Embodiment
The detailed description below sets out many specific details so as to give a thorough understanding of the embodiments of the invention. Those skilled in the art will appreciate, however, that these details are illustrative rather than restrictive, and that the invention can be practised without them. Certain well-known components, structures and operations are not described in detail, so as not to obscure the invention unnecessarily.
A reference in the specification to "an embodiment", "one embodiment" or similar wording means that a particular feature, structure or characteristic described in connection with that embodiment is included in at least one embodiment of the invention. Accordingly, the phrases "in one embodiment" or "according to an embodiment" appearing throughout the specification do not necessarily all refer to the same embodiment.
Those skilled in the art will understand that the embodiments described herein can be implemented in hardware, software, firmware, middleware, microcode or any combination thereof.
Reference is first made to Fig. 1, which shows an overview of a system 100 according to an exemplary embodiment of the invention.
In a typical deployment of the system 100, the client 101 is located in one zone of a network (for example a local area network (LAN), not shown), the server 102 is located in another zone of the same network, and the gateway 103 sits between the two zones and bridges them. For simplicity only a single device of each kind is shown here; the invention is not limited to one of each.
The client 101 can be any of a variety of processor-based computing devices. It has its own unique identity on the network, including but not limited to its physical address (that is, its medium access control (MAC) address), its IP address, and so on. The client can run one or more of a variety of operating systems, including but not limited to various versions of Linux™, Unix™, Windows™ and the like.
Likewise, the server 102 and the gateway 103 can each be any of a variety of processor-based computing devices, and each can run one or more of a variety of operating systems. The server 102 provides services of various kinds to requesting devices, including the client 101. The gateway 103 operates in bridge mode and carries the communication between the client 101 and the server 102. In an embodiment of the invention the gateway 103 also provides an application-level proxy service, and that proxy function is transparent at the second layer of the seven-layer network protocol architecture (the data link layer, more specifically its media access control sublayer).
The communication that actually takes place between the client 101 and the server 102 in the presence of the gateway (transparent proxy gateway) 103 is described below by way of the example of a source station (for example the client 101) sending data to a destination station (for example the server 102). Those skilled in the art will understand that taking the client 101 as the source station and the server 102 as the destination station is only one example; the invention is not limited to it.
Data sent by the client 101 is first intercepted by the transparent proxy gateway 103, which then sends the data on to the server 102 under the identity of the client 101. The data transfer between the client 101 and the server 102 is thus carried out through the intervening transparent proxy gateway 103. From the point of view of the client 101 it is communicating directly with the server 102, although this is not actually the case.
More specifically, with reference to Fig. 1, when the transparent proxy gateway 103 receives (intercepts) a frame 110 sent by the client 101 to the server 102 (the arrow on the left of the figure), it can record the MAC layer information contained in the header of the frame 110. That information includes at least the source MAC address (that is, the MAC address of the client 101 itself). It can also include the destination MAC address of the frame 110 (that is, the MAC address of the server 102). Depending on requirements, further information can be recorded; for example, where an 802.1Q virtual local area network (VLAN) is in use (in which a 4-byte VLAN tag is inserted into the Ethernet frame format), the VLAN identifier (ID) carried in the VLAN tag can be recorded as well. The invention is not limited to these.
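As an added worked example, not part of the original description, the following C function performs the recording step just described: it reads the source and destination MAC addresses from the header of an intercepted Ethernet II frame and, where a single 802.1Q tag is present, the 12-bit VLAN ID from the tag. The sample frame is constructed for the example, and the struct and function names are assumptions of the example rather than names used in the description.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_ALEN        6
#define ETHERTYPE_VLAN  0x8100   /* 802.1Q tag protocol identifier */
#define ETHERTYPE_IPV4  0x0800

/* MAC layer information the gateway records from an intercepted frame.
 * Struct and field names are assumptions of this example. */
struct l2_info {
    uint8_t  src_mac[ETH_ALEN];   /* MAC address of the source station */
    uint8_t  dst_mac[ETH_ALEN];   /* MAC address of the destination station */
    int      vlan_id;             /* 0..4095, or -1 if the frame carries no 802.1Q tag */
    uint16_t ethertype;           /* EtherType of the encapsulated payload */
    size_t   payload_off;         /* byte offset of the layer-3 payload in the frame */
};

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);   /* big-endian field */
}

/* Parse an Ethernet II header with at most one 802.1Q tag and fill *out.
 * Returns 0 on success, -1 if the frame is shorter than its own header.
 * The length checks matter: a truncated frame must not make the recorder
 * read past the end of the receive buffer. */
int record_l2_info(const uint8_t *frame, size_t len, struct l2_info *out)
{
    if (len < 14)
        return -1;
    memcpy(out->dst_mac, frame, ETH_ALEN);
    memcpy(out->src_mac, frame + ETH_ALEN, ETH_ALEN);
    uint16_t type = rd16(frame + 12);
    size_t off = 14;
    out->vlan_id = -1;
    if (type == ETHERTYPE_VLAN) {
        if (len < 18)
            return -1;
        /* TCI: 3 bits PCP, 1 bit DEI, 12 bits VID; only the VID is recorded */
        out->vlan_id = rd16(frame + 14) & 0x0fff;
        type = rd16(frame + 16);
        off = 18;
    }
    out->ethertype = type;
    out->payload_off = off;
    return 0;
}

/* Constructed sample frame (not captured traffic): client 02:00:00:00:00:01
 * to server 02:00:00:00:00:02, tagged VLAN 100, carrying the start of an IPv4 header. */
static const uint8_t sample_tagged[] = {
    0x02, 0x00, 0x00, 0x00, 0x00, 0x02,   /* destination MAC (server) */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,   /* source MAC (client) */
    0x81, 0x00, 0x00, 0x64,               /* 802.1Q TPID, TCI with VID 100 */
    0x08, 0x00,                           /* EtherType IPv4 */
    0x45, 0x00, 0x00, 0x14,               /* first bytes of the IPv4 header */
};

struct l2_info sample_info;   /* filled by parse_sample() */

int parse_sample(void)
{
    return record_l2_info(sample_tagged, sizeof sample_tagged, &sample_info);
}

/* A frame cut off inside the VLAN tag must be rejected, not mis-parsed. */
int parse_sample_truncated(void)
{
    return record_l2_info(sample_tagged, 17, &sample_info);
}
```

The recorded VLAN ID is the VID field only; the priority and drop-eligible bits of the tag are left to whatever the outgoing frame carries, since the description records only the identifier.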
After the recording operation, in one embodiment, application-level proxy processing of the application layer data contained in the received frame 110 can begin. Application layer data means data relating to the operation of an application process, including but not limited to e-mail, HTTP messages and the like; it is processed at the application layer of the layered protocol message structure. In the transparent proxy gateway 103 the application-level proxy processing includes, but is not limited to, virus scanning, content filtering and the like, as used in the prior art.
When the application-level proxy processing is complete, and at an appropriate time, the transparent proxy gateway 103 sends a frame 111 to the server 102 under the identity of the client 101 (the arrow on the right of the figure); the frame 111 contains the application layer data that has just been processed. According to the invention, the source MAC address recorded from the frame 110 is used to rewrite the corresponding field in the header of the frame 111, and the rewritten frame 111 is then sent to the server 102. Through this processing the MAC layer information of the frame 111 sent by the transparent proxy gateway 103 is consistent with that of the original frame 110 sent by the client 101, so transparency at the second layer is achieved.
By comparison, an existing transparent proxy gateway running on, for example, a Linux system can change the initiator's IP address and port through system APIs, so that packets forwarded by the gateway to the destination server appear to have been sent directly by the original client (achieving transparency at the third layer, as mentioned above), but it cannot change the source MAC address. In that case, for example, second-layer filtering devices located between the gateway device and the server cannot see the real MAC address of the original client at all, which leads to a series of problems with the corresponding control and access policies. Such a proxy is therefore not truly transparent: it alters some of the client's identifying information in the course of proxying the data.
As described above, the design of the invention achieves transparency at the second layer, which simplifies deployment of the user's network and improves the user experience.
Fig. 2 shows a system 200 according to an exemplary embodiment of the invention in more detail. In what follows, the description of elements that are the same as in Fig. 1 (for example the client 201, the server 202 and the like) is omitted, and the gateway (transparent proxy) 203 of the invention is described in particular.
As shown in the figure, according to an embodiment of the invention, the transparent proxy gateway 203 can comprise recording logic 204, an application-level proxy 205 and a virtual network interface (VIF) 206. As a gateway operating in bridge mode it typically has a plurality of interfaces (that is, network interface cards) for communicating with the respective target stations. For ease of description only two interfaces of the transparent proxy gateway 203 are shown in Fig. 2: the network interface card 207, which can communicate with the client 201, and the network interface card 208, which can communicate with the server 202.
As is known to those skilled in the art, a gateway device usually maintains a forwarding table (not shown) whose entries (if any) give the correspondence between a target station (identified by its MAC address) and an interface of the gateway; for example, the client 201 corresponds to the network interface card 207, the server 202 to the network interface card 208, and so on. When the transparent proxy gateway 203 (more specifically, for example, its network interface card 207) intercepts a frame (for example the frame 210) sent from the client 201 as source station to the server 202 as destination station, it determines that it can communicate with the server 202, for example by searching the forwarding table and finding that there is a network interface card 208 corresponding to the server 202.
In Fig. 2 the recording logic 204 records information about the frame 210 intercepted by the network interface card 207 on its way from the client 201 to the server 202. In an exemplary embodiment of the invention this information comprises at least the source MAC address of the frame 210 (that is, that of the client 201), which can be obtained from the header of the frame. It can further include, without limitation: the destination MAC address of the frame 210 (that is, that of the server 202), which can also be obtained from the header; the interface of the gateway 203 corresponding to that destination MAC address (that is, the network interface card 208), which can be obtained from the forwarding table; and so on. These items of information can be stored in association with one another for later use.
As a non-limiting example, a Linux-based transparent proxy gateway can use connection tracking, which allows the kernel to track and record every logical network connection or session. In an example implementation of the invention, the data structure maintained for each connection (identified, for example, by IP addresses and ports) can be extended to hold additional information. The recording logic 204 can then record the required information (for example the source and destination MAC addresses of the frame 210) in the extended structure, associated with the connection, for later use by subsequent processing.
As the previously received frame 210 passes up through the network protocol stack, its headers are stripped layer by layer and it is handed to the higher layers; the application layer data it contains finally reaches the application-level proxy 205 for conventional application-level proxy processing, including but not limited to virus scanning, content filtering and the like. The main improvement of the invention does not lie here, so this is not described further.
Continuing with reference to Fig. 2, in an exemplary embodiment of the invention, for the frame 211 that the transparent proxy gateway 203 sends to the server 202 under the identity of the client 201 in response to the received frame 210, the source MAC address in that frame can be restored by the VIF 206.
The virtual network interface VIF 206 can be implemented in the form of a network interface driver. Once that driver has been loaded and has registered the interface with the operating system, the operating system treats the VIF 206 as an ordinary network interface. According to an exemplary embodiment of the invention, the VIF 206 can modify the routing policy of the transparent proxy gateway 203 (for example its routing table) so that all data that has been processed by the application-level proxy 205 and needs to be sent transparently (for example, to the server 202) is routed to the VIF 206.
The VIF 206 is able to modify the source MAC address of the frame 211 corresponding to the frame 210. According to an embodiment of the invention, for example, the VIF 206 can consult the relevant part of the information about the frame 210 previously recorded by the recording logic 204 (in the extended connection tracking structure), such as the MAC address of the client 201; it then rewrites the source MAC address in the header of the frame 211 to the recorded source MAC address (that is, the MAC address of the client 201); and it then calls the transmit function of the network interface card 208 directly to send the rewritten frame 211 to the server 202.
As a result, in the frame 211 that the transparent proxy gateway 203 sends to the server 202 under the identity of the client 201, the source MAC address is guaranteed to be the same as the MAC address of the client 201 itself, so transparency at the second layer (the MAC layer) is achieved.
In an embodiment of the invention, the network interface card 208 can be determined as the interface through which to send, for example by using the previously recorded information or by consulting the forwarding table of the gateway.
Here, because the VIF 206 calls the transmit function of the physical network interface card (for example the network interface card 208) directly, the frame does not go through the network protocol stack's own framing for that physical interface; this guarantees that the source MAC address of the frame sent through the physical interface remains the rewritten source MAC address described above (that is, the MAC address of the client 201).
Those skilled in the art will understand that the functions of the components described above can also be combined; for example, the recording logic 204 and the VIF 206 can be implemented in a single component.
Furthermore, considering the case of an 802.1Q VLAN, according to an embodiment of the invention the recording logic 204 can additionally record the VLAN ID of the received frame (for example the frame 210), for instance by recording it in the extended connection tracking structure together with the MAC addresses of that frame. Correspondingly, the VIF 206 can use the recorded VLAN ID to set the VLAN ID of the frame to be sent to the server 202 (for example the frame 211), so that second-layer transparent proxying is also achieved for VLANs.
Furthermore, using the design of the invention, those skilled in the art will understand that for data sent from the server 202 to the client 201 (in which case the server 202 is regarded as the source station and the client 201 as the destination station), the transparent proxy gateway 203 can perform the same processing, so that from the point of view of the client 201 it is the real server 202 that is communicating directly with it, whereas in fact it is the intervening transparent proxy gateway 203 communicating with it under the identity of the server 202.
Furthermore, consider the case in which a connection (or session) must be established by a handshake before data can be transferred (for example when the transmission control protocol (TCP) is used). According to an exemplary embodiment of the invention, when the client 201 first sends a connection establishment request to the server 202, the corresponding request frame can be intercepted by the network interface card 207 of the transparent proxy gateway 203. The gateway 203 determines that it can communicate with the server 202, here through the network interface card 208 (otherwise the gateway 203 could choose to broadcast the request frame out of its other network interface cards, other than the network interface card 207 on which it arrived, as a prior-art bridging device does). The recording logic 204 can then record information about the request frame, for example the source MAC address in its header as the MAC address of the client 201, the destination MAC address in its header as the MAC address of the server 202, and so on; the invention is not limited to these.
According to an exemplary embodiment of the invention, after this information has been recorded, and in accordance with the handshake protocol, the transparent proxy gateway 203 sends an acknowledgement frame to the client 201 under the identity of the server 202 in response to the request frame. The VIF 206 can rewrite the source MAC address in the header of that acknowledgement frame to the recorded MAC address of the server 202 and send the rewritten acknowledgement frame to the client 201 by directly calling the transmit function of the network interface card 207. Those skilled in the art will understand that the client 201 can then send a further acknowledgement frame in response to receiving this acknowledgement frame, as in the prior art. Through such a handshake a connection is established between the client 201 and the transparent proxy gateway 203 (from the point of view of the client 201, of course, the connection has been established directly with the server 202). In addition, at a suitable time the transparent proxy gateway 203 establishes a connection with the server 202 under the identity of the client 201 (more specifically, using the MAC address of that client) in a manner similar to the above, which is not described in detail here.
Data transfer between the client 201 and the server 202 (for example the frame 210) then takes place over the connection so established. Using the previously recorded information, the VIF 206 can rewrite the source MAC address in the header of the frame 211 (which corresponds to the frame 210 and is to be sent to the server 202) to the recorded MAC address of the client 201, thereby achieving transparency at the second layer as described above.
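As an added worked example, not part of the original description, the following C code shows the record-and-restore cycle described above for the recording logic 204 and the VIF 206, including the VLAN case and the reverse direction used for the handshake acknowledgement: the layer-2 identity of both ends is stored against the connection key (standing in for the extended connection tracking entry), and before a stack-built frame is handed to the physical interface's transmit function its source and destination MAC addresses are replaced with the recorded ones and the recorded VLAN tag is carried. The connection key layout, the table, all names and the sample frames are assumptions of the example, not the description's own code.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_ALEN   6
#define MAX_CONNS  64

/* Connection identity as used by connection tracking (assumed layout for this
 * example: IPv4 addresses and ports in host byte order, client->server). */
struct conn_key { uint32_t saddr, daddr; uint16_t sport, dport; };

/* Extension kept with each tracked connection: the layer-2 identity of both
 * ends as seen on the first intercepted frame. */
struct l2_ext {
    struct conn_key key;
    uint8_t client_mac[ETH_ALEN];   /* source MAC of the original frame */
    uint8_t server_mac[ETH_ALEN];   /* destination MAC of the original frame */
    int     vlan_id;                /* -1 if the original frame was untagged */
    int     in_use;
};

static struct l2_ext table[MAX_CONNS];   /* stands in for the conntrack table */

static int key_eq(const struct conn_key *a, const struct conn_key *b)
{
    return a->saddr == b->saddr && a->daddr == b->daddr &&
           a->sport == b->sport && a->dport == b->dport;
}

/* Recording step: remember the MACs and VLAN of the intercepted frame. */
int l2_record(const struct conn_key *k, const uint8_t *cmac, const uint8_t *smac, int vlan)
{
    for (int i = 0; i < MAX_CONNS; i++) {
        if (!table[i].in_use || key_eq(&table[i].key, k)) {
            table[i].key = *k; table[i].in_use = 1; table[i].vlan_id = vlan;
            memcpy(table[i].client_mac, cmac, ETH_ALEN);
            memcpy(table[i].server_mac, smac, ETH_ALEN);
            return 0;
        }
    }
    return -1;   /* table full */
}

/* A frame from the server back to the client matches the recorded key with
 * addresses and ports swapped; *reverse reports which direction matched. */
static struct l2_ext *l2_lookup(const struct conn_key *k, int *reverse)
{
    struct conn_key r = { k->daddr, k->saddr, k->dport, k->sport };
    for (int i = 0; i < MAX_CONNS; i++) {
        if (!table[i].in_use)
            continue;
        if (key_eq(&table[i].key, k)) { *reverse = 0; return &table[i]; }
        if (key_eq(&table[i].key, &r)) { *reverse = 1; return &table[i]; }
    }
    return NULL;
}

/* Restore step, run before the physical NIC's transmit function is called: put
 * the recorded MACs in place of those the local stack wrote and carry the
 * recorded VLAN ID. frame holds len bytes in a buffer of cap bytes. Returns the
 * new length, or -1 if the connection is unknown, the frame is too short, or
 * the buffer has no room for the 4-byte tag. */
long l2_restore(uint8_t *frame, size_t len, size_t cap, const struct conn_key *k)
{
    int reverse;
    struct l2_ext *e = l2_lookup(k, &reverse);
    if (!e || len < 14)
        return -1;
    memcpy(frame, reverse ? e->client_mac : e->server_mac, ETH_ALEN);            /* dst */
    memcpy(frame + ETH_ALEN, reverse ? e->server_mac : e->client_mac, ETH_ALEN); /* src */
    if (e->vlan_id >= 0) {
        if (!(frame[12] == 0x81 && frame[13] == 0x00)) {   /* stack built it untagged */
            if (len + 4 > cap)
                return -1;
            memmove(frame + 16, frame + 12, len - 12);     /* open a gap after the MACs */
            frame[12] = 0x81; frame[13] = 0x00; frame[14] = 0x00;
            len += 4;
        }
        frame[14] = (uint8_t)((frame[14] & 0xf0) | ((e->vlan_id >> 8) & 0x0f)); /* keep PCP/DEI */
        frame[15] = (uint8_t)(e->vlan_id & 0xff);
    }
    return (long)len;
}

/* Constructed example data (not captured traffic). */
static const uint8_t client_mac[ETH_ALEN] = { 0x02, 0, 0, 0, 0, 0x01 };
static const uint8_t server_mac[ETH_ALEN] = { 0x02, 0, 0, 0, 0, 0x02 };
static const uint8_t gw_mac[ETH_ALEN]     = { 0x02, 0, 0, 0, 0, 0xaa };
static const struct conn_key c2s = { 0x0a000001, 0x0a000002, 40000, 80 };
uint8_t out_frame[64];   /* last restored frame, for inspection */

/* Build an 18-byte untagged frame as the local stack would (gateway MAC as
 * source), record the connection, restore the frame and return its length. */
static long run_demo(const uint8_t *dst, const struct conn_key *k)
{
    uint8_t f[64] = { 0 };
    memcpy(f, dst, ETH_ALEN);
    memcpy(f + ETH_ALEN, gw_mac, ETH_ALEN);
    f[12] = 0x08; f[13] = 0x00; f[14] = 0x45;   /* EtherType IPv4, start of IPv4 header */
    l2_record(&c2s, client_mac, server_mac, 100);
    long n = l2_restore(f, 18, sizeof f, k);
    if (n > 0)
        memcpy(out_frame, f, (size_t)n);
    return n;
}

long demo_forward(void) { return run_demo(server_mac, &c2s); }   /* gateway acting as the client */
long demo_reverse(void)                                          /* gateway acting as the server */
{
    return run_demo(client_mac, &(struct conn_key){ 0x0a000002, 0x0a000001, 80, 40000 });
}
long demo_unknown(void)                                          /* connection never recorded */
{
    return run_demo(server_mac, &(struct conn_key){ 0xc0a80001, 0xc0a80002, 1234, 5678 });
}
```

In a kernel implementation the tag would be inserted in the headroom of the socket buffer rather than by memmove, and the frame must still fit the physical interface's MTU after the 4 bytes are added; the capacity check stands in for both. Note also that the frame leaves the physical interface with a source MAC that is not the interface's own, exactly as it would from a plain bridge, so a virtual switch or port-security feature that rejects forged source addresses on that port will drop it and must be configured to permit it.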
With reference to Fig. 3, a flow chart of a method 300 according to an exemplary embodiment of the invention is shown below. The method 300 can be implemented in a gateway with an application-level proxy function (for example the transparent proxy gateway 103, 203).
As shown in the figure, the process starts at step S301, in which the application layer data contained in a first frame, sent from a source station to a destination station and intercepted by a first network interface card of the gateway, is processed. Referring to the example given in connection with Fig. 2: the transparent proxy gateway 203 (more specifically, its network interface card 207, which can communicate with the client 201) intercepts the frame 210 sent from the client 201 to the server 202, which contains application layer data such as, without limitation, e-mail, HTTP messages and the like; as a gateway with an application-level proxy function, the gateway 203 processes that application layer data in its application-level proxy 205, for example, without limitation, by virus scanning, content filtering and the like.
To provide the proxy function, the gateway has to send the data previously intercepted from the source station (after it has been processed by the gateway) to the destination station under the identity of the source station. According to an exemplary embodiment of the invention, at step S302 the source MAC address in the header of a second frame, which is to be sent to the destination station in response to the first frame and which contains the processed application layer data, is rewritten to the MAC address of the source station. Continuing with reference to Fig. 2, after the application-level proxy 205 has processed the application layer data contained in the frame 210, the VIF 206 can rewrite the source MAC address in the header of the resulting second frame 211, which contains the processed application layer data, to the MAC address of the client 201 itself. In other words, the MAC address information in the header of the rewritten frame 211 is consistent with the MAC address information in the header of the frame 210 originally sent by the client 201.
The process then proceeds to step S303, in which the second frame is sent to the destination station by directly calling the transmit function of a second network interface card of the gateway. Continuing with reference to Fig. 2, after the rewriting described above the VIF 206 can directly call the transmit function of the real physical network interface card 208 of the transparent proxy gateway 203 (which can communicate with the server 202), so that the frame 211 is actually sent to the server 202. The method 300 for MAC layer transparent proxying according to an embodiment of the invention can then end.
In addition, in an embodiment of the invention, before step S301, when the first frame (for example the frame 210) is intercepted by the first network interface card (for example the network interface card 207), the source MAC address in the header of the frame 210 can be recorded as the MAC address of the client 201 for use in the subsequent rewriting step. In this recording step the destination MAC address in the header of the frame 210 can also be recorded as the MAC address of the server 202. Moreover, where the frame 210 carries a VLAN tag, the VLAN identifier of the frame 210 can also be recorded in this step, and in the rewriting step S302 the VLAN identifier of the frame 211 can be set to the recorded VLAN identifier of the frame 210. As one specific implementation, the recorded information, including but not limited to the MAC address of the source station, the MAC address of the destination station and the VLAN identifier, can be stored in the extended connection tracking structure, as described above.
In addition, in an embodiment of the invention, before step S301, when a request frame asking to establish a connection between the client 201 as source station and the server 202 as destination station is intercepted by the network interface card 207 (consider the case in which a connection must be established by a handshake before data transfer can proceed, where the frame 210 containing the application layer data is transmitted over the established connection), the source MAC address in the header of that request frame can be recorded as the MAC address of the client 201 for use in the subsequent rewriting step S302. Similarly, the destination MAC address and the VLAN identifier of the request frame can be recorded as the MAC address and VLAN identifier of the server 202, and so on. Moreover, in response to the intercepted request frame, as part of establishing the connection by handshake between the transparent proxy gateway 203 under the identity of the server 202 and the client 201, the source MAC address in the header of the acknowledgement frame responding to the request frame can be rewritten, for example by the VIF 206, to the recorded MAC address of the server 202, and that acknowledgement frame is then sent to the client 201 by calling the transmit function of the network interface card 207.
The exemplary method 300 has been described above with reference to Fig. 3. Those skilled in the art will understand that the method steps are illustrative rather than restrictive; depending on the specific implementation the method can include further additional or alternative steps. In one or more arrangements the functions corresponding to these method steps can be implemented in hardware, software, firmware or any combination thereof.
Fig. 4 shows a block diagram of an apparatus 400 according to an exemplary embodiment of the invention.
The apparatus 400 comprises at least the following: a rewriting module 401, for rewriting, after the application layer data contained in a first frame sent from a source station to a destination station and intercepted by a first network interface card of a gateway that can communicate with the source station has been processed, the source MAC address in the header of a second frame, which is to be sent to the destination station in response to the first frame and which contains the processed application layer data, to the MAC address of the source station; and a sending module 402, for sending the second frame to the destination station by calling the transmit function of a second network interface card of the gateway that can communicate with the destination station.
The apparatus 400 can also comprise additional or alternative modules in order to implement further corresponding functions, for example those described above in connection with the method 300. The apparatus 400 can correspond, for example, to the gateway device 103, 203 shown in Figs. 1 and 2, or to one or more components thereof. It should be understood that although the apparatus 400 is described as comprising a plurality of modules, these can be functional modules implemented in hardware, software or a combination thereof.
Although some embodiments of the invention have been described above, those skilled in the art will readily appreciate that many modifications and variations of these embodiments are possible. It should therefore be understood that the appended claims are intended to cover all such modifications and variations that fall within the spirit and scope of the invention.