1. Field of the Invention
The present invention relates to a packet relay technology for performing a filter process when relaying packets.
2. Description of the Related Art
Recently, packet relay devices have been provided with an advanced filter function to shut out unnecessary communication.
More particularly, a technology called "stateful inspection" can control more finely whether packets are permitted to pass by monitoring the state of communication sessions at layers higher than the IP layer.
Stateful inspection recognizes the connection every time it receives a packet, updates the state of each connection and determines whether to pass the packet by checking it against filter conditions. This process must be applied to almost all packets, and it is not limited to simple packet processing: it includes monitoring both the higher-order layer header and the payload section of a packet, managing their state, defragmenting and re-fragmenting packets, and the like. For this reason, when it is embodied in hardware, the scale of the device becomes large.
Therefore, a method using a network processor has also been considered. However, since this cannot ensure sufficient performance and the programmable memory is limited, it has proved that in reality the function cannot be implemented on a network processor.
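The per-packet work that stateful inspection requires (connection lookup, state update, filter decision) is shown in the sketch below. It is an added example, not part of the original text. The names `Packet`, `allowed_new` and `StatefulFilter`, the filter condition and the simplified TCP state machine (no sequence-number checks, timeouts or fragment handling) are assumptions made for illustration.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags")  # flags: frozenset of TCP flag names

def allowed_new(pkt):
    # Constructed filter condition: inside hosts (10.0.0.0/8) may open sessions to port 443.
    return pkt.src.startswith("10.") and pkt.dport == 443

class StatefulFilter:
    def __init__(self):
        self.conns = {}  # connection key -> {"state", "initiator", "fins"}

    def inspect(self, pkt):
        """Return True to relay the packet, False to discard it."""
        src, dst = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        key = frozenset((src, dst))          # same key for both directions
        conn = self.conns.get(key)
        f = pkt.flags
        if conn is None:
            # Unknown connection: only a bare SYN matching the filter may create state.
            if f == {"SYN"} and allowed_new(pkt):
                self.conns[key] = {"state": "SYN_SENT", "initiator": src, "fins": set()}
                return True
            return False
        if "RST" in f:                       # simplified: no sequence-number validation
            del self.conns[key]
            return True
        from_init = src == conn["initiator"]
        state = conn["state"]
        if state == "SYN_SENT":
            if not from_init and f == {"SYN", "ACK"}:
                conn["state"] = "SYN_RCVD"
                return True
            return from_init and f == {"SYN"}   # only a SYN retransmission is valid here
        if state == "SYN_RCVD":
            if from_init and f == {"ACK"}:
                conn["state"] = "ESTABLISHED"
                return True
            return False
        # ESTABLISHED: relay both directions and track the close handshake.
        if "SYN" in f:
            return False
        if "FIN" in f:
            conn["fins"].add(src)
        elif len(conn["fins"]) == 2:
            del self.conns[key]               # final ACK after both sides sent FIN
        return True
```

Every packet costs a table lookup and possibly a state write, and packets that do not fit the recorded state are discarded even when their addresses and ports would satisfy a stateless rule.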
However, for a system composed of a server and a network connection device, there is a technology that, when a packet is to be analyzed in detail during the relay process of the network connection device, distributes the packet to the server and has it analyzed there. In this technology, the server that is the distribution destination must first be designated in a policy table beforehand. When a packet is received, a process distribution unit, which distributes packets to service processing units, transfers the packet to the relevant service processing unit or to a prescribed server according to the policy table. By this transfer, the process is distributed externally, and the process load of the network connection device can be reduced (see Patent Reference 1).
Patent Reference 1: Japanese Patent Application No. 2002-359637
As described above, in the technology for distributing packets to a server, the distribution destination is designated in the policy table. Thus, the process distribution unit can distribute a process to each service processing unit or to an external server.
However, when the server serving as the distribution destination is frequently moved, or a service provided by the server is changed, the distribution destination server designated in the policy table must be re-designated.
Therefore, there is a problem in that much time and effort are necessary to adjust the relay device whenever a server is added, modified or the like.