CN111614689A - Message forwarding method and device for state firewall - Google Patents


Publication number: CN111614689A
Authority: CN (China)
Prior art keywords: forwarding, necessary information, connection table, message, packet
Legal status: Granted (the legal status is an assumption by Google, not a legal conclusion)
Application number: CN202010464685.0A
Other languages: Chinese (zh)
Other versions: CN111614689B (en)
Inventors: 张国兴 (Zhang Guoxing), 范雪俭 (Fan Xuejian), 于星杰 (Yu Xingjie), 陈强 (Chen Qiang), 孙峰 (Sun Feng)
Assignee (current and original; the listed assignees may be inaccurate, Google has performed no legal analysis): Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Events (priority, filing and publication dates are not given on this page):
    • Application CN202010464685.0A filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd
    • Publication of CN111614689A
    • Application granted
    • Publication of CN111614689B
    • Legal status: active (anticipated expiration date not given)

Classifications

All entries fall under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L63/0254 Stateful filtering (H04L63/00 Network architectures or network communication protocols for network security > H04L63/02 ... for separating internal from external traffic, e.g. firewalls > H04L63/0227 Filtering policies)
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL (H04L63/00 > H04L63/02 > H04L63/0227 Filtering policies)
    • H04L61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP] (H04L61/00 Network arrangements, protocols or services for addressing or naming > H04L61/09 Mapping addresses > H04L61/10 Mapping addresses of different types)
    • H04L45/745 Address table lookup; Address filtering (H04L45/00 Routing or path finding of packets in data switching networks > H04L45/74 Address processing for routing)


Abstract

Embodiments of this application provide a packet forwarding method and apparatus for a stateful firewall. The method comprises: obtaining the first packet of a connection; performing a second lookup of the first packet against the connection table of the stateful firewall to obtain the connection table entry corresponding to it, where the entry was created when the first lookup of the first packet failed and has since been associated with the forwarding information needed to forward the packet (the "forwarding necessary information"); retrieving that forwarding information through the entry; and forwarding the first packet according to it. In this way the connection table is verified before the first packet leaves the firewall, subsequent (non-first) packets of the connection are guaranteed to find their forwarding information through the connection table, and the poor stability of the stateful firewall is remedied.

Description

Message forwarding method and device for state firewall
Technical Field
The present application relates to the field of computers, and in particular, to a method and an apparatus for forwarding a packet for a stateful firewall.
Background
A stateful firewall is a firewall that performs stateful packet inspection: it continuously tracks the state of the network connections passing through it (for example Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) connections). It is designed to distinguish legitimate packets of different connection types; only packets that match an active connection are allowed through, and all other packets are rejected. Currently, once the first packet of a connection has passed the firewall's rule lookup, a corresponding entry is created in the firewall's connection table. The information needed to forward the packet (the forwarding necessary information) is then obtained by a route lookup followed by an Address Resolution Protocol (ARP) lookup. The first packet is forwarded according to that information, and the information is associated with the newly created connection table entry so that subsequent packets of the connection can be forwarded on the fast path.
In the course of implementing the invention, the inventors found the following problem in the prior art: because forwarding the first packet and associating the forwarding information with the created connection table entry are independent processes, in some cases the association happens later than the forwarding of the first packet. Since only a first packet can create a connection, if the first packet has already been forwarded but the forwarding information has not been reliably associated with the created entry, subsequent packets match the connection yet cannot obtain any forwarding information; they cannot be forwarded, and the service flow stalls.
Disclosure of Invention
An object of the embodiments of the present application is to provide a method and an apparatus for forwarding a packet for a stateful firewall, so as to solve a problem in the prior art that a stateful firewall is poor in stability.
In a first aspect, an embodiment of the present application provides a packet forwarding method for a stateful firewall, comprising: obtaining the first packet; performing a second lookup of the first packet against the connection table in the stateful firewall to obtain the connection table entry corresponding to it, where the entry was created when the first lookup of the first packet failed and is associated with the forwarding information corresponding to the first packet; retrieving the forwarding information through the entry; and forwarding the first packet according to it.
Thus, in this embodiment, the first packet is forwarded only after the second lookup has confirmed that its connection table entry exists and carries the forwarding information. The connection table is thereby verified, subsequent non-first packets are guaranteed to find their forwarding information through the connection table, and the stability problem of the stateful firewall is solved.
In a possible embodiment, before the second lookup of the first packet against the connection table, the method further comprises: performing a first lookup of the first packet against the connection table; if the first lookup fails, creating a connection table entry in the connection table; and associating the entry with the forwarding information.
In a possible embodiment, the forwarding information includes an egress interface and a next-hop media access control (MAC) address; or it includes an egress interface, a virtual local area network (VLAN) number and a next-hop MAC address.
In a possible embodiment, associating the entry with the forwarding information comprises: obtaining the routing table of the stateful firewall; querying it to obtain the next-hop IP address and egress interface for the first packet; if the next-hop MAC address for that next-hop IP address cannot be obtained from the Address Resolution Protocol (ARP) table, updating the ARP table; determining the next-hop MAC address from the updated ARP table and the next-hop IP address; and, if the egress interface is not operating in switching mode, building the forwarding information from the egress interface and the next-hop MAC address and associating the entry with it.
Thus, in this embodiment the second lookup is performed for a first packet only when its ARP entry had aged out and the egress interface operates in routing mode. Compared with a scheme in which every first packet is matched against the connection table a second time and its forwarding information is retrieved through the matched entry, this avoids the loss of efficiency that an unconditional second lookup would cause.
In a possible embodiment, if the next-hop MAC address is obtained from the ARP table, or the egress interface operates in switching mode, the method further comprises: determining the forwarding information from a preset table in the stateful firewall that stores forwarding information; associating the connection table entry with it; and forwarding the first packet according to it.
Thus, the first packet is forwarded only after its connection table entry has been associated with the forwarding information, so that subsequent non-first packets are guaranteed to find their forwarding information through the connection table.
In a possible embodiment, determining the forwarding information from the preset table comprises: obtaining the forwarding information if it is found in the preset table; or, if the lookup in the preset table fails, building the forwarding information from the egress interface and the next-hop MAC address.
In a second aspect, an embodiment of the present application provides a packet forwarding apparatus for a stateful firewall, comprising: an obtaining module for obtaining the first packet; a matching module for performing the second lookup of the first packet against the connection table in the stateful firewall to obtain the connection table entry corresponding to it, where the entry was created when the first lookup of the first packet failed and is associated with the forwarding information corresponding to the first packet; a lookup module for retrieving the forwarding information through the entry; and a forwarding module for forwarding the first packet according to it.
In a possible embodiment, the matching module is further configured to perform the first lookup of the first packet against the connection table, and the apparatus further comprises: a creating module for creating a connection table entry when the first lookup fails; and an association module for associating the entry with the forwarding information.
In a possible embodiment, the forwarding information includes an egress interface and a next-hop MAC address; or it includes an egress interface, a VLAN number and a next-hop MAC address.
In a possible embodiment, the obtaining module is further configured to obtain the routing table of the stateful firewall, and the association module comprises: a query module for querying the routing table to obtain the next-hop IP address and egress interface of the first packet; an update module for updating the ARP table when the next-hop MAC address for that IP address cannot be obtained from it; a determining module for determining the next-hop MAC address from the updated ARP table and the next-hop IP address; and an association-establishing module for building the forwarding information from the egress interface and the next-hop MAC address when the egress interface is not in switching mode, and associating the entry with it.
In a possible embodiment, the determining module is further configured to determine the forwarding information from a preset table in the stateful firewall that stores forwarding information; the association module is further configured to associate the entry with it; and the forwarding module is further configured to forward the first packet according to it.
In a possible embodiment, the determining module is further configured to obtain the forwarding information if it is found in the preset table, or, if the lookup in the preset table fails, to build it from the egress interface and the next-hop MAC address.
In a third aspect, an embodiment of the present application provides a storage medium, where a computer program is stored on the storage medium, and when the computer program is executed by a processor, the computer program performs the method according to the first aspect or any optional implementation manner of the first aspect.
In a fourth aspect, an embodiment of the present application provides an electronic device, including: a processor, a memory and a bus, the memory storing machine-readable instructions executable by the processor, the processor and the memory communicating via the bus when the electronic device is running, the machine-readable instructions when executed by the processor performing the method of the first aspect or any of the alternative implementations of the first aspect.
In a fifth aspect, the present application provides a computer program product which, when run on a computer, causes the computer to perform the method of the first aspect or any possible implementation manner of the first aspect.
In order to make the aforementioned and other objects, features and advantages of the present invention comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a flow chart illustrating a message forwarding method for a stateful firewall in the prior art;
fig. 2 is a flowchart illustrating a message forwarding method for a stateful firewall according to an embodiment of the present application;
fig. 3 shows a specific flowchart of a message forwarding method for a stateful firewall according to an embodiment of the present application;
fig. 4 is a specific flowchart illustrating another packet forwarding method for a stateful firewall according to an embodiment of the present application;
fig. 5 shows a block diagram of a message forwarding apparatus for a stateful firewall according to an embodiment of the present application;
fig. 6 shows a block diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.
The protocols carrying the largest share of Internet Protocol (IP) traffic are TCP, UDP and the Internet Control Message Protocol (ICMP). For TCP and UDP, and even for ICMP, a connection can be defined, and a five-tuple uniquely identifies it: source IP address, source port, destination IP address, destination port and transport-layer protocol.
The header fields that the rules examine are the same for every packet of a connection, so it is unnecessary to repeat the rule lookup for each of them. If a connection is registered in a connection table when it first appears at the firewall, together with the result of its rule lookup, then for every later packet of that connection a single query of the connection table completes the rule lookup. This is the basic principle of a stateful firewall; it is essentially a cache: the result of work that would otherwise be repeated is stored for the next use.
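The caching principle described above, as an added example that is not part of the patent: a minimal stateful firewall whose connection table is keyed by the five-tuple and records the rule result of the first packet, so that later packets of the same connection (including reply packets, whose five-tuple is the reverse of the first packet's; that bidirectional match is the usual practice and is my addition) never reach the rule lookup. The rule set, addresses and packets are constructed for the demonstration; ICMP is handled by letting the caller put the echo identifier in the port fields.

```python
# Added example (not from the patent): a stateful firewall that caches the
# rule-lookup result per connection in a table keyed by the five-tuple.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FiveTuple = Tuple[str, int, str, int, str]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int      # for ICMP echo, callers put the echo identifier here
    dst_ip: str
    dst_port: int
    proto: str         # "tcp", "udp" or "icmp"

    def five_tuple(self) -> FiveTuple:
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.proto)

    def reverse_tuple(self) -> FiveTuple:
        # Reply packets of the same connection carry swapped addresses and ports.
        return (self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


@dataclass(frozen=True)
class Rule:
    src_net: str                 # CIDR; "0.0.0.0/0" matches any source
    dst_net: str
    dst_port: Optional[int]      # None matches any port
    proto: Optional[str]         # None matches any protocol
    action: str                  # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(pkt.dst_ip) in ipaddress.ip_network(self.dst_net)
                and self.dst_port in (None, pkt.dst_port)
                and self.proto in (None, pkt.proto))


@dataclass
class ConnEntry:
    action: str        # recorded rule result: "allow" or "deny"
    packets: int = 0   # packets seen on this connection, both directions


class StatefulFirewall:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.conn_table: Dict[FiveTuple, ConnEntry] = {}
        self.rule_lookups = 0   # counts the slow path, to make the cache effect visible

    def _lookup_rules(self, pkt: Packet) -> str:
        self.rule_lookups += 1
        for rule in self.rules:       # first match wins
            if rule.matches(pkt):
                return rule.action
        return "deny"                 # default deny

    def _find_entry(self, pkt: Packet) -> Optional[ConnEntry]:
        # A packet belongs to a connection if its five-tuple equals the one
        # recorded from the first packet, or is the reverse of it (a reply).
        entry = self.conn_table.get(pkt.five_tuple())
        if entry is None:
            entry = self.conn_table.get(pkt.reverse_tuple())
        return entry

    def process(self, pkt: Packet) -> str:
        entry = self._find_entry(pkt)
        if entry is None:
            # First packet of a new connection: do the rule lookup once and
            # register its result in the connection table.
            entry = ConnEntry(self._lookup_rules(pkt))
            self.conn_table[pkt.five_tuple()] = entry
        entry.packets += 1
        return entry.action


def demo() -> Tuple[int, int, str]:
    """Constructed client/server exchange. Returns (rule lookups performed,
    connection entries, verdict for an unsolicited inbound packet)."""
    fw = StatefulFirewall([Rule("10.0.0.0/8", "0.0.0.0/0", 443, "tcp", "allow")])
    syn = Packet("10.1.1.5", 40000, "203.0.113.7", 443, "tcp")
    synack = Packet("203.0.113.7", 443, "10.1.1.5", 40000, "tcp")
    for pkt in (syn, synack, syn, syn):        # one rule lookup serves all four
        assert fw.process(pkt) == "allow"
    unsolicited = Packet("203.0.113.7", 443, "10.1.1.5", 22, "tcp")
    verdict = fw.process(unsolicited)          # no connection matches: rule lookup, default deny
    return fw.rule_lookups, len(fw.conn_table), verdict
```

Note that a "deny" result is cached too, exactly as the text's "recording result of the five-tuple" allows; a real implementation also ages entries out and, for TCP, checks flags and sequence numbers rather than relying on the five-tuple alone.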
Therefore, in the stateful firewall, how to realize stable and fast forwarding based on the created connection table is very important.
Referring to fig. 1, fig. 1 is a flowchart illustrating a packet forwarding method for a stateful firewall in the prior art. The method shown in fig. 1 comprises:
step S110, obtaining a packet.
step S120, matching the packet against the connection table of the stateful firewall.
If the packet does not match the connection table, it is determined to be a first packet and step S130 is performed. If it matches, it is determined to be a non-first packet and step S160 is performed.
step S130, creating the connection table entry corresponding to the first packet in the connection table.
step S140, obtaining the forwarding information corresponding to the first packet.
step S150, associating the forwarding information with the connection table entry corresponding to the first packet.
step S160, encapsulating and forwarding the packet according to the forwarding information.
It should be understood that the packet in step S160 may be a first packet or a non-first packet.
With reference to fig. 1, since forwarding the first packet and associating the forwarding information with its connection table entry are independent processes, in some cases the association can even happen later than the forwarding of the first packet. Because only a first packet can create a connection, if the first packet is forwarded without the forwarding information being reliably associated with the created entry, subsequent non-first packets match the connection but find no forwarding information, and the service flow of that connection stalls.
That is, the existing packet forwarding method has at least the problem that the stateful firewall is unstable.
Based on this, an embodiment of the present application provides a packet forwarding scheme for a stateful firewall: the first packet is obtained; a second lookup of the first packet against the connection table in the stateful firewall yields the connection table entry corresponding to it, where the entry was created when the first lookup of the first packet failed and is associated with the forwarding information corresponding to the first packet; the forwarding information is then retrieved through the entry; and finally the first packet is forwarded according to it.
Thus, in this embodiment, the first packet is forwarded only after the second lookup has confirmed that its connection table entry exists and carries the forwarding information. The connection table is thereby verified, subsequent non-first packets are guaranteed to find their forwarding information through the connection table, and the stability problem of the stateful firewall is solved.
To facilitate understanding of the embodiments of the present application, some terms in the embodiments of the present application are first explained herein as follows:
A "first packet" is the packet that establishes a session connection.
A "connection table entry" may contain the five-tuple extracted from the first packet and the recorded result for that five-tuple, which is either "allow" or "deny". The entry can be associated with the forwarding information.
The "forwarding necessary information" (forwarding information) is the information needed to forward a packet.
It should be understood that what the forwarding information contains may be chosen according to actual requirements; the embodiments are not limited in this respect.
For example, when the forwarding information corresponds to routing mode, it may include an egress interface and a next-hop Media Access Control (MAC) address.
When it corresponds to switching mode, it may include an egress interface, a Virtual Local Area Network (VLAN) number and a next-hop MAC address. The two modes forward packets differently: switching mode is layer-2 forwarding, routing mode is layer-3 forwarding.
An entry of the "routing table" may include an egress interface and a next-hop IP address.
The ARP table records the mapping between IP addresses and MAC addresses.
The MAC table stores the correspondence between the MAC addresses of hosts on the local area network and switch interfaces.
Referring to fig. 2, fig. 2 is a flowchart of a packet forwarding method for a stateful firewall according to an embodiment of the present application. The method may be performed by a packet forwarding apparatus for a stateful firewall, which may correspond to the apparatus shown in fig. 5 below; the apparatus may be any device capable of performing the method, such as a personal computer, a server or a network device, and the embodiments are not limited in this respect. The method shown in fig. 2 comprises:
step S210, obtaining the first packet.
step S220, performing the first lookup of the first packet against the connection table.
Since the connection table holds the entries of known connections, matching a packet against it determines whether an entry corresponding to the current packet exists.
step S230, if the first lookup of the first packet fails, creating the connection table entry corresponding to the first packet in the connection table.
The first lookup is considered failed when no entry of the connection table matches the first packet.
step S240, associating the connection table entry with the forwarding information corresponding to the first packet.
The form of the association between the connection table entry and the forwarding information may be chosen according to actual requirements, as long as the forwarding information can be found through the entry; the embodiments are not limited in this respect.
For example, the entry may carry an index (a reference) through which the corresponding forwarding information is subsequently found.
Likewise, the specific procedure for associating the entry with the forwarding information of the first packet may be chosen according to actual requirements.
In order to facilitate understanding of the embodiments of the present application, the following description will be given by way of specific examples.
Optionally, after the new connection table entry is created, the forwarding information is obtained and associated with the entry, and then the first packet is matched against the connection table a second time.
That is, in this variant every first packet undergoes the second lookup, which solves the stability problem of the prior art.
Optionally, after the new connection table entry is created, the routing table of the stateful firewall is obtained. Because each routing table entry records an egress interface and a next-hop IP address, querying the routing table yields the next-hop IP address and the egress interface.
Next, it is determined whether the next-hop MAC address corresponding to that next-hop IP address can be found among the entries of the ARP table.
If the next-hop MAC address is found in the ARP table, the lookup is successful. If it cannot be found, for example because the ARP entry has aged out, the lookup is considered failed.
If the lookup fails, the ARP table is updated, after which it contains a target entry recording the mapping between the next-hop IP address and the next-hop MAC address; the next-hop MAC address is determined from that entry. It is then determined whether the egress interface operates in switching mode. If it does not (that is, it operates in routing mode), the forwarding information is built from the next-hop MAC address and the egress interface, the created connection table entry is associated with it, and only then is the second lookup of the first packet against the connection table performed.
How the forwarding information is built from the next-hop MAC address and the egress interface may be chosen according to actual requirements; the embodiments are not limited in this respect.
For example, where forwarding information is kept as entries of the MAC table, a MAC entry is created from the next-hop MAC address and the egress interface; that MAC entry then holds the forwarding information.
Although a MAC entry is used here as the example of where forwarding information is stored, other kinds of entries may store it as well.
In addition, it should be further noted that, in this embodiment of the present application, only when the ARP entry is aged and the working mode of the egress interface is the routing mode, the first packet is used for the second matching, so that compared with a scheme in which all the first packet packets need to be matched with the connection table for the second time, the problem of efficiency reduction caused by that all the first packet packets need to be matched with the connection table for the second time and necessary information is searched and forwarded according to the matched connection entry can be avoided.
Meanwhile, it should be further explained that the reason why the ARP entry is selected to be aged and the working mode of the egress interface is that the routing mode is used as the trigger condition for the second matching is as follows:
when the ARP table is triggered to be updated, according to the ARP protocol, after a return packet of an ARP request is received, a data packet triggering ARP update, namely an established first packet message, is directly sent from an ARP buffer queue. At this time, if the operation mode of the egress interface is the routing mode, the MAC entry of the MAC table for managing the forwarding necessary information is not created yet (if the operation mode of the egress interface is the switching mode, the MAC entry of the MAC table for managing the forwarding necessary information is already automatically established when the return packet of the ARP request is received). Then, the situation occurs that the first packet message is sent first, then the forwarding necessary information is established, and the forwarding necessary information is associated with the newly-built connection table entry.
In addition, in case the lookup is successful (or, in case the operation mode of the output interface is the exchange mode), the forwarding necessary information may be determined according to a preset table for storing the forwarding necessary information in the stateful firewall. And associating the connection table entry with the forwarding necessary information. And finally, forwarding the first packet message according to the forwarding necessary information. That is, in this case, it is not necessary to perform the second matching of the first packet and the connection table, and it is sufficient to forward the first packet in the process of the first matching.
It should be understood that the specific form of the preset table may be set according to actual requirements, and the embodiment of the present application is not limited thereto.
For example, the preset table may be a MAC table.
It should also be understood that, according to the preset table for storing the forwarding necessary information in the stateful firewall, the specific process for determining the forwarding necessary information may also be set according to actual requirements, and the embodiment of the present application is not limited thereto.
For example, the preset table may be consulted to determine whether the forwarding necessary information can be found. When a preset table entry corresponding to the forwarding necessary information is found, the query result may be regarded as a successful query, and the forwarding necessary information is obtained from it (for example, where the preset table is a MAC table, the forwarding necessary information may include the egress interface, a VLAN number, the next hop MAC address, and the like). When no preset table entry corresponding to the forwarding necessary information is found, the query result is regarded as a failed query, and the forwarding necessary information can be established according to the egress interface and the next hop MAC address.
Step S250, performing second matching on the first packet message and the connection table in the stateful firewall to obtain a connection table entry corresponding to the first packet message.
The connection table may include a connection table entry, where the connection table entry is associated with the forwarding necessary information corresponding to the first packet message, and the connection table entry is established when the first matching of the first packet message fails.
In addition, it should be noted here that the first packet message in step S250 may be any first packet message, or only a first packet message for which the ARP entry has aged and the egress interface is in the routing mode, which is not limited in this embodiment of the present invention.
Step S260, searching for the forwarding necessary information according to the connection table entry.
Step S270, forwarding the first packet message according to the forwarding necessary information.
Therefore, in the embodiment of the present application, the connection table entry corresponding to the first packet message. Therefore, by this technical scheme, the connection table can be verified, subsequent non-first packet messages can be guaranteed to find the corresponding forwarding necessary information through the connection table, and the problem of poor stability of the stateful firewall is solved.
In order to facilitate understanding of the embodiments of the present application, the following description will be given by way of specific examples.
Referring to fig. 3, fig. 3 is a specific flowchart illustrating a message forwarding method for a stateful firewall according to an embodiment of the present application. The method shown in fig. 3 comprises:
Step S310, obtaining the message.
Step S320, matching the message with the connection table.
If matching the message against the connection table fails, the message may be determined to be a first packet message, and step S330 is performed. If matching the message against the connection table succeeds, step S360 may be executed.
It should be understood that, when no connection table entry is matched in the connection table, the result of this matching may be regarded as a matching failure; when a connection table entry corresponding to the message is matched in the connection table, the result of this matching is regarded as a matching success.
In addition, it should be noted here that the matching between the first packet and the connection table may include two matching procedures.
Step S330, a connection table entry is established in the connection table. The connection table entry may be a connection table entry corresponding to the first packet message.
Step S340, acquiring the forwarding necessary information, where the forwarding necessary information corresponds to the first packet message.
Step S350, associating the forwarding necessary information with the established connection table entry.
In addition, after the association is completed, the process returns to step S320, so that the first packet message is matched against the connection table a second time in order to verify the connection table.
Step S360, determining whether the forwarding necessary information can be found according to the connection table entry obtained by matching.
If the forwarding necessary information is found according to the matched connection table entry, step S370 is executed. If the forwarding necessary information is not found according to the matched connection table entry, the process returns to step S340.
Step S370, according to the necessary forwarding information, the packet is encapsulated and forwarded.
Referring to fig. 4, fig. 4 is a specific flowchart illustrating another packet forwarding method for a stateful firewall according to an embodiment of the present application. The method shown in fig. 4 includes:
Step S411, acquiring the message.
Step S412, matching the message with the connection table.
If matching the message against the connection table fails, the message may be a first packet message, and step S413 is executed. If matching the message against the connection table succeeds, the message may be a first packet message or a non-first packet message, and step S423 is executed.
It should be understood that, when no connection table entry is matched in the connection table, the result of this matching may be regarded as a matching failure; when a connection table entry is matched in the connection table, the result of this matching is regarded as a matching success.
Step S413, a connection table entry corresponding to the first packet message is established in the connection table.
Step S414, according to the routing table, the next hop IP address and the outgoing interface are obtained.
It should be understood that the next hop IP address may be the next hop IP address of the first packet message.
Step S415, it is determined whether the next-hop MAC address can be found according to the next-hop IP address.
In the case where the next-hop MAC address cannot be found from the next-hop IP address, step S416 is performed. In the case where the next-hop MAC address is found from the next-hop IP address, step S419 is performed.
Step S416, the ARP table is updated to obtain the next hop MAC address.
Step S417, determining whether the working mode of the egress interface is the switching mode.
If the working mode of the egress interface is not the switching mode, step S418 is executed. If the working mode of the egress interface is the switching mode, step S419 is executed.
Step S418, a MAC entry is established according to the next hop MAC address and the egress interface, and the MAC entry is associated with the newly-established connection table entry.
After the MAC entry and the connection table entry have been associated, the process returns to step S412 to perform the second matching of the first packet message against the connection table.
Step S419, determining whether the forwarding necessary information can be found according to the MAC table.
If the forwarding necessary information is found in the MAC table, it is obtained; here the forwarding necessary information includes the egress interface, a VLAN number and the next hop MAC address. If the forwarding necessary information cannot be found in the MAC table, step S420 is performed.
Step S420, a MAC entry is established according to the next hop MAC address and the egress interface, and the MAC entry is associated with the newly-established connection table entry.
Step S421, associate the newly-built connection table entry with the forwarding necessary information.
Step S422, according to the necessary forwarding information, the first packet message is forwarded.
Step S423, determining whether the necessary forwarding information corresponding to the current packet can be found according to the matching connection table entry.
It should be understood that the current packet may be a first packet or a non-first packet.
If the forwarding necessary information is found according to the matched connection table entry, step S422 is executed. If the forwarding necessary information is not found according to the matched connection table entry, step S414 is executed.
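The fig. 4 flow above, written out as an added Python model that is not the patent's own code nor any product's: a flow-keyed connection table, a routing table, an ARP table that can age out, a MAC table holding the forwarding necessary information, and the rule that a first packet is re-matched against the connection table only when the ARP entry had aged and the egress interface is in routing mode. All addresses, interface names (eth0/eth1/eth2), VLAN numbers and the `wire` dictionary that stands in for ARP replies are constructed sample data.

```python
"""Model of the fig. 4 forwarding flow of a stateful firewall (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

FlowKey = Tuple[str, str, int, int, str]   # src ip, dst ip, sport, dport, proto


@dataclass
class ForwardingInfo:                      # the "forwarding necessary information"
    egress: str
    next_hop_mac: str
    vlan: Optional[int] = None


@dataclass
class ConnEntry:                           # one connection table entry
    key: FlowKey
    fwd: Optional[ForwardingInfo] = None   # associated at S418 or S421


@dataclass
class Firewall:
    routes: Dict[str, Tuple[str, str]]     # prefix -> (next-hop IP, egress interface)
    arp: Dict[str, str]                    # next-hop IP -> MAC; an entry may have aged out
    wire: Dict[str, str]                   # constructed: what an ARP request would learn
    iface_mode: Dict[str, str]             # egress -> "routing" | "switching"
    vlans: Dict[str, int] = field(default_factory=dict)          # egress -> VLAN id
    mac_table: Dict[Tuple[str, str], ForwardingInfo] = field(default_factory=dict)
    conn: Dict[FlowKey, ConnEntry] = field(default_factory=dict)

    def _route(self, dst_ip: str) -> Tuple[str, str]:
        """S414: longest-prefix match in the routing table."""
        dst = ipaddress.ip_address(dst_ip)
        best = max((ipaddress.ip_network(p) for p in self.routes
                    if dst in ipaddress.ip_network(p)), key=lambda n: n.prefixlen)
        return self.routes[str(best)]

    def _arp_update(self, nh_ip: str) -> str:
        """S416: the ARP entry is missing (aged); send a request and learn the reply."""
        mac = self.wire[nh_ip]
        self.arp[nh_ip] = mac
        return mac

    def _build_fwd(self, entry: ConnEntry) -> Optional[ForwardingInfo]:
        """S414..S421. Returns None when the flow must go back to S412."""
        nh_ip, egress = self._route(entry.key[1])
        mac = self.arp.get(nh_ip)                          # S415
        if mac is None:
            mac = self._arp_update(nh_ip)                  # S416
            if self.iface_mode[egress] == "routing":       # S417 -> S418
                # Routing mode: no MAC entry exists yet and the packet has already
                # left the ARP buffer queue. Create the MAC entry, associate it with
                # the new connection entry, then verify it by a second match (S412).
                entry.fwd = ForwardingInfo(egress, mac)
                self.mac_table[(egress, mac)] = entry.fwd
                return None
            # Switching mode: the MAC entry was learned when the ARP reply arrived.
            self.mac_table.setdefault(
                (egress, mac), ForwardingInfo(egress, mac, self.vlans.get(egress)))
        fwd = self.mac_table.get((egress, mac))            # S419
        if fwd is None:                                    # S420
            fwd = ForwardingInfo(egress, mac)
            self.mac_table[(egress, mac)] = fwd
        entry.fwd = fwd                                    # S421
        return fwd

    def forward(self, key: FlowKey) -> Tuple[ForwardingInfo, int]:
        """Run one packet through fig. 4; returns (info used at S422, matches done)."""
        matches = 0
        while True:
            matches += 1                                   # S412
            entry = self.conn.get(key)
            if entry is None:                              # match failed: first packet
                entry = self.conn[key] = ConnEntry(key)    # S413
            elif entry.fwd is not None:                    # S423: info found
                return entry.fwd, matches                  # S422
            fwd = self._build_fwd(entry)                   # S414.. (also S423-fail path)
            if fwd is not None:
                return fwd, matches                        # S422
            # S418 completed: loop back to S412 for the second match


def make_firewall() -> Firewall:
    """Constructed sample state: eth0 next hop is fresh in ARP, eth1/eth2 have aged."""
    return Firewall(
        routes={"10.1.0.0/16": ("10.1.0.1", "eth1"),
                "10.2.0.0/16": ("10.2.0.1", "eth2"),
                "0.0.0.0/0": ("192.0.2.1", "eth0")},
        arp={"192.0.2.1": "00:00:5e:00:53:01"},
        wire={"10.1.0.1": "00:00:5e:00:53:11", "10.2.0.1": "00:00:5e:00:53:22",
              "192.0.2.1": "00:00:5e:00:53:01"},
        iface_mode={"eth0": "routing", "eth1": "routing", "eth2": "switching"},
        vlans={"eth2": 10},
        mac_table={("eth0", "00:00:5e:00:53:01"): ForwardingInfo("eth0", "00:00:5e:00:53:01")},
    )


if __name__ == "__main__":
    fw = make_firewall()
    flow = ("172.16.0.5", "10.1.5.9", 40000, 443, "tcp")
    info, n = fw.forward(flow)            # aged ARP + routing mode: two matches
    print(info, "matches:", n)
    print(fw.forward(flow)[1], "match for the non-first packet")
```

Running the script shows the first packet of a flow through eth1 needing two connection-table matches, while the same flow's next packet and flows through a fresh ARP entry or a switching-mode interface need only one.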
It should be understood that the above-mentioned message forwarding method for the stateful firewall is only an example, and those skilled in the art may make various modifications according to the above-mentioned method, and the solution after the modification also belongs to the protection scope of the present application.
Referring to fig. 5, fig. 5 shows a block diagram of a message forwarding apparatus 500 for a stateful firewall according to an embodiment of the present application, and it should be understood that the message forwarding apparatus 500 can perform the steps in the foregoing method embodiment, and specific functions of the message forwarding apparatus 500 may be referred to the description above, and a detailed description is appropriately omitted here to avoid repetition. The message forwarding device 500 includes at least one software function module that can be stored in a memory in the form of software or firmware (firmware) or solidified in an Operating System (OS) of the message forwarding device 500. Specifically, the message forwarding apparatus 500 includes:
an obtaining module 510, configured to obtain a first packet message; a matching module 520, configured to perform a second matching on the first packet message and a connection table in the state firewall to obtain a connection table entry corresponding to the first packet message, where the connection table includes a connection table entry, the connection table entry is associated with necessary forwarding information corresponding to the first packet message, and the connection table entry is established when the first packet message fails to be matched for the first time; a searching module 530, configured to search for necessary forwarding information according to the connection table entry; the forwarding module 540 is configured to forward the first packet message according to the forwarding necessary information.
In a possible embodiment, the matching module 520 is further configured to perform a first matching on the first packet message and the connection table; the message forwarding apparatus 500 further includes: an establishing module (not shown) configured to establish a connection table entry in the connection table when the first packet fails to match the connection table for the first time; and an association module (not shown) for associating the connection table entry with the forwarding necessary information.
In one possible embodiment, the forwarding necessary information includes an egress interface and a next hop media access control MAC address; or, the forwarding necessary information includes an outgoing interface, a virtual local area network VLAN number, and a next hop media access control MAC address.
In a possible embodiment, the obtaining module 510 is further configured to obtain a routing table in the stateful firewall; the association module comprises: a query module (not shown) configured to query the routing table, and obtain a next-hop IP address and an egress interface of the first packet; an updating module (not shown) configured to update the ARP table to obtain an updated ARP table when it fails to obtain a next-hop MAC address corresponding to the next-hop IP address by querying the ARP table; a determining module (not shown) configured to determine a next hop MAC address according to the updated ARP table and the next hop IP address; and an association establishing module (not shown) configured to establish forwarding necessary information according to the outgoing interface and the next-hop MAC address and associate the connection table entry with the forwarding necessary information, when the operation mode of the outgoing interface is not the switching mode.
In a possible embodiment, the determining module is further configured to determine the forwarding necessary information according to a preset table for storing the forwarding necessary information in the state firewall; the association module is also used for associating the connection table item with the necessary forwarding information; the forwarding module 540 is further configured to forward the first packet message according to the necessary forwarding information.
In one possible embodiment, the determining module is further configured to: acquiring the forwarding necessary information under the condition that the forwarding necessary information is found through the preset table; or, under the condition that the forwarding necessary information is found to fail through the preset table, the forwarding necessary information is established according to the outgoing interface and the next hop MAC address.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working process of the apparatus described above may refer to the corresponding process in the foregoing method, and will not be described in too much detail herein.
Fig. 6 shows a block diagram of an electronic device 600 according to an embodiment of the present application. As shown in fig. 6, the electronic device 600 may include a processor 610, a communication interface 620, a memory 630, and at least one communication bus 640. The communication bus 640 is used to enable direct communication coupling among these components. The communication interface 620 of the device in the embodiment of the present application is used for signaling or data communication with other node devices. The processor 610 may be an integrated circuit chip having signal processing capability. The processor 610 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. It may implement or execute the various methods, steps, and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor, or the processor 610 may be any conventional processor or the like.
The memory 630 may be, but is not limited to, a Random Access Memory (RAM), a Read Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Read-Only Memory (EPROM), an Electrically Erasable Read-Only Memory (EEPROM), and the like. The memory 630 stores computer readable instructions which, when executed by the processor 610, cause the electronic device 600 to perform the steps of the above-described method embodiments.
The electronic device 600 may further include a memory controller, an input-output unit, an audio unit, and a display unit.
The memory 630, the memory controller, the processor 610, the peripheral interface, the input/output unit, the audio unit, and the display unit are electrically connected to each other directly or indirectly to realize data transmission or interaction. For example, these components may be electrically coupled to each other via one or more communication buses 640. The processor 610 is configured to execute executable modules stored in the memory 630, such as software functional modules or computer programs included in the electronic device 600.
The input and output unit is used for providing input data for a user to realize the interaction of the user and the server (or the local terminal). The input/output unit may be, but is not limited to, a mouse, a keyboard, and the like.
The audio unit provides an audio interface to the user, which may include one or more microphones, one or more speakers, and audio circuitry.
The display unit provides an interactive interface (e.g. a user interface) between the electronic device and a user, or displays image data for the user's reference. In this embodiment, the display unit may be a liquid crystal display or a touch display. In the case of a touch display, the display can be a capacitive touch screen or a resistive touch screen, which supports single-point and multi-point touch operations. Support of single-point and multi-point touch operations means that the touch display can sense touch operations generated simultaneously at one or more positions on the touch display, and the sensed touch operations are sent to the processor for calculation and processing.
It will be appreciated that the configuration shown in FIG. 6 is merely illustrative and that the electronic device 600 may include more or fewer components than shown in FIG. 6 or have a different configuration than shown in FIG. 6. The components shown in fig. 6 may be implemented in hardware, software, or a combination thereof.
The present application provides a storage medium having stored thereon a computer program which, when executed by a processor, performs the method of an embodiment.
The present application also provides a computer program product which, when run on a computer, causes the computer to perform the method of the method embodiments.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working process of the system described above may refer to the corresponding process in the foregoing method, and will not be described in too much detail herein.
It should be noted that, in the present specification, the embodiments are all described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments may be referred to each other. For the device-like embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method can be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes. It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The above description is only a preferred embodiment of the present application and is not intended to limit the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application. It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (14)

1. A message forwarding method for a state firewall is characterized by comprising the following steps:
acquiring a first packet message;
performing second matching on the first packet message and a connection table in the state firewall to obtain a connection table entry corresponding to the first packet message, wherein the connection table includes the connection table entry, the connection table entry is associated with forwarding necessary information corresponding to the first packet message, and the connection table entry is established when the first packet message fails to be matched for the first time;
searching the forwarding necessary information according to the connection table item;
and forwarding the first packet message according to the forwarding necessary information.
2. The message forwarding method according to claim 1, wherein before the second matching of the first packet message with the connection table in the stateful firewall, the message forwarding method further comprises:
matching the first packet message with the connection table for the first time;
under the condition that the first matching between the first packet message and the connection table fails, establishing the connection table item in the connection table;
and associating the connection table entry with the necessary forwarding information.
3. The message forwarding method according to claim 2, wherein the forwarding necessary information includes an egress interface and a next hop media access control MAC address; or,
the forwarding necessary information includes an outgoing interface, a virtual local area network VLAN number and a next hop media access control MAC address.
4. The message forwarding method according to claim 3, wherein the associating the connection table entry with the forwarding necessary information includes:
obtaining a routing table in the state firewall;
inquiring the routing table to obtain a next hop IP address and the outgoing interface of the first packet message;
under the condition that the next hop MAC address corresponding to the next hop IP address is failed to be obtained by inquiring an Address Resolution Protocol (ARP) table, updating the ARP table to obtain an updated ARP table;
determining the next hop MAC address according to the updated ARP table and the next hop IP address;
and under the condition that the working mode of the outgoing interface is not the exchange mode, establishing the forwarding necessary information according to the outgoing interface and the next hop MAC address, and associating the connection table entry with the forwarding necessary information.
5. The message forwarding method according to claim 4, wherein when the next-hop MAC address is obtained through the ARP table or the working mode of the egress interface is an exchange mode, the message forwarding method further comprises:
determining the forwarding necessary information according to a preset table for storing the forwarding necessary information in the state firewall;
associating the connection table entry with the forwarding necessary information;
and forwarding the first packet message according to the forwarding necessary information.
6. The message forwarding method according to claim 5, wherein the determining the forwarding necessary information according to a preset table in the state firewall for storing the forwarding necessary information includes:
obtaining the forwarding necessary information under the condition that the forwarding necessary information is found through the preset table; or,
under the condition that the lookup of the forwarding necessary information through the preset table fails, establishing the forwarding necessary information according to the outgoing interface and the next hop MAC address.
7. A message forwarding apparatus for a stateful firewall, comprising:
the acquisition module is used for acquiring the first packet message;
a matching module, configured to perform a second matching on the first packet message and a connection table in the state firewall to obtain a connection table entry corresponding to the first packet message, where the connection table includes the connection table entry, the connection table entry is associated with necessary forwarding information corresponding to the first packet message, and the connection table entry is established when the first packet message fails to be matched for the first time;
the searching module is used for searching the forwarding necessary information according to the connection table item;
and the forwarding module is used for forwarding the first packet message according to the forwarding necessary information.
8. The message forwarding device according to claim 7, wherein the matching module is further configured to match the first packet message with the connection table for the first time;
the message forwarding device further comprises:
the establishing module is used for establishing the connection table item in the connection table under the condition that the first matching of the first packet message and the connection table fails;
and the association module is used for associating the connection table entry with the forwarding necessary information.
9. The message forwarding device according to claim 8, wherein the forwarding necessary information includes an egress interface and a next hop media access control MAC address; or,
the forwarding necessary information includes an outgoing interface, a virtual local area network VLAN number and a next hop media access control MAC address.
10. The message forwarding device according to claim 9, wherein the obtaining module is further configured to obtain a routing table in the stateful firewall;
the association module comprises:
the query module is used for querying the routing table and acquiring the next hop IP address and the outgoing interface of the first packet message;
the updating module is used for updating the ARP table to obtain an updated ARP table under the condition that the next hop MAC address corresponding to the next hop IP address is failed to be obtained by inquiring the ARP table;
a determining module, configured to determine the next hop MAC address according to the updated ARP table and the next hop IP address;
and the association establishing module is used for establishing the forwarding necessary information according to the outgoing interface and the next hop MAC address and associating the connection table entry with the forwarding necessary information under the condition that the working mode of the outgoing interface is not the exchange mode.
11. The message forwarding device according to claim 10, wherein the determining module is further configured to determine the forwarding necessary information according to a preset table in the state firewall for storing the forwarding necessary information;
the association module is further configured to associate the connection table entry with the forwarding necessary information;
and the forwarding module is further configured to forward the first packet message according to the forwarding necessary information.
12. The message forwarding device of claim 11, wherein the determining module is further configured to: obtaining the forwarding necessary information under the condition that the forwarding necessary information is found through the preset table; or, when the forwarding necessary information is found to fail through the preset table, the forwarding necessary information is established according to the outbound interface and the next-hop MAC address.
13. A storage medium having stored thereon a computer program for executing the method for packet forwarding for a stateful firewall according to any one of claims 1 to 6 when executed by a processor.
14. An electronic device, characterized in that the electronic device comprises: a processor, a memory and a bus, the memory storing machine-readable instructions executable by the processor, the processor and the memory communicating via the bus when the electronic device is operating, the machine-readable instructions when executed by the processor performing the message forwarding method for a stateful firewall according to any one of claims 1 to 6.
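The data path that claims 7 to 12 describe, modelled as an added Python example (this is not code from the patent or from Topsec): a flow's first packet misses the connection table, triggers one routing-table lookup and one ARP lookup (refreshing the ARP table on a miss), and the resulting egress interface, next-hop MAC and, for a switch-mode egress, VLAN number are stored in a shared "preset table" and bound to the new connection entry, so every later packet of the flow is forwarded from the entry alone. Class and function names, the topology, the addresses and the MACs are assumptions constructed for the example; the security policy that a real firewall applies before it creates connection state is outside the claims and is left out. The `arp_changed` method is an added caveat the claims do not cover: cached next-hop MACs must be refreshed when the ARP entry changes, otherwise every established connection keeps being sent to the old address.

```python
"""Toy model of the connection-table fast path in claims 7 to 12 (hypothetical example
code; all names, addresses, routes and MACs below are constructed for illustration)."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, Optional, Tuple

FlowKey = Tuple[str, str, int, int, str]  # (src_ip, dst_ip, sport, dport, proto)


@dataclass(frozen=True)
class FwdInfo:
    """'Necessary forwarding information' (claim 9): egress interface, next-hop MAC,
    and a VLAN number only when the egress interface works in switch mode."""
    egress: str
    next_hop_mac: str
    vlan: Optional[int] = None


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"

    def key(self) -> FlowKey:
        return (self.src, self.dst, self.sport, self.dport, self.proto)


class StatefulForwarder:
    def __init__(self, routes, switch_vlan, arp, arp_resolver: Callable[[str], str]):
        # routes: (prefix, next_hop_ip, egress) tuples; longest prefix wins.
        self.routes = sorted(((ip_network(p), nh, eg) for p, nh, eg in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)
        self.switch_vlan = switch_vlan       # egress -> VLAN id if in switch mode, else absent
        self.arp = dict(arp)                 # next-hop IP -> MAC
        self.arp_resolver = arp_resolver     # refreshes the ARP table on a miss (claim 10)
        self.conn_table: Dict[FlowKey, FwdInfo] = {}         # connection entry -> fwd info
        self.fwd_cache: Dict[Tuple[str, str], FwdInfo] = {}  # the "preset table" (claim 11)
        self.stats = {"route_lookups": 0, "arp_lookups": 0, "fast_path": 0}

    def _route(self, dst):
        self.stats["route_lookups"] += 1
        addr = ip_address(dst)
        for net, nh, eg in self.routes:
            if addr in net:
                return nh, eg
        raise LookupError(f"no route to {dst}")

    def _next_hop_mac(self, nh_ip):
        self.stats["arp_lookups"] += 1
        if nh_ip not in self.arp:                        # ARP miss: update table, then read it
            self.arp[nh_ip] = self.arp_resolver(nh_ip)
        return self.arp[nh_ip]

    def _build_fwd_info(self, dst):
        nh_ip, egress = self._route(dst)
        info = self.fwd_cache.get((egress, nh_ip))       # claim 12: reuse if already present
        if info is None:
            info = FwdInfo(egress, self._next_hop_mac(nh_ip), self.switch_vlan.get(egress))
            self.fwd_cache[(egress, nh_ip)] = info
        return info

    def forward(self, pkt: Packet) -> FwdInfo:
        """Return the forwarding decision for pkt; a real device would emit the frame."""
        info = self.conn_table.get(pkt.key())
        if info is None:
            # First match failed: establish the entry and associate fwd info (claim 8).
            # A real firewall applies its security policy before creating state; omitted here.
            info = self.conn_table[pkt.key()] = self._build_fwd_info(pkt.dst)
        else:
            self.stats["fast_path"] += 1                 # route and ARP lookups skipped
        return info

    def arp_changed(self, nh_ip, new_mac) -> int:
        """Added caveat, not in the claims: when a next-hop MAC changes, cached FwdInfo and
        every connection bound to it must be refreshed, or established flows keep being
        sent to the stale MAC. Returns the number of connections rewritten."""
        self.arp[nh_ip] = new_mac
        fixed = 0
        for cache_key, old in list(self.fwd_cache.items()):
            if cache_key[1] != nh_ip or old.next_hop_mac == new_mac:
                continue
            new = self.fwd_cache[cache_key] = replace(old, next_hop_mac=new_mac)
            for flow, bound in list(self.conn_table.items()):
                if bound is old:
                    self.conn_table[flow] = new
                    fixed += 1
        return fixed


def demo() -> StatefulForwarder:
    """Constructed topology: default route via 10.0.0.1 on ge0 (routed mode);
    192.168.1.0/24 via 192.168.1.254 on ge1 (switch mode, VLAN 100, no ARP entry yet)."""
    fw = StatefulForwarder(
        routes=[("0.0.0.0/0", "10.0.0.1", "ge0"), ("192.168.1.0/24", "192.168.1.254", "ge1")],
        switch_vlan={"ge1": 100},
        arp={"10.0.0.1": "aa:bb:cc:dd:ee:01"},
        arp_resolver=lambda ip: "00:11:22:33:44:55",     # stand-in for an ARP request/reply
    )
    flow = Packet("172.16.5.9", "8.8.8.8", 40000, 443)
    for _ in range(3):
        fw.forward(flow)                                  # 1 slow-path + 2 fast-path hits
    fw.forward(Packet("172.16.5.9", "8.8.4.4", 40001, 443))      # new flow, same next hop
    fw.forward(Packet("172.16.5.9", "192.168.1.10", 40002, 80))  # ARP miss, VLAN-tagged egress
    return fw
```

After `demo()` the counters show the point of the design: five packets cost three route lookups and two ARP lookups, and the two flows towards the same next hop share one `FwdInfo` object from the preset table. The connection table is keyed on the full five-tuple, which is what lets later packets bypass every per-packet lookup; the price is that anything the cached information depends on (route, ARP entry, interface mode) needs an invalidation path like `arp_changed`.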
CN202010464685.0A 2020-05-27 2020-05-27 Message forwarding method and device for state firewall Active CN111614689B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010464685.0A CN111614689B (en) 2020-05-27 2020-05-27 Message forwarding method and device for state firewall

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010464685.0A CN111614689B (en) 2020-05-27 2020-05-27 Message forwarding method and device for state firewall

Publications (2)

Publication Number Publication Date
CN111614689A true CN111614689A (en) 2020-09-01
CN111614689B CN111614689B (en) 2021-02-19

Family

ID=72201641

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010464685.0A Active CN111614689B (en) 2020-05-27 2020-05-27 Message forwarding method and device for state firewall

Country Status (1)

Country Link
CN (1) CN111614689B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114697076A (en) * 2022-02-24 2022-07-01 深圳融安网络科技有限公司 Application access control method and device, terminal equipment and medium

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1466340A (en) * 2002-06-24 2004-01-07 Method for forwarding data in policy-flow mode and data forwarding equipment
WO2004028053A1 (en) * 2002-09-18 2004-04-01 Flarion Technologies, Inc. Methods and apparatus for using a care of address option
CN1835500A (en) * 2005-03-15 2006-09-20 华为技术有限公司 Method for mobile IPv6 data to traverse a stateful firewall
EP1500250A4 (en) * 2002-05-01 2010-11-10 Firebridge Systems Pty Ltd Firewall with stateful inspection
CN102790773A (en) * 2012-07-30 2012-11-21 深圳市共进电子股份有限公司 Method for realizing firewall in household gateway
CN103516613A (en) * 2013-09-25 2014-01-15 汉柏科技有限公司 Quick message forwarding method
CN103546374A (en) * 2012-07-10 2014-01-29 杭州华三通信技术有限公司 Message forwarding method and device in a Layer 2 edge network
CN107547523A (en) * 2017-08-08 2018-01-05 新华三信息安全技术有限公司 Message processing method and device, network equipment and machine-readable storage medium
CN109361609A (en) * 2018-12-14 2019-02-19 东软集团股份有限公司 Message forwarding method, device, equipment and storage medium for firewall equipment
CN109561108A (en) * 2019-01-07 2019-04-02 中国人民解放军国防科技大学 Policy-based container network resource isolation control method
CN109639694A (en) * 2018-12-20 2019-04-16 国云科技股份有限公司 Firewall packet matching algorithm based on rule-tree retrieval

Also Published As

Publication number Publication date
CN111614689B (en) 2021-02-19

Similar Documents

Publication Publication Date Title
US8073936B2 (en) Providing support for responding to location protocol queries within a network node
WO2017000878A1 (en) Message processing
US9609014B2 (en) Method and apparatus for preventing insertion of malicious content at a named data network router
EP2214357A1 (en) Method and System for Facilitating Forwarding a Packet in a Content-Centric Network
CN112615784B (en) Method, device, storage medium and electronic equipment for forwarding message
US10616175B2 (en) Forwarding information to forward data to proxy devices
CN106878168B (en) Message forwarding method and device
US20160373356A1 (en) Method for processing host route in virtual subnet, related device, and communications system
JP2015512231A (en) Method and system for fast and large longest prefix matching
US9906449B2 (en) System and method for reduced forwarding information storage
CA3104756C (en) Loop avoidance communications method, device, and system
CN109412926B (en) Tunnel establishment method and device
CN109379241B (en) Path information determination method and device
US10404598B1 (en) Managing next hop groups in routers
US20230015922A1 (en) Mac address sending method, apparatus, and system, and related device
CN111988445B (en) Message forwarding method and device, storage medium and electronic equipment
US20160164952A1 (en) Systems and Methods For Information Centric Networking
CN111614689B (en) Message forwarding method and device for state firewall
CN109561172B (en) DNS transparent proxy method, device, equipment and storage medium
US20210203695A1 (en) Anti-spoofing attack check method, device, and system
US20230041395A1 (en) Method and Device for Processing Routing Table Entries
US10009258B2 (en) Methods, systems, and computer readable media for routing a redirected request message
CN107528929B (en) ARP (Address resolution protocol) entry processing method and device
US20220150167A1 (en) Bier packet processing method, network device, and system
EP3026862A1 (en) Routing loop determining method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant