CN108011991B - Data stream forwarding method, main control board, interface board, engine board and distributed firewall - Google Patents


Info

Publication number
CN108011991B
Authority
CN
China
Prior art keywords
address
public network
data stream
data flow
board
Prior art date
Legal status
Active
Application number
CN201711245120.8A
Other languages
Chinese (zh)
Other versions
CN108011991A (en)
Inventor
韩冰
聂树伟
Current Assignee
New H3C Technologies Co Ltd
Original Assignee
New H3C Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by New H3C Technologies Co Ltd; priority to CN201711245120.8A; publication of CN108011991A; application granted; publication of CN108011991B; legal status: Active.

Classifications

    • All classifications fall under H ELECTRICITY / H04 ELECTRIC COMMUNICATION TECHNIQUE / H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/5007 Internet protocol [IP] addresses (H04L61/50 Address allocation; H04L61/00 Network arrangements, protocols or services for addressing or naming)
    • H04L45/74 Address processing for routing (H04L45/00 Routing or path finding of packets in data switching networks)
    • H04L61/2503 Translation of Internet protocol [IP] addresses (H04L61/25 Mapping addresses of the same type; H04L61/09 Mapping addresses)
    • H04L61/255 Maintenance or indexing of mapping tables
    • H04L61/5061 Pools of addresses (H04L61/50 Address allocation)
    • H04L63/0218 Distributed architectures, e.g. distributed firewalls (H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones; H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls; H04L63/00 Network architectures or network communication protocols for network security)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a data stream forwarding method, a main control board, an interface board, an engine board and a distributed firewall. The main control board obtains every public network IP address in the NAT public network address pool, computes a function value for each address with a preset distribution function, and issues the address to the engine board corresponding to that function value. When the interface board receives a reverse data stream answering a forward data stream, and the destination characteristic value of the reverse data stream is one that the main control board pre-distributed with the preset distribution function, the interface board determines a target interface among its output interfaces from that destination characteristic value using the same preset distribution function as the main control board, and forwards the reverse data stream to the engine board connected to the target interface. The reverse data stream is therefore always processed by the engine board that holds the session table entry.

Description

Data stream forwarding method, main control board, interface board, engine board and distributed firewall
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a data stream forwarding method, a main control board, an interface board, an engine board, and a distributed firewall.
Background
The core service of a distributed firewall device is completed by an interface board and an engine board working together: the interface board is responsible for sending and receiving packets, and the engine board is responsible for security services such as NAT processing. To raise service processing capacity, a distributed firewall is usually fitted with several engine boards, and the interface board selects the engine board that will process a given flow by some algorithm (mainly a hash).
If the response traffic from an external network host is not sent to the engine board recorded in the NAT session table entry, the response packets cannot match the NAT session and the reverse NAT translation cannot be completed. For example: an intranet host accesses the external network; the flow is sent to engine board 1, which performs NAT translation and creates an NAT session table entry; after NAT processing the engine board forwards the packets to the interface board, which sends them to the external network; the response traffic from the external host is then sent by the interface board to engine board 2. Because engine board 2 holds no NAT session table entry for it, the traffic is discarded, and return traffic from the external network cannot be NAT-translated correctly by the distributed firewall product.
Disclosure of Invention
In view of this, an object of the present invention is to provide a data stream forwarding method, a main control board, an interface board, an engine board, and a distributed firewall, so as to alleviate the technical problem that, when a reverse data stream responding to a forward data stream is not sent to an engine board where an NAT session entry is located, the reverse data stream cannot be matched with the NAT session entry, so that NAT conversion of the reverse data stream cannot be completed.
In a first aspect, an embodiment of the present invention provides a data stream forwarding method, where the method is applied to a main control board in a distributed firewall, and the method includes:
acquiring each public network IP address in an NAT public network address pool;
for each public network IP address, calculating the public network IP address through a preset distribution function to obtain a function value;
and issuing the public network IP address to an engine board corresponding to the function value.
In a second aspect, an embodiment of the present invention provides a data stream forwarding method, where the method is applied to a main control board in a distributed firewall, and the method includes:
acquiring each public network IP address in an NAT public network address pool and a plurality of port numbers corresponding to each public network IP address;
for each public network IP address and each port number corresponding to the public network IP address, calculating the public network IP address and the port number respectively through a preset distribution function to obtain a function value;
and issuing the public network IP address and the port number to an engine board corresponding to the function value.
In a third aspect, an embodiment of the present invention provides a data stream forwarding method, where the method is applied to an interface board in a distributed firewall, the distributed firewall further includes multiple engine boards each connected to one output interface of the interface board, and the method includes:
receiving a reverse data stream responding to a forward data stream, wherein the forward data stream is a data stream sent from an internal network to a public network;
if the destination characteristic value of the reverse data stream is determined to be one pre-distributed by the main control board according to a preset distribution function, determining a target interface among the plurality of output interfaces according to the destination characteristic value of the reverse data stream and the same preset distribution function as used by the main control board;
and forwarding the reverse data stream to the engine board connected to the target interface.
With reference to the third aspect, an embodiment of the present invention provides a first possible implementation manner of the third aspect, where the method further includes:
receiving a forward data stream;
determining a target interface among the plurality of output interfaces according to the destination characteristic value of the forward data stream and the preset distribution function;
and forwarding the forward data flow to an engine board connected with the target interface.
With reference to the third aspect, an embodiment of the present invention provides a second possible implementation manner of the third aspect, where determining a target interface among the plurality of output interfaces according to the destination characteristic value of the reverse data stream and the preset distribution function includes:
calculating a function value from the destination characteristic value of the reverse data stream with the preset distribution function;
and taking the output interface corresponding to that function value, among the plurality of output interfaces, as the target interface.
With reference to the third aspect, an embodiment of the present invention provides a third possible implementation manner of the third aspect, where the destination characteristic value is the destination IP address in the IP five-tuple of the reverse data stream,
the preset distribution function is a hash function, and calculating the function value from the destination characteristic value of the reverse data stream with the preset distribution function includes:
using the destination IP address as the key of the hash function and computing the function value;
or, alternatively,
the destination characteristic value is the combination of the destination IP address and the destination port in the IP five-tuple of the reverse data stream,
the preset distribution function is a hash function, and calculating the function value from the destination characteristic value of the reverse data stream with the preset distribution function includes:
using the destination IP address and the destination port number together as the key of the hash function and computing the function value.
In a fourth aspect, an embodiment of the present invention further provides a data stream forwarding method, where the method is applied to an engine board in a distributed firewall, and public network IP addresses in a public network address pool in the engine board are pre-allocated according to a preset allocation function, where the method includes:
receiving a forward data stream, wherein the forward data stream is a data stream sent from an intranet to a public network;
performing Network Address Translation (NAT) on the forward data stream by using a public network address pool, and establishing a session table entry;
and sending the forward data flow after NAT conversion to an interface board.
With reference to the fourth aspect, an embodiment of the present invention provides a first possible implementation manner of the fourth aspect, where the method further includes:
receiving a reverse data stream responding to the forward data stream;
NAT conversion is carried out on the reverse data flow by utilizing the session table item;
and sending the reverse data flow after NAT conversion to an interface board.
With reference to the fourth aspect, an embodiment of the present invention provides a second possible implementation manner of the fourth aspect, where performing NAT translation on the reverse data stream by using the session table entry generated when the forward data stream was NAT-translated with the public network address pool includes:
looking up, in the session table entry, the intranet IP address corresponding to the destination IP address in the IP five-tuple of the reverse data stream, and translating that destination IP address into the intranet IP address;
and correspondingly, performing network address translation (NAT) on the forward data stream by using the public network address pool includes:
selecting a public network IP address from the public network address pool, and translating the source IP address in the IP five-tuple of the forward data stream into that public network IP address.
With reference to the fourth aspect, an embodiment of the present invention provides a third possible implementation manner of the fourth aspect, where performing NAT translation on the reverse data stream by using the session table entry includes:
looking up, in the session table entry, the intranet IP address corresponding to the destination IP address and the intranet port corresponding to the destination port in the IP five-tuple of the reverse data stream, translating the destination IP address into the intranet IP address and the destination port into the intranet port;
and correspondingly, performing network address translation (NAT) on the forward data stream by using the public network address pool includes:
selecting a public network IP address and a public network port from the public network address pool, translating the source IP address in the IP five-tuple of the forward data stream into the public network IP address, and translating the source port into the public network port.
In a fifth aspect, an embodiment of the present invention further provides a main control board, which includes a memory and a processor, where the memory stores a computer program that can be run on the processor, and the processor implements the steps of the method according to the first aspect when executing the computer program.
In a sixth aspect, an embodiment of the present invention further provides a main control board, which includes a memory and a processor, where the memory stores a computer program that can be run on the processor, and the processor implements the steps of the method according to the second aspect when executing the computer program.
In a seventh aspect, an embodiment of the present invention further provides an interface board, which includes a memory and a processor, where the memory stores a computer program that is executable on the processor, and the processor implements the steps of the method according to the third aspect when executing the computer program.
In an eighth aspect, an embodiment of the present invention further provides an engine board, which includes a memory and a processor, where the memory stores a computer program operable on the processor, and the processor implements the steps of the method according to the fourth aspect when executing the computer program.
In a ninth aspect, an embodiment of the present invention further provides a distributed firewall, including: the main control board according to the fifth aspect or the sixth aspect, the interface board according to the seventh aspect, and the engine boards according to the eighth aspect.
The embodiments of the invention have the following beneficial effects. The main control board obtains each public network IP address in the NAT public network address pool, computes a function value for each address with the preset distribution function, and issues the address to the engine board corresponding to that value; or it obtains each public network IP address together with the port numbers belonging to it, computes a function value for each (address, port) pair with the preset distribution function, and issues the pair to the engine board corresponding to that value.
When the interface board receives a reverse data stream answering a forward data stream, it determines a target interface among its output interfaces from the destination characteristic value of the reverse data stream and the same preset distribution function that the main control board used to distribute the public network IP addresses, and forwards the reverse data stream to the engine board connected to the target interface.
The engine board receives the forward data stream, performs NAT on it with its public network address pool, creates a session table entry, and sends the translated forward data stream to the interface board.
The destination IP address of the reverse data stream received by the interface board equals the translated source IP address of the forward data stream, and that source address was taken by the engine board from its own public network address pool; the destination IP address of the reverse data stream therefore belongs to the pool of the engine board that translated the forward stream. Because the public network IP addresses were pre-distributed to engine boards according to the function value of the preset distribution function, and the interface board applies the same function to the destination IP address of the reverse stream, it obtains the same function value that was obtained when that address was distributed, and the target interface determined from that value leads to the engine board that performed NAT on the forward stream. The reverse data stream is thus guaranteed to be processed by the engine board where the session table entry is located.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
In order to make the aforementioned and other objects, features and advantages of the present invention comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
FIG. 1 is a diagram of a hardware architecture according to an embodiment of the present invention;
fig. 2 is a flowchart of a data stream forwarding method according to an embodiment of the present invention;
fig. 3 is a flowchart of another data stream forwarding method according to an embodiment of the present invention;
fig. 4 is a flowchart of another data stream forwarding method according to an embodiment of the present invention;
fig. 5 is a flowchart of another data stream forwarding method according to an embodiment of the present invention;
fig. 6 is a flowchart of another data stream forwarding method according to an embodiment of the present invention;
fig. 7 is a flowchart of another data stream forwarding method according to an embodiment of the present invention;
fig. 8A is an overall flowchart of a data stream forwarding method according to an embodiment of the present invention;
fig. 8B is another overall flowchart of a data stream forwarding method according to an embodiment of the present invention;
fig. 9 is a structural diagram of a data stream forwarding apparatus according to an embodiment of the present invention;
fig. 10 is a block diagram of another data stream forwarding apparatus according to an embodiment of the present invention;
fig. 11 is a structural diagram of another data stream forwarding apparatus according to an embodiment of the present invention;
fig. 12 is a structural diagram of another data stream forwarding apparatus according to an embodiment of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is apparent that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
At present, when a reverse data stream answering a forward data stream is not sent to the engine board where the NAT session table entry is located, it cannot be matched against that entry and its NAT translation cannot be completed.
To facilitate understanding, the data stream forwarding method disclosed in the embodiment of the present invention is first described in detail. It is used to forward data streams between the interface board and the engine boards inside a distributed firewall. As shown in fig. 1, the distributed firewall includes a main control board (01), an interface board (02) and a plurality of engine boards (fig. 1 takes two engine boards as an example: engine board I (03) and engine board II (04), each connected to one output interface of the interface board). The main control board manages the interface board and the engine boards; for example, it issues the preset distribution function to the interface board and allocates public network IP addresses to each engine board. The interface board forwards forward data streams received from the intranet to an engine board, forwards NAT-translated forward streams from the engine board to the external network, forwards reverse data streams from the external network that answer a forward stream to the corresponding engine board, and forwards NAT-translated reverse streams from the engine board to the intranet. The engine boards perform network address translation (NAT) on forward and reverse data streams.
When the device enables the NAT function according to the user's configuration, the parameter of the preset distribution function on the interface board can be set to the destination IP address in the IP five-tuple of the data stream, or to the destination IP address and destination port in the IP five-tuple. Each output interface of the interface board is configured to correspond to one function value of the preset distribution function.
In order to allocate a public network IP address to each engine board, in an embodiment of the present invention, as shown in fig. 2, the data stream forwarding method may include the following steps:
and step S101, the main control board obtains each public network IP address in the NAT public network address pool.
And S102, for each public network IP address, the main control board calculates the public network IP address through a preset distribution function to obtain a function value.
In the embodiment of the present invention the preset distribution function may be a hash function; other functions may also be used in practice, and the invention is not limited in this respect. In step S102 the public network IP address is used as the key of the hash function, and the hash operation is performed together with the number of engine boards in the distributed firewall (the hash result reduced modulo the number of engine boards) to obtain the function value.
And step S103, the main control board issues the public network IP address to the engine board corresponding to the function value.
For example, if the NAT public network address pool contains the six public network IP addresses 1.0.0.1 to 1.0.0.6, and after hashing the function values computed by the main control board for 1.0.0.1, 1.0.0.3 and 1.0.0.5 correspond to engine board 1 while those for 1.0.0.2, 1.0.0.4 and 1.0.0.6 correspond to engine board 2, then according to this result the main control board issues 1.0.0.1, 1.0.0.3 and 1.0.0.5 to engine board 1 and 1.0.0.2, 1.0.0.4 and 1.0.0.6 to engine board 2.
In this NAT translation the ports do not take part in the hash operation. For example, ports 1024 to 65535 of the public network IP address 1.0.0.1 are not hashed; they are all allocated together with 1.0.0.1 to the engine board to which 1.0.0.1 maps (engine board 1 above), and ports 1024 to 65535 of 1.0.0.2 go with 1.0.0.2 to engine board 2.
Building on the foregoing embodiment: when NAT is performed on a forward data stream, each source IP address (the intranet host's address) is translated to one public network IP address, which requires the public network address pool to contain a large number of public network IP addresses, yet an enterprise gateway may not actually have that many. Moreover, if several source IP addresses are translated to the same public network IP address, the reverse data stream answering a forward stream may not be forwarded to the correct intranet host on the basis of the session table entry. For this reason, in another embodiment of the present invention, as shown in fig. 3, the data stream forwarding method may include the following steps:
step S201, the main control board obtains each public network IP address in the NAT public network address pool and a plurality of port numbers corresponding to each public network IP address.
Step S202, the main control board calculates the public network IP address and the port number respectively through a preset distribution function to obtain a function value for each public network IP address and each port number corresponding to the public network IP address.
In the embodiment of the present invention the preset distribution function may be a hash function; other functions may also be used in practice, and the invention is not limited in this respect. In step S202 the public network IP address and the port number together are used as the key of the hash function, and the hash operation is performed together with the number of engine boards in the distributed firewall to obtain the function value. In practice the public network IP address and the port number may each be converted to a number (radix conversion), and the sum or the difference of the two numbers used as the key of the hash function; this is decided according to the actual situation and the invention is not limited in this respect.
Step S203, the main control board issues the public network IP address and the port number to the engine board corresponding to the function value.
For example, for the public network IP address 1.0.0.1, whose dynamic ports are 1024 to 65535, the main control board evaluates the preset function over each of these dynamic ports. If the function value computed from 1.0.0.1 and port 1025 corresponds to engine board 1, and the value computed from 1.0.0.1 and port 1026 corresponds to engine board 2, the main control board issues (1.0.0.1, 1025) to engine board 1 and (1.0.0.1, 1026) to engine board 2, and so on until every port of that address has been issued; the remaining public network IP addresses are processed in the same way.
When the interface board performs forward data stream forwarding inside the distributed firewall, in another embodiment of the present invention, as shown in fig. 4, the data stream forwarding method may include the following steps:
in step S301, the interface board receives a forward data stream.
In the embodiment of the present invention, the forward data stream is a data stream sent from an intranet to a public network.
Step S302, the interface board determines a target interface among the plurality of output interfaces according to the target characteristic value of the forward data stream and a preset allocation function.
In the embodiment of the invention, the preset allocation function used to determine the target interface is the same as the preset allocation function used by the main control board to allocate the public network IP address, or the public network IP address and the port number, to the engine boards.
In this step, the interface board may first calculate the destination characteristic value of the forward data stream with the preset allocation function to obtain a function value, and then determine the output interface corresponding to that function value among the plurality of output interfaces as the target interface.
In an optional implementation manner, the destination characteristic value of the forward data stream may refer to a destination IP address in an IP quintuple of the forward data stream, and the destination IP address may be used as a key of the Hash function, and further, the interface board may calculate the destination IP address through the preset allocation function to obtain a function value.
In another optional implementation, the destination characteristic value of the forward data stream may also refer to the combination of the destination IP address and the destination port in the IP quintuple of the forward data stream. The combination of the destination IP address and the destination port number is then used as the key of the Hash function, and the interface board calculates that combination with the preset allocation function to obtain a function value. In practical application, the public network IP address and the port number may each be radix-converted (for example, the destination IP address and the port identifier may each be converted to decimal), and the sum or the difference of the two converted values may be used as the key of the Hash function; this may be decided according to the actual situation and is not limited by the present invention.
For example, if the calculated function value is 1, the output interface corresponding to 1 may be determined as the target interface; if the calculated function value is 2, the output interface corresponding to 2 may be determined as the target interface, and the like, and in practical application, the output interface may be adjusted according to the actual situation, and the present invention is not limited.
Step S303, the interface board forwards the forward data stream to the engine board connected to the target interface.
Illustratively, after the interface board receives the forward data stream, a destination IP address of the forward data stream may be extracted, the destination IP address is used as a key of a Hash function, a function value is obtained by calculation, then the function value is divided by the number of the engine boards to obtain a remainder, an output interface corresponding to the remainder is determined as a target interface, and then the interface board forwards the forward data stream to the engine boards connected to the target interface.
Based on the above, when the interface board forwards the forward data stream inside the distributed firewall, it only needs to select one target interface using the preset allocation function; since each target interface is connected to one engine board, this is equivalent to selecting the engine board inside the distributed firewall that will perform NAT conversion on the forward data flow.
When an interface board forwards a reverse data flow inside a distributed firewall (where a response to the forward data flow is the reverse data flow, and the reverse data flow is forwarded to an internal network via an external network), in another embodiment of the present invention, as shown in fig. 5, the data flow forwarding method may include the following steps:
Step S401, the interface board receives a reverse data stream in response to the forward data stream.
Step S402, if the destination characteristic value of the reverse data flow is determined to be a destination characteristic value pre-allocated by the main control board according to the preset allocation function, the interface board determines a target interface among the plurality of output interfaces according to the destination characteristic value of the reverse data flow and the same preset allocation function as the main control board.
In the embodiment of the invention, the preset allocation function used to determine the target interface is the same as the preset allocation function used by the main control board to allocate the public network IP address, or the public network IP address and the port number, to the engine boards.
In this step, the interface board may first calculate the destination characteristic value of the reverse data stream with the preset allocation function to obtain a function value, and then determine the output interface corresponding to that function value among the plurality of output interfaces as the target interface.
In practical applications, if the preset allocation function is a Hash function, in an optional implementation manner, the destination characteristic value of the reverse data stream may refer to a destination IP address in an IP quintuple of the reverse data stream, and the destination IP address may be used as a key of the Hash function, and further, the interface board may calculate the destination IP address through the preset allocation function to obtain a function value.
In another optional implementation, the destination characteristic value of the reverse data flow may also refer to the combination of the destination IP address and the destination port in the IP five-tuple of the reverse data flow. The destination IP address and the destination port number are then used together as the key of the Hash function, and the interface board calculates that key with the preset allocation function to obtain a function value.
The destination IP address and the destination port number are handled in the same manner in step S402 as in step S302, so the description of step S302 may be referred to and is not repeated here.
Step S403, the interface board forwards the reverse data stream to the engine board connected to the target interface.
Illustratively, after the interface board receives the reverse data stream, a destination IP address of the reverse data stream may be extracted, the destination IP address is used as a key of a Hash function, a function value is obtained by calculation, then the function value is divided by the number of the engine boards to obtain a remainder, an output interface corresponding to the remainder is determined as a target interface, and then the interface board forwards the reverse data stream to the engine board connected to the target interface.
In the embodiment of the present invention, the destination IP address of the reverse data stream received by the interface board is the same as the source IP address of the forward data stream, and that source IP address was obtained when the engine board performed NAT conversion on the forward data stream using the public network address pool; the destination IP address of the reverse data stream therefore comes from the public network address pool of the engine board (that is, it equals one of the public network IP addresses in that pool). In addition, the public network IP addresses in the public network address pool of the engine board were pre-allocated according to the function values calculated from each public network IP address with the preset allocation function, and the interface board uses the same preset allocation function that was used when the public network IP addresses were allocated. Consequently, the function value calculated from the destination IP address of the reverse data stream is always the same as the function value calculated from that public network IP address when it was allocated, the target interface determined from that function value is the same, and the reverse data flow is forwarded to the engine board that performed NAT conversion on the forward data flow, which ensures that the reverse data flow is processed by the engine board where the session table entry is located.
After the interface board forwards the forward data stream to the engine board, if the interface board receives the forward data stream after the NAT conversion from the engine board, the forward data stream after the NAT conversion can be forwarded to the external network; if the interface board receives the reverse data stream which is converted by the NAT and responds to the forward data stream from the engine board, the reverse data stream which is converted by the NAT can be forwarded to the internal network.
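The interface board side of steps S301 to S303 and S401 to S403, as an added Python example (not code from the patent or its assignee). It assumes the same preset allocation function as the main control board (a multiplicative hash of the integer key modulo the engine count, boards numbered from 1), a FiveTuple record for the IP quintuple, the InterfaceBoard class and the reverse_reaches_owner check, and a constructed pool; it also shows the check in step S402 that the destination of a reverse stream is a pre-allocated pool value before the allocation function is consulted. The reverse_reaches_owner function runs the argument given above over a whole pool, for either destination characteristic value, and for any engine-board count: because the interface board and the main control board share one function, the reverse stream's destination always names the board that owns it.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class FiveTuple:
    """IP five-tuple of a data stream (constructed for the example)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def allocation_function(key: int, engine_count: int) -> int:
    """Same preset allocation function as the main control board (assumed:
    multiplicative hash modulo the engine count, boards numbered from 1)."""
    return ((key * 2654435761) & 0xFFFFFFFF) % engine_count + 1


def feature_key(ip: str, port: int | None = None) -> int:
    """Destination characteristic value as an integer key: the radix-converted
    address, plus the port number in IP+port mode."""
    k = int(IPv4Address(ip))
    return k if port is None else k + port


class InterfaceBoard:
    """One output interface per engine board; `issued` lists the pool values the
    main control board pre-allocated (addresses, or (address, port) pairs)."""

    def __init__(self, engine_count: int, issued, use_port: bool):
        self.engine_count = engine_count
        self.issued = set(issued)
        self.use_port = use_port

    def _select(self, ip: str, port: int) -> int:
        key = feature_key(ip, port if self.use_port else None)
        # function value reduced by the number of engine boards; the remainder
        # names the output interface (illustration under step S303)
        return allocation_function(key, self.engine_count)

    def forward_target(self, ft: FiveTuple) -> int:
        """Step S302: the forward stream's destination (the extranet host) picks the interface."""
        return self._select(ft.dst_ip, ft.dst_port)

    def reverse_target(self, ft: FiveTuple) -> int | None:
        """Step S402: first confirm the destination is a pre-allocated pool value;
        only then is this the reverse stream of a NAT'd forward stream."""
        feature = (ft.dst_ip, ft.dst_port) if self.use_port else ft.dst_ip
        if feature not in self.issued:
            return None   # not a NAT reverse stream; ordinary forwarding applies
        return self._select(ft.dst_ip, ft.dst_port)


def reverse_reaches_owner(engine_count: int, pool: list[str], use_port: bool,
                          ports: range = range(1024, 1030)) -> bool:
    """Checks the property argued in the description: every pre-allocated value,
    seen as the destination of a reverse stream, selects the engine board the
    main control board issued it to. True when it holds for the whole pool."""
    if use_port:
        entries = [(ip, p) for ip in pool for p in ports]
    else:
        entries = [(ip, None) for ip in pool]
    board = InterfaceBoard(engine_count,
                           [e if use_port else e[0] for e in entries], use_port)
    for ip, port in entries:
        owner = allocation_function(feature_key(ip, port), engine_count)  # board it was issued to
        reply = FiveTuple("3.0.0.1", 80, ip, port if use_port else 10000)  # constructed reverse stream
        if board.reverse_target(reply) != owner:
            return False
    return True


if __name__ == "__main__":
    ib = InterfaceBoard(2, ["1.0.0.1", "1.0.0.2"], use_port=False)
    print(ib.forward_target(FiveTuple("2.0.0.1", 20000, "3.0.0.1", 80)))
    print(ib.reverse_target(FiveTuple("3.0.0.1", 80, "1.0.0.1", 10000)))
    print(reverse_reaches_owner(3, ["1.0.0.1", "1.0.0.2", "1.0.0.3"], use_port=True))
```

Note that the interface board does not need the per-board pool tables at all; it only needs the set of pre-allocated values and the function, which is what keeps the forwarding decision stateless.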
When the engine board receives the forward data stream, in another embodiment of the present invention, as shown in fig. 6, the data stream forwarding method may include the following steps:
step S501, an engine board receives a forward data stream;
Step S502, the engine board performs NAT (Network Address Translation) on the forward data stream by using a public network address pool, and establishes a session table entry.
In the embodiment of the present invention, an optional implementation manner is that a public network IP address is selected from a public network address pool; and converting the source IP address in the IP five-tuple of the forward data flow into a public network IP address.
Another optional implementation is that a public network IP address and a public network port are selected from the public network address pool; and converting the source IP address in the IP five-tuple of the forward data flow into a public network IP address, and converting the source port into a public network port.
According to the foregoing example, for the forward data stream of the intranet host accessing the extranet host, if engine board 1 performs the NAT conversion, the public network IP address can only be selected from the three addresses 1.0.0.1, 1.0.0.3 and 1.0.0.5. For example, 1.0.0.1 may be used first and, after all the public network ports of 1.0.0.1 are used up, 1.0.0.3 … may be used next; or an address may be selected randomly and, if it is already occupied, selected randomly again, and so on. The selection mode may be adjusted according to the actual situation and is not limited by the present invention. After the NAT conversion a session table entry is generated. For example, if the source IP address in the IP quintuple of the forward data stream is the intranet IP address 2.0.0.1 and the source port is the intranet port 20000, then after engine board 1 performs NAT conversion on the forward data stream the source IP address becomes the public network IP address 1.0.0.1 and the source port becomes 10000, and the following session table entry is established: 2.0.0.1:20000 -> 1.0.0.1:10000.
Step S503, the engine board sends the forward data stream after NAT conversion to the interface board.
When the engine board receives the reverse data stream, in another embodiment of the present invention, as shown in fig. 7, the data stream forwarding method may include the following steps:
in step S601, the engine board receives a reverse data stream in response to the forward data stream.
Step S602, the engine board performs NAT conversion on the reverse data flow by using a session table entry generated when performing NAT conversion on the forward data flow according to the public network address pool.
In the embodiment of the present invention, an optional implementation manner is that an intranet IP address corresponding to a destination IP address in an IP five-tuple of the reverse data stream is searched in the session table entry, and the destination IP address in the IP five-tuple of the reverse data stream is converted into the intranet IP address.
Another optional implementation manner is that an intranet IP address corresponding to a destination IP address in an IP quintuple of the reverse data stream and an intranet port corresponding to the destination port are searched in the session table entry; and converting the destination IP address in the IP quintuple of the reverse data flow into the intranet IP address, and converting the destination port into the intranet port.
Since the external network host can only learn the public network IP address and public network port of the internal network host from the forward data stream it is responding to (i.e. the source IP address and source port in the IP quintuple of the forward data stream), the destination IP address and destination port in the IP quintuple of the reverse data stream are filled with that public network IP address and public network port. Illustratively, when the extranet host 3.0.0.1 responds to the intranet host that accessed it (as described in step S107), the destination IP address in the IP quintuple of the reverse data stream will be 1.0.0.1 and the destination port will be 10000.
step S603, the engine board sends the reverse data stream after NAT conversion to the interface board.
In the embodiment of the invention, the engine board uses the public network address pool issued to it by the main control board according to the preset allocation function. When NAT conversion is performed on the forward data flow based on that pool, an address from the engine board's own NAT address pool is used and the NAT session table entry is created for that address. Therefore, when the reverse data flow responding to the forward data flow is received, the preset allocation function again forwards it to the engine board that performed NAT conversion on the forward data flow, which ensures that the engine board where the session table entry is located processes the reverse data flow.
In another embodiment of the present invention, a distributed firewall is further provided, where the firewall includes the main control board, the interface board, and the engine board in the foregoing embodiments. In order to facilitate understanding of the data stream forwarding method capable of forwarding the reverse data stream answering the forward data stream to the engine board where the session table entry is located, in the embodiment of the present invention, a processing procedure in the distributed firewall will be described from an overall perspective.
First, the main control board needs to allocate a public network IP address to each engine board in advance, and as shown in fig. 8A, the following description will take an example of allocating only a public network IP address to each engine board in advance.
Step S701, obtaining each public network IP address in an NAT public network address pool;
step S702, calculating the public network IP address to obtain a function value through a preset distribution function for each public network IP address;
and step S703, issuing the public network IP address to the engine board corresponding to the function value.
When an intranet needs to send a forward data stream to an extranet through a distributed firewall, the following steps may be referred to:
step S704, an interface board receives a forward data stream, wherein the forward data stream is a data stream sent from an internal network to a public network;
step S705, the interface board determines a target interface among the plurality of output interfaces according to a target characteristic value of the forward data stream and a preset allocation function, where the target characteristic value is a target IP address of the forward data stream.
Step S706, the interface board forwards the forward data stream to the engine board connected with the target interface; in FIG. 8A, engine board 1 is taken as an example;
step S707, the engine board receives a forward data stream, wherein the forward data stream is a data stream sent from the intranet to the public network;
step S708, the engine board performs NAT (Network Address Translation) on the forward data stream by using a public network address pool, and establishes a session table entry;
step S709, the engine board sends the forward data flow after NAT conversion to the interface board;
step S710, the interface board forwards the forward data flow which is received from the engine board and is converted by the NAT to the external network;
when the external network needs to send a reverse data stream to the internal network through the distributed firewall, the following steps may be referred to:
step S711, the interface board receives the reverse data stream in response to the forward data stream;
step S712, the interface board determines a target interface among the plurality of output interfaces according to the destination characteristic value of the reverse data stream and the preset allocation function, where the destination characteristic value is the destination IP address of the reverse data stream;
step S713, the interface board forwards the reverse data flow to the engine board connected with the target interface, where the preset allocation function used to determine the target interface is the same as the preset allocation function used by the main control board to allocate the public network IP addresses;
the preset distribution functions are the same, which means that the input conditions of the distribution functions and the distribution functions are the same. For example, if the main control board performs a hash operation on the public network IP address by using the method shown in fig. 8A, and issues the public network IP address to the engine board corresponding to the function value, the interface board determines the target interface according to the destination IP address of the reverse data stream when receiving the reverse data stream; namely, the input condition is the public network IP address (destination IP address), and the adopted functions are all the same hash functions.
Step S714, the engine board receives the reverse data flow in response to the forward data flow;
step S715, the engine board performs NAT conversion on the reverse data flow by using a session table entry generated when the NAT conversion is performed on the forward data flow according to the public network address pool, wherein the forward data flow is a data flow sent from an internal network to a public network;
step S716, the engine board sends the reverse data flow after NAT conversion to the interface board;
in step S717, the interface board forwards the reverse data stream received from the engine board after the NAT conversion to the intranet.
Therefore, the reverse data flow can be forwarded to the engine board for NAT conversion of the forward data flow, and the reverse data flow is ensured to be processed by the engine board where the session table entry is located.
In another embodiment of the present invention, a distributed firewall is further provided, where the firewall includes the main control board, the interface board, and the engine board in the foregoing embodiments. In order to facilitate understanding of the data stream forwarding method capable of forwarding the reverse data stream answering the forward data stream to the engine board where the session table entry is located, in the embodiment of the present invention, a processing procedure in the distributed firewall will be described from an overall perspective.
First, the main control board needs to allocate a public network IP address and a port number corresponding to each public network IP address to each engine board in advance, and as shown in fig. 8B, the following description will take an example of allocating a public network IP address + a port number to each engine board in advance.
Step S801, acquiring each public network IP address in an NAT public network address pool and a plurality of port numbers corresponding to each public network IP address;
step S802, calculating the public network IP address and the port number respectively through a preset distribution function to obtain a function value for each public network IP address and each port number corresponding to the public network IP address;
step S803, the public network IP address and the port number are issued to the engine board corresponding to the function value.
When an intranet needs to send a forward data stream to an extranet through a distributed firewall, the following steps may be referred to:
step S804, an interface board receives a forward data stream, wherein the forward data stream is a data stream sent from an internal network to a public network;
step S805, the interface board determines a target interface among the multiple output interfaces according to the destination characteristic value of the forward data stream and a preset allocation function, where the destination characteristic value is a destination IP address and a destination port number of the forward data stream.
Step S806, the interface board forwards the forward data flow to the engine board connected with the target interface; in FIG. 8A, engine board 1 is taken as an example;
step S807, the engine board receives a forward data stream, wherein the forward data stream is a data stream sent from an internal network to a public network;
step S808, the engine board performs NAT (Network Address Translation) on the forward data stream by using a public network address pool, and establishes a session table entry;
step S809, the engine board sends the forward data flow after NAT conversion to the interface board;
step S810, the interface board forwards the forward data flow which is received from the engine board and is converted by the NAT to the external network;
when the external network needs to send a reverse data stream to the internal network through the distributed firewall, the following steps may be referred to:
step S811, the interface board receives the reverse data stream in response to the forward data stream;
step S812, the interface board determines a target interface among the plurality of output interfaces according to the destination characteristic value of the reverse data stream and the preset allocation function, where the destination characteristic value is the destination IP address and the destination port number of the reverse data stream;
step S813, the interface board forwards the reverse data flow to the engine board connected with the target interface, where the preset allocation function used to determine the target interface is the same as the preset allocation function used by the main control board to allocate the public network IP addresses;
the preset distribution functions are the same, which means that the input conditions of the distribution functions and the distribution functions are the same. For example, if the main control board performs hash operation on the public network IP address and port, and issues the public network IP address and port number to the engine board corresponding to the function value, then correspondingly, when the interface board receives the reverse data stream, the interface board determines the target interface according to the destination IP address and destination port of the reverse data stream, that is, the input condition is the public network IP address and port number (destination IP address and destination port number), and the adopted functions are all the same hash functions.
Step S814, the engine board receives the reverse data stream in response to the forward data stream;
step S815, the engine board performs NAT conversion on the reverse data stream by using a session table entry generated when performing NAT conversion on the forward data stream according to the public network address pool, where the forward data stream is a data stream sent from an internal network to a public network;
step S816, the engine board sends the reverse data flow after NAT conversion to the interface board;
step S817, the interface board forwards the reverse data flow received from the engine board after NAT conversion to the intranet.
Therefore, the reverse data flow can be forwarded to the engine board for NAT conversion of the forward data flow, and the reverse data flow is ensured to be processed by the engine board where the session table entry is located.
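The engine board steps S501 to S603 above and the two overall walkthroughs of FIG. 8A (address only) and FIG. 8B (address and port), simulated end to end in Python as an added example that is not code from the patent or its assignee. Assumed here: the preset allocation function (a multiplicative hash of the integer key modulo the engine count, boards numbered from 1), the FiveTuple, EngineBoard and DistributedFirewall names, a constructed pool of four addresses with four ports each, and sequential selection from the issued pool entries. The round_trip function runs the scenario from the description (intranet host 2.0.0.1:20000 reaching extranet host 3.0.0.1) in either mode; under these assumptions the forward stream leaves as 1.0.0.1:10000 in IP+port mode, matching the session table entry example above, and in both modes the reply is routed to the engine board that holds the session.

```python
from __future__ import annotations
from collections import deque
from dataclasses import dataclass, replace
from ipaddress import IPv4Address


@dataclass(frozen=True)
class FiveTuple:
    """IP five-tuple of a data stream (constructed for the example)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def allocation_function(key: int, engine_count: int) -> int:
    """Preset allocation function shared by all boards (assumed: multiplicative
    hash modulo the engine count; boards are numbered from 1)."""
    return ((key * 2654435761) & 0xFFFFFFFF) % engine_count + 1


def feature_key(ip: str, port: int | None) -> int:
    """Radix-converted address, plus the port number in IP+port mode."""
    k = int(IPv4Address(ip))
    return k if port is None else k + port


class EngineBoard:
    """Holds the pool entries the main control board issued and the session table."""

    def __init__(self, board_id: int, issued: list[tuple[str, int | None]], use_port: bool):
        self.board_id = board_id
        self.free = deque(issued)        # used in issue order (1.0.0.1 first, as in the text)
        self.use_port = use_port
        self.sessions: dict[tuple[str, int | None], tuple[str, int]] = {}

    def nat_forward(self, ft: FiveTuple) -> FiveTuple:
        """Steps S708 / S808: rewrite the source with a pool entry, record the session."""
        if not self.free:
            raise RuntimeError(f"engine board {self.board_id}: public network pool exhausted")
        pub_ip, pub_port = self.free.popleft()
        new_port = pub_port if self.use_port else ft.src_port   # IP-only mode keeps the port
        self.sessions[(pub_ip, pub_port)] = (ft.src_ip, ft.src_port)
        return replace(ft, src_ip=pub_ip, src_port=new_port)

    def nat_reverse(self, ft: FiveTuple) -> FiveTuple:
        """Steps S715 / S815: look the destination up in the session table and rewrite it."""
        key = (ft.dst_ip, ft.dst_port if self.use_port else None)
        intra_ip, intra_port = self.sessions[key]       # KeyError: no session on this board
        return replace(ft, dst_ip=intra_ip, dst_port=intra_port if self.use_port else ft.dst_port)


class DistributedFirewall:
    """Main control board allocation, interface board selection and the engine boards."""

    def __init__(self, pool: list[str], engine_count: int, use_port: bool,
                 ports: range = range(10000, 10004)):
        self.engine_count, self.use_port = engine_count, use_port
        # Steps S701-S703 / S801-S803: issue every pool value by its function value
        entries = [(ip, p) for ip in pool for p in ports] if use_port else [(ip, None) for ip in pool]
        issued = {b: [] for b in range(1, engine_count + 1)}
        for ip, port in entries:
            issued[allocation_function(feature_key(ip, port), engine_count)].append((ip, port))
        self.engines = {b: EngineBoard(b, issued[b], use_port) for b in issued}
        self.issued = set(entries)       # the interface board knows which values were pre-allocated

    def _target(self, ft: FiveTuple) -> int:
        # Steps S705 / S712 (IP mode) and S805 / S812 (IP+port mode): destination-based selection
        return allocation_function(feature_key(ft.dst_ip, ft.dst_port if self.use_port else None),
                                   self.engine_count)

    def forward(self, ft: FiveTuple) -> tuple[int, FiveTuple]:
        """Steps S704-S710: returns the engine board used and the stream sent to the extranet."""
        board = self._target(ft)
        return board, self.engines[board].nat_forward(ft)

    def reverse(self, ft: FiveTuple) -> tuple[int, FiveTuple]:
        """Steps S711-S717: returns the engine board used and the stream sent to the intranet."""
        if (ft.dst_ip, ft.dst_port if self.use_port else None) not in self.issued:
            raise ValueError("destination was not pre-allocated by the main control board")
        board = self._target(ft)
        return board, self.engines[board].nat_reverse(ft)


def round_trip(use_port: bool) -> tuple[bool, FiveTuple, FiveTuple]:
    """Constructed scenario from the description: intranet host 2.0.0.1:20000 reaches
    extranet host 3.0.0.1:80 and the reply comes back. Returns whether both directions
    hit the same engine board, the NAT'd forward stream and the NAT'd reply."""
    fw = DistributedFirewall(["1.0.0.1", "1.0.0.2", "1.0.0.3", "1.0.0.4"], 2, use_port)
    out_board, out = fw.forward(FiveTuple("2.0.0.1", 20000, "3.0.0.1", 80))
    reply = FiveTuple(out.dst_ip, out.dst_port, out.src_ip, out.src_port)   # extranet answers the public address
    back_board, back = fw.reverse(reply)
    return out_board == back_board, out, back


if __name__ == "__main__":
    for mode in (False, True):
        same, out, back = round_trip(mode)
        print("IP+port" if mode else "IP only", "same board:", same, out, back)
```

The simulation deliberately gives each engine board only the pool entries issued to it and makes nat_reverse fail on a missing session: if an interface board ever used a different function from the main control board, the reply would reach a board without the session entry and the lookup would fail rather than silently succeed.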
In another embodiment of the present invention, as shown in fig. 9, there is also provided a data stream forwarding apparatus, and the apparatus provided in the embodiment of the present invention achieves the same principle and produces the same technical effects as those of the foregoing method embodiment, and for the sake of brief description, reference may be made to corresponding contents in the foregoing method embodiment where no part of the apparatus embodiment is mentioned. The device comprises:
the first obtaining module 11 is configured to obtain public network IP addresses in the NAT public network address pool;
the first calculation module 12 is configured to calculate, for each public network IP address, a function value from the public network IP address through a preset allocation function;
and the first issuing module 13 is configured to issue the public network IP address to the engine board corresponding to the function value.
In another embodiment of the present invention, as shown in fig. 10, there is also provided a data stream forwarding apparatus, and the apparatus provided in the embodiment of the present invention achieves the same principle and produces the same technical effects as those of the foregoing method embodiment, and for the sake of brief description, reference may be made to corresponding contents in the foregoing method embodiment where no part of the apparatus embodiment is mentioned. The device comprises:
the second obtaining module 21 is configured to obtain public network IP addresses in the NAT public network address pool and a plurality of port numbers corresponding to each public network IP address;
the second calculation module 22 is configured to calculate, for each public network IP address and each port number corresponding to the public network IP address, the public network IP address and the port number through a preset allocation function, respectively, to obtain a function value;
and a second issuing module 23, configured to issue the public network IP address and the port number to an engine board corresponding to the function value.
In another embodiment of the present invention, as shown in fig. 11, there is also provided a data stream forwarding apparatus, and the apparatus provided in the embodiment of the present invention achieves the same principle and produces the same technical effects as those of the foregoing method embodiment, and for the sake of brief description, reference may be made to corresponding contents in the foregoing method embodiment where no part of the apparatus embodiment is mentioned. The device comprises:
a first receiving module 31, configured to receive a reverse data stream in response to a forward data stream, where the forward data stream is a data stream sent from an intranet to a public network;
a first determining module 32, configured to determine, if it is determined that the destination characteristic value of the reverse data flow is a destination characteristic value pre-allocated by the main control board according to a preset allocation function, a target interface among the plurality of output interfaces according to the destination characteristic value of the reverse data flow and by using the preset allocation function that is the same as that of the main control board;
a first forwarding module 33, configured to forward the reverse data flow to an engine board connected to the target interface.
In yet another embodiment of the present invention, the apparatus further comprises:
the second receiving module is used for receiving the forward data stream;
the second determining module is used for determining a target interface in the plurality of output interfaces according to the target characteristic value of the forward data stream and a preset distribution function;
and the second forwarding module is used for forwarding the forward data stream to an engine board connected with the target interface.
In another embodiment of the present invention, the first determining module 32 includes:
the first calculation unit is used for calculating the target characteristic value of the reverse data flow through a preset distribution function to obtain a function value;
and the determining unit is used for determining an output interface corresponding to the function value in the plurality of output interfaces as a target interface.
In still another embodiment of the present invention, the destination characteristic value includes: a destination IP address in an IP quintuple of the reverse data flow;
the preset allocation function is a Hash function, and the first computing unit is further configured to:
taking the target IP address as a key of the Hash function, and calculating to obtain a function value;
or,
a combination of a destination IP address and a destination port in an IP quintuple of the reverse data flow;
the preset allocation function is a Hash function, and the first computing unit is further configured to:
and taking the destination IP address and the destination port number as keys of the Hash function, and calculating to obtain a function value.
In another embodiment of the present invention, as shown in fig. 12, there is also provided a data stream forwarding apparatus, and the apparatus provided in the embodiment of the present invention achieves the same principle and produces the same technical effects as those of the foregoing method embodiment, and for the sake of brief description, reference may be made to corresponding contents in the foregoing method embodiment where no part of the apparatus embodiment is mentioned. The device comprises:
a third receiving module 41, configured to receive a forward data stream, where the forward data stream is a data stream sent from an intranet to a public network;
the first NAT conversion module 42 is configured to perform NAT for the forward data stream by using a public network address pool, and establish a session table entry;
and a first sending module 43, configured to send the forward data stream after NAT conversion to the interface board.
In yet another embodiment of the present invention, the apparatus further comprises:
a fourth receiving module, configured to receive a reverse data stream in response to the forward data stream;
the second NAT conversion module is used for carrying out NAT conversion on the reverse data flow by utilizing the session table entry;
and the second sending module is used for sending the reverse data flow after NAT conversion to the interface board.
In another embodiment of the present invention, the second NAT translation module is further configured to:
searching an intranet IP address corresponding to a target IP address in the IP quintuple of the reverse data flow in the session table entry, and converting the target IP address in the IP quintuple of the reverse data flow into the intranet IP address;
the first NAT translation module 42 is further configured to:
selecting a public network IP address in the public network address pool; and converting the source IP address in the IP five-tuple of the forward data flow into the public network IP address.
In another embodiment of the present invention, the second NAT translation module is further configured to:
searching an intranet IP address corresponding to a target IP address in an IP five-tuple of the reverse data stream and an intranet port corresponding to the target port in the session table entry, converting the target IP address into the intranet IP address, and converting the target port into the intranet port;
the first NAT translation module 42 is further configured to:
selecting a public network IP address and a public network port in the public network address pool; and converting the source IP address in the IP five-tuple of the forward data flow into the public network IP address, and converting the source port into the public network port.
In another embodiment of the present invention, an embodiment of the present invention further provides a main control board, which includes a memory and a processor, where the memory stores a computer program that can be executed on the processor, and the processor executes the computer program to implement the steps of the method described in the above method embodiment applied to the main control board.
In another embodiment of the present invention, an embodiment of the present invention further provides an interface board, which includes a memory and a processor, where the memory stores a computer program operable on the processor, and the processor executes the computer program to implement the steps of the method described in the method embodiment applied to the interface board.
In another embodiment of the present invention, an embodiment of the present invention further provides an engine board, including a memory and a processor, where the memory stores therein a computer program executable on the processor, and the processor executes the computer program to implement the steps of the method described in the method embodiment applied to the engine board.
There is also provided a distributed firewall, comprising: the main control board according to the foregoing embodiment, the interface board according to the foregoing embodiment, and a plurality of engine boards according to the foregoing embodiments.
In a further embodiment of the invention, a computer-readable medium is also provided having non-volatile program code executable by a processor, the program code causing the processor to perform the steps of the method described in the above method embodiment.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The data stream forwarding method, apparatus and computer program product of the electronic device provided in the embodiments of the present invention include a computer-readable storage medium storing a program code, where instructions included in the program code may be used to execute the method described in the foregoing method embodiments, and specific implementation may refer to the method embodiments, and will not be described herein again.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the system and the apparatus described above may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In addition, in the description of the embodiments of the present invention, unless otherwise explicitly specified or limited, the terms "mounted," "connected," and "connected" are to be construed broadly, e.g., as meaning either a fixed connection, a removable connection, or an integral connection; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meanings of the above terms in the present invention can be understood in specific cases to those skilled in the art.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
In the description of the present invention, it should be noted that the terms "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner", "outer", etc., indicate orientations or positional relationships based on the orientations or positional relationships shown in the drawings, and are only for convenience of description and simplicity of description, but do not indicate or imply that the device or element being referred to must have a particular orientation, be constructed and operated in a particular orientation, and thus, should not be construed as limiting the present invention. Furthermore, the terms "first," "second," and "third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
Finally, it should be noted that: the above-mentioned embodiments are only specific embodiments of the present invention, which are used for illustrating the technical solutions of the present invention and not for limiting the same, and the protection scope of the present invention is not limited thereto, although the present invention is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that: any person skilled in the art can modify or easily conceive the technical solutions described in the foregoing embodiments or equivalent substitutes for some technical features within the technical scope of the present disclosure; such modifications, changes or substitutions do not depart from the spirit and scope of the embodiments of the present invention, and they should be construed as being included therein. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (13)

1. A data stream forwarding method is applied to a main control board in a distributed firewall, and comprises the following steps:
acquiring each public network IP address in an NAT public network address pool;
for each public network IP address, calculating the public network IP address through a preset distribution function to obtain a function value; the preset distribution function is a Hash function; the function value is obtained by taking the public network IP address as a key of a Hash function and performing Hash operation by using the number of engine boards in the distributed firewall;
and issuing the public network IP address to an engine board corresponding to the function value.
2. A data stream forwarding method is applied to a main control board in a distributed firewall, and comprises the following steps:
acquiring each public network IP address in an NAT public network address pool and a plurality of port numbers corresponding to each public network IP address;
for each public network IP address and each port number corresponding to the public network IP address, calculating the public network IP address and the port number respectively through a preset distribution function to obtain a function value; the preset distribution function is a Hash function; the function value is obtained by taking the public network IP address and each port number corresponding to the public network IP address as a key of a Hash function and performing Hash operation by using the number of engine boards in the distributed firewall;
and issuing the public network IP address and the port number to an engine board corresponding to the function value.
3. A data flow forwarding method is applied to an interface board in a distributed firewall, the distributed firewall further comprises a plurality of engine boards which are respectively connected with output interfaces of the interface board, and the method comprises the following steps:
receiving a reverse data stream responding to a forward data stream, wherein the forward data stream is a data stream sent from an internal network to a public network;
if the target characteristic value of the reverse data flow is determined to be a target characteristic value pre-distributed by a main control board according to a preset distribution function, determining a target interface in a plurality of output interfaces according to the target characteristic value of the reverse data flow and the preset distribution function which is the same as the main control board; the destination characteristic value of the reverse data flow is a destination IP address in an IP quintuple of the reverse data flow, or the destination characteristic value of the reverse data flow is a combination of the destination IP address and a destination port in the IP quintuple of the reverse data flow; the preset distribution function is a Hash function; the destination characteristic value comprises: a destination IP address in an IP quintuple of the reverse data flow; the preset distribution function is a Hash function, and the calculating the target characteristic value of the reverse data flow through the preset distribution function to obtain a function value includes: taking the target IP address as a key of the Hash function, and calculating to obtain a function value; the function value is obtained by taking the public network IP address as a key of a Hash function and performing Hash operation by using the number of engine boards in the distributed firewall; or, a combination of a destination IP address and a destination port in an IP quintuple of the reverse data flow; the preset distribution function is a Hash function, and the calculating the target characteristic value of the reverse data flow through the preset distribution function to obtain a function value includes: taking the destination IP address and the destination port number as keys of the Hash function, and calculating to obtain a function value; the function value is obtained by taking the public network IP address and each port number corresponding to the public network IP address as a key of a Hash function and performing Hash operation by using the number of engine boards in the distributed firewall;
and forwarding the reverse data flow to an engine board connected with the target interface.
4. The data stream forwarding method of claim 3, wherein the method further comprises:
receiving a forward data stream;
determining a target interface in a plurality of output interfaces according to the target characteristic value of the forward data stream and the Hash function; the destination characteristic value of the forward data flow is a destination IP address in an IP quintuple of the forward data flow; or, the destination characteristic value of the forward data flow is a combination of a destination IP address and a destination port in an IP quintuple of the forward data flow;
and forwarding the forward data flow to an engine board connected with the target interface.
5. The method of claim 3, wherein determining a target interface among the plurality of output interfaces according to the destination characteristic value of the reverse data stream and a predetermined allocation function comprises:
calculating the target characteristic value of the reverse data flow through the Hash function to obtain a function value;
and determining an output interface corresponding to the function value in the plurality of output interfaces as a target interface.
6. A data flow forwarding method is characterized in that the method is applied to an engine board in a distributed firewall, public network IP addresses in a public network address pool in the engine board are pre-allocated by a main control board according to function values obtained by calculation of preset allocation functions, and the preset allocation functions comprise Hash functions; the function value is obtained by taking the public network IP address as a key of a Hash function and performing Hash operation by using the number of engine boards in the distributed firewall; or the function value is obtained by taking the public network IP address and each port number corresponding to the public network IP address as a key of a Hash function and performing Hash operation by using the number of engine boards in the distributed firewall;
the method comprises the following steps:
receiving a forward data stream, wherein the forward data stream is a data stream sent from an intranet to a public network;
performing Network Address Translation (NAT) on the forward data stream by using a public network address pool, and establishing a session table entry;
and sending the forward data flow after NAT conversion to an interface board.
7. The data stream forwarding method of claim 6, wherein the method further comprises:
receiving a reverse data stream acknowledging the forward data stream;
performing NAT translation on the reverse data flow by using the session table entry;
and sending the reverse data flow after NAT conversion to an interface board.
8. The method of claim 7, wherein performing NAT translation on the reverse data flow using a session table entry generated when performing NAT translation on the forward data flow according to the public network address pool comprises:
searching an intranet IP address corresponding to a target IP address in the IP quintuple of the reverse data flow in the session table entry, and converting the target IP address in the IP quintuple of the reverse data flow into the intranet IP address;
then, the performing network address translation NAT on the forward data stream by using the public network address pool includes:
selecting a public network IP address in the public network address pool; and converting the source IP address in the IP five-tuple of the forward data flow into the public network IP address.
9. The method of claim 7, wherein performing NAT translation on the reverse data flow using a session table entry generated when performing NAT translation on the forward data flow according to the public network address pool comprises:
searching an intranet IP address corresponding to a target IP address in an IP quintuple of the reverse data stream and an intranet port corresponding to a target port in the session table entry, converting the target IP address into the intranet IP address, and converting the target port into the intranet port;
then, the performing network address translation NAT on the forward data stream by using the public network address pool includes:
selecting a public network IP address and a public network port in the public network address pool; and converting the source IP address in the IP five-tuple of the forward data flow into the public network IP address, and converting the source port into the public network port.
10. A main control board, comprising a memory and a processor, wherein the memory stores a computer program operable on the processor, and the processor executes the computer program to implement the steps of the method of claim 1 or 2.
11. An interface board comprising a memory and a processor, the memory having stored thereon a computer program operable on the processor, the processor implementing the steps of the method according to any one of claims 3 to 5 when executing the computer program.
12. An engine board, comprising a memory and a processor, wherein the memory stores a computer program operable on the processor, and the processor executes the computer program to perform the steps of the method according to any one of claims 6 to 9.
13. A distributed firewall, comprising: the master control board of claim 10, the interface board of claim 11, and the plurality of engine boards of claim 12;
the preset distribution function adopted by the target interface determined in the interface board is the same as the preset distribution function adopted by the main control board for distributing the public network IP address.
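The pool sharding of claims 1 to 3 (hash of the public IP, or IP and port, reduced by the number of engine boards), the interface-board dispatch of claims 3 to 5, and the session-table translation of the apparatus embodiment and claims 6 to 9, as an added Python simulation that is not part of the patent or of any H3C code. The board classes, SHA-256 as the concrete hash, the pool 203.0.113.x with ports 40000 to 40063, and the intranet and server hosts are all constructed assumptions; the page only specifies "a Hash function" keyed on the public IP (and port) and reduced by the engine-board count.

```python
"""Constructed simulation of the hash-distributed NAT scheme on this page.
Not the patent's or H3C's code; class names, SHA-256 as the hash function,
and every address and port below are assumptions chosen for illustration."""
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class FiveTuple:
    """IP five-tuple as the page uses the term."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def distribution_function(ip, port, engine_count):
    """Preset distribution function of claims 2 and 3: public IP and port are
    the hash key, reduced by the number of engine boards. SHA-256 is an assumed
    choice; it is deterministic on every board, unlike Python's per-process hash()."""
    digest = hashlib.sha256(f"{ip}:{port}".encode()).digest()
    return int.from_bytes(digest[:8], "big") % engine_count


class EngineBoard:
    """Holds the pool slice issued by the main control board, translates
    addresses and keeps the session table (claims 6 to 9)."""

    def __init__(self, index):
        self.index = index
        self.pool = []      # (public IP, public port) pairs issued to this board
        self.sessions = {}  # (public IP, public port) -> (intranet IP, intranet port)

    def install(self, public_ip, public_port):
        self.pool.append((public_ip, public_port))

    def nat_forward(self, flow):
        """Claim 9, forward direction: pick a free public IP/port from the local
        pool, rewrite the source and record the session entry."""
        free = [p for p in self.pool if p not in self.sessions]
        if not free:
            raise RuntimeError(f"engine board {self.index}: pool exhausted")
        pub_ip, pub_port = free[0]
        self.sessions[(pub_ip, pub_port)] = (flow.src_ip, flow.src_port)
        return FiveTuple(pub_ip, pub_port, flow.dst_ip, flow.dst_port, flow.proto)

    def nat_reverse(self, flow):
        """Claim 9, reverse direction: look the destination IP/port up in the
        session table and restore the intranet address. None means there is no
        session, so the packet is unsolicited and this simulation drops it."""
        entry = self.sessions.get((flow.dst_ip, flow.dst_port))
        if entry is None:
            return None
        in_ip, in_port = entry
        return FiveTuple(flow.src_ip, flow.src_port, in_ip, in_port, flow.proto)


class InterfaceBoard:
    """Output interface i is wired to engine board i (claim 3). Both directions
    are dispatched on destination IP and port with the same distribution
    function the main control board used (claims 3, 4 and 13)."""

    def __init__(self, engines):
        self.engines = engines

    def select_engine(self, flow):
        idx = distribution_function(flow.dst_ip, flow.dst_port, len(self.engines))
        return self.engines[idx]


class MainControlBoard:
    """Claim 2: hash every (public IP, port) pair of the NAT pool and issue it
    to the engine board whose index equals the function value."""

    def __init__(self, pool_ips, ports, engines):
        self.pool_ips, self.ports, self.engines = pool_ips, ports, engines

    def allocate(self):
        for ip in self.pool_ips:
            for port in self.ports:
                idx = distribution_function(ip, port, len(self.engines))
                self.engines[idx].install(ip, port)


def build_firewall(engine_count=3,
                   pool_ips=("203.0.113.10", "203.0.113.11",
                             "203.0.113.12", "203.0.113.13"),
                   ports=range(40000, 40064)):
    """Assemble the distributed firewall of claim 13 (constructed pool values)."""
    engines = [EngineBoard(i) for i in range(engine_count)]
    MainControlBoard(pool_ips, ports, engines).allocate()
    return InterfaceBoard(engines)


def pool_is_consistent(iface):
    """Every pair on a board must hash to that board's index; otherwise the
    interface board would steer replies to a board that holds no session."""
    n = len(iface.engines)
    return all(distribution_function(ip, port, n) == eng.index
               for eng in iface.engines for ip, port in eng.pool)


def forward_and_reply(iface, flow):
    """Send an intranet-to-public flow out and its reply back in. Returns the
    engine index used each way, the translated flow and the restored reply."""
    out_engine = iface.select_engine(flow)
    translated = out_engine.nat_forward(flow)
    reply = FiveTuple(translated.dst_ip, translated.dst_port,
                      translated.src_ip, translated.src_port, translated.proto)
    in_engine = iface.select_engine(reply)
    return out_engine.index, in_engine.index, translated, in_engine.nat_reverse(reply)
```

The property the whole design rests on is visible in `pool_is_consistent` and `forward_and_reply`: because the interface board keys the reverse flow on its destination IP and port with the very function the main control board used to shard the pool, the reply always reaches the engine board that created the session entry, so no session state has to be synchronised between boards. The same session lookup is also the stateful check: a packet addressed to a pool IP and port for which no forward flow exists finds no entry, and in this simulation it is dropped rather than forwarded into the intranet.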
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711245120.8A CN108011991B (en) 2017-11-30 2017-11-30 Data stream forwarding method, main control board, interface board, engine board and distributed firewall

Publications (2)

Publication Number Publication Date
CN108011991A CN108011991A (en) 2018-05-08
CN108011991B true CN108011991B (en) 2021-12-07

Family

ID=62055705

Country Status (1)

Country Link
CN (1) CN108011991B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant