CN105991552B - Method and apparatus for aging a flow table and a NAT session table - Google Patents


Info

Publication number: CN105991552B
Authority: CN (China)
Application number: CN201510056361.2A
Other languages: Chinese (zh)
Other versions: CN105991552A
Inventor: 李安坤
Current Assignee: Alibaba Damo Institute Hangzhou Technology Co Ltd
Original Assignee: Alibaba Group Holding Ltd
Legal status: Active
Prior art keywords: nat, tree, information, stream, flow table
History: application filed by Alibaba Group Holding Ltd; priority to CN201510056361.2A; publication of CN105991552A; application granted; publication of CN105991552B

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method and apparatus for aging a flow table and a NAT session table, in the field of network communication technology. The method includes: after an interface IP change, a public-network IP resource change or an interface link-state change, obtaining the pre-change IP information; inserting the pre-change IP information, in the form of a node, into the pending tree of a preset IP-information tree storage structure; determining, from the number of IP nodes in the pending tree and from an aging timer, whether to age the flow table and the NAT session table; and, when it is determined to age them, scanning the flow table and the NAT session table and aging out the flow-table nodes and NAT session nodes that correspond to the pre-change IP information held in the IP-information tree storage structure. The flow table and NAT session table can thus be aged actively, and the number of scans of the flow table and NAT session table is reduced.

Description

Method and apparatus for aging a flow table and a NAT session table
Technical field
The present invention relates to the field of network communication technology, and in particular to a method and apparatus for aging a flow table and a NAT session table.
Background art
With the development of network communication technology, networks play an ever larger role. When users access the Internet through a network, a stateful inspection network device records network connection information in a flow table (mainly the five-tuple: source IP, destination IP, source port, destination port and network protocol) and records the mapping of private-network IP addresses to public-network IP addresses in a NAT (Network Address Translation) session table, which is a table made up of NAT bindings. In daily operation and maintenance, the interface IP of a network device sometimes has to change because of a network topology change; the device's public-network IP resources sometimes change because of the operator's (ISP's) planning; and the link state of an interface may change (for example, go down, or otherwise change). After an interface IP change, a public-network IP resource change or an interface link-state change, the IP changes, but the pre-change IP still has table nodes in the stateful inspection device's flow table and NAT session table. To avoid tying up resources, the table nodes of the pre-change IP can be aged out.
At present there are mainly two techniques for aging the table nodes of the pre-change IP in the flow table and NAT session table. The first is passive aging: after the IP changes, the stateful inspection device does not actively scan the flow table and NAT session table, but waits for the pre-change IP's table nodes to time out naturally. The second is active aging: after the IP changes, one scan of the flow table and NAT session table is triggered to age out the pre-change IP's table nodes.
However, with passive aging the pre-change IP's table nodes are aged out only after the timeout period, and the timeout of flow and session tables is usually two minutes. In that case the stateful inspection device cannot release the pre-change IP's sessions in time, which greatly reduces its number of concurrent connections and needlessly consumes its memory and forwarding performance; moreover, the device keeps forwarding packets on the pre-change IP's sessions, which poses a serious security risk to back-end servers. With active aging, every IP change triggers a scan of the flow table and NAT session table; because a network has a very large number of IPs and the flow table and NAT session table of a stateful inspection device can hold millions, tens of millions or even hundreds of millions of nodes, triggering a full scan for every IP change imposes a heavy performance loss on the device.
Summary of the invention
To solve the problems in the prior art, the present invention provides a method and apparatus for aging a flow table and a NAT session table. They can actively age the flow table and NAT session table, so that the stateful inspection device releases the pre-change IP's sessions in time and stops forwarding packets on them; and the IP-information tree storage structure reduces the number of scans of the flow table and NAT session table, lowering the device's performance loss, so that the device can release the related session resources promptly and efficiently, improving the security of back-end servers and reducing the device's resource consumption.
To solve the above problems, the invention discloses a method for aging a flow table and a NAT session table. The method includes:
after an interface IP change, a public-network IP resource change or an interface link-state change, obtaining the pre-change IP information;
inserting the pre-change IP information, in the form of a node, into the pending tree of a preset IP-information tree storage structure;
determining, according to the number of IP nodes in the pending tree and an aging timer, whether to age the flow table and the Network Address Translation (NAT) session table;
when it is determined to age the flow table and the NAT session table, scanning the flow table and the NAT session table, and aging out those flow-table nodes and NAT session nodes in the flow table and the NAT session table that correspond to the pre-change IP information in the IP-information tree storage structure.
Further, before obtaining the pre-change IP information after an interface IP change, a public-network IP resource change or an interface link-state change, the method also includes:
obtaining the start-up information of the stateful inspection network device;
creating the IP-information tree storage structure.
Further, the IP-information tree storage structure includes: a balanced binary tree Patricia (prefix tree) tree storage structure, a balanced binary tree red-black tree storage structure, or a balanced binary tree SBT (self-balancing tree) tree storage structure.
Further, determining, according to the number of IP nodes in the pending tree and the aging timer, whether to age the flow table and the NAT session table includes:
comparing the number of IP nodes in the pending tree with a preset IP node count threshold;
when the number of IP nodes in the pending tree is greater than or equal to the preset IP node count threshold, judging whether the flow table and the NAT session table are in the being-scanned state;
if the flow table and the NAT session table are not in the being-scanned state, determining to age the flow table and the NAT session table.
Further, after comparing the number of IP nodes in the pending tree with the preset IP node count threshold, the method also includes:
when the number of IP nodes in the pending tree is less than the preset IP node count threshold, determining not to age the flow table and the NAT session table.
Further, determining, according to the aging timer, whether to age the flow table and the NAT session table includes:
at every preset time interval, judging whether the number of IP nodes in the pending tree is zero;
if the number of IP nodes in the pending tree is not zero, increasing the timer time of the timer corresponding to the aging timer by a preset time value;
judging whether the timer time of the timer corresponding to the aging timer is greater than or equal to a preset aging timer threshold;
if it is greater than or equal to the aging timer threshold, judging whether the flow table and the NAT session table are in the being-scanned state;
if the flow table and the NAT session table are not in the being-scanned state, determining to age the flow table and the NAT session table.
Further, after judging whether the number of IP nodes in the pending tree is zero, the method also includes:
if it is zero, determining not to age the flow table and the NAT session table.
Further, after judging whether the timer time of the timer corresponding to the aging timer is greater than or equal to the preset aging timer threshold, the method also includes:
if it is less than the aging timer threshold, determining not to age the flow table and the NAT session table.
Further, after judging whether the flow table and the NAT session table are in the being-scanned state, the method also includes:
if the flow table and the NAT session table are in the being-scanned state, determining not to age the flow table and the NAT session table.
Further, scanning the flow table and the NAT session table, and aging out those flow-table nodes and NAT session nodes in them that correspond to the pre-change IP information in the IP-information tree storage structure, includes:
scanning the NAT session table to obtain a NAT binding node;
judging whether the NAT binding node is empty;
if the NAT binding node is not empty, obtaining the IP information corresponding to the NAT binding node;
comparing the IP information corresponding to the NAT binding node, in turn, with the pre-change IP information in the pending tree;
if the pending tree contains pre-change IP information that matches the IP information corresponding to the NAT binding node, deleting the NAT binding node and then returning to the step of scanning the NAT session table;
if the NAT binding node is empty, scanning the flow table to obtain a flow identifier (ID);
judging whether the flow ID is valid;
if the flow ID is valid, obtaining, from the flow ID, the IP information of the flow corresponding to the flow ID;
comparing the IP information of the flow corresponding to the flow ID, in turn, with the pre-change IP information in the pending tree;
if the pending tree contains pre-change IP information that matches the IP information of the flow corresponding to the flow ID, setting the flow corresponding to the flow ID to the aging state, aging the flow, and then returning to the step of scanning the flow table;
if the flow ID is invalid, emptying the IP-information tree storage structure.
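The two trigger conditions (node-count threshold and aging timer, with the being-scanned check) and the scan procedure above, written out as an added example; this is illustration code, not the patent's or Alibaba's implementation. It assumes a sorted list searched with `bisect` in place of the Patricia/red-black/SBT tree, that the timer restarts after a scan, and that all IPs and table entries are constructed samples.

```python
"""Added illustration of the patent's pending-tree aging, not the patent's or
Alibaba's code. Assumed: a bisect-searched sorted list stands in for the
Patricia/red-black/SBT tree; the timer restarts after a scan; data is constructed."""
import bisect
from dataclasses import dataclass


@dataclass
class FlowEntry:
    flow_id: int
    src_ip: str
    dst_ip: str
    state: str = "active"      # set to "aging" when the scan ages the flow


@dataclass
class NatBinding:
    private_ip: str
    public_ip: str


class AgingController:
    """Members follow Fig. 2: pending_tree, pending_num, pending_threshold, sec_passed, sec_threshold, is_in_scan."""

    def __init__(self, pending_threshold=3, sec_threshold=60, tick=10):
        self.pending_tree = []             # sorted pre-change IPs
        self.pending_threshold = pending_threshold
        self.sec_passed = 0                # aging timer
        self.sec_threshold = sec_threshold
        self.tick = tick                   # preset timer interval (seconds)
        self.is_in_scan = False            # scan-in-progress flag

    @property
    def pending_num(self):
        return len(self.pending_tree)

    def _pending(self, ip):
        """O(log n) membership test on the sorted pending list."""
        i = bisect.bisect_left(self.pending_tree, ip)
        return i < len(self.pending_tree) and self.pending_tree[i] == ip

    def on_ip_changed(self, old_ip):
        """S101/S102 plus the node-count trigger: insert the pre-change IP,
        then age only if pending_num >= pending_threshold and no scan runs."""
        if not self._pending(old_ip):
            bisect.insort(self.pending_tree, old_ip)
        return self.pending_num >= self.pending_threshold and not self.is_in_scan

    def on_timer(self):
        """Timer trigger, evaluated every tick: an empty tree never ages; otherwise
        advance sec_passed and age at sec_threshold unless a scan is already running."""
        if self.pending_num == 0:
            return False
        self.sec_passed += self.tick
        if self.sec_passed < self.sec_threshold:
            return False
        return not self.is_in_scan

    def scan_and_age(self, nat_table, flow_table, nat_first=True):
        """S104: walk both tables in either order (the patent allows both), delete
        NAT bindings and age flows whose IPs are pending, then empty the tree."""
        self.is_in_scan = True
        aged_flows = aged_bindings = 0
        try:
            for table in (("nat", "flow") if nat_first else ("flow", "nat")):
                if table == "nat":
                    kept = [b for b in nat_table
                            if not (self._pending(b.private_ip)
                                    or self._pending(b.public_ip))]
                    aged_bindings = len(nat_table) - len(kept)
                    nat_table[:] = kept          # binding nodes are deleted
                else:
                    for f in flow_table:
                        if f.state != "aging" and (self._pending(f.src_ip)
                                                   or self._pending(f.dst_ip)):
                            f.state = "aging"    # flow set to the aging state
                            aged_flows += 1
            self.pending_tree.clear()            # empty the tree after the scan
            self.sec_passed = 0                  # assumption: timer restarts
        finally:
            self.is_in_scan = False
        return aged_flows, aged_bindings


def demo():
    """Constructed sample: two IP changes stay below the count threshold, so
    the 60 s timer (six 10 s ticks) is what triggers the scan."""
    ctl = AgingController(pending_threshold=3, sec_threshold=60, tick=10)
    flows = [FlowEntry(1, "10.0.0.5", "203.0.113.9"),
             FlowEntry(2, "10.0.0.6", "203.0.113.9"),
             FlowEntry(3, "10.0.0.7", "198.51.100.2"),
             FlowEntry(4, "10.0.0.8", "198.51.100.7")]
    nat = [NatBinding("10.0.0.5", "203.0.113.9"),
           NatBinding("10.0.0.7", "198.51.100.2"),
           NatBinding("10.0.0.8", "198.51.100.7")]
    count_triggers = [ctl.on_ip_changed("203.0.113.9"), ctl.on_ip_changed("10.0.0.7")]
    timer_triggers = [ctl.on_timer() for _ in range(6)]
    aged = ctl.scan_and_age(nat, flows)
    return {"count_triggers": count_triggers, "timer_triggers": timer_triggers,
            "aged": aged, "nat_left": len(nat), "pending_after": ctl.pending_num,
            "flow_states": [f.state for f in flows]}
```

Entries whose IPs are not in the pending tree survive the scan (flow 4 and the third binding in the sample), and the tree is empty afterwards, so the next change starts a new count and timer.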
Further, scanning the flow table and the NAT session table, and aging out those flow-table nodes and NAT session nodes in them that correspond to the pre-change IP information in the IP-information tree storage structure, includes:
scanning the flow table to obtain a flow identifier (ID);
judging whether the flow ID is valid;
if the flow ID is valid, obtaining, from the flow ID, the IP information of the flow corresponding to the flow ID;
comparing the IP information of the flow corresponding to the flow ID, in turn, with the pre-change IP information in the pending tree;
if the pending tree contains pre-change IP information that matches the IP information of the flow corresponding to the flow ID, setting the flow corresponding to the flow ID to the aging state, aging the flow, and then returning to the step of scanning the flow table;
if the flow ID is invalid, scanning the NAT session table to obtain a NAT binding node;
judging whether the NAT binding node is empty;
if the NAT binding node is not empty, obtaining the IP information corresponding to the NAT binding node;
comparing the IP information corresponding to the NAT binding node, in turn, with the pre-change IP information in the pending tree;
if the pending tree contains pre-change IP information that matches the IP information corresponding to the NAT binding node, deleting the NAT binding node and then returning to the step of scanning the NAT session table;
if the NAT binding node is empty, emptying the IP-information tree storage structure.
To solve the above problems, the invention also discloses an apparatus for aging a flow table and a NAT session table. The apparatus includes:
an obtaining module, for obtaining the pre-change IP information after an interface IP change, a public-network IP resource change or an interface link-state change;
an inserting module, for inserting the pre-change IP information, in the form of a node, into the pending tree of a preset IP-information tree storage structure;
a determining module, for determining, according to the number of IP nodes in the pending tree and an aging timer, whether to age the flow table and the Network Address Translation (NAT) session table;
an aging module, for, when it is determined to age the flow table and the NAT session table, scanning the flow table and the NAT session table and aging out those flow-table nodes and NAT session nodes in them that correspond to the pre-change IP information in the IP-information tree storage structure.
Further, the apparatus also includes:
a start-up module, for obtaining the start-up information of the stateful inspection network device;
a creating module, for creating the IP-information tree storage structure.
Further, the IP-information tree storage structure includes: a balanced binary tree Patricia (prefix tree) tree storage structure, a balanced binary tree red-black tree storage structure, or a balanced binary tree SBT (self-balancing tree) tree storage structure.
Further, the determining module includes:
a first comparing unit, for comparing the number of IP nodes in the pending tree with a preset IP node count threshold;
a first judging unit, for judging, when the number of IP nodes in the pending tree is greater than or equal to the preset IP node count threshold, whether the flow table and the NAT session table are in the being-scanned state;
a first determining unit, for determining to age the flow table and the NAT session table if they are not in the being-scanned state.
Further, the determining module also includes:
a second determining unit, for determining not to age the flow table and the NAT session table when the number of IP nodes in the pending tree is less than the preset IP node count threshold.
Further, the determining module includes:
a second judging unit, for judging, at every preset time interval, whether the number of IP nodes in the pending tree is zero;
a timing unit, for increasing the timer time of the timer corresponding to the aging timer by a preset time value if the number of IP nodes in the pending tree is not zero;
a third judging unit, for judging whether the timer time of the timer corresponding to the aging timer is greater than or equal to a preset aging timer threshold;
a fourth judging unit, for judging, if it is greater than or equal to the aging timer threshold, whether the flow table and the NAT session table are in the being-scanned state;
a third determining unit, for determining to age the flow table and the NAT session table if they are not in the being-scanned state.
Further, the determining module also includes:
a fourth determining unit, for determining not to age the flow table and the NAT session table if the number of IP nodes in the pending tree is zero.
Further, the determining module also includes:
a fifth determining unit, for determining not to age the flow table and the NAT session table if the timer time is less than the aging timer threshold.
Further, the determining module also includes:
a sixth determining unit, for determining not to age the flow table and the NAT session table if they are in the being-scanned state.
Further, the aging module includes:
a first scanning unit, for scanning the NAT session table to obtain a NAT binding node;
a fifth judging unit, for judging whether the NAT binding node is empty;
a first obtaining unit, for obtaining the IP information corresponding to the NAT binding node if the NAT binding node is not empty;
a second comparing unit, for comparing the IP information corresponding to the NAT binding node, in turn, with the pre-change IP information in the pending tree;
a first aging unit, for deleting the NAT binding node if the pending tree contains pre-change IP information that matches the IP information corresponding to the NAT binding node, and then notifying the first scanning unit to perform the step of scanning the NAT session table;
a second scanning unit, for scanning the flow table to obtain a flow identifier (ID) if the NAT binding node is empty;
a sixth judging unit, for judging whether the flow ID is valid;
a second obtaining unit, for obtaining, from the flow ID, the IP information of the flow corresponding to the flow ID if the flow ID is valid;
a third comparing unit, for comparing the IP information of the flow corresponding to the flow ID, in turn, with the pre-change IP information in the pending tree;
a second aging unit, for setting the flow corresponding to the flow ID to the aging state and aging the flow if the pending tree contains pre-change IP information that matches the IP information of that flow, and then notifying the second scanning unit to perform the step of scanning the flow table;
a first emptying unit, for emptying the IP-information tree storage structure if the flow ID is invalid.
Further, the aging module includes:
a third scanning unit, for scanning the flow table to obtain a flow identifier (ID);
a seventh judging unit, for judging whether the flow ID is valid;
a third obtaining unit, for obtaining, from the flow ID, the IP information of the flow corresponding to the flow ID if the flow ID is valid;
a fourth comparing unit, for comparing the IP information of the flow corresponding to the flow ID, in turn, with the pre-change IP information in the pending tree;
a third aging unit, for setting the flow corresponding to the flow ID to the aging state and aging the flow if the pending tree contains pre-change IP information that matches the IP information of that flow, and then notifying the third scanning unit to perform the step of scanning the flow table;
a fourth scanning unit, for scanning the NAT session table to obtain a NAT binding node if the flow ID is invalid;
an eighth judging unit, for judging whether the NAT binding node is empty;
a fourth obtaining unit, for obtaining the IP information corresponding to the NAT binding node if the NAT binding node is not empty;
a fifth comparing unit, for comparing the IP information corresponding to the NAT binding node, in turn, with the pre-change IP information in the pending tree;
a fourth aging unit, for deleting the NAT binding node if the pending tree contains pre-change IP information that matches the IP information corresponding to the NAT binding node, and then notifying the fourth scanning unit to perform the step of scanning the NAT session table;
a second emptying unit, for emptying the IP-information tree storage structure if the NAT binding node is empty.
Compared with the prior art, the present invention obtains the following technical effects:
1) After an interface IP change, a public-network IP resource change or an interface link-state change, whether to age the flow table and NAT session table is determined from the number of IP nodes in the pending tree of the IP-information tree storage structure and from the aging timer, so the flow table and NAT session table can be aged actively; the stateful inspection device can release the pre-change IP's sessions in time and stops forwarding packets on them. Because the pre-change IP information is inserted as nodes into the pending tree of the preset IP-information tree storage structure, the number of scans of the flow table and NAT session table is reduced, lowering the device's performance loss, so that it can release the related session resources promptly and efficiently, improving the security of back-end servers and reducing the device's resource consumption.
2) When the flow table and NAT session table are scanned, the IP information of the flow corresponding to each flow ID, and the IP information corresponding to each NAT binding node, are compared in turn with the pre-change IP information in the pending tree of the IP-information tree storage structure. The lookup time complexity of the IP-information tree storage structure is O(log n), which is equivalent to scanning the flow table O(log n) times and scanning the NAT session table O(log n) times, so the frequency of scanning the flow table and NAT session table is greatly reduced.
Brief description of the drawings
The drawings described here are provided to give a further understanding of the present invention and form part of it; the illustrative embodiments of the invention and their description serve to explain the invention and do not improperly limit it. In the drawings:
Fig. 1 is a flowchart of a first method for aging a flow table and a NAT session table provided by an embodiment of the present invention;
Fig. 2 is a schematic diagram of a balanced binary tree Patricia tree storage structure provided by an embodiment of the present invention;
Fig. 3 is a flowchart of a method, provided by an embodiment of the present invention, for determining from the number of IP nodes in the pending tree whether to age the flow table and NAT session table;
Fig. 4 is a flowchart of a method, provided by an embodiment of the present invention, for determining from the aging timer whether to age the flow table and NAT session table;
Fig. 5 is a flowchart of a second method for aging a flow table and a NAT session table provided by an embodiment of the present invention;
Fig. 6 is a flowchart of a third method for aging a flow table and a NAT session table provided by an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of a first apparatus for aging a flow table and a NAT session table provided by an embodiment of the present invention;
Fig. 8 is a schematic structural diagram of a second apparatus for aging a flow table and a NAT session table provided by an embodiment of the present invention.
Detailed description of the embodiments
The embodiments of the present invention are described in detail below with reference to the drawings and embodiments, so that the process by which the invention applies technical means to solve the technical problem and achieve the technical effect can be fully understood and implemented.
Certain terms are used in the specification and claims to refer to particular components. Those skilled in the art should understand that hardware manufacturers may refer to the same component by different names. This specification and the claims do not distinguish components by differences in name but by differences in function. The term "comprising" used throughout the specification and claims is open-ended and should be construed as "including but not limited to". "Substantially" means within an acceptable error range, within which those skilled in the art can solve the stated technical problem and essentially achieve the stated technical effect. In addition, the term "coupled" here includes any direct or indirect electrical coupling; thus, if a first device is described as being coupled to a second device, the first device may be electrically coupled to the second device directly, or indirectly through another device or coupling means. The subsequent description presents preferred embodiments for the purpose of illustrating the principles of the invention and is not intended to limit its scope, which is defined by the appended claims.
It should also be noted that the terms "include", "comprise" and any other variant are intended to be non-exclusive, so that a product or system comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to that product or system. Absent further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the product or system that includes it.
Description of an embodiment
The implementation of the method of the present invention is further described below with an embodiment. Fig. 1 is a flowchart of a method for aging a flow table and a NAT session table according to an embodiment of the present invention. The method includes:
S101: after an interface IP change, a public-network IP resource change or an interface link-state change, obtain the pre-change IP information.
Here the pre-change IP information includes the version and the address of the pre-change IP.
The IP version includes IPv4 (Internet Protocol version 4), IPv6 (Internet Protocol version 6), and so on.
Specifically, after an interface IP change, a public-network IP resource change or an interface link-state change, the stateful inspection network device sends a message to notify the service processing module, and the service processing module extracts the pre-change IP information from the message.
S102: insert the pre-change IP information, in the form of a node, into the pending tree of a preset IP-information tree storage structure.
Here the IP-information tree storage structure includes: a balanced binary tree Patricia (prefix tree) tree storage structure, a balanced binary tree red-black tree storage structure, or a balanced binary tree SBT (Size Balanced Tree, a self-balancing tree) tree storage structure.
Specifically, a balanced binary tree Patricia tree storage structure, a balanced binary tree red-black tree storage structure, a balanced binary tree SBT tree storage structure and the like can each complete insertion, lookup and deletion in O(log n) time, where n is the total number of nodes operated on, which improves scan efficiency.
Specifically, the IP-information tree storage structure can be created after the interface IP change, public-network IP resource change or interface link-state change and before the pre-change IP information is obtained; that is, after the start-up information of the stateful inspection network device is obtained (after the device starts), the IP-information tree storage structure is created.
S103: according to the number of IP nodes in the pending tree and the aging timer, determine whether to age the flow table and the NAT session table.
Specifically, the two conditions, the number of IP nodes in the pending tree and the aging timer, are judged in parallel; when either of them indicates that the flow table and NAT session table should be aged, it is determined to age the flow table and NAT session table.
S104: when it is determined to age the flow table and the NAT session table, scan the flow table and the NAT session table, and age out those flow-table nodes and NAT session nodes in them that correspond to the pre-change IP information in the IP-information tree storage structure.
Specifically, when scanning the flow table and NAT session table, the NAT session table may be scanned first and then the flow table, or the flow table first and then the NAT session table; this is not limited and may be configured according to the actual application.
Specifically, referring to Fig. 2, which shows a balanced binary Patricia tree storage structure created in this example, the meaning of each data member is as follows:
pending_tree (waiting tree): the nodes holding the IP information before the change are hung on the waiting tree;
pending_num: the current number of IP nodes;
pending_threshold: the IP node count threshold; when the number of IP nodes reaches this threshold, a scan of the flow table and NAT session table is triggered;
sec_passed: the timing time of the timer corresponding to the aging timing;
sec_threshold: the aging timing time threshold; if the timing time of the timer corresponding to the aging timing reaches this threshold, a scan of the flow table and NAT session table is triggered;
working_tree: the nodes of the IP information before the change that are currently being scanned. working_tree stores no data of its own and merely points to pending_tree. Because both the flow table and the NAT session table have to be scanned, for convenience, when the NAT session table is scanned first and then the flow table, pending_tree may be used while scanning the NAT session table and working_tree while scanning the flow table (since working_tree stores no data and only points to pending_tree, this is indirectly still pending_tree); when the flow table is scanned first and then the NAT session table, pending_tree may be used while scanning the flow table and working_tree while scanning the NAT session table (again indirectly pending_tree, for the same reason);
is_in_scan: the scan processing flag, which prevents the scanning of the flow table and NAT session table from being interrupted. It may be defined such that when the flag is 1 the flow table and NAT session table are in the scanned state, and when it is 0 they are not in the scanned state;
if_node: the node number;
ifl_idx: the index number of the network device interface;
ifip: a structure of type IPVx that stores the version and address of the IP, the address being IPv4 or IPv6.
Specifically, referring to Fig. 3, in a preferred embodiment, determining according to the number of IP nodes in the waiting tree whether to age the flow table and NAT session table includes:
S201: Compare the number of IP nodes in the waiting tree with a preset IP node count threshold. When the number of IP nodes in the waiting tree is greater than or equal to the preset IP node count threshold, execute S202; when the number of IP nodes in the waiting tree is less than the preset IP node count threshold, execute S204.
Specifically, the preset IP node count threshold may be configured according to the practical application, for example set to 10, 100, etc.
S202: Judge whether the flow table and NAT session table are in the scanned state. If the flow table and NAT session table are not in the scanned state, execute S203; if the flow table and NAT session table are in the scanned state, execute S204.
Specifically, because the two conditions, the number of IP nodes in the waiting tree and the aging timing, are evaluated in parallel, and either of them may lead to the determination that the flow table and NAT session table are to be aged, in order to avoid aging twice it is first judged, before aging is determined and executed, whether the flow table and NAT session table are already in the scanned state; if they are, aging is already in progress and need not be executed again.
Specifically, whether the flow table and NAT session table are in the scanned state may be judged by querying the scan processing flag (is_in_scan).
S203: Determine that the flow table and NAT session table are to be aged, then execute S104.
Specifically, after determining that the flow table and NAT session table are to be aged, the scan processing flag (is_in_scan) may be set to the scanned state; for example, if a flag value of 1 means that the flow table and NAT session table are in the scanned state, the scan processing flag is set to 1.
S204: Determine that the flow table and NAT session table are not to be aged, then end.
Specifically, referring to Fig. 4, in a preferred embodiment, determining according to the aging timing whether to age the flow table and NAT session table includes:
S301: Every preset time interval, judge whether the number of IP nodes in the waiting tree is zero. If the number of IP nodes in the waiting tree is not zero, execute S302; if the number of IP nodes in the waiting tree is zero, execute S306.
Wherein, the preset time interval may be 0.1 second, 0.5 second, 1 second, etc., selected according to the practical application; this is not limited here.
S302: Increase the timing time of the timer corresponding to the aging timing by a preset time value.
Wherein, the preset time value may be the same as the preset time interval: for example, if the preset time interval is 1 second and the preset time value is also 1 second, then every second in which the number of IP nodes in the waiting tree is judged to be non-zero, the timing time of the timer corresponding to the aging timing increases by 1 second, until the timing time of the timer is greater than or equal to the preset aging timing time threshold. The preset time value may also differ from the preset time interval: for example, if the preset time interval is 0.5 second and the preset time value is 1 second, then every 0.5 second in which the number of IP nodes in the waiting tree is judged to be non-zero, the timing time of the timer corresponding to the aging timing increases by 1 second, until the timing time of the timer is greater than or equal to the preset aging timing time threshold.
S303: Judge whether the timing time of the timer corresponding to the aging timing is greater than or equal to the preset aging timing time threshold. If it is greater than or equal to the preset aging timing time threshold, execute S304; if it is less than the preset aging timing time threshold, execute S306.
S304: Judge whether the flow table and NAT session table are in the scanned state. If the flow table and NAT session table are not in the scanned state, execute S305; if the flow table and NAT session table are in the scanned state, execute S306.
Specifically, because the two conditions, the number of IP nodes in the waiting tree and the aging timing, are evaluated in parallel, and either of them may lead to the determination that the flow table and NAT session table are to be aged, in order to avoid aging twice it is first judged, before aging is determined and executed, whether the flow table and NAT session table are already in the scanned state; if they are, aging is already in progress and need not be executed again.
Specifically, whether the flow table and NAT session table are in the scanned state may be judged by querying the scan processing flag (is_in_scan).
S305: Determine that the flow table and NAT session table are to be aged, then execute S104.
Specifically, after determining that the flow table and NAT session table are to be aged, the scan processing flag (is_in_scan) may be set to the scanned state; for example, if a flag value of 1 means that the flow table and NAT session table are in the scanned state, the scan processing flag is set to 1.
S306: Determine that the flow table and NAT session table are not to be aged, then end.
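The following Python is an added illustration of steps S102 and S103 (the insertion of S102 and the two parallel trigger checks of S201-S204 and S301-S306); it is not code from the patent or from the applicant. The waiting tree is modelled as a sorted list searched with bisect, a stand-in for the balanced Patricia / red-black / SBT tree the patent names; the field names follow the Fig. 2 data members, while the default threshold values, the tick_value field and the ip_key helper are assumptions made for the example.

```python
"""Aging-trigger state of a state-detection network device (added example)."""
from bisect import bisect_left, insort
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class IpInfoTree:
    """Fig. 2 data members; the waiting tree is a sorted list of node keys."""
    pending_threshold: int = 10          # IP node count threshold (patent's examples: 10, 100)
    sec_threshold: int = 5               # aging timing time threshold, seconds (assumed value)
    tick_value: int = 1                  # preset time value added per timer tick (assumed)
    pending_tree: list = field(default_factory=list)  # sorted (version, address) keys
    pending_num: int = 0                 # current number of IP nodes
    sec_passed: int = 0                  # timing time of the aging timer
    is_in_scan: int = 0                  # 1 while the flow/NAT tables are being scanned


def ip_key(addr: str) -> tuple:
    """Node key (IP version, integer address), mirroring the ifip IPVx fields."""
    ip = ip_address(addr)
    return (ip.version, int(ip))


def insert_changed_ip(tree: IpInfoTree, old_addr: str) -> int:
    """S102: hang the pre-change IP on the waiting tree (O(log n) lookup, no duplicates).

    Returns the resulting pending_num.
    """
    key = ip_key(old_addr)
    i = bisect_left(tree.pending_tree, key)
    if i == len(tree.pending_tree) or tree.pending_tree[i] != key:
        insort(tree.pending_tree, key)
        tree.pending_num += 1
    return tree.pending_num


def check_node_count(tree: IpInfoTree) -> bool:
    """S201-S204: trigger aging once pending_num reaches the threshold.

    Returns True when aging is determined (S203), having set is_in_scan so the
    parallel timer path cannot start a second scan.
    """
    if tree.pending_num < tree.pending_threshold:
        return False                     # S204
    if tree.is_in_scan:                  # S202: a scan is already running
        return False
    tree.is_in_scan = 1                  # S203: enter scanned state, proceed to S104
    return True


def timer_tick(tree: IpInfoTree) -> bool:
    """S301-S306: called every preset interval; trigger aging when the timer expires."""
    if tree.pending_num == 0:            # S301: nothing waiting, the timer does not advance
        return False
    tree.sec_passed += tree.tick_value   # S302
    if tree.sec_passed < tree.sec_threshold:
        return False                     # S303 -> S306
    if tree.is_in_scan:                  # S304: a scan is already running
        return False
    tree.is_in_scan = 1                  # S305: enter scanned state, proceed to S104
    return True


if __name__ == "__main__":
    t = IpInfoTree(pending_threshold=3, sec_threshold=2)
    for old in ("192.0.2.10", "192.0.2.11"):   # constructed documentation-range addresses
        insert_changed_ip(t, old)
    print("count trigger:", check_node_count(t), "timer trigger:", timer_tick(t))
```

Both checks return True at most once per scan cycle: whichever condition fires first sets is_in_scan, and the other path sees the flag and declines, which is the "avoid repeated aging" behaviour of S202 and S304.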
Specifically, referring to Fig. 5, in a preferred embodiment in which the NAT session table is scanned first and then the flow table, scanning the flow table and NAT session table and aging out the flow table nodes and NAT session nodes therein that correspond to the IP information before the change in the IP information tree storage structure includes:
S401: Scan the NAT session table and obtain a NAT binding node.
S402: Judge whether the NAT binding node is empty. If the NAT binding node is not empty, execute S403; if the NAT binding node is empty, execute S406.
Specifically, an empty NAT binding node shows that all NAT binding nodes in the NAT session table have been scanned.
S403: Obtain the IP information corresponding to the NAT binding node.
Wherein, the IP information includes the version and address of the IP.
S404: Compare the IP information corresponding to the NAT binding node in turn with the IP information before the change in the waiting tree. If IP information before the change that is consistent with the IP information corresponding to the NAT binding node exists in the waiting tree, execute S405; if no such IP information before the change exists in the waiting tree, execute S401.
Specifically, if IP information before the change consistent with the IP information of the NAT binding node exists in the waiting tree, this shows that the IP corresponding to the NAT binding node has changed, and the NAT binding node can be deleted.
S405: Delete the NAT binding node, then execute S401.
S406: Scan the flow table and obtain a flow identifier (flow ID).
S407: Judge whether the flow ID is valid. If the flow ID is valid, execute S408; if the flow ID is invalid, execute S411.
Specifically, an invalid flow ID shows that the whole flow table has been scanned.
S408: According to the flow ID, obtain the IP information of the flow corresponding to the flow ID.
S409: Compare the IP information of the flow corresponding to the flow ID in turn with the IP information before the change in the waiting tree. If IP information before the change that is consistent with the IP information of the flow exists in the waiting tree, execute S410; if no such IP information before the change exists in the waiting tree, execute S406.
Specifically, if IP information before the change consistent with the IP information of the flow exists in the waiting tree, this shows that the IP of the flow corresponding to the flow ID has changed, and the flow can be aged out.
S410: Set the flow corresponding to the flow ID to the aging state and perform flow aging on it, then execute S406.
S411: Empty the IP information tree storage structure, then end.
Specifically, emptying the IP information tree storage structure means clearing the data held in it, such as the IP information before the change, the aging timing and the IP node count.
Specifically, after the IP information tree storage structure is emptied, the scan processing flag (is_in_scan) may be set to the not-scanned state; for example, if a flag value of 0 means that the flow table and NAT session table are not in the scanned state, the scan processing flag is set to 0.
Specifically, referring to Fig. 6, in a preferred embodiment in which the flow table is scanned first and then the NAT session table, scanning the flow table and NAT session table and aging out the flow table nodes and NAT session nodes therein that correspond to the IP information before the change in the IP information tree storage structure includes:
S501: Scan the flow table and obtain a flow identifier (flow ID).
S502: Judge whether the flow ID is valid. If the flow ID is valid, execute S503; if the flow ID is invalid, execute S506.
Specifically, an invalid flow ID shows that the whole flow table has been scanned.
S503: According to the flow ID, obtain the IP information of the flow corresponding to the flow ID.
Wherein, the IP information includes the version and address of the IP.
S504: Compare the IP information of the flow corresponding to the flow ID in turn with the IP information before the change in the waiting tree. If IP information before the change that is consistent with the IP information of the flow exists in the waiting tree, execute S505; if no such IP information before the change exists in the waiting tree, execute S501.
Specifically, if IP information before the change consistent with the IP information of the flow exists in the waiting tree, this shows that the IP of the flow corresponding to the flow ID has changed, and the flow can be aged out.
S505: Set the flow corresponding to the flow ID to the aging state and perform flow aging on it, then execute S501.
S506: Scan the NAT session table and obtain a NAT binding node.
S507: Judge whether the NAT binding node is empty. If the NAT binding node is not empty, execute S508; if the NAT binding node is empty, execute S511.
Specifically, an empty NAT binding node shows that all NAT binding nodes in the NAT session table have been scanned.
S508: Obtain the IP information corresponding to the NAT binding node.
S509: Compare the IP information corresponding to the NAT binding node in turn with the IP information before the change in the waiting tree. If IP information before the change that is consistent with the IP information corresponding to the NAT binding node exists in the waiting tree, execute S510; if no such IP information before the change exists in the waiting tree, execute S506.
Specifically, if IP information before the change consistent with the IP information of the NAT binding node exists in the waiting tree, this shows that the IP corresponding to the NAT binding node has changed, and the NAT binding node can be deleted.
S510: Delete the NAT binding node, then execute S506.
S511: Empty the IP information tree storage structure, then end.
Specifically, emptying the IP information tree storage structure means clearing the data held in it, such as the IP information before the change, the aging timing and the IP node count.
Specifically, after the IP information tree storage structure is emptied, the scan processing flag (is_in_scan) may be set to the not-scanned state; for example, if a flag value of 0 means that the flow table and NAT session table are not in the scanned state, the scan processing flag is set to 0.
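The following Python is an added illustration of the S104 scan in both orderings, Fig. 5 (S401-S411, NAT session table first) and Fig. 6 (S501-S511, flow table first); it is not code from the patent or from the applicant. The NAT session table and flow table are constructed sample data held in plain lists and dicts, the waiting tree is a sorted list searched with bisect (standing in for the O(log n) balanced tree lookup), and which address field of a flow entry is compared with the pre-change IP is an assumption of the example (the patent only says "the IP information of the flow").

```python
"""S104: age NAT bindings and flows whose IP is in the waiting tree (added example)."""
from bisect import bisect_left
from copy import deepcopy
from ipaddress import ip_address


def ip_key(addr: str) -> tuple:
    """Node key (IP version, integer address), mirroring the ifip IPVx fields."""
    ip = ip_address(addr)
    return (ip.version, int(ip))


def make_state(changed_ips) -> dict:
    """Waiting tree already populated (S102) and a scan already decided (S103)."""
    keys = sorted(ip_key(a) for a in set(changed_ips))
    return {"pending_tree": keys, "pending_num": len(keys),
            "sec_passed": 3,           # constructed: the aging timer had been running
            "is_in_scan": 1}           # S203 / S305 set the scanned state


def in_waiting_tree(pending: list, key: tuple) -> bool:
    """O(log n) membership test against the sorted waiting tree."""
    i = bisect_left(pending, key)
    return i < len(pending) and pending[i] == key


def scan_nat_table(nat_bindings: list, pending: list) -> list:
    """S401-S405 / S506-S510: delete bindings whose IP is in the waiting tree.

    Iterating to the end of the list plays the role of "NAT binding node is empty".
    Returns the ids of the deleted bindings.
    """
    deleted, kept = [], []
    for binding in nat_bindings:
        if in_waiting_tree(pending, ip_key(binding["ip"])):
            deleted.append(binding["id"])      # S405 / S510: delete the binding node
        else:
            kept.append(binding)
    nat_bindings[:] = kept                     # remove in place, table object survives
    return deleted


def scan_flow_table(flows: dict, pending: list) -> list:
    """S406-S410 / S501-S505: mark flows of a changed IP as aging.

    Walking the flow IDs in order until none is left plays the role of "flow ID invalid".
    Returns the ids of the flows put into the aging state.
    """
    aged = []
    for flow_id, flow in sorted(flows.items()):
        if in_waiting_tree(pending, ip_key(flow["ip"])):   # S409 / S504
            flow["state"] = "aging"                        # S410 / S505
            aged.append(flow_id)
    return aged


def age_tables(state: dict, nat_bindings: list, flows: dict, nat_first: bool = True):
    """Run the S104 scan in the Fig. 5 (nat_first) or Fig. 6 ordering, then empty the tree."""
    pending = state["pending_tree"]
    if nat_first:
        deleted = scan_nat_table(nat_bindings, pending)
        aged = scan_flow_table(flows, pending)
    else:
        aged = scan_flow_table(flows, pending)
        deleted = scan_nat_table(nat_bindings, pending)
    # S411 / S511: empty the tree, i.e. pre-change IPs, aging timing and node count,
    # then leave the scanned state so the next change can trigger a new scan.
    pending.clear()
    state["pending_num"] = 0
    state["sec_passed"] = 0
    state["is_in_scan"] = 0
    return deleted, aged


# Constructed sample tables using documentation-range addresses, not captured data.
SAMPLE_NAT = [{"id": 1, "ip": "192.0.2.10"}, {"id": 2, "ip": "192.0.2.11"},
              {"id": 3, "ip": "2001:db8::1"}]
SAMPLE_FLOWS = {100: {"ip": "2001:db8::1", "state": "active"},
                101: {"ip": "198.51.100.7", "state": "active"},
                102: {"ip": "192.0.2.10", "state": "active"}}

if __name__ == "__main__":
    st = make_state(["192.0.2.10", "2001:db8::1"])
    nat, fl = deepcopy(SAMPLE_NAT), deepcopy(SAMPLE_FLOWS)
    print("deleted bindings, aged flows:", age_tables(st, nat, fl, nat_first=True))
```

The two orderings produce the same result because each table is scanned once against the same waiting tree; the order only matters for which table's stale entries stop forwarding first, which is why the patent leaves it configurable.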
With the method for aging the flow table and NAT session table described in this embodiment, after an interface IP change, public network IP resource change or interface link state change, whether to age the flow table and NAT session table is determined according to the number of IP nodes in the waiting tree of the IP information tree storage structure and the aging timing, so the flow table and NAT session table can be aged actively: the state-detection network device can release the sessions of the pre-change IP in time and no longer forwards data packets belonging to those sessions. Because the IP information before the change is inserted as nodes into the waiting tree of the preset IP information tree storage structure, the number of scans of the flow table and NAT session table is reduced by that structure, which lowers the performance loss of the state-detection network device, enables it to release the related session resources promptly and efficiently, improves the security of the back-end servers and reduces the resource consumption of the state-detection network device. When the flow table and NAT session table are scanned, the IP information of the flow corresponding to each flow ID, and the IP information corresponding to each NAT binding node, are compared in turn with the IP information before the change in the waiting tree of the IP information tree storage structure; since a lookup in the IP information tree storage structure has time complexity O(log n), this is equivalent to scanning the flow table O(log n) times and the NAT session table O(log n) times, which greatly reduces the number of scans of the flow table and NAT session table.
As shown in Fig. 7, a structural diagram of an apparatus for aging a flow table and a NAT session table according to an embodiment of the present invention, the apparatus includes:
an obtaining module 601, configured to obtain the IP information before the change after an interface IP change, a public network IP resource change or an interface link state change; wherein the IP information before the change includes the version and address of the IP before the change;
an inserting module 602, configured to insert the IP information before the change, in the form of a node, into the waiting tree of the preset IP information tree storage structure;
a determining module 603, configured to determine, according to the number of IP nodes in the waiting tree and the aging timing, whether to age the flow table and the network address translation (NAT) session table;
an aging module 604, configured to, when it is determined to age the flow table and the NAT session table, scan the flow table and the NAT session table and age out those flow table nodes and NAT session nodes in them that correspond to the IP information before the change in the IP information tree storage structure.
Further, referring to Fig. 8, the apparatus further includes:
a start-up module 605, configured to obtain start-up information of the state-detection network device;
a creation module 606, configured to create the IP information tree storage structure.
Further, the IP information tree storage structure includes: a balanced binary Patricia (prefix) tree storage structure, a balanced binary red-black tree storage structure, or a balanced binary self-balancing tree (SBT) storage structure.
Further, the determining module 603 includes:
a first comparing unit, configured to compare the number of IP nodes in the waiting tree with a preset IP node count threshold;
a first judging unit, configured to judge, when the number of IP nodes in the waiting tree is greater than or equal to the preset IP node count threshold, whether the flow table and NAT session table are in the scanned state;
a first determining unit, configured to determine that the flow table and NAT session table are to be aged if the flow table and NAT session table are not in the scanned state.
Further, the determining module 603 further includes:
a second determining unit, configured to determine that the flow table and NAT session table are not to be aged when the number of IP nodes in the waiting tree is less than the preset IP node count threshold.
Further, the determining module 603 includes:
a second judging unit, configured to judge, every preset time interval, whether the number of IP nodes in the waiting tree is zero;
a timing unit, configured to increase the timing time of the timer corresponding to the aging timing by a preset time value if the number of IP nodes in the waiting tree is not zero;
a third judging unit, configured to judge whether the timing time of the timer corresponding to the aging timing is greater than or equal to the preset aging timing time threshold;
a fourth judging unit, configured to judge, if it is greater than or equal to the aging timing time threshold, whether the flow table and NAT session table are in the scanned state;
a third determining unit, configured to determine that the flow table and NAT session table are to be aged if the flow table and NAT session table are not in the scanned state.
Further, the determining module 603 further includes:
a fourth determining unit, configured to determine that the flow table and NAT session table are not to be aged if the number of IP nodes in the waiting tree is zero.
Further, the determining module 603 further includes:
a fifth determining unit, configured to determine that the flow table and NAT session table are not to be aged if the timing time is less than the aging timing time threshold.
Further, the determining module 603 further includes:
a sixth determining unit, configured to determine that the flow table and NAT session table are not to be aged if the flow table and NAT session table are in the scanned state.
Further, the aging module 604 includes:
a first scanning unit, configured to scan the NAT session table and obtain a NAT binding node;
a fifth judging unit, configured to judge whether the NAT binding node is empty;
a first obtaining unit, configured to obtain the IP information corresponding to the NAT binding node if the NAT binding node is not empty; wherein the IP information includes the version and address of the IP;
a second comparing unit, configured to compare the IP information corresponding to the NAT binding node in turn with the IP information before the change in the waiting tree;
a first aging unit, configured to delete the NAT binding node if IP information before the change consistent with the IP information corresponding to the NAT binding node exists in the waiting tree, and then notify the first scanning unit to execute the step of scanning the NAT session table;
a second scanning unit, configured to scan the flow table and obtain a flow identifier (flow ID) if the NAT binding node is empty;
a sixth judging unit, configured to judge whether the flow ID is valid;
a second obtaining unit, configured to obtain, according to the flow ID, the IP information of the flow corresponding to the flow ID if the flow ID is valid;
a third comparing unit, configured to compare the IP information of the flow corresponding to the flow ID in turn with the IP information before the change in the waiting tree;
a second aging unit, configured to set the flow corresponding to the flow ID to the aging state and perform flow aging on it if IP information before the change consistent with the IP information of the flow exists in the waiting tree, and then notify the second scanning unit to execute the step of scanning the flow table;
a first emptying unit, configured to empty the IP information tree storage structure if the flow ID is invalid.
Further, the aging module 604 includes:
a third scanning unit, configured to scan the flow table and obtain a flow identifier (flow ID);
a seventh judging unit, configured to judge whether the flow ID is valid;
a third obtaining unit, configured to obtain, according to the flow ID, the IP information of the flow corresponding to the flow ID if the flow ID is valid; wherein the IP information includes the version and address of the IP;
a fourth comparing unit, configured to compare the IP information of the flow corresponding to the flow ID in turn with the IP information before the change in the waiting tree;
a third aging unit, configured to set the flow corresponding to the flow ID to the aging state and perform flow aging on it if IP information before the change consistent with the IP information of the flow exists in the waiting tree, and then notify the third scanning unit to execute the step of scanning the flow table;
a fourth scanning unit, configured to scan the NAT session table and obtain a NAT binding node if the flow ID is invalid;
an eighth judging unit, configured to judge whether the NAT binding node is empty;
a fourth obtaining unit, configured to obtain the IP information corresponding to the NAT binding node if the NAT binding node is not empty;
a fifth comparing unit, configured to compare the IP information corresponding to the NAT binding node in turn with the IP information before the change in the waiting tree;
a fourth aging unit, configured to delete the NAT binding node if IP information before the change consistent with the IP information corresponding to the NAT binding node exists in the waiting tree, and then notify the fourth scanning unit to execute the step of scanning the NAT session table;
a second emptying unit, configured to empty the IP information tree storage structure if the NAT binding node is empty.
With the apparatus for aging the flow table and NAT session table described in this embodiment, after an interface IP change, public network IP resource change or interface link state change, whether to age the flow table and NAT session table is determined according to the number of IP nodes in the waiting tree of the IP information tree storage structure and the aging timing, so the flow table and NAT session table can be aged actively: the state-detection network device can release the sessions of the pre-change IP in time and no longer forwards data packets belonging to those sessions. Because the IP information before the change is inserted as nodes into the waiting tree of the preset IP information tree storage structure, the number of scans of the flow table and NAT session table is reduced by that structure, which lowers the performance loss of the state-detection network device, enables it to release the related session resources promptly and efficiently, improves the security of the back-end servers and reduces the resource consumption of the state-detection network device. When the flow table and NAT session table are scanned, the IP information of the flow corresponding to each flow ID, and the IP information corresponding to each NAT binding node, are compared in turn with the IP information before the change in the waiting tree of the IP information tree storage structure; since a lookup in the IP information tree storage structure has time complexity O(log n), this is equivalent to scanning the flow table O(log n) times and the NAT session table O(log n) times, which greatly reduces the number of scans of the flow table and NAT session table.
The apparatus corresponds to the method flow described above; for any detail not given here, refer to the description of the method flow, which is not repeated.
The method and apparatus for aging a flow table and a NAT session table proposed by the present invention can be applied to network devices using IPv4 as well as IPv6, can be used in multi-core network devices, and can also be applied to similar aging scenarios in other state-detection network devices.
Several preferred embodiments of the invention have been shown and described above, but, as stated before, it should be understood that the invention is not limited to the forms disclosed herein, should not be regarded as excluding other embodiments, and can be used in various other combinations, modifications and environments, and can be modified within the scope of the inventive concept described herein through the above teachings or the technology or knowledge of the related fields. Changes and modifications made by those skilled in the art that do not depart from the spirit and scope of the invention shall all fall within the protection scope of the appended claims of the invention.

Claims (22)

1. the method that a kind of pair of flow table and NAT conversational list carry out aging, which is characterized in that the method includes:
Change, after public network IP resource changing or the change of interface link state in interface IP, obtains the IP information before changing;
IP information before the change is inserted into the form of node in the waiting tree of preset IP information tree-shaped storage organization;
According to the IP number of nodes and aging timing waited in tree, it is determined whether to flow table and address translation NAT Conversational list carries out aging;
When determining to the flow table and NAT conversational list progress aging, the flow table and the NAT conversational list are scanned, it will It is corresponding with the IP information before the change in the IP information tree-shaped storage organization in the flow table and the NAT conversational list Flow table node and NAT session node aging fall.
2. the method as described in claim 1, which is characterized in that in interface IP change, public network IP resource changing or interface link After state changes, before obtaining the IP information before changing, further include:
It obtains the state-detection network equipment and starts information;
Create the IP information tree-shaped storage organization.
3. method according to claim 1 or 2, which is characterized in that the IP information tree-shaped storage organization includes:Balanced binary Set prefix trees Patricia tree storage structure, balanced binary tree red black tree tree storage structure or balanced binary tree self-balancing tree SBT tree storage structure.
4. the method as described in claim 1, which is characterized in that according to the IP number of nodes waited in tree and aging Timing, it is determined whether aging is carried out to flow table and NAT conversational list, including:
The IP number of nodes in tree is waited to be compared with preset IP number of nodes threshold value by described;
When the IP number of nodes waited in tree is more than or equal to preset IP number of nodes threshold value, the flow table and institute are judged State whether NAT conversational list is in scanned state;
If the flow table and the NAT conversational list are not on scanned state, it is determined that the flow table and the NAT meeting It talks about table and carries out aging.
5. method as claimed in claim 4, which is characterized in that save the IP number of nodes waited in tree and preset IP After point amount threshold is compared, further include:
When the IP number of nodes waited in tree is less than preset IP number of nodes threshold value, determine not to the flow table and institute It states NAT conversational list and carries out aging.
6. The method according to claim 1, wherein determining, according to the aging timer, whether to age the flow table and the NAT session table comprises:
at every preset time interval, judging whether the number of IP nodes in the waiting tree is zero;
if the number of IP nodes in the waiting tree is not zero, increasing the timed value of the timer corresponding to the aging timer by a preset time value;
judging whether the timed value of the timer corresponding to the aging timer is greater than or equal to a preset aging timing threshold;
if it is greater than or equal to the aging timing threshold, judging whether the flow table and the NAT session table are in the being-scanned state;
if the flow table and the NAT session table are not in the being-scanned state, determining to age the flow table and the NAT session table.
7. The method according to claim 6, wherein after judging whether the number of IP nodes in the waiting tree is zero, the method further comprises:
if it is zero, determining not to age the flow table and the NAT session table.
8. The method according to claim 6, wherein after judging whether the timed value of the timer corresponding to the aging timer is greater than or equal to the preset aging timing threshold, the method further comprises:
if it is less than the aging timing threshold, determining not to age the flow table and the NAT session table.
9. The method according to claim 4 or 6, wherein after judging whether the flow table and the NAT session table are in the being-scanned state, the method further comprises:
if the flow table and the NAT session table are in the being-scanned state, determining not to age the flow table and the NAT session table.
10. The method according to claim 1, wherein scanning the flow table and the NAT session table, and aging out the flow table nodes and NAT session nodes in the flow table and the NAT session table that correspond to the pre-change IP information in the IP information tree storage structure, comprises:
scanning the NAT session table to obtain one NAT binding node;
judging whether the NAT binding node is empty;
if the NAT binding node is not empty, obtaining the IP information corresponding to the NAT binding node;
comparing the IP information corresponding to the NAT binding node in turn with the pre-change IP information in the waiting tree;
if pre-change IP information consistent with the IP information corresponding to the NAT binding node exists in the waiting tree, deleting the NAT binding node, and then returning to the step of scanning the NAT session table;
if the NAT binding node is empty, scanning the flow table to obtain one flow identifier (flow ID);
judging whether the flow ID is valid;
if the flow ID is valid, obtaining, according to the flow ID, the IP information of the flow corresponding to the flow ID;
comparing the IP information of the flow corresponding to the flow ID in turn with the pre-change IP information in the waiting tree;
if pre-change IP information consistent with the IP information of the flow corresponding to the flow ID exists in the waiting tree, setting the flow corresponding to the flow ID to the aging state, performing flow aging on the flow corresponding to the flow ID, and then returning to the step of scanning the flow table;
if the flow ID is invalid, emptying the IP information tree storage structure.
11. The method according to claim 1, wherein scanning the flow table and the NAT session table, and aging out the flow table nodes and NAT session nodes in the flow table and the NAT session table that correspond to the pre-change IP information in the IP information tree storage structure, comprises:
scanning the flow table to obtain one flow identifier (flow ID);
judging whether the flow ID is valid;
if the flow ID is valid, obtaining, according to the flow ID, the IP information of the flow corresponding to the flow ID;
comparing the IP information of the flow corresponding to the flow ID in turn with the pre-change IP information in the waiting tree;
if pre-change IP information consistent with the IP information of the flow corresponding to the flow ID exists in the waiting tree, setting the flow corresponding to the flow ID to the aging state, performing flow aging on the flow corresponding to the flow ID, and then returning to the step of scanning the flow table;
if the flow ID is invalid, scanning the NAT session table to obtain one NAT binding node;
judging whether the NAT binding node is empty;
if the NAT binding node is not empty, obtaining the IP information corresponding to the NAT binding node;
comparing the IP information corresponding to the NAT binding node in turn with the pre-change IP information in the waiting tree;
if pre-change IP information consistent with the IP information corresponding to the NAT binding node exists in the waiting tree, deleting the NAT binding node, and then returning to the step of scanning the NAT session table;
if the NAT binding node is empty, emptying the IP information tree storage structure.
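The aging decision of claims 4 to 9 and the scan order of claim 10 (NAT session table first, then flow table, then empty the tree), as an added Python simulation that is not code from the patent. A Python set stands in for the waiting tree, the IP fields held by a NAT binding node and a flow, the threshold values and the timer reset after an aging pass are all assumptions.

```python
"""Added simulation of the waiting-tree aging logic (claims 4-10).

Assumptions: a set stands in for the waiting tree (the claims name a Patricia,
red-black or SBT tree); a NAT binding node holds a private and a translated IP,
a flow holds a source and a destination IP; thresholds are constructed values.
"""
from dataclasses import dataclass, field


@dataclass
class Flow:
    flow_id: int
    src_ip: str
    dst_ip: str
    aging: bool = False      # the "aging state" of claim 10


@dataclass
class Tables:
    nat: dict = field(default_factory=dict)    # binding node -> (private, translated)
    flows: dict = field(default_factory=dict)  # flow ID -> Flow
    scanning: bool = False                     # the "being-scanned state"


class AgingController:
    def __init__(self, node_threshold=2, timer_threshold=3, tick=1):
        self.waiting = set()                    # waiting tree stand-in
        self.node_threshold = node_threshold    # preset IP node count threshold
        self.timer_threshold = timer_threshold  # preset aging timing threshold
        self.tick = tick                        # preset time value added per interval
        self.timer = 0                          # timer corresponding to the aging timer

    def on_ip_change(self, old_ip):
        """Claim 1: the pre-change IP is inserted as a node of the waiting tree."""
        self.waiting.add(old_ip)

    def should_age_by_count(self, tables):
        """Claims 4, 5 and 9: node-count threshold, gated by the scanning state."""
        if len(self.waiting) < self.node_threshold:
            return False
        return not tables.scanning

    def should_age_by_timer(self, tables):
        """Claims 6 to 9: call once per preset time interval."""
        if not self.waiting:                    # claim 7: nothing waiting, no aging
            return False
        self.timer += self.tick
        if self.timer < self.timer_threshold:   # claim 8
            return False
        return not tables.scanning              # claim 9

    def age(self, tables):
        """Claim 10: NAT session table first, then flow table, then empty the tree."""
        tables.scanning = True
        removed, aged = [], []
        for node, (private_ip, public_ip) in list(tables.nat.items()):
            if private_ip in self.waiting or public_ip in self.waiting:
                del tables.nat[node]            # NAT binding node deleted
                removed.append(node)
        for flow in tables.flows.values():      # runs until no valid flow ID remains
            if flow.src_ip in self.waiting or flow.dst_ip in self.waiting:
                flow.aging = True               # flow set to the aging state
                aged.append(flow.flow_id)
        self.waiting.clear()                    # tree emptied once the scan is exhausted
        self.timer = 0                          # assumption: restart the aging timer
        tables.scanning = False
        return removed, aged
```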
12. An apparatus for aging a flow table and a NAT session table, wherein the apparatus comprises:
an obtaining module, configured to obtain the pre-change IP information after an interface IP change, a public network IP resource change, or an interface link state change;
an inserting module, configured to insert the pre-change IP information, in the form of a node, into the waiting tree of a preset IP information tree storage structure;
a determining module, configured to determine, according to the number of IP nodes in the waiting tree and an aging timer, whether to age the flow table and the network address translation (NAT) session table;
an aging module, configured to, when it is determined to age the flow table and the NAT session table, scan the flow table and the NAT session table and age out the flow table nodes and NAT session nodes in the flow table and the NAT session table that correspond to the pre-change IP information in the IP information tree storage structure.
13. The apparatus according to claim 12, wherein the apparatus further comprises:
a starting module, configured to obtain start-up information of the stateful inspection network device;
a creating module, configured to create the IP information tree storage structure.
14. The apparatus according to claim 12 or 13, wherein the IP information tree storage structure comprises: a balanced binary tree prefix tree (Patricia tree) storage structure, a balanced binary tree red-black tree storage structure, or a balanced binary tree self-balancing tree (SBT) storage structure.
15. The apparatus according to claim 12, wherein the determining module comprises:
a first comparing unit, configured to compare the number of IP nodes in the waiting tree with a preset IP node count threshold;
a first judging unit, configured to, when the number of IP nodes in the waiting tree is greater than or equal to the preset IP node count threshold, judge whether the flow table and the NAT session table are in the being-scanned state;
a first determining unit, configured to, if the flow table and the NAT session table are not in the being-scanned state, determine to age the flow table and the NAT session table.
16. The apparatus according to claim 15, wherein the determining module further comprises:
a second determining unit, configured to, when the number of IP nodes in the waiting tree is less than the preset IP node count threshold, determine not to age the flow table and the NAT session table.
17. The apparatus according to claim 12, wherein the determining module comprises:
a second judging unit, configured to, at every preset time interval, judge whether the number of IP nodes in the waiting tree is zero;
a timing unit, configured to, if the number of IP nodes in the waiting tree is not zero, increase the timed value of the timer corresponding to the aging timer by a preset time value;
a third judging unit, configured to judge whether the timed value of the timer corresponding to the aging timer is greater than or equal to a preset aging timing threshold;
a fourth judging unit, configured to, if it is greater than or equal to the aging timing threshold, judge whether the flow table and the NAT session table are in the being-scanned state;
a third determining unit, configured to, if the flow table and the NAT session table are not in the being-scanned state, determine to age the flow table and the NAT session table.
18. The apparatus according to claim 17, wherein the determining module further comprises:
a fourth determining unit, configured to, if the number of IP nodes in the waiting tree is zero, determine not to age the flow table and the NAT session table.
19. The apparatus according to claim 17, wherein the determining module further comprises:
a fifth determining unit, configured to, if it is less than the aging timing threshold, determine not to age the flow table and the NAT session table.
20. The apparatus according to claim 15 or 17, wherein the determining module further comprises:
a sixth determining unit, configured to, if the flow table and the NAT session table are in the being-scanned state, determine not to age the flow table and the NAT session table.
21. The apparatus according to claim 12, wherein the aging module comprises:
a first scanning unit, configured to scan the NAT session table to obtain one NAT binding node;
a fifth judging unit, configured to judge whether the NAT binding node is empty;
a first obtaining unit, configured to, if the NAT binding node is not empty, obtain the IP information corresponding to the NAT binding node;
a second comparing unit, configured to compare the IP information corresponding to the NAT binding node in turn with the pre-change IP information in the waiting tree;
a first aging unit, configured to, if pre-change IP information consistent with the IP information corresponding to the NAT binding node exists in the waiting tree, delete the NAT binding node, and then notify the first scanning unit to perform the step of scanning the NAT session table;
a second scanning unit, configured to, if the NAT binding node is empty, scan the flow table to obtain one flow identifier (flow ID);
a sixth judging unit, configured to judge whether the flow ID is valid;
a second obtaining unit, configured to, if the flow ID is valid, obtain, according to the flow ID, the IP information of the flow corresponding to the flow ID;
a third comparing unit, configured to compare the IP information of the flow corresponding to the flow ID in turn with the pre-change IP information in the waiting tree;
a second aging unit, configured to, if pre-change IP information consistent with the IP information of the flow corresponding to the flow ID exists in the waiting tree, set the flow corresponding to the flow ID to the aging state, perform flow aging on the flow corresponding to the flow ID, and then notify the second scanning unit to perform the step of scanning the flow table;
a first emptying unit, configured to, if the flow ID is invalid, empty the IP information tree storage structure.
22. The apparatus according to claim 12, wherein the aging module comprises:
a third scanning unit, configured to scan the flow table to obtain one flow identifier (flow ID);
a seventh judging unit, configured to judge whether the flow ID is valid;
a third obtaining unit, configured to, if the flow ID is valid, obtain, according to the flow ID, the IP information of the flow corresponding to the flow ID;
a fourth comparing unit, configured to compare the IP information of the flow corresponding to the flow ID in turn with the pre-change IP information in the waiting tree;
a third aging unit, configured to, if pre-change IP information consistent with the IP information of the flow corresponding to the flow ID exists in the waiting tree, set the flow corresponding to the flow ID to the aging state, perform flow aging on the flow corresponding to the flow ID, and then notify the third scanning unit to perform the step of scanning the flow table;
a fourth scanning unit, configured to, if the flow ID is invalid, scan the NAT session table to obtain one NAT binding node;
an eighth judging unit, configured to judge whether the NAT binding node is empty;
a fourth obtaining unit, configured to, if the NAT binding node is not empty, obtain the IP information corresponding to the NAT binding node;
a fifth comparing unit, configured to compare the IP information corresponding to the NAT binding node in turn with the pre-change IP information in the waiting tree;
a fourth aging unit, configured to, if pre-change IP information consistent with the IP information corresponding to the NAT binding node exists in the waiting tree, delete the NAT binding node, and then notify the fourth scanning unit to perform the step of scanning the NAT session table;
a second emptying unit, configured to, if the NAT binding node is empty, empty the IP information tree storage structure.
Application CN201510056361.2A (en), status Active: Method and apparatus for aging a flow table and a NAT session table; priority date 2015-02-03, filing date 2015-02-03

Publications
CN105991552A (en), publication date 2016-10-05
CN105991552B (en), publication date 2018-11-30

Family ID 57037054; country status: CN, CN105991552B (en)


Legal Events

C06 / PB01: Publication
C10 / SE01: Entry into substantive examination (entry into force of request for substantive examination)
GR01: Patent grant
TR01: Transfer of patent right, effective date of registration 20211105
Patentee before: ALIBABA GROUP HOLDING Ltd., P.O. Box 847, 4th Floor, Capital Building, Grand Cayman, British Cayman Islands
Patentee after: Alibaba Dharma Institute (Hangzhou) Technology Co.,Ltd., Room 516, floor 5, building 3, No. 969, Wenyi West Road, Wuchang Street, Yuhang District, Hangzhou City, Zhejiang Province
EE01: Entry into force of recordation of patent licensing contract (three records; application publication date 20161005, granted publication date 20181130, denomination of invention: Method and device for aging flow tables and NAT session tables, assignor: Alibaba Dharma Institute (Hangzhou) Technology Co.,Ltd., license type: Common License, record date 20240123)
Assignee: Hangzhou Jinyong Technology Co.,Ltd., contract record no. X2024980001317
Assignee: Golden Wheat Brand Management (Hangzhou) Co.,Ltd., contract record no. X2024980001316
Assignee: Hangzhou Xinlong Huazhi Trademark Agency Co.,Ltd., contract record no. X2024980001315