Detailed Description
Embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While certain embodiments of the present disclosure are shown in the drawings, it is to be understood that the present disclosure may be embodied in various forms and should not be construed as limited to the embodiments set forth herein, but rather are provided for a more thorough and complete understanding of the present disclosure. It should be understood that the drawings and embodiments of the disclosure are for illustration purposes only and are not intended to limit the scope of the disclosure.
It should be understood that the various steps recited in the method embodiments of the present disclosure may be performed in a different order, and/or performed in parallel. Moreover, method embodiments may include additional steps and/or omit performing the illustrated steps. The scope of the present disclosure is not limited in this respect.
The term "include" and variations thereof as used herein are open-ended, i.e., "including but not limited to". The term "based on" is "based, at least in part, on". The term "one embodiment" means "at least one embodiment"; the term "another embodiment" means "at least one additional embodiment"; the term "some embodiments" means "at least some embodiments". Relevant definitions for other terms will be given in the following description.
It should be noted that the terms "first", "second", and the like in the present disclosure are only used for distinguishing different devices, modules or units, and are not used for limiting the order or interdependence relationship of the functions performed by the devices, modules or units.
It is noted that references to "a", "an", and "the" in this disclosure are intended to be illustrative rather than limiting, and that those skilled in the art will recognize that "one or more" is meant unless the context clearly dictates otherwise.
The names of messages or information exchanged between devices in the embodiments of the present disclosure are for illustrative purposes only, and are not intended to limit the scope of the messages or information.
An embodiment of the present disclosure provides a network resource access control method, which may be applied to a gateway. Fig. 1 is a flowchart illustrating a network resource access control method according to an embodiment of the present disclosure. As shown in fig. 1, the method comprises the steps of:
Step S11, determining, according to an access control list rule, the network resource set to which the user identity information in a data packet sent by the user side has access rights.
The access control list rule comprises the correspondence between each item of user identity information and the network resource set to which that user identity information has access rights. The user identity information may be a source IP address, in which case the correspondence between each item of user identity information and the network resource set to which it has access rights is the correspondence between each source IP address and a network resource set. The network resource set to which the user side has access rights is then determined from the source IP address in the data packet sent by the user side.
Step S12, determining the target network resource requested to be accessed by the user end according to the destination information in the data packet.
Step S13, forwarding the data packet to the target network resource when the target network resource belongs to the network resource set.
In step S13, when the network resource set includes the target network resource, the target network resource belongs to the network resource set; that is, the target network resource that the data packet sent by the client is to access lies within the access rights of the client, and the data packet is forwarded to the target network resource.
Through this technical solution, the access control list (ACL) rule is set according to user identity information that uniquely identifies the user, such as a source IP address. If the number of employees increases, the network segments do not need to be divided again, so that resource waste is avoided.
Optionally, the method further comprises establishing the access control list rule by:
calculating a BitMap value of each type of network resource through a BitMap algorithm according to the identification information of that type of network resource, and calculating the BitMap values of the network resource sets according to the BitMap values of the types of network resource, wherein each network resource set comprises at least one type of network resource.
Network resources can be divided into a plurality of types; for example, the network resources of an intranet can be divided into three types, namely an office system, a research and development system and a financial system. The identification information of each type of network resource is unique; for example, each type of network resource may be numbered, and the number serves as the identification information of that type. Calculating the BitMap value of each type of network resource through a BitMap algorithm according to its identification information then means calculating the BitMap value of each type from its number. For example, if the numbers of the office system, the research and development system and the financial system are 1, 2 and 3 respectively, the BitMap values obtained through the BitMap algorithm are 0010, 0100 and 1000 respectively. The BitMap value may be expressed in 8 bits, 16 bits, or the like, with the missing positions padded with 0. For a network resource set, an OR operation is performed on the BitMap values of the types of network resource included in the set, and the result is the BitMap value of the network resource set.
Taking the identity information of each user as the primary key and the BitMap value of the network resource set to which that identity information has access rights as the value, establishing a correspondence between the identity information of each user and the BitMap value of the network resource set to which it has access rights, and storing the correspondence in a first hash table.
For example, when the network resource set to which an item of user identity information has access rights consists of the office system and the research and development system, the BitMap value of that set is the OR of the BitMap value of the office system and the BitMap value of the research and development system, that is, the OR of 0010 and 0100, which is 0110. The user identity information is then used as the primary key and 0110 as the value, and the pair is stored in the first hash table.
By adopting the technical scheme, the BitMap algorithm can save storage space and accelerate query speed.
Optionally, the user identity information is an initial IP address of the user side, and the method further includes:
when it is detected that the IP address associated with the user account of the user side differs from the initial IP address, replacing the initial IP address of the user side in the first hash table with the detected IP address.
When a user goes to an office area other than the one the user belongs to, and the user side connects to the WiFi of that office area, the IP address of the user side changes, while the user can still be identified by the user account logged in on the user side. If the access control list rule were set simply by source IP address, then when the user travels to another office the source IP address of the user side changes, the set of network resources the user side can access changes with it, and effective network authority management through the access control list rule is no longer possible. With this technical solution, when the IP address associated with the user account of the user side is detected to differ from the initial IP address, the initial IP address of the user side in the first hash table is replaced by the detected IP address, so that when the user travels to another office the network resource set the user can access is unchanged, that is, the user's access rights are unchanged.
Optionally, the first hash table includes a primary hash table and a secondary hash table, and replacing the initial IP address of the user end in the first hash table with the detected IP address includes:
replacing the initial IP address of the user side in the secondary hash table with the detected IP address to update the secondary hash table.
after the update of the secondary hash table is finished, setting the secondary hash table as the primary hash table and the original primary hash table as the secondary hash table.
Determining, according to the access control list rule, the network resource set to which the user identity information in the data packet sent by the user side has access rights includes:
determining, according to the primary hash table, the network resource set to which the user identity information in the data packet sent by the user side has access rights.
Through this technical solution, a primary hash table and a secondary hash table are provided: the lookup operation (of the network resource set to which the user identity information has access rights) is performed on the primary hash table, the update operation (of the user identity information) is performed on the secondary hash table, and when the update is complete the roles of the primary and secondary hash tables are swapped. Thus, lock-free operation is achieved and the performance bottleneck is removed.
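The primary/secondary table swap described above, written out as an added example (this is not the disclosure's own code): a small fixed-size open-addressing table stands in for the first hash table, the lookup path reads only the table the `primary` pointer designates, and the update path rewrites the user's key in the other table and then publishes it with a release store. The user-side addresses 10.0.1.10 and 10.0.1.20 and the roaming address 10.0.2.5 are constructed; the BitMap values 0110 and 1010 are those of users A and B in fig. 2.

```c
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the disclosure's own code. The first hash table is
 * modelled as a fixed-size open-addressing table keyed by source IP; the
 * user-side addresses and the roaming address are constructed. */

#define TABLE_SLOTS 64

struct acl_entry {
    uint32_t src_ip;      /* user identity information (primary key) */
    uint32_t set_bitmap;  /* BitMap value of the set the user may access */
    int      used;
};
struct acl_table { struct acl_entry slots[TABLE_SLOTS]; };

/* Two physical tables. `primary` is the one the packet-receiving path
 * reads; the other is the secondary table that updates are applied to. */
static struct acl_table tables[2];
static _Atomic(struct acl_table *) primary = &tables[0];

/* Fibonacci hash of the IP to a 6-bit slot index. */
static unsigned slot_of(uint32_t ip) { return (ip * 2654435761u) >> 26; }

static int table_put(struct acl_table *t, uint32_t ip, uint32_t bitmap) {
    unsigned s = slot_of(ip);
    for (unsigned i = 0; i < TABLE_SLOTS; i++, s = (s + 1) % TABLE_SLOTS) {
        if (!t->slots[s].used || t->slots[s].src_ip == ip) {
            t->slots[s] = (struct acl_entry){ ip, bitmap, 1 };
            return 1;
        }
    }
    return 0; /* table full */
}

static int table_get(const struct acl_table *t, uint32_t ip, uint32_t *bitmap) {
    unsigned s = slot_of(ip);
    /* No deletions ever happen in place, so an empty slot ends the probe. */
    for (unsigned i = 0; i < TABLE_SLOTS && t->slots[s].used; i++, s = (s + 1) % TABLE_SLOTS)
        if (t->slots[s].src_ip == ip) { *bitmap = t->slots[s].set_bitmap; return 1; }
    return 0;
}

/* Step S11 on the data path: read the primary table only. An unknown
 * source IP yields the empty set (0), so the later AND drops the packet. */
static uint32_t acl_lookup(uint32_t src_ip) {
    const struct acl_table *t = atomic_load_explicit(&primary, memory_order_acquire);
    uint32_t bm;
    return table_get(t, src_ip, &bm) ? bm : 0;
}

/* Control path: the account previously seen at old_ip now appears at new_ip.
 * Rebuild the secondary table from the primary with that key rewritten, then
 * publish it by swapping the primary pointer. Readers observe either the old
 * or the new table, never a half-written one, and take no lock.
 * Returns the number of entries whose key was rewritten. */
static int acl_replace_ip(uint32_t old_ip, uint32_t new_ip) {
    struct acl_table *cur = atomic_load_explicit(&primary, memory_order_acquire);
    struct acl_table *sec = (cur == &tables[0]) ? &tables[1] : &tables[0];
    int rewritten = 0;

    memset(sec, 0, sizeof *sec);
    for (unsigned i = 0; i < TABLE_SLOTS; i++) {
        if (!cur->slots[i].used) continue;
        uint32_t key = cur->slots[i].src_ip;
        if (key == old_ip) { key = new_ip; rewritten++; }
        table_put(sec, key, cur->slots[i].set_bitmap); /* an existing new_ip entry is overwritten */
    }
    atomic_store_explicit(&primary, sec, memory_order_release); /* swap the roles */
    return rewritten;
}

/* Load fig. 2's users A (office + R&D = 0110) and B (office + finance = 1010)
 * under constructed office addresses. Returns the number of entries loaded. */
static int acl_init_example(void) {
    struct acl_table *t = atomic_load_explicit(&primary, memory_order_acquire);
    memset(t, 0, sizeof *t);
    table_put(t, 0x0A00010Au, 0x6u);  /* user A: 10.0.1.10 */
    table_put(t, 0x0A000114u, 0xAu);  /* user B: 10.0.1.20 */
    return 2;
}

int main(void) {
    acl_init_example();
    printf("A at 10.0.1.10 -> %x\n", (unsigned)acl_lookup(0x0A00010Au));
    acl_replace_ip(0x0A00010Au, 0x0A000205u); /* A joined another office's WiFi: 10.0.2.5 */
    printf("A at 10.0.2.5  -> %x, old key -> %x\n",
           (unsigned)acl_lookup(0x0A000205u), (unsigned)acl_lookup(0x0A00010Au));
    return 0;
}
```

One caveat the swap alone does not cover: before the next update overwrites the table that has just become secondary, every reader that loaded the old pointer must have finished with it, which calls for an RCU-style grace period or a generation counter; in an XDP/eBPF data path the kernel's BPF map primitives and RCU provide that guarantee.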
Optionally, the network resources are divided according to attribute information of the network resources, where the attribute information includes at least one of the IP address segment, the port number and the transport layer protocol of the network resource.
Determining the target network resource that the user terminal requests to access according to the destination information in the data packet includes:
determining the target attribute information corresponding to the destination information, and determining the target network resource from the target attribute information through the correspondence between the attribute information of the network resources and the network resource sets, wherein the destination information comprises at least one of a destination IP address, a destination port number and a transport layer protocol in the data packet.
For example, when the network resources are divided according to IP address segment, the IP address segment to which the destination IP address belongs may be determined from the destination IP address in the data packet, and the network resource to which that IP address segment belongs is the target network resource. When the network resources are divided according to two items of attribute information, for example according to IP address segment and transport layer protocol, the IP address segment to which the destination IP address belongs may be determined from the destination IP address in the data packet, and then an AND operation is performed on the network resource (set) to which that IP address segment belongs and the network resource (set) to which the transport layer protocol in the data packet belongs; the result of the operation is the target network resource. Similarly, when the network resources are divided according to destination IP address, destination port number and transport layer protocol, the IP address segment to which the destination IP address belongs may be determined from the destination IP address in the data packet, and then an AND operation is performed on the network resource (set) to which that IP address segment belongs, the network resource (set) to which the destination port number in the data packet belongs, and the network resource (set) to which the transport layer protocol in the data packet belongs; the result of the operation is the target network resource.
Optionally, the method further includes establishing a correspondence between the attribute information of the network resource and the network resource set by:
dividing the network resources into multiple types of network resource according to the attribute information of the network resources, and numbering each type of network resource.
For example, the attribute information includes the IP address segment, port number and transport layer protocol of the network resource. The network resources are divided according to the attribute information into three types, the office system, the research and development system and the financial system, numbered 1, 2 and 3 respectively, and the attribute information included in each type of network resource is shown in fig. 2. Specifically, as shown in fig. 3, the IP address segment corresponding to the office system is 10.0.0.64-10.0.0.127, the IP address segment corresponding to the research and development system is 10.0.0.16-10.0.0.127, and the IP address segment corresponding to the financial system is 10.0.0.32-10.0.0.95. Performing an intersection operation on the IP network segments of the office system, the research and development system and the financial system in fig. 3 yields the segments 10.0.0.16-10.0.0.32, 10.0.0.32-10.0.0.64, 10.0.0.64-10.0.0.95 and 10.0.0.95-10.0.0.127. Therefore, as shown in fig. 2, the IP network segment attribute information of the office system is 10.0.0.64-10.0.0.95 and 10.0.0.95-10.0.0.127; that of the research and development system is 10.0.0.16-10.0.0.32, 10.0.0.32-10.0.0.64, 10.0.0.64-10.0.0.95 and 10.0.0.95-10.0.0.127; and that of the financial system is 10.0.0.32-10.0.0.64 and 10.0.0.64-10.0.0.95.
calculating a BitMap value of each type of network resource through a BitMap algorithm according to the number of that type of network resource, and calculating the BitMap values of the network resource sets according to the BitMap values of the types of network resource, wherein each network resource set comprises at least one type of network resource.
For fig. 2, the BitMap values for numbers 1, 2 and 3 of the office system, the research and development system and the financial system, as calculated through the BitMap algorithm, are 0010, 0100 and 1000 respectively. The BitMap value may be expressed in 8 bits, 16 bits, or the like, with the missing positions padded with 0. For a network resource set, an OR operation is performed on the BitMap values of the types of network resource included in the set, and the result is the BitMap value of the network resource set.
for each item of attribute information, establishing a correspondence between that attribute information of the network resources and the network resource set, taking the attribute information as the primary key and the BitMap value of the network resource set corresponding to the attribute information as the value.
Based on the network resource division result of fig. 2, take one item of attribute information, for example the IP segment 10.0.0.95-10.0.0.127. The network resource set corresponding to this IP segment is the set of the office system and the research and development system; the BitMap value of that set is the OR of the BitMap value of the office system and the BitMap value of the research and development system, which is 0110. The BitMap value of the network resource set corresponding to the IP segment 10.0.0.95-10.0.0.127 is therefore 0110. Similarly, the BitMap values of the network resource sets corresponding to the IP network segments 10.0.0.16-10.0.0.32, 10.0.0.32-10.0.0.64 and 10.0.0.64-10.0.0.95 are obtained, as shown in fig. 3. The result of fig. 3 may be stored in a second hash table, where the primary key of the second hash table is the IP network segment and the value is the BitMap value of the network resource set corresponding to that IP network segment.
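The intersection step and the resulting second hash table, worked through in code as an added example (not the disclosure's own code): the three address ranges and resource numbers of fig. 2 and fig. 3 are the input, every range boundary becomes a cut point, each resulting segment is assigned the OR of the BitMap values of the resources whose range covers it, and a destination address is then resolved to its segment's BitMap value. The sorting and lookup routines are an illustrative implementation; the shared boundary addresses (10.0.0.32 belongs to both 10.0.0.16-10.0.0.32 and 10.0.0.32-10.0.0.64) are resolved to the lower segment here, which is a choice the description leaves open.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not the disclosure's own code. Resource numbers and
 * address ranges are those of fig. 2 and fig. 3; everything else is an
 * illustrative implementation. */

#define MAX_RESOURCES 8
#define MAX_SEGMENTS  (2 * MAX_RESOURCES)

/* One type of network resource: its number and its inclusive IPv4 range
 * (host-order 32-bit integers). */
struct resource {
    unsigned number;   /* 1 = office, 2 = R&D, 3 = finance */
    uint32_t lo, hi;
};

/* One IP segment after the intersection step, with the BitMap value of the
 * network resource set it corresponds to (one row of the second hash table). */
struct segment {
    uint32_t lo, hi;
    uint32_t bitmap;
};

/* BitMap value of a single resource: number n sets bit n (1 -> 0010). */
static uint32_t resource_bitmap(unsigned number) { return 1u << number; }

/* Cut the address space at every range boundary. Adjacent segments share
 * their boundary address, exactly as the segments listed for fig. 3 do. */
static int build_segments(const struct resource *res, int nres, struct segment *out) {
    uint32_t b[MAX_SEGMENTS];
    int nb = 0;

    for (int i = 0; i < nres; i++) {
        b[nb++] = res[i].lo;
        b[nb++] = res[i].hi;
    }
    /* Insertion sort, then drop duplicate boundaries; the input is tiny. */
    for (int i = 1; i < nb; i++) {
        uint32_t v = b[i];
        int j = i - 1;
        while (j >= 0 && b[j] > v) { b[j + 1] = b[j]; j--; }
        b[j + 1] = v;
    }
    int nu = 0;
    for (int i = 0; i < nb; i++)
        if (nu == 0 || b[nu - 1] != b[i]) b[nu++] = b[i];

    int nseg = 0;
    for (int i = 0; i + 1 < nu; i++) {
        struct segment s = { b[i], b[i + 1], 0 };
        /* A segment belongs to every resource whose range covers it; the
         * set's BitMap value is the OR of those resources' BitMap values. */
        for (int r = 0; r < nres; r++)
            if (res[r].lo <= s.lo && s.hi <= res[r].hi)
                s.bitmap |= resource_bitmap(res[r].number);
        out[nseg++] = s;
    }
    return nseg;
}

/* Second hash table lookup: BitMap value of the set for the segment a
 * destination IP falls in, or 0 if the address lies outside every segment.
 * A shared boundary address resolves to the lower segment. */
static uint32_t segment_lookup(const struct segment *seg, int nseg, uint32_t ip) {
    for (int i = 0; i < nseg; i++)
        if (seg[i].lo <= ip && ip <= seg[i].hi) return seg[i].bitmap;
    return 0;
}

/* Render the low four bits as the 4-digit BitMap string used in the figures. */
static const char *bits4(uint32_t v, char buf[5]) {
    for (int i = 0; i < 4; i++) buf[i] = ((v >> (3 - i)) & 1) ? '1' : '0';
    buf[4] = '\0';
    return buf;
}

/* Fig. 2 / fig. 3 input: 10.0.0.x is written as 0x0A0000xx. */
static const struct resource FIG2[] = {
    { 1, 0x0A000040u, 0x0A00007Fu },  /* office:  10.0.0.64-10.0.0.127 */
    { 2, 0x0A000010u, 0x0A00007Fu },  /* R&D:     10.0.0.16-10.0.0.127 */
    { 3, 0x0A000020u, 0x0A00005Fu },  /* finance: 10.0.0.32-10.0.0.95  */
};
#define NFIG2 ((int)(sizeof FIG2 / sizeof FIG2[0]))

static int fig2_segment_count(void) {
    struct segment seg[MAX_SEGMENTS];
    return build_segments(FIG2, NFIG2, seg);
}

static uint32_t fig2_lookup(uint32_t ip) {
    struct segment seg[MAX_SEGMENTS];
    int n = build_segments(FIG2, NFIG2, seg);
    return segment_lookup(seg, n, ip);
}

int main(void) {
    struct segment seg[MAX_SEGMENTS];
    char buf[5];
    int n = build_segments(FIG2, NFIG2, seg);
    for (int i = 0; i < n; i++)
        printf("10.0.0.%u-10.0.0.%u -> %s\n", (unsigned)(seg[i].lo & 0xFF),
               (unsigned)(seg[i].hi & 0xFF), bits4(seg[i].bitmap, buf));
    return 0;
}
```

Running it reproduces the four rows of fig. 3: 10.0.0.16-10.0.0.32 maps to 0100 (research and development only), 10.0.0.32-10.0.0.64 to 1100, 10.0.0.64-10.0.0.95 to 1110 and 10.0.0.95-10.0.0.127 to 0110. In a deployment one would normally make the segments half-open so that no address can belong to two rows, which removes the tie-break the lookup above has to make.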
Based on the network resource division result of fig. 2, take one item of attribute information, for example the port number 53. The network resource set corresponding to port number 53 is the set of the office system, the research and development system and the financial system; the BitMap value of that set is the OR of 0010, 0100 and 1000, which is 1110. The BitMap value of the network resource set corresponding to port number 53 is therefore 1110. Similarly, the BitMap values of the network resource sets corresponding to port numbers 0, 22, 80 and 443 are obtained, as shown in fig. 4, where port number 0 is a wildcard for ports 1-65535. The result of fig. 4 may be stored in a third hash table, where the primary key of the third hash table is the port number and the value is the BitMap value of the network resource set corresponding to that port number.
Based on the network resource division result of fig. 2, take one item of attribute information, for example the transport layer protocol TCP, which can be represented by its protocol number 6 as assigned in the RFCs. The network resource set corresponding to transport layer protocol 6 is the set of the office system, the research and development system and the financial system; the BitMap value of that set is the OR of the BitMap values of the office system, the research and development system and the financial system, which is 1110. The BitMap value of the network resource set corresponding to transport layer protocol 6 is therefore 1110. Similarly, the BitMap value of the network resource set corresponding to transport layer protocol 0 is obtained, as shown in fig. 5, where transport layer protocol 0 is a wildcard for the layer-4 protocol numbers 1-255. The result of fig. 5 may be stored in a fourth hash table, where the primary key of the fourth hash table is the transport layer protocol and the value is the BitMap value of the network resource set corresponding to that transport layer protocol.
By adopting the technical scheme, the BitMap algorithm can save storage space and accelerate query speed.
Optionally, the attribute information includes the IP address segment, port number and transport layer protocol of the network resource, and the destination information includes the destination IP address, destination port number and transport layer protocol in the data packet. Determining the target attribute information corresponding to the destination information, and determining the target network resource from the target attribute information through the correspondence between the attribute information of the network resources and the network resource sets, comprises:
determining the destination IP address segment corresponding to the destination IP address in the data packet;
determining the BitMap value of the network resource set corresponding to the destination IP address segment according to the correspondence between the IP address segments of the network resources and the network resource sets;
determining the BitMap value of the network resource set corresponding to the destination port number in the data packet according to the correspondence between the port numbers of the network resources and the network resource sets;
determining the BitMap value of the network resource set corresponding to the transport layer protocol in the data packet according to the correspondence between the transport layer protocols of the network resources and the network resource sets;
and performing an AND operation on the BitMap value of the network resource set corresponding to the destination IP address segment, the BitMap value of the network resource set corresponding to the destination port number in the data packet and the BitMap value of the network resource set corresponding to the transport layer protocol in the data packet, to determine the BitMap value of the target network resource.
For example, based on the network resource division result of fig. 2, when a data packet accesses the web server (TCP port 22) at destination IP address 10.0.0.16: the destination IP address 10.0.0.16 in the data packet belongs to the segment 10.0.0.16-10.0.0.32; according to the second hash table, the BitMap value of the network resource set corresponding to the segment 10.0.0.16-10.0.0.32 is 0100; according to the third hash table, the BitMap value of the network resource set corresponding to destination port number 22 is 0110; and according to the fourth hash table, the BitMap value of the network resource set corresponding to the transport layer protocol TCP (6) is 1110. The BitMap value of the target network resource is then 0100 (the result of the AND operation on 0100, 0110 and 1110). This equals the BitMap value of the research and development system, which is consistent with fig. 2 and indirectly confirms the correctness of the method.
Optionally, forwarding the data packet to the target network resource when the target network resource belongs to the network resource set includes:
performing AND operation on the BitMap value of the target network resource and the BitMap value of the network resource set to obtain an operation result;
forwarding the data packet to the target network resource under the condition that the operation result is not 0;
the method further comprises: discarding the data packet if the operation result is 0.
For example, based on the network resource division result in fig. 2, consider a user side (for example, user side A in fig. 2) for which the network resource set to which the user identity information in its data packet has access rights consists of the office system and the research and development system, so that the BitMap value of the network resource set is 0110. The data packet sent by this user side accesses the web server (TCP port 22) at destination IP address 10.0.0.16, so the target network resource is the research and development system and its BitMap value is 0100. The AND operation on the BitMap value of the target network resource and the BitMap value of the network resource set yields 0100; since the result is not 0, the data packet is forwarded to the target network resource. In other words, the data packet is forwarded because the target network resource it is to access (the research and development system) belongs to the network resource set to which the user side has access rights (the set of the research and development system and the office system).
For another example, based on the network resource division result in fig. 2, consider a user side (for example, user side B in fig. 2) for which the network resource set to which the user identity information in its data packet has access rights consists of the office system and the financial system, so that the BitMap value of the network resource set is 1010 (the result of the OR operation on the BitMap value 0010 of the office system and the BitMap value 1000 of the financial system). The data packet sent by this user side accesses the web server (TCP port 22) at destination IP address 10.0.0.16, so the target network resource is the research and development system and its BitMap value is 0100. The AND operation on the BitMap value of the target network resource and the BitMap value of the network resource set yields 0000; since the result is 0, the data packet is discarded. In other words, the data packet is discarded because the target network resource it is to access (the research and development system) does not belong to the network resource set to which the user side has access rights (the set of the office system and the financial system).
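The complete decision of steps S11 to S13, including the two cases for user sides A and B just described, as an added example that is not the disclosure's own code. The four tables hold the BitMap values the description gives for fig. 2 to fig. 5; the value 1100 for the segment 10.0.0.32-10.0.0.64 follows from the membership listed for fig. 2 (research and development system and financial system), the source addresses 10.0.1.10 and 10.0.1.20 for users A and B are constructed, and the port-80, port-443 and wildcard (key 0) rows of fig. 4 and fig. 5 are not modelled, so a key that is absent from a table yields 0.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not the disclosure's own code. Bit positions follow the
 * resource numbers of fig. 2 (1 = office, 2 = R&D, 3 = finance); the table
 * contents are the values given for fig. 3 to fig. 5, and the user-side
 * source addresses are constructed. */

#define OFFICE  (1u << 1)  /* 0010 */
#define RND     (1u << 2)  /* 0100 */
#define FINANCE (1u << 3)  /* 1000 */

struct ip_segment { uint32_t lo, hi, bitmap; };
struct kv { uint32_t key, bitmap; };

/* Second hash table (fig. 3): IP segment -> BitMap value of its set.
 * 10.0.0.x is written as 0x0A0000xx. */
static const struct ip_segment SEGMENTS[] = {
    { 0x0A000010u, 0x0A000020u, RND },                    /* 10.0.0.16-10.0.0.32  */
    { 0x0A000020u, 0x0A000040u, RND | FINANCE },          /* 10.0.0.32-10.0.0.64  */
    { 0x0A000040u, 0x0A00005Fu, OFFICE | RND | FINANCE }, /* 10.0.0.64-10.0.0.95  */
    { 0x0A00005Fu, 0x0A00007Fu, OFFICE | RND },           /* 10.0.0.95-10.0.0.127 */
};
/* Third hash table (fig. 4): destination port -> set. Only the two ports
 * whose values the description states; the wildcard key 0 is not modelled. */
static const struct kv PORTS[] = { { 22, OFFICE | RND }, { 53, OFFICE | RND | FINANCE } };
/* Fourth hash table (fig. 5): transport protocol number -> set. */
static const struct kv PROTOS[] = { { 6 /* TCP */, OFFICE | RND | FINANCE } };
/* First hash table: source IP -> set the user may access (users A and B). */
static const struct kv USERS[] = {
    { 0x0A00010Au, OFFICE | RND },     /* user A, 10.0.1.10 (constructed) */
    { 0x0A000114u, OFFICE | FINANCE }, /* user B, 10.0.1.20 (constructed) */
};

#define LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Unknown key -> 0: no resource type matches, so the packet ends up dropped. */
static uint32_t kv_lookup(const struct kv *t, size_t n, uint32_t key) {
    for (size_t i = 0; i < n; i++)
        if (t[i].key == key) return t[i].bitmap;
    return 0;
}

/* First segment containing the address wins (the figures' segments share
 * boundary addresses, so 10.0.0.32 resolves to 10.0.0.16-10.0.0.32). */
static uint32_t segment_lookup(uint32_t ip) {
    for (size_t i = 0; i < LEN(SEGMENTS); i++)
        if (SEGMENTS[i].lo <= ip && ip <= SEGMENTS[i].hi) return SEGMENTS[i].bitmap;
    return 0;
}

/* Step S12: the target resource is the AND of the three attribute lookups. */
static uint32_t target_bitmap(uint32_t dst_ip, uint16_t dst_port, uint8_t proto) {
    return segment_lookup(dst_ip)
         & kv_lookup(PORTS, LEN(PORTS), dst_port)
         & kv_lookup(PROTOS, LEN(PROTOS), proto);
}

enum verdict { DROP = 0, FORWARD = 1 };

/* Steps S11 to S13 for one packet: forward only if the target resource and
 * the user's permitted set have at least one bit in common. */
static enum verdict decide(uint32_t src_ip, uint32_t dst_ip, uint16_t dst_port, uint8_t proto) {
    uint32_t allowed = kv_lookup(USERS, LEN(USERS), src_ip);   /* S11 */
    uint32_t target  = target_bitmap(dst_ip, dst_port, proto);  /* S12 */
    return (target & allowed) != 0 ? FORWARD : DROP;            /* S13 */
}

int main(void) {
    /* The two worked cases: A and B both send to 10.0.0.16, TCP port 22. */
    printf("target = %x\n", (unsigned)target_bitmap(0x0A000010u, 22, 6)); /* 4, i.e. 0100, the R&D system */
    printf("user A: %s\n", decide(0x0A00010Au, 0x0A000010u, 22, 6) == FORWARD ? "forward" : "drop");
    printf("user B: %s\n", decide(0x0A000114u, 0x0A000010u, 22, 6) == FORWARD ? "forward" : "drop");
    return 0;
}
```

Two properties of this check are worth keeping in mind when the tables are designed. Because an absent key yields 0, a packet for an unlisted source, port or protocol is dropped, so the tables are default-deny. And because step S13 only tests that the AND is non-zero, the attribute tables must cut resources finely enough that the target BitMap resolves to a single resource type; a target that still covered two types would be forwarded as soon as the user was entitled to either one of them.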
Based on the same inventive concept, an embodiment of the present disclosure further provides a gateway 10. As shown in fig. 6, the gateway 10 includes:
the access right acquiring module 11 is configured to determine, according to an access control list rule, a network resource set in which user identity information in a data packet sent by a user side has an access right, where the access control list rule includes a correspondence between each piece of user identity information and the network resource set in which the user identity information has the access right.
a target network area obtaining module 12, configured to determine, according to the destination information in the data packet, the target network resource that the user terminal requests to access.
A determining module 13, configured to forward the data packet to the target network resource when the target network resource belongs to the network resource set.
Through this technical solution, the access control list (ACL) rule is set according to user identity information that uniquely identifies the user, such as a source IP address. If the number of employees increases, the network segments do not need to be divided again, so that resource waste is avoided.
Optionally, the access right obtaining module 11, the target network area obtaining module 12 and the determining module 13 operate in the packet receiving process of the gateway 10, where the packet receiving process is based on the Linux kernel eXpress Data Path (XDP) technology and the extended Berkeley Packet Filter (eBPF) technology.
Through this technical solution, compared with traditional ACL tools (such as iptables and nftables), better performance and lower resource consumption are obtained when the number of clients is large (for example, an enterprise with ten thousand employees), and ACL management is reasonable and efficient.
Optionally, there are multiple gateways 10, the multiple gateways 10 run an etcd cluster, and the correspondence between each item of user identity information and the network resource set to which it has access rights is stored in the etcd cluster. The gateways 10 call the watch method of etcd to monitor the correspondence; after the network resource set corresponding to an item of user identity information changes, the plurality of gateways 10 are notified of the change information, and the gateways 10 synchronously update the network resource set corresponding to that user identity information according to the change information.
By the above technical solution, when the gateway 10 is deployed in a cluster, after the network resource set corresponding to the user identity information is changed, the network resource sets corresponding to the user identity information of a plurality of gateways 10 (gateway 10 clusters) are updated synchronously.
Optionally, the access control list rule is established by:
calculating a BitMap value of each type of network resource through a BitMap algorithm according to the identification information of that type of network resource, and calculating the BitMap values of the network resource sets according to the BitMap values of the types of network resource, wherein each network resource set comprises at least one type of network resource.
Taking the identity information of each user as the primary key and the BitMap value of the network resource set to which that identity information has access rights as the value, establishing a correspondence between the identity information of each user and the BitMap value of the network resource set to which it has access rights, and storing the correspondence in a first hash table.
By adopting the technical scheme, the BitMap algorithm can save storage space and accelerate query speed.
Optionally, the user identity information is an initial IP address of the user side, and the gateway 10 further includes:
an updating module, configured to replace the initial IP address of the user side in the first hash table with the detected IP address when it is detected that the IP address associated with the user account of the user side is different from the initial IP address.
When a user goes to an office area other than the one the user belongs to, and the user side connects to the WiFi of that office area, the IP address of the user side changes, while the user can still be identified by the user account logged in on the user side. If the access control list rule were set simply by source IP address, then when the user travels to another office the source IP address of the user side changes, the set of network resources the user side can access changes with it, and effective network authority management through the access control list rule is no longer possible. With this technical solution, when the IP address associated with the user account of the user side is detected to differ from the initial IP address, the initial IP address of the user side in the first hash table is replaced by the detected IP address, so that when the user travels to another office the network resource set the user can access is unchanged, that is, the user's access rights are unchanged.
Optionally, the first hash table includes a primary hash table and a secondary hash table, and the update module is specifically configured to: replace the initial IP address of the user side in the secondary hash table with the detected IP address so as to update the secondary hash table; and, after the update of the secondary hash table is finished, set the secondary hash table as the primary hash table and the original primary hash table as the secondary hash table.
The access right obtaining module 11 is specifically configured to determine, according to the primary hash table, the network resource set to which the user identity information in the data packet sent by the user side has access rights.
Through this technical solution, a primary hash table and a secondary hash table are provided: the lookup operation (of the network resource set to which the user identity information has access rights) is performed on the primary hash table, the update operation (of the user identity information) is performed on the secondary hash table, and when the update is complete the roles of the primary and secondary hash tables are swapped. Thus, lock-free operation is achieved and the performance bottleneck is removed.
Optionally, the network resources are divided according to attribute information of the network resources, where the attribute information includes at least one of the IP address segment, the port number and the transport layer protocol of the network resource;
the target network area obtaining module 12 is specifically configured to determine the target attribute information corresponding to the destination information, and to determine the target network resource from the target attribute information through the correspondence between the attribute information of the network resources and the network resource sets, wherein the destination information comprises at least one of a destination IP address, a destination port number and a transport layer protocol in the data packet.
Optionally, the correspondence between the attribute information of the network resource and the network resource set is established as follows: dividing the network resources into multiple types of network resources according to the attribute information of the network resources, and numbering each type of network resource; calculating a BitMap value of each type of network resource through a BitMap algorithm according to the number of each type of network resource, and calculating BitMap values of the various network resource sets according to the BitMap values of each type of network resource, wherein each network resource set comprises at least one type of network resource; and, for each item of attribute information, establishing a correspondence between that attribute information of the network resources and the network resource set by taking the attribute information as the primary key and taking the BitMap value of the network resource set corresponding to the attribute information as the value.
By adopting the technical scheme, the BitMap algorithm can save storage space and accelerate query speed.
Optionally, the attribute information includes an IP address field, a port number, and a transport layer protocol of the network resource, and the destination information includes a destination IP address, a destination port number, and a transport layer protocol in the data packet;
the target network area obtaining module 12 is specifically configured to: determining a corresponding target IP address field according to the target IP address in the data packet; determining a BitMap value of the network resource set corresponding to the target IP address field according to the corresponding relation between the IP address field of the network resource and the network resource set; determining a BitMap value of the network resource set corresponding to the destination port number in the data packet according to the corresponding relation between the port number of the network resource and the network resource set; determining a BitMap value of a network resource set corresponding to a transport layer protocol in the data packet according to the corresponding relation between the transport layer protocol of the network resource and the network resource set; and calculating the BitMap value of the network resource set corresponding to the target IP address field, the BitMap value of the network resource set corresponding to the target port number in the data packet and the BitMap value of the network resource set corresponding to the transport layer protocol in the data packet, and determining the BitMap value of the target network resource.
Optionally, the determining module 13 is specifically configured to: perform an AND operation on the BitMap value of the target network resource and the BitMap value of the network resource set to obtain an operation result; and forward the data packet to the target network resource under the condition that the operation result is not 0;
the gateway 10 further includes a discarding module, configured to discard the data packet under the condition that the operation result is 0.
Based on the above inventive concept, the disclosed embodiments also provide a computer readable medium, on which a computer program is stored, which when executed by a processing apparatus, implements the steps of the above network resource access control method.
Referring now to FIG. 7, a block diagram of an electronic device 600 suitable for use in implementing embodiments of the present disclosure is shown. The electronic device may be applied to a gateway. The electronic device shown in fig. 7 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 7, electronic device 600 may include a processing means (e.g., central processing unit, graphics processor, etc.) 601 that may perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM)602 or a program loaded from a storage means 608 into a Random Access Memory (RAM) 603. In the RAM 603, various programs and data necessary for the operation of the electronic apparatus 600 are also stored. The processing device 601, the ROM 602, and the RAM 603 are connected to each other via a bus 604. An input/output (I/O) interface 605 is also connected to bus 604.
Generally, the following devices may be connected to the I/O interface 605: input devices 606 including, for example, a touch screen, touch pad, keyboard, mouse, camera, microphone, accelerometer, gyroscope, etc.; output devices 607 including, for example, a Liquid Crystal Display (LCD), a speaker, a vibrator, and the like; storage 608 including, for example, tape, hard disk, etc.; and a communication device 609. The communication means 609 may allow the electronic device 600 to communicate with other devices wirelessly or by wire to exchange data. While fig. 7 illustrates an electronic device 600 having various means, it is to be understood that not all illustrated means are required to be implemented or provided. More or fewer devices may alternatively be implemented or provided.
In particular, according to an embodiment of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program carried on a non-transitory computer readable medium, the computer program containing program code for performing the method illustrated by the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network via the communication means 609, or may be installed from the storage means 608, or may be installed from the ROM 602. The computer program, when executed by the processing device 601, performs the above-described functions defined in the methods of the embodiments of the present disclosure.
It should be noted that the computer readable medium in the present disclosure can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In contrast, in the present disclosure, a computer readable signal medium may comprise a propagated data signal with computer readable program code embodied therein, either in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, optical cables, RF (radio frequency), etc., or any suitable combination of the foregoing.
The computer readable medium may be embodied in the electronic device; or may exist separately without being assembled into the electronic device.
The computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to: determining a network resource set with access authority for user identity information in a data packet sent by a user side according to an access control list rule, wherein the access control list rule comprises a corresponding relation between each user identity information and the network resource set with the access authority for the user identity information; determining the target network resource which the user side requests to access according to the target information in the data packet; and forwarding the data packet to the target network resource under the condition that the target network resource belongs to the network resource set.
Computer program code for carrying out operations for the present disclosure may be written in any combination of one or more programming languages, including but not limited to an object oriented programming language such as Java, Smalltalk, C++, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules described in the embodiments of the present disclosure may be implemented by software or hardware. The name of a module does not, in some cases, constitute a limitation on the module itself.
The functions described herein above may be performed, at least in part, by one or more hardware logic components. For example, without limitation, exemplary types of hardware logic components that may be used include: field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), systems on a chip (SOCs), Complex Programmable Logic Devices (CPLDs), and the like.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. A machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
According to one or more embodiments of the present disclosure, an example provides a network resource access control method, including determining, according to an access control list rule, a network resource set in which user identity information in a data packet sent by a user side has an access right, where the access control list rule includes a correspondence relationship between each user identity information and the network resource set in which the user identity information has the access right; determining the target network resource which the user side requests to access according to the target information in the data packet; and forwarding the data packet to the target network resource under the condition that the target network resource belongs to the network resource set.
Example two provides the method of example one, further comprising establishing the access control list rule by: calculating a BitMap value of each type of network resource through a BitMap algorithm according to the identification information of each type of network resource, and calculating BitMap values of the various network resource sets according to the BitMap values of each type of network resource, wherein each network resource set comprises at least one type of network resource; and taking the identity information of each user as the primary key and the BitMap value of the network resource set for which that user's identity information has access authority as the value, establishing a correspondence between the identity information of each user and the BitMap value of the network resource set for which the identity information of the user has access authority, and storing the correspondence in a first hash table.
According to one or more embodiments of the present disclosure, example three provides the method of example two, where the user identity information is an initial IP address of the user side, and the method further includes: under the condition that the IP address associated with the user account of the user side is detected to be different from the initial IP address, replacing the initial IP address of the user side in the first hash table with the detected IP address.
In accordance with one or more embodiments of the present disclosure, example four provides the method of example three, where the first hash table includes a primary hash table and a secondary hash table, and the replacing of the initial IP address of the user side in the first hash table with the detected IP address includes: replacing the initial IP address of the user side in the secondary hash table with the detected IP address so as to update the secondary hash table; and, after the secondary hash table is updated, setting the secondary hash table as the primary hash table and setting the original primary hash table as the secondary hash table;
and the determining, according to the access control list rule, of the network resource set for which the user identity information in the data packet sent by the user side has an access right includes: determining, according to the primary hash table, the network resource set for which the user identity information in the data packet sent by the user side has access authority.
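The primary/secondary hash table scheme of example four (and of the update module described earlier on this page), as an added worked example in C; it is not code from the disclosure or from any product implementing it. It assumes a constructed open-addressing table keyed by the user side's IPv4 address, two constructed users with BitMap values, and hypothetical names such as acl_rekey_user and acl_allowed_of; the atomic pointer exchange stands in for the disclosure's unspecified swap mechanism.

```c
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a small open-addressing hash table keyed by the user
 * side's IPv4 address (host byte order; 0 marks an empty slot) whose value is
 * the BitMap of the network resource set that user may access. */
#define TABLE_SLOTS 64

struct acl_entry { uint32_t ip; uint64_t allowed; };
struct acl_table { struct acl_entry slots[TABLE_SLOTS]; };

/* Two physical tables: `primary` is read by the packet path, `secondary` is
 * rewritten by the update path. Only the pointer is ever shared. */
static struct acl_table tables[2];
static _Atomic(struct acl_table *) primary = &tables[0];
static struct acl_table *secondary = &tables[1];

static unsigned slot_for(uint32_t ip)
{
    return (ip * 2654435761u) % TABLE_SLOTS; /* multiplicative hash, linear probing */
}

static int table_insert(struct acl_table *t, uint32_t ip, uint64_t allowed)
{
    for (unsigned i = 0; i < TABLE_SLOTS; i++) {
        struct acl_entry *e = &t->slots[(slot_for(ip) + i) % TABLE_SLOTS];
        if (e->ip == 0 || e->ip == ip) { e->ip = ip; e->allowed = allowed; return 0; }
    }
    return -1; /* table full */
}

static int table_lookup(const struct acl_table *t, uint32_t ip, uint64_t *out)
{
    for (unsigned i = 0; i < TABLE_SLOTS; i++) {
        const struct acl_entry *e = &t->slots[(slot_for(ip) + i) % TABLE_SLOTS];
        if (e->ip == 0) return -1;                 /* end of probe chain: absent */
        if (e->ip == ip) { *out = e->allowed; return 0; }
    }
    return -1;
}

/* Setup time only, before packets flow: populate the primary table. */
static int acl_set_user(uint32_t ip, uint64_t allowed)
{
    return table_insert(atomic_load(&primary), ip, allowed);
}

/* Packet path: reads the primary table only and never takes a lock. Returns
 * the user's permitted-set BitMap, or 0 (no access) for an unknown user. */
static uint64_t acl_allowed_of(uint32_t ip)
{
    uint64_t allowed = 0;
    return table_lookup(atomic_load(&primary), ip, &allowed) == 0 ? allowed : 0;
}

/* Update path: the user's IP changed from old_ip to new_ip. Rebuild the
 * secondary table from the primary one with that key replaced, then make the
 * secondary the primary (and vice versa) with a single atomic exchange. The
 * old primary is never modified while readers may still hold it; a deployed
 * gateway must also let such readers finish (an RCU-style grace period)
 * before the retired table is rewritten as the next secondary. */
static int acl_rekey_user(uint32_t old_ip, uint32_t new_ip)
{
    const struct acl_table *active = atomic_load(&primary);
    struct acl_table *standby = secondary;

    memset(standby, 0, sizeof *standby);
    for (unsigned i = 0; i < TABLE_SLOTS; i++) {
        const struct acl_entry *e = &active->slots[i];
        if (e->ip == 0) continue;
        uint32_t key = (e->ip == old_ip) ? new_ip : e->ip;
        if (table_insert(standby, key, e->allowed) != 0) return -1;
    }
    secondary = atomic_exchange(&primary, standby); /* the swap */
    return 0;
}

/* 0 or 1: which physical table is currently primary. */
static int acl_primary_index(void) { return atomic_load(&primary) == &tables[0] ? 0 : 1; }

int main(void)
{
    acl_set_user(0x0A000001u, (1ull << 0) | (1ull << 2)); /* 10.0.0.1: sets 0 and 2 */
    acl_set_user(0x0A000002u, 1ull << 1);                 /* 10.0.0.2: set 1 */
    acl_rekey_user(0x0A000001u, 0x0A000009u);             /* 10.0.0.1 moved to 10.0.0.9 */
    printf("10.0.0.9 -> %#llx, 10.0.0.1 -> %#llx, primary table %d\n",
           (unsigned long long)acl_allowed_of(0x0A000009u),
           (unsigned long long)acl_allowed_of(0x0A000001u), acl_primary_index());
    return 0;
}
```

Lookups in the packet path touch only the table the atomic pointer designates and never wait on the update path; the update path writes only the table no reader uses, which is what makes the swap lock-free. The grace-period caveat in the comment is the condition a deployed gateway must meet before it rewrites the retired table.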
Example five provides the method of any one of examples one to four, where the network resource is partitioned according to attribute information of the network resource, the attribute information including at least one of an IP address field, a port number, and a transport layer protocol of the network resource; and the determining of the target network resource which the user side requests to access according to the destination information in the data packet includes: determining the target attribute information corresponding to the target information, and determining the target network resource according to the target attribute information through the correspondence between the attribute information of the network resource and the network resource set, wherein the target information comprises at least one of a target IP address, a target port number and a transport layer protocol in the data packet.
In accordance with one or more embodiments of the present disclosure, example six provides the method of example five, further comprising establishing the correspondence between the attribute information of the network resource and the network resource set in the following way: dividing the network resources into multiple types of network resources according to the attribute information of the network resources, and numbering each type of network resource; calculating a BitMap value of each type of network resource through a BitMap algorithm according to the number of each type of network resource, and calculating BitMap values of the various network resource sets according to the BitMap values of each type of network resource, wherein each network resource set comprises at least one type of network resource; and, for each item of attribute information, establishing a correspondence between that attribute information of the network resources and the network resource set by taking the attribute information as the primary key and taking the BitMap value of the network resource set corresponding to the attribute information as the value.
In accordance with one or more embodiments of the present disclosure, example seven provides the method of example six, where the attribute information includes an IP address field, a port number, and a transport layer protocol of the network resource, and the destination information includes a destination IP address, a destination port number, and a transport layer protocol in the data packet; and the determining of the target attribute information corresponding to the target information and the determining of the target network resource according to the target attribute information through the correspondence between the attribute information of the network resource and the network resource set comprise: determining a corresponding target IP address field according to the target IP address in the data packet; determining a BitMap value of the network resource set corresponding to the target IP address field according to the correspondence between the IP address field of the network resource and the network resource set; determining a BitMap value of the network resource set corresponding to the destination port number in the data packet according to the correspondence between the port number of the network resource and the network resource set; determining a BitMap value of the network resource set corresponding to the transport layer protocol in the data packet according to the correspondence between the transport layer protocol of the network resource and the network resource set; and calculating, from the BitMap value of the network resource set corresponding to the target IP address field, the BitMap value of the network resource set corresponding to the target port number in the data packet and the BitMap value of the network resource set corresponding to the transport layer protocol in the data packet, the BitMap value of the target network resource.
In accordance with one or more embodiments of the present disclosure, example eight provides the method of example seven, where the forwarding of the data packet to the target network resource if the target network resource belongs to the set of network resources comprises: performing an AND operation on the BitMap value of the target network resource and the BitMap value of the network resource set to obtain an operation result; and forwarding the data packet to the target network resource under the condition that the operation result is not 0;
and the method further comprises: discarding the data packet if the operation result is 0.
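The BitMap construction and lookup of examples six to eight (and of the corresponding gateway modules described earlier on this page), as an added worked example in C; it is not code from the disclosure. It assumes a constructed inventory of four numbered resource types, a constructed access control list keyed by the source IP address, hypothetical function names such as target_bitmap and decide, and that the three attribute BitMaps are combined by AND (the disclosure says "calculating" without naming the operator).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed inventory: each resource type is numbered and its BitMap value
 * is 1 << number; a resource set's BitMap is the OR of its members' values.
 * Addresses are IPv4 in host byte order; protocols are IANA numbers. */
#define PROTO_TCP 6
#define PROTO_UDP 17

struct resource_type {
    unsigned number;     /* numbering of the type */
    uint32_t net, mask;  /* IP address field of the resource */
    uint16_t port;       /* port number */
    uint8_t  proto;      /* transport layer protocol */
};

static const struct resource_type types[] = {
    { 0, 0x0A010000u, 0xFFFF0000u,  443, PROTO_TCP }, /* web,      10.1.0.0/16 */
    { 1, 0x0A020000u, 0xFFFF0000u, 3306, PROTO_TCP }, /* database, 10.2.0.0/16 */
    { 2, 0x0A030000u, 0xFFFF0000u,   53, PROTO_UDP }, /* dns,      10.3.0.0/16 */
    { 3, 0x0A020000u, 0xFFFF0000u,   22, PROTO_TCP }, /* ssh on the database segment */
};
#define NTYPES (sizeof types / sizeof types[0])

/* Attribute -> BitMap of the resource set sharing that attribute. Derived by
 * scanning the inventory here; a deployed gateway stores the value per key
 * (for IP fields, typically a longest-prefix-match map). */
static uint64_t ip_field_bitmap(uint32_t dst)
{
    uint64_t bm = 0;
    for (size_t i = 0; i < NTYPES; i++)
        if ((dst & types[i].mask) == types[i].net) bm |= 1ull << types[i].number;
    return bm;
}

static uint64_t port_bitmap(uint16_t port)
{
    uint64_t bm = 0;
    for (size_t i = 0; i < NTYPES; i++)
        if (types[i].port == port) bm |= 1ull << types[i].number;
    return bm;
}

static uint64_t proto_bitmap(uint8_t proto)
{
    uint64_t bm = 0;
    for (size_t i = 0; i < NTYPES; i++)
        if (types[i].proto == proto) bm |= 1ull << types[i].number;
    return bm;
}

/* The target resource must carry all three attributes of the destination, so
 * the attribute BitMaps are combined with AND (assumption, see lead-in).
 * 0 means no resource matches the destination at all. */
static uint64_t target_bitmap(uint32_t dst, uint16_t port, uint8_t proto)
{
    return ip_field_bitmap(dst) & port_bitmap(port) & proto_bitmap(proto);
}

/* Constructed access control list rule: user identity (source IP) -> BitMap
 * of the network resource set that user may access. */
struct acl_rule { uint32_t user_ip; uint64_t allowed; };
static const struct acl_rule acl[] = {
    { 0x0A000001u, (1ull << 0) | (1ull << 2) }, /* 10.0.0.1: web and dns */
    { 0x0A000002u, (1ull << 1) },               /* 10.0.0.2: database only */
};
#define NRULES (sizeof acl / sizeof acl[0])

static uint64_t user_allowed(uint32_t src)
{
    for (size_t i = 0; i < NRULES; i++)
        if (acl[i].user_ip == src) return acl[i].allowed;
    return 0; /* unknown user: empty permitted set */
}

/* Verdict: 1 = forward, 0 = drop. Forward only when target AND permitted != 0. */
static int decide(uint32_t src, uint32_t dst, uint16_t port, uint8_t proto)
{
    return (target_bitmap(dst, port, proto) & user_allowed(src)) != 0;
}

int main(void)
{
    /* constructed packets: source -> destination:port/protocol */
    printf("10.0.0.1 -> 10.1.5.5:443/tcp  : %s\n",
           decide(0x0A000001u, 0x0A010505u, 443, PROTO_TCP) ? "forward" : "drop");
    printf("10.0.0.1 -> 10.2.0.7:22/tcp   : %s\n",
           decide(0x0A000001u, 0x0A020007u, 22, PROTO_TCP) ? "forward" : "drop");
    printf("10.0.0.2 -> 10.2.0.7:3306/tcp : %s\n",
           decide(0x0A000002u, 0x0A020007u, 3306, PROTO_TCP) ? "forward" : "drop");
    return 0;
}
```

The fourth resource type shares the IP address field of the database type but differs in port, which is why combining the attribute BitMaps matters: a packet from 10.0.0.2 to port 3306 on that segment resolves to bit 1 and is forwarded, while the same destination on port 22 resolves to bit 3 and is dropped. A target BitMap of 0 (no resource matches all three attributes) and an unknown user (empty permitted set) both give a 0 AND result and therefore a drop, which is the fail-closed default the discarding module of example eight provides.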
Example nine provides a gateway applied to network resource access control according to one or more embodiments of the present disclosure, the gateway including: an access authority acquisition module, used for determining, according to an access control list rule, the network resource set for which the user identity information in a data packet sent by a user side has access authority, wherein the access control list rule comprises a correspondence between each piece of user identity information and the network resource set for which that user identity information has access authority; a target network area acquisition module, used for determining the target network resource which the user side requests to access according to the target information in the data packet; and a determining module, used for forwarding the data packet to the target network resource under the condition that the target network resource belongs to the network resource set.
In accordance with one or more embodiments of the present disclosure, example ten provides the gateway of example nine, where the access right obtaining module, the target network area obtaining module, and the determining module run in the packet receiving process of the gateway, and the packet receiving process is based on the eXpress Data Path (XDP) and extended Berkeley Packet Filter (eBPF) technologies of the Linux kernel.
According to one or more embodiments of the present disclosure, an eleventh example provides the gateway of the ninth or tenth example, where there are a plurality of gateways, the plurality of gateways operate an etcd cluster, and the correspondence between each piece of user identity information and the network resource set for which that user identity information has an access right is stored in the etcd cluster; the gateways call the watch method of etcd to monitor the correspondence, and after the network resource set corresponding to a piece of user identity information is changed, the gateways are notified of the change information; and the plurality of gateways synchronously update the network resource set corresponding to the user identity information according to the change information.
Example twelve provides a computer readable medium, on which a computer program is stored, which when executed by a processing device implements the steps of the method of any of examples one to eight, in accordance with one or more embodiments of the present disclosure.
Example thirteen provides an electronic device, according to one or more embodiments of the present disclosure, comprising: a storage device having a computer program stored thereon; processing means for executing the computer program in the storage means to carry out the steps of the method of any one of examples one to eight.
The foregoing description is only exemplary of the preferred embodiments of the disclosure and is illustrative of the principles of the technology employed. It will be appreciated by those skilled in the art that the scope of the disclosure herein is not limited to the particular combination of features described above, but also encompasses other embodiments in which any combination of the features described above or their equivalents does not depart from the spirit of the disclosure. For example, the above features may be replaced with (but not limited to) features having similar functions disclosed in this disclosure to form a technical solution.
Further, while operations are depicted in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order. Under certain circumstances, multitasking and parallel processing may be advantageous. Likewise, while several specific implementation details are included in the above discussion, these should not be construed as limitations on the scope of the disclosure. Certain features that are described in the context of separate embodiments can also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment can also be implemented in multiple embodiments separately or in any suitable subcombination.
Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims. With regard to the apparatus in the above-described embodiment, the specific manner in which each module performs the operation has been described in detail in the embodiment related to the method, and will not be elaborated here.