A port forwarding method, device, computer equipment and storage medium
By setting up virtual LANs and port forwarding rules in the LAN switch, the problem of difficulty in obtaining real-time information and recording source IP addresses within the GPU BOX in existing technologies is solved, enabling rapid fault location and efficient operation and maintenance.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- INSPUR SUZHOU INTELLIGENT TECH CO LTD
- Filing Date
- 2023-12-22
- Publication Date
- 2026-06-19
AI Technical Summary
In existing technologies, server maintenance personnel have difficulty quickly obtaining real-time information about the components within the GPU BOX, making fault location difficult. Furthermore, traditional port forwarding solutions cannot accurately record the operator's source IP address, affecting fault location efficiency.
By setting up a virtual LAN in the LAN switch, port forwarding rules are used to forward the client's network address data packets to the virtual LAN port of the GPU BOX, and the source IP address of the operating system is recorded in the audit log, enabling the client to access the GPU BOX and locate faults.
This enables clients to obtain real-time information about each component within the GPU BOX through specified port forwarding rules, quickly locate faults, save manpower, and improve operational efficiency and fault location accuracy.
Abstract
(Figure CN117749702B_ABST: abstract drawing; image not reproduced here)
Description
Technical Field
[0001] This application relates to the field of network communication technology, and in particular to a port forwarding method, apparatus, computer device, and storage medium.

Background Technology
[0002] With the rise of big data and AI, the market demand for servers with high computing performance is increasing. These servers possess powerful computing capabilities, typically provided by their integrated GPU (Graphics Processing Unit) modules. In terms of structural design, to better address module heat dissipation and power supply issues, the GPU is generally housed within a GPU BOX (GPU enclosure), managed as a separate computing resource pool. Besides the GPU module, the GPU BOX also contains a dedicated BMC (Baseboard Management Controller), power supply, fans, and PCIe devices. These components require real-time monitoring and management to ensure stable computing performance. For server maintenance personnel, it is crucial to be able to easily access real-time information about the components within the GPU BOX for production and user viewing.

Summary of the Invention
[0003] Therefore, it is necessary to provide a port forwarding method, device, computer equipment, and storage medium that can obtain real-time information of each component within the GPU BOX, thereby facilitating rapid location of the fault.
[0004] To address the aforementioned technical issues, firstly, a port forwarding method is provided, which includes:
[0005] In response to receiving a request from a client to obtain the source IP address of the operating system, obtaining the GPU BOX's external forwarding port addresses, wherein these include a first external forwarding port address and a second external forwarding port address;
[0006] According to pre-configured port forwarding rules, forwarding the first external forwarding port address and the second external forwarding port address to the first virtual LAN port and the second virtual LAN port of the LAN switch, respectively; the pre-configured port forwarding rules are configured with a target address type, and the target address type includes network address data packets;
[0007] The GPU BOX includes pre-generated target routing rules. Based on these rules, the client accesses the GPU BOX through the first virtual LAN port and the second virtual LAN port.
[0008] When a client accesses the server baseboard management controller via WEB / Redfish commands, the operating system source IP address is recorded in the audit log.
[0009] In one embodiment, the method further includes: a pre-configured port forwarding rule is set with a target address type, the target address type including network address packets, and the method includes:
[0010] In response to retrieving a network address packet containing the target address type, the network address packet is handed to the iptables tool. After the network address packet enters the PREROUTING chain of the NAT table in iptables, it is redirected to the first VLAN port and the second VLAN port, through which the client reaches the GPU BOX.
[0011] In one embodiment, the method further includes: calling open-source code through an external interface, compiling the open-source code called by the external interface, and forming a target code database.
[0012] In one embodiment, the method further includes: obtaining a pre-generated target routing rule, wherein the target routing rule further includes a bounce rule corresponding to the GPU BOX BMC to the server baseboard controller;
[0013] In response to the GPU BOX BMC automatically generating the default rule for the second virtual LAN port in the GPU BOX BMC, delete the default rule for the second virtual LAN port in the GPU BOX BMC;
[0014] Add a target route rule in the default rule settings for the second virtual LAN port in GPU BOX BMC.
[0015] In one embodiment, the method further includes: obtaining the IP address of the server baseboard management controller;
[0016] Log in to the server board management controller via the Redfish interface using the server board management controller's IP address and obtain the login token value.
[0017] The client accesses the server baseboard management controller via a token value.
[0018] In one embodiment, the method further includes: setting a first virtual local area network (VLAN) port address and a second VLAN port address on the server baseboard management controller side; setting a first VLAN port address and a second VLAN port address on the GPU BOX side; wherein the first VLAN port address and the second VLAN port address on the server baseboard management controller side are in the same network segment within a preset range as the first VLAN port address and the second VLAN port address on the GPU BOX side.
[0019] In one embodiment, the audit logs are stored in a server system including a blockchain network, and the method includes:
[0020] In response to receiving an audit log retrieval request, the audit log retrieval request includes characteristic information associated with the audit log to be queried, and a standard interface for invoking the audit log smart contract based on the characteristic information to read the audit log to be queried from the blockchain.
[0021] To address the aforementioned technical problems, a second aspect provides a port forwarding device, the device comprising:
[0022] The acquisition module is used to acquire the port address of the GPU BOX for external forwarding in response to a request sent by the client to acquire the source IP address of the operating system. The port address of the GPU BOX for external forwarding includes a first external forwarding port address and a second external forwarding port address.
[0023] The forwarding module is used to forward the first external forwarding port address and the second external forwarding port address to the first virtual LAN port and the second virtual LAN port corresponding to the LAN switch, respectively, according to the pre-set port forwarding rules; the pre-set port forwarding rules are configured with target address types, and the target address types include network address data packets;
[0024] The access module is used to enable the client to access the GPU BOX through the first virtual LAN port and the second virtual LAN port according to the pre-generated target routing rules. The GPU BOX includes the pre-generated target routing rules.
[0025] The audit module is used to record the operating system source IP address in the audit log when a client accesses the server baseboard management controller via WEB / Redfish commands.
[0026] To address the aforementioned technical problems, a third aspect provides a computer device, including a memory, a processor, and a computer program stored in the memory and executable on the processor. When the processor executes the computer program, it performs the steps of the method described in the first aspect.
[0027] In order to solve the above-mentioned technical problems, in a fourth aspect, this application provides a computer-readable storage medium having a computer program stored thereon, wherein the computer program, when executed by a processor, implements the steps of the method described in the first aspect.
[0028] Unlike existing technologies, this application, in response to a request from the server baseboard management controller to obtain the operating system source IP address, acquires a first external forwarding port address and a second external forwarding port address. Based on pre-set port forwarding rules, it forwards the first and second external forwarding port addresses to the corresponding first and second virtual LAN ports of the LAN switch, respectively. The GPU BOX includes pre-generated target routing rules, and according to these rules, the client accesses the GPU BOX through the first and second virtual LAN ports. When the client accesses the server baseboard management controller via WEB/Redfish commands, the operating system source IP address is recorded in the audit log. Thus, the client can filter and forward data packets using network address packets specified in the port forwarding rules as the target address, enabling the client to obtain real-time information about each component within the GPU BOX, facilitating rapid fault location.

Attached Figure Description
[0029] Figure 1 is a schematic diagram of the server system architecture in one embodiment;
[0030] Figure 2 is a flowchart illustrating a port forwarding method in one embodiment;
[0031] Figure 3 is an internal structural diagram of a computer device in one embodiment.

Detailed Implementation
[0032] To make the objectives, technical solutions, and advantages of this application clearer, the following detailed description is provided in conjunction with the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative and not intended to limit the scope of this application.
[0033] In existing technologies, real-time information about each component within the GPU BOX is mainly obtained through the following two methods, as detailed below:
[0034] In the first implementation, GPU BOX information is aggregated to the front-end (server baseboard management controller) for display. This typically includes functions such as GPU BOX sensor aggregation, FRU information acquisition, system information aggregation, and firmware upgrade integration. However, this method consumes resources on the front-end (server baseboard management controller), and the front-end (server baseboard management controller) cannot aggregate all GPU BOX information. Furthermore, when problems occur, the fault chain is very long, making it difficult to quickly pinpoint whether the fault lies with the front-end, the GPU BOX, or the interaction between the front-end and GPU BOX information.
[0035] In the second implementation, the network port of the GPU BOX is connected to the network cable to obtain the IP address of the GPU BOX. Customers can interact and obtain information by directly accessing the IP address of the GPU BOX. However, this method will increase the maintenance complexity for operation and maintenance personnel, double the complexity of data center configuration and installation, and also consume more network resources in the entire laboratory.
[0036] Traditional audit logs record content in three ways:
[0037] The first method is through web-based operations, i.e. logging into the BMC via the web. The web frontend first accesses the BMC via a URL:
[0038] The response is obtained via a POST to https://100.2.130.189/api/session. In this response, `"server_addr":"100.2.130.189"` is the BMC IP, and `"remote_addr":"100.20.181.38"` is the IP of the client accessing the BMC.
[0039] Each information resource has a unique address on the network called a URL (Uniform Resource Locator), which is a Uniform Resource Locator identifier, referring to a network address. The POST method is also an important component of the HTTP protocol. The POST method is generally used to send update requests to the destination server, along with a request body.
[0040] This can be achieved by obtaining the IP address of the server baseboard management controller (GLC), logging into the GLC via the Redfish protocol interface using the obtained IP address, and acquiring a token value; or by specifying a URL path and using the CURL tool to log into the GLC and acquire a token value. The remote controller then uses the token value to remotely access the GLC and remotely mount the driver folder to the server to be installed via the Redfish interface. Specifically, this includes: remotely mounting the GLC via the GLC's URL path, mounting the driver files via the GLC's Redfish interface, and finally executing the driver installation command.
[0041] For example:
[0042]
[0043] In this string, "CSRFToken":"pE9F8n6o" represents the result of the curl command, and "pE9F8n6o" is the token value, also known as an access token. It is typically generated by the server and sent to the client application. Access tokens can be used as credentials for accessing restricted resources to verify the legitimacy of a request.
[0044] After obtaining the access token, the web frontend inserts the server address, server name, and other information into the URL. It then uses the `api/session` function to pass the address information and logs it in the URL. The log content includes the address information, whether the user's operation was successful, and whether the login was successful. The log format can be as follows:
[0045] spx_restservice:[1562:1562 INFO]|WEB|10.67.18.100|admin|Login Success from IP:10.67.18.100 user:admin
[0046] adviserd:[1401:1561 INFO]|KVM|10.67.18.100|admin|Logout Success from IP:10.67.18.100 user:admin
[0047] spx_restservice:[1562:1562 INFO]|WEB|10.67.18.100|admin|Operation:Entry BMC Flash Mode(HPM) Success
[0048] Here, `spx_restservice` is the configured process name, `admin` is the username, `Login Success from IP` means that the user accesses BMC from IP 10.67.18.100 using the username `admin`, and `Logout Success from IP` means that the user logs out of BMC from IP 10.67.18.100 using the username `admin`. It should be understood that the above log format is only an example. In addition to recording user login and logout events, log processing can also include records of access to sensitive information in the system, illegal user operations, and permission errors, etc.
[0049] The second method is to implement logging through the Redfish protocol.
[0050] Specifically, this can be achieved by creating a session object, storing the source IP address within the session object, and then retrieving the source IP address each time the URL is accessed. The BMC will then record audit logs based on the correctness of the execution, in the format shown below:
[0051] spx_restservice_ext:[1734:1734 INFO]|WEB|192.168.111.10|BOX|Logout Success from IP:192.168.111.10 user:BOX
[0052] spx_restservice_ext:[1734:1734 INFO]|REDFISH|100.2.128.82|admin|Login Success from IP:100.2.128.82 user:admin
[0053] spx_restservice_ext:[1734:1734 INFO]|REDFISH|100.2.128.82|admin|Operation:UPLOAD Update BMC Success
[0054] Here, `spx_restservice_ext` is the process name, `admin` is the username, and `REDFISH` (which can also be identified as Redfish) is the user-defined method for logging. `Login Success from IP` indicates that the user accesses the BMC from IP 100.2.128.82 using the username `admin`; `Logout Success from IP` indicates that the user logs out of the BMC from IP 192.168.111.10 using the username `BOX`. It's important to understand that the above log formats are merely examples. In addition to recording login and logout events, log processing can also include records of access to sensitive information, unauthorized user actions, and permission errors.
[0055] The third method is to implement logging through IPMI.
[0056] Specifically, the application sends IPMI commands to the IPMI service process, which then communicates with the BMC to complete session authentication. For example, requests received by the BMC through a network adapter (LAN interface) or the KCS interface include session information. When the session type is LAN, the session contains the source IP address of the data packet (RMCP package), and the success or failure of the IPMI command execution is logged accordingly. When the session type is KCS, commands pushed from the HOST (BIOS, Basic Input/Output System) are also logged.
[0057] The specific format is as follows:
[0058] IPMIMain:[292:352 INFO]|IPMI|fc13::5:ce26:2ebc:990b|admin|Dedicated LAN,Operation:Set AC Mode NetFn:0x3a CMD:0x23 Req:0xdd 0xb3 0x00 0xff 0xfc Rsp:0.Success.
[0059] IPMIMain:[292:352 INFO]|IPMI|192.168.111.10|BOX|Dedicated LAN,Operation:Set SEL Time NetFn:0xa CMD:0x49 Req:0x7e 0x16 0x16 0x65 Rsp:0.Success.
[0060] IPMIMain:[266:318 INFO]|IPMI|HOST|NA|Operation:Self Test Results NetFn:0x6 CMD:0x4 Req: Rsp:0.Success.
[0061] As can be seen from the above, the audit logs record every operation performed on the server: web operations, SSH logins and logouts, Redfish operations, and the operations maintenance personnel perform through the BIOS and during routine maintenance. One of the key pieces of information in these logs is the source IP address of the operating system from which the configuration actions were issued.
[0062] In the existing technology, when a client accesses the GPU BOX through the first and second external forwarding port addresses of the GPU BOX using the port forwarding scheme of the server baseboard management controller, it is found that the audit log cannot record the operator's source IP address, but only the IP address of the server baseboard management controller.
[0063] This application proposes a network management solution for accessing the box terminal using port forwarding. Under this solution, it is particularly important to accurately transmit the IP address (IPv4 / IPv6) of the operation source terminal to the box terminal and correctly record it in the audit log so that maintenance personnel can accurately locate the problem when the server fails.
[0064] In one implementation, as shown in Figure 1, the server system includes a baseboard management controller (SERVER BMC) on the server motherboard, which uses a LAN SWITCH to achieve network isolation. The server baseboard management controller shown in the figure includes a communication process for network communication with the GPUBOX BMC (GPU box baseboard management controller). The external management network port (client) shown in the figure also has a communication process for network communication with the baseboard management controller on the server motherboard.
[0065] The external network port can be understood as a port connecting to an external network. One end of the external management port connects to the first end of Port 4 on the LAN SWITCH, and the second end of Port 4 connects to the second end of Port 3 on the LAN SWITCH. The first end of Port 3 connects to the management port on the side of the controller near the server motherboard, and then connects to the controller on the server motherboard through the management port. Through this network, the IP address of the controller on the server motherboard (first BMC in the diagram) can be displayed to the client through the external management port.
[0066] One end of the controller on the server motherboard (first BMC in the diagram) is connected to the first end of the cascading network port. The second end of the cascading network port is connected to the first end of Port 3 on the LAN switch. The second end of Port 3 is connected to the first end of Port 5 on the LAN switch. The second end of Port 5 is connected to the controller of the GPU BOX (second BMC in the diagram). As shown in the diagram, the GPU BOX controller (second BMC in the diagram) cannot be accessed externally from the management network port through the port on the LAN switch. That is, access to the GPU BOX controller (second BMC in the diagram) can only be achieved through port forwarding by the controller on the server motherboard (first BMC in the diagram).
[0067] The external management port is used for network configuration and management. This port is typically used for remote access to devices to perform operations such as initial device setup, configuration changes, monitoring, and troubleshooting. The management port usually uses protocols such as Telnet, SSH, HTTP, and HTTPS for remote access.
[0068] Cascading network ports allow switches to share information and configurations, forming a larger switch cluster that provides higher performance, reliability, and scalability. The management network port connecting the cascading network port to the server board management controller connects to the port on the LAN switch, enabling communication between the GPU BOX board management controller's management system and the server board management controller's management system on a single web interface, facilitating the transfer of sensor data and firmware files. Multiple management ports are connected via a network switch, allowing access to the integrated management systems of both the server board management controller and the GPU BOX board management controller via their web interfaces. This facilitates simultaneous out-of-band monitoring and firmware management of both the GPU BOX and the server, resulting in convenient and efficient management.
[0069] In this implementation, network isolation is achieved by setting up VLANs (Virtual Local Area Networks) on the LAN SWITCH chip. Port3/Port4 are in VLAN ID=101 (solid black line), and Port3/Port5 are in VLAN ID=102 (dashed line). The SERVER BMC (Baseboard Management Controller on the server motherboard) and the management network are in VLANs Port3 and Port4; the GPUBOX BMC (Baseboard Management Controller for the GPU Box) and the SERVER BMC are in VLANs Port4 and Port5. The SERVER BMC is configured to forward the GPU BOX's 443 (WEB access port) and 623 (IPMI Command) port addresses to external networks as 8443 and 8623, respectively. The SERVER BMC BOND0 IP address is obtained through DHCP (Dynamic Host Configuration Protocol) allocation, and BOND0.102 is configured with a static IP address of 192.168.111.10 for communication with the BOX BMC, with a subnet mask of 255.255.255.0. The BOX BMC's fixed static IP address is 192.168.111.11.
[0070] Configure the client and server BMC IPs to be on the same network segment, so that the client can access the GPU BOX BMC via https://IP:8443/#dashboard (a browser link generated from the address set for the GPU BOX's WEB access port); the client can also access the GPU BOX BMC via the command `ipmitool -H IP -U xxxxx -P xxxxx -I lanplus -p 8623 sel get 0x0` (a command built from the address set for the GPU BOX's IPMI Command access port).
[0071] In this application, the SERVER BMC and GPU BOX BMC can communicate with each other, but the client and GPU BOX BMC cannot communicate with each other. A Virtual Local Area Network (VLAN) is configured on the LAN switch. This VLAN includes multiple VLAN ports (e.g., IPv4 / IPv6), allowing the client to access GPU BOX information through these ports. Specifically, by forwarding the access port information between the SERVER BMC and GPU BOX BMC to the corresponding VLAN ports, the client can access GPU BOX information through multiple VLAN ports.
[0072] Since the client and GPU BOX BMC cannot directly access each other, port forwarding is required to enable access between the client and GPU BOX BMC. However, during the port forwarding process, the server baseboard management controller performs the port forwarding, and the source IP address recorded in the audit log is the IP address of the server baseboard management controller, not the source IP address of the operating system.
[0073] To address the aforementioned technical problems, this application provides a port forwarding method, as detailed below.
[0074] Step S1: In response to receiving a request from the client to obtain the source IP address of the operating system, obtain the GPU BOX's external forwarding port addresses, which include a first external forwarding port address and a second external forwarding port address.
[0075] Specifically, the first and second external forwarding port addresses here are the WEB access port and the IPMI Command port through which the SERVER BMC reaches the GPU BOX BMC (GPU box baseboard management controller).
[0076] Step S2: According to the pre-set port forwarding rules, forward the first external forwarding port address and the second external forwarding port address to the first virtual LAN port and the second virtual LAN port corresponding to the LAN switch, respectively; wherein, the pre-set port forwarding rules are configured with a target address type, and the target address type includes network address data packets.
[0077] Specifically, the pre-configured port forwarding rules include setting the target address type, which includes network address packets. When a network address packet containing the target address type is retrieved, the network address packet is sent to the iptables tool. After the network address packet enters the PREROUTING chain of the NAT table in the iptables tool, it will be redirected to the first VLAN port and the second VLAN port. In this way, even if the HOST BMC IP address (the IP address of the baseboard management controller on the server motherboard) changes during port forwarding, a browser can still be used to log in to the WEB access port of the GPU BOX BMC through the IP address of the baseboard management controller on the old server motherboard.
[0078] Server port forwarding can be achieved through port forwarding tools, the system's built-in command-line tools, or third-party software. Alternatively, it can be accomplished by configuring Network Address Translation (NAT) rules with firewall tools such as iptables or firewalld, or with NC (Netcat, a network tool in Unix-like operating systems with powerful port forwarding capabilities).
[0079] Specifically, taking port forwarding using the iptables firewall tool as an example, you can access websites already set up on the Linux system by configuring port forwarding. Specifically, you can set the network connection mode to Network Address Translation (NAT) in the system settings. In advanced settings, check the "Connecting via Ethernet cable" option and configure the corresponding port forwarding rules.
[0080] Step S3: The GPU BOX includes pre-generated target routing rules. Based on the pre-generated target routing rules, the client accesses the GPU BOX through the first virtual LAN port and the second virtual LAN port.
[0081] Specifically, the pre-generated target routing rules include the corresponding bounce rules from the GPU BOX BMC to the server baseboard controller. When the GPU BOX BMC is automatically configured with a static IP (IPv4 / IPv6), the GPU BOX BMC will automatically generate a default rule for the second VLAN port in the GPU BOX BMC at BOND0. At this time, it is necessary to delete the default rule for the second VLAN port in the GPU BOX BMC. This is because the second VLAN port in the GPU BOX BMC will need to be specified at BOND0.102 later. If the second VLAN port in the GPU BOX BMC that the GPU BOX BMC automatically generates is on the same network segment as the second VLAN port in the GPU BOX BMC that is specified later, it will cause port forwarding to fail.
[0082] Referring again to Figure 1, bond0 currently carries the IP address of the external management network port. The controller on the server motherboard (AST2600 on the left in the diagram) and the controller of the GPU BOX (AST2600 on the right in the diagram) are each configured with static IPs (IPv4/IPv6). If the IP address of the external management network port is in the same network segment as the static IPs configured on the server motherboard controller and the GPU BOX controller, port forwarding fails because the forwarded traffic cannot be redirected.
[0083] By configuring the GPU BOX BMC to delete the routing rules of its self-generated second virtual LAN port (IPv6) and adding a target routing rule, the port forwarding communication failure caused by the second virtual LAN port BOND0 and BOND0.102 being in the same network segment is resolved. The target routing rule includes the corresponding bounce rule from the GPU BOX BMC to the server baseboard controller.
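As an added example that is not part of the patent, the following Python script models the forwarding set-up of Figure 1 and steps S2 and S3: it emits the iptables NAT PREROUTING rules that map the external ports 8443 and 8623 onto the GPU BOX BMC's 443 and 623, checks the same-segment condition of [0082] under which forwarding fails, and renders the bounce route that [0081] and [0083] describe. Treating port 623 as UDP, the use of the interface name bond0.102 on the GPU BOX side, and the exact form of the bounce route are my assumptions.

```python
"""Added example, not from the patent: model the port forwarding of Figure 1
and the routing conflict of paragraphs [0081]-[0083]."""
import ipaddress

# Addresses and ports as given in the patent text ([0069]).
BOX_BMC_IP = "192.168.111.11"          # GPU BOX BMC static address
SERVER_BMC_VLAN_IP = "192.168.111.10"  # SERVER BMC bond0.102 address
VLAN102_PREFIX = 24                    # subnet mask 255.255.255.0
VLAN_DEV = "bond0.102"                 # interface name used in the patent

# external port -> (protocol, GPU BOX BMC port).  Assumption: the WEB port
# is TCP and IPMI over lanplus (RMCP+) is UDP.
FORWARDS = {
    8443: ("tcp", 443),
    8623: ("udp", 623),
}


def vlan102_network():
    """The 192.168.111.0/24 segment shared by SERVER BMC and GPU BOX BMC."""
    return ipaddress.ip_interface(f"{SERVER_BMC_VLAN_IP}/{VLAN102_PREFIX}").network


def dnat_rules(box_ip=BOX_BMC_IP, forwards=FORWARDS):
    """iptables commands that redirect the external ports to the GPU BOX
    BMC from the PREROUTING chain of the nat table, as in [0077]."""
    return [
        f"iptables -t nat -A PREROUTING -p {proto} --dport {ext} "
        f"-j DNAT --to-destination {box_ip}:{box_port}"
        for ext, (proto, box_port) in sorted(forwards.items())
    ]


def segment_conflict(external_interface):
    """True when the external management address (bond0, from DHCP) lies
    in the same segment as bond0.102, the condition under which [0082]
    says the forwarding cannot be redirected."""
    ext_net = ipaddress.ip_interface(external_interface).network
    return ext_net.overlaps(vlan102_network())


def bounce_route(external_interface, via=SERVER_BMC_VLAN_IP, dev=VLAN_DEV):
    """Route added on the GPU BOX BMC so that replies to forwarded traffic
    go back through the SERVER BMC (my reading of the 'bounce rule' in
    [0081]); the self-generated default route for the VLAN port is removed
    first, as [0081] requires."""
    ext_net = ipaddress.ip_interface(external_interface).network
    return [
        f"ip route del default dev {dev}",
        f"ip route add {ext_net} via {via} dev {dev}",
    ]


def forwarding_plan(external_interface):
    """Full command list, refusing the configuration that [0082] says
    would break forwarding."""
    if segment_conflict(external_interface):
        raise ValueError(
            f"{external_interface} is inside {vlan102_network()}: bond0 and "
            f"{VLAN_DEV} would share a segment and forwarding would fail"
        )
    return dnat_rules() + bounce_route(external_interface)


if __name__ == "__main__":
    # Constructed DHCP address for bond0; not from the patent.
    for cmd in forwarding_plan("10.67.18.100/24"):
        print(cmd)
```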
[0084] Step S4: In response to a client accessing the server baseboard management controller via WEB / Redfish commands, record the operating system source IP address in the audit log.
[0085] Specifically, when a client accesses the server baseboard management controller via WEB / Redfish commands, it can create a session object and use the session object to store the source IP address. Then, the source IP address can be obtained every time the URL is accessed and called. The server baseboard management controller will record the operating system source IP address in the audit log.
[0086] This application sets up a pre-generated target routing rule, namely the bounce (jump-back) rule from the GPU BOX BMC to the server baseboard controller. Even if the HOST BMC IP address (the IP address of the baseboard management controller on the server motherboard) changes during port forwarding, a browser can still use the old IP address of the baseboard management controller on the server motherboard to log in to the WEB access port of the GPU BOX BMC. When accessing the server baseboard management controller via WEB/Redfish commands, the operating system's source IP address is placed into the session, from which it can be recorded in the audit log. This allows maintenance personnel to accurately understand the user's operations on the faulty machine by querying the logs when the server malfunctions. This helps to quickly locate and resolve the problem, saves manpower, facilitates maintenance, and brings tangible economic benefits.
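To make the session-based recording of step S4 and the loss of the operator's address described in [0062] concrete, here is an added Python example that is not part of the patent: a session object that keeps the login source IP, a writer and a parser for the audit-line layout quoted in [0045] to [0060], and a check that flags entries recorded under the forwarding SERVER BMC's bond0.102 address (192.168.111.10) instead of the operator's. The sample lines are constructed after the page's examples; the class, function and field names are my own.

```python
"""Added example, not from the patent: keep the operator's source IP in a
session ([0085]) and check audit lines for the forwarder-address problem
described in [0062]."""
import re
from dataclasses import dataclass

SERVER_BMC_VLAN_IP = "192.168.111.10"  # SERVER BMC bond0.102 address ([0069])


@dataclass(frozen=True)
class Session:
    """Session created at login; the peer address is captured once here
    and reused for every later request made with the token."""
    user: str
    source_ip: str
    token: str


def create_session(user, remote_addr, token):
    """Store the operator's source IP in the session object, as [0085]
    describes, rather than re-deriving it from each forwarded packet."""
    return Session(user=user, source_ip=remote_addr, token=token)


def audit_line(session, process, method, message, pid=1734, tid=1734):
    """Emit a line in the layout of the page's examples:
    process:[pid:tid LEVEL]|METHOD|source IP|user|message."""
    return (f"{process}:[{pid}:{tid} INFO]|{method}|{session.source_ip}|"
            f"{session.user}|{message}")


LINE_RE = re.compile(
    r"^(?P<process>\w+):\[(?P<pid>\d+):(?P<tid>\d+)\s*(?P<level>[A-Z]+)\]"
    r"\|(?P<method>[^|]+)\|(?P<ip>[^|]+)\|(?P<user>[^|]+)\|(?P<message>.*)$"
)


def parse_audit_line(line):
    """Split one WEB, REDFISH or IPMI audit line into its fields; the IP
    field may be IPv4, IPv6 or the literal HOST for KCS-originated commands."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised audit line: {line!r}")
    fields = m.groupdict()
    fields["pid"] = int(fields["pid"])
    fields["tid"] = int(fields["tid"])
    return fields


def forwarder_masked(entries, forwarder_ip=SERVER_BMC_VLAN_IP):
    """Entries whose recorded IP is the forwarding SERVER BMC rather than
    the operator: the operator's identity was lost in port forwarding."""
    return [e for e in entries if e["ip"] == forwarder_ip]


# Constructed sample, modelled on the lines quoted in [0051]-[0060].
SAMPLE_LOG = [
    "spx_restservice_ext:[1734:1734INFO]|WEB|192.168.111.10|BOX|Logout Success from IP:192.168.111.10 user:BOX",
    "spx_restservice_ext:[1734:1734INFO]|REDFISH|100.2.128.82|admin|Login Success from IP:100.2.128.82 user:admin",
    "IPMIMain:[292:352INFO]|IPMI|192.168.111.10|BOX|Dedicated LAN,Operation:Set SEL Time NetFn:0xa CMD:0x49 Rsp:0.Success.",
    "IPMIMain:[266:318INFO]|IPMI|HOST|NA|Operation:Self Test Results NetFn:0x6 CMD:0x4 Req: Rsp:0.Success.",
]


def masked_users(lines=SAMPLE_LOG):
    """Users whose actions were logged under the forwarder's address."""
    return [e["user"] for e in forwarder_masked(parse_audit_line(l) for l in lines)]


if __name__ == "__main__":
    s = create_session("admin", "100.2.128.82", "pE9F8n6o")  # token value from [0043]
    print(audit_line(s, "spx_restservice_ext", "REDFISH",
                     "Login Success from IP:100.2.128.82 user:admin"))
    print("logged under forwarder address:", masked_users())
```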
[0087] In one embodiment, this application further provides a method to call open-source code via an external interface, compile the open-source code called by the external interface to form a target code database, and enrich the local code database by using the source code called by the external interface, so that the code can later support the implementation of the method of this invention.
[0088] In one implementation, the client can obtain the IP address of the server baseboard management controller; log in to the server baseboard management controller via the Redfish interface based on the IP address of the server baseboard management controller, and obtain a token value for logging in to the server baseboard management controller; the client accesses the server baseboard management controller through the token value.
[0089] Specifically, the system obtains the IP address of the server baseboard management controller (SBR). Using this IP address, it logs into the SBR via the Redfish protocol interface and obtains a token value. Then, it specifies a URL path and uses the CURL tool to log into the SBR and obtain another token value. The remote controller then uses this token value to remotely access the SBR.
[0090] In one embodiment, a first VLAN port address and a second VLAN port address are respectively set on the server baseboard management controller side; a first VLAN port address and a second VLAN port address are also set on the GPU BOX side. The first VLAN port address and the second VLAN port address on the server baseboard management controller side are located within the same preset network segment as the first VLAN port address and the second VLAN port address on the GPU BOX side. By ensuring that the first VLAN port address and the second VLAN port address on the server baseboard management controller side are within the same preset network segment as the first VLAN port address and the second VLAN port address on the GPU BOX side, mutual access between the server baseboard management controller and the BMC on the GPU BOX side is possible.
[0091] In one embodiment, after generating the audit log, the audit log can be stored in a server system that includes a blockchain network. Specifically, in response to receiving an audit log retrieval request that includes feature information associated with the audit log to be queried, a standard interface of the audit log smart contract is called based on that feature information to read the audit log to be queried from the blockchain.
[0092] In this embodiment, the audit log is first signed to verify that it has not been intercepted and altered by any external malicious program. Next, the audit log is stored in a log repository on the log audit server; and then sent to a server system that includes a blockchain network, so that the audit log is stored on the blockchain created by the blockchain network.
[0093] When the audit log operator performs an audit, it first queries the log list from the server system. It can locate specific logs by filtering by date, keywords, application name, and action. If a query entry in the audit log has a "successfully uploaded to the blockchain" marker, it indicates that the audit log for that entry supports blockchain auditing. Next, the server system can communicate with the blockchain network based on the query request to extract the audit logs from the blockchain created by the blockchain network.
[0094] Blockchain employs a decentralized distributed ledger approach, where all nodes in the system participate simultaneously in recording data changes. Each node maintains an identical and complete copy of the ledger, meaning the destruction of a single node does not affect the integrity of the entire ledger and its records. By using blockchain to store generated audit logs, data security can be improved. Furthermore, once verified and added to the blockchain, audit logs are permanently stored, generating chronologically tamper-proof data records that ensure traceability and significantly reduce the possibility of data falsification at different points in time.
[0095] In another optional embodiment of this application, a preset application programming interface (API) is provided in the baseboard management controller (BMC) on the server side. After storing the queried device information on the server side, the preset API is used to send the device information stored on the server side to the front-end interface of the baseboard management controller for display. For critical information, a RESTful interface can also be added to the BMC on the server side to display it on the web page of the baseboard management controller (BMC). RESTful is a design style and development method for web applications, based on HTTP, and can be defined using XML or JSON format. RESTful is suitable for scenarios where mobile Internet companies use it as a business interface to enable third-party OTT services to call mobile network resources, with action types including adding, modifying, and deleting the called resources. By storing the obtained GPU BOX information in shared memory and then using IPMI commands and the web to retrieve data from the shared memory and present it to the user, the obtained data can be displayed intuitively to the user, thereby decoupling data acquisition and retrieval.
[0096] In one feasible implementation, regarding the specific program implementation of the port forwarding method, when users submit configurations via a page or command line, the Neutron Server still provides the service that parses the user's configuration and saves it to the database (DB). The existing port forwarding function is provided by the Linux-based L3_agent process, whose performance is less than ideal. In this application, the port forwarding function is provided by VPP, which relies on DPDK forwarding and therefore yields a significant performance improvement. The response flow is accordingly changed: the Neutron Server calls the plugin provided by Networking-vpp to send a message to the ETCD storage system; the Networking-vpp process, vpp-agent, continuously monitors ETCD, and when a message of interest is detected it reads the message content. This can be understood as follows: when the key monitored by vpp-agent matches the pre-configured message key, vpp-agent reads the packet forwarding request for the corresponding virtual LAN, then calls the API provided by VPP, and VPP binds the port forwarding, thus implementing the user-configured port forwarding.
[0097] To better illustrate the port forwarding method of this application, the following specific embodiments of the port forwarding method are provided as examples:
[0098] Step 1: For example, the specific settings for the LAN switch can be as follows:
[0099] Port0 and Port1 enable 802.1Q.
[0100] Port0 and Port1 are configured with VLAN ID 99.
[0101] Port2 and Port5 enable 802.1Q.
[0102] Port2 and Port5 are configured with VLAN ID 100.
[0103] VLAN ID 99 is valid; Port0 and Port1 are added untagged. Load VLAN 99.
[0104] VLAN ID 100 is valid; Port2, Port5, and Port0 are added untagged. Load VLAN 100.
[0105] That is, combine Port3 and Port4 into one VLAN and name it VLAN99; combine Port3 and Port5 into one VLAN and name it VLAN100.
[0106] Step 2: (1) Define the addresses of the first virtual LAN port and the second virtual LAN port of the server baseboard management controller.
[0107] For example, the SERVER BMC (Server Baseboard Management Controller) end.
[0108] Configure the IPv4 (first VLAN port) and IPv6 (second VLAN port) addresses on bond0.102 as 192.168.111.10 and fdbd:0101:0202:0303::10 respectively. Here, bond0.102 is the VLAN sub-interface carrying the VLAN ID that was set.
[0109] Understandably, as long as the server controller and the GPU BOX are on the same network segment, the values in the IPv4 / IPv6 addresses can be set arbitrarily.
[0110] For example:
[0111] The command `ip link add link bond0 name bond0.102 type vlan id 102` sets the VLAN ID to 102 and names the sub-interface bond0.102.
[0112] `ip link set dev bond0.102 up` [Sets the network interface status to up]
[0113] `ip addr add fdbd:0101:0202:0303::10 peer fdbd:0101:0202:0303::11 dev bond0.102 noprefixroute`
[0114] `ip addr add 192.168.111.10 peer 192.168.111.11 dev bond0.102`
[0115] bond0.102 Link encap:Ethernet HWaddr 9C:C2:C4:3E:4A:A7
[0116] inet addr:192.168.111.10 Bcast:0.0.0.0 Mask:255.255.255.255
[0117] inet6 addr: fe80::9ec2:c4ff:fe3e:4aa7/64 Scope:Link [The link-local IPv6 address is fe80::9ec2:c4ff:fe3e:4aa7/64]
[0118] inet6 addr: fdbd:101:202:303::10/128 Scope:Global
[0119] UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
[0120] RX packets:4086447 errors:0 dropped:0 overruns:0 frame:0
[0121] TX packets:4199346 errors:0 dropped:0 overruns:0 carrier:0 [Shows whether the interface is passing packets]
[0122] collisions:0 txqueuelen:1000
[0123] RX bytes:335621357 (320.0 MiB) TX bytes:351781037 (335.4 MiB)
[0124] (2) Configure static routing table
[0125] `ip route add 192.168.111.11 dev bond0.102`
[0126] (3) Configure port forwarding rules:
[0127] 1) `iptables -t nat -I PREROUTING -i bond0 -m addrtype --dst-type LOCAL -p tcp --dport 8443 -j DNAT --to 192.168.111.11:443`
[0128] (Forwards external access to port 8443 (WEB access port) of the GPU BOX to the corresponding local server port)
[0129] 2) `iptables -t nat -I PREROUTING -i bond0 -m addrtype --dst-type LOCAL -p udp --dport 8623 -j DNAT --to 192.168.111.11:623`
[0130] (Forwards external access to port 8623 (IPMI Command port) of the GPU BOX to the corresponding local server port)
[0131] 3) `ip6tables -t nat -A PREROUTING -i bond0 -p tcp -m addrtype --dst-type LOCAL --dport 8443 -j DNAT --to-destination [fdbd:101:202:303::11]:443`
[0132] (Forwards external access to GPU BOX port 8443 (WEB access port) to the corresponding VLAN port on the switch)
[0133] 4) `ip6tables -t nat -A PREROUTING -i bond0 -p udp -m addrtype --dst-type LOCAL --dport 8623 -j DNAT --to-destination [fdbd:101:202:303::11]:623`
[0134] (Forwards external access to GPU BOX port 8623 (IPMI Command port) to the corresponding VLAN port on the switch)
[0135] Specifically, 1) and 2) mean that the server BMC publishes the GPU BOX's port 443 (WEB access port) and port 623 (IPMI Command port) to the outside world as ports 8443 and 8623 respectively, so that the server BMC can reach the GPU BOX through the two ports corresponding to 443 and 623; 3) and 4) mean that the server BMC publishes the corresponding virtual LAN port of the switch to the outside world, so that clients on the virtual LAN port side of the switch can reach the published service (BOX side) by accessing the virtual LAN port of the switch.
[0136] The parameter `-m addrtype --dst-type LOCAL` matches packets whose destination is one of the host's own local addresses, and only those packets are forwarded. This is what ensures that even after the HOST BMC IP changes, users can still log in to the BOX BMC WEB using the old IP address via a browser.
[0137] When data packets whose destination address type belongs to the host system's local network address enter the NAT table PREROUTING chain, they are directly jumped to the virtual network port 8623 / 8443.
[0138] The current host IP address is 100.2.111.10. If we change the IP address of 100.2.111.10 to 100.2.111.12, we find that 100.2.111.10 can still be redirected.
[0139] This requires using iptables commands instead of socat, because socat cannot carry the client's source IP address through to the forwarded session. A static IPv4 / IPv6 address needs to be specified; otherwise, the client's source IP address cannot be carried through and thus cannot be recorded in the audit log. The current code does not contain the above two parts, and a code library needs to be added to support them.
[0140] Optionally, the library files that can be added are libip6t_DNAT.so / libxt_addrtype.so, from which the required code can be obtained.
[0141] (4) Enable ip6table forwarding rules:
[0142] `sysctl -w net.ipv6.conf.bond0.forwarding=1`
[0143] `sysctl -w net.ipv6.conf.all.forwarding=1`
[0144] `sysctl -w net.ipv6.conf.default.forwarding=1`
[0145] Step 3: BOX BMC setup.
[0146] The static IPv4 / IPv6 address can be set on the GPU BOX BMC side as follows:
[0147] 192.168.111.11, netmask: 255.255.255.0, gateway: 192.168.111.10
[0148] fdbd:101:202:303::11, gateway: fdbd:101:202:303::10
[0149] The static IPv4 / IPv6 addresses for the server baseboard management controller can be set to 192.168.111.10 and fdbd:0101:0202:0303::10.
[0150] Understandably, it is necessary to ensure that the server baseboard management controller and the GPU BOX are on the same network segment, and the values in the IPv4 / IPv6 addresses can be set arbitrarily.
[0151] (2) Configure routing policy:
[0152] `ip rule del from 192.168.111.11`
[0153] `ip rule add sport 443 lookup 210`
[0154] `ip rule add sport 623 lookup 210`
[0155] `ip route add 0.0.0.0/0 via 192.168.111.10 tab 210`
[0156] [Adds the BOX BMC to host BMC route rule]
[0157] `ip -6 rule del from fdbd:101:202:303::11 lookup eth0`
[0158] `ip -6 rule add sport 443 lookup 220`
[0159] `ip -6 rule add sport 623 lookup 220`
[0160] `ip -6 route add 0::/0 via fdbd:101:202:303::10 tab 220`
[0161] [Adds the BOX BMC to host BMC route rule]
[0162] The reason for replacing `ip -6 route add default via fdbd:101:202:303::10` with the above routing policy is to resolve port forwarding communication failures between eth0 and bond0.102 on the same network segment. When the Box BMC sets a default static IP, it adds the following IPv6 rule: `from fdbd:101:202:303::11 lookup eth0`. Therefore, it is necessary to delete this default IPv6 rule in the Box BMC and add the relevant routing table rule.
[0163] The specific steps are as follows. Delete the existing IPv6 rule:
[0164] `ip -6 rule del from fdbd:101:202:303::11 lookup eth0`
[0165] Add rules selecting table 220 for source ports 443 / 623:
[0166] `ip -6 rule add sport 443 lookup 220`
[0167] `ip -6 rule add sport 623 lookup 220`
[0168] Add the route for that table:
[0169] `ip -6 route add 0::/0 via fdbd:101:202:303::10 tab 220`
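The forwarding path of rules 1) to 4) in [0127] to [0139] and the GPU BOX BMC routing policy of [0152] to [0169], traced through a small Python model (an added example, not code from the patent). It models the nat PREROUTING DNAT with `addrtype LOCAL`, a conntrack-style reverse mapping, the source-port policy routes, and contrasts the source address a socat-style relay would present; the server BMC's external IPv6 address, the client addresses and the client source port are constructed placeholders.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address


@dataclass(frozen=True)
class Packet:
    """Minimal L3/L4 header: enough for NAT and policy-routing decisions."""
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    sport: int
    dport: int


# Addresses from the embodiment in [0108]-[0148]; the external IPv6 address of
# the server BMC (2001:db8:1::10) is a constructed placeholder.
SERVER_BMC_LOCAL = {"100.2.111.10", "2001:db8:1::10",
                    "192.168.111.10", "fdbd:101:202:303::10"}
BOX_V4, BOX_V6 = "192.168.111.11", "fdbd:101:202:303::11"
SERVER_VLAN_V4, SERVER_VLAN_V6 = "192.168.111.10", "fdbd:101:202:303::10"

# nat PREROUTING rules 1)-4) of [0127]-[0133]: (proto, dport, family) -> target
DNAT_RULES = {
    ("tcp", 8443, 4): (BOX_V4, 443),   # WEB access port
    ("udp", 8623, 4): (BOX_V4, 623),   # IPMI command port
    ("tcp", 8443, 6): (BOX_V6, 443),
    ("udp", 8623, 6): (BOX_V6, 623),
}


def prerouting_dnat(pkt, local_addrs, conntrack):
    """Model `-m addrtype --dst-type LOCAL -p ... --dport ... -j DNAT`.

    Only the destination is rewritten (no SNAT/MASQUERADE), so the GPU BOX
    BMC still sees the operator's real source address. The conntrack dict
    stores the original destination so the reply can be un-NATed later.
    """
    if pkt.dst not in local_addrs:           # addrtype LOCAL did not match
        return pkt
    target = DNAT_RULES.get((pkt.proto, pkt.dport, ip_address(pkt.dst).version))
    if target is None:                       # no rule for this proto/port
        return pkt
    new_dst, new_dport = target
    conntrack[(pkt.proto, new_dst, new_dport, pkt.src, pkt.sport)] = (pkt.dst, pkt.dport)
    return replace(pkt, dst=new_dst, dport=new_dport)


def reverse_nat(pkt, conntrack):
    """Undo the DNAT on the reply so the client sees host_ip:8443 answering."""
    orig = conntrack.get((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
    if orig is None:
        return pkt
    return replace(pkt, src=orig[0], sport=orig[1])


def box_bmc_next_hop(pkt):
    """Policy routing of [0152]-[0169] on the GPU BOX BMC: packets whose source
    port is 443 or 623 look up table 210 (IPv4) / 220 (IPv6), whose only route
    is 'default via <server BMC VLAN address>'. Everything else keeps the
    BMC's ordinary default route on eth0."""
    if pkt.sport in (443, 623):
        return SERVER_VLAN_V4 if ip_address(pkt.src).version == 4 else SERVER_VLAN_V6
    return "eth0 default route"


def trace_dnat(client_ip, host_ip, proto, dport, sport=51000):
    """Follow one request and its reply through the DNAT path."""
    conntrack = {}
    request = Packet(client_ip, host_ip, proto, sport, dport)
    at_box = prerouting_dnat(request, SERVER_BMC_LOCAL, conntrack)
    reply = Packet(at_box.dst, at_box.src, proto, at_box.dport, at_box.sport)
    back_at_client = reverse_nat(reply, conntrack)
    return {
        "box_audit_src": at_box.src,         # the address the BOX BMC logs
        "box_dport": at_box.dport,
        "reply_via": box_bmc_next_hop(reply),
        "client_sees": (back_at_client.src, back_at_client.sport),
    }


def trace_socat(client_ip, host_ip, proto, dport):
    """User-space relay (socat style): the relay terminates the client's
    connection and opens a new one from its own VLAN address, so the BOX BMC's
    audit log can only ever show the server BMC, never the operator."""
    fam = ip_address(host_ip).version
    target = DNAT_RULES.get((proto, dport, fam))
    if target is None:
        return None
    relay_src = SERVER_VLAN_V4 if fam == 4 else SERVER_VLAN_V6
    return {"box_audit_src": relay_src, "box_dport": target[1]}


if __name__ == "__main__":
    print("DNAT :", trace_dnat("100.2.111.11", "100.2.111.10", "tcp", 8443))
    print("socat:", trace_socat("100.2.111.11", "100.2.111.10", "tcp", 8443))
```

The `box_audit_src` field is the address the GPU BOX BMC's WEB / Redfish session sees and therefore writes to its audit log: the operator's address with DNAT, the server BMC's VLAN address with a relay.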
[0170] Port forwarding involves first entering an IP address, such as IP:8443. This IP address is the address the port is forwarded to, not the IP address of the host machine. Assuming the server baseboard management controller (SMC) is accessed from some server, the SMC will record the IP address of the server currently accessing it. However, in existing technology, the audit log displays the entered address as the SMC's IP address plus the port number. This format shows that the audit log records the SMC's IP address, not the IP address of the source operating server. For example, if the logged-in system IP is 100.2.111.11 but the headend IP is 100.2.111.10:8443, the audit log should record an IP ending in '11', but in practice it records '10'. Therefore, existing technology cannot display the source operating server's IP address in the audit log.
[0171] This solution addresses the issue of audit logs failing to correctly record the source IP address when accessing via IPv6 addresses by separately configuring the IPv4 and IPv6 addresses of the Server BMC (Server Baseboard Management Controller) and the GPU BOX BMC (GPU Box Basic Management Controller), and by using iptables commands instead of socat for port forwarding rules. When accessing the Server Baseboard Management Controller via WEB / Redfish commands, the operating system's source IP address is included in the session and thus recorded in the audit logs. This allows maintenance personnel to accurately understand user actions on the faulty machine by querying the logs when a server malfunctions. This facilitates faster problem resolution and localization, saves manpower, simplifies maintenance, and provides substantial economic benefits.
[0172] It should be understood that, although the steps in the flowchart of Figure 2 are shown sequentially as indicated by the arrows, these steps are not necessarily executed in the order indicated by the arrows. Unless otherwise specified herein, there is no strict order in which these steps are executed, and they can be performed in other orders. At least some of the steps in Figure 2 may include multiple sub-steps or multiple stages. These sub-steps or stages are not necessarily completed at the same time, but can be executed at different times. The execution order of these sub-steps or stages is not necessarily sequential; they can be executed in turn or alternately with other steps or with at least some of the sub-steps or stages of other steps.
[0173] In one embodiment, a port forwarding device is provided, comprising: an acquisition module, a forwarding module, an access module, and an auditing module, wherein:
[0174] The acquisition module is used to acquire the port address of the GPU BOX for external forwarding in response to a request sent by the client to acquire the source IP address of the operating system. The port address of the GPU BOX for external forwarding includes a first external forwarding port address and a second external forwarding port address.
[0175] The forwarding module is used to forward the first external forwarding port address and the second external forwarding port address to the first virtual LAN port and the second virtual LAN port corresponding to the LAN switch, respectively, according to the pre-set port forwarding rules; the pre-set port forwarding rules are configured with target address types, and the target address types include network address data packets;
[0176] The access module is used to enable the client to access the GPU BOX through the first virtual LAN port and the second virtual LAN port according to the pre-generated target routing rules. The GPU BOX includes the pre-generated target routing rules.
[0177] The audit module is used to record the operating system source IP address in the audit log when a client accesses the server baseboard management controller via WEB / Redfish commands.
[0178] In one embodiment, another implementation of the port forwarding method that the above-mentioned device can achieve includes the following specific steps:
[0179] The pre-configured port forwarding rules specify the target address type, which includes network address packets, and the methods include:
[0180] In response to the network address packet containing the target address type, the network address packet is sent to the iptables tool. After the network address packet enters the PREROUTING chain of the NAT table in the iptables tool, the client uses the network address packet to jump to the first VLAN port and the second VLAN port.
[0181] In one embodiment, another implementation of the port forwarding method that the above-mentioned device can achieve includes the following steps: calling open-source code through an external interface, compiling the open-source code called by the external interface, and forming an object code database.
[0182] In one embodiment, another implementation of the port forwarding method that the above-mentioned device can achieve includes the following specific steps:
[0183] Obtain the pre-generated target routing rules, which also include the corresponding bounce rules from the GPU BOX BMC to the server baseboard controller;
[0184] In response to the GPU BOX BMC automatically generating the default rule for the second virtual LAN port in the GPU BOX BMC, delete the default rule for the second virtual LAN port in the GPU BOX BMC;
[0185] Add a target route rule in the default rule settings for the second virtual LAN port in GPU BOX BMC.
[0186] In one embodiment, another implementation of the port forwarding method that the above-mentioned device can achieve includes the following specific steps:
[0187] Obtain the IP address of the server baseboard management controller;
[0188] Log in to the server baseboard management controller via the Redfish interface using the server baseboard management controller's IP address and obtain the login token value.
[0189] The client accesses the server baseboard management controller via a token value.
[0190] In one embodiment, another implementation of the port forwarding method that the above-mentioned device can achieve includes the following specific steps:
[0191] Set the first VLAN port address and the second VLAN port address on the server baseboard management controller side; set the first VLAN port address and the second VLAN port address on the GPU BOX side; wherein the first VLAN port address and the second VLAN port address on the server baseboard management controller side are in the same preset network segment as the first VLAN port address and the second VLAN port address on the GPU BOX side.
[0192] In one embodiment, another implementation of the port forwarding method that the above-mentioned device can achieve includes the following specific steps:
[0193] In response to receiving an audit log retrieval request that includes characteristic information associated with the audit log to be queried, a standard interface of the audit log smart contract is invoked based on that characteristic information to read the audit log to be queried from the blockchain.
[0194] For specific limitations regarding the port forwarding device, please refer to the limitations on the port forwarding method above, which will not be repeated here. Each module in the aforementioned port forwarding device can be implemented entirely or partially through software, hardware, or a combination thereof. These modules can be embedded in the processor of the computer device in hardware form or independent of it, or stored in the memory of the computer device in software form, so that the processor can call and execute the operations corresponding to each module.
[0195] In one embodiment, a computer device is provided, which may be a server, and its internal structure may be as shown in Figure 3. The computer device includes a processor, memory, network interface, and database connected via a system bus. The processor provides computing and control capabilities. The memory includes non-volatile storage media and internal memory. The non-volatile storage media stores the operating system, computer programs, and database. The internal memory provides an environment for the operation of the operating system and computer programs stored in the non-volatile storage media. The database stores data used in the port forwarding method described above. The network interface is used for communication with external terminals via a network connection. When the computer program is executed by the processor, it implements a port forwarding method.
[0196] Those skilled in the art will understand that the structure shown in Figure 3 is merely a block diagram of a portion of the structure related to the present application and does not constitute a limitation on the computer device to which the present application is applied. Specific computer devices may include more or fewer components than those shown in the figure, or combine certain components, or have different component arrangements.
[0197] In one embodiment, a computer device is provided, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the computer program to perform the following steps:
[0198] In response to receiving a request from a client to obtain the source IP address of the operating system, the port address for forwarding the GPU BOX to the outside is obtained, wherein the port address for forwarding the GPU BOX to the outside includes a first outward forwarding port address and a second outward forwarding port address;
[0199] According to the pre-configured port forwarding rules, the first external forwarding port address and the second external forwarding port address are forwarded to the first virtual LAN port and the second virtual LAN port corresponding to the LAN switch, respectively; the pre-configured port forwarding rules are configured with target address types, and the target address types include network address data packets;
[0200] The GPU BOX includes pre-generated target routing rules. Based on these rules, the client accesses the GPU BOX through the first virtual LAN port and the second virtual LAN port.
[0201] When a client accesses the server baseboard management controller via WEB / Redfish commands, the operating system source IP address is recorded in the audit log.
[0202] In one embodiment, the processor, when executing a computer program, also performs the following steps:
[0203] The pre-configured port forwarding rules specify the target address type, which includes network address packets, and the methods include:
[0204] In response to the network address packet containing the target address type, the network address packet is sent to the iptables tool. After the network address packet enters the PREROUTING chain of the NAT table in the iptables tool, the client uses the network address packet to jump to the first VLAN port and the second VLAN port.
[0205] In one embodiment, when the processor executes a computer program, it also performs the following steps: calling open-source code through an external interface, compiling the open-source code called by the external interface, and forming an object code database.
[0206] In one embodiment, the processor, when executing a computer program, also performs the following steps:
[0207] Obtain the pre-generated target routing rules, which also include the corresponding bounce rules from the GPU BOX BMC to the server baseboard controller;
[0208] In response to the GPU BOX BMC automatically generating the default rule for the second virtual LAN port in the GPU BOX BMC, delete the default rule for the second virtual LAN port in the GPU BOX BMC;
[0209] Add a target route rule in the default rule settings for the second virtual LAN port in GPU BOX BMC.
[0210] In one embodiment, the processor, when executing a computer program, also performs the following steps:
[0211] Obtain the IP address of the server baseboard management controller;
[0212] Log in to the server board management controller via the Redfish interface using the server board management controller's IP address and obtain the login token value.
[0213] The client accesses the server baseboard management controller via a token value.
[0214] In one embodiment, the processor, when executing a computer program, also performs the following steps:
[0215] Set the first VLAN port address and the second VLAN port address on the server baseboard management controller side; set the first VLAN port address and the second VLAN port address on the GPU BOX side; wherein the first VLAN port address and the second VLAN port address on the server baseboard management controller side are in the same preset network segment as the first VLAN port address and the second VLAN port address on the GPU BOX side.
[0216] In one embodiment, the processor, when executing a computer program, also performs the following steps:
[0217] In response to receiving an audit log retrieval request that includes characteristic information associated with the audit log to be queried, a standard interface of the audit log smart contract is invoked based on that characteristic information to read the audit log to be queried from the blockchain.
[0218] In one embodiment, a computer-readable storage medium is provided having a computer program stored thereon, the computer program performing the following steps when executed by a processor:
[0219] In response to receiving a request from a client to obtain the source IP address of the operating system, the port address for forwarding the GPU BOX to the outside is obtained, wherein the port address for forwarding the GPU BOX to the outside includes a first outward forwarding port address and a second outward forwarding port address;
[0220] According to the pre-configured port forwarding rules, the first external forwarding port address and the second external forwarding port address are forwarded to the first virtual LAN port and the second virtual LAN port corresponding to the LAN switch, respectively; the pre-configured port forwarding rules are configured with target address types, and the target address types include network address data packets;
[0221] The GPU BOX includes pre-generated target routing rules. Based on these rules, the client accesses the GPU BOX through the first virtual LAN port and the second virtual LAN port.
[0222] When a client accesses the server baseboard management controller via WEB / Redfish commands, the operating system source IP address is recorded in the audit log.
[0223] In one embodiment, when the computer program is executed by a processor, it also performs the following steps:
[0224] The pre-configured port forwarding rules specify the target address type, which includes network address packets, and the methods include:
[0225] In response to the network address packet containing the target address type, the network address packet is sent to the iptables tool. After the network address packet enters the PREROUTING chain of the NAT table in the iptables tool, the client uses the network address packet to jump to the first VLAN port and the second VLAN port.
[0226] In one embodiment, when the computer program is executed by the processor, it also performs the following steps: calling open-source code through an external interface, compiling the open-source code called by the external interface, and forming an object code database.
[0227] In one embodiment, when the computer program is executed by a processor, it also performs the following steps:
[0228] Obtain the pre-generated target routing rules, which also include the corresponding bounce rules from the GPU BOX BMC to the server baseboard controller;
[0229] In response to the GPU BOX BMC automatically generating the default rule for the second virtual LAN port in the GPU BOX BMC, delete the default rule for the second virtual LAN port in the GPU BOX BMC;
[0230] Add a target route rule in the default rule settings for the second virtual LAN port in GPU BOX BMC.
[0231] In one embodiment, when the computer program is executed by a processor, it also performs the following steps:
[0232] Obtain the IP address of the server baseboard management controller;
[0233] Log in to the server board management controller via the Redfish interface using the server board management controller's IP address and obtain the login token value.
[0234] The client accesses the server baseboard management controller via a token value.
[0235] In one embodiment, when the computer program is executed by a processor, it also performs the following steps:
[0236] Set the first VLAN port address and the second VLAN port address on the server baseboard management controller side; set the first VLAN port address and the second VLAN port address on the GPU BOX side; wherein the first VLAN port address and the second VLAN port address on the server baseboard management controller side are in the same preset network segment as the first VLAN port address and the second VLAN port address on the GPU BOX side.
[0237] In one embodiment, when the computer program is executed by a processor, it also performs the following steps:
[0238] In response to receiving an audit log retrieval request that includes characteristic information associated with the audit log to be queried, a standard interface of the audit log smart contract is invoked based on that characteristic information to read the audit log to be queried from the blockchain.
[0239] Those skilled in the art will understand that all or part of the processes in the methods of the above embodiments can be implemented by a computer program instructing related hardware. The computer program can be stored in a non-volatile computer-readable storage medium, and when executed, it can include the processes of the embodiments of the above methods. Any references to memory, storage, databases, or other media used in the embodiments provided in this application can include non-volatile and / or volatile memory. Non-volatile memory can include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in various forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM), and Rambus dynamic RAM (RDRAM), etc.
[0240] The technical features of the above embodiments can be combined in any way. For the sake of brevity, not all possible combinations of the technical features in the above embodiments are described. However, as long as there is no contradiction in the combination of these technical features, they should be considered to be within the scope of this specification.
[0241] The embodiments described above are merely illustrative of several implementation methods of this application, and while the descriptions are relatively specific and detailed, they should not be construed as limiting the scope of the invention patent. It should be noted that those skilled in the art can make various modifications and improvements without departing from the concept of this application, and these all fall within the protection scope of this application. Therefore, the protection scope of this patent application should be determined by the appended claims.
Claims
1. A port forwarding method, characterized in that it comprises: in response to receiving a request from a client to access a GPU BOX, obtaining the external forwarding port addresses of the GPU BOX, wherein the external forwarding port addresses of the GPU BOX include a first external forwarding port address and a second external forwarding port address; according to pre-set port forwarding rules, forwarding the first external forwarding port address and the second external forwarding port address to the corresponding first virtual LAN port and second virtual LAN port of the LAN switch, respectively; wherein the pre-set port forwarding rules are configured with target address types, the target address types include local network addresses, and the data packets corresponding to the local network addresses are forwarded to the virtual LAN ports; wherein the GPU BOX includes pre-generated target routing rules, and according to the pre-generated target routing rules the client accesses the GPU BOX through the first virtual LAN port and the second virtual LAN port; and when the client accesses the server baseboard management controller via WEB/Redfish commands, recording the operating system source IP address in an audit log.
2. The method of claim 1, wherein the step of forwarding the data packets corresponding to the local network addresses to the virtual LAN ports includes: in response to obtaining a network address data packet corresponding to a local network address, sending the network address data packet to the iptables tool; and after the network address data packet enters the PREROUTING chain of the nat table in the iptables tool, redirecting it to the first virtual LAN port and the second virtual LAN port.
3. The method of claim 1, further comprising: calling open source code through an external interface, and compiling the open source code called through the external interface to form an object code database.
4. The method of claim 1, further comprising: obtaining the pre-generated target routing rules, which further include bounce rules from the GPU BOX BMC to the server baseboard management controller; in response to the GPU BOX BMC automatically generating a default rule for the second virtual LAN port in the GPU BOX BMC, deleting the default rule for the second virtual LAN port in the GPU BOX BMC; and adding a bounce rule in the default rule settings for the second virtual LAN port in the GPU BOX BMC.
5. The method of claim 1, further comprising: obtaining the IP address of the server baseboard management controller; logging in to the server baseboard management controller via the Redfish interface using the IP address of the server baseboard management controller, and obtaining a token value for logging in to the server baseboard management controller; and the client accessing the server baseboard management controller using the token value.
6. The method of claim 1, further comprising: setting a first virtual LAN port address and a second virtual LAN port address on the server baseboard management controller side; and setting a first virtual LAN port address and a second virtual LAN port address on the GPU BOX side; wherein the first virtual LAN port address and the second virtual LAN port address on the server baseboard management controller side are in the same preset range of network segments as the first virtual LAN port address and the second virtual LAN port address on the GPU BOX side.
7. The method according to claim 1, characterized in that the audit logs are stored in a server system that includes a blockchain network, and the method includes: in response to receiving an audit log retrieval request, the audit log retrieval request including feature information associated with the audit log to be queried, invoking a standard interface of an audit log smart contract based on the feature information to read the audit log to be queried from the blockchain.
8. A port forwarding apparatus, characterized in that the apparatus includes: an acquisition module, used to obtain the external forwarding port addresses of the GPU BOX in response to a request sent by a client to access the GPU BOX, wherein the external forwarding port addresses of the GPU BOX include a first external forwarding port address and a second external forwarding port address; a forwarding module, used to forward the first external forwarding port address and the second external forwarding port address to the corresponding first virtual LAN port and second virtual LAN port of the LAN switch, respectively, according to pre-set port forwarding rules, wherein the pre-set port forwarding rules are configured with target address types, the target address types include local network addresses, and the data packets corresponding to the local network addresses are forwarded to the virtual LAN ports; an access module, used to allow the client to access the GPU BOX through the first virtual LAN port and the second virtual LAN port according to pre-generated target routing rules, wherein the GPU BOX includes the pre-generated target routing rules; and an audit module, used to record the operating system source IP address in an audit log when the client accesses the server baseboard management controller via WEB/Redfish commands.
9. A computer device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, characterized in that, when the processor executes the computer program, it implements the steps of the method according to any one of claims 1 to 7.
10. A computer-readable storage medium having a computer program stored thereon, characterized in that, when the computer program is executed by a processor, it implements the steps of the method according to any one of claims 1 to 7.
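As an added example, not code from the patent or from Inspur, the iptables configuration that claim 2 describes can be generated as follows: two DNAT rules in the PREROUTING chain of the nat table send the two external forwarding ports to the two GPU BOX virtual LAN ports, and no SNAT or MASQUERADE is emitted for the VLAN side, so the GPU BOX BMC sees the operator's real source IP and can record it in its audit log, which is the point the patent makes against conventional forwarding. The interface name, ports, addresses, the allowed client network and the function names gen_nat_rules/apply_nat_rules are assumptions chosen for illustration.

```python
"""Added example, not code from the patent: generate the iptables NAT rules of claim 2.
Interface names, ports, addresses and function names here are assumptions."""
import ipaddress
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class Forward:
    ext_port: int    # external forwarding port on the server BMC host
    vlan_host: str   # GPU BOX address on the virtual LAN
    vlan_port: int   # service port on the GPU BOX (443 for WEB/Redfish)


def gen_nat_rules(ext_if: str, forwards: list, allowed_src: str = "0.0.0.0/0") -> str:
    """Return an iptables-restore(8) fragment for the nat and filter tables.

    A packet arriving on ext_if for a forwarding port is DNATed in the PREROUTING
    chain of the nat table to the matching virtual LAN port. No SNAT or MASQUERADE
    is emitted for the VLAN side on purpose: the GPU BOX BMC then sees the client's
    real source IP, which is what its audit log has to record. The GPU BOX must
    route replies for allowed_src back through this host (the patent's
    pre-generated target routing rules).
    """
    ipaddress.ip_network(allowed_src)            # reject typos before they hit the kernel
    for f in forwards:
        ipaddress.ip_address(f.vlan_host)
        if not (0 < f.ext_port < 65536 and 0 < f.vlan_port < 65536):
            raise ValueError(f"bad port in {f}")
    nat = ["*nat", ":PREROUTING ACCEPT [0:0]", ":POSTROUTING ACCEPT [0:0]"]
    flt = ["*filter", ":FORWARD DROP [0:0]",
           "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for f in forwards:
        nat.append(f"-A PREROUTING -i {ext_if} -s {allowed_src} -p tcp --dport {f.ext_port}"
                   f" -j DNAT --to-destination {f.vlan_host}:{f.vlan_port}")
        # In FORWARD the destination is already rewritten, so match the VLAN side.
        match = (f"-i {ext_if} -p tcp -d {f.vlan_host} --dport {f.vlan_port}"
                 " -m conntrack --ctstate NEW")
        # The LOG rule gives the forwarding host its own record (SRC= field in the
        # kernel log) of every new client connection, independent of the BMC's log.
        flt.append(f'-A FORWARD {match} -j LOG --log-prefix "gpubox-fwd: "')
        flt.append(f"-A FORWARD {match} -j ACCEPT")
    nat.append("COMMIT")
    flt.append("COMMIT")
    return "\n".join(nat + flt) + "\n"


def apply_nat_rules(rules: str) -> None:
    """Enable forwarding and load the rules (needs root; --noflush keeps other tables)."""
    subprocess.run(["sysctl", "-w", "net.ipv4.ip_forward=1"], check=True)
    subprocess.run(["iptables-restore", "--noflush"], input=rules.encode(), check=True)


if __name__ == "__main__":
    # Constructed demo values: WEB/Redfish on 8443 -> VLAN1 :443, SSH on 8022 -> VLAN2 :22
    print(gen_nat_rules("eth0", [Forward(8443, "192.168.100.2", 443),
                                 Forward(8022, "192.168.101.2", 22)], "10.0.0.0/8"))
```

Two checks a practitioner would run after loading the rules: `iptables -t nat -L PREROUTING -n -v` to confirm the DNAT counters increase when a client connects, and a look at the GPU BOX BMC's audit log to confirm the recorded source is the operator's workstation and not the forwarding host, which is exactly what goes wrong if a MASQUERADE rule is added in POSTROUTING.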
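The Redfish session login of claim 5 and the audit-log step of claim 1, shown together as an added example rather than code from the patent or from Inspur. A minimal stand-in BMC is served on the loopback interface so the exchange runs offline; the credentials, the SessionService and Systems paths on the stand-in, and the function names redfish_login/redfish_get/demo are assumptions. The security-relevant detail is in do_POST and do_GET: the BMC records the peer address of the connection, so the entry is only as good as the forwarding in front of it, and a forwarder that applied SNAT would make every entry carry its own address instead of the operator's.

```python
"""Added example, not code from the patent: Redfish session-token login (claim 5)
against a stand-in BMC served locally, with the audit-log entry of claim 1 written
for every authenticated access. Credentials, paths and the stand-in are assumptions."""
import json
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

AUDIT_LOG = []                              # one record per BMC access attempt
SESSIONS = {}                               # X-Auth-Token -> user name
USERS = {"admin": "constructed-password"}   # constructed demo credential


class StandInBMC(BaseHTTPRequestHandler):
    """Just enough of the Redfish SessionService to show the token flow."""

    def log_message(self, *args):           # silence the default request log
        pass

    def _send(self, code, body=None, headers=()):
        data = json.dumps(body).encode() if body is not None else b""
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        for name, value in headers:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):
        if self.path != "/redfish/v1/SessionService/Sessions":
            return self._send(404)
        length = int(self.headers.get("Content-Length", 0))
        creds = json.loads(self.rfile.read(length) or b"{}")
        user = str(creds.get("UserName", ""))
        ok = secrets.compare_digest(USERS.get(user, "").encode(),
                                    str(creds.get("Password", "")).encode())
        # Audit: the source IP the BMC sees. Without SNAT on the forwarder this is
        # the operator's own address; with SNAT it would be the forwarder's.
        AUDIT_LOG.append({"src": self.client_address[0], "user": user,
                          "result": "login-ok" if ok else "login-failed"})
        if not ok:
            return self._send(401)
        token = secrets.token_urlsafe(32)
        SESSIONS[token] = user
        self._send(201, {"@odata.id": "/redfish/v1/SessionService/Sessions/1"},
                   [("X-Auth-Token", token),
                    ("Location", "/redfish/v1/SessionService/Sessions/1")])

    def do_GET(self):
        user = SESSIONS.get(self.headers.get("X-Auth-Token", ""))
        if user is None:
            return self._send(401)
        AUDIT_LOG.append({"src": self.client_address[0], "user": user,
                          "result": "read", "path": self.path})
        self._send(200, {"Id": "GPUBOX", "PowerState": "On"})


def redfish_login(base, user, password):
    """POST credentials to the SessionService and return the X-Auth-Token."""
    req = urllib.request.Request(
        base + "/redfish/v1/SessionService/Sessions",
        data=json.dumps({"UserName": user, "Password": password}).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.headers["X-Auth-Token"]


def redfish_get(base, token, path):
    """Read a Redfish resource with the session token instead of the password."""
    req = urllib.request.Request(base + path, headers={"X-Auth-Token": token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def demo():
    """Run the whole exchange against the local stand-in; returns (token, system, audit)."""
    AUDIT_LOG.clear()
    srv = HTTPServer(("127.0.0.1", 0), StandInBMC)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{srv.server_address[1]}"
    try:
        try:                                   # a wrong password must be refused and logged
            redfish_login(base, "admin", "wrong")
            raise RuntimeError("wrong password was accepted")
        except urllib.error.HTTPError as err:
            if err.code != 401:
                raise
        token = redfish_login(base, "admin", "constructed-password")
        system = redfish_get(base, token, "/redfish/v1/Systems/GPUBOX")
        return token, system, list(AUDIT_LOG)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    _, system, audit = demo()
    print(system)
    for entry in audit:
        print(entry)
```

Against a real BMC the same two calls go over HTTPS with the BMC's certificate validated, and the token should be revoked with a DELETE on the session's Location when the maintenance task is done; the stand-in uses plain HTTP only so the example runs offline.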