Summary of the invention
The object of the invention is to overcome the shortcomings of the prior art described above and to provide a method for realizing IP address access restriction for programs in the operating system of a smart device, which can restrict a mobile-phone APP or router plug-in program from accessing domain names or IP addresses refused by the user, or manage such addresses, by letting the APP or plug-in program run in a container similar to a virtual machine and, by extending the container, allowing the APP or plug-in to complete all of the functions it would perform running directly on the host system.
To achieve this goal, the method of the present invention for realizing IP address access restriction for programs in the operating system of a smart device is constituted as follows:
This method for realizing IP address access restriction for programs in the operating system of a smart device is mainly characterized in that it comprises the following steps:
(1) creating a virtual machine container for a program that needs to be started in the operating system of the smart device;
(2) setting, in said virtual machine container, the IP addresses that are allowed to be accessed;
(3) starting said program and making it run in said virtual machine container;
(4) controlling, in the operating system of the smart device, the IP addresses accessed by said program.
Preferably, said step (1) comprises the following steps:
(1-1) creating a one-to-one virtual machine container for the program that needs to be started in the operating system of the smart device;
(1-2) creating a virtual network interface for said virtual machine container;
(1-3) assigning an IP address to said virtual network interface.
More preferably, said creating a virtual network interface for said virtual machine container is specifically:
selecting the VETH, HOST or MACVLAN networking mode for said virtual machine container and creating the corresponding virtual network interface.
Preferably, said program is an APP program or a plug-in program.
Preferably, said controlling, in the operating system of the smart device, the IP addresses accessed by said program comprises controlling the program's access to external IP addresses and controlling mutual access between two programs.
More preferably, said controlling the program's access to external IP addresses comprises the following steps:
(4-A-1) mapping a port of the external IP address, by network address translation, to the virtual machine container corresponding to said program;
(4-A-2) said program making its network connection through the port of the mapped IP address.
More preferably, said controlling mutual access between two programs comprises the following steps:
(4-B-1) creating, for each program, a daemon that listens on a known IP address;
(4-B-2) when said daemon detects a program connecting, forwarding the connection to the IP address and port corresponding to the virtual machine container where the service-providing plug-in is located.
Adopting the method of this invention for realizing IP address access restriction for programs in the operating system of a smart device has the following beneficial effects:
(1) this patent provides the user with a new protection mechanism: if an APP collects user data and wants to upload it to its own server, the method can restrict the APP's network access so that it cannot communicate with domain names or IP addresses not accepted by the user;
(2) the method can provide a more flexible restriction scheme, granting the APP access to only certain network addresses; even if the APP is a virus, it cannot damage the system, so the method has a wide range of application.
Embodiment
In order to describe the technical content of the present invention more clearly, it is further described below in conjunction with specific embodiments.
The present invention relates to a mechanism for restricting a mobile-phone APP or router plug-in program from accessing domain names or IP addresses refused by the user, or for managing such addresses, and provides a solution. The APP or plug-in program is allowed to run in a container similar to a virtual machine. By extending the container, the APP or plug-in can complete all of the functions it would perform running directly on the host system. The advantage is that an APP or plug-in program running in the background is prevented from collecting the user's private data and uploading it to a server unknown to the user. The program may access only domain names or IP addresses accepted by the user. This improves the security of router and gateway products.
To achieve this object, this method for realizing IP address access restriction for programs in the operating system of a smart device comprises the following steps:
(1) creating a virtual machine container for a program that needs to be started in the operating system of the smart device;
(2) setting, in said virtual machine container, the IP addresses that are allowed to be accessed;
(3) starting said program and making it run in said virtual machine container;
(4) controlling, in the operating system of the smart device, the IP addresses accessed by said program.
In a preferred embodiment, said step (1) comprises the following steps:
(1-1) creating a one-to-one virtual machine container for the program that needs to be started in the operating system of the smart device;
(1-2) creating a virtual network interface for said virtual machine container;
(1-3) assigning an IP address to said virtual network interface.
In a more preferred embodiment, said creating a virtual network interface for said virtual machine container is specifically:
selecting the VETH, HOST or MACVLAN networking mode for said virtual machine container and creating the corresponding virtual network interface.
In a preferred embodiment, said program is an APP program or a plug-in program.
In a preferred embodiment, said controlling, in the operating system of the smart device, the IP addresses accessed by said program comprises controlling the program's access to external IP addresses and controlling mutual access between two programs.
In a more preferred embodiment, said controlling the program's access to external IP addresses comprises the following steps:
(4-A-1) mapping a port of the external IP address, by network address translation, to the virtual machine container corresponding to said program;
(4-A-2) said program making its network connection through the port of the mapped IP address.
In a more preferred embodiment, said controlling mutual access between two programs comprises the following steps:
(4-B-1) creating, for each program, a daemon that listens on a known IP address;
(4-B-2) when said daemon detects a program connecting, forwarding the connection to the IP address and port corresponding to the virtual machine container where the service-providing plug-in is located.
In a specific practical application of the present invention, the detailed process is as follows:
When the APP is started, a namespace is first created and the app is restarted inside the namespace.
A namespace can be created by calling the clone function with the CLONE_NEWNS parameter.
As shown in Figure 1, SMD is the hypervisor; the plug-in programs with the suffix cpk all run inside namespaces, and a namespace is a lightweight virtual machine.
An APP or plug-in program may communicate with the world outside the system, may also act as an externally facing service program that accepts access requests from external programs, and two APPs in the same system may communicate with each other, so the following problems need to be solved:
1. Each namespace has an independent IP address.
2. Devices on the LAN, such as a smartphone or another computer, can communicate with the plug-in running in the namespace.
3. The IP address of each namespace is randomly assigned, so for plug-ins running in two namespaces to communicate, one must know the IP address of the other namespace.
First, to solve problem 1, a virtual network interface must be created for the namespace and an IP address assigned to it. Namespace networking can use three modes: VETH, HOST and MACVLAN, where MACVLAN can in turn operate in three modes.
Selecting VETH allows the network interface created for the namespace to have the same MAC address as the HOST network interface. This solves problems such as the Xunlei plug-in using the MAC address as a parameter for authorization.
The namespace where each APP or plug-in is located has its own IP address, so the network topology is as shown in Figure 2.
Except for the mobile phone APP, which is an independent physical device, the GateWay and all namespaces in the figure run in one operating system on one physical device, and a namespace can be regarded as a virtual machine. GateWay is the host. The problem of each APP communicating with the outside world is thereby solved.
To solve problem 2, take for example the Xunlei mobile phone APP and the Xunlei CPK plug-in connecting to the gateway: previously it could connect to port 9000 of 192.168.1.1. Because the modified framework runs the Xunlei plug-in in a namespace, which from the mobile phone APP's point of view has its own subnet, 192.168.1.1:9000 must now be mapped to namespaceIP:9000 by NAT in the prerouting chain. This can be implemented with iptables rules.
Plug-in access to the wide area network does not need any modification. Packets go out through NAT, and at this point the plug-in program is equivalent to a computer in the local area network (LAN). NAT performs the address translation by port mapping automatically.
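The NAT mapping of step (4-A-1) and the WAN egress just described, written as an added POSIX shell example that is not code from the patent: a PREROUTING DNAT rule rewriting packets for 192.168.1.1:9000 to the plug-in's namespace address, a FORWARD acceptance for the mapped port, and a POSTROUTING MASQUERADE so packets from the namespace subnet leave like those of a LAN host. The namespace address 10.200.1.2, the subnet 10.200.0.0/16 and the outbound interface eth0 are assumptions; 192.168.1.1 and port 9000 are the values named in the text. DRY_RUN=1 (the default) prints the commands instead of executing them, so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Added example (not the patent's code): NAT mapping for step (4-A-1) and for
# WAN egress of a plug-in namespace. Assumed: the namespace address 10.200.1.2,
# namespace subnet 10.200.0.0/16, outbound interface eth0. The known gateway
# address 192.168.1.1 and port 9000 are the ones named in the text.
HOST_IP="${HOST_IP:-192.168.1.1}"
WAN_IF="${WAN_IF:-eth0}"
NS_SUBNET="${NS_SUBNET:-10.200.0.0/16}"

# run: print the command in dry-run mode (default), execute it otherwise.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# dnat_rule NS_IP PORT [PROTO]: prerouting rule that rewrites packets arriving
# for HOST_IP:PORT so they are delivered to NS_IP:PORT (the 192.168.1.1:9000 ->
# namespaceIP:9000 mapping of the text).
dnat_rule() {
    ns_ip=$1; port=$2; proto=${3:-tcp}
    run iptables -t nat -A PREROUTING -d "$HOST_IP" -p "$proto" --dport "$port" \
        -j DNAT --to-destination "$ns_ip:$port"
}

# forward_accept NS_IP PORT: the mapped connections must also pass the FORWARD
# chain, which otherwise carries the per-namespace restriction rules.
forward_accept() {
    run iptables -A FORWARD -d "$1" -p tcp --dport "$2" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
}

# masquerade_rule: source-NAT everything leaving the namespace subnet on WAN_IF,
# so a plug-in reaches the WAN like a LAN host without any change to the plug-in.
masquerade_rule() {
    run iptables -t nat -A POSTROUTING -s "$NS_SUBNET" -o "$WAN_IF" -j MASQUERADE
}

# map_plugin_port NS_IP PORT: everything needed for one mapped service port.
map_plugin_port() {
    dnat_rule "$1" "$2"
    forward_accept "$1" "$2"
    masquerade_rule
}

# Constructed usage: the CPK plug-in's namespace at 10.200.1.2, port 9000.
map_plugin_port 10.200.1.2 9000
```

Run with `DRY_RUN=0` as root on the gateway to apply the rules; the DNAT rule is what makes the phone's unchanged connection to 192.168.1.1:9000 reach the plug-in, and the MASQUERADE rule is why the plug-in's own outbound traffic needs no change.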
To solve the third problem above, interconnection between plug-ins: CPK plug-ins and OSGI plug-ins sometimes need to interconnect. In the original framework, a client plug-in connected directly to the server-side plug-in through the loopback address 127.0.0.1. The new structure places different plug-ins in different namespaces, and neither side knows the other's IP address.
A daemon is created for each namespace to listen on a fixed, known IP address, such as a certain port of 192.168.1.1. When it detects a plug-in connecting, this process is responsible for forwarding the connection to the IP address and port corresponding to the namespace where the service-providing plug-in is located. Both plug-ins run on the gateway and need to cooperate with each other: one provides a service and one uses the service. This is equivalent to two processes running simultaneously in an operating system performing inter-process communication.
Tcppmproc is the plug-in forwarding process and must run in the host. One namespace may correspond to multiple port-forwarding processes, and one port-forwarding process may listen on or forward to multiple ports. The distinct private address and port of each namespace thus correspond to the host address and a certain port.
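The forwarding daemon just described, written as an added POSIX shell example in the role the text gives Tcppmproc, not the patent's own program: a service table maps each service name to a fixed port on the known address 192.168.1.1 and to the namespace address and port of the serving plug-in, and socat (assumed installed on the host) is the listener that forwards each accepted connection into the namespace. The service names, namespace addresses and ports in the table are constructed; one namespace appears twice to show several ports mapped onto one namespace.

```shell
#!/bin/sh
# Added example (not the patent's code): host-side forwarding daemon for
# plug-in-to-plug-in access. Clients connect to a fixed port on HOST_IP; the
# daemon forwards to the namespace address and port of the serving plug-in.
# The service table is constructed for illustration.
HOST_IP="${HOST_IP:-192.168.1.1}"

# One line per service: name host_port ns_ip ns_port. A namespace may appear on
# several lines, one per exported port.
SERVICES='
cpk-storage 9001 10.200.1.2 9000
osgi-bus 9002 10.200.2.2 8080
osgi-admin 9003 10.200.2.2 8081
'

# lookup NAME -> "host_port ns_ip ns_port"; non-zero exit if the name is unknown.
lookup() {
    printf '%s\n' "$SERVICES" | awk -v n="$1" \
        '$1 == n { print $2, $3, $4; found = 1 } END { exit found ? 0 : 1 }'
}

# forward_cmd NAME -> the socat command line that implements the forwarder.
# bind= restricts the listener to the known address, fork handles each client in
# its own child process, reuseaddr allows a quick restart after a crash.
forward_cmd() {
    entry=$(lookup "$1") || return 1
    set -- $entry
    printf 'socat TCP-LISTEN:%s,bind=%s,fork,reuseaddr TCP:%s:%s\n' \
        "$1" "$HOST_IP" "$2" "$3"
}

# start_forwarder NAME: print the forwarder in dry-run mode (default), otherwise
# start it in the background on the host.
start_forwarder() {
    cmd=$(forward_cmd "$1") || { echo "unknown service: $1" >&2; return 1; }
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$cmd"; else sh -c "$cmd" & fi
}

# ns_ports NS_IP -> every host port mapped onto one namespace (one per line).
ns_ports() {
    printf '%s\n' "$SERVICES" | awk -v ip="$1" '$3 == ip { print $2 }'
}

# Constructed usage: a client plug-in connects to 192.168.1.1:9001 and is
# forwarded to the cpk-storage plug-in's namespace without knowing its address.
start_forwarder cpk-storage
```

Because the listener binds only to the known host address, the client plug-in keeps a fixed target regardless of which random address its peer's namespace received, which is the point of problem 3.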
Network access restriction is implemented by applying iptables rules to the network interface created in problem 1, which restricts the IP addresses each namespace may access. All processes in a namespace are then bound by that namespace's access rules.
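The complete procedure, steps (1) to (4) in VETH mode together with the iptables restriction of this paragraph, as an added POSIX shell example that is not the patent's own code. It assumes `ip netns` for namespace creation (rather than calling clone() directly), a per-namespace subnet 10.200.N.0/24 with the host end at .1 and the namespace end at .2, veth names derived from the namespace name, and a FORWARD-chain allowlist in which only the listed destinations are reachable from the namespace and everything else is dropped. If a domain name is passed instead of an address, iptables resolves it once when the rule is inserted, so later changes of that name's address are not tracked. DRY_RUN=1, the default, prints the commands rather than running them.

```shell
#!/bin/sh
# Added example (not the patent's code): steps (1)-(4) for one APP or plug-in.
# Assumptions: `ip netns` creates the namespace; namespace index N uses subnet
# 10.200.N.0/24 (host end .1, namespace end .2); veth names derive from the
# namespace name. DRY_RUN=1 (default) prints commands instead of running them.
WAN_IF="${WAN_IF:-eth0}"            # assumed outbound interface of the gateway

run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

ns_addr()   { printf '10.200.%s.2' "$1"; }  # address inside namespace N
host_addr() { printf '10.200.%s.1' "$1"; }  # host end of the veth pair for N

# enable_forwarding: the host routes between the veth pairs and WAN_IF.
enable_forwarding() { run sysctl -w net.ipv4.ip_forward=1; }

# create_ns NAME INDEX: steps (1-1)..(1-3) in VETH mode.
create_ns() {
    name=$1; idx=$2
    run ip netns add "$name"                                   # one-to-one container
    run ip link add "veth-$name" type veth peer name "eth0-$name"
    run ip link set "eth0-$name" netns "$name"                 # move one end inside
    run ip addr add "$(host_addr "$idx")/24" dev "veth-$name"
    run ip link set "veth-$name" up
    run ip netns exec "$name" ip addr add "$(ns_addr "$idx")/24" dev "eth0-$name"
    run ip netns exec "$name" ip link set "eth0-$name" up
    run ip netns exec "$name" ip link set lo up
    run ip netns exec "$name" ip route add default via "$(host_addr "$idx")"
}

# allow_only NAME INDEX DST...: step (2). Traffic from the namespace may reach
# only the listed destinations; their replies are let back in; all else is dropped.
allow_only() {
    name=$1; idx=$2; shift 2
    src=$(ns_addr "$idx")
    for dst in "$@"; do
        run iptables -A FORWARD -i "veth-$name" -s "$src" -d "$dst" -j ACCEPT
    done
    run iptables -A FORWARD -o "veth-$name" -d "$src" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "veth-$name" -s "$src" -j DROP
}

# start_in_ns NAME CMD...: step (3); every process the program spawns inherits the
# namespace and therefore the namespace's rules (step (4)).
start_in_ns() {
    name=$1; shift
    run ip netns exec "$name" "$@"
}

# Constructed usage: plug-in "xunlei" as namespace 1, allowed two servers only.
enable_forwarding
create_ns xunlei 1
allow_only xunlei 1 203.0.113.10 203.0.113.11
start_in_ns xunlei /opt/plugins/xunlei.cpk
```

The DROP rule is placed last, so the order of the allow rules does not matter; a new allowed address is added by appending an ACCEPT rule with `-I` before the DROP rather than with `-A` after it.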
Adopting the method of this invention for realizing IP address access restriction for programs in the operating system of a smart device has the following beneficial effects:
(1) this patent provides the user with a new protection mechanism: if an APP collects user data and wants to upload it to its own server, the method can restrict the APP's network access so that it cannot communicate with domain names or IP addresses not accepted by the user;
(2) the method can provide a more flexible restriction scheme, granting the APP access to only certain network addresses; even if the APP is a virus, it cannot damage the system, so the method has a wide range of application.
In this specification, the present invention has been described with reference to specific embodiments. However, various modifications and transformations can obviously still be made without departing from the spirit and scope of the present invention. Therefore, the specification and drawings are to be regarded as illustrative rather than restrictive.