CN112333162B - Service processing method and equipment - Google Patents


Info

Publication number
CN112333162B
Authority
CN
China
Prior art keywords
virtual
card
board
network port
virtual network
Legal status (assumed by Google; not a legal conclusion)
Active
Application number
CN202011149505.6A
Other languages
Chinese (zh)
Other versions
CN112333162A (en)
Inventor
朱学朋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
New H3C Security Technologies Co Ltd
Original Assignee
New H3C Security Technologies Co Ltd
Priority date
2020-10-23
Filing date
2020-10-23
Publication date
2022-05-24
Events
Application filed by New H3C Security Technologies Co Ltd; priority to CN202011149505.6A; publication of CN112333162A (2021-02-05); application granted; publication of CN112333162B (2022-05-24); legal status: Active.

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application relates to a service processing method and device. The service processing method comprises: receiving a mirrored packet flow sent to the plug-in card board; looking up the card-board virtual network port mapped by the destination MAC address or the source MAC address of each mirrored packet of the flow; storing each mirrored packet in the receive queue of the mapped card-board virtual network port; and each virtual firewall reading the mirrored packets from the receive queue of its associated card-board virtual network port to perform bypass service processing, and discarding each mirrored packet after bypass processing is completed.

Description

Service processing method and equipment
Technical Field
The present application relates to communications technologies, and in particular, to a method and an apparatus for processing a service.
Background
Firewall virtualization means that one physical firewall device is logically divided into several virtual firewall devices while physical resources such as the CPU and memory are shared; different virtual firewalls are completely isolated in configuration and forwarding, which allows function customization, individual management and maximum utilization of resources. When a physical device is divided into several logical devices by virtualization technology, each logical device is called a context. Each context has its own exclusive software and hardware resources and operates independently, which improves networking flexibility.
A firewall device can also add a plug-in card board to handle special service requirements, such as running an artificial-intelligence algorithm to analyze traffic or running a performance-hungry virus-detection engine. However, when the firewall device is virtualized into multiple virtual firewalls, the card board cannot tell which virtual firewall the traffic it processes belongs to. As a result, different service configurations cannot be applied to different virtual firewalls on the card board, and the service packets of different virtual firewalls cannot be isolated from each other on the card board.
The firewall device shown in fig. 1 contains a management context and the virtual firewall contexts context1 and context2. Virtual firewalls context1 and context2 perform ARP interaction using the MAC addresses of the virtual network ports 21 and 22 bound to each of them: the source MAC address of a service packet sent by context1 or context2 is the MAC address of its bound virtual network port 21 or 22, and the destination MAC address of a service packet sent to context1 or context2 is likewise the MAC address of the bound virtual network port 21 or 22. The firewall device receives service packets from the upstream device through its input interface, performs layer-2 forwarding according to the destination MAC address, and sends each packet to interface 1 or interface 2 corresponding to that destination MAC address.
In fig. 1, the interface board/switch board additionally duplicates the service packets sent to context1 and context2 and sends the copies to interface 3 as mirrored packets. The card board receives the mirrored packets through physical network port 30, which is connected to interface 3, performs bypass service processing, sends the result to the management context, and then discards the mirrored packets. This bypass processing does not distinguish between virtual firewalls and cannot isolate the service packets of different virtual firewalls.
Disclosure of Invention
The application aims to provide a service processing method and device that perform bypass service processing on the card board of a firewall device with isolation between different virtual firewalls.
To this end, the application provides a service processing method comprising: receiving a mirrored packet flow sent to the card board; looking up the card-board virtual network port mapped by the destination MAC address or the source MAC address of each mirrored packet of the flow; storing each mirrored packet in the receive queue of the mapped card-board virtual network port; and each virtual firewall reading the mirrored packets from the receive queue of its associated card-board virtual network port to perform bypass service processing, and discarding each mirrored packet after bypass processing is completed.
The application further provides a service processing device that serves as the card board of a firewall device and comprises: a receiving module for receiving the mirrored packet flow sent to the card board; a distribution module for looking up the card-board virtual network port mapped by the destination MAC address or the source MAC address of each mirrored packet of the flow; and a virtual network port driver module for storing each mirrored packet in the receive queue of the mapped card-board virtual network port, so that each virtual firewall reads the mirrored packets from the receive queue of its associated card-board virtual network port to perform bypass service processing and discards each mirrored packet after bypass processing is completed.
The benefit of this application is that mirrored packets of different virtual firewalls are isolated from each other on the card board of the firewall device, so that the card board provides bypass service processing that is isolated between virtual firewalls. This lets the firewall device apply different processing on the card board according to the type of bypass service required, and improves the flexibility of the firewall device's bypass service processing.
Drawings
Fig. 1 is a schematic diagram illustrating how a conventional firewall card board processes packets;
Fig. 2 is a flowchart of a service processing method provided in the present application;
Fig. 3 is a schematic diagram of a service processing device provided in the present application.
Detailed Description
A detailed description will be given of a number of examples shown in a number of figures. In the following detailed description, numerous specific details are set forth in order to provide a thorough understanding of the present application. Well-known methods, procedures, components and circuits have not been described in detail so as not to obscure the examples.
The term "including" as that term is used is meant to include, but is not limited to; the term "comprising" means including but not limited to; the terms "above," "within," and "below" include the instant numbers; the terms "greater than" and "less than" mean that the number is not included. The term "based on" means based on at least a portion thereof.
Fig. 2 is a flowchart of a service processing method provided in the present application; the method comprises the following steps:
step 201, receiving a mirrored packet flow sent to the plug-in card board;
step 202, looking up the card-board virtual network port mapped by the destination MAC address or the source MAC address of each mirrored packet of the flow;
step 203, storing each mirrored packet in the receive queue of the mapped card-board virtual network port;
step 204, each virtual firewall reading the mirrored packets from the receive queue of its associated card-board virtual network port to perform bypass service processing;
and step 205, each virtual firewall discarding each mirrored packet after bypass processing is completed.
The benefit of the method shown in fig. 2 is that the mirrored packets of different virtual firewalls are isolated on the card board of the firewall device, so that the card board provides bypass service processing that is isolated between virtual firewalls.
Fig. 3 is a schematic diagram of a service processing device 40 provided in the present application; the service processing device 40 may be used as the card board of a firewall device. The service processing device 40 comprises a processor (CPU) 41, a memory 42 and a transceiver module 43.
The memory 42 stores processor-executable instructions; by executing them, processor 41 implements the virtual network port driver module 421, the configuration management module 422 and the distribution module 423.
The virtual network port driver module 421 generates the virtual network ports 31, 32 and 33 of the card board 40 and associates them with the virtual firewall context1, the virtual firewall context2 and the management context respectively.
The configuration management module 422 obtains, from the configuration information synchronized by the management context of the firewall, the association between virtual firewall context1 and virtual network port 21 and the association between virtual firewall context2 and virtual network port 22; obtains the MAC address MAC21 of virtual network port 21 and the MAC address MAC22 of virtual network port 22; and obtains from the virtual network port driver module 421 the association between context1 and virtual network port 31 and between context2 and virtual network port 32.
From these, the configuration management module 422 generates the card-board virtual network port address mapping, which records that MAC21 (the MAC address of virtual network port 21) maps to virtual network port 31 and that MAC22 (the MAC address of virtual network port 22) maps to virtual network port 32, and sends this mapping to the distribution module 423. The transceiver module 43 receives the mirrored packet flow from the physical network port 30 of the card board 40. The transceiver module 43 may be a physical network card; it buffers each mirrored packet read from physical port 30 and hands the packets to the distribution module 423 by way of DPDK (Data Plane Development Kit), libpcap (Packet Capture library) or a similar mechanism.
The distribution module 423 looks up the card-board virtual network port address mapping using the destination MAC address or the source MAC address of each mirrored packet. This works because the source MAC address of a packet sent by context1 or context2 on the firewall board is the MAC address of virtual network port 21 or 22 respectively, and the destination MAC address of a packet sent by the upstream device to context1 or context2 is also the MAC address of virtual network port 21 or 22.
By searching the mapping, the distribution module 423 determines the virtual network port 31 or 32 of virtual firewall context1 or context2 on the card board 40.
Through the interface provided by the virtual network port driver module 421, the distribution module 423 writes each mirrored packet into the receive queue of virtual network port 31 or 32 in the driver module 421.
The virtual network port driver module 421 may notify virtual firewall context1 or context2 on the card board 40 that a packet has arrived by raising a soft interrupt. In this way context1 and context2 receive their respective mirrored packets through virtual network ports 31 and 32.
On the card board 40, virtual firewall context1 or context2 reads the mirrored packets from the receive queue of its associated virtual network port 31 or 32, performs bypass service processing, and discards each mirrored packet after bypass processing is completed; context1 or context2 may further record the results of the bypass service processing in its own local bypass service log on the card board 40.
If the distribution module 423 finds no matching virtual network port 31 or 32 in the card-board virtual network port address mapping for the source or destination MAC address of a received mirrored packet, the packet is handled by the management context instead.
The virtual network port driver module 421 stores each mirrored packet that is not mapped to a card-board virtual network port in the receive queue of virtual network port 33, i.e. the receive queue of the card-board management virtual network port. As before, the distribution module 423 writes each unmatched mirrored packet into the receive queue of virtual network port 33 through the interface provided by the driver module 421.
The driver module 421 may notify the management context on the card board 40 of the arrival by raising a soft interrupt; the management context on the card board 40 receives the mirrored packets through virtual network port 33.
On the card board 40, the management context reads each stored mirrored packet from the receive queue of its associated virtual network port 33 for bypass processing and discards each packet from the management virtual network port's receive queue once bypass processing is completed. The management context records the results of the bypass service processing in the local management-context bypass service log of the card board 40.
On the card board 40, virtual firewalls context1 and context2 each synchronize their local bypass service log stored on the card board 40 to the service log of the corresponding virtual firewall on the firewall board; the management context likewise synchronizes its bypass service log stored on the card board 40 to the service log of the management context on the firewall board.
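The dispatch path described in the method steps and in the device description above (mapping build, MAC lookup, per-context receive queues, management-port fallback and log synchronization), as an added example in Python that is not code from the patent or from New H3C. The MAC addresses, the sample frames, the rule that a frame matching both a mapped destination MAC and a mapped source MAC goes to the destination's context, and the choice to drop frames too short to carry an Ethernet header are assumptions of this example, not statements of the patent, which only says "destination MAC address or source MAC address".

```python
"""Added example, not code from the patent or from New H3C: a minimal model of the
card-board dispatch path. MAC addresses and sample frames below are constructed."""
import struct
from collections import deque

ETH_HDR = struct.Struct("!6s6sH")  # destination MAC, source MAC, EtherType

# Assumed MAC addresses: MAC21/MAC22 stand for the firewall-board virtual
# network ports 21 and 22 bound to context1 and context2; UPSTREAM is the
# upstream device; UNKNOWN belongs to no configured context.
MAC21 = bytes.fromhex("020000000021")
MAC22 = bytes.fromhex("020000000022")
UPSTREAM = bytes.fromhex("020000000001")
UNKNOWN = bytes.fromhex("020000000099")


class VirtualPort:
    """A card-board virtual network port: one receive queue and one local
    bypass-service log, owned by exactly one context."""

    def __init__(self, name, context):
        self.name = name
        self.context = context
        self.rx_queue = deque()
        self.log = []


class CardBoard:
    """Distribution module plus virtual-port driver of the card board."""

    def __init__(self):
        self.ports = {
            "vport31": VirtualPort("vport31", "context1"),
            "vport32": VirtualPort("vport32", "context2"),
            "vport33": VirtualPort("vport33", "management"),
        }
        self.mgmt_port = self.ports["vport33"]
        self.mac_map = {}  # firewall-board vport MAC -> card-board VirtualPort
        self.dropped = 0   # frames too short for an Ethernet header (assumed policy)

    def sync_config(self, bindings):
        """Build the MAC -> card-board port mapping from (MAC, port name) pairs
        that the management context would synchronize to the board."""
        for mac, port_name in bindings:
            self.mac_map[mac] = self.ports[port_name]

    def distribute(self, frame):
        """Enqueue one mirrored frame on the port mapped by its destination MAC,
        else its source MAC, else the management port. Destination wins when both
        match (an assumption of this example). Returns the chosen port name, or
        None if the frame was dropped as malformed."""
        if len(frame) < ETH_HDR.size:
            self.dropped += 1
            return None
        dst, src, _ethertype = ETH_HDR.unpack_from(frame)
        port = self.mac_map.get(dst) or self.mac_map.get(src) or self.mgmt_port
        port.rx_queue.append(frame)
        return port.name

    def bypass_process(self, port_name, analyze):
        """The context owning port_name drains only its own queue, runs the
        bypass service on each frame, logs the result and discards the frame.
        Returns the number of frames processed."""
        port = self.ports[port_name]
        processed = 0
        while port.rx_queue:
            frame = port.rx_queue.popleft()   # discarded once processed
            port.log.append(analyze(frame))
            processed += 1
        return processed

    def sync_logs(self, port_name):
        """Hand the context's local log to the firewall board and clear it."""
        port = self.ports[port_name]
        entries, port.log = port.log, []
        return entries


def make_frame(dst, src, payload, ethertype=0x0800):
    return ETH_HDR.pack(dst, src, ethertype) + payload


# Constructed mirrored frames exercising each dispatch case.
SAMPLE_FRAMES = [
    make_frame(MAC21, UPSTREAM, b"upstream -> context1"),   # dst match
    make_frame(UPSTREAM, MAC22, b"context2 -> upstream"),   # src match
    make_frame(UPSTREAM, UNKNOWN, b"no context"),           # unmapped -> management
    make_frame(MAC22, MAC21, b"context1 -> context2"),      # both match, dst wins
    b"\x00" * 5,                                            # truncated, dropped
]


def run_demo():
    board = CardBoard()
    board.sync_config([(MAC21, "vport31"), (MAC22, "vport32")])
    decisions = [board.distribute(f) for f in SAMPLE_FRAMES]
    # Each context processes its own queue; the "service" here just keeps the payload.
    counts = {name: board.bypass_process(name, lambda f: f[ETH_HDR.size:])
              for name in board.ports}
    return decisions, counts, board


if __name__ == "__main__":
    decisions, counts, board = run_demo()
    print(decisions, counts, "dropped:", board.dropped)
```

The point worth checking in a real implementation is the fourth sample frame: because the key is a MAC address and the patent allows either the destination or the source address to select the context, a frame carrying one context's MAC as source and another's as destination is ambiguous, and the precedence has to be fixed and tested rather than left to whichever lookup happens first.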
The method and device of this application solve the problem of supporting multi-tenant virtualization when the firewall device processes a flow of bypass-mirrored packets: the card board of the firewall device isolates the mirrored packets of different tenants' virtual firewalls from each other, and the flexibility of the firewall device's bypass service processing is improved.
The present invention is not intended to be limited to the particular embodiments shown and described, but is to be accorded the widest scope consistent with the principles and novel features herein disclosed.

Claims (8)

1. A method for processing a service, the method comprising:
generating, on the card board, each card-board virtual network port associated with each virtual firewall of the firewall board and the card-board management virtual network port associated with the management virtual firewall;
acquiring the association between each virtual firewall on the firewall board and each virtual network port of the firewall board;
acquiring the MAC address of each virtual network port of the firewall board;
acquiring the association between each virtual firewall and each card-board virtual network port;
generating a card-board virtual network port address mapping that records the association between the MAC address of each firewall-board virtual network port associated with each virtual firewall and each card-board virtual network port associated with that virtual firewall;
receiving a mirrored packet flow sent to the card board;
looking up the card-board virtual network port mapped by the destination MAC address or the source MAC address of each mirrored packet of the mirrored packet flow;
storing the mirrored packets in the receive queue of the mapped card-board virtual network port;
and each virtual firewall reading the mirrored packets from the receive queue of its associated card-board virtual network port to perform bypass service processing, and discarding each mirrored packet after bypass processing is completed.
2. The method of claim 1, further comprising:
storing each mirrored packet that is not mapped to a card-board virtual network port in the receive queue of the card-board management virtual network port;
and the management virtual firewall reading each stored mirrored packet from the receive queue of its associated card-board management virtual network port to perform bypass processing, and discarding from that receive queue each mirrored packet whose bypass processing is completed.
3. The method of claim 1, further comprising:
synchronizing the bypass service log of each virtual firewall stored on the card board to the service log of that virtual firewall on the firewall board;
and synchronizing the bypass service log of the management virtual firewall stored on the card board to the service log of the management virtual firewall on the firewall board.
4. The method according to claim 1, wherein looking up the card-board virtual network port mapped by the destination MAC address or the source MAC address of each mirrored packet of the mirrored packet flow means searching the card-board virtual network port address mapping by the destination MAC address or the source MAC address of each mirrored packet to obtain the mapped card-board virtual network port.
5. A service processing device serving as the card board of a firewall device, the device comprising:
a receiving module for receiving a mirrored packet flow sent to the card board;
a distribution module for looking up the card-board virtual network port mapped by the destination MAC address or the source MAC address of each mirrored packet of the mirrored packet flow;
a virtual network port driver module for storing the mirrored packets in the receive queue of the mapped card-board virtual network port, each virtual firewall reading the mirrored packets from the receive queue of its associated card-board virtual network port to perform bypass service processing and discarding each mirrored packet after bypass processing is completed;
the virtual network port driver module being further configured to generate, on the card board, each card-board virtual network port associated with each virtual firewall of the firewall board and the card-board management virtual network port associated with the management virtual firewall;
and a configuration management module for acquiring the association between each virtual firewall on the firewall board and each virtual network port of the firewall board; acquiring the MAC address of each virtual network port of the firewall board; acquiring the association between each virtual firewall and each card-board virtual network port; generating the card-board virtual network port address mapping; and sending the generated mapping to the distribution module; the card-board virtual network port address mapping recording the association between the MAC address of each firewall-board virtual network port associated with each virtual firewall and each card-board virtual network port associated with that virtual firewall.
6. The device of claim 5, wherein
the distribution module is further configured to determine the mirrored packets for which no mapped card-board virtual network port is found;
the virtual network port driver module is further configured to store each mirrored packet that is not mapped to a card-board virtual network port in the receive queue of the card-board management virtual network port;
and the management virtual firewall reads the stored mirrored packets from the receive queue of its associated card-board management virtual network port to perform bypass processing, and discards from that receive queue the mirrored packets whose bypass processing is completed.
7. The device of claim 5, wherein
each virtual firewall synchronizes its bypass service log stored on the card board to the service log of that virtual firewall on the firewall board;
and the management virtual firewall synchronizes its bypass service log stored on the card board to the service log of the management virtual firewall on the firewall board.
8. The device according to claim 5, wherein the distribution module searches the card-board virtual network port address mapping by the destination MAC address or the source MAC address of each mirrored packet of the mirrored packet flow to obtain the mapped card-board virtual network port.
Application CN202011149505.6A, priority date 2020-10-23, filing date 2020-10-23, title "Service processing method and equipment", status Active, publication CN112333162B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011149505.6A CN112333162B (en) 2020-10-23 2020-10-23 Service processing method and equipment

Publications (2)

Publication Number Publication Date
CN112333162A CN112333162A (en) 2021-02-05
CN112333162B true CN112333162B (en) 2022-05-24

Family

ID=74312022

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011149505.6A Active CN112333162B (en) 2020-10-23 2020-10-23 Service processing method and equipment

Country Status (1)

Country Link
CN (1) CN112333162B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113794640B (en) * 2021-08-20 2022-11-18 新华三信息安全技术有限公司 Message processing method, device, equipment and machine readable storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101651680A (en) * 2009-09-14 2010-02-17 杭州华三通信技术有限公司 Network safety allocating method and network safety device
CN103533096A (en) * 2013-10-09 2014-01-22 杭州华三通信技术有限公司 Binding method and device of network card interface
CN109831390A (en) * 2019-01-21 2019-05-31 新华三云计算技术有限公司 Message transmission control method and device

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8024787B2 (en) * 2006-05-02 2011-09-20 Cisco Technology, Inc. Packet firewalls of particular use in packet switching devices
US10708299B2 (en) * 2018-03-19 2020-07-07 Fortinet, Inc. Mitigating effects of flooding attacks on a forwarding database

Also Published As

Publication number Publication date
CN112333162A (en) 2021-02-05

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant