CN113098991B - Message processing method and device, private line access gateway and public cloud system - Google Patents


Info

Publication number
CN113098991B
Authority
CN
China
Prior art keywords
address
network
message
destination
source
Legal status
Active
Application number
CN202110335089.7A
Other languages
Chinese (zh)
Other versions
CN113098991A (en)
Inventor
邓龙飞
Current Assignee
Beijing Kingsoft Cloud Network Technology Co Ltd
Original Assignee
Beijing Kingsoft Cloud Network Technology Co Ltd
Application filed by Beijing Kingsoft Cloud Network Technology Co Ltd
Priority to CN202110335089.7A
Publication of CN113098991A
Application granted
Publication of CN113098991B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/50 Address allocation
    • H04L61/5046 Resolving address allocation conflicts; Testing of addresses
    • H04L12/00 Data switching networks
    • H04L12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L61/2557 Translation policies or rules
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network

Abstract

The embodiment of the invention provides a message processing method, a message processing device, a private line access gateway and a public cloud system. The method comprises the following steps: receiving a first message, wherein the first message comprises a first source IP address and a first destination IP address; determining whether the first source IP address is a conflict IP address to obtain a first determination result; determining whether the first destination IP address is a conflict IP address to obtain a second determination result; performing network address translation processing on the first message according to the first determination result, the second determination result and a preset network address translation protocol to obtain a second message; and forwarding the second message. The cost of resolving IP address conflicts can be reduced.

Description

Message processing method and device, private line access gateway and public cloud system
Technical Field
The invention relates to the technical field of cloud services, in particular to a message processing method, a message processing device, a private line access gateway and a public cloud system.
Background
In some application scenarios, the cloud computing network architecture may include a private cloud and a public cloud, and is hereinafter referred to as a hybrid cloud. In an application scenario of a hybrid cloud, network devices in a private cloud and a public cloud can jointly implement cloud computing, and therefore the network devices in the private cloud and the network devices in the public cloud are required to be capable of communicating with each other.
However, the owner of the private cloud and the provider of the public cloud are often different, and therefore, when configuring the IP addresses of network devices, the network segments used by the owner of the private cloud and by the provider of the public cloud may overlap, so that an IP address conflict is formed (for example, the owner of the private cloud configures the IP address of network device A in the private cloud as 10.0.0.2, and the provider of the public cloud configures the IP address of network device B in the public cloud as 10.0.0.2), thereby causing abnormal communication between the network device of the public cloud and the network device of the private cloud.
In the related art, an owner of the private cloud may reconfigure an IP address of a network device of the private cloud to avoid a collision of the IP addresses. However, the scheme has large configuration workload and tedious operation, namely, the cost for solving the IP address conflict is high.
Disclosure of Invention
The embodiment of the invention aims to provide a message processing method, a message processing device, a private access gateway and a public cloud system, so as to reduce the cost of solving IP address conflict. The specific technical scheme is as follows:
in a first aspect of the embodiments of the present invention, a packet processing method is provided, which is applied to a private access gateway, where the private access gateway is disposed between a first network and a second network, an IP address of a first network device in the first network and an IP address of a second network device in the second network are mutually conflicting IP addresses, and the private access gateway is provided with a preset network address translation protocol, and the method includes:
receiving a first message, wherein the first message comprises a first source IP address and a first destination IP address;
determining whether the first source IP address is the conflict IP address or not to obtain a first determination result;
determining whether the first destination IP address is the conflict IP address or not to obtain a second determination result;
performing network address translation processing on the first message according to the first determination result, the second determination result and the preset network address translation protocol to obtain a second message;
and forwarding the second message.
In one possible embodiment, the private line access gateway stores a preset access control list,
and the determining whether the first source IP address is a conflict IP address to obtain a first determination result includes:
determining whether the first source IP address is a conflict IP address according to the preset access control list to obtain the first determination result.
In a possible embodiment, the private line access gateway includes a data interface, the preset access control list includes a corresponding relationship between at least one first preset IP address and a preset data interface, the first message further includes first data interface information, the first data interface information is used for indicating a data interface on the private line access gateway for receiving the first message,
determining whether the first source IP address is a conflicting IP address according to the preset access control list, and obtaining a first determination result, including:
determining whether the first source IP address of the first message and the data interface represented by the first data interface information match the first preset IP address and the preset data interface of any corresponding relation in the preset access control list;
and if they match, determining that the first source IP address of the first message is the conflict IP address.
In a possible embodiment, the determining whether the first destination IP address is the conflicting IP address obtains a second determination result, including:
determining whether the first destination IP address is a second preset IP address;
and if so, determining that the first destination IP address of the first message is the conflict IP address.
In one possible embodiment, when the first determination result is that the first source IP address is a conflicting IP address, and the second determination result is that the first destination IP address is a non-conflicting IP address,
the performing network address translation processing on the first packet according to the first determination result, the second determination result and the preset network address translation protocol to obtain a second packet includes:
processing the first message according to the preset network address conversion protocol so as to convert a first source IP address of the first message into a second source IP address;
and obtaining a second message based on the second source IP address and the first destination IP address.
In one possible embodiment, when the first determination result is that the first source IP address is a conflicting IP address, the second determination result is that the first destination IP address is a conflicting IP address,
the performing, according to the first determination result, the second determination result, and the preset network address translation protocol, network address translation processing on the first packet to obtain a second packet includes:
processing the first message according to the preset network address conversion protocol so as to convert a first source IP address of the first message into a second source IP address and convert the first destination IP address into a second destination IP address;
and obtaining a second message based on the second source IP address and the second destination IP address.
In one possible embodiment, when the first determination result is that the first source IP address is a non-conflicting IP address, the second determination result is that the first destination IP address is a conflicting IP address,
the performing network address translation processing on the first packet according to the first determination result, the second determination result and the preset network address translation protocol to obtain a second packet includes:
processing the first message according to the preset network address conversion protocol so as to convert the first destination IP address into a second destination IP address;
and obtaining a second message based on the first source IP address and the second destination IP address.
In one possible embodiment, when the first determination result is that the first source IP address is a non-conflicting IP address, the second determination result is that the first destination IP address is a non-conflicting IP address,
the method further comprises the following steps:
determining routing information according to the first source IP address and the first destination IP address;
and forwarding the first message based on the determined routing information.
In a second aspect of the embodiments of the present invention, a packet processing apparatus is provided, which is applied to a private access gateway, where the private access gateway is disposed between a first network and a second network, and an IP address of a first network device in the first network and an IP address of a second network device in the second network are conflicting IP addresses, and the private access gateway is provided with a preset network address translation protocol, and the apparatus includes:
the message receiving module is used for receiving a first message, wherein the first message comprises a first source IP address and a first destination IP address;
the source address detection module is used for determining whether the first source IP address is the conflict IP address or not to obtain a first determination result;
the destination address detection module is used for determining whether the first destination IP address is the conflict IP address or not to obtain a second determination result;
the address conversion module is used for performing network address conversion processing on the first message according to the first determination result, the second determination result and the preset network address conversion protocol to obtain a second message;
and the message sending module is used for forwarding the second message.
In one possible embodiment, the private access gateway stores a preset access control list,
the source address detection module comprises:
and the first determining unit is used for determining whether the first source IP address is a conflict IP address according to the preset access control list to obtain a first determination result.
In a possible embodiment, the private line access gateway further includes a data interface, the preset access control list includes a corresponding relationship between at least one first preset IP address and a preset data interface, the first message further includes first data interface information, the first data interface information is used for indicating a data interface on the private line access gateway, which receives the first message,
the first determining unit is specifically configured to determine whether the first source IP address of the first message and the interface represented by the first data interface information match the first preset IP address and the preset data interface of any corresponding relationship in the preset access control list;
and if they match, to determine that the first source IP address of the first message is a conflict IP address.
In a possible embodiment, the destination address detection module includes:
the judging unit is used for determining whether the first destination IP address is a second preset IP address;
and a second determining unit, configured to determine that the first destination IP address of the first message is the conflict IP address when the determination result is yes.
In one possible embodiment, the address translation module includes:
a first address translation unit, configured to, when the first determination result is that the first source IP address is a conflicting IP address and the second determination result is that the first destination IP address is a non-conflicting IP address, process the first packet according to the preset network address translation protocol, so as to translate the first source IP address of the first packet into a second source IP address;
and the first message generating unit is used for obtaining a second message based on the second source IP address and the first destination IP address.
In one possible embodiment, the address translation module includes:
a second address conversion unit, configured to, when the first determination result is that the first source IP address is a conflicting IP address, and the second determination result is that the first destination IP address is a conflicting IP address, process the first packet according to the preset network address conversion protocol, so as to convert the first source IP address of the first packet into a second source IP address, and convert the first destination IP address into a second destination IP address;
and the second message generating unit is used for obtaining a second message based on the second source IP address and the second destination IP address.
In one possible embodiment, the address translation module includes:
a third address translation unit, configured to, when the first determination result is that the first source IP address is a non-conflicting IP address, and the second determination result is that the first destination IP address is a conflicting IP address, process the first packet according to the preset network address translation protocol, so as to translate the first destination IP address into a second destination IP address;
and the third message generating unit is used for obtaining a second message based on the first source IP address and the second destination IP address.
In one possible embodiment, when the first determination result is that the first source IP address is a non-conflicting IP address, the second determination result is that the first destination IP address is a non-conflicting IP address,
the message sending module is further configured to determine routing information according to the first source IP address and the first destination IP address;
and forwarding the first message based on the determined routing information.
In a third aspect of the embodiments of the present invention, a private line access gateway is provided, where the private line access gateway is disposed between a first network and a second network, an IP address of a first network device in the first network and an IP address of a second network device in the second network are conflicting IP addresses, the private line access gateway is provided with a preset network address translation protocol, and the private line access gateway includes:
a processor, a communication interface, a memory, and a communication bus;
the processor, the communication interface and the memory complete mutual communication through the communication bus;
the memory is used for storing a computer program;
the processor is configured to implement the method steps of any one of the first aspect when executing the program stored in the memory.
In a fourth aspect of embodiments of the present invention, a public cloud system is provided, where the public cloud system includes a first network, a first switch, and a private line access gateway;
The first network is a public cloud, and the private access gateway is arranged between the first network and the first switch;
the first switch is used for connecting a second network and the private line access gateway;
the second network is a private cloud, the IP address of the first network equipment in the first network and the IP address of the second network equipment in the second network are conflict IP addresses, and the private access gateway is provided with a preset network address conversion protocol;
the private access gateway is configured to process a first packet according to the packet processing method in any of the first aspects, where the first packet is a packet sent by a network device in a first network to a network device in a second network or a packet sent by a network device in the second network to a network device in the first network.
In a fifth aspect of embodiments of the present invention, there is provided a hybrid cloud system comprising a first network, a second network, a first switch, a second switch, and a private access gateway,
the first network is a public cloud, and the second network is a private cloud;
the first switch is used for connecting the second switch and the private line access gateway;
the second switch is used for connecting the second network with the first switch;
the private access gateway is disposed between the first network and the first switch,
the IP address of the first network equipment in the first network and the IP address of the second network equipment in the second network are conflict IP addresses, and the private access gateway is provided with a preset network address translation protocol;
the private access gateway is configured to process a first packet according to the packet processing method of any of the first aspects, where the first packet is a packet sent by a network device in a first network to a network device in a second network or a packet sent by a network device in the second network to a network device in the first network.
The embodiment of the invention has the following beneficial effects:
the message processing method, the message processing device, the private line access gateway and the public cloud system provided by the embodiment of the invention can detect, through the private line access gateway, the first source IP address and the first destination IP address of a message sent from the first network to the second network, and perform network address translation processing on the first message according to the first determination result and the second determination result obtained by the detection and the preset network address translation protocol, to obtain the second message. Therefore, the IP addresses of messages sent by the first network device, messages sent to the first network device, messages sent by the second network device and messages sent to the second network device can all be translated, so that the network devices in the first network do not perceive the second network device and the network devices in the second network do not perceive the first network device; that is, no network device in the first network or the second network perceives the first network device and the second network device at the same time. The problem that network devices cannot communicate normally because the IP addresses of the first network device and the second network device conflict is thereby solved, and at the same time the IP addresses of the network devices in the first network or the second network do not need to be reconfigured, so the cost of resolving IP address conflicts can be reduced by adopting this embodiment.
Of course, it is not necessary for any product or method to achieve all of the above-described advantages at the same time for practicing the invention.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the embodiments or the prior art descriptions will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other embodiments can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic structural diagram of a hybrid cloud system according to an embodiment of the present invention;
fig. 2 is a schematic flow chart of a message processing method according to an embodiment of the present invention;
fig. 3 is a schematic flowchart of a first determination result determining method according to an embodiment of the present invention;
fig. 4 is a schematic flowchart of a second determination method according to an embodiment of the present invention;
fig. 5 is a schematic diagram of another architecture of a hybrid cloud system according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of a message processing apparatus according to an embodiment of the present invention;
fig. 7 is a schematic structural diagram of a private access gateway according to an embodiment of the present invention;
fig. 8 is a schematic diagram of a principle of a private access gateway according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In order to more clearly describe the message processing method provided in the embodiment of the present invention, an exemplary possible application scenario of the message processing method provided in the embodiment of the present invention is described below, and it can be understood that the following example is only one possible application scenario of the message processing method provided in the embodiment of the present invention, and the message processing method provided in the embodiment of the present invention may also be applied to other possible applications in other possible embodiments, and the present embodiment does not limit the present invention in any way.
Referring to fig. 1, fig. 1 is a schematic diagram illustrating an architecture of a hybrid cloud system according to an embodiment of the present invention, where the hybrid cloud system includes a public cloud system and a private cloud system; the public cloud system includes a network device 1, a network device 2 and a first switch, the private cloud system includes a second switch and a network device 3, the network devices 1 and 2 belong to the public cloud, and the network device 3 belongs to the private cloud.
For convenience of description, it is assumed that the IP addresses of the network device 1 and the network device 3 are the same, both being 10.0.0.2. If the network device 2 in the public cloud needs to send a packet to the network device 3 in the private cloud, the destination IP address of the packet is 10.0.0.2, and according to the local precedence principle the packet is forwarded to the network device 1, so that normal communication cannot take place between the network device 2 and the network device 3.
Based on this, the embodiment of the present invention provides a message processing method, which is applied to a private line access gateway, where the private line access gateway is disposed between a first network and a second network, the IP address of a first network device in the first network and the IP address of a second network device in the second network are conflicting IP addresses, and the private line access gateway is provided with a preset network address translation protocol. The first network and the second network are different from each other, and which networks they are may vary with the application scenario; for example, in the foregoing example application scenario, the first network may be one of the private cloud network and the public cloud network, and the second network is the other of the two.
As shown in fig. 2, the method for processing a packet according to the embodiment of the present invention includes:
S201, receiving a first message, wherein the first message comprises a first source IP address and a first destination IP address.
S202, determining whether the first source IP address is a conflict IP address or not, and obtaining a first determination result.
S203, determining whether the first destination IP address is a conflict IP address or not, and obtaining a second determination result.
S204, performing network address conversion processing on the first message according to the first determination result, the second determination result and a preset network address conversion protocol to obtain a second message.
S205, forwarding the second message.
With this embodiment, the first source IP address and the first destination IP address of a message sent from the first network to the second network can be detected through the private line access gateway, and network address translation processing is performed on the first message according to the first determination result and the second determination result obtained by the detection and the preset network address translation protocol, to obtain the second message. Therefore, the IP addresses of messages sent by the first network device, messages sent to the first network device, messages sent by the second network device and messages sent to the second network device can all be translated, so that the network devices in the first network do not perceive the second network device and the network devices in the second network do not perceive the first network device; that is, no network device in the first network or the second network perceives the first network device and the second network device at the same time. The problem that network devices cannot communicate normally because the IP addresses of the first network device and the second network device conflict is thereby solved, and at the same time the IP addresses of the network devices in the first network or the second network do not need to be reconfigured, so the cost of resolving IP address conflicts can be reduced by adopting this embodiment.
In S201, because the private access gateway is disposed between the first network and the second network, the first message received by the private access gateway may be sent to the network device in the second network by the network device in the first network, or sent to the network device in the first network by the network device in the second network. For convenience of description, the first packet is taken as a packet sent by a network device in a first network to a network device in a second network for example, and the principle of the case where the first packet is a packet sent by a network device in the second network to a network device in the first network is the same, which is not described herein again.
In S202, it may be understood that, if the first source IP address is a conflict IP address, the first message may be considered to be sent by the first network device, and in order to prevent the network devices in the second network from perceiving the first network device, the private line access gateway needs to translate the source IP address of the first message. If the first source IP address is not a conflict IP address, the first message may be considered not to be sent by the first network device, and in this case the private line access gateway does not need to translate the source IP address of the first message.
In S203, it can be understood that, if the first destination IP address is a conflict IP address, the first message may be considered to be sent to the second network device. To prevent the network devices in the first network from perceiving the second network device, the private line access gateway translates the source IP address of messages sent by the second network device to network devices in the first network, so the destination IP address that a network device in the first network has learned, and uses when sending a message to the second network device, is not the real IP address of the second network device; the private line access gateway therefore needs to translate the destination IP address of the message so that it can be delivered accurately to the second network device.
If the first destination IP address is not a conflict IP address, it may be determined that the first message is not sent to the second network device. Because the private line access gateway does not need to translate the source IP addresses of messages sent by network devices in the second network other than the second network device, the destination IP address learned by a network device in the first network when sending a message to those other network devices is the real IP address of the other network device, and the private line access gateway does not need to translate the destination IP address of the message.
S203 may be executed before S202, after S202, or concurrently with S202; this is not limited in this embodiment.
In S204, the preset network address translation protocol may specify a corresponding relationship between determination results and address translation modes; the address translation mode corresponding to the first determination result and the second determination result is looked up in the preset network address translation protocol, and network address translation processing is performed on the first message according to the determined address translation mode.
As analyzed above, the network address translation processing on the first packet needs to satisfy the following conditions: if the first source IP address is a conflict IP address, the private access gateway needs to convert the first source IP address, and if the first source IP address is not the conflict address, the private access gateway does not need to convert the first source IP address. If the first destination IP address is a conflict IP address, the private access gateway needs to convert the first destination IP address, and if the first destination IP address is not the conflict IP address, the private access gateway does not need to convert the first destination IP address.
Provided these conditions are met, different address translation modes may be applied to the first packet according to actual requirements; this embodiment does not limit which mode is used.
As an example, the network address translation applied in four different cases is described below:
Case one: the first determination result is that the first source IP address is the conflicting IP address, and the second determination result is that the first destination IP address is the conflicting IP address.
As discussed above, in this case, the private access gateway needs to perform address translation on the first source IP address and needs to perform address translation on the first destination IP address, so in a possible embodiment, the private access gateway may process the first packet according to a predetermined network address translation protocol to translate the first source IP address of the first packet into the second source IP address and translate the first destination IP address into the second destination IP address. And obtaining a second message based on the second source IP address and the second destination IP address.
The second source IP address differs from the first source IP address, and the second destination IP address differs from the first destination IP address. The second source IP address may be an address of the private line access gateway, for example the IP address of the gateway's data interface that connects to the second network, or the IP address of another device connected to the private line access gateway that forwards packets to the gateway after receiving them.
The second destination IP address may be the IP address of the second network device, that is, the conflicting IP address, or the IP address of another device connected to the second network device that forwards packets to the second network device after receiving them.
In case one, the first packet can be taken to be sent from the first network device to the second network device. Because the first source IP address is translated into the second source IP address, the destination IP address that the network devices in the second network learn for reaching the first network device is the second source IP address, which points to the private line access gateway; any packet a device in the second network sends in response to the second packet is therefore directed to the private line access gateway and forwarded by it to the first network device, so the devices in the second network never become aware of the first network device. Because the first destination IP address is translated into the second destination IP address, which points to the second network device, the second packet is delivered accurately to the second network device.
Case two: the first determination result is that the first source IP address is a non-conflicting IP address, and the second determination result is that the first destination IP address is the conflicting IP address.
As discussed above, in this case the private line access gateway does not need to translate the first source IP address but does need to translate the first destination IP address, so in a possible embodiment the private line access gateway processes the first packet according to the preset network address translation protocol to translate the first destination IP address into the second destination IP address, and obtains the second packet from the first source IP address and the second destination IP address.
For the second destination IP address, reference may be made to the description of the foregoing case one, and details are not described herein. It is understood that in other possible embodiments, in case two, the private access gateway may also perform address translation on the first source IP address, for example, translating the first source IP address into a third source IP address, where the third source IP address may be the same as or different from the second source IP address, and the third source IP address is an IP address pointing to the private access gateway.
It is understood that in the second case, the first packet may be considered to be sent to the second network device by the non-first network device in the first network, and the second packet may be accurately sent to the second network device since the first destination IP address is converted into the second destination IP address, and the second destination IP address is an IP address pointing to the second network device.
Case three: the first determination result is that the first source IP address is the conflicting IP address, and the second determination result is that the first destination IP address is a non-conflicting IP address.
As analyzed above, the private access gateway needs to perform address translation on the first source IP address at this time, and does not need to perform address translation on the first destination IP address, so in a possible embodiment, the private access gateway may process the first packet according to a predetermined network address translation protocol to translate the first source IP address of the first packet into the second source IP address. And obtaining a second message based on the second source IP address and the first destination IP address.
For the second source IP address, reference may be made to the description of the foregoing case one, and details are not repeated here. It is understood that in other possible embodiments, in case three, the private access gateway may also perform address translation on the first destination IP address, for example, translate the first destination IP address into a third destination IP address, where the third destination IP address may be the same as the second destination IP address or different from the second destination IP address, and the third destination IP address and the first destination address point to the same network device.
In case three, the first packet can be taken to be sent by the first network device to a non-second network device in the second network. In this embodiment, because the first source IP address is translated into the second source IP address, the destination IP address that the network devices in the second network learn for reaching the first network device is the second source IP address, which points to the private line access gateway; any packet a device in the second network sends in response to the second packet is therefore directed to the private line access gateway and forwarded by it to the first network device, so the devices in the second network never become aware of the first network device.
Case four: the first determination result is that the first source IP address is a non-conflicting IP address, and the second determination result is that the first destination IP address is a non-conflicting IP address.
As discussed above, the private access gateway does not need to perform address translation for the first source IP address and does not need to perform address translation for the first destination IP address, and thus in one possible embodiment, the private access gateway does not need to perform address translation for the first packet. At this time, the private access gateway may determine routing information according to the first source IP address and the first destination IP address, and forward the first packet based on the determined routing information.
It can be understood that, in the fourth case, the first packet may be considered as being sent by the non-first network device in the first network to the non-second network device in the second network, so that a forwarding error caused by an IP address conflict between the first network device and the second network device may not occur in a forwarding process of the first packet, and the first packet may be forwarded normally at this time.
In order to more clearly describe the message processing method provided in the embodiment of the present invention, the following respectively describes the determination manners of the first determination result and the second determination result.
For the first determination result:
In a possible embodiment, the private line access gateway stores a preset access control list and determines, according to that list, whether the first source IP address is a conflicting IP address, thereby obtaining the first determination result.
The preset access control list may specify a plurality of rules; when the first packet hits any one of the rules, its first source IP address is determined to be a conflicting IP address. The form of the rules may differ between embodiments. For example, in a possible embodiment a rule is expressed as a correspondence between an IP address and a data interface: the private line access gateway has data interfaces, the preset access control list contains at least one correspondence between a first preset IP address and a preset data interface, and the first packet further carries first data interface information identifying the data interface on which the private line access gateway received it.
In this embodiment, the manner for determining whether the first source IP address is a conflicting IP address may be as shown in fig. 3, including:
S301, determining whether the first source IP address of the first packet and the data interface identified by the first data interface information match the first preset IP address and preset data interface of any correspondence in the preset access control list.
A match means that the preset access control list contains a correspondence satisfying both of the following conditions:
the first preset IP address in the correspondence is the first source IP address, and the data interface in the correspondence is the data interface identified by the first data interface information.
S302, when a match is found, determining that the first source IP address of the first packet is the conflicting IP address.
For example, assume that the preset access control list contains the correspondence that IP address 111.1.1 maps to data interface A; if the first source IP address of the first packet is 111.1.1 and the data interface identified by its first data interface information is data interface A, a match is found, and the first source IP address of the first packet is determined to be the conflicting IP address.
For the second determination result:
In one possible embodiment, the second determination result may be obtained as shown in fig. 4, including:
S401, determining whether the first destination IP address is a second preset IP address.
The second preset IP address may be an IP address pointing to a private access gateway, and it may be understood that if the first destination IP address of the first packet is a conflicting IP address, the first packet may be considered to be sent to the second network device. As described above, since the private access gateway performs address translation on the source IP address of the packet sent by the second network device, the packet sent by the network device in the first network to the second network device is directed to the private access gateway, that is, the first destination IP address should be the second preset IP address.
S402, if so, determining that the first destination IP address of the first packet is a conflicting IP address.
As analyzed in S401, if the first destination IP address is the second preset IP address, the first packet may be considered as a packet addressed to the second network device, and thus the first destination IP address may be determined to be the conflicting IP address.
To explain the principle of the message processing method provided by the embodiment of the present invention more clearly, a specific application scenario is described with reference to fig. 5, which is a schematic diagram of another architecture of a hybrid cloud system provided by the embodiment of the present invention.
The hybrid cloud system comprises a public cloud system and a private cloud system, the public cloud system can comprise a first switch, a private access gateway and a public cloud, and the private cloud system can comprise a second switch and a private cloud.
In the hybrid cloud system, the private cloud may be a first network and the public cloud may be a second network, or the public cloud may be the first network and the private cloud may be the second network. For convenience of description, the following description will be made for four scenarios by taking a public cloud network as a first network and a private cloud network as a second network as examples:
Scenario one: a non-first network device in the public cloud network sends a first packet to the second network device in the private cloud network.
Assume that the IP address of the non-first network device in the public cloud is 10.10.5.53 and the IP address of the second network device in the private cloud is 10.10.10.3, i.e. the conflicting IP address is 10.10.10.3. Assume further that the private line access gateway has two data interfaces: data interface A, which connects to the public cloud, has IP address 20.20.20.3, and data interface B, which connects to the private cloud, has IP address 30.30.30.3. A preset access control list in the private line access gateway contains two correspondences: IP address 10.10.10.3 corresponds to data interface A, and IP address 10.10.10.3 corresponds to data interface B.
As analyzed above, the source IP address of the packets that the non-first network device in the public cloud received from the second network device in the private cloud during route learning had been translated into 30.30.30.3, so the first packet has source IP address 10.10.5.53 and destination IP address 30.30.30.3.
Because the private line access gateway receives the packet on data interface A, the data interface identified by the first data interface information of the packet is data interface A. The first source IP address and the first data interface information clearly match none of the correspondences in the preset access control list, so the private line access gateway determines that the first source IP address of the first packet is not a conflicting IP address.
It can be understood that, at this time, the second preset IP address includes the IP address 30.30.30.3 of the data interface B, so that the private access gateway can determine that the first destination IP address of the first packet is the second preset IP address, thereby determining that the first destination IP address of the first packet is the conflicting IP address.
That is, at this time, the private access gateway may determine that the first determination result is that the first source IP address is not the conflicting IP address, and may determine that the second determination result is that the first destination IP address is the conflicting IP address. At this time, referring to the related description of the foregoing case two, the private access gateway may convert the first destination IP address into the second destination IP address, and obtain the second packet based on the first source IP address and the second destination IP address.
The source IP address of the obtained second packet is 10.10.5.53, the destination IP address is 10.10.10.3, and the private access gateway forwards the second packet to the first switch. Since the source IP address of the packet received by the first switch is 10.10.5.53 and the destination IP address is 10.10.10.3, the first switch may forward the second packet to the network device with the destination IP address in the private cloud, that is, the second network device in the private cloud, according to the routing table stored locally.
The source IP address of the second packet received by the second network device in the private cloud is 10.10.5.53, and the destination IP address is 10.10.10.3, so if the second network device in the private cloud needs to respond to the second packet, the source IP address of the responded packet is 10.10.10.3, and the destination IP address is 10.10.5.53. When the message is transmitted to the private access gateway, since the source IP address is the conflict IP address and the destination IP address is not the conflict IP address, the private access gateway converts the source IP address of the message into 30.30.30.3, so that the source IP address of the responded message received by the network device in the public cloud is 30.30.30.3 (which explains why the destination IP address when the network device in the public cloud sends the message to the second network device in the private cloud is 30.30.30.3), and the destination IP address is 10.10.5.53.
It can be seen that in scenario one, network devices in the private cloud and the public cloud can communicate normally.
Scenario two: the first network device in the public cloud network sends a first packet to the second network device in the private cloud network.
Assume that the IP address of the first network device in the public cloud and the IP address of the second network device in the private cloud are both 10.10.10.3, i.e. the conflicting IP address is 10.10.10.3. Assume further that the private line access gateway has two data interfaces: data interface A, which connects to the public cloud, has IP address 20.20.20.3, and data interface B, which connects to the private cloud, has IP address 30.30.30.3. A preset access control list in the private line access gateway contains two correspondences: IP address 10.10.10.3 corresponds to data interface A, and IP address 10.10.10.3 corresponds to data interface B.
As analyzed above, the source IP address of the first packet sent by the first network device in the public cloud is 10.10.10.3, and the destination IP address is 30.30.30.3.
Because the private line access gateway receives the packet on data interface A, the data interface identified by the first data interface information of the packet is data interface A. The first source IP address and the first data interface information match the correspondence between IP address 10.10.10.3 and data interface A in the preset access control list, so the private line access gateway determines that the first source IP address of the first packet is a conflicting IP address.
It can be understood that, at this time, the second preset IP address includes the IP address 30.30.30.3 of the data interface B, so that the dedicated line access gateway may determine that the first destination IP address of the first packet is the second preset IP address, thereby determining that the first destination IP address of the first packet is the conflicting IP address.
That is, the private line access gateway determines that the first determination result is that the first source IP address is the conflicting IP address, and that the second determination result is that the first destination IP address is the conflicting IP address. Referring to the description of case one above, the private line access gateway translates the first source IP address into the second source IP address and the first destination IP address into the second destination IP address, and obtains the second packet from the second source IP address and the second destination IP address.
Assuming that the second source IP address is 20.20.20.2, the source IP address of the obtained second packet is 20.20.20.2, and the destination IP address is 10.10.10.3, and the private access gateway forwards the second packet to the first switch. Since the source IP address of the packet received by the first switch is 20.20.20.3, and the destination IP address is 10.10.10.3, the first switch may forward the second packet to the network device whose IP address is the destination IP address in the private cloud, that is, the second network device in the private cloud, according to the routing table stored locally.
The second packet received by the second network device in the private cloud has source IP address 20.20.20.3 and destination IP address 10.10.10.3. If the second network device in the private cloud needs to respond to the second packet, the response packet has source IP address 10.10.10.3 and destination IP address 20.20.20.3. Since 20.20.20.3 is the address of data interface A of the private line access gateway, the response packet is forwarded to the private line access gateway. When it arrives, the source IP address is the conflicting IP address and the destination IP address is also the conflicting IP address, so the private line access gateway translates the source IP address of the packet into 30.30.30.3 and the destination IP address into 10.10.10.3.
The private access gateway may forward the responded packet after the address change to the first network device in the public cloud according to the destination IP address. The source IP address of the message received by the first network device in the public cloud and responded by the second network device is 30.30.30.3, and the destination IP address is 10.10.10.3.
It can be seen that in scenario two, the network devices in the private cloud and the public cloud can communicate normally.
Scenario three: the first network device in the public cloud sends a first packet to a non-second network device in the private cloud.
Assume that the IP address of the first network device in the public cloud is 10.10.10.3, i.e. the conflicting IP address is 10.10.10.3, and that the IP address of the non-second network device in the private cloud is 10.10.5.53. Assume further that the private line access gateway has two data interfaces: data interface A, which connects to the public cloud, has IP address 20.20.20.3, and data interface B, which connects to the private cloud, has IP address 30.30.30.3. A preset access control list in the private line access gateway contains two correspondences: IP address 10.10.10.3 corresponds to data interface A, and IP address 10.10.10.3 corresponds to data interface B.
As described in the foregoing analysis, the source IP address of the first packet sent by the first network device in the public cloud is 10.10.10.3, and the destination IP address is 10.10.5.53.
Because the private line access gateway receives the packet on data interface A, the data interface identified by the first data interface information of the packet is data interface A. The first source IP address and the first data interface information clearly match the correspondence between IP address 10.10.10.3 and data interface A in the preset access control list, so the private line access gateway determines that the first source IP address of the first packet is a conflicting IP address.
It is understood that, at this time, the second preset IP address includes the IP address 30.30.30.3 of the data interface B, and the first destination IP address is 10.10.5.53, so that the dedicated line access gateway may determine that the first destination IP address of the first packet is not the second preset IP address, and thus determine that the first destination IP address of the first packet is not the conflicting IP address.
That is, at this time, the private access gateway may determine that the first determination result is that the first source IP address is the conflicting IP address, and may determine that the second determination result is that the first destination IP address is not the conflicting IP address. At this time, referring to the related description of the third case, the private access gateway may convert the first source IP address into the second source IP address, and obtain the second packet based on the second source IP address and the first destination IP address.
Assuming that the second source IP address is 20.20.20.3, the source IP address of the obtained second packet is 20.20.20.3, the destination IP address is 10.10.5.53, and the private access gateway forwards the second packet to the first switch. Since the source IP address of the second packet received by the first switch is 20.20.20.3 and the destination IP address is 10.10.5.53, the first switch may forward the packet to the network device whose IP address is the destination IP address in the private cloud, that is, the non-second network device in the private cloud, according to the routing table stored locally.
If the non-second network device in the private cloud needs to respond to the second message, the source IP address of the responded message is 10.10.5.53, and the destination IP address is 20.20.20.3. Since 20.20.20.3 is the address of the external interface in the private access gateway, the responded packet will be forwarded to the private access gateway. When the message is transmitted to the private access gateway, because the source IP address is not the conflict IP address, and the destination IP address is the conflict IP address, the private access gateway converts the destination IP address of the message into 10.10.10.3, and forwards the responded message to the first network device in the public cloud according to the converted address.
The private access gateway can forward the modified response message to the network equipment with the IP address conflict in the public cloud according to the destination IP address. The source IP address of the reply message received by the network device in the public cloud, where the IP address conflict occurs, is 10.10.5.53, and the destination IP address is 10.10.10.3.
It can be seen that in scenario three, network devices in the private cloud and the public cloud can communicate normally.
Scenario four: a non-first network device in the public cloud sends a first packet to a non-second network device in the private cloud.
Assume that the IP address of the non-first network device in the public cloud is 10.10.5.53, the IP address of the non-second network device in the private cloud is 10.10.5.63, and the conflicting IP address is 10.10.10.3. Assume further that the private line access gateway has two data interfaces: data interface A, which connects to the public cloud, has IP address 20.20.20.3, and data interface B, which connects to the private cloud, has IP address 30.30.30.3. A preset access control list in the private line access gateway contains two correspondences: IP address 10.10.10.3 corresponds to data interface A, and IP address 10.10.10.3 corresponds to data interface B.
Since the first packet is a packet sent by the non-first network device in the public cloud to the non-second network device in the private cloud, the source IP address of the first packet is 10.10.5.53, and the destination IP address is 10.10.5.63.
Because the private line access gateway receives the packet on data interface A, the data interface identified by the first data interface information of the packet is data interface A. The first source IP address and the first data interface information clearly match none of the correspondences in the preset access control list, so the private line access gateway determines that the first source IP address of the first packet is not a conflicting IP address.
It can be understood that, at this time, the second preset IP address includes the IP address 30.30.30.3 of the data interface B, and the first destination IP address is 10.10.5.53, so that the dedicated line access gateway may determine that the first destination IP address of the first packet is not the second preset IP address, and thus determine that the first destination IP address of the first packet is not the conflicting IP address.
That is, at this time, the private line access gateway may determine that the first determination result is that the first source IP address is not a conflicting IP address, and may determine that the second determination result is that the first destination IP address is not a conflicting IP address. At this time, referring to the related description of the fourth case, the dedicated access gateway may determine routing information according to the first source IP address and the first destination IP address, and forward the first packet to the first switch based on the determined routing information.
The packet received by the first switch has source IP address 10.10.5.53 and destination IP address 10.10.5.63, so the first switch can forward the first packet, according to its locally stored routing table, to the network device in the private cloud whose IP address is the destination IP address, that is, to the non-second network device in the private cloud.
The packet received by the non-second network device in the private cloud has source IP address 10.10.5.53 and destination IP address 10.10.5.63, so if that device needs to respond to the packet, the response packet has source IP address 10.10.5.63 and destination IP address 10.10.5.53. When the response packet is transmitted to the private line access gateway, because neither its source IP address nor its destination IP address is a conflicting IP address, the private line access gateway determines routing information based on the source IP address and destination IP address of the response packet, and forwards it to the non-first network device in the public cloud based on the determined routing information.
It can be seen that in scenario four, network devices in the private cloud and the public cloud can communicate normally.
Referring to fig. 6, fig. 6 is a schematic structural diagram of a message processing apparatus according to an embodiment of the present invention, where the message processing apparatus is applied to a private access gateway, the private access gateway is disposed between a first network and a second network, and an IP address of a first network device in the first network and an IP address of a device in the second network are conflicting IP addresses, and the private access gateway is provided with a preset network address translation protocol, where the message processing apparatus may include:
a message receiving module 601, configured to receive a first message, where the first message includes a first source IP address and a first destination IP address;
a source address detection module 602, configured to determine whether the first source IP address is the conflicting IP address, and obtain a first determination result;
a destination address detection module 603, configured to determine whether the first destination IP address is the conflict IP address, and obtain a second determination result;
an address translation module 604, configured to perform network address translation processing on the first packet according to the first determination result, the second determination result, and the preset network address translation protocol, to obtain a second packet;
a message sending module 605, configured to forward the second message.
With this embodiment, the first source IP address and the first destination IP address of a message sent from the first network to the second network can be detected by the private line access gateway, and network address translation processing is performed on the first message according to the first determination result, the second determination result obtained by that detection and the preset network address translation protocol, so as to obtain the second message. Therefore, the IP addresses of messages sent by the first network device, messages sent to the first network device, messages sent by the second network device and messages sent to the second network device can all be translated, so that network devices in the first network do not perceive the second network device and network devices in the second network do not perceive the first network device; that is, no network device in the first network or the second network perceives the first network device and the second network device at the same time. The problem that network devices cannot communicate normally because the IP addresses of the first network device and the second network device conflict with each other is therefore solved, and at the same time the IP addresses of the network devices in the first network or the second network do not need to be reconfigured, so the cost of resolving the IP address conflict is reduced by adopting this embodiment.
In one possible embodiment, the private access gateway stores a default access control list,
the source address detection module 602 includes:
a first determining unit, configured to determine, according to the preset access control list, whether the first source IP address is a conflicting IP address, to obtain a first determination result.
In a possible embodiment, the private line access gateway further includes a data interface, the preset access control list includes a corresponding relationship between at least one first preset IP address and a preset data interface, the first message further includes first data interface information, the first data interface information is used for indicating a data interface on the private line access gateway, which receives the first message,
the first determining unit is specifically configured to determine whether the first source IP address of the first packet and the data interface represented by the first data interface information match the first preset IP address and the preset data interface of any corresponding relation in the preset access control list;
and when they match, determine that the first source IP address of the first packet is a conflicting IP address.
In a possible embodiment, the destination address detecting module 603 includes:
the judging unit is used for determining whether the first destination IP address is a second preset IP address;
and a second determining unit, configured to determine that the first destination IP address of the first packet is the conflicting IP address when the determination is yes.
In a possible embodiment, the address translation module 604 includes:
a first address translation unit, configured to, when the first determination result is that the first source IP address is a conflicting IP address and the second determination result is that the first destination IP address is a non-conflicting IP address, process the first packet according to the preset network address translation protocol, so as to translate the first source IP address of the first packet into a second source IP address;
and the first message generating unit is used for obtaining a second message based on the second source IP address and the first destination IP address.
In one possible embodiment, the address translation module 604 includes:
a second address conversion unit, configured to, when the first determination result is that the first source IP address is a conflicting IP address, and the second determination result is that the first destination IP address is a conflicting IP address, process the first packet according to the preset network address conversion protocol, so as to convert the first source IP address of the first packet into a second source IP address, and convert the first destination IP address into a second destination IP address;
and the second message generating unit is used for obtaining a second message based on the second source IP address and the second destination IP address.
In a possible embodiment, the address translation module 604 includes:
a third address translation unit, configured to, when the first determination result is that the first source IP address is a non-conflicting IP address, and the second determination result is that the first destination IP address is a conflicting IP address, process the first packet according to the preset network address translation protocol, so as to translate the first destination IP address into a second destination IP address;
and the third message generating unit is used for obtaining a second message based on the first source IP address and the second destination IP address.
In one possible embodiment, when the first determination result is that the first source IP address is a non-conflicting IP address, the second determination result is that the first destination IP address is a non-conflicting IP address,
the message sending module 605 is further configured to determine routing information according to the first source IP address and the first destination IP address;
and forwarding the first message based on the determined routing information.
The embodiment of the present invention further provides a private line access gateway, the private line access gateway is disposed between a first network and a second network, and an IP address of a first network device in the first network and an IP address of a second network device in the second network are conflicting IP addresses, the private line access gateway is provided with a preset network address translation protocol, and as shown in fig. 7, the private line access gateway may include a processor 701, a communication interface 702, a memory 703 and a communication bus 704, where the processor 701, the communication interface 702, and the memory 703 complete mutual communication through the communication bus 704,
a memory 703 for storing a computer program;
the processor 701 is configured to implement the following steps when executing the program stored in the memory 703:
receiving a first message, wherein the first message comprises a first source IP address and a first destination IP address;
determining whether the first source IP address is the conflict IP address or not to obtain a first determination result;
determining whether the first destination IP address is the conflict IP address or not to obtain a second determination result;
performing network address translation processing on the first message according to the first determination result, the second determination result and the preset network address translation protocol to obtain a second message;
and forwarding the second message.
The communication bus mentioned in the above dedicated access gateway may be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus, etc. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this is not intended to represent only one bus or type of bus.
The communication interface is used for communication between the private access gateway and other equipment.
The memory may include a Random Access Memory (RAM) or a Non-Volatile Memory (NVM), such as at least one disk memory. Optionally, the memory may also be at least one storage device located remotely from the processor.
The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP) and the like; or it may be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
To explain the private line access gateway provided in the embodiment of the present invention more clearly, refer to fig. 8, which is a schematic diagram illustrating the principle of the private line access gateway provided in the embodiment of the present invention, where the private line access gateway includes a Network Card (NIC), an access control list flow classification circuit unit, a layer-2 and layer-3 forwarding circuit unit, and an address translation circuit unit.
The network card is used for receiving the first message and sending the received first message to the access control list flow classification circuit unit.
The access control list flow classification circuit unit is used for determining whether a first source IP address of the first message is a conflict IP address or not, obtaining a first determination result, determining whether a first destination IP address of the first message is the conflict IP address or not, and obtaining a second determination result.
When the first determination result is that the first source IP address is not a conflicting IP address and the second determination result is that the first destination IP address is not a conflicting IP address, the access control list flow classification circuit unit sends the first message to the layer-2 and layer-3 forwarding circuit unit; otherwise, it sends the first determination result, the second determination result and the first message to the address translation circuit unit.
The layer-2 and layer-3 forwarding circuit unit is used for determining routing information based on the first source IP address and the first destination IP address of the first message, and controlling the network card to forward the first message based on the determined routing information.
The address conversion circuit unit is used for carrying out network address conversion processing on the first message according to the first determination result, the second determination result and a preset network address conversion protocol to obtain a second message, and forwarding the second message through the network card.
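The decision path of the apparatus modules 602 to 605 and of the fig. 8 pipeline (ACL flow classification, the four address translation cases, plain routing when nothing conflicts), as an added Python model that is not the patent's own code. The addresses 10.10.5.53, 10.10.5.63 and 30.30.30.3 are taken from the description; the conflicting address 10.10.5.88, the alias 30.30.30.1, the roles of interfaces A and B, the NAT mappings and the per-ingress route table are constructed assumptions.

```python
# Added example (not the patent's own code): a model of the private line access
# gateway's decision path, i.e. the ACL flow classification (modules 602/603),
# the four NAT cases (module 604) and routing for the non-conflicting case
# (module 605). Addresses, interface names and NAT mappings are constructed.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str      # first source IP address
    dst: str      # first destination IP address
    ingress: str  # first data interface information: interface that received it


@dataclass
class PrivateLineGateway:
    # preset access control list: (first preset IP, preset data interface) pairs
    acl: FrozenSet[Tuple[str, str]]
    # assumed shape of the preset NAT protocol:
    #   (conflicting source IP, ingress interface) -> second source IP
    src_nat: Dict[Tuple[str, str], str]
    #   second preset IP (destination) -> second destination IP
    dst_nat: Dict[str, str]
    # per-ingress routing table: ingress -> [(destination network, egress interface)]
    routes: Dict[str, List[Tuple[str, str]]]

    def source_is_conflicting(self, pkt: Packet) -> bool:
        """First determination result: the source matches an ACL entry on BOTH
        address and receiving interface, so the same address arriving on the
        other interface is not treated as the conflicting device."""
        return (pkt.src, pkt.ingress) in self.acl

    def destination_is_conflicting(self, pkt: Packet) -> bool:
        """Second determination result: the destination is a second preset IP."""
        return pkt.dst in self.dst_nat

    def lookup_route(self, pkt: Packet) -> str:
        """Longest-prefix match in the table of the interface the packet came in
        on (policy routing per ingress is an assumption; the patent only says
        routing is determined from source and destination)."""
        dst = ip_address(pkt.dst)
        best: Tuple[int, str] = (-1, "")
        for net, egress in self.routes.get(pkt.ingress, []):
            network = ip_network(net)
            if dst in network and network.prefixlen > best[0]:
                best = (network.prefixlen, egress)
        if best[0] < 0:
            raise LookupError(f"no route for {pkt.dst} received on {pkt.ingress}")
        return best[1]

    def process(self, pkt: Packet) -> Tuple[str, Packet, str]:
        """Return (NAT case, second packet, egress interface)."""
        src_conf = self.source_is_conflicting(pkt)
        dst_conf = self.destination_is_conflicting(pkt)
        out = pkt
        if src_conf:   # cases 1 and 2: rewrite the source address
            out = replace(out, src=self.src_nat[(pkt.src, pkt.ingress)])
        if dst_conf:   # cases 2 and 3: rewrite the destination address
            out = replace(out, dst=self.dst_nat[pkt.dst])
        case = {
            (True, False): "translate-source",
            (True, True): "translate-both",
            (False, True): "translate-destination",
            (False, False): "route-only",   # case 4: plain routing, no NAT
        }[(src_conf, dst_conf)]
        # the (possibly translated) packet is routed on its final destination
        return case, out, self.lookup_route(out)


def build_demo_gateway() -> PrivateLineGateway:
    """Constructed topology: interface A faces the public cloud (first network),
    interface B (IP 30.30.30.3) faces the first switch / private cloud.
    Both clouds contain a device with the conflicting address 10.10.5.88.
    The public cloud reaches the private 10.10.5.88 through alias 30.30.30.3;
    the private cloud reaches the public 10.10.5.88 through alias 30.30.30.1."""
    conflict = "10.10.5.88"
    return PrivateLineGateway(
        acl=frozenset({(conflict, "A"), (conflict, "B")}),
        src_nat={(conflict, "A"): "30.30.30.1",   # first network device -> alias
                 (conflict, "B"): "30.30.30.3"},  # second network device -> alias
        dst_nat={"30.30.30.3": conflict, "30.30.30.1": conflict},
        routes={"A": [("10.10.5.0/24", "B"), ("30.30.30.0/24", "B")],
                "B": [("10.10.5.0/24", "A"), ("30.30.30.0/24", "A")]},
    )


if __name__ == "__main__":
    gw = build_demo_gateway()
    # scenario four of the description: non-conflicting 10.10.5.53 -> 10.10.5.63
    print(gw.process(Packet("10.10.5.53", "10.10.5.63", "A")))
    # the conflicting first network device talks to the private 10.10.5.63
    print(gw.process(Packet("10.10.5.88", "10.10.5.63", "A")))
    # the two conflicting devices talk to each other through the alias
    print(gw.process(Packet("10.10.5.88", "30.30.30.3", "A")))
```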
Corresponding to the message processing method, the embodiment of the invention also provides a public cloud system, wherein the public cloud system can comprise a first network, a first switch and a private access gateway;
the first network is a public cloud, and the private access gateway is arranged between the first network and the first switch;
the first switch is used for connecting a second network and the private line access gateway;
the second network is a private cloud, the IP address of the first network equipment in the first network and the IP address of the second network equipment in the second network are conflict IP addresses, and the private access gateway is provided with a preset network address conversion protocol;
the private access gateway is configured to process a first packet according to any one of the packet processing methods described above, where the first packet is a packet sent by a network device in a first network to a network device in a second network or a packet sent by a network device in the second network to a network device in the first network.
Wherein the first switch may be a DP switch, and reference may be made to fig. 5 for the architecture of the public cloud system.
Corresponding to the foregoing message processing method, an embodiment of the present invention further provides a hybrid cloud system, where the hybrid cloud system includes a first network, a second network, a first switch, a second switch, and a dedicated access gateway,
the first network is a public cloud, and the second network is a private cloud;
the first switch is used for connecting the second switch and the private line access gateway;
the second switch is used for connecting the second network with the first switch;
the private access gateway is disposed between the first network and the first switch,
the IP address of the first network equipment in the first network and the IP address of the second network equipment in the second network are conflict IP addresses, and the private access gateway is provided with a preset network address translation protocol;
the private access gateway is configured to process a first packet according to any one of the packet processing methods described above, where the first packet is a packet sent by a network device in a first network to a network device in a second network or a packet sent by a network device in the second network to a network device in the first network.
Wherein the first switch may be a DP switch, and reference may be made to fig. 5 for the architecture of the hybrid cloud system. The first switch and the second switch may learn routes of opposite ends through a BGP (Border Gateway Protocol) technique, so as to establish a connection relationship. Or the first switch and the second switch may acquire the route of the opposite end by configuring the static route for the first switch and the second switch, so as to establish the connection relationship.
In another embodiment of the present invention, a computer-readable storage medium is further provided, in which a computer program is stored, and the computer program, when executed by a processor, implements the steps of any of the message processing methods described above.
In another embodiment of the present invention, there is also provided a computer program product containing instructions which, when run on a computer, cause the computer to perform any of the message processing methods of the above embodiments.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, it may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in accordance with the embodiments of the invention occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center via a wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, radio, microwave, etc.) connection. The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device, such as a server or a data center, that incorporates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
It should be noted that, in this document, relational terms such as first and second are used solely to distinguish one entity or action from another entity or action, without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional like elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, as for the apparatus, the private access gateway, the computer program product, and the computer-readable storage medium, since they are substantially similar to the method embodiments, the description is simple, and the relevant points can be referred to the partial description of the method embodiments.
The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.

Claims (15)

1. A message processing method is characterized in that the message processing method is applied to a private access gateway, the private access gateway comprises a data interface, the private access gateway is arranged between a first network and a second network, an IP address of first network equipment in the first network and an IP address of second network equipment in the second network are conflicting IP addresses, the private access gateway is provided with a preset network address conversion protocol and stores a preset access control list, the preset access control list comprises at least one first preset IP address and a corresponding relation of a preset data interface, and the method comprises the following steps:
receiving a first message, wherein the first message comprises a first source IP address, a first destination IP address and first data interface information, and the first data interface information is used for indicating a data interface on the private access gateway for receiving the first message;
determining whether the first source IP address is a conflict IP address according to the preset access control list to obtain a first determination result;
determining whether the first destination IP address is the conflict IP address or not to obtain a second determination result;
performing network address conversion processing on the first message according to the first determination result, the second determination result and the preset network address conversion protocol to obtain a second message;
forwarding the second message;
determining whether the first source IP address is a conflicting IP address according to the preset access control list, and obtaining a first determination result, including:
determining whether a data interface represented by a first source IP address and first data interface information of the first message is matched with a first preset IP address and a preset data interface in any corresponding relation in the preset access control list;
and when they match, determining that the first source IP address of the first message is a conflicting IP address.
2. The method of claim 1, wherein determining whether the first destination IP address is the conflicting IP address results in a second determination comprising:
determining whether the first destination IP address is a second preset IP address;
and if so, determining that the first destination IP address of the first message is the conflict IP address.
3. The method of claim 1, wherein when the first determination is that the first source IP address is a conflicting IP address and the second determination is that the first destination IP address is a non-conflicting IP address,
the performing, according to the first determination result, the second determination result, and the preset network address translation protocol, network address translation processing on the first packet to obtain a second packet includes:
processing the first message according to the preset network address conversion protocol so as to convert a first source IP address of the first message into a second source IP address;
and obtaining a second message based on the second source IP address and the first destination IP address.
4. The method of claim 1, wherein when the first determination is that the first source IP address is a conflicting IP address and the second determination is that the first destination IP address is a conflicting IP address,
the performing, according to the first determination result, the second determination result, and the preset network address translation protocol, network address translation processing on the first packet to obtain a second packet includes:
processing the first message according to the preset network address conversion protocol so as to convert a first source IP address of the first message into a second source IP address and convert the first destination IP address into a second destination IP address;
and obtaining a second message based on the second source IP address and the second destination IP address.
5. The method of claim 1, wherein when the first determination is that the first source IP address is a non-conflicting IP address and the second determination is that the first destination IP address is a conflicting IP address,
the performing, according to the first determination result, the second determination result, and the preset network address translation protocol, network address translation processing on the first packet to obtain a second packet includes:
processing the first message according to the preset network address conversion protocol so as to convert the first destination IP address into a second destination IP address;
and obtaining a second message based on the first source IP address and the second destination IP address.
6. The method of claim 1, wherein when the first determination is that the first source IP address is a non-conflicting IP address and the second determination is that the first destination IP address is a non-conflicting IP address,
the method further comprises the following steps:
determining routing information according to the first source IP address and the first destination IP address;
and forwarding the first message based on the determined routing information.
7. A message processing device is characterized in that the message processing device is applied to a private access gateway, the private access gateway comprises a data interface, the private access gateway is arranged between a first network and a second network, an IP address of first network equipment in the first network and an IP address of second network equipment in the second network are conflict IP addresses, the private access gateway is provided with a preset network address conversion protocol and stores a preset access control list, the preset access control list comprises at least one first preset IP address and a corresponding relation of a preset data interface, and the device comprises:
the message receiving module is used for receiving a first message, wherein the first message comprises a first source IP address, a first destination IP address and first data interface information, and the first data interface information is used for indicating a data interface on the private access gateway for receiving the first message;
the source address detection module is used for determining whether the first source IP address is the conflict IP address or not to obtain a first determination result;
the destination address detection module is used for determining whether the first destination IP address is the conflict IP address or not to obtain a second determination result;
the address conversion module is used for performing network address conversion processing on the first message according to the first determination result, the second determination result and the preset network address conversion protocol to obtain a second message;
the message sending module is used for forwarding the second message;
the source address detection module comprises:
a first determining unit, configured to determine whether an interface represented by a first source IP address and first data interface information of the first packet matches a first preset IP address and a preset data interface in any corresponding relationship in the preset access control list;
and when they match, determine that the first source IP address of the first message is the conflicting IP address.
8. The apparatus of claim 7, wherein the destination address detection module comprises:
the judging unit is used for determining whether the first destination IP address is a second preset IP address;
and a second determining unit, configured to determine that the first destination IP address of the first packet is the conflicting IP address when the determination is yes.
9. The apparatus of claim 7, wherein the address translation module comprises:
a first address translation unit, configured to, when the first determination result is that the first source IP address is a conflicting IP address and the second determination result is that the first destination IP address is a non-conflicting IP address, process the first packet according to the preset network address translation protocol, so as to translate the first source IP address of the first packet into a second source IP address;
and the first message generating unit is used for obtaining a second message based on the second source IP address and the first destination IP address.
10. The apparatus of claim 7, wherein the address translation module comprises:
a second address conversion unit, configured to, when the first determination result is that the first source IP address is a conflicting IP address, and the second determination result is that the first destination IP address is a conflicting IP address, process the first packet according to the preset network address conversion protocol, so as to convert the first source IP address of the first packet into a second source IP address, and convert the first destination IP address into a second destination IP address;
and the second message generating unit is used for obtaining a second message based on the second source IP address and the second destination IP address.
11. The apparatus of claim 7, wherein the address translation module comprises:
a third address translation unit, configured to, when the first determination result is that the first source IP address is a non-conflicting IP address, and the second determination result is that the first destination IP address is a conflicting IP address, process the first packet according to the preset network address translation protocol, so as to translate the first destination IP address into a second destination IP address;
and the third message generating unit is used for obtaining a second message based on the first source IP address and the second destination IP address.
12. The apparatus of claim 7, wherein when the first determination is that the first source IP address is a non-conflicting IP address and the second determination is that the first destination IP address is a non-conflicting IP address,
the message sending module is further configured to determine routing information according to the first source IP address and the first destination IP address;
and forwarding the first message based on the determined routing information.
13. A private line access gateway, characterized in that the private line access gateway comprises a data interface, the private line access gateway is arranged between a first network and a second network, an IP address of first network equipment in the first network and an IP address of second network equipment in the second network are conflicting IP addresses, the private line access gateway is provided with a preset network address translation protocol and a preset access control list, the preset access control list comprises a corresponding relation between at least one first preset IP address and a preset data interface, and the private line access gateway comprises:
a processor, a communication interface, a memory, and a communication bus;
the processor, the communication interface and the memory complete mutual communication through the communication bus;
the memory is used for storing a computer program;
the processor, when executing the program stored in the memory, implementing the method steps of any of claims 1-6.
14. A public cloud system, characterized in that the public cloud system comprises a first network, a first switch and a private line access gateway, the private line access gateway comprising a data interface,
the first network is a public cloud, and the private line access gateway is arranged between the first network and the first switch;
the first switch is used for connecting a second network and the private line access gateway;
the second network is a private cloud, the IP address of a first network device in the first network and the IP address of a second network device in the second network are conflicting IP addresses, the private line access gateway is provided with a preset network address translation protocol and a preset access control list, and the preset access control list comprises a correspondence between at least one first preset IP address and a preset data interface;
the private line access gateway is configured to process a first message according to the message processing method of any one of claims 1 to 6, where the first message is a message sent by a network device in the first network to a network device in the second network, or a message sent by a network device in the second network to a network device in the first network.
15. A hybrid cloud system comprising a first network, a second network, a first switch, a second switch, and a private line access gateway, the private line access gateway comprising a data interface,
the first network is a public cloud, and the second network is a private cloud;
the first switch is used for connecting the second switch and the private line access gateway;
the second switch is used for connecting the second network with the first switch;
the private line access gateway is arranged between the first network and the first switch,
the IP address of a first network device in the first network and the IP address of a second network device in the second network are conflicting IP addresses, the private line access gateway is provided with a preset network address translation protocol and a preset access control list, and the preset access control list comprises a correspondence between at least one first preset IP address and a preset data interface;
the private line access gateway is configured to process a first message according to the message processing method of any one of claims 1 to 6, where the first message is a message sent by a network device in the first network to a network device in the second network, or a message sent by a network device in the second network to a network device in the first network.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110335089.7A CN113098991B (en) 2021-03-29 2021-03-29 Message processing method and device, private line access gateway and public cloud system

Publications (2)

Publication Number Publication Date
CN113098991A CN113098991A (en) 2021-07-09
CN113098991B true CN113098991B (en) 2022-11-04

Family

ID=76670583

Country Status (1)

Country Link
CN (1) CN113098991B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2006084957A1 (en) * 2005-02-14 2006-08-17 Teliasonera Ab Communication channel between at least two private networks
WO2010045809A1 (en) * 2008-10-22 2010-04-29 华为技术有限公司 Method, media gateway and network system for realizing network address translation
CN105530326A (en) * 2014-10-24 2016-04-27 中兴通讯股份有限公司 Method and device for detecting IP address conflict of three-layer interface
CN111698346A (en) * 2020-06-11 2020-09-22 北京百度网讯科技有限公司 Private network address conversion method and device, private network gateway and storage medium

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103188354B (en) * 2013-03-29 2016-05-25 北京东土科技股份有限公司 A kind of detection method and device of node address conflict
US11171913B2 (en) * 2018-09-28 2021-11-09 Nutanix, Inc. Systems and methods for implementing address translation services

Also Published As

Publication number Publication date
CN113098991A (en) 2021-07-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant