WO2016034122A1 - System and method for a CPE device to limit the number of public-network access users based on Linux (CPE设备基于Linux实现公网接入用户数限制的系统及方法) - Google Patents

Info

Publication number: WO2016034122A1
Application number: PCT/CN2015/088835
Authority: WO (WIPO, PCT)
Prior art keywords: public network, access, limit, address, lan
Other languages: English (en), French (fr), Chinese (zh)
Inventors: 李华敏, 屈兰, 乔美杰, 陈芳
Original assignee: 烽火通信科技股份有限公司
Priority date: 2014-09-05
Filing date: 2015-09-02
Publication date: 2016-03-10
Application filed by 烽火通信科技股份有限公司
Priority to RU2016146823A (patent RU2670789C9)
Publication of WO2016034122A1

Classifications

H: Electricity
H04: Electric communication technique
H04L: Transmission of digital information, e.g. telegraphic communication
H04L12/00: Data switching networks

Definitions

  • The present invention relates to the field of CPE (Customer Premises Equipment) and in particular to a Linux-based system and method by which a CPE device limits the number of users that access the public network.
  • CPE: Customer Premises Equipment.
  • Background: a CPE device is required to limit the number of terminals that access the public network at the same time. Existing implementations count Internet terminals by IPv4 (Internet Protocol version 4) private address, by IPv6 (Internet Protocol version 6) global address, or by MAC (physical) address, and can only limit the total number of users accessing the public network.
  • The purpose of the invention is to overcome this deficiency of the background art by providing a Linux-based system and method for limiting the number of public-network access users in a CPE device that combines two ways of limiting terminals: it can limit the maximum number of terminals simultaneously accessing the public network, and it can also limit the number of terminals of each device type that access it. This enriches the access-limiting function.
  • The present invention provides a system by which a CPE device implements a public-network access limit based on Linux. The system comprises a DHCP (Dynamic Host Configuration Protocol) module and a public-network user access limit module.
  • The DHCP module is configured to check the status information of the LAN-side (local area network) devices on every cycle and, before each check, to clear the rules previously installed in the FORWARD chain of iptables (the Linux IP packet filtering system) together with the information recorded by the previous check, so that every check is based solely on the current result.
  • The public-network user access limit module is configured as follows. If the access-limit function is disabled, the recorded blacklist and whitelist are cleared and the number of public-network users is not limited. If the function is enabled, the module obtains the IP addresses of the LAN-side devices and identifies each terminal's device type from DHCP Option 60 (the vendor class identifier).
  • The module performs offline detection through ARP (Address Resolution Protocol) for IPv4 or the Neighbor Discovery Protocol for IPv6 to determine whether a LAN-side device is online; each execution checks the IP address of only one LAN-side device. If the device is online, the user count for its device type is incremented by one and the blacklist and whitelist are updated. If the device is offline and a restriction rule for its IP address is present in the iptables FORWARD chain, that rule is cleared. If the device is offline and no restriction rule for its IP address exists in the FORWARD chain, an IP address is taken from the blacklist in reverse order, the restriction rule for that address is cleared, and the blacklist and whitelist are updated.
  • The module then determines whether the limit type is a total-device limit or a per-device-type limit. Under the total-device limit the device type is not distinguished: if the number of online users exceeds the public-network access limit N, a restriction rule for the device's IP address is added to the iptables FORWARD chain so that the device's requests toward the public network are blocked; otherwise no rule is added and the device's public-network access is not restricted. Any IP address that has a rule in the FORWARD chain but appears neither in the DHCP lease cache nor in the ARP table is cleared. After waiting the interval, the module obtains the LAN-side IP addresses again and continues to distinguish device types.
  • Under the per-device-type limit, if the number of access devices of a given type exceeds that type's limit, a restriction rule is added to the iptables FORWARD chain; otherwise no rule is added. IP addresses that have a rule in the FORWARD chain but are in neither the lease cache nor the ARP table are cleared. After waiting the interval, the module obtains the LAN-side IP addresses again and continues to distinguish device types.
  • N is a natural number.
  • The CPE device supports the following restriction policy: when a terminal is detected to have gone offline and fewer than N terminals are currently online, a new terminal is allowed to access the public network; if N terminals are still online, the CPE device rejects the new terminal's request to access the public network but still lets it obtain a private-network IP address and reach other terminals and devices on the LAN side.
  • The present invention also provides a method by which a CPE device implements a public-network access user limit based on Linux, comprising the following steps:
  • On every cycle the DHCP module clears the iptables FORWARD chain rules and the information recorded by the previous check, so that each check is based on the current result. If the public-network access limit function is disabled, the recorded blacklist and whitelist are cleared and no limit is applied.
  • Step S4: if the public-network access limit is enabled, obtain the IP addresses of the LAN-side devices, identify each terminal by DHCP Option 60 to distinguish its device type, and proceed to step S5.
  • Step S5: the public-network access limit module performs offline detection through ARP or the Neighbor Discovery Protocol to determine whether the LAN-side device is online; only one LAN-side IP address is checked per execution. If the device is online, go to step S6; otherwise go to step S7.
  • Step S6: the device is online, so increment the user count of its device type by one and proceed to step S8.
  • Step S7: the device is offline. If a restriction rule for its IP address is present in the iptables FORWARD chain, clear that rule. If no restriction rule for its IP address exists in the FORWARD chain, take an IP address from the blacklist in reverse order and clear that address's restriction rule. Proceed to step S8.
  • Step S8: update the blacklist and whitelist, then go to step S9.
  • Step S9: determine whether the limit type is the total-device limit or the per-device-type limit. For the total-device limit go to step S10; for the per-device-type limit go to step S11.
  • Step S10: if the number of online users exceeds the public-network access limit N, add a restriction rule for the device to the iptables FORWARD chain so that its requests to the public network are blocked; otherwise add no rule and leave the device's public-network access unrestricted. Go to step S12.
  • Step S11: if the number of access devices of the device's type exceeds that type's limit, add a restriction rule to the iptables FORWARD chain; otherwise add none. Go to step S12.
  • Step S12: wait the interval, then return to step S4.
  • N is a natural number.
  • The CPE device supports the following restriction policy: when a terminal is detected to have gone offline and fewer than N terminals are currently online, a new terminal is allowed to access the public network; if N terminals are still online, the CPE device rejects the new terminal's request to access the public network but still lets it obtain a private-network IP address and reach other terminals and devices on the LAN side.
  • The users counted by the CPE device are the current users holding an IP address dynamically allocated by the CPE device or a statically configured IP address; the CPE device counts the total number of users, and users beyond the user limit are restricted.
  • When a wireless access point (AP) is connected to the CPE device, the CPE device dynamically allocates an IP address to the AP, and the AP is counted as a current user for as long as it is online.
  • The device types recognised by the CPE device are personal computer (PC), set-top box, telephone, and camera.
  • Devices that send no Option 60, and devices whose Option 60 is not recognised, are treated by the CPE device as PCs by default.
  • The interval is 30 seconds.
  • The invention combines two ways of restricting the number of terminals that access the public network: (1) limiting the maximum number of terminals simultaneously accessing the public network, and (2) separately limiting the number of terminals of each type that access it, with an unrecognised device treated as a PC terminal. Compared with the existing function, which can only limit the total number of users accessing the public network, the invention can do both, which enriches the function of limiting public-network access.
  • Within the limit, the CPE device lets terminals access the Internet and satisfies the requirement on the number of users accessing the public network at the same time.
  • Once the limit is reached, the CPE device no longer admits new terminals to the Internet. The blacklist of users restricted from Internet access and the whitelist of users allowed to access it are updated dynamically, so that users receive safe, high-quality service where network-side resources permit.
  • FIG. 1 is a flowchart of a method for implementing a public network access user limit based on Linux in a CPE device according to an embodiment of the present invention.
  • The embodiment of the invention provides a Linux-based system for limiting the number of users accessing the public network through a CPE device, comprising a DHCP (Dynamic Host Configuration Protocol) module and a public-network access limit module.
  • DHCP: Dynamic Host Configuration Protocol.
  • The DHCP module clears the iptables (IP packet filtering system) FORWARD chain rules each time the LAN (Local Area Network) status information is checked, and clears the information recorded by the previous check, so that each check is based on the current result.
  • The public-network user access limit module works as follows. If the access-limit function is disabled, the recorded blacklist and whitelist are cleared and the number of public-network users is not limited. If it is enabled, the IP addresses of the LAN-side devices are obtained and each device is identified by DHCP Option 60 to distinguish its type; devices that send no Option 60, and devices whose Option 60 is not recognised, default to PC (Personal Computer).
  • The module performs offline detection through ARP (Address Resolution Protocol) or the Neighbor Discovery Protocol to determine whether a LAN-side device is online, checking only one LAN-side IP address per execution. If the device is online, the user count for its device type is incremented by one and the blacklist and whitelist are updated. If the device is offline and a restriction rule for its IP address is in the iptables FORWARD chain, that rule is cleared. If the device is offline and the FORWARD chain holds no restriction rule for its IP address, an IP address is taken from the blacklist in reverse order, its restriction rule is cleared, and the blacklist and whitelist are updated.
  • ARP: Address Resolution Protocol.
  • The limit type is either the total-device limit or the per-device-type limit. Under the total-device limit the device type is not distinguished: if the number of online users exceeds the public-network access limit N (N a natural number), a restriction rule is added to the iptables FORWARD chain and the device's requests to the public network are blocked; otherwise no rule is added and the device is not restricted. IP addresses that have a rule in the FORWARD chain but appear in neither the lease cache nor the ARP table are cleared. After the waiting interval (preferably 30 seconds), the LAN-side IP addresses are obtained again and device types continue to be distinguished.
  • Under the per-device-type limit, a restriction rule is added to the iptables FORWARD chain when the number of access devices of a type exceeds that type's limit; otherwise none is added. IP addresses that have a rule in the FORWARD chain but appear in neither the lease cache nor the ARP table are cleared. After the waiting interval (preferably 30 seconds), the LAN-side IP addresses are obtained again and device types continue to be distinguished.
  • The CPE device supports the following restriction policy: when a terminal goes offline and fewer than N terminals are currently online, a new terminal is allowed to access the public network; if N terminals are still online, the CPE device rejects the new terminal's request to access the public network but still lets it obtain a private-network IP address and reach other terminals and devices on the LAN side.
  • An embodiment of the present invention provides a method by which a CPE device implements a public-network access user limit based on Linux, comprising the following steps:
  • The DHCP module clears the iptables (IP packet filtering system) FORWARD chain rules on every cycle and clears the information recorded by the previous check, so that each check is based on the current result.
  • iptables: the Linux IP packet filtering system.
  • Step S4: if the public-network access limit is enabled, obtain the IP addresses of the LAN-side devices and identify each device by DHCP Option 60 to distinguish its type. A device that sends no Option 60, or whose Option 60 the CPE device does not recognise, defaults to PC (Personal Computer). The device types recognised by the CPE device are PC, STB (Set-Top Box), Phone, and Camera, so that public-network access can be restricted per device type. Go to step S5.
  • Step S5: the public-network user access limit module performs offline detection through ARP (Address Resolution Protocol) or the Neighbor Discovery Protocol to determine whether the LAN-side device is online; only one LAN-side IP address is checked per execution. If the device is online, go to step S6; otherwise go to step S7.
  • ARP: Address Resolution Protocol.
  • Step S6: the device is online, so increment the user count of its device type by one and proceed to step S8.
  • Step S7: the device is offline. If a restriction rule for its IP address is present in the iptables FORWARD chain, clear that rule. If the FORWARD chain holds no restriction rule for its IP address, take an IP address from the blacklist in reverse order and clear that address's restriction rule. Proceed to step S8.
  • Step S8: update the blacklist and whitelist, then go to step S9.
  • Step S9: determine whether the limit type is the total-device limit or the per-device-type limit. For the total-device limit go to step S10; for the per-device-type limit go to step S11.
  • Step S10: if the number of online users exceeds the public-network access limit N (N a natural number), add a restriction rule for the device to the iptables FORWARD chain so that its requests to the public network are blocked; otherwise add no rule and leave the device's public-network access unrestricted. Go to step S12.
  • Step S11: if the number of access devices of the device's type exceeds that type's limit, add a restriction rule to the iptables FORWARD chain; otherwise add none. Go to step S12.
  • The embodiment thus provides a Linux-based implementation that identifies terminals by DHCP Option 60, performs offline detection through ARP or the Neighbor Discovery Protocol, and enforces the Internet restriction by setting iptables rules in the Linux kernel.
  • CPE devices can distinguish device types through DHCP Option 60.
  • The embodiment combines the two configurations (total limit and per-type limit) and so enriches the function of separately limiting the number of public-network users.
  • The users counted by the CPE device are the current users holding an IP address dynamically assigned by the CPE device or a statically configured IP address. Under the total-user limit the CPE device counts all of them, and users beyond the limit are restricted. A wireless AP to which the CPE device dynamically allocates an IP address is counted as a current user for as long as it is online.
  • Under the total-user limit, whether a user device is a PC, a set-top box, or a camera, the total number of online users may not exceed the configured maximum. Once a restriction rule for an IP address is added to the iptables FORWARD chain, the kernel no longer forwards that IP's packets, so the user cannot access the Internet.
  • Under the per-type limit, public-network access is restricted according to the user limit of each device type: a restriction rule is added for each device beyond its type's limit, which stops that IP from accessing the Internet, and no rule is added for devices within the limit.
  • Step S12 (periodic check): the LAN-side devices are checked periodically. After the process has waited the interval, it returns to step S4 ("obtain the IP addresses of the LAN-side devices and distinguish the device types") and the above steps repeat. The recommended interval is 30 seconds, i.e. a 30-second cycle.
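The following Python is an added worked example, not code from the patent or its assignee. It carries the procedure described in the system and method above (Option 60 classification, ARP-based online detection, a total or per-type limit, and iptables FORWARD rules rebuilt on every cycle) through one check cycle on constructed input. The DHCP packet bytes, lease entries, /proc/net/arp lines, the `cpe_limit` chain name, the `br0` interface and the vendor-class keyword table are assumptions; the patent specifies none of them.

```python
"""Added example (not the patent's code): CPE public-network access limiting.
Parses DHCP Option 60 from a constructed DHCPDISCOVER, classifies the device,
reads online state from a /proc/net/arp snapshot, applies a total or per-type
limit and emits iptables FORWARD rules. Packet bytes, leases, ARP lines,
chain name and vendor-class keywords are all assumptions."""
import struct
from typing import Dict, List, Optional, Set, Tuple

DHCP_MAGIC = b"\x63\x82\x53\x63"  # RFC 2131 cookie after the 236-byte header
OPT_PAD, OPT_MSG_TYPE, OPT_VENDOR_CLASS, OPT_END = 0, 53, 60, 255
TYPE_KEYWORDS = {  # assumed; the patent names the types, not the Option 60 strings
    "stb": (b"STB",), "phone": (b"PHONE", b"VOIP"), "camera": (b"CAMERA", b"IPC")}

def parse_dhcp_options(packet: bytes) -> Dict[int, bytes]:
    """{code: value} from the options field; PAD has no length byte, END stops.
    The field is client-controlled: a length running past the buffer is an error."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    opts: Dict[int, bytes] = {}
    i = 240
    while i < len(packet) and packet[i] != OPT_END:
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts

def build_dhcp_discover(mac: bytes, vendor_class: Optional[bytes]) -> bytes:
    """Minimal BOOTREQUEST/DHCPDISCOVER, used only as constructed input."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x1234, 0,
                      0x8000, b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([OPT_MSG_TYPE, 1, 1])  # message type 1 = DHCPDISCOVER
    if vendor_class is not None:
        opts += bytes([OPT_VENDOR_CLASS, len(vendor_class)]) + vendor_class
    return hdr + DHCP_MAGIC + opts + bytes([OPT_END])

def classify(vendor_class: Optional[bytes]) -> str:
    """Option 60 -> device type; absent or unknown -> 'pc' (patent default).
    The client asserts Option 60, so this is a hint, not an identity."""
    text = (vendor_class or b"").upper()
    for dev_type, keys in TYPE_KEYWORDS.items():
        if any(k in text for k in keys):
            return dev_type
    return "pc"

def online_ips(proc_net_arp: str) -> Set[str]:
    """IPs whose /proc/net/arp entry is complete (flags & ATF_COM 0x2)."""
    rows = (line.split() for line in proc_net_arp.splitlines()[1:])
    return {f[0] for f in rows if len(f) >= 4 and int(f[2], 16) & 0x2}

def compute_rules(leases: List[Tuple[str, str]], proc_net_arp: str,
                  total_limit: Optional[int] = None,
                  type_limits: Optional[Dict[str, int]] = None,
                  chain: str = "cpe_limit"):
    """One check cycle: rebuild the lists from scratch and return
    (whitelist, blacklist, iptables commands). leases is [(ip, type)] in lease
    order, so earlier terminals keep their slot. Only FORWARD is filtered: a
    blacklisted terminal keeps its lease and still reaches the LAN."""
    type_limits = type_limits or {}
    online = online_ips(proc_net_arp)
    counts: Dict[str, int] = {}
    whitelist, blacklist = [], []
    for ip, dev_type in leases:
        if ip not in online:
            continue  # offline: not counted, and its old rule is not re-added
        if total_limit is not None:
            over = sum(counts.values()) >= total_limit
        else:  # a type with no configured limit is unlimited (assumption)
            limit = type_limits.get(dev_type)
            over = limit is not None and counts.get(dev_type, 0) >= limit
        if over:
            blacklist.append(ip)
        else:
            counts[dev_type] = counts.get(dev_type, 0) + 1
            whitelist.append(ip)
    cmds = ["iptables -F %s" % chain]  # clear last cycle's rules, as the patent does
    cmds += ["iptables -A %s -s %s -j DROP" % (chain, ip) for ip in blacklist]
    return whitelist, blacklist, cmds

# Constructed /proc/net/arp snapshot; .13 is incomplete (flags 0x0): offline.
SAMPLE_ARP = """IP address  HW type  Flags  HW address  Mask  Device
192.168.1.10  0x1  0x2  02:00:00:00:00:10  *  br0
192.168.1.11  0x1  0x2  02:00:00:00:00:11  *  br0
192.168.1.12  0x1  0x2  02:00:00:00:00:12  *  br0
192.168.1.13  0x1  0x0  00:00:00:00:00:00  *  br0
"""
SAMPLE_LEASES = [("192.168.1.10", "pc"), ("192.168.1.11", "pc"),
                 ("192.168.1.12", "stb"), ("192.168.1.13", "pc")]

if __name__ == "__main__":
    pkt = build_dhcp_discover(b"\x02\0\0\0\0\x12", b"EXAMPLE-STB")
    print(classify(parse_dhcp_options(pkt).get(OPT_VENDOR_CLASS)))  # stb
    print(compute_rules(SAMPLE_LEASES, SAMPLE_ARP, total_limit=2)[2])
```

The `cpe_limit` chain is assumed to have been created once and jumped to from the FORWARD chain (`iptables -N cpe_limit` followed by `iptables -I FORWARD -i br0 -j cpe_limit`); the commands returned each cycle only rebuild it. Two caveats a practitioner would weigh against this design: Option 60 is asserted by the client, so the per-type limit only sorts cooperative devices and a terminal presenting another vendor class takes that type's slot; and flushing then re-adding rules leaves a moment on every cycle with no restriction installed, which loading the rebuilt chain atomically with iptables-restore avoids.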

PCT/CN2015/088835 | priority 2014-09-05 | filed 2015-09-02 | System and method for a CPE device to limit the number of public-network access users based on Linux | WO2016034122A1 (zh)

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
RU2016146823A (RU2670789C9, ru) | 2014-09-05 | 2015-09-02 | System and method for limiting the number of users connected to a public network by means of Linux-based CPE equipment

Applications Claiming Priority (2)

Application Number | Priority Date | Filing Date | Title
CN201410452825.7 | 2014-09-05 | |
CN201410452825.7A (CN104270325B, zh) | 2014-09-05 | 2014-09-05 | System and method for a CPE device to limit the number of public-network access users based on Linux

Publications (1)

Publication Number | Publication Date
WO2016034122A1 (zh) | 2016-03-10

Family

ID=52161817

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
PCT/CN2015/088835 (WO2016034122A1, zh) | System and method for a CPE device to limit the number of public-network access users based on Linux | 2014-09-05 | 2015-09-02

Country Status (3)

CN (1): CN104270325B
RU (1): RU2670789C9
WO (1): WO2016034122A1

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN115189909A (zh) * | 2022-05-24 | 2022-10-14 | 浙江远望信息股份有限公司 | Protection method against unauthorised Internet connection behaviour based on changes in the network environment
CN117350728A (zh) * | 2023-12-05 | 2024-01-05 | 山东恒宇电子有限公司 | Linux whitelist-based method and system for supplementary registration and recharging of IC cards on on-board units

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN104270325B (zh) * | 2014-09-05 | 2017-08-01 | 烽火通信科技股份有限公司 | System and method for a CPE device to limit the number of public-network access users based on Linux
CN107465529B (zh) * | 2016-06-06 | 2022-07-12 | 中兴通讯股份有限公司 | Customer premises equipment management method and system, and auto-configuration server
CN108271182B (zh) * | 2016-12-30 | 2021-05-07 | 华为技术服务有限公司 | Method, apparatus and system for determining the number of CPEs
CN111614970A (zh) * | 2020-05-20 | 2020-09-01 | 广东九联科技股份有限公司 | Method and system for controlling terminal access to live-streaming resources
CN112751762A (zh) * | 2020-12-31 | 2021-05-04 | 荆门汇易佳信息科技有限公司 | Automated outbound route-selection platform for multi-operator network link load

Citations (5)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN101729405A (zh) * | 2008-10-29 | 2010-06-09 | 阿尔卡特朗讯公司 | Self-configuration of forwarding tables in an access node
CN101958826A (zh) * | 2009-07-20 | 2011-01-26 | 北大方正集团有限公司 | Method and device for multiple non-contiguous IP addresses under the same account to share the same bandwidth
CN102480476A (zh) * | 2010-11-30 | 2012-05-30 | 上海博路信息技术有限公司 | Multi-service access method based on a DHCP protocol extension
CN103957142A (zh) * | 2014-04-11 | 2014-07-30 | 烽火通信科技股份有限公司 | System, method and device for implementing triple-play convergence in a PON system
CN104270325A (zh) * | 2014-09-05 | 2015-01-07 | 烽火通信科技股份有限公司 | System and method for a CPE device to limit the number of public-network access users based on Linux

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN103685285B (zh) * | 2013-12-18 | 2017-12-22 | 上海斐讯数据通信技术有限公司 | Method for limiting the number of terminals in routing mode


Also Published As

Publication number | Publication date
RU2016146823A3 (ru) | 2018-10-05
RU2016146823A (ru) | 2018-10-05
CN104270325A (zh) | 2015-01-07
CN104270325B (zh) | 2017-08-01
RU2670789C2 (ru) | 2018-10-25
RU2670789C9 (ru) | 2018-11-23


Legal Events

Code | Title | Description
121 | Ep: the EPO has been informed by WIPO that EP was designated in this application | Ref document number: 15838156; Country of ref document: EP; Kind code of ref document: A1
NENP | Non-entry into the national phase | Ref country code: DE
ENP | Entry into the national phase | Ref document number: 2016146823; Country of ref document: RU; Kind code of ref document: A
122 | Ep: PCT application non-entry in European phase | Ref document number: 15838156; Country of ref document: EP; Kind code of ref document: A1