A method for ICMP packet processing under a distributed NAT gateway
By electing a fixed ICMP NAT gateway within the distributed NAT gateway cluster and configuring routes and L2 redirect tables, the failure of ICMP packet translation is resolved, normal NAT translation and VPC isolation are achieved, and both the risk and the need to modify compute nodes are reduced.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- UNICLOUD TECH CO LTD
- Filing Date
- 2023-05-18
- Publication Date
- 2026-06-30
AI Technical Summary
In a distributed NAT gateway, ICMP packets from the internal network to the public network are load-balanced to any NAT gateway, and the NAT translation state is stored only in the CT module of that gateway. When the external host replies, the response may be load-balanced to a different NAT gateway, which cannot find the translation entry, so the NAT translation fails.
By electing a fixed ICMP NAT gateway and configuring routes and L2 redirect tables, ICMP packets are redirected to the designated NAT gateway on both the outbound and the return journey, and the NAT translation session is recorded in that gateway's CT module so that the reverse translation can be performed.
Under the distributed NAT gateway, ICMP NAT translation therefore proceeds normally without modifying the compute nodes, and the risk is controllable: the scheduling module monitors the connectivity of the ICMP NAT gateway in real time and reschedules (elects a new one) on anomaly, while VPC isolation and load balancing are preserved.
Figure CN116582511B_ABST
Abstract
Description
Technical Field
[0001] This application belongs to the field of cloud computing technology, and in particular relates to a method for processing ICMP messages under a distributed NAT gateway.
Background Technology
[0002] A NAT gateway (Network Address Translation Gateway) is a network address translation service that provides NAT proxy (SNAT / DNAT / EIP) capabilities. It can enable cloud servers on private networks to reuse public IP addresses, allowing multiple private networks of a user to access the public network or provide internet services through a unified NAT gateway.
[0003] A distributed NAT gateway is an implementation of a NAT gateway that uses clustering technology to allow traffic to access the public network through different NAT gateways, thereby achieving traffic load balancing, supporting large-scale public network applications, and enhancing system high availability.
[0004] Source NAT translation of ICMP messages is typically performed by the connection-tracking (CT) module inside the NAT gateway; in practice the Linux kernel CT module or the OVS-DPDK CT module is commonly used. The NAT translation information is stored in the CT module of the gateway that performed the translation.
[0005] In a distributed NAT gateway scenario, ICMP packets from the internal network accessing the public network are load-balanced to any NAT gateway, and the NAT translation state is stored in the local CT module of that gateway. The ICMP packets with which the external network responds, however, may be load-balanced to a different NAT gateway, which cannot find the translation information, so the NAT translation fails.
Summary of the Invention
[0006] In view of this, this application proposes a method for processing ICMP packets under a distributed NAT gateway which solves the problem that the return NAT translation of ICMP response packets fails. A fixed ICMP NAT gateway is elected, and ICMP packets from the internal network to the external network (by L3 routing) and from the external network to the internal network (by L2 redirection) are redirected to that ICMP NAT gateway, so that the return translation succeeds.
[0007] To achieve the above objectives, the technical solution of this application is implemented as follows:
[0008] A method for processing ICMP packets under a distributed NAT gateway includes the following steps:
[0009] S1. The election module elects an ICMP NAT gateway according to the election rules;
[0010] S2. On every non-ICMP NAT gateway, configure the ICMP route group (routing table) used for outbound redirection and the L2 redirection table used for the return path;
[0011] S3. After receiving the tunnel packet, the ICMP NAT gateway hands it to the CT module for NAT translation;
[0012] S4. After receiving the ICMP request, the public network host sends an ICMP response, and the packet enters the TOR (top-of-rack switch);
[0013] S5. Whichever NAT gateway receives the ICMP response checks whether it is the ICMP NAT gateway;
[0014] S6. After receiving the ICMP response, the ICMP NAT gateway obtains the L3VNI (VPC information) from the destination IP of the packet, performs the reverse translation based on the previously recorded NAT translation session, rewrites the destination address to the host IP address within the VPC, and sends the packet to the cloud host in that VPC.
[0015] Furthermore, in step S1, a NAT gateway in the NAT gateway cluster is elected as the sole ICMP NAT gateway for processing ICMP packets.
[0016] Furthermore, step S2 includes the following steps:
[0017] A1. When a cloud host in a VPC pings an external network address: the ICMP request is load-balanced and sent to any NAT gateway in the NAT gateway cluster, and the tunnel is encapsulated with the VNI information of the VPC itself.
[0018] A2. When any NAT gateway receives an ICMP request tunnel packet, it makes a judgment: if it is the ICMP NAT gateway, it continues the forwarding process; if it is not, it matches the ICMP route group according to the configuration information, re-encapsulates the packet into a tunnel packet whose VNI is the VPC's VNI, and sends it to the ICMP NAT gateway, completing the route redirection.
[0019] Furthermore, in step S3, the CT module also records the NAT translation session information as follows:
[0020] If the Linux kernel CT module is used for the translation, then:
[0021] Session: (src_ip, dst_ip, icmp_id) → (src_ip_new, dst_ip, icmp_id_new), i.e. the ICMP identifier is rewritten together with the source address;
[0022] If the Open vSwitch CT module is used for the translation, then:
[0023] Session: (src_ip, dst_ip, icmp_id) → (src_ip_new, dst_ip, icmp_id), i.e. the ICMP identifier is kept.
[0024] Furthermore, in step S4, the TOR handles the ICMP response in the same way as any other packet, and the load balancer sends it to an arbitrary NAT gateway.
[0025] Furthermore, in step S5, the NAT gateway that receives the ICMP response continues the forwarding process if it is the ICMP NAT gateway; otherwise it rewrites the destination MAC address in the logical switch according to the configuration information and redirects the response to the ICMP NAT gateway.
[0026] Furthermore, in step S6, the destination IP is a public IP address.
[0027] Furthermore, this solution discloses an ICMP packet processing device under a distributed NAT gateway, used to execute an ICMP packet processing method under a distributed NAT gateway.
[0028] Based on the same inventive concept, this application also provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor. When the processor executes the program, it implements the ICMP message processing method under a distributed NAT gateway as described above.
[0029] Based on the same inventive concept, this application also provides a non-transitory computer-readable storage medium, wherein the non-transitory computer-readable storage medium stores computer instructions, the computer instructions being used to cause the computer to execute an ICMP packet processing method under a distributed NAT gateway as described above.
[0030] Compared with existing technologies, the ICMP packet processing method under a distributed NAT gateway described in this application has the following advantages:
[0031] The ICMP packet processing method under a distributed NAT gateway described in this application ensures normal NAT translation of ICMP packets in a distributed NAT gateway. Both the election and the configuration changes are confined to the NAT gateway cluster, so the compute nodes need not be modified and the risk is controllable. The scheduling module monitors the connectivity of the ICMP NAT gateway in real time; when the ICMP NAT gateway is abnormal, it reschedules and elects a new one. ICMP packets going to the external network are carried inside the NAT gateway cluster as tunnel packets whose L3VNI identifies the VPC. On the return path, the VPC is identified from the binding between the destination IP (public IP) and the VPC, ensuring VPC isolation.
Attached Figure Description
[0032] The accompanying drawings, which form part of this application, are used to provide a further understanding of this application. The illustrative embodiments and descriptions of this application are used to explain this application and do not constitute an undue limitation of this application. In the drawings:
[0033] Figure 1 is a schematic diagram of the ICMP packet processing method under a distributed NAT gateway according to an embodiment of this application;
[0034] Figure 2 is a schematic diagram of the storage medium according to an embodiment of this application.
Detailed Implementation
[0035] To make the objectives, technical solutions, and advantages of this application clearer, the following detailed description is provided in conjunction with specific embodiments and the accompanying drawings.
[0036] It should be noted that, unless otherwise defined, the technical or scientific terms used in the embodiments of this application should have the ordinary meaning understood by one of ordinary skill in the art to which this application pertains. The terms "first," "second," and similar terms used in the embodiments of this application do not indicate any order, quantity, or importance, but are merely used to distinguish different components. Terms such as "comprising" or "including" mean that the element or object preceding the word encompasses the elements or objects listed after the word and their equivalents, without excluding other elements or objects. Terms such as "connected" or "linked" are not limited to physical or mechanical connections, but can include electrical connections, whether direct or indirect. Terms such as "upper," "lower," "left," and "right" are only used to indicate relative positional relationships; when the absolute position of the described object changes, the relative positional relationship may also change accordingly.
[0037] Based on this, one or more embodiments of this application provide a method for processing ICMP packets under a distributed NAT gateway.
[0038] The embodiments of this application are described in detail below with reference to the accompanying drawings.
[0039] A method for processing ICMP packets under a distributed NAT gateway includes the following steps:
[0040] S1. The election module elects an ICMP NAT gateway according to the election rules;
[0041] S2. On every non-ICMP NAT gateway, configure the ICMP route group (routing table) used for outbound redirection and the L2 redirection table used for the return path;
[0042] S3. After receiving the tunnel packet, the ICMP NAT gateway hands it to the CT module for NAT translation;
[0043] S4. After receiving the ICMP request, the public network host sends an ICMP response, and the packet enters the TOR (top-of-rack switch);
[0044] S5. Whichever NAT gateway receives the ICMP response checks whether it is the ICMP NAT gateway;
[0045] S6. After receiving the ICMP response, the ICMP NAT gateway obtains the L3VNI (VPC information) from the destination IP of the packet, performs the reverse translation based on the previously recorded NAT translation session, rewrites the destination address to the host IP address within the VPC, and sends the packet to the cloud host in that VPC.
[0046] In step S1, one NAT gateway of the NAT gateway cluster is elected as the sole ICMP NAT gateway for processing ICMP packets.
[0047] Step S2 includes the following steps:
[0048] A1. When a cloud host in a VPC pings an external network address: the ICMP request is load-balanced and sent to any NAT gateway in the NAT gateway cluster, and the tunnel is encapsulated with the VNI information of the VPC itself.
[0049] A2. When any NAT gateway receives an ICMP request tunnel packet, it makes a judgment: if it is the ICMP NAT gateway, it continues the forwarding process; if it is not, it matches the ICMP route group according to the configuration information, re-encapsulates the packet into a tunnel packet whose VNI is the VPC's VNI, and sends it to the ICMP NAT gateway, completing the route redirection.
[0050] In step S3, the CT module also records the NAT translation session information as follows:
[0051] If the Linux kernel CT module is used for the translation, then:
[0052] Session: (src_ip, dst_ip, icmp_id) → (src_ip_new, dst_ip, icmp_id_new), i.e. the ICMP identifier is rewritten together with the source address;
[0053] If the Open vSwitch CT module is used for the translation, then:
[0054] Session: (src_ip, dst_ip, icmp_id) → (src_ip_new, dst_ip, icmp_id), i.e. the ICMP identifier is kept.
[0055] In step S4, the TOR handles the ICMP response in the same way as any other packet, and the load balancer sends it to an arbitrary NAT gateway.
[0056] In step S5, the NAT gateway that receives the ICMP response continues the forwarding process if it is the ICMP NAT gateway; otherwise it rewrites the destination MAC address in the logical switch according to the configuration information and redirects the response to the ICMP NAT gateway.
[0057] In step S6, the destination IP is a public IP address.
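The complete S1 to S6 path, covering both the summary ([0008] to [0026]) and the embodiment ([0039] to [0057]), as an added simulation that is not the patent's or Unicloud's code. Everything concrete in it is an assumption chosen for illustration: three gateways named nat-0 to nat-2, the election rule (lowest gateway name wins), the VNIs and addresses, the public-IP-to-VPC binding, and the CT session key, which is the translated tuple so that a reply can be matched. The "ovs" mode implements the mapping of [0054] literally (identifier kept) and therefore refuses a duplicate translated tuple; that is a property of this model, not a statement about how a real Open vSwitch conntrack allocates identifiers.

```python
"""Model of a distributed NAT cluster with one elected ICMP NAT gateway (steps S1-S6).

Added example, not the patent's code. Gateway names, VNIs, addresses, the election
rule and the CT session-key layout are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from itertools import count
from typing import Optional


@dataclass(frozen=True)
class Packet:
    vni: Optional[int]      # tunnel L3VNI identifying the VPC; None on the public side
    src: str
    dst: str
    icmp_id: int
    is_reply: bool = False


@dataclass
class NatGateway:
    name: str
    ct_mode: str = "linux"  # "linux": icmp_id rewritten; "ovs": icmp_id kept (as [0054] states)
    # CT table keyed by the translated tuple: (src_ip_new, dst_ip, icmp_id_new) -> (vni, src_ip, icmp_id)
    sessions: dict = field(default_factory=dict)
    id_pool: count = field(default_factory=lambda: count(40000))

    def snat(self, pkt: Packet, public_ip: str) -> Packet:
        """S3: source NAT in the local CT module, recording the session."""
        id_new = next(self.id_pool) if self.ct_mode == "linux" else pkt.icmp_id
        key = (public_ip, pkt.dst, id_new)
        if key in self.sessions:
            # Reachable only in "ovs" mode of this model: two hosts of one VPC using the same
            # icmp_id towards the same destination would share one reply tuple.
            raise RuntimeError(f"{self.name}: translated tuple {key} already in CT")
        self.sessions[key] = (pkt.vni, pkt.src, pkt.icmp_id)
        return Packet(None, public_ip, pkt.dst, id_new)

    def reverse(self, reply: Packet) -> Optional[Packet]:
        """S6: reverse translation from the recorded session; None means translation failure."""
        entry = self.sessions.get((reply.dst, reply.src, reply.icmp_id))
        if entry is None:
            return None
        vni, host_ip, icmp_id = entry
        return Packet(vni, reply.src, host_ip, icmp_id, is_reply=True)


class NatCluster:
    def __init__(self, gateways, vpc_public_ip):
        self.gws = list(gateways)
        self.vpc_public_ip = dict(vpc_public_ip)                  # L3VNI -> bound public IP
        self.public_ip_vpc = {ip: vni for vni, ip in vpc_public_ip.items()}
        self.icmp_gw = None
        self.elect()

    def elect(self) -> str:
        """S1, and re-scheduling after a failure: choose the sole ICMP NAT gateway."""
        self.icmp_gw = min(self.gws, key=lambda g: g.name)    # assumed rule: lowest name
        return self.icmp_gw.name

    def mark_unhealthy(self, gw: NatGateway) -> str:
        """Scheduling module: the ICMP gateway lost connectivity, so re-elect."""
        self.gws.remove(gw)
        return self.elect()

    def outbound(self, req: Packet, landed_on: NatGateway, redirect: bool = True) -> Packet:
        """S2/A1-A2: the load balancer delivered the request tunnel packet to landed_on."""
        gw = landed_on
        if redirect and gw is not self.icmp_gw:
            gw = self.icmp_gw   # ICMP route group hit: re-encapsulate with the VPC VNI and forward
        return gw.snat(req, self.vpc_public_ip[req.vni])

    def inbound(self, reply: Packet, landed_on: NatGateway, redirect: bool = True) -> Optional[Packet]:
        """S4-S6: the TOR / load balancer delivered the reply to landed_on."""
        gw = landed_on
        if redirect and gw is not self.icmp_gw:
            gw = self.icmp_gw   # L2 redirect table: destination MAC rewritten to the ICMP gateway
        expected_vni = self.public_ip_vpc.get(reply.dst)   # VPC from the public-IP binding
        out = gw.reverse(reply)
        if out is None or out.vni != expected_vni:
            return None         # no session on this gateway, or session belongs to another VPC
        return out


def ping_round_trip(redirect: bool, ct_mode: str = "linux"):
    """Two VPCs with overlapping private addresses ping one public host (constructed input)."""
    gws = [NatGateway(f"nat-{i}", ct_mode) for i in range(3)]
    cluster = NatCluster(gws, {1001: "203.0.113.10", 1002: "203.0.113.11"})
    req_a = Packet(1001, "10.0.0.5", "198.51.100.1", icmp_id=7)
    req_b = Packet(1002, "10.0.0.5", "198.51.100.1", icmp_id=7)
    out_a = cluster.outbound(req_a, gws[1], redirect)     # load balancer chose nat-1
    out_b = cluster.outbound(req_b, gws[2], redirect)     # load balancer chose nat-2
    rep_a = Packet(None, out_a.dst, out_a.src, out_a.icmp_id)   # echo reply: addresses swapped
    rep_b = Packet(None, out_b.dst, out_b.src, out_b.icmp_id)
    # The TOR hands the replies to arbitrary gateways, not the ones that translated them
    return cluster.inbound(rep_a, gws[2], redirect), cluster.inbound(rep_b, gws[0], redirect)


def same_vpc_collision(ct_mode: str) -> bool:
    """Two hosts of one VPC, same icmp_id, same target: does the CT table collide?"""
    gw = NatGateway("nat-0", ct_mode)
    gw.snat(Packet(1001, "10.0.0.5", "198.51.100.1", 7), "203.0.113.10")
    try:
        gw.snat(Packet(1001, "10.0.0.6", "198.51.100.1", 7), "203.0.113.10")
    except RuntimeError:
        return True
    return False


def failover_demo() -> str:
    gws = [NatGateway(f"nat-{i}") for i in range(3)]
    cluster = NatCluster(gws, {1001: "203.0.113.10"})
    return cluster.mark_unhealthy(gws[0])


if __name__ == "__main__":
    print("without redirect:", ping_round_trip(redirect=False))
    print("with redirect:   ", ping_round_trip(redirect=True))
    print("ovs-mode collision in same VPC:", same_vpc_collision("ovs"))
    print("ICMP gateway after nat-0 fails:", failover_demo())
```

Run without redirection, both replies land on a gateway that holds no session and are dropped, which is exactly the failure of [0005]; with redirection both requests are translated on nat-0, both replies are steered back to it and reverse-translated into the right VPC even though the two cloud hosts share the address 10.0.0.5. Two things the page leaves implicit are worth checking in a real deployment: the session table lives only on the elected gateway, so after the scheduler re-elects (failover_demo), ICMP sessions in flight are lost unless the state is replicated, which the page does not describe; and with the identifier kept as in [0054], reply matching depends on (src_ip_new, dst_ip, icmp_id) staying unique, which the "ovs" mode of this model makes visible by raising on a duplicate.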
[0058] It should be noted that the above description describes some embodiments of this application. Other embodiments are within the scope of the appended claims. In some cases, the actions or steps recorded in the claims can be performed in a different order than that shown in the above embodiments and still achieve the desired result. Furthermore, the processes depicted in the drawings do not necessarily require a specific or sequential order to achieve the desired result. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
[0059] Based on the same inventive concept, and corresponding to the methods of any of the above embodiments, the embodiments of this application also provide an ICMP message processing device under a distributed NAT gateway.
[0060] For ease of description, the above apparatus is described in terms of its functions, divided into various modules. Of course, in implementing the embodiments of this application, the functions of each module can be implemented in one or more software and / or hardware.
[0061] The apparatus described above is used to implement a corresponding ICMP packet processing method under a distributed NAT gateway in any of the foregoing embodiments, and has the beneficial effects of the corresponding method embodiments, which will not be described further here.
[0062] Based on the same inventive concept, corresponding to the methods of any of the above embodiments, embodiments of this application also provide an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor. When the processor executes the program, it implements an ICMP packet processing method under a distributed NAT gateway as described in any of the above embodiments.
[0063] Figure 2 illustrates a more specific hardware structure of an electronic device according to this embodiment, which may include a processor 1010, a memory 1020, an input / output interface 1030, a communication interface 1040, and a bus 1050. The processor 1010, memory 1020, input / output interface 1030, and communication interface 1040 are interconnected internally via the bus 1050.
[0064] The processor 1010 can be implemented using a general-purpose CPU (Central Processing Unit), microprocessor, application-specific integrated circuit (ASIC), or one or more integrated circuits, and is used to execute relevant programs to implement the technical solutions provided in the embodiments of this specification.
[0065] The memory 1020 can be implemented in the form of ROM (Read Only Memory), RAM (Random Access Memory), static storage device, dynamic storage device, etc. The memory 1020 can store the operating system and other applications. When the technical solutions provided in the embodiments of this specification are implemented by software or firmware, the relevant program code is stored in the memory 1020 and is called and executed by the processor 1010.
[0066] The input / output interface 1030 is used to connect input / output modules to realize information input and output. Input / output modules can be configured as components within the device (not shown in the figure) or externally connected to the device to provide corresponding functions. Input devices may include keyboards, mice, touchscreens, microphones, various sensors, etc., while output devices may include displays, speakers, vibrators, indicator lights, etc.
[0067] The communication interface 1040 is used to connect a communication module (not shown in the figure) to enable communication between this device and other devices. The communication module can communicate via wired means (such as USB, Ethernet cable, etc.) or wireless means (such as mobile network, WIFI, Bluetooth, etc.).
[0068] Bus 1050 includes a pathway for transmitting information between various components of the device, such as processor 1010, memory 1020, input / output interface 1030, and communication interface 1040.
[0069] It should be noted that although the above-described device only shows the processor 1010, memory 1020, input / output interface 1030, communication interface 1040, and bus 1050, in specific implementations, the device may also include other components necessary for normal operation. Furthermore, those skilled in the art will understand that the above-described device may only include the components necessary for implementing the embodiments of this specification, and not necessarily all the components shown in the figures.
[0070] The electronic devices described in the above embodiments are used to implement a corresponding ICMP packet processing method under a distributed NAT gateway in any of the foregoing embodiments, and have the beneficial effects of the corresponding method embodiments, which will not be repeated here.
[0071] Based on the same inventive concept, corresponding to the methods of any of the above embodiments, this application also provides a non-transitory computer-readable storage medium that stores computer instructions for causing the computer to execute an ICMP packet processing method under a distributed NAT gateway as described in any of the above embodiments.
[0072] The computer-readable medium of this embodiment includes permanent and non-permanent, removable and non-removable media, and information storage can be implemented by any method or technology. Information can be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, CD-ROM, digital versatile disc (DVD) or other optical storage, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device.
[0073] The computer instructions stored in the storage medium of the above embodiments are used to cause the computer to execute an ICMP packet processing method under a distributed NAT gateway as described in any of the above embodiments, and have the beneficial effects of the corresponding method embodiments, which will not be repeated here.
[0074] Those skilled in the art should understand that the discussion of any of the above embodiments is merely exemplary and is not intended to imply that the scope of this application (including the claims) is limited to these examples; within the framework of this application, the technical features of the above embodiments or different embodiments can also be combined, the steps can be implemented in any order, and there are many other variations of different aspects of the embodiments of this application as described above, which are not provided in the details for the sake of brevity.
[0075] Additionally, to simplify the description and discussion, and to avoid obscuring the embodiments of this application, the well-known power / ground connections to integrated circuit (IC) chips and other components may or may not be shown in the provided drawings. Furthermore, the apparatus may be shown in block diagram form to avoid obscuring the embodiments of this application, and this also takes into account the fact that the details of the implementation of these block diagram apparatuses are highly dependent on the platform on which the embodiments of this application will be implemented (i.e., these details should be fully understood by those skilled in the art). While specific details (e.g., circuits) have been set forth to describe exemplary embodiments of this application, it will be apparent to those skilled in the art that the embodiments of this application can be implemented without these specific details or with variations thereof. Therefore, these descriptions should be considered illustrative rather than restrictive.
[0076] Although this application has been described in conjunction with specific embodiments thereof, many substitutions, modifications, and variations of these embodiments will be apparent to those skilled in the art from the foregoing description. For example, other memory architectures (e.g., dynamic RAM (DRAM)) may be used with the embodiments discussed.
[0077] The embodiments of this application are intended to cover all such substitutions, modifications, and variations that fall within the broad scope of the appended claims. Therefore, any omissions, modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of the embodiments of this application should be included within the protection scope of this application.
Claims
1. A method for processing ICMP packets under a distributed NAT gateway, characterized in that it includes the following steps: S1. The election module elects an ICMP NAT gateway according to the election rules; S2. On every non-ICMP NAT gateway, configure the ICMP route group (routing table) used for outbound redirection and the L2 redirection table used for the return path; S3. After receiving the tunnel packet, the ICMP NAT gateway hands it to the CT module for NAT translation; S4. After receiving the ICMP request, the public network host sends an ICMP response, and the packet enters the TOR; S5. Whichever NAT gateway receives the ICMP response checks whether it is the ICMP NAT gateway; S6. After receiving the ICMP response, the ICMP NAT gateway obtains the L3VNI (VPC information) from the destination IP of the packet, performs the reverse translation based on the previously recorded NAT translation session, rewrites the destination address to the host IP address within the VPC, and sends the packet to the cloud host in that VPC. In step S1, one NAT gateway of the NAT gateway cluster is elected as the sole ICMP NAT gateway for processing ICMP packets. Step S2 includes the following steps: A1. When a cloud host in a VPC pings an external network address, the ICMP request is load-balanced to any NAT gateway in the NAT gateway cluster, and the tunnel is encapsulated with the VNI of the VPC itself; A2. When any NAT gateway receives an ICMP request tunnel packet, it makes a judgment: if it is the ICMP NAT gateway, it continues the forwarding process; if it is not, it matches the ICMP route group according to the configuration information, re-encapsulates the packet into a tunnel packet whose VNI is the VPC's VNI, and sends it to the ICMP NAT gateway, completing the route redirection.
In step S3, the CT module also records the NAT translation session as follows: if the Linux kernel CT module is used for the translation, then Session: (src_ip, dst_ip, icmp_id) → (src_ip_new, dst_ip, icmp_id_new); if the Open vSwitch CT module is used for the translation, then Session: (src_ip, dst_ip, icmp_id) → (src_ip_new, dst_ip, icmp_id). In step S4, the TOR handles the ICMP response in the same way as any other packet, and the load balancer sends it to an arbitrary NAT gateway.
2. The ICMP packet processing method under a distributed NAT gateway according to claim 1, characterized in that, when any NAT gateway receives an ICMP response, it continues the forwarding process if it is the ICMP NAT gateway; if it is not, it rewrites the destination MAC address in the logical switch according to the configuration information and redirects the response to the ICMP NAT gateway.
3. The ICMP packet processing method under a distributed NAT gateway according to claim 1, characterized in that, in step S6, the destination IP is a public IP address.
4. An electronic device, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the program to implement the ICMP message processing method under a distributed NAT gateway as described in any one of claims 1-3.
5. A non-transitory computer-readable storage medium, characterized in that the non-transitory computer-readable storage medium stores computer instructions, which are used to cause a computer to execute the ICMP packet processing method under a distributed NAT gateway as described in any one of claims 1-3.