CN116155838B - Flow transparent transmission method and device and electronic equipment

Publication number
CN116155838B
Authority
CN
China
Legal status
Active
Application number
CN202310443546.3A
Other languages
Chinese (zh)
Other versions
CN116155838A (en)
Inventor
贺情杰
肖宇凡
权鹏飞
刘高
张旋
Current Assignee
Beijing Shengbang Saiyun Technology Co ltd
Webray Tech Beijing Co ltd
Original Assignee
Beijing Shengbang Saiyun Technology Co ltd
Webray Tech Beijing Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L49/00 Packet switching elements
    • H04L49/30 Peripheral units, e.g. input or output ports
    • H04L49/35 Switches specially adapted for specific applications
    • H04L49/351 Switches specially adapted for specific applications for local area network [LAN], e.g. Ethernet switches
    • H04L49/354 Switches specially adapted for specific applications for supporting virtual local area networks [VLAN]

Abstract

The invention discloses a flow transparent transmission method, a device and electronic equipment, wherein the electronic equipment comprises a switch and a kernel module, and belongs to the technical field of network security, and the method comprises the following steps: receiving a first access flow sent by a first external device through a switch; the number of interfaces of the electronic equipment is more than that of the electronic equipment without the built-in switch; forwarding the first access traffic to an ethernet interface in the kernel module via the switch; the first access traffic is forwarded to the second external device based on the ethernet interface. The invention can meet the requirement of the number of interfaces in the WAF complex application scene.

Description

Flow transparent transmission method and device and electronic equipment
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a traffic transparent transmission method, a traffic transparent transmission device and electronic equipment.
Background
As Web applications become richer, Web servers, with their powerful computing capability, processing performance and the high value they carry, are becoming a major target of attack. Security events such as Structured Query Language (SQL) injection, web page tampering and web page trojan implantation occur frequently. As hacking techniques advance, it is difficult for an ordinary firewall to detect and block such security events.
The physical network interfaces of a conventional Web Application Firewall (WAF) are taken over by the kernel and are all visible to the WAF device. In addition, because of mainboard limitations, the number of network interfaces that a central processing unit (CPU) can control is limited, generally to 6-8 network interfaces, so a conventional WAF device can hardly meet the interface-count requirements of complex WAF application scenarios.
Disclosure of Invention
The invention provides a flow transparent transmission method, a flow transparent transmission device and electronic equipment, which are used for solving the defect that the number of network interfaces is limited in the prior art and can meet the requirement of the number of interfaces in a WAF complex application scene.
The invention provides a flow transparent transmission method applied to electronic equipment, wherein the electronic equipment comprises a switch and a kernel module, and the method comprises the following steps:
receiving a first access flow sent by a first external device through the switch; the number of interfaces of the electronic device is greater than the number of interfaces of an electronic device without the switch built in;
forwarding the first access traffic to an ethernet interface in the kernel module through the switch;
forwarding the first access traffic to a second external device based on the ethernet interface.
According to the traffic transparent transmission method provided by the invention, the first access traffic comprises traffic carrying a virtual local area network tag and/or traffic not carrying a virtual local area network tag;
the receiving, by the switch, the first access traffic sent by the first external device, including:
performing interface configuration on the switch to obtain a configured interface; the configured interface treats the received first access traffic as untagged traffic;
and receiving the first access flow sent by the first external device through the configured interface.
According to the traffic transparent transmission method provided by the invention, the configured interfaces comprise a first configuration interface and a second configuration interface, and before forwarding the first access traffic to the ethernet interface in the kernel module through the switch, the method further comprises:
receiving the first access traffic with the first configuration interface;
and adding the first virtual local area network tag to the first access traffic according to the first virtual local area network tag associated with the first configuration interface to obtain second access traffic with the first virtual local area network tag.
According to the traffic transparent transmission method provided by the invention, the switch comprises an uplink interface;
the forwarding, by the switch, the first access traffic to an ethernet interface in the kernel module includes:
forwarding the second access traffic to the uplink interface through the first configuration interface;
and forwarding the second access traffic to the Ethernet interface through the uplink interface.
According to the traffic transparent transmission method provided by the invention, the forwarding the first access traffic to a second external device based on the ethernet interface includes:
creating a virtual interface based on the ethernet interface;
and forwarding the first access traffic to a second external device based on the virtual interface.
According to the traffic transparent transmission method provided by the invention, the virtual interface comprises: a first virtual interface and a second virtual interface;
the creating a virtual interface based on the ethernet interface includes:
creating the first virtual interface according to a first virtual local area network tag associated with the first configuration interface;
and creating the second virtual interface according to a second virtual local area network tag associated with the second configuration interface.
According to the traffic transparent transmission method provided by the invention, the adding the first virtual local area network tag to the access traffic according to the first virtual local area network tag associated with the first configuration interface to obtain the second access traffic with the first virtual local area network tag comprises the following steps:
when the first access traffic is the traffic which does not carry the virtual local area network tag, adding a first virtual local area network tag associated with the first configuration interface to the first access traffic to obtain a second access traffic with the first virtual local area network tag;
and when the first access flow is the flow carrying the virtual local area network tags, adding one first virtual local area network tag associated with the first configuration interface to the first access flow to obtain second access flow with two first virtual local area network tags.
According to the traffic transparent transmission method provided by the invention, the forwarding the first access traffic to the second external device based on the virtual interface includes:
removing the first virtual local area network tag from the second access flow to obtain a third access flow;
forwarding the third access traffic to the first virtual interface via the ethernet interface;
forwarding the third access traffic to the second virtual interface through the first virtual interface;
adding a second virtual local area network tag to the third access traffic according to a second virtual local area network tag associated with the second configuration interface to obtain fourth access traffic;
forwarding the fourth access traffic to the second external device through the second virtual interface.
According to the traffic transparent transmission method provided by the invention, the adding a second virtual local area network tag to the third access traffic according to the second virtual local area network tag associated with the second configuration interface to obtain a fourth access traffic includes:
when the third access flow is the flow which does not carry the virtual local area network tag, adding a second virtual local area network tag associated with the second configuration interface to the third access flow to obtain the fourth access flow with the second virtual local area network tag;
and when the third access flow is the flow carrying the virtual local area network tag, adding a second virtual local area network tag associated with the second configuration interface to the third access flow to obtain the fourth access flow with the second virtual local area network tag and the first virtual local area network tag.
According to the traffic transparent transmission method provided by the invention, the forwarding the fourth access traffic to the second external device through the second virtual interface includes:
forwarding the fourth access traffic to the ethernet interface via the second virtual interface;
forwarding the fourth access traffic to the uplink interface via the ethernet interface;
removing a second virtual local area network tag from the fourth access flow to obtain the first access flow;
forwarding the first access traffic to the second configuration interface through the uplink interface;
forwarding the first access traffic to the second external device through the second configuration interface.
The invention also provides a flow transparent transmission device which is applied to the electronic equipment, wherein the electronic equipment comprises a switch and a kernel module; the flow transparent transmission device comprises:
the receiving module is used for receiving a first access flow sent by the first external equipment through the switch; the number of interfaces of the electronic equipment is more than that of the electronic equipment without the switch;
a forwarding module, configured to forward, through the switch, the first access traffic to an ethernet interface in the kernel module;
the forwarding module is further configured to forward the first access traffic to a second external device based on the ethernet interface.
The invention also provides an electronic device comprising a processor and a memory storing a program or instructions executable on the processor, which when executed by the processor, implements a flow transparent method as described in the first aspect.
The present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements a flow transparent method as described in any of the above.
The present invention also provides a computer program product stored in a storage medium for execution by at least one processor to implement a traffic transparent method as described in the first aspect.
The invention provides a flow transparent transmission method, a flow transparent transmission device and electronic equipment, wherein the electronic equipment comprises a switch and a kernel module, and a first access flow sent by first external equipment is received through the switch; the number of interfaces of the electronic equipment is more than that of the electronic equipment without the switch; forwarding the first access traffic to an ethernet interface in the kernel module through the switch; forwarding the first access traffic to a second external device based on the ethernet interface. In the method, the switch is built in the WAF equipment, so that the number of interfaces is expanded on the basis of the network interfaces in the original WAF equipment, the flow is forwarded into the WAF equipment through the switch interfaces, and the WAF equipment forwards the flow to the switch interfaces, thereby meeting the requirement of the number of interfaces in the WAF complex application scene.
Drawings
In order to more clearly illustrate the invention or the technical solutions of the prior art, the following description will briefly explain the drawings used in the embodiments or the description of the prior art, and it is obvious that the drawings in the following description are some embodiments of the invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic flow chart of a flow transparent transmission method provided by the invention;
FIG. 2 is a schematic diagram of the flow forwarding and interface setting effect provided by the invention;
FIG. 3 is a second schematic flow chart of the flow transparent transmission method provided by the invention;
FIG. 4 is a schematic diagram illustrating the effect of flow transparent transmission provided by the invention;
FIG. 5 is a schematic diagram showing the effect of flow transparent transmission provided by the invention;
FIG. 6 is a third schematic flow chart of the flow transparent transmission method provided by the invention;
FIG. 7 is a fourth schematic flow chart of the flow transparent transmission method provided by the invention;
FIG. 8 is a fifth schematic flow chart of the flow transparent transmission method provided by the invention;
FIG. 9 is a sixth schematic flow chart of the flow transparent transmission method provided by the invention;
FIG. 10 is a seventh schematic flow chart of the flow transparent transmission method provided by the invention;
FIG. 11 is an eighth schematic flow chart of the flow transparent transmission method provided by the invention;
FIG. 12 is a schematic structural diagram of a flow transparent transmission device provided by the invention;
FIG. 13 is a schematic diagram of the physical structure of an electronic device provided by the invention.
Detailed Description
The technical solutions of the embodiments of the present invention will be clearly described below with reference to the drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments. All other embodiments, which are obtained by a person skilled in the art based on the embodiments of the present invention, fall within the scope of protection of the present invention.
The terms first, second and the like in the description and in the claims, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged, as appropriate, such that embodiments of the present invention may be implemented in sequences other than those illustrated or described herein, and that the objects identified by "first," "second," etc. are generally of a type, and are not limited to the number of objects, such as the first object may be one or more. Furthermore, in the description and claims, "and/or" means at least one of the connected objects, and the character "/", generally means that the associated object is an "or" relationship.
The flow transparent transmission method, the flow transparent transmission device, the electronic equipment and the readable storage medium provided by the embodiment of the invention are described in detail below through specific embodiments and application scenes thereof with reference to the accompanying drawings.
The flow transparent transmission method, the flow transparent transmission device and the electronic equipment of the invention are described below with reference to fig. 1 to 13.
In the embodiment of the present invention, as shown in fig. 1, fig. 1 is a schematic flow chart of a flow transmission method provided by the present invention, and the following steps will be specifically described.
S101, receiving a first access flow sent by a first external device through a switch; the number of interfaces of the electronic device is greater than the number of interfaces of the electronic device without the built-in switch.
In the embodiment of the invention, the switch is built in the electronic equipment, so that the number of interfaces is expanded on the basis of the network interfaces in the original equipment. And then the electronic equipment receives the traffic sent by the external equipment through the built-in switch.
In embodiments of the present invention, transparent transmission is a mode of information transfer or interaction for mobile devices, also known as push. Through the Internet, the user can receive information sent by the server, which may be text, pictures, video or voice; the user receives new information in this mode and can filter and receive specific types of information according to personal interests and preferences.
In the embodiment of the invention, the electronic equipment can be WAF equipment, and when the electronic equipment is the WAF equipment, the method related to the invention can be applied to the WAF equipment to realize flow transmission on the WAF equipment; the first external device and the second external device may each be an external switch.
S102, receiving the first access traffic through the switch and forwarding the first access traffic to the Ethernet interface in the kernel module.
In an embodiment of the invention, a switch in the electronic device receives the access traffic through its interface and sends the received access traffic to an ethernet interface in a kernel module of the electronic device.
In an embodiment of the invention, when the electronic device is a WAF device: the physical network interfaces of a conventional WAF device are taken over by the kernel module and are all visible to the WAF device. The electronic device in the invention can be a WAF device with a built-in switch chip, in which all physical network interfaces other than the management interface are controlled by the switch. These interfaces are not visible to the WAF device and can communicate with interfaces in the kernel only through the uplink interface in the switch. When traffic is forwarded from an external device to the WAF device, it first reaches a switch interface of the WAF device and then passes from the switch interface to the WAF device; the WAF device receives the traffic and forwards it back to a switch interface, from which it is finally forwarded to an external device, thereby realizing the Layer 2 transparent inline deployment mode of the WAF device.
S103, forwarding the first access traffic to the second external equipment based on the Ethernet interface.
In some embodiments of the invention, the electronic device forwards the first access traffic to the second external device on the basis of the ethernet interface.
In some embodiments of the present invention, traffic is forwarded to a built-in switch interface of the WAF device via an external device, then forwarded to an ethernet interface of the WAF device via the built-in switch interface, then forwarded to the built-in switch interface via the ethernet interface, and finally forwarded to another external device via the built-in switch interface.
In the embodiment of the present invention, as shown in fig. 2, fig. 2 is a schematic diagram of the flow forwarding and interface setting effect provided by the present invention. Fig. 2 shows three devices: external switch A, the WAF device and external switch B. The WAF device has a built-in switch, and interfaces G0/0 and G0/1 of that switch are configured. The Ethernet interface eth4 in the kernel module of the WAF device is virtualized to obtain two virtual interfaces, eth10 and eth11, and the two virtual interfaces are added to a network bridge. The general traffic path is: external switch A forwards to switch interface G0/0, G0/0 forwards to G0/25, G0/25 forwards to eth4, eth4 forwards to G0/25, G0/25 forwards to G0/1, and G0/1 forwards to external switch B. G0/25 is the uplink interface, which is connected to eth4 in the kernel.
It may be appreciated that, in the embodiment of the present invention, the first access traffic sent by the first external device is received by the switch; the number of interfaces of the electronic equipment is more than that of the electronic equipment without the built-in switch; forwarding the first access traffic to an ethernet interface in the kernel module via the switch; the first access traffic is forwarded to the second external device based on the ethernet interface. In the method, a switch is built in the WAF equipment, so that the number of interfaces is expanded on the basis of the network interfaces in the original WAF equipment, for example, the number of the interfaces is expanded to 32 from the original 6-8 network interfaces. The flow is forwarded into the WAF equipment through the switch interface, and then the WAF equipment forwards the flow to the switch interface, so that the requirement on the number of interfaces in the WAF complex application scene is met.
In the embodiment of the present invention, as shown in fig. 3, fig. 3 is a second flow chart of the flow transparent transmission method provided in the present invention, S101 may be implemented through S1011 to S1012, and the following steps will be specifically described.
S1011, carrying out interface configuration on the switch to obtain a configured interface; the configured interface treats the received first access traffic as untagged traffic; the first access traffic comprises traffic carrying a virtual local area network tag and/or traffic not carrying a virtual local area network tag.
In the embodiment of the invention, the electronic equipment configures the interface of the switch to obtain the configured interface. The traffic sent by the external device is divided into traffic carrying a virtual local area network (vlan) tag and traffic not carrying a virtual local area network tag, and the configured interface treats the received traffic, whether or not it carries a virtual local area network tag, as untagged traffic.
In the embodiment of the invention, vlan stands for virtual local area network, a novel technology that logically divides the devices in a local area network into network segments so as to realize virtual workgroups. Dividing vlans makes it possible to control broadcast traffic and information transfer. Generally, a port is assigned to a vlan, and any device that accesses that port is assigned to the corresponding vlan. When an ordinary data frame sent by a terminal reaches the corresponding interface of the switch, the interface marks it with the corresponding tag. vlan tag: after the switch identifies which vlan a frame belongs to, it adds a tag at a specific location of the frame, and the tag explicitly identifies the vlan to which the frame belongs. After receiving the tagged data frame, other switches can directly identify which vlan the frame belongs to from the tag information.
Illustratively, any two interfaces G0/0 and G0/1 in the switch are configured as follows:
shell-execute cpssDxChBrgNestVlanAccessPortSet 0 0 1
configure
interface ethernet 0/0
switchport allowed vlan add 100 tagged1
switchport pvid 100
jumbo-frame 9000
end
shell-execute cpssDxChBrgNestVlanAccessPortSet 0 1 1
configure
interface ethernet 0/1
switchport allowed vlan add 101 tagged1
switchport pvid 101
jumbo-frame 9000
end
Here, shell-execute cpssDxChBrgNestVlanAccessPortSet 0 0 1 sets interface G0/0 to treat received traffic as untagged traffic. switchport allowed vlan add 100 tagged1 means that interface G0/0 allows vlan100, i.e. G0/0 allows traffic with the vlan100 tag to pass; vlan100 denotes a subnet whose vlan number is defined as 100. In the case of dual vlan tag traffic (i.e., vlan100, vlan101 in fig. 4), the inner vlan tag is preserved when the traffic passes through the G0/0 interface. shell-execute cpssDxChBrgNestVlanAccessPortSet 0 1 1 sets interface G0/1 to treat received traffic as untagged traffic. switchport allowed vlan add 101 tagged1 means that interface G0/1 allows vlan101, i.e. G0/1 allows traffic with the vlan101 tag to pass; vlan101 denotes a subnet whose vlan number is defined as 101. If the traffic carries dual vlan tags, the inner vlan tag is preserved when the traffic passes through the G0/1 interface. pvid is the port vlan id, i.e. the virtual local area network id of a port, and is related to the vlan tag when the port receives and transmits data frames.
S1012, receiving a first access flow sent by the first external device through the configured interface.
In the embodiment of the invention, the electronic device receives, through the configured interface, the first access traffic sent by the first external device, which carries and/or does not carry a virtual local area network tag.
It can be understood that in the embodiment of the present invention, the interface of the switch is configured, and the configured interface is then used to receive the traffic sent by the external device. Because the configured interface treats the received traffic as untagged traffic, the same switch interface can accept both traffic that carries vlan tags and traffic that does not, in either direction.
In some embodiments of the present invention, S201 to S202 are further included before S102, which will be described by the following steps.
S201, receiving first access traffic by using a first configuration interface.
In the embodiment of the invention, the electronic device receives the first access traffic sent by the first external device through the configured first configuration interface.
S202, adding a first virtual local area network tag to the first access traffic according to the first virtual local area network tag associated with the first configuration interface, and obtaining a second access traffic with the first virtual local area network tag.
In the embodiment of the invention, after the first external device forwards the first access traffic to the corresponding first configuration interface of the switch, the first access traffic is marked with the first virtual local area network tag corresponding to the first configuration interface, according to the vlan tag traffic that the first configuration interface is set to allow, so as to obtain the second access traffic with the first virtual local area network tag.
It can be understood that in the embodiment of the present invention, the first configuration interface treats the received first access traffic as untagged traffic, so it can accept traffic that carries and/or does not carry a virtual local area network tag. The access traffic is then marked with the associated tag before the subsequent forwarding between interfaces is performed, which avoids having to distinguish between different kinds of traffic and makes traffic transmission more convenient.
In some embodiments of the present invention, fig. 4 and fig. 5 are schematic diagrams of the effect of flow transparent transmission provided by the present invention. In fig. 4, the traffic does not carry a tag; the first external switch forwards the traffic to switch interface G0/0, which is set in advance to allow traffic of vlan100 to pass, and the vlan100 tag is then added at the G0/0 interface. In fig. 5, the traffic carries a tag, and the vlan100 tag is likewise added at the G0/0 interface.
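The tag handling along the G0/0 -> G0/25 -> eth4 -> eth10 -> eth11 -> eth4 -> G0/25 -> G0/1 path, traced on raw frames for both the untagged case (fig. 4) and the already-tagged case (fig. 5). This is an added example, not code from the patent; the 0x8100 TPID, the eth10/eth11-to-vlan mapping, the inner vlan 30 and the sample frames are assumptions constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # assumption: standard 802.1Q TPID; the page does not name one
PORT_PVID = {"G0/0": 100, "G0/1": 101}   # pvid per switch port, from the page's sample config
VIF_VLAN = {"eth10": 100, "eth11": 101}  # assumed mapping of the virtual interfaces on eth4


def build_frame(payload, vlan_ids=()):
    """Constructed sample Ethernet frame; vlan_ids are listed outermost first."""
    dst = bytes.fromhex("02000000000b")  # constructed, locally administered MACs
    src = bytes.fromhex("02000000000a")
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid) for vid in vlan_ids)
    return dst + src + tags + struct.pack("!H", 0x0800) + payload


def vlan_stack(frame):
    """Return the VLAN IDs carried by a frame, outermost first."""
    ids, off = [], 12
    while len(frame) >= off + 4:
        tpid, tci = struct.unpack_from("!HH", frame, off)
        if tpid != TPID_8021Q:
            break
        ids.append(tci & 0x0FFF)
        off += 4
    return ids


def push_tag(frame, vid):
    """Add an outermost tag without inspecting the frame, as a port that
    treats everything it receives as untagged does."""
    if not 1 <= vid <= 4094:
        raise ValueError(f"invalid VLAN id {vid}")
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]


def pop_tag(frame, expected_vid):
    """Remove the outermost tag, refusing frames whose outer tag is not the
    one associated with this interface."""
    if len(frame) < 16:
        raise ValueError("frame too short to carry a VLAN tag")
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    if tpid != TPID_8021Q or (tci & 0x0FFF) != expected_vid:
        raise ValueError(f"outer tag is not vlan {expected_vid}")
    return frame[:12] + frame[16:]


def transit(frame):
    """Carry one frame from external switch A (G0/0) to external switch B (G0/1).

    Returns the egress frame and a trace of (hop, vlan stack, frame length).
    """
    hops = [("G0/0 receives first access traffic", frame)]
    second = push_tag(frame, PORT_PVID["G0/0"])
    hops.append(("G0/25 -> eth4: second access traffic", second))
    third = pop_tag(second, VIF_VLAN["eth10"])
    hops.append(("eth10 -> bridge -> eth11: third access traffic", third))
    fourth = push_tag(third, VIF_VLAN["eth11"])
    hops.append(("eth4 -> G0/25: fourth access traffic", fourth))
    out = pop_tag(fourth, PORT_PVID["G0/1"])
    hops.append(("G0/1 sends first access traffic", out))
    return out, [(name, vlan_stack(f), len(f)) for name, f in hops]


if __name__ == "__main__":
    samples = {
        "untagged": build_frame(b"GET / HTTP/1.1\r\n"),
        "tagged with vlan 30": build_frame(b"GET / HTTP/1.1\r\n", vlan_ids=(30,)),
    }
    for label, frame in samples.items():
        out, trace = transit(frame)
        print(f"{label}: byte-identical on egress = {out == frame}")
        for hop, stack, length in trace:
            print(f"  {hop:<48} vlans={stack} len={length}")
```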
In some embodiments of the invention, the first configuration interface and the second configuration interface are switch interfaces (the switch interfaces include the interfaces of the original WAF); the number of interfaces of the electronic device is greater than the number of interfaces of the electronic device without the built-in switch.
It can be understood that in the embodiment of the invention, after the switch is built in the electronic device, the network interface of the electronic device is expanded on the basis of the original number, so that the requirement of the electronic device on the number of interfaces under complex application is met.
In the embodiment of the present invention, as shown in fig. 6, fig. 6 is a third schematic flow chart of the flow transparent transmission method provided in the present invention, S102 may be implemented through S1021 to S1022, and the following steps will be specifically described.
S1021, the second access traffic is forwarded to the uplink interface through the first configuration interface.
In some embodiments of the present invention, the built-in switch chip further includes an uplink interface, and the electronic device forwards the tagged second access traffic to the uplink interface through the first configuration interface.
S1022, forwarding the second access traffic to the Ethernet interface through the uplink interface.
In some embodiments of the invention, the electronic device then forwards the tagged second access traffic through the uplink interface to the Ethernet interface of the kernel module.
It can be appreciated that in some embodiments of the present invention, after the switch is built into the electronic device, the traffic is forwarded to the configuration interface of the switch, then from the configuration interface to the uplink interface in the switch, and then from the uplink interface to the Ethernet interface. After the switch is built in, all external physical network interfaces of the electronic device except the management interface are controlled by the switch. These interfaces are invisible to the WAF on the electronic device and can communicate with the interfaces in the kernel only through the uplink interface in the switch, which further meets the interface-count requirement of the electronic device in complex application scenarios.
In some embodiments of the present invention, S103 may be implemented through S1031 to S1032, which will be specifically described through the following steps.
S1031, creating a virtual interface based on the Ethernet interface.
In an embodiment of the invention, the electronic device creates the virtual interface according to the Ethernet interface in the kernel module.
In the embodiment of the invention, a virtual interface is a sub-interface divided out of an existing port. The vlan is generally configured with the ip command. After the virtual interface is created, the electronic device forwards the traffic to the virtual interface through the Ethernet interface, and the virtual interface then forwards the traffic to other interfaces for subsequent processing.
S1032, forwarding the first access traffic to the second external device based on the virtual interface.
In an embodiment of the invention, the electronic device forwards the first access traffic to the second external device based on the created virtual interface.
In the embodiment of the invention, the electronic device forwards the traffic to the Ethernet interface through the virtual interface created based on the Ethernet interface, forwards the traffic to the virtual interface through the Ethernet interface, and forwards the traffic to the second external device through the virtual interface. By creating a virtual interface, traffic can be forwarded out after entering the ethernet interface.
It can be appreciated that in some embodiments of the present invention, a virtual interface is created according to an ethernet interface in a kernel module, so as to solve the problem of forwarding interaction between a switch interface and the ethernet interface in the kernel.
In the embodiment of the present invention, as shown in fig. 7, which is a flow chart of the flow transparent transmission method provided by the present invention, S1031 may be implemented through S10311 to S10312, which are described in the following steps.
S10311, creating a first virtual interface according to the first virtual local area network tag associated with the first configuration interface.
In some embodiments of the invention, the electronic device creates the first virtual interface from a first virtual local area network tag associated with the first configuration interface.
S10312, creating a second virtual interface according to the second virtual local area network label associated with the second configuration interface.
In some embodiments of the invention, the electronic device creates the second virtual interface from a second virtual local area network tag associated with the second configuration interface.
In some embodiments of the present invention, two virtual interfaces, eth10 and eth11, are created on the Ethernet interface eth4 by the following commands:
ip link add link eth4 name eth10 type vlan id 100
ip link add link eth4 name eth11 type vlan id 101
These commands create a virtual interface eth10 corresponding to vlan100 and a virtual interface eth11 corresponding to vlan101 on the eth4 interface. After the two virtual interfaces eth10 and eth11 are obtained, they are added to a network bridge, so that access traffic that reaches the eth4 interface can be forwarded out again by eth4. The vlan can be configured through the ip command, specifically through the ip link add statement, which creates a virtual vlan network interface; here two vlan interfaces, vlan100 and vlan101, are created, with the corresponding vlan numbers 100 and 101. Machines in the same vlan can reach each other using the ip of that vlan. However, two machines that are located in different vlans cannot reach each other through ip, nor can they communicate end-to-end.
It will be appreciated that in some embodiments of the invention, the electronic device creates a second virtual interface from a second virtual local area network tag associated with the second configuration interface; and creating a first virtual interface according to a first virtual local area network tag associated with the first configuration interface. After the two virtual interfaces are obtained, the two virtual interfaces can interact with the Ethernet interface for flow forwarding, so that better performance and higher efficiency and reliability are realized.
In the embodiment of the present invention, as shown in fig. 8, which is the fifth flow chart of the flow transparent transmission method provided by the present invention, S202 may be implemented through S2021 to S2022, which are described in the following steps.
S2021, when the first access traffic is traffic without carrying a virtual local area network tag, adding a first virtual local area network tag associated with the first configuration interface to the first access traffic to obtain a second access traffic with the first virtual local area network tag.
In some embodiments of the present invention, when the first access traffic carries no vlan tag, the electronic device adds the first virtual local area network tag associated with the first configuration interface to the first access traffic. Because the first access traffic carried no tag beforehand, the second access traffic obtained after it passes through the first configuration interface carries one first virtual local area network tag.
For example, as shown in fig. 4, after the external switch forwards the traffic without the label to the G0/0 interface of the internal switch, the electronic device tags the traffic with a v100 label, so as to obtain a second access traffic with the v100 label.
S2022, when the first access traffic is traffic carrying virtual local area network tags, adding one first virtual local area network tag associated with the first configuration interface to the first access traffic to obtain second access traffic carrying two first virtual local area network tags.
In some embodiments of the present invention, when the first access traffic already carries a vlan tag, the electronic device adds one first virtual local area network tag associated with the first configuration interface to the first access traffic. Because the first access traffic already carried a tag beforehand, the second access traffic obtained after it passes through the first configuration interface carries two first virtual local area network tags.
For example, as shown in fig. 5, after the external switch forwards the traffic carrying the tag to the G0/0 interface of the internal switch, the electronic device tags the traffic with v100, so as to obtain a second access traffic with two v100 tags.
It can be understood that in some embodiments of the present invention, whether the access traffic carries a virtual local area network tag or not, the first configuration interface treats the received first access traffic as untagged traffic. The first configuration interface can therefore accept traffic with and/or without a virtual local area network tag in both directions: the associated tag is added to the access traffic, and the subsequent forwarding between interfaces then proceeds. This avoids having to distinguish between different kinds of traffic and makes traffic transmission more convenient.
In some embodiments of the present invention, as shown in fig. 9, which is a flow chart of the flow transparent transmission method provided by the present invention, S1022 may be implemented through S301 to S305, which are described in the following steps.
S301, removing the first VLAN tag from the second access traffic to obtain a third access traffic.
In some embodiments of the present invention, the electronic device removes the first virtual local area network tag carried by the second access traffic, so as to obtain the third access traffic with that tag removed.
Illustratively, as shown in fig. 4, when the traffic is forwarded from eth4 to eth10, the v100 label marked on the traffic is removed, and the same is true in fig. 5.
S302, forwarding the third access traffic to the first virtual interface through the Ethernet interface.
In some embodiments of the invention, the electronic device forwards the third access traffic to the first virtual interface via the ethernet interface.
Illustratively, as shown in fig. 4, the electronic device forwards traffic with the v100 tag removed to the first virtual interface eth10 via the eth4 interface.
S303, forwarding the third access traffic to the second virtual interface through the first virtual interface.
In some embodiments of the invention, the electronic device forwards the third access traffic to the second virtual interface through the first virtual interface.
In some embodiments of the present invention, the physical network interfaces of a conventional WAF device are taken over by the kernel: after an external device forwards traffic to the WAF device, an interface in the kernel forwards it to another external device. In a WAF device with a built-in switch, the kernel interface can communicate only with the uplink interface in the switch. Therefore, after a configured interface in the switch receives the traffic sent by the external device, the traffic is forwarded to the Ethernet interface in the kernel through the configured interface and the uplink interface. Corresponding virtual interfaces are created on the Ethernet interface according to the configured interfaces of the switch, namely according to the virtual local area network tags associated with the first configuration interface and the second configuration interface, so that the traffic can be forwarded out again after entering the Ethernet interface. After the traffic passes through the virtual interfaces, it is forwarded to the Ethernet interface and then to the uplink interface in the switch, until it is forwarded to another external device.
Illustratively, the electronic device forwards the third access traffic to the second virtual interface eth11 via the eth10 interface.
S304, adding a second virtual local area network label for the third access flow according to the second virtual local area network label associated with the second configuration interface, and obtaining a fourth access flow.
In some embodiments of the present invention, the electronic device tags the third access traffic with a second virtual local area network tag according to a second virtual local area network tag associated with the second configuration interface, so as to obtain a fourth access traffic carrying the second virtual local area network tag.
S305, forwarding the fourth access traffic to the second external device through the second virtual interface.
In some embodiments of the present invention, the electronic device forwards the fourth access traffic carrying the second virtual local area network tag to the second external device through the second virtual interface.
Illustratively, as shown in fig. 4, the electronic device forwards the fourth access traffic tagged with v101 to external switch B via eth11.
It will be appreciated that in some embodiments of the invention, the electronic device forwards traffic to the first virtual interface via the Ethernet interface, forwards it to the second virtual interface via the first virtual interface, and then forwards it to the external device. The two virtual interfaces can exchange traffic with the Ethernet interface, so that better performance, higher efficiency and reliability are realized, and the problem of how traffic that has entered the Ethernet interface in the kernel module gets out again is solved.
In some embodiments of the present invention, as shown in fig. 10, which is the seventh flow chart of the flow transparent transmission method provided by the present invention, S304 may be implemented through S3041 to S3042, which are described in the following steps.
S3041, when the third access flow is the flow which does not carry the virtual local area network label, adding a second virtual local area network label associated with the second configuration interface to the third access flow to obtain a fourth access flow with the second virtual local area network label.
In some embodiments of the present invention, when the third access traffic carries no vlan tag, the electronic device adds the second virtual local area network tag associated with the second configuration interface to the third access traffic. Because the third access traffic carried no tag beforehand, the fourth access traffic obtained after it passes through the second configuration interface carries one second virtual local area network tag.
For example, as shown in fig. 4, the electronic device tags the traffic that does not carry a tag with v101, obtains the fourth access traffic with the v101 tag, and forwards the fourth access traffic to eth4 through eth11.
S3042, when the third access flow is the flow carrying the virtual local area network tag, adding a second virtual local area network tag associated with the second configuration interface to the third access flow to obtain a fourth access flow carrying the second virtual local area network tag and the first virtual local area network tag.
In some embodiments of the present invention, when the third access traffic already carries a vlan tag, the electronic device adds the second virtual local area network tag associated with the second configuration interface to the third access traffic. Because the third access traffic already carried a tag beforehand, the fourth access traffic obtained after it passes through the second configuration interface carries one second virtual local area network tag and one first virtual local area network tag.
For example, as shown in fig. 5, the electronic device tags the traffic carrying the v100 tag with v101, obtains the fourth access traffic carrying the v100 and v101 tags, and forwards the fourth access traffic to eth4 through eth11.
It can be understood that in some embodiments of the present invention, whether the access traffic carries a virtual local area network tag or not, the second configuration interface treats the received third access traffic as untagged traffic. The second configuration interface can therefore accept traffic with and/or without a virtual local area network tag in both directions: the associated tag is added to the access traffic, and the subsequent forwarding between interfaces then proceeds. This avoids having to distinguish between different kinds of traffic and makes traffic transmission more convenient.
In some embodiments of the present invention, as shown in fig. 11, which is the eighth flow chart of the flow transparent transmission method provided by the present invention, S104 may be implemented through S1041 to S1045, which are described in the following steps.
S1041, forwarding the fourth access traffic to the Ethernet interface through the second virtual interface.
In some embodiments of the present invention, the electronic device forwards the fourth access traffic carrying the second virtual local area network tag to the ethernet interface according to the second virtual interface.
Illustratively, as shown in fig. 4, the electronic device forwards the fourth access traffic carrying the v101 tag from eth11 to eth4.
S1042, forwarding the fourth access traffic to the uplink interface via the Ethernet interface.
In some embodiments of the present invention, the electronic device forwards the fourth access traffic through the Ethernet interface to the uplink interface of the built-in switch.
Illustratively, as shown in FIG. 4, the electronic device forwards fourth access traffic to the G0/25 interface over the eth4 interface.
S1043, removing the second VLAN tag from the fourth access traffic to obtain the first access traffic.
In some embodiments of the present invention, the electronic device removes the second virtual local area network tag carried by the fourth access traffic, to obtain the first access traffic.
In some embodiments of the present invention, a port is only the outlet through which the device communicates with the outside. After the first external device forwards the access traffic to the WAF device with the built-in switch, tags are added to and removed from the traffic at the switch configuration interface and at the Ethernet interface in the kernel while the traffic is forwarded, and the original access traffic is finally sent to the second external device.
For example, as shown in fig. 4, the electronic device removes the v101 tag carried by the fourth access traffic, and obtains the first access traffic.
S1044, forwarding the first access traffic to the second configuration interface through the uplink interface.
In some embodiments of the present invention, the electronic device forwards the first access traffic to the second configuration interface through the uplink interface of the built-in switch.
In some embodiments of the present invention, when the electronic device is a WAF device, since the WAF device has a built-in switch, all other physical network interfaces except the management interface of the WAF device are controlled by the switch, and these interfaces are not visible to the WAF device, and can only communicate with the interfaces in the kernel module of the WAF device through the uplink interface in the switch.
Illustratively, as shown in FIG. 4, the electronic device forwards the first access traffic to G0/1 via G0/25.
S1045, forwarding the first access traffic to the second external device through the second configuration interface.
In some embodiments of the present invention, the electronic device forwards the acquired first access traffic to the second external device through the second configuration interface.
Illustratively, as shown in FIG. 4, the electronic device forwards the first access traffic to the second external switch B via G0/1.
It will be appreciated that in some embodiments of the present invention, the access traffic is forwarded to the Ethernet interface in the kernel module via the virtual interface, then to the uplink interface in the switch via the Ethernet interface, then to the second configuration interface via the uplink interface, and finally to the second external device via the second configuration interface. The switch interfaces can accept traffic with and/or without vlan tags in both directions, which solves the problem of how to forward traffic out again after it has entered the Ethernet interface in the kernel module, improves the reliability and performance of traffic transmission, and finally realizes the layer 2 transparent serial deployment mode of the electronic device.
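The tag handling of S2021 to S1045 can be traced on real frame bytes. The following is an added example, not part of the patent text: it pushes and pops 802.1Q tags along the G0/0, G0/25, eth4, eth10, eth11, G0/1 path for the fig. 4 (untagged) and fig. 5 (already tagged) cases. The function names, MAC addresses and payload are constructed for illustration, and the use of TPID 0x8100 for every tag is an assumption, since the page names no TPID.

```python
import struct

TPID = 0x8100                 # assumption: 802.1Q TPID for every tag
VLAN_IN, VLAN_OUT = 100, 101  # vlan ids the page associates with G0/0 and G0/1


def push_tag(frame: bytes, vid: int) -> bytes:
    """Insert an 802.1Q tag directly after the two MAC addresses (bytes 0..11)."""
    if not 1 <= vid <= 4094:
        raise ValueError(f"invalid vlan id {vid}")
    return frame[:12] + struct.pack("!HH", TPID, vid) + frame[12:]


def pop_tag(frame: bytes, expected_vid: int) -> bytes:
    """Remove the outermost tag; reject a frame whose outer tag is not the expected one."""
    if len(frame) < 16:
        raise ValueError("frame too short to carry a tag")
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID or (tci & 0x0FFF) != expected_vid:
        raise ValueError(f"outer tag is not vlan {expected_vid}")
    return frame[:12] + frame[16:]


def tag_stack(frame: bytes) -> list:
    """Return the vlan ids carried by the frame, outermost first."""
    vids, off = [], 12
    while len(frame) >= off + 4:
        tpid, tci = struct.unpack("!HH", frame[off:off + 4])
        if tpid != TPID:
            break
        vids.append(tci & 0x0FFF)
        off += 4
    return vids


def transit(first: bytes):
    """Carry one frame through the device; return (egress frame, tag stack per hop)."""
    hops = []

    def record(where: str, frame: bytes) -> bytes:
        hops.append((where, tag_stack(frame)))
        return frame

    # S2021/S2022: G0/0 treats whatever arrives as untagged and adds vlan100.
    second = record("G0/0 -> G0/25 -> eth4", push_tag(first, VLAN_IN))
    # S301-S303: the vlan100 tag is removed towards eth10, then bridged to eth11.
    third = record("eth4 -> eth10 -> eth11", pop_tag(second, VLAN_IN))
    # S304, S1041-S1042: eth11 adds vlan101 and hands the frame back to eth4.
    fourth = record("eth11 -> eth4 -> G0/25", push_tag(third, VLAN_OUT))
    # S1043-S1045: vlan101 is removed and the frame leaves through G0/1.
    out = record("G0/25 -> G0/1 -> external", pop_tag(fourth, VLAN_OUT))
    return out, hops


# Constructed sample frames (locally administered MACs, padded dummy payload).
DST = bytes.fromhex("020000000002")
SRC = bytes.fromhex("020000000001")
PAYLOAD = b"constructed payload".ljust(46, b"\x00")
UNTAGGED = DST + SRC + struct.pack("!H", 0x0800) + PAYLOAD  # fig. 4 case
TAGGED = push_tag(UNTAGGED, 100)                            # fig. 5 case

if __name__ == "__main__":
    for name, frame in (("fig. 4", UNTAGGED), ("fig. 5", TAGGED)):
        out, hops = transit(frame)
        print(name, "transparent:", out == frame)
        for where, stack in hops:
            print(f"  {where:28s} tags={stack}")
```

Each pushed tag adds 4 bytes, so the internal link between G0/25 and eth4 carries frames 4 bytes longer than the ones received on G0/0.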
The flow transparent transmission device provided by the invention is described below, and the flow transparent transmission device described below and the flow transparent transmission method described above can be referred to correspondingly.
In the embodiment of the present invention, as shown in fig. 12, fig. 12 is a schematic structural diagram of a flow transparent transmission device provided by the present invention. The flow transparent transmission device comprises a receiving module 1201 and a forwarding module 1202, wherein:
the receiving module 1201 is configured to receive, by using the switch, a first access traffic sent by a first external device; the number of interfaces of the electronic equipment is more than that of the electronic equipment without the switch;
the forwarding module 1202 is configured to forward, through the switch, the first access traffic to an ethernet interface in the kernel module;
the forwarding module 1202 is further configured to forward the first access traffic to a second external device based on the ethernet interface.
Optionally, the first access traffic includes traffic carrying a virtual local area network tag and/or traffic not carrying a virtual local area network tag; the receiving module 1201 is specifically configured to:
performing interface configuration on the switch to obtain a configured interface; the interface after configuration is used for taking the received first access traffic as label-free traffic;
and receiving the first access flow sent by the first external device through the configured interface.
Optionally, the configured interface includes a first configuration interface and a second configuration interface; before the forwarding, by the switch, the first access traffic to an ethernet interface in the kernel module, the receiving unit is specifically configured to:
receiving the first access traffic with the first configuration interface;
Optionally, the flow transparent transmission device further includes an adding module 1203, specifically configured to:
and adding the first virtual local area network tag to the first access traffic according to the first virtual local area network tag associated with the first configuration interface to obtain second access traffic with the first virtual local area network tag.
Optionally, the switch includes an uplink interface; the forwarding module 1202 is specifically configured to:
forwarding the second access traffic to the uplink interface through the first configuration interface;
and forwarding the second access traffic to the Ethernet interface through the uplink interface.
Optionally, the forwarding module 1202 is specifically configured to:
creating a virtual interface based on the ethernet interface;
and forwarding the first access traffic to a second external device based on the virtual interface.
Optionally, the virtual interface includes: a first virtual interface and a second virtual interface; the flow transparent transmission device further comprises a creation module 1204, specifically configured to:
creating the first virtual interface according to a first virtual local area network tag associated with the first configuration interface;
and creating the second virtual interface according to a second virtual local area network tag associated with the second configuration interface.
Optionally, the adding module 1203 is specifically configured to:
when the first access traffic is the traffic which does not carry the virtual local area network tag, adding a first virtual local area network tag associated with the first configuration interface to the first access traffic to obtain a second access traffic with the first virtual local area network tag;
and when the first access flow is the flow carrying the virtual local area network tags, adding one first virtual local area network tag associated with the first configuration interface to the first access flow to obtain second access flow with two first virtual local area network tags.
Optionally, the forwarding module 1202 is specifically configured to:
removing the first virtual local area network tag from the second access flow to obtain a third access flow;
forwarding the third access traffic to the first virtual interface via the ethernet interface;
forwarding the third access traffic to the second virtual interface through the first virtual interface;
adding a second virtual local area network tag to the third access traffic according to a second virtual local area network tag associated with the second configuration interface to obtain fourth access traffic;
forwarding the fourth access traffic to the second external device through the second virtual interface.
Optionally, the adding module 1203 is specifically configured to:
when the third access flow is the flow which does not carry the virtual local area network tag, adding a second virtual local area network tag associated with the second configuration interface to the third access flow to obtain the fourth access flow with the second virtual local area network tag;
and when the third access flow is the flow carrying the virtual local area network tag, adding a second virtual local area network tag associated with the second configuration interface to the third access flow to obtain the fourth access flow with the second virtual local area network tag and the first virtual local area network tag.
Optionally, the forwarding module 1202 is specifically configured to:
forwarding the fourth access traffic to the ethernet interface via the second virtual interface;
forwarding the fourth access traffic to the uplink interface via the ethernet interface;
removing a second virtual local area network tag from the fourth access flow to obtain the first access flow;
forwarding the first access traffic to the second configuration interface through the uplink interface;
forwarding the first access traffic to the second external device through the second configuration interface.
The device of the embodiment of the present invention is used for executing the method in any of the foregoing embodiments of the flow transmission method, and its implementation principle and technical effects are similar, and are not repeated here.
In an embodiment of the present invention, as shown in fig. 13, fig. 13 is a schematic diagram of an entity structure of an electronic device provided by the present invention, where the electronic device may include: a processor 1301, a communication interface (Communications Interface) 1302, a memory 1303 and a communication bus 1304, wherein the processor 1301, the communication interface 1302 and the memory 1303 communicate with each other via the communication bus 1304. The processor 1301 may invoke logic instructions in the memory 1303 to perform the flow transparent transmission method, the method comprising: receiving a first access flow sent by a first external device through the switch; the first access traffic comprises traffic carrying a virtual local area network tag and/or traffic not carrying a virtual local area network tag;
forwarding the first access traffic to an ethernet interface in the kernel module through the switch;
creating a virtual interface based on the ethernet interface;
and forwarding the first access traffic to a second external device based on the virtual interface.
Further, the logic instructions in the memory 1303 described above may be implemented in the form of software functional units and may be stored in a computer readable storage medium when sold or used as a stand-alone product. Based on this understanding, the technical solution of the present invention, in essence, or the part of it contributing to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing program code.
In another aspect, the present invention also provides a computer program product, where the computer program product includes a computer program, where the computer program can be stored on a non-transitory computer readable storage medium, and when the computer program is executed by a processor, the computer can execute a traffic transparent transmission method provided by the above methods, and the method includes:
receiving a first access flow sent by a first external device through the switch; the first access traffic comprises traffic carrying a virtual local area network tag and/or traffic not carrying a virtual local area network tag;
forwarding the first access traffic to an ethernet interface in the kernel module through the switch;
creating a virtual interface based on the ethernet interface;
and forwarding the first access traffic to a second external device based on the virtual interface.
In yet another aspect, the present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the flow transparent transmission method provided by the above methods, the method comprising:
receiving a first access flow sent by a first external device through the switch; the first access traffic comprises traffic carrying a virtual local area network tag and/or traffic not carrying a virtual local area network tag;
forwarding the first access traffic to an ethernet interface in the kernel module through the switch;
creating a virtual interface based on the ethernet interface;
and forwarding the first access traffic to a second external device based on the virtual interface.
The apparatus embodiments described above are merely illustrative, wherein the elements illustrated as separate elements may or may not be physically separate, and the elements shown as elements may or may not be physical elements, may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus necessary general hardware platforms, or of course may be implemented by means of hardware. Based on this understanding, the foregoing technical solution may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a computer readable storage medium, such as ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method described in the respective embodiments or some parts of the embodiments.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (6)

1. A traffic transparent transmission method, characterized in that the method is applied to electronic equipment, wherein the electronic equipment comprises a switch and a kernel module, the switch comprises an uplink interface, the kernel module comprises an Ethernet interface, and the electronic equipment is a web application protection system (WAF) device, the method comprising the following steps:
performing interface configuration on the switch to obtain configured interfaces, the configured interfaces comprising a first configuration interface and a second configuration interface;
receiving, through the first configuration interface, first access traffic sent by a first external device;
adding, according to a first virtual local area network tag associated with the first configuration interface, the first virtual local area network tag to the first access traffic to obtain second access traffic with the first virtual local area network tag;
forwarding the second access traffic to the uplink interface through the first configuration interface;
forwarding the second access traffic to the Ethernet interface through the uplink interface;
removing the first virtual local area network tag from the second access traffic to obtain third access traffic;
forwarding the third access traffic to a first virtual interface through the Ethernet interface;
forwarding the third access traffic to a second virtual interface through the first virtual interface;
adding, according to a second virtual local area network tag associated with the second configuration interface, the second virtual local area network tag to the third access traffic to obtain fourth access traffic;
forwarding the fourth access traffic to the Ethernet interface through the second virtual interface;
forwarding the fourth access traffic to the uplink interface through the Ethernet interface;
removing the second virtual local area network tag from the fourth access traffic to obtain the first access traffic;
forwarding the first access traffic to the second configuration interface through the uplink interface;
forwarding the first access traffic to a second external device through the second configuration interface;
wherein the first virtual interface is created according to the first virtual local area network tag associated with the first configuration interface, and the second virtual interface is created according to the second virtual local area network tag associated with the second configuration interface.
2. The traffic transparent transmission method according to claim 1, wherein the first access traffic includes traffic carrying a first virtual local area network tag and/or traffic not carrying a first virtual local area network tag; and the configured interface is configured to treat the received first access traffic as untagged traffic.
3. The traffic transparent transmission method according to claim 2, wherein adding the first virtual local area network tag to the first access traffic according to the first virtual local area network tag associated with the first configuration interface, to obtain the second access traffic with the first virtual local area network tag, includes:
when the first access traffic is traffic that does not carry the first virtual local area network tag, adding the first virtual local area network tag associated with the first configuration interface to the first access traffic to obtain second access traffic with the first virtual local area network tag;
and when the first access traffic is traffic carrying the first virtual local area network tag, adding one first virtual local area network tag associated with the first configuration interface to the first access traffic to obtain second access traffic with two first virtual local area network tags.
4. The traffic transparent transmission method according to claim 3, wherein adding the second virtual local area network tag to the third access traffic according to the second virtual local area network tag associated with the second configuration interface, to obtain the fourth access traffic, includes:
when the third access traffic is traffic that does not carry the first virtual local area network tag, adding the second virtual local area network tag associated with the second configuration interface to the third access traffic to obtain the fourth access traffic with the second virtual local area network tag;
and when the third access traffic is traffic carrying the first virtual local area network tag, adding the second virtual local area network tag associated with the second configuration interface to the third access traffic to obtain the fourth access traffic with the second virtual local area network tag and the first virtual local area network tag.
5. An electronic device, comprising a switch and a kernel module, wherein the electronic device is a WAF device of a web application protection system, and the electronic device is configured to perform the traffic transparent transmission method according to any one of claims 1 to 4.
6. An electronic device, comprising a processor and a memory storing a program or instructions executable on the processor, wherein the program or instructions, when executed by the processor, implement the traffic transparent transmission method according to any one of claims 1 to 4.
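The tag handling of claims 1, 3 and 4 can be traced at the byte level with the following added example, which is not code from the patent. It models only the push and pop of 802.1Q tags along the claimed path; the VLAN IDs 100 and 200, the MAC addresses, the payload and all function names are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # 802.1Q tag protocol identifier


def push_tag(frame: bytes, vid: int) -> bytes:
    """Insert an 802.1Q tag (TPID + TCI) right after the two MAC addresses."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID out of range")
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]


def outer_vid(frame: bytes):
    """Return the outermost VLAN ID, or None if the frame is untagged."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    return tci & 0x0FFF if tpid == TPID_8021Q else None


def pop_tag(frame: bytes, vid: int) -> bytes:
    """Remove the outermost tag, but only if it carries the expected VLAN ID."""
    if outer_vid(frame) != vid:
        raise ValueError(f"outer tag is not VLAN {vid}")
    return frame[:12] + frame[16:]


def tag_stack(frame: bytes) -> list:
    """List VLAN IDs from outermost to innermost."""
    vids = []
    while (vid := outer_vid(frame)) is not None:
        vids.append(vid)
        frame = pop_tag(frame, vid)
    return vids


def transparent_path(first: bytes, vlan1: int, vlan2: int) -> dict:
    """Walk one frame from the first configuration interface to the second."""
    second = push_tag(first, vlan1)   # first port -> uplink -> Ethernet interface
    third = pop_tag(second, vlan1)    # handed to the first virtual interface
    fourth = push_tag(third, vlan2)   # second virtual interface -> Ethernet interface
    egress = pop_tag(fourth, vlan2)   # uplink -> second port -> second external device
    return {"second": second, "third": third, "fourth": fourth, "egress": egress}


# Constructed sample frames: dst MAC, src MAC, EtherType 0x0800, dummy payload.
MACS = bytes.fromhex("020000000002" "020000000001")
UNTAGGED = MACS + struct.pack("!H", 0x0800) + b"payload"
TAGGED = push_tag(UNTAGGED, 100)  # sender already tagged with VLAN 100

if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED), ("tagged", TAGGED)):
        hops = transparent_path(frame, vlan1=100, vlan2=200)
        print(name, {k: tag_stack(v) for k, v in hops.items()})
```

In both cases the frame leaving the second configuration interface is byte-identical to the one received on the first, which is the transparency property the claims describe.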
CN202310443546.3A 2023-04-24 2023-04-24 Flow transparent transmission method and device and electronic equipment Active CN116155838B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310443546.3A CN116155838B (en) 2023-04-24 2023-04-24 Flow transparent transmission method and device and electronic equipment

Publications (2)

Publication Number Publication Date
CN116155838A CN116155838A (en) 2023-05-23
CN116155838B CN116155838B (en) 2023-07-21

Family

ID=86341103

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310443546.3A Active CN116155838B (en) 2023-04-24 2023-04-24 Flow transparent transmission method and device and electronic equipment

Country Status (1)

Country Link
CN (1) CN116155838B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant