CN103685321B - Packet forwards and safety protection detection, load-balancing method and device - Google Patents

Packet forwards and safety protection detection, load-balancing method and device Download PDF

Info

Publication number
CN103685321B
CN103685321B CN201310753226.4A CN201310753226A CN103685321B CN 103685321 B CN103685321 B CN 103685321B CN 201310753226 A CN201310753226 A CN 201310753226A CN 103685321 B CN103685321 B CN 103685321B
Authority
CN
China
Prior art keywords
security engine
data
circle queue
security
packet
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201310753226.4A
Other languages
Chinese (zh)
Other versions
CN103685321A (en
Inventor
彭权
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nsfocus Technologies Inc
Nsfocus Technologies Group Co Ltd
Original Assignee
NSFOCUS Information Technology Co Ltd
Beijing NSFocus Information Security Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by NSFOCUS Information Technology Co Ltd, Beijing NSFocus Information Security Technology Co Ltd filed Critical NSFOCUS Information Technology Co Ltd
Priority to CN201310753226.4A priority Critical patent/CN103685321B/en
Publication of CN103685321A publication Critical patent/CN103685321A/en
Application granted granted Critical
Publication of CN103685321B publication Critical patent/CN103685321B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Abstract

The invention discloses packet to forward and safety protection detection, including: packet forwarding module, multiple security engines and with multiple security engines circle queue one to one, wherein: packet forwarding module includes that bag collects module, packet handing module and bag sending module;Security engine, for obtaining data to be forwarded bag from the described circle queue corresponding with self;Packet to be forwarded is carried out security protection detection;The data to be forwarded bag carrying safety detection result mark is put in the circle queue corresponding with self;Circle queue, for storing data to be forwarded bag and the data to be forwarded bag carrying the safety detection result mark representing safety of the security engine corresponding with self transmission that packet handing module sends.The scheme using the embodiment of the present invention to provide, improves and forwards packet and the treatment effeciency of security protection detection.

Description

Packet forwards and safety protection detection, load-balancing method and device
Technical field
The present invention relates to the communications field, particularly relate to packet and forward and safety protection detection, load-balancing method And device.
Background technology
When carrying out packet forwarding in network communications, packet working lining in network service, can be through thing Reason layer, data link layer, Internet, transport layer and application layer etc., during data forward, packet may be pacified Full threat, such as, packet may be attacked by DTP, and ARP Flood attacks, and SYN Flood attacks and the disease of application layer Poison injections etc., therefore, for the packet forwarded in network communications, need to carry out security protection detection, to ensure to forward number Safety according to bag.
At present, the existing packet that carries out forwards and security protection is mainly the processing data packets mode of string type, specifically For: obtain a data to be forwarded bag, current data to be forwarded bag is carried out security protection detection, when detecting that this currently waits to turn Sending out packet when there is security threat, block this current data to be forwarded bag or discard processing, when detection, this is currently treated When forwarding security data packet, this current data to be forwarded bag is sent to receiving terminal, when this current data to be forwarded bag forwards knot Shu Hou, carries out above-mentioned forwarding to next data to be forwarded bag and security protection processes.
Above-mentioned existing packet forward and security protection processing mode in, due to use serial packet forward and Security protection processing mode, can only carry out forwarding and security protection detection for a packet every time, and packet forwards and peace The efficiency of full protection detection is low.
Summary of the invention
The embodiment of the present invention provides packet to forward and safety protection detection, load-balancing method and device, in order to Solve packet to be forwarded present in prior art and problem that the treatment effeciency of security protection detection is low.
The embodiment of the present invention provides a kind of packet to forward and safety protection detection, it is characterised in that including: data Packet forward module, multiple security engines and with multiple security engines circle queue one to one, wherein:
Described packet forwarding module includes that bag collects module, packet handing module and bag sending module;
Module collected by described bag, is used for receiving multiple data to be forwarded bag;Multiple described data to be forwarded bags are sent to Described packet handing module;
Described packet handing module, collects, for receiving described bag, the multiple described data to be forwarded bag that module sends;According to Preset load-balancing algorithm, described data to be forwarded bag is sent to the security engine that in multiple security engine, load capacity is the strongest Corresponding circle queue;Receive the described data to be forwarded carrying safety detection result mark in multiple described circle queue Bag;The data to be forwarded bag carrying the safety detection result mark representing safety is sent to described bag sending module;To carrying The data to be forwarded bag that the safety detection result having expression data to be surrounded by security threat identifies carries out abandoning or blocking at forwarding Reason;
For receiving to carry described in the transmission of described packet handing module, described bag sending module, represents that the safety of safety is examined Survey the data to be forwarded bag of result mark;Data to be forwarded bag by the described safety detection result mark carrying and representing safety It is sent to receiving terminal;
Described security engine, for obtaining data to be forwarded bag from the described circle queue corresponding with self;To described Data to be forwarded bag carries out security protection detection;The data to be forwarded bag carrying safety detection result mark is put into and self In corresponding circle queue;
Described circle queue, for storing the described data to be forwarded bag and corresponding with self that described packet handing module sends Described security engine send carry represent safety safety detection result mark data to be forwarded bag.
Use the said system that the present invention provides, owing to using multiple security engines concurrently to packet to be forwarded simultaneously Carry out safety detection, improve and packet is forwarded and the treatment effeciency of security protection detection.
Further, described packet handing module, specifically for from described bag collect module receive multiple described in wait turn Send out packet and carry out underlying security protection detection;For each described data to be forwarded bag, when the inspection to this data to be forwarded bag Survey result be this data to be forwarded bag safe time, according to default load-balancing algorithm, this data to be forwarded bag is sent to multiple The circle queue that security engine that in security engine, load capacity is the strongest is corresponding;When to the testing result of this data to be forwarded bag being When this data to be forwarded is surrounded by security threat, this data to be forwarded bag is abandoned or blocks forward process.
Further, said system, also include: Command Line Parsing module, for according to performance requirement and processor hardware system The about number of threads of packet forwarding module described in condition setting and the number of security engine, to described packet forwarding module and Security engine carries out Initialize installation.
Further, described Command Line Parsing module, it is additionally operable to the number according to configured described security engine, is respectively The circle queue that the distribution of each security engine is corresponding with self.
The embodiment of the present invention provides a kind of load-balancing method, is applied to packet and forwards and safety protection detection, Described packet forward and safety protection detection include: multiple security engines for packet being carried out safety detection and With multiple security engines circle queue one to one, described circle queue draws for storing the safety corresponding with this circle queue Holding up the packet that will carry out detecting, the method includes:
The number of source IP, purpose IP and described security engine according to data to be forwarded bag carries out Hash operation, is breathed out Uncommon operation result;
Determine whether there is the circle queue index corresponding with described Hash operation result;
When there is the circle queue index corresponding with described Hash operation result, determine described circle queue index correspondence Security engine be the security engine that described data to be forwarded bag will be carried out safety detection;
When there is not the circle queue index corresponding with described Hash operation result, from the plurality of security engine really The fixed security engine that described data to be forwarded bag is carried out safety detection, and set up described Hash operation result and this peace determined Corresponding relation between the circle queue index that full engine is corresponding.
Use the said method that the embodiment of the present invention provides, due to by judging that data to be forwarded bag carries out Hash operation Whether result exists the circle queue index of correspondence, determines the security engine that packet to be forwarded carries out safety detection, treats Forward packet reasonably to distribute, improve security engine and packet is carried out the performance of safety detection.
Further, when there is the circle queue index corresponding with described Hash operation result, determine described annular team The security engine that column index is corresponding is the security engine that described data to be forwarded bag will carry out safety detection, specifically includes:
When there is the circle queue index corresponding with described Hash operation result, determine described circle queue index correspondence The load weights of security engine whether not less than preset weights threshold value, described load weights are work based on described security engine The current data of this security engine making state, CPU usage and acquisition processes what flow determined, and described load weights represent this The current data package processing capability of security engine, in described current data process flow represents this security engine current one time The flow of the packet processed;
When the load weights of the security engine of described circle queue index correspondence are not less than preset weights threshold value, determine this The security engine that circle queue index is corresponding is the security engine that described data to be forwarded bag will carry out safety detection.
Further, said method, also include:
When the load weights of the security engine of described circle queue index correspondence are less than preset weights threshold value, determine described Whether the load weights of the security engine that circle queue index is corresponding are zero;
When the load weights of the security engine of described circle queue index correspondence are not zero, determine except this circle queue rope Draw the security engine of load maximum weight beyond the security engine of correspondence for described data to be forwarded bag will be carried out safety The security engine of detection.
Further, said method, also include:
When the load weights of the security engine of described circle queue index correspondence are zero, will be distributed to this security engine Packet marking be safe condition;Or
When the load weights of the security engine of described circle queue index correspondence are zero, will be distributed to this security engine Packet delivery give the security engine of load maximum weight in addition to this security engine;Or
When the load weights of the security engine of described circle queue index correspondence are zero, will be distributed to this security engine Packet average mark issue the security engine in addition to this security engine.
Further, determine the load weights of described security engine, specifically include:
Every predetermined period, this security engine of duty based on described security engine, CPU usage and acquisition Current data processes flow and determines the load weights of described security engine.
Further, when there is not the circle queue index corresponding with described Hash operation result, from the plurality of peace Full engine determines the security engine that described data to be forwarded bag carries out safety detection, specifically includes:
When there is not the circle queue index corresponding with described Hash operation result, from the plurality of security engine really The security engine of fixed load maximum weight is the security engine that described data to be forwarded bag carries out safety detection, and described load is weighed The current data that value is this security engine of duty based on described security engine, CPU usage and acquisition processes flow Determining, described load weights represent the current data package processing capability of this security engine, and described current data processes flow meter The flow of the packet processed in showing this security engine current one time.
Further, for each security engine, duty based on this security engine, CPU usage and acquisition The current data of this security engine processes flow and determines the load weights of this security engine, specifically includes:
Equation below is used to determine the load weights of this security engine:
F ( i ) = K × Q × [ a × ( 1 - C i / Σ i = 1 n C i ) + b × ( 1 - S i / Σ i = 1 n S i ) ] ;
Wherein, F (i) is the load weights of i-th security engine, and K is constant, and Q represents the work shape of i-th security engine State, Q=0 represents that the duty of this security engine is abnormal, and Q=1 represents that the duty of this security engine is normal, CiIt is The CPU usage of i security engine,For the sum of the CPU usage of each security engine, SiWorking as i-th security engine Front data process flow,Current data for each security engine processes the sum of flow, and n is the number of all security engines, A, b are constant, a > b.
The embodiment of the present invention additionally provides a kind of load balancing apparatus, is applied to safety detecting system, described safety detection System includes: multiple security engines for packet carries out safety detection and the most annular with multiple security engines Queue, described circle queue is for storing the packet that the security engine corresponding with this circle queue will carry out detecting;Described Device, including:
Arithmetic element, the number for source IP, purpose IP and described security engine according to data to be forwarded bag is breathed out Uncommon computing, obtains Hash operation result;
Index determines unit, is used to determine whether to there is the circle queue index corresponding with described Hash operation result;
First determines unit, for when there is the circle queue index corresponding with described Hash operation result, determining institute The security engine stating circle queue index corresponding is the security engine that described data to be forwarded bag will carry out safety detection;
Second determines unit, for when there is not the circle queue index corresponding with described Hash operation result, from institute State and multiple security engine determines the security engine that described data to be forwarded bag carries out safety detection, and set up described Hash fortune Calculate the corresponding relation between the circle queue index that result is corresponding with this security engine determined.
Further, described first determines unit, specifically for when there is the annular corresponding with described Hash operation result During queue index, determine that whether the load weights of the security engine that described circle queue index is corresponding are not less than preset weights threshold Value, described load weights are the current of this security engine of duty based on described security engine, CPU usage and acquisition Data process what flow determined, and described load weights represent the current data package processing capability of this security engine, described current number According to the flow processing in flow represents this security engine current one time the packet processed;When described circle queue index is right When the load weights of the security engine answered are not less than preset weights threshold value, determine that the security engine that this circle queue index is corresponding is Described data to be forwarded bag will be carried out the security engine of safety detection.
Further, said apparatus, also include:
3rd determines unit, for being less than, when the load weights of the security engine of described circle queue index correspondence, the power of presetting During value threshold value, determine whether the load weights of the security engine that described circle queue index is corresponding are zero;
4th determines unit, is used for when the load weights of the security engine of described circle queue index correspondence are not zero, Determine that the security engine of load maximum weight in addition to the security engine that this circle queue index is corresponding will be for will treat described Packet is forwarded to carry out the security engine of safety detection.
Further, said apparatus, also include:
Dispatching Unit, is used for, when the load weights of the security engine of described circle queue index correspondence are zero, dividing The packet marking issuing this security engine is safe condition;Or
When the load weights of the security engine of described circle queue index correspondence are zero, will be distributed to this security engine Packet delivery give the security engine of load maximum weight in addition to this security engine;Or
When the load weights of the security engine of described circle queue index correspondence are zero, will be distributed to this security engine Packet average mark issue the security engine in addition to this security engine.
Further, described first determines unit, specifically for every predetermined period, work based on described security engine The current data of this security engine of state, CPU usage and acquisition processes flow and determines the load weights of described security engine.
Further, described second determines unit, specifically for not there is the ring corresponding with described Hash operation result During shape queue index, from the plurality of security engine, determine that the security engine of load maximum weight is for described data to be forwarded Bag carries out the security engine of safety detection, described load weights be duty based on described security engine, CPU usage and The current data of this security engine obtained processes what flow determined, and described load weights represent the current data of this security engine Package processing capability, described current data processes in flow represents this security engine current one time the stream of the packet processed Amount.
Further, described first determines unit, specifically for using equation below to determine the load of described security engine Weights:
F ( i ) = K × Q × [ a × ( 1 - C i / Σ i = 1 n C i ) + b × ( 1 - S i / Σ i = 1 n S i ) ] ;
Wherein, F (i) is the load weights of i-th security engine, and K is constant, and Q represents the work shape of i-th security engine State, Q=0 represents that the duty of this security engine is abnormal, and Q=1 represents that the duty of this security engine is normal, CiIt is The CPU usage of i security engine,For the sum of the CPU usage of each security engine, SiWorking as i-th security engine Front data process flow,Current data for each security engine processes the sum of flow, and n is the number of all security engines, A, b are constant, a > b.
Use the said apparatus that the embodiment of the present invention provides, due to by judging that data to be forwarded bag carries out Hash operation Whether result exists the circle queue index of correspondence, determines the security engine that packet to be forwarded carries out safety detection, treats Forward packet reasonably to distribute, improve security engine and packet is carried out the performance of safety detection.
Other features and advantage will illustrate in the following description, and, partly become from description Obtain it is clear that or understand by implementing the application.The purpose of the application and other advantages can be by the explanations write Structure specifically noted in book, claims and accompanying drawing realizes and obtains.
Accompanying drawing explanation
Accompanying drawing is for providing a further understanding of the present invention, and constitutes a part for description, implements with the present invention Example is used for explaining the present invention together, is not intended that limitation of the present invention.In the accompanying drawings:
Fig. 1 forwards and the structural representation of safety protection detection for the packet that the embodiment of the present invention provides;
The structural representation of the packet forwarding module that Fig. 2 provides for the embodiment of the present invention;
The flow chart of the load-balancing method that Fig. 3 provides for the embodiment of the present invention 1;
The flow chart of the load-balancing method that Fig. 4 provides for the embodiment of the present invention 2;
The structural representation of the load balancing apparatus that Fig. 5 provides for the embodiment of the present invention 3.
Detailed description of the invention
In order to provide the implementation improving the treatment effeciency that packet carries out forwarding and security protection detection, the present invention is real Execute example and provide packet forwarding and safety protection detection, load-balancing method and device, below in conjunction with Figure of description The preferred embodiments of the present invention are illustrated, it will be appreciated that preferred embodiment described herein is merely to illustrate and explains The present invention, is not intended to limit the present invention.And in the case of not conflicting, the embodiment in the application and the spy in embodiment Levy and can be mutually combined.
Embodiments provide a kind of packet to forward and safety protection detection, as it is shown in figure 1, include: number According to packet forward module 101, multiple security engines 102 and with multiple security engines circle queue 103 one to one, wherein:
Described packet forwarding module 101, as in figure 2 it is shown, include: bag collects module 201, packet handing module 202 and bag Sending module 203;
Module 201 collected by described bag, is used for receiving multiple data to be forwarded bag;Multiple described data to be forwarded bags are sent To described packet handing module;
Described packet handing module 202, collects, for receiving described bag, the multiple described data to be forwarded bag that module sends;Root According to default load-balancing algorithm, described data to be forwarded bag is sent to the safety that in multiple security engine, load capacity is the strongest and draws Hold up the circle queue of correspondence;Receive the described data to be forwarded carrying safety detection result mark in multiple described circle queue Bag;The data to be forwarded bag carrying the safety detection result mark representing safety is sent to described bag sending module;To carrying The data to be forwarded bag that the safety detection result having expression data to be surrounded by security threat identifies carries out abandoning or blocking at forwarding Reason;
Described bag sending module 203, carries, described in the transmission of described packet handing module, the peace representing safe for receiving The data to be forwarded bag of full testing result mark;Number to be forwarded by the described safety detection result mark carrying and representing safety It is sent to receiving terminal according to bag;
Described security engine 101, for obtaining data to be forwarded bag from the described circle queue corresponding with self;To institute State data to be forwarded bag and carry out security protection detection;The data to be forwarded bag carrying safety detection result mark is put into and oneself In the circle queue that body is corresponding;
Described circle queue 103, for store described packet handing module send described data to be forwarded bag and and self What corresponding described security engine sent carries the data to be forwarded bag of the safety detection result mark representing safety.
Further, packet handing module 202, specifically for collecting the multiple described to be forwarded of module reception to from described bag Packet carries out underlying security protection detection;For each described data to be forwarded bag, when the detection to this data to be forwarded bag Result be this data to be forwarded bag safe time, according to default load-balancing algorithm, this data to be forwarded bag is sent to multiple peace The circle queue that security engine that in full engine, load capacity is the strongest is corresponding;When to the testing result of this data to be forwarded bag for should When data to be forwarded is surrounded by security threat, this data to be forwarded bag is abandoned or blocks forward process.
Further, said system, also include: Command Line Parsing module 104, for according to performance requirement and processor hardware Restriction condition arranges number of threads and the number of security engine of described packet forwarding module, to described packet forwarding module Initialize installation is carried out with security engine.
In the embodiment of the present invention, when packet forwards and safety protection detection initializes, Command Line Parsing module root According to known Command Line Parsing mode, set up an one-dimensional functions array of pointers, with the id of cpu for index, deposit each safety and draw The address of the thread body function held up and the address of each thread body function of data packet forward module;When thread is debugged, directly Traveling through this array finds function address then to arrange the CPU mask bit that thread function is run, and then on corresponding CPU, binding is adjusted Spend.This initialization procedure can configure with processor hardware restriction condition according to performance requirement, say, that hardware is Adaptable, the most flexibly.As a example by packet forwarding module, Command Line Parsing module is according to performance requirement and processor hardware system The about number of threads of this packet forwarding module of condition setting, when at system initialization, according to known Command Line Parsing file In, thread CPU mask bit is set for each thread and this thread is scheduling, when number of threads is 0, initial configuration is wrong By mistake, and output error daily record, initialize unsuccessfully;When number of threads is 1, by packet forwarding module and a CPU specified Binding, arranges thread CPU mask bit;When number of threads is 2, the bag in packet forwarding module is collected module and bag sends Module and a CPU binding specified, bind packet handing module with another CPU specified, arrange thread CPU mask bit; When number of threads is 3, respectively bag is collected the CPU binding that module, packet handing module and bag sending module are respectively specified with, And it is respectively provided with thread CPU mask bit.
Further, Command Line Parsing module 104, it is additionally operable to the number according to configured described security engine, is respectively The circle queue that the distribution of each security engine is corresponding with self.
Forward and in safety protection detection at packet, for receiving the packet forwarding module of packet, by number It is distributed in each circle queue according to bag, for each circle queue, the peace that this packet forwarding module is corresponding with this circle queue Full engine shares this annular to row, and this packet forwarding module is by after in packet delivery to this circle queue, with this annular team After the security engine that row are corresponding carries out safety detection to the packet in this circle queue, by this packet with secure ID Be reentered into this circle queue, this packet forwarding module can by this circle queue with secure ID this packet from This circle queue takes out and does respective handling.When packet forwards and safety protection detection initializes, Command Line Parsing Module, according to the number of configured security engine, is that each security engine distributes 2^12 data in the shared drive of system The circle queue of bag size is also shared with this packet forwarding module, and according to the connection shape in known CONFIG.SYS State Track Table size predistribution can go out transmission control protocol (TCP, Transmission in the shared drive of system Control Protocol) connection status Track Table and User Datagram Protocol (UDP, User Data Protocol) connect shape State Track Table, have recorded the relevant information of packet, such as in connection status Track Table: the source IP of TCP or UDP message bag, Purpose IP, source port and destination interface information etc..Meanwhile, this connection status Track Table is also recorded for TCP or UDP message bag Status information, such as: service quality (QOS, Quality of Service) control mark and intrusion prevention system (IPS, Intrusion Prevention System) detection state etc..
Below in conjunction with the accompanying drawings, the method and device provided the present invention with specific embodiment is described in detail.
Embodiment 1:
Fig. 3 provides a kind of load-balancing method for the embodiment of the present invention 1, is applied to packet and forwards and security protection detection System, this system includes: packet forwarding module, multiple security engines and with multiple security engines one to one annular team Row, the method specifically includes and processes step as follows:
Step 301, the number of source IP, purpose IP and described security engine according to data to be forwarded bag carry out Hash fortune Calculate, obtain Hash operation result.
Step 302, determine whether there is corresponding with this Hash operation result circle queue index.
When step 303, the circle queue corresponding with this Hash operation result when existence index, determine that this circle queue indexes Corresponding security engine is the security engine that this data to be forwarded bag will carry out safety detection.
Step 304, when there is not corresponding with this Hash operation result circle queue index, from multiple security engines Determine the security engine that this data to be forwarded bag is carried out safety detection, and set up this Hash operation result and this safety determined Corresponding relation between the circle queue index that engine is corresponding.
Embodiment 2:
The flow chart of the load-balancing method that Fig. 4 provides for the embodiment of the present invention 2, the method application and safety detection system System, specifically includes and processes step as follows:
Step 401, number according to source IP, purpose IP and the security engine of data to be forwarded bag carry out Hash operation, To Hash operation result.
In this step, equation below can be used to carry out Hash operation:
Index=P* (Sip ∧ Dip) mod (n);
Wherein, Index is Hash operation result, and P is constant, such as P=1, and Sip is the source IP, Dip of data to be forwarded bag For purpose IP of data to be forwarded bag, ∧ represents that XOR, mod represent modular arithmetic, and n is the number of security engine.
Step 402, for each security engine, duty based on this security engine, CPU usage and acquisition should The current data of security engine processes flow, determines the load weights of this security engine.
Wherein, load weights represent the current data package processing capability of this security engine, and this current data processes flow meter The flow of the packet processed in showing this security engine current one time.
In this step, equation below can be used to determine the load weights of this security engine:
F ( i ) = K × Q × [ a × ( 1 - C i / Σ i = 1 n C i ) + b × ( 1 - S i / Σ i = 1 n S i ) ] ;
Wherein, F (i) is the load weights of i-th security engine, and K is constant, and such as, K=100, Q represent i-th safety The duty of engine, Q=0 represents that the duty of this security engine is abnormal, and Q=1 represents the duty of this security engine For normally, CiFor the CPU usage of i-th security engine,For the sum of the CPU usage of each security engine, SiFor i-th Security engine current data processes flow,Process the sum of flow for each security engine current data, n is that all safety is drawn The number held up, a, b are constant, a > b, such as a=0.8, b=0.2.
For each security engine, the load weights of each security engine, this predetermined period every predetermined period, can be determined Can arrange flexibly according to practical experience and needs.
Strict sequencing is not had between above-mentioned steps 401 and step 402.
Step 403, determine whether there is corresponding with this Hash operation result circle queue index, if it is, enter step Rapid 404, if it does not, enter step 409.
When step 404, the circle queue corresponding with this Hash operation result when existence index, determine that this circle queue indexes Whether the load weights of corresponding security engine are not less than preset weights threshold value, if it is, enter step 405, if it does not, enter Step 406.
Wherein, this preset weights threshold value can be arranged flexibly according to practical experience and needs.
Step 405, when the load weights of security engine corresponding to this circle queue index are not less than preset weights threshold value, Determine that the security engine that this circle queue index is corresponding is the security engine that this data to be forwarded bag will carry out safety detection.
Step 406, when the load weights of security engine corresponding to this circle queue index are less than preset weights threshold value, really Whether the load weights of the security engine that fixed this circle queue index is corresponding are zero, if it is, enter step 407, if it does not, enter Enter step 408.
Step 407, when the load weights of security engine corresponding to circle queue index are zero, to being distributed to this safety The data to be forwarded bag of engine processes.
In this step, the load weights of security engine are that this security engine of zero expression has collapsed, and will not be further continued for this Security engine packet distribution, needs to process the data to be forwarded bag being distributed to this security engine, can use such as The data to be forwarded bag being distributed to this security engine is processed by lower three kinds of modes:
First kind of way: be safe condition by the data to be forwarded packet making being distributed to this security engine;
The second way: by remaining security engine in addition to this security engine, according to load weights from big to small suitable Remaining security engine of ordered pair is ranked up, and the data to be forwarded bag being distributed to this security engine is distributed to remaining safety Engine loads the security engine of maximum weight;
The third mode: the packet average mark being distributed to this security engine is issued treating in addition to this security engine Detection security engine.
Step 408, when the load weights of security engine corresponding to circle queue index are not zero, determine except this annular team The security engine of the load maximum weight beyond the security engine that column index is corresponding will be for will pacify this data to be forwarded bag The security engine of full detection.
In this step, when the load weights of the security engine of circle queue index correspondence are not zero, will draw safely except this Remaining security engine beyond holding up, is ranked up remaining security engine according to load weights order from big to small, determines The security engine loading maximum weight in remaining security engine is the peace that this data to be forwarded bag will carry out safety detection Full engine.
Step 409, when there is not corresponding with this Hash operation result circle queue index, from multiple security engines Determine the security engine that this data to be forwarded bag is carried out safety detection.
In this step, can be from multiple security engines, using the security engine of load maximum weight as to be forwarded to this Packet carries out the security engine of safety detection;A security engine can also be randomly choosed as right from multiple security engines This data to be forwarded bag carries out the security engine of safety detection.
Between step 410, the circle queue that to set up this Hash operation result corresponding with this security engine determined index Corresponding relation.
Further, between the circle queue index that this security engine setting up this Hash operation result with determine is corresponding Corresponding relation after, when the Hash operation result that new data to be forwarded bag is obtained by Hash operation and this Hash operation When result is identical, can index according to the circle queue that this Hash operation result is corresponding, determine this circle queue index correspondence Security engine is the security engine that the data to be forwarded bag that this is new will carry out safety detection.
Further, it is also possible to according to source IP, purpose IP and the peace of data to be forwarded bag corresponding to this Hash operation result The number of full engine, obtains the number of source IP, purpose IP and the security engine of data to be forwarded bag and this security engine determined The corresponding corresponding relation between circle queue index, and by this corresponding relation record in connection status Track Table, when for new Data to be forwarded bag distribution security engine time, can search whether to exist in connection status Track Table and this is new to be forwarded The information that the number of source IP, purpose IP and the security engine of packet is identical, if it does, can be at this connection status Track Table The annular team that the middle lookup information identical with the number of source IP, purpose IP and the security engine of this new data to be forwarded bag is corresponding Column index, determines that the security engine that this circle queue index is corresponding is the data to be forwarded bag that this is new to be carried out safety detection Security engine.
The method provided by the above embodiment of the present invention 1 and 2, due to by judging that data to be forwarded bag carries out Hash fortune Whether the result calculated exists the circle queue index of correspondence, determines the security engine that packet to be forwarded carries out safety detection, Packet to be forwarded is reasonably distributed, improves security engine and packet is carried out the performance of safety detection.
Embodiment 3:
Based on same inventive concept, according to the load-balancing method of the above embodiment of the present invention offer, correspondingly, the present invention Embodiment 3 additionally provides load balancing apparatus, is applied to safety detecting system, and described safety detecting system includes: multiple for Packet is carried out safety detection security engine and with multiple security engines circle queue one to one, described circle queue Will carry out, for storing the security engine corresponding with this circle queue, the packet that detects, its structural representation as it is shown in figure 5, Specifically include:
Arithmetic element 501, the number for source IP, purpose IP and described security engine according to data to be forwarded bag is carried out Hash operation, obtains Hash operation result;
Index determines unit 502, is used to determine whether to there is the circle queue index corresponding with described Hash operation result;
First determines unit 503, for when there is the circle queue index corresponding with described Hash operation result, determining The security engine that described circle queue index is corresponding is the security engine that described data to be forwarded bag will carry out safety detection;
Second determines unit 504, is used for when there is not the circle queue index corresponding with described Hash operation result, from The plurality of security engine determines the security engine that described data to be forwarded bag carries out safety detection, and sets up described Hash Corresponding relation between the circle queue index that operation result is corresponding with this security engine determined.
Further, first determines unit 503, specifically for when there is the annular team corresponding with described Hash operation result During column index, determine whether the load weights of the security engine that described circle queue index is corresponding are not less than preset weights threshold value, Described load weights are the current number of this security engine of duty based on described security engine, CPU usage and acquisition According to processing what flow determined, described load weights represent the current data package processing capability of this security engine, described current data Process in flow represents this security engine current one time the flow of the packet processed;When described circle queue index correspondence The load weights of security engine not less than preset weights threshold value time, determine that security engine that this circle queue index is corresponding will be for will Described data to be forwarded bag is carried out the security engine of safety detection.
Further, said apparatus, also include:
3rd determines unit 505, for being less than pre-when the load weights of the security engine of described circle queue index correspondence If during weight threshold, determine whether the load weights of the security engine that described circle queue index is corresponding are zero;
4th determines unit 506, for being not zero when the load weights of the security engine of described circle queue index correspondence Time, determine that the security engine of the load maximum weight in addition to the security engine that this circle queue index is corresponding is will be to described Data to be forwarded bag carries out the security engine of safety detection.
Further, said apparatus, also include:
Dispatching Unit 507, is used for when the load weights of the security engine of described circle queue index correspondence are zero, by The packet marking being distributed to this security engine is safe condition;Or
When the load weights of the security engine of described circle queue index correspondence are zero, will be distributed to this security engine Packet delivery give the security engine of load maximum weight in addition to this security engine;Or
When the load weights of the security engine of described circle queue index correspondence are zero, will be distributed to this security engine Packet average mark issue the security engine in addition to this security engine.
Further, first determines unit 503, specifically for every predetermined period, work based on described security engine The current data of this security engine of state, CPU usage and acquisition processes flow and determines the load weights of described security engine.
Further, first determines unit 503, specifically for using equation below to determine the load power of described security engine Value:
F ( i ) = K × Q × [ a × ( 1 - C i / Σ i = 1 n C i ) + b × ( 1 - S i / Σ i = 1 n S i ) ] ;
Wherein, F (i) is the load weights of i-th security engine, and K is constant, and such as, K=100, Q represent i-th safety The duty of engine, Q=0 represents that the duty of this security engine is abnormal, and Q=1 represents the duty of this security engine For normally, CiFor the CPU usage of i-th security engine,For the sum of the CPU usage of each security engine, SiFor i-th Security engine current data processes flow,Process the sum of flow for each security engine current data, n is that all safety is drawn The number held up, a, b are constant, a > b.
Further, second determines unit 504, specifically for not there is the annular corresponding with described Hash operation result During queue index, from the plurality of security engine, determine that the security engine of load maximum weight is for described data to be forwarded bag Carrying out the security engine of safety detection, described load weights are duty based on described security engine, CPU usage and obtain The current data of this security engine taken processes what flow determined, and described load weights represent the current data packet of this security engine Disposal ability, described current data processes in flow represents this security engine current one time the flow of the packet processed.
The function of above-mentioned each unit may correspond to the respective handling step in flow process shown in Fig. 3 or Fig. 4, the most superfluous at this State.
In sum, the scheme that the embodiment of the present invention provides, including packet forwarding module, multiple security engines and with Multiple security engines circle queue one to one, wherein: described packet forwarding module includes that module collected by bag, and bag processes mould Block and bag sending module;Module collected by described bag, is used for receiving multiple data to be forwarded bag;By multiple described data to be forwarded bags It is sent to described packet handing module;Described packet handing module, for receive described bag collect module send multiple described in wait turn Send out packet;According to default load-balancing algorithm, described data to be forwarded bag is sent to load capacity in multiple security engine The circle queue that the strongest security engine is corresponding;Receive the institute carrying safety detection result mark in multiple described circle queue State data to be forwarded bag;The number to be forwarded carrying the safety detection result mark representing safety is sent to described bag sending module According to bag;To carry represent data be surrounded by security threat safety detection result mark data to be forwarded bag abandon or Block forward process;Described bag sending module, represents safety for receiving to carry described in the transmission of described packet handing module The data to be forwarded bag of safety detection result mark;The described safety detection result carrying expression safety identified is to be forwarded Packet is sent to receiving terminal;Described security engine, for obtaining number to be forwarded from the described circle queue corresponding with self According to bag;Described data to be forwarded bag is carried out security protection detection;The data to be forwarded of safety detection result mark will be carried Bag is put in the circle queue corresponding with self;Described circle queue, treats described in the transmission of described packet handing module for storing The safety detection result carrying expression safety forwarding packet and the described security engine corresponding with self to send identifies Data to be forwarded bag.The scheme using the embodiment of the present invention to provide, improves and forwards packet and security protection detection Treatment effeciency.
The packet that embodiments herein is provided forwards and can lead to safety protection detection and load balancing apparatus Cross computer program to realize.Those skilled in the art are it should be appreciated that above-mentioned Module Division mode is only numerous module draws One in the mode of dividing, if being divided into other modules or not dividing module, as long as packet forwards and security protection detection is System and load balancing apparatus have above-mentioned functions, all should be within the protection domain of the application.
The application is with reference to method, equipment (system) and the flow process of computer program according to the embodiment of the present application Figure and/or block diagram describe.It should be understood that can the most first-class by computer program instructions flowchart and/or block diagram Flow process in journey and/or square frame and flow chart and/or block diagram and/or the combination of square frame.These computer programs can be provided Instruction arrives the processor of general purpose computer, special-purpose computer, Embedded Processor or other programmable data processing device to produce A raw machine so that the instruction performed by the processor of computer or other programmable data processing device is produced for real The device of the function specified in one flow process of flow chart or multiple flow process and/or one square frame of block diagram or multiple square frame now.
These computer program instructions may be alternatively stored in and computer or other programmable data processing device can be guided with spy Determine in the computer-readable memory that mode works so that the instruction being stored in this computer-readable memory produces and includes referring to Make the manufacture of device, this command device realize at one flow process of flow chart or multiple flow process and/or one square frame of block diagram or The function specified in multiple square frames.
These computer program instructions also can be loaded in computer or other programmable data processing device so that at meter Perform sequence of operations step on calculation machine or other programmable devices to produce computer implemented process, thus at computer or The instruction performed on other programmable devices provides for realizing at one flow process of flow chart or multiple flow process and/or block diagram one The step of the function specified in individual square frame or multiple square frame.
Obviously, those skilled in the art can carry out various change and the modification essence without deviating from the present invention to the present invention God and scope.So, if these amendments of the present invention and modification belong to the scope of the claims in the present invention and equivalent technologies thereof Within, then the present invention is also intended to comprise these change and modification.

Claims (16)

1. a packet forwards and safety protection detection, it is characterised in that including: packet forwarding module, Duo Gean Full engine and with multiple security engines circle queue one to one, wherein:
Described packet forwarding module includes that bag collects module, packet handing module and bag sending module;
Module collected by described bag, is used for receiving multiple data to be forwarded bag;Multiple described data to be forwarded bags are sent to described Packet handing module;
Described packet handing module, collects, for receiving described bag, the multiple described data to be forwarded bag that module sends;According to presetting Load-balancing algorithm, is sent to the security engine that in multiple security engine, load capacity is the strongest corresponding by described data to be forwarded bag Circle queue;Receive the described data to be forwarded bag carrying safety detection result mark in multiple described circle queue;To Described bag sending module sends the data to be forwarded bag carrying the safety detection result mark representing safety;To carrying expression The data to be forwarded bag of the safety detection result mark that data are surrounded by security threat carries out abandoning or blocking forward process;
For receiving to carry described in the transmission of described packet handing module, described bag sending module, represents that the safety detection of safety is tied The data to be forwarded bag of fruit mark;The data to be forwarded bag of the described safety detection result mark carrying and representing safety is sent To receiving terminal;
Described security engine, for obtaining data to be forwarded bag from the described circle queue corresponding with self;Described waiting is turned Send out packet and carry out security protection detection;The data to be forwarded bag carrying safety detection result mark is put into corresponding with self Circle queue in;
Described circle queue, for storing described data to be forwarded bag and the institute corresponding with self that described packet handing module sends State the data to be forwarded bag carrying the safety detection result mark representing safety that security engine sends.
2. the system as claimed in claim 1, it is characterised in that described packet handing module, specifically for collecting from described bag The multiple described data to be forwarded bag that module receives carries out underlying protocol security protection detection;For each described data to be forwarded Bag, when to the testing result of this data to be forwarded bag be this data to be forwarded bag safe time, according to default load-balancing algorithm, will This data to be forwarded bag is sent to the circle queue that security engine that in multiple security engine, load capacity is the strongest is corresponding;When to this The testing result of data to be forwarded bag is this data to be forwarded when being surrounded by security threat, and this data to be forwarded bag is abandoned or hindered Disconnected forward process.
3. the system as claimed in claim 1, it is characterised in that also include: Command Line Parsing module, for according to performance requirement and Processor hardware restriction condition arranges number of threads and the number of security engine of described packet forwarding module, to described data Packet forward module and security engine carry out Initialize installation.
4. system as claimed in claim 3, it is characterised in that described Command Line Parsing module, is additionally operable to according to configured institute State the number of security engine, the circle queue that the distribution of the most each security engine is corresponding with self.
5. a load-balancing method, it is characterised in that be applied to packet and forward and safety protection detection, described data Bag forwards and safety protection detection includes: multiple security engines for packet being carried out safety detection and with multiple peaces Full engine circle queue one to one, described circle queue will enter for storing the security engine corresponding with this circle queue The packet of row detection;Described method includes:
The number of source IP, purpose IP and described security engine according to data to be forwarded bag carries out Hash operation, obtains Hash fortune Calculate result;
Determine whether there is the circle queue index corresponding with described Hash operation result;
When there is the circle queue index corresponding with described Hash operation result, determine the peace that described circle queue index is corresponding Full engine is the security engine that described data to be forwarded bag will carry out safety detection;
When there is not the circle queue index corresponding with described Hash operation result, determine negative from the plurality of security engine The security engine carrying maximum weight is the security engine that described data to be forwarded bag carries out safety detection, and described load weights are The current data of this security engine of duty based on described security engine, CPU usage and acquisition processes flow and determines , described load weights represent the current data package processing capability of this security engine, and described current data processes flow and represents this The flow of the packet processed in the security engine current one time, and set up described Hash operation result and this safety determined Corresponding relation between the circle queue index that engine is corresponding.
6. method as claimed in claim 5, it is characterised in that when there is the circle queue corresponding with described Hash operation result During index, determine that the security engine of described circle queue index correspondence will be for will carry out safety detection to described data to be forwarded bag Security engine, specifically include:
When there is the circle queue index corresponding with described Hash operation result, determine the peace that described circle queue index is corresponding Whether the load weights of full engine are not less than preset weights threshold value, and described load weights are work shape based on described security engine The current data of this security engine of state, CPU usage and acquisition processes what flow determined, and described load weights represent this safety The current data package processing capability of engine, described current data processes in flow represents this security engine current one time and processes The flow of packet;
When the load weights of the security engine of described circle queue index correspondence are not less than preset weights threshold value, determine this annular The security engine that queue index is corresponding is the security engine that described data to be forwarded bag will carry out safety detection.
7. method as claimed in claim 6, it is characterised in that also include:
When the load weights of the security engine of described circle queue index correspondence are less than preset weights threshold value, determine described annular Whether the load weights of the security engine that queue index is corresponding are zero;
When the load weights of the security engine of described circle queue index correspondence are not zero, determine except this circle queue index is right The security engine of the load maximum weight beyond the security engine answered will be for will carry out safety detection to described data to be forwarded bag Security engine.
8. method as claimed in claim 7, it is characterised in that also include:
When the load weights of the security engine of described circle queue index correspondence are zero, will be distributed to the number of this security engine It is safe condition according to packet making;Or
When the load weights of the security engine of described circle queue index correspondence are zero, will be distributed to the number of this security engine According to wrapping the security engine being distributed to the load maximum weight in addition to this security engine;Or
When the load weights of the security engine of described circle queue index correspondence are zero, will be distributed to the number of this security engine The security engine in addition to this security engine is issued according to bag average mark.
9. method as claimed in claim 6, it is characterised in that determine the load weights of described security engine, specifically include:
Every predetermined period, this security engine of duty based on described security engine, CPU usage and acquisition current Data process flow and determine the load weights of described security engine.
10. the method as described in claim 6-9 is arbitrary, it is characterised in that for each security engine, based on this security engine The current data of this security engine of duty, CPU usage and acquisition process flow and determine the load of this security engine Weights, specifically include:
Equation below is used to determine the load weights of this security engine:
F ( i ) = K × Q × [ a × ( 1 - C i / Σ i = 1 n C i ) + b × ( 1 - S i / Σ i = 1 n S i ) ] ;
Wherein, F (i) is the load weights of i-th security engine, and K is constant, and Q represents the duty of i-th security engine, Q =0 represents that the duty of this security engine is abnormal, and Q=1 represents that the duty of this security engine is normal, CiIt is i-th The CPU usage of individual security engine,For the sum of the CPU usage of each security engine, SiCurrent for i-th security engine Data process flow,Current data for each security engine processes the sum of flow, and n is the number of all security engines, a, b For constant, a > b.
11. 1 kinds of load balancing apparatus, it is characterised in that be applied to safety detecting system, described safety detecting system includes: many Individual security engine for packet being carried out safety detection and with multiple security engines circle queue one to one, described ring Shape queue is for storing the packet that the security engine corresponding with this circle queue will carry out detecting;Described device, including:
Arithmetic element, the number for source IP, purpose IP and described security engine according to data to be forwarded bag carries out Hash fortune Calculate, obtain Hash operation result;
Index determines unit, is used to determine whether to there is the circle queue index corresponding with described Hash operation result;
First determines unit, for when there is the circle queue index corresponding with described Hash operation result, determining described ring The security engine that shape queue index is corresponding is the security engine that described data to be forwarded bag will carry out safety detection;
Second determines unit, for when there is not the circle queue index corresponding with described Hash operation result, from described many Individual security engine determining, the security engine loading maximum weight is the safety that described data to be forwarded bag carries out safety detection Engine, described load weights are working as of this security engine of duty based on described security engine, CPU usage and acquisition Front data process flow and determine, described load weights represent the current data package processing capability of this security engine, described currently Data process in flow represents this security engine current one time the flow of the packet processed, and set up described Hash operation Corresponding relation between the circle queue index that result is corresponding with this security engine determined.
12. devices as claimed in claim 11, it is characterised in that described first determines unit, specifically for when existing and institute When stating circle queue index corresponding to Hash operation result, determine the load power of the security engine that described circle queue index is corresponding Value whether not less than preset weights threshold value, described load weights be duty based on described security engine, CPU usage and The current data of this security engine obtained processes what flow determined, and described load weights represent the current data of this security engine Package processing capability, described current data processes in flow represents this security engine current one time the stream of the packet processed Amount;When the load weights of the security engine of described circle queue index correspondence are not less than preset weights threshold value, determine this annular The security engine that queue index is corresponding is the security engine that described data to be forwarded bag will carry out safety detection.
13. devices as claimed in claim 12, it is characterised in that also include:
3rd determines unit, for being less than preset weights threshold when the load weights of the security engine of described circle queue index correspondence During value, determine whether the load weights of the security engine that described circle queue index is corresponding are zero;
4th determines unit, for when the load weights of the security engine of described circle queue index correspondence are not zero, determining The security engine of the load maximum weight in addition to the security engine that this circle queue index is corresponding is will be to described to be forwarded Packet carries out the security engine of safety detection.
14. devices as claimed in claim 13, it is characterised in that also include:
Dispatching Unit, is used for, when the load weights of the security engine of described circle queue index correspondence are zero, being distributed to The packet marking of this security engine is safe condition;Or
When the load weights of the security engine of described circle queue index correspondence are zero, will be distributed to the number of this security engine According to wrapping the security engine being distributed to the load maximum weight in addition to this security engine;Or
When the load weights of the security engine of described circle queue index correspondence are zero, will be distributed to the number of this security engine The security engine in addition to this security engine is issued according to bag average mark.
15. devices as claimed in claim 12, it is characterised in that described first determines unit, specifically for every default week Phase, it is true that the current data of this security engine of duty based on described security engine, CPU usage and acquisition processes flow The load weights of fixed described security engine.
16. devices as described in claim 12-15 is arbitrary, it is characterised in that described first determines unit, specifically for using Equation below determines the load weights of described security engine:
F ( i ) = K × Q × [ a × ( 1 - C i / Σ i = 1 n C i ) + b × ( 1 - S i / Σ i · = 1 n S i ) ] ;
Wherein, F (i) is the load weights of i-th security engine, and K is constant, and Q represents the duty of i-th security engine, Q =0 represents that the duty of this security engine is abnormal, and Q=1 represents that the duty of this security engine is normal, CiIt is i-th The CPU usage of individual security engine,For the sum of the CPU usage of each security engine, SiCurrent for i-th security engine Data process flow,Current data for each security engine processes the sum of flow, and n is the number of all security engines, a, b For constant, a > b.
CN201310753226.4A 2013-12-31 2013-12-31 Packet forwards and safety protection detection, load-balancing method and device Active CN103685321B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310753226.4A CN103685321B (en) 2013-12-31 2013-12-31 Packet forwards and safety protection detection, load-balancing method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310753226.4A CN103685321B (en) 2013-12-31 2013-12-31 Packet forwards and safety protection detection, load-balancing method and device

Publications (2)

Publication Number Publication Date
CN103685321A CN103685321A (en) 2014-03-26
CN103685321B true CN103685321B (en) 2016-09-14

Family

ID=50321635

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310753226.4A Active CN103685321B (en) 2013-12-31 2013-12-31 Packet forwards and safety protection detection, load-balancing method and device

Country Status (1)

Country Link
CN (1) CN103685321B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016008079A1 (en) * 2014-07-14 2016-01-21 华为技术有限公司 Packet processing method and related device for network device
CN106027405B (en) * 2016-05-03 2020-04-10 浙江宇视科技有限公司 Data stream shunting method and device
CN108650215A (en) * 2018-03-19 2018-10-12 山东超越数控电子股份有限公司 A kind of net based on label installs standby network data flow preprocess method
CN113691607B (en) * 2021-08-20 2023-06-02 绿盟科技集团股份有限公司 Flow load balancing control method and device and electronic equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1838592A (en) * 2006-04-26 2006-09-27 南京大学 Firewall method and system based on high-speed network data processing platform
CN101631139A (en) * 2009-05-19 2010-01-20 华耀环宇科技(北京)有限公司 Load balancing software architecture based on multi-core platform and method therefor
CN101977162A (en) * 2010-12-03 2011-02-16 电子科技大学 Load balancing method of high-speed network

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4413965B2 (en) * 2005-03-17 2010-02-10 富士通株式会社 Load balancing communication device and load balancing management device

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1838592A (en) * 2006-04-26 2006-09-27 南京大学 Firewall method and system based on high-speed network data processing platform
CN101631139A (en) * 2009-05-19 2010-01-20 华耀环宇科技(北京)有限公司 Load balancing software architecture based on multi-core platform and method therefor
CN101977162A (en) * 2010-12-03 2011-02-16 电子科技大学 Load balancing method of high-speed network

Also Published As

Publication number Publication date
CN103685321A (en) 2014-03-26

Similar Documents

Publication Publication Date Title
CN101610209B (en) Method and device for multi-core parallel concurrent processing of network traffic flows
CN104283806B (en) Business chain processing method and equipment
CN103685321B (en) Packet forwards and safety protection detection, load-balancing method and device
US20160248671A1 (en) Packet steering
CN109845218A (en) Channel data package system and method for being used together with client-server data channel
CN107852368A (en) Highly usable service chaining for network service
CN104601467B (en) A kind of method and apparatus for sending message
CN102811169A (en) Virtual private network (VPN) implementation method and system for performing multi-core parallel processing by using Hash algorithm
CN105871741B (en) A kind of message diversion method and device
CN102752198A (en) Multi-core message forwarding method, multi-core processor and network equipment
CN104683255B (en) Equally loaded sharing method, device and the link aggregation system of physical port
CN102801635A (en) Packet ordering method used in multi-core processor system
CN106357726A (en) Load balancing method and device
CN108200092A (en) Accelerate the method and system of message ACL matching treatments based on NFV technologies
CN104618253A (en) Dynamically changed transmission message processing method and device
CN105939284A (en) Message control strategy matching method and device
CN105471756B (en) A kind of data package processing method and device
CN105159779A (en) Method and system for improving data processing performance of multi-core CPU
CN103560958B (en) Method and device for rule matching of data packets
CN105516012B (en) To the load-balancing method and system of the processing of super large network flow
CN102387219A (en) Multi-network-card load balancing system and method
CN107995199A (en) The port speed constraint method and device of the network equipment
CN106161522A (en) The communication means of a kind of LA Management Room, the network equipment and distributed network
US9025597B2 (en) Methods and apparatus for providing one-arm node clustering using a port channel
KR101429114B1 (en) Apparatus and method for processing packet using multiprocessr

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Patentee after: NSFOCUS Technologies Group Co.,Ltd.

Patentee after: NSFOCUS TECHNOLOGIES Inc.

Address before: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Patentee before: NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd.

Patentee before: NSFOCUS TECHNOLOGIES Inc.

CP01 Change in the name or title of a patent holder