CN112235436A - Network address translation rule matching method and equipment - Google Patents


Info

Publication number: CN112235436A
Authority: CN (China)
Prior art keywords: nat, message, configuration, rule, acceleration table
Legal status: Withdrawn
Application number: CN202011148411.7A
Other languages: Chinese (zh)
Inventor: 胡海林
Current Assignee: New H3C Security Technologies Co Ltd
Original Assignee: New H3C Security Technologies Co Ltd
Application filed by New H3C Security Technologies Co Ltd
Priority to CN202011148411.7A
Publication of CN112235436A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L61/2557 Translation policies or rules

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a network address translation rule matching method and equipment, wherein the method comprises the following steps: determining the NAT acceleration table entry corresponding to a received message according to the network protocol type of the message, the NAT acceleration table entry having been generated in advance according to the network protocol type, the configuration items and all NAT rules configured by the user; and matching the NAT rule corresponding to the message according to at least two configuration items of the message and the NAT acceleration table entry, then performing NAT translation on the message according to the matched NAT rule. By this scheme, the matching of large-specification NAT rule sets can be accelerated, the new-session performance of NAT equipment is improved, and the configuration specifications required by users can be met.

Description

Network address translation rule matching method and equipment
Technical Field
The present application relates to the field of network communication technologies, and in particular, to a method and an apparatus for matching network address translation rules.
Background
Network Address Translation (NAT) is a technology for solving the problem of exhaustion of IP address resources at present, and is also a transition technology from IPv4 to IPv6; NAT is used in most network environments. Traffic flows in and out at the boundary between the internal and external networks, so NAT technology comprises both source address translation and destination address translation.
With the increasing number of NAT rules configured in the NAT device by users, when a large number of users establish session connections through the NAT device at the same time, there is a great challenge on service processing performance. The traditional NAT rule matching method cannot meet the requirement of matching large-specification NAT rules, and aiming at the large-specification NAT rules, an acceleration method is adopted during message matching, so that the NAT rule matching speed can be effectively improved, and the smoothness of a network is ensured; otherwise, the matching process will be very long, resulting in a very long time for the user to establish session connection, and simultaneously occupying a large amount of CPU resources of the system.
For example, the conventional slow matching method traverses the rule linked list, comparing the original message against each matching condition in each list node; if all conditions of the current rule are met, that rule is matched, otherwise traversal continues. When the NAT rule specification reaches tens of thousands of rules, this traditional matching order means matching proceeds from beginning to end, item by item. If matching is performed in this order, the new-session performance of the device will be low.
Therefore, how to accelerate the matching of the large-size NAT rule is a technical problem to be solved urgently in the field.
Disclosure of Invention
The application aims to provide a network address translation rule matching method and equipment so as to accelerate large-specification NAT rule matching.
A first aspect of the present application provides a network address translation rule matching method, including:
determining an NAT acceleration table entry corresponding to a received message according to the network protocol type of the message; the NAT acceleration table entry is generated in advance according to the network protocol type, the configuration item and all NAT rules configured by the user;
and matching the NAT rule corresponding to the message according to the at least two configuration items of the message and the NAT acceleration table entry, and performing NAT conversion on the message according to the matched NAT rule.
A second aspect of the present application provides a network address translation device, including:
the determining module is used for determining the NAT acceleration table entry corresponding to the message according to the network protocol type of the received message; the NAT acceleration table entry is generated in advance according to the network protocol type, the configuration item and all NAT rules configured by the user;
and the matching module is used for matching the NAT rule corresponding to the message according to the at least two configuration items of the message and the NAT acceleration table item so as to perform NAT conversion on the message according to the matched NAT rule.
Compared with the prior art, the network address translation rule matching method and the device provided by the application determine the NAT acceleration table entry corresponding to the message according to the network protocol type of the received message, match the NAT rule corresponding to the message according to the at least two configuration items of the message and the NAT acceleration table entry, and perform NAT translation on the message according to the matched NAT rule. The NAT acceleration table entry in the scheme is generated in advance according to the network protocol type and configuration item of the message and all NAT rules configured by the user, and the hit speed of the NAT rules can be improved according to the statistical result, so that the scheme can accelerate the matching efficiency of large-specification NAT rules, improve the newly-built performance of NAT equipment and meet the requirements of user configuration specifications.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the application. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
fig. 1 illustrates a flow chart of a network address translation rule matching method provided by some embodiments of the present application;
FIG. 2 is a diagram illustrating a specific message rule matching process;
FIG. 3 is a flowchart illustrating a NAT acceleration table entry generation method;
FIG. 4 is a diagram illustrating the process of adding bitmaps for all configuration items to a red-black tree;
FIG. 5 shows a schematic diagram of a generated array of Bitmap pointers;
FIG. 6 is a schematic diagram of a Bitmap pointer array based matching process;
FIG. 7 is a diagram illustrating updating of NAT acceleration entries by a timer;
fig. 8 illustrates a schematic diagram of a network address translation device provided in some embodiments of the present application.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
It is to be noted that, unless otherwise specified, technical or scientific terms used herein shall have the ordinary meaning as understood by those skilled in the art to which this application belongs.
In addition, the terms "first" and "second", etc. are used to distinguish different objects, rather than to describe a particular order. Furthermore, the terms "include" and "have," as well as any variations thereof, are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements listed, but may alternatively include other steps or elements not listed, or inherent to such process, method, article, or apparatus.
With the increasing number of NAT rules configured in the NAT device by users, when a large number of users simultaneously establish a new session through the NAT device, there is a great challenge on service processing performance. The traditional NAT rule matching method cannot meet the requirement of matching large-specification NAT rules, and aiming at the large-specification NAT rules, an acceleration method is adopted during message matching, so that the NAT rule matching speed can be effectively improved, and the smoothness of a network is ensured; otherwise, the matching process will be very long, resulting in a very long time for the user to establish session connection, and simultaneously occupying a large amount of CPU resources of the system.
In view of this, embodiments of the present application provide a network address translation rule matching method and a network address translation device, which are described below with reference to the accompanying drawings.
Referring to fig. 1, a flowchart of a network address translation rule matching method provided in some embodiments of the present application is shown, as shown in the figure, the network address translation rule matching method is applied to a NAT device, and specifically includes the following steps:
step S101: determining an NAT acceleration table entry corresponding to a received message according to the network protocol type of the message; the NAT acceleration table entry is generated in advance according to the network protocol type, the configuration item and all NAT rules configured by the user;
step S102: and matching the NAT rule corresponding to the message according to the at least two configuration items of the message and the corresponding NAT acceleration table entry, and performing NAT conversion on the message according to the matched NAT rule.
In this embodiment, the configuration items of the packet may include a source address SIP, a destination address DIP, a source security domain, a destination security domain, and a service object. The service object may include: protocol, TCP source port, TCP destination port, UDP source port, UDP destination port, ICMP TYPE field TYPE, ICMP CODE field CODE, etc.
In this embodiment, the network protocol type of the packet may include: IPv4 network protocol and IPv6 network protocol. That is, the device may be a dual stack NAT device, and the received message may be an IPv4 message or an IPv6 message. In the method and the device, different NAT acceleration table entries are generated by counting different network protocol types, and when messages are matched, the corresponding NAT acceleration table entries are selected for acceleration matching according to the network protocol types of the messages.
In step S101, the NAT acceleration table entry corresponding to the received message is determined according to the network protocol type of the message. Specifically, if the received message is an IPv4 message, the IPv4 NAT acceleration table entry is selected; and if the received message is an IPv6 message, the IPv6 NAT acceleration table entry is selected.
In step S102, the NAT rule corresponding to the message is matched according to the at least two configuration items of the message and the corresponding NAT acceleration table entry.
Specifically, the NAT acceleration table entry may include bitmaps corresponding to at least two configuration items, where each bit in a bitmap corresponds to one NAT rule.
Step S102 may be specifically implemented as: searching a bitmap corresponding to each configuration item in at least two configuration items of the message in an NAT acceleration table item; and performing AND operation on the bitmap corresponding to each configuration item, and acquiring the NAT rule of the matched message according to the AND operation result.
For example, statistics are collected separately on which rules each SIP and each DIP configuration item appears in, and a corresponding bitmap is generated for each. When the rules for a message are matched, the first bitmap, corresponding to the SIP configuration item, is found according to the SIP in the message, and the second bitmap, corresponding to the DIP configuration item, is found according to the DIP in the message; an AND operation is performed on the two bitmaps, and the bits remaining in the result are found. The rules corresponding to those bits are the hit rules, since both configuration items are present in every rule corresponding to a remaining bit.
According to some embodiments of the present application, the obtaining of the NAT rule of the matching packet according to the operation result specifically includes:
if one bit is left in the operation result, the NAT rule corresponding to the bit is the NAT rule of the matched message;
and if a plurality of bits are left in the operation result, traversing other filtering conditions according to the configuration sequence of the NAT rule in the bitmap, and matching the NAT rule corresponding to the message from the NAT rules corresponding to the plurality of bits.
Wherein the other filtering condition may be a filtering condition set by a user, such as a priority.
In this embodiment, statistics is performed based on the configuration items of the message, the NAT acceleration table entries in which the NAT rules appear in each configuration item are counted, and the hit speed can be increased by matching the NAT rule corresponding to the message with the NAT acceleration table entry. Fig. 2 is a schematic diagram illustrating a specific message rule matching process.
Especially in a dual-stack environment, the user can configure NAT44 and NAT66 rules and can also configure NAT64 rules; when there are many rules on the current device, the corresponding NAT rule can be quickly matched for the original message through the NAT acceleration table entry, whether the message is IPv4 or IPv6.
IPv4 traffic may be matched to NAT44 or NAT64 (4to6) rules through the IPv4 acceleration table entries; likewise, IPv6 traffic is matched to NAT66 or NAT64 (6to4) rules through the IPv6 acceleration table entries.
Table 3 below is a verification test comparing the accelerated matching of the present application with the existing slow matching (w denotes 万, i.e. ten thousand):

Number of rules   Accelerated matching   Slow matching
1                 14.08w, CPU 90%        14.1w, CPU 86%
1000              14.08w, CPU 86%        9.6w, CPU 88%
10000             14.04w, CPU 88%        4.1w, CPU 86%

In conclusion, the advantage of the accelerated matching of the present application is that its matching efficiency, relative to slow matching, rises linearly as the number of rules in the specification grows.
The generation of the NAT acceleration table entry is described in detail below.
According to some embodiments of the present application, a NAT acceleration entry is generated in advance according to the network protocol type of the packet, the configuration entry, and all NAT rules configured by the user, as shown in fig. 3, the method may include the following steps:
step S201: selecting at least two configuration items of the corresponding message aiming at each network protocol type;
step S202: respectively counting the NAT rules in which each configuration item appears according to the NAT rule configuration sequence of the user, and generating a bitmap corresponding to the configuration items;
step S203: adding the bitmaps of all the configuration items into a red-black tree, and allocating a unique index to each bitmap to generate the NAT acceleration table item.
The red-black tree is a self-balancing binary search tree. Unlike an ordinary binary tree, each node of a red-black tree has a color attribute, either red or black. Besides the general requirements of a binary search tree, a red-black tree also has the following properties: each node is either black or red; the root node is black; each leaf (NIL) node is black; both children of each red node are black; and all paths from any node to its descendant leaves contain the same number of black nodes.
Specifically, the message network protocol types are different, the configuration items are different, and at least two configuration items can be selected as needed to construct the NAT acceleration table entry, for example, a bitmap of each configuration item is generated by statistics.
The statistics for the configuration items SIP and DIP are, for example, as follows:
rule 1: SIP 1.1.1.1 DIP 2.2.2.1;
rule 2: SIP 1.1.1.1-1.1.1.10 DIP 2.2.2.0/24
Count which rules each SIP element occurs in, as shown in table 1 below:

Table 1
Elements of SIP   Index of rule
1.1.1.1           0,1
1.1.1.2/1         1
1.1.1.4/3         1
1.1.1.8/1         1
1.1.1.10          1

Count which rules each DIP element occurs in, as shown in table 2 below:

Table 2
Elements of DIP   Index of rule
2.2.2.1           0,1
2.2.2.0/1         1
As described above, according to the NAT rule configuration sequence of the user, the bitmap corresponding to each configuration item is respectively counted. Bitmaps of all configuration items are then added to the red-black tree, and each bitmap is assigned a unique index to generate NAT acceleration entries.
Specifically, the process of adding the bitmaps of all the configuration items to the red-black Tree is generally shown in fig. 4, where, taking the SIP configuration items as an example, the SIP configuration in the rule is traversed, the SIP is put into an IP-BitTree (Bin Tree, binary Tree data structure), an RB-Tree (red-black Tree) is constructed according to the IP-BitTree, an IP-Trie (Trie Tree) is constructed according to the IP-BitTree, the IP-BitTree is released, and bitmap mapping is generated according to the RB-Tree.
In the application, the bitmaps of all configuration items are placed in the RB-Tree, and each bitmap is assigned a unique index; this index corresponds to the position of the bitmap in the Bitmap pointer array subsequently generated from the RB-Tree. The RB-Tree key is the bitmap itself, and when a bitmap generated from the IP-BitTree is put into the RB-Tree, the IP-BitTree records the RB-Tree index corresponding to that bitmap.
Fig. 5 is a schematic diagram of the generated Bitmap pointer array. Specifically, a Bitmap pointer array is generated according to the number of nodes in the RB-Tree. And traversing the RB-Tree, and assigning the corresponding Bitmap to the corresponding Bitmap pointer array element according to the index of the RB-Tree.
Fig. 6 is a schematic diagram of a matching process based on a Bitmap pointer array.
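As an added illustration, not code from the patent or from New H3C, the following Python puts steps S201 to S203, the per-element SIP/DIP statistics of tables 1 and 2, the unique bitmap index that the RB-Tree and Bitmap pointer array provide, and the AND-based matching of step S102 together in one runnable form. It generalizes the hand-made element split of table 1: the address space of each configuration item is cut into disjoint elementary intervals at every rule boundary, and each interval gets the bitmap of the rules covering it. The rule set, the packet fields and the `filter` callable (standing in for the "other filtering conditions", such as a priority, that the text says are checked when several bits remain) are constructed assumptions; a Python dict plays the RB-Tree's deduplication role, and each rule's SIP and DIP are assumed to lie in the same address family as the original packet (the NAT64 translation step itself is not modelled).

```python
import bisect
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed rule set (not from the patent's device): index 0 and 1 are rule 1 and
# rule 2 of the description; index 2 is an IPv6 rule so both family tables are exercised.
# The optional "filter" callable stands in for the "other filtering conditions"
# (such as a priority) that the text says are checked when several bits remain.
RULES = [
    {"sip": "1.1.1.1", "dip": "2.2.2.1", "filter": lambda p: p.get("proto") == "tcp"},
    {"sip": "1.1.1.1-1.1.1.10", "dip": "2.2.2.0/24"},
    {"sip": "2001:db8::/64", "dip": "2001:db8:1::1"},
]


def to_range(spec: str) -> Tuple[int, int, int]:
    """Turn '1.1.1.1', '1.1.1.1-1.1.1.10' or '2.2.2.0/24' into (ip_version, lo, hi)."""
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(s.strip()) for s in spec.split("-", 1))
        return lo.version, int(lo), int(hi)
    net = ipaddress.ip_network(spec, strict=False)
    return net.version, int(net.network_address), int(net.broadcast_address)


class ItemTable:
    """Acceleration table for one configuration item (SIP or DIP) of one protocol family.

    The address space is cut into disjoint elementary intervals at every rule boundary
    (the 'elements' of tables 1 and 2); each interval receives the bitmap of the rules
    covering it, bit n standing for rule n in configuration order. Identical bitmaps are
    stored once and referenced by a unique index, the role the RB-Tree and the Bitmap
    pointer array play in the description (a dict replaces the RB-Tree here).
    """

    def __init__(self, ranges: List[Tuple[int, int, int]]):
        # Interval i covers [starts[i], starts[i+1] - 1]; the last one is open-ended.
        self.starts: List[int] = sorted({p for _, lo, hi in ranges for p in (lo, hi + 1)})
        self.index_of: Dict[int, int] = {}    # bitmap value -> unique index
        self.bitmaps: List[int] = []           # the Bitmap pointer array
        self.interval_index: List[int] = []    # elementary interval -> bitmap index
        for start in self.starts:
            bm = 0
            for rule_no, lo, hi in ranges:
                if lo <= start <= hi:
                    bm |= 1 << rule_no
            if bm not in self.index_of:
                self.index_of[bm] = len(self.bitmaps)
                self.bitmaps.append(bm)
            self.interval_index.append(self.index_of[bm])

    def lookup(self, value: int) -> int:
        """Bitmap of every rule whose range contains value (0 when none does)."""
        i = bisect.bisect_right(self.starts, value) - 1
        return self.bitmaps[self.interval_index[i]] if i >= 0 else 0


class NatAccelerator:
    """One acceleration table per protocol family (step S101), holding a SIP and a DIP
    ItemTable built from all rules of that family (steps S201 to S203)."""

    def __init__(self, rules: List[dict]):
        self.rules = rules
        self.tables: Dict[int, Dict[str, ItemTable]] = {4: {}, 6: {}}
        for item in ("sip", "dip"):
            per_family: Dict[int, List[Tuple[int, int, int]]] = {4: [], 6: []}
            for rule_no, rule in enumerate(rules):
                version, lo, hi = to_range(rule[item])
                per_family[version].append((rule_no, lo, hi))
            for version, ranges in per_family.items():
                self.tables[version][item] = ItemTable(ranges)

    def candidates(self, packet: dict) -> int:
        """Step S102: pick the family table from the packet's SIP, look up one bitmap per
        configuration item and AND them; every remaining bit is a rule matching both items."""
        sip = ipaddress.ip_address(packet["sip"])
        dip = ipaddress.ip_address(packet["dip"])
        table = self.tables[sip.version]
        return table["sip"].lookup(int(sip)) & table["dip"].lookup(int(dip))

    def match(self, packet: dict) -> Optional[int]:
        """Index of the matched NAT rule, or None when no rule applies."""
        bm = self.candidates(packet)
        if bm == 0:
            return None
        if bm & (bm - 1) == 0:               # exactly one bit left: that rule is the match
            return bm.bit_length() - 1
        while bm:                            # several bits: walk them in configuration order
            rule_no = (bm & -bm).bit_length() - 1
            passes = self.rules[rule_no].get("filter", lambda _p: True)
            if passes(packet):
                return rule_no
            bm &= bm - 1                     # drop the lowest set bit and continue
        return None


if __name__ == "__main__":
    acc = NatAccelerator(RULES)
    print(acc.match({"sip": "1.1.1.1", "dip": "2.2.2.1", "proto": "udp"}))  # 1
```

The lookup cost per packet is one binary search per configuration item plus one AND, independent of the rule count, which is what table 3 shows; the price is paid at build time, where every rule is compared against every boundary, and that is the cost the timer-based regeneration described below is meant to amortize.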
In the application, NAT rule matching builds on the search efficiency of the red-black tree, which can perform search, insert and delete operations with time complexity O(log2(N)). Furthermore, any imbalance is resolved within 3 rotations. This is not available with data structures such as AVL trees (balanced binary search trees).
In practical application, when a configuration item set by a user changes, the acceleration table entry needs to be regenerated once again; when the number of configuration items is large, the speed of accelerating the generation of the table entry becomes slow. If the acceleration table entry needs to be created again every time the configuration is changed, especially under the condition of large flow, CPU and memory are consumed, and the current service processing is influenced, so that the function of a timer can be added, and the acceleration table entry is updated.
The logic of the timer, as shown in fig. 7: the callback function is executed every 1 s and checks whether there is a configuration change to be issued to the kernel. If there is, the acceleration command word is issued to the kernel, the acceleration table is rebuilt, the global configuration sequence number is incremented, and the global fast-forwarding table is cleared. After the kernel receives the acceleration command, it rebuilds the acceleration table; depending on the configuration issued by the user, either the acceleration table for the whole rule set is rebuilt or only that of a certain option. After a configuration change, the policy therefore does not take effect immediately; there is a certain delay.
Thus, in some embodiments of the present application, the above method may further comprise:
detecting whether a user changes the configuration item setting of the message or not at regular time; and if so, regenerating the NAT acceleration table entry according to the configuration item changed by the user.
Specifically, if all configuration items are changed, the whole NAT acceleration table entry is regenerated; and if the single configuration item changes the setting, regenerating the acceleration table of the single configuration item in the NAT acceleration table entry.
The method for matching network address translation rules provided in the embodiment of the present application determines the NAT acceleration table entry corresponding to the message according to the network protocol type of the received message, matches the NAT rule corresponding to the message according to the at least two configuration items of the message and the NAT acceleration table entry, and performs NAT translation on the message according to the matched NAT rule. The NAT acceleration table entry in the scheme is generated in advance according to the network protocol type and configuration item of the message and all NAT rules configured by the user, and the hit speed of the NAT rules can be improved according to the statistical result, so that the scheme can accelerate the matching efficiency of large-specification NAT rules, improve the newly-built performance of NAT equipment and meet the requirements of user configuration specifications.
In the foregoing embodiment, a network address translation rule matching method is provided, and correspondingly, the present application also provides a network address translation device. The network address translation device provided by the embodiment of the application can implement the network address translation rule matching method. Referring to fig. 8, a schematic diagram of a network address translation device according to some embodiments of the present application is shown. Since the apparatus embodiments are substantially similar to the method embodiments, they are described in a relatively simple manner, and reference may be made to some of the descriptions of the method embodiments for relevant points. The device embodiments described below are merely illustrative.
As shown in fig. 8, the network address translation device 10 may include:
a determining module 101, configured to determine, according to a network protocol type of a received message, an NAT acceleration table entry corresponding to the message; the NAT acceleration table entry is generated in advance according to the network protocol type, the configuration item and all NAT rules configured by the user;
and the matching module 102 is configured to match the NAT rule corresponding to the message according to the at least two configuration items of the message and the NAT acceleration table entry, so as to perform NAT conversion on the message according to the matched NAT rule.
In some implementations of the embodiment of the present application, the NAT acceleration entry includes a bitmap corresponding to the at least two configuration entries, and each bit in the bitmap corresponds to one NAT rule;
correspondingly, the matching module 102 is specifically configured to:
searching a bitmap corresponding to each configuration item in the at least two configuration items of the message in the NAT acceleration table item;
and performing AND operation on the bitmap corresponding to each configuration item, and acquiring the NAT rule matched with the message according to the AND operation result.
If one bit is left in the AND operation result, the NAT rule corresponding to the bit is the NAT rule matched with the message; and if a plurality of bits are left in the AND operation result, traversing other filtering conditions according to the configuration sequence of the NAT rules in the bitmap, and matching the NAT rules corresponding to the messages from the NAT rules corresponding to the plurality of bits.
In some implementations of embodiments of the present application, the apparatus 10 further comprises:
an acceleration table entry construction module configured to:
selecting at least two configuration items of the corresponding message aiming at each network protocol type;
respectively counting the NAT rules in which each configuration item appears according to the NAT rule configuration sequence of the user, and generating a bitmap corresponding to the configuration items;
adding the bitmaps of all the configuration items into a red-black tree, and allocating a unique index to each bitmap to generate the NAT acceleration table item.
In some implementations of the embodiments of the present application, the acceleration entry constructing module is further configured to:
detecting whether a user changes the configuration item setting of the message or not at regular time;
and if so, regenerating the NAT acceleration table entry according to the configuration item changed by the user.
In some implementations of the embodiment of the present application, the acceleration entry constructing module is further specifically configured to:
if all the configuration items are changed, regenerating the whole NAT acceleration table item;
and if the single configuration item changes the setting, regenerating the acceleration table of the single configuration item in the NAT acceleration table entry.
In some implementations of embodiments of the present application, the configuration items include: a source address, a destination address, a source security domain, a destination security domain, and a service object.
In some implementations of embodiments of the present application, the network protocol type includes: IPv4 network protocol and IPv6 network protocol.
The network address translation device provided by the above embodiment of the present application and the network address translation rule matching method provided by the embodiment of the present application have the same beneficial effects based on the same inventive concept.
Finally, it should be noted that: the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
The above embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; such modifications and substitutions do not depart from the spirit and scope of the present disclosure, and the present disclosure should be construed as being covered by the claims and the specification.

Claims (10)

1. A network address translation rule matching method is characterized by comprising the following steps:
determining a NAT acceleration table entry corresponding to a received message according to the network protocol type of the message; the NAT acceleration table entry is generated in advance according to the network protocol type, the configuration items and all NAT rules configured by the user;
and matching the NAT rule corresponding to the message according to the at least two configuration items of the message and the NAT acceleration table entry, and performing NAT conversion on the message according to the matched NAT rule.
2. The method of claim 1, wherein the NAT acceleration table entry includes bitmaps corresponding to the at least two configuration items, and each bit in a bitmap corresponds to one NAT rule;
the matching of the NAT rule corresponding to the message according to the at least two configuration items of the message and the NAT acceleration table entry comprises the following steps:
searching, in the NAT acceleration table entry, the bitmap corresponding to each configuration item in the at least two configuration items of the message;
and performing an AND operation on the bitmaps corresponding to each configuration item, and acquiring the NAT rule matched with the message according to the AND operation result.
3. The method of claim 2, wherein the obtaining the NAT rule matching the message according to the AND operation result comprises:
if a single bit is left in the AND operation result, the NAT rule corresponding to that bit is the NAT rule matched with the message;
and if a plurality of bits are left in the AND operation result, traversing the other filtering conditions according to the configuration sequence of the NAT rules in the bitmap, and matching the NAT rule corresponding to the message from among the NAT rules corresponding to the plurality of bits.
4. The method of claim 1, wherein generating the NAT acceleration table entry in advance, by counting, according to the network protocol type, the configuration items and all NAT rules configured by the user comprises:
selecting, for each network protocol type, at least two configuration items of the corresponding message;
respectively counting, according to the NAT rule configuration sequence of the user, the NAT rules in which each configuration item appears, and generating a bitmap corresponding to each configuration item;
adding the bitmaps of all the configuration items into a red-black tree, and allocating a unique index to each bitmap, to generate the NAT acceleration table entry.
5. The method of claim 4, further comprising:
periodically detecting whether the user has changed the configuration item setting of the message;
and if so, regenerating the NAT acceleration table entry according to the configuration item changed by the user.
6. The method of claim 5, wherein the regenerating the NAT acceleration table entry according to the configuration item changed by the user comprises:
if all the configuration items are changed, regenerating the whole NAT acceleration table entry;
and if the setting of a single configuration item is changed, regenerating only the acceleration table of that single configuration item in the NAT acceleration table entry.
7. The method of any of claims 1-6, wherein the configuration items comprise: a source address, a destination address, a source security domain, a destination security domain, and a service object.
8. The method according to any of claims 1 to 6, wherein the network protocol type comprises: IPv4 network protocol and IPv6 network protocol.
9. A network address translation device, comprising:
the determining module is used for determining the NAT acceleration table entry corresponding to the message according to the network protocol type of the received message; the NAT acceleration table entry is generated in advance according to the network protocol type, the configuration item and all NAT rules configured by the user;
and the matching module is used for matching the NAT rule corresponding to the message according to the at least two configuration items of the message and the NAT acceleration table entry, so as to perform NAT conversion on the message according to the matched NAT rule.
10. The apparatus of claim 9, wherein the configuration item comprises: a source address, a destination address, a source security domain, a destination security domain, and a service object.
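Claims 1 to 7 describe the matching mechanism only in words. The following is a worked example added for this page, not code from the applicant: one acceleration table per network protocol type, a bitmap per configuration item value in which bit i stands for the i-th rule in the user's configuration order, an AND over the packet's five configuration items, the single-bit and multi-bit cases of claim 3, and the per-item regeneration of claim 6. Everything not on the page is an assumption: plain dicts replace the red-black tree and its indices, the address items are configured as prefixes and resolved by a linear scan, a rule that leaves an item unset is taken to match any value, and claim 3's "other filtering conditions" are modelled as a per-rule predicate (a destination port check in the sample rules). The rule set and packets are constructed using documentation address ranges.

```python
"""Bitmap-accelerated NAT rule matching: a constructed illustration of claims 1-7,
not the applicant's code. Rule i (in the user's configuration order) owns bit i of
every bitmap, so the lowest set bit of an AND result is the earliest configured rule."""
import dataclasses
import ipaddress
from typing import Callable, Dict, List, Optional

CONFIG_ITEMS = ("src_addr", "dst_addr", "src_zone", "dst_zone", "service")
ADDRESS_ITEMS = ("src_addr", "dst_addr")  # configured as prefixes; packets carry host addresses


@dataclasses.dataclass(frozen=True)
class NatRule:
    name: str
    proto: str                    # "ipv4" or "ipv6"
    match: Dict[str, str]         # config item -> value; an absent item means "any" (assumption)
    action: str                   # translation to apply (constructed label, not applied here)
    extra: Optional[Callable[[dict], bool]] = None  # claim 3's "other filtering condition"


class AccelTable:
    """One NAT acceleration table per protocol type (claim 1); dicts stand in for the tree."""

    def __init__(self, proto: str, rules: List[NatRule]):
        self.proto = proto
        self.rules = [r for r in rules if r.proto == proto]   # user's configuration order
        self.bitmaps: Dict[str, Dict[str, int]] = {}
        self.any_mask: Dict[str, int] = {}
        for item in CONFIG_ITEMS:
            self.rebuild_item(item)

    def rebuild_item(self, item: str) -> None:
        """Claim 4: for one item, record in configuration order which rules use each value."""
        by_value: Dict[str, int] = {}
        any_mask = 0
        for i, rule in enumerate(self.rules):
            value = rule.match.get(item)
            if value is None:
                any_mask |= 1 << i                 # rule does not constrain this item
            else:
                by_value[value] = by_value.get(value, 0) | (1 << i)
        self.bitmaps[item] = by_value
        self.any_mask[item] = any_mask

    def bitmap_for(self, item: str, value: str) -> int:
        """Bitmap of the rules whose setting for `item` covers the packet's value."""
        if item in ADDRESS_ITEMS:                  # every configured prefix containing the host
            addr = ipaddress.ip_address(value)
            bits = 0
            for prefix, bm in self.bitmaps[item].items():   # linear scan; a device would
                if addr in ipaddress.ip_network(prefix):     # use its prefix lookup here
                    bits |= bm
            return bits | self.any_mask[item]
        return self.bitmaps[item].get(value, 0) | self.any_mask[item]

    def match(self, pkt: dict) -> Optional[NatRule]:
        """Claims 2-3: AND the per-item bitmaps, then resolve whatever is left."""
        result = (1 << len(self.rules)) - 1
        for item in CONFIG_ITEMS:
            result &= self.bitmap_for(item, pkt[item])
            if result == 0:
                return None                        # no rule covers this packet
        if result & (result - 1) == 0:             # exactly one bit left: that rule wins
            return self.rules[result.bit_length() - 1]
        while result:                              # several left: walk them in configuration
            i = (result & -result).bit_length() - 1   # order (lowest set bit first) and apply
            if self.rules[i].extra is None or self.rules[i].extra(pkt):  # the extra filter
                return self.rules[i]
            result &= result - 1                   # clear the lowest bit, try the next rule
        return None

    def change_item(self, name: str, item: str, value: str) -> None:
        """Claims 5-6: one item of one rule changed, so regenerate only that item's table."""
        idx = next(i for i, r in enumerate(self.rules) if r.name == name)
        new_match = {**self.rules[idx].match, item: value}
        self.rules[idx] = dataclasses.replace(self.rules[idx], match=new_match)
        self.rebuild_item(item)


# Constructed rule set using documentation prefixes (RFC 5737 / RFC 3849).
RULES = [
    NatRule("office-https", "ipv4", {"src_addr": "192.0.2.0/24", "src_zone": "trust",
            "dst_zone": "untrust", "service": "https"}, "snat to 203.0.113.10",
            extra=lambda p: p["dst_port"] == 443),
    NatRule("office-any", "ipv4", {"src_addr": "192.0.2.0/24", "src_zone": "trust",
            "dst_zone": "untrust"}, "snat to 203.0.113.11"),
    NatRule("dmz-web", "ipv4", {"dst_addr": "203.0.113.80/32", "dst_zone": "untrust",
            "service": "https"}, "dnat to 192.0.2.80"),
    NatRule("v6-office", "ipv6", {"src_addr": "2001:db8:1::/48", "src_zone": "trust"},
            "nat66 to 2001:db8:ffff::1"),
]
TABLES = {p: AccelTable(p, RULES) for p in ("ipv4", "ipv6")}


def packet(proto, src, dst, szone, dzone, service, dport) -> dict:
    return {"proto": proto, "src_addr": src, "dst_addr": dst, "src_zone": szone,
            "dst_zone": dzone, "service": service, "dst_port": dport}


def lookup(pkt: dict) -> Optional[str]:
    """Claim 1: choose the table by protocol type, then match; returns the rule name."""
    rule = TABLES[pkt["proto"]].match(pkt)
    return rule.name if rule else None
```

With the sample rules, an HTTPS packet from 192.0.2.7 to the untrust zone leaves two bits set after the AND (office-https and office-any share every bitmap-encoded item), so the multi-bit path of claim 3 walks them in configuration order and the port predicate decides; a packet to 203.0.113.80 leaves exactly one bit and is resolved without any further check, as claim 3 states. Calling `change_item("office-https", "service", "http")` rebuilds only the service bitmaps, after which the same HTTPS packet matches office-any. The one cost a practitioner should notice is that the AND itself is O(number of items), while mapping a host address onto the configured prefixes is where the real lookup work sits; the linear scan here is only a stand-in for that.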
CN202011148411.7A 2020-10-23 2020-10-23 Network address translation rule matching method and equipment Withdrawn CN112235436A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011148411.7A CN112235436A (en) 2020-10-23 2020-10-23 Network address translation rule matching method and equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011148411.7A CN112235436A (en) 2020-10-23 2020-10-23 Network address translation rule matching method and equipment

Publications (1)

Publication Number Publication Date
CN112235436A true CN112235436A (en) 2021-01-15

Family

ID=74108996

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011148411.7A Withdrawn CN112235436A (en) 2020-10-23 2020-10-23 Network address translation rule matching method and equipment

Country Status (1)

Country Link
CN (1) CN112235436A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113518133A (en) * 2021-05-26 2021-10-19 北京天融信网络安全技术有限公司 Information configuration method and device and communication equipment
CN114268604A (en) * 2021-12-21 2022-04-01 中国电信股份有限公司 Method and system for providing access service
CN114268604B (en) * 2021-12-21 2024-03-22 中国电信股份有限公司 Method and system for providing access service
CN117579525A (en) * 2023-11-20 2024-02-20 北京思存通信技术有限公司 Network protocol feature recognition system

Similar Documents

Publication Publication Date Title
CN112235436A (en) Network address translation rule matching method and equipment
US9245626B2 (en) System and method for packet classification and internet protocol lookup in a network environment
US8914320B2 (en) Graph generation method for graph-based search
US6434144B1 (en) Multi-level table lookup
CN1655533B (en) Filter based on longest prefix match algorithm
CN113542125B (en) Method and device for forwarding message based on integrated flow table
US20040028046A1 (en) Logarithmic time range-based multifield-correlation packet classification
CN111131084B (en) QoS-aware OpenFlow flow table searching method
US7861291B2 (en) System and method for implementing ACLs using standard LPM engine
CN108141416A (en) A kind of message processing method, computing device and message process device
US8615015B1 (en) Apparatus, systems and methods for aggregate routes within a communications network
CN108848204B (en) NAT service rapid processing method and device
CN111726305A (en) Virtual machine-oriented multistage flow table management and control method and system
CN107547407A (en) Message transmitting method, device and realization device
US6279097B1 (en) Method and apparatus for adaptive address lookup table generator for networking application
US10897422B2 (en) Hybrid routing table for routing network traffic
US20080056270A1 (en) Method and apparatus of hierarchical node partitioning for address planning in pnni networks
US20230041395A1 (en) Method and Device for Processing Routing Table Entries
Hsieh et al. A classified multisuffix trie for IP lookup and update
CN107528794B (en) Data processing method and device
US20080175241A1 (en) System and method for obtaining packet forwarding information
CN104539537B (en) A kind of method for searching route and device
CN107800630A (en) Message processing method and device
CN105634999A (en) Aging method and device for medium access control address
CN114024885B (en) IP routing table management system and method based on subnet mask division

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20210115