CN120880803A - Method and apparatus for supporting both bridge forwarding and proxy forwarding in transparent mode - Google Patents
- Publication number
- CN120880803A
- Authority
- CN
- China
- Prior art keywords
- data packet
- original data
- xdp
- forwarding
- bridge
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a method and a device for simultaneously supporting bridge forwarding and proxy forwarding in a transparent mode, and relates to the technical field of network security. The method comprises the steps of receiving and parsing an original data packet through a network interface of WAF equipment, identifying key feature information for traffic classification in the original data packet, performing policy matching on the original data packet containing the key feature information against a dynamic policy table preset in the Linux kernel of the WAF equipment, and forwarding the original data packet to a proxy processing module through the Linux kernel protocol stack if the key feature information matches the transparent proxy mode in the dynamic policy table. The invention combines the advantages of bridge forwarding and proxy forwarding, and can meet users' flexible deployment requirements.
Description
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method and apparatus for supporting bridge forwarding and proxy forwarding in a transparent mode.
Background
A Web application firewall (Web Application Firewall, WAF) is a security device that is dedicated to protecting Web applications from various network attacks. The WAF provides real-time protection for Web applications by monitoring, filtering, and blocking malicious requests in HTTP/HTTPs traffic. To adapt to flexible network topologies, WAFs typically have multiple deployment modes for user selection, e.g., reverse proxy mode, traffic mirror mode, transparent bridge mode, transparent proxy mode, etc.
The core goal of both the transparent bridge mode and the transparent proxy mode of deployment is to insert WAF devices transparently into network links without changing the network topology; the two modes have their own advantages and disadvantages and rely on different technology stacks. Referring to FIG. 1, the transparent bridge mode receives and sends network packets without going through the Linux kernel protocol stack and then inspects the packets in user mode. The transparent proxy mode relies on HTTP proxy software to proxy HTTP traffic; that proxy software usually runs on a Linux system and relies on the Linux kernel network protocol stack to send and receive network packets.
Because the network transceiver technology stacks on which the transparent bridge mode and the transparent proxy mode depend are inconsistent, it is difficult to run the two modes on the same device at the same time, and a user must select one of the transparent modes for deployment when deploying the WAF. If the deployment mode needs to be changed, the modes need to be manually switched, which brings complexity to operation and maintenance, and the user cannot enjoy the advantages of the dual modes of the transparent bridge and the transparent proxy.
Disclosure of Invention
In view of the foregoing drawbacks or shortcomings of the prior art, the present invention provides a method and apparatus for supporting both bridge forwarding and proxy forwarding in transparent mode, which can solve the technical problems mentioned in the background art.
In one aspect of the present invention, there is provided a method for supporting both bridge forwarding and proxy forwarding in a transparent mode, including:
Receiving and parsing an original data packet through a WAF equipment network interface, and identifying key feature information for traffic classification in the original data packet;
Performing policy matching on the original data packet containing the key feature information against a dynamic policy table preset in the Linux kernel of the WAF equipment; forwarding the original data packet to a proxy processing module through the Linux kernel protocol stack if the key feature information matches the transparent proxy mode in the dynamic policy table; sending the original data packet to the bridge processing module, bypassing the Linux kernel protocol stack, if the key feature information matches the transparent bridge mode in the dynamic policy table; and sending the original data packet directly to the opposite-end network interface if the original data packet is non-TCP traffic.
In another aspect of the present invention, there is also provided an apparatus for supporting both bridge forwarding and proxy forwarding in a transparent mode, including:
a data packet parsing module, configured to receive and parse the original data packet through the WAF equipment network interface and identify key feature information for traffic classification in the original data packet;
a traffic diversion scheduling module, configured to perform policy matching on the original data packet containing the key feature information against a dynamic policy table preset in the Linux kernel of the WAF equipment; to forward the original data packet to the proxy processing module through the Linux kernel protocol stack if the key feature information matches the transparent proxy mode in the dynamic policy table; to send the original data packet to the bridge processing module, bypassing the Linux kernel protocol stack, if the key feature information matches the transparent bridge mode in the dynamic policy table; and to send the original data packet directly to the opposite-end network interface if the original data packet is non-TCP traffic.
The method and the device provided by the invention support bridge forwarding and proxy forwarding simultaneously in the transparent mode, and solve the problem that WAF equipment in the prior art can only select one transparent mode for deployment. The invention combines the advantages of bridge forwarding and proxy forwarding, meets users' flexible deployment requirements, does not require users to switch between the transparent bridge mode and the transparent proxy mode, reduces the operation and maintenance complexity caused by mode switching, reduces the deployment and maintenance cost of WAF equipment, and improves the practicability and adaptability of the WAF equipment.
Drawings
Other features, objects and advantages of the present application will become more apparent upon reading of the detailed description of non-limiting embodiments, made with reference to the accompanying drawings in which:
FIG. 1 is a technical schematic diagram of a transparent bridge mode and a transparent proxy mode in the prior art;
FIG. 2 is a flow diagram of a method for supporting both bridge forwarding and proxy forwarding in transparent mode according to one embodiment of the present application;
FIG. 3 is a second flow chart of a method for supporting both bridge forwarding and proxy forwarding in transparent mode according to one embodiment of the present application;
FIG. 4 is a flow chart of an AF_XDP socket for a bridge processing module according to one embodiment of the present application;
FIG. 5 is a schematic structural diagram of an apparatus for supporting both bridge forwarding and proxy forwarding in a transparent mode according to another embodiment of the present application;
FIG. 6 is a schematic structural diagram of a WAF device according to another embodiment of the application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
In the prior art, the transparent bridge mode and the transparent proxy mode have a technology stack conflict: a transparent bridge must bypass the kernel protocol stack, whereas a transparent proxy depends on it. Whichever transparent mode is used, the traffic must monopolize a network card or a specific network namespace, and the traffic path cannot be switched dynamically according to policy at run time. If the two kinds of traffic are forcibly mixed, either the performance of the bridge mode or the proxy function is sacrificed; the two cannot coexist on the same network interface, so a user can only select one transparent mode for deployment.
In order to overcome these technical problems, the application provides a method and a device for supporting bridge forwarding and proxy forwarding in a transparent mode, which collect, distribute and transmit network traffic through the AF_XDP and XDP/eBPF technologies provided by the Linux kernel. Encrypted traffic such as HTTPS, and other TCP traffic that needs to be handled by the transparent proxy mode, is distributed to the transparent proxy module; unencrypted traffic such as HTTP, and other TCP traffic that does not need the transparent proxy mode, is distributed to the transparent bridge module. The transparent proxy mode and the transparent bridge mode are thus realized in the WAF simultaneously.
Referring to fig. 2-3, one embodiment of the present application provides a method for supporting both bridge forwarding and proxy forwarding in transparent mode, comprising the steps of:
Step S101, receiving and analyzing the original data packet through the WAF equipment network interface, and identifying key characteristic information for flow diversion in the original data packet.
The embodiment constructs a traffic diversion scheduling module from a series of XDP/eBPF programs, which collects, diverts and sends network traffic. The principle of the traffic diversion scheduling module is as follows: a series of XDP/eBPF programs is attached to a network interface of the WAF equipment, and all data packets on that network interface are received by the XDP/eBPF programs. All preset network traffic processing policies are stored in the XDP/eBPF programs as a map; the policies determine how each type of traffic is handled. After the XDP/eBPF programs finish parsing a data packet, they match it against the network traffic processing policies and finally execute the processing action of the matched policy.
Specifically, the traffic splitting scheduling module analyzes the header of the ethernet frame header, the IP header, the TCP/UDP header, etc. byte by byte in the byte stream of the original data packet received from the network interface of the WAF device, and performs a series of validity checks, such as checksum, version number, length, etc. The invalid packets or non-TCP/IP packets are discarded or passed directly to the peer network interface at this stage. Five-tuple information (source IP, destination IP, source port, destination port, protocol) and/or payload information for policy matching is then extracted from the original packet header, which constitutes key feature information for subsequent traffic classification identification. For example, the http traffic or the https traffic can be identified according to the key feature information, and then the http traffic and the https traffic can be distributed to different transparent modes according to the classification strategy.
Step S102, performing policy matching on the original data packet containing the key feature information against a dynamic policy table preset in the Linux kernel of the WAF equipment; forwarding the original data packet to a proxy processing module through the Linux kernel protocol stack if the key feature information matches the transparent proxy mode in the dynamic policy table; sending the original data packet to the bridge processing module, bypassing the Linux kernel protocol stack, if the key feature information matches the transparent bridge mode in the dynamic policy table; and sending the original data packet directly to the opposite-end network interface if the original data packet is non-TCP traffic.
Specifically, the dynamic policy table preset in the Linux kernel preferably takes the form of an eBPF Map. The eBPF Map stores the processing mode for each class of traffic; it is backed by an efficient hash algorithm, so a policy match on the key feature information completes in constant time and is extremely fast.
If the key feature information matches the transparent proxy mode in the dynamic policy table, the original data packet is forwarded to the proxy processing module through the Linux kernel protocol stack. If the key feature information matches the transparent bridge mode in the dynamic policy table, the original data packet bypasses the Linux kernel protocol stack and is sent to the bridge processing module. If the original data packet is non-TCP traffic, it is sent directly to the opposite-end network interface or, optionally, discarded.
The contents of the eBPF Map (i.e., the dynamic policy table) can be seen in the following table:
The policy matching process is exemplified as follows:
(1) For traffic with destination IP address 29.1.1.3 and destination port 443, the TO_PROXY action is executed, and the traffic is sent to the transparent proxy module for processing;
(2) For TCP traffic accessing other IP addresses/ports, the TO_BRIDGE action is executed, and the traffic is sent to the transparent bridge processing module for processing;
(3) For other non-TCP traffic (e.g., ping traffic), the data packets are sent directly from the network interface of the opposite end of the network interface pair without any complex processing.
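Steps S101 and S102 together with the three example rules above, as an added user-space C model of the kernel-side XDP/eBPF logic (this is not the patent's code). The policy table, the frame builder and the sample addresses are constructed for the example; in the real program the table is an eBPF hash map queried with bpf_map_lookup_elem and the returned action becomes an XDP verdict as noted in the comments.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of the policy match. In the kernel-side XDP program these map to
 * XDP verdicts: ACT_TO_PROXY -> XDP_PASS (Linux stack, then the proxy module),
 * ACT_TO_BRIDGE -> XDP_REDIRECT into the bridge module's AF_XDP socket,
 * ACT_TO_PEER -> redirect out of the opposite interface, ACT_DROP -> XDP_DROP. */
enum action { ACT_DROP = 0, ACT_TO_PROXY, ACT_TO_BRIDGE, ACT_TO_PEER };

struct five_tuple { uint32_t saddr, daddr; uint16_t sport, dport; uint8_t proto; };

/* Constructed stand-in for the eBPF hash map (dynamic policy table), keyed on
 * (destination IP, destination port) as in the page's example: 29.1.1.3:443 goes
 * to the transparent proxy; TCP with no entry falls through to the bridge. */
struct policy { uint32_t daddr; uint16_t dport; enum action act; };
static const struct policy policy_table[] = {
    { 0x1d010103u /* 29.1.1.3 */, 443, ACT_TO_PROXY },
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* RFC 1071 one's-complement sum. Run over a header that already contains its
 * checksum field, it returns 0 exactly when the header is intact. */
static uint16_t ipv4_checksum(const uint8_t *h, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += rd16(h + i);
    if (len & 1) sum += (uint32_t)h[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

static enum action policy_lookup(const struct five_tuple *t) {
    for (size_t i = 0; i < sizeof policy_table / sizeof policy_table[0]; i++)
        if (policy_table[i].daddr == t->daddr && policy_table[i].dport == t->dport)
            return policy_table[i].act;
    return ACT_TO_BRIDGE;                      /* TCP without an explicit entry */
}

/* S101 + S102: bounds-checked parse of Ethernet/IPv4/TCP, validity checks,
 * five-tuple extraction and policy match. Each length check is one the BPF
 * verifier would demand of the kernel program before it reads the byte. */
enum action classify(const uint8_t *pkt, size_t len, struct five_tuple *out) {
    if (len < 14) return ACT_DROP;
    if (rd16(pkt + 12) != 0x0800) return ACT_TO_PEER;   /* ARP, IPv6, ...: not TCP/IPv4 */
    const uint8_t *ip = pkt + 14;
    size_t avail = len - 14;
    if (avail < 20 || (ip[0] >> 4) != 4) return ACT_DROP;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    uint16_t tot = rd16(ip + 2);
    if (ihl < 20 || ihl > avail || tot < ihl || tot > avail) return ACT_DROP;
    if (ipv4_checksum(ip, ihl) != 0) return ACT_DROP;   /* corrupted header */
    if (ip[9] != 6) return ACT_TO_PEER;                 /* ICMP, UDP, ...: straight to peer */
    if (tot - ihl < 20) return ACT_DROP;                /* truncated TCP header */
    const uint8_t *tcp = ip + ihl;
    struct five_tuple t = { rd32(ip + 12), rd32(ip + 16), rd16(tcp), rd16(tcp + 2), 6 };
    if (out) *out = t;
    return policy_lookup(&t);
}

/* Builds a constructed Ethernet/IPv4 frame carrying a minimal TCP SYN (proto 6)
 * or ICMP echo request (proto 1); returns the frame length. */
size_t build_frame(uint8_t *buf, uint8_t proto, uint32_t saddr, uint32_t daddr,
                   uint16_t sport, uint16_t dport) {
    size_t l4 = proto == 6 ? 20 : 8;
    memset(buf, 0, 14 + 20 + l4);
    buf[12] = 0x08; buf[13] = 0x00;                     /* EtherType IPv4 */
    uint8_t *ip = buf + 14;
    ip[0] = 0x45; ip[2] = (uint8_t)((20 + l4) >> 8); ip[3] = (uint8_t)(20 + l4);
    ip[8] = 64; ip[9] = proto;
    for (int i = 0; i < 4; i++) {
        ip[12 + i] = (uint8_t)(saddr >> (24 - 8 * i));
        ip[16 + i] = (uint8_t)(daddr >> (24 - 8 * i));
    }
    uint16_t c = ipv4_checksum(ip, 20); ip[10] = (uint8_t)(c >> 8); ip[11] = (uint8_t)c;
    uint8_t *l4p = ip + 20;
    if (proto == 6) {
        l4p[0] = (uint8_t)(sport >> 8); l4p[1] = (uint8_t)sport;
        l4p[2] = (uint8_t)(dport >> 8); l4p[3] = (uint8_t)dport;
        l4p[12] = 0x50; l4p[13] = 0x02;                  /* data offset 5, SYN */
    } else {
        l4p[0] = 8;                                      /* ICMP echo request */
    }
    return 14 + 20 + l4;
}

/* Build one constructed frame from 10.0.0.1, optionally corrupt the IP checksum,
 * and classify it. */
enum action classify_sample(uint8_t proto, uint32_t daddr, uint16_t dport, int corrupt_checksum) {
    uint8_t buf[64];
    size_t n = build_frame(buf, proto, 0x0a000001u, daddr, 40000, dport);
    if (corrupt_checksum) buf[14 + 10] ^= 0xff;
    return classify(buf, n, NULL);
}

int main(void) {
    static const char *names[] = { "DROP", "TO_PROXY", "TO_BRIDGE", "TO_PEER" };
    printf("tcp 29.1.1.3:443 -> %s\n", names[classify_sample(6, 0x1d010103u, 443, 0)]);
    printf("tcp 29.1.1.3:80  -> %s\n", names[classify_sample(6, 0x1d010103u, 80, 0)]);
    printf("icmp 29.1.1.3    -> %s\n", names[classify_sample(1, 0x1d010103u, 0, 0)]);
    printf("bad ip checksum  -> %s\n", names[classify_sample(6, 0x1d010103u, 443, 1)]);
    return 0;
}
```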
Furthermore, the key to realizing traffic diversion scheduling is ensuring that traffic in the transparent bridge mode bypasses the Linux kernel protocol stack on its way to the bridge processing module; that is, the bridge processing module must cooperate with the traffic diversion scheduling module to capture the data packets. After the traffic diversion policy itself, this is the other key point of the invention. To achieve this, the method designs a high-performance forwarding mode based on AF_XDP sockets, as follows.
It should be noted that conventional AF_XDP technology requires the user-mode application (e.g., the bridge processing module) to load the XDP program (e.g., the traffic diversion scheduling module) itself, so that when the AF_XDP socket is created the application can obtain the "correspondence table between AF_XDP sockets and network interface data queues" that lives inside the XDP program and insert its own AF_XDP socket into that table, establishing the mapping between the user-mode socket and the kernel-mode XDP program. In other words, the XDP program must be loaded onto the network card by the user-mode application itself; loading the XDP program before the user-mode application starts is not supported. This strong binding imposes a rigid, fixed deployment order on the "user-mode bridge processing module" and the "kernel-mode traffic diversion scheduling module", and severely limits the deployment flexibility of the system.
In order to overcome this problem, referring to FIG. 4, the present invention adopts a dynamic discovery mechanism for an already installed XDP program (for example, the traffic diversion scheduling module). Through this mechanism the AF_XDP socket of the bridge processing module is created, so that the deployment order of the user-mode bridge processing module and the kernel-mode traffic diversion scheduling module becomes flexible.
First, the system obtains all loaded XDP program information through the Linux kernel, and identifies a target XDP program (such as a traffic split scheduling module) for classifying the traffic of the original data packet from all loaded XDP programs.
Next, a file descriptor of the correspondence table between AF_XDP sockets and network interface data queues that already exists in the target XDP program (e.g., the traffic diversion scheduling module) is obtained.
And finally, creating an AF_XDP socket of the bridge processing module, and updating the AF_XDP socket of the bridge processing module into an entry of a network interface data queue of the corresponding relation table through the file descriptor.
Thus, the bridge processing module creates the AF_XDP socket, establishes the mapping relation between the AF_XDP socket and the kernel state flow diversion scheduling module, and establishes the corresponding relation between the AF_XDP socket and the network interface data queue. The method can be used for deploying the target XDP program (such as a flow distribution scheduling module) in a kernel mode firstly, then deploying the bridge processing module application program in a user mode, and vice versa, and the deployment sequence is quite flexible.
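The three discovery steps just described (enumerate loaded XDP programs, locate the target program's socket/queue table, register the bridge module's socket for a queue), as an added C example written against the raw bpf(2) system call; it is not the patent's code. The program name waf_dispatch is an assumed placeholder, the AF_XDP socket itself is assumed to be created separately (e.g., with libxdp's xsk_socket__create and XSK_LIBBPF_FLAGS__INHIBIT_PROG_LOAD so that the library does not load its own XDP program), and running it requires CAP_BPF.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/bpf.h>

/* Thin wrapper over the raw bpf(2) system call; no libbpf dependency. */
static long bpf_call(int cmd, union bpf_attr *attr) {
    return syscall(__NR_bpf, cmd, attr, sizeof(*attr));
}

/* BPF_OBJ_GET_INFO_BY_FD for either a program fd or a map fd. */
static int obj_get_info(int fd, void *info, uint32_t len) {
    union bpf_attr attr;
    memset(&attr, 0, sizeof attr);
    attr.info.bpf_fd = (uint32_t)fd;
    attr.info.info_len = len;
    attr.info.info = (uint64_t)(uintptr_t)info;
    return (int)bpf_call(BPF_OBJ_GET_INFO_BY_FD, &attr);
}

/* Step 1: walk every loaded program and keep the XDP program named prog_name.
 * Step 2: walk that program's maps and return an fd for its XSKMAP, i.e. the
 * "AF_XDP socket <-> network interface queue" table. Returns -1 (errno set) if
 * the program or map is not found, or if the caller lacks CAP_BPF. */
int find_xsks_map_of_xdp_prog(const char *prog_name) {
    union bpf_attr attr;
    uint32_t id = 0;
    int result = -1;
    for (;;) {
        memset(&attr, 0, sizeof attr);
        attr.start_id = id;
        if (bpf_call(BPF_PROG_GET_NEXT_ID, &attr) < 0) break;  /* ENOENT: end of list */
        id = attr.next_id;

        memset(&attr, 0, sizeof attr);
        attr.prog_id = id;
        int pfd = (int)bpf_call(BPF_PROG_GET_FD_BY_ID, &attr);
        if (pfd < 0) continue;                                 /* raced with unload */

        struct bpf_prog_info pinfo;
        memset(&pinfo, 0, sizeof pinfo);
        if (obj_get_info(pfd, &pinfo, sizeof pinfo) < 0 || pinfo.type != BPF_PROG_TYPE_XDP ||
            strncmp(pinfo.name, prog_name, BPF_OBJ_NAME_LEN) != 0) {
            close(pfd);
            continue;
        }

        /* First query reported how many maps the program uses; the second query,
         * with map_ids pointing at a buffer of that size, fills in the ids. */
        uint32_t nmaps = pinfo.nr_map_ids;
        uint32_t *map_ids = calloc(nmaps ? nmaps : 1, sizeof *map_ids);
        memset(&pinfo, 0, sizeof pinfo);
        pinfo.nr_map_ids = nmaps;
        pinfo.map_ids = (uint64_t)(uintptr_t)map_ids;
        if (map_ids && obj_get_info(pfd, &pinfo, sizeof pinfo) == 0) {
            uint32_t n = pinfo.nr_map_ids < nmaps ? pinfo.nr_map_ids : nmaps;
            for (uint32_t i = 0; i < n && result < 0; i++) {
                memset(&attr, 0, sizeof attr);
                attr.map_id = map_ids[i];
                int mfd = (int)bpf_call(BPF_MAP_GET_FD_BY_ID, &attr);
                if (mfd < 0) continue;
                struct bpf_map_info minfo;
                memset(&minfo, 0, sizeof minfo);
                if (obj_get_info(mfd, &minfo, sizeof minfo) == 0 && minfo.type == BPF_MAP_TYPE_XSKMAP)
                    result = mfd;                              /* caller closes it */
                else
                    close(mfd);
            }
        }
        free(map_ids);
        close(pfd);
        break;                      /* target program handled, with or without an XSKMAP */
    }
    return result;
}

/* Step 3: enter an already-created AF_XDP socket (its fd) under one RX queue id,
 * so that XDP_REDIRECT through this map entry delivers frames to that socket. */
int bind_xsk_to_queue(int xsks_map_fd, uint32_t queue_id, int xsk_fd) {
    union bpf_attr attr;
    memset(&attr, 0, sizeof attr);
    attr.map_fd = (uint32_t)xsks_map_fd;
    attr.key = (uint64_t)(uintptr_t)&queue_id;
    attr.value = (uint64_t)(uintptr_t)&xsk_fd;
    attr.flags = BPF_ANY;
    return (int)bpf_call(BPF_MAP_UPDATE_ELEM, &attr);
}

int main(int argc, char **argv) {
    const char *name = argc > 1 ? argv[1] : "waf_dispatch";   /* assumed program name */
    int map_fd = find_xsks_map_of_xdp_prog(name);
    if (map_fd < 0) {
        fprintf(stderr, "XSKMAP of XDP program '%s' not found: %s\n", name, strerror(errno));
        return 1;
    }
    printf("XSKMAP fd %d: create the AF_XDP socket, then bind_xsk_to_queue(fd, queue, xsk_fd)\n", map_fd);
    close(map_fd);
    return 0;
}
```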
Furthermore, in the prior art a data packet undergoes multiple copies, from the network card into kernel memory and from kernel mode into user mode, before it reaches the user-mode application (the bridge processing module); this lowers data transfer efficiency and consumes CPU resources. To solve this, the invention pre-allocates one physical memory region that is shared between the AF_XDP socket of the user-mode bridge processing module and the kernel-mode traffic diversion scheduling module/network card. The network card writes the original data packets that the kernel-mode traffic diversion scheduling module has assigned to bridge processing directly into the shared memory by DMA; the data itself stays in the shared memory throughout. The kernel-mode traffic diversion scheduling module passes the user-mode bridge processing module only a pointer or index to the data's position in the shared memory, and the bridge processing module reads the packet contents directly from the shared memory for processing. The data therefore never has to be copied from kernel mode to user mode, and no CPU resources are spent on it.
Further, after the AF_XDP socket of the bridge processing module has been created and the shared memory area set up, the traffic diversion decision is acted on as follows: the correspondence between AF_XDP sockets and network interface data queues is queried to obtain the AF_XDP socket corresponding to the target network interface data queue, and the original data packet delivered by that queue is written to that socket's memory position in the shared memory area. The bridge processing module then reads the original data packet from the shared memory area, performs security detection on it, and transmits the traffic that passes detection to the opposite-end network interface, thereby realizing the transparent bridge mode of the WAF.
Furthermore, if, after parsing and policy matching, the traffic diversion scheduling module finds that the traffic requires transparent proxy processing, it sets a specific mark on the original data packet so that the packet is correctly accepted by the Linux kernel network protocol stack and finally delivered to the user-mode proxy processing module, which can then carry out proxy forwarding of the HTTP traffic.
Further, if, after parsing and policy matching, the traffic diversion scheduling module finds that the traffic is not TCP traffic (for example, ping traffic), it may either discard the packet or send it directly to the opposite-end network interface.
The method of this embodiment supports both bridge forwarding and proxy forwarding in the transparent mode at the same time, and solves the problem that WAF equipment in the prior art can only select one transparent mode for deployment. The embodiment combines the advantages of bridge forwarding and proxy forwarding, meets users' flexible deployment requirements, does not require users to switch between the transparent bridge mode and the transparent proxy mode, reduces the operation and maintenance complexity caused by mode switching, reduces the deployment and maintenance cost of WAF equipment, and improves the practicability and adaptability of the WAF equipment.
Referring to FIG. 5, another embodiment of the present invention further provides an apparatus 200 for supporting both bridge forwarding and proxy forwarding in a transparent mode, including a data packet parsing module 201 and a traffic diversion scheduling module 202, where the apparatus 200 is capable of performing the method for supporting both bridge forwarding and proxy forwarding in the transparent mode of the method embodiment.
Specifically, the apparatus 200 for supporting both bridge forwarding and proxy forwarding in transparent mode includes:
the data packet parsing module 201, configured to receive and parse an original data packet through a WAF device network interface and identify key feature information for traffic classification in the original data packet;
the traffic diversion scheduling module 202, configured to perform policy matching on the original data packet containing the key feature information against a dynamic policy table preset in the Linux kernel of the WAF device; to forward the original data packet to a proxy processing module through the Linux kernel protocol stack if the key feature information matches the transparent proxy mode in the dynamic policy table; to send the original data packet to the bridge processing module, bypassing the Linux kernel protocol stack, if the key feature information matches the transparent bridge mode in the dynamic policy table; and to send the original data packet directly to the opposite-end network interface if the original data packet is non-TCP traffic.
The apparatus further comprises a socket creation module, configured to create AF_XDP sockets belonging to the bridge processing module and to establish a correspondence between each AF_XDP socket and a network interface data queue. In response to the traffic diversion decision, the correspondence between AF_XDP sockets and network interface data queues is queried, the AF_XDP socket corresponding to the target network interface data queue is obtained, and the original data packet delivered by that queue is written to that socket's storage position in the shared memory area; the bridge processing module is configured to read the original data packet from the shared memory area, perform security detection on it, and transmit traffic that passes detection to the opposite-end network interface.
Further, the traffic diversion scheduling module 202 is further configured to enable the bridge processing module to obtain information on all loaded XDP programs of the system through the Linux kernel, identify among them the target XDP program that diverts the original packet traffic, obtain a file descriptor of the correspondence table between AF_XDP sockets and network interface data queues that already exists in the target XDP program, create an AF_XDP socket of the bridge processing module, and, through that file descriptor, update the AF_XDP socket of the bridge processing module into the network interface data queue entry of the correspondence table.
Further, the key feature information includes five-tuple data and/or payload features.
Further, the traffic diversion scheduling module 202 is further configured to add to the original data packet a mark recognized by the Linux kernel protocol stack, so that the Linux kernel protocol stack identifies and parses the marked original data packet and forwards the processed packet to the proxy processing module.
It should be noted that the apparatus 200 for supporting both bridge forwarding and proxy forwarding in the transparent mode provided in this embodiment may be used to carry out the method embodiments; its implementation principle and technical effects are similar to those of the method and are not repeated here.
Referring to FIG. 6, another embodiment of the present invention further provides a schematic structural diagram of an electronic device 300, where the electronic device 300 is configured to implement the method for supporting both bridge forwarding and proxy forwarding in a transparent mode of the method embodiment. The electronic device 300 in the embodiment of the present invention may include, but is not limited to, WAF devices formed by smart phones, tablet computers, PCs, notebook computers, servers, and the like. The electronic device 300 shown in FIG. 6 is only an example and should not be construed as limiting the functionality and scope of use of embodiments of the invention.
As shown in FIG. 6, the electronic device 300 may include a processing means (e.g., a central processing unit, a graphics processor, etc.) 301 that may perform various suitable actions and processes to implement the methods of embodiments of the present invention according to programs stored in a Read Only Memory (ROM) 302 or loaded from a storage 308 into a Random Access Memory (RAM) 303. In the RAM 303, various programs and data required for the operation of the electronic apparatus 300 are also stored. The processing device 301, the ROM 302, and the RAM 303 are connected to each other via a bus 305. An input/output (I/O) interface 304 is also connected to bus 305.
In general, devices may be connected to I/O interface 304 including input devices 306 such as a touch screen, touch pad, keyboard, mouse, camera, microphone, accelerometer, gyroscope, etc., output devices 307 including a Liquid Crystal Display (LCD), speaker, vibrator, etc., storage devices 308 including magnetic tape, hard disk, etc., and communication devices 309. The communication means 309 may allow the electronic device 300 to communicate with other devices wirelessly or by wire to exchange data. While FIG. 6 shows an electronic device 300 having various means, it is to be understood that not all of the illustrated means are required to be implemented or provided. More or fewer devices may be implemented or provided instead.
The foregoing description is only of the preferred embodiments of the invention. It will be appreciated by persons skilled in the art that the scope of the disclosure referred to in the present invention is not limited to the specific combinations of technical features described above, but also covers other technical solutions formed by any combination of the technical features described above or their equivalents without departing from the spirit of the disclosure, for example, solutions in which the above-mentioned features are interchanged with technical features disclosed in the present invention (but not limited thereto) having similar functions.
Claims (10)
1. A method for supporting both bridge forwarding and proxy forwarding in a transparent mode, comprising the steps of:
Receiving and parsing an original data packet through a WAF equipment network interface, and identifying key feature information for traffic classification in the original data packet;
Performing policy matching on the original data packet containing the key feature information against a dynamic policy table preset in the Linux kernel of the WAF equipment; forwarding the original data packet to a proxy processing module through the Linux kernel protocol stack if the key feature information matches the transparent proxy mode in the dynamic policy table; sending the original data packet to the bridge processing module, bypassing the Linux kernel protocol stack, if the key feature information matches the transparent bridge mode in the dynamic policy table; and sending the original data packet directly to the opposite-end network interface if the original data packet is non-TCP traffic.
2. A method for supporting both bridge forwarding and proxy forwarding in transparent mode as claimed in claim 1, further comprising:
Creating AF_XDP sockets belonging to the bridge processing module, and establishing a correspondence between each AF_XDP socket and a network interface data queue;
In response to the traffic diversion decision, querying the correspondence between AF_XDP sockets and network interface data queues, obtaining the AF_XDP socket corresponding to the target network interface data queue, and writing the original data packet delivered by the target network interface data queue to the storage position of that AF_XDP socket in the shared memory area;
And enabling the bridge processing module to read the original data packet in the shared memory area, carrying out security detection on the original data packet, and transmitting the traffic data passing the security detection to an opposite-end network interface.
3. The method for supporting both bridge forwarding and proxy forwarding in transparent mode according to claim 2, wherein the step of creating AF_XDP sockets belonging to the bridge processing module comprises:
the bridge processing module obtaining, through the Linux kernel, information on all XDP programs loaded in the system, and identifying among them the target XDP program that performs traffic steering of the original data packet;
obtaining the file descriptor of the correspondence table between AF_XDP sockets and network interface data queues that already exists in the target XDP program; and
creating an AF_XDP socket for the bridge processing module and, through that file descriptor, writing the socket into the entry of the correspondence table for the network interface data queue.
4. The method for supporting both bridge forwarding and proxy forwarding in transparent mode according to claim 1, wherein the key characteristic information includes five-tuple data and/or payload characteristics.
5. The method for supporting both bridge forwarding and proxy forwarding in transparent mode according to claim 1, wherein the step of forwarding the original data packet to the proxy processing module through the Linux kernel protocol stack comprises:
adding to the original data packet a mark that identifies it for the Linux kernel protocol stack; and
the Linux kernel protocol stack recognising and parsing the marked original data packet, and forwarding the processed original data packet to the proxy processing module.
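The steering logic of claims 1 to 5 is easier to reason about in code. The following is an added example in user-space C, not code from the patent: it models the XDP program's decision (parse the five-tuple of claim 4, match it against the dynamic policy table, then XDP_PASS to the kernel stack for proxy mode, redirect into an AF_XDP socket for bridge mode, or send non-TCP traffic straight to the opposite-end interface) together with the queue-to-socket correspondence table that claims 2 and 3 describe. The policy row layout, the action names, the `NQUEUES` limit, the `bind_xsk_to_queue` and `build_packet` helpers, and the fail-closed handling of malformed or unmatched TCP packets are assumptions of this example; the claims specify none of them, and the sample packets are constructed inline.

```c
/* Added example, not the patent's code: a user-space model of the XDP steering decision
 * of claims 1 and 4 and of the queue-to-socket table of claims 2 and 3. Policy row layout,
 * action names and the defaults for malformed or unmatched packets are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum action { ACT_DROP, ACT_PASS_TO_STACK, ACT_REDIRECT_TO_XSK, ACT_TX_TO_PEER };
enum mode   { MODE_PROXY, MODE_BRIDGE };
struct five_tuple { uint32_t saddr, daddr; uint16_t sport, dport; uint8_t proto; };
/* One row of the dynamic policy table (assumed shape): address and port in network byte order. */
struct policy { uint32_t daddr; uint16_t dport; enum mode mode; };

/* Model of claim 3's correspondence table: RX queue id -> AF_XDP socket, -1 = unbound.
 * In the kernel this is a BPF_MAP_TYPE_XSKMAP updated with bpf_map_update_elem(). */
#define NQUEUES 4
static int xsk_map[NQUEUES] = { -1, -1, -1, -1 };

int bind_xsk_to_queue(unsigned queue, int xsk_fd)
{
    if (queue >= NQUEUES || xsk_fd < 0) return -1;
    xsk_map[queue] = xsk_fd;
    return 0;
}

/* Dotted quad -> uint32_t in network byte order, matching the parser's memcpy. */
uint32_t ip4(uint8_t a, uint8_t b, uint8_t c, uint8_t d)
{
    uint8_t bytes[4] = { a, b, c, d };
    uint32_t v;
    memcpy(&v, bytes, 4);
    return v;
}

/* Ethernet/IPv4/L4 header walk with a length check before every read (what the BPF verifier
 * enforces on data/data_end). The bridge path bypasses the kernel stack, so nothing
 * downstream re-validates these headers; this parser is the only check they get. */
int parse_five_tuple(const uint8_t *pkt, size_t len, struct five_tuple *ft)
{
    if (len < 14 || pkt[12] != 0x08 || pkt[13] != 0x00) return -1;   /* IPv4 only here */
    const uint8_t *ip = pkt + 14;
    if (len < 14 + 20 || (ip[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20 || len < 14 + ihl) return -1;
    ft->proto = ip[9];
    memcpy(&ft->saddr, ip + 12, 4);
    memcpy(&ft->daddr, ip + 16, 4);
    ft->sport = ft->dport = 0;
    if (ft->proto == 6 || ft->proto == 17) {                          /* TCP or UDP ports */
        const uint8_t *l4 = ip + ihl;
        if (len < 14 + ihl + 4) return -1;
        ft->sport = (uint16_t)((l4[0] << 8) | l4[1]);
        ft->dport = (uint16_t)((l4[2] << 8) | l4[3]);
    }
    return 0;
}

/* The steering decision of claim 1 for one packet received on rx_queue. */
enum action classify(const uint8_t *pkt, size_t len, unsigned rx_queue,
                     const struct policy *tbl, size_t ntbl)
{
    struct five_tuple ft;
    if (parse_five_tuple(pkt, len, &ft) < 0) return ACT_DROP;    /* malformed: fail closed */
    if (ft.proto != 6) return ACT_TX_TO_PEER;                    /* non-TCP: straight to the peer */
    for (size_t i = 0; i < ntbl; i++) {
        if (tbl[i].daddr != ft.daddr || tbl[i].dport != ft.dport) continue;
        if (tbl[i].mode == MODE_PROXY) return ACT_PASS_TO_STACK;  /* XDP_PASS -> stack -> proxy */
        /* Bridge mode: redirect only if this queue has a socket. An XSKMAP miss makes
         * bpf_redirect_map() fail in the kernel; drop rather than leak uninspected traffic. */
        return (rx_queue < NQUEUES && xsk_map[rx_queue] >= 0) ? ACT_REDIRECT_TO_XSK : ACT_DROP;
    }
    return ACT_DROP;   /* TCP with no policy row: fail closed (assumption; the claims leave it open) */
}

/* Constructed sample packet: Ethernet + minimal IPv4 + 20 zeroed L4 bytes, no checksums. */
size_t build_packet(uint8_t *buf, size_t cap, uint8_t proto, uint32_t daddr, uint16_t dport)
{
    const size_t n = 14 + 20 + 20;
    if (cap < n) return 0;
    memset(buf, 0, n);
    buf[12] = 0x08; buf[13] = 0x00;                    /* EtherType IPv4 */
    uint8_t *ip = buf + 14;
    ip[0] = 0x45;                                      /* version 4, IHL 5 */
    ip[9] = proto;
    uint32_t src = ip4(10, 0, 0, 1);
    memcpy(ip + 12, &src, 4);
    memcpy(ip + 16, &daddr, 4);
    uint8_t *l4 = ip + 20;
    l4[0] = 0xc0; l4[1] = 0x00;                        /* source port 49152 */
    l4[2] = (uint8_t)(dport >> 8); l4[3] = (uint8_t)dport;
    return n;
}
```

In a real deployment the correspondence table is a BPF_MAP_TYPE_XSKMAP keyed by RX queue index and holding AF_XDP socket file descriptors; the XDP program consults it with bpf_redirect_map(), and a user-space bridge module can perform the update of claim 3 with bpf_map_update_elem() on a map fd obtained from bpf_map_get_fd_by_id() after walking loaded programs with bpf_prog_get_next_id() and bpf_obj_get_info_by_fd(). Two points a practitioner should carry over: a queue with no bound socket must fail closed (here ACT_DROP) rather than fall through to the peer interface, and the bridge module receives raw frames that the kernel stack never validated, so it must perform its own IP and TCP sanity checks before inspection.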
6. An apparatus for supporting both bridge forwarding and proxy forwarding in transparent mode, comprising:
a data packet parsing module, configured to receive and parse the original data packet through the network interface of the WAF device and to identify in it key characteristic information for traffic classification; and
a traffic steering scheduling module, configured to perform policy matching on the original data packet containing the key characteristic information against a dynamic policy table preset in the Linux kernel of the WAF device; to forward the original data packet to the proxy processing module through the Linux kernel protocol stack if the key characteristic information matches the transparent proxy mode in the dynamic policy table; to send the original data packet to the bridge processing module while bypassing the Linux kernel protocol stack if the key characteristic information matches the transparent bridge mode in the dynamic policy table; and to send the original data packet directly to the opposite-end network interface if it is non-TCP service traffic.
7. The apparatus for supporting both bridge forwarding and proxy forwarding in transparent mode as claimed in claim 6, further comprising:
a socket creation module, configured to create AF_XDP sockets belonging to the bridge processing module and to establish a correspondence between each AF_XDP socket and a network interface data queue;
a data processing module, configured to respond to the traffic steering decision by querying the correspondence between AF_XDP sockets and network interface data queues, obtaining the AF_XDP socket corresponding to the target network interface data queue, and writing the original data packet delivered by that queue into the storage location of that AF_XDP socket in the shared memory area; and
the bridge processing module, configured to read the original data packet from the shared memory area, perform security inspection on it, and transmit the traffic data that passes inspection to the opposite-end network interface.
8. The apparatus for supporting both bridge forwarding and proxy forwarding in transparent mode as claimed in claim 7, wherein the traffic steering scheduling module is further configured to:
have the bridge processing module obtain, through the Linux kernel, information on all XDP programs loaded in the system and identify among them the target XDP program that performs traffic steering of the original data packet;
obtain the file descriptor of the correspondence table between AF_XDP sockets and network interface data queues that already exists in the target XDP program; and
create an AF_XDP socket for the bridge processing module and, through that file descriptor, write the socket into the entry of the correspondence table for the network interface data queue.
9. The apparatus for supporting both bridge forwarding and proxy forwarding in transparent mode as claimed in claim 6, wherein the key characteristic information includes five-tuple data and/or payload characteristics.
10. The apparatus for supporting both bridge forwarding and proxy forwarding in transparent mode as claimed in claim 6, wherein the traffic steering scheduling module is further configured to:
add to the original data packet a mark that identifies it for the Linux kernel protocol stack; and
have the Linux kernel protocol stack recognise and parse the marked original data packet and forward the processed original data packet to the proxy processing module.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202511386508.4A CN120880803A (en) | 2025-09-26 | 2025-09-26 | Method and apparatus for supporting both bridge forwarding and proxy forwarding in transparent mode |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN120880803A true CN120880803A (en) | 2025-10-31 |
Family
ID: 97470505
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202511386508.4A Pending CN120880803A (en) | 2025-09-26 | 2025-09-26 | Method and apparatus for supporting both bridge forwarding and proxy forwarding in transparent mode |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN120880803A (en) |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | | |
| SE01 | Entry into force of request for substantive examination | | |