Specific embodiment
In order to facilitate understanding of the application, the application is described more fully below with reference to the relevant drawings. The drawings show preferred embodiments of the application. The application can, however, be realized in many different forms and is not limited to the embodiments described herein. On the contrary, these embodiments are provided so that the disclosure of the application is more thorough and comprehensive.
It should be noted that when an element is considered to be "connected" to another element, it can be directly connected to and integrated with the other element, or intervening elements may also be present.
Unless otherwise defined, all technical and scientific terms used herein have the same meaning as commonly understood by those skilled in the technical field to which the application belongs. The terms used in the description of the application are only for the purpose of describing specific embodiments and are not intended to limit the application. The term "and/or" used herein includes any and all combinations of one or more of the associated listed items.
NAT technology is a technique that grew up to solve the problem of limited IPv4 address resources. When multiple hosts in an intranet need to access the internet, NAT can be used so that they access the internet by sharing a single public IP address. In a Linux system, the netfilter module of the Linux kernel implements packet monitoring, filtering and forwarding; combined with the application program iptables, it can implement the NAT function. To a certain extent this solves the problem of product developers on Linux-based operating systems having to rewrite NAT function code themselves. This method of implementing the NAT function in software is the software NAT method.
The NAT function affects the processing speed of packets to a certain extent. Hardware NAT, on the other hand, requires NAT forwarding rules to be issued to it manually; when there are many NAT forwarding rules, the management cost of hardware NAT rules is high. For this purpose, the embodiments of the application provide a method, apparatus and device for NAT rule management that learn NAT forwarding rules automatically and issue them dynamically. They can be used in products such as routers or gateways to manage the hardware NAT rules in a distributed system. Specifically, a hardware NAT module is added to the system, the main service board runs a Linux system with the netfilter function and the conntrack function configured, and through NAT rule learning, when a new NAT connection is found to have been generated, a NAT rule is generated from that connection and configured into the NAT module.
In one embodiment, a method of NAT rule management is provided. As shown in FIG. 1, which is a first schematic flow chart of the NAT rule management method in one embodiment, the method comprises:
Step S120: configuring NAT rules into the NAT table entries in the NAT module; the NAT rules are used to instruct the NAT module to forward packets; the NAT rules are rules learnt from the network protocol stack.
Specifically, the processor learns NAT rules from the network protocol stack of the main service board and configures the learnt rules into the NAT table entries in the NAT module. The NAT module can thus dynamically acquire the NAT rules in the network protocol stack and, based on the NAT table entries, perform the corresponding NAT translation and forwarding on the packets it receives.
It should be noted that the processor can be used to control the main service board to process packets and forward them according to the configuration; at the same time, it can also learn, from the network protocol stack of the main service board, the NAT rules on which packet forwarding is based, and issue those rules to the NAT module. Specifically, the processor can be the processor of the packet processing system, or the processor of the main service board of the packet processing system, etc.
A NAT rule can be the rule on which the main service board forwards a packet, and it can be used to instruct the NAT module to forward the corresponding packet. The packets may include packets sent from the public network to the system, packets sent from a service board to the public network, packets transmitted between service boards, and so on; moreover, packet types are diverse, and packets between different interacting objects and of different types correspond to different forwarding rules. Therefore, the number of packet forwarding rules is large and the corresponding number of NAT rules is also large; configuring NAT rules into the NAT module manually requires a high management cost and suffers from low configuration efficiency and low accuracy. The embodiments of the application can, when the main service board forwards packets, automatically learn the NAT rules it uses for forwarding and configure those rules into the NAT table entries of the NAT module.
The NAT table entries can be used to aggregate the various NAT rules, so that the corresponding packets can be forwarded according to each NAT rule; this effectively reduces the load on the main service board, improves packet forwarding efficiency, and raises the overall processing performance of the system.
The network protocol stack can be used to record the state of the data packets involved in the NAT function; based on the recorded state, the corresponding NAT rules are generated.
Based on the above process, NAT forwarding rules are learnt automatically and issued dynamically, which reduces the high management cost of hardware NAT rules. Moreover, by separating the control plane from the forwarding plane, the control plane is implemented in software and can automatically learn new NAT rules and issue them to the NAT module, while the forwarding plane is implemented in hardware and forwards packets based on the NAT module, which can improve the NAT packet forwarding rate and the overall processing performance of the system. At the same time, through automatic learning and aging, the control plane can reduce unnecessary manual intervention and lighten the burden on network administrators.
In one embodiment, as shown in FIG. 2, which is a second schematic flow chart of the NAT rule management method in one embodiment, before the step of configuring NAT rules into the NAT table entries in the NAT module, the method further comprises:
Step S110: generating NAT rules according to the NAT connections in the network protocol stack; a NAT connection is generated when a packet that does not match any NAT table entry is forwarded.
Specifically, when a packet sent to the NAT module does not match any NAT table entry, the NAT module forwards the packet to the main service board, which performs NAT translation on the packet and completes the forwarding. While the main service board forwards the packet, a NAT connection is generated in the network protocol stack. The processor can monitor the network protocol stack and, when a new NAT connection is generated, learn a NAT rule from that connection and issue the NAT rule to the NAT module.
It should be noted that when a packet does not match any NAT table entry, the NAT module has no rule with which to apply the NAT function to that packet and cannot complete the forwarding, so the packet needs to be forwarded by the main service board. From the process in which the main service board forwards the packet, a NAT rule can be learnt and configured into a NAT table entry. Subsequently, when an identical packet is sent to the NAT module, it matches the NAT table entry, and the NAT module can apply the NAT function to the packet and complete the forwarding.
The NAT module can continually obtain new NAT rules and thus forward more packets; moreover, the process by which the NAT module obtains NAT rules needs no manual intervention, which reduces the burden on operations staff, reduces the management cost of hardware NAT rules, and improves the configuration efficiency and accuracy of NAT rules, while effectively improving the throughput, forwarding efficiency and operating efficiency of the system.
In one embodiment, as shown in FIG. 3, which is a third schematic flow chart of the NAT rule management method in one embodiment, the step of generating NAT rules according to the NAT connections in the network protocol stack comprises:
Step S112: generating a NAT rule according to the tuple data of the NAT connection; the tuple data includes the source IP, destination IP, source port number and destination port number.
Specifically, a NAT connection can be divided into two directions, original and reply, and each direction can be represented by one tuple; the tuple contains the packet information for the corresponding direction, such as the source IP, destination IP, source port number and destination port number. The corresponding NAT rule can be generated according to the tuple data of the NAT connection.
Specifically, in the Linux kernel the state of a connection (including a NAT connection) can be tracked and recorded: the state is recorded for all packets passing through the network protocol stack, and the state of each connection can be described by an instance of the struct nf_conn data structure.
In one embodiment, the network protocol stack includes a tracking hash table; as shown in FIG. 3, before the step of generating NAT rules according to the NAT connections in the network protocol stack, the method further comprises:
Step S108: searching the tracking hash table according to a first preset period to obtain the NAT connections.
Specifically, by periodically searching the tracking hash table in the network protocol stack, new NAT connections can be obtained; new NAT rules are learnt from the new NAT connections and issued to the NAT module, which implements the function of automatically configuring NAT rules for the NAT module.
It should be noted that the conntrack function can be configured in the network protocol stack to track and record the state of connections: it records the state of all packets passing through the network protocol stack and generates the tracking hash table. The first preset period can be configured according to actual needs, so as to periodically update the NAT table entries of the NAT module.
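The rule generation of Step S112 and the periodic search of Step S108 can be followed in the added Python example below. It is not code from the patent or from any product: the learning thread described later walks the kernel hash table (init_net->ct.hash) directly, whereas this example assumes, as a user-space stand-in, conntrack entries in the text layout of /proc/net/nf_conntrack, and the three entries, the NatRule type and all function names are constructed for the example. Each entry carries an original tuple and a reply tuple; where the reply's destination differs from the original's source, a translation took place and a source-NAT rule is derived, and a repeated scan reports only connections not seen before.

```python
import re
from dataclasses import dataclass

# Constructed sample in the text layout of /proc/net/nf_conntrack, used here as a
# user-space stand-in for the kernel tracking hash table (init_net->ct.hash).
# Line 1: TCP flow from the slave board, source-translated to 140.115.1.1:1024.
# Line 2: UDP flow from the slave board, source-translated to 140.115.1.1:1025.
# Line 3: inter-board SSH session, tracked but not translated.
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.2 dst=203.0.113.10 sport=40000 dport=443 src=203.0.113.10 dst=140.115.1.1 sport=443 dport=1024 [ASSURED] mark=0 use=1
ipv4     2 udp      17 29 src=192.168.1.2 dst=203.0.113.53 sport=5353 dport=53 src=203.0.113.53 dst=140.115.1.1 sport=53 dport=1025 mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.1 dst=192.168.1.2 sport=22 dport=51000 src=192.168.1.2 dst=192.168.1.1 sport=51000 dport=22 [ASSURED] mark=0 use=1
"""


@dataclass(frozen=True)
class NatRule:
    """One hardware NAT rule: private (ip, port) <-> public (ip, port)."""
    proto: str
    private_ip: str
    private_port: int
    public_ip: str
    public_port: int


def parse_conntrack_line(line):
    """Return (proto, original_tuple, reply_tuple), or None for an unparsable line.
    Each tuple is (src_ip, dst_ip, sport, dport), the tuple data of Step S112."""
    parts = line.split()
    if len(parts) < 3:
        return None
    proto = parts[2]
    kv = re.findall(r"\b(src|dst|sport|dport)=(\S+)", line)
    if len(kv) != 8:          # original and reply direction each carry four fields
        return None
    v = [val for _, val in kv]
    original = (v[0], v[1], int(v[2]), int(v[3]))
    reply = (v[4], v[5], int(v[6]), int(v[7]))
    return proto, original, reply


def rule_from_connection(proto, original, reply):
    """Derive a source-NAT rule from the two directions of one connection.
    The reply direction is addressed to the translated source, so the reply's
    destination (ip, port) is the public side of the mapping."""
    o_src, _o_dst, o_sport, _o_dport = original
    _r_src, r_dst, _r_sport, r_dport = reply
    if (o_src, o_sport) == (r_dst, r_dport):
        return None           # reply mirrors the original: no translation took place
    return NatRule(proto, o_src, o_sport, r_dst, r_dport)


def scan_tracking_table(table_text, known_rules):
    """One pass of the first-preset-period scan (Step S108): return the rules of
    connections not seen before and record them in known_rules."""
    new_rules = []
    for line in table_text.splitlines():
        parsed = parse_conntrack_line(line)
        if parsed is None:
            continue
        rule = rule_from_connection(*parsed)
        if rule is None or rule in known_rules:
            continue
        known_rules.add(rule)
        new_rules.append(rule)
    return new_rules


if __name__ == "__main__":
    known = set()
    for rule in scan_tracking_table(SAMPLE_CONNTRACK, known):
        print("issue to NAT module:", rule)
    print("second scan, nothing new:", scan_tracking_table(SAMPLE_CONNTRACK, known))
```

The known-rule set is what makes the periodic scan idempotent: a connection that is still in the tracking table on the next period produces no second issue to the NAT module. Only connections whose reply tuple differs from the mirrored original produce a rule, so tracked but untranslated traffic (the inter-board entry) never consumes a hardware table entry.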
In one embodiment, the packets that do not match any NAT table entry include a first packet and a second packet;
the first packet is a public-network packet received and forwarded by the NAT module; the public-network packet is to be sent to a slave service board;
the second packet is a slave-service-board packet received and forwarded by the NAT module; the slave-service-board packet is to be sent to the public network.
Specifically, the packets to which the NAT module cannot apply the NAT function and forward may be of two kinds: one is a packet sent by the public network to the system whose destination is a slave service board; the other is a packet sent by a slave service board whose destination is the public network.
It should be noted that the above packets, which do not match any NAT table entry and cannot be forwarded by the NAT module, are transmitted by the NAT module to the main service board; the main service board performs NAT translation and forwarding on them.
In one embodiment, the network protocol stack is a protocol stack that includes netfilter; as shown in FIG. 4, which is a fourth schematic flow chart of the NAT rule management method in one embodiment, before the step of generating NAT rules according to the NAT connections in the network protocol stack, the method further comprises:
Step S104: based on netfilter, forwarding the first packet to the slave service board;
and/or
Step S106: based on netfilter, forwarding the second packet to the public network.
Specifically, the network protocol stack of the main service board is configured with the netfilter function, so that the NAT function can be implemented on the operating system of the main service board. Based on netfilter, the main service board can perform NAT translation on the first packet and the second packet and forward each to its corresponding destination.
In one embodiment, as shown in FIG. 5, which is a fifth schematic flow chart of the NAT rule management method in one embodiment, the step of forwarding the first packet to the slave service board based on netfilter comprises:
Step S105: modifying the destination IP address, the destination port number and the destination MAC address (physical address) of the first packet.
The step of forwarding the second packet to the public network based on netfilter comprises:
Step S107: modifying the source IP address and the source port number of the second packet.
Specifically, the main service board can, according to its configuration, modify the destination IP address, destination port number and destination MAC address of the first packet sent by the public network, and forward the modified first packet to the corresponding slave service board. The main service board can also, according to its configuration, modify the source IP address and source port number of the second packet sent by the slave service board, and forward the modified second packet to the public network.
It should be noted that the modification of IP addresses and port numbers can be determined by netfilter according to the usage of port numbers on the system.
Further, the space in the NAT module for storing forwarding rules (including NAT rules), i.e. the forwarding rule table, is limited; when there are many forwarding rules, the forwarding rule table may run out of space.
In one embodiment, as shown in FIG. 6, which is a sixth schematic flow chart of the NAT rule management method in one embodiment, the method further comprises:
Step S130: deleting the expired NAT rules from the NAT table entries.
Specifically, when there are expired NAT rules in the NAT table entries, the expired NAT rules are deleted from the NAT module. This prevents expired NAT rules from occupying hardware resources, realizes dynamic change of the NAT rules in the NAT module, and makes full use of the limited hardware NAT table entry resources.
It should be noted that an expired NAT rule can be a NAT rule that has not been used within a preset time; the preset time can be set according to actual needs. A NAT rule not used within the preset time corresponds to packets forwarded at a low frequency and has little influence on the system's forwarding, so it can be deleted from the NAT module to keep the hardware resources for commonly used NAT rules.
In one embodiment, as shown in FIG. 7, which is a seventh schematic flow chart of the NAT rule management method in one embodiment, before the step of deleting the expired NAT rules from the NAT table entries, the method further comprises:
Step S128: searching the NAT rules in the NAT table entries according to a second preset period to obtain the expired NAT rules.
Specifically, the NAT rules in the NAT table entries are inspected periodically to determine whether they have expired; if so, the NAT rule is deleted from the hardware.
It should be noted that the processor can call the control program interface of the NAT module to find NAT rules that have expired and aged out, and delete the corresponding entries from the hardware table. The second preset period can be configured according to actual needs, so as to periodically remove expired, aged-out NAT rules and dynamically update the NAT table entries of the NAT module.
In one embodiment, as shown in FIG. 7, the method further comprises:
Step S102: sending an initialization command or a control command to the NAT module; the control command is an ARP entry command, a NAT table entry command, a public-network IP command, or a private-network IP or subnet mask command.
Specifically, the processor can send the initialization command and the control commands to the NAT module through the control program interface of the hardware NAT.
It should be noted that the initialization command can be sent to the NAT module when it is first enabled, instructing the NAT module to initialize its resources. In the operating phase, control commands can be sent to the NAT module to instruct it to complete the corresponding operations.
In the embodiments of the application, when there are no NAT rules in the NAT module yet, the system uses the NAT function of the Linux kernel of the main service board itself, where the Linux NAT function can be implemented by software NAT. After the NAT rule learning process has learnt the NAT rules from the kernel and issued them to the NAT module, packets sent by the slave service board that match a NAT table entry are no longer forwarded to the main board; instead the NAT module modifies the packet according to the NAT rule and sends it directly to the external network. In addition, packets sent from the public network to the system that match a NAT table entry are likewise modified by the hardware NAT unit according to the corresponding NAT rule and forwarded to the corresponding service board. Based on this, the burden on the main service board of forwarding slave-service-board packets or public-network packets can be reduced; at the same time, the forwarding speed of slave-service-board packets and public-network packets is raised, the latency of the system is reduced, and the overall throughput of the system is improved; moreover, the limited hardware NAT table entry resources can be used dynamically, unnecessary manual intervention is reduced, and the burden on administrators is lowered.
It should be understood that although the steps in the flow charts of FIGS. 1-7 are shown in sequence as indicated by the arrows, these steps are not necessarily executed in the order indicated by the arrows. Unless expressly stated otherwise herein, there is no strict ordering restriction on the execution of these steps, and they can be executed in other orders. Moreover, at least some of the steps in FIGS. 1-7 may include multiple sub-steps or multiple stages; these sub-steps or stages are not necessarily completed at the same moment but can be executed at different times, and their execution order is not necessarily sequential: they can be executed in turn or alternately with other steps or with at least some of the sub-steps or stages of other steps.
In one embodiment, an apparatus for NAT rule management is provided. As shown in FIG. 8, which is a structural schematic diagram of the NAT rule management apparatus in one embodiment, the apparatus comprises:
a hardware NAT rule configuration module 110, for configuring NAT rules into the NAT table entries in the NAT module; the NAT rules are used to instruct the NAT module to forward packets; the NAT rules are rules learnt from the network protocol stack.
In one embodiment, the apparatus further comprises:
a NAT rule learning module, for generating NAT rules according to the NAT connections in the network protocol stack; a NAT connection is generated when a packet that does not match any NAT table entry is forwarded.
In one embodiment, the NAT rule generation module comprises:
a NAT rule generating unit, for generating a NAT rule according to the tuple data of the NAT connection; the tuple data includes the source IP, destination IP, source port number and destination port number.
In one embodiment, the network protocol stack includes a tracking hash table.
The NAT rule management apparatus further comprises:
a NAT connection acquisition module, for searching the tracking hash table according to the first preset period to obtain the NAT connections.
In one embodiment, the packets that do not match any NAT table entry include a first packet and a second packet. The first packet is a public-network packet received and forwarded by the NAT module; the public-network packet is to be sent to a slave service board. The second packet is a slave-service-board packet received and forwarded by the NAT module; the slave-service-board packet is to be sent to the public network.
In one embodiment, the network protocol stack is a protocol stack that includes netfilter.
The NAT rule management apparatus further comprises:
a first packet forwarding module, for forwarding the first packet to the slave service board based on netfilter;
and/or a second packet forwarding module, for forwarding the second packet to the public network based on netfilter.
In one embodiment, the first packet forwarding module comprises:
a first packet modification unit, for modifying the destination IP address, the destination port number and the destination MAC address of the first packet.
The second packet forwarding module comprises:
a second packet modification unit, for modifying the source IP address and the source port number of the second packet.
In one embodiment, the apparatus further comprises:
an expired NAT rule deletion module, for deleting the expired NAT rules from the NAT table entries.
In one embodiment, the apparatus further comprises:
an expired NAT rule acquisition module, for searching the NAT rules in the NAT table entries according to the second preset period to obtain the expired NAT rules.
In one embodiment, the apparatus further comprises:
a command sending module, for sending an initialization command or a control command to the NAT module; the control command is an ARP entry command, a NAT table entry command, a public-network IP command, or a private-network IP or subnet mask command.
For the specific limitations of the NAT rule management apparatus, reference may be made to the limitations of the NAT rule management method above, which are not repeated here. The modules in the above NAT rule management apparatus can be implemented fully or partially by software, hardware, or a combination thereof. Each of the above modules can be embedded in, or independent of, the processor of the computer device in the form of hardware, or stored in the memory of the computer device in the form of software, so that the processor can call it and execute the operation corresponding to each module.
In one embodiment, a device 200 is provided. As shown in FIG. 9, which is a first schematic diagram of the device in one embodiment, the device includes a main service board 210, at least one slave service board 220, and a NAT module 230 for connecting to the public network 300; the NAT module 230 is connected to the main service board 210 and to each slave service board 220 respectively.
The main service board 210 includes a processor 212 for executing the NAT rule management method described above; the processor 212 is connected to the NAT module 230.
When the processor 212 executes the NAT rule management method, the following step is performed:
configuring NAT rules into the NAT table entries in the NAT module; the NAT rules are used to instruct the NAT module to forward packets; the NAT rules are rules learnt from the network protocol stack.
In one embodiment, before the processor executes the step of configuring NAT rules into the NAT table entries in the NAT module, the following step is also performed:
generating NAT rules according to the NAT connections in the network protocol stack; a NAT connection is generated when a packet that does not match any NAT table entry is forwarded.
In one embodiment, when the processor executes the step of generating NAT rules according to the NAT connections in the network protocol stack, the following step is also performed:
generating a NAT rule according to the tuple data of the NAT connection; the tuple data includes the source IP, destination IP, source port number and destination port number.
In one embodiment, the network protocol stack includes a tracking hash table.
Before the processor executes the step of generating NAT rules according to the NAT connections in the network protocol stack, the following step is also performed:
searching the tracking hash table according to the first preset period to obtain the NAT connections.
In one embodiment, the packets that do not match any NAT table entry include a first packet and a second packet. The first packet is a public-network packet received and forwarded by the NAT module; the public-network packet is to be sent to a slave service board. The second packet is a slave-service-board packet received and forwarded by the NAT module; the slave-service-board packet is to be sent to the public network.
In one embodiment, the network protocol stack is a protocol stack that includes netfilter.
Before the processor executes the step of generating NAT rules according to the NAT connections in the network protocol stack, the following step is also performed:
based on netfilter, forwarding the first packet to the slave service board;
and/or, based on netfilter, forwarding the second packet to the public network.
In one embodiment, when the processor executes the step of forwarding the first packet to the slave service board based on netfilter, the following step is performed:
modifying the destination IP address, the destination port number and the destination MAC address of the first packet.
When the processor executes the step of forwarding the second packet to the public network based on netfilter, the following step is performed:
modifying the source IP address and the source port number of the second packet.
In one embodiment, the processor also executes the following step:
deleting the expired NAT rules from the NAT table entries.
In one embodiment, before the processor executes the step of deleting the expired NAT rules from the NAT table entries, the following step is also performed:
searching the NAT rules in the NAT table entries according to the second preset period to obtain the expired NAT rules.
In one embodiment, the processor also executes the following step:
sending an initialization command or a control command to the NAT module; the control command is an ARP entry command, a NAT table entry command, a public-network IP command, or a private-network IP or subnet mask command.
In one embodiment, the first network port of the NAT module is used for connecting to the public network, the second network port is connected to the processor through an MDC/MDIO interface, and the third network port is connected to the slave service board.
Specifically, the NAT module can have multiple third network ports for connecting multiple slave service boards; in addition, a third network port can also be connected to multiple slave service boards. The processor can initialize and control the NAT module through the MDC/MDIO interface, and can also issue rules to the NAT module through the MDC/MDIO interface.
In one embodiment, as shown in FIG. 10, which is a second schematic diagram of the device in one embodiment, the main service board and the slave service board are each connected through a network port to one of two network ports of the NAT module. The first network port of the NAT module (port 5) is used for connecting to the public network, the second network port (port 0) is used for connecting to the main service board, and the third network port (port 1) is used for connecting to the slave service board. This embodiment describes only the case of one slave service board; the case of multiple slave service boards is similar.
The NAT module is responsible for forwarding packets. When the NAT module receives a packet from a service board, it matches the NAT table entries according to the source IP and source port number of the packet; if a NAT table entry is matched, the packet is forwarded according to the matched NAT rule. If no NAT table entry is matched, the packet is an inter-board packet and is forwarded to the corresponding service board according to its MAC address.
When the NAT module receives a packet from the public network, it matches the NAT table entries according to the destination IP and destination port number; if a NAT table entry is matched, the packet is forwarded according to the matched NAT rule. If no NAT table entry is matched, the packet is forwarded from port 0 to the main service board.
The NAT module processes a service-board packet that has matched a NAT table entry as follows: 1. read the translated port number and the translated-IP-address entry number from the matched NAT table entry; 2. read the IP address from the public-network IP address table using the translated-IP-address entry number; 3. modify the source IP address and source port number of the packet to the IP address and port number read, then forward the packet from port 5 to the public network.
The NAT module processes a public-network packet that has matched a NAT table entry as follows: 1. read the translated port number and the private-network IP address from the matched NAT table entry; 2. read the MAC address corresponding to the private-network IP from the host ARP table; 3. modify the destination IP address and destination port number of the packet to the private-network IP address and translated port number read, modify the destination MAC address to the MAC address looked up, then forward the packet from port 1 to the slave service board.
As shown in FIG. 11, which is a third schematic diagram of the device in one embodiment, the main service board and the slave service board each run an embedded Linux operating system that includes a network protocol stack. The operating system of the main service board runs a NAT module control program, which initializes and controls the NAT module through the MDC/MDIO interface protocol; the control commands include ARP entry commands, NAT table entry commands, public-network IP commands, private-network IP and subnet mask commands, and so on.
As shown in FIG. 11, the main service board also runs a NAT rule learning program (shown as a kernel thread). The function of the NAT rule learning program is mainly to monitor the packets in the network protocol stack, learn NAT rules from the network protocol stack, and finally issue the NAT rules to the NAT module through the MDC/MDIO interface.
The method of learning NAT rules from the network protocol stack is as follows: based on the Linux connection tracking module, the tracking hash table in the kernel (init_net->ct.hash) is searched periodically; if the kernel has NAT configured and a NAT flow has been generated, the software NAT rule of the kernel NAT can be obtained, so that the NAT rule can be issued to the NAT module.
As shown in FIG. 12, which is a fourth schematic diagram of the device in one embodiment, at system initialization two virtual interfaces, eth0.1 and eth0.2, are created with the vconfig system command on the physical network port that connects the main service board to the NAT module. eth0.1 is used for communicating with the slave service board and its IP address is configured as 192.168.1.1; eth0.2 is used for communicating with the external network and its IP address is configured as 10.140.115.1. On this basis, when no NAT rules have yet been issued to the NAT module, packets from the slave service board are forwarded to the main service board. At the same time, the kernel protocol stack of the main service board is configured to enable the netfilter function with the command:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0.2 -j SNAT --to 140.115.1.1
so that the software NAT function is implemented in the operating system of the main service board.
As shown in FIG. 12, at system initialization the IP of the slave service board is configured as 192.168.1.2 and its default gateway as 192.168.1.1. With the above configuration, when there are no hardware NAT rules, packets issued by the slave service board are forwarded by the NAT module to the main service board. Since the network protocol stack of the main service board has the netfilter function enabled, it modifies, according to the configuration, the source IP address and port number of the received slave-service-board packet: the source IP is changed to 140.115.1.1 and the source port number to 1024 (or another value, determined by netfilter according to the usage of port numbers on the system), and the packet is then forwarded from eth0.2. At the same time, conntrack on the main service board records the forwarding rule of this connection.
As shown in FIG. 13, which is a schematic diagram of the operating process of the device in one embodiment, the NAT rule learning process periodically searches the tracking hash table (init_net->ct.hash) in the kernel conntrack module; if it finds that a new NAT connection has been generated, it generates a NAT rule according to that connection and issues the NAT rule to the NAT module. At the same time, it calls the control program interface of the NAT module to find the NAT ENTRY that has expired and aged out (corresponding to an expired NAT connection) and deletes the corresponding ENTRY from the hardware table. In this way, expired NAT table entries are prevented from occupying hardware resources.
In one embodiment, a computer readable storage medium is provided, on which a computer program is stored. When the computer program is executed by a processor, it performs the following steps:
configuring a NAT rule into a NAT table entry of the NAT module; the NAT rule is used to instruct the NAT module to forward messages;
the NAT rule is a rule learnt from the network protocol stack.
In one embodiment, before the step of configuring the NAT rule into the NAT table entry of the NAT module, the computer program, when executed by the processor, also performs the following step:
generating the NAT rule according to a NAT connection in the network protocol stack; the NAT connection is generated when a message that does not match any NAT table entry is forwarded.
In one embodiment, when generating the NAT rule according to the NAT connection in the network protocol stack, the computer program, when executed by the processor, also performs the following step:
generating the NAT rule according to the tuple data of the NAT connection; the tuple data include the source IP, the destination IP, the source port number and the destination port number.
In one embodiment, the network protocol stack includes a connection tracking hash table.
Before the step of generating the NAT rule according to the NAT connection in the network protocol stack, the computer program, when executed by the processor, also performs the following step:
searching the connection tracking hash table according to a preset first period, to obtain the NAT connection.
In one embodiment, the messages that do not match any NAT table entry include a first message and a second message. The first message is a public network message forwarded by the NAT module and received by the main business board; the public network message is to be sent to the slave business board. The second message is a slave-business-board message forwarded by the NAT module and received by the main business board; the slave-business-board message is to be sent to the public network.
In one embodiment, the network protocol stack is a protocol stack that includes netfilter.
Before the step of generating the NAT rule according to the NAT connection in the network protocol stack, the computer program, when executed by the processor, also performs the following steps:
based on netfilter, forwarding the first message to the slave business board;
and/or, based on netfilter, forwarding the second message to the public network.
In one embodiment, when forwarding the first message to the slave business board based on netfilter, the computer program, when executed by the processor, also performs the following step:
modifying the destination IP address of the first message, the destination port number of the first message and the destination MAC address of the first message.
When forwarding the second message to the public network based on netfilter, the computer program, when executed by the processor, also performs the following step:
modifying the source IP address of the second message and the source port number of the second message.
In one embodiment, the computer program, when executed by the processor, also performs the following step:
deleting an expired NAT rule from the NAT table entries.
In one embodiment, before the step of deleting the expired NAT rule from the NAT table entries, the computer program, when executed by the processor, also performs the following step:
searching the NAT rules in the NAT table entries according to a preset second period, to obtain the expired NAT rule.
In one embodiment, the computer program, when executed by the processor, also performs the following step:
sending an initialization command or a control command to the NAT module; the control command is an ARP entry command, a NAT table entry command, a public network IP command, a private network IP command or a subnet mask command.
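The learning loop of Figure 13 and the storage-medium steps above (rule generation from the connection's tuple data, distinguishing the first and second message, deletion of expired rules) can be illustrated in user space. The following Python block is an added example and is not the patent's or any product's code: it parses connection tracking entries in the text format of /proc/net/nf_conntrack (the sample lines are constructed, not captured from a real system), derives a hardware-style NAT rule for each connection whose reply tuple shows that a source or destination translation took place, and reconciles a previously issued hardware table against the live entries so that stale entries are deleted. The NatRule structure, the reconcile function and the hardware-table keying are assumptions of this example; reading init_net->ct.hash directly would be done in the kernel, and the destination MAC rewrite of the first message is outside what conntrack records (it needs the ARP entry command).

```python
"""Added illustration: learning and ageing NAT rules from conntrack entries."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# (src_ip, dst_ip, sport, dport) as seen on the packet that created the connection.
Tuple4 = Tuple[str, str, int, int]

# Constructed sample in /proc/net/nf_conntrack format; the fifth field is the
# remaining timeout, then the original-direction and reply-direction tuples.
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.2 dst=8.8.8.8 sport=51000 dport=443 src=8.8.8.8 dst=140.115.1.1 sport=443 dport=1024 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 25 src=192.168.1.2 dst=8.8.4.4 sport=40000 dport=53 src=8.8.4.4 dst=140.115.1.1 sport=53 dport=1025 mark=0 zone=0 use=1
ipv4     2 tcp      6 300 ESTABLISHED src=203.0.113.7 dst=140.115.1.1 sport=55555 dport=8080 src=192.168.1.2 dst=203.0.113.7 sport=80 dport=55555 [ASSURED] mark=0 zone=0 use=1
ipv4     2 tcp      6 100 ESTABLISHED src=192.168.1.1 dst=192.168.1.2 sport=2222 dport=22 src=192.168.1.2 dst=192.168.1.1 sport=22 dport=2222 [ASSURED] mark=0 zone=0 use=1
ipv4     2 tcp      6 0 TIME_WAIT src=192.168.1.2 dst=8.8.8.8 sport=51001 dport=443 src=8.8.8.8 dst=140.115.1.1 sport=443 dport=1026 [ASSURED] mark=0 zone=0 use=1
"""


@dataclass(frozen=True)
class NatRule:
    """Hypothetical hardware NAT entry: match a tuple, rewrite one address and port."""
    proto: str
    direction: str   # "SNAT": slave board -> public net (second message)
                     # "DNAT": public net -> slave board (first message)
    match: Tuple4    # tuple the NAT module matches on incoming messages
    new_ip: str
    new_port: int


_TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_conntrack(text: str) -> List[Tuple[str, int, Tuple4, Tuple4]]:
    """Return (proto, timeout, original_tuple, reply_tuple) for each entry."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith("ipv"):
            continue
        proto, timeout = fields[2], int(fields[4])
        tuples = _TUPLE_RE.findall(line)
        if len(tuples) != 2:          # ignore entries whose tuples are incomplete
            continue
        orig, reply = [(s, d, int(sp), int(dp)) for s, d, sp, dp in tuples]
        entries.append((proto, timeout, orig, reply))
    return entries


def rule_from_connection(proto: str, orig: Tuple4, reply: Tuple4):
    """Derive a NAT rule from the tuple data, or None if nothing was translated."""
    o_src, o_dst, o_sport, o_dport = orig
    r_src, r_dst, r_sport, r_dport = reply
    # Without NAT the reply tuple is exactly the inverse of the original tuple.
    if (r_dst, r_dport) != (o_src, o_sport):
        # Source address/port rewritten: slave-board message bound for the public net.
        return NatRule(proto, "SNAT", orig, r_dst, r_dport)
    if (r_src, r_sport) != (o_dst, o_dport):
        # Destination rewritten: public-net message bound for the slave board.
        return NatRule(proto, "DNAT", orig, r_src, r_sport)
    return None


def learn_rules(conntrack_text: str) -> Dict[Tuple[str, Tuple4], NatRule]:
    """Rules for all live NAT connections, keyed by (proto, original tuple)."""
    rules = {}
    for proto, timeout, orig, reply in parse_conntrack(conntrack_text):
        if timeout <= 0:              # already aged out in the kernel: do not issue
            continue
        rule = rule_from_connection(proto, orig, reply)
        if rule is not None:
            rules[(proto, orig)] = rule
    return rules


def reconcile(hw_table: Dict[Tuple[str, Tuple4], NatRule], conntrack_text: str):
    """One pass of the periodic loop: rules to issue, and hardware entries to delete.

    Entries that no longer have a live connection are deleted so that expired
    table entries do not keep occupying hardware resources."""
    live = learn_rules(conntrack_text)
    to_add = [r for key, r in live.items() if key not in hw_table]
    to_delete = [r for key, r in hw_table.items() if key not in live]
    return to_add, to_delete


if __name__ == "__main__":
    add, delete = reconcile({}, SAMPLE_CONNTRACK)
    for r in add:
        print(r.direction, r.proto, r.match, "->", r.new_ip, r.new_port)
```

Running the block on the constructed sample yields two SNAT rules for the slave board's outbound TCP and UDP connections and one DNAT rule for the inbound connection to port 8080, while the untranslated management connection and the TIME_WAIT entry with a zero timeout are skipped; a second call with a hardware table holding an entry that is no longer in the listing reports it for deletion.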
Those of ordinary skill in the art will appreciate that all or part of the processes in the methods of the above embodiments can be completed by instructing the relevant hardware through a computer program. The computer program can be stored in a non-volatile computer readable storage medium, and when executed it may include the processes of the embodiments of each of the above methods. Any reference to memory, storage, a database or other media used in the embodiments provided herein may include non-volatile and/or volatile memory. Non-volatile memory may include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM) or flash memory. Volatile memory may include random access memory (RAM) or an external cache. By way of illustration and not limitation, RAM is available in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM) and Rambus dynamic RAM (RDRAM).
The technical features of the embodiments described above can be combined arbitrarily. For brevity of description, not all possible combinations of the technical features of the above embodiments are described; however, as long as there is no contradiction in the combination of these technical features, it should be considered to be within the scope of this specification.
The above embodiments express only several embodiments of the application, and their description is specific and detailed, but this cannot be interpreted as a limitation of the scope of the application. It should be pointed out that those of ordinary skill in the art can make various modifications and improvements without departing from the concept of this application, and these all belong to the scope of protection of the application. Therefore, the scope of protection of the application shall be subject to the appended claims.