
Publication number: CN102761534 A
Publication type: Application
Application number: CN 201110119721
Publication date: 31 Oct 2012
Filing date: 29 Apr 2011
Priority date: 29 Apr 2011
Also published as: CN102761534B
Publication numbers: 201110119721.0, CN 102761534 A, CN 102761534A, CN 201110119721, CN-A-102761534, CN102761534 A, CN102761534A, CN201110119721, CN201110119721.0
Inventors: 冯景辉
Applicant: 北京瑞星信息技术有限公司
External links: SIPO, Espacenet
Method and device for realizing transparent proxy of media access control layer
CN 102761534 A
Abstract
The invention provides a method and apparatus for implementing a media access control (MAC) layer transparent proxy. After the application-layer data contained in a first frame, sent from a source station to a destination station and intercepted by a first network card in a gateway that is able to communicate with the source station, has been processed, the source MAC address information in the header of a second frame, which is sent to the destination station in response to the first frame and contains the application-layer data, is modified to the MAC address of the source station; in addition, the send function of a second network card in the gateway that is able to communicate with the destination station is called, and the second frame is sent to the destination station.
Claims (18), translated from Chinese
1. A method for implementing a media access control (MAC) layer transparent proxy, comprising: after the application-layer data contained in a first frame, sent from a source station to a destination station and intercepted by a first network card in a gateway that is able to communicate with the source station, has been processed, modifying the source MAC address information in the header of a second frame, which is to be sent to the destination station in response to the first frame and which contains the processed application-layer data, to the MAC address of the source station; and sending the second frame to the destination station by calling the send function of a second network card in the gateway that is able to communicate with the destination station.
2. The method of claim 1, further comprising: when the first frame is intercepted by the first network card, recording the source MAC address information in the header of the first frame as the MAC address of the source station.
3. The method of claim 2, wherein the recording step further comprises: recording the destination MAC address information in the header of the first frame as the MAC address of the destination station.
4. The method of claim 2, wherein the first frame carries a virtual local area network (VLAN) tag, and wherein the recording step further comprises: recording the VLAN identifier in the VLAN tag of the first frame; and the modifying step further comprises: modifying the VLAN identifier in the VLAN tag of the second frame to the recorded VLAN identifier of the first frame.
5. The method of claim 1, further comprising: when a request frame requesting that a connection be established between the source station and the destination station is intercepted by the first network card, recording the source MAC address information in the header of the request frame as the MAC address of the source station, wherein the first frame is transmitted over the connection to be established.
6. The method of claim 5, wherein the recording step further comprises: recording the destination MAC address information in the header of the request frame as the MAC address of the destination station.
7. The method of claim 6, further comprising: modifying the source MAC address information in the header of a reply frame that responds to the request frame to the recorded MAC address of the destination station; and sending the reply frame to the source station by calling the send function of the first network card.
8. The method of claim 5, wherein the request frame carries a virtual local area network (VLAN) tag, and wherein the recording step further comprises: recording the VLAN identifier in the VLAN tag of the request frame; and the modifying step further comprises: modifying the VLAN identifier in the VLAN tag of the second frame to the recorded VLAN identifier of the request frame.
9. The method of any one of claims 2 to 8, wherein the recorded information is stored in an extended connection-tracking structure.
10. An apparatus for implementing a media access control (MAC) layer transparent proxy, comprising: a modifying module configured to, after the application-layer data contained in a first frame, sent from a source station to a destination station and intercepted by a first network card in a gateway that is able to communicate with the source station, has been processed, modify the source MAC address information in the header of a second frame, which is to be sent to the destination station in response to the first frame and which contains the processed application-layer data, to the MAC address of the source station; and a sending module configured to send the second frame to the destination station by calling the send function of a second network card in the gateway that is able to communicate with the destination station.
11. The apparatus of claim 10, further comprising: a recording module configured to, when the first frame is intercepted by the first network card, record the source MAC address information in the header of the first frame as the MAC address of the source station.
12. The apparatus of claim 11, wherein the recording module further records the destination MAC address information in the header of the first frame as the MAC address of the destination station.
13. The apparatus of claim 11, wherein the first frame carries a virtual local area network (VLAN) tag, and wherein the recording module further records the VLAN identifier in the VLAN tag of the first frame; and the modifying module further modifies the VLAN identifier in the VLAN tag of the second frame to the recorded VLAN identifier of the first frame.
14. The apparatus of claim 10, further comprising: a recording module configured to, when a request frame requesting that a connection be established between the source station and the destination station is intercepted by the first network card, record the source MAC address information in the header of the request frame as the MAC address of the source station, wherein the first frame is transmitted over the connection to be established.
15. The apparatus of claim 14, wherein the recording module further records the destination MAC address information in the header of the request frame as the MAC address of the destination station.
16. The apparatus of claim 15, further comprising: a module for modifying the source MAC address information in the header of a reply frame that responds to the request frame to the recorded MAC address of the destination station; and a module for sending the reply frame to the source station by calling the send function of the first network card.
17. The apparatus of claim 14, wherein the request frame carries a virtual local area network (VLAN) tag, and wherein the recording module further records the VLAN identifier in the VLAN tag of the request frame; and the modifying module further modifies the VLAN identifier in the VLAN tag of the second frame to the recorded VLAN identifier of the request frame.
18. The apparatus of any one of claims 9 to 17, wherein the recorded information is stored in an extended connection-tracking structure.
Description, translated from Chinese

Method and apparatus for implementing a media access control layer transparent proxy

TECHNICAL FIELD

[0001] The present invention relates generally to the field of information processing and, more particularly, to a method and apparatus for implementing a media access control (MAC) layer transparent proxy.

BACKGROUND

[0002] Gateway-based content filtering devices (for example, firewalls) are usually implemented in one of two ways: as a filtering type or as a proxy type. A filtering gateway is one in which data transmitted over the network is intercepted by the gateway device as it passes through and its content analyzed; in a proxy gateway, the client that wants to communicate with a server first communicates with the gateway proxy, and the gateway proxy in turn communicates with the real server; during this process the gateway proxy may cache data content. [0003] More specifically, in a proxy gateway that implements transparent transmission, the communication between client and server is proxied onto the intermediate gateway device; the client believes it is communicating directly with the server, but it is in fact communicating with the gateway device, and the gateway device in turn communicates with the server in the identity of the client. Moreover, the proxy gateway can imitate the identity of the server in order to change the behaviour and details of its communication with the client; it may choose to return to the client only the data from its communication with the server that is safe.

[0004] In this transparent transmission model, as described above, the gateway device communicates with the server in the identity of the client. In the usual proxy model the identity of the client is given by the client's Internet Protocol (IP) address. For example, the gateway device uses the client's IP address to communicate with the server and transfer data; specifically, as a transparent proxy, the gateway device guarantees that the source IP address information of the packets sent to the server is the same as the IP address of the real client. In the typical seven-layer network protocol architecture, IP resides at the network layer (that is, layer 3), so the usual proxy model achieves layer-3 transparency.

SUMMARY

[0005] According to one embodiment of the present invention, a method for implementing a MAC layer transparent proxy is disclosed. The method comprises: after the application-layer data contained in a first frame, sent from a source station to a destination station and intercepted by a first network card in a gateway that is able to communicate with the source station, has been processed, modifying the source MAC address information in the header of a second frame, which is to be sent to the destination station in response to the first frame and which contains the processed application-layer data, to the MAC address of the source station; and sending the second frame to the destination station by calling the send function of a second network card in the gateway that is able to communicate with the destination station.

[0006] According to another embodiment of the present invention, an apparatus for implementing a MAC layer transparent proxy is disclosed. The apparatus comprises: a modifying module configured to, after the application-layer data contained in a first frame, sent from a source station to a destination station and intercepted by a first network card in a gateway that is able to communicate with the source station, has been processed, modify the source MAC address information in the header of a second frame, which is to be sent to the destination station in response to the first frame and which contains the processed application-layer data, to the MAC address of the source station; and a sending module configured to send the second frame to the destination station by calling the send function of a second network card in the gateway that is able to communicate with the destination station.

BRIEF DESCRIPTION OF THE DRAWINGS

[0007] Exemplary embodiments of the present invention are described with reference to the following drawings. It should be understood that these drawings are merely illustrative and not restrictive, and that the same or similar reference numerals in the drawings denote corresponding or similar elements.

[0008] Figure 1 shows an overview of a system according to an exemplary embodiment of the present invention;

[0009] Figure 2 shows a system according to an exemplary embodiment of the present invention in more detail;

[0010] Figure 3 shows a flowchart of a method according to an exemplary embodiment of the present invention; and

[0011] Figure 4 shows a block diagram of an apparatus according to an exemplary embodiment of the present invention.

DETAILED DESCRIPTION

[0012] In the detailed description below, numerous specific details are given in order to provide a thorough understanding of embodiments of the present invention. However, those skilled in the art will understand that these specific details are merely exemplary and not limiting, and that the invention may be practised without them. Well-known components, structures and operations are not described in detail in the specification, so as not to unduly obscure the present invention.

[0013] Reference in the specification to "one embodiment" or "an embodiment" and the like means that a particular feature, structure or characteristic described in connection with that embodiment is included in at least one embodiment of the present invention. Accordingly, the phrases "in one embodiment" or "according to one embodiment" and the like appearing in various places in this specification do not necessarily all refer to the same embodiment.

[0014] Those skilled in the art will understand that the embodiments described herein may be implemented in hardware, software, firmware, middleware, microcode, or any combination thereof.

[0015] Referring first to Figure 1, an overview of a system 100 according to an exemplary embodiment of the present invention is shown.

[0016] In a typical implementation of system 100, client 101 is located in one area of a network (for example, a local area network, not shown), server 102 is located in another area of the same network, and gateway 103 sits between the two areas and acts as a bridge. For simplicity, only a single device is shown for each component of the system; the present invention is not, however, limited thereto.

[0017] Client 101 may be any of a variety of processor-based computing devices and has its own unique identity within the network, for example, including but not limited to the client's physical address (that is, its media access control (MAC) address), its IP address, and so on. The client may run one or more of a variety of operating systems, for example, including but not limited to various versions of Linux™, Unix™, Windows™, and so on.

[0018] Similarly, server 102 and gateway 103 may each be any of a variety of processor-based computing devices; likewise, server 102 and gateway 103 may each run one or more of a variety of operating systems. Server 102 provides various types of services to the various requesting devices, including client 101. Gateway 103 operates in bridge mode and carries the communication between client 101 and server 102. In embodiments of the present invention, gateway 103 also provides application-layer proxy services, and its proxy function is transparent at layer 2 of the seven-layer network protocol architecture as well (the data link layer, more specifically its MAC sublayer).

[0019] Below, taking as an example a source station (for example, client 101) sending data to a destination station (for example, server 102), a communication process that actually takes place between client 101 and server 102 in the presence of gateway (or transparent proxy gateway) 103 is described. Those skilled in the art will understand that using client 101 as the source station and server 102 as the destination station is only an example; the present invention is not limited thereto.

[0020] Data sent by client 101 is first intercepted by transparent proxy gateway 103, which then sends the data to server 102 in the identity of client 101. Data transfer between client 101 and server 102 is thereby achieved through the intermediate transparent proxy gateway 103. From the perspective of client 101, it is communicating directly with server 102, but this is not actually the case.

[0021] More specifically, referring to Figure 1, when transparent proxy gateway 103 receives (or intercepts) a frame 110 sent by client 101 to server 102 (shown by the left arrow in the figure), it may record the MAC-layer information contained in the header of frame 110, for example, at least the source MAC address information (that is, client 101's own MAC address), and so on. The recorded MAC-layer information may also include the destination MAC address information of frame 110 (that is, the MAC address of server 102). In addition, depending on actual needs, other information may also be recorded; for example, where 802.1Q virtual local area networks (VLANs) are used (in which a 4-byte VLAN tag is inserted into the Ethernet frame format), the VLAN identifier (ID) in the VLAN tag may also be recorded, and so on. The present invention is not limited thereto.

[0022] After the above recording operation is complete, in one embodiment, application-layer proxy processing of the application-layer data contained in the received frame 110 may begin. Application-layer data means data related to the operation of an application process, for example, including but not limited to e-mail, HTTP messages and so on, which is processed at the application layer of the layered protocol information structure. In transparent proxy gateway 103, application-layer proxy processing includes, for example, but is not limited to, virus scanning and removal, content filtering and so on, as used in the prior art.

[0023] After the application-layer proxy processing is complete, at an appropriate time, transparent proxy gateway 103 sends a frame 111 (shown by the right arrow in the figure) to server 102 in the identity of client 101; frame 111 contains the previously processed application-layer data. It should be noted that, according to the present invention, the source MAC address information of frame 110 recorded earlier may be used to modify the corresponding information in the header of frame 111, and the modified frame 111 is then sent to server 102. It will be understood that, through such processing, the MAC-layer information of frame 111 sent by transparent proxy gateway 103 is kept consistent with that of the original frame 110 sent by client 101, so that layer-2 transparency can be achieved.

[0024] By contrast, on an existing transparent proxy gateway running, for example, a Linux system, although the initiator's IP address and port can be modified by calling system APIs (so that packets forwarded from the gateway to the target server appear to have been sent directly by the original client, achieving layer-3 transparency as described above), the source MAC address cannot be modified. In that case, for example, layer-2 filtering devices located between the gateway device and the server may be completely unable to see the real client MAC address, leading to a series of problems with the corresponding control and admission policies that cannot be solved; such a proxy implementation is therefore not truly transparent, that is, it modifies some of the client's identity information while proxying the data transfer.

[0025] As described above, the design of the present invention achieves layer-2 transparency, which facilitates network deployment by users and at the same time improves the user experience.

[0026] 图2更详细地示出了根据本发明的一个示例性实施例的系统200。 [0026] Figure 2 shows in more detail the system of the present invention is an exemplary embodiment of the 200. 在下文中,省略了针对与图I中相同的单元(例如,客户端201、服务器202等等)的说明,而着重具体描述本发明的网关(或透明代理)203。 Hereinafter, explanation is omitted in Fig. I for the same unit (e.g., client 201, server 202, etc.), and focuses the gateway (or transparent proxy) 203 detailed description of the invention.

[0027] 如图所示,根据本发明的一个实施例,透明代理网关203可以包括记录逻辑204、应用层代理205、以及虚拟网卡(VIF) 206。 [0027] As shown, according to one embodiment of the invention, a transparent proxy gateway logic 203 may include a record 204, the application layer proxy 205, and virtual NICs (VIF) 206. 作为处于桥接模式的网关,其典型地具有多个接口(即,网卡)以用于与各自对应的目标站进行通信。 As the gateway is in bridge mode, which typically has a plurality of interfaces (i.e., network card) for the respective destination station to communicate. 为了描述的方便,在图2中针对透明代理网关203仅示出了两个接口,即能够与客户端201进行通信的网卡207、以及能够与服务器202进行通信的网卡208。 For convenience of description, in Figure 2 for a transparent proxy gateway 203 shows only two interfaces, i.e., the client 201 can perform communication with the card 207, and can communicate with the server 202 of the card 208.

[0028] 如本领域技术人员所已知的,通常网关设备中维护有一个转发表(未示出),其中的条目(如果有的话)表明目标站(用其MAC地址来标识)与该网关的一个接口之间的对应关系,例如客户端201对应于网卡207、服务器202对应于网卡208等等。 [0028] As is known to the skilled artisan, typically the gateway device maintains a forwarding table (not shown), in which the entries (if any) that the target station (identified by its MAC address) and the A correspondence relationship between a gateway interface, for example, the client 201 corresponds to the network card 207, the server 202 corresponds to the network card 208 and the like. 透明代理网关203 (更具体地,例如,网卡207)在截取到从作为源站的客户端201发往作为目的站的服务器202的一个帧(例如,帧210)时,确定该网关能够与服务器202进行通信,例如,通过搜索转发表,发现存在与服务器202相对应的网卡208。 Transparent Proxy Gateway 203 (more specifically, e.g., NIC 207) from the terminal 201 to the interception of hair as a source station as a frame to the client server 202 of the destination station (e.g., frame 210), it is determined that the gateway server is capable of 202 communicate, for example, by searching the forwarding table, the server 202 is found to exist corresponding to the card 208.

[0029] 在图2中,记录逻辑204用于记录网卡207所截取的从客户端201发往服务器202的帧210的有关信息。 [0029] In Figure 2, logic 204 for recording the recording card 207 201 the intercepted information sent to the server 202 of the frame 210 from the client. 在本发明的一个示例性实施例中,所述信息至少包括帧210的源(即,客户端201)MAC地址,这可以从该帧的首部中获得。 In one exemplary embodiment of the present invention, said information frame including at least a source 210 (i.e., client 201) MAC address, which can be obtained from the header portion of the frame. 所述信息例如还可以包括但不限于:帧210的目的(即,服务器202)MAC地址,这也可以从该帧的首部中获得;与该目的MAC地址相对应的属于网关203的接口(即,网卡208),这可以从所述转发表中获得;等等。 The information may also include, but are not limited to: The purpose of frame 210 (i.e., server 202) MAC address, which can be obtained from the header portion of the frame; and the destination MAC address corresponding to the part of the gateway interface 203 (i.e. , NIC 208), which can be obtained from the forwarding table; and so on. 这些信息可以被相关联地存储,以便于使用。 This information can be stored in association with ease of use.

[0030] 作为一个非限定性的例子,在基于Linux的透明代理网关中,可以使用连接跟踪来允许内核跟踪并记录所有的逻辑网络连接或会话。 [0030] As a non-limiting example, the Linux-based transparent proxy gateway, you can use the connection tracking to allow the kernel to track and record all of the logical network connection or session. 在本发明的一种示例实现中,可以扩展针对每个连接而维护的数据结构(例如,以IP地址和端口作为其标识)以便存储更多的信息。 In one exemplary implementation of the invention can be extended for each connection and maintains data structures (e.g., the IP address and port as its identity) to store more information. 例如,记录逻辑204可以将所需的信息(例如,帧210的源和目的MAC地址等等)相关联地记录在扩展后的结构中,供后续过程使用。 For example, logic 204 can record the desired information (e.g., the frame 210 of the source and destination MAC address, etc.) recorded in association with the structure after extension for subsequent use process.

[0031] 通过网络协议栈,之前接收到的帧210被逐层剥去首部并向更高层传递,最终其中包含的应用层数据被传递给应用层代理206以进行常规的应用层代理处理,例如,包括但不限于查杀病毒、内容过滤等等。 [0031] through the network protocol stack, before the received frame 210 is peeled off layer by layer to the higher layer transmitted header, which contains the final application layer data is transmitted to the application layer proxy 206 for a conventional application layer proxy processing, e.g. including, but not limited to killing the virus, content filtering, and so on. 本发明的主要改进不在于此,因此省略对其的进一步描述。 The main improvement of the present invention is not limited, and therefore further description thereof is omitted.

[0032] 继续参考图2,在本发明的一个示例性实施例中,对于透明代理网关203响应于接收到的帧210、而以客户端101的身份向服务器102发送的帧211,通过VIF 206能够实现该帧中源MAC地址的恢复。 [0032] With continued reference to Figure 2, in an exemplary embodiment of the present invention, the transparent proxy gateway 203 in response to the received frame 210, and the identity of the frame 101 to the client 102 sends to the server 211, through the VIF 206 enabling the frame to restore the source MAC address.

[0033] 虚拟网卡VIF 206可以通过网卡驱动的形式来实现。 [0033] VIF 206 virtual NICs can be achieved through the NIC driver form. 在操作系统中加载该驱动从而对该网卡进行注册之后,VIF 206被操作系统识别成是一块普通的网卡。 After loading the driver in the operating system so that the card registration, VIF 206 by the operating system is recognized as a common card. 根据本发明的一个示例性实施例,VIF 206可以修改透明代理网关203的路由策略(例如,路由表),以使得对于经应用层代理205处理的、需要透明发送出去(例如,发给服务器202)的数据都被路由到VIF 206来进行发送。 According to an exemplary embodiment of the present invention embodiment, VIF 206 can modify the transparent proxy gateway routing policy 203 (e.g., a routing table), such proxy 205 for processing by the application layer, and to transparently sent (e.g., sent to the server 202 ) data are routed to VIF 206 for transmission.

[0034] VIF 206具有修改与帧210对应的帧211的源MAC地址的能力。 [0034] VIF 206 has the ability to modify the source MAC address of the frame 210 corresponding frame 211. 按照本发明的一个实施例,例如,VIF 206可以参考之前由记录逻辑204记录(在扩展的连接跟踪中)的帧210的有关信息中的对应内容,作为客户端201的MAC地址;接着,将帧211的首部中的源MAC地址信息修改为所记录的源MAC地址(即,客户端201的MAC地址);然后,直接调用网卡208的发送函数将修改后的帧211发送给服务器202。 According to one embodiment of the present invention, e.g., VIF 206 may refer before recording by the recording logic 204 (in extended connection trace) of the frame information of the corresponding content 210, 201, as a client MAC address; Subsequently, The source MAC address 211 of the information frame header modification of the recorded source MAC address (i.e., the MAC address of the client 201); then, directly call the network card 208 of the modified transmission function of the frame 211 to the server 202.

[0035] 由此,在透明代理网关203以客户端201的身份发送给服务器202的帧211中,能够确保源MAC地址信息也是与客户端201自身的MAC地址一样的,从而实现了第二层(MAC层)透明。 [0035] Thus, transparent proxy sent to the gateway to the identity of the client 203 201 211 202 server frame, can ensure that the source MAC address is 201 and the client's own MAC address of the same, in order to achieve the second layer (MAC layer) transparent.

[0036] In one embodiment of the invention, for example, the previously recorded information can be used, with reference to the gateway's forwarding table, to determine that transmission is to take place through network card 208.

[0037] Here, because VIF 206 directly calls the send function of the physical network card (for example, network card 208), the framing that the network protocol stack would otherwise perform for that physical network card is bypassed, thereby ensuring that the source MAC address of the frame sent out via the physical network card remains the source MAC address as modified above (that is, the MAC address of the client 201).

[0038] Those skilled in the art will appreciate that the functions of the above components may also be combined with one another; for example, the recording logic 204 and VIF 205 may be implemented in a single component.

[0039] In addition, considering the case of 802.1Q VLANs, according to one embodiment of the invention, the recording logic 204 may additionally record the VLAN ID of the received frame (for example, frame 210); for example, it can be recorded in the extended structure of the connection tracking in association with information such as the MAC addresses of that frame. Correspondingly, VIF 206 can also use the recorded VLAN ID to change the VLAN ID of the frame to be sent to the server 202 (for example, frame 211), so that a layer 2 transparent proxy is also achieved for VLANs.

[0040] Furthermore, using the design concept of the invention, those skilled in the art will appreciate that for data sent from the server 202 to the client 201 (in this case, the server 202 can be regarded as the source station and the client 201 as the destination station), the transparent proxy gateway 203 can perform similar processing, so that from the client 201's point of view it is the real server 202 that communicates directly with it, whereas in fact it is the intervening transparent proxy gateway 203 that communicates with it in the identity of the server 202.

[0041] Furthermore, consider the case where a connection (or session) needs to be established through a handshake in order to transfer data (for example, when the Transmission Control Protocol (TCP) is used). According to one exemplary embodiment of the invention, in this case, when the client 201 first issues a connection establishment request to the server 202, the corresponding request frame is intercepted by the network card 207 of the transparent proxy gateway 203. The gateway 203 confirms that it is able to communicate with the server 202, here for example through network card 208 (otherwise, the gateway 203 may choose to broadcast the request frame directly through the other network cards on the gateway apart from network card 207, as bridging devices in the prior art do). Then, the recording logic 204 can record information about the request frame, for example the source MAC address in the frame's header as the MAC address of the client 201, the destination MAC address in the frame's header as the MAC address of the server 202, and so on; the invention is not limited thereto.

[0042] According to one exemplary embodiment of the invention, after such information has been recorded, in accordance with the handshake protocol, for the reply frame that the transparent proxy gateway 203 sends to the client 201 in the identity of the server 202 in response to the request frame, VIF 206 can modify the source MAC address information in the header of that reply frame to the recorded MAC address of the server 202, and send the modified reply frame to the client 201 by directly calling the send function of network card 207. Those skilled in the art will appreciate that the client 201 then responds to receiving the reply frame by issuing a further acknowledgement frame, as in the prior art. Through such a handshake, a connection is established between the client 201 and the transparent proxy gateway 203 (of course, from the client 201's point of view, it has established a connection directly with the server 202). In addition, at a suitable later time, the transparent proxy gateway 203 establishes a connection with the server 202 in the identity of the client 201 (more specifically, that client's MAC address); this case is similar to the above and is not described in detail here.

[0043] The data transfer between the client 201 and the server 202 (for example, frame 210) takes place over the connection thus established. Using the previously recorded information, VIF 206 can modify the source MAC address information in the header of frame 211, which corresponds to frame 210 and is to be sent to the server 202, to the recorded MAC address of the client 201, thereby achieving layer 2 transparency, as described above.

[0044] Referring now to Figure 3, a flowchart of a method 300 according to one exemplary embodiment of the invention is shown. The method 300 can be implemented in a gateway having an application layer proxy function (for example, the transparent proxy gateways 103, 203).

[0045] As shown, the process begins at step S301, in which the application layer data contained in the first frame, sent from the source station to the destination station and intercepted by the first network card in the gateway, is processed. With reference to the example given in conjunction with Figure 2, for the application layer data contained in frame 210, sent from the client 201 to the server 202 and intercepted by the transparent proxy gateway 203 (more specifically, its network card 207, which is able to communicate with the client 201), for example including but not limited to e-mail, HTTP messages and so on, the gateway 203, as a gateway having an application layer proxy function, can have its application layer proxy 205 process that application layer data, for example including but not limited to virus scanning and removal, content filtering and so on.

[0046] In order to implement the proxy function, the gateway needs to send the data previously intercepted from the source station (which has already been processed by the gateway) to the destination in the identity of the source station. According to one exemplary embodiment of the invention, in step S302, the source MAC address information in the header of the second frame, which is to be sent to the destination station in response to the first frame and contains the processed application layer data, is modified to the MAC address of the source station. With continued reference to Figure 2, after the application layer proxy 205 has processed the application layer data contained in frame 210, VIF 206 can modify the source MAC address information in the header of the resulting second frame 211, which contains the processed application layer data, to the client 201's own MAC address. That is, the MAC address information in the header of frame 211 so modified is kept consistent with the MAC address information in the header of frame 210 originally sent by the client 201.

[0047] The process then proceeds to step S303, in which the second frame is sent to the destination station by directly calling the send function of the second network card in the gateway. With continued reference to Figure 2, after the above modification has been completed, VIF 206 can directly call the send function of the real physical network card 208 (which is able to communicate with the server 202) in the transparent proxy gateway 203, so that frame 211 is actually sent to the server 202. The method 300 according to one embodiment of the invention, which achieves a MAC layer transparent proxy, can then end.

[0048] Furthermore, in one embodiment of the invention, before step S301, when the first frame (for example, frame 210) is intercepted by the first network card (for example, network card 207), the source MAC address information in the header of frame 210 can also be recorded as the MAC address of the client 201 for use in the subsequent modification step. In addition, in this recording step, the destination MAC address information in the header of frame 210 can also be recorded as the MAC address of the server 202. Moreover, where frame 210 carries a VLAN tag, the VLAN identifier of frame 210 can also be recorded in this recording step, and in the modification step S302 the VLAN identifier of frame 211 can also be modified to the recorded VLAN identifier of frame 210. As one specific implementation, the recorded information, for example including but not limited to the MAC address of the source station, the MAC address of the destination station, the VLAN identifier and so on, can be stored in the extended connection tracking, as described above.

[0049] Furthermore, in one embodiment of the invention, before step S301, when a request frame requesting establishment of a connection between the client 201 as the source station and the server 202 as the destination station is intercepted by network card 207 (for example, consider the case where a connection needs to be established through a handshake before data transfer can continue, and frame 210 containing the application layer data is transmitted over the connection once established), the source MAC address information in the header of that request frame can also be recorded as the MAC address of the client 201 for use in the subsequent modification step S302. Similarly, the destination MAC address information of that request frame can also be recorded as the MAC address of the server 202, as can the VLAN identifier, and so on. Moreover, in response to the intercepted request frame, as part of the transparent proxy gateway 203 establishing a connection with the client 201 through the handshake in the identity of the server 202, the source MAC address information in the header of the reply frame responding to that request frame can also be modified, for example by VIF 206, to the recorded MAC address of the server 202, and the send function of network card 207 is then called to send such a reply frame to the client 201.
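The recording and rewrite steps described in paragraphs [0034], [0039], [0042] and [0046] to [0049] (record the client's source MAC, the server's destination MAC and the VLAN ID when the first frame or the connection request is intercepted; later rebuild the header of the gateway-generated frame from that record, in either direction) can be modelled end to end in a few dozen lines. The following is an added example written for this page and is not code from the patent or from the applicant's product. The Ethernet/802.1Q parser, the flow key (TCP 4-tuple), the `ExtendedConntrack` class standing in for the patent's extended connection tracking, `restore_l2` standing in for VIF 206, and all sample MAC and IP addresses are constructed for the example; the reference numerals (frame 210, frame 211, NIC 207, client 201, server 202) appear only in comments to tie the code back to the description. The real design calls a NIC send function from a kernel driver; here the rewritten frame is simply returned as bytes.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ETHERTYPE_VLAN, ETHERTYPE_IPV4 = 0x8100, 0x0800
FlowKey = Tuple[bytes, int, bytes, int]  # (src_ip, src_port, dst_ip, dst_port)

@dataclass(frozen=True)
class L2Info:
    src_mac: bytes
    dst_mac: bytes
    vlan_id: Optional[int]  # None when the frame carries no 802.1Q tag
    ethertype: int          # ethertype of the payload (after any VLAN tag)

def parse_l2(frame: bytes) -> Tuple[L2Info, int]:
    """Parse the Ethernet header plus an optional single 802.1Q tag; return
    the fields and the offset at which the L3 payload starts."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    vlan_id, off = None, 14
    if etype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan_id, off = tci & 0x0FFF, 18
    return L2Info(src, dst, vlan_id, etype), off

def flow_key(frame: bytes, off: int) -> FlowKey:
    """TCP 4-tuple of the IPv4 packet starting at `off` (IHL respected)."""
    ihl = (frame[off] & 0x0F) * 4
    if frame[off + 9] != 6:
        raise ValueError("only TCP flows are tracked in this example")
    sport, dport = struct.unpack("!HH", frame[off + ihl:off + ihl + 4])
    return (frame[off + 12:off + 16], sport, frame[off + 16:off + 20], dport)

class ExtendedConntrack:
    """Stand-in for the patent's extended connection tracking (recording logic
    204): per client->server flow, the client's original L2 header."""
    def __init__(self) -> None:
        self.table: Dict[FlowKey, L2Info] = {}

    def record(self, frame_from_client: bytes) -> FlowKey:
        info, off = parse_l2(frame_from_client)
        key = flow_key(frame_from_client, off)
        self.table[key] = info
        return key

    def lookup(self, frame: bytes, toward_server: bool) -> Optional[L2Info]:
        """Replies toward the client are matched on the reversed 4-tuple."""
        info, off = parse_l2(frame)
        k = flow_key(frame, off)
        return self.table.get(k if toward_server else (k[2], k[3], k[0], k[1]))

def restore_l2(gateway_frame: bytes, rec: L2Info, toward_server: bool) -> bytes:
    """Stand-in for VIF 206: replace the L2 header the gateway's own stack put
    on the frame with the recorded one. Toward the server the frame appears to
    come from the client (step S302); toward the client, a handshake reply
    appears to come from the server ([0042]). The 802.1Q tag is added,
    replaced or stripped to match the record (PCP/DEI zeroed)."""
    info, off = parse_l2(gateway_frame)
    src, dst = (rec.src_mac, rec.dst_mac) if toward_server else (rec.dst_mac, rec.src_mac)
    header = dst + src
    if rec.vlan_id is not None:
        header += struct.pack("!HH", ETHERTYPE_VLAN, rec.vlan_id)
    return header + struct.pack("!H", info.ethertype) + gateway_frame[off:]

def forward(ct: ExtendedConntrack, gateway_frame: bytes, toward_server: bool) -> bytes:
    """Rewrite if the flow was recorded; an unknown flow is never rewritten."""
    rec = ct.lookup(gateway_frame, toward_server)
    return restore_l2(gateway_frame, rec, toward_server) if rec else gateway_frame

def build_frame(dst_mac: bytes, src_mac: bytes, vlan_id: Optional[int], src_ip: bytes,
                sport: int, dst_ip: bytes, dport: int, payload: bytes = b"") -> bytes:
    """Constructed Ethernet/[802.1Q]/IPv4/TCP frame for the demo (checksums 0)."""
    l2 = dst_mac + src_mac
    if vlan_id is not None:
        l2 += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64, 6, 0,
                     src_ip, dst_ip)
    return l2 + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp + payload

# Constructed sample addresses (not from the patent).
CLIENT_MAC = bytes.fromhex("020000000001")
SERVER_MAC = bytes.fromhex("020000000002")
GATEWAY_MAC = bytes.fromhex("020000000099")
CLIENT_IP, SERVER_IP = bytes([10, 0, 0, 10]), bytes([10, 0, 0, 20])

def demo() -> Tuple[L2Info, L2Info]:
    ct = ExtendedConntrack()
    # frame 210: client -> server on VLAN 100, intercepted on NIC 207 and recorded
    ct.record(build_frame(SERVER_MAC, CLIENT_MAC, 100, CLIENT_IP, 40000, SERVER_IP, 80))
    # frame 211: what the gateway's stack emits after the proxy processed the
    # data: source MAC is the gateway's own and the VLAN tag is gone
    frame211 = build_frame(SERVER_MAC, GATEWAY_MAC, None, CLIENT_IP, 40000, SERVER_IP, 80, b"GET /")
    to_server, _ = parse_l2(forward(ct, frame211, True))
    # handshake reply toward the client, sent in the server's identity via NIC 207
    synack = build_frame(CLIENT_MAC, GATEWAY_MAC, None, SERVER_IP, 80, CLIENT_IP, 40000)
    to_client, _ = parse_l2(forward(ct, synack, False))
    return to_server, to_client

if __name__ == "__main__":
    for label, info in zip(("to server", "to client"), demo()):
        print(label, info.src_mac.hex(":"), "->", info.dst_mac.hex(":"), "vlan", info.vlan_id)
```

Two choices in the example matter for a deployment: the conntrack entry is keyed on the TCP 4-tuple and looked up on the reversed tuple for server-to-client frames, so one record serves both directions of paragraph [0040]; and `forward` leaves any frame for an unrecorded flow untouched, so the gateway only ever emits another station's MAC for connections it actually intercepted.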

[0050] The exemplary method 300 has been described above with reference to Figure 3; those skilled in the art will appreciate that the method steps above are merely exemplary and not restrictive, and that depending on the specific implementation the method may include further additional or alternative steps. In one or more aspects, the functions corresponding to these method steps can be implemented in hardware, software, firmware or any combination thereof.

[0051] Figure 4 shows a block diagram of an apparatus 400 according to one exemplary embodiment of the invention.

[0052] The apparatus 400 includes at least the following parts: a modification module 401, for modifying, after the application layer data contained in a first frame sent from a source station to a destination station and intercepted by a first network card in the gateway that is able to communicate with the source station has been processed, the source MAC address information in the header of a second frame, which is to be sent to the destination station in response to the first frame and contains the processed application layer data, to the MAC address of the source station; and a sending module 402, for sending the second frame to the destination station by calling the send function of a second network card in the gateway that is able to communicate with the destination station.

[0053] Furthermore, the apparatus 400 may also include additional or alternative modules for implementing further corresponding functions, for example those described above in conjunction with the method 300. The apparatus 400 may correspond, for example, to the gateway devices 103, 203 shown in Figure 1 and Figure 2, or to one or more components thereof. It should be understood that the apparatus 400 is described as comprising a plurality of modules, which may represent functional modules implemented by hardware, software or a combination thereof.

[0054] Although some embodiments of the invention have been described and illustrated above, those skilled in the art will readily conceive of many modifications and variations of these embodiments that are equally feasible. It should therefore be understood that the appended claims are intended to cover all such modifications and variations that fall within the spirit and scope of the invention.

Classifications
International classification: H04L29/06, H04L29/08

Legal events
Date          Code   Event
31 Oct 2012   C06    Publication
26 Dec 2012   C10    Entry into substantive examination
11 May 2016   C14    Grant of patent or utility model
11 May 2016   COR    Change of bibliographic data