CN105577632B - A secure networking method and terminal based on network isolation - Google Patents
Publication number: CN105577632B (application CN201510367443.9A)
Authority: CN (China)
Prior art keywords: data, network, namespace, virtual network interface
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
Abstract
The invention discloses a secure networking method and terminal based on network isolation. The method includes: isolating, according to network resources, at least one first namespace and a second namespace; receiving a creation request for a process corresponding to an application, the process requesting data from an external network or sending data to the external network; determining, according to the set to which the package name of the application belongs or the domain from which the creation request was initiated, that the process belongs to the second namespace; and connecting to the external network through the mobile data network to request or send the data. A corresponding terminal is also disclosed. By using the namespace mechanism provided by the kernel, the invention isolates two or more mutually independent network environments; in the secure network environment the terminal can connect to the network only through the mobile data network, so that a suitable network connection mode is selected for the terminal, networking is made secure, and the information in the terminal is protected.
Description
Technical field
The present invention relates to the field of communication technology, and in particular to a secure networking method and terminal based on network isolation.
Background art
The network connection strategy of existing intelligent terminals such as mobile phones is to prefer the Wi-Fi network whenever a Wi-Fi connection is available, and to use the carrier network (2G/3G/4G) only when no Wi-Fi network is available. With the development of the mobile Internet, e-commerce applications such as mobile payment, mobile shopping and mobile online banking are growing rapidly on mobile terminals, and the payment security problems these applications bring are increasingly prominent. If the user is connected to Wi-Fi, security risks arise: for example, an attacker can use the Wi-Fi network to obtain private information such as photos and personal documents on the user's phone, and even sensitive information such as bank card passwords. Simply forbidding Wi-Fi connections, on the other hand, would be inconvenient for the user (carrier network traffic is expensive, and its speed is lower than that of Wi-Fi).
How to select the network connection mode while ensuring secure networking has therefore become a technical problem that needs to be solved.
Summary of the invention
The present invention provides a secure networking method and terminal based on network isolation, so as to select a suitable network connection mode, ensure secure networking, and protect the information in the terminal.
In one aspect, a secure networking method based on network isolation is provided, including:
isolating, according to network resources, at least one first namespace and a second namespace, where a process in the first namespace connects to an external network through a wireless local area network (WLAN) or a mobile data network, and a process in the second namespace connects to the external network through the mobile data network;
receiving a creation request for a process corresponding to an application, the process requesting data from the external network or sending data to the external network;
determining, according to the set to which the package name of the application belongs or the domain from which the creation request was initiated, that the process belongs to the second namespace; and
connecting to the external network through the mobile data network to request or send the data.
In another aspect, a terminal is provided, the terminal including a kernel, at least one first namespace and a second namespace;
the kernel includes:
an isolation unit, configured to isolate, according to network resources, at least one first namespace and a second namespace, where a process in the first namespace connects to an external network through a WLAN or a mobile data network, and a process in the second namespace connects to the external network through the mobile data network;
a first receiving unit, configured to receive a creation request for a process corresponding to an application, the process requesting data from the external network or sending data to the external network;
a determination unit, configured to determine, according to the set to which the package name of the application belongs or the domain from which the creation request was initiated, that the process belongs to the second namespace; and
a connection unit, configured to connect to the external network through the mobile data network to request or send the data.
It can be seen that, according to the secure networking method and terminal based on network isolation provided by the invention, the namespace mechanism provided by the kernel is used to isolate two or more mutually independent network environments; in the secure network environment the terminal can connect to the network only through the mobile data network, so that a suitable network connection mode is selected for the terminal, networking is made secure, and the information in the terminal is protected.
Description of the drawings
In order to explain the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a flow diagram of a secure networking method based on network isolation provided by an embodiment of the present invention;
Fig. 2 is an exemplary system architecture diagram of secure networking based on network isolation according to an embodiment of the present invention;
Fig. 3 is a flow diagram further detailing the secure networking method based on network isolation provided by the embodiment shown in Fig. 1;
Fig. 4 is a structural schematic diagram of a terminal provided by an embodiment of the present invention;
Fig. 5 is a structural schematic diagram further detailing the terminal provided by the embodiment shown in Fig. 4.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort shall fall within the protection scope of the present invention.
Referring to Fig. 1, which is a flow diagram of a secure networking method based on network isolation provided by an embodiment of the present invention, the method includes the following steps:
Step S101: isolate, according to network resources, at least one first namespace and a second namespace, where a process in the first namespace connects to an external network through a WLAN or a mobile data network, and a process in the second namespace connects to the external network through the mobile data network.
A namespace is a resource isolation mechanism provided by the Linux kernel. Once the namespace mechanism is used, system resources such as PIDs (process IDs), IPC (inter-process communication) and the network are no longer global but belong to a specific namespace, and the resources inside one namespace are invisible to other namespaces. This embodiment mainly uses the network namespace to isolate the network. A network namespace provides a process with a view of a completely independent network protocol stack, including network device interfaces, the IPv4 and IPv6 protocol stacks, IP routing tables, firewall rules, sockets and so on. A network namespace therefore provides an independent network environment, just like a separate system. A physical device can exist in only one network namespace at a time, but it can be moved from one namespace to another. Fig. 2 is an exemplary system architecture diagram of secure networking based on network isolation according to an embodiment of the present invention: the operating system or kernel has isolated two network namespaces according to the required network resources, Network Namespace A and Network Namespace B. In the figure, wlan0 is the physical network interface used by the wireless local area network (WLAN) and rmnet0 is the physical network interface used by the data network; processes receive and send packets through these two interfaces. APP1, APP2 and APP3 represent applications with relatively high network security requirements; once such an APP is placed in Namespace B, it can only access the Internet through data traffic.
Step S102: receive a creation request for a process corresponding to an application, the process requesting data from the external network or sending data to the external network.
When the user taps an APP that connects to the network to fetch data or to send data to the external network, the operating system or kernel creates a new process, and this process requests data from the external network or sends data to it.
Step S103: determine, according to the set to which the package name of the application belongs or the domain from which the creation request was initiated, that the process belongs to the second namespace.
Each APP, i.e. each application, has a package name. Several sets are defined in advance, each set being the package names of one group of applications: the applications whose package names are in set A belong to Namespace A, and the applications whose package names are in set B belong to Namespace B. Therefore, from which application's process is being created and that application's package name, the process can be determined to belong to Namespace B if the package name belongs to set B.
Alternatively, a terminal has several domains, and it is stipulated that a process created by a certain domain must connect to the network through the mobile network; the process can therefore be determined to belong to Namespace B according to the domain from which the creation request was initiated.
Step S104: connect to the external network through the mobile data network to request or send the data.
Once the process that requests data from or sends data to the external network has been determined to belong to Namespace B, it can connect to the network through the mobile data network, i.e. through rmnet0, to request or send the data.
According to the secure networking method based on network isolation provided by the invention, the namespace mechanism provided by the kernel is used to isolate two or more mutually independent network environments; in the secure network environment the terminal can connect to the network only through the mobile data network, so that a suitable network connection mode is selected for the terminal, networking is made secure, and the information in the terminal is protected.
Referring to Fig. 3, which is a flow diagram further detailing the secure networking method based on network isolation provided by the embodiment shown in Fig. 1, the method includes the following steps:
Step S201: isolate, according to network resources, at least one first namespace and a second namespace, where a process in the first namespace connects to an external network through a WLAN or a mobile data network, and a process in the second namespace connects to the external network through the mobile data network.
Step S202: receive a creation request for a process corresponding to an application, the process requesting data from the external network or sending data to the external network.
Step S203: determine, according to the set to which the package name of the application belongs or the domain from which the creation request was initiated, that the process belongs to the second namespace.
Steps S201 to S203 are the same as steps S101 to S103 of the embodiment shown in Fig. 1 and are not described again here.
How the external network is connected through the mobile data network in order to request or send the data is described in detail below:
Step S204: the data request corresponding to the process is sent to the second virtual network interface connected to the second namespace.
Step S205: the second virtual network interface sends the data request to the first virtual network interface connected to the first namespace.
Step S206: the first virtual network interface, on the basis that the data request originated from the second virtual network interface, sends the data request to the external network through the mobile data network, receives the data returned by the external network through the mobile data network, and sends the data to the second virtual network interface.
Step S207: the second virtual network interface feeds the data back to the process.
Step S208: the data fed back by the second virtual network interface is received.
Step S209: the data sending request corresponding to the process is sent to the second virtual network interface connected to the second namespace, the data sending request carrying the data to be sent.
Step S210: the second virtual network interface sends the data sending request to the first virtual network interface connected to the first namespace.
Step S211: the first virtual network interface, on the basis that the data sending request originated from the second virtual network interface, sends the data to be sent to the external network through the mobile data network.
VETH-A (the first virtual network interface) and VETH-B (the second virtual network interface) shown in Fig. 2 are virtual network devices of type veth. Such devices always appear in pairs: a packet sent out of one veth arrives directly at its peer veth. A veth pair thus provides a pipe-like abstraction that can tunnel between different namespaces, and with such virtual devices a bridge to a physical device in another namespace can be established. If no connection to the external network is needed and the two namespaces only have to be interconnected, a veth pair alone is sufficient.
In order to connect to the external physical network, a Linux bridge also has to be introduced. By assigning IP addresses to the Linux bridge and to VETH-B respectively, adding the corresponding routing rules and routing tables, and combining network address translation (NAT), processes in both namespaces can access the external network through the same physical interface rmnet0.
As for the physical interface wlan0, as long as no veth interface and bridge are set up for it and no corresponding routing rules and NAT are configured, processes in Namespace B do not even know that wlan0 exists and therefore cannot access the external network through wlan0; in other words, they cannot use the Wi-Fi network.
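The steps above (S103 for the package-name/domain decision, S204 to S211 together with the veth/bridge/NAT description for the data path) can be reproduced on a stock Linux host with the iproute2 and iptables tools. The following script is an added example written for this page; it is not code from the patent or from any product implementing it. The namespace name "secure", the 10.200.0.0/24 subnet, routing table 100, the interface names veth-a, veth-b and br0, and the policy lists SECURE_PACKAGES and SECURE_DOMAINS are assumptions chosen for illustration; wlan0 and rmnet0 are the interface names from Fig. 2. One point the patent leaves implicit is worth making explicit: the default route of Namespace A normally points at wlan0 (Wi-Fi is preferred), so the "corresponding routing rules" must be policy routing that pins traffic entering from the bridge to rmnet0; with a plain default route the kernel in Namespace A would forward Namespace B's packets over Wi-Fi and defeat the isolation.

```shell
#!/bin/sh
# Added example (not the patent's code): builds the Fig. 2 topology on a stock Linux host.
#   Namespace A (the default namespace, owning wlan0 and rmnet0)
#     br0 --- veth-a <=== veth pair ===> veth-b --- Namespace B ("secure")
# Assumed values (none appear in the patent): namespace name, 10.200.0.0/24, table 100.
# With DRY_RUN=1 every privileged command is printed instead of executed.

NS_B="${NS_B:-secure}"          # the second namespace (Network Namespace B)
BR="${BR:-br0}"                 # Linux bridge in Namespace A
SUBNET="${SUBNET:-10.200.0.0/24}"
BR_ADDR="${BR_ADDR:-10.200.0.1/24}"
VETH_B_ADDR="${VETH_B_ADDR:-10.200.0.2/24}"
GW="${GW:-10.200.0.1}"
DATA_IF="${DATA_IF:-rmnet0}"    # mobile data interface
WIFI_IF="${WIFI_IF:-wlan0}"     # Wi-Fi interface, must stay invisible to B
TABLE="${TABLE:-100}"           # policy routing table for traffic coming from B

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Steps S101/S201 plus the veth/bridge/NAT plumbing behind steps S204-S211.
setup_isolation() {
    run ip netns add "$NS_B"
    # VETH-A stays in A, VETH-B is moved into B; the pair is the tunnel between them.
    run ip link add veth-a type veth peer name veth-b
    run ip link set veth-b netns "$NS_B"
    # Bridge in A with VETH-A attached; the bridge address is B's gateway.
    run ip link add "$BR" type bridge
    run ip link set veth-a master "$BR"
    run ip addr add "$BR_ADDR" dev "$BR"
    run ip link set "$BR" up
    run ip link set veth-a up
    # Inside B the only way out is veth-b: B never sees wlan0 or rmnet0.
    run ip netns exec "$NS_B" ip link set lo up
    run ip netns exec "$NS_B" ip addr add "$VETH_B_ADDR" dev veth-b
    run ip netns exec "$NS_B" ip link set veth-b up
    run ip netns exec "$NS_B" ip route add default via "$GW" dev veth-b
    # Policy routing: A's own default route may point at wlan0, so everything that
    # enters A through the bridge is routed by table 100, whose default is rmnet0
    # (assumed point-to-point link; add "via <gateway>" on an Ethernet-style link).
    run sysctl -w net.ipv4.ip_forward=1
    run ip rule add iif "$BR" lookup "$TABLE"
    run ip route add "$SUBNET" dev "$BR" table "$TABLE"
    run ip route add default dev "$DATA_IF" table "$TABLE"
    # NAT so that B's private addresses can reach the carrier network.
    run iptables -t nat -A POSTROUTING -s "$SUBNET" -o "$DATA_IF" -j MASQUERADE
    # Forwarding policy: bridge <-> rmnet0 only. Anything between wlan0 and the bridge
    # is dropped, which enforces the "discard data returned via Wi-Fi" rule of claim 3.
    run iptables -A FORWARD -i "$BR" -o "$DATA_IF" -j ACCEPT
    run iptables -A FORWARD -i "$DATA_IF" -o "$BR" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$WIFI_IF" -o "$BR" -j DROP
    run iptables -A FORWARD -i "$BR" -j DROP
}

# Step S103: choose the namespace for a new process from its package name or domain.
# SECURE_PACKAGES and SECURE_DOMAINS are assumed policy lists (the patent's "set B" and
# the domain whose processes must use the mobile network).
SECURE_PACKAGES="${SECURE_PACKAGES:-com.example.bank com.example.pay}"
SECURE_DOMAINS="${SECURE_DOMAINS:-payment}"

namespace_for() {   # $1 = package name, $2 = originating domain; prints the namespace
    for p in $SECURE_PACKAGES; do
        if [ "$1" = "$p" ]; then printf '%s\n' "$NS_B"; return 0; fi
    done
    for d in $SECURE_DOMAINS; do
        if [ "$2" = "$d" ]; then printf '%s\n' "$NS_B"; return 0; fi
    done
    printf 'default\n'
}

# Step S104: start the process in the namespace the policy selected. On a real Android
# terminal the kernel/zygote would do this at fork time; ip netns exec is the generic
# Linux equivalent.
launch_in_namespace() {   # $1 = package, $2 = domain, rest = command line
    ns=$(namespace_for "$1" "$2")
    shift 2
    if [ "$ns" = default ]; then run "$@"; else run ip netns exec "$ns" "$@"; fi
}

# Check after a real (non dry-run) setup: wlan0 must not be visible from inside B.
check_wifi_hidden() {
    ! ip netns exec "$NS_B" ip link show "$WIFI_IF" >/dev/null 2>&1
}

if [ "${NETISO_APPLY:-0}" = 1 ]; then
    setup_isolation && check_wifi_hidden
fi
```

Run with DRY_RUN=1 to print the plan without root; run as root with NETISO_APPLY=1 to apply it, after which check_wifi_hidden confirms that "ip link show wlan0" fails inside the secure namespace. The FORWARD rules are where claim 3 is enforced: a packet that would cross from wlan0 to the bridge is dropped in Namespace A before it ever reaches VETH-B, and the final catch-all drop means a process in B cannot reach any interface other than rmnet0 even if further interfaces are added to A later.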
Here, steps S204 to S208 are the procedure for requesting data from the external network, and steps S209 to S211 are the procedure for sending data to the external network.
According to the secure networking method based on network isolation provided by the invention, the namespace mechanism provided by the kernel is used to isolate two or more mutually independent network environments; in the secure network environment the terminal can connect to the network only through the mobile data network, so that a suitable network connection mode is selected for the terminal, networking is made secure, and the information in the terminal is protected.
Referring to Fig. 4, which is a structural schematic diagram of a terminal provided by an embodiment of the present invention, the terminal includes a kernel 100, a first namespace 101 and a second namespace 102, and the kernel 100 includes:
an isolation unit 11, configured to isolate, according to network resources, at least one first namespace and a second namespace, where a process in the first namespace connects to an external network through a WLAN or a mobile data network, and a process in the second namespace connects to the external network through the mobile data network.
A namespace is a resource isolation mechanism provided by the Linux kernel. Once the namespace mechanism is used, system resources such as PIDs (process IDs), IPC (inter-process communication) and the network are no longer global but belong to a specific namespace, and the resources inside one namespace are invisible to other namespaces. This embodiment mainly uses the network namespace to isolate the network. A network namespace provides a process with a view of a completely independent network protocol stack, including network device interfaces, the IPv4 and IPv6 protocol stacks, IP routing tables, firewall rules, sockets and so on. A network namespace therefore provides an independent network environment, just like a separate system. A physical device can exist in only one network namespace at a time, but it can be moved from one namespace to another. Fig. 2 is an exemplary system architecture diagram of secure networking based on network isolation according to an embodiment of the present invention: the isolation unit 11 has isolated two network namespaces according to the required network resources, Network Namespace A and Network Namespace B. In the figure, wlan0 is the physical network interface used by Wi-Fi and rmnet0 is the physical network interface used by the data network; processes receive and send packets through these two interfaces. APP1, APP2 and APP3 represent applications with relatively high network security requirements; once such an APP is placed in Namespace B, it can only access the Internet through data traffic.
a first receiving unit 12, configured to receive a creation request for a process corresponding to an application, the process requesting data from the external network or sending data to the external network.
When the user taps an APP that connects to the network to fetch data or to send data to the external network, the operating system or kernel creates a new process, and this process requests data from the external network or sends data to it. The first receiving unit 12 receives the creation request for the process corresponding to the application.
a determination unit 13, configured to determine, according to the set to which the package name of the application belongs or the domain from which the creation request was initiated, that the process belongs to the second namespace.
Each APP, i.e. each application, has a package name. Several sets are defined in advance, each set being the package names of one group of applications: the applications whose package names are in set A belong to Namespace A, and the applications whose package names are in set B belong to Namespace B. Accordingly, the determination unit 13 determines, from which application's process is being created and that application's package name, that the process belongs to Namespace B if the package name belongs to set B.
Alternatively, a terminal has several domains, and it is stipulated that a process created by a certain domain must connect to the network through the mobile network; the process can therefore be determined to belong to Namespace B according to the domain from which the creation request was initiated.
a connection unit 14, configured to connect to the external network through the mobile data network to request or send the data.
Once the process that requests data from or sends data to the external network has been determined to belong to Namespace B, the connection unit 14 can connect to the network through the mobile data network, i.e. through rmnet0, to request or send the data.
According to the terminal provided by the invention, the namespace mechanism provided by the kernel is used to isolate two or more mutually independent network environments; in the secure network environment the terminal can connect to the network only through the mobile data network, so that a suitable network connection mode is selected for the terminal, networking is made secure, and the information in the terminal is protected.
Referring to Fig. 5, which is a structural schematic diagram further detailing the terminal provided by the embodiment shown in Fig. 4, the terminal 2000 includes a kernel 200, a first virtual network interface 102 and a first namespace 103 connected to the first virtual network interface 102, and a second virtual network interface 104 and a second namespace 105 connected to the second virtual network interface 104. The kernel 200 includes:
an isolation unit 21, configured to isolate, according to network resources, at least one first namespace and a second namespace, where a process in the first namespace connects to an external network through a WLAN or a mobile data network, and a process in the second namespace connects to the external network through the mobile data network;
a first receiving unit 22, configured to receive a creation request for a process corresponding to an application, the process requesting data from the external network or sending data to the external network;
a determination unit 23, configured to determine, according to the set to which the package name of the application belongs or the domain from which the creation request was initiated, that the process belongs to the second namespace.
The functions of the isolation unit 21, the first receiving unit 22 and the determination unit 23 are the same as those of the isolation unit 11, the first receiving unit 12 and the determination unit 13 of the embodiment shown in Fig. 4 and are not described again here.
a connection unit 24, configured to connect to the external network through the mobile data network to request or send the data.
In this embodiment, the connection unit 24 includes a sending unit 241 and a second receiving unit 242.
The sending unit 241 is configured to send the data request corresponding to the process to the second virtual network interface connected to the second namespace.
The second virtual network interface 104 is configured to send the data request to the first virtual network interface connected to the first namespace.
The first virtual network interface 102 is configured to, on the basis that the data request originated from the second virtual network interface, send the data request to the external network through the mobile data network, receive the data returned by the external network through the mobile data network, and send the data to the second virtual network interface.
The second virtual network interface 104 is further configured to feed the data back to the process.
The second receiving unit 242 is configured to receive the data fed back by the second virtual network interface.
The sending unit 241 is further configured to send the data sending request corresponding to the process to the second virtual network interface connected to the second namespace, the data sending request carrying the data to be sent.
The second virtual network interface 104 is further configured to send the data sending request to the first virtual network interface connected to the first namespace.
The first virtual network interface 102 is further configured to, on the basis that the data sending request originated from the second virtual network interface, send the data to be sent to the external network through the mobile data network.
VETH-A (the first virtual network interface) and VETH-B (the second virtual network interface) shown in Fig. 2 are virtual network devices of type veth. Such devices always appear in pairs: a packet sent out of one veth arrives directly at its peer veth. A veth pair thus provides a pipe-like abstraction that can tunnel between different namespaces, and with such virtual devices a bridge to a physical device in another namespace can be established. If no connection to the external network is needed and the two namespaces only have to be interconnected, a veth pair alone is sufficient.
In order to connect to the external physical network, a Linux bridge also has to be introduced. By assigning IP addresses to the Linux bridge and to VETH-B respectively, adding the corresponding routing rules and routing tables, and combining network address translation (NAT), processes in both namespaces can access the external network through the same physical interface rmnet0.
As for the physical interface wlan0, as long as no veth interface and bridge are set up for it and no corresponding routing rules and NAT are configured, processes in Namespace B do not even know that wlan0 exists and therefore cannot access the external network through wlan0; in other words, they cannot use the Wi-Fi network.
According to the terminal provided by the invention, the namespace mechanism provided by the kernel is used to isolate two or more mutually independent network environments; in the secure network environment the terminal can connect to the network only through the mobile data network, so that a suitable network connection mode is selected for the terminal, networking is made secure, and the information in the terminal is protected.
It should be noted that, for brevity, each of the foregoing method embodiments is described as a series of combined actions; those skilled in the art should understand, however, that the present invention is not limited by the described order of actions, because according to the present invention certain steps may be performed in another order or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in this specification are preferred embodiments, and the actions and modules involved are not necessarily required by the present invention.
In the above embodiments, the description of each embodiment has its own emphasis; for a part not described in detail in one embodiment, reference may be made to the relevant description of the other embodiments.
From the above description of the embodiments, it is clear to those skilled in the art that the present invention may be implemented in hardware, in firmware, or in a combination thereof. When implemented in software, the above functions may be stored in a computer-readable medium or transmitted as one or more instructions or code on a computer-readable medium. Computer-readable media include computer storage media and communication media, where communication media include any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that a computer can access. By way of example and not limitation, computer-readable media may include random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), compact disc read-only memory (CD-ROM) or other optical disc storage, magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. In addition, any suitable connection may be a computer-readable medium. For example, if the software is transmitted from a website, server or other remote source using coaxial cable, fiber optic cable, twisted pair, digital subscriber line (DSL) or wireless technologies such as infrared, radio and microwave, then the coaxial cable, fiber optic cable, twisted pair, DSL or wireless technologies such as infrared, radio and microwave are included in the definition of the medium. As used in the present invention, disk and disc include compact disc (CD), laser disc, optical disc, digital versatile disc (DVD), floppy disk and Blu-ray disc, where disks usually reproduce data magnetically and discs reproduce data optically with lasers. Combinations of the above should also be included within the protection scope of computer-readable media.
In short, the foregoing is only a preferred embodiment of the technical solution of the present invention and is not intended to limit the protection scope of the present invention. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.
Claims (6)
1. A secure networking method based on network isolation, characterized in that it comprises:
isolating, according to network resources, at least one first namespace and a second namespace, wherein a process in the first namespace connects to an external network through a wireless local area network (Wi-Fi) or a mobile data network, and a process in the second namespace connects to the external network through the mobile data network;
receiving a creation request for a process corresponding to an application, the process requesting data from the external network or sending data to the external network;
determining, according to the set to which the package name of the application belongs or the domain in which the creation request was initiated, that the process belongs to the second namespace;
connecting to the external network through the mobile data network to request or send the data;
wherein connecting to the external network through the mobile data network to request the data comprises:
sending the data request corresponding to the process to a second virtual network interface card (virtual NIC) connected to the second namespace;
the second virtual NIC forwarding the data request to a first virtual NIC connected to the first namespace;
the first virtual NIC, on determining from the data request that it originated from the second virtual NIC, sending the data request to the external network through the mobile data network, receiving the data returned by the external network through the mobile data network, and sending the data to the second virtual NIC;
the second virtual NIC feeding the data back to the process;
receiving the data fed back by the second virtual NIC;
and wherein connecting to the external network through the mobile data network to send the data comprises:
sending the data sending request corresponding to the process to the second virtual NIC connected to the second namespace, the data sending request carrying the data to be sent;
the second virtual NIC forwarding the data sending request to the first virtual NIC connected to the first namespace;
the first virtual NIC, on determining from the data sending request that it originated from the second virtual NIC, sending the data to be sent to the external network through the mobile data network.
2. The method as claimed in claim 1, characterized in that the set comprises the package names of a group of applications, and the processes of the applications whose package names are in the set belong to the second namespace; or
the second namespace corresponds to a domain, and the processes initiated in the domain belong to the second namespace.
3. The method as claimed in claim 1, characterized in that it further comprises:
if the first virtual NIC receives data returned by the external network through the Wi-Fi, discarding the data.
4. A terminal, characterized in that the terminal comprises: a kernel, at least one first namespace, a second namespace, a first virtual network interface card (virtual NIC) and a second virtual NIC;
the kernel comprises:
an isolation unit, configured to isolate, according to network resources, at least one first namespace and a second namespace, wherein a process in the first namespace connects to an external network through a wireless local area network (Wi-Fi) or a mobile data network, and a process in the second namespace connects to the external network through the mobile data network;
a first receiving unit, configured to receive a creation request for a process corresponding to an application, the process requesting data from the external network or sending data to the external network;
a determination unit, configured to determine, according to the set to which the package name of the application belongs or the domain in which the creation request was initiated, that the process belongs to the second namespace;
a connection unit, configured to connect to the external network through the mobile data network to request or send the data;
the connection unit comprises:
a sending unit, configured to send the data request corresponding to the process to the second virtual NIC connected to the second namespace;
the second virtual NIC, configured to forward the data request to the first virtual NIC connected to the first namespace;
the first virtual NIC, configured to, on determining from the data request that it originated from the second virtual NIC, send the data request to the external network through the mobile data network, receive the data returned by the external network through the mobile data network, and send the data to the second virtual NIC;
the second virtual NIC being further configured to feed the data back to the process;
the connection unit further comprises:
a second receiving unit, configured to receive the data fed back by the second virtual NIC;
the sending unit being further configured to send the data sending request corresponding to the process to the second virtual NIC connected to the second namespace, the data sending request carrying the data to be sent;
the second virtual NIC being further configured to forward the data sending request to the first virtual NIC connected to the first namespace;
the first virtual NIC being further configured to, on determining from the data sending request that it originated from the second virtual NIC, send the data to be sent to the external network through the mobile data network.
5. The terminal as claimed in claim 4, characterized in that the set comprises the package names of a group of applications, and the processes of the applications whose package names are in the set belong to the second namespace; or
the second namespace corresponds to a domain, and the processes initiated in the domain belong to the second namespace.
6. The terminal as claimed in claim 4, characterized in that:
the first virtual NIC is further configured to discard the data if it receives data returned by the external network through the Wi-Fi.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510367443.9A CN105577632B (en) | 2015-06-26 | 2015-06-26 | A kind of safe networking methods and terminal based on Network Isolation |
PCT/CN2015/085873 WO2016206171A1 (en) | 2015-06-26 | 2015-07-31 | Secure networking method based on network isolation, and terminal |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510367443.9A CN105577632B (en) | 2015-06-26 | 2015-06-26 | A kind of safe networking methods and terminal based on Network Isolation |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105577632A CN105577632A (en) | 2016-05-11 |
CN105577632B true CN105577632B (en) | 2018-08-24 |
Family
ID=55887294
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510367443.9A Active CN105577632B (en) | 2015-06-26 | 2015-06-26 | A kind of safe networking methods and terminal based on Network Isolation |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN105577632B (en) |
WO (1) | WO2016206171A1 (en) |
Families Citing this family (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10176005B2 (en) * | 2014-03-31 | 2019-01-08 | Cypherpath, Inc. | Environment virtualization |
CN106779648B (en) * | 2016-12-16 | 2020-10-16 | Oppo广东移动通信有限公司 | Network data sending method and mobile terminal |
CN111294220B (en) * | 2018-12-07 | 2022-06-21 | 网宿科技股份有限公司 | Nginx-based network isolation configuration method and device |
CN111294316B (en) * | 2018-12-07 | 2022-07-01 | 网宿科技股份有限公司 | Network isolation method and device based on user mode protocol stack virtual router |
CN111294221B (en) * | 2018-12-07 | 2023-03-03 | 网宿科技股份有限公司 | Network isolation configuration method and device based on haproxy |
CN111294827A (en) * | 2019-02-28 | 2020-06-16 | 展讯通信(上海)有限公司 | Adaptive network communication method and device of application program |
CN111669355B (en) * | 2019-03-08 | 2023-04-18 | 厦门网宿有限公司 | Method for batch processing of nginx network isolation space and nginx server |
CN111835685B (en) * | 2019-04-19 | 2022-10-28 | 厦门网宿有限公司 | Method and server for monitoring running state of Nginx network isolation space |
CN111835684B (en) * | 2019-04-19 | 2023-01-20 | 厦门网宿有限公司 | Network isolation monitoring method and system for haproxy equipment |
CN111949471A (en) * | 2019-05-16 | 2020-11-17 | 珠海格力电器股份有限公司 | Monitoring control method for terminal process |
CN110336758B (en) * | 2019-05-28 | 2022-10-28 | 厦门网宿有限公司 | Data distribution method in virtual router and virtual router |
CN111143062A (en) * | 2019-12-19 | 2020-05-12 | 上海交通大学 | Balanced partitioning strategy for external load process by user mode protocol stack |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103796282A (en) * | 2014-02-27 | 2014-05-14 | 黄晓峰 | Network telephony processing method for smart mobile terminal |
CN104331329A (en) * | 2014-09-30 | 2015-02-04 | 上海斐讯数据通信技术有限公司 | Mobile office security system and method supporting domain management |
CN104394130A (en) * | 2014-11-12 | 2015-03-04 | 国云科技股份有限公司 | A multi-tenant virtual network isolating method |
CN104579831A (en) * | 2014-12-26 | 2015-04-29 | 北京网秦天下科技有限公司 | Data transmission processing method and device |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20090276351A1 (en) * | 2008-04-30 | 2009-11-05 | Strands, Inc. | Scaleable system and method for distributed prediction markets |
US9137209B1 (en) * | 2008-12-10 | 2015-09-15 | Amazon Technologies, Inc. | Providing local secure network access to remote services |
CN103618736A (en) * | 2013-12-09 | 2014-03-05 | 成都达信通通讯设备有限公司 | Safety application system for mobile terminal to automatically switch between different channel networking interfaces |
CN104239764B (en) * | 2014-10-15 | 2017-07-07 | 北京奇虎科技有限公司 | The management-control method and device of terminal device and its systemic-function |
CN104483951B (en) * | 2014-12-19 | 2017-12-15 | 宇龙计算机通信科技(深圳)有限公司 | A kind of method, apparatus and terminal for controlling intelligent home device |
- 2015
  - 2015-06-26 CN CN201510367443.9A patent/CN105577632B/en active Active
  - 2015-07-31 WO PCT/CN2015/085873 patent/WO2016206171A1/en active Application Filing
Also Published As
Publication number | Publication date |
---|---|
CN105577632A (en) | 2016-05-11 |
WO2016206171A1 (en) | 2016-12-29 |
Similar Documents
Publication | Title |
---|---|
CN105577632B (en) | A kind of safe networking methods and terminal based on Network Isolation |
CN106850324B (en) | Virtual network interface object |
CN103580980B (en) | The method and device thereof that virtual network finds and automatically configures automatically |
CN110708393B (en) | Method, device and system for transmitting data |
US11240152B2 (en) | Exposing a subset of hosts on an overlay network to components external to the overlay network without exposing another subset of hosts on the overlay network |
CN111865621B (en) | Method and device for accessing gateway |
US20080192648A1 (en) | Method and system to create a virtual topology |
CN100518125C (en) | Communication apparatus, system, method |
US20130346591A1 (en) | Clientless Cloud Computing |
TW201229779A (en) | Providing virtual networks using multi-tenant relays |
US20080195756A1 (en) | Method and system to access a service utilizing a virtual communications device |
CN104869043B (en) | A kind of method and terminal for establishing VPN connection |
CN104221331A (en) | Layer 2 packet switching without look-up table for ethernet switches |
CN106685949A (en) | Container access method, container access device and container access system |
CN110177047B (en) | Message sending method, device, electronic equipment and computer readable storage medium |
CN106844489A (en) | A kind of file operation method, device and system |
CN107800781A (en) | A kind of configuration data processing method and device |
CN110996372B (en) | Message routing method, device and system and electronic equipment |
CN112202744A (en) | Multi-system data communication method and device |
CN101138215B (en) | Asynchronous network stack operation in an operating system independent environment |
CN102891900B (en) | A kind of method, apparatus and system of the domain name mapping in flow unloading |
CN110278558B (en) | Message interaction method and WLAN system |
CN115665026A (en) | Cluster networking method and device |
CN101790074B (en) | Method for downloading application of digital television receiving terminal, gateway server and system |
CN114980262A (en) | Access gateway selection method and device, storage medium and electronic equipment |
Legal Events
Code | Title |
---|---|
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |
GR01 | Patent grant |