CN114024725A - Inter-container communication method, system, electronic equipment and storage medium - Google Patents


Publication number: CN114024725A
Authority: CN (China)
Prior art keywords: message, label, forwarded, sending, receiving end
Legal status: Granted
Application number: CN202111242113.9A
Other languages: Chinese (zh)
Other versions: CN114024725B (en)
Inventor
王向群
费稼轩
张小建
姚启桂
石聪聪
张伟剑
郭志民
吕卓
陈岑
李暖暖
陈涛
李峰
袁涛
Current Assignee (also Original Assignee)
Global Energy Internet Research Institute Co ltd Nanjing Branch
State Grid Corp of China SGCC
State Grid Henan Electric Power Co Ltd
Electric Power Research Institute of State Grid Henan Electric Power Co Ltd
State Grid Xinjiang Electric Power Co Ltd
Application filed by Global Energy Internet Research Institute Co ltd Nanjing Branch, State Grid Corp of China SGCC, State Grid Henan Electric Power Co Ltd, Electric Power Research Institute of State Grid Henan Electric Power Co Ltd, State Grid Xinjiang Electric Power Co Ltd
Priority to CN202111242113.9A
Publication of CN114024725A
Application granted
Publication of CN114024725B
Legal status: Active

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls > H04L 63/0227 Filtering policies
    • H04L 12/00 Data switching networks > H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks] > H04L 12/46 Interconnection of networks > H04L 12/4604 LAN interconnection over a backbone network, e.g. Internet, Frame Relay > H04L 12/462 LAN interconnection over a bridge based backbone
    • H04L 45/00 Routing or path finding of packets in data switching networks > H04L 45/50 Routing or path finding of packets in data switching networks using label swapping, e.g. multi-protocol label switch [MPLS]
    • H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L 63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention discloses a method, a system, electronic equipment and a storage medium for communication among containers, wherein the method comprises the following steps: receiving a message to be forwarded; judging whether the label of the message sending end is matched with the label of the message receiving end; and when the label of the message sending end is matched with the label of the message receiving end, forwarding the message to be forwarded to the message receiving end. The invention provides a method, a system, electronic equipment and a storage medium for communication between containers, wherein labels are set for a message sending end and a message receiving end, when a network bridge forwards a message to be forwarded, the label of the message sending end and the label of the message receiving end are matched firstly, and when the matching is successful, the message is forwarded. Therefore, the communication method between the containers can effectively limit the message forwarding direction by setting the label, and realizes service isolation. Meanwhile, limitation on network communication between containers can be flexibly realized, and the safety protection capability between containers is effectively improved.

Description

Inter-container communication method, system, electronic equipment and storage medium
Technical Field
The invention relates to the technical field of network security, in particular to a method, a system, electronic equipment and a storage medium for communication between containers.
Background
Power intelligent fusion terminals achieve flexible, fast and secure service deployment by adopting containerized deployment. While containerized deployment of terminal APPs raises the perception level of the energy Internet and its responsiveness to users, it also brings new risks and challenges to the network security of intelligent Internet of Things terminals.
Based on the control of network namespaces, Docker can create an isolated network environment for containers: in it, each container has a completely independent network stack isolated from the host, and a container can also be made to share the network namespace of the host or of another container, which basically meets the requirements of developers in various scenarios. Bridge mode is the Docker default and the network mode most commonly used by developers. In this mode, Docker creates an independent network stack for the container, so that processes in the container use an independent network environment and network-stack isolation is achieved between containers and between a container and the host. In the container virtual network, bridging is the default way for container networks to connect: a virtual bridge docker0 is created on the host to play the role of a traditional switch, and packets are forwarded automatically among the various network interfaces. Each time a new container is created, a virtual network interface is added to it and connected to the docker0 bridge.
Weaknesses of the bridge can lead to information leakage or even availability impacts for other users on the platform. Containers on the same host use bridge mode, and forwarded data packets are not filtered at all, so the forwarded packets are easily subject to ARP spoofing and MAC flooding attacks. Services in some containers need to communicate with other containers for point-to-point data interaction, and in some cases a container acts as a data center and needs to communicate with many containers, so fine-grained security settings need to be applied to network communication between containers to meet complex service applications.
Disclosure of Invention
Therefore, the technical problem to be solved by the present invention is to overcome the defect that the existing bridge does not perform any filtering on the forwarded data packets, thereby providing an inter-container communication method, system, electronic device and storage medium.
According to a first aspect, an embodiment of the present invention discloses an inter-container communication method, including:
receiving a message to be forwarded;
judging whether the label of the message sending end is matched with the label of the message receiving end;
and when the label of the message sending end is matched with the label of the message receiving end, forwarding the message to be forwarded to the message receiving end.
Optionally,
the labels comprise a sending label and a receiving label list;
the sending label is a label set when the message sending end sends a message;
the receiving label list is a collection of the sending labels which can be received by the message receiving end;
the sending label, the receiving label list, the local area network address of the container and the bridge port where the container is located are correspondingly arranged in an address table.
Optionally, the determining whether the label of the message sending end is matched with the label of the message receiving end includes:
judging the message type of the message to be forwarded;
and judging whether the label of the message sending end is matched with the label of the message receiving end or not according to the message type.
Optionally, the determining the message type includes:
judging whether the message to be forwarded is of a unicast type, a multicast type or a broadcast type according to the message to be forwarded;
when the message to be forwarded is of a unicast type, judging whether the local area network address of the message receiving end is located in the address table;
when the local area network address of the message receiving end is positioned in the address table, judging that the message to be forwarded is of a known unicast type;
when the local area network address of the message receiving end is not in the address table, judging that the message to be forwarded is of an unknown unicast type;
when the message to be forwarded is of a multicast type, judging whether the local area network addresses of a plurality of message receiving ends are positioned in the address table;
when the local area network addresses of a plurality of message receiving ends are all located in the address table, judging that the message to be forwarded is of a known multicast type;
and when the local area network address of any message receiving end is not in the address table, judging that the message to be forwarded is of an unknown multicast type.
Optionally, the determining, according to the message type, whether the label of the message sending end is matched with the label of the message receiving end includes:
when the message to be forwarded is judged to be of a known unicast type or a known multicast type, inquiring the address table according to the local area network address of the message sending end, and determining a sending label of the message sending end;
inquiring the address table according to the local area network address of the message receiving end, and judging whether a sending label of the message sending end is in a receiving label list corresponding to the message receiving end;
and the forwarding the message to be forwarded to the message receiving end when the label of the message sending end is matched with the label of the message receiving end includes:
when the sending label of the message sending end is positioned in the receiving label list of the message receiving end, sending the message to be forwarded to the message receiving end;
and when the sending label of the message sending end is not in the receiving label list of the message receiving end, discarding the message to be forwarded.
Optionally, the determining, according to the message type, whether the label of the message sending end is matched with the label of the message receiving end further includes:
when the message to be forwarded is judged to be a broadcast type or an unknown multicast type, inquiring the address table according to the local area network address of the message sending end, and determining a sending label of the message sending end;
traversing the address table, and judging whether the sending label of the message sending end is in a receiving label list corresponding to each message receiving end one by one;
and the forwarding the message to be forwarded to the message receiving end when the label of the message sending end is matched with the label of the message receiving end includes:
when the sending label of the message sending end is positioned in the receiving label list of the message receiving end, sending the message to be forwarded to the message receiving end;
and when the sending label of the message sending end is not in the receiving label list of the message receiving end, discarding the message to be forwarded.
Optionally, the determining, according to the message type, whether the label of the message sending end is matched with the label of the message receiving end further includes:
and when the message to be forwarded is judged to be of an unknown unicast type, discarding the message to be forwarded.
According to a second aspect, an embodiment of the present invention further discloses an inter-container communication system, including:
a receiving unit, configured to receive a message to be forwarded;
the judging unit is used for judging whether the label of the message sending end is matched with the label of the message receiving end;
and the forwarding unit is used for forwarding the message to be forwarded to the message receiving end when the label of the message sending end is matched with the label of the message receiving end.
According to a third aspect, an embodiment of the present invention further discloses an electronic device, including: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor to cause the at least one processor to perform the steps of the inter-container communication method of the first aspect or any of the optional embodiments of the first aspect.
According to a fourth aspect, the present invention further discloses a computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, implements the steps of the inter-container communication method according to the first aspect or any one of the optional embodiments of the first aspect.
The technical scheme of the invention has the following advantages:
According to the inter-container communication method, the inter-container communication system, the electronic equipment and the storage medium, labels are set for the message sending end and the message receiving end; when the bridge forwards the message to be forwarded, the label of the message sending end is first matched against the label of the message receiving end, and only when the match succeeds is the message forwarded. Therefore, the communication method between the containers can effectively limit the message forwarding direction by setting labels, and realizes service isolation. Meanwhile, limits on network communication between containers can be configured flexibly, and the security protection capability of the containers is effectively improved. The method solves the problems of the prior art that forwarded data packets are not filtered and are easily subject to ARP spoofing and MAC flooding attacks.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
FIG. 1 is a flowchart showing a specific example of a method of communication between containers according to an embodiment of the present invention;
FIG. 2 is a flowchart of another specific example of a method of inter-container communication according to an embodiment of the present invention;
FIG. 3 is a flowchart showing another specific example of a method of communication between containers according to an embodiment of the present invention;
FIG. 4 is a schematic block diagram of a specific example of an inter-container communication system in an embodiment of the present invention;
FIG. 5 is a diagram of a specific example of an electronic device in an embodiment of the invention.
Detailed Description
The technical solutions of the present invention will be described clearly and completely with reference to the accompanying drawings, and it should be understood that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the description of the present invention, it should be noted that the terms "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner", "outer", etc., indicate orientations or positional relationships based on the orientations or positional relationships shown in the drawings, and are only for convenience of description and simplicity of description, but do not indicate or imply that the device or element being referred to must have a particular orientation, be constructed and operated in a particular orientation, and thus, should not be construed as limiting the present invention. Furthermore, the terms "first," "second," and "third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
In the description of the present invention, it should be noted that, unless otherwise explicitly specified or limited, the terms "mounted," "connected," and "connected" are to be construed broadly, e.g., as meaning either a fixed connection, a removable connection, or an integral connection; can be mechanically or electrically connected; the two elements may be directly connected or indirectly connected through an intermediate medium, or may be communicated with each other inside the two elements, or may be wirelessly connected or wired connected. The specific meanings of the above terms in the present invention can be understood in specific cases to those skilled in the art.
In addition, the technical features involved in the different embodiments of the present invention described below may be combined with each other as long as they do not conflict with each other.
The embodiment of the invention discloses a communication method between containers, which comprises the following steps as shown in figure 1:
and step S1, receiving the message to be forwarded.
Illustratively, when Docker is installed, a docker0 bridge is created. The bridge receives a message to be forwarded sent by a container within the LAN. Docker is an open-source application container engine, and a complete Docker installation is composed of the following parts: a Docker client, a Docker daemon, Docker images and Docker containers. The Docker service by default creates a docker0 bridge (with a docker0 internal interface) that connects to other physical or virtual network cards at the kernel level, which puts all containers and the local host on the same physical network. Therefore, the bridge created in this way can realize communication between containers, that is, forwarding of messages between containers.
Step S2, whether the label of the message sending end is matched with the label of the message receiving end is judged.
Both the message sending end and the message receiving end can be containers created in Docker, and corresponding MAC addresses (local area network addresses) can be allocated to the containers when they are created. The created bridge involves three data structures: struct net_bridge, struct net_bridge_port and struct net_bridge_fdb_entry, where entries of struct net_bridge_fdb_entry make up the CAM table. Thus, when a container is created and assigned a MAC address, the MAC address and the bridge port to which the container corresponds are inserted into the CAM table (address table). Specifically, the insertion of a MAC address and a bridge port into the CAM table is implemented by calling the br_fdb_insert() function.
Specifically, the labels include a sending label and a receiving label list, where the sending label is the label set when a message sending end sends a message, and the receiving label list is the collection of sending labels that the message receiving end can receive. The sending label, the receiving label list, the local area network address of the container and the bridge port are stored correspondingly in an address table. Two labels are set for the bridge port where each container is located: one is used when the bridge port sends a message outwards and can be called the sending label, and the other is used when a message sent by the bridge port of another container is received by this bridge port. In general, the bridge port where a container is located may receive messages sent by multiple containers, so the second label forms a receiving label list, which contains the sending labels of all bridge ports whose messages the bridge port where the container is located may receive.
Specifically, after the labels are set for the bridge port where a certain container is located, both the sending label snd_tag and the corresponding receiving label list rcv_tag[max] may be stored in the CAM table together with the local area network address and the bridge port of the container. This associates the sending label, the receiving label list, the local area network address of the container and the bridge port with each other.
Specifically, after the sending label, the receiving label list, the local area network address of the container and the bridge port have been set in the CAM table, when the bridge receives the message to be forwarded, the _br_handle_frame() function may be called to process the received message and determine the message sending end and the message receiving end of the message to be forwarded. After they are determined, the sending label of the message sending end can be looked up in the stored CAM table, the receiving label list of the message receiving end is retrieved, and whether the sending label of the message sending end is in the receiving label list of the message receiving end is judged; this is how the label of the message sending end is matched against the label of the message receiving end.
Step S3, when the label of the message sending end is matched with the label of the message receiving end, the message is forwarded to the message receiving end.
Specifically, when it is determined that the sending label of the message sending end is in the receiving label list of the message receiving end, that is, the label of the message sending end and the label of the message receiving end are confirmed to match, the message to be forwarded can be forwarded to the corresponding message receiving end. When the message is forwarded, the br_forward() function may be called to forward the message to be forwarded to the port. If, on the other hand, the comparison finds that the sending label of the message sending end is not in the receiving label list of the message receiving end, the message may carry a certain risk and may be discarded.
According to the inter-container communication method provided by the embodiment of the invention, labels are set for the message sending end and the message receiving end; when the bridge forwards the message to be forwarded, the label of the message sending end is first matched against the label of the message receiving end, and only when the match succeeds is the message forwarded. Therefore, the communication method between the containers can effectively limit the message forwarding direction by setting labels, and realizes service isolation. Meanwhile, limits on network communication between containers can be configured flexibly, and the security protection capability of the containers is effectively improved. The method solves the problems of the prior art that forwarded data packets are not filtered and are easily subject to ARP spoofing and MAC flooding attacks.
As an optional implementation manner of the embodiment of the present invention, a process of determining whether a tag of a message sending end is matched with a tag of a message receiving end includes the following steps, as shown in fig. 2:
Step S21: judging the message type.
Specifically, when a message to be forwarded is received, the type of the message is determined first, and how to forward the message is determined according to the type. When the type of the message is judged, the type of the message to be forwarded can be judged according to whether the local area network address corresponding to the message receiving end for receiving the message is in the CAM table or not.
Step S22: judging whether the label of the message sending end is matched with the label of the message receiving end according to the message type.
Specifically, after the type of the packet is determined, matching of the label and forwarding of the packet may be performed according to the type of the packet to be forwarded.
In an embodiment, when only one message receiving end of the message is confirmed by processing the message to be forwarded, the message to be forwarded is determined to be of a unicast type, when a plurality of message receiving ends of the message are confirmed, the message is determined to be of a multicast type, and when the message receiving ends of the message are confirmed to be all ports in the bridge, the message is determined to be of a broadcast type.
In one embodiment, when the message to be forwarded is determined to be of a unicast type, determining whether a local area network address of the message receiving end is in the address table; when the local area network address of the message receiving end is in the address table, judging that the message is of a known unicast type; and when the local area network address of the message receiving end is not in the address table, judging that the message is unknown unicast.
In one embodiment, when the message to be forwarded is determined to be of a multicast type, determining whether the local area network addresses of a plurality of message receiving ends are in the address table; when the local area network addresses of a plurality of message receiving ends are all in the address table, judging that the messages are of a known multicast type; and when the local area network address of any message receiving end is not in the address table, judging that the message to be forwarded is of an unknown multicast type.
In one embodiment, when the message to be forwarded is determined to be of a known unicast type or a known multicast type, the address table is queried according to the local area network address of the message sending end to determine the sending label of the message sending end; the address table is then queried according to the local area network address of the message receiving end, and whether the sending label of the message sending end is in the receiving label list corresponding to the message receiving end is judged. When the sending label is in the receiving label list, the message to be forwarded is sent to the message receiving end; when the sending label is not in the receiving label list, the message to be forwarded is discarded. When the message to be forwarded is judged to be of an unknown unicast type, the message to be forwarded is discarded.
Illustratively, when a service application in a container sends a known unicast or known multicast message, the bridge processes the received message through _br_handle_frame() to obtain the message sending end and the message receiving end of the message, queries the CAM table according to the MAC address of the message sending end to find the sending label (snd_tag) of the bridge port of the message sending end, then queries the CAM table according to the MAC address of the message receiving end; if that MAC address is in the CAM table, it retrieves the receiving label list (rcv_tag[max]) of the bridge port of the message receiving end and judges whether snd_tag is in rcv_tag[max]. If the sending label is in the receiving label list, the br_forward() function is called to forward the message to be forwarded to the port; otherwise the message is discarded. If the MAC address of the message receiving end is not in the CAM table, the message to be forwarded is likewise discarded.
In one embodiment, when the message to be forwarded is determined to be a broadcast or unknown multicast type, querying the address table according to the local area network address of the message sending end, determining the sending label of the message sending end, traversing the address table, and determining whether the sending label of the message sending end is in a receiving label list corresponding to each message receiving end one by one; when the sending label of the message sending end is positioned in a receiving label list of a message receiving end, sending the message to be forwarded to the message receiving end; and when the sending label is not in the receiving label list of the message receiving end, discarding the message to be forwarded.
Illustratively, when a service application in a container sends a broadcast or unknown multicast message, the bridge processes the received message through _br_handle_frame() to obtain the message sending end and the message receiving ends of the message, queries the CAM table according to the MAC address of the message sending end to find the sending label (snd_tag) of the bridge port of the message sending end, then traverses the receiving label lists (rcv_tag[max]) of the bridge ports of the message receiving ends, checking the rcv_tag[max] of each port one by one and judging whether snd_tag is in that rcv_tag[max]. If the sending label is in the receiving label list, the br_forward() function is called to forward the message to be forwarded to that port; otherwise the message is discarded for that port.
According to the communication method between the containers, the sending label and the receiving label list are flexibly configured, so that communication between containers is flexibly configured and network communication and security isolation for various services can be achieved. When labels are set on the bridge port where the container is located, the number of labels is not limited, so the labels remain usable in scenarios with a large number of containers. In addition, when the labels are set, their scope of application is limited to the bridge, and communication between the containers and the host is not affected.
In one embodiment, the inter-container communication method is implemented by using a flow shown in fig. 3:
firstly, in the CAM table of the docker0 bridge description structure net_bridge, two fields are added for each port: a field storing the tag added when the port sends a packet, namely the sending tag snd_tag, and a field list storing the tags the port is allowed to receive, namely the receiving tag list rcv_tag[MAX]. The MAC address of a container is assigned manually when the container is created, and the br_fdb_insert() function is called to insert the MAC address and the bridge port corresponding to the container into the CAM table.
When the bridge receives a message to be forwarded, the type of the message is judged first. When the message is a known unicast message or a known multicast message, the bridge calls the br_handle_frame() function to process the received message, searches the CAM table according to the source MAC address of the message to find the snd_tag of the sending bridge port, and searches the CAM table according to the MAC address of the message receiving end; if that MAC address is in the CAM table, the rcv_tag list of the receiving bridge port is looked up, and if the snd_tag is in the rcv_tag list the br_forward() function is called to forward the data packet to that port. Otherwise, the message is discarded.
Similarly, for broadcast messages and unknown multicast messages sent by a service application in a container, the bridge calls the br_handle_frame() function to process the received message, searches the CAM table according to the source MAC address of the message to find the snd_tag of the sending bridge port, then traverses the bridge ports of all message receiving ends, checks the rcv_tag list of each port one by one, and calls the br_forward() function to forward the data packet to a port if the snd_tag is in that port's rcv_tag list. Otherwise, the message is discarded.
Similarly, for an unknown unicast packet sent by a service application in a container, when the bridge processes the received packet, the bridge directly discards the packet.
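The forwarding decision of this flow (and of the broadcast case described earlier), as an added userspace C example that is not the patent's bridge code and does not touch the kernel's net_bridge structures. The cam_table, the rcv_tag[MAX] lists, the multicast group model (a group is "known" when every member MAC is in the CAM table) and the three sample containers are constructed here as assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MAX_TAGS  4        /* size of the rcv_tag[MAX] list from the patent text */
#define MAX_PORTS 8

/* One CAM-table entry: container MAC, its bridge port, the tag stamped on frames it
 * sends (snd_tag) and the list of tags it may receive (rcv_tag[]). */
struct cam_entry { uint8_t mac[6]; int port; int snd_tag; int rcv_tag[MAX_TAGS]; int n_rcv; };
struct cam_table { struct cam_entry e[MAX_PORTS]; int n; };
/* Assumed model: a multicast group is "known" only when every member MAC is in the CAM table. */
struct mcast_group { uint8_t gmac[6]; uint8_t member[MAX_PORTS][6]; int n; };

static const struct cam_entry *cam_lookup(const struct cam_table *t, const uint8_t mac[6])
{
    for (int i = 0; i < t->n; i++)
        if (memcmp(t->e[i].mac, mac, 6) == 0) return &t->e[i];
    return NULL;
}

/* Label match: is the sender's snd_tag in the receiving port's rcv_tag list? */
static bool tag_match(int snd_tag, const struct cam_entry *dst)
{
    for (int i = 0; i < dst->n_rcv; i++)
        if (dst->rcv_tag[i] == snd_tag) return true;
    return false;
}

/* Forwarding decision for one frame: returns the number of ports it is forwarded to
 * (0 = dropped) and writes their ids to out[]. Never forwards back out the ingress port. */
int bridge_decide(const struct cam_table *t, const struct mcast_group *g,
                  const uint8_t src[6], const uint8_t dst[6], int out[MAX_PORTS])
{
    static const uint8_t bcast[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
    const struct cam_entry *s = cam_lookup(t, src);
    int n = 0;
    if (!s) return 0;                          /* unknown sender: no snd_tag to check */
    if (!(dst[0] & 1)) {                       /* unicast: I/G bit of the destination is clear */
        const struct cam_entry *d = cam_lookup(t, dst);
        if (!d) return 0;                      /* unknown unicast is always dropped */
        if (tag_match(s->snd_tag, d)) out[n++] = d->port;   /* known unicast */
        return n;
    }
    bool known = memcmp(dst, bcast, 6) != 0 && g && memcmp(dst, g->gmac, 6) == 0;
    for (int i = 0; known && i < g->n; i++)
        if (!cam_lookup(t, g->member[i])) known = false;
    if (known) {                               /* known multicast: match every member port */
        for (int i = 0; i < g->n; i++) {
            const struct cam_entry *d = cam_lookup(t, g->member[i]);
            if (d->port != s->port && tag_match(s->snd_tag, d)) out[n++] = d->port;
        }
        return n;
    }
    for (int i = 0; i < t->n; i++)             /* broadcast or unknown multicast: traverse all */
        if (t->e[i].port != s->port && tag_match(s->snd_tag, &t->e[i])) out[n++] = t->e[i].port;
    return n;
}

/* Constructed sample (not from the patent): three containers on docker0 ports 1-3. */
const uint8_t MAC_A[6] = {0x02, 0x42, 0xac, 0x11, 0x00, 0x0a};
const uint8_t MAC_B[6] = {0x02, 0x42, 0xac, 0x11, 0x00, 0x0b};
const uint8_t MAC_BCAST[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
const struct cam_table demo_cam = { .n = 3, .e = {
    { {0x02, 0x42, 0xac, 0x11, 0x00, 0x0a}, 1, 10, {10, 20}, 2 },   /* A: accepts tags 10, 20 */
    { {0x02, 0x42, 0xac, 0x11, 0x00, 0x0b}, 2, 20, {10}, 1 },       /* B: accepts only tag 10 */
    { {0x02, 0x42, 0xac, 0x11, 0x00, 0x0c}, 3, 30, {30}, 1 } } };   /* C: isolated from A, B */
const struct mcast_group demo_group = {
    {0x01, 0x00, 0x5e, 0x00, 0x00, 0x01}, { {0x02,0x42,0xac,0x11,0x00,0x0a}, {0x02,0x42,0xac,0x11,0x00,0x0b} }, 2 };
```

With this table a broadcast from C reaches no port at all, while a broadcast from A reaches only B, which is the per-service isolation the tag lists are meant to give.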
The embodiment of the invention also discloses an inter-container communication system, as shown in fig. 4, which comprises:
a receiving unit, configured to receive a packet to be forwarded; for details, reference is made to the description relating to step S1 in the above method embodiment.
The judging unit is used for judging whether the label of the message sending end is matched with the label of the message receiving end; for details, reference is made to the description relating to step S2 in the above method embodiment.
The forwarding unit is used for forwarding the message to be forwarded to the message receiving end when the label of the message sending end is matched with the label of the message receiving end; for details, reference is made to the description relating to step S3 in the above method embodiment.
The inter-container communication device provided by the embodiment of the invention sets labels for the message sending end and the message receiving end; when the bridge forwards a message to be forwarded, the label of the message sending end is first matched against the label of the message receiving end, and the message is forwarded only when the match succeeds. Therefore, the inter-container communication method can effectively limit the forwarding direction of messages by setting labels, and thereby realizes service isolation. At the same time, restrictions on network communication between containers can be configured flexibly, so that the security protection capability of the containers is effectively improved and the problem of the prior art, in which forwarded data packets are not filtered at all and are easily attacked by ARP spoofing and MAC flooding, is solved.
The inter-container communication device provided by the embodiment of the invention can flexibly configure the communication between containers by flexibly configuring the sending label list and the receiving label list, and can realize the network communication and security isolation of various services. When setting labels for the bridge port where a container is located, the number of labels is not limited, and the method can be used normally in a scenario with many containers. In addition, the scope of the labels is limited to the bridge, and communication between the containers and the host is not affected.
The functional description of the inter-container communication device provided by the embodiment of the invention refers to the inter-container communication method description in the above embodiment in detail.
An embodiment of the present invention further provides an electronic device, as shown in fig. 5, the electronic device may include a processor 401 and a memory 402, where the processor 401 and the memory 402 may be connected by a bus or in another manner, and fig. 5 takes the connection by the bus as an example.
Processor 401 may be a Central Processing Unit (CPU). The processor 401 may also be another general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or a combination thereof.
The memory 402, as a non-transitory computer-readable storage medium, may be used to store non-transitory software programs, non-transitory computer-executable programs, and modules, such as the program instructions/modules corresponding to the inter-container communication method in the embodiment of the present invention. The processor 401 executes the various functional applications and data processing of the device by running the non-transitory software programs, instructions and modules stored in the memory 402, that is, it implements the inter-container communication method of the above method embodiment.
The memory 402 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created by the processor 401, and the like. Further, the memory 402 may include high speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, memory 402 may optionally include memory located remotely from processor 401, which may be connected to processor 401 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The one or more modules are stored in the memory 402 and, when executed by the processor 401, perform the inter-container communication method of the embodiment shown in fig. 1.
The details of the electronic device may be understood with reference to the corresponding related description and effects in the embodiment shown in fig. 1, and are not described herein again.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium and, when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a flash memory, a Hard Disk Drive (HDD), a Solid State Drive (SSD), or the like; the storage medium may also comprise a combination of the kinds of memory described above.
Although the embodiments of the present invention have been described in conjunction with the accompanying drawings, those skilled in the art may make various modifications and variations without departing from the spirit and scope of the invention, and such modifications and variations fall within the scope defined by the appended claims.

Claims (10)

1. An inter-container communication method, comprising:
receiving a message to be forwarded;
judging whether the label of the message sending end is matched with the label of the message receiving end;
and when the label of the message sending end is matched with the label of the message receiving end, forwarding the message to be forwarded to the message receiving end.
2. The method of claim 1, wherein
the labels comprise a sending label list and a receiving label list;
the sending label is a label set when the message sending end sends a message;
the receiving label list is a collection of the sending labels which can be received by the message receiving end;
the sending label, the receiving label list, the local area network address of the container and the bridge port where the container is located are correspondingly arranged in an address table.
3. The method of claim 2, wherein the determining whether the label of the message sending end matches the label of the message receiving end comprises:
judging the message type of the message to be forwarded;
and judging whether the label of the message sending end is matched with the label of the message receiving end or not according to the message type.
4. The method of claim 3, wherein the determining the packet type comprises:
judging whether the message to be forwarded is of a unicast type, a multicast type or a broadcast type according to the message to be forwarded;
when the message to be forwarded is of a unicast type, judging whether the local area network address of the message receiving end is located in the address table;
when the local area network address of the message receiving end is in the address table, judging that the message to be forwarded is of a known unicast type;
when the local area network address of the message receiving end is not in the address table, judging that the message to be forwarded is of an unknown unicast type;
when the message to be forwarded is of a multicast type, judging whether the local area network addresses of the plurality of message receiving ends are in the address table;
when the local area network addresses of a plurality of message receiving ends are all located in the address table, judging that the message to be forwarded is of a known multicast type;
and when the local area network address of any message receiving end is not in the address table, judging that the message to be forwarded is of an unknown multicast type.
5. The method according to claim 4, wherein said determining whether the label of the message sending end matches the label of the message receiving end according to the message type comprises:
when the message to be forwarded is judged to be of a known unicast type or a known multicast type, inquiring the address table according to the local area network address of the message sending end, and determining a sending label of the message sending end;
inquiring the address table according to the local area network address of the message receiving end, and judging whether a sending label of the message sending end is in a receiving label list corresponding to the message receiving end;
when the label of the message sending end is matched with the label of the message receiving end, the message is forwarded to the message receiving end, and the method comprises the following steps:
when the sending label of the message sending end is positioned in a receiving label list of the message receiving end, sending the message to be forwarded to the message receiving end;
and when the sending label of the message sending end is not in the receiving label list of the message receiving end, discarding the message to be forwarded.
6. The method according to claim 4, wherein said determining whether the label of the message sending end matches the label of the message receiving end according to the message type further comprises:
when the message to be forwarded is judged to be a broadcast type or an unknown multicast type, inquiring the address table according to the local area network address of the message sending end, and determining a sending label of the message sending end;
traversing the address table, and judging whether the sending label of the message sending end is in a receiving label list corresponding to each message receiving end one by one;
when the label of the message sending end is matched with the label of the message receiving end, the message is forwarded to the message receiving end, and the method comprises the following steps:
when the sending label of the message sending end is positioned in a receiving label list of the message receiving end, sending the message to be forwarded to the message receiving end;
and when the sending label of the message sending end is not in the receiving label list of the message receiving end, discarding the message to be forwarded.
7. The method according to claim 4, wherein said determining whether the label of the message sending end matches the label of the message receiving end according to the message type further comprises:
and when the message to be forwarded is judged to be of an unknown unicast type, discarding the message to be forwarded.
8. An inter-container communication system, comprising:
a receiving unit, configured to receive a packet to be forwarded;
the judging unit is used for judging whether the label of the message sending end is matched with the label of the message receiving end;
and the forwarding unit is used for forwarding the message to be forwarded to the message receiving end when the label of the message sending end is matched with the label of the message receiving end.
9. An electronic device, comprising: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor to cause the at least one processor to perform the steps of the inter-container communication method of any of claims 1-7.
10. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the inter-container communication method according to any one of claims 1 to 7.
CN202111242113.9A 2021-10-25 2021-10-25 Inter-container communication method, system, electronic equipment and storage medium Active CN114024725B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111242113.9A CN114024725B (en) 2021-10-25 2021-10-25 Inter-container communication method, system, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN114024725A true CN114024725A (en) 2022-02-08
CN114024725B CN114024725B (en) 2023-06-20

Family

ID=80057709

Country Status (1)

Country Link
CN (1) CN114024725B (en)

Also Published As

Publication number Publication date
CN114024725B (en) 2023-06-20

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant