CN102761534B - Method and apparatus for implementing a media access control layer transparent proxy - Google Patents


Info

Publication number
CN102761534B
Identifier variants: CN102761534B, CN201110119721.0A, CN201110119721A, CN 102761534 B
Authority
CN
China
Prior art keywords
frame
vlan
mac address
destination
gateway
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201110119721.0A
Other languages
Chinese (zh)
Other versions
CN102761534A (en)
Inventor
冯景辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing net an Technology Limited by Share Ltd
Original Assignee
Beijing Rising Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Rising Information Technology Co Ltd
Priority to CN201110119721.0A
Publication of CN102761534A
Application granted
Publication of CN102761534B
Legal status: Active
Anticipated expiration


Abstract

A method and apparatus for implementing a media access control (MAC) layer transparent proxy are disclosed. After the application-layer data carried in a first frame, which is sent from a source station to a destination station and intercepted by a first network interface card of a gateway that can communicate with the source station, has been processed, the source MAC address in the header of a second frame, which is to be sent to the destination station in response to the first frame and which carries the processed application-layer data, is rewritten to the MAC address of the source station; the second frame is then sent to the destination station by calling the transmit function of a second network interface card of the gateway that can communicate with the destination station.

Description

Method and apparatus for implementing a media access control layer transparent proxy
Technical field
The present invention relates generally to the field of information processing and, more specifically, to a method and apparatus for implementing a media access control (MAC) layer transparent proxy.
Background
Gateway-based content-filtering devices (for example, firewalls) are conventionally implemented in one of two ways: as a filtering gateway or as a proxying gateway. In a filtering gateway, data transmitted over the network is intercepted and its content analysed by the gateway device as it passes through. In a proxying gateway, the client that wants to communicate with a server first communicates with the gateway proxy, and the gateway proxy in turn communicates with the real server; in the course of this the gateway proxy may cache the data content.
More specifically, in a proxying gateway that implements transparent forwarding, the communication between client and server is proxied by the intermediate gateway device. The client believes it is communicating directly with the server, but it is in fact communicating with the gateway device, and the gateway device communicates with the server under the client's identity. Such a proxying gateway can also emulate the server's identity and alter the behaviour and details of its communication with the client; for example, it can choose to return to the client only that part of the data exchanged with the server which is judged safe.
In this transparent-forwarding model the gateway device communicates with the server under the client's identity. In the usual proxy model the client's identity is its Internet Protocol (IP) address: the gateway device communicates with the server and transfers data using the client's IP address and, as a transparent proxy, ensures that the source IP address of the packets it sends to the server is the same as the IP address of the real client. In the classical seven-layer network model IP belongs to the network layer (layer 3), so the usual proxy model achieves transparency at layer 3.
Summary of the invention
According to one embodiment of the present invention, a method for implementing a MAC-layer transparent proxy is disclosed. The method comprises: after the application-layer data carried in a first frame, which is sent from a source station to a destination station and intercepted by a first network interface card of a gateway that can communicate with the source station, has been processed, rewriting the source MAC address in the header of a second frame, which is to be sent to the destination station in response to the first frame and which carries the processed application-layer data, to the MAC address of the source station; and sending the second frame to the destination station by calling the transmit function of a second network interface card of the gateway that can communicate with the destination station.
According to another embodiment of the present invention, an apparatus for implementing a MAC-layer transparent proxy is disclosed. The apparatus comprises: a modification module for rewriting, after the application-layer data carried in a first frame, which is sent from a source station to a destination station and intercepted by a first network interface card of a gateway that can communicate with the source station, has been processed, the source MAC address in the header of a second frame, which is to be sent to the destination station in response to the first frame and which carries the processed application-layer data, to the MAC address of the source station; and a sending module for sending the second frame to the destination station by calling the transmit function of a second network interface card of the gateway that can communicate with the destination station.
Brief description of the drawings
Exemplary embodiments of the present invention are described with reference to the following drawings. It should be understood that these drawings are only illustrative and not restrictive, and that in the drawings the same or similar reference markers indicate corresponding or similar elements.
Fig. 1 shows an overview of a system according to an exemplary embodiment of the present invention;
Fig. 2 shows a system according to an exemplary embodiment of the present invention in more detail;
Fig. 3 shows a flowchart of a method according to an exemplary embodiment of the present invention; and
Fig. 4 shows a block diagram of an apparatus according to an exemplary embodiment of the present invention.
Detailed description of the invention
In the following detailed description numerous details are given in order to provide a thorough understanding of the embodiments of the present invention. Those skilled in the art will appreciate, however, that these details are illustrative rather than restrictive and that the present invention can be practised without them. Some well-known components, structures and operations are not described in detail, so as not to obscure the present invention.
A reference in the description to "an embodiment" or "one embodiment" means that a particular feature, structure or characteristic described in connection with that embodiment is included in at least one embodiment of the present invention. The phrases "in one embodiment" or "according to an embodiment" appearing in various places in the description therefore do not necessarily all refer to the same embodiment.
Those skilled in the art will understand that the embodiments described herein can be implemented in hardware, software, firmware, middleware, microcode or a combination thereof.
Referring first to Fig. 1, it shows an overview of a system 100 according to an exemplary embodiment of the present invention.
In a typical deployment of system 100, a client 101 is located in one region of a network (for example, a LAN, not shown), a server 102 is located in another region of the same network, and a gateway 103 bridges the two regions. For simplicity only a single device is shown for each component of the system, but the present invention is not limited to this.
Client 101 may be any of a variety of processor-based computing devices. It has its own unique identifiers within the network, including but not limited to the client's physical address (i.e. its media access control (MAC) address) and its IP address. The client may run one or more of various operating systems, including but not limited to various versions of Linux(TM), Unix(TM), Windows(TM) and so on.
Similarly, server 102 and gateway 103 may each be any of a variety of processor-based computing devices, and each may run one or more of various operating systems. Server 102 provides various types of services to requesting devices, including client 101. Gateway 103 operates in bridge mode and carries the communication between client 101 and server 102. In an embodiment of the present invention gateway 103 also provides an application-layer proxy service, and its proxying is transparent even at layer 2 of the seven-layer model (the data link layer, and more particularly its media access control sublayer).
Below, taking as an example the sending of data from a source station (for example, client 101) to a destination station (for example, server 102), the communication that actually takes place between client 101 and server 102 in the presence of the gateway (or transparent proxy gateway) 103 is described. Those skilled in the art will understand that treating client 101 as the source station and server 102 as the destination station is only one example; the present invention is not limited to this.
Data sent by client 101 is first intercepted by transparent proxy gateway 103, which then sends that data on to server 102 under the identity of client 101. The intermediate transparent proxy gateway 103 thus carries the data transfer between client 101 and server 102. From the point of view of client 101 it is communicating directly with server 102, but that is not actually the case.
More specifically, with reference to Fig. 1, when transparent proxy gateway 103 receives (or intercepts) a frame 110 sent by client 101 to server 102 (the arrow on the left of the figure), it can record the MAC-layer information contained in the header of frame 110. This includes at least the source MAC address (i.e. the MAC address of client 101 itself). The recorded MAC-layer information may also include the destination MAC address of frame 110 (i.e. the MAC address of server 102). Depending on actual needs, further information may be recorded; for example, when an 802.1Q virtual LAN (VLAN) is in use (a 4-byte VLAN tag is inserted into the Ethernet frame format), the VLAN identifier (VLAN ID) carried in the VLAN tag may also be recorded. The present invention is not limited to these.
After the recording operation described above, in one embodiment the application-layer proxy processing of the application-layer data carried in the received frame 110 may begin. Application-layer data here means data related to the operation of application processes, for example e-mail or HTTP messages, which are handled at the application layer of the layered protocol stack. In transparent proxy gateway 103 the application-layer proxy processing includes, for example but without limitation, virus scanning and content filtering, as used in the prior art.
After the application-layer proxy processing is complete, at an appropriate time transparent proxy gateway 103 sends a frame 111 to server 102 under the identity of client 101 (the arrow on the right of the figure); frame 111 carries the application-layer data processed earlier. It should be noted that according to the present invention the corresponding field in the header of frame 111 is rewritten using the source MAC address recorded earlier from frame 110, and only then is the modified frame 111 sent to server 102. As a result the MAC-layer information of frame 111 sent by transparent proxy gateway 103 is consistent with that of the original frame 110 sent by client 101, and transparency at layer 2 is achieved.
By contrast, on an existing transparent proxy gateway running, for example, a Linux system, the operating-system API can be used to change the initiator's IP address and port (so that packets forwarded from the gateway to the target server appear to be sent directly by the original client, which gives the layer-3 transparency described above), but the source MAC address cannot be changed. In that case a layer-2 filtering device placed between the gateway device and the server, for example, may never see the real MAC address of the original client, so that control and access policies keyed on that address cannot be applied. Such a proxy is therefore not truly transparent: in the course of proxying the data it has altered some of the client's identifying information.
As noted above, with the design of the present invention transparency at layer 2 can be achieved, which simplifies the user's network design and improves the user experience.
Fig. 2 shows in more detail a system 200 according to an exemplary embodiment of the present invention. In the following, the description of elements that are the same as in Fig. 1 (for example client 201 and server 202) is omitted, and the gateway (or transparent proxy) 203 of the present invention is described in detail.
As shown in the figure, according to one embodiment of the present invention transparent proxy gateway 203 may comprise recording logic 204, an application-layer proxy 205 and a virtual network interface (VIF) 206. As a gateway in bridge mode, it typically has several interfaces (i.e. network interface cards) for communicating with the respective destination stations. For ease of description only two interfaces of transparent proxy gateway 203 are shown in Fig. 2: network interface card 207, which can communicate with client 201, and network interface card 208, which can communicate with server 202.
As is known to those skilled in the art, a gateway device usually maintains a forwarding table (not shown) whose entries, if any, give the correspondence between a destination station (identified by its MAC address) and an interface of the gateway; for example, client 201 corresponds to network interface card 207 and server 202 to network interface card 208. When transparent proxy gateway 203 (more specifically, for example, network interface card 207) intercepts a frame (for example frame 210) sent from client 201 as source station to server 202 as destination station, it determines that the gateway can communicate with server 202, for example by looking up the forwarding table and finding that network interface card 208 corresponds to server 202.
In Fig. 2, recording logic 204 records the relevant information of frame 210, intercepted by network interface card 207 and sent from client 201 to server 202. In an exemplary embodiment of the present invention this information includes at least the source MAC address of frame 210 (i.e. that of client 201), which can be obtained from the frame header. The information may also include, for example but without limitation: the destination MAC address of frame 210 (i.e. that of server 202), also obtained from the frame header; the interface of gateway 203 corresponding to that destination MAC address (i.e. network interface card 208), obtained from the forwarding table; and so on. These items can be stored in association with each other for later use.
As a non-limiting example, in a Linux-based transparent proxy gateway, connection tracking can be used to let the kernel track and record all logical network connections or sessions. In one example implementation of the present invention the data structure maintained for each connection (identified, for example, by IP addresses and ports) is extended to store additional information. Recording logic 204 can then record the required information (for example the source and destination MAC addresses of frame 210) in association with each other in the extended structure, for use by later processing.
The received frame 210 is passed up through the network protocol stack, with headers stripped at each layer, and the application-layer data it carries is finally delivered to application-layer proxy 205 for conventional application-layer proxy processing, for example but without limitation virus scanning and content filtering. The main contribution of the present invention does not lie here, so this is not described further.
Continuing with Fig. 2, in an exemplary embodiment of the present invention the restoration of the source MAC address in the frame 211 that transparent proxy gateway 203 sends to server 202 under the identity of client 201, in response to the received frame 210, can be implemented by VIF 206.
Virtual network interface VIF 206 can be implemented as a network interface card driver. Once the driver has been loaded in the operating system and has registered the interface, VIF 206 is recognized by the operating system as an ordinary network interface card. According to an exemplary embodiment of the present invention, VIF 206 can modify the routing policy (for example the routing table) of transparent proxy gateway 203 so that all data that has been processed by application-layer proxy 205 and needs to be sent transparently (for example, to server 202) is routed to VIF 206 for sending.
VIF 206 has the ability to modify the source MAC address of the frame 211 that corresponds to frame 210. According to an embodiment of the present invention, VIF 206 can, for example, consult the information about frame 210 recorded earlier by recording logic 204 (in the extended connection-tracking entry), such as the MAC address of client 201; then rewrite the source MAC address in the header of frame 211 to the recorded source MAC address (i.e. the MAC address of client 201); and then directly call the transmit function of network interface card 208 to send the modified frame 211 to server 202.
Thus, in frame 211, sent by transparent proxy gateway 203 to server 202 under the identity of client 201, the source MAC address is guaranteed to be the same as the MAC address of client 201 itself, and transparency at layer 2 (the MAC layer) is achieved.
In one embodiment of the present invention, before using the recorded information, the gateway may consult its forwarding table and determine that the frame is to be sent through network interface card 208.
Here, VIF 206 directly calls the transmit function of the physical network interface card (for example, network interface card 208), bypassing the framing that the network protocol stack would otherwise perform for that physical card; this guarantees that the source MAC address of the frame sent through the physical card remains the modified source MAC address described above (i.e. the MAC address of client 201).
Those skilled in the art will understand that the functions of the components above can also be combined; for example, recording logic 204 and VIF 206 can be implemented in a single component.
In addition, considering the case of an 802.1Q VLAN, according to one embodiment of the present invention recording logic 204 can additionally record the VLAN ID of the received frame (for example frame 210); for example, it can be recorded in the extended connection-tracking structure in association with the MAC addresses and other information of that frame. Correspondingly, VIF 206 can use the recorded VLAN ID to set the VLAN ID of the frame to be sent to server 202 (for example frame 211), so that the layer-2 transparent proxy also works across VLANs.
Furthermore, using the design concept of the present invention, those skilled in the art will understand that for data sent from server 202 to client 201 (in which case server 202 can be regarded as the source station and client 201 as the destination station) transparent proxy gateway 203 can perform similar processing, so that from the point of view of client 201 it is the real server 202 that is communicating directly with it, whereas in fact it is the intermediate transparent proxy gateway 203 communicating with it under the identity of server 202.
Consider also the case where a connection (or session) must be established by a handshake before data is transferred (for example, when using the Transmission Control Protocol (TCP)). According to an exemplary embodiment of the present invention, when client 201 first sends a connection establishment request to server 202, the corresponding request frame can be intercepted by network interface card 207 of transparent proxy gateway 203. Gateway 203 confirms that it can communicate with server 202, for example through network interface card 208 (otherwise gateway 203 may choose to broadcast the request frame directly through the other network interface cards on the gateway apart from network interface card 207, as a prior-art bridging device would). Recording logic 204 can then record the relevant information of this request frame, for example the source MAC address in its header as the MAC address of client 201 and the destination MAC address in its header as the MAC address of server 202, and so on; the present invention is not limited to this.
According to an exemplary embodiment of the present invention, after this information has been recorded, for the acknowledgement frame that transparent proxy gateway 203 sends to client 201 under the identity of server 202 in response to the request frame, as required by the handshake protocol, VIF 206 can rewrite the source MAC address in the header of the acknowledgement frame to the recorded MAC address of server 202 and send the modified acknowledgement frame to client 201 by directly calling the transmit function of network interface card 207. Those skilled in the art will understand that client 201 then sends a further acknowledgement frame in response to receiving this acknowledgement frame, as in prior-art implementations. Through such a handshake a connection is established between client 201 and transparent proxy gateway 203 (although from the point of view of client 201 the connection has been established directly with server 202). In addition, at a suitable later time transparent proxy gateway 203 establishes a connection with server 202 under the identity of client 201 (more specifically, the MAC address of that client); this is similar to the above and is not described in detail here.
Data transfer between client 201 and server 202 (for example frame 210) then takes place over the connection so established. Using the information recorded earlier, VIF 206 can rewrite the source MAC address in the header of the frame 211 to be sent to server 202 in correspondence with frame 210 to the recorded MAC address of client 201, thereby achieving layer-2 transparency as described above.
Referring now to Fig. 3, it shows a flowchart of a method 300 according to an exemplary embodiment of the present invention. Method 300 can be implemented in a gateway with an application-layer proxy function (for example, transparent proxy gateway 103, 203).
As shown in the figure, the process starts at step S301, in which the application-layer data carried in a first frame, sent from a source station to a destination station and intercepted by a first network interface card of the gateway, is processed. With reference to the example of Fig. 2, for the application-layer data (for example e-mail or HTTP messages) carried in frame 210, sent from client 201 to server 202 and intercepted by transparent proxy gateway 203 (more specifically, by network interface card 207, which can communicate with client 201), gateway 203, being a gateway with an application-layer proxy function, can have its application-layer proxy 205 process that data, for example by virus scanning or content filtering.
To provide the proxy function, the gateway needs to send the data intercepted from the source station (after it has been processed by the gateway) to the destination station under the identity of the source station. According to an exemplary embodiment of the present invention, at step S302 the source MAC address in the header of a second frame, which is to be sent to the destination station in response to the first frame and which carries the processed application-layer data, is rewritten to the MAC address of the source station. Continuing with Fig. 2, after application-layer proxy 205 has processed the application-layer data carried in frame 210, VIF 206 can rewrite the source MAC address in the header of the second frame 211, formed to carry the processed application-layer data, to the MAC address of client 201 itself. In other words, the MAC address information in the header of the modified frame 211 is consistent with that in the header of the original frame 210 sent by client 201.
The process then proceeds to step S303, in which the second frame is sent to the destination station by directly calling the transmit function of a second network interface card of the gateway. Continuing with Fig. 2, after the modification above is complete, VIF 206 can directly call the transmit function of the real physical network interface card 208 (which can communicate with server 202) in transparent proxy gateway 203, so that frame 211 is actually sent to server 202. With this, method 300 for implementing a MAC-layer transparent proxy according to an embodiment of the present invention can end.
In addition, in one embodiment of the present invention, before step S301, when the first frame (for example frame 210) is intercepted by the first network interface card (for example network interface card 207), the source MAC address in the header of frame 210 can be recorded as the MAC address of client 201, for use in the later modification step. In the same recording step the destination MAC address in the header of frame 210 can also be recorded as the MAC address of server 202. Moreover, if frame 210 carries a VLAN tag, the VLAN identifier of frame 210 can also be recorded in this step, and in modification step S302 the VLAN identifier of frame 211 can be set to the recorded VLAN identifier of frame 210. As a concrete implementation, the recorded information, for example but without limitation the source station's MAC address, the destination station's MAC address and the VLAN identifier, can be stored in the extended connection-tracking entry, as described above.
In addition, in one embodiment of the present invention, before step S301, when a request frame for establishing a connection between client 201 as source station and server 202 as destination station is intercepted by network interface card 207 (for example, where a connection must be established by a handshake before data transfer can proceed, so that frame 210 carrying the application-layer data is transmitted over the established connection), the source MAC address in the header of the request frame can be recorded as the MAC address of client 201, for use in the later modification step S302. Similarly, the destination MAC address of the request frame can be recorded as the MAC address of server 202, together with the VLAN identifier, and so on. Further, in response to the intercepted request frame, as part of the handshake by which transparent proxy gateway 203 establishes a connection with client 201 under the identity of server 202, the source MAC address in the header of the acknowledgement frame sent in response to the request frame can be rewritten, for example by VIF 206, to the recorded MAC address of server 202, and that acknowledgement frame can then be sent to client 201 by calling the transmit function of network interface card 207.
Exemplary method 300 has been described above with reference to Fig. 3. Those skilled in the art will understand that the method steps above are illustrative rather than restrictive and that, depending on the specific implementation, the method may include additional or alternative steps. In one or more designs the functions corresponding to these method steps can be implemented in hardware, software, firmware or any combination thereof.
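The following user-space C program is an added illustration of the procedure described for Fig. 2 and in steps S301 to S303 together with the recording and handshake steps above; it is not code from the patent or from the assignee. The recording logic stores the source MAC, destination MAC and VLAN ID of an intercepted frame against the connection key (IPv4 addresses and TCP ports) that connection tracking already uses, and the VIF step rewrites a frame produced by the gateway's own stack so that it carries the recorded source MAC (or, for the acknowledgement sent toward the client under the server's identity, the recorded destination MAC) and the recorded 802.1Q tag. Everything kernel-specific is replaced by an assumption: the extended conntrack entry is a plain table, the direct call of the physical card's transmit function is represented by returning the rewritten frame, and the frames, MAC addresses and IP addresses are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Added illustration, not the patent's code: a user-space model of recording logic 204 and VIF 206.
 * The extended conntrack entry becomes ct_table; the direct call of the physical card's transmit
 * function is modelled by returning the rewritten frame to the caller. */
#define ETH_ALEN 6
#define ETH_P_8021Q 0x8100
#define ETH_P_IP 0x0800
#define CT_MAX 16
struct eth_hdr { uint8_t dst[ETH_ALEN], src[ETH_ALEN]; int has_vlan; uint16_t vid, ethertype; size_t l3_off; };
struct ct_key { uint32_t saddr, daddr; uint16_t sport, dport; };          /* address bytes as on the wire */
struct ct_entry { int used; struct ct_key key; uint8_t src_mac[ETH_ALEN], dst_mac[ETH_ALEN]; int has_vlan; uint16_t vid; };
static struct ct_entry ct_table[CT_MAX];                                   /* filled in order, never freed here */
static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Parse an Ethernet header carrying at most one 802.1Q tag. */
int parse_eth(const uint8_t *f, size_t len, struct eth_hdr *h) {
    if (len < 14) return -1;
    memcpy(h->dst, f, ETH_ALEN); memcpy(h->src, f + 6, ETH_ALEN);
    h->ethertype = be16(f + 12); h->l3_off = 14; h->has_vlan = 0; h->vid = 0;
    if (h->ethertype != ETH_P_8021Q) return 0;
    if (len < 18) return -1;
    h->has_vlan = 1; h->vid = be16(f + 14) & 0x0fff; h->ethertype = be16(f + 16); h->l3_off = 18;
    return 0;
}

/* Connection key (IPv4 addresses and TCP ports): what conntrack already identifies a flow by. */
int extract_key(const uint8_t *f, size_t len, size_t off, struct ct_key *k) {
    if (off + 20 > len || (f[off] >> 4) != 4 || f[off + 9] != 6) return -1;   /* IPv4 + TCP only */
    size_t ihl = (size_t)(f[off] & 0x0f) * 4;
    if (ihl < 20 || off + ihl + 4 > len) return -1;
    memcpy(&k->saddr, f + off + 12, 4); memcpy(&k->daddr, f + off + 16, 4);
    k->sport = be16(f + off + ihl); k->dport = be16(f + off + ihl + 2);
    return 0;
}

static int key_match(const struct ct_key *a, const struct ct_key *b, int reversed) {
    const struct ct_key r = { b->daddr, b->saddr, b->dport, b->sport }, *c = reversed ? &r : b;
    return a->saddr == c->saddr && a->daddr == c->daddr && a->sport == c->sport && a->dport == c->dport;
}

/* Recording logic: store source MAC, destination MAC and VLAN ID of an intercepted frame (the
 * request frame or data frame 210) against its connection key. Returns the slot used, or -1. */
int record_frame(const uint8_t *f, size_t len) {
    struct eth_hdr h; struct ct_key k;
    if (parse_eth(f, len, &h) || h.ethertype != ETH_P_IP || extract_key(f, len, h.l3_off, &k)) return -1;
    for (int i = 0; i < CT_MAX; i++) {
        struct ct_entry *e = &ct_table[i];
        if (e->used) { if (key_match(&e->key, &k, 0)) return i; continue; }   /* already tracked */
        e->used = 1; e->key = k; e->has_vlan = h.has_vlan; e->vid = h.vid;
        memcpy(e->src_mac, h.src, ETH_ALEN); memcpy(e->dst_mac, h.dst, ETH_ALEN);
        return i;
    }
    return -1;
}

/* VIF step: the gateway's stack built this frame with its own card's source MAC and possibly no
 * VLAN tag. A forward-direction frame (211) gets the source station's MAC, a reverse-direction
 * frame (the SYN-ACK toward the client) gets the destination station's MAC, and the recorded
 * 802.1Q tag is applied. Returns the new length (a tag may be inserted) or -1 if no flow matches. */
long restore_frame(uint8_t *f, size_t len, size_t cap) {
    struct eth_hdr h; struct ct_key k; const struct ct_entry *e = NULL;
    if (parse_eth(f, len, &h) || h.ethertype != ETH_P_IP || extract_key(f, len, h.l3_off, &k)) return -1;
    for (int i = 0; i < CT_MAX && !e; i++) {
        if (!ct_table[i].used) continue;
        if (key_match(&ct_table[i].key, &k, 0)) { e = &ct_table[i]; memcpy(f + 6, e->src_mac, ETH_ALEN); }
        else if (key_match(&ct_table[i].key, &k, 1)) { e = &ct_table[i]; memcpy(f + 6, e->dst_mac, ETH_ALEN); }
    }
    if (!e) return -1;
    if (!e->has_vlan) return (long)len;
    uint16_t tci = h.has_vlan ? (uint16_t)(be16(f + 14) & 0xf000) : 0;   /* keep PCP/DEI bits if present */
    if (!h.has_vlan) {                                                    /* re-insert the 4-byte 802.1Q tag */
        if (len + 4 > cap) return -1;
        memmove(f + 16, f + 12, len - 12);
        f[12] = 0x81; f[13] = 0x00; len += 4;
    }
    tci |= e->vid; f[14] = (uint8_t)(tci >> 8); f[15] = (uint8_t)tci;
    return (long)len;
}

/* Constructed minimal Ethernet/IPv4/TCP SYN frame for the demo (vid < 0 means untagged). */
size_t build_frame(uint8_t *out, const uint8_t *dst, const uint8_t *src, int vid,
                   uint32_t saddr, uint32_t daddr, uint16_t sport, uint16_t dport) {
    uint8_t ip[20] = {0x45, 0, 0, 40, 0, 0, 0x40, 0, 64, 6}, tcp[20] = {0}; size_t n = 12;
    memcpy(out, dst, ETH_ALEN); memcpy(out + 6, src, ETH_ALEN);
    if (vid >= 0) { out[n++] = 0x81; out[n++] = 0x00; out[n++] = (uint8_t)(vid >> 8); out[n++] = (uint8_t)vid; }
    out[n++] = 0x08; out[n++] = 0x00;
    memcpy(ip + 12, &saddr, 4); memcpy(ip + 16, &daddr, 4);
    tcp[0] = (uint8_t)(sport >> 8); tcp[1] = (uint8_t)sport; tcp[2] = (uint8_t)(dport >> 8); tcp[3] = (uint8_t)dport;
    tcp[12] = 0x50; tcp[13] = 0x02;                                       /* data offset 5, SYN flag */
    memcpy(out + n, ip, 20); n += 20; memcpy(out + n, tcp, 20); n += 20;
    return n;
}

/* The patent's sequence on constructed data: record the client's tagged request frame, then fix
 * up the gateway's forward frame toward the server and its reverse frame toward the client. */
int demo(void) {
    static const uint8_t cli[ETH_ALEN] = {2,0,0,0,0,1}, srv[ETH_ALEN] = {2,0,0,0,0,2};
    static const uint8_t nic207[ETH_ALEN] = {2,0,0,0,2,7}, nic208[ETH_ALEN] = {2,0,0,0,2,8};
    uint32_t cip = 0x0a000002, sip = 0x0a00010a;                          /* constructed; byte order is irrelevant here */
    uint8_t buf[128];
    size_t n = build_frame(buf, srv, cli, 100, cip, sip, 40000, 80);      /* client's request frame, VLAN 100 */
    if (record_frame(buf, n) < 0) return 1;
    n = build_frame(buf, srv, nic208, -1, cip, sip, 40000, 80);           /* stack output toward server */
    if (restore_frame(buf, n, sizeof buf) != (long)n + 4 || memcmp(buf + 6, cli, ETH_ALEN) ||
        be16(buf + 12) != ETH_P_8021Q || (be16(buf + 14) & 0x0fff) != 100) return 2;
    n = build_frame(buf, cli, nic207, -1, sip, cip, 80, 40000);           /* SYN-ACK toward client */
    if (restore_frame(buf, n, sizeof buf) != (long)n + 4 || memcmp(buf + 6, srv, ETH_ALEN)) return 3;
    return 0;
}

int main(void) { int rc = demo(); printf("MAC-layer restore demo: %s\n", rc ? "FAILED" : "ok"); return rc; }
```

Compile with any C99 compiler and run; demo() returns 0 when both directions come out with the expected header. Two practical points the patent text leaves implicit are visible here: re-inserting the 802.1Q tag grows the frame by 4 bytes, which a real driver must allow for in the buffer headroom before handing the frame to the physical card's transmit function, and matching is keyed on the same flow identifiers that connection tracking uses, so a frame for which no entry was recorded (for example one that arrived before the request frame) cannot be restored and is reported as such rather than sent with the gateway's own MAC.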
Fig. 4 shows according to the block diagram of the device 400 of one exemplary embodiment of the present invention.
Described device 400 at least comprises following part: modified module 401, and for can at gatewayWhat the first network interface card communicating with source station intercepted wraps from the first frame of point of destination is mail in described source stationAfter the application layer data containing is processed, sending to described order in response to described the first frameThe stem of the second frame station, that comprise treated described application layer data in source MACInformation is revised as the MAC Address of described source station; And sending module 402, for by callingThe transmission function of second network interface card that can communicate with described point of destination in described gateway, by describedTwo frames send to described point of destination.
In addition, described device 400 can also comprise additional/alternative module, more multipair in order to realizeThe function of answering, for example, before associated methods 300 described. Described device 400 for example can be rightShould be in the gateway device 103,203 shown in Fig. 1, Fig. 2, or one or more assembly.Should be understood that, device 400 is described to comprise multiple modules, its can be represent by hardware,The functional module that software or its combination realize.
Although some embodiments of the invention have been described and shown above, those skilled in the art will readily appreciate that many amendments and modifications to these embodiments are equally feasible. It should therefore be appreciated that the appended claims are intended to cover all such amendments and modifications falling within the spirit and scope of the invention.

Claims (18)

1. A method for implementing a media access control (MAC) layer transparent proxy, comprising:
processing, by an application-layer proxy in a gateway, the application-layer data contained in a first frame that is sent from a source station to a destination station and is intercepted by a first physical network interface card in the gateway that communicates with the source station;
receiving, by a virtual network interface card in the gateway, a second frame that is to be sent to the destination station in response to the first frame, contains the processed application-layer data, and is routed to the virtual network interface card on the basis of a routing policy of the gateway modified by the virtual network interface card;
modifying, by the virtual network interface card, the source MAC address information in the header of the second frame to the MAC address of the source station; and
sending, by the virtual network interface card, the second frame to the destination station by directly calling the transmit function of a second physical network interface card in the gateway that can communicate with the destination station, thereby avoiding the framing process that the network protocol stack would otherwise perform for the second physical network interface card.
2. The method according to claim 1, further comprising:
when the first frame is intercepted by the first physical network interface card, recording the source MAC address information in the header of the first frame as the MAC address of the source station.
3. The method according to claim 2, wherein
the recording step further comprises: recording the destination MAC address information in the header of the first frame as the MAC address of the destination station.
4. The method according to claim 2, wherein the first frame has a virtual local area network (VLAN) tag, and wherein
the recording step further comprises: recording the VLAN identifier in the VLAN tag of the first frame; and
the modifying step further comprises: modifying the VLAN identifier in the VLAN tag of the second frame to the recorded VLAN identifier of the first frame.
5. The method according to claim 1, further comprising:
when a request frame requesting establishment of a connection between the source station and the destination station is intercepted by the first physical network interface card, recording the source MAC address information in the header of the request frame as the MAC address of the source station, wherein the first frame is transmitted over the established connection.
6. The method according to claim 5, wherein
the recording step further comprises: recording the destination MAC address information in the header of the request frame as the MAC address of the destination station.
7. The method according to claim 6, further comprising:
modifying the source MAC address information in the header of an acknowledgement frame that answers the request frame to the recorded MAC address of the destination station; and
sending the acknowledgement frame to the source station by calling the transmit function of the first physical network interface card.
8. The method according to claim 5, wherein the request frame has a virtual local area network (VLAN) tag, and wherein
the recording step further comprises: recording the VLAN identifier in the VLAN tag of the request frame; and
the modifying step further comprises: modifying the VLAN identifier in the VLAN tag of the second frame to the recorded VLAN identifier of the request frame.
9. The method according to any one of claims 2 to 8, wherein the recorded information is stored in extended connection tracking.
10. A device for implementing a media access control (MAC) layer transparent proxy, comprising:
a modification module, for modifying, after an application-layer proxy in a gateway has processed the application-layer data contained in a first frame that is sent from a source station to a destination station and is intercepted by a first physical network interface card in the gateway that can communicate with the source station, by means of a virtual network interface card in the gateway, the source MAC address information in the header of a second frame to the MAC address of the source station, the second frame being one that is to be sent to the destination station in response to the first frame, contains the processed application-layer data, and is received by the virtual network interface card after being routed to it on the basis of a routing policy of the gateway modified by the virtual network interface card; and
a sending module, for sending, by means of the virtual network interface card, the second frame to the destination station by directly calling the transmit function of a second physical network interface card in the gateway that can communicate with the destination station, thereby avoiding the framing process that the network protocol stack would otherwise perform for the second physical network interface card.
11. The device according to claim 10, further comprising:
a recording module, for recording, when the first frame is intercepted by the first physical network interface card, the source MAC address information in the header of the first frame as the MAC address of the source station.
12. The device according to claim 11, wherein
the recording module further records the destination MAC address information in the header of the first frame as the MAC address of the destination station.
13. The device according to claim 11, wherein the first frame has a virtual local area network (VLAN) tag, and wherein
the recording module further records the VLAN identifier in the VLAN tag of the first frame; and
the modification module further modifies the VLAN identifier in the VLAN tag of the second frame to the recorded VLAN identifier of the first frame.
14. The device according to claim 10, further comprising:
a recording module, for recording, when a request frame requesting establishment of a connection between the source station and the destination station is intercepted by the first physical network interface card, the source MAC address information in the header of the request frame as the MAC address of the source station, wherein the first frame is transmitted over the established connection.
15. The device according to claim 14, wherein
the recording module further records the destination MAC address information in the header of the request frame as the MAC address of the destination station.
16. The device according to claim 15, further comprising:
a module for modifying the source MAC address information in the header of an acknowledgement frame that answers the request frame to the recorded MAC address of the destination station; and
a module for sending the acknowledgement frame to the source station by calling the transmit function of the first physical network interface card.
17. The device according to claim 14, wherein the request frame has a virtual local area network (VLAN) tag, and wherein
the recording module further records the VLAN identifier in the VLAN tag of the request frame; and
the modification module further modifies the VLAN identifier in the VLAN tag of the second frame to the recorded VLAN identifier of the request frame.
18. The device according to any one of claims 11 to 17, wherein the recorded information is stored in extended connection tracking.
CN201110119721.0A 2011-04-29 2011-04-29 Realize the method and apparatus of media access control layer Transparent Proxy Active CN102761534B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110119721.0A CN102761534B (en) 2011-04-29 2011-04-29 Realize the method and apparatus of media access control layer Transparent Proxy

Publications (2)

Publication Number Publication Date
CN102761534A CN102761534A (en) 2012-10-31
CN102761534B true CN102761534B (en) 2016-05-11

Family

ID=47055856

Country Status (1)

Country Link
CN (1) CN102761534B (en)


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
CB02 Change of applicant information

Address after: 100190 Beijing City, Haidian District Zhongguancun street, No. 22, building 1301

Applicant after: Beijing Rising Information Technology Co., Ltd

Address before: 100190 Beijing City, Haidian District Zhongguancun street, No. 22, building 1301

Applicant before: Beijing Rising Information Technology Co., Ltd.

COR Change of bibliographic data
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100190 Beijing City, Haidian District Zhongguancun street, No. 22, building 1301

Patentee after: Beijing net an Technology Limited by Share Ltd

Address before: 100190 Beijing City, Haidian District Zhongguancun street, No. 22, building 1301

Patentee before: Beijing Rising Information Technology Co., Ltd