CN111355746B - Communication method, device, equipment and storage medium - Google Patents

Info

Publication number: CN111355746B
Application number: CN202010180352.5A
Authority: CN (China)
Prior art keywords: access, port, address, restricted, communication
Legal status: Active (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Other versions: CN111355746A
Inventors: 龚炜林, 陈剑华
Current assignee: Sangfor Technologies Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Sangfor Technologies Co Ltd
Events: application filed by Sangfor Technologies Co Ltd (priority to CN202010180352.5A); publication of CN111355746A; application granted; publication of CN111355746B; legal status active

Classifications

    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL (H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/02 Separating internal from external traffic, e.g. firewalls > H04L 63/0227 Filtering policies)
    • H04L 63/101 Access control lists [ACL] (H04L 63/00 Network security > H04L 63/10 Controlling access to devices or network resources)
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network (H04L 67/00 Network arrangements or protocols for supporting network services or applications > H04L 67/01 Protocols)
    • H04L 67/146 Markers for unambiguous identification of a particular session, e.g. session cookie or URL-encoding (H04L 67/00 Network arrangements or protocols for supporting network services or applications > H04L 67/14 Session management)

Landscapes

  • Engineering & Computer Science
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Computer Hardware Design
  • Computer Security & Cryptography
  • Computing Systems
  • General Engineering & Computer Science
  • Data Exchanges In Wide-Area Networks

Abstract

The embodiment of the application provides a communication method, a communication device, communication equipment and a storage medium, wherein the method comprises the following steps: a server receives a communication request, wherein the communication request comprises a first port identifier and a protocol address; if the access-restricted port corresponding to the first port identifier can be matched in a preset access-restricted port set, acquiring an access address set corresponding to the access-restricted port set; wherein each access address in the set of access addresses corresponds to at least one restricted access port in the set of restricted access ports; when the access address corresponding to the protocol address can be matched in the access address set, determining the matched access address as a target address; and accessing the limited access port corresponding to the target address to complete the response to the communication request.

Description

Communication method, device, equipment and storage medium
Technical Field
The embodiments of the present application relate to the field of communication and in particular, without limitation, to a communication method, a communication device, communication equipment and a storage medium.
Background
In open-source cluster management frameworks, a common communication method is the traditional iptables + ipset mechanism, which opens access only to specified ports and Internet Protocol (IP) addresses. However, as the number of IP addresses and ports grows, the iptables + ipset rules become complicated and the Central Processing Unit (CPU) usage during operation is high, which impairs the convenience of communication and degrades the user experience.
Disclosure of Invention
In view of this, embodiments of the present application provide a communication method, apparatus, device and storage medium.
The technical scheme of the embodiment of the application is realized as follows:
in a first aspect, an embodiment of the present application provides a communication method, including:
a server receives a communication request, wherein the communication request comprises a first port identifier and a protocol address;
if the access restricted port corresponding to the first port identifier can be matched in a preset access restricted port set, acquiring an access address set corresponding to the access restricted port set; wherein each access address in the set of access addresses corresponds to at least one restricted access port in the set of restricted access ports;
if the access address corresponding to the protocol address can be matched in the access address set, determining the matched access address as a target address;
accessing the restricted access port corresponding to the target address to complete the response to the communication request.
In a second aspect, an embodiment of the present application provides a communication apparatus, including:
a receiving module, configured to receive a communication request, where the communication request includes a first port identifier and a protocol address;
an obtaining module, configured to obtain, if a restricted access port corresponding to the first port identifier can be matched in a preset restricted access port set, an access address set corresponding to the restricted access port set; wherein each access address in the access address set corresponds to at least one restricted access port in the restricted access port set;
a determining module, configured to determine, if an access address corresponding to the protocol address can be matched in the access address set, the matched access address as a target address;
and a first communication module, configured to access the restricted access port corresponding to the target address so as to complete the response to the communication request.
In a third aspect, an embodiment of the present application provides a communication device, including:
a memory for storing executable instructions; and a processor for implementing the above method when executing the executable instructions stored in the memory.
In a fourth aspect, embodiments of the present application provide a storage medium storing executable instructions for causing a processor to implement the above method when executed.
According to the communication method, device, equipment and storage medium provided by the embodiments of the present application, a server receives a communication request that includes a first port identifier and a protocol address. If a restricted access port corresponding to the first port identifier can be matched in a preset restricted access port set, the access address set corresponding to that port set is obtained; and if an access address corresponding to the protocol address can be matched in the access address set, the matched access address is determined as the target address, so that the restricted access port corresponding to the target address can be accessed and the communication process completed.
Drawings
In the drawings, which are not necessarily drawn to scale, like reference numerals may describe similar components in different views. Like reference numerals having different letter suffixes may represent different examples of similar components. The drawings illustrate generally, by way of example, but not by way of limitation, various embodiments discussed herein.
Fig. 1 is a schematic flowchart of an alternative implementation of a communication method according to an embodiment of the present application;
fig. 2 is a schematic flowchart of an alternative implementation of the communication method according to the embodiment of the present application;
fig. 3A is a schematic flowchart of an alternative implementation of the communication method according to the embodiment of the present application;
fig. 3B is a schematic diagram of an optional application scenario of the communication method according to the embodiment of the present application;
fig. 4 is a schematic flowchart of an alternative implementation of the communication method according to the embodiment of the present application;
fig. 5 is a schematic flowchart of an alternative implementation of the communication method according to the embodiment of the present application;
fig. 6 is a schematic diagram of an alternative structure of a communication device according to an embodiment of the present disclosure;
fig. 7 is a schematic diagram of an alternative component structure of a communication device according to an embodiment of the present application.
Detailed Description
In order to make the objectives, technical solutions and advantages of the present application clearer, the present application will be described in further detail with reference to the attached drawings, the described embodiments should not be considered as limiting the present application, and all other embodiments obtained by a person of ordinary skill in the art without creative efforts shall fall within the protection scope of the present application.
In the following description, reference is made to "some embodiments" which describe a subset of all possible embodiments, but it is understood that "some embodiments" may be the same subset or different subsets of all possible embodiments, and may be combined with each other without conflict. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which the embodiments of the present application belong. The terminology used in the embodiments of the present application is for the purpose of describing the embodiments of the present application only and is not intended to be limiting of the present application.
Before the embodiments of the present application are described in further detail, the terms and expressions used in them are explained below; these explanations apply throughout.
1. Access Control List (ACL): an ACL is a set of user-configured rules by which a device classifies packets, so that different packets can be handled differently. The ACL component also manages all rules configured by the user and provides the algorithm for matching packets against those rules.
2. ipset: ipset is a framework inside the Linux kernel that is managed through the ipset utility. Depending on the set type, an ipset stores IP addresses, networks, Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port numbers, Media Access Control (MAC) addresses, interface names, or combinations of these, in a structure that makes matching an entry against the set very fast.
3. ZooKeeper (abbreviated ZK): ZK is a centralized service for maintaining configuration information, naming, providing distributed synchronization, and providing group services. All of these kinds of services are used in some form by distributed applications.
4. Distributed Denial of Service (DDoS) attack: a distributed denial-of-service attack uses many computers to attack a target at the same time, so that the target can no longer operate normally. Such attacks have occurred many times and have taken many large websites offline, affecting normal use by users and causing large economic losses.
The communication method in the related art has the following problems:
1. There is no built-in mechanism for securing distributed communication, so users have to write their own code to provide it. Moreover, traditional network isolation methods are complex, hard for customers to adopt, and costly; for example, an isolated group communication network traditionally relies on a virtual network, a Virtual Local Area Network (VLAN), an independently communicating portal, and so on.
2. With traditional iptables chained rules, an ACL rule is added between hosts, but the ACL rules become complicated as the number of IP addresses and ports grows, and the quality of communication suffers.
In addition, the communication mechanism of this application also addresses the following problems: Secure Sockets Layer (SSL) encryption of traditional TCP/UDP communication data has security weaknesses and can guarantee data security only to a certain extent, and a distributed open-source component cluster is prone to brute-force attacks on open ports, unauthorized access, remote code execution and DDoS attacks.
Based on at least one of the above problems in the related art, the embodiments of the present application provide a communication method that not only complements the security defences of conventional open-source frameworks (for example, against DDoS attacks) but also addresses the lack of a mechanism for distributed communication security. It makes communication lighter and faster, and on that basis simplifies the ACL rules used for communication and improves ACL performance.
Example one
The embodiments of the present application provide a communication method, where functions implemented by the communication method of the present embodiment may be implemented by a processor in a communication device calling a program code, and certainly, the program code may be stored in a computer-readable storage medium, and thus, the communication device at least includes the processor and the computer-readable storage medium.
Fig. 1 is a schematic flowchart of an alternative implementation of a communication method provided in an embodiment of the present application, and as shown in fig. 1, the method includes the following steps:
step S101, a server receives a communication request, wherein the communication request comprises a first port identification and a protocol address.
In some embodiments, the server receives a request from a user or from another server; the communication request includes a first port identifier and a protocol address, which are, respectively, the port and the protocol address of the server at the other end of the request.
Here, the first port identifier may be any value from 1 to 65535; the protocol address is at least an Internet Protocol version 4 (IPv4) address or an Internet Protocol version 6 (IPv6) address.
For example, when server 1 receives request 3 from a user to establish communication with server 2, request 3 carries the first port identifier n and the IPv4 address (192.168.0.1) or IPv6 address (fe80::fcfc:feff:fe45:9109) of server 2.
Step S102, if the access-restricted port corresponding to the first port identifier can be matched in a preset access-restricted port set, obtaining an access address set corresponding to the access-restricted port set; wherein each access address in the set of access addresses corresponds to at least one restricted access port in the set of restricted access ports.
In some embodiments, the preset restricted access port set holds all ports whose access is restricted, i.e. the restricted access ports. These are defined in contrast to open ports: unlike an open port, a restricted access port is not reachable by arbitrary servers. The access address set stores all access addresses allowed to reach the restricted access ports, and each access address in the set can reach one or more (in the simplest case, all) of the restricted access ports in the restricted access port set.
For example, the preset restricted access port set A includes port A1, port A2, …, port An, and the access address set B includes IP1, IP2, …, IPn; then any one or more of port A1 through port An may be accessed by IP1 through IPn, where n may be any positive integer.
When a restricted access port corresponding to the first port identifier can be matched in a preset restricted access port set, acquiring an access address set corresponding to the restricted access port set so as to perform the next communication process; and when the access-restricted port corresponding to the first port identifier cannot be matched in a preset access-restricted port set, the communication process cannot be established.
For example, if no restricted access port corresponding to the first port identifier can be matched in set A, the access address set B corresponding to the restricted access port set cannot be obtained, and server 1 cannot establish a communication connection with server 2. When the restricted access port An corresponding to the first port identifier can be matched in set A, the access address set B corresponding to the restricted access port set A is obtained.
Step S103, if the access address corresponding to the protocol address can be matched in the access address set, determining the matched access address as a target address.
In some embodiments, when the access address corresponding to the protocol address cannot be matched in the access address set, it indicates that the protocol address cannot access the restricted access port, and the communication request cannot be established.
For example, when no access address corresponding to 192.168.0.1 or fe80::fcfc:feff:fe45:9109 in the request can be found in the access address set B, the protocol address 192.168.0.1 or fe80::fcfc:feff:fe45:9109 in the request cannot access port An corresponding to the port identifier (n may be any positive integer), and server 1 and server 2 cannot establish a communication connection. When an access address IPn corresponding to 192.168.0.1 or fe80::fcfc:feff:fe45:9109 in the request can be found in the access address set B, IPn is determined as the target address.
Step S104, accessing the restricted access port corresponding to the target address to complete the response to the communication request.
In some embodiments, after the target address and port are determined, the communication process is completed by accessing the restricted access port corresponding to the target address.
For example, the restricted access port An corresponding to the determined target address IPn is accessed to complete the communication between server 1 and server 2.
According to the communication method provided by this embodiment, a server receives a communication request that includes a first port identifier and a protocol address. When a restricted access port corresponding to the first port identifier can be matched in a preset restricted access port set, the access address set corresponding to that port set is obtained; when an access address corresponding to the protocol address can be matched in the access address set, the matched access address is determined as the target address, so that the restricted access port corresponding to the target address can be accessed and the communication process completed.
Example two
The embodiments of the present application provide a communication method, where functions implemented by the communication method of the present embodiment may be implemented by a processor in a communication device calling a program code, and certainly, the program code may be stored in a computer-readable storage medium, and thus, the communication device at least includes the processor and the computer-readable storage medium.
Fig. 2 is a schematic flowchart of an alternative implementation of the communication method according to the embodiment of the present application, and as shown in fig. 2, the method includes the following steps:
step S201, the server receives a communication request, where the communication request includes a first port identifier and a protocol address.
Step S201 is implemented in the same way and serves the same function as step S101 in the embodiment above.
Step S202, a preset configuration file is obtained, wherein the configuration file comprises at least one second port identifier.
In some embodiments, the preset configuration file is a user-defined configuration file, and the configuration file includes a port identifier for restricting access.
Step S203, determining the restricted access port set according to the at least one second port identifier.
In some embodiments, the restricted access port set is formed by the restricted access ports corresponding to the second port identifiers in the configuration file.
For example, the preset configuration file C includes the second port identifiers C1, C2, …, Cn; the ports A1, A2, …, An corresponding to the port identifiers C1, C2, …, Cn are stored to form the restricted access port set A.
Step S204, obtaining the access addresses allowed to access each restricted access port to generate the access address set.
In some embodiments, for each restricted access port corresponding to a restricted port identifier in the configuration file, the access addresses allowed to access that port are obtained, and these access addresses constitute the access address set.
For example, the addresses IP1, IP2, …, IPn allowed to access the restricted access ports A1, A2, …, An are obtained and stored, giving the access address set B.
Step S205, determining whether there is a restricted access port corresponding to the first port identifier in the preset restricted access port set.
For example, it is determined whether the port corresponding to the port identifier n of server 2 carried in request 3 exists in the preset restricted access port set A.
When the judgment result of step S205 is yes, step S206 is executed, and when the judgment result is no, step S207 is executed.
Step S206, if the access-restricted port corresponding to the first port identifier can be matched in a preset access-restricted port set, obtaining an access address set corresponding to the access-restricted port set; wherein each access address in the set of access addresses corresponds to at least one restricted access port in the set of restricted access ports.
Step S206 is implemented in the same way and serves the same function as step S102 in the embodiment above.
Step S207, if no restricted access port corresponding to the first port identifier can be matched in the preset restricted access port set, the restricted-access verification does not apply and the process ends.
For example, when no port matching the port identifier n of server 2 can be found in the preset restricted access port set A, the port corresponding to port identifier n of server 2 is not a restricted access port, and therefore it does not go through the communication verification process.
Step S208, judging whether an access address corresponding to the protocol address exists in the access address set.
For example, it is determined whether an access address corresponding to the protocol address 192.168.0.1 or fe80::fcfc:feff:fe45:9109 in request 3 exists in the access address set B.
When the judgment result of step S208 is yes, step S209 is executed, and when the judgment result is no, step S210 is executed.
Step S209, if the access address corresponding to the protocol address can be matched in the access address set, determining the matched access address as the target address.
Step S209 is implemented in the same way and serves the same function as step S103 in the embodiment above.
Step S210, if no access address corresponding to the protocol address can be matched in the access address set, communication cannot be established, and the process ends.
In some embodiments, when the protocol address 192.168.0.1 or fe80::fcfc:feff:fe45:9109 of server 2 cannot be found in the access address set B, that protocol address of server 2 is not one of the addresses allowed to access the restricted port, and server 2 cannot establish communication with server 1.
Step S211, accessing the restricted access port corresponding to the target address to complete the response to the communication request.
Step S211 is implemented in the same way and serves the same function as step S104 in the embodiment above.
According to the communication method provided by this embodiment, a restricted access port set and an access address set are established. The server receives a communication request that includes a first port identifier and a protocol address; when a restricted access port corresponding to the first port identifier can be matched in the preset restricted access port set, and an access address corresponding to the protocol address can be matched in the access address set, communication proceeds according to the matched restricted access port and access address. This communication method based on a restricted access port set and an access address set greatly improves the convenience of communication and the user experience.
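The matching procedure of steps S101 to S104 and the set construction of steps S202 to S204, worked as an added Python example; this is not code from the patent or from Sangfor. The configuration file format, the CIDR notation for access addresses, and the names `load_config` and `decide` are assumptions. The access addresses are kept per restricted port, which satisfies the "each address corresponds to at least one port" relation above (one address set shared by every port is the special case in which every port lists the same addresses). Step S207 is read as "the port is not restricted, so it is open", as the sentence following it and the white-list definition in Example three describe. The sample configuration is constructed and reuses the addresses from the examples above.

```python
"""Port/address access check in the style of steps S101-S104 and S202-S211.
Added example, not code from the patent or from Sangfor; the config format,
CIDR notation and function names are assumptions."""
import ipaddress
from typing import Dict, Set, Tuple, Union

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed configuration file (hypothetical format): one line per restricted
# port, followed by the addresses or prefixes allowed to reach that port.
CONFIG = """
# restricted_port allowed_address[,allowed_address...]
2181 192.168.0.0/24,fe80::fcfc:feff:fe45:9109
2888 192.168.0.1,192.168.0.2
3888 192.168.0.1,192.168.0.2
"""


def load_config(text: str) -> Tuple[Set[int], Dict[int, Set[IPNet]]]:
    """Steps S202-S204: build the restricted access port set and the access
    address set (kept per port, so every address maps to at least one port)."""
    restricted: Set[int] = set()
    allowed: Dict[int, Set[IPNet]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        port_str, addrs = line.split(None, 1)
        port = int(port_str)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        restricted.add(port)
        nets = allowed.setdefault(port, set())
        for a in addrs.split(","):
            # strict=False lets a bare host such as 192.168.0.1 parse as a /32
            nets.add(ipaddress.ip_network(a.strip(), strict=False))
    return restricted, allowed


def decide(port: int, addr: str, restricted: Set[int],
           allowed: Dict[int, Set[IPNet]]) -> Tuple[str, str]:
    """Steps S205-S211 for one request (first port identifier, protocol address).
    Returns (verdict, target): 'open' when the port is not restricted (S207),
    'allow' with the matched access address as target (S209/S211), or
    'deny' (S210)."""
    if port not in restricted:
        return "open", ""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "deny", ""            # an unparsable address never matches
    for net in allowed[port]:
        # IPv4 and IPv6 entries coexist in one set; only same-family matches count
        if ip.version == net.version and ip in net:
            return "allow", str(net)
    return "deny", ""


if __name__ == "__main__":
    r, a = load_config(CONFIG)
    for port, addr in [(2181, "192.168.0.1"),
                       (2181, "fe80::fcfc:feff:fe45:9109"),
                       (2888, "192.168.0.77"),
                       (8080, "10.0.0.5")]:
        print(port, addr, decide(port, addr, r, a))
```

Note that a port absent from the restricted set is treated as open, so a port dropped from the configuration by mistake silently becomes reachable from any address; a deployment that wants fail-closed behaviour should return `deny` for an unknown port instead and list open ports explicitly.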
Example three
The embodiments of the present application provide a communication method, where functions implemented by the communication method of the present embodiment may be implemented by a processor in a communication device calling a program code, and certainly, the program code may be stored in a computer-readable storage medium, and thus, the communication device at least includes the processor and the computer-readable storage medium.
Fig. 3A is a schematic flowchart of an alternative implementation of the communication method according to the embodiment of the present application, and as shown in fig. 3A, the method includes the following steps:
step S301, the server receives a communication request, wherein the communication request comprises a first port identifier and a protocol address.
Step S301 is implemented in the same way and serves the same function as step S101 in the embodiment above.
Step S302, judging whether the server is a server in the distributed cluster system.
In some embodiments, the server may be a server in a distributed cluster system, or may be a server in a stand-alone system, that is, the communication may be applicable to both a stand-alone system and a distributed cluster system. Here, the stand-alone system refers to a system having only one server.
When the determination result of step S302 is no, step S303 is executed, and when the determination result of step S302 is yes, step S304 is executed.
Step S303, if the server is the server of the stand-alone system, the protocol address of the stand-alone system is obtained.
In some embodiments, a protocol address of the server is obtained, and the protocol address is used to implement communication connection with other servers.
In this embodiment of the application, when it is determined that the server is a server of a stand-alone system, step S306 is executed.
Step S304, if the server is a server in the distributed cluster system, acquiring a protocol address of the server and a virtual address of the distributed cluster system.
In some embodiments, when the server is a server in a distributed cluster system, a protocol address of the server and a virtual address of the distributed cluster system are obtained. Here, the virtual address of the distributed cluster system means that all servers in the distributed cluster system share one protocol address, and communication can be performed through the one protocol address.
Step S305, using the protocol address of the server to communicate with the other servers in the distributed cluster system.
In some embodiments, when the server is a server in a distributed cluster system, the protocol address of the server is used to implement communication between servers within the cluster.
Step S306, establishing a communication rule between a restricted access port set and an access address set so that each access address in the access address set can access at least one restricted access port in the restricted access port set.
In some embodiments, the communication rule refers to that each access address in the set of access addresses is capable of accessing at least one restricted access port in the set of restricted access ports.
For example, the preset restricted access port set A includes port A1, port A2, …, port An, and the access address set B includes IP1, IP2, …, IPn; that IPn in the access address set can access any one of port A1 through port An is the communication rule described above.
Step S307, if the restricted access port corresponding to the first port identifier can be matched in a preset restricted access port set, matching an access address corresponding to the protocol address in the access address set based on the communication rule.
Step S308, if the access address corresponding to the protocol address can be matched in the access address set, determining the matched access address as a target address.
Steps S307 and S308 are implemented in the same way and serve the same functions as steps S102 and S103 described above.
Step S309, responding to the communication request using the virtual address (in a distributed cluster system) or the protocol address (in a stand-alone system), and accessing the restricted access port corresponding to the target address to complete the response to the communication request.
In some embodiments, when the server is a server in a distributed cluster system, the communication request is answered using the virtual address of the server cluster system; that is, the restricted access port corresponding to the target address is accessed using the virtual address of the cluster, so as to complete the response to the communication request.
For example, when the server 1 is one server in the distributed cluster system, the virtual IPn of the cluster system is obtained, and the virtual IPn of the cluster system is used to respond to the communication request with the server 2, so as to establish the communication connection between the server 1 and the server 2.
In some embodiments, when there is a restricted access port that the server and any one of the other servers cannot access on each other, that restricted access port is subjected to a downgrading process so that it becomes a white-list port.
Here, downgrading means deleting from the restricted access port set the restricted access port that cannot be accessed mutually, so that it becomes an open port, that is, a white-list port; any server can then access it, and communication between the server and the other servers is achieved through the white-list port.
In some embodiments, once the server and the other server can both access the downgraded port, the server may take part in an election to form a cluster with the other server. After the cluster is formed, the downgraded port must be added to the restricted access port set again for the security of the communication port; at this time the server and the other server already form a cluster, and internal communication between them remains possible because each is in the other's access address set.
For example, when the server 1 cannot access the restricted port 60 of the server 2, the restricted port 60 is deleted from the restricted access port set of the server 2, so that port 60 becomes a white-list port that both the server 1 and the server 2 can access, and the server 1 and the server 2 can then form a cluster. After the server 1 and the server 2 form a cluster, each can access the restricted access ports of the other, and communication can be realized. For communication security, port 60 must then be added to the restricted access port set of the server 2 again, after which the server 1 can still access the restricted port 60 of the server 2.
Fig. 3B is a schematic view of an optional application scenario of the communication method according to the embodiment of the present application. As shown in Fig. 3B, the communication system 30 at least includes a server 100, a server 300 and a server cluster 400. When the communication system is a stand-alone system, the two ends of the communication are the server 100 and the server 300, which establish a connection through the network 200 based on the communication rule and exchange information. When the communication system is a distributed cluster system, the two ends of the communication are the server 300 and the server cluster 400. As can be seen from Fig. 3B, the server cluster 400 is composed of a plurality of servers 400-1, 400-2, …, 400-n, which can access one another internally; communication with an external server is carried out through the virtual address, for example the server cluster 400 and the server 300 establish a connection through the network 200 based on the communication rule, so that a communication connection between each server in the cluster and the server 300 is realized.
According to the communication method provided by the embodiment of the present application, a communication rule is established between the restricted access port set and the access address set so that each access address in the access address set can access at least one restricted access port in the restricted access port set. On receiving a communication request carrying a first port identifier and a protocol address, the corresponding port and the target address are looked up in the restricted access port set and the access address set, so that a communication connection is realized between a stand-alone system and a server, or between a cluster and a server.
Example four
The embodiments of the present application provide a communication method, where functions implemented by the communication method of the present embodiment may be implemented by a processor in a communication device calling a program code, and certainly, the program code may be stored in a computer-readable storage medium, and thus, the communication device at least includes the processor and the computer-readable storage medium.
Fig. 4 is a schematic flowchart of an alternative implementation of the communication method according to the embodiment of the present application, and as shown in fig. 4, the method includes the following steps:
Step S401, the server receives a communication request, where the communication request includes a first port identifier and a protocol address.
The implementation of step S401 is the same, in process and function, as that of step S101 in the above embodiment.
Step S402, a file to be configured is obtained, wherein the file to be configured comprises an identifier of at least one port to be configured.
In some embodiments, the file to be configured is a user-defined configuration file. For example, if a user writes port 80 into the file to be configured, port 80 is to become a restricted access port that can only be accessed from the protocol addresses listed in the file. The file to be configured at least includes the identifier of a port to be configured, for example port 80.
Step S403, finding a restricted access port corresponding to the identifier of each port to be configured in the restricted access port set.
In some embodiments, it is searched whether a port corresponding to the identifier of the port to be configured exists in the restricted access port set, for example, whether a port number corresponding to the port 80 is included in the restricted access port set.
Step S404, judging whether a restricted access port corresponding to the identifier of each port to be configured exists in the restricted access port set.
When the determination result of step S404 is yes, step S405 is executed, and when the determination result is no, step S406 is executed.
Step S405, if a port corresponding to any one of the identifiers of the ports to be configured can be found in the restricted access port set, deleting that port to be configured from the file to be configured.
In some embodiments, assume that the restricted access port set includes the three port numbers 80, 459 and 4230 and the user-defined configuration file includes the port identifier 80; since the restricted access port set already contains port 80, the port corresponding to the port identifier 80 does not need to be added to the restricted access port set again.
Step S406, if the access restricted port corresponding to the identifier of any port to be configured cannot be found, determining the corresponding port to be configured as the target port to be configured.
In some embodiments, when a port corresponding to any one of the port identifiers to be configured cannot be found in the restricted access port set, the corresponding port to be configured is determined as a target port.
For example, assuming that the restricted access port set includes three port identifiers of 80, 459, and 4230, and the user-defined configuration file includes at least the port identifier 50, the port corresponding to the port identifier 50 is determined as the target port.
Step S407, taking the target port to be configured as the restricted access port, and storing the port in the restricted access port set to update the restricted access port set.
In some embodiments, the target port to be configured is added to the restricted access port set, so that the port corresponding to the port identifier to be configured exists in the restricted access port set, so as to implement the update of the restricted access port set.
Step S408, at least one address to be configured allowing to access the target port to be configured is obtained.
In some embodiments, when the target port to be configured is added to the restricted access port set, all protocol addresses allowed to access that target port are obtained and form the addresses to be configured.
For example, after port 80 is added to the restricted access port set, the protocol addresses of all servers allowed to access port 80, such as IP1, IP2, …, IPn, are obtained, and IP1, IP2, …, IPn constitute the addresses to be configured.
Step S409, judging whether an access address corresponding to the address to be configured exists in the access address set.
When the determination result of step S409 is yes, step S410 is executed, and when the determination result is no, step S411 is executed.
Step S410, if the access address corresponding to the address to be configured can be found in the access address set, not adding the address to be configured to the access address set.
In some embodiments, when the access address set is rebuilt, for example after a restart or a reset, the addresses to be configured are written again from the file to be configured, so the file remains the authoritative source of the access address set.
Step S411, if the access address corresponding to any address to be configured cannot be found, the corresponding address to be configured is taken as the access address and stored in the access address set, so as to update the access address set.
In some embodiments, when an access address corresponding to the address to be configured cannot be found in the access address set, the address to be configured is added to the access address set to update the access address set, that is, update of the communication rule of the file to be configured is completed.
For example, the protocol addresses of all servers that are allowed to access the port 80, such as IP1, IP2 … … IPn, etc., are stored in the access address set, so that the update of the communication rule of the port 80 to be configured is realized.
Step S412, if the access restricted port corresponding to the first port identifier can be matched in a preset access restricted port set, acquiring an access address set corresponding to the access restricted port set; wherein each access address in the set of access addresses corresponds to at least one restricted access port in the set of restricted access ports.
Step S413, if the access address corresponding to the protocol address can be matched in the access address set, determining the matched access address as the target address.
And step S414, accessing the limited access port corresponding to the target address to complete the response to the communication request.
The implementation of steps S412 to S414 is the same, in process and function, as that of steps S205 to S211 in the above embodiment.
According to the communication method provided by the embodiment of the present application, when the identifier of a port to be configured is not in the preset restricted access port set, the corresponding port is added to the preset restricted access port set, and when an address to be configured that may access that port is not in the access address set, the address is added to the access address set. The communication rules are thereby updated incrementally, only the missing entries being added, which keeps the communication process simple and flexible and improves the user's experience.
EXAMPLE five
The embodiments of the present application provide a communication method, where functions implemented by the communication method of the present embodiment may be implemented by a processor in a communication device calling a program code, and certainly, the program code may be stored in a computer-readable storage medium, and thus, the communication device at least includes the processor and the computer-readable storage medium.
Fig. 5 is a schematic flowchart of an alternative implementation of the communication method according to the embodiment of the present application, and as shown in fig. 5, the method includes the following steps:
Step S501, generating the ipset rules.
In the embodiment of the present application, the ipset rules are the communication rules between the ports in the ipset port set and the IP addresses in the ipset address sets. Here, step S501 includes step S5011 and step S5012.
Step S5011, generating a port set (dmoc_cluster_port), an IPv4 set (dmoc_cluster_ip) and an IPv6 set (dmoc_cluster_ip_v6). The three ipset sets store, respectively, the restricted access ports, the IPv4 addresses allowed to access the restricted ports and the IPv6 addresses allowed to access the restricted ports. The commands that create the three sets are as follows:
ipset create dmoc_cluster_port bitmap:port range 1-65535
ipset create dmoc_cluster_ip hash:ip
ipset create dmoc_cluster_ip_v6 hash:ip family inet6
Step S5012, generating the iptables rules.
When the destination port of TCP or UDP traffic is in the port set dmoc_cluster_port and the source address is not in the IPv4 set dmoc_cluster_ip (for IPv6 traffic, not in the IPv6 set dmoc_cluster_ip_v6), establishment of a communication connection from that source address to that destination port is refused. One rule is needed per protocol and address family, four in total; written out as complete commands (the INPUT chain is assumed here, since the original gives only the match and target options), they are:
iptables -A INPUT -p tcp -m set --match-set dmoc_cluster_port dst -m set ! --match-set dmoc_cluster_ip src -j REJECT --reject-with icmp-host-unreachable
iptables -A INPUT -p udp -m set --match-set dmoc_cluster_port dst -m set ! --match-set dmoc_cluster_ip src -j REJECT --reject-with icmp-host-unreachable
ip6tables -A INPUT -p tcp -m set --match-set dmoc_cluster_port dst -m set ! --match-set dmoc_cluster_ip_v6 src -j REJECT --reject-with icmp6-no-route
ip6tables -A INPUT -p udp -m set --match-set dmoc_cluster_port dst -m set ! --match-set dmoc_cluster_ip_v6 src -j REJECT --reject-with icmp6-no-route
The three sets must exist before these rules are loaded, and the rules must sit before any general ACCEPT rule in the chain; if they are appended with -A to a chain that already accepts the traffic, the REJECT is never reached.
and step S502, acquiring a configuration file.
A configuration file customized by the user is read to obtain the list of restricted port numbers and the port white list, and at the same time the IPs allowed to access the restricted ports and the IP white list. The port white list contains ports that are open to the outside; the IP white list is a list of IPs that can access all restricted ports. For example, if the restricted ports are 80, 443 and 3389, then after IPn is added to the IP white list, IPn can access the three restricted ports 80, 443 and 3389.
Step S503, judging whether the communication system is a cluster system.
In the embodiment of the present application, a cluster system is a distributed system consisting of more than one server. Whether the server belongs to a cluster system is judged by checking whether the system has generated a cluster marker file; when the system consists of a plurality of servers, the marker file is present.
Step S504 is executed when the determination result in step S503 is yes, and step S505 is executed when the determination result in step S503 is no.
Step S504, acquiring the cluster member IPs and the cluster VIP from ZK.
When the system is a cluster, the cluster member IPs and the cluster VIP are obtained from ZK (ZooKeeper). The cluster member IP is the IP designated for cluster communication on each node; the cluster VIP is the virtual IP address of the cluster, which remains reachable as long as any node in the cluster is operating normally. The cluster member IPs must be able to reach one another and to access the ZK port so that the configuration content can be obtained, and the cluster VIP must be opened to allow Web and data access.
Step S505, acquiring all IP addresses of the local machine.
When the system is a stand-alone machine, the IPv4 and IPv6 addresses of all network interfaces of the machine are obtained, so that internal communication works normally and the local IPs are allowed to access the restricted ports.
Step S506, adding and deleting ACL rules.
The configuration content and the IPs acquired in steps S502, S504 and S505 are processed by the algorithm, and ACL rules are added and deleted so that the ports in the port set dmoc_cluster_port can only be accessed from the designated IPv4 set dmoc_cluster_ip and IPv6 set dmoc_cluster_ip_v6. The set operations for deleting and adding ACL rules are as follows:
deleting ports: ports_exist - (ports_expect - white_port_cfg), that is, every currently restricted port that is no longer expected, together with any port that the white list has opened (the white list takes precedence over the restricted list);
adding ports: (ports_expect - white_port_cfg) - ports_exist;
adding IPs: fetch_inet(ips_expect - ips_exist);
deleting IPs: fetch_inet(ips_exist - ips_expect);
where ports_exist is the set of existing port ACL rules, that is, the current content of the port set;
ports_expect is the set of expected port ACL rules, obtained from the file to be configured;
white_port_cfg is the set of white-list ports from the port white-list configuration file (these are ACL rules to be deleted, since a white-list port is open to all);
ips_expect is the set of expected IP ACL rules, ips_expect = zk_cfg_ip + white_cfg_ip, namely the IPs stored in the configuration file and in ZK, all IPs of the local machine, and the IP white-list configuration;
ips_exist is the set of existing IP ACL rules;
fetch_inet is the step that divides the IPs into IPv4 and IPv6 so that each address is written to the set of its own address family.
The algorithm in the embodiment of the present application may be a self-defined algorithm, referred to as the dmoc_acl algorithm for short, which is calculated with the intersection, union and difference of sets. The existing rules are compared with the configuration file to determine whether any existing ACL rule has changed; if so, only the changed rules are applied. For example, if the configuration file already had ports 80 and 443 and port 9001 is newly added, then after the comparison only port 9001 is added instead of adding 80, 443 and 9001 all over again. This makes the additions efficient, so the ACL rules based on the algorithm take effect faster, and it avoids removing and re-adding entries that cluster members are relying on.
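The calculation at step S506 and the configuration update of Example four (steps S402 to S411), worked through as an added example that is not part of the text of this application. The Python below reads a user-defined configuration file, builds the expected port and IP sets, and emits only the ipset add/del commands that differ from the live sets, splitting addresses by family as fetch_inet does. The INI layout of the configuration file, the function names and the sample addresses are assumptions made for illustration; the set names are those of step S5011.

```python
"""Added example: dmoc_acl-style reconciliation of the three ipset sets.

Not the patent's code. The INI layout, the function names and the sample
data are assumptions made for illustration.
"""
import configparser
import ipaddress

PORT_SET = "dmoc_cluster_port"   # bitmap:port, restricted access ports
IP4_SET = "dmoc_cluster_ip"      # hash:ip, IPv4 addresses allowed to reach them
IP6_SET = "dmoc_cluster_ip_v6"   # hash:ip family inet6, IPv6 counterpart

# Constructed sample of a user-defined configuration file (layout assumed).
SAMPLE_CFG = """\
[ports]
restricted = 80, 443, 3389, 9001
whitelist  = 3389
[addresses]
allow     = 10.0.0.2, fd00::2
whitelist = 10.0.0.1
"""


def _split(value):
    return [item.strip() for item in value.split(",") if item.strip()]


def load_config(text):
    """Return (ports_expect, white_port_cfg, allow_ips, ip_whitelist) from the config text."""
    cp = configparser.ConfigParser(delimiters=("=",))   # ':' appears inside IPv6 literals
    cp.read_string(text)
    ports_expect = {int(p) for p in _split(cp.get("ports", "restricted", fallback=""))}
    white_port_cfg = {int(p) for p in _split(cp.get("ports", "whitelist", fallback=""))}
    for port in ports_expect | white_port_cfg:
        if not 1 <= port <= 65535:               # matches bitmap:port range 1-65535
            raise ValueError(f"port out of range: {port}")
    allow_ips = set(_split(cp.get("addresses", "allow", fallback="")))
    ip_whitelist = set(_split(cp.get("addresses", "whitelist", fallback="")))
    return ports_expect, white_port_cfg, allow_ips, ip_whitelist


def fetch_inet(addrs):
    """Split address strings into (ipv4, ipv6) sets; a non-IP literal raises ValueError."""
    v4, v6 = set(), set()
    for text in addrs:
        ip = ipaddress.ip_address(text)
        (v4 if ip.version == 4 else v6).add(ip.compressed)
    return v4, v6


def expected_ips(zk_member_ips, cluster_vip, local_ips, allow_ips, ip_whitelist):
    """ips_expect = zk_cfg_ip + white_cfg_ip: members, VIP, local addresses, configured IPs."""
    return set(zk_member_ips) | {cluster_vip} | set(local_ips) | set(allow_ips) | set(ip_whitelist)


def plan(ports_expect, white_port_cfg, ports_exist, ips_expect, ips_exist):
    """Compute only the ipset changes needed to move the live sets to the expected state."""
    # A white-listed port is open to everyone, so it must never remain in the restricted
    # set even if the restricted list also names it (the white list takes precedence).
    target_ports = set(ports_expect) - set(white_port_cfg)
    del_ports = set(ports_exist) - target_ports
    add_ports = target_ports - set(ports_exist)
    add_v4, add_v6 = fetch_inet(set(ips_expect) - set(ips_exist))
    del_v4, del_v6 = fetch_inet(set(ips_exist) - set(ips_expect))

    # Order: grant addresses first, then restrict ports, then release ports, then
    # revoke addresses, so a legitimate member is never locked out mid-update.
    cmds = [f"ipset add {IP4_SET} {a}" for a in sorted(add_v4)]
    cmds += [f"ipset add {IP6_SET} {a}" for a in sorted(add_v6)]
    cmds += [f"ipset add {PORT_SET} {p}" for p in sorted(add_ports)]
    cmds += [f"ipset del {PORT_SET} {p}" for p in sorted(del_ports)]
    cmds += [f"ipset del {IP4_SET} {a}" for a in sorted(del_v4)]
    cmds += [f"ipset del {IP6_SET} {a}" for a in sorted(del_v6)]
    return cmds


if __name__ == "__main__":
    ports_expect, white_port_cfg, allow_ips, ip_whitelist = load_config(SAMPLE_CFG)
    ips_expect = expected_ips(["10.0.0.1", "10.0.0.3"], "10.0.0.100",
                              ["10.0.0.1", "fd00::1"], allow_ips, ip_whitelist)
    # Live state as read back from `ipset list`: 3389 was restricted before it was white-listed.
    for cmd in plan(ports_expect, white_port_cfg, {80, 443, 3389}, ips_expect, {"10.0.0.1"}):
        print(cmd)
```

The live sets (ports_exist, ips_exist) would in practice be parsed from `ipset list` output; here they are passed in directly so the reconciliation can be checked offline. Feeding the resulting commands to `ipset restore` or running them one by one is the only privileged step.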
And step S507, storing the IP acquired in step S504 and step S505 into a configuration file.
After the ACL rules are updated, the latest cluster member IPs and cluster VIP obtained from ZK, together with all IPs of the local machine, are written into the configuration file. The configuration file backs up the data obtained from ZK, so that ACL rule maintenance does not fail when communication with ZK is abnormal, which keeps the system and the ACL-based communication stable.
Step S508, performing degradation processing on the ACL to form a cluster.
When host A needs to form a cluster with host B, ZK requires that the hosts can reach each other's ZK port. The ACL therefore has to be degraded temporarily so that communication on the ZK port is possible, ZK can hold its election and form the cluster, and host B can access ZK to obtain data.
For example, host A restricts access to port 2181, so host B cannot access port 2181 of host A. When host A and host B need to form a cluster, port 2181 is temporarily placed on the port white list so that hosts A and B can both access port 2181 and form the cluster. Once host A and host B form a cluster they share configuration information and read the same configuration file.
Step S509, writing the IP of host B into ZK.
Writing the cluster communication IP of host B into ZK updates the security rules: the IP of host B becomes part of the allowed IP set, so after the ACL degradation is closed (port 2181 is deleted from the port white list and is restricted again) hosts A and B can still access port 2181 and read the same data. From a security perspective the degradation must be reverted once the cluster is formed, otherwise the port is left open to attack; the ACL rules are therefore updated and the procedure is executed again from step S502.
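The behaviour of the four rules at step S5012 and the downgrade window at steps S508 and S509 (the same flow as steps S306 to S309 above and the downgrade processing that follows them), modelled as an added example that is not part of the text of this application. The class and function names, the verdict strings and the sample addresses 10.0.0.1, 10.0.0.2 and 203.0.113.7 are assumptions made for illustration; port 2181 and the two reject types are those named in the description.

```python
"""Added example: a model of the four ipset/iptables rules (S5012) and the ACL
downgrade window used to bootstrap a cluster (S508/S509).

Not the patent's code. Class and function names, verdict strings and the
sample addresses are assumptions made for illustration.
"""
import ipaddress

ZK_PORT = 2181  # ZooKeeper client port named in the description


class ClusterAcl:
    """One host's view of dmoc_cluster_port / dmoc_cluster_ip / dmoc_cluster_ip_v6."""

    def __init__(self, restricted_ports, allowed_ips):
        self.restricted = set(restricted_ports)   # dmoc_cluster_port
        self.allowed_v4 = set()                   # dmoc_cluster_ip
        self.allowed_v6 = set()                   # dmoc_cluster_ip_v6
        self.downgraded = set()                   # ports temporarily moved to the white list
        for ip in allowed_ips:
            self.allow(ip)

    def allow(self, ip):
        addr = ipaddress.ip_address(ip)
        (self.allowed_v4 if addr.version == 4 else self.allowed_v6).add(addr)

    def decide(self, src_ip, dst_port):
        """Mirror the iptables rules: REJECT only when the port is restricted and the
        source is absent from the allow set of its own address family; all else passes."""
        if dst_port not in self.restricted:
            return "ACCEPT"
        addr = ipaddress.ip_address(src_ip)
        if addr.version == 4:
            return "ACCEPT" if addr in self.allowed_v4 else "REJECT icmp-host-unreachable"
        return "ACCEPT" if addr in self.allowed_v6 else "REJECT icmp6-no-route"

    def downgrade(self, port):
        """S508: move a restricted port to the white list so a joining host can reach it."""
        if port in self.restricted:
            self.restricted.discard(port)
            self.downgraded.add(port)

    def restore(self, port):
        """S509: end the downgrade; the port is restricted again now that members are allowed."""
        if port in self.downgraded:
            self.downgraded.discard(port)
            self.restricted.add(port)


def join_cluster(host_a, host_b_ip):
    """Host B joins host A. Returns host A's verdict for B's traffic to the ZK port at
    each stage, plus the verdict for an unrelated address after the window closes."""
    trace = [("before", host_a.decide(host_b_ip, ZK_PORT))]
    host_a.downgrade(ZK_PORT)        # S508: temporary white list so ZK can hold its election
    trace.append(("downgraded", host_a.decide(host_b_ip, ZK_PORT)))
    host_a.allow(host_b_ip)          # S509: B's cluster IP written to ZK enters the allow set
    host_a.restore(ZK_PORT)          # close the window; skipping this leaves 2181 open to all
    trace.append(("restored", host_a.decide(host_b_ip, ZK_PORT)))
    trace.append(("stranger", host_a.decide("203.0.113.7", ZK_PORT)))
    return trace


if __name__ == "__main__":
    acl = ClusterAcl({80, 443, ZK_PORT}, ["10.0.0.1"])   # host A at 10.0.0.1, not yet clustered
    for stage, verdict in join_cluster(acl, "10.0.0.2"):
        print(f"{stage:>10}: {verdict}")
```

The trace makes the point of step S509 visible: after restore() the joining member still reaches port 2181 because its address is now in the allow set, while an address outside the set is rejected again. If restore() is omitted, the "stranger" verdict stays ACCEPT, which is exactly the exposure the description warns about.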
The scheme of the embodiment of the present application complements conventional SSL encryption of TCP/UDP communication data with an isolated cluster communication network, so that data security is ensured, DDoS attacks are resisted and mutual interference is avoided, adding a further layer of protection; it applies to most open-source distributed cluster frameworks and forms a communication security mechanism for distributed environments.
The scheme of the embodiment of the present application can also address the problem that a port number exposed on the public network is easily brute-forced. For example, if the port were a door with a 4-digit code, a thief could open it by trying at most 10 × 10 × 10 × 10, that is, 10,000 combinations. The ACL rule acts like a gatekeeper who turns away anyone who is not a resident before the code is even tried, so the thief cannot brute-force it.
The scheme of the embodiment of the present application can also address DDoS attacks. For example, if a port number were a door and tens of thousands of people knocked on it every day, one could do nothing but keep answering it; the ACL rule is like a list of residents, and security lets in only those on the list.
The method based on the distributed complementary communication mechanism in the embodiment of the present application also suits various open-source cluster management frameworks. In the embodiment of the present application, the ACL rule design supports IPv6, and the first layer of defence is realized with 4 iptables rules. In addition, the embodiment of the present application also protects the ACL rule design with separate management of ports and IPs, and its calculation algorithm.
EXAMPLE six
The embodiment provides a communication device, which comprises modules and sub-modules, and can be realized by a processor in the communication device; of course, it may also be implemented by logic circuitry; in implementation, the processor may be a Central Processing Unit (CPU), a Microprocessor (MPU), a Digital Signal Processor (DSP), a Field Programmable Gate Array (FPGA), or the like.
Fig. 6 is a schematic diagram of an alternative structure of a communication device according to an embodiment of the present application, and as shown in fig. 6, the communication device 60 includes:
a receiving module 61, configured to receive a communication request, where the communication request includes a first port identifier and a protocol address;
an obtaining module 62, configured to obtain an access address set corresponding to a restricted access port set when a restricted access port corresponding to the first port identifier can be matched in a preset restricted access port set; wherein each access address in the set of access addresses corresponds to at least one restricted access port in the set of restricted access ports;
a determining module 63, configured to determine, when an access address corresponding to the protocol address can be matched in the access address set, the matched access address as a target address;
a first communication module 64, configured to access the restricted access port corresponding to the target address to complete a response to the communication request.
In some embodiments, the apparatus further comprises: the second obtaining module is used for obtaining a preset configuration file, and the configuration file comprises at least one second port identifier; a second determining module, configured to determine the restricted access port set according to the identifier of the at least one second port; and the third acquisition module is used for acquiring the access address which is allowed to access each limited access port so as to generate the access address set.
In some embodiments, the apparatus further comprises: an establishing module, configured to establish a communication rule between the set of restricted access ports and the set of access addresses, so that each access address in the set of access addresses can access at least one restricted access port in the set of restricted access ports; correspondingly, the access address is determined by: the obtaining module is further configured to match an access address corresponding to the protocol address in the access address set based on the communication rule when a restricted access port corresponding to the port identifier can be matched in a preset restricted access port set.
In some embodiments, the apparatus further comprises: a fourth obtaining module, configured to obtain a file to be configured, where the file to be configured includes an identifier of at least one port to be configured; the searching module is used for searching the access limiting port corresponding to the identifier of each port to be configured in the access limiting port set; the third determining module is used for determining the corresponding port to be configured as the target port to be configured when the access-restricted port corresponding to the identifier of any port to be configured cannot be found; the first storage module is configured to use the target port to be configured as the restricted access port and store the port in the restricted access port set, so as to update the restricted access port set.
In some embodiments, the apparatus further comprises: a fifth obtaining module, configured to obtain at least one to-be-configured address allowing access to the target to-be-configured port; and the second storage module is used for taking the at least one address to be configured as the access address and storing the at least one address to be configured in the access address set so as to update the access address set.
In some embodiments, the apparatus further comprises: a sixth obtaining module, configured to, when the server is a server in a distributed cluster system, obtain a protocol address of the server and a virtual address of the distributed cluster system; the second communication module is used for realizing the communication between the server and other servers in the distributed cluster system by adopting the protocol address of the server; and the response module is used for responding to the communication request by adopting the virtual address so as to complete the response to the communication request.
In some embodiments, the apparatus further comprises: a degradation processing module, configured to, when a restricted access port that is not accessible to each other exists between the server and any one of the other servers, perform degradation processing on the restricted access port that is not accessible to each other, so that the restricted access port that is not accessible to each other becomes a white list port; and the third communication module is used for realizing the communication between the server and the other servers by adopting the white list port.
It should be noted that the description of the apparatus in the embodiment of the present application is similar to the description of the method embodiment, and has similar beneficial effects to the method embodiment, and therefore, the description is not repeated. For technical details not disclosed in the embodiments of the present apparatus, reference is made to the description of the method embodiments of the present application for understanding.
EXAMPLE seven
In the embodiment of the present application, if the communication method is implemented in the form of a software functional module and sold or used as a standalone product, the communication method may also be stored in a computer-readable storage medium. Based on such understanding, the technical solutions of the embodiments of the present invention or portions thereof that contribute to the related art may be embodied in the form of a software product, where the computer software product is stored in a computer-readable storage medium and includes several instructions for enabling a terminal to execute all or part of the methods according to the embodiments of the present invention. And the aforementioned computer-readable storage media comprise: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read Only Memory (ROM), a magnetic disk, or an optical disk. Thus, embodiments of the invention are not limited to any specific combination of hardware and software.
Correspondingly, an embodiment of the present application provides a communication device, including: a memory for storing executable instructions; and the processor is used for realizing the communication method provided by the embodiment when executing the executable instructions stored in the memory.
The embodiment of the present application provides a storage medium, which is a computer-readable storage medium and stores executable instructions for causing a processor to implement the communication method provided by the above embodiment when executed.
Fig. 7 is a schematic diagram of an optional component structure of a communication device according to an embodiment of the present application, and as shown in fig. 7, the communication device 70 at least includes: a processor 71, a communication interface 72, and a storage medium 73 configured to store executable instructions, wherein: the processor 71 generally controls the overall operation of the communication device 70.
The communication interface 72 may enable the communication device to communicate with other devices over a network.
The storage medium 73 is configured to store instructions and applications executable by the processor 71, and may also buffer data to be processed or processed by each module in the processor 71 and the communication device 70, and may be implemented by a FLASH Memory (FLASH) or a Random Access Memory (RAM).
It should be appreciated that reference throughout this specification to "one embodiment" or "an embodiment" means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Thus, the appearances of the phrases "in one embodiment" or "in an embodiment" in various places throughout this specification are not necessarily all referring to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. It should be understood that, in various embodiments of the present invention, the sequence numbers of the above-mentioned processes do not mean the execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation on the implementation process of the embodiments of the present invention. The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
It should be noted that, in this document, the terms "comprises", "comprising" or any other variation thereof are intended to cover a non-exclusive inclusion, so that a process, a method or an apparatus including a series of elements includes not only those elements but also other elements not explicitly listed or inherent to such process, method or apparatus. Without further limitation, an element identified by the phrase "comprising an … …" does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element. In the several embodiments provided in the embodiments of the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described device embodiments are merely illustrative, for example, the division of the unit is only a logical functional division, and there may be other division ways in actual implementation, such as: multiple units or components may be combined, or may be integrated into another system, or some features may be omitted, or not implemented.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units; can be located in one place or distributed on a plurality of network units; some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment. Those of ordinary skill in the art will understand that: all or part of the steps for realizing the method embodiments can be completed by hardware related to program instructions, the program can be stored in a computer readable storage medium, and the program executes the steps comprising the method embodiments when executed; and the aforementioned computer-readable storage media comprise: various media that can store program code, such as removable storage devices, read-only memories, magnetic or optical disks, etc. Alternatively, the integrated unit of the present invention may be stored in a computer-readable storage medium if it is implemented in the form of a software functional module and sold or used as a separate product. Based on such understanding, the technical solutions of the embodiments of the present invention may be embodied in the form of a software product, which is stored in a computer-readable storage medium and includes several instructions for causing a terminal to execute all or part of the methods according to the embodiments of the present invention. And the aforementioned computer-readable storage media comprise: a removable storage device, a ROM, a magnetic or optical disk, or other various media that can store program code.
In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between the devices or units may be electrical, mechanical or other forms.
In addition, all the functional units in the embodiments of the present invention may be integrated into one processing module, or each unit may be separately used as one unit, or two or more units may be integrated into one unit; the integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit. Those of ordinary skill in the art will understand that: all or part of the steps for implementing the method embodiments may be implemented by hardware related to program instructions, and the program may be stored in a computer readable storage medium, and when executed, the program performs the steps including the method embodiments; and the aforementioned storage medium includes: a mobile storage device, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The methods disclosed in the several method embodiments provided in the present application may be combined arbitrarily without conflict to obtain new method embodiments.
Features disclosed in several of the product embodiments provided in the present application may be combined in any combination to yield new product embodiments without conflict.
The features disclosed in the several method or apparatus embodiments provided in the present application may be combined arbitrarily, without conflict, to arrive at new method embodiments or apparatus embodiments.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.

Claims (10)

1. A method of communication, the method comprising:
a server receives a communication request, wherein the communication request comprises a first port identifier and a protocol address;
if a restricted access port corresponding to the first port identifier can be matched in a preset restricted access port set, acquiring an access address set corresponding to the restricted access port set; wherein each access address in the access address set corresponds to at least one restricted access port in the restricted access port set;
if an access address corresponding to the protocol address can be matched in the access address set, determining the matched access address as a target address;
and accessing the restricted access port corresponding to the target address to complete the response to the communication request.
2. The method of claim 1, wherein the set of access addresses is determined by:
acquiring a preset configuration file, wherein the configuration file comprises at least one second port identifier;
determining the restricted access port set according to the at least one second port identifier;
obtaining access addresses allowed to access each restricted access port to generate the set of access addresses.
3. The method of claim 1, further comprising:
establishing a communication rule between the set of restricted access ports and the set of access addresses such that each access address in the set of access addresses can access at least one restricted access port in the set of restricted access ports;
correspondingly, the access address is determined by:
and when a restricted access port corresponding to the first port identifier can be matched in the preset restricted access port set, matching an access address corresponding to the protocol address in the access address set based on the communication rule.
4. The method of claim 1, wherein the restricted access port set is updated by:
acquiring a file to be configured, wherein the file to be configured comprises an identifier of at least one port to be configured;
searching a restricted access port corresponding to the identifier of each port to be configured in the restricted access port set;
if no restricted access port corresponding to the identifier of any port to be configured can be found, determining the corresponding port to be configured as a target port to be configured;
and taking the target port to be configured as a restricted access port and storing it in the restricted access port set to update the restricted access port set.
5. The method of claim 4, wherein the set of access addresses is updated by:
acquiring at least one address to be configured allowing to access the target port to be configured;
and if no access address corresponding to any address to be configured can be found in the access address set, taking the corresponding address to be configured as an access address and storing it in the access address set to update the access address set.
6. The method according to any one of claims 1 to 5, further comprising:
if the server is a server in a distributed cluster system, acquiring a protocol address of the server and a virtual address of the distributed cluster system;
adopting the protocol address of the server to realize communication between the server and other servers in the distributed cluster system;
and responding to the communication request by adopting the virtual address so as to complete the communication.
7. The method of claim 6, further comprising:
when a restricted access port exists that cannot be mutually accessed between the server and any other server, performing degradation processing on that restricted access port so that it becomes a whitelist port;
and realizing communication between the server and the other servers by adopting the white list port.
8. A communications apparatus, the apparatus comprising:
a receiving module, configured to receive a communication request, where the communication request includes a first port identifier and a protocol address;
an obtaining module, configured to acquire, if a restricted access port corresponding to the first port identifier can be matched in a preset restricted access port set, an access address set corresponding to the restricted access port set; wherein each access address in the access address set corresponds to at least one restricted access port in the restricted access port set;
a determining module, configured to determine, if an access address corresponding to the protocol address can be matched in the access address set, the matched access address as a target address;
and a first communication module, configured to access the restricted access port corresponding to the target address to complete the response to the communication request.
9. A communication device, the device comprising:
a memory for storing executable instructions; a processor for implementing the method of any one of claims 1 to 7 when executing executable instructions stored in the memory.
10. A storage medium having stored thereon executable instructions for causing a processor to perform the method of any one of claims 1 to 7 when executed.
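Claims 1 to 5 describe a port-scoped source-address allowlist: a request is checked against the allowlist only when its destination port is in the restricted set, and an address reaches a restricted port only if it was configured for one. The Python below is an added example modelled on those claims; it is not code from the patent or from Sangfor, and the JSON configuration shape, the class and method names, and the sample ports and addresses are all assumptions. It implements the per-port communication rule of claim 3 and also exposes the union "access address set corresponding to the restricted access port set" that claim 1 names literally, so the difference between the two readings can be exercised: matching against the union admits an address that was configured for a different restricted port. Claims 6 and 7 (cluster virtual address, degrading an unreachable port to a whitelist port) are not modelled.

```python
import ipaddress
import json

# Constructed sample configuration file (claim 2). The JSON shape is an
# assumption; the patent does not specify a file format.
SAMPLE_CONFIG = """
{
  "restricted_ports": [
    {"port": 22,   "allow": ["10.0.0.0/24"]},
    {"port": 3306, "allow": ["10.0.1.5"]}
  ]
}
"""


class PortAllowlist:
    """Maps each restricted port to the source networks allowed to reach it."""

    def __init__(self):
        # port -> set of ip_network objects: the per-port rule of claim 3.
        self.rules = {}

    @classmethod
    def from_config(cls, text):
        policy = cls()
        policy.update_from_config(text)
        return policy

    def update_from_config(self, text):
        """Claims 4 and 5: merge a configuration file into the current sets.

        Ports and addresses that are already present are kept; only entries
        not yet in the sets are added.
        """
        cfg = json.loads(text)
        for entry in cfg["restricted_ports"]:
            self.add_port(int(entry["port"]), entry.get("allow", []))

    def add_port(self, port, addresses):
        if not 1 <= port <= 65535:
            raise ValueError(f"invalid port {port}")
        nets = self.rules.setdefault(port, set())
        for addr in addresses:
            # strict=False accepts host addresses such as "10.0.1.5" (a /32)
            # as well as prefixes such as "10.0.0.0/24".
            nets.add(ipaddress.ip_network(addr, strict=False))

    def restricted_ports(self):
        return set(self.rules)

    def all_access_addresses(self):
        """Union of every port's allowed networks (the literal claim 1 set)."""
        return set().union(*self.rules.values())

    def decide(self, port, src, per_port=True):
        """Decide a request carrying (port identifier, protocol address).

        Returns 'unrestricted' when the port is not in the restricted set,
        'allow' when the source matches a configured access address, and
        'deny' otherwise. An unparseable source address fails closed.
        """
        if port not in self.rules:
            return "unrestricted"
        try:
            src_ip = ipaddress.ip_address(src)
        except ValueError:
            return "deny"
        candidates = self.rules[port] if per_port else self.all_access_addresses()
        if any(src_ip in net for net in candidates):
            return "allow"
        return "deny"


if __name__ == "__main__":
    policy = PortAllowlist.from_config(SAMPLE_CONFIG)
    for port, src in [(22, "10.0.0.7"), (22, "10.0.1.5"), (3306, "10.0.1.5"), (80, "203.0.113.9")]:
        print(port, src, policy.decide(port, src), policy.decide(port, src, per_port=False))
```

The `per_port=False` path is the reason the communication rule of claim 3 matters in practice: with the union set, a host that is allowed only on 3306 also passes the check for 22, so a deployment that stores one flat address set for all restricted ports grants more than the operator configured. A request for a port outside the restricted set is reported as `unrestricted` rather than allowed, so the caller can still apply whatever general policy governs ordinary ports.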
CN202010180352.5A 2020-03-16 2020-03-16 Communication method, device, equipment and storage medium Active CN111355746B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010180352.5A CN111355746B (en) 2020-03-16 2020-03-16 Communication method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN111355746A CN111355746A (en) 2020-06-30
CN111355746B true CN111355746B (en) 2022-08-05

Family

ID=71197520

Country Status (1)

Country Link
CN (1) CN111355746B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113225308B (en) * 2021-03-19 2022-11-08 深圳市网心科技有限公司 Network access control method, node equipment and server
CN113067883B (en) * 2021-03-31 2023-07-28 建信金融科技有限责任公司 Data transmission method, device, computer equipment and storage medium
CN113596033B (en) * 2021-07-30 2023-03-24 深信服科技股份有限公司 Access control method and device, equipment and storage medium
CN117278341A (en) * 2023-11-23 2023-12-22 成都卓拙科技有限公司 ACL rule updating method, device, equipment and storage medium

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7058727B2 (en) * 1998-09-28 2006-06-06 International Business Machines Corporation Method and apparatus load balancing server daemons within a server
JP2019129427A (en) * 2018-01-25 2019-08-01 ブラザー工業株式会社 Communication apparatus and computer program

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103200281A (en) * 2013-01-24 2013-07-10 中国联合网络通信集团有限公司 Method, device and system for accessing intranet server
CN105052093A (en) * 2013-02-01 2015-11-11 瑞典爱立信有限公司 Method and system of shortest path bridging (SPB) enhanced resilience with loop mitigation
CN109587109A (en) * 2017-09-29 2019-04-05 费希尔-罗斯蒙特系统公司 The poisoning of process control interchanger is protected
CN109617813A (en) * 2017-09-29 2019-04-12 费希尔-罗斯蒙特系统公司 The intelligent process control switch port of enhancing locks

Also Published As

Publication number Publication date
CN111355746A (en) 2020-06-30

Similar Documents

Publication Publication Date Title
CN111355746B (en) Communication method, device, equipment and storage medium
US10764320B2 (en) Structuring data and pre-compiled exception list engines and internet protocol threat prevention
US20190281088A1 (en) Security mediation for dynamically programmable network
US10623232B2 (en) System and method for determining and forming a list of update agents
US9571523B2 (en) Security actuator for a dynamically programmable computer network
EP3788755B1 (en) Accessing cloud resources using private network addresses
US10958725B2 (en) Systems and methods for distributing partial data to subnetworks
CN113596033B (en) Access control method and device, equipment and storage medium
US10313396B2 (en) Routing and/or forwarding information driven subscription against global security policy data
US10855721B2 (en) Security system, security method, and recording medium for storing program
US10868830B2 (en) Network security system, method, recording medium and program for preventing unauthorized attack using dummy response
US11983220B2 (en) Key-value storage for URL categorization
US10681007B2 (en) String search and matching for gate functionality
US10897483B2 (en) Intrusion detection system for automated determination of IP addresses
US20230350966A1 (en) Communicating url categorization information
CN107736003B (en) Method and apparatus for securing domain names
CN111865876B (en) Network access control method and equipment
US20140294006A1 (en) Direct service mapping for nat and pnat
CN113691650B (en) IPv4/IPv6 stateless segmented safety mapping method and control system
KR102382317B1 (en) Method and system for downloading cyber training tool
US20230179623A1 (en) Breach path prediction and remediation
EP3304852B1 (en) String search and matching for gate functionality
CN114679290A (en) Network security management method and electronic equipment
AU2018302104A1 (en) Systems and methods for distributing partial data to subnetworks
Dong et al. A security framework for protecting traffic between collaborative domains

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant