CN113259220B - Method and server for sharing private information in message - Google Patents

Info

Publication number: CN113259220B
Authority: CN (China)
Prior art keywords: message, vni, docker container, vxlan, packet
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202110793508.1A
Other languages: Chinese (zh)
Other versions: CN113259220A (en)
Inventors: 吴情彪, 黄华桥
Current Assignee: Wuhan Greenet Information Service Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Wuhan Greenet Information Service Co Ltd
Events: application filed by Wuhan Greenet Information Service Co Ltd; priority to CN202110793508.1A; publication of CN113259220A; application granted; publication of CN113259220B; legal status Active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H04L49/00 Packet switching elements
    • H04L49/90 Buffering arrangements
    • H04L49/901 Buffering arrangements using storage descriptor, e.g. read or write pointers

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a method and a server for sharing private information in a message. The method comprises the following steps: the network card stores a first vxlan message, comprising a first encapsulation message and an original message, in a message cache region; the first docker container parses the first encapsulation message to obtain a first vni and stores the first vni in the extended information cache region; the second docker container extracts the original message and the first vni from the message cache region and the extended information cache region respectively, and stores the nat inner layer message header information and the second vni it determines in the extended information cache region; the first docker container extracts the second vni from the extended information cache region and stores the second encapsulation message it determines in the extended information cache region, so that the original message, the nat inner layer message header information and the second encapsulation message jointly form a second vxlan message. Private information in the message is thus shared by opening up the extended information cache region, and the working efficiency of the server is improved.

Description

Method and server for sharing private information in message
Technical Field
The invention relates to the technical field of communication, in particular to a method and a server for sharing private information in a message.
Background
VXLAN (Virtual eXtensible LAN) is a technology that uses "MAC in UDP" encapsulation to carry a layer-2 frame across a layer-3 network; with the rapid development of virtualization, VXLAN has come into wide use.
Within one server using VXLAN, different VNFs (Virtual Network Functions) need to perform different operations on the messages received by the network card in order to obtain the information they need, and the information obtained by one VNF cannot be shared with another. As a result, at least one VNF has to repeat an operation that at least one other VNF has already performed before it can proceed with its own processing; that is, the operations performed by at least two VNFs in the server partially overlap, which reduces the working efficiency of the server.
Therefore, a method and a server for sharing private information in a message are needed that can improve the working efficiency of the server.
Disclosure of Invention
The embodiment of the invention provides a method and a server for sharing private information in a message. An extended information buffer area is opened in the buffer area of a network card; a first docker container strips a first vni from a first vxlan message and stores it in the extended information buffer area, and a second docker container can directly use the first vni in the extended information buffer area to determine the corresponding nat information and a second vni. This solves the problem that the working efficiency of a server is low because, at present, the second docker container has to repeat the operation already executed by the first docker container in order to obtain the corresponding information.
The embodiment of the invention provides a method for sharing private information in a message, which is applied to a server, wherein the server comprises a network card, a first docker container and a second docker container, the network card comprises a cache region, the cache region comprises a message cache region and an extended information cache region, and the method for sharing the private information in the message comprises the following steps:
the network card receives a first vxlan message, and stores the first vxlan message to the message cache area, wherein the first vxlan message comprises a first encapsulation message and an original message, and the first encapsulation message comprises a first vni;
the first docker container analyzes the first encapsulation message from the first vxlan message, acquires the first vni, and stores the first vni in the extended information cache region;
the second docker container extracts the original message from the message cache region, extracts the first vni from the extended information cache region, and determines corresponding nat inner layer message header information and second vni according to the original message and the first vni;
the second docker container stores the nat inner layer message header information and the second vni to the extended information cache region;
and the first docker container extracts the second vni from the extended information cache region, determines a second encapsulated message according to the second vni, and stores the second encapsulated message to the extended information cache region, so that the original message located in the message cache region, and the nat inner layer message header information and the second encapsulated message located in the extended information cache region jointly form a second vxlan message.
In an embodiment, the step of extracting, by the second docker container, the original packet from the packet buffer, extracting the first vni from the extended information buffer, and determining, according to the original packet and the first vni, corresponding nat inner layer packet header information and second vni includes:
the second docker container extracts an original inner layer message header from the original message and extracts the first vni from the extended information buffer area;
the second docker container searches corresponding nat IP, nat PORT and second vni in the nat conversion table and the vni conversion table respectively according to the original inner layer message header and the first vni;
and the second docker container determines the nat inner layer message header information according to the nat IP and the nat PORT.
In an embodiment, before the step of analyzing, by the first docker container, the first encapsulated packet from the first vxlan packet and acquiring the first vni, and storing the first vni in the extended information buffer, the method includes:
the network card sends a pointer of the first vxlan message to the first docker container;
and the first docker container accesses the first vxlan message according to the pointer of the first vxlan message.
In an embodiment, before the steps of extracting, by the second docker container, the original packet from the packet buffer, extracting the first vni from the extended information buffer, and determining, according to the original packet and the first vni, corresponding nat inner layer packet header information and second vni, the method includes:
the network card sends a pointer of the original message to the second docker container;
and the second docker container determines the extended information buffer area according to the pointer of the original message, and accesses the original message and the first vni.
In an embodiment, after the step of extracting, by the first docker container, the second vni from the extended information cache region, determining a second encapsulated packet according to the second vni, and storing the second encapsulated packet in the extended information cache region, so that the original packet located in the packet cache region and the nat inner layer packet header information and the second encapsulated packet located in the extended information cache region jointly form a second vxlan packet, the method includes:
the network card determines a corresponding sending tunnel according to the second vxlan message;
and the network card sends the second vxlan message according to the sending tunnel.
In an embodiment, the server further includes a third docker container, and the first encapsulation packet further includes a source IP address and a destination IP address; after the step in which the network card receives the first vxlan packet (including the first encapsulation packet and the original packet, the first encapsulation packet including the first vni) and stores it to the packet buffer, the method further includes:
the first docker container analyzes the first encapsulation message from the first vxlan message, obtains the source IP address and the destination IP address, and stores the source IP address and the destination IP address to the extended information cache region;
the third docker container extracts the source IP address and the destination IP address from the extended information cache region, and judges whether the first vxlan message is a legal message or not according to the source IP address and the destination IP address;
if the first vxlan message is a legal message, the third docker container processes the original message;
and if the first vxlan message is not a legal message, discarding the original message by the third docker container.
The embodiment of the invention provides a server, which comprises a network card, a first docker container and a second docker container, wherein the network card comprises a cache region, and the cache region comprises a message cache region and an extended information cache region;
the network card is used for receiving a first vxlan message and storing the first vxlan message to the message cache area, wherein the first vxlan message comprises a first encapsulation message and an original message, and the first encapsulation message comprises a first vni;
the first docker container is configured to parse the first encapsulation packet from the first vxlan packet, obtain the first vni, and store the first vni in the extended information cache region;
the second docker container is used for extracting the original message from the message cache region, extracting the first vni from the extended information cache region, and determining corresponding nat inner layer message header information and second vni according to the original message and the first vni;
the second docker container is further configured to store the nat inner layer packet header information and the second vni in the extended information cache region;
the first docker container is further configured to extract the second vni from the extended information cache region, determine a second encapsulated packet according to the second vni, and store the second encapsulated packet to the extended information cache region, so that the original packet located in the packet cache region and the nat inner layer packet header information and the second encapsulated packet located in the extended information cache region jointly form a second vxlan packet.
In an embodiment, the second docker container is further configured to extract an original inner layer packet header from the original packet and extract the first vni from the extended information buffer; and
the second docker container is further configured to search for the corresponding nat IP and second vni in the nat conversion table and the vni conversion table respectively according to the original inner layer packet header and the first vni.
In an embodiment, the network card is further configured to send a pointer of the first vxlan message to the first docker container; and
the first docker container is further configured to determine the packet buffer according to the pointer of the first vxlan packet, and access the first vxlan packet.
In an embodiment, the network card is further configured to send a pointer of the original packet to the second docker container; and
the second docker container is further configured to determine the extended information buffer according to the pointer of the original packet, and access the original packet and the first vni.
The invention provides a method and a server for sharing private information in a message, wherein a cache region in a network card comprises a message cache region and an extended information cache region, a first docker container analyzes a first vni from a first vxlan message, and the first vni is stored in the extended information cache region; the second docker container extracts the first vni from the extended information cache region, and determines corresponding nat inner layer message header information and second vni according to the first vni; the second docker container stores the nat inner layer message header information and the second vni to the extended information cache region; and the first docker container extracts the second vni from the extended information buffer area to perform corresponding operation. In the scheme, an expanded information cache region is opened in a cache region in a network card, and first vni, nat inner layer message header information and second vni which are obtained by processing a first docker container and a second docker container are temporarily stored in the expanded information cache region, so that the first docker container and the second docker container can share information obtained by processing each other, and the situation that operations executed by the first docker container and the second docker container are partially repeated is avoided; and when the first docker container and the second docker container acquire the corresponding information in the first vxlan message and execute corresponding operations, the integrity of the first vxlan message is still ensured, so that other containers can normally acquire the information of the first vxlan message, and the server is prevented from acquiring the first vxlan message from the outside again to supply the first vxlan message to other containers for use. To sum up, this scheme has improved the work efficiency of server.
Drawings
The invention is further illustrated by the following figures. It should be noted that the drawings in the following description are only for illustrating some embodiments of the invention, and that other drawings may be derived from those drawings by a person skilled in the art without inventive effort.
Fig. 1 is a schematic view of a scenario of a system for sharing private information in a message according to an embodiment of the present invention;
fig. 2 is a schematic interval diagram of a cache area in a network card according to an embodiment of the present invention;
fig. 3 is a flowchart illustrating a first method for sharing private information in a message according to an embodiment of the present invention;
fig. 4 is a schematic interval diagram of a buffer area in another network card according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of a first vxlan packet according to an embodiment of the present invention;
fig. 6 is a flowchart illustrating a second method for sharing private information in a message according to an embodiment of the present invention;
fig. 7 is a flowchart illustrating a third method for sharing private information in a message according to an embodiment of the present invention;
fig. 8 is a flowchart illustrating a fourth method for sharing private information in a message according to an embodiment of the present invention;
fig. 9 is a schematic flowchart of a fifth method for sharing private information in a message according to an embodiment of the present invention;
fig. 10 is a flowchart illustrating a sixth method for sharing private information in a message according to an embodiment of the present invention;
fig. 11 is a schematic signaling interaction diagram of a method for sharing private information in a message according to an embodiment of the present invention;
fig. 12 is a schematic structural diagram of a first server according to an embodiment of the present invention;
fig. 13 is a schematic structural diagram of a second server according to an embodiment of the present invention;
fig. 14 is a schematic structural diagram of a third server according to an embodiment of the present invention.
Detailed Description
The technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention. It is to be understood that the described embodiments are merely exemplary of the invention, and not restrictive of the full scope of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terms "first", "second", and the like in the present invention are used for distinguishing different objects, not for describing a particular order. Furthermore, the terms "include" and "have," as well as any variations thereof, are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or modules is not limited to the listed steps or modules but may alternatively include other steps or modules not listed or inherent to such process, method, article, or apparatus.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the invention. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is explicitly and implicitly understood by one skilled in the art that the embodiments described herein can be combined with other embodiments.
The execution main body of the method for sharing private information in a message provided by the embodiment of the present invention may be a server provided by the embodiment of the present invention, or an electronic device integrated with the server, and the server may be implemented in a hardware or software manner.
Some basic concepts involved in embodiments of the present invention are first described below.
Network card: a piece of computer hardware designed to allow computers to communicate over a computer network, so that users can connect to each other by cable or wirelessly. Each network card has a unique 48-bit serial number, called the MAC address, which is written in a ROM on the network card. The network card is not a stand-alone autonomous unit because the network card itself does not have a power source but rather needs to use the power source of the inserted computer and be controlled by that computer. When the network card receives an erroneous frame, it discards the frame without having to notify the computer into which it is inserted. When the network card receives a correct frame, it uses an interrupt to notify the computer and deliver it to the network layer in the protocol stack. When the computer wants to send an IP data packet, it is sent to the network card by the protocol stack to be assembled into a frame and then sent to the local area network.
A docker container: an open source application container engine that enables developers to package their applications and dependencies in a uniform way into a portable container and distribute the container to any server (including popular Linux machines and Windows machines) on which a docker engine is installed; it also provides virtualization. Containers are fully sandboxed, with no interface between each other (like apps on an iPhone). They have little performance overhead, run easily on machines and in data centers, and do not depend on any particular language, framework or system. In particular, a docker container herein is to be understood as a VNF as mentioned above, i.e. any operation performed on a docker container herein may be applied to any VNF mentioned above.
A cache region: a data storage area shared by a plurality of hardware or program processes running at different speeds or priorities. The speed smoothing function is performed between the high-speed device and the low-speed device, data are temporarily stored, frequently accessed data can be placed in a buffer area, and the access to the low-speed device is reduced so as to improve the efficiency of the system.
Message: the data unit exchanged and transmitted in the network, i.e. the block of data that a station sends at one time. A message contains the complete data to be sent; messages vary greatly in length and have no fixed length limit. When a station wants to send a message, it attaches a destination address to it, and each network node forwards the message to the next node according to that destination address until it reaches the destination node. After each node receives the whole message and checks it, it stores the message temporarily, uses the routing information to find the address of the next node, and then transmits the whole message to that node.
NAT protocol: Network Address Translation, a protocol for translating between private addresses and global addresses.
The embodiment of the invention provides a method and a server for sharing private information in a message. The details will be described below separately.
Referring to fig. 1, fig. 1 is a schematic view of a scenario of a system for sharing private information in a message according to an embodiment of the present invention, where the system for sharing private information in a message may include a network card 100, a first docker container 200, and a second docker container 300, where the network card includes a buffer area, and the buffer area includes a message buffer area and an extended information buffer area.
In this embodiment of the application, as shown in fig. 2, the buffer area is located in the network card 100, which configures 2048 bytes of space for it; each reference number in the figure represents the serial number of a byte in the buffer area, for example "0" represents the 0th byte and "2047" represents the 2047th byte. The interval holding the first 1600 bytes is the message buffer area for storing messages, i.e. bytes 0 to 1599 are used for storing messages; further, a 256-byte interval within bytes 1600 to 2047 can be selected as the extended information buffer area for storing the private information in the message. It should be noted that once the message buffer area and the extended information buffer area have been determined, knowing the message buffer area is enough to locate the extended information buffer area, using a preset relative position between the first byte of the message buffer area and the first byte of the extended information buffer area.
A preset gap may be reserved between the extended information buffer area and the message buffer area to separate the message from the private information in the message; for example, as shown in fig. 2, the extended information buffer area may be the interval from the 1663rd byte to the 1918th byte of the buffer area. Alternatively, the extended information buffer area and the message buffer area may be adjacent, in which case the extended information buffer area is determined only by the preset relative position between the first byte of the message buffer area and the first byte of the extended information buffer area. Of course, the space allocated to the extended information buffer area can be chosen according to the length of the private information in the message.
In this embodiment, the network card 100 is mainly configured to receive a first vxlan message and store it in the message cache area, where the first vxlan message includes a first encapsulation message and an original message, and the first encapsulation message includes a first vni; the first docker container is mainly used for parsing the first encapsulation message from the first vxlan message, acquiring the first vni, and storing the first vni in the extended information cache region; the second docker container is mainly used for extracting the original message from the message cache region, extracting the first vni from the extended information cache region, determining the corresponding nat inner layer message header information and second vni according to the original message and the first vni, and storing the nat inner layer message header information and the second vni in the extended information cache region; the first docker container is further configured to extract the second vni from the extended information cache region, determine a second encapsulated message according to the second vni, and store the second encapsulated message in the extended information cache region, so that the original message located in the message cache region, the nat inner layer message header information located in the extended information cache region, and the second encapsulated message together form a second vxlan message.
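The following is an added illustration in C, not code from the patent: it models the Fig. 2 buffer layout (packet in bytes 0 to 1599, a 256-byte extended information region starting at byte 1663) and the five method steps listed under Disclosure of Invention, with the first container publishing the vni, the second container consulting nat and vni tables, and the first container writing the second encapsulation, while the original packet stays untouched. The header offsets, the table contents, the rejection rules and all function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Fig. 2 layout: 2048-byte NIC buffer, packet in bytes 0..1599, extended information in bytes
 * 1663..1918 (256 bytes). Assumed first encapsulation: Ethernet(14)+IPv4(20)+UDP(8)+VXLAN(8). */
#define BUF_SIZE  2048
#define PKT_LEN   1600
#define EXT_OFF   1663
#define EXT_LEN   256
#define UDP_OFF   34
#define VXLAN_OFF 42
#define ENCAP_LEN 50
#define INNER_IP  (ENCAP_LEN + 14)    /* inner IPv4 header follows the inner Ethernet header */

struct ext_info {                     /* private information shared through the extended region */
    uint32_t first_vni, second_vni;   /* second_vni == 0 means "not yet published" */
    uint32_t nat_ip;
    uint16_t nat_port, have_encap;    /* have_encap == 1 once encap2 is valid */
    uint8_t  encap2[ENCAP_LEN];       /* second encapsulation header */
};
_Static_assert(sizeof(struct ext_info) <= EXT_LEN, "ext_info must fit the 256-byte region");
struct nic_buf { uint8_t b[BUF_SIZE]; size_t pkt_len; };
/* Constructed tables (assumed): private 10.0.0.1:40000 -> NAT 192.168.0.1:50000, VNI 100 -> 200. */
struct nat_entry { uint32_t priv_ip; uint16_t priv_port; uint32_t nat_ip; uint16_t nat_port; };
struct vni_entry { uint32_t in_vni, out_vni; };
static const struct nat_entry nat_table[] = { { 0x0A000001u, 40000, 0xC0A80001u, 50000 } };
static const struct vni_entry vni_table[] = { { 100, 200 } };
static void put_u16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put_u32(uint8_t *p, uint32_t v) { put_u16(p, (uint16_t)(v >> 16)); put_u16(p + 2, (uint16_t)v); }
static uint16_t get_u16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t get_u32(const uint8_t *p) { return (uint32_t)get_u16(p) << 16 | get_u16(p + 2); }
static uint32_t get_vni(const uint8_t *vx) { return (uint32_t)vx[4] << 16 | (uint32_t)vx[5] << 8 | vx[6]; }
static void put_vni(uint8_t *vx, uint32_t vni) { vx[0] = 0x08; put_u16(vx + 4, (uint16_t)(vni >> 8)); vx[6] = (uint8_t)vni; }
/* Byte 1663 is not naturally aligned, so the region is copied in and out instead of being cast. */
static void ext_load(const struct nic_buf *nb, struct ext_info *e) { memcpy(e, nb->b + EXT_OFF, sizeof *e); }
static void ext_store(struct nic_buf *nb, const struct ext_info *e) { memcpy(nb->b + EXT_OFF, e, sizeof *e); }

/* Step 1: the NIC stores a constructed first vxlan packet (outer UDP/VXLAN, inner IPv4/TCP 10.0.0.1:40000 -> 192.168.1.100:80). */
size_t nic_receive_sample(struct nic_buf *nb, uint32_t vni) {
    uint8_t *ip = nb->b + INNER_IP;
    memset(nb, 0, sizeof *nb);                     /* also clears stale extended information */
    nb->b[14] = 0x45; nb->b[14 + 9] = 17;          /* outer IPv4 header, protocol UDP */
    put_u16(nb->b + UDP_OFF + 2, 4789);            /* outer UDP destination port: VXLAN */
    put_vni(nb->b + VXLAN_OFF, vni);
    ip[0] = 0x45; ip[9] = 6;                       /* inner IPv4 without options, protocol TCP */
    put_u32(ip + 12, 0x0A000001u); put_u32(ip + 16, 0xC0A80164u);
    put_u16(ip + 20, 40000); put_u16(ip + 22, 80);
    return nb->pkt_len = INNER_IP + 20 + 20;       /* 104 bytes, no TCP payload */
}

/* Step 2: container 1 parses the first encapsulation header and publishes the first vni; overlong, short, non-VXLAN or I-flag-less packets are rejected. */
int container1_strip_vni(struct nic_buf *nb) {
    struct ext_info e;
    if (nb->pkt_len > PKT_LEN || nb->pkt_len < INNER_IP + 24) return -1;   /* inner IPv4 + L4 ports */
    if (get_u16(nb->b + UDP_OFF + 2) != 4789 || !(nb->b[VXLAN_OFF] & 0x08)) return -1;
    ext_load(nb, &e);
    e.first_vni = get_vni(nb->b + VXLAN_OFF);
    ext_store(nb, &e);
    return 0;
}

/* Steps 3-4: container 2 reads the original inner header and the first vni, consults the tables, and publishes nat info and the second vni; unknown flows fail closed. */
int container2_lookup(struct nic_buf *nb) {
    struct ext_info e;
    const uint8_t *ip = nb->b + INNER_IP;
    const struct nat_entry *n = NULL; const struct vni_entry *v = NULL; size_t i;
    if (nb->pkt_len < INNER_IP + 24 || ip[0] != 0x45 || (ip[9] != 6 && ip[9] != 17)) return -1;
    ext_load(nb, &e);
    for (i = 0; i < sizeof nat_table / sizeof *nat_table; i++)
        if (nat_table[i].priv_ip == get_u32(ip + 12) && nat_table[i].priv_port == get_u16(ip + 20)) n = &nat_table[i];
    for (i = 0; i < sizeof vni_table / sizeof *vni_table; i++)
        if (vni_table[i].in_vni == e.first_vni) v = &vni_table[i];
    if (!n || !v) return -1;
    e.nat_ip = n->nat_ip; e.nat_port = n->nat_port; e.second_vni = v->out_vni;
    ext_store(nb, &e);
    return 0;
}

/* Step 5: container 1 reads the second vni and writes the second encapsulation header into the extended region; bytes 0..1599 stay intact for other containers. */
int container1_reencap(struct nic_buf *nb) {
    struct ext_info e;
    ext_load(nb, &e);
    if (e.second_vni == 0) return -1;
    memcpy(e.encap2, nb->b, ENCAP_LEN);            /* reuse the outer headers; the tunnel step would rewrite them */
    put_vni(e.encap2 + VXLAN_OFF, e.second_vni);
    e.have_encap = 1;
    ext_store(nb, &e);
    return 0;
}

static struct nic_buf g_nb;                        /* the NIC buffer the containers share */
/* Whole method for one first vni: 1 when every step accepts, 0 when a step rejects. */
int demo_pipeline(uint32_t vni) {
    nic_receive_sample(&g_nb, vni);
    return !(container1_strip_vni(&g_nb) || container2_lookup(&g_nb) || container1_reencap(&g_nb));
}
struct ext_info demo_ext(void) { struct ext_info e; ext_load(&g_nb, &e); return e; }
uint32_t demo_encap2_vni(void) { struct ext_info e = demo_ext(); return get_vni(e.encap2 + VXLAN_OFF); }
uint32_t demo_orig_src_ip(void) { return get_u32(g_nb.b + INNER_IP + 12); }
```

Each container only ever copies a fixed-size struct in and out of the 256-byte region, and the NIC clears the region with the packet, so one container cannot read another flow's leftover nat information.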
In this embodiment, the system for sharing private information in a message may be included in a server, that is, the network card 100, the first docker container 200, and the second docker container 300 may all be included in a server. The server may be an independent server, or may be a server network or a server cluster composed of servers, for example, the server includes but is not limited to a computer, a network host, a single network server, a plurality of network server sets, or a cloud server composed of a plurality of servers. The cloud server is composed of a large number of computers or network servers based on cloud computing.
Further, the server may include a plurality of physical ports and a plurality of virtual ports. The physical ports may be included in the network card 100 and are used to receive a message sent by a terminal or a BRAS (broadband access server), or to send a message to a terminal or a BRAS. The network card 100, the first docker container 200, and the second docker container 300 may communicate with each other through the plurality of virtual ports. As shown in fig. 1, for example, when one of the physical ports of the network card 100 receives a message, the network card driver may send a "message pointer" to the first docker container 200 or the second docker container 300 and notify it to process the message; the first docker container 200 and the second docker container 300 may respectively send a "decapsulation/encapsulation message task completion instruction" and a "processing message information task completion instruction" to different virtual ports through the network card driver to indicate that the corresponding tasks are completed; the corresponding receiving and sending of messages between different virtual ports may be performed through the network card driver; and the first docker container 200 may also notify the other physical port to send the message to the outside of the server.
In the embodiment of the present application, the terminal may be a general-purpose computer device or a special-purpose computer device. In a specific implementation, the terminal may be a desktop, a laptop, a network server, a Personal Digital Assistant (PDA), a mobile phone, a tablet computer, a wireless terminal device, a communication device, an embedded device, and the like, and the embodiment does not limit the type of the terminal.
In the embodiment of the application, after the first docker container 200 and the second docker container 300 are created in the server, a virtual network card docker0 may be created in the server, the first docker container 200 and the second docker container 300 may implement network intercommunication with a virtual network card docker0 through corresponding virtual network stack pairs, one end of each virtual network stack pair is connected to the docker0, and the other end of each virtual network stack pair is connected to the first docker container 200 or the second docker container 300. Further, the network card 100 in the server may communicate with the virtual network card docker0 to implement communication with the first docker container 200 and the second docker container 300; conversely, the first docker container 200 and the second docker container 300 may communicate with the virtual network card docker0 to implement communication with the network card 100.
Those skilled in the art can understand that the application environment shown in fig. 1 is only one application scenario related to the present embodiment, and does not constitute a limitation on the application scenario related to the present embodiment, and that other application environments may further include more docker containers than those shown in fig. 1, for example, only 2 docker containers are shown in fig. 1, and it is understood that the system for sharing private information in a message may further include one or more other docker containers that can access the network card 100, which is not limited herein.
It should be noted that the scenario diagram for sharing private information in a message shown in fig. 1 is only an example; the system and scenario for sharing private information in a message described in the embodiment of the present invention serve to illustrate the technical solution of the embodiment more clearly and do not limit the technical solution provided in the embodiment of the present invention. As can be known by those skilled in the art, along with the evolution of the system for sharing private information in a message and the occurrence of new service scenarios, the technical solution provided in the embodiment of the present invention is also applicable to similar technical problems.
The embodiment of the invention provides a method for sharing private information in a message, wherein the execution main body of the method for sharing the private information in the message is a server, the server comprises a network card, a first docker container and a second docker container, the network card comprises a cache area, the cache area comprises a message cache area and an extended information cache area, and the method for sharing the private information in the message comprises the following steps: the network card receives a first vxlan message, and stores the first vxlan message to the message cache area, wherein the first vxlan message comprises a first encapsulation message and an original message, and the first encapsulation message comprises a first vni; the first docker container analyzes the first encapsulation message from the first vxlan message, acquires the first vni, and stores the first vni in the extended information cache region; the second docker container extracts the original message from the message cache region, extracts the first vni from the extended information cache region, and determines corresponding nat inner layer message header information and second vni according to the original message and the first vni; the second docker container stores the nat inner layer message header information and the second vni to the extended information cache region; and the first docker container extracts the second vni from the extended information cache region, determines a second encapsulated message according to the second vni, and stores the second encapsulated message to the extended information cache region, so that the original message located in the message cache region, and the nat inner layer message header information and the second encapsulated message located in the extended information cache region jointly form a second vxlan message.
As shown in fig. 3, which is a flowchart illustrating an embodiment of a method for sharing private information in a message according to an embodiment of the present invention, the method for sharing private information in a message includes:
S101, the network card receives a first vxlan message, and stores the first vxlan message to the message cache area, wherein the first vxlan message comprises a first encapsulation message and an original message, and the first encapsulation message comprises a first vni.
In this embodiment, the network card may be the network card 100 shown in fig. 1, where the first vxlan message may be a message received by a physical port of the network card 100 and sent from a terminal or a bras (broadband access server).
As shown in fig. 4, the buffer area includes the packet buffer area and an extended information buffer area, and the packet buffer area may be located before the extended information buffer area, that is, the packet buffer area may be located in a previous portion of the buffer area. Further, the first vxlan packet may include the first encapsulated packet and the original packet, where the first encapsulated packet is located before the original packet, and the first vni is included in the first encapsulated packet. It should be noted that, in fig. 4, the division of the interval lengths of the first vni, the first encapsulated packet, and the original packet is only for convenience of drawing, and no limitation is made on the proportional relationship of the interval lengths of the first vni, the first encapsulated packet, and the original packet.
Specifically, as shown in fig. 5, the first vxlan packet may include the first encapsulation packet and the original packet, which is specifically described as follows:
According to the distance from the original message from near to far, the first encapsulated message may sequentially include a VXLAN header 501, an Outer UDP header 502, an Outer IP header 503, and an Outer Ethernet header 504; further, according to the distance from far to near from the original message, the VXLAN header 501 includes VXLAN Flags 505 and VNI 506. The VNI is the first VNI in the above description, where the first VNI (VNI) is a VXLAN network identifier used to identify the tenant to which the first VXLAN packet belongs; one tenant may have one or more VNIs, and tenants of different VNIs cannot communicate with each other directly at layer 2. VXLAN Flags is a flag field of 8 bits in the format "RRRRIRRR": when the "I" bit is 1, the first vni (VNI) is valid, and when it is 0, the first vni (VNI) is invalid; the "R" bits are reserved, left unused and set to 0. A Reserved 507 field is also included between VXLAN Flags 505 and VNI 506, and between VNI and the original packet; it is reserved, left unused and set to 0.
According to the distance from the first encapsulation packet from near to far, the original packet may sequentially include an Inner Ethernet header 508, an Inner IP header 509, an Inner TCP header 601, and a Payload 602. The Inner Ethernet header comprises the MAC address of the sending end and the MAC address of the lan interface of the second docker container, the Inner IP header comprises the IP address of the sending end and the IP address of the receiving end, and the Inner TCP header comprises the port number of the sending end. The sending end and the receiving end correspond to the server, the terminal and the bras according to the actual situation of receiving and sending the first vxlan message; the Payload may include instruction information or data information.
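As an added illustration of the layout just described (example code, not code from the patent), the following Python parses the first encapsulated packet off the front of a first vxlan packet: it walks the Outer Ethernet, Outer IP, Outer UDP and VXLAN headers, reads the "I" bit before trusting the VNI (the condition on which step S102 runs), reads the IP SA and IP DA that step S401 later stores, and returns the offset at which the original packet begins. The sample packet, its 10.0.0.x VTEP addresses and MAC addresses are constructed for the example; UDP port 4789 is the IANA-assigned VXLAN port, which the page itself does not mention.

```python
import socket
import struct

ETH_LEN, IPV4_MIN_LEN, UDP_LEN, VXLAN_LEN = 14, 20, 8, 8
VXLAN_UDP_PORT = 4789   # IANA-assigned VXLAN port (assumption: the tunnel uses the standard port)
VXLAN_FLAG_I = 0x08     # flags byte "RRRRIRRR": the I bit marks the VNI as valid


def parse_first_encapsulation(packet: bytes) -> dict:
    """Parse the first encapsulated packet (fig. 5, items 501-507 and 603-604) and report
    where the original packet begins. Malformed outer headers raise ValueError; an unset
    I bit is reported rather than raised, because step S102 simply skips such a packet."""
    if len(packet) < ETH_LEN + IPV4_MIN_LEN + UDP_LEN + VXLAN_LEN:
        raise ValueError("shorter than Outer Ethernet/IP/UDP/VXLAN headers")
    # Outer Ethernet header 504
    dst_mac, src_mac, ethertype = struct.unpack_from("!6s6sH", packet, 0)
    if ethertype != 0x0800:
        raise ValueError("outer EtherType is not IPv4")
    # Outer IP header 503: IP SA 603 / IP DA 604 are the source and destination VTEP addresses
    ver_ihl = packet[ETH_LEN]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < IPV4_MIN_LEN:
        raise ValueError("outer IP header is not IPv4")
    if packet[ETH_LEN + 9] != 17:
        raise ValueError("outer IP payload is not UDP")
    ip_sa = socket.inet_ntoa(packet[ETH_LEN + 12:ETH_LEN + 16])
    ip_da = socket.inet_ntoa(packet[ETH_LEN + 16:ETH_LEN + 20])
    udp_off = ETH_LEN + ihl
    vxlan_off = udp_off + UDP_LEN
    if len(packet) < vxlan_off + VXLAN_LEN:
        raise ValueError("truncated before the VXLAN header")
    # Outer UDP header 502
    _, dport, udp_len, _ = struct.unpack_from("!HHHH", packet, udp_off)
    if dport != VXLAN_UDP_PORT:
        raise ValueError("outer UDP destination port is not VXLAN")
    if udp_len != len(packet) - udp_off:
        raise ValueError("UDP length disagrees with the packet length")
    # VXLAN header 501: Flags 505 (8 bits), Reserved 507 (24 bits), VNI 506 (24 bits), Reserved (8 bits)
    flags, reserved_hi, tail = struct.unpack_from("!B3sI", packet, vxlan_off)
    return {
        "src_mac": src_mac.hex(":"),
        "dst_mac": dst_mac.hex(":"),
        "ip_sa": ip_sa,
        "ip_da": ip_da,
        "flags": flags,
        "vni_valid": bool(flags & VXLAN_FLAG_I),
        "vni": (tail >> 8) & 0xFFFFFF,
        "reserved_zero": reserved_hi == b"\x00\x00\x00" and (tail & 0xFF) == 0,
        "original_offset": vxlan_off + VXLAN_LEN,   # the original packet follows immediately
    }


def build_sample_first_vxlan_packet(vni: int, vni_valid: bool = True,
                                    original: bytes = b"\x00" * 14 + b"constructed original packet") -> bytes:
    """Constructed first vxlan packet: made-up VTEP addresses and MACs wrapped around `original`."""
    vxlan = struct.pack("!B3xI", VXLAN_FLAG_I if vni_valid else 0, (vni & 0xFFFFFF) << 8)
    udp_len = UDP_LEN + VXLAN_LEN + len(original)
    # UDP checksum 0 is permitted for VXLAN over IPv4; the IP header checksum is left 0 in this sample
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, udp_len, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_MIN_LEN + udp_len, 0, 0x4000, 64, 17, 0,
                     socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.2"))
    eth = struct.pack("!6s6sH", bytes.fromhex("0a0000000002"), bytes.fromhex("0a0000000001"), 0x0800)
    return eth + ip + udp + vxlan + original


if __name__ == "__main__":
    sample = build_sample_first_vxlan_packet(100)
    info = parse_first_encapsulation(sample)
    print(info, sample[info["original_offset"]:])
```

The parser deliberately refuses packets whose outer headers are inconsistent (wrong EtherType, non-UDP, UDP length not matching) before it reads the VNI, so the first docker container only deposits a first vni into the extended information buffer for packets that really are VXLAN.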
S102, the first docker container analyzes the first encapsulation message from the first vxlan message, obtains the first vni, and stores the first vni in the extended information buffer area.
The first docker container may access the first vxlan message, analyze the first encapsulated message in the first vxlan message, and obtain the first vni in the first encapsulated message according to an analysis result. Specifically, the first docker container may obtain the VXLAN Flags 505 information in the first encapsulation message, and for VXLAN Flags 505 with the format "RRRRIRRR", if the "I" bit is 1, the step S102 is executed, and if the "I" bit is 0, the step S102 is not executed.
It can be understood that, at this time, the original packet is stored in the packet buffer and the first vni is stored in the extended information buffer. As can be seen from the above analysis, a preset interval may be reserved between the extended information buffer and the packet buffer to properly distinguish the packet from the private information in the packet; accordingly, a preset interval may be reserved between the first vni and the original packet. Then, when the first vni is obtained at a later stage, on the premise that the extended information buffer is located according to a preset relative position of the first byte of the packet buffer and the first byte of the extended information buffer, the embodiment may further verify the first vni, for example by determining whether the preset interval exists between the "first vni determined through the above steps" and the packet buffer, so as to determine whether the "determined first vni" is the true first vni.
It can be understood that after the first docker container stores the first vni in the extended information cache region, the first docker container may send a relevant instruction such as a "decapsulation message task completion instruction" to the network card, so as to inform the network card that the first docker container has completed relevant operations such as decapsulating the message, so that the network card performs the next operation. Meanwhile, the first docker container may obtain a pointer of the original packet at this time, and the first docker container may also send the pointer of the original packet to the network card.
S103, the second docker container extracts the original message from the message buffer area, extracts the first vni from the extended information buffer area, and determines corresponding nat inner layer message header information and second vni according to the original message and the first vni.
As can be seen from the above description, the first vni may be understood as a VXLAN network identifier of a sender sending the first VXLAN message to the network card, where the sender may be a terminal or a bras. For example, when the terminal sends the first vxlan packet to the network card, the first vni may be referred to as lan vni, where the first vni (lan vni) corresponds to an Outer UDP header, an Outer IP header, and an Outer Ethernet header in the first encapsulation packet, and the second vni may be determined according to the first vni.
When the terminal sends the first vxlan message to the network card, the Inner IP header in the original message contains a private network IP address, and the NAT IP information and NAT PORT information corresponding to the private network IP address can be acquired from a mapping relation established according to the NAT protocol. As discussed above, an Inner TCP header is further included between the Inner IP header and the Payload in the original packet, where the Inner IP header and the Inner TCP header may be referred to as the encapsulated packet in the original packet, abbreviated as the original inner layer packet header; other protocol types such as an Inner UDP header, an Inner ICMP header, and the like may also be included between the Inner IP header and the Payload. Further, the original inner layer packet header may be updated to the nat inner layer packet header according to the nat IP information and the nat PORT information.
It should be noted that, here, after or at the same time when the second docker container extracts the first vni from the extended information buffer, the first vni may also be stripped from the extended information buffer, that is, the first vni is removed, so as to avoid an influence on subsequent storage of new information in the extended information buffer.
S104, the second docker container stores the nat inner layer message header information and the second vni to the extended information cache region.
Specifically, the second docker container may also access the first vxlan packet and "strip" the original Inner header in the first vxlan packet, where the original Inner header includes an Inner Ethernet header, an Inner IP header, and an Inner TCP header, as discussed above as an example, it should be noted that, at this time, the second docker container may point a pointer to Payload in the original packet to "strip" the original Inner header in the first vxlan packet, and is not to actually strip the original Inner header in the first vxlan packet. It can be understood that, at this time, the Payload in the original message is stored in the message buffer, and the nat information and the second vni are stored in the extended information buffer. Similarly, a preset interval may be reserved between the second vni, the nat information, and the original packet, so that when the second vni and the nat inner layer packet header information are acquired at a later stage, on the premise that the extended information buffer is determined according to a preset relative position of a first byte of the packet buffer and a first byte of the extended information buffer, the second vni and the nat information may be further verified in this embodiment.
It can be understood that, after the second docker container completes the step S104, the second docker container may send a relevant instruction such as a "message information task processing completion instruction" to the network card, so as to inform the network card that the second docker container has completed relevant operations such as message information task processing, so as to facilitate the network card to perform a next operation. Meanwhile, the second docker container may obtain a pointer of Payload in the original message at this time, and the second docker container may also send the pointer of Payload in the original message to the network card.
S105, the first docker container extracts the second vni from the extended information cache region, determines a second encapsulated message according to the second vni, and stores the second encapsulated message to the extended information cache region, so that the original message located in the message cache region, and the nat inner layer message header information and the second encapsulated message located in the extended information cache region jointly form a second vxlan message.
The second vni may determine a new outbound tunnel ID, and a new corresponding Outer UDP header, Outer IP header, and Outer Ethernet header may be obtained according to the second vni and the outbound tunnel ID; specifically, the first docker container may configure the new corresponding Outer UDP header, Outer IP header, and Outer Ethernet header for the second vni, and the second vni may also form a new corresponding VXLAN header, where the new corresponding Outer UDP header, Outer IP header, Outer Ethernet header, and VXLAN header together form the second encapsulation packet; specifically, the second encapsulation packet may be stored in the extended information cache region after the nat inner layer packet header information.
It should be noted that after or at the same time when the first docker container extracts the second vni from the extended information buffer, the second vni may also be stripped from the extended information buffer, that is, the second vni is removed, so as to avoid an influence on subsequent storage of new information in the extended information buffer.
According to the analysis, the nat inner layer message header information is the updated original inner layer message header, namely the original inner layer message header is converted into the nat inner layer message header information, and at the moment, the pointer points to Payload in the original message; therefore, it should be noted that "the original packet located in the packet buffer, the nat inner layer packet header information located in the extended information buffer, and the second encapsulation packet together form a second vxlan packet" mentioned in step S105 actually indicates that: the Payload in the original message in the message cache region, the nat inner layer message header information in the extended information cache region, and the second encapsulation message together form the second vxlan message.
It can be understood that after the steps S101 to S105, the first vxlan packet still exists in the packet buffer completely, that is, the whole method step does not modify or destroy the first vxlan packet. Therefore, the method of this embodiment may ensure the integrity of the first vxlan message while the first docker container and the second docker container acquire the corresponding information in the first vxlan message and perform the corresponding operation, so that other containers may normally acquire or process the information of the first vxlan message.
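To make the buffer layout of fig. 4, the interval check of steps S102 and S104, and the integrity property just stated concrete, here is an added Python model of one buffer area (example code, not the patent's): the packet buffer area, a preset interval, and the extended information buffer area at a preset relative position. The area sizes, the interval width, the byte strings standing in for the encapsulation and headers, and the vni conversion (first vni plus 1000) are all assumptions. The demo walks steps S101 to S105 and checks the two properties the text claims: every stored value sits behind an intact preset interval, and the first vxlan packet is never modified.

```python
PACKET_AREA_SIZE = 256   # assumed size of the packet buffer area
PRESET_INTERVAL = 16     # assumed width of the preset interval between the two areas
EXT_AREA_SIZE = 256      # assumed size of the extended information buffer area


class CardBuffer:
    """One buffer area of the network card laid out as in fig. 4:
    [packet buffer area][preset interval][extended information buffer area]."""

    def __init__(self, first_vxlan_packet: bytes):
        if len(first_vxlan_packet) > PACKET_AREA_SIZE:
            raise ValueError("first vxlan packet does not fit the packet buffer area")
        self.buf = bytearray(PACKET_AREA_SIZE + PRESET_INTERVAL + EXT_AREA_SIZE)
        self.buf[:len(first_vxlan_packet)] = first_vxlan_packet          # S101
        self.packet_len = len(first_vxlan_packet)
        # Preset relative position of the first byte of the extended area to the first byte of the packet area.
        self.ext_start = PACKET_AREA_SIZE + PRESET_INTERVAL
        self.ext_write = self.ext_start
        self.records = {}   # name -> (offset, length) of each piece of private information deposited

    def first_vxlan_packet(self) -> bytes:
        return bytes(self.buf[:self.packet_len])

    def interval_intact(self) -> bool:
        """The preset interval must stay zero; a write there means a container overran the packet
        area or mis-located the extended area, so values behind it cannot be trusted."""
        return not any(self.buf[PACKET_AREA_SIZE:self.ext_start])

    def store_extended(self, name: str, data: bytes) -> int:
        """S102/S104/S105: append private information to the extended area and return its offset."""
        end = self.ext_write + len(data)
        if end > len(self.buf):
            raise ValueError("extended information buffer area is full")
        self.buf[self.ext_write:end] = data
        self.records[name] = (self.ext_write, len(data))
        self.ext_write = end
        return self.records[name][0]

    def extract_extended(self, name: str, strip: bool = False) -> bytes:
        """Read a stored value after verifying that it lies behind an intact preset interval;
        with strip=True the value is removed so it does not disturb later stores (S103/S105)."""
        offset, length = self.records[name]
        if offset < self.ext_start or not self.interval_intact():
            raise ValueError(f"{name} is not behind an intact preset interval")
        data = bytes(self.buf[offset:offset + length])
        if strip:
            self.buf[offset:offset + length] = bytes(length)
            del self.records[name]
            if offset + length == self.ext_write:   # reclaim the space if it was the last record
                self.ext_write = offset
        return data


def demo_share_private_information() -> dict:
    """Walk steps S101 to S105 on constructed bytes; every value below is made up."""
    first_encapsulation = b"E" * 50     # stands in for Outer Ethernet/IP/UDP + VXLAN header
    original_inner_header = b"H" * 54   # stands in for Inner Ethernet/IP/TCP headers
    payload = b"payload-bytes"
    first_packet = first_encapsulation + original_inner_header + payload
    card = CardBuffer(first_packet)                                                   # S101, network card
    card.store_extended("first_vni", (100).to_bytes(3, "big"))                       # S102, first container
    first_vni = int.from_bytes(card.extract_extended("first_vni", strip=True), "big")  # S103, second container
    second_vni = first_vni + 1000                                                     # assumed vni conversion
    card.store_extended("nat_inner_header", b"N" * 54)                               # S104, second container
    card.store_extended("second_vni", second_vni.to_bytes(3, "big"))
    vni = int.from_bytes(card.extract_extended("second_vni", strip=True), "big")      # S105, first container
    card.store_extended("second_encapsulation", b"F" * 50)                            # placed after the nat header
    payload_offset = len(first_encapsulation) + len(original_inner_header)           # pointer of Payload
    second_packet = (card.extract_extended("second_encapsulation")
                     + card.extract_extended("nat_inner_header")
                     + card.first_vxlan_packet()[payload_offset:])
    return {"second_vni": vni,
            "second_packet": second_packet,
            "first_packet_intact": card.first_vxlan_packet() == first_packet,
            "interval_intact": card.interval_intact()}


if __name__ == "__main__":
    print(demo_share_private_information())
```

The model keeps the containers' deposits strictly inside the extended area and treats any byte written into the preset interval as a reason to distrust what lies behind it, which is the verification the text describes for the first vni, the nat inner layer header and the second vni.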
In this embodiment, as shown in fig. 6, before the step S102, the following steps may be included:
S201, the network card sends a pointer of the first vxlan message to the first docker container.
It can be understood that the first vxlan message is located in the message buffer area in the network card, and therefore, after the physical port of the network card receives the first vxlan message and stores the first vxlan message in the message buffer area, the network card may send a pointer of the first vxlan message to the first docker container, so as to notify the address of the message buffer area to the first docker container.
S202, the first docker container accesses the first vxlan message according to the pointer of the first vxlan message.
It can be understood that, after the first docker container obtains the pointer of the first vxlan packet, that is, obtains the address of the packet buffer, the first vxlan packet may be obtained, and the relevant operation of step S102 may be performed on the first vxlan packet.
In this embodiment, as shown in fig. 7, before the step S103, the following steps may be included:
S301, the network card sends the pointer of the original message to the second docker container.
As can be seen from the above analysis, after the step S102 is executed, the first docker container may send the pointer of the original packet to the network card, and the network card in turn sends the pointer of the original packet to the second docker container, so that the second docker container may be quickly located at the initial position of the original packet. At this time, only the original packet and the content located behind it are visible to the second docker container, which avoids interference from the content located before the original packet and improves the work efficiency of the second docker container.
S302, the second docker container accesses the original message and the first vni according to the pointer of the original message.
It can be understood that, after the second docker container obtains the pointer of the original packet, the original packet may be obtained. As analyzed above, the extended information buffer is located at a preset relative position of the first byte of the packet buffer and the first byte of the extended information buffer, so by searching backward from the interval where the original packet is located, the extended information buffer may also be indirectly determined according to the pointer of the original packet and the first vni obtained; then the related operations of step S103 are performed on the original packet and the first vni.
In this embodiment, as shown in fig. 8, the step S103 may include the following steps:
S1031, the second docker container extracts an original inner layer message header from the original message, and extracts the first vni from the extended information cache region.
As can be seen from the above analysis, the first vni is saved to the extended information buffer by the first docker container, that is, the second docker container may directly extract the first vni from the extended information buffer. It can be understood that, in this embodiment, the first vni obtained through analysis and acquisition by the first docker container may be stored in the extended information cache region, and may be directly extracted by the second docker container for use, that is, the step of "analyzing and acquiring the first vni from the first vxlan packet" also performed by the second docker container may be avoided, so that the work efficiency of the server is improved.
Wherein the original Inner layer packet header is an Inner IP header in the original packet in step S103, that is, the second docker container extracts the first vni from the extended information buffer according to the pointer of the original packet.
S1032, the second docker container searches corresponding nat IP, nat PORT and second vni in the nat conversion table and the vni conversion table respectively according to the original inner layer message header and the first vni.
The nat conversion table may be a private network IP-nat IP conversion table, each nat IP may correspond to a private network IP, that is, the corresponding nat IP and the corresponding nat PORT may be obtained in the nat conversion table according to the private network IP obtained from the original inner layer packet header.
Wherein each first vni in the vni conversion table may correspond to one second vni. Specifically, when the terminal sends the first vxlan message to the network card, the first vni may be referred to as lan vni, and the first vni (lan vni) corresponds to an Outer UDP header, an Outer IP header, and an Outer Ethernet header in the first encapsulation message; the second vni obtained through the vni conversion table may be referred to as wan vni, and further, new corresponding Outer UDP header, Outer IP header, and Outer Ethernet header may also be determined according to the second vni (wan vni).
S1033, the second docker container determines nat inner layer message header information according to the nat IP and the nat PORT.
Specifically, following the example in the above discussion, the original Inner header may include an original Inner Ethernet header, an original Inner IP header, and an original Inner TCP header. Taking the case where the terminal sends the first vxlan packet to the server as an example: the MAC address of the sending end in the original Inner Ethernet header and the MAC address of the lan interface of the second docker container may be updated to the MAC address of the wan interface of the second docker container and the MAC address of the next hop device, respectively; the IP address of the sending end in the original Inner IP header may be modified into the nat IP; the PORT of the sending end in the original Inner TCP header may be modified into the nat PORT; and the original inner layer packet header is thereby updated into the nat inner layer packet header.
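Steps S1031 to S1033 carried out on bytes, as an added Python example that is not the patent's code: the nat conversion table, the vni conversion table, the wan interface and next hop MAC addresses, and the sample packet are all constructed for the illustration. It goes one step beyond the text in a way a practitioner needs: replacing the source IP address and port invalidates the Inner IP header checksum and the Inner TCP checksum (which covers the IP pseudo-header), so both are recomputed before the nat inner layer packet header is returned.

```python
import socket
import struct

ETH_LEN, IPV4_LEN, TCP_LEN = 14, 20, 20

# Constructed translation tables for step S1032; a real server fills them from the NAT
# mapping and the VNI configuration. Every entry below is made up.
NAT_TABLE = {"192.168.1.10": ("203.0.113.5", 40001)}   # private IP -> (nat IP, nat PORT)
VNI_TABLE = {100: 5100}                                 # first vni (lan vni) -> second vni (wan vni)
WAN_MAC = bytes.fromhex("020000000010")                 # assumed MAC of the wan interface of the second container
NEXT_HOP_MAC = bytes.fromhex("020000000020")            # assumed MAC of the next hop device
SAMPLE_PAYLOAD = b"GET / HTTP/1.0\r\n\r\n"             # constructed Payload 602


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; run over data that already carries a valid checksum it yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the whole segment (header and payload)."""
    pseudo = struct.pack("!4s4sBBH", src_ip, dst_ip, 0, 6, len(segment))
    return checksum(pseudo + segment)


def translate_inner_header(original: bytes, first_vni: int) -> tuple:
    """S1031-S1033 for a terminal -> bras packet: derive the nat inner layer packet header
    and the second vni from the original packet and the first vni. `original` is
    Inner Ethernet 508 + Inner IP 509 + Inner TCP 601 + Payload 602."""
    if len(original) < ETH_LEN + IPV4_LEN + TCP_LEN:
        raise ValueError("original packet too short for Ethernet/IPv4/TCP headers")
    eth = original[:ETH_LEN]
    ip = bytearray(original[ETH_LEN:ETH_LEN + IPV4_LEN])
    segment = bytearray(original[ETH_LEN + IPV4_LEN:])
    if ip[0] != 0x45 or ip[9] != 6:
        raise ValueError("this example handles IPv4 without options carrying TCP only")
    private_ip = socket.inet_ntoa(bytes(ip[12:16]))
    if private_ip not in NAT_TABLE or first_vni not in VNI_TABLE:
        raise LookupError("no nat or vni mapping for this packet")   # S1032 miss: nothing to translate
    nat_ip, nat_port = NAT_TABLE[private_ip]
    second_vni = VNI_TABLE[first_vni]
    # S1033, Inner Ethernet: sending end MAC -> wan interface MAC, lan interface MAC -> next hop MAC
    nat_eth = NEXT_HOP_MAC + WAN_MAC + eth[12:14]
    # S1033, Inner IP: sending end IP -> nat IP, then refresh the header checksum
    ip[12:16] = socket.inet_aton(nat_ip)
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    # S1033, Inner TCP: sending end PORT -> nat PORT; the TCP checksum covers the pseudo-header, so recompute it
    segment[0:2] = struct.pack("!H", nat_port)
    segment[16:18] = b"\x00\x00"
    segment[16:18] = struct.pack("!H", tcp_checksum(bytes(ip[12:16]), bytes(ip[16:20]), bytes(segment)))
    tcp_hdr_len = (segment[12] >> 4) * 4
    return nat_eth + bytes(ip) + bytes(segment[:tcp_hdr_len]), second_vni


def build_sample_original_packet() -> bytes:
    """Constructed original packet as a terminal would send it (all addresses are made up)."""
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + b"\x08\x00"  # dst = lan interface, src = sender
    seg = bytearray(struct.pack("!HHIIBBHHH", 51000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0) + SAMPLE_PAYLOAD)
    src, dst = socket.inet_aton("192.168.1.10"), socket.inet_aton("198.51.100.7")
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_LEN + len(seg), 1, 0, 64, 6, 0, src, dst))
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    seg[16:18] = struct.pack("!H", tcp_checksum(src, dst, bytes(seg)))
    return eth + bytes(ip) + bytes(seg)


if __name__ == "__main__":
    header, vni = translate_inner_header(build_sample_original_packet(), 100)
    print(header.hex(), vni)
```

The returned header is exactly the nat inner layer packet header that step S104 stores in the extended information buffer; the Payload stays where it is in the packet buffer, which is why the TCP checksum is computed over the payload bytes but only the rewritten header is returned.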
It is understood that the step S105 may include the following steps:
step one, the network card sends a pointer of Payload in the original message to the first docker container.
As can be seen from the above analysis, in step S104, the second docker container obtains the pointer of Payload in the original message, and sends the pointer of Payload in the original message to the network card, and then the network card may also send the pointer of Payload in the original message to the first docker container. Therefore, the first docker container can be quickly positioned to the initial position of the Payload in the original message, and at the moment, only the Payload in the original message and the content behind the Payload are visible to the first docker container, so that interference of the content in front of the Payload in the original message on the first docker container is avoided, and the working efficiency of the first docker container is improved.
Step two, the first docker container accesses the second vni according to the pointer of Payload in the original message.
It can be understood that, after the first docker container obtains the pointer of Payload in the original message, the first docker container searches backwards according to the section where Payload in the original message is located, and according to the above analysis, it can be known that the extended information buffer area is determined according to the preset relative position of the first byte of the message buffer area and the first byte of the extended information buffer area, and then the extended information buffer area can also be indirectly determined according to the pointer of Payload in the original message to obtain the second vni; and then, the related operations of the step S105 are performed on the original packet and the second vni.
In this embodiment, as shown in fig. 9, after the step S105, the following steps may be included:
S106, the network card determines a corresponding sending tunnel according to the second vxlan message.
The second encapsulation message in the second vxlan message may determine the IP addresses of both ends of a tunnel and the source MAC address of the tunnel, but one end of different tunnels may correspond to the same source MAC address and IP address; further, the second vni in the second VXLAN message identifies the sending tunnel through the VXLAN network identifier.
S107, the network card sends the second vxlan message according to the sending tunnel.
It can be understood that the sending tunnel is a path through which the second vxlan message is transmitted. For example, when the terminal sends the first vxlan message to the network card, the first vxlan message is converted into the second vni, one end of the sending tunnel determined by the second vxlan message is the physical port of the network card, and the other end of the sending tunnel is the physical port of the bras, that is, the second vxlan message may be transmitted from the network card to the bras.
In this embodiment, as shown in fig. 10, the server further includes a third docker container, the first encapsulated packet further includes a source IP address and a destination IP address, and the following steps may be included after step S101:
S401, the first docker container analyzes the first encapsulation message from the first vxlan message, obtains the source IP address and the destination IP address, and stores the source IP address and the destination IP address in the extended information cache region.
Specifically, as shown in fig. 5, the Outer IP header503 in the first VXLAN message includes an IP SA603 and an IP DA604, where the IP SA is the source IP address, that is, the IP address of the source VTEP of the VXLAN tunnel, and the IP DA is the destination IP address, that is, the IP address of the destination VTEP of the VXLAN tunnel.
The first docker container may access the first vxlan message, analyze the first encapsulated message in the first vxlan message, and obtain the Outer IP header in the first encapsulated message according to an analysis result to obtain the source IP address and the destination IP address therein. It can be understood that, at this time, the original packet is stored in the packet buffer, and the source IP address and the destination IP address are stored in the extended information buffer. As can be seen from the above analysis, a preset interval may be reserved between the extended information buffer and the packet buffer to properly distinguish the packet from the private information in the packet, and thus a corresponding preset space may be reserved between the source IP address, the destination IP address and the original packet. Then, when the source IP address and the destination IP address are obtained at a later stage, on the premise that the extended information buffer is located according to the relative position of the first byte of the packet buffer and the first byte of the extended information buffer, the embodiment may further verify the source IP address and the destination IP address, for example by determining whether the preset interval exists between the "source IP address and destination IP address determined through the above steps" and the packet buffer, so as to determine whether the "determined source IP address and destination IP address" are the true source IP address and the true destination IP address.
Similarly, after the first docker container completes the step S401, the first docker container may send a relevant instruction such as a "decapsulation message task completion instruction" to the network card, so as to inform the network card that the first docker container has completed a relevant operation such as a "decapsulation message" and facilitate the network card to perform a next operation. Meanwhile, the first docker container may obtain a pointer of the original packet at this time, and the first docker container may also send the pointer of the original packet to the network card.
S402, the third docker container extracts the source IP address and the destination IP address from the extended information cache region, and judges whether the first vxlan message is a legal message or not according to the source IP address and the destination IP address.
Similarly, after receiving the pointer of the original message, the network card may also send the pointer of the original message to the third docker container, so that the third docker container is quickly positioned to the original message according to the pointer of the original message, thereby improving the working efficiency of the third docker container.
As can be seen from the above description, the source IP address and the destination IP address are an IP address of a source VTEP and an IP address of a destination VTEP of a VXLAN tunnel, respectively, that is, the third docker container may determine multiple VXLAN tunnels capable of transmitting the first VXLAN packet according to the source IP address and the destination IP address. Further, the third docker container may include a VXLAN tunnel table, where the VXLAN tunnel table lists the legal status of the VXLAN packet passing through each VXLAN tunnel. Therefore, according to the VXLAN tunnel corresponding to the first VXLAN message, the VXLAN tunnel table is searched, and whether the first VXLAN message is legal or not can be judged.
S403, if the first vxlan message is a legal message, the third docker container processes the original message.
Specifically, when the first vxlan packet is a legal packet, the third docker container may read the original packet, modify the original packet, and send the original packet.
S404, if the first vxlan message is not a legal message, the third docker container discards the original message.
Specifically, when the first vxlan packet is not a legal packet, the third docker container may ignore the original packet and continue to perform operations related to other packets.
The steps S401 to S404 may also be executed before the step S101, that is, it may first be determined whether the first vxlan packet is a legal packet, and the step S101 is executed only when the first vxlan packet is a legal packet and is not executed otherwise.
In this embodiment, fig. 11 is a schematic diagram of the signalling interaction of the method for sharing private information in a packet according to the embodiment of the present invention, which comprises the following steps:
s1, the network card receives a first vxlan packet and stores it in the packet buffer area;
s2, the network card sends a pointer to the first vxlan packet to the first docker container;
s3, the first docker container parses the first encapsulation packet out of the first vxlan packet and obtains the first vni from the first encapsulation packet;
s4, the first docker container stores the first vni in the extended information buffer area;
s5, the first docker container sends a 'decapsulation task completed' instruction to the network card;
s6, the network card sends a pointer to the original packet within the first vxlan packet to the second docker container;
s7, the second docker container extracts the original packet from the packet buffer area and the first vni from the extended information buffer area;
s8, the second docker container determines the corresponding nat inner layer header information and second vni according to the original packet and the first vni;
s9, the second docker container stores the nat inner layer header information in the extended information buffer area;
s10, the second docker container stores the second vni in the extended information buffer area;
s11, the second docker container sends a 'packet information processing task completed' instruction to the network card;
s12, the network card sends a pointer to the Payload of the original packet within the first vxlan packet to the first docker container;
s13, the first docker container extracts the second vni from the extended information buffer area and determines the second encapsulation packet according to the second vni;
s14, the first docker container stores the second encapsulation packet in the extended information buffer area, so that the original packet in the packet buffer area, the nat inner layer header information in the extended information buffer area and the second encapsulation packet together form the second vxlan packet;
s15, the first docker container sends an 'encapsulation task completed' instruction to the network card.
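The signalling sequence above, together with the legality check of steps S401 to S404, can be modelled end to end in a short script. The following Python is an added example written for this page; it is not code from the patent or from Wuhan Greenet. It represents the packet buffer area as an immutable bytes object and the extended information buffer area as a dict, and the three containers as functions that receive an offset into the shared buffer in place of the pointer the network card hands over. Everything not stated in the patent is an assumption: fixed 20-byte IPv4 and 8-byte UDP headers, the legality check implemented as an allowlist of (outer source IP, outer destination IP) tunnel pairs, a nat conversion table keyed by (first vni, inner source IP, inner source port), a vni conversion table keyed by first vni, and a tunnel table keyed by second vni. The MAC and IP addresses are constructed sample values from documentation ranges.

```python
"""Added model of the two-buffer pipeline in steps s1-s15 and S401-S404 (not the patent's code)."""
import ipaddress
import struct

VXLAN_PORT = 4789
ETH, IP, UDP, VX = 14, 20, 8, 8      # header sizes this model handles (fixed IPv4 IHL of 5)
MACS = bytes.fromhex("02aa000000a1"), bytes.fromhex("02aa000000b2")   # constructed sample MACs


def ip_checksum(hdr):
    """RFC 1071 ones'-complement checksum; returns 0 for a header whose checksum is already valid."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def ipv4(src, dst, payload_len, proto=17):
    h = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP + payload_len, 0, 0, 64, proto, 0,
                    ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return h[:10] + struct.pack("!H", ip_checksum(h)) + h[12:]


def udp(sport, dport, payload_len):
    return struct.pack("!HHHH", sport, dport, UDP + payload_len, 0)   # checksum 0 = not computed


def vxlan(vni):
    return struct.pack("!B3xI", 0x08, vni << 8)   # RFC 7348: I flag set, 24-bit VNI, reserved byte


def encapsulate(vni, tun_src, tun_dst, inner):
    """Outer Ethernet/IPv4/UDP/VXLAN headers around an inner frame: an 'encapsulation packet'."""
    return (MACS[1] + MACS[0] + b"\x08\x00" + ipv4(tun_src, tun_dst, UDP + VX + len(inner))
            + udp(49152, VXLAN_PORT, VX + len(inner)) + vxlan(vni))


def build_vxlan_packet(vni, tun_src, tun_dst, src, dst, sport, dport, payload):
    inner = (MACS[1] + MACS[0] + b"\x08\x00" + ipv4(src, dst, UDP + len(payload))
             + udp(sport, dport, len(payload)) + payload)
    return encapsulate(vni, tun_src, tun_dst, inner) + inner


def first_container_decapsulate(pkt, ext):
    """s3-s4 and S401: record first vni and outer IPs in ext; return the offset of the original packet."""
    ip, udph = pkt[ETH:ETH + IP], pkt[ETH + IP:ETH + IP + UDP]
    vx = pkt[ETH + IP + UDP:ETH + IP + UDP + VX]
    if ip[0] != 0x45 or ip[9] != 17 or udph[2:4] != struct.pack("!H", VXLAN_PORT) or not vx[0] & 0x08:
        raise ValueError("not an IPv4/UDP VXLAN packet carrying a valid VNI")
    ext["first_vni"] = struct.unpack("!I", vx[4:8])[0] >> 8
    ext["outer_src"], ext["outer_dst"] = (str(ipaddress.ip_address(ip[i:i + 4])) for i in (12, 16))
    return ETH + IP + UDP + VX


def third_container_is_legal(ext, allowed_tunnels):
    """S402 (assumed policy): legal only if the outer (source, destination) pair is a configured tunnel."""
    return (ext["outer_src"], ext["outer_dst"]) in allowed_tunnels


def second_container_nat(pkt, off, ext, nat_table, vni_table):
    """s7-s10: read the original inner header, look up NAT and vni mappings, write results to ext only."""
    ip, udph = pkt[off + ETH:off + ETH + IP], pkt[off + ETH + IP:off + ETH + IP + UDP]
    src, dst = (str(ipaddress.ip_address(ip[i:i + 4])) for i in (12, 16))
    sport, dport, ulen = struct.unpack("!HHH", udph[:6])
    nat_ip, nat_port = nat_table[(ext["first_vni"], src, sport)]        # assumed table key
    ext["second_vni"] = vni_table[ext["first_vni"]]
    ext["nat_inner_hdr"] = ipv4(nat_ip, dst, ulen) + udp(nat_port, dport, ulen - UDP)


def first_container_encapsulate(pkt, off, ext, tunnel_table):
    """s13-s14: build the second encapsulation from the second vni; the packet buffer is not written."""
    tun_src, tun_dst = tunnel_table[ext["second_vni"]]
    ext["second_encap"] = encapsulate(ext["second_vni"], tun_src, tun_dst, pkt[off:])


def compose_second_packet(pkt, off, ext):
    """Second vxlan packet = second encapsulation + original inner Ethernet + NAT header + untouched payload."""
    return ext["second_encap"] + pkt[off:off + ETH] + ext["nat_inner_hdr"] + pkt[off + ETH + IP + UDP:]


def process(pkt, allowed_tunnels, nat_table, vni_table, tunnel_table):
    """Run s1-s15 with the S401-S404 check over one packet; return the second packet, or None if dropped."""
    ext = {}                                            # the extended information buffer
    off = first_container_decapsulate(pkt, ext)
    if not third_container_is_legal(ext, allowed_tunnels):
        return None                                     # S404: discard the original packet
    second_container_nat(pkt, off, ext, nat_table, vni_table)
    first_container_encapsulate(pkt, off, ext, tunnel_table)
    return compose_second_packet(pkt, off, ext)


# Constructed sample tables and packets; all addresses are from documentation ranges.
ALLOWED_TUNNELS = {("192.0.2.1", "192.0.2.2")}
NAT_TABLE = {(100, "10.0.0.5", 40000): ("203.0.113.7", 50001)}   # (first vni, src IP, src port) -> (nat IP, nat PORT)
VNI_TABLE = {100: 200}                                            # first vni -> second vni
TUNNEL_TABLE = {200: ("192.0.2.2", "192.0.2.3")}                  # second vni -> sending tunnel endpoints
PAYLOAD = b"constructed payload"
SAMPLE = build_vxlan_packet(100, "192.0.2.1", "192.0.2.2", "10.0.0.5", "10.0.1.9", 40000, 53, PAYLOAD)
SPOOFED = build_vxlan_packet(100, "198.51.100.9", "192.0.2.2", "10.0.0.5", "10.0.1.9", 40000, 53, PAYLOAD)

if __name__ == "__main__":
    out = process(SAMPLE, ALLOWED_TUNNELS, NAT_TABLE, VNI_TABLE, TUNNEL_TABLE)
    dropped = process(SPOOFED, ALLOWED_TUNNELS, NAT_TABLE, VNI_TABLE, TUNNEL_TABLE) is None
    print("second packet:", out.hex(), "| spoofed packet dropped:", dropped)
```

Two points of the model are worth noting. First, `pkt` is only ever read: both containers write their results into `ext`, and the second vxlan packet is assembled from the two buffers only at send time, which is the integrity property the description relies on so that other containers can still consume the first vxlan packet. Second, the legality check at S402 is only as strong as the underlay it sits on: VXLAN (RFC 7348) carries no authentication of the outer IP header, so a host able to inject traffic with a spoofed tunnel source address into the underlay passes an outer-IP allowlist, and the SPOOFED packet above is rejected only because its source is not a configured endpoint. Such a check filters misdirected traffic; keeping an active attacker out needs underlay filtering at the tunnel endpoints or an authenticated tunnel.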
In order to better implement the method for sharing private information in a packet according to the embodiment of the present invention, and based on that method, the embodiment of the present invention further provides a server, shown in fig. 12. The server 400 includes a network card 401, a first docker container 402 and a second docker container 403; the network card 401 includes a buffer area, which includes a packet buffer area and an extended information buffer area;
the network card 401 is configured to receive a first vxlan packet and store it in the packet buffer area, where the first vxlan packet includes a first encapsulation packet and an original packet, and the first encapsulation packet includes a first vni;
the first docker container 402 is configured to parse the first encapsulation packet out of the first vxlan packet, obtain the first vni and store it in the extended information buffer area;
the second docker container 403 is configured to extract the original packet from the packet buffer area and the first vni from the extended information buffer area, and to determine the corresponding nat inner layer header information and second vni according to the original packet and the first vni;
the second docker container 403 is further configured to store the nat inner layer header information and the second vni in the extended information buffer area;
the first docker container 402 is further configured to extract the second vni from the extended information buffer area, determine the second encapsulation packet according to the second vni and store it in the extended information buffer area, so that the original packet in the packet buffer area, the nat inner layer header information in the extended information buffer area and the second encapsulation packet together form the second vxlan packet.
In some embodiments of the present application, the second docker container 403 is further configured to extract the original inner layer header from the original packet and the first vni from the extended information buffer area; and
the second docker container 403 is further configured to look up the corresponding nat IP and second vni in the nat conversion table and the vni conversion table respectively, according to the original inner layer header and the first vni.
In some embodiments of the present application, the network card 401 is further configured to send a pointer of the first vxlan message to the first docker container 402; and
the first docker container 402 is further configured to access the first vxlan packet according to the pointer of the first vxlan packet.
In some embodiments of the present application, the network card 401 is further configured to send a pointer to the original packet to the second docker container 403; and
the second docker container 403 is further configured to access the original packet and the first vni according to the pointer to the original packet.
In some embodiments of the present application, the network card 401 is further configured to determine a corresponding sending tunnel according to the second vxlan message; and
the network card 401 is further configured to send the second vxlan message according to the sending tunnel.
In some embodiments of the present application, as shown in fig. 13, the server further includes a third docker container 404, the first encapsulated packet further includes a source IP address and a destination IP address, and the first docker container 402 is further configured to parse the first encapsulated packet from the first vxlan packet to obtain the source IP address and the destination IP address, and store the source IP address and the destination IP address in the extended information cache region; and
the third docker container 404 is specifically configured to:
extracting the source IP address and the destination IP address from the extended information cache region, and judging whether the first vxlan message is a legal message or not according to the source IP address and the destination IP address;
if the first vxlan message is a legal message, the third docker container processes the original message;
and if the first vxlan message is not a legal message, discarding the original message by the third docker container.
The invention provides a method and a server for sharing private information in a packet. The buffer area in the network card comprises a packet buffer area and an extended information buffer area; the first docker container parses the first vni out of the first vxlan packet and stores it in the extended information buffer area; the second docker container extracts the first vni from the extended information buffer area and determines the corresponding nat inner layer header information and second vni from it; the second docker container stores the nat inner layer header information and the second vni in the extended information buffer area; and the first docker container extracts the second vni from the extended information buffer area and performs the corresponding operation. In this scheme an extended information buffer area is set aside inside the buffer area of the network card, and the first vni, nat inner layer header information and second vni produced by the first and second docker containers are held there temporarily, so that the two containers can share each other's results and the operations they perform do not partly duplicate one another. Moreover, while the first and second docker containers obtain the information they need from the first vxlan packet and act on it, the first vxlan packet itself remains intact, so other containers can still read it and the server need not fetch the first vxlan packet from outside again in order to supply it to them. In summary, this scheme improves the working efficiency of the server.
An embodiment of the present invention further provides a server, as shown in fig. 14, which shows a schematic structural diagram of the server according to the embodiment of the present invention, specifically:
the server may include components such as a processor 801 of one or more processing cores, memory 802 of one or more computer-readable storage media, a power supply 803, and an input unit 804. Those skilled in the art will appreciate that the server architecture shown in FIG. 14 is not meant to be limiting, and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components. Wherein:
the processor 801 is a control center of the server, connects various parts of the entire server using various interfaces and lines, and performs various functions of the server and processes data by running or executing software programs and/or modules stored in the memory 802 and calling data stored in the memory 802, thereby performing overall monitoring of the server. Alternatively, processor 801 may include one or more processing cores; the Processor 801 may be a Central Processing Unit (CPU), other general purpose Processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), an off-the-shelf Programmable Gate Array (FPGA) or other Programmable logic device, discrete Gate or transistor logic, discrete hardware components, etc. The general purpose processor may be a microprocessor or the processor may be any conventional processor or the like, preferably the processor 801 may integrate an application processor, which handles primarily the operating system, user interfaces, application programs, etc., and a modem processor, which handles primarily wireless communications. It will be appreciated that the modem processor described above may not be integrated into the processor 801.
The memory 802 may be used to store software programs and modules, and the processor 801 executes various functional applications and data processing by operating the software programs and modules stored in the memory 802. The memory 802 may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required by at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may store data created according to the use of the server, and the like. Further, the memory 802 may include high speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device. Accordingly, the memory 802 may also include a memory server to provide the processor 801 access to the memory 802.
The server further includes a power supply 803 for supplying power to the various components, and preferably, the power supply 803 may be logically connected to the processor 801 via a power management system, so that functions of managing charging, discharging, and power consumption are performed via the power management system. The power supply 803 may also include one or more dc or ac power sources, recharging systems, power failure detection circuitry, power converters or inverters, power status indicators, and any like components.
The server may further include an input unit 804, and the input unit 804 may be used to receive input numeric or character information and generate keyboard, mouse, joystick, optical or trackball signal inputs related to user settings and function control.
Although not shown, the server may further include a display unit and the like, which are not described in detail here. Specifically, in this embodiment, the processor 801 in the server loads the executable file of one or more application programs into the memory 802 according to the following instructions and runs the application programs stored in the memory 802 so as to implement the various functions, where the processor 801 may send instructions to the network card, the first docker container and the second docker container in the server so that they perform the following steps in sequence:
the network card receives a first vxlan message, and stores the first vxlan message to the message cache area, wherein the first vxlan message comprises a first encapsulation message and an original message, and the first encapsulation message comprises a first vni;
the first docker container parses the first encapsulation message out of the first vxlan message, acquires the first vni, and stores the first vni in the extended information cache region;
the second docker container extracts the original message from the message cache region, extracts the first vni from the extended information cache region, and determines corresponding nat inner layer message header information and second vni according to the original message and the first vni;
the second docker container stores the nat inner layer message header information and the second vni to the extended information cache region;
and the first docker container extracts the second vni from the extended information cache region, determines a second encapsulated message according to the second vni, and stores the second encapsulated message to the extended information cache region, so that the original message located in the message cache region, and the nat inner layer message header information and the second encapsulated message located in the extended information cache region jointly form a second vxlan message.
It will be understood by those skilled in the art that all or part of the steps of the methods of the above embodiments may be performed by instructions or by associated hardware controlled by the instructions, which may be stored in a computer readable storage medium and loaded and executed by a processor.
To this end, an embodiment of the present invention provides a computer-readable storage medium, which may include a Read Only Memory (ROM), a Random Access Memory (RAM), a magnetic or optical disk, and the like. A computer program stored on it is loaded by a processor to send instructions to a network card, a first docker container and a second docker container in a server, so that the network card, the first docker container and the second docker container perform the following steps in sequence:
the network card receives a first vxlan message, and stores the first vxlan message to the message cache area, wherein the first vxlan message comprises a first encapsulation message and an original message, and the first encapsulation message comprises a first vni;
the first docker container parses the first encapsulation message out of the first vxlan message, acquires the first vni, and stores the first vni in the extended information cache region;
the second docker container extracts the original message from the message cache region, extracts the first vni from the extended information cache region, and determines corresponding nat inner layer message header information and second vni according to the original message and the first vni;
the second docker container stores the nat inner layer message header information and the second vni to the extended information cache region;
and the first docker container extracts the second vni from the extended information cache region, determines a second encapsulated message according to the second vni, and stores the second encapsulated message to the extended information cache region, so that the original message located in the message cache region, and the nat inner layer message header information and the second encapsulated message located in the extended information cache region jointly form a second vxlan message.
In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and parts that are not described in detail in a certain embodiment may refer to the above detailed descriptions of other embodiments, and are not described herein again.
In a specific implementation, each unit or structure may be implemented as an independent entity, or may be combined arbitrarily to be implemented as one or several entities, and the specific implementation of each unit or structure may refer to the foregoing method embodiment, which is not described herein again.
The above operations can be implemented in the foregoing embodiments, and are not described in detail herein.
The method and the server for sharing private information in a message provided by the embodiment of the present invention are described in detail, a specific example is applied in the description to explain the principle and the embodiment of the present invention, and the description of the above embodiment is only used to help understanding the method and the core idea of the present invention; meanwhile, for those skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.

Claims (10)

1. A method for sharing private information in a message, characterized in that the method is applied to a server comprising a network card, a first docker container and a second docker container, the network card comprising a buffer area and the buffer area comprising a message buffer area and an extended information buffer area, the method comprising the following steps:
the network card receives a first vxlan message, and stores the first vxlan message to the message cache area, wherein the first vxlan message comprises a first encapsulation message and an original message, and the first encapsulation message comprises a first vni;
the first docker container parses the first encapsulation message out of the first vxlan message, acquires the first vni, and stores the first vni in the extended information cache region;
the second docker container extracts the original message from the message cache region, extracts the first vni from the extended information cache region, and determines corresponding nat inner layer message header information and second vni according to the original message and the first vni;
the second docker container stores the nat inner layer message header information and the second vni to the extended information cache region;
and the first docker container extracts the second vni from the extended information cache region, determines a second encapsulated message according to the second vni, and stores the second encapsulated message to the extended information cache region, so that the original message located in the message cache region, and the nat inner layer message header information and the second encapsulated message located in the extended information cache region jointly form a second vxlan message.
2. The method according to claim 1, wherein the step of extracting the original packet from the packet buffer and the first vni from the extended information buffer by the second docker container, and determining corresponding nat inner layer packet header information and second vni according to the original packet and the first vni includes:
the second docker container extracts an original inner layer message header from the original message and extracts the first vni from the extended information buffer area;
the second docker container searches corresponding nat IP, nat PORT and second vni in the nat conversion table and the vni conversion table respectively according to the original inner layer message header and the first vni;
and the second docker container determines the nat inner layer message header information according to the nat IP and the nat PORT.
3. The method according to claim 1, wherein the step of parsing the first encapsulated packet and obtaining the first vni from the first vxlan packet by the first docker container, and storing the first vni in the extended information buffer includes:
the network card sends a pointer of the first vxlan message to the first docker container;
and the first docker container accesses the first vxlan message according to the pointer of the first vxlan message.
4. The method according to claim 1, wherein before the steps of extracting the original packet from the packet buffer and extracting the first vni from the extended information buffer by the second docker container, and determining corresponding nat inner layer packet header information and second vni according to the original packet and the first vni, the method comprises:
the network card sends a pointer of the original message to the second docker container;
and the second docker container accesses the original message and the first vni according to the pointer of the original message.
5. The method according to claim 1, wherein the step of extracting, by the first docker container, the second vni from the extended information buffer, determining a second encapsulated packet according to the second vni, and storing the second encapsulated packet in the extended information buffer, so that the original packet in the packet buffer and the nat inner layer packet header information and the second encapsulated packet in the extended information buffer together form a second vxlan packet is followed by the step of:
the network card determines a corresponding sending tunnel according to the second vxlan message;
and the network card sends the second vxlan message according to the sending tunnel.
6. The method for sharing private information in a message according to claim 1, wherein the server further comprises a third docker container, the first encapsulation message further comprises a source IP address and a destination IP address, and after the step in which the network card receives the first vxlan message and stores it in the message buffer area, the method comprises:
the first docker container analyzes the first encapsulation message from the first vxlan message, obtains the source IP address and the destination IP address, and stores the source IP address and the destination IP address to the extended information cache region;
the third docker container extracts the source IP address and the destination IP address from the extended information cache region, and judges whether the first vxlan message is a legal message or not according to the source IP address and the destination IP address;
if the first vxlan message is a legal message, the third docker container processes the original message;
and if the first vxlan message is not a legal message, discarding the original message by the third docker container.
7. A server is characterized by comprising a network card, a first docker container and a second docker container, wherein the network card comprises a cache region which comprises a message cache region and an extended information cache region;
the network card receives a first vxlan message, and stores the first vxlan message to the message cache area, wherein the first vxlan message comprises a first encapsulation message and an original message, and the first encapsulation message comprises a first vni;
the first docker container parses the first encapsulation message out of the first vxlan message, acquires the first vni, and stores the first vni in the extended information cache region;
the second docker container extracts the original message from the message cache region, extracts the first vni from the extended information cache region, and determines corresponding nat inner layer message header information and second vni according to the original message and the first vni;
the second docker container stores the nat inner layer message header information and the second vni to the extended information cache region;
and the first docker container extracts the second vni from the extended information cache region, determines a second encapsulated message according to the second vni, and stores the second encapsulated message to the extended information cache region, so that the original message located in the message cache region, and the nat inner layer message header information and the second encapsulated message located in the extended information cache region jointly form a second vxlan message.
8. The server according to claim 7, wherein the second docker container is further configured to extract an original inner layer message header from the original message and to extract the first vni from the extended information buffer area; and
the second docker container is further configured to look up the corresponding nat IP and second vni in the nat conversion table and the vni conversion table respectively, according to the original inner layer message header and the first vni.
9. The server according to claim 7, wherein the network card is further configured to send a pointer of the first vxlan message to the first docker container; and
the first docker container is further configured to access the first vxlan packet according to the pointer of the first vxlan packet.
10. The server of claim 7, wherein the network card is further configured to send a pointer of the original packet to the second docker container; and
the second docker container is further configured to determine the extended information buffer according to the pointer of the original packet, and access the original packet and the first vni.
CN202110793508.1A 2021-07-14 2021-07-14 Method and server for sharing private information in message Active CN113259220B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110793508.1A CN113259220B (en) 2021-07-14 2021-07-14 Method and server for sharing private information in message

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110793508.1A CN113259220B (en) 2021-07-14 2021-07-14 Method and server for sharing private information in message

Publications (2)

Publication Number Publication Date
CN113259220A CN113259220A (en) 2021-08-13
CN113259220B true CN113259220B (en) 2021-09-10

Family

ID=77191270

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110793508.1A Active CN113259220B (en) 2021-07-14 2021-07-14 Method and server for sharing private information in message

Country Status (1)

Country Link
CN (1) CN113259220B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111756612A (en) * 2019-03-29 2020-10-09 Juniper Networks, Inc. Extensible multi-tenant underlying network supporting multi-tenant overlay network
CN112422393A (en) * 2015-12-31 2021-02-26 Huawei Technologies Co., Ltd. Method for transmitting message of extensible virtual local area network, computer equipment and readable medium
CN112835775A (en) * 2021-01-29 2021-05-25 XJ Group Corporation Simulation network communication method and device and relay protection device simulation test system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4221646B2 (en) * 2002-06-26 2009-02-12 NEC Corporation Shared cache server
US10868742B2 (en) * 2017-03-29 2020-12-15 Juniper Networks, Inc. Multi-cluster dashboard for distributed virtualization infrastructure element monitoring and policy control


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Docker网络通信研究与实现 (Research and implementation of Docker network communication); 肖小芳 et al.; 《通讯世界》 (Telecom World); 2017-11-25 (No. 22); full text *

Also Published As

Publication number Publication date
CN113259220A (en) 2021-08-13

Similar Documents

Publication Publication Date Title
CN108259291B (en) VXLAN message processing method, device and system
US9774532B2 (en) Information processing system, information processing apparatus and control method of information processing system
CN111131037B (en) Data transmission method, device, medium and electronic equipment based on virtual gateway
CN107426077B (en) Method and equipment for realizing intercommunication between physical network and virtual network
CN112040030B (en) Message transmission method and device, computer equipment and storage medium
JP6269999B2 (en) Packet processing method and apparatus
CN112702252A (en) Message processing method, system and related equipment
CN112486627A (en) Method and device for determining virtual machine migration
WO2021013046A1 (en) Communication method and network card
WO2024067336A1 (en) Packet processing method, programmable network card device, physical server, and storage medium
CN113132202B (en) Message transmission method and related equipment
CN110311860B (en) Multilink load balancing method and device under VXLAN
CN107682275B (en) Message monitoring method and device
US20220029917A1 (en) Executing workloads across multiple cloud service providers
CN106992918B (en) Message forwarding method and device
CN115589383A (en) eBPF-based virtual machine data transmission method, device, equipment and storage medium
WO2022116850A1 (en) Method and device for identifying private network user, service system, and storage medium
CN113630341B (en) Data information processing method and server
CN114584526A (en) ARP protocol processing method, system, storage medium and electronic equipment
CN113596038B (en) Data packet parsing method and server
CN113259220B (en) Method and server for sharing private information in message
CN108353017B (en) Computing system and method for operating multiple gateways on a multi-gateway virtual machine
CN109450767A (en) A kind of message processing method and device
EP3913865A1 (en) Message decapsulation method and device, message encapsulation method and device, electronic device, and storage medium
CN114389905A (en) Network flow statistical method, related device and medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant