CN109088957A - Method, apparatus and device for NAT rule management - Google Patents


Info

Publication number
CN109088957A
Authority
CN
China
Prior art keywords
nat
rule
message
module
protocol stack
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201811004300.1A
Other languages
Chinese (zh)
Other versions
CN109088957B (en)
Inventor
赵剑川
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Comba Network Systems Co Ltd
Original Assignee
Comba Telecom Technology Guangzhou Ltd
Comba Telecom Systems China Ltd
Comba Telecom Systems Guangzhou Co Ltd
Tianjin Comba Telecom Systems Co Ltd
Application filed by Comba Telecom Technology Guangzhou Ltd, Comba Telecom Systems China Ltd, Comba Telecom Systems Guangzhou Co Ltd, Tianjin Comba Telecom Systems Co Ltd
Priority to CN201811004300.1A
Publication of CN109088957A
Application granted
Publication of CN109088957B
Legal status: Expired - Fee Related (current)
Anticipated expiration


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L61/2557 Translation policies or rules

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

This application relates to a method, apparatus and device for NAT rule management. When a processor carries out the method, it configures NAT rules into the NAT table entries of a NAT module; the NAT rules instruct the NAT module how to forward packets, and they are rules learned from the network protocol stack. With these steps, NAT forwarding rules are learned automatically and pushed down dynamically, which lowers the otherwise high management cost of hardware NAT rules. Moreover, the control plane and the forwarding plane are separated: the control plane is implemented in software, while the forwarding plane is implemented in hardware, which raises the NAT packet forwarding rate and the overall processing performance of the system. At the same time, because the control plane learns and ages rules automatically, unnecessary manual intervention is reduced and the burden on network administrators is eased.

Description

Method, apparatus and device for NAT rule management
Technical field
This application relates to the field of network communication technology, and in particular to a method and apparatus for managing NAT (Network Address Translation) rules.
Background technique
As demand for service bandwidth grows, products face ever higher requirements on packet processing speed, and the NAT function of LINUX affects that speed to some degree. Because a device that implements NAT in software must spend a certain amount of CPU (Central Processing Unit) resources on it, raising CPU performance can raise the packet forwarding rate; but high-performance CPUs are expensive, which is uneconomical in terms of cost-effectiveness.
At present, some companies have developed NAT processing hardware that implements the NAT function without consuming CPU performance. In the course of implementation, however, the inventor found that the conventional technique has at least the following problem: when the number of forwarding rules is large, the management cost of the hardware NAT rules is high.
Summary of the invention
In view of this, it is necessary to provide a method, apparatus and device for NAT rule management that address the high management cost of hardware NAT rules in the conventional technique when forwarding rules are numerous.
To achieve the above goal, in one aspect an embodiment of the present application provides a method of NAT rule management, comprising:
configuring a NAT rule into a NAT table entry in a NAT module, the NAT rule instructing the NAT module to forward packets;
the NAT rule being a rule learned from the network protocol stack.
In one embodiment, before the step of configuring the NAT rule into the NAT table entry in the NAT module, the method further comprises:
generating the NAT rule according to a NAT connection in the network protocol stack, the NAT connection being created when a packet that does not match any NAT table entry is forwarded.
In one embodiment, the step of generating the NAT rule according to the NAT connection in the network protocol stack comprises:
generating the NAT rule according to the tuple data of the NAT connection, the tuple data comprising source IP (Internet Protocol), destination IP, source port number and destination port number.
In one embodiment, the network protocol stack comprises a tracking HASH table.
Before the step of generating the NAT rule according to the NAT connection in the network protocol stack, the method further comprises:
looking up the tracking HASH table (hash table) according to a preset first period to obtain the NAT connection.
In one embodiment, the packets that do not match a NAT table entry comprise a first packet and a second packet. The first packet is a public-network packet received from the NAT module and destined for a slave service board. The second packet is a slave-service-board packet received from the NAT module and destined for the public network.
In one embodiment, the network protocol stack is a protocol stack that includes netfilter.
Before the step of generating the NAT rule according to the NAT connection in the network protocol stack, the method further comprises:
forwarding the first packet to the slave service board based on netfilter;
and/or forwarding the second packet to the public network based on netfilter.
In one embodiment, the step of forwarding the first packet to the slave service board based on netfilter comprises: modifying the destination IP address, the destination port number and the destination MAC (Media Access Control) address of the first packet.
The step of forwarding the second packet to the public network based on netfilter comprises:
modifying the source IP address and the source port number of the second packet.
In one embodiment, the method further comprises deleting expired NAT rules from the NAT table entries.
In one embodiment, before the step of deleting the expired NAT rules from the NAT table entries, the method further comprises looking up the NAT rules in the NAT table entries according to a preset second period to obtain the expired NAT rules.
In one embodiment, the method further comprises:
sending an initialization command or a control command to the NAT module, the control command being an ARP entry command, a NAT table entry command, a public-network IP command, or a private-network IP or subnet mask command.
In another aspect, an embodiment of the present application provides an apparatus for NAT rule management, comprising:
a hardware NAT rule configuration module for configuring NAT rules into NAT table entries in the NAT module; the NAT rules instruct the NAT module to forward packets and are rules learned from the network protocol stack.
In one embodiment, a device is provided, comprising a main service board, at least one slave service board, and a NAT module for connecting to the public network; the NAT module is connected to the main service board and to each slave service board.
The main service board comprises a processor for executing the NAT rule management method described above; the processor is connected to the NAT module.
In one embodiment, a first network port of the NAT module is used to connect to the public network, a second network port is connected to the processor through an MDC (Management Data Clock)/MDIO (Management Data Input/Output) interface, and a third network port is connected to the slave service board.
In one embodiment, a computer storage medium is provided on which a computer program is stored; when the program is executed by a processor it carries out the NAT rule management method described above.
One of the above technical solutions has the following advantages and beneficial effects:
the processor configures NAT rules into the NAT table entries of the NAT module; the NAT rules instruct the NAT module to forward packets; the NAT rules are rules learned from the network protocol stack. With these steps, NAT forwarding rules are learned automatically and issued dynamically, which lowers the otherwise high management cost of hardware NAT rules. Moreover, the control plane and the forwarding plane are separated: the control plane is implemented in software, while the forwarding plane is implemented in hardware, which raises the NAT packet forwarding rate and the overall processing performance of the system. At the same time, because the control plane learns and ages rules automatically, unnecessary manual intervention is reduced and the burden on network administrators is eased.
Detailed description of the invention
Other features, objects and advantages of the application will become more apparent from the detailed description of non-limiting embodiments given below with reference to the accompanying drawings:
Fig. 1 is the first schematic flowchart of the NAT rule management method in one embodiment;
Fig. 2 is the second schematic flowchart of the NAT rule management method in one embodiment;
Fig. 3 is the third schematic flowchart of the NAT rule management method in one embodiment;
Fig. 4 is the fourth schematic flowchart of the NAT rule management method in one embodiment;
Fig. 5 is the fifth schematic flowchart of the NAT rule management method in one embodiment;
Fig. 6 is the sixth schematic flowchart of the NAT rule management method in one embodiment;
Fig. 7 is the seventh schematic flowchart of the NAT rule management method in one embodiment;
Fig. 8 is the structural schematic diagram of the NAT rule management apparatus in one embodiment;
Fig. 9 is the first schematic diagram of the device in one embodiment;
Fig. 10 is the second schematic diagram of the device in one embodiment;
Fig. 11 is the third schematic diagram of the device in one embodiment;
Fig. 12 is the fourth schematic diagram of the device in one embodiment;
Fig. 13 is a schematic diagram of the operating process of the device in one embodiment.
Specific embodiment
To facilitate understanding, the application is described more fully below with reference to the relevant drawings, in which preferred embodiments of the application are shown. The application can, however, be implemented in many different forms and is not limited to the embodiments described herein; rather, these embodiments are provided so that the disclosure of the application will be more thorough and complete.
It should be noted that when an element is said to be "connected" to another element, it can be directly connected to and integrated with that other element, or intervening elements may be present at the same time.
Unless otherwise defined, all technical and scientific terms used herein have the meaning commonly understood by those skilled in the technical field to which this application belongs. The terms used in this description are for the purpose of describing specific embodiments only and are not intended to limit the application. The term "and/or" as used herein includes any and all combinations of one or more of the associated listed items.
NAT is a technology that grew out of the need to solve the shortage of IPv4 address resources. When multiple hosts on an intranet need to access the Internet, NAT lets them do so by sharing one public IP address. On a LINUX system, the netfilter module of the LINUX kernel implements packet monitoring, filtering and forwarding; combined with the iptables application it provides the NAT function. To some extent this spares the developers of LINUX-based products from rewriting NAT code. Implementing NAT in software in this way is the software NAT method.
The software NAT function affects packet processing speed to some degree. Hardware NAT, on the other hand, needs its NAT forwarding rules to be issued manually, and when there are many NAT forwarding rules the management cost of the hardware NAT rules is high. The embodiments of the present application therefore provide a method, apparatus and device for NAT rule management that learn NAT forwarding rules automatically and push them down dynamically; they can be used in products such as routers or gateways to manage the hardware NAT rules of a distributed system. Specifically, a hardware NAT module is added to the system, the main service board runs LINUX with the netfilter and conntrack functions configured, and NAT rules are learned: when a new NAT connection is found to have been created, a NAT rule is generated from that connection and configured into the NAT module.
In one embodiment, a method of NAT rule management is provided, as shown in Fig. 1, which is the first schematic flowchart of the NAT rule management method in one embodiment, comprising:
Step S120: configuring a NAT rule into a NAT table entry in the NAT module; the NAT rule instructs the NAT module to forward packets; the NAT rule is a rule learned from the network protocol stack.
Specifically, the processor learns NAT rules from the network protocol stack of the main service board and configures the learned rules into the NAT table entries of the NAT module. The NAT module thereby obtains the NAT rules of the network protocol stack dynamically and, based on its NAT table entries, performs the corresponding NAT translation and forwarding on the packets it receives.
It should be noted that the processor can be used to control the main service board to process packets and forward them according to its configuration; at the same time it can learn, from the network protocol stack of the main service board, the NAT rules on which packet forwarding is based and issue those rules to the NAT module. Specifically, the processor may be the processor of the packet processing system, or the processor of the main service board of the packet processing system, and so on.
A NAT rule is the basis on which the main service board forwards packets, and it can instruct the NAT module to forward the corresponding packets. Packets include packets sent from the public network to the system, packets sent from a service board to the public network, packets exchanged between service boards, and so on, and there are many packet types; packets exchanged with different peers and packets of different types correspond to different forwarding rules. The number of packet forwarding rules is therefore large, and so is the number of NAT rules; configuring NAT rules into the NAT module by hand requires a high management cost and suffers from low configuration efficiency and low accuracy, among other problems. The embodiments of this application learn automatically, as the main service board forwards packets, the NAT rules it uses for forwarding, and configure those rules into the NAT table entries of the NAT module.
The NAT table entries gather the various NAT rules so that the corresponding packets can be forwarded according to each NAT rule, which effectively reduces the load of the main service board, raises packet forwarding efficiency and lifts the overall processing performance of the system.
The network protocol stack can be used to record the state of the data packets involved in the NAT function; the corresponding NAT rules are generated from the recorded state.
Based on the above process, NAT forwarding rules are learned automatically and issued dynamically, reducing the high management cost of hardware NAT rules. Moreover, the control plane and the forwarding plane are separated: the control plane, implemented in software, can automatically learn new NAT rules and issue them to the NAT module; the forwarding plane, implemented in hardware, forwards packets based on the NAT module, which raises the NAT packet forwarding rate and the overall processing performance of the system. At the same time, by learning and aging rules automatically, the control plane reduces unnecessary manual intervention and eases the burden on network administrators.
In one embodiment, as shown in Fig. 2, which is the second schematic flowchart of the NAT rule management method in one embodiment, before the step of configuring the NAT rule into the NAT table entry in the NAT module the method further comprises:
Step S110: generating the NAT rule according to a NAT connection in the network protocol stack; the NAT connection is created when a packet that does not match any NAT table entry is forwarded.
Specifically, when a packet sent to the NAT module does not match any NAT table entry, the NAT module forwards the packet to the main service board, which performs NAT translation on the packet and completes the forwarding. While the main service board forwards the packet, a NAT connection is created in the network protocol stack. The processor can monitor the network protocol stack and, when a new NAT connection is created, learn a NAT rule from that connection and issue the rule to the NAT module.
It should be noted that when a packet does not match any NAT table entry, the NAT module has no rule with which to apply the NAT function to it, so it cannot complete the forwarding and the packet must be forwarded by the main service board. From the process by which the main service board forwards the packet, a NAT rule can be learned and configured into the NAT table entries. Subsequently, when the same kind of packet is sent to the NAT module, it matches a NAT table entry and the NAT module can apply the NAT function to it and complete the forwarding itself.
The NAT module thus keeps acquiring new NAT rules and can forward more and more packets; moreover, the process by which it acquires them needs no manual intervention, which reduces the burden on operations staff, lowers the management cost of hardware NAT rules and improves the efficiency and accuracy of NAT rule configuration, while also effectively improving the throughput, forwarding efficiency and operating efficiency of the system.
In one embodiment, as shown in Fig. 3, which is the third schematic flowchart of the NAT rule management method in one embodiment, the step of generating the NAT rule according to the NAT connection in the network protocol stack comprises:
Step S112: generating the NAT rule according to the tuple data of the NAT connection; the tuple data comprises source IP, destination IP, source port number and destination port number.
Specifically, a NAT connection can be divided into two directions, original and reply, and each direction can be represented by one tuple of data (tuple); the tuple contains the packet information for that direction, such as source IP, destination IP, source port number and destination port number. The corresponding NAT rule can be generated from the tuple data of the NAT connection.
Specifically, the LINUX kernel can track and record the state of a connection (including NAT connections), recording state for every packet that passes through the network protocol stack; each connection state is described by an instance of the struct nf_conn data structure.
In one embodiment, the network protocol stack comprises a tracking HASH table; as shown in Fig. 3, before the step of generating the NAT rule according to the NAT connection in the network protocol stack the method further comprises:
Step S108: looking up the tracking HASH table according to a preset first period to obtain the NAT connection.
Specifically, by periodically searching the tracking HASH table in the network protocol stack, new NAT connections can be obtained; from a new NAT connection a new NAT rule is learned and issued to the NAT module, which implements the automatic configuration of NAT rules for the NAT module.
It should be noted that the conntrack function can be configured in the network protocol stack to track and record the state of connections, that is, to record state for every packet passing through the network protocol stack and to generate the tracking HASH table. The preset first period can be configured according to actual needs, so that the NAT table entries of the NAT module are updated regularly.
In one embodiment, the packets that do not match a NAT table entry comprise a first packet and a second packet;
the first packet is a public-network packet received from the NAT module, the public-network packet being destined for a slave service board;
the second packet is a slave-service-board packet received from the NAT module, the slave-service-board packet being destined for the public network.
Specifically, the packets to which the NAT module cannot apply the NAT function and forward may be of two kinds: packets sent by the public network to the system whose destination is a slave service board, and packets sent by a slave service board whose destination is the public network.
It should be noted that the above packets do not match any NAT table entry and cannot be forwarded by the NAT module, so the NAT module forwards them to the main service board, which performs NAT translation on them and forwards them.
In one embodiment, the network protocol stack is a protocol stack that includes netfilter; as shown in Fig. 4, which is the fourth schematic flowchart of the NAT rule management method in one embodiment, before the step of generating the NAT rule according to the NAT connection in the network protocol stack the method further comprises:
Step S104: forwarding the first packet to the slave service board based on netfilter.
and/or
Step S106: forwarding the second packet to the public network based on netfilter.
Specifically, the network protocol stack of the main service board is configured with the netfilter function, so the NAT function can be implemented on the operating system of the main service board. Based on netfilter, the main service board can perform NAT translation on the first packet and the second packet and forward each to its corresponding destination.
In one embodiment, as shown in Fig. 5, which is the fifth schematic flowchart of the NAT rule management method in one embodiment, the step of forwarding the first packet to the slave service board based on netfilter comprises:
Step S105: modifying the destination IP address, the destination port number and the destination MAC (Media Access Control) address (physical address) of the first packet.
The step of forwarding the second packet to the public network based on netfilter comprises:
Step S107: modifying the source IP address and the source port number of the second packet.
Specifically, according to its configuration the main service board modifies the destination IP address, destination port number and destination MAC address of a first packet sent by the public network and forwards the modified first packet to the corresponding slave service board. It can also, according to its configuration, modify the source IP address and source port number of a second packet sent by a slave service board and forward the modified second packet to the public network.
It should be noted that the modification of IP addresses and port numbers can be decided by netfilter according to the port numbers in use on the system.
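Steps S105 and S107 name the header fields that change but not the consequence every translator, whether software or hardware, has to handle: the IPv4 header checksum and the transport checksum both cover the rewritten fields and must be recomputed, or the receiver silently drops the frame. The following is an added example, not code from the patent or from Comba, that builds a constructed Ethernet/IPv4/UDP frame, applies the first-packet rewrite (destination IP, destination port, destination MAC) and the second-packet rewrite (source IP, source port), and verifies both checksums afterwards. All addresses, MACs and ports, including the hypothetical public IP 203.0.113.5, are invented; TCP would need the same pseudo-header treatment over its own header.

```python
import socket
import struct

# Constructed values for the example: none of these come from the patent.
PUBLIC_IP = "203.0.113.5"         # hypothetical public-side address of the NAT module
SERVER_MAC = "de:ad:be:ef:00:30"  # hypothetical slave service board owning 192.168.10.30


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words. Over a header whose checksum
    field is already correct it returns 0, which is what checksums_ok() relies on."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def _udp_pseudo(ip_hdr: bytes, udp_len: int) -> bytes:
    # Pseudo-header: source IP, destination IP, zero, protocol 17, UDP length.
    return ip_hdr[12:20] + struct.pack("!BBH", 0, 17, udp_len)


def build_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Ethernet II / IPv4 (no options) / UDP frame with correct checksums."""
    udp_len = 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0x4000, 64, 17, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    udp_csum = checksum(_udp_pseudo(ip_hdr, udp_len) + udp) or 0xFFFF  # 0 means "absent" in UDP
    udp = udp[:6] + struct.pack("!H", udp_csum) + udp[8:]
    return _mac(dst_mac) + _mac(src_mac) + b"\x08\x00" + ip_hdr + udp


def apply_nat(frame: bytes, new_src=None, new_dst=None, new_dst_mac=None) -> bytes:
    """Apply one NAT rule. new_src / new_dst are (ip, port) pairs or None; new_dst_mac is
    set for the inbound (first packet) case. Both the IPv4 header checksum and the UDP
    checksum are recomputed from scratch after the rewrite."""
    eth, ip, udp = bytearray(frame[:14]), bytearray(frame[14:34]), bytearray(frame[34:])
    if ip[0] != 0x45 or ip[9] != 17:
        raise ValueError("example handles IPv4 without options carrying UDP only")
    if new_dst_mac:
        eth[0:6] = _mac(new_dst_mac)
    if new_src:
        ip[12:16] = socket.inet_aton(new_src[0])
        udp[0:2] = struct.pack("!H", new_src[1])
    if new_dst:
        ip[16:20] = socket.inet_aton(new_dst[0])
        udp[2:4] = struct.pack("!H", new_dst[1])
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    udp[6:8] = b"\x00\x00"
    udp[6:8] = struct.pack("!H", checksum(_udp_pseudo(bytes(ip), len(udp)) + bytes(udp)) or 0xFFFF)
    return bytes(eth + ip + udp)


def header_fields(frame: bytes) -> dict:
    """The fields a NAT rule touches, decoded for inspection."""
    return {
        "dst_mac": ":".join("%02x" % b for b in frame[0:6]),
        "src_ip": socket.inet_ntoa(frame[26:30]),
        "dst_ip": socket.inet_ntoa(frame[30:34]),
        "sport": struct.unpack("!H", frame[34:36])[0],
        "dport": struct.unpack("!H", frame[36:38])[0],
    }


def checksums_ok(frame: bytes) -> bool:
    """True when both the IPv4 header checksum and the UDP checksum verify."""
    ip, udp = frame[14:34], frame[34:]
    return checksum(ip) == 0 and checksum(_udp_pseudo(ip, len(udp)) + udp) == 0


if __name__ == "__main__":
    # First packet: public client -> PUBLIC_IP:8080, rewritten towards the slave board 192.168.10.30:80.
    inbound = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                          "198.51.100.9", PUBLIC_IP, 5060, 8080, b"INVITE")
    print(header_fields(apply_nat(inbound, new_dst=("192.168.10.30", 80), new_dst_mac=SERVER_MAC)))
    # Second packet: slave board host 192.168.10.20 -> public server, source rewritten to PUBLIC_IP:40001.
    outbound = build_frame("66:77:88:99:aa:bb", "de:ad:be:ef:00:20",
                           "192.168.10.20", "198.51.100.7", 45000, 53, b"query")
    print(header_fields(apply_nat(outbound, new_src=(PUBLIC_IP, 40001))))
```

The example recomputes the checksums from scratch rather than applying the incremental update of RFC 1624; either is acceptable for a hardware pipeline, but the full recomputation is the easier one to verify, and `checksums_ok` is the check to run on whatever the NAT module actually emits.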
Furthermore, the space in the NAT module for storing forwarding rules (including NAT rules), the forwarding rule table, is limited; when forwarding rules are numerous the forwarding rule table may run out of room.
In one embodiment, as shown in Fig. 6, which is the sixth schematic flowchart of the NAT rule management method in one embodiment, the method further comprises:
Step S130: deleting the expired NAT rules from the NAT table entries.
Specifically, when there are expired NAT rules in the NAT table entries, the expired NAT rules are deleted from the NAT module so that they do not occupy hardware resources; this implements dynamic change of the NAT rules in the NAT module and makes full use of the limited hardware NAT table entry resources.
It should be noted that an expired NAT rule may be a NAT rule not used within a preset time, the preset time being set according to actual needs. A NAT rule not used within the preset time corresponds to packets that are forwarded infrequently, so it has little effect on the system's forwarding and can be deleted from the NAT module, leaving the hardware resources for commonly used NAT rules.
In one embodiment, as shown in Fig. 7, which is the seventh schematic flowchart of the NAT rule management method in one embodiment, before the step of deleting the expired NAT rules from the NAT table entries the method further comprises:
Step S128: looking up the NAT rules in the NAT table entries according to a preset second period to obtain the expired NAT rules.
Specifically, the NAT rules in the NAT table entries are inspected periodically to see whether they have expired; if so, the NAT rule is deleted from the hardware.
It should be noted that the processor can, by calling the control program interface of the NAT module, delete the corresponding item from the hardware table when it finds an expired, aged NAT rule. The preset second period can be configured according to actual needs, so that expired, aged NAT rules are removed regularly and the NAT table entries of the NAT module are updated dynamically.
In one embodiment, as shown in Fig. 7, the method further comprises:
Step S102: sending an initialization command or a control command to the NAT module; the control command is an ARP entry command, a NAT table entry command, a public-network IP command, or a private-network IP or subnet mask command.
Specifically, the processor can send initialization commands and control commands to the NAT module through the control program interface of the hardware NAT.
It should be noted that the initialization command can be sent to the NAT module when it is first enabled, instructing it to initialize its resources. During the operating phase, control commands can be sent to the NAT module to instruct it to carry out the corresponding operations.
In the embodiments of this application, while there are as yet no NAT rules in the NAT module, the system uses the NAT function of the LINUX kernel on the main service board, which can be implemented by software NAT. Once the NAT rule learning process has learned NAT rules from the kernel and issued them to the NAT module, a packet sent by a slave service board that matches a NAT table entry is no longer forwarded to the main board; instead the NAT module modifies the packet according to the NAT rule and sends it directly to the external network. Likewise, a packet sent by the public network to the system that matches a NAT table entry is modified by the NAT hardware unit according to the corresponding NAT rule and forwarded to the corresponding service board. This reduces the main service board's burden of forwarding slave-service-board and public-network packets; at the same time, it raises the forwarding speed of those packets, lowers the system's latency and raises its overall throughput; and the limited hardware NAT table entry resources are used dynamically, reducing unnecessary manual intervention and the burden on administrators.
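The learning loop of steps S108, S112, S120, S128 and S130 can be put together end to end. The following added example, not the patent's or Comba's code, reads conntrack entries in the text layout of /proc/net/nf_conntrack (standing in for the tracking HASH table lookup), derives one rule per direction from the original and reply tuples, pushes the rules into a simulated fixed-size hardware table, and ages out entries that have not matched a packet within a preset timeout. The conntrack lines, addresses and ports are constructed; the `HardwareNatTable` class, its capacity and the timeouts are assumptions about the NAT module, whose real control program interface the page does not describe.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed /proc/net/nf_conntrack lines (kernel dump layout, invented values):
#   1: slave-board host 192.168.10.20 -> public server, source-NATed to 203.0.113.5:40001
#   2: public client -> public IP port 8080, destination-NATed to slave board 192.168.10.30:80
#   3: internal flow whose reply tuple is the exact inverse, i.e. not translated at all
SAMPLE_CONNTRACK = """\
ipv4 2 tcp 6 431999 ESTABLISHED src=192.168.10.20 dst=198.51.100.7 sport=45000 dport=443 src=198.51.100.7 dst=203.0.113.5 sport=443 dport=40001 [ASSURED] mark=0 zone=0 use=2
ipv4 2 udp 17 29 src=198.51.100.9 dst=203.0.113.5 sport=5060 dport=8080 src=192.168.10.30 dst=198.51.100.9 sport=80 dport=5060 mark=0 zone=0 use=1
ipv4 2 tcp 6 431999 ESTABLISHED src=192.168.10.20 dst=192.168.10.1 sport=50000 dport=22 src=192.168.10.1 dst=192.168.10.20 sport=22 dport=50000 [ASSURED] mark=0 zone=0 use=1
"""
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")
Endpoint = Tuple[str, int]

@dataclass(frozen=True)
class Tuple5:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int

    def inverse(self) -> "Tuple5":
        return Tuple5(self.proto, self.dst, self.src, self.dport, self.sport)

@dataclass(frozen=True)
class NatRule:
    """One hardware entry: a packet matching `match` has each non-None endpoint rewritten."""
    match: Tuple5
    new_src: Optional[Endpoint]
    new_dst: Optional[Endpoint]

def parse_conntrack(text: str):
    """Yield (original, reply) tuples from conntrack dump lines; skip lines without two tuples."""
    for line in text.splitlines():
        fields, pairs = line.split(), TUPLE_RE.findall(line)
        if len(fields) < 3 or len(pairs) != 2:
            continue
        orig, reply = (Tuple5(fields[2], s, d, int(sp), int(dp)) for s, d, sp, dp in pairs)
        yield orig, reply

def _rule(match: Tuple5, want: Tuple5) -> NatRule:
    """Rule that rewrites a packet matching `match` so that it matches `want`."""
    new_src = (want.src, want.sport) if (want.src, want.sport) != (match.src, match.sport) else None
    new_dst = (want.dst, want.dport) if (want.dst, want.dport) != (match.dst, match.dport) else None
    return NatRule(match, new_src, new_dst)

def rules_from_connection(orig: Tuple5, reply: Tuple5) -> List[NatRule]:
    """One rule per direction for a translated flow. An untranslated flow (reply tuple is the
    exact inverse of the original) yields nothing and so never occupies a hardware entry."""
    if reply == orig.inverse():
        return []
    # original-direction packets must leave looking like the inverse of the reply tuple, and vice versa
    return [_rule(orig, reply.inverse()), _rule(reply, orig.inverse())]

class HardwareNatTable:
    """Stand-in (assumed, not the NAT module's real interface) for its fixed-size table of NAT table entries."""
    def __init__(self, capacity: int, idle_timeout: float):
        self.capacity, self.idle_timeout = capacity, idle_timeout
        self.entries: Dict[NatRule, float] = {}  # rule -> last time a packet hit it

    def install(self, rule: NatRule, now: float) -> bool:
        if rule in self.entries:
            return True
        if len(self.entries) >= self.capacity:
            return False  # table full: the flow keeps taking the software path
        self.entries[rule] = now
        return True

    def lookup(self, pkt: Tuple5, now: float) -> Optional[NatRule]:
        """Data-plane hit: refresh the last-use time so the aging sweep keeps the entry."""
        for rule in self.entries:
            if rule.match == pkt:
                self.entries[rule] = now
                return rule
        return None

    def age_out(self, now: float) -> int:
        """Second-period sweep: remove entries idle for longer than the preset timeout."""
        expired = [r for r, t in self.entries.items() if now - t > self.idle_timeout]
        for r in expired:
            del self.entries[r]
        return len(expired)

def learn_cycle(table: HardwareNatTable, conntrack_dump: str, now: float) -> int:
    """First-period poll: read the tracking table, derive rules, push those not yet installed."""
    installed = 0
    for orig, reply in parse_conntrack(conntrack_dump):
        for rule in rules_from_connection(orig, reply):
            if rule not in table.entries and table.install(rule, now):
                installed += 1
    return installed

if __name__ == "__main__":
    table = HardwareNatTable(capacity=64, idle_timeout=300)
    print("installed", learn_cycle(table, SAMPLE_CONNTRACK, now=0), "rules:")
    for rule in table.entries:
        print(" ", rule)
    print("aged out at t=600:", table.age_out(now=600))
```

Two properties of the loop are worth keeping when porting it to a real NAT module: a flow whose reply tuple is the exact inverse of its original tuple is not translated and produces no rule, so internal traffic never costs a hardware entry; and when `install` returns False because the table is full, nothing breaks, the flow simply keeps going through the main service board's software path until the aging sweep frees an entry.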
It should be understood that although the steps in the flowcharts of Figs. 1-7 are shown in sequence as indicated by the arrows, they are not necessarily executed in that order. Unless expressly stated otherwise herein, there is no strict ordering constraint on these steps, and they can be executed in other orders. Moreover, at least some of the steps in Figs. 1-7 may comprise several sub-steps or stages, which are not necessarily completed at the same moment but may be executed at different times, and whose order of execution is not necessarily sequential either: they may be executed in turn or alternately with other steps or with at least some of the sub-steps or stages of other steps.
In one embodiment, an apparatus for NAT rule management is provided, as shown in Fig. 8, which is the structural schematic diagram of the NAT rule management apparatus in one embodiment, comprising:
a hardware NAT rule configuration module 110, for configuring NAT rules into NAT table entries in the NAT module; the NAT rules instruct the NAT module to forward packets; the NAT rules are rules learned from the network protocol stack.
In one embodiment, the apparatus further comprises:
a NAT rule learning module, for generating NAT rules according to NAT connections in the network protocol stack; a NAT connection is created when a packet that does not match any NAT table entry is forwarded.
In one embodiment, the NAT rule generation module comprises:
a NAT rule generating unit, for generating NAT rules according to the tuple data of the NAT connection; the tuple data comprises source IP, destination IP, source port number and destination port number.
In one embodiment, the network protocol stack comprises a tracking HASH table.
The NAT rule management apparatus further comprises:
a NAT connection acquisition module, for looking up the tracking HASH table according to a preset first period to obtain NAT connections.
In one embodiment, the packets that match no NAT table entry comprise a first packet and a second packet. The first packet is a public-network packet received from the NAT module, which forwarded it; the public-network packet is destined for a secondary service board. The second packet is a secondary-service-board packet received from the NAT module, which forwarded it; the secondary-service-board packet is destined for the public network.
In one embodiment, the network protocol stack is a protocol stack that contains netfilter.
The apparatus for NAT rule management further comprises:
A first packet forwarding module, for forwarding the first packet to the secondary service board based on netfilter;
and/or a second packet forwarding module, for forwarding the second packet to the public network based on netfilter.
In one embodiment, the first packet forwarding module comprises:
A first packet modifying unit, for modifying the destination IP address, the destination port number and the destination MAC address of the first packet.
The second packet forwarding module comprises:
A second packet modifying unit, for modifying the source IP address and the source port number of the second packet.
In one embodiment, the apparatus further comprises:
An expired NAT rule deletion module, for deleting the expired NAT rules from the NAT table entries.
In one embodiment, the apparatus further comprises:
An expired NAT rule obtaining module, for looking up the NAT rules in the NAT table entries at a preset second period to obtain the expired NAT rules.
In one embodiment, the apparatus further comprises:
A command sending module, for sending an initialization command or a control command to the NAT module. The control command is an ARP entry command, a NAT table entry command, a public-network IP command, a private-network IP command or a subnet mask command.
For the specific limitations of the apparatus for NAT rule management, refer to the limitations of the method for NAT rule management above; they are not repeated here. The modules of the above apparatus may be implemented wholly or partly in software, in hardware, or in a combination of the two. Each module may be embedded in hardware form in, or independent of, the processor of a computer device, or stored in software form in the memory of the computer device, so that the processor can invoke it and execute the operation corresponding to the module.
In one embodiment, a device 200 is provided, as shown in Fig. 9, which is the first schematic diagram of the device in one embodiment. The device comprises a main service board 210, at least one secondary service board 220, and a NAT module 230 for connecting to the public network 300; the NAT module 230 is connected to the main service board 210 and to each secondary service board 220.
The main service board 210 comprises a processor 212 for executing the method for NAT rule management described above; the processor 212 is connected to the NAT module 230.
When the processor 212 executes the method for NAT rule management, it performs the following step:
Configuring NAT rules into the NAT table entries in the NAT module. The NAT rules instruct the NAT module how to forward packets, and are rules learned from the network protocol stack.
In one embodiment, before the processor performs the step of configuring NAT rules into the NAT table entries in the NAT module, it also performs the following step:
Generating NAT rules from the NAT connections in the network protocol stack. A NAT connection is created when a packet that matches no NAT table entry is forwarded.
In one embodiment, when the processor performs the step of generating NAT rules from the NAT connections in the network protocol stack, it also performs the following step:
Generating the NAT rule from the tuple data of the NAT connection. The tuple data comprises the source IP, destination IP, source port number and destination port number.
In one embodiment, the network protocol stack includes a connection tracking HASH table.
Before the processor performs the step of generating NAT rules from the NAT connections in the network protocol stack, it also performs the following step:
Looking up the tracking HASH table at a preset first period to obtain the NAT connections.
In one embodiment, the packets that match no NAT table entry comprise a first packet and a second packet. The first packet is a public-network packet received from the NAT module, which forwarded it; the public-network packet is destined for a secondary service board. The second packet is a secondary-service-board packet received from the NAT module, which forwarded it; the secondary-service-board packet is destined for the public network.
In one embodiment, the network protocol stack is a protocol stack that contains netfilter.
Before the processor performs the step of generating NAT rules from the NAT connections in the network protocol stack, it also performs the following steps:
Forwarding the first packet to the secondary service board based on netfilter;
and/or forwarding the second packet to the public network based on netfilter.
In one embodiment, when the processor forwards the first packet to the secondary service board based on netfilter, it performs the following step:
Modifying the destination IP address, the destination port number and the destination MAC address of the first packet.
When the processor forwards the second packet to the public network based on netfilter, it performs the following step:
Modifying the source IP address and the source port number of the second packet.
In one embodiment, the processor also performs the following step:
Deleting the expired NAT rules from the NAT table entries.
In one embodiment, before the processor performs the step of deleting the expired NAT rules from the NAT table entries, it also performs the following step:
Looking up the NAT rules in the NAT table entries at a preset second period to obtain the expired NAT rules.
In one embodiment, the processor also performs the following step:
Sending an initialization command or a control command to the NAT module. The control command is an ARP entry command, a NAT table entry command, a public-network IP command, a private-network IP command or a subnet mask command.
In one embodiment, the first network port of the NAT module is for connecting to the public network, the second network port connects to the processor via the MDC/MDIO interface, and the third network port connects to the secondary service board.
Specifically, the NAT module may have multiple third network ports for connecting multiple secondary service boards; in addition, a third network port may itself connect to multiple secondary service boards. The processor initializes and controls the NAT module through the MDC/MDIO interface, and can also push NAT rules to the NAT module through the MDC/MDIO interface.
In one embodiment, as shown in Fig. 10, which is the second schematic diagram of the device in one embodiment, the main service board and the secondary service board are each connected through one network port to two network ports of the NAT module. The first network port of the NAT module (port 5) is for connecting to the public network, the second network port (port 0) is for connecting to the main service board, and the third network port (port 1) is for connecting to the secondary service board. This embodiment describes only one secondary service board; the case with multiple secondary service boards is similar.
The NAT module is responsible for forwarding packets. When the NAT module receives a packet from a service board, it matches the NAT table entries against the packet's source IP and source port number; if a NAT table entry matches, the packet is forwarded according to the matched NAT rule. If no NAT table entry matches, the packet is treated as inter-board traffic and forwarded to the corresponding service board according to its MAC address.
When the NAT module receives a packet from the public network, it matches the NAT table entries against the destination IP and destination port number; if a NAT table entry matches, the packet is forwarded according to the matched NAT rule. If no NAT table entry matches, the packet is forwarded out of port 0 to the main service board.
The NAT module processes a service-board packet that matched a NAT table entry as follows: 1. read the translated port number and the translated-IP-address entry number from the matched NAT table entry; 2. read the IP address from the public IP address table using the translated-IP-address entry number; 3. rewrite the packet's source IP address and source port number to the IP address and port number read, then forward the packet out of port 5 to the public network.
The NAT module processes a public-network packet that matched a NAT table entry as follows: 1. read the translated port number and the private IP address from the matched NAT table entry; 2. read the MAC address corresponding to the private IP from the host ARP table; 3. rewrite the packet's destination IP address and destination port number to the private IP address and translated port number read, and rewrite the destination MAC address to the MAC address found, then forward the packet out of port 1 to the secondary service board.
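The two forwarding paths above (a service-board packet matched on source IP and port, a public-network packet matched on destination IP and port, and the fallbacks when nothing matches) are worked out below in Python as a software model of the hardware table. This is an added example written for this page, not the patent's or the assignee's own code: the `NatModule`, `NatEntry` and `Packet` names, the board MAC to port map used for the unmatched inter-board case, and the sample addresses, MACs and table contents are all constructed here, and the handling of a private IP that has no ARP entry (treated like an unmatched packet and handed to the main board) is an assumption the page does not state.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    dst_mac: str
    ingress: int  # NAT module port the packet arrived on


@dataclass(frozen=True)
class NatEntry:
    """One hardware NAT table entry, as the page describes it."""
    private_ip: str
    private_port: int
    xlate_port: int       # translated (public-side) port number
    public_ip_index: int  # entry number in the public IP address table


class NatModule:
    PORT_MAIN = 0        # port 0: main service board
    PORT_SECONDARY = 1   # port 1: secondary service board
    PORT_PUBLIC = 5      # port 5: public network

    def __init__(self, public_ips, arp_table, board_ports):
        self.public_ips = list(public_ips)    # public IP address table
        self.arp_table = dict(arp_table)      # host ARP table: private IP -> MAC
        self.board_ports = dict(board_ports)  # board MAC -> egress port (assumed)
        self.entries = []

    def add_entry(self, entry):
        self.entries.append(entry)

    def delete_entry(self, entry):
        self.entries.remove(entry)

    def forward(self, pkt):
        """Return (egress_port, packet) for a packet arriving on pkt.ingress."""
        if pkt.ingress == self.PORT_PUBLIC:
            return self._from_public(pkt)
        return self._from_board(pkt)

    def _from_board(self, pkt):
        # Service-board direction: match on source IP and source port.
        for e in self.entries:
            if (e.private_ip, e.private_port) == (pkt.src_ip, pkt.src_port):
                public_ip = self.public_ips[e.public_ip_index]
                out = replace(pkt, src_ip=public_ip, src_port=e.xlate_port)
                return self.PORT_PUBLIC, out
        # No entry: inter-board forwarding by destination MAC. An unknown MAC
        # goes to the main board (assumption; the page does not say).
        return self.board_ports.get(pkt.dst_mac, self.PORT_MAIN), pkt

    def _from_public(self, pkt):
        # Public-network direction: match on destination IP and destination port.
        for e in self.entries:
            public_ip = self.public_ips[e.public_ip_index]
            if (public_ip, e.xlate_port) == (pkt.dst_ip, pkt.dst_port):
                mac = self.arp_table.get(e.private_ip)
                if mac is None:
                    break  # no ARP entry: treat as unmatched (assumption)
                out = replace(pkt, dst_ip=e.private_ip,
                              dst_port=e.private_port, dst_mac=mac)
                return self.PORT_SECONDARY, out
        # No entry: hand the packet to the main service board on port 0.
        return self.PORT_MAIN, pkt


def build_demo_module():
    """Constructed sample state using the addressing from the Fig. 12 description."""
    mod = NatModule(
        public_ips=["140.115.1.1"],
        arp_table={"192.168.1.2": "02:00:00:00:00:02"},
        board_ports={"02:00:00:00:00:01": NatModule.PORT_MAIN,
                     "02:00:00:00:00:02": NatModule.PORT_SECONDARY},
    )
    mod.add_entry(NatEntry("192.168.1.2", 40000, 1024, 0))
    return mod


if __name__ == "__main__":
    mod = build_demo_module()
    outbound = Packet("192.168.1.2", "203.0.113.10", 40000, 443,
                      "02:00:00:00:00:01", NatModule.PORT_SECONDARY)
    print(mod.forward(outbound))
    inbound = Packet("203.0.113.10", "140.115.1.1", 443, 1024,
                     "02:00:00:00:00:05", NatModule.PORT_PUBLIC)
    print(mod.forward(inbound))
```

The hardware only ever matches on the two fields the page names per direction, so a public-network packet for a port with no entry never reaches a secondary board directly; it goes to the main board, where netfilter decides what to do with it. That is the property a reviewer should check when validating a hardware offload of this kind.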
As shown in Fig. 11, which is the third schematic diagram of the device in one embodiment, the main service board and the secondary service board each run an embedded LINUX operating system that contains a network protocol stack. The operating system of the main service board runs a NAT module control program, which initializes and controls the NAT module through the MDC/MDIO interface protocol; the control commands include ARP entry commands, NAT table entry commands, public-network IP commands, private-network IP and subnet mask commands, and so on.
As shown in Fig. 11, the main service board also runs a NAT rule learning program (shown as a kernel thread). The function of the NAT rule learning program is mainly to monitor the packets in the network protocol stack, learn NAT rules from the network protocol stack, and finally push the NAT rules to the NAT module through the MDC/MDIO interface.
The method of learning NAT rules from the network protocol stack is as follows: based on the LINUX connection tracking module, the tracking HASH table in the kernel (init_net->ct.hash) is looked up periodically; if NAT is configured in the kernel and a NAT flow has been created, the software NAT rule of the kernel NAT can be obtained, so that the NAT rule can be pushed to the NAT module.
As shown in Fig. 12, which is the fourth schematic diagram of the device in one embodiment, at system initialization two virtual interfaces, eth0.1 and eth0.2, are created with the vconfig system command on the physical network port that connects the main service board to the NAT module. eth0.1 is used for communication with the secondary service board and its IP address is configured as 192.168.1.1; eth0.2 is used for communication with the external network and its IP address is configured as 10.140.115.1. On this basis, while no NAT rule has yet been pushed to the NAT module, packets from the secondary service board can be forwarded to the main service board. Meanwhile, the main service board configures the kernel protocol stack to enable the netfilter function with the command:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0.2 -j SNAT --to-source 140.115.1.1
This implements the software NAT function in the operating system of the main service board.
As shown in Fig. 12, at system initialization the IP address of the secondary service board is configured as 192.168.1.2 and its default gateway as 192.168.1.1. With the above configuration, in the absence of a hardware NAT rule, packets sent by the secondary service board are forwarded by the NAT module to the main service board. Because the network protocol stack of the main service board has the netfilter function enabled, it modifies, according to the configuration, the source IP address and source port number of the received secondary-service-board packet: the source IP is changed to 140.115.1.1 and the source port number to 1024 (or another number, determined by netfilter according to the port usage of the system), and the packet is then forwarded out of eth0.2. Meanwhile, the conntrack on the main service board records the forwarding rule of this connection.
As shown in Fig. 13, which is a schematic diagram of the operational flow of the device in one embodiment, the NAT rule learning process periodically looks up the tracking HASH table (init_net->ct.hash) in the kernel conntrack module; if it finds that a new NAT connection has been created, it generates a NAT rule from that connection and pushes the NAT rule to the NAT module. At the same time, it calls the NAT module control program interface to find the NAT ENTRYs that have expired and aged out (corresponding to expired NAT connections) and deletes the corresponding ENTRY from the hardware table. In this way, expired NAT table entries are prevented from occupying hardware resources.
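The learning and ageing loop just described, and the method of learning NAT rules from the protocol stack given above, as an added example that is not the patent's code: the kernel thread on the page reads init_net->ct.hash directly, while this Python version reads the same conntrack state in the text format of /proc/net/nf_conntrack (an assumption about the data source), with constructed sample records embedded. It derives one hardware rule per source-translated flow from the original and reply tuples of each record, and diffs the learned set against the rules already in hardware so that entries whose flow has aged out are deleted rather than left occupying the hardware table. The `NatRule`, `parse_conntrack` and `sync_hardware_table` names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample records in the text format of /proc/net/nf_conntrack
# (not taken from the patent). Each record carries the original-direction
# tuple followed by the reply-direction tuple. The first two flows were
# source-translated by netfilter; the third is plain inter-board traffic.
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.2 dst=203.0.113.10 sport=40000 dport=443 src=203.0.113.10 dst=140.115.1.1 sport=443 dport=1024 [ASSURED] mark=0 use=1
ipv4     2 udp      17 29 src=192.168.1.2 dst=203.0.113.53 sport=5353 dport=53 src=203.0.113.53 dst=140.115.1.1 sport=53 dport=1025 mark=0 use=1
ipv4     2 tcp      6 120 TIME_WAIT src=192.168.1.1 dst=192.168.1.2 sport=22 dport=51000 src=192.168.1.2 dst=192.168.1.1 sport=51000 dport=22 [ASSURED] mark=0 use=1
"""

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


@dataclass(frozen=True)
class NatRule:
    """One hardware NAT rule derived from a source-translated conntrack flow."""
    proto: str
    src_ip: str      # private source IP (what the hardware matches on)
    src_port: int    # private source port (what the hardware matches on)
    dst_ip: str
    dst_port: int
    xlate_ip: str    # public IP written into the packet
    xlate_port: int  # translated source port written into the packet


def parse_conntrack(text):
    """Return the set of NatRule objects implied by conntrack records."""
    rules = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        proto = fields[2]
        tuples = TUPLE_RE.findall(line)
        if len(tuples) != 2:
            continue  # malformed or truncated record
        (osrc, odst, osport, odport), (_rsrc, rdst, _rsport, rdport) = tuples
        # For an untranslated flow the reply tuple is the exact mirror of the
        # original one, so no hardware rule is needed.
        if rdst == osrc and int(rdport) == int(osport):
            continue
        rules.add(NatRule(proto, osrc, int(osport), odst, int(odport),
                          rdst, int(rdport)))
    return rules


def sync_hardware_table(hw_rules, learned_rules):
    """Diff the rules currently in hardware against the rules just learned.

    Returns (to_add, to_delete): new flows that need a hardware entry, and
    entries whose conntrack flow has aged out and must be removed.
    """
    to_add = learned_rules - hw_rules
    to_delete = hw_rules - learned_rules
    return to_add, to_delete


if __name__ == "__main__":
    learned = parse_conntrack(SAMPLE_CONNTRACK)
    # Constructed hardware state: one rule for a flow that is no longer in
    # conntrack, so the sync step should schedule it for deletion.
    stale = NatRule("tcp", "192.168.1.2", 39999, "203.0.113.10", 443,
                    "140.115.1.1", 1023)
    to_add, to_delete = sync_hardware_table({stale}, learned)
    for r in sorted(to_add, key=lambda r: (r.proto, r.src_port)):
        print("add   ", r)
    for r in sorted(to_delete, key=lambda r: (r.proto, r.src_port)):
        print("delete", r)
```

Running the diff on every polling period is what keeps the hardware table bounded: a rule that is pushed but never retired would keep translating a source port long after the kernel has released it, which is both a resource leak and a way for a later flow to inherit another flow's translation.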
In one embodiment, a computer-readable storage medium is provided, on which a computer program is stored; when the computer program is executed by a processor, it performs the following step:
Configuring NAT rules into the NAT table entries in the NAT module. The NAT rules instruct the NAT module how to forward packets;
The NAT rules are rules learned from the network protocol stack.
In one embodiment, before the computer program, when executed by the processor, performs the step of configuring NAT rules into the NAT table entries in the NAT module, it also performs the following step:
Generating NAT rules from the NAT connections in the network protocol stack. A NAT connection is created when a packet that matches no NAT table entry is forwarded.
In one embodiment, when the computer program, executed by the processor, generates NAT rules from the NAT connections in the network protocol stack, it also performs the following step:
Generating the NAT rule from the tuple data of the NAT connection. The tuple data comprises the source IP, destination IP, source port number and destination port number.
In one embodiment, the network protocol stack includes a connection tracking HASH table.
Before the computer program, executed by the processor, performs the step of generating NAT rules from the NAT connections in the network protocol stack, it also performs the following step:
Looking up the tracking HASH table at a preset first period to obtain the NAT connections.
In one embodiment, the packets that match no NAT table entry comprise a first packet and a second packet. The first packet is a public-network packet received from the NAT module, which forwarded it; the public-network packet is destined for a secondary service board. The second packet is a secondary-service-board packet received from the NAT module, which forwarded it; the secondary-service-board packet is destined for the public network.
In one embodiment, the network protocol stack is a protocol stack that contains netfilter.
Before the computer program, executed by the processor, performs the step of generating NAT rules from the NAT connections in the network protocol stack, it also performs the following steps:
Forwarding the first packet to the secondary service board based on netfilter;
and/or forwarding the second packet to the public network based on netfilter.
In one embodiment, when the computer program, executed by the processor, forwards the first packet to the secondary service board based on netfilter, it also performs the following step:
Modifying the destination IP address, the destination port number and the destination MAC address of the first packet.
When the computer program, executed by the processor, forwards the second packet to the public network based on netfilter, it also performs the following step:
Modifying the source IP address and the source port number of the second packet.
In one embodiment, when the computer program is executed by the processor, it also performs the following step:
Deleting the expired NAT rules from the NAT table entries.
In one embodiment, before the computer program, executed by the processor, performs the step of deleting the expired NAT rules from the NAT table entries, it also performs the following step:
Looking up the NAT rules in the NAT table entries at a preset second period to obtain the expired NAT rules.
In one embodiment, when the computer program is executed by the processor, it also performs the following step:
Sending an initialization command or a control command to the NAT module. The control command is an ARP entry command, a NAT table entry command, a public-network IP command, a private-network IP command or a subnet mask command.
Those of ordinary skill in the art will appreciate that all or part of the processes in the methods of the above embodiments can be implemented by a computer program instructing the relevant hardware. The computer program may be stored in a non-volatile computer-readable storage medium, and when executed may include the processes of the embodiments of the above methods. Any reference to memory, storage, a database or other media in the embodiments provided herein may include non-volatile and/or volatile memory. Non-volatile memory may include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM) or flash memory. Volatile memory may include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM) and Rambus dynamic RAM (RDRAM).
The technical features of the above embodiments may be combined arbitrarily. For brevity, not all possible combinations of the technical features of the above embodiments are described; however, as long as a combination of these technical features contains no contradiction, it should be considered within the scope of this specification.
The above embodiments express only several implementations of the present application, and their description is relatively specific and detailed, but this should not be construed as limiting the scope of the application. It should be noted that those of ordinary skill in the art can make various modifications and improvements without departing from the concept of the application, and these fall within the scope of protection of the application. Therefore, the scope of protection of the application shall be subject to the appended claims.

Claims (14)

1. A method for NAT rule management, characterized by comprising:
Configuring NAT rules into the NAT table entries in a NAT module; the NAT rules instruct the NAT module how to forward packets;
The NAT rules are rules learned from a network protocol stack.
2. The method for NAT rule management according to claim 1, characterized in that, before the step of configuring NAT rules into the NAT table entries in the NAT module, the method further comprises the step of:
Generating the NAT rules from the NAT connections in the network protocol stack; the NAT connection is created when a packet that matches no NAT table entry is forwarded.
3. The method for NAT rule management according to claim 2, characterized in that the step of generating the NAT rules from the NAT connections in the network protocol stack comprises:
Generating the NAT rules from the tuple data of the NAT connection; the tuple data comprises the source IP, destination IP, source port number and destination port number.
4. The method for NAT rule management according to claim 2, characterized in that the network protocol stack includes a tracking HASH table;
Before the step of generating the NAT rules from the NAT connections in the network protocol stack, the method further comprises the step of:
Looking up the tracking HASH table at a preset first period to obtain the NAT connections.
5. The method for NAT rule management according to claim 2, characterized in that the packets that match no NAT table entry comprise a first packet and a second packet;
The first packet is a public-network packet forwarded by and received from the NAT module; the public-network packet is destined for a secondary service board;
The second packet is a secondary-service-board packet forwarded by and received from the NAT module; the secondary-service-board packet is destined for the public network.
6. The method for NAT rule management according to claim 5, characterized in that the network protocol stack is a protocol stack containing netfilter;
Before the step of generating the NAT rules from the NAT connections in the network protocol stack, the method further comprises the steps of:
Forwarding the first packet to the secondary service board based on the netfilter;
and/or forwarding the second packet to the public network based on the netfilter.
7. The method for NAT rule management according to claim 6, characterized in that the step of forwarding the first packet to the secondary service board based on the netfilter comprises:
Modifying the destination IP address, the destination port number and the destination MAC address of the first packet;
The step of forwarding the second packet to the public network based on the netfilter comprises:
Modifying the source IP address and the source port number of the second packet.
8. The method for NAT rule management according to any one of claims 1 to 7, characterized by further comprising the step of:
Deleting the expired NAT rules from the NAT table entries.
9. The method for NAT rule management according to claim 8, characterized in that, before the step of deleting the expired NAT rules from the NAT table entries, the method further comprises the step of:
Looking up the NAT rules in the NAT table entries at a preset second period to obtain the expired NAT rules.
10. The method for NAT rule management according to any one of claims 1 to 7, characterized by further comprising the step of:
Sending an initialization command or a control command to the NAT module; the control command is an ARP entry command, a NAT table entry command, a public-network IP command, a private-network IP command or a subnet mask command.
11. An apparatus for NAT rule management, characterized by comprising:
A hardware NAT rule configuration module, for configuring NAT rules into the NAT table entries in a NAT module; the NAT rules instruct the NAT module how to forward packets;
The NAT rules are rules learned from a network protocol stack.
12. A device, characterized by comprising a main service board, at least one secondary service board, and a NAT module for connecting to a public network; the NAT module is connected to the main service board and to each secondary service board;
The main service board comprises a processor for executing the method for NAT rule management according to any one of claims 1 to 10; the processor is connected to the NAT module.
13. The device according to claim 11, characterized in that the first network port of the NAT module is for connecting to the public network, the second network port connects to the processor through the MDC/MDIO interface, and the third network port connects to the secondary service board.
14. A computer storage medium on which a computer program is stored, characterized in that, when the program is executed by a processor, it implements the method for NAT rule management according to any one of claims 1 to 10.
CN201811004300.1A 2018-08-30 2018-08-30 NAT rule management method, device and equipment Expired - Fee Related CN109088957B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811004300.1A CN109088957B (en) 2018-08-30 2018-08-30 NAT rule management method, device and equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811004300.1A CN109088957B (en) 2018-08-30 2018-08-30 NAT rule management method, device and equipment

Publications (2)

Publication Number Publication Date
CN109088957A true CN109088957A (en) 2018-12-25
CN109088957B CN109088957B (en) 2022-03-25

Family

ID=64840273

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811004300.1A Expired - Fee Related CN109088957B (en) 2018-08-30 2018-08-30 NAT rule management method, device and equipment

Country Status (1)

Country Link
CN (1) CN109088957B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111447301A (en) * 2020-03-27 2020-07-24 深圳市三旺通信股份有限公司 Rail transit vehicle-mounted NAT method adopting externally-mounted CPU
CN112866008A (en) * 2020-12-30 2021-05-28 北京天融信网络安全技术有限公司 NAT rule enabling attribute configuration method and device, electronic equipment and storage medium
CN116016391A (en) * 2022-12-29 2023-04-25 天翼云科技有限公司 Message forwarding method and system based on NAT gateway
TWI830350B (en) * 2022-04-19 2024-01-21 聯發科技股份有限公司 Methods and electronic devices for routing data packets

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013063791A1 (en) * 2011-11-04 2013-05-10 Qualcomm Atheros, Inc. Nat/firewall accelerator
CN103347014A (en) * 2013-06-25 2013-10-09 深圳市共进电子股份有限公司 Network fast forwarding module and network fast forwarding achieving method
CN108200221A (en) * 2017-12-25 2018-06-22 北京东土科技股份有限公司 Rule synchronization method and device are converted in a kind of network address translation environment

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111447301A (en) * 2020-03-27 2020-07-24 深圳市三旺通信股份有限公司 Rail transit vehicle-mounted NAT method adopting externally-mounted CPU
CN112866008A (en) * 2020-12-30 2021-05-28 北京天融信网络安全技术有限公司 NAT rule enabling attribute configuration method and device, electronic equipment and storage medium
CN112866008B (en) * 2020-12-30 2023-09-01 北京天融信网络安全技术有限公司 NAT rule enabling attribute configuration method, NAT rule enabling attribute configuration device, electronic equipment and storage medium
TWI830350B (en) * 2022-04-19 2024-01-21 聯發科技股份有限公司 Methods and electronic devices for routing data packets
CN116016391A (en) * 2022-12-29 2023-04-25 天翼云科技有限公司 Message forwarding method and system based on NAT gateway

Also Published As

Publication number Publication date
CN109088957B (en) 2022-03-25

Similar Documents

Publication Publication Date Title
US10210015B2 (en) Virtual machine (VM) migration from switched fabric based computing system to external systems
CN109088957A (en) The method, apparatus and equipment of NAT regulation management
US9088584B2 (en) System and method for non-disruptive management of servers in a network environment
JP5493926B2 (en) Interface control method, interface control method, and interface control program
US8594090B2 (en) Multicasting using a multitiered distributed virtual bridge hierarchy
CN102938794B (en) ARP message forwarding method, switch and controller
CN103997414B (en) Generate method and the network control unit of configuration information
US8171539B2 (en) Methods and apparatus for implementing a search tree
CN105262685B (en) A kind of message processing method and device
US20170180456A1 (en) Method, device, and system for controlling network device auto-provisioning
CN109937401A (en) Via the real-time migration for the load balancing virtual machine that business bypass carries out
CN105407140A (en) Calculation resource virtualization system of networked test system and method thereof
CN110430114B (en) Virtual router and method for realizing interconnection between SDN network and traditional IP network
US10382391B2 (en) Systems and methods for managing network address information
CN105812502A (en) OpenFlow-based implementation method for address resolution protocol proxy technology
CN111638957A (en) Method for realizing cluster sharing type public cloud load balance
Wang et al. A research on high-performance sdn controller
CN112242952B (en) Data forwarding method, cabinet top type switch and storage medium
WO2018120940A1 (en) Distributive business service system, centralized service control method and corresponding device thereof
CN108768851B (en) A kind of router loopback mouth method and apparatus realized based on linux system
CN108881027A (en) A kind of radius message forwarding method and device for realizing router based on linux system
CN108494679A (en) A kind of SSH message forwarding methods and device for realizing router based on linux system
WO2023206799A1 (en) Network card communication method and apparatus for ai training platform, and device and medium
CN108881026A (en) A kind of BGP message forwarding method and device for realizing router based on linux system
CN109873716A (en) Processing method, device and the storage medium of data

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20200108

Address after: 510663 Shenzhou Road, Guangzhou Science City, Guangzhou economic and Technological Development Zone, Guangdong, 10

Applicant after: COMBA TELECOM SYSTEMS (CHINA) Ltd.

Address before: 510663 Shenzhou Road 10, Guangzhou Science City, Guangzhou economic and Technological Development Zone, Guangzhou, Guangdong

Applicant before: COMBA TELECOM SYSTEMS (CHINA) Ltd.

Applicant before: COMBA TELECOM SYSTEMS (GUANGZHOU) Ltd.

Applicant before: COMBA TELECOM TECHNOLOGY (GUANGZHOU) Ltd.

Applicant before: TIANJIN COMBA TELECOM SYSTEMS Ltd.

CB02 Change of applicant information

Address after: 510663 Shenzhou Road, Guangzhou Science City, Guangzhou economic and Technological Development Zone, Guangdong, 10

Applicant after: Jingxin Network System Co.,Ltd.

Address before: 510663 Shenzhou Road, Guangzhou Science City, Guangzhou economic and Technological Development Zone, Guangdong, 10

Applicant before: COMBA TELECOM SYSTEMS (CHINA) Ltd.

GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20220325
