CN114401218B - Bypass forwarding method and device for data message - Google Patents
- Publication number: CN114401218B (application CN202111620330.7A)
- Authority: CN (China)
- Prior art keywords: network card, address, memory space, data message, queue
- Legal status: Active
Classifications (all under H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION)
- H04L45/24: Multipath (H04L45/00, Routing or path finding of packets in data switching networks)
- H04L12/02: Details (H04L12/00, Data switching networks)
- H04L45/28: Routing or path finding of packets in data switching networks using route fault recovery
- H04L63/00: Network architectures or network communication protocols for network security
Abstract
The application discloses a bypass forwarding method and device for a data message, used to solve the problem that, when the software of a network security device is upgraded or its security processing logic is abnormal, forwarding through the network card is inflexible, or CPU (Central Processing Unit) resources are occupied when forwarding is done in software. The method comprises the following steps: controlling the DMA controller to acquire the data message received by the second network card according to the address of the second receiving queue of the second network card, and sending that data message out through the first network card; and controlling the DMA controller to acquire the data message received by the first network card according to the address of the first receiving queue of the first network card, and sending that data message out through the second network card.
Description
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to a bypass forwarding method and apparatus for a data packet.
Background
Network security devices are typically deployed between two or more networks, such as an intranet and an extranet. An application within the network security device analyzes the packets passing through it to determine whether a threat exists. The device has a "virtual line" mode that reduces intrusion into the customer network: in this mode the device behaves like a network line and transmits according to a pre-configured network card mapping, e.g., it receives packets on one port and sends them directly out of the other. When the network security device fails, for example during a software upgrade or when its security processing logic is abnormal, all networks connected to the device lose contact with each other. If communication between the networks must be preserved at that point, bypass mode has to be started; once started, the networks connected to the device are connected directly to each other and the device no longer processes their packets. The bypass functions supported by current network cards mainly use a relay or a software method. The relay-based method is fixed before the network card leaves the factory and cannot forward between other network cards, so its forwarding is inflexible. Software-based forwarding occupies the CPU, and when the program logic has a problem the CPU resources are consumed by the abnormal program, so forwarding efficiency is low and packets are lost.
Disclosure of Invention
Embodiments of the application provide a bypass forwarding method and device for a data message, used to solve the problem that, when the software of a network security device is upgraded or its security processing logic is abnormal, forwarding through a network card is inflexible, or CPU usage is high when forwarding is done in software.
In a first aspect, an embodiment of the present application provides a bypass forwarding method for a data packet, including:
when the software of the network security device is being upgraded or its security processing logic is abnormal, controlling the DMA controller to acquire, according to the address of the second receiving queue of the second network card, a data message received by the second network card, and sending that data message out through the first network card; and controlling the DMA controller to acquire, according to the address of the first receiving queue of the first network card, a data message received by the first network card from the first receiving queue, and sending that data message out through the second network card.
Based on this scheme, a data message received by the second network card can be sent out from the first network card, and a data message received by the first network card can be sent out from the second network card, so data messages continue to be forwarded while the software of the network security device is upgraded or its security processing logic is abnormal. Because only the address from which the DMA controller acquires the data message to be sent is changed, no processing resources are needed to control the forwarding, and processing speed can be improved. In addition, when the network security device contains several network cards, the method can select which network card to forward from as required, which improves configuration flexibility compared with the relay approach.
In a possible implementation manner, controlling the DMA controller to obtain the data packet received by the second network card according to the address of the second receive queue of the second network card includes: updating the address from which the DMA controller acquires the data message to be transmitted through the first network card, from the address of the first transmission queue to the address of the second receiving queue. The address of the first memory space is stored in the memory space indicated by the address of the first transmission queue, and the first memory space is used for storing the data message to be transmitted by the first network card; the address of the second memory space is stored in the memory space indicated by the address of the second receiving queue, and the second memory space is used for storing the data message received by the second network card.
Based on this scheme, the DMA controller is controlled to send the data message held in the second receiving queue out from the first network card, and the received data is not processed as packets by the network security device, so bypass forwarding of the data message is realized and processing efficiency can be improved.
In a possible implementation manner, first indication information is further stored in the memory space indicated by the address of the first sending queue, where the first indication information is used to indicate whether the first memory space contains a data packet to be sent, so that when the DMA controller determines from the first indication information that the first memory space contains a data packet to be sent, it obtains that data packet from the first memory space. The first memory space comprises a plurality of first subspaces, and different first subspaces are used for storing different data messages to be sent. The first indication information comprises a plurality of identifiers, in one-to-one correspondence with the first subspaces; each identifier indicates whether the corresponding first subspace stores a data message to be transmitted.
After the network card receives a data message, it determines, according to the first indication information, a first subspace whose storage state is empty from among the plurality of first subspaces, stores the data message in that first subspace, and sets the storage state of that first subspace to indicate that a data message is stored.
Based on this scheme, the memory space indicated by the address of the first sending queue stores indication information, so the subspace with an empty storage state can be determined quickly from that information and the received data message stored there, without traversing the subspaces to find a free one, which improves storage efficiency.
In a possible implementation manner, the method further includes: when the network security device is not executing a software upgrade, its security processing logic is normal, and the indication information of the first memory space indicates that the first memory space contains a data message to be sent, controlling the DMA controller to acquire the data message to be sent from the first memory space according to the address of the first sending queue, and sending the data to be sent from the first memory space through the first network card.
Based on this scheme, when the network security device is not executing a software upgrade and its security processing logic is normal, the device is switched back to the normal state, and the DMA controller is controlled to acquire the data message to be transmitted from the first memory space according to the address of the first transmission queue and transmit it through the first network card, so the switch back is simple and effective.
In a possible implementation manner, controlling the DMA controller to obtain a data packet received by the first network card according to the address of the first receive queue of the first network card includes: updating the address from which the DMA controller acquires the data message to be transmitted through the second network card, from the address of the second transmission queue to the address of the first receiving queue. The address of a third memory space is stored in the memory space indicated by the address of the first receiving queue, and the third memory space is used for storing the data message received by the first network card; the address of a fourth memory space is stored in the memory space indicated by the address of the second transmission queue, and the fourth memory space is used for storing the data message to be transmitted by the second network card.
Based on this scheme, the DMA controller is controlled to send the data message held in the first receiving queue out through the second network card, and the received data is not processed as packets by the network security device, so bypass forwarding of the data message is realized and processing efficiency can be improved.
In a possible implementation manner, the memory space indicated by the address of the second transmit queue further stores second indication information, where the second indication information is used to indicate whether the fourth memory space contains a data packet to be transmitted.
Based on the above scheme, the memory space indicated by the address of the second transmit queue stores indication information, and whether a received data packet is to be stored in the subspace corresponding to that indication information can be determined from it.
In a possible implementation manner, the method further includes: when the network security device is not executing a software upgrade, its security processing logic is normal, and the second indication information indicates that the fourth memory space contains a data message to be sent, controlling the DMA controller to acquire the data message to be sent from the fourth memory space according to the address of the second sending queue, and sending the data message to be sent in the fourth memory space through the second network card.
Based on the above scheme, when the network security device is not executing a software upgrade and its security processing logic is normal, the device is switched back to the normal state, and the DMA controller obtains the data message to be sent from the fourth memory space according to the address of the second transmission queue and sends it through the second network card.
In a second aspect, an embodiment of the present application provides a network security device, including a processor, a DMA controller, a first network card, and a second network card;
the processor is used for controlling the DMA controller to acquire the data message received by the second network card according to the address of the second receiving queue of the second network card when the software of the network security device is upgraded or its security processing logic is abnormal;
the first network card is used for sending the data message received by the second network card and acquired by the DMA controller;
the processor is further configured to control the DMA controller to obtain a data packet received by the first network card according to an address of a first receiving queue of the first network card;
the second network card is configured to send the data packet received by the first network card and acquired by the DMA controller.
In a possible implementation manner, the processor is specifically configured to: updating the address of the DMA controller, which is used for acquiring the data message to be transmitted through the first network card, from the address of a first transmission queue to the address of the second receiving queue; the address of a first memory space is stored in a memory space indicated by the address of the first transmission queue, and the first memory space is used for storing a data message to be transmitted by the first network card; and storing the address of a second memory space in the memory space indicated by the address of the second receiving queue, wherein the second memory space is used for storing the data message received by the second network card.
In a possible implementation manner, the memory space indicated by the address of the first transmit queue further stores first indication information, where the first indication information is used to indicate whether the first memory space includes a data packet to be transmitted.
In a possible implementation, the processor is further configured to: and when the network security equipment does not execute software upgrading and the security processing logic is normal and the first indication information indicates that the first memory space contains the data message to be sent, controlling the DMA controller to acquire the data message to be sent from the first memory space according to the address of the first sending queue and sending the data message through the first network card.
In a possible implementation manner, the processor is specifically configured to: and updating the address of the DMA controller, which is used for acquiring the data message to be transmitted through the second network card, from the address of the second transmission queue to the address of the first receiving queue. The address of a third memory space is stored in the memory space indicated by the address of the first receiving queue, and the third memory space is used for storing the data message received by the first network card; and storing an address of a fourth memory space in a memory space indicated by the address of the second transmission queue, wherein the fourth memory space is used for storing a data message to be transmitted by the second network card.
In a possible implementation manner, the memory space indicated by the address of the second transmit queue further stores second indication information, where the second indication information is used to indicate whether the fourth memory space contains a data packet to be transmitted.
In a possible implementation, the processor is further configured to: and when the network security equipment does not execute software upgrading and the security processing logic is normal and the second indication information indicates that the fourth memory space contains the data message to be sent, controlling the DMA controller to acquire the data message to be sent from the fourth memory space according to the address of the second transmission queue, and sending the data message to be sent in the fourth memory space through the second network card.
In a third aspect, an embodiment of the present application provides a bypass forwarding device for a data packet, including a memory and a processor.
The memory is used for storing program instructions;
the processor is configured to call the program instruction stored in the memory, and execute the method according to the first aspect and the different implementation manners of the first aspect according to the obtained program.
In a fourth aspect, embodiments of the present application provide a computer-readable storage medium storing computer instructions that, when executed on a computer, cause the computer to perform the method of the first aspect and the different implementation manners of the first aspect.
In addition, for the technical effects of any implementation manner of the second to fourth aspects, reference may be made to the technical effects of the first aspect and its different implementation manners, which are not repeated here.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, and it is obvious that the drawings in the following description are some embodiments of the present application, and other drawings may be obtained according to these drawings without inventive effort to a person skilled in the art.
FIG. 1 is a schematic diagram of a method for processing data by a network security device;
FIG. 2 is a schematic diagram of a method of implementing bypass using a relay;
FIG. 3 is a schematic flow chart of a bypass forwarding method for a data packet according to an embodiment of the present application;
FIG. 4 is a schematic diagram of a queue structure according to an embodiment of the present application;
FIG. 5 is a schematic diagram of bypass forwarding of a data packet according to an embodiment of the present application;
FIG. 6 is a schematic diagram of the storage state of a data packet according to an embodiment of the present application;
FIG. 7 is a schematic diagram of a network card queue in the normal state according to an embodiment of the present application;
FIG. 8 is a schematic diagram of a network security device according to an embodiment of the present application;
FIG. 9 is a schematic diagram of a bypass forwarding device for a data packet according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. The components of the embodiments of the present application, which are generally described and illustrated in the figures herein, may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present application, as provided in the accompanying drawings, is not intended to limit the scope of the application, as claimed, but is merely representative of selected embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present application without making any inventive effort, are intended to be within the scope of the present application.
It is noted that relational terms such as "first" and "second", and the like, are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
Network security devices are deployed between two or more networks to connect different networks. An application program in the network security device analyzes the packets passing through it and, after processing, forwards them according to certain routing rules. When the network security device fails, for example after a power outage or a crash, the connection between the different networks attached to it is broken. Therefore, when the network security device fails, the network card needs to support a bypass function, that is, the two networks can be connected directly and physically, triggered by a specific state, without passing through the system of the network security device; at that time the application software in the device does not process the packets in the network, see fig. 1.
The bypass method can be implemented at the hardware level or the software level. At the hardware level, bypass is implemented mainly with relays. A relay is connected to each of the two bypass ports; one of the two ports is used here to explain how the relay works, as shown in fig. 2. Taking a power trigger as an example: when power is off, the switch in the relay jumps to position 1, so that Rx on the RJ45 interface of LAN1 is connected directly to Tx on the RJ45 interface of LAN2; when the device is powered on, the switch connects to position 2, so that communication between the networks on LAN1 and LAN2 must then be carried out by the application program on the device. At the software level, bypass can be controlled and triggered through a General-Purpose Input/Output (GPIO) interface: by operating the GPIO, the relay on the hardware is made to jump accordingly. When the GPIO is set high, the relay jumps to position 1; when the GPIO is set low, the relay jumps to position 2. However, with the relay method the bypass is fixed before the device leaves the factory, that is, the network connection between the network cards is determined by the relay wiring, so forwarding between other network cards cannot be realized and the relay method has certain limitations. Software-based message forwarding, meanwhile, occupies a CPU process, so CPU usage becomes high and the processing speed of the CPU is affected.
The application provides a bypass forwarding method and device for a data message: when the software of the network security device is upgraded or its security processing logic is abnormal, the sending address of a network card is reconfigured, the data message is obtained directly from the memory pointed to by that sending address, and the data message is then sent out. The method does not need a relay to forward messages between network cards, so the configuration of the network ports is more flexible, the CPU is not occupied during processing, and processing speed is improved.
The embodiment of the application provides a bypass forwarding method based on a data message, as shown in fig. 3, the method can be executed by a processor or a processing module in network security equipment. The specific flow is as follows:
301, when the network security equipment software is upgraded or the security processing logic is abnormal, controlling the DMA controller to acquire a data message received by the second network card according to the address of the second receiving queue of the second network card, and sending the data message through the first network card. In order to facilitate distinguishing from the receiving queue of the first network card, in this embodiment of the present application, the receiving queue of the first network card is referred to as a first receiving queue, and the receiving queue of the second network card is referred to as a second receiving queue.
In some embodiments, the DMA controller may be controlled to obtain the data packet received by the second network card according to the address of the second receiving queue of the second network card, and send the data packet out through the first network card, which is understood as updating the address of the DMA controller for obtaining the data packet to be sent through the first network card from the address of the first sending queue to the address of the second receiving queue. The DMA controller acquires the data message received by the second network card from the second receiving queue and sends the data message out through the first network card. The method comprises the steps that an address of a first memory space is stored in a memory space indicated by an address of a first sending queue, and the first memory space is used for storing a data message to be sent by a first network card; and storing the address of a second memory space in the memory space indicated by the address of the second receiving queue, wherein the second memory space is used for storing the data message received by the second network card. In some embodiments, when the DMA controller obtains the data packet received by the second network card from the second receive queue, the following manner may be implemented: the DMA controller determines the memory space of the data message received by the second network card from the second receiving queue, and then reads the data message received by the second network card from the determined memory space.
In some embodiments, for convenience of description, the first network card is referred to as network card 1 and the second network card as network card 2. When the software of the network security device is being upgraded or the security processing logic is abnormal, the address of the second receiving queue of network card 2 can be obtained through the GET_DMA_ADDR function; for convenience of explanation, the second receiving queue is denoted RX2_BD_ARRAY. The transmit address of network card 1 may then be modified, through the SET_DMA_ADDR function, from the address of the transmit queue of network card 1 to the address of the receive queue of network card 2. The transmit queue of network card 1 is denoted TX1_BD_ARRAY and the receive queue of network card 2 is denoted RX2_BD_ARRAY; for example, the transmit address of network card 1 may be modified from the TX1_BD_ARRAY address to the RX2_BD_ARRAY address by SET_DMA_ADDR. After this modification, the DMA controller obtains the data packet to be sent from the second memory space indicated by the address of the receive queue of network card 2 (i.e. the address of RX2_BD_ARRAY) and sends it out through network card 1. Specifically, after network card 2 receives message data, the DMA controller stores the received data into the receive queue of network card 2 (RX2_BD_ARRAY). When the DMA controller then detects that the transmit queue of network card 1 (i.e. the receive queue of network card 2) contains a data packet to be transmitted, it acquires the packet from the memory space indicated by the space address information in the receive queue of network card 2 and sends it out through network card 1, as shown in fig. 5.
In some embodiments, the memory space indicated by the address of the first transmit queue further stores first indication information, where the first indication information is used to indicate whether the first memory space includes a data packet to be transmitted. The first memory space comprises a plurality of first subspaces, and different subspaces are used for storing different data messages to be sent. Similarly, the memory space indicated by the address of the second receive queue also stores indication information, where the indication information is used to indicate whether the second memory space contains a received data packet, so that when the first network card determines that the second memory space contains the received data packet according to the indication information in the memory space indicated by the address of the second receive queue, the first network card obtains the received data packet from the second memory space and sends the received data packet.
In some embodiments, the second memory space includes a plurality of subspaces, different subspaces being used to store different received data messages. The first indication information comprises a plurality of identifiers, in one-to-one correspondence with the subspaces; each identifier indicates whether the corresponding subspace stores a data message to be sent. The receive queue and the transmit queue may each include a plurality of elements, each of which stores storage state information and memory space address information, as shown in fig. 4. In some embodiments, each element of the receive queue or transmit queue is referred to as a packet description array. In fig. 4, status represents the storage state information and address represents the subspace address information. For example, message description array 1 includes status1 and address1; address1 is the address of subspace 1 (pkt_buff1), and status1 indicates whether subspace 1, pointed to by address1, stores a data message.
In some embodiments, when the second network card receives a data packet, it determines a subspace whose storage state is empty from among the multiple subspaces according to the indication information in the memory space indicated by the address of the second receiving queue, stores the data packet in that subspace, and updates the storage state of the subspace to indicate that a data packet is stored. For example, RX2_BD_ARRAY represents the receive queue of network card 2 and is used to store the data packets received by network card 2. RX2_BD_ARRAY stores the identification information of the storage state, where empty indicates that the subspace contains no data message and can be written with data, and ready indicates that the subspace contains a data message that can be sent. For example, when network card 2 receives a data packet, a subspace in which no data packet is stored (i.e. whose storage state is empty) is determined according to the indication information in the receive queue of network card 2, the received data packet is stored in that subspace, and the storage state of the subspace is updated to ready, as shown in fig. 6.
In other embodiments, after the DMA controller obtains the data packet received by the second network card from the second receive queue and sends it out through the first network card, the storage state of the subspace where the packet was located is updated to empty. For example, the DMA controller determines an element whose storage state is ready from the receive queue of network card 2 (RX2_BD_ARRAY), determines the subspace in which the data packet is located from the space address information stored in that element, acquires the data packet from the subspace pointed to by pkt_buff, and sends it out through network card 1. In some embodiments, after the DMA controller obtains the data packet from the subspace or sends it out through network card 1, the storage state of the subspace may be updated to empty.
302, the DMA controller is controlled to obtain the data message received by the first network card according to the address of the first receive queue of the first network card, and to send the data message out through the second network card.
In some embodiments, controlling the DMA controller to obtain the data message received by the first network card according to the address of the first receive queue of the first network card and to send it out through the second network card may be understood as updating the address from which the DMA controller obtains the data message to be sent through the second network card from the address of the second transmit queue to the address of the first receive queue. The DMA controller then acquires the data message received by the first network card from the first receive queue and sends it out through the second network card. The memory space indicated by the address of the first receive queue stores the address of a third memory space, which is used to store the data messages received by the first network card. The memory space indicated by the address of the second transmit queue stores the address of a fourth memory space, which is used to store the data messages to be sent by the second network card. In some embodiments, the DMA controller obtains the data message received by the first network card from the first receive queue as follows: it determines, from the first receive queue, the memory space holding the data message received by the first network card, and then reads the data message from that memory space.
In some embodiments, again taking network card 1 and network card 2 as an example, as shown in fig. 5, when the network security device software is being upgraded or the security processing logic is abnormal, the address of the first receive queue of network card 1 may be obtained through the get_dma_addr function; for convenience of explanation the first receive queue is denoted RX1_BD_ARRAY. The transmit address of network card 2 may then be modified from the address of the transmit queue of network card 2 to the address of the receive queue of network card 1 by the set_dma_addr function. The transmit queue of network card 2 may be represented by TX2_BD_ARRAY and the receive queue of network card 1 by RX1_BD_ARRAY. For example, the transmit address of network card 2 may be modified from the TX2_BD_ARRAY address to the RX1_BD_ARRAY address by the SET_DMA_ADDR function. After this modification, the DMA controller obtains the data message to be sent from the third memory space via the address of the receive queue of network card 1 (i.e. the RX1_BD_ARRAY address) and sends it through network card 2. Specifically, after network card 1 receives message data, the DMA controller stores the message data into the receive queue of network card 1 (RX1_BD_ARRAY). When the DMA controller then detects that the transmit queue of network card 2 (i.e. the receive queue of network card 1) contains a data message, it obtains the data message from the memory space indicated by the space address information in the receive queue of network card 1 and sends it out through network card 2.
In some embodiments, the memory space indicated by the address of the second transmit queue further stores second indication information, which indicates whether the fourth memory space contains a data message to be sent.
In some embodiments, the fourth memory space includes a plurality of second subspaces, and different second subspaces store different data messages to be sent. The second indication information comprises a plurality of identifiers in one-to-one correspondence with the second subspaces; each identifier indicates whether the corresponding second subspace holds a data message to be sent.
In some embodiments, when the first network card receives a data message, a subspace whose storage state is empty is determined from the plurality of subspaces according to the indication information, the data message is stored in that subspace, and the storage state of the subspace is updated to record that it holds a data message. For example, when network card 1 receives a data message, a subspace that holds no data message (i.e. whose storage state is empty) may be determined according to the indication information in the receive queue of network card 1, the received data message is stored in that subspace, and the storage state of the subspace is set to ready.
In other embodiments, after the DMA controller obtains the data message received by the first network card from the first receive queue and sends it out through the second network card, the storage state of the second subspace in which the data message is located is updated to empty. For example, the first receive queue of network card 1 may be represented by RX1_BD_ARRAY. RX1_BD_ARRAY contains the storage state information, where empty indicates that the subspace contains no data message and can be written, and ready indicates that the subspace contains a data message that can be sent. pkt_buff points to a second subspace of the memory space and is used to store the data message received by network card 1. The DMA controller determines an element whose storage state is ready from the receive queue of network card 1 (RX1_BD_ARRAY) and determines the subspace in which the data message is located from the space address information stored in that element. The DMA controller then reads the data message from the subspace pointed to by pkt_buff and sends it out through network card 2. In some embodiments, after the DMA controller obtains the data message from the subspace or sends it out through network card 2, the storage state of the subspace may be updated to empty.
Based on this scheme, when the network security device software is being upgraded or the security processing logic is abnormal, the data messages received by the first network card can be sent out through the second network card and the data messages received by the second network card can be sent out through the first network card, so that forwarding of data messages between the different network cards is achieved. The method uses DMA to fetch data directly from the receive address and send it out; this processing does not occupy memory, so it is fast and does not affect the processing speed of the CPU. In addition, the method can set the association relationship among different network cards, which gives greater flexibility.
In some embodiments, when the network security device is not performing a software upgrade, the security processing logic is normal, and the second indication information indicates that the fourth memory space contains a data message to be sent, the DMA controller is controlled to obtain the data message to be sent from the first memory space according to the address of the first transmit queue and to send it through the first network card, and to obtain the data message to be sent from the fourth memory space according to the address of the second transmit queue and to send it out through the second network card. Illustratively, following the example shown in fig. 5, when the network security device is not performing a software upgrade and the security processing logic is normal, the first receive queue address and first transmit queue address of network card 1 and the second receive queue address and second transmit queue address of network card 2 may be obtained through the get_dma_addr function. The first receive queue may be represented by RX1_BD_ARRAY, the first transmit queue by TX1_BD_ARRAY, the second receive queue by RX2_BD_ARRAY, and the second transmit queue by TX2_BD_ARRAY. After the receive queue addresses and transmit queue addresses of network card 1 and network card 2 are obtained, the transmit address of network card 1 is modified from the receive queue address of network card 2 (the RX2_BD_ARRAY address) to the transmit queue address of network card 1 (the TX1_BD_ARRAY address) through the SET_DMA_ADDR function.
At this time, the DMA controller obtains the data message to be sent from the first memory space according to the address of the transmit queue of network card 1 (the TX1_BD_ARRAY address) and sends it through network card 1. It will be appreciated that the transmit address of network card 2 may likewise be modified from the receive queue address of network card 1 (the RX1_BD_ARRAY address) to the transmit queue address of network card 2 (the TX2_BD_ARRAY address) by the set_dma_addr function. At this time, the DMA controller obtains the data message to be sent from the fourth memory space according to the address of the transmit queue of network card 2 (the TX2_BD_ARRAY address) and sends it through network card 2, as shown in fig. 7.
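The queue repointing of steps 301 and 302 and the restore shown in fig. 7, as an added host-side model that is not the patent's code: it shows that in bypass mode a frame received on card 2 leaves through card 1 with no security processing applied between the two queues, and that the subspace returns to empty afterwards, while in normal mode the frame stays ready in the receive queue for the security logic. The type and function names (bd_t, nic_t, dma_ctrl_t, nic_receive, dma_transmit, run_scenario), the signatures given to get_dma_addr and set_dma_addr, and the queue and subspace sizes are assumptions.

```c
/* Added example, not the patent's code: a host-side model of the packet
 * description arrays (status + subspace address) and of the DMA controller's
 * per-card transmit source, which set_dma_addr repoints in bypass mode. */
#include <stdint.h>
#include <string.h>

#define BD_COUNT 4   /* elements per queue (constructed size) */
#define PKT_MAX  64  /* bytes per pkt_buff subspace (constructed size) */
enum bd_status { BD_EMPTY = 0, BD_READY = 1 };

/* One element of RXn_BD_ARRAY / TXn_BD_ARRAY: status plus subspace address. */
typedef struct { enum bd_status status; uint8_t *address; } bd_t;
typedef struct { bd_t bd[BD_COUNT]; uint8_t pkt_buff[BD_COUNT][PKT_MAX]; } bd_array_t;
/* A card with its two queues; last_sent/wire_tx_count stand in for the link. */
typedef struct { bd_array_t rx, tx; uint8_t last_sent[PKT_MAX]; int wire_tx_count; } nic_t;
/* The DMA controller: tx_src[i] is the queue it drains when sending through
 * card i; in normal mode tx_src[i] == &nic[i]->tx (the TXi_BD_ARRAY address). */
typedef struct { nic_t *nic[2]; bd_array_t *tx_src[2]; } dma_ctrl_t;

static void bd_array_init(bd_array_t *a) {
    for (int i = 0; i < BD_COUNT; i++) {   /* each element points at its own subspace */
        a->bd[i].status = BD_EMPTY;
        a->bd[i].address = a->pkt_buff[i];
    }
}

void nic_init(nic_t *n) {
    memset(n, 0, sizeof *n);
    bd_array_init(&n->rx);
    bd_array_init(&n->tx);
}

/* get_dma_addr / set_dma_addr analogues (names from the text, signatures assumed). */
bd_array_t *get_dma_addr(const dma_ctrl_t *d, int card) { return d->tx_src[card]; }
void set_dma_addr(dma_ctrl_t *d, int card, bd_array_t *q) { d->tx_src[card] = q; }

/* Steps 301/302: card 1 transmits from RX2_BD_ARRAY and card 2 from RX1_BD_ARRAY. */
void enter_bypass(dma_ctrl_t *d) {
    set_dma_addr(d, 0, &d->nic[1]->rx);
    set_dma_addr(d, 1, &d->nic[0]->rx);
}

/* Fig. 7: each card's transmit source is restored to its own transmit queue. */
void leave_bypass(dma_ctrl_t *d) {
    set_dma_addr(d, 0, &d->nic[0]->tx);
    set_dma_addr(d, 1, &d->nic[1]->tx);
}

/* Fig. 6: a received frame is stored in the first empty subspace, which is
 * then marked ready. Returns -1 if the frame is too large or no subspace is free. */
int nic_receive(nic_t *n, const uint8_t *data, size_t len) {
    if (len > PKT_MAX) return -1;
    for (int i = 0; i < BD_COUNT; i++) {
        bd_t *bd = &n->rx.bd[i];
        if (bd->status != BD_EMPTY) continue;
        memset(bd->address, 0, PKT_MAX);
        memcpy(bd->address, data, len);
        bd->status = BD_READY;
        return 0;
    }
    return -1;
}

/* One DMA pass for `card`: every ready element of the queue the controller
 * points at is sent through the card and its subspace set back to empty.
 * Returns the number of frames sent. */
int dma_transmit(dma_ctrl_t *d, int card) {
    bd_array_t *q = get_dma_addr(d, card);
    nic_t *out = d->nic[card];
    int sent = 0;
    for (int i = 0; i < BD_COUNT; i++) {
        if (q->bd[i].status != BD_READY) continue;
        memcpy(out->last_sent, q->bd[i].address, PKT_MAX);
        out->wire_tx_count++;
        q->bd[i].status = BD_EMPTY;   /* subspace may be written again */
        sent++;
    }
    return sent;
}

/* Constructed scenario: a frame arrives on card 2, then the DMA controller runs
 * one pass for card 1. Returns how many frames card 1 put on the wire: 1 in
 * bypass mode (frame crossed unmodified, nothing inspected it, subspace freed),
 * 0 in normal mode (frame stays ready in RX2_BD_ARRAY for the security logic).
 * Returns -1 if the model ends in any other state. */
int run_scenario(int bypass) {
    nic_t n1, n2;
    nic_init(&n1); nic_init(&n2);
    dma_ctrl_t d = { { &n1, &n2 }, { &n1.tx, &n2.tx } };
    if (bypass) enter_bypass(&d); else leave_bypass(&d);
    const uint8_t frame[] = "constructed frame arriving on nic2";
    if (nic_receive(&n2, frame, sizeof frame) != 0) return -1;
    int sent = dma_transmit(&d, 0);
    if (sent != n1.wire_tx_count) return -1;
    if (sent == 1 && (n2.rx.bd[0].status != BD_EMPTY ||
                      memcmp(n1.last_sent, frame, sizeof frame) != 0)) return -1;
    if (sent == 0 && n2.rx.bd[0].status != BD_READY) return -1;
    return sent;
}
```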
Based on the same technical concept, the embodiment of the present application provides a network security device 800, as shown in fig. 8, where the device 800 may perform each step in the bypass forwarding method of the data packet, and in order to avoid repetition, a description is omitted here. The device 800 comprises a processor 801, a first network card 802, a second network card 803, and a DMA controller 804;
the processor 801 is configured to control the DMA controller 804 to obtain the data message received by the second network card according to the address of the second receive queue of the second network card when the network security device software is being upgraded or the security processing logic is abnormal;
the first network card 802 is configured to send a data packet received by the second network card and acquired by the DMA controller 804;
the processor 801 is further configured to control the DMA controller 804 to obtain a data packet received by the first network card 802 according to an address of a first receive queue of the first network card;
the second network card 803 is further configured to send a data packet received by the first network card 802 and acquired by the DMA controller 804.
In some embodiments, the processor 801 is specifically configured to update the address from which the DMA controller 804 obtains the data message to be sent by the first network card 802 from the address of the first transmit queue to the address of the second receive queue. The memory space indicated by the address of the first transmit queue stores the address of a first memory space, which is used to store the data messages to be sent by the first network card 802. The memory space indicated by the address of the second receive queue stores the address of a second memory space, which is used to store the data messages received by the second network card 803.
In some embodiments, the memory space indicated by the address of the first transmit queue further stores first indication information, where the first indication information is used to indicate whether the first memory space includes a data packet to be transmitted.
In some embodiments, the processor 801 is further configured to: when the network security device does not perform software upgrade and the security processing logic is normal and the first indication information indicates that the first memory space contains a data packet to be sent, the DMA controller 804 is controlled to obtain the data packet to be sent from the first memory space according to the address of the first transmission queue, and send the data packet to be sent in the first memory space through the first network card 802.
In some embodiments, the processor 801 is specifically configured to: and updating the address of the data message to be sent by the second network card 803 by the DMA controller 804 from the address of the second sending queue to the address of the first receiving queue. The memory space indicated by the address of the first receive queue stores an address of a third memory space, where the third memory space is used to store the data packet received by the first network card 802. And storing an address of a fourth memory space in the memory space indicated by the address of the second transmit queue, where the fourth memory space is used to store the data packet to be transmitted by the second network card 803.
In some embodiments, the memory space indicated by the address of the second transmit queue further stores second indication information, where the second indication information is used to indicate whether the fourth memory space contains a data packet to be transmitted.
In some embodiments, the processor 801 is further configured to: when the network security device does not perform software upgrade and the security processing logic is normal and the second indication information indicates that the fourth memory space contains the data message to be sent, the DMA controller 804 is controlled to obtain the data message to be sent from the fourth memory space according to the address of the second transmission queue, and send the data message to be sent in the fourth memory space through the second network card 803.
Based on the same technical concept, the embodiment of the present application further provides a bypass forwarding device 900 for a data packet, as shown in fig. 9, including:
a memory 901 for storing program instructions;
and the processor 902 is configured to call the program instructions stored in the memory, and execute the bypass forwarding method of the data packet according to the obtained program.
In the embodiments of the present application, the processor may be a general purpose processor, a digital signal processor, an application specific integrated circuit, a field programmable gate array or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement or execute the methods, steps, and logic blocks disclosed in the embodiments of the present application. The general purpose processor may be a microprocessor or any conventional processor or the like. The steps of a method disclosed in connection with the embodiments of the present application may be embodied directly in a hardware processor for execution, or in a combination of hardware and software modules in the processor for execution.
The memory is used as a non-volatile computer readable storage medium for storing non-volatile software programs, non-volatile computer executable programs, and modules. The memory may include at least one type of storage medium, for example flash memory, hard disk, multimedia card, card memory, random access memory (RAM), static random access memory (SRAM), programmable read-only memory (PROM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), magnetic memory, magnetic disk, optical disk, and the like. The memory may also be any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to these. The memory in the embodiments of the present application may also be circuitry or any other device capable of implementing a memory function for storing program instructions and/or data.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various modifications and variations can be made in the present application without departing from the scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims and the equivalents thereof, the present application is intended to cover such modifications and variations.
Claims (10)
1. A method for bypass forwarding of a data packet, applied to a network security device, the network security device including a DMA controller, comprising:
when the network security equipment software is upgraded or the security processing logic is abnormal, controlling the DMA controller to acquire a data message received by the second network card according to the address of a second receiving queue of the second network card, and sending the data message through the first network card;
and controlling the DMA controller to acquire the data message received by the first network card according to the address of the first receiving queue of the first network card, and sending the data message out through the second network card.
2. The method of claim 1, wherein controlling the DMA controller to obtain the data message received by the second network card according to the address of the second receive queue of the second network card, and send the data message through the first network card, comprises:
updating the address of the DMA controller, which is used for acquiring the data message to be transmitted through the first network card, from the address of the first transmission queue to the address of the second receiving queue;
wherein the memory space indicated by the address of the first transmission queue stores the address of a first memory space, and the first memory space is used for storing a data message to be transmitted by the first network card; and the memory space indicated by the address of the second receiving queue stores the address of a second memory space, and the second memory space is used for storing the data message received by the second network card.
3. The method of claim 2, wherein the memory space indicated by the address of the first transmit queue further stores first indication information, where the first indication information is used to indicate whether the first memory space contains a data packet to be transmitted.
4. A method as claimed in claim 3, wherein the method further comprises:
and when the network security equipment does not execute software upgrading and the security processing logic is normal and the first indication information indicates that the first memory space contains the data message to be sent, controlling the DMA controller to acquire the data message to be sent from the first memory space according to the address of the first sending queue, and sending the data message to be sent in the first memory space through the first network card.
5. The method according to any one of claims 1-4, wherein controlling the DMA controller to obtain, from a first receive queue of a first network card, a data packet received by the first network card according to an address of the first receive queue, and send the data packet through a second network card includes:
updating the address of the DMA controller, which is used for acquiring the data message to be transmitted through the second network card, from the address of the second transmission queue to the address of the first receiving queue;
the address of a third memory space is stored in the memory space indicated by the address of the first receiving queue, and the third memory space is used for storing the data message received by the first network card; and storing an address of a fourth memory space in a memory space indicated by the address of the second transmission queue, wherein the fourth memory space is used for storing a data message to be transmitted by the second network card.
6. The method of claim 5, wherein the memory space indicated by the address of the second transmit queue further stores second indication information, where the second indication information is used to indicate whether the fourth memory space contains a data packet to be transmitted.
7. The method of claim 6, wherein the method further comprises:
and when the network security equipment does not execute software upgrading and the security processing logic is normal and the second indication information indicates that the fourth memory space contains the data message to be sent, controlling the DMA controller to acquire the data message to be sent from the fourth memory space according to the address of the second transmission queue, and sending the data message to be sent in the fourth memory space through the second network card.
8. A network security device, comprising a processor, a DMA controller, a first network card and a second network card;
the processor is used for controlling the DMA controller to acquire the received data message of the second network card according to the address of the second receiving queue of the second network card when the network security equipment software is upgraded or the security processing logic is abnormal;
the first network card is used for sending the data message received by the second network card and acquired by the DMA controller;
the processor is further configured to control the DMA controller to obtain a data packet received by the first network card according to an address of a first receiving queue of the first network card;
the second network card is configured to send the data packet received by the first network card and acquired by the DMA controller.
9. A bypass forwarding device for a data message, comprising a memory and a processor;
the memory is used for storing program instructions;
the processor is configured to invoke the program instructions stored in the memory and to perform the method of any one of claims 1-7 according to the obtained program.
10. A computer readable storage medium storing computer instructions which, when run on a computer, cause the computer to perform the method of any one of claims 1-7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111620330.7A CN114401218B (en) | 2021-12-28 | 2021-12-28 | Bypass forwarding method and device for data message |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114401218A CN114401218A (en) | 2022-04-26 |
CN114401218B true CN114401218B (en) | 2023-07-21 |
Family
ID=81229446
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111620330.7A Active CN114401218B (en) | 2021-12-28 | 2021-12-28 | Bypass forwarding method and device for data message |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114401218B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115665073B (en) * | 2022-12-06 | 2023-04-07 | 江苏为是科技有限公司 | Message processing method and device |
Citations (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6389479B1 (en) * | 1997-10-14 | 2002-05-14 | Alacritech, Inc. | Intelligent network interface device and system for accelerated communication |
US6529518B1 (en) * | 1998-06-11 | 2003-03-04 | Sun Microsystems, Inc. | Method and apparatus for providing a network interface |
CN101165667A (en) * | 2006-10-17 | 2008-04-23 | 国际商业机器公司 | Apparatus and method for managing address conversion in data processing system |
US7600143B1 (en) * | 2004-08-19 | 2009-10-06 | Unisys Corporation | Method and apparatus for variable delay data transfer |
CN108628684A (en) * | 2017-03-20 | 2018-10-09 | 华为技术有限公司 | A kind of message processing method and computer equipment based on DPDK |
CN110134623A (en) * | 2018-02-08 | 2019-08-16 | 赛灵思公司 | Customized more queue DMA interfaces |
CN110417791A (en) * | 2019-08-02 | 2019-11-05 | 成都卫士通信息产业股份有限公司 | A kind of encryption device and network data method, apparatus |
CN110798342A (en) * | 2019-10-14 | 2020-02-14 | 杭州迪普科技股份有限公司 | Method and device for realizing bypass mode based on software |
CN111147132A (en) * | 2019-12-31 | 2020-05-12 | 杭州迪普科技股份有限公司 | Bypass device and network optical interface module comprising same |
CN112055058A (en) * | 2020-08-19 | 2020-12-08 | 广东省新一代通信与网络创新研究院 | Data storage method and device and computer readable storage medium |
CN113296899A (en) * | 2021-06-04 | 2021-08-24 | 海光信息技术股份有限公司 | Transaction master machine, transaction slave machine and transaction processing method based on distributed system |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
AU6361601A (en) * | 1999-02-23 | 2001-10-18 | Alcatel Internetworking, Inc. | Multi-service network switch with a generic forwarding interface |
US8316228B2 (en) * | 2008-12-17 | 2012-11-20 | L-3 Communications Corporation | Trusted bypass for secure communication |
US10523540B2 (en) * | 2017-03-29 | 2019-12-31 | Ca, Inc. | Display method of exchanging messages among users in a group |
US10929310B2 (en) * | 2019-03-01 | 2021-02-23 | Cisco Technology, Inc. | Adaptive address translation caches |
CN112910802B (en) * | 2021-01-13 | 2022-05-24 | 新华三大数据技术有限公司 | Message processing method and device |
-
2021
- 2021-12-28 CN CN202111620330.7A patent/CN114401218B/en active Active
Patent Citations (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6389479B1 (en) * | 1997-10-14 | 2002-05-14 | Alacritech, Inc. | Intelligent network interface device and system for accelerated communication |
US6529518B1 (en) * | 1998-06-11 | 2003-03-04 | Sun Microsystems, Inc. | Method and apparatus for providing a network interface |
US7600143B1 (en) * | 2004-08-19 | 2009-10-06 | Unisys Corporation | Method and apparatus for variable delay data transfer |
CN101165667A (en) * | 2006-10-17 | 2008-04-23 | 国际商业机器公司 | Apparatus and method for managing address conversion in data processing system |
CN108628684A (en) * | 2017-03-20 | 2018-10-09 | 华为技术有限公司 | A kind of message processing method and computer equipment based on DPDK |
CN110134623A (en) * | 2018-02-08 | 2019-08-16 | 赛灵思公司 | Customized more queue DMA interfaces |
CN110417791A (en) * | 2019-08-02 | 2019-11-05 | 成都卫士通信息产业股份有限公司 | A kind of encryption device and network data method, apparatus |
CN110798342A (en) * | 2019-10-14 | 2020-02-14 | 杭州迪普科技股份有限公司 | Method and device for realizing bypass mode based on software |
CN111147132A (en) * | 2019-12-31 | 2020-05-12 | 杭州迪普科技股份有限公司 | Bypass device and network optical interface module comprising same |
CN112055058A (en) * | 2020-08-19 | 2020-12-08 | 广东省新一代通信与网络创新研究院 | Data storage method and device and computer readable storage medium |
CN113296899A (en) * | 2021-06-04 | 2021-08-24 | 海光信息技术股份有限公司 | Transaction master machine, transaction slave machine and transaction processing method based on distributed system |
Non-Patent Citations (1)
Title |
---|
唐宏伟.虚拟机安全保障及其性能优化关键技术研究.《 中国科学院大学(中国科学院深圳先进技术研究院)》.2017,全文. * |
Also Published As
Publication number | Publication date |
---|---|
CN114401218A (en) | 2022-04-26 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107820693B (en) | Method, equipment and system for forwarding message in NVMe over Fabric | |
CN109688058B (en) | Message processing method and device and network equipment | |
CN111542081B (en) | Communication switching method and device and Internet of things communication module | |
WO2017032112A1 (en) | Method for communicating with board having no central processing unit and communication device | |
CN114401218B (en) | Bypass forwarding method and device for data message | |
CN113328916B (en) | BFD detection mode switching method, device and equipment | |
CN105897623A (en) | Data transmission method and apparatus | |
CN105763463B (en) | Method and device for transmitting link detection message | |
CN111431668B (en) | Baud rate switching method based on multi-node UART communication, air conditioning system and processor | |
CN104394012A (en) | Cluster router, MPU (microprocessor unit), determining method for faults of MPU and sensing controller | |
KR20140030184A (en) | Control device and method for operating such a control device | |
US8984634B2 (en) | Quarantine network system, server apparatus, and program | |
CN113141267B (en) | Firmware upgrading and information processing method, device and equipment | |
JP5500332B2 (en) | IC chip, information processing apparatus, software module control method, information processing system and method, and program | |
CN112491570A (en) | Method, device and storage medium for setting link state of virtual network card | |
CN105406989A (en) | Message processing method, network card and system, information updating method and host | |
CN112311671B (en) | Method, apparatus, medium and device for issuing aggregated link configuration to switch chip | |
CN104038426A (en) | Network switch and data updating method | |
US11604670B2 (en) | Virtual machine live migration method, apparatus, and system | |
CN114706594A (en) | BMC software batch installation method, device, equipment and readable storage medium | |
US11825247B2 (en) | Wiring information generation system, and wiring information generation method | |
CN112152941B (en) | Method for expanding single-port large-capacity table item, network transmission equipment and storage medium | |
CN112511344B (en) | Master-slave equipment network sharing method and device and Internet of things equipment | |
CN112929912B (en) | LTE module monitoring method and device, communication equipment and readable storage medium | |
CN115086219B (en) | Virtual router determining method, device and computer readable storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||