CN114024725B - Inter-container communication method, system, electronic equipment and storage medium - Google Patents

Info

Publication number: CN114024725B
Application number: CN202111242113.9A
Authority: CN (China)
Legal status: Active
Prior art keywords: message, label, receiving end, forwarded, sending
Other languages: Chinese (zh)
Other versions: CN114024725A (en)
Inventors: 王向群, 费稼轩, 张小建, 姚启桂, 石聪聪, 张伟剑, 郭志民, 吕卓, 陈岑, 李暖暖, 陈涛, 李峰, 袁涛
Current and original assignees: Global Energy Internet Research Institute Co ltd Nanjing Branch; State Grid Corp of China SGCC; State Grid Henan Electric Power Co Ltd; Electric Power Research Institute of State Grid Henan Electric Power Co Ltd; State Grid Xinjiang Electric Power Co Ltd
Application filed by Global Energy Internet Research Institute Co ltd Nanjing Branch, State Grid Corp of China SGCC, State Grid Henan Electric Power Co Ltd, Electric Power Research Institute of State Grid Henan Electric Power Co Ltd, State Grid Xinjiang Electric Power Co Ltd
Priority to CN202111242113.9A
Publication of CN114024725A
Application granted
Publication of CN114024725B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4604 LAN interconnection over a backbone network, e.g. Internet, Frame Relay
    • H04L12/462 LAN interconnection over a bridge based backbone
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/50 Routing or path finding of packets in data switching networks using label swapping, e.g. multi-protocol label switch [MPLS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention discloses a method, a system, electronic equipment and a storage medium for communication among containers. The method comprises the following steps: receiving a message to be forwarded; judging whether the label of the message sending end matches the label of the message receiving end; and, when the labels match, forwarding the message to be forwarded to the message receiving end. Labels are set for the message sending end and the message receiving end, and when a network bridge forwards a message to be forwarded, it matches the label of the sending end against the label of the receiving end and forwards the message only when the match succeeds. The communication method among the containers can therefore effectively limit the forwarding direction of messages by setting labels, and realize service isolation. Meanwhile, the limitation of network communication among containers can be flexibly realized, and the security protection capability among containers is further effectively improved.

Description

Inter-container communication method, system, electronic equipment and storage medium
Technical Field
The present invention relates to the field of network security technologies, and in particular to a method and system for inter-container communication, an electronic device, and a storage medium.
Background
The electric power intelligent fusion terminal realizes flexible, quick and safe service applications by adopting containerized deployment. While containerized deployment of terminal APPs improves the perception level and user response capability of the energy internet, it also brings new risks and challenges to the network security of intelligent internet of things terminals.
Based on network namespace (netNamespace) control, Docker can create an isolated network environment among containers. In this isolated environment the containers have completely independent network stacks and are isolated from the host; they can also share the network namespace of the host or of other containers, so the needs of developers in various scenarios can basically be met. The bridge mode is the Docker default and is also the network mode most commonly used by developers. In this mode, Docker creates an independent network stack for the containers, ensures that processes within the containers use an independent network environment, and achieves network stack isolation between containers and between the containers and the host. In the container virtual network, the container network is connected by default in bridging mode: a virtual bridge docker0 is created on the host machine to play the role of a traditional switch, and packets are forwarded automatically among the various network interfaces. Each time a new container is created, a virtual network interface is added to it and connected to the bridge docker0.
A vulnerability in the bridge can lead to information leakage and can even affect the availability of other users on the platform. Containers on the same host are connected through the network bridge mode, and the forwarded data packets are not filtered, so they are easily exposed to ARP spoofing and MAC flooding attacks. Some containers need to communicate with other containers in point-to-point data exchange, and in some cases a container acts in the role of a data center and needs to communicate with many containers, so fine-grained security settings for network communication between the containers are necessary to meet complex service applications.
Disclosure of Invention
Therefore, the technical problem to be solved by the present invention is to overcome the defect that the existing network bridge does not perform any filtering on the forwarded data packet, so as to provide an inter-container communication method, system, electronic device and storage medium.
According to a first aspect, an embodiment of the present invention discloses a method for inter-container communication, including:
receiving a message to be forwarded;
judging whether the label of the message sending end is matched with the label of the message receiving end;
when the label of the message sending end is matched with the label of the message receiving end, forwarding the message to be forwarded to the message receiving end.
Optionally,
the tag comprises a sending tag and a receiving tag list;
the sending tag is a tag set when the message sending end sends a message;
the receiving tag list is the set of sending tags that the message receiving end can receive;
the sending tag, the receiving tag list, the local area network address of the container and the bridge port of the container are stored correspondingly in the address table.
Optionally, the determining whether the label of the message sending end is matched with the label of the message receiving end includes:
judging the message type of the message to be forwarded;
and judging whether the label of the message sending end is matched with the label of the message receiving end according to the message type.
Optionally, the determining the message type includes:
judging whether the message to be forwarded is of a unicast type, a multicast type or a broadcast type according to the message to be forwarded;
when the message to be forwarded is of a unicast type, judging whether the local area network address of the message receiving end is positioned in the address table;
when the local area network address of the message receiving end is positioned in the address table, judging that the message to be forwarded is of a known unicast type;
when the local area network address of the message receiving end is not in the address table, judging that the message to be forwarded is of an unknown unicast type;
when the message to be forwarded is of a multicast type, judging whether local area network addresses of a plurality of message receiving ends are positioned in the address table;
when local area network addresses of a plurality of message receiving ends are all located in the address table, judging that the message to be forwarded is of a known multicast type;
and when the local area network address of any message receiving end is not in the address table, judging that the message to be forwarded is of an unknown multicast type.
Optionally, the determining, according to the message type, whether the label of the message sending end is matched with the label of the message receiving end includes:
when judging that the message to be forwarded is of a known unicast type or a known multicast type, inquiring the address table according to the local area network address of the message transmitting end, and determining a transmitting label of the message transmitting end;
inquiring the address table according to the local area network address of the message receiving end, and judging whether the sending label of the message sending end is in a receiving label list corresponding to the message receiving end;
when the label of the message sending end is matched with the label of the message receiving end, forwarding the message to the message receiving end, including:
when the sending label of the message sending end is positioned in the receiving label list of the message receiving end, the message to be forwarded is sent to the message receiving end;
and discarding the message to be forwarded when the sending label of the message sending end is not in the receiving label list of the message receiving end.
Optionally, the determining, according to the message type, whether the label of the message sending end is matched with the label of the message receiving end, further includes:
when judging that the message to be forwarded is of a broadcast type or an unknown multicast type, inquiring the address table according to the local area network address of the message transmitting end, and determining a transmitting label of the message transmitting end;
traversing the address table, and judging whether the sending label of the message sending end is in a receiving label list corresponding to each message receiving end one by one;
when the label of the message sending end is matched with the label of the message receiving end, forwarding the message to the message receiving end, including:
when the sending label of the message sending end is positioned in the receiving label list of the message receiving end, the message to be forwarded is sent to the message receiving end;
and discarding the message to be forwarded when the sending label of the message sending end is not in the receiving label list of the message receiving end.
Optionally, the determining, according to the message type, whether the tag of the sending end corresponds to the tag of the receiving end further includes:
and discarding the message to be forwarded when judging that the message to be forwarded is of an unknown unicast type.
According to a second aspect, an embodiment of the present invention further discloses an inter-container communication system, including:
the receiving unit is used for receiving the message to be forwarded;
the judging unit is used for judging whether the label of the message sending end is matched with the label of the message receiving end;
and the forwarding unit is used for forwarding the message to be forwarded to the message receiving end when the label of the message sending end is matched with the label of the message receiving end.
According to a third aspect, an embodiment of the present invention further discloses an electronic device, including: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor to cause the at least one processor to perform the steps of the inter-container communication method according to the first aspect or any alternative implementation of the first aspect.
According to a fourth aspect, an embodiment of the present invention also discloses a computer-readable storage medium, on which a computer program is stored, which computer program, when being executed by a processor, implements the steps of the inter-container communication method according to the first aspect or any of the alternative embodiments of the first aspect.
The technical scheme of the invention has the following advantages:
according to the inter-container communication method, the inter-container communication system, the electronic equipment and the storage medium, the labels are arranged for the message sending end and the message receiving end, when a network bridge forwards a message to be forwarded, the labels of the message sending end and the labels of the message receiving end are matched, and when the matching is successful, the message is forwarded. Therefore, the inter-container communication method can effectively limit the message forwarding direction by setting the label, and realize service isolation. Meanwhile, the limitation of network communication between containers can be flexibly realized, and the safety protection capability of the containers is further effectively improved. The method solves the problems that the forwarded data packet is not filtered in the prior art and is easy to suffer ARP spoofing and MAC flooding attack.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are needed in the description of the embodiments or the prior art will be briefly described, and it is obvious that the drawings in the description below are some embodiments of the present invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flowchart showing a specific example of a method of inter-container communication in an embodiment of the present invention;
FIG. 2 is a flowchart of another specific example of a method of inter-container communication in an embodiment of the present invention;
FIG. 3 is a flowchart of another specific example of a method of inter-container communication in an embodiment of the present invention;
FIG. 4 is a schematic block diagram of a specific example of an inter-container communication system in an embodiment of the present invention;
FIG. 5 is a schematic diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made apparent and fully in view of the accompanying drawings, in which some, but not all embodiments of the invention are shown. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
In the description of the present invention, it should be noted that the directions or positional relationships indicated by the terms "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner", "outer", etc. are based on the directions or positional relationships shown in the drawings, are merely for convenience of describing the present invention and simplifying the description, and do not indicate or imply that the devices or elements referred to must have a specific orientation, be configured and operated in a specific orientation, and thus should not be construed as limiting the present invention. Furthermore, the terms "first," "second," and "third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
In the description of the present invention, it should be noted that, unless explicitly specified and limited otherwise, the terms "mounted," "connected," and "connected" are to be construed broadly, and may be either fixedly connected, detachably connected, or integrally connected, for example; can be mechanically or electrically connected; the two components can be directly connected or indirectly connected through an intermediate medium, or can be communicated inside the two components, or can be connected wirelessly or in a wired way. The specific meaning of the above terms in the present invention will be understood in specific cases by those of ordinary skill in the art.
In addition, the technical features of the different embodiments of the present invention described below may be combined with each other as long as they do not collide with each other.
The embodiment of the invention discloses a method for communication between containers, which is shown in fig. 1 and comprises the following steps:
step S1, receiving a message to be forwarded.
Illustratively, when Docker is installed, a docker0 bridge is created. The network bridge receives the message to be forwarded, which is sent by a certain container in the local area network. Docker is an open-source application container engine; a complete Docker installation is composed of the following parts: the Docker Client, the Docker Daemon, Docker Images and Docker Containers. By default the Docker service creates a docker0 bridge (with a docker0 internal interface on it) that communicates with other physical or virtual network cards at the kernel layer, which places all containers and the local host on the same physical network. Thus, the network bridge created in this way can realize communication among containers, that is, the forwarding of messages among containers.
And S2, judging whether the label of the message sending end is matched with the label of the message receiving end.
The message sending end and the message receiving end can be containers created in Docker, and when a container is created, a corresponding MAC address (local area network address) is allocated to it. The created bridge contains three data structures: struct net_bridge, struct net_bridge_port and struct net_bridge_fdb_entry, where the struct net_bridge_fdb_entry structure is set in the CAM table. Thus, when a container is created and assigned a MAC address, the MAC address and the bridge port corresponding to the container are inserted into the CAM table (address table). Specifically, the insertion of the MAC address and bridge port into the CAM table is implemented by calling the br_fdb_insert() function.
Specifically, the tag includes a sending tag and a receiving tag list; the sending tag is the tag set when a message sending end sends a message, and the receiving tag list is the set of sending tags that the message receiving end can receive. The sending tag, the receiving tag list, the local area network address of the container and the network bridge port are stored correspondingly in the address table. Two kinds of label are set for the bridge port where each container is located: one is used when the bridge port sends out a message and can be called the sending label; the other records which other bridge ports' messages this bridge port may receive. In general, the bridge port where one container is located can receive messages sent by multiple containers, so the second kind of label forms a receiving label list, which contains the sending labels of all the bridge ports whose messages this bridge port is allowed to receive.
Specifically, after labels are set on the bridge port where a certain container is located, the corresponding sending label snd_tag and receiving label list rcv_tag[max] are both stored in the CAM table, alongside the local area network address and the bridge port of the container. Thus the sending tag, the receiving tag list, the local area network address of the container and the bridge port are associated.
Specifically, after the sending tag, the receiving tag list, the local area network address of the container and the bridge port are set in the CAM table, when the bridge receives a message to be forwarded it can call the br_handle_frame() function to process the received message and determine the message sending end and the message receiving end of the message. After determining them, the sending label of the message sending end is looked up in the CAM table stored before, the receiving label list of the message receiving end is confirmed, and whether the sending label of the sending end is in the receiving label list of the receiving end is judged; this realizes the matching of the label of the message sending end with the label of the message receiving end.
Step S3, when the label of the message sending end matches the label of the message receiving end, forwarding the message to the message receiving end.
Specifically, when the sending label of the message sending end is judged to be in the receiving label list of the message receiving end, that is, the label of the sending end is confirmed to match the label of the receiving end, the message to be forwarded is forwarded to the corresponding message receiving end. When forwarding a message, the br_forward() function may be called to forward the message to be forwarded to the port. In addition, if by comparison the sending label of the message sending end is found not to be in the receiving label list of the message receiving end, the message may carry a certain risk, and it may be discarded.
According to the inter-container communication method provided by the embodiment of the invention, the labels are set for the message sending end and the message receiving end, when a network bridge forwards a message to be forwarded, the labels of the message sending end and the labels of the message receiving end are matched, and when the matching is successful, the message is forwarded. Therefore, the inter-container communication method can effectively limit the message forwarding direction by setting the label, and realize service isolation. Meanwhile, the limitation of network communication between containers can be flexibly realized, and the safety protection capability of the containers is further effectively improved. The method solves the problems that the forwarded data packet is not filtered in the prior art and is easy to suffer ARP spoofing and MAC flooding attack.
As an optional implementation manner of the embodiment of the present invention, a process for determining whether a label of a message sending end is matched with a label of a message receiving end, as shown in fig. 2, includes the following steps:
step S21: judging the message type.
Specifically, when a message to be forwarded is received, the type of the message is judged first, and how to forward the message is judged according to the type. When judging the message type, the type of the message to be forwarded can be judged according to whether the local area network address corresponding to the message receiving end receiving the message is in the CAM table.
And S22, judging whether the label of the message sending end is matched with the label of the message receiving end according to the message type.
Specifically, after judging the message type, the tag matching and the message forwarding can be performed according to the type of the message to be forwarded.
In one embodiment, when processing the message to be forwarded, if it is confirmed that the message has only one message receiving end, the message is judged to be of a unicast type; when multiple message receiving ends are confirmed, the message is judged to be of a multicast type; and when the message receiving ends are confirmed to be all ports in the network bridge, the message is judged to be of a broadcast type.
In one embodiment, when judging that the message to be forwarded is of unicast type, judging whether the local area network address of the message receiving end is in the address table; when the local area network address of the message receiving end is in the address table, judging that the message is of a known unicast type; and when the local area network address of the message receiving end is not in the address table, judging that the message is unknown unicast.
In one embodiment, when judging that the message to be forwarded is of a multicast type, judging whether local area network addresses of a plurality of message receiving ends are in the address table; when the local area network addresses of a plurality of message receiving ends are all in the address table, judging that the message is of a known multicast type; when the local area network address of any message receiving end is not in the address table, judging that the message to be forwarded is of an unknown multicast type.
In one embodiment, when judging that the message to be forwarded is of a known unicast type or a known multicast type, inquiring the address table according to the local area network address of the message transmitting end, and determining a transmitting label of the message transmitting end; inquiring the address table according to the local area network address of the message receiving end, and judging whether the sending label of the message sending end is in a receiving label list corresponding to the message receiving end; when the sending tag is in the receiving tag list, sending the message to be forwarded to the message receiving end; and discarding the message to be forwarded when the sending label is not in the receiving tag list. And discarding the message to be forwarded when judging that the message to be forwarded is unknown unicast.
For example, when the service application in the container sends a known unicast or known multicast message, the bridge obtains the message sending end and the message receiving end of the message by processing the received message through br_handle_frame(), queries the CAM table according to the MAC address of the message sending end, looks up the sending tag (snd_tag) of the bridge port of the message sending end, queries the CAM table according to the MAC address of the message receiving end, and if that MAC address is in the CAM table, looks up the receiving tag list (rcv_tag[max]) of the bridge port of the message receiving end and determines whether snd_tag is in rcv_tag[max]. If the sending label is in the receiving label list, the br_forward() function is called to forward the message to be forwarded to the port, otherwise the message is discarded; if the MAC address of the message receiving end is not in the CAM table, the message to be forwarded is also discarded.
In one embodiment, when judging that the message to be forwarded is of a broadcast or unknown multicast type, inquiring the address table according to the local area network address of the message sending end, determining the sending label of the message sending end, traversing the address table, and judging whether the sending label of the message sending end is in a receiving label list corresponding to each message receiving end one by one; when the sending label of the message sending end is positioned in the receiving label list of the message receiving end, the message to be forwarded is sent to the message receiving end; and discarding the message to be forwarded when the sending label is not in the receiving label list of the message receiving end.
When a service application in a container sends a broadcast or unknown multicast message, the bridge processes the received message through br_handle_frame() to obtain the message sending end and the message receiving ends of the message, queries the CAM table according to the MAC address of the message sending end, looks up the sending tag (snd_tag) of the bridge port of the message sending end, traverses the receiving tag lists (rcv_tag[max]) of the bridge ports of the multiple message receiving ends, and checks the rcv_tag[max] of each port one by one to judge whether snd_tag is in rcv_tag[max]. If the sending tag is in the receiving tag list, the br_forward() function is called to forward the message to be forwarded to that port, otherwise the message is discarded.
According to the inter-container communication method provided by the embodiment of the invention, inter-container communication is configured flexibly by configuring the sending label and the receiving label list, so that network communication and security isolation of various services can be realized. When labels are set on the bridge port where a container is located, the number of labels is not limited, so the scheme also applies as usual in scenarios with a large number of containers. In addition, the labels apply only within the network bridge, and communication among containers across host machines is not affected.
In one embodiment, the method of communication between containers is implemented using the flow shown in fig. 3:
first, in the CAM table of the bridge description structure net_bridge of docker0, two fields are added for each port: a field storing the tag added when the port transmits a message, that is, the transmit tag snd_tag, and a field list storing the tags the port can receive, that is, the receive tag list rcv_tag[MAX]. The MAC address of a container is assigned manually when the container is created, and the br_fdb_insert() function is called to insert the MAC address and the bridge port to which the container corresponds into the CAM table.
When the network bridge receives a message to be forwarded, it judges the message type. For a known unicast message or a known multicast message, the network bridge calls the br_handle_frame() function to process the received message, looks up the CAM table according to the source MAC address of the message to find the snd_tag of the corresponding bridge port, and then looks up the CAM table according to the MAC address of the message receiving end; if that MAC address is in the CAM table, it finds the rcv_tag list of the corresponding bridge port, and if the snd_tag is in the rcv_tag list, it calls the br_forward() function to forward the data packet to that port. Otherwise, the message is discarded.
Similarly, for a broadcast message or an unknown multicast message sent by a service application in a container, the bridge calls the br_handle_frame() function to process the received message, looks up the CAM table according to the source MAC address of the message to find the snd_tag of the bridge port, traverses the bridge ports of all message receiving ends, checks the rcv_tag list of each port one by one, and, if the snd_tag is in the rcv_tag list, calls the br_forward() function to forward the data packet to that port. Otherwise, the message is discarded.
Similarly, an unknown unicast message sent by a service application in a container is directly discarded when the network bridge processes the received message.
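The decision flow of fig. 3, as an added worked example that is not part of the patent and is not the Linux bridge code: a user-space C model of the CAM table extended with snd_tag and rcv_tag[MAX], the message-type decision, and the forwarding rule for known unicast and multicast, broadcast and unknown multicast (the path described in the paragraphs above the flow), and unknown unicast messages. The MAC addresses, tags, port numbers and the names cam_lookup(), classify(), bridge_forward() and demo_egress_mask() are constructed for this example; br_handle_frame() and br_forward() appear only in comments.

```c
/* Added example, not code from the patent or the Linux kernel: a user-space
 * model of the tag-filtered forwarding described above. cam_lookup(),
 * classify(), bridge_forward() and the sample MACs/tags are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define MAX_TAGS  4   /* length of the per-port rcv_tag[MAX] list (constructed) */
#define MAX_PORTS 8
/* CAM entry: container MAC -> bridge port, extended with snd_tag/rcv_tag. */
struct cam_entry {
    uint8_t  mac[6];
    int      port;
    uint32_t snd_tag;            /* tag stamped on frames this port sends (non-zero) */
    uint32_t rcv_tag[MAX_TAGS];  /* send tags this port may accept; 0 = unused slot */
};
struct cam_table   { struct cam_entry e[MAX_PORTS]; int n; };
/* Group membership, used to tell known from unknown multicast. */
struct mcast_group { uint8_t gmac[6]; uint8_t member[MAX_PORTS][6]; int n; };
enum frame_class { KNOWN_UNICAST, UNKNOWN_UNICAST, KNOWN_MULTICAST,
                   UNKNOWN_MULTICAST, BROADCAST };
static const struct cam_entry *cam_lookup(const struct cam_table *t, const uint8_t mac[6])
{
    for (int i = 0; i < t->n; i++)
        if (memcmp(t->e[i].mac, mac, 6) == 0) return &t->e[i];
    return NULL;
}
static bool rcv_list_contains(const struct cam_entry *rx, uint32_t snd_tag)
{
    for (int i = 0; i < MAX_TAGS; i++)
        if (rx->rcv_tag[i] == snd_tag) return true;
    return false;
}
/* Message-type decision: broadcast address first, then I/G-bit multicast
 * (known only if every member MAC is in the CAM), else unicast by CAM hit. */
enum frame_class classify(const struct cam_table *t, const struct mcast_group *g,
                          const uint8_t dst[6])
{
    static const uint8_t bcast[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
    if (memcmp(dst, bcast, 6) == 0) return BROADCAST;
    if (dst[0] & 1) {
        if (memcmp(g->gmac, dst, 6) != 0) return UNKNOWN_MULTICAST;
        for (int i = 0; i < g->n; i++)
            if (!cam_lookup(t, g->member[i])) return UNKNOWN_MULTICAST;
        return KNOWN_MULTICAST;
    }
    return cam_lookup(t, dst) ? KNOWN_UNICAST : UNKNOWN_UNICAST;
}
/* The decision br_handle_frame() would take before calling br_forward():
 * returns a bitmask of egress ports (bit p = port p); 0 means discard. */
unsigned bridge_forward(const struct cam_table *t, const struct mcast_group *g,
                        const uint8_t src[6], const uint8_t dst[6])
{
    const struct cam_entry *tx = cam_lookup(t, src), *rx;
    unsigned mask = 0;
    if (!tx) return 0;               /* no CAM entry, hence no snd_tag: drop */
    switch (classify(t, g, dst)) {
    case KNOWN_UNICAST:
        rx = cam_lookup(t, dst);
        if (rcv_list_contains(rx, tx->snd_tag)) mask |= 1u << rx->port;
        break;
    case KNOWN_MULTICAST:            /* only the group's member ports */
        for (int i = 0; i < g->n; i++) {
            rx = cam_lookup(t, g->member[i]);
            if (rx->port != tx->port && rcv_list_contains(rx, tx->snd_tag))
                mask |= 1u << rx->port;
        }
        break;
    case BROADCAST:
    case UNKNOWN_MULTICAST:          /* walk every port's rcv_tag list */
        for (int i = 0; i < t->n; i++) {
            rx = &t->e[i];
            if (rx->port != tx->port && rcv_list_contains(rx, tx->snd_tag))
                mask |= 1u << rx->port;
        }
        break;
    case UNKNOWN_UNICAST:            /* never flooded: discarded outright */
        break;
    }
    return mask;
}
/* Constructed sample: A (tag 1) and B (tag 2) may reach each other, C (tag 3)
 * accepts only its own tag, X has no CAM entry, group 01:00:5e:00:00:01 = {A,B}. */
const uint8_t MAC_A[6] = {0x02,0x42,0xac,0x11,0x00,0x0a}, MAC_B[6] = {0x02,0x42,0xac,0x11,0x00,0x0b},
              MAC_C[6] = {0x02,0x42,0xac,0x11,0x00,0x0c}, MAC_X[6] = {0x02,0x42,0xac,0x11,0x00,0xee},
              MAC_BCAST[6] = {0xff,0xff,0xff,0xff,0xff,0xff},
              MAC_MCAST_AB[6] = {0x01,0x00,0x5e,0x00,0x00,0x01}, MAC_MCAST_NEW[6] = {0x01,0x00,0x5e,0x00,0x00,0x02};
static const struct cam_table SAMPLE_CAM = { .n = 3, .e = {
    { {0x02,0x42,0xac,0x11,0x00,0x0a}, 1, 1, {1, 2} },
    { {0x02,0x42,0xac,0x11,0x00,0x0b}, 2, 2, {1} },
    { {0x02,0x42,0xac,0x11,0x00,0x0c}, 3, 3, {3} } } };
static const struct mcast_group SAMPLE_GROUP = { {0x01,0x00,0x5e,0x00,0x00,0x01},
    { {0x02,0x42,0xac,0x11,0x00,0x0a}, {0x02,0x42,0xac,0x11,0x00,0x0b} }, 2 };
/* Egress-port bitmask for src->dst over the sample table; 0 = discarded. */
unsigned demo_egress_mask(const uint8_t src[6], const uint8_t dst[6])
{
    return bridge_forward(&SAMPLE_CAM, &SAMPLE_GROUP, src, dst);
}
```

The result is returned as a bitmask of egress ports so one call covers both the single-port unicast case and the multi-port flooding cases. With the sample table, A's broadcast reaches only B, C's broadcast reaches nobody, and an unknown unicast from A is discarded rather than flooded to every port, which is the behaviour that removes the unfiltered flooding the description attributes to the prior art.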
The embodiment of the invention also discloses an inter-container communication system; as shown in fig. 4, the system comprises:
the receiving unit is used for receiving the message to be forwarded; for details, see the description of step S1 in the above method embodiment.
The judging unit is used for judging whether the label of the message sending end is matched with the label of the message receiving end; for details, see the description of step S2 in the above method embodiment.
The forwarding unit is used for forwarding the message to be forwarded to the message receiving end when the label of the message sending end is matched with the label of the message receiving end; for details, see the description of step S3 in the above method embodiment.
The inter-container communication device provided by the embodiment of the invention sets labels for the message sending end and the message receiving end; when the network bridge forwards the message to be forwarded, the label of the message sending end is matched against the label of the message receiving end, and the message is forwarded only when the match succeeds. Therefore, the inter-container communication method can effectively limit the message forwarding direction by setting labels and realize service isolation. Meanwhile, limits on network communication between containers can be realized flexibly, so the security protection capability of the containers is effectively improved, and the problems in the prior art that forwarded data packets are not filtered and are vulnerable to ARP spoofing and MAC flooding attacks are solved.
The inter-container communication device provided by the embodiment of the invention can configure inter-container communication flexibly by configuring the sending label and the receiving label list, so that network communication and security isolation of various services can be realized. When labels are set on the bridge ports where the containers are located, the number of labels is not limited, so the device can be used as usual in scenarios with many containers. In addition, since the tags apply only within the network bridge, communication among containers across host machines is not affected.
For the function description of the inter-container communication device provided by the embodiment of the invention, refer to the description of the inter-container communication method in the above embodiment.
The embodiment of the present invention further provides an electronic device, as shown in fig. 5, where the electronic device may include a processor 401 and a memory 402, where the processor 401 and the memory 402 may be connected by a bus or other means, and in fig. 5, the connection is exemplified by a bus.
The processor 401 may be a central processing unit (Central Processing Unit, CPU). The processor 401 may also be other general purpose processors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), field programmable gate arrays (Field-Programmable Gate Array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, or combinations thereof.
The memory 402, as a non-transitory computer readable storage medium, may be used to store non-transitory software programs, non-transitory computer executable programs and modules, such as the program instructions/modules corresponding to the method for detecting illegal activities in the embodiments of the present invention. The processor 401 executes the various functional applications and data processing of the processor, i.e., implements the illegal action detection method in the above-described method embodiments, by running the non-transitory software programs, instructions and modules stored in the memory 402.
Memory 402 may include a storage program area that may store an operating system, at least one application program required for functionality, and a storage data area; the storage data area may store data created by the processor 401, or the like. In addition, memory 402 may include high-speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, memory 402 may optionally include memory located remotely from processor 401, such remote memory being connectable to processor 401 through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The one or more modules are stored in the memory 402 and when executed by the processor 401, perform the method of detecting illicit activity in the embodiment shown in fig. 1.
The specific details of the electronic device may be understood correspondingly with respect to the corresponding related descriptions and effects in the embodiment shown in fig. 1, which are not repeated herein.
It will be appreciated by those skilled in the art that all or part of the above-described embodiment methods may be implemented by a computer program instructing related hardware; the program may be stored in a computer readable storage medium and, when executed, may include the above-described embodiment methods. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a Flash Memory, a Hard Disk (HDD), a Solid State Drive (SSD), or the like; the storage medium may also comprise a combination of memories of the kinds described above.
Although embodiments of the present invention have been described in connection with the accompanying drawings, various modifications and variations may be made by those skilled in the art without departing from the spirit and scope of the invention, and such modifications and variations are within the scope of the invention as defined by the appended claims.

Claims (8)

1. A method of inter-container communication, comprising:
receiving a message to be forwarded;
judging whether the label of the message sending end is matched with the label of the message receiving end, wherein the message sending end and the message receiving end are containers created in a dock;
when the label of the message sending end is matched with the label of the message receiving end, forwarding the message to be forwarded to the message receiving end;
the judging whether the label of the message sending end is matched with the label of the message receiving end comprises the following steps:
judging the message type of a message to be forwarded, wherein the message type comprises a known unicast type or a known multicast type;
judging whether the label of the message sending end is matched with the label of the message receiving end according to the message type;
judging whether the label of the message sending end is matched with the label of the message receiving end according to the message type, comprising:
when judging that the message to be forwarded is of a known unicast type or a known multicast type, inquiring an address table according to the local area network address of the message transmitting end, and determining a transmitting label of the message transmitting end;
inquiring the address table according to the local area network address of the message receiving end, and judging whether the sending label of the message sending end is in a receiving label list corresponding to the message receiving end;
when the label of the message sending end is matched with the label of the message receiving end, forwarding the message to the message receiving end, including:
when the sending label of the message sending end is positioned in the receiving label list of the message receiving end, the message to be forwarded is sent to the message receiving end;
and discarding the message to be forwarded when the sending label of the message sending end is not in the receiving label list of the message receiving end.
2. The method of claim 1, wherein:
the tag comprises a sending tag list and a receiving tag list;
the sending label is a label set when the message sending end sends a message;
the receiving tag list is a collection set of the sending tags which can be received by the message receiving end;
the sending tag, the receiving tag list, the local area network address of the container and the bridge port of the container are correspondingly arranged in the address list.
3. The method according to claim 2, wherein the determining the message type includes:
judging whether the message to be forwarded is of a unicast type, a multicast type or a broadcast type according to the message to be forwarded;
when the message to be forwarded is of a unicast type, judging whether the local area network address of the message receiving end is positioned in the address table;
when the message receiving end local area network address is positioned in the address table, judging that the message to be forwarded is of a known unicast type;
when the local area network address of the message receiving end is not in the address table, judging that the message to be forwarded is of an unknown unicast type;
when the message to be forwarded is of a multicast type, judging whether local area network addresses of a plurality of message receiving ends are positioned in the address table;
when local area network addresses of a plurality of message receiving ends are all located in the address table, judging that the message to be forwarded is of a known multicast type;
and when the local area network address of any message receiving end is not in the address table, judging that the message to be forwarded is of an unknown multicast type.
4. The method of claim 3, wherein the determining, according to the message type, whether the label of the message sending end is matched with the label of the message receiving end, further comprises:
when judging that the message to be forwarded is of a broadcast type or an unknown multicast type, inquiring the address table according to the local area network address of the message transmitting end, and determining a transmitting label of the message transmitting end;
traversing the address table, and judging whether the sending label of the message sending end is in a receiving label list corresponding to each message receiving end one by one;
when the label of the message sending end is matched with the label of the message receiving end, forwarding the message to the message receiving end, including:
when the sending label of the message sending end is positioned in the receiving label list of the message receiving end, the message to be forwarded is sent to the message receiving end;
and discarding the message to be forwarded when the sending label of the message sending end is not in the receiving label list of the message receiving end.
5. The method of claim 3, wherein the determining, according to the message type, whether the tag of the transmitting end corresponds to the tag of the receiving end, further comprises:
and discarding the message to be forwarded when judging that the message to be forwarded is of an unknown unicast type.
6. An inter-container communication system, comprising:
the receiving unit is used for receiving the message to be forwarded;
the judging unit is used for judging whether the label of the message sending end is matched with the label of the message receiving end, and the message sending end and the message receiving end are containers created in the docker;
the forwarding unit is used for forwarding the message to be forwarded to the message receiving end when the label of the message sending end is matched with the label of the message receiving end;
the judging whether the label of the message sending end is matched with the label of the message receiving end comprises the following steps:
judging the message type of a message to be forwarded, wherein the message type comprises a known unicast type or a known multicast type;
judging whether the label of the message sending end is matched with the label of the message receiving end according to the message type;
judging whether the label of the message sending end is matched with the label of the message receiving end according to the message type, comprising:
when judging that the message to be forwarded is of a known unicast type or a known multicast type, inquiring an address table according to the local area network address of the message transmitting end, and determining a transmitting label of the message transmitting end;
inquiring the address table according to the local area network address of the message receiving end, and judging whether the sending label of the message sending end is in a receiving label list corresponding to the message receiving end;
when the label of the message sending end is matched with the label of the message receiving end, forwarding the message to the message receiving end, including:
when the sending label of the message sending end is positioned in the receiving label list of the message receiving end, the message to be forwarded is sent to the message receiving end;
and discarding the message to be forwarded when the sending label of the message sending end is not in the receiving label list of the message receiving end.
7. An electronic device, comprising: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor to cause the at least one processor to perform the steps of the inter-container communication method of any of claims 1-5.
8. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the inter-container communication method according to any of claims 1-5.
CN202111242113.9A 2021-10-25 2021-10-25 Inter-container communication method, system, electronic equipment and storage medium Active CN114024725B (en)

Publications (2)

Publication Number Publication Date
CN114024725A CN114024725A (en) 2022-02-08
CN114024725B true CN114024725B (en) 2023-06-20

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant