CN117176475A - Rule configuration method and device, linux host and storage medium - Google Patents

Info

Publication number: CN117176475A (granted version: CN117176475B)
Application number: CN202311445405.1A
Authority: CN (China)
Original language: Chinese (zh)
Inventors: 刘金松, 施扬, 申习之
Assignee (original and current): Chengdu Zhuozhou Technology Co ltd
Legal status: Granted, active

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00: Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02: Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]
Abstract

When a first iptables rule is to be written into the iptables rule storage module of a linux host by a target iptables rule management process, the currently stored iptables configuration information is read from the iptables rule storage module and a historical iptables rule set is determined from it. The historical iptables rule set comprises a plurality of historical iptables rules, each associated with the process identifier of the iptables rule management process that configured it. A target iptables rule is determined from the first iptables rule and the historical iptables rule set, and the configuration is completed by writing the target iptables rule into the iptables rule storage module. Because each historical iptables rule is associated with the identifier of the process that configured it, later maintenance can tell which management process is responsible for each rule.

Description

Rule configuration method and device, linux host and storage medium
Technical Field
The present application relates to the field of network technologies, and in particular, to a rule configuration method, a rule configuration device, a linux host, and a storage medium.
Background
When making packet filtering decisions, a firewall follows a set of rules stored in dedicated packet filtering tables integrated into the Linux kernel. In practice, operations and maintenance personnel may need to reconfigure the IP packet filtering rules of the linux kernel to suit the usage requirements, so how to configure rules in the linux kernel is a technical problem that currently needs to be solved.
Disclosure of Invention
An embodiment of the application aims to provide a rule configuration method, a rule configuration device, a linux host and a storage medium, so as to solve the technical problems.
In one aspect, a rule configuration method is provided, the method including:
when a first iptables rule is required to be written into an iptables rule storage module of a linux host through a target iptables rule management process, reading currently stored iptables configuration information from the iptables rule storage module; the linux host is pre-configured with an iptables rule management process;
determining a historical iptables rule set according to the read iptables configuration information; the history iptables rule set comprises a plurality of history iptables rules, and each history iptables rule is associated with a process identifier of the iptables rule management process for configuring the history iptables rule;
determining a target iptables rule according to the first iptables rule and the historical iptables rule set;
and writing the target iptables rule into the iptables rule storage module.
In one embodiment, the determining the historical iptables rule set according to the read iptables configuration information includes:
saving the iptables configuration information with the iptables-save command to obtain first configuration information in string format;
parsing the rules in the first configuration information to obtain a historical iptables rule set, and adding the parsed historical iptables rule set to a predefined control class object;
the determining the target iptables rule according to the first iptables rule and the historical iptables rule set includes:
and determining a target iptables rule according to the first iptables rule and the control class object.
In one embodiment, each of the history iptables rules is marked with a process identifier of the iptables rule management process configured for the history iptables rule, where determining the target iptables rule according to the first iptables rule and the control class object includes:
deleting the historical iptables rule marked with the target process identifier in the historical iptables rule set from the control class object to obtain a second iptables rule configured by other iptables rule management processes except the target iptables rule management process; the target process identifier is a process identifier of the target iptables rule management process;
and generating a target iptables rule according to the first iptables rule and the second iptables rule.
In one embodiment, the generating the target iptables rule according to the first iptables rule and the second iptables rule includes:
labeling the target process identifier for the first iptables rule;
adding the first iptables rule marked with the target process identifier into the control class object;
serializing the control class object into second configuration information in a character string format;
and when the second configuration information is inconsistent with the first configuration information, taking the second configuration information as a target iptables rule.
In one embodiment, after the serializing the control class object into the second configuration information in the string format, the method includes:
when the second configuration information is consistent with the first configuration information, abandoning the rule writing;
the writing the target iptables rule into the iptables rule storage module comprises the following steps:
and calling an iptables-restore interface to import the target iptables rule into the iptables rule storage module.
In one embodiment, each of the historical iptables rules is labeled with a corresponding rule configuration time; the determining a target iptables rule according to the first iptables rule and the control class object includes:
labeling a target process identifier and a target rule configuration time for the first iptables rule; the target process identifier is a process identifier of the target iptables rule management process;
adding the first iptables rule marked with the target process identifier and the target rule configuration time to the control class object;
and deleting, from the control class object, the historical iptables rules that are marked with the target process identifier and whose marked rule configuration time is before the target rule configuration time, to obtain the target iptables rule.
In one embodiment, the method further comprises:
when a first iptables rule is required to be written into an iptables rule storage module of a linux host through a target iptables rule management process, starting a file lock configured for the iptables rule storage module in advance;
and after the target iptables rule is written into the iptables rule storage module, unlocking the file lock.
In another aspect, there is provided a rule configuration apparatus, the apparatus comprising:
the reading module is used for reading the currently stored iptables configuration information from the iptables rule storage module when the first iptables rule is required to be written into the iptables rule storage module of the linux host through the target iptables rule management process; the linux host is pre-configured with an iptables rule management process;
the first determining module is used for determining a historical iptables rule set according to the read iptables configuration information; the history iptables rule set comprises a plurality of history iptables rules, and each history iptables rule is associated with a process identifier of the iptables rule management process for configuring the history iptables rule;
the second determining module is used for determining a target iptables rule according to the first iptables rule and the historical iptables rule set;
and the writing module is used for writing the target iptables rule into the iptables rule storage module.
In another aspect, there is provided a linux host, including a processor and a memory, where the memory stores a computer program, and the processor executes the computer program to implement any of the methods described above.
In another aspect, a computer readable storage medium is provided, storing a computer program which, when executed by at least one processor, implements any of the methods described above.
According to the rule configuration method, the device, the linux host and the storage medium provided by the application, when a first iptables rule is required to be written into the iptables rule storage module of the linux host through the target iptables rule management process, the currently stored iptables configuration information is read from the iptables rule storage module, a history iptables rule set is determined according to the read iptables configuration information, the history iptables rule set comprises a plurality of history iptables rules, each history iptables rule is associated with a process identifier of an iptables rule management process for configuring the history iptables rule, the target iptables rule is determined according to the first iptables rule and the history iptables rule set, and the configuration of the iptables rule is realized.
Drawings
Fig. 1 is a flow chart of a rule configuration method according to a first embodiment of the present application;
Fig. 2 is a flow chart of a method for determining a historical iptables rule set according to an embodiment of the present application;
Fig. 3 is a schematic structural diagram of a rule configuration device according to a second embodiment of the present application;
Fig. 4 is a schematic structural diagram of a linux host according to a third embodiment of the present application.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
Example 1
The embodiment of the application provides a rule configuration method that can be applied to a linux host. The linux host can be any electronic device running a linux system, for example any linux server that needs to provide firewall services.
Referring to fig. 1, the rule configuration method in the embodiment of the present application may include the following steps:
S11: when a first iptables rule is required to be written into an iptables rule storage module of a linux host through a target iptables rule management process, reading currently stored iptables configuration information from the iptables rule storage module; the linux host is pre-configured with an iptables rule management process.
S12: determining a historical iptables rule set according to the read iptables configuration information; the history iptables rule set comprises a plurality of history iptables rules, and each history iptables rule is associated with a process identifier of an iptables rule management process for configuring the history iptables rule.
S13: and determining the target iptables rule according to the first iptables rule and the historical iptables rule set.
S14: and writing the target iptables rule into the iptables rule storage module.
The steps described above are described in detail below.
The rule configuration method provided by the embodiment of the application can be applied to any scene needing to configure the iptables rule in the kernel of the linux host.
The iptables rule in the embodiment of the present application may be an IP packet filtering rule.
The iptables rule storage module is a module in the linux host kernel for storing iptables configuration information, wherein the iptables configuration information comprises a rule table, the rule table is composed of rule chains, and the rule chains are composed of various iptables rules.
In the embodiment of the application, the linux host is preconfigured with the iptables rule management process, for example, 1, 2 or more iptables rule management processes can be configured. The iptables rule management process is used for realizing the management of firewall iptables rules on the linux host, and is particularly used for realizing the configuration of iptables rules, including the addition, modification and deletion of iptables rules. Illustratively, at least two iptables rule management processes are preconfigured on the linux host. Because the linux host is preconfigured with at least two iptables rule management processes, when a fault occurs in one iptables rule management process in work, the iptables rule can be configured through another iptables rule management process on the linux host, so that the problem that the iptables rule cannot be configured due to process faults is avoided.
It should be noted that, for each iptables rule management process, a corresponding process identifier may be preconfigured; the process identifier indicates the identity of that iptables rule management process. This facilitates manual review, since it distinguishes which process a specific rule belongs to.
For example, for each service scenario, the corresponding iptables rule management process may be preconfigured on the linux host. That is, the iptables rules of the application scene a, the application scene B, and the application scene C may be configured by a first iptables rule management process that is configured in advance, and the iptables rules of the application scene D and the application scene E may be configured by a second iptables rule management process that is configured in advance. The iptables rule configuration of different application scenes can be configured through different iptables rule management processes, so that a plurality of processes are allowed to manage the iptables rule configuration of different service scenes at the same time.
The target iptables rule management process in step S11 is the management process on the linux host that currently needs to perform iptables rule configuration. When the first iptables rule needs to be written into the iptables rule storage module of the linux host through the target iptables rule management process, the target iptables rule management process can be started, and the currently stored iptables configuration information is read from the iptables rule storage module.
To avoid read/write concurrency problems in which one process's write is overwritten by another process, a file lock, such as an opt/iptables lock, can be configured in advance for the iptables rule storage module. When the first iptables rule needs to be written into the iptables rule storage module of the linux host through the target iptables rule management process, the file lock is acquired and held, which ensures that only the target iptables rule management process modifies the iptables rules in the iptables rule storage module. If the operation terminates abnormally in a later step, the file lock must still be released so that the next iptables rule configuration can proceed.
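The file lock described above, as an added example that is not part of the patent: a Python lock around one configuration cycle, built on flock(2). The lock file path, the choice of flock, and the two check functions are assumptions of this example; the patent names an opt/iptables lock but no mechanism.

```python
"""Added example (not the patent's code): a file lock around one rule-configuration
cycle, so only one iptables rule management process edits the rule storage at a time."""
from __future__ import annotations

import fcntl
import os
import tempfile
from contextlib import contextmanager
from typing import Iterator, Optional

# Lock path is an assumption; the patent mentions an "opt/iptables" lock without a
# fixed name. A temp directory is used here so the example runs unprivileged.
LOCK_PATH = os.path.join(tempfile.gettempdir(), "iptables-rule-config.lock")


def try_acquire(path: str = LOCK_PATH) -> Optional[int]:
    """Non-blocking exclusive flock; returns the fd holding it, or None when another
    open file description (normally another process) already holds the lock."""
    fd = os.open(path, os.O_RDWR | os.O_CREAT, 0o600)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
    except BlockingIOError:
        os.close(fd)
        return None
    return fd


def release(fd: int) -> None:
    fcntl.flock(fd, fcntl.LOCK_UN)
    os.close(fd)


@contextmanager
def rule_storage_lock(path: str = LOCK_PATH) -> Iterator[None]:
    """Blocking exclusive lock held across the save/modify/restore steps. The finally
    clause is the point the patent makes: the lock is released even if a later step
    terminates by mistake, so the next configuration run is not blocked forever."""
    fd = os.open(path, os.O_RDWR | os.O_CREAT, 0o600)
    fcntl.flock(fd, fcntl.LOCK_EX)
    try:
        yield
    finally:
        release(fd)


def contention_check() -> tuple[bool, bool]:
    """Returns (lock refused while held, lock available again after release)."""
    with rule_storage_lock():
        refused = try_acquire() is None
    fd = try_acquire()
    available = fd is not None
    if fd is not None:
        release(fd)
    return refused, available


def released_after_failure() -> bool:
    """Simulate a configuration step that raises mid-cycle; the lock must not leak."""
    try:
        with rule_storage_lock():
            raise RuntimeError("iptables-restore failed (simulated)")
    except RuntimeError:
        pass
    fd = try_acquire()
    if fd is None:
        return False
    release(fd)
    return True
```

A flock lock belongs to the open file description, so the kernel drops it when the holding process exits; that covers a configuration step that is killed outright, while the finally clause covers a step that raises inside a process that keeps running. Nothing here needs root, so both check functions run as written.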
For step S12, please refer to fig. 2, the following sub-steps may be included:
S121: saving the iptables configuration information through the iptables-save command to obtain first configuration information in string format.
S122: parsing the rules in the first configuration information to obtain a historical iptables rule set, and adding the parsed historical iptables rule set to a predefined control class object.
Correspondingly, determining the target iptables rule according to the first iptables rule and the history iptables rule set includes:
and determining a target iptables rule according to the first iptables rule and the control class object.
In the embodiment of the application, the iptables configuration information in the iptables rule storage module can be read by calling the iptables-save command and stored as the first configuration information SSave in string format. Saving the iptables configuration information with the iptables-save command makes the program run faster and execute more accurately. It should be noted that the first configuration information SSave may be saved to a separate backup file; it need not be saved in the iptables rule storage module. Parsing the rules in the first configuration information comprises: obtaining the statistics of the rule chains under each rule table, and obtaining the rule content of each iptables rule under each rule chain together with the process identifier marked on the rule, thereby obtaining the historical iptables rule set.
In the embodiment of the application, each historical iptables rule is marked with the process identifier of the iptables rule management process that configured it. In this way the historical iptables rule is associated with the process identifier, and the process identifier marked on each historical iptables rule indicates which iptables rule management process previously configured the rule.
For example, in the embodiment of the present application, the corresponding process identifier may be labeled for each history iptables rule through the comment function of iptables.
The control class object in the embodiment of the present application is predefined, for example, may be defined as an object Status.
Next, a procedure for determining a target iptables rule from the first iptables rule and the control class object will be described.
In a first alternative embodiment, the history iptables rule marked with the target process identifier in the history iptables rule set may be deleted from the control class object, to obtain a second iptables rule configured by other iptables rule management processes except the target iptables rule management process; the target process identifier is a process identifier of a target iptables rule management process; and generating a target iptables rule according to the first iptables rule and the second iptables rule.
It will be understood that, after the historical iptables rule marked with the target process identifier in the historical iptables rule set is deleted from the control class object, only the second iptables rule configured by the other iptables rule management processes except the target iptables rule management process remains in the current control class object.
In order to facilitate distinguishing between the iptables rule management processes to which each iptables rule belongs, a target process identifier may also be labeled for the first iptables rule, that is, in the embodiment of the present application, a target iptables rule is generated according to the first iptables rule and the second iptables rule, where the method includes:
The target process identifier is marked on the first iptables rule, and the first iptables rule marked with the target process identifier is added to the control class object. The control class object then consists of the first iptables rule marked with the target process identifier and the second iptables rules marked with other process identifiers, where the other process identifiers are those of the iptables rule management processes other than the target iptables rule management process. The current control class object is serialized into second configuration information SRestore in string format. When the second configuration information SRestore is inconsistent with the first configuration information SSave, the second configuration information is taken as the target iptables rule. At this point, the target iptables rule may be written to the iptables rule storage module by the iptables-restore command.
Likewise, the target process identifier may be marked on the first iptables rule by the comment function of iptables. When the first iptables rule is already marked with the process identifier of another iptables rule management process, that identifier should be deleted and the target process identifier marked on the first iptables rule instead.
To avoid wasting resources, in some embodiments, when the second configuration information SRestore and the first configuration information SSave are consistent, the rule writing may be aborted.
In a second alternative embodiment, each history iptables rule in the history iptables rule set is marked with a rule configuration time of the rule, in addition to a process identifier of a corresponding iptables rule management process, where the rule configuration time may be a time when the rule is written into the iptables rule storage module. For this case, determining the target iptables rule according to the first iptables rule and the control class object includes:
The target process identifier and a target rule configuration time T1 are marked on the first iptables rule; the target process identifier is the process identifier of the target iptables rule management process, and the target rule configuration time can be the current time, indicating that the rule is configured at time point T1. The first iptables rule marked with the target process identifier and the target rule configuration time is added to the control class object, which at this point consists of the historical iptables rule set and the first iptables rule marked with the target process identifier and the target rule configuration time. Then the historical iptables rules in the control class object that are marked with the target process identifier and whose rule configuration time is before the target rule configuration time T1 are deleted, and the iptables rules remaining in the control class object are the target iptables rule.
It should be noted that the plurality of iptables rule management processes preconfigured on the linux host may manage different table rules or chain rules, and their default rules on the same table or chain are the same. For example, all of them apply a default rejection and then add permission rules, or all of them apply a default permission and then add rejection rules.
In the embodiment of the application, the deletion of the iptables rule can be performed based on the process identification, so that a large number of repeated rules can be ensured not to exist in the iptables rule storage module. In addition, each iptables rule management process can independently realize the iptables configuration function without mutual influence.
Finally, it should be noted that in the embodiment of the present application the target iptables rule may be imported into the iptables rule storage module by calling the iptables-restore interface. Compared with writing the target iptables rule by generating add and delete commands, writing it directly through the iptables-restore interface reduces unsafe intermediate states, because a single iptables-restore command is a transaction; it also involves fewer steps and is easier to implement and debug.
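The full cycle described in steps S121 and S122 and in the two alternative embodiments above, as an added example that is not part of the patent. It parses constructed iptables-save output into a control class object (Status), tags each new rule with the target process identifier through the iptables comment match (the owner=...;t=... tag layout is an assumption of this example), builds the target rule set either by process identifier alone or by process identifier plus rule configuration time, and reports whether SRestore differs from SSave. Rule, Status, parse_save, tag_rule, compute_target and plan_restore are names chosen here, not the patent's.

```python
"""Added example (not the patent's code): one save/parse/tag/restore cycle of the
described method, run on constructed iptables-save output."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Callable, Optional

# Tag layout "owner=<process identifier>;t=<rule configuration time>" inside the
# iptables comment match is an assumption made for this example.
TAG_RE = re.compile(r'-m comment --comment "?owner=([^;"\s]+);t=(\d+)"?')
COMMENT_RE = re.compile(r' -m comment --comment (?:"[^"]*"|\S+)')

# Constructed SSave: rules from two management processes plus one untagged rule.
SAMPLE_SAVE = """\
# Generated by iptables-save v1.8.7 (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 10.0.0.0/8 -p tcp --dport 22 -m comment --comment "owner=procA;t=100" -j ACCEPT
-A INPUT -p tcp --dport 80 -m comment --comment "owner=procB;t=110" -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
COMMIT
"""

@dataclass
class Rule:
    text: str             # full "-A CHAIN ..." line as iptables-save prints it
    owner: Optional[str]  # process identifier from the tag, None if untagged
    time: Optional[int]   # rule configuration time from the tag

@dataclass
class Status:
    """Control class object: chain policy lines and rules per table, in save order."""
    policies: dict[str, list[str]] = field(default_factory=dict)
    rules: dict[str, list[Rule]] = field(default_factory=dict)

    def serialize(self) -> str:
        """SRestore: iptables-restore input, one '*table ... COMMIT' block per table."""
        out: list[str] = []
        for table, pol in self.policies.items():
            out += [f"*{table}", *pol, *(r.text for r in self.rules[table]), "COMMIT"]
        return "\n".join(out) + "\n"

def make_rule(text: str) -> Rule:
    m = TAG_RE.search(text)
    return Rule(text, m.group(1) if m else None, int(m.group(2)) if m else None)

def parse_save(ssave: str) -> Status:
    """Rule parsing of iptables-save output (step S122); COMMIT and '#' lines carry no rules."""
    st, table = Status(), ""
    for line in ssave.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
            st.policies[table], st.rules[table] = [], []
        elif line.startswith(":"):
            st.policies[table].append(line)
        elif line.startswith("-A"):
            st.rules[table].append(make_rule(line))
    return st

def tag_rule(text: str, owner: str, now: int) -> str:
    """Drop a comment left by another process, then tag the rule for `owner`."""
    text = COMMENT_RE.sub("", text)
    tag = f'-m comment --comment "owner={owner};t={now}"'
    head, sep, target = text.partition(" -j ")
    return f"{head} {tag}{sep}{target}" if sep else f"{text} {tag}"

def compute_target(cur: Status, new: dict[str, list[str]], owner: str, now: int,
                   by_time: bool = False) -> Status:
    """by_time=False (first embodiment): delete every rule tagged `owner`, then add the
    new rules. by_time=True (second embodiment): add the new rules stamped `now`, then
    delete `owner`'s rules stamped before `now`."""
    tgt = Status(dict(cur.policies), {t: list(rs) for t, rs in cur.rules.items()})

    def drop(keep: Callable[[Rule], bool]) -> None:
        for t in tgt.rules:
            tgt.rules[t] = [r for r in tgt.rules[t] if keep(r)]

    if not by_time:
        drop(lambda r: r.owner != owner)
    for t, texts in new.items():  # new rules go to the end of their table (assumption)
        tgt.policies.setdefault(t, [])
        tgt.rules.setdefault(t, []).extend(make_rule(tag_rule(x, owner, now)) for x in texts)
    if by_time:
        drop(lambda r: not (r.owner == owner and r.time < now))
    return tgt

def plan_restore(ssave: str, new: dict[str, list[str]], owner: str, now: int,
                 by_time: bool = False) -> tuple[bool, str]:
    """Return (changed, SRestore); feed SRestore to iptables-restore only when changed.
    SSave is compared in re-serialized form: raw iptables-save output opens with a
    '# Generated by ...' timestamp line that differs on every save."""
    cur = parse_save(ssave)
    srestore = compute_target(cur, new, owner, now, by_time).serialize()
    return srestore != cur.serialize(), srestore

if __name__ == "__main__":
    changed, text = plan_restore(SAMPLE_SAVE, {"filter": ["-A INPUT -p tcp --dport 443 -j ACCEPT"]}, "procA", 200)
    print("changed:", changed)
    print(text, end="")
```

On a real host, ssave would be the output of iptables-save and srestore would be piped into iptables-restore, which replaces each table listed in its input as a unit. Two points the code makes concrete: the changed check compares a re-serialized SSave rather than the raw string, because iptables-save prefixes a timestamp comment that changes on every save; and with by_time=True the deletion keeps any rule of the target process whose timestamp is not strictly earlier, so re-running the same configuration within the same timestamp duplicates the rule, while running it with a later timestamp rewrites the tag and therefore always reports a change. The by_time=False path is idempotent.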
It should be understood that, although the steps in the above flowcharts are shown in the order indicated by the arrows, these steps are not necessarily performed in that order. Unless explicitly stated herein, the steps are not strictly limited to that order of execution and may be executed in other orders. Moreover, at least some of the steps in the flowcharts may include a plurality of sub-steps or stages that are not necessarily performed at the same time but may be performed at different times, and the sub-steps or stages need not execute sequentially; they may be performed in turn or alternately with at least some of the sub-steps or stages of other steps.
Example two
Based on the same inventive concept, an embodiment of the present application provides a rule configuration device, please refer to fig. 3, including:
a reading module 301, configured to read, when a first iptables rule needs to be written into an iptables rule storage module of a linux host through a target iptables rule management process, currently stored iptables configuration information from the iptables rule storage module; the linux host is pre-configured with an iptables rule management process;
a first determining module 302, configured to determine a historical iptables rule set according to the read iptables configuration information; the history iptables rule set comprises a plurality of history iptables rules, and each history iptables rule is marked with a process identifier of the iptables rule management process for configuring the history iptables rule;
a second determining module 303, configured to determine a target iptables rule according to the first iptables rule and the historical iptables rule set;
and the writing module 304 is configured to write the target iptables rule into the iptables rule storage module.
Further, the first determining module 302 is configured to store the iptables configuration information through an iptables-save command, so as to obtain first configuration information in a character string format; and carrying out rule analysis on the first configuration information to obtain a historical iptables rule set, and adding the analyzed historical iptables rule set into a predefined control class object. The second determining module 303 is configured to determine a target iptables rule according to the first iptables rule and the control class object.
Further, each history iptables rule is marked with a process identifier of the iptables rule management process configured for the history iptables rule, and the second determining module 303 is configured to delete the history iptables rule marked with the target process identifier in the history iptables rule set from the control class object, so as to obtain a second iptables rule configured by other iptables rule management processes except the target iptables rule management process; the target process identifier is a process identifier of the target iptables rule management process; and generating a target iptables rule according to the first iptables rule and the second iptables rule.
Further, the second determining module 303 is configured to label the target process identifier to the first iptables rule; adding the first iptables rule marked with the target process identifier into the control class object; serializing the control class object into second configuration information in a character string format; and when the second configuration information is inconsistent with the first configuration information, taking the second configuration information as a target iptables rule.
Further, the second determining module 303 is further configured to discard the rule writing when the second configuration information is consistent with the first configuration information.
Further, the writing module 304 is configured to call an iptables-restore interface to import the target iptables rule into the iptables rule storage module.
Further, each of the history iptables rules is marked with a corresponding rule configuration time, and the second determining module 303 is configured to mark the first iptables rule with a target process identifier and a target rule configuration time; the target process identifier is a process identifier of the target iptables rule management process; adding the first iptables rule marked with the target process identifier and the target rule configuration time to the control class object; and deleting the historical iptables rules in the control class object that are marked with the target process identifier and whose marked rule configuration time is before the target rule configuration time, to obtain the target iptables rule.
Further, the device comprises a file lock starting module and a file lock unlocking module, wherein the file lock starting module is used for starting a file lock configured for the iptables rule storage module in advance when a first iptables rule is required to be written into the iptables rule storage module of the linux host through a target iptables rule management process; and the file lock unlocking module is used for unlocking the file lock after the target iptables rule is written into the iptables rule storage module.
It should be noted that, for simplicity of description, the content described in the above embodiment is not repeated in this embodiment.
Example III
Based on the same inventive concept, an embodiment of the present application provides a linux host, which may be any electronic device running a linux system, for example any linux server that needs to provide firewall services.
The linux host includes a processor 401 and a memory 402. The memory 402 stores a computer program, the processor 401 and the memory 402 communicate through a communication bus, and the processor 401 executes the computer program to implement the steps of the method of the first embodiment, which are not repeated here. It will be appreciated that the configuration shown in fig. 4 is merely illustrative; the electronic device may include more or fewer components than shown in fig. 4, or have a different configuration from that shown in fig. 4.
The processor 401 may be an integrated circuit chip with signal processing capability. It may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP) and the like; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components, capable of implementing or executing the methods, steps and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor.
Memory 402 may include, but is not limited to, random access memory (RAM), read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), and the like.
The present embodiment also provides a computer-readable storage medium, such as a floppy disk, an optical disk, a hard disk, a flash memory, a USB flash drive, an SD card or an MMC card, which stores one or more programs implementing the above steps; the one or more programs may be executed by one or more processors 401 to implement the steps of the method of the first embodiment, which are not repeated here.
It should be noted that the illustrations provided in the present embodiment only convey the basic concept of the present application by way of example: only the components related to the present application are drawn, they are not drawn according to the number, shape and size of the components in an actual implementation, and the form, number and proportion of the components in an actual implementation may be changed arbitrarily, with a more complex layout. The structures, proportions, sizes and the like shown in the accompanying drawings are for illustration only and do not limit the scope of the application, which is defined by the claims. Likewise, terms such as "upper", "lower", "left", "right", "middle" and "one" used in this specification are descriptive only and do not limit the scope of the application; changes or adjustments of relative position that do not materially alter the technical content are also regarded as within the scope in which the application may be practiced.
The technical features of the above embodiments may be combined arbitrarily. For brevity, not every possible combination of these technical features is described, but any combination that contains no contradiction should be considered within the scope of this description.
The above examples describe only a few embodiments of the application in detail and are not to be construed as limiting its scope. It should be noted that those skilled in the art can make several variations and modifications without departing from the spirit of the application, and all of these fall within its scope. Accordingly, the scope of protection of the present application is determined by the appended claims.

Claims (10)

1. A rule configuration method, comprising:
when a first iptables rule needs to be written into an iptables rule storage module of a linux host through a target iptables rule management process, reading the currently stored iptables configuration information from the iptables rule storage module; the linux host is pre-configured with an iptables rule management process;
determining a historical iptables rule set according to the read iptables configuration information; the historical iptables rule set comprises a plurality of historical iptables rules, and each historical iptables rule is associated with the process identifier of the iptables rule management process that configured it;
determining a target iptables rule according to the first iptables rule and the historical iptables rule set;
and writing the target iptables rule into the iptables rule storage module.
2. The rule configuration method according to claim 1, wherein said determining a historical iptables rule set from the read iptables configuration information comprises:
exporting the iptables configuration information with the iptables-save command to obtain first configuration information in string format;
parsing the rules in the first configuration information to obtain the historical iptables rule set, and adding the parsed historical iptables rule set to a predefined control class object;
the determining the target iptables rule according to the first iptables rule and the historical iptables rule set includes:
and determining a target iptables rule according to the first iptables rule and the control class object.
3. The rule configuration method according to claim 2, wherein each of the history iptables rules is marked with a process identifier of the iptables rule management process configuring the history iptables rule, and the determining a target iptables rule according to the first iptables rule and the control class object includes:
deleting the historical iptables rule marked with the target process identifier in the historical iptables rule set from the control class object to obtain a second iptables rule configured by other iptables rule management processes except the target iptables rule management process; the target process identifier is a process identifier of the target iptables rule management process;
and generating a target iptables rule according to the first iptables rule and the second iptables rule.
4. The rule configuration method of claim 3, wherein the generating the target iptables rule from the first iptables rule and the second iptables rule comprises:
labeling the target process identifier for the first iptables rule;
adding the first iptables rule marked with the target process identifier into the control class object;
serializing the control class object into second configuration information in a character string format;
and when the second configuration information is inconsistent with the first configuration information, taking the second configuration information as a target iptables rule.
5. The rule configuration method of claim 4, wherein, after serializing the control class object into the second configuration information in string format, the method comprises:
when the second configuration information is consistent with the first configuration information, abandoning the rule writing;
the writing the target iptables rule into the iptables rule storage module comprises the following steps:
and calling an iptables-restore interface to import the target iptables rule into the iptables rule storage module.
6. The rule configuration method of claim 2, wherein each of the historical iptables rules is annotated with a corresponding rule configuration time; the determining a target iptables rule according to the first iptables rule and the control class object includes:
labeling a target process identifier and a target rule configuration time for the first iptables rule; the target process identifier is a process identifier of the target iptables rule management process;
adding the first iptables rule marked with the target process identifier and the target rule configuration time to the control class object;
and deleting from the control class object the historical iptables rules that are marked with the target process identifier and whose marked rule configuration time is before the target rule configuration time, to obtain the target iptables rule.
7. The rule configuration method according to any one of claims 1-6, wherein the method further comprises:
when a first iptables rule is required to be written into an iptables rule storage module of a linux host through a target iptables rule management process, starting a file lock configured for the iptables rule storage module in advance;
and after the target iptables rule is written into the iptables rule storage module, unlocking the file lock.
8. A rule configuration apparatus, comprising:
the reading module is used for reading the currently stored iptables configuration information from the iptables rule storage module when a first iptables rule needs to be written into the iptables rule storage module of the linux host through a target iptables rule management process; at least two iptables rule management processes are preconfigured on the linux host;
the first determining module is used for determining a historical iptables rule set according to the read iptables configuration information; the history iptables rule set comprises a plurality of history iptables rules, and each history iptables rule is associated with a process identifier of the iptables rule management process for configuring the history iptables rule;
the second determining module is used for determining a target iptables rule according to the first iptables rule and the historical iptables rule set;
and the writing module is used for writing the target iptables rule into the iptables rule storage module.
9. A linux host comprising a processor and a memory, wherein the memory has a computer program stored therein, and wherein the processor executes the computer program to implement the method of any of claims 1-7.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program which, when executed by at least one processor, implements the method of any of claims 1-7.
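The flow of the device modules described above (process-identifier and configuration-time tagging, file lock) and of claims 1 to 7, carried through on constructed iptables-save text as an added example; this is not code from the patent or its applicant. The patent does not say how a rule is associated with its managing process, so the example assumes the association is stored in the rule itself with the comment match (-m comment --comment "mgr=<id>;ts=<unix seconds>"), uses a stable integer manager id in place of a raw process id (OS pids are recycled when a manager restarts, after which it could no longer find its own rules), takes iptables-save and iptables-restore as injected callables so it runs offline, and implements the file lock as flock() on an assumed lock file path. merge() supports both deletion variants: the process-identifier variant of claims 3 and 4 and the configuration-time variant of claim 6.

```python
"""Added example, not the patent's code: one manager's iptables rules merged into a rule store
shared with other managers (save / merge / compare / restore of claims 1-7). Tagging via the
comment match, the manager id, the callables and the lock path are assumptions made here."""
from __future__ import annotations

import fcntl
import re
from dataclasses import dataclass, field, replace

TAG_RE = re.compile(r'-m comment --comment "mgr=(\d+);ts=(\d+)"')


@dataclass
class Rule:
    table: str                 # e.g. filter
    chain: str                 # e.g. INPUT
    spec: str                  # matches and target, without the owner comment
    owner: int | None = None   # manager id (a stable integer, not a recycled OS pid); None = unmanaged
    ts: int | None = None      # rule configuration time (unix seconds)

    def render(self) -> str:   # iptables-save line, owner tag placed before -j as iptables prints it
        parts = self.spec.split(" ")
        if self.owner is not None:
            at = parts.index("-j") if "-j" in parts else len(parts)
            parts[at:at] = f'-m comment --comment "mgr={self.owner};ts={self.ts}"'.split(" ")
        return f"-A {self.chain} " + " ".join(parts)


@dataclass
class Table:                   # the "control class object" of claim 2: one iptables table
    name: str
    policies: list[str] = field(default_factory=list)   # ':INPUT ACCEPT [0:0]' lines
    rules: list[Rule] = field(default_factory=list)


def parse_rule(table: str, line: str) -> Rule:
    m = TAG_RE.search(line)
    if m:   # strip the owner tag, keep the rest of the rule verbatim
        line = re.sub(r"\s+", " ", line[:m.start()] + line[m.end():]).strip()
    chain, _, spec = line[len("-A "):].partition(" ")
    return Rule(table, chain, spec, *(map(int, m.groups()) if m else (None, None)))


def parse_save(text: str) -> dict[str, Table]:
    tables: dict[str, Table] = {}
    cur = None
    for line in text.splitlines():
        if not line or line.startswith("#") or line == "COMMIT":
            continue            # '#' lines carry iptables-save timestamps and must not be compared
        if line.startswith("*"):
            cur = tables.setdefault(line[1:], Table(line[1:]))
        elif line.startswith(":"):
            cur.policies.append(line)
        elif line.startswith("-A "):
            cur.rules.append(parse_rule(cur.name, line))
    return tables


def serialize(tables: dict[str, Table]) -> str:
    out: list[str] = []
    for t in tables.values():
        out += [f"*{t.name}", *t.policies, *(r.render() for r in t.rules), "COMMIT"]
    return "\n".join(out) + "\n"


def merge(first: str, new_rules: list[Rule], mgr: int, now: int, by_time: bool = False) -> str | None:
    """Claims 3-6: the target configuration, or None when it equals the stored one (claim 5)."""
    tables = parse_save(first)
    baseline = serialize(tables)    # compare normalised text, never the raw save output
    for t in tables.values():
        if by_time:   # claim 6: drop only this manager's rules configured before `now`
            t.rules = [r for r in t.rules if not (r.owner == mgr and r.ts < now)]
        else:         # claim 3: drop all of this manager's rules; other managers' rules stay
            t.rules = [r for r in t.rules if r.owner != mgr]
    for r in new_rules:   # append the new rules to their table, tagged with mgr and time
        tables.setdefault(r.table, Table(r.table)).rules.append(replace(r, owner=mgr, ts=now))
    target = serialize(tables)
    return None if target == baseline else target


def configure(read_config, apply_config, new_rules, mgr, now, lock_path, by_time=False) -> bool:
    """Claims 1, 5 and 7 end to end; returns True when a restore was issued."""
    with open(lock_path, "a") as lock:          # advisory lock file (assumed path) shared by all managers
        fcntl.flock(lock, fcntl.LOCK_EX)        # claim 7: lock before reading the store
        try:
            first = read_config()               # real host: subprocess.run(["iptables-save"], capture_output=True, text=True).stdout
            target = merge(first, new_rules, mgr, now, by_time)
            if target is None:
                return False                    # claim 5: configuration unchanged, the write is skipped
            apply_config(target)                # real host: subprocess.run(["iptables-restore"], input=target, text=True, check=True)
            return True
        finally:
            fcntl.flock(lock, fcntl.LOCK_UN)    # unlock only after the restore has completed


# Constructed iptables-save output: one unmanaged rule plus one rule from each of two managers.
SAMPLE_SAVE = """\
# Generated by iptables-save v1.8.7 on Thu Nov  2 10:00:00 2023
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.5/32 -p tcp -m tcp --dport 22 -m comment --comment "mgr=1001;ts=100" -j ACCEPT
-A INPUT -s 10.0.0.9/32 -p tcp -m tcp --dport 443 -m comment --comment "mgr=2002;ts=120" -j ACCEPT
COMMIT
"""
NEW_RULE = Rule("filter", "INPUT", "-s 10.0.0.6/32 -p tcp -m tcp --dport 22 -j ACCEPT")
LOCK_PATH = "/tmp/iptables-rules.lock"          # hypothetical lock file path

if __name__ == "__main__":
    print(merge(SAMPLE_SAVE, [NEW_RULE], mgr=1001, now=200), end="")
```

Three points worth checking before relying on such a scheme on a real host. The comparison of claim 5 only works on normalised text: iptables-save prefixes its output with "# Generated by ... on <date>" and ends it with "# Completed on <date>", so comparing the raw output with the serialised object would never find the two consistent and every call would issue a restore. The lock is advisory: it serialises only the managers that take it, while Docker, kube-proxy, firewalld or an administrator typing iptables write the same tables without it, and iptables-restore then replaces whole tables (the xtables lock behind iptables -w protects single commands, not this read-modify-write window). And in the configuration-time variant, a manager that re-applies an identical rule within the same clock second keeps the old copy (its time is not before the new one) and appends a second, as the by_time branch above reproduces; the process-identifier variant is idempotent.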
Application CN202311445405.1A (priority date 2023-11-02, filing date 2023-11-02): Rule configuration method and device, linux host and storage medium. Granted as CN117176475B; legal status Active.

Publications (2)

Publication Number Publication Date
CN117176475A (en) 2023-12-05
CN117176475B (en) 2024-02-27

Family

ID=88930123


Patent Citations (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1761252A (en) * 2005-11-03 2006-04-19 上海交通大学 Method for implementing experimental system of firewall under multiple user's remote concurrency control in large scale
CN102025735A (en) * 2010-12-08 2011-04-20 北京航空航天大学 Distributed network firewall system of Linux based on defense strategy
CN104601379A (en) * 2015-01-29 2015-05-06 太仓市同维电子有限公司 Method for saving traffic and surfing internet for passive optical network (PON) home gateway unit
US10887282B1 (en) * 2018-10-19 2021-01-05 Juniper Networks, Inc. Determining synchronization of filter rules (e.g., on iptable filter tables on Linux kernal) across firewall filter application restarts
US20200257810A1 (en) * 2019-02-11 2020-08-13 Red Hat, Inc. Tool for generating security policies for containers
CN111901060A (en) * 2019-12-26 2020-11-06 长扬科技(北京)有限公司 Method and terminal for supporting local time by iptables rule
US20210367842A1 (en) * 2020-05-25 2021-11-25 Orange Method for configuring a firewall equipment in a communication network, method for updating a configuration of a firewall equipment, and corresponding device, access equipment, firewall equipment and computer programs
CN113098851A (en) * 2021-03-25 2021-07-09 广州虎牙科技有限公司 Method, device, system, equipment and medium for implementing virtual firewall
CN114024717A (en) * 2021-10-09 2022-02-08 深圳市广和通无线股份有限公司 Application program flow control method, device, equipment and storage medium
WO2023065712A1 (en) * 2021-10-22 2023-04-27 中车株洲电力机车有限公司 Distributed train control network intrusion detection method, system, and storage medium
CN114221873A (en) * 2021-12-09 2022-03-22 建信金融科技有限责任公司 Data processing method, device and system based on Linux system
CN114374569A (en) * 2022-03-22 2022-04-19 北京指掌易科技有限公司 Message detection method and device, electronic equipment and storage medium
CN115941264A (en) * 2022-10-31 2023-04-07 深圳市众云网有限公司 Firewall management system based on network security
CN115756901A (en) * 2022-11-30 2023-03-07 沈阳尚源智慧科技有限公司 Business decision processing method and rule engine system thereof
CN116915852A (en) * 2023-09-13 2023-10-20 麒麟软件有限公司 Transparent proxy method and system for linux application program

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
吴文刚; 王庆生: "Research on the development of Linux packet-filtering firewall technology" (基于linux包过滤防火墙技术发展研究), 太原理工大学学报 (Journal of Taiyuan University of Technology), no. 1 *
夏栋梁; 刘建芳: "Building a firewall with Iptables on a Linux system" (Linux系统下使用Iptables构建防火墙), 计算机时代 (Computer Era), no. 04 *
朱立才; 杨寿保; 宋舜宏: "Netfilter/iptables firewall performance optimization scheme and implementation" (Netfilter/iptables防火墙性能优化方案与实现), 计算机工程与应用 (Computer Engineering and Applications), no. 15 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant