CN105491020B - Method for restricting program IP-address access in the operating system of a smart device - Google Patents


Info

Publication number: CN105491020B
Application number: CN201510822785.5A
Authority: CN (China)
Prior art keywords: address, operating system, smart machine, program, access
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN105491020A
Inventor: 孟晶石
Current assignee: Shanghai Gongjin Communication Technology Co Ltd
Original assignee: Shanghai Gongjin Communication Technology Co Ltd
Application filed by: Shanghai Gongjin Communication Technology Co Ltd
Priority to: CN201510822785.5A
Publications: CN105491020A (application), CN105491020B (granted patent)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The present invention relates to a method for restricting the IP addresses a program may access in the operating system of a smart device. The method comprises: creating a virtual-machine container for a program that is to be started in the operating system of the smart device; setting the IP addresses that may be accessed from within the virtual-machine container; starting the program and running it inside the virtual-machine container; and controlling, through the operating system of the smart device, the IP addresses the program accesses. This method gives the user a new protection mechanism: if an APP collects user data and wants to upload it to its own server, the method can restrict the APP's network access so that it cannot communicate with domain names or IP addresses the user has not approved. The method also offers a more flexible restriction scheme that grants the APP access only to certain network addresses, so that even if the APP is malware, the damage it can do to the system cannot spread any wider.

Description

Method for restricting program IP-address access in the operating system of a smart device
Technical field
The present invention relates to the field of operating-system technology, in particular to the field of network technology, and more particularly to a method for restricting the IP addresses a program may access in the operating system of a smart device.
Background technique
Smart phones, smart routers and gateways allow third parties to develop and publish their own APPs or plug-ins, so a developer can collect a user's private data without the user knowing. The smart-device operating systems iOS and Android currently provide a sandbox mechanism and permission management, which let the user know that an APP accesses personal information such as contacts, photos, Bluetooth devices and location services, and leave the user the final decision on granting access. In the prior art, however, Android APP permission management can only restrict whether an APP may access the Internet at all; it cannot manage permissions in any finer detail.
Summary of the invention
The purpose of the present invention is to overcome the above-mentioned prior art by providing a method for restricting program IP-address access in the operating system of a smart device that can restrict a mobile-phone APP or router plug-in program from accessing domain names or IP addresses refused by the user, lets the APP or plug-in program run in a virtual-machine-like container, and, by extending the container, lets the APP or plug-in run every function it would have running directly on the host system.
To achieve the above purpose, the method of the invention for restricting program IP-address access in the operating system of a smart device is constituted as follows:
The method for restricting program IP-address access in the operating system of a smart device is mainly characterized in that it comprises the following steps:
(1) creating a virtual-machine container for a program that is to be started in the operating system of the smart device;
(2) setting the IP addresses that may be accessed from within the virtual-machine container;
(3) starting the program and running it inside the virtual-machine container;
(4) controlling, through the operating system of the smart device, the IP addresses the program accesses.
Preferably, step (1) comprises the following steps:
(1-1) creating, in the operating system of the smart device, a one-to-one virtual-machine container for the program that is to be started;
(1-2) creating a virtual network interface for the virtual-machine container;
(1-3) assigning an IP address to the virtual network interface.
More preferably, creating the virtual network interface for the virtual-machine container specifically means:
selecting the VETH, HOST or MACVLAN networking mode for the virtual-machine container and creating the corresponding virtual network interface.
Preferably, the program is an APP program or a plug-in program.
Preferably, controlling the IP addresses the program accesses through the operating system of the smart device includes controlling the program's access to external IP addresses and controlling mutual access between two programs.
More preferably, controlling the program's access to external IP addresses comprises the following steps:
(4-A-1) mapping a port of the external IP address, by network address translation, to the virtual-machine container corresponding to the program;
(4-A-2) the program connecting to the network through the port of the mapped IP address.
More preferably, controlling mutual access between two programs comprises the following steps:
(4-B-1) creating a daemon for each program to listen on a known IP address;
(4-B-2) when the daemon receives a connection from a program, forwarding it to the IP address and port of the virtual-machine container in which the service-providing plug-in runs.
Using the method of the invention for restricting program IP-address access in the operating system of a smart device has the following beneficial effects:
(1) this patent gives the user a new protection mechanism: if an APP collects user data and wants to upload it to its own server, the method can restrict the APP's network access so that it cannot communicate with domain names or IP addresses the user has not approved;
(2) the method offers a more flexible restriction scheme that grants the APP access only to certain network addresses, so that even if the APP is malware, the damage it can do to the system cannot spread any wider.
Detailed description of the invention
Fig. 1 is an architecture diagram of the method of the invention for restricting program IP-address access in the operating system of a smart device.
Fig. 2 is a network topology diagram of the method of the invention for restricting program IP-address access in the operating system of a smart device.
Fig. 3 is a schematic diagram of the interaction between two programs according to the invention.
Specific embodiment
In order to describe the technical content of the invention more clearly, it is described further below with reference to specific embodiments.
The present invention provides a solution for a management mechanism that restricts a mobile-phone APP or router plug-in program from accessing domain names or IP addresses the user has refused. The APP or plug-in program is allowed to run in a virtual-machine-like container. By extending the container, the APP or plug-in can run every function it would have running directly on the host system. The advantage is that an APP or plug-in program running in the background is prevented from collecting the user's private data and uploading it to a server the user knows nothing about. Only when a domain name or IP address has been approved by the user can the program reach it over the network. This improves the security of router and gateway products.
To achieve this purpose, the method for restricting program IP-address access in the operating system of a smart device comprises the following steps:
(1) creating a virtual-machine container for a program that is to be started in the operating system of the smart device;
(2) setting the IP addresses that may be accessed from within the virtual-machine container;
(3) starting the program and running it inside the virtual-machine container;
(4) controlling, through the operating system of the smart device, the IP addresses the program accesses.
In a preferred embodiment, step (1) comprises the following steps:
(1-1) creating, in the operating system of the smart device, a one-to-one virtual-machine container for the program that is to be started;
(1-2) creating a virtual network interface for the virtual-machine container;
(1-3) assigning an IP address to the virtual network interface.
In a more preferred embodiment, creating the virtual network interface for the virtual-machine container specifically means:
selecting the VETH, HOST or MACVLAN networking mode for the virtual-machine container and creating the corresponding virtual network interface.
In a preferred embodiment, the program is an APP program or a plug-in program.
In a preferred embodiment, controlling the IP addresses the program accesses through the operating system of the smart device includes controlling the program's access to external IP addresses and controlling mutual access between two programs.
In a more preferred embodiment, controlling the program's access to external IP addresses comprises the following steps:
(4-A-1) mapping a port of the external IP address, by network address translation, to the virtual-machine container corresponding to the program;
(4-A-2) the program connecting to the network through the port of the mapped IP address.
In a more preferred embodiment, controlling mutual access between two programs comprises the following steps:
(4-B-1) creating a daemon for each program to listen on a known IP address;
(4-B-2) when the daemon receives a connection from a program, forwarding it to the IP address and port of the virtual-machine container in which the service-providing plug-in runs.
In a practical application of the invention, the detailed process is as follows:
When an APP is started, a namespace is created first, and the APP is then started inside the namespace.
A namespace can be created by calling the clone function with the parameter CLONE_NEWNS.
As shown in Fig. 1, SMD is the management program; the plug-in programs with the suffix .cpk all run inside namespaces, and a namespace is a lightweight virtual machine.
An APP or plug-in program may communicate with the world outside the system; it may also act as an externally facing service program and accept access requests from external programs; and two APPs in the same system may communicate with each other. The following problems therefore need to be solved:
1. Each namespace must have its own independent IP address.
2. LAN devices such as smart phones or other computers must be able to communicate with the plug-in running in a namespace.
3. The IP address of each namespace is assigned randomly, so for the plug-ins running in two namespaces to communicate, each must learn the IP address of the other namespace.
First, to solve problem 1: a virtual network interface is created for the namespace and an IP address is assigned to it. Three networking modes can be used for namespace networking: VETH, HOST and MACVLAN; MACVLAN in turn can work in three modes.
VETH is selected so that the network interface created for the namespace can have the same MAC address as the HOST network interface. This solves the problem of plug-ins such as the Xunlei (Thunder) plug-in that use the MAC address as a parameter for authorization.
Each APP, or the namespace in which a plug-in runs, now has its own IP address, and the network topology is then as shown in Fig. 2.
In the figure, apart from the mobile-phone APP, which is a separate physical device, the GateWay and all namespaces run in the operating system of one physical device; a namespace can be regarded as a virtual machine, and the GateWay is the host. This solves the problem of each APP communicating with the outside world.
To solve problem 2, take the Xunlei mobile APP as an example: it connects to the Xunlei CPK plug-in on the gateway, and previously it could connect to port 9000 of 192.168.1.1. Because the modified architecture runs the Xunlei plug-in in a namespace, which has its own subnet, while the mobile APP is unchanged, 192.168.1.1:9000 now needs to be mapped by NAT, in the PREROUTING chain, to namespace-IP:9000. This can be done with an iptables rule.
A plug-in accessing the wide-area network needs no modification. Outgoing packets pass through NAT, so the plug-in program is equivalent to a computer on the local area network; NAT performs the address translation automatically through port mapping.
To solve problem 3 above, interconnection between plug-ins: a CPK plug-in and an OSGi plug-in sometimes need to interconnect. In the original architecture, the client plug-in could connect to the server plug-in directly over the loopback address 127.0.0.1. In the new architecture, different plug-ins are located in different namespaces, and neither side knows the other's IP address.
A daemon is created for each namespace to listen on a fixed, known IP address, for example a certain port of 192.168.1.1. When it receives a connection from a plug-in, the daemon is responsible for forwarding it to the IP address and port of the namespace in which the service-providing plug-in runs. Both plug-ins run on the gateway and need to cooperate: one provides a service and the other uses it. This is equivalent to two processes running at the same time in an operating system and doing inter-process communication.
The tcppm process is the plug-in forwarding process and must run on the host. One namespace may correspond to several port-forwarding processes, and a port-forwarding process may listen on or forward several ports. It maps the different private address and port of each namespace onto the host address and some port.
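The host-side forwarding process described above, as an added example that is not the patent's tcppm program: a small Python forwarder that listens on a fixed address and relays each accepted connection to the service plug-in's namespace address, so the client plug-in never has to learn that address. The class and function names, the loopback addresses and the echo service that stands in for the service plug-in are assumptions made for this example; in a real deployment the listener would bind the gateway's known address (the page's 192.168.1.1 and a chosen port) and the target would be the namespace IP and port.

```python
"""Added example (not the patent's program): a minimal host-side port
forwarder of the kind the page calls tcppm. It listens on a fixed, well-known
address and relays each accepted connection to the IP:port of the namespace in
which the service-providing plug-in runs. Class and function names are
assumptions; the demo wires the forwarder to a loopback echo service standing
in for the service plug-in so it runs without namespaces or root.
"""
import socket
import threading
from typing import Tuple

Endpoint = Tuple[str, int]


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until EOF, then half-close the destination so the
    peer sees end-of-stream exactly as it would on a direct connection."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class PortForwarder:
    """Host-side daemon: accept on listen_addr (the 'known IP address' the
    page's daemon listens on) and forward to target (the namespace IP and
    port of the service plug-in)."""

    def __init__(self, listen_addr: Endpoint, target: Endpoint) -> None:
        self.target = target
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind(listen_addr)
        self.sock.listen(16)
        self.listen_addr = self.sock.getsockname()  # port 0 -> the real port

    def _relay(self, client: socket.socket) -> None:
        # The forwarder is the one place on the host that sees every
        # cross-namespace connection, so an access check between plug-ins
        # (which client may reach which service) belongs here, before dialling.
        upstream = socket.create_connection(self.target, timeout=5)
        threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
        _pump(upstream, client)
        upstream.close()
        client.close()

    def start(self) -> "PortForwarder":
        def accept_loop() -> None:
            while True:
                try:
                    client, _ = self.sock.accept()
                except OSError:
                    return  # listener closed
                threading.Thread(target=self._relay, args=(client,), daemon=True).start()

        threading.Thread(target=accept_loop, daemon=True).start()
        return self

    def close(self) -> None:
        self.sock.close()


def start_echo_service() -> Endpoint:
    """Stand-in for the service plug-in (in production it lives in its own
    namespace); it echoes whatever it receives. Returns its address."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return

            def echo(c: socket.socket = conn) -> None:
                _pump(c, c)  # read from and write back to the same socket
                c.close()

            threading.Thread(target=echo, daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def demo_round_trip(payload: bytes = b"hello from the client plug-in") -> bytes:
    """The client plug-in dials only the forwarder's well-known address and
    gets the service plug-in's reply back through it."""
    fwd = PortForwarder(("127.0.0.1", 0), start_echo_service()).start()
    try:
        with socket.create_connection(fwd.listen_addr, timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)
            chunks = []
            while True:
                data = c.recv(65536)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks)
    finally:
        fwd.close()


if __name__ == "__main__":
    print(demo_round_trip())
```

Because every cross-namespace connection passes through this one process on the host, it is also the natural place to enforce which client plug-in may talk to which service and to log those connections; the plug-ins in their namespaces never learn each other's addresses, which is the property the page sets out to achieve. A production daemon would add a connection limit and idle timeouts on the relays.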
Internet-access restriction can be implemented with iptables rules on the network interface created in problem 1, restricting the IP addresses each namespace is able to access. All processes in a namespace can then only follow that namespace's access rules.
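The parts of the embodiment that touch the network configuration (the per-program namespace and veth interface of problem 1, the NAT port mapping of problem 2, and the per-namespace iptables access rules just described), as an added example that is not the patent's own code: a Python script that builds the iproute2 and iptables command plan for one program. The namespace and interface names, the 10.200.0.0/24 addressing, the `apply` helper and the sample destination addresses are all assumptions made for the example; only 192.168.1.1 and port 9000 come from the page. `ip netns add` creates the namespace with the kernel's unshare(CLONE_NEWNET), the flag that gives a process its own network stack.

```python
"""Added example (not the patent's own code): turn steps (1) to (4) of the
page into concrete iproute2/iptables commands for one program on a Linux
gateway: a per-program network namespace, a veth pair, an IP address, the
PREROUTING DNAT that maps a gateway port into the namespace, and an egress
whitelist on the namespace's interface. Every name, subnet and chain here is
an assumption made for the example, not something the page specifies.
"""
import shlex
import subprocess
from typing import List, Optional

GATEWAY_IP = "192.168.1.1"  # the gateway address used on the page
CONTAINER_SUBNET_BITS = 24  # assumed: one /24 shared by the host-side veth ends


def namespace_setup(ns: str, ns_ip: str, host_ip: str,
                    allowed_ips: List[str], mac: Optional[str] = None) -> List[str]:
    """Steps (1-1) to (1-3) plus the step (4) egress policy, returned as a
    command plan rather than executed so it can be reviewed (and tested).

    ns          namespace name for this program (one per program; keep it short,
                interface names are limited to 15 characters)
    ns_ip       address assigned to the namespace side of the veth pair
    host_ip     address of the host side (the namespace's default gateway)
    allowed_ips the only destinations this program may reach
    mac         optional MAC for the namespace interface (the page picks VETH
                so a plug-in that authorizes by MAC address keeps working)
    """
    veth_host, veth_ns = f"veth-{ns}", f"veth-{ns}-in"  # assumed naming scheme
    mac_opt = f" address {mac}" if mac else ""
    cmds = [
        f"ip netns add {ns}",
        f"ip link add {veth_host} type veth peer name {veth_ns}{mac_opt}",
        f"ip link set {veth_ns} netns {ns}",
        f"ip addr add {host_ip}/{CONTAINER_SUBNET_BITS} dev {veth_host}",
        f"ip link set {veth_host} up",
        f"ip -n {ns} addr add {ns_ip}/{CONTAINER_SUBNET_BITS} dev {veth_ns}",
        f"ip -n {ns} link set {veth_ns} up",
        f"ip -n {ns} link set lo up",
        f"ip -n {ns} route add default via {host_ip}",
        # Replies on connections the program already has (including the DNAT
        # flows below) must pass, or the whitelist would break the mapped port.
        f"iptables -A FORWARD -i {veth_host} -m conntrack "
        f"--ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    # Whitelist keyed on the host-side interface: it applies to every process
    # in this namespace and to nothing else, which is the page's "all processes
    # in a namespace follow only that namespace's access rules".
    for ip in allowed_ips:
        cmds.append(f"iptables -A FORWARD -i {veth_host} -d {ip} -j ACCEPT")
    cmds.append(f"iptables -A FORWARD -i {veth_host} -j DROP")
    return cmds


def port_mapping(ns_ip: str, port: int, gateway_ip: str = GATEWAY_IP) -> List[str]:
    """Steps (4-A-1)/(4-A-2): map gateway_ip:port onto the program's namespace
    address (the page's 192.168.1.1:9000 -> namespace-IP:9000 case) and let
    the program's own outbound traffic leave as the gateway, like a LAN host."""
    return [
        f"iptables -t nat -A PREROUTING -d {gateway_ip} -p tcp --dport {port} "
        f"-j DNAT --to-destination {ns_ip}:{port}",
        f"iptables -A FORWARD -d {ns_ip} -p tcp --dport {port} -j ACCEPT",
        f"iptables -t nat -A POSTROUTING -s {ns_ip} -j MASQUERADE",
    ]


def apply(cmds: List[str], dry_run: bool = True) -> List[List[str]]:
    """Tokenize the plan (shlex, so no shell is involved) and, unless dry_run,
    execute it; executing needs root on the gateway."""
    argv = [shlex.split(c) for c in cmds]
    if not dry_run:
        for a in argv:
            subprocess.run(a, check=True)
    return argv


if __name__ == "__main__":
    plan = namespace_setup("thunder", "10.200.0.2", "10.200.0.1", ["203.0.113.10"])
    plan += port_mapping("10.200.0.2", 9000)
    for c in plan:
        print(c)
```

The whitelist is attached to the host-side veth end, so it binds to the namespace rather than to a process and is not escaped by the program spawning children, which is the property the page relies on. The conntrack rule must precede the DROP, or replies on the DNAT-mapped port and on every permitted connection would be discarded. Restrictions by domain name, which the page also mentions, need a resolver-level control in addition to these address rules, since iptables only sees IP addresses.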
Using the method of the invention for restricting program IP-address access in the operating system of a smart device has the following beneficial effects:
(1) this patent gives the user a new protection mechanism: if an APP collects user data and wants to upload it to its own server, the method can restrict the APP's network access so that it cannot communicate with domain names or IP addresses the user has not approved;
(2) the method offers a more flexible restriction scheme that grants the APP access only to certain network addresses, so that even if the APP is malware, the damage it can do to the system cannot spread any wider.
In this description, the invention has been described with reference to its specific embodiments. It is clear, however, that various modifications and changes can still be made without departing from the spirit and scope of the invention. The description and the drawings are therefore to be regarded as illustrative and not restrictive.

Claims (5)

1. A method for restricting program IP-address access in the operating system of a smart device, characterized in that the method comprises the following steps:
(1) creating a virtual-machine container for a program that is to be started in the operating system of the smart device;
(2) setting the IP addresses that may be accessed from within the virtual-machine container;
(3) starting the program and running it inside the virtual-machine container;
(4) controlling, through the operating system of the smart device, the IP addresses the program accesses;
wherein controlling the IP addresses the program accesses through the operating system of the smart device includes controlling the program's access to external IP addresses and controlling mutual access between two programs;
and controlling mutual access between two programs comprises the following steps:
(4-B-1) creating a daemon for each program to listen on a known IP address;
(4-B-2) when the daemon receives a connection from a program, forwarding it to the IP address and port of the virtual-machine container in which the service-providing plug-in runs.
2. The method for restricting program IP-address access in the operating system of a smart device according to claim 1, characterized in that step (1) comprises the following steps:
(1-1) creating, in the operating system of the smart device, a one-to-one virtual-machine container for the program that is to be started;
(1-2) creating a virtual network interface for the virtual-machine container;
(1-3) assigning an IP address to the virtual network interface.
3. The method for restricting program IP-address access in the operating system of a smart device according to claim 2, characterized in that creating the virtual network interface for the virtual-machine container specifically means:
selecting the VETH, HOST or MACVLAN networking mode for the virtual-machine container and creating the corresponding virtual network interface.
4. The method for restricting program IP-address access in the operating system of a smart device according to claim 1, characterized in that the program is an APP program or a plug-in program.
5. The method for restricting program IP-address access in the operating system of a smart device according to claim 1, characterized in that controlling the program's access to external IP addresses comprises the following steps:
(4-A-1) mapping a port of the external IP address, by network address translation, to the virtual-machine container corresponding to the program;
(4-A-2) the program connecting to the network through the port of the mapped IP address.

Priority Applications (1)

Application number: CN201510822785.5A
Priority date: 2015-11-24
Filing date: 2015-11-24
Title: Method for restricting program IP-address access in the operating system of a smart device
Status: Active, granted as CN105491020B

Publications (2)

CN105491020A, published 2016-04-13
CN105491020B, published 2019-01-29

Family ID: 55677737

Country Status (1)

CN: CN105491020B

Legal Events

Code Title
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant