Publication number: CN102761534 B
Publication type: Grant
Application number: CN 201110119721
Publication date: 11 May 2016
Filing date: 29 Apr 2011
Priority date: 29 Apr 2011
Also published as: CN102761534A
Publication number: 201110119721.0, CN 102761534 B, CN 102761534B, CN 201110119721, CN-B-102761534, CN102761534 B, CN102761534B, CN201110119721, CN201110119721.0
Inventors: 冯景辉
Applicant: 北京瑞星信息技术股份有限公司
Method and apparatus for implementing a media access control layer transparent proxy
CN 102761534 B
Abstract
A method and apparatus for implementing a media access control (MAC) layer transparent proxy are disclosed. After the application-layer data contained in a first frame, which is sent from a source station to a destination station and intercepted by a first network card in a gateway that can communicate with the source station, has been processed, the source MAC address information in the header of a second frame, which contains the processed application-layer data and is to be sent to the destination station in response to the first frame, is modified to the MAC address of the source station, and the second frame is sent to the destination station by calling the transmit function of a second network card in the gateway that can communicate with the destination station.
Claims (18)
1. A method for implementing a media access control (MAC) layer transparent proxy, comprising: processing, by an application-layer proxy in a gateway, application-layer data contained in a first frame that is sent from a source station to a destination station and intercepted by a first physical network card in the gateway that can communicate with the source station; receiving, by a virtual network card in the gateway, a second frame that contains the processed application-layer data, is to be sent to the destination station in response to the first frame, and is routed to the virtual network card based on the gateway's routing policy as modified by the virtual network card; modifying, by the virtual network card, the source MAC address information in the header of the second frame to the MAC address of the source station; and sending, by the virtual network card, the second frame to the destination station by directly calling the transmit function of a second physical network card in the gateway that can communicate with the destination station, thereby avoiding the process of framing for the second physical network card through the network protocol stack.
2. The method according to claim 1, further comprising: when the first frame is intercepted by the first physical network card, recording the source MAC address information in the header of the first frame as the MAC address of the source station.
3. The method according to claim 2, wherein the recording step further comprises: recording the destination MAC address information in the header of the first frame as the MAC address of the destination station.
4. The method according to claim 2, wherein the first frame has a virtual local area network (VLAN) tag, and wherein the recording step further comprises: recording the VLAN identifier in the VLAN tag of the first frame; and the modifying step further comprises: modifying the VLAN identifier in the VLAN tag of the second frame to the recorded VLAN identifier of the first frame.
5. The method according to claim 1, further comprising: when a request frame requesting that a connection be established between the source station and the destination station is intercepted by the first physical network card, recording the source MAC address information in the header of the request frame as the MAC address of the source station, wherein the first frame is transmitted over the connection to be established.
6. The method according to claim 5, wherein the recording step further comprises: recording the destination MAC address information in the header of the request frame as the MAC address of the destination station.
7. The method according to claim 6, further comprising: modifying the source MAC address information in the header of a reply frame that responds to the request frame to the recorded MAC address of the destination station; and sending the reply frame to the source station by calling the transmit function of the first physical network card.
8. The method according to claim 5, wherein the request frame has a virtual local area network (VLAN) tag, and wherein the recording step further comprises: recording the VLAN identifier in the VLAN tag of the request frame; and the modifying step further comprises: modifying the VLAN identifier in the VLAN tag of the second frame to the recorded VLAN identifier of the request frame.
9. The method according to any one of claims 2 to 8, wherein the recorded information is stored in extended connection tracking.
10. An apparatus for implementing a media access control (MAC) layer transparent proxy, comprising: a modification module configured so that, after an application-layer proxy in a gateway has processed application-layer data contained in a first frame that is sent from a source station to a destination station and intercepted by a first physical network card in the gateway that can communicate with the source station, a virtual network card in the gateway modifies to the MAC address of the source station the source MAC address information in the header of a second frame that it has received, the second frame containing the processed application-layer data, being intended for the destination station in response to the first frame, and having been routed to the virtual network card based on the gateway's routing policy as modified by the virtual network card; and a sending module configured so that the virtual network card sends the second frame to the destination station by directly calling the transmit function of a second physical network card in the gateway that can communicate with the destination station, thereby avoiding the process of framing for the second physical network card through the network protocol stack.
11. The apparatus according to claim 10, further comprising: a recording module configured to record, when the first frame is intercepted by the first physical network card, the source MAC address information in the header of the first frame as the MAC address of the source station.
12. The apparatus according to claim 11, wherein the recording module further records the destination MAC address information in the header of the first frame as the MAC address of the destination station.
13. The apparatus according to claim 11, wherein the first frame has a virtual local area network (VLAN) tag, and wherein the recording module further records the VLAN identifier in the VLAN tag of the first frame; and the modification module further modifies the VLAN identifier in the VLAN tag of the second frame to the recorded VLAN identifier of the first frame.
14. The apparatus according to claim 10, further comprising: a recording module configured to record, when a request frame requesting that a connection be established between the source station and the destination station is intercepted by the first physical network card, the source MAC address information in the header of the request frame as the MAC address of the source station, wherein the first frame is transmitted over the connection to be established.
15. The apparatus according to claim 14, wherein the recording module further records the destination MAC address information in the header of the request frame as the MAC address of the destination station.
16. The apparatus according to claim 15, further comprising: a module for modifying the source MAC address information in the header of a reply frame that responds to the request frame to the recorded MAC address of the destination station; and a module for sending the reply frame to the source station by calling the transmit function of the first physical network card.
17. The apparatus according to claim 14, wherein the request frame has a virtual local area network (VLAN) tag, and wherein the recording module further records the VLAN identifier in the VLAN tag of the request frame; and the modification module further modifies the VLAN identifier in the VLAN tag of the second frame to the recorded VLAN identifier of the request frame.
18. The apparatus according to any one of claims 11 to 17, wherein the recorded information is stored in extended connection tracking.
Description
Method and apparatus for implementing a media access control layer transparent proxy

TECHNICAL FIELD

[0001] The present invention relates generally to the field of information processing and, more particularly, to a method and apparatus for implementing a media access control (MAC) layer transparent proxy.

BACKGROUND

[0002] Gateway-based content filtering devices (for example, firewalls) are usually implemented in one of two ways: as a filtering type or as a proxy type. In a filtering gateway, data transmitted over the network is intercepted by the gateway device as it passes through, and its content is analyzed. In a proxy gateway, a client that communicates with a server first communicates with the gateway proxy, and the gateway proxy in turn communicates with the real server; in this process, the gateway proxy can cache the data content.

[0003] More specifically, in a proxy gateway that implements transparent transmission, the communication between the client and the server is proxied by the gateway device in the middle: the client believes it is communicating directly with the server, but it is actually communicating with the gateway device, which in turn communicates with the server using the client's identity. Moreover, the proxy gateway can assume the server's identity to change the behavior and details of the communication with the client, and it can choose to return to the client only the safe data from its communication with the server.

[0004] In this transparent transmission model, as described above, the gateway device communicates with the server using the client's identity. In the usual proxy model, the client's identity is identified by the client's Internet Protocol (IP) address. For example, the gateway device uses the client's IP address to communicate with the server and transmit data; specifically, as a transparent proxy, the gateway device ensures that the source IP address information of packets sent to the server is the same as the real client's IP address. In the typical seven-layer network protocol architecture, IP is at the network layer (that is, layer 3), so the usual proxy model achieves layer-3 transparency.

SUMMARY

[0005] According to one embodiment of the present invention, a method for implementing a MAC layer transparent proxy is disclosed. The method comprises: after the application-layer data contained in a first frame, which is sent from a source station to a destination station and intercepted by a first network card in a gateway that can communicate with the source station, has been processed, modifying to the MAC address of the source station the source MAC address information in the header of a second frame that contains the processed application-layer data and is to be sent to the destination station in response to the first frame; and sending the second frame to the destination station by calling the transmit function of a second network card in the gateway that can communicate with the destination station.

[0006] According to another embodiment of the present invention, an apparatus for implementing a MAC layer transparent proxy is disclosed. The apparatus comprises: a modification module configured to, after the application-layer data contained in a first frame, which is sent from a source station to a destination station and intercepted by a first network card in a gateway that can communicate with the source station, has been processed, modify to the MAC address of the source station the source MAC address information in the header of a second frame that contains the processed application-layer data and is to be sent to the destination station in response to the first frame; and a sending module configured to send the second frame to the destination station by calling the transmit function of a second network card in the gateway that can communicate with the destination station.

BRIEF DESCRIPTION OF THE DRAWINGS

[0007] Exemplary embodiments of the present invention are described with reference to the following drawings. It should be understood that these drawings are only illustrative and not restrictive, and that the same or similar reference numerals in the drawings indicate corresponding or similar elements.

[0008] FIG. 1 shows an overview of a system according to an exemplary embodiment of the present invention;

[0009] FIG. 2 shows in more detail a system according to an exemplary embodiment of the present invention;

[0010] FIG. 3 shows a flowchart of a method according to an exemplary embodiment of the present invention; and

[0011] FIG. 4 shows a block diagram of an apparatus according to an exemplary embodiment of the present invention.

DETAILED DESCRIPTION

[0012] In the following detailed description, numerous specific details are given to provide a thorough understanding of embodiments of the present invention. However, those skilled in the art will understand that these specific details are only exemplary and not restrictive, and that the invention can be practiced without them. Some well-known components, structures and operations are not described in detail in this specification, so as not to unduly obscure the invention.

[0013] The phrases "one embodiment", "an embodiment" and the like in this specification mean that a particular feature, structure or characteristic described in connection with that embodiment is included in at least one embodiment of the present invention. Accordingly, occurrences of the phrases "in one embodiment", "according to one embodiment" and the like in various places in this specification do not necessarily refer to the same embodiment.

[0014] Those skilled in the art will appreciate that the embodiments described herein can be implemented in hardware, software, firmware, middleware, microcode, or any combination thereof.

[0015] Reference is first made to FIG. 1, which shows an overview of a system 100 according to an exemplary embodiment of the present invention.

[0016] In a typical implementation of system 100, the client 101 is located in one area of a network (for example, a local area network, not shown), the server 102 is located in another area of the same network, and the gateway 103 is located between these two areas and acts as a bridge. For simplicity, only a single device is shown here for each component of the system, but the present invention is not limited thereto.

[0017] The client 101 may include any of a variety of processor-based computing devices and has its own unique identity within the network, for example, including but not limited to the client's physical address (that is, its media access control (MAC) address), its IP address, and so on. The client may run one or more of various operating systems, for example, including but not limited to

[0018] Similarly, the server 102 and the gateway 103 may each include any of a variety of processor-based computing devices; likewise, the server 102 and the gateway 103 may each run one or more of various operating systems. The server 102 provides various types of services to requesting devices, including the client 101. The gateway 103 is in bridge mode and enables communication between the client 101 and the server 102. In embodiments of the present invention, the gateway 102 can also provide application-layer proxy services, and its proxy function is also transparent to layer 2 of the seven-layer network protocol architecture (the data link layer, and more specifically its MAC sublayer).

[0019] The following takes a source station (for example, the client 101) sending data to a destination station (for example, the server 102) as an example to describe a communication process that actually takes place between the client 101 and the server 102 when the gateway (or transparent proxy gateway) 103 is present. Those skilled in the art will appreciate that using the client 101 as the source station and the server 102 as the destination station is only an example, and the present invention is not limited thereto.

[0020] Data sent by the client 101 is first intercepted by the transparent proxy gateway 103, which then sends the data to the server 102 using the identity of the client 101. Data transmission between the client 101 and the server 102 is thus achieved through the intermediate transparent proxy gateway 103. From the point of view of the client 101, it is communicating directly with the server 102, but this is not actually the case.

[0021] More specifically, referring to FIG. 1, when the transparent proxy gateway 103 receives (or intercepts) the frame 110 sent by the client 101 to the server 102 (shown by the arrow on the left of the figure), it can record the MAC layer information contained in the header of frame 110, which includes at least the source MAC address information (that is, the MAC address of the client 101 itself), and so on. The recorded MAC layer information can also include the destination MAC address information of frame 110 (that is, the MAC address of the server 202). In addition, depending on actual needs, other information can be recorded; for example, when an 802.1Q virtual local area network (VLAN) is used (in which a 4-byte VLAN tag is inserted into the Ethernet frame format), the VLAN identifier (ID) in the VLAN tag can also be recorded, and so on. The present invention is not limited thereto.

[0022] After the recording operation is complete, in one embodiment, application-layer proxy processing of the application-layer data contained in the received frame 110 can begin. Application-layer data is data related to the operation of an application process, for example, including but not limited to e-mail, HTTP messages and so on, and it is processed at the application layer of the layered protocol structure. In the transparent proxy gateway 103, the application-layer proxy processing includes, for example but without limitation, virus scanning and removal, content filtering and so on, as used in the prior art.

[0023] After the application-layer proxy processing is complete, at an appropriate time, the transparent proxy gateway 103 sends the frame 111 to the server 102 using the identity of the client 101 (shown by the arrow on the right of the figure); frame 111 contains the application-layer data that has just been processed. Note that, according to the present invention, the previously recorded source MAC address information of frame 110 can be used to modify the corresponding information in the header of frame 111, and the modified frame 111 is then sent to the server 102. With this processing, the MAC layer information of the frame 111 sent by the transparent proxy gateway 103 is consistent with that of the original frame 110 sent by the client 101, so layer-2 transparency is achieved.

[0024] By contrast, on an existing transparent proxy gateway running, for example, a Linux system, the initiator's IP address and port can be modified by calling system APIs (so that packets forwarded from the gateway to the target server appear to have been sent directly by the original client, which achieves layer-3 transparency as described above), but the source MAC address cannot be modified. In that case, for example, layer-2 filtering devices located between the gateway device and the server may not see the real client MAC address at all, so a series of problems such as the corresponding control and admission policies cannot be solved, and such a proxy implementation is not truly transparent; that is, it modifies some of the client's identity information while proxying the data transmission.

[0025] As described above, the design of the present invention achieves layer-2 transparency, which makes network deployment easier for the user and improves the user experience.

[0026] FIG. 2 shows in more detail a system 200 according to an exemplary embodiment of the present invention. In the following, descriptions of the units that are the same as in FIG. 1 (for example, the client 201, the server 202 and so on) are omitted, and the description concentrates on the gateway (or transparent proxy) 203 of the present invention.

[0027] As shown in the figure, according to one embodiment of the present invention, the transparent proxy gateway 203 may include recording logic 204, an application-layer proxy 205, and a virtual network card (VIF) 206. As a gateway in bridge mode, it typically has multiple interfaces (that is, network cards) for communicating with their respective target stations. For convenience of description, FIG. 2 shows only two interfaces of the transparent proxy gateway 203: the network card 207, which can communicate with the client 201, and the network card 208, which can communicate with the server 202.

[0028] As is known to those skilled in the art, a gateway device usually maintains a forwarding table (not shown), whose entries (if any) indicate the correspondence between a target station (identified by its MAC address) and one of the gateway's interfaces; for example, the client 201 corresponds to network card 207, the server 202 corresponds to network card 208, and so on. When the transparent proxy gateway 203 (more specifically, for example, network card 207) intercepts a frame (for example, frame 210) sent from the client 201 as the source station to the server 202 as the destination station, it determines that the gateway can communicate with the server 202, for example by searching the forwarding table and finding that there is a network card 208 corresponding to the server 202.

[0029] In FIG. 2, the recording logic 204 records information about the frame 210 that is sent from the client 201 to the server 202 and intercepted by network card 207. In an exemplary embodiment of the present invention, this information includes at least the source (that is, client 201) MAC address of frame 210, which can be obtained from the frame's header. The information can also include, for example but without limitation: the destination (that is, server 202) MAC address of frame 210, which can also be obtained from the frame's header; the interface of gateway 203 that corresponds to this destination MAC address (that is, network card 208), which can be obtained from the forwarding table; and so on. These pieces of information can be stored in association with one another for ease of use.

[0030] As a non-limiting example, in a Linux-based transparent proxy gateway, connection tracking can be used to let the kernel track and record all logical network connections or sessions. In one example implementation of the present invention, the data structure maintained for each connection (identified, for example, by IP address and port) can be extended to store more information. For example, the recording logic 204 can record the required information (for example, the source and destination MAC addresses of frame 210) in association in the extended structure, for use by subsequent processing.

[0031] As the previously received frame 210 passes up the network protocol stack, its headers are stripped layer by layer, and the application-layer data it contains is finally passed to the application-layer proxy 206 for conventional application-layer proxy processing, for example, including but not limited to virus scanning and removal, content filtering and so on. The main improvement of the present invention does not lie here, so further description is omitted.

[0032] With continued reference to FIG. 2, in an exemplary embodiment of the present invention, for the frame 211 that the transparent proxy gateway 203 sends to the server 102 using the identity of the client 101 in response to the received frame 210, the VIF 206 makes it possible to restore the source MAC address in that frame.

[0033] The virtual network card VIF 206 can be implemented in the form of a network card driver. After the driver is loaded in the operating system and the network card is thereby registered, the operating system recognizes VIF 206 as an ordinary network card. According to an exemplary embodiment of the present invention, VIF 206 can modify the routing policy (for example, the routing table) of the transparent proxy gateway 203 so that all data that has been processed by the application-layer proxy 205 and needs to be sent out transparently (for example, to the server 202) is routed to VIF 206 for transmission.

[0034] VIF 206 is able to modify the source MAC address of frame 211, which corresponds to frame 210. According to one embodiment of the present invention, for example, VIF 206 can look up the corresponding content in the information about frame 210 previously recorded by the recording logic 204 (in the extended connection tracking) and take it as the MAC address of the client 201; it then modifies the source MAC address information in the header of frame 211 to the recorded source MAC address (that is, the MAC address of the client 201); and it then directly calls the transmit function of network card 208 to send the modified frame 211 to the server 202.

[0035] Thus, in frame 211, which the transparent proxy gateway 203 sends to server 202 in the identity of client 201, the source MAC address information is guaranteed to be the same as client 201's own MAC address, which achieves layer-2 (MAC-layer) transparency.

[0036] In one embodiment of the present invention, the previously recorded information can be used, for example, together with the gateway's forwarding table, to determine that transmission is to take place through NIC 208.

[0037] Here, having VIF 206 directly call the transmit function of the physical NIC (for example, NIC 208) avoids the framing that the network protocol stack would otherwise perform for that physical NIC. This ensures that the source MAC address of the frame sent through the physical NIC remains the source MAC address as modified above (i.e., the MAC address of client 201).

[0038] Those skilled in the art will appreciate that the functions of the components described above can also be combined with one another; for example, the recording logic 204 and VIF 205 can be implemented in a single component.

[0039] In addition, considering the case of 802.1Q VLANs, according to one embodiment of the present invention the recording logic 204 can additionally record the VLAN ID of a received frame (for example, frame 210); for example, it can record the VLAN ID in the extended structure of the connection tracking, in association with the frame's MAC addresses and other information. Correspondingly, VIF 206 can use the recorded VLAN ID to change the VLAN ID of the frame to be sent to server 202 (for example, frame 211), so that layer-2 transparent proxying is also achieved for VLANs.

[0040] Furthermore, those skilled in the art will appreciate that, using the design idea of the present invention, the transparent proxy gateway 203 can perform similar processing on data sent from server 202 to client 201 (in which case server 202 can be regarded as the source station and client 201 as the destination station). From the point of view of client 201, the real server 202 is communicating with it directly, whereas in fact the intervening transparent proxy gateway 203 is communicating with it in the identity of server 202.

[0041] Furthermore, consider the case in which a connection (or session) must be established by a handshake before data can be transferred (for example, when the Transmission Control Protocol (TCP) is used). According to an exemplary embodiment of the present invention, in this case, when client 201 first sends a connection establishment request to server 202, the corresponding request frame is intercepted by NIC 207 of the transparent proxy gateway 203. Gateway 203 confirms that it is able to communicate with server 202, here, for example, through NIC 208 (otherwise, gateway 203 may choose to broadcast the request frame directly through the gateway's NICs other than NIC 207, as bridging devices in the prior art do). The recording logic 204 can then record information about the request frame, for example, the source MAC address in the frame's header as the MAC address of client 201, the destination MAC address in the frame's header as the MAC address of server 202, and so on; the present invention is not limited in this respect.

[0042] According to an exemplary embodiment of the present invention, after this information has been recorded, the transparent proxy gateway 203, following the handshake protocol, sends a response frame to client 201 in the identity of server 202 in response to the request frame. VIF 206 can change the source MAC address information in the header of this response frame to the recorded MAC address of server 202 and send the modified response frame to client 201 by directly calling the transmit function of NIC 207. Those skilled in the art will appreciate that client 201 then sends a further acknowledgment frame in response to receiving the response frame, as in the prior art. Through this handshake, a connection is established between client 201 and the transparent proxy gateway 203 (from the point of view of client 201, of course, it has established a connection directly with server 202). Later, at an appropriate time, the transparent proxy gateway 203 establishes a connection with server 202 in the identity of client 201 (more specifically, using that client's MAC address) in a similar manner, which is not described in detail here.

[0043] Data transfer between client 201 and server 202 (for example, frame 210) takes place over the connections established in this way. Using the previously recorded information, VIF 206 can change the source MAC address information in the header of frame 211, the frame that corresponds to frame 210 and is to be sent to server 202, to the recorded MAC address of client 201, thereby achieving layer-2 transparency as described above.

[0044] Referring now to FIG. 3, a flowchart of a method 300 according to an exemplary embodiment of the present invention is shown. The method 300 can be implemented in a gateway that has an application-layer proxy function (for example, transparent proxy gateway 103, 203).

[0045] As shown, the process begins at step S301, in which the application-layer data contained in a first frame, sent from the source station to the destination station and intercepted by a first NIC in the gateway, is processed. In the example given with reference to FIG. 2, frame 210, sent from client 201 to server 202, is intercepted by the transparent proxy gateway 203 (more specifically, by its NIC 207, which is able to communicate with client 201). The frame contains application-layer data, including but not limited to e-mail, HTTP messages and so on. Because gateway 203 has an application-layer proxy function, its application-layer proxy 205 can process this application-layer data, including but not limited to virus scanning and removal, content filtering, and so on.

[0046] To perform its proxy function, the gateway needs to send the data previously intercepted from the source station (after the gateway has processed it) to the destination in the identity of the source station. According to an exemplary embodiment of the present invention, in step S302 the source MAC address information in the header of a second frame, which is to be sent to the destination station in response to the first frame and which contains the processed application-layer data, is changed to the MAC address of the source station. Still referring to FIG. 2, after the application-layer proxy 205 has processed the application-layer data contained in frame 210, VIF 206 can change the source MAC address information in the header of the resulting second frame 211, which contains the processed application-layer data, to client 201's own MAC address. In other words, the MAC address information in the header of the modified frame 211 is consistent with the MAC address information in the header of frame 210 as originally sent by client 201.

[0047] The process then proceeds to step S303, in which the second frame is sent to the destination station by directly calling the transmit function of a second NIC in the gateway. Still referring to FIG. 2, after the modification described above is complete, VIF 206 can directly call the transmit function of the real physical NIC 208 in the transparent proxy gateway 203 (which is able to communicate with server 202), so that frame 211 is actually sent to server 202. The method 300 for implementing a MAC-layer transparent proxy according to one embodiment of the present invention can then end.

[0048] Furthermore, in one embodiment of the present invention, before step S301, when the first frame (e.g., frame 210) is intercepted by the first NIC (e.g., NIC 207), the source MAC address information in the header of frame 210 can be recorded as the MAC address of client 201 for use in the subsequent modifying step. In this recording step, the destination MAC address information in the header of frame 210 can also be recorded as the MAC address of server 202. Moreover, where frame 210 carries a VLAN tag, the VLAN identifier of frame 210 can also be recorded in this recording step, and in the modifying step S302 the VLAN identifier of frame 211 can also be changed to the recorded VLAN identifier of frame 210. As one specific implementation, the recorded information, including but not limited to the source station's MAC address, the destination station's MAC address and the VLAN identifier, can be stored in the extended connection tracking, as described above.
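The recording step and the modifying step S302, modelled on in-memory byte buffers as an added example; it is not code from the patent or its applicant. The struct layout, the function names and the two sample frames are assumptions constructed here, and the direct call to the physical NIC's transmit function (S303) is not modelled.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define MAC_LEN 6
#define TPID_8021Q 0x8100u

/* Hypothetical extended connection-tracking entry: layer-2 facts recorded
 * when the first NIC intercepts a frame (the recording step before S301). */
struct l2_record {
    uint8_t  src_mac[MAC_LEN];   /* source station (client) MAC */
    uint8_t  dst_mac[MAC_LEN];   /* destination station (server) MAC */
    int      tagged;             /* 1 if the frame carried an 802.1Q tag */
    uint16_t vlan_id;            /* 12-bit VLAN identifier */
};

static unsigned ethertype(const uint8_t *f) { return ((unsigned)f[12] << 8) | f[13]; }

/* Record step. Returns 0 on success, -1 if the frame is truncated. */
int l2_record_frame(const uint8_t *f, size_t len, struct l2_record *r)
{
    if (len < 14) return -1;
    memset(r, 0, sizeof *r);
    memcpy(r->dst_mac, f, MAC_LEN);
    memcpy(r->src_mac, f + MAC_LEN, MAC_LEN);
    if (ethertype(f) == TPID_8021Q) {
        if (len < 18) return -1;
        r->tagged = 1;
        r->vlan_id = (uint16_t)((((unsigned)f[14] << 8) | f[15]) & 0x0FFFu);
    }
    return 0;
}

/* Modify step (S302): overwrite the source MAC, and the VLAN ID when tagged.
 * Returns -1 on truncation or a tagged/untagged mismatch (no tag insertion). */
int l2_restore_source(uint8_t *f, size_t len, const struct l2_record *r)
{
    if (len < 14) return -1;
    int tagged = ethertype(f) == TPID_8021Q;
    if (tagged != r->tagged || (tagged && len < 18)) return -1;
    memcpy(f + MAC_LEN, r->src_mac, MAC_LEN);
    if (tagged) {
        f[14] = (uint8_t)((f[14] & 0xF0u) | (r->vlan_id >> 8)); /* keep PCP/DEI */
        f[15] = (uint8_t)(r->vlan_id & 0xFFu);
    }
    return 0;
}

/* Constructed frames: "frame 210" from the client on VLAN 100, and "frame 211"
 * as the gateway's own stack would build it (gateway MAC, VLAN 1, PCP 5). */
static const uint8_t frame210[18] = {2,0,0,0,0,2, 2,0,0,0,0,1, 0x81,0, 0,0x64, 8,0};
static uint8_t frame211[18] = {2,0,0,0,0,2, 2,0,0,0,0,0xFE, 0x81,0, 0xA0,1, 8,0};

/* Returns 1 when frame 211 ends up with frame 210's source MAC and VLAN ID. */
int demo_restore(void)
{
    struct l2_record r;
    if (l2_record_frame(frame210, sizeof frame210, &r) != 0) return 0;
    if (l2_restore_source(frame211, sizeof frame211, &r) != 0) return 0;
    return memcmp(frame211 + MAC_LEN, frame210 + MAC_LEN, MAC_LEN) == 0
        && frame211[14] == 0xA0 && frame211[15] == 0x64;
}
```

After the rewrite, the layer-2 header of frame 211 carries the client's source MAC and VLAN ID, so a downstream control keyed on those fields cannot tell the gateway's frame from the client's.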

[0049] Furthermore, in one embodiment of the present invention, before step S301, when a request frame asking to establish a connection between client 201 as the source station and server 202 as the destination station is intercepted by NIC 207 (for example, in the case where a connection must be established by a handshake before data transfer can proceed, and frame 210 containing the application-layer data is transferred over the established connection), the source MAC address information in the header of the request frame can be recorded as the MAC address of client 201 for use in the subsequent modifying step S302. Similarly, the destination MAC address information of the request frame can be recorded as the MAC address of server 202, along with the VLAN identifier, and so on. Moreover, in response to the intercepted request frame, and as part of the transparent proxy gateway 203 establishing a connection with client 201 by handshake in the identity of server 202, the source MAC address information in the header of the response frame that answers the request frame can be changed, for example by VIF 206, to the recorded MAC address of server 202, after which the transmit function of NIC 207 is called to send this response frame to client 201.

[0050] The exemplary method 300 has been described above with reference to FIG. 3. Those skilled in the art will appreciate that the method steps described above are merely exemplary and not limiting, and that, depending on the specific implementation, the method can include further additional or alternative steps. In one or more schemes, the functions corresponding to these method steps can be implemented in hardware, software, firmware, or any combination thereof.

[0051] FIG. 4 shows a block diagram of an apparatus 400 according to an exemplary embodiment of the present invention.

[0052] The apparatus 400 includes at least the following parts: a modifying module 401, configured to, after the application-layer data contained in a first frame sent from the source station to the destination station and intercepted by a first NIC in the gateway that is able to communicate with the source station has been processed, change the source MAC address information in the header of a second frame, which is to be sent to the destination station in response to the first frame and which contains the processed application-layer data, to the MAC address of the source station; and a sending module 402, configured to send the second frame to the destination station by calling the transmit function of a second NIC in the gateway that is able to communicate with the destination station.

[0053] In addition, the apparatus 400 can include additional or alternative modules to implement further corresponding functions, for example, those described above in connection with method 300. The apparatus 400 can correspond, for example, to the gateway device 103, 203 shown in FIG. 1 and FIG. 2, or to one or more of its components. It should be understood that the apparatus 400 is described as including a plurality of modules, which can represent functional modules implemented in hardware, software, or a combination thereof.

[0054] Although some embodiments of the present invention have been described and shown above, those skilled in the art will readily recognize that many modifications and variations of these embodiments are equally feasible. It should therefore be understood that the appended claims are intended to cover all such modifications and variations that fall within the spirit and scope of the present invention.

Patent citations
Cited patent | Filing date | Publication date | Applicant | Title
CN1765090A * | 24 Mar 2004 | 26 Apr 2006 | 雷·斯尔科有限公司 | Multiconfigurable device masking shunt and method of use
US7249191 * | 20 Sep 2002 | 24 Jul 2007 | Blue Coat Systems, Inc. | Transparent bridge that terminates TCP connections
US7290050 * | 20 Sep 2002 | 30 Oct 2007 | Blue Coat Systems, Inc. | Transparent load balancer for network connections

Classifications
International classification: H04L29/08, H04L29/06

Legal events
Date | Code | Event | Description
31 Oct 2012 | C06 | Publication |
26 Dec 2012 | C10 | Entry into substantive examination |
11 May 2016 | C14 | Grant of patent or utility model |
11 May 2016 | COR | Change of bibliographic data |