CN104092691A - Implementation method for implementing root-authority-free networking firewall and client-side - Google Patents

Implementation method for implementing root-authority-free networking firewall and client-side

Info

Publication number: CN104092691A
Authority: CN (China)
Prior art keywords: application, network connection, connection request, network, configuration
Application number: CN201410334918.XA
Other languages: Chinese (zh)
Inventors: 苏云琳, 王鹏程
Original assignee: 北京奇虎科技有限公司; 奇智软件(北京)有限公司
Application filed by 北京奇虎科技有限公司 and 奇智软件(北京)有限公司.

Abstract

The invention discloses a method for implementing a networking firewall without root privileges, and a client. The method comprises: obtaining a network connection request and redirecting it to a local service process, the local service process being provided by a local VPN service; in the local service process, obtaining the application name of the application that initiated the network connection request by querying a system file; querying a pre-configuration file to obtain the configuration policy recorded in it for that application name; and processing the network connection request according to the configuration policy. Because the operating system grants applications inside the VPN framework a higher level of control over network connections, the VPN framework lets the application control the network connections of other applications without obtaining root privileges.

Description

Implementation method for a networking firewall without root privileges, and client

TECHNICAL FIELD

[0001] The present invention relates to the field of Internet technology, and in particular to a method for implementing a networking firewall without root privileges, and to a client.

BACKGROUND

[0002] With the spread of smartphones and the development of mobile Internet technology, going online from a phone has become an indispensable need of "mobile netizens", and the number of applications on smartphones keeps growing. Compared with a PC, a phone is highly personal, so security risks on a phone pose a greater threat to the user: rogue phone software, phone hacking, theft of mobile data and other security problems cause users unexplained expenses and other forms of loss.

[0003] To strengthen the security of mobile Internet access, the prior art provides networking firewall technology. With a networking firewall a user can set Internet access rules for applications, block or allow applications from going online, configure blacklists and whitelists, count network traffic, obtain traffic logs, display the network status, and so on. However, because of the permission restrictions of the phone operating system, an existing networking firewall must obtain root privileges to implement these functions, and then manage and control other applications on the basis of those root privileges. Obtaining root privileges requires flashing the phone's firmware, and because refreshing the system files involves a certain delay, prior-art networking firewalls generally suffer from delayed feedback of results.

SUMMARY

[0004] In view of the above problems, the present invention is proposed in order to provide a client, and a corresponding method for implementing a networking firewall without root privileges, that overcome the above problems or at least partially solve them.

[0005] According to one aspect of the present invention, a method for implementing a networking firewall without root privileges is provided, comprising:

[0006] obtaining a network connection request and redirecting it to a local service process, the local service process being provided by a local VPN service;

[0007] in the local service process, obtaining the application name of the application that initiated the network connection request by querying a system file;

[0008] querying a pre-configuration file to obtain the configuration policy recorded in the pre-configuration file for that application name;

[0009] processing the network connection request according to the configuration policy.

[0010] According to another aspect of the present invention, a client is provided, comprising:

[0011] a redirection module, adapted to obtain a network connection request and redirect it to a local service process, the local service process being provided by a local VPN service;

[0012] an application-name acquisition module, adapted to obtain, in the local service process, the application name of the application that initiated the network connection request by querying a system file;

[0013] a query module, adapted to query a pre-configuration file and obtain the configuration policy recorded in the pre-configuration file for that application name;

[0014] a processing module, adapted to process the network connection request according to the configuration policy.

[0015] In the solution provided by the present invention, a local service process, provided by a local VPN service created inside the client, handles the network connections of applications: it obtains the application name of the application that initiated the network connection request by querying a system file, then obtains the corresponding configuration policy by querying a configuration file, and processes the network connection request according to that policy. Because the operating system framework grants applications inside the VPN framework a higher level of control over network connections, using the VPN framework lets the application of the present invention control the network connections of other applications without obtaining root privileges, which solves the delayed-feedback problem of the prior art.

[0016] The above is only an overview of the technical solution of the present invention. To make the technical means of the present invention easier to understand, so that it can be implemented according to the contents of the specification, and to make the above and other objects, features and advantages of the present invention clearer, specific embodiments of the present invention are set out below.

BRIEF DESCRIPTION OF THE DRAWINGS

[0017] Various other advantages and benefits will become clear to those of ordinary skill in the art on reading the following detailed description of preferred embodiments. The drawings serve only to illustrate preferred embodiments and are not to be regarded as limiting the present invention. Throughout the drawings, the same reference symbols denote the same parts. In the drawings:

[0018] FIG. 1 shows a flowchart of a method for implementing a networking firewall without root privileges according to one embodiment of the present invention;

[0019] FIG. 2 shows a flowchart of a method for implementing a networking firewall without root privileges according to one embodiment of the present invention;

[0020] FIG. 3 shows a functional block diagram of a client according to one embodiment of the present invention;

[0021] FIG. 4 shows a functional block diagram of a client according to another embodiment of the present invention.

DETAILED DESCRIPTION

[0022] Exemplary embodiments of the present disclosure are described below in more detail with reference to the drawings. Although the drawings show exemplary embodiments of the present disclosure, it should be understood that the present disclosure may be implemented in various forms and should not be limited by the embodiments set out here. Rather, these embodiments are provided so that the present disclosure can be understood more thoroughly and so that its scope can be conveyed completely to those skilled in the art.

[0023] The embodiments of the present invention are built on a local VPN service (VPN client) created inside the client. In this document the client may be a mobile terminal device with mobile networking service, such as a smartphone or a tablet computer. To make VPN services easy to use, the client's operating system exposes a number of system interfaces (APIs); once the user has given confirmation, a VPN service can obtain the authority to control and manage other applications. Specifically, the VPN service inside the client can be switched on by calling the APIs provided by the operating system. When other applications on the client want to access the network, the network connection requests they initiate all pass through the local VPN service, so that the client can access network resources effectively and securely.

[0024] Taking one application scenario as an example: when the client installs or first starts the stand-alone application that implements the solution of the present invention (hereinafter "the application of the present invention"), that application needs to create a local VPN service. At that point it prompts the user to trust or not trust the application; if the user chooses to trust it, the application of the present invention creates the local VPN service. After the local VPN service has been created, because the operating system framework grants applications inside the VPN framework a higher level of control over other applications, the application of the present invention has a higher level of control over network connections than other applications. When the user wants to use certain applications and wants the network connections those applications initiate to be processed while they are in use, the user starts the application of the present invention that created the local VPN service and taps its settings switch, which starts the VPN client. Once the VPN client has started, the method provided by this embodiment is executed.

[0025] FIG. 1 shows a flowchart of a method for implementing a networking firewall without root privileges according to one embodiment of the present invention. As shown in FIG. 1, the method comprises the following steps:

[0026] Step S100: obtain a network connection request and redirect it to a local service process, the local service process being provided by a local VPN service.

[0027] As described above, after the application of the present invention has created the local VPN service, it has a higher level of control over network connections than other applications. When another application issues a network connection request, the application of the present invention can intercept the request and redirect it to the local service process inside the application of the present invention for further processing. Take the Weibo application as an example: when the user launches the Weibo application and it initiates a network connection request to access Weibo content, the application of the present invention, having a higher level of control over network connections than the Weibo application, intercepts that request and redirects it to its local service process for further processing.

[0028] Step S101: in the local service process, obtain the application name of the application that initiated the network connection request by querying a system file.

[0029] The system file records all current TCP and/or UDP connections in the system. Taking Android as an example, the network connection information of all current TCP and/or UDP connections is kept in proc files. A proc file is a snapshot of the kernel: it stores state information about the running system, and it also serves as an input interface, since a user can modify the contents of some files under the proc directory to change kernel runtime parameters. This document uses the state-storing function of proc files: by reading proc files it implements some basic functions of the netstat command, including scanning TCP and UDP ports, and thereby obtains the application name of the application that initiated the network connection request.

[0030] Step S102: query a pre-configuration file to obtain the configuration policy recorded in it for that application name.

[0031] The present invention provides a pre-configuration file for storing the various configuration policies. The pre-configuration file exposes a configuration interface to the user, through which the user can choose which applications use which configuration policies. According to the user's choices, each configuration policy has a corresponding list of application names, and every application in that list is processed with the corresponding configuration policy.

[0032] For example, the pre-configuration file stores firewall policies. One firewall policy is: forbid the application from accessing the network when the connection is over a wireless mobile network (such as 3G or 4G). If the user chooses to apply this firewall policy to the Weibo application, the Weibo application's name is written into the application-name list for that firewall policy in the pre-configuration file. Optionally, another firewall policy is: forbid background programs from accessing the network when the connection is over a wireless mobile network. The user can choose the applications that use this policy, in which case the names of the chosen applications are written into the policy's application-name list in the pre-configuration file; the user can also choose the applications that do not use this policy (an exclusive selection), in which case the names of all applications other than the chosen ones are written into the policy's application-name list. In general, for instant-messaging software such as WeChat and Weibo the user needs to receive notification messages in real time, so the names of these applications can be excluded in the pre-configuration file, to avoid notifications being delayed while these applications are in the background.

[0033] Step S103: process the network connection request according to the configuration policy.

[0034] After obtaining the name of the application that initiated the network connection request and its corresponding configuration policy, the request is processed according to that policy. For the Weibo application, if the current connection is over a wireless mobile network, the network connection request initiated by the Weibo application is blocked. For a background program, if it is in the application-name list of the firewall policy that forbids background programs from accessing the network, and the current connection is over a wireless mobile network, the network connection request initiated by that background program is blocked.

[0035] In the method provided by this embodiment, a local service process, provided by a local VPN service created inside the client, handles the network connections of applications: it obtains the application name of the application that initiated the network connection request by querying a system file, then obtains the corresponding configuration policy by querying a configuration file, and processes the network connection request according to that policy. On the one hand, because the operating system framework grants applications inside the VPN framework a higher level of control over network connections, using the VPN framework lets the application of the present invention control the network connections of other applications without obtaining root privileges, which solves the delayed-feedback problem of the prior art. On the other hand, because the method of this embodiment is implemented by a functionally independent application, there is no need to configure policies separately in each application: the configuration policies are set centrally through the configuration interface of the application of the present invention to form the pre-configuration file, and all applications in an application-name list are processed with one uniform configuration policy, which is convenient for the user.

[0036] In addition, in the embodiments of the present invention, besides the pre-configuration file stored locally on the client for the various configuration policies, the cloud also provides some default configuration policies. For example, the cloud offers a one-click setup function and supports the following cloud-configured policies: forbid applications that are normally used only in the foreground (such as browsers and video players) from using the network in the background, and/or forbid applications that do not need the network (such as calculators) from using the network at all. Policies configured in the cloud can be synchronised to the client periodically and stored in the pre-configuration file for matching.

[0037] FIG. 2 shows a flowchart of a method for implementing a networking firewall without root privileges according to one embodiment of the present invention. As shown in FIG. 2, the method comprises the following steps:

[0038] Step S200: obtain a network connection request.

[0039] For an application installed on the client, if the application needs to access the network, it must first initiate a network connection request, for example a TCP connection request or a UDP connection request. In this embodiment, before the application sends out such a network connection request, the request is obtained and the subsequent flow is executed.

[0040] Step S201: parse the routing information out of the network connection request and determine whether it matches the information recorded in a routing table delivered in advance; if so, go to step S202; if not, the method ends.

[0041] In the embodiments of the present invention a routing table is delivered in advance; it records the routing information for which network-connection optimisation processing is required. If the routing information in the network connection request matches the information recorded in the routing table, the subsequent method flow is executed. If it does not match, the network connection request needs no network-connection optimisation, and subsequent processing can continue according to the prior-art flow.

[0042] Step S202: redirect the network connection request to the local service process.

[0043] As described above, after the application of the present invention has created the local VPN service, it has a higher level of control over network connections than other applications. When another application issues a network connection request, the application of the present invention can intercept the request and redirect it to the local service process inside the application of the present invention for further processing.

[0044] Step S203: call the system interface for obtaining the address and port, and obtain the address and port corresponding to the network connection request.

[0045] After the local service process has received the network connection request, the local address and port of the application that initiated the request, i.e. ip:port, can be obtained by calling a system interface. Android provides the getpeername interface: when the local service process receives a network connection request, it obtains the socket corresponding to that request and passes the socket to getpeername, which yields the local address and port of the application that initiated the request.

[0046] Step S204: query the system file with the address and port corresponding to the network connection request, and obtain the application identifier of the application that initiated the request.

[0047] The system file records all current TCP and/or UDP connections in the system. Taking Android as an example, the network connection information of all current TCP and/or UDP connections is kept in proc files. Specifically, the network connection information of TCP connections is kept in /proc/net/tcp, that of UDP connections in /proc/net/udp, and some further network connection information is kept in /proc/net/tcp6. Therefore the system file queried by the embodiments of the present invention comprises one or more of the following files: /proc/net/tcp; /proc/net/udp; /proc/net/tcp6. Before querying /proc/net/tcp6, the method further comprises converting the address and port from the IPv4 protocol to the IPv6 protocol.

[0048] Specifically, the query first looks in /proc/net/tcp; if nothing is found, it then looks in /proc/net/udp; if still nothing is found, it finally looks in /proc/net/tcp6.

[0049] A specific example of the information output when /proc/net/tcp is queried with the netstat -tn command is given below:

[0050] sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode

[0051] 1: 3A00AA0A:00C7 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 25926 1 f73bc080 3000 002-1

[0052] In the example above, sl is the number of the open socket; local_address is the local IP address:port number in hexadecimal (network byte order); rem_address is the remote address; st is the connection state; uid is the application identifier of the application that initiated the network connection request. The other fields are not directly relevant to this solution and are not described further.

[0053] As the above example shows, once the local address and port corresponding to the network connection request are known, the corresponding uid can be obtained by querying the system file.

[0054] The /proc/net/udp and /proc/net/tcp6 files are similar to the example above, differing only in the remote address and state information, and are not described further here.

[0055] 步骤S205,根据应用标识调用用于获取应用名的系统接口,获取发起网络连接请求的应用的应用名。 [0055] Step S205, the call identifier according to the application system interface for acquiring application name, obtaining the application name of the application to initiate a network connection request.

[0056] 在获得应用标识之后,通过调用系统接口进一步获得应用名。 [0056] After obtaining the application identifier, the application name to obtain further by calling the system interface. 具体地,利用Android系统提供的getApplicationName接口,得到发起网络连接请求的应用名。 Specifically, with getApplicationName Android system provides an interface to obtain application name initiating network connection request.

[0057] 步骤S206,查询预配置文件,得到预配置文件中记录的与应用名对应的配置策略。 [0057] step S206, the query pre-configured file, get pre-configured file name recorded in the corresponding application configuration policies.

[0058] 本发明提供了用于存储各种配置策略的预配置文件,该预配置文件向用户提供了配置接口,用户可以通过该配置接口选择哪些应用使用哪些配置策略。 [0058] The present invention provides a pre-configured policy file for storing various types of configuration, the pre-configured configuration file provides interface to a user, the user can choose which applications which use this configuration policy configuration interface. 作为一种具体示例, 预配置文件中可包含如下配置策略: As a specific example, the configuration file may include a pre-configured policy as follows:

[0059] (1)在无线移动网联网情况下,阻断一些应用名对应的应用发起的网络连接请求; [0059] (1) In the case of a wireless mobile networking network, block some applications initiated web application name corresponding to the connection request;

[0060] (2)在无线移动网联网情况下,禁止某些后台程序访问网络; [0060] (2) In the case of a wireless mobile networking network, some background is prohibited to access the network;

[0061] (3)在无线局域网联网情况下,对一些应用名对应的应用发起的用于访问支付页面的网络连接请求进行加密处理,即加密策略。 [0061] (3) In the case of wireless local area networking, application name corresponding to initiate some applications used to access the network connection request payment page is encrypted, ie an encryption policy.

[0062] 根据用户的选择,每种配置策略对应有应用名列表,该应用名列表中每一个应用都采用对应的配置策略进行处理。 [0062] According to a user's selection, each configured with a policy corresponding to the application name in the list, the application name in the list corresponding to each application configuration policies are used for processing. 以上述防火墙策略(1)为例,若用户选择优酷、搜狐视频等应用使用该防火墙策略,那么在预配置文件中该防火墙策略对应的应用名列表中添加上述应用的应用名,形成该防火墙策略的应用黑名单;以上述防火墙策略(2)为例,若用户选择微博、微信等应用不使用该防火墙策略,那么在预配置文件中将除了微博、微信以外的应用的应用名添加到该防火墙策略对应的应用名列表中,形成该防火墙策略的应用黑名单; 以加密策略(3)为例,若用户选择淘宝、支付宝、京东、当当网等支付类应用使用加密策略, 那么在预配置文件中加密策略对应的应用名列表中添加上述支付类应用的应用名,形成加密策略的应用黑名单。 In the above firewall policy (1), for example, when the user selects Youku, Sohu video applications use the firewall policy, then add the application name to the application in the pre-profile application name list of firewall policies to form the firewall policy blacklist application; firewall policy to the above (2), for example, when the user selects microblogging, letters and other applications that do not use a firewall policy, then in addition to it, the application name of the application other than the micro-channel will be added to the pre-profile application name list of the firewall policy corresponding form application blacklist the firewall policy; encrypted policy (3), for example, if the user selects Taobao, Alipay, Jingdong, Dangdang and other payment type applications use encryption policy, then the pre Add a list of applications in the name of the configuration file encryption policy corresponding application name of said payment type applications, application form blacklist encryption policy.

[0063] In actual application, other configuration policies may be set according to circumstances; the present invention imposes no limitation in this regard.

[0064] In addition, in this embodiment, besides the above pre-configuration file that stores the various configuration policies and is configured locally on the client, the cloud also provides some default configuration policies. For example, the cloud provides a one-click setup function for the user and supports configuring the following policies in the cloud: prohibiting applications that are normally used only in the foreground (for example browsers and video players) from connecting to the network in the background, and/or prohibiting applications that do not need network access (for example a calculator) from connecting to the network at all. Policies configured in the cloud can be synchronised to the client periodically and stored in the pre-configuration file for use in matching.

[0065] Step S207: the network connection request is processed according to the configuration policy.

[0066] After the application name of the application initiating the network connection request and its corresponding configuration policy have been obtained, the network connection request is processed according to that configuration policy. In the above example, if the application initiating the network connection request belongs to the application blacklist of firewall policy (1), it is further determined whether the current network connection is a wireless mobile (for example 3G or 4G) connection; if so, the network connection request initiated by that application is blocked. In this way data traffic can be greatly reduced, saving mobile data. If the application initiating the network connection request belongs to the application blacklist of firewall policy (2), it is further determined whether the current connection is a wireless mobile connection and whether the application is a background program; if both hold, the network connection request initiated by that application is blocked, which likewise saves mobile data. If the application initiating the network connection request belongs to the application blacklist of the encryption policy, it is further determined whether the current connection is a wireless local area network (for example wifi) connection; if so, the network connection request initiated by that application for accessing a payment page is encrypted, improving the security of network access.
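The query and processing steps described above (building the per-policy application name lists from the user's selection, merging cloud defaults, and deciding what to do with a request given the network type and the application's state) can be seen end to end in the following added example. It is not code from the patent or its applicant; it uses Python rather than the Android application the description assumes, the package names `com.example.*` are hypothetical stand-ins for the applications named in the text, and the policy keys are names chosen here.

```python
from dataclasses import dataclass
from typing import Dict, List

# Network types as the description distinguishes them: wireless mobile (3G/4G)
# versus wireless local area network (wifi).
MOBILE = "mobile"
WLAN = "wlan"

# Keys for the three policies of the description (names chosen for this
# example); each value is that policy's application name list, the
# "application blacklist".
BLOCK_ON_MOBILE = "block_on_mobile"                        # firewall policy (1)
BLOCK_BACKGROUND_ON_MOBILE = "block_background_on_mobile"  # firewall policy (2)
ENCRYPT_PAYMENT_ON_WLAN = "encrypt_payment_on_wlan"        # encryption policy (3)


@dataclass
class ConnectionContext:
    """What the local service process knows about one intercepted request."""
    app_name: str
    network: str            # MOBILE or WLAN
    background: bool = False
    payment_page: bool = False


def build_preconfig(installed_apps: List[str],
                    use_policy1: List[str],
                    exempt_from_policy2: List[str],
                    use_encryption: List[str]) -> Dict[str, List[str]]:
    """Build the pre-configuration file content from the user's selections.

    Policies (1) and (3) list the apps the user chose to apply them to.
    Policy (2) is the inverse: the user names the apps that must NOT be
    restricted (e.g. messaging apps) and every other installed app is
    written into the blacklist.
    """
    return {
        BLOCK_ON_MOBILE: sorted(use_policy1),
        BLOCK_BACKGROUND_ON_MOBILE: sorted(set(installed_apps) - set(exempt_from_policy2)),
        ENCRYPT_PAYMENT_ON_WLAN: sorted(use_encryption),
    }


def merge_cloud_defaults(local: Dict[str, List[str]],
                         cloud: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Sync step: union the cloud-provided default lists into the local file."""
    merged = {k: list(v) for k, v in local.items()}
    for policy, apps in cloud.items():
        merged[policy] = sorted(set(merged.get(policy, [])) | set(apps))
    return merged


def matching_policies(config: Dict[str, List[str]], app_name: str) -> List[str]:
    """Query step: every policy whose application name list contains the app."""
    return [policy for policy, apps in config.items() if app_name in apps]


def decide(config: Dict[str, List[str]], ctx: ConnectionContext) -> str:
    """Processing step S207: returns 'block', 'encrypt' or 'allow'."""
    policies = matching_policies(config, ctx.app_name)
    if BLOCK_ON_MOBILE in policies and ctx.network == MOBILE:
        return "block"
    if BLOCK_BACKGROUND_ON_MOBILE in policies and ctx.network == MOBILE and ctx.background:
        return "block"
    if ENCRYPT_PAYMENT_ON_WLAN in policies and ctx.network == WLAN and ctx.payment_page:
        return "encrypt"
    return "allow"


# Constructed sample: hypothetical package names standing in for the video,
# messaging and payment applications named in the description.
INSTALLED = ["com.example.video", "com.example.chat", "com.example.pay", "com.example.calc"]
LOCAL_CONFIG = build_preconfig(
    INSTALLED,
    use_policy1=["com.example.video"],
    exempt_from_policy2=["com.example.chat"],
    use_encryption=["com.example.pay"],
)
# Cloud default: an app that never needs the network is blocked on mobile.
CONFIG = merge_cloud_defaults(LOCAL_CONFIG, {BLOCK_ON_MOBILE: ["com.example.calc"]})

if __name__ == "__main__":
    for ctx in [ConnectionContext("com.example.video", MOBILE),
                ConnectionContext("com.example.chat", MOBILE, background=True),
                ConnectionContext("com.example.pay", WLAN, payment_page=True)]:
        print(ctx.app_name, ctx.network, "->", decide(CONFIG, ctx))
```

Note that the encryption policy is scoped the way the text scopes it: it fires only on a wireless local area network and only for a payment-page request, so the same payment application on a mobile connection is simply allowed through.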

[0067] According to the method provided by this embodiment, a local service process, provided by creating a local VPN service inside the client, is used to process the network connections of applications: the application name of the application initiating the network connection request is obtained by querying a system file, the corresponding configuration policy is then obtained by querying the configuration file, and the network connection request is processed according to that configuration policy. On the one hand, because the operating system framework grants an application inside the VPN framework a higher degree of control over network connections, using the VPN framework allows the application of the present invention to control the network connections of other applications without obtaining root privileges, which solves the problem of delayed feedback results in the prior art. On the other hand, the above method of this embodiment is realised by the functionally independent application of the present invention, so there is no need to set configuration policies separately in each application: the configuration policies are set centrally through the configuration interface provided by the application of the present invention to form the pre-configuration file, and all applications in an application name list are processed with a uniform configuration policy, which is convenient for the user.
Further, by configuring the above firewall policies, certain applications can be prohibited from connecting to the network under wireless mobile networking such as 3G or 4G, so that these applications do not consume mobile data; this saves data and reduces the user's spending on data. Moreover, the user can manage and configure the data usage of other applications centrally through the application of the present invention, which is practical and convenient. By configuring the above encryption policy, access to payment pages by certain payment applications under wireless local area networking such as wifi can be encrypted, avoiding the property losses that leakage of the user's private information would cause and improving the security of network access.

[0068] FIG. 3 shows a functional block diagram of a client according to one embodiment of the present invention. As shown in FIG. 3, the client comprises a redirection module 300, an application name obtaining module 310, a query module 320 and a processing module 330. Each functional module here is specifically a functional module inside the application of the present invention.

[0069] The redirection module 300 is adapted to obtain a network connection request and redirect it to a local service process, the local service process being provided by a local VPN service. After the application of the present invention creates the local VPN service, its level of control over network connections is higher than that of other applications. When another application issues a network connection request, the redirection module 300 in the application of the present invention can intercept the network connection request and redirect it to the local service process for subsequent processing.

[0070] The application name obtaining module 310 is adapted to obtain, in the local service process, the application name of the application initiating the network connection request by querying a system file. The system file records all tcp connections and/or udp connections in the current system. Taking the Android system as an example, the network connection information of all tcp connections and/or udp connections in the current system is saved in proc files. A proc file is a snapshot of the kernel: it stores state information about the running system and at the same time serves as an input interface, since the user can modify the contents of some files in the proc directory to change kernel runtime parameters. This application uses the state-storing function of proc files, i.e. it implements some basic functions of the netstat command, including scanning tcp and udp ports, by reading proc files, and thereby obtains the application name of the application initiating the network connection request.

[0071] The query module 320 is adapted to query the pre-configuration file and obtain the configuration policy recorded in the pre-configuration file that corresponds to the application name. The present invention provides a pre-configuration file for storing the various configuration policies; this pre-configuration file provides a configuration interface to the user, through which the user can select which applications use which configuration policies. According to the user's selection, each configuration policy corresponds to an application name list, and every application in that list is processed with the corresponding configuration policy.

[0072] The processing module 330 is adapted to process the network connection request according to the configuration policy. After the application name of the application initiating the network connection request and its corresponding configuration policy have been obtained, the processing module 330 processes the network connection request according to that configuration policy.

[0073] FIG. 4 shows a functional block diagram of a client according to another embodiment of the present invention. As shown in FIG. 4, the client comprises a pre-configuration file storage module 400, a judging module 410, a redirection module 420, an application name obtaining module 430, a query module 440 and a processing module 450.

[0074] The pre-configuration file storage module 400 is used to store the pre-configuration file; this pre-configuration file provides a configuration interface to the user, through which the user can select which applications use which configuration policies. As a specific example, the pre-configuration file may contain the following configuration policies: in the case of wireless mobile networking, blocking the network connection requests initiated by the applications corresponding to certain application names; and/or, in the case of wireless mobile networking, prohibiting the applications corresponding to certain application names from accessing the network as background programs; and/or, in the case of wireless local area networking, encrypting the network connection requests initiated by the applications corresponding to certain application names for accessing payment pages.

[0075] According to the user's selection, each configuration policy corresponds to an application name list, and every application in that list is processed with the corresponding configuration policy. Taking firewall policy (1) described in the method embodiment above as an example, if the user selects applications such as Youku and Sohu Video to use this firewall policy, the application names of those applications are added to the application name list corresponding to this firewall policy in the pre-configuration file, forming the application blacklist of this firewall policy. Taking firewall policy (2) described in the method embodiment above as an example, if the user selects applications such as Weibo and WeChat not to use this firewall policy, the application names of all applications other than Weibo and WeChat are added to the application name list corresponding to this firewall policy in the pre-configuration file, forming the application blacklist of this firewall policy. Taking encryption policy (3) described in the method embodiment above as an example, if the user selects payment applications such as Taobao, Alipay, JD.com and Dangdang to use the encryption policy, the application names of those payment applications are added to the application name list corresponding to the encryption policy in the pre-configuration file, forming the application blacklist of the encryption policy.

[0076] In actual application, other configuration policies may be set according to circumstances; the present invention imposes no limitation in this regard.

[0077] The judging module 410 is adapted to parse routing information out of the network connection request and determine whether the parsed routing information matches the information recorded in a routing table issued in advance.

[0078] The redirection module 420 is further adapted to redirect the network connection request to the local service process if the determination result of the judging module 410 is a match.

[0079] Further, the application name obtaining module 430 comprises a first calling module 431, a system file query module 432 and a second calling module 433.

[0080] The first calling module 431 is adapted to call the system interface for obtaining an address and port, and obtain the address and port corresponding to the network connection request. Specifically, the first calling module 431 may call the getpeername interface to obtain the local address and port of the application initiating the network connection request.

[0081] The system file query module 432 is adapted to query the system file according to the address and port corresponding to the network connection request and obtain the application identifier of the application initiating the network connection request. The system file records all tcp connections and/or udp connections in the current system. Taking the Android system as an example, the network connection information of all tcp connections and/or udp connections in the current system is saved in proc files. Specifically, the network connection information of tcp connections is saved in the file /proc/net/tcp, the network connection information of udp connections is saved in /proc/net/udp, and some further network connection information is saved in /proc/net/tcp6. Therefore, the system file queried by the system file query module 432 comprises one or more of the following files: /proc/net/tcp; /proc/net/udp; /proc/net/tcp6. The system file query module 432 is further adapted to convert the address and port from the IPV4 protocol to the IPV6 protocol before querying the system file /proc/net/tcp6. For the querying of the system file, see the detailed description of the method embodiment.

[0082] The second calling module 433 is adapted to call, according to the application identifier, the system interface for obtaining an application name, and obtain the application name of the application initiating the network connection request. Specifically, the second calling module 433 may call the getApplicationName interface provided by the Android system to obtain the application name of the application initiating the network connection request.
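The lookup performed by modules 431 to 433 (address and port of the intercepted connection, then the entry in /proc/net/tcp or /proc/net/tcp6 that carries the owning UID as the application identifier, then the application name) is shown in the following added example. It is not code from the patent or its applicant: it is Python rather than the Android application the description assumes, the two proc tables are constructed sample text rather than a capture from a device, the `UID_TO_APP` map is a hypothetical stand-in for the Android interface the text calls getApplicationName, and the caller is assumed to have already obtained the address and port (the text's getpeername step). The IPV4 to IPV6 conversion the text requires before querying /proc/net/tcp6 is done by building the IPv4-mapped form of the address.

```python
import socket
import struct
from typing import Dict, Optional

# Constructed sample of /proc/net/tcp and /proc/net/tcp6 (not captured from a
# real device). The uid column holds the owning app's UID; address columns are
# hex words in the kernel's native byte order, the port is big-endian hex.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0200000A:C2DE 5E9C3A68:01BB 01 00000000:00000000 00:00000000 00000000 10057        0 31337 1 0000000000000000 20 4 30 10 -1
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
"""
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0000000000000000FFFF00000200000A:A3F2 0000000000000000FFFF00005E9C3A68:01BB 01 00000000:00000000 00:00000000 00000000 10083        0 40001 1 0000000000000000 20 4 30 10 -1
"""

# Hypothetical UID -> package map standing in for the Android system
# interface the description refers to as getApplicationName.
UID_TO_APP: Dict[int, str] = {10057: "com.example.video", 10083: "com.example.pay"}


def ipv4_to_proc_hex(ip: str) -> str:
    """Encode a dotted IPv4 address the way /proc/net/tcp prints it.

    The kernel prints the 32-bit address as %08X of the native-endian word,
    so on a little-endian host (arm, x86; assumed here) 10.0.0.2 is 0200000A.
    """
    return "%08X" % struct.unpack("<I", socket.inet_aton(ip))[0]


def ipv4_to_proc_hex_mapped(ip: str) -> str:
    """IPV4 -> IPV6 conversion before querying /proc/net/tcp6.

    An IPv4 peer shows up in tcp6 as the IPv4-mapped address ::ffff:a.b.c.d,
    whose four 32-bit words print as 00000000 00000000 FFFF0000 <ipv4 word>.
    """
    return "0000000000000000FFFF0000" + ipv4_to_proc_hex(ip)


def port_to_proc_hex(port: int) -> str:
    return "%04X" % port


def find_uid(proc_text: str, local_hex: str, port: int) -> Optional[int]:
    """Scan one proc table for the entry whose local endpoint matches."""
    target = f"{local_hex}:{port_to_proc_hex(port)}"
    for line in proc_text.splitlines():
        fields = line.split()
        # Data rows start with the slot number followed by ':'; the header does not.
        if len(fields) < 8 or not fields[0].endswith(":"):
            continue
        if fields[1] == target:
            return int(fields[7])  # uid column
    return None


def lookup_uid(tcp_text: str, tcp6_text: str, ip: str, port: int) -> Optional[int]:
    """Look in /proc/net/tcp first, then fall back to the mapped form in tcp6."""
    uid = find_uid(tcp_text, ipv4_to_proc_hex(ip), port)
    if uid is None:
        uid = find_uid(tcp6_text, ipv4_to_proc_hex_mapped(ip), port)
    return uid


def app_name_for_connection(ip: str, port: int,
                            tcp_text: str = SAMPLE_TCP,
                            tcp6_text: str = SAMPLE_TCP6) -> Optional[str]:
    """Full lookup: (address, port) -> UID (application identifier) -> application name."""
    uid = lookup_uid(tcp_text, tcp6_text, ip, port)
    return None if uid is None else UID_TO_APP.get(uid)


if __name__ == "__main__":
    # On a device the two tables would be read from the files themselves:
    # open("/proc/net/tcp").read() and open("/proc/net/tcp6").read().
    print(app_name_for_connection("10.0.0.2", 0xC2DE))  # found in tcp
    print(app_name_for_connection("10.0.0.2", 0xA3F2))  # found only in tcp6
```

The fallback to tcp6 matters in practice: an application that opened a dual-stack socket appears only in /proc/net/tcp6, with its IPv4 endpoint in the mapped form, so a lookup that stops at /proc/net/tcp would attribute the connection to nobody and the policy could not be applied.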

[0083] The query module 440 is adapted to query the pre-configuration file and obtain the configuration policy recorded in the pre-configuration file that corresponds to the application name. Specifically, the query module 440 queries the application name list of each configuration policy; if the application name list of a configuration policy contains the application name of the application initiating the network connection request, that configuration policy is determined to be the configuration policy corresponding to the application name.

[0084] The processing module 450 is adapted to process the network connection request according to the configuration policy. For example, if the application initiating the network connection request belongs to the application blacklist of firewall policy (1), the processing module 450 further determines whether the current network connection is a wireless mobile (for example 3G or 4G) connection and, if so, blocks the network connection request initiated by that application. If the application initiating the network connection request belongs to the application blacklist of firewall policy (2), the processing module 450 further determines whether the current connection is a wireless mobile connection and whether the application is a background program and, if both hold, blocks the network connection request initiated by that application. If the application initiating the network connection request belongs to the application blacklist of the encryption policy, the processing module 450 further determines whether the current connection is a wireless local area network (for example wifi) connection and, if so, encrypts the network connection request initiated by that application for accessing a payment page, improving the security of network access.

[0085] According to the client provided by the above embodiments of the present invention, a local service process, provided by creating a local VPN service inside the client, is used to process the network connections of applications: the application name of the application initiating the network connection request is obtained by querying a system file, the corresponding configuration policy is then obtained by querying the configuration file, and the network connection request is processed according to that configuration policy. On the one hand, because the operating system framework grants an application inside the VPN framework a higher degree of control over network connections, using the VPN framework allows the application of the present invention to control the network connections of other applications without obtaining root privileges, which solves the problem of delayed feedback results in the prior art. On the other hand, the above scheme of this embodiment is realised by the functionally independent application of the present invention, so there is no need to set configuration policies separately in each application: the configuration policies are set centrally through the configuration interface provided by the application of the present invention to form the pre-configuration file, and all applications in an application name list are processed with a uniform configuration policy, which is convenient for the user.
Further, by configuring the above firewall policies, certain applications can be prohibited from connecting to the network under wireless mobile networking such as 3G or 4G, so that these applications do not consume mobile data; this saves data and reduces the user's spending on data. Moreover, the user can manage and configure the data usage of other applications centrally through the application of the present invention, which is practical and convenient. By configuring the above encryption policy, access to payment pages by certain payment applications under wireless local area networking such as wifi can be encrypted, avoiding the property losses that leakage of the user's private information would cause and improving the security of network access.

[0086] The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the teachings herein. The structure required to construct such systems will be apparent from the above description. Furthermore, the present invention is not directed to any particular programming language. It should be understood that a variety of programming languages may be used to implement the content of the present invention described herein, and that the description made above for a specific language is intended to disclose the best mode of carrying out the present invention.

[0087] Numerous specific details are set forth in the description provided herein. However, it will be understood that embodiments of the present invention may be practised without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.

[0088] Similarly, it should be understood that, in order to streamline this disclosure and aid the understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the present invention the various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the present invention.

[0089] Those skilled in the art will understand that the modules in the devices of an embodiment may be adaptively changed and arranged in one or more devices different from those of the embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may furthermore be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, an equivalent or a similar purpose.

[0090] Furthermore, those skilled in the art will understand that although some embodiments described herein include certain features included in other embodiments but not other features, combinations of features of different embodiments are meant to be within the scope of the present invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.

[0091] The various component embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or a digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the client according to embodiments of the present invention. The present invention may also be implemented as a device or apparatus program (for example a computer program or computer program product) for performing part or all of the method described herein. Such a program implementing the present invention may be stored on a computer-readable medium or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.

[0092] It should be noted that the above embodiments illustrate rather than limit the present invention, and that those skilled in the art may devise alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not denote any order. These words may be interpreted as names.

[0093] The present invention discloses: A1. A method for implementing a root-authority-free networking firewall, comprising:

[0094] obtaining a network connection request and redirecting the network connection request to a local service process, the local service process being provided by a local VPN service;

[0095] obtaining, in the local service process, the application name of the application initiating the network connection request by querying a system file;

[0096] querying a pre-configuration file to obtain the configuration policy recorded in the pre-configuration file that corresponds to the application name;

[0097] processing the network connection request according to the configuration policy.

[0098] A2. The method according to A1, further comprising, before redirecting the network connection request to the local service process: parsing routing information out of the network connection request and determining whether the parsed routing information matches the information recorded in a routing table issued in advance;

[0099] wherein redirecting the network connection request to the local service process specifically comprises: if the determination result is a match, redirecting the network connection request to the local service process.

[0100] A3. The method according to A1 or A2, wherein obtaining the application name of the application initiating the network connection request by querying a system file further comprises:

[0101] calling a system interface for obtaining a peer address and port, to obtain the address and port corresponding to the network connection request;

[0102] querying the system file according to the address and port corresponding to the network connection request, to obtain the application identifier of the application initiating the network connection request;

[0103] calling, according to the application identifier, a system interface for obtaining an application name, to obtain the application name of the application initiating the network connection request.

[0104] A4. The method according to A3, wherein the system file comprises one or more of the following files: /proc/net/tcp; /proc/net/udp; /proc/net/tcp6.

[0105] A5. The method according to A4, further comprising, before querying the system file /proc/net/tcp6: converting the address and port from the IPV4 protocol to the IPV6 protocol.

[0106] A6. The method according to any one of A1 to A5, wherein the configuration policy comprises:

[0107] in the case of wireless mobile networking, blocking the network connection requests initiated by the applications corresponding to certain application names;

[0108] and/or, in the case of wireless mobile networking, prohibiting the applications corresponding to certain application names from accessing the network as background programs;

[0109] and/or, in the case of wireless local area networking, encrypting the network connection requests initiated by the applications corresponding to certain application names for accessing payment pages.

[0110] The present invention further discloses: B7. A client, comprising:

[0111] a redirection module adapted to obtain a network connection request and redirect the network connection request to a local service process, the local service process being provided by a local VPN service;

[0112] 应用名获取模块,适于在所述本地服务进程中,通过查询系统文件获得发起所述网络连接请求的应用的应用名; [0112] application name obtaining module, adapted to the local service in the process, obtain application name of the application to initiate a connection request to the network by querying the file system;

[0113] 查询模块,适于查询预配置文件,得到所述预配置文件中记录的与所述应用名对应的配置策略; [0113] Query module, adapted to query the pre-profile, to obtain the name of the application corresponding to the pre-allocation strategy record in the configuration file;

[0114] 处理模块,适于按照所述配置策略对所述网络连接请求进行处理。 [0114] The processing module, adapted in accordance with the configuration policy for the network connection request is processed.

[0115] B8、根据B7所述的客户端,还包括:判断模块,适于从所述网络连接请求中解析出路由信息,判断解析出的路由信息是否与预先下发的路由表中记录的信息相匹配; [0115] B8, according to the client B7, further comprising: a determining module adapted to parse a network connection request from the way the information, determines whether the parsed routing information issued previously recorded in the routing table matches the information;

[0116] 所述重定向模块进一步适于:若所述判断模块的判断结果为匹配,则将所述网络连接请求重定向至本地服务进程。 [0116] The redirection module is further adapted to: determining if the judgment result modules match, then the network connection request is redirected to the local service process.

[0117] B9、根据B7或B8所述的客户端,所述应用名获取模块包括: [0117] B9, B7 or client according to the B8, the application name obtaining module comprises:

[0118] 第一调用模块,适于调用用于获取地址和端口的系统接口,获取所述网络连接请求对应的地址和端口; [0118] a first call module, adapted to call the system interface for acquiring the address and port corresponding to the connection request acquires the network address and port;

[0119] 系统文件查询模块,适于根据所述网络连接请求对应的地址和端口查询系统文件,获得所述发起网络连接请求的应用的应用标识; [0119] The system file query module adapted for connection port corresponding to the request address and a file search system according to the network, identifying an application to obtain the application initiating a network connection request;

[0120] 第二调用模块,适于根据所述应用标识调用用于获取应用名的系统接口,获取所述发起网络连接请求的应用的应用名。 [0120] Second module call, the caller's identity is adapted according to the application system interface for acquiring application name, obtaining the application name of the application to initiate a network connection request.

[0121] B10、根据B9所述的客户端,所述系统文件查询模块进一步适于查询以下系统文件中的一个或多个:/proc/net/tcp ;/proc/net/udp ;/proc/net/tcp6〇 [0121] B10, B9 according to the client, the file system module is further adapted to query one or more of the following query in the file system: / proc / net / tcp; / proc / net / udp; / proc / net / tcp6〇

[0122] B11、根据B10所述的客户端,所述系统文件查询模块还适于:在查询系统文件/ proc/net/tcp6之前,将所述地址和端口由IPV4协议转换为IPV6协议。 [0122] B11, according to the client according to B10, the file system module is further adapted to query: before the query system file / proc / net / tcp6, the IPV4 address and port translation by the protocol IPV6 protocol.

[0123] B12、根据B7-B11任一项所述的客户端,预配置文件存储模块,用于存储所述预配置文件,所述预配置文件中记录的配置策略包含: [0123] B12, B7-B11 according to any one of the client, a pre-profile storage module for storing the pre-configuration files, the pre-configured policy profile record comprises:

[0124] 在无线移动网联网情况下,阻断一些应用名对应的应用发起的网络连接请求; [0124] In a wireless network the mobile network, the application initiates block some web application name corresponding to the connection request;

[0125] 和/或,在无线移动网联网情况下,禁止一些应用名对应的应用作为后台程序访问网络; [0125] and / or, in the case where the wireless mobile networking network, prohibiting certain application name corresponding to the application program to access the network as a background;

[0126] 和/或,在无线局域网联网情况下,对一些应用名对应的应用发起的用于访问支付页面的网络连接请求进行加密处理。 [0126] and / or, in the case where the wireless LAN network, for some applications, the application name corresponding to initiate payment page for accessing a network connection request is encrypted.

Claims (10)

1. A method for implementing a networking firewall without root privileges, comprising: obtaining a network connection request and redirecting the network connection request to a local service process, the local service process being provided by a local VPN service; in the local service process, obtaining the application name of the application that initiated the network connection request by querying a system file; querying a pre-configuration file to obtain the configuration policy recorded in the pre-configuration file that corresponds to the application name; and processing the network connection request according to the configuration policy.
2. The method of claim 1, further comprising, before redirecting the network connection request to the local service process: parsing routing information out of the network connection request and judging whether the parsed routing information matches the information recorded in a routing table delivered in advance; wherein redirecting the network connection request to the local service process specifically comprises: redirecting the network connection request to the local service process if the judgment result is a match.
3. The method of claim 1 or 2, wherein obtaining the application name of the application that initiated the network connection request by querying a system file further comprises: calling the system interface for obtaining the peer address and port, to obtain the address and port corresponding to the network connection request; querying the system file with the address and port corresponding to the network connection request, to obtain the application identifier of the application that initiated the network connection request; and calling, with the application identifier, the system interface for obtaining an application name, to obtain the application name of the application that initiated the network connection request.
4. The method of claim 3, wherein the system file comprises one or more of the following files: /proc/net/tcp; /proc/net/udp; /proc/net/tcp6.
5. The method of claim 4, further comprising, before querying the system file /proc/net/tcp6: converting the address and port from the IPv4 protocol to the IPv6 protocol.
6. The method of any one of claims 1 to 5, wherein the configuration policy comprises: when connected through a wireless mobile network, blocking network connection requests initiated by the applications corresponding to certain application names; and/or, when connected through a wireless mobile network, forbidding the applications corresponding to certain application names from accessing the network as background programs; and/or, when connected through a wireless local area network, encrypting the network connection requests initiated by the applications corresponding to certain application names for accessing a payment page.
7. A client, comprising: a redirection module, adapted to obtain a network connection request and redirect the network connection request to a local service process, the local service process being provided by a local VPN service; an application name obtaining module, adapted to obtain, in the local service process, the application name of the application that initiated the network connection request by querying a system file; a query module, adapted to query a pre-configuration file to obtain the configuration policy recorded in the pre-configuration file that corresponds to the application name; and a processing module, adapted to process the network connection request according to the configuration policy.
8. The client of claim 7, further comprising: a judging module, adapted to parse routing information out of the network connection request and judge whether the parsed routing information matches the information recorded in a routing table delivered in advance; the redirection module being further adapted to redirect the network connection request to the local service process if the judging module finds a match.
9. The client of claim 7 or 8, wherein the application name obtaining module comprises: a first calling module, adapted to call the system interface for obtaining an address and port, to obtain the address and port corresponding to the network connection request; a system file query module, adapted to query the system file with the address and port corresponding to the network connection request, to obtain the application identifier of the application that initiated the network connection request; and a second calling module, adapted to call, with the application identifier, the system interface for obtaining an application name, to obtain the application name of the application that initiated the network connection request.
10. The client of claim 9, wherein the system file query module is further adapted to query one or more of the following system files: /proc/net/tcp; /proc/net/udp; /proc/net/tcp6.
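The lookup chain of claims 3 to 5 (packet source address and port, then the owning UID from /proc/net/tcp, /proc/net/udp or /proc/net/tcp6, then the application name) and the policy decision of claim 6, as an added, self-contained Python example. It is not code from the patent or from the applicant. Everything it assumes is hypothetical: the VPN tun interface holds the address 10.0.0.2, the three /proc/net tables are constructed samples, the UID_TO_PACKAGE table stands in for the Android PackageManager.getNameForUid() call that a real client would make, and the host is little-endian (true of all Android targets), which is why the kernel's %08X printing of each 32-bit address word reverses the byte order in those files.

```python
"""Resolve the app behind a VPN-captured connection and apply a per-app policy.

Added example, not the patent's code.  Assumptions (all hypothetical):
- the VpnService tun interface was given the address 10.0.0.2, so every
  captured packet's source address:port is the local socket of some app;
- the /proc/net/{tcp,udp,tcp6} contents below are constructed samples;
- UID_TO_PACKAGE stands in for PackageManager.getNameForUid() on a device;
- the host is little-endian, which is why the kernel's %08X formatting of
  each 32-bit address word shows the bytes reversed.
"""
import socket
import struct


def proc_hex_ipv4(ip: str) -> str:
    """Dotted IPv4 -> the 8-hex-digit local_address form used by /proc/net/tcp|udp.
    10.0.0.2 (bytes 0a 00 00 02) is read as one little-endian word -> '0200000A'."""
    (word,) = struct.unpack("<I", socket.inet_aton(ip))
    return f"{word:08X}"


def proc_hex_ipv4_mapped_v6(ip: str) -> str:
    """The IPv4 -> IPv6 conversion of claim 5: an app that reaches an IPv4 peer
    through an AF_INET6 socket is listed only in /proc/net/tcp6, as ::ffff:a.b.c.d,
    with each of the four 32-bit words printed little-endian (0000ffff -> 'FFFF0000')."""
    packed = socket.inet_pton(socket.AF_INET6, "::ffff:" + ip)
    return "".join(f"{w:08X}" for w in struct.unpack("<4I", packed))


def find_uid(proc_table: str, local_hex: str, local_port: int):
    """Scan one /proc/net table for a socket bound to local_hex:port; return its UID.
    Column 8 (index 7) is the owning UID.  A socket bound to the wildcard address
    (common for UDP senders) is accepted as a fallback when only the port matches."""
    port_hex = f"{local_port:04X}"
    wildcard = "0" * len(local_hex)
    fallback = None
    for line in proc_table.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 8:
            continue
        addr, _, port = fields[1].partition(":")
        if port != port_hex:
            continue
        if addr == local_hex:
            return int(fields[7])
        if addr == wildcard:
            fallback = int(fields[7])
    return fallback


# Constructed /proc/net samples: 10.0.0.2:50000 (tcp) owned by uid 10087,
# 10.0.0.2:50001 visible only in tcp6 as an IPv4-mapped address (uid 10123),
# and a UDP DNS socket bound to 0.0.0.0:53 (uid 10087).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0200000A:C350 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000 10087        0 41234 1 0000000000000000 20 4 30 10 -1
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
"""
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0000000000000000FFFF00000200000A:C351 0000000000000000FFFF00008C52720A:01BB 01 00000000:00000000 00:00000000 00000000 10123        0 51234 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000 10087        0 61234 2 0000000000000000 0
"""
PROC_FILES = {"tcp": SAMPLE_TCP, "udp": SAMPLE_UDP, "tcp6": SAMPLE_TCP6}
UID_TO_PACKAGE = {1000: "android", 10087: "com.example.game", 10123: "com.example.shop"}


def lookup_app(src_ip: str, src_port: int, proto: str = "tcp",
               proc_files=PROC_FILES, uid_to_pkg=UID_TO_PACKAGE):
    """Claim 3 end to end: packet source addr/port -> UID via /proc -> package name.
    Returns (uid, package); (None, None) when no socket matches."""
    candidates = [(proto, proc_hex_ipv4(src_ip))]
    if proto == "tcp":                               # claim 5: retry in tcp6 as ::ffff:v4
        candidates.append(("tcp6", proc_hex_ipv4_mapped_v6(src_ip)))
    for table, local_hex in candidates:
        uid = find_uid(proc_files[table], local_hex, src_port)
        if uid is not None:
            return uid, uid_to_pkg.get(uid)
    return None, None


# Constructed pre-configuration file with the three policy kinds of claim 6.
POLICY = {
    "com.example.game": {"mobile": "block"},
    "com.example.sync": {"mobile_background": "block"},
    "com.example.shop": {"wifi_payment": "encrypt"},
}


def decide(package: str, network: str, background: bool, payment_page: bool) -> str:
    """Map (app, network type, foreground state, request kind) to block/encrypt/allow."""
    rules = POLICY.get(package, {})
    if network == "mobile" and rules.get("mobile") == "block":
        return "block"
    if network == "mobile" and background and rules.get("mobile_background") == "block":
        return "block"
    if network == "wifi" and payment_page and rules.get("wifi_payment") == "encrypt":
        return "encrypt"
    return "allow"


if __name__ == "__main__":
    uid, pkg = lookup_app("10.0.0.2", 50001)
    print(uid, pkg, decide(pkg, "wifi", background=False, payment_page=True))
```

Two checks a practitioner would add on a real device: the UID is only resolvable while the socket still exists, so the lookup must run on the first captured packet of a flow rather than later; and a UID shared by several packages (a sharedUserId) maps to more than one name, so the policy should be keyed on every package the UID returns. Note also that from Android 10 onward ordinary apps can no longer read /proc/net, and the active VPN app is expected to use ConnectivityManager.getConnectionOwnerUid() for the same address-and-port-to-UID step instead.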
CN201410334918.XA 2014-07-15 2014-07-15 Implementation method for implementing root-authority-free networking firewall and client-side CN104092691A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410334918.XA CN104092691A (en) 2014-07-15 2014-07-15 Implementation method for implementing root-authority-free networking firewall and client-side

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410334918.XA CN104092691A (en) 2014-07-15 2014-07-15 Implementation method for implementing root-authority-free networking firewall and client-side

Publications (1)

Publication Number Publication Date
CN104092691A true CN104092691A (en) 2014-10-08

Family

ID=51640372

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410334918.XA CN104092691A (en) 2014-07-15 2014-07-15 Implementation method for implementing root-authority-free networking firewall and client-side

Country Status (1)

Country Link
CN (1) CN104092691A (en)

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101610264A (en) * 2009-07-24 2009-12-23 深圳市永达电子股份有限公司 Firewall system, safety service platform and firewall system management method
CN102333075A (en) * 2010-06-30 2012-01-25 丛林网络公司 Vpn network client for mobile device having fast reconnect
CN102333306A (en) * 2010-06-30 2012-01-25 丛林网络公司 Multi-service vpn network client for mobile device having integrated acceleration
CN102355667A (en) * 2011-06-30 2012-02-15 北京邮电大学 Method and system for controlling network connection of application programs in mobile intelligent terminal system
US20120254353A1 (en) * 2011-03-31 2012-10-04 Hitachi, Ltd. Network system, machine allocation device and machine allocation method
US8363658B1 (en) * 2008-11-13 2013-01-29 Sprint Communications Company L.P. Dynamic firewall and dynamic host configuration protocol configuration
CN102929613A (en) * 2012-10-16 2013-02-13 无锡江南计算技术研究所 Adjusting and optimizing device and method for operating system
CN103281288A (en) * 2013-02-05 2013-09-04 武汉安天信息技术有限责任公司 Mobile phone firewall system and mobile phone firewall method
CN103384250A (en) * 2006-08-03 2013-11-06 思杰系统有限公司 Systems and methods for application-based interception and authorization of ssl/vpn traffic
CN103840994A (en) * 2012-11-23 2014-06-04 华耀(中国)科技有限公司 System and method for user side to access intranet through VPN
CN105453097A (en) * 2013-05-31 2016-03-30 微软技术许可有限责任公司 Restricted driver platform runs drivers in sandbox in user mode

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104363247A (en) * 2014-11-28 2015-02-18 北京奇虎科技有限公司 Flow saving method and device adopting saving-free application
CN104468269A (en) * 2014-12-01 2015-03-25 郭丹 Directional traffic monitoring method based on Android terminal device
CN104468269B (en) * 2014-12-01 2018-02-13 郭丹 Directional flow regulation method based on a terminal device Android
CN105530255A (en) * 2015-12-16 2016-04-27 网宿科技股份有限公司 Method and device for verifying request data
CN105530255B (en) * 2015-12-16 2019-03-29 网宿科技股份有限公司 The method and device of checking request data
CN105635178A (en) * 2016-02-26 2016-06-01 北京奇虎科技有限公司 Blocking network access method and device for ensuring safety
CN105635178B (en) * 2016-02-26 2018-06-22 北京奇虎科技有限公司 To ensure the safety of blocking network access method and device
CN105592105B (en) * 2016-02-26 2018-12-25 北京奇虎科技有限公司 Guarantee the asynchronous system Network Access Method and device of safety
CN105592105A (en) * 2016-02-26 2016-05-18 北京奇虎科技有限公司 Safety-guaranteed asynchronous network access method and safety-guaranteed asynchronous network access device
CN106101077A (en) * 2016-05-31 2016-11-09 宇龙计算机通信科技(深圳)有限公司 Method and apparatus for limiting application to access network

Similar Documents

Publication Publication Date Title
CN102333306B (en) Multi-service vpn network client for mobile device having integrated acceleration
CN102316093B (en) Dual-Mode Multi-Service VPN Network Client for Mobile Device
CN102316094B (en) Multi-service VPN network client for mobile device having integrated acceleration
US8363650B2 (en) Method and systems for routing packets from a gateway to an endpoint
CN102334311B (en) Redirection of secure data connection requests
US9537830B2 (en) System and method to provide built-in and mobile VPN connectivity
US20160087933A1 (en) Techniques for the deployment and management of network connected devices
US6892225B1 (en) Agent system for a secure remote access system
CN103001999B (en) Private cloud server for public cloud networks, intelligent client device and method
JP4734592B2 (en) Secure access provides a method and system of the client redirected to a private network
CN1972297B (en) Computerized system and method for policy-based content filtering
US8918841B2 (en) Hardware interface access control for mobile applications
KR101662614B1 (en) Encrypted data inspection in a network environment
US7464408B1 (en) Damage containment by translation
JP5509334B2 (en) And methods for managing access to protected resources in a computer network, the physical entity and a computer program therefor
CN102316092B (en) VPN network client for mobile device having fast reconnect
JP2002215478A (en) Fire wall service supply method
CN102340400A (en) Method and apparatus for bearer and server independent parental control of a smartphone, using a second smartphone
JPH11168510A (en) Packet verification method
JPH11168511A (en) Packet authentication method
US20070174454A1 (en) Method and apparatus for accessing Web services and URL resources for both primary and shared users over a reverse tunnel mechanism
CN102333110A (en) Vpn network client for mobile device having fast reconnect
CN1874307A (en) System and method for autonomically configurable router
KR20050001397A (en) Method of assisting an application to traverse a firewall
CN104283843B (en) A method for user login, apparatus and system for

Legal Events

Date Code Title Description
C06 Publication
C10 Entry into substantive examination
RJ01