CN108173982B - NAT (network Address translation) processing method and device for cross-board message - Google Patents

Publication number
CN108173982B
Authority
CN (China)
Prior art keywords
nat, session table, service board, interface, board card
Legal status
Active
Application number
CN201810253589.4A
Other languages
Chinese (zh)
Other versions
CN108173982A
Inventors
李晓波, 李万军, 刘赫
Current Assignee
Shenzhen Forward Industrial Co Ltd
Original Assignee
Shenzhen Forward Industrial Co Ltd
Events
Application filed by Shenzhen Forward Industrial Co Ltd
Priority to CN201810253589.4A
Publication of CN108173982A
Application granted
Publication of CN108173982B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L61/2546 Arrangements for avoiding unnecessary translation
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/74 Address processing for routing

Abstract

The invention provides a method and a device for NAT (network address translation) processing of a cross-board message, wherein the method comprises the following steps: adding NAT information to the header of a data stream from a first service board card, and sending the added data message to a second service board card; when the second service board card receives the data message, judging whether the current service board card stores the NAT session table of the data stream; if not, selecting an available IP address and port for conversion according to the address range corresponding to the output interface, recording the conversion relation, creating an NAT session table, and respectively adding the conversion relation into the forward and reverse records of the NAT session table; if yes, NAT conversion is carried out according to the forward record of the NAT session table, and the corresponding record in the NAT session table is updated. The invention unifies the cross-board data flow to the downlink board card for processing, and realizes the cross-board flow forwarding of the distributed system on the basis of not increasing hardware resources.

Description

NAT (network Address translation) processing method and device for cross-board message
Technical Field
The present invention relates to the field of data communication technologies, and in particular, to a method and an apparatus for performing NAT processing on a cross-board message.
Background
With the development of network technology and the popularization of the mobile internet, people's life, work and study have become more and more inseparable from the internet. However, the IPv4 address space has already been fully allocated, while the popularization of IPv6 is still far off; at the same time, the spread of the mobile internet and the internet of things has brought explosive growth in the number of terminals connected to the network.
To date, NAT (Network Address Translation) is still the main means of addressing the IPv4 address shortage. It maps many private network addresses onto one or more public network addresses, so that network addresses are highly multiplexed: the same IP address can be reused in different private networks, and a private network user's address is only translated into a public network address when that user accesses the public network, which relieves the bottleneck of IPv4 address resources.
Ordinary NAT processing is concentrated in the uplink processing flow of a message: whether the message arrives from an Inside interface or an Outside interface, NAT session and rule matching are completed in the uplink processing flow, a route lookup is performed, the egress interface is determined and cross-board forwarding is carried out, while the downlink board card only performs simple downlink processing, namely link encapsulation and sending out of the interface. With this approach, an NAT session table must be created for each cross-board data stream on both the upstream board card and the downstream board card at the same time, and the session table can only be aged correctly if its state is synchronized, so each session table occupies resources on two board cards, and the large amount of synchronization information greatly increases information interaction between the board cards. When multiple Inside interfaces and multiple Outside interfaces are located on different boards and the different boards select available public network IP addresses and ports independently, there is also a possibility of duplication and conflict.
In order to solve this problem, some system implementations add a dedicated NAT service board and redirect all traffic requiring NAT to that board for processing; after processing is completed, the traffic is sent out through the original interface, which solves the problem of NAT session synchronization between different board cards. This method solves the cross-board NAT problem, but an additional NAT service board must be added to the system, and that board has to process the data of multiple other forwarding board cards in a centralized manner, so its performance and memory requirements are high and the cost to the user increases greatly. In addition, because traffic is redirected from the original service board to the NAT service board and then, after NAT processing, sent back to the ordinary service board for forwarding, extra processing delay and inter-board traffic are introduced.
Disclosure of Invention
In view of the defects in the prior art, the invention provides a method and a device for NAT processing of a cross-board message. The NAT processing of the transmitted data message is concentrated in the downlink processing flow of the service board card where the Outside interface is located, so that the CPU and memory resources of different service board cards are fully utilized without adding hardware resources or cross-board state synchronization information. This realizes cross-board NAT traffic forwarding in a distributed system with only small changes to the forwarding flow, reduces system complexity and user cost, and avoids conflicts in the selection of available addresses and ports.
According to an embodiment of the present invention, a method for performing NAT processing on a cross-board message is provided, where the method for performing NAT processing on the cross-board message includes:
adding NAT information to the header of a data stream from a first service board card where an Inside interface is located to obtain an added data message, and sending the data message to a second service board card where an Outside interface is located, wherein the Inside interface is an interface for connecting a private network of a user, and the Outside interface is an interface for connecting an external public network;
when the second service board card receives the data message, judging whether the current service board card stores an NAT session table of the data stream;
if the second service board card does not store the NAT session table of the data stream, selecting an available IP address and an available port according to the address range corresponding to the Outside interface for conversion, and recording a conversion relation;
creating an NAT session table, and respectively adding the conversion relation into the forward and reverse records of the NAT session table;
and if the second service board card stores the NAT session table of the data stream, performing NAT conversion on the data message according to the forward record of the NAT session table, and updating the corresponding record in the NAT session table.
In the above NAT processing method for a cross-board message, the first service board determines an egress interface through a route forwarding table or a policy route.
In the above NAT processing method for a cross-board message, each service board includes at least one Inside interface and at least one Outside interface.
In the above NAT processing method for a cross-board message, the address range corresponding to each egress interface is different.
In the above NAT processing method for cross-board messages,
if the second service board card stores the NAT session table of the data stream, reading an index value required by searching the NAT session table according to the NAT information at the head of the data message;
and performing NAT conversion on the data message according to the record corresponding to the index value in the NAT session table, and updating the forward record of the NAT session table.
In the above NAT processing method for a cross-board packet, the index value is a hash value obtained by performing hash operation on an IP quintuple.
In the above NAT processing method for a cross-board message, the method further includes:
performing link layer encapsulation on the data message after NAT conversion according to the link type of the Outside interface;
and sending the encapsulated data message out through a corresponding port.
In the above NAT processing method for a cross-board message, the method further includes:
the second service board card receives a data message returned from an external public network, performs NAT conversion according to the reverse record of the NAT session table, updates the corresponding reverse record in the NAT session table, and sends the processed data message to the first service board card;
and the first service board card receives the processed data message and sends out the processed data message through a corresponding port.
In the above NAT processing method for a cross-board message, when the data flow is closed or no message of the flow has been sent for a preset time, the second service board ages out and recovers the NAT session table.
Another embodiment of the present invention provides a NAT processing apparatus for a cross-board message, including:
the system comprises an adding module, a data processing module and an output module, wherein the adding module is used for adding NAT information to the head of a data stream from a first service board card where an Inside interface is located to obtain an added data message, and sending the data message to a second service board card where an Outside interface is located, the Inside interface is an interface connected with a private network of a user, and the Outside interface is an interface connected with an external public network;
the judging module is used for judging whether the current service board card stores the NAT session table of the data stream or not when the second service board card receives the data message;
the conversion module is used for selecting an available IP address and an available port for conversion according to the address range corresponding to the Outside interface and recording the conversion relation if the second service board card does not store the NAT session table of the data stream;
the creating module is used for creating an NAT session table and adding the conversion relation into the forward and reverse records of the NAT session table respectively;
and the updating module is used for carrying out NAT conversion on the data message according to the forward record of the NAT session table and updating the corresponding record in the NAT session table if the NAT session table of the data stream is stored in the second service board card.
The NAT processing method and device for the cross-board message at least provide the following technical effects: the NAT rule is matched with the uplink processing flow of the service board card where the Inside interface is located, NAT processing information is carried to the downlink processing flow of the service board card where the Outside interface is located, synchronization of the states of the session tables is not needed among cross boards, and complexity of the system is reduced; the problem of available address and port selection conflict is avoided, the repeated occupation of resources is solved, and the message forwarding efficiency is improved; additional hardware resources are not required to be added, and the user overhead is reduced.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained according to the drawings without inventive efforts.
Fig. 1 is a general architecture diagram of a distributed system according to an embodiment of the present invention.
Fig. 2 is a flowchart illustrating a method for processing a cross-board NAT of a packet according to a first embodiment of the present invention.
Fig. 3 is a flowchart illustrating a method for NAT conversion of a cross-board message according to a second embodiment of the present invention.
Fig. 4 is a schematic structural diagram of an NAT processing apparatus for a cross-board message according to an embodiment of the present invention.
Description of the main element symbols:
10 - control board card; 11 - switch board card; 12 - service board card; 120 - service daughter card; 20 - NAT processing device for a cross-board message; 210 - adding module; 220 - judging module; 230 - conversion module; 240 - creating module; 250 - updating module.
Detailed Description
Various embodiments of the present disclosure will be described more fully hereinafter. The present disclosure is capable of various embodiments and of modifications and variations therein. However, it should be understood that: there is no intention to limit the various embodiments of the disclosure to the specific embodiments disclosed herein, but rather, the disclosure is to cover all modifications, equivalents, and/or alternatives falling within the spirit and scope of the various embodiments of the disclosure.
Hereinafter, the term "includes" or "may include" used in various embodiments of the present disclosure indicates the presence of the disclosed functions, operations, or elements, and does not limit the addition of one or more functions, operations, or elements. Furthermore, as used in various embodiments of the present disclosure, the terms "comprising," "having," and their derivatives, are intended to be only representative of the particular features, integers, steps, operations, elements, components, or combinations of the foregoing, and should not be construed as first excluding the existence of, or adding to one or more other features, integers, steps, operations, elements, components, or combinations of the foregoing.
In various embodiments of the disclosure, the expression "or" at least one of a or/and B "includes any or all combinations of the words listed simultaneously. For example, the expression "a or B" or "at least one of a or/and B" may include a, may include B, or may include both a and B.
Expressions (such as "first", "second", and the like) used in various embodiments of the present disclosure may modify various constituent elements in the various embodiments, but may not limit the respective constituent elements. For example, the above description does not limit the order and/or importance of the elements described. The foregoing description is for the purpose of distinguishing one element from another. For example, the first user device and the second user device indicate different user devices, although both are user devices. For example, a first element could be termed a second element, and, similarly, a second element could be termed a first element, without departing from the scope of various embodiments of the present disclosure.
It should be noted that: if it is described that one constituent element is "connected" to another constituent element, the first constituent element may be directly connected to the second constituent element, and a third constituent element may be "connected" between the first constituent element and the second constituent element. In contrast, when one constituent element is "directly connected" to another constituent element, it is understood that there is no third constituent element between the first constituent element and the second constituent element.
The term "user" used in various embodiments of the present disclosure may indicate a person using an electronic device or a device using an electronic device (e.g., an artificial intelligence electronic device).
The terminology used in the various embodiments of the present disclosure is for the purpose of describing particular embodiments only and is not intended to be limiting of the various embodiments of the present disclosure. As used herein, the singular forms are intended to include the plural forms as well, unless the context clearly indicates otherwise. Unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which the various embodiments of the present disclosure belong. The terms (such as those defined in commonly used dictionaries) should be interpreted as having a meaning that is consistent with their contextual meaning in the relevant art and will not be interpreted in an idealized or overly formal sense unless expressly so defined in various embodiments of the present disclosure.
Example 1
Fig. 1 is a general architecture diagram of a distributed system according to an embodiment of the present invention.
The general architecture of the distributed system comprises a control board card 10, a switch board card 11, a service board card 12 and a service daughter card 120.
The control board 10 is configured to issue a routing forwarding table entry and NAT rule related information.
Different service board cards 12 are interconnected through the switch board card 11, so that the forwarding of cross-board data flow is realized. The switch board 11 may also be a backplane.
In a distributed routing and forwarding system, a plurality of service cards 12 are typically included, and each service card includes a plurality of service daughter cards 120. Each service board card 12 is an independent forwarding subsystem, and traffic incoming from the service daughter card 120 connected to the service board card may be forwarded from the service board card 12, or may need to be forwarded from the service daughter cards 120 connected to other service board cards 12, that is, on-board forwarding traffic and cross-board forwarding traffic exist. Each service board 12 may connect different types of service daughter cards 120 and interfaces, where the number of service daughter cards 120 and the number of interfaces are dependent on the specific hardware implementation.
In this embodiment, data forwarding is divided according to the direction of the data flow into two processing flows, uplink and downlink. In the uplink processing flow, a message received from the Inside interface of a service daughter card 120 is parsed and its message type identified through the link layer protocol, the route forwarding table is then looked up to obtain the message's egress and next hop, and finally the necessary information obtained from the table lookup is sent together with the message, through the switch board or backplane, to the service board 12 where the egress interface is located. The downlink processing flow mainly processes the data message arriving from the switch board card 11 or backplane, performs link layer encapsulation according to the egress interface information obtained by the table lookup of the uplink processing flow, and sends the message out of the egress interface through the service daughter card 120. The service board 12 where the Inside interface is located is referred to as the uplink board, and the service board 12 where the Outside interface is located is referred to as the downlink board. Although a data flow whose input interface and output interface are on the same service board 12 does not pass through the switch board 11, its processing logic is still uniformly divided into the same two flows of uplink processing and downlink processing. The Inside interface and the Outside interface are both physical layer interfaces.
Fig. 2 is a flowchart illustrating a method for processing a cross-board NAT of a packet according to a first embodiment of the present invention. The method is applied to the general architecture of the distributed system, and comprises the following steps:
step S110, adding NAT information to the header of the data stream from the first service board where the Inside interface is located to obtain an added data packet, and sending the data packet to the second service board where the Outside interface is located.
Here the Inside interface is the interface that connects the user's private network, the Outside interface is the interface that connects the external public network, and the Inside interface and the Outside interface are not on the same service board card.
In this embodiment, the first service board determines an egress interface through a policy routing or a routing forwarding table. In other embodiments of the present invention, an equivalent multipath routing algorithm, etc. may also be used to determine the egress interface.
Each service board card comprises at least one Inside interface and at least one Outside interface, and Outside interfaces can be distributed over different service board cards, so that multi-egress line backup and load sharing are realized.
Adding NAT information to the message head of a data stream coming from an Inside interface corresponding to a service daughter card connected with a first service board card to obtain an added data message, and sending the data message to a second service board card where an Outside interface is located through a switch board card or a back board.
The NAT information comprises NAT identification information, NAT conversion rules, ID information of an address range corresponding to an Outside interface, an IP quintuple, a Hash value calculated according to the IP quintuple, an outgoing interface, next hop information and the like. The NAT identification information is used for indicating whether the message needs NAT address conversion or not, the IP five-tuple is a set consisting of five quantities, namely a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol, the Hash value calculated according to the IP five-tuple is carried to the downlink processing flow of the second service board card and used as an index value to search or create an NAT session table on the second service board card, and the Hash value does not need to be extracted and calculated from the message again, so that the processing speed is improved, and repeated processing is avoided.
In this embodiment, the index value is a Hash value calculated from the IP quintuple; the Hash value is a number obtained by a logical operation on the data of the IP quintuple, and different IP addresses and ports yield different Hash values. A simple implementation is to run the IP quintuple data through a hash function to obtain an integer, divide the integer by the size of the hash table, and take the remainder as the key for the storage position of the object. In other embodiments of the present invention, other types of index values that can be used to find and create the NAT session table may also be used.
Step S120, determine whether the NAT session table of the data flow is stored.
The second service board receives the data message carrying the added NAT information from the switch board or backplane, extracts the NAT conversion information, the IP quintuple and the corresponding Hash value carried in the message header, and uses the Hash value as an index to search whether the NAT session table of the data stream is stored on the current service board. If the second service board card does not store the NAT session table of the data stream, the process proceeds to step S130, and an available IP address and port are selected for conversion according to the address range corresponding to the Outside interface; if the second service board does store the NAT session table of the data stream, the process proceeds to step S150, where the IP address and port are converted according to the forward record in the NAT session table and the message is sent out through the corresponding physical interface.
Step S130, selecting an available IP address and port for conversion according to the address range corresponding to the Outside interface, and recording the conversion relation.
If the second service board card does not store the NAT session table of the data stream, the data message is the first data message of its data stream; an available public network IP address and port combination is selected from the address range and port information corresponding to the Outside interface for conversion, and the conversion relation to the selected public network IP address and port combination is recorded.
Step S140, creating a NAT session table, and adding the translation relationship to the forward and reverse records of the NAT session table, respectively.
A translation table entry, also called NAT session table, is established according to the translation relationship recorded in step S130. The NAT session table comprises parameters such as NAT identification, IP quintuple, output interface information, address range corresponding to an Outside interface and the like, and the conversion relation is respectively added into forward and reverse NAT session table records for follow-up matching search of data streams in forward and reverse directions. The forward record is the conversion record of the data flow sent from the user private network to the external public network, and the reverse record is the conversion record of the data flow sent from the external public network to the user private network.
It should be noted that the address range corresponding to each Outside interface is different. For example, if the interface ID corresponding to the Outside interface is 002 and the corresponding address range is 121.14.88.76-121.14.88.96, the address range corresponding to the Outside interface with the interface ID 007 is 121.14.82.26-121.14.82.46, each corresponding to a different address range, and the address range corresponding to each Outside interface is unique, so that only the IP address and the port converted by the user need to be ensured to be unique on the service board, thereby avoiding possible conflicts between different service boards.
For the data forwarded across boards, the NAT session table is created by concentrating on the second service board where the Outside interface is located, i.e., the downlink board, and even if multiple Inside interfaces come from different service boards, there is no problem of IP and port conflict during the conversion process.
In this embodiment, the NAT session table is stored in a hash chain table, the time complexity of hash chain table lookup is O (1), and the lookup speed is faster than the lookup and access speed in other data storage manners, and the hash chain table is used as a more preferable manner and does not limit the storage manner of the NAT session table.
[Table image not reproduced: example NAT session table entry with the fields NAT identification, IP quintuple, output interface information and address range corresponding to the Outside interface.]
For example, the IP quintuple 192.168.1.1 10000 TCP 121.14.88.76 80 consists of source IP address 192.168.1.1, source port 10000, transport layer protocol TCP, destination IP address 121.14.88.76 and destination port 80; the output interface information is the information corresponding to an Outside interface; and the address range corresponding to the Outside interface is the set of all public network IP addresses available through that Outside interface, for example the range 121.14.88.76-121.14.88.96.
And step S150, NAT conversion is carried out on the data message according to the forward record of the NAT session table, and the corresponding record in the NAT session table is updated.
If the second service board card stores the NAT session table of the data stream, reading an index value required by searching the NAT session table according to the NAT information at the head of the data message; and performing NAT conversion on the data message according to the record corresponding to the index value in the NAT session table, modifying the corresponding checksum, and updating the corresponding record information in the NAT session table to serve as a reference basis for performing NAT address conversion on the next data message.
And performing link layer information encapsulation on the data message after NAT conversion according to the link type of the Outside interface of the downlink board card, and sending out the encapsulated data message through a corresponding port.
The second service board card receives a data message returned from an external public network, performs NAT conversion according to the reverse record of the NAT session table, updates the corresponding reverse record in the NAT session table, and sends the processed data message to the first service board card; and the first service board card receives the processed data message and sends out the processed data message through a corresponding port.
And after a reverse data message returned from the external public network reaches the downlink service board card where the Outside interface is located, reading quintuple information from NAT information carried by the head part of the message to calculate a Hash value, inquiring a reverse record of the NAT session table by using the Hash value as an index value, performing reverse NAT conversion on the reverse data message according to the reverse record, finding a corresponding Inside interface through a route, sending the corresponding Inside interface out, and updating the reverse record of the NAT session table. The processing flow of the reverse data message is unified with the processing flow of the NAT data message on the same board, and the processing complexity is reduced.
When the data stream is closed or no data message is sent for a preset time, the second service board card ages and recovers the NAT session table.
For example, the second service board records the creation, update and aging times of the NAT session table; when the data flow is closed or no data message is sent for more than 2 min, the downlink board ages and recovers the NAT session table corresponding to the data flow. After that NAT session table has been aged and recovered, the next time the downlink board receives the data flow the above process is executed again and a new NAT session table is created. The distributed system creates a NAT session table for each received data flow.
The NAT session table is concentrated on the downlink service board card where the Outside interface is located to update and age the state, so that the state synchronization between the uplink board card and the downlink board card is avoided, and the system complexity and the information exchange between the board cards are reduced.
Example 2
Fig. 3 is a flowchart illustrating a NAT conversion method for a cross-board message according to a second embodiment of the present invention.
Step S210, receiving a message from an Inside interface.
And receiving a data stream needing NAT address translation from a first service board card where the Inside interface is located, and extracting a needed field.
Step S220, selecting an Outside interface.
For example, the first service board may select an egress interface according to a route forwarding table or a policy route, so as to implement traffic load sharing of multiple NAT exits, and multiple exits may be on different service boards, and NAT session tables are also distributed on different service boards, so as to fully utilize CPU resources and memory resources of different service boards.
Step S230, determining whether the Inside interface and the Outside interface are on the same service board.
Comparing the ID of the Inside interface with the ID of the Outside interface, judging whether the Inside interface and the Outside interface are on the same service board card, if so, proceeding to step S240, and directly performing NAT address conversion on the service board card where the Inside interface and the Outside interface are located; if the Inside interface and the Outside interface are not on the same service board, the process proceeds to step S250, and the NAT processing of the data packet is unified to the second service board, i.e., the downlink board where the Outside interface is located.
Step S240, a NAT session table is created, and NAT translation is performed.
When the service board cards where the Inside interface and the Outside interface are located are the same service board card, calculating a Hash value according to the IP quintuple, using the Hash value as an index value of the NAT session table, searching whether the NAT session table of the data stream exists on the service board card, and directly converting the data message according to a target IP address and a target port recorded in the NAT session table if the NAT session table of the data stream exists; if the NAT session table of the data stream does not exist, an available IP address and an available port are selected in the address range corresponding to the Outside interface for conversion, the NAT session table is established on the downlink board card, and the conversion relation is added into the forward record and the backward record of the NAT session table. In the embodiment, the NAT session table is stored in a Hash linked list mode, and the index value of the NAT session table is a Hash value.
Step S250, adding NAT information at the head of the data message, and sending the data message to the service board card where the Outside interface is located.
When the service board cards where the Inside interface and the Outside interface are located are different service board cards, adding NAT information to the head of the data message and carrying the NAT information to the downlink service board card where the Outside interface is located.
The NAT information comprises NAT identification information, NAT conversion rules, ID information of an address range corresponding to an Outside interface, an IP quintuple, a hash value calculated according to the IP quintuple, an outgoing interface, next hop information and the like.
In this embodiment, the Hash value calculated from the IP quintuple is used as the index value for looking up or creating the NAT session table on the downlink board card; for subsequent data packets the quintuple does not need to be extracted from the packet again and the Hash value does not need to be recalculated, so the processing speed is increased and repeated processing is avoided.
Step S260, determining whether NAT processing is performed on the downlink board.
Extracting the NAT identification information from the header information carried by the data message to judge whether NAT address conversion is to be carried out on the downlink board card where the Outside interface is located. If NAT processing is not carried out on the downlink board card, the process proceeds to step S270: the downlink processing flow of the service board card where the Outside interface is located directly performs link layer information encapsulation and sends the message out through the Outside interface. If NAT processing is performed on the downlink board, the process proceeds to step S280, which searches whether the NAT session table of the data stream exists on the downlink board.
Step S270, encapsulating the link layer information and sending the message out from the corresponding physical interface.
If the downlink processing flow of the service board card where the Outside interface is located does not perform NAT address translation on the data message, the data message is processed according to message forwarding in the downlink processing flow, link layer information is packaged, and the data message is sent out from the corresponding Outside interface.
Step S280, determine whether there is a NAT session table for the data flow.
Extracting a Hash value from header information carried by a data message, using the Hash value as an index value to search whether an NAT session table of the data stream exists on a current board card, if the NAT session table of the data stream exists, proceeding to step S290, and directly converting the data message according to a forward recorded destination IP address and a destination port in the NAT session table; if no NAT session table of the data stream exists, go to step S300, select an available address and port in the address range corresponding to the Outside interface for translation, and create an NAT session table according to the translation relationship.
And step S290, NAT conversion is carried out according to the NAT session table.
When the downstream board card where the Outside interface is located stores the NAT session table of the data stream, reading an index value required for searching the NAT session table according to the NAT information at the head of the data message; and performing NAT conversion on the data message according to the record corresponding to the index value in the NAT session table, and updating the forward record of the NAT session table. NAT forwarding can be performed without re-analyzing the message, and the system processing speed is improved.
Step S300, selecting the available IP address and port to convert and recording the conversion relation.
An idle and available IP address and port are selected for conversion from the address range corresponding to the Outside interface, and the conversion relation to that IP address and port is recorded. Because the address range corresponding to each Outside interface is different and unique, only the translated IP address and port of the user need to be unique on the downlink board card, which avoids possible conflicts between different board cards.
In step S310, a NAT session table is created.
A NAT session table is created from the translation relationship recorded in step S300, and the translation relationship is added to the forward and reverse records in the NAT session table.
Step S320, NAT conversion is performed.
And performing NAT address translation according to the IP address and the port in the forward record in the NAT session table.
Step S330, encapsulating the link layer information, sending the message out from the physical interface, and updating the NAT session table.
And processing the data message after NAT address conversion according to a downlink message forwarding flow, packaging link layer information according to the link type of the Outside interface, sending the link layer information out from the corresponding physical port, and updating an NAT session table according to the conversion information.
The second service board card receives a data message returned from an external public network, performs NAT conversion according to the reverse record of the NAT session table, updates the corresponding reverse record in the NAT session table, and sends the processed data message to the first service board card; the first service board card receives the processed data message and sends out the processed data message through a corresponding port.
After the reverse message returned from the external public network reaches the downlink board card where the Outside interface is located, the reverse message is matched against the NAT session table, reverse NAT conversion is carried out according to the session table, the reverse record of the NAT session table is updated according to the conversion relation, the corresponding intranet interface is then found through the route, the converted data message is sent to the uplink board card where the intranet interface is located, and the uplink board card sends it out through the corresponding physical interface, completing the cross-board data forwarding.
The reverse message processing is unified with the forwarding flow of the uplink board card: for a data message received on the Outside interface, the session table is looked up directly on the current service board card, and the IP forwarding flow is carried out after NAT conversion.
When the data stream is closed or no data message is sent for a preset time, the second service board card ages and recovers the NAT session table. State updating and aging of the NAT session table are carried out independently in the downlink processing flow of the service board card of the Outside interface; no state synchronization is required between the uplink processing flow of the service board card of the Inside interface and the downlink processing flow of the service board card of the Outside interface, so the complexity of the system and the information exchange between boards are reduced.
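The cross-board flow of steps S210 to S330, together with the reverse-path handling and the aging described above, modelled in Python as an added example (this is not code from the patent or its assignee). The board names, the address range, the 4-byte blake2b used as the quintuple hash and the 2 min age-out are constructed assumptions; the same-board case of step S240 is left to the caller, which only receives the cross-board decision.

```python
import hashlib
from dataclasses import dataclass

AGE_OUT_SECONDS = 120  # Example 1: a flow idle for more than 2 min is aged out

@dataclass(frozen=True)
class Quintuple:           # IP quintuple of a data message
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str

def quintuple_hash(q):
    # Computed once on the uplink board and carried in the NAT information; the
    # downlink board reuses it as the index (S250/S280). blake2b is an assumption.
    key = f"{q.src_ip}:{q.src_port}>{q.dst_ip}:{q.dst_port}/{q.proto}".encode()
    return int.from_bytes(hashlib.blake2b(key, digest_size=4).digest(), "big")

@dataclass(frozen=True)
class NatInfo:             # NAT information prepended by the uplink board (S250)
    nat_required: bool     # NAT identification information
    range_id: int          # ID of the address range of the Outside interface
    quintuple: Quintuple
    hash_value: int
    out_iface: str         # outgoing interface

@dataclass
class Session:             # one NAT session table entry
    inside: Quintuple
    public_ip: str
    public_port: int
    last_seen: float

def uplink_prepare(q, inside_board, outside_board, out_iface, range_id):
    # S210-S250: the Outside interface was already chosen by routing (S220);
    # returns whether the flow is cross-board (S230) and the header to carry.
    return inside_board != outside_board, NatInfo(True, range_id, q, quintuple_hash(q), out_iface)

class DownlinkBoard:
    """Owns the Outside interfaces and alone creates, updates and ages sessions."""

    def __init__(self, outside_ranges):
        # out_iface -> (range_id, public_ip, first_port, last_port); ranges are
        # disjoint per Outside interface, so uniqueness is board-local (S300)
        self.ranges = outside_ranges
        self.next_port = {name: r[2] for name, r in outside_ranges.items()}
        self.buckets = {}   # hash_value -> [Session]  (forward hash chain)
        self.reverse = {}   # (pub_ip, pub_port, peer_ip, peer_port, proto) -> Session

    def _allocate(self, out_iface):
        _range_id, pub_ip, _first, last = self.ranges[out_iface]
        port = self.next_port[out_iface]
        if port > last:
            raise RuntimeError(f"port range of {out_iface} exhausted")
        self.next_port[out_iface] = port + 1
        return pub_ip, port

    def _lookup(self, info):
        # S280: walk the hash chain; collisions are resolved by a full compare
        for s in self.buckets.get(info.hash_value, []):
            if s.inside == info.quintuple:
                return s
        return None

    def handle_forward(self, info, now):
        """S260-S330 for a message from the uplink board; returns the sent quintuple."""
        q = info.quintuple
        if not info.nat_required:
            return q                    # S270: plain forwarding, no NAT
        session = self._lookup(info)
        if session is None:             # first message of the flow: S300/S310
            pub_ip, pub_port = self._allocate(info.out_iface)
            session = Session(q, pub_ip, pub_port, now)
            self.buckets.setdefault(info.hash_value, []).append(session)
            self.reverse[(pub_ip, pub_port, q.dst_ip, q.dst_port, q.proto)] = session
        session.last_seen = now         # S330: update the forward record
        return Quintuple(session.public_ip, session.public_port, q.dst_ip, q.dst_port, q.proto)

    def handle_reverse(self, pkt, now):
        """Reply from the public network: un-NAT via the reverse record; None = no session, drop."""
        s = self.reverse.get((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto))
        if s is None:
            return None
        s.last_seen = now
        return Quintuple(pkt.src_ip, pkt.src_port, s.inside.src_ip, s.inside.src_port, pkt.proto)

    def age_out(self, now):
        # Recover sessions idle for longer than AGE_OUT_SECONDS; returns the count
        removed = 0
        for bucket in self.buckets.values():
            for s in [s for s in bucket if now - s.last_seen > AGE_OUT_SECONDS]:
                bucket.remove(s)
                i = s.inside
                del self.reverse[(s.public_ip, s.public_port, i.dst_ip, i.dst_port, i.proto)]
                removed += 1
        return removed
```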
Example 3
Fig. 4 is a schematic structural diagram of an NAT processing apparatus for a cross-board message according to an embodiment of the present invention. The NAT processing apparatus 20 for a cross-board message includes: an add module 210, a determine module 220, a convert module 230, a create module 240, and an update module 250.
The adding module 210 is configured to add NAT information to a header of a data stream from a first service board where the Inside interface is located to obtain an added data packet, and send the data packet to a second service board where the Outside interface is located, where the Inside interface is an interface for connecting a private network of a user, and the Outside interface is an interface for connecting an external public network.
The first service board card determines an Outside interface through a route forwarding table or a policy route.
Each service board card comprises at least one Inside interface and at least one Outside interface. The Outside interfaces can be distributed on different service board cards to realize multi-outlet line backup and load sharing, and different outlets can be selected according to a route forwarding table or a policy route. Multiple outlets can be arranged on different board cards, and the session tables are also distributed on different board cards, so that the CPU resources and memory resources of different service boards are fully utilized.
The NAT information may include NAT session key values, address range IDs, NAT translation methods, outgoing interface and next hop information, etc. The key value of the NAT session table is carried to the downlink processing flow of the service board card where the Outside interface is located, and when the downlink service board card searches the NAT session table, the IP quintuple does not need to be extracted from the message again and the Hash value is calculated, so that the processing speed is improved, and repeated processing is avoided. The NAT session table is organized in a hash chain table mode.
Because the address range corresponding to each Outside interface is unique, only the IP address and port converted by the user need to be ensured to be unique on the board. The session table is concentrated on the service board where the Outside interface is located, and even if a plurality of Inside interfaces come from different service boards, the problem of conflict between the converted IP and the port does not exist.
The determining module 220 is configured to determine whether the current service board stores the NAT session table of the data flow when the second service board receives the data packet.
And searching whether the service board card stores the NAT session table of the data stream or not according to the session table key value in the NAT information carried by the data message header.
The conversion module 230 is configured to select an available IP address and an available port according to the address range corresponding to the Outside interface for conversion if the second service board does not store the NAT session table of the data stream, and record the conversion relationship.
If the data message is the first data message of the data stream where the data message is located, selecting an available IP address and an available port according to the address range corresponding to the Outside interface for conversion, and recording the conversion relation between the IP address and the port.
The creating module 240 is configured to create a NAT session table, and add the translation relationship to the forward and reverse records of the NAT session table, respectively.
And creating an NAT session table according to the source IP address, the source port, the destination IP address, the destination port and other information corresponding to the data message, and respectively adding the corresponding relation into the forward hash chain table and the reverse hash chain table for matching and searching the subsequent data flow in two directions.
And an updating module 250, configured to, if the second service board stores the NAT session table of the data flow, perform NAT translation on the data packet according to the forward record of the NAT session table, and update the corresponding record in the NAT session table.
If the second service board card stores the NAT session table of the data stream, reading an index value required by searching the NAT session table according to the NAT information at the head of the data message; and performing NAT conversion on the data message according to the record corresponding to the index value in the NAT session table, and updating the forward record of the NAT session table.
And performing link layer encapsulation on the data message after NAT conversion according to the link type of the Outside interface, and sending out the encapsulated data message through a corresponding port.
The second service board card receives a data message returned from an external public network, performs NAT conversion according to the reverse record of the NAT session table, updates the corresponding reverse record in the NAT session table, and sends the processed data message to the first service board card; and the first service board card receives the processed data message and sends out the processed data message through a corresponding port. The processing flow of the reverse message is unified with the processing flow of the NAT message on the same board, and the processing complexity is reduced.
The NAT session table across boards is centralized on the downlink service board card where the Outside interface is located, and the state is updated independently, so that the state synchronization between the uplink board card and the downlink board card is avoided, and the system complexity and the information exchange between the boards are reduced.
When the data stream is closed or no data message is sent for a preset time, the second service board card ages and recovers the NAT session table.
Therefore, when the cross-board NAT flow is processed, the NAT rule is matched in the uplink processing flow of the service board card where the Inside interface is located, the NAT processing information is carried to the downlink board card where the Outside interface is located, and the NAT processing state is created, maintained and aged centrally on that downlink board card; no cross-board state synchronization and no independent NAT service board card are needed, which reduces the complexity of the system and the user cost and leaves the forwarding flow largely unchanged. The address ranges corresponding to the Outside interfaces are different and unique, so conflicts in selecting available addresses and ports are avoided, repeated occupation of resources is eliminated, and message forwarding efficiency is improved. The reverse message returned from the external public network is processed in the same flow as forwarding on the uplink board card: the downlink service board card looks up the NAT session table directly and carries out the IP forwarding flow, which reduces the processing complexity.
In the several embodiments provided in the present application, it should be understood that the disclosed system and method may be implemented in other ways. The system embodiments described above are merely illustrative, and the flowcharts and block diagrams in the figures, for example, illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, each functional module or unit in each embodiment of the present invention may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention or a part of the technical solution that contributes to the prior art in essence can be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a smart phone, a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention.

Claims (8)

1. A NAT processing method of a cross-board message is characterized by comprising the following steps:
adding NAT information to the header of a data stream from a first service board card where an Inside interface is located to obtain an added data message, and sending the data message to a second service board card where an Outside interface is located, wherein the Inside interface is an interface for connecting a private network of a user, and the Outside interface is an interface for connecting an external public network; each service board card comprises at least one Outside interface, and when the service board cards comprise a plurality of Outside interfaces, the corresponding address ranges of the Outside interfaces are different; the NAT information comprises NAT identification information, NAT conversion rules, ID information of an address range corresponding to an Outside interface, an IP quintuple, a hash value calculated according to the IP quintuple, an output interface and next hop information;
when the second service board card receives the data message, judging whether the current service board card stores an NAT session table of the data stream;
if the second service board card does not store the NAT session table of the data stream, selecting an available IP address and an available port according to the address range corresponding to the Outside interface for conversion, and recording a conversion relation;
creating an NAT session table, and respectively adding the conversion relation into the forward and reverse records of the NAT session table;
if the second service board stores the NAT session table of the data stream, performing NAT translation on the data message according to the forward record of the NAT session table, and updating the corresponding record in the NAT session table, including:
if the second service board card stores the NAT session table of the data stream, reading an index value required by searching the NAT session table according to the NAT information at the head of the data message;
and performing NAT conversion on the data message according to the record corresponding to the index value in the NAT session table, and updating the forward record of the NAT session table.
2. The NAT processing method for a cross-board message according to claim 1, wherein the first service board determines an egress interface through a route forwarding table or a policy route.
3. The NAT processing method for a cross-board message according to claim 1, wherein each service board includes at least one of the Inside interfaces.
4. The NAT method for processing cross-board message according to claim 1, wherein said index value is a hash value obtained by hashing an IP quintuple.
5. The method for NAT processing of a cross-board message according to claim 1, wherein performing NAT address translation on subsequent data messages of the data flow according to the forward record of the NAT session table, and after updating the NAT session table further comprises:
performing link layer encapsulation on the data message after NAT conversion according to the link type of the Outside interface;
and sending the encapsulated data message out through a corresponding port.
6. The NAT processing method for a cross-board message according to claim 1, further comprising:
the second service board card receives a data message returned from an external public network, performs NAT conversion according to the reverse record of the NAT session table, updates the corresponding reverse record in the NAT session table, and sends the processed data message to the first service board card;
and the first service board card receives the processed data message and sends out the processed data message through a corresponding port.
7. The NAT processing method for a cross-board message according to claim 1, wherein when the data flow is closed or no data message is sent for a preset time, the second service board ages and recovers the NAT session table.
8. An NAT processing apparatus for a cross-board message, comprising:
the system comprises an adding module, a data processing module and an output module, wherein the adding module is used for adding NAT information to the head of a data stream from a first service board card where an Inside interface is located to obtain an added data message, and sending the data message to a second service board card where an Outside interface is located, the Inside interface is an interface connected with a private network of a user, and the Outside interface is an interface connected with an external public network; each service board card comprises at least one Outside interface, and when the service board cards comprise a plurality of Outside interfaces, the corresponding address ranges of the Outside interfaces are different; the NAT information comprises NAT identification information, NAT conversion rules, ID information of an address range corresponding to an Outside interface, an IP quintuple, a hash value calculated according to the IP quintuple, an output interface and next hop information;
the judging module is used for judging whether the current service board card stores the NAT session table of the data stream or not when the second service board card receives the data message;
the conversion module is used for selecting an available IP address and an available port for conversion according to the address range corresponding to the Outside interface and recording the conversion relation if the second service board card does not store the NAT session table of the data stream;
the creating module is used for creating an NAT session table and adding the conversion relation into the forward and reverse records of the NAT session table respectively;
an updating module, configured to perform, if the second service board stores the NAT session table of the data flow, NAT translation on the data packet according to the forward record of the NAT session table, and update a corresponding record in the NAT session table, where the updating module includes:
if the second service board card stores the NAT session table of the data stream, reading an index value required by searching the NAT session table according to the NAT information at the head of the data message;
and performing NAT conversion on the data message according to the record corresponding to the index value in the NAT session table, and updating the forward record of the NAT session table.
CN201810253589.4A 2018-03-26 2018-03-26 NAT (network Address translation) processing method and device for cross-board message Active CN108173982B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810253589.4A CN108173982B (en) 2018-03-26 2018-03-26 NAT (network Address translation) processing method and device for cross-board message

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810253589.4A CN108173982B (en) 2018-03-26 2018-03-26 NAT (network Address translation) processing method and device for cross-board message

Publications (2)

Publication Number Publication Date
CN108173982A CN108173982A (en) 2018-06-15
CN108173982B true CN108173982B (en) 2020-12-22

Family

ID=62511360

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810253589.4A Active CN108173982B (en) 2018-03-26 2018-03-26 NAT (network Address translation) processing method and device for cross-board message

Country Status (1)

Country Link
CN (1) CN108173982B (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108848099B (en) * 2018-06-22 2020-11-03 杭州叙简科技股份有限公司 Port mapping system based on reverse multi-connection and port mapping method thereof
CN109819070B (en) * 2019-04-12 2020-07-07 苏州浪潮智能科技有限公司 Network address translation method
CN111510516B (en) * 2020-04-22 2022-11-08 上海御渡半导体科技有限公司 Network framework of distributed system of testing machine and communication method
CN111698344A (en) * 2020-05-28 2020-09-22 浪潮思科网络科技有限公司 Network address translation method, equipment and medium
CN112367261B (en) * 2020-11-30 2022-10-18 迈普通信技术股份有限公司 Message forwarding method and device and distributed equipment
CN113824720B (en) * 2021-09-18 2023-07-18 恒安嘉新(北京)科技股份公司 Message processing method, device, equipment and storage medium
CN113905364B (en) * 2021-10-25 2023-07-04 广州通则康威智能科技有限公司 Router uplink data tracing method, device, computer equipment and storage medium
CN114338595B (en) * 2021-12-31 2024-02-02 山石网科通信技术股份有限公司 Distributed processing method and device for message, storage medium and processor
CN114615216B (en) * 2022-03-11 2023-07-21 深圳市风云实业有限公司 Routing table dynamic adjustment method based on switching chip
CN115412526B (en) * 2022-08-17 2024-02-02 北京天融信网络安全技术有限公司 NAT processing method, device, electronic equipment and medium in distributed system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101052009A (en) * 2007-05-14 2007-10-10 中兴通讯股份有限公司 Method for realizing internal access by NAT device for private net element using public net address
CN101060493A (en) * 2007-05-14 2007-10-24 中兴通讯股份有限公司 A method of private network user access the server in a private network through domain name
CN101707569A (en) * 2009-12-21 2010-05-12 杭州华三通信技术有限公司 Method and device for processing NAT service message
CN102123101A (en) * 2011-03-21 2011-07-13 中兴通讯股份有限公司 Message processing method and device

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7539202B2 (en) * 2004-11-02 2009-05-26 Cisco Technology, Inc. Maintaining secrecy of assigned unique local addresses for IPv6 nodes within a prescribed site during access of a wide area network
CN101132424B (en) * 2007-09-29 2011-08-31 杭州华三通信技术有限公司 Network address conversion method and device thereof
CN102739820B (en) * 2012-06-28 2015-06-03 杭州华三通信技术有限公司 Message network address conversion processing method and network equipment
CN103825976B (en) * 2014-03-04 2017-05-10 新华三技术有限公司 NAT (network address translation) processing method and device in distributed system architecture
CN106790556B (en) * 2016-12-26 2019-09-17 深圳市风云实业有限公司 A kind of NAT conversation managing method based on distributed system

Also Published As

Publication number Publication date
CN108173982A (en) 2018-06-15

Similar Documents

Publication Publication Date Title
CN108173982B (en) NAT (network Address translation) processing method and device for cross-board message
US10778576B2 (en) System and method for providing a bit indexed service chain
US9559970B2 (en) Shortening of service paths in service chains in a communications network
US7558268B2 (en) Apparatus and method for combining forwarding tables in a distributed architecture router
US10069764B2 (en) Ruled-based network traffic interception and distribution scheme
US8290934B2 (en) Method and system for processing access control lists using a hashing scheme
US7237058B2 (en) Input data selection for content addressable memory
EP2544417B1 (en) Communication system, path control apparatus, packet forwarding apparatus and path control method
CN108768866B (en) Cross-card forwarding method and device for multicast message, network equipment and readable storage medium
JP2006295938A (en) Network type routing scheme
CN102857322A (en) Hybrid port range encoding
US8938579B2 (en) Method and system for using range bitmaps in TCAM access
CN106411924B (en) A kind of method creating session forwarding-table item, the method and device that E-Packets
CN104917681A (en) System and method for packet forwarding using a conjunctive normal from strategy in a content-centric network
CN110650092B (en) Data processing method and device
CN110768917B (en) Message transmission method and device
CN114640557A (en) Gateway and cloud network system
US20110249676A1 (en) Method and System for Forwarding and Switching Traffic in a Network Element
CN108777654B (en) Message forwarding method and routing equipment
US7702882B2 (en) Apparatus and method for performing high-speed lookups in a routing table
CN111147385A (en) Method and system for forwarding data plane of software defined data center network
CN114285907B (en) Data transmission method, device, electronic equipment and storage medium
CN114079634B (en) Message forwarding method and device and computer readable storage medium
CN113824781B (en) Data center network source routing method and device
US11924102B2 (en) Minimizing deviation from average latency of table lookups

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant