CN111770211B - SNAT method, SNAT device, electronic equipment and storage medium - Google Patents

Info

Publication number: CN111770211B
Application number: CN202010555573.6A
Authority: CN (China)
Prior art keywords: snat, rule, configuration request, user, request
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN111770211A (en)
Inventors: 雷思源, 黄志峰
Current assignee: Beijing Baidu Netcom Science and Technology Co Ltd
Original assignee: Beijing Baidu Netcom Science and Technology Co Ltd
Events: application filed by Beijing Baidu Netcom Science and Technology Co Ltd; priority to CN202010555573.6A; publication of CN111770211A; application granted; publication of CN111770211B; legal status Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/25 Mapping addresses of the same type
    • H04L 61/2503 Translation of Internet protocol [IP] addresses
    • H04L 61/2521 Translation architectures other than single NAT servers
    • H04L 47/00 Traffic control in data switching networks
    • H04L 47/10 Flow control; Congestion control
    • H04L 47/12 Avoiding congestion; Recovering from congestion
    • H04L 47/125 Avoiding congestion; Recovering from congestion by balancing the load, e.g. traffic engineering

Abstract

The embodiments of this application disclose a SNAT method, a SNAT device, electronic equipment and a storage medium in the technical field of cloud computing. The method comprises the following steps: receiving a SNAT configuration request sent by a user through a terminal; performing a validity check on the SNAT configuration request; updating the user's current SNAT rule according to the SNAT configuration request if the request passes the validity check; determining, according to the updated SNAT rule, the target public network egress IP matched to the user; and establishing the communication connection between the user's resources and the external network through that target public network egress IP. According to the embodiments, the access success rate of the public network egress IP can be improved and the traffic load balance across public network egress IPs optimized.

Description

SNAT method, SNAT device, electronic equipment and storage medium
Technical Field
The embodiment of the application relates to the technical field of computers, in particular to a cloud computing technology.
Background
For a cloud product that supports Network Address Translation, SNAT (Source Network Address Translation) is one of the NAT functions. It is mainly used to bind resources in the cloud to an Elastic public network IP (EIP), so that the cloud resources reach external network resources through the bound EIP. Because every cloud resource uses its bound EIP as its public network egress IP, how effective SNAT rules are defined for each cloud resource matters a great deal for the access success rate of the cloud product and for traffic load balancing.
Disclosure of Invention
The embodiment of the application provides an SNAT method, an SNAT device, electronic equipment and a storage medium, so as to improve the access success rate of the public network export IP and optimize the traffic load balance of the public network export IP.
In a first aspect, an embodiment of the present application provides an SNAT method, including:
receiving an SNAT configuration request sent by a user through a terminal;
carrying out validity check on the SNAT configuration request;
updating the current SNAT rule of the user according to the SNAT configuration request under the condition that the SNAT configuration request passes validity check;
determining a target public network outlet IP matched with the user according to the updated SNAT rule;
and establishing communication connection between the user resources and the external network through the target public network outlet IP.
In a second aspect, an embodiment of the present application provides an SNAT device, including:
a request receiving module, configured to receive a SNAT configuration request sent by a user through a terminal;
the request checking module is used for checking the validity of the SNAT configuration request;
a rule updating module, configured to update a current SNAT rule of the user according to the SNAT configuration request when the SNAT configuration request passes validity check;
an outlet IP determining module, configured to determine, according to the updated SNAT rule, a target public network outlet IP that matches the user;
and the communication connection establishing module is used for establishing communication connection between the user resources and the external network through the target public network outlet IP.
In a third aspect, an embodiment of the present application provides an electronic device, including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the SNAT method provided by the embodiments of the first aspect.
In a fourth aspect, the present application also provides a non-transitory computer-readable storage medium storing computer instructions for causing a computer to execute the SNAT method provided in the first aspect.
According to the method and the device, the validity of the SNAT configuration request sent by the user through the terminal is verified, the current SNAT rule of the user is updated according to the SNAT configuration request under the condition that the SNAT configuration request passes the validity verification, the target public network outlet IP matched with the user is determined according to the updated SNAT rule, the communication connection between the user resource and the external network is established through the target public network outlet IP, the access success rate of the public network outlet IP can be improved, and the flow load balance of the public network outlet IP is optimized.
It should be understood that the statements in this section do not necessarily identify key or critical features of the embodiments of the present disclosure, nor do they limit the scope of the present disclosure. Other features of the present disclosure will become apparent from the following description.
Drawings
The drawings are included to provide a better understanding of the present solution and are not to be considered limiting of the present application. Wherein:
fig. 1 is a flowchart of an SNAT method according to an embodiment of the present disclosure;
fig. 2 is a flowchart of an SNAT method according to an embodiment of the present disclosure;
fig. 3 is a structural diagram of an SNAT device according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of an electronic device for implementing the SNAT method according to the embodiment of the present application.
Detailed Description
The following description of the exemplary embodiments of the present application, taken in conjunction with the accompanying drawings, includes various details of the embodiments of the application for the understanding of the same, which are to be considered exemplary only. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the present application. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
Currently, cloud products such as NAT (Network Address Translation) products on the cloud can support both SNAT and DNAT (Destination Network Address Translation). The SNAT function requires the resources of every user in the cloud to be bound to a SNAT EIP. In a typical implementation, the NAT gateway controller (which manages functions such as the network address mapping relationships) selects the EIP in a fixed way, by port range, based on the number of to-be-bound IPs supplied by the user. For example, assume there are 6 EIPs, each EIP is assigned a fixed range of port numbers, the port counts of the 6 EIPs sum to 65536, and the ranges do not overlap. If the to-be-bound IP supplied by user A reaches the external network through port 12345, and port 12345 falls in the range bound to EIP3 (one of the 6 EIPs), then user A can only reach the external network through EIP3. This way of defining the SNAT rule has serious limitations, mainly:
1) For services with high security requirements or a registration (filing) requirement, the accessed peer resource may restrict the access address with a white list or require the address to be registered in advance. If the EIP of the cloud resource is not on the peer's white list or has not been registered, the access fails.
2) When different user resources in the cloud access external network resources at the same time, the port numbers of the access requests can easily concentrate in one range at a given moment. If all of those user resources then leave through the same EIP, the number of available connections on that EIP may run out, or the traffic load across public network egress IPs becomes unbalanced.
In an example, fig. 1 is a flowchart of an SNAT method provided in an embodiment of the present application, where the present embodiment is applicable to a case where a user customizes a SNAT rule, and the method may be performed by a SNAT apparatus, which may be implemented by software and/or hardware, and may be generally integrated in an electronic device. The electronic device can be a NAT gateway device and can realize the function of network address translation. Accordingly, as shown in fig. 1, the method comprises the following operations:
s110, receiving a SNAT configuration request sent by a user through a terminal.
The SNAT configuration request may be used to configure a user's current SNAT rule in a customized manner, and may include multiple types of SNAT customized rules. The SNAT custom rule is also a user-defined SNAT rule, for example, a user specifies one or more EIPs from the optional EIPs as public network export IPs for the to-be-bound IP. The terminal may be a terminal, such as a gateway controller, configured to configure the SNAT rule, and the embodiment of the present application does not limit a specific type of the terminal.
In the embodiment of the application, after the SNAT configuration request sent by the user through the terminal is detected, the SNAT configuration request sent by the user through the terminal can be received.
And S120, carrying out validity check on the SNAT configuration request.
Correspondingly, after receiving the SNAT configuration request, the received SNAT configuration request can be further subjected to validity check. The validity check may be, for example, checking whether the EIP specified by the user in the SNAT configuration request meets the SNAT condition, for example, checking whether the format and the segment range of the EIP specified by the user meet the SNAT requirement, and whether the EIP specified by the user conflicts with the EIP bound to the DNAT.
S130, under the condition that the SNAT configuration request passes the validity check, updating the current SNAT rule of the user according to the SNAT configuration request.
The current SNAT rule may be a SNAT rule currently adopted by the user, that is, the EIP to which the user is currently bound for the SNAT function.
Correspondingly, if the SNAT configuration request passes the validity check, the current SNAT rule of the user can be updated by using the SNAT self-defining rule related in the valid SNAT configuration request. It should be noted that, the current SNAT of the user may be null, or may have a specific SNAT rule, which is not limited in the embodiment of the present application.
S140, determining a target public network outlet IP matched with the user according to the updated SNAT rule.
The target public network outlet IP is also the EIP designated by the user from each EIP and used for the user resource to access the external network.
S150, establishing communication connection between the user resource and the external network through the target public network outlet IP.
The user resource is the user's resource in the cloud, such as a server or storage belonging to that user.
In the embodiment of the application, after the user finishes updating the current SNAT rule of the user through the terminal, the user resource can access the external network by using the target public network outlet IP configured by the user in a user-defined way.
Therefore, in the embodiments of this application, the gateway controller no longer selects the EIP by port range from the number of to-be-bound IPs supplied by the user; instead it updates the user's current SNAT rule according to the SNAT configuration request the user sends, so that the user can define the public network egress IP used to reach the external network. This satisfies service requirements such as white list restrictions and address registration, and thereby improves the access success rate of the public network egress IP. At the same time, because the user designates the egress IP, even when the port numbers of access requests concentrate in one range at a given moment, not all user resources leave through a single EIP, which resolves the shortage of available connections and the unbalanced egress traffic load that such port concentration otherwise causes.
According to the method and the device, the validity of the SNAT configuration request sent by the user through the terminal is verified, the current SNAT rule of the user is updated according to the SNAT configuration request under the condition that the SNAT configuration request passes the validity verification, the target public network outlet IP matched with the user is determined according to the updated SNAT rule, the communication connection between the user resource and the external network is established through the target public network outlet IP, the access success rate of the public network outlet IP can be improved, and the flow load balance of the public network outlet IP is optimized.
In an example, fig. 2 is a flowchart of an SNAT method provided in the embodiment of the present application, and the embodiment of the present application performs optimization and improvement on the basis of the technical solutions of the above embodiments, and provides a specific optional implementation manner for performing validity check on the SNAT configuration request and updating the current SNAT rule of the user according to the SNAT configuration request.
A SNAT method as shown in fig. 2, comprising:
s210, receiving a SNAT configuration request sent by a user through a terminal.
In an alternative embodiment of the present application, the SNAT configuration request may include a create SNAT rule request, a modify SNAT rule request, a delete SNAT rule request, and a view SNAT rule request.
Wherein the create SNAT rule request can be used to create a new SNAT, the modify SNAT rule request can be used to modify the user's current one or more SNAT rules, the delete SNAT rule request can be used to delete the user's current one or more SNAT rules, and the view SNAT rule request can be used to view the user's current one or more SNAT rules.
In embodiments of the present application, the types of SNAT configuration requests may include, but are not limited to, create SNAT rule requests, modify SNAT rule requests, delete SNAT rule requests, and view SNAT rule requests. That is, the user can realize the functions of adding, deleting, modifying and checking the SNAT rule.
In an optional embodiment of the present application, the SNAT configuration request may include a SNAT rule parameter, a SNAT identification parameter, and a rule action parameter.
The SNAT rule parameter describes the SNAT rule to be created, modified, deleted or viewed; the SNAT identification parameter describes the identifier of the SNAT rule; and the rule action parameter describes the specific operation to be performed on the rule.
In an alternative example, assuming the SNAT configuration request sent by the user is a create SNAT rule request, the user may first specify the gateway to which the created SNAT rule belongs before sending the request, and then assign values to the SNAT rule parameter, the SNAT identification parameter and the rule action parameter. For example, the SNAT rule parameter is assigned the SNAT rule to be created, the SNAT identification parameter is assigned the ID (identity document) number of the SNAT rule to be created, and the rule action parameter is assigned "create_SNAT_rules" (indicating creation of a SNAT rule). The type of the SNAT rule parameter may be a JSON (JavaScript Object Notation) list, and the SNAT identification parameter and the rule action parameter may be strings.
In an alternative example, assuming the SNAT configuration request sent by the user is a modify SNAT rule request, the user may first specify the gateway to which the SNAT rule to be modified belongs before sending the request, and then assign values to the three parameters. For example, the SNAT rule parameter is assigned the SNAT rule to be modified, the SNAT identification parameter is assigned the ID number of the SNAT rule to be modified, and the rule action parameter is assigned "update_SNAT_rules" (indicating modification of a SNAT rule). The SNAT rule parameter may be a JSON list, and the SNAT identification parameter and the rule action parameter may be strings.
In an alternative example, assuming the SNAT configuration request sent by the user is a delete SNAT rule request, the user may first specify the gateway to which the SNAT rule to be deleted belongs before sending the request, and then assign values to the three parameters. For example, the SNAT rule parameter is assigned the SNAT rule to be deleted, the SNAT identification parameter is assigned the ID number of the SNAT rule to be deleted, and the rule action parameter is assigned "delete_SNAT_rules" (indicating deletion of a SNAT rule). The SNAT rule parameter may be a JSON list, and the SNAT identification parameter and the rule action parameter may be strings.
In an alternative example, assuming the SNAT configuration request sent by the user is a view SNAT rule request, the user may first specify the gateway to which the SNAT rule to be viewed belongs before sending the request, and then assign values to the three parameters. For example, the SNAT rule parameter is assigned the SNAT rule to be viewed, the SNAT identification parameter is assigned the ID number of the SNAT rule to be viewed, and the rule action parameter is assigned "view_SNAT_rules" (indicating viewing of a SNAT rule). The SNAT rule parameter may be a JSON list, and the SNAT identification parameter and the rule action parameter may be strings.
Optionally, the fields of the SNAT rule parameter may include, but are not limited to, name, rule_id, status, create_time, cidr and eiss. The name field is the name of the rule; it is not a required field and its value may be null. The rule_id field is the ID number of the SNAT rule; it is also not required and its value may be null. For example, the field carries a specific value when the user views, modifies or deletes a SNAT rule, but may be null when a SNAT rule is created. The status and create_time fields may be used in the view SNAT rule request: the value of status may be configurable or active, and create_time is the creation time of the SNAT rule. cidr represents the network segment to which the public network egress IP addresses of the SNAT rule belong, and eiss represents the public network egress IPs of the SNAT rule. cidr and eiss are both required fields. name, rule_id, status, create_time and cidr may be strings, and eiss may be a JSON list.
In the above scheme, by forming multiple types of SNAT configuration requests by using the request parameters of the SNAT configuration requests such as the SNAT rule parameters, the SNAT identification parameters, the rule action parameters and the like, the user can be supported to realize the self-defined functions of adding, deleting, modifying, checking and the like on the SNAT rule.
S220, returning a response success parameter to the user under the condition that the response to the SNAT configuration request is successful.
S230, returning a response failure parameter to the user or not executing the operation of returning the parameter under the condition that the response to the SNAT configuration request fails.
Wherein the response success parameter may be a parameter indicating success of the response. For example, the response success parameter may be set to 200 or 20, and the embodiment of the present application does not limit the specific parameter content of the response success parameter. The response failure parameter may be a parameter indicating a response failure. For example, the response failure parameter may be set to 400 or 40, etc. Or, the response failure parameter may also be a parameter of a current SNAT rule of the user, and the like, and the embodiment of the present application also does not limit the specific parameter content of the response failure parameter.
In the embodiment of the application, the SNAT configuration request can also be responded according to the type of the SNAT configuration request.
Optionally, for the type of the request for creating the SNAT rule, the specific response mode may be: if the response is successful, 200 is returned to the user. If the response fails, the parameters of the current SNAT rule are returned to the user. Optionally, the parameter of the current SNAT rule may specifically be the current specific SNAT rule content.
Optionally, for the type of the request for modifying the SNAT rule, the specific response mode may be: if the response is successful, 200 is returned to the user. If the response fails, the parameter may not be returned.
Optionally, for the request type for deleting the SNAT rule, the specific response mode may be: if the response is successful, 200 is returned to the user. If the response fails, no parameters may be returned.
Optionally, for checking the SNAT rule request type, the specific response mode may be: if the response is successful, the parameters of the current SNAT rule are returned to the user. Optionally, the parameter of the current SNAT rule may specifically be the current specific SNAT rule content. If the response fails, no parameters may be returned.
In the above scheme, by responding to the SNAT configuration request according to the type of the SNAT configuration request, the user can know the specific response condition of the current SNAT configuration request, so that the user can know the self-defined result of the SNAT rule.
S240, according to a preset IP verification rule, performing validity verification on the EIP included in the target SNAT rule in the SNAT configuration request.
The preset IP verification rule may include: the EIP included in the target SNAT rule belongs to a target network segment; and the EIP included in the target SNAT rule does not conflict with a destination address translation (DNAT) EIP.
The target network segment may be a network segment type meeting the requirements of the SNAT rule, for example, a network segment different from a local area network (i.e., a local area network where user resources are located) to which the NAT gateway belongs, and the specific type of the target network segment is not limited in the embodiments of the present application. The DNAT EIP may be a public network egress IP address involved in the DNAT rules.
Optionally, the validity check of the SNAT configuration request mainly examines the SNAT custom rule carried in the request, and more specifically the validity of the SNAT EIP in that rule. That is, it checks whether the SNAT EIP belongs to the target network segment, which requires the SNAT EIP to be expressed as a segment parameter: if the EIP is a single IP address, "/32" is appended so that it becomes a segment. At the same time, the SNAT EIP in the custom rule must not duplicate a DNAT EIP.
In the scheme, the validity of the SNAT EIP is verified, so that the SNAT rule defined by the user can meet the requirement of the SNAT rule, and the usability of the SNAT rule automatically defined by the user is ensured.
In an optional embodiment of the present application, in case that the SNAT configuration request passes the validity check, the target SNAT rule included in the SNAT configuration request is saved in a database.
Wherein, the target SNAT rule is also the SNAT self-defining rule involved in the SNAT configuration request.
In this embodiment of the present application, optionally, if the SNAT configuration request passes the validity check, the SNAT custom rule meeting the specification may be persisted into the database.
S250, comparing the target SNAT rule included in the SNAT configuration request with the current SNAT rule.
S260, updating the current SNAT rule to the target SNAT rule when it is determined that the target SNAT rule is different from the current SNAT rule.
Optionally, after the SNAT configuration request passes the validity check, the target SNAT rule included in the SNAT configuration request may be compared with the current SNAT rule stored locally. If the comparison result is that the target SNAT rule is different from the current SNAT rule, the current SNAT rule can be updated by using the target SNAT rule; otherwise, the update operation is not performed.
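The request handling of S210 to S260, as an added example that is not code from the patent or from Baidu: a typed configuration request is answered by type, each EIP is checked against the preset IP verification rule (target segment, not the gateway LAN, no overlap with a DNAT EIP, single addresses widened to /32), valid rules are persisted, and the current rule is updated only when the target rule differs from it. The request keys `action`, `snat_id` and `rules`, the rule field `eips` (the page's `eiss`), the response layout and all sample addresses are assumptions, not the product's API.

```python
"""Added example, not code from the patent or from Baidu: a minimal model of the
request handling in S210-S260 (typed configuration request, response by type,
EIP validity check against the preset IP verification rule, persistence, compare
with the current rule and update only on change). Request keys `action`, `snat_id`,
`rules`, the rule field `eips` (the page's `eiss`), the response layout and all
sample addresses are assumptions, not the product's API."""
import copy
import ipaddress
import itertools

# Rule action parameter values named in the description (underscores joined).
ACTIONS = ("create_SNAT_rules", "update_SNAT_rules", "delete_SNAT_rules", "view_SNAT_rules")
REQUIRED_FIELDS = ("cidr", "eips")  # the two mandatory rule fields


def as_segment(addr):
    """A bare EIP becomes a /32 so that every EIP is handled as a segment parameter."""
    net = ipaddress.ip_network(addr if "/" in addr else f"{addr}/32", strict=False)
    if net.version != 4:
        raise ValueError(f"IPv4 EIP expected: {addr}")
    return net


class SnatGateway:
    def __init__(self, target_segment, local_segment, dnat_eips):
        # Preset IP verification rule: inside the target segment, outside the gateway LAN,
        # and not overlapping any EIP already bound to DNAT.
        self.target = ipaddress.ip_network(target_segment)
        self.local = ipaddress.ip_network(local_segment)
        self.dnat = [as_segment(e) for e in dnat_eips]
        self.current = {}   # snat_id -> {rule_id -> rule}: the user's current SNAT rules
        self.database = []  # target rules persisted once they pass the check (S240)
        self._ids = itertools.count(1)

    def check_rule(self, rule):
        """Validity check of one target rule; returns the problems found (empty = valid)."""
        problems = [f"missing required field {f!r}" for f in REQUIRED_FIELDS if not rule.get(f)]
        if problems:
            return problems
        try:
            cidr = ipaddress.ip_network(rule["cidr"], strict=False)
            eips = [as_segment(e) for e in rule["eips"]]
        except ValueError as exc:
            return [f"malformed address: {exc}"]
        for eip in eips:
            if not eip.subnet_of(cidr):
                problems.append(f"{eip} lies outside the rule's cidr {cidr}")
            if not eip.subnet_of(self.target):
                problems.append(f"{eip} lies outside the target segment {self.target}")
            if eip.overlaps(self.local):
                problems.append(f"{eip} belongs to the gateway LAN {self.local}")
            if any(eip.overlaps(d) for d in self.dnat):
                problems.append(f"{eip} conflicts with a DNAT EIP")
        return problems

    def handle(self, request):
        """Answer one request by type: create/update/delete give 200 on success, a failed
        create returns the current rules, a failed update/delete returns only the failure
        code, and view returns the current rules. Nothing changes on a failed request."""
        action, rules_in = request.get("action"), request.get("rules")
        current = self.current.setdefault(request.get("snat_id"), {})
        snapshot = copy.deepcopy(list(current.values()))
        if action not in ACTIONS or not isinstance(rules_in, list):
            return {"code": 400}
        if action == "view_SNAT_rules":
            return {"code": 200, "rules": snapshot}
        if action == "delete_SNAT_rules":
            ids = [r.get("rule_id") for r in rules_in]
            if not all(i in current for i in ids):
                return {"code": 400}
            for i in ids:
                del current[i]
            return {"code": 200}
        bad = any(self.check_rule(r) for r in rules_in)
        if action == "update_SNAT_rules" and any(r.get("rule_id") not in current for r in rules_in):
            bad = True  # modifying a rule the user does not have is refused
        if bad:
            return {"code": 400, "rules": snapshot} if action == "create_SNAT_rules" else {"code": 400}
        updated = 0
        for rule in rules_in:
            rid = rule.get("rule_id") or f"rule-{next(self._ids)}"
            target = {"name": rule.get("name"), "rule_id": rid, "status": "active",
                      "cidr": rule["cidr"], "eips": sorted(str(as_segment(e)) for e in rule["eips"])}
            self.database.append(copy.deepcopy(target))  # S240: persist the valid rule
            if current.get(rid) != target:                # S250/S260: update only on change
                current[rid] = target
                updated += 1
        return {"code": 200, "updated": updated}


def demo():
    """Constructed walk-through: a valid create, a create colliding with the DNAT EIP,
    an update that changes nothing, and a view. Returns the four responses in order."""
    gw = SnatGateway("203.0.113.0/24", "10.0.0.0/8", dnat_eips=["203.0.113.9"])
    good = {"action": "create_SNAT_rules", "snat_id": "nat-1",
            "rules": [{"cidr": "203.0.113.0/24", "eips": ["203.0.113.10", "203.0.113.11"]}]}
    clash = {"action": "create_SNAT_rules", "snat_id": "nat-1",
             "rules": [{"cidr": "203.0.113.0/24", "eips": ["203.0.113.9"]}]}
    same = {"action": "update_SNAT_rules", "snat_id": "nat-1",
            "rules": [{"rule_id": "rule-1", "cidr": "203.0.113.0/24",
                       "eips": ["203.0.113.11", "203.0.113.10/32"]}]}
    view = {"action": "view_SNAT_rules", "snat_id": "nat-1", "rules": []}
    return [gw.handle(r) for r in (good, clash, same, view)]


if __name__ == "__main__": print(*demo(), sep="\n")
```

Two points a practitioner would check here: the action string is matched against a fixed allowlist, so an unknown operation is refused with the failure code rather than falling through; and every rule in a request is checked before any rule is applied, so a request that mixes valid and invalid rules leaves the current SNAT rule untouched, which keeps the stored rule consistent with the rule the NAT agent later reads.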
In an optional embodiment of the present application, the updating the current SNAT rule to the target SNAT rule may include: and in the case that the target SNAT rule comprises a plurality of EIPs, equalizing the connection number of each EIP.
In embodiments of the present application, the target SNAT rule may include a single EIP or multiple EIP groups. If the target SNAT rule comprises a plurality of EIPs, when each EIP is used for accessing the extranet resource, the connection number of each EIP can be balanced. For example, if EIP1 has a small number of current connections, subsequent access requests from the user may be preferentially accessed through EIP 1. The benefits of this arrangement are: the method can further balance the connection number of each EIP bound by the user, avoid the problems of insufficient available connection number and unbalanced public network outlet IP flow load when excessive access requests access the external network through only one or a small number of EIPs, and realize further optimization of the flow load balance of the public network outlet IP.
S270, confirming the updating result of the current SNAT rule.
In the embodiment of the application, if the update operation of the current SNAT rule of the user is completed, the update result of the current SNAT rule can be further confirmed, so that the update operation of the current SNAT rule is ensured to be correct.
It should be noted that, in the embodiment of the present application, the SNAT method may support the user-defined SNAT rule, and may be compatible with the existing SNAT method. That is, if the user does not configure the SNAT custom rule, when accessing the external network, the gateway controller still selects the EIP according to the number of the to-be-bound IPs provided by the user and the port range.
S280, determining a target public network outlet IP matched with the user according to the updated SNAT rule.
And S290, establishing communication connection between the user resource and the external network through the target public network outlet IP.
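How the target public network egress IP of S280 can be chosen from the updated SNAT rule, as an added example that is not code from the patent or from Baidu. With a custom rule naming several EIPs the connection counts are balanced (the EIP with the fewest current connections is used first, as in the EIP1 example above); with no custom rule the legacy behaviour from the background applies, in which the 65536 port numbers are split into fixed, non-overlapping ranges, one per EIP, and the source port alone decides the EIP. The even split of the port space, the pool of six EIPs, the sample rule and the sample ports are assumptions for illustration.

```python
"""Added example, not code from the patent or from Baidu: selecting the target
public network egress IP (S280) from the updated SNAT rule, balancing connection
counts across several EIPs, and falling back to the legacy port-range mapping when
the user has configured no custom rule. The even port split, the six-EIP pool,
the sample rule and the sample ports are assumptions."""
PORT_SPACE = 65536


def legacy_eip_for_port(eip_pool, port):
    """Legacy selection: the port space is split evenly (remainder to the last EIP)
    and the source port picks the EIP, so every source whose port lands in one
    range shares that range's EIP, however many users are behind it."""
    if not eip_pool or not 0 <= port < PORT_SPACE:
        raise ValueError("empty EIP pool or port outside 0..65535")
    width = PORT_SPACE // len(eip_pool)
    return eip_pool[min(port // width, len(eip_pool) - 1)]


class EgressSelector:
    def __init__(self, legacy_pool):
        self.legacy_pool = list(legacy_pool)
        self.connections = {}  # EIP -> number of connections currently using it

    def pick(self, snat_rule, src_port):
        """S280/S290: the updated rule's EIPs are the candidates; with several, the
        one with the fewest current connections wins (ties keep rule order). With no
        custom rule the legacy port-range mapping decides."""
        eips = (snat_rule or {}).get("eips") or []
        if eips:
            eip = min(eips, key=lambda e: (self.connections.get(e, 0), eips.index(e)))
        else:
            eip = legacy_eip_for_port(self.legacy_pool, src_port)
        self.connections[eip] = self.connections.get(eip, 0) + 1
        return eip

    def release(self, eip):
        """A connection closed: free its slot so later picks see the real load."""
        if self.connections.get(eip, 0) > 0:
            self.connections[eip] -= 1


def simulate(snat_rule, src_ports, legacy_pool=("EIP1", "EIP2", "EIP3", "EIP4", "EIP5", "EIP6")):
    """Open one connection per source port; return (chosen EIPs, final counts)."""
    selector = EgressSelector(legacy_pool)
    chosen = [selector.pick(snat_rule, p) for p in src_ports]
    return chosen, selector.connections


# Constructed input: seven simultaneous requests whose source ports all sit in one range.
BURST_PORTS = [12001, 12345, 12400, 12555, 12600, 12777, 12900]
CUSTOM_RULE = {"rule_id": "rule-1", "cidr": "203.0.113.0/24",
               "eips": ["203.0.113.10", "203.0.113.11", "203.0.113.12"]}

if __name__ == "__main__":
    print("legacy:", simulate(None, BURST_PORTS))
    print("custom:", simulate(CUSTOM_RULE, BURST_PORTS))
```

Run stand-alone, the legacy mapping sends all seven connections of the burst through the same EIP, which is the exhaustion and imbalance case the description warns about, while the custom rule spreads them 3/2/2 across the user's three EIPs. A connection count that is never decremented would drift upward forever, so `release` is part of the selector rather than an afterthought.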
In a particular alternative example, the whole flow of user-defined SNAT rules may be implemented by a gateway controller in the NAT gateway device. The SNAT configuration request sent by the user may be received by an interface of the gateway controller. After receiving the request through the interface, the gateway controller issues the SNAT custom rule matching the request to its verification module, which performs the validity check on the SNAT custom rule included in the request. The verification module issues the SNAT custom rule that passes the validity check to the NAT agent module of the gateway controller, and the NAT agent module updates the user's current SNAT rule according to the rule it receives. The verification module also persists the rule that passes the check into the database. The NAT agent module may interact with the verification module through heartbeat messages: the verification module issues the SNAT custom rule to the NAT agent module when the agent reports its heartbeat, the NAT agent module compares the rule carried in the heartbeat exchange with the user's current SNAT rule and updates it, and after completing the update the agent carries the updated SNAT custom rule in its next heartbeat message so that the verification module can confirm the update result.
According to the technical scheme, the SNAT configuration requests sent by the user are responded and subjected to validity check, and the current SNAT rule of the user is updated according to the SNAT configuration requests under the condition that the SNAT configuration requests pass the validity check, so that the access success rate of the public network outlet IP can be improved, and the flow load balance of the public network outlet IP is optimized.
In an example, fig. 3 is a block diagram of an SNAT apparatus provided in an embodiment of the present application, where the embodiment of the present application is applicable to a case where a user customizes a SNAT rule, and the apparatus is implemented by software and/or hardware and is specifically configured in an electronic device. The electronic device can be a NAT gateway device and can realize the function of network address translation.
Fig. 3 shows a SNAT device 300, comprising: a request receiving module 310, a request checking module 320, a rule updating module 330, an egress IP determining module 340, and a communication connection establishing module 350. Wherein:
a request receiving module 310, configured to receive a SNAT configuration request sent by a user through a terminal;
a request checking module 320, configured to perform validity checking on the SNAT configuration request;
a rule updating module 330, configured to update the current SNAT rule of the user according to the SNAT configuration request when the SNAT configuration request passes the validity check;
an outlet IP determining module 340, configured to determine, according to the updated SNAT rule, a target public network outlet IP matched with the user;
a communication connection establishing module 350, configured to establish a communication connection between the user resource and the external network through the target public network outlet IP.
According to the method and the device, validity check is carried out on the SNAT configuration request sent by the user through the terminal, the current SNAT rule of the user is updated according to the SNAT configuration request under the condition that the SNAT configuration request passes the validity check, the target public network outlet IP matched with the user is determined according to the updated SNAT rule, communication connection between the user resource and an external network is established through the target public network outlet IP, the access success rate of the public network outlet IP can be improved, and the flow load balance of the public network outlet IP is optimized.
Optionally, the SNAT configuration request includes a create SNAT rule request, a modify SNAT rule request, a delete SNAT rule request, and a view SNAT rule request.
Optionally, the SNAT configuration request includes a SNAT rule parameter, a SNAT identification parameter, and a rule action parameter.
Optionally, the apparatus further comprises: a first request response module, configured to return a response success parameter to the user when the SNAT configuration request response is successful; and the second request response module is used for returning a response failure parameter to the user or not executing the operation of returning the parameter under the condition that the response to the SNAT configuration request fails.
Optionally, the request checking module 320 is specifically configured to: according to a preset IP verification rule, carrying out validity verification on an EIP included in a target SNAT rule in the SNAT configuration request; wherein, the preset IP verification rule comprises: the EIP included by the target SNAT rule belongs to a target network segment; the target SNAT rule includes an EIP that is non-conflicting with a DNAT EIP.
Optionally, the rule updating module 330 is specifically configured to: comparing a target SNAT rule included in the SNAT configuration request with the current SNAT rule; updating the current SNAT rule to the target SNAT rule if it is determined that the target SNAT rule differs from the current SNAT rule.
Optionally, the rule updating module 330 is specifically configured to: in the case that the target SNAT rule comprises a plurality of EIPs, equalize the number of connections of each EIP.
Optionally, the apparatus further comprises: and the update result confirmation module is used for confirming the update result of the current SNAT rule.
Optionally, the apparatus further comprises: and the request storage module is used for storing the target SNAT rule included by the SNAT configuration request into a database under the condition that the SNAT configuration request passes the validity check.
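The request handling, validity check, compare-and-update and connection balancing described in the paragraphs above, as an added example (not the patent's code). It assumes a request is a dict carrying the three parameters named in the text (rule action, SNAT identification, SNAT rule); the target network segment and the set of DNAT EIPs are constructed sample values:

```python
"""Added example: gateway-side handling of a SNAT configuration request.
Request shape, target segment and DNAT EIP set are assumptions."""
import ipaddress

# Constructed sample environment: the segment user EIPs must belong to, and the
# EIPs already bound to DNAT rules (an SNAT EIP must not collide with them).
TARGET_SEGMENT = ipaddress.ip_network("203.0.113.0/24")
DNAT_EIPS = {"203.0.113.200"}


def check_eips(eips, segment=TARGET_SEGMENT, dnat_eips=DNAT_EIPS):
    """Preset IP verification rule: every EIP must lie in the target segment
    and must not conflict with a DNAT EIP. Returns a list of violations."""
    problems = []
    for eip in eips:
        try:
            addr = ipaddress.ip_address(eip)
        except ValueError:
            problems.append(f"{eip}: not an IP address")
            continue
        if addr not in segment:
            problems.append(f"{eip}: outside {segment}")
        if eip in dnat_eips:
            problems.append(f"{eip}: conflicts with a DNAT EIP")
    return problems


class SnatController:
    """Holds each rule's current EIPs, the persisted copy, and per-EIP
    connection counts used to balance new connections across several EIPs."""

    def __init__(self):
        self.current = {}      # snat_id -> tuple of EIPs applied on the gateway
        self.database = {}     # snat_id -> tuple of EIPs persisted after the check
        self.connections = {}  # eip -> number of connections currently mapped to it

    def handle(self, request):
        """Dispatch a create/modify/delete/view request; return a success or failure parameter."""
        action = request.get("action")
        snat_id = request.get("snat_id")
        if action == "view":
            if snat_id not in self.current:
                return {"status": "failure"}
            return {"status": "success", "rule": list(self.current[snat_id])}
        if action == "delete":
            if self.current.pop(snat_id, None) is None:
                return {"status": "failure"}
            self.database.pop(snat_id, None)
            return {"status": "success"}
        if action in ("create", "modify"):
            target = tuple(request.get("rule", ()))
            problems = check_eips(target)
            if not target or problems:
                return {"status": "failure", "problems": problems}
            self.database[snat_id] = target  # persist only a rule that passed the check
            return {"status": "success", "changed": self._update(snat_id, target)}
        return {"status": "failure", "problems": [f"unknown action {action!r}"]}

    def _update(self, snat_id, target):
        """Compare the target rule with the current one; rewrite only on a difference."""
        if self.current.get(snat_id) == target:
            return False
        self.current[snat_id] = target
        for eip in target:
            self.connections.setdefault(eip, 0)
        return True

    def pick_egress_ip(self, snat_id):
        """Choose the public egress IP for a new connection: with several EIPs in
        the rule, take the one with the fewest connections so counts stay balanced."""
        eips = self.current[snat_id]
        chosen = min(eips, key=lambda e: self.connections.get(e, 0))
        self.connections[chosen] = self.connections.get(chosen, 0) + 1
        return chosen
```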
The SNAT device can execute the SNAT method provided by any embodiment of the application, and has the functional modules and beneficial effects corresponding to the executed method. For technical details not described in detail in this embodiment, reference may be made to the SNAT method provided in any embodiment of the present application.
Since the above-described SNAT device is a device that can execute the SNAT method in the embodiment of the present application, based on the SNAT method described in the embodiment of the present application, a person skilled in the art can understand the specific implementation of the SNAT device of the present embodiment and various variations thereof, and therefore, how to implement the SNAT method in the embodiment of the present application by the SNAT device is not described in detail herein. The skilled person in the art should be able to implement the apparatus used in the SNAT method in the embodiments of the present application without departing from the scope of the present application.
In one example, the present application also provides an electronic device and a readable storage medium.
Fig. 4 is a schematic structural diagram of an electronic device for implementing the SNAT method according to the embodiment of the present application. Fig. 4 is a block diagram of an electronic device of the SNAT method according to the embodiment of the present application. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. Electronic devices may also represent various forms of mobile devices, such as personal digital processors, cellular telephones, smart phones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be examples only, and are not meant to limit implementations of the present application that are described and/or claimed herein.
As shown in fig. 4, the electronic apparatus includes: one or more processors 401, memory 402, and interfaces for connecting the various components, including high-speed interfaces and low-speed interfaces. The various components are interconnected using different buses and may be mounted on a common motherboard or in other manners as desired. The processor may process instructions for execution within the electronic device, including instructions stored in or on the memory to display graphical information of a GUI on an external input/output apparatus (such as a display device coupled to the interface). In other embodiments, multiple processors and/or multiple buses may be used, along with multiple memories, as desired. Also, multiple electronic devices may be connected, with each device providing portions of the necessary operations (e.g., as a server array, a group of blade servers, or a multi-processor system). In fig. 4, one processor 401 is taken as an example.
Memory 402 is a non-transitory computer readable storage medium as provided herein. Wherein the memory stores instructions executable by the at least one processor to cause the at least one processor to perform the SNAT method provided herein. The non-transitory computer-readable storage medium of the present application stores computer instructions for causing a computer to perform the SNAT method provided herein.
Memory 402, which is a non-transitory computer-readable storage medium, may be used to store non-transitory software programs, non-transitory computer-executable programs, and modules, such as program instructions/modules corresponding to the SNAT method in the embodiments of the present application (e.g., request receiving module 310, request checking module 320, rule updating module 330, egress IP determining module 340, and communication connection establishing module 350 shown in fig. 3). The processor 401 executes various functional applications of the server and data processing by executing non-transitory software programs, instructions, and modules stored in the memory 402, that is, implements the SNAT method in the above method embodiments.
The memory 402 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created by use of an electronic device implementing the SNAT method, and the like. Further, the memory 402 may include high speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, memory 402 optionally includes memory located remotely from processor 401, and such remote memory may be coupled to an electronic device implementing the SNAT method via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The electronic device implementing the SNAT method may further include: an input device 403 and an output device 404. The processor 401, the memory 402, the input device 403 and the output device 404 may be connected by a bus or other means, and fig. 4 illustrates an example of a connection by a bus.
The input device 403 may receive input numeric or character information and generate key signal inputs related to user settings and function control of an electronic apparatus implementing the SNAT method, such as a touch screen, keypad, mouse, track pad, touch pad, pointing stick, one or more mouse buttons, track ball, joystick, or other input device. The output devices 404 may include a display device, auxiliary lighting devices (e.g., LEDs), and haptic feedback devices (e.g., vibrating motors), among others. The display device may include, but is not limited to, a Liquid Crystal Display (LCD), a Light Emitting Diode (LED) display, and a plasma display. In some implementations, the display device can be a touch screen.
Various implementations of the systems and techniques described here can be realized in digital electronic circuitry, integrated circuitry, application-specific integrated circuits (ASICs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, receiving data and instructions from, and transmitting data and instructions to, a storage system, at least one input device, and at least one output device.
These computer programs (also known as programs, software applications, or code) include machine instructions for a programmable processor, and may be implemented using high-level procedural and/or object-oriented programming languages, and/or assembly/machine languages. As used herein, the terms "machine-readable medium" and "computer-readable medium" refer to any computer program product, apparatus, and/or device (e.g., magnetic discs, optical disks, memory, Programmable Logic Devices (PLDs)) used to provide machine instructions and/or data to a programmable processor, including a machine-readable medium that receives machine instructions as a machine-readable signal. The term "machine-readable signal" refers to any signal used to provide machine instructions and/or data to a programmable processor.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic, speech, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), and the Internet.
The computer system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other.
According to the method and the device, the validity of the SNAT configuration request sent by the user through the terminal is verified, the current SNAT rule of the user is updated according to the SNAT configuration request under the condition that the SNAT configuration request passes the validity verification, the target public network outlet IP matched with the user is determined according to the updated SNAT rule, the communication connection between the user resource and the external network is established through the target public network outlet IP, the access success rate of the public network outlet IP can be improved, and the flow load balance of the public network outlet IP is optimized.
It should be understood that various forms of the flows shown above, reordering, adding or deleting steps, may be used. For example, the steps described in the present application may be executed in parallel, sequentially, or in different orders, and are not limited herein as long as the desired results of the technical solutions disclosed in the present application can be achieved.
The above-described embodiments should not be construed as limiting the scope of the present application. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made in accordance with design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (12)

1. A source address translation, SNAT, method comprising:
receiving an SNAT configuration request sent by a user through a terminal;
carrying out validity check on the SNAT configuration request;
under the condition that the SNAT configuration request passes the validity check, updating the current SNAT rule of the user according to the SNAT self-defined rule in the SNAT configuration request;
determining a target public network outlet IP matched with the user according to the updated SNAT rule;
establishing communication connection between user resources and an external network through the target public network outlet IP;
the SNAT configuration request is used for carrying out custom configuration on the current SNAT rule of a user;
wherein, the updating the current SNAT rule of the user according to the SNAT self-defining rule in the SNAT configuration request comprises:
comparing a target SNAT rule included in the SNAT configuration request with the current SNAT rule;
updating the current SNAT rule to the target SNAT rule if it is determined that the target SNAT rule differs from the current SNAT rule;
wherein the updating the current SNAT rule to the target SNAT rule comprises:
and in the case that the target SNAT rule comprises a plurality of EIPs, equalizing the connection number of each EIP.
2. The method of claim 1, wherein the SNAT configuration request comprises a create SNAT rule request, a modify SNAT rule request, a delete SNAT rule request, and a view SNAT rule request.
3. The method of claim 1 or 2, wherein the SNAT configuration request comprises a SNAT rule parameter, a SNAT identification parameter, and a rule action parameter.
4. The method according to claim 1 or 2, after the receiving the SNAT configuration request sent by the user through the terminal, further comprising:
returning a response success parameter to the user if the response to the SNAT configuration request is successful;
and in the case of failure of responding to the SNAT configuration request, returning a response failure parameter to the user or not executing the operation of returning the parameter.
5. The method of claim 1, wherein the legitimacy checking the SNAT configuration request comprises:
according to a preset IP verification rule, performing validity verification on a public network outlet IP EIP included by a target SNAT rule in the SNAT configuration request;
wherein, the preset IP verification rule comprises:
the EIP included by the target SNAT rule belongs to a target network segment;
the target SNAT rule includes an EIP that does not conflict with a destination address translation DNAT EIP.
6. A SNAT device, comprising:
a request receiving module, configured to receive an SNAT configuration request sent by a user through a terminal; wherein, the SNAT configuration request is used for carrying out custom configuration on the current SNAT rule of the user;
The request checking module is used for checking the validity of the SNAT configuration request;
a rule updating module, configured to update a current SNAT rule of the user according to a SNAT custom rule in the SNAT configuration request when the SNAT configuration request passes validity check;
an outlet IP determining module, configured to determine, according to the updated SNAT rule, a target public network outlet IP that matches the user;
the communication connection establishing module is used for establishing communication connection between the user resources and the external network through the target public network outlet IP;
wherein the rule updating module is specifically configured to:
comparing a target SNAT rule included in the SNAT configuration request with the current SNAT rule;
updating the current SNAT rule to the target SNAT rule if it is determined that the target SNAT rule differs from the current SNAT rule;
wherein the rule updating module is specifically configured to:
and in the case that the target SNAT rule comprises a plurality of EIPs, equalizing the number of connections of each EIP.
7. The apparatus of claim 6, wherein the SNAT configuration request comprises a create SNAT rule request, a modify SNAT rule request, a delete SNAT rule request, and a view SNAT rule request.
8. The apparatus of claim 6 or 7, wherein the SNAT configuration request comprises a SNAT rule parameter, a SNAT identification parameter, and a rule action parameter.
9. The apparatus of claim 6 or 7, further comprising:
the first request response module is used for returning a response success parameter to the user under the condition that the response to the SNAT configuration request is successful;
and the second request response module is used for returning a response failure parameter to the user or not executing the operation of returning the parameter under the condition that the response to the SNAT configuration request fails.
10. The apparatus of claim 6, wherein the request checking module is specifically configured to:
according to a preset IP verification rule, performing validity verification on the public network outlet IP EIP included in the SNAT configuration request;
wherein, the preset IP verification rule comprises:
the EIP included in the SNAT configuration request belongs to a target network segment;
the EIP included in the SNAT configuration request does not conflict with the destination address translation DNAT EIP.
11. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the SNAT method of any one of claims 1-5.
12. A non-transitory computer-readable storage medium having stored thereon computer instructions for causing the computer to perform the SNAT method of any one of claims 1-5.
CN202010555573.6A 2020-06-17 2020-06-17 SNAT method, SNAT device, electronic equipment and storage medium Active CN111770211B (en)

Publications (2)

Publication Number: CN111770211A (en), published 2020-10-13
Publication Number: CN111770211B (en), published 2023-04-18