CN113839933B - Method for solving multi-network card flow by utilizing security group - Google Patents


Info

Publication number: CN113839933B
Application number: CN202111067398.7A
Authority: CN (China)
Prior art keywords: network card, flow table, security group, source, flow
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN113839933A
Inventor: 刘立京
Current and original assignee: Unicloud Nanjing Digital Technology Co Ltd
Priority and filing date: 2021-09-13
Publication dates: CN113839933A on 2021-12-24; CN113839933B (granted) on 2023-09-26

Links

Classifications

    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL (under H04L 63/00 Network architectures or network communication protocols for network security; H04L 63/02 separating internal from external traffic, e.g. firewalls; H04L 63/0227 Filtering policies)
    • H04L 45/745 Address table lookup; Address filtering (under H04L 45/00 Routing or path finding of packets in data switching networks; H04L 45/74 Address processing for routing)
    • H04L 2101/622 Layer-2 addresses, e.g. medium access control [MAC] addresses (under H04L 2101/00 Indexing scheme associated with group H04L 61/00; H04L 2101/60 Types of network addresses; H04L 2101/618 Details of network addresses)


Abstract

The invention relates to the field of computer technology, in particular to a method that uses a security group to resolve the traffic of a host with multiple network cards. The cloud host binds network cards belonging to the same network segment; the IP-to-MAC binding in the main network card's flow table is released; and the security group of the second network card is issued to the ingress corresponding to the main network card, with a source IP restriction added to the flow table. By adding a new matching rule that takes the source IP as a matching item in the ovs flow table, the current traffic is no longer discarded when the second network card is accessed externally.

Description

Method for solving multi-network card flow by utilizing security group
Technical Field
The invention relates to the field of computer technology, in particular to a method that uses a security group to resolve the traffic problem of a host with multiple network cards.
Background
The security group function mainly protects the host side: by filtering on message protocol and port, it guarantees that access to the virtual machines in the data center is strictly controlled. After a security group is created, the user can define access rules in it, and once a cloud server joins the security group it is protected by those rules.
When the host has two network cards in the same network segment and the second network card is accessed externally, the first network card answers the traffic, because both cards share the gateway 172.16.0.1. Because of the flow table's restriction, only traffic of the network card attached to that flow table is allowed out, and at that point the flow table checks whether the IP and the MAC are consistent; if they are not, the traffic is discarded. When the second network card is accessed, the response packet's source address is the second network card's IP while its source MAC is the first network card's MAC, so external access to the second network card is unreachable.
Disclosure of Invention
The invention aims to provide a method that uses a security group to resolve the traffic of multiple network cards, so as to solve the technical problem in the prior art that the current traffic is discarded when the second network card is accessed externally.
To achieve this, the method for resolving multi-network card traffic using a security group comprises the following steps:
the cloud host binds network cards belonging to the same network segment;
the IP and the MAC in the main network card's flow table are unbound;
the security group of the second network card is issued to the ingress corresponding to the main network card, and a source IP restriction is added to the flow table.
In the step of unbinding the IP and the MAC in the main network card's flow table, the IP-to-MAC binding restriction is released in ovs, so that the flow table matches only the MAC instead of IP plus MAC.
In the step of issuing the security group of the second network card to the corresponding ingress of the main network card and adding the source IP restriction to the flow table, the initial flow table matching rule consists of: priority, action, protocol, port and destination IP.
In the same step, the flow table matching rule with the source IP restriction consists of: priority, source IP, action, protocol, port and destination IP.
After that step, the flow table entry matched by any network card in the network segment is changed from vNet-2 to vNet-1; traffic accessing any of the network cards leaves the virtual machine, enters ovs, and is matched on ovs against the security group rules attached to vNet-1.
After that step, vNet-1 therefore contains the security group rules of vNet-2.
The beneficial effects of the invention are as follows. The cloud host binds network cards of the same network segment, for example 172.16.0.0/24, with the main network card at 172.16.0.2 and the second network card at any address in 172.16.0.3-172.16.0.23. When the second network card is accessed, the IP and the MAC in the main network card's flow table are unbound, so the ovs flow table no longer needs to match the IP address and the second network card's traffic can pass. In the same process, the security group of the second network card is issued to the corresponding ingress of the main network card and a source IP restriction is added to the flow table; the new matching rule takes the source IP as a matching item in the ovs flow table, so the current traffic is no longer discarded when the second network card is accessed externally.
Drawings
To illustrate the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings required for the embodiments or for the description of the prior art are briefly introduced below. The drawings described below are only some embodiments of the invention, and a person skilled in the art could obtain other drawings from them without inventive effort.
Fig. 1 is a flow chart of the steps of the method of the present invention for resolving multi-network card traffic using a security group.
Fig. 2 is a schematic diagram of the initial flow table matching rule of the present invention.
Fig. 3 is a schematic diagram of the flow table matching rule of the present invention with the source IP restriction.
Detailed Description
Referring to Figs. 1 to 3, the present invention provides a method for resolving multi-network card traffic using a security group, comprising the following steps:
S1: the cloud host binds network cards belonging to the same network segment;
S2: the IP and the MAC in the main network card's flow table are unbound;
S3: the security group of the second network card is issued to the ingress corresponding to the main network card, and a source IP restriction is added to the flow table.
First, the cloud host binds network cards of the same network segment, for example 172.16.0.0/24, with the main network card at 172.16.0.2 and the second network card at any address in 172.16.0.3-172.16.0.23. When the second network card is accessed, the IP and the MAC in the main network card's flow table are unbound, so the ovs flow table no longer needs to match the IP address and the second network card's traffic can pass. In the same process, the security group of the second network card is issued to the corresponding ingress of the main network card and a source IP restriction is added to the flow table; the new matching rule takes the source IP as a matching item in the ovs flow table, so the current traffic is no longer discarded when the second network card is accessed externally.
In step S2, unbinding the IP and the MAC in the main network card's flow table means that the IP-to-MAC binding restriction is released in ovs, so that the flow table matches only the MAC instead of IP plus MAC.
When the second network card is accessed, the IP and the MAC in the main network card's flow table are unbound, so only the MAC address is matched in the ovs flow table and the IP address is not; this ensures that the second network card's traffic passes.
In step S3, issuing the security group of the second network card to the corresponding ingress of the main network card and adding the source IP restriction to the flow table, the initial flow table matching rule consists of: priority, action, protocol, port and destination IP.
Priority is the order in which rules are matched; action is either allow (pass) or discard; protocol is the network protocol to match (TCP, UDP or ICMP); port is the port range to match, 1-65535; destination IP is the peer IP address to match.
With the source IP restriction added, the flow table matching rule consists of: priority, source IP, action, protocol, port and destination IP.
After step S3, the flow table entry matched by any network card in the network segment is changed from vNet-2 to vNet-1; traffic accessing any network card leaves the virtual machine, enters ovs, and is matched there against the security group rules attached to vNet-1.
After step S3, vNet-1 therefore contains the security group rules of vNet-2.
The matching rule gains a source IP match, and the flow table entry matched by the second network card is changed from vNet-2 to vNet-1. The vNet-1 entry then contains not only the security group rules of the main network card but also the matching rules of the second network card. Traffic accessing the second network card enters ovs from the virtual machine and is matched against the security group rules attached to vNet-1, so the security group remains effective while the second network card's traffic passes through the vNet-1 entry.
After step S3, traffic from the main network card and traffic from the second network card are both matched against the security group flow table through the vNet-1 port.
The virtual machine has two network cards; the interface corresponding to the main network card on ovs is vNet-1 and the interface corresponding to the second network card is vNet-2. When the main network card binds a security group, the regular flow table is issued on vNet-1; when the second network card binds a security group, the security group flow table corresponding to the second network card is also issued on vNet-1. Whether the traffic comes from the main network card or from the second network card, it is matched against the security group flow table through the vNet-1 port, and because the added source IP is verified, different source IPs match different flow tables, which keeps the security group rules isolated.
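Steps S1 to S3 above, modelled as an added example that is not part of the patent or of any ovs code: a small Python model of the vNet-1 egress path with the IP/MAC port binding check and a security-group table in the patent's rule shape (priority, source IP, action, protocol, port, destination IP). The MAC and peer addresses, the per-card policies (SSH for the main card, HTTP for the second) and the default-deny fallthrough are constructed assumptions, not values from the patent.

```python
from dataclasses import dataclass

# Addresses from the patent's example segment 172.16.0.0/24; MACs and peer are constructed.
MAIN_IP, SECOND_IP = "172.16.0.2", "172.16.0.3"
MAIN_MAC = "fa:16:3e:00:00:01"
PEER_IP = "10.0.0.5"  # constructed external host

@dataclass
class Packet:
    src_ip: str
    src_mac: str
    proto: str
    port: int
    dst_ip: str

@dataclass
class Rule:
    """One security-group entry: priority, source IP, action, protocol, port, destination IP."""
    priority: int
    src_ip: str      # "any" = no source-IP restriction (the initial rule shape)
    action: str      # "allow" or "drop"
    proto: str       # TCP / UDP / ICMP
    ports: tuple     # inclusive range within 1-65535
    dst_ip: str      # peer address, or "any"

def port_binding_ok(pkt: Packet, bind_ip_to_mac: bool) -> bool:
    """vNet-1 anti-spoofing check. With the binding on (prior art) the source IP
    and MAC must both be the main card's; after step S2 only the MAC is matched."""
    if pkt.src_mac != MAIN_MAC:
        return False
    return (not bind_ip_to_mac) or pkt.src_ip == MAIN_IP

def match_security_group(pkt: Packet, rules: list) -> str:
    """Highest-priority rule whose fields all match decides; no match means drop
    (default-deny is an assumption here; the patent does not state the default)."""
    for r in sorted(rules, key=lambda r: r.priority, reverse=True):
        if r.src_ip != "any" and r.src_ip != pkt.src_ip:
            continue
        if r.proto != pkt.proto or not (r.ports[0] <= pkt.port <= r.ports[1]):
            continue
        if r.dst_ip != "any" and r.dst_ip != pkt.dst_ip:
            continue
        return r.action
    return "drop"

def vnet1_decision(pkt: Packet, rules: list, bind_ip_to_mac: bool) -> str:
    """Egress path of the VM: port binding check, then the security-group table on vNet-1."""
    if not port_binding_ok(pkt, bind_ip_to_mac):
        return "drop"
    return match_security_group(pkt, rules)

# Constructed policies: main card's group allows SSH only, second card's group allows HTTP only.
MAIN_RULES_INITIAL = [Rule(100, "any", "allow", "TCP", (22, 22), "any")]
VNET1_WITH_SOURCE_IP = [
    Rule(100, MAIN_IP, "allow", "TCP", (22, 22), "any"),    # main card's own rule
    Rule(100, SECOND_IP, "allow", "TCP", (80, 80), "any"),  # second card's group issued on vNet-1
]

def reply_from_second_nic(port: int) -> Packet:
    # Response to an external access of the second card: its IP, but the main card's MAC.
    return Packet(SECOND_IP, MAIN_MAC, "TCP", port, PEER_IP)

def prior_art() -> str:
    # Binding on: IP/MAC mismatch, the reply is discarded before any security group is consulted.
    return vnet1_decision(reply_from_second_nic(80), MAIN_RULES_INITIAL, True)

def unbound_without_source_ip() -> tuple:
    # Binding off but rules not keyed on source IP: the second card is judged by the
    # main card's group, so its HTTP reply is dropped while SSH from it leaks through.
    return (vnet1_decision(reply_from_second_nic(80), MAIN_RULES_INITIAL, False),
            vnet1_decision(reply_from_second_nic(22), MAIN_RULES_INITIAL, False))

def with_source_ip_limit() -> tuple:
    # Step S3: each card's group applies only to its own source IP on the shared vNet-1;
    # an address with no rule of its own (172.16.0.50) falls through to the default deny.
    r = VNET1_WITH_SOURCE_IP
    return (vnet1_decision(reply_from_second_nic(80), r, False),
            vnet1_decision(reply_from_second_nic(22), r, False),
            vnet1_decision(Packet(MAIN_IP, MAIN_MAC, "TCP", 22, PEER_IP), r, False),
            vnet1_decision(Packet("172.16.0.50", MAIN_MAC, "TCP", 80, PEER_IP), r, False))
```

The middle case shows why releasing the binding alone is not enough: without the source IP as a matching item, the second card's traffic is judged by the main card's security group.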
The above disclosure is only a preferred embodiment of the present invention, and the scope of the invention is not limited to it. Those skilled in the art will appreciate that equivalent changes to all or part of the procedures described above, made in accordance with the claims, still fall within the scope of the present invention.

Claims (3)

1. The method for solving the problem of the flow of the multiple network cards by utilizing the security group is characterized by comprising the following steps:
binding a network card of the same network segment by using a cloud host;
unbinding the IP and the MAC in the main network card flow table;
issuing a security group of the second network card to an inlet corresponding to the main network card, and adding a source IP limit value into a flow table;
in the step of unbinding the IP and MAC in the main network card flow table: removing the restriction of IP and MAC binding in ovs flow table, and replacing the flow table with matching IP and MAC;
in the step of issuing the security group of the second network card to the corresponding inlet of the main network card and adding the source IP limit value in the flow table, the initial flow table matching rule is as follows: priority, action, protocol, port and destination IP;
in the step of issuing the security group of the second network card to the corresponding inlet of the main network card and adding the source IP limit value in the flow table, the flow table matching rule added with the source IP limit is as follows: priority, source IP, action, protocol, port, and destination IP.
2. The method for resolving multi-network card traffic using a security group as recited in claim 1, wherein,
after the step of issuing the security group of the second network card to the corresponding inlet of the main network card and adding the source IP limit value in the flow table: the entry matched with the flow table of any network card in the network segment is changed from vNet-2 to vNet-1, the flow accessing any network card is output from the virtual machine and enters ovs, and the security group rule matched with vNet-1 is matched on ovs.
3. The method for resolving multi-network card traffic using a security group as recited in claim 2, wherein,
after the step of issuing the security group of the second network card to the corresponding inlet of the main network card and adding the source IP limit value in the flow table: vNet-1 contains the safety group rules for vNet-2.

Publications

CN113839933A, published 2021-12-24
CN113839933B (granted), published 2023-09-26
Application CN202111067398.7A, priority and filing date 2021-09-13, family ID 78959199, status Active (CN)



Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant