CN112637374B - Method, device and equipment for processing converted address and computer readable storage medium


Info

Publication number
CN112637374B
Authority
CN
China
Legal status
Active
Application number
CN202011484004.3A
Other languages
Chinese (zh)
Other versions
CN112637374A (en)
Inventor
刘世贞
Current Assignee
Hangzhou DPTech Technologies Co Ltd
Original Assignee
Hangzhou DPTech Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/25 Mapping addresses of the same type
    • H04L 61/2503 Translation of Internet protocol [IP] addresses
    • H04L 61/50 Address allocation
    • H04L 61/5053 Lease time; Renewal aspects

Abstract

The application provides a method for processing a translated address, comprising the following steps: after a source NAT operation is performed on a target packet, the translated source address of the target packet is obtained and used as the target source address; if the target source address is currently not within its valid-state effective time interval, the valid-state effective time interval set for the target source address is cleared; if the session connection of the target packet is an invalid connection, the connection is unreachable, a translated source address is reselected for the target packet, and an invalid-state effective time interval is set for the target source address, so that within that interval the target source address is prohibited from being used as the translated source address of the target packet and of other packets with the same destination address. Because the target source address is invalidated only intermittently, the impact of frequent timer events on the performance of the security device is avoided, and the method adapts to a network environment that actually changes.

Description

Method, device and equipment for processing converted address and computer readable storage medium
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method, an apparatus, a device, and a computer-readable storage medium for processing a translation address.
Background
Source Network Address Translation (NAT) is a function by which internal addresses are used inside a local area network and, when an internal node needs to communicate with an external network, the internal address is replaced by a public address at the gateway, so that the internal address can be used normally on the external public network (Internet). NAT lets many computers share one Internet connection, which largely solves the shortage of public Internet Protocol (IP) addresses: the whole LAN needs to apply for only one legal IP address to access the Internet. The NAT device masks the intranet, so that none of the intranet computers are visible to the public network, and intranet users are generally unaware that NAT is present. Since IPv4 addresses are nearly exhausted, configuring IP addresses from internal network ranges effectively reduces IPv4 address consumption; the NAT gateway can still access the Internet normally, and the internal network is hidden and protected, which effectively avoids attacks from outside the network. NAT therefore plays a very important role in network security.
Fig. 1 is a schematic flow chart of eliminating unavailable IPs. When a packet passes through the security device, the device queries for available NAT resources (an IP plus a port) and performs source NAT translation on the packet. If the translation succeeds, the device records the current session state of the packet and sets a timer event for it. When the timer event fires, if the public network IP obtained after NAT translation belongs to the unavailable IPs, the device releases the NAT translation resources corresponding to the packet and eliminates the unavailable IP from the NAT address pool; otherwise it performs the corresponding operation according to the packet's current connection state. Each packet passing through the security device is recorded in the form of a session, and the source NAT information is recorded in the session corresponding to each packet.
When eliminating unavailable IPs, the source NAT resource search is an unavoidable overhead: traversing all NAT sessions to look for connections whose session state has not changed for a long time would greatly affect the performance of the security device, so a timer is used instead to respond to the event, and because the source NAT translation resources on the security device are limited, a timer of this magnitude has little impact on the device's performance. Referring to the processing flow of the timer response event in fig. 2, the timer event checks whether the session state has been updated; if so, the timer event is reset, otherwise it is determined whether the current connection is an invalid connection. If the current connection is invalid, the public network IP obtained after NAT translation is removed from the NAT address pool and the NAT translation resources are released; if the connection is valid, the timer event on the session is removed.
Whether the session state has changed after NAT translation is thus checked periodically to determine whether the translated connection is effective; if the connection is ineffective, the translated address resource is removed from the NAT address pool, i.e. the unavailable IP is eliminated, and once eliminated it is never recovered. In an actual network environment, however, the upstream and downstream environments differ and change: a currently unavailable connection may become available as the upstream or downstream network changes (for example, when routing configuration is added on the destination address side). An IP handling approach in which an address, once eliminated, can never be reused therefore has great limitations in a network environment that actually changes.
Disclosure of Invention
In view of the above, the present application provides a method, an apparatus, a device and a computer readable storage medium for processing a translation address, which can adapt to a network environment that actually changes.
Specifically, the method is realized through the following technical scheme:
a method of translation address processing, comprising:
after performing a source Network Address Translation (NAT) operation on a target packet, obtaining the translated source address of the target packet as the target source address;
if the target source address is currently not within its valid-state effective time interval, clearing the valid-state effective time interval set for the target source address;
if the session connection of the target packet is an invalid connection, reselecting a translated source address for the target packet and setting an invalid-state effective time interval for the target source address, so as to prohibit the target source address from being used as the translated source address of the target packet and of other packets within the invalid-state effective time interval, the destination addresses of the other packets being the same as the destination address of the target packet.
A translated address processing apparatus comprising:
an address translation unit, configured to obtain the translated source address of the target packet as the target source address after performing a source Network Address Translation (NAT) operation on the target packet;
a clearing unit, configured to clear the valid-state effective time interval set for the target source address if the target source address is currently not within its valid-state effective time interval;
and an invalidation setting unit, configured to reselect a translated source address for the target packet if the session connection of the target packet is an invalid connection, and to set an invalid-state effective time interval for the target source address, so that the target source address is prohibited from being used as the translated source address of the target packet and of other packets within the invalid-state effective time interval, the destination addresses of the other packets being the same as the destination address of the target packet.
An electronic device, comprising: a processor, a memory;
the memory for storing a computer program;
the processor is configured to execute the above translated address processing method by invoking the computer program.
A computer-readable storage medium on which a computer program is stored, which when executed by a processor implements the above-described translation address processing method.
In the technical scheme provided by the application, after a source NAT operation is performed on a target packet, the translated source address of the target packet is obtained and used as the target source address. If the target source address is currently not within its valid-state effective time interval, the valid-state effective time interval set for it is cleared, so that the validity of the target source address can be determined again according to the session connection state of the target packet, after which a valid-state effective time interval is set again or an invalid-state effective time interval is set instead. If the session connection of the target packet is an invalid connection, the connection is unreachable, a translated source address is reselected for the target packet, and an invalid-state effective time interval is set for the target source address, so that within that interval the target source address is prohibited from being used as the translated source address of the target packet and of other packets with the same destination address. The target source address is thereby invalidated only intermittently, which not only avoids the impact of frequent timer events on the performance of the security device but also adapts to a network environment that actually changes.
Drawings
FIG. 1 is a schematic flow chart illustrating the elimination of unavailable IPs according to the present application;
FIG. 2 is a schematic diagram illustrating the processing flow of a timer responding to an event according to the present application;
FIG. 3 is a flowchart illustrating a method for processing translated addresses according to the present application;
FIG. 4 is a schematic diagram illustrating the translation process of an address and port according to the present application;
FIG. 5 is a flowchart illustrating another method for processing translated addresses according to the present application;
FIG. 6 is a block diagram of a translated address processing apparatus according to the present application;
FIG. 7 is a schematic structural diagram of an electronic device according to the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at …" or "when …" or "in response to a determination", depending on the context.
Prior to describing the embodiments of the present application, technical terms related to the embodiments of the present application will be described first.
Source NAT: Source Network Address Translation, a technique for translating a private address into a public IP address, is widely used in various access methods and networks. NAT solves the problem of insufficient IP addresses, can effectively avoid attacks from outside the network, and hides and protects the computers inside the network.
Session: i.e. connection tracking. When a flow passes through the device, the device records the forwarding information corresponding to the flow, including the five-tuple, the access interface, the MAC address (the post-translation MAC address) and the NAT information.
NAT address pool: a set of external addresses (globally unique IP addresses) combined into a pool. When a packet from the internal network passes through address translation to reach the external network, an IP address is selected from the pool as the packet's source IP address, so that the user's external addresses are used effectively and the capability of accessing the external network is improved.
Invalid connection: after a client sends a request packet, the server does not respond or is blocked, so the connection cannot be established normally and cannot be used for data transmission.
Unavailable IP: when an address in the public network IP address pool is used for source NAT translation and the session formed by that translation is an invalid connection, the address is an unavailable IP address.
In order to facilitate understanding of the existing technical solution of eliminating unavailable IP, the following description is given.
The client (192.168.1.1) accesses the server (172.30.0.1) directly through the security device; the NAT address pool ranges from 172.30.0.2 to 172.30.0.2 and from 10.23.0.1 to 10.23.0.2.
The client initiates two Transmission Control Protocol (TCP) requests, which form the following sessions after NAT translation:
(1)192.168.1.1-172.30.0.1 to 172.30.0.2-172.30.0.1;
(2)192.168.1.1-172.30.0.1 to 10.23.0.1-172.30.0.1.
Under normal network conditions, based on the first session, the corresponding data packet can be forwarded to the server normally, i.e. a direct route to the server can be found, and after the handshake a normal connection is established and data is transmitted. However, since there is no 10.23 network segment between the security device and the server, based on the second session the corresponding data packet cannot be forwarded to the server normally; the connection remains in the SYN_SENT state and no effective data transmission can take place.
At this point the timer response event can determine that the connection state has not changed and that the connection is invalid. Therefore, for the second session, the public network IP obtained after NAT translation can be removed from the NAT address pool so that subsequent request packets are no longer translated to the unavailable IP, which improves the effectiveness of source NAT translation. The timer event may, for example, check once every 6 seconds.
The prior art scheme has the following disadvantage: since a currently unavailable connection may become available as the upstream and downstream network environments change (for example, when routing configuration is added on the destination address side), an IP handling approach in which an address, once eliminated, cannot be reused has great limitations in a network environment that actually changes.
To solve the above technical problem, an embodiment of the present application provides a method for processing a translated address in which a reasonable valid-state effective time interval and invalid-state effective time interval are set for each external IP address in the NAT address pool, so that the method better meets the requirements of a changing actual network environment.
The following describes a method for processing a translation address provided in the embodiment of the present application in detail.
Referring to fig. 3, a schematic flowchart of a method for processing a translated address according to an embodiment of the present application, the execution subject of the method may be a security device such as a firewall or a router. The steps of the method are described below with reference to the schematic flowchart of address and port translation shown in fig. 4.
The translated address processing method shown in fig. 3 includes the following steps S301 to S303:
S301: after the source NAT operation is performed on the target packet, the translated source address of the target packet is obtained and used as the target source address.
In this embodiment, the target packet may be the first packet of a flow, such as the first packet of a PING (Packet Internet Groper) exchange, or a subsequent packet. If the source IP address of the target packet is an internal address used in the internal network of the LAN and a network device in the internal network wants to access the external network through the security device, then after receiving the target packet from the internal network the security device performs a source NAT operation on it to obtain the translated source address, which is an external IP address.
In the embodiment of the present application, S301 may specifically include the following steps A1-A3:
Step A1: select an initial translated address for the target packet from the NAT address pool as the pending source address.
After receiving the target packet, the security device matches the source NAT policy according to the source NAT translation configuration, and after a successful match obtains the information of the designated NAT address pool, in which a plurality of external IP addresses are stored; see S401-S402 in fig. 4. On this basis, when the initial NAT operation is performed on the target packet, an external IP address, the initial translated address, is selected from the NAT address pool. Since the initial translated address may not be the final translated source address, it is referred to here as the pending source address.
In one implementation of the embodiment, "selecting an initial translated address for the target packet from the NAT address pool" in step A1 may specifically include: performing a hash calculation based on at least one of the pre-translation source address of the target packet, the pre-translation source port of the target packet and the number of addresses in the NAT address pool; and selecting the initial translated address of the target packet from the NAT address pool according to the calculated hash value.
Here the pre-translation source address of the target packet is its internal network address and the pre-translation source port is its internal network port. During address translation, one or more of the pre-translation source address, the pre-translation source port and the number of addresses in the NAT address pool are hashed and the hash is reduced by taking a remainder (modulo), giving a hash value; an external IP address is then selected from the NAT address pool according to that value as the initial translated address of the target packet; see S403 in fig. 4.
Step A2: determine whether a record relationship between the pending source address of the target packet and the destination address of the target packet exists in the association table.
The association table records the association relationship between each destination address and each source address (i.e. each external IP address) in the NAT address pool.
In practice, different internal source IP addresses may be translated by source NAT to the same external IP address in the NAT address pool while their destination addresses differ, and some of the resulting network connections may be invalid, because whether an address in the NAT address pool is available is closely related to the destination address being accessed.
Therefore, an association table between each destination address and each source address in the NAT address pool may be established and the availability state of each entry recorded. After the pending source address of the target packet has been selected from the NAT address pool in step A1, the association table is queried with the destination address of the target packet and the pending source address to check whether a record relationship between them exists. If it exists, the pending source address has a certain availability, although its availability must still be confirmed by the subsequent steps; if it does not exist, the pending source address cannot be used as the final translated source address (i.e. the target source address); see S404 in fig. 4. Querying the association table thus improves the validity of the translated source address selection.
Step A3: if the record relationship between the pending source address and the destination address of the target packet exists in the association table and the pending source address is currently not within its invalid-state effective time interval, take the pending source address as the target source address.
Further, the embodiment also includes step A4: if the record relationship between the pending source address and the destination address of the target packet exists in the association table but the pending source address is currently within its invalid-state effective time interval, reselect a pending source address for the target packet from the NAT address pool and continue with step A2 until the target source address is obtained.
Steps A3 and A4 are described in detail below with reference to S405-S407 in fig. 4.
If the record relationship between the pending source address of the target packet and the destination address exists in the association table, check whether a connection-invalid mark exists for the pending source address; if so, an invalid-state effective time interval is currently set for the pending source address, making it invalid intermittently. For example, assuming the invalid-state effective time interval is 1 minute: in the 1st minute the pending source address is in the "invalid state", in the 2nd minute in the "invalid timeout state", in the 3rd minute in the "invalid state", in the 4th minute in the "invalid timeout state", and so on.
When the pending source address is in the "invalid timeout state", i.e. currently not within its invalid-state effective time interval, the target packet and other packets may use it as the translated source address (i.e. the target source address) after the NAT operation.
Conversely, when the pending source address is in the "invalid state", i.e. currently within its invalid-state effective time interval, neither the target packet nor other packets may use it as the translated source address (i.e. the target source address) after the NAT operation; within that interval the pending source address is in effect removed from the NAT address pool. A pending source address must then be selected for the target packet again: the next or the previous address relative to the current pending source address may be taken from the NAT address pool, or an address that has not yet been tried may be selected at random as the new pending source address, after which step A2 is executed again until the target source address is obtained.
Further, after a certain pending source address is taken as a target source address in the above manner, the following steps B1-B2 may be included:
step B1: and determining five-tuple information contained in the session of the target message.
In the embodiment of the application, the security device records each message passing through the device in a session form, based on the uplink or downlink of the message, the session contains forward quintuple information or reverse quintuple information, and the network connection corresponding to each message is uniquely identified through the quintuple information.
In step B1, the five-tuple information corresponding to the destination packet includes a source IP address, a source port, a destination IP address, a destination port, and a transport layer protocol. Because the quintuple information is the quintuple information after the source NAT operation, the source IP address is the target source address of the target message, and the source port is a port selected from the port conversion range corresponding to the target message.
And after matching is successful, not only the appointed NAT address pool information can be obtained, but also the appointed port translation range can be obtained. One port can be randomly selected from the port conversion range as a source port in the five-tuple information.
Step B2: if the five-tuple information of the target message exists in the existing session list, reselecting one port from the port conversion range as a source port, and executing the step B1 again until the five-tuple information of the target message does not exist in the existing session list.
In this embodiment of the present application, an existing session list may be queried according to the quintuple information of the target packet, and whether a session with the quintuple already exists is checked to determine whether the quintuple information of the target packet conflicts with the quintuple information of other packets, see S408 shown in fig. 4. If the quintuple information of the target message does not exist in the existing session list, the quintuple information of the target message is not conflicted with the quintuple information of other messages, and normal network access can be performed.
Conversely, if the five-tuple of the target packet already exists in the existing session list, it conflicts with the five-tuple of another packet's session. In that case the port is changed: a port is reselected from the port translation range to replace the source port in the five-tuple of step B1, giving an updated five-tuple, and the existing session list is queried again in step B2 with the updated five-tuple. This repeats until the source port no longer needs to change, that is, until the five-tuple no longer conflicts; see S409-S410 in fig. 4.
Further, the method may include step B3: if no port in the port translation range makes the five-tuple of the target packet absent from the existing session list, reselect the pending source address of the target packet from the NAT address pool and re-execute step A2, 'determining whether a record relationship between the pending source address and the destination address of the target packet exists in the association table', together with the steps that follow it.
Specifically, referring to S410, S406 and S404 in fig. 4: if every port in the port translation range conflicts, a new pending source address must be selected for the target packet, after which the step 'determining whether a record relationship between the pending source address and the destination address of the target packet exists in the association table' and the subsequent steps are executed again. Note that when the pending source address is reselected from the NAT address pool, the selection manner of step A4 may be used, that is, the next or the previous address relative to the current pending source address may be taken from the NAT address pool, or an address not yet tried may be chosen from the pool at random as the new pending source address.
Therefore, by the above method, a translated source address (the target source address) and a port without conflicts can be selected for the target packet.
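The following is an added example, not code from the patent or from the applicant, that implements the address and port selection just described (steps A1-A4 and B1-B3): the initial address is chosen by hashing the pre-translation source address, source port and pool size, addresses inside their invalid-state effective interval are skipped, and a port is searched in the port translation range against the existing session list, moving to the next pool address when every port conflicts. The hash function (SHA-256), the decision to skip a candidate that has no record in the association table, and all addresses, ports and names are assumptions made for the example.

```python
"""Added example (not code from the patent): source-NAT address and port selection
following steps A1-A4 and B1-B3 of the method described above."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Five-tuple key of the "existing session list": (src ip, src port, dst ip, dst port, proto)
FiveTuple = Tuple[str, int, str, int, str]


@dataclass(frozen=True)
class Packet:
    src_ip: str     # source address before translation
    src_port: int   # source port before translation
    dst_ip: str
    dst_port: int
    proto: str


def initial_index(pkt: Packet, pool_size: int) -> int:
    """Step A1 / claim 5: hash the pre-translation source address, the source port and
    the number of pool addresses to pick the initial translated address.
    SHA-256 is an assumption; the page does not name a hash function."""
    material = f"{pkt.src_ip}:{pkt.src_port}:{pool_size}".encode()
    digest = hashlib.sha256(material).digest()
    return int.from_bytes(digest[:4], "big") % pool_size


def select_translated_source(
    pkt: Packet,
    pool: List[str],                      # NAT address pool
    assoc: Set[Tuple[str, str]],          # association table: (pool address, destination address)
    invalid_until: Dict[str, float],      # end of each address's invalid-state effective interval
    sessions: Set[FiveTuple],             # existing session list
    port_range: range,                    # port translation range for this packet
    now: float,
) -> Optional[Tuple[str, int]]:
    """Return (target source address, source port) with no five-tuple conflict, or None
    when every pool address is unusable (inside its invalid-state interval, without an
    association record, or with every port of the range already in use)."""
    n = len(pool)
    if n == 0:
        return None
    start = initial_index(pkt, n)
    for step in range(n):
        # Step A4: on reselection move to the next address of the pool (one of the
        # options the text allows; the alternatives are the previous or a random one).
        cand = pool[(start + step) % n]
        # Step A2: the association table must record the (candidate, destination) pair.
        # Assumption: a pair without a record is skipped here.
        if (cand, pkt.dst_ip) not in assoc:
            continue
        # Step A3 / claim 4: an address still inside its invalid-state effective
        # interval may not be used as the translated source address.
        if invalid_until.get(cand, 0.0) > now:
            continue
        # Steps B1-B2: build the five-tuple with a port from the range and re-check
        # the existing session list until a non-conflicting port is found.
        for port in port_range:
            key: FiveTuple = (cand, port, pkt.dst_ip, pkt.dst_port, pkt.proto)
            if key not in sessions:
                sessions.add(key)          # register the new session
                return cand, port
        # Step B3: every port conflicts, so fall through and reselect the address.
    return None
```

Because the search walks the whole pool at most once, an exhausted pool (every address prohibited or every port of every address in use) yields None rather than looping, which is the condition a NAT device must report as an allocation failure.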
S302: if the target source address is currently not within its valid-state effective interval, clear the valid-state effective interval set for the target source address.
After a conflict-free target source address has been obtained for the target packet, the association table is queried to determine whether a record relationship between the target source address and the destination address of the target packet exists; if it does, the connection is reachable, and the connection-valid flag of the target source address is checked; if that flag is present, a valid-state effective interval is set for the target source address. For example, with a valid-state effective interval of 1 minute, the target source address is in the 'valid state' during the 1st minute, in the 'valid timeout state' during the 2nd minute, in the 'valid state' during the 3rd minute, in the 'valid timeout state' during the 4th minute, and so on.
When the target source address is in the 'valid timeout state', that is, not within its valid-state effective interval, the target source address of the target packet, the destination address of the target packet and the session identifier (session ID) of the target packet may be added to the address pool valid information table; see S409 in fig. 4.
The valid-state effective interval set for the target source address is then cleared, so that the validity of the target source address can be re-determined from the session state of the target packet, after which a valid-state effective interval is set again or replaced by an invalid-state effective interval.
S303: if the session connection of the target packet is an invalid connection, reselect a translated source address for the target packet and set an invalid-state effective interval for the target source address, during which the target source address is prohibited from being used as the translated source address of the target packet and of other packets whose destination address is the same as that of the target packet.
In the embodiment of the present application, it must be determined whether the session connection of the target packet is an invalid connection, that is, S304 in fig. 5 is executed, and if it is, S303 is executed. A valid connection is one in which the server responds after the client sends a request packet, so the connection is established normally and can carry data; an invalid connection is one in which the server does not respond, or is blocked, after the client sends the request packet, so the connection cannot be established and cannot carry data.
In one implementation of the embodiment, S304 may specifically include: querying, by the session identifier (session ID) of the target packet, whether the session state of the target packet has changed; and determining from the change in session state whether the session connection of the target packet is an invalid connection.
In this implementation, a timer may be set for the session state of the target packet. When the session-state detection timer of the target packet expires, the session state is looked up by the recorded session ID of the target packet. If the session state has not changed, that is, the current session state matches the previously stored session state, the session connection cannot carry data effectively and is an invalid connection; otherwise it is a valid connection.
In this embodiment, if the session connection of the target packet is an invalid connection, the invalid flag of the target source address is set to 1 in the record information of the target source address, so that the target packet undergoes the source NAT operation again, that is, step S301 is executed again. In addition, an invalid-state effective interval is set for the target source address, so that when source NAT is performed for the target packet and for subsequent packets with the same destination address, the target source address is excluded from the NAT address pool within its invalid-state effective interval; in other words, the target source address is prohibited from being used as the translated source address of the target packet and of those other packets.
Further, referring to fig. 5, the embodiment may also include S305: if the session connection of the target packet is a valid connection, set a valid-state effective interval for the target source address again.
Thus the method sets a reasonable valid-state effective interval for the target source address and starts the timer event only when the target packet is translated to the target source address while that address is not within its valid-state effective interval. Likewise, a reasonable invalid-state effective interval is set for the target source address: while the address is within that interval it is prohibited from being used as a NAT-translated address, and if during that period a network change makes the target source address the source address of a valid connection, its use is resumed once the invalid-state effective interval expires, so it can again serve as a NAT-translated address, better matching the actual network environment after translation.
In the method for processing a translated address provided in the embodiment of the present application, a source NAT operation is performed on the target packet to obtain its translated source address as the target source address. If the target source address is currently not within its valid-state effective interval, the valid-state effective interval set for it is cleared, so that the validity of the target source address can be re-determined from the session connection state of the target packet, and a valid-state effective interval is set again or an invalid-state effective interval is set instead. If the session connection of the target packet is an invalid connection, the session is unreachable: a translated source address is reselected for the target packet, and an invalid-state effective interval is set for the target source address, within which the target source address is prohibited from being used as the translated source address of the target packet and of other packets with the same destination address. The target source address is therefore invalidated intermittently rather than continuously, which avoids the performance impact of frequent timer events on the security device while adapting to the actually changing network environment.
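The following is an added example, not code from the patent or from the applicant, that models the validity bookkeeping of S302-S305 for one translated source address: inside the valid-state interval nothing is done (no timer is started), outside it the interval is cleared, the address is recorded in the address pool valid information table and a session-state detection timer is armed; when the timer fires, an unchanged session state marks the connection invalid (invalid flag set to 1, invalid-state interval started, address prohibited until it expires), while a changed state resets the valid-state interval. The interval lengths, the session-state labels and the clock passed in as a number are assumptions made for the example.

```python
"""Added example (not code from the patent): validity bookkeeping of steps S302-S305
for a translated source address, driven by an explicit clock value."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

VALID_INTERVAL = 60.0     # seconds; the page's example uses 1 minute
INVALID_INTERVAL = 120.0  # seconds; assumed value, the page gives no figure


@dataclass
class AddressRecord:
    """Record information kept per target source address."""
    valid_until: Optional[float] = None   # end of valid-state effective interval; None = cleared
    invalid_until: float = 0.0            # end of invalid-state effective interval
    invalid_flag: int = 0                 # set to 1 when the session connection was found invalid


class TranslatedAddressTracker:
    def __init__(self) -> None:
        self.records: Dict[str, AddressRecord] = {}
        # address pool valid information table: (target source address, destination, session ID)
        self.valid_info: List[Tuple[str, str, str]] = []
        # running session-state detection timers: session ID -> (address, stored session state)
        self.timers: Dict[str, Tuple[str, str]] = {}

    def _rec(self, addr: str) -> AddressRecord:
        return self.records.setdefault(addr, AddressRecord())

    def in_valid_interval(self, addr: str, now: float) -> bool:
        r = self._rec(addr)
        return r.valid_until is not None and now < r.valid_until

    def usable(self, addr: str, now: float) -> bool:
        """Claim 4 check: the address is prohibited while inside its invalid-state interval."""
        return self._rec(addr).invalid_until <= now

    def after_translation(self, addr: str, dst: str, session_id: str,
                          session_state: str, now: float) -> bool:
        """S302. Returns True when a session-state detection timer was started.
        Inside the valid-state interval nothing happens, which is what keeps the
        number of timer events low."""
        if self.in_valid_interval(addr, now):
            return False
        r = self._rec(addr)
        r.valid_until = None                               # clear the valid-state interval
        self.valid_info.append((addr, dst, session_id))    # S409 in fig. 4
        self.timers[session_id] = (addr, session_state)    # store state for later comparison
        return True

    def on_timer_expiry(self, session_id: str, current_state: str, now: float) -> str:
        """S304 leading to S303 or S305. Returns "invalid" (the caller must redo S301
        with a different address) or "valid"."""
        addr, stored_state = self.timers.pop(session_id)
        r = self._rec(addr)
        if current_state == stored_state:
            # Unchanged session state: the connection never became usable (S303).
            r.invalid_flag = 1
            r.invalid_until = now + INVALID_INTERVAL
            return "invalid"
        # Session state progressed: valid connection (S305), reset the valid-state interval.
        r.invalid_flag = 0
        r.valid_until = now + VALID_INTERVAL
        return "valid"
```

The tracker keeps the two intervals separate on purpose: `usable` only consults the invalid-state interval, so an address whose valid-state interval has merely timed out is still eligible for translation and is simply re-checked by a timer, exactly the "valid timeout state" of the 1-minute example above.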
Referring to fig. 6, a schematic diagram of an apparatus for processing a translated address according to an embodiment of the present application is shown. The apparatus includes:
an address translation unit 610, configured to perform a source Network Address Translation (NAT) operation on a target packet to obtain the translated source address of the target packet as the target source address;
a clearing unit 620, configured to clear the valid-state effective interval set for the target source address if the target source address is currently not within its valid-state effective interval;
an invalid setting unit 630, configured to reselect a translated source address for the target packet if the session connection of the target packet is an invalid connection, and to set an invalid-state effective interval for the target source address, so that within that interval the target source address is prohibited from being used as the translated source address of the target packet and of other packets whose destination address is the same as that of the target packet.
In one implementation of the embodiment, the apparatus further includes:
a valid setting unit, configured to set a valid-state effective interval for the target source address again if the session connection of the target packet is a valid connection.
In one implementation of the embodiment, the address translation unit 610 is specifically configured to:
select an initial translated address of the target packet from the NAT address pool as the pending source address;
determine whether a record relationship between the pending source address and the destination address of the target packet exists in an association table, the association table recording the association between each destination address and each source address in the NAT address pool; and
if the record relationship exists in the association table and the pending source address is currently not within its invalid-state effective interval, take the pending source address as the target source address.
In one implementation of the embodiment, the address translation unit 610 is further configured to:
if the record relationship exists in the association table but the pending source address is currently within its invalid-state effective interval, reselect the pending source address from the NAT address pool and continue with the function of determining whether a record relationship between the pending source address and the destination address of the target packet exists in the association table.
In one implementation of the embodiment, the address translation unit 610 is specifically configured to:
compute a hash from at least one of the pre-translation source address of the target packet, the pre-translation source port of the target packet and the number of addresses in the NAT address pool; and
select the initial translated address of the target packet from the NAT address pool according to the computed hash value.
In one implementation of the embodiment, the apparatus further includes a port translation unit configured to:
after the pending source address is taken as the target source address, determine the five-tuple of the session of the target packet, the five-tuple comprising a source IP address, a source port, a destination IP address, a destination port and a transport-layer protocol, where the source IP address is the target source address and the source port is a port selected from the port translation range corresponding to the target packet; and
if the five-tuple exists in the existing session list, reselect a port from the port translation range as the source port and continue with the function of determining the five-tuple of the session of the target packet until the five-tuple no longer exists in the existing session list.
In one implementation of the embodiment, the port translation unit is further configured to:
if no port in the port translation range makes the five-tuple absent from the existing session list, reselect the pending source address of the target packet from the NAT address pool and continue with the function of determining whether a record relationship between the pending source address and the destination address of the target packet exists in the association table.
The implementation of the functions and actions of each unit of the above apparatus is described in the corresponding steps of the method above and is not repeated here.
Since the apparatus embodiments substantially correspond to the method embodiments, the description of the method embodiments can be consulted for the relevant points. The apparatus embodiments described above are merely illustrative: the units described as separate parts may or may not be physically separate, and the parts shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the application, and a person of ordinary skill in the art can understand and implement this without inventive effort.
An embodiment of the present application further provides an electronic device, whose structure is shown schematically in fig. 7. The electronic device 7000 includes at least one processor 7001, a memory 7002 and a bus 7003, the at least one processor 7001 being electrically connected to the memory 7002; the memory 7002 is configured to store at least one computer-executable instruction, and the processor 7001 is configured to execute that instruction so as to perform the steps of the method for processing a translated address provided in any embodiment or optional implementation of the present application.
Further, the processor 7001 may be an FPGA (Field-Programmable Gate Array) or another device with logic processing capability, such as an MCU (Micro Controller Unit) or a CPU (Central Processing Unit).
By applying the embodiment of the application, the target source address is invalidated intermittently, which avoids the impact of frequent timer events on the performance of the security device and adapts to the actually changing network environment.
The embodiments of the present application further provide a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the method for processing a translated address provided in any embodiment or optional implementation of the present application.
The computer-readable storage medium provided by the embodiments includes, but is not limited to, any type of disk (floppy disks, hard disks, optical disks, CD-ROMs and magneto-optical disks), ROMs (Read-Only Memories), RAMs (Random Access Memories), EPROMs (Erasable Programmable Read-Only Memories), EEPROMs (Electrically Erasable Programmable Read-Only Memories), flash memory, magnetic cards or optical cards. That is, a readable storage medium includes any medium that stores or transmits information in a form readable by a device such as a computer.
The above description is only an exemplary embodiment of the present application and is not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present application shall fall within its scope of protection.

Claims (10)

1. A method for processing a translated address, comprising:
after performing a source Network Address Translation (NAT) operation on a target packet, obtaining the translated source address of the target packet as a target source address;
if the target source address is currently not within its valid-state effective interval, clearing the valid-state effective interval set for the target source address;
if the session connection of the target packet is an invalid connection, reselecting a translated source address for the target packet and setting an invalid-state effective interval for the target source address, so as to prohibit the target source address from being used as the translated source address of the target packet and of other packets within the invalid-state effective interval, wherein the destination addresses of the other packets are the same as the destination address of the target packet.
2. The method of claim 1, further comprising:
if the session connection of the target packet is a valid connection, setting a valid-state effective interval for the target source address again.
3. The method according to claim 1 or 2, wherein obtaining the translated source address of the target packet as the target source address after performing the source NAT operation on the target packet comprises:
selecting an initial translated address of the target packet from an NAT address pool as a pending source address;
determining whether a record relationship between the pending source address and the destination address of the target packet exists in an association table, wherein the association table records the association between each destination address and each source address in the NAT address pool; and
if the record relationship exists in the association table and the pending source address is currently not within its invalid-state effective interval, taking the pending source address as the target source address.
4. The method of claim 3, further comprising:
if the record relationship exists in the association table but the pending source address is currently within its invalid-state effective interval, reselecting the pending source address from the NAT address pool and continuing to execute the step of determining whether the record relationship between the pending source address and the destination address of the target packet exists in the association table.
5. The method of claim 3, wherein selecting the initial translated address of the target packet from the NAT address pool comprises:
computing a hash from at least one of the pre-translation source address of the target packet, the pre-translation source port of the target packet and the number of addresses in the NAT address pool; and
selecting the initial translated address of the target packet from the NAT address pool according to the computed hash value.
6. The method of claim 3, further comprising, after taking the pending source address as the target source address:
determining the five-tuple of the session of the target packet, wherein the five-tuple comprises a source IP address, a source port, a destination IP address, a destination port and a transport-layer protocol, the source IP address is the target source address, and the source port is a port selected from a port translation range corresponding to the target packet; and
if the five-tuple exists in the existing session list, reselecting a port from the port translation range as the source port and continuing to execute the step of determining the five-tuple of the session of the target packet until the five-tuple no longer exists in the existing session list.
7. The method of claim 6, further comprising:
if no port in the port translation range makes the five-tuple absent from the existing session list, reselecting the pending source address of the target packet from the NAT address pool and continuing to execute the step of determining whether the record relationship between the pending source address and the destination address of the target packet exists in the association table.
8. An apparatus for processing a translated address, comprising:
an address translation unit, configured to obtain the translated source address of a target packet as a target source address after performing a source Network Address Translation (NAT) operation on the target packet;
a clearing unit, configured to clear the valid-state effective interval set for the target source address if the target source address is currently not within its valid-state effective interval; and
an invalid setting unit, configured to reselect a translated source address for the target packet if the session connection of the target packet is an invalid connection, and to set an invalid-state effective interval for the target source address, so that within that interval the target source address is prohibited from being used as the translated source address of the target packet and of other packets, wherein the destination addresses of the other packets are the same as the destination address of the target packet.
9. An electronic device, comprising a processor and a memory;
the memory being configured to store a computer program; and
the processor being configured to execute the method for processing a translated address according to any one of claims 1 to 7 by calling the computer program.
10. A computer-readable storage medium on which a computer program is stored, wherein the program, when executed by a processor, implements the method for processing a translated address according to any one of claims 1 to 7.
Priority Applications (1)

Application Number | Publication | Priority Date | Filing Date | Title | Status
CN202011484004.3A | CN112637374B (en) | 2020-12-15 | 2020-12-15 | Method, device and equipment for processing converted address and computer readable storage medium | Active

Publications (2)

Publication Number | Publication Date
CN112637374A (en) | 2021-04-09
CN112637374B (en) | 2022-07-01

Family ID: 75314167

Country Status (1)

Country | Link
CN | CN112637374B (en)

Citations (11)

* Cited by examiner, † Cited by third party

Publication number | Priority date | Publication date | Assignee | Title
JP2007174033A (en) * | 2005-12-20 | 2007-07-05 | Matsushita Electric Ind Co Ltd | SNMP network management system, device to be managed, and program
CN101123582A (en) * | 2007-09-21 | 2008-02-13 | 中兴通讯股份有限公司 | A communication method between private network terminals
JP2012156656A (en) * | 2011-01-24 | 2012-08-16 | Fujitsu Ltd | Network address translation method, network address translation proxy response method, network address translation device, and network address translation proxy response device
CN106506724A (en) * | 2016-11-23 | 2017-03-15 | 杭州华三通信技术有限公司 | A kind of method and device of distribution port block
CN106789859A (en) * | 2016-01-29 | 2017-05-31 | 新华三技术有限公司 | Message matching method and device
CN106790732A (en) * | 2015-11-24 | 2017-05-31 | 中兴通讯股份有限公司 | Address conversion method, apparatus and system, network identity control method and device
CN107682470A (en) * | 2017-10-16 | 2018-02-09 | 杭州迪普科技股份有限公司 | The method and device of public network IP availability in a kind of detection NAT address pool
CN108347359A (en) * | 2018-01-30 | 2018-07-31 | 新浪网技术(中国)有限公司 | A kind of catenet address conversion outlet judgment method and device
CN109743414A (en) * | 2019-02-18 | 2019-05-10 | 国家计算机网络与信息安全管理中心 | The method and computer readable storage medium of address translation availability are improved using redundancy link
CN110138885A (en) * | 2018-02-02 | 2019-08-16 | 华为技术有限公司 | Address distribution method and device
CN111273577A (en) * | 2018-12-05 | 2020-06-12 | 阿自倍尔株式会社 | Facility monitoring system and communication method for facility monitoring system

Family Cites Families (1)

* Cited by examiner, † Cited by third party

Publication number | Priority date | Publication date | Assignee | Title
US20140294006A1 (en) * | 2013-03-29 | 2014-10-02 | Alcatel-Lucent Canada Inc. | Direct service mapping for NAT and PNAT


Also Published As

Publication number | Publication date
CN112637374A (en) | 2021-04-09


Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant