CN106331196A - Method and device for realizing NAT - Google Patents
Method and device for realizing NAT
- Publication number: CN106331196A (application CN201510363226.2A)
- Authority: CN (China)
- Prior art keywords: address, mapping, nat, item, public network
- Legal status: Withdrawn (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/2521—Translation architectures other than single NAT servers
- H04L61/2517—Translation of Internet protocol [IP] addresses using port numbers
- H04L61/2575—NAT traversal using address mapping retrieval, e.g. simple traversal of user datagram protocol through session traversal utilities for NAT [STUN]
- H04L63/101—Access control lists [ACL]
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
- H04L67/104—Peer-to-peer [P2P] networks
Abstract
The invention discloses a method and device for realizing NAT. The method comprises the following steps: creating a mapping table and a filter table, and setting a first key value and a second key value for querying the mapping table and the filter table respectively; when a packet is sent from the private network to the public network, performing address NAT translation via the mapping table; when the packet is sent from the public network to the private network, performing address NAT translation via the filter table; and then forwarding the translated packet. With the disclosed method and device, diverse user demands can be satisfied, and the mapping table and filter table are simple in structure, occupy little memory and are efficient to query. Because the address mapping relation is recorded in the mapping table, the utilization of public network IP resources is improved, and the number of address pool accesses during NAT translation is greatly reduced, so NAT efficiency is improved.
Description
Technical field
The present invention relates to the field of network communication, and in particular to techniques for realizing NAT (Network Address Translation).
Background technology
NAT was proposed in 1994 to solve the problem of IPv4 address exhaustion. The basic principle of NAT is that a private-network host is assigned a legal public network address only when it needs to access the public network, while private addresses are used for internal interconnection.
A private IP address is the IP address of an internal network or host; a public IP address is a globally unique IP address on the Internet. NAT is the process of converting the IP address in an IP datagram header into another IP address.
The typical application scenarios of NAT are one-to-many NAT and many-to-many NAT. In these scenarios, multiple host ports of the internal network (Pri_ip:port) access the public network at the same time, and the NAT gateway uses one or more public address/port pairs (an address pool) (Pub_ip:port) to translate their addresses and records the mapping relation. Afterwards, when a packet is sent from the public network to the private network, the NAT gateway looks up the address translation record, replaces the destination address of the packet with the original private address, and sends it back to the host that originated the request.
In order to use public IP resources effectively and ensure network interoperability, RFC5128 proposes three address mapping and filtering models: the external-address-independent model (Endpoint-Independent), the external-address-dependent model (Address-Dependent), and the external-address-and-port-dependent model (Address and Port-Dependent).
The traditional method is to realize the mapping/filtering models indirectly with NAT logs or with ATT, but both have shortcomings. With the NAT log method, system overhead grows as the number of NAT log records increases. ATT cannot be configured flexibly, cannot support several mapping/filtering models at the same time, and cannot meet diverse user demands.
Summary of the invention
The present invention provides a method and device for realizing NAT, which solves the technical problem of address translation mapping and access control between a private network and a public network.
To solve the above technical problem, the invention provides a method for realizing NAT, including the following process:
Creating a mapping table and a filter table, and, according to the address mapping/filtering model, setting a first key value for querying the mapping table and a second key value for querying the filter table; the mapping table records the address translation relation of packets from the private network to the public network, and the filter table records the address traceback information from the public network to the private network;
When a packet is sent from the private network to the public network, extracting the first key value from the packet, obtaining a public network address by the first key value, updating the corresponding mapping entry in the mapping table, and updating the corresponding filter entry in the filter table with the address traceback information; performing address NAT translation with the obtained public network address and then sending the packet to the public network;
When a packet is sent from the public network to the private network, extracting the second key value from the packet and querying the filter table by the second key value; if a corresponding filter entry is found, performing address NAT translation with the address traceback information in the filter entry and then sending the packet to the private network; otherwise, forwarding the packet according to the ACL rule group.
Preferably, obtaining a public network address by the first key value and updating the corresponding mapping entry in the mapping table specifically includes: querying the mapping table by the first key value; if a corresponding mapping entry is found, reading the translation information from private address to public address in that mapping entry and adding one to the count value of the mapping entry; otherwise, extracting a public network address from the public address pool, creating a corresponding mapping entry, writing the translation information from private address to public address into that mapping entry, adding one to its count value, and creating a filter entry into which the address traceback information of the packet is written.
Further, the method also includes: creating a session table, which records the address NAT translation information of packets between the private network and the public network; after the NAT translation with the obtained public network address, and after the address NAT translation with the address traceback information in the filter entry, the method also includes: writing the address NAT translation information into the session table as a session entry.
Further, after the session table is created, the method also includes: aging processing of the session table, and triggering the aging processing of the mapping table and the filter table respectively according to the address NAT translation information in the session entries that need to be aged.
Preferably, triggering the aging processing of the mapping table and the filter table according to the address NAT translation information in the session entries to be aged specifically includes the following process: querying the mapping table according to the address NAT translation information in the session entry to be aged and the configured mapping/filtering model; if the corresponding mapping entry is found, subtracting one from the count in that mapping entry; when the count drops to zero, deleting that mapping entry and the filter entry associated with it, and reclaiming the NAT address resource.
Preferably, setting the first key value for querying the mapping table and the second key value for querying the filter table according to the address mapping/filtering model is specifically as follows:
When the address mapping/filtering model is the address-independent model, the first key value is the packet source IP and source port, and the second key value is the IP and port after address NAT translation;
When the address mapping/filtering model is the address-dependent model, the first key value is the packet source IP, source port and destination IP, and the second key value is the IP after address NAT translation, the port after address NAT translation, and the destination IP;
When the address mapping/filtering model is the address-and-port-dependent model, the first key value is the packet source IP, source port, destination IP and destination port, and the second key value is the IP after address NAT translation, the port after address NAT translation, the destination IP and the destination port.
Present invention also offers a kind of device realizing NAT, including:
A first configuration unit, used to create a mapping table and a filter table and, according to the address mapping/filtering model, to set a first key value for querying the mapping table and a second key value for querying the filter table; the mapping table records the address translation relation of packets from the private network to the public network, and the filter table records the address traceback information from the public network to the private network;
A first packet sending processing unit, used, when a packet is sent from the private network to the public network, to extract the first key value from the packet, obtain a public network address by the first key value, update the corresponding mapping entry in the mapping table, and update the corresponding filter entry in the filter table with the address traceback information; and to send the packet to the public network after address NAT translation with the obtained public network address;
A second packet sending processing unit, used, when a packet is sent from the public network to the private network, to extract the second key value from the packet and query the filter table by the second key value; if a corresponding filter entry is found, to send the packet to the private network after address NAT translation with the address traceback information in the filter entry; otherwise, to forward the packet according to the ACL rule group.
Preferably, the first packet sending processing unit includes a mapping table query processing module, used to query the mapping table by the first key value; if a corresponding mapping entry is found, to read the translation information from private address to public address in that mapping entry and add one to its count value; otherwise, to extract a public network address from the public address pool, create a corresponding mapping entry, write the translation information from private address to public address into that mapping entry, add one to its count value, and create a filter entry into which the address traceback information of the packet is written.
Further, the device also includes a second configuration unit and a session table write processing unit;
The second configuration unit is used to create a session table, which records the address NAT translation information of packets between the private network and the public network;
The session table write processing unit is used, after the NAT translation with the obtained public network address and after the address NAT translation with the address traceback information in the filter entry, to write the address NAT translation information into the session table as a session entry.
Further, the device also includes a session table aging processing module, used for the aging processing of the session table, and for triggering the aging processing of the mapping table and the filter table respectively according to the address NAT translation information in the session entries that need to be aged.
Preferably, the session table aging processing module includes an associated aging processing sub-module, used to query the mapping table according to the address NAT translation information in the session entry to be aged and the configured mapping/filtering model; if the corresponding mapping entry is found, to subtract one from the count in that mapping entry; when the count drops to zero, to delete that mapping entry and the filter entry associated with it, and to reclaim the NAT address resource.
Preferably, the first configuration unit includes a key value setting module, used so that when the address mapping/filtering model is the address-independent model, the first key value is the packet source IP and source port, and the second key value is the IP and port after address NAT translation;
When the address mapping/filtering model is the address-dependent model, the first key value is the packet source IP, source port and destination IP, and the second key value is the IP after address NAT translation, the port after address NAT translation, and the destination IP;
When the address mapping/filtering model is the address-and-port-dependent model, the first key value is the packet source IP, source port, destination IP and destination port, and the second key value is the IP after address NAT translation, the port after address NAT translation, the destination IP and the destination port.
Beneficial effects of the present invention:
In the present invention, because the address mapping/filtering model can be configured flexibly and mapping entries and filter entries are generated dynamically during packet NAT, the varied needs of users are met. The mapping table and filter table are simple in structure, occupy little memory, are indexed by a hash method, and have high lookup efficiency.
The present invention uses the mapping table to record the address mapping relation, which not only improves the utilization of public IP resources but also greatly reduces the number of address pool accesses during packet NAT, improving NAT efficiency.
In the present invention, the filter table has higher priority than the ACL rules, and a packet that hits a filter entry is forwarded directly according to that entry. The filter table not only records the NAT address traceback relation but also provides private-network access control and ensures P2P network interoperability.
In the present invention, the mapping table and filter table age together with the session table. Timely aging of the mapping table ensures that NAT resources are reclaimed immediately when a session ends, which further improves address pool utilization. Moreover, timely aging of the filter table closes the public network's access to the private host that initiated the session, fully ensuring the security of the private host.
Accompanying drawing explanation
Fig. 1 is a schematic diagram of the prior-art external-address-independent mapping/filtering model;
Fig. 2 is a schematic diagram of the prior-art external-address-dependent mapping/filtering model;
Fig. 3 is a schematic diagram of the prior-art external-address-and-port-dependent mapping/filtering model;
Fig. 4 is a schematic diagram of the mapping table data structure and retrieval of the present invention;
Fig. 5 is the mapping table retrieval flow chart of the present invention;
Fig. 6 is the flow chart of the method for realizing NAT of the present invention;
Fig. 7 is the processing flow chart of the present invention for a packet sent from the private network to the external network;
Fig. 8 is the processing flow chart of the present invention for a packet sent from the external network to the private network;
Fig. 9 is the flow chart of the mapping table and filter table aging processing of the present invention.
Detailed description of the invention
The key technical points of the present invention are first introduced with reference to embodiments: the mapping/filtering model, the mapping table, the filter table and the session table.
1. Mapping and filtering model
In the present invention, the mapping model and the filtering model are bound together: if the configured mapping/filtering model is the address-independent model, then the mapping model is the address-independent model and the filtering model is also the address-independent model; the two are kept consistent.
The present invention supports the three existing filtering models proposed by RFC5128, and in addition supports user-defined mapping/filtering models or filtering models proposed by newer standards, so diverse user demands can be fully met.
Figs. 1-3 are schematic diagrams of the three address mapping/filtering models proposed by RFC5128: the external-address-independent model, the external-address-dependent model, and the external-address-and-port-dependent model.
2. Mapping table
The mapping table is the Ref table. The mapping table of the present invention records the address translation relation during NAT, i.e. the packet address translation relation from the private network to the public network. The mapping table may be, but is not limited to, the following form:
Mapping table = {src_ip, src_port, dip, dport, translate_ip, translate_port, next_ref_index, ref_cn, other}
Here src_ip, src_port, dip and dport identify the packet source IP, source port, destination IP and destination port respectively; translate_ip and translate_port identify the IP and port of the packet after NAT; next_ref_index is the index of the next mapping entry. ref_cn is the mapping entry count, indicating how many session entries' NAT information refers to this mapping entry: ref_cn is set to 1 when the mapping entry is created, and each time another session references the public address of this mapping entry, ref_cn increases by 1. other represents additional information that needs to be stored and can be customised as required.
In the address-independent model, the key value for creating and querying the mapping table is set to {src_ip, src_port}.
In the address-dependent model, the key value for creating and querying the mapping table is set to {src_ip, src_port, dip}.
In the address-and-port-dependent model, the key value for creating and querying the mapping table is set to {src_ip, src_port, dip, dport}.
Taking the address-dependent model as an example, sending the packets in Table 1 in turn yields the mapping entry:
Mapping entry Ref_A = {src_ip=192.168.1.6, src_port=16, dip=128.0.0.5, dport=0, translate_ip=129.0.0.6, translate_port=50, ref_cn=3}
Since the model is address-dependent, the key value for creating and querying mapping entry Ref_A should be {src_ip=192.168.1.6, src_port=16, dip=128.0.0.5}.
When packet 1 is sent, a public address is allocated for packet 1 and mapping entry Ref_A is created; at this point ref_cn=1.
When packets 2 and 3 are sent, since the user has configured the endpoint-independent model, the mapping table query hits mapping entry A; the address translation information in entry A is then used to replace the source IP address and port of packets 2 and 3, completing the NAT translation; at this point ref_cn=3.
Subsequent packets that do not hit Ref_A re-enter the address pool to select an available public address and establish a new mapping entry.
Table 1
The mapping table data structure and retrieval are shown schematically in Fig. 4, and the mapping table lookup flow is shown in Fig. 5.
The mapping table can use a two-level HASH+CAM lookup structure to improve lookup efficiency. The HASH table can hold CHS = 2^N_REF entries, that is, one content-addressable memory per HASH entry; each content-addressable memory holds one entry, and each CAM entry corresponds to one mapping table chain.
The value stored in a CAM entry is obtained from a preset stack ref_stack: one element is taken from the top of the stack each time and used to index the mapping table. If the maximum number of mapping table entries is CREF, the stack size is CREF and the stack elements are {0, 1, 2, 3, 4, ... CREF-1}.
When a hash conflict occurs while creating a mapping entry, the next_ref_index element of the mapping entry also needs to be obtained from the stack, so that it can index the next mapping entry.
3. Filter table
The filter table is the Fil table. The filter table of the present invention records the address traceback information from the public network to the private network and the accessibility of private hosts. The filter table may be, but is not limited to, the following form:
Filter table = {translate_ip, translate_port, dip, dport, src_ip, src_port, next_ref_index, other}
Here translate_ip and translate_port identify the IP and port of the packet after NAT; src_ip, src_port, dip and dport identify the packet source IP, source port, destination IP and destination port respectively; next_ref_index is the index of the next filter entry; other represents additional information that needs to be stored and can be customised as required.
In the address-independent model, the key value for creating and querying the filter table is set to {translate_ip, translate_port}.
In the address-dependent model, the key value for creating and querying the filter table is set to {translate_ip, translate_port, dip}.
In the address-and-port-dependent model, the key value for creating and querying the filter table is set to {translate_ip, translate_port, dip, dport}.
As shown in Table 2, the filter table uses the same structure and lookup method as the mapping table; the only difference is the keyword selected during hash retrieval.
Assume the mapping/filtering model is the address-dependent model and there are the following mapping entry and packet:
Mapping entry Ref_A = {src_ip=192.168.1.6, src_port=16, dip=128.0.0.5, dport=0, translate_ip=129.0.0.6, translate_port=50, ref_cn=3}
Table 2
Then the corresponding filter entry Fil_A is:
Filter entry Fil_A = {translate_ip=129.0.0.6, translate_port=50, dip=128.0.0.5, dport=0, src_ip=192.168.1.6, src_port=16, next_ref_index, other}
In the address-dependent model, the key value for creating and querying the filter table is {translate_ip, translate_port, dip}, so for filter entry Fil_A the key value should be {translate_ip=129.0.0.6, translate_port=50, dip=128.0.0.5}.
Because the model is address-dependent, a packet sent from any port of public host 128.0.0.5 to (129.0.0.6:50) hits Fil_A; src_ip=192.168.1.6 and src_port=16 are then extracted from the filter entry for NAT translation, completing the address traceback.
Packets sent by other public hosts cannot hit Fil_A and are forwarded according to the ACL rule group; in this way address translation is completed and the security of the private host is protected at the same time.
Assume instead that the mapping/filtering model is the address-independent model (set dip=0 and dport=0 in the above filter entry); then a packet sent from any public host to (129.0.0.6:50) is forwarded to the private network by filter entry Fil_A, which ensures the interoperability of P2P networks.
4. Session table
The session table is the FT table; a session entry is uniquely determined by the packet five-tuple.
Session table = {src_ip, src_port, dip, dport, protocol, nat_flag, translate_ip, translate_port, other}
src_ip, src_port, dip and dport identify the packet source IP, source port, destination IP and destination port respectively; nat_flag is the NAT flag, which records the NAT mode and marks whether the source or the destination address is translated; translate_ip and translate_port represent the IP and port to which the packet's destination or source address should be translated; other represents additional information that needs to be stored, which may include session status, aging information, security policy information, statistics, routing information and so on, and can be customised as required.
When a packet needs NAT, one connection corresponds to two FT entries, mainly because the NAT address translation changes the packet five-tuple in both directions. For example, (Aip:Aport) sends a packet to (Cip:Cport) with protocol type PRO_a, and after NAT (Aip:Aport) is translated to (Bip:Bport). The five-tuple of the outgoing packet is then {Aip, Aport, Cip, Cport, PRO_a}, while the five-tuple of the returning packet becomes {Cip, Cport, Bip, Bport, PRO_a}. The forward and reverse five-tuples belong to one connection but correspond to two FT entries.
After the first packet of a session is received, regardless of the mapping/filtering model, forward and reverse session entries are generated automatically after NAT and the NAT information of the session is saved in them; when subsequent packets of the session are received, the NAT information is read directly from the session entry. This greatly improves the processing efficiency of the subsequent packets of a session.
Below in conjunction with accompanying drawing, and described in detail the implementation of the present invention by specific embodiment.
During the realization of the present invention, mapping filtered model can be configured by user, it is also possible to directly give tacit consent to
Filtered model is mapped for one.Map filtered model and include but not limited to following pattern: external address is unrelated
Pattern, external address associative mode, external address and port associative mode.Above-mentioned Three models is
The filtered model that RFC5128 proposes, it is also possible to the filtered model proposed for the newest standard, or use
The self-defining mapping in family filtered model.
The present invention realizes the method flow of NAT as shown in Figure 6, it is necessary first to create mapping table and filtration
Table, wherein mapping table is used for recorded message address transformational relation from private network to public network, and filter table is used for remembering
Record address traceback information from public network to private network.
Then map filtered model according to address and be provided for inquiring about the first key assignments of mapping table, and arrange
The second key assignments for query filter table.
The process of message of the present invention includes both direction: mails to public network from private network and mails to private network from public network.
Carry out address NAT conversion respectively according to direction before sending message.
Finally the message after NAT changes is forwarded.
During as it is shown in fig. 7, message is mail to public network by private network, arrange not according to the mapping filtered model of configuration
The first same key assignments also inquires about mapping table, if not inquiring the mapping item of correspondence, then enters address pool and obtains
Take a public network address, and dynamic creation mapping item, by the public network address obtained and message source, purpose
The information write mapping items such as address, and mapping item counting is put 1, then according to mapping filtered model,
Corresponding second key assignments is set and creates filtering meter item, address traceback information is write filtering meter item;If inquiry
To corresponding mapping item, then directly read the address translation information in mapping item, and by mapping item
Counting adds 1.The public network address finally using acquisition is replaced the private net address of message and is completed NAT conversion, and
Information of address conversion is write corresponding conversational list.
As shown in Figure 8, when a packet is sent from the public network to the private network, the second key value is set according to the configured mapping and filtering mode and the filter table is queried. If a corresponding filter entry is found, the NAT address traceback information in the entry is read, the destination address is replaced back with the private network address, the lookup of the ACL rule group is skipped, the packet is forwarded directly and the address translation information is written into the session table. If no filter entry is found, the packet is processed according to the query result of the ACL rule group.
As shown in Figure 9, in one embodiment the aging of the mapping table and the filter table is triggered by the aging of the session table. A concrete implementation is: when the session table ages, the mapping table is queried using the address NAT translation information in the aged session entry together with the configured mapping and filtering mode. If the corresponding mapping entry is found, its count is decremented by 1; when the count reaches 0, the mapping entry is deleted together with its associated filter entry, and the NAT address resource is reclaimed.
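To make the two-direction packet flow and the session-driven aging above concrete, the following Python model is an added example and not code from the patent. It implements the mapping table, filter table and session table with the three key-value compositions that claim 6 below names (address-independent, address-dependent, address-and-port-dependent). The contents of the public address pool, the choice of handing out one free public ip:port pair per mapping entry, the private-side 4-tuple used as session table key, the reference-count rule for sessions created by inbound packets, and the callable that stands in for the ACL rule group are my assumptions, not details the patent specifies.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple

Addr = Tuple[str, int]  # (ip, port)


class Mode(Enum):
    """Address mapping and filtering mode (claim 6)."""
    ADDR_INDEPENDENT = 1     # keys: the translated endpoint only
    ADDR_DEPENDENT = 2       # keys: endpoint + remote IP
    ADDR_PORT_DEPENDENT = 3  # keys: endpoint + remote IP + remote port


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class MapEntry:
    private: Addr  # private ip:port before translation
    public: Addr   # public ip:port after translation
    count: int     # live sessions using this entry


class Nat:
    def __init__(self, mode: Mode, pool: List[Addr]):
        self.mode = mode
        self.pool = list(pool)                    # free public ip:port pairs (constructed sample pool)
        self.mapping: Dict[tuple, MapEntry] = {}  # first key  -> private-to-public translation
        self.filter: Dict[tuple, tuple] = {}      # second key -> first key (traceback to private side)
        # session table keyed by the private-side 4-tuple (assumption); the value is the
        # translated header recorded for that flow
        self.sessions: Dict[Tuple[str, int, str, int], Packet] = {}

    def _key(self, local: Addr, remote: Addr) -> tuple:
        # One builder for both keys: the first key uses the private source as `local`,
        # the second key uses the translated public address as `local`.
        if self.mode is Mode.ADDR_INDEPENDENT:
            return local
        if self.mode is Mode.ADDR_DEPENDENT:
            return local + (remote[0],)
        return local + remote

    def outbound(self, pkt: Packet) -> Packet:
        """Private -> public (Figure 7): query/create the mapping entry, translate the source."""
        skey = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if skey in self.sessions:                 # established flow: tables untouched
            return self.sessions[skey]
        remote = (pkt.dst_ip, pkt.dst_port)
        k1 = self._key((pkt.src_ip, pkt.src_port), remote)
        entry = self.mapping.get(k1)
        if entry is None:
            if not self.pool:
                raise RuntimeError("NAT address pool exhausted")
            public = self.pool.pop(0)             # obtain a public address from the pool
            entry = MapEntry((pkt.src_ip, pkt.src_port), public, count=1)
            self.mapping[k1] = entry
            # filter entry under the second key: public address -> traceback to k1
            self.filter[self._key(public, remote)] = k1
        else:
            entry.count += 1
        out = Packet(entry.public[0], entry.public[1], pkt.dst_ip, pkt.dst_port)
        self.sessions[skey] = out                 # write translation info to the session table
        return out

    def inbound(self, pkt: Packet, acl_permits: Callable[[Packet], bool]) -> Optional[Packet]:
        """Public -> private (Figure 8): a filter hit restores the private address and skips the ACL."""
        remote = (pkt.src_ip, pkt.src_port)
        k1 = self.filter.get(self._key((pkt.dst_ip, pkt.dst_port), remote))
        if k1 is None:
            # no traceback information: the ACL rule group decides (a callable stands in
            # for it here); a permitted packet is forwarded untranslated, None means drop
            return pkt if acl_permits(pkt) else None
        entry = self.mapping[k1]
        skey = entry.private + remote
        if skey not in self.sessions:
            entry.count += 1                      # assumption: inbound-created sessions are counted too
        out = Packet(pkt.src_ip, pkt.src_port, entry.private[0], entry.private[1])
        self.sessions[skey] = out
        return out

    def age_session(self, skey: Tuple[str, int, str, int]) -> None:
        """Session aging (Figure 9) drives mapping table and filter table aging."""
        del self.sessions[skey]
        local, remote = (skey[0], skey[1]), (skey[2], skey[3])
        entry = self.mapping.get(self._key(local, remote))
        if entry is None:
            return
        entry.count -= 1
        if entry.count == 0:                      # last session gone: release everything
            del self.mapping[self._key(local, remote)]
            del self.filter[self._key(entry.public, remote)]
            self.pool.append(entry.public)        # reclaim the NAT address resource
```

The mode choice is what gives the filter table its access-restricting effect: in the address-independent mode any public host that sends to the mapped public ip:port gets a filter hit and reaches the private host with the ACL lookup skipped, whereas in the address-and-port-dependent mode only the peer recorded at mapping creation matches, and every other inbound packet falls through to the ACL rule group. The reference count ties the lifetime of a mapping and its filter entry to the sessions that use them, so an entry is never freed while a flow still depends on it and the public address returns to the pool as soon as the last session ages out.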
In summary, the invention provides a method and device for realizing NAT with a mapping and filtering mode, which improves NAT processing efficiency and meets users' diverse configuration needs. At the same time, the filter table implements address traceback and restricts access to private network hosts, ensuring network interoperability under NAT.
The above is a further detailed description of the present invention with reference to specific embodiments; it should not be construed that the specific implementation of the present invention is limited to these descriptions. Those of ordinary skill in the technical field of the invention may make simple deductions or substitutions without departing from the inventive concept, and these should all be considered within the protection scope of the present invention.
Claims (12)
1. A method for realizing NAT, characterized in that it includes the following processing:
creating a mapping table and a filter table, and, according to the address mapping and filtering mode, setting a first key value for querying the mapping table and a second key value for querying the filter table; the mapping table is used to record the address translation relationship of packets from the private network to the public network, and the filter table is used to record the address traceback information from the public network to the private network;
when a packet is sent from the private network to the public network, extracting the first key value from the packet, obtaining a public network address by the first key value, updating the corresponding mapping entry in the mapping table, and updating the corresponding filter entry in the filter table with the address traceback information; performing address NAT translation with the obtained public network address and then sending the packet to the public network;
when a packet is sent from the public network to the private network, extracting the second key value from the packet and querying the filter table by the second key value; if a corresponding filter entry is found, performing address NAT translation using the address traceback information in the filter entry and then sending the packet to the private network; otherwise, forwarding the packet according to the ACL rule group.
2. The method for realizing NAT according to claim 1, characterized in that obtaining a public network address by the first key value and updating the corresponding mapping entry in the mapping table specifically includes: querying the mapping table by the first key value; if a corresponding mapping entry is found, reading the translation information from private network address to public network address in the mapping entry and incrementing the count value of the mapping entry by one; otherwise, extracting a public network address from the public network address pool, creating a corresponding mapping entry, writing the translation information from private network address to public network address into the mapping entry, incrementing the count value of the mapping entry by one, creating a filter entry, and writing the address traceback information of the packet into the filter entry.
3. The method for realizing NAT according to claim 2, characterized in that it further includes: creating a session table, the session table being used to record the address NAT translation information of packets between the private network and the public network; and, after performing NAT translation with the obtained public network address and after performing address NAT translation with the address traceback information in the filter entry, further writing the address NAT translation information into the session table as a session entry.
4. The method for realizing NAT according to claim 3, characterized in that, after creating the session table, it further includes: aging the session table, and triggering the aging of the mapping table and the filter table respectively by the address NAT translation information in the aged session entry.
5. The method for realizing NAT according to claim 4, characterized in that triggering the aging of the mapping table and the filter table respectively by the address NAT translation information in the aged session entry specifically includes the following processing: querying the mapping table according to the address NAT translation information in the aged session entry and the configured mapping and filtering mode; if a corresponding mapping entry is found, decrementing the count in the mapping entry by one; when the count reaches zero, deleting the mapping entry and the filter entry associated with it, and reclaiming the NAT address resource.
6. The method for realizing NAT according to any one of claims 1-5, characterized in that setting, according to the address mapping and filtering mode, a first key value for querying the mapping table and a second key value for querying the filter table is specifically as follows:
when the address mapping and filtering mode is the address-independent mode, the first key value is the packet's source IP and source port, and the second key value is the IP and port after address NAT translation;
when the address mapping and filtering mode is the address-dependent mode, the first key value is the packet's source IP, source port and destination IP, and the second key value is the IP after address NAT translation, the port after address NAT translation and the destination IP;
when the address mapping and filtering mode is the address-and-port-dependent mode, the first key value is the packet's source IP, source port, destination IP and destination port, and the second key value is the IP after address NAT translation, the port after address NAT translation, the destination IP and the destination port.
7. A device for realizing NAT, characterized in that it includes:
a first configuration unit, used to create a mapping table and a filter table and, according to the address mapping and filtering mode, to set a first key value for querying the mapping table and a second key value for querying the filter table; the mapping table is used to record the address translation relationship of packets from the private network to the public network, and the filter table is used to record the address traceback information from the public network to the private network;
a first packet sending processing unit, used, when a packet is sent from the private network to the public network, to extract the first key value from the packet, obtain a public network address by the first key value, update the corresponding mapping entry in the mapping table, and update the corresponding filter entry in the filter table with the address traceback information; and to perform address NAT translation with the obtained public network address and then send the packet to the public network;
a second packet sending processing unit, used, when a packet is sent from the public network to the private network, to extract the second key value from the packet and query the filter table by the second key value; if a corresponding filter entry is found, to perform address NAT translation using the address traceback information in the filter entry and then send the packet to the private network; otherwise, to forward the packet according to the ACL rule group.
8. The device for realizing NAT according to claim 7, characterized in that the first packet sending processing unit includes a mapping table query processing module, used to query the mapping table by the first key value; if a corresponding mapping entry is found, to read the translation information from private network address to public network address in the mapping entry and increment the count value of the mapping entry by one; otherwise, to extract a public network address from the public network address pool, create a corresponding mapping entry, write the translation information from private network address to public network address into the mapping entry, increment the count value of the mapping entry by one, create a filter entry, and write the address traceback information of the packet into the filter entry.
9. The device for realizing NAT according to claim 8, characterized in that it further includes a second configuration unit and a session table writing processing unit;
the second configuration unit is used to create a session table, the session table being used to record the address NAT translation information of packets between the private network and the public network;
the session table writing processing unit is used, after NAT translation is performed with the obtained public network address and after address NAT translation is performed with the address traceback information in the filter entry, to write the address NAT translation information into the session table as a session entry.
10. The device for realizing NAT according to claim 9, characterized in that it further includes a session table aging processing module, used to age the session table and to trigger the aging of the mapping table and the filter table respectively by the address NAT translation information in the aged session entry.
11. The device for realizing NAT according to claim 10, characterized in that the session table aging processing module includes an associated aging processing submodule, used to query the mapping table according to the address NAT translation information in the aged session entry and the configured mapping and filtering mode; if a corresponding mapping entry is found, to decrement the count in the mapping entry by one; when the count reaches zero, to delete the mapping entry and the filter entry associated with it, and to reclaim the NAT address resource.
12. The device for realizing NAT according to any one of claims 7-11, characterized in that the first configuration unit includes a key value setting module, used to set the key values as follows:
when the address mapping and filtering mode is the address-independent mode, the first key value is the packet's source IP and source port, and the second key value is the IP and port after address NAT translation;
when the address mapping and filtering mode is the address-dependent mode, the first key value is the packet's source IP, source port and destination IP, and the second key value is the IP after address NAT translation, the port after address NAT translation and the destination IP;
when the address mapping and filtering mode is the address-and-port-dependent mode, the first key value is the packet's source IP, source port, destination IP and destination port, and the second key value is the IP after address NAT translation, the port after address NAT translation, the destination IP and the destination port.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510363226.2A CN106331196A (en) | 2015-06-26 | 2015-06-26 | Method and device for realizing NAT |
PCT/CN2016/083025 WO2016206511A1 (en) | 2015-06-26 | 2016-05-23 | Method and device for implementing nat |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510363226.2A CN106331196A (en) | 2015-06-26 | 2015-06-26 | Method and device for realizing NAT |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106331196A true CN106331196A (en) | 2017-01-11 |
Family
ID=57584670
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510363226.2A Withdrawn CN106331196A (en) | 2015-06-26 | 2015-06-26 | Method and device for realizing NAT |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN106331196A (en) |
WO (1) | WO2016206511A1 (en) |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107547396A (en) * | 2017-05-18 | 2018-01-05 | 新华三信息安全技术有限公司 | A kind of message forwarding method and device |
CN112104565A (en) * | 2020-09-15 | 2020-12-18 | 东软集团股份有限公司 | Method, system and equipment for realizing message forwarding |
CN113746954A (en) * | 2021-09-22 | 2021-12-03 | 烽火通信科技股份有限公司 | Method and device for rapidly recovering NAT address block secondary allocation |
WO2022116848A1 (en) * | 2020-12-01 | 2022-06-09 | 武汉绿色网络信息服务有限责任公司 | Packet transmission method and apparatus, computer device, and storage medium |
CN114615230A (en) * | 2022-03-14 | 2022-06-10 | 芯河半导体科技(无锡)有限公司 | Traceable NAPT dynamic address mapping method |
CN115065599A (en) * | 2022-04-09 | 2022-09-16 | 北京金睛云华科技有限公司 | NAT rule optimization configuration method in full-flow storage backtracking analysis system |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111866110B (en) * | 2020-07-13 | 2023-12-19 | 浙江捷创方舟数字技术有限公司 | Industrial equipment communication method and 5G gateway |
CN112202935B (en) * | 2020-08-28 | 2023-01-13 | 中盈优创资讯科技有限公司 | NAT address pool management method and device |
CN112965824B (en) * | 2021-03-31 | 2024-04-09 | 北京金山云网络技术有限公司 | Message forwarding method and device, storage medium and electronic equipment |
CN113709242A (en) * | 2021-08-26 | 2021-11-26 | 华为技术有限公司 | Message forwarding method and communication device |
CN113904798B (en) * | 2021-08-27 | 2024-03-22 | 长沙星融元数据技术有限公司 | Multi-group filtering method, system, equipment and storage medium for IP message |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1897560A (en) * | 2005-07-12 | 2007-01-17 | 中兴通讯股份有限公司 | Method for improving routing list capacity |
CN101068212A (en) * | 2007-06-11 | 2007-11-07 | 中兴通讯股份有限公司 | Network address switching retransmitting device and method |
CN101132424A (en) * | 2007-09-29 | 2008-02-27 | 杭州华三通信技术有限公司 | Network address conversion method and device thereof |
CN101605105A (en) * | 2009-07-14 | 2009-12-16 | 中兴通讯股份有限公司 | A kind of method and apparatus that fragment message is carried out network address translation |
US20140310397A1 (en) * | 2013-04-10 | 2014-10-16 | D-Link Corporation | Network system capable of implementing stun with the assistance of two network devices and method thereof |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7193996B2 (en) * | 2002-02-28 | 2007-03-20 | Acme Packet, Inc. | System and method for determining a source of an internet protocol packet |
CN103188154B (en) * | 2013-04-19 | 2016-03-02 | 杭州华三通信技术有限公司 | A kind of method of network address translation and board |
CN104168338A (en) * | 2013-05-16 | 2014-11-26 | 杭州迪普科技有限公司 | Network address conversion device and network address conversion method |
CN103825976B (en) * | 2014-03-04 | 2017-05-10 | 新华三技术有限公司 | NAT (network address translation) processing method and device in distributed system architecture |
- 2015-06-26 CN CN201510363226.2A patent/CN106331196A/en not_active Withdrawn
- 2016-05-23 WO PCT/CN2016/083025 patent/WO2016206511A1/en active Application Filing
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107547396A (en) * | 2017-05-18 | 2018-01-05 | 新华三信息安全技术有限公司 | A kind of message forwarding method and device |
CN107547396B (en) * | 2017-05-18 | 2021-03-19 | 新华三信息安全技术有限公司 | Message forwarding method and device |
CN112104565A (en) * | 2020-09-15 | 2020-12-18 | 东软集团股份有限公司 | Method, system and equipment for realizing message forwarding |
CN112104565B (en) * | 2020-09-15 | 2024-03-29 | 东软集团股份有限公司 | Method, system and equipment for realizing message forwarding |
WO2022116848A1 (en) * | 2020-12-01 | 2022-06-09 | 武汉绿色网络信息服务有限责任公司 | Packet transmission method and apparatus, computer device, and storage medium |
CN113746954A (en) * | 2021-09-22 | 2021-12-03 | 烽火通信科技股份有限公司 | Method and device for rapidly recovering NAT address block secondary allocation |
CN113746954B (en) * | 2021-09-22 | 2023-06-13 | 烽火通信科技股份有限公司 | Method and device for quickly recovering NAT address block through secondary allocation |
CN114615230A (en) * | 2022-03-14 | 2022-06-10 | 芯河半导体科技(无锡)有限公司 | Traceable NAPT dynamic address mapping method |
CN114615230B (en) * | 2022-03-14 | 2024-01-19 | 芯河半导体科技(无锡)有限公司 | NAPT dynamic address mapping method capable of backtracking |
CN115065599A (en) * | 2022-04-09 | 2022-09-16 | 北京金睛云华科技有限公司 | NAT rule optimization configuration method in full-flow storage backtracking analysis system |
CN115065599B (en) * | 2022-04-09 | 2023-07-18 | 北京金睛云华科技有限公司 | NAT rule optimizing configuration method in full-flow storage backtracking analysis system |
Also Published As
Publication number | Publication date |
---|---|
WO2016206511A1 (en) | 2016-12-29 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106331196A (en) | Method and device for realizing NAT | |
US10084680B2 (en) | System and method for subscriber aware network monitoring | |
CN103428093B (en) | Route prefix storing, matching and updating method and device based on names | |
CN101552803B (en) | Method for maintaining network address translation address mapping table, media gateway and controller thereof | |
TWI520530B (en) | Packet switch device and method of the same | |
JP4705656B2 (en) | Address translation device, address translation program | |
CN1874313A (en) | Method of processing packet and metwork device | |
CN101237378A (en) | Mapping method and device of virtual LAN | |
US8923291B2 (en) | Communication apparatus and communication method | |
CN103200281A (en) | Method, device and system for accessing intranet server | |
CN103442096B (en) | NAT method based on mobile Internet and system | |
CN103957282B (en) | Terminal user's domain name mapping acceleration system and its method in a kind of domain | |
CN108848204A (en) | A kind of NAT business immediate processing method and device | |
CN101132424A (en) | Network address conversion method and device thereof | |
CN109905496A (en) | A kind of DNS intelligent dispatching method based on subscriber policy | |
CN108540387A (en) | Method for network access control and device | |
US9485179B2 (en) | Apparatus and method for scalable and flexible table search in a network switch | |
US20050063393A1 (en) | Method of network address port translation and gateway using the same | |
CN106453091B (en) | The equivalent route management method and device of router Forwarding plane | |
US20050265340A1 (en) | Network address-port translation apparatus and method | |
CN105991391A (en) | Method and device for uploading protocol message to CPU | |
CN108259504A (en) | It is a kind of based on group realize accesses control list a method and device | |
CN104427013B (en) | Working level address-translating device and its processing method to station address mapping relations | |
CN102984075A (en) | Programmable router based on NetFPGA | |
CN1561038A (en) | Method of collecting insertion of multiple IP voice insertion equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | Application publication date: 20170111 |
| SE01 | Entry into force of request for substantive examination | |
| WW01 | Invention patent application withdrawn after publication | |