CN101299772B - System and method for processing network address conversion preferable regulation - Google Patents
- Publication number: CN101299772B (application CN2008100678029A)
- Authority: CN (China)
- Prior art keywords: nat, information, subclauses, rule, interface
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Classification: Data Exchanges In Wide-Area Networks; Small-Scale Networks
Abstract
The invention provides a system and method for network address translation (NAT) preference-rule translation processing. The system includes: a NAT outgoing-interface matching configuration module, which configures the NAT rules that match an outgoing interface and synchronizes and transmits this information to the NAT outgoing-interface rule table module; a NAT outgoing-interface rule table module, which records the NAT outgoing-interface rule table and organizes its entries, providing reference information to the NAT outgoing-interface rule operation module; and a NAT outgoing-interface rule operation module, which searches for a matching NAT translation entry for each received packet, using the information in the NAT outgoing-interface rule table as the reference standard. If the packet matches a NAT outgoing-interface rule, a new NAT translation entry is generated from the packet and the rule information, and translation is performed according to the new entry.
Description
Technical field
The present invention relates to the field of network communications technology, and in particular to a system and method for performing network address translation (NAT) processing according to preference rules when a private network communicates with a public network.
Background technology
With the rapid development of the Internet, it has gradually become part of people's daily life. The continuous development of network technology and the growing demand for network services have caused network sizes to expand steadily, making IP address resources increasingly scarce. NAT (network address translation) technology solves this problem well. Its main approach is to translate private, non-routable addresses into legal public IP addresses, separating the public and private networks so that network resources are fully used. When a user accesses the public network from a private network, a public address and port number are requested and bound to the connection, and communication then proceeds over the Internet. This method greatly improves the utilization of public IP address resources and is therefore widely used.
In network deployments, depending on the environment, a network administrator sometimes configures on a router, for a single data source, NAT translation rules for several different outgoing interfaces, each with its own public address pool. If the router also has, for the same data source, an address pool whose rule does not specify an outgoing interface, then when a packet arrives, the lookup of the translation rules for the different outgoing interfaces and the generation of the NAT translation entry may produce a match that is not the optimal one. This does not prevent communication, but public addresses assigned to an outgoing interface may go unused while the packet consumes an address from another NAT public address pool that is not tied to any interface. Moreover, because a NAT translation rule that specifies an outgoing interface applies only to that interface, packets forwarded out of other interfaces cannot use it for NAT translation. At peak times one public address pool may be exhausted, leaving users unable to obtain a public address for NAT translation, while at the same time another address pool still holds many unused public addresses. As a result, public address resources are not allocated and used reasonably and effectively as intended.
Summary of the invention
The object of the invention is to provide a system and method for NAT preference-rule translation that solves the problem in the prior art that public addresses cannot be used effectively, so that when a private network communicates with a public network the use of public addresses follows the network administrator's configuration exactly.
The present invention adopts the following technical solution:
The invention provides a system for NAT preference-rule translation processing, comprising:
NAT outgoing-interface matching configuration module: used to configure NAT (network address translation) rules that match an outgoing interface, and to synchronize and transmit this information to the NAT outgoing-interface rule table module. When a NAT translation rule that carries an interface is configured, the NAT outgoing-interface matching configuration module extracts the outgoing interface and the ACL number identifying the packet's source, and stores them in the NAT outgoing-interface rule table;
NAT outgoing-interface rule table module: used to record the NAT outgoing-interface rule table and organize its entries, providing reference information for the NAT outgoing-interface rule operation module;
NAT outgoing-interface rule operation module: used to search for a matching NAT translation entry for each received packet, using the information in the NAT outgoing-interface rule table as the reference standard during the search. If a matching NAT outgoing-interface rule exists, a new NAT translation entry is generated from the packet and the rule information, and the packet is forwarded according to the new NAT translation entry.
The invention also provides a method of performing NAT preference-rule translation processing using the above system. The NAT outgoing-interface rule configuration is performed in advance, and the method comprises:
Step A. Extract information from the packet, including IP address, port number and outgoing interface, and determine the ACL information of the packet;
Step B. Match a NAT translation entry using the packet information including the outgoing interface. If a NAT translation entry is found, forward according to that entry; if not, go to step C;
Step C. Match a NAT translation entry using the packet information without the outgoing interface. If a NAT translation entry is found, go to step D; if not, search the NAT translation rules, generate a new entry, and forward the packet according to the new entry;
Step D. Search the NAT outgoing-interface rule table using the ACL information and the outgoing interface information of the packet. If a matching entry is found, generate a new entry according to the rule it belongs to and forward the packet according to that new entry; otherwise, forward according to the NAT translation entry found in step C.
Further, the NAT outgoing-interface rule configuration of the method specifically comprises:
Step a. Configure a NAT translation rule that carries an interface;
Step b. Obtain the outgoing interface information and the ACL information from the NAT translation rule;
Step c. Allocate new memory space to build the NAT outgoing-interface rule table, write the outgoing interface information and ACL information into the NAT outgoing-interface rule table, and save it.
Compared with the prior art, the invention configures both NAT translation rules that match an outgoing interface and NAT translation rules that do not, achieving a clean separation of the address pools. This avoids confused use of the address pools during NAT translation and thereby improves the utilization of public addresses.
Description of drawings
Fig. 1 is a schematic diagram of the structure of the system according to the embodiment of the invention;
Fig. 2 is the flow chart of the NAT outgoing-interface rule configuration of the method according to the embodiment of the invention;
Fig. 3 is the processing flow chart of the method according to the embodiment of the invention.
Embodiment
Preferred embodiments of the invention are described below with reference to the accompanying drawings, which form part of this application and, together with the embodiments, serve to explain the principle of the invention.
As shown in Fig. 1, which is a schematic diagram of the structure of the system according to the embodiment of the invention, the system comprises the following modules:
NAT outgoing-interface matching configuration module: this is mainly a configuration module. It is configured by the network administrator; it collects the configuration information and stores it in an organized form, providing the basis for packet processing and reflecting the configuration intent clearly. When a NAT translation rule that carries an interface is configured, the module extracts the outgoing interface and the ACL number identifying the packet's source and stores them in the NAT outgoing-interface rule table.
NAT outgoing-interface rule table module: mainly records, for each ACL number, the outgoing interface of the corresponding translation rule; its data is collected by the NAT outgoing-interface matching configuration module. The table is a memory area allocated in main memory and organized by an algorithm so that entries can be searched, added and deleted.
NAT outgoing-interface rule operation module: the main operational module. It extracts information from each received packet and uses that information to search for a matching NAT translation entry, using the information in the NAT outgoing-interface rule table as the reference standard during the search. If a matching NAT outgoing-interface rule exists, it generates a new NAT translation entry from the packet and the rule information and forwards according to the new NAT translation entry.
As shown in Fig. 2, the flow chart of the NAT outgoing-interface rule configuration of the method according to the embodiment of the invention, the specific flow is as follows:
Step 200: configure a NAT translation rule that carries an interface;
Step 201: obtain the outgoing interface information and ACL information from the NAT translation rule;
Step 202: allocate new memory space to build the NAT outgoing-interface rule table, write the outgoing interface information and ACL information into the NAT outgoing-interface rule table, and save it.
As shown in Fig. 3, the processing flow chart of the method according to the embodiment of the invention, the specific flow is as follows:
Step 300: the flow begins;
Step 301: the system receives a packet;
Step 302: extract the information in the packet, including IP address, port number, VPN and outgoing interface, and obtain the ACL information of the packet; then search for a matching NAT translation entry using the packet information including IP address, port number, VPN and outgoing interface;
Step 303: determine whether a corresponding NAT translation entry is found; if so, go to step 304, otherwise go to step 305;
Step 304: forward according to the NAT translation entry found; the flow ends.
Step 305: match a NAT translation entry again using the packet information including IP address, port number and VPN, but without the outgoing interface information.
Step 306: determine whether a corresponding NAT translation entry is found; if not, go to step 307; if so, go to step 308;
Step 307: search the NAT translation rules, generate a new entry, and perform NAT forwarding according to the new entry; the flow ends.
Step 308: obtain the ACL information and the outgoing interface information of the packet, and search the NAT outgoing-interface rule table;
Step 309: check whether the NAT outgoing-interface rule table contains a matching NAT outgoing-interface rule; if not, go to step 310, otherwise go to step 311;
Step 310: perform NAT forwarding according to the NAT translation entry found in step 305; the flow ends.
Step 311: according to the NAT outgoing-interface rule information found, look up the corresponding NAT translation rule, generate a new NAT translation entry, and perform NAT forwarding;
Step 312: the flow ends.
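The following Python simulation is an added example, not code from the patent or its assignee. It models the configuration steps 200-202 (or a-c) and the lookup flow of steps 302-311 (or A-D) in one place: a translation-entry table keyed with and without the outgoing interface, an outgoing-interface rule table keyed by (ACL number, interface), and per-rule public address pools. The ACL representation (ACL number to source prefix), the rule search order (configuration order, first matching rule wins) and the pool model (a list of free addresses; an empty list is the exhaustion condition the background section describes) are all assumptions made for the example.

```python
"""Added example: NAT outgoing-interface preference lookup as described in
CN101299772B.  Names, ACL model, rule ordering and pool model are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class FlowKey:
    """Packet identity without the outgoing interface (step 305 / step C)."""
    src_ip: str
    src_port: int
    vpn: str


@dataclass
class NatRule:
    acl: int                    # ACL number identifying the data source
    out_iface: Optional[str]    # None: rule configured without an outgoing interface
    pool: list                  # public addresses still free in this rule's pool (assumed model)


@dataclass
class NatEntry:
    flow: FlowKey
    out_iface: Optional[str]    # interface the entry was generated for (None if unspecified)
    public_ip: str


@dataclass
class NatState:
    acls: dict                  # ACL number -> source prefix (constructed ACL model)
    rules: list                 # NAT translation rules in configuration order
    iface_rules: dict = field(default_factory=dict)   # (acl, iface) -> NatRule: outgoing-interface rule table
    entries: dict = field(default_factory=dict)       # (FlowKey, iface or None) -> NatEntry


def configure_rule(state: NatState, rule: NatRule) -> None:
    """Steps 200-202: every rule is stored; a rule that carries an interface is also
    indexed by (ACL number, outgoing interface) in the outgoing-interface rule table."""
    state.rules.append(rule)
    if rule.out_iface is not None:
        state.iface_rules[(rule.acl, rule.out_iface)] = rule


def acl_of(state: NatState, src_ip: str) -> Optional[int]:
    """Step 302 / A: find the ACL whose source prefix covers the packet's source address."""
    for acl, prefix in state.acls.items():
        if ip_address(src_ip) in ip_network(prefix):
            return acl
    return None


def new_entry(state: NatState, rule: NatRule, flow: FlowKey) -> Optional[NatEntry]:
    """Allocate a public address from the rule's pool; None means the pool is exhausted."""
    if not rule.pool:
        return None
    entry = NatEntry(flow, rule.out_iface, rule.pool.pop(0))
    state.entries[(flow, rule.out_iface)] = entry
    return entry


def translate(state: NatState, src_ip: str, src_port: int, vpn: str,
              out_iface: str) -> Optional[NatEntry]:
    """Return the NAT entry the packet is forwarded with, or None if no address is available."""
    flow = FlowKey(src_ip, src_port, vpn)
    acl = acl_of(state, src_ip)
    # Steps 302-304 / B: entry keyed with the outgoing interface.
    entry = state.entries.get((flow, out_iface))
    if entry is not None:
        return entry
    # Steps 305-306 / C: entry keyed without the outgoing interface.
    entry = state.entries.get((flow, None))
    if entry is None:
        # Step 307: no entry at all; the first rule covering the packet generates one
        # (a rule with an interface only covers packets leaving that interface).
        for rule in state.rules:
            if rule.acl == acl and rule.out_iface in (None, out_iface):
                return new_entry(state, rule, flow)
        return None
    # Steps 308-311 / D: an interface-specific rule for this ACL and interface exists,
    # so generate a better-matching entry from it instead of reusing the generic one.
    rule = state.iface_rules.get((acl, out_iface))
    if rule is not None:
        better = new_entry(state, rule, flow)
        if better is not None:
            return better
    return entry  # step 310: fall back to the entry found without the interface


def build_demo_state() -> NatState:
    """Constructed configuration: one generic rule and one eth1-specific rule for ACL 10."""
    state = NatState(acls={10: "10.0.0.0/24"}, rules=[])
    configure_rule(state, NatRule(10, None, ["203.0.113.1"]))
    configure_rule(state, NatRule(10, "eth1", ["198.51.100.1", "198.51.100.2"]))
    return state


if __name__ == "__main__":
    s = build_demo_state()
    first = translate(s, "10.0.0.5", 40000, "vpn0", "eth1")   # generic rule matched first
    second = translate(s, "10.0.0.5", 40000, "vpn0", "eth1")  # step D upgrades to the eth1 pool
    print(first.public_ip, "->", second.public_ip)
```

The first packet of a flow leaving eth1 is translated with the generic pool because that rule was configured first; the second packet of the same flow finds only the interface-less entry and, through the outgoing-interface rule table, is moved to the eth1 pool. A packet of the same flow leaving another interface keeps the generic entry, and a new flow hitting an exhausted generic pool gets no address at all, which is the exhaustion condition the background section describes.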
The above is only a preferred embodiment of the invention, and the scope of protection of the invention is not limited thereto. Any variation or replacement that a person skilled in the art could easily conceive within the technical scope disclosed by the invention should fall within the scope of protection of the invention.
Claims (3)
1. A system for NAT preference-rule translation processing, characterized in that it comprises:
NAT outgoing-interface matching configuration module: used to configure NAT (network address translation) rules that match an outgoing interface, and to synchronize and transmit this information to the NAT outgoing-interface rule table module. When a NAT translation rule that carries an interface is configured, the NAT outgoing-interface matching configuration module extracts the outgoing interface and the ACL number identifying the packet's source, and stores them in the NAT outgoing-interface rule table;
NAT outgoing-interface rule table module: used to record the NAT outgoing-interface rule table and organize its entries, providing reference information for the NAT outgoing-interface rule operation module;
NAT outgoing-interface rule operation module: used to search for a matching NAT translation entry for each received packet, using the information in the NAT outgoing-interface rule table as the reference standard during the search. If a matching NAT outgoing-interface rule exists, a new NAT translation entry is generated from the packet and the rule information, and the packet is forwarded according to the new NAT translation entry.
2. A method of performing NAT preference-rule translation processing using the above system, characterized in that the NAT outgoing-interface rule configuration is performed in advance, and the method comprises:
Step A. Extract information from the packet, including IP address, port number and outgoing interface, and determine the ACL information of the packet;
Step B. Match a NAT translation entry using the packet information including the outgoing interface. If a NAT translation entry is found, forward according to that entry; if not, go to step C;
Step C. Match a NAT translation entry using the packet information without the outgoing interface. If a NAT translation entry is found, go to step D; if not, search the NAT translation rules, generate a new entry, and forward the packet according to the new entry;
Step D. Search the NAT outgoing-interface rule table using the ACL information and the outgoing interface information of the packet. If a matching entry is found, generate a new entry according to the rule it belongs to and forward the packet according to that new entry; otherwise, forward according to the NAT translation entry found in step C.
3. The method according to claim 2, characterized in that the NAT outgoing-interface rule configuration specifically comprises:
Step a. Configure a NAT translation rule that carries an interface;
Step b. Obtain the outgoing interface information and the ACL information from the NAT translation rule;
Step c. Allocate new memory space to build the NAT outgoing-interface rule table, write the outgoing interface information and ACL information into the NAT outgoing-interface rule table, and save it.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2008100678029A CN101299772B (en) | 2008-06-04 | 2008-06-04 | System and method for processing network address conversion preferable regulation |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101299772A CN101299772A (en) | 2008-11-05 |
CN101299772B true CN101299772B (en) | 2011-05-11 |
Family
ID=40079451
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2008100678029A Active CN101299772B (en) | 2008-06-04 | 2008-06-04 | System and method for processing network address conversion preferable regulation |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101299772B (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8341207B2 (en) * | 2010-04-07 | 2012-12-25 | Apple Inc. | Apparatus and method for matching users for online sessions |
CN103475746B (en) * | 2013-08-09 | 2017-07-04 | 新华三技术有限公司 | A kind of terminal service method and device |
CN107547396B (en) * | 2017-05-18 | 2021-03-19 | 新华三信息安全技术有限公司 | Message forwarding method and device |
CN111770211B (en) * | 2020-06-17 | 2023-04-18 | 北京百度网讯科技有限公司 | SNAT method, SNAT device, electronic equipment and storage medium |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1960313A (en) * | 2005-11-03 | 2007-05-09 | 中兴通讯股份有限公司 | Periphery devices of service provider of combining network address conversion, and method of application |
CN101068212A (en) * | 2007-06-11 | 2007-11-07 | 中兴通讯股份有限公司 | Network address switching retransmitting device and method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C14 | Grant of patent or utility model | |
| GR01 | Patent grant | |