CN107483341B - Method and device for rapidly forwarding firewall-crossing messages - Google Patents
- Publication number
- CN107483341B
- Authority
- CN
- China
- Prior art keywords
- message
- tuple
- virtual
- virtual firewall
- forwarding
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L45/00—Routing or path finding of packets in data switching networks
- H04L45/54—Organization of routing tables
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L45/00—Routing or path finding of packets in data switching networks
- H04L45/74—Address processing for routing
- H04L45/745—Address table lookup; Address filtering
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The application provides a method for rapidly forwarding a cross-firewall message, which comprises the following steps: performing five-tuple parsing on the received message; acquiring a virtual firewall identifier according to a preset correspondence between the message input interface and the virtual firewall identifier; forming a six-tuple from the five-tuple parsing result and the virtual firewall identifier; searching for a forwarding table entry according to the six-tuple; and forwarding the message according to the search result. Compared with the prior art, the method adds support for forwarding across virtual firewalls to the original fast forwarding process, and the use of virtual firewalls simplifies networking and facilitates management.
Description
Technical Field
The present application relates to the field of computer communications, and in particular, to a method and an apparatus for fast forwarding a packet across firewalls.
Background
With the continuous development of network technologies, on one hand, the processing performance requirements on network devices such as firewalls, switches and the like are higher and higher, and on the other hand, various new applications and new services such as audio, video, cloud computing and the like are developed endlessly, so that the security protection service integrated by the network devices is more and more complex, and the forwarding performance of the whole machine is sharply reduced. In view of this, a concept of fast forwarding is proposed, that is, data stream features are recorded in a fast forwarding table, which aims to simplify and optimize a processing flow of a packet, so as to improve the forwarding performance of network equipment. The fast forwarding technology uses a five-tuple matching router forwarding table entry to realize message forwarding. The so-called five-tuple typically includes a source IP address, a destination IP address, a source port number, a destination port number, and a protocol type.
The prior technical scheme is that networking is realized by using a plurality of physical firewalls, and messages are quickly forwarded in the networking, wherein the prior quick forwarding process comprises the following steps: when a message is received, matching a router forwarding table item by analyzing a quintuple in the message; processing the message by using the information in the forwarding table entry of the router; and forwarding the message according to an output interface in the router forwarding table entry.
The defects of the prior art are that the networking realized by using the physical firewall is complicated, a plurality of network devices need to be configured, and more manpower, material resources and financial resources are consumed. And subsequent regular routine checks on the network devices are required to ensure the security of the physical firewall, and daily management is complicated.
Disclosure of Invention
In view of this, the present application provides a method and an apparatus for fast forwarding a packet across a firewall.
Specifically, the method is realized through the following technical scheme:
A method for rapidly forwarding a packet across firewalls, the method comprising:
performing five-tuple parsing on the received message;
acquiring a virtual firewall identifier according to a preset correspondence between the message input interface and the virtual firewall identifier;
forming a six-tuple from the five-tuple parsing result and the virtual firewall identifier;
searching for a forwarding table entry according to the six-tuple;
and forwarding the message according to the search result.
An apparatus for fast forwarding of packets across a firewall, the apparatus comprising:
a five-tuple parsing unit, configured to perform five-tuple parsing on a received packet;
an identifier acquisition unit, configured to acquire a virtual firewall identifier according to a preset correspondence between the message input interface and the virtual firewall identifier;
a six-tuple forming unit, configured to form a six-tuple from the five-tuple parsing result and the virtual firewall identifier;
a forwarding table entry searching unit, configured to search for a forwarding table entry according to the six-tuple;
and a message forwarding unit, configured to forward the message according to the search result.
The scheme matches forwarding table entries using a six-tuple: one element, the virtual firewall identifier, is added to the original five-tuple, and the virtual firewall identifier corresponds one-to-one with the message input interface. Compared with the prior art, the method adds support for forwarding across virtual firewalls to the original fast forwarding process, and the use of virtual firewalls simplifies networking and facilitates management.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required in the description of the embodiments will be briefly introduced below, and it is apparent that the drawings in the following description are only some embodiments described in the present invention, and other drawings can be obtained by those skilled in the art according to the drawings.
Fig. 1 is a flowchart illustrating an implementation of a method for fast forwarding a packet across a firewall according to an exemplary embodiment of the present application;
fig. 2 is a schematic structural diagram of a cross-firewall packet fast forwarding apparatus according to an exemplary embodiment of the present application.
Detailed Description
First, a method for quickly forwarding a packet across a firewall provided in an embodiment of the present invention is described, where the method includes the following steps:
performing five-tuple parsing on the received message;
acquiring a virtual firewall identifier according to a preset correspondence between the message input interface and the virtual firewall identifier;
forming a six-tuple from the five-tuple parsing result and the virtual firewall identifier;
searching for a forwarding table entry according to the six-tuple;
and forwarding the message according to the search result.
The five-tuple usually comprises a source IP address, a destination IP address, a source port number, a destination port number and a protocol type. The scheme adds one element, the virtual firewall identifier, to the original five-tuple; that is, the message is rapidly forwarded in the virtual firewall by matching forwarding table entries with a six-tuple. A virtual firewall is one of several logical firewalls into which a single firewall is divided; each virtual firewall system can be regarded as a completely independent firewall device and can have independent system resources, administrators, security policies, user authentication databases, and the like.
In the fast forwarding process, five-tuple parsing is performed on the received message. The virtual firewall identifier is acquired according to the one-to-one correspondence between the message input interface and the virtual firewall identifier; the message input interface may be a physical input interface or a virtual input interface. A six-tuple is then formed from the five-tuple parsing result and the virtual firewall identifier. A five-tuple parsing result may correspond one-to-one with a virtual firewall identifier to form a six-tuple; a five-tuple parsing result may correspond to a plurality of virtual firewall identifiers, forming several six-tuples; or the two situations may be combined, so that some five-tuple parsing results correspond one-to-one with a virtual firewall identifier while others correspond to a plurality of virtual firewall identifiers. A forwarding table entry is searched for according to the six-tuple, and the message is forwarded according to the information in the forwarding table entry found.
In order that those skilled in the art will better understand the technical solutions of the present invention, exemplary embodiments will be described herein in detail, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims. All other embodiments that can be derived from the embodiments of the present invention by a person of ordinary skill in the art are intended to fall within the scope of the present invention.
As shown in fig. 1, an implementation flowchart of a method for quickly forwarding a packet across firewalls according to the present invention specifically includes the following steps:
S101, performing five-tuple parsing on a received message;
The aforementioned five-tuple generally includes a source IP address, a destination IP address, a source port number, a destination port number, and a protocol type. For example, 192.168.1.1 10000 TCP 121.14.88.76 80 forms a five-tuple, meaning that the terminal with IP address 192.168.1.1 connects through port 10000, using the TCP protocol, to the terminal with IP address 121.14.88.76 and port 80. The five-tuple distinguishes different messages, and the message corresponding to a five-tuple is unique. Generally, a message carries information such as a source IP address, a destination IP address, a source port number, a destination port number, and a protocol type. Performing five-tuple parsing on a received message yields the five-tuple parsing result, which shows that the terminal at the source IP address connects through the source port, using a given protocol, to the terminal at the destination IP address and destination port. The received message information is shown in Table 1 below; the table listed here is merely exemplary.
Source IP address | Source port number | Destination IP address | Destination port number | Type of protocol |
---|---|---|---|---|
192.168.1.10 | 10000 | 121.17.88.76 | 80 | TCP |
192.168.1.10 | 53 | 121.17.88.80 | 69 | UDP |
TABLE 1
The five-tuple analysis is performed on the message information, and it can be known that the source IP addresses are 192.168.1.10 and 192.168.1.10, the source port numbers are 10000 and 53, the destination IP addresses are 121.17.88.76 and 121.17.88.80, the destination port numbers are 80 and 69, and the protocol types are TCP and UDP (user datagram protocol). Then, in one message, the terminal with the IP address of 192.168.1.10 is connected with the terminal with the IP address of 121.17.88.76 and the port of 80 through the port 10000 by using the TCP protocol; in the other message, the terminal with the IP address of 192.168.1.10 is connected with the terminal with the IP address of 121.17.88.80 and the port of 69 by using the UDP protocol through the port 53.
S102, acquiring a virtual firewall identifier according to a preset correspondence between the message input interface and the virtual firewall identifier;
A virtual firewall is one of several logical firewalls into which a single firewall is divided; each virtual firewall system can be regarded as a completely independent firewall device and can have independent system resources, administrators, security policies, a user authentication database, and the like. Here, each virtual firewall is labeled, meaning that each has its own unique identifier. The virtual firewall identifier is preset in one-to-one correspondence with the message input interface, that is, one message input interface corresponds to one virtual firewall identifier. Assuming that virtual interface 1_0 is the message input interface of virtual firewall 1, and since message input interfaces correspond one-to-one with virtual firewall identifiers, the identifier of virtual firewall 1, for example virtual firewall identifier 1_0, can be found from the message input interface virtual interface 1_0.
It should be particularly noted that firewalls are divided into physical firewalls and virtual firewalls, and correspondingly the message input interface may be a physical input interface or a virtual input interface. When the message input interface is a physical input interface, the method can be used to fast-forward the message across a physical firewall, in which case the fast forwarding process is performed only once. A physical input interface can also be used for fast forwarding across virtual firewalls; in that case only the first fast forwarding pass has a physical input interface as its message input interface. For example, if the message needs to be forwarded across a plurality of virtual firewalls in one device and is sent from virtual firewall 1 to virtual firewall 2, the message input interface of virtual firewall 1 is a physical input interface, through which the message is received, while the message input interface of virtual firewall 2 is a virtual input interface, through which the message is received. It follows that, in the fast forwarding flow across virtual firewalls, the message input interfaces of all fast forwarding passes other than the first are virtual input interfaces.
S103, forming a six-tuple from the five-tuple parsing result and the virtual firewall identifier;
According to the one-to-one correspondence between message input interfaces and virtual firewalls, a plurality of virtual firewall identifiers are obtained; assume here that the virtual firewall identifiers may be 1_0, 2_0, 3_0, 4_0, and so on. The five-tuple parsing result described above can be combined with an obtained virtual firewall identifier to form a six-tuple. There are three cases. In the first, each five-tuple parsing result forms a six-tuple with one virtual firewall identifier, that is, five-tuple parsing results correspond one-to-one with virtual firewall identifiers. In the second, each five-tuple parsing result forms several six-tuples with several virtual firewall identifiers: even though the five-tuple parsing results in these six-tuples are the same, the virtual firewall identifiers differ, and each six-tuple has a unique virtual firewall identifier, that is, one five-tuple parsing result corresponds to a plurality of virtual firewall identifiers. In the third, some five-tuple parsing results correspond one-to-one with virtual firewall identifiers to form six-tuples, while others form several six-tuples with several virtual firewall identifiers. The three cases are illustrated in turn below:
In the first case, each five-tuple parsing result corresponds one-to-one with a virtual firewall identifier. Using the five-tuple parsing results parsed from Table 1, the message five-tuple parsing result 192.168.1.10 10000 121.17.88.76 80 TCP and the virtual firewall identifier 1_0 form a six-tuple, and the message five-tuple parsing result 192.168.1.10 53 121.17.88.80 69 UDP and the virtual firewall identifier 2_0 form a six-tuple, as shown in Table 2 below; the table listed is only exemplary.
TABLE 2
In the second case, each five-tuple parsing result corresponds to a plurality of virtual firewall identifiers. Using the five-tuple parsing results parsed from Table 1, the message five-tuple parsing result 192.168.1.10 10000 121.17.88.76 80 TCP and the virtual firewall identifier 1_0 form a six-tuple, and the same five-tuple parsing result 192.168.1.10 10000 121.17.88.76 80 TCP and the virtual firewall identifier 3_0 also form a six-tuple, as shown in Table 3 below; the table listed is only exemplary.
TABLE 3
In the third case, some five-tuple parsing results correspond one-to-one with virtual firewall identifiers to form six-tuples, while other five-tuple parsing results form several six-tuples with several virtual firewall identifiers. The message five-tuple parsing result 192.168.1.10 10000 121.17.88.76 80 TCP and the virtual firewall identifier 1_0 form a six-tuple, the same five-tuple parsing result 192.168.1.10 10000 121.17.88.76 80 TCP also forms a six-tuple with the virtual firewall identifier 3_0, and the message five-tuple parsing result 192.168.1.1523121.17.88.1080 TCP and the virtual firewall identifier 2_0 form a six-tuple, as shown in Table 4 below, which is only exemplary.
TABLE 4
S104, searching for a forwarding table entry according to the six-tuple;
After the six-tuple is formed from the five-tuple parsing result and the virtual firewall identifier, a forwarding table entry is searched for according to the six-tuple. When the information contained in a forwarding table entry is consistent with the information of the six-tuple, that entry is the forwarding table entry required for forwarding the message. A message fast forwarding table is established in advance and stored in the firewall device. Assume that the fast forwarding table pre-stored in the firewall device is as shown in Table 5 below; the omitted part of the table is other information, which is not shown item by item here.
TABLE 5
For example, the five-tuple parsing result is 192.168.1.1523121.17.88.1080 and the virtual firewall identifier is 2_0. According to the six-tuple 192.168.1.1523121.17.88.1080 2_0 composed of the five-tuple parsing result and the virtual firewall identifier, the forwarding table entry is searched for in the fast forwarding table. The search may first filter by virtual firewall identifier and then by destination IP address, or it may search by the source IP address, source port number, destination IP address, destination port number, protocol type, and virtual firewall identifier of the six-tuple in a preset order, that is, according to priority; the search method is not limited to these and is not described further here, and the third forwarding table entry in the fast forwarding table.
S105, forwarding the message according to the search result.
The forwarding table entry found according to the six-tuple contains message output interface information, and the message is fast-forwarded through that message output interface.
The aforementioned message input interface may be a physical input interface or a virtual input interface, and correspondingly the message output interface may be a physical output interface or a virtual output interface. A physical output interface forwards the message directly; for a virtual output interface, the virtual interface relation table is searched to obtain the next virtual input interface, and the message re-enters the fast forwarding flow through it. Assume there is a pair of virtual interfaces between virtual firewall 1 and virtual firewall 2: virtuallif1_1 is a virtual output interface of virtual firewall 1, and virtuallif2_0 is a virtual input interface of virtual firewall 2. If the output interface during forwarding is a virtual output interface, the virtual interface connection relation table is searched to find that the virtual output interface virtuallif1_1 of virtual firewall 1 corresponds to the virtual input interface virtuallif2_0 of virtual firewall 2. virtuallif2_0 is then used as the new message input interface to re-enter the fast forwarding flow: the virtual firewall identifier of virtual firewall 2 is obtained from the new message input interface, and a forwarding table entry is searched for according to the new six-tuple for forwarding.
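The S101 to S105 flow with virtual-interface re-entry, as an added example that is not code from the patent. Integer virtual firewall identifiers, the interface names (eth0, vif1_1 and so on), the linear table scan and the MAX_PASSES re-entry bound are assumptions made for illustration; the two flows reuse the rows of Table 1.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PASSES 4 /* assumption: bound on re-entries; the patent sets none */
#define N(a) (sizeof(a) / sizeof((a)[0]))
#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                        ((uint32_t)(c) << 8) | (uint32_t)(d))
enum verdict { FWD_OK = 0, FWD_MISS = -1, FWD_BAD_IF = -2, FWD_LOOP = -3 };

struct five_tuple {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint8_t proto; /* 6 = TCP, 17 = UDP */
};
struct in_if_map { const char *in_if; int vfw_id; };     /* S102 mapping */
struct vlink { const char *out_if; const char *in_if; }; /* virtual interface pairs */
struct fast_entry { struct five_tuple ft; int vfw_id; const char *out_if; };

/* Constructed sample data; the flows reuse the two rows of Table 1. */
#define FLOW_TCP { IP(192, 168, 1, 10), IP(121, 17, 88, 76), 10000, 80, 6 }
#define FLOW_UDP { IP(192, 168, 1, 10), IP(121, 17, 88, 80), 53, 69, 17 }

static const struct in_if_map in_ifs[] = {
    { "eth0", 1 }, { "vif1_0", 1 }, { "vif2_0", 2 }, { "eth2", 3 },
};
static const struct vlink vlinks[] = {
    { "vif1_1", "vif2_0" }, /* virtual firewall 1 -> virtual firewall 2 */
    { "vif2_1", "vif1_0" }, /* virtual firewall 2 -> virtual firewall 1 */
};
static const struct fast_entry fast_table[] = {
    { FLOW_TCP, 1, "vif1_1" }, /* firewall 1 hands the flow to firewall 2 */
    { FLOW_TCP, 2, "eth1" },   /* firewall 2 sends it out a physical port */
    { FLOW_UDP, 1, "vif1_1" },
    { FLOW_UDP, 2, "vif2_1" }, /* constructed misconfiguration: back to firewall 1 */
};

/* S102: ingress interface -> virtual firewall identifier, -1 if unmapped. */
static int vfw_of(const char *in_if) {
    for (size_t i = 0; i < N(in_ifs); i++)
        if (strcmp(in_ifs[i].in_if, in_if) == 0)
            return in_ifs[i].vfw_id;
    return -1;
}

/* S103 + S104: the key is the five-tuple AND the virtual firewall id. */
static const struct fast_entry *lookup(const struct five_tuple *ft, int vfw_id) {
    for (size_t i = 0; i < N(fast_table); i++) {
        const struct fast_entry *e = &fast_table[i];
        if (e->vfw_id == vfw_id && e->ft.src_ip == ft->src_ip &&
            e->ft.dst_ip == ft->dst_ip && e->ft.src_port == ft->src_port &&
            e->ft.dst_port == ft->dst_port && e->ft.proto == ft->proto)
            return e;
    }
    return NULL;
}

/* Paired virtual in-interface of a virtual out-interface, NULL if physical. */
static const char *peer_of(const char *out_if) {
    for (size_t i = 0; i < N(vlinks); i++)
        if (strcmp(vlinks[i].out_if, out_if) == 0)
            return vlinks[i].in_if;
    return NULL;
}

/* S101-S105 with re-entry. On FWD_OK *egress is the physical out-interface and
 * *passes counts fast-table hits; any other verdict means no fast forwarding. */
int fast_forward(const char *in_if, const struct five_tuple *ft,
                 const char **egress, int *passes) {
    *egress = NULL;
    *passes = 0;
    for (int i = 0; i < MAX_PASSES; i++) {
        int vfw_id = vfw_of(in_if);
        if (vfw_id < 0) return FWD_BAD_IF;
        const struct fast_entry *e = lookup(ft, vfw_id);
        if (e == NULL) return FWD_MISS;
        (*passes)++;
        const char *next_in = peer_of(e->out_if);
        if (next_in == NULL) {
            *egress = e->out_if;
            return FWD_OK;
        }
        in_if = next_in; /* re-enter through the paired virtual in-interface */
    }
    return FWD_LOOP;
}

int main(void) {
    struct five_tuple tcp = FLOW_TCP;
    const char *egress;
    int passes;
    int v = fast_forward("eth0", &tcp, &egress, &passes);
    printf("verdict=%d egress=%s passes=%d\n", v, egress ? egress : "-", passes);
    return 0;
}
```

Because the virtual firewall identifier is part of the key, the Table 1 TCP flow arriving on eth2 (virtual firewall 3) misses even though its five-tuple matches entries installed for virtual firewalls 1 and 2.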
Those of ordinary skill in the art will understand that: all or part of the steps for realizing the method embodiments can be completed by hardware related to program instructions, the program can be stored in a computer readable storage medium, and the program executes the steps comprising the method embodiments when executed; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
Corresponding to the foregoing embodiment of the method for quickly forwarding a firewall-crossing message, the present application further provides an embodiment of a device for quickly forwarding a firewall-crossing message, which, as shown in fig. 2, includes a five-tuple parsing unit 210, an identifier obtaining unit 220, a six-tuple forming unit 230, a forwarding table entry searching unit 240, and a message forwarding unit 250.
The five-tuple parsing unit 210 is configured to perform five-tuple parsing on the received packet, and send the five-tuple parsing result to the six-tuple forming unit 230;
an identifier obtaining unit 220, configured to obtain a virtual firewall identifier according to a preset correspondence between the packet input interface and the virtual firewall identifier, and send the obtained virtual firewall identifier to the six-tuple forming unit 230;
a six-tuple forming unit 230, configured to form a six-tuple from the five-tuple parsing result and the virtual firewall identifier, and send the formed six-tuple to the forwarding table entry searching unit 240;
a forwarding table entry searching unit 240, configured to search for a forwarding table entry according to the six-tuple, and send the forwarding table entry found to the message forwarding unit 250;
a message forwarding unit 250, configured to forward the message according to the search result.
The implementation process of the functions of each unit in the system is specifically described in the implementation process of the corresponding step in the method, and is not described herein again.
For the system embodiment, since it basically corresponds to the method embodiment, reference may be made to the partial description of the method embodiment for relevant points. The above-described system embodiments are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the application. One of ordinary skill in the art can understand and implement it without inventive effort.
The invention may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The invention may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
The foregoing is directed to embodiments of the present invention, and it is understood that various modifications and improvements can be made by those skilled in the art without departing from the spirit of the invention.
Claims (6)
1. A method for fast forwarding a packet across firewalls is characterized in that the method comprises the following steps:
performing five-tuple parsing on the received message;
acquiring a virtual firewall identifier according to a preset correspondence between a message input interface and the virtual firewall identifier, wherein the message input interface comprises a message virtual input interface of the virtual firewall;
forming a six-tuple from the five-tuple parsing result and the virtual firewall identifier;
searching a preset fast forwarding table for a forwarding table entry containing information consistent with the six-tuple, wherein the forwarding table entry contains message virtual output interface information;
and forwarding the message according to the message virtual output interface in the search result.
2. The method according to claim 1, wherein the obtaining of the firewall identifier according to the correspondence between the preset message input interface and the virtual firewall identifier comprises:
and acquiring the virtual firewall identification according to the one-to-one correspondence relationship between the message input interface and the virtual firewall identification.
3. The method according to claim 1, wherein the forming the five-tuple parsing result and the virtual firewall identifier into a six-tuple comprises:
the five-tuple analysis result corresponds to the virtual firewall identification one by one to form a six-tuple;
and/or
And the five-tuple analysis result corresponds to a plurality of virtual firewall identifications to form a six-tuple.
4. A device for fast forwarding packets across firewalls, the device comprising:
a quintuple parsing unit, configured to perform quintuple parsing on a received packet;
the identification obtaining unit is used for obtaining a virtual firewall identification according to a preset corresponding relation between a message input interface and a virtual firewall identification, wherein the message input interface comprises a message virtual input interface of a virtual firewall;
the six-tuple forming unit is used for forming a six-tuple by the five-tuple analysis result and the virtual firewall identifier;
a forwarding table entry searching unit, configured to search a preset fast forwarding table for a forwarding table entry that includes information consistent with the six-tuple, where the forwarding table entry includes information of a virtual output interface of the packet;
and the message forwarding unit is used for forwarding the message according to the virtual message output interface in the search result.
5. The apparatus according to claim 4, wherein the identifier obtaining unit is specifically configured to:
and acquiring the virtual firewall identification according to the one-to-one correspondence relationship between the message input interface and the virtual firewall identification.
6. The apparatus of claim 4, wherein the six-tuple forming unit is specifically configured to:
the five-tuple analysis result is in one-to-one correspondence with the virtual firewall identification to form a six-tuple;
and/or
And corresponding the five-tuple analysis result to a plurality of virtual firewall identifications to form a six-tuple.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710755205.4A CN107483341B (en) | 2017-08-29 | 2017-08-29 | Method and device for rapidly forwarding firewall-crossing messages |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107483341A (en) | 2017-12-15 |
CN107483341B (en) | 2020-10-02 |
Family
ID=60602785
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710755205.4A Active CN107483341B (en) | 2017-08-29 | 2017-08-29 | Method and device for rapidly forwarding firewall-crossing messages |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107483341B (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110311866B (en) * | 2019-06-28 | 2021-11-02 | 杭州迪普科技股份有限公司 | Method and device for rapidly forwarding message |
CN111132170A (en) * | 2019-12-31 | 2020-05-08 | 奇安信科技集团股份有限公司 | Communication method and device of virtual firewall, virtual firewall and topological structure |
CN112511439B (en) * | 2020-11-25 | 2023-03-14 | 杭州迪普科技股份有限公司 | Data forwarding method, device, equipment and computer readable storage medium |
CN112866245B (en) * | 2021-01-18 | 2022-09-09 | 中国工商银行股份有限公司 | Message routing method and device |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105577628A (en) * | 2014-11-11 | 2016-05-11 | ZTE Corporation | Method and device for realizing virtual firewall |
CN105939356A (en) * | 2016-06-13 | 2016-09-14 | Beijing NetentSec Technology Co., Ltd. | Virtual firewall dividing method and device |
CN105939274A (en) * | 2016-05-17 | 2016-09-14 | Hangzhou DPtech Technologies Co., Ltd. | Message forwarding method and apparatus |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN100426794C (en) * | 2005-10-11 | 2008-10-15 | Huawei Technologies Co., Ltd. | Method for processing data stream between different fire-proof walls |
US8127347B2 (en) * | 2006-12-29 | 2012-02-28 | 02Micro International Limited | Virtual firewall |
CN101478533B (en) * | 2008-11-29 | 2012-05-23 | Chengdu Huawei Symantec Technologies Co., Ltd. | Method and system for transmitting and receiving data across virtual firewall |
CN101834783B (en) * | 2010-03-29 | 2012-01-25 | Beijing Star-Net Ruijie Networks Co., Ltd. | Method and device for forwarding messages and network equipment |
US8904511B1 (en) * | 2010-08-23 | 2014-12-02 | Amazon Technologies, Inc. | Virtual firewalls for multi-tenant distributed services |
- 2017-08-29: CN201710755205.4A (CN), patent CN107483341B, Active
Also Published As
Publication number | Publication date |
---|---|
CN107483341A (en) | 2017-12-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107483341B (en) | Method and device for rapidly forwarding firewall-crossing messages | |
US10069764B2 (en) | Ruled-based network traffic interception and distribution scheme | |
US20190238410A1 (en) | Verifying network intents | |
CA2947325C (en) | Protocol type identification method and apparatus | |
CN105591973B (en) | Application identification method and device | |
CN106921578B (en) | Method and device for generating forwarding table item | |
US20140365634A1 (en) | Programmable Network Analytics Processing via an Inspect/Apply-Action Applied to Physical and Virtual Entities | |
US11743206B2 (en) | Systems and methods for intelligent application grouping | |
CN111953552B (en) | Data flow classification method and message forwarding equipment | |
CN106878181A (en) | A kind of message transmitting method and device | |
CN103475746A (en) | Terminal service method and apparatus | |
CN105939324A (en) | Message forwarding method and device | |
Kulkarni et al. | Neo-NSH: Towards scalable and efficient dynamic service function chaining of elastic network functions | |
CN104994016A (en) | Method and apparatus for packet classification | |
CN103441927A (en) | Message processing method and device | |
CN113746654A (en) | IPv6 address management and flow analysis method and device | |
CN105743687B (en) | Method and device for judging node fault | |
CN109474713B (en) | Message forwarding method and device | |
CN111131041B (en) | VPN flow obtaining method and device based on NetFlow and BGP | |
CN109510821B (en) | Message processing method and device | |
CN105207904A (en) | Message processing method, device and router | |
WO2022237879A1 (en) | Routing obtaining method and apparatus, storage medium, and electronic apparatus | |
CN110035010A (en) | The matching process and relevant apparatus of matching domain | |
CN115514579B (en) | Method and system for realizing service identification based on IPv6 address mapping flow label | |
CN102763376B (en) | Method and system for common group action filtering in telecom network environments |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||