CN114500470A - Data packet processing method and device - Google Patents
Data packet processing method and device
- Publication number
- CN114500470A
- Authority
- CN
- China
- Prior art keywords
- data packet
- address
- cpu
- client
- queue
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Description
Technical field
The present invention relates to the field of network technology and security, and in particular to a data packet processing method and device.
Background
The access gateway system was first developed in a computer project, mainly to provide secure access from cloud computer clients to cloud business systems. After being generalized, it supports fast access from different cloud computer clients to cloud business systems.
Traffic from a cloud computer client to the cloud business system mainly carries images, files and user operation instructions, and is characterized by a large data volume and high requirements for real-time interaction. A traditional gateway system is mainly implemented at the application layer: after the client establishes a connection with the gateway system and completes authentication, the gateway caches the data uploaded by the client in local memory and then forwards it to the corresponding business system. This implementation relies on the traditional, interrupt-driven way of processing data packets: after the network card driver receives a data packet, it notifies the central processing unit (CPU) through an interrupt, and the CPU then copies the data and hands it to the protocol stack. When the data volume is large, this generates a large number of CPU interrupts, so that the CPU cannot run other programs.
The main factors behind the network I/O bottleneck of traditional packet processing include:
1. Traditional packet sending and receiving must use hard interrupts for communication. Each hard interrupt costs about 100 microseconds, not counting the cache misses (Cache Miss) caused by terminating the context.
2. Data must be copied back and forth between kernel mode and user mode, and this copying, together with global lock contention, consumes a large amount of CPU.
3. Sending and receiving packets both carry system call overhead.
4. The kernel runs on multiple cores, so the performance loss caused by bus locking and memory barriers cannot be avoided.
Therefore, a new data packet processing method is urgently needed to overcome the above problems.
Summary of the invention
The present invention provides a data packet processing method and device for improving data packet processing efficiency.
In a first aspect, the present invention provides a data packet processing method, the method comprising: a first CPU reads, in a polling manner, a data packet from a client in the queue associated with the first CPU; modifies the source IP address of the data packet from the IP address of the client to the local IP address of the first CPU; and sends the modified data packet to the business system that the client requests to access.
With this method, each CPU manages the sessions it handles itself, and there are no lock conflicts between different CPUs. This greatly reduces the time spent waiting on global locks and therefore improves data packet processing efficiency.
In a possible design, the method further includes: saving the session information of the client in a connection pool.
In a possible design, the method further includes: receiving a return data packet from the business system, where the destination IP address of the return data packet is the local IP address of the first CPU; querying the connection pool for the session information corresponding to the return data packet; when the session information corresponding to the return data packet is the session information of the client, modifying the destination IP address of the first data packet from the local IP address of the first CPU to the IP address of the client; and sending the modified return data packet to the client.
In a possible design, the method further includes: before the source IP address of the data packet is modified to the local IP address of the first CPU, the first CPU performs a handshake and security authentication process with the client corresponding to the data packet.
In a second aspect, the present invention provides a data packet processing method, comprising: a gateway system configures at least one local IP address and a queue for each of multiple CPUs; receives a data packet from a client; and determines the queue to which the data packet belongs and buffers the data packet in that queue, where the queue to which the data packet belongs is associated with a first CPU, and the first CPU is one of the multiple CPUs.
In a possible design, the method further includes: the gateway system publishes a virtual IP address, and the virtual IP address is used by the client to access the business system.
In a possible design, the method further includes: receiving a return data packet from the business system, and when the source IP address of the return data packet is the local IP address of the first CPU, sending the return data packet to the first CPU.
In a possible design, the method further includes: when the gateway system establishes a connection with the client, it uses a preset algorithm to verify the messages sent by the client at least twice.
In a third aspect, the present application further provides an apparatus. The apparatus can carry out the method designs above. The apparatus may be a chip or circuit capable of performing the functions corresponding to the above method, or a device including such a chip or circuit.
In a possible implementation, the apparatus includes: a memory for storing computer-executable program code; and a processor coupled to the memory. The program code stored in the memory includes instructions, and when the processor executes the instructions, the apparatus, or the device in which the apparatus is installed, executes the method in any of the above possible designs.
The apparatus may further include a communication interface, which may be a transceiver; if the apparatus is a chip or a circuit, the communication interface may be an input/output interface of the chip, such as input/output pins.
In a possible design, the apparatus includes corresponding functional units, each used to implement the steps of the above method. The functions can be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more units corresponding to the above functions.
In a fourth aspect, the present application provides a computer-readable storage medium storing a computer program; when the computer program runs on an apparatus, the method in any of the above possible designs is executed.
In addition, for the technical effects of any implementation of the third and fourth aspects, refer to the technical effects of the different implementations of the first aspect; details are not repeated here.
Description of drawings
FIG. 1 is an architecture diagram of the gateway system provided by an embodiment of the present invention;
FIG. 2 is an overview flowchart of the data packet processing method provided by an embodiment of the present invention;
FIG. 3 is a flowchart of a client accessing the business system provided by an embodiment of the present invention;
FIG. 4 is a schematic diagram of the connection establishment and security authentication process between a client and the gateway system provided by an embodiment of the present invention;
FIG. 5 is the first schematic structural diagram of an apparatus provided by an embodiment of the present invention;
FIG. 6 is the second schematic structural diagram of an apparatus provided by an embodiment of the present invention.
Detailed description
In order to make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings. The described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
The application scenarios described in the embodiments of the present invention are intended to illustrate the technical solutions of the embodiments more clearly and do not limit them. Those of ordinary skill in the art will appreciate that, as new application scenarios appear, the technical solutions provided by the embodiments of the present invention are equally applicable to similar technical problems. In the description of the present invention, unless otherwise specified, "multiple" means two or more.
The gateway system provided by the present invention uses the data plane development kit (DPDK). Compared with the traditional way of processing data packets, DPDK processes packets by polling: DPDK overrides the network card driver, and after receiving a data packet the driver does not notify the CPU through an interrupt but stores the packet in memory using zero-copy techniques. The application-layer program can then read the packet directly from memory through the interface that DPDK provides. This saves CPU interrupt time and memory copy time, and gives the application layer a simple and efficient way of processing data packets, which makes network applications easier to develop.
Sending and receiving packets with DPDK has the following advantages: fewer CPU interrupts; fewer memory copies; the Linux protocol stack is bypassed in favour of a user-space protocol stack, so the user controls the protocol stack and can customize it to reduce complexity; and huge-page memory is used to reduce cache misses.
To improve the generality and scalability of the gateway system, the present invention uses a general forwarding framework in which users can define their own forwarding rules. Compared with a traditional application gateway, the gateway system is further decoupled from business functions. In addition, the system uses the border gateway protocol (BGP) to publish routes to the gateway's virtual IP (VIP) address, forming equal-cost routes. This enables multi-gateway cluster deployment and improves the reliability of the system and the scalability of its throughput.
In the embodiments of the present invention, the gateway system acts as the "gate" through which clients access the cloud business system. To serve business scenarios with high real-time interaction requirements and large data throughput (such as cloud computer services and video transmission), the following factors are the main considerations:
High packet forwarding performance: the present invention uses DPDK to bypass the traffic received by the network card directly to user space in a polling manner, and implements a lightweight TCP/IP protocol stack in user space, achieving high-performance forwarding of business traffic.
High throughput: the gateway system of the present invention uses a 25G high-performance network card combined with the DPDK software package to make the fullest use of the network card. The system is also deployed with load balancing, so if system throughput becomes insufficient, capacity can be expanded quickly to meet the throughput requirements of different business systems.
Security protection: the gateway system needs to authenticate the clients that connect to it and to protect the back-end business system, preventing traffic attacks (SYN flood) from crashing the business system.
High reliability: the present invention uses BGP to publish routes to the gateway's VIP address, forming equal-cost routes and enabling multi-gateway cluster deployment. When a single gateway node fails, the business system's ability to provide external services is not affected.
The gateway system of this application is divided into two main parts, the data plane and the control plane. The overall architecture of the system is shown in FIG. 1. The data plane mainly implements client data forwarding, session management, security authentication, traffic statistics and similar functions, and mainly includes the following modules:
(1) Network device layer: uses DPDK to implement network card data sending and receiving, port aggregation, VLAN, flow control and similar functions.
(2) IP protocol stack: modelled on the Linux kernel protocol stack and trimmed down from it to implement a lightweight IP protocol stack.
(3) Access gateway layer: the main implementation of gateway data forwarding, session management, security authentication, traffic statistics and similar functions.
The control plane mainly implements the delivery and management of gateway configuration, traffic monitoring and similar functions, and mainly includes the following modules: logic control layer; proxy layer; Web presentation layer; configuration management layer.
The following takes the concrete flow of a client accessing the business system as an example and, with reference to FIG. 2, describes the data packet processing procedure.
Step 200: The gateway system configures at least one local IP address and a queue for each of multiple CPUs.
For example, when the gateway system starts, the gateway program is bound to run on each CPU (for example, 16 CPUs) by setting CPU core affinity, and each CPU is assigned at least one local IP (LIP) address. The number of local IP addresses determines the maximum number of concurrent connections the gateway system supports. For example, with 16 CPUs and one local IP address assigned to each CPU, the maximum concurrency is 16 × 1 × 65000 = 1.04 million. As shown in FIG. 3, the gateway system configures queue 1 for CPU1, queue 2 for CPU2, queue 3 for CPU3, ..., and queue n for CPUn.
Step 210: The client sends a data packet to the gateway system.
Step 220: The gateway system determines the queue to which the data packet belongs and buffers the data packet in that queue. The queue to which the data packet belongs is associated with the first CPU, and the first CPU is one of the multiple CPUs.
For example, the gateway system also uses Quagga to publish a virtual IP address (VIP) externally; the virtual IP address is used by the client to access the business system.
For example, if the VIP address is 115.34.154.1:80 and the client's IP is 100.124.101.3:2468, the client reaches the gateway system by accessing the VIP, and through it the business system.
The gateway system performs a hash calculation on the five-tuple of the data packet to determine the queue to which the packet belongs, and buffers the packet in that queue, for example queue 3 as shown in FIG. 3.
Step 230: The first CPU processes the data packets in the queue associated with the first CPU in a polling manner.
At this point the data packet may already have been processed by the custom lightweight IP protocol stack, which yields the content of the transmission control protocol (TCP) segment. Using a lightweight IP protocol stack reduces the complexity of the decision logic.
For example, as shown in FIG. 3, the first CPU is CPU3 and the queue associated with CPU3 is queue 3, which the gateway system configured for, or bound to, CPU3 in step 200.
Reading data packets directly from the queue by polling reduces kernel interrupts and copies from the kernel to user space.
Step 240: The first CPU modifies the source IP address of the data packet from the IP address of the client to the local IP address of the first CPU.
For example, in FIG. 3, the local IP address of CPU3 is 192.168.1.3.
In addition, the first CPU modifies the destination IP address and port of the data packet to the IP address and port of the business system. For example, in FIG. 3, the IP address and port of the business system are 192.168.244.1:8080. The source port uses an unassigned port (for example, 1001).
In addition, before modifying the source IP address of the data packet to the local IP address of the first CPU, the first CPU performs a handshake and security authentication process with the client corresponding to the data packet. For an example, see the first to fourth stages described below.
Step 250: The first CPU sends the modified data packet to the business system that the client requests to access.
For example, the first CPU, CPU3, sends the modified data packet to the business system that the client requests to access and establishes a connection with the business system, and the connection pool saves the current session information, that is, the session information of the client.
With this method, each CPU manages the sessions it handles itself, and there are no lock conflicts between different CPUs. This greatly reduces the time spent waiting on global locks and therefore improves data packet processing efficiency.
Optionally, the method further includes:
Step 260: The business system sends a return data packet to the gateway system.
Step 270: When the source IP address of the return data packet is the local IP address of the first CPU, the gateway system sends the return data packet to the first CPU.
Step 280: The first CPU queries the connection pool for the session information corresponding to the return data packet, and when the session information corresponding to the return data packet is the session information of the client, modifies the destination IP address of the first data packet from the local IP address of the first CPU to the IP address of the client.
For example, the first CPU performs a hash calculation on the five-tuple of the return data packet and uses the hash value to look up the corresponding session information in the connection pool. When the session information corresponding to the return data packet is the session information of the client, it modifies the destination IP address of the return data packet to the client's IP address and the port of the return data packet to the client's port. Packets in both directions are therefore processed by the same CPU, session management is local to that CPU, and there are no lock conflicts.
The gateway system may buffer the return data packet in the queue associated with the first CPU, and the first CPU may process the return data packets in that queue in a polling manner.
Step 290: The first CPU sends the modified return data packet to the client.
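Steps 200 to 290 as a single-file C model, added here as an illustration and not taken from the patent or its implementation: the FNV-1a hash, the pool size, the function names and restoring the VIP as the source of the return packet are assumptions, and the return packet is steered by the LIP in its destination address, as in the first-aspect description. It uses the addresses from the example above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUM_CORES  4      /* constructed; the page's deployment pins 16 cores */
#define POOL_SLOTS 1024   /* constructed per-core pool size, a power of two */
#define PORT_MIN   1001   /* first LIP source port, as in the page's example */
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))

struct flow { uint32_t sip, dip; uint16_t sport, dport; uint8_t proto; };
struct session { int used; struct flow client, ret; };   /* ret = expected return tuple */
struct core { uint32_t lip; uint16_t next_port; struct session pool[POOL_SLOTS]; };
static struct core cores[NUM_CORES];   /* entry i is only ever touched by core i */

/* FNV-1a over the 5-tuple; the page does not name its hash function (assumption). */
static uint32_t flow_hash(const struct flow *f)
{
    uint32_t w[3] = { f->sip, f->dip, ((uint32_t)f->sport << 16) | f->dport };
    uint32_t h = 2166136261u;
    for (int i = 0; i < 3; i++)
        for (int b = 0; b < 32; b += 8) { h ^= (w[i] >> b) & 0xff; h *= 16777619u; }
    h ^= f->proto;
    return h * 16777619u;
}

static int flow_eq(const struct flow *a, const struct flow *b)
{
    return a->sip == b->sip && a->dip == b->dip && a->sport == b->sport &&
           a->dport == b->dport && a->proto == b->proto;
}

/* Step 200: one local IP (LIP) and one connection pool per core. */
void gateway_init(void)
{
    memset(cores, 0, sizeof cores);
    for (int i = 0; i < NUM_CORES; i++) {
        cores[i].lip = IP4(192, 168, 1, i + 1);   /* CPU3 gets 192.168.1.3 */
        cores[i].next_port = PORT_MIN;
    }
}

/* Step 220: the client packet's 5-tuple hash selects the queue, hence the core. */
int rx_queue_for(const struct flow *f) { return (int)(flow_hash(f) % NUM_CORES); }

/* Step 270: a return packet is steered by the LIP it is addressed to. */
int core_for_lip(uint32_t dip)
{
    for (int i = 0; i < NUM_CORES; i++)
        if (cores[i].lip == dip) return i;
    return -1;
}

/* Steps 240-250, first packet of a session: record it, then rewrite the packet
 * to LIP:port -> service. Returns 0, or -1 when ports or pool slots run out. */
int session_open(int c, struct flow *pkt, uint32_t svc_ip, uint16_t svc_port)
{
    struct core *k = &cores[c];
    if (k->next_port == 0) return -1;             /* 16-bit port counter wrapped */
    struct flow ret = { svc_ip, k->lip, svc_port, k->next_port, pkt->proto };
    uint32_t i = flow_hash(&ret) & (POOL_SLOTS - 1);
    for (int n = 0; n < POOL_SLOTS; n++, i = (i + 1) & (POOL_SLOTS - 1)) {
        if (k->pool[i].used) continue;            /* linear probing */
        k->pool[i] = (struct session){ 1, *pkt, ret };
        pkt->sip = k->lip;  pkt->sport = k->next_port++;
        pkt->dip = svc_ip;  pkt->dport = svc_port;
        return 0;
    }
    return -1;
}

/* Step 280: find the return packet's session in this core's pool and rewrite it
 * for the client. Returns -1 (drop) when no session matches. */
int snat_return(int c, struct flow *pkt)
{
    struct core *k = &cores[c];
    uint32_t i = flow_hash(pkt) & (POOL_SLOTS - 1);
    for (int n = 0; n < POOL_SLOTS; n++, i = (i + 1) & (POOL_SLOTS - 1)) {
        struct session *s = &k->pool[i];
        if (!s->used) return -1;
        if (!flow_eq(&s->ret, pkt)) continue;
        pkt->dip = s->client.sip;  pkt->dport = s->client.sport;
        /* Assumption: source restored to the VIP; the page describes only the destination. */
        pkt->sip = s->client.dip;  pkt->sport = s->client.dport;
        return 0;
    }
    return -1;
}

int main(void)
{
    gateway_init();
    struct flow p = { IP4(100, 124, 101, 3), IP4(115, 34, 154, 1), 2468, 80, 6 };
    int c = rx_queue_for(&p);
    session_open(c, &p, IP4(192, 168, 244, 1), 8080);
    struct flow r = { p.dip, p.sip, p.dport, p.sport, 6 };   /* the service's reply */
    printf("core %d, return rc=%d\n", c, snat_return(core_for_lip(r.dip), &r));
    return 0;
}
```

Because the LIP in the reply identifies the owning core, no pool is ever read or written by two cores, which is the property the lock-free claim rests on.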
The connection establishment and security authentication process between the client and the gateway system is another innovation of this system. The whole process is divided into four stages, as shown in FIG. 4.
Stage 1: establishing the connection and preventing traffic attacks (SYN flood)
1. The client sends a synchronize (Syn) message to the gateway system. The gateway system uses a preset algorithm at the TCP layer to reply with a Syn message or an acknowledge (Ack) message, where the preset algorithm may be the syn-cookie algorithm or another algorithm for preventing traffic attacks.
2. When the Ack message of the client's three-way handshake reaches the gateway system, the gateway system verifies it with the preset TCP-layer algorithm. If verification fails, the message is discarded; if verification passes, the three-way handshake with the client is completed.
3. The gateway system caches the client's Ack message.
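A stateless SYN-cookie check of the kind stage 1 allows, added here as an illustration and not the patent's code: the cookie layout (5-bit time counter, 3-bit MSS index, 24-bit keyed tag), the MSS table, the 64-second period and the keyed function built from SipHash-2-4 rounds are all assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))
#define ROTL(x, b) (((x) << (b)) | ((x) >> (64 - (b))))
#define SIPROUND do { \
    v0 += v1; v1 = ROTL(v1, 13); v1 ^= v0; v0 = ROTL(v0, 32); \
    v2 += v3; v3 = ROTL(v3, 16); v3 ^= v2; \
    v0 += v3; v3 = ROTL(v3, 21); v3 ^= v0; \
    v2 += v1; v1 = ROTL(v1, 17); v1 ^= v2; v2 = ROTL(v2, 32); } while (0)

struct tuple { uint32_t caddr, saddr; uint16_t cport, sport; };

/* Constructed MSS table: the cookie has room for a 3-bit index only. */
static const uint16_t mss_table[8] = { 536, 1220, 1300, 1360, 1400, 1440, 1452, 1460 };

/* Keyed PRF using SipHash-2-4 rounds over three 64-bit words (assumption; it is
 * not byte-compatible with reference SipHash, which also encodes the length). */
static uint64_t prf(const uint64_t key[2], const uint64_t m[3])
{
    uint64_t v0 = key[0] ^ 0x736f6d6570736575ULL, v1 = key[1] ^ 0x646f72616e646f6dULL;
    uint64_t v2 = key[0] ^ 0x6c7967656e657261ULL, v3 = key[1] ^ 0x7465646279746573ULL;
    for (int i = 0; i < 3; i++) { v3 ^= m[i]; SIPROUND; SIPROUND; v0 ^= m[i]; }
    v2 ^= 0xff;
    SIPROUND; SIPROUND; SIPROUND; SIPROUND;
    return v0 ^ v1 ^ v2 ^ v3;
}

/* 24-bit tag binding the 4-tuple, client ISN, time counter and MSS index. */
static uint32_t tag24(const uint64_t key[2], const struct tuple *t,
                      uint32_t client_isn, uint32_t count, uint32_t idx)
{
    uint64_t m[3] = {
        ((uint64_t)t->caddr << 32) | t->saddr,
        ((uint64_t)t->cport << 48) | ((uint64_t)t->sport << 32) | client_isn,
        ((uint64_t)idx << 32) | count
    };
    return (uint32_t)(prf(key, m) & 0xffffff);
}

/* On SYN: compute the ISN to send in the reply. Nothing is stored per connection. */
uint32_t cookie_make(const uint64_t key[2], const struct tuple *t,
                     uint32_t client_isn, uint16_t client_mss, uint32_t now_s)
{
    uint32_t count = now_s >> 6, idx = 0;          /* 64-second periods */
    for (uint32_t i = 0; i < 8; i++)
        if (mss_table[i] <= client_mss) idx = i;   /* largest entry not above the offer */
    return ((count & 31) << 27) | (idx << 24) | tag24(key, t, client_isn, count, idx);
}

/* On the final ACK: seq is client ISN + 1, ack_seq is cookie + 1.
 * Returns the negotiated MSS, or 0 when the packet must be dropped. */
uint16_t cookie_check(const uint64_t key[2], const struct tuple *t,
                      uint32_t seq, uint32_t ack_seq, uint32_t now_s)
{
    uint32_t cookie = ack_seq - 1, client_isn = seq - 1, idx = (cookie >> 24) & 7;
    for (uint32_t age = 0; age < 2; age++) {       /* current or previous period */
        uint32_t count = (now_s >> 6) - age;
        if ((count & 31) != (cookie >> 27)) continue;
        if (tag24(key, t, client_isn, count, idx) != (cookie & 0xffffff)) return 0;
        return mss_table[idx];
    }
    return 0;                                      /* cookie too old */
}

int main(void)
{
    const uint64_t key[2] = { 0x0123456789abcdefULL, 0xfedcba9876543210ULL }; /* constructed */
    struct tuple t = { IP4(100, 124, 101, 3), IP4(115, 34, 154, 1), 2468, 80 };
    uint32_t c = cookie_make(key, &t, 1000, 1460, 6400);
    printf("valid ACK -> mss %u, forged ACK -> mss %u\n",
           cookie_check(key, &t, 1001, c + 1, 6400),
           cookie_check(key, &t, 1001, c + 2, 6400));
    return 0;
}
```

The gateway allocates session state only after `cookie_check` succeeds, so a flood of Syn messages from spoofed sources consumes no memory and never reaches the business system.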
Stage 2: security authentication
1. After the three-way handshake is completed, the gateway system sends its public key to the client.
2. The client generates a random number (key), encrypts it with the gateway system's public key, and sends the encrypted data to the gateway system.
3. The gateway system decrypts the received data with its private key, uses the decryption result to symmetrically encrypt the received data, and sends the result to the client.
4. The client decrypts the received data with the random number (key). If the decrypted plaintext matches the data it last sent, it continues to the next step; otherwise authentication stops.
5. The client encrypts the authentication information with the random number (key) and sends it to the gateway system.
6. After obtaining the authentication information, the gateway system determines the IP address and port of the business system to connect to.
Stage 3: the gateway system establishes a connection with the application system
1. The gateway system sends a Syn message to the business system to begin establishing a connection.
2. After receiving the Syn message or Ack message, the gateway system sends the client's Ack message cached in the first stage to the business system, completing the three-way handshake.
Stage 4: data forwarding
When subsequent data packets arrive at the gateway system, they are forwarded directly to the business system over the connection established in the third stage, with no buffering in between.
采用本申请实施例提供的方法数据包转发性能方面,相比基于内核态转发的传统网关实现,性能有了明显的提升,包转发率从200万pps提升至800万pps。其次,网关系统在握手阶段实现syn-cookies校验,可以有效阻挡syn flood攻击,保护后端业务系统安全。网关系统在TCP层实现安全传输层协议(transport layer security,TLS)安全协议,客户端每一次连接使用不同的密钥,保证安全认证和数据传输安全。再次,网关系统采用通用的转发框架,基于TCP传输的业务均可通过网关系统进行接入,网关系统与业务完全解耦。最后,系统采用BGP协议发布网关的VIP地址路由形成等价路由,实现多网关集群部署,保证了网关的可靠性和可扩展性。In terms of data packet forwarding performance using the method provided by the embodiments of the present application, compared with the traditional gateway implementation based on kernel-mode forwarding, the performance is significantly improved, and the packet forwarding rate is increased from 2 million pps to 8 million pps. Secondly, the gateway system implements syn-cookies verification in the handshake phase, which can effectively block syn flood attacks and protect the security of the back-end business system. The gateway system implements the transport layer security (TLS) security protocol at the TCP layer, and the client uses a different key for each connection to ensure security authentication and data transmission security. Thirdly, the gateway system adopts a general forwarding framework, and services based on TCP transmission can be accessed through the gateway system, and the gateway system and services are completely decoupled. Finally, the system adopts the BGP protocol to advertise the gateway's VIP address route to form an equal-cost route, realizes the multi-gateway cluster deployment, and ensures the reliability and scalability of the gateway.
网关系统采用C语言进行编写,DPDK采用18.11版本,在部署时,采用MellanoxMT27710 25G网卡,独占使用16个CPU内核,大页内存设置为32G,利用BGP协议发布网关的VIP地址路由形成等价路由。The gateway system is written in C language, and DPDK uses version 18.11. During deployment, MellanoxMT27710 25G network card is used, 16 CPU cores are exclusively used, and the huge page memory is set to 32G. The BGP protocol is used to publish the gateway's VIP address route to form an equal-cost route.
The division into units in the embodiments of the present invention is schematic and is only a division by logical function; other divisions are possible in an actual implementation. In addition, the functional units in the embodiments of the present invention may be integrated into one processor, may each exist physically on their own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
An embodiment of the present invention further provides an apparatus 500, shown in FIG. 5, which includes a processing module 510 and a transceiver module 520.
The transceiver module 520 may include a receiving unit and a sending unit. The processing module 510 controls and manages the actions of the apparatus 500. The transceiver module 520 supports communication between the apparatus 500 and other apparatuses. Optionally, the apparatus 500 may further include a storage unit for storing program code and data of the apparatus 500.
Optionally, each module in the apparatus 500 may be implemented in software.
Optionally, the processing module 510 may be a processor or a controller, for example a general-purpose central processing unit (CPU), a general-purpose processor, digital signal processing (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It can implement or execute the various exemplary logical blocks, modules and circuits described in connection with the disclosure of the embodiments of the present application. The processor may also be a combination that implements computing functions, for example a combination of one or more microprocessors, or a combination of a DSP and a microprocessor. The transceiver module 520 may be a communication interface, a transceiver, a transceiver circuit or the like, where "communication interface" is a collective term; in a specific implementation the communication interface may include multiple interfaces, and the storage unit may be a memory.
In one implementation, the processing module 510 is configured to read, by polling, a data packet from the client in the queue associated with itself, and to modify the source IP address of the data packet from the IP address of the client to the local IP address of the first CPU; the transceiver module 520 is configured to send the modified data packet to the service system that the client requests to access.
In one implementation, the processing module 510 is configured to configure at least one local IP address and a queue for each of multiple CPUs; the transceiver module 520 is configured to receive a data packet from the client; the processing module 510 is configured to determine the queue to which the data packet belongs and to buffer the data packet in that queue, where the queue to which the data packet belongs is associated with a first CPU, and the first CPU is one of the multiple CPUs.
An embodiment of the present invention further provides another apparatus 600, shown in FIG. 6, which includes:
a communication interface 601, a memory 602 and a processor 603;
The communication apparatus 600 communicates with other devices through the communication interface 601, for example to send and receive messages; the memory 602 stores program instructions; the processor 603 calls the program instructions stored in the memory 602 and executes the method according to the obtained program.
The communication interface 601 obtains the network load rates of N servers at the K-th moment, where K and N are positive integers;
In one implementation, the processor 603 calls the program instructions stored in the memory 602 to: read, by polling, a data packet from the client in the queue associated with itself; modify the source IP address of the data packet from the IP address of the client to the local IP address of the first CPU; and send the modified data packet to the service system that the client requests to access.
In one implementation, the processor 603 calls the program instructions stored in the memory 602 to: configure at least one local IP address and a queue for each of multiple CPUs; receive a data packet from the client; determine the queue to which the data packet belongs and buffer the data packet in that queue, where the queue to which the data packet belongs is associated with a first CPU, and the first CPU is one of the multiple CPUs.
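The per-CPU forwarding step described in the two implementations above (one local IP address and one queue per CPU, source IP rewritten to the polling CPU's local IP), as an added C example that is not code from the patent or its gateway. The FNV-1a queue hash, the 10.0.0.10+ address plan, the sample header and the reply-steering function are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#define NUM_CPUS 4
#define LOCAL_IP_BASE 0x0A00000AU /* constructed plan: CPU i owns 10.0.0.(10+i) */
/* Constructed sample IPv4 header: 192.0.2.7 -> 198.51.100.1 (VIP), checksum 0x4E93. */
static const uint8_t SAMPLE[20] = {0x45, 0, 0, 0x28, 0, 1, 0x40, 0, 0x40, 6, 0x4E, 0x93,
                                   192, 0, 2, 7, 198, 51, 100, 1};

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static void wr32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (24 - 8 * i));
}

/* Ones'-complement header checksum; returns 0 when the stored checksum is valid. */
static uint16_t ip_checksum(const uint8_t *h, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += (uint32_t)h[i] << 8 | h[i + 1];
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

/* RFC 1624 incremental update for one changed 32-bit field: HC' = ~(~HC + ~m + m'). */
static uint16_t csum_update32(uint16_t hc, uint32_t old_v, uint32_t new_v) {
    uint32_t sum = (uint16_t)~hc;
    sum += (uint32_t)(uint16_t)~(old_v >> 16) + (uint16_t)~old_v;
    sum += (new_v >> 16) + (new_v & 0xFFFF);
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Queue (and thus CPU) for a client flow. FNV-1a is a stand-in picked for this
 * example; the page does not name the hash, and a NIC would typically use RSS. */
static unsigned queue_for_flow(uint32_t sip, uint16_t sport, uint32_t dip, uint16_t dport) {
    uint8_t k[12];
    uint32_t h = 2166136261U;
    wr32(k, sip); wr32(k + 4, dip); wr32(k + 8, (uint32_t)sport << 16 | dport);
    for (unsigned i = 0; i < sizeof k; i++) h = (h ^ k[i]) * 16777619U;
    return h % NUM_CPUS;
}

/* The polling CPU rewrites the source IP to its own local IP and patches the IP
 * checksum. The TCP checksum (pseudo-header) needs the same update; omitted here. */
static void snat_to_local_ip(uint8_t *h, unsigned cpu) {
    uint32_t old_src = rd32(h + 12), new_src = LOCAL_IP_BASE + cpu;
    uint16_t hc = csum_update32((uint16_t)(h[10] << 8 | h[11]), old_src, new_src);
    wr32(h + 12, new_src);
    h[10] = (uint8_t)(hc >> 8); h[11] = (uint8_t)hc;
}

/* Assumed return path: a reply is addressed to a local IP, so the owning CPU
 * follows from the destination address alone. Returns -1 for any other address. */
static int cpu_for_reply(uint32_t dst_ip) {
    uint32_t off = dst_ip - LOCAL_IP_BASE;
    return off < NUM_CPUS ? (int)off : -1;
}

int main(void) {
    uint8_t h[20];
    for (int i = 0; i < 20; i++) h[i] = SAMPLE[i];
    unsigned cpu = queue_for_flow(rd32(h + 12), 40000, rd32(h + 16), 443);
    snat_to_local_ip(h, cpu);
    printf("cpu=%u csum_ok=%d reply_cpu=%d\n", cpu, ip_checksum(h, 20) == 0, cpu_for_reply(rd32(h + 12)));
    return 0;
}
```

Because each local IP belongs to exactly one CPU, connection state for a flow can stay on that CPU without cross-core locking; a destination address outside the local range is rejected by `cpu_for_reply` rather than guessed at.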
The embodiments of the present invention do not limit the specific connection medium between the communication interface 601, the memory 602 and the processor 603; it may be, for example, a bus, and buses can be divided into address buses, data buses, control buses and so on.
In the embodiments of the present invention, the processor may be a general-purpose processor, a digital signal processor, an application-specific integrated circuit, a field programmable gate array or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and can implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of the present invention. A general-purpose processor may be a microprocessor or any conventional processor. The steps of the methods disclosed in connection with the embodiments of the present invention may be carried out directly by a hardware processor, or by a combination of hardware and software modules in the processor.
In the embodiments of the present invention, the memory may be a non-volatile memory, such as a hard disk drive (HDD) or a solid-state drive (SSD), or a volatile memory, such as random-access memory (RAM). The memory may also be any other medium that can carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited thereto. The memory in the embodiments of the present invention may also be a circuit or any other apparatus capable of implementing a storage function, used to store program instructions and/or data.
An embodiment of the present invention further provides a computer-readable storage medium that includes program code; when the program code runs on a computer, it causes the computer to execute the steps of the methods provided in the foregoing embodiments of the present invention.
Those skilled in the art will appreciate that the embodiments of the present invention may be provided as a method, a system, or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM and optical storage) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture that includes instruction means, and the instruction means implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing; the instructions executed on the computer or other programmable device thus provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present invention have been described, those skilled in the art can make further changes and modifications to these embodiments once they learn of the basic inventive concept. The appended claims are therefore intended to be construed as covering the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and variations to the present invention without departing from its scope. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their technical equivalents, the present invention is also intended to include them.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111643710.2A CN114500470A (en) | 2021-12-29 | 2021-12-29 | Data packet processing method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111643710.2A CN114500470A (en) | 2021-12-29 | 2021-12-29 | Data packet processing method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114500470A true CN114500470A (en) | 2022-05-13 |
Family
ID=81509039
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111643710.2A Pending CN114500470A (en) | 2021-12-29 | 2021-12-29 | Data packet processing method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114500470A (en) |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1845513A (en) * | 2006-05-23 | 2006-10-11 | 烽火通信科技股份有限公司 | Method for multi service access node access device sharing public network IP address |
CN101739380A (en) * | 2009-12-11 | 2010-06-16 | 中国航空无线电电子研究所 | Shared memory architecture-based multiprocessor communication device and method thereof |
CN102938718A (en) * | 2012-10-19 | 2013-02-20 | 中兴通讯股份有限公司 | Home gateway and intelligent terminal integrated system and communication method thereof |
CN106713185A (en) * | 2016-12-06 | 2017-05-24 | 瑞斯康达科技发展股份有限公司 | Load balancing method and apparatus of multi-core CPU |
CN110704211A (en) * | 2019-09-29 | 2020-01-17 | 烽火通信科技股份有限公司 | A method and system for receiving packets across CPUs in a multi-core system |
CN112887229A (en) * | 2021-01-11 | 2021-06-01 | 杭州迪普科技股份有限公司 | Session information synchronization method and device |
CN113010379A (en) * | 2021-03-09 | 2021-06-22 | 爱瑟福信息科技(上海)有限公司 | Electronic equipment monitoring system |
CN113507532A (en) * | 2021-08-24 | 2021-10-15 | 优刻得科技股份有限公司 | Method for network address translation, corresponding server, storage medium and electronic device |
CN113794646A (en) * | 2021-09-13 | 2021-12-14 | 国网电子商务有限公司 | Monitoring data transmission system and method for energy industry |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20220513 |