices may have different transmission protocols. The first target gateway may adapt to the transmission protocol of the network isolation device without affecting the security protection capabilities of the network isolation device. For example, the transmission protocol may be the Transmission Control Protocol (TCP), the User Datagram Protocol (UDP), or another protocol, which is not limited in this application. The first target gateway therefore needs to determine the transmission protocol of the network isolation device before sending the access command packet to the second target gateway via the network isolation device, so that it can convert the access command packet into a protocol-formatted access command packet according to that transmission protocol.
Optionally, determining the protocol-formatted access command packet may also be implemented in the network isolation device. For example, if the first target gateway receives the inquiry request sent by the second target gateway, the first target gateway sends the access command packet to the network isolation device, and after receiving it, the network isolation device may convert the access command packet into a protocol-formatted access command packet according to its own transmission protocol.
404: the first target gateway sends the protocol-formatted access command packet to the network isolation device.
In one implementation, if the first target gateway has multiple protocol-formatted access command packets, it may send them to the network isolation device according to user access priority. Optionally, the first target gateway may sort the access command packets by user access priority, so that an access command packet corresponding to a high priority is sent to the network isolation device first and an access command packet corresponding to a low priority is sent afterwards. Optionally, the user access priority may be determined according to the historical access rate of the user to the second target gateway through the first target gateway: the higher that historical access rate, the higher the user access priority of the access command packet corresponding to the user. The user access priority may also be determined in other ways, which are not limited in this application.
405: the network isolation device sends the protocol-formatted access command packet to the second target gateway.
In one implementation, after the first target gateway determines the protocol-formatted access command packet, it may send that packet to the network isolation device. After the network isolation device receives the protocol-formatted access command packet, it sends the packet to the second target gateway.
In one implementation, the network isolation device may set a data size for data transmission and send the protocol-formatted access command packet to the second target gateway according to that data size. Specifically, the network isolation device sets a threshold in advance, which is the maximum data amount that the network isolation device can transmit. After receiving the protocol-formatted access command packet sent by the first target gateway, the network isolation device may detect its data size. If the data amount of the access command packet is less than the threshold, the network isolation device may send the access command packet directly to the second target gateway. If the data amount of the access command packet is greater than the threshold, the network isolation device may split the access command packet into a plurality of sub-access command packets and send it to the second target gateway in that form. Optionally, according to the data size of the access command packet, the access command packet may be split into sub-access command packets of equal data size or of unequal data size, as long as the data size of each sub-access command packet is less than or equal to the threshold. The manner in which the access command packet is split into a plurality of sub-access command packets is not limited in this application.
406: the second target gateway receives the protocol-formatted access command packet sent by the network isolation device and acquires the data corresponding to the access command packet according to the access command packet.
In one implementation, the second target gateway may receive an access command packet sent by the network isolation device, where the access command packet is a protocol-formatted access command packet. What the second target gateway receives depends on the data size of the protocol-formatted access command packet. If the data amount of the access command packet is less than or equal to the threshold set by the network isolation device, where the threshold is the maximum data amount that the network isolation device can send, the second target gateway receives one complete access command packet sent by the network isolation device. If the data amount of the access command packet is greater than the threshold set by the network isolation device, the second target gateway receives a plurality of sub-access command packets sent by the network isolation device, and in that case the second target gateway may combine the plurality of sub-access command packets to obtain the complete access command packet.
In one implementation, after the second target gateway receives the protocol-formatted access command packet sent by the network isolation device, the second target gateway may send the access command packet to a server corresponding to the second target gateway. After receiving the access command packet, the server acquires the data corresponding to it and sends that data to the second target gateway, where the data may be sent in the form of a data packet. After receiving the data packet corresponding to the access command packet, the second target gateway can send the data packet to the network isolation device.
407: the second target gateway sends the data corresponding to the access command packet to the network isolation device.
In one implementation, before the second target gateway sends the data packet to the network isolation device, it also needs to determine the transmission protocol of the network isolation device, and the second target gateway may adapt to that transmission protocol without affecting the security protection capability of the network isolation device. After the second target gateway determines the transmission protocol of the network isolation device, it converts the data packet into a protocol-formatted data packet according to the transmission protocol and then sends the protocol-formatted data packet to the network isolation device.
408: the network isolation device sends the data corresponding to the access command packet to the first target gateway.
In one implementation, the network isolation device receives the data corresponding to the access command packet sent by the second target gateway; optionally, this data may be in the form of a data packet. After receiving the protocol-formatted data packet sent by the second target gateway, the network isolation device may send it to the first target gateway. Optionally, after receiving the protocol-formatted data packet, the network isolation device may further detect its data size and send the data packet to the first target gateway according to that data size. If the data amount of the data packet received by the network isolation device is less than or equal to a threshold set by the network isolation device, where the threshold is the maximum data amount that the network isolation device can send, the network isolation device may send the data packet directly to the first target gateway. If the data amount of the data packet is greater than the threshold, the network isolation device may split the data packet into a plurality of sub-data packets. Optionally, according to the data size of the data packet, the data packet may be split into sub-data packets of equal data size or of unequal data size, as long as the data size of each sub-data packet is less than or equal to the threshold. After the network isolation device splits the data packet into a plurality of sub-data packets, the plurality of sub-data packets may be sent to the first target gateway.
409: the first target gateway receives the data corresponding to the access command packet sent by the network isolation device.
In one implementation, the first target gateway may receive the data corresponding to the access command packet sent by the network isolation device, where the data may be sent in the form of a data packet, and the data packet is a protocol-formatted data packet. What the first target gateway receives depends on the data size of the protocol-formatted data packet. If the data amount of the data packet is less than or equal to the threshold set by the network isolation device, the first target gateway receives one complete data packet sent by the network isolation device. If the data amount of the data packet is greater than the threshold set by the network isolation device, the first target gateway receives a plurality of sub-data packets sent by the network isolation device, and in that case the first target gateway may combine the plurality of sub-data packets to obtain the complete data packet.
In one implementation, after receiving the data corresponding to the access command packet sent by the network isolation device, the first target gateway may return the data to the user. After the first target gateway receives the data, it may also disconnect from the second target gateway.
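The splitting at the network isolation device and the merging at the receiving gateway, described above for both the access command packet (steps 405 and 406) and the returned data packet (steps 408 and 409), can be sketched as follows. This is an added example, not the patent's format: the 8-byte fragment header, the limit on incomplete messages and all function names are assumptions, since the description only requires each sub-packet to be no larger than the threshold.

```python
import struct

# Assumed framing (not specified in the description): message id, fragment
# index and fragment count, in network byte order, ahead of each chunk.
HEADER = struct.Struct("!IHH")


def split_packet(message_id, payload, threshold):
    """Return sub-packets whose total size, header included, is <= threshold."""
    room = threshold - HEADER.size
    if room <= 0:
        raise ValueError("threshold leaves no room for payload")
    chunks = [payload[i:i + room] for i in range(0, len(payload), room)] or [b""]
    if len(chunks) > 0xFFFF:
        raise ValueError("payload needs more fragments than the header can count")
    return [HEADER.pack(message_id, i, len(chunks)) + c for i, c in enumerate(chunks)]


class Reassembler:
    """Receiving gateway: merges sub-packets and refuses malformed ones."""

    def __init__(self, threshold, max_open_messages=64):
        self.threshold = threshold
        self.max_open_messages = max_open_messages  # bounds memory held by partial messages
        self.partial = {}                            # message id -> (count, {index: chunk})

    def accept(self, sub_packet):
        """Return the full payload when the last fragment arrives, else None."""
        if not HEADER.size <= len(sub_packet) <= self.threshold:
            raise ValueError("sub-packet size outside what the isolation device allows")
        message_id, index, count = HEADER.unpack_from(sub_packet)
        if count == 0 or index >= count:
            raise ValueError("inconsistent fragment header")
        if message_id not in self.partial and len(self.partial) >= self.max_open_messages:
            raise ValueError("too many incomplete messages")
        expected, chunks = self.partial.setdefault(message_id, (count, {}))
        if expected != count:
            raise ValueError("fragment count changed mid-message")
        if index in chunks:
            raise ValueError("duplicate fragment")
        chunks[index] = sub_packet[HEADER.size:]
        if len(chunks) < count:
            return None
        del self.partial[message_id]
        return b"".join(chunks[i] for i in range(count))


def roundtrip(payload, threshold, message_id=1):
    """Split, deliver in reverse order, and reassemble; returns (fragment count, payload)."""
    fragments = split_packet(message_id, payload, threshold)
    receiver = Reassembler(threshold)
    result = None
    for fragment in reversed(fragments):
        result = receiver.accept(fragment)
    return len(fragments), result


if __name__ == "__main__":
    sample = bytes(range(256)) * 4           # constructed 1024-byte payload
    count, merged = roundtrip(sample, threshold=264)
    print(count, merged == sample)
```

A packet at or under the threshold travels as a single sub-packet with a fragment count of 1, so the receiver handles both cases through the same path.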
The specific implementation of steps S401 and S402 may be referred to the specific description of steps S201 and S202 in the above embodiment, and will not be repeated here.
In this embodiment of the present application, the first target gateway may receive the access request and determine the access command packet corresponding to it. The second gateway corresponding to the first target gateway, i.e. the second target gateway, may send an inquiry request to the first target gateway. If the first target gateway receives the inquiry request sent by the second target gateway, the first target gateway determines the transmission protocol of the network isolation device, determines the protocol-formatted access command packet according to the transmission protocol, and sends the protocol-formatted access command packet to the network isolation device. After receiving the access command packet sent by the first target gateway, the network isolation device may send it to the second target gateway. After the second target gateway receives the access command packet sent by the network isolation device, it can acquire the data corresponding to the access command packet and send that data to the network isolation device. The network isolation device may then receive the data sent by the second target gateway and send it to the first target gateway. After the first target gateway receives the data sent by the network isolation device, the data can be returned to the user. Implementing this method can effectively ensure network security and improve the network protection effect.
Fig. 5 is a schematic structural diagram of a data processing apparatus according to an embodiment of the present application. Optionally, the data processing apparatus may be configured in a gateway device, for example, in the first target gateway. The gateway device, such as the first target gateway, may be deployed in a cloud data system that may include a plurality of first gateways and a plurality of second gateways, where a first gateway and a second gateway establish a unidirectional connection directed from the second gateway to the first gateway. The data processing apparatus described in this embodiment includes:
a determining unit 501, configured to receive an access request from a first target gateway, and determine an access command packet corresponding to the access request, where the first target gateway is one of the plurality of first gateways;
a sending unit 502, configured to send, if the first target gateway receives an inquiry request sent by a second target gateway, the access command packet to the second target gateway, where the second target gateway is a second gateway corresponding to the first target gateway;
a receiving unit 503, configured to receive, by using the first target gateway, data sent by the second target gateway in response to the access command packet.
In one implementation, the cloud data system further comprises a network isolation device; the sending unit 502 is specifically configured to:
the first target gateway determines a transmission protocol of the network isolation device and determines a protocol-formatted access command packet according to the transmission protocol;
and the first target gateway sends the protocol-formatted access command packet to the second target gateway through the network isolation device.
In one implementation manner, the cloud data system further comprises a routing device, and the access request comprises a target identifier, wherein the target identifier is used for indicating a first target gateway corresponding to the access request; the access request is routed by the routing device to the first target gateway according to the target identification.
In one implementation, the apparatus further includes a connection unit 504, specifically configured to:
if the first target gateway receives an inquiry request sent by a second target gateway according to a preset condition, the first target gateway and the second target gateway establish communication connection;
and after the first target gateway receives the data sent by the second target gateway in response to the access command packet, the first target gateway and the second target gateway are disconnected from communication.
Fig. 6 is a schematic structural diagram of another data processing apparatus according to an embodiment of the present application. Optionally, the data processing apparatus may be configured in a gateway device, for example, in the second target gateway. The gateway device, such as the second target gateway, may be deployed in a cloud data system that may include a plurality of first gateways and a plurality of second gateways, where a first gateway and a second gateway establish a unidirectional connection directed from the second gateway to the first gateway. The data processing apparatus described in this embodiment includes:
a sending unit 601, configured to send an inquiry request to a first target gateway by using a second target gateway, where the first target gateway is one of the plurality of first gateways, and the second target gateway is a second gateway corresponding to the first target gateway;
a receiving unit 602, configured to receive, by using the second target gateway, an access command packet sent by the first target gateway;
the sending unit 601 is further configured to obtain, by using the second target gateway according to the access command packet, data corresponding to the access command packet, and send, to the first target gateway, the data corresponding to the access command packet.
In one implementation, the plurality of second gateways send inquiry requests to the corresponding first gateways in a polling manner; the sending unit 601 is specifically configured to:
and when the polling time of the second target gateway arrives, sending an inquiry request to the first target gateway.
In an implementation manner, the apparatus further comprises a connection unit 603, specifically configured to:
the second target gateway establishes communication connection with the first target gateway;
determining connection duration according to the characteristic information corresponding to the access command packet, wherein the characteristic information comprises at least one of the following items: the data size of the access command packet, the priority of the user corresponding to the access command packet and the network transmission quality;
and if the connection duration is up, disconnecting the second target gateway from the first target gateway.
In one implementation, the cloud data system further comprises a network isolation device; the sending unit 601 is specifically configured to:
receive, by using the second target gateway, the access command packet sent by the first target gateway through the network isolation device.
Fig. 7 is a schematic structural diagram of a gateway device according to an embodiment of the present application. The gateway device may be the first target gateway and/or the second target gateway described above, or may perform some or all of the steps performed by the first target gateway and/or the second target gateway described above. The gateway device described in the present embodiment includes: a processor 701, a memory 702 and a network interface 703. Data may be exchanged among the processor 701, the memory 702, and the network interface 703.
The processor 701 may be a central processing unit (Central Processing Unit, CPU), or may be another general-purpose processor, a digital signal processor (Digital Signal Processor, DSP), an application-specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field-programmable gate array (Field-Programmable Gate Array, FPGA) or another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The memory 702 may include read only memory and random access memory and provides program instructions and data to the processor 701. A portion of the memory 702 may also include non-volatile random access memory.
Alternatively, in some embodiments, the gateway device may be the first target gateway, or may perform some or all of the steps performed by the first target gateway. The gateway device, such as the first target gateway, may be deployed in a cloud data system that may include a plurality of first gateways and a plurality of second gateways, where a unidirectional connection from the second gateway to the first gateway is established between the first gateway and the second gateway. For example, the processor 701, when calling the program instructions, is configured to perform:
invoking the network interface 703 to receive an access request, and determining an access command packet corresponding to the access request, where the first target gateway is one of the plurality of first gateways;
if an inquiry request sent by a second target gateway is received, invoking the network interface 703 to send the access command packet to the second target gateway, where the second target gateway is the second gateway corresponding to the first target gateway;
invoking the network interface 703 to receive the data sent by the second target gateway in response to the access command packet.
In one implementation, the processor 701 is specifically configured to:
determine a transmission protocol of the network isolation device, and determine a protocol-processed access command packet according to the transmission protocol;
and send the protocol-processed access command packet to the second target gateway through the network isolation device.
In one implementation manner, the cloud data system further comprises a routing device, and the access request comprises a target identifier, wherein the target identifier is used for indicating a first target gateway corresponding to the access request; the access request is routed by the routing device to the first target gateway according to the target identification.
In one implementation, the processor 701 is further configured to:
establish a communication connection between the first target gateway and the second target gateway if an inquiry request sent by the second target gateway according to a preset condition is received;
and, after the network interface 703 is invoked to receive the data sent by the second target gateway in response to the access command packet, disconnect the communication connection between the first target gateway and the second target gateway.
Alternatively, in some embodiments, the gateway device may be the second target gateway, or may perform some or all of the steps performed by the second target gateway. The gateway device, such as the second target gateway, may be deployed in a cloud data system that may include a plurality of first gateways and a plurality of second gateways, where a unidirectional connection from the second gateway to the first gateway is established between the first gateway and the second gateway. For example, the processor 701, when calling the program instructions, is configured to perform:
invoking the network interface 703 to send an inquiry request to a first target gateway, wherein the first target gateway is one of the plurality of first gateways, and the second target gateway is the second gateway corresponding to the first target gateway;
invoking the network interface 703 to receive an access command packet sent by the first target gateway;
and acquiring data corresponding to the access command packet according to the access command packet, and sending the data corresponding to the access command packet to the first target gateway.
In one implementation, the plurality of second gateways send inquiry requests to the corresponding first gateways in a polling manner; the processor 701 is specifically configured to:
send an inquiry request to the first target gateway when the polling time of the second target gateway arrives.
In one implementation, the processor 701 is further configured to:
determine a connection duration according to characteristic information corresponding to the access command packet, wherein the characteristic information comprises at least one of the following: the data size of the access command packet, the priority of the user corresponding to the access command packet, and the network transmission quality;
and disconnect the second target gateway from the first target gateway when the connection duration expires.
In one implementation, the cloud data system further comprises a network isolation device; the processor 701 is specifically configured to:
invoke the network interface 703 to receive the access command packet sent by the first target gateway through the network isolation device.
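The second-gateway behaviour described above (inquiry at polling time, command packet collected over a connection opened from the isolated side, connection duration derived from packet size, user priority and link quality), combined with the history-weighted polling order recited in the claims, is modelled below as an added Python example that is not part of the patent. All names are hypothetical, and the slot rule, the duration formula and the pairing check in `on_inquiry` are assumptions, since the patent gives no formulas.

```python
from collections import deque

def polling_schedule(history_counts, max_slots=3):
    """Rank second gateways by historical access count; busier ones poll
    earlier and get more slots in one polling period (slot rule is assumed)."""
    ranked = sorted(history_counts, key=lambda g: (-history_counts[g], g))
    top = max(history_counts.values(), default=0) or 1
    slots = {g: max(1, round(max_slots * history_counts[g] / top)) for g in ranked}
    schedule = []
    for rnd in range(max_slots):
        schedule += [g for g in ranked if slots[g] > rnd]
    return schedule

def connection_duration(packet_bytes, user_priority, link_quality,
                        base_s=2.0, cap_s=30.0):
    """Assumed rule: the budget grows with packet size and user priority, is
    stretched on a poor link (link_quality in (0, 1]) and has a hard cap."""
    if not 0 < link_quality <= 1:
        raise ValueError("link_quality must be in (0, 1]")
    return min(cap_s, (base_s + packet_bytes / 65536 + user_priority) / link_quality)

class FirstGateway:
    """First-network side: queues command packets and only answers inquiries."""
    def __init__(self, paired_second_gateway):
        self.paired = paired_second_gateway
        self.pending = deque()   # access command packets awaiting collection
        self.results = []        # data returned by the second gateway

    def accept_access_request(self, command_packet):
        self.pending.append(command_packet)

    def on_inquiry(self, second_gateway_id):
        # Assumed check: only the corresponding second gateway may collect.
        if second_gateway_id != self.paired or not self.pending:
            return None
        return self.pending.popleft()

    def on_response(self, second_gateway_id, data):
        if second_gateway_id == self.paired:
            self.results.append(data)

def poll_once(second_gateway_id, first_gateway, fetch):
    """One short connection opened from the isolated side: inquire, fetch,
    reply. Returns the connection budget in seconds, or None if idle."""
    packet = first_gateway.on_inquiry(second_gateway_id)
    if packet is None:
        return None
    budget = connection_duration(len(packet["cmd"]), packet["priority"],
                                 packet["link_quality"])
    first_gateway.on_response(second_gateway_id, fetch(packet["cmd"]))
    return budget   # the caller disconnects after the reply or at the budget

def run_period(history_counts, first_gateways, fetch):
    """Drive one polling period; returns (second gateway, budget) per slot."""
    return [(gw, poll_once(gw, first_gateways[gw], fetch))
            for gw in polling_schedule(history_counts)]

if __name__ == "__main__":
    # Constructed sample data: three isolated networks and one queued request.
    history = {"gw-a": 90, "gw-b": 30, "gw-c": 5}
    firsts = {g: FirstGateway(g) for g in history}
    firsts["gw-b"].accept_access_request(
        {"cmd": b"GET /report", "priority": 1, "link_quality": 1.0})
    for gw, budget in run_period(history, firsts, lambda cmd: b"data for " + cmd):
        print(gw, "idle" if budget is None else f"served, budget {budget:.2f}s")
    print(firsts["gw-b"].results)
```

The first gateway in this model has no method that reaches into the second network: a queued command packet leaves it only as the reply to an inquiry from its paired second gateway.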
The embodiments of the present application further provide a computer storage medium storing program instructions; when executed, the program may perform some or all of the steps of the data processing method in the embodiment corresponding to Fig. 2 or Fig. 4.
It should be noted that, for simplicity of description, the foregoing method embodiments are all expressed as a series of action combinations, but it should be understood by those skilled in the art that the present application is not limited by the described order of actions, as some steps may be performed in another order or simultaneously according to the present application. Further, those skilled in the art will also appreciate that the embodiments described in the specification are all preferred embodiments, and that the acts and modules referred to are not necessarily required in the present application.
Those of ordinary skill in the art will appreciate that all or part of the steps in the various methods of the above embodiments may be implemented by a program instructing related hardware. The program may be stored in a computer-readable storage medium, and the storage medium may include: a flash disk, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), a magnetic disk, an optical disk, and the like.
Embodiments of the present application also provide a computer program product or computer program that may include computer instructions that may be stored in a computer-readable storage medium. The computer instructions may be read by a processor of a computer device from a computer-readable storage medium and executed by the processor, such that the computer device performs some or all of the steps performed in the embodiments of the methods described above.
The data processing method, gateway device and medium provided in the embodiments of the present application have been described in detail above. Specific examples are used herein to illustrate the principles and implementations of the present application, and the description of the above embodiments is only intended to aid understanding of the method and core idea of the present application. Meanwhile, those skilled in the art may, in accordance with the ideas of the present application, make changes to the specific implementations and the scope of application. In view of the above, the content of this description should not be construed as limiting the present application.

Claims (8)

1. A data processing method, wherein the method is applied to a cloud data system, the cloud data system includes a first network and a plurality of second networks isolated from each other, the first network includes a routing device and a plurality of first gateways, each of the plurality of second networks includes a second gateway, the first gateway and the second gateway have a correspondence, the routing device pre-stores a correspondence between a domain name of the second network and the second gateway and a correspondence between the first gateway and the second gateway, the first gateway and the second gateway establish a unidirectional connection from the second gateway to the first gateway, and the unidirectional connection is a short connection, the method includes:
a first target gateway receives an access request carrying a target identifier and determines an access command packet corresponding to the access request, wherein the target identifier is a domain name of a second network to be accessed, the first target gateway is the first gateway, among the plurality of first gateways, that the routing device determines to correspond to a second target gateway according to the correspondence between the first gateway and the second gateway, the second target gateway is the second gateway that the routing device determines to correspond to the target identifier according to the correspondence between the domain name of the second network and the second gateway, and the access request is routed to the first target gateway by the routing device according to the target identifier;
if the first target gateway receives an inquiry request sent by the second target gateway when the polling time of the second target gateway arrives, the first target gateway sends the access command packet to the second target gateway, wherein the plurality of second gateways send inquiry requests to the corresponding first gateways in a polling manner, and the polling manner comprises: ordering the plurality of second gateways according to the number of times each of the plurality of second gateways has been accessed in its history record, and instructing each second gateway to send the inquiry request to the corresponding first gateway in turn according to the ordering result of the plurality of second gateways; the more times the second target gateway has been accessed in its history record, the earlier the position of the second target gateway in the ordering result of the plurality of second gateways; and/or the more times the second target gateway has been accessed in its history record, the more times the second target gateway appears in one polling period;
the first target gateway receives data sent by the second target gateway in response to the access command packet;
and after the first target gateway receives the data sent by the second target gateway in response to the access command packet, disconnecting the communication connection between the first target gateway and the second target gateway.
2. The method of claim 1, wherein the cloud data system further comprises a network isolation device; the first target gateway sending the access command packet to the second target gateway through the network isolation device comprises:
the first target gateway determines a transmission protocol of the network isolation device and determines a protocol-processed access command packet according to the transmission protocol;
and the first target gateway sends the protocol-processed access command packet to the second target gateway through the network isolation device.
3. The method according to claim 1 or 2, wherein before the first target gateway sends the access command packet to the second target gateway, the method further comprises:
if the first target gateway receives an inquiry request sent by the second target gateway according to a preset condition, the first target gateway establishes a communication connection with the second target gateway.
4. A data processing method, wherein the method is applied to a cloud data system, the cloud data system includes a first network and a plurality of second networks isolated from each other, the first network includes a routing device and a plurality of first gateways, each of the plurality of second networks includes a second gateway, the first gateway and the second gateway have a correspondence, the routing device pre-stores a correspondence between a domain name of the second network and the second gateway and a correspondence between the first gateway and the second gateway, the first gateway and the second gateway establish a unidirectional connection from the second gateway to the first gateway, and the unidirectional connection is a short connection, the method includes:
a second target gateway sends an inquiry request to a first target gateway when a polling time is reached, wherein the first target gateway is one of the plurality of first gateways, and the second target gateway is the second gateway corresponding to the first target gateway; the plurality of second gateways send inquiry requests to the corresponding first gateways in a polling manner, wherein the polling manner comprises: ordering the plurality of second gateways according to the number of times each of the plurality of second gateways has been accessed in its history record, and instructing each second gateway to send the inquiry request to the corresponding first gateway in turn according to the ordering result of the plurality of second gateways; the more times the second target gateway has been accessed in its history record, the earlier the position of the second target gateway in the ordering result of the plurality of second gateways; and/or the more times the second target gateway has been accessed in its history record, the more times the second target gateway appears in one polling period;
the second target gateway receives an access command packet sent by the first target gateway, wherein the access command packet is determined by the first target gateway according to a received access request, the access request is routed to the first target gateway by the routing device according to a target identifier carried in the access request, the target identifier is a domain name of a second network to be accessed, and the routing device determines the second target gateway corresponding to the target identifier according to the correspondence between the domain name of the second network and the second gateway, and determines the first target gateway corresponding to the second target gateway according to the correspondence between the first gateway and the second gateway;
the second target gateway obtains data corresponding to the access command packet according to the access command packet, and sends the data corresponding to the access command packet to the first target gateway;
and after the first target gateway receives the data sent by the second target gateway in response to the access command packet, disconnecting the communication connection between the second target gateway and the first target gateway.
5. The method of claim 4, further comprising, after the second target gateway sends an inquiry request to the first target gateway and before the second target gateway receives the access command packet sent by the first target gateway:
the second target gateway establishes a communication connection with the first target gateway;
after the second target gateway receives the access command packet sent by the first target gateway, the method further comprises:
determining a connection duration according to characteristic information corresponding to the access command packet, wherein the characteristic information comprises at least one of the following: the data size of the access command packet, the priority of the user corresponding to the access command packet, and the network transmission quality;
and disconnecting the second target gateway from the first target gateway when the connection duration expires.
6. The method of claim 4, wherein the cloud data system further comprises a network isolation device; the second target gateway receiving an access command packet sent by the first target gateway comprises:
the second target gateway receives the access command packet sent by the first target gateway through the network isolation device.
7. A gateway device comprising a processor, a memory and a network interface, the processor, the memory and the network interface being interconnected, wherein the memory is adapted to store a computer program comprising program instructions, the processor being configured to invoke the program instructions to perform the method of any of claims 1-6.
8. A computer readable storage medium, characterized in that the computer readable storage medium stores a computer program comprising program instructions which, when executed by a processor, cause the processor to perform the method of any of claims 1-6.
CN202011069915.XA 2020-09-30 2020-09-30 Data processing method, gateway equipment and medium Active CN112202795B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011069915.XA CN112202795B (en) 2020-09-30 2020-09-30 Data processing method, gateway equipment and medium

Publications (2)

Publication Number Publication Date
CN112202795A CN112202795A (en) 2021-01-08
CN112202795B true CN112202795B (en) 2023-07-14

Family

ID=74013028

Country Status (1)

Country Link
CN (1) CN112202795B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114202947B (en) * 2021-12-07 2023-07-25 北京百度网讯科技有限公司 Internet of vehicles data transmission method and device and automatic driving vehicle
CN114726854A (en) * 2021-12-27 2022-07-08 天翼云科技有限公司 Service request processing method and device and cloud service system

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104780215A (en) * 2015-04-21 2015-07-15 广州多益网络科技有限公司 File transfer system and method thereof
CN105208043A (en) * 2015-10-13 2015-12-30 网易(杭州)网络有限公司 Outer network agent module, inner network agent module and data transmitting method and system

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9992083B1 (en) * 2015-09-22 2018-06-05 Amazon Technologies, Inc. System to detect network egress points
CN110365779B (en) * 2019-07-17 2022-04-01 腾讯科技(深圳)有限公司 Communication control method and device, electronic equipment and storage medium
CN110351379B (en) * 2019-07-17 2021-09-03 腾讯科技(深圳)有限公司 Communication control method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant