
CN111181985B - Data transmission method, data transmission system, firewall device and storage medium - Google Patents


Info

Publication number
CN111181985B
Authority
CN
China
Prior art keywords
firewall
data packet
response data
packet
response
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201911425660.3A
Other languages
Chinese (zh)
Other versions
CN111181985A (en)
Inventor
张再超
孙宝良
李红光
吴亚东
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Secworld Information Technology Beijing Co Ltd
Qax Technology Group Inc
Original Assignee
Secworld Information Technology Beijing Co Ltd
Qax Technology Group Inc
Priority to CN201911425660.3A
Publication of CN111181985A
Application granted
Publication of CN111181985B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present disclosure provides a data transmission method applied to a first firewall, the method comprising: in the case where a request data packet from a client is sent to a server through a second firewall, receiving a response data packet from the server, where the first firewall is a backup firewall of the second firewall; parsing the response data packet to obtain parsed data; looking up, according to the parsed data, whether session data matching the response data packet exists, so as to determine whether to send the response data packet to the second firewall; and, in the case where no session data matching the response data packet exists, sending the response data packet to the second firewall so that the response data packet is processed by the second firewall. The present disclosure also provides a data transmission method applied to the second firewall, a data transmission system, a firewall device, a readable storage medium and a computer program product.

Description

Data transmission method, data transmission system, firewall device and storage medium

Technical field

The present disclosure relates to the field of computer technology and, more specifically, to a data transmission method, a data transmission system, a firewall device, a readable storage medium and a computer program product.

Background

When multiple firewall devices (hereinafter "firewalls") are deployed, customer networks are complex and commonly impose special requirements, for example: the existing network topology must not change; the firewall deployment must not require the purchase of other network devices; the firewalls must work independently and back each other up; and path redundancy under an asymmetric routing structure must be supported.

Current mainstream vendor firewalls, based on link-level multiple redundancy, can be deployed flexibly in a variety of environments. Depending on the customer's network, they can be deployed in an active/standby or active/active structure with a square (口-shaped) or full-mesh topology, and they support session synchronization when multiple firewalls work independently. To support session synchronization among multiple firewalls, the firewalls must transmit the session data each of them creates to the others and then forward data packets on the basis of that session data.

In the course of implementing the concept of the present disclosure, the inventors found at least the following problem in the related art: if a firewall receives a packet returned by the server while it holds no session data, a packet that should have been forwarded to the client may be dropped, so the client has to re-initiate connection establishment, which reduces data transmission efficiency.

Summary of the invention

In view of this, the present disclosure provides a data transmission method, a data transmission system and a firewall device.

One aspect of the present disclosure provides a data transmission method applied to a first firewall, the method comprising: in the case where a request packet from a client is sent to a server through a second firewall, receiving a response packet from the server, the first firewall being a backup firewall of the second firewall; parsing the response packet to obtain parsed data; looking up, according to the parsed data, whether session data matching the response packet exists, so as to determine whether to send the response packet to the second firewall; and, in the case where no session data matching the response packet exists, sending the response packet to the second firewall so that the response packet is processed by the second firewall.

According to an embodiment of the present disclosure, the method further comprises: in the case where no session data matching the response packet exists, before sending the response packet to the second firewall, determining the protocol type of the response packet; judging whether a forwarding policy is configured for the protocol type of the response packet; and, in the case where a forwarding policy is configured for the protocol type of the response packet, sending the response packet to the second firewall.

According to an embodiment of the present disclosure, the method further comprises: in the case where no forwarding policy is configured for the protocol type of the response packet, performing a check operation on the response packet; in the case where the response packet passes the check, creating a session corresponding to the response packet and sending the response packet to the client; and, in the case where the response packet fails the check, dropping the response packet.

According to an embodiment of the present disclosure, the method further comprises: in the case where session data matching the response packet exists, sending the response packet to the client.

According to an embodiment of the present disclosure, processing the response packet by the second firewall comprises: judging whether session data matching the response packet exists in the second firewall; and, in the case where no session data matching the response packet exists in the second firewall, dropping the response packet.

According to an embodiment of the present disclosure, the method further comprises: in the case where session data matching the response packet exists in the second firewall, sending the response packet to the client; and sending the session data to the first firewall so that the first firewall saves the session data.

Another aspect of the present disclosure provides a data transmission method applied to a second firewall, the method comprising: sending a request packet from a client to a server; and receiving a response packet from a first firewall and processing the response packet. The first firewall is a backup firewall of the second firewall, and the response packet is sent after the first firewall performs the following operations: receiving the response packet from the server; parsing the response packet to obtain parsed data; looking up, according to the parsed data, whether session data matching the response packet exists, so as to determine whether to send the response packet to the second firewall; and, upon finding according to the parsed data that no session data matching the response packet exists, sending the response packet to the second firewall.

According to an embodiment of the present disclosure, processing the response packet comprises: judging whether session data matching the response packet exists in the second firewall; in the case where no session data matching the response packet exists in the second firewall, dropping the response packet; in the case where session data matching the response packet exists in the second firewall, sending the response packet to the client; and sending the session data to the first firewall so that the first firewall saves the session data.

Another aspect of the present disclosure provides a data transmission system comprising a first firewall and a second firewall, the first firewall being a backup firewall of the second firewall, wherein:

the first firewall is configured to: in the case where a request packet from a client is sent to a server through the second firewall, receive a response packet from the server; parse the response packet to obtain parsed data; look up, according to the parsed data, whether session data matching the response packet exists, so as to determine whether to send the response packet to the second firewall; and, in the case where no session data matching the response packet exists, send the response packet to the second firewall;

the second firewall is configured to: send the request packet from the client to the server; receive the response packet from the first firewall; and process the response packet.

Another aspect of the present disclosure provides a firewall device comprising: one or more processors; and a memory for storing one or more programs, wherein, when the one or more programs are executed by the one or more processors, the one or more processors are caused to implement the method described above.

Another aspect of the present disclosure provides a readable storage medium storing computer-executable instructions which, when executed, implement the method described above.

Another aspect of the present disclosure provides a computer program product comprising executable instructions which, when executed by a processor, cause the processor to implement the method described above.

According to an embodiment of the present disclosure, when the first firewall receives a response packet from the server, it parses the response packet, looks up according to the parsed data whether session data matching the response packet exists and, if no matching session data exists, sends the response packet to the second firewall so that the second firewall processes it. Because the second firewall can decide whether to forward the response packet to the client on the basis of the session data it created itself, this at least partly overcomes the technical problem that, if the first firewall receives a packet returned by the server while holding no session, a packet that should have been forwarded to the client may be dropped and the client has to re-initiate connection establishment; the technical effect is improved data transmission efficiency.

Brief description of the drawings

The above and other objects, features and advantages of the present disclosure will become clearer from the following description of embodiments of the present disclosure with reference to the accompanying drawings, in which:

FIG. 1 schematically shows an exemplary system architecture to which the data transmission method and data transmission system according to an embodiment of the present disclosure can be applied;

FIG. 2 schematically shows an exemplary system architecture to which the data transmission method and data transmission system according to another embodiment of the present disclosure can be applied;

FIG. 3 schematically shows a flowchart of a data transmission method applied to a first firewall according to an embodiment of the present disclosure;

FIG. 4 schematically shows a flowchart of a data transmission method applied to a first firewall according to another embodiment of the present disclosure;

FIG. 5 schematically shows a flowchart of a data transmission method applied to a first firewall according to another embodiment of the present disclosure;

FIG. 6 schematically shows a flowchart of a data transmission method applied to a data transmission system according to another embodiment of the present disclosure;

FIG. 7 schematically shows a block diagram of a data transmission apparatus applied to a first firewall according to an embodiment of the present disclosure;

FIG. 8 schematically shows a block diagram of a data transmission apparatus applied to a second firewall according to an embodiment of the present disclosure; and

FIG. 9 schematically shows a block diagram of a firewall device suitable for implementing the data transmission method described above according to an embodiment of the present disclosure.

Detailed description

Embodiments of the present disclosure are described below with reference to the drawings. It should be understood, however, that these descriptions are merely exemplary and are not intended to limit the scope of the present disclosure. In the following detailed description, numerous specific details are set forth for purposes of explanation in order to provide a thorough understanding of the embodiments of the present disclosure. It will be evident, however, that one or more embodiments may be practiced without these specific details. In addition, descriptions of well-known structures and techniques are omitted from the following description to avoid unnecessarily obscuring the concepts of the present disclosure.

The terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the present disclosure. The terms "comprise", "include" and the like, as used herein, indicate the presence of the stated features, steps, operations and/or components but do not exclude the presence or addition of one or more other features, steps, operations or components.

All terms (including technical and scientific terms) used herein have the meanings commonly understood by those skilled in the art, unless otherwise defined. It should be noted that the terms used herein are to be interpreted as having a meaning consistent with the context of this specification and not in an idealized or overly rigid sense.

Where an expression such as "at least one of A, B and C, etc." is used, it should generally be interpreted in the sense in which those skilled in the art would normally understand it (for example, "a system having at least one of A, B and C" includes, but is not limited to, a system having A alone, B alone, C alone, A and B, A and C, B and C, and/or A, B and C, etc.). Where an expression such as "at least one of A, B or C, etc." is used, it should likewise be interpreted in the sense in which those skilled in the art would normally understand it (for example, "a system having at least one of A, B or C" includes, but is not limited to, a system having A alone, B alone, C alone, A and B, A and C, B and C, and/or A, B and C, etc.).

FIG. 1 schematically shows an exemplary system architecture to which the data transmission method and data transmission system according to an embodiment of the present disclosure can be applied.

As shown in FIG. 1, the data transmission system 100 comprises a first firewall 101 and a second firewall 102, where the first firewall 101 is a backup firewall of the second firewall 102.

According to an embodiment of the present disclosure, the data transmission system 100 may belong to an asymmetric routing network whose routing policy is as follows: the second firewall 102 receives the request packet Syn(req) from the client 104, and the request packet Syn(req) from the client 104 is sent to the server 103 through the second firewall 102, while the response packet Syn(req, Ack) sent by the server 103 may be returned to the client 104 through the first firewall 101. This routing policy is referred to for short as different-path return.

In terms of data transmission, for packets flowing through the second firewall 102, the second firewall 102 establishes a session (Session) according to policy and matches subsequent packets against that session; if they match, the packets are fast-forwarded. If a packet returned by the server 103 flows through the first firewall 101, the first firewall 101 likewise needs to perform session matching on the returned packet.

According to an embodiment of the present disclosure, to ensure that packets returned over a different path are not discarded by the first firewall 101, the first firewall 101 and the second firewall 102, which back each other up, can be connected by a heartbeat line, and the second firewall 102 can synchronize its session data (Session sync) to the first firewall 101 in real time, so that the same session also exists on the first firewall 101 and the response packet matches normally. When the session exists, the packet can be fast-forwarded: state checks, security policy checks and similar operations are no longer performed, and the response packet is forwarded normally.

However, if the first firewall 101 receives a packet while it has no session, it performs state checks, security policy checks and similar operations according to its configuration. If the checks pass, it creates a new session and forwards the packet; if the checks fail, the packet may be dropped directly, and the firewall cannot subsequently establish a new session for the response packet.

In the course of implementing the present disclosure, the inventors found that, when the second firewall 102 synchronizes session data (Session sync) to the first firewall 101, the session data may arrive only after the first firewall 101 has received the response packet, so the response packet may fail the state check, security policy check or other operations, and the first packet or the first few packets are discarded by the first firewall 101.

In addition, if the UDP protocol is used to transmit the synchronized session data, there is no guarantee that the peer firewall receives it, and if the session data is not received the session synchronization packet is not retransmitted; that is, the session synchronization packet may be lost, in which case the response packet may fail the other checks and be discarded by the firewall indefinitely. This seriously reduces the success rate of network connections in an asymmetric network environment, especially for TCP connections: since TCP connections generally account for more than 90% of network usage, normal use of the network is affected.

Through an embodiment of the present disclosure, in the case where a request packet from the client 104 is sent to the server 103 through the second firewall 102, the first firewall 101 receives the response packet from the server 103, parses the response packet to obtain parsed data, and looks up according to the parsed data whether session data matching the response packet exists, so as to determine whether to send the response packet to the second firewall 102; if no session data matching the response packet exists, the first firewall 101 sends the response packet to the second firewall 102. The second firewall 102 receives the response packet from the first firewall 101 and processes it.

Because the second firewall can decide whether to forward the response packet to the client on the basis of the session data it created itself, this at least partly overcomes the technical problem that, if the first firewall receives a packet returned by the server while holding no session, a packet that should have been forwarded to the client may be dropped and the client has to re-initiate connection establishment; the technical effect is improved data transmission efficiency.

In the present disclosure, the first firewall 101 sends the response packet to the second firewall 102, which effectively raises the success rate of TCP connection establishment, ensures the stability of the asymmetric network and effectively improves the user experience.

The present disclosure proposes a method by which a firewall in an asymmetric network environment specially handles return packets arriving over a different path, achieving zero loss of such return packets by the firewall in an asymmetric network. It solves the problem of the firewall discarding return packets and improves the reliability of the firewall.

According to an embodiment of the present disclosure, a router 105 may be included between the server 103 and the first firewall 101 and second firewall 102, for implementing data transmission between the server 103 and the first firewall 101 and second firewall 102.

According to an embodiment of the present disclosure, a router 106 may be included between the client 104 and the first firewall 101 and second firewall 102, for implementing data transmission between the client 104 and the first firewall 101 and second firewall 102.

It should be noted that FIG. 1 is merely an example of a system architecture to which embodiments of the present disclosure can be applied, intended to help those skilled in the art understand the technical content of the present disclosure; it does not mean that embodiments of the present disclosure cannot be used in other devices, systems, environments or scenarios.

For example, FIG. 2 schematically shows an exemplary system architecture to which the data transmission method and data transmission system according to another embodiment of the present disclosure can be applied.

As shown in FIG. 2, the local area network (LAN) may include one or more clients, which can send request packets. These are routed and forwarded via router 201 or router 202 and pass through firewall 203 or firewall 204 in the data transmission system 200, where a session is created and detection and other processing are performed, after which the request packets are routed and forwarded via router 205 or router 206 to the wide area network (Internet). For the processing flow of firewall 203 or firewall 204, refer to the description of FIG. 1, which is not repeated here.

It should be understood that the numbers of firewalls, clients and servers in FIG. 1 and FIG. 2 are merely illustrative. There may be any number of firewalls, clients and servers according to implementation needs.

图3示意性示出了根据本公开实施例的应用于第一防火墙的数据传输方法的流程图。Fig. 3 schematically shows a flowchart of a data transmission method applied to a first firewall according to an embodiment of the present disclosure.

如图3所示,应用于第一防火墙的数据传输方法包括操作S301~S304。As shown in FIG. 3 , the data transmission method applied to the first firewall includes operations S301-S304.

在操作S301,在通过第二防火墙向服务端发送来自客户端的请求数据包的情况下,接收来自服务端的响应数据包,其中,第一防火墙为第二防火墙的备份防火墙。In operation S301, when a request data packet from the client is sent to the server through the second firewall, a response data packet is received from the server, wherein the first firewall is a backup firewall of the second firewall.

根据本公开的实施例,第二防火墙可以先向服务端发送来自客户端的请求数据包,然后第一防火墙接收来自服务端的响应数据包。换言之,应用于第一防火墙的数据传输方法适用于异路回包的场景。其中,第一防火墙为第二防火墙的备份防火墙是指,在第二防火墙接收到请求数据包,并且建立与该请求数据包对应的会话数据之后,在一般情况下,第二防火墙会将与该请求数据包对应的会话数据同步发送给第一防火墙,使得第一防火墙可以保存与该请求数据包对应的会话数据。According to an embodiment of the present disclosure, the second firewall may first send the request packet from the client to the server, and then the first firewall receives the response packet from the server. In other words, the data transmission method applied to the first firewall is applicable to the scenario of packet return through different paths. Wherein, the first firewall is the backup firewall of the second firewall means that after the second firewall receives the request data packet and establishes the session data corresponding to the request data packet, under normal circumstances, the second firewall will associate with the The session data corresponding to the request data packet is sent to the first firewall synchronously, so that the first firewall can save the session data corresponding to the request data packet.

In operation S302, the response data packet is parsed to obtain parsed data.

According to an embodiment of the present disclosure, the parsed data may include the client IP address, the server IP address, the client port, the server port, the transport protocol type and other data.

In operation S303, whether session data matching the response data packet exists is looked up according to the parsed data, in order to determine whether to send the response data packet to the second firewall.

According to an embodiment of the present disclosure, the session data may include identification information identifying the client that sent the request data packet, for example the client IP address and the client port. The session data may of course also include the server IP address, the server port, the transport protocol type and other data.

According to an embodiment of the present disclosure, the client IP address contained in the parsed data may be matched against the client IP addresses stored in the first firewall. If the client IP addresses stored in the first firewall include the client IP address contained in the parsed data, the match succeeds; if they do not include it, the match fails.

According to an embodiment of the present disclosure, if the lookup in the first firewall finds session data matching the response data packet, the response data packet may be sent directly to the client.

In operation S304, if no session data matching the response data packet exists, the response data packet is sent to the second firewall so that the response data packet is processed by the second firewall.

According to an embodiment of the present disclosure, the number of second firewalls is not limited; for example, there may be one second firewall, two second firewalls, and so on. In other words, if no session data matching the response data packet exists, the first firewall may send the response data packet to multiple second firewalls.

According to an embodiment of the present disclosure, processing of the response data packet by the second firewall includes: determining whether the second firewall holds session data matching the response data packet, and, if the second firewall holds no session data matching the response data packet, dropping the response data packet.

According to an embodiment of the present disclosure, if the second firewall holds session data matching the response data packet, the response data packet is sent to the client, and the session data is sent to the first firewall so that the first firewall stores the session data.

Through the embodiments of the present disclosure, when the second firewall holds session data matching the response data packet, sending that session data to the first firewall allows the first firewall, the next time it receives a response data packet of that session, to match it directly against the received session data, with no need to send the response data packet to the second firewall again for processing. The present disclosure thus optimizes the firewall session synchronization mechanism in an asymmetric network environment and improves the session synchronization success rate of the firewall.

According to an embodiment of the present disclosure, when the first firewall receives a response data packet from the server, it parses the response data packet, looks up according to the parsed data whether session data matching the response data packet exists, and, if no matching session data exists, sends the response data packet to the second firewall so that the second firewall processes it. Because the second firewall can decide whether to forward the response data packet to the client according to the session data it created itself, this at least partially overcomes the technical problem that, if the first firewall receives a data packet returned by the server without holding a session for it, a packet that should have been forwarded to the client may be dropped, forcing the client to re-initiate the connection establishment process; the technical effect of improving data transmission efficiency is thereby achieved.

By having the first firewall send the response data packet to the second firewall so that the second firewall can process it, zero packet loss is achieved for return packets that take a different path through an asymmetric firewall network, and this is applied to asymmetric firewall networking environments, improving the reliability and practicality of firewalls in asymmetric networks. It solves the technical problem that the session synchronization packet sent by the second firewall to the first firewall is lost or arrives late, causing the response data packet to be lost, and is an effective supplement to the firewall session synchronization mechanism and to asymmetric-return-path data transmission in asymmetric networks.

The method shown in FIG. 3 is further described below with reference to FIGS. 4 to 6 in conjunction with specific embodiments.

FIG. 4 schematically shows a flowchart of a data transmission method applied to a first firewall according to another embodiment of the present disclosure.

As shown in FIG. 4, in addition to operations S301 to S304, the data transmission method applied to the first firewall further includes operations S401 to S403.

In operation S401, if no session data matching the response data packet exists, the protocol type of the response data packet is determined before the response data packet is sent to the second firewall.

According to an embodiment of the present disclosure, during data transmission the protocol type of the processed data packets is mainly TCP; other protocols (not limited to transport-layer protocols) may also be processed by reference to this method.

In operation S402, it is determined whether a forwarding policy is configured for the protocol type of the response data packet.

According to an embodiment of the present disclosure, a forwarding policy may be configured for one or more protocols such as TCP and UDP. Because TCP accounts for a high proportion of network data transmission, forwarding may by default be enabled only for TCP data packets; for data packets of other protocol types, an enable command must be executed according to the needs of the actual application scenario before this method applies to them.

In operation S403, if a forwarding policy is configured for the protocol type of the response data packet, the response data packet is sent to the second firewall.

FIG. 5 schematically shows a flowchart of a data transmission method applied to a first firewall according to another embodiment of the present disclosure.

As shown in FIG. 5, in addition to operations S301 to S304 and S401 to S403, the data transmission method applied to the first firewall further includes operations S501 to S503.

In operation S501, if no forwarding policy is configured for the protocol type of the response data packet, a check operation is performed on the response data packet.

According to an embodiment of the present disclosure, the check operation may include, for example, a state check, a security policy check and other operations.

In operation S502, if the response data packet passes the check, a session corresponding to the response data packet is created and the response data packet is sent to the client.

In operation S503, if the response data packet fails the check, the response data packet is dropped.

Accordingly, in an embodiment of the present disclosure, the above method of sending the response data packet to the second firewall is described using the TCP connection establishment process as an example.

a) The first firewall receives a TCP response data packet and performs the following processing:

i. Check for a matching session; if one matches, send the TCP response data packet directly to the client.

ii. If no session matches, determine whether the forwarding switch is configured for the type of the TCP response data packet; if it is, proceed to the next step b): the first firewall forwards the response data packet sync(req, ack) to the second firewall.

iii. If the forwarding switch is not configured for the type of the TCP response data packet, the packet is processed according to the first firewall's original packet processing method: for example, various check operations are performed; if the checks pass, a new session is created and the packet is forwarded; if the checks fail, the packet is dropped directly.

b) The first firewall forwards the response data packet sync(req, ack) to the second firewall.

c) The second firewall receives the response data packet forwarded by the first firewall and performs the following processing:

i. Check for a matching session; if none matches, drop the packet directly.

ii. If a session matches, forward the response data packet to the client, which ensures that the TCP connection is established, and proceed to step iii.

iii. Receiving the response data packet from the first firewall indicates that the session synchronization may have failed, so the second firewall initiates the session synchronization to the first firewall again. Once the first firewall holds the session of the TCP connection, it can forward subsequent TCP response data packets sent by the server to the client normally and quickly.

FIG. 6 schematically shows a flowchart of a data transmission method applied to a data transmission system according to another embodiment of the present disclosure.

Referring to FIG. 1, this embodiment describes the process by which the first firewall 101 handles a response data packet returned from the server 103. The first firewall 101 and the second firewall 102 may act as active and standby firewalls for each other, and the embodiment applies to the case where the session synchronization packet of the second firewall 102 may be lost or arrive too late, that is, where the session synchronization packet sent by the second firewall 102 to the first firewall 101 in step 0 is lost or arrives too late.

As shown in FIG. 6, the method includes operations S601 to S616.

In operation S601, the standby firewall (here the first firewall 101 is the standby firewall, referred to as the standby) receives the data packet (that is, the response data packet) returned by the server 103.

In operation S602, the standby firewall parses the five-tuple of the data packet and looks up a matching session. The five-tuple may include the client IP address, the server IP address, the client port, the server port and the transport protocol type.

In operation S603, the standby firewall determines whether a matching session exists; if a matching session exists, operation S612 is performed; if not, operation S604 is performed.

In operation S604, the packet type of the data packet is obtained and the special-processing configuration is looked up.

In operation S605, it is determined whether packet forwarding needs to be performed. If the processing switch is configured for this packet type, operation S607 is performed; if it is not configured, operation S613 is performed.

In operation S606, the standby firewall forwards the data packet to the active firewall (that is, the second firewall 102, referred to as the active).

In operation S607, the active firewall parses the five-tuple of the packet and looks up a matching session.

In operation S608, the active firewall determines whether the session exists; if a match exists, operation S609 is performed; if not, operation S614 is performed.

In operation S609, the active firewall forwards the packet to the client.

In operation S610, the active firewall synchronizes the session to the standby firewall again.

In operation S611, the standby firewall stores the synchronized session.

In operation S612, the standby firewall holds a session matching the packet and forwards the packet directly to the client.

In operation S613, if no special-processing switch exists in the standby firewall for this packet type, the various checks applied to normal data packets are performed and it is determined whether they pass; if the check passes, operation S616 is performed; if it fails, operation S615 is performed.

In operation S614, the standby firewall's check fails and the packet is discarded.

In operation S615, the standby firewall's check passes, a new session is created and the packet is forwarded.

In operation S616, the active firewall has no session matching the packet and discards the packet.
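The following Python simulation is an added example, not code from the patent, covering the TCP flow in steps a) to c) and operations S601 to S616: a session-less TCP response arriving at the standby is relayed to the active firewall, which forwards it and re-synchronizes the session, while a packet of a protocol without the forwarding switch goes through the standby's own checks, and a packet with no session on either firewall is dropped by the active. The firewall names, addresses, the direction-independent five-tuple session key, the lost-sync counter and the deny-by-default check function are assumptions of this example.

```python
"""Added example (not from the patent): active/standby firewall handling for
asymmetric return paths, following steps a) to c) and operations S601-S616."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

TCP, UDP = 6, 17  # IP protocol numbers


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int


FiveTuple = Tuple[str, int, str, int, int]
SessionKey = Tuple[Tuple[str, int], Tuple[str, int], int]


def parse_five_tuple(pkt: Packet) -> FiveTuple:
    """S302/S602: the parsed data is the packet's five-tuple."""
    return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)


def session_key(pkt: Packet) -> SessionKey:
    """Direction-independent key so a request and its response hit one session (assumed)."""
    ends = sorted([(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)])
    return (ends[0], ends[1], pkt.proto)


class Firewall:
    def __init__(self, name: str, forward_protos=frozenset({TCP}),
                 check_passes: Callable[[Packet], bool] = lambda pkt: False):
        self.name = name
        self.sessions: Dict[SessionKey, FiveTuple] = {}
        # Protocol types with the "forwarding switch" (S402/S605); TCP only by default.
        self.forward_protos = forward_protos
        # Stand-in for the state / security-policy checks of S501 (assumed: deny).
        self.check_passes = check_passes
        self.peer: Optional["Firewall"] = None
        self.lose_next_syncs = 0  # simulates lost session-sync packets

    def handle_request(self, pkt: Packet) -> Tuple[str, str]:
        """Active path: create the session and sync it to the peer (step 0)."""
        key = session_key(pkt)
        self.sessions[key] = parse_five_tuple(pkt)
        self._sync_session(key)
        return (self.name, "forward_to_server")

    def _sync_session(self, key: SessionKey) -> None:
        if self.peer is None:
            return
        if self.lose_next_syncs > 0:  # the sync packet never arrives
            self.lose_next_syncs -= 1
            return
        self.peer.sessions[key] = self.sessions[key]  # S611 on the peer

    def handle_response(self, pkt: Packet) -> Tuple[str, str]:
        """Standby path for a packet returned by the server (S601-S606, S612-S615)."""
        key = session_key(pkt)
        if key in self.sessions:
            return (self.name, "forward_to_client")  # S603 -> S612
        if pkt.proto in self.forward_protos and self.peer is not None:
            return self.peer.handle_forwarded_response(pkt)  # S605 -> S606
        if self.check_passes(pkt):  # S613 -> S615
            self.sessions[key] = parse_five_tuple(pkt)
            return (self.name, "forward_to_client")
        return (self.name, "drop")  # S613 -> S614

    def handle_forwarded_response(self, pkt: Packet) -> Tuple[str, str]:
        """Active path for a packet relayed by the standby (S607-S610, S616)."""
        key = session_key(pkt)
        if key not in self.sessions:
            return (self.name, "drop")  # S608 -> S616
        self._sync_session(key)  # S610: the sync evidently failed, send it again
        return (self.name, "forward_to_client")  # S609


def run_scenario() -> Dict[str, Tuple[str, str]]:
    """Constructed traffic: one TCP flow whose step-0 session sync is lost."""
    active, standby = Firewall("active"), Firewall("standby")
    active.peer, standby.peer = standby, active
    req = Packet("10.0.0.5", 40000, "203.0.113.10", 443, TCP)
    resp = Packet("203.0.113.10", 443, "10.0.0.5", 40000, TCP)
    active.lose_next_syncs = 1  # the step-0 sync never reaches the standby
    out = {"request": active.handle_request(req)}
    # First response returns via the standby: no session, so it is relayed to the
    # active, which forwards it to the client and re-syncs the session (S610).
    out["first_response"] = standby.handle_response(resp)
    # Second response: the standby now holds the session and forwards directly (S612).
    out["second_response"] = standby.handle_response(resp)
    # A response with no session on either firewall is dropped by the active (S616).
    stray = Packet("198.51.100.7", 443, "10.0.0.9", 5555, TCP)
    out["stray_tcp"] = standby.handle_response(stray)
    # UDP has no forwarding switch, so the standby runs its own checks (S613/S614).
    udp = Packet("203.0.113.10", 53, "10.0.0.5", 5353, UDP)
    out["udp_no_session"] = standby.handle_response(udp)
    return out
```

Note that relaying an unmatched packet never bypasses the session check: the packet is still dropped unless one of the two firewalls created a session for it.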


FIG. 7 schematically shows a block diagram of a data transmission apparatus applied to a first firewall according to an embodiment of the present disclosure.

As shown in FIG. 7, the data transmission apparatus 700 applied to the first firewall includes a first receiving module 701, a parsing module 702, a lookup module 703 and a first sending module 704.

The first receiving module 701 is configured to receive, in the case where a request data packet from a client has been sent to a server through a second firewall, a response data packet from the server, where the first firewall is a backup firewall of the second firewall.

The parsing module 702 is configured to parse the response data packet to obtain parsed data.

The lookup module 703 is configured to look up, according to the parsed data, whether session data matching the response data packet exists, in order to determine whether to send the response data packet to the second firewall.

The first sending module 704 is configured to send, if no session data matching the response data packet exists, the response data packet to the second firewall so that the response data packet is processed by the second firewall.

FIG. 8 schematically shows a block diagram of a data transmission apparatus applied to a second firewall according to an embodiment of the present disclosure.

As shown in FIG. 8, the data transmission apparatus 800 applied to the second firewall includes a second sending module 801, a second receiving module 802 and a processing module 803.

The second sending module 801 is configured to send a request data packet from a client to a server.

The second receiving module 802 is configured to receive a response data packet from a first firewall, where the first firewall is a backup firewall of the second firewall and the response data packet is sent after the first firewall has performed the following operations: receiving the response data packet from the server; parsing the response data packet to obtain parsed data; looking up, according to the parsed data, whether session data matching the response data packet exists, in order to determine whether to send the response data packet to the second firewall; and finding, according to the parsed data, that no session data matching the response data packet exists.

The processing module 803 is configured to process the response data packet.


根据本公开的实施例的模块中的任意多个、或其中任意多个的至少部分功能可以在一个模块中实现。根据本公开实施例的模块中的任意一个或多个可以被拆分成多个模块来实现。根据本公开实施例的模块中的任意一个或多个可以至少被部分地实现为硬件电路,例如现场可编程门阵列(FPGA)、可编程逻辑阵列(PLA)、片上系统、基板上的系统、封装上的系统、专用集成电路(ASIC),或可以通过对电路进行集成或封装的任何其他的合理方式的硬件或固件来实现,或以软件、硬件以及固件三种实现方式中任意一种或以其中任意几种的适当组合来实现。或者,根据本公开实施例的模块中的一个或多个可以至少被部分地实现为计算机程序模块,当该计算机程序模块被运行时,可以执行相应的功能。Any number of modules according to the embodiments of the present disclosure, or at least part of the functions of any number of them, may be implemented in one module. Any one or more of the modules according to the embodiments of the present disclosure may be implemented by being divided into multiple modules. Any one or more of modules according to embodiments of the present disclosure may be at least partially implemented as a hardware circuit, such as a field programmable gate array (FPGA), a programmable logic array (PLA), a system on a chip, a system on a substrate, A system on a package, an application-specific integrated circuit (ASIC), or hardware or firmware that can be implemented in any other reasonable manner that integrates or packages circuits, or in any of the three implementations of software, hardware, and firmware, or It can be realized by any suitable combination of any of them. Alternatively, one or more of the modules according to the embodiments of the present disclosure may be at least partially implemented as a computer program module, and when the computer program module is executed, corresponding functions may be performed.

例如,第一接收模块701、解析模块702、查找模块703和第一发送模块704中的任意多个可以合并在一个模块/单元/子单元中实现,或者其中的任意一个模块/单元/子单元可以被拆分成多个模块/单元/子单元。或者,这些模块/单元/子单元中的一个或多个模块/单元/子单元的至少部分功能可以与其他模块/单元/子单元的至少部分功能相结合,并在一个模块/单元/子单元中实现。根据本公开的实施例,第一接收模块701、解析模块702、查找模块703和第一发送模块704中的至少一个可以至少被部分地实现为硬件电路,例如现场可编程门阵列(FPGA)、可编程逻辑阵列(PLA)、片上系统、基板上的系统、封装上的系统、专用集成电路(ASIC),或可以通过对电路进行集成或封装的任何其他的合理方式等硬件或固件来实现,或以软件、硬件以及固件三种实现方式中任意一种或以其中任意几种的适当组合来实现。或者,第一接收模块701、解析模块702、查找模块703和第一发送模块704中的至少一个可以至少被部分地实现为计算机程序模块,当该计算机程序模块被运行时,可以执行相应的功能。For example, any number of the first receiving module 701, the parsing module 702, the searching module 703 and the first sending module 704 can be combined and implemented in one module/unit/subunit, or any one of the modules/units/subunits Can be split into multiple modules/units/subunits. Alternatively, at least part of the functions of one or more modules/units/subunits of these modules/units/subunits can be combined with at least part of the functions of other modules/units/subunits, and combined in one module/unit/subunit realized in. According to an embodiment of the present disclosure, at least one of the first receiving module 701, the analyzing module 702, the searching module 703 and the first sending module 704 may be at least partially implemented as a hardware circuit, such as a field programmable gate array (FPGA), programmable logic array (PLA), system-on-chip, system-on-substrate, system-on-package, application-specific integrated circuit (ASIC), or any other reasonable means of integrating or packaging circuits, such as hardware or firmware, may be implemented, Or it may be realized by any one of software, hardware and firmware, or by an appropriate combination of any of them. Alternatively, at least one of the first receiving module 701, the parsing module 702, the searching module 703 and the first sending module 704 may be at least partially implemented as a computer program module, and when the computer program module is executed, corresponding functions may be performed .

需要说明的是,本公开的实施例中应用于第一防火墙的数据传输装置与本公开的实施例中应用于第一防火墙的数据传输方法部分是相对应的,应用于第一防火墙的数据传输装置部分的描述具体参考应用于第一防火墙的数据传输方法部分,应用于第一防火墙的数据传输装置可以实现应用于第一防火墙的数据传输方法中的所有操作,在此不再赘述。It should be noted that the data transmission device applied to the first firewall in the embodiment of the present disclosure corresponds to the part of the data transmission method applied to the first firewall in the embodiment of the present disclosure, and the data transmission device applied to the first firewall For the description of the device part, refer specifically to the part of the data transmission method applied to the first firewall. The data transmission device applied to the first firewall can implement all the operations in the data transmission method applied to the first firewall, and will not be repeated here.

需要说明的是,本公开的实施例中应用于第二防火墙的数据传输装置与本公开的实施例中应用于第二防火墙的数据传输方法部分是相对应的,应用于第二防火墙的数据传输装置部分的描述具体参考应用于第二防火墙的数据传输方法部分,应用于第二防火墙的数据传输装置可以实现应用于第二防火墙的数据传输方法中的所有操作,在此不再赘述。It should be noted that the data transmission device applied to the second firewall in the embodiment of the present disclosure corresponds to the part of the data transmission method applied to the second firewall in the embodiment of the present disclosure, and the data transmission device applied to the second firewall For the description of the device part, refer specifically to the part of the data transmission method applied to the second firewall. The data transmission device applied to the second firewall can implement all operations in the data transmission method applied to the second firewall, and details are not repeated here.

根据本公开的实施例,还提供了一种防火墙设备,包括:一个或多个处理器;存储器,用于存储一个或多个程序,其中,当所述一个或多个程序被所述一个或多个处理器执行时,使得所述一个或多个处理器实现如上所述的方法。According to an embodiment of the present disclosure, there is also provided a firewall device, including: one or more processors; a memory for storing one or more programs, wherein, when the one or more programs are executed by the one or more When executed by multiple processors, the one or more processors are made to implement the method as described above.

图9示意性示出了根据本公开实施例的适于实现上文描述的方法的防火墙设备的框图。图9示出的防火墙设备仅仅是一个示例,不应对本公开实施例的功能和使用范围带来任何限制。Fig. 9 schematically shows a block diagram of a firewall device suitable for implementing the method described above according to an embodiment of the present disclosure. The firewall device shown in FIG. 9 is only an example, and should not limit the functions and scope of use of the embodiments of the present disclosure.

如图9所示,根据本公开实施例的防火墙设备900包括处理器901,其可以根据存储在只读存储器(ROM)902中的程序或者从存储部分908加载到随机访问存储器(RAM)903中的程序而执行各种适当的动作和处理。处理器901例如可以包括通用微处理器(例如CPU)、指令集处理器和/或相关芯片组和/或专用微处理器(例如,专用集成电路(ASIC)),等等。处理器901还可以包括用于缓存用途的板载存储器。处理器901可以包括用于执行根据本公开实施例的方法流程的不同动作的单一处理单元或者是多个处理单元。As shown in FIG. 9, a firewall device 900 according to an embodiment of the present disclosure includes a processor 901, which can be loaded into a random access memory (RAM) 903 according to a program stored in a read-only memory (ROM) 902 or from a storage section 908. Various appropriate actions and processing are performed by the program. Processor 901 may include, for example, a general-purpose microprocessor (eg, a CPU), an instruction set processor and/or related chipsets and/or a special-purpose microprocessor (eg, an application-specific integrated circuit (ASIC)), and the like. Processor 901 may also include on-board memory for caching purposes. The processor 901 may include a single processing unit or multiple processing units for executing different actions of the method flow according to the embodiments of the present disclosure.

在RAM 903中,存储有防火墙设备900操作所需的各种程序和数据。处理器901、ROM902以及RAM 903通过总线904彼此相连。处理器901通过执行ROM 902和/或RAM 903中的程序来执行根据本公开实施例的方法流程的各种操作。需要注意,所述程序也可以存储在除ROM 902和RAM 903以外的一个或多个存储器中。处理器901也可以通过执行存储在所述一个或多个存储器中的程序来执行根据本公开实施例的方法流程的各种操作。In the RAM 903, various programs and data necessary for the operation of the firewall device 900 are stored. The processor 901 , ROM 902 , and RAM 903 are connected to each other via a bus 904 . The processor 901 executes various operations according to the method flow of the embodiment of the present disclosure by executing programs in the ROM 902 and/or RAM 903 . It should be noted that the program may also be stored in one or more memories other than the ROM 902 and the RAM 903 . The processor 901 may also perform various operations according to the method flow of the embodiments of the present disclosure by executing programs stored in the one or more memories.

According to an embodiment of the present disclosure, the firewall device 900 may further include an input/output (I/O) interface 905, which is also connected to the bus 904. The firewall device 900 may also include one or more of the following components connected to the I/O interface 905: an input section 906 including a keyboard, a mouse and the like; an output section 907 including a cathode ray tube (CRT), a liquid crystal display (LCD) and the like, as well as a speaker and the like; a storage section 908 including a hard disk and the like; and a communication section 909 including a network interface card such as a LAN card or a modem. The communication section 909 performs communication processing via a network such as the Internet. A drive 910 is also connected to the I/O interface 905 as needed. A removable medium 911, such as a magnetic disk, an optical disk, a magneto-optical disk or a semiconductor memory, is mounted on the drive 910 as needed, so that a computer program read from it can be installed into the storage section 908 as needed.

According to the embodiments of the present disclosure, the method flow according to the embodiments of the present disclosure may be implemented as a computer software program. For example, the embodiments of the present disclosure include a computer program product that includes a computer program carried on a readable storage medium, the computer program containing program code for executing the method shown in the flowcharts. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 909 and/or installed from the removable medium 911. When the computer program is executed by the processor 901, the above-described functions defined in the firewall device of the embodiments of the present disclosure are performed. According to the embodiments of the present disclosure, the devices, apparatuses, modules, units and the like described above may be implemented by computer program modules.

The present disclosure also provides a readable storage medium, which may be included in the device/apparatus/system described in the above embodiments, or may exist separately without being assembled into that device/apparatus/system. The readable storage medium carries one or more programs which, when executed, implement the method according to the embodiments of the present disclosure.

According to an embodiment of the present disclosure, the readable storage medium may be a non-volatile readable storage medium. Examples may include, but are not limited to: a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above. In the present disclosure, a readable storage medium may be any tangible medium that contains or stores a program which can be used by, or in connection with, an instruction execution system, apparatus or device.

For example, according to an embodiment of the present disclosure, the readable storage medium may include the ROM 902 and/or the RAM 903 described above, and/or one or more memories other than the ROM 902 and the RAM 903.

The flowcharts and block diagrams in the figures illustrate the architecture, functionality and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in a flowchart or block diagram may represent a module, program segment or portion of code, which contains one or more executable instructions for implementing the specified logical function. It should also be noted that, in some alternative implementations, the functions noted in the blocks may occur in an order different from that noted in the figures. For example, two blocks shown in succession may in fact be executed substantially concurrently, or they may sometimes be executed in the reverse order, depending on the functionality involved. It should also be noted that each block of the block diagrams or flowcharts, and combinations of blocks in the block diagrams or flowcharts, can be implemented by a dedicated hardware-based system that performs the specified functions or operations, or by a combination of dedicated hardware and computer instructions. Those skilled in the art will understand that the features described in the various embodiments and/or claims of the present disclosure may be combined and/or integrated in various ways, even if such combinations or integrations are not explicitly described in the present disclosure. In particular, without departing from the spirit and teaching of the present disclosure, the features described in the various embodiments and/or claims of the present disclosure may be combined and/or integrated in various ways. All such combinations and/or integrations fall within the scope of the present disclosure.

The embodiments of the present disclosure have been described above. However, these embodiments are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the various embodiments have been described separately above, this does not mean that the measures in the various embodiments cannot be advantageously used in combination. The scope of the present disclosure is defined by the appended claims and their equivalents. Those skilled in the art can make various substitutions and modifications without departing from the scope of the present disclosure, and all such substitutions and modifications fall within the scope of the present disclosure.

Claims (10)

1. A data transmission method, applied to a first firewall, the method comprising:
   in the case that a request data packet from a client is sent to a server through a second firewall, receiving a response data packet from the server, wherein the first firewall is a backup firewall of the second firewall;
   parsing the response data packet to obtain parsed data;
   looking up, according to the parsed data, whether session data matching the response data packet exists, so as to determine whether to send the response data packet to the second firewall; and
   in the case that no session data matching the response data packet exists, sending the response data packet to the second firewall so that the response data packet is processed by the second firewall; wherein processing the response data packet by the second firewall comprises:
   in the case that session data matching the response data packet exists in the second firewall, sending the response data packet to the client; and
   sending the session data to the first firewall so that the first firewall saves the session data.

2. The method according to claim 1, further comprising:
   in the case that no session data matching the response data packet exists, before sending the response data packet to the second firewall, determining the protocol type of the response data packet;
   judging whether a forwarding policy is configured for the protocol type of the response data packet; and
   in the case that a forwarding policy is configured for the protocol type of the response data packet, sending the response data packet to the second firewall.

3. The method according to claim 2, further comprising:
   in the case that no forwarding policy is configured for the protocol type of the response data packet, performing a check operation on the response data packet;
   in the case that the response data packet passes the check, creating a session corresponding to the response data packet and sending the response data packet to the client; and
   in the case that the response data packet fails the check, dropping the response data packet.

4. The method according to claim 1, further comprising:
   in the case that session data matching the response data packet exists, sending the response data packet to the client.

5. The method according to claim 1, wherein processing the response data packet by the second firewall comprises:
   judging whether session data matching the response data packet exists in the second firewall; and
   in the case that no session data matching the response data packet exists in the second firewall, dropping the response data packet.

6. A data transmission method, applied to a second firewall, the method comprising:
   sending a request data packet from a client to a server;
   receiving a response data packet from a first firewall, wherein the first firewall is a backup firewall of the second firewall, and the response data packet is sent after the first firewall performs the following operations:
   receiving the response data packet from the server;
   parsing the response data packet to obtain parsed data;
   looking up, according to the parsed data, whether session data matching the response data packet exists, so as to determine whether to send the response data packet to the second firewall; and
   upon finding, according to the parsed data, that no session data matching the response data packet exists, sending the response data packet to the second firewall;
   processing the response data packet; wherein processing the response data packet comprises:
   in the case that session data matching the response data packet exists in the second firewall, sending the response data packet to the client; and
   sending the session data to the first firewall so that the first firewall saves the session data.

7. The method according to claim 6, wherein processing the response data packet comprises:
   judging whether session data matching the response data packet exists in the second firewall;
   in the case that no session data matching the response data packet exists in the second firewall, dropping the response data packet.

8. A data transmission system, comprising a first firewall and a second firewall, wherein the first firewall is a backup firewall of the second firewall, and wherein:
   the first firewall is configured to perform:
   in the case that a request data packet from a client is sent to a server through the second firewall, receiving a response data packet from the server;
   parsing the response data packet to obtain parsed data;
   looking up, according to the parsed data, whether session data matching the response data packet exists, so as to determine whether to send the response data packet to the second firewall; and
   in the case that no session data matching the response data packet exists, sending the response data packet to the second firewall;
   the second firewall is configured to perform:
   sending the request data packet from the client to the server;
   receiving the response data packet from the first firewall; and
   processing the response data packet, wherein processing the response data packet comprises: in the case that session data matching the response data packet exists in the second firewall, sending the response data packet to the client; and sending the session data to the first firewall so that the first firewall saves the session data.

9. A firewall device, comprising:
   one or more processors; and
   a memory for storing one or more programs,
   wherein, when the one or more programs are executed by the one or more processors, the one or more processors are caused to implement the method according to any one of claims 1 to 5 or the method according to claim 6 or 7.

10. A readable storage medium having executable instructions stored thereon which, when executed by a processor, cause the processor to implement the method according to any one of claims 1 to 5 or the method according to claim 6 or 7.
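The flow in claims 1 to 8 (backup firewall receives the server's response on the asymmetric return path, finds no session, forwards to the primary firewall, which matches its own session, delivers to the client and pushes the session data back) can be simulated end to end. The following is an added example written for this page, not the patent's or the assignee's implementation. The class names, the 5-tuple session key, the set of protocol types treated as having a forwarding policy, and the claim-3 "check operation" (modelled as a caller-supplied predicate) are all assumptions; the claims specify none of these details.

```python
"""Simulation of the two-firewall response handling in claims 1 to 8.

Example code added for this page; not the patent's implementation. Session key,
class names, forwarding-policy protocols and the check predicate are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# Session key normalised to the client->server direction (assumption).
SessionKey = Tuple[str, str, int, int, str]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str


def key_of_request(pkt: Packet) -> SessionKey:
    return (pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port, pkt.proto)


def key_of_response(pkt: Packet) -> SessionKey:
    # A response travels server->client; flip it so it matches the request's key.
    return (pkt.dst_ip, pkt.src_ip, pkt.dst_port, pkt.src_port, pkt.proto)


class BackupFirewall:
    """The 'first firewall': sees the return path and caches sessions synced from the primary."""

    def __init__(self, forward_policy_protos: Set[str], checker: Callable[[Packet], bool]):
        self.sessions: Dict[SessionKey, dict] = {}
        self.forward_policy_protos = forward_policy_protos   # claim 2 (assumed set)
        self.checker = checker                               # claim 3 check (assumed predicate)
        self.primary: Optional["PrimaryFirewall"] = None
        self.sent_to_client: List[Packet] = []
        self.dropped: List[Packet] = []

    def save_session(self, session: dict) -> None:
        # Claim 1: the primary pushes the matched session; keep it locally.
        self.sessions[session["key"]] = session

    def handle_response(self, pkt: Packet) -> str:
        key = key_of_response(pkt)                 # "parse the packet to obtain parsed data"
        if key in self.sessions:                   # claim 4: known session, deliver directly
            self.sent_to_client.append(pkt)
            return "sent_to_client"
        if pkt.proto in self.forward_policy_protos:   # claim 2: defer to the primary
            return "forwarded:" + self.primary.handle_response(pkt)
        if self.checker(pkt):                      # claim 3: no policy, check locally
            self.sessions[key] = {"key": key, "state": "established"}
            self.sent_to_client.append(pkt)
            return "sent_to_client"
        self.dropped.append(pkt)
        return "dropped"


class PrimaryFirewall:
    """The 'second firewall': forwards client requests and owns the session table."""

    def __init__(self, backup: BackupFirewall):
        self.sessions: Dict[SessionKey, dict] = {}
        self.backup = backup
        backup.primary = self
        self.sent_to_client: List[Packet] = []
        self.dropped: List[Packet] = []

    def forward_request(self, pkt: Packet) -> None:
        key = key_of_request(pkt)
        self.sessions[key] = {"key": key, "state": "established"}

    def handle_response(self, pkt: Packet) -> str:
        session = self.sessions.get(key_of_response(pkt))
        if session is None:                        # claims 5/7: no session, drop
            self.dropped.append(pkt)
            return "dropped"
        self.sent_to_client.append(pkt)            # claim 1: matched, deliver and sync
        self.backup.save_session(session)
        return "sent_to_client"


def run_scenario() -> Dict[str, object]:
    """Constructed traffic: the request goes via the primary, responses arrive at the backup."""
    backup = BackupFirewall({"tcp", "udp"}, checker=lambda p: p.src_ip.startswith("203.0.113."))
    primary = PrimaryFirewall(backup)
    request = Packet("10.0.0.5", "203.0.113.10", 40000, 443, "tcp")
    response = Packet("203.0.113.10", "10.0.0.5", 443, 40000, "tcp")
    primary.forward_request(request)
    results: Dict[str, object] = {}
    results["first"] = backup.handle_response(response)       # forwarded, matched, synced back
    results["second"] = backup.handle_response(response)      # now matched on the backup itself
    unsolicited = Packet("203.0.113.10", "10.0.0.5", 443, 40001, "tcp")
    results["unsolicited"] = backup.handle_response(unsolicited)  # no session anywhere: dropped
    icmp_ok = Packet("203.0.113.10", "10.0.0.5", 0, 0, "icmp")
    results["icmp_ok"] = backup.handle_response(icmp_ok)      # no policy, local check passes
    icmp_bad = Packet("198.51.100.7", "10.0.0.5", 0, 0, "icmp")
    results["icmp_bad"] = backup.handle_response(icmp_bad)    # no policy, local check fails
    results["backup_sessions"] = len(backup.sessions)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The point the scenario makes explicit is the one the claims are built around: for protocols covered by a forwarding policy, the backup firewall never creates a session of its own for a reverse-path packet it has no state for; the decision is deferred to the firewall that saw the request, and a response with no corresponding request is dropped there (claims 5 and 7). Only after the primary has confirmed the match does the backup hold the session and deliver later packets directly.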
CN201911425660.3A 2019-12-31 2019-12-31 Data transmission method, data transmission system, firewall device and storage medium Active CN111181985B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911425660.3A CN111181985B (en) 2019-12-31 2019-12-31 Data transmission method, data transmission system, firewall device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911425660.3A CN111181985B (en) 2019-12-31 2019-12-31 Data transmission method, data transmission system, firewall device and storage medium

Publications (2)

Publication Number Publication Date
CN111181985A CN111181985A (en) 2020-05-19
CN111181985B true CN111181985B (en) 2022-11-11

Family

ID=70650797

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911425660.3A Active CN111181985B (en) 2019-12-31 2019-12-31 Data transmission method, data transmission system, firewall device and storage medium

Country Status (1)

Country Link
CN (1) CN111181985B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112866245B (en) * 2021-01-18 2022-09-09 中国工商银行股份有限公司 Message routing method and device
CN113965347B (en) * 2021-09-09 2024-03-15 山石网科通信技术股份有限公司 Firewall data processing method and device
CN113783872B (en) * 2021-09-09 2023-08-18 山石网科通信技术股份有限公司 Firewall data processing method and device
CN116707860A (en) * 2023-04-25 2023-09-05 杭州迪普科技股份有限公司 Message forwarding method and device in dual-machine asymmetric routing network
CN120034540B (en) * 2025-04-23 2025-10-24 紫光恒越技术有限公司 Firewall traffic balancing method, device, electronic device and storage medium

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101199187A (en) * 2004-07-23 2008-06-11 茨特里克斯系统公司 System and method for optimization of communication between network nodes

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7188365B2 (en) * 2002-04-04 2007-03-06 At&T Corp. Method and system for securely scanning network traffic
CN107241208B (en) * 2016-03-29 2020-02-21 华为技术有限公司 A message forwarding method, first switch and related system
CN107888500B (en) * 2017-11-03 2020-04-17 东软集团股份有限公司 Message forwarding method and device, storage medium and electronic equipment
US20190215306A1 (en) * 2018-01-11 2019-07-11 Nicira, Inc. Rule processing and enforcement for interleaved layer 4, layer 7 and verb based rulesets

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101199187A (en) * 2004-07-23 2008-06-11 茨特里克斯系统公司 System and method for optimization of communication between network nodes

Also Published As

Publication number Publication date
CN111181985A (en) 2020-05-19

Similar Documents

Publication Publication Date Title
CN111181985B (en) Data transmission method, data transmission system, firewall device and storage medium
US10484518B2 (en) Dynamic port type detection
CN102647406B (en) Intelligent integrated network security device for high-availability applications
CN113709057B (en) Network congestion notification method, proxy node, network node and computer equipment
CN110178342B (en) Scalable application level monitoring of SDN networks
US9264402B2 (en) Systems involving firewall of virtual machine traffic and methods of processing information associated with same
US9154418B1 (en) Efficient packet classification in a network device
US8861369B2 (en) Virtual network interface with packet filtering hooks
EP3232611B1 (en) Method, device and system for performing bidirectional forwarding detection on an aggregated link
US20130054817A1 (en) Disaggregated server load balancing
CN107241208B (en) A message forwarding method, first switch and related system
WO2022105730A1 (en) Method and apparatus for ensuring same source and same destination of sctp multi-homing packet
CN114303349B (en) Bidirectional Forwarding Detection (BFD) offloading in virtual network interface controllers
KR101326983B1 (en) Apparatus and method for controlling traffic
US9832069B1 (en) Persistence based on server response in an IP multimedia subsystem (IMS)
CN107332793B (en) A message forwarding method, related equipment and system
EP4380128A1 (en) Establishing forward and reverse segment routing (sr) tunnels for bidirectional forwarding detection (bfd) continuity checks
CN109710423B (en) Method and equipment for communication between virtual machines
US11929924B1 (en) Establishing forward and reverse segment routing (SR) tunnels for bidirectional forwarding detection (BFD) continuity checks
KR101457314B1 (en) A method for routing and associated routing device and destination device
WO2024159952A1 (en) Bidirectional forwarding detection method and apparatus, and electronic device and readable storage medium
US8050266B2 (en) Low impact network debugging
US9736080B2 (en) Determination method, device and storage medium
CN116032594A (en) Judgment method, device, equipment and medium for authentic source address verification of IPv6 network
US20130238811A1 (en) Accelerating UDP Traffic

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Applicant after: QAX Technology Group Inc.

Applicant after: Qianxin Wangshen information technology (Beijing) Co.,Ltd.

Address before: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Applicant before: QAX Technology Group Inc.

Applicant before: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc.

GR01 Patent grant