CN105491020A - Method for realizing restriction of program in operating system of intelligent device on access of IP (Internet Protocol) address - Google Patents
- Publication number: CN105491020A
- Authority: CN (China)
- Prior art keywords: address, program, access, operating system, virtual machine
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
Abstract
The invention relates to a method for restricting the IP (Internet Protocol) addresses that a program running in the operating system of an intelligent device may access. The method comprises the following steps: creating a virtual-machine container for a program that is to be started in the operating system of the intelligent device; setting, in the virtual-machine container, the IP addresses that the program is allowed to access; starting the program and running it inside the virtual-machine container; and controlling, through the operating system of the intelligent device, the IP addresses that the program accesses. The method provides the user with a new protection mechanism: if an APP (application) collects user data and attempts to upload it to its own server, the method can restrict the APP's network access so that it cannot communicate with any domain name or IP address the user has not approved. It also provides a more flexible restriction mechanism, granting the APP access to only certain network addresses, so that even if the APP is malware it cannot damage the system, and it has a wider range of application.
Description
Technical field
The present invention relates to the field of networking technology, in particular to operating-system technology for intelligent devices, and specifically to a method for restricting the IP addresses that a program in the operating system of an intelligent device may access.
Background technology
Smart phones, intelligent routers and gateways allow third-party APP or plug-in developers to publish their own applications, and private user data may be collected by a developer without the user's knowledge. Current intelligent-device operating systems such as iOS and Android provide a sandbox mechanism and a permission-management system that the user can see: when an APP accesses personal information such as contacts, photos, Bluetooth devices or location services, the decision whether to grant access is left entirely to the user. In the prior art, however, Android APP permission management can only restrict whether an APP may access the network at all; it cannot manage any finer-grained permission.
Summary of the invention
The object of the invention is to overcome the above shortcoming of the prior art by providing a method for restricting the IP addresses that a program in the operating system of an intelligent device may access. The method can restrict a mobile-phone APP or router plug-in from accessing domain names or IP addresses that the user has refused, allows the APP or plug-in to run in a container resembling a virtual machine, and, by extending the container, lets the APP or plug-in perform all the functions it would perform if it ran directly on the host system.
To achieve this object, the method of the present invention for restricting the IP addresses that a program in the operating system of an intelligent device may access is constituted as follows.
The main feature of the method is that it comprises the following steps:
(1) creating a virtual-machine container for a program that is to be started in the operating system of the intelligent device;
(2) setting, in the virtual-machine container, the IP addresses that the program is allowed to access;
(3) starting the program and making it run in the virtual-machine container;
(4) controlling, through the operating system of the intelligent device, the IP addresses accessed by the program.
Preferably, step (1) comprises the following steps:
(1-1) creating a one-to-one virtual-machine container for the program that is to be started in the operating system of the intelligent device;
(1-2) creating a virtual network interface for the virtual-machine container;
(1-3) assigning an IP address to the virtual network interface.
More preferably, creating the virtual network interface for the virtual-machine container specifically comprises:
selecting the VETH, HOST or MACVLAN networking mode for the virtual-machine container and creating the corresponding virtual network interface.
Preferably, the program is an APP or a plug-in.
Preferably, controlling, through the operating system of the intelligent device, the IP addresses accessed by the program comprises controlling the program's access to external IP addresses and controlling mutual access between two programs.
More preferably, controlling the program's access to external IP addresses comprises the following steps:
(4-A-1) mapping a port of the external IP address, by network address translation, to the virtual-machine container corresponding to the program;
(4-A-2) the program making its network connection through the port of the mapped IP address.
More preferably, controlling mutual access between two programs comprises the following steps:
(4-B-1) creating, for each program, a daemon that listens on a known IP address;
(4-B-2) when the daemon detects a program connecting, forwarding the connection to the IP address and port corresponding to the virtual-machine container in which the plug-in providing the service resides.
Adopting the method of the present invention for restricting the IP addresses that a program in the operating system of an intelligent device may access has the following beneficial effects:
(1) the patent provides the user with a new protection mechanism: if an APP collects user data and attempts to upload it to its own server, the method can restrict the APP's network access so that it cannot communicate with any domain name or IP address the user has not approved;
(2) the method provides a more flexible restriction scheme, granting the APP access to only certain network addresses, so that even if the APP is malware it cannot damage the system, and it has a wider range of application.
Description of the drawings
Fig. 1 is an architecture diagram of a system built with the method of the present invention for restricting the IP addresses that a program in the operating system of an intelligent device may access.
Fig. 2 is a network topology diagram of a system built with the method of the present invention.
Fig. 3 is a schematic diagram of the interaction between two programs according to the present invention.
Embodiment
To describe the technical content of the present invention more clearly, it is further described below with reference to specific embodiments.
The present invention relates to a mechanism for restricting a mobile-phone APP or router plug-in from accessing domain names or IP addresses that the user has refused, and provides a solution: the APP or plug-in is allowed to run in a container resembling a virtual machine, and by extending the container the APP or plug-in can perform all the functions it would perform if it ran directly on the host system. The advantage is that an APP or plug-in running in the background is prevented from collecting the user's private data and uploading it to a server the user knows nothing about; the program may access only domain names or IP addresses approved by the user. This improves the security of router and gateway products.
To achieve this object, the method for restricting the IP addresses that a program in the operating system of an intelligent device may access comprises the following steps:
(1) creating a virtual-machine container for a program that is to be started in the operating system of the intelligent device;
(2) setting, in the virtual-machine container, the IP addresses that the program is allowed to access;
(3) starting the program and making it run in the virtual-machine container;
(4) controlling, through the operating system of the intelligent device, the IP addresses accessed by the program.
In a preferred embodiment, step (1) comprises the following steps:
(1-1) creating a one-to-one virtual-machine container for the program that is to be started in the operating system of the intelligent device;
(1-2) creating a virtual network interface for the virtual-machine container;
(1-3) assigning an IP address to the virtual network interface.
In a more preferred embodiment, creating the virtual network interface for the virtual-machine container specifically comprises:
selecting the VETH, HOST or MACVLAN networking mode for the virtual-machine container and creating the corresponding virtual network interface.
In a preferred embodiment, the program is an APP or a plug-in.
In a preferred embodiment, controlling, through the operating system of the intelligent device, the IP addresses accessed by the program comprises controlling the program's access to external IP addresses and controlling mutual access between two programs.
In a more preferred embodiment, controlling the program's access to external IP addresses comprises the following steps:
(4-A-1) mapping a port of the external IP address, by network address translation, to the virtual-machine container corresponding to the program;
(4-A-2) the program making its network connection through the port of the mapped IP address.
In a more preferred embodiment, controlling mutual access between two programs comprises the following steps:
(4-B-1) creating, for each program, a daemon that listens on a known IP address;
(4-B-2) when the daemon detects a program connecting, forwarding the connection to the IP address and port corresponding to the virtual-machine container in which the plug-in providing the service resides.
In a practical application of the present invention, the detailed process is as follows.
When an APP is started, a namespace is created first and the APP is started inside that namespace.
A namespace can be created by calling the clone function with the CLONE_NEWNS parameter.
As shown in Fig. 1, SMD is the hypervisor, the plug-ins whose suffix is cpk all run inside namespaces, and a namespace is a lightweight virtual machine.
An APP or plug-in may communicate with the outside world, may act as a service and accept access requests from external programs, and two APPs in the same system may communicate with each other, so the following problems must be solved:
1. Each namespace has an independent IP address.
2. Devices on the LAN, such as a smart phone or another computer, can communicate with the plug-in running in a namespace.
3. The IP address of each namespace is assigned randomly, so for the plug-ins in two namespaces to communicate, each must know the IP address of the other namespace.
To solve problem 1, a virtual network interface must be created for the namespace and an IP address assigned to it. Namespace networking can use three modes: VETH, HOST and MACVLAN, and MACVLAN can in turn operate in three modes.
Selecting VETH lets the network interface created for the namespace have the same MAC address as the HOST network interface. This solves the problem of plug-ins such as the Xunlei (Thunder) plug-in that use the MAC address as a parameter for authorization.
The namespace in which each APP or plug-in resides has its own IP address, so the network topology is as shown in Fig. 2.
Except for the mobile-phone APP, which is an independent physical device, the GateWay and all the namespaces in the figure run in one operating system on one physical device, and a namespace can be regarded as a virtual machine. The GateWay is the host. This solves the problem of each APP communicating with the outside world.
For problem 2, take the Xunlei mobile-phone APP as an example: the Xunlei CPK plug-in that it connects to on the gateway could previously be reached on port 9000 of 192.168.1.1. Because the modified architecture runs the Xunlei plug-in in a namespace, which has its own subnet relative to the mobile-phone APP, 192.168.1.1:9000 must now be mapped to namespaceIP:9000 by NAT in the PREROUTING chain. This can be implemented with an iptables rule.
A plug-in accessing the wide-area network needs no modification: its packets go out through NAT, so the plug-in is equivalent to a computer on the local area network (LAN), and NAT performs the address translation automatically through port mapping.
The third problem above is interconnection between plug-ins: CPK plug-ins and OSGI plug-ins sometimes need to interconnect. In the original architecture the client plug-in connected directly to the server plug-in through the loopback address 127.0.0.1. The new architecture places different plug-ins in different namespaces, and neither side knows the other's IP address.
A daemon is created for each namespace to listen on a fixed, known IP address, such as a certain port of 192.168.1.1. When it detects a plug-in connecting, this process is responsible for forwarding the connection to the IP address and port corresponding to the namespace in which the plug-in providing the service resides. Both plug-ins run on the gateway and need to cooperate: one provides a service and the other uses it. This is equivalent to inter-process communication between two processes running simultaneously in one operating system.
Tcppmproc is the plug-in forwarding process and must run on the host. One namespace may correspond to multiple port-forwarding processes, and one port-forwarding process may listen on or forward to multiple ports. The distinct private address and port of each namespace correspond to the host address and a certain port.
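The fixed-address forwarding daemon of step (4-B) and the Tcppmproc process described above, as an added example in Python that is not the patent's code: the client plug-in dials only the daemon's known port, and the daemon relays the connection into the serving plug-in's namespace, dropping the client cleanly if that namespace is unreachable. Addresses are constructed and the demo stays on loopback so it runs without real namespaces.

```python
"""Fixed-address forwarding daemon for plug-in-to-plug-in connections.

Added example, not the patent's tcppmproc.  Realises (4-B-1)/(4-B-2): the
daemon listens on a fixed, known host port; each incoming connection is
relayed to the (randomly assigned) namespace address of the serving plug-in,
so neither plug-in needs to know the other's address.  Addresses are
constructed; the demo uses loopback so it runs without real namespaces.
"""
import asyncio
from functools import partial
from typing import Dict, List, Tuple


async def _pump(reader, writer):
    """Copy bytes one way; on EOF half-close the destination so replies still flow."""
    while True:
        data = await reader.read(65536)
        if not data:
            break
        writer.write(data)
        await writer.drain()
    if writer.can_write_eof():
        writer.write_eof()


class Forwarder:
    """Listens on fixed host ports and relays each connection into a namespace."""

    def __init__(self, listen_host: str, routes: Dict[int, Tuple[str, int]]):
        self.listen_host, self.routes = listen_host, routes  # listen port -> (ns ip, port)
        self._servers: List[asyncio.AbstractServer] = []

    async def _handle(self, target: Tuple[str, int], c_reader, c_writer):
        try:
            s_reader, s_writer = await asyncio.open_connection(*target)
        except OSError:          # serving plug-in's namespace is down: drop the client
            c_writer.close()
            return
        try:
            await asyncio.gather(_pump(c_reader, s_writer), _pump(s_reader, c_writer))
        finally:
            s_writer.close()
            c_writer.close()

    async def start(self):
        for port, target in self.routes.items():
            self._servers.append(await asyncio.start_server(
                partial(self._handle, target), self.listen_host, port))

    def bound_ports(self) -> List[int]:
        return [s.sockets[0].getsockname()[1] for s in self._servers]

    async def stop(self):
        for s in self._servers:
            s.close()
            await s.wait_closed()


async def _serving_plugin(reader, writer):
    """Stand-in for the CPK plug-in in its namespace: tag and echo one request."""
    writer.write(b"cpk:" + await reader.read(65536))
    await writer.drain()
    writer.close()


async def _demo() -> bytes:
    svc = await asyncio.start_server(_serving_plugin, "127.0.0.1", 0)
    svc_port = svc.sockets[0].getsockname()[1]
    fwd = Forwarder("127.0.0.1", {0: ("127.0.0.1", svc_port)})   # 0 = any free port
    await fwd.start()
    # The client plug-in dials only the daemon's fixed port, never svc_port.
    reader, writer = await asyncio.open_connection("127.0.0.1", fwd.bound_ports()[0])
    writer.write(b"hello")
    await writer.drain()
    writer.write_eof()
    reply = await reader.read()          # until the relay half-closes our side
    writer.close()
    await fwd.stop()
    svc.close()
    await svc.wait_closed()
    return reply


def run_demo() -> bytes:
    """Round-trip one request through the daemon; returns b'cpk:hello'."""
    return asyncio.run(_demo())
```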
Restriction of network access is implemented with iptables rules on the network interface created for problem 1, which control the IP addresses that each namespace may access. All processes in a namespace are subject only to that namespace's access rules.
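An added example in Python (not the patent's code) of the namespace networking of problem 1, the PREROUTING NAT mapping of 192.168.1.1:9000 from problem 2, and the per-namespace iptables access rule just described; interface names, addresses and the `veth` subnet are constructed. Note that the separate network stack this relies on is what `ip netns add` creates (the CLONE_NEWNET flag); the CLONE_NEWNS flag named in the text by itself gives a new mount namespace rather than a new set of network interfaces.

```python
"""Network namespace setup and IP whitelist for one sandboxed plug-in.

Added example, not the patent's code.  It plans the ip(8)/iptables(8)
commands for steps (1-1)..(1-3), the DNAT of (4-A-1) and the per-namespace
access rule: a veth pair into a fresh network namespace, an address on the
namespace side, a PREROUTING DNAT from the gateway's fixed address/port to
the namespace, a FORWARD whitelist that drops every destination the user
has not approved, and MASQUERADE for the approved ones.  Constructed values.
"""
import ipaddress
import subprocess
import sys
from typing import List

Cmd = List[str]


def plan_namespace(name: str, ns_ip: str, allowed: List[str],
                   gw_ip: str = "192.168.1.1", wan_if: str = "eth0",
                   service_port: int = 9000) -> List[Cmd]:
    """Return, in order, the commands that wire up and fence one namespace."""
    iface = ipaddress.ip_interface(f"{ns_ip}/24")          # also validates ns_ip
    host_ip = str(iface.network.network_address + 1)        # host end of the veth
    if host_ip == ns_ip:
        raise ValueError("namespace address collides with the host-side address")
    nets = [str(ipaddress.ip_network(a, strict=False)) for a in allowed]
    host_if, ns_if = f"veth-{name}", f"veth-{name}-ns"      # (1-2) the veth pair
    cmds: List[Cmd] = [
        ["ip", "netns", "add", name],                                      # (1-1)
        ["ip", "link", "add", host_if, "type", "veth", "peer", "name", ns_if],
        ["ip", "link", "set", ns_if, "netns", name],
        ["ip", "addr", "add", f"{host_ip}/24", "dev", host_if],
        ["ip", "link", "set", host_if, "up"],
        ["ip", "-n", name, "addr", "add", f"{ns_ip}/24", "dev", ns_if],    # (1-3)
        ["ip", "-n", name, "link", "set", ns_if, "up"],
        ["ip", "-n", name, "link", "set", "lo", "up"],
        ["ip", "-n", name, "route", "add", "default", "via", host_ip],
        # (4-A-1): LAN clients keep dialling gw_ip:service_port; DNAT in
        # PREROUTING steers that flow into the plug-in's namespace.
        ["iptables", "-t", "nat", "-A", "PREROUTING", "-d", gw_ip, "-p", "tcp",
         "--dport", str(service_port), "-j", "DNAT",
         "--to-destination", f"{ns_ip}:{service_port}"],
        ["iptables", "-A", "FORWARD", "-o", host_if, "-d", ns_ip, "-p", "tcp",
         "--dport", str(service_port), "-j", "ACCEPT"],
        # Replies to flows the namespace itself opened are always let back in.
        ["iptables", "-A", "FORWARD", "-o", host_if, "-m", "conntrack",
         "--ctstate", "ESTABLISHED,RELATED", "-j", "ACCEPT"],
    ]
    # Egress whitelist: only user-approved destinations, then an explicit DROP,
    # so every process in this namespace is bound by the same rule set.
    for net in nets:
        cmds.append(["iptables", "-A", "FORWARD", "-i", host_if, "-d", net, "-j", "ACCEPT"])
    cmds.append(["iptables", "-A", "FORWARD", "-i", host_if, "-j", "DROP"])
    cmds.append(["iptables", "-t", "nat", "-A", "POSTROUTING", "-s", ns_ip,
                 "-o", wan_if, "-j", "MASQUERADE"])
    return cmds


def egress_allowed(cmds: List[Cmd], dst: str) -> bool:
    """Evaluate the namespace's egress rules the way iptables does: first match wins."""
    target = ipaddress.ip_address(dst)
    for c in cmds:
        if c[:3] != ["iptables", "-A", "FORWARD"] or "-i" not in c:
            continue                                        # not an egress rule
        if "-d" not in c:
            return c[-1] == "ACCEPT"                         # the catch-all DROP
        if target in ipaddress.ip_network(c[c.index("-d") + 1]):
            return c[-1] == "ACCEPT"
    return False


def apply(cmds: List[Cmd]) -> None:
    """Execute the plan on the gateway (needs root / CAP_NET_ADMIN)."""
    for c in cmds:
        subprocess.run(c, check=True)


if __name__ == "__main__":
    plan = plan_namespace("xunlei", "10.200.1.2", ["203.0.113.10", "198.51.100.0/24"])
    apply(plan) if "--apply" in sys.argv else print("\n".join(" ".join(c) for c in plan))
```

Run without arguments to print the plan; `--apply` executes it on a Linux gateway as root.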
Adopting the method of the present invention for restricting the IP addresses that a program in the operating system of an intelligent device may access has the following beneficial effects:
(1) the patent provides the user with a new protection mechanism: if an APP collects user data and attempts to upload it to its own server, the method can restrict the APP's network access so that it cannot communicate with any domain name or IP address the user has not approved;
(2) the method provides a more flexible restriction scheme, granting the APP access to only certain network addresses, so that even if the APP is malware it cannot damage the system, and it has a wider range of application.
In this specification the invention has been described with reference to specific embodiments. Various modifications and variations may obviously be made without departing from the spirit and scope of the invention. The specification and drawings are therefore to be regarded as illustrative rather than restrictive.
Claims (7)
1. A method for restricting the IP addresses that a program in the operating system of an intelligent device may access, characterized in that the method comprises the following steps:
(1) creating a virtual-machine container for a program that is to be started in the operating system of the intelligent device;
(2) setting, in the virtual-machine container, the IP addresses that the program is allowed to access;
(3) starting the program and making it run in the virtual-machine container;
(4) controlling, through the operating system of the intelligent device, the IP addresses accessed by the program.
2. The method according to claim 1, characterized in that step (1) comprises the following steps:
(1-1) creating a one-to-one virtual-machine container for the program that is to be started in the operating system of the intelligent device;
(1-2) creating a virtual network interface for the virtual-machine container;
(1-3) assigning an IP address to the virtual network interface.
3. The method according to claim 2, characterized in that creating the virtual network interface for the virtual-machine container specifically comprises:
selecting the VETH, HOST or MACVLAN networking mode for the virtual-machine container and creating the corresponding virtual network interface.
4. The method according to claim 1, characterized in that the program is an APP or a plug-in.
5. The method according to claim 1, characterized in that controlling, through the operating system of the intelligent device, the IP addresses accessed by the program comprises controlling the program's access to external IP addresses and controlling mutual access between two programs.
6. The method according to claim 5, characterized in that controlling the program's access to external IP addresses comprises the following steps:
(4-A-1) mapping a port of the external IP address, by network address translation, to the virtual-machine container corresponding to the program;
(4-A-2) the program making its network connection through the port of the mapped IP address.
7. The method according to claim 5, characterized in that controlling mutual access between two programs comprises the following steps:
(4-B-1) creating, for each program, a daemon that listens on a known IP address;
(4-B-2) when the daemon detects a program connecting, forwarding the connection to the IP address and port corresponding to the virtual-machine container in which the plug-in providing the service resides.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510822785.5A CN105491020B (en) | 2015-11-24 | 2015-11-24 | The method for realizing routine access IP address limitation in the operating system of smart machine |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105491020A true CN105491020A (en) | 2016-04-13 |
CN105491020B CN105491020B (en) | 2019-01-29 |
Family ID: 55677737
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510822785.5A Active CN105491020B (en) | 2015-11-24 | 2015-11-24 | The method for realizing routine access IP address limitation in the operating system of smart machine |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105491020B (en) |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040015966A1 (en) * | 2002-07-16 | 2004-01-22 | Macchiano Angelo | Virtual machine operating system LAN |
CN101369979A (en) * | 2008-09-17 | 2009-02-18 | 北京中星微电子有限公司 | Communication method, apparatus and system for network camera and user terminal |
CN102571698A (en) * | 2010-12-17 | 2012-07-11 | 中国移动通信集团公司 | Access authority control method, system and device for virtual machine |
CN102710814A (en) * | 2012-06-21 | 2012-10-03 | 奇智软件(北京)有限公司 | Method and device for controlling Internet protocol (IP) address of virtual machine |
CN104270317A (en) * | 2014-09-12 | 2015-01-07 | 普联技术有限公司 | Control method and system for operating application program on router and router |
US20150033324A1 (en) * | 2011-11-22 | 2015-01-29 | Vmware, Inc. | Method and system for vpn isolation using network namespaces |
CN104410724A (en) * | 2014-12-23 | 2015-03-11 | 上海市共进通信技术有限公司 | Method for realizing device type recognition in intelligent gateway based on HTTP protocol |
CN104468568A (en) * | 2014-12-05 | 2015-03-25 | 国云科技股份有限公司 | Virtual machine security isolation method |
CN104601428A (en) * | 2014-12-23 | 2015-05-06 | 广州亦云信息技术有限公司 | Communication method of virtual machines |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108737584A (en) * | 2017-04-19 | 2018-11-02 | 中国移动通信集团山西有限公司 | The access method of container service, the analytic method of network address, device and system |
CN110704155A (en) * | 2018-07-09 | 2020-01-17 | 阿里巴巴集团控股有限公司 | Container network construction method and device, physical host and data transmission method |
CN110704155B (en) * | 2018-07-09 | 2023-03-17 | 阿里巴巴集团控股有限公司 | Container network construction method and device, physical host and data transmission method |
Also Published As
Publication number | Publication date |
---|---|
CN105491020B (en) | 2019-01-29 |
Legal Events
Date | Code | Title | Description
---|---|---|---
 | C06 | Publication | 
 | PB01 | Publication | 
 | C10 | Entry into substantive examination | 
 | SE01 | Entry into force of request for substantive examination | 
 | GR01 | Patent grant | 
 | GR01 | Patent grant | 