CN110636151B - Message processing method and device, firewall and storage medium - Google Patents


Info

Publication number
CN110636151B
Authority
CN
China
Prior art keywords
session
message
pointer
parent
application message
Legal status
Active
Application number
CN201911023219.2A
Other languages
Chinese (zh)
Other versions
CN110636151A (en)
Inventor
张琦枫
Current Assignee
New H3C Security Technologies Co Ltd
Original Assignee
New H3C Security Technologies Co Ltd
Events
    • Application filed by New H3C Security Technologies Co Ltd
    • Priority to CN201911023219.2A
    • Publication of CN110636151A
    • Application granted
    • Publication of CN110636151B
    • Legal status: Active

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming > H04L 61/09 Mapping addresses > H04L 61/25 Mapping addresses of the same type > H04L 61/2503 Translation of Internet protocol [IP] addresses > H04L 61/2521 Translation architectures other than single NAT servers
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming > H04L 61/09 Mapping addresses > H04L 61/25 Mapping addresses of the same type > H04L 61/2503 Translation of Internet protocol [IP] addresses > H04L 61/255 Maintenance or indexing of mapping tables
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications > H04L 67/01 Protocols > H04L 67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications > H04L 67/14 Session management > H04L 67/141 Setup of application sessions

Abstract

The embodiment of the application provides a message processing method, a message processing device, a firewall and a storage medium, and relates to the technical field of communication. The scheme of this application includes: receiving an application message sent by a terminal; identifying the content of the application message; if the application message is detected to carry preset characteristics, acquiring an extended session type corresponding to the preset characteristics and updating the current session data into a data structure corresponding to the extended session type; performing NAT (Network Address Translation) on the source IP (Internet Protocol) address and source port number of the application message based on a prestored NAT table entry; and forwarding the NAT-translated application message to a server according to the updated data structure. By adopting the scheme, connection failure between the terminal and the server is avoided.

Description

Message processing method and device, firewall and storage medium
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method, an apparatus, a firewall, and a storage medium for message processing.
Background
Deep Packet Inspection (DPI) and Network Address Translation (NAT) are key services of next-generation firewalls, and DPI and NAT can currently be used in cooperation. A firewall processes a message of a protocol running on an unknown port as follows. During the TCP three-way handshake between a terminal of a multi-channel protocol and a server through the firewall, the handshake messages sent by the terminal carry no content of the multi-channel protocol, so the firewall determines through DPI that the messages belong to an ordinary TCP session. It performs NAT on the source IP address and source port number of the message, generates a NAT table entry mapping the source IP address and source port number before translation to the translated source IP address and source port number, and then sends the NAT-translated message to the server.
In order to avoid protocol port counterfeiting, when the firewall subsequently receives an application message sent by the terminal, it performs content detection on the application message through DPI. If the content detection determines that the protocol corresponding to the application message is a non-known-port protocol, the firewall generates a mapping table item between the destination IP address, destination port number and protocol type of the application message, discards the application message, and deletes the created session information, so that the NAT table item is deleted as well.
If the firewall then receives a retransmission of the application message and recognizes that the destination IP address and destination port number carried by the retransmission message are the same as those in the mapping table entry, it can determine the protocol type of the retransmission message from the mapping table entry. Since the protocol type is now known to the firewall, it can continue to process the retransmission message. Because the NAT table entry corresponding to the retransmission message has been deleted, the firewall performs NAT on the source IP address and source port number of the retransmission message again and then sends the retransmission message to the server.
After receiving the retransmission message, the server matches it against the stored quintuple information. Because the quintuple information stored in the server was generated from the message received during the TCP three-way handshake, while the source IP address and source port number in the retransmission message have undergone NAT translation a second time, and the results of the two NAT translations differ, the NAT-translated source port number carried in the retransmission message does not match the quintuple information. The server therefore cannot process the retransmission message, and the connection between the terminal and the server fails.
Disclosure of Invention
In view of this, embodiments of the present application provide a message processing method, an apparatus, a firewall, and a storage medium, so as to avoid a connection failure between a terminal and a server. The specific technical scheme is as follows:
In a first aspect, the present application provides a method for processing a packet, where the method includes:
receiving an application message sent by a terminal;
identifying the content of the application message, if the application message is detected to carry preset characteristics, updating the current session type to an extended session type corresponding to the preset characteristics, and updating the current session data structure to a data structure corresponding to the extended session type;
and performing NAT conversion on the source IP address and the source port number of the application message based on a prestored NAT table item, and forwarding the NAT-converted application message to a server according to the updated data structure.
In one possible implementation, the data structure of the extended session type includes a parent session pointer, an association table relationship, an Application Layer Gateway (ALG) service pointer space, and an ALG type;
the parent session pointer points to a parent session, and the parent session is a session established based on a control message;
the association table relationship attribute is used for representing the association relationship between a parent session and a sub-session, the sub-session is created based on a data message, and each data transmission channel corresponds to one sub-session;
the ALG pointer space is a reserved memory space for storing pointer information of an ALG corresponding to the data message;
the ALG type is the protocol type of the application message processed by the ALG.
In a possible implementation manner, the updating the current session data structure to the data structure corresponding to the extended session type includes:
acquiring the address information of the parent session matched with the application message, and setting the parent session pointer to that address information;
creating an association relation between the sub-session pointer and the parent session pointer matched with the application message, and setting the association table relationship to that association relation;
and filling the ALG type into a protocol type of a multi-channel protocol characterized by the preset characteristics.
In a second aspect, the present application provides a packet processing apparatus, including:
the receiving module is used for receiving an application message sent by a terminal;
the updating module is used for identifying the content of the application message, acquiring an extended session type corresponding to a preset feature if the application message is detected to carry the preset feature, and updating a current session data structure into a data structure corresponding to the extended session type;
the conversion module is used for carrying out NAT conversion on the source IP address and the source port number of the application message based on a prestored NAT table item;
and the forwarding module is used for forwarding the NAT-converted application message to the server according to the updated data structure.
In one possible implementation, the data structure corresponding to the extended session type includes a parent session pointer, an association table relationship, an Application Layer Gateway (ALG) service pointer space, and an ALG type;
the parent session pointer points to a parent session, and the parent session is a session established based on a control message;
the association table relationship attribute is used for representing the association relationship between a parent session and a sub-session, the sub-session is created based on a data message, and each data transmission channel corresponds to one sub-session;
the ALG pointer space is a reserved memory space for storing pointer information of an ALG corresponding to the data message;
the ALG type is the protocol type of the application message processed by the ALG.
In a possible implementation manner, the update module is specifically configured to:
acquiring the address information of the parent session matched with the application message, and setting the parent session pointer to that address information;
creating an association relation between the sub-session pointer and the parent session pointer matched with the application message, and setting the association table relationship to that association relation;
and filling the ALG type into a protocol type of a multi-channel protocol characterized by the preset characteristics.
In a third aspect, an embodiment of the present application provides a firewall, including: a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor, the processor being caused by the machine-executable instructions to implement the message processing method described in the first aspect.
In a fourth aspect, an embodiment of the present application further provides a computer-readable storage medium, where a computer program is stored in the computer-readable storage medium, and when the computer program is executed by a processor, the message processing method in the first aspect is implemented.
In a fifth aspect, an embodiment of the present application further provides a computer program product containing instructions, which when run on a computer, causes the computer to execute the message processing method described in the first aspect.
Compared with the prior art, according to the message processing method provided by the embodiment of the application, after the firewall receives the application message, if the application message is identified to carry the preset characteristics, the message is not discarded and the session is not deleted, but the extended session type corresponding to the preset characteristics is obtained, and the current session data structure is updated to the data structure corresponding to the extended session type. Because the data structure corresponding to the extended session type can support the firewall to process the application message, the session does not need to be deleted. Because the session is not deleted, the NAT table entry is not deleted, so that the firewall can perform NAT conversion on the application message based on the prestored NAT table entry and send the NAT-converted application message to the server according to the updated data structure. Because the application message received by the server is obtained based on the pre-stored NAT table conversion, the source IP address and the source port number carried by the application message after the NAT conversion are matched with the quintuple information stored by the server, and the terminal can be successfully connected with the server.
Of course, not all advantages described above need to be achieved at the same time in the practice of any one product or method of the present application.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic diagram of a network architecture according to an embodiment of the present application;
fig. 2 is a flowchart of a message processing method provided in the related art;
fig. 3 is a flowchart of a message processing method according to an embodiment of the present application;
fig. 4 is a flowchart of another message processing method according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of a message processing apparatus according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of a firewall according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The architecture of the system applied to the embodiment of the present application is shown in fig. 1, and the system includes a terminal 10, a firewall 20 and a server 30.
Firewall 20 has DPI application identification and NAT functions, and accordingly firewall 20 may include a DPI application identification module and a NAT module.
The terminal 10 in the embodiment of the present application is a terminal installed with a client of a multi-channel protocol, and the server 30 is a server capable of processing a multi-channel protocol service.
Fig. 1 exemplarily shows one terminal, one firewall, and one server, and the number of devices in practical application is not limited thereto.
Referring to fig. 2, the message processing flow in the related art is described below, taking the interaction between a File Transfer Protocol (FTP) client and an FTP server as an example. As shown in fig. 2, it is assumed that the IP address of the FTP client is 192.168.1.3, the IP address of the FTP server is 1.1.1.2, and the server port number is 3021. The method specifically comprises the following steps:
S201, the FTP client sends a TCP three-way handshake message to the firewall; the source address and source port number of the message are 192.168.1.3/1111, and the destination address and destination port number are 1.1.1.2/3021.
In the embodiment of the present application, it is assumed that port number 3021 is unknown, i.e., the firewall cannot determine the protocol type from the port number.
S202, the application identification module of the firewall performs DPI on the TCP three-way handshake packet and cannot determine the protocol type from the destination port number 3021 of the packet.
S203, the application identification module of the firewall forwards the TCP three-way handshake message to the NAT module.
S204, the NAT module performs NAT on the TCP handshake message, generating the NAT-translated TCP handshake message and a NAT table entry.
The source IP address and source port number of the NAT-translated TCP handshake message are 20.1.1.1/2220.
The NAT table entry includes the source IP address and source port number before translation (192.168.1.3/1111) and the source IP address and source port number after translation (20.1.1.1/2220).
S205, the firewall sends the TCP three-way handshake message after NAT conversion to the FTP server.
In fig. 1, the detailed process of the TCP three-way handshake is omitted, and the process of performing the TCP three-way handshake between the client and the server may refer to the description in the related art.
After the TCP three-way handshake is completed, S206 may be performed.
S206, the FTP server establishes a TCP connection with the FTP client.
In this step, the quintuple information of the session maintained by the FTP server includes: source IP address (20.1.1.1), source port number (2220), destination address (1.1.1.2), destination port number (3021), protocol type (TCP).
S207, the FTP client sends the application message to the firewall.
The source address and the source port number of the application message are 192.168.1.3/1111, and the destination address and the destination port number are: 1.1.1.2/3021.
S208, the DPI application recognition module of the firewall determines that the destination port of the application message is an FTP port by performing content recognition on the application message, creates a non-known port mapping table entry, and deletes the established session information.
In this step, the entry maps a destination IP address and destination port number to the type of the unknown-port protocol; here it maps 1.1.1.2/3021 to the FTP protocol.
S209, the firewall discards the application message, and the NAT module of the firewall deletes the NAT table entry.
S210, the FTP client sends a retransmission message to the firewall.
The retransmission packet is a retransmission packet of the application packet, so the source address and the source port number of the retransmission packet are still 192.168.1.3/1111, and the destination address and the destination port number are still: 1.1.1.2/3021.
S211, the DPI application recognition module of the firewall determines the protocol type of the retransmission message according to the non-known port mapping table entry.
The DPI application identification module can match a destination address and a destination port number of a retransmission message with a destination address and a destination port number in a non-known port mapping table entry, and if the matching is successful, the protocol type of the retransmission message is determined to be the protocol type in the non-known port mapping table entry.
S212, the DPI application recognition module of the firewall forwards the retransmission message to the NAT module.
S213, the NAT module of the firewall performs NAT on the retransmission message, generating the NAT-translated retransmission message and a new NAT table entry.
Since the NAT entry corresponding to the application packet has been deleted in S209, in this step, NAT translation is performed on the retransmission packet again, and this time, NAT translation translates the source IP address and the source port number of the retransmission packet into 20.1.1.1/2221.
S214, the firewall sends the retransmission message after NAT conversion to the FTP server.
S215, the FTP server matches the retransmission message with the quintuple information, and the FTP server cannot process the retransmission message when the matching fails.
The source IP address and source port number carried by the NAT-translated retransmission message are 20.1.1.1/2221, whereas those in the session five-tuple maintained by the FTP server since S206 are 20.1.1.1/2220. The retransmission message therefore does not match the five-tuple information, the connection between the FTP client and the FTP server fails, and the FTP client may suffer a service interruption.
In order to solve the foregoing problem, an embodiment of the present application provides a message processing method, which may be applied to the firewall in fig. 1, and as shown in fig. 3, the method includes:
S301, receiving the application message sent by the terminal.
S302, identifying the content of the application message, if the application message is detected to carry the preset feature, acquiring an extended session type corresponding to the preset feature, and updating the current session data structure into a data structure corresponding to the extended session type.
Optionally, the firewall may perform content identification on the application packet through DPI. The preset feature is used for representing a multi-channel protocol, that is, if the application message is detected to carry the preset feature, the protocol corresponding to the application message is determined to be the multi-channel protocol, and then the extended session type corresponding to the preset feature is obtained.
In the embodiment of the application, preset features of multiple multi-channel protocols are pre-stored, and the preset features of the multi-channel protocols correspond to the extension session types. For example, if it is detected that the application packet carries a preset feature for representing an FTP Protocol, or that the application packet carries a preset feature for representing a Session Initiation Protocol (SIP), the extended Session type is obtained.
The preset feature may be a character related to the multi-channel protocol, or an identifier of the multi-channel protocol, or other information capable of characterizing the multi-channel protocol, which is not limited in this embodiment of the present application. For example, if it is detected that the field of the application packet includes the "FTP" character, the extended session type is obtained.
In the embodiment of the present application, the main differences between the extended session type and the current session type are: the data structure corresponding to the extended session type includes an association table relationship that includes one or more association table entries, each association table entry for associating a different session belonging to the same application. The data structure corresponding to the extended session type will be described in detail below.
S303, NAT conversion is carried out on the source IP address and the source port number of the application message based on the prestored NAT table item, and the application message after NAT conversion is forwarded to the server according to the updated data structure.
The pre-stored NAT table entry comprises the corresponding relation between the source IP address and the source port number before NAT conversion and the source IP address and the source port number after NAT conversion when NAT conversion is carried out on the message from the terminal last time.
Compared with the prior art, according to the message processing method provided by the embodiment of the application, after the firewall receives the application message, if the application message is identified to carry the preset characteristics, the message is not discarded and the session is not deleted, but the extended session type corresponding to the preset characteristics is obtained, and the current session data structure is updated to the data structure corresponding to the extended session type. Because the data structure corresponding to the extended session type can support the firewall to process the application message, the session does not need to be deleted. Because the session is not deleted, the NAT table entry is not deleted, so that the firewall can perform NAT conversion on the application message based on the prestored NAT table entry and send the NAT-converted application message to the server according to the updated data structure. Because the application message received by the server is obtained by converting based on the prestored NAT table item, the source IP address and the source port number carried by the application message after NAT conversion are matched with the quintuple information stored by the server, and the terminal can be successfully connected with the server.
In an embodiment of the present application, for detecting that the application packet in S302 carries a preset feature, the embodiment of the present application may specifically detect the preset feature carried by the application packet in the following manner:
and extracting message characteristics from the specified position of the application message, and if the extracted message characteristics are matched with the preset characteristics corresponding to the pre-stored multi-channel protocol, determining that the application message carries the preset characteristics.
The firewall pre-stores the preset features corresponding to each multi-channel protocol, for example feature A, feature B and feature C for the FTP protocol. If the packet features extracted from the designated location of the application packet all match feature A, feature B and feature C, it is determined that the application packet carries the features characterizing the FTP protocol, that is, the protocol type corresponding to the application packet is FTP.
In another embodiment of the present application, the data structure corresponding to the extended session type in S302 includes a parent session pointer, an association table relationship, an Application Layer Gateway (ALG) service pointer space, and an ALG type;
the parent session pointer points to a parent session, and the parent session is a session created based on the control message.
The relationship attribute of the association table is used for representing the association relationship between the parent session and the sub-session, the sub-session is created based on the data message, and each data transmission channel corresponds to one sub-session.
The ALG pointer space is a reserved memory space for storing the pointer information of the ALG corresponding to the data message.
The ALG type is the protocol type of the application message processed by the ALG.
Based on the data structure, the specific implementation manner of updating the current session data structure to the data structure corresponding to the extended session type in S302 is as follows:
acquiring the address information of the parent session matched with the application message, and setting the parent session pointer to that address information; creating an association relation between the sub-session pointer and the parent session pointer matched with the application message, and setting the association table relationship to that association relation; and setting the ALG type to the protocol type of the multi-channel protocol characterized by the preset features.
In this step, since the ALG service is not involved, it is not necessary to fill attribute data corresponding to the application layer gateway service ALG pointer, and the ALG pointer may be filled in the ALG pointer space when performing the ALG service subsequently.
The address information of the parent session may be a storage address of the parent session, or an identifier of the parent session, that is, the parent session may be searched and acquired according to the parent session pointer.
After the current session data structure is updated to the data structure corresponding to the extended session type, a service between the terminal and the server, such as an ALG service, may be performed subsequently according to the data structure.
In the embodiment of the present application, for a multi-channel protocol, taking an FTP protocol as an example, a parent session is a session created between a terminal and a server for transmitting a control message, and a sub-session is a session created between the terminal and the server for transmitting an FTP application message. For the FTP protocol, there is one data transmission channel between the terminal and the server, i.e. one sub-session.
For the SIP protocol, a plurality of data transmission channels may exist between the terminal and the server, each data transmission channel corresponds to one sub-session, that is, there is an association relationship between one parent session and a plurality of sub-sessions belonging to the same application.
After the association relation between the sub-session pointer and the parent session pointer is created, it is linked to both the parent session control block and the sub-session control block. In subsequent message processing, the parent session control block can look up the sub-session pointer through its own pointer and the association relation, and likewise the sub-session control block can look up the parent session pointer through its own pointer and the association relation.
In the embodiment of the application, the form and the data size of the data structure corresponding to the extended session type are different from those of the session data structure before updating, the session data structure before updating corresponds to the session type of the parent session, and the data structure corresponding to the extended session type includes the association relationship between the parent session and the child session.
Based on the network architecture shown in fig. 1, the message processing method in the embodiment of the present application is described by taking FTP as the example multi-channel protocol; as shown in fig. 4, the method specifically includes:
S401 to S407 are the same as S201 to S207, and reference may be made to the related description above, which is not repeated herein.
S408, the DPI application identification module of the firewall determines that the protocol type corresponding to the application message is the multi-channel protocol FTP through content detection, obtains the extension session type corresponding to the FTP, and updates the current session data structure to the data structure corresponding to the extension session type.
It is to be understood that, in the process of updating the data structure corresponding to the extended session type, each attribute data included in the data structure may be populated.
S409, the DPI application identification module of the firewall forwards the application message to the NAT module.
S410, the NAT module of the firewall performs NAT conversion on the application message according to the NAT table entry.
The NAT entry is the NAT entry in S204, that is, the NAT entry includes the source IP address and the source port number before the translation (192.168.1.3/1111) and the source IP address and the source port number after the translation (20.1.1.1/2220).
In this step, the source IP address of the application packet is converted into 20.1.1.1 according to the NAT entry, and the source port number is converted into 2220.
S411, the firewall sends the NAT-converted application message to the FTP server.
In this step, the firewall may send the NAT-converted application packet to the FTP server based on the updated data structure in S408.
S412, the FTP server matches the NAT-converted application message against the quintuple information; if the match succeeds, the FTP control connection and FTP data connection are established.
The quintuple information is the quintuple information in S406: source IP address (20.1.1.1), source port number (2220), destination address (1.1.1.2), destination port number (3021), protocol Type (TCP).
Since the source IP address and the source port number of the application packet after NAT translation are 20.1.1.1 and 2220, matching can be successful.
S413, the FTP server sends a response message to the FTP client through the firewall.
Compared with the method flow shown in fig. 2, this method does not require the firewall to create a non-known-port mapping table entry, which reduces memory occupation and subsequent table-entry maintenance. In addition, the firewall can keep forwarding the application message to the FTP server without discarding it or deleting the session, so the FTP server can process the application message in time and the terminal does not need to retransmit it; this improves the efficiency of establishing the data connection between the terminal and the FTP server and reduces service delay. Because all security services of the firewall are carried out on the basis of the session, and the session is not deleted in this embodiment, the potential security hazard caused by deleting the session is avoided and security is improved.
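As an added illustration (not the patent's own code), the following C sketch models the extended session data structure described above and walks steps S408 to S412 with the addresses and ports given in the text; all identifiers, and the control-channel 5-tuple of the parent session, are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the patent's own code: models the extended session
 * data structure and steps S408-S412 of the embodiment. All identifiers are
 * hypothetical; the addresses and ports are the ones given in the text. */
enum session_type { SESSION_BASIC = 0, SESSION_EXTENDED = 1 };
enum alg_type { ALG_NONE = 0, ALG_FTP = 1 };

struct quintuple {
    char src_ip[16]; uint16_t src_port;
    char dst_ip[16]; uint16_t dst_port;
    uint8_t proto;                   /* 6 = TCP */
};

struct session;
/* association relation between a parent (control) session and a sub-session */
struct association { struct session *parent; struct session *child; };

struct session {
    enum session_type type;
    struct quintuple key;
    /* attributes of the extended session type; valid only when type == SESSION_EXTENDED */
    struct session *parent;      /* parent session pointer */
    struct association *assoc;   /* association table relation */
    void *alg_ptr;               /* ALG pointer space: reserved, empty until the ALG runs */
    enum alg_type alg;           /* ALG type */
};

/* NAT entry from S204: source IP/port before and after translation */
struct nat_entry { const char *pre_ip; uint16_t pre_port; const char *post_ip; uint16_t post_port; };

/* S408: update the current session to the extended session type; returns 0 on success */
int update_to_extended(struct session *cur, struct session *parent,
                       struct association *slot, enum alg_type alg)
{
    if (!cur || !parent || !slot || cur == parent) return -1;
    slot->parent = parent;
    slot->child = cur;
    cur->type = SESSION_EXTENDED;
    cur->parent = parent;         /* address information of the matched parent session */
    cur->assoc = slot;
    cur->alg_ptr = NULL;          /* filled in later when the ALG service is performed */
    cur->alg = alg;
    parent->assoc = slot;         /* parent control block can reach the sub-session too */
    return 0;
}

/* S410: translate source IP/port according to the NAT entry; returns 1 if the entry matched */
int nat_translate(struct quintuple *q, const struct nat_entry *e)
{
    if (strcmp(q->src_ip, e->pre_ip) != 0 || q->src_port != e->pre_port) return 0;
    snprintf(q->src_ip, sizeof q->src_ip, "%s", e->post_ip);
    q->src_port = e->post_port;
    return 1;
}

/* S412: the server compares the translated message with the quintuple learned in S406 */
int quintuple_match(const struct quintuple *a, const struct quintuple *b)
{
    return strcmp(a->src_ip, b->src_ip) == 0 && a->src_port == b->src_port &&
           strcmp(a->dst_ip, b->dst_ip) == 0 && a->dst_port == b->dst_port &&
           a->proto == b->proto;
}

/* Runs the flow once with the values from the text; returns 1 when the data connection is established */
int run_ftp_flow(void)
{
    /* parent = control channel; its 5-tuple (port 1110 -> 21) is constructed, not from the text */
    struct session parent = { SESSION_BASIC, { "192.168.1.3", 1110, "1.1.1.2", 21, 6 }, NULL, NULL, NULL, ALG_NONE };
    struct session cur    = { SESSION_BASIC, { "192.168.1.3", 1111, "1.1.1.2", 3021, 6 }, NULL, NULL, NULL, ALG_NONE };
    struct association slot;
    struct nat_entry entry = { "192.168.1.3", 1111, "20.1.1.1", 2220 };        /* S204 */
    struct quintuple expected = { "20.1.1.1", 2220, "1.1.1.2", 3021, 6 };       /* S406 */
    if (update_to_extended(&cur, &parent, &slot, ALG_FTP) != 0) return 0;
    if (!nat_translate(&cur.key, &entry)) return 0;   /* message is forwarded, not dropped */
    return quintuple_match(&cur.key, &expected);
}

int main(void) { printf("data connection established: %d\n", run_ftp_flow()); return 0; }
```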
Based on the same technical concept, an embodiment of the present application provides a packet processing apparatus, where the apparatus is applied to a firewall, and as shown in fig. 5, the apparatus includes: a receiving module 501, an updating module 502, a converting module 503 and a forwarding module 504.
A receiving module 501, configured to receive an application packet sent by a terminal;
an updating module 502, configured to perform content identification on the application packet, acquire an extended session type corresponding to a preset feature if it is detected that the application packet carries the preset feature, and update a current session data structure to a data structure corresponding to the extended session type;
a translation module 503, configured to perform NAT translation on the source IP address and the source port number of the application packet based on a pre-stored NAT entry;
and a forwarding module 504, configured to forward the NAT-converted application packet to the server according to the updated data structure.
Optionally, the data structure corresponding to the extended session type includes a parent session pointer, an association table relationship, an application layer gateway service ALG pointer space, and an ALG type;
the parent session pointer points to a parent session, and the parent session is a session established based on a control message;
the relationship attribute of the association table is used for representing the association relationship between a parent session and a sub-session, the sub-session is created based on a data message, and each data transmission channel corresponds to one sub-session;
the ALG pointer space is a reserved memory space for storing pointer information of an ALG corresponding to the data message;
the ALG type is the protocol type of the application message processed by the ALG.
Optionally, the updating module 502 is specifically configured to:
acquiring address information of a parent session matched with the application message, and filling the value of the parent session pointer into the address information of the parent session;
creating an association relation between the sub-session pointer and the parent session pointer matched with the application message, and filling the value of the association table relation into the association relation between the sub-session pointer and the parent session pointer matched with the application message;
and filling the ALG type into a protocol type of a multi-channel protocol characterized by the preset characteristics.
The embodiment of the present application further provides a firewall, as shown in fig. 6, including a processor 601, a communication interface 602, a memory 603, and a communication bus 604, where the processor 601, the communication interface 602, and the memory 603 complete mutual communication through the communication bus 604,
a memory 603 for storing a computer program;
the processor 601 is configured to implement the steps executed by the firewall in the foregoing method embodiment when executing the program stored in the memory 603.
The communication bus mentioned in the firewall may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the firewall and other equipment.
The Memory may include a Random Access Memory (RAM) or a Non-Volatile Memory (NVM), such as at least one disk Memory. Optionally, the memory may also be at least one memory device located remotely from the processor.
The processor may be a general-purpose processor such as a Central Processing Unit (CPU) or a Network Processor (NP); it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In another embodiment provided by the present application, a computer-readable storage medium is further provided, in which a computer program is stored, and the computer program, when executed by a processor, implements the steps of any of the message processing methods described above.
In yet another embodiment provided by the present application, there is also provided a computer program product containing instructions which, when run on a computer, cause the computer to perform any of the message processing methods of the above embodiments.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, it may be realized in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in accordance with the embodiments of the application occur in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center via a wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, radio, microwave) link. The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that incorporates one or more available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, as for the apparatus embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The above description is only for the preferred embodiment of the present application, and is not intended to limit the scope of the present application. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application are included in the protection scope of the present application.

Claims (8)

1. A message processing method is characterized by comprising the following steps:
receiving an application message sent by a terminal;
identifying the content of the application message, if the application message is detected to carry a preset feature, acquiring an extended session type corresponding to the preset feature, and updating a current session data structure into a data structure corresponding to the extended session type; the preset features are used for representing a multi-channel protocol;
and performing NAT conversion on the source IP address and the source port number of the application message based on a prestored NAT table item, and forwarding the NAT-converted application message to a server according to the updated data structure.
2. The method of claim 1, wherein the data structure corresponding to the extended session type comprises a parent session pointer, an association table relationship, an application layer gateway service (ALG) pointer space, and an ALG type;
the parent session pointer points to a parent session, and the parent session is a session established based on a control message;
the relationship attribute of the association table is used for representing the association relationship between a parent session and a sub-session, the sub-session is created based on a data message, and each data transmission channel corresponds to one sub-session;
the ALG pointer space is a reserved memory space for storing pointer information of an ALG corresponding to the data message;
the ALG type is the protocol type of the application message processed by the ALG.
3. The method of claim 2, wherein the updating the current session data structure to the data structure corresponding to the extended session type comprises:
acquiring address information of a parent session matched with the application message, and filling the value of the parent session pointer into the address information of the parent session;
creating an association relation between the sub-session pointer and the parent session pointer matched with the application message, and filling the value of the association table relation into the association relation between the sub-session pointer and the parent session pointer matched with the application message;
and filling the ALG type into a protocol type of a multi-channel protocol characterized by the preset characteristics.
4. A message processing apparatus, the apparatus comprising:
the receiving module is used for receiving an application message sent by a terminal;
the updating module is used for identifying the content of the application message, acquiring an extended session type corresponding to a preset feature if the application message is detected to carry the preset feature, and updating a current session data structure into a data structure corresponding to the extended session type; the preset features are used for representing a multi-channel protocol;
the conversion module is used for carrying out NAT conversion on the source IP address and the source port number of the application message based on a prestored NAT table item;
and the forwarding module is used for forwarding the NAT-converted application message to the server according to the updated data structure.
5. The apparatus of claim 4, wherein the data structure corresponding to the extended session type comprises a parent session pointer, an association table relationship, an application layer gateway service (ALG) pointer space, and an ALG type;
the parent session pointer points to a parent session, and the parent session is a session established based on a control message;
the relationship attribute of the association table is used for representing the association relationship between a parent session and a sub-session, the sub-session is created based on a data message, and each data transmission channel corresponds to one sub-session;
the ALG pointer space is a reserved memory space for storing pointer information of an ALG corresponding to the data message;
the ALG type is the protocol type of the application message processed by the ALG.
6. The apparatus of claim 5, wherein the update module is specifically configured to:
acquiring address information of a parent session matched with the application message, and filling the value of the parent session pointer into the address information of the parent session;
creating an association relation between the sub-session pointer and the parent session pointer matched with the application message, and filling the value of the association table relation into the association relation between the sub-session pointer and the parent session pointer matched with the application message;
and filling the ALG type into a protocol type of a multi-channel protocol characterized by the preset characteristics.
7. A firewall, comprising a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor, the processor being caused by the machine-executable instructions to: carrying out the method steps of any one of claims 1 to 3.
8. A machine-readable storage medium having stored thereon machine-executable instructions that, when invoked and executed by a processor, cause the processor to: carrying out the method steps of any one of claims 1 to 3.
CN201911023219.2A 2019-10-25 2019-10-25 Message processing method and device, firewall and storage medium Active CN110636151B (en)

Publications (2)

Publication Number Publication Date
CN110636151A CN110636151A (en) 2019-12-31
CN110636151B true CN110636151B (en) 2022-03-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant