TWI721103B - Cluster accurate speed limiting method and device - Google Patents

Info

Publication number: TWI721103B
Authority: TW (Taiwan)
Prior art keywords: data packet, header, module, identity information, client
Application number: TW106105141A
Other languages: Chinese (zh)
Other versions: TW201737664A (en
Inventors: 姜邦杰, 祝順民, 文榮, 孫成浩
Original Assignee: 香港商阿里巴巴集團服務有限公司
Application filed by 香港商阿里巴巴集團服務有限公司
Publication of TW201737664A
Application granted
Publication of TWI721103B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/40 Support for services or applications
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1001 Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
    • H04L67/1004 Server selection for load balancing
    • H04L67/1014 Server selection for load balancing based on the content of a request
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/16 Threshold monitoring
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H04L47/32 Flow control; Congestion control by discarding or delaying data units, e.g. packets or frames

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Multimedia (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

An embodiment of the present invention provides an accurate cluster rate limiting method and device, relating to the field of computer technology. The method includes: receiving a data packet; determining whether the data packet belongs to a client that the receiving service entity is itself responsible for handling; if it does not, forwarding the data packet to the service entity responsible for handling the client to which the data packet belongs; if it does, rate limiting the data packet based on the identity information of the data packet. The invention does not require a separate flow-control entity in the cluster to rate limit the service entities of the whole cluster, so the normal operation of the cluster cannot be disrupted by a failure of such a flow-control entity, and applicability is high. Moreover, it involves only simple forwarding of data packets between service entities, so complexity is low.

Description

Cluster accurate speed limiting method and device

The present invention relates to the field of computer technology, and in particular to an accurate cluster rate limiting method and an accurate cluster rate limiting device.

With the spread of networks, their application environments have become increasingly diverse; for example, a cluster made up of a group of cooperating service entities is used to serve multiple clients or users. In such environments the traffic of each client or user must be rate limited, either to prevent one client's excessive traffic from affecting other clients or to enforce the bandwidth that a client has purchased. A cluster contains multiple service entities, such as servers, and each of them provides service at the same time, so the traffic of a single client lands on several service entities of the cluster. If each service entity rate limits independently, the total rate-limited bandwidth of each client grows as the cluster scales out. An accurate, cluster-wide rate limiting scheme is therefore needed.

To achieve accurate rate limiting for a cluster, three types of schemes currently exist:

Type 1: A dedicated flow-control entity, such as a flow-control server, is used within the cluster to control the rate limit of each service entity. The flow-control entity monitors the traffic rate of each rate-limiting unit on the service entities and dynamically allocates the rate-limit bandwidth.

Type 2: Each service entity in the cluster receives an equal share of the bandwidth purchased by the client or user. If the cluster has N service entities and the user has purchased bandwidth B, the rate limit on each service entity is B/N.

Type 3: A dedicated rate-limiting node, built from devices with a rate limiting function, is placed between the clients and the cluster.

However, each of these three types of schemes has its own drawbacks:

The first type requires a flow-control entity in the cluster to control rate limiting; if that entity fails, the normal operation of the cluster is affected, so applicability is poor. In addition, because the flow-control entity must monitor the traffic rates of the service entities, it has to communicate heavily with them to decide the rate limit to issue to each one, so complexity is high.

With the second type, it is hard to guarantee that each client's traffic is spread evenly across the service entities, so operability is low. And if a client's traffic is uneven, the traffic of some clients on some service entities exceeds the per-entity rate limit and packets are dropped, so the user's actual bandwidth falls short of the purchased bandwidth and accuracy is low.

The third type adds dedicated rate-limiting nodes, which increases cost and makes it unsuitable for small clusters.

In view of the above problems, embodiments of the present invention are proposed to provide an accurate cluster rate limiting method, and a corresponding accurate cluster rate limiting device, that overcome the above problems or at least partially solve them.

To solve the above problems, the present invention discloses an accurate cluster rate limiting method, including: receiving a data packet; determining whether the data packet belongs to a client that the service entity is itself responsible for handling; if the data packet does not belong to such a client, forwarding the data packet to the service entity responsible for handling the client to which the data packet belongs; if the data packet does belong to such a client, rate limiting the data packet based on the identity information of the data packet.

Preferably, the step of forwarding the data packet to the service entity responsible for handling the client to which the data packet belongs includes: based on the identity information of the data packet, encapsulating an additional protocol header around the data packet according to the rules of a network transmission protocol; and forwarding the data packet with the encapsulated protocol header through a switch to the service entity responsible for handling the client to which the data packet belongs.

Preferably, the step of encapsulating an additional protocol header around the data packet according to the rules of the network transmission protocol, based on the identity information of the data packet, includes: based on the identity information of the data packet, encapsulating an additional IP header and UDP header around the data packet according to the rules of the network transmission protocol; or, based on the identity information of the data packet, encapsulating an additional IP header and TCP header around the data packet according to the rules of the network transmission protocol.

Preferably, the step of encapsulating an additional IP header and UDP header, or an additional IP header and TCP header, around the data packet according to the rules of the network transmission protocol, based on the identity information of the data packet, includes: obtaining the identity information corresponding to the data packet; selecting the same five-tuple according to the identity information, the five-tuple consisting of source IP address, destination IP address, source port, destination port and transport protocol type, where the destination IP address is the IP address of a service entity; and, based on the five-tuple, encapsulating an additional IP header and UDP header around the data packet according to the rules of the network transmission protocol; or, based on the five-tuple, encapsulating an additional IP header and TCP header around the data packet according to the rules of the network transmission protocol.

Preferably, when the identity information is an IP address, the step of obtaining the identity information corresponding to the data packet includes: parsing the IP header of the data packet at the network layer to obtain the IP address.

Preferably, when the identity information is a user ID, the step of obtaining the identity information corresponding to the data packet includes: buffering the data packet at the network layer while passing the data packet up to the application layer; and parsing the data area of the data packet at the application layer to obtain the user ID of the data packet.

Preferably, the step of selecting the same five-tuple according to the identity information includes: selecting the same five-tuple at the application layer according to the identity information; and, after the step of selecting the same five-tuple according to the identity information, the method further includes: sending the five-tuple obtained at the application layer to the network layer.

Preferably, the step of encapsulating an additional IP header and UDP header around the data packet according to the rules of the network transmission protocol, based on the five-tuple, includes: placing the source port and destination port of the five-tuple in the UDP header outside the data packet; and placing the source IP address, destination IP address and transport protocol type of the five-tuple in the IP header outside the data packet.

Preferably, the step of encapsulating an additional IP header and TCP header around the data packet according to the rules of the network transmission protocol, based on the five-tuple, includes: placing the source port and destination port of the five-tuple in the TCP header outside the data packet; and placing the source IP address, destination IP address and transport protocol type of the five-tuple in the IP header outside the data packet.

Preferably, the step of determining whether the data packet belongs to a client that the service entity is itself responsible for handling includes: determining whether the data packet was forwarded by a service entity or sent by a client; if the data packet was forwarded by a service entity, confirming that the data packet belongs to a client that the service entity is itself responsible for handling; if the data packet was sent by a client, confirming that the data packet does not belong to a client that the service entity is itself responsible for handling.

Preferably, the step of determining whether the data packet was forwarded by a service entity or sent by a client includes: for any data packet, determining whether a protocol header encapsulated according to the rules of the network transmission protocol exists outside the data packet; if such a protocol header exists outside the data packet, confirming that the data packet belongs to a client that the service entity is itself responsible for handling; if no such protocol header exists outside the data packet, confirming that the data packet does not belong to a client that the service entity is itself responsible for handling.

Preferably, the step of rate limiting the data packet based on the identity information of the data packet includes: removing the protocol header encapsulated outside the data packet according to the rules of the network transmission protocol; obtaining the identity information of the data packet; determining whether the traffic corresponding to the identity information exceeds a traffic threshold; and, if the traffic corresponding to the identity information exceeds the traffic threshold, discarding the data packet.

Preferably, when the identity information is an IP address, the step of determining whether the traffic corresponding to the identity information reaches the threshold includes: looking up the user ID corresponding to the IP address; looking up the traffic threshold corresponding to the user ID; calculating whether the traffic corresponding to the IP address exceeds the traffic threshold; and, if the traffic corresponding to the IP address exceeds the traffic threshold, discarding the data packet.
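An added example, not code from the patent: a small in-memory simulation of the method steps above (classify by outer header, forward with an identity-derived five-tuple, decapsulate and rate limit on the owning service entity). It goes one step beyond the text by comparing the result with the per-node B and B/N schemes from the background. The SHA-256 owner mapping, the tunnel port and source address, the one-second byte window and every address and table are assumptions.

```python
import hashlib
import socket
import struct

# Constructed sample data: every address, port and table below is an assumption.
NODE_IPS = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]   # service entities
TUNNEL_SRC = "10.0.0.254"    # assumed fixed outer source address
TUNNEL_PORT = 47000          # assumed UDP port marking a forwarded packet
USER_OF_IP = {"198.51.100.7": "user-a"}           # IP address -> user ID
LIMIT_OF_USER = {"user-a": 10_000}                # user ID -> bytes per second (B)


def ipv4_udp(src, dst, sport, dport, payload):
    """Wrap payload in IPv4 + UDP headers (checksums left at zero: in-memory only)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp


def parse(pkt):
    """Return (src_ip, dst_ip, sport, dport, payload) of an IPv4/UDP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]),
            sport, dport, pkt[ihl + 8:])


def five_tuple_for(identity):
    """Same identity -> same outer five-tuple; the SHA-256 mapping is an assumption."""
    h = int.from_bytes(hashlib.sha256(identity.encode()).digest()[:4], "big")
    return TUNNEL_SRC, NODE_IPS[h % len(NODE_IPS)], 1024 + h % 60000, TUNNEL_PORT, 17


class Node:
    """One service entity: classify, then forward or rate limit."""

    def __init__(self, ip, cluster):
        self.ip, self.cluster = ip, cluster
        self.used = {}                       # user ID -> (second, bytes admitted)

    def receive(self, pkt, now):
        src_ip, _, _, dport, payload = parse(pkt)
        if dport == TUNNEL_PORT:             # outer header present: sent by a peer
            return self.rate_limit(payload, now)   # payload is the original packet
        # Sent by a client: identity information is the source IP address.
        o_src, o_dst, o_sport, o_dport, _ = five_tuple_for(src_ip)
        outer = ipv4_udp(o_src, o_dst, o_sport, o_dport, pkt)
        return self.cluster[o_dst].receive(outer, now)   # stands in for the switch

    def rate_limit(self, inner, now, limit=None):
        """Admit (True) or drop (False) against a one-second byte window."""
        user = USER_OF_IP[parse(inner)[0]]   # IP address -> user ID -> threshold
        if limit is None:
            limit = LIMIT_OF_USER[user]
        second, used = self.used.get(user, (int(now), 0))
        if second != int(now):               # new window
            second, used = int(now), 0
        if used + len(inner) > limit:
            return False
        self.used[user] = (second, used + len(inner))
        return True


def simulate(arrivals, scheme):
    """Send one 1000-byte client packet to each node index in arrivals (all in
    the same second) and return the bytes admitted cluster-wide."""
    cluster = {}
    for ip in NODE_IPS:
        cluster[ip] = Node(ip, cluster)
    pkt = ipv4_udp("198.51.100.7", "203.0.113.10", 40000, 443, b"x" * 972)
    b = LIMIT_OF_USER["user-a"]
    admitted = 0
    for idx in arrivals:
        node = cluster[NODE_IPS[idx]]
        if scheme == "forward":              # method described above
            ok = node.receive(pkt, 0.0)
        elif scheme == "split":              # background type 2: B/N per node
            ok = node.rate_limit(pkt, 0.0, b // len(NODE_IPS))
        else:                                # "local": every node enforces B alone
            ok = node.rate_limit(pkt, 0.0, b)
        admitted += len(pkt) if ok else 0
    return admitted


if __name__ == "__main__":
    skewed, heavy = [0] * 8 + [1], [0, 1, 2] * 8
    for name, arrivals in (("skewed 9 kB", skewed), ("even 24 kB", heavy)):
        print(name, {s: simulate(arrivals, s) for s in ("forward", "split", "local")})
```

With skewed arrivals under the purchased limit, the B/N split drops traffic that forwarding admits; with even arrivals over the limit, independent per-node limits admit more than B while forwarding admits exactly B.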

Correspondingly, the present invention also discloses an accurate cluster rate limiting device, including: a receiving module, adapted to receive a data packet; a judging module, adapted to determine whether the data packet belongs to a client that the device is itself responsible for handling, passing control to the forwarding module if it does not and to the rate limiting module if it does; a forwarding module, adapted to forward the data packet to the service entity responsible for handling the client to which the data packet belongs; and a rate limiting module, adapted to rate limit the data packet based on the identity information of the data packet.

Preferably, the forwarding module includes: an encapsulation submodule, adapted to encapsulate, based on the identity information of the data packet, an additional protocol header around the data packet according to the rules of the network transmission protocol; and a forwarding submodule, adapted to forward the data packet with the encapsulated protocol header through a switch to the service entity responsible for handling the client to which the data packet belongs.

Preferably, the encapsulation submodule includes: a first encapsulation submodule, adapted to encapsulate, based on the identity information of the data packet, an additional IP header and UDP header around the data packet according to the rules of the network transmission protocol; or a second encapsulation submodule, adapted to encapsulate, based on the identity information of the data packet, an additional IP header and TCP header around the data packet according to the rules of the network transmission protocol.

Preferably, the first encapsulation submodule, or the second encapsulation submodule, includes: an identity information acquisition submodule, adapted to obtain the identity information corresponding to the data packet; a five-tuple selection submodule, adapted to select the same five-tuple according to the identity information, the five-tuple consisting of source IP address, destination IP address, source port, destination port and transport protocol type, where the destination IP address is the IP address of a service entity; and a first header encapsulation submodule, adapted to encapsulate, based on the five-tuple, an additional IP header and UDP header around the data packet according to the rules of the network transmission protocol; or a second header encapsulation submodule, adapted to encapsulate, based on the five-tuple, an additional IP header and TCP header around the data packet according to the rules of the network transmission protocol.

Preferably, when the identity information is an IP address, the identity information acquisition submodule includes: a first identity information acquisition submodule, adapted to parse the IP header of the data packet at the network layer to obtain the IP address.

Preferably, when the identity information is a user ID, the identity information acquisition submodule includes: an upward sending submodule, adapted to buffer the data packet at the network layer while passing the data packet up to the application layer; and a second identity information acquisition submodule, adapted to parse the data area of the data packet at the application layer to obtain the user ID of the data packet.

Preferably, the five-tuple selection submodule includes: an application-layer five-tuple selection submodule, adapted to select the same five-tuple at the application layer according to the identity information; and, after the five-tuple selection submodule, the device further includes: a sending submodule, adapted to send the five-tuple obtained at the application layer to the network layer.

Preferably, the first header encapsulation submodule includes: a first port encapsulation submodule, adapted to place the source port and destination port of the five-tuple in the UDP header outside the data packet; and an IP address encapsulation submodule, adapted to place the source IP address, destination IP address and transport protocol type of the five-tuple in the IP header outside the data packet.

Preferably, the second header encapsulation submodule includes: a second port encapsulation submodule, adapted to place the source port and destination port of the five-tuple in the TCP header outside the data packet; and an IP address encapsulation submodule, adapted to place the source IP address, destination IP address and transport protocol type of the five-tuple in the IP header outside the data packet.

Preferably, the judging module includes: a judging submodule, adapted to determine whether the data packet was forwarded by a service entity or sent by a client; if the data packet was forwarded by a service entity, confirming that the data packet belongs to a client that the device is itself responsible for handling; if the data packet was sent by a client, confirming that the data packet does not belong to a client that the device is itself responsible for handling.

Preferably, the judging submodule includes: a protocol header judging submodule, adapted to determine, for any data packet, whether a protocol header encapsulated according to the rules of the network transmission protocol exists outside the data packet; if such a protocol header exists outside the data packet, control passes to a first confirmation submodule; if no such protocol header exists outside the data packet, control passes to a second confirmation submodule.

Preferably, the rate limiting module includes: a removal submodule, adapted to remove the protocol header encapsulated outside the data packet according to the rules of the network transmission protocol; a data packet identity information acquisition submodule, adapted to obtain the identity information of the data packet; a traffic judging submodule, adapted to determine whether the traffic corresponding to the identity information exceeds a traffic threshold, passing control to the discarding submodule if it does; and a discarding submodule, adapted to discard the data packet.

Preferably, when the identity information is an IP address, the traffic judging submodule includes: a user ID lookup submodule, adapted to look up the user ID corresponding to the IP address; a traffic threshold lookup submodule, adapted to look up the traffic threshold corresponding to the user ID; and a first traffic judging submodule, adapted to calculate whether the traffic corresponding to the IP address exceeds the traffic threshold, passing control to the discarding submodule if it does.

Embodiments of the present invention have the following advantages. Without increasing system complexity, a data packet of a client that the receiving service entity is not responsible for handling is forwarded to the service entity in the same cluster that is responsible for the client to which the packet belongs. This ensures that the traffic of one client lands on one and the same service entity, which then rate limits the client's data packets based on the identity information of the packets. First, compared with the first type of scheme in the background art, embodiments of the present invention do not need a separate flow-control entity in the cluster to rate limit the service entities of the whole cluster, so the normal operation of the cluster cannot be affected by a failure of such a flow-control entity, and applicability is high. Nor is there heavy communication between a flow-control entity and the service entities to decide the rate limit issued to each service entity; there is only simple forwarding of data packets between service entities, so complexity is low.

Second, compared with the second type of scheme in the background art, in embodiments of the present invention the data packets of one client are handled by one and the same service entity, which carries out the specific business logic and decides whether to process each packet further or discard it. The traffic of each client can therefore be controlled precisely, and operability is high.

Third, compared with the third type of scheme in the background art, embodiments of the present invention improve the data packet processing flow within the cluster's existing architecture: data packets of the same client received by the various service entities are forwarded to one service entity for rate limiting. This does not increase system complexity, uses no additional hardware and adds no hardware cost. Moreover, embodiments of the present invention use only the computing capability of the cluster itself to rate limit the traffic of a client, so they apply to clusters of any size and are more widely applicable.

In short, compared with the background art, embodiments of the present invention improve the applicability, operability and accuracy of cluster rate limiting without increasing system complexity or cost.

110: Step
120: Step
130: Step
140: Step
210: Step
220: Step
230: Step
240: Step
250: Step
310: Step
320: Step
330: Step
340: Step
350: Step
360: Step
370: Step
380: Step
410: Switch
420: Service entity
421: Receiving module
422: Judging module
423: Forwarding module
424: Rate limiting module
510: Switch
520: Service entity
521: Receiving module
522: Judging module
523: Forwarding module
5231: Encapsulation submodule
52311: Second encapsulation submodule
5232: Forwarding submodule
524: Rate limiting module
610: Switch
620: Service entity
621: Receiving module
622: Judging module
6221: Judging submodule
623: Forwarding module
6231: Encapsulation submodule
62311: First encapsulation submodule
6232: Forwarding submodule
624: Rate limiting module
6241: Removal submodule
6242: Data packet identity information acquisition submodule
6243: Traffic judging submodule
6244: Discarding submodule

Figure 1 is a flow chart of the steps of an embodiment of a cluster accurate rate limiting method of the present invention;
Figure 1A is a schematic diagram of an application scenario of the present invention;
Figure 2 is a flow chart of the steps of another embodiment of a cluster accurate rate limiting method of the present invention;
Figure 3 is a flow chart of the steps of another embodiment of a cluster accurate rate limiting method of the present invention;
Figure 4 is a structural block diagram of an embodiment of a cluster accurate rate limiting device of the present invention;
Figure 5 is a structural block diagram of another embodiment of a cluster accurate rate limiting device of the present invention;
Figure 6 is a structural block diagram of another embodiment of a cluster accurate rate limiting device of the present invention.

To make the above objects, features and advantages of the present invention clearer and easier to understand, the present invention is described in further detail below with reference to the drawings and specific embodiments.

One of the core concepts of the embodiments of the present invention is a cluster accurate rate limiting method and device in which, without increasing system complexity, a service entity forwards the data packets of clients it is not itself responsible for to the service entity in the same cluster that is responsible for the client to which the packet belongs. This ensures that the traffic of a given client lands on a single service entity, which then rate-limits that client's data packets based on the identity information of the packets. Compared with the background art, this improves the applicability, operability, and accuracy of cluster rate limiting without increasing system complexity or cost.

Embodiment 1

Referring to Figure 1, a flow chart of the steps of an embodiment of a cluster accurate rate limiting method of the present invention is shown. The method may specifically include the following steps:

Step 110: receive a data packet.

Figure 1A is a schematic diagram of an application scenario of the present invention. As it shows, the cluster contains four service entities, which communicate with the outside, for example with clients, through the switches. A data packet sent by a client first passes through a switch, which then distributes it to at least one service entity for processing.

Here, a cluster is a group of service entities that work together to provide a service platform that is more scalable and more available than a single service entity. Clusters mainly include high availability clusters, load balance clusters, and scientific computing clusters (high performance computing clusters); the present invention is mainly aimed at high availability clusters and load balance clusters. A service entity is a device that can provide certain services, such as a server; in the embodiments of the present invention it can receive data packets and perform rate limiting.

On the Internet, a client interacts with a server by first sending its requests and other information to the server in the form of data packets. In the present invention, because the cluster contains multiple service entities that can provide services at the same time, data packets sent by the same client may land on multiple service entities in the cluster.

Take today's Internet as an example, which essentially uses Internet protocols such as TCP/IP. A data packet is the unit of data in TCP/IP (Transmission Control Protocol/Internet Protocol) communication and is generally called a "packet". When information is transmitted over the network, a single message is divided into multiple data blocks; these blocks are called data packets, and they contain the address information of the sender and the receiver. The packets then travel along different paths through one or more networks and are reassembled at the destination. In practice, a data packet consists mainly of two parts: a header and data.

In practice, TCP/IP is a protocol family that includes TCP (Transmission Control Protocol), IP (Internet Protocol), UDP (User Datagram Protocol), ICMP (Internet Control Message Protocol), RIP (Routing Information Protocol), SMTP (Simple Mail Transfer Protocol), SNMP (Simple Network Management Protocol), ARP (Address Resolution Protocol), FTP (File Transfer Protocol) and many other protocols. TCP/IP uses a layered structure; its layered model and protocols are shown in Table (1):

Figure 106105141-A0202-12-0015-1

Different protocol layers have different names for a data packet: it is called a segment at the transport layer, a datagram at the network layer, and a frame at the link layer.

The cluster accurate rate limiting method of the present invention rate-limits the data packets in transit, so the data packets must first be received.

Step 120: determine whether the data packet is a data packet of a client that this service entity is itself responsible for handling; if it is not, go to step 130; if it is, go to step 140.

In the embodiment of the present invention, for each service entity in the cluster, the switch may determine, according to a certain algorithm, the clients that the service entity is itself responsible for handling. That is, a given service entity in the cluster may rate-limit only the data packets sent by the clients that the algorithm assigns to it. In the embodiment of the present invention, such a specific client may be referred to as a client that it is itself responsible for handling.

Therefore, after a client's data packet is received, it must further be determined whether the packet belongs to a client that the service entity is itself responsible for handling. If it does not, then, because a service entity rate-limits only the packets sent by clients it is responsible for, the packet must be forwarded to the service entity responsible for the client to which the packet belongs. If it does, the packet can be rate-limited directly, based on the identity information of the packet.

Step 130: forward the data packet to the service entity responsible for handling the client to which the data packet belongs.

In the example scenario shown in Figure 1A, after a service entity receives a data packet sent by a client and finds that it is not itself responsible for it, it can forward the packet, through the switch, to the service entity responsible for the client to which the packet belongs. For example, service entity 1 receives a data packet whose client is handled by service entity 3. After the service entity receives the packet, it sends the packet back to switch 1, and switch 1 then sends the packet to service entity 3.

In another preferred embodiment of the present invention, step 130 includes:

Sub-step 131: based on the identity information of the data packet, encapsulate a further protocol header outside the data packet according to the rules of the network transmission protocol.

In the embodiment of the present invention, a protocol header may be encapsulated outside the data packet based on the packet's identity information, and that header is encapsulated outside the packet according to the rules of the network transmission protocol.

The identity information of the data packet may include a user ID and/or the client's IP address, among others. A network transmission protocol (communications protocol) generally refers to a network layer protocol and a transport layer protocol, for example the IP (Internet Protocol), TCP and UDP protocols shown in Table (1). In practice, a given data packet uses only one of TCP and UDP.

The main differences between TCP and UDP are as follows:
1. TCP requires a connection between the communicating parties; UDP does not.
2. TCP transmits more slowly; UDP transmits faster.
3. TCP guarantees the order of the data; UDP does not.
4. TCP guarantees the correctness of the data; UDP may lose packets.
5. TCP requires more system resources; UDP requires fewer.

It can therefore be understood that, when the present invention encapsulates a further protocol header outside the data packet according to the rules of the network transmission protocol, the header may be encapsulated according to the rules of IP plus TCP or of IP plus UDP.

In practice, when the present invention encapsulates the above protocol header, it places in the header first data, such as identity information, that indicates the client to which the data packet belongs. For a given client, the first data encapsulated in the protocol header of any of its data packets is unique and distinguishes it from other clients.

Sub-step 132: forward the data packet with the encapsulated protocol header, through the switch, to the service entity responsible for handling the client to which the data packet belongs.

In the embodiment of the present invention, the data packets sent by the same client need to be merged onto the preset service entity that corresponds to that client, where they can then be rate-limited accurately. A data packet with an encapsulated protocol header can be forwarded by the switch, according to the content of that header, to the service entity responsible for the client to which the packet belongs.

In practice, the HASH (hashing) policy of the switch can be used to forward the data packet with the encapsulated protocol header accurately to the service entity responsible for the client to which the packet belongs.

In practice, the cluster's switch hashes the above first data in the packet's protocol header and distributes the packet to the corresponding service entity according to the hash result. For example, it computes the hash value of the first data, takes the remainder of that hash value divided by the total number of service entities, and then, according to the correspondence between remainders and service entities, sends the packet to the service entity that corresponds to the remainder.

Step 140: rate-limit the data packet based on the identity information of the data packet.

In practice, the cluster has to serve multiple clients. Each client needs to be rate-limited, for reasons such as preventing one client's excessive traffic from affecting other clients or from running up high bandwidth charges for that client. In the embodiment of the present invention, once all of a client's data packets have been merged onto the service entity that corresponds to that client, a single service entity can rate-limit that client.

In practice, different traffic thresholds can first be preset for different clients. The service entity then determines whether the traffic of each data packet it receives from a client exceeds the range of the traffic threshold that corresponds to that client. If a packet's traffic exceeds that range, the packet can be discarded; if it does not, the packet is kept.
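The following simulation is an added example, not code from the patent. It runs steps 110 to 140 with the hash-and-remainder routing and the per-client traffic threshold described above, and compares the traffic admitted with and without the forwarding step. The SHA-256 hash, the one-second window, the addresses and ports, and the way an entity decides ownership (by evaluating the same hash as the switch) are assumptions.

```python
import hashlib
from collections import defaultdict

# Added illustration, not code from the patent. Hash function, addresses,
# ports and the one-second window are assumptions made for the simulation.
N_ENTITIES = 4             # the four service entities of Figure 1A
CLUSTER_VIP = "10.0.0.1"   # constructed address


def switch_pick(five_tuple, n=N_ENTITIES):
    """Switch HASH policy: hash the outermost five-tuple, take it modulo n."""
    digest = hashlib.sha256("|".join(map(str, five_tuple)).encode()).digest()
    return int.from_bytes(digest[:8], "big") % n


def outer_tuple(identity):
    """One identity always maps to one five-tuple for the outer header.
    Deriving the source port from a hash of the identity is an assumption."""
    h = int.from_bytes(hashlib.sha256(identity.encode()).digest()[:2], "big")
    return ("10.0.0.254", CLUSTER_VIP, 1024 + h % 60000, 9000, "TCP")


class Limiter:
    """Step 140: per-client byte threshold over a fixed one-second window."""

    def __init__(self, threshold):
        self.threshold = threshold
        self.used = defaultdict(int)      # (identity, second) -> bytes kept

    def admit(self, identity, size, now):
        key = (identity, int(now))
        if self.used[key] + size > self.threshold:
            return False                  # over the threshold: discard
        self.used[key] += size
        return True


class Entity:
    def __init__(self, idx, threshold):
        self.idx = idx
        self.limiter = Limiter(threshold)
        self.admitted = 0                 # bytes this entity let through

    def limit(self, pkt, now):
        if self.limiter.admit(pkt["identity"], pkt["size"], now):
            self.admitted += pkt["size"]


def run(packets, threshold, forward):
    """Return bytes admitted per entity. forward=False is the naive cluster
    in which every entity applies the client's threshold on its own."""
    entities = [Entity(i, threshold) for i in range(N_ENTITIES)]
    for now, pkt in packets:
        first = entities[switch_pick(pkt["tuple"])]           # step 110
        if not forward:
            first.limit(pkt, now)
            continue
        outer = outer_tuple(pkt["identity"])
        if switch_pick(outer) == first.idx:                   # step 120
            first.limit(pkt, now)                             # step 140
        else:
            wrapped = {"outer": outer, "inner": pkt}          # sub-step 131
            owner = entities[switch_pick(wrapped["outer"])]   # sub-step 132
            owner.limit(wrapped["inner"], now)                # step 140
    return [e.admitted for e in entities]


def sample_traffic(identity="user-42", count=40, size=1000):
    """Constructed input: one client, 40 connections inside the same second."""
    return [(i / 100.0,
             {"identity": identity, "size": size,
              "tuple": ("198.51.100.7", CLUSTER_VIP, 40000 + i, 443, "TCP")})
            for i in range(count)]


if __name__ == "__main__":
    traffic = sample_traffic()
    print("naive per-entity limit:", run(traffic, 10_000, forward=False))
    print("forward to owner      :", run(traffic, 10_000, forward=True))
```

With the constructed traffic, the naive cluster admits more than the 10,000-byte threshold because each entity counts only its own share, while the forwarding variant admits exactly 10,000 bytes, all on one entity.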

In the embodiment of the present invention, without increasing system complexity, a service entity forwards the data packets of clients it is not itself responsible for to the service entity in the same cluster that is responsible for the client to which the packet belongs. This ensures that the traffic of a given client lands on a single service entity, which then rate-limits that client's data packets based on the identity information of the packets. The present invention therefore has the following advantages.

First, compared with the first type of solution in the background art, the embodiment of the present invention does not need a separate flow control entity in the cluster to rate-limit the service entities of the whole cluster, so the normal operation of the whole cluster cannot be affected by a failure of such a flow control entity, and applicability is strong. Nor is there a large amount of communication between a flow control entity and the service entities to decide the rate limit issued to each service entity; there is only simple forwarding of data packets between service entities, so complexity is low.

Second, compared with the second type of solution in the background art, in the embodiment of the present invention the data packets of a given client are handled by a single service entity, which performs the specific business logic on them and decides whether to process them further or discard them. The traffic of each client can therefore be controlled precisely, and operability is high.

Third, compared with the third type of solution in the background art, the embodiment of the present invention improves the packet-processing flow within the cluster's existing architecture: data packets of the same client received by the various service entities are forwarded to a single service entity for rate limiting. This does not increase system complexity, uses no additional hardware facilities, and adds no hardware cost. Moreover, the embodiment uses only the cluster's own computing capability to rate-limit the traffic of a given client, so it can be applied to clusters of any size and has wider applicability.

In short, compared with the three types of cluster rate limiting solutions in the background art, the applicability, operability, and accuracy of cluster rate limiting are improved without increasing system complexity or cost.

Embodiment 2

Referring to Figure 2, a flow chart of the steps of an embodiment of a cluster accurate rate limiting method of the present invention is shown. The method may specifically include the following steps:

Step 210: receive a data packet.

Step 220: determine whether the data packet is a data packet of a client that this service entity is itself responsible for handling; if it is not, go to step 230; if it is, go to step 250.

Step 230: based on the identity information of the data packet, encapsulate a further layer of IP header and TCP header outside the data packet according to the rules of the network transmission protocol.

Given the advantages of TCP described above, and to ensure the correctness of the data while the packet is being forwarded, in the embodiment of the present invention a further layer of IP header and TCP header may be encapsulated outside the data packet, based on the packet's identity information and according to the rules of the network transmission protocol: a TCP header is encapsulated according to the TCP protocol, and then an IP header is encapsulated according to the IP protocol.

TCP is a connection-oriented transport protocol, so connections must be established between the clients and service entities that need to communicate, and between different service entities. TCP establishes a connection with a "three-way handshake". Taking a client and a service entity as an example, the specific steps are as follows:
First handshake: to establish the connection, the client sends a SYN packet (syn=j) to the service entity and enters the SYN_SEND state, waiting for the service entity's acknowledgment.
Second handshake: the service entity receives the SYN packet and must acknowledge the client's SYN (ack=j+1); at the same time it sends a SYN packet of its own (syn=k), that is, a SYN+ACK packet, and the service entity enters the SYN_RECV state.
Third handshake: the client receives the service entity's SYN+ACK packet and sends an acknowledgment packet ACK (ack=k+1) to the service entity. Once this packet has been sent, the client and the service entity enter the ESTABLISHED state and the three-way handshake is complete.

After the three-way handshake is complete, the client and the service entity can start to transmit data.

The data format of the TCP header is shown in Table (2):

Figure 106105141-A0202-12-0022-2

In the table:

Sequence number: the TCP sequence number, that is, the sequence number of the first byte of the data sent in this segment.

Acknowledgment number: the sequence number of the first byte of the data that is expected from the other party next.

Data offset: indicates the distance from the start of the TCP segment to the start of its data, which is in effect the length of the TCP header. Note that the unit of the data offset is not a byte but 32 bits, i.e. 4 bytes. The maximum length of the TCP header is (2^4-1)*4 = 60 bytes.

Reserved: reserved for future use; currently always set to 0.

Code bits:

1. URG: urgent bit. URG=1 indicates that the urgent pointer field is valid. The segment should be transmitted as soon as possible rather than in the original queue order.

2. ACK: acknowledgment bit. The acknowledgment number field is valid only when ACK=1; ACK=0 indicates that the acknowledgment number is invalid.

3. PSH: push bit. The data is delivered to the other party and handed to the upper layer immediately, rather than after the buffer has filled.

4. RST: reset bit. A serious error has occurred in the TCP connection, which must be released immediately and re-established. It is also used to reject an illegal segment or to refuse to open a connection.

5. SYN: synchronization bit. Used to synchronize sequence numbers when a connection is established. SYN=1 with ACK=0 indicates a connection request segment. If the other party agrees to establish the connection, it should use SYN=1 and ACK=1 in the response segment. SYN=1 therefore indicates a connection request or a connection acceptance.

6. FIN: finish bit. Used to release a connection. FIN=1 indicates that the data has been sent and that release of the connection is requested.

Window: the receiver announces its receiving capability, that is, the size of its receive window, and the sender sends data according to this size.

Checksum: the check covers both the header and the data. When the checksum is computed, a 12-byte pseudo header is added in front of the TCP segment.

Urgent pointer: a valid field only when the URG code bit is set. When valid, this value gives the offset in octets from the current sequence number, that is, the starting position of the first non-urgent data.

In another preferred embodiment of the present invention, step 230 includes:

Sub-step 231: obtain the identity information corresponding to the data packet.

Sub-step 232: according to the identity information, select the same five-tuple. The five-tuple includes: source IP address, destination IP address, source port, destination port, and transport protocol type. The destination IP address is the IP address corresponding to a service entity.

Sub-step 233: based on the five-tuple, encapsulate a further layer of IP header and TCP header outside the data packet according to the rules of the network transmission protocol.

If a further layer of IP header and TCP header is to be encapsulated outside the data packet, the transport protocol type in the five-tuple is TCP; that is, the IP header and TCP header are encapsulated outside the data packet according to the rules of the TCP protocol. From the IP header structure and the TCP header structure shown in Table (2) and Table (4) respectively, it follows that in practice the source IP address, destination IP address and transport protocol type in the five-tuple correspond one-to-one to the source address, destination address and protocol fields of the IP header, and the source port and destination port in the five-tuple correspond one-to-one to the source port number and destination port number fields of the TCP header. The embodiment of the present invention does not limit the content of the other parts of the IP header and the TCP header.

In another preferred embodiment of the present invention, step 233 includes:

Sub-step 2331: encapsulate the source port and destination port of the five-tuple into the TCP header outside the data packet.

Specifically, the source port and destination port of the five-tuple are placed in the source port number and destination port number fields of the TCP header outside the data packet. For the other parts of the TCP header, any data valid for a TCP header may be used; the embodiment of the present invention does not limit this.

Sub-step 2332: encapsulate the source IP address, destination IP address and transport protocol type of the five-tuple into the IP header outside the data packet.

Step 240: forward the data packet with the encapsulated protocol header, through the switch, to the service entity responsible for handling the client to which the data packet belongs.

Step 250: rate-limit the data packet based on the identity information of the data packet.
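Sub-steps 2331 and 2332 at the byte level, as an added example that is not code from the patent: the five-tuple is written into an outer IPv4 header and TCP header, the TCP checksum is computed over the 12-byte pseudo header described above, and the receiving side validates and strips the outer headers. The sequence number, flags, window, TTL and sample addresses are assumed values for the header fields the text leaves open.

```python
import socket
import struct

# Added illustration, not code from the patent. Field values the text leaves
# open (sequence number, flags, window, TTL) are assumptions.


def checksum16(data: bytes) -> int:
    """Internet checksum: one's-complement sum of 16-bit words, inverted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def encapsulate(inner: bytes, five_tuple, seq: int = 0) -> bytes:
    """Wrap `inner` in an outer IPv4 + TCP header built from the five-tuple."""
    src_ip, dst_ip, src_port, dst_port, proto = five_tuple
    if proto != socket.IPPROTO_TCP:
        raise ValueError("this embodiment uses TCP as the transport type")
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    # Sub-step 2331: ports go into the TCP header. Data offset 5 words
    # (20 bytes), flags PSH|ACK and window 65535 are assumed values.
    offset_flags = (5 << 12) | 0x018
    tcp = struct.pack("!HHIIHHHH", src_port, dst_port, seq, 0,
                      offset_flags, 65535, 0, 0)
    # The checksum covers a 12-byte pseudo header, the TCP header and data.
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(tcp) + len(inner))
    tcp = (tcp[:16] + struct.pack("!H", checksum16(pseudo + tcp + inner))
           + tcp[18:])
    # Sub-step 2332: addresses and protocol type go into the IP header.
    total_len = 20 + len(tcp) + len(inner)
    if total_len > 0xFFFF:
        raise ValueError("inner packet too large for one IPv4 datagram")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64,
                     proto, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum16(ip)) + ip[12:]
    return ip + tcp + inner


def decapsulate(packet: bytes):
    """Owning entity: validate the outer headers, return (five_tuple, inner)."""
    if len(packet) < 40:
        raise ValueError("shorter than an IP header plus a TCP header")
    (ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or not ihl + 20 <= total_len <= len(packet):
        raise ValueError("malformed outer IP header")
    if proto != socket.IPPROTO_TCP or checksum16(packet[:ihl]) != 0:
        raise ValueError("outer IP header is not valid TCP-in-IP")
    segment = packet[ihl:total_len]
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(segment))
    if checksum16(pseudo + segment) != 0:
        raise ValueError("TCP checksum mismatch")
    src_port, dst_port = struct.unpack("!HH", segment[:4])
    data_offset = (segment[12] >> 4) * 4    # unit is 4 bytes, at most 60
    if not 20 <= data_offset <= len(segment):
        raise ValueError("bad TCP data offset")
    return ((socket.inet_ntoa(src), socket.inet_ntoa(dst),
             src_port, dst_port, proto), segment[data_offset:])


if __name__ == "__main__":
    ft = ("10.0.0.254", "10.0.0.1", 40321, 9000, socket.IPPROTO_TCP)
    wrapped = encapsulate(b"constructed inner packet", ft)   # constructed
    print(decapsulate(wrapped))
```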

In this embodiment of the present invention too, without increasing system complexity, a service entity forwards the data packets of clients it is not itself responsible for to the service entity in the same cluster that is responsible for the client to which the packet belongs. This ensures that the traffic of a given client lands on a single service entity, which then rate-limits that client's data packets based on the identity information of the packets. Compared with the three existing types of cluster rate limiting solutions, this improves the applicability, operability, and accuracy of cluster rate limiting without increasing system complexity or cost.

In addition, in the embodiment of the present invention, a layer of IP header and TCP header is encapsulated outside the data packet that the service entity receives from the client, and the encapsulated packet is then forwarded to the service entity responsible for the client to which the packet belongs. Compared with UDP, the embodiment of the present invention requires connections to be established between the entities, which further ensures the accuracy of the data in the packet, so that the packet is accurately forwarded to the corresponding service entity, further improving the accuracy of cluster rate limiting.

Embodiment 3

Referring to FIG. 3, a flow chart of the steps of another embodiment of the cluster accurate rate limiting method of the present invention is shown, which may specifically include the following steps:

Step 310: receive a data packet.

Step 320: determine whether the data packet is a data packet forwarded by a service entity or a data packet sent by a client; if the data packet is a data packet forwarded by a service entity, confirm that the data packet is not a data packet of a client that the entity itself is responsible for, and proceed to step 330; if the data packet is a data packet sent by a client, confirm that the data packet is a data packet of a client that the entity itself is responsible for, and proceed to step 350.

As can be seen from Embodiment 1, in practical applications, if the data packet received by a service entity is a data packet from a client, the data packet is forwarded to the service entity responsible for handling the client to which the data packet belongs; moreover, before forwarding, the service entity cannot confirm whether the data packet it received from the client was sent by a client that it is itself responsible for. In addition, generally speaking, a single forwarding is enough to deliver the data packet to the service entity responsible for handling the client to which the data packet belongs.

In this embodiment of the present invention, confirming that a data packet is not a data packet of a client handled by the service entity that received it indicates that the service entity needs to forward the received data packet, so that it reaches the service entity responsible for handling the client to which the data packet belongs.

In this embodiment of the present invention, confirming that a data packet is a data packet of a client handled by a service entity itself indicates that the service entity does not need to forward the data packet again.

Therefore, in this embodiment of the present invention, if the data packet received by a service entity is a data packet forwarded by a service entity, it can be confirmed that the data packet is a data packet of a client that the entity itself is responsible for; if the data packet received by the service entity is a data packet sent by a client, it can by default be assumed that the data packet is not a data packet of a client that the service entity itself is responsible for. This step is a preferred implementation of step 120 in Embodiment 1. It should be noted that, in this embodiment of the present invention, the data packet received by a service entity may be a data packet that it forwarded itself.

For example, service entity A receives two data packets, data packet a and data packet b, where data packet a was forwarded by service entity B and data packet b was sent by client C. After the above steps, it can be directly confirmed that data packet a is a data packet of a client that service entity A is responsible for, while data packet b is not a data packet of a client that service entity A is responsible for. Moreover, before service entity A forwards data packet b, it cannot confirm whether client C, to which data packet b belongs, is a client that service entity A is responsible for. In addition, service entity A and service entity B may be the same service entity.

In another preferred embodiment of the present invention, step 320 includes:

Sub-step 321: for any data packet, determine whether a protocol header encapsulated according to the rules of the network transmission protocol exists outside the data packet; if such a protocol header exists outside the data packet, confirm that the data packet is a data packet of a client that the entity itself is responsible for, and proceed to step 350; if no such protocol header exists outside the data packet, confirm that the data packet is not a data packet of a client that the entity itself is responsible for, and proceed to step 330.

According to Embodiment 1, in this embodiment of the present invention, if a service entity is to forward a received data packet, it must first encapsulate a protocol header outside the data packet according to the rules of the network transmission protocol; if the service entity does not forward the received data packet, no such protocol header needs to be encapsulated outside the data packet.

Therefore, in this embodiment of the present invention, for any data packet received by a service entity, it is determined whether a protocol header encapsulated according to the rules of the network transmission protocol exists outside the data packet. If such a protocol header exists outside the data packet, the data packet received by the service entity is a data packet forwarded by a service entity, so it can be confirmed that the data packet is a data packet of a client that the service entity itself is responsible for. If no such protocol header exists outside the data packet, the data packet received by the service entity was sent by a client, so it can be confirmed that the data packet is not a data packet of a client that the entity itself is responsible for.

Step 330: based on the identity information of the data packet, encapsulate a further layer of IP header and UDP header outside the data packet according to the rules of the network transmission protocol.

As described above, to forward a received data packet, a protocol header must first be encapsulated outside the data packet, based on the identity information of the data packet and according to the rules of the network transmission protocol.

UDP is a connectionless datagram service. The source service entity does not need to establish a connection with the target service entity before transmitting data. The data is prefixed with UDP header fields such as the source and destination port numbers and sent directly to the destination service entity. The reliability of each data segment is then guaranteed by the upper-layer protocol. When little data, or small data, is transmitted, UDP is more efficient than TCP. Considering that the UDP protocol does not require a connection to be established between the communicating service entities, in this embodiment of the present invention a further layer of IP header and UDP header is encapsulated outside the data packet, based on the identity information of the data packet and according to the rules of the network transmission protocol, which avoids the process of establishing connections between the service entities. In this embodiment of the present invention, encapsulating a further layer of IP header and UDP header outside the data packet according to the rules of the network transmission protocol does not affect the data packet itself.

In practical applications, the format of the IP header is shown in Table (3):

Figure 106105141-A0202-12-0029-3

Version field: 4 bits. Indicates the version number of the IP protocol implementation; currently this is generally IPv4, i.e. 0100.

Header length (Internet Header Length, IHL) field: 4 bits. It is the number of 32-bit words occupied by the header, including options. For an ordinary IP datagram (without any options) the value of this field is 5, i.e. 160 bits = 20 bytes. The maximum value of this field is 60 bytes.

Type of Service (TOS) field: 8 bits. The first 3 bits are the precedence subfield (Precedence, now ignored). The 8th bit is reserved and unused. The 4th to 7th bits represent delay, throughput, reliability and cost respectively; when set to 1 they request minimum delay, maximum throughput, maximum reliability and minimum cost respectively. Only one of these 4 service-type bits may be set to 1. All four may be 0, which indicates general service. The Type of Service field declares how the datagram may be handled when it is transmitted by the network. For example, the TELNET protocol may require minimum delay, the FTP protocol (data) may require maximum throughput, the SNMP protocol may require maximum reliability, NNTP (Network News Transfer Protocol) may require minimum cost, and the ICMP protocol may have no special requirement (all 4 bits are 0). In practice most hosts ignore this field, but some dynamic routing protocols such as OSPF (Open Shortest Path First Protocol) and IS-IS (Intermediate System to Intermediate System Protocol) can make routing decisions based on the values of these fields.

Total length field: 16 bits. Specifies the length of the entire datagram (in bytes). The maximum length is 65535 bytes.

Identification field: 16 bits. Uniquely identifies each datagram sent by the host. Its value is usually incremented by 1 for each datagram sent.

Flags field: 3 bits. Indicates whether a datagram requires fragmentation.

Fragment offset field: 13 bits. If a datagram requires fragmentation, this field indicates the offset of the fragment from the start of the original datagram.

Time to Live (TTL) field: 8 bits. Sets the maximum number of routers the datagram may pass through. It is set by the source host that sends the data, usually to 32, 64, 128 and so on. Each router the datagram passes through decrements the value by 1, and the datagram is discarded when the value reaches 0.

Protocol field: 8 bits. Specifies the type of upper-layer protocol encapsulated by the IP layer, such as ICMP (1), IGMP (2), TCP (6), UDP (17) and so on.

Header checksum field: 16 bits. Its content is a checksum computed over the IP header. The calculation is a one's complement sum over each 16 bits of the header. (Unlike ICMP, IGMP, TCP and UDP, IP does not checksum the data that follows the header.)

Source IP address and destination IP address fields: 32 bits each. They indicate the address of the source host that sends the IP datagram and the address of the destination host that receives it.

Options field: 32 bits. Defines optional items such as record route and timestamp. These options are rarely used, and not all hosts and routers support them. The length of the options field must be an integer multiple of 32 bits; if it is shorter, it must be padded with 0 to meet this length requirement.

The UDP header format is shown in Table (4):

Figure 106105141-A0202-12-0032-4

Source and destination port number fields: 16 bits each. They identify the application processes at the source and destination ends.

Length: 16 bits. Indicates the length of the UDP header and the UDP data.

Checksum: 16 bits. Used to check the UDP header and the UDP data.

In another preferred embodiment of the present invention, step 330 includes:

Sub-step 331: obtain the identity information corresponding to the data packet.

As described in step 330, before the data packet is encapsulated, the identity information corresponding to the data packet must first be obtained. Generally, the identity information corresponding to a data packet can be an IP address, such as the IP address of the client that sent the data packet, or a user ID, such as the ID of the user who sent the data packet. Of course, the user identity can also be other available information, which this embodiment of the present invention does not limit.

In another preferred embodiment of the present invention, when the identity information is an IP address, sub-step 351 includes:

Sub-step 3311: parse the IP header of the data packet at the network layer to obtain the IP address.

This applies if the identity information to be obtained is an IP address, for example the IP address of the client that sent the data packet. As shown in Table (1), the network layer of the TCP/IP protocol suite supports the IP protocol, so in this embodiment of the present invention the IP header of the data packet is parsed at the network layer to obtain the required IP address. The IP header of the data packet here is the data packet's own IP header and is unrelated to the IP header encapsulated outside the data packet; the structure of the data packet's own IP header is, however, also as shown in Table (3), and its source address is the IP address to be obtained in this embodiment. For the specific parsing process, any available parsing method in the prior art can be used, which this embodiment of the present invention does not limit.

In another preferred embodiment of the present invention, when the identity information is a user ID, sub-step 331 includes:

Sub-step 3312: temporarily store the data packet at the network layer and, at the same time, send the data packet up to the application layer.

If the identity information to be obtained is a user ID, for example the ID of the user who sent the data packet, information such as the user ID can only be obtained at the application layer. In this embodiment of the present invention the data packet is therefore temporarily stored in network-layer memory and, at the same time, sent up to the application layer. In this embodiment the network-layer IP packet is passed up to the transport layer; after the transport layer parses the TCP header or UDP header, it passes the content of the data area up to the application layer, which parses the content of the data area.

Sub-step 3313: parse the data area of the data packet at the application layer to obtain the user ID of the data packet.

In practical applications, information such as the user ID is stored in the data area of the data packet. After the data packet is sent to the application layer, its data area can be parsed there to obtain the user ID of the data packet. Again, any available parsing method in the prior art can be used for the specific parsing process, which this embodiment of the present invention does not limit either.

Sub-step 332: select the same five-tuple according to the identity information; the five-tuple includes the source IP address, destination IP address, source port, destination port and transmission protocol type; the destination IP address is the IP address corresponding to the service entity.

In practical applications, a five-tuple can distinguish different communications, and the communication corresponding to it is unique. Therefore, in this embodiment of the present invention, the same five-tuple is always selected for a given identity information, so that the five-tuple can completely distinguish the user terminals corresponding to different identity information.

In this embodiment of the present invention, the source IP address in the five-tuple is the IP address of the user end, the destination IP address is the IP address corresponding to the service entity, the source port is the port from which the user terminal sends the data packet, the destination port is the port on which the service entity receives the data packet, and the transmission protocol type is the specific protocol type used to send the data packet.

The source port may use the unique identification ID of the client's port. Alternatively, because the client's IP address is unique, the last 2 bytes of the client IP address can be used as the source port; other available ways of identifying the source port may of course also be used, which this embodiment of the present invention does not limit. For the destination port, a fixed port is used to uniquely mark the destination port of data packets for the same cluster. In this embodiment of the present invention, the transmission protocol type is related to the type of header encapsulated outside the data packet: for example, if the transmission protocol type is UDP, a further layer of IP header and UDP header is encapsulated outside the data packet; if the transmission protocol type is TCP, a further layer of IP header and TCP header is encapsulated outside the data packet.

It should be noted that this embodiment of the present invention addresses a cluster composed of a group of cooperating service entities, and that in practical applications the unified service address that the cluster's service entities expose externally is a virtual IP address, also called the cluster VIP (Virtual IP) address. Clients obtain the functions of the service entities inside the cluster by accessing the cluster VIP address. The destination IP address above is therefore the cluster VIP address, and for service entities in the same cluster the destination IP address in the five-tuple is the same.

Sub-step 333: based on the five-tuple, encapsulate a further layer of IP header and UDP header outside the data packet according to the rules of the network transmission protocol.

To encapsulate a further layer of IP header and UDP header outside the data packet, the transmission protocol type in the five-tuple is UDP, that is, the IP header and UDP header are encapsulated outside the data packet according to the rules of the UDP protocol. From the IP header structure and UDP header structure shown in Table (3) and Table (4) respectively, it follows that in practical applications the source IP address, destination IP address and transmission protocol type in the five-tuple correspond one-to-one to the source address, destination address and protocol in the IP header, and the source port and destination port in the five-tuple correspond one-to-one to the source port number and destination port number in the UDP header. This embodiment of the present invention does not limit the content of the other parts of the IP header and the UDP header.

In another preferred embodiment of the present invention, step 333 includes:

Sub-step A3331: send the five-tuple obtained at the application layer to the network layer.

Because the operation of encapsulating the data packet must be performed at the network layer, in this embodiment of the present invention the five-tuple obtained at the application layer must be sent to the network layer. As described above, a five-tuple derived from user ID information may have been obtained at the application layer, in which case it must be sent to the network layer; a five-tuple derived from the IP address may have been obtained at the network layer, in which case the sending in this step is not needed. Of course, whatever type of user information the five-tuple is derived from, as long as the five-tuple obtained is not at the network layer, it must be sent to the network layer.

Sub-step A3332: at the network layer, based on the five-tuple, encapsulate a further layer of IP header and UDP header outside the data packet according to the rules of the network transmission protocol.

Specifically, in this embodiment of the present invention, the network layer, based on the five-tuple, encapsulates a layer of UDP header outside the data packet according to the rules of the UDP protocol, and then encapsulates a layer of IP header according to the UDP protocol.

Of course, in this embodiment of the present invention it is also possible, at the network layer and based on the five-tuple, to encapsulate a further layer of IP header and TCP header outside the data packet according to the rules of the network transmission protocol; the principle is basically similar.

In another preferred embodiment of the present invention, step 333 includes:

Sub-step B3331: encapsulate the source port and destination port of the five-tuple into the UDP header outside the data packet.

Specifically, the source port and destination port of the five-tuple are encapsulated into the source port number and destination port number, respectively, of the UDP header outside the data packet. For the other parts of the UDP header, any data applicable to a UDP header can be used, which this embodiment of the present invention does not limit.

Sub-step B3332: encapsulate the source IP address, destination IP address and transmission protocol type of the five-tuple into the IP header outside the data packet.

Specifically, the source IP address, destination IP address and transmission protocol type of the five-tuple are encapsulated into the source port number, destination port number and protocol, respectively, of the IP header outside the data packet. For the other parts of the IP header, any data applicable to an IP header can be used, which this embodiment of the present invention does not limit either.

In another preferred embodiment of the present invention, sub-step 332 includes:

Sub-step 3321: at the application layer, select the same five-tuple according to the identity information.

In practical applications, the information contained in the five-tuple exists at the application layer, so the same five-tuple can be selected at the application layer according to the identity information.

After sub-step 332, the method then further includes:

Sub-step 334: send the five-tuple obtained at the application layer to the network layer.

Because the actual encapsulation of the data packet according to the five-tuple is performed at the network layer, the five-tuple obtained at the application layer must be sent to the network layer. This step is performed before sub-step 353.

Step 340: forward the data packet encapsulated with the protocol header, through the switch, to the service entity responsible for handling the client to which the data packet belongs.

From the foregoing steps, in this embodiment of the present invention the five-tuple for data packets of the same client is the same. In addition, because the IP address of a given client is unique and the IP addresses of different clients differ, the five-tuples for data packets of different clients are different.

In this embodiment of the present invention, the service entities responsible for handling different clients can be preset according to the five-tuple. In practical applications, the HASH policy of the switch can be used to ensure that data packets with the same five-tuple are sent to the service entity corresponding to that five-tuple.

Step 350: remove the protocol header encapsulated outside the data packet according to the rules of the network transmission protocol.

In this embodiment of the present invention, this means removing the IP header and UDP header encapsulated outside the data packet; of course, if the protocol header encapsulated outside the data packet is an IP header and a TCP header, then what is removed is the IP header and TCP header encapsulated outside the data packet.

In addition, in this embodiment of the present invention, any existing decapsulation method can be used to remove the protocol header encapsulated outside the data packet according to the rules of the network transmission protocol, which the present invention does not limit.
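Steps 330 to 350 for the case where the identity information is the client IP address, as an added Python example that is not code from the patent: it reads the inner source address, derives the five-tuple (source port taken from the last 2 bytes of the client IP), wraps the packet in an outer IP and UDP header, picks the service entity, and removes the outer headers again. The cluster VIP `192.0.2.10`, the fixed port `40000`, the entity names, the CRC32 stand-in for the switch's HASH policy and the rule that recognises a forwarded packet by its outer header are assumptions.

```python
import ipaddress
import struct
import zlib

CLUSTER_VIP = "192.0.2.10"   # assumed cluster VIP (documentation address range)
CLUSTER_PORT = 40000         # assumed fixed destination port, reserved for forwarding
UDP, TCP = 17, 6             # IP protocol numbers named on the page


def ip_checksum(header: bytes) -> int:
    """Complement of the one's complement sum of the 16-bit header words."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """20-byte IPv4 header without options: version 4, IHL 5, TTL 64."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                         proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]


def inner_source_ip(packet: bytes) -> str:
    """Sub-step 3311: read the source address from the packet's own IP header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return str(ipaddress.IPv4Address(packet[12:16]))


def five_tuple_for(client_ip: str) -> tuple:
    """Sub-step 332: the same identity always yields the same five-tuple."""
    src_port = int.from_bytes(ipaddress.IPv4Address(client_ip).packed[2:], "big")
    return (client_ip, CLUSTER_VIP, src_port, CLUSTER_PORT, UDP)


def encapsulate(inner: bytes) -> bytes:
    """Sub-step 333: prepend outer IP and UDP headers; the inner packet is untouched."""
    if len(inner) + 28 > 0xFFFF:
        raise ValueError("inner packet too large for one outer datagram")
    src, dst, sport, dport, proto = five_tuple_for(inner_source_ip(inner))
    # UDP checksum 0 means "not computed", which IPv4 permits.
    udp = struct.pack("!HHHH", sport, dport, 8 + len(inner), 0)
    return build_ipv4_header(src, dst, proto, len(udp) + len(inner)) + udp + inner


def decapsulate(packet: bytes):
    """Sub-step 321 and step 350: return the inner packet, or None for a client packet.

    Assumption: a packet counts as forwarded when its outer header is UDP to
    CLUSTER_VIP:CLUSTER_PORT, and that port is not reachable by clients.
    """
    if len(packet) < 28 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 8 or packet[9] != UDP:
        return None
    if packet[16:20] != ipaddress.IPv4Address(CLUSTER_VIP).packed:
        return None
    _, dport, udp_len, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if dport != CLUSTER_PORT or udp_len != len(packet) - ihl:
        return None
    return packet[ihl + 8:]


def pick_entity(five_tuple: tuple, entities: list) -> str:
    """Step 340: stand-in for the switch HASH policy (real switches use their own hash)."""
    src, dst, sport, dport, proto = five_tuple
    key = (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
           + struct.pack("!HHB", sport, dport, proto))
    return entities[zlib.crc32(key) % len(entities)]


# Constructed sample: client 198.51.100.7 sends a TCP segment (zeroed 20-byte
# TCP header as a placeholder, then application data) to the cluster VIP.
SAMPLE_PAYLOAD = b"\x00" * 20 + b"GET / HTTP/1.1\r\n\r\n"
SAMPLE_INNER = build_ipv4_header("198.51.100.7", CLUSTER_VIP, TCP,
                                 len(SAMPLE_PAYLOAD)) + SAMPLE_PAYLOAD
ENTITIES = ["entity-A", "entity-B", "entity-C"]   # hypothetical cluster members

if __name__ == "__main__":
    outer = encapsulate(SAMPLE_INNER)
    print("five-tuple:", five_tuple_for(inner_source_ip(SAMPLE_INNER)))
    print("handled by:", pick_entity(five_tuple_for("198.51.100.7"), ENTITIES))
    print("inner intact after decapsulation:", decapsulate(outer) == SAMPLE_INNER)
```

Because the outer source address is the client's own address, the outer header alone does not show which peer forwarded a packet; the example relies on the assumed reserved port for that.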

Step 360: obtain the identity information of the data packet.

This step is similar to sub-step 331 described above and is not repeated here.

Step 370: determine whether the traffic corresponding to the identity information exceeds the traffic threshold; if the traffic corresponding to the identity information exceeds the traffic threshold, proceed to step 380; if the traffic corresponding to the identity information exceeds the traffic threshold, retain the data packet corresponding to the identity information.

The traffic threshold can be preset according to the actual situation, which this embodiment of the present invention does not limit. The traffic corresponding to the identity information is the traffic of the data packets corresponding to that identity information, that is, the traffic of the data packets of the client corresponding to the identity information. If the traffic corresponding to the identity information exceeds the traffic threshold, the data packet corresponding to the identity information is discarded; if the traffic corresponding to the identity information does not exceed the traffic threshold, the data packet corresponding to the identity information is retained.

For example, if the bandwidth purchased by user A is 50M/s, the traffic threshold is 50M/s. After the terminal device corresponding to user A receives the current data packet, it calculates, from the records of data packets received in the 1 second up to the current moment, whether user A's traffic rate is greater than 50M/s; if it is, the data packet is discarded, and if it is not, the data packet is retained.

In another preferred embodiment of the present invention, when the identity information is an IP address, step 370 includes:

Sub-step 371: look up the user ID corresponding to the IP address.

In practical applications, the traffic threshold generally corresponds to a user ID, so in this embodiment of the present invention the user ID is looked up from the IP address. The correspondence between IP addresses and user IDs is preset; it can be placed in a configuration file in advance or stored in some other way, and this embodiment of the present invention does not limit this.

Sub-step 372: look up the corresponding traffic threshold according to the user ID.

The correspondence between user IDs and traffic thresholds is preset; it can be stored in a configuration file in advance or stored in some other way, and this embodiment of the present invention does not limit this.

In addition, in this embodiment of the present invention, the correspondence between the user and the traffic threshold and the above correspondence between the IP address and the user ID can be stored in the same configuration file, in different configuration files, or by different storage methods; this embodiment of the present invention does not limit this either.

Sub-step 373: calculate whether the traffic corresponding to the IP address exceeds the traffic threshold; if the traffic corresponding to the IP address exceeds the traffic threshold, go to step 3110.

Here, the traffic corresponding to the IP address is the traffic of the data packets corresponding to the IP address, that is, the traffic of the data packets of the client corresponding to the IP address.

Step 380: discard the data packet.

If the traffic of the data packet exceeds the corresponding traffic threshold, the data packet is removed from the client's traffic, to ensure that the client's network speed stays within the traffic threshold.
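The decision in steps 370 to 380, including sub-steps 371 to 373, can be sketched as follows. This is an added example, not code from the patent: the class and function names, the sample addresses and thresholds, the treatment of "M/s" as a byte count per second, counting only retained packets toward the window, and discarding packets from unconfigured addresses are all assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 1.0  # the "1 second before the current moment" of packet records

# Constructed sample configuration (assumed values, not from the patent).
IP_TO_USER = {"203.0.113.10": "userA", "198.51.100.7": "userB"}
USER_THRESHOLD = {"userA": 50_000_000, "userB": 1_000}  # bytes per second (assumed unit)


class ClusterRateLimiter:
    """Keep or discard each packet based on the last second of traffic per IP."""

    def __init__(self, ip_to_user, user_threshold):
        self.ip_to_user = ip_to_user
        self.user_threshold = user_threshold
        self.records = defaultdict(deque)     # ip -> (timestamp, size) of retained packets
        self.window_bytes = defaultdict(int)  # ip -> bytes currently inside the window

    def allow(self, src_ip, size, now):
        """Return True to retain the packet, False to discard it (step 380)."""
        user_id = self.ip_to_user.get(src_ip)        # sub-step 371
        threshold = self.user_threshold.get(user_id)  # sub-step 372
        if threshold is None:
            # Assumption: an address with no configured user or threshold is discarded.
            return False
        # Expire records that have left the one-second window.
        queue = self.records[src_ip]
        while queue and queue[0][0] <= now - WINDOW_SECONDS:
            _, old_size = queue.popleft()
            self.window_bytes[src_ip] -= old_size
        # Sub-step 373: would this packet push the IP's traffic over the threshold?
        if self.window_bytes[src_ip] + size > threshold:
            return False
        # Assumption: only retained packets are recorded, so a client that backs
        # off after an overload recovers within one window.
        queue.append((now, size))
        self.window_bytes[src_ip] += size
        return True


def replay(limiter, packets):
    """Run (src_ip, size_bytes, timestamp) tuples through the limiter in order."""
    return [limiter.allow(ip, size, ts) for ip, size, ts in packets]


if __name__ == "__main__":
    # Constructed packet trace: userB is limited to 1000 bytes per second.
    trace = [("198.51.100.7", 600, 0.0), ("198.51.100.7", 600, 0.5),
             ("198.51.100.7", 400, 0.6), ("198.51.100.7", 600, 1.1)]
    print(replay(ClusterRateLimiter(IP_TO_USER, USER_THRESHOLD), trace))
```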

In this embodiment of the present invention, likewise without increasing system complexity, a data packet from a client that the receiving service entity is not responsible for is forwarded to the service entity in the same cluster that is responsible for that client. This guarantees that the traffic of one client lands on one service entity, and that service entity then rate limits the client's data packets based on the identity information of the data packets. Compared with the three existing types of cluster rate limiting schemes, this improves the applicability, operability and accuracy of cluster rate limiting without increasing system complexity or cost.

In addition, in this embodiment of the present invention, a layer of IP header and UDP header is encapsulated outside the data packet that the service entity received from the client, and the encapsulated data packet is then forwarded to the service entity responsible for the client to which the data packet belongs. The data packet can therefore be forwarded to the corresponding service entity without establishing a connection, which further improves the applicability, operability and accuracy of cluster rate limiting. A data packet encapsulated with an IP header and a TCP header, by contrast, can only be forwarded after a connection has been established between the receiving service entity and the forwarding service entity. So compared with the approach of Embodiment 2, which encapsulates an IP header and a TCP header outside the data packet, the approach of this embodiment, which encapsulates an IP header and a UDP header outside the data packet, has higher adaptability, operability and efficiency.

It should be noted that, for simplicity of description, the method embodiments are all expressed as a series of combined actions, but those skilled in the art should know that the embodiments of the present invention are not limited by the described order of actions, because according to the embodiments of the present invention some steps may be performed in another order or simultaneously. Those skilled in the art should also know that the embodiments described in the specification are all preferred embodiments, and the actions involved are not necessarily required by the embodiments of the present invention.

Embodiment 4

Referring to FIG. 4, a structural block diagram of an embodiment of a cluster accurate rate limiting device of the present invention is shown. The cluster includes at least one switch 410 and multiple service entities 420, and each service entity may specifically include the following modules:

A receiving module 421, adapted to receive a data packet.

A judging module 422, adapted to judge whether the data packet is a data packet of a client that this service entity is responsible for. If the data packet is not a data packet of a client that this service entity is responsible for, the forwarding module 423 is entered; if it is, the rate limiting module 424 is entered.

A forwarding module 423, adapted to forward the data packet to the service entity responsible for the client to which the data packet belongs.

In another preferred embodiment of the present invention, the forwarding module includes:

An encapsulation sub-module, adapted to encapsulate, based on the identity information of the data packet, a protocol header outside the data packet according to the rules of the network transmission protocol.

A forwarding sub-module, adapted to forward the data packet encapsulated with the protocol header, through the switch, to the service entity responsible for the client to which the data packet belongs.

A rate limiting module 424, adapted to rate limit the data packet based on the identity information of the data packet.

In this embodiment of the present invention, without increasing system complexity, a data packet from a client that the receiving service entity is not responsible for is forwarded to the service entity in the same cluster that is responsible for that client. This guarantees that the traffic of one client lands on one service entity, and that service entity then rate limits the client's data packets based on the identity information of the data packets. The present invention therefore has the following advantages.

First, compared with the first type of scheme in the background art, this embodiment does not set up a separate flow control entity in the cluster to rate limit all service entities in the cluster, so a failure of that flow control entity cannot affect the normal operation of the whole cluster, and applicability is strong. There is also no large volume of communication between a flow control entity and the service entities to decide the rate limit issued to each service entity; there is only simple forwarding of data packets between service entities, so complexity is low.

Second, compared with the second type of scheme in the background art, in this embodiment the data packets of one client are handled by one service entity, which performs the specific business logic and decides whether to process each packet further or discard it. The traffic of each client can therefore be controlled precisely, and operability is high.

Third, compared with the third type of scheme in the background art, this embodiment improves the data packet processing flow within the cluster's original architecture: data packets of the same client received by the various service entities are forwarded to one service entity for rate limiting. This does not increase system complexity, uses no additional hardware, and adds no hardware cost. Moreover, this embodiment uses only the cluster's own computing capability to rate limit the traffic of one client, so it can be applied to clusters of any size and has wider applicability.

In short, compared with the three types of cluster rate limiting schemes in the background art, the applicability, operability and accuracy of cluster rate limiting are improved without increasing system complexity or cost.

Embodiment 5

Referring to FIG. 5, a structural block diagram of an embodiment of a cluster accurate rate limiting device of the present invention is shown. The cluster includes at least one switch 510 and multiple service entities 520, and each service entity may specifically include the following modules:

A receiving module 521, adapted to receive a data packet.

A judging module 522, adapted to judge whether the data packet is a data packet of a client that this service entity is responsible for. If the data packet is not a data packet of a client that this service entity is responsible for, the forwarding module 523 is entered; if it is, the rate limiting module 524 is entered.

A forwarding module 523, adapted to forward the data packet to the service entity responsible for the client to which the data packet belongs, specifically including:

An encapsulation sub-module 5231, adapted to encapsulate, based on the identity information of the data packet, a protocol header outside the data packet according to the rules of the network transmission protocol, specifically including:

A second encapsulation sub-module 52311, adapted to encapsulate, based on the identity information of the data packet, a layer of IP header and TCP header outside the data packet according to the rules of the network transmission protocol.

In another preferred embodiment of the present invention, the second encapsulation sub-module 52311 includes:

An identity information acquisition sub-module, adapted to obtain the identity information corresponding to the data packet.

A five-tuple selection sub-module, adapted to select the same five-tuple according to the identity information. The five-tuple includes: source IP address, destination IP address, source port, destination port, and transmission protocol type. The destination IP address is the IP address corresponding to the service entity.

A second header encapsulation sub-module, adapted to encapsulate, based on the five-tuple, a layer of IP header and TCP header outside the data packet according to the rules of the network transmission protocol.

In another preferred embodiment of the present invention, the second header encapsulation sub-module includes:

A second port encapsulation sub-module, adapted to encapsulate the source port and destination port of the five-tuple into the TCP header outside the data packet.

An IP address encapsulation sub-module, adapted to encapsulate the source IP address, destination IP address and transmission protocol type of the five-tuple into the IP header outside the data packet.

A forwarding sub-module 5232, adapted to forward the data packet encapsulated with the protocol header, through the switch, to the service entity responsible for the client to which the data packet belongs.

A rate limiting module 524, adapted to rate limit the data packet based on the identity information of the data packet.

In this embodiment of the present invention, likewise without increasing system complexity, a data packet from a client that the receiving service entity is not responsible for is forwarded to the service entity in the same cluster that is responsible for that client. This guarantees that the traffic of one client lands on one service entity, and that service entity then rate limits the client's data packets based on the identity information of the data packets. Compared with the three existing types of cluster rate limiting schemes, this improves the applicability, operability and accuracy of cluster rate limiting without increasing system complexity or cost.

In addition, in this embodiment of the present invention, a layer of IP header and TCP header is encapsulated outside the data packet that the service entity received from the client, and the encapsulated data packet is then forwarded to the service entity responsible for the client to which the data packet belongs. Compared with UDP, this embodiment needs a connection to be established between the entities, which further guarantees the accuracy of the data in the data packet, forwards the data packet accurately to the corresponding service entity, and further improves the accuracy of cluster rate limiting.

Embodiment 6

Referring to FIG. 6, a structural block diagram of an embodiment of a cluster accurate rate limiting device of the present invention is shown. The cluster includes at least one switch 610 and multiple service entities 620, and each service entity may specifically include the following modules:

A receiving module 621, adapted to receive a data packet.

A judging module 622, adapted to judge whether the data packet is a data packet of a client that this service entity is responsible for. If the data packet is not a data packet of a client that this service entity is responsible for, the forwarding module 623 is entered; if it is, the rate limiting module 624 is entered. It specifically includes:

A judging sub-module 6221, adapted to judge whether the data packet was forwarded by a service entity or sent by a client. If the data packet was forwarded by a service entity, it is confirmed to be a data packet of a client that this service entity is responsible for, and the rate limiting module 624 is entered; if the data packet was sent by a client, it is confirmed not to be a data packet of a client that this service entity is responsible for, and the forwarding module 623 is entered.

In another preferred embodiment of the present invention, the judging sub-module 6221 includes:

A protocol header judging sub-module, adapted to judge, for any data packet, whether a protocol header encapsulated according to the rules of the network transmission protocol exists outside the data packet. If such a protocol header exists outside the data packet, the data packet is confirmed to be a data packet of a client that this service entity is responsible for, and the rate limiting module 624 is entered; if no such protocol header exists outside the data packet, the data packet is confirmed not to be a data packet of a client that this service entity is responsible for, and the forwarding module 623 is entered.

A forwarding module 623, adapted to forward the data packet to the service entity responsible for the client to which the data packet belongs, specifically including:

An encapsulation sub-module 6231, adapted to encapsulate, based on the identity information of the data packet, a protocol header outside the data packet according to the rules of the network transmission protocol, specifically including:

A first encapsulation sub-module 62311, adapted to encapsulate, based on the identity information of the data packet, a layer of IP header and UDP header outside the data packet according to the rules of the network transmission protocol.

A forwarding sub-module 6232, adapted to forward the data packet encapsulated with the protocol header, through the switch, to the service entity responsible for the client to which the data packet belongs.

In another preferred embodiment of the present invention, the first encapsulation sub-module 62311 includes:

An identity information acquisition sub-module, adapted to obtain the identity information corresponding to the data packet.

In another preferred embodiment of the present invention, when the identity information is an IP address, the identity information acquisition sub-module includes:

A first identity information acquisition sub-module, adapted to parse the IP header of the data packet at the network layer to obtain the IP address.

When the identity information is a user ID, the identity information acquisition sub-module includes:

An upward sending sub-module, adapted to temporarily store the data packet at the network layer and at the same time send the data packet up to the application layer.

A second identity information acquisition sub-module, adapted to parse the data area of the data packet at the application layer to obtain the user ID of the data packet.

A five-tuple selection sub-module, adapted to select the same five-tuple according to the identity information. The five-tuple includes: source IP address, destination IP address, source port, destination port, and transmission protocol type. The destination IP address is the IP address corresponding to the service entity.

A first header encapsulation sub-module, adapted to encapsulate, based on the five-tuple, a layer of IP header and UDP header outside the data packet according to the rules of the network transmission protocol.

In another preferred embodiment of the present invention, the five-tuple selection sub-module includes:

An application layer five-tuple selection sub-module, adapted to select the same five-tuple at the application layer according to the identity information.

In that case, after the application layer five-tuple selection sub-module, the following is also included:

A sending sub-module, adapted to send the five-tuple obtained at the application layer to the network layer.

In another preferred embodiment of the present invention, the first header encapsulation sub-module includes:

A first port encapsulation sub-module, adapted to encapsulate the source port and destination port of the five-tuple into the UDP header outside the data packet.

An IP address encapsulation sub-module, adapted to encapsulate the source IP address, destination IP address and transmission protocol type of the five-tuple into the IP header outside the data packet.

A rate limiting module 624, adapted to rate limit the data packet based on the identity information of the data packet, specifically including:

A removal sub-module 6241, adapted to remove the protocol header that was encapsulated outside the data packet according to the rules of the network transmission protocol.

A data packet identity information acquisition sub-module 6242, adapted to obtain the identity information of the data packet.

A traffic judging sub-module 6243, adapted to judge whether the traffic corresponding to the identity information exceeds the traffic threshold; if the traffic corresponding to the identity information exceeds the traffic threshold, the discarding sub-module 6244 is entered.

In another preferred embodiment of the present invention, when the identity information is an IP address, the traffic judging sub-module includes:

A user ID lookup sub-module, adapted to look up the user ID corresponding to the IP address.

A traffic threshold lookup sub-module, adapted to look up the corresponding traffic threshold according to the user ID.

A first traffic judging sub-module, adapted to calculate whether the traffic corresponding to the IP address exceeds the traffic threshold. If the traffic corresponding to the IP address exceeds the traffic threshold, the discarding sub-module 6244 is entered.

A discarding sub-module 6244, adapted to discard the data packet.

In this embodiment of the present invention, likewise without increasing system complexity, a data packet from a client that the receiving service entity is not responsible for is forwarded to the service entity in the same cluster that is responsible for that client. This guarantees that the traffic of one client lands on one service entity, and that service entity then rate limits the client's data packets based on the identity information of the data packets. Compared with the three existing types of cluster rate limiting schemes, this improves the applicability, operability and accuracy of cluster rate limiting without increasing system complexity or cost.

In addition, in this embodiment of the present invention, a layer of IP header and UDP header is encapsulated outside the data packet that the service entity received from the client, and the encapsulated data packet is then forwarded to the service entity responsible for the client to which the data packet belongs. The data packet can therefore be forwarded to the corresponding service entity without establishing a connection, which further improves the applicability, operability and accuracy of cluster rate limiting. A data packet encapsulated with an IP header and a TCP header, by contrast, can only be forwarded after a connection has been established between the receiving service entity and the forwarding service entity. So compared with the approach of Embodiment 2, which encapsulates an IP header and a TCP header outside the data packet, the approach of this embodiment, which encapsulates an IP header and a UDP header outside the data packet, has higher adaptability, operability and efficiency.
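The judge, encapsulate and forward path of Embodiment 6 can be sketched as below, using the client source IP as the identity information. This is an added example, not code from the patent: the cluster addresses, the tunnel port, the CRC32 mapping from identity to owning service entity, and the check that a forwarded packet's outer source is a cluster member are all assumptions.

```python
import socket
import struct
import zlib

# Constructed cluster layout (assumed values, not from the patent).
SERVICE_ENTITIES = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]
TUNNEL_PORT = 40000  # assumed UDP destination port for entity-to-entity forwarding
PROTO_UDP = 17


def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071) as used by the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    head = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return head[:10] + struct.pack("!H", checksum(head)) + head[12:]


def parse_ipv4(packet: bytes):
    """Return (src, dst, proto, payload), or None for a malformed IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len < ihl or total_len > len(packet):
        return None
    if checksum(packet[:ihl]) != 0:  # a valid header sums to zero
        return None
    return (socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]),
            packet[9], packet[ihl:total_len])


def select_five_tuple(identity: str, self_ip: str):
    """For one forwarder, the same identity always yields the same five-tuple."""
    digest = zlib.crc32(identity.encode())
    owner = SERVICE_ENTITIES[digest % len(SERVICE_ENTITIES)]  # assumed mapping
    src_port = 49152 + (digest >> 16) % 16384
    return (self_ip, owner, src_port, TUNNEL_PORT, PROTO_UDP)


def encapsulate(inner: bytes, self_ip: str) -> bytes:
    """Wrap a client packet in an outer IP header and UDP header."""
    parsed = parse_ipv4(inner)
    if parsed is None:
        raise ValueError("not a well-formed IPv4 packet")
    identity = parsed[0]  # identity information: the client's source IP
    src, dst, sport, dport, proto = select_five_tuple(identity, self_ip)
    # UDP checksum 0 means "not computed", which IPv4 permits.
    udp = struct.pack("!HHHH", sport, dport, 8 + len(inner), 0) + inner
    return ipv4_header(src, dst, proto, len(udp)) + udp


def decapsulate(packet: bytes):
    """Return the inner packet if the forwarding headers are present, else None."""
    parsed = parse_ipv4(packet)
    if parsed is None:
        return None
    src, _dst, proto, payload = parsed
    # Assumption: only cluster members are accepted as the outer source.
    if proto != PROTO_UDP or len(payload) < 8 or src not in SERVICE_ENTITIES:
        return None
    _sport, dport, length, _csum = struct.unpack("!HHHH", payload[:8])
    if dport != TUNNEL_PORT or length != len(payload):
        return None
    return payload[8:]


def handle(packet: bytes, self_ip: str):
    """Judging module: forwarded packets go to rate limiting, client packets are forwarded."""
    inner = decapsulate(packet)
    if inner is not None:
        return ("rate_limit", inner)
    return ("forward", encapsulate(packet, self_ip))


def sample_client_packet(src: str = "203.0.113.10") -> bytes:
    body = b"constructed client payload"  # constructed sample, not real traffic
    return ipv4_header(src, "192.0.2.80", 6, len(body)) + body
```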

對於裝置實施例而言,由於其與方法實施例基本相似,所以描述的比較簡單,相關之處參見方法實施例的部分說明即可。 As for the device embodiment, since it is basically similar to the method embodiment, the description is relatively simple, and for related parts, please refer to the part of the description of the method embodiment.

本說明書中的各個實施例均採用遞進的方式描述,每個實施例重點說明的都是與其他實施例的不同之處,各個實施例之間相同相似的部分互相參見即可。 The various embodiments in this specification are described in a progressive manner, and each embodiment focuses on the differences from other embodiments, and the same or similar parts between the various embodiments can be referred to each other.

本領域內的技術人員應明白,本發明實施例的實施例可提供為方法、裝置、或電腦程式產品。因此,本發明實施例可採用完全硬體實施例、完全軟體實施例、或結合軟體和硬體方面的實施例的形式。而且,本發明實施例可採用在一個或多個其中包含有電腦可用程式代碼的電腦可用儲存媒介(包括但不限於磁盤儲存器、CD-ROM、光學儲存器等)上實施的電腦程式產品的形式。 Those skilled in the art should understand that the embodiments of the present invention can be provided as methods, devices, or computer program products. Therefore, the embodiments of the present invention may adopt the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware. Moreover, the embodiments of the present invention may adopt computer program products implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program codes. form.

在一個典型的配置中,所述電腦設備包括一個或多個處理器(CPU)、輸入/輸出介面、網路介面和記憶體。記憶體可能包括電腦可讀媒介中的非永久性儲存器,隨機存取儲存器(RAM)及/或非易失性記憶體等形式,如只讀儲存器(ROM)或快閃記憶體(flash RAM)。記憶體是電腦可讀媒介的示例。電腦可讀媒介包括永久性和非永久性、可行動和非可行動媒體可以由任何方法或技術來實現資訊儲存。資訊可以是電腦可讀指令、資料結構、程式的模組或其他資料。電腦的儲存媒介的例子包括,但不限於相變記憶體(PRAM)、靜態隨機存取儲存器(SRAM)、動態隨機存取儲存器(DRAM)、其他類型的隨機存取儲存器 (RAM)、只讀儲存器(ROM)、電可抹除可編程只讀儲存器(EEPROM)、快閃記憶體或其他記憶體技術、只讀光碟只讀儲存器(CD-ROM)、數位多功能光碟(DVD)或其他光學儲存、卡式磁帶,磁帶磁磁盤儲存或其他磁性儲存設備或任何其他非傳輸媒介,可用於儲存可以被計算設備存取的資訊。按照本文中的界定,電腦可讀媒介不包括非持續性的電腦可讀媒體(transitory media),如調變的資料信號和載波。 In a typical configuration, the computer equipment includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory. Memory may include non-permanent memory in computer readable media, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory ( flash RAM). Memory is an example of computer readable media. Computer-readable media include permanent and non-permanent, movable and non-movable media, and information storage can be realized by any method or technology. Information can be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), and other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, CD-ROM, digital Versatile discs (DVD) or other optical storage, cassette tapes, magnetic tape storage or other magnetic storage devices or any other non-transmission media can be used to store information that can be accessed by computing devices. According to the definition in this article, computer-readable media does not include non-persistent computer-readable media (transitory media), such as modulated data signals and carrier waves.

The embodiments of the present invention are described with reference to flowcharts and/or block diagrams of the methods, terminal devices (systems), and computer program products according to the embodiments of the present invention. It should be understood that each process and/or block in the flowcharts and/or block diagrams, and combinations of processes and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor, or other programmable data processing terminal equipment to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing terminal equipment produce a device for implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.

These computer program instructions can also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal equipment to work in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, and the instruction device implements the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.

These computer program instructions can also be loaded onto a computer or other programmable data processing terminal equipment, such that a series of operation steps is executed on the computer or other programmable terminal equipment to produce computer-implemented processing, and the instructions executed on the computer or other programmable terminal equipment thereby provide steps for implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.

Although the preferred embodiments of the present invention have been described, those skilled in the art can make additional changes and modifications to these embodiments once they learn of the basic inventive concept. Therefore, the scope of the attached patent application is intended to be interpreted as including the preferred embodiments and all changes and modifications falling within the scope of the embodiments of the present invention.

Finally, it should be noted that, in this document, relational terms such as first and second are only used to distinguish one entity or operation from another entity or operation, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variants thereof are intended to cover non-exclusive inclusion, so that a process, method, article or terminal device that includes a series of elements includes not only those elements but also other elements that are not explicitly listed, or elements inherent to such a process, method, article, or terminal device. Without further restrictions, an element defined by the phrase "including a..." does not exclude the existence of other identical elements in the process, method, article, or terminal device that includes the element.

The cluster accurate rate limiting method and the cluster accurate rate limiting device provided by the present invention have been described in detail above. Specific examples are used herein to explain the principles and implementation of the present invention, and the description of the above embodiments is only intended to help understand the method of the present invention and its core idea. At the same time, for those of ordinary skill in the art, there will be changes in the specific implementation and the scope of application according to the idea of the present invention. In summary, the content of this specification should not be construed as limiting the present invention.

Claims (24)

1. A cluster accurate rate limiting method, including: receiving a data packet; judging whether the data packet is a data packet of a client that the receiver itself is responsible for handling; if the data packet is not a data packet of a client that it is itself responsible for handling, forwarding the data packet to the service entity responsible for handling the client to which the data packet belongs; if the data packet is a data packet of a client that it is itself responsible for handling, performing rate limiting processing on the data packet based on the identity information of the data packet; wherein the step of forwarding the data packet to the service entity responsible for handling the client to which the data packet belongs includes: based on the identity information of the data packet, encapsulating a protocol header outside the data packet according to the rules of the network transmission protocol; and forwarding the data packet encapsulated with the protocol header through the switch to the service entity responsible for handling the client to which the data packet belongs.

2. The method according to the scope of patent application, wherein the step of encapsulating a protocol header outside the data packet according to the rules of the network transmission protocol, based on the identity information of the data packet, includes: based on the identity information of the data packet, encapsulating a further layer of IP header and UDP header outside the data packet according to the rules of the network transmission protocol; or, based on the identity information of the data packet, encapsulating a further layer of IP header and TCP header outside the data packet according to the rules of the network transmission protocol.

3. The method according to item 2 of the scope of patent application, wherein the step of encapsulating, based on the identity information of the data packet, a further layer of IP header and UDP header outside the data packet according to the rules of the network transmission protocol, or encapsulating, based on the identity information of the data packet, a further layer of IP header and TCP header outside the data packet according to the rules of the network transmission protocol, includes: obtaining the identity information corresponding to the data packet; selecting the same five-tuple according to the identity information, the five-tuple including: source IP address, destination IP address, source port, destination port, and transmission protocol type, the destination IP address being the IP address corresponding to the service entity; based on the five-tuple, encapsulating a further layer of IP header and UDP header outside the data packet according to the rules of the network transmission protocol; or, based on the five-tuple, encapsulating a further layer of IP header and TCP header outside the data packet according to the rules of the network transmission protocol.

4. The method according to item 3 of the scope of patent application, wherein, when the identity information is an IP address, the step of obtaining the identity information corresponding to the data packet includes: parsing the IP header of the data packet at the network layer to obtain the IP address.

5. The method according to item 3 of the scope of patent application, wherein, when the identity information is a user ID, the step of obtaining the identity information corresponding to the data packet includes: temporarily storing the data packet at the network layer while sending the data packet up to the application layer; and parsing the data area of the data packet at the application layer to obtain the user ID of the data packet.

6. The method according to item 5 of the scope of patent application, wherein the step of selecting the same five-tuple according to the identity information includes: selecting the same five-tuple according to the identity information at the application layer; and, after the step of selecting the same five-tuple according to the identity information, the method further includes: sending the five-tuple obtained at the application layer to the network layer.

7. The method according to item 3 of the scope of patent application, wherein the step of encapsulating, based on the five-tuple, a further layer of IP header and UDP header outside the data packet according to the rules of the network transmission protocol includes: encapsulating the source port and destination port in the five-tuple into the UDP header outside the data packet; and encapsulating the source IP address, destination IP address and transmission protocol type in the five-tuple into the IP header outside the data packet.

8. The method according to item 3 of the scope of patent application, wherein the step of encapsulating, based on the five-tuple, a further layer of IP header and TCP header outside the data packet according to the rules of the network transmission protocol includes: encapsulating the source port and destination port in the five-tuple into the TCP header outside the data packet; and encapsulating the source IP address, destination IP address and transmission protocol type in the five-tuple into the IP header outside the data packet.

9. The method according to any one of items 1 to 7 of the scope of patent application, wherein the step of judging whether the data packet is a data packet of a client that it is itself responsible for handling includes: judging whether the data packet is a data packet forwarded by a service entity or a data packet sent by a client; if the data packet is a data packet forwarded by a service entity, confirming that the data packet is a data packet of a client that it is itself responsible for handling; if the data packet is a data packet sent by a client, confirming that the data packet is not a data packet of a client that it is itself responsible for handling.

10. The method according to item 9 of the scope of patent application, wherein the step of judging whether the data packet is a data packet forwarded by a service entity or a data packet sent by a client includes: for any data packet, judging whether a protocol header encapsulated according to the rules of the network transmission protocol exists outside the data packet; if a protocol header encapsulated according to the rules of the network transmission protocol exists outside the data packet, confirming that the data packet is a data packet of a client that it is itself responsible for handling; if no protocol header encapsulated according to the rules of the network transmission protocol exists outside the data packet, confirming that the data packet is not a data packet of a client that it is itself responsible for handling.

11. The method according to any one of items 1 to 7 of the scope of patent application, wherein the step of performing rate limiting processing on the data packet based on the identity information of the data packet includes: removing the protocol header encapsulated outside the data packet according to the rules of the network transmission protocol; obtaining the identity information of the data packet; judging whether the traffic corresponding to the identity information exceeds a traffic threshold; and, if the traffic corresponding to the identity information exceeds the traffic threshold, discarding the data packet.

12. The method according to item 11 of the scope of patent application, wherein, when the identity information is an IP address, the step of judging whether the traffic corresponding to the identity information reaches the threshold includes: looking up the user ID corresponding to the IP address; looking up the corresponding traffic threshold according to the user ID; calculating whether the traffic corresponding to the IP address exceeds the traffic threshold; and, if the traffic corresponding to the IP address exceeds the traffic threshold, discarding the data packet.

13. A cluster accurate rate limiting device, including: a receiving module, adapted to receive a data packet; a judging module, adapted to judge whether the data packet is a data packet of a client that the device itself is responsible for handling, to enter the forwarding module if the data packet is not a data packet of a client that it is itself responsible for handling, and to enter the rate limiting module if the data packet is a data packet of a client that it is itself responsible for handling; a forwarding module, adapted to forward the data packet to the service entity responsible for handling the client to which the data packet belongs; and a rate limiting module, adapted to perform rate limiting processing on the data packet based on the identity information of the data packet; wherein the forwarding module includes: an encapsulation sub-module, adapted to encapsulate, based on the identity information of the data packet, a protocol header outside the data packet according to the rules of the network transmission protocol; and a forwarding sub-module, adapted to forward the data packet encapsulated with the protocol header through the switch to the service entity responsible for handling the client to which the data packet belongs.

14. The device according to item 13 of the scope of patent application, wherein the encapsulation sub-module includes: a first encapsulation sub-module, adapted to encapsulate, based on the identity information of the data packet, a further layer of IP header and UDP header outside the data packet according to the rules of the network transmission protocol; or a second encapsulation sub-module, adapted to encapsulate, based on the identity information of the data packet, a further layer of IP header and TCP header outside the data packet according to the rules of the network transmission protocol.

15. The device according to item 14 of the scope of patent application, wherein the first encapsulation sub-module, or the second encapsulation sub-module, includes: an identity information acquisition sub-module, adapted to obtain the identity information corresponding to the data packet; a five-tuple selection sub-module, adapted to select the same five-tuple according to the identity information, the five-tuple including: source IP address, destination IP address, source port, destination port, and transmission protocol type, the destination IP address being the IP address corresponding to the service entity; a first header encapsulation sub-module, adapted to encapsulate, based on the five-tuple, a further layer of IP header and UDP header outside the data packet according to the rules of the network transmission protocol; or a second header encapsulation sub-module, adapted to encapsulate, based on the five-tuple, a further layer of IP header and TCP header outside the data packet according to the rules of the network transmission protocol.

16. The device according to item 15 of the scope of patent application, wherein, when the identity information is an IP address, the identity information acquisition sub-module includes: a first identity information acquisition sub-module, adapted to parse the IP header of the data packet at the network layer to obtain the IP address.

17. The device according to item 15 of the scope of patent application, wherein, when the identity information is a user ID, the identity information acquisition sub-module includes: an upward sending sub-module, adapted to temporarily store the data packet at the network layer while sending the data packet up to the application layer; and a second identity information acquisition sub-module, adapted to parse the data area of the data packet at the application layer to obtain the user ID of the data packet.

18. The device according to item 17 of the scope of patent application, wherein the five-tuple selection sub-module includes: an application-layer five-tuple selection sub-module, adapted to select the same five-tuple according to the identity information at the application layer; and, after the five-tuple selection sub-module, the device further includes: a sending sub-module, adapted to send the five-tuple obtained at the application layer to the network layer.

19. The device according to item 15 of the scope of patent application, wherein the first header encapsulation sub-module includes: a first port encapsulation sub-module, adapted to encapsulate the source port and destination port in the five-tuple into the UDP header outside the data packet; and an IP address encapsulation sub-module, adapted to encapsulate the source IP address, destination IP address and transmission protocol type in the five-tuple into the IP header outside the data packet.

20. The device according to item 15 of the scope of patent application, wherein the second header encapsulation sub-module includes: a second port encapsulation sub-module, adapted to encapsulate the source port and destination port in the five-tuple into the TCP header outside the data packet; and an IP address encapsulation sub-module, adapted to encapsulate the source IP address, destination IP address and transmission protocol type in the five-tuple into the IP header outside the data packet.

21. The device according to any one of items 14 to 19 of the scope of patent application, wherein the judging module includes: a judging sub-module, adapted to judge whether the data packet is a data packet forwarded by a service entity or a data packet sent by a client; if the data packet is a data packet forwarded by a service entity, to confirm that the data packet is a data packet of a client that it is itself responsible for handling; and, if the data packet is a data packet sent by a client, to confirm that the data packet is not a data packet of a client that it is itself responsible for handling.

22. The device according to item 21 of the scope of patent application, wherein the judging sub-module includes: a protocol header judging sub-module, adapted to judge, for any data packet, whether a protocol header encapsulated according to the rules of the network transmission protocol exists outside the data packet; if a protocol header encapsulated according to the rules of the network transmission protocol exists outside the data packet, to enter the first confirmation sub-module; and, if no protocol header encapsulated according to the rules of the network transmission protocol exists outside the data packet, to enter the second confirmation sub-module.

23. The device according to any one of items 14 to 19 of the scope of patent application, wherein the rate limiting module includes: a removal sub-module, adapted to remove the protocol header encapsulated outside the data packet according to the rules of the network transmission protocol; a data packet identity information acquisition sub-module, adapted to obtain the identity information of the data packet; a traffic judging sub-module, adapted to judge whether the traffic corresponding to the identity information exceeds a traffic threshold and, if the traffic corresponding to the identity information exceeds the traffic threshold, to enter the discarding sub-module; and a discarding sub-module, adapted to discard the data packet.

24. The device according to item 23 of the scope of patent application, wherein, when the identity information is an IP address, the traffic judging sub-module includes: a user ID lookup sub-module, adapted to look up the user ID corresponding to the IP address; a traffic threshold lookup sub-module, adapted to look up the corresponding traffic threshold according to the user ID; and a first traffic judging sub-module, adapted to calculate whether the traffic corresponding to the IP address exceeds the traffic threshold and, if the traffic corresponding to the IP address exceeds the traffic threshold, to enter the discarding sub-module.

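The forward, detect, decapsulate and limit steps of claims 1, 3, 7 and 9 to 12, as an added Python sketch that is not code from the patent or its applicant. The hash-based choice of five-tuple, the fixed outer source address, UDP port 47000 as the marker for forwarded packets, the one-second byte window, and every address, table entry and limit are assumptions constructed for the example.

```python
import hashlib
import ipaddress
import struct

# All addresses, ports, tables and limits below are constructed for this example.
NODES = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]   # service entities behind the switch
CLUSTER_SRC = "10.0.0.254"                     # assumed fixed outer source address
ENCAP_PORT = 47000                             # assumed UDP port marking forwarded packets
IP_TO_USER = {"198.51.100.7": "user-a"}        # claim 12: IP address -> user ID
USER_LIMIT = {"user-a": 2500}                  # claim 12: user ID -> bytes per second
DEFAULT_LIMIT = 1500


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", header))
    total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    fields = [0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = ip_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields)


def five_tuple_for(identity: str):
    """Claim 3: the same identity always yields the same five-tuple (hashing is assumed)."""
    digest = hashlib.sha256(identity.encode()).digest()
    owner = NODES[digest[0] % len(NODES)]          # destination IP = owning service entity
    src_port = 49152 + int.from_bytes(digest[1:3], "big") % 16384
    return (CLUSTER_SRC, owner, src_port, ENCAP_PORT, 17)


def encapsulate(packet: bytes) -> bytes:
    """Claim 7: ports go into an outer UDP header, addresses and protocol into an outer IP header."""
    identity = str(ipaddress.IPv4Address(packet[12:16]))   # claim 4: client IP from the IP header
    src, dst, sport, dport, proto = five_tuple_for(identity)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(packet), 0)  # checksum 0: unused (IPv4)
    return ipv4_header(src, dst, proto, 8 + len(packet)) + udp + packet


def decapsulate(frame: bytes):
    """Claim 10: return the inner packet if the outer header is present, else None."""
    if len(frame) < 20 or frame[0] >> 4 != 4 or frame[9] != 17:
        return None
    ihl = (frame[0] & 0x0F) * 4
    if ihl < 20 or len(frame) < ihl + 8 + 20:
        return None
    if str(ipaddress.IPv4Address(frame[12:16])) != CLUSTER_SRC:   # added check, see note below
        return None
    _sport, dport, ulen, _csum = struct.unpack("!HHHH", frame[ihl:ihl + 8])
    if dport != ENCAP_PORT or ulen != len(frame) - ihl:
        return None
    return frame[ihl + 8:]


class Node:
    def __init__(self, ip: str):
        self.ip = ip
        self.window = {}                  # identity key -> (window second, bytes counted)

    def handle(self, frame: bytes, now: float):
        if len(frame) < 20:
            return ("drop", self.ip, frame)
        inner = decapsulate(frame)
        if inner is None:                 # claim 9: sent by a client, so forward it
            out = encapsulate(frame)
            return ("forward", str(ipaddress.IPv4Address(out[16:20])), out)
        return (self.rate_limit(inner, now), self.ip, inner)   # claim 11

    def rate_limit(self, packet: bytes, now: float) -> str:
        client_ip = str(ipaddress.IPv4Address(packet[12:16]))
        user = IP_TO_USER.get(client_ip)                       # claim 12 lookups
        limit = USER_LIMIT.get(user, DEFAULT_LIMIT)
        key = user or client_ip
        start, used = self.window.get(key, (int(now), 0))
        if start != int(now):             # new one-second window
            start, used = int(now), 0
        if used + len(packet) > limit:
            return "drop"
        self.window[key] = (start, used + len(packet))
        return "pass"


def demo():
    """Four 1020-byte packets from one client arrive at different nodes in the same second."""
    nodes = {ip: Node(ip) for ip in NODES}
    pkt = ipv4_header("198.51.100.7", "203.0.113.10", 6, 1000) + bytes(1000)
    owners, verdicts = set(), []
    for i in range(4):
        _action, owner, frame = nodes[NODES[i % len(NODES)]].handle(pkt, now=100.0)
        owners.add(owner)
        verdicts.append(nodes[owner].handle(frame, now=100.0)[0])
    return owners, verdicts
```

Claim 10 classifies a packet by the presence of the outer header alone; the source-address comparison in `decapsulate` is an addition of this sketch so that only frames carrying the cluster's own outer source are treated as peer-forwarded.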
TW106105141A 2016-03-25 2017-02-16 Cluster accurate speed limiting method and device TWI721103B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610179863.9 2016-03-25
CN201610179863.9A CN107231269B (en) 2016-03-25 2016-03-25 Accurate cluster speed limiting method and device

Publications (2)

Publication Number Publication Date
TW201737664A TW201737664A (en) 2017-10-16
TWI721103B true TWI721103B (en) 2021-03-11

Family

ID=59899247

Family Applications (1)

Application Number Title Priority Date Filing Date
TW106105141A TWI721103B (en) 2016-03-25 2017-02-16 Cluster accurate speed limiting method and device

Country Status (3)

Country Link
CN (1) CN107231269B (en)
TW (1) TWI721103B (en)
WO (1) WO2017162117A1 (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111988211B (en) * 2019-05-21 2022-09-09 超聚变数字技术有限公司 Message distribution method and device of network equipment
WO2021243649A1 (en) * 2020-06-04 2021-12-09 深圳市欢太科技有限公司 Rate limit bandwidth adjustment method and apparatus
CN112039796B (en) * 2020-08-28 2023-04-18 北京字节跳动网络技术有限公司 Data packet transmission method and device, storage medium and electronic equipment
CN114301960B (en) * 2021-12-15 2024-03-15 山石网科通信技术股份有限公司 Processing method and device for cluster asymmetric traffic, electronic equipment and storage medium
CN114338543B (en) * 2022-03-14 2022-06-21 北京指掌易科技有限公司 Network access speed limiting method, device, equipment and storage medium
CN117255058B (en) * 2023-11-17 2024-02-23 深圳万物安全科技有限公司 Network speed limiting method, terminal equipment and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102025640A (en) * 2010-12-24 2011-04-20 北京星网锐捷网络技术有限公司 Flow control method, device and network device
CN102385804A (en) * 2010-08-30 2012-03-21 谈宇清 Intelligent traffic system and navigation method thereof
CN102882799A (en) * 2012-09-13 2013-01-16 曙光信息产业(北京)有限公司 Cluster arrangement and collocation system and method capable of controlling flow
CN104364761A (en) * 2012-06-15 2015-02-18 思杰系统有限公司 Systems and methods for forwarding traffic in a cluster network
WO2015042773A1 (en) * 2013-09-24 2015-04-02 华为技术有限公司 Access point configuration method and controller
US20150236959A1 (en) * 2012-07-23 2015-08-20 F5 Networks, Inc. Autonomously adaptive flow acceleration based on load feedback

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101938502B (en) * 2009-07-14 2013-03-27 北京邮电大学 Server cluster system and load balancing method
CN103581036B (en) * 2013-10-31 2017-05-24 华为技术有限公司 Method, device and system for controlling virtual machine network flow
CN105227488B (en) * 2015-08-25 2018-05-08 上海交通大学 A kind of network flow group scheduling method for distributed computer platforms

Also Published As

Publication number Publication date
CN107231269B (en) 2020-04-07
TW201737664A (en) 2017-10-16
CN107231269A (en) 2017-10-03
WO2017162117A1 (en) 2017-09-28
