
CN117675753A - A processing method and routing device for controlling sessions - Google Patents

A processing method and routing device for controlling sessions

Info

Publication number
CN117675753A
Authority
CN
China
Prior art keywords
cpu
control message
message
source address
npu
Legal status
Pending
Application number
CN202311585585.3A
Other languages
Chinese (zh)
Inventor
师哲
王宇轩
崔佰会
戴冰琦
Current Assignee
New H3C Technologies Co Ltd
Original Assignee
New H3C Technologies Co Ltd
Application filed by New H3C Technologies Co Ltd
Priority to CN202311585585.3A
Publication of CN117675753A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00: Network arrangements, protocols or services for addressing or naming
    • H04L61/09: Mapping addresses
    • H04L61/25: Mapping addresses of the same type
    • H04L61/2503: Translation of Internet protocol [IP] addresses
    • H04L61/2557: Translation policies or rules
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/14: Session management
    • H04L67/141: Setup of application sessions

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

This specification provides a processing method for a control session and a routing device. The method includes: the NPU receives a first control message and converts the first source address in the first control message into a second source address according to a network address translation (NAT) rule; the NPU sends the first control message and the second source address up to the CPU kernel mode; the NPU receives a second control message sent by the CPU kernel mode and converts the first destination address in the second control message into a second destination address according to the NAT rule; the NPU sends the second control message and the second destination address up to the CPU kernel mode; the NPU receives the takeover notification sent by the CPU kernel mode and the control message converted by the user mode, and performs session processing. This method solves the technical problem that, limited by the processing logic of the NPU hardware, each processing pass can translate the IP only once, so that the two NAT translations of the NAT hairpin scenario cannot be performed.

Description

Control session processing method and routing equipment
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to a method and a routing device for controlling a session.
Background
NPU: Network Processing Unit;
NAT: Network Address Translation;
ALG: Application Level Gateway;
NAT hairpin: a function that allows users on the intranet side to access one another, or to access a server on the intranet side, through NAT addresses.
The ALG (Application Level Gateway) mainly handles application-layer messages. Normally, NAT translates only the IP address and port information in the message header and does not parse the fields in the application-layer data payload. However, some protocols carry IP address or port information in the data payload of their messages; NAT cannot translate this content effectively, which may cause problems. For example, an FTP application normally uses a data session together with a control session, and the establishment of the data session is determined dynamically by payload field information in the control session, so the ALG must translate that payload field information to ensure that subsequent data sessions are established correctly.
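The payload translation described above, shown for an FTP `PORT` command as an added example (not code from the patent or from any vendor). The function names, the sample addresses and the two policy checks (payload address must equal the packet source, no ports below 1024) are assumptions made for the illustration.

```python
import ipaddress
import re

# "PORT h1,h2,h3,h4,p1,p2": the client announces the endpoint for the data session.
PORT_RE = re.compile(rb"PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n")


class AlgError(ValueError):
    """The payload must not be translated by the ALG."""


def parse_port(line):
    """Return (IPv4Address, port) carried in the payload of a PORT command."""
    m = PORT_RE.fullmatch(line)
    if m is None:
        raise AlgError("not a well-formed PORT command")
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        raise AlgError("field out of range")
    return ipaddress.IPv4Address(bytes(nums[:4])), nums[4] * 256 + nums[5]


def alg_rewrite_port(line, pkt_src, nat_ip, nat_port):
    """Translate the endpoint in the payload the same way NAT translated the header.

    Returns (new_line, data_session, length_delta). The data_session entry is what
    lets the later data session be matched; length_delta is the change in payload
    length that the TCP sequence numbers must absorb.
    """
    inner_ip, inner_port = parse_port(line)
    # Assumed policy: only translate an endpoint owned by the control session's client.
    if inner_ip != ipaddress.IPv4Address(pkt_src):
        raise AlgError("payload address is not the packet source")
    if inner_port < 1024:
        raise AlgError("refusing a data session on a privileged port")
    if not 0 < nat_port < 65536:
        raise AlgError("translated port out of range")
    fields = str(ipaddress.IPv4Address(nat_ip)).split(".")
    fields += [str(nat_port >> 8), str(nat_port & 0xFF)]
    new_line = ("PORT " + ",".join(fields) + "\r\n").encode("ascii")
    data_session = {
        "private": (str(inner_ip), inner_port),
        "translated": (str(nat_ip), nat_port),
    }
    return new_line, data_session, len(new_line) - len(line)


if __name__ == "__main__":
    # Constructed sample: client 192.168.1.10 announces port 50000.
    print(alg_rewrite_port(b"PORT 192,168,1,10,195,80\r\n",
                           "192.168.1.10", "203.0.113.5", 40001))
```

Header-only NAT would leave `192,168,1,10` in the payload, and the peer would try to open the data session towards an address it cannot reach.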
The NAT hairpin function allows users on the intranet side to access one another, or to access a server on the intranet side, through NAT addresses. With NAT hairpin enabled on the intranet-side interface, the source address and the destination address of a message can be translated at the same time. It supports two networking modes:
P2P: users on the intranet side access one another through dynamically allocated NAT addresses. Each intranet host registers its own external network address information with an external network server; this address information is the NAT address produced by translation in the outbound direction on the external network side. The intranet hosts then access one another through the external network addresses registered with the external network server.
C/S: a user on the intranet side accesses an intranet server using a NAT address. On the intranet interface, NAT translates both the source and the destination IP address of messages that access the intranet server. The destination IP address translation is performed by matching the intranet server configuration on an external network interface, and the source address translation is performed by matching the outbound dynamic address translation or the outbound static address translation on the interface where the intranet server is located.
The ALG NAT hairpin processing commonly used at present is relatively simple. During hardware forwarding, the destination IP address of the message hits the NAT Server address pool configured on a device interface, and after routing the message is sent directly to the CPU user mode for processing. The user mode translates the IP addresses (source IP and destination IP) in the layer-3 header and any contained in the data payload, generates a control session table entry, and sends the message down to the hardware, and the device forwards the message out of the corresponding next-hop egress.
At present, all data session messages and control session messages of the NAT ALG hairpin are usually processed in the CPU. CPU performance is limited, so the forwarding capability of the actual NAT ALG service is limited and cannot meet user requirements. Processing the session in the NPU is constrained by the processing logic of the NPU hardware: each processing pass can perform only one translation on an IP address, so the two NAT translations involved in the NAT hairpin scenario cannot be handled properly.
Disclosure of Invention
To overcome the problems in the related art, the present specification provides a method of processing a control session and a routing apparatus.
According to a first aspect of embodiments of the present specification, there is provided a method of processing a control session, the method comprising:
the network processing unit (NPU) receives a first control message, and converts a first source address in the first control message into a second source address according to a network address translation (NAT) rule;
the NPU sends the first control message and the second source address up to the CPU kernel mode;
the NPU receives a second control message sent by the CPU kernel mode, and converts a first destination address in the second control message into a second destination address according to the NAT rule, wherein the second control message is the first control message with its source address being the second source address;
the NPU sends the second control message and the second destination address up to the CPU kernel mode, and the CPU kernel mode sends the first control message and the second source address to the CPU user mode, so that the CPU user mode establishes a session table;
the NPU receives a takeover notification sent by the CPU kernel mode and the control message converted by the user mode, and performs session processing, wherein the takeover notification is sent to the CPU kernel mode by the CPU user mode after the session table is established.
Before the first source address in the first control message is converted into the second source address according to the network address translation NAT rule, the method further includes:
judging, according to the NAT rule issued by the user in advance, whether address conversion needs to be performed on the first control message, and if so, converting the first source address in the first control message into the second source address according to the NAT rule.
The converting of the first source address in the first control message into the second source address according to the NAT rule includes:
the NPU allocates address resources, establishes a first control session hardware table, converts the first source address into the second source address according to the NAT rule, and sets a first identification bit in the first control session hardware table, wherein the first identification bit indicates that the first control session hardware table needs to perform NAT address conversion twice.
The NPU sending the first control message and the second source address to the CPU kernel mode includes:
the NPU encapsulates a first message and sends it to the CPU kernel mode, wherein the first message carries the first control message, the second source address and the set first identification bit, and the first identification bit indicates that the first control session hardware table needs to perform NAT address conversion twice.
Optionally, the method further comprises:
after receiving the first control message and the second source address sent by the NPU, the CPU kernel mode establishes a session table, wherein the session table comprises a first kernel-mode software table and a second kernel-mode software table, the first kernel-mode software table stores the first control message and the second source address, and the second kernel-mode software table stores the second control message and the first source address.
The NPU receiving the second control message sent by the CPU kernel mode includes:
the NPU establishes a second control session hardware table according to the second control message.
The NPU sending the second control message and the second destination address to the CPU kernel mode includes:
the NPU encapsulates a second message, wherein the second message carries the second control message and the second destination address.
After the CPU kernel mode receives the second message, the method further includes:
the CPU kernel mode queries the second kernel-mode software table according to the second message to obtain the first source address, and obtains the first control message according to the first source address and the second control message in the second message;
the CPU kernel mode sends the first control message and the second source address to the CPU user mode;
the CPU user mode obtains the first control message, converts the first destination address in the first control message according to the ingress interface to obtain the second destination address, converts the first source address in the first control message to obtain the second source address, and establishes a session table.
Optionally, after the NPU receives the take-over notification sent by the CPU kernel mode, the method further includes:
the NPU receives a third message sent by the CPU kernel mode, determines a target control session hardware table from the control session hardware tables according to the third message, deletes the target control session hardware table, and sends a fourth message to the CPU kernel mode, wherein the fourth message indicates that the target control session hardware table has been deleted;
the CPU kernel mode sends a fifth message to the CPU user mode according to the fourth message, the fifth message being used to instruct the CPU user mode to delete the session table corresponding to the fifth message;
the CPU user mode deletes the corresponding session table according to the fifth message, and sends a sixth message to the CPU kernel mode, the sixth message being used to instruct the CPU kernel mode to delete the session table corresponding to the sixth message;
wherein the third message, the fourth message, the fifth message and the sixth message have the same source address and destination address.
According to the above embodiments, session tables (a control session hardware table, a kernel-mode software table and a user-mode software table) are established in the NPU, the CPU kernel mode and the CPU user mode respectively, so that the NAT session observed on the user side is a single session, consistent with the session display of an ALG NAT hairpin implemented purely on the CPU. At the same time, this solves the technical problem that, limited by the processing logic of the NPU hardware, each processing pass can translate the IP only once, so that the two NAT translations of the NAT hairpin scenario cannot be performed.
According to a second aspect of embodiments of the present specification, there is provided a routing device comprising: a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor implements the following method when executing the program:
the network processing unit (NPU) receives a first control message, and converts a first source address in the first control message into a second source address according to a network address translation (NAT) rule;
the NPU sends the first control message and the second source address up to the CPU kernel mode;
the NPU receives a second control message sent by the CPU kernel mode, and converts a first destination address in the second control message into a second destination address according to the NAT rule, wherein the second control message is the first control message with its source address being the second source address;
the NPU sends the second control message and the second destination address up to the CPU kernel mode, and the CPU kernel mode sends the first control message and the second source address to the CPU user mode, so that the CPU user mode establishes a session table;
the NPU receives a takeover notification sent by the CPU kernel mode and the control message converted by the user mode, and performs session processing, wherein the takeover notification is sent to the CPU kernel mode by the CPU user mode after the session table is established.
According to a second aspect of embodiments of the present specification, there is provided a routing device comprising: NPU and CPU, the CPU comprising: CPU kernel mode and CPU user mode, NPU includes:
the receiving module is configured to receive a first control message, and convert a first source address in the first control message into a second source address according to a network address translation (NAT) rule;
the sending module is configured to send the first control message and the second source address up to the CPU kernel mode;
the receiving module is further configured to receive a second control message sent by the CPU kernel mode, and convert a first destination address in the second control message into a second destination address according to the NAT rule, wherein the second control message is the first control message with its source address being the second source address;
the sending module is further configured to send the second control message and the second destination address up to the CPU kernel mode, and the CPU kernel mode sends the first control message and the second source address to the CPU user mode, so that the CPU user mode establishes a session table;
the receiving module is further configured to receive a takeover notification sent by the CPU kernel mode and perform session processing, wherein the takeover notification is sent to the CPU kernel mode by the CPU user mode after the session table is established.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the specification and together with the description, serve to explain the principles of the specification.
Fig. 1 is a diagram illustrating a method of processing a control session according to an exemplary embodiment of the present disclosure.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations consistent with the present specification. Rather, they are merely examples of apparatus and methods consistent with some aspects of the present description as detailed in the accompanying claims.
The terminology used in the description presented herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the description. As used in this specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in this specification to describe various information, this information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, the first information may also be referred to as second information, and similarly, the second information may also be referred to as first information, without departing from the scope of the present description. The word "if" as used herein may be interpreted as "at the time of …", "when …" or "in response to a determination", depending on the context.
At present, all data session messages and control session messages of the NAT ALG hairpin are usually processed in the CPU. CPU performance is limited, so the forwarding capability of the actual NAT ALG service is limited and cannot meet user requirements. Processing the session in the NPU is constrained by the processing logic of the NPU hardware: each processing pass can perform only one translation on the IP, so the two NAT translations involved in the NAT hairpin scenario cannot be handled properly.
In order to solve the above technical problems, an embodiment of the present disclosure provides a method for processing a control session, as shown in fig. 1, including:
S101: the NPU receives a first control message, and converts a first source address in the first control message into a second source address according to a network address translation (NAT) rule;
S102: the NPU sends the first control message and the second source address up to the CPU kernel mode;
S103: the NPU receives a second control message sent by the CPU kernel mode, and converts a first destination address in the second control message into a second destination address according to the NAT rule, wherein the second control message is the first control message with its source address being the second source address;
S104: the NPU sends the second control message and the second destination address up to the CPU kernel mode, and the CPU kernel mode sends the first control message and the second source address to the CPU user mode, so that the CPU user mode establishes a session table;
S105: the NPU receives the takeover notification sent by the CPU kernel mode and the control message converted by the user mode, and performs session processing, wherein the takeover notification is sent to the CPU kernel mode by the CPU user mode after the session table is established.
In this embodiment, the user may preset the NAT rule and issue the NAT rule.
In step S101, after receiving the first control message, the NPU may determine, according to the NAT rule, whether address conversion needs to be performed on the first control message; if so, step S101 is executed; otherwise, the first control message is processed conventionally.
In this embodiment, after the first control message hits the NAT rule, the NPU allocates an address resource (e.g., an IP address resource), establishes a first control session hardware table (i.e., establishes a hardware session table), converts the first source address in the first control message into the second source address, and sets a first identification bit in the first control session hardware table. The first identification bit may be a Twice flag in the first control session hardware table, and it indicates that the first control session hardware table needs to perform NAT address conversion twice.
In step S102, the NPU encapsulates a first message, where the first message carries the first control message, the second source address and the set first identification bit, and the first identification bit indicates that the first control session hardware table needs to perform NAT address conversion twice.
In this embodiment, after receiving the first control message and the second source address sent by the NPU, the CPU kernel mode establishes a session table, where the session table comprises a first kernel-mode software table and a second kernel-mode software table; the first kernel-mode software table stores the first control message and the second source address, and the second kernel-mode software table stores the second control message and the first source address.
In step S103, the NPU obtains the second control message and converts the first destination address in it into the second destination address according to the NAT rule; at the same time, the NPU establishes a session table (i.e., a second control session hardware table) according to the second control message and the second destination address.
In this embodiment, the NPU encapsulates a second message, where the second message carries the second control message and the second destination address.
The CPU kernel mode queries the second kernel-mode software table according to the second message to obtain the first source address, and obtains the first control message according to the first source address and the second control message in the second message;
the CPU kernel mode sends the first control message and the second source address to the CPU user mode;
the CPU user mode obtains the first control message, converts the first destination address in the first control message according to the ingress interface to obtain the second destination address, converts the first source address in the first control message to obtain the second source address, and establishes a session table.
For ease of understanding, the technique of this disclosure is further described below:
(1) When a message enters the device, it hits the NAT rule previously issued by the user on the NPU, and the NPU finds that both the source IP and the destination IP of the message need to be translated. The NPU allocates IP resources, establishes control session hardware table A (i.e., the first control session hardware table), translates the source IP address of the message, and sets the Twice flag in hardware table A (indicating that this session table entry requires the subsequent NAT Twice processing);
(2) The NPU encapsulates a message and sends it up to the CPU; the message carries the original message of step (1), the translated source IP address and the Twice flag. The CPU kernel mode establishes kernel-mode software table A and kernel-mode software table B: kernel-mode software table A stores the original message before NAT translation and the translated source IP address, with the Twice flag set in the software table; kernel-mode software table B stores the source IP address of the message after source IP translation and the original message;
(3) After establishing the software tables, the CPU kernel mode translates the source IP address of the message, updates the checksum field, and re-issues the message to the NPU; the NPU establishes control session hardware table B and translates the destination IP address of the message;
(4) The NPU encapsulates the message information and sends it up to the CPU again; the message carries the message with the translated source IP and the translated destination IP address;
(5) The CPU kernel mode queries kernel-mode software table B according to the message sent up, obtains the source IP of the original message, replaces the source IP address of the message sent up with the source IP address of the original message, and then sends the message to the CPU user mode (the message sent is the same as the original message in step (1));
(6) After receiving the original message, the CPU user mode first translates the destination IP of the message according to the NAT server configuration on the device's ingress interface; it then calls a kernel-mode interface to query kernel-mode software table A, obtains the source IP resource allocated by the NPU for the translation, translates the source IP of the message, generates a user-mode software table, and forwards the message from the CPU user mode to the CPU kernel mode;
(7) The message is issued from the CPU kernel mode to the NPU;
(8) After IP address translation, the NAT control session message looks up the next-hop egress interface and is forwarded out of the device.
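Steps (1) to (6) above as a small simulation, added here as an illustration and not taken from the patent or from any device code. The class names, the dictionary layout of the tables and the addresses are assumptions; the NPU model raises an error if more than one address is translated in a single pass, which is the hardware limit the flow works around.

```python
from dataclasses import dataclass, replace

# Constructed addresses (private and documentation ranges), not taken from the page.
NAT_SERVER = {"203.0.113.10": "192.168.1.100"}  # NAT address -> intranet server
SRC_POOL = ["203.0.113.20"]                     # addresses the NPU may allocate


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    payload: bytes = b""


class Npu:
    """Hardware model: one address translation per processing pass."""

    def __init__(self):
        self.hw_a = self.hw_b = None
        self.pool = list(SRC_POOL)
        self.budget = 0

    def _translate(self, pkt, **change):
        if self.budget == 0:
            raise RuntimeError("NPU can translate only one address per pass")
        self.budget -= 1
        return replace(pkt, **change)

    def first_pass(self, pkt):
        """Steps (1)-(2): allocate a source, build table A, set the Twice flag."""
        self.budget = 1
        translated = self._translate(pkt, src=self.pool.pop(0))
        self.hw_a = {"orig": pkt, "new_src": translated.src, "twice": True}
        return dict(self.hw_a)  # message sent up to the CPU kernel mode

    def second_pass(self, pkt):
        """Steps (3)-(4): build table B and translate the destination only."""
        self.budget = 1
        translated = self._translate(pkt, dst=NAT_SERVER[pkt.dst])
        self.hw_b = {"pkt": pkt, "new_dst": translated.dst}
        return dict(self.hw_b)


class Kernel:
    def __init__(self):
        self.table_a = {}  # original (src, dst) -> NPU-allocated source, Twice flag
        self.table_b = {}  # (translated src, dst) -> original source

    def on_first(self, msg):
        orig = msg["orig"]
        self.table_a[(orig.src, orig.dst)] = {"new_src": msg["new_src"],
                                              "twice": msg["twice"]}
        self.table_b[(msg["new_src"], orig.dst)] = orig.src
        # Step (3): re-issue with translated source (checksum update not modelled).
        return replace(orig, src=msg["new_src"])

    def on_second(self, msg):
        """Step (5): restore the original source before handing to user mode."""
        pkt = msg["pkt"]
        return replace(pkt, src=self.table_b[(pkt.src, pkt.dst)])


class UserMode:
    def __init__(self, kernel):
        self.kernel = kernel
        self.sessions = {}

    def on_original(self, pkt):
        """Step (6): translate destination, then source taken from kernel table A."""
        new_dst = NAT_SERVER[pkt.dst]
        new_src = self.kernel.table_a[(pkt.src, pkt.dst)]["new_src"]
        self.sessions[(pkt.src, pkt.dst)] = (new_src, new_dst)
        return replace(pkt, src=new_src, dst=new_dst)


def run_hairpin(pkt):
    npu, kernel = Npu(), Kernel()
    user = UserMode(kernel)
    second_ctrl = kernel.on_first(npu.first_pass(pkt))
    recovered = kernel.on_second(npu.second_pass(second_ctrl))
    out = user.on_original(recovered)
    # All three layers must agree, otherwise the NPU would forward the session
    # differently from what user mode recorded once it takes over.
    consistent = (out.src == npu.hw_a["new_src"]
                  and out.dst == npu.hw_b["new_dst"])
    return {"recovered": recovered, "out": out,
            "sessions": len(user.sessions), "consistent": consistent}


if __name__ == "__main__":
    print(run_hairpin(Pkt("192.168.1.10", "203.0.113.10", b"USER demo\r\n")))
```

User mode ends up with a single session entry even though the NPU needed two passes, which is the user-visible behaviour the description aims for.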
According to the above embodiments, session tables (a control session hardware table, a kernel-mode software table and a user-mode software table) are established in the NPU, the CPU kernel mode and the CPU user mode respectively, so that the NAT session observed on the user side is a single session, consistent with the session display of an ALG NAT hairpin implemented purely on the CPU. At the same time, this solves the technical problem that, limited by the processing logic of the NPU hardware, each processing pass can translate the IP only once, so that the two NAT translations of the NAT hairpin scenario cannot be performed.
In this embodiment, the NPU receives a third message sent by the CPU kernel mode, determines a target control session hardware table from the control session hardware tables according to the third message, deletes the target control session hardware table, and sends a fourth message to the CPU kernel mode, where the fourth message indicates that the target control session hardware table has been deleted;
the CPU kernel mode sends a fifth message to the CPU user mode according to the fourth message, the fifth message being used to instruct the CPU user mode to delete the session table corresponding to the fifth message;
the CPU user mode deletes the corresponding session table according to the fifth message, and sends a sixth message to the CPU kernel mode, the sixth message being used to instruct the CPU kernel mode to delete the session table corresponding to the sixth message;
wherein the third message, the fourth message, the fifth message and the sixth message have the same source address and destination address.
The embodiment of the disclosure also provides a state synchronization mechanism of the same control session of the CPU user mode, the kernel mode and the NPU, so that the list item uniformity is ensured, and the potential list item residue problem in the new and deleting processes is avoided at the same time:
(1) The CPU user mode issues the first table-entry deletion notification; the kernel-mode software table state is set to to-be-deleted, and the to-be-deleted timestamp of the kernel-mode software table is refreshed;
(2) The CPU kernel mode sends a message to notify the NPU, and the hardware table state is set to to-be-deleted;
(3) The NPU timer polls the hardware table state periodically; when it finds a hardware table whose state is to-be-deleted, it deletes the hardware table and then sends a message to notify the CPU that the hardware table has been deleted;
(4) The CPU kernel mode reports a message event to the user mode, notifying it to delete the user-mode software table. If the state of the kernel-mode software table is to-be-taken-over (the processing of step (4) in fig. 1 was abnormal) or forced deletion, the kernel mode directly constructs a message and executes the subsequent step (5);
(5) The user-mode software table is deleted, the CPU user mode issues the second table-entry deletion notification, the kernel-mode software table is deleted, and the deletion flow is complete;
(6) Because of the limited reliability of the hardware channel that carries these messages, a message notification in flows (1)-(5) may be lost or fail to be processed. To avoid residual entries and to synchronize the user-mode and hardware table states in time, the CPU kernel-mode software timer periodically polls the kernel-mode software table state and performs the following processing:
a. if the kernel-mode software table has not received the message that the CPU user mode has taken over the session (step (4) in fig. 1) within the specified time, the kernel-mode software table state is set to to-be-deleted;
b. if the kernel-mode software table state is to-be-deleted and the entry has still not been deleted after the specified time, the state is set to deleting, and step (4) of the deletion flow is executed again to notify the user mode to delete the software table;
c. setting a state flag of the kernel-mode software table to be deleted (a double state is supposed to be that the user-mode flow in the step (5) cannot be issued correctly at the moment) and setting the kernel-mode software table to be forcedly deleted;
(7) Because of the limited reliability of the hardware channel that carries these messages, a message notification in flows (2)-(5) in fig. 1 may be lost. To avoid residual entries and to synchronize the user-mode and hardware table states, the CPU kernel-mode software timer periodically polls the kernel-mode software table state and performs the following processing: the NPU timer polls the hardware table state periodically and performs the following processing:
a. if the session hardware table has not received the message that the CPU has taken over the session within the fixed aging time, the hardware table is deleted directly by timed aging, and step (3) is then executed to notify the CPU;
According to these embodiments, the control session table states in the CPU user mode, the CPU kernel mode and the NPU are synchronized. Protection is added to the three-party control session while NAT forwarding performance is preserved, the reliability of session table entries is improved, and the risk caused by the uncertainty of message delivery over the hardware channel is reduced.
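The kernel-mode timer escalation of step (6), as an added C sketch that is not part of the patent text: it shows that a session entry is reclaimed even when every notification over the hardware channel is lost, which is what keeps stale NAT sessions from accumulating. The `TIMEOUT` value, the struct and the function names are assumptions, and item c is read here as "an entry still in the deleting state is escalated to forced deletion".

```c
/* Added sketch of the kernel-mode timer in step (6). State names follow the
 * page; TIMEOUT, the struct and all function names are assumptions. */
#include <stdbool.h>
#include <stdio.h>

enum sw_state { ST_TO_BE_TAKEN_OVER, ST_TO_BE_DELETED, ST_DELETING,
                ST_FORCED_DELETE, ST_FREED };

struct sw_entry {
    enum sw_state state;
    unsigned stamp;        /* tick of the last state change (timestamp refresh) */
    unsigned notify_sent;  /* step (4) notifications sent to user mode */
};

#define TIMEOUT 3u         /* assumed timer threshold, in ticks */

/* Step (4): report to user mode. The reply is modelled synchronously:
 * returns true only if the channel delivered it and user mode answered. */
static bool notify_user_mode(struct sw_entry *e, bool channel_ok)
{
    e->notify_sent++;
    return channel_ok;
}

/* Step (5): the kernel-mode table is removed and the flow is complete. */
static void kernel_delete(struct sw_entry *e) { e->state = ST_FREED; }

/* One run of the kernel-mode software timer over a single entry. */
static void kernel_timer_tick(struct sw_entry *e, unsigned now, bool channel_ok)
{
    if (e->state == ST_FREED) return;
    if (e->state == ST_FORCED_DELETE) {   /* step (4): skip user mode, do (5) */
        kernel_delete(e);
        return;
    }
    if (now - e->stamp < TIMEOUT) return; /* not expired yet */

    switch (e->state) {
    case ST_TO_BE_TAKEN_OVER:             /* 6a: take-over never arrived */
        e->state = ST_TO_BE_DELETED;
        break;
    case ST_TO_BE_DELETED:                /* 6b: mark deleting, retry step (4) */
        e->state = ST_DELETING;
        if (notify_user_mode(e, channel_ok)) { kernel_delete(e); return; }
        break;
    case ST_DELETING:                     /* 6c as read here: stop waiting */
        e->state = ST_FORCED_DELETE;
        break;
    default: break;
    }
    e->stamp = now;
}

/* Runs the timer until the entry is freed; returns the tick at which it was
 * freed, or -1 if it would still be resident after max_ticks. */
int ticks_until_freed(enum sw_state start, bool channel_ok, unsigned max_ticks)
{
    struct sw_entry e = { start, 0, 0 };
    for (unsigned now = 1; now <= max_ticks; now++) {
        kernel_timer_tick(&e, now, channel_ok);
        if (e.state == ST_FREED) return (int)now;
    }
    return -1;
}

int main(void)
{
    printf("take-over lost, channel dead: freed at tick %d\n",
           ticks_until_freed(ST_TO_BE_TAKEN_OVER, false, 100));
    printf("delete requested, channel ok: freed at tick %d\n",
           ticks_until_freed(ST_TO_BE_DELETED, true, 100));
    return 0;
}
```

With a dead channel the worst-case residency is three timeouts plus one tick, so the timeout chosen for the kernel-mode timer bounds how long an orphaned session can hold address resources.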
The embodiment of the disclosure also provides a routing device, which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor executes the program to realize the following method:
the network processing unit NPU receives a first control message, and converts a first source address in the first control message into a second source address according to a network address translation NAT rule;
the NPU uploads the first control message and the second source address to a CPU kernel mode;
the NPU receives a second control message sent by the CPU in a kernel mode, and converts a first destination address in the second control message into a second destination address according to NAT rules, wherein the second control message is a first control message with a source address being a second source address;
the NPU sends the second control message and the second destination address to the CPU kernel state, and the CPU kernel state sends the first control message and the second source address to the CPU user state, so that the CPU user state establishes a session table;
the NPU receives a take-over notification sent by a CPU kernel mode and a control message converted by a user mode for session processing, wherein the take-over notification is sent to the CPU kernel mode by the CPU user mode after a session table is established, and the control message converted by the user mode is a control message converted by the user mode by SIP and DIP.
The embodiment of the disclosure also provides a routing device, which comprises: NPU and CPU, the CPU comprising: CPU kernel mode and CPU user mode, NPU includes:
the receiving module is used for receiving a first control message, and converting a first source address in the first control message into a second source address according to a network address translation NAT rule;
the sending module is used for uploading the first control message and the second source address to a CPU kernel mode;
the receiving module is further configured to receive a second control message sent by the CPU in a kernel mode, and convert a first destination address in the second control message into a second destination address according to NAT rules, where the second control message is a first control message with a source address being a second source address;
the sending module is further configured to send the second control message and the second destination address to the CPU kernel state, and send the first control message and the second source address to the CPU user state by the CPU kernel state, so that the CPU user state establishes a session table;
the receiving module is further configured to receive a takeover notification sent by the CPU kernel mode to perform session processing, where the takeover notification is sent by the CPU user mode to the CPU kernel mode after the session table is established.
For the device embodiments, reference is made to the description of the method embodiments for the relevant points, since they essentially correspond to the method embodiments. The apparatus embodiments described above are merely illustrative, wherein the modules illustrated as separate components may or may not be physically separate, and the components shown as modules may or may not be physical, i.e., may be located in one place, or may be distributed over a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purposes of the present description. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
The foregoing describes specific embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
Other embodiments of the present description will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This specification is intended to cover any variations, uses, or adaptations of the specification following, in general, the principles of the specification and including such departures from the present disclosure as come within known or customary practice within the art to which the specification pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the specification being indicated by the following claims.
It is to be understood that the present description is not limited to the precise arrangements and instrumentalities shown in the drawings, which have been described above, and that various modifications and changes may be made without departing from the scope thereof. The scope of the present description is limited only by the appended claims.
The foregoing description of the preferred embodiments is provided for the purpose of illustration only, and is not intended to limit the scope of the disclosure, since any modifications, equivalents, improvements, etc. that fall within the spirit and principles of the disclosure are intended to be included within the scope of the disclosure.

Claims (11)

1. A method of handling a control session, the method comprising:
the network processing unit NPU receives a first control message, and converts a first source address in the first control message into a second source address according to a network address translation NAT rule;
the NPU uploads the first control message and the second source address to a CPU kernel mode;
the NPU receives a second control message sent by the CPU in a kernel mode, and converts a first destination address in the second control message into a second destination address according to NAT rules, wherein the second control message is a first control message with a source address being a second source address;
the NPU sends the second control message and the second destination address to the CPU kernel state, and the CPU kernel state sends the first control message and the second source address to the CPU user state, so that the CPU user state establishes a session table;
the NPU receives a take-over notification sent by the CPU kernel mode and a control message for user mode conversion to perform session processing, wherein the take-over notification is sent to the CPU kernel mode by the CPU user mode after a session table is established.
2. The method of claim 1, wherein prior to translating the first source address in the first control message to the second source address according to network address translation, NAT, rules, the method further comprises:
judging, according to NAT rules issued by the user in advance, whether the first control message needs address translation, and if so, performing the conversion of the first source address in the first control message into the second source address according to the NAT rules.
3. The method of claim 1, wherein the translating the first source address in the first control message to the second source address according to network address translation NAT rules comprises:
the NPU allocates address resources, establishes a first control session hardware table, converts a first source address into a second source address according to NAT rules, and simultaneously sets a first identification position in the first control session hardware table, wherein the first identification position is used for indicating that the first control session hardware table needs to perform NAT address conversion twice.
4. The method of claim 1, wherein the NPU uploading the first control message and the second source address to a CPU kernel mode, comprising:
the NPU encapsulates a first message and sends the first message to the CPU kernel mode, the first message carries a first control message, a second source address and a first identification bit after setting, and the first identification bit is used for indicating that the first control session hardware table needs to perform NAT address conversion twice.
5. The method according to claim 1, wherein the method further comprises:
after receiving a first control message and a second source address sent by an NPU, the CPU kernel mode establishes a session table, wherein the session table comprises: the system comprises a first kernel mode software table and a second kernel mode software table, wherein the first kernel mode software table is used for storing a first control message and a second source address, and the second kernel mode software table is used for storing a second control message and the first source address.
6. The method of claim 1, wherein the NPU receives a second control message sent by a CPU kernel mode, comprising:
and the NPU establishes a second control session hardware table according to the second control message.
7. The method of claim 1, wherein the NPU sending the second control message and the second destination address to the CPU kernel mode comprises:
the NPU encapsulates a second message, where the second message carries a second control message and a second destination address.
8. The method of claim 7, wherein upon receipt of the second message by the CPU kernel mode, the method further comprises:
the CPU kernel mode queries a second kernel mode software table according to the second message to obtain a first source address, and obtains a first control message according to the first source address and a second control message in the second message;
the CPU kernel mode sends the first control message and the second source address to the CPU user mode;
the CPU user state obtains a first control message, converts a first destination address in the first control message according to configuration information of an input interface to obtain a second destination address, converts a first source address in the first control message to obtain a second source address, and establishes a session table.
9. The method of claim 1, wherein after the NPU receives the takeover notification sent by the CPU in kernel mode, the method further comprises:
the NPU receives a third message sent by the CPU kernel mode, determines a target control session hardware table from the control session hardware table according to the third message, deletes the target control session hardware table and sends a fourth message to the CPU kernel mode, wherein the fourth message is used for indicating that the target control session hardware table is deleted;
the CPU kernel mode sends a fifth message to the CPU user mode according to the fourth message, the fifth message being used to instruct the CPU user mode to delete the session table corresponding to the fifth message;
the CPU user state deletes the corresponding session table according to the fifth message, and sends a sixth message to the CPU kernel state, which is used for indicating the CPU kernel state to delete the session table corresponding to the sixth message;
wherein the third message, the fourth message, the fifth message and the sixth message have the same source address and destination address.
10. A routing device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor performs the following method when executing the program:
the network processing unit NPU receives a first control message, and converts a first source address in the first control message into a second source address according to a network address translation NAT rule;
the NPU uploads the first control message and the second source address to a CPU kernel mode;
the NPU receives a second control message sent by the CPU in a kernel mode, and converts a first destination address in the second control message into a second destination address according to NAT rules, wherein the second control message is a first control message with a source address being a second source address;
the NPU sends the second control message and the second destination address to the CPU kernel state, and the CPU kernel state sends the first control message and the second source address to the CPU user state, so that the CPU user state establishes a session table;
the NPU receives a take-over notification sent by the CPU kernel mode and a control message for user mode conversion to perform session processing, wherein the take-over notification is sent to the CPU kernel mode by the CPU user mode after a session table is established.
11. A routing device, the routing device comprising: NPU and CPU, the CPU comprising: CPU kernel mode and CPU user mode, NPU includes:
the receiving module is used for receiving a first control message, and converting a first source address in the first control message into a second source address according to a network address translation NAT rule;
the sending module is used for uploading the first control message and the second source address to a CPU kernel mode;
the receiving module is further configured to receive a second control message sent by the CPU in a kernel mode, and convert a first destination address in the second control message into a second destination address according to NAT rules, where the second control message is a first control message with a source address being a second source address;
the sending module is further configured to send the second control message and the second destination address to the CPU kernel state, and send the first control message and the second source address to the CPU user state by the CPU kernel state, so that the CPU user state establishes a session table;
the receiving module is further configured to receive a takeover notification sent by the CPU kernel mode to perform session processing, where the takeover notification is sent by the CPU user mode to the CPU kernel mode after the session table is established.
CN202311585585.3A 2023-11-24 2023-11-24 A processing method and routing device for controlling sessions Pending CN117675753A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311585585.3A CN117675753A (en) 2023-11-24 2023-11-24 A processing method and routing device for controlling sessions


Publications (1)

Publication Number Publication Date
CN117675753A true CN117675753A (en) 2024-03-08

Family

ID=90069136




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination