WO2015176682A1 - Forwarding a packet - Google Patents
Forwarding a packet
- Publication number
- WO2015176682A1 (PCT/CN2015/079556)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- policy
- packet
- flow directing
- vfw
- vswitch
- Prior art date
- Legal status
- Ceased
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies

- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/64—Hybrid switching systems
- H04L12/6418—Hybrid transport

- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/131—Protocols for games, networked simulations or virtual reality

- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/50—Network services
- H04L67/60—Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
- H04L67/63—Routing a service request depending on the request content or context
Definitions
- a traditional firewall device can implement security protection and service separation for flows in a network.
- FIG. 1 is a schematic diagram illustrating a deployment model based on KVM (Kernel-based Virtual Machine) according to an example of the present disclosure
- FIG. 2A is a flowchart illustrating a method for forwarding packet according to an example of the present disclosure
- FIG. 2B is a flowchart illustrating a method for forwarding packet according to an example of the present disclosure
- FIG. 3 is a schematic diagram illustrating a structure of an apparatus for forwarding packet applying to a virtual firewall according to an example of the present disclosure
- FIG. 4A is a schematic diagram illustrating a structure of an apparatus for forwarding packet applying to a virtual switch according to an example of the present disclosure
- FIG. 4B is a schematic diagram illustrating a structure of an apparatus for forwarding packet applying to a virtual switch according to an example of the present disclosure
- FIG. 5 is a schematic diagram illustrating a structure of an apparatus for forwarding packet applying to a virtual firewall according to an example of the present disclosure
- FIG. 6A is a schematic diagram illustrating a structure of an apparatus for forwarding packet applying to a virtual switch according to an example of the present disclosure
- FIG. 6B is a schematic diagram illustrating a structure of an apparatus for forwarding packet applying to a virtual switch according to an example of the present disclosure.
- VM: virtual machine
- the physical firewall is outside the server.
- Such inter-VM flows are not transmitted to the physical firewall outside the server, and thus the physical firewall cannot implement security protection for the flows among the virtual machines.
- One approach to overcome this and implement security protection is to direct flows between VMs to a designated security device, such as a physical firewall, outside the server.
- the flow may be directed through a physical switch between the physical server and the physical security device.
- the security device performs security processing for the flow, e.g., filtering and protection etc.
- an external access switch, i.e., a designated physical switch, is used to direct the inter-VM flows to the physical firewall.
- a virtual firewall is established based on a virtual platform.
- the virtual firewall may be a designated virtual machine that runs on a virtual platform, and may have the same security protection function as a traditional physical firewall.
- an administrator may configure a security policy corresponding to the flow on the VFW.
- the VFW may automatically configure a flow directing policy in a virtual switch (vSwitch).
- the flow directing policy is stored in the vSwitch in a flow table format.
- the vSwitch may match a flow with the content of flow table.
- the flow from a designated VM is directed to the VFW.
- the VFW performs security protection processing for the flow among the VMs.
- the flow processed by the VFW returns to the vSwitch to be forwarded.
- the VFW can perform protection for the flow among the VMs inside the server, so that the flow does not have to be forwarded to an external physical switch for processing, which avoids consuming resources of the server and the physical switch.
- the virtual platform above may include VMware, Xen, Kernel-based Virtual Machine (KVM) , etc.
- implementation based on the KVM.
- the VM, the VFW and the vSwitch are established based on the KVM.
- FIG. 1 is a schematic diagram illustrating a deployment model based on KVM according to an example of the present disclosure.
- a vSwitch 13, a VM 11_1, a VM 11_2, a VM 11_3 and a VFW 12 are established on a physical server 15 by a KVM virtual software management program (referred to as Hypervisor 14) running on the physical server.
- the vSwitch connects the VMs to each other and flows between the VMs may be routed through the vSwitch, which may forward flows in accordance with a flow table of the vSwitch.
- Each VM has functions of a traditional computing device
- the vSwitch 13 has functions of a traditional switch
- the VFW 12 has functions of a traditional firewall.
- the VFW 12 may be deemed as a VM.
- the VFW is created by establishing a virtual network card based on KVM and connecting its virtual port to a vSwitch 13. In a practical application, various virtual devices may be established on demand based on the virtual platform.
- the VFW 12 and a physical firewall may have same functions, such as attack protection and network separation.
- a user, e.g., an administrator, may configure a security policy. As can be seen from the flow direction in FIG. 1, after a flow from a source VM 11_1 inside the physical server 15 is directed to the vSwitch 13, the flow is further directed to the VFW 12. After the security protection is performed for the flow in the VFW 12, the flow returns to the vSwitch 13, and then the vSwitch 13 directs the flow to a target VM 11_3 inside the physical server 15.
- the source VM 11_1 and the target VM 11_3 may be located in a same physical server 15.
- the security policy is performed by the VFW 12 inside the physical server 15 for the flow between the source VM 11_1 and the target VM 11_3.
- the flow between the source VM 11_1 and the target VM 11_3 does not need to pass through a physical firewall outside the physical server 15 for security protection.
- a method for forwarding a packet is provided based on the example in FIG. 1. As illustrated in FIG. 2, the method includes the following procedures.
- the VFW notifies a vSwitch to establish a flow directing policy corresponding to the security policy.
- the vSwitch directs a packet that is received from a source VM and which matches the flow directing policy to the VFW. That is, the vSwitch checks whether a received flow matches a flow directing policy and, in response to determining that the received flow matches the flow directing policy, the vSwitch directs the flow to the VFW.
- the VFW and the vSwitch may be established in a same physical machine based on a virtual platform.
- a flow directing policy is used to direct a flow to a designated apparatus based on MAC address, IP address, etc., carried by the flow.
- An administrator may configure a security policy for the VFW via a VFW manager.
- the security policy may include security processing, e.g., access control and security protection.
- the security protection may include filtering whether a flow includes a flooding attack.
- the access control in the VFW may support dividing apparatuses into different security domains based on information such as VM identifiers, IP addresses, MAC addresses and host computer names. Flows among the security domains may be protected by configuring a policy among the security domains. For example, VMs that are in the same network segment and process the same service are set in the same security domain. Thus, a VM may transmit a flow to (or receive a flow from) another VM in the same security domain.
- a VM may not transmit a flow to (or receive a flow from) another VM in a different security domain. There may be a limitation for a flow between VMs in different security domains.
- the VFW knows a flow for which the security protection is to be performed. Further, a flow directing policy is configured for the vSwitch, so that the vSwitch may direct the flow which matches the flow directing policy to the VFW for processing.
- the VMs may be divided into a WEB server, an APP server and a database server etc.
- the security policy for access control may be configured as follows. A flow from the WEB server to the APP server may be allowed to pass through the VFW, i.e., a flow from a source IP address (the WEB server) to a target IP address (the APP server) may be allowed to pass through the VFW.
- After the user configures the security policy for the VFW, according to the content to be protected in the security policy (i.e., a flow for which the security protection is to be performed), the VFW notifies the vSwitch to establish a flow directing policy corresponding to the security policy, so that the vSwitch directs the flow which needs to be protected to the VFW.
- At block 701 in FIG. 2B, according to the security policy, the VFW generates the flow directing policy.
- the VFW transmits a message carrying the flow directing policy to the vSwitch, and notifies the vSwitch to establish the flow directing policy.
- a message format may be a JavaScript Object Notation (JSON) format including content as follows.
- Version is a version number, a value of which may be set as 1.0 or 1.1 in an example;
- Type is a message type, a value of which may be set as 1, 2 or 3 in an example: the value 1 may indicate adding a flow directing policy, the value 2 may indicate modifying a flow directing policy, and the value 3 may indicate deleting a flow directing policy;
- Src_IP is an IP address of a source VM;
- Src_name is a source VM name or a source VM identifier (id);
- Dest_IP is an IP address of a target VM;
- Dest_name is a target VM name or a target VM id;
- Src_MAC is MAC address information of the source VM, a format of which is "xx-xx-xx-xx-xx-xx" in an example;
- Dest_MAC is MAC address information of the target VM, a format of which is "xx-xx-xx-xx-xx-xx" in an example;
- VLAN is a VLAN id to which the VM belongs;
- In_port is an interface via which the VM is connected with the vSwitch;
- Protocol is a protocol name;
- Src_port is a protocol source port;
- Dest_port is a protocol target port;
- Pri is a priority of the policy; when a received packet matches several policies, the packet is processed according to the policy with the highest priority among them;
- Action is an action performed after the packet matches the policy; the value VFW represents a port on the VFW to which the flow is forwarded;
- Aging is an aging time; when the time during which no flow matches the policy is longer than the aging time, the policy is automatically deleted.
- the vSwitch may store the flow directing policy in a flow table.
- the vSwitch adds an item corresponding to the flow directing policy into a flow table.
- a flow table item may include a matching field, a priority, a matching action, aging time and a matching count etc.
- the aging time may be set as null.
- the flow table is illustrated as Table 1.
- the flow directing policy corresponds to the security policy configured for the VFW, and is carried in the message to be transmitted to the vSwitch.
- the flow to be protected according to the security policy is represented in the flow directing policy, so that the vSwitch can direct the flow to the VFW based on the flow directing policy, and the VFW performs security processing for the flow.
- Each flow to be protected may be represented as an item in a flow table.
- Each item in the flow table may represent a flow or a category of flows.
- security protection is performed for a flow transmitted to a designated VM, or is performed for a flow between two VMs.
- the flow is prohibited to be transmitted, or protocol inspection is performed when transmitting the flow.
- a flow directing policy corresponding to the security policy is configured for the flow transmitted to the designated VM or the flow between the two VMs, so that after receiving a flow, the vSwitch may confirm that the flow matches an item in the flow table, and may direct the flow to the VFW.
- the VFW may know whether the security protection is required for a flow between two VMs.
- the vSwitch may generate a flow directing policy, so that the flow is directed to the VFW to perform the security protection.
- the security protection is performed for a flow from a VM with an IP address 192.168.0.1 to a VM with an IP address 192.168.2.2, and the flow is allowed to pass through the VFW.
- a flow directing policy corresponding to the flow is established, and a matching field is set for an item in the flow table as follows.
- Src_IP is set as 192.168.0.1
- Dest_IP is set as 192.168.2.
- Pri is set as 100
- Action is set as forwarding packet to the port on the VFW.
- the vSwitch compares the packet with items in the flow table.
- when the packet matches the item in the flow table, the packet is forwarded to the port on the VFW according to the Action of the item, so that the flow to be protected is directed to the VFW.
- the port on the VFW may be set as a designated category, i.e., a port profile VFW is added to a virtual network card of the VFW, so that the port number of the VFW does not matter, and the VM can migrate among different servers.
- VM1, VM2 and VM3 are configured as a security domain.
- the security protection is performed for a flow transmitted from another VM outside the security domain to a VM in the security domain.
- a flow directing policy corresponding to the security policy is generated.
- An item in the flow table is generated for a flow transmitted from a VM outside the security domain to any of VM1, VM2 and VM3.
- the vSwitch may compare the packet with items in the flow table. When confirming that the packet matches an item, the vSwitch directs the flow to the VFW.
- when receiving a packet forwarded from the vSwitch, the VFW performs security processing for the packet according to the security policy configured for the VFW, and forwards the packet satisfying the security policy to a target VM via the vSwitch.
- the source VM and the target VM may be located in the same physical server.
- the VFW is established inside the physical server.
- the VFW performs the security protection for the flow transmitted from the source VM, and forwards the flow to the target VM in the same physical server, so as to implement security protection for the flow among VMs inside the same physical server.
- a flow to be protected is directed to the VFW.
- the VFW performs the security processing for the flow.
- the VFW confirms whether the flow satisfies the security policy such as access control and security protection.
- the VFW forwards the packet satisfying the security policy to the target VM, and discards the packet not satisfying the security policy.
- the VFW may notify the vSwitch to update the flow directing policy corresponding to the security policy.
- An updating processing may include deleting, adding and modifying.
- a new flow directing policy is generated to replace the previous flow directing policy.
- the VFW may notify the vSwitch to delete, add or modify the flow directing policy. For example, a new security policy may be added to perform security protection for a flow between VM1 and VM2.
- a flow directing policy corresponding to the flow between the VM1 and VM2 is generated.
- the VFW may notify the vSwitch to add a new item in the flow table.
- aging time may not be set for the new flow directing policy.
- the flow directing policy is always valid.
- security protection is not performed for the flow between the VM1 and the VM2
- the security policy is deleted.
- the flow directing policy corresponding to the flow between the VM1 and the VM2 is deleted.
- the VFW may notify the vSwitch to delete the item in the flow table.
- the VFW may notify the vSwitch to add a new flow directing policy that directly forwards the other packets of the same flow as the packet to the target VM, so that those packets are not forwarded to the VFW for processing.
- flows passing through the VFW are decreased, processing efficiency is improved, and flow security is ensured.
- when the VFW confirms that the packet matches the security policy (the flow from the source IP address 192.168.0.1 to the target IP address 192.168.2.2 is allowed to pass through the VFW) and is not an attack packet, the packet is allowed to pass through the VFW.
- the VFW may notify the vSwitch to add a new flow directing policy corresponding to a flow to which the packet belongs.
- Content of a new item corresponding to the new flow directing policy in the flow table is as follows.
- a matching field includes that Src_IP is 192.168.0.1, Dest_IP is 192.168.2.2, Pri is 200, and Action is to directly forward a packet to the target VM.
- the matching field of the new item is the same as that of the old item.
- the Pri of the new item is higher than that of the old item.
- There are two items corresponding to the flow in the flow table, i.e., the old item corresponding to the old flow directing policy matching the flow and the new item corresponding to the new flow directing policy matching the flow.
- the matching action of the new item is to directly forward a packet belonging to the same flow as the packet satisfying the security policy to the target address after it enters the vSwitch, without forwarding it to the VFW; and the priority of the new flow directing policy is higher than the priority of the old flow directing policy matching the flow to which the packet belongs.
- the vSwitch directly forwards a subsequently received packet belonging to a same flow as the packet satisfying the security policy to the target VM.
- the new flow directing policy may be a forwarding policy.
- aging time is configured for the new flow directing policy, so that when the aging time expires after the flow to which the packet belongs finishes, the new flow directing policy is automatically deleted.
- the vSwitch may automatically delete the flow directing policy of directly forwarding the packet to the target VM.
- the vSwitch may direct the flow to the port on the VFW. According to this dynamic adjustment, both security and processing efficiency can be improved.
- a new item corresponding to the new flow directing policy of forwarding the flow to the target VM is generated in the flow table.
- the aging time is not set for the old item corresponding to the old flow directing policy of directing the flow to the VFW, and is set for the new item.
- the vSwitch directs the flow to a port on the VFW that is configured in the old flow directing policy.
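The flow directing mechanism described in the items above (the JSON add/modify/delete message, the priority-ordered flow table with aging and match counts, and the higher-priority direct-forwarding item the VFW installs once a packet has passed the security policy) as an added Python example. This is not code from the patent or from any product; the class names, the TARGET action label, the flood threshold, the "NORMAL" result for packets no policy covers, and the 30 s aging value are assumptions, and the addresses are the ones the page uses. It also shows the case the text only implies: when the security policy is deleted, the VFW must also delete the direct-forwarding item it installed, otherwise the offloaded flow keeps bypassing the VFW until that item ages out.

```python
import json

# Field names of the flow directing policy message given on the page. Type 1/2/3 = add/modify/delete;
# Pri selects among several matching items; Aging is the idle time after which the vSwitch deletes
# the item (None = never ages, as for the VFW-directing item).
MATCH_FIELDS = ("Src_IP", "Src_name", "Dest_IP", "Dest_name", "Src_MAC", "Dest_MAC",
                "VLAN", "In_port", "Protocol", "Src_port", "Dest_port")
ACTION_VFW = "VFW"        # direct the packet to the port on the VFW (value from the page)
ACTION_TARGET = "TARGET"  # assumed label: forward straight to the target VM, bypassing the VFW


class FlowItem:
    """One flow table item: matching field, priority, matching action, aging time, match count."""

    def __init__(self, match, pri, action, aging, now):
        self.match, self.pri, self.action, self.aging = match, pri, action, aging
        self.count, self.last_hit = 0, now

    def matches(self, packet):
        # Every field in the matching field must equal the corresponding packet header field.
        return all(packet.get(k) == v for k, v in self.match.items())


class VSwitch:
    """Hypothetical vSwitch: installs items from VFW messages and matches packets by priority."""

    def __init__(self):
        self.table = []

    def handle_message(self, raw, now):
        msg = json.loads(raw)
        match = {k: msg[k] for k in MATCH_FIELDS if k in msg}
        # Add/modify replace an existing item with the same matching field and priority; delete removes it.
        self.table = [i for i in self.table if not (i.match == match and i.pri == msg["Pri"])]
        if msg["Type"] != 3:
            self.table.append(FlowItem(match, msg["Pri"], msg["Action"], msg.get("Aging"), now))

    def _expire(self, now):
        # An item idle for longer than its aging time is deleted automatically.
        self.table = [i for i in self.table if i.aging is None or now - i.last_hit <= i.aging]

    def forward(self, packet, now):
        """Return the action for a packet: the highest-priority matching item wins."""
        self._expire(now)
        hits = [i for i in self.table if i.matches(packet)]
        if not hits:
            return "NORMAL"  # assumed: no flow directing policy applies, ordinary switching
        best = max(hits, key=lambda i: i.pri)
        best.count += 1
        best.last_hit = now
        return best.action


class VFW:
    """Hypothetical VFW: holds the security policy and notifies the vSwitch of flow directing policies."""

    FLOOD_LIMIT = 50  # constructed threshold: more packets than this from one source within a second

    def __init__(self, vswitch):
        self.vswitch = vswitch
        self.allow = set()  # (Src_IP, Dest_IP) pairs allowed to pass through the VFW
        self.rate = {}      # Src_IP -> (window start, packets seen in the window)

    def _policy_msg(self, mtype, src, dst, pri, action, aging=None):
        return json.dumps({"Version": "1.0", "Type": mtype, "Src_IP": src, "Dest_IP": dst,
                           "Pri": pri, "Action": action, "Aging": aging})

    def configure(self, src, dst, now):
        # Blocks 701/702: generate the directing policy for the protected flow and push it, no aging.
        self.allow.add((src, dst))
        self.vswitch.handle_message(self._policy_msg(1, src, dst, 100, ACTION_VFW), now)

    def remove(self, src, dst, now):
        # Security policy deleted: delete the directing item and any direct-forwarding item for the flow.
        self.allow.discard((src, dst))
        self.vswitch.handle_message(self._policy_msg(3, src, dst, 100, ACTION_VFW), now)
        self.vswitch.handle_message(self._policy_msg(3, src, dst, 200, ACTION_TARGET), now)

    def _is_flood(self, packet, now):
        start, n = self.rate.get(packet["Src_IP"], (now, 0))
        if now - start >= 1.0:
            start, n = now, 0
        self.rate[packet["Src_IP"]] = (start, n + 1)
        return n + 1 > self.FLOOD_LIMIT

    def process(self, packet, now, aging=30):
        """Security processing for a packet the vSwitch directed here; returns 'FORWARD' or 'DROP'."""
        key = (packet["Src_IP"], packet["Dest_IP"])
        if key not in self.allow or self._is_flood(packet, now):
            return "DROP"
        # Packet satisfies the policy: install a higher-priority (200) direct-forwarding item with
        # aging, so later packets of the same flow bypass the VFW until the flow goes idle.
        self.vswitch.handle_message(self._policy_msg(1, key[0], key[1], 200, ACTION_TARGET, aging), now)
        return "FORWARD"


def deliver(vswitch, vfw, packet, now):
    """Full path of one packet: vSwitch lookup, then VFW processing when it is directed there."""
    action = vswitch.forward(packet, now)
    if action == ACTION_VFW:
        return "VFW:" + vfw.process(packet, now)
    return action


def simulate():
    """Constructed scenario using the page's addresses; returns the action taken per packet."""
    vswitch, vfw = VSwitch(), None
    vfw = VFW(vswitch)
    vfw.configure("192.168.0.1", "192.168.2.2", now=0)
    flow = {"Src_IP": "192.168.0.1", "Dest_IP": "192.168.2.2"}
    other = {"Src_IP": "192.168.0.9", "Dest_IP": "192.168.2.2"}
    results = [
        deliver(vswitch, vfw, flow, now=1),   # first packet goes through the VFW and is allowed
        deliver(vswitch, vfw, flow, now=2),   # later packet hits the Pri 200 item: straight to target VM
        deliver(vswitch, vfw, other, now=3),  # no policy for this pair: ordinary switching
        deliver(vswitch, vfw, flow, now=40),  # 30 s idle aging expired: back through the VFW
    ]
    vfw.remove("192.168.0.1", "192.168.2.2", now=41)
    results.append(deliver(vswitch, vfw, flow, now=42))  # policy deleted: ordinary switching
    return results


if __name__ == "__main__":
    print(simulate())
```

The priority rule is what makes the offload safe to add without touching the original item: both items stay in the table, the Pri 200 item wins while the flow is active, and when it ages out the Pri 100 item silently takes over again, so the next packet is inspected by the VFW without any further signalling.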
- procedures at blocks 703-705 may be performed at the same time, or may be performed in sequence. Procedures at blocks 703-705 may be performed as illustrated in FIG. 2B or in another sequence. For example, the procedures at block 705 may be performed first, then the procedures at block 704, and the procedures at block 703 last, which is not limited according to the examples of the present disclosure.
- the security policy configured for the VFW and the flow directing policy established in the vSwitch are not limited to the examples above.
- the flow directing may be performed in the following ways.
- the flow direction is performed based on a source VM MAC address and a target VM MAC address, or the flow direction is performed based on a source VM id and a target VM id.
- the flow direction is performed based on the source VM MAC address, or the flow direction is performed based on a target VM IP address, or the flow direction is performed based on the target VM id.
- the VFW established in a physical server may perform security processing for a flow from a VM outside the physical server.
- the VFW may perform security processing for a flow from a VM inside the physical server.
- the VFW may be configured to reject the flow from the VM outside the physical server.
- the security policy may be configured that the source IP address and the target IP address in the security policy correspond to VMs inside the physical server, and the flow inside the physical server is processed through the VFW.
- the VM may migrate among different physical servers. After the VM migrates, a flow security interaction may be implemented.
- VFW1 is established in the physical server 1
- the VM 2 migrates to the physical server 2
- the VFW2 is established in the physical server 2.
- a security policy configured for VFW2 is same as that configured for VFW1.
- a flow from VM 1 passes through the VFW1 and the VFW2 in sequence to the VM 2 so as to implement security protection after the VM migrates.
- the security policy corresponding to the VM 2 is deleted from the physical server 1.
- a flow from the VM 1 in the physical server 1 passes through the physical firewall outside the physical server 1 to the VM 2 in the physical server 2.
- security protection after the VM migrates is performed.
- FIG. 3 is a schematic diagram illustrating a structure of an apparatus for forwarding packet applying to a VFW according to an example of the present disclosure.
- the apparatus includes a notification module 301 and a processing module 302.
- the modules may be implemented by hardware.
- the hardware may include hardware logic circuitry such as an application specific integrated chip (ASIC) or field programmable gate array (FPGA) or a general purpose processor such as a central processing unit (CPU) for executing instructions.
- the notification module 301 is to notify a vSwitch to establish a flow directing policy according to a security policy configured for the VFW, wherein the vSwitch directs a received packet matching the flow directing policy to the VFW according to the flow directing policy.
- the processing module 302 is to perform security processing for the packet according to the security policy when receiving the packet forwarded from the vSwitch, and forward the processed packet satisfying the security policy to a target VM, wherein the VFW and the vSwitch are established in a same physical machine based on a virtual platform.
- when the security policy is changed, the notification module 301 is to notify the vSwitch to update the flow directing policy according to the changed security policy.
- the updating includes deleting, adding and modifying.
- the notification module 301 is to generate the flow directing policy according to the security policy, and transmit a message carrying the flow directing policy to the virtual switch.
- the vSwitch may store the flow directing policy in a flow table.
- a flow table item may include a matching field, a priority, a matching action, aging time and a matching count etc.
- the notification module 301 is to notify the vSwitch to add a new flow directing policy matching the packet, wherein a priority of the new flow directing policy is higher than a priority of the flow directing policy matching the packet, the vSwitch forwards a received packet belonging to a same flow with the packet to the target VM according to the new flow directing policy.
- the vSwitch deletes the new flow directing policy when the aging time expires.
- FIG. 4A is a schematic diagram illustrating a structure of an apparatus for forwarding packet applying to a vSwitch according to an example of the present disclosure.
- the apparatus shown in FIG. 4A includes a comparing module 401 and a directing module 402.
- the modules may be implemented by hardware.
- the hardware may include hardware logic circuitry such as an application specific integrated chip (ASIC) or field programmable gate array (FPGA) or a general purpose processor such as a central processing unit (CPU) for executing instructions.
- the comparing module 401 is to establish a flow directing policy when receiving a notification transmitted from a VFW based on a security policy configured for the VFW, and, when receiving a packet transmitted from a source VM, to compare the packet with the flow directing policy.
- the directing module 402 is to direct the packet to the VFW according to the flow directing policy when determining that the packet matches the flow directing policy, so that the VFW performs security processing for the packet, wherein the VFW and the vSwitch are established in a same physical machine based on a virtual platform.
- the apparatus further includes an adding module 403.
- the adding module 403 is to, when the notification comprises the flow directing policy, add an item corresponding to the flow directing policy into a flow table, wherein the item in the flow table comprises a matching field, a priority, a matching action and a matching count.
- the apparatus further includes a receiving module 404.
- the receiving module 404 is to receive a notification of adding a new flow directing policy transmitted from the VFW, wherein the new flow directing policy matches the packet, a priority of the new flow directing policy is higher than a priority of the flow directing policy matching the packet.
- the adding module 403 is further to add an item corresponding to the new flow directing policy into the flow table according to the notification of adding the new flow directing policy.
- the directing module 402 is further to forward a received packet belonging to a same flow with the packet to a target VM according to the new flow directing policy.
- FIG. 5 is a schematic diagram illustrating a structure of an apparatus for forwarding packet applying to a virtual firewall according to an example of the present disclosure.
- the apparatus includes a non-transitory machine readable storage medium, e.g., a memory 501 and a processor 502.
- the processor 502 may execute machine readable instructions stored in the memory 501.
- the instructions include a notification instruction 5011 and a processing instruction 5012.
- the notification instruction 5011 is to notify a vSwitch to establish a flow directing policy according to a security policy configured for the VFW, wherein the vSwitch directs a received packet matching the flow directing policy to the VFW according to the flow directing policy.
- the processing instruction 5012 is to perform security processing for the packet according to the security policy when receiving the packet forwarded from the vSwitch, and forward the processed packet satisfying the security policy to a target VM, wherein the VFW and the vSwitch are established in a same physical machine based on a virtual platform.
- the notification instruction 5011 is further to, when the security policy is changed, notify the vSwitch to update the flow directing policy according to the changed security policy.
- the notification instruction 5011 is to generate the flow directing policy according to the security policy, and transmit a message carrying the flow directing policy to the virtual switch.
- the notification instruction 5011 is to, when the VFW determines that the processed packet satisfies the security policy, notify the vSwitch to add a new flow directing policy matching the packet, wherein a priority of the new flow directing policy is higher than a priority of the flow directing policy matching the packet, and the vSwitch forwards a received packet belonging to the same flow as the packet to the target VM according to the new flow directing policy.
- the vSwitch deletes the new flow directing policy when the aging time expires.
- FIG. 6A is a schematic diagram illustrating a structure of an apparatus for forwarding packet applying to a virtual switch according to an example of the present disclosure.
- the apparatus includes a non-transitory machine readable storage medium, e.g., a memory 601 and a processor 602.
- the processor 602 may execute machine readable instructions stored in the memory 601.
- the instructions include a comparing instruction 6011 and a directing instruction 6012.
- the comparing instruction 6011 is to establish a flow directing policy when receiving a notification transmitted from a VFW based on a security policy configured for the VFW, and, when receiving a packet transmitted from a source VM, to compare the packet with the flow directing policy.
- the directing instruction 6012 is to direct the packet to the VFW according to the flow directing policy when determining that the packet matches the flow directing policy, so that the VFW performs security processing for the packet, wherein the VFW and the vSwitch are established in a same physical machine based on a virtual platform.
- the apparatus further includes an adding instruction 6013.
- the adding instruction 6013 is to, when the notification comprises the flow directing policy, add an item corresponding to the flow directing policy into a flow table, wherein the item in the flow table comprises a matching field, a priority, a matching action and a matching count.
- the apparatus further includes a receiving instruction 6014.
- the receiving instruction 6014 is to receive a notification of adding a new flow directing policy transmitted from the VFW, wherein the new flow directing policy matches the packet, a priority of the new flow directing policy is higher than a priority of the flow directing policy matching the packet.
- the adding instruction 6013 is further to add an item corresponding to the new flow directing policy into the flow table according to the notification of adding the new flow directing policy.
- the directing instruction 6012 is further to forward a received packet belonging to a same flow with the packet to a target VM according to the new flow directing policy.
- the VFW can perform protection for a flow among the VMs inside the server, so that the flow does not have to be forwarded to the external physical switch for processing, which avoids consuming resources of the server and the physical switch. Further, the flow directing policy can be dynamically adjusted, so both security and processing efficiency can be improved.
- the above examples can be implemented by hardware, software or firmware or a combination thereof.
- the various methods, processes and functional modules described herein may be implemented by a processor (the term processor is to be interpreted broadly to include a CPU, processing unit, ASIC, logic unit, or programmable gate array etc.).
- the processes, methods and functional modules may all be performed by a single processor or split between several processors; reference in this disclosure or the claims to a 'processor' should thus be interpreted to mean 'one or more processors'.
- the processes, methods and functional modules can be implemented as machine readable instructions executable by one or more processors, hardware logic circuitry of the one or more processors or a combination thereof. Further the teachings herein may be implemented in the form of a software product.
- the computer software product is stored in a storage medium and comprises a plurality of instructions for making a computer device (which can be a personal computer, a server or a network device such as a router, switch, access point etc. ) implement the method recited in the examples of the present disclosure.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
A virtual firewall (VFW) notifies a virtual switch (vSwitch) to establish a flow directing policy according to a security policy configured for the VFW. The vSwitch directs a received packet matching the flow directing policy to the VFW according to the flow directing policy. When receiving the packet forwarded from the vSwitch, the VFW performs security processing for the packet according to the security policy, and forwards the processed packet satisfying the security policy to a target virtual machine (VM). The VFW and the vSwitch are established in a same physical machine based on a virtual platform.
Description
With rapid development of Cloud Computing Technology, a virtual data center can store a huge amount of data. Thus, the security of the virtual data center becomes more and more important. A traditional firewall device can implement security protection and service separation for flows in a network.
FIG. 1 is a schematic diagram illustrating a deployment model based on KVM (Kernel-based Virtual Machine) according to an example of the present disclosure;
FIG. 2A is a flowchart illustrating a method for forwarding packet according to an example of the present disclosure;
FIG. 2B is a flowchart illustrating a method for forwarding packet according to an example of the present disclosure;
FIG. 3 is a schematic diagram illustrating a structure of an apparatus for forwarding packet applying to a virtual firewall according to an example of the present disclosure;
FIG. 4A is a schematic diagram illustrating a structure of an apparatus for forwarding packet applying to a virtual switch according to an example of the present disclosure;
FIG. 4B is a schematic diagram illustrating a structure of an apparatus for forwarding packet applying to a virtual switch according to an example of the present disclosure;
FIG. 5 is a schematic diagram illustrating a structure of an apparatus for forwarding packet applying to a virtual firewall according to an example of the present disclosure;
FIG. 6A is a schematic diagram illustrating a structure of an apparatus for forwarding packet applying to a virtual switch according to an example of the present disclosure;
FIG. 6B is a schematic diagram illustrating a structure of an apparatus for forwarding packet applying to a virtual switch according to an example of the present disclosure.
In a virtual environment, flows among virtual machines (VM) in a same physical server may exist inside the server. However, the physical firewall is outside the server. Such inter-VM flows are not transmitted to the physical firewall outside the server. And thus the physical firewall cannot implement security protection for the flows among the virtual machines.
One approach to overcome this and implement security protection is to direct flows between VMs to a designated security device, such as a physical firewall, outside the server. The flow may be directed through a physical switch between the physical server and the physical security device. The security device performs security processing for the flow, e.g., filtering and protection. However, with this approach, since the flow inside the server is directed to the security device outside the server, the flow processing load is increased, and the performance of the server and of the switch is impacted. Further, an external access switch, i.e., a designated physical switch, is needed to direct the inter-VM flows to the physical firewall.
According to an example of the present disclosure, e.g., in a server, a virtual firewall (VFW) is established based on a virtual platform. The virtual firewall may be a designated virtual machine that runs on a virtual platform, and may have the same security protection function as a traditional physical firewall. When security protection for a flow among virtual machines of a server is in demand, an administrator may configure a security policy corresponding to the flow on the VFW. The VFW may automatically configure a flow directing policy in a virtual switch (vSwitch). The flow directing policy is stored in the vSwitch in a flow table format. The vSwitch may match a flow against the content of the flow table. The flow from a designated VM is directed to the VFW. The VFW performs security protection processing for the flow among the VMs. The flow processed by the VFW returns to the vSwitch to be forwarded. In the virtual environment, the VFW can perform protection for the flow among the VMs inside the server, so as to avoid that the flow is forwarded to an external physical switch to be processed, and further to avoid resource consumption of the server and the physical switch.
The virtual platform above may include VMware, Xen, Kernel-based Virtual Machine (KVM), etc. In an example, the implementation is based on KVM: the VM, the VFW and the vSwitch are established based on KVM.
FIG. 1 is a schematic diagram illustrating a deployment model based on KVM according to an example of the present disclosure. As shown in FIG. 1, a vSwitch 13, a VM 11_1, a VM 11_2, a VM 11_3 and a VFW 12 are established on a physical server 15 by a KVM virtual software management program (referred to as Hypervisor 14) running on the physical server. The vSwitch connects the VMs to each other, and flows between the VMs may be routed through the vSwitch, which may forward flows in accordance with a flow table of the vSwitch. Each VM has the functions of a traditional computing device, the vSwitch 13 has the functions of a traditional switch, and the VFW 12 has the functions of a traditional firewall. The VFW 12 may be deemed a VM. The VFW is created by establishing a virtual network card based on KVM and connecting its virtual port to the vSwitch 13. In a practical application, various virtual devices may be established as needed based on the virtual platform.
In the example, the VFW 12 and a physical firewall may have the same functions, such as attack protection and network separation. According to the functions provided, a user, e.g., an administrator, may configure a security policy. As the flow direction in FIG. 1 shows, after a flow from a source VM 11_1 inside the physical server 15 is directed to the vSwitch 13, the flow is further directed to the VFW 12. After the security protection is performed for the flow in the VFW 12, the flow returns to the vSwitch 13, and then the vSwitch 13 directs the flow to a target VM 11_3 inside the physical server 15. The source VM 11_1 and the target VM 11_3 may be located in the same physical server 15. The security policy is performed by the VFW 12 inside the physical server 15 for the flow between the source VM 11_1 and the target VM 11_3. Thus the flow between the source VM 11_1 and the target VM 11_3 does not need to pass through a physical firewall outside the physical server 15 for security protection.
A method for forwarding a packet is provided based on the example in FIG. 1. As illustrated in FIG. 2A, the method includes the following procedures.
At block 21, according to a security policy configured for a VFW, the VFW notifies a vSwitch to establish a flow directing policy corresponding to the security policy. According to the flow directing policy, the vSwitch directs a packet that is received from a source VM and which matches the flow directing policy to the VFW. That is, the vSwitch checks whether a received flow matches a flow directing policy and, in response to determining that the received flow matches the flow directing policy, the vSwitch directs the flow to the VFW.
The VFW and the vSwitch may be established in a same physical machine based on a virtual platform. A flow directing policy is used to direct a flow to a designated apparatus based on MAC address, IP address, etc., carried by the flow.
An administrator may configure a security policy for the VFW via a VFW manager. The security policy may include security processing, e.g., access control and security protection. The security protection may include filtering whether a flow includes a flooding attack. The access control in the VFW may support dividing apparatuses into different security domains based on information such as VM identifiers, IP addresses, MAC addresses and host computer names. Flows among the security domains may be protected by configuring a policy among the security domains. For example, VMs that are in the same network segment and process the same service are set in the same security domain. Thus, a VM may transmit a flow to (or receive a flow from) another VM in the same security domain. A VM may not transmit a flow to (or receive a flow from) another VM in a different security domain; there may be a limitation for a flow between VMs in different security domains. After the security policy configuration is completed for the VFW, the VFW knows the flows for which security protection is to be performed. Further, a flow directing policy is configured for the vSwitch, so that the vSwitch may direct the flow which matches the flow directing policy to the VFW for processing.
In an example, there are some VMs in the server. The VMs may be divided into a WEB server, an APP server, a database server, etc. When the VFW divides the apparatuses into security domains based on IP addresses, the security policy for access control may be configured as follows. A flow from the WEB server to the APP server may be allowed to pass through the VFW, i.e., a flow from a source IP address (the WEB server) to a target IP address (the APP server) may be allowed to pass through the VFW.
After the user configures the security policy for the VFW, according to the content to be protected in the security policy (i.e., the flow for which security protection is to be performed), the VFW notifies the vSwitch to establish a flow directing policy corresponding to the security policy, so that the vSwitch directs the flow which needs to be protected into the VFW. In an example, at block 701 in FIG. 2B, according to the security policy, the VFW generates the flow directing policy. At block 702 in FIG. 2B, the VFW transmits a message carrying the flow directing policy to the vSwitch, and notifies the vSwitch to establish the flow directing policy. In an example, the message format may be JavaScript Object Notation (JSON), with content as follows.
{
    "Version": "1.0",
    "Type": 1,
    "Src_IP": "192.168.0.1",
    "Src_Name": "src-vm",
    "Dest_IP": "192.168.2.2",
    "Dest_Name": "dest-vm",
    "Src_MAC": "11-22-33-cc-dd-ee",
    "Dest_MAC": "11-22-33-cc-dd-ff",
    "Vlan": 500,
    "In_port": "eth0/0",
    "Protocol": "tcp",
    "Src_port": 8080,
    "Dest_port": 443,
    "Pri": 100,
    "Action": "vfw",
    "Aging": 20
}
In the message, Version is a version number, the value of which may be set as 1.0 or 1.1 in an example;
Type is the message type, the value of which may be set as 1, 2 or 3 in an example: the value 1 may indicate adding a flow directing policy, the value 2 may indicate modifying a flow directing policy, and the value 3 may indicate deleting a flow directing policy;
Src_IP is the IP address of the source VM;
Src_Name is the source VM name or source VM identifier (id);
Dest_IP is the IP address of the target VM;
Dest_Name is the target VM name or target VM id;
Src_MAC is the MAC address information of the source VM, the format of which is "xx-xx-xx-xx-xx-xx" in an example;
Dest_MAC is the MAC address information of the target VM, the format of which is "xx-xx-xx-xx-xx-xx" in an example;
Vlan is the VLAN id to which the VM belongs;
In_port is the interface via which the VM is connected to the vSwitch;
Protocol is the protocol name;
Src_port is the protocol source port;
Dest_port is the protocol target port;
Pri is the priority of the policy; when a received packet matches several policies, the packet is processed according to the policy with the highest priority among them;
Action is the action performed after the packet matches the policy; the value "vfw" represents the port on the VFW to which the flow is forwarded;
Aging is the aging time; when the time during which no flow matches the policy is longer than the aging time, the policy is automatically deleted.
As shown in FIG. 2B, at block 703, after receiving the message carrying the flow directing policy, the vSwitch may store the flow directing policy in a flow table. The vSwitch adds an item corresponding to the flow directing policy into a flow table. A flow table item may include a matching field, a priority, a matching action, aging time and a matching count etc. In an example, for a flow directing policy of directing the flow to the VFW, the aging time may be set as null. The flow table is illustrated as Table 1.
Table 1
The flow directing policy corresponds to the security policy configured for the VFW, and is carried in the message to be transmitted to the vSwitch. The flow to be protected according to the security policy is represented in the flow directing policy, so that the vSwitch can direct the flow to the VFW based on the flow directing policy, and the VFW performs security processing for the flow. Each flow to be protected may be represented as an item in a flow table. Each item in the flow table may represent a flow or a category of flows.
In an example, in a security policy, security protection is performed for a flow transmitted to a designated VM, or for a flow between two VMs. For example, the flow is prohibited from being transmitted, or protocol inspection is performed when transmitting the flow. A flow directing policy corresponding to the security policy is configured for the flow transmitted to the designated VM or the flow between the two VMs, so that after receiving a flow, the vSwitch may confirm that the flow and an item in the flow table match, and may direct the flow to the VFW. After the user configures the security policy for the VFW, the VFW may know whether security protection is in demand for a flow between two VMs. For the flow for which security protection is to be performed, the VFW may generate a flow directing policy and notify the vSwitch of it, so that the flow is directed to the VFW to perform the security protection.
In an example, in the security policy configured by the user, security protection is performed for a flow from a VM with the IP address 192.168.0.1 to a VM with the IP address 192.168.2.2, and the flow is allowed to pass through the VFW. A flow directing policy corresponding to the flow is established, and an item is set in the flow table as follows. The matching field has Src_IP set as 192.168.0.1 and Dest_IP set as 192.168.2.2, Pri is set as 100, and Action is set as forwarding the packet to the port on the VFW. Thus, after receiving a packet with the source IP address 192.168.0.1 and the target IP address 192.168.2.2, the vSwitch compares the packet with the items in the flow table. When the packet and the item in the flow table match, according to the Action of the item, the packet is forwarded to the port on the VFW, so that the flow to be protected is directed to the VFW. The port on the VFW may be set as a designated category, i.e., a port profile "VFW" is added to the virtual network card of the VFW, so that the port number of the VFW does not matter and the VM can migrate among different servers.
In another example, it is assumed that in the security policy configured for the VFW by the user, VM1, VM2 and VM3 are configured as a security domain. Security protection is performed for a flow transmitted from another VM outside the security domain to a VM in the security domain. A flow directing policy corresponding to the security policy is generated. An item in the flow table is generated for a flow transmitted from a VM outside the security domain to any of VM1, VM2 and VM3. Thus, when receiving a packet, the vSwitch may compare the packet with the items in the flow table. When confirming that the packet and an item match, the vSwitch directs the flow to the VFW.
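The following is an added example, not code from the patent or from any vendor's VFW, that models the VFW side of blocks 701 and 702 for the two security policy shapes above: a security policy expressed as security domains (sets of VM IP addresses) plus inter-domain access control rules, the generation of the JSON flow directing policy messages for the flows to be protected (one item per source/target VM pair, or a target-IP-only item for flows from any VM outside a domain), and the security processing applied to a packet that the vSwitch has directed to the VFW. The domain names, the "permit"/"deny" rule encoding, the default deny for domain pairs without a rule, and the per-source packet-rate check standing in for flooding attack filtering are all assumptions made for this example.

```python
import json
from collections import defaultdict, deque

VERSION = "1.0"
TYPE_ADD = 1                      # message Type values from the page: 1 add, 2 modify, 3 delete
PERMIT, DENY = "permit", "deny"   # assumed encoding of an inter-domain access control rule


def policy_message(match: dict, action: str = "vfw", pri: int = 100, aging=None) -> str:
    """Build one flow directing policy message in the page's JSON format.

    `match` holds the matching-field keys (Src_IP, Dest_IP, ...). Aging is left out for
    items that direct traffic to the VFW, which the page says should never age out."""
    msg = {"Version": VERSION, "Type": TYPE_ADD, **match, "Pri": pri, "Action": action}
    if aging is not None:
        msg["Aging"] = aging
    return json.dumps(msg)


class VirtualFirewall:
    """Security policy = security domains (name -> VM IPs) plus ordered inter-domain rules."""

    def __init__(self, domains: dict, rules: list, flood_threshold: int = 100):
        self.domains = {name: set(ips) for name, ips in domains.items()}
        self.rules = list(rules)                # (src_domain or "any", dest_domain, PERMIT|DENY)
        self.flood_threshold = flood_threshold  # assumed: packets per second per source before dropping
        self.recent = defaultdict(deque)        # src_ip -> arrival times within the last second

    def domain_of(self, ip: str):
        return next((name for name, ips in self.domains.items() if ip in ips), None)

    def flow_directing_policies(self) -> list:
        """Block 701: one vSwitch item per flow the security policy protects.

        Flows inside one security domain are exchanged freely and get no item. A rule
        whose source is "any" (flows from outside the domain) directs on Dest_IP alone."""
        msgs = []
        for src_dom, dest_dom, _verdict in self.rules:
            for dest in sorted(self.domains[dest_dom]):
                if src_dom == "any":
                    msgs.append(policy_message({"Dest_IP": dest}))
                else:
                    for src in sorted(self.domains[src_dom]):
                        msgs.append(policy_message({"Src_IP": src, "Dest_IP": dest}))
        return msgs

    def rule_for(self, src_ip: str, dest_ip: str) -> str:
        """Access control: same domain permits, first matching rule decides, otherwise deny."""
        src_dom, dest_dom = self.domain_of(src_ip), self.domain_of(dest_ip)
        if src_dom is not None and src_dom == dest_dom:
            return PERMIT
        for rule_src, rule_dest, verdict in self.rules:
            if rule_dest == dest_dom and rule_src in ("any", src_dom):
                return verdict
        return DENY

    def inspect(self, packet: dict, now: float) -> bool:
        """Block 22: security processing for a directed packet. True = forward to the target VM."""
        if self.rule_for(packet["Src_IP"], packet["Dest_IP"]) == DENY:
            return False
        # Security protection: drop once one source exceeds its per-second packet budget.
        window = self.recent[packet["Src_IP"]]
        window.append(now)
        while window and now - window[0] > 1.0:
            window.popleft()
        return len(window) <= self.flood_threshold


if __name__ == "__main__":
    # Constructed sample policy: WEB -> APP and APP -> DB permitted; nothing else crosses domains.
    vfw = VirtualFirewall(
        {"web": {"10.0.1.10"}, "app": {"10.0.2.10", "10.0.2.11"}, "db": {"10.0.3.10"}},
        [("web", "app", PERMIT), ("app", "db", PERMIT)],
    )
    for m in vfw.flow_directing_policies():
        print(m)
    print(vfw.inspect({"Src_IP": "10.0.1.10", "Dest_IP": "10.0.3.10"}, now=0.0))  # WEB -> DB: False
```

Note that only flows the policy names are ever directed to the VFW; a WEB -> DB packet is denied by rule_for, but it only reaches the VFW if some item (here the "any" form) directs it there, so the directing policy has to cover every flow the administrator expects the VFW to see.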
At block 22, when receiving a packet forwarded from the vSwitch, the VFW performs security processing for the packet according to the security policy configured for the VFW, and forwards the packet satisfying the security policy to a target VM via the vSwitch.
As illustrated at block 21, after the packet from the source IP address 192.168.0.1 to the target IP address 192.168.2.2 is directed to the VFW, when the VFW confirms according to the security policy that the packet is not an attack packet (the flow from the source IP address 192.168.0.1 to the target IP address 192.168.2.2 is allowed to pass through the VFW), the packet is allowed to pass through the VFW and is transmitted to the vSwitch, and the vSwitch forwards the packet to the target VM.
It can be seen from the above that, in the method, the source VM and the target VM may be located in the same physical server. For example, the VFW is established inside the physical server. The VFW performs the security protection for the flow transmitted from the source VM, and forwards the flow to the target VM in the same physical server, so as to implement security protection for the flow among VMs inside the same physical server.
A flow to be protected is directed to the VFW. The VFW performs the security processing for the flow. The VFW confirms whether the flow satisfies the security policy such as access control and security protection. The VFW forwards the packet satisfying the security policy to the target VM, and discards the packet not satisfying the security policy.
As illustrated at block 704 in FIG. 2B, when the security policy of the VFW is changed, the VFW may notify the vSwitch to update the flow directing policy corresponding to the security policy. The updating processing may include deleting, adding and modifying. When the user configures a new security policy or changes the previous security policy for the VFW, a new flow directing policy is generated to replace the previous flow directing policy. The VFW may notify the vSwitch to delete, add or modify the flow directing policy. For example, when a new security policy is added to perform security protection for a flow between VM1 and VM2, a flow directing policy corresponding to the flow between VM1 and VM2 is generated, and the VFW may notify the vSwitch to add a new item in the flow table. When the new flow directing policy is to direct a flow to the VFW, aging time may not be set for the new flow directing policy, so that the flow directing policy is always valid. For another example, when security protection is no longer performed for the flow between VM1 and VM2, the security policy is deleted, the flow directing policy corresponding to the flow between VM1 and VM2 is deleted, and the VFW may notify the vSwitch to delete the item from the flow table.
As illustrated at block 705 in FIG. 2B, after the security processing is performed for the packet, when it is confirmed that the packet satisfies the security policy, the VFW may notify the vSwitch to add a new flow directing policy to directly forward the other packets of the same flow as the packet to the target VM, so that those packets are not forwarded to the VFW to be processed. Thus, the flows passing through the VFW are decreased, processing efficiency is improved, and flow security is ensured. For example, when the VFW confirms that the packet matches the security policy (the flow from the source IP address 192.168.0.1 to the target IP address 192.168.2.2 is allowed to pass through the VFW) and is not an attack packet, the packet is allowed to pass through the VFW. The VFW may notify the vSwitch to add a new flow directing policy corresponding to the flow to which the packet belongs. The content of the new item corresponding to the new flow directing policy in the flow table is as follows: the matching field has Src_IP 192.168.0.1 and Dest_IP 192.168.2.2, Pri is 200, and Action is to directly forward the packet to the target VM. The matching field of the new item is the same as that of the old item, and the Pri of the new item is higher than that of the old item. There are then two items corresponding to the flow in the flow table, i.e., the old item corresponding to the old flow directing policy matching the flow and the new item corresponding to the new flow directing policy matching the flow. For the new flow directing policy, the matching action is to directly forward a packet belonging to the same flow as the packet satisfying the security policy to the target address after it enters the vSwitch, without forwarding it to the VFW, and the priority of the new flow directing policy is higher than the priority of the old flow directing policy matching the flow to which the packet belongs.
According to the new flow directing policy, the vSwitch directly forwards a subsequently received packet belonging to a same flow as the packet satisfying the security policy to the target VM. Thus, processing efficiency is improved. As the matching action in the new flow directing policy is to forward a received packet to the target VM, the new flow directing policy may be a forwarding policy.
It should be noted that, in the condition that the VFW confirms that the processed packet satisfies the security policy, aging time is configured for the new flow directing policy, so that when the aging time expires after the flow to which the packet belongs finishes, the new flow directing policy is automatically deleted. After the directly forwarded flow finishes, according to the aging time configured in the new flow directing policy, the vSwitch may automatically delete the flow directing policy of directly forwarding the packet to the target VM. When a new flow then matches the old flow directing policy, the vSwitch may direct the flow to the port on the VFW. Through this dynamic adjustment, both security and processing efficiency can be improved. It can be seen that, in the condition that the VFW confirms that the processed packet satisfies the security policy, a new item corresponding to the new flow directing policy of forwarding the flow to the target VM is generated in the flow table. The aging time is not set for the old item corresponding to the old flow directing policy of directing the flow to the VFW, and is set for the new item. Thus, after the new item in the flow table ages out, according to the old flow directing policy, the vSwitch directs the flow to the port on the VFW that is configured in the old flow directing policy.
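As an added example (not the patent's or any product's vSwitch code) covering both the JSON message and flow table of blocks 702 and 703 and the dynamic adjustment of block 705, the following Python models the vSwitch side: it applies add, modify and delete messages to a flow table whose items carry a matching field, priority, matching action, aging time and matching count, picks the highest-priority matching item for each packet, and ages idle items out so that the flow falls back to the VFW-directing item. It generalizes the page's example in one respect: any matching-field key absent from an item is treated as a wildcard, which is how the MAC-only or target-IP-only directing variants mentioned later on the page would be expressed. Assumptions made for the example: a modify message replaces the item with the same matching field and priority; the action values are the strings "vfw" (the port on the VFW) and "vm" (forward directly to the target VM); and the caller supplies "now" as a timestamp in seconds.

```python
import json
from dataclasses import dataclass
from typing import Optional

TYPE_ADD, TYPE_MODIFY, TYPE_DELETE = 1, 2, 3   # message Type values from the page
# Message keys that form a flow-table item's matching field.
MATCH_KEYS = ("Src_IP", "Dest_IP", "Src_Name", "Dest_Name", "Src_MAC", "Dest_MAC",
              "Vlan", "In_port", "Protocol", "Src_port", "Dest_port")


@dataclass
class FlowItem:
    match: dict             # matching field; a key absent here is a wildcard (assumption)
    priority: int           # Pri
    action: str             # "vfw" = port on the VFW, "vm" = forward to the target VM
    aging: Optional[int]    # idle seconds before deletion; None = never ages out
    last_hit: float         # insertion time or time of the last matching packet
    count: int = 0          # matching count


class VSwitch:
    def __init__(self):
        self.table = []

    def handle_notification(self, message: str, now: float) -> None:
        """Blocks 703/704: apply one JSON flow directing policy message to the flow table."""
        msg = json.loads(message)
        match = {k: msg[k] for k in MATCH_KEYS if k in msg}
        if msg["Type"] in (TYPE_MODIFY, TYPE_DELETE):
            # Identify the existing item by its matching field and priority (assumption).
            self.table = [i for i in self.table
                          if not (i.match == match and i.priority == msg["Pri"])]
        if msg["Type"] in (TYPE_ADD, TYPE_MODIFY):
            self.table.append(FlowItem(match, msg["Pri"], msg["Action"], msg.get("Aging"), now))

    def expire(self, now: float) -> None:
        """Delete items whose idle time exceeds their aging time."""
        self.table = [i for i in self.table
                      if i.aging is None or now - i.last_hit <= i.aging]

    def forward(self, packet: dict, now: float) -> str:
        """Return the action for a packet: 'vfw', 'vm', or 'normal' when no item matches."""
        self.expire(now)
        hits = [i for i in self.table
                if all(packet.get(k) == v for k, v in i.match.items())]
        if not hits:
            return "normal"                          # no directing policy: ordinary switching
        best = max(hits, key=lambda i: i.priority)   # highest Pri wins
        best.count += 1
        best.last_hit = now
        return best.action


def run_scenario() -> list:
    """The page's worked flow, with constructed messages and packets; returns the decisions."""
    sw = VSwitch()
    direct = ('{"Version": "1.0", "Type": 1, "Src_IP": "192.168.0.1", '
              '"Dest_IP": "192.168.2.2", "Pri": 100, "Action": "vfw"}')
    fast_path = ('{"Version": "1.0", "Type": 1, "Src_IP": "192.168.0.1", '
                 '"Dest_IP": "192.168.2.2", "Pri": 200, "Action": "vm", "Aging": 20}')
    pkt = {"Src_IP": "192.168.0.1", "Dest_IP": "192.168.2.2",
           "Protocol": "tcp", "Dest_port": 443}
    sw.handle_notification(direct, now=0.0)
    out = [sw.forward(pkt, 1.0)]                 # first packet: directed to the VFW
    sw.handle_notification(fast_path, now=1.0)   # VFW approved it: Pri 200 item added
    out.append(sw.forward(pkt, 2.0))             # same flow: forwarded straight to the target VM
    out.append(sw.forward(pkt, 31.0))            # idle 29 s > 20 s: fast path aged out, back to VFW
    return out


if __name__ == "__main__":
    print(run_scenario())   # ['vfw', 'vm', 'vfw']
```

One point a deployment should settle before copying the page's example: the Pri 200 item there matches only Src_IP and Dest_IP, so while it is live every new connection between those two addresses, not just the inspected flow, bypasses the VFW until the aging time expires. The same matcher accepts Protocol, Src_port and Dest_port in the fast-path message, which confines the bypass to the one flow the VFW actually inspected.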
It should be noted that in FIG. 2B, procedures at blocks 703-705 may be performed at the same time, or may be performed in sequence. Procedures at blocks 703-705 may be performed as illustrated as FIG. 2B or may be performed in another sequence. For example, procedures at block 705 may be firstly performed, and then procedures at block 704 may be performed, and procedures at block 703 may be lastly performed, which is not limited according to examples of the present disclosure.
In addition, the security policy configured for the VFW and the flow directing policy established in the vSwitch are not limited to the examples above. Flow direction may be performed in the following ways.
The flow direction is performed based on a source VM MAC address and a target VM MAC address, or the flow direction is performed based on a source VM id and a target VM id.
Alternatively, the flow direction is performed based on the source VM MAC address, or the flow direction is performed based on a target VM IP address, or the flow direction is performed based on the target VM id.
The VFW established in a physical server may perform security processing for a flow from a VM outside the physical server. Alternatively, the VFW may perform security processing for a flow from a VM inside the physical server. In an example, in order to distinguish the flow from a VM outside the physical server from the flow from a VM inside the physical server, the VFW may be configured to reject the flow from the VM outside the physical server. In the VFW of the physical server, the security policy may be configured so that the source IP address and the target IP address in the security policy correspond to VMs inside the physical server, and the flow inside the physical server is processed through the VFW.
The VM may migrate among different physical servers. After the VM migrates, flow security interaction may still be implemented. In an example, it is assumed that VM 1 and VM 2 are initially located in the same physical server 1, in which VFW1 is established, and that VM 2 migrates to physical server 2, in which VFW2 is established. The security policy configured for VFW2 is the same as that configured for VFW1. Thus, a flow from VM 1 passes through VFW1 and VFW2 in sequence to VM 2, so as to implement security protection after the VM migrates. In another example, as VM 2 migrates from physical server 1 to physical server 2, the security policy corresponding to VM 2 is deleted from physical server 1. A flow from VM 1 in physical server 1 passes through the physical firewall outside physical server 1 to VM 2 in physical server 2. Thus, security protection after the VM migrates is performed.
An apparatus for forwarding a packet is provided according to an example of the present disclosure. FIG. 3 is a schematic diagram illustrating a structure of an apparatus for forwarding a packet applying to a VFW according to an example of the present disclosure. The apparatus includes a notification module 301 and a processing module 302. The modules may be implemented by hardware. The hardware may include hardware logic circuitry such as an application specific integrated circuit (ASIC) or field programmable gate array (FPGA), or a general purpose processor such as a central processing unit (CPU) for executing instructions.
The notification module 301 is to notify a vSwitch to establish a flow directing policy according to a security policy configured for the VFW, wherein the vSwitch directs a received packet matching the flow directing policy to the VFW according to the flow directing policy.
The processing module 302 is to perform security processing for the packet according to the security policy when receiving the packet forwarded from the vSwitch, and forward the processed packet satisfying the security policy to a target VM, wherein the VFW and the vSwitch are established in a same physical machine based on a virtual platform.
In the apparatus shown in FIG. 3, when the security policy is changed, the notification module 301 is to notify the vSwitch to update the flow directing policy according to the changed security policy. The updating includes deleting, adding and modifying.
The notification module 301 is to generate the flow directing policy according to the security policy, transmit a message carrying the flow directing policy to the virtual switch. The vSwitch may store the flow directing policy in a flow table. A flow table item may include a matching field, a priority, a matching action, aging time and a matching count etc.
When the VFW determines that the processed packet satisfies the security policy, the notification module 301 is to notify the vSwitch to add a new flow directing policy matching the packet, wherein a priority of the new flow directing policy is higher than a priority of the flow directing policy matching the packet, and the vSwitch forwards a received packet belonging to the same flow as the packet to the target VM according to the new flow directing policy.
Aging time is set for the new flow directing policy. The vSwitch deletes the new flow directing policy when the aging time expires.
An apparatus for forwarding a packet is provided according to an example of the present disclosure. FIG. 4A is a schematic diagram illustrating a structure of an apparatus for forwarding a packet applying to a vSwitch according to an example of the present disclosure. The apparatus shown in FIG. 4A includes a comparing module 401 and a directing module 402. The modules may be implemented by hardware. The hardware may include hardware logic circuitry such as an application specific integrated circuit (ASIC) or field programmable gate array (FPGA), or a general purpose processor such as a central processing unit (CPU) for executing instructions.
The comparing module 401 is to establish a flow directing policy when receiving a notification transmitted from a VFW based on a security policy configured for the VFW and, when receiving a packet transmitted from a source VM, to compare the packet with the flow directing policy.
The directing module 402 is to direct the packet to the VFW according to the flow directing policy when determining that the packet matches the flow directing policy, so that the VFW performs security processing for the packet, wherein the VFW and the vSwitch are established in a same physical machine based on a virtual platform.
In an example, as shown in FIG. 4B, the apparatus further includes an adding module 403. The adding module 403 is to add, when the notification comprises the flow directing policy, an item corresponding to the flow directing policy into a flow table, wherein the item in the flow table comprises a matching field, a priority, a matching action and a matching count.
In an example, as shown in FIG. 4B, the apparatus further includes a receiving module 404. The receiving module 404 is to receive a notification of adding a new flow directing policy transmitted from the VFW, wherein the new flow directing policy matches the packet, and a priority of the new flow directing policy is higher than a priority of the flow directing policy matching the packet.
The adding module 403 is further to add an item corresponding to the new flow directing policy into the flow table according to the notification of adding the new flow directing policy.
The directing module 402 is further to forward a received packet belonging to the same flow as the packet to a target VM according to the new flow directing policy.
FIG. 5 is a schematic diagram illustrating a structure of an apparatus for forwarding packet applying to a virtual firewall according to an example of the present disclosure. The apparatus includes a non-transitory machine readable storage medium, e.g., a memory 501 and a processor 502. The processor 502 may execute machine readable instructions stored in the memory 501. The instructions include a notification instruction 5011 and a processing instruction 5012.
The notification instruction 5011 is to notify a vSwitch to establish a flow directing policy according to a security policy configured for the VFW, wherein the vSwitch directs a received packet matching the flow directing policy to the VFW according to the flow directing policy.
The processing instruction 5012 is to perform security processing for the packet according to the security policy when receiving the packet forwarded from the vSwitch, and forward the processed packet satisfying the security policy to a target VM, wherein the VFW and the vSwitch are established in a same physical machine based on a virtual platform.
In the apparatus shown in FIG. 5, the notification instruction 5011 is further to notify the vSwitch, when the security policy is changed, to update the flow directing policy according to the changed security policy.
The notification instruction 5011 is to generate the flow directing policy according to the security policy and transmit a message carrying the flow directing policy to the virtual switch.
The notification instruction 5011 is to, when the VFW determines that the processed packet satisfies the security policy, notify the vSwitch to add a new flow directing policy matching the packet, wherein a priority of the new flow directing policy is higher than a priority of the flow directing policy matching the packet, such that the vSwitch forwards a subsequently received packet belonging to the same flow as the packet to the target VM according to the new flow directing policy.
An aging time is set for the new flow directing policy; the vSwitch deletes the new flow directing policy when the aging time expires.
FIG. 6A is a schematic diagram illustrating a structure of an apparatus for forwarding a packet, applied to a virtual switch, according to an example of the present disclosure. The apparatus includes a non-transitory machine readable storage medium, e.g., a memory 601, and a processor 602. The processor 602 may execute machine readable instructions stored in the memory 601. The instructions include a comparing instruction 6011 and a directing instruction 6012.
The comparing instruction 6011 is to establish a flow directing policy when receiving a notification transmitted from a VFW based on a security policy configured for the VFW, and, when receiving a packet transmitted from a source VM, to compare the packet with the flow directing policy.
The directing instruction 6012 is to direct the packet to the VFW according to the flow directing policy when determining that the packet matches the flow directing policy, so that the VFW performs security processing for the packet, wherein the VFW and the vSwitch are established in a same physical machine based on a virtual platform.
In an example, as shown in FIG. 6B, the apparatus further includes an adding instruction 6013. The adding instruction 6013 is to add an item corresponding to the flow directing policy into a flow table when the notification comprises the flow directing policy, wherein the item in the flow table comprises a matching field, a priority, a matching action and a matching count.
In an example, as shown in FIG. 6B, the apparatus further includes a receiving instruction 6014. The receiving instruction 6014 is to receive a notification of adding a new flow directing policy transmitted from the VFW, wherein the new flow directing policy matches the packet and a priority of the new flow directing policy is higher than a priority of the flow directing policy matching the packet.
The adding instruction 6013 is further to add an item corresponding to the new flow directing policy into the flow table according to the notification of adding the new flow directing policy.
The directing instruction 6012 is further to forward a received packet belonging to the same flow as the packet to a target VM according to the new flow directing policy.
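As an added illustration, not code from the patent, the following Python model simulates the vSwitch flow table and the VFW interaction described for FIG. 5 and FIG. 6: the VFW installs a flow directing policy, a permitted packet installs a higher-priority exact-match item with an aging time so later packets of that flow bypass the VFW, aged-out items are deleted, and a security policy change re-notifies the vSwitch. The dictionary-based packets, the 5-tuple matching field, the priority values 10 and 20, the 30-second aging time and the flushing of fast-path items on a policy change are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class FlowItem:
    """Flow-table item: matching field, priority, matching action and matching count."""
    match: Dict[str, object]            # header fields that must be equal; absent fields match anything
    priority: int
    action: str                         # "to_vfw" (steer to the VFW) or "to_vm" (send to the target VM)
    count: int = 0
    aging_time: Optional[float] = None  # seconds; None means the item never ages out
    installed_at: float = 0.0
    def matches(self, pkt: dict) -> bool:
        return all(pkt.get(k) == v for k, v in self.match.items())


class VSwitch:
    """Highest-priority matching item wins; aged-out items are deleted before each lookup."""
    def __init__(self) -> None:
        self.table: List[FlowItem] = []
    def add_item(self, item: FlowItem, now: float) -> None:
        item.installed_at = now
        self.table.append(item)
        self.table.sort(key=lambda i: i.priority, reverse=True)
    def lookup(self, pkt: dict, now: float) -> Optional[FlowItem]:
        self.table = [i for i in self.table if i.aging_time is None or now - i.installed_at < i.aging_time]
        for item in self.table:
            if item.matches(pkt):
                item.count += 1
                return item
        return None


class VFW:
    """Security policy modelled as a set of allowed (dst_ip, proto, dst_port); everything else is denied."""
    def __init__(self, vs: VSwitch, protected_vm: str, allowed: Set[Tuple], bypass_aging: float) -> None:
        self.vs, self.protected_vm, self.allowed, self.bypass_aging = vs, protected_vm, set(allowed), bypass_aging
    def notify_flow_directing_policy(self, now: float) -> None:
        """Flow directing policy derived from the security policy: all traffic to the protected VM goes to the VFW."""
        self.vs.add_item(FlowItem({"dst_ip": self.protected_vm}, priority=10, action="to_vfw"), now)
    def change_security_policy(self, allowed: Set[Tuple], now: float) -> None:
        """Re-notify the vSwitch; flushing the fast-path items too is an assumption added here, so a flow
        permitted under the old policy cannot keep bypassing the VFW until its aging time expires."""
        self.allowed, self.vs.table = set(allowed), []
        self.notify_flow_directing_policy(now)
    def process(self, pkt: dict, now: float) -> bool:
        """Security processing; a permitted packet installs a higher-priority exact-match item with an aging time."""
        if (pkt["dst_ip"], pkt["proto"], pkt["dst_port"]) not in self.allowed:
            return False
        five_tuple = {k: pkt[k] for k in ("src_ip", "src_port", "dst_ip", "dst_port", "proto")}
        self.vs.add_item(FlowItem(five_tuple, priority=20, action="to_vm", aging_time=self.bypass_aging), now)
        return True


def forward(vs: VSwitch, vfw: VFW, pkt: dict, now: float) -> str:
    """Path taken by one packet: 'direct', 'vfw-allow' or 'vfw-drop'."""
    item = vs.lookup(pkt, now)
    if item is None or item.action == "to_vm":
        return "direct"
    return "vfw-allow" if vfw.process(pkt, now) else "vfw-drop"


def demo() -> List[str]:
    """Constructed traffic: VM 10.0.0.1 talks to protected VM 10.0.0.2, where only TCP/443 is allowed."""
    vs = VSwitch()
    vfw = VFW(vs, "10.0.0.2", {("10.0.0.2", "tcp", 443)}, bypass_aging=30.0)
    vfw.notify_flow_directing_policy(now=0.0)
    https = {"src_ip": "10.0.0.1", "src_port": 40000, "dst_ip": "10.0.0.2", "dst_port": 443, "proto": "tcp"}
    ssh = dict(https, src_port=40001, dst_port=22)
    other = dict(https, dst_ip="10.0.0.3")  # not covered by the flow directing policy, so never steered
    out = [forward(vs, vfw, p, t) for p, t in ((https, 1.0), (https, 2.0), (ssh, 3.0), (other, 4.0), (https, 31.0))]
    vfw.change_security_policy(set(), now=32.0)  # tighten the policy: nothing is allowed any more
    return out + [forward(vs, vfw, https, 33.0)]
```

The fifth result shows the fast-path item being aged out at 30 seconds and the flow re-inspected; the last result shows why stale fast-path items must not outlive a policy change.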
According to the examples above, in the virtual environment the VFW can protect a flow among the VMs inside the server, so that the flow does not have to be forwarded to an external physical switch for processing, which avoids consuming resources of the server and the physical switch. Further, the flow directing policy can be dynamically adjusted, so both security and processing efficiency are improved.
The above examples can be implemented by hardware, software or firmware, or a combination thereof. For example, the various methods, processes and functional modules described herein may be implemented by a processor (the term processor is to be interpreted broadly to include a CPU, processing unit, ASIC, logic unit, or programmable gate array etc.). The processes, methods and functional modules may all be performed by a single processor or split between several processors; reference in this disclosure or the claims to a 'processor' should thus be interpreted to mean 'one or more processors'. The processes, methods and functional modules can be implemented as machine readable instructions executable by one or more processors, hardware logic circuitry of the one or more processors, or a combination thereof. Further, the teachings herein may be implemented in the form of a software product. The computer software product is stored in a storage medium and comprises a plurality of instructions for making a computer device (which can be a personal computer, a server or a network device such as a router, switch, access point etc.) implement the method recited in the examples of the present disclosure.
The foregoing describes only preferred examples of the present disclosure and is not used to limit the protection scope of the present disclosure. Any modification, equivalent substitution and improvement without departing from the spirit and principle of the present disclosure are within the protection scope of the present disclosure.
Claims (15)
- A method for forwarding a packet, comprising: notifying, by a virtual firewall (VFW), a virtual switch (vSwitch) to establish a flow directing policy according to a security policy configured for the VFW, wherein the vSwitch directs a received packet matching the flow directing policy to the VFW according to the flow directing policy; performing, by the VFW, security processing for the packet according to the security policy when receiving the packet forwarded from the vSwitch; and forwarding, by the VFW, the processed packet satisfying the security policy to a target virtual machine (VM), wherein the VFW and the vSwitch are established in a same physical machine based on a virtual platform.
- The method of claim 1, further comprising: when the security policy is changed, notifying the vSwitch to update the flow directing policy according to the changed security policy.
- The method of claim 1, wherein notifying the vSwitch to establish the flow directing policy comprises: generating, by the VFW, the flow directing policy according to the security policy; transmitting, by the VFW, a message carrying the flow directing policy to the virtual switch.
- The method of claim 1, further comprising: when the VFW determines that the processed packet satisfies the security policy, notifying the vSwitch to add a new flow directing policy matching the packet, wherein a priority of the new flow directing policy is higher than a priority of the flow directing policy matching the packet, such that the vSwitch forwards a subsequently received packet belonging to a same flow as the packet to the target VM according to the new flow directing policy.
- The method of claim 4, further comprising the vSwitch setting an aging time for the new flow directing policy, and the vSwitch deleting the new flow directing policy when the aging time expires.
- A method for forwarding packet, comprising: establishing, by a virtual switch (vSwitch), a flow directing policy when receiving a notification transmitted from a virtual firewall (VFW) based on a security policy configured for the VFW; when receiving a packet transmitted from a source virtual machine (VM), comparing, by the vSwitch, the packet with the flow directing policy; directing, by the vSwitch, the packet to the VFW according to the flow directing policy when determining that the packet matches the flow directing policy, so that the VFW performs security processing for the packet, wherein the VFW and the vSwitch are established in a same physical machine based on a virtual platform.
- The method of claim 6, wherein the vSwitch establishing the flow directing policy comprises: when the notification comprises the flow directing policy, adding, by the vSwitch, an item corresponding to the flow directing policy into a flow table, wherein the item in the flow table comprises a matching field, a priority, a matching action and a matching count.
- The method of claim 6, further comprising: receiving, by the vSwitch, a notification of adding a new flow directing policy transmitted from the VFW, wherein the new flow directing policy matches the packet, a priority of the new flow directing policy is higher than a priority of the flow directing policy matching the packet; adding, by the vSwitch, an item corresponding to the new flow directing policy into the flow table according to the notification of adding the new flow directing policy; forwarding, by the vSwitch, a received packet belonging to a same flow with the packet to a target VM according to the new flow directing policy.
- An apparatus for forwarding packet, applying to a virtual firewall (VFW), comprising: a processor and a non-transitory machine readable storage medium storing machine readable instructions that are executable by the processor to: notify a virtual switch (vSwitch) to establish a flow directing policy according to a security policy configured for the VFW, wherein the vSwitch directs a received packet matching the flow directing policy to the VFW according to the flow directing policy; perform security processing for the packet according to the security policy when receiving the packet forwarded from the vSwitch; and forward the processed packet satisfying the security policy to a target virtual machine (VM), wherein the VFW and the vSwitch are established in a same physical machine based on a virtual platform.
- The apparatus of claim 9, wherein the instructions are further to: when the security policy is changed, notify the vSwitch to update the flow directing policy according to the changed security policy.
- The apparatus of claim 10, wherein the instructions are to: generate the flow directing policy according to the security policy; transmit a message carrying the flow directing policy to the virtual switch.
- The apparatus of claim 9, wherein the instructions are to: when the VFW determines that the processed packet satisfies the security policy, notify the vSwitch to add a new flow directing policy matching the packet, wherein a priority of the new flow directing policy is higher than a priority of the flow directing policy matching the packet, such that the vSwitch forwards a subsequently received packet belonging to a same flow as the packet to the target VM according to the new flow directing policy.
- An apparatus for forwarding packet, applying to a virtual switch (vSwitch), comprising: a processor and a non-transitory storage machine readable medium storing machine readable instructions that are executable by the processor to: establish a flow directing policy when receiving a notification transmitted from a virtual firewall (VFW) based on a security policy configured for the VFW; when receiving a packet transmitted from a source virtual machine (VM), compare the packet with the flow directing policy; direct the packet to the VFW according to the flow directing policy when determining that the packet matches the flow directing policy, so that the VFW performs security processing for the packet, wherein the VFW and the vSwitch are established in a same physical machine based on a virtual platform.
- The apparatus of claim 13, wherein the instructions are to: when the notification comprises the flow directing policy, add an item corresponding to the flow directing policy in a flow table, wherein the item in the flow table comprises a matching field, a priority, a matching action and a matching count.
- The apparatus of claim 13, wherein the instructions are further to: receive a notification of adding a new flow directing policy transmitted from the VFW, wherein the new flow directing policy matches the packet, a priority of the new flow directing policy is higher than a priority of the flow directing policy matching the packet; add an item corresponding to the new flow directing policy into the flow table according to the notification of adding the new flow directing policy; forward a received packet belonging to a same flow with the packet to a target VM according to the new flow directing policy.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410218519.7A CN105100026B (en) | 2014-05-22 | 2014-05-22 | A kind of safe retransmission method of message and device |
| CN201410218519.7 | 2014-05-22 | | |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2015176682A1 true WO2015176682A1 (en) | 2015-11-26 |
Family
ID=54553448
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2015/079556 Ceased WO2015176682A1 (en) | 2014-05-22 | 2015-05-22 | Forwarding a packet |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN105100026B (en) |
| WO (1) | WO2015176682A1 (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106101011A (en) * | 2016-08-22 | 2016-11-09 | 杭州华三通信技术有限公司 | A kind of message processing method and device |
| CN106909439A (en) * | 2017-02-27 | 2017-06-30 | 郑州云海信息技术有限公司 | A kind of migration control method and device of virtual machine |
| WO2020220977A1 (en) * | 2019-04-28 | 2020-11-05 | 华为技术有限公司 | Data flow guiding apparatus and data flow guiding method in virtual network |
Families Citing this family (17)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105530259B (en) * | 2015-12-22 | 2019-01-18 | 华为技术有限公司 | Message filtering method and equipment |
| CN105681313B (en) * | 2016-01-29 | 2018-11-09 | 博雅网信(北京)科技有限公司 | A kind of flow quantity detecting system and method for virtualized environment |
| CN106131020B (en) * | 2016-07-17 | 2020-05-01 | 合肥赑歌数据科技有限公司 | Firewall virtualization module and management method |
| CN106534346B (en) * | 2016-12-07 | 2019-12-10 | 北京奇虎科技有限公司 | Flow control method, device and system based on virtual WAF |
| CN107276798B (en) * | 2017-06-12 | 2020-08-04 | 苏州浪潮智能科技有限公司 | Method and device for realizing virtualized network service function chain |
| CN107888500B (en) * | 2017-11-03 | 2020-04-17 | 东软集团股份有限公司 | Message forwarding method and device, storage medium and electronic equipment |
| CN109922021B (en) * | 2017-12-12 | 2022-03-08 | 中国电信股份有限公司 | Safety protection system and safety protection method |
| CN109639551B (en) * | 2018-11-15 | 2020-11-03 | 北京六方云信息技术有限公司 | Virtualization drainage device and method |
| CN109587063B (en) * | 2018-12-29 | 2021-08-31 | 奇安信科技集团股份有限公司 | A kind of data drainage method and device |
| CN110247928B (en) * | 2019-06-29 | 2020-09-15 | 河南信大网御科技有限公司 | Simulation switch safety flow control device and method |
| CN110365577B (en) * | 2019-07-24 | 2021-10-15 | 绿盟科技集团股份有限公司 | Drainage system of safety resource pool and safety inspection method |
| CN111510435B (en) * | 2020-03-25 | 2022-02-22 | 新华三大数据技术有限公司 | Network security policy migration method and device |
| CN113810348B (en) * | 2020-06-17 | 2023-04-07 | 华为技术有限公司 | Network security detection method, system, equipment and controller |
| CN114172718B (en) * | 2021-12-03 | 2024-01-23 | 北京天融信网络安全技术有限公司 | Security policy configuration method and device, electronic equipment and storage medium |
| CN114363027B (en) * | 2021-12-27 | 2023-05-12 | 武汉思普崚技术有限公司 | Control method and device for drainage, backflow and remote access |
| CN114567481B (en) * | 2022-02-28 | 2024-03-12 | 天翼安全科技有限公司 | Data transmission method and device, electronic equipment and storage medium |
| CN115202824A (en) * | 2022-07-28 | 2022-10-18 | 济南浪潮数据技术有限公司 | Data drainage analysis method and device and computer readable storage medium |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102244622A (en) * | 2011-07-25 | 2011-11-16 | 北京网御星云信息技术有限公司 | Virtual gateway protection method, virtual security gateway and system for server virtualization |
| CN103354530A (en) * | 2013-07-18 | 2013-10-16 | 北京启明星辰信息技术股份有限公司 | Virtualization network boundary data flow gathering method and apparatus |
| CN103458003A (en) * | 2013-08-15 | 2013-12-18 | 中电长城网际系统应用有限公司 | Access control method and system of self-adaptation cloud computing environment virtual security domain |
| US20140096183A1 (en) * | 2012-10-01 | 2014-04-03 | International Business Machines Corporation | Providing services to virtual overlay network traffic |
Family Cites Families (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| GB2458154B (en) * | 2008-03-07 | 2012-06-27 | Hewlett Packard Development Co | Routing across a virtual network |
| CN102710669B (en) * | 2012-06-29 | 2016-03-02 | 杭州华三通信技术有限公司 | A kind of method that firewall policy controls and device |
| CN103763310B (en) * | 2013-12-31 | 2017-04-12 | 曙光云计算技术有限公司 | Firewall service system and method based on virtual network |
| CN103746997A (en) * | 2014-01-10 | 2014-04-23 | 浪潮电子信息产业股份有限公司 | Network security solution for cloud computing center |
- 2014-05-22 CN CN201410218519.7A patent/CN105100026B/en active Active
- 2015-05-22 WO PCT/CN2015/079556 patent/WO2015176682A1/en not_active Ceased
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106101011A (en) * | 2016-08-22 | 2016-11-09 | 杭州华三通信技术有限公司 | A kind of message processing method and device |
| CN106101011B (en) * | 2016-08-22 | 2019-12-06 | 新华三技术有限公司 | message processing method and device |
| CN106909439A (en) * | 2017-02-27 | 2017-06-30 | 郑州云海信息技术有限公司 | A kind of migration control method and device of virtual machine |
| WO2020220977A1 (en) * | 2019-04-28 | 2020-11-05 | 华为技术有限公司 | Data flow guiding apparatus and data flow guiding method in virtual network |
Also Published As
| Publication number | Publication date |
|---|---|
| CN105100026B (en) | 2018-07-20 |
| CN105100026A (en) | 2015-11-25 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 15796054; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 15796054; Country of ref document: EP; Kind code of ref document: A1 |