Disclosure of Invention
In view of the above, the present invention is directed to a network address translation method, device, apparatus and storage medium, which can overcome the performance bottleneck of the conventional NAT system and simplify the configuration and management procedures. The specific scheme is as follows:
In a first aspect, the present application discloses a network address translation method, which is applied to a network address translation system and includes:
acquiring a data packet to be converted in polling mode by using a preset data plane development kit, and storing the data packet to be converted in a preset data packet buffer area;
distributing the data packets to be converted stored in the preset data packet buffer area to the task queues corresponding to a target data packet processing pipeline based on a preset parallel processing mechanism and the processing stage corresponding to the data packets to be converted, wherein the preset parallel processing mechanism is a parallel processing mechanism determined based on the NFF-Go framework;
and processing the data packet to be converted by utilizing the target coroutine corresponding to each task queue, so as to determine the target policy corresponding to the data packet to be converted from all preset network address translation policies stored in a preset database, and performing network address translation on the data packet to be converted based on the target policy to obtain a converted data packet.
Optionally, before determining the target policy corresponding to the data packet to be converted from all preset network address translation policies stored in the preset database, the method further includes:
configuring the preset network address translation policies by using a first application programming interface, and storing the preset network address translation policies in the preset database, wherein the preset network address translation policies include a static network address translation policy, a dynamic network address translation policy and a port address translation policy.
Optionally, the network address translation method further includes:
verifying the identity of a system administrator, so that the system administrator can query, add, delete and modify the preset network address translation policies by using the first application programming interface;
recording an operation log of the system administrator's configuration and management of the preset network address translation policies, and updating the preset network address translation policies in the preset database;
correspondingly, the network address translation method further includes:
if a service interruption occurs while the preset network address translation policies are being configured and managed, performing an automatic recovery operation on the preset network address translation policies based on a preset automatic recovery strategy and the operation log, and, when the result of the automatic recovery operation meets a preset abnormal condition, providing the system administrator with the corresponding configuration error information based on the operation log.
Optionally, the network address translation method further includes:
if a task queue is empty, using the target coroutine corresponding to that task queue to acquire data packets to be converted from other task queues based on a preset task preemption rule and process them.
Optionally, the network address translation method further includes:
if a task queue meets a preset coroutine increase condition, increasing the number of target coroutines corresponding to that task queue to process the data packets to be converted in the task queue;
correspondingly, the network address translation method further includes:
if a task queue meets a preset coroutine decrease condition, reducing the number of target coroutines corresponding to that task queue to process the data packets to be converted in the task queue.
Optionally, the network address translation method further includes:
developing a target plug-in corresponding to a target supported protocol based on a preset plug-in interface specification, and loading the target plug-in into the network address translation system so as to exchange data packets with the network environment corresponding to the target supported protocol.
Optionally, the network address translation method further includes:
deploying a monitoring agent on the network address translation system to collect target state data of the network address translation system at a preset collection time, and uploading the target state data to a target management end through a second application programming interface.
In a second aspect, the present application discloses a network address translation device, which is applied to a network address translation system and includes:
a data packet storage module, configured to acquire a data packet to be converted in polling mode by using a preset data plane development kit and to store the data packet to be converted in a preset data packet buffer area;
a data packet distribution module, configured to distribute the data packets to be converted stored in the preset data packet buffer area to the task queues corresponding to a target data packet processing pipeline based on a preset parallel processing mechanism and the processing stage corresponding to the data packets to be converted, wherein the preset parallel processing mechanism is a parallel processing mechanism determined based on the NFF-Go framework;
and a data packet translation module, configured to process the data packet to be converted by using the target coroutine corresponding to each task queue, so as to determine the target policy corresponding to the data packet to be converted from all preset network address translation policies stored in a preset database, and to perform network address translation on the data packet to be converted based on the target policy to obtain a converted data packet.
In a third aspect, the present application discloses an electronic device, comprising:
a memory for storing a computer program;
and a processor for executing the computer program to implement the network address translation method described above.
In a fourth aspect, the present application discloses a computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the network address translation method described above.
In the present application, when network address translation is performed, the network address translation system acquires a data packet to be converted in polling mode by using a preset data plane development kit and stores it in a preset data packet buffer area; distributes the data packets to be converted stored in that buffer area to the task queues corresponding to a target data packet processing pipeline based on a preset parallel processing mechanism and the processing stage corresponding to each packet, wherein the preset parallel processing mechanism is a parallel processing mechanism determined based on the NFF-Go framework; and processes each data packet to be converted by using the target coroutine corresponding to its task queue, so as to determine the target policy corresponding to the packet from all preset network address translation policies stored in a preset database, and performs network address translation on the packet based on the target policy to obtain the converted data packet. It can be seen that the present application combines the NFF-Go framework with the data plane development kit library to provide low-latency, high-throughput packet processing for the network address translation system. The data plane development kit library optimizes packet processing on the underlying hardware and reduces CPU context switching and interrupt handling, which markedly improves system performance. At the same time, the flexibility of a preset parallel processing mechanism built on the NFF-Go framework lets the system cope easily with network scenarios of different scales and complexities, ensuring that network address translation is carried out efficiently.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Conventional NAT systems often have difficulty meeting the high performance requirements of modern network applications because of high processing delay, limited throughput and similar issues. In addition, the configuration and management of conventional NAT systems present their own challenges: these systems often rely on complex command line interfaces or proprietary management tools, which are cumbersome to operate and difficult to bring under remote automated control. This not only increases the workload of operation and maintenance personnel but also limits the flexible scheduling and optimal configuration of network resources, further raising the cost and difficulty of operation and maintenance. In order to solve these technical problems, the present application discloses a network address translation method which can overcome the performance bottleneck of the conventional NAT system and simplify the configuration and management flow.
Referring to fig. 1, an embodiment of the present invention discloses a network address translation method, which is applied to a network address translation system and includes:
Step S11: acquiring a data packet to be converted in polling mode by using a preset data plane development kit, and storing the data packet to be converted in a preset data packet buffer area.
In this embodiment, the network address translation system (i.e., the NAT system) is built on NFV (Network Functions Virtualization) technology, in which network functions are abstracted away from dedicated hardware devices and deployed as software on general-purpose servers. The network address translation system can therefore be built by combining the DPDK (Data Plane Development Kit) library with the NFF-Go framework (an open-source framework for network function virtualization): the DPDK makes full use of the parallel processing capacity of modern multi-core processors to achieve low-delay, high-throughput packet processing, which markedly improves the processing performance of the NAT system under large-scale traffic and keeps network transmission smooth and efficient, while the NFF-Go framework, being high-performance, flexible and easy to develop with, provides strong support for network function virtualization. That is, the high-performance processing architecture of the NFF-Go framework together with the low-latency, high-throughput packet processing of the DPDK library effectively reduces the data processing latency of the network address translation system and greatly increases its data throughput. The introduction of NFV technology allows the NAT function to be deployed on general-purpose servers, which not only reduces hardware cost but also lets the NAT system cope easily with growth in future network traffic through rapid expansion and dynamic adjustment of resources. Furthermore, the lightweight design of the NFF-Go framework makes the overall system more efficient and easier to deploy.
The system can be deployed rapidly and operated stably in an enterprise internal network, a cloud computing environment or an edge computing scenario.
In this embodiment, a target plug-in corresponding to a target supported protocol may be developed based on a preset plug-in interface specification and loaded into the network address translation system so as to exchange data packets with the network environment corresponding to that protocol. Specifically, a modular design may be adopted that divides the system into a number of independent modules, each responsible for a specific function or protocol; this gives the system good extensibility and maintainability. When a new protocol needs to be supported, only the corresponding module needs to be developed and integrated into the system, without large-scale modification of the whole system. On this basis, a plug-in architecture further improves the flexibility and extensibility of the system: by defining a unified plug-in interface and specification (i.e., the preset plug-in interface specification), support for a new protocol is achieved by developing a plug-in and loading it into the system dynamically. This allows the NAT system to fully support IPv4 (Internet Protocol version 4) and IPv6 (Internet Protocol version 6) and the corresponding auxiliary protocols, such as ARP (Address Resolution Protocol), ND (Neighbor Discovery), ICMP (Internet Control Message Protocol), ICMPv6 (Internet Control Message Protocol version 6), DHCP (Dynamic Host Configuration Protocol) and DHCPv6 (Dynamic Host Configuration Protocol version 6), while supporting rapid extension to and integration of new protocols in the future.
In addition, in environments where IPv4 and IPv6 coexist, NAT technology is an important means of achieving protocol compatibility and extensibility, so the present application also introduces a NAT64 (Network Address Translation 64) translation mechanism to translate IPv6 data packets into IPv4 data packets and thereby support communication between IPv6 nodes and IPv4 nodes, providing a complete NAT solution that includes NAT64 and DS-Lite (Dual-Stack Lite) to meet protocol translation requirements in different scenarios.
It should be noted that in this embodiment a protocol translation gateway is also deployed through the network address translation system to provide transparent routing and protocol translation between IPv4 and IPv6 networks. For example, NAT-PT (Network Address Translation/Protocol Translation) can achieve interworking for most applications between IPv6 hosts and IPv4-only hosts by combining SIIT (Stateless IP/ICMP Translation) with conventional IPv4 dynamic address translation and an ALG (Application Layer Gateway). An ALG can parse and process specific protocols at the application layer so as to support protocols that require address or port information to be translated; for example, application protocols such as FTP (File Transfer Protocol) carry address or port information in the message payload, which may need to be translated when passing through NAT equipment.
In this embodiment, the network address translation system can automatically and quickly handle the address translation requirements in the network. It adopts an efficient packet capture and processing mechanism and acquires the data packets to be converted directly from the network card using the polling mode of the DPDK, which avoids the performance loss caused by kernel interrupts. Specifically, the DPDK allows the application to bypass the network protocol stack of the Linux kernel and access the NIC (Network Interface Card) directly through a user-mode poll mode driver (PMD). This direct access reduces the frequent switching of data packets between kernel mode and user mode and lowers processing delay. That is, using the polling mode of the DPDK lets the CPU (Central Processing Unit) actively query the receive queue of the NIC and process a packet as soon as it arrives, avoiding the overhead and delay associated with interrupts.
In this embodiment, after the data packet to be converted is obtained, the network address translation system uses the DPDK to implement zero-copy techniques, so that unnecessary memory copies of the data packet are reduced or avoided as far as possible while the packet is received, processed and transmitted. Zero-copy techniques are typically implemented by means of shared memory buffers, DMA (Direct Memory Access) transfers and the like. Specifically, the DPDK manages packet buffers using a pre-allocated memory pool (mempool): when a data packet is received, the buffer it occupies can be reused directly by the subsequent processing flow without any additional copy. This buffer reuse mechanism not only reduces the number of memory copies but also reduces the overhead of memory allocation and release.
Step S12: distributing the data packets to be converted stored in the preset data packet buffer area to the task queues corresponding to a target data packet processing pipeline based on a preset parallel processing mechanism and the processing stage corresponding to the data packets to be converted, wherein the preset parallel processing mechanism is determined based on the NFF-Go framework.
In this embodiment, the NFF-Go framework is developed in the Go language and makes full use of Go's concurrency features: it can process data packets by creating a large number of Go coroutines (goroutines) and uses channels for communication and synchronization between coroutines, while the DPDK supports the multi-queue function of the NIC, allowing different data packets to be distributed to different CPU cores for processing, which achieves efficient parallel processing. At the same time, the NFF-Go framework supports the construction of efficient data processing pipelines: each processing stage (such as parsing, matching, converting, etc.) can run independently in a different coroutine, and the stages are connected in series to form a continuous data processing flow. This pipelined processing mechanism not only increases processing speed but also reduces processing delay. Therefore, in a specific embodiment, a preset parallel processing mechanism can be constructed based on the pipeline processing mechanism of the NFF-Go framework, the concurrency features of the Go language and the NIC multi-queue function supported by the DPDK, so that the network address translation system can distribute the data packets to be converted stored in the preset data packet buffer area to the task queues corresponding to the target data packet processing pipeline based on the preset parallel processing mechanism and the processing stage corresponding to each packet. In this way the packet processing tasks are allocated to a plurality of CPU cores, the computing resources of the multi-core CPU are fully utilized, reasonable scheduling of coroutines and pipeline stages ensures that every core is fully used, and the overall performance of the system is further improved.
In a specific embodiment, each processing stage corresponds to one or more task queues that hold the packets to be converted that are awaiting that processing stage. It will be appreciated that the processing stages of the target packet processing pipeline are sequential, each processing stage depending on the output of the preceding one. When a data packet to be converted has completed the processing of the current stage, it is put into a task queue corresponding to the next processing stage.
Step S13: processing the data packet to be converted by utilizing the target coroutine corresponding to each task queue, so as to determine the target policy corresponding to the data packet to be converted from all preset network address translation policies stored in a preset database, and performing network address translation on the data packet to be converted based on the target policy to obtain a converted data packet.
In this embodiment, the network address translation system maintains a pool of coroutines, each responsible for processing the packets in a task queue of a particular stage. The mapping between coroutines and task queues is dynamic and flexible: one task queue may be processed by multiple coroutines, or one coroutine may process multiple task queues at the same time, so that coroutine resources are used efficiently. If a task queue meets the preset coroutine increase condition, the number of target coroutines corresponding to that task queue is increased to process the data packets to be converted in it; correspondingly, if a task queue meets the preset coroutine decrease condition, the number of target coroutines corresponding to that task queue is reduced. The preset coroutine increase condition and the preset coroutine decrease condition can be set according to load, task count and resource conditions. That is, when the number of tasks in a task queue suddenly increases, the system may temporarily allocate more coroutines to process the tasks in that queue, and when the number of tasks decreases, the number of coroutines may be reduced to save resources. In a cloud computing environment, the system improves the efficiency of network connections between virtual machines by optimizing resource allocation, which helps to improve the user's business experience and application performance.
In this embodiment, if a task queue is empty, the target coroutine corresponding to that task queue may be used to acquire data packets to be converted from other task queues based on a preset task preemption rule and process them. It will be appreciated that the preset task preemption rule may be defined in terms of conditions such as the range and priority of the task queues from which tasks are taken; for example, when each processing stage corresponds to a plurality of task queues, task preemption occurs preferentially between the task queues of the same processing stage. That is, suppose processing stage A corresponds to task queues A1, A2 and A3 and processing stage B corresponds to task queue B1, where the target coroutine corresponding to task queue A1 is coroutine A1, the target coroutine corresponding to task queue A2 is coroutine A2, and the target coroutine corresponding to task queue A3 is coroutine A3. If task queue A1 is empty and many packets to be converted remain unprocessed in task queues A2 and/or A3, coroutine A1 will be used to process the packets to be converted in A2 and/or A3. If A1 is empty, the number of packets to be converted in A2 and A3 is smaller than the preset task number, and the number of packets to be converted in B1 is larger than the preset task number, coroutine A1 will be used to process the packets to be converted in B1. In other words, when a task queue is empty, the target coroutine corresponding to it may be reassigned to other task queues to process the data packets to be converted there.
Alternatively, when a task queue is empty, the target coroutine corresponding to it may not be reassigned to other task queues but instead wait for new data packets to be converted to arrive in its own task queue and then process them.
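The task queues, the stage hand-off, the coroutine increase and decrease conditions and the task preemption rule described above, as an added Go example written for this page (it is not code from the patent or from NFF-Go): the scheduling decisions are modelled deterministically so that they can be inspected. The queue names A1..A3 and B1, treating the "preset task number" as a steal threshold, and the backlog-per-coroutine watermarks in Scale are assumptions.

```go
package main

import "fmt"

// Packet is a constructed stand-in for a packet; Stage indexes the stage it needs next.
type Packet struct{ ID, Stage int }

// Queue is one task queue of one processing stage.
type Queue struct {
	Name  string
	Stage int
	items []Packet
}

func (q *Queue) Len() int      { return len(q.items) }
func (q *Queue) Push(p Packet) { q.items = append(q.items, p) }

func (q *Queue) Pop() (Packet, bool) {
	if len(q.items) == 0 {
		return Packet{}, false
	}
	p := q.items[0]
	q.items = q.items[1:]
	return p, true
}

// Pipeline holds the task queues of all stages; stage i feeds stage i+1.
type Pipeline struct {
	Queues         []*Queue
	Stages         int
	StealThreshold int      // the "preset task number": steal only from queues above it
	Done           []Packet // packets that have finished the last stage
}

// Dispatch puts a packet into the least-loaded queue of its stage.
func (pl *Pipeline) Dispatch(p Packet) *Queue {
	var best *Queue
	for _, q := range pl.Queues {
		if q.Stage == p.Stage && (best == nil || q.Len() < best.Len()) {
			best = q
		}
	}
	best.Push(p)
	return best
}

// Complete moves a packet whose stage has finished to the next stage's queue, or to Done.
func (pl *Pipeline) Complete(p Packet) {
	if p.Stage++; p.Stage >= pl.Stages {
		pl.Done = append(pl.Done, p)
		return
	}
	pl.Dispatch(p)
}

// busiest returns the queue other than own (in own's stage if sameStage, in other stages
// otherwise) whose backlog is largest and above the threshold, or nil.
func (pl *Pipeline) busiest(own *Queue, sameStage bool) *Queue {
	var best *Queue
	for _, q := range pl.Queues {
		if q == own || (q.Stage == own.Stage) != sameStage || q.Len() <= pl.StealThreshold {
			continue
		}
		if best == nil || q.Len() > best.Len() {
			best = q
		}
	}
	return best
}

// NextWork applies the task preemption rule for a coroutine bound to queue own: its own
// queue first, then the busiest sibling queue of the same stage, then the busiest queue
// of another stage. The returned queue tells the caller which stage handler to run.
func (pl *Pipeline) NextWork(own *Queue) (Packet, *Queue, bool) {
	if p, ok := own.Pop(); ok {
		return p, own, true
	}
	for _, same := range []bool{true, false} {
		if q := pl.busiest(own, same); q != nil {
			p, _ := q.Pop()
			return p, q, true
		}
	}
	return Packet{}, nil, false // nothing above threshold anywhere: wait on own queue
}

// Scale applies the coroutine increase and decrease conditions, assumed here to be
// backlog-per-coroutine watermarks, and returns the new coroutine count for q.
func Scale(q *Queue, current, least, most, high, low int) int {
	switch per := q.Len() / current; {
	case per > high && current < most:
		return current + 1
	case per < low && current > least:
		return current - 1
	}
	return current
}

func main() { fmt.Println(Scale(&Queue{items: make([]Packet, 10)}, 2, 1, 4, 4, 1)) } // prints 3
```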
In this embodiment, the configuration and management of NAT policies is a critical part. Before the target policy corresponding to the data packet to be converted is determined from all preset network address translation policies stored in the preset database, the preset network address translation policies are configured by using the first application programming interface and stored in the preset database, where the preset network address translation policies may include static network address translation policies, dynamic network address translation policies and port address translation policies so as to meet the address translation requirements of different scenarios. Specifically, a NAT policy may be described by defining a clear data model that includes key information such as the policy ID, source IP address range, destination IP address, port mapping rule and NAT type (static, dynamic or PAT (Port Address Translation)), and the NAT policy data is transmitted in binary form using ProtoBuf (Protocol Buffers) as the data encoding format so as to improve transmission efficiency and security. In addition, during NAT policy configuration and management the system ensures the consistency and integrity of the data: data conflicts and corruption caused by concurrent operations are prevented by transaction and lock mechanisms.
In this embodiment, static NAT maps each private IP address in the internal network to a fixed public IP address on the external network. Through an API (Application Programming Interface), a system administrator can specify a source IP address, a destination IP address and possibly a port number to configure static NAT rules; the network address translation system stores these rules in its internal database and matches and applies them during packet processing. Dynamic NAT allows multiple private IP addresses in the internal network to share one or a set of external public IP addresses; when it is configured, the user needs to specify a source IP address range, a destination IP address pool and possibly a port range, and the system dynamically allocates external IP addresses to internal requests as needed and records the current mapping. Port Address Translation (PAT) is a special form of dynamic NAT that allows multiple internal private IP addresses to share one external public IP address, distinguishing the different internal connections by port number. Through the API, the user may configure PAT rules specifying a source IP address range, a destination IP address and a port number range; the network address translation system allocates external connections by port number and maintains an internal-to-external mapping table for matching and translation during packet processing. By hiding and protecting internal IP addresses, the network address translation system enhances the security of the enterprise internal network, effectively preventing external attackers from directly accessing internal network resources and reducing network security risk.
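The three policy types above, as an added Go example that is not the patent's code nor any real NAT implementation: a first-match policy lookup plus the internal-to-external mapping table, with static (fixed address), dynamic (pool address leased per private address) and PAT (one port per connection) translation, and pool or port exhaustion reported instead of forwarding untranslated. The record layout, the sequential allocation order and the sample addresses are assumptions.

```go
package main

import (
	"fmt"
	"net/netip"
)

type NatType int

const (
	StaticNAT  NatType = iota // one private address to one fixed public address
	DynamicNAT                // a private range shares a pool of public addresses
	PAT                       // a private range shares one public address, split by port
)

// Policy is a hypothetical, simplified form of the NAT policy record.
type Policy struct {
	ID             string
	Type           NatType
	SrcRange       netip.Prefix // source IP address range the policy applies to
	ExtPool        []netip.Addr // public addresses: [0] for static and PAT, all for dynamic
	PortLo, PortHi uint16       // PAT port range, inclusive
}

// NewPolicy builds a Policy from textual addresses (ext must hold at least one).
func NewPolicy(id string, typ NatType, src string, lo, hi uint16, ext ...string) Policy {
	p := Policy{ID: id, Type: typ, SrcRange: netip.MustParsePrefix(src), PortLo: lo, PortHi: hi}
	for _, a := range ext {
		p.ExtPool = append(p.ExtPool, netip.MustParseAddr(a))
	}
	return p
}

// Flow identifies a connection by its source and destination endpoints.
type Flow struct {
	SrcIP, DstIP     netip.Addr
	SrcPort, DstPort uint16
}

func MakeFlow(src, dst string, sport, dport uint16) Flow {
	return Flow{netip.MustParseAddr(src), netip.MustParseAddr(dst), sport, dport}
}

// Translator holds the ordered policies and the internal-to-external mapping table.
type Translator struct {
	policies []Policy
	table    map[Flow]Flow             // private flow -> translated flow
	dynAddr  map[netip.Addr]netip.Addr // dynamic NAT: private IP -> leased public IP
	next     map[string]int            // per-policy cursor: pool index or port offset
}

func NewTranslator(policies []Policy) *Translator {
	return &Translator{policies, map[Flow]Flow{}, map[netip.Addr]netip.Addr{}, map[string]int{}}
}

// Translate rewrites the source endpoint under the first policy whose source range contains
// the packet's source and records the mapping so later packets of the same flow reuse it.
func (t *Translator) Translate(f Flow) (Flow, error) {
	if out, ok := t.table[f]; ok {
		return out, nil
	}
	var p *Policy
	for i := range t.policies {
		if p == nil && t.policies[i].SrcRange.Contains(f.SrcIP) {
			p = &t.policies[i]
		}
	}
	if p == nil {
		return f, fmt.Errorf("no NAT policy matches source %s", f.SrcIP)
	}
	n := t.next[p.ID]
	extIP, extPort := p.ExtPool[0], f.SrcPort // static NAT: fixed address, port untouched
	switch p.Type {
	case DynamicNAT:
		ip, leased := t.dynAddr[f.SrcIP]
		if !leased { // lease the next pool address to this private IP
			if n >= len(p.ExtPool) {
				return f, fmt.Errorf("policy %s: address pool exhausted", p.ID)
			}
			ip = p.ExtPool[n]
			t.next[p.ID], t.dynAddr[f.SrcIP] = n+1, ip
		}
		extIP = ip
	case PAT: // every new connection takes the next port of the range
		if n > int(p.PortHi-p.PortLo) {
			return f, fmt.Errorf("policy %s: port range exhausted", p.ID)
		}
		t.next[p.ID] = n + 1
		extPort = p.PortLo + uint16(n)
	}
	out := Flow{extIP, f.DstIP, extPort, f.DstPort}
	t.table[f] = out
	return out, nil
}

func main() {
	t := NewTranslator([]Policy{NewPolicy("pat-1", PAT, "10.0.0.0/8", 40000, 40100, "203.0.113.1")})
	fmt.Println(t.Translate(MakeFlow("10.1.1.5", "198.51.100.7", 51515, 443)))
}
```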
In this embodiment, the network address translation system further integrates gRPC (a high-performance, open-source, general-purpose remote procedure call framework) interfaces. The first application programming interface may be a RESTful API based on the HTTP protocol that supports the standard HTTP methods GET, POST, PUT and DELETE, with interfaces such as AddNatRule, ModifyNatRule and DeleteNatRule used to add, modify and delete NAT policies respectively, so as to facilitate integration and remote management of all preset network address translation policies. At the same time, the first application programming interface may integrate authentication and authorization mechanisms, so that only authenticated users can access a given API and perform the operations permitted by their privileges. The identity of the system administrator may be verified so that the system administrator can query, add, delete and modify the preset network address translation policies using the first application programming interface. Specifically, when the target policy corresponding to the data packet to be converted is determined from all preset network address translation policies stored in the preset database, the network address translation system provides an API that allows the user to query the configured NAT policies, including searching by policy ID, source IP address, destination IP address and other conditions; the system returns the list of matching NAT policies and their details. A user may modify existing NAT policies through the API, for example changing destination IP addresses or adjusting port mapping rules; after the system has verified the validity of the modification request, it updates the NAT policy information in the internal database and notifies the related components to reload the policies. The user may also delete NAT policies that are no longer needed in order to free system resources.
After the system has verified the deletion request, the corresponding NAT policy information is removed from the internal database and the mapping relationships and state information related to it are cleaned up, so as to adapt to changes in network traffic and security requirements.
In this embodiment, the network address translation system records an operation log of the system administrator's configuration and management of the preset network address translation policies and updates the preset network address translation policies in the preset database. The operation log may include key information such as the operation time, operation type and operation result, and these logs can be used for later auditing and troubleshooting. If a service interruption or other anomaly occurs while the preset network address translation policies are being configured and managed, the network address translation system automatically restores the preset network address translation policies based on the preset automatic recovery strategy and the operation log, cancelling the configuration and returning to the previous stable state. When the result of the automatic recovery operation meets the preset abnormal condition, the corresponding configuration error information is provided to the system administrator based on the operation log for reference, guiding the user to recover manually and to adjust the NAT policy configuration according to the error information.
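The operation log and automatic recovery described above, as an added Go example that is not the patent's code: each administrator operation is logged with its time, type, result and prior rule state; a batch that fails part-way is undone in reverse order from the log; and when undoing fails as well, the batch's log entries are returned as configuration error information for manual repair. The rule fields, the Fault hook that stands in for a service interruption, and undo-in-reverse as the recovery strategy are assumptions.

```go
package main

import (
	"fmt"
	"time"
)

type Rule struct{ ID, SrcRange, ExtAddr string } // hypothetical, minimal NAT policy record

// Op is one administrator operation; Kind is "add", "modify" or "delete".
type Op struct{ Kind string; Rule Rule }

// LogEntry records time, type and result of an operation plus the rule state before it.
type LogEntry struct {
	Time   time.Time
	Kind   string
	RuleID string
	Before *Rule // nil when the rule did not exist before the operation
	Result string
}

// Store holds the configured policies and the operation log; Fault stands in for a
// service interruption and is consulted before every write and undo.
type Store struct {
	Rules map[string]Rule
	Log   []LogEntry
	Fault func(kind, id string) error
}

func NewStore() *Store { return &Store{Rules: map[string]Rule{}, Fault: func(string, string) error { return nil }} }

// write applies one operation and always appends exactly one log entry for it.
func (s *Store) write(op Op) error {
	e := LogEntry{Time: time.Now(), Kind: op.Kind, RuleID: op.Rule.ID, Result: "failed"}
	if old, ok := s.Rules[op.Rule.ID]; ok {
		e.Before = &old
	}
	defer func() { s.Log = append(s.Log, e) }()
	switch exists := e.Before != nil; {
	case op.Kind == "add" && exists:
		return fmt.Errorf("add %s: rule already exists", op.Rule.ID)
	case (op.Kind == "modify" || op.Kind == "delete") && !exists:
		return fmt.Errorf("%s %s: rule not found", op.Kind, op.Rule.ID)
	}
	if err := s.Fault(op.Kind, op.Rule.ID); err != nil {
		return err
	}
	if op.Kind == "delete" {
		delete(s.Rules, op.Rule.ID)
	} else {
		s.Rules[op.Rule.ID] = op.Rule
	}
	e.Result = "ok"
	return nil
}

// undo reverts one logged operation to its Before state (nil: the rule is removed).
func (s *Store) undo(e LogEntry) error {
	if err := s.Fault("undo", e.RuleID); err != nil {
		return err
	}
	if e.Before == nil {
		delete(s.Rules, e.RuleID)
	} else {
		s.Rules[e.RuleID] = *e.Before
	}
	return nil
}

// ConfigError is returned when automatic recovery itself failed: the cause plus the
// batch's log entries, so the administrator can repair the state by hand.
type ConfigError struct {
	Cause   error
	Entries []LogEntry
}

func (c *ConfigError) Error() string {
	return fmt.Sprintf("automatic recovery failed: %v (%d logged operations to review)", c.Cause, len(c.Entries))
}

// Configure applies a batch of operations. When one fails, the operations already applied
// are undone in reverse order from the log so the database returns to its previous stable
// state; when undoing fails as well, a ConfigError is returned instead.
func (s *Store) Configure(ops []Op) error {
	start := len(s.Log)
	for i, op := range ops {
		err := s.write(op)
		if err == nil {
			continue
		}
		for j := i - 1; j >= 0; j-- { // log entries start..start+i-1 are the applied ops
			if rerr := s.undo(s.Log[start+j]); rerr != nil {
				return &ConfigError{Cause: rerr, Entries: s.Log[start:]}
			}
			s.Log = append(s.Log, LogEntry{time.Now(), "undo", s.Log[start+j].RuleID, nil, "ok"})
		}
		return fmt.Errorf("configuration aborted and rolled back: %w", err)
	}
	return nil
}

func main() { fmt.Println(NewStore().Configure([]Op{{"delete", Rule{ID: "missing"}}})) }
```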
In this embodiment, a monitoring agent may be deployed on the network address translation system to collect target state data of the network address translation system based on a preset collection time, and the target state data is uploaded to the target management end through the second application programming interface, where the target state data includes a NAT table state, an interface state, a CPU, a memory use condition, and the like, so that a network administrator can discover and solve a potential problem in time through the target management end, and easily implement dynamic adjustment of a NAT policy and real-time monitoring of a system state. The second application programming interface may also be gRPC interface, and the network address translation system uses the bidirectional flow (Bidirectional Streaming) function of gRPC to upload the target state data to the target management end, so that the real-time transmission and updating of the monitoring data (i.e. the target state data) can be realized. The network address translation system utilizes the high performance and scalability of gRPC protocol to handle a large number of remote call requests, thereby ensuring the real-time and accuracy of NAT policy adjustment. After receiving the monitoring data, the target management end analyzes and processes the monitoring data, and displays system state information through a graphical interface, so that a system administrator can intuitively know the system running state, the network address conversion system can adapt to the rapidly-changing network environment, and various network events can be responded in time. 
This design simplifies the operation flow and reduces the operation and maintenance burden: developers and operators of the network address translation system need focus only on the service logic, without going into the underlying network protocol and hardware details, which significantly improves the flexibility and maintainability of the system.
In this embodiment, the target management end may include a connection management module, a command sending and receiving module, a data processing and display module, an alarm management module and other functional modules. The connection management module is responsible for establishing and maintaining gRPC connections with the NAT system to ensure the availability and stability of the remote management functions; the command sending and receiving module sends remote management commands to the NAT system and receives the NAT system's responses; the data processing and display module analyzes and processes the received data and presents it to the network administrator through a graphical interface; and the alarm management module receives and processes alarm information sent by the NAT system, including alarm notification, alarm log recording and the like. When the target management end is developed, a suitable programming language such as Java or Python can be selected according to actual requirements, a mature gRPC framework and library such as gRPC-Java or gRPC-Python can be used to simplify development, and the graphical interface can be built with a modern front-end technology stack (such as React or Vue) to improve the user experience.
In this embodiment, an alarm triggering condition, such as a traffic abnormality, an interface failure, etc., may be further set in the NAT system and related network devices, and when the alarm triggering condition is met, corresponding alarm information may be generated, and the alarm information may be encoded into ProtoBuf format and sent to an alarm management module of the target management end through the gRPC interface, and after the target management end receives the alarm information, analysis and classification processing is performed, such as sending an alarm notification to a system administrator, recording an alarm log, etc., where the system administrator may take corresponding processing measures according to the alarm information.
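As an added example, not code from the patent or from any implementation of it, the following Go program shows the monitoring agent of the earlier paragraph and the alarm triggering conditions of the paragraph above in one piece: periodic collection of state samples, evaluation of assumed trigger conditions (an interface going from up to down, CPU or memory above a threshold, and a traffic anomaly relative to a moving baseline), and hand-off of encoded messages to a `send` callback. The callback and JSON encoding stand in for the gRPC bidirectional stream and ProtoBuf encoding of the embodiment; the field set, thresholds and baseline rule are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// StateSample is one collection of target state data; the field set is assumed.
type StateSample struct {
	At          time.Time       `json:"at"`
	NATEntries  int             `json:"nat_entries"`
	Interfaces  map[string]bool `json:"interfaces"` // name -> link up
	CPUPercent  float64         `json:"cpu_percent"`
	MemPercent  float64         `json:"mem_percent"`
	PacketsPerS float64         `json:"pps"`
}

// Alarm is generated when a trigger condition is met.
type Alarm struct {
	At     time.Time `json:"at"`
	Kind   string    `json:"kind"` // interface-failure, resource-pressure, traffic-anomaly
	Detail string    `json:"detail"`
}

// Message is one item on the upload stream: a sample or an alarm.
type Message struct {
	Sample *StateSample `json:"sample,omitempty"`
	Alarm  *Alarm       `json:"alarm,omitempty"`
}

// Thresholds are assumed values for the alarm trigger conditions.
type Thresholds struct {
	TrafficFactor float64 // anomaly when pps is outside [baseline/f, baseline*f]
	Warmup        int     // samples before the traffic baseline is trusted
	CPUPercent    float64
	MemPercent    float64
}

// Agent evaluates trigger conditions across successive samples.
type Agent struct {
	th       Thresholds
	n        int
	baseline float64 // exponential moving average of pps
	prevUp   map[string]bool
}

func NewAgent(th Thresholds) *Agent { return &Agent{th: th, prevUp: map[string]bool{}} }

// Evaluate returns the alarms triggered by s. Interface alarms fire only on an
// up-to-down transition, and the traffic baseline is updated only from samples
// judged normal, so a sustained flood cannot drag the baseline up to hide itself.
func (a *Agent) Evaluate(s StateSample) []Alarm {
	var alarms []Alarm
	for name, up := range s.Interfaces {
		if a.prevUp[name] && !up {
			alarms = append(alarms, Alarm{s.At, "interface-failure", name + " link down"})
		}
		a.prevUp[name] = up
	}
	if s.CPUPercent > a.th.CPUPercent || s.MemPercent > a.th.MemPercent {
		alarms = append(alarms, Alarm{s.At, "resource-pressure", fmt.Sprintf("cpu=%.0f%% mem=%.0f%%", s.CPUPercent, s.MemPercent)})
	}
	anomalous := false
	if f := a.th.TrafficFactor; a.n >= a.th.Warmup && a.baseline > 0 {
		if s.PacketsPerS > a.baseline*f || s.PacketsPerS < a.baseline/f {
			anomalous = true
			alarms = append(alarms, Alarm{s.At, "traffic-anomaly", fmt.Sprintf("pps=%.0f baseline=%.0f", s.PacketsPerS, a.baseline)})
		}
	}
	if !anomalous {
		if a.n == 0 {
			a.baseline = s.PacketsPerS
		} else {
			a.baseline = 0.3*s.PacketsPerS + 0.7*a.baseline
		}
	}
	a.n++
	return alarms
}

// Run collects a sample every interval and pushes the sample and any alarms to
// send, which stands in for the gRPC bidirectional stream to the management end.
func (a *Agent) Run(stop <-chan struct{}, interval time.Duration, collect func() StateSample, send func([]byte) error) error {
	t := time.NewTicker(interval)
	defer t.Stop()
	for {
		select {
		case <-stop:
			return nil
		case <-t.C:
			s := collect()
			msgs := []Message{{Sample: &s}}
			for _, al := range a.Evaluate(s) {
				al := al
				msgs = append(msgs, Message{Alarm: &al})
			}
			for _, m := range msgs {
				b, err := json.Marshal(m)
				if err == nil {
					err = send(b)
				}
				if err != nil {
					return err
				}
			}
		}
	}
}

func main() {
	a := NewAgent(Thresholds{TrafficFactor: 3, Warmup: 3, CPUPercent: 90, MemPercent: 90})
	stop := make(chan struct{})
	time.AfterFunc(350*time.Millisecond, func() { close(stop) })
	i := 0
	collect := func() StateSample { // constructed samples: a normal run, then a flood with eth1 down
		i++
		s := StateSample{At: time.Now(), NATEntries: 120, Interfaces: map[string]bool{"eth0": true, "eth1": i < 4},
			CPUPercent: 40, MemPercent: 55, PacketsPerS: 1000}
		if i == 4 {
			s.PacketsPerS = 10000
		}
		return s
	}
	err := a.Run(stop, 50*time.Millisecond, collect, func(b []byte) error { fmt.Println(string(b)); return nil })
	fmt.Println("stream closed:", err)
}
```

Keeping the baseline frozen during an anomaly is the part worth carrying into a real agent: a monitoring rule whose baseline adapts to whatever it currently sees will stop alarming on an attack a few samples after it starts.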
It can be seen that the present application utilizes the NFF-Go framework in conjunction with the data plane development suite libraries to provide low-latency and high-throughput packet processing capabilities for network address translation systems. The data plane development suite library optimizes the processing of the data packet on the bottom hardware, reduces the context switching and interrupt processing of the CPU, and thus remarkably improves the system performance. Meanwhile, the flexibility of a preset parallel processing mechanism constructed based on the NFF-Go framework enables the system to easily cope with network scenes with different scales and complexities, and efficient execution of network address conversion is ensured.
Based on the above embodiment, the present application discloses a network address translation method, which can overcome the performance bottleneck of the conventional NAT system and simplify the configuration and management flow. Next, description will be made with respect to a specific network address translation system architecture.
Referring to fig. 2, the present application discloses a specific network address translation system architecture, in which a NAT service function is responsible for receiving a data packet to be processed from the network layer or a virtual network interface, invoking a protocol processing function to parse and process the protocol information in the data packet (such as the IP header and the TCP/UDP (Transmission Control Protocol/User Datagram Protocol) header), performing address translation according to a NAT policy, and finally sending the translated data packet back to the network. While processing the data packet, the NAT service function sends key information (such as processing results and error logs) to the log and monitoring function for recording. The NAT service function can also receive NAT policy configuration instructions sent by the control interface function and update the internal NAT table entries.
In this embodiment, the control interface function provides gRPC and other remote management interfaces to receive a configuration instruction or a query request sent by a system administrator through the remote management interfaces, so as to configure NAT policies, query NAT states, and so on. The control interface function can send the received configuration instruction to the NAT service function to update the NAT strategy, and can send a query request to the NAT service function to acquire NAT state information. The control interface function may also interact with the log and monitor function to record an administrator's operation log, or query the log and monitor function to obtain system status information for reference by the administrator.
In this embodiment, the log and monitoring function records the running state of the NAT system, the number of data packets processed and error information, and provides a monitoring API or user interface for the administrator to check. Specifically, the log and monitoring function receives the log information and monitoring data sent by the NAT service function, records and stores them, responds to query requests sent by the control interface function by providing system status information or log data, and displays the system status, log information and the like to the administrator through the monitoring API or user interface.
In this embodiment, the protocol processing function supports multiple network protocols (such as IPv4, IPv6, ARP, ICMP, etc.), and processes the data packets of these protocols accordingly. When the protocol processing function is called by the NAT service function, the protocol information in the data packet may be parsed and processed, and depending on the protocol type and the content of the data packet, the protocol processing function may modify the content of the data packet (e.g., modify an IP address, port number, etc.), and return the processed data packet to the NAT service function. While the protocol processing function typically does not interact directly with other functions, it indirectly affects the operation of the overall system through NAT service functions.
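The Go program below is an added example of what the NAT service function and the protocol processing function do to a packet; it is not the disclosed implementation (which is built on NFF-Go and the data plane development kit) and uses only the standard library on plain byte slices. It assumes a single PAT policy mapping an inside prefix to one outside address, keeps the NAT table in two maps, parses the IPv4 and TCP/UDP headers, rewrites the source endpoint outbound and the destination endpoint inbound, and recomputes the IPv4 and transport checksums. The sample datagram is constructed by `BuildIPv4UDP`, not captured traffic. It also shows the checks a translator has to make before touching a packet: non-first fragments carry no transport header and are refused, an inbound packet with no table entry is dropped, and a UDP checksum of zero (absent) is left alone.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

const protoTCP, protoUDP = 6, 17

// NATKey identifies one transport endpoint: protocol, IPv4 address, port.
type NATKey struct {
	Proto byte
	Addr  [4]byte
	Port  uint16
}

// Translator applies one PAT policy (assumed shape): inside addresses in the
// prefix are rewritten to a single outside address with per-flow allocated ports.
type Translator struct {
	inside   *net.IPNet
	outside  [4]byte
	nextPort uint16
	fwd      map[NATKey]uint16 // inside endpoint  -> outside port
	rev      map[NATKey]NATKey // outside endpoint -> inside endpoint
}

func NewTranslator(insideCIDR, outsideIP string) (*Translator, error) {
	_, n, err := net.ParseCIDR(insideCIDR)
	ip := net.ParseIP(outsideIP).To4()
	if err != nil || ip == nil {
		return nil, errors.New("invalid policy addresses")
	}
	t := &Translator{inside: n, nextPort: 1024, fwd: map[NATKey]uint16{}, rev: map[NATKey]NATKey{}}
	copy(t.outside[:], ip)
	return t, nil
}

// parse validates the IPv4 header and returns the TCP/UDP segment. Non-first
// fragments carry no transport header and are rejected rather than mis-rewritten.
func parse(pkt []byte) ([]byte, error) {
	if len(pkt) < 20 || pkt[0]>>4 != 4 {
		return nil, errors.New("not IPv4")
	}
	ihl, total := int(pkt[0]&0x0f)*4, int(binary.BigEndian.Uint16(pkt[2:]))
	minSeg := map[byte]int{protoTCP: 20, protoUDP: 8}[pkt[9]]
	if minSeg == 0 {
		return nil, errors.New("unsupported transport protocol")
	}
	if ihl < 20 || total > len(pkt) || total < ihl+minSeg {
		return nil, errors.New("bad length")
	}
	if binary.BigEndian.Uint16(pkt[6:])&0x1fff != 0 {
		return nil, errors.New("non-first fragment")
	}
	return pkt[ihl:total], nil
}

// checksum folds a ones-complement sum (RFC 1071) seeded with initial; it
// returns 0 when data already carries a correct checksum.
func checksum(data []byte, initial uint32) uint16 {
	sum := initial
	for i := 0; i+1 < len(data); i += 2 {
		sum += uint32(binary.BigEndian.Uint16(data[i:]))
	}
	if len(data)%2 == 1 {
		sum += uint32(data[len(data)-1]) << 8
	}
	for sum>>16 != 0 {
		sum = sum&0xffff + sum>>16
	}
	return ^uint16(sum)
}

// pseudoSum is the IPv4 pseudo-header part of the TCP/UDP checksum.
func pseudoSum(pkt, seg []byte) uint32 {
	var s uint32
	for i := 12; i < 20; i += 2 {
		s += uint32(binary.BigEndian.Uint16(pkt[i:]))
	}
	return s + uint32(pkt[9]) + uint32(len(seg))
}

// fixChecksums recomputes both checksums after a rewrite. A UDP checksum of
// zero means "absent" and stays zero; a computed zero is sent as all-ones.
func fixChecksums(pkt, seg []byte) {
	ihl := int(pkt[0]&0x0f) * 4
	binary.BigEndian.PutUint16(pkt[10:], 0)
	binary.BigEndian.PutUint16(pkt[10:], checksum(pkt[:ihl], 0))
	off := 16 // TCP checksum offset
	if pkt[9] == protoUDP {
		if off = 6; binary.BigEndian.Uint16(seg[6:]) == 0 {
			return
		}
	}
	binary.BigEndian.PutUint16(seg[off:], 0)
	c := checksum(seg, pseudoSum(pkt, seg))
	if c == 0 && pkt[9] == protoUDP {
		c = 0xffff
	}
	binary.BigEndian.PutUint16(seg[off:], c)
}

// Outbound rewrites the source endpoint to the outside address and an allocated
// port, reusing the existing mapping for a known flow.
func (t *Translator) Outbound(pkt []byte) error {
	seg, err := parse(pkt)
	if err != nil {
		return err
	}
	var src [4]byte
	copy(src[:], pkt[12:16])
	if !t.inside.Contains(net.IP(src[:])) {
		return errors.New("source not covered by policy")
	}
	key := NATKey{pkt[9], src, binary.BigEndian.Uint16(seg[0:])}
	port, ok := t.fwd[key]
	for i := 0; !ok && i < 64512; i++ { // find an unused outside port
		p := t.nextPort
		if t.nextPort++; t.nextPort < 1024 {
			t.nextPort = 1024
		}
		rk := NATKey{key.Proto, t.outside, p}
		if _, used := t.rev[rk]; !used {
			port, ok = p, true
			t.fwd[key], t.rev[rk] = p, key
		}
	}
	if !ok {
		return errors.New("outside port pool exhausted")
	}
	copy(pkt[12:16], t.outside[:])
	binary.BigEndian.PutUint16(seg[0:], port)
	fixChecksums(pkt, seg)
	return nil
}

// Inbound maps a reply back to the inside endpoint; a packet with no table
// entry is dropped, which is what keeps unsolicited traffic out.
func (t *Translator) Inbound(pkt []byte) error {
	seg, err := parse(pkt)
	if err != nil {
		return err
	}
	var dst [4]byte
	copy(dst[:], pkt[16:20])
	in, ok := t.rev[NATKey{pkt[9], dst, binary.BigEndian.Uint16(seg[2:])}]
	if !ok {
		return errors.New("no NAT table entry: unsolicited packet dropped")
	}
	copy(pkt[16:20], in.Addr[:])
	binary.BigEndian.PutUint16(seg[2:], in.Port)
	fixChecksums(pkt, seg)
	return nil
}

// BuildIPv4UDP constructs a sample IPv4/UDP datagram (test input, not captured traffic).
func BuildIPv4UDP(src string, sport uint16, dst string, dport uint16, payload []byte) []byte {
	pkt := make([]byte, 28+len(payload))
	pkt[0], pkt[8], pkt[9] = 0x45, 64, protoUDP
	binary.BigEndian.PutUint16(pkt[2:], uint16(len(pkt)))
	copy(pkt[12:16], net.ParseIP(src).To4())
	copy(pkt[16:20], net.ParseIP(dst).To4())
	binary.BigEndian.PutUint16(pkt[20:], sport)
	binary.BigEndian.PutUint16(pkt[22:], dport)
	binary.BigEndian.PutUint16(pkt[24:], uint16(8+len(payload)))
	binary.BigEndian.PutUint16(pkt[26:], 0xffff) // placeholder so the checksum is computed
	copy(pkt[28:], payload)
	fixChecksums(pkt, pkt[20:])
	return pkt
}

func main() {
	t, _ := NewTranslator("10.0.0.0/24", "203.0.113.10")
	pkt := BuildIPv4UDP("10.0.0.5", 40000, "198.51.100.1", 53, []byte("query"))
	err := t.Outbound(pkt)
	fmt.Printf("outbound: err=%v src=%v:%d\n", err, net.IP(pkt[12:16]), binary.BigEndian.Uint16(pkt[20:]))
}
```

A production data plane would update the checksums incrementally (RFC 1624) instead of re-summing the whole segment, would bound and expire NAT table entries, and would handle ICMP errors that quote the translated header; none of that changes the parse, lookup, rewrite and re-checksum sequence shown here.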
Referring to fig. 3, the application discloses a network address translation device, which is applied to a network address translation system, comprising:
The data packet storage module 11 is configured to acquire a data packet to be converted based on a polling mode by using a preset data plane development suite, and store the data packet to be converted in a preset data packet buffer;
The data packet distribution module 12 is configured to distribute the data packet to be converted stored in the preset data packet buffer to each task queue corresponding to the target data packet processing pipeline based on a preset parallel processing mechanism and a processing stage corresponding to the data packet to be converted, where the preset parallel processing mechanism is a parallel processing mechanism determined based on an NFF-Go framework;
the data packet conversion module 13 is configured to process the data packet to be converted by using a target protocol corresponding to each task queue, so as to determine a target policy corresponding to the data packet to be converted from all preset network address conversion policies stored in a preset database, and perform network address conversion processing on the data packet to be converted based on the target policy to obtain a converted data packet.
In a specific embodiment, the apparatus may further include:
The conversion strategy configuration module is used for configuring a preset network address conversion strategy by utilizing a first application programming interface and storing the preset network address conversion strategy into the preset database, wherein the preset network address conversion strategy comprises a static network address conversion strategy, a dynamic network address conversion strategy and a port address conversion strategy.
In a specific embodiment, the apparatus may further include:
the conversion strategy adjustment module is used for verifying the identity of a system administrator so that the system administrator can inquire, add, delete and modify the preset network address conversion strategy by utilizing the first application programming interface;
The conversion strategy updating module is used for recording an operation log of the system administrator for configuring and managing the preset network address conversion strategy and updating the preset network address conversion strategy in the preset database;
correspondingly, the device further comprises:
The conversion strategy recovery module is used for carrying out automatic recovery operation on the preset network address conversion strategy based on the preset automatic recovery strategy and the operation log if service interruption occurs in the process of configuring and managing the preset network address conversion strategy, and providing corresponding configuration error information for the system administrator based on the operation log when the operation result of the automatic recovery operation accords with a preset abnormal condition.
In a specific embodiment, the apparatus may further include:
And the task stealing module is used, if a task queue is empty, for acquiring data packets to be converted from other task queues based on a preset task stealing rule by using the target coroutine corresponding to that task queue, and processing them.
In a specific embodiment, the apparatus may further include:
the coroutine number increasing module is used for increasing the number of the target coroutines corresponding to the task queue to process the data packets to be converted in the task queue if the task queue meets a preset coroutine increasing condition;
correspondingly, the device further comprises:
And the coroutine number reduction module is used for reducing the number of the target coroutines corresponding to the task queue to process the data packets to be converted in the task queue if the task queue meets a preset coroutine reduction condition.
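The following Go program is an added example of the task stealing and coroutine scaling modules described in the preceding items; it is not the disclosed implementation and does not use NFF-Go. Goroutines play the part of the coroutines, a per-queue slice under a mutex plays the part of the task queue, and two rules are assumed where the text leaves them as presets: an idle coroutine steals the newer half of the deepest other queue, and the number of coroutines started for a queue is one per `PerWorker` queued packets, clamped to a range. Reduction is modelled as a coroutine exiting once its queue is empty and there is nothing left to steal.

```go
package main

import (
	"fmt"
	"runtime"
	"sync"
	"sync/atomic"
)

// Packet stands in for an NFF-Go packet buffer: an id plus the queue it was
// assigned to by the distribution stage.
type Packet struct{ ID, Origin int }

// TaskQueue is one pipeline-stage queue served by a variable number of coroutines.
type TaskQueue struct {
	mu    sync.Mutex
	items []Packet
}

func (q *TaskQueue) Push(ps ...Packet) {
	q.mu.Lock()
	q.items = append(q.items, ps...)
	q.mu.Unlock()
}

func (q *TaskQueue) Len() int {
	q.mu.Lock()
	defer q.mu.Unlock()
	return len(q.items)
}

// Pop takes the oldest packet so the queue's own coroutines keep arrival order.
func (q *TaskQueue) Pop() (Packet, bool) {
	q.mu.Lock()
	defer q.mu.Unlock()
	if len(q.items) == 0 {
		return Packet{}, false
	}
	p := q.items[0]
	q.items = q.items[1:]
	return p, true
}

// StealHalf is the assumed task-stealing rule: take the newer half of a victim's
// backlog. Only one lock is held at a time, so stealers cannot deadlock.
func (q *TaskQueue) StealHalf(victim *TaskQueue) int {
	victim.mu.Lock()
	n := len(victim.items) / 2
	stolen := append([]Packet(nil), victim.items[len(victim.items)-n:]...)
	victim.items = victim.items[:len(victim.items)-n]
	victim.mu.Unlock()
	if n > 0 {
		q.Push(stolen...)
	}
	return n
}

// ScalePolicy is the assumed coroutine increase condition: one coroutine per
// PerWorker queued packets, clamped to [Min, Max].
type ScalePolicy struct{ Min, Max, PerWorker int }

func (p ScalePolicy) Desired(depth int) int {
	want := depth/p.PerWorker + 1
	if want < p.Min {
		return p.Min
	}
	if want > p.Max {
		return p.Max
	}
	return want
}

// Pipeline owns the task queues and the processing function of one stage.
type Pipeline struct {
	stolen  int64 // packets moved by stealing (first field for 64-bit alignment)
	Queues  []*TaskQueue
	policy  ScalePolicy
	process func(Packet)
}

func NewPipeline(nQueues int, policy ScalePolicy, process func(Packet)) *Pipeline {
	pl := &Pipeline{policy: policy, process: process}
	for i := 0; i < nQueues; i++ {
		pl.Queues = append(pl.Queues, &TaskQueue{})
	}
	return pl
}

func (pl *Pipeline) StolenCount() int64 { return atomic.LoadInt64(&pl.stolen) }

// worker drains its own queue, then steals from the deepest other queue, and
// exits (the coroutine-reduction case) once there is nothing left to steal.
func (pl *Pipeline) worker(id int) {
	q := pl.Queues[id]
	for {
		if p, ok := q.Pop(); ok {
			pl.process(p)
			continue
		}
		var victim *TaskQueue
		for j, v := range pl.Queues {
			if j != id && (victim == nil || v.Len() > victim.Len()) {
				victim = v
			}
		}
		if victim == nil {
			return
		}
		n := q.StealHalf(victim)
		if n == 0 {
			return
		}
		atomic.AddInt64(&pl.stolen, int64(n))
		runtime.Gosched()
	}
}

// Run sizes each queue's coroutines from its current depth, then blocks until
// every queue is drained.
func (pl *Pipeline) Run() {
	var wg sync.WaitGroup
	for i, q := range pl.Queues {
		for w := 0; w < pl.policy.Desired(q.Len()); w++ {
			wg.Add(1)
			go func(id int) {
				defer wg.Done()
				pl.worker(id)
			}(i)
		}
	}
	wg.Wait()
}

func main() {
	var processed int64
	pl := NewPipeline(4, ScalePolicy{Min: 1, Max: 4, PerWorker: 100}, func(Packet) { atomic.AddInt64(&processed, 1) })
	for i := 0; i < 500; i++ {
		pl.Queues[0].Push(Packet{ID: i, Origin: 0}) // constructed input: one hot queue, three idle
	}
	pl.Run()
	fmt.Printf("processed=%d stolen=%d\n", processed, pl.StolenCount())
}
```

Stealing the newer half rather than the head keeps the victim's own coroutine on the oldest packets, which limits reordering within a flow; a real pipeline would additionally have to keep packets of one flow on one coroutine if the stage holds per-flow state such as a NAT table entry.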
In a specific embodiment, the apparatus may further include:
And the protocol expansion module is used for developing a target plug-in corresponding to a target support protocol based on a preset plug-in interface specification, and loading the target plug-in to the network address conversion system so as to carry out data packet transmission with a network environment corresponding to the target support protocol.
In a specific embodiment, the apparatus may further include:
and the state data uploading module is used for deploying a monitoring agent on the network address conversion system to acquire target state data of the network address conversion system based on preset acquisition time, and uploading the target state data to a target management end through a second application programming interface.
Further, the embodiment of the present application further discloses an electronic device, and fig. 4 is a block diagram of an electronic device 20 according to an exemplary embodiment, where the content of the diagram is not to be considered as any limitation on the scope of use of the present application.
Fig. 4 is a schematic structural diagram of an electronic device 20 according to an embodiment of the present application. The electronic device 20 may include, in particular, at least one processor 21, at least one memory 22, a power supply 23, a communication interface 24, an input-output interface 25, and a communication bus 26. Wherein the memory 22 is configured to store a computer program that is loaded and executed by the processor 21 to implement the relevant steps in the network address translation method disclosed in any of the foregoing embodiments. In addition, the electronic device 20 in the present embodiment may be specifically an electronic computer.
In this embodiment, the power supply 23 is configured to provide working voltages for each hardware device on the electronic device 20, the communication interface 24 is capable of creating a data transmission channel with an external device for the electronic device 20, and the communication protocol to be followed is any communication protocol applicable to the technical solution of the present application, which is not specifically limited herein, and the input/output interface 25 is configured to obtain external input data or output data to the external device, and the specific interface type of the input/output interface may be selected according to the specific application needs and is not specifically limited herein.
The memory 22 may be a carrier for storing resources, such as a read-only memory, a random access memory, a magnetic disk, or an optical disk, and the resources stored thereon may include an operating system 221, a computer program 222, and the like, and the storage may be temporary storage or permanent storage.
The operating system 221 is used for managing and controlling the various hardware devices on the electronic device 20 and the computer program 222, and may be Windows Server, NetWare, Unix, Linux, etc. The computer program 222 may further include, in addition to the computer program capable of performing the network address translation method performed by the electronic device 20 as disclosed in any of the foregoing embodiments, a computer program capable of performing other specific tasks.
Further, the application also discloses a computer readable storage medium for storing a computer program, wherein the computer program realizes the network address translation method when being executed by a processor. For specific steps of the method, reference may be made to the corresponding contents disclosed in the foregoing embodiments, and no further description is given here.
In this specification, each embodiment is described in a progressive manner, and each embodiment is mainly described in a different point from other embodiments, so that the same or similar parts between the embodiments are referred to each other. For the device disclosed in the embodiment, since it corresponds to the method disclosed in the embodiment, the description is relatively simple, and the relevant points refer to the description of the method section.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative elements and steps are described above generally in terms of functionality in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. The software modules may be disposed in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Finally, it is further noted that relational terms such as first and second, and the like, are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.
The foregoing has described the principles and embodiments of the present application with specific examples in order to aid understanding of its method and core ideas; at the same time, those of ordinary skill in the art, following the ideas of the present application, will make changes in both the specific embodiments and the scope of application. In summary, the content of this specification should not be construed as limiting the present application.