WO2017054429A1 - SOPC-based NAT implementation method and device - Google Patents


Info

Publication number
WO2017054429A1
Authority
WO
WIPO (PCT)
Application number
PCT/CN2016/078029
Other languages
French (fr)
Chinese (zh)
Inventor
刘兆先
Original Assignee
北京特立信电子技术股份有限公司


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L61/2514 Translation of Internet protocol [IP] addresses between local and global IP addresses
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate


Abstract

Disclosed are an SOPC-based NAT implementation method and device. The method comprises: a learning/processing module judging whether it can process the information itself; if so, the learning/processing module performs processing according to contents learned previously and then submits the processing result to a NAT processing module; otherwise the received information is submitted to a processor for processing. The device comprises a processor module, a learning/processing module, an Ethernet interface module, an extraction module, a data buffer module, a NAT processing module and a NAT reverse processing module. The invention implements NAT processing on an SOPC, makes full use of the respective advantages of a processor and of logic processing by assigning implementation functions to each rationally, and uses the learning/processing module to make up for the limited processing capacity of the processor module. It also has the advantages of flexible NAT processing, fast processing, low cost and low power consumption, with good economic and social benefits, and can be widely applied to NAT processing systems of all kinds.

Description

Method and device for implementing NAT based on SOPC
Technical field
The present invention relates to the field of computer networks, and in particular to a network address translation method.
Background
NAT: Network Address Translation.
SOPC: System-on-Programmable-Chip, a programmable system on a chip.
ICMP: Internet Control Message Protocol. It is a sub-protocol of the TCP/IP protocol suite, used to pass control messages between IP hosts and routers.
CAM: Content Addressable Memory.
At present there are three main ways of implementing NAT: the first is pure software, usually carried on a general-purpose CPU; the second is hardware based on an FPGA; the third is based on a network processor (NP).
The pure software approach is flexible and the technology is mature, but its drawbacks are equally obvious: processing is slow, latency is high, it consumes a great deal of CPU time, and memory consumption is high.
The FPGA approach is fast and has low latency. If it is implemented purely in logic, however, it can usually only realise NAT processing of relatively simple functionality, it is less flexible in application than pure software, and it consumes a large amount of logic resources.
The NP approach is fast, but expensive and not flexible enough in application.
In summary, the prior art has the following problems:
1. Implementing NAT purely in logic limits the functional complexity that can be achieved;
2. For specific applications, the existing FPGA-based and NP-based implementations are not flexible enough;
3. For small applications, the existing implementations are bulky, power-hungry and costly.
Summary of the invention
To solve the above technical problems, one object of the present invention is to provide a NAT implementation method that implements NAT processing flexibly, processes quickly, and has low cost and low power consumption.
To solve the above technical problems, another object of the present invention is to provide a NAT implementation device that implements NAT processing flexibly, processes quickly, and has low cost and low power consumption.
The technical solution adopted by the present invention is:
A method for implementing NAT based on an SOPC, comprising the steps of:
S1: extracting information from a data packet;
S2: storing the data packet in a buffer and, at the same time, submitting the extracted information to a learning/processing module;
S3: the learning/processing module determines whether it can process this information itself; if it can, proceed to step S4, otherwise submit the received information to the processor and proceed to step S5;
S4: the learning/processing module processes the information according to previously learned content and then submits the processing result to the NAT processing module;
S5: the processor processes the received information and returns the processing result to the learning/processing module;
S6: the learning/processing module learns the processor's result and submits the processing result to the NAT processing module;
S7: the NAT processing module and the NAT reverse processing module process the data packet in the buffer according to the received processing result.
Preferably, the information in step S1 includes the source MAC address, Ethernet protocol type, IP protocol type, Ethernet source IP, Ethernet destination IP, ICMP identifier, ICMP sequence number, source port number, destination port, the 16-bit identification of the IP packet, the 3-bit flags and 13-bit fragment offset of the IP packet, the IP header checksum, and the ICMP/TCP/UDP checksum.
Preferably, the information submitted to the learning/processing module in step S2 includes the source IP, destination IP, source port number (TCP, UDP), destination port (TCP, UDP), the 16-bit identification of the IP packet, the 3-bit flags and 13-bit fragment offset of the IP packet, and the protocol type.
Preferably, step S3 specifically includes the sub-steps:
S31: first determine from the packet's 3-bit flags and 13-bit fragment offset whether the packet is an IP fragment; if it is a fragment, this information cannot be processed, otherwise proceed to step S32;
S32: perform a CAM query with the source IP, source port, destination IP, destination port and protocol type from the information; if a valid entry exists, the learning/processing module can process this information and proceeds to step S4, otherwise it cannot process this information and proceeds to step S33;
S33: submit the received information to the processor and proceed to step S5.
Preferably, step S4 specifically is: obtain the address of the matching unit from the output of the CAM, read the content of that address unit from the storage module and return it to the NAT processing module as the processing result, and at the same time clear the corresponding aging counter.
Preferably, the information in step S5 is private-network data or public-network data, and step S5 specifically includes the sub-steps: S51, process the private-network data and return the processing result to the learning/processing module; or S52, process the public-network data and return the processing result to the learning/processing module.
Preferably, step S51 specifically includes the sub-steps:
S511: use the source port number as the index into the private-network port lookup table, fetch the corresponding entry from memory and check whether the entry's valid flag is set; if it is, proceed to step S512, otherwise go to step S519;
S512: check whether the pointer flag is set; if it is, go to step S517, otherwise go to step S513;
S513: check whether the protocol field and the source IP field match; if they match, go to step S514, otherwise go to step S519;
S514: replace the source port with the content of the replacement-port field, and check whether the external gateway valid flag is set; if it is, go to step S516, otherwise go to step S515;
S515: the packet can be delivered directly or via the default gateway; go to step S518;
S516: the packet must be forwarded through that external gateway; go to step S518;
S517: locate the IP lookup table through the IP pointer and traverse the entries whose valid flag is set; if an entry whose protocol field and source IP field match exists, go to step S514, otherwise go to step S519;
S518: table lookup succeeded; go to step S5111;
S519: if the dynamic mode bit is set, randomly allocate an unused public IP and port and add the corresponding information to the NAT configuration table; go to step S5111;
S5110: table lookup failed, the packet is discarded; go to step S5111;
S5111: return the processing result to the learning/processing module; go to step S511 and start the next lookup.
Step S52 specifically includes the sub-steps:
S521: use the destination port number as the index into the public-network port lookup table, fetch the corresponding entry from memory and check whether the entry's valid flag is set; if it is not, go to step S5210, if it is, go to step S522;
S522: check whether the pointer flag is set; if it is not, go to step S523, if it is, go to step S525;
S523: check whether the protocol field and the external IP field match; if they match, go to step S524, otherwise go to step S5210;
S524: replace the destination port and destination IP with the contents of the replacement-port field and the internal IP field; go to step S529;
S525: locate the IP lookup table through the IP pointer and traverse the entries whose valid flag is set; if there is an entry whose protocol field and external IP field match and whose remote IP and remote port also match when its remote IP valid flag is set, go to step S526, otherwise go to step S5210;
S526: check whether the internal IP valid flag is set; if it is, go to step S527, otherwise go to step S528;
S527: replace the destination port and destination IP with the replacement port and internal IP from the IP lookup table; go to step S529;
S528: replace the destination port and destination IP with the replacement port from the IP lookup table and the internal IP from the port lookup table; go to step S529;
S529: table lookup succeeded; go to step S5211;
S5210: table lookup failed; go to step S5211;
S5211: return the processing result to the learning/processing module; go to step S521 and start the next lookup.
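The S51/S52 table walk above, as an added worked example in C that is not the patent's code: it models the private and public port lookup tables, the pointer flag into the IP lookup table, the external gateway flag of S514, the remote-host restriction of S525 and the dynamic allocation of S519. The patent names the table fields only by role, so the struct layouts, the reading of the table's "external IP" as the packet's public-side destination address, the sequential single-IP allocation (the patent allocates randomly) and the simplification that S519 only fills an invalid port entry are all assumptions; the addresses are constructed.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Added example, not the patent's code: a software model of the processor
 * module's table walk in steps S51 (private -> public) and S52 (public ->
 * private). Struct layouts, the reading of "external IP" as the packet's
 * public-side destination address, the sequential single-IP dynamic
 * allocation and the rule that S519 only fills an invalid port entry are
 * assumptions. */
#define PORTS      65536
#define IP_ENTRIES 16

typedef struct {
    bool     valid, use_ptr;   /* valid flag; pointer flag into the IP lookup table */
    uint8_t  proto;
    uint32_t ip;               /* S513: internal source IP; S523: public-side dst IP */
    uint16_t replace_port;
    uint32_t public_ip;        /* private side: IP substituted for the source IP */
    uint32_t inner_ip;         /* public side: IP substituted for the destination IP */
    bool     gw_valid;         /* S514: external gateway valid flag */
    uint32_t gw_ip;
    int      ip_ptr, ip_count; /* range in iptab when use_ptr is set */
} port_entry_t;

typedef struct {
    bool     valid;
    uint8_t  proto;
    uint32_t ip;               /* S517: internal source IP; S525: public-side dst IP */
    uint16_t replace_port;
    bool     remote_valid;     /* S525: entry restricted to one remote host */
    uint32_t remote_ip;
    uint16_t remote_port;
    bool     inner_valid;      /* S526 */
    uint32_t inner_ip;
} ip_entry_t;

typedef struct {
    port_entry_t priv[PORTS];  /* private port lookup table, indexed by source port */
    port_entry_t pub[PORTS];   /* public port lookup table, indexed by destination port */
    ip_entry_t   iptab[IP_ENTRIES];
    bool         dynamic_mode;
    uint32_t     pool_ip;      /* public IP handed out in dynamic mode */
    uint16_t     next_port;    /* next unused public port, 0 when exhausted */
} nat_tables_t;

typedef enum { NAT_DROP, NAT_DIRECT, NAT_VIA_GW } nat_verdict_t;
typedef struct { nat_verdict_t verdict; uint32_t ip; uint16_t port; uint32_t gw_ip; } nat_out_t;

/* Step S51: returns the replacement source IP/port, or NAT_DROP (S5110). */
nat_out_t nat_private_lookup(nat_tables_t *t, uint8_t proto, uint32_t src_ip, uint16_t src_port)
{
    nat_out_t o = { NAT_DROP, 0, 0, 0 };
    port_entry_t *e = &t->priv[src_port];                                /* S511 */
    if (e->valid) {
        bool hit = !e->use_ptr && e->proto == proto && e->ip == src_ip; /* S512 -> S513 */
        uint16_t rp = e->replace_port;
        for (int i = 0; e->use_ptr && i < e->ip_count && !hit; i++) {  /* S517 */
            const ip_entry_t *ie = &t->iptab[e->ip_ptr + i];
            if (ie->valid && ie->proto == proto && ie->ip == src_ip) { hit = true; rp = ie->replace_port; }
        }
        if (hit) {                                                       /* S514 */
            o.ip = e->public_ip; o.port = rp;
            o.verdict = e->gw_valid ? NAT_VIA_GW : NAT_DIRECT;            /* S516 / S515 */
            o.gw_ip = e->gw_valid ? e->gw_ip : 0;
            return o;                                                    /* S518 */
        }
    }
    if (t->dynamic_mode && !e->valid && t->next_port != 0) {             /* S519 */
        uint16_t p = t->next_port++;
        *e = (port_entry_t){ .valid = true, .proto = proto, .ip = src_ip,
                             .replace_port = p, .public_ip = t->pool_ip };
        t->pub[p] = (port_entry_t){ .valid = true, .proto = proto, .ip = t->pool_ip,
                                    .replace_port = src_port, .inner_ip = src_ip };
        o.verdict = NAT_DIRECT; o.ip = t->pool_ip; o.port = p;
    }
    return o;                                                            /* S5110 if still NAT_DROP */
}

/* Step S52: dst_ip/dst_port are the packet's public-side destination, src_ip/src_port the remote host. */
nat_out_t nat_public_lookup(const nat_tables_t *t, uint8_t proto, uint32_t src_ip,
                            uint16_t src_port, uint32_t dst_ip, uint16_t dst_port)
{
    nat_out_t o = { NAT_DROP, 0, 0, 0 };
    const port_entry_t *e = &t->pub[dst_port];                           /* S521 */
    if (!e->valid) return o;                                             /* S5210 */
    if (!e->use_ptr) {                                                   /* S522 -> S523 */
        if (e->proto != proto || e->ip != dst_ip) return o;
        o.verdict = NAT_DIRECT; o.ip = e->inner_ip; o.port = e->replace_port;  /* S524 */
        return o;
    }
    for (int i = 0; i < e->ip_count; i++) {                              /* S525 */
        const ip_entry_t *ie = &t->iptab[e->ip_ptr + i];
        if (!ie->valid || ie->proto != proto || ie->ip != dst_ip) continue;
        if (ie->remote_valid && (ie->remote_ip != src_ip || ie->remote_port != src_port)) continue;
        o.verdict = NAT_DIRECT; o.port = ie->replace_port;
        o.ip = ie->inner_valid ? ie->inner_ip : e->inner_ip;             /* S526: S527 / S528 */
        return o;                                                        /* S529 */
    }
    return o;                                                            /* S5210 */
}

/* Constructed configuration: one static mapping via an external gateway, one
 * pointer-style public entry restricted to a remote host, and a dynamic pool. */
nat_tables_t *nat_demo_tables(void)
{
    static nat_tables_t t;    /* several MB: kept static, not on the stack */
    memset(&t, 0, sizeof t);
    t.dynamic_mode = true; t.pool_ip = 0xCB007105u; t.next_port = 40000;  /* 203.0.113.5 */
    t.priv[5000] = (port_entry_t){ .valid = true, .proto = 6, .ip = 0x0A000002u, .replace_port = 60000,
                                   .public_ip = 0xCB007105u, .gw_valid = true, .gw_ip = 0xCB007101u };
    t.pub[60000] = (port_entry_t){ .valid = true, .use_ptr = true, .ip_count = 1, .inner_ip = 0x0A000002u };
    t.iptab[0] = (ip_entry_t){ .valid = true, .proto = 6, .ip = 0xCB007105u, .replace_port = 5000,
                               .remote_valid = true, .remote_ip = 0xC6336401u, .remote_port = 443 };
    return &t;
}
```

Because both tables are indexed by a port number, one port can only carry one mapping unless the pointer flag hands the lookup off to the IP lookup table, which is why the model keeps that second path; the remote-host restriction of S525 is what lets a public entry answer only traffic from the peer it was learned for.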
Preferably, step S5 further includes sub-step S50: perform IP fragment processing on the received information. Step S50 specifically includes the sub-steps:
S501: determine whether the packet is an IP fragment; if it is, go to step S502;
S502: determine whether it is the first fragment of the IP packet; if it is, go to step S503, otherwise go to step S504;
S503: process the first fragment in the same way as a non-fragmented packet, and process the other fragments of that packet held in the cache in the same way; go to step S505;
S504: cache the fragment information; go to step S505;
S505: go to step S501 and start the next processing.
Preferably, step S7 specifically includes the sub-steps:
S71: according to the result output by the learning/processing module, combined with the output of the extraction module and the packet content in the data buffer module, replace the source IP and source port of private-to-public TCP and UDP packets, which completes the NAT processing;
S72: according to the result output by the learning/processing module, combined with the output of the extraction module and the packet content in the data buffer module, replace the destination IP and destination port of public-to-private TCP and UDP packets, which completes the NAT reverse processing;
S73: recalculate the IP header checksum, the TCP checksum and the UDP checksum.
A device for implementing NAT based on an SOPC, used to carry out the SOPC-based NAT implementation method, comprising:
a processor module, used to perform table lookup processing on the packet information output by the learning/processing module and to return the processing result to the learning/processing module;
a learning/processing module, connected to the extraction module and to the processor module, with two main functions: first, receiving the output of the extraction module and checking whether the learned content contains a matching entry; if there is a match, the stored corresponding result is output to the NAT processing module; if there is no match, the received data is submitted directly to the processor module and recorded, so that a one-to-one correspondence with the processing result can be established during learning; second, learning the packet processing result output by the processor, that is, establishing a one-to-one correspondence between the packet-information input and the packet processing result, so that subsequent packets with the same input conditions can be processed directly, reducing the load on the processor module and raising packet processing capacity, and then outputting the result to the NAT processing module;
an extraction module, connected to the Ethernet interface module, used to extract packet information;
an Ethernet interface, including a private-network Ethernet interface for connecting to the private network and an Ethernet interface for connecting to the public network;
a data buffer module, connected between the extraction module and the NAT processing module or the NAT reverse processing module, used to buffer packets;
a NAT processing module, connected to the extraction module, the data buffer module, the learning/processing module and the Ethernet interface, used to receive the output of the learning/processing module and, combined with the output of the extraction module and the packet content in the data buffer module, to implement private-to-public NAT processing;
a NAT reverse processing module, connected to the extraction module, the data buffer module, the learning/processing module and the Ethernet interface, used to receive the output of the learning/processing module and, combined with the output of the extraction module and the packet content in the data buffer module, to implement public-to-private NAT reverse processing.
The beneficial effects of the invention are:
The invention implements NAT processing on an SOPC, makes full use of the respective strengths of the processor and of logic processing and allocates their implementation functions rationally, and uses a learning/processing module to compensate for the limited processing capacity of the processor module; it adopts an advanced data structure (the NAT processing table) and a rational NAT processing flow to maximise generality and processing performance. It also has the advantages of flexible NAT processing, fast processing, low cost and low power consumption, and has good economic and social benefits.
The invention can be widely applied to NAT processing systems of all kinds.
Brief description of the drawings
The specific embodiments of the present invention are further described below with reference to the accompanying drawings:
Figure 1 is a flowchart of one embodiment of the SOPC-based NAT implementation method of the present invention;
Figure 2 is a diagram of the structure and logical relationships of one embodiment of the private-network NAT processing table of the present invention;
Figure 3 is a diagram of the structure and logical relationships of one embodiment of the public-network NAT processing table of the present invention;
Figure 4 is a system block diagram of one embodiment of the SOPC-based NAT implementation device of the present invention.
Detailed description
It should be noted that, where there is no conflict, the embodiments in this application and the features of those embodiments may be combined with one another.
In this embodiment, an SOPC-based NAT implementation device uses an FPGA as its carrier; the block diagram of the design is shown in Figure 4. The design consists of two parts: one is the external memory, used mainly to store and query the network address translation table and to serve as the processor's external memory; the other mainly realises the NAT function and comprises the processor module, learning/processing module, Ethernet interface module, extraction module, data buffer module, NAT processing module and NAT reverse processing module, all of which are implemented in the FPGA.
This design supports NAT processing for the TCP, UDP and ICMP protocols. Because storing, managing and looking up the NAT translation table in logic is cumbersome and resource-intensive, and is almost infeasible when the NAT configuration is complex and the table is large, this part of the function is implemented inside the FPGA as an embedded CPU core. The design includes:
1. Processor module
The processor module is connected to the learning/processing module and to the external memory, and has three main functions: first, in static NAT mode, receiving data from the configuration download channel and building the NAT processing table from the configuration data; second, in dynamic NAT mode, dynamically allocating a public IP and port number according to the private-network packet information output by the learning/processing module and using that information to build the NAT processing table; third, performing table lookup processing on the packet information output by the learning/processing module and returning the processing result to the learning/processing module.
In this example the processor module consists of the MicroBlaze soft-core CPU provided by Xilinx together with the corresponding peripherals. Two MicroBlaze cores are used: one mainly for updating and maintaining the NAT processing table and for system management, the other mainly for NAT processing.
2. Learning/processing module
The learning/processing module is connected to the extraction module and the processor module, and has two main functions. First, it receives the output of the extraction module and checks whether the learned content contains a matching entry; if there is a match, the stored corresponding result is output to the NAT processing module; if there is no match, the received data is submitted directly to the processor module and recorded, so that a one-to-one correspondence with the processing result can be established during learning. Second, it learns the packet processing result output by the processor, that is, it establishes a one-to-one correspondence between the packet-information input and the packet processing result, so that subsequent packets with the same input conditions can be processed directly, reducing the load on the processor and raising packet processing capacity, and then outputs the result to the NAT processing module.
In this embodiment the learning/processing module mainly comprises a CAM module, a storage module, a management module and a counter group.
The CAM module can be implemented in two ways, based on lookup tables or based on block RAM, and the choice must be weighed against logic resource usage. Its function is fast matching of data, used to determine whether the learned content contains a matching entry. The number of CAM entries is a parameter that can be set according to the needs of the application environment; in this example it is 32. Increasing the number of entries greatly improves learning/processing capacity, but the logic resources consumed grow exponentially.
The storage module can likewise be implemented in two ways, based on lookup tables or based on block RAM, with the choice weighed against logic resource usage. Its function is to store the learned processing results; it has the same number of storage units as the CAM module has entries, with a one-to-one address correspondence. In this example the number of storage units is 32.
The management module mainly implements write and query control of the CAM module, read/write control of the storage module, and count start and clear control of the counter group; in addition it implements the learning control function and the processing control function.
The learning control function is as follows. First a flag group is set up according to the number of entries, each flag unit uniquely indicating one entry; initially all flag units are set invalid. When a valid result output by the processor is detected, an invalid unit is first sought in the flag group; if there is none, the flag unit corresponding to the counter with the largest count value in the counter group is chosen. That flag unit's valid bit is set, the reduced input of the result is stored in the corresponding CAM unit, the result is stored in the corresponding unit of the storage module, and the corresponding counter in the counter group is cleared and started. When a counter value in the counter group exceeds the threshold, the valid bit of the corresponding flag unit is reset, and the counter is stopped and its count cleared.
The processing control function is as follows. The output of the extraction module is reduced and a CAM query is performed; if a matching unit exists and the valid bit of its corresponding flag unit is set, the counter at the corresponding position in the counter group is cleared and the content of the storage module at the corresponding position is output to the NAT processing module as the processing result; otherwise the output of the extraction module is submitted to the processor module and the data is held temporarily.
The counter group implements the aging-time count of the CAM units; the number of counters equals the number of CAM entries and each counter corresponds one-to-one with a CAM entry. In this example the number of counters is 32.
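The learning and processing control functions just described, together with steps S3, S4 and S6 of the method, as an added C model that is not the patent's code: the CAM, the storage module, the flag group and the counter group are modelled as parallel arrays of 32 entries, as in the patent's example. The aging threshold, the unit of the tick, and the layout of the stored result are assumptions; the sample key and result values are constructed.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Added example, not the patent's code: a software model of the
 * learning/processing module (CAM, storage module, flag group, counter
 * group). CAM_ENTRIES follows the patent's example of 32; AGE_THRESHOLD,
 * the tick unit and the nat_result_t layout are assumptions. */
#define CAM_ENTRIES   32
#define AGE_THRESHOLD 1000u

/* Reduced key: the fields step S32 feeds to the CAM query. */
typedef struct {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint8_t  proto;
} cam_key_t;

/* Learned result handed to the NAT processing module (assumed layout). */
typedef struct {
    uint32_t new_ip;
    uint16_t new_port;
    bool     drop;                    /* processor reported a failed lookup */
} nat_result_t;

typedef struct {
    cam_key_t    cam[CAM_ENTRIES];    /* CAM module */
    nat_result_t store[CAM_ENTRIES];  /* storage module, same index as the CAM */
    bool         valid[CAM_ENTRIES];  /* flag group: valid bit per entry */
    uint32_t     age[CAM_ENTRIES];    /* counter group: runs while the entry is valid */
} learn_module_t;

void learn_init(learn_module_t *m) { memset(m, 0, sizeof *m); }

static bool key_eq(const cam_key_t *a, const cam_key_t *b)
{
    return a->src_ip == b->src_ip && a->dst_ip == b->dst_ip &&
           a->src_port == b->src_port && a->dst_port == b->dst_port &&
           a->proto == b->proto;
}

/* CAM query (S32): index of the matching valid unit, or -1 on a miss. */
int cam_lookup(const learn_module_t *m, const cam_key_t *k)
{
    for (int i = 0; i < CAM_ENTRIES; i++)
        if (m->valid[i] && key_eq(&m->cam[i], k))
            return i;
    return -1;
}

/* Processing control (S3/S4): on a hit, clear that unit's aging counter and
 * return the stored result; on a miss return false so the caller submits the
 * key to the processor (S33/S5) and holds it until the result comes back. */
bool learn_process(learn_module_t *m, const cam_key_t *k, nat_result_t *out)
{
    int i = cam_lookup(m, k);
    if (i < 0)
        return false;
    m->age[i] = 0;
    *out = m->store[i];
    return true;
}

/* Learning control (S6): take an invalid unit if one exists, otherwise evict
 * the unit with the largest count; set its valid bit, write the key into the
 * CAM and the result into storage, then clear and start its counter.
 * Returns the slot used. */
int learn_learn(learn_module_t *m, const cam_key_t *k, const nat_result_t *r)
{
    int slot = -1;
    for (int i = 0; i < CAM_ENTRIES && slot < 0; i++)
        if (!m->valid[i])
            slot = i;
    if (slot < 0) {
        slot = 0;
        for (int i = 1; i < CAM_ENTRIES; i++)
            if (m->age[i] > m->age[slot])
                slot = i;
    }
    m->cam[slot]   = *k;
    m->store[slot] = *r;
    m->valid[slot] = true;
    m->age[slot]   = 0;
    return slot;
}

/* Counter group: advance the counter of every valid unit by `ticks`; a unit
 * whose count exceeds the threshold has its valid bit reset and its counter
 * cleared. Returns how many units expired. */
int learn_tick(learn_module_t *m, uint32_t ticks)
{
    int expired = 0;
    for (int i = 0; i < CAM_ENTRIES; i++) {
        if (!m->valid[i])
            continue;
        m->age[i] += ticks;
        if (m->age[i] > AGE_THRESHOLD) {
            m->valid[i] = false;
            m->age[i] = 0;
            expired++;
        }
    }
    return expired;
}
```

The eviction rule matters for the failure mode the patent is guarding against: with only 32 entries, a burst of new flows evicts the oldest-idle mapping rather than blocking, so the processor sees the miss again and re-teaches the module, at the cost of one slow-path lookup per evicted flow.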
3. Ethernet interface
This includes a private-network Ethernet interface for connecting to the private network and an Ethernet interface for connecting to the public network; the Ethernet interface module implements the Ethernet PHY and MAC functions according to actual requirements.
4. Extraction module
The extraction module is connected to the Ethernet interface module and mainly performs the extraction of packet information. The extracted control-flow signals include the source MAC address, Ethernet protocol type, IP protocol type, Ethernet source IP, Ethernet destination IP, ICMP identifier (ICMP), ICMP sequence number (ICMP), source port number (TCP, UDP), destination port (TCP, UDP), the 16-bit identification of the IP packet, the 3-bit flags and 13-bit fragment offset of the IP packet, the IP header checksum, the ICMP/TCP/UDP checksum, and so on. Of these, the source IP, destination IP, source port number (TCP, UDP), destination port (TCP, UDP), 16-bit identification, 3-bit flags and 13-bit fragment offset, and protocol type are output to the learning/processing module; the rest are output directly to the NAT processing module or the NAT reverse processing module.
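An added example in C, not the patent's code, of the extraction module's parse of the fields listed above (step S1) together with the fragment test of step S31 on the 3-bit flags and 13-bit fragment offset, run over a constructed Ethernet/IPv4/UDP frame. The struct and function names are assumptions; the MAC and IP addresses in the frame are constructed. It also pulls the ICMP identifier and sequence number when the protocol is ICMP, so the ICMP case the device supports is covered too.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

/* Added example, not the patent's code: a software model of the extraction
 * module (S1) plus the fragment test of S31. Field names are assumptions. */
typedef struct {
    uint8_t  src_mac[6];
    uint16_t ethertype;
    uint8_t  ip_proto;
    uint32_t src_ip, dst_ip;
    uint16_t ip_id;              /* 16-bit identification */
    uint8_t  ip_flags;           /* 3-bit flags: bit0 = MF, bit1 = DF */
    uint16_t frag_off;           /* 13-bit fragment offset, in 8-byte units */
    uint16_t ip_csum;
    uint16_t src_port, dst_port; /* TCP/UDP only */
    uint16_t icmp_id, icmp_seq;  /* ICMP echo only */
    uint16_t l4_csum;
    bool     is_fragment;        /* S31 verdict */
} pkt_info_t;

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) { return (uint32_t)be16(p) << 16 | be16(p + 2); }

/* S31: a packet is a fragment if More-Fragments is set or the offset is non-zero.
 * A first fragment (MF set, offset 0) is still a fragment and goes to the processor. */
bool is_ip_fragment(uint8_t flags, uint16_t frag_off)
{
    return (flags & 0x1) != 0 || frag_off != 0;
}

/* Returns 0 on success, -1 if the frame is truncated or not IPv4. */
int extract(const uint8_t *f, size_t len, pkt_info_t *o)
{
    if (len < 14 + 20) return -1;
    memset(o, 0, sizeof *o);
    memcpy(o->src_mac, f + 6, 6);
    o->ethertype = be16(f + 12);
    if (o->ethertype != 0x0800) return -1;
    const uint8_t *ip = f + 14;
    size_t ihl = (ip[0] & 0x0F) * 4u;
    if ((ip[0] >> 4) != 4 || ihl < 20 || 14 + ihl > len) return -1;
    uint16_t fo = be16(ip + 6);
    o->ip_id    = be16(ip + 4);
    o->ip_flags = (uint8_t)(fo >> 13);
    o->frag_off = fo & 0x1FFF;
    o->ip_proto = ip[9];
    o->ip_csum  = be16(ip + 10);
    o->src_ip   = be32(ip + 12);
    o->dst_ip   = be32(ip + 16);
    o->is_fragment = is_ip_fragment(o->ip_flags, o->frag_off);
    if (o->frag_off != 0) return 0;       /* later fragments carry no L4 header */
    const uint8_t *l4 = ip + ihl;
    size_t l4len = len - 14 - ihl;
    switch (o->ip_proto) {
    case 6:  /* TCP */
        if (l4len < 20) return -1;
        o->src_port = be16(l4); o->dst_port = be16(l4 + 2); o->l4_csum = be16(l4 + 16);
        break;
    case 17: /* UDP */
        if (l4len < 8) return -1;
        o->src_port = be16(l4); o->dst_port = be16(l4 + 2); o->l4_csum = be16(l4 + 6);
        break;
    case 1:  /* ICMP: identifier and sequence number of echo request/reply */
        if (l4len < 8) return -1;
        o->l4_csum = be16(l4 + 2); o->icmp_id = be16(l4 + 4); o->icmp_seq = be16(l4 + 6);
        break;
    default:
        break;
    }
    return 0;
}

/* Constructed frame: 00:11:22:33:44:55, 10.0.0.2:50000 -> 8.8.8.8:53 over UDP.
 * The IP flags/offset word is a parameter so the frame can be re-issued as a
 * fragment; checksums are left at zero since they are only extracted here. */
size_t build_frame(uint8_t *buf, uint16_t flags_off)
{
    static const uint8_t tmpl[42] = {
        0xAA,0xBB,0xCC,0xDD,0xEE,0xFF, 0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x00,
        0x45,0x00,0x00,0x1C, 0x12,0x34, 0x00,0x00, 0x40,0x11, 0x00,0x00,
        10,0,0,2, 8,8,8,8,
        0xC3,0x50, 0x00,0x35, 0x00,0x08, 0x00,0x00 };
    memcpy(buf, tmpl, sizeof tmpl);
    buf[20] = (uint8_t)(flags_off >> 8);
    buf[21] = (uint8_t)flags_off;
    return sizeof tmpl;
}
```

The length checks before every field read are the part a hardware extractor gets for free from its framing logic but a software model must do explicitly; without them a short frame would read past the buffer.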
5.数据缓冲模块5. Data buffer module
数据缓冲模块基于BLOCKRAM实现,用于实现数据包的缓存,还可以消除由于NAT处理过程的时延抖动造成数据包的累积。The data buffer module is implemented based on BLOCKRAM, which is used to implement buffering of data packets, and can also eliminate the accumulation of data packets due to delay jitter of the NAT processing process.
6.NAT处理模块6.NAT processing module
NAT模块与提取模块、数据缓冲模块和学习/处理模块相连,主要有两个作用:一、接收提取模块的输出,并结合数据缓冲模块中的数据包内容,实现私网NAT IP的ARP功能及ICMP功能及ICMP的NAT功能(ICMP是(Internet Control Message Protocol)Internet控制报文协议。它是TCP/IP协议族的一个子协议,用于在IP主机、路由器之间传递控制消息。);二、接收学习/处理模块的输出,并结合提取模块的输出、数据缓冲模块中的数据包内容,实现私网到公网TCP、UDP数据包的源IP、源端口替换,实现私网到公网的NAT处理,并重新计算IP首部校验和、TCP校验和、UDP校验和。The NAT module is connected to the extraction module, the data buffer module, and the learning/processing module. It has two main functions: 1. Receive the output of the extraction module, and combine the contents of the data packet in the data buffer module to implement private network NAT. IP ARP function and ICMP function and ICMP NAT function (ICMP is (Internet Control Message) Protocol) Internet Control Message Protocol. It is a sub-protocol of the TCP/IP protocol suite for passing control messages between IP hosts and routers. Second, receive the output of the learning/processing module, and combine the output of the extraction module with the contents of the data packet in the data buffer module to realize the source IP and source port replacement of the private network to the public network TCP and UDP data packets, and realize the private network. NAT processing to the public network, and recalculate the IP header checksum, TCP checksum, and UDP checksum.
7.NAT逆处理模块7. NAT inverse processing module
NAT逆处理模块实现公网数据到私网的NAT处理,与NAT处理模块大部分功能相同,除了以下两点:一、没有ICMP的NAT功能;二、公网到私网TCP、UDP数据包替换的是目的IP、目的端口。The NAT inverse processing module implements NAT processing from the public network data to the private network, and has the same functions as the NAT processing module except for the following two points: 1. The NAT function without ICMP; 2. The public network to the private network TCP and UDP data packet replacement The destination IP and destination port.
In this embodiment, a Gigabit Ethernet packet from the private network enters the FPGA through the FPGA's SGMII interface and is received and buffered by the Ethernet interface module. The extraction module then extracts the necessary information from the packet, such as the source IP address, destination IP address, TCP/UDP port numbers and protocol type; the packet is stored in the data buffer module and the extracted packet information is submitted to the learning/processing module. The learning/processing module checks whether it can handle this information: if not, it submits the received information to the processor; if so, it processes it according to what it has learned and submits the result to the NAT processing module. After the processor receives the packet information, it processes it according to the preset rules and returns the result to the learning/processing module; the learning/processing module learns the result and submits it to the NAT processing module. On receiving the result, the NAT processing module reads the packet out of the data buffer module, performs NAT processing on it according to the result, and hands it to the Ethernet interface module, which buffers the packet and sends it to the public or private network. Conversely, packets arriving from the public network undergo NAT inverse processing through the corresponding flow.
A SOPC-based NAT implementation method can be divided into control-flow steps and data-flow steps.
I. Control-flow steps
These include the following steps:
P1: the processor module receives configuration data from the configuration delivery channel.
When the configuration delivery channel receives configuration data sent from outside, it generates an interrupt signal. On receiving the interrupt, the processor module reads the configuration data, compares it with the locally stored configuration data, and changes only the updated content. Initially, the local configuration data is the default configuration.
P2: the processor module updates and maintains the NAT processing table (the NAT processing table is stored in external memory).
The NAT processing table needs to be updated and maintained in the following three cases: first, the configuration delivery channel receives delivered data that changes content related to the NAT processing table; second, a new IP or port is allocated; third, the periodic refresh flag bit is set. The NAT processing table is divided into a private-network NAT processing table and a public-network NAT processing table. The structure and logical relationships of the private-network NAT processing table are shown in Figure 2, and those of the public-network NAT processing table in Figure 3.
As shown in Figure 2, both the private-network and the public-network NAT processing table contain a port lookup table and an IP lookup table. The port lookup table has a fixed 65536 entries, i.e. the full port range. The size of the IP lookup table is also fixed; the number of entries depends on the complexity of the application requirements and is usually 8, 16 or 32. For simple NAT processing of a single public IP (for example five-tuple NAT), the IP lookup table can be omitted. IP lookup table entries are dynamically allocated and reclaimed during the update and maintenance of the NAT processing table. The private-network IP lookup table is kept sorted by source IP and the public-network IP lookup table by remote IP, to speed up lookups.
A private-network port lookup table entry contains 10 fields: valid flag, pointer flag, replacement port/IP pointer, protocol, source IP, external IP, external gateway valid flag, external gateway, aging counter enable, and aging counter. The valid flag bit indicates whether the entry is valid; the pointer flag bit indicates whether the replacement port/IP pointer field holds a pointer into the IP lookup table or a public-network source port; the replacement port/IP pointer field stores that pointer or public-network source port; the protocol field indicates the protocol type the entry applies to, where 0 means all protocols, 1 means TCP, 2 means UDP, and so on, extensible according to the implementation; the source IP field gives the IP address of the private-network host the entry corresponds to; the external IP field gives the public-network IP address of the private-network host after NAT; the external gateway valid flag indicates whether the external gateway field is valid; the external gateway field is used, where a network has several public-network gateways, to specify a particular gateway; the aging counter enable bit indicates whether the aging counter is active; the aging counter field sets the lifetime of the entry, and once the lifetime exceeds the threshold the entry is marked invalid.
A private-network IP lookup table entry contains 9 fields: valid flag, replacement port, protocol, source IP, external IP, external gateway valid flag, external gateway, aging counter enable, and aging counter. Apart from the replacement port field, these are defined in the same way as the fields of the private-network port lookup table; the replacement port stores the public-network source port. A private-network IP lookup table needs to be allocated only when private-network source ports overlap.
As shown in Figure 3, a public-network port lookup table entry contains 8 fields: valid flag, pointer flag, replacement port/IP pointer, protocol, internal IP, external IP, aging counter enable, and aging counter. Apart from the replacement port/IP pointer and internal IP fields, these are defined in the same way as the fields of the private-network port lookup table. The replacement port/IP pointer field stores a pointer into the IP lookup table or the private-network destination port for the packet; the internal IP field stores the IP address of the private-network destination host for the packet.
A public-network IP lookup table entry contains 11 fields: valid flag, replacement port, protocol, remote IP valid flag, remote IP, remote port, internal IP, internal IP valid flag, external IP, aging counter enable, and aging counter. Apart from the replacement port, remote IP valid flag, remote IP, remote port, internal IP and internal IP valid flag fields, these are defined in the same way as the fields of the private-network port lookup table. The replacement port field stores the private-network destination port for the packet; the remote IP valid flag bit indicates whether the remote IP and remote port fields are valid; the remote IP field stores the source IP address of the public-network remote host for the packet; the remote port field stores the source port of that remote host; the internal IP field stores the IP address of the private-network destination host for the packet; the internal IP valid flag bit indicates whether the internal IP field is valid, and if it is invalid the internal IP from the public-network port lookup table is used.
II. Data-flow steps
These include the following steps:
S1: extract information from the packet.
The extracted control-flow signals include the source MAC address, Ethernet protocol type, IP protocol type, Ethernet source IP, Ethernet destination IP, ICMP identifier (ICMP), ICMP sequence number (ICMP), source port number (TCP, UDP), destination port (TCP, UDP), the 16-bit identification of the IP packet, the 3-bit flags and 13-bit fragment offset of the IP packet, the IP header checksum, the ICMP/TCP/UDP checksum, and so on.
S2: store the packet in the buffer and, at the same time, submit the extracted information to the learning/processing module.
The packet information submitted to the learning/processing module includes the source IP, destination IP, source port number (TCP, UDP), destination port (TCP, UDP), the 16-bit identification of the IP packet, the 3-bit flags and 13-bit fragment offset of the IP packet, and the protocol type.
S3: the learning/processing module determines whether it can handle this information; if so, proceed to step S4, otherwise submit the received information to the processor and proceed to step S5.
The specific decision process of the learning/processing module is as follows:
Preferably, step S3 specifically includes the sub-steps: S31, first determine from the packet's 3-bit flags and 13-bit fragment offset whether the packet is an IP fragment; if it is a fragment, the information cannot be handled, otherwise proceed to step S32; S32, perform a CAM lookup with the source IP, source port, destination IP, destination port and protocol type from the information; if a valid entry exists, the learning/processing module can handle the information and proceeds to step S4, otherwise it cannot handle the information and proceeds to step S33; S33, submit the received information to the processor and proceed to step S5.
S4: the learning/processing module performs processing according to previously learned content, then submits the processing result to the NAT processing module.
Step S4 is specifically: obtain the address of the matching entry from the CAM output, read the content of that address from the storage module and return it to the NAT processing module as the processing result, and at the same time clear the corresponding aging counter.
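The learning/processing module behaviour described above (the fragment test of S31, the five-tuple CAM lookup of S32, the counter clear on a hit in S4, and the per-entry aging counters) is modelled below in Python as an added example; it is not code from the patent. The 32-entry size is the document's; the aging threshold, the replacement policy when the CAM is full, and the `NatAction` payload are assumptions, and the key-reduction step before the CAM compare is omitted (the full five-tuple is compared).

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

IP_FLAG_MF = 0x1  # "more fragments" bit of the 3-bit IPv4 flags field

# Five-tuple used as the CAM lookup key in S32: src_ip, src_port, dst_ip, dst_port, proto
Key = Tuple[int, int, int, int, int]


def is_ip_fragment(flags: int, frag_offset: int) -> bool:
    """S31: MF set or a non-zero 13-bit fragment offset marks an IP fragment."""
    return bool(flags & IP_FLAG_MF) or (frag_offset & 0x1FFF) != 0


@dataclass
class NatAction:
    """Constructed payload of a storage-module entry: what the NAT module rewrites."""
    new_ip: int
    new_port: int


class LearningModule:
    """Software model of CAM + flag group + storage module + counter group."""

    def __init__(self, entries: int = 32, age_limit: int = 3) -> None:
        self.entries = entries
        self.age_limit = age_limit                          # assumed threshold
        self.valid = [False] * entries                      # flag-group valid bits
        self.keys: List[Optional[Key]] = [None] * entries   # CAM contents
        self.store: List[Optional[NatAction]] = [None] * entries
        self.counters = [0] * entries                       # one aging counter per CAM entry
        self.pending: List[Key] = []                        # keys handed to the processor (S33)

    def _match(self, key: Key) -> int:
        # The CAM compares all entries in parallel; a scan models that here.
        for i in range(self.entries):
            if self.valid[i] and self.keys[i] == key:
                return i
        return -1

    def lookup(self, key: Key, flags: int, frag_offset: int) -> Optional[NatAction]:
        """S31/S32/S4: stored action on a hit, None when the processor must handle it."""
        if is_ip_fragment(flags, frag_offset):              # S31: fragments bypass the CAM
            self.pending.append(key)
            return None
        i = self._match(key)                                # S32
        if i < 0:                                           # S33
            self.pending.append(key)
            return None
        self.counters[i] = 0                                # S4: a hit clears the aging counter
        return self.store[i]

    def learn(self, key: Key, action: NatAction) -> int:
        """S6: install the processor's result. Takes a free entry, otherwise the entry
        with the highest aging count (assumed policy; the patent does not specify one)."""
        free = [i for i in range(self.entries) if not self.valid[i]]
        i = free[0] if free else max(range(self.entries), key=lambda j: self.counters[j])
        self.keys[i], self.store[i] = key, action
        self.valid[i], self.counters[i] = True, 0
        return i

    def tick(self) -> int:
        """One aging period: count valid entries up and invalidate those past the limit."""
        expired = 0
        for i in range(self.entries):
            if not self.valid[i]:
                continue
            self.counters[i] += 1
            if self.counters[i] >= self.age_limit:
                self.valid[i] = False
                expired += 1
        return expired
```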
S5: the processor processes the received information and returns the processing result to the learning/processing module.
After the processor module receives the information output by the learning/processing module, it first performs IP fragment processing (step S50, performing IP fragment processing on the received information), as follows:
S501: determine whether the packet is an IP fragment; if so, go to step S502.
S502: determine whether it is the first fragment of the fragmented packet; if so, go to step S503, otherwise go to step S504.
S503: process the first fragment in the same way as a non-fragmented packet, and process the other fragments of that packet held in the cache in the same way; go to step S505.
S504: cache the fragment information; go to step S505.
S505: return to step S501 to begin the next round of processing.
The processor module then processes the received information according to whether it is private-network or public-network data.
Private-network data is processed as follows:
S511: use the source port number as the index into the private-network port lookup table, fetch the corresponding entry from memory, and check whether the entry's valid flag bit is set; if it is, proceed to step S512, otherwise go to step S519.
S512: check whether the pointer flag bit is set; if so, go to step S517, otherwise go to step S513.
S513: check whether the protocol field and source IP field match; if they match, go to step S514, otherwise go to step S519.
S514: replace the source port with the content of the replacement port field, and check whether the external gateway valid flag bit is set; if so, go to step S516, otherwise go to step S515.
S515: the packet can be delivered directly or via the default gateway; go to step S518.
S516: the packet must be forwarded through that external gateway; go to step S518.
S517: locate the IP lookup table through the IP pointer and traverse the entries whose valid flag bit is set; if an entry matching the protocol field and source IP field exists, go to step S514, otherwise go to step S519.
S518: table lookup succeeded; go to step S5111.
S519: if the dynamic mode bit is set, randomly allocate an unused public-network IP and port, add the corresponding information to the NAT configuration table, and go to step S5111.
S5110: table lookup failed, the packet is discarded; go to step S5111.
S5111: return the processing result to the learning/processing module; go to step S511 to begin the next lookup.
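The private-network walk S511 to S5111, including the pointer-flag detour through the IP lookup table (S517) and dynamic allocation (S519), as an added Python model rather than the patent's own implementation. The entry fields follow the table definitions above (aging fields left out); the public port pool, the single public IP, first-free instead of random allocation, the promotion of a direct entry into an IP lookup table when a second host reuses the same source port, and the unsorted IP table are all assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class PrivPortEntry:
    """Private-network port lookup table entry (aging fields omitted)."""
    valid: bool = False
    pointer_flag: bool = False   # True: port_or_ptr indexes an IP lookup table
    port_or_ptr: int = 0         # public source port, or IP lookup table index
    proto: int = 0               # 0 = any, 1 = TCP, 2 = UDP
    src_ip: str = ""             # private host this entry belongs to
    ext_ip: str = ""             # public IP after NAT
    gw_valid: bool = False
    gw: str = ""                 # specific external gateway (S516)


@dataclass
class PrivIpEntry:
    """Private-network IP lookup table entry, used when source ports overlap."""
    valid: bool = False
    repl_port: int = 0
    proto: int = 0
    src_ip: str = ""
    ext_ip: str = ""
    gw_valid: bool = False
    gw: str = ""


@dataclass
class PrivResult:
    new_ip: str
    new_port: int
    gateway: Optional[str]       # None: deliver directly / default gateway (S515)


def proto_matches(entry_proto: int, pkt_proto: int) -> bool:
    return entry_proto == 0 or entry_proto == pkt_proto


class PrivateNatTable:
    PUBLIC_PORT_POOL = range(60000, 60010)   # constructed pool for S519

    def __init__(self, public_ip: str, dynamic_mode: bool = True) -> None:
        self.port_table = [PrivPortEntry() for _ in range(65536)]   # full port range
        self.ip_tables: List[List[PrivIpEntry]] = []
        self.public_ip = public_ip                                   # assumed single public IP
        self.dynamic_mode = dynamic_mode

    def _used_ports(self) -> Set[int]:
        used = {x.port_or_ptr for x in self.port_table if x.valid and not x.pointer_flag}
        used.update(x.repl_port for t in self.ip_tables for x in t if x.valid)
        return used

    @staticmethod
    def _s514(repl_port: int, ext_ip: str, gw_valid: bool, gw: str) -> PrivResult:
        # S514 -> S515/S516 -> S518: port replaced, gateway chosen by the valid flag
        return PrivResult(ext_ip, repl_port, gw if gw_valid else None)

    def _s519(self, src_ip: str, src_port: int, proto: int) -> Optional[PrivResult]:
        """S519: allocate in dynamic mode and record it; otherwise S5110 (drop -> None)."""
        if not self.dynamic_mode:
            return None
        free = [p for p in self.PUBLIC_PORT_POOL if p not in self._used_ports()]
        if not free:
            return None
        e = self.port_table[src_port]
        if not e.valid:                          # first user of this source port: direct entry
            e.valid, e.pointer_flag, e.port_or_ptr = True, False, free[0]
            e.proto, e.src_ip, e.ext_ip = proto, src_ip, self.public_ip
        else:                                    # source port already in use by another flow
            if not e.pointer_flag:               # promote the direct entry into an IP lookup table
                self.ip_tables.append([PrivIpEntry(True, e.port_or_ptr, e.proto, e.src_ip,
                                                   e.ext_ip, e.gw_valid, e.gw)])
                e.pointer_flag, e.port_or_ptr = True, len(self.ip_tables) - 1
            self.ip_tables[e.port_or_ptr].append(PrivIpEntry(True, free[0], proto, src_ip, self.public_ip))
        return PrivResult(self.public_ip, free[0], None)

    def lookup(self, src_ip: str, src_port: int, proto: int) -> Optional[PrivResult]:
        """S511 to S5111 for one private-to-public packet."""
        e = self.port_table[src_port]                                   # S511
        if not e.valid:
            return self._s519(src_ip, src_port, proto)
        if e.pointer_flag:                                              # S512 -> S517
            for ie in self.ip_tables[e.port_or_ptr]:
                if ie.valid and proto_matches(ie.proto, proto) and ie.src_ip == src_ip:
                    return self._s514(ie.repl_port, ie.ext_ip, ie.gw_valid, ie.gw)
            return self._s519(src_ip, src_port, proto)
        if proto_matches(e.proto, proto) and e.src_ip == src_ip:        # S513
            return self._s514(e.port_or_ptr, e.ext_ip, e.gw_valid, e.gw)
        return self._s519(src_ip, src_port, proto)
```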
Public-network data is processed as follows:
S521: use the destination port number as the index into the public-network port lookup table, fetch the corresponding entry from memory, and check whether the entry's valid flag bit is set; if not, go to step S5210, otherwise proceed to step S522.
S522: check whether the pointer flag bit is set; if not, go to step S523, otherwise go to step S525.
S523: check whether the protocol field and external IP field match; if they match, go to step S524, otherwise go to step S5210.
S524: replace the destination port and destination IP with the contents of the replacement port and internal IP fields; go to step S529.
S525: locate the IP lookup table through the IP pointer and traverse the entries whose valid flag bit is set; if there is an entry whose protocol field and external IP field match and, when its remote IP valid flag is set, whose remote IP and remote port also match, go to step S526, otherwise go to step S5210.
S526: check whether the internal IP valid flag is set; if so, go to step S527, otherwise go to step S528.
S527: replace the destination port and destination IP with the replacement port and internal IP from the IP lookup table; go to step S529.
S528: replace the destination port and destination IP with the replacement port from the IP lookup table and the internal IP from the port lookup table; go to step S529.
S529: table lookup succeeded; go to step S5211.
S5210: table lookup failed; go to step S5211.
S5211: return the processing result to the learning/processing module; go to step S521 to begin the next lookup.
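The public-network walk S521 to S5211, in particular the remote-endpoint match of S525 and the internal-IP fallback of S526 to S528, as an added Python model (not the patent's code). Field layouts follow the public-network table definitions above with the aging fields omitted; the sample tables are constructed, and the unsorted IP table is a simplification.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PubPortEntry:
    """Public-network port lookup table entry (aging fields omitted)."""
    valid: bool = False
    pointer_flag: bool = False   # True: port_or_ptr indexes an IP lookup table
    port_or_ptr: int = 0         # private destination port, or IP lookup table index
    proto: int = 0               # 0 = any, 1 = TCP, 2 = UDP
    int_ip: str = ""             # private destination host
    ext_ip: str = ""             # public IP the packet was addressed to


@dataclass
class PubIpEntry:
    """Public-network IP lookup table entry."""
    valid: bool = False
    repl_port: int = 0
    proto: int = 0
    remote_valid: bool = False   # set: remote_ip/remote_port must match as well
    remote_ip: str = ""
    remote_port: int = 0
    int_ip: str = ""
    int_ip_valid: bool = False   # clear: use the port table's int_ip instead (S528)
    ext_ip: str = ""


def proto_matches(entry_proto: int, pkt_proto: int) -> bool:
    return entry_proto == 0 or entry_proto == pkt_proto


def public_lookup(port_table: List[PubPortEntry], ip_tables: List[List[PubIpEntry]],
                  proto: int, remote_ip: str, remote_port: int,
                  ext_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """S521 to S5211: (private destination IP, private destination port), or None on failure."""
    e = port_table[dst_port]                                        # S521
    if not e.valid:
        return None                                                 # S5210
    if not e.pointer_flag:                                          # S522 -> S523
        if proto_matches(e.proto, proto) and e.ext_ip == ext_ip:
            return (e.int_ip, e.port_or_ptr)                        # S524 -> S529
        return None                                                 # S5210
    for ie in ip_tables[e.port_or_ptr]:                             # S525
        if not (ie.valid and proto_matches(ie.proto, proto) and ie.ext_ip == ext_ip):
            continue
        if ie.remote_valid and (ie.remote_ip, ie.remote_port) != (remote_ip, remote_port):
            continue
        int_ip = ie.int_ip if ie.int_ip_valid else e.int_ip         # S526 -> S527 / S528
        return (int_ip, ie.repl_port)                               # S529
    return None                                                     # S5210


def build_sample_tables() -> Tuple[List[PubPortEntry], List[List[PubIpEntry]]]:
    """Constructed tables: public port 61000 is a direct entry; public port 61001 is
    shared by two private hosts and told apart by the remote endpoint."""
    port_table = [PubPortEntry() for _ in range(65536)]
    port_table[61000] = PubPortEntry(True, False, 40000, 2, "192.168.1.10", "198.51.100.1")
    port_table[61001] = PubPortEntry(True, True, 0, 1, "192.168.1.20", "198.51.100.1")
    ip_tables = [[
        PubIpEntry(True, 5000, 1, True, "203.0.113.5", 443, "192.168.1.30", True, "198.51.100.1"),
        PubIpEntry(True, 5000, 1, False, "", 0, "", False, "198.51.100.1"),
    ]]
    return port_table, ip_tables
```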
S6: the learning/processing module learns the processor's result and submits the processing result to the NAT processing module.
S7: the NAT processing module and the NAT inverse processing module process the packet in the buffer according to the received processing result.
Step S7 specifically includes the sub-steps: S71, based on the result output by the learning/processing module together with the output of the extraction module and the packet content in the data buffer module, replace the source IP and source port of private-to-public TCP and UDP packets, completing NAT processing; S72, based on the result output by the learning/processing module together with the output of the extraction module and the packet content in the data buffer module, replace the destination IP and destination port of public-to-private TCP and UDP packets, completing NAT inverse processing; S73, recalculate the IP header checksum, TCP checksum and UDP checksum.
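The rewrite of S71/S72 and the checksum recalculation of S73 on a real IPv4/UDP byte stream, as an added Python example that is not part of the patent; it also covers TCP, whose checksum sits at a different offset, and the UDP "no checksum" case. The packets are constructed here, not captured traffic.

```python
import struct


def ip4(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry (RFC 1071 style)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF


L4_CKSUM_OFF = {6: 16, 17: 6}   # checksum offset inside a TCP / UDP header


def l4_checksum(src: bytes, dst: bytes, proto: int, seg: bytes) -> int:
    """TCP/UDP checksum over pseudo-header + segment (segment's checksum field already zero)."""
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(seg))
    c = checksum(pseudo + seg)
    return 0xFFFF if (proto == 17 and c == 0) else c   # UDP: 0 on the wire means "no checksum"


def nat_rewrite(pkt: bytes, new_ip: bytes, new_port: int, outbound: bool) -> bytes:
    """S71 (outbound: source IP/port) or S72 (inbound: destination IP/port),
    then S73: recompute the IP header checksum and the TCP/UDP checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    if proto not in L4_CKSUM_OFF:
        raise ValueError("only TCP/UDP are rewritten in this example")
    hdr, seg = bytearray(pkt[:ihl]), bytearray(pkt[ihl:])
    if outbound:
        hdr[12:16] = new_ip                       # source IP
        seg[0:2] = struct.pack("!H", new_port)    # source port
    else:
        hdr[16:20] = new_ip                       # destination IP
        seg[2:4] = struct.pack("!H", new_port)    # destination port
    hdr[10:12] = b"\x00\x00"                      # IP checksum is computed over a zeroed field
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    off = L4_CKSUM_OFF[proto]
    if not (proto == 17 and seg[off:off + 2] == b"\x00\x00"):   # leave UDP "no checksum" alone
        seg[off:off + 2] = b"\x00\x00"
        seg[off:off + 2] = struct.pack("!H", l4_checksum(bytes(hdr[12:16]), bytes(hdr[16:20]),
                                                          proto, bytes(seg)))
    return bytes(hdr + seg)


def checksums_ok(pkt: bytes) -> bool:
    """Receiver-side check: summing data plus its checksum must give 0xFFFF for both layers."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    if ones_complement_sum(pkt[:ihl]) != 0xFFFF:
        return False
    seg = pkt[ihl:]
    off = L4_CKSUM_OFF[proto]
    if proto == 17 and seg[off:off + 2] == b"\x00\x00":
        return True
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, proto, len(seg))
    return ones_complement_sum(pseudo + seg) == 0xFFFF


def build_udp_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed IPv4/UDP packet with valid checksums (sample input for the example)."""
    udp = bytearray(struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)) + payload
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, 17, 0,
                                ip4(src), ip4(dst)))
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    udp[6:8] = struct.pack("!H", l4_checksum(ip4(src), ip4(dst), 17, bytes(udp)))
    return bytes(hdr + udp)
```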
In summary, the advantages of the present invention include:
1. With the SOPC-based implementation, the main functions are realised by a single FPGA, which effectively reduces the number of chips used. Moreover, because much of the work unsuited to logic processing is carried out by the processor, the logic scale can be greatly reduced, shrinking product size, lowering power consumption and saving cost.
2. The processor-plus-logic implementation brings out the respective strengths of pure-software and pure-logic implementations to the greatest extent and is highly cost-effective.
3. The on-chip processor (soft core or hard core) provided by the FPGA vendor is highly customisable: on one hand, compared with a conventional processor, all unused functions can be trimmed away to reduce power consumption; on the other, it can be optimised for the needs of the NAT application to improve processing speed and efficiency.
4. The processor and the logic modules reside on one FPGA chip, which greatly improves the efficiency of data exchange between them and raises NAT processing speed.
5. Adding a learning module between the processor and the logic modules greatly reduces the processor's processing load, raises overall processing speed, and compensates for the limited processor clock frequency in high-speed application environments.
The present invention implements NAT processing on an SOPC, making full use of the respective strengths of the processor and logic processing, allocating the implemented functions sensibly between them, and using a learning/processing module to compensate for the limited processing capacity of the processor module. With an advanced data structure (the NAT processing table) and a well-designed NAT processing flow, it maximises generality and processing performance, and further offers flexible NAT processing, high processing speed, low cost and low power consumption, yielding good economic and social benefits.
The present invention can be widely applied to all kinds of NAT processing systems.
The foregoing is a detailed description of preferred embodiments of the present invention, but the invention is not limited to those embodiments; those skilled in the art may make various equivalent modifications or substitutions without departing from the spirit of the invention, and such equivalent modifications or substitutions fall within the scope defined by the claims of this application.

Claims (10)

  1. A method for implementing NAT based on SOPC, characterised in that it comprises the steps:
    S1: extracting information from the packet;
    S2: storing the packet in a buffer and, at the same time, submitting the extracted information to a learning/processing module;
    S3: the learning/processing module determining whether it can handle this information; if so, proceeding to step S4, otherwise submitting the received information to a processor and proceeding to step S5;
    S4: the learning/processing module performing processing according to previously learned content, then submitting the processing result to a NAT processing module;
    S5: the processor processing the received information and returning the processing result to the learning/processing module;
    S6: the learning/processing module learning the processor's result and submitting the processing result to the NAT processing module;
    S7: the NAT processing module and a NAT inverse processing module processing the packet in the buffer according to the received processing result.
  2. The method for implementing SOPC-based NAT according to claim 1, characterised in that the information in step S1 includes the source MAC address, Ethernet protocol type, IP protocol type, Ethernet source IP, Ethernet destination IP, ICMP identifier, ICMP sequence number, source port number, destination port, the 16-bit identification of the IP packet, the 3-bit flags and 13-bit fragment offset of the IP packet, the IP header checksum, and the ICMP/TCP/UDP checksum.
  3. The method for implementing SOPC-based NAT according to claim 1, characterised in that the information submitted to the learning/processing module in step S2 includes the source IP, destination IP, source port number (TCP, UDP), destination port (TCP, UDP), the 16-bit identification of the IP packet, the 3-bit flags and 13-bit fragment offset of the IP packet, and the protocol type.
  4. The method for implementing SOPC-based NAT according to claim 2 or 3, characterised in that step S3 specifically includes the sub-steps:
    S31: first determining from the packet's 3-bit flags and 13-bit fragment offset whether the packet is an IP fragment; if it is a fragment, the information cannot be handled, otherwise proceeding to step S32;
    S32: performing a CAM lookup with the source IP, source port, destination IP, destination port and protocol type from the information; if a valid entry exists, the learning/processing module can handle the information and proceeds to step S4, otherwise it cannot handle the information and proceeds to step S33;
    S33: submitting the received information to the processor and proceeding to step S5.
  5. The method for implementing SOPC-based NAT according to claim 1, characterised in that step S4 is specifically: obtaining the address of the matching entry from the CAM output, reading the content of that address from the storage module and returning it to the NAT processing module as the processing result, and at the same time clearing the corresponding aging counter.
  6. The method for implementing SOPC-based NAT according to claim 1, characterised in that the information in step S5 is private-network data or public-network data, and step S5 specifically includes the sub-steps:
    S51: processing the private-network data and returning the processing result to the learning/processing module;
    or
    S52: processing the public-network data and returning the processing result to the learning/processing module.
  7. The method for implementing SOPC-based NAT according to claim 6, characterised in that step S51 specifically includes the sub-steps:
    S511: using the source port number as the index into the private-network port lookup table, fetching the corresponding entry from memory, and checking whether the entry's valid flag bit is set; if it is, proceeding to step S512, otherwise going to step S519;
    S512: checking whether the pointer flag bit is set; if so, going to step S517, otherwise going to step S513;
    S513: checking whether the protocol field and source IP field match; if they match, going to step S514, otherwise going to step S519;
    S514: replacing the source port with the content of the replacement port field, and checking whether the external gateway valid flag bit is set; if so, going to step S516, otherwise going to step S515;
    S515: the packet can be delivered directly or via the default gateway; going to step S518;
    S516: the packet must be forwarded through that external gateway; going to step S518;
    S517: locating the IP lookup table through the IP pointer and traversing the entries whose valid flag bit is set; if an entry matching the protocol field and source IP field exists, going to step S514, otherwise going to step S519;
    S518: table lookup succeeded; going to step S5111;
    S519: if the dynamic mode bit is set, randomly allocating an unused public-network IP and port, adding the corresponding information to the NAT configuration table, and going to step S5111;
    S5110: table lookup failed, the packet is discarded; going to step S5111;
    S5111: returning the processing result to the learning/processing module; going to step S511 to begin the next lookup;
    and step S52 specifically includes the sub-steps:
    S521: using the destination port number as the index into the public-network port lookup table, fetching the corresponding entry from memory, and checking whether the entry's valid flag bit is set; if not, going to step S5210, otherwise proceeding to step S522;
    S522: checking whether the pointer flag bit is set; if not, going to step S523, otherwise going to step S525;
    S523: checking whether the protocol field and external IP field match; if they match, going to step S524, otherwise going to step S5210;
    S524: replacing the destination port and destination IP with the contents of the replacement port and internal IP fields; going to step S529;
    S525: locating the IP lookup table through the IP pointer and traversing the entries whose valid flag bit is set; if there is an entry whose protocol field and external IP field match and, when its remote IP valid flag is set, whose remote IP and remote port also match, going to step S526, otherwise going to step S5210;
    S526,判断内网IP有效标识是否有效,如果有效则转至步骤S527,否则转至步骤S528;S526, determining whether the intranet IP valid identification is valid, if it is valid, then going to step S527, otherwise going to step S528;
    S527,用IP查找表中的替换端口、内网IP对目的端口、目的IP进行替换,转至步骤S529;S527, using the replacement port in the IP lookup table, the intranet IP to replace the destination port, the destination IP, and then go to step S529;
    S528,用IP查找表中的替换端口、端口查找表中的内网IP对目的端口、目的IP进行替换,转至步骤S529;S528, using the replacement port in the IP lookup table, the intranet IP in the port lookup table to replace the destination port and the destination IP, and proceed to step S529;
    S529,查表成功,转至步骤S5211;S529, the table is successful, and the process goes to step S5211;
    S5210,查表失败,转至步骤S5211;S5210, the table check fails, go to step S5211;
    S5211,将处理结果返回给学习/处理模块,转至步骤S521,开始下一次查表。S5211, returning the processing result to the learning/processing module, and proceeding to step S521 to start the next table lookup.
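    The private-to-public lookup of claim 7 (S511 to S5111), written out as a software model. This is an added example, not code from the patent: the field names, the single-public-IP simplification, and the way a newly learned S519 binding is stored (in an IP table hung off the source port, so two private hosts sharing one source port can coexist) are assumptions of the example.

```python
import random
from dataclasses import dataclass


@dataclass
class Entry:
    """A row of either lookup table. Port-table rows may set pointer_valid and
    ip_ptr to delegate to an IP lookup table (S517); IP-table rows never do."""
    valid: bool = False
    pointer_valid: bool = False
    ip_ptr: int = 0
    proto: int = 0
    src_ip: str = ""
    repl_port: int = 0
    gw_valid: bool = False     # set: forward via `gateway` (S516), else S515
    gateway: str = ""


def _hit(e: Entry):
    """S514-S518: port replaced; a gateway is returned only when its valid flag is set."""
    return ("ok", e.repl_port, e.gateway if e.gw_valid else None)


class PrivateLookup:
    def __init__(self, dynamic_mode: bool, public_ports):
        self.port_table = {}                 # source port -> Entry (S511 index)
        self.ip_tables = {}                  # ip_ptr -> [Entry, ...]
        self.dynamic_mode = dynamic_mode     # the dynamic-mode bit tested in S519
        self.free_ports = set(public_ports)  # unused public ports S519 may allocate

    def lookup(self, proto: int, src_ip: str, src_port: int):
        """Return ("ok", replacement_port, gateway_or_None) or ("drop", None, None)."""
        e = self.port_table.get(src_port)                         # S511
        if e is not None and e.valid:
            if not e.pointer_valid:                               # S512 -> S513
                if e.proto == proto and e.src_ip == src_ip:
                    return _hit(e)                                # S514
            else:                                                 # S517: walk the IP table
                for ie in self.ip_tables.get(e.ip_ptr, []):
                    if ie.valid and ie.proto == proto and ie.src_ip == src_ip:
                        return _hit(ie)
        if self.dynamic_mode and self.free_ports:                 # S519: learn a new binding
            port = random.choice(sorted(self.free_ports))
            self.free_ports.remove(port)
            # Assumption (not in the claim): new bindings live in an IP table hung off
            # the source port, so several private hosts may share one source port.
            if e is None or not e.valid:
                e = self.port_table[src_port] = Entry(valid=True, pointer_valid=True, ip_ptr=src_port)
            elif not e.pointer_valid:                             # promote a direct entry
                self.ip_tables.setdefault(src_port, []).append(
                    Entry(True, False, 0, e.proto, e.src_ip, e.repl_port, e.gw_valid, e.gateway))
                e.pointer_valid, e.ip_ptr = True, src_port
            self.ip_tables.setdefault(e.ip_ptr, []).append(
                Entry(valid=True, proto=proto, src_ip=src_ip, repl_port=port))
            return ("ok", port, None)
        return ("drop", None, None)                               # S5110: no match, discard
```

    With the dynamic-mode bit clear the table is static and any unmatched flow is discarded, which is the conservative setting; with it set, the pool of free public ports bounds how many bindings can be learned.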
  8. The SOPC-based NAT implementation method according to claim 6, wherein step S5 further comprises the sub-step:
    S50: perform IP fragment processing on the received information;
    step S50 comprises the following sub-steps:
    S501: determine whether the packet is an IP fragment; if so, go to step S502;
    S502: determine whether it is the first fragment of the fragmented packet; if so, go to step S503, otherwise go to step S504;
    S503: process the first fragment as a non-fragmented packet would be processed, process the other cached fragments of the same packet in the same way, and go to step S505;
    S504: cache the fragment information and go to step S505;
    S505: go to step S501 to begin the next round of processing.
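    The fragment handling of claim 8 (S501 to S505) as a software model: only the first fragment carries the transport header, so its lookup decision is applied to every sibling, and siblings that arrive first are held back until it appears. This is an added example, not the patent's code; the flow key, the `decide` callback standing in for the learning/processor lookup, the cache bound and the handling of siblings that arrive after the first fragment are assumptions of the example.

```python
from collections import defaultdict

MF = 0x2000  # "more fragments" bit of the IPv4 flags/fragment-offset field


def is_fragment(flags_off: int) -> bool:
    """S501: a packet is a fragment if MF is set or its offset is non-zero."""
    return bool(flags_off & MF) or (flags_off & 0x1FFF) != 0


def is_first_fragment(flags_off: int) -> bool:
    """S502: the first fragment has offset 0 (and, being a fragment, MF set)."""
    return (flags_off & 0x1FFF) == 0


class FragmentHandler:
    def __init__(self, decide, max_cached: int = 64):
        self.decide = decide            # NAT lookup on a packet with a transport header
        self.cache = defaultdict(list)  # flow key -> non-first fragments waiting (S504)
        self.decided = {}               # flow key -> decision, for late siblings (assumption)
        self.max_cached = max_cached    # constructed bound on cached fragments (assumption)
        self.cached = 0

    def handle(self, pkt: dict):
        """Return the (fragment, decision) pairs that are now ready for NAT rewriting."""
        key = (pkt["src"], pkt["dst"], pkt["proto"], pkt["id"])
        if not is_fragment(pkt["flags_off"]):          # S501: ordinary packet
            return [(pkt, self.decide(pkt))]
        if is_first_fragment(pkt["flags_off"]):        # S502 -> S503
            decision = self.decide(pkt)
            self.decided[key] = decision
            waiting = self.cache.pop(key, [])          # siblings cached earlier
            self.cached -= len(waiting)
            return [(p, decision) for p in [pkt] + waiting]
        if key in self.decided:                        # first fragment already passed
            return [(pkt, self.decided[key])]
        if self.cached >= self.max_cached:             # cache full: drop rather than grow
            return []
        self.cache[key].append(pkt)                    # S504: cache until the first arrives
        self.cached += 1
        return []
```

    The bound matters because an unbounded fragment cache fills with fragments whose first packet never arrives; in hardware the cache depth is fixed, and the model drops once it is reached.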
  9. The SOPC-based NAT implementation method according to claim 1, wherein step S7 comprises the following sub-steps:
    S71: based on the result output by the learning/processing module, together with the output of the extraction module and the packet contents in the data buffer module, replace the source IP and source port of private-to-public TCP and UDP packets, thereby completing NAT processing;
    S72: based on the result output by the learning/processing module, together with the output of the extraction module and the packet contents in the data buffer module, replace the destination IP and destination port of public-to-private TCP and UDP packets, thereby completing inverse NAT processing;
    S73: recalculate the IP header checksum, the TCP checksum and the UDP checksum.
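    Steps S71 and S73 carried out on a constructed IPv4/UDP packet: the source IP and port are replaced and both the IP header checksum and the transport checksum (which covers a pseudo-header containing the addresses) are recomputed. This is an added example, not the patent's code; the packet contents and field values are constructed for the example, and the helper names are the example's own.

```python
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ip_header_checksum(hdr: bytes) -> int:
    """Checksum over the IPv4 header with its own checksum field zeroed."""
    return (~ones_complement_sum(hdr[:10] + b"\x00\x00" + hdr[12:])) & 0xFFFF


def l4_checksum(src: bytes, dst: bytes, proto: int, segment: bytes) -> int:
    """TCP/UDP checksum over pseudo-header + segment (segment checksum field zeroed)."""
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(segment))
    c = (~ones_complement_sum(pseudo + segment)) & 0xFFFF
    return 0xFFFF if (proto == 17 and c == 0) else c   # UDP: 0 means "no checksum"


def build_udp_packet(src: bytes, dst: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed sample packet: IPv4 without options, carrying UDP."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    udp = udp[:6] + struct.pack("!H", l4_checksum(src, dst, 17, udp)) + udp[8:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64, 17, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ip_header_checksum(hdr)) + hdr[12:] + udp


def nat_rewrite_source(pkt: bytes, new_src: bytes, new_sport: int) -> bytes:
    """S71 + S73: replace source IP/port, then recompute the IP and L4 checksums."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr, seg = bytearray(pkt[:ihl]), bytearray(pkt[ihl:])
    proto = hdr[9]
    hdr[12:16] = new_src                                            # S71: source IP
    hdr[10:12] = struct.pack("!H", ip_header_checksum(bytes(hdr)))  # S73: IP header checksum
    seg[0:2] = struct.pack("!H", new_sport)                         # S71: source port
    off = 6 if proto == 17 else 16                                  # checksum offset: UDP / TCP
    seg[off:off + 2] = b"\x00\x00"
    c = l4_checksum(bytes(hdr[12:16]), bytes(hdr[16:20]), proto, bytes(seg))
    seg[off:off + 2] = struct.pack("!H", c)                         # S73: TCP/UDP checksum
    return bytes(hdr) + bytes(seg)


def verify(pkt: bytes) -> bool:
    """True when the IP header and the pseudo-header + segment both sum to 0xFFFF."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr, seg = pkt[:ihl], pkt[ihl:]
    pseudo = hdr[12:16] + hdr[16:20] + struct.pack("!BBH", 0, hdr[9], len(seg))
    return ones_complement_sum(hdr) == 0xFFFF and ones_complement_sum(pseudo + seg) == 0xFFFF
```

    Rewriting the address without S73 leaves a packet the receiving host discards; `verify` shows the failure and confirms that the full recalculation restores both checksums.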
  10. An SOPC-based NAT implementation apparatus, used to carry out the SOPC-based NAT implementation method according to any one of claims 1 to 9, comprising:
    a processor module, for performing table lookups on the packet information output by the learning/processing module and returning the processing result to the learning/processing module;
    a learning/processing module, connected to the extraction module and to the processor module, with two main functions: first, it receives the output of the extraction module and checks whether the learned content contains a matching entry; if it does, the stored corresponding result is output to the NAT processing module, and if it does not, the received data is submitted directly to the processor module and recorded so that a one-to-one correspondence with the processing result can be established during learning; second, it learns the packet processing results output by the processor, that is, it establishes a one-to-one correspondence between packet-information inputs and packet processing results, so that subsequent packets with the same input conditions can be processed directly, reducing the load on the processor module and increasing packet processing capacity, and then outputs the result to the NAT processing module;
    an extraction module, connected to the Ethernet interface module, for extracting packet information;
    an Ethernet interface, comprising a private-network Ethernet interface for connecting to the private network and an Ethernet interface for connecting to the public network;
    a data buffer module, connected between the extraction module and the NAT processing module or NAT inverse processing module, for buffering packets;
    a NAT processing module, connected to the extraction module, the data buffer module, the learning/processing module and the Ethernet interface, for receiving the output of the learning/processing module and, together with the output of the extraction module and the packet contents in the data buffer module, performing private-to-public NAT processing;
    a NAT inverse processing module, connected to the extraction module, the data buffer module, the learning/processing module and the Ethernet interface, for receiving the output of the learning/processing module and, together with the output of the extraction module and the packet contents in the data buffer module, performing public-to-private inverse NAT processing.
PCT/CN2016/078029 2015-09-30 2016-03-31 Sopc-based nat implementation method and device WO2017054429A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510641720.0 2015-09-30
CN201510641720.0A CN105162901B (en) 2015-09-30 2015-09-30 Method and device for realizing NAT based on SOPC

Publications (1)

Publication Number Publication Date
WO2017054429A1 true WO2017054429A1 (en) 2017-04-06

Family

ID=54803652

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/078029 WO2017054429A1 (en) 2015-09-30 2016-03-31 Sopc-based nat implementation method and device

Country Status (2)

Country Link
CN (1) CN105162901B (en)
WO (1) WO2017054429A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105162901B (en) * 2015-09-30 2019-05-14 北京特立信电子技术股份有限公司 Method and device for realizing NAT based on SOPC
CN109618020B (en) * 2018-12-25 2022-01-11 北京物芯科技有限责任公司 Network address conversion method and device for fragmented messages

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6650641B1 (en) * 1999-07-02 2003-11-18 Cisco Technology, Inc. Network address translation using a forwarding agent
CN1585401A (en) * 2003-08-21 2005-02-23 华为技术有限公司 Network address converting method for zoned message
CN101068212A (en) * 2007-06-11 2007-11-07 中兴通讯股份有限公司 Network address switching retransmitting device and method
CN101877728A (en) * 2010-06-25 2010-11-03 中兴通讯股份有限公司 Method and device for converting and forwarding network addresses
US20150032872A1 (en) * 2013-07-24 2015-01-29 Cisco Technology, Inc., A Corporation Of California Selectively Using Network Address Translated Mapped Addresses Based on their Prior Network Reachability
CN105162901A (en) * 2015-09-30 2015-12-16 北京特立信电子技术股份有限公司 Method and device for realizing NAT based on SOPC

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102307123B (en) * 2011-09-06 2013-09-25 电子科技大学 NAT (Network Address Translation) flow identification method based on transmission layer flow characteristic
CN103152269B (en) * 2013-02-26 2016-03-02 杭州华三通信技术有限公司 A kind of message forwarding method based on NAT and equipment
CN107889134B (en) * 2014-09-02 2021-04-09 安科讯(福建)科技有限公司 High-reliability multi-board LTE gateway processing method and system

Also Published As

Publication number Publication date
CN105162901B (en) 2019-05-14
CN105162901A (en) 2015-12-16

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16850056

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 12/09/2018)

122 Ep: pct application non-entry in european phase

Ref document number: 16850056

Country of ref document: EP

Kind code of ref document: A1