CN106572197B - Network address translation method, device and system - Google Patents

Publication number
CN106572197B
Authority
CN
China
Prior art keywords
address
external network
request message
service request
service
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201510654182.9A
Other languages
Chinese (zh)
Other versions
CN106572197A (en
Inventor
金帅
吴佳明
陈家军
薛蹦蹦
陈子昂
杨玉玺
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd
Application filed by Alibaba Group Holding Ltd
Priority to CN201510654182.9A
Publication of CN106572197A
Application granted
Publication of CN106572197B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1001 Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers

Abstract

The application discloses a network address translation method, a device and a system, wherein a virtual server acquires an external network source address in a service request message sent by user equipment, and the external network source address is the external network address of the user equipment; converting an external network source address and an external network destination address in the service request message into an internal network source address and an internal network destination address, wherein the internal network source address is the internal network address of the virtual server, and the destination address is the internal network address of a cloud host for processing the service request message; carrying the external network source address and the first identification bit in a service request message after address conversion, and sending the service request message to a connection tracker; and enabling the connection tracker to acquire the external network source address carried in the service request message according to the first identification bit carried in the service request message sent by the virtual server, replace the internal network source address in the service request message with the external network source address, and send the service request message to the cloud host for service processing.

Description

Network address translation method, device and system
Technical Field
The present application relates to the technical field of load balancing in a Linux system, and in particular, to a network address translation method, apparatus, and system.
Background
Load balancing is a technique for distributing network requests to available servers in a server cluster based on a load balancing algorithm. Load balancing enables network visitors to obtain the best possible network experience by managing data traffic entering a server cluster. For example, in the cloud computing service, the network service request is distributed to a server with a small load for processing through a load balancing technology, so that the processing efficiency of the network service request is improved, and a network visitor obtains better experience.
Generally, in a cloud computing service, a Load Balancer is often virtualized into a plurality of available Virtual Load Balancers (VLBs), or Load balancing software is installed on a Virtual server (server virtualized Virtual machine) to realize Load balancing in the cloud computing service. For example, based on the load balancing technology of the Linux operating system, a plurality of backend servers can be integrated into one virtual server, and traffic forwarding and load balancing for the plurality of backend servers are realized.
In the course of implementing the invention, the inventors found the following. In a cloud computing environment using a load balancing technology based on the Linux operating system, when a client sends a service access request message to a Virtual Server (LVS), the message must be transmitted over the internal network, so the Virtual Server performs address conversion on the service access request message and then uses load balancing to distribute it to a back-end server (Real Server, a cloud host in a cloud computing environment) with a smaller load for processing. However, the back-end server (cloud host) does not know which front-end user device sent the service access request message.
Therefore, the existing load balancing technology based on the Linux operating system cannot realize user transparent proxy of the cloud host.
Disclosure of Invention
In view of the above, the present application provides a method, an apparatus, and a system for network address translation, which can solve the existing problems.
In order to solve the above technical problem, a first aspect of the present application provides a network address translation method, including:
the method comprises the steps that a virtual server obtains an external network source address in a service request message sent by user equipment, wherein the external network source address is the external network address of the user equipment;
converting an external network source address and an external network destination address in the service request message into an internal network source address and an internal network destination address, wherein the internal network source address is the internal network address of the virtual server, and the destination address is the internal network address of a cloud host for processing the service request message;
carrying the external network source address and the first identification bit in a service request message after address conversion, and sending the service request message to a connection tracker; and enabling the connection tracker to acquire the external network source address carried in the service request message according to the first identification bit carried in the service request message sent by the virtual server, replace the internal network source address in the service request message with the external network source address, and send the service request message to the cloud host for service processing.
Optionally, the carrying the external network source address and the first identification bit in the service request message after the address translation includes:
and the virtual server adds a first extension field in the format of the service request message, and utilizes the first extension field to carry the external network source address and the first identification bit.
Optionally, the carrying the external network source address and the first identification bit in the service request message after the address translation includes:
the virtual server adds a second extension field and a third extension field in the format of the service request message, utilizes the second extension field to carry the external network source address, and utilizes the third extension field to carry the first identification bit; or the second extension field is used for carrying the first identification bit, and the third extension field is used for carrying the external network source address.
Optionally, the method further comprises:
the virtual server receives a service response message sent by the connection tracker, wherein the service response message is sent by the cloud host after service processing is carried out according to the service request message;
and the virtual server acquires the external network destination address carried in the service response message according to a second identification bit carried in the service response message, wherein the external network destination address is the external network address of the user equipment, and sends the service response message to the user equipment pointed by the external network destination address.
In a second aspect, an embodiment of the present invention further provides a network address translation method, including:
the method comprises the steps that a connection tracker receives a service request message which is sent by a virtual server and subjected to address conversion, wherein the service request message is the service request message sent to the virtual server by user equipment;
acquiring an external network source address carried in the service request message according to a first identification bit carried in the service request message, wherein the external network source address is an external network address of user equipment which sends the service request message;
and replacing the internal network source address in the service request message with the external network source address, and sending the service request message to the cloud host for service processing.
Optionally, the method further comprises:
the connection tracker receives a service response message sent by the cloud host, wherein the service response message is sent by the cloud host after service processing is carried out according to the service request message, and a destination address in the service response message is an external network destination address and is an external network address of user equipment carried in the service request message;
replacing an external network destination address in the service response message with an internal network destination address, wherein the internal network destination address is an internal network address of the virtual server, carrying the external network destination address and a second identification bit in the service response message after address conversion, and sending the service response message to the virtual server, so that the virtual server obtains the external network destination address carried in the service response message according to the second identification bit carried in the service response message sent by the connection tracker, and sends the service response message to the user equipment pointed by the external network destination address.
Optionally, the step of carrying the external network destination address and the second identification bit in the service response message after address translation includes:
and the connection tracker adds a first extension field in the format of the service response message, and utilizes the first extension field to carry the destination address of the external network and a second identification bit.
Optionally, the step of carrying the external network destination address and the second identification bit in the service response message after address translation includes:
adding a second extension field and a third extension field in the service response message format by the connection tracker, carrying the external network destination address by using the second extension field, and carrying the second identification bit by using the third extension field; or the second extension field is used for carrying the second identification bit, and the third extension field is used for carrying the external network source address.
In a third aspect, an embodiment of the present invention further provides a network address translation device, located on a virtual server side, including:
an acquisition module, configured to acquire an external network source address in a service request message sent by user equipment, where the external network source address is the external network address of the user equipment;
a conversion module, configured to convert an external network source address and an external network destination address in the service request message into an internal network source address and an internal network destination address, where the internal network source address is an internal network address of the virtual server, and the destination address is an internal network address of a cloud host that processes the service request message;
the packaging module is used for carrying the external network source address and the first identification bit in a service request message after address conversion and sending the service request message to the connection tracker through the sending module; and enabling the connection tracker to acquire the external network source address carried in the service request message according to the first identification bit carried in the service request message sent by the virtual server, replace the internal network source address in the service request message with the external network source address, and send the service request message to the cloud host for service processing.
Optionally, the encapsulation module is specifically configured to:
and adding a first extension field in the format of the service request message, and carrying the external network source address and the first identification bit by using the first extension field.
Optionally, the encapsulation module is specifically configured to:
adding a second extension field and a third extension field in the format of the service request message, using the second extension field to carry the external network source address, and using the third extension field to carry the first identification bit; or the second extension field is used for carrying the first identification bit, and the third extension field is used for carrying the external network source address.
Optionally, the apparatus further comprises:
a receiving module, configured to receive a service response packet sent by the connection tracker, where the service response packet is a service response packet sent by the cloud host after performing service processing according to the service request packet;
the obtaining module is configured to obtain the external network destination address carried in the service response message according to a second identification bit carried in the service response message, where the external network destination address is an external network address of the user equipment, and send the service response message to the user equipment to which the external network destination address points through the sending module.
In a fourth aspect, an embodiment of the present invention further provides a network address translation apparatus, located in a connection tracker, including:
the receiving module is used for receiving a service request message which is sent by a virtual server and is subjected to address conversion, wherein the service request message is the service request message sent to the virtual server by user equipment;
an obtaining module, configured to obtain an external network source address carried in the service request packet according to a first identification bit carried in the service request packet, where the external network source address is an external network address of a user equipment that sends the service request packet;
and the replacing module is used for replacing the internal network source address in the service request message with the external network source address and sending the service request message to the cloud host through the sending module for service processing.
Optionally, the apparatus further comprises:
the receiving module is further configured to receive a service response message sent by the cloud host, where the service response message is a service response message sent by the cloud host after performing service processing according to the service request message, and a destination address in the service response message is an external network destination address and is an external network address of the user equipment carried in the service request message;
the replacement module is further configured to replace an external network destination address in the service response message with an internal network destination address, where the internal network destination address is an internal network address of the virtual server, carry the external network destination address and the second identification bit in the service response message after address conversion, and send the service response message to the virtual server, so that the virtual server obtains the external network destination address carried in the service response message according to the second identification bit carried in the service response message sent by the connection tracker, and sends the service response message to the user equipment to which the external network destination address points.
Optionally, the replacement module is specifically configured to:
and adding a first extension field in the format of the service response message, and carrying the destination address of the external network and a second identification bit by using the first extension field.
Optionally, the replacement module is specifically configured to:
adding a second extension field and a third extension field in the format of the service response message, using the second extension field to carry the destination address of the external network, and using the third extension field to carry the second identification bit; or the second extension field is used for carrying the second identification bit, and the third extension field is used for carrying the external network source address.
In a fifth aspect, an embodiment of the present invention further provides a network address translation system, including: a virtual server and a connection tracker;
the virtual server comprises the network address translation device of the third aspect;
the connection tracker comprises the network address translation device of the fourth aspect.
Optionally, the system further comprises: the system comprises user equipment and a cloud host;
the user equipment is used for sending a service request message to the virtual server, wherein the service request message comprises an external network source address and an external network destination address, the external network source address is the external network address of the user equipment, and the external network destination address is the external network address of the virtual server;
the cloud host is configured to send a service response message to the connection tracker after performing service processing according to the service request message sent by the connection tracker, where the service response message includes an external network destination address and an internal network source address, where the external network destination address is an external network address of the user equipment, and the internal network source address is an internal network address of the cloud host.
In the embodiment of the invention, when the virtual server receives the service request message sent by the user equipment, it obtains the external network address of the user equipment, converts the external network addresses in the service request message into internal network addresses, carries the external network address of the user equipment and the first identification bit in the address-converted service request message, and then sends the service request message to the connection tracker. The connection tracker obtains the external network address of the user equipment carried in the message according to the first identification bit and, before sending the service request message to the cloud host, replaces the internal network source address in the message with the external network address of the user equipment. The source address in the service request message received by the cloud host is therefore the address of the real user equipment. From the perspective of the cloud host, the cloud host providing the external service communicates directly with the real user equipment, and transparent proxy of the user is realized.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
FIG. 1 is a diagram of a system architecture for implementing a load balancing technique in the prior art;
FIG. 2 is a flow diagram of a prior art technique for implementing load balancing;
FIG. 3 is a system architecture diagram for implementing a load balancing technique according to an embodiment of the present invention;
FIG. 4 is a flowchart illustrating a network address translation method according to an embodiment of the present application;
FIG. 5 is a flowchart illustrating a network address translation method according to an embodiment of the present application;
FIG. 6 is a flowchart illustrating a network address translation method according to an embodiment of the present application;
FIG. 7 is a flowchart illustrating a network address translation method according to an embodiment of the present application;
FIG. 8 is a schematic structural diagram of a network address translation device according to an embodiment of the present invention;
FIG. 9 is a schematic structural diagram of a network address translation device according to an embodiment of the present invention;
FIG. 10 is a schematic structural diagram of an electronic device according to an embodiment of the present invention;
FIG. 11 is a schematic structural diagram of an electronic device according to an embodiment of the present invention;
FIG. 12 is a schematic structural diagram of a network address translation system according to an embodiment of the present invention;
FIG. 13 is an architecture diagram of a Conntrack module distributed deployment according to an embodiment of the present invention.
Detailed Description
Embodiments of the present application will be described in detail with reference to the drawings and examples, so that how to implement technical means to solve technical problems and achieve technical effects of the present application can be fully understood and implemented.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, such as Random Access Memory (RAM), and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, computer readable media does not include transitory computer readable media (transitory media), such as modulated data signals and carrier waves.
As used in the specification and in the claims, certain terms are used to refer to particular components. As one skilled in the art will appreciate, manufacturers may refer to a component by different names. This specification and claims do not intend to distinguish between components that differ in name but not function. In the following description and in the claims, the terms "include" and "comprise" are used in an open-ended fashion, and thus should be interpreted to mean "include, but not limited to". "Substantially" means within an acceptable error range, and a person skilled in the art can solve the technical problem within a certain error range to substantially achieve the technical effect. Furthermore, the term "coupled" is intended to encompass any direct or indirect electrical coupling. Thus, if a first device couples to a second device, that connection may be through a direct electrical coupling or through an indirect electrical coupling via other devices and couplings. The description which follows is a preferred embodiment of the present application, but is made for the purpose of illustrating the general principles of the application and not for the purpose of limiting the scope of the application. The protection scope of the present application shall be subject to the definitions of the appended claims.
It is also noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a good or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such good or system. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a commodity or system that includes the element.
Fig. 1 is a diagram of a system architecture for implementing a load balancing technique in the prior art. As shown in fig. 1, in the load balancing system the virtual server externally provides a front-end virtual service whose external network address (e.g. 220.67.8.10) serves as the service access address of the user equipment, and the user equipment performs service access through this service access address; the virtual server internally provides a back-end virtual service whose intranet address (e.g. 192.168.1.10) serves as the service response address of the back-end server (cloud host), and the cloud host feeds back service processing results through this service response address.
Based on the system architecture diagram shown in fig. 1, fig. 2 is a flowchart of a load balancing technique implemented in the prior art, and as shown in fig. 2, the specific steps are as follows:
201: The user equipment sends the service access request message to the virtual server.
The source address of the service access request message is an external network address (e.g. 10.87.7.45) of the user equipment, and the destination address is an external network address (e.g. 220.67.8.10) of a virtual service provided by the virtual server to the outside.
202: The virtual server receives the service access request message, selects a cloud host for service processing through a load balancing algorithm, and performs network address conversion: the intranet address (e.g. 192.168.1.10) of the back-end virtual service provided internally by the virtual server replaces the source address (e.g. 10.87.7.45) of the service access request message, and the intranet address (e.g. 192.168.10.11) of the selected cloud host replaces the destination address (e.g. 220.67.8.10) of the service access request message. The service access request message after address conversion is sent to the selected cloud host.
203: The cloud host processes the service access request message and returns a service access response message after the processing is finished.
The source address of the service access response message is an intranet address (e.g. 192.168.10.11) of the cloud host that processes the service, and the destination address is an intranet address (e.g. 192.168.1.10) of the back-end virtual service provided internally by the virtual server.
204: The service access response message reaches the virtual server, and the virtual server performs network address conversion: it replaces the source address of the service access response message with the external network address (e.g. 220.67.8.10) of the front-end virtual service provided by the virtual server, replaces the destination address of the service access response message with the external network address (e.g. 10.87.7.45) of the user equipment, and sends the service access response message after address conversion to the user equipment.
Therefore, the message subjected to load balancing by the virtual server needs to be transmitted in an intranet by using an intranet address, and the cloud host cannot sense the existence of the front-end user equipment; the user device is also unaware of the presence of the backend cloud host. Therefore, the existing load balancing technology based on the Linux operating system cannot realize user transparent proxy of the cloud host.
In order to realize transparent proxy of a user of a cloud host, the invention needs to improve the prior art:
A connection tracker (a trace module) is deployed on each host machine of the cloud host. For a service access request message that has been load balanced by the virtual server, the virtual server needs to carry the source address of the message (namely, the address of the real user equipment) in the service access request message, and before the message is sent to the cloud host, the connection tracker needs to restore the internal network source address in the service access request message to the address of the real user equipment. The address of the real user equipment is not an intranet address, so a message addressed to it cannot be routed through the intranet to the external network. Therefore, when the cloud host replies with the address of the real user equipment (namely, the destination address in the reply message of the cloud host is the address of the real user equipment), the connection tracker replaces the destination address in the reply message with an internal address for transmission in the intranet, and the virtual server then replaces the destination address with the address of the real user equipment before the message is sent to the user equipment.
Therefore, the technical scheme of the invention can meet the basic load balancing function of the virtual server, and simultaneously can realize bidirectional transparent proxy, so that the cloud host can acquire the real address of the user equipment.
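The bidirectional flow described above, simulated end to end as an added example (not code from the patent or from LVS). The addresses come from the description; the `Message` layout, the flag values `FLAG_REQ` and `FLAG_RESP`, the round-robin selection, the tracker's connection table, and the check that only the virtual server's intranet address may set the first identification bit are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Addresses used in the description.
CLIENT = "10.87.7.45"          # external network address of the user equipment
VIP = "220.67.8.10"            # external address of the front-end virtual service
LVS_INTRANET = "192.168.1.10"  # intranet address of the back-end virtual service
CLOUD_HOST = "192.168.10.11"   # intranet address of the selected cloud host

# Assumed encodings; the description does not define concrete values.
FLAG_REQ = 0x1   # "first identification bit"
FLAG_RESP = 0x2  # "second identification bit"


@dataclass(frozen=True)
class Message:
    src: str
    dst: str
    payload: bytes
    ext_flag: int = 0               # extension field: identification bit
    ext_addr: Optional[str] = None  # extension field: carried external address


class VirtualServer:
    def __init__(self, vip, intranet, backends):
        self.vip, self.intranet, self.backends = vip, intranet, list(backends)
        self._next = 0

    def on_request(self, msg):
        # Round robin stands in for the load balancing algorithm (assumption).
        backend = self.backends[self._next % len(self.backends)]
        self._next += 1
        # Convert both addresses to intranet addresses, then carry the
        # client's external address and the first identification bit.
        return Message(self.intranet, backend, msg.payload, FLAG_REQ, msg.src)

    def on_response(self, msg):
        if not (msg.ext_flag & FLAG_RESP) or msg.ext_addr is None:
            raise ValueError("response lacks the second identification bit")
        # Destination restored from the carried address; source rewritten to
        # the service address as in prior-art step 204 (assumption).
        return Message(self.vip, msg.ext_addr, msg.payload)


class ConnectionTracker:
    def __init__(self, lvs_intranet):
        self.lvs_intranet = lvs_intranet
        self.table = {}  # (cloud host, client) -> virtual server intranet address

    def on_request(self, msg):
        if not (msg.ext_flag & FLAG_REQ) or msg.ext_addr is None:
            return msg  # ordinary intranet traffic, nothing to restore
        # Added check, not part of the description: honour the carried
        # address only when the message comes from the virtual server.
        if msg.src != self.lvs_intranet:
            raise PermissionError("identification bit set by untrusted source")
        self.table[(msg.dst, msg.ext_addr)] = msg.src
        # Restore the real client address as the source for the cloud host.
        return Message(msg.ext_addr, msg.dst, msg.payload)

    def on_response(self, msg):
        lvs = self.table.get((msg.src, msg.dst))
        if lvs is None:
            return msg  # not a tracked connection
        # Route back over the intranet, carrying the external destination
        # address and the second identification bit.
        return Message(msg.src, lvs, msg.payload, FLAG_RESP, msg.dst)


def cloud_host_handle(req):
    # The cloud host sees the real client address and replies straight to it.
    return Message(req.dst, req.src, b"reply to " + req.src.encode())


def round_trip(payload=b"GET /"):
    """Return the message as seen at each hop of one request/response."""
    lvs = VirtualServer(VIP, LVS_INTRANET, [CLOUD_HOST])
    ctk = ConnectionTracker(LVS_INTRANET)
    m1 = Message(CLIENT, VIP, payload)  # user equipment -> virtual server
    m2 = lvs.on_request(m1)             # virtual server -> connection tracker
    m3 = ctk.on_request(m2)             # connection tracker -> cloud host
    m4 = cloud_host_handle(m3)          # cloud host -> connection tracker
    m5 = ctk.on_response(m4)            # connection tracker -> virtual server
    m6 = lvs.on_response(m5)            # virtual server -> user equipment
    return [m1, m2, m3, m4, m5, m6]


if __name__ == "__main__":
    for hop, message in enumerate(round_trip(), start=1):
        print(hop, message)
```
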
Fig. 3 is a system architecture diagram for implementing a load balancing technique according to an embodiment of the present invention. As shown in fig. 3, in the load balancing system, a virtual server (LVS for short) provides to the outside an external network address (e.g. 220.67.8.10) of a front-end virtual service as the service access address of the user equipment, and the user equipment performs service access through the service access address; internally, the virtual server provides an intranet address (for example 192.168.1.10) of a back-end virtual service as the business response address of the back-end server (cloud host). In the system architecture diagram of the embodiment of the invention, a connection tracker (CTK module for short) is deployed in each host of the cloud host. Before a service access request message is sent to the cloud host, the connection tracker restores the intranet source address in the message to the real address of the user equipment; when the cloud host replies with the address of the real user equipment (namely, the destination address in the cloud host reply message is the address of the real user equipment), the connection tracker replaces the destination address in the reply message with the internal address for transmission in the intranet.
Based on the system architecture diagram shown in fig. 3, fig. 4 is a schematic flowchart of a network address translation method according to an embodiment of the present application, where the method is executed by a virtual server, and as shown in fig. 4, when a user equipment sends a service request packet to the virtual server, the method includes:
401. The virtual server receives a service request message sent by the user equipment.
The external network source address in the service request message is the external network address of the user equipment, that is, the address of the real user equipment (the IP address of the user equipment shown in fig. 3 is 10.87.7.45). The external network destination address in the service request message is the external network address (e.g. 220.67.8.10) of the front-end virtual service that the virtual server provides to the outside, which is used as the service access address of the user equipment.
402. Obtain the external network source address in the service request message sent by the user equipment, and convert the external network source address and the external network destination address in the service request message into an internal network source address and an internal network destination address.
The source address here is the external network address of the user equipment, and is the address of the real user equipment, and the IP address of the user equipment shown in fig. 3 is 10.87.7.45.
The intranet source address is an intranet address (such as 192.168.1.10) of a backend virtual service provided by the virtual server internally, and serves as a service response address of the backend server (cloud host);
the intranet destination address is an intranet address (for example, 192.168.10.11) of the cloud host that processes the service request packet.
It should be noted that the cloud host that processes the service request packet is determined as follows: when the virtual server receives the service request packet, it uses a preset load balancing algorithm to calculate the serial number of the cloud host to which the service request packet should be sent. Here, the load balancing algorithm may be an existing algorithm, such as a round robin algorithm, random algorithm, address-based hash algorithm, minimum connection algorithm, server pressure algorithm, weighting algorithm, etc.; the present invention places no limitation on it.
403. Carry the acquired external network source address and the first identification bit in the service request message after the address conversion.
The first identification bit instructs the connection tracker, when it receives the service request message sent by the virtual server, to acquire the external network source address carried in the service request message according to the first identification bit and to replace the internal network source address in the service request message with the external network source address. That is to say, when receiving a service request message sent by the virtual server, the connection tracker acquires the address of the real user equipment carried in the service request message, and replaces the internal network source address in the service request message with the address of the real user equipment before sending the service request message to the cloud host.
In a specific implementation, in an optional implementation manner, step 403 may add a first extension field in the format of the service request packet, and use the first extension field to carry the extranet source address and the first identification bit.
In an optional implementation manner, a second extension field and a third extension field are added to the format of the service request packet, the second extension field is used to carry the external network source address, and the third extension field is used to carry the first identification bit; or the second extension field is used for carrying the first identification bit, and the third extension field is used for carrying the external network source address.
For example, when communication is based on the TCP/IP protocol, a custom field can be added in the Option area of the TCP header, and a standard TLV structure is adopted:
Type (1 byte) | Length (1 byte) | Value
The Type field defines the identifier, the Length field declares the length, and the Value field is filled with the address of the real user equipment.
404. Send the service request message to the connection tracker.
The service request message in step 404 is subjected to address translation, and the service request message carries the address (the extranet source address) of the real user equipment and the first identification bit.
It should be noted that, in the above steps, the virtual server does not make any change to the data in the service request message sent by the user equipment.
Based on the system architecture diagram shown in fig. 3, corresponding to the method for performing network address translation on the virtual server side shown in fig. 4, fig. 5 is a flowchart of a network address translation method according to an embodiment of the present application, where the method is performed on the connection tracker side, and as shown in fig. 5, when the connection tracker receives a service request packet sent by the virtual server, the method includes:
501. The connection tracker receives a service request message sent by the virtual server.
It should be noted that the service request message sent by the virtual server is the service request message that carries the address of the real user equipment (the external network source address) and the first identification bit after the address conversion is performed by the embodiment shown in fig. 4.
502. Acquire the external network source address carried in the service request message according to the first identification bit carried in the service request message.
Here, the external network source address is the external network address of the user equipment that sent the service request message, that is, the address of the real user equipment (10.87.7.45 shown in fig. 3).
503. Replace the internal network source address in the service request message with the external network source address, and send the service request message to the cloud host for service processing.
That is to say, the connection tracker replaces the internal network source address in the received service request message with the acquired real address of the user equipment, and sends the service request message after replacing the source address to the cloud host selected by the load balancing algorithm for service processing.
That is, the source address in the service request message sent to the cloud host is the address of the real user equipment (10.87.7.45 shown in fig. 3), and the destination address is the intranet address (192.168.10.11) of the cloud host.
Based on the system architecture diagram shown in fig. 3, fig. 6 is a schematic flowchart of a network address translation method according to an embodiment of the present application, where the method is executed on a connection tracker side, and as shown in fig. 6, when a connection tracker receives a service response packet sent by a cloud host, the method includes:
601. The connection tracker receives a service response message sent by the cloud host.
The service response message is the message sent by the cloud host after performing service processing according to the service request message. The destination address in the service response message is an external network destination address, namely the external network address of the user equipment carried in the service request message (that is, the address of the real user equipment, for example the IP address 10.87.7.45 of the user equipment shown in fig. 3); the source address in the service response message is an intranet address (e.g., 192.168.10.11) of the cloud host.
602. Replace the external network destination address in the service response message with the internal network destination address.
Since the destination address in the service response message is the extranet address of the user equipment and cannot be transmitted in the intranet, the connection tracker needs to replace the extranet destination address in the service response message with the intranet destination address; as shown in fig. 3, the IP address of the user equipment in the service response message, 10.87.7.45, is replaced with the intranet address (e.g. 192.168.1.10) of the virtual server providing the virtual service in the intranet.
603. Carry the external network destination address and the second identification bit in the service response message after the address conversion.
The destination address here is the external network address of the user equipment.
In an optional implementation manner, a first extension field is added to the format of the service response packet, and the first extension field is used to carry the destination address of the external network and the second identification bit.
In an optional implementation manner, a second extension field and a third extension field are added to the format of the service response packet, the second extension field is used to carry the destination address of the external network, and the third extension field is used to carry the second identification bit; or the second extension field is used for carrying the second identification bit, and the third extension field is used for carrying the external network source address.
For example, when communication is based on the TCP/IP protocol, a custom field can be added in the Option area of the TCP header, and a standard TLV structure is adopted:
Type (1 byte) | Length (1 byte) | Value
The Type field defines the identifier, the Length field declares the length, and the Value field is filled with the address of the real user equipment.
The second identification bit is used for instructing the virtual server to obtain the external network destination address carried in the service response message (that is, obtain the external network address of the real user equipment) according to the second identification bit carried in the service response message.
604. Send the service response message to the virtual server.
The source address in the service response message is the intranet address of the cloud host (192.168.10.11 shown in fig. 3), and the destination address is the intranet address of the virtual server (192.168.1.10 shown in fig. 3).
It should be noted that, in the above steps, the connection tracker does not make any change on the data in the service response message sent by the cloud host.
Based on the system architecture diagram shown in fig. 3, corresponding to the method for performing network address translation on the connection tracker side shown in fig. 6, fig. 7 is a flowchart of a network address translation method according to an embodiment of the present application, where the method is performed on the virtual server side, and as shown in fig. 7, when the virtual server receives a service response packet sent by the connection tracker, the method includes:
701. The virtual server receives the service response message sent by the connection tracker.
The service response message is a service response message obtained by processing a service request message sent by the connection tracker to the cloud host according to the address translation method in the embodiment shown in fig. 6;
the service response message carries the second identification bit and the external network address of the real user equipment.
702. Acquire the external network destination address carried in the service response message according to the second identification bit carried in the service response message.
The extranet destination address here is the extranet address of the real user device (10.87.7.45 shown in fig. 3).
703. Replace the internal network source address in the service response message with the external network source address, and replace the internal network destination address with the external network destination address.
Here, the intranet source address is the intranet address (e.g. 192.168.10.11) of the cloud host, and the intranet destination address is the intranet address (e.g. 192.168.1.10) of the virtual server.
As shown in fig. 3, before sending the service response message to the user equipment, the virtual server needs to replace the intranet source address (i.e. the intranet address of the cloud host, e.g. 192.168.10.11) in the service response message with the extranet source address (i.e. the extranet address of the virtual server providing the network service to the outside, e.g. 220.67.8.10), and replace the intranet destination address (i.e. the intranet address of the virtual server providing the network service to the inside, e.g. 192.168.1.10) with the extranet destination address (i.e. the extranet address of the real user equipment, e.g. 10.87.7.45).
704. Send the service response message to the user equipment pointed to by the external network destination address.
The service response message is the message obtained after address translation by the virtual server.
In the embodiment of the invention, when the virtual server receives a service request message sent by the user equipment, it obtains the external network address of the user equipment, converts the external network address in the service request message into an internal network address, carries the external network address of the user equipment and the first identification bit in the service request message after address conversion, and then sends the service request message to the connection tracker. The connection tracker obtains the external network address of the user equipment carried in the message according to the first identification bit and, before sending the service request message to the cloud host, replaces the internal network source address in the message with the external network address of the user equipment. The source address in the service request message received by the cloud host is therefore the address of the real user equipment; seen from the perspective of the cloud host, the cloud host of the external service establishes communication directly with the real user equipment, and transparent proxy of the user is realized.
Based on the system architecture diagram for implementing the load balancing technique provided in fig. 3, the network address translation method according to the embodiment of the present invention is described below by specific examples.
The user equipment sends a service request message Cip -> Vip, where:
Cip: client IP, i.e., the source IP address of the user equipment (e.g., 10.87.7.45);
Vip: virtual IP, the IP address of the virtual server (e.g., 220.67.8.10).
The virtual server (LVS for short) converts the source address and the destination address to Lip -> Rip, where:
Lip: local IP, the intranet IP address used by the LVS, an address (e.g. 192.168.1.10) used for transmitting a message in the intranet;
Rip: RS IP, the intranet IP address used by the RS, the address of the cloud host providing backend services (e.g., 192.168.10.11).
The service request message carries the source address of the real user equipment and the first identification bit.
When the service request message carrying the source address of the real user equipment and the first identification bit reaches a host (a cloud host, NC for short), the Conntrack module (also called the connection tracker) in the host converts the addresses to Cip -> Rip and sends the Cip -> Rip message to the cloud host.
| Network path | Source | Dest |
| --- | --- | --- |
| User equipment | Cip | Vip |
| LVS | Lip | Rip |
| Conntrack | Cip | Rip |
The service response message Rip -> Cip replied by the cloud host is converted to Rip -> Lip by the Conntrack module, returned to the LVS by routing, converted to Vip -> Cip, and sent back to the client.
| Network path | Source | Dest |
| --- | --- | --- |
| Cloud host | Rip | Cip |
| Conntrack | Rip | Lip |
| LVS | Vip | Cip |
Seen from the perspective of the cloud host, communication is established directly between the cloud host that serves externally using Rip and the client whose address is Cip, so the bidirectional transparent proxy is realized.
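The request path of figs. 4 and 5 and the response path of figs. 6 and 7, with the Type/Length/Value field described earlier, written out as an added C example over the fig. 3 addresses; it is not code from the patent. The Type values 253 and 254, the simplified `struct pkt`, passing Lip to the tracker as a parameter, and the tracker's check that an option-carrying message comes from Lip are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

#define TCP_OPT_MAX   40   /* a TCP header holds at most 40 option bytes */
#define OPT_EOL       0    /* end of option list */
#define OPT_NOP       1    /* one-byte padding */
#define OPT_FIRST_ID  253  /* assumed Type value: first identification bit */
#define OPT_SECOND_ID 254  /* assumed Type value: second identification bit */
#define IP4(a, b, c, d) ((uint32_t)(a) << 24 | (uint32_t)(b) << 16 | (uint32_t)(c) << 8 | (uint32_t)(d))

/* Simplified packet: IPv4 addresses in host byte order plus the TCP option area. */
struct pkt {
    uint32_t src, dst;
    uint8_t opts[TCP_OPT_MAX];
    size_t opt_len;
};

/* Append Type(1) | Length(1) | Value(4 = real user address); -1 if no room. */
int tlv_put(struct pkt *p, uint8_t type, uint32_t addr) {
    if (p->opt_len + 6 > TCP_OPT_MAX) return -1;
    uint8_t *o = p->opts + p->opt_len;
    o[0] = type; o[1] = 6;        /* as in TCP options, Length covers all 6 bytes */
    o[2] = (uint8_t)(addr >> 24); o[3] = (uint8_t)(addr >> 16);
    o[4] = (uint8_t)(addr >> 8);  o[5] = (uint8_t)addr;
    p->opt_len += 6;
    return 0;
}

/* Read the address stored under `type`; -1 if absent or any option is malformed. */
int tlv_get(const struct pkt *p, uint8_t type, uint32_t *addr) {
    if (p->opt_len > TCP_OPT_MAX) return -1;
    for (size_t i = 0; i < p->opt_len; ) {
        uint8_t kind = p->opts[i];
        if (kind == OPT_EOL) break;
        if (kind == OPT_NOP) { i++; continue; }
        if (i + 1 >= p->opt_len) return -1;             /* Length byte missing */
        size_t len = p->opts[i + 1];
        if (len < 2 || i + len > p->opt_len) return -1; /* runs past option area */
        if (kind == type) {
            if (len != 6) return -1;                    /* IPv4 value is 4 bytes */
            *addr = IP4(p->opts[i + 2], p->opts[i + 3], p->opts[i + 4], p->opts[i + 5]);
            return 0;
        }
        i += len;
    }
    return -1;
}

/* Steps 402-404, virtual server: Cip->Vip becomes Lip->Rip, Cip carried in the TLV. */
int lvs_request(struct pkt *p, uint32_t lip, uint32_t rip) {
    if (tlv_put(p, OPT_FIRST_ID, p->src) != 0) return -1;
    p->src = lip; p->dst = rip;
    return 0;
}

/* Steps 502-503, connection tracker: Lip->Rip becomes Cip->Rip. */
int ctk_request(struct pkt *p, uint32_t lip) {
    uint32_t cip;
    if (p->src != lip) return -1;  /* added check (assumption): carrier must come from Lip */
    if (tlv_get(p, OPT_FIRST_ID, &cip) != 0) return -1;
    p->src = cip;
    return 0;
}

/* Steps 602-604, connection tracker: Rip->Cip becomes Rip->Lip, Cip carried in the TLV. */
int ctk_response(struct pkt *p, uint32_t lip) {
    if (tlv_put(p, OPT_SECOND_ID, p->dst) != 0) return -1;
    p->dst = lip;
    return 0;
}

/* Steps 702-704, virtual server: Rip->Lip becomes Vip->Cip. */
int lvs_response(struct pkt *p, uint32_t vip) {
    uint32_t cip;
    if (tlv_get(p, OPT_SECOND_ID, &cip) != 0) return -1;
    p->src = vip; p->dst = cip;
    return 0;
}

/* Run the fig. 3 addresses through all four hops; 0 on success. */
int demo(uint32_t *host_sees, uint32_t *reply_src, uint32_t *reply_dst) {
    const uint32_t cip = IP4(10, 87, 7, 45), vip = IP4(220, 67, 8, 10);
    const uint32_t lip = IP4(192, 168, 1, 10), rip = IP4(192, 168, 10, 11);
    struct pkt req = { cip, vip, {0}, 0 };
    if (lvs_request(&req, lip, rip) != 0 || ctk_request(&req, lip) != 0) return -1;
    *host_sees = req.src;
    struct pkt rsp = { rip, req.src, {0}, 0 };   /* cloud host answers Rip->Cip */
    if (ctk_response(&rsp, lip) != 0 || lvs_response(&rsp, vip) != 0) return -1;
    *reply_src = rsp.src; *reply_dst = rsp.dst;
    return 0;
}

int main(void) {
    uint32_t seen, src, dst;
    if (demo(&seen, &src, &dst) != 0) return 1;
    printf("host sees src %08x, reply leaves as %08x -> %08x\n", (unsigned)seen, (unsigned)src, (unsigned)dst);
    return 0;
}
```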
Fig. 8 is a schematic structural diagram of a network address translation device according to an embodiment of the present invention, located on a virtual server side, as shown in fig. 8, including:
an obtaining module 81, configured to obtain an external network source address in a service request message sent by a user equipment, where the external network source address is an external network address of the user equipment;
a conversion module 82, configured to convert an external network source address and an external network destination address in the service request message into an internal network source address and an internal network destination address, where the internal network source address is an internal network address of the virtual server, and the destination address is an internal network address of a cloud host that processes the service request message;
the encapsulating module 83 is configured to carry the external network source address and the first identification bit in a service request message after address translation, and send the service request message to the connection tracker through the sending module 84; and enabling the connection tracker to acquire the external network source address carried in the service request message according to the first identification bit carried in the service request message sent by the virtual server, replace the internal network source address in the service request message with the external network source address, and send the service request message to the cloud host for service processing.
The encapsulation module 82 is specifically configured to:
and adding a first extension field in the format of the service request message, and carrying the external network source address and the first identification bit by using the first extension field.
The encapsulation module 83 is further specifically configured to:
adding a second extension field and a third extension field in the format of the service request message, using the second extension field to carry the external network source address, and using the third extension field to carry the first identification bit; or the second extension field is used for carrying the first identification bit, and the third extension field is used for carrying the external network source address.
Optionally, the apparatus further comprises:
a receiving module 85, configured to receive a service response packet sent by the connection tracker, where the service response packet is a service response packet sent by the cloud host after performing service processing according to the service request packet;
the obtaining module 81 is configured to obtain the external network destination address carried in the service response message according to a second identification bit carried in the service response message, where the external network destination address is an external network address of the user equipment, and send the service response message to the user equipment to which the external network destination address points through the sending module.
The device according to the embodiment of the present invention may execute the network address translation method on the virtual server side shown in fig. 4 or fig. 7, and the implementation principle and the technical effect are not described again.
Fig. 9 is a schematic structural diagram of a network address translation device according to an embodiment of the present invention, which is located on the connection tracker side, and as shown in fig. 9, includes:
a receiving module 91, configured to receive a service request packet sent by a virtual server and subjected to address translation, where the service request packet is a service request packet sent by a user equipment to the virtual server;
an obtaining module 92, configured to obtain an external network source address carried in the service request packet according to a first identification bit carried in the service request packet, where the external network source address is an external network address of a user equipment that sends the service request packet;
and a replacing module 93, configured to replace the internal network source address in the service request message with the external network source address, and send the service request message to the cloud host through the sending module 94 for service processing.
Optionally, the receiving module 91 is further configured to receive a service response message sent by the cloud host, where the service response message is a service response message sent by the cloud host after performing service processing according to the service request message, and a destination address in the service response message is an external network destination address and is an external network address of the user equipment carried in the service request message;
the replacing module 93 is further configured to replace an external network destination address in the service response message with an internal network destination address, where the internal network destination address is an internal network address of the virtual server, carry the external network destination address and the second identification bit in the service response message after address conversion, and send the service response message to the virtual server, so that the virtual server obtains the external network destination address carried in the service response message according to the second identification bit carried in the service response message sent by the connection tracker, and sends the service response message to the user equipment to which the external network destination address points.
Optionally, the replacing module 93 is specifically configured to:
and adding a first extension field in the format of the service response message, and carrying the destination address of the external network and a second identification bit by using the first extension field.
Optionally, the replacing module 93 is specifically configured to:
adding a second extension field and a third extension field in the format of the service response message, using the second extension field to carry the destination address of the external network, and using the third extension field to carry the second identification bit; or the second extension field is used for carrying the second identification bit, and the third extension field is used for carrying the external network source address.
The device according to the embodiment of the present invention may execute the network address translation method on the connection tracker side shown in fig. 5 or fig. 6, and the implementation principle and technical effect are not described again.
Fig. 10 is a schematic structural diagram of an electronic device according to an embodiment of the present invention, which may execute the network address translation method on the virtual server side shown in fig. 4 or fig. 7, and as shown in fig. 10, includes a processor and a memory; wherein, the memory stores instructions for executing the network address translation method on the virtual server side shown in fig. 4 or fig. 7, and when the processor calls the instructions in the memory, the following steps can be executed:
acquiring an external network source address in a service request message sent by user equipment, wherein the external network source address is the external network address of the user equipment;
converting an external network source address and an external network destination address in the service request message into an internal network source address and an internal network destination address, wherein the internal network source address is the internal network address of the virtual server, and the destination address is the internal network address of a cloud host for processing the service request message;
carrying the external network source address and the first identification bit in a service request message after address conversion, and sending the service request message to a connection tracker; and enabling the connection tracker to acquire the external network source address carried in the service request message according to the first identification bit carried in the service request message, replace the external network source address with the internal network source address in the service request message, and send the service request message to the cloud host for service processing.
Wherein, carrying the external network source address and the first identification bit in the service request message after address conversion includes:
adding a first extension field in the format of the service request message, and carrying the external network source address and a first identification bit by using the first extension field; or
Adding a second extension field and a third extension field in the format of the service request message, using the second extension field to carry the external network source address, and using the third extension field to carry the first identification bit; or the second extension field is used for carrying the first identification bit, and the third extension field is used for carrying the external network source address.
When the processor calls the instructions in the memory, the following steps can also be executed:
receiving a service response message sent by the connection tracker, wherein the service response message is sent by the cloud host after service processing is carried out according to the service request message;
and the virtual server acquires the external network destination address carried in the service response message according to a second identification bit carried in the service response message, wherein the external network destination address is the external network address of the user equipment, and sends the service response message to the user equipment pointed by the external network destination address.
Fig. 11 is a schematic structural diagram of an electronic device according to an embodiment of the present invention, which may execute the network address translation method on the connection tracker side shown in fig. 5 or fig. 6, and as shown in fig. 11, includes a processor and a memory; wherein, the memory stores instructions for executing the network address translation method on the connection tracker side shown in fig. 5 or fig. 6, and when the processor calls the instructions in the memory, the following steps can be executed:
receiving a service request message which is sent by a virtual server and subjected to address conversion, wherein the service request message is a service request message sent to the virtual server by user equipment;
acquiring an external network source address carried in the service request message according to a first identification bit carried in the service request message, wherein the external network source address is an external network address of user equipment which sends the service request message;
and replacing the internal network source address in the service request message with the external network source address, and sending the service request message to the cloud host for service processing.
Optionally, it may also be performed:
receiving a service response message sent by the cloud host, wherein the service response message is sent by the cloud host after performing service processing according to the service request message, and a destination address in the service response message is an external network destination address and is an external network address of the user equipment carried in the service request message;
replacing an external network destination address in the service response message with an internal network destination address, wherein the internal network destination address is an internal network address of the virtual server, carrying the external network destination address and a second identification bit in the service response message after address conversion, and sending the service response message to the virtual server, so that the virtual server obtains the external network destination address carried in the service response message according to the second identification bit carried in the service response message, and sends the service response message to the user equipment pointed by the external network destination address.
Wherein, carrying the external network destination address and the second identification bit in the service response message after address conversion includes:
and the connection tracker adds a first extension field in the format of the service response message, and utilizes the first extension field to carry the destination address of the external network and a second identification bit.
Wherein, carrying the external network destination address and the second identification bit in the service response message after address conversion includes:
adding a second extension field and a third extension field in the service response message format by the connection tracker, carrying the external network destination address by using the second extension field, and carrying the second identification bit by using the third extension field; or the second extension field is used for carrying the second identification bit, and the third extension field is used for carrying the external network source address.
Fig. 12 is a schematic structural diagram of a network address translation system according to an embodiment of the present invention, which can execute the network address translation method according to any one of the embodiments of fig. 4 to 7; as shown in fig. 12, includes: the system comprises user equipment, a virtual server, a connection tracker and a cloud host;
the user equipment is used for sending a service request message to the virtual server, wherein the service request message comprises an external network source address and an external network destination address, the external network source address is the external network address of the user equipment, and the external network destination address is the external network address of the virtual server;
the virtual server is used for acquiring an external network source address in a service request message sent by user equipment, wherein the external network source address is the external network address of the user equipment; converting an external network source address and an external network destination address in the service request message into an internal network source address and an internal network destination address, wherein the internal network source address is the internal network address of the virtual server, and the internal network destination address is the internal network address of a cloud host for processing the service request message; carrying the external network source address and the first identification bit in the service request message after address conversion, and sending the service request message to the connection tracker;
the connection tracker is used for acquiring the external network source address carried in the service request message according to the first identification bit carried in the service request message sent by the virtual server, replacing the internal network source address in the service request message with the external network source address, and sending the service request message to the cloud host for service processing;
and the cloud host is used for processing the service according to the service request message sent by the connection tracker and then sending a service response message to the connection tracker, wherein the service response message comprises an external network destination address and an internal network source address, the external network destination address is the external network address of the user equipment, and the internal network source address is the internal network address of the cloud host.
The connection tracker is further configured to receive a service response message sent by the cloud host, where a destination address in the service response message is an external network destination address and is an external network address of the user equipment carried in the service request message; replacing an external network destination address in the service response message with an internal network destination address, wherein the internal network destination address is an internal network address of the virtual server, carrying the external network destination address and a second identification bit in the service response message after address conversion, and sending the service response message to the virtual server;
the virtual server is further configured to obtain the external network destination address carried in the service response message according to a second identification bit carried in the service response message sent by the connection tracker, and send the service response message to the user equipment to which the external network destination address points.
Fig. 13 is an architecture diagram of the distributed deployment of the Conntrack module according to an embodiment of the present invention. As shown in Fig. 13:
The Conntrack module is deployed on each host machine and processes the traffic of every cloud host on that host machine. The Conntrack module is independent of the front-end load balancer, does not need to maintain a complex mapping, and only needs to extract and record, for each connection, the real source address and the internal address used for transmission inside the intranet. The design is simple, lightweight and easy to maintain, and a fault or an upgrade of one module does not affect other cloud hosts or host machines.
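The request and response handling described above can be modelled end to end. The following Python sketch is an added example, not code from the patent: the option kind, the 8-byte field layout, the flag values, the documentation-range addresses, the allow-list of virtual server addresses and the address-only (port-less) tracking table are all assumptions made for illustration.

```python
import ipaddress
import struct
from dataclasses import dataclass, replace

# Assumed layout (the patent fixes none): kind, length, flags, pad, IPv4 address.
EXT_KIND = 0xFD        # constructed option kind for this sketch
EXT_LEN = 8
FLAG_REQUEST = 0x01    # plays the role of the "first identification bit"
FLAG_RESPONSE = 0x02   # plays the role of the "second identification bit"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    options: bytes = b""
    payload: bytes = b""


def encode_ext(flag: int, addr: str) -> bytes:
    """Build the extension field carrying an external address and a flag."""
    return struct.pack("!BBBx4s", EXT_KIND, EXT_LEN, flag,
                       ipaddress.IPv4Address(addr).packed)


def walk_options(options: bytes):
    """Yield (kind, raw_option) pairs; stop at the first malformed length."""
    i = 0
    while i + 2 <= len(options):
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return
        yield options[i], options[i:i + length]
        i += length


def decode_ext(options: bytes, flag: int):
    """Return the carried address if a field with the given flag is present."""
    for kind, raw in walk_options(options):
        if kind == EXT_KIND and len(raw) == EXT_LEN and raw[2] & flag:
            return str(ipaddress.IPv4Address(raw[4:8]))
    return None


def strip_ext(options: bytes) -> bytes:
    """Remove every copy of the extension field, keeping other options."""
    return b"".join(raw for kind, raw in walk_options(options) if kind != EXT_KIND)


@dataclass
class VirtualServer:
    external: str
    internal: str
    cloud_host: str

    def forward_request(self, pkt: Packet) -> Packet:
        # Discard any client-supplied copy of the field before adding our own.
        opts = strip_ext(pkt.options) + encode_ext(FLAG_REQUEST, pkt.src)
        return Packet(self.internal, self.cloud_host, opts, pkt.payload)

    def forward_response(self, pkt: Packet) -> Packet:
        user = decode_ext(pkt.options, FLAG_RESPONSE)
        if user is None:
            raise ValueError("response lacks the external destination address")
        # Source rewritten to the external address: assumed, as in an ordinary NAT reply.
        return Packet(self.external, user, strip_ext(pkt.options), pkt.payload)


class ConnectionTracker:
    def __init__(self, virtual_servers):
        self.virtual_servers = set(virtual_servers)  # assumed allow-list
        self.table = {}  # (user external address, cloud host) -> virtual server

    def on_request(self, pkt: Packet) -> Packet:
        user = decode_ext(pkt.options, FLAG_REQUEST)
        if user is None or pkt.src not in self.virtual_servers:
            return pkt  # no field, or not from a known virtual server: no rewrite
        self.table[(user, pkt.dst)] = pkt.src
        return replace(pkt, src=user, options=strip_ext(pkt.options))

    def on_response(self, pkt: Packet) -> Packet:
        vs = self.table.get((pkt.dst, pkt.src))
        if vs is None:
            return pkt
        opts = strip_ext(pkt.options) + encode_ext(FLAG_RESPONSE, pkt.dst)
        return replace(pkt, dst=vs, options=opts)


def round_trip(client_options: bytes = b""):
    """Run one request/response through both devices (constructed addresses)."""
    vs = VirtualServer("198.51.100.10", "10.0.0.2", "10.0.1.5")
    ct = ConnectionTracker({vs.internal})
    request = Packet("203.0.113.7", vs.external, client_options, b"GET /")
    to_tracker = vs.forward_request(request)
    to_host = ct.on_request(to_tracker)
    # The cloud host answers the address it saw as the source.
    reply = Packet(to_host.dst, to_host.src, b"", b"200 OK")
    to_vs = ct.on_response(reply)
    to_user = vs.forward_response(to_vs)
    return to_tracker, to_host, to_vs, to_user
```

The cloud host sees the user equipment's external address as the packet source, while every hop inside the intranet is addressed with internal addresses only.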
The foregoing description shows and describes several preferred embodiments of the invention. As noted above, however, the invention is not limited to the forms disclosed herein; these are not to be construed as excluding other embodiments, and the invention can be used in various other combinations, modifications and environments and can be changed within the scope of the inventive concept expressed herein, commensurate with the above teachings or the skill or knowledge of the relevant art. Modifications and variations may be effected by those skilled in the art without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (23)

1. A method for network address translation, comprising:
a virtual server obtains an external network source address in a service request message sent by user equipment, wherein the external network source address is the external network address of the user equipment;
converting an external network source address and an external network destination address in the service request message into an internal network source address and an internal network destination address, wherein the internal network source address is the internal network address of the virtual server, and the internal network destination address is the internal network address of a cloud host for processing the service request message;
carrying the external network source address in a service request message after address conversion of a virtual server and sending the service request message to a connection tracker; and the connection tracker acquires the external network source address according to the service request message sent by the virtual server, converts the internal network source address in the service request message into the external network source address, and sends the service request message subjected to address conversion by the connection tracker to the cloud host for service processing.
2. The method of claim 1, wherein the carrying of the source address of the external network in the service request message after the address translation by the virtual server comprises:
and the virtual server adds a first extension field in the format of the service request message, and utilizes the first extension field to carry the external network source address.
3. The method of claim 1, wherein the carrying of the source address of the external network in the service request message after the address translation by the virtual server comprises:
the virtual server adds a first extension field in the format of the service request message, and utilizes the first extension field to carry the external network source address, wherein the first extension field also carries a first identification bit, and the first identification bit is used for indicating a connection tracker to acquire the external network source address carried in the service request message according to the first identification bit carried in the service request message when receiving the service request message sent by the virtual server, and converting the internal network source address in the service request message into the external network source address.
4. The method of claim 1, wherein the carrying of the source address of the external network in the service request message after the address translation by the virtual server comprises:
the virtual server adds a second extension field and a third extension field in the format of the service request message, the second extension field is used for carrying the external network source address, and the third extension field carries a first identification bit; or the third extension field is used for carrying the external network source address, the second extension field carries the first identification bit, and the first identification bit is used for indicating the connection tracker to obtain the external network source address carried in the service request message according to the first identification bit carried in the service request message when receiving the service request message sent by the virtual server, and converting the internal network source address in the service request message into the external network source address.
5. The method according to claim 3 or 4, wherein the first extension field, the second extension field or the third extension field is located in a header optional area of a service request message.
6. The method according to any one of claims 1-4, further comprising:
the virtual server receives a service response message sent by the connection tracker, wherein the service response message is sent by the cloud host after service processing is carried out according to the service request message after address conversion is carried out by the connection tracker;
and the virtual server acquires the external network destination address carried in the service response message according to the service response message, wherein the external network destination address is the external network address of the user equipment, and sends the service response message to the user equipment pointed by the external network destination address.
7. The method according to claim 6, wherein the service response message carries the external network destination address, comprising:
adding a fourth extension field in the format of the service response message, and using the fourth extension field to carry the external network destination address, wherein the fourth extension field also carries a second identification bit, and the second identification bit is used for indicating a virtual server to obtain the external network destination address carried in the service response message according to the second identification bit carried in the service response message.
8. The method according to claim 6, wherein the service response message carries the external network destination address, comprising:
adding a fifth extension field and a sixth extension field in the format of the service response message, wherein the fifth extension field is used for carrying the external network destination address, and the sixth extension field carries a second identification bit; or the sixth extension field is used for carrying the external network source address, and the fifth extension field carries the second identification bit; and the second identification bit is used for indicating the virtual server to acquire the external network destination address carried in the service response message according to the second identification bit carried in the service response message.
9. The method of claim 1, wherein the connection tracker is deployed on each host of the cloud hosts.
10. A method for network address translation, comprising:
a connection tracker receives a service request message which is sent by a virtual server and has been subjected to address conversion, wherein the service request message is the service request message sent to the virtual server by user equipment;
acquiring an external network source address carried in the service request message according to the service request message, wherein the external network source address is an external network address of user equipment which sends the service request message;
and converting the internal network source address in the service request message into the external network source address, and sending the service request message subjected to address conversion to the cloud host for service processing.
11. The method of claim 10, further comprising:
the connection tracker receives a service response message sent by the cloud host, wherein the service response message is sent by the cloud host after service processing is carried out according to the service request message, and a destination address in the service response message is an external network destination address and is an external network address of user equipment carried in the service request message;
and converting an external network destination address in the service response message into an internal network destination address, wherein the internal network destination address is the internal network address of the virtual server, carrying the external network destination address in the service response message after address conversion of the connection tracker, and sending the service response message to the virtual server, so that the virtual server obtains the external network destination address carried in the service response message and sends the service response message to the user equipment pointed by the external network destination address.
12. A network address translation apparatus, located on a virtual server side, comprising:
an acquisition module, configured to acquire an external network source address in a service request message sent by user equipment, wherein the external network source address is the external network address of the user equipment;
a conversion module, configured to convert an external network source address and an external network destination address in the service request message into an internal network source address and an internal network destination address, where the internal network source address is an internal network address of the virtual server, and the destination address is an internal network address of a cloud host that processes the service request message;
the encapsulation module is used for carrying the external network source address in a service request message after the address conversion of the virtual server and sending the service request message to the connection tracker through the sending module; and the connection tracker acquires the external network source address according to the service request message sent by the virtual server, converts the internal network source address in the service request message into the external network source address, and sends the service request message subjected to address conversion by the network address conversion device to the cloud host for service processing.
13. The apparatus of claim 12, further comprising:
a receiving module, configured to receive a service response packet sent by the connection tracker, where the service response packet is a service response packet sent by the cloud host after performing service processing according to a service request packet after address conversion is performed by the connection tracker;
the obtaining module is configured to obtain the external network destination address carried in the service response packet according to the service response packet, where the external network destination address is an external network address of the user equipment, and send the service response packet to the user equipment to which the external network destination address points through the sending module.
14. A network address translation device located at a connection tracker, comprising:
the receiving module is used for receiving a service request message which is sent by a virtual server and is subjected to address conversion, wherein the service request message is the service request message sent to the virtual server by user equipment;
an obtaining module, configured to obtain an external network source address carried in the service request packet according to the service request packet, where the external network source address is an external network address of a user equipment that sends the service request packet;
and the replacing module is used for converting the internal network source address in the service request message into the external network source address and sending the service request message subjected to address conversion by the network address conversion device to the cloud host through the sending module for service processing.
15. The apparatus of claim 14, further comprising:
the receiving module is further configured to receive a service response message sent by the cloud host, where the service response message is a service response message sent by the cloud host after performing service processing according to the service request message, and a destination address in the service response message is an external network destination address and is an external network address of the user equipment carried in the service request message;
the replacement module is further configured to convert an external network destination address in the service response message into an internal network destination address, where the internal network destination address is an internal network address of the virtual server, carry the external network destination address in a service response message after address conversion performed by the network address conversion device, and send the service response message to the virtual server, so that the virtual server obtains the external network destination address carried in the service response message, and sends the service response message to the user equipment to which the external network destination address points.
16. A network address translation device is characterized by comprising a connection tracker which is respectively and electrically connected with a virtual server and a cloud host,
the connection tracker is used for acquiring an external network source address according to a service request message sent by the virtual server, converting the internal network source address in the service request message into the external network source address, and sending the converted service request message to the cloud host for service processing;
the connection tracker is further configured to receive a service response message sent by the cloud host, convert an external network destination address in the service response message into an internal network destination address, carry the external network destination address in the service response message after address conversion, and send the service response message to the virtual server.
17. The apparatus of claim 16, wherein the connection tracker is deployed on each host of a cloud host.
18. A network address translation system, comprising: a virtual server and a connection tracker;
the virtual server comprises the network address translation device of any of claims 12-13;
the connection tracker comprising a network address translation device according to any of claims 14-15.
19. The system of claim 18, further comprising: user equipment and a cloud host;
the user equipment is used for sending a service request message to the virtual server, wherein the service request message comprises an external network source address and an external network destination address, the external network source address is the external network address of the user equipment, and the external network destination address is the external network address of the virtual server;
the cloud host is configured to send a service response message to the connection tracker after performing service processing according to the service request message sent by the connection tracker, where the service response message includes an external network destination address and an internal network source address, where the external network destination address is an external network address of the user equipment, and the internal network source address is an internal network address of the cloud host.
20. An electronic device located on a virtual server side, comprising:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to:
acquiring an external network source address in a service request message sent by user equipment, wherein the external network source address is the external network address of the user equipment;
converting an external network source address and an external network destination address in the service request message into an internal network source address and an internal network destination address, wherein the internal network source address is an internal network address of the virtual server side, and the internal network destination address is an internal network address of a cloud host for processing the service request message;
carrying the external network source address in the service request message after address conversion by the electronic device located on the virtual server side, and sending the service request message to the electronic device located at the connection tracker; and the electronic device located at the connection tracker acquires the external network source address according to the service request message sent by the electronic device on the virtual server side, converts the internal network source address in the service request message into the external network source address, and sends the service request message subjected to address conversion by the connection tracker to the cloud host for service processing.
21. The electronic device of claim 20, wherein the processor further performs the following:
receiving a service response message, wherein the service response message is sent by the cloud host after performing service processing according to the service request message on which the electronic device located at the connection tracker has performed address conversion;
and acquiring the external network destination address carried in the service response message according to the service response message, wherein the external network destination address is the external network address of the user equipment, and sending the service response message to the user equipment pointed by the external network destination address.
22. An electronic device located in a connection tracker, comprising:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to:
receiving a service request message which is sent by electronic equipment at a virtual server side and subjected to address conversion, wherein the service request message is sent to the electronic equipment at the virtual server side by user equipment;
acquiring an external network source address carried in the service request message according to the service request message, wherein the external network source address is an external network address of user equipment which sends the service request message;
and converting the internal network source address in the service request message into the external network source address, and sending the service request message subjected to address conversion to the cloud host for service processing.
23. The electronic device of claim 22, wherein the processor further performs the following:
receiving a service response message sent by the cloud host, wherein the service response message is sent by the cloud host after performing service processing according to the service request message, and a destination address in the service response message is an external network destination address and is an external network address of the user equipment carried in the service request message;
and converting an external network destination address in the service response message into an internal network destination address, wherein the internal network destination address is the internal network address of the electronic device at the virtual server side, carrying the external network destination address in the service response message after address conversion by the electronic device located at the connection tracker, and sending the service response message to the electronic device at the virtual server side, so that the electronic device at the virtual server side obtains the external network destination address carried in the service response message and sends the service response message to the user equipment pointed to by the external network destination address.
CN201510654182.9A 2015-10-10 2015-10-10 Network address translation method, device and system Active CN106572197B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510654182.9A CN106572197B (en) 2015-10-10 2015-10-10 Network address translation method, device and system

Publications (2)

Publication Number Publication Date
CN106572197A CN106572197A (en) 2017-04-19
CN106572197B true CN106572197B (en) 2020-01-14

Family

ID=58507838

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510654182.9A Active CN106572197B (en) 2015-10-10 2015-10-10 Network address translation method, device and system

Country Status (1)

Country Link
CN (1) CN106572197B (en)

Also Published As

Publication number Publication date
CN106572197A (en) 2017-04-19

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant