CN109672665A - A kind of access control method, device, system and computer readable storage medium - Google Patents

Publication number: CN109672665A
Authority: CN (China)
Prior art keywords: data packet, target, access, packet, access data
Legal status: Granted
Application number: CN201811354619.7A
Other languages: Chinese (zh)
Other versions: CN109672665B (en)
Inventor: 王庆
Current assignee: Beijing QIYI Century Science and Technology Co Ltd
Original assignee: Beijing QIYI Century Science and Technology Co Ltd
Application filed by Beijing QIYI Century Science and Technology Co Ltd; priority to CN201811354619.7A; published as CN109672665A; granted and published as CN109672665B. Legal status: Active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]

Abstract

The present invention provides an access control method, device, system and computer readable storage medium, belonging to the field of network technology. A relay device receives an access packet sent by an access device, sets an authorization attribute identifier in the access packet based on the packet's source address to obtain a target packet, and finally sends the target packet to the target device. The target device processes the target packet according to the authorization attribute represented by that identifier. In this way no permission list needs to be stored on the target device and the target device does not need to determine permissions from such a list: the authorization attribute identifier carried in the target packet alone determines the packet's access authority, which is how the packets sent by the access device are handled. This reduces the storage space occupied on the target device and avoids the impact that permission checks would otherwise have on the target device's performance and on its normal processing of packets.

Description

A kind of access control method, device, system and computer readable storage medium
Technical field
The invention belongs to the field of network technology, and more particularly relates to an access control method, device, system and computer readable storage medium.
Background technique
With the continuous development of network technology, the number of devices in a network system keeps growing. To improve the security of the network, it is often necessary to restrict the access permissions of devices in the system; for example, a server storing data of a higher security level may allow only some servers to access it.
In the prior art, access is restricted by storing a permission list on the target device. The list records the network protocol (IP) addresses of all access devices that are allowed, and of those that are not allowed, to access the target device. When the target device receives a packet sent by an access device, it first obtains the IP address of the access device from the packet, then judges from that IP address and the permission list whether the access device has access authority. If so, it processes the packet; otherwise it does not, and access control is thereby achieved.
However, when the number of servers in the network system is large and the access control relationships are complex, the permission list stored on the target device becomes very large and occupies considerable storage space on the target device. At the same time, the operation of determining permissions from that list consumes further target-device resources, reducing the performance of the target device and affecting its normal processing of packets.
Summary of the invention
In view of this, the present invention provides an access control method, device, system and computer readable storage medium, which to some extent solve the problems that, when access is restricted, the storage space of the target device is heavily occupied and its performance is reduced, affecting the target device's normal processing of packets.
According to a first aspect of the present invention, an access control method is provided, applied to a system comprising a relay device and a target device. The method may include:
the relay device receives an access packet sent by an access device; the destination address of the access packet is the IP address of the target device;
the relay device sets an authorization attribute identifier in the access packet based on the source address of the access packet, obtaining a target packet;
the relay device sends the target packet to the target device;
the target device processes the target packet based on the authorization attribute represented by the authorization attribute identifier.
According to a second aspect of the present invention, an access control method is provided, applied to a relay device. The method may include:
receiving an access packet sent by an access device; the destination address of the access packet is the IP address of a target device;
setting an authorization attribute identifier in the access packet based on the source address of the access packet, obtaining a target packet;
sending the target packet to the target device.
Optionally, the authorization attributes include "access allowed" and "access forbidden", and the authorization attribute identifier is a permission IP address;
setting an authorization attribute identifier in the access packet based on its source address, to obtain a target packet, comprises:
obtaining the source address of the access packet;
determining, based on the source address of the access packet, the permission IP address corresponding to the authorization attribute of the access packet;
replacing the source address of the access packet with the permission IP address corresponding to its authorization attribute, obtaining the target packet.
Optionally, determining the permission IP address corresponding to the authorization attribute of the access packet based on its source address comprises:
determining, from the source address of the access packet, the target network segment in which that source address lies;
matching the target network segment against a preset correspondence between network segments and permission IP addresses, determining the permission IP address corresponding to the target network segment, and using it as the permission IP address corresponding to the authorization attribute of the access packet.
Optionally, the authorization attribute identifier is a specified marker;
setting an authorization attribute identifier in the access packet based on its source address, to obtain a target packet, comprises:
obtaining the source address of the access packet;
determining the authorization attribute of the access packet based on its source address;
inserting, at a designated position in the access packet, the specified marker corresponding to the authorization attribute of the access packet, obtaining the target packet.
Optionally, receiving the access packet sent by the access device comprises: establishing a connection channel with the access device based on the port information of the access device and the IP address of the access device, and receiving the access packet over that connection channel;
after the target packet has been sent to the target device, the method further includes:
receiving a response packet sent by the target device; if the destination address of the response packet is a permission IP address, sending the response packet to the corresponding access device through the connection channel corresponding to the port information carried in the response packet.
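The connection-channel and response-path behaviour described in the preceding option, worked as an added Python example (this is not code from the patent or its assignee). The relay keys each channel by a relay-side port it assigns when the access device connects, rewrites the forwarded access packet to carry the permission IP and that port as its source, and on the return path accepts only responses addressed to a permission IP, routing each back through the channel named by its destination port. The permission IP values, the port range and the `Datagram` fields are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed assumption: the two permission IP addresses the relay uses
# (one meaning "access allowed", one meaning "access forbidden").
PERMISSION_IPS = {"10.255.0.1", "10.255.0.2"}


@dataclass(frozen=True)
class Datagram:
    """Minimal packet model: addresses, ports and payload (constructed)."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


class Relay:
    def __init__(self, permission_ip_of: Callable[[str], str], first_port: int = 40000):
        # Maps a source address to its permission IP (supplied by the caller).
        self.permission_ip_of = permission_ip_of
        # Connection channels: relay-side port -> (access device IP, access device port).
        self.channels: Dict[int, Tuple[str, int]] = {}
        self._next_port = first_port

    def establish_channel(self, access_ip: str, access_port: int) -> int:
        """Return the relay-side port of the channel for this access device,
        creating the channel on first contact."""
        for port, peer in self.channels.items():
            if peer == (access_ip, access_port):
                return port
        port = self._next_port
        self._next_port += 1
        self.channels[port] = (access_ip, access_port)
        return port

    def forward_access(self, d: Datagram) -> Datagram:
        """Access direction: receive over the channel, replace the source address
        with the permission IP and the source port with the channel port."""
        port = self.establish_channel(d.src, d.sport)
        return Datagram(self.permission_ip_of(d.src), port, d.dst, d.dport, d.payload)

    def forward_response(self, d: Datagram) -> Optional[Datagram]:
        """Response direction: only responses addressed to a permission IP are ours;
        the destination port selects the channel, and an unknown port is dropped."""
        if d.dst not in PERMISSION_IPS:
            return None
        peer = self.channels.get(d.dport)
        if peer is None:
            return None
        access_ip, access_port = peer
        return Datagram(d.src, d.sport, access_ip, access_port, d.payload)


if __name__ == "__main__":
    relay = Relay(lambda src: "10.255.0.1" if src.startswith("10.1.") else "10.255.0.2")
    out = relay.forward_access(Datagram("10.1.2.3", 51000, "10.0.0.10", 443, b"hello"))
    back = relay.forward_response(Datagram("10.0.0.10", 443, out.src, out.sport, b"world"))
    print(out, back)
```

Because the target only ever sees the permission IP, the relay-side port is the sole piece of state that ties a response back to an access device; a response for a port with no channel is dropped rather than guessed, and a response not addressed to a permission IP is left alone.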
According to a third aspect of the present invention, an access control method is provided, applied to a target device. The method may include:
receiving a target packet sent by a relay device; the target packet carries an authorization attribute identifier indicating the authorization attribute of the target packet, and was generated by the relay device from an access packet sent by an access device, the source address of that access packet being the IP address of the access device;
processing the target packet based on the authorization attribute identifier in the target packet.
Optionally, processing the target packet based on the authorization attribute identifier in the target packet comprises:
if the authorization attribute identifier in the target packet indicates that access is allowed, processing the target packet;
if the authorization attribute identifier in the target packet indicates that access is forbidden, discarding the target packet.
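The two ways of setting the authorization attribute identifier described in the options above (substituting a permission IP found by a network-segment lookup, and inserting a marker at a designated position) together with the target device's allow/discard decision, as one added Python example that is not code from the patent or its assignee. The segment table, the permission IP values, the one-byte marker placed at the start of the payload, and the rule that a source address outside every configured segment is treated as forbidden are all constructed assumptions; the example also uses longest-prefix matching so that a more specific forbidden segment inside an allowed one wins.

```python
import ipaddress
from dataclasses import dataclass, replace as dc_replace
from typing import Optional

# Constructed assumption: permission IP addresses standing for the two attributes.
ALLOW_IP = "10.255.0.1"
DENY_IP = "10.255.0.2"

# Constructed preset correspondence between network segments and permission IPs.
SEGMENT_TABLE = {
    ipaddress.ip_network("10.1.0.0/16"): ALLOW_IP,
    ipaddress.ip_network("10.1.5.0/24"): DENY_IP,    # more specific deny inside the allow block
    ipaddress.ip_network("192.168.0.0/16"): DENY_IP,
}

# Constructed assumption: a one-byte marker at the start of the payload.
MARKER_ALLOW = b"\x01"
MARKER_DENY = b"\x00"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes


def lookup_permission_ip(src: str) -> str:
    """Find the segment containing src (longest prefix wins) and return its
    permission IP. An address in no configured segment is treated as forbidden."""
    addr = ipaddress.ip_address(src)
    best = None
    for net, perm_ip in SEGMENT_TABLE.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, perm_ip)
    return best[1] if best else DENY_IP


def relay_by_source_replace(pkt: Packet) -> Packet:
    """Relay, variant 1: replace the source address with the permission IP."""
    return dc_replace(pkt, src=lookup_permission_ip(pkt.src))


def relay_by_marker(pkt: Packet) -> Packet:
    """Relay, variant 2: keep the source address, insert the marker that
    corresponds to the packet's authorization attribute."""
    marker = MARKER_ALLOW if lookup_permission_ip(pkt.src) == ALLOW_IP else MARKER_DENY
    return dc_replace(pkt, payload=marker + pkt.payload)


def target_handle_replaced(pkt: Packet) -> Optional[bytes]:
    """Target device, variant 1: decide from the permission IP alone, no list.
    Returns the payload to process, or None when the packet is discarded."""
    if pkt.src == ALLOW_IP:
        return pkt.payload
    return None


def target_handle_marked(pkt: Packet) -> Optional[bytes]:
    """Target device, variant 2: read the marker, strip it, process or discard."""
    if pkt.payload[:1] == MARKER_ALLOW:
        return pkt.payload[1:]
    return None


if __name__ == "__main__":
    allowed = Packet("10.1.2.3", "10.0.0.10", b"GET /")
    denied = Packet("10.1.5.9", "10.0.0.10", b"GET /")
    print(target_handle_replaced(relay_by_source_replace(allowed)))   # b'GET /'
    print(target_handle_replaced(relay_by_source_replace(denied)))    # None
    print(target_handle_marked(relay_by_marker(allowed)))             # b'GET /'
```

Both target-side functions deliberately treat anything other than the explicit "allowed" value (an unexpected source address, a missing or unknown marker) as a discard, so a packet that did not pass through the relay is not processed by accident. The scheme as a whole relies on the target being reachable only via the relay, since the target trusts the attribute the packet carries; in a deployment the target should therefore accept traffic from the relay path only.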
According to a fourth aspect of the present invention, an access control system is provided, comprising a relay device and a target device;
the relay device is configured to receive an access packet sent by an access device; the destination address of the access packet is the IP address of the target device;
the relay device is further configured to set an authorization attribute identifier in the access packet based on the source address of the access packet, obtaining a target packet;
the relay device is further configured to send the target packet to the target device;
the target device is configured to process the target packet based on the authorization attribute represented by the authorization attribute identifier.
According to a fifth aspect of the present invention, an access control apparatus is provided, applied to a relay device. The apparatus may include:
a first receiving module, for receiving an access packet sent by an access device; the destination address of the access packet is the IP address of a target device;
a setup module, for setting an authorization attribute identifier in the access packet based on the source address of the access packet, obtaining a target packet;
a first sending module, for sending the target packet to the target device.
Optionally, the authorization attributes include "access allowed" and "access forbidden", and the authorization attribute identifier is a permission IP address;
the setup module comprises:
an acquisition submodule, for obtaining the source address of the access packet;
a determining submodule, for determining, based on the source address of the access packet, the permission IP address corresponding to the authorization attribute of the access packet;
a replacing submodule, for replacing the source address of the access packet with the permission IP address corresponding to its authorization attribute, obtaining the target packet.
Optionally, the determining submodule is configured to:
determine, from the source address of the access packet, the target network segment in which that source address lies;
match the target network segment against a preset correspondence between network segments and permission IP addresses, determine the permission IP address corresponding to the target network segment, and use it as the permission IP address corresponding to the authorization attribute of the access packet.
Optionally, the authorization attribute identifier is a specified marker;
the setup module is configured to:
obtain the source address of the access packet;
determine the authorization attribute of the access packet based on its source address;
insert, at a designated position in the access packet, the specified marker corresponding to the authorization attribute of the access packet, obtaining the target packet.
Optionally, the first receiving module is configured to:
establish a connection channel with the access device based on the port information of the access device and the IP address of the access device, and receive the access packet over that connection channel;
the apparatus further includes:
a second receiving module, for receiving a response packet sent by the target device;
a second sending module, for sending the response packet, if its destination address is a permission IP address, to the corresponding access device through the connection channel corresponding to the port information carried in the response packet.
According to a sixth aspect of the present invention, an access control apparatus is provided, applied to a target device. The apparatus may include:
a third receiving module, for receiving a target packet sent by a relay device; the target packet carries an authorization attribute identifier indicating the authorization attribute of the target packet, and was generated by the relay device from an access packet sent by an access device, the source address of that access packet being the IP address of the access device;
a processing module, for processing the target packet based on the authorization attribute identifier in the target packet.
Optionally, the processing module is configured to:
process the target packet if the authorization attribute identifier in the target packet indicates that access is allowed;
discard the target packet if the authorization attribute identifier in the target packet indicates that access is forbidden.
According to a seventh aspect of the present invention, a computer readable storage medium is provided, on which a computer program is stored; when the computer program is executed by a processor, it implements the steps of the access control methods described in the first, second and third aspects.
Compared with the prior art, the present invention has the following advantages:
The relay device receives an access packet sent by an access device, sets an authorization attribute identifier in the access packet based on its source address to obtain a target packet (the identifier indicates the authorization attribute of the access packet, which is either "access allowed" or "access forbidden"), and finally sends the target packet to the target device. The target device processes the target packet according to the authorization attribute represented by that identifier. In this way no permission list needs to be stored on the target device and the target device does not need to determine permissions from such a list: the authorization attribute identifier carried in the target packet alone determines the packet's access authority, which is how the packets sent by the access device are handled. This reduces the storage space occupied on the target device and avoids impact on the target device's performance and on its normal processing of packets.
The above description is only an overview of the technical solution of the present invention. In order that the technical means of the invention may be better understood and implemented according to the contents of the specification, and that the above and other objects, features and advantages of the invention may be more clearly understood, specific embodiments of the invention are set out below.
Detailed description of the invention
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating a preferred embodiment and are not to be considered as limiting the present invention. Throughout the drawings, the same reference numbers refer to the same parts. In the drawings:
Fig. 1 is a flow chart of the steps of an access control method provided by an embodiment of the present invention;
Fig. 2 is a flow chart of the steps of another access control method provided by an embodiment of the present invention;
Fig. 3 is a flow chart of the steps of another access control method provided by an embodiment of the present invention;
Fig. 4 is a flow chart of the steps of another access control method provided by an embodiment of the present invention;
Fig. 5 is a flow chart of the steps of another access control method provided by an embodiment of the present invention;
Fig. 6 is an application schematic diagram of an access control system provided by an embodiment of the present invention;
Fig. 7 is a block diagram of an access control apparatus provided by an embodiment of the present invention;
Fig. 8 is a block diagram of another access control apparatus provided by an embodiment of the present invention;
Fig. 9 is a block diagram of another access control apparatus provided by an embodiment of the present invention;
Fig. 10 is a block diagram of an access control system provided by an embodiment of the present invention.
Specific embodiment
Exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the invention, it should be understood that the invention may be implemented in various forms and should not be limited by the embodiments set forth here. On the contrary, these embodiments are provided so that the invention can be thoroughly understood and its scope fully conveyed to those skilled in the art.
Fig. 1 is a flow chart of the steps of an access control method provided by an embodiment of the present invention, applied to a system including a relay device and a target device. As shown in Fig. 1, the method may include:
Step 101: the relay device receives an access packet sent by an access device.
In the embodiment of the present invention, the access device is a device that needs to access the target device and sends an access packet to it. It may be a computer, a server, a portable mobile terminal, etc.; the embodiment does not limit this.
Further, the access packet may be a packet sent by the access device whose destination address is the IP address of the target device. In practice, a device sending a packet usually sends it directly to the device represented by the packet's destination address. In the embodiment of the present invention, so that the target device can handle the access packet according to its permission, routing can be configured on the access device in advance so that the access device first sends the access packet to the relay device; correspondingly, the relay device receives the access packet sent by the access device.
Step 102: the relay device sets an authorization attribute identifier in the access packet based on the source address of the access packet, obtaining a target packet.
In the embodiment of the present invention, the authorization attribute identifier may be used to indicate the authorization attribute of the access packet. The authorization attribute includes "access allowed" and "access forbidden"; correspondingly, the authorization attribute identifier may include an identifier indicating that access is allowed and an identifier indicating that access is forbidden.
Further, the authorization attribute of the access packet may be determined from its source address, which indicates the IP address of the access device that sent the packet. The authorization attribute of an access packet generally corresponds to the permission of the access device that sent it: when the access device has access authority, the authorization attribute of the access packets it sends may be "access allowed", and when it does not, "access forbidden". Therefore, in the embodiment of the present invention, the IP addresses of access devices with access authority and of access devices without access authority may be defined in the relay device in advance. Correspondingly, the relay device first determines, from the source address of the access packet, the permission of the access device that sent it, then sets the authorization attribute identifier in the access packet based on that permission, obtaining the target packet.
Step 103: the relay device sends the target packet to the target device.
In the embodiment of the present invention, the relay device may send the target packet to the target device so that the target device can process the target packet.
Step 104: the target device processes the target packet based on the authorization attribute represented by the authorization attribute identifier.
In the embodiment of the present invention, since the relay device has set an authorization attribute identifier in the target packet, the target device, on receiving the target packet, can determine its authorization attribute directly from that identifier and process the packet accordingly. The operation of storing a permission list on the target device can thus be omitted, and the target device does not need to determine the packet's permission from such a list. This saves the processing resources of the target device, avoids impact on its performance and ensures that the target device can process target packets normally.
In summary, in the access control method provided by this embodiment of the present invention, the relay device receives an access packet sent by an access device, sets an authorization attribute identifier in the access packet based on its source address to obtain a target packet (the identifier indicates the authorization attribute of the access packet, which is either "access allowed" or "access forbidden"), and finally sends the target packet to the target device, which processes it according to the authorization attribute the identifier represents. In this way no permission list needs to be stored on the target device and the target device does not need to determine permissions from such a list: the identifier carried in the target packet alone determines the packet's access authority, which is how the packets sent by the access device are handled. This reduces the storage space occupied on the target device and avoids impact on the target device's performance and on its normal processing of packets.
Fig. 2 is a flow chart of the steps of another access control method provided by an embodiment of the present invention, applied to a relay device. As shown in Fig. 2, the method may include:
Step 201: receive an access packet sent by an access device; the destination address of the access packet is the IP address of a target device.
Specifically, the implementation of this step may refer to step 101 above and is not repeated here.
Step 202: set an authorization attribute identifier in the access packet based on the source address of the access packet, obtaining a target packet.
Specifically, the implementation of this step may refer to step 102 above and is not repeated here.
Step 203: send the target packet to the target device.
Specifically, the implementation of this step may refer to step 103 above and is not repeated here.
In summary, in this access control method provided by an embodiment of the present invention, the relay device receives an access packet sent by an access device, sets an authorization attribute identifier in the access packet based on its source address to obtain a target packet (the identifier indicates the authorization attribute of the access packet, which is either "access allowed" or "access forbidden"), and finally sends the target packet to the target device, so that the target device can process the target packet according to the authorization attribute the identifier represents. In this way no permission list needs to be stored on the target device and the target device does not need to determine permissions from such a list: the identifier carried in the target packet alone determines the packet's access authority, which is how the packets sent by the access device are handled. This reduces the storage space occupied on the target device and avoids impact on the target device's performance and on its normal processing of packets.
Fig. 3 is a flow chart of the steps of another access control method provided by an embodiment of the present invention, applied to an access device. As shown in Fig. 3, the method may include:
Step 301: send an access packet to a relay device, so that the relay device sets an authorization attribute identifier in the access packet based on the source address of the access packet, obtains a target packet, and sends the target packet to a target device.
In the embodiment of the present invention, the destination address of the access packet may be the IP address of the target device, and the target device may be a computer, a server, a portable mobile terminal, etc.; the embodiment does not limit this. In practice, a device sending a packet usually sends it directly to the device represented by the packet's destination address. In the embodiment of the present invention, so that the target device can handle the access packet according to its permission, routing can be configured on the access device in advance so that the access device first sends the access packet, whose destination address is the IP address of the target device, to the relay device. The relay device then sets an authorization attribute identifier in the packet based on the source address of the access packet and sends the resulting target packet to the target device. Because the relay device has set an authorization attribute identifier in the target packet, no permission list needs to be stored on the target device and the target device does not need to determine permissions from such a list: the identifier carried in the target packet alone determines the packet's access authority and the target packet is processed accordingly. This reduces the storage space occupied on the target device and avoids impact on the target device's performance and on its normal processing of packets.
In summary, in this access control method provided by an embodiment of the present invention, the access device sends an access packet whose destination address is the IP address of the target device to the relay device, so that the relay device sets an authorization attribute identifier in the access packet based on its source address and sends the resulting target packet to the target device. In this way no permission list needs to be stored on the target device and the target device does not need to determine permissions from such a list: the identifier carried in the target packet alone determines the packet's access authority, which is how the packets sent by the access device are handled. This reduces the storage space occupied on the target device and avoids impact on the target device's performance and on its normal processing of packets.
Fig. 4 is a flowchart of the steps of another access control method provided by an embodiment of the present invention, applied to the target device. As shown in Fig. 4, the method may include:
Step 401: receive the target data packet sent by the relay device; the target data packet carries a permission attribute identifier that indicates the permission attribute of the target data packet.
In the embodiment of the present invention, the target data packet may be generated by the relay device from an access data packet sent by the access device, where the source address of the access data packet is the IP address of the access device. Specifically, the relay device may set the permission attribute identifier in the access data packet based on its source address; that is, the effective data carried in the target data packet is identical to the effective data carried in the access data packet, so the target data packet can be regarded as essentially the data packet sent by the access device. Further, because the target data packet carries the permission attribute identifier, no permission list needs to be stored on the target device, and the target device does not need to determine permissions from such a list; it can determine the access permission of the target data packet directly from the permission attribute identifier carried in the packet and process the packet accordingly. This reduces the storage space occupied on the target device and avoids affecting the performance of the target device and its normal processing of data packets.
Step 402: process the target data packet based on the permission attribute identifier in the target data packet.
In the embodiment of the present invention, the target device can perform the corresponding processing on the target data packet according to the permission attribute represented by the permission attribute identifier in the target data packet, thereby implementing access control.
In summary, in another access control method provided by an embodiment of the present invention, the target device can receive the target data packet sent by the relay device, where the target data packet carries a permission attribute identifier indicating the permission attribute of the target data packet, and then process the target data packet based on that permission attribute identifier. In this way, no permission list needs to be stored on the target device, and the target device does not need to determine permissions from such a list; it can determine the access permission of the target data packet directly from the permission attribute identifier carried in the packet and thereby process the data packet sent by the access device. This reduces the storage space occupied on the target device and avoids affecting the performance of the target device and its normal processing of data packets.
Fig. 5 is a flowchart of the steps of another access control method provided by an embodiment of the present invention. As shown in Fig. 5, the method may include:
Step 501: the access device sends the access data packet to the relay device, where the destination address of the access data packet is the IP address of the target device.
In this step, so that the access device first sends the access data packet to the relay device, the routing configuration of the access device can be changed in advance based on the IP address of the relay device. Specifically, the IP address of the relay device can be added to the routing rules of the access device to implement this routing configuration.
Further, when sending the access data packet to the relay device, the access device may first send the relay device a connection establishment request that includes the IP address and port information of the access device. The relay device can then establish a connection channel with the access device based on that port information and IP address, and the access device can send the access data packet to the relay device over the connection channel. The connection channel may be a Transmission Control Protocol (TCP) connection channel.
Step 502: the relay device receives the access data packet sent by the access device.
Correspondingly, in this step the relay device can receive the connection establishment request sent by the access device, which includes the port information and IP address of the access device, establish a connection channel with the access device based on that port information and IP address, and then receive the access data packet over the connection channel.
Step 503: the relay device sets a permission attribute identifier for the access data packet based on the source address of the access data packet, obtaining the target data packet.
This step may have the following two feasible implementations.
First feasible implementation:
The permission attribute identifier may be a permission IP address. Correspondingly, the relay device can carry out the operation of setting the permission attribute identifier for the access data packet based on its source address and obtaining the target data packet through the following sub-steps (1) to (3):
Sub-step (1): the relay device obtains the source address of the access data packet.
In this step, the relay device can first parse the access data packet and then read the source address from the position in the parsed packet where the source address information is stored.
Sub-step (2): the relay device determines, based on the source address of the access data packet, the permission IP address corresponding to the permission attribute of the access data packet.
In this step, the relay device can first determine, from the source address of the access data packet, the target network segment to which that source address belongs, then match the target network segment against a preset correspondence between network segments and permission IP addresses to determine the permission IP address corresponding to the target network segment, and use it as the permission IP address corresponding to the permission attribute of the access data packet.
In practice, access permission control usually has to be applied to all IP addresses contained in a network segment. For example, given network segment N1: 1.1.1.0/24, network segment N2: 1.1.2.0/24 and network segment N3: 1.1.3.0/24, it may be specified that N1 is not allowed to access N3 while N2 is allowed to access N3. Therefore, in this step, permission IP addresses representing permission attributes can be set in advance for the different network segments according to actual requirements, and the correspondence between network segments and permission IP addresses can be established and stored on the relay device. Compared with storing many individual IP addresses, this reduces the amount of data stored. Of course, in the embodiment of the present invention a correspondence between individual IP addresses and permission IP addresses may also be stored, in which case the relay device looks up the permission IP address corresponding to the source address of the access data packet directly in that correspondence; the embodiment of the present invention does not limit this.
Further, because the source address of the access data packet is the IP address of the access device, the relay device can first determine the network segment to which the source address belongs, that is, the network segment containing that IP address, then look up the permission IP address corresponding to that target network segment in the preset correspondence between network segments and permission IP addresses, and determine that permission IP address as the permission IP address corresponding to the permission attribute of the access data packet. For example, suppose the permission IP addresses are 1.1.3.2 and 1.1.3.3, where 1.1.3.2 represents "access forbidden" and 1.1.3.3 represents "access allowed", the permission IP address corresponding to network segment N1 is 1.1.3.2, and the permission IP address corresponding to network segment N2 is 1.1.3.3. If the target network segment containing the source address of the access data packet is N2, the relay device can determine 1.1.3.3 as the permission IP address corresponding to the permission attribute of the access data packet.
Sub-step (3): the relay device replaces the source address of the access data packet with the permission IP address corresponding to the permission attribute of the access data packet, obtaining the target data packet.
In this step, the relay device can delete the source address stored in the access data packet and then write the permission IP address into the position in the access data packet where the source address is stored, obtaining the target data packet.
Second feasible implementation:
The permission attribute identifier is a specified marker. Correspondingly, the relay device can carry out the operation of setting the permission attribute identifier for the access data packet based on its source address and obtaining the target data packet through the following sub-steps (4) to (6):
Sub-step (4): the relay device obtains the source address of the access data packet.
Specifically, the implementation of this step is similar to sub-step (1) above; refer to sub-step (1). The embodiment of the present invention does not repeat it here.
Sub-step (5): the relay device determines the permission attribute of the access data packet based on the source address of the access data packet.
In this step, the relay device can first determine, from the source address of the access data packet, the target network segment to which that source address belongs, then determine the specified marker corresponding to the target network segment based on a preset correspondence between network segments and specified markers, and finally determine that marker as the specified marker corresponding to the permission attribute of the access data packet. The specified markers may include a marker representing "access allowed" and a marker representing "access forbidden"; their concrete form can be set according to actual needs, and the embodiment of the present invention does not limit this. For example, the marker representing "access allowed" may be set to A and the marker representing "access forbidden" to B. As an example, if the specified marker corresponding to the target network segment containing the source address of the access data packet is A, the relay device can determine A as the specified marker corresponding to the permission attribute of the access data packet.
Sub-step (6): the relay device inserts the specified marker corresponding to the permission attribute of the access data packet at a specified position in the access data packet, obtaining the target data packet.
In this step, the specified position can be set according to actual conditions. For example, the specified position may be the last position; correspondingly, the relay device can insert the specified marker A corresponding to the permission attribute of the access data packet at the last position of the access data packet, obtaining the target data packet.
Step 504: the relay device sends the target data packet to the target device.
Specifically, the implementation of this step can refer to step 103 above; the embodiment of the present invention does not repeat it here.
Step 505: the target device receives the target data packet sent by the relay device.
Specifically, the implementation of this step can refer to step 301 above; the embodiment of the present invention does not repeat it here.
Step 506: the target device processes the target data packet based on the permission attribute identifier in the target data packet.
Specifically, the target device can first parse the target data packet and then extract the permission attribute identifier from the parsed packet. If the permission attribute identifier in the target data packet represents "access allowed", the target data packet can be processed; if it represents "access forbidden", the target data packet is discarded. In the embodiment of the present invention, the relay device generates the target data packet by setting a permission attribute identifier for the access data packet, and the target device processes target data packets whose permission attribute identifier represents "access allowed" and discards those whose identifier represents "access forbidden". In this way it can be controlled which access devices are able to access the target device, thereby implementing access control. At the same time, by selectively discarding target data packets, the concurrency of data packets at the target device and the traffic consumed by the target device in processing data packets can be controlled, thereby implementing concurrency control and flow control. Further, in practice, to save the processing resources of the target device as far as possible, the relay device can directly discard access data packets whose corresponding permission attribute identifier represents "access forbidden", which reduces the number of data packets sent to the target device and thus saves its processing resources.
Further, if the relay device generates the target data packet by changing the source address of the access data packet to a permission IP address, the target data packet no longer carries the IP address of the access device that sent it. So that the target device can still return its response data packet for the target data packet to the access device in the subsequent flow, the target device can send the response data packet to the relay device, and the relay device receives the response data packet sent by the target device. If the destination address of the response data packet is a permission IP address, the relay device sends the response data packet to the corresponding access device through the connection channel corresponding to the port information in the response data packet. Specifically, the relay device can search the previously established connection channels for the channel whose port information matches the port information in the response data packet and use that channel to send the response data packet to the access device.
In summary, in another access control method provided by an embodiment of the present invention, the access device can send an access data packet whose destination address is the IP address of the target device to the relay device; the relay device can receive the access data packet sent by the access device, set a permission attribute identifier for the access data packet based on its source address to obtain the target data packet, where the permission attribute identifier indicates the permission attribute of the access data packet and the permission attributes include "access allowed" and "access forbidden", and finally send the target data packet to the target device; the target device can receive the target data packet sent by the relay device and process it based on the permission attribute identifier in the target data packet. In this way, no permission list needs to be stored on the target device, and the target device does not need to determine permissions from such a list; it can determine the access permission of the target data packet directly from the permission attribute identifier carried in the packet and thereby process the data packet sent by the access device. This reduces the storage space occupied on the target device and avoids affecting the performance of the target device and its normal processing of data packets.
Fig. 6 is a schematic diagram of an application of an access control system provided by an embodiment of the present invention. As shown in Fig. 6, S1 denotes access device 1, S2 denotes access device 2, S4 denotes the relay device and S3 denotes the target device. Further, the network segment N1 containing the source address of access device 1 is 1.1.1.0/24, the network segment N2 containing the source address of access device 2 is 1.1.2.0/24, the permission IP address representing "access allowed" is 1.1.3.3, and the permission IP address representing "access forbidden" is 1.1.3.2.
Suppose that in the preset correspondence between network segments and permission IP addresses, the permission IP address corresponding to the network segment matching N1: 1.1.1.0/24 is 1.1.3.2, and the permission IP address corresponding to the network segment matching N2: 1.1.2.0/24 is 1.1.3.3. Then the relay device can change the source address of an access data packet sent by access device 1, whose source address lies in N1, to 1.1.3.2, and change the source address of an access data packet sent by access device 2, whose source address lies in N2, to 1.1.3.3, obtaining the target data packets. The relay device can then send the target data packets to the target device. Further, the target device can discard target data packets whose source address is 1.1.3.2 and process target data packets whose source address is 1.1.3.3.
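The following is an added worked example, not code from the patent or its applicant, that models steps 501 to 506 and the Fig. 6 scenario above in Python: the relay maps the source segment to a permission IP address (first implementation) or to a trailing marker byte A/B (second implementation), the target decides from that identifier alone with no permission list of its own, and the relay maps the target's response back to the access device by port information. The target host address 1.1.3.10, the ports, payloads, the class and function names, the "unknown segment is denied" default and the `ingress` check on the target are all assumptions of this example; the patent text does not specify them.

```python
import ipaddress
from dataclasses import dataclass

# Permission IP addresses and segment policy taken from the Fig. 6 example.
# Target host, ports and payloads below are constructed for this example.
PERMIT_IP = "1.1.3.3"   # "access allowed"
DENY_IP = "1.1.3.2"     # "access forbidden"
SEGMENT_POLICY = {
    ipaddress.ip_network("1.1.1.0/24"): DENY_IP,    # N1 may not reach N3
    ipaddress.ip_network("1.1.2.0/24"): PERMIT_IP,  # N2 may reach N3
}
MARKERS = {PERMIT_IP: b"A", DENY_IP: b"B"}   # second implementation: trailing marker byte


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


class Relay:
    """S4: rewrites the source address (or appends a marker) and maps responses back."""

    def __init__(self, policy, default=DENY_IP):
        self.policy = policy
        self.default = default      # assumption: segments absent from the policy are denied
        self.channels = {}          # access-device source port -> access-device IP

    def permission_ip(self, src):
        addr = ipaddress.ip_address(src)
        for segment, perm in self.policy.items():
            if addr in segment:
                return perm
        return self.default

    def rewrite_source(self, pkt):
        """First implementation: replace the source address with the permission IP."""
        self.channels[pkt.sport] = pkt.src   # remember the channel for the response path
        return Packet(self.permission_ip(pkt.src), pkt.dst, pkt.sport, pkt.dport, pkt.payload)

    def append_marker(self, pkt):
        """Second implementation: keep the source address, append marker A/B as last byte."""
        return Packet(pkt.src, pkt.dst, pkt.sport, pkt.dport,
                      pkt.payload + MARKERS[self.permission_ip(pkt.src)])

    def route_response(self, resp):
        """Map a response addressed to a permission IP back to the access device by port."""
        if resp.dst not in MARKERS:
            return None
        original_src = self.channels.get(resp.dport)
        if original_src is None:
            return None
        return Packet(resp.src, original_src, resp.sport, resp.dport, resp.payload)


class Target:
    """S3: decides from the identifier alone; it holds no permission list."""

    def __init__(self, ip, relay_ingress):
        self.ip = ip
        self.relay_ingress = relay_ingress   # added check (assumption): trust only the relay path
        self.processed = []

    def handle(self, pkt, ingress):
        if ingress != self.relay_ingress or pkt.dst != self.ip:
            return None                      # did not arrive via the relay: drop
        if pkt.src == DENY_IP:
            return None                      # "access forbidden": drop
        if pkt.src == PERMIT_IP:
            self.processed.append(pkt.payload)
            return Packet(self.ip, pkt.src, pkt.dport, pkt.sport, b"OK:" + pkt.payload)
        return None                          # no identifier at all: drop (assumption)

    def handle_marked(self, pkt, ingress):
        """Second implementation: the identifier is the last payload byte."""
        if ingress != self.relay_ingress or not pkt.payload:
            return None
        marker, body = pkt.payload[-1:], pkt.payload[:-1]
        if marker != b"A":
            return None
        self.processed.append(body)
        return Packet(self.ip, pkt.src, pkt.dport, pkt.sport, b"OK:" + body)


def run_fig6_scenario():
    """S1 (in N1) and S2 (in N2) both send to S3 via S4; a forged direct packet is also tried."""
    relay = Relay(SEGMENT_POLICY)
    target = Target("1.1.3.10", relay_ingress="S4")
    s1 = Packet("1.1.1.7", "1.1.3.10", 40001, 80, b"GET /")   # access device 1
    s2 = Packet("1.1.2.5", "1.1.3.10", 40002, 80, b"GET /")   # access device 2
    results = {}
    for name, pkt in (("S1", s1), ("S2", s2)):
        t = relay.rewrite_source(pkt)
        resp = target.handle(t, ingress="S4")
        results[name] = (t.src, relay.route_response(resp) if resp else None)
    # a host presenting the permit address itself, bypassing the relay
    forged = Packet(PERMIT_IP, "1.1.3.10", 40003, 80, b"GET /")
    results["forged"] = target.handle(forged, ingress="S1")
    return results


if __name__ == "__main__":
    print(run_fig6_scenario())
```

Two points a practitioner should take from the model. First, the identifier is only as trustworthy as the path it arrived on: the patent describes the target deciding from the permission IP or marker alone, so the `ingress` check in `Target` (an addition of this example) is what stops any host that can reach 1.1.3.10 directly from presenting 1.1.3.3 itself. Second, the response path keys the connection channel by the access device's port, as the text describes; two access devices that pick the same source port would collide in `channels`, so a real relay should key on the full connection tuple.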
In conclusion relay device can be access equipment transmission according to the permission of access equipment in the embodiment of the present invention Access data packet reset the source address that can indicate Authorization Attributes, and then obtain target packet, then relay device Target packet can be sent to target device, target device can receive the target packet of relay device transmission, then Authorization Attributes mark is indicated that the target packet accessed is allowed to handle, and abandon Authorization Attributes mark to indicate to forbid visiting The target packet asked.In this way, target device is without based on the permission list without storing permission list in target device It defines the competence, to be directly based upon Authorization Attributes represented by the source address of target packet i.e. can be determined whether to target packet It is handled, and then realizes that the data packet sent to access equipment is handled, reduce the occupancy to target device memory space, It avoids impacting the normal processing of data packet the performance and target device of target device.
Fig. 7 is a block diagram of an access control apparatus provided by an embodiment of the present invention. As shown in Fig. 7, the apparatus 70 can be applied to the relay device and may include:
a first receiving module 701, configured to receive the access data packet sent by the access device, where the destination address of the access data packet is the IP address of the target device;
a setting module 702, configured to set a permission attribute identifier for the access data packet based on the source address of the access data packet, obtaining the target data packet; and
a first sending module 703, configured to send the target data packet to the target device.
Optionally, the permission attributes include "access allowed" and "access forbidden", and the permission attribute identifier is a permission IP address.
The setting module 702 includes:
an acquisition sub-module, configured to obtain the source address of the access data packet;
a determination sub-module, configured to determine, based on the source address of the access data packet, the permission IP address corresponding to the permission attribute of the access data packet; and
a replacement sub-module, configured to replace the source address of the access data packet with the permission IP address corresponding to the permission attribute of the access data packet, obtaining the target data packet.
Optionally, the determination sub-module is configured to:
determine, based on the source address of the access data packet, the target network segment to which the source address of the access data packet belongs; and
match the target network segment against the preset correspondence between network segments and permission IP addresses to determine the permission IP address corresponding to the target network segment, and use it as the permission IP address corresponding to the permission attribute of the access data packet.
Optionally, the permission attribute identifier is a specified marker;
and the setting module 702 is configured to:
obtain the source address of the access data packet;
determine the permission attribute of the access data packet based on the source address of the access data packet; and
insert the specified marker corresponding to the permission attribute of the access data packet at a specified position in the access data packet, obtaining the target data packet.
Optionally, the first receiving module 701 is configured to:
establish a connection channel with the access device based on the port information of the access device and the IP address of the access device, and receive the access data packet over the connection channel.
The apparatus 70 further includes:
a second receiving module, configured to receive the response data packet sent by the target device; and
a second sending module, configured to, if the destination address of the response data packet is a permission IP address, send the response data packet to the corresponding access device through the connection channel corresponding to the port information in the response data packet, based on that port information.
In summary, in an access control apparatus provided by an embodiment of the present invention, the first receiving module can receive the access data packet sent by the access device; the setting module can then set a permission attribute identifier for the access data packet based on its source address, obtaining the target data packet, where the permission attribute identifier indicates the permission attribute of the access data packet and the permission attributes include "access allowed" and "access forbidden"; and finally the first sending module can send the target data packet to the target device. In this way, no permission list needs to be stored on the target device, and the target device does not need to determine permissions from such a list; it can determine the access permission of the target data packet directly from the permission attribute identifier carried in the packet and thereby process the data packet sent by the access device. This reduces the storage space occupied on the target device and avoids affecting the performance of the target device and its normal processing of data packets.
Fig. 8 is a block diagram of another access control apparatus provided by an embodiment of the present invention. As shown in Fig. 8, the apparatus 80 can be applied to the access device and may include:
a third sending module 801, configured to send the access data packet to the relay device, so that the relay device sets a permission attribute identifier for the access data packet based on the source address of the access data packet, obtains the target data packet, and sends the target data packet to the target device;
where the destination address of the access data packet is the IP address of the target device.
Optionally, the apparatus 80 further includes:
a change module, configured to change the routing configuration of the access device based on the IP address of the relay device, so that the access device sends an access data packet whose destination address is the IP address of the target device to the relay device.
In summary, in another access control apparatus provided by an embodiment of the present invention, the third sending module can send an access data packet whose destination address is the IP address of the target device to the relay device, so that the relay device sets a permission attribute identifier for the access data packet based on its source address and sends the resulting target data packet to the target device. In this way, no permission list needs to be stored on the target device, and the target device does not need to determine permissions from such a list; it can determine the access permission of the target data packet directly from the permission attribute identifier carried in the packet and thereby process the data packet sent by the access device. This reduces the storage space occupied on the target device and avoids affecting the performance of the target device and its normal processing of data packets.
Fig. 9 is a block diagram of another access control apparatus provided by an embodiment of the present invention. As shown in Fig. 9, the apparatus 90 can be applied to the target device and may include:
a third receiving module 901, configured to receive the target data packet sent by the relay device, where the target data packet carries a permission attribute identifier indicating the permission attribute of the target data packet, the target data packet is generated by the relay device from the access data packet sent by the access device, and the source address of the access data packet is the IP address of the access device; and
a processing module 902, configured to process the target data packet based on the permission attribute identifier in the target data packet.
Optionally, the processing module 902 is configured to:
process the target data packet if the permission attribute identifier in the target data packet represents "access allowed"; and
discard the target data packet if the permission attribute identifier in the target data packet represents "access forbidden".
In summary, in another access control apparatus provided by an embodiment of the present invention, the third receiving module can receive the target data packet sent by the relay device, where the target data packet carries a permission attribute identifier indicating the permission attribute of the target data packet, and the processing module can then process the target data packet based on that permission attribute identifier. In this way, no permission list needs to be stored on the target device, and the target device does not need to determine permissions from such a list; it can determine the access permission of the target data packet directly from the permission attribute identifier carried in the packet and thereby process the data packet sent by the access device. This reduces the storage space occupied on the target device and avoids affecting the performance of the target device and its normal processing of data packets.
Fig. 10 is a block diagram of an access control system provided by an embodiment of the present invention. As shown in Fig. 10, the system may include a relay device 1001 and a target device 1002;
where the relay device 1001 is configured to receive the access data packet sent by an access device 1003, the destination address of the access data packet being the IP address of the target device;
the relay device 1001 is further configured to set a permission attribute identifier for the access data packet based on the source address of the access data packet, obtaining the target data packet;
the relay device 1001 is further configured to send the target data packet to the target device 1002; and
the target device 1002 is configured to process the target data packet based on the permission attribute represented by the permission attribute identifier.
In summary, in an access control system provided by an embodiment of the present invention, the relay device can receive the access data packet sent by the access device, set a permission attribute identifier for the access data packet based on its source address to obtain the target data packet, where the permission attribute identifier indicates the permission attribute of the access data packet and the permission attributes include "access allowed" and "access forbidden", and finally send the target data packet to the target device; the target device can receive the target data packet sent by the relay device and process it based on the permission attribute identifier in the target data packet. In this way, no permission list needs to be stored on the target device, and the target device does not need to determine permissions from such a list; it can determine the access permission of the target data packet directly from the permission attribute identifier carried in the packet and thereby process the data packet sent by the access device. This reduces the storage space occupied on the target device and avoids affecting the performance of the target device and its normal processing of data packets.
Because the apparatus embodiments above are essentially similar to the method embodiments, they are described relatively briefly; for the relevant parts, refer to the corresponding description of the method embodiments.
In addition, an embodiment of the present invention also provides a terminal including a processor, a memory, and a computer program stored on the memory and runnable on the processor. When executed by the processor, the computer program implements each process of the access control method embodiments above and achieves the same technical effect. To avoid repetition, this is not described again here.
An embodiment of the present invention also provides a computer-readable storage medium on which a computer program is stored. When executed by a processor, the computer program implements each process of the access control method embodiments above and achieves the same technical effect. To avoid repetition, this is not described again here. The computer-readable storage medium may be a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or the like.
The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments can be referred to one another.
It will readily occur to those skilled in the art that any combination of the above embodiments is feasible, and therefore any combination of the above embodiments is an embodiment of the present invention; owing to limited space, this specification does not describe them one by one.
The access control methods provided herein are not inherently related to any particular computer, virtual system, or other device. Various general-purpose systems may also be used with the teachings herein. From the description above, the structure required to build a system with the solution of the present invention is apparent. In addition, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described herein, and the description above of a specific language is given to disclose the best mode of carrying out the invention.
In the description provided here, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, to simplify the present disclosure and aid in understanding one or more of the various inventive aspects, in the description of exemplary embodiments above the features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the claims reflect, inventive aspects lie in fewer than all features of a single embodiment disclosed above. Thus the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will understand that the modules in the device of an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units, or components of an embodiment can be combined into one module, unit, or component, and they can furthermore be divided into multiple sub-modules, sub-units, or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract, and drawings) and all processes or units of any method or apparatus so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract, and drawings) may be replaced by an alternative feature serving the same, equivalent, or similar purpose.
In addition, those skilled in the art will appreciate that although some embodiments described herein include certain features included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the claims, any of the claimed embodiments can be used in any combination.
Various component embodiments of the invention can be implemented in hardware, or to run on one or more processors Software module realize, or be implemented in a combination thereof.It will be understood by those of skill in the art that can be used in practice Microprocessor or digital signal processor (DSP) come realize some in access control method according to an embodiment of the present invention or The some or all functions of person's whole component.The present invention is also implemented as one for executing method as described herein Point or whole device or device programs (for example, computer program and computer program product).Such this hair of realization Bright program can store on a computer-readable medium, or may be in the form of one or more signals.It is such Signal can be downloaded from an internet website to obtain, and is perhaps provided on the carrier signal or is provided in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and ability Field technique personnel can be designed alternative embodiment without departing from the scope of the appended claims.In the claims, Any reference symbol between parentheses should not be configured to limitations on claims.Word "comprising" does not exclude the presence of not Element or step listed in the claims.Word "a" or "an" located in front of the element does not exclude the presence of multiple such Element.The present invention can be by means of including the hardware of several different elements and being come by means of properly programmed computer real It is existing.In the unit claims listing several devices, several in these devices can be through the same hardware branch To embody.The use of word first, second, and third does not indicate any sequence.These words can be explained and be run after fame Claim.

Claims (17)

1. An access control method, characterized in that it is applied to a system comprising a relay device and a target device, the method comprising:
the relay device receives an access data packet sent by an access device, the destination address of the access data packet being the IP address of the target device;
the relay device sets an authorization attribute identifier in the access data packet based on the source address of the access data packet, obtaining a target data packet;
the relay device sends the target data packet to the target device;
the target device processes the target data packet based on the authorization attribute represented by the authorization attribute identifier.
2. An access control method, characterized in that it is applied to a relay device, the method comprising:
receiving an access data packet sent by an access device, the destination address of the access data packet being the IP address of a target device;
setting an authorization attribute identifier in the access data packet based on the source address of the access data packet, obtaining a target data packet;
sending the target data packet to the target device.
3. The method according to claim 2, characterized in that the authorization attributes comprise access allowed and access forbidden, and the authorization attribute identifier is a permission IP address;
setting an authorization attribute identifier in the access data packet based on the source address of the access data packet, obtaining a target data packet, comprises:
obtaining the source address of the access data packet;
determining, based on the source address of the access data packet, the permission IP address corresponding to the authorization attribute of the access data packet;
replacing the source address of the access data packet with the permission IP address corresponding to the authorization attribute of the access data packet, obtaining the target data packet.
4. The method according to claim 3, characterized in that determining, based on the source address of the access data packet, the permission IP address corresponding to the authorization attribute of the access data packet comprises:
determining, based on the source address of the access data packet, the target network segment in which the source address of the access data packet lies;
matching the target network segment against a preset correspondence between network segments and permission IP addresses, determining the permission IP address corresponding to the target network segment, and using it as the permission IP address corresponding to the authorization attribute of the access data packet.
5. The method according to claim 2, characterized in that the authorization attribute identifier is a specified marker;
setting an authorization attribute identifier in the access data packet based on the source address of the access data packet, obtaining a target data packet, comprises:
obtaining the source address of the access data packet;
determining the authorization attribute of the access data packet based on the source address of the access data packet;
inserting, at a designated position in the access data packet, the specified marker corresponding to the authorization attribute of the access data packet, obtaining the target data packet.
6. The method according to claim 3, characterized in that receiving an access data packet sent by an access device comprises: establishing a connection channel with the access device based on the port information and the IP address of the access device; receiving the access data packet over the connection channel;
after sending the target data packet to the target device, the method further comprises:
receiving a response data packet sent by the target device; if the destination address of the response data packet is a permission IP address, sending the response data packet to the corresponding access device over the connection channel corresponding to the port information in the response data packet.
7. An access control method, characterized in that it is applied to a target device, the method comprising:
receiving a target data packet sent by a relay device, the target data packet carrying an authorization attribute identifier indicating the authorization attribute of the target data packet, the target data packet being generated by the relay device based on an access data packet sent by an access device, and the source address of the access data packet being the IP address of the access device;
processing the target data packet based on the authorization attribute identifier in the target data packet.
8. The method according to claim 7, characterized in that processing the target data packet based on the authorization attribute identifier in the target data packet comprises:
if the authorization attribute identifier in the target data packet indicates access allowed, processing the target data packet;
if the authorization attribute identifier in the target data packet indicates access forbidden, discarding the target data packet.
9. An access control system, characterized in that the system comprises a relay device and a target device;
the relay device is configured to receive an access data packet sent by an access device, the destination address of the access data packet being the IP address of the target device;
the relay device is further configured to set an authorization attribute identifier in the access data packet based on the source address of the access data packet, obtaining a target data packet;
the relay device is further configured to send the target data packet to the target device;
the target device is configured to process the target data packet based on the authorization attribute represented by the authorization attribute identifier.
10. An access control apparatus, characterized in that it is applied to a relay device, the apparatus comprising:
a first receiving module, configured to receive an access data packet sent by an access device, the destination address of the access data packet being the IP address of a target device;
a setting module, configured to set an authorization attribute identifier in the access data packet based on the source address of the access data packet, obtaining a target data packet;
a first sending module, configured to send the target data packet to the target device.
11. The apparatus according to claim 10, characterized in that the authorization attributes comprise access allowed and access forbidden, and the authorization attribute identifier is a permission IP address;
the setting module comprises:
an acquisition sub-module, configured to obtain the source address of the access data packet;
a determining sub-module, configured to determine, based on the source address of the access data packet, the permission IP address corresponding to the authorization attribute of the access data packet;
a replacement sub-module, configured to replace the source address of the access data packet with the permission IP address corresponding to the authorization attribute of the access data packet, obtaining the target data packet.
12. The apparatus according to claim 11, characterized in that the determining sub-module is configured to:
determine, based on the source address of the access data packet, the target network segment in which the source address of the access data packet lies;
match the target network segment against a preset correspondence between network segments and permission IP addresses, determine the permission IP address corresponding to the target network segment, and use it as the permission IP address corresponding to the authorization attribute of the access data packet.
13. The apparatus according to claim 10, characterized in that the authorization attribute identifier is a specified marker;
the setting module is configured to:
obtain the source address of the access data packet;
determine the authorization attribute of the access data packet based on the source address of the access data packet;
insert, at a designated position in the access data packet, the specified marker corresponding to the authorization attribute of the access data packet, obtaining the target data packet.
14. The apparatus according to claim 11, characterized in that the first receiving module is configured to: establish a connection channel with the access device based on the port information and the IP address of the access device; receive the access data packet over the connection channel;
the apparatus further comprises:
a second receiving module, configured to receive a response data packet sent by the target device; and a second sending module, configured to, if the destination address of the response data packet is a permission IP address, send the response data packet to the corresponding access device over the connection channel corresponding to the port information in the response data packet.
15. An access control apparatus, characterized in that it is applied to a target device, the apparatus comprising:
a third receiving module, configured to receive a target data packet sent by a relay device, the target data packet carrying an authorization attribute identifier indicating the authorization attribute of the target data packet, the target data packet being generated by the relay device based on an access data packet sent by an access device, and the source address of the access data packet being the IP address of the access device;
a processing module, configured to process the target data packet based on the authorization attribute identifier in the target data packet.
16. The apparatus according to claim 15, characterized in that the processing module is configured to:
if the authorization attribute identifier in the target data packet indicates access allowed, process the target data packet;
if the authorization attribute identifier in the target data packet indicates access forbidden, discard the target data packet.
17. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor it implements the access control method according to any one of claims 1 to 8.
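As an added illustration that is not part of the patent or any product of the applicant, the following Python model walks one request through the relay and target device of claims 3, 4, 6 and 8: the relay looks up the source network segment in a preset table, rewrites the source address to the matching permission IP address, and the target device processes or drops the packet from that address alone, with the reply routed back over the port-keyed connection channel. The permission IP addresses, the segment mapping, the target address and the packet layout are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed sample values (not from the patent): two "permission IP
# addresses" standing for the two authorization attributes of claim 3, and a
# preset network-segment -> permission-IP mapping as in claim 4.
ALLOW_IP = "10.0.0.1"   # authorization attribute "access allowed"
DENY_IP = "10.0.0.2"    # authorization attribute "access forbidden"
SEGMENT_TO_PERMISSION_IP = {
    ipaddress.ip_network("192.168.1.0/24"): ALLOW_IP,
    ipaddress.ip_network("192.168.2.0/24"): DENY_IP,
}
TARGET_IP = "10.1.1.1"  # constructed address of the target device


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


class RelayDevice:
    """Claims 2-6: mark the packet by rewriting its source address."""
    def __init__(self, segment_map):
        self.segment_map = segment_map
        self.channels = {}  # claim 6: access port -> access device IP

    def permission_ip_for(self, src):
        addr = ipaddress.ip_address(src)
        for segment, permission_ip in self.segment_map.items():
            if addr in segment:
                return permission_ip
        return DENY_IP  # assumption: an unmapped segment is forbidden

    def forward(self, pkt):
        # claim 3: the mark is the rewritten source; claim 6: keep the channel
        self.channels[pkt.sport] = pkt.src
        return replace(pkt, src=self.permission_ip_for(pkt.src))

    def handle_response(self, resp):
        # claim 6: a response addressed to a permission IP is returned over
        # the channel that matches its port information
        if resp.dst not in (ALLOW_IP, DENY_IP):
            return None
        access_ip = self.channels.get(resp.dport)
        return None if access_ip is None else replace(resp, dst=access_ip)


class TargetDevice:
    """Claims 7-8: process if the mark allows access, otherwise drop."""
    def __init__(self):
        self.processed = []

    def handle(self, pkt):
        if pkt.src != ALLOW_IP:
            return None  # mark is "forbidden" (or unknown): drop silently
        self.processed.append(pkt)
        return Packet(TARGET_IP, pkt.src, pkt.dport, pkt.sport, b"OK")


def run(access_src, sport=40000):
    # drive one request through relay and target; return the final reply
    relay, target = RelayDevice(SEGMENT_TO_PERMISSION_IP), TargetDevice()
    marked = relay.forward(Packet(access_src, TARGET_IP, sport, 80, b"GET /"))
    reply = target.handle(marked)
    return None if reply is None else relay.handle_response(reply)
```

Because the target decides from the rewritten source address alone, the policy in this scheme lives entirely in the relay's segment table, so that table and the relay itself are what a defender has to protect and audit.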
CN201811354619.7A 2018-11-14 2018-11-14 Access control method, device and system and computer readable storage medium Active CN109672665B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811354619.7A CN109672665B (en) 2018-11-14 2018-11-14 Access control method, device and system and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN109672665A true CN109672665A (en) 2019-04-23
CN109672665B CN109672665B (en) 2021-10-15

Family

ID=66142484

Country Status (1)

Country Link
CN (1) CN109672665B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060156018A1 (en) * 2004-12-30 2006-07-13 Craig Lauer Template access control lists
CN101877704A (en) * 2010-06-02 2010-11-03 中兴通讯股份有限公司 Network access control method and service gateway
CN107517150A (en) * 2016-06-17 2017-12-26 深圳市信锐网科技术有限公司 Intranet resource access method and device based on VPN VPN
CN108616490A (en) * 2016-12-13 2018-10-02 腾讯科技(深圳)有限公司 A kind of method for network access control, apparatus and system
CN108632287A (en) * 2018-05-14 2018-10-09 四川斐讯信息技术有限公司 A kind of control method and system of softward interview permission
CN108809964A (en) * 2018-05-25 2018-11-13 浙江齐治科技股份有限公司 A kind of resource access control method and device

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111930709A (en) * 2020-07-20 2020-11-13 北京云途腾科技有限责任公司 Data storage method and device, electronic equipment and computer readable medium
CN111930709B (en) * 2020-07-20 2024-04-12 北京百度云途腾科技有限责任公司 Data storage method, apparatus, electronic device, and computer readable medium

Also Published As

Publication number Publication date
CN109672665B (en) 2021-10-15

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant