CN106331196A - Method and device for realizing NAT - Google Patents


Info

Publication number: CN106331196A
Application number: CN201510363226.2A
Authority: CN (China)
Legal status: Withdrawn (status as listed by Google Patents, not a legal conclusion)
Inventor: 李大鹏
Current assignee: ZTE Corp
Original assignee: ZTE Corp
Other languages: Chinese (zh)
Prior art keywords: address, mapping, nat, item, public network
Related application: PCT/CN2016/083025 (WO2016206511A1)

Classifications (CPC; all under H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION)

    • H04L 61/00 Network arrangements, protocols or services for addressing or naming › 61/09 Mapping addresses › 61/25 Mapping addresses of the same type › 61/2503 Translation of Internet protocol [IP] addresses › 61/2521 Translation architectures other than single NAT servers
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/00 › 61/09 Mapping addresses › 61/25 Mapping addresses of the same type › 61/2503 Translation of Internet protocol [IP] addresses › 61/2517 Translation of Internet protocol [IP] addresses using port numbers
    • H04L 61/00 › 61/09 Mapping addresses › 61/25 Mapping addresses of the same type › 61/2503 Translation of Internet protocol [IP] addresses › 61/256 NAT traversal › 61/2575 NAT traversal using address mapping retrieval, e.g. simple traversal of user datagram protocol through session traversal utilities for NAT [STUN]
    • H04L 63/00 Network architectures or network communication protocols for network security › 63/10 Controlling access to devices or network resources › 63/101 Access control lists [ACL]
    • H04L 63/00 Network architectures or network communication protocols for network security › 63/02 Separating internal from external traffic, e.g. firewalls › 63/0227 Filtering policies › 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications › 67/01 Protocols › 67/10 Protocols in which an application is distributed across nodes in the network › 67/104 Peer-to-peer [P2P] networks

Abstract

The invention discloses a method and device for realizing NAT. The method comprises the following steps: creating a mapping table and a filter table, and setting a first key value for querying the mapping table and a second key value for querying the filter table; when a packet is sent from the private network to the public network, performing NAT address translation via the mapping table; when a packet is sent from the public network to the private network, performing NAT address translation via the filter table; and then forwarding the translated packet. With the disclosed method and device, diversified user demands can be satisfied, and the mapping table and filter table are simple in structure, occupy little memory and are efficient to query. Because the address mapping relation is recorded in the mapping table, the utilization rate of public-network IP resources can be improved, and the number of accesses to the address pool during NAT translation of packets can be greatly reduced, so that NAT efficiency is improved.

Description

Method and apparatus for realizing NAT
Technical field
The present invention relates to the field of network communication, and in particular to NAT (Network Address Translation) technology.
Background technology
NAT was proposed in 1994 to solve the exhaustion of IPv4 address resources. Its basic principle is that a private-network host is assigned a legal public-network address only when it needs to access the public network, while private addresses are used for communication inside the network.
A private-network IP address is the IP address of an internal network or host; a public-network IP address is a globally unique IP address on the Internet. NAT is the process of converting the IP address in an IP datagram header into another IP address.
The typical application scenario of NAT is one-to-many or many-to-many NAT. In this scenario, multiple hosts and ports of the internal network (Pri_ip:port) access the public network at the same time, and the NAT gateway translates them using one or more public address/port pairs (Pub_ip:port) taken from an address pool, recording each mapping relation. Later, when a packet is sent from the public network to the private network, the NAT gateway looks up the address translation record, replaces the packet's destination address with the original private address, and sends the packet back to the host that issued the request.
In order to use public IP resources as efficiently as possible while ensuring network interoperability, RFC 5128 proposes three address mapping and filtering modes: endpoint-independent (Endpoint-Independent), address-dependent (Address-Dependent), and address and port-dependent (Address and Port-Dependent).
The traditional approach uses NAT logs or an ATT to implement mapping and filtering modes indirectly, but both have drawbacks. With the NAT log method, system overhead grows as the number of NAT log records grows. The ATT cannot be configured flexibly, cannot support several mapping and filtering modes at the same time, and cannot meet diversified user demands.
Summary of the invention
The present invention provides a method and apparatus for realizing NAT, solving the technical problem of address translation mapping and access control between a private network and a public network.
To solve the above technical problem, the invention provides a method for realizing NAT, comprising the following processing:
Creating a mapping table and a filter table, and, according to the address mapping and filtering mode, setting a first key value for querying the mapping table and a second key value for querying the filter table. The mapping table records the address translation relation of packets from the private network to the public network; the filter table records the address traceback information from the public network to the private network.
When a packet is sent from the private network to the public network, the first key value is extracted from the packet, a public address is obtained by means of the first key value, the corresponding mapping entry in the mapping table is updated, and the address traceback information is written to the corresponding filter entry in the filter table; the packet is sent to the public network after NAT address translation using the obtained public address.
When a packet is sent from the public network to the private network, the second key value is extracted from the packet and the filter table is queried with it. If a corresponding filter entry is found, NAT address translation is performed using the address traceback information in the filter entry and the packet is sent to the private network; otherwise, the packet is forwarded according to the ACL rule group.
Preferably, obtaining the public address by means of the first key value and updating the corresponding mapping entry in the mapping table specifically includes: querying the mapping table with the first key value; if a corresponding mapping entry is found, reading the translation information from private address to public address in that entry and adding one to the entry's count value; otherwise, taking a public address from the public address pool, creating a corresponding mapping entry, writing the private-to-public translation information into it, adding one to its count value, creating a filter entry, and writing the packet's address traceback information into that filter entry.
Further, the method also includes creating a session table, which records the NAT address translation information of packets between the private network and the public network. After the NAT translation using the obtained public address, and after the NAT address translation using the address traceback information in the filter entry, the method also includes writing the NAT address translation information to the session table as a session entry.
Further, after the session table is created, the method also includes aging processing of the session table, and triggering the aging processing of the mapping table and of the filter table respectively according to the NAT address translation information in the session entries that need to be aged.
Preferably, triggering the aging processing of the mapping table and filter table according to the NAT address translation information in the session entries to be aged specifically includes: querying the mapping table according to the NAT address translation information in the session entry to be aged and the configured mapping and filtering mode; if a corresponding mapping entry is found, subtracting one from the count in that entry; when the count reaches zero, deleting the mapping entry and the filter entry associated with it, and reclaiming the NAT address resource.
Preferably, setting the first key value for querying the mapping table and the second key value for querying the filter table according to the address mapping and filtering mode is specifically as follows:
When the address mapping and filtering mode is address-independent, the first key value is the packet's source IP and source port, and the second key value is the IP and port after NAT translation;
When the mode is address-dependent, the first key value is the packet's source IP, source port and destination IP, and the second key value is the IP after NAT translation, the port after NAT translation, and the destination IP;
When the mode is address and port-dependent, the first key value is the packet's source IP, source port, destination IP and destination port, and the second key value is the IP after NAT translation, the port after NAT translation, the destination IP and the destination port.
The present invention also provides an apparatus for realizing NAT, comprising:
a first configuration unit, for creating a mapping table and a filter table and, according to the address mapping and filtering mode, setting a first key value for querying the mapping table and a second key value for querying the filter table; the mapping table records the address translation relation of packets from the private network to the public network, and the filter table records the address traceback information from the public network to the private network;
a first packet sending processing unit, for, when a packet is sent from the private network to the public network, extracting the first key value from the packet, obtaining a public address by means of the first key value, updating the corresponding mapping entry in the mapping table, and writing the address traceback information to the corresponding filter entry in the filter table; and sending the packet to the public network after NAT address translation using the obtained public address;
a second packet sending processing unit, for, when a packet is sent from the public network to the private network, extracting the second key value from the packet and querying the filter table with it; if a corresponding filter entry is found, performing NAT address translation using the address traceback information in the filter entry and sending the packet to the private network; otherwise, forwarding the packet according to the ACL rule group.
Preferably, the first packet sending processing unit includes a mapping table query processing module, for querying the mapping table with the first key value; if a corresponding mapping entry is found, reading the private-to-public translation information in that entry and adding one to its count value; otherwise, taking a public address from the public address pool, creating a corresponding mapping entry, writing the private-to-public translation information into it, adding one to its count value, creating a filter entry, and writing the packet's address traceback information into that filter entry.
Further, the apparatus also includes a second configuration unit and a session table write processing unit;
the second configuration unit is for creating a session table, which records the NAT address translation information of packets between the private network and the public network;
the session table write processing unit is for writing the NAT address translation information to the session table as a session entry after the NAT translation using the obtained public address and after the NAT address translation using the address traceback information in the filter entry.
Further, the apparatus also includes a session table aging processing module, for aging processing of the session table and for triggering the aging processing of the mapping table and of the filter table respectively according to the NAT address translation information in the session entries that need to be aged.
Preferably, the session table aging processing module includes an associated aging processing submodule, for querying the mapping table according to the NAT address translation information in the session entry to be aged and the configured mapping and filtering mode; if a corresponding mapping entry is found, subtracting one from the count in that entry; when the count reaches zero, deleting the mapping entry and the filter entry associated with it, and reclaiming the NAT address resource.
Preferably, the first configuration unit includes a key value setting module, for setting, when the address mapping and filtering mode is address-independent, the first key value to the packet's source IP and source port and the second key value to the IP and port after NAT translation;
when the mode is address-dependent, the first key value to the packet's source IP, source port and destination IP, and the second key value to the IP after NAT translation, the port after NAT translation, and the destination IP;
when the mode is address and port-dependent, the first key value to the packet's source IP, source port, destination IP and destination port, and the second key value to the IP after NAT translation, the port after NAT translation, the destination IP and the destination port.
Beneficial effects of the present invention:
In the present invention, because the address mapping and filtering mode can be configured flexibly and mapping entries and filter entries are generated dynamically during packet NAT, users' diversified needs are met. The mapping table and filter table are simple in structure, occupy little memory, are indexed by a hash method, and have high lookup efficiency.
The invention records address mapping relations in the mapping table, which, besides improving the utilization of public IP resources, can also greatly reduce the number of address pool accesses during packet NAT, improving NAT efficiency.
In the present invention, the filter table takes priority over the ACL rules: a packet that hits a filter entry is forwarded directly according to that entry. The filter table not only records the NAT address traceback relation but also controls access to the private network and ensures P2P network interoperability.
In the present invention, the mapping table and filter table are aged together with the session table. Timely aging of the mapping table ensures that NAT resources are reclaimed immediately when a session ends, which further improves address pool utilization. Moreover, timely aging of the filter table closes the public network's access to the private host that initiated the session, fully ensuring the security of private hosts.
Brief description of the drawings
Fig. 1 is a schematic diagram of the endpoint-independent mapping and filtering mode in the prior art;
Fig. 2 is a schematic diagram of the address-dependent mapping and filtering mode in the prior art;
Fig. 3 is a schematic diagram of the address and port-dependent mapping and filtering mode in the prior art;
Fig. 4 is a schematic diagram of the mapping table data structure and lookup of the present invention;
Fig. 5 is a flow chart of the mapping table lookup of the present invention;
Fig. 6 is a flow chart of the method for realizing NAT of the present invention;
Fig. 7 is a flow chart of processing a packet sent from the private network to the external network in the present invention;
Fig. 8 is a flow chart of processing a packet sent from the external network to the private network in the present invention;
Fig. 9 is a flow chart of the aging processing of the mapping table and filter table of the present invention.
Detailed description of the invention
Several key technical points of the invention are first introduced below in conjunction with embodiments: the mapping and filtering mode, the mapping table, the filter table and the session table.
One, mapping and filtering mode
In the present invention, the mapping mode and the filtering mode are bound together: if the configured mapping and filtering mode is address-independent, then the mapping mode is address-independent and the filtering mode is also address-independent; the two are kept consistent.
The invention supports the three filtering modes proposed by RFC 5128; in addition, it also supports user-defined mapping and filtering modes or filtering modes proposed by newer standards, so as to fully meet users' diversified demands.
Figs. 1-3 are schematic diagrams of the three address mapping and filtering modes proposed by RFC 5128: endpoint-independent, address-dependent, and address and port-dependent.
Two, mapping table
The mapping table is also called the Ref table. It records the address translation relation during NAT, i.e. the address translation of packets from the private network to the public network. The mapping table can be, but is not limited to, the following form:
Mapping table = {src_ip, src_port, dip, dport, translate_ip, translate_port, next_ref_index, ref_cn, other}
where src_ip, src_port, dip and dport identify the packet's source IP, source port, destination IP and destination port respectively; translate_ip and translate_port identify the packet's IP and port after NAT; next_ref_index is the index of the next mapping entry; ref_cn is the mapping entry's reference count, indicating how many session entries hold NAT information that refers to this mapping entry. ref_cn is set to 1 when the mapping entry is created and increased by 1 each time another session reuses this entry's public address. other represents further additional information to be stored and can be customized as required.
In address-independent mode, the key for creating and querying the mapping table is {src_ip, src_port}.
In address-dependent mode, the key for creating and querying the mapping table is {src_ip, src_port, dip}.
In address and port-dependent mode, the key for creating and querying the mapping table is {src_ip, src_port, dip, dport}.
Taking address-dependent mode as an example, sending the packets in Table 1 in succession yields the following mapping entry:
Mapping entry Ref_A = {src_ip=192.168.1.6, src_port=16, dip=128.0.0.5, dport=0, translate_ip=129.0.0.6, translate_port=50, ref_cn=3}
Since the mode is address-dependent, the key for creating and querying mapping entry Ref_A is {src_ip=192.168.1.6, src_port=16, dip=128.0.0.5}.
When packet 1 is sent, a public address is allocated for it and mapping entry Ref_A is created; at this point ref_cn=1.
When packets 2 and 3 are sent, because the user has configured endpoint-independent mode, the mapping table lookup hits entry Ref_A; the address translation information in Ref_A is used to replace the source IP address and port of packets 2 and 3, completing the NAT translation, and ref_cn is now 3.
Subsequent packets that cannot hit Ref_A re-enter the address pool to obtain an available public address, and a new mapping entry is created for them.
Table 1
The mapping table data structure and lookup are illustrated in Fig. 4, and the mapping table lookup flow in Fig. 5.
The mapping table may use a two-level HASH+CAM lookup structure to improve lookup efficiency. The HASH table holds CHS = 2^N_REF entries; each HASH entry is a content-addressable memory (CAM), each CAM holds one entry, and each CAM entry corresponds to one mapping table chain.
The value stored in a CAM entry is obtained from a pre-set stack ref_stack: each time, one element is taken from the top of the stack and used to index the mapping table. If the maximum number of mapping entries is CREF, the stack size is CREF and its elements are {0, 1, 2, 3, 4, ..., CREF-1}.
When a hash collision occurs while a mapping entry is being created, the element next_ref_index of the mapping entry is also obtained from the stack, so as to index the next mapping entry.
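The HASH+CAM two-level index with its ref_stack and next_ref_index chaining, as an added Python model; this is not ZTE's code or anything from the patent itself. The CHS = 2^N_REF buckets, the stack of indices 0..CREF-1 and the chaining of colliding entries follow the text above; the RefTable name, the blake2b-based bucket hash, the values N_REF=2 and CREF=8 used in the demo, and the sample keys are assumptions made for the example. With more keys than buckets the demo necessarily produces a chain, so it exercises the collision path, and deleting the page's Ref_A key shows its index going back onto the stack and being reused by the next insert.

```python
"""Model of the two-level HASH+CAM index this page describes for the mapping table.
Constructed example, not ZTE's code: CHS = 2**N_REF buckets, a free-index stack
ref_stack of 0..CREF-1 and next_ref_index chaining follow the page; N_REF, CREF,
the hash function and the sample keys are assumptions."""
import hashlib


class RefTable:
    def __init__(self, n_ref=4, cref=16):
        self.chs = 1 << n_ref                    # CHS = 2^N_REF hash buckets
        self.cam = [None] * self.chs             # one CAM per bucket: index of the chain head
        self.entries = [None] * cref             # mapping entries, addressed by stack index
        self.ref_stack = list(range(cref - 1, -1, -1))  # top of stack is 0, then 1, 2, ...

    def bucket(self, key):
        # Stand-in for the hardware hash: low N_REF bits of a digest over the key fields.
        digest = hashlib.blake2b(repr(key).encode(), digest_size=4).digest()
        return int.from_bytes(digest, "big") & (self.chs - 1)

    def lookup(self, key):
        """Return (index, entry) by walking the bucket's chain via next_ref_index."""
        idx = self.cam[self.bucket(key)]
        while idx is not None:
            e = self.entries[idx]
            if e["key"] == key:
                return idx, e
            idx = e["next_ref_index"]
        return None, None

    def insert(self, key, value):
        """Create a mapping entry; on a hash collision the chain tail gets a next_ref_index."""
        if self.lookup(key)[1] is not None:
            raise KeyError("mapping entry already exists")
        if not self.ref_stack:
            raise MemoryError("mapping table full (CREF entries in use)")
        idx = self.ref_stack.pop()               # index comes from the top of ref_stack
        self.entries[idx] = {"key": key, "value": value, "next_ref_index": None}
        b = self.bucket(key)
        if self.cam[b] is None:
            self.cam[b] = idx
        else:                                    # collision: walk to the tail and link the new index
            tail = self.cam[b]
            while self.entries[tail]["next_ref_index"] is not None:
                tail = self.entries[tail]["next_ref_index"]
            self.entries[tail]["next_ref_index"] = idx
        return idx

    def delete(self, key):
        """Unlink the entry from its chain and return its index to ref_stack for reuse."""
        b = self.bucket(key)
        prev, idx = None, self.cam[b]
        while idx is not None:
            e = self.entries[idx]
            if e["key"] == key:
                if prev is None:
                    self.cam[b] = e["next_ref_index"]
                else:
                    self.entries[prev]["next_ref_index"] = e["next_ref_index"]
                self.entries[idx] = None
                self.ref_stack.append(idx)
                return True
            prev, idx = idx, e["next_ref_index"]
        return False

    def chain_lengths(self):
        """Chain length per bucket; with more keys than buckets at least one is >= 2."""
        out = []
        for head in self.cam:
            n, idx = 0, head
            while idx is not None:
                n, idx = n + 1, self.entries[idx]["next_ref_index"]
            out.append(n)
        return out


def demo():
    """Fill a 4-bucket table with 8 address-dependent keys (forcing collisions), then
    delete the page's Ref_A key and show its index being handed back for reuse."""
    t = RefTable(n_ref=2, cref=8)
    keys = [("192.168.1.%d" % i, 16, "128.0.0.5") for i in range(8)]   # constructed sample keys
    for i, k in enumerate(keys):
        t.insert(k, {"translate_ip": "129.0.0.6", "translate_port": 50 + i})
    all_found = all(t.lookup(k)[1]["value"]["translate_port"] == 50 + i for i, k in enumerate(keys))
    longest = max(t.chain_lengths())
    ref_a = ("192.168.1.6", 16, "128.0.0.5")
    freed = t.lookup(ref_a)[0]
    t.delete(ref_a)
    reused = t.insert(("10.0.0.1", 1024, "128.0.0.5"), {})
    return all_found, longest, freed, reused
```

The filter table of section Three uses the same structure with a different key selection, so the same class serves it by passing filter keys instead of mapping keys.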
Three, filter table
The filter table is also called the Fil table. It records the address traceback information from the public network to the private network and the reachability of private hosts. The filter table can be, but is not limited to, the following form:
Filter table = {translate_ip, translate_port, dip, dport, src_ip, src_port, next_ref_index, other}
where translate_ip and translate_port identify the packet's IP and port after NAT; src_ip, src_port, dip and dport identify the packet's source IP, source port, destination IP and destination port respectively; next_ref_index is the index of the next filter entry; other represents further additional information to be stored and can be customized as required.
In address-independent mode, the key for creating and querying the filter table is {translate_ip, translate_port}.
In address-dependent mode, the key for creating and querying the filter table is {translate_ip, translate_port, dip}.
In address and port-dependent mode, the key for creating and querying the filter table is {translate_ip, translate_port, dip, dport}.
As shown in Table 2, the filter table uses the same structure and lookup method as the mapping table; the only difference is the choice of key fields used in the hash lookup.
Assume the mapping and filtering mode is address-dependent and that there is the following mapping entry and packet:
Mapping entry Ref_A = {src_ip=192.168.1.6, src_port=16, dip=128.0.0.5, dport=0, translate_ip=129.0.0.6, translate_port=50, ref_cn=3}
Table 2
Then there is a corresponding filter entry Fil_A:
Filter entry Fil_A = {translate_ip=129.0.0.6, translate_port=50, dip=128.0.0.5, dport=0, src_ip=192.168.1.6, src_port=16, next_ref_index, other}
In address-dependent mode the key for creating and querying the filter table is {translate_ip, translate_port, dip}, so the key corresponding to filter entry Fil_A is {translate_ip=129.0.0.6, translate_port=50, dip=128.0.0.5}.
Because the mode is address-dependent, a packet sent from any port of public host 128.0.0.5 to (129.0.0.6:50) hits Fil_A; src_ip=192.168.1.6 and src_port=16 are then taken from the filter entry to perform the NAT translation, completing the address traceback.
Packets sent by other public hosts cannot hit Fil_A and are forwarded according to the ACL rule group; in this way address translation is completed and the private host is protected at the same time.
Assume instead that the mapping and filtering mode is address-independent (set dip=0 and dport=0 in the filter entry above); then packets sent from any public host to (129.0.0.6:50) are forwarded to the private network via filter entry Fil_A, which guarantees the interoperability of P2P networks.
Four, session table
The session table, also called the FT table, is uniquely determined by the packet five-tuple.
Session table = {src_ip, src_port, dip, dport, protocol, nat_flag, translate_ip, translate_port, other}
src_ip, src_port, dip and dport identify the packet's source IP, source port, destination IP and destination port respectively; nat_flag is the NAT flag, which can record the NAT mode and mark whether the source or the destination address is translated; translate_ip and translate_port indicate the IP and port to which the packet's destination or source address should be translated; other represents further additional information to be stored, which may include the session's state information, aging information, security policy information, statistics, routing information, etc., and can be customized as required.
When a packet requires NAT, one connection corresponds to two FT entries. This is mainly because, once the NAT address translation has been performed, the five-tuples of the packets in the two directions differ. For example, (Aip:Aport) sends a packet to (Cip:Cport) with protocol type PRO_a, and after NAT (Aip:Aport) is translated to (Bip:Bport); the five-tuple of the outgoing packet is {Aip, Aport, Cip, Cport, PRO_a}, while the five-tuple of the returning packet becomes {Cip, Cport, Bip, Bport, PRO_a}. The forward and reverse five-tuples belong to one connection but correspond to two FT entries.
After the first packet of a session is received, regardless of the mapping and filtering mode, forward and reverse session entries are generated automatically after NAT and the session's NAT information is saved in the session entries. When subsequent packets of the session are received, the NAT information is read directly from the session entry. In this way, the processing efficiency of the session's subsequent packets is greatly improved.
Below in conjunction with accompanying drawing, and described in detail the implementation of the present invention by specific embodiment.
In implementing the present invention, the mapping filtering mode may be configured by the user, or a default mapping filtering mode may be applied directly. Mapping filtering modes include, but are not limited to, the following: external-address-independent mode, external-address-dependent mode, and external-address-and-port-dependent mode. These three modes are the filtering modes proposed in RFC5128; the mode may also be a filtering mode proposed by a newer standard, or a mapping filtering mode defined by the user.
The flow of the method for realizing NAT according to the present invention is shown in Figure 6. First, a mapping table and a filter table are created, where the mapping table records the address translation relationship of a packet from the private network to the public network, and the filter table records the address traceback information from the public network to the private network.
Then, according to the address mapping filtering mode, a first key is set for querying the mapping table, and a second key is set for querying the filter table.
Packet processing in the present invention covers both directions: from the private network to the public network, and from the public network to the private network. Before a packet is sent, NAT address translation is performed according to its direction.
Finally, the NAT-translated packet is forwarded.
As shown in Figure 7, when a packet is sent from the private network to the public network, a first key that differs according to the configured mapping filtering mode is set and the mapping table is queried. If no corresponding mapping item is found, a public network address is obtained from the address pool and a mapping item is created dynamically; the obtained public network address, together with the packet's source and destination addresses and other information, is written into the mapping item, and the count of the mapping item is set to 1. Then, according to the mapping filtering mode, the corresponding second key is set and a filter table item is created, and the address traceback information is written into the filter table item. If a corresponding mapping item is found, the address translation information in the mapping item is read directly and the count of the mapping item is incremented by 1. Finally, the private network address of the packet is replaced with the obtained public network address to complete the NAT translation, and the address translation information is written into the corresponding session table.
As shown in Figure 8, when a packet is sent from the public network to the private network, a second key that differs according to the configured mapping filtering mode is set and the filter table is queried. If a corresponding filter table item is found, the NAT address traceback information in the filter table item is read, the destination address is replaced back with the private network address, the lookup of the ACL rule group is skipped, the packet is forwarded directly, and the address translation information is written into the session table. If no filter table item is found, the packet is processed according to the query result of the ACL rule group.
As shown in Figure 9, in one embodiment, the aging of the mapping table and the filter table is triggered by the aging of the session table. A specific implementation may be: when a session table entry ages, the mapping table is queried according to the NAT address translation information in the aged session entry and the configured mapping filtering mode; if the corresponding mapping item is found, the count in that mapping item is decremented by 1; when the count reaches 0, the mapping item is deleted, the filter table item associated with it is deleted, and the NAT address resource is reclaimed.
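The mapping table, filter table and session table flow of Figures 7 to 9, with the per-mode first and second keys of claim 6, as an added illustrative model; this is not the patent's own code. The `NAT` class, the constructed pool of public (ip, port) pairs, and the rule that inbound-created sessions also take a reference on the mapping item are assumptions made here.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

# Mapping filtering modes named in the description (RFC 5128 terminology).
EI, AD, APD = "endpoint-independent", "address-dependent", "address-and-port-dependent"
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port")


@dataclass
class MapItem:
    pub_ip: str
    pub_port: int
    filter_key: tuple   # second key of the associated filter table item
    count: int = 0      # number of sessions referencing this item


class NAT:
    def __init__(self, mode: str, pool):
        self.mode = mode
        self.pool = list(pool)   # free public (ip, port) pairs; a constructed sample pool
        self.mapping = {}        # first key  -> MapItem
        self.filter = {}         # second key -> (private ip, private port, first key)
        self.sessions = {}       # private-side 4-tuple -> first key

    def key(self, ip: str, port: int, rem_ip: str, rem_port: int) -> tuple:
        # First and second keys share one shape, widened per mode (claim 6): EI uses the
        # local ip/port only, AD adds the remote ip, APD adds the remote port as well.
        if self.mode == EI:
            return (ip, port)
        if self.mode == AD:
            return (ip, port, rem_ip)
        return (ip, port, rem_ip, rem_port)

    def outbound(self, p: Packet) -> Packet:
        # Private -> public (Figure 7): reuse or create the mapping item, then rewrite the source.
        k1 = self.key(p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        item = self.mapping.get(k1)
        if item is None:
            if not self.pool:
                raise RuntimeError("public address pool exhausted")
            pub_ip, pub_port = self.pool.pop(0)
            k2 = self.key(pub_ip, pub_port, p.dst_ip, p.dst_port)
            item = self.mapping[k1] = MapItem(pub_ip, pub_port, k2)
            self.filter[k2] = (p.src_ip, p.src_port, k1)   # address traceback information
        self._touch_session((p.src_ip, p.src_port, p.dst_ip, p.dst_port), k1, item)
        return Packet(item.pub_ip, item.pub_port, p.dst_ip, p.dst_port)

    def inbound(self, p: Packet) -> Optional[Packet]:
        # Public -> private (Figure 8): a filter-table hit restores the private address and skips
        # the ACL lookup; a miss returns None so the caller falls back to the ACL rule group.
        hit = self.filter.get(self.key(p.dst_ip, p.dst_port, p.src_ip, p.src_port))
        if hit is None:
            return None
        priv_ip, priv_port, k1 = hit
        self._touch_session((priv_ip, priv_port, p.src_ip, p.src_port), k1, self.mapping[k1])
        return Packet(p.src_ip, p.src_port, priv_ip, priv_port)

    def _touch_session(self, skey: tuple, k1: tuple, item: MapItem) -> None:
        # Every session holds one reference on its mapping item (assumed here for inbound-created
        # sessions as well, so that aging stays balanced).
        if skey not in self.sessions:
            self.sessions[skey] = k1
            item.count += 1

    def age_session(self, skey: tuple) -> None:
        # Session aging (Figure 9): drop the reference; at zero, delete the mapping item and its
        # filter item and return the public address to the pool.
        k1 = self.sessions.pop(skey)
        item = self.mapping[k1]
        item.count -= 1
        if item.count == 0:
            del self.mapping[k1]
            del self.filter[item.filter_key]
            self.pool.append((item.pub_ip, item.pub_port))
```

Because a filter-table hit bypasses the ACL rule group, the chosen mode decides how much of the public network can reach a private host once a mapping exists: in EI mode any remote endpoint matches the filter item, while APD mode admits only the endpoint the host itself contacted.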
In summary, the present invention provides a method and device for implementing NAT mapping and filtering modes, which improves NAT processing efficiency and meets the diverse configuration needs of users. At the same time, address traceback and restriction of access to private network hosts are realized through the filter table, ensuring the interoperability of the network under NAT conditions.
The above is a further detailed description of the present invention in conjunction with specific embodiments, and the specific implementation of the present invention shall not be regarded as limited to these descriptions. For those of ordinary skill in the technical field of the present invention, several simple deductions or substitutions may also be made without departing from the inventive concept, and all of these shall be regarded as falling within the protection scope of the present invention.

Claims (12)

1. A method for realizing NAT, characterized in that it comprises the following processing:
creating a mapping table and a filter table, and, according to the address mapping filtering mode, setting a first key for querying the mapping table and a second key for querying the filter table; the mapping table records the address translation relationship of a packet from the private network to the public network, and the filter table records the address traceback information from the public network to the private network;
when a packet is sent from the private network to the public network, extracting the first key from the packet, obtaining a public network address by means of the first key, updating the corresponding mapping item in the mapping table, and updating the address traceback information into the corresponding filter table item in the filter table; performing address NAT translation using the obtained public network address and then sending the packet to the public network;
when a packet is sent from the public network to the private network, extracting the second key from the packet and querying the filter table by means of the second key; if a corresponding filter table item is found, performing address NAT translation using the address traceback information in the filter table item and then sending the packet to the private network; otherwise, performing forwarding processing of the packet according to the ACL rule group.
2. The method for realizing NAT according to claim 1, characterized in that obtaining a public network address by means of the first key and updating the corresponding mapping item in the mapping table specifically comprises: querying the mapping table by means of the first key; if a corresponding mapping item is found, reading the translation information from private network address to public network address in the mapping item, and incrementing the count value of the mapping item by one; otherwise, extracting a public network address from the public network address pool, creating a corresponding mapping item, writing the translation information from private network address to public network address into the mapping item, incrementing the count value of the mapping item by one, creating a filter table item, and writing the address traceback information of the packet into the filter table item.
3. The method for realizing NAT according to claim 2, characterized in that it further comprises: creating a session table, the session table recording the address NAT translation information of packets between the private network and the public network; after the NAT translation using the obtained public network address and after the address NAT translation using the address traceback information in the filter table item, further comprising: writing the address NAT translation information into the session table as a session table entry.
4. The method for realizing NAT according to claim 3, characterized in that, after creating the session table, it further comprises: performing aging processing of the session table, and triggering the aging processing of the mapping table and the filter table respectively according to the address NAT translation information in the aged session table entry.
5. The method for realizing NAT according to claim 4, characterized in that triggering the aging processing of the mapping table and the filter table respectively according to the address NAT translation information in the aged session table entry specifically comprises the following processing: querying the mapping table according to the address NAT translation information in the aged session table entry and the configured mapping filtering mode; if the corresponding mapping item is found, decrementing the count in the mapping item by one; when the count reaches zero, deleting the mapping item, deleting the filter table item associated with the mapping item, and reclaiming the NAT address resource.
6. The method for realizing NAT according to any one of claims 1-5, characterized in that setting, according to the address mapping filtering mode, the first key for querying the mapping table and the second key for querying the filter table is specifically:
when the address mapping filtering mode is the address-independent mode, the first key is: the source ip and source port of the packet, and the second key is: the ip and port after address NAT translation;
when the address mapping filtering mode is the address-dependent mode, the first key is: the source ip, source port and destination ip of the packet, and the second key is: the ip after address NAT translation, the port after address NAT translation and the destination ip;
when the address mapping filtering mode is the address-and-port-dependent mode, the first key is: the source ip, source port, destination ip and destination port of the packet, and the second key is: the ip after address NAT translation, the port after address NAT translation, the destination ip and the destination port.
7. A device for realizing NAT, characterized in that it comprises:
a first configuration unit, configured to create a mapping table and a filter table, and, according to the address mapping filtering mode, to set a first key for querying the mapping table and a second key for querying the filter table; the mapping table records the address translation relationship of a packet from the private network to the public network, and the filter table records the address traceback information from the public network to the private network;
a first packet sending processing unit, configured to, when a packet is sent from the private network to the public network, extract the first key from the packet, obtain a public network address by means of the first key, update the corresponding mapping item in the mapping table, and update the address traceback information into the corresponding filter table item in the filter table; and to send the packet to the public network after performing address NAT translation using the obtained public network address;
a second packet sending processing unit, configured to, when a packet is sent from the public network to the private network, extract the second key from the packet and query the filter table by means of the second key; if a corresponding filter table item is found, send the packet to the private network after performing address NAT translation using the address traceback information in the filter table item; otherwise, perform forwarding processing of the packet according to the ACL rule group.
8. The device for realizing NAT according to claim 7, characterized in that the first packet sending processing unit comprises a mapping table query processing module, configured to query the mapping table by means of the first key; if a corresponding mapping item is found, read the translation information from private network address to public network address in the mapping item, and increment the count value of the mapping item by one; otherwise, extract a public network address from the public network address pool, create a corresponding mapping item, write the translation information from private network address to public network address into the mapping item, increment the count value of the mapping item by one, create a filter table item, and write the address traceback information of the packet into the filter table item.
9. The device for realizing NAT according to claim 8, characterized in that it further comprises: a second configuration unit and a session table write processing unit;
the second configuration unit is configured to create a session table, the session table recording the address NAT translation information of packets between the private network and the public network;
the session table write processing unit is configured to write the address NAT translation information into the session table as a session table entry after the NAT translation using the obtained public network address and after the address NAT translation using the address traceback information in the filter table item.
10. The device for realizing NAT according to claim 9, characterized in that it further comprises a session table aging processing module, configured to perform aging processing of the session table and to trigger the aging processing of the mapping table and the filter table respectively according to the address NAT translation information in the aged session table entry.
11. The device for realizing NAT according to claim 10, characterized in that the session table aging processing module comprises an associated aging processing submodule, configured to query the mapping table according to the address NAT translation information in the aged session table entry and the configured mapping filtering mode; if the corresponding mapping item is found, decrement the count in the mapping item by one; when the count reaches zero, delete the mapping item, delete the filter table item associated with the mapping item, and reclaim the NAT address resource.
12. The device for realizing NAT according to any one of claims 7-11, characterized in that the first configuration unit comprises a key setting module, configured to: when the address mapping filtering mode is the address-independent mode, set the first key as: the source ip and source port of the packet, and the second key as: the ip and port after address NAT translation;
when the address mapping filtering mode is the address-dependent mode, set the first key as: the source ip, source port and destination ip of the packet, and the second key as: the ip after address NAT translation, the port after address NAT translation and the destination ip;
when the address mapping filtering mode is the address-and-port-dependent mode, set the first key as: the source ip, source port, destination ip and destination port of the packet, and the second key as: the ip after address NAT translation, the port after address NAT translation, the destination ip and the destination port.
CN201510363226.2A 2015-06-26 2015-06-26 Method and device for realizing NAT Withdrawn CN106331196A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201510363226.2A CN106331196A (en) 2015-06-26 2015-06-26 Method and device for realizing NAT
PCT/CN2016/083025 WO2016206511A1 (en) 2015-06-26 2016-05-23 Method and device for implementing nat

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510363226.2A CN106331196A (en) 2015-06-26 2015-06-26 Method and device for realizing NAT

Publications (1)

Publication Number Publication Date
CN106331196A true CN106331196A (en) 2017-01-11

Family

ID=57584670

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510363226.2A Withdrawn CN106331196A (en) 2015-06-26 2015-06-26 Method and device for realizing NAT

Country Status (2)

Country Link
CN (1) CN106331196A (en)
WO (1) WO2016206511A1 (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107547396A (en) * 2017-05-18 2018-01-05 新华三信息安全技术有限公司 A kind of message forwarding method and device
CN112104565A (en) * 2020-09-15 2020-12-18 东软集团股份有限公司 Method, system and equipment for realizing message forwarding
CN113746954A (en) * 2021-09-22 2021-12-03 烽火通信科技股份有限公司 Method and device for rapidly recovering NAT address block secondary allocation
WO2022116848A1 (en) * 2020-12-01 2022-06-09 武汉绿色网络信息服务有限责任公司 Packet transmission method and apparatus, computer device, and storage medium
CN114615230A (en) * 2022-03-14 2022-06-10 芯河半导体科技(无锡)有限公司 Traceable NAPT dynamic address mapping method
CN115065599A (en) * 2022-04-09 2022-09-16 北京金睛云华科技有限公司 NAT rule optimization configuration method in full-flow storage backtracking analysis system

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111866110B (en) * 2020-07-13 2023-12-19 浙江捷创方舟数字技术有限公司 Industrial equipment communication method and 5G gateway
CN112202935B (en) * 2020-08-28 2023-01-13 中盈优创资讯科技有限公司 NAT address pool management method and device
CN112965824B (en) * 2021-03-31 2024-04-09 北京金山云网络技术有限公司 Message forwarding method and device, storage medium and electronic equipment
CN113709242A (en) * 2021-08-26 2021-11-26 华为技术有限公司 Message forwarding method and communication device
CN113904798B (en) * 2021-08-27 2024-03-22 长沙星融元数据技术有限公司 Multi-group filtering method, system, equipment and storage medium for IP message

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1897560A (en) * 2005-07-12 2007-01-17 中兴通讯股份有限公司 Method for improving routing list capacity
CN101068212A (en) * 2007-06-11 2007-11-07 中兴通讯股份有限公司 Network address switching retransmitting device and method
CN101132424A (en) * 2007-09-29 2008-02-27 杭州华三通信技术有限公司 Network address conversion method and device thereof
CN101605105A (en) * 2009-07-14 2009-12-16 中兴通讯股份有限公司 A kind of method and apparatus that fragment message is carried out network address translation
US20140310397A1 (en) * 2013-04-10 2014-10-16 D-Link Corporation Network system capable of implementing stun with the assistance of two network devices and method thereof

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7193996B2 (en) * 2002-02-28 2007-03-20 Acme Packet, Inc. System and method for determining a source of an internet protocol packet
CN103188154B (en) * 2013-04-19 2016-03-02 杭州华三通信技术有限公司 A kind of method of network address translation and board
CN104168338A (en) * 2013-05-16 2014-11-26 杭州迪普科技有限公司 Network address conversion device and network address conversion method
CN103825976B (en) * 2014-03-04 2017-05-10 新华三技术有限公司 NAT (network address translation) processing method and device in distributed system architecture

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1897560A (en) * 2005-07-12 2007-01-17 中兴通讯股份有限公司 Method for improving routing list capacity
CN101068212A (en) * 2007-06-11 2007-11-07 中兴通讯股份有限公司 Network address switching retransmitting device and method
CN101132424A (en) * 2007-09-29 2008-02-27 杭州华三通信技术有限公司 Network address conversion method and device thereof
CN101605105A (en) * 2009-07-14 2009-12-16 中兴通讯股份有限公司 A kind of method and apparatus that fragment message is carried out network address translation
US20140310397A1 (en) * 2013-04-10 2014-10-16 D-Link Corporation Network system capable of implementing stun with the assistance of two network devices and method thereof

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107547396A (en) * 2017-05-18 2018-01-05 新华三信息安全技术有限公司 A kind of message forwarding method and device
CN107547396B (en) * 2017-05-18 2021-03-19 新华三信息安全技术有限公司 Message forwarding method and device
CN112104565A (en) * 2020-09-15 2020-12-18 东软集团股份有限公司 Method, system and equipment for realizing message forwarding
CN112104565B (en) * 2020-09-15 2024-03-29 东软集团股份有限公司 Method, system and equipment for realizing message forwarding
WO2022116848A1 (en) * 2020-12-01 2022-06-09 武汉绿色网络信息服务有限责任公司 Packet transmission method and apparatus, computer device, and storage medium
CN113746954A (en) * 2021-09-22 2021-12-03 烽火通信科技股份有限公司 Method and device for rapidly recovering NAT address block secondary allocation
CN113746954B (en) * 2021-09-22 2023-06-13 烽火通信科技股份有限公司 Method and device for quickly recovering NAT address block through secondary allocation
CN114615230A (en) * 2022-03-14 2022-06-10 芯河半导体科技(无锡)有限公司 Traceable NAPT dynamic address mapping method
CN114615230B (en) * 2022-03-14 2024-01-19 芯河半导体科技(无锡)有限公司 NAPT dynamic address mapping method capable of backtracking
CN115065599A (en) * 2022-04-09 2022-09-16 北京金睛云华科技有限公司 NAT rule optimization configuration method in full-flow storage backtracking analysis system
CN115065599B (en) * 2022-04-09 2023-07-18 北京金睛云华科技有限公司 NAT rule optimizing configuration method in full-flow storage backtracking analysis system

Also Published As

Publication number Publication date
WO2016206511A1 (en) 2016-12-29

Similar Documents

Publication Publication Date Title
CN106331196A (en) Method and device for realizing NAT
US10084680B2 (en) System and method for subscriber aware network monitoring
CN103428093B (en) Route prefix storing, matching and updating method and device based on names
CN101552803B (en) Method for maintaining network address translation address mapping table, media gateway and controller thereof
TWI520530B (en) Packet switch device and method of the same
JP4705656B2 (en) Address translation device, address translation program
CN1874313A (en) Method of processing packet and metwork device
CN101237378A (en) Mapping method and device of virtual LAN
US8923291B2 (en) Communication apparatus and communication method
CN103200281A (en) Method, device and system for accessing intranet server
CN103442096B (en) NAT method based on mobile Internet and system
CN103957282B (en) Terminal user's domain name mapping acceleration system and its method in a kind of domain
CN108848204A (en) A kind of NAT business immediate processing method and device
CN101132424A (en) Network address conversion method and device thereof
CN109905496A (en) A kind of DNS intelligent dispatching method based on subscriber policy
CN108540387A (en) Method for network access control and device
US9485179B2 (en) Apparatus and method for scalable and flexible table search in a network switch
US20050063393A1 (en) Method of network address port translation and gateway using the same
CN106453091B (en) The equivalent route management method and device of router Forwarding plane
US20050265340A1 (en) Network address-port translation apparatus and method
CN105991391A (en) Method and device for uploading protocol message to CPU
CN108259504A (en) It is a kind of based on group realize accesses control list a method and device
CN104427013B (en) Working level address-translating device and its processing method to station address mapping relations
CN102984075A (en) Programmable router based on NetFPGA
CN1561038A (en) Method of collecting insertion of multiple IP voice insertion equipment

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication
WW01 Invention patent application withdrawn after publication

Application publication date: 20170111