CN112087533A - Message processing method, device, equipment and storage medium - Google Patents

Publication number
CN112087533A
Authority
CN
China
Prior art keywords
message
node
type
nat
gateway cluster
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202010952900.1A
Other languages
Chinese (zh)
Other versions
CN112087533B (en
Inventor
陈剑豪
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Qingyun Science And Technology Co ltd
Original Assignee
Beijing Qingyun Science And Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Qingyun Science And Technology Co ltd filed Critical Beijing Qingyun Science And Technology Co ltd
Priority to CN202010952900.1A priority Critical patent/CN112087533B/en
Publication of CN112087533A publication Critical patent/CN112087533A/en
Application granted granted Critical
Publication of CN112087533B publication Critical patent/CN112087533B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00: Network arrangements, protocols or services for addressing or naming
    • H04L61/09: Mapping addresses
    • H04L61/25: Mapping addresses of the same type
    • H04L61/2503: Translation of Internet protocol [IP] addresses
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00: Routing or path finding of packets in data switching networks
    • H04L45/14: Routing performance; Theoretical aspects

Abstract

The invention discloses a message processing method, device, equipment and storage medium. The message processing method comprises the following steps: dividing messages to be processed into first-type messages and second-type messages; after Network Address Translation (NAT) is performed on a first-type message, forwarding the first-type message through an NAT gateway cluster using a first strategy; and after NAT is performed on a second-type message, forwarding the second-type message through the NAT gateway cluster using a second strategy. In the technical scheme provided by the embodiments of the application, messages are split into a first type and a second type and a different forwarding strategy is applied to each type, which ensures that the existing traffic of an SNAT cluster is not interrupted during scaling and that no state synchronization among the cluster nodes is needed.

Description

Message processing method, device, equipment and storage medium
Technical Field
The embodiment of the invention relates to the technical field of clusters, in particular to a message processing method, a message processing device, message processing equipment and a message processing storage medium.
Background
An SNAT gateway cluster is a multi-node gateway cluster that handles active uplink traffic from an internal network to a public network: when multiple intranet devices without public network addresses access the public network, the source address of each data packet is translated (SNAT) to a public network address on the SNAT gateway cluster.
There are two types of existing SNAT gateway schemes. One is a single-node SNAT gateway, which cannot be scaled horizontally. The other is a multi-node, state-synchronized SNAT gateway cluster, which requires complex synchronization of connection states between cluster nodes.
Disclosure of Invention
The invention provides a message processing method, a message processing device, message processing equipment and a message processing storage medium, so that the existing flow is not interrupted in the process of capacity reduction and expansion, and state synchronization among clusters is not needed.
In a first aspect, an embodiment of the present invention provides a message processing method, including:
dividing messages to be processed into first-class messages and second-class messages;
after the first type of message is subjected to Network Address Translation (NAT), the first type of message is subjected to message forwarding processing by adopting a first strategy through an NAT gateway cluster;
and after NAT is carried out on the second type of message, a second strategy is adopted to carry out message forwarding processing on the second type of message through the NAT gateway cluster.
Further, the dividing the message to be processed into a first type message and a second type message includes:
the messages to be processed are divided into first messages and second messages through a layered model of a transmission control protocol/internet protocol (TCP/IP) protocol stack.
Further, under the condition that the NAT gateway cluster normally operates, performing packet forwarding processing on the first type by using a first policy through the NAT gateway cluster, including:
when the first type of message is active uplink flow and the connection state in the NAT system in the node is a first state, keeping the existing source address conversion SNAT through the node and forwarding the first type of message to a public network;
when the first type of message is active uplink flow and the connection state in an NAT system in the node is a second state, the node performs SNAT on the first type of message through the NAT system and forwards the first type of message to a public network;
when the first type of message is passive downlink flow and the connection state in the NAT system in the node is a first state, keeping the existing source address conversion SNAT through the node and forwarding the first type of message to a public network;
and when the first type of message is passive downlink flow and the connection state in the NAT system in the node is a second state, if the target port of the first type of message is not in the port range allocated by the node, the first type of message is forwarded to the corresponding cluster node according to the division of the port group after passing through the policy routing system by the node.
Further, the performing, by the NAT gateway cluster, packet forwarding processing on the second type by using a second policy under the condition that the NAT gateway cluster normally operates or the NAT gateway cluster is in the capacity expansion or capacity reduction includes:
when the second type of message is active uplink flow and the connection state in the NAT system in the node is a first state, keeping the existing source address translation SNAT through the node and forwarding the second type of message to the public network;
when the second type of message is active uplink flow and the connection state in the NAT system in the node is a second state, if the first node receives the second type of message, the first node performs SNAT on the second type of message through the NAT system, and forwards the second type of message to the public network; and if other nodes except the first node receive the second type of message, the other nodes forward the second type of message to the first node after passing through a policy routing system.
Further, under the condition that the NAT gateway cluster normally operates, performing packet forwarding processing on the second type by using a second policy through the NAT gateway cluster, including:
when the second type of message is passive downlink flow and the connection state in the NAT system in the node is a first state, keeping the existing destination address translation DNAT through the node and forwarding the second type of message to the intranet;
when the second type of message is passive downlink flow and the connection state in the NAT system in the node is a second state, if the first node receives the second type of message, the first node carries out DNAT on the second type of message through the NAT system, and then forwards the second type of message to the intranet; and if other nodes except the first node receive the second type of message, the other nodes forward the second type of message to the first node after passing through a policy routing system.
Further, under the condition that the NAT gateway cluster is expanded or contracted, the forwarding processing of the first type of packet is performed by the NAT gateway cluster by using a first policy, including:
when the first type of message is active uplink flow and the connection state in the NAT system in the node is a first state, keeping the existing SNAT through the node and forwarding the first type of message to a public network;
when the first type of message is active uplink flow and the connection state in an NAT system in a node is a second state, if an original node or a reserved node receives the first type of message, the SNAT is carried out on the first type of message through the NAT system by the original node or the reserved node, and then the first type of message is forwarded to a public network;
when the first type of message is active uplink flow and the connection state in an NAT system in a node is a second state, if the first type of message is received by the capacity expansion node, the first type of message is forwarded to a public network after the first type of message passes through the NAT system for SNAT through the capacity expansion node;
and if the first type of message is active uplink flow and the connection state in the NAT system in the node is a second state, forwarding the first type of message to the corresponding cluster node through the capacity reduction node according to the division of the new port group if the capacity reduction node receives the first type of message.
Further, under the condition that the NAT gateway cluster is expanded or contracted, the forwarding processing of the first type of packet is performed by the NAT gateway cluster by using a first policy, including:
when the first type of message is passive downlink flow and the connection state in the NAT system in the node is a first state, the node keeps the existing DNAT and forwards the second type of message to the intranet;
when the first type of message is passive downlink flow and the connection state in the NAT system in the node is a first state, if a target port corresponding to the first type of message is in a node distribution port range and the node is a capacity expansion node or a reserved node, forwarding the first type of message to the corresponding node through the node according to an old port group;
and when the first type of message is passive downlink flow and the connection state in the NAT system in the node is a first state, if the target port corresponding to the first type of message is not in the range of the node allocated port, forwarding the first type of message to the corresponding node through the node according to the new port grouping.
In a second aspect, an embodiment of the present invention further provides a packet processing apparatus, including:
the message dividing module is used for dividing the message to be processed into a first type message and a second type message;
the first processing module is used for performing Network Address Translation (NAT) on a first type of message, and then performing message forwarding processing on the first type of message by adopting a first strategy through an NAT gateway cluster;
and the second processing module is used for performing NAT on the second type message and then performing message forwarding processing on the second type message by adopting a second strategy through the NAT gateway cluster.
In a third aspect, an embodiment of the present invention further provides an apparatus, where the apparatus includes:
one or more processors;
a memory for storing one or more programs;
when the one or more programs are executed by the one or more processors, the one or more processors implement the message processing method according to any of the embodiments of the present application.
In a fourth aspect, an embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program is executed by a processor to implement the message processing method according to any one of the embodiments of the present application.
The message processing method, apparatus, device and storage medium provided in the foregoing embodiments include: dividing messages to be processed into first-type messages and second-type messages; after Network Address Translation (NAT) is performed on a first-type message, forwarding the first-type message through an NAT gateway cluster using a first strategy; and after NAT is performed on a second-type message, forwarding the second-type message through the NAT gateway cluster using a second strategy. In the technical scheme provided by the embodiments of the application, messages are split into a first type and a second type and a different forwarding strategy is applied to each type, which ensures that the existing traffic of an SNAT cluster is not interrupted during scaling and that no state synchronization among the cluster nodes is needed.
Drawings
FIG. 1 is a comparison of three architectures;
FIG. 2 is a flowchart of a message processing method according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of node-less, SNAT-ICMP, provided in the present embodiment;
FIG. 4 is a schematic diagram of node-less, DNAT-ICMP, provided in the present embodiment;
FIG. 5 is a diagram of TCP SNAT/DNAT provided in the present embodiment;
FIG. 6 is a schematic diagram of multi-node, SNAT-ICMP, provided in the present embodiment;
FIG. 7 is a schematic diagram of multi-node, DNAT-ICMP, provided in the present embodiment;
FIG. 8 is a schematic diagram of capacity expansion, SNAT, NATed, provided in the present embodiment;
FIG. 9 is a schematic diagram of SNAT, un-NATed, provided in the present embodiment;
FIG. 10 is a schematic diagram of capacity expansion node, SNAT, un-NATed, provided in the present embodiment;
FIG. 11 is a schematic diagram of capacity expansion, DNAT, NATed, provided in the present embodiment;
FIG. 12 is a diagram of capacity expansion node, DNAT, un-NATed, local node port, provided in the present embodiment;
FIG. 13 is a diagram of capacity expansion, DNAT, un-NATed, non-native node port (during expansion), provided in the present embodiment;
FIG. 14 is a diagram of capacity expansion node, DNAT, un-NATed, non-native node port, provided in the present embodiment;
FIG. 15 is a schematic diagram of capacity reduction, SNAT, un-NATed, holding node (during the contraction), provided in the present embodiment;
FIG. 16 is a schematic diagram of capacity reduction node, SNAT, un-NATed, provided in the present embodiment;
FIG. 17 is a schematic diagram of capacity reduction, DNAT, NATed, provided in the present embodiment;
FIG. 18 is a diagram of capacity reduction, DNAT, un-NATed, own node port, reservation node (during capacity reduction), provided in the present embodiment;
FIG. 19 is a diagram of capacity reduction, DNAT, un-NATed, non-native node port, capacity reduction node, provided in the present embodiment;
FIG. 20 is a schematic structural diagram of a message processing apparatus according to an embodiment of the present invention;
FIG. 21 is a schematic structural diagram of an apparatus according to an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures.
First, keywords related in the embodiment of the present invention are briefly introduced.
IP Network Address Translation (NAT) principle: for a transport layer connection, the quintuple is used as a unique identifier: source IP, source port, destination IP, destination port, protocol number.
IP NAT is classified into two cases, Source Address Translation (SNAT) and Destination Address Translation (DNAT):
SNAT: translates the source address (and possibly the source port). Suppose two intranet IPs, 192.168.1.2/24 and 192.168.1.3/24, share internet access through a gateway 8.8.8.8. When 192.168.1.2 accesses port 53 of the external host 114.114.114.114 from port 30273 through the gateway, the gateway converts the quintuple from (192.168.1.2,30273,114.114.114.114,53,6) to (8.8.8.8,30273,114.114.114.114,53,6) and sends it to 114.114.114.114, i.e., source address translation is performed. From the viewpoint of the SNAT gateway cluster, SNAT can be regarded as upstream network traffic.
DNAT: translates the destination address (and possibly the destination port). Continuing the example above, when the public network client (1.2.4.8) needs to access the port 80 service of 192.168.1.2 through the gateway 8.8.8.8, the gateway converts the quintuple of the packet sent by the client from (1.2.4.8,30273,8.8.8.8,80,6) to (1.2.4.8,30273,192.168.1.2,80,6) and forwards it to 192.168.1.2, i.e., destination address translation is performed. DNAT may also translate the destination port. From the viewpoint of the SNAT gateway cluster, DNAT can be regarded as downstream network traffic.
An SNAT gateway cluster is a gateway cluster that has a plurality of nodes and handles active uplink traffic from an internal network to a public network (the internal network and the public network are relative scopes): when multiple intranet devices without public network addresses access the public network, the source address of each data packet is translated (SNAT) to a public network address on the SNAT gateway cluster.
The Open System Interconnection Reference Model (OSI) is divided into seven levels: a physical layer, a data link layer, a network layer, a transport layer, a session layer, a presentation layer, and an application layer.
TCP/IP reference model: TCP/IP is an abbreviation of Transmission Control Protocol/Internet Protocol.
The seven-layer OSI protocol architecture is conceptually clear and theoretically complete, but it is complex and not used in practice. The TCP/IP architecture is different and is now widely used. It comprises four levels: an application layer, a transport layer, a network interconnect layer, and a host-to-network layer. In essence, however, TCP/IP has only the top three layers, since the bottom network interface layer specifies nothing in detail. Therefore, in teaching, a compromise is usually made that combines the advantages of OSI and TCP/IP and uses an architecture with only five layers of protocols: physical layer, data link layer, network layer, transport layer and application layer. A comparison of the three architectures is shown in FIG. 1.
The TCP/IP protocol stack is divided into different protocols according to different layers. However, the application of the TCP/IP protocol stack is so extensive today, and the application layer is usually built on the TCP/IP protocol stack, such as the HTTP protocol, DNS protocol, FTP protocol, etc., which are the most common protocols on the internet.
Transport layer port: the port is part of the transport layer. When a computer provides a plurality of services (application-layer programs, such as an HTTP service), it distinguishes the services by assigning a different port number to each. A port number is a 16-bit integer, so the port range is 0 to 65535. A transport layer connection can be represented by a five-tuple: protocol, source IP, destination IP, source port, destination port. The TCP header and UDP header below show the header fields of TCP and UDP, the main transport layer protocols in the TCP/IP protocol stack; these header fields include a source port and a destination port.
Connection state: the two most common transport layer protocols of the TCP/IP protocol stack are TCP and UDP. UDP provides no complex control mechanism and uses IP to provide a connectionless communication service; TCP is a connection-oriented, reliable, byte-stream-based transport layer communication protocol that ensures that network packets received at the receiving end are lossless, gapless, non-redundant, and in order.
Although connection state is not defined in the protocol, a virtual connection can be defined by certain characteristics (such as protocol type, source IP, target IP, source port, target port, and a certain timeout period). The data streams discussed in this scheme are therefore all data streams for which a (virtual) connection can be defined. The TCP protocol header is shown in table 1 and the UDP protocol header is shown in table 2.
TABLE 1: TCP protocol header (table image not reproduced)
TABLE 2: UDP protocol header (table image not reproduced)
Scaling: when a network component encounters a performance bottleneck, there are theoretically two ways to scale it.
Horizontal scaling: horizontal expansion means gradually adding cluster nodes when the network component operates in cluster mode; horizontal contraction means gradually removing cluster nodes when the network component operates in cluster mode.
Vertical scaling: vertical expansion means improving the hardware configuration of the network component, such as increasing the number of CPU cores or the available memory; vertical contraction means reducing the hardware configuration of the network component, such as reducing the number of CPU cores or the available memory.
In an embodiment, FIG. 2 is a flowchart of a message processing method provided in an embodiment of the present invention, which is applicable to the case where a gateway cluster processes messages. The method may be executed by a message processing apparatus, which may be implemented in software and/or hardware.
It should be noted that the technical solution of the present application is a smooth scaling solution for a cluster of network components built at the network layer (IP) and the transport layer (TCP/UDP) of the TCP/IP protocol stack.
As shown in FIG. 2, the message processing method provided in the embodiment of the present application mainly includes the following steps:
S11, dividing the message to be processed into a first type message and a second type message.
Dividing the messages to be processed into first type messages and second type messages comprises: dividing the messages to be processed into first type messages and second type messages according to the layered model of the transmission control protocol/internet protocol (TCP/IP) protocol stack.
Specifically, the messages to be processed of the NAT gateway are divided into two types according to the TCP/IP model: a first type of packet and a second type of packet.
The first type of packet refers to a packet transmitted according to a TCP/UDP protocol, which is a transport layer protocol, and in a corresponding protocol header, there are transport layer ports (including a source port and a destination port).
The second type of message refers to a message transmitted according to all protocols except the TCP/UDP protocol.
In this embodiment, the NAT gateway cluster is divided into a combination of fixed nodes. Further, in this embodiment, the number of nodes of one NAT gateway cluster is defined as 1, 2, 4, and 8.
The ports defined in the TCP/UDP protocol header are 16 bits, i.e. the legal port range is 0-65535. Ports in the range 0-1023 are typically used by system services and are reserved by the system. The port range available for NAT can be designated 1024-. In this embodiment, the legal port range is divided into 8 groups:
PG1: 1024–9087; PG2: 9088–17151; PG3: 17152–25215; PG4: 25215–33279; PG5: 33280–41343; PG6: 41344–49407; PG7: 49408–57471; PG8: 57472–65535.
S12, after NAT is performed on the first type of message, the first type of message is forwarded by the NAT gateway cluster using a first strategy.
It should be noted that the NAT system may be a system that performs SNAT/DNAT on a packet. After performing NAT on a data packet, it records the NAT connection state: a connection on which NAT has been performed is marked as a NATed connection, and other connections are marked as un-NATed connections.
For data packets that the NAT system cannot process, the NAT gateway cluster hands the data packet to the policy routing system for processing and forwarding.
Under the condition that the NAT gateway cluster normally operates, the first type of packet is forwarded and processed by the NAT gateway cluster through a first strategy, and the method comprises the following steps: when the first type of message is active uplink flow and the connection state in the NAT system in the node is a first state, keeping the existing source address conversion SNAT through the node and forwarding the first type of message to a public network; when the first type of message is active uplink flow and the connection state in an NAT system in the node is a second state, the node performs SNAT on the first type of message through the NAT system and forwards the first type of message to a public network; when the first type of message is passive downlink flow and the connection state in the NAT system in the node is a first state, keeping the existing source address conversion SNAT through the node and forwarding the first type of message to a public network; and when the first type of message is passive downlink flow and the connection state in the NAT system in the node is a second state, if the target port of the first type of message is not in the port range allocated by the node, the first type of message is forwarded to the corresponding cluster node according to the division of the port group after passing through the policy routing system by the node.
a) When the first type of message received by the NAT gateway cluster is active uplink traffic, it is processed as follows.
i) If the connection state of the first type message in the NAT system in the node is NATed, the node keeps the existing SNAT and forwards the message to the public network. This strategy avoids interrupting existing connections during capacity expansion or capacity reduction.
ii) If the connection state of the first type message in the NAT system in the node is un-NATed, the node performs SNAT on the first type message through the NAT system and then forwards it to the public network.
b) When the first type of message received by the NAT gateway cluster is passive downlink traffic, it is processed as follows.
i) If the connection state of the first type message in the NAT system in the node is NATed, the node keeps the existing DNAT and forwards the message back to the intranet. This strategy avoids interrupting existing connections during capacity expansion or capacity reduction.
ii) If the connection state of the first type message in the NAT system in the node is un-NATed, there are the following two cases:
1) If the destination port of the first type message is within the range of ports allocated to the node, this branch does not exist, because the failure of a NATed connection is not considered in the embodiment.
2) If the destination port of the first type message is not within the range of ports allocated to the node, the node passes the traffic through the policy routing system and forwards it to the corresponding cluster node according to the division of the port groups.
For example, for the first type of protocol, the processing strategy on the NAT gateway cluster is:
SNAT (uplink):
    NATed: existing SNATs are maintained and forwarded to the public network, avoiding interruption of existing connections.
    un-NATed: after SNAT, forwarding to the public network.
DNAT (downstream) (after receiving the packet, the NAT gateway cluster node determines the target port):
    NATed: the existing SNAT is maintained and forwarded to the public network. The existing connection is avoided from being interrupted.
    un-NATed:
        Local node port: this branch is not present.
        Non-local node port: forwarding to the corresponding cluster nodes according to the division of the port groups.
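The normal-operation policy of items a) and b) above, together with the first-node rule for second type messages, can be sketched as follows; this is an added example, not code from the patent. It computes the eight port groups as an even split of 1024-65535 (8064 ports each, which puts the start of PG4 at 25216). Assumptions not stated on the page: each node owns 8/N consecutive groups, SNAT picks the source port from the node's own range, the "first node" is node 0, and all function names and the documentation-range IP addresses are constructed.

```python
"""Added illustration of the normal-operation forwarding policy; not the patent's code."""
from dataclasses import dataclass, field

NAT_PORT_MIN, NAT_PORT_MAX, GROUPS = 1024, 65535, 8
GROUP_SIZE = (NAT_PORT_MAX - NAT_PORT_MIN + 1) // GROUPS  # 8064 ports per group
TCP, UDP, ICMP = 6, 17, 1  # IP protocol numbers


def port_group(port):
    """Return the 1-based port group (PG1..PG8), or None for a port outside the NAT range."""
    if not NAT_PORT_MIN <= port <= NAT_PORT_MAX:
        return None
    return (port - NAT_PORT_MIN) // GROUP_SIZE + 1


def group_range(group):
    """Return the inclusive (low, high) port range of a 1-based port group."""
    low = NAT_PORT_MIN + (group - 1) * GROUP_SIZE
    return low, low + GROUP_SIZE - 1


def owner_node(port, cluster_size):
    """Assumption: node k (0-based) owns 8/cluster_size consecutive port groups."""
    if cluster_size not in (1, 2, 4, 8):
        raise ValueError("cluster size must be 1, 2, 4 or 8")
    group = port_group(port)
    return None if group is None else (group - 1) // (GROUPS // cluster_size)


def message_class(protocol):
    """First type: TCP/UDP (has transport-layer ports). Second type: everything else."""
    return "first" if protocol in (TCP, UDP) else "second"


@dataclass
class Node:
    index: int
    cluster_size: int
    nated: set = field(default_factory=set)  # five-tuples of NATed connections, both directions

    def snat(self, pkt, public_ip):
        """SNAT a new uplink connection using a free source port from this node's own range
        (assumption: this is what lets any node find a reply's owner from its target port)."""
        per_node = GROUPS // self.cluster_size
        low, _ = group_range(self.index * per_node + 1)
        _, high = group_range((self.index + 1) * per_node)
        used = {t[3] for t in self.nated if t[2] == public_ip}
        port = next(p for p in range(low, high + 1) if p not in used)
        _, _, dst_ip, dst_port, proto = pkt
        # Record the original uplink tuple and the reply tuple expected from the public network.
        self.nated.update({pkt, (dst_ip, dst_port, public_ip, port, proto)})
        return (public_ip, port, dst_ip, dst_port, proto)

    def decide(self, pkt, direction):
        """pkt = (src_ip, src_port, dst_ip, dst_port, protocol); direction is 'up' or 'down'."""
        if pkt in self.nated:  # first state (NATed): keep the existing translation
            return "keep-existing-nat"
        if message_class(pkt[4]) == "second":
            # No ports to hash on: only the first node translates new second type traffic.
            return "nat-locally" if self.index == 0 else "route-to-node-0"
        if direction == "up":  # un-NATed uplink: translate on the receiving node
            return "nat-locally"
        owner = owner_node(pkt[3], self.cluster_size)
        if owner is None:
            return "outside-nat-range"
        if owner == self.index:  # un-NATed downlink to an own port: the page excludes this branch
            return "no-such-branch"
        return f"route-to-node-{owner}"  # policy routing by port group, no shared state


if __name__ == "__main__":
    node1 = Node(index=1, cluster_size=4)
    uplink = ("192.168.1.2", 30273, "198.51.100.53", 53, UDP)  # constructed sample packet
    print(node1.decide(uplink, "up"), node1.snat(uplink, "203.0.113.10"))
```

A reply that arrives at a node holding no state for it is routed purely on its destination port, which is why the cluster needs no connection-state synchronization.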
Under the condition that the NAT gateway cluster is expanded or contracted, the first type of message is forwarded by the NAT gateway cluster by adopting a first strategy, and the method comprises the following steps: when the first type of message is active uplink flow and the connection state in the NAT system in the node is a first state, keeping the existing SNAT through the node and forwarding the first type of message to a public network; when the first type of message is active uplink flow and the connection state in an NAT system in a node is a second state, if an original node or a reserved node receives the first type of message, the SNAT is carried out on the first type of message through the NAT system by the original node or the reserved node, and then the first type of message is forwarded to a public network; when the first type of message is active uplink flow and the connection state in an NAT system in a node is a second state, if the first type of message is received by the capacity expansion node, the first type of message is forwarded to a public network after the first type of message passes through the NAT system for SNAT through the capacity expansion node; and if the first type of message is active uplink flow and the connection state in the NAT system in the node is a second state, forwarding the first type of message to the corresponding cluster node through the capacity reduction node according to the division of the new port group if the capacity reduction node receives the first type of message.
Under the condition that the NAT gateway cluster is expanded or contracted, the first type of message is forwarded by the NAT gateway cluster by adopting a first strategy, and the method comprises the following steps: when the first type of message is passive downlink flow and the connection state in the NAT system in the node is a first state, the node keeps the existing DNAT and forwards the second type of message to the intranet; when the first type of message is passive downlink flow and the connection state in the NAT system in the node is a first state, if a target port corresponding to the first type of message is in a node distribution port range and the node is a capacity expansion node or a reserved node, forwarding the first type of message to the corresponding node through the node according to an old port group; and when the first type of message is passive downlink flow and the connection state in the NAT system in the node is a first state, if the target port corresponding to the first type of message is not in the range of the node allocated port, forwarding the first type of message to the corresponding node through the node according to the new port grouping.
The specific description is as follows:
a) When the NAT gateway cluster receives a first type of message that is active uplink traffic, the message is processed as follows.
i) If the connection state of the first type of message in the NAT system of the node is NATed, the node keeps the existing SNAT and forwards the message to the public network. This strategy avoids interrupting existing connections during capacity expansion or capacity reduction.
ii) If the connection state of the first type of message in the NAT system of the node is un-NATed:
1) If the original node (during capacity expansion) or the reserved node (during capacity reduction) receives the message, the node performs SNAT on the first type of message through the NAT system and then forwards it to the public network.
2) If the capacity expansion node receives the first type of message, the node performs SNAT on it through the NAT system and then forwards it to the public network.
3) If the capacity reduction node receives the traffic, the node forwards it to the corresponding node according to the new port grouping. This policy means that a node being removed no longer performs SNAT for new connections.
b) When the NAT gateway cluster receives a first type of message that is passive downlink traffic, the message is processed as follows.
i) If the connection state of the first type of message in the NAT system of the node is NATed, the node keeps the existing DNAT and forwards the message back to the intranet. This strategy avoids interrupting existing connections during capacity expansion or capacity reduction.
ii) If the connection state of the traffic in the NAT system of the node is un-NATed, it is processed as follows.
1) If the destination port of the traffic is within the port range assigned to the node, processing proceeds as follows.
If the node is the original node (during capacity expansion), this branch does not exist, because failure of a NATed connection is not considered in this embodiment.
If the node is a capacity expansion node, the first type of message belongs to an old connection established before capacity expansion; it must be forwarded to the corresponding node according to the old port grouping so that the existing connection is not interrupted.
If the node is a reserved node (during capacity expansion), the first type of message belongs to an old connection established before capacity expansion; it must be forwarded to the corresponding node according to the old port grouping so that the existing connection is not interrupted.
If the node is a capacity reduction node, this branch does not exist: because it is the node being removed during capacity reduction, it no longer has any ports under the new port grouping.
2) If the destination port of the traffic is not within the port range assigned to the node, processing proceeds as follows.
The traffic is always forwarded to the corresponding node according to the new port grouping.
For example, for the first type of message, the processing strategy on the NAT gateway cluster is as follows:
SNAT (after receiving the packet, the NAT gateway cluster node checks the connection state of the packet recorded locally on the node):
NATed:
The existing SNAT is maintained and the packet is forwarded to the public network. This avoids interrupting existing connections.
un-NATed:
Original node (during capacity expansion) or reserved node (during capacity reduction): allocate a new target port according to the new port grouping, perform SNAT and send the packet out.
Capacity expansion node: allocate a new target port according to the new port grouping, perform SNAT and send the packet out.
Capacity reduction node: forward to the corresponding NAT gateway cluster node according to the new port grouping. This is equivalent to the node rejecting new connections.
DNAT (after receiving the packet, the NAT gateway cluster node checks the connection state of the packet recorded locally on the node):
NATed: the existing DNAT is maintained and the packet is forwarded back to the intranet. This avoids interrupting existing connections.
un-NATed (whether the port belongs to this node is determined by the latest port grouping):
Local node port:
Original node (during capacity expansion): this branch does not exist (during expansion, a connection on an original node that uses one of that node's ports must already be in the NATed state).
Capacity expansion node: this indicates an old connection; forward to the corresponding node according to the old port grouping. This avoids interrupting existing connections.
Reserved node (during capacity reduction): this indicates an old connection; forward to the corresponding node according to the old port grouping. This avoids interrupting existing connections.
Capacity reduction node: this branch does not exist (because it is the node being removed during capacity reduction, it no longer has any ports under the new port grouping).
Non-local node port:
Original node (during capacity expansion): forward to the corresponding node according to the new port grouping.
Capacity expansion node: forward to the corresponding node according to the new port grouping.
Reserved node (during capacity reduction): forward to the corresponding node according to the new port grouping.
Capacity reduction node: forward to the corresponding node according to the new port grouping.
S13: after NAT is performed on the second type of message, the NAT gateway cluster forwards the second type of message using a second strategy.
Forwarding the second type of message through the NAT gateway cluster using the second strategy comprises: when the second type of message is active uplink traffic and the connection state in the NAT system of the node is the first state, the node keeps the existing source address translation (SNAT) and forwards the second type of message to the public network; when the second type of message is active uplink traffic and the connection state in the NAT system of the node is the second state, if the first node receives the second type of message, the first node performs SNAT on it through the NAT system and forwards it to the public network; and if a node other than the first node receives the second type of message, that node forwards it to the first node through the policy routing system.
Forwarding the second type of message through the NAT gateway cluster using the second strategy comprises: when the second type of message is passive downlink traffic and the connection state in the NAT system of the node is the first state, the node keeps the existing destination address translation (DNAT) and forwards the second type of message to the intranet; when the second type of message is passive downlink traffic and the connection state in the NAT system of the node is the second state, if the first node receives the second type of message, the first node performs DNAT on it through the NAT system and then forwards it to the intranet; and if a node other than the first node receives the second type of message, that node forwards it to the first node through the policy routing system.
Specifically, when the cluster is running normally, the workflow is as follows:
1. For the second type of message, the processing strategy on the NAT gateway cluster is:
SNAT (uplink):
NATed:
The existing SNAT is maintained and the packet is forwarded to the public network. This avoids interrupting existing connections.
un-NATed:
Node 1: perform SNAT, then forward to the public network.
Other nodes: forward to node 1.
DNAT (downlink):
NATed: the existing SNAT is maintained and the packet is forwarded to the public network. This avoids interrupting existing connections.
un-NATed:
Node 1: perform DNAT, then forward back to the intranet.
Other nodes: forward to node 1.
The detailed description is as follows:
a) When the NAT gateway cluster receives a second type of message that is active uplink traffic, the message is processed as follows.
i) If the connection state of the second type of message in the NAT system of the node is NATed, the node keeps the existing SNAT and forwards the message to the public network. This strategy avoids interrupting existing connections during capacity expansion or capacity reduction.
ii) If the connection state of the second type of message in the NAT system of the node is un-NATed, it is processed as follows.
1) If node 1 receives the second type of message, node 1 performs SNAT on it through the NAT system and then forwards it to the public network.
2) If a node other than node 1 receives the message, that node forwards the second type of message to node 1 after it passes through the NAT system and the policy routing system.
b) When the NAT gateway cluster receives passive downlink traffic of the second type of protocol, it is processed as follows.
i) If the connection state of the second type of message in the NAT system of the node is NATed, the node keeps the existing DNAT and forwards the message back to the intranet. This strategy avoids interrupting existing connections during capacity expansion or capacity reduction.
ii) If the connection state of the second type of message in the NAT system of the node is un-NATed:
1) If node 1 receives the second type of message, node 1 performs DNAT on it through the NAT system and then forwards it back to the intranet;
2) If a node other than node 1 receives the message, that node forwards the second type of message back to node 1 after it passes through the NAT system and the policy routing system.
Specifically, when the cluster is being expanded or contracted, the workflow is as follows:
1. For the second type of message, the processing strategy on the NAT gateway cluster is:
SNAT:
NATed: the existing SNAT is maintained and the packet is forwarded to the public network. This avoids interrupting existing connections.
un-NATed:
Node 1: perform SNAT, then forward to the public network.
Other nodes: forward to node 1.
DNAT:
NATed: the existing SNAT is maintained and the packet is forwarded to the public network. This avoids interrupting existing connections.
un-NATed:
Node 1: perform DNAT, then forward back to the intranet.
Other nodes: forward to node 1.
The detailed description is as follows:
a) When the NAT gateway cluster receives active uplink traffic of the second type of protocol:
i) If the connection state of the traffic in the NAT system of the node is NATed, the node keeps the existing SNAT and forwards the traffic to the public network. This strategy avoids interrupting existing connections during capacity expansion or capacity reduction.
ii) If the connection state of the traffic in the NAT system of the node is un-NATed:
1) If node 1 receives the traffic, node 1 performs SNAT on it through the NAT system and then forwards it to the public network;
2) If a node other than node 1 receives the traffic, that node forwards it to node 1 after it passes through the NAT system and the policy routing system.
b) When the NAT gateway cluster receives passive downlink traffic of the second type of protocol:
i) If the connection state of the traffic in the NAT system of the node is NATed, the node keeps the existing DNAT and forwards the traffic back to the intranet. This strategy avoids interrupting existing connections during capacity expansion or capacity reduction.
ii) If the connection state of the traffic in the NAT system of the node is un-NATed:
1) If node 1 receives the traffic, node 1 performs DNAT on it through the NAT system and then forwards it back to the intranet;
2) If a node other than node 1 receives the traffic, that node forwards it back to node 1 after it passes through the NAT system and the policy routing system.
Further, the method comprises: when the number of NATed connections recorded by the NAT system on the capacity expansion node is 0, marking the capacity expansion node as a normal node.
When the number of NATed connections recorded by the NAT system on the capacity reduction node is 0, the capacity reduction node is completely destroyed.
It should be noted that the present invention provides a flexible and smooth cluster scaling scheme for multi-node network component clusters; the scheme is built on the transport layer of the OSI model or the TCP/IP model and is not limited to the application layer.
The following describes a specific technical scheme of the present application, taking the number of NAT gateway cluster nodes as two nodes as an example.
In this embodiment, the intranet refers to a private network, and its IP address segment is assumed to be 192.168.1.0/24. The public network refers to a public network, and its IP address segment is 1.1.1.0/24.
It should be noted that the intranet and the public network are relative scopes and are not defined by the standard division of IP addresses. Here, the main difference between them is that when an intranet address accesses a public network address, the intranet IP cannot be used directly; the source IP must first be converted from the intranet address to the public network address by SNAT before the public network can be accessed.
The relevant client, NAT gateway and public network environment information is as follows:
Client 1: 192.168.1.2/24
Client 2: 192.168.1.3/24
NAT gateway cluster 1 public network IP: 1.1.1.1/24
NAT gateway cluster 1, node 1: intranet IP 192.168.1.11/24
NAT gateway cluster 1, node 2: intranet IP 192.168.1.12/24
NAT gateway cluster 1, node 3: intranet IP 192.168.1.13/24
NAT gateway cluster 1, node 4: intranet IP 192.168.1.14/24
The initial number of nodes in NAT gateway cluster 1 is 2: NAT gateway cluster node 1 and NAT gateway cluster node 2.
When NAT gateway cluster 1 is expanded horizontally, NAT gateway cluster node 3 and NAT gateway cluster node 4 are added.
When NAT gateway cluster 1 is contracted horizontally, NAT gateway cluster node 2 is deleted.
Server address: 1.1.1.2/24.
For convenience of description of the following operation, the first type of protocol is described by taking TCP as an example, and the second type of protocol is described by taking ICMP as an example.
The first type: TCP; the second type: ICMP, echo-request/echo-reply.
If not specifically stated, the priority of the rule is from top to bottom in the order of the rule, the top priority is the highest, and the bottom priority is the lowest.
When the cluster is in normal operation, the following rules are provided:
The NAT gateway list is shown in table 3.
TABLE 3
Taking the above as an example, the rule states: there is a NAT gateway cluster 1 whose public network address is 1.1.1.1/32 and which provides SNAT service. Before a packet whose source IP is in 192.168.1.0/24 is forwarded out to the public network, it undergoes SNAT once so that its source address becomes 1.1.1.1; after the returned packet is received, it undergoes DNAT once, which changes its source address back to 192.168.1.0/24, and it is then forwarded back to the intranet. The expected node number of the cluster is 2, the current node number is 2, and the current state of the cluster is normal.
The list of nodes for NAT gateway cluster 1 is shown in table 4.
TABLE 4
| | Intranet IP | Port group | Status |
| --- | --- | --- | --- |
| NAT gateway cluster node 1 | 192.168.1.11/24 | PG1+PG2+PG3+PG4 | - |
| NAT gateway cluster node 2 | 192.168.1.12/24 | PG5+PG6+PG7+PG8 | - |
Taking the above as an example, the rule states: NAT gateway cluster 1 has two nodes. NAT gateway cluster node 1 has the intranet IP 192.168.1.11/24 and, for the first type of protocol, uses the port group (PG1+PG2+PG3+PG4) as its NAT port range. NAT gateway cluster node 2 has the intranet IP 192.168.1.12/24 and, for the first type of protocol, uses the port group (PG5+PG6+PG7+PG8) as its NAT port range.
The SNAT rules within NAT gateway cluster node 1 are shown in table 5.
TABLE 5
Taking the above as an example, the rule states: NAT gateway cluster node 1 has three SNAT rules:
1. If a message received by the NAT system has a source IP in 192.168.1.0/24 and is in the NATed state in the NAT system, NAT gateway cluster node 1 uses the existing NATed connection to NAT the packet and forward it to the public network.
2. If a message received by the NAT system has a source IP in 192.168.1.0/24 and is in the un-NATed state in the NAT system:
a) If the protocol of the message is the second type of protocol, NAT gateway cluster node 1 performs SNAT once and forwards the SNATed packet to the public network;
b) If the protocol of the message is the first type of protocol, NAT gateway cluster node 1 performs SNAT once, selecting an available source port from PG1+PG2+PG3+PG4, and forwards the SNATed packet to the public network.
The DNAT rules within NAT gateway cluster node 1 are shown in table 6.
TABLE 6
Taking the above as an example, the rule states: the NAT system of NAT gateway cluster node 1 has six DNAT rules:
1. If a message received by the NAT system has a target IP of 1.1.1.1/32 and is in the NATed state in the NAT system, NAT gateway cluster node 1 uses the existing NATed connection to DNAT the packet and forward it to the intranet.
2. If a message received by the NAT system has a target IP of 1.1.1.1/32 and is in the un-NATed state in the NAT system:
a) If the protocol of the message is the second type of protocol, NAT gateway cluster node 1 performs DNAT once and forwards the packet to the intranet;
b) If the protocol of the message is the first type of protocol and the target port is in the range PG1+PG2+PG3+PG4, NAT gateway cluster node 1 performs DNAT once and forwards the DNATed packet to the intranet;
c) If the protocol of the message is the first type of protocol and the target port is in the range PG5+PG6+PG7+PG8, NAT gateway cluster node 1 forwards the packet to the policy routing system in the node, that is, to the policy routing rules in NAT gateway cluster node 1 described below.
The policy routing rules within NAT gateway cluster node 1 are shown in table 7.
TABLE 7
Taking the above as an example, the rule states: the policy routing system of NAT gateway cluster node 1 has one policy routing rule:
1. When a message received by the policy routing system has a target IP segment of 1.1.1.1/32, its protocol is the first type of protocol, and its target port is in the range PG5+PG6+PG7+PG8, NAT gateway cluster node 1 forwards the message to NAT gateway cluster node 2.
The SNAT rules within NAT gateway cluster node 2 are shown in table 8.
TABLE 8
Taking the above as an example, the rule states: NAT gateway cluster node 2 has three SNAT rules:
1. If a message received by the NAT system has a source IP in 192.168.1.0/24 and is in the NATed state in the NAT system, NAT gateway cluster node 2 uses the existing NATed connection to NAT the packet and forward it to the public network;
2. If a message received by the NAT system has a source IP in 192.168.1.0/24 and is in the un-NATed state in the NAT system:
a) If the protocol of the message is the second type of protocol, NAT gateway cluster node 2 forwards the message to the policy routing system in the node;
b) If the protocol of the message is the first type of protocol, NAT gateway cluster node 2 performs SNAT once, selecting an available source port from PG5+PG6+PG7+PG8, and forwards the SNATed packet to the public network.
The DNAT rules within NAT gateway cluster node 2 are shown in table 9.
TABLE 9
Taking the above as an example, the rule states: the NAT system of NAT gateway cluster node 2 has six DNAT rules:
1. If a message received by the NAT system has a target IP of 1.1.1.1/32 and is in the NATed state in the NAT system, NAT gateway cluster node 2 uses the existing NATed connection to NAT the packet and forward it to the intranet;
2. If a message received by the NAT system has a target IP of 1.1.1.1/32 and is in the un-NATed state in the NAT system:
a) If the protocol of the message is the second type of protocol, NAT gateway cluster node 2 forwards the message to the policy routing system in the node;
b) If the protocol of the message is the first type of protocol and the target port is in the range PG5+PG6+PG7+PG8, NAT gateway cluster node 2 performs DNAT once and forwards the DNATed packet to the intranet;
c) If the protocol of the message is the first type of protocol and the target port is in the range PG1+PG2+PG3+PG4, NAT gateway cluster node 2 forwards the packet to the policy routing system in the node, that is, to the policy routing rules in NAT gateway cluster node 2 described below.
The policy routing rules within NAT gateway cluster node 2 are shown in table 10.
TABLE 10
Taking the above as an example, the rule states: the policy routing system of NAT gateway cluster node 2 has three policy routing rules:
1. When a message received by the policy routing system has a target IP segment of 1.1.1.1/32 and its protocol is the second type of protocol, NAT gateway cluster node 2 forwards the message to NAT gateway cluster node 1;
2. When a message received by the policy routing system has a target IP segment of 1.1.1.1/32, its protocol is the first type of protocol, and its target port is in the range PG1+PG2+PG3+PG4, NAT gateway cluster node 2 forwards the message to NAT gateway cluster node 1.
The routing rules within client 1 are shown in table 11.
TABLE 11
Taking the above as an example, the rule states: there are two routing rules in client 1:
1. A data packet with a target IP in 192.168.1.0/24 can be sent directly from the network card to the corresponding target address;
2. A data packet with a target IP in 0.0.0.0/0 must be sent from the network card to the network device at 192.168.1.11 or 192.168.1.12 as the next hop. In this example of the technical solution of the present invention, that is NAT gateway cluster node 1 or NAT gateway cluster node 2.
The routing rules within client 2 are shown in table 12.
TABLE 12
Taking the above as an example, the rule states: there are two routing rules in client 2:
1. A data packet with a target IP in 192.168.1.0/24 can be sent directly from the network card to the corresponding target address;
2. A data packet with a target IP in 0.0.0.0/0 must be sent from the network card to the network device at 192.168.1.11 or 192.168.1.12 as the next hop. In this example of the technical solution of the present invention, that is NAT gateway cluster node 1 or NAT gateway cluster node 2.
The routing rules of the devices connecting the public network and the internal network are shown in table 13.
TABLE 13
Taking the above as an example, the rule states that when a device connecting the public network and the intranet receives a packet with a target IP of 1.1.1.1/32, it forwards the packet to a next-hop device with an IP of 192.168.1.11 or 192.168.1.12.
The workflow of the cluster in normal operation is as follows.
Fig. 3 is a schematic diagram of SNAT-ICMP with few nodes provided in this embodiment. As shown in fig. 3, SNAT-ICMP describes the SNAT process of a second type of protocol on NAT gateway cluster 1:
1. For an echo-request sent by client 1, if the request is sent to NAT gateway cluster node 1, NAT gateway cluster node 1 performs SNAT on it through the NAT system, changes its source address to 1.1.1.1, and forwards it to the public network;
2. For an echo-request sent by client 1, if the request is sent to NAT gateway cluster node 2, NAT gateway cluster node 2 forwards it to NAT gateway cluster node 1 through the NAT system and the policy routing system, and it is forwarded to the public network after being processed as in #1.
Fig. 4 is a schematic diagram of DNAT-ICMP with few nodes provided in this embodiment. As shown in fig. 4, DNAT-ICMP describes the DNAT process of a second type of protocol on NAT gateway cluster 1:
1. For an echo-reply sent in response from the public network, if it is sent to NAT gateway cluster node 1, NAT gateway cluster node 1 performs DNAT on it through the NAT system, changes its target address to 192.168.1.2, and forwards it back to client 1;
2. For an echo-reply sent in response from the public network, if it is sent to NAT gateway cluster node 2, NAT gateway cluster node 2 forwards it to NAT gateway cluster node 1 through the NAT system and the policy routing system, and it is forwarded to the public network after being processed as in #1.
Fig. 5 is a schematic diagram of TCP SNAT/DNAT provided in this embodiment. As shown in fig. 5, it describes the workflow of a first type of protocol on NAT gateway cluster 1:
Request packet of flow1: if NAT gateway cluster node 1 receives a TCP packet with source IP 192.168.1.2 and source port 121, it performs SNAT on the packet, changing the source IP to 1.1.1.1 and the source port to 1024 (selected from PG1), and sends the packet to the public network.
Response packet of flow1: if NAT gateway cluster node 1 receives a TCP packet with target IP 1.1.1.1 and target port 1024, it performs DNAT on the packet, changing the target IP to 192.168.1.2 and the target port to 121, and sends the packet back to the intranet; if NAT gateway cluster node 2 receives a TCP packet with target IP 1.1.1.1 and target port 1024, it forwards the packet to NAT gateway cluster node 1.
Request packet of flow2: if NAT gateway cluster node 2 receives a TCP packet with source IP 192.168.1.3 and source port 132, it performs SNAT on the packet, changing the source IP to 1.1.1.1 and the source port to 49408 (selected from PG7), and sends the packet to the public network.
Response packet of flow2: if NAT gateway cluster node 2 receives a TCP packet with target IP 1.1.1.1 and target port 49408, it performs DNAT on the packet, changing the target IP to 192.168.1.3 and the target port to 132, and sends the packet back to the intranet; if NAT gateway cluster node 1 receives a TCP packet with target IP 1.1.1.1 and target port 49408, it forwards the packet to NAT gateway cluster node 2.
When a cluster is expanding, there are the following rules.
The NAT gateway list is shown in table 14.
TABLE 14
Taking the above as an example, the rule is different compared with the rule in normal operation of the cluster:
the expected node number of the NAT gateway cluster 1 is 4, the current node number is 4, and the state of the cluster is in capacity expansion.
The list of nodes for NAT gateway cluster 1 is shown in table 15.
TABLE 15
Taking the above as an example, the rule is different compared with the rule in normal operation of the cluster:
The two original nodes (during capacity expansion) of NAT gateway cluster 1:
For the first type of protocol, NAT gateway cluster node 1 uses the port group PG1+PG2 as its NAT port range;
For the first type of protocol, NAT gateway cluster node 2 uses the port group PG5+PG6 as its NAT port range;
The two capacity expansion nodes of NAT gateway cluster 1 are:
NAT gateway cluster node 3, whose intranet IP is 192.168.1.13/24; for the first type of protocol it uses the port group PG3+PG4 as its NAT port range, and its state is in capacity expansion;
NAT gateway cluster node 4, whose intranet IP is 192.168.1.14/24; for the first type of protocol it uses the port group PG7+PG8 as its NAT port range, and its state is in capacity expansion.
The SNAT rules within NAT gateway cluster node 1 are shown in table 16.
TABLE 16
Taking the above as an example, the rule is different compared with the rule in normal operation of the cluster:
For first-type data packets with a source IP in 192.168.1.0/24 and a state of un-NATed, NAT gateway cluster node 1 changes the source port range used after SNAT to PG1+PG2 when it performs SNAT on them.
The DNAT rules within NAT gateway cluster node 1 are shown in table 17.
TABLE 17
Taking the above as an example, the rule is different compared with the rule in normal operation of the cluster:
NAT gateway cluster node 1 forwards first-type data packets whose target IP is 1.1.1.1/32, whose state is un-NATed, and whose target port is in the range PG3+PG4 to the policy routing system in the node.
Policy routing rules within NAT gateway cluster node 1:
Taking the above as an example, the rule is different compared with the rule in normal operation of the cluster:
For a first-type packet with a target IP of 1.1.1.1/32 and a state of un-NATed, NAT gateway cluster node 1 acts as follows:
1. If its target port is in the range PG3+PG4, the packet is forwarded to NAT gateway cluster node 3;
2. If its target port is in the range PG7+PG8, the packet is forwarded to NAT gateway cluster node 4.
The SNAT rules within NAT gateway cluster node 2 are shown in table 18.
TABLE 18
Taking the above as an example, the rule is different compared with the rule in normal operation of the cluster:
For first-type data packets with a source IP in 192.168.1.0/24 and a state of un-NATed, NAT gateway cluster node 2 changes the source port range used after SNAT to PG5+PG6 when it performs SNAT on them.
The DNAT rules within NAT gateway cluster node 2 are shown in table 19.
TABLE 19
Taking the above as an example, the rule is different compared with the rule in normal operation of the cluster:
the NAT gateway cluster node 2 forwards the first type of data packets, the target IP of which is 1.1.1.1/32, the state of which is un-NATed, and the target port of which is in the range PG7+ PG8, to a policy routing system in the node.
The policy routing rules within NAT gateway cluster node 2 are shown in table 20.
TABLE 20
Taking the above as an example, the rule is different compared with the rule in normal operation of the cluster:
the NAT gateway cluster node 2 for a first type of packet with a target IP of 1.1.1.1/32 and a state of un-NATed,
1. if its target port is in range PG3+ PG4, forward the packet to NAT gateway cluster node 3;
1. if its target port is in range PG7+ PG8, the packet is forwarded to NAT gateway cluster node 4.
The SNAT rules within NAT gateway cluster node 3 are shown in Table 21.
Table 21 (table image not reproduced)
Compared with the rules in normal cluster operation, the differences are as follows:
NAT gateway cluster node 3 is a newly added node and has three SNAT rules:
1. if the source IP of a message received by the NAT system is in 192.168.1.0/24 and the message is in the NATed state in the NAT system, NAT gateway cluster node 3 uses the existing NATed connection to NAT the packet and forward it to the public network;
2. if the source IP of a message received by the NAT system is in 192.168.1.0/24 and the message is in the un-NATed state in the NAT system:
a) if the protocol of the message is the second type of protocol, NAT gateway cluster node 3 forwards the message to the policy routing system in the node;
b) if the protocol of the message is the first type of protocol, NAT gateway cluster node 3 performs SNAT once, selects an available source port from PG3+PG4, and forwards the SNATed packet to the public network.
The DNAT rules within NAT gateway cluster node 3 are shown in Table 22.
Table 22 (table image not reproduced)
Compared with the rules in normal cluster operation, the differences are as follows:
NAT gateway cluster node 3 is a newly added node, and its NAT system has six DNAT rules:
1. if the target IP of a message received by the NAT system is 1.1.1.1/32 and the message is in the NATed state in the NAT system, NAT gateway cluster node 3 uses the existing NATed connection to NAT the packet and forward it to the internal network;
2. if the target IP of a message received by the NAT system is 1.1.1.1/32 and the message is in the un-NATed state in the NAT system:
a) if the protocol of the message is the second type of protocol, NAT gateway cluster node 3 forwards it to the policy routing system in the node;
b) if the protocol of the message is the first type of protocol and the target port is in the range PG3+PG4, the connection was established before capacity expansion; in this case NAT gateway cluster node 3 forwards the message to the policy routing system in the node according to the old port grouping, that is, the policy routing rules in NAT gateway cluster node 3 described below;
c) if the protocol of the message is the first type of protocol and the target port is within the range PG1+PG2+PG5+PG6+PG7+PG8, NAT gateway cluster node 3 forwards the message to the policy routing system in the node, that is, the policy routing rules in NAT gateway cluster node 3 described below.
The policy routing rules within NAT gateway cluster node 3 are shown in Table 23.
Table 23 (table image not reproduced)
Compared with the rules in normal cluster operation, the differences are as follows:
NAT gateway cluster node 3 is a newly added node, and its policy routing system has four policy routing rules:
1. when the policy routing system receives a message whose target IP segment is 1.1.1.1/32 and whose protocol is the second type of protocol, NAT gateway cluster node 3 forwards the message to NAT gateway cluster node 1;
2. when the policy routing system receives a message whose target IP segment is 1.1.1.1/32, whose protocol is the first type of protocol, and whose target port is in the range PG1+PG2, NAT gateway cluster node 3 forwards the message to NAT gateway cluster node 1;
3. when the policy routing system receives a message whose target IP segment is 1.1.1.1/32, whose protocol is the first type of protocol, and whose target port is in the range PG3+PG4, NAT gateway cluster node 3 forwards the message to NAT gateway cluster node 1;
4. when the policy routing system receives a message whose target IP segment is 1.1.1.1/32, whose protocol is the first type of protocol, and whose target port is in the range PG5+PG6, NAT gateway cluster node 3 forwards the message to NAT gateway cluster node 2;
5. when the policy routing system receives a message whose target IP segment is 1.1.1.1/32, whose protocol is the first type of protocol, and whose target port is in the range PG7+PG8, NAT gateway cluster node 3 forwards the message to NAT gateway cluster node 4.
The SNAT rules within NAT gateway cluster node 4 are shown in Table 24.
Table 24 (table image not reproduced)
Compared with the rules in normal cluster operation, the differences are as follows:
NAT gateway cluster node 4 is a newly added node and has three SNAT rules:
1. if the source IP of a message received by the NAT system is in 192.168.1.0/24 and the message is in the NATed state in the NAT system, NAT gateway cluster node 4 uses the existing NATed connection to NAT the packet and forward it to the public network;
2. if the source IP of a message received by the NAT system is in 192.168.1.0/24 and the message is in the un-NATed state in the NAT system:
a) if the protocol of the message is the second type of protocol, NAT gateway cluster node 4 forwards the message to the policy routing system in the node;
b) if the protocol of the message is the first type of protocol, NAT gateway cluster node 4 performs SNAT once, selects an available source port from PG7+PG8, and forwards the SNATed packet to the public network.
The DNAT rules within NAT gateway cluster node 4 are shown in Table 25.
Table 25 (table image not reproduced)
Compared with the rules in normal cluster operation, the differences are as follows:
NAT gateway cluster node 4 is a newly added node, and its NAT system has six DNAT rules:
1. if the target IP of a message received by the NAT system is 1.1.1.1/32 and the message is in the NATed state in the NAT system, NAT gateway cluster node 4 uses the existing NATed connection to NAT the packet and forward it to the internal network;
2. if the target IP of a message received by the NAT system is 1.1.1.1/32 and the message is in the un-NATed state in the NAT system:
a) if the protocol of the message is the second type of protocol, NAT gateway cluster node 4 forwards it to the policy routing system in the node;
b) if the protocol of the message is the first type of protocol and the target port is in the range PG7+PG8, the connection was established before capacity expansion; in this case NAT gateway cluster node 4 forwards the message to the policy routing system in the node according to the old port grouping, that is, the policy routing rules in NAT gateway cluster node 4 described below;
c) if the protocol of the message is the first type of protocol and the target port is within the range PG1+PG2+PG3+PG4+PG5+PG6, NAT gateway cluster node 4 forwards the message to the policy routing system in the node, that is, the policy routing rules in NAT gateway cluster node 4 described below.
The policy routing rules within NAT gateway cluster node 4 are shown in Table 26.
Table 26 (table image not reproduced)
Compared with the rules in normal cluster operation, the differences are as follows:
NAT gateway cluster node 4 is a newly added node, and its policy routing system has four policy routing rules:
1. when the policy routing system receives a message whose target IP segment is 1.1.1.1/32 and whose protocol is the second type of protocol, NAT gateway cluster node 4 forwards the message to NAT gateway cluster node 1;
2. when the policy routing system receives a message whose target IP segment is 1.1.1.1/32, whose protocol is the first type of protocol, and whose target port is in the range PG1+PG2, NAT gateway cluster node 4 forwards the message to NAT gateway cluster node 1;
3. when the policy routing system receives a message whose target IP segment is 1.1.1.1/32, whose protocol is the first type of protocol, and whose target port is in the range PG3+PG4, NAT gateway cluster node 4 forwards the message to NAT gateway cluster node 3;
4. when the policy routing system receives a message whose target IP segment is 1.1.1.1/32, whose protocol is the first type of protocol, and whose target port is in the range PG5+PG6, NAT gateway cluster node 4 forwards the message to NAT gateway cluster node 2;
5. when the policy routing system receives a message whose target IP segment is 1.1.1.1/32, whose protocol is the first type of protocol, and whose target port is in the range PG7+PG8, NAT gateway cluster node 4 forwards the message to NAT gateway cluster node 1.
The routing rules within client 1 are shown in Table 27.
Table 27 (table image not reproduced)
The table shows that there are two routing rules in client 1:
1. a data packet with a target IP in 192.168.1.0/24 can be sent directly from the network card to the corresponding target address;
2. a data packet with a target IP in 0.0.0.0/0 must be sent from the network card to the network device whose address is 192.168.1.11, 192.168.1.12, 192.168.1.13, or 192.168.1.14 as the next hop. In the example of this technical solution, these are NAT gateway cluster node 1, NAT gateway cluster node 2, NAT gateway cluster node 3, and NAT gateway cluster node 4.
The routing rules within client 2 are shown in Table 28.
Table 28 (table image not reproduced)
The table shows that there are two routing rules in client 2:
1. a data packet with a target IP in 192.168.1.0/24 can be sent directly from the network card to the corresponding target address;
2. a data packet with a target IP in 0.0.0.0/0 must be sent from the network card to the network device whose address is 192.168.1.11, 192.168.1.12, 192.168.1.13, or 192.168.1.14 as the next hop. In the example of this technical solution, these are NAT gateway cluster node 1, NAT gateway cluster node 2, NAT gateway cluster node 3, and NAT gateway cluster node 4.
The routing rules of the devices connecting the public network and the internal network are shown in Table 29.
Table 29 (table image not reproduced)
The rule shows that, when it receives a packet with a target IP of 1.1.1.1/32, a device connecting the public network and the intranet forwards the packet to a next-hop device whose IP is 192.168.1.11, 192.168.1.12, 192.168.1.13, or 192.168.1.14.
The routing rules of the devices connecting the public network and the internal network are shown in Table 30.
Table 30 (table image not reproduced)
The rule shows that, when it receives a packet with a target IP of 1.1.1.1/32, a device connecting the public network and the intranet forwards the packet to a next-hop device whose IP is 192.168.1.11, 192.168.1.12, 192.168.1.13, or 192.168.1.14.
Workflow during cluster capacity expansion:
Fig. 6 is a schematic diagram of "multi-node, SNAT-ICMP" provided in this embodiment. As shown in Fig. 6, it describes the SNAT process of the second type of protocol on NAT gateway cluster 1:
1. For an echo-request sent by client 1, if the request is sent to NAT gateway cluster node 1, NAT gateway cluster node 1 performs SNAT on it through the NAT system, changes its source address to 1.1.1.1, and forwards it to the public network;
2. For an echo-request sent by client 1, if the request is sent to NAT gateway cluster node 2, NAT gateway cluster node 3, or NAT gateway cluster node 4, that node forwards the request to NAT gateway cluster node 1 through the NAT system and the policy routing system, and the request is forwarded to the public network after being processed as in step 1.
Fig. 7 is a schematic diagram of "multi-node, DNAT-ICMP" provided in this embodiment. As shown in Fig. 7, it describes the DNAT process of the second type of protocol on NAT gateway cluster 1:
1. For an echo-reply sent in response by the public network, if the reply is sent to NAT gateway cluster node 1, NAT gateway cluster node 1 performs DNAT on it through the NAT system, changes its target address to 192.168.1.2, and forwards it back to client 1;
2. For an echo-reply sent in response by the public network, if the reply is sent to NAT gateway cluster node 2, NAT gateway cluster node 3, or NAT gateway cluster node 4, that node forwards it to NAT gateway cluster node 1 through the NAT system and the policy routing system, and it is forwarded to the public network after being processed as in step 1.
Fig. 8 is a schematic diagram of "capacity expansion, SNAT-NATed" provided in this embodiment. As shown in Fig. 8, it describes the SNAT process of the first type of protocol on NAT gateway cluster 1 when the connection state is NATed:
flow1: when flow1 is sent to NAT gateway cluster node 1, because the flow is in the NATed state in the node, NAT gateway cluster node 1 uses the existing NAT information and continues to perform SNAT on it; its source IP becomes 1.1.1.1 and its source port becomes 1024 (looked up in the NAT system), and it is sent to the public network;
flow2: when flow2 is sent to NAT gateway cluster node 2, because the flow is in the NATed state in the node, NAT gateway cluster node 2 uses the existing NAT information and continues to perform SNAT on it; its source IP becomes 1.1.1.1 and its source port becomes 49408 (looked up in the NAT system, although PG7, to which port 49408 belongs, is currently allocated to NAT gateway cluster node 4), and it is sent to the public network.
Fig. 9 is a schematic diagram of "capacity expansion, SNAT-unNATed, original node (during expansion)" provided in this embodiment. As shown in Fig. 9, it describes the workflow when uplink traffic of the first type of protocol on NAT gateway cluster 1, with a connection state of un-NATed, is sent to an original node (during expansion):
flow3: if NAT gateway cluster node 1 receives a TCP data packet with source IP 192.168.1.2 and source port 123, then after SNAT its source IP becomes 1.1.1.1 and its source port becomes 1025 (selected from PG1; port 1024 is occupied by flow1), and it is sent to the public network;
flow4: if NAT gateway cluster node 1 receives a TCP data packet with source IP 192.168.1.3 and source port 134, then after SNAT its source IP becomes 1.1.1.1 and its source port becomes 41344 (selected from PG6), and it is sent to the public network.
Fig. 10 is a schematic diagram of "capacity expansion, SNAT-unNATed, expansion node" provided in this embodiment. As shown in Fig. 10, it describes the workflow when uplink traffic of the first type of protocol on NAT gateway cluster 1, with a connection state of un-NATed, is sent to an original node (during expansion):
flow5: if NAT gateway cluster node 3 receives a TCP data packet with source IP 192.168.1.2 and source port 125, then after SNAT its source IP becomes 1.1.1.1 and its source port becomes 17152 (selected from PG3), and it is sent to the public network;
flow6: if NAT gateway cluster node 4 receives a TCP data packet with source IP 192.168.1.3 and source port 136, then after SNAT its source IP becomes 1.1.1.1 and its source port becomes 49409 (selected from PG7; port 49408 is occupied by flow2), and it is sent to the public network.
Fig. 11 is a schematic diagram of "capacity expansion, DNAT-NATed" provided in this embodiment. As shown in Fig. 11, it describes the DNAT workflow for downlink traffic of the first type of protocol on NAT gateway cluster 1 when the connection state is NATed:
flow1: if NAT gateway cluster node 1 receives a TCP data packet with target IP 1.1.1.1 and target port 1024, then because the flow is in the NATed state in NAT gateway cluster node 1, the node looks up the existing NAT information directly; after DNAT the target IP becomes 192.168.1.2 and the target port becomes 121, and the packet is sent back to the internal network;
flow2: if NAT gateway cluster node 2 receives a TCP data packet with target IP 1.1.1.1 and target port 49408, then because the flow is in the NATed state in NAT gateway cluster node 2, the node looks up the existing NAT information directly; after DNAT the target IP becomes 192.168.1.2 and the target port becomes 132 (although PG7, to which port 49408 belongs, has been assigned to NAT gateway cluster node 4), and the packet is sent back to the intranet.
Fig. 12 is a schematic diagram of "capacity expansion, DNAT-unNATed, local node port, expansion node" provided in this embodiment. As shown in Fig. 12, it describes the DNAT workflow for downlink traffic of the first type of protocol when the target port of a packet received by an expansion node of NAT gateway cluster 1 is a local node port but the connection state recorded in the node is un-NATed:
flow2: if NAT gateway cluster node 4 receives a TCP data packet with target IP 1.1.1.1 and target port 49408, then although PG7, to which port 49408 belongs, belongs to the current node, the connection is in the un-NATed state in NAT gateway cluster node 4. This indicates that it is an old connection created before capacity expansion, so the packet must be sent back to the corresponding node, that is, NAT gateway cluster node 2, which processes it and sends it back to the intranet.
Fig. 13 is a schematic diagram of "capacity expansion, DNAT-unNATed, non-local node port, original node (during expansion)" provided in this embodiment. As shown in Fig. 13, it describes the DNAT workflow for downlink traffic when an original node of NAT gateway cluster 1 (during expansion) receives a packet whose target port is not a local node port and whose connection state is un-NATed:
flow1: if NAT gateway cluster node 2 receives a TCP data packet with target IP 1.1.1.1 and target port 1024, it sends the packet back to the corresponding node, that is, NAT gateway cluster node 1, which processes it and sends it back to the internal network.
Fig. 14 is a schematic diagram of "capacity expansion, DNAT-unNATed, non-local node port, expansion node" provided in this embodiment. As shown in Fig. 14, it describes the DNAT workflow for downlink traffic of the first type of protocol when an expansion node of NAT gateway cluster 1 receives a packet whose target port is a non-local node port and whose connection state is un-NATed:
flow1: if NAT gateway cluster node 3 or NAT gateway cluster node 4 receives a TCP data packet with target IP 1.1.1.1 and target port 1024, it sends the packet back to the corresponding node, that is, NAT gateway cluster node 1, which processes it and sends it back to the internal network.
When cluster capacity reduction is performed, the following rules are applied:
The NAT gateway list is shown in Table 31.
Table 31 (table image not reproduced)
Compared with the rules in normal cluster operation, the differences are as follows:
The expected node number of NAT gateway cluster 1 is 1, the current node number is 2, and the cluster is in the capacity reduction state.
The list of nodes for NAT gateway cluster 1 is shown in Table 32.
Table 32 (table image not reproduced)
Compared with the rules in normal cluster operation, the differences are as follows. NAT gateway cluster 1 has two nodes:
NAT gateway cluster node 1 has an IP of 192.168.1.11/24 and, for the first type of protocol, uses the port groups PG1+PG2+PG3+PG4+PG5+PG6+PG7+PG8 as its NAT port range;
NAT gateway cluster node 2 is in the capacity reduction state, i.e., the node no longer performs any active SNAT.
The SNAT rules within NAT gateway cluster node 1 are shown in Table 33.
Table 33 (table image not reproduced)
Compared with the rules in normal cluster operation, the differences are as follows:
When NAT gateway cluster node 1 performs SNAT on first-type data packets with a source IP of 192.168.1.0/24 and a state of un-NATed, it changes the source port range after SNAT to PG1+PG2+PG3+PG4+PG5+PG6+PG7+PG8.
The DNAT rules within NAT gateway cluster node 1 are shown in Table 34.
Table 34 (table image not reproduced)
The rules are unchanged compared with normal operation of the cluster.
Note: the two DNAT rules with a target IP segment of 1.1.1.1/32, a connection state of un-NATed, the first type of protocol as the matching protocol, and target ports in the ranges PG5+PG6 and PG7+PG8 indicate that the data packet belongs to an old connection established before the capacity reduction. In that case the data packet is handled according to the old port grouping and forwarded through the policy routing system (the policy routing rules in NAT gateway cluster node 1 described below) to the node being reduced (that is, NAT gateway cluster node 2).
The policy routing rules within NAT gateway cluster node 1 are shown in Table 35.
Table 35 (table image not reproduced)
The rules are unchanged compared with normal operation of the cluster.
Note: the policy routing rules ensure that connections established before the capacity reduction are not interrupted during the reduction process.
The SNAT rules within NAT gateway cluster node 2 are shown in Table 36.
Table 36 (table image not reproduced)
Compared with the rules in normal cluster operation, the differences are as follows:
NAT gateway cluster node 2 forwards first-type data packets with a source IP of 192.168.1.0/24 and a state of un-NATed to the policy routing system in the node. This difference indicates that NAT gateway cluster node 2, the node being reduced, no longer accepts any new active SNAT connections.
The DNAT rules within NAT gateway cluster node 2 are shown in Table 37.
Table 37 (table image not reproduced)
Compared with the rules in normal cluster operation, the differences are as follows:
NAT gateway cluster node 2 forwards first-type data packets whose target IP is 1.1.1.1/32, whose state is un-NATed, and whose target port is in PG5+PG6+PG7+PG8 to the policy routing system in the node. This rule change indicates that the node being reduced no longer accepts SNAT for new connections.
The policy routing rules within NAT gateway cluster node 2 are shown in Table 38.
Table 38
Compared with the rules in normal cluster operation, the differences are as follows:
For a first-type data packet with a source IP segment of 192.168.1.0/24, NAT gateway cluster node 2 forwards the packet to NAT gateway cluster node 1. This difference indicates that NAT gateway cluster node 2, the node being reduced, no longer accepts any new active SNAT connections;
For a first-type data packet with a target IP of 1.1.1.1/32, NAT gateway cluster node 2 forwards the packet to NAT gateway cluster node 1 if its target port is in the range PG5+PG6+PG7+PG8.
The routing rules within client 1 are shown in Table 39.
Table 39 (table image not reproduced)
The table shows that there are two routing rules in client 1:
1. a data packet with a target IP in 192.168.1.0/24 can be sent directly from the network card to the corresponding target address;
2. a data packet with a target IP in 0.0.0.0/0 must be sent from the network card to the network device whose address is 192.168.1.11 as the next hop. In this embodiment of the present invention, that device is NAT gateway cluster node 1.
The routing rules within client 2 are shown in Table 40.
Table 40 (table image not reproduced)
The table shows that there are two routing rules in client 2:
1. a data packet with a target IP in 192.168.1.0/24 can be sent directly from the network card to the corresponding target address;
2. a data packet with a target IP in 0.0.0.0/0 must be sent from the network card to the network device whose address is 192.168.1.11 as the next hop. In this embodiment of the present invention, that device is NAT gateway cluster node 1.
The routing rule of the device connecting the public network and the internal network is shown in Table 41.
Table 41 (table image not reproduced)
The rule shows that, when it receives a packet with a target IP of 1.1.1.1/32, the device connecting the public network and the intranet forwards the packet to a next-hop device whose IP is 192.168.1.11 or 192.168.1.12.
Note: because NAT gateway cluster node 2 is still in the capacity reduction state, the next hop for 1.1.1.1/32 on the device connecting the public network and the intranet still contains the IP 192.168.1.12. Only when NAT gateway cluster node 2 is in the capacity reduction state and can be destroyed does the device connecting the public network and the intranet need to remove 192.168.1.12.
Workflow during cluster capacity reduction:
The change in handling of the second type of protocol during capacity reduction, that is, the change from multiple nodes to fewer nodes, can be seen by comparing the figure "multi-node, SNAT-ICMP" with the figure "fewer nodes, SNAT-ICMP", and the figure "multi-node, DNAT-ICMP" with the figure "fewer nodes, DNAT-ICMP"; it is not described again here.
Fig. 14 is a schematic diagram of "capacity reduction, SNAT-NATed" provided in this embodiment. As shown in Fig. 14, it describes the workflow of the first type of protocol when NAT gateway cluster 1 receives uplink traffic whose state in the NAT system is NATed:
flow1: when flow1 is sent to NAT gateway cluster node 1, because the flow is in the NATed state in the node, NAT gateway cluster node 1 uses the existing NAT information and continues to perform SNAT on it; its source IP becomes 1.1.1.1 and its source port becomes 1024 (looked up in the NAT system), and it is sent to the public network;
flow2: when flow2 is sent to NAT gateway cluster node 2, because the flow is in the NATed state in the node, NAT gateway cluster node 2 uses the existing NAT information and continues to perform SNAT on it; its source IP becomes 1.1.1.1 and its source port becomes 49408 (looked up in the NAT system, although NAT gateway cluster node 2 is already in the capacity reduction state and has no port group allocated), and it is sent to the public network.
Fig. 15 is a schematic diagram of "capacity reduction, SNAT-unNATed, reserved node (during reduction)" provided in this embodiment. Fig. 15 illustrates the workflow of the first type of protocol when the reserved node of NAT gateway cluster 1 (during reduction) receives uplink traffic whose state in the NAT system is un-NATed:
flow7: if NAT gateway cluster node 1 receives a TCP data packet with source IP 192.168.1.2 and source port 127, then after SNAT its source IP becomes 1.1.1.1 and its source port becomes 1025 (selected from PG1; port 1024 is occupied by flow1), and it is sent to the public network.
Fig. 16 is a schematic diagram of "capacity reduction, SNAT-unNATed, reduction node" provided in this embodiment. As shown in Fig. 16, it describes the workflow of the first type of protocol when the node being reduced in NAT gateway cluster 1 receives uplink traffic whose state in the NAT system is un-NATed:
flow8: if NAT gateway cluster node 2 receives a TCP data packet with source IP 192.168.1.3 and source port 138, then because the flow is in the un-NATed state in the NAT system of NAT gateway cluster node 2 and NAT gateway cluster node 2 is in capacity reduction, the NAT gateway cluster node 1 does not allocate any port group for the packet, so NAT gateway cluster node 2 must forward the packet to NAT gateway cluster node 1. NAT gateway cluster node 1 performs SNAT on the packet: the source IP becomes 1.1.1.1 and the source port becomes 57472 (an unoccupied port is selected at random; port 57472 of PG8 is taken as the example here), and the packet is sent to the public network.
Fig. 17 is a schematic diagram of "capacity reduction, DNAT-NATed" provided in this embodiment. As shown in Fig. 17, it describes the workflow of the first type of protocol when NAT gateway cluster 1 receives downlink traffic whose state in the NAT system is NATed:
flow1: if NAT gateway cluster node 1 receives a TCP data packet with target IP 1.1.1.1 and target port 1024, then because the flow is in the NATed state in NAT gateway cluster node 1, the node looks up the existing NAT information directly; after DNAT the target IP becomes 192.168.1.2 and the target port becomes 121, and the packet is sent back to the internal network;
flow2: if NAT gateway cluster node 2 receives a TCP data packet with target IP 1.1.1.1 and target port 49408, then because the flow is in the NATed state in NAT gateway cluster node 2, the node looks up the existing NAT information directly; after DNAT the target IP becomes 192.168.1.2 and the target port becomes 132 (although PG7, to which port 49408 belongs, has been assigned to NAT gateway cluster node 1), and the packet is sent back to the intranet.
Fig. 18 is a schematic diagram of the abbreviated, DNAT-unated-local node port (during abbreviated) reservation node provided in this embodiment, and as shown in fig. 18, describes a working flow of the first type protocol when the reservation node (during abbreviated) in the NAT gateway cluster 1 receives downlink traffic in the NAT system and the state is un-NATed:
flow 2. if NAT gateway cluster node 1 receives a packet with a TCP packet protocol, a target IP of 1.1.1.1 and a target port of 49408, although the port group PG7 to which the target port 49408 belongs is already currently allocated to NAT gateway cluster node 1, because the flow is in an un-NATed state at NAT gateway cluster node 1, it indicates that the flow is a connection established before the contraction, and it needs to be forwarded to NAT gateway cluster node 2 according to the old packet, and NAT gateway cluster node 2 performs DNAT on it and sends back to the intranet.
Fig. 19 is a schematic diagram of the abbreviated, DNAT-unanted-non-local node port and the abbreviated node provided in this embodiment, and as shown in fig. 19, describes a working flow of the first type protocol when the abbreviated node in the NAT gateway cluster 1 receives downlink traffic in the NAT system, where the state is un-NATed:
flow1, if NAT gateway cluster node 2 receives the data packet with TCP data packet, target IP 1.1.1, target port 1024, it will forward the flow to NAT gateway cluster node 1 according to the new packet, and NAT gateway cluster node 1 will do DNAT to it and send back to the intranet.
It should be noted that, the DNAT-unanted-non-local node port (during the contraction) reserved node, that is, the working flow of the first type protocol when the reserved node (during the contraction) of the NAT gateway cluster 1 receives the downlink traffic in the NAT system and the state of the received downlink traffic is un-NATed, is consistent with the contraction, the DNAT-unanted-non-local node port, and the contraction node, which is not described herein again.
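The downlink flows described above for a cluster under contraction (existing NAT state wins, a local port without state follows the old port grouping, a non-local port follows the new one) are shown below as an added Python example that is not part of the patent. Assumptions: port groups PG1..PG8 of 8064 ports starting at port 1024 (consistent with port 49408 belonging to PG7), the ownership of every group other than PG7, the private endpoint behind port 1024, and the `no_state` outcome with its one-forward limit, none of which the page states.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumption: eight port groups PG1..PG8 of 8064 ports each, starting at 1024.
# The page only states that port 49408 belongs to PG7.
PORT_BASE = 1024
GROUP_SIZE = 8064


def port_group(port: int) -> int:
    """Map a public port to its 1-based port group number."""
    if not PORT_BASE <= port <= 65535:
        raise ValueError(f"port {port} is outside the allocatable range")
    return (port - PORT_BASE) // GROUP_SIZE + 1


@dataclass(frozen=True)
class Decision:
    action: str                                # dnat | forward_old | forward_new | no_state
    next_hop: Optional[int] = None             # peer node id when forwarding
    target: Optional[Tuple[str, int]] = None   # private (ip, port) after DNAT


@dataclass
class Node:
    node_id: int
    # (protocol, public port) -> private (ip, port): this node's local NAT state
    nat_table: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)

    def decide_downlink(self, proto: str, dst_port: int,
                        old_owner: Dict[int, int],
                        new_owner: Dict[int, int]) -> Decision:
        """First-type downlink decision on one node during contraction."""
        entry = self.nat_table.get((proto, dst_port))
        if entry is not None:
            # NATed: existing state wins, even if the port group has moved away.
            return Decision("dnat", target=entry)
        pg = port_group(dst_port)
        if new_owner[pg] != self.node_id:
            # un-NATed, non-local port: follow the new port grouping.
            return Decision("forward_new", next_hop=new_owner[pg])
        if old_owner[pg] != self.node_id:
            # un-NATed, local port gained in the regrouping: the connection
            # predates the contraction, so follow the old port grouping.
            return Decision("forward_old", next_hop=old_owner[pg])
        # Local before and after with no state: not covered by the page's flows.
        return Decision("no_state")


def trace(nodes: Dict[int, Node], first: int, proto: str, dst_port: int,
          old_owner: Dict[int, int], new_owner: Dict[int, int],
          max_forwards: int = 1) -> Tuple[List[int], Decision]:
    """Follow a packet through the cluster; returns (path, final decision).

    The forward limit is this example's own guard, not something the page
    describes: each flow on the page crosses at most one inter-node hop.
    """
    path = [first]
    while True:
        decision = nodes[path[-1]].decide_downlink(proto, dst_port,
                                                   old_owner, new_owner)
        if decision.next_hop is None:
            return path, decision
        if len(path) > max_forwards:
            return path, Decision("no_state")
        path.append(decision.next_hop)


# Constructed two-node contraction in which node 2 is being removed. Only PG7's
# move from node 2 to node 1 and the 192.168.1.2:132 mapping come from the page.
OLD_OWNER = {pg: (1 if pg <= 4 else 2) for pg in range(1, 9)}
NEW_OWNER = {pg: 1 for pg in range(1, 9)}
NODES = {
    1: Node(1, {("tcp", 1024): ("192.168.1.3", 5000)}),   # constructed mapping
    2: Node(2, {("tcp", 49408): ("192.168.1.2", 132)}),   # mapping from the page
}

if __name__ == "__main__":
    for start, port in [(2, 49408), (1, 49408), (2, 1024), (1, 50000)]:
        print(start, port, trace(NODES, start, "tcp", port, OLD_OWNER, NEW_OWNER))
```

The last sample packet (port 50000, no NAT state on either node) is constructed to exercise the case in which neither grouping leads to a node holding state for the flow.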
In an embodiment, Fig. 20 is a schematic structural diagram of a message processing apparatus according to an embodiment of the present invention, which is applicable to a case where a gateway cluster processes a message, and the apparatus may be implemented in software and/or hardware.
As shown in fig. 20, the message processing apparatus provided in the embodiment of the present invention mainly includes:
a message dividing module 51, configured to divide a message to be processed into a first type of message and a second type of message;
the first processing module 52 is configured to perform Network Address Translation (NAT) on the first type of packet, and then perform packet forwarding processing on the first type of packet by using a first policy through the NAT gateway cluster;
and the second processing module 53 is configured to, after performing NAT on the second type of packet, perform packet forwarding processing on the second type of packet by using a second policy through the NAT gateway cluster.
The message processing device provided in the above embodiment divides the message to be processed into the first type of message and the second type of message; after the first type of message is subjected to Network Address Translation (NAT), the first type of message is subjected to message forwarding processing by adopting a first strategy through an NAT gateway cluster; and after NAT is carried out on the second type of message, a second strategy is adopted to carry out message forwarding processing on the second type of message through the NAT gateway cluster. According to the technical scheme provided by the embodiment of the application, the message is split into the first type and the second type, different forwarding strategies are processed aiming at the two types of messages, the current flow of an SNAT cluster is ensured not to be interrupted in the expansion process, and the state synchronization among the clusters is not needed.
Further, dividing the messages to be processed into first-type messages and second-type messages includes: dividing the messages to be processed into first-type messages and second-type messages through the layered model of the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol stack.
Further, under the condition that the NAT gateway cluster normally operates, performing packet forwarding processing on the first type by using a first policy through the NAT gateway cluster, including: when the first type of message is active uplink flow and the connection state in the NAT system in the node is a first state, keeping the existing source address conversion SNAT through the node and forwarding the first type of message to a public network; when the first type of message is active uplink flow and the connection state in an NAT system in the node is a second state, the node performs SNAT on the first type of message through the NAT system and forwards the first type of message to a public network; when the first type of message is passive downlink flow and the connection state in the NAT system in the node is a first state, keeping the existing source address conversion SNAT through the node and forwarding the first type of message to a public network; and when the first type of message is passive downlink flow and the connection state in the NAT system in the node is a second state, if the target port of the first type of message is not in the port range allocated by the node, the first type of message is forwarded to the corresponding cluster node according to the division of the port group after passing through the policy routing system by the node.
Further, the performing, by the NAT gateway cluster, packet forwarding processing on the second type by using a second policy under the condition that the NAT gateway cluster normally operates or the NAT gateway cluster is in the capacity expansion or capacity reduction includes: when the second type of message is active uplink flow and the connection state in the NAT system in the node is a first state, keeping the existing source address translation SNAT through the node and forwarding the second type of message to the public network; when the second type of message is active uplink flow and the connection state in the NAT system in the node is a second state, if the first node receives the second type of message, the first node performs SNAT on the second type of message through the NAT system, and forwards the second type of message to the public network; and if other nodes except the first node receive the second type of message, the other nodes forward the second type of message to the first node after passing through a policy routing system.
Further, under the condition that the NAT gateway cluster normally operates, performing packet forwarding processing on the second type by using a second policy through the NAT gateway cluster, including: when the second type of message is passive downlink flow and the connection state in the NAT system in the node is a first state, keeping the existing destination address translation DNAT through the node and forwarding the second type of message to the intranet; when the second type of message is passive downlink flow and the connection state in the NAT system in the node is a second state, if the first node receives the second type of message, the first node carries out DNAT on the second type of message through the NAT system, and then forwards the second type of message to the intranet; and if other nodes except the first node receive the second type of message, the other nodes forward the second type of message to the first node after passing through a policy routing system.
Further, under the condition that the NAT gateway cluster is expanded or contracted, the forwarding processing of the first type of packet is performed by the NAT gateway cluster by using a first policy, including: when the first type of message is active uplink flow and the connection state in the NAT system in the node is a first state, keeping the existing SNAT through the node and forwarding the first type of message to a public network; when the first type of message is active uplink flow and the connection state in an NAT system in a node is a second state, if an original node or a reserved node receives the first type of message, the SNAT is carried out on the first type of message through the NAT system by the original node or the reserved node, and then the first type of message is forwarded to a public network; when the first type of message is active uplink flow and the connection state in an NAT system in a node is a second state, if the first type of message is received by the capacity expansion node, the first type of message is forwarded to a public network after the first type of message passes through the NAT system for SNAT through the capacity expansion node; and if the first type of message is active uplink flow and the connection state in the NAT system in the node is a second state, forwarding the first type of message to the corresponding cluster node through the capacity reduction node according to the division of the new port group if the capacity reduction node receives the first type of message.
Further, under the condition that the NAT gateway cluster is expanded or contracted, the forwarding processing of the first type of packet is performed by the NAT gateway cluster by using a first policy, including: when the first type of message is passive downlink flow and the connection state in the NAT system in the node is a first state, the node keeps the existing DNAT and forwards the second type of message to the intranet; when the first type of message is passive downlink flow and the connection state in the NAT system in the node is a first state, if a target port corresponding to the first type of message is in a node distribution port range and the node is a capacity expansion node or a reserved node, forwarding the first type of message to the corresponding node through the node according to an old port group; and when the first type of message is passive downlink flow and the connection state in the NAT system in the node is a first state, if the target port corresponding to the first type of message is not in the range of the node allocated port, forwarding the first type of message to the corresponding node through the node according to the new port grouping.
The message processing device provided by the embodiment of the invention can execute the message processing method provided by any embodiment of the invention, and has the corresponding functional module and beneficial effect of the execution method.
Fig. 21 is a schematic structural diagram of an apparatus according to an embodiment of the present invention, as shown in fig. 21, the apparatus includes a processor 610, a memory 620, an input device 630, and an output device 640; the number of processors 610 in the device may be one or more, and one processor 610 is taken as an example in fig. 21; the processor 610, the memory 620, the input device 630 and the output device 640 in the apparatus may be connected by a bus or other means, and the connection by the bus is exemplified in fig. 21.
The memory 620, which is a computer-readable storage medium, may be used to store software programs, computer-executable programs, and modules. The processor 610 executes various functional applications of the device and data processing by executing software programs, instructions and modules stored in the memory 620, that is, implements the message processing method described above.
The memory 620 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created according to the use of the terminal, and the like. Further, the memory 620 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some examples, the memory 620 can further include memory located remotely from the processor 610, which can be connected to the device over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device 630 may be used to receive input numeric or character information and generate key signal inputs related to user settings and function controls of the device. The output device 640 may include a display device such as a display screen.
An embodiment of the present invention further provides a storage medium containing computer-executable instructions, where the computer-executable instructions are executed by a computer processor to perform a message processing method, and the method includes:
dividing messages to be processed into first-class messages and second-class messages;
after the first type of message is subjected to Network Address Translation (NAT), the first type of message is subjected to message forwarding processing by adopting a first strategy through an NAT gateway cluster;
and after NAT is carried out on the second type of message, a second strategy is adopted to carry out message forwarding processing on the second type of message through the NAT gateway cluster.
Of course, the storage medium provided by the embodiment of the present invention includes computer-executable instructions, and the computer-executable instructions are not limited to the method operations described above, and may also perform related operations in the message processing method provided by any embodiment of the present invention.
From the above description of the embodiments, it is obvious for those skilled in the art that the present invention can be implemented by software and necessary general hardware, and certainly, can also be implemented by hardware, but the former is a better embodiment in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which can be stored in a computer-readable storage medium, such as a floppy disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a FLASH Memory (FLASH), a hard disk or an optical disk of a computer, and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device) to execute the methods according to the embodiments of the present invention.
It should be noted that, in the embodiment of the message processing apparatus, each unit and each module included in the embodiment are only divided according to functional logic, but are not limited to the above division, as long as the corresponding function can be implemented; in addition, specific names of the functional units are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the present invention.
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims (10)

1. A message processing method is characterized by comprising the following steps:
dividing messages to be processed into first-class messages and second-class messages;
after the first type of message is subjected to Network Address Translation (NAT), the first type of message is subjected to message forwarding processing by adopting a first strategy through an NAT gateway cluster;
and after NAT is carried out on the second type of message, a second strategy is adopted to carry out message forwarding processing on the second type of message through the NAT gateway cluster.
2. The method of claim 1, wherein the classifying the packets to be processed into a first type of packet and a second type of packet comprises:
the messages to be processed are divided into first-type messages and second-type messages through the layered model of the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol stack.
3. The method according to claim 1, wherein, in a case where the NAT gateway cluster is operating normally, performing packet forwarding processing on the first type by using a first policy through the NAT gateway cluster includes:
when the first type of message is active uplink flow and the connection state in the NAT system in the node is a first state, keeping the existing source address conversion SNAT through the node and forwarding the first type of message to a public network;
when the first type of message is active uplink flow and the connection state in an NAT system in the node is a second state, the node performs SNAT on the first type of message through the NAT system and forwards the first type of message to a public network;
when the first type of message is passive downlink flow and the connection state in the NAT system in the node is a first state, keeping the existing source address conversion SNAT through the node and forwarding the first type of message to a public network;
and when the first type of message is passive downlink flow and the connection state in the NAT system in the node is a second state, if the target port of the first type of message is not in the port range allocated by the node, the first type of message is forwarded to the corresponding cluster node according to the division of the port group after passing through the policy routing system by the node.
4. The method of claim 1, wherein, when the NAT gateway cluster is operating normally or the NAT gateway cluster is being expanded or contracted, performing packet forwarding processing on the second type by using a second policy through the NAT gateway cluster includes:
when the second type of message is active uplink flow and the connection state in the NAT system in the node is a first state, keeping the existing source address translation SNAT through the node and forwarding the second type of message to the public network;
when the second type of message is active uplink flow and the connection state in the NAT system in the node is a second state, if the first node receives the second type of message, the first node performs SNAT on the second type of message through the NAT system, and forwards the second type of message to the public network; and if other nodes except the first node receive the second type of message, the other nodes forward the second type of message to the first node after passing through a policy routing system.
5. The method of claim 1, wherein, when the NAT gateway cluster is operating normally, performing packet forwarding processing on the second type by using a second policy through the NAT gateway cluster includes:
when the second type of message is passive downlink flow and the connection state in the NAT system in the node is a first state, keeping the existing destination address translation DNAT through the node and forwarding the second type of message to the intranet;
when the second type of message is passive downlink flow and the connection state in the NAT system in the node is a second state, if the first node receives the second type of message, the first node carries out DNAT on the second type of message through the NAT system, and then forwards the second type of message to the intranet; and if other nodes except the first node receive the second type of message, the other nodes forward the second type of message to the first node after passing through a policy routing system.
6. The method of claim 1, wherein the performing, by the NAT gateway cluster, packet forwarding processing on the first type using a first policy under the condition that the NAT gateway cluster is expanded or contracted includes:
when the first type of message is active uplink flow and the connection state in the NAT system in the node is a first state, keeping the existing SNAT through the node and forwarding the first type of message to a public network;
when the first type of message is active uplink flow and the connection state in an NAT system in a node is a second state, if an original node or a reserved node receives the first type of message, the SNAT is carried out on the first type of message through the NAT system by the original node or the reserved node, and then the first type of message is forwarded to a public network;
when the first type of message is active uplink flow and the connection state in an NAT system in a node is a second state, if the first type of message is received by the capacity expansion node, the first type of message is forwarded to a public network after the first type of message passes through the NAT system for SNAT through the capacity expansion node;
and if the first type of message is active uplink flow and the connection state in the NAT system in the node is a second state, forwarding the first type of message to the corresponding cluster node through the capacity reduction node according to the division of the new port group if the capacity reduction node receives the first type of message.
7. The method of claim 1, wherein the performing, by the NAT gateway cluster, packet forwarding processing on the first type using a first policy under the condition that the NAT gateway cluster is expanded or contracted includes:
when the first type of message is passive downlink flow and the connection state in the NAT system in the node is a first state, the node keeps the existing DNAT and forwards the second type of message to the intranet;
when the first type of message is passive downlink flow and the connection state in the NAT system in the node is a first state, if a target port corresponding to the first type of message is in a node distribution port range and the node is a capacity expansion node or a reserved node, forwarding the first type of message to the corresponding node through the node according to an old port group;
and when the first type of message is passive downlink flow and the connection state in the NAT system in the node is a first state, if the target port corresponding to the first type of message is not in the range of the node allocated port, forwarding the first type of message to the corresponding node through the node according to the new port grouping.
8. A message processing apparatus, comprising:
the message dividing module is used for dividing the message to be processed into a first type message and a second type message;
the first processing module is used for performing Network Address Translation (NAT) on a first type of message, and then performing message forwarding processing on the first type of message by adopting a first strategy through an NAT gateway cluster;
and the second processing module is used for performing NAT on the second type message and then performing message forwarding processing on the second type message by adopting a second strategy through the NAT gateway cluster.
9. An apparatus, characterized in that the apparatus comprises:
one or more processors;
a memory for storing one or more programs;
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the message processing method of any of claims 1-7.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out a message processing method according to any one of claims 1 to 7.
CN202010952900.1A 2020-09-11 2020-09-11 Message processing method, device, equipment and storage medium Active CN112087533B (en)


Publications (2)

Publication Number Publication Date
CN112087533A true CN112087533A (en) 2020-12-15
CN112087533B CN112087533B (en) 2023-05-09

Family

ID=73736657



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 100000 Unit 501A, Floor 5, 101, Building 1, Yard 5, Laiguangying West Road, Chaoyang District, Beijing

Applicant after: Beijing Qingyun Science and Technology Co.,Ltd.

Address before: 100020 601, 6 floor, 16 building, No. 36 Chuang Yuan Road, Chaoyang District, Beijing.

Applicant before: Beijing Qingyun Science and Technology Co.,Ltd.

GR01 Patent grant