CN108924138A - Method for realizing a fully transparent TCP proxy - Google Patents

Method for realizing a fully transparent TCP proxy

Info

Publication number
CN108924138A
Authority
CN
China
Prior art keywords
server
client
tcp
tcp proxy
message
Prior art date
Legal status
Granted
Application number
CN201810731684.0A
Other languages
Chinese (zh)
Other versions
CN108924138B (en)
Inventor
刘佳
范渊
吴永越
郑学新
刘韬
Current Assignee
Chengdu DBAPPSecurity Co Ltd
Original Assignee
Chengdu DBAPPSecurity Co Ltd
Priority date
Filing date
Publication date
Application filed by Chengdu DBAPPSecurity Co Ltd
Priority to CN201810731684.0A
Publication of CN108924138A
Application granted
Publication of CN108924138B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0281 Proxies
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/59 Network arrangements, protocols or services for addressing or naming using proxies for addressing

Abstract

The invention discloses a method for realizing a fully transparent TCP proxy. The TCP proxy server intercepts and caches the TCP SYN packets flowing from the Client to the Server, realizing MAC address transparency; the TCP proxy server inspects and copies the header fields of the packets exchanged between the Client and the Server, realizing transparency of the IP header TOS and TTL fields; and the TCP proxy server establishes a network namespace for the Client, realizing TCP port transparency. The invention thus realizes MAC address transparency, IP header TOS/TTL field transparency and TCP header port field transparency at the same time.

Description

Method for realizing a fully transparent TCP proxy
Technical field
The present invention relates to the technical field of network security, and specifically to a method for realizing a fully transparent TCP proxy.
Background technique
Security equipment now widely deployed in enterprise networks, such as behavior management devices and web application firewalls, must perform deep parsing of TCP traffic. Such equipment is typically deployed in the user's network in the role of a "man in the middle"; if it does not proxy the TCP connection, its control over the TCP connection is very coarse-grained.
For example, a non-proxy WAF can hardly modify one HTTP message of a session without affecting the other messages in the TCP flow. To reach a strong control granularity, TCP proxying is unavoidable. There are many kinds of TCP proxy, including forward proxies, reverse proxies and transparent proxies. A forward proxy requires configuration on the client and usually does not fit the usage scenario of a network security device. A reverse proxy means that the client does not perceive the proxy device: from the network's point of view, the proxy device takes the place of the original server. A reverse proxy may be transparent or opaque; if it is transparent, the impact on the user's network configuration and services is minimal. Transparent proxies therefore have broad application prospects in network security devices.
In fact, TCP transparent proxies are very widely used in security devices, because users generally expect a security device not to change the network environment that was originally deployed, not to affect existing business, and not to introduce complicated management. However, the overwhelming majority of security devices currently on the market do not implement a truly transparent TCP proxy, i.e. one that is simultaneously MAC address transparent, IP header transparent and TCP port transparent; they only realize IP address transparency. First, if the MAC address is not transparent, the intermediate device cannot act as a bridge in the user's network topology, and the user's network has to be modified. Some transparent proxy products use bridge packet capture to perform the proxy work, intending to achieve MAC address transparency, but without SYN caching the first connection still cannot be made MAC transparent. The reason is that when the proxy device replies to the Client's TCP connection request, the Server has not yet sent any packet to the intermediate device. If the TOS and TTL fields of the IP header are not transparent, the user's diagnostic tools may fail to work properly, or QoS policies may deviate. If the TCP port is not transparent, the load-balancing policy of the Server's network equipment, or of the TCP server itself, may deviate, and some user policies may be misjudged. In many scenarios, therefore, the proxy device still affects the user's network services.
TCP proxy software already exists on the market, such as haproxy; what is traditionally called "transparent" generally refers to transparency of the IP address only. Its approach is as follows: after the intermediate device receives the Client's TCP connection request, it directly impersonates the server and responds, establishing the connection between the Client and the intermediary; it then constructs packets according to the Client's request and sends them to the Server, establishing the connection with the Server. Once both connections are established, the data content is proxied. This proxy approach cannot achieve MAC address transparency, TOS and TTL transparency, or TCP port transparency. Some vendors introduce a Bridge into the proxy device, intending to make the TCP proxy MAC address transparent. The general procedure is:
1. ARP packets are forwarded directly by the Bridge, allowing the Client and the Server to learn each other's MAC address;
2. The proxy device receives the packet sent by the Client and records its destination MAC address;
3. When the proxy replies to the Client, it replaces the source MAC of the packet with the MAC address recorded in step 2, impersonating the Server's MAC address;
4. The proxy device receives the packet sent by the Server and records its destination MAC address;
5. When the proxy replies to the Server, it replaces the source MAC address of the packet with the MAC address recorded in step 4, impersonating the Client's MAC address.
This approach has a problem: the source MAC address used by the Server's data packets may not be the MAC address that the Client learned. One typical scenario is that the Server side of the proxy device is connected to a router on which ARP proxying is enabled. Another scenario is that the Server side of the proxy device is connected to a switch performing load balancing, which balances the data across two routers. Replacing the source MAC address of step 3 with the destination MAC address of the Server's reply packet is still problematic, because in the traditional scheme the Client first establishes its connection with the TCP proxy device, at which point the Server side has not yet sent any reply packet. The MAC address transparency scheme of this patent solves this problem. The present invention discloses a method for realizing a fully transparent TCP proxy, eliminating the adverse effect that an incompletely transparent proxy has on the user's network services.
Summary of the invention
The purpose of the present invention is to provide a method for realizing a fully transparent TCP proxy: based on TCP SYN packet caching and delayed MAC address learning, the MAC address of the TCP proxy is made transparent; by copying the Client's data, the TOS/TTL fields in the headers of the TCP proxy's packets are kept transparent; and by means of the network namespace technique, a network namespace is established so that the port of the TCP proxy is transparent.
The present invention is achieved through the following technical solution: a method for realizing a fully transparent TCP proxy, specifically comprising the following steps:
Step F1: the TCP proxy server intercepts and caches the TCP SYN packets flowing from the Client to the Server, realizing MAC address transparency;
Step F2: the TCP proxy server inspects and copies the header fields of the packets exchanged between the Client and the Server, realizing transparency of the IP header TOS and TTL fields;
Step F3: the TCP proxy server establishes a network namespace for the Client, realizing TCP port transparency.
Further, in order to better realize the present invention, the TCP proxy server comprises an interconnected TCP proxy module, Syn_handler module and Bridge, and the TCP proxy module comprises Tcpproxy_client, Tcpproxy_server and Fd_binder;
Step F1 specifically comprises the following steps:
Step F101: the Client issues a TCP SYN packet intending to establish a connection with the Server; the Bridge learns and records the source MAC of the Client;
Step F102: the TCP SYN packet issued by the Client reaches the TCP proxy server and is intercepted and cached by the Syn_handler module;
Step F103: the Syn_handler module sends a message to the TCP proxy module, notifying the TCP proxy module to record the five-tuple of the intercepted TCP SYN packet and to initiate a TCP connection with the Server;
Step F104: Tcpproxy_client in the TCP proxy module sends a TCP SYN packet to the Server through the Bridge, attempting to establish a connection with the Server;
Step F105: the Bridge in the TCP proxy server forwards the TCP SYN packet issued by Tcpproxy_client to the Server; the source MAC of the packets issued by the TCP proxy server is rewritten at this point to the MAC address of the Client, so that Tcpproxy_client impersonates the Client;
Step F106: the Server replies and completes the handshake with the TCP proxy module through the Bridge, establishing the connection; the Bridge performs layer-2 learning on the Server's reply packet and records the source MAC of the Server;
Step F107: the Bridge forwards the Server's reply packet to Tcpproxy_client; at the same time the TCP proxy module sends a confirmation to the Bridge and obtains the file descriptor Client fd of the connection with the Server;
Step F108: Tcpproxy_client of the TCP proxy module submits the connection's file descriptor Client fd to Fd_binder;
Step F109: the TCP proxy module notifies the Syn_handler module to release the original TCP SYN packet sent by the Client in step F102;
Step F110: the Syn_handler module submits the original TCP SYN packet sent by the Client to the TCP proxy module;
Step F111: the TCP proxy module replies to the Client with an ACK confirmation packet and completes the handshake with the Client through the Bridge; the source MAC of all packets issued by the TCP proxy server is modified to the MAC address of the Server; at this point the connection between the TCP proxy server and the Client is established, and the file descriptor Server fd of the connection with the Client is obtained;
Step F112: Tcpproxy_server of the TCP proxy module submits the connection's file descriptor Server fd to Fd_binder; Fd_binder associates the file descriptor Server fd with the file descriptor Client fd according to the five-tuple, binding them into an fd association group;
Step F113: Tcpproxy_server and Tcpproxy_client forward data through the fd association group bound by Fd_binder.
Further, in order to better realize the present invention, step F2 specifically comprises the following steps:
Step F201: the TCP proxy server inspects the header fields of the packets the Client sends to the Server;
Step F202: Tcpproxy_client copies the TOS and TTL values of the header fields of step F201 into the request packets the TCP proxy server sends to the Server;
Step F203: the TCP proxy server inspects the header fields of the packets the Server sends to the Client;
Step F204: Tcpproxy_server copies the TOS and TTL values of the header fields of step F203 into the request packets the TCP proxy server sends to the Client.
Further, in order to better realize the present invention, there are multiple Clients, each connected to the TCP proxy server; there are multiple network namespaces, in one-to-one correspondence with the multiple Clients; and each network namespace is connected to the Bridge;
Step F3 specifically comprises the following steps:
Step F301: any Client initiates a TCP SYN packet request, which is intercepted by the TCP proxy server;
Step F302: the TCP proxy server checks whether the received TCP SYN packet belongs to an already existing Client; if so, it finds the network namespace corresponding to that Client; if not, it creates a corresponding network namespace for the Client;
Step F303: the TCP SYN packet issued by the Client of step F301 is sent into the corresponding network namespace for processing;
Step F304: the TCP proxy module process establishes a connection with the Server and communicates through the network namespace of step F303; the IP address and TCP source port used by Tcpproxy_client are identical to those of the Client of step F301.
Working principle:
1. The TCP proxy server intercepts and forwards the data flow and control flow from the Client to the Server, realizing MAC address transparency.
2. The TCP proxy server inspects and copies the header fields of the packets exchanged between the Client and the Server, realizing transparency of the IP header TOS/TTL fields.
3. The TCP proxy server establishes a network namespace for the Client, realizing TCP port transparency.
Compared with the prior art, the present invention has the following advantages and beneficial effects:
(1) The present invention realizes MAC address transparency;
(2) The present invention realizes IP header TOS/TTL field transparency;
(3) The present invention realizes TCP header port field transparency.
Description of the drawings
Fig. 1 is a data and control flow diagram of the MAC-address-transparent proxy;
Fig. 2 is a schematic diagram of the principle of TOS/TTL field transparency;
Fig. 3 is a schematic diagram of the TCP-port-transparent proxy.
Specific embodiments
The present invention is described in further detail below with reference to embodiments; the embodiments of the present invention are not limited thereto.
Embodiment 1:
The present invention is achieved through the following technical solution. As shown in Figures 1 to 3, a method for realizing a fully transparent TCP proxy specifically comprises the following steps:
Step F1: the TCP proxy server intercepts and caches the TCP SYN packets flowing from the Client to the Server, realizing MAC address transparency;
Step F2: the TCP proxy server inspects and copies the header fields of the packets exchanged between the Client and the Server, realizing transparency of the IP header TOS/TTL fields;
Step F3: the TCP proxy server establishes a network namespace for the Client, realizing TCP port transparency.
It should be noted that, with the above improvement, the Client is the proxied TCP client and the Server is the proxied server. The present invention provides a method for realizing a fully transparent TCP proxy; its principle is to use TCP SYN packet caching to delay the response to the client and first obtain the MAC address of the server, which solves the problem that the MAC address is not transparent during the handshake phase and thereby realizes MAC address transparency.
The fields transmitted between the client and the server are copied, realizing transparency of the TTL and TOS fields of the IP header.
Using the network namespace technique, i.e. establishing a network namespace for the Client in the TCP proxy server, the port number in the TCP header is made transparent.
The other parts of this embodiment are the same as in the embodiment above and are not repeated here.
Embodiment 2:
This embodiment further optimizes the above embodiment. As shown in Figure 1, the TCP proxy server comprises an interconnected TCP proxy module, Syn_handler module and Bridge, and the TCP proxy module comprises Tcpproxy_client, Tcpproxy_server and Fd_binder;
Step F1 specifically comprises the following steps:
Step F101: the Client issues a TCP SYN packet intending to establish a connection with the Server; the Bridge learns and records the source MAC of the Client;
Step F102: the TCP SYN packet issued by the Client reaches the TCP proxy server and is intercepted and cached by the Syn_handler module;
Step F103: the Syn_handler module sends a message to the TCP proxy module, notifying the TCP proxy module to record the five-tuple of the intercepted TCP SYN packet and to initiate a TCP connection with the Server;
Step F104: Tcpproxy_client in the TCP proxy module sends a TCP SYN packet to the Server through the Bridge, attempting to establish a connection with the Server;
Step F105: the Bridge in the TCP proxy server forwards the TCP SYN packet issued by Tcpproxy_client to the Server; the source MAC of the packets issued by the TCP proxy server is rewritten at this point to the MAC address of the Client, so that Tcpproxy_client impersonates the Client;
Step F106: the Server replies and completes the handshake with the TCP proxy module through the Bridge, establishing the connection; the Bridge performs layer-2 learning on the Server's reply packet and records the source MAC of the Server;
Step F107: the Bridge forwards the Server's reply packet to Tcpproxy_client; at the same time the TCP proxy module sends a confirmation to the Bridge and obtains the file descriptor Client fd of the connection with the Server;
Step F108: Tcpproxy_client of the TCP proxy module submits the connection's file descriptor Client fd to Fd_binder;
Step F109: the TCP proxy module notifies the Syn_handler module to release the original TCP SYN packet sent by the Client in step F102;
Step F110: the Syn_handler module submits the original TCP SYN packet sent by the Client to the TCP proxy module;
Step F111: the TCP proxy module replies to the Client with an ACK confirmation packet and completes the handshake with the Client through the Bridge; the source MAC of all packets issued by the TCP proxy server is modified to the MAC address of the Server; at this point the connection between the TCP proxy server and the Client is established, and the file descriptor Server fd of the connection with the Client is obtained;
Step F112: Tcpproxy_server of the TCP proxy module submits the connection's file descriptor Server fd to Fd_binder; Fd_binder associates the file descriptor Server fd with the file descriptor Client fd according to the five-tuple, binding them into an fd association group;
Step F113: Tcpproxy_server and Tcpproxy_client forward data through the fd association group bound by Fd_binder.
It should be noted that, with the above improvement, steps F103, F108, F109 and F112 describe the control flow, and the remaining steps describe the data flow. The principle of this embodiment is to use TCP SYN packet caching to delay the response to the client and first obtain the Server's MAC address, which solves the problem that the MAC address is not transparent during the handshake phase and thereby realizes MAC address transparency.
The TCP proxy server comprises an interconnected TCP proxy module, Syn_handler module and Bridge, where the Bridge is a switch supporting traditional layer-2 forwarding. The TCP proxy module comprises the interconnected Tcpproxy_client, Tcpproxy_server and Fd_binder. The client (Client) sends a TCP SYN packet request to the server (Server) through the TCP proxy server, intending to establish a connection with the Server; the packet first passes through the Bridge, which learns and records the source MAC of the Client. The TCP SYN packet sent by the Client reaches the Syn_handler module through the Bridge and is intercepted and cached by the Syn_handler module. The Syn_handler module sends a message to Tcpproxy_server of the TCP proxy module, notifying Tcpproxy_server to record the five-tuple of the intercepted TCP SYN packet; the five-tuple comprises the source IP address, source port, destination IP address, destination port and transport-layer protocol. The TCP proxy module sends a TCP SYN packet to the Server through the Bridge, attempting to establish a connection with the Server. The TCP SYN packet issued by Tcpproxy_client of the TCP proxy module reaches the Server; at this point the source MAC of all packets issued by the TCP proxy server is changed to the MAC address of the Client, so that Tcpproxy_client communicates with the Server while impersonating the Client. The packets issued by the TCP proxy server include the TCP SYN packet and the ACK confirmation packet.
After receiving the packet, the Server replies, completes the handshake with the TCP proxy module and establishes the connection; the Bridge performs layer-2 learning on the Server's reply packet and records the source MAC of the Server. The Bridge forwards the Server's reply packet to Tcpproxy_client; the TCP proxy module sends the Bridge a message confirming receipt of the reply packet and obtains the file descriptor Client fd of the connection with the Server; Tcpproxy_client then submits the file descriptor Client fd to Fd_binder, and the TCP proxy module notifies the Syn_handler module to release the original TCP SYN packet sent by the Client. The Syn_handler module submits the original TCP SYN packet sent by the Client to the TCP proxy module; the TCP proxy module replies to the Client with an ACK confirmation packet and exchanges the handshake packets with the Client through the Bridge.
In the same way, the TCP SYN reply packet issued by Tcpproxy_server of the TCP proxy module reaches the Client; at this point the source MAC of the TCP SYN packet issued by the TCP proxy server is changed to the MAC address of the Server, thereby impersonating the Server, and the file descriptor Server fd is obtained. Tcpproxy_server of the TCP proxy module submits Server fd to Fd_binder, and Fd_binder associates Server fd with Client fd by the five-tuple, binding them into an fd association group. Tcpproxy_server and Tcpproxy_client forward data through the fd association group bound by Fd_binder.
The Client communicates over the proxied connection established with the TCP proxy module and believes that its peer is the Server, whereas it is actually Tcpproxy_server in the TCP proxy module in disguise; likewise the Server communicates over the established connection and believes that its peer is the Client, whereas it is actually Tcpproxy_client in the TCP proxy module in disguise.
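The first-connection problem from the background section and the SYN-cache handshake of steps F101 to F111 can be checked as a small in-memory model. The following Python is an added example, not code from the patent or its assignee: it uses constructed MAC and IP addresses and a constructed Server side whose replies come back through a second, load-balanced router, so that the MAC the Client learned via ARP differs from the source MAC on the Server's real frames.

```python
"""Added example: prior-art bridge scheme vs. SYN-cache scheme for MAC transparency.
All addresses and the Server-side behaviour are constructed; nothing is sent on a network."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed addresses. The Client resolved the Server's IP via ARP and got the proxy-ARP
# router's MAC, but the Server's return traffic is load-balanced through a second router.
MAC_CLIENT = "aa:aa:aa:aa:aa:01"
MAC_ROUTER_ARP = "bb:bb:bb:bb:bb:01"   # what the Client learned via ARP
MAC_ROUTER_LB = "bb:bb:bb:bb:bb:02"    # source MAC actually carried by Server replies
IP_CLIENT, IP_SERVER = "10.0.0.5", "10.0.0.80"

FiveTuple = Tuple[str, int, str, int, str]


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str  # "SYN" or "SYN-ACK"

    def five_tuple(self) -> FiveTuple:
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, "tcp")


def client_syn(src_port: int = 40000) -> Frame:
    """Step F101: the Client's SYN, addressed at layer 2 to the MAC it learned via ARP."""
    return Frame(MAC_CLIENT, MAC_ROUTER_ARP, IP_CLIENT, src_port, IP_SERVER, 80, "SYN")


def server_side_reply(syn: Frame) -> Frame:
    """Constructed model of everything beyond the proxy's Server port: the Server answers and
    its SYN-ACK returns through the load-balanced router, i.e. with a different source MAC."""
    return Frame(MAC_ROUTER_LB, syn.src_mac, syn.dst_ip, syn.dst_port,
                 syn.src_ip, syn.src_port, "SYN-ACK")


class PriorArtProxy:
    """Bridge-capture scheme from the background section: answer the Client at once using the
    destination MAC of its SYN as source MAC (steps 2/3), and learn the Server's MAC only after
    the Server has replied, which is too late for the first connection."""

    def __init__(self) -> None:
        self.server_mac: Optional[str] = None

    def handle_client_syn(self, syn: Frame) -> Frame:
        src_mac = self.server_mac or syn.dst_mac
        synack_to_client = Frame(src_mac, syn.src_mac, syn.dst_ip, syn.dst_port,
                                 syn.src_ip, syn.src_port, "SYN-ACK")
        # Only now does the proxy open its own connection and see the Server's real MAC.
        reply = server_side_reply(Frame(syn.src_mac, syn.dst_mac, syn.src_ip, syn.src_port,
                                        syn.dst_ip, syn.dst_port, "SYN"))
        self.server_mac = reply.src_mac
        return synack_to_client


class SynCacheProxy:
    """Steps F101-F111: Syn_handler caches the Client's SYN, Tcpproxy_client connects to the
    Server first (impersonating the Client's MAC), the Bridge learns the Server's MAC from
    the reply, and only then is the cached SYN released and answered with that MAC."""

    def __init__(self) -> None:
        self.syn_cache: Dict[FiveTuple, Frame] = {}  # Syn_handler module
        self.mac_table: Dict[str, str] = {}          # Bridge: IP -> learned source MAC

    def handle_client_syn(self, syn: Frame) -> Frame:
        self.mac_table[syn.src_ip] = syn.src_mac                        # F101
        self.syn_cache[syn.five_tuple()] = syn                          # F102
        upstream = Frame(syn.src_mac, syn.dst_mac, syn.src_ip, syn.src_port,
                         syn.dst_ip, syn.dst_port, "SYN")               # F104/F105
        reply = server_side_reply(upstream)                             # F106 handshake
        self.mac_table[reply.src_ip] = reply.src_mac                    # F106 layer-2 learning
        cached = self.syn_cache.pop(syn.five_tuple())                   # F109/F110 release
        return Frame(self.mac_table[cached.dst_ip], cached.src_mac,     # F111: Server's MAC
                     cached.dst_ip, cached.dst_port, cached.src_ip, cached.src_port, "SYN-ACK")


def first_connection_source_macs() -> Dict[str, str]:
    """Source MAC the Client sees on the very first SYN-ACK under each scheme, next to the
    MAC it would have seen with no proxy in the path at all."""
    syn = client_syn()
    return {
        "no_proxy": server_side_reply(syn).src_mac,
        "prior_art": PriorArtProxy().handle_client_syn(syn).src_mac,
        "syn_cache": SynCacheProxy().handle_client_syn(syn).src_mac,
    }


if __name__ == "__main__":
    for scheme, mac in first_connection_source_macs().items():
        print(f"{scheme:10s} -> {mac}")
```

The prior-art proxy only becomes MAC-consistent from the second connection onward, once it has seen a Server frame; the SYN-cache proxy matches the no-proxy path from the first handshake.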
The other parts of this embodiment are the same as in the embodiment above and are not repeated here.
Embodiment 3:
This embodiment further optimizes the above embodiment. As shown in Figure 2, step F2 specifically comprises the following steps:
Step F201: the TCP proxy server inspects the header fields of the packets the Client sends to the Server;
Step F202: Tcpproxy_client copies the TOS and TTL values of the header fields of step F201 into the request packets the TCP proxy server sends to the Server;
Step F203: the TCP proxy server inspects the header fields of the packets the Server sends to the Client;
Step F204: Tcpproxy_server copies the TOS and TTL values of the header fields of step F203 into the request packets the TCP proxy server sends to the Client.
It should be noted that, with the above improvement, the method for realizing TOS and TTL field transparency is as follows: the Client sends packets to the Server through the TCP proxy server; the TCP proxy server inspects the header fields of the packets, and Tcpproxy_client copies the TOS and TTL values of the packet header fields into the request packets the TCP proxy server sends to the Server.
In the same way, the Server sends packets to the Client through the TCP proxy server; the TCP proxy server inspects the header fields of the packets, and Tcpproxy_server copies the TOS and TTL values of the header fields into the request packets the TCP proxy server sends to the Client.
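To make steps F202 and F204 concrete, the following Python is an added example, not code from the patent: it parses a constructed IPv4 header, copies its TOS and TTL into the header the proxy's own stack would otherwise emit, and recomputes the header checksum so the rewritten header is valid. The packet contents and addresses are constructed, and a 20-byte fixed header without options is assumed for the proxy-built packet.

```python
"""Added example: copy IPv4 TOS and TTL from an observed packet into a proxy-built packet
(steps F202/F204) and recompute the header checksum. Pure Python, runs offline."""
import struct
from ipaddress import IPv4Address

IPV4_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over the header; returns 0 when the header is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(pkt: bytes) -> dict:
    """Extract the fields the proxy inspects (F201/F203) and verify the header checksum."""
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_FMT, pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl or total_len < ihl or len(pkt) < total_len:
        raise ValueError("bad IHL or total length")
    return {
        "tos": tos, "ttl": ttl, "proto": proto, "ident": ident, "flags_frag": flags_frag,
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        "ihl": ihl, "total_len": total_len,
        "checksum_ok": ipv4_checksum(pkt[:ihl]) == 0,
        "payload": pkt[ihl:total_len],
    }


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, tos: int = 0,
               ttl: int = 64, ident: int = 0, flags_frag: int = 0x4000) -> bytes:
    """Build a 20-byte IPv4 header plus payload with a correct checksum (DF set by default)."""
    total_len = 20 + len(payload)
    hdr = struct.pack(IPV4_FMT, 0x45, tos, total_len, ident, flags_frag, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def copy_tos_ttl(observed: bytes, proxy_pkt: bytes) -> bytes:
    """Steps F202/F204: write the observed packet's TOS and TTL into the packet the proxy is
    about to send on the other side, then recompute the checksum of the rewritten header."""
    obs = parse_ipv4(observed)
    if not obs["checksum_ok"]:
        raise ValueError("observed header has a bad checksum; not copying its fields")
    ihl = parse_ipv4(proxy_pkt)["ihl"]
    hdr = bytearray(proxy_pkt[:ihl])
    hdr[1] = obs["tos"]        # TOS byte
    hdr[8] = obs["ttl"]        # TTL byte
    hdr[10:12] = b"\x00\x00"   # zero the checksum before recomputing it
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + proxy_pkt[ihl:]


# Constructed sample: a Client packet carrying TOS 0x10 and a TTL of 57 (it has already crossed
# some hops), and the packet the proxy's own stack would emit for it (TOS 0, TTL 64).
CLIENT_PKT = build_ipv4("10.0.0.5", "10.0.0.80", 6, b"\x00" * 20, tos=0x10, ttl=57, ident=0x1234)
PROXY_PKT = build_ipv4("10.0.0.5", "10.0.0.80", 6, b"\x00" * 20, ident=0x1234)
FORWARDED = copy_tos_ttl(CLIENT_PKT, PROXY_PKT)

if __name__ == "__main__":
    for name, pkt in (("client", CLIENT_PKT), ("proxy default", PROXY_PKT), ("forwarded", FORWARDED)):
        f = parse_ipv4(pkt)
        print(f"{name:14s} tos=0x{f['tos']:02x} ttl={f['ttl']} checksum_ok={f['checksum_ok']}")
```

A real proxy would apply the same rewrite at the point where it emits packets (a raw socket or a netfilter hook); the checksum step is what keeps the rewritten header valid on the wire.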
The other parts of this embodiment are the same as in the embodiment above and are not repeated here.
Embodiment 4:
This embodiment further optimizes the above embodiment. As shown in Figure 3, there are multiple Clients, each connected to the TCP proxy server; there are multiple network namespaces, in one-to-one correspondence with the multiple Clients; and each network namespace is connected to the Bridge;
Step F3 specifically comprises the following steps:
Step F301: any Client initiates a TCP SYN packet request, which is intercepted by the TCP proxy server;
Step F302: the TCP proxy server checks whether the received TCP SYN packet belongs to an already existing Client; if so, it finds the network namespace corresponding to that Client; if not, it creates a corresponding network namespace for the Client;
Step F303: the TCP SYN packet issued by the Client of step F301 is sent into the corresponding network namespace for processing;
Step F304: the TCP proxy module process establishes a connection with the Server and communicates through the network namespace of step F303; the IP address and TCP source port used by Tcpproxy_client are identical to those of the Client of step F301.
It should be noted that, with the above improvement, the number of Clients is in practice usually large, and each Client may also establish multiple connections with the Server, which leads to the problem of insufficient ports on the TCP proxy server. In order to support more than 65536 concurrent ports, the common practice of existing TCP proxy servers is to configure multiple virtual IP addresses, so that the source IP address of the new five-tuple differs when the TCP proxy server establishes a new connection. Selecting a different virtual IP address for each Client is often infeasible, because the number of virtual IP addresses a network usually allows to be configured is limited, whereas the number of Clients is very large.
The present invention proposes a new approach: a network namespace is established for each Client instead of using different virtual IP addresses. The virtual IP address used in each network namespace can be the same, and the port can also be the same, so the isolation provided by network namespaces solves the limit on the number of concurrent connections while also making the source port fully transparent.
Assuming there are N Clients, there are also N network namespaces, in one-to-one correspondence with the Clients; a network namespace is abbreviated ns, and each is attached to the Bridge, which is the same module as the Bridge described in the previous embodiments. When ClientX initiates a connection request to the TCP proxy module, the request is intercepted by the TCP proxy server; the TCP proxy server checks whether the received packet belongs to an already existing Client, and if not, creates a corresponding network namespaceX for ClientX. The packets ClientX sends to the TCP proxy module are then sent into network namespaceX for processing; the TCP proxy module process establishes a connection with the Server and communicates within network namespaceX, and the IP address and TCP source port used by Tcpproxy_client are identical to those of ClientX, thereby realizing TCP port transparency.
The other parts of this embodiment are the same as in the embodiment above and are not repeated here.
The above are only preferred embodiments of the present invention and do not limit the present invention in any form; any simple modification or equivalent variation of the above embodiments made according to the technical spirit of the present invention falls within the scope of protection of the present invention.

Claims (4)

1. a kind of method for realizing that TCP agent is fully transparent, it is characterised in that:Specifically include following steps:
Step F1:TCP agent server is intercepted and is cached by flowing to the TCP Syn message of Server to Client, real Existing MAC Address is transparent;
Step F2:The inspection of TCP agent server simultaneously copies the header field mutually sent out between Client and Server, realizes The head IP TOS and ttl field are transparent;
Step F3:TCP agent server is that Client establishes network namespace, realizes that TCP port is transparent.
2. a kind of method for realizing that TCP agent is fully transparent according to claim 1, it is characterised in that:The TCP agent Server includes TCP agent module interconnected, Syn_handler module, Bridge, and the TCP agent module includes Tcpproxy_client,Tcpproxy_server,Fd_binder;
The step F1 specifically includes following steps:
Step F101: The Client sends a TCP SYN request, intending to establish a connection with the Server; the Bridge learns and records the Client's source MAC address.
Step F102: The TCP SYN sent by the Client reaches the TCP proxy server, where it is intercepted and cached by the Syn_handler module.
Step F103: The Syn_handler module sends a message to the TCP proxy module, notifying it to record the five-tuple of the intercepted TCP SYN and to initiate a TCP connection to the Server.
Step F104: Tcpproxy_client in the TCP proxy module sends a TCP SYN to the Server through the Bridge, attempting to establish a connection with the Server.
Step F105: The Bridge forwards the TCP SYN sent by Tcpproxy_client in the TCP proxy server to the Server; at this point the source MAC of the messages sent by the TCP proxy server is rewritten to the Client's MAC address, so that Tcpproxy_client masquerades as the Client.
Step F106: The Server replies and completes the handshake with the TCP proxy module through the Bridge; the Bridge performs layer-2 learning on the Server's reply and records the Server's source MAC address.
Step F107: The Bridge forwards the Server's reply to Tcpproxy_client, while the TCP proxy module sends an acknowledgment to the Bridge and obtains the file descriptor Client fd of the connection with the Server.
Step F108: Tcpproxy_client in the TCP proxy module submits the connection's file descriptor Client fd to Fd_binder.
Step F109: The TCP proxy module notifies the Syn_handler module to release the original TCP SYN sent by the Client in step F102.
Step F110: The Syn_handler module submits the original TCP SYN sent by the Client to the TCP proxy module.
Step F111: The TCP proxy module replies to the Client with an ACK confirmation and completes the handshake with the Client through the Bridge; the source MAC of all messages sent by the TCP proxy server in this exchange is rewritten to the Server's MAC address. The connection between the TCP proxy server and the Client is thereby established, and the file descriptor Server fd of the connection with the Client is obtained.
Step F112: Tcpproxy_server in the TCP proxy module submits the connection's file descriptor Server fd to Fd_binder; Fd_binder associates Server fd and Client fd according to the five-tuple information into a bound fd association group.
Step F113: Tcpproxy_server and Tcpproxy_client forward data through the fd association group bound by Fd_binder.
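The two legs of a proxied connection are opened at different times (Client fd in step F108, Server fd in step F112) and only become useful once both are present, so the Fd_binder's job is a lookup keyed on the five-tuple. The model below is an added example and not code from the patent or its assignee; the names FdBinder, FdGroup and relay_once, the use of the Client's source IP/port plus the Server's IP/port as the key, and the AF_UNIX socketpairs that stand in for the two TCP legs are all assumptions made for the demonstration. It keeps the claims' naming: "Client fd" is the leg towards the Server (owned by Tcpproxy_client) and "Server fd" is the leg towards the Client (owned by Tcpproxy_server).

```python
import select
import socket
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Five-tuple as recorded from the intercepted SYN in step F103:
# (protocol, client ip, client port, server ip, server port).  Assumed layout.
FiveTuple = Tuple[str, str, int, str, int]


@dataclass
class FdGroup:
    """One bound association group (step F112)."""
    client_fd: Optional[socket.socket] = None  # proxy <-> Server leg ("Client fd")
    server_fd: Optional[socket.socket] = None  # proxy <-> Client leg ("Server fd")

    def complete(self) -> bool:
        return self.client_fd is not None and self.server_fd is not None


class FdBinder:
    """Hypothetical model of the Fd_binder module: either leg may be submitted
    first; the group is ready once both legs for the same five-tuple exist."""

    def __init__(self) -> None:
        self._groups: Dict[FiveTuple, FdGroup] = {}

    def submit_client_fd(self, key: FiveTuple, fd: socket.socket) -> bool:
        group = self._groups.setdefault(key, FdGroup())
        group.client_fd = fd
        return group.complete()

    def submit_server_fd(self, key: FiveTuple, fd: socket.socket) -> bool:
        group = self._groups.setdefault(key, FdGroup())
        group.server_fd = fd
        return group.complete()

    def group(self, key: FiveTuple) -> Optional[FdGroup]:
        return self._groups.get(key)

    def unbind(self, key: FiveTuple) -> None:
        self._groups.pop(key, None)


def relay_once(group: FdGroup, timeout: float = 1.0, bufsize: int = 4096) -> int:
    """One forwarding pass of step F113: bytes readable on either leg are copied
    to the other leg.  Returns the number of bytes moved (0 on timeout)."""
    if not group.complete():
        raise RuntimeError("fd association group is not bound yet")
    peer = {group.client_fd: group.server_fd, group.server_fd: group.client_fd}
    readable, _, _ = select.select(list(peer), [], [], timeout)
    moved = 0
    for src in readable:
        data = src.recv(bufsize)
        if not data:                      # EOF on one leg: propagate the half-close
            peer[src].shutdown(socket.SHUT_WR)
            continue
        peer[src].sendall(data)
        moved += len(data)
    return moved


def demo() -> bytes:
    """Constructed end-to-end run: socketpairs replace the two TCP legs.
    Returns what the 'Server' side receives after one relay pass."""
    key: FiveTuple = ("tcp", "10.0.0.2", 40000, "10.0.0.10", 80)   # constructed
    client_app, proxy_to_client = socket.socketpair()   # Client <-> Tcpproxy_server
    proxy_to_server, server_app = socket.socketpair()   # Tcpproxy_client <-> Server
    binder = FdBinder()
    if binder.submit_client_fd(key, proxy_to_server):   # F108: first leg alone
        raise RuntimeError("group must not be complete with one leg")
    if not binder.submit_server_fd(key, proxy_to_client):  # F112: now bound
        raise RuntimeError("group should be complete")
    client_app.sendall(b"GET / HTTP/1.0\r\n\r\n")        # constructed payload
    relay_once(binder.group(key))
    received = server_app.recv(4096)
    for s in (client_app, proxy_to_client, proxy_to_server, server_app):
        s.close()
    binder.unbind(key)
    return received


if __name__ == "__main__":
    print(demo())
```

A real deployment would drive relay_once from an event loop and call unbind when both legs have closed; the point the model makes is that the five-tuple, not the arrival order of the two sockets, identifies the pair, which is what lets the SYN intercepted in step F102 be matched to the Server-side connection opened in step F104.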
3. The method for realizing a fully transparent TCP proxy according to claim 1, characterized in that step F2 specifically comprises the following steps:
Step F201: The TCP proxy server inspects the header fields of the packets the Client sends to the Server;
Step F202: Tcpproxy_client copies the TOS and TTL values of the header fields from step F201 into the request messages the TCP proxy server sends to the Server;
Step F203: The TCP proxy server inspects the header fields of the packets the Server sends to the Client;
Step F204: Tcpproxy_server copies the TOS and TTL values of the header fields from step F203 into the request messages the TCP proxy server sends to the Client.
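Copying TOS and TTL is what keeps the proxy invisible at layer 3: a Server (or a middlebox) that compares those fields across a session would otherwise see a hop that does not exist. The following Linux example is added here and is not the patent's code: it reads both fields from an IPv4 header (steps F201/F203) and stamps them onto the proxy's own outbound socket with IP_TOS and IP_TTL (steps F202/F204). The helper names, the hand-built header used as input and the choice to take the values from a raw header rather than from IP_RECVTOS/IP_RECVTTL ancillary data are assumptions for the demonstration.

```python
import socket
import struct
from typing import Tuple

IPV4_MIN_HEADER = 20


def extract_tos_ttl(packet: bytes) -> Tuple[int, int]:
    """Steps F201/F203: TOS is byte 1 and TTL is byte 8 of an IPv4 header.
    Anything that is not IPv4 is rejected rather than guessed at."""
    if len(packet) < IPV4_MIN_HEADER:
        raise ValueError("truncated IPv4 header")
    version_ihl, tos = struct.unpack_from("!BB", packet, 0)
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ttl = packet[8]
    return tos, ttl


def apply_tos_ttl(sock: socket.socket, tos: int, ttl: int) -> Tuple[int, int]:
    """Steps F202/F204: set the socket options so the kernel stamps every
    segment it sends with the observed values.  Returns what the kernel
    reports back so the copy can be verified.  Linux only."""
    if not 0 <= tos <= 255 or not 1 <= ttl <= 255:
        raise ValueError("TOS must be 0..255 and TTL 1..255")
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_TOS, tos)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, ttl)
    return (sock.getsockopt(socket.IPPROTO_IP, socket.IP_TOS),
            sock.getsockopt(socket.IPPROTO_IP, socket.IP_TTL))


def build_ipv4_header(tos: int, ttl: int, src: str, dst: str, proto: int = 6) -> bytes:
    """Constructed sample header (total length 40, DF set, checksum left zero)
    used only as input for the demonstration."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0, 0x4000, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def mirror(client_packet: bytes, outbound: socket.socket) -> Tuple[int, int]:
    """What Tcpproxy_client does per observed packet: read, then copy."""
    tos, ttl = extract_tos_ttl(client_packet)
    return apply_tos_ttl(outbound, tos, ttl)


def mirror_on_new_socket(client_packet: bytes) -> Tuple[int, int]:
    """Runs mirror() on a fresh, unconnected TCP socket and returns the
    values read back; nothing is sent on the wire."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        return mirror(client_packet, s)
    finally:
        s.close()


if __name__ == "__main__":
    sample = build_ipv4_header(0xB8, 37, "10.0.0.2", "10.0.0.10")  # constructed
    print(mirror_on_new_socket(sample))
```

One caveat worth knowing when verifying the copy: for a TCP socket Linux keeps the socket's existing ECN bits (the low two bits of TOS) when IP_TOS is set, so compare the DSCP part rather than the whole byte if the observed traffic carries ECN markings; the sample above uses a value with those bits clear.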
4. The method for realizing a fully transparent TCP proxy according to claim 2, characterized in that there are multiple Clients, each connected to the TCP proxy server; there are multiple network namespaces in one-to-one correspondence with the multiple Clients; and each network namespace is connected to the Bridge;
Step F3 specifically comprises the following steps:
Step F301: Any one Client initiates a TCP SYN request, which is intercepted by the TCP proxy server;
Step F302: The TCP proxy server checks whether the received TCP SYN belongs to an already existing Client; if so, it finds the network namespace corresponding to that Client; if not, it creates a corresponding network namespace for that Client;
Step F303: The TCP SYN sent by the Client in step F301 is handed to the corresponding network namespace for processing;
Step F304: The TCP proxy module process establishes the connection with the Server and communicates through the network namespace of step F303; the IP address and TCP source port used by Tcpproxy_client are identical to those of the Client in step F301.
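Step F302 is a lookup-or-create decision keyed on the Client's identity, and step F304 requires the proxy's Server-side socket to carry the Client's exact source IP and port. The example below is added here and is not the patent's implementation: it models the dispatcher, emits the iproute2 commands that would provision a namespace attached to the Bridge, and shows the Linux socket setup (IP_TRANSPARENT, which needs CAP_NET_ADMIN and must run inside the Client's namespace) that a non-local bind relies on. Using the Client's source IP as its identity, the ns<N>/veth-ns<N> naming, the bridge name br0 and the veth attachment commands are all assumptions; the patent does not specify how the namespaces are wired to the Bridge.

```python
import socket
from typing import Callable, Dict, List, Tuple

# (protocol, client ip, client port, server ip, server port); assumed layout.
FiveTuple = Tuple[str, str, int, str, int]


def client_identity(syn: FiveTuple) -> str:
    """Assumption for this model: a Client is identified by its source IP, so
    every SYN from that IP, whatever its port or destination, shares a namespace."""
    return syn[1]


class NamespaceDispatcher:
    """Models step F302.  `create` is the side effect that actually provisions
    a namespace (e.g. runs provisioning_commands); injected so it can be faked."""

    def __init__(self, create: Callable[[str], None], bridge: str = "br0") -> None:
        self._create = create
        self._bridge = bridge
        self._by_client: Dict[str, str] = {}
        self._next = 1

    def netns_for(self, syn: FiveTuple) -> Tuple[str, bool]:
        """Returns (namespace name, created_now)."""
        ident = client_identity(syn)
        ns = self._by_client.get(ident)
        if ns is not None:
            return ns, False                 # existing Client: reuse (F302, "if so")
        ns = f"ns{self._next}"               # new Client: allocate (F302, "if not")
        self._next += 1
        self._create(ns)
        self._by_client[ident] = ns
        return ns, True

    def provisioning_commands(self, ns: str) -> List[str]:
        """iproute2 commands that create the namespace and hook a veth pair
        between it and the Bridge (assumed wiring; interface names stay under
        the 15-character limit for any ns index up to 9999)."""
        veth, peer = f"veth-{ns}", f"veth-{ns}-br"
        return [
            f"ip netns add {ns}",
            f"ip link add {veth} type veth peer name {peer}",
            f"ip link set {peer} master {self._bridge}",
            f"ip link set {peer} up",
            f"ip link set {veth} netns {ns}",
            f"ip netns exec {ns} ip link set {veth} up",
        ]


def spoofed_client_socket(client_ip: str, client_port: int) -> socket.socket:
    """Step F304: bind the proxy's Server-side leg to the Client's own IP:port.
    Needs CAP_NET_ADMIN and must be called after entering the Client's namespace
    (setns(2)); not exercised by the offline demonstration."""
    ip_transparent = getattr(socket, "IP_TRANSPARENT", 19)   # 19 is the Linux value
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_IP, ip_transparent, 1)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((client_ip, client_port))
    return s


if __name__ == "__main__":
    created: List[str] = []
    d = NamespaceDispatcher(created.append)
    print(d.netns_for(("tcp", "10.0.0.2", 40000, "10.0.0.10", 80)))   # constructed
    print(d.netns_for(("tcp", "10.0.0.2", 40001, "10.0.0.11", 443)))  # same Client
    print(d.provisioning_commands("ns1"))
```

Because the namespace is allocated on the first SYN and never torn down here, an operator would also want an idle timer or a cap on the number of namespaces, otherwise a burst of SYNs from many new source addresses translates directly into kernel resources on the proxy.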
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810731684.0A CN108924138B (en) 2018-07-05 2018-07-05 Method for realizing TCP proxy complete transparency

Publications (2)

Publication Number Publication Date
CN108924138A true CN108924138A (en) 2018-11-30
CN108924138B CN108924138B (en) 2020-10-23

Family

ID=64424191

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810731684.0A Active CN108924138B (en) 2018-07-05 2018-07-05 Method for realizing TCP proxy complete transparency

Country Status (1)

Country Link
CN (1) CN108924138B (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111147446A (en) * 2019-11-29 2020-05-12 深圳震有科技股份有限公司 Media IP proxy method and equipment
CN111431943A (en) * 2020-06-10 2020-07-17 之江实验室 Mimicry system and TCP proxy method thereof
CN112104744A (en) * 2020-03-30 2020-12-18 厦门网宿有限公司 Traffic proxy method, server and storage medium
CN112104754A (en) * 2020-11-18 2020-12-18 腾讯科技(深圳)有限公司 Network proxy method, system, device, equipment and storage medium
CN114301996A (en) * 2021-12-10 2022-04-08 山石网科通信技术股份有限公司 Transmission data processing method and device
CN114401265A (en) * 2021-12-15 2022-04-26 中孚安全技术有限公司 TCP transparent proxy implementation method, system and device based on remote desktop protocol
CN115150205A (en) * 2022-09-05 2022-10-04 南京华盾电力信息安全测评有限公司 Non-invasive instruction safety protection method, device, medium and equipment
WO2022268137A1 (en) * 2021-06-23 2022-12-29 中兴通讯股份有限公司 Tcp connection method, system, network device, and storage medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090282471A1 (en) * 2008-05-07 2009-11-12 Secure Computing Corporation Named sockets in a firewall
CN101674177A (en) * 2009-10-21 2010-03-17 北京高信达网络科技有限公司 Method and device for detecting transparent proxy
CN102761534A (en) * 2011-04-29 2012-10-31 北京瑞星信息技术有限公司 Method and device for realizing transparent proxy of media access control layer
CN103428095A (en) * 2013-08-26 2013-12-04 深信服网络科技(深圳)有限公司 Proxy server and proxy method thereof
CN103491065A (en) * 2012-06-14 2014-01-01 中兴通讯股份有限公司 Transparent proxy and transparent proxy realization method
US8806011B1 (en) * 2014-01-06 2014-08-12 Cloudflare, Inc. Transparent bridging of transmission control protocol (TCP) connections
CN106657076A (en) * 2016-12-26 2017-05-10 北京神州绿盟信息安全科技股份有限公司 TCP service implementation method and device of network namespace

Also Published As

Publication number Publication date
CN108924138B (en) 2020-10-23

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant