WO2020113817A1 - A network isolation method and device based on a user-mode protocol stack - Google Patents

A network isolation method and device based on a user-mode protocol stack

Info

Publication number
WO2020113817A1
Authority
WO
WIPO (PCT)
Prior art keywords
protocol stack
network
space
user mode
business
Prior art date
Application number
PCT/CN2019/074459
Other languages
English (en)
French (fr)
Inventor
程杜勇
Original Assignee
网宿科技股份有限公司
Priority date
Filing date
Publication date
Application filed by 网宿科技股份有限公司
Priority to EP19893260.0A (EP3893451A4)
Priority to US17/288,978 (US20210392091A1)
Publication of WO2020113817A1

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/606 Protecting data by securing the transmission between two devices or processes
    • G06F12/1072 Decentralised address translation, e.g. in distributed shared memory systems
    • G06F12/109 Address translation for multiple virtual address spaces, e.g. segmentation
    • G06F12/145 Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights, the protection being virtual, e.g. for virtual blocks or segments before a translation mechanism
    • G06F12/1491 Protection against unauthorised use of memory or access to memory by checking the subject access rights in a hierarchical protection system, e.g. privilege levels, memory rings
    • G06F12/0284 Multiple user address space allocation, e.g. using different base addresses
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow; by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F2212/1032 Providing a specific technical effect: reliability improvement, data loss prevention, degraded operation etc.
    • G06F2212/1041 Providing a specific technical effect: resource optimization
    • G06F2212/1052 Providing a specific technical effect: security improvement
    • G06F2212/154 Use in a specific computing environment: networked environment
    • G06F2212/174 Embedded application: telecommunications system
    • G06F2212/657 Details of virtual memory and virtual address translation: virtual address space management
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L49/901 Buffering arrangements using storage descriptor, e.g. read or write pointers
    • H04L49/30 Peripheral units, e.g. input or output ports
    • H04L49/9068 Intermediate storage in different physical parts of a node or terminal, in the network interface card
    • H04L63/0272 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls: virtual private networks
    • H04L69/162 Implementation details of TCP/IP or UDP/IP stack architecture; specification of modified or new header fields, involving adaptations of sockets based mechanisms
    • H04L69/32 Architecture of open systems interconnection [OSI] 7-layer type protocol stacks, e.g. the interfaces between the data link level and the physical level

Definitions

  • the invention relates to the technical field of network communication, and in particular to a network isolation method and device based on a user-mode protocol stack.
  • network isolation technology inside a network device receives business data through different network cards on the device and stores the business data in different network isolation spaces for processing. Because the network isolation spaces are completely isolated from one another, the business programs in each isolated space do not interfere with each other, so that stable concurrency of business programs can be achieved and data security during business processing is ensured.
  • the Linux system provides a kernel-level environment isolation method based on the Namespace mechanism.
  • the Network Namespace can be used to achieve the above-mentioned network isolation effect within the network device.
  • each network namespace can be understood as a copy of the network protocol stack that provides an independent network environment; like an independent system, it has its own routing tables, neighbour tables, Netfilter tables, network sockets and other network resources.
  • embodiments of the present invention provide a network isolation method and device based on a user mode protocol stack.
  • the technical solution is as follows:
  • a network isolation method based on a user mode protocol stack including:
  • a plurality of user-space protocol stack network isolation spaces with independent protocol stack private entries are set based on the user-space protocol stack;
  • data processing is performed on the business data through the protocol stack private entry of the user space protocol stack network isolation space corresponding to the network card.
  • data processing of the service data through the protocol stack private entry of the user space protocol stack network isolation space corresponding to the network card includes:
  • the business data obtained after processing by the protocol stack is provided to the business program, and business processing is performed on the business data based on the business program.
  • the performing business processing on the business data based on the business program includes:
  • the method further includes:
  • the service program configuration file corresponding to the target user mode protocol stack network isolated space is managed in a shared memory manner.
  • the method further includes:
  • the corresponding target user mode protocol stack network isolation space is specified through the isolation space pointer of the socket structure of the target socket;
  • the method further includes:
  • the protocol stack private entries of the user-space protocol stack network isolated space corresponding to the target space identifier are managed in a shared memory manner.
  • a network isolation device based on a user mode protocol stack includes:
  • the transformation module is used to add, at the bottom-layer network card interface of the user-mode protocol stack, an isolation space pointer for binding a network isolation space for each network card;
  • a setting module configured to set a plurality of user-space protocol stack network isolation spaces with independent protocol-stack private entries based on the user-space protocol stack when the business program is initialized;
  • the binding module is used to designate a corresponding user mode protocol stack network isolation space for each network card through the isolation space pointer of each network card;
  • the processing module is configured to process the service data received from any network card through the protocol stack private entry of the user space protocol stack network isolation space corresponding to the network card.
  • processing module is specifically used for:
  • the business data obtained after processing by the protocol stack is provided to the business program, and business processing is performed on the business data based on the business program.
  • processing module is specifically used for:
  • the device further includes:
  • the loading module is used to load the isolated space management tool added with the space identifier of the network isolated space of the target user mode protocol stack;
  • the management module is used to manage the business program configuration file corresponding to the target user mode protocol stack network isolation space through the isolated space management tool in a shared memory manner.
  • the transformation module is further used to add an isolation space pointer for binding a network isolation space to the socket structure of the user mode protocol stack;
  • the binding module is also used to specify the corresponding target user mode protocol stack network isolation space through the isolation space pointer of the socket structure of the target socket when the business program creates the target socket;
  • the processing module is further configured to perform data processing on the business data through the protocol stack private entry of the target user mode protocol stack network isolation space for the business data generated when the target socket is called.
  • the device further includes:
  • the loading module is used to load the isolated space management tool added with the target space identification
  • the management module is used to manage the protocol stack private entries of the user-space protocol stack network isolation space corresponding to the target space identifier by using the isolated space management tool in a shared memory manner.
  • in a third aspect, a network device includes a processor and a memory.
  • the memory stores at least one instruction, at least one program, code set, or instruction set.
  • the at least one instruction, the at least one program, the code set or the instruction set is loaded and executed by the processor to implement the network isolation method based on the user-mode protocol stack as described in the first aspect.
  • a computer-readable storage medium stores at least one instruction, at least one program, code set or instruction set; the at least one instruction, the at least one program, the code set or the instruction set is loaded and executed by a processor to implement the network isolation method based on the user-mode protocol stack as described in the first aspect.
  • an isolation space pointer for binding a network isolation space is added for each network card; when a business program is initialized, multiple user-mode protocol stack network isolation spaces with independent protocol stack private entries are set based on the user-mode protocol stack.
  • through the isolation space pointer, the association between the network card and the user-mode protocol stack network isolation space is established, so that the business data received by different network cards is processed using the independent protocol stack private entries of different user-mode protocol stack network isolation spaces, without interfering with each other, achieving network isolation based on the user-mode protocol stack.
  • FIG. 1 is a flowchart of a network isolation method based on a user mode protocol stack provided by an embodiment of the present invention
  • FIG. 2 is a schematic structural diagram of a network isolation device based on a user mode protocol stack according to an embodiment of the present invention
  • FIG. 3 is a schematic structural diagram of a network device according to an embodiment of the present invention.
  • an embodiment of the present invention provides a network isolation method based on a user-mode protocol stack.
  • the execution subject of the method may be any network device capable of running a business program, which may be understood specifically as a back-end server of a service provider.
  • a user-mode protocol stack may be set on the network device to replace the kernel-mode protocol stack for processing the business data to be sent and received.
  • the network device can run business programs based on the user-mode protocol stack, such as nginx, haproxy, http, etc. These business programs run in user space, and their high-performance and high-concurrency demands can be met through the user-mode protocol stack and the corresponding network isolation technology.
  • the network device may include a processor, a memory, and a transceiver.
  • the processor may be used to perform the network isolation processing based on the user-mode protocol stack in the following process, the memory may be used to store the data required for and generated in the following process, and the transceiver may be used to receive and send the relevant data in the following process.
  • Step 101: at the bottom-layer network card interface of the user-mode protocol stack, add an isolation space pointer for binding a network isolation space for each network card.
  • the user-mode protocol stack needs to be transformed first. Specifically, the bottom-layer network card interface of the user-mode protocol stack is determined, and then, at that interface, an isolation space pointer for binding a network isolation space is added for each network card.
  • the isolation space pointer can be used to bind each network card to a specific network isolation space.
  • the processing in this step may be carried out by a technician on the network device side controlling the network device, or may be completed by the network device based on a preset user-mode protocol stack modification program.
  • Step 102: when the business program is initialized, a plurality of user-mode protocol stack network isolation spaces with independent protocol stack private entries are set based on the user-mode protocol stack.
  • the business program installed on the network device is initialized when it is first started or when it is restarted after a fault.
  • the network device can load the protocol stack configuration file of the business program, call the user-mode protocol stack, and create the specified number of user-mode protocol stack network isolation spaces (the number is set in the protocol stack configuration file).
  • the protocol stack network isolation spaces all have independent protocol stack private entries, that is, the protocol stack private entries of each user-mode protocol stack network isolation space are independent of the protocol stack private entries of the other user-mode protocol stack network isolation spaces.
  • the protocol stack private entries can include the IP address table, routing table, socket table, connection tracking table and other network parameter table entries that the user-mode protocol stack needs to call when performing data processing on the business data.
  • Step 103: specify a corresponding user-mode protocol stack network isolation space for each network card through the isolation space pointer of each network card.
  • when the business program is initialized, after the network device has set up multiple user-mode protocol stack network isolation spaces, it can also, based on the protocol stack configuration file of the business program, specify a corresponding user-mode protocol stack network isolation space for each network card through the isolation space pointer of that card, that is, set the isolation space pointer of each network card to point to one user-mode protocol stack network isolation space.
  • one network card can correspond to only one user-mode protocol stack network isolation space, while one user-mode protocol stack network isolation space can correspond to multiple network cards.
  • the specific correspondence between network cards and user-mode protocol stack network isolation spaces is set in the above protocol stack configuration file.
  • Step 104: for the business data received from any network card, perform data processing on the business data through the protocol stack private entries of the user-mode protocol stack network isolation space corresponding to that network card.
  • the network device can receive the business data of the business program from a network card. For the received business data, the network device first determines the network card that received it, then finds the user-mode protocol stack network isolation space corresponding to that card, and then uses the user-mode protocol stack and the business program to process the business data through the protocol stack private entries of that isolation space.
  • the business data can first be processed by the protocol stack through the user-mode protocol stack, and then handed over to the business program for business processing.
  • the processing in step 104 can be as follows:
  • the target user-mode protocol stack network isolation space is determined according to the isolation space pointer of the target network card;
  • the business data obtained after processing by the protocol stack is provided to the business program, and business processing is performed on the business data based on the business program.
  • after the network device has specified a user-mode protocol stack network isolation space for each network card, during the operation of the business program, when the network device receives business data from the target network card, it can determine the target user-mode protocol stack network isolation space based on the isolation space pointer of the target network card. After that, while using the user-mode protocol stack to perform protocol stack processing on the business data, whenever a specific network parameter entry is needed, the network device can call the protocol stack private entry of the target user-mode protocol stack network isolation space and use it to continue the protocol stack processing of the business data.
  • the network device may then provide the business data obtained from the protocol stack processing to the business program and perform business processing on it based on the business program.
  • the protocol stack processing of multiple user-mode protocol stack network isolation spaces can be divided into public protocol stack processing and the private protocol stack processing of each user-mode protocol stack network isolation space; both the public and the private protocol stack processing can be implemented by the same user-mode protocol stack.
  • the private protocol stack processing is implemented specifically by calling different protocol stack private entries.
  • the network device therefore does not need to create multiple instances of the user-mode protocol stack, which saves system resources and reduces the management complexity of the user-mode protocol stack.
  • the business processing corresponding to the network isolation spaces of different user-mode protocol stacks can also differ.
  • the business processing of the business data can be as follows: determine the business processing logic of the business program configuration file corresponding to the target user-mode protocol stack network isolation space, and perform business processing on the business data based on the business program according to that business processing logic.
  • the network device can determine the business processing logic of the business program configuration file corresponding to the target user-mode protocol stack network isolation space, and then execute that business processing logic through the business program, so as to realize the business processing of the business data.
  • before running the business program, the business program also needs to be modified so that it can use the network isolation technology.
  • multiple business program configuration files can be created, each corresponding to one user-mode protocol stack network isolation space; the business processing, program attribute configuration and program startup parameters in different business program configuration files are all isolated from each other and do not interfere with each other.
  • when the business program is initialized, it can load all business program configuration files and store the business processing logic of each, so that when business processing corresponding to the network isolation spaces of different user-mode protocol stacks needs to be performed, the same business program carries it out according to different business processing logic.
  • the network device does not need to start an independent business program for each user-mode protocol stack network isolation space, which saves system resources and reduces the management complexity of the business program.
  • the business program configuration file can be managed by the isolated space management tool.
  • the corresponding processing can be as follows: load the isolated space management tool to which the space identifier of the target user-mode protocol stack network isolation space has been added; through the isolated space management tool, manage the business program configuration file corresponding to the target user-mode protocol stack network isolation space in a shared memory manner.
  • the existing isolation space management tool applicable to the Linux kernel-level network isolation technology can be modified, that is, a parameter for the space identifier of the user-mode protocol stack network isolation space is added to the isolation space management tool.
  • the network device can load the isolated space management tool to which the space identifier of the target user-mode protocol stack network isolation space has been added, and then use shared memory to realize communication between the isolated space management tool and the business program, so that the business program configuration file corresponding to the target user-mode protocol stack network isolation space can be managed.
  • the network isolation technology based on the user-mode protocol stack can also be implemented through transformation of the socket structure.
  • the corresponding processing can be as follows: for the socket structure of the user-mode protocol stack, add an isolation space pointer for binding a network isolation space; when the business program creates the target socket, specify the corresponding target user-mode protocol stack network isolation space through the isolation space pointer of the socket structure of the target socket; for the business data generated when the target socket is called, perform data processing on the business data through the protocol stack private entries of the target user-mode protocol stack network isolation space.
  • the socket structure of the user-mode protocol stack can be modified in advance, that is, an isolation space pointer for binding a network isolation space is added to the socket structure, and this pointer can be used to bind the connection operation to a specific network isolation space.
  • the network device can perform data processing on the business data through the protocol stack private entries of the target user-mode protocol stack network isolation space. Specifically, after the business program generates business data that needs to be sent as a message, the business data can be delivered to the user-mode protocol stack for protocol stack processing by calling the created target socket.
  • the network device can determine the corresponding target user-mode protocol stack network isolation space according to the target socket, then call the protocol stack private entries of that isolation space to perform the relevant protocol stack processing, and finally encapsulate the business data into a message and send it through the network card corresponding to the target user-mode protocol stack network isolation space, so that network isolation is also achieved when sending business data.
  • the protocol stack private entries of a user-mode protocol stack network isolation space can be managed by the isolated space management tool.
  • the corresponding processing can be as follows: load the isolated space management tool to which the target space identifier has been added; through the isolated space management tool, manage the protocol stack private entries of the user-mode protocol stack network isolation space corresponding to the target space identifier in a shared memory manner.
  • the existing isolation space management tools applicable to the Linux kernel-level network isolation technology (such as ifconfig, ip and other tools) can be transformed, that is, a parameter for the space identifier of the user-mode protocol stack network isolation space is added to the isolation space management tool.
  • the network device can load the isolated space management tool to which the target space identifier has been added, and then use the isolated space management tool to communicate with the user-mode protocol stack network isolation space corresponding to the target space identifier, so that the protocol stack private entries of that isolation space can be managed.
  • an isolation space pointer for binding a network isolation space is added for each network card; when a business program is initialized, multiple user-mode protocol stack network isolation spaces with independent protocol stack private entries are set based on the user-mode protocol stack.
  • in this way, through the isolation space pointer, the association between the network card and the user-mode protocol stack network isolation space is established, so that the business data received by different network cards is processed using different user-mode protocol stack network isolation spaces, without interfering with each other, achieving network isolation based on the user-mode protocol stack.
  • an embodiment of the present invention also provides a network isolation device based on a user-mode protocol stack. As shown in FIG. 2, the device includes:
  • the transformation module 201, configured to add, at the bottom-layer network card interface of the user-mode protocol stack, an isolation space pointer for binding a network isolation space to each network card;
  • the setting module 202, configured to set up, when the business program is initialized and based on the user-mode protocol stack, a plurality of user-mode protocol stack network isolation spaces each having independent protocol stack private table entries;
  • the binding module 203, configured to designate for each network card, through the isolation space pointer of that network card, one corresponding user-mode protocol stack network isolation space;
  • the processing module 204, configured to process business data received from any network card through the protocol stack private table entries of the user-mode protocol stack network isolation space corresponding to that network card.
  • the processing module 204 is specifically configured to: determine, when business data is received from a target network card, the target user-mode protocol stack network isolation space from the isolation space pointer of that card; invoke the protocol stack private table entries of the target space and perform protocol stack processing on the business data based on the user-mode protocol stack; and provide the business data obtained after protocol stack processing to the business program, which performs business processing on it.
  • the processing module 204 is further specifically configured to determine the business processing logic of the business program configuration file corresponding to the target user-mode protocol stack network isolation space and to perform business processing on the business data, based on the business program, according to that business processing logic.
  • the device further includes:
  • a loading module, configured to load an isolation space management tool to which the space identifier of the target user-mode protocol stack network isolation space has been added;
  • a management module, configured to manage, through the isolation space management tool and by way of shared memory, the business program configuration file corresponding to the target user-mode protocol stack network isolation space.
  • the transformation module 201 is further configured to add to the socket structure of the user-mode protocol stack an isolation space pointer for binding a network isolation space;
  • the binding module 203 is further configured to designate, when the business program creates a target socket, the corresponding target user-mode protocol stack network isolation space through the isolation space pointer of the socket structure of the target socket;
  • the processing module 204 is further configured to process business data generated when the target socket is invoked through the protocol stack private table entries of the target user-mode protocol stack network isolation space.
  • the device further includes:
  • a loading module, configured to load an isolation space management tool to which a target space identifier has been added;
  • a management module, configured to manage, through the isolation space management tool and by way of shared memory, the protocol stack private table entries of the user-mode protocol stack network isolation space corresponding to the target space identifier.
  • at the bottom-layer network card interface of the user-mode protocol stack, an isolation space pointer for binding a network isolation space is added to each network card; when a business program is initialized, multiple user-mode protocol stack network isolation spaces each having independent protocol stack private table entries are set up based on the user-mode protocol stack; each network card is bound to one such space through its isolation space pointer; and business data received from any network card is processed through the protocol stack private table entries of that card's space.
  • in this way the isolation space pointer establishes the association between a network card and a user-mode protocol stack network isolation space, so that business data received by different network cards is processed with the independent protocol stack private table entries of different user-mode protocol stack network isolation spaces, without mutual interference, which achieves network isolation based on a user-mode protocol stack.
  • when the network isolation device based on a user-mode protocol stack provided by the above embodiment performs network isolation, the division into the functional modules described above is only an example.
  • in practical application the above functions may be assigned to different functional modules as needed, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the functions described above.
  • the network isolation device based on a user-mode protocol stack provided by the above embodiment and the embodiment of the network isolation method based on a user-mode protocol stack belong to the same concept; for the specific implementation process refer to the method embodiment, which is not repeated here.
  • the network device 300 may vary considerably depending on configuration or performance, and may include one or more central processing units 322 (for example, one or more processors), a memory 332, and one or more storage media 330 (for example, one or more mass storage devices) storing application programs 342 or data 344.
  • the memory 332 and the storage medium 330 may be short-term storage or persistent storage.
  • the program stored in the storage medium 330 may include one or more modules (not shown in the figure), and each module may include a series of instruction operations on the network device 300.
  • the central processor 322 may be configured to communicate with the storage medium 330 and execute a series of instruction operations in the storage medium 330 on the network device 300.
  • the network device 300 may also include one or more power supplies 326, one or more wired or wireless network interfaces 350, one or more input and output interfaces 358, one or more keyboards 356, and/or, one or more operating systems 341, such as Windows Server, Mac OS X, Unix, Linux, FreeBSD, etc.
  • the network device 300 may include a memory and one or more programs, the one or more programs being stored in the memory and configured to be executed by one or more processors, and containing instructions for performing the network isolation based on a user-mode protocol stack described above.
  • the program may be stored in a computer-readable storage medium.
  • the mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Computer And Data Communications (AREA)
  • Telephonic Communication Services (AREA)
  • Communication Control (AREA)

Abstract

The invention discloses a network isolation method and device based on a user-mode protocol stack, belonging to the field of network communication technology. The method includes: at the bottom-layer network card interface of the user-mode protocol stack, adding to each network card an isolation space pointer for binding a network isolation space; when a business program is initialized, setting up, based on the user-mode protocol stack, multiple user-mode protocol stack network isolation spaces each having independent protocol stack private table entries; designating for each network card, through its isolation space pointer, one corresponding user-mode protocol stack network isolation space; and, for business data received from any network card, processing the business data through the protocol stack private table entries of the user-mode protocol stack network isolation space corresponding to that network card. With the invention, network isolation can be achieved for business programs based on a user-mode protocol stack.

Description

Network isolation method and device based on a user-mode protocol stack. Technical field
The present invention relates to the field of network communication technology, and in particular to a network isolation method and device based on a user-mode protocol stack.
Background
Network isolation inside a network device is a technique in which business data is received through different network cards of the device and placed in different network isolation spaces for processing. Because the network isolation spaces are completely isolated from one another, the business programs in each space do not interfere with each other, which allows business programs to run concurrently in a stable manner and keeps data safe during business processing.
Linux provides a kernel-level environment isolation mechanism based on namespaces, in which the network namespace can be used to obtain the network isolation effect described above. Logically, each network namespace can be understood as a copy of the network protocol stack that provides an independent network environment: like a standalone system it has its own routing table, neighbour table, Netfilter tables, network sockets and other network resources.
The inventor has found that the prior art has at least the following problem:
In recent years more and more business programs run on top of a user-mode protocol stack. Because a user-mode protocol stack is deployed in user space, the existing kernel-based network isolation technique cannot be applied directly to business programs that use a user-mode protocol stack.
Summary of the invention
To solve the problem in the prior art, embodiments of the present invention provide a network isolation method and device based on a user-mode protocol stack. The technical solution is as follows:
In a first aspect, a network isolation method based on a user-mode protocol stack is provided, the method including:
at the bottom-layer network card interface of the user-mode protocol stack, adding to each network card an isolation space pointer for binding a network isolation space;
when a business program is initialized, setting up, based on the user-mode protocol stack, multiple user-mode protocol stack network isolation spaces each having independent protocol stack private table entries;
designating for each network card, through the isolation space pointer of that network card, one corresponding user-mode protocol stack network isolation space;
for business data received from any network card, processing the business data through the protocol stack private table entries of the user-mode protocol stack network isolation space corresponding to that network card.
Optionally, processing the business data received from any network card through the protocol stack private table entries of the user-mode protocol stack network isolation space corresponding to that network card includes:
when business data is received from a target network card, determining a target user-mode protocol stack network isolation space according to the isolation space pointer of the target network card;
invoking the protocol stack private table entries of the target user-mode protocol stack network isolation space and performing protocol stack processing on the business data based on the user-mode protocol stack;
providing the business data obtained after protocol stack processing to the business program and performing business processing on the business data based on the business program.
Optionally, performing business processing on the business data based on the business program includes:
determining the business processing logic of the business program configuration file corresponding to the target user-mode protocol stack network isolation space, and performing business processing on the business data based on the business program according to that business processing logic.
Optionally, the method further includes:
loading an isolation space management tool to which the space identifier of the target user-mode protocol stack network isolation space has been added;
managing, through the isolation space management tool and by way of shared memory, the business program configuration file corresponding to the target user-mode protocol stack network isolation space.
Optionally, the method further includes:
adding to the socket structure of the user-mode protocol stack an isolation space pointer for binding a network isolation space;
when the business program creates a target socket, designating the corresponding target user-mode protocol stack network isolation space through the isolation space pointer of the socket structure of the target socket;
for business data generated when the target socket is invoked, processing the business data through the protocol stack private table entries of the target user-mode protocol stack network isolation space.
Optionally, the method further includes:
loading an isolation space management tool to which a target space identifier has been added;
managing, through the isolation space management tool and by way of shared memory, the protocol stack private table entries of the user-mode protocol stack network isolation space corresponding to the target space identifier.
In a second aspect, a network isolation device based on a user-mode protocol stack is provided, the device including:
a transformation module, configured to add, at the bottom-layer network card interface of the user-mode protocol stack, an isolation space pointer for binding a network isolation space to each network card;
a setting module, configured to set up, when a business program is initialized and based on the user-mode protocol stack, multiple user-mode protocol stack network isolation spaces each having independent protocol stack private table entries;
a binding module, configured to designate for each network card, through the isolation space pointer of that network card, one corresponding user-mode protocol stack network isolation space;
a processing module, configured to process business data received from any network card through the protocol stack private table entries of the user-mode protocol stack network isolation space corresponding to that network card.
Optionally, the processing module is specifically configured to:
when business data is received from a target network card, determine a target user-mode protocol stack network isolation space according to the isolation space pointer of the target network card;
invoke the protocol stack private table entries of the target user-mode protocol stack network isolation space and perform protocol stack processing on the business data based on the user-mode protocol stack;
provide the business data obtained after protocol stack processing to the business program and perform business processing on the business data based on the business program.
Optionally, the processing module is specifically configured to:
determine the business processing logic of the business program configuration file corresponding to the target user-mode protocol stack network isolation space, and perform business processing on the business data based on the business program according to that business processing logic.
Optionally, the device further includes:
a loading module, configured to load an isolation space management tool to which the space identifier of the target user-mode protocol stack network isolation space has been added;
a management module, configured to manage, through the isolation space management tool and by way of shared memory, the business program configuration file corresponding to the target user-mode protocol stack network isolation space.
Optionally, the transformation module is further configured to add to the socket structure of the user-mode protocol stack an isolation space pointer for binding a network isolation space;
the binding module is further configured to designate, when the business program creates a target socket, the corresponding target user-mode protocol stack network isolation space through the isolation space pointer of the socket structure of the target socket;
the processing module is further configured to process business data generated when the target socket is invoked through the protocol stack private table entries of the target user-mode protocol stack network isolation space.
Optionally, the device further includes:
a loading module, configured to load an isolation space management tool to which a target space identifier has been added;
a management module, configured to manage, through the isolation space management tool and by way of shared memory, the protocol stack private table entries of the user-mode protocol stack network isolation space corresponding to the target space identifier.
In a third aspect, a network device is provided, the network device including a processor and a memory, the memory storing at least one instruction, at least one program, a code set or an instruction set, which is loaded and executed by the processor to implement the network isolation method based on a user-mode protocol stack according to the first aspect.
In a fourth aspect, a computer-readable storage medium is provided, the storage medium storing at least one instruction, at least one program, a code set or an instruction set, which is loaded and executed by a processor to implement the network isolation method based on a user-mode protocol stack according to the first aspect.
The technical solution provided by the embodiments of the present invention has the following beneficial effects:
In the embodiments of the present invention, at the bottom-layer network card interface of the user-mode protocol stack, an isolation space pointer for binding a network isolation space is added to each network card; when a business program is initialized, multiple user-mode protocol stack network isolation spaces each having independent protocol stack private table entries are set up based on the user-mode protocol stack; one corresponding user-mode protocol stack network isolation space is designated for each network card through its isolation space pointer; and business data received from any network card is processed through the protocol stack private table entries of the user-mode protocol stack network isolation space corresponding to that network card. In this way the isolation space pointer establishes the association between a network card and a user-mode protocol stack network isolation space, so that business data received by different network cards is processed with the independent protocol stack private table entries designated by different user-mode protocol stack network isolation spaces, without mutual interference, which achieves network isolation based on a user-mode protocol stack.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention more clearly, the drawings needed for the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
FIG. 1 is a flowchart of a network isolation method based on a user-mode protocol stack provided by an embodiment of the present invention;
FIG. 2 is a schematic structural diagram of a network isolation device based on a user-mode protocol stack provided by an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of a network device provided by an embodiment of the present invention.
Detailed description
To make the objectives, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in further detail below with reference to the drawings.
An embodiment of the present invention provides a network isolation method based on a user-mode protocol stack. The method may be executed by any network device capable of running business programs, which may specifically be understood as a backend server of a service provider. A user-mode protocol stack may be deployed on the network device to process the business data to be sent and received in place of the kernel protocol stack. The network device may run business programs based on the user-mode protocol stack, such as nginx, haproxy or an HTTP server; these business programs run in user space, and the user-mode protocol stack together with a corresponding network isolation technique can satisfy their demands for high performance and high concurrency. The network device may include a processor, a memory and a transceiver: the processor may perform the user-mode protocol stack network isolation processing of the flow described below, the memory may store the data needed by and produced during that processing, and the transceiver may receive and send the data involved in that processing.
The processing flow shown in FIG. 1 is described in detail below with reference to specific embodiments; the content may be as follows:
Step 101: at the bottom-layer network card interface of the user-mode protocol stack, add to each network card an isolation space pointer for binding a network isolation space.
In implementation, to realize network isolation on the user-mode protocol stack so that business data received by different network cards reaches different network isolation spaces, the user-mode protocol stack must first be modified. Specifically, the bottom-layer network card interface of the user-mode protocol stack is identified, and at that interface each network card is given an isolation space pointer for binding a network isolation space; the pointer binds the network card to one specific network isolation space. This step may be carried out by technicians on the network device side operating the device, or by the network device itself running a preset modification program for the user-mode protocol stack.
Step 102: when a business program is initialized, set up, based on the user-mode protocol stack, multiple user-mode protocol stack network isolation spaces each having independent protocol stack private table entries.
In implementation, a business program installed on the network device performs initialization when it is first started or restarted after a failure. At that point the network device may load the business program's protocol stack configuration file, invoke the user-mode protocol stack, and create the number of user-mode protocol stack network isolation spaces specified in that configuration file. Each of these spaces has independent protocol stack private table entries: the contents of one space's private table entries may be identical to, partially the same as, or completely different from those of any other space. Each user-mode protocol stack network isolation space has a private isolation space address, and the protocol stack private table entries may include the IP address table, routing table, socket table, connection tracking table and the other network parameter tables that the user-mode protocol stack needs to consult when processing business data.
Step 103: designate for each network card, through its isolation space pointer, one corresponding user-mode protocol stack network isolation space.
In implementation, after the multiple user-mode protocol stack network isolation spaces have been set up during business program initialization, the network device may, again based on the business program's protocol stack configuration file, designate one corresponding user-mode protocol stack network isolation space for each network card through that card's isolation space pointer, i.e. set each network card's isolation space pointer to point at one user-mode protocol stack network isolation space. Here a network card can correspond to only one user-mode protocol stack network isolation space, whereas one user-mode protocol stack network isolation space can correspond to several network cards; the specific mapping between network cards and spaces is set in the protocol stack configuration file mentioned above.
Step 104: for business data received from any network card, process the business data through the protocol stack private table entries of the user-mode protocol stack network isolation space corresponding to that network card.
In implementation, while the business program is running the network device may receive the business program's business data from a network card. For received business data, the network device first determines which network card received it, then looks up the user-mode protocol stack network isolation space corresponding to that network card, and then processes the business data with the user-mode protocol stack and the business program through the protocol stack private table entries of that space.
Optionally, the business data may first undergo protocol stack processing by the user-mode protocol stack and then be handed to the business program for business processing; accordingly, the processing of step 104 may be as follows:
when business data is received from a target network card, determine a target user-mode protocol stack network isolation space according to the isolation space pointer of the target network card;
invoke the protocol stack private table entries of the target user-mode protocol stack network isolation space and perform protocol stack processing on the business data based on the user-mode protocol stack;
provide the business data obtained after protocol stack processing to the business program and perform business processing on the business data based on the business program.
In implementation, taking a target network card as an example: after the network device has designated a user-mode protocol stack network isolation space for each network card, when it receives business data from the target network card while the business program is running, it can determine the target user-mode protocol stack network isolation space from the isolation space pointer of the target network card. Then, while performing protocol stack processing on the business data with the user-mode protocol stack, whenever a specific network parameter table is needed the network device invokes the protocol stack private table entries of the target space and continues the protocol stack processing of the business data with those entries. After protocol stack processing is complete, the network device provides the resulting business data to the business program and performs business processing on it based on the business program. It will be understood that the protocol stack processing for the multiple user-mode protocol stack network isolation spaces can be divided into common protocol stack processing and processing private to each space, and that both can be performed by the same user-mode protocol stack, the private part being realized by invoking different protocol stack private table entries. The network device therefore does not need to create multiple instances of the user-mode protocol stack, which saves system resources and reduces the management complexity of the user-mode protocol stack.
Optionally, the business processing corresponding to different user-mode protocol stack network isolation spaces may also differ; accordingly, the business processing of the business data may specifically be as follows: determine the business processing logic of the business program configuration file corresponding to the target user-mode protocol stack network isolation space, and perform business processing on the business data based on the business program according to that business processing logic.
In implementation, again taking business data received by the target network card as an example, after the network device provides the business data obtained from protocol stack processing to the business program, it can determine the business processing logic of the business program configuration file corresponding to the target user-mode protocol stack network isolation space and then execute that logic with the business program, thereby performing business processing on the business data. Note that before the business program is run it likewise has to be modified so that the network isolation technique can be used with it. Specifically, multiple business program configuration files may be created, each corresponding to one user-mode protocol stack network isolation space; the business processing, program attribute configuration, program startup parameters and so on in different configuration files are isolated from one another and do not interfere. When the business program initializes, it can load all the business program configuration files and store the business processing logic of each, so that when the business processing corresponding to different user-mode protocol stack network isolation spaces has to be executed, the same business program can do so according to different business processing logic. The network device does not need to start a separate business program for every user-mode protocol stack network isolation space, which saves system resources and reduces the management complexity of the business program.
Optionally, after a certain modification of the isolation space management tool, the business program configuration files may be managed through that tool; the corresponding processing may be as follows: load an isolation space management tool to which the space identifier of the target user-mode protocol stack network isolation space has been added; manage, through the isolation space management tool and by way of shared memory, the business program configuration file corresponding to the target user-mode protocol stack network isolation space.
In implementation, the existing isolation space management tools used with Linux kernel-level network isolation may be modified by adding to them a parameter carrying the space identifier of a user-mode protocol stack network isolation space. Taking the target user-mode protocol stack network isolation space as an example, the network device can load an isolation space management tool to which the identifier of the target space has been added and then use that tool to communicate with the business program by way of shared memory, so that the business program configuration file corresponding to the target space can be managed.
Optionally, the network isolation technique on the user-mode protocol stack may also be realized by modifying the socket structure; the corresponding processing may be as follows: add to the socket structure of the user-mode protocol stack an isolation space pointer for binding a network isolation space; when the business program creates a target socket, designate the corresponding target user-mode protocol stack network isolation space through the isolation space pointer of the socket structure of the target socket; for business data generated when the target socket is invoked, process the business data through the protocol stack private table entries of the target user-mode protocol stack network isolation space.
In implementation, the socket structure of the user-mode protocol stack may be modified in advance by adding to it an isolation space pointer for binding a network isolation space; the pointer binds socket function operations to one specific network isolation space. Thereafter, when the business program creates a target socket, the space identifier of a certain user-mode protocol stack network isolation space (for example the target space) may be added based on the business program configuration file, so that the isolation space pointer of the target socket's socket structure designates the corresponding target user-mode protocol stack network isolation space for that socket. Further, for business data generated when the target socket is invoked, the network device may process the data through the protocol stack private table entries of the target user-mode protocol stack network isolation space. Specifically, after the business program generates business data that has to be sent as a packet, it can invoke the already-created target socket to hand the business data to the user-mode protocol stack for protocol stack processing. During that processing the network device determines the corresponding target user-mode protocol stack network isolation space from the target socket, invokes the protocol stack private table entries of that space to carry out the relevant protocol stack processing, and finally encapsulates the business data into a packet and sends it through the network card corresponding to the target user-mode protocol stack network isolation space, thereby achieving network isolation in the sending direction as well.
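The following C program is an added example, not code from the patent or from any user-mode stack; it models steps 101 to 104 above (the per-network-card isolation space pointer, per-space private tables, and the receive-side dispatch) together with the socket-structure variant just described (the socket's own pointer and the send path through the space's network card). The type and function names (isolation_space, nic, usock, rx_dispatch, tx_via_socket), the two-space topology and the addresses are this example's own assumptions. It also adds two checks a practitioner would want that the text does not spell out: a network card with no space bound drops data instead of falling into a default space, and a socket is refused the egress network card when the route it found in its space's table points at a card that is bound to another space.

```c
/* Added example (not the patent's code): a minimal C model of the isolation
 * space pointer mechanism of steps 101-104 and of the socket variant. All
 * names (isolation_space, nic, usock, ...) are this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_ROUTES 4

/* One entry of a space's private route table: destination prefix -> egress NIC id. */
struct route { uint32_t dst; uint32_t mask; int nic_id; };

/* A user-mode protocol stack network isolation space and its private tables
 * (the text also lists socket and connection-tracking tables; only the IP
 * address and route tables are modelled here). */
struct isolation_space {
    int id;
    uint32_t addr;                    /* private IP address table, one entry */
    struct route routes[MAX_ROUTES];  /* private route table */
    int nroutes;
    unsigned rx_count;                /* per-space counter: shows no cross-talk */
};

/* Bottom-layer NIC interface of the stack, extended with the pointer (step 101). */
struct nic { int id; struct isolation_space *space; };

/* Socket structure of the stack, extended with the same pointer (socket variant). */
struct usock { int fd; struct isolation_space *space; };

/* Longest-prefix match in the given space's own route table. Returns NIC id or -1. */
static int space_route_lookup(const struct isolation_space *s, uint32_t dst)
{
    int best = -1;
    uint32_t best_mask = 0;
    for (int i = 0; i < s->nroutes; i++) {
        const struct route *r = &s->routes[i];
        if ((dst & r->mask) == (r->dst & r->mask) && (best < 0 || r->mask > best_mask)) {
            best = r->nic_id;
            best_mask = r->mask;
        }
    }
    return best;
}

/* Step 104, receive direction: the receiving NIC's pointer selects the space
 * whose tables are consulted. A NIC with no space bound drops the data instead
 * of falling into some default space. Returns the space id, or -1 for drop. */
static int rx_dispatch(struct nic *n, uint32_t dst_addr)
{
    struct isolation_space *s = n->space;
    if (s == NULL || dst_addr != s->addr)   /* unbound NIC, or not this space's address */
        return -1;
    s->rx_count++;
    return s->id;
}

/* Socket variant, send direction: the socket's pointer selects the space, the
 * route comes from that space's table, and the chosen egress NIC must be bound
 * to the same space; otherwise the packet is refused rather than leaking out of
 * a NIC that belongs to another space. Returns the NIC id, or -1. */
static int tx_via_socket(const struct usock *sk, uint32_t dst, struct nic *nics, int nnics)
{
    if (sk->space == NULL)
        return -1;
    int nic_id = space_route_lookup(sk->space, dst);
    for (int i = 0; nic_id >= 0 && i < nnics; i++)
        if (nics[i].id == nic_id)
            return nics[i].space == sk->space ? nic_id : -1;
    return -1;
}

/* Constructed demo topology (steps 102-103): two spaces, two NICs, two sockets.
 * Space 2's route table deliberately contains a route towards NIC 0, which is
 * bound to space 1, so that the send-side check can be seen refusing it. */
static struct isolation_space g_spaces[2];
static struct nic g_nics[2];
static struct usock g_socks[2];
static struct nic g_unbound_nic = { 7, NULL };

static void demo_setup(void)
{
    g_spaces[0] = (struct isolation_space){ .id = 1, .addr = 0x0A000001u,   /* 10.0.0.1 */
        .routes = { { 0x0A000000u, 0xFFFFFF00u, 0 } }, .nroutes = 1 };
    g_spaces[1] = (struct isolation_space){ .id = 2, .addr = 0xC0A80001u,   /* 192.168.0.1 */
        .routes = { { 0xC0A80000u, 0xFFFFFF00u, 1 }, { 0x0A000000u, 0xFFFFFF00u, 0 } },
        .nroutes = 2 };
    g_nics[0] = (struct nic){ 0, &g_spaces[0] };   /* NIC 0 -> space 1 */
    g_nics[1] = (struct nic){ 1, &g_spaces[1] };   /* NIC 1 -> space 2 */
    g_socks[0] = (struct usock){ 3, &g_spaces[0] };
    g_socks[1] = (struct usock){ 4, &g_spaces[1] };
}

int main(void)
{
    demo_setup();
    printf("rx on NIC0 -> space %d\n", rx_dispatch(&g_nics[0], 0x0A000001u));
    printf("rx on NIC1 -> space %d\n", rx_dispatch(&g_nics[1], 0xC0A80001u));
    printf("rx on unbound NIC -> %d (dropped)\n", rx_dispatch(&g_unbound_nic, 0x0A000001u));
    printf("tx from socket in space 2 to 10.0.0.5 -> %d (refused)\n",
           tx_via_socket(&g_socks[1], 0x0A000005u, g_nics, 2));
    return 0;
}
```

The point of the second check is that the private route table is exactly the kind of table the management tool can edit at run time; without the ownership test on the egress network card, a single wrong route in one space's table would be enough to send that space's traffic out of another space's card.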
Optionally, after a certain modification of the isolation space management tool, the protocol stack private table entries of a user-mode protocol stack network isolation space may be managed through that tool; the corresponding processing may be as follows: load an isolation space management tool to which a target space identifier has been added; manage, through the isolation space management tool and by way of shared memory, the protocol stack private table entries of the user-mode protocol stack network isolation space corresponding to the target space identifier.
In implementation, the existing isolation space management tools used with Linux kernel-level network isolation (such as ifconfig and ip) may be modified by adding to them a parameter carrying the space identifier of a user-mode protocol stack network isolation space. The network device can then load an isolation space management tool to which the target space identifier has been added and use it to communicate, by way of shared memory, with the user-mode protocol stack network isolation space corresponding to that identifier, so that the protocol stack private table entries of that space can be managed.
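The following C program is an added example, not the patent's or any tool's code, of the shared-memory management channel described in the two optional variants above: a management tool carrying a space identifier (the text's modified ifconfig/ip) publishes commands, and the stack applies each command to the private table of the named space only. The same channel would carry the business program configuration file operations of the earlier variant; here only the IP address table is modelled. Everything is assumed: the command layout, the ring, the `--space` spelling of the added parameter, and the fact that the shared region is a static struct rather than a real segment mapped by both processes (shm_open and mmap in a deployment). The stack side treats the region as untrusted input because the tool can write to it: it copies each command out before validating, bounds-checks the space identifier before indexing its tables, and rejects unknown operations and cross-space deletes.

```c
/* Added example (not the patent's code): the isolation space management tool
 * talking to the user-mode stack through shared memory, with the space
 * identifier added to every command. The control region would be a shared
 * memory segment mapped by both processes; it is a static struct here so the
 * example runs stand-alone. All names are this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SPACES 4     /* spaces created at business program initialization (assumed) */
#define MAX_ADDRS  4
#define RING_SIZE  8

enum ctl_op { CTL_ADD_ADDR = 1, CTL_DEL_ADDR = 2 };

/* One management command: space_id selects whose private table is touched. */
struct ctl_cmd { uint32_t space_id; uint32_t op; uint32_t addr; };

/* Shared control region: single-producer (tool) / single-consumer (stack) ring. */
struct ctl_region { uint32_t head; uint32_t tail; struct ctl_cmd ring[RING_SIZE]; };

/* Private IP address table of one space. */
struct ip_table { uint32_t addrs[MAX_ADDRS]; int n; };

static struct ctl_region g_ctl;                 /* stands in for the shm segment */
static struct ip_table g_tables[MAX_SPACES];    /* one private table per space */

static void ctl_reset(void)
{
    memset(&g_ctl, 0, sizeof g_ctl);
    memset(g_tables, 0, sizeof g_tables);
}

/* Tool side, e.g. a modified `ip --space 1 addr add 192.168.0.1` (assumed
 * spelling): publish the command. Returns -1 if the ring is full. */
static int tool_enqueue(uint32_t space_id, uint32_t op, uint32_t addr)
{
    if (g_ctl.head - g_ctl.tail >= RING_SIZE)
        return -1;
    g_ctl.ring[g_ctl.head % RING_SIZE] = (struct ctl_cmd){ space_id, op, addr };
    g_ctl.head++;    /* a real implementation publishes with a release barrier */
    return 0;
}

/* Stack side: apply one command to the named space's table only. The region is
 * writable by the tool, so every field is validated; an out-of-range space_id
 * must never index past g_tables. Returns 0 if applied, -1 if rejected. */
static int stack_apply_one(const struct ctl_cmd *c)
{
    if (c->space_id >= MAX_SPACES || c->addr == 0)
        return -1;
    struct ip_table *t = &g_tables[c->space_id];
    int i;
    for (i = 0; i < t->n && t->addrs[i] != c->addr; i++)
        ;
    switch (c->op) {
    case CTL_ADD_ADDR:
        if (i < t->n || t->n == MAX_ADDRS)   /* duplicate, or table full */
            return -1;
        t->addrs[t->n++] = c->addr;
        return 0;
    case CTL_DEL_ADDR:
        if (i == t->n)                        /* not present in this space */
            return -1;
        t->addrs[i] = t->addrs[--t->n];
        return 0;
    default:
        return -1;                            /* unknown operation */
    }
}

/* Drain the ring. Returns the number of commands applied; *rejected gets the rest. */
static int stack_drain(int *rejected)
{
    int applied = 0;
    *rejected = 0;
    while (g_ctl.tail != g_ctl.head) {
        struct ctl_cmd c = g_ctl.ring[g_ctl.tail % RING_SIZE];   /* copy, then validate */
        g_ctl.tail++;
        if (stack_apply_one(&c) == 0) applied++; else (*rejected)++;
    }
    return applied;
}

/* Does the private table of space_id contain addr? */
static int space_has_addr(uint32_t space_id, uint32_t addr)
{
    if (space_id >= MAX_SPACES) return 0;
    const struct ip_table *t = &g_tables[space_id];
    for (int i = 0; i < t->n; i++)
        if (t->addrs[i] == addr) return 1;
    return 0;
}

int main(void)
{
    int rejected;
    ctl_reset();
    tool_enqueue(0, CTL_ADD_ADDR, 0x0A000001u);   /* space 0: 10.0.0.1 */
    tool_enqueue(1, CTL_ADD_ADDR, 0xC0A80001u);   /* space 1: 192.168.0.1 */
    tool_enqueue(9, CTL_ADD_ADDR, 0x0A000002u);   /* no such space: rejected */
    tool_enqueue(1, CTL_DEL_ADDR, 0x0A000001u);   /* 10.0.0.1 is not space 1's: rejected */
    printf("applied %d, rejected %d\n", stack_drain(&rejected), rejected);
    return 0;
}
```

Copying the command out of the ring before validating it matters because the tool process keeps write access to the region: validating in place and then reading the fields again would let a racing writer change the space identifier between the check and the use.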
In the embodiments of the present invention, at the bottom-layer network card interface of the user-mode protocol stack, an isolation space pointer for binding a network isolation space is added to each network card; when a business program is initialized, multiple user-mode protocol stack network isolation spaces each having independent protocol stack private table entries are set up based on the user-mode protocol stack; one corresponding user-mode protocol stack network isolation space is designated for each network card through its isolation space pointer; and business data received from any network card is processed through the protocol stack private table entries of the user-mode protocol stack network isolation space corresponding to that network card. In this way the isolation space pointer establishes the association between a network card and a user-mode protocol stack network isolation space, so that business data received by different network cards is processed with the independent protocol stack private table entries designated by different user-mode protocol stack network isolation spaces, without mutual interference, which achieves network isolation based on a user-mode protocol stack.
Based on the same technical concept, an embodiment of the present invention further provides a network isolation device based on a user-mode protocol stack. As shown in FIG. 2, the device includes:
a transformation module 201, configured to add, at the bottom-layer network card interface of the user-mode protocol stack, an isolation space pointer for binding a network isolation space to each network card;
a setting module 202, configured to set up, when a business program is initialized and based on the user-mode protocol stack, multiple user-mode protocol stack network isolation spaces each having independent protocol stack private table entries;
a binding module 203, configured to designate for each network card, through the isolation space pointer of that network card, one corresponding user-mode protocol stack network isolation space;
a processing module 204, configured to process business data received from any network card through the protocol stack private table entries of the user-mode protocol stack network isolation space corresponding to that network card.
Optionally, the processing module 204 is specifically configured to:
when business data is received from a target network card, determine a target user-mode protocol stack network isolation space according to the isolation space pointer of the target network card;
invoke the protocol stack private table entries of the target user-mode protocol stack network isolation space and perform protocol stack processing on the business data based on the user-mode protocol stack;
provide the business data obtained after protocol stack processing to the business program and perform business processing on the business data based on the business program.
Optionally, the processing module 204 is specifically configured to:
determine the business processing logic of the business program configuration file corresponding to the target user-mode protocol stack network isolation space, and perform business processing on the business data based on the business program according to that business processing logic.
Optionally, the device further includes:
a loading module, configured to load an isolation space management tool to which the space identifier of the target user-mode protocol stack network isolation space has been added;
a management module, configured to manage, through the isolation space management tool and by way of shared memory, the business program configuration file corresponding to the target user-mode protocol stack network isolation space.
Optionally, the transformation module 201 is further configured to add to the socket structure of the user-mode protocol stack an isolation space pointer for binding a network isolation space;
the binding module 203 is further configured to designate, when the business program creates a target socket, the corresponding target user-mode protocol stack network isolation space through the isolation space pointer of the socket structure of the target socket;
the processing module 204 is further configured to process business data generated when the target socket is invoked through the protocol stack private table entries of the target user-mode protocol stack network isolation space.
Optionally, the device further includes:
a loading module, configured to load an isolation space management tool to which a target space identifier has been added;
a management module, configured to manage, through the isolation space management tool and by way of shared memory, the protocol stack private table entries of the user-mode protocol stack network isolation space corresponding to the target space identifier.
In the embodiments of the present invention, at the bottom-layer network card interface of the user-mode protocol stack, an isolation space pointer for binding a network isolation space is added to each network card; when a business program is initialized, multiple user-mode protocol stack network isolation spaces each having independent protocol stack private table entries are set up based on the user-mode protocol stack; one corresponding user-mode protocol stack network isolation space is designated for each network card through its isolation space pointer; and business data received from any network card is processed through the protocol stack private table entries of the user-mode protocol stack network isolation space corresponding to that network card. In this way the isolation space pointer establishes the association between a network card and a user-mode protocol stack network isolation space, so that business data received by different network cards is processed with the independent protocol stack private table entries designated by different user-mode protocol stack network isolation spaces, without mutual interference, which achieves network isolation based on a user-mode protocol stack.
It should be noted that when the network isolation device based on a user-mode protocol stack provided by the above embodiment performs network isolation based on a user-mode protocol stack, the division into the functional modules described above is only an example; in practical application the above functions may be assigned to different functional modules as needed, i.e. the internal structure of the device may be divided into different functional modules to complete all or part of the functions described above. In addition, the network isolation device based on a user-mode protocol stack provided by the above embodiment and the embodiment of the network isolation method based on a user-mode protocol stack belong to the same concept; for the specific implementation process refer to the method embodiment, which is not repeated here.
FIG. 3 is a schematic structural diagram of a network device provided by an embodiment of the present invention. The network device 300 may vary considerably depending on configuration or performance, and may include one or more central processing units 322 (for example, one or more processors), a memory 332, and one or more storage media 330 (for example, one or more mass storage devices) storing application programs 342 or data 344. The memory 332 and the storage medium 330 may be transient or persistent storage. The program stored on the storage medium 330 may include one or more modules (not shown), each of which may include a series of instruction operations on the network device 300. Further, the central processing unit 322 may be configured to communicate with the storage medium 330 and to execute the series of instruction operations in the storage medium 330 on the network device 300.
The network device 300 may further include one or more power supplies 326, one or more wired or wireless network interfaces 350, one or more input/output interfaces 358, one or more keyboards 356, and/or one or more operating systems 341, such as Windows Server, Mac OS X, Unix, Linux or FreeBSD.
The network device 300 may include a memory and one or more programs, the one or more programs being stored in the memory and configured to be executed by one or more processors, and containing instructions for performing the network isolation based on a user-mode protocol stack described above.
A person of ordinary skill in the art will understand that all or part of the steps of the above embodiments may be implemented by hardware, or by a program instructing the relevant hardware; the program may be stored on a computer-readable storage medium, and the storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disk or the like.
The above are only preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (14)

  1. A network isolation method based on a user-mode protocol stack, characterized in that the method comprises:
    adding, at the bottom-layer network card interface of the user-mode protocol stack, an isolation space pointer for binding a network isolation space to each network card;
    when a business program is initialized, setting up, based on the user-mode protocol stack, multiple user-mode protocol stack network isolation spaces each having independent protocol stack private table entries;
    designating for each network card, through the isolation space pointer of that network card, one corresponding user-mode protocol stack network isolation space;
    for business data received from any network card, processing the business data through the protocol stack private table entries of the user-mode protocol stack network isolation space corresponding to that network card.
  2. The method according to claim 1, characterized in that processing the business data received from any network card through the protocol stack private table entries of the user-mode protocol stack network isolation space corresponding to that network card comprises:
    when business data is received from a target network card, determining a target user-mode protocol stack network isolation space according to the isolation space pointer of the target network card;
    invoking the protocol stack private table entries of the target user-mode protocol stack network isolation space and performing protocol stack processing on the business data based on the user-mode protocol stack;
    providing the business data obtained after protocol stack processing to the business program and performing business processing on the business data based on the business program.
  3. The method according to claim 2, characterized in that performing business processing on the business data based on the business program comprises:
    determining the business processing logic of the business program configuration file corresponding to the target user-mode protocol stack network isolation space, and performing business processing on the business data based on the business program according to that business processing logic.
  4. The method according to claim 3, characterized in that the method further comprises:
    loading an isolation space management tool to which the space identifier of the target user-mode protocol stack network isolation space has been added;
    managing, through the isolation space management tool and by way of shared memory, the business program configuration file corresponding to the target user-mode protocol stack network isolation space.
  5. The method according to claim 1, characterized in that the method further comprises:
    adding to the socket structure of the user-mode protocol stack an isolation space pointer for binding a network isolation space;
    when the business program creates a target socket, designating the corresponding target user-mode protocol stack network isolation space through the isolation space pointer of the socket structure of the target socket;
    for business data generated when the target socket is invoked, processing the business data through the protocol stack private table entries of the target user-mode protocol stack network isolation space.
  6. The method according to claim 1, characterized in that the method further comprises:
    loading an isolation space management tool to which a target space identifier has been added;
    managing, through the isolation space management tool and by way of shared memory, the protocol stack private table entries of the user-mode protocol stack network isolation space corresponding to the target space identifier.
  7. A network isolation device based on a user-mode protocol stack, characterized in that the device comprises:
    a transformation module, configured to add, at the bottom-layer network card interface of the user-mode protocol stack, an isolation space pointer for binding a network isolation space to each network card;
    a setting module, configured to set up, when a business program is initialized and based on the user-mode protocol stack, multiple user-mode protocol stack network isolation spaces each having independent protocol stack private table entries;
    a binding module, configured to designate for each network card, through the isolation space pointer of that network card, one corresponding user-mode protocol stack network isolation space;
    a processing module, configured to process business data received from any network card through the protocol stack private table entries of the user-mode protocol stack network isolation space corresponding to that network card.
  8. The device according to claim 7, characterized in that the processing module is specifically configured to:
    when business data is received from a target network card, determine a target user-mode protocol stack network isolation space according to the isolation space pointer of the target network card;
    invoke the protocol stack private table entries of the target user-mode protocol stack network isolation space and perform protocol stack processing on the business data based on the user-mode protocol stack;
    provide the business data obtained after protocol stack processing to the business program and perform business processing on the business data based on the business program.
  9. The device according to claim 8, characterized in that the processing module is specifically configured to:
    determine the business processing logic of the business program configuration file corresponding to the target user-mode protocol stack network isolation space, and perform business processing on the business data based on the business program according to that business processing logic.
  10. The device according to claim 9, characterized in that the device further comprises:
    a loading module, configured to load an isolation space management tool to which the space identifier of the target user-mode protocol stack network isolation space has been added;
    a management module, configured to manage, through the isolation space management tool and by way of shared memory, the business program configuration file corresponding to the target user-mode protocol stack network isolation space.
  11. The device according to claim 7, characterized in that the transformation module is further configured to add to the socket structure of the user-mode protocol stack an isolation space pointer for binding a network isolation space;
    the binding module is further configured to designate, when the business program creates a target socket, the corresponding target user-mode protocol stack network isolation space through the isolation space pointer of the socket structure of the target socket;
    the processing module is further configured to process business data generated when the target socket is invoked through the protocol stack private table entries of the target user-mode protocol stack network isolation space.
  12. The device according to claim 7, characterized in that the device further comprises:
    a loading module, configured to load an isolation space management tool to which a target space identifier has been added;
    a management module, configured to manage, through the isolation space management tool and by way of shared memory, the protocol stack private table entries of the user-mode protocol stack network isolation space corresponding to the target space identifier.
  13. A network device, characterized in that the network device comprises a processor and a memory, the memory storing at least one instruction, at least one program, a code set or an instruction set, which is loaded and executed by the processor to implement the network isolation method based on a user-mode protocol stack according to any one of claims 1 to 6.
  14. A computer-readable storage medium, characterized in that the storage medium stores at least one instruction, at least one program, a code set or an instruction set, which is loaded and executed by a processor to implement the network isolation method based on a user-mode protocol stack according to any one of claims 1 to 6.
PCT/CN2019/074459 2018-12-07 2019-02-01 Network isolation method and device based on a user-mode protocol stack WO2020113817A1 (zh)

Priority Applications (2)

Application Number Priority Date Filing Date Title
EP19893260.0A EP3893451A4 (en) 2018-12-07 2019-02-01 METHOD AND APPARATUS FOR NETWORK DISCONNECTION BASED ON A USER MODE PROTOCOL STACK
US17/288,978 US20210392091A1 (en) 2018-12-07 2019-02-01 User-mode protocol stack-based network isolation method and device

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201811497871.3 2018-12-07
CN201811497871.3A CN111294293B (zh) 2018-12-07 2018-12-07 Network isolation method and device based on a user-mode protocol stack

Publications (1)

Publication Number Publication Date
WO2020113817A1 true WO2020113817A1 (zh) 2020-06-11

Family

ID=70974488

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/074459 WO2020113817A1 (zh) 2018-12-07 2019-02-01 Network isolation method and device based on a user-mode protocol stack

Country Status (4)

Country Link
US (1) US20210392091A1 (zh)
EP (1) EP3893451A4 (zh)
CN (1) CN111294293B (zh)
WO (1) WO2020113817A1 (zh)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112422453A (zh) * 2020-12-09 2021-02-26 新华三信息技术有限公司 Packet processing method, apparatus, medium and device

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114205185B (zh) * 2020-09-16 2023-03-24 厦门网宿有限公司 Proxy method and apparatus for control packets
CN113485823A (zh) * 2020-11-23 2021-10-08 中兴通讯股份有限公司 Data transmission method and apparatus, network device and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CA2208295A1 (en) * 1997-04-04 1998-10-04 Microsoft Corporation User mode proxy of kernel mode operations in a computer operating system
CN104168257A (zh) * 2014-01-28 2014-11-26 广东电网公司电力科学研究院 Non-network-based data isolation apparatus, method and system
CN106789099A (zh) * 2016-11-16 2017-05-31 深圳市捷视飞通科技股份有限公司 PCIe-based high-speed isolated network method and terminal
CN108429770A (zh) * 2018-06-07 2018-08-21 北京网迅科技有限公司杭州分公司 Server-client data isolation system and data transmission method

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120278878A1 (en) * 2011-04-27 2012-11-01 International Business Machines Corporation Systems and methods for establishing secure virtual private network communications using non-privileged vpn client
CN102402487B (zh) * 2011-11-15 2014-10-22 北京天融信科技股份有限公司 Zero-copy packet receiving method and system
US9231846B2 (en) * 2011-11-22 2016-01-05 Microsoft Technology Licensing, Llc Providing network capability over a converged interconnect fabric
US9612877B1 (en) * 2012-07-12 2017-04-04 Cisco Technology, Inc. High performance computing in a virtualized environment
CN102999330B (zh) * 2012-11-12 2015-10-14 北京神州绿盟信息安全科技股份有限公司 Network card configuration method and apparatus based on a user-mode network card driver
CN104639578B (zh) * 2013-11-08 2018-05-11 华为技术有限公司 Multi-protocol-stack load balancing method and apparatus
CN103778368A (zh) * 2014-01-23 2014-05-07 重庆邮电大学 Process security isolation method based on system virtualization technology
US10892942B2 (en) * 2016-01-22 2021-01-12 Equinix, Inc. Container-based cloud exchange disaster recovery

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CA2208295A1 (en) * 1997-04-04 1998-10-04 Microsoft Corporation User mode proxy of kernel mode operations in a computer operating system
CN104168257A (zh) * 2014-01-28 2014-11-26 广东电网公司电力科学研究院 Non-network-based data isolation apparatus, method and system
CN106789099A (zh) * 2016-11-16 2017-05-31 深圳市捷视飞通科技股份有限公司 PCIe-based high-speed isolated network method and terminal
CN108429770A (zh) * 2018-06-07 2018-08-21 北京网迅科技有限公司杭州分公司 Server-client data isolation system and data transmission method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of EP3893451A4 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112422453A (zh) * 2020-12-09 2021-02-26 新华三信息技术有限公司 Packet processing method, apparatus, medium and device
CN112422453B (zh) * 2020-12-09 2022-05-24 新华三信息技术有限公司 Packet processing method, apparatus, medium and device

Also Published As

Publication number Publication date
US20210392091A1 (en) 2021-12-16
EP3893451A1 (en) 2021-10-13
EP3893451A4 (en) 2022-01-19
CN111294293A (zh) 2020-06-16
CN111294293B (zh) 2021-08-10

Similar Documents

Publication Publication Date Title
US11372802B2 (en) Virtual RDMA switching for containerized applications
EP3471366A1 (en) Container deployment method, communication method between services and related devices
US9588807B2 (en) Live logical partition migration with stateful offload connections using context extraction and insertion
US8830870B2 (en) Network adapter hardware state migration discovery in a stateful environment
WO2019184164A1 (zh) Method and apparatus for automatically deploying Kubernetes worker nodes, terminal device and readable storage medium
US8769040B2 (en) Service providing system, a virtual machine server, a service providing method, and a program thereof
US7451197B2 (en) Method, system, and article of manufacture for network protocols
WO2020113817A1 (zh) Network isolation method and device based on a user-mode protocol stack
CN113127150A (zh) Rapid deployment method and apparatus for a cloud-native system, electronic device and storage medium
WO2024016624A1 (zh) Multi-cluster access method and system
WO2024113582A1 (zh) Multi-cloud cluster resource sharing method, apparatus, device and storage medium
CN111143034A (zh) Method, apparatus and system for controlling a network data forwarding plane
US11126457B2 (en) Method for batch processing nginx network isolation spaces and nginx server
CN112395049A (zh) Business server invocation method, system, device and storage medium
CN112416495A (zh) Unified management system and method for hyper-converged cloud terminal resources
CN115913778A (zh) Network policy update method and system based on the sidecar pattern, and storage medium
CN111669423B (zh) Batch processing method and system for network isolation spaces based on a user-mode protocol stack
WO2022151386A1 (zh) Method for upgrading nodes in batches, related apparatus and device
JP7212158B2 (ja) Provider network service extension
CN111669358B (zh) Method and apparatus for batch processing of vRouter network isolation spaces
CN111669310B (zh) Batch processing method for network isolation spaces in a PPTP VPN, and PPTP VPN server
CN111669355B (zh) Batch processing method for nginx network isolation spaces, and nginx server
US20050281258A1 (en) Address translation program, program utilizing method, information processing device and readable-by-computer medium
WO2022141293A1 (zh) Elastic scaling method and apparatus
WO2024103726A1 (zh) Cloud service deployment method based on cloud computing technology, and cloud management platform

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19893260

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

ENP Entry into the national phase

Ref document number: 2019893260

Country of ref document: EP

Effective date: 20210706