CN113890864B - Data packet processing method, device, electronic equipment and storage medium - Google Patents


Info

Publication number
CN113890864B
Authority
CN
China
Prior art keywords
edge node
data packet
address
network address
present disclosure
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111218575.7A
Other languages
Chinese (zh)
Other versions
CN113890864A (en)
Inventor
刘禹瑄
路杨鹏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Jingdong Technology Information Technology Co Ltd
Original Assignee
Jingdong Technology Information Technology Co Ltd
Application filed by Jingdong Technology Information Technology Co Ltd
Priority to CN202111218575.7A
Publication of CN113890864A
Application granted
Publication of CN113890864B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/25 Mapping addresses of the same type
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 67/14 Session management
    • H04L 67/141 Setup of application sessions


Abstract

The disclosure provides a data packet processing method, which comprises the following steps: in response to a communication request from a target service in a cloud host, acquiring a data packet carried in the communication request; determining a target network address of a first edge node associated with the target service based on a routing table maintained in a routing gateway to which the cloud host belongs; modifying the address of the data packet into the target network address through network address translation; and transmitting the data packet to the first edge node through a first data channel, so that the data packet is output to the Internet from the network outlet of the first edge node. Furthermore, the present disclosure provides a data packet processing apparatus, an electronic device, a readable storage medium and a computer program product.

Description

Data packet processing method, device, electronic equipment and storage medium
Technical Field
The present disclosure relates to the field of cloud technology, and more particularly, to a data packet processing method, a data packet processing apparatus, an electronic device, a readable storage medium, and a computer program product.
Background
With the development of internet technology and cloud technology, cloud hosts are increasingly used to build enterprise internal systems because they offer high-performance servers, high-quality network bandwidth and similar characteristics, and they can comprehensively meet enterprises' demands for low-cost, highly reliable and easily managed host rental services.
In the process of implementing the disclosed concept, the inventor found that in the related art, when one cloud host provides a plurality of proxy services simultaneously, its traffic is easily regarded as an attack, and the service therefore becomes unstable.
Disclosure of Invention
In view of this, the present disclosure provides a data packet processing method, a data packet processing apparatus, an electronic device, a readable storage medium, and a computer program product.
One aspect of the present disclosure provides a data packet processing method, including: in response to a communication request from a target service in a cloud host, acquiring a data packet carried in the communication request; determining a target network address of a first edge node associated with the target service based on a routing table maintained in a routing gateway to which the cloud host belongs; modifying the address of the data packet into the target network address through network address translation; and transmitting the data packet to the first edge node through a first data channel, so that the data packet is output to the internet from a network outlet of the first edge node.
According to an embodiment of the present disclosure, the communication request further carries a connection request for connecting to the first edge node, and the method further comprises: authenticating the connection request; and establishing the first data channel between the first edge node and the routing gateway if authentication succeeds.
According to an embodiment of the present disclosure, the above method further includes: when an unregistered edge node is detected requesting access to the routing gateway, acquiring the physical address of that edge node; and encoding the physical address to generate an identifier of the edge node, thereby completing the registration of the edge node; wherein the identifier of the edge node is used as the authentication credential for communication between the routing gateway and the edge node.
According to an embodiment of the present disclosure, authenticating the connection request includes: acquiring the identifier of the first edge node carried in the connection request; and authenticating the connection request using the identifier of the first edge node as the credential.
According to an embodiment of the present disclosure, the above method further includes: if authentication fails, sending feedback information rejecting the communication request to the target service.
According to an embodiment of the present disclosure, the above method further includes: when it is monitored that the first edge node is down, acquiring a second edge node connected to the routing gateway, wherein a second data channel is established between the second edge node and the routing gateway; writing the association between the target service and the second edge node into the routing table; and transmitting the data packet to the second edge node through the second data channel.
According to an embodiment of the present disclosure, determining the target network address of the first edge node associated with the target service based on the routing table maintained in the routing gateway to which the cloud host belongs includes: determining the internet protocol address of the first edge node based on the routing table; and performing a logical AND operation on the internet protocol address of the first edge node and a preset subnet mask to obtain the target network address of the first edge node.
Another aspect of the present disclosure provides a data packet processing apparatus, including an acquisition module, a determination module, an address translation module, and a transmission module. The acquisition module is configured to acquire, in response to a communication request from a target service in the cloud host, a data packet carried in the communication request; the determination module is configured to determine a target network address of a first edge node associated with the target service based on a routing table maintained in a routing gateway to which the cloud host belongs; the address translation module is configured to modify the address of the data packet into the target network address through network address translation; and the transmission module is configured to transmit the data packet to the first edge node through a first data channel, so that the data packet is output to the Internet from a network outlet of the first edge node.
Another aspect of the present disclosure provides an electronic device, comprising: one or more processors; and a memory for storing one or more instructions that, when executed by the one or more processors, cause the one or more processors to implement the method as described above.
Another aspect of the present disclosure provides a computer-readable storage medium storing computer-executable instructions that, when executed, are configured to implement a method as described above.
Another aspect of the present disclosure provides a computer program product comprising computer executable instructions which, when executed, are for implementing a method as described above.
According to the embodiment of the disclosure, a cloud host distributes its lines and accesses the internet through a routing gateway; the routing gateway establishes data channels with a plurality of edge nodes, and when a communication request from a target service in the cloud host is received, the address of the data packet carried in the communication request can be translated so that a first edge node connected to the routing gateway serves as the network outlet of the data packet. By this technical means, the technical problem in the related art that, when one cloud host simultaneously provides a plurality of proxy services, the business party is easily regarded as an attacker and the service becomes unstable is at least partially solved; a private-domain traffic service can be effectively provided for customers, and the stability of the cloud host service is improved.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent from the following description of embodiments thereof with reference to the accompanying drawings in which:
Fig. 1 schematically illustrates an exemplary system architecture to which a packet processing method may be applied according to an embodiment of the present disclosure.
Fig. 2 schematically illustrates a flow chart of a data packet processing method according to an embodiment of the present disclosure.
Fig. 3A schematically illustrates a flow chart of a method of packet processing according to another embodiment of the present disclosure.
Fig. 3B schematically illustrates a flow chart of a data packet processing method according to yet another embodiment of the present disclosure.
Fig. 4 schematically illustrates a schematic diagram of a packet processing flow according to an embodiment of the disclosure.
Fig. 5 schematically illustrates a block diagram of a packet processing device according to an embodiment of the disclosure.
Fig. 6 schematically illustrates a block diagram of an electronic device adapted to implement a data packet processing method according to an embodiment of the disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is only exemplary and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the present disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and/or the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It should be noted that the terms used herein should be construed to have meanings consistent with the context of the present specification and should not be construed in an idealized or overly formal manner.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a convention should be interpreted in accordance with the meaning of one of skill in the art having generally understood the convention (e.g., "a system having at least one of A, B and C" would include, but not be limited to, systems having A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, C together, etc.). Where a formulation similar to "at least one of A, B or C, etc." is used, in general such a formulation should be interpreted in accordance with the ordinary understanding of one skilled in the art (e.g. "a system with at least one of A, B or C" would include but not be limited to systems with A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, C together, etc.).
Cloud hosts are IT infrastructure capability leasing services that integrate computing, storage, and network resources, and can provide on-demand, pay-as-needed server leasing based on a cloud computing model. The client can deploy the required server environment through the self-service platform of the web interface, which effectively overcomes the defects of traditional hosts such as higher rental prices and uneven service quality.
However, in an actual production environment, since all data packets of the proxy service in the cloud host flow out from the network outlet of the cloud host, one cloud host can only provide proxy service for a limited number of clients at the same time; otherwise the business party (the upstream service being accessed) easily treats the traffic as a DDoS (Distributed Denial of Service) attack or request-brushing behaviour, so that the IP of the cloud host is blocked by the business party.
To solve this technical problem, the related art uses a large number of cloud hosts to switch between different IP addresses so as to provide proxy services. However, the cost of IP addresses in the cloud host's resource pool is high, and as traffic increases, using more IP addresses means that a large number of IP resources must be purchased, which greatly increases the cost; on the other hand, once the IP resources of a cloud host are disabled, the cloud host cannot be reused, which is a great risk; meanwhile, the IP resources of the cloud host are limited and cannot be expanded without limit as more clients are connected, so the growth of the service is constrained.
In view of this, the embodiments of the present disclosure allow each cloud host to use an independent terminal network by making an edge node the external-network outlet of the proxy service. In particular, embodiments of the present disclosure provide a data packet processing method, a data packet processing apparatus, an electronic device, a readable storage medium, and a computer program product. The method comprises the following steps: in response to a communication request from a target service in a cloud host, acquiring a data packet carried in the communication request; determining a target network address of a first edge node associated with the target service based on a routing table maintained in a routing gateway to which the cloud host belongs; modifying the address of the data packet into the target network address through network address translation; and transmitting the data packet to the first edge node through the first data channel, so that the data packet is output to the Internet from the network outlet of the first edge node.
Fig. 1 schematically illustrates an exemplary system architecture to which a packet processing method may be applied according to an embodiment of the present disclosure. It should be noted that fig. 1 is only an example of a system architecture to which embodiments of the present disclosure may be applied to assist those skilled in the art in understanding the technical content of the present disclosure, but does not mean that embodiments of the present disclosure may not be used in other devices, systems, environments, or scenarios.
As shown in fig. 1, a system architecture 100 according to this embodiment may include client devices 101, 102, 103, a network 104, a cloud host 105, a routing gateway 106, and edge devices 107, 108, 109.
The client devices 101, 102, 103 may be a variety of electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablets, laptop and desktop computers, and the like.
Various client applications may be installed on the client devices 101, 102, 103, such as shopping class applications, web browser applications, search class applications, instant messaging tools, mailbox clients and/or social platform software, and the like.
The network 104 is the medium used to provide communication links between the client devices 101, 102, 103 and the cloud host 105. The network 104 may include various connection types, such as wired and/or wireless communication links, and the like.
The cloud host 105 may provide proxy services for users, and the cloud host 105 may be composed of multiple servers.
A user may use the computing and storage resources of the cloud host 105 through an installed client application on the client device 101, 102, 103 to implement functionality that is difficult to implement on the client device 101, 102, 103.
The routing gateway 106 may allocate an internet egress for the cloud host 105; the routing gateway 106 and the cloud host 105 are in the same local area network. In some embodiments, one routing gateway 106 may manage multiple cloud hosts 105; in other embodiments, the routing gateway 106 may be integrated in the cloud host 105.
The edge devices 107, 108, 109 may be any electronic device having network egress and communication functions, including but not limited to routers, computers, etc.
The routing gateway 106 and the edge devices 107, 108, 109 may be communicatively coupled by a data tunnel, which may be implemented using VPN technology.
It should be noted that the packet processing method provided in the embodiments of the present disclosure may be generally performed by the routing gateway 106. Accordingly, the packet processing device provided in the embodiments of the present disclosure may be generally disposed in the routing gateway 106. The packet processing method provided by the embodiments of the present disclosure may also be performed by other servers or server clusters capable of communicatively coupling with the routing gateway 106. Accordingly, the packet processing device provided in the embodiments of the present disclosure may also be disposed in other servers or server clusters capable of being communicatively connected to the routing gateway 106. Or the data packet processing method provided by the embodiment of the present disclosure may also be performed by the cloud host 105, or may also be performed by another cloud host different from the cloud host 105. Accordingly, the data packet processing device provided in the embodiments of the present disclosure may also be disposed in the cloud host 105, or disposed in another cloud host different from the cloud host 105.
For example, a client may issue a data communication request by using a client program installed on any one of the client devices 101, 102, 103 (e.g., the client device 101, but not limited thereto); after the request is transmitted to the cloud host 105 through the network 104, the packet processing method provided by the embodiments of the present disclosure may be performed by the cloud host 105, so that the data in the data communication request flows out from the network outlet of any one of the edge devices 107, 108, 109; or may send the request to the routing gateway 106, and the routing gateway 106 performs the packet processing method provided by the embodiments of the present disclosure; or the request may be sent to other servers or server clusters in the local area network where the cloud host 105 and the routing gateway 106 are located, where the other servers or server clusters perform the packet processing method provided by the embodiments of the present disclosure.
It should be understood that the numbers of client devices, networks, cloud hosts, routing gateways, and edge devices in fig. 1 are merely illustrative. There may be any number of client devices, networks, cloud hosts, routing gateways, and edge devices, as required by the implementation.
Fig. 2 schematically illustrates a flow chart of a data packet processing method according to an embodiment of the present disclosure.
As shown in fig. 2, the method includes operations S201 to S204.
In operation S201, in response to a communication request from a target service in a cloud host, a data packet carried in the communication request is acquired.
In operation S202, a target network address of a first edge node associated with a target service is determined based on a routing table maintained in a routing gateway to which the cloud host belongs.
In operation S203, the address of the data packet is modified to the target network address through network address translation.
In operation S204, the data packet is transmitted to the first edge node through the first data channel, so that the data packet is output from the network outlet of the first edge node to the internet.
According to embodiments of the present disclosure, the target service may be a proxy service provided by a cloud host for clients, and a cloud host may provide proxy services for multiple users.
According to embodiments of the present disclosure, the first edge node may be any electronic device, such as a wireless router, computer, etc., having a network egress and capable of authentication with the routing gateway.
According to the embodiment of the disclosure, when a client requests a target service from a cloud host, the routing gateway can provide an initial IP address for the data packets of the target service and allocate a dedicated first edge node as the network outlet of the target service; the IP address of the first edge node and the target network address of the subnet in which the first edge node is located may then be determined from the routing table.
According to embodiments of the present disclosure, the address of the data packet may be modified using network address translation (NAT) or the like, but is not limited thereto.
According to embodiments of the present disclosure, the first data channel may be a VPN channel implemented using OpenVPN or the like. The routing gateway is provided with a VPN client and the first edge node is provided with a VPN server; a communication connection can be established between the VPN client and the VPN server, which forms the first data channel.
According to the embodiment of the disclosure, a cloud host distributes its lines and accesses the internet through a routing gateway; the routing gateway establishes data channels with a plurality of edge nodes, and when a communication request from a target service in the cloud host is received, the address of the data packet carried in the communication request can be translated so that a first edge node connected to the routing gateway serves as the network outlet of the data packet. By this technical means, the technical problem in the related art that, when one cloud host simultaneously provides a plurality of proxy services, the business party is easily regarded as an attacker and the service becomes unstable is at least partially solved; a private-domain traffic service can be effectively provided for customers, and the stability of the cloud host service is improved.
The method illustrated in fig. 2 is further described below with reference to fig. 3A, 3B, and 4, in conjunction with specific embodiments.
Fig. 3A schematically illustrates a flow chart of a method of packet processing according to another embodiment of the present disclosure.
As shown in fig. 3A, the method includes operations S301 to S307.
It should be noted that, unless an execution order between operations is explicitly stated or is required by the technical implementation, the operations in the embodiments of the disclosure may be executed in a different order, and multiple operations may also be executed simultaneously.
In operation S301, a connection request for a target service to connect to a first edge node is acquired.
In operation S302, the connection request is authenticated.
In operation S303, it is determined whether authentication is successful. In case of authentication failure, performing operation S304; in case the authentication is successful, operation S305 is performed.
In operation S304, feedback information rejecting the request is transmitted to the client associated with the target service.
In operation S305, a first data path is established between the routing gateway and the first edge node.
In operation S306, the address of the data packet sent by the target service is modified to the target network address associated with the first edge node.
In operation S307, the data packet is transmitted to the first edge node through the first data channel.
According to embodiments of the present disclosure, the connection request may be included in a communication request of the target service; or after receiving the communication request of the target service, the routing gateway determines a first edge node associated with the target service according to the routing table and generates the connection request.
According to embodiments of the present disclosure, an edge node may actively discover a routing gateway and request access to it; the routing gateway can then encode the physical address of the edge node to obtain the identifier of the edge node, thereby completing the registration of the edge node, and record the identifier for use by the target service.
According to the embodiment of the disclosure, when the routing gateway has obtained verification authorization from the manufacturer of the edge node, the routing gateway can also verify the validity of the edge node device when it detects that an unregistered edge node requests access, and register the edge node after the verification passes.
According to embodiments of the present disclosure, the target service may use the identifier of the edge node as the authentication credential for communication between the routing gateway and the edge node.
According to the embodiment of the disclosure, the connection request for the first edge node can carry the identifier of the first edge node, and that identifier can be used as the credential for authenticating the connection request.
According to the embodiment of the disclosure, the routing gateway can maintain the identifiers of the edge nodes; after the customer registers the target service, the routing gateway may authorize the identifier of the first edge node for use by the target service, thereby providing the customer with the private-domain traffic service.
According to the embodiment of the disclosure, the operation of authenticating the connection request can also be used to enforce the time limit for the client's use of the target service: when the client's usage exceeds the expected time limit, the default authentication result can be set to authentication failure so as to restrict the client's use.
According to the embodiment of the disclosure, in the case of authentication failure, feedback information rejecting the connection request can be sent to the target service to prompt the client to renew the target service.
According to an embodiment of the present disclosure, the target network address may be the network address of the subnet to which the first edge node belongs.
According to the embodiment of the disclosure, the internet protocol address (IP address) of the first edge node associated with the target service may be determined through the routing table maintained in the routing gateway, and the IP address may be combined with a preset subnet mask by a logical AND operation to obtain the network address of the subnet.
Fig. 3B schematically illustrates a flow chart of a data packet processing method according to yet another embodiment of the present disclosure.
As shown in fig. 3B, the method further includes operations S308 to S314 on the basis of the methods of operations S301 to S307 in fig. 3A, wherein the methods of operations S301 to S307 and the methods of operations S308 to S314 may be asynchronously performed.
In operation S308, the operating state of the edge node is monitored.
In operation S309, it is determined whether the first edge node is abnormally operated; under the condition that the first edge node can work normally, continuing to execute the method of operation S308, and monitoring the working state; in case it is determined that the first edge node is abnormally operated, operation S310 is performed.
In operation S310, a second edge node is acquired.
In operation S311, a second data path between the second edge node and the routing gateway is established.
In operation S312, the address of the data packet sent by the target service is modified to the target network address associated with the second edge node.
In operation S313, the data packet is transmitted to the second edge node through the second data channel.
In operation S314, the association relationship of the target service and the second edge node is written in the routing table.
According to an embodiment of the present disclosure, the operating states of an edge node may include normal operation, shutdown, downtime and the like; every operating state other than normal operation may be identified as abnormal operation.
According to an embodiment of the present disclosure, the plurality of edge nodes connected to the routing gateway may be monitored by polling.
According to an embodiment of the present disclosure, the second edge node may be an edge node that is registered with the routing gateway and has not yet been assigned a proxy service.
According to an embodiment of the present disclosure, after the routing table has been modified, the identifier of the second edge node may be authorized for use by the target service, so that authentication in the next communication request is completed using the identifier of the second edge node.
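The failover procedure of operations S308 to S314, together with the re-authorization of the edge node identifier described in the preceding paragraph, as an added example in Python. This code is not part of the patent; it models the routing gateway in memory. Assumptions: edge node states are reported by a polling round into a dict, a data channel is represented by membership in a set, the preset subnet mask is /24, and the check that the spare node itself reports normal operation, as well as the teardown of the channel to the failed node, are added safeguards the text does not mention.

```python
import ipaddress
from enum import Enum
from typing import Dict, Optional, Set, Tuple


class NodeState(Enum):
    NORMAL = "normal"        # the only state treated as normal operation
    SHUTDOWN = "shutdown"
    DOWNTIME = "downtime"


class FailoverGateway:
    """In-memory model of the routing gateway for operations S308 to S314 (added example)."""

    def __init__(self, prefix_len: int = 24) -> None:
        self.prefix_len = prefix_len               # assumption: preset subnet mask is /24
        self.edge_nodes: Dict[str, str] = {}       # edge node identifier -> edge node IP
        self.states: Dict[str, NodeState] = {}     # last polled state per edge node
        self.channels: Set[str] = set()            # edge nodes with an established data channel
        self.routing_table: Dict[str, str] = {}    # target service -> edge node identifier
        self.authorized_ids: Dict[str, str] = {}   # target service -> identifier it may present

    def register_edge_node(self, node_id: str, ip: str) -> None:
        self.edge_nodes[node_id] = ip
        self.states[node_id] = NodeState.NORMAL

    def assign(self, service: str, node_id: str) -> None:
        """Initial association written to the routing table; the first data channel is established."""
        self.routing_table[service] = node_id
        self.channels.add(node_id)
        self.authorized_ids[service] = node_id

    def report_state(self, node_id: str, state: NodeState) -> None:
        """Outcome of one polling round for one node (S308)."""
        self.states[node_id] = state

    def abnormal_nodes(self) -> Set[str]:
        """S309: every state other than NORMAL counts as abnormal operation."""
        return {n for n, s in self.states.items() if s is not NodeState.NORMAL}

    def spare_node(self) -> Optional[str]:
        """S310: a registered edge node that has not been assigned a proxy service."""
        in_use = set(self.routing_table.values())
        for node_id in self.edge_nodes:
            # added safeguard: never fail over onto a node that is itself abnormal
            if node_id not in in_use and self.states[node_id] is NodeState.NORMAL:
                return node_id
        return None

    def network_address(self, node_id: str) -> str:
        """Target network address: edge node IP AND the preset subnet mask."""
        net = ipaddress.ip_network(f"{self.edge_nodes[node_id]}/{self.prefix_len}", strict=False)
        return str(net.network_address)

    def failover(self, service: str) -> Tuple[str, str]:
        """Run S309 to S314 for one service; returns (edge node in use, rewritten packet address).

        If the first edge node is still normal, the packet keeps the first node's network address.
        """
        first = self.routing_table[service]
        if first not in self.abnormal_nodes():
            return first, self.network_address(first)
        second = self.spare_node()
        if second is None:
            raise RuntimeError(f"no spare edge node available to replace {first}")
        self.channels.add(second)                  # S311: establish the second data channel
        new_src = self.network_address(second)     # S312: address the packet is rewritten to
        self.routing_table[service] = second       # S314: update the association
        self.authorized_ids[service] = second      # authorize the new identifier for the service
        self.channels.discard(first)               # added: drop the channel to the failed node
        return second, new_src


if __name__ == "__main__":
    gw = FailoverGateway()
    gw.register_edge_node("en-1", "172.16.1.3")   # constructed sample data
    gw.register_edge_node("en-2", "172.16.2.7")
    gw.assign("svc-10.0.0.100", "en-1")
    gw.report_state("en-1", NodeState.DOWNTIME)
    print(gw.failover("svc-10.0.0.100"))
```

The routing table is only rewritten after the second channel exists, so a packet handled between S311 and S314 is never directed at a node without a channel; the RuntimeError path is the case the flow chart leaves open, when no unassigned edge node remains.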
Fig. 4 schematically illustrates a packet processing flow according to an embodiment of the present disclosure.
As shown in Fig. 4, a cloud host 401 may provide proxy services 402 for multiple clients. After a client completes registration of a proxy service 402, the routing gateway 403 may assign an initial IP address to the proxy service, for example 10.0.0.100.
The edge node 404 may actively connect to the routing gateway 403; the edge node 404 has its own IP address, for example 172.16.1.3.
After the edge node 404 has been registered, the routing gateway 403 may communicate with it by establishing a data channel.
On receiving a data packet or message sent by the proxy service 402, the routing gateway 403 may modify the address 10.0.0.100 of the original packet or message, by NAT or another method, to the network address 172.16.1.1 corresponding to the edge node 404; the packet or message is sent to the edge node 404 through the data channel and is forwarded to the Internet 405 through the network outlet of the edge node 404.
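The Fig. 4 flow above, together with the computation of the target network address described earlier (edge node IP address AND preset subnet mask), as an added example in Python. This code is not part of the patent. Assumptions: the routing table and data channels are in-memory dicts, the address rewritten by NAT is the packet's source address, and the preset mask is 255.255.255.0. The patent does not state the mask; with a /24 mask the AND of 172.16.1.3 yields 172.16.1.0, whereas the figure labels the edge node's network address 172.16.1.1, so the exact mapping used in the figure is not recoverable from the text and the example follows the computation of claim 7.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

PRESET_SUBNET_MASK = "255.255.255.0"  # assumption: the patent does not state the mask


def target_network_address(edge_node_ip: str, mask: str = PRESET_SUBNET_MASK) -> str:
    """Bitwise AND of the edge node IP address and the preset subnet mask (claim 7)."""
    ip = int(ipaddress.IPv4Address(edge_node_ip))
    m = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(ip & m))


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes


class RoutingGateway:
    """Routing gateway 403 of Fig. 4, modelled in memory (added example)."""

    def __init__(self) -> None:
        self.next_service_ip = ipaddress.IPv4Address("10.0.0.100")  # first initial IP, as in Fig. 4
        self.routing_table: Dict[str, str] = {}       # proxy service IP -> edge node IP
        self.channels: Dict[str, List[Packet]] = {}   # edge node IP -> packets sent over its data channel

    def register_edge_node(self, edge_node_ip: str) -> None:
        """The edge node actively connects; registering it establishes its data channel."""
        self.channels[edge_node_ip] = []

    def register_proxy_service(self, edge_node_ip: str) -> str:
        """Assign an initial IP address to a newly registered proxy service and record its edge node."""
        if edge_node_ip not in self.channels:
            raise LookupError(f"edge node {edge_node_ip} has not registered with the gateway")
        service_ip = str(self.next_service_ip)
        self.next_service_ip += 1
        self.routing_table[service_ip] = edge_node_ip
        return service_ip

    def forward(self, pkt: Packet) -> Packet:
        """Look up the edge node, rewrite the source address (assumed SNAT) and push the packet onto the channel."""
        edge_node_ip = self.routing_table.get(pkt.src)
        if edge_node_ip is None:
            raise LookupError(f"no edge node associated with service {pkt.src}")
        translated = Packet(src=target_network_address(edge_node_ip), dst=pkt.dst, payload=pkt.payload)
        self.channels[edge_node_ip].append(translated)
        return translated


if __name__ == "__main__":
    gw = RoutingGateway()
    gw.register_edge_node("172.16.1.3")                 # constructed sample data from Fig. 4
    svc = gw.register_proxy_service("172.16.1.3")       # -> "10.0.0.100"
    out = gw.forward(Packet(src=svc, dst="203.0.113.9", payload=b"GET / HTTP/1.1\r\n"))
    print(svc, "->", out.src, "via", gw.routing_table[svc])
```

A packet whose source is not in the routing table is refused rather than forwarded over an arbitrary channel; that is the check a gateway in this position needs, since the routing table is the only thing tying a proxy service to its outlet.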
Fig. 5 schematically illustrates a block diagram of a packet processing device according to an embodiment of the disclosure.
As shown in Fig. 5, the packet processing device 500 includes an acquisition module 510, a determination module 520, an address translation module 530 and a sending module 540.
The acquisition module 510 is configured to acquire, in response to a communication request from a target service in the cloud host, a data packet carried in the communication request.
The determination module 520 is configured to determine a target network address of the first edge node associated with the target service based on a routing table maintained in a routing gateway to which the cloud host belongs.
The address translation module 530 is configured to modify the address of the data packet to the target network address by network address translation.
The sending module 540 is configured to send the data packet to the first edge node through the first data channel, so that the data packet is output to the Internet from the network outlet of the first edge node.
According to an embodiment of the present disclosure, the cloud host distributes its lines and accesses the Internet through a routing gateway, and the routing gateway establishes data channels with a plurality of edge nodes. When a communication request from a target service in the cloud host is received, the address of the data packet carried in the request can be translated and a first edge node connected to the routing gateway used as the network outlet for the packet. This at least partially solves the problem in the related art that, when one cloud host simultaneously provides a plurality of proxy services, the business party is easily mistaken for an attacker and the service becomes unstable; it allows private-domain traffic services to be provided for customized needs and improves the stability of the cloud host service.
According to an embodiment of the present disclosure, the communication request further carries a connection request for connecting to the first edge node.
According to an embodiment of the present disclosure, the apparatus 500 further comprises an authentication module, wherein the authentication module comprises a first authentication unit and a second authentication unit.
The first authentication unit is configured to authenticate the connection request.
The second authentication unit is configured to establish the first data channel between the first edge node and the routing gateway when authentication succeeds.
According to an embodiment of the present disclosure, the apparatus 500 further comprises a registration module, wherein the registration module comprises a first registration unit and a second registration unit.
The first registration unit is configured to acquire the physical address of an edge node when an unregistered edge node is detected requesting access to the routing gateway.
The second registration unit is configured to encode the physical address and generate an identifier of the edge node, completing registration of the edge node; the identifier of the edge node serves as the authentication credential for communication between the routing gateway and the edge node.
According to an embodiment of the present disclosure, the first authentication unit comprises a first authentication sub-unit and a second authentication sub-unit.
The first authentication sub-unit is configured to acquire the identifier of the first edge node carried in the connection request.
The second authentication sub-unit is configured to authenticate the connection request using the identifier of the first edge node as the credential.
According to an embodiment of the present disclosure, the authentication module further comprises a third authentication unit.
The third authentication unit is configured to send feedback information rejecting the communication request to the target service when authentication is unsuccessful.
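The registration and authentication units above (physical address encoded into an identifier, identifier used as the credential, channel established on success, rejection feedback on failure), as an added example in Python. This code is not part of the patent. Assumptions: the patent does not specify the encoding, so the six MAC bytes are rendered as a fixed-prefix lowercase hex string; the connection request and the feedback are plain dicts; the registry and the set of established channels are held in memory.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Set

# Assumption: 48-bit MAC written as six hex pairs separated by ':' or '-'.
_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")


def encode_identifier(physical_address: str) -> str:
    """Second registration unit: encode the physical (MAC) address into the edge node identifier.

    Assumed encoding (not from the patent): 'en-' followed by the 12 hex digits in lowercase,
    so the same hardware address always yields the same identifier regardless of input formatting.
    """
    if not _MAC_RE.match(physical_address):
        raise ValueError(f"not a 48-bit physical address: {physical_address!r}")
    return "en-" + re.sub(r"[:-]", "", physical_address).lower()


@dataclass
class AuthGateway:
    """Registration and authentication side of the routing gateway (added example)."""

    registry: Dict[str, str] = field(default_factory=dict)  # identifier -> edge node IP
    channels: Set[str] = field(default_factory=set)         # identifiers with an established first data channel

    def register(self, physical_address: str, edge_node_ip: str) -> str:
        """First and second registration units: an unregistered edge node requests access."""
        identifier = encode_identifier(physical_address)
        self.registry[identifier] = edge_node_ip
        return identifier

    def authenticate(self, identifier: str) -> bool:
        """Second authentication sub-unit: the identifier carried in the request is the credential."""
        return identifier in self.registry

    def handle_connection_request(self, request: Dict[str, str]) -> Dict[str, object]:
        """request = {'target_service': ..., 'edge_node_id': ...}; returns the feedback sent to the service."""
        service = request.get("target_service", "")
        identifier = request.get("edge_node_id", "")   # first authentication sub-unit
        if not self.authenticate(identifier):
            # third authentication unit: reject, and do not open a channel
            return {"target_service": service, "accepted": False,
                    "reason": "unknown edge node identifier"}
        self.channels.add(identifier)                   # second authentication unit: first data channel
        return {"target_service": service, "accepted": True,
                "edge_node_ip": self.registry[identifier]}


if __name__ == "__main__":
    gw = AuthGateway()
    ident = gw.register("AA:BB:CC:DD:EE:01", "172.16.1.3")   # constructed sample data
    print(gw.handle_connection_request({"target_service": "10.0.0.100", "edge_node_id": ident}))
    print(gw.handle_connection_request({"target_service": "10.0.0.100", "edge_node_id": "en-000000000000"}))
```

Because the identifier is derived only from a physical address, which is not a secret, it identifies the edge node but does not by itself prove anything about who presents it; the page describes no further secret, so confidentiality and integrity of the data channel itself have to come from the channel's own transport.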
According to an embodiment of the present disclosure, the apparatus 500 further comprises an exception handling module, wherein the exception handling module comprises a first exception handling unit, a second exception handling unit and a third exception handling unit.
The first exception handling unit is configured to acquire a second edge node connected to the routing gateway when it is detected that the first edge node is down, a second data channel being established between the second edge node and the routing gateway.
The second exception handling unit is configured to write the association between the target service and the second edge node into the routing table.
The third exception handling unit is configured to send the data packet to the second edge node through the second data channel.
According to an embodiment of the present disclosure, the determination module 520 comprises a first determination unit and a second determination unit.
The first determination unit is configured to determine the Internet Protocol address of the first edge node based on the routing table.
The second determination unit is configured to perform a bitwise AND of the Internet Protocol address of the first edge node and a preset subnet mask to obtain the target network address of the first edge node.
Any number of the modules, sub-modules, units or sub-units according to embodiments of the present disclosure, or at least some of their functionality, may be implemented in one module. Any one or more of the modules, sub-modules, units or sub-units according to embodiments of the present disclosure may be split into multiple modules. Any one or more of the modules, sub-modules, units or sub-units according to embodiments of the present disclosure may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system-on-chip, a system-on-substrate, a system-on-package or an Application Specific Integrated Circuit (ASIC), or in any other reasonable hardware or firmware manner of integrating or packaging the circuit, or in any one of software, hardware and firmware or a suitable combination of the three. Alternatively, one or more of the modules, sub-modules, units or sub-units according to embodiments of the present disclosure may be at least partially implemented as computer program modules which, when executed, perform the corresponding functions.
For example, any of the acquisition module 510, the determination module 520, the address translation module 530 and the sending module 540 may be combined in one module/unit/sub-unit, or any of them may be split into multiple modules/units/sub-units. Alternatively, at least some of the functionality of one or more of these modules/units/sub-units may be combined with at least some of the functionality of other modules/units/sub-units and implemented in one module/unit/sub-unit. According to embodiments of the present disclosure, at least one of the acquisition module 510, the determination module 520, the address translation module 530 and the sending module 540 may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system-on-chip, a system-on-substrate, a system-on-package or an Application Specific Integrated Circuit (ASIC), or in any other reasonable hardware or firmware manner of integrating or packaging the circuit, or in any one of software, hardware and firmware or a suitable combination of the three. Alternatively, at least one of the acquisition module 510, the determination module 520, the address translation module 530 and the sending module 540 may be at least partially implemented as a computer program module which, when executed, performs the corresponding functions.
It should be noted that, in the embodiment of the present disclosure, the data packet processing device portion corresponds to the data packet processing method portion in the embodiment of the present disclosure, and the description of the data packet processing device portion specifically refers to the data packet processing method portion and is not described herein again.
Fig. 6 schematically illustrates a block diagram of an electronic device adapted to implement a data packet processing method according to an embodiment of the disclosure. The electronic device shown in fig. 6 is merely an example and should not be construed to limit the functionality and scope of use of the disclosed embodiments.
As shown in Fig. 6, an electronic device 600 according to an embodiment of the present disclosure includes a processor 601 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 602 or a program loaded from a storage section 608 into a Random Access Memory (RAM) 603. The processor 601 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or an associated chipset and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), or the like. The processor 601 may also include on-board memory for caching purposes. The processor 601 may comprise a single processing unit or a plurality of processing units for performing different actions of the method flows according to embodiments of the present disclosure.
In the RAM 603, various programs and data necessary for the operation of the electronic apparatus 600 are stored. The processor 601, the ROM 602, and the RAM 603 are connected to each other through a bus 604. The processor 601 performs various operations of the method flow according to the embodiments of the present disclosure by executing programs in the ROM 602 and/or the RAM 603. Note that the program may be stored in one or more memories other than the ROM 602 and the RAM 603. The processor 601 may also perform various operations of the method flow according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the present disclosure, the electronic device 600 may also include an input/output (I/O) interface 605, which is also connected to the bus 604. The electronic device 600 may also include one or more of the following components connected to the I/O interface 605: an input section 606 including a keyboard, a mouse and the like; an output section 607 including a Cathode Ray Tube (CRT) or Liquid Crystal Display (LCD) and the like, a speaker and the like; a storage section 608 including a hard disk and the like; and a communication section 609 including a network interface card such as a LAN card, a modem or the like. The communication section 609 performs communication processing via a network such as the Internet. A drive 610 is also connected to the I/O interface 605 as needed. A removable medium 611, such as a magnetic disk, an optical disk, a magneto-optical disk or a semiconductor memory, is mounted on the drive 610 as needed so that a computer program read from it can be installed into the storage section 608 as needed.
According to embodiments of the present disclosure, the method flow according to embodiments of the present disclosure may be implemented as a computer software program. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable storage medium, the computer program comprising program code for performing the method shown in the flowcharts. In such an embodiment, the computer program may be downloaded and installed from a network through the communication portion 609, and/or installed from the removable medium 611. The above-described functions defined in the system of the embodiments of the present disclosure are performed when the computer program is executed by the processor 601. The systems, devices, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
The present disclosure also provides a computer-readable storage medium that may be embodied in the apparatus/device/system described in the above embodiments; or may exist alone without being assembled into the apparatus/device/system. The computer-readable storage medium carries one or more programs which, when executed, implement methods in accordance with embodiments of the present disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium. Examples may include, but are not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
For example, according to embodiments of the present disclosure, the computer-readable storage medium may include ROM 602 and/or RAM 603 and/or one or more memories other than ROM 602 and RAM 603 described above.
Embodiments of the present disclosure also include a computer program product comprising a computer program comprising program code for performing the methods provided by the embodiments of the present disclosure, the program code for causing an electronic device to implement the data packet processing methods provided by the embodiments of the present disclosure when the computer program product is run on the electronic device.
The above-described functions defined in the system/apparatus of the embodiments of the present disclosure are performed when the computer program is executed by the processor 601. The systems, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
In one embodiment, the computer program may be based on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted, distributed in the form of signals over a network medium, and downloaded and installed via the communication section 609, and/or installed from the removable medium 611. The computer program may include program code that may be transmitted using any appropriate network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
According to embodiments of the present disclosure, the program code of the computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages; in particular, such computer programs may be implemented in high-level procedural and/or object-oriented programming languages and/or assembly or machine languages. Programming languages include, but are not limited to, Java, C++, Python, C or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user's computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., via the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowcharts or block diagrams may represent a module, segment or portion of code which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in a block may occur out of the order noted in the figures. For example, two blocks shown in succession may in fact be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. Each block of the block diagrams or flowchart illustrations, and combinations of blocks in the block diagrams or flowchart illustrations, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or by combinations of special purpose hardware and computer instructions. Those skilled in the art will appreciate that the features recited in the various embodiments of the disclosure and/or in the claims may be combined and/or integrated in various ways, even if such combinations are not explicitly recited in the disclosure. In particular, the features recited in the various embodiments of the present disclosure and/or the claims may be combined and/or integrated in various ways without departing from the spirit and teachings of the present disclosure. All such combinations fall within the scope of the present disclosure.
The embodiments of the present disclosure are described above. These examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described above separately, this does not mean that the measures in the embodiments cannot be used advantageously in combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be made by those skilled in the art without departing from the scope of the disclosure, and such alternatives and modifications are intended to fall within the scope of the disclosure.

Claims (11)

1. A method of packet processing, comprising:
responding to a communication request from a target service in a cloud host, and acquiring a data packet carried in the communication request;
determining a target network address of a first edge node associated with the target service based on a routing table maintained in a routing gateway to which the cloud host belongs;
modifying the address of the data packet to the target network address by network address translation; and
sending the data packet to the first edge node through a first data channel, so that the data packet is output to the Internet from a network outlet of the first edge node based on the target network address of the first edge node.
2. The method of claim 1, wherein the communication request further carries a connection request for connecting to the first edge node;
the method further comprising:
authenticating the connection request; and
establishing the first data channel between the first edge node and the routing gateway when authentication succeeds.
3. The method of claim 2, further comprising:
when an unregistered edge node is detected requesting access to the routing gateway, acquiring a physical address of the edge node; and
encoding the physical address to generate an identifier of the edge node, so as to complete registration of the edge node;
wherein the identifier of the edge node is used as an authentication credential for communication between the routing gateway and the edge node.
4. The method of claim 3, wherein said authenticating the connection request comprises:
acquiring the identifier of the first edge node carried in the connection request; and
authenticating the connection request using the identifier of the first edge node as the credential.
5. The method of claim 2, further comprising:
when the authentication is unsuccessful, sending feedback information rejecting the communication request to the target service.
6. The method of claim 1, further comprising:
when it is monitored that the first edge node is down, acquiring a second edge node connected to the routing gateway, wherein a second data channel is established between the second edge node and the routing gateway;
writing the association between the target service and the second edge node into the routing table; and
sending the data packet to the second edge node through the second data channel.
7. The method of claim 1, wherein the determining the target network address of the first edge node associated with the target service based on a routing table maintained in a routing gateway to which the cloud host belongs comprises:
determining an Internet Protocol address of the first edge node based on the routing table; and
performing a bitwise AND operation on the Internet Protocol address of the first edge node and a preset subnet mask to obtain the target network address of the first edge node.
8. A data packet processing apparatus comprising:
an acquisition module configured to acquire, in response to a communication request from a target service in a cloud host, a data packet carried in the communication request;
a determination module configured to determine a target network address of a first edge node associated with the target service based on a routing table maintained in a routing gateway to which the cloud host belongs;
an address translation module configured to modify the address of the data packet to the target network address by network address translation; and
a sending module configured to send the data packet to the first edge node through a first data channel, so that the data packet is output to the Internet from a network outlet of the first edge node based on the target network address of the first edge node.
9. An electronic device, comprising:
one or more processors;
A memory for storing one or more instructions,
Wherein the one or more instructions, when executed by the one or more processors, cause the one or more processors to implement the method of any of claims 1 to 7.
10. A computer readable storage medium having stored thereon executable instructions which when executed by a processor cause the processor to implement the method of any of claims 1 to 7.
11. A computer program product comprising computer executable instructions for implementing the method of any one of claims 1 to 7 when executed.
CN202111218575.7A 2021-10-19 2021-10-19 Data packet processing method, device, electronic equipment and storage medium Active CN113890864B (en)

Publications (2)

Publication Number Publication Date
CN113890864A CN113890864A (en) 2022-01-04
CN113890864B true CN113890864B (en) 2024-06-14

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant