When a packet is transmitted in a network, a network device usually needs to perform processing for the received packet and then transmits the packet. Here, all the processing performed for the packet may be called service processing by a joint name, e.g. establishing a session, address transition, and etc. In practical applications contents of the service processing may be different according to different service requirements.
FIG. 1 is a schematic diagram illustrating an internal structure of a typical network device in the prior art. The network device mainly includes a master control module, service processing modules and interface modules, and all the service processing modules are connected with a service control module in the master control module through a connection module. When a certain interface module, e.g. an interface module 1, in the network device receives a packet, the interface module 1 transmits the received packet to a service processing module 1 which is fixedly connected with the interface module 1, and the service processing module 1 performs service processing for the received packet under the control of the service control module in the master control module. Here, the control of the service control module on the service processing module includes session control information, e.g. a session table, a session processing action, and etc., generated according to an initial packet of a session.
The above mentioned just is a simple service processing for a packet performed by a certain service processing module in the network device. In practical applications, a network device relating to a security product, e.g. a firewall, not only needs to perform general service processing for packets of a session, but also needs to perform tunnel encapsulation for a forward flow of a session and transmit the forward flow, and needs to perform processing relating to tunnel technologies, e.g. decapsulation, for a reverse flow; and usually a specific service processing module is designated to uniformly perform tunnel processing for a certain tunnel. In this way, one packet in the session may be processed by different service processing modules.
For example, the interface module 1 receives a forward flow needing tunnel processing, and transmits the forward flow to the service processing module 1 which is fixedly connected with the interface module 1; after the service processing module 1 performs service processing for the received forward flow and if the service processing module 1 determines that a service processing module 2 corresponding to an interface module 2 should perform tunnel processing, the service processing module 1 transmits the forward flow to the service processing module 2; after performing tunnel encapsulation for the forward flow, the service processing module 2 transmits a tunnel packet generated after the tunnel encapsulation through the interface module 2. Correspondingly, after receiving a returned reverse stream tunnel packet, the interface module 2 transmits the reverse stream tunnel packet to the service processing module 2 corresponding to the interface module 2; the service processing module 2 performs processing, e.g. decapsulation for the reverse stream tunnel packet, and transmits the packet after the decapsulation to the service processing module 1; and then the service processing module 1 performs service processing for the packet and transmits the packet through the interface module 1 corresponding to the service processing module 1. In practical applications, the service processing module 1 and the service processing module 2 may perform partial service processing for the packet separately, which will not be described here in detail.
Because the service processing module corresponding to the interface module receiving the packet from the outside of the network device and the service processing module performing the tunnel processing may be two different service processing modules, if it is needed to perform tunnel processing for a session packet, the same session packet will be processed by different service processing modules. In this way, in order to guarantee that a session proceeds normally, it is not only needed to store session states in different service processing modules processing the same session packet, but also needed to perform synchronization between different service processing modules, which greatly increases complexity of processing the packet by the network device, consumes system bandwidth, and is not beneficial to perform the service processing for the packet by the network device.