CN-121750606-B - Quick forwarding method and system for network data packet integrated by zero padding Ding Nahe
Abstract
The present invention relates to the field of computer networks, and in particular to a method and a system for fast forwarding a network data packet integrated with a zero padding Ding Nahe. The method comprises: registering a hook function at a key node of data packet processing to obtain a registered custom processing function; extending the connection tracking structure of the Linux kernel connection tracking system and adding custom fields to store a fast forwarding state; constructing a fast NAT (network address translation) connection table; when a data packet reaches the registered custom processing function, calculating a hash value for the data packet and searching the fast NAT connection table for the corresponding connection node by that hash value; if a valid connection node is found, updating the header information of the data packet and sending the data packet to the target interface; otherwise, marking the connection tracking information and letting the data packet go through the conventional Netfilter processing flow. The invention addresses the performance bottleneck caused by the dependence on the complete Netfilter flow in the conventional Linux kernel network forwarding scheme.
Inventors
- GUO QIANG
Assignees
- 河北华沃通信科技有限公司
Dates
- Publication Date
- 20260508
- Application Date
- 20260302
Claims (9)
- 1. A method for fast forwarding a network packet integrated with a zero padding Ding Nahe, comprising: registering a hook function at a key node of data packet processing to obtain a registered custom processing function, extending a connection tracking structure in the Linux kernel connection tracking system of the Netfilter framework, and adding a custom field to store a fast forwarding state so as to realize zero padding Ding Nahe integration; constructing a fast network address translation (NAT) connection table, wherein the fast NAT connection table is a static hash table that achieves O(1) connection lookup based on a hash value calculated from the data packet; when a data packet reaches the registered custom processing function, calculating a hash value for the data packet and searching the fast NAT connection table for the corresponding connection node through the hash value; if a valid connection node is found, updating the header information of the data packet and sending the data packet to a target interface; if no valid connection node is found, marking the connection tracking information and letting the data packet go through the conventional Netfilter processing flow; wherein updating the header information of the data packet and sending the data packet to the target interface comprises: updating the L2 Ethernet header, the L3 IP header and the L4 transport protocol header of the data packet, wherein the L2 Ethernet header is updated with the source Media Access Control (MAC) address and destination MAC address stored in the connection node, the L3 IP header is updated with the NAT-translated source IP address and destination IP address stored in the connection node, the L4 transport protocol header is updated with the NAT-translated source port and destination port stored in the connection node, and a Netfilter packet-hijacked (stolen) verdict is returned so that the complete Netfilter processing flow is skipped.
- 2. The method for fast forwarding a network packet integrated with a zero padding Ding Nahe according to claim 1, wherein an entry of the fast NAT connection table is a connection state structure aligned to the cache line according to the symmetric multiprocessing cache line size unit smp_cache_byte; the connection state structure is divided into a hot-spot data area and a secondary hot-spot data area, the hot-spot data area stores a network device pointer, a connection activity timestamp, a magic number, virtual local area network (VLAN) information, source/destination IP addresses and source/destination ports, and the secondary hot-spot data area stores connection statistics, rate data and a user pointer; and the number of entries of the fast NAT connection table is configured according to the hardware platform, and the fast NAT connection table resolves hash collisions by linear probing.
- 3. The method for fast forwarding a network packet integrated with a zero padding Ding Nahe according to claim 2, wherein, if a valid connection node is found, updating the header information of the packet and sending the packet to a target interface includes: if the value of the mac field of the connection node to be matched in the fast NAT connection table equals the system's preset NAT flow path magic number constant natflow_path_mac, the source IP address, destination IP address, source port, destination port and transport layer protocol type stored in the connection node to be matched each match the corresponding element of the five-tuple of the data packet currently being forwarded, and the difference between the current system timestamp and the last-active timestamp recorded in the jiffies field of the connection node to be matched is smaller than a preset threshold, determining that the connection node to be matched is a valid connection node, and updating the header information of the data packet and sending the data packet to the target interface.
- 4. A method for fast forwarding a network packet integrated with a zero padding Ding Nahe according to claim 2 or 3, further comprising: presetting a first flag bit and a second flag bit in the status field of the connection state structure, the first flag bit being used to track the hardware acceleration state of packets in the original direction and the second flag bit being used to track the hardware acceleration state of packets in the reply direction; after a valid connection node is matched, detecting in real time the state of the flag bit for the corresponding direction and the running state of the hardware acceleration module; and when a hardware acceleration failure is detected, automatically switching the packet forwarding path to the software path, clearing the hardware acceleration flag bit for the corresponding direction, recording the failure reason, and synchronously updating the hardware statistics.
- 5. A method for fast forwarding a network packet integrated with a zero padding Ding Nahe according to any one of claims 1 to 3, further comprising: identifying a user based on the source IP address, checking the user's authentication status, and performing flow control on authenticated users; detecting hypertext transfer protocol (HTTP)/HTTP secure (HTTPS) requests in kernel space, parsing the HTTP request header or the Transport Layer Security (TLS) Server Name Indication (SNI) to extract a Uniform Resource Locator (URL), and storing the URL information in a log buffer; and enforcing a corresponding quality of service (QoS) policy in conjunction with the flow control tool based on user identity, IP address or port information.
- 6. A method for fast forwarding a network packet integrated with a zero padding Ding Nahe according to any one of claims 1 to 3, further comprising: traversing all network interfaces at system start-up, parsing the network interface name suffix to extract a region identifier (ID) and a region type, constructing a mapping table of interface name, region ID and region type and caching the mapping table in kernel space, wherein the region type is a Local Area Network (LAN) region or a Wide Area Network (WAN) region; when a data packet reaches the registered custom processing function, extracting the source network interface name and the target network interface name of the data packet, looking up the corresponding source region ID, source region type, target region ID and target region type in the mapping table, and writing the source region ID, source region type, target region ID and target region type into the connection state structure; and executing a differentiated forwarding policy according to the combination of source region type and target region type.
- 7. The method for fast forwarding a network packet integrated with a zero padding Ding Nahe according to claim 6, wherein executing a differentiated forwarding policy according to the combination of source region type and target region type includes: if the combination is LAN region to LAN region, forwarding the data packet directly; if the combination is LAN region to WAN region, performing source network address translation (SNAT) and forwarding the translated data packet; and if the combination is WAN region to LAN region, performing destination network address translation (DNAT) and forwarding the translated data packet.
- 8. A method for fast forwarding a network packet integrated with a zero padding Ding Nahe according to any one of claims 1 to 3, further comprising: formatting the connection tracking information into a readable text format, and providing a paged query function for the connection tracking information through a user-space character device interface.
- 9. A system for fast forwarding of network packets integrated with a zero padding Ding Nahe, comprising: a registration module for registering a hook function at a key node of data packet processing to obtain a registered custom processing function; an extension module for extending a connection tracking structure in the Linux kernel connection tracking system of the Netfilter framework, adding a custom field to store a fast forwarding state and realizing zero padding Ding Nahe integration; a construction module for constructing a fast NAT connection table, wherein the fast NAT connection table is a static hash table that achieves O(1) connection lookup based on a hash value calculated from the data packet; and a core forwarding module for calculating a hash value for the data packet when the data packet reaches the registered custom processing function and searching the fast NAT connection table for the corresponding connection node through the hash value, updating the header information of the data packet and sending the data packet to a target interface if a valid connection node is found, and marking the connection tracking information and letting the data packet go through the conventional Netfilter processing flow if no valid connection node is found; wherein, when the core forwarding module updates the header information of the data packet and sends the data packet to the target interface, the core forwarding module is configured to: update the L2 Ethernet header, the L3 IP header and the L4 transport protocol header of the data packet, wherein the L2 Ethernet header is updated with the source MAC address and destination MAC address stored in the connection node, the L3 IP header is updated with the NAT-translated source IP address and destination IP address stored in the connection node, the L4 transport protocol header is updated with the NAT-translated source port and destination port stored in the connection node, and a Netfilter packet-hijacked (stolen) verdict is returned so that the complete Netfilter processing flow is skipped.
Description
Quick forwarding method and system for network data packet integrated by zero padding Ding Nahe
Technical Field
The present invention relates to the field of computer networks, and in particular to a method and a system for fast forwarding a network data packet integrated with a zero padding Ding Nahe.
Background
In the field of computer networks, network devices such as routers and gateways rely on efficient data packet forwarding and network address translation technologies to meet the high-traffic transmission requirements of enterprises and other scenarios. Thanks to its open-source nature, Linux has become the mainstream operating platform for network equipment, and its data packet processing capability directly determines the overall performance of the equipment. Currently, the packet forwarding and network address translation (NAT) functions of Linux network devices are mainly implemented on the Netfilter and iptables mechanisms. Some schemes combine these with hardware acceleration to improve processing efficiency, and optimize the forwarding flow by modifying the kernel source code to adapt to different hardware platforms. However, in the conventional scheme every data packet must pass through the complete multi-layer hook chain, that is, the complete Netfilter flow, so the central processing unit (CPU) overhead is high and performance drops noticeably under high traffic; in addition, the memory layout of the conventional connection tracking mechanism is poorly organized, so the cache hit rate is low.
Disclosure of Invention
The embodiments of the invention provide a fast forwarding method and system for a network data packet integrated with a zero padding Ding Nahe, which address the performance bottleneck caused by dependence on the complete Netfilter flow in the conventional Linux kernel network forwarding scheme. In a first aspect, an embodiment of the present invention provides a method for fast forwarding a network data packet integrated with a zero padding Ding Nahe, including: registering a hook function at a key node of data packet processing to obtain a registered custom processing function, extending a connection tracking structure in the Linux kernel connection tracking system of the Netfilter framework, and adding a custom field to store a fast forwarding state so as to realize zero padding Ding Nahe integration; constructing a fast network address translation (NAT) connection table, wherein the fast NAT connection table is a static hash table that achieves O(1) connection lookup based on a hash value calculated from the data packet; when a data packet reaches the registered custom processing function, calculating a hash value for the data packet and searching the fast NAT connection table for the corresponding connection node through the hash value, updating the header information of the data packet and sending the data packet to a target interface if a valid connection node is found, and marking the connection tracking information and letting the data packet go through the conventional Netfilter processing flow if no valid connection node is found.
In one possible implementation, the entries of the fast NAT connection table are connection state structures aligned to the cache line according to the smp_cache_byte size, and each connection state structure is divided into a hot-spot data area and a secondary hot-spot data area, where the hot-spot data area stores a network device pointer, a connection activity timestamp, a magic number, virtual local area network (VLAN) information, source/destination internet protocol (IP) addresses and source/destination ports, and the secondary hot-spot data area stores connection statistics, rate data and a user pointer; the number of entries of the fast NAT connection table is configured according to the hardware platform, and the fast NAT connection table resolves hash collisions by linear probing.
In one possible implementation, if a valid connection node is found, updating the header information of the data packet and sending the data packet to the target interface includes: if the value of the mac field of the connection node to be matched in the fast NAT connection table equals the natflow_path_mac constant preset by the system, the source IP address, destination IP address, source port, destination port and transport layer protocol type stored in the connection node to be matched each match the corresponding element of the five-tuple of the data packet to be forwarded, and the difference between the current system timestamp and the last-active timestamp recorded in the jiffies field