CN112333162A - Service processing method and device - Google Patents

Service processing method and device

Info

Publication number: CN112333162A
Authority: CN (China)
Prior art keywords: virtual, card, network port, board, virtual network
Legal status: Granted (the legal status shown by Google is an assumption, not a legal conclusion)
Application number: CN202011149505.6A
Other languages: Chinese (zh)
Other versions: CN112333162B (en)
Inventor: 朱学朋
Current assignee: New H3C Security Technologies Co Ltd
Original assignee: New H3C Security Technologies Co Ltd
Priority date: 2020-10-23
Filing date: 2020-10-23
Publication date: 2021-02-05
Current legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application relates to a service processing method and device. The method comprises the following steps: receiving the mirrored packet flow sent to the card board; for each mirrored packet of the flow, looking up the card board virtual network port mapped from the packet's destination MAC address or source MAC address; storing each mirrored packet in the receive queue of the mapped card board virtual network port; and each virtual firewall reading mirrored packets from the receive queue of its associated card board virtual network port, performing bypass service processing, and discarding each mirrored packet once bypass processing is complete.

Description

Service processing method and device
Technical Field
The present application relates to communications technologies, and in particular, to a method and an apparatus for processing a service.
Background
Firewall virtualization means that one physical firewall device is logically divided into multiple virtual firewall devices that share physical resources such as the CPU (central processing unit) and memory; the different virtual firewalls are completely isolated in configuration and forwarding, which allows function customization, individual management and maximal use of resources. A physical device is divided into multiple logical devices by virtualization technology, and each logical device is called a context. Each context has its own exclusive software and hardware resources and operates independently, which improves networking flexibility.
A firewall device can also add a card board to handle special service requirements, such as running an artificial-intelligence algorithm to analyze traffic or running a performance-intensive engine to detect viruses. However, in a network scenario where the firewall device is virtualized into multiple virtual firewalls, the card board of the firewall device cannot tell which virtual firewall the traffic it processes belongs to. As a result, different service configurations cannot be applied to different virtual firewalls on the card board, and the service packets of different virtual firewalls cannot be isolated from one another on the card board.
The firewall device shown in fig. 1 contains a management context and the virtual firewall contexts context1 and context2. The virtual firewalls context1 and context2 perform ARP protocol interaction using the MAC addresses of the virtual network ports 21 and 22 bound to them respectively; the source MAC address of a service packet sent by context1 or context2 is the MAC address of its bound virtual network port 21 or 22, and the destination MAC address of a service packet sent to context1 or context2 is the MAC address of its bound virtual network port 21 or 22. The firewall device receives service packets from the upstream device through its input interface, performs layer-2 forwarding according to the destination MAC address of each service packet, and sends the packet to interface 1 or interface 2 according to that destination MAC address.
In fig. 1, the interface board/switch board also duplicates the service packets sent to the virtual firewalls context1 and context2 and sends the copies to interface 3 as mirrored packets. The card board receives the mirrored packets through its physical network port 30, which is connected to interface 3, performs bypass service processing, sends the bypass processing result to the management context, and then discards the mirrored packets. This bypass processing does not distinguish between virtual firewalls and cannot isolate the service packets of different virtual firewalls from one another.
Disclosure of Invention
The application aims to provide a service processing method and device that provide, on the card board of a firewall device, bypass service processing in which different virtual firewalls are isolated from one another.
To achieve this object, the application provides a service processing method comprising: receiving the mirrored packet flow sent to the card board; for each mirrored packet of the flow, looking up the card board virtual network port mapped from the packet's destination MAC address or source MAC address; storing each mirrored packet in the receive queue of the mapped card board virtual network port; and each virtual firewall reading mirrored packets from the receive queue of its associated card board virtual network port, performing bypass service processing, and discarding each mirrored packet once bypass processing is complete.
To achieve this object, the application further provides a service processing device used as the card board of a firewall device, comprising: a receiving module for receiving the mirrored packet flow sent to the card board; a distribution module for looking up, for each mirrored packet of the flow, the card board virtual network port mapped from the packet's destination MAC address or source MAC address; and a virtual network port driver module for storing each mirrored packet in the receive queue of the mapped card board virtual network port; each virtual firewall reads mirrored packets from the receive queue of its associated card board virtual network port, performs bypass service processing, and discards each mirrored packet once bypass processing is complete.
The beneficial effect of the application is that mirrored packets of different virtual firewalls are isolated from one another on the card board of the firewall device, so that the card board provides bypass service processing that is isolated between different virtual firewalls. This lets the firewall device provide different service processing on the card board according to the kind of bypass service required, and improves the flexibility of the firewall device's bypass service processing.
Drawings
Fig. 1 is a schematic diagram illustrating a state of a conventional firewall card board processing a packet;
fig. 2 is a flowchart illustrating a service processing method provided in the present application;
fig. 3 is a schematic diagram of a service processing device provided in the present application.
Detailed Description
A detailed description will be given of a number of examples shown in a number of figures. In the following detailed description, numerous specific details are set forth in order to provide a thorough understanding of the present application. Well-known methods, procedures, components and circuits have not been described in detail so as not to obscure the examples.
The term "including" as that term is used is meant to include, but is not limited to; the term "comprising" means including but not limited to; the terms "above," "within," and "below" include the instant numbers; the terms "greater than" and "less than" mean that the number is not included. The term "based on" means based on at least a portion thereof.
Fig. 2 is a flowchart illustrating a service processing method provided in the present application; the method comprises the following steps:
step 201, receiving the mirrored packet flow sent to the card board;
step 202, looking up, for each mirrored packet of the flow, the card board virtual network port mapped from the packet's destination MAC address or source MAC address;
step 203, storing each mirrored packet in the receive queue of the mapped card board virtual network port;
step 204, each virtual firewall reading mirrored packets from the receive queue of its associated card board virtual network port and performing bypass service processing;
step 205, each virtual firewall discarding each mirrored packet once bypass processing is complete.
The method shown in fig. 2 has the beneficial effect that mirrored packets of different virtual firewalls are isolated on the card board of the firewall device, so the card board provides bypass service processing that is isolated between different virtual firewalls.
Fig. 3 is a schematic diagram of a service processing device 40 provided in the application; the service processing device 40 can be used as the card board of a firewall device. The service processing device 40 comprises a processor (CPU) 41, a memory 42 and a transceiver module 43.
The memory 42 stores processor-executable instructions; by executing them, the processor 41 implements a virtual network port driver module 421, a configuration management module 422 and a distribution module 423.
The virtual network port driver module 421 generates the virtual network ports 31, 32 and 33 of the card board 40 and associates them with the virtual firewall context1, the virtual firewall context2 and the management context respectively.
The configuration management module 422 obtains, from the configuration information synchronized by the management context of the firewall, the association between the virtual firewall context1 and the virtual network port 21 and the association between the virtual firewall context2 and the virtual network port 22; obtains the MAC address MAC21 of the virtual network port 21 and the MAC address MAC22 of the virtual network port 22; and obtains from the virtual network port driver module 421 the association between the virtual firewall context1 and the virtual network port 31 and the association between the virtual firewall context2 and the virtual network port 32.
From these, the configuration management module 422 generates the card board virtual network port address mapping, which records that the MAC address MAC21 of the virtual network port 21 maps to the virtual network port 31 and that the MAC address MAC22 of the virtual network port 22 maps to the virtual network port 32, and sends the generated mapping to the distribution module 423. The receiving module 43 receives the mirrored packet flow from the physical network port 30 of the card board 40. The receiving module 43 may be a physical network card; it buffers each mirrored packet read from the physical network port 30 and hands each one to the distribution module 423 through DPDK (Data Plane Development Kit), libpcap (packet capture library) or a similar mechanism.
The distribution module 423 looks up the card board virtual network port address mapping using the destination MAC address or the source MAC address of each mirrored packet of the flow. This works because the source MAC address of a packet sent by the virtual firewall context1 or context2 on the firewall board is the MAC address of the virtual network port 21 or 22 respectively, and the destination MAC address of a packet sent by the upstream device to the virtual firewall context1 or context2 on the firewall board is likewise the MAC address of the virtual network port 21 or 22.
By looking up the card board virtual network port address mapping, the distribution module 423 thus determines the virtual network port 31 or 32 of the virtual firewall context1 or context2 on the card board 40.
Through the interface provided by the virtual network port driver module 421, the distribution module 423 writes each mirrored packet into the receive queue of the virtual network port 31 or 32 in the virtual network port driver module 421.
The virtual network port driver module 421 may notify the virtual firewall context1 or context2 on the card board 40 that a packet has arrived by triggering a soft interrupt. In this way the virtual firewalls context1 and context2 receive their respective mirrored packets through the virtual network ports 31 and 32 respectively.
On the card board 40, the virtual firewall context1 or context2 reads the mirrored packets from the receive queue of its associated virtual network port 31 or 32, performs bypass service processing, and discards each mirrored packet once bypass processing is complete; the virtual firewall context1 or context2 may also record the result of the bypass service processing in its own local bypass service log on the card board 40.
The distribution module 423 may also find that the source MAC address or destination MAC address of a received mirrored packet has no corresponding virtual network port 31 or 32 in the generated card board virtual network port address mapping.
In that case the virtual network port driver module 421 stores each mirrored packet that is not mapped to a card board virtual network port in the receive queue of the virtual network port 33, i.e. the receive queue of the card board management virtual network port. As before, the distribution module 423 writes each mirrored packet for which no mapping was found into the receive queue of the virtual network port 33 through the interface provided by the virtual network port driver module 421.
The virtual network port driver module 421 may notify the management context on the card board 40 that a packet has arrived by triggering a soft interrupt. The management context on the card board 40 receives the mirrored packet through the virtual network port 33.
On the card board 40, the management context reads each stored mirrored packet from the receive queue of its associated virtual network port 33, performs bypass processing, and discards each mirrored packet in the management virtual network port's receive queue once its bypass processing is complete. The management context records the result of the bypass service processing in the local management context bypass service log on the card board 40.
On the card board 40, the virtual firewalls context1 and context2 each synchronize their local bypass service logs stored on the card board 40 to the service log of the respective virtual firewall on the firewall board; the management context likewise synchronizes its bypass service log stored on the card board 40 to the service log of the management context on the firewall board.
The method and device can thus support multi-tenant virtualization in the scenario where the firewall device processes bypass mirrored packet traffic: the card board of the firewall device isolates the mirrored packets of different tenants' virtual firewalls from one another, and the flexibility of the firewall device's bypass service processing is improved.
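The distribution and fallback behaviour described in steps 201 to 205 and in the management-port handling above, as an added example that is not code from the patent or from New H3C: a small Python model of the card board in which constructed Ethernet frames are routed by destination or source MAC address into per-context receive queues, frames with no mapping go to the management port, and each context processes, logs and discards only its own packets. The MAC addresses, the representation of virtual ports as the integers 31, 32 and 33, and all class and function names are assumptions made for the example.

```python
"""Added example (not the patent's or New H3C's code): MAC-address-based
distribution of mirrored frames into per-context receive queues on a card board."""
import struct
from collections import deque

# Ethernet header: destination MAC, source MAC, EtherType (network byte order)
ETH_HDR = struct.Struct("!6s6sH")


def mac_bytes(text: str) -> bytes:
    """Parse a colon-separated MAC string into its 6 raw bytes."""
    return bytes(int(octet, 16) for octet in text.split(":"))


def build_frame(dst: str, src: str, payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4-typed Ethernet frame for the demo (constructed data)."""
    return ETH_HDR.pack(mac_bytes(dst), mac_bytes(src), 0x0800) + payload


class CardBoard:
    """Model of card board 40: virtual ports 31/32 for context1/context2, port 33 for
    the management context (numbers follow the patent; the code is an assumption)."""

    def __init__(self, contexts: dict, mgmt_port: int):
        # contexts: {context name: (MAC of its firewall-board virtual port, card-board vport)}
        # Configuration management module 422: build the card board vport address mapping.
        self.mac_to_vport = {mac_bytes(mac): vport for mac, vport in contexts.values()}
        self.vport_to_context = {vport: name for name, (_, vport) in contexts.items()}
        self.vport_to_context[mgmt_port] = "management"
        self.mgmt_port = mgmt_port
        # Virtual network port driver module 421: one receive queue per virtual port.
        self.rx_queues = {vport: deque() for vport in self.vport_to_context}
        # Per-context local bypass service logs kept on the card board.
        self.local_logs = {name: [] for name in self.vport_to_context.values()}

    def distribute(self, frame: bytes) -> int:
        """Distribution module 423: map dst MAC, else src MAC, else the management port."""
        if len(frame) < ETH_HDR.size:
            raise ValueError("truncated Ethernet header")
        dst, src, _ethertype = ETH_HDR.unpack_from(frame)
        vport = self.mac_to_vport.get(dst)
        if vport is None:
            vport = self.mac_to_vport.get(src)
        if vport is None:
            vport = self.mgmt_port          # no mapping: the management context handles it
        self.rx_queues[vport].append(frame)
        return vport

    def bypass_process(self, vport: int, inspect) -> int:
        """A context drains only its own queue, runs bypass processing, logs, discards."""
        name = self.vport_to_context[vport]
        queue = self.rx_queues[vport]
        processed = 0
        while queue:
            frame = queue.popleft()         # discarded once bypass processing is done
            self.local_logs[name].append(inspect(name, frame))
            processed += 1
        return processed

    def sync_logs(self) -> dict:
        """Synchronise each context's local log to the firewall board and clear it."""
        synced = {name: list(entries) for name, entries in self.local_logs.items()}
        for entries in self.local_logs.values():
            entries.clear()
        return synced


# Constructed addresses for the demo; MAC21/MAC22 stand in for the MACs of ports 21/22.
MAC21 = "02:00:00:00:00:21"
MAC22 = "02:00:00:00:00:22"
UPSTREAM = "02:00:00:00:00:aa"
UNKNOWN = "02:00:00:00:00:99"


def demo():
    board = CardBoard({"context1": (MAC21, 31), "context2": (MAC22, 32)}, mgmt_port=33)
    frames = [
        build_frame(MAC21, UPSTREAM, b"to-ctx1"),      # dst MAC maps to vport 31
        build_frame(UPSTREAM, MAC22, b"from-ctx2"),    # src MAC maps to vport 32
        build_frame(UPSTREAM, UNKNOWN, b"unknown"),    # no mapping: vport 33
    ]
    routed = [board.distribute(f) for f in frames]
    counts = {vp: board.bypass_process(vp, lambda name, fr: f"{name}:{len(fr)}")
              for vp in (31, 32, 33)}
    return routed, counts, board.sync_logs()


if __name__ == "__main__":
    print(demo())
```

The isolation property the patent claims is visible in the queues: a context can only ever pop frames from the queue its own virtual port owns, so a frame addressed to context2 is never presented to context1, and anything whose MAC the mapping does not know is routed to the management context rather than to a guessed tenant.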
The present invention is not intended to be limited to the particular embodiments shown and described, but is to be accorded the widest scope consistent with the principles and novel features herein disclosed.

Claims (10)

1. A method for processing a service, the method comprising:
receiving the mirrored packet flow sent to the card board;
looking up, for each mirrored packet of the flow, the card board virtual network port mapped from the packet's destination MAC address or source MAC address;
storing the mirrored packets in the receive queue of the mapped card board virtual network port;
and each virtual firewall reading mirrored packets from the receive queue of its associated card board virtual network port to perform bypass service processing, and discarding each mirrored packet once bypass processing is complete.
2. The method of claim 1, further comprising:
storing each mirrored packet that is not mapped to a card board virtual network port in the receive queue of the card board management virtual network port;
and the management virtual firewall reading the stored mirrored packets from the receive queue of its associated card board management virtual network port to perform bypass processing, and discarding the mirrored packets whose bypass processing is complete from the receive queue of the card board management virtual network port.
3. The method of claim 1, further comprising:
synchronizing the bypass service log of each virtual firewall stored on the card board to the service log of that virtual firewall on the firewall board;
and synchronizing the bypass service log of the management virtual firewall stored on the card board to the service log of the management virtual firewall on the firewall board.
4. The method of claim 3, wherein, before receiving the mirrored packet flow sent to the card board, the method further comprises:
generating on the card board each card board virtual network port associated with each virtual firewall of the firewall board, and the card board management virtual network port associated with the management virtual firewall;
obtaining the association between each virtual firewall on the firewall board and each virtual network port of the firewall board;
obtaining the MAC address of each virtual network port of the firewall board;
obtaining the association between each virtual firewall and each card board virtual network port;
and generating a card board virtual network port address mapping that records the association between the MAC address of the firewall board virtual network port associated with each virtual firewall and the card board virtual network port associated with that virtual firewall.
5. The method of claim 1, wherein looking up the card board virtual network port mapped from the destination MAC address or source MAC address of each mirrored packet of the flow means looking up the card board virtual network port address mapping by the destination MAC address or source MAC address of each mirrored packet of the flow to obtain the mapped card board virtual network port.
6. A service processing device used as the card board of a firewall device, the device comprising:
a receiving module for receiving the mirrored packet flow sent to the card board;
a distribution module for looking up, for each mirrored packet of the flow, the card board virtual network port mapped from the packet's destination MAC address or source MAC address;
a virtual network port driver module for storing the mirrored packets in the receive queue of the mapped card board virtual network port; and each virtual firewall reads mirrored packets from the receive queue of its associated card board virtual network port to perform bypass service processing, and discards each mirrored packet once bypass processing is complete.
7. The device of claim 6, wherein:
the distribution module is further for determining the mirrored packets for which no mapped card board virtual network port is found;
the virtual network port driver module is further for storing each mirrored packet that is not mapped to a card board virtual network port in the receive queue of the card board management virtual network port;
and the management virtual firewall is for reading the stored mirrored packets from the receive queue of its associated card board management virtual network port to perform bypass processing, and discarding the mirrored packets whose bypass processing is complete from the receive queue of the card board management virtual network port.
8. The device of claim 6, wherein:
each virtual firewall synchronizes its bypass service log stored on the card board to the service log of that virtual firewall on the firewall board;
and the management virtual firewall synchronizes its bypass service log stored on the card board to the service log of the management virtual firewall on the firewall board.
9. The device of claim 8, further comprising a configuration management module, wherein:
the virtual network port driver module is for generating on the card board each card board virtual network port associated with each virtual firewall of the firewall board, and the card board management virtual network port associated with the management virtual firewall;
the configuration management module is for obtaining the association between each virtual firewall on the firewall board and each virtual network port of the firewall board; obtaining the MAC address of each virtual network port of the firewall board; obtaining the association between each virtual firewall and each card board virtual network port; generating the card board virtual network port address mapping; and sending the generated card board virtual network port address mapping to the distribution module; the card board virtual network port address mapping records the association between the MAC address of the firewall board virtual network port associated with each virtual firewall and the card board virtual network port associated with that virtual firewall.
10. The device of claim 9, wherein the distribution module looks up the card board virtual network port address mapping by the destination MAC address or source MAC address of each mirrored packet of the flow to obtain the mapped card board virtual network port.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011149505.6A CN112333162B (en) 2020-10-23 2020-10-23 Service processing method and equipment

Publications (2)

Publication Number Publication Date
CN112333162A true CN112333162A (en) 2021-02-05
CN112333162B CN112333162B (en) 2022-05-24

Family

ID=74312022

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011149505.6A Active CN112333162B (en) 2020-10-23 2020-10-23 Service processing method and equipment

Country Status (1)

Country Link
CN (1) CN112333162B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113794640A (en) * 2021-08-20 2021-12-14 新华三信息安全技术有限公司 Message processing method, device, equipment and machine readable storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070261110A1 (en) * 2006-05-02 2007-11-08 Cisco Technology, Inc., A California Corporation Packet firewalls of particular use in packet switching devices
CN101651680A (en) * 2009-09-14 2010-02-17 杭州华三通信技术有限公司 Network safety allocating method and network safety device
CN103533096A (en) * 2013-10-09 2014-01-22 杭州华三通信技术有限公司 Binding method and device of network card interface
CN109831390A (en) * 2019-01-21 2019-05-31 新华三云计算技术有限公司 Message transmission control method and device
US20190289033A1 (en) * 2018-03-19 2019-09-19 Fortinet, Inc. Mitigating effects of flooding attacks on a forwarding database

Also Published As

Publication number Publication date
CN112333162B (en) 2022-05-24

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant