CN106789666B - Method and device for determining converted port - Google Patents


Info

Publication number
CN106789666B
Authority
CN
China
Prior art keywords
port
session
session table
target
converted
Prior art date
Legal status
Active
Application number
CN201611033880.8A
Other languages
Chinese (zh)
Other versions
CN106789666A (en)
Inventor
刘健男
党丽娜
Current Assignee
Neusoft Corp
Original Assignee
Neusoft Corp
Priority date
Filing date
Publication date
Events
  • Application filed by Neusoft Corp
  • Priority to CN201611033880.8A
  • Publication of CN106789666A
  • Application granted
  • Publication of CN106789666B
  • Legal status: Active (current)
  • Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/14 Session management
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/74 Address processing for routing
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/10 Mapping addresses of different types
    • H04L61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • H04L61/50 Address allocation
    • H04L61/5007 Internet protocol [IP] addresses


Abstract

The invention discloses a method for determining a converted port, comprising the following steps: after acquiring the source port number and the source IP, the network forwarding device performs a function operation with the source port number and the source IP as parameters to obtain a converted port; when a first session table with a target five-tuple does not exist locally in the network forwarding device, the first session table is generated based on the target five-tuple, wherein the target five-tuple comprises a converted network protocol address, a converted port, a target network protocol address, a target port and a network transmission protocol. The converted ports can be computed concurrently on multiple cores without the computations interfering with each other, so there is no competition for port resources, no information about whether a port has been allocated needs to be stored, no complex port search is needed, and no repeated search after a failed search is needed; the converted port is thus determined quickly on multiple cores, and message transmission is carried out through it. The invention also discloses a device for determining the converted port.

Description

Method and device for determining converted port
Technical Field
The present invention relates to the field of network communication technologies, and in particular, to a method and an apparatus for determining a converted port.
Background
With the rapid development of science and technology, network forwarding devices have now entered a multi-core era. Under multi-core processing, when an internal private network accesses the external Internet, Network Address Translation (NAT) is generally performed, that is, a private Internet Protocol (IP) address of the internal private network is translated into a public IP address. By using a small number of public IP addresses to represent a larger number of private IP addresses, the address exhaustion problem faced by IPv4 can be solved and the private network addresses of the private network are protected.
At present, multi-core network forwarding devices generally use Network Address Port Translation (NAPT), that is, in addition to translating the private IP address of the internal private network into a public IP address, the source port of the message is translated correspondingly. In the prior art, after the private IP address is converted into a legal public IP address, the network forwarding device searches, under a lock, for a currently unused port in the range of port 1024 to port 65535 corresponding to the converted IP address, and performs packet transmission using the found port as the converted port.
The inventor has found through research that a port of the same IP address can be used only once at the same time, that is, a used port can be used again only after it is released. Because the use and release of ports are not fixed during actual network forwarding, the distribution of used and unused ports of an IP address is as shown in fig. 1: used port numbers and unused ports are arranged randomly and without order, so the process of searching for an unused port is very complicated. Under multiple cores, contention for the port lookup is also involved, that is, the network forwarding device cannot look up unused ports on multiple cores simultaneously, because simultaneous lookups are chaotic and do not allow used port numbers to be distinguished from unused ports. Therefore, the prior art scheme cannot ensure that an available port is found quickly in a multi-core environment, and so cannot ensure that message transmission through the found available port is performed quickly.
Disclosure of Invention
The technical problem to be solved by the present invention is to provide a method and an apparatus for determining a converted port, so that a network forwarding device can quickly find an available port for packet transmission in a multi-core environment.
To solve the above technical problem, the present invention provides a method for determining a converted port, including:
acquiring a source network protocol address and a source port corresponding to a session, wherein the session is used for communication between a client and a server;
determining a converted port corresponding to the session through the operation of an operation rule by taking the source network protocol address and the source port as parameters;
if the network forwarding device does not locally have a first session table with a target five-tuple, generating the first session table based on the target five-tuple, wherein the target five-tuple comprises a converted network protocol address, a converted port, a target network protocol address, a target port and a network transmission protocol.
Preferably, the method further comprises the following steps:
if the network forwarding equipment locally has a first session table with a target five-tuple, generating a second session table based on the first session table, wherein the second session table comprises a source hardware address and the session address, and the source hardware address is a local hardware address of a client.
Preferably, if the network forwarding device locally has a first session table with a target five-tuple, generating a second session table based on the first session table includes:
and if the network forwarding equipment locally has a first session table with a target five-tuple and the multiplexing times of the converted port do not exceed a preset threshold value, generating a second session table based on the first session table.
Preferably, the number of times of multiplexing is determined by the number of addresses recorded in the second session table, where the number of addresses indicates the number of session group addresses included in the second session table.
Preferably, the method further comprises the following steps:
and if the network forwarding equipment locally has a first session table with a target five-tuple and the multiplexing times of the converted port exceed a preset threshold value, sending a reset message to the client.
The invention also provides a device for determining a converted port, which comprises:
an acquisition unit, configured to acquire a source network protocol address and a source port corresponding to a session, wherein the session is used for communication between a client and a server;
a determining unit, configured to determine, by using the source network protocol address and the source port as parameters, a converted port corresponding to the session through an operation of an operation rule;
a first generating unit, configured to generate a first session table based on a target five-tuple if the first session table having the target five-tuple does not exist locally on the network forwarding device, where the target five-tuple includes a translated network protocol address, a translated port, a target network protocol address, a target port, and a network transport protocol.
Preferably, the device further comprises:
a second generating unit, configured to generate a second session table based on the first session table if the network forwarding device locally has the first session table with a target five-tuple, where the second session table includes a source hardware address and the session address, and the source hardware address is a hardware address local to the client.
Preferably, the second generating unit is further configured to generate a second session table based on the first session table if the first session table with the target five-tuple locally exists in the network forwarding device and the multiplexing number of the converted port does not exceed a preset threshold.
Preferably, the number of times of multiplexing is determined by the number of addresses recorded in the second session table, where the number of addresses indicates the number of session group addresses included in the second session table.
Preferably, the device further comprises:
and the sending unit is used for sending a reset message to the client if the network forwarding equipment locally has a first session table with a target five-tuple and the multiplexing times of the converted port exceeds a preset threshold value.
Compared with the prior art, the invention has the following advantages:
in the embodiment of the invention, after acquiring a source port number and a source IP, a network forwarding device performs function operation based on the source port number and the source IP to obtain a converted port, and generates a first session table based on a target five-tuple when the first session table with the target five-tuple does not exist locally in the network forwarding device, wherein the target five-tuple comprises a converted network protocol address, a converted port, a destination network protocol address, a destination port and a network transmission protocol. Therefore, the converted port is obtained by performing function operation according to the source port number and the source IP, the port can be concurrent under multiple cores, and the converted port is simultaneously operated without mutual interference, so that port resource competition does not exist, whether the port is allocated or not does not need to be stored, the port does not need to be searched in a complex manner, the port does not need to be searched again after the searching fails, the converted port is rapidly determined under the multiple cores, and message transmission is performed through the converted port.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments described in the present application, and other drawings can be obtained by those skilled in the art without creative efforts.
FIG. 1 is a diagram illustrating an actual scenario in which a port of an IP address is used or not used;
FIG. 2 is a block diagram of an exemplary application scenario in an embodiment of the present invention;
FIG. 3 is a flowchart illustrating a method for determining a converted port according to an embodiment of the present invention;
FIG. 4-1 is a diagram illustrating a first session table according to an embodiment of the present invention;
FIG. 4-2 is a diagram illustrating a second session table according to an embodiment of the invention;
FIG. 5 is a flow chart illustrating another method for determining a converted port according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of an apparatus for determining a converted port according to an embodiment of the present invention;
fig. 7 is a schematic structural diagram of another apparatus for determining a converted port according to an embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present application better understood, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The inventor finds that, in the prior art, a port of the same IP address can be used only once at the same time, that is, the used port can be used again only after being released, because the use and the release of the port are not fixed during the actual network forwarding, the used port number and the unused port of an IP address are randomly and disorderly arranged, and the process of searching for the unused port is very complicated; in the case of multiple cores, contention of port lookup may also be involved, that is, the network forwarding device in the multiple cores cannot simultaneously lookup an unused port, because the simultaneous lookup is chaotic and is not favorable for distinguishing a used port number from an unused port, and cannot quickly find an available port in the multiple cores, so that it cannot be guaranteed that packet transmission is quickly performed through the found available port.
Based on this, in the embodiment of the present invention, after the source port number and the source IP are obtained, a function operation is performed with the source port number and the source IP as parameters to obtain the converted port; meanwhile, when the network forwarding device locally already has a first session table with the target five-tuple, the source hardware address is added to the first session table, and when the number of such occurrences is too large, a reset packet is sent to the source end. Therefore, the converted port is obtained by a function operation on the source port number and the source IP. Under the operation rule, if the source IP addresses differ and/or the source ports differ, the calculated converted ports differ; the source ports of the sessions handled on the different cores are generally different, so their calculated converted ports are different, and the concurrent operations on the multiple cores do not interfere with each other. Hence there is no contention for port resources, no record of whether a port has been allocated needs to be stored, no complex port search is needed, and no repeated search after a failed search is needed. Adding the source hardware address to the session table ensures the uniqueness of the session table when target five-tuples conflict, so the calculated converted port can still be used successfully; when the number of conflicts is excessive, sending a reset message causes the converted port to be recalculated. Thus the converted port can be determined quickly under multiple cores, and the message is transmitted through the converted port.
For example, the embodiment of the present invention may be applied to the scenario shown in fig. 2. In this scenario there are a client 101, a firewall 102 and a server 103, where the client 101 and the firewall 102 may interact, and the firewall 102 and the server 103 may interact. The client 101 sends a session request for a session between the client 101 and the server 103 to the firewall 102. The firewall 102 receives the session request and obtains the source IP address, source port, destination IP address, destination port and network transmission protocol corresponding to the session. After the firewall 102 determines the translated IP address corresponding to the session, it determines the translated port corresponding to the session through the operation of the operation rule with the source IP address and the source port as parameters. If a first session table with the target five-tuple does not exist locally in the firewall 102, the first session table is generated based on the target five-tuple, so that the client 101 and the server 103 perform message interaction through the session; the target five-tuple includes the converted network protocol address, the converted port, the destination network protocol address, the destination port and the network transmission protocol.
It is to be understood that, in the application scenario described above, although the actions of the embodiment of the present invention are described as being performed by the firewall 102, the present invention is not limited in terms of the execution subject as long as the actions disclosed in the embodiment of the present invention are performed.
It is to be understood that the above scenario is only one scenario example provided by the embodiment of the present invention, and the embodiment of the present invention is not limited to this scenario.
The following describes a specific implementation manner of the method and apparatus for determining a post-conversion port according to an embodiment of the present invention in detail by using embodiments with reference to the accompanying drawings.
Exemplary method
Referring to fig. 3, a flowchart illustrating a method for determining a converted port according to an embodiment of the present invention is shown. In this embodiment, the method may include, for example, the steps of:
step 301: and the firewall acquires a source network protocol address and a source port corresponding to a session, wherein the session is used for communication between the client and the server.
It should be noted that the client may send a session request between the client and the server to the firewall, the firewall receives the session request, and may obtain a source IP address, a source port, a destination IP address, a destination port, and a network transport protocol corresponding to the session according to the session request, where the source IP address is an IP address of the client, the source port is a port of the client, the destination IP address is an IP address of the server, and the destination port is a port of the server.
Step 302: and the firewall determines the converted port corresponding to the session by taking the source network protocol address and the source port as parameters through the operation of an operation rule.
It should be noted that, after the firewall obtains the source network protocol address and the source port corresponding to the session, the firewall first determines the converted network protocol address, and then determines the converted port through a function operation with the source network protocol address and the source port as parameters. Generally, ports 0 to 1023 are fixed ports on which servers listen for connections and are not used for translating the source port of a packet, so the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) port numbers that can be used are 1024 to 65535. In some implementations of this embodiment, the hash value of the source network protocol address and the source port may be calculated first, and the hash value is then normalized to the range 1024 to 65535 by a mapping.
For example, when the client 1.1.1.1:1234 performs packet interaction with the server 8.8.8.8:90, the firewall obtains the source network protocol address 1.1.1.1, the source port 1234, the destination network protocol address 8.8.8.8, the destination port 90 and the network transport protocol. The firewall may first determine that the converted network protocol address is 2.2.2.2, then calculate the hash value of the source network protocol address 1.1.1.1 and the source port 1234 and, by normalizing the hash value through the mapping, determine that the converted port is 55. When the session table containing the destination network protocol address 8.8.8.8, the destination port 90, the converted network protocol address 2.2.2.2, the converted port 55 and the network transport protocol is unique, the packet interaction between the client 1.1.1.1:1234 and the server 8.8.8.8:90 may be carried out as packet interaction between the firewall 2.2.2.2:55 and the server 8.8.8.8:90.
Under the operation rule, if the source IP addresses are different and/or the source ports are different, the calculated converted ports are different, that is, it is determined that the converted ports corresponding to the sessions are different. For different sessions, the source IP addresses are usually different and the source ports are not all the same, so that the converted ports calculated for different sessions are usually different under the operation rule, thereby ensuring that the converted ports allocated for different sessions are different. Moreover, since the converted port corresponding to the session is directly determined by performing function operation based on the source IP address and the source port, complex search is not needed, and the situation of searching again after search failure does not occur, thereby greatly reducing the time complexity; whether the port is used or not does not need to be recorded, and whether the port is used or not does not need to be stored, so that the use of the memory is greatly saved.
It should be noted that, for the session, the firewall uses the converted IP address and the determined converted port to perform packet transmission with the server, instead of directly using the source IP address and the source port, so that, in the communication process between the firewall and the server, even if an attacker can obtain the converted IP address and the converted port, the attacker cannot calculate the source port through the converted IP address and the converted port, and the source IP address is protected, thereby protecting the privacy of the client connection port.
Step 303: if the firewall does not locally have a first session table with a target five-tuple, generating the first session table based on the target five-tuple, wherein the target five-tuple comprises a converted IP address, a converted port, a target IP address, a target port and a network transmission protocol.
It should be noted that, after determining the translated port corresponding to the session, when the translated IP address, the translated port, the destination IP address, the destination port, and the network transport protocol used by the session do not exist in the generated session table, the first session table generated by the firewall is unique. The first session table is shown in fig. 4-1, where address 1 indicates the number of addresses, and the session address indicates the address of the session table.
It should be noted that the target five-tuple includes the translated IP address, the translated port, the destination IP address, the destination port, and the network transport protocol of the session. On the one hand, since the source port is randomly extracted by the local machine of the client, the possibility that the source ports corresponding to different sessions are the same is low. On the other hand, since the translated port corresponding to the session is calculated based on the source IP address and the source port, the translated port determined in step 302 for the session is usually different from the translated ports being used by other sessions. In yet another aspect, the destination network protocol address and destination port that the client is to access the server are also typically not identical for different sessions. It can be seen that after determining the converted port for the session in step 302, the probability that the target five tuple of the session collides with the five tuples of other established sessions is very low, and therefore, the probability that the first session table with the target five tuple does not exist locally in the firewall can be as high as 99% or more.
It should be noted that, if the source IP address and the source port used by the session are the same as the source IP address and the source port of the established other session, after the converted port corresponding to the session is determined, the converted port of the session may be the same as the converted port used by the established other session, and further, if the converted IP address, the destination port, the network transport protocol corresponding to the session are also the same as the established other session, the source hardware address may be added to generate the session table with the multi-level address, so as to ensure the uniqueness of the session table. For this reason, the present embodiment may further include: and if a first session table with a target five-tuple exists in the local firewall, generating a second session table based on the first session table, wherein the second session table comprises a source hardware address and the session address, and the source hardware address is the local hardware address of the client.
In some embodiments of this embodiment, if the firewall has a first session table with a target five tuple locally and the multiplexing number of the converted port does not exceed a preset threshold, a second session table is generated based on the first session table. The second session table is shown in fig. 4-2, where addresses 2 and 3 indicate the number of addresses, that is, the number of sessions, and the address of the session group indicates the address of the session table, and the address of the session group includes the source hardware address and the session address. The multiplexing times are determined by the number of addresses recorded in the second session table, and the number of addresses represents the number of session group addresses in the second session table.
It should be noted that, when the converted port obtained by the operation conflicts with an existing session in the converted IP address, the destination port and the protocol, generating the second session table based on the first session table keeps the converted port obtained by the operation usable, and, where a reset packet is sent to the source end, greatly reduces the possibility that the converted port recomputed afterwards still conflicts.
It should be noted that, in some embodiments of this embodiment, if the first session table having the target five-tuple locally exists in the firewall and the multiplexing number of the converted port exceeds a preset threshold, a reset message may also be sent to the client. After receiving the reset message, the client may extract a new source port at random again and send a session request between the client and the server to the firewall again, and the firewall may recalculate according to the new source port to obtain a suitable converted port corresponding to the session.
Through various implementation manners provided by this embodiment, after obtaining a source port number and a source IP, a firewall performs function operation based on the source port number and the source IP to obtain a converted port, and when a first session table with a target five-tuple does not exist locally in the network forwarding device, the first session table is generated based on the target five-tuple, where the target five-tuple includes a converted network protocol address, a converted port, a destination network protocol address, a destination port, and a network transport protocol. Therefore, the converted port is obtained by performing function operation according to the source port number and the source IP, the port can be concurrent under multiple cores, and the converted port is simultaneously operated without mutual interference, so that port resource competition does not exist, whether the port is allocated or not does not need to be stored, the port does not need to be searched in a complex manner, the port does not need to be searched again after the searching fails, the converted port is rapidly determined under the multiple cores, and message transmission is performed through the converted port.
Referring to fig. 5, a flow chart of another method for determining a converted port according to an embodiment of the present invention is shown. In this embodiment, the method may include, for example, the steps of:
step 501: and the firewall acquires a source network protocol address and a source port corresponding to a session, wherein the session is used for communication between the client and the server.
Step 502: and the firewall determines the converted port corresponding to the session by taking the source network protocol address and the source port as parameters through the operation of an operation rule.
Step 503: if the firewall does not locally have a first session table with a target five-tuple, generating the first session table based on the target five-tuple, wherein the target five-tuple comprises a converted network protocol address, a converted port, a target network protocol address, a target port and a network transmission protocol.
Step 504: and if the firewall locally has a first session table with a target five-tuple and the multiplexing times of the converted port do not exceed a preset threshold value, generating a second session table based on the first session table, wherein the second session table comprises a source hardware address and the session address, and the source hardware address is a local hardware address of the client.
Optionally, in some implementations of this embodiment, the multiplexing count is determined by the number of addresses recorded in the second session table, that is, the number of session group addresses present in the second session table.
Step 505: If the firewall locally has a first session table with the target five-tuple and the multiplexing count of the converted port exceeds the preset threshold, it sends a reset message to the client.
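The procedure of steps 501 to 505, as an added Python model that is not code from the patent or from Neusoft: the page does not specify the operation rule, so a keyed hash into the ephemeral port range is assumed, and the threshold, rule key, addresses and MACs are constructed values. The `rule` parameter lets a constant rule be injected so that the five-tuple collision, second-session-table and reset paths can be exercised deterministically.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable

EPHEMERAL_MIN, EPHEMERAL_MAX = 1024, 65535
RULE_KEY = b"constructed-per-device-secret"  # assumption: the patent does not fix the rule


def converted_port(src_ip: str, src_port: int, key: bytes = RULE_KEY) -> int:
    """Operation rule (assumed): keyed hash of (source IP, source port) reduced
    into the ephemeral range. It is a pure function of its inputs, so every core
    computes the same port with no shared allocation state and no port search."""
    digest = hmac.new(key, f"{src_ip}:{src_port}".encode(), hashlib.sha256).digest()
    span = EPHEMERAL_MAX - EPHEMERAL_MIN + 1
    return EPHEMERAL_MIN + int.from_bytes(digest[:4], "big") % span


class Action(Enum):
    CREATE_FIRST = "step 503: create first session table"
    CREATE_SECOND = "step 504: create second session table, port multiplexed"
    RESET = "step 505: send reset message to client"


@dataclass
class Firewall:
    converted_ip: str
    threshold: int = 2                      # preset threshold (constructed value)
    rule: Callable[[str, int], int] = converted_port
    # first session table, keyed by target five-tuple; each entry holds the
    # second session table: the set of (source MAC, source IP, source port)
    # session group addresses that share this converted port
    first_table: dict = field(default_factory=dict)

    def multiplexing_count(self, five_tuple) -> int:
        """Number of session group addresses recorded for the five-tuple."""
        return len(self.first_table.get(five_tuple, ()))

    def handle_new_session(self, src_ip, src_port, src_mac, dst_ip, dst_port, proto):
        port = self.rule(src_ip, src_port)                        # step 502
        five_tuple = (self.converted_ip, port, dst_ip, dst_port, proto)
        session_group = (src_mac, src_ip, src_port)
        if five_tuple not in self.first_table:                    # step 503
            self.first_table[five_tuple] = {session_group}
            return Action.CREATE_FIRST, port
        if self.multiplexing_count(five_tuple) <= self.threshold:  # step 504
            self.first_table[five_tuple].add(session_group)
            return Action.CREATE_SECOND, port
        return Action.RESET, port                                 # step 505


if __name__ == "__main__":
    fw = Firewall("203.0.113.1")
    # constructed clients behind the firewall, all talking to the same server
    for mac, ip, sport in [("02:00:00:00:00:01", "10.0.0.11", 51000),
                           ("02:00:00:00:00:02", "10.0.0.12", 51000)]:
        print(mac, fw.handle_new_session(ip, sport, mac, "198.51.100.7", 443, "tcp"))
```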
Through the implementations provided by this embodiment, after obtaining a source port number and a source IP, the firewall performs a function operation on the source port number and the source IP to obtain a converted port, and when a first session table with the target five-tuple does not exist locally on the network forwarding device, the first session table is generated from the target five-tuple, where the target five-tuple includes the converted network protocol address, the converted port, the destination network protocol address, the destination port, and the network transport protocol. Because the converted port is obtained by a function operation on the source port number and the source IP, ports can be computed concurrently on multiple cores, and the converted ports are computed simultaneously without interfering with one another: there is no contention for port resources, no record of whether a port has been allocated needs to be stored, no complex port search is needed, and no repeated search is needed after a failed search. By adding the source hardware address to the session table, the uniqueness of the session table is ensured when target five-tuples conflict, so the computed converted port can still be used successfully, and when the number of conflicts is excessive the converted port can be recomputed by sending a reset message. The converted port can therefore be determined quickly on multiple cores, and message transmission is carried out through the converted port.
Exemplary device
Referring to fig. 6, a schematic structural diagram of an apparatus for determining a converted port according to an embodiment of the present invention is shown. In this embodiment, the apparatus may specifically include:
An obtaining unit 601, configured to obtain a source network protocol address and a source port corresponding to a session, where the session is used for communication between a client and a server.
A determining unit 602, configured to determine the converted port corresponding to the session by applying an operation rule with the source network protocol address and the source port as its parameters.
A first generating unit 603, configured to generate a first session table based on a target five-tuple if the first session table with the target five-tuple does not exist locally on the network forwarding device, where the target five-tuple includes a converted network protocol address, a converted port, a destination network protocol address, a destination port, and a network transport protocol.
Optionally, in some implementations of this embodiment, the apparatus may further include a second generating unit, configured to generate a second session table based on the first session table if the network forwarding device locally has the first session table with the target five-tuple, where the second session table includes a source hardware address and the session address, and the source hardware address is the local hardware address of the client.
Optionally, in some implementations of this embodiment, the second generating unit is further configured to generate the second session table based on the first session table if the first session table with the target five-tuple exists locally on the network forwarding device and the multiplexing count of the converted port does not exceed a preset threshold.
Optionally, in some implementations of this embodiment, the multiplexing count is determined by the number of addresses recorded in the second session table, that is, the number of session group addresses present in the second session table.
Optionally, in some implementations of this embodiment, the apparatus may further include a sending unit, configured to send a reset message to the client if the network forwarding device locally has the first session table with the target five-tuple and the multiplexing count of the converted port exceeds the preset threshold.
Through the implementations provided by this embodiment, after obtaining a source port number and a source IP, the firewall performs a function operation on the source port number and the source IP to obtain a converted port, and when a first session table with the target five-tuple does not exist locally on the network forwarding device, the first session table is generated from the target five-tuple, where the target five-tuple includes the converted network protocol address, the converted port, the destination network protocol address, the destination port, and the network transport protocol. Because the converted port is obtained by a function operation on the source port number and the source IP, ports can be computed concurrently on multiple cores, and the converted ports are computed simultaneously without interfering with one another: there is no contention for port resources, no record of whether a port has been allocated needs to be stored, no complex port search is needed, and no repeated search is needed after a failed search. The converted port is therefore determined quickly on multiple cores, and message transmission is carried out through the converted port.
Referring to fig. 7, a schematic structural diagram of an apparatus for determining a converted port according to an embodiment of the present invention is shown. In this embodiment, the apparatus may specifically include:
An obtaining unit 701, configured to obtain a source network protocol address and a source port corresponding to a session, where the session is used for communication between a client and a server.
A determining unit 702, configured to determine the converted port corresponding to the session by applying an operation rule with the source network protocol address and the source port as its parameters.
A first generating unit 703, configured to generate a first session table based on a target five-tuple if the network forwarding device does not locally have the first session table with the target five-tuple, where the target five-tuple includes a converted network protocol address, a converted port, a destination network protocol address, a destination port, and a network transport protocol.
A second generating unit 704, configured to generate a second session table based on the first session table if the network forwarding device locally has the first session table with the target five-tuple, where the second session table includes a source hardware address and the session address, and the source hardware address is the local hardware address of the client.
Optionally, in some implementations of this embodiment, the second generating unit is further configured to generate the second session table based on the first session table if the first session table with the target five-tuple exists locally on the network forwarding device and the multiplexing count of the converted port does not exceed a preset threshold.
Optionally, in some implementations of this embodiment, the multiplexing count is determined by the number of addresses recorded in the second session table, that is, the number of session group addresses present in the second session table.
A sending unit 705, configured to send a reset message to the client if the network forwarding device locally has the first session table with the target five-tuple and the multiplexing count of the converted port exceeds the preset threshold.
Through the implementations provided by this embodiment, after obtaining a source port number and a source IP, the firewall performs a function operation on the source port number and the source IP to obtain a converted port, and when a first session table with the target five-tuple does not exist locally on the network forwarding device, the first session table is generated from the target five-tuple, where the target five-tuple includes the converted network protocol address, the converted port, the destination network protocol address, the destination port, and the network transport protocol. Because the converted port is obtained by a function operation on the source port number and the source IP, ports can be computed concurrently on multiple cores, and the converted ports are computed simultaneously without interfering with one another: there is no contention for port resources, no record of whether a port has been allocated needs to be stored, no complex port search is needed, and no repeated search is needed after a failed search. By adding the source hardware address to the session table, the uniqueness of the session table is ensured when target five-tuples conflict, so the computed converted port can still be used successfully, and when the number of conflicts is excessive the converted port can be recomputed by sending a reset message. The converted port can therefore be determined quickly on multiple cores, and message transmission is carried out through the converted port.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. The terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described system embodiments are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
The foregoing is directed to embodiments of the present application and it is noted that numerous modifications and adaptations may be made by those skilled in the art without departing from the principles of the present application and are intended to be within the scope of the present application.

Claims (8)

1. A method for determining a converted port, applied to a network forwarding device, comprising the following steps:
acquiring a source network protocol address, a source port, a destination network protocol address, a destination port and a network transmission protocol corresponding to a session, wherein the session is used for communication between a client and a server;
determining a converted network protocol address, and determining a converted port corresponding to the session through the operation of an operation rule by taking the source network protocol address and the source port as parameters;
if the network forwarding device does not locally have a first session table with a target five-tuple, generating the first session table based on the target five-tuple, wherein the target five-tuple comprises the converted network protocol address, the converted port, the destination network protocol address, the destination port and the network transmission protocol;
if the network forwarding device locally has a first session table with the target five-tuple, generating a second session table based on the first session table, wherein the second session table comprises a source hardware address and the session address, and the source hardware address is a local hardware address of the client.
2. The method of claim 1, wherein if the network forwarding device has a first session table with a target five-tuple locally, generating a second session table based on the first session table comprises:
if the network forwarding device locally has a first session table with the target five-tuple and the multiplexing count of the converted port does not exceed a preset threshold, generating a second session table based on the first session table.
3. The method according to claim 2, wherein the number of times of multiplexing is determined by the number of addresses recorded in the second session table, the number of addresses indicating the number of session group addresses present in the second session table.
4. The method of claim 1, further comprising:
if the network forwarding device locally has a first session table with the target five-tuple and the multiplexing count of the converted port exceeds a preset threshold, sending a reset message to the client.
5. An apparatus for determining a converted port, applied to a network forwarding device, comprising:
an acquisition unit, configured to acquire a source network protocol address, a source port, a destination network protocol address, a destination port and a network transmission protocol corresponding to a session, wherein the session is used for communication between a client and a server;
a determining unit, configured to determine a converted network protocol address, and determine, by using the source network protocol address and the source port as parameters, a converted port corresponding to the session through an operation of an operation rule;
a first generating unit, configured to generate a first session table based on a target five-tuple if the first session table having the target five-tuple does not exist locally on the network forwarding device, where the target five-tuple includes the converted network protocol address, the converted port, the destination network protocol address, the destination port, and the network transport protocol;
a second generating unit, configured to generate a second session table based on the first session table if the network forwarding device locally has the first session table with a target five-tuple, where the second session table includes a source hardware address and the session address, and the source hardware address is a hardware address local to the client.
6. The apparatus according to claim 5, wherein the second generating unit is further configured to generate a second session table based on the first session table if the first session table with the target five-tuple exists locally in the network forwarding device and the multiplexing number of the converted port does not exceed a preset threshold.
7. The apparatus according to claim 6, wherein the number of times of multiplexing is determined by the number of addresses recorded in the second session table, the number of addresses indicating the number of session group addresses included in the second session table.
8. The apparatus of claim 5, further comprising:
a sending unit, configured to send a reset message to the client if the network forwarding device locally has a first session table with the target five-tuple and the multiplexing count of the converted port exceeds a preset threshold.
CN201611033880.8A 2016-11-22 2016-11-22 Method and device for determining converted port Active CN106789666B (en)


Publications (2)

Publication Number Publication Date
CN106789666A CN106789666A (en) 2017-05-31
CN106789666B true CN106789666B (en) 2020-05-08

Family

ID=58971953





Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant