Technical Field
The present application relates to the technical field of network security, and in particular to a firewall policy processing method, apparatus, electronic device and storage medium.
Background Art
A firewall is an access control device or piece of software located between an internal network and an external network. It is mainly used to isolate different security domains and to monitor network traffic, forming a protective barrier on the boundary between the internal and external networks, or between a private network and a public network. The networks separated by a firewall must access one another according to the "security policy" defined by the firewall. Protection of the network by the firewall must therefore be achieved by configuring the firewall's security policy.
At present, firewall security policies are configured manually. Specifically, data from the network environment is extracted and analysed, and operations and maintenance personnel (or security administrators) configure the firewall security policy by hand according to the analysis results.
However, in a host-heterogeneous gateway device in the field of industrial security, a whitelist-based firewall requires separate security policies for the industrial information network and the control network, and the configuration method differs for each communication protocol. This places a heavy workload and high demands on the expertise of on-site personnel, which in turn makes firewall policy configuration and management inefficient and error-prone.
Summary of the Invention
The purpose of the present application is to address the above deficiencies in the prior art by providing a firewall policy processing method, apparatus, electronic device and storage medium, so as to solve the problems of low configuration efficiency and susceptibility to errors that arise when firewall security policies are configured manually.
To achieve the above purpose, the technical solution adopted in the embodiments of the present application is as follows:
In a first aspect, an embodiment of the present application provides a firewall policy processing method applied to the operating system host in a host-heterogeneous gateway device, the host-heterogeneous gateway device comprising the operating system host and a motherboard host, the operating system host comprising a control-side network port and the motherboard host comprising an information-side network port, the method comprising:
receiving a firewall policy editing instruction for the motherboard host input by a user, the firewall policy editing instruction for the motherboard host comprising an identifier of a target service policy to be edited and edited port information corresponding to the target service policy;
obtaining pre-edit port information corresponding to the target service policy among the service policies currently configured on the information-side network port, and determining whether the pre-edit port information is consistent with the edited port information;
if not, deleting each target security policy in the firewall of the motherboard host that references the target service policy;
updating the target service policy according to the edited port information to obtain an updated target service policy;
updating the security policies on the motherboard host according to the updated target service policy and the reference relationship between the target service policy and the target security policies.
Optionally, determining whether the pre-edit port information is consistent with the edited port information comprises:
comparing the port parameter of the edited source port and the port parameter of the edited destination port with the port parameter of the pre-edit source port and the port parameter of the pre-edit destination port, respectively;
if the port parameter of the edited source port differs from the port parameter of the pre-edit source port, or the port parameter of the edited destination port differs from the port parameter of the pre-edit destination port, determining that the pre-edit port information is inconsistent with the edited port information.
Optionally, deleting each target security policy in the firewall of the motherboard host that references the target service policy comprises:
caching the parameter information of each configuration item of each target security policy in a preset storage space;
traversing the security policies in the firewall of the motherboard host, and if the service policy referenced by the currently traversed security policy is the target service policy, determining that the currently traversed security policy is a target security policy and deleting the currently traversed security policy from the firewall of the motherboard host.
Optionally, updating the security policies on the motherboard host according to the updated target service policy and the reference relationship between the target service policy and the target security policies comprises:
after the update of the target service policy is complete, reading each target security policy that references the target service policy from the preset storage space;
creating each target security policy anew in the firewall of the motherboard host.
Optionally, the method further comprises:
receiving a firewall policy editing instruction for the operating system host input by the user, the firewall policy editing instruction for the operating system host comprising an identifier of an operating system host security policy to be edited and edited parameter information corresponding to the operating system host security policy;
obtaining and deleting each security policy currently configured on the control-side network port;
regenerating each security policy on the control-side network port according to the identifier of the operating system host security policy and the edited parameter information corresponding to the operating system host security policy, and creating each security policy on the control-side network port anew in the firewall of the operating system host.
Optionally, the method further comprises:
receiving a firewall policy addition instruction for the motherboard host input by the user, the firewall policy addition instruction for the motherboard host comprising an identifier of a service policy to be added, parameter information of the configuration items to be edited in the service policy to be added, an identifier of a security policy to be added, and parameter information of the configuration items to be edited in the security policy to be added;
generating the service policy to be added on the information-side network port according to the identifier of the service policy to be added and the parameter information of the configuration items to be edited in the service policy to be added, and creating the service policy to be added on the information-side network port in the firewall of the motherboard host;
generating the security policy to be added on the information-side network port according to the identifier of the security policy to be added and the parameter information of the configuration items to be edited in the security policy to be added, and creating the security policy to be added on the information-side network port in the firewall of the motherboard host.
Optionally, the method further comprises:
receiving a firewall policy deletion instruction for the motherboard host input by the user, the firewall policy deletion instruction for the motherboard host comprising an identifier of a service policy to be deleted;
searching, according to the identifier of the service policy to be deleted, the security policies currently configured on the information-side network port for each target security policy that references the service policy to be deleted;
deleting each target security policy in the firewall of the motherboard host that references the service policy to be deleted, and deleting the service policy to be deleted from the firewall of the motherboard host.
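The edit flow of the first aspect (compare the pre-edit and edited ports, cache and delete every security policy that references the target service policy, update the service policy, recreate the cached security policies) and the deletion flow just described (remove the referencing security policies together with the service policy) can be modelled in a few dozen lines. The block below is an added example and is not code from the application or from any product it describes; the class and field names, the "any"/"502"/"102" port values and the IP addresses are constructed assumptions for this illustration, and the motherboard-host firewall is replaced by an in-memory stand-in. It also exposes the dangling-reference condition that the delete-then-recreate ordering exists to avoid, which a practitioner would want to check after any policy change.

```python
# Added example (not the application's own code): in-memory model of the
# motherboard-host firewall, with the edit and delete flows of the method.
# All names, fields and sample values are assumptions made for this example.
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class PortInfo:
    """Port parameters of a service policy (assumed: a source and a destination port)."""
    src_port: str
    dst_port: str


@dataclass
class ServicePolicy:
    name: str          # the identifier carried in the editing instruction
    protocol: str
    ports: PortInfo


@dataclass
class SecurityPolicy:
    name: str
    src_ip: str
    dst_ip: str
    service: str       # name of the referenced service policy
    action: str = "allow"


class BoardFirewall:
    """Stand-in for the firewall on the information-side (motherboard) host."""

    def __init__(self) -> None:
        self.services: Dict[str, ServicePolicy] = {}
        self.security: Dict[str, SecurityPolicy] = {}

    def add_service(self, policy: ServicePolicy) -> None:
        self.services[policy.name] = policy

    def add_security(self, policy: SecurityPolicy) -> None:
        # A security policy may only be created against an existing service policy;
        # an "empty reference" is exactly what the delete-then-recreate order avoids.
        if policy.service not in self.services:
            raise ValueError(f"{policy.name} references unknown service policy {policy.service}")
        self.security[policy.name] = policy

    def delete_security(self, name: str) -> None:
        del self.security[name]

    def referencing(self, service_name: str) -> List[str]:
        """Names of the security policies that reference the given service policy."""
        return [n for n, p in self.security.items() if p.service == service_name]


def ports_changed(before: PortInfo, after: PortInfo) -> bool:
    """The consistency check of the method: source or destination port differs."""
    return before.src_port != after.src_port or before.dst_port != after.dst_port


def edit_service_policy(fw: BoardFirewall, target: str, edited: PortInfo) -> List[str]:
    """Edit flow. Returns the names of the security policies that were recreated."""
    if target not in fw.services:
        raise KeyError(f"unknown service policy {target}")
    if not ports_changed(fw.services[target].ports, edited):
        return []                                   # nothing to change
    cache: List[SecurityPolicy] = []                # the "preset storage space"
    for name in fw.referencing(target):             # traverse, cache, delete
        cache.append(fw.security[name])
        fw.delete_security(name)
    fw.services[target].ports = edited              # update the target service policy
    for policy in cache:                            # recreate from the cache
        fw.add_security(policy)
    return [p.name for p in cache]


def delete_service_policy(fw: BoardFirewall, target: str) -> List[str]:
    """Delete flow. Returns the names of the security policies removed with it."""
    removed = fw.referencing(target)
    for name in removed:
        fw.delete_security(name)
    del fw.services[target]
    return removed


def dangling_references(fw: BoardFirewall) -> List[str]:
    """Security policies whose service policy no longer exists; must stay empty."""
    return [n for n, p in fw.security.items() if p.service not in fw.services]


def build_sample_firewall() -> BoardFirewall:
    """Constructed sample data: two service policies, three security policies."""
    fw = BoardFirewall()
    fw.add_service(ServicePolicy("svc_modbus", "tcp", PortInfo("any", "502")))
    fw.add_service(ServicePolicy("svc_s7", "tcp", PortInfo("any", "102")))
    fw.add_security(SecurityPolicy("sec1", "10.0.0.5", "192.168.1.10", "svc_modbus"))
    fw.add_security(SecurityPolicy("sec2", "10.0.0.6", "192.168.1.10", "svc_modbus"))
    fw.add_security(SecurityPolicy("sec3", "10.0.0.7", "192.168.1.11", "svc_s7"))
    return fw


if __name__ == "__main__":
    fw = build_sample_firewall()
    print(edit_service_policy(fw, "svc_modbus", PortInfo("any", "503")))  # ['sec1', 'sec2']
    print(delete_service_policy(fw, "svc_s7"))                            # ['sec3']
    print(dangling_references(fw))                                        # []
```

Running the block edits the Modbus service policy to a new destination port and deletes the S7 service policy; `dangling_references` stays empty after both operations because the security policies are always removed before the service policy they reference is changed or dropped, and recreated only once the updated service policy exists again.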
In a second aspect, an embodiment of the present application further provides a firewall policy processing apparatus applied to the operating system host in a host-heterogeneous gateway device, the host-heterogeneous gateway device comprising the operating system host and a motherboard host, the operating system host comprising a control-side network port and the motherboard host comprising an information-side network port, the apparatus comprising:
a receiving module, configured to receive a firewall policy editing instruction for the motherboard host input by a user, the firewall policy editing instruction for the motherboard host comprising an identifier of a target service policy to be edited and edited port information corresponding to the target service policy;
an obtaining module, configured to obtain pre-edit port information corresponding to the target service policy among the service policies currently configured on the information-side network port;
a determining module, configured to determine whether the pre-edit port information is consistent with the edited port information;
a deletion module, configured to delete, if not, each target security policy in the firewall of the motherboard host that references the target service policy;
an updating module, configured to update the target service policy according to the edited port information to obtain an updated target service policy, and to update the security policies on the motherboard host according to the updated target service policy and the reference relationship between the target service policy and the target security policies.
Optionally, the determining module is further configured to:
compare the port parameter of the edited source port and the port parameter of the edited destination port with the port parameter of the pre-edit source port and the port parameter of the pre-edit destination port, respectively;
if the port parameter of the edited source port differs from the port parameter of the pre-edit source port, or the port parameter of the edited destination port differs from the port parameter of the pre-edit destination port, determine that the pre-edit port information is inconsistent with the edited port information.
Optionally, the deletion module is further configured to:
cache the parameter information of each configuration item of each target security policy in a preset storage space;
traverse the security policies in the firewall of the motherboard host, and if the service policy referenced by the currently traversed security policy is the target service policy, determine that the currently traversed security policy is a target security policy and delete the currently traversed security policy from the firewall of the motherboard host.
Optionally, the updating module is further configured to:
after the update of the target service policy is complete, read each target security policy that references the target service policy from the preset storage space;
create each target security policy anew in the firewall of the motherboard host.
Optionally, the receiving module is further configured to receive a firewall policy editing instruction for the operating system host input by the user, the firewall policy editing instruction for the operating system host comprising an identifier of an operating system host security policy to be edited and edited parameter information corresponding to the operating system host security policy;
The apparatus further comprises:
a processing module, configured to obtain and delete each security policy currently configured on the control-side network port;
a creation module, configured to regenerate each security policy on the control-side network port according to the identifier of the operating system host security policy and the edited parameter information corresponding to the operating system host security policy, and to create each security policy on the control-side network port anew in the firewall of the operating system host.
Optionally, the receiving module is further configured to receive a firewall policy addition instruction for the motherboard host input by the user, the firewall policy addition instruction for the motherboard host comprising an identifier of a service policy to be added, parameter information of the configuration items to be edited in the service policy to be added, an identifier of a security policy to be added, and parameter information of the configuration items to be edited in the security policy to be added;
The creation module is configured to generate the service policy to be added on the information-side network port according to the identifier of the service policy to be added and the parameter information of the configuration items to be edited in the service policy to be added, and to create the service policy to be added on the information-side network port in the firewall of the motherboard host; and to generate the security policy to be added on the information-side network port according to the identifier of the security policy to be added and the parameter information of the configuration items to be edited in the security policy to be added, and to create the security policy to be added on the information-side network port in the firewall of the motherboard host.
Optionally, the receiving module is further configured to receive a firewall policy deletion instruction for the motherboard host input by the user, the firewall policy deletion instruction for the motherboard host comprising an identifier of a service policy to be deleted;
The apparatus further comprises:
a search module, configured to search, according to the identifier of the service policy to be deleted, the security policies currently configured on the information-side network port for each target security policy that references the service policy to be deleted;
The deletion module is further configured to delete each target security policy in the firewall of the motherboard host that references the service policy to be deleted, and to delete the service policy to be deleted from the firewall of the motherboard host.
In a third aspect, an embodiment of the present application further provides an electronic device comprising a processor, a storage medium and a bus, the storage medium storing machine-readable instructions executable by the processor; when the electronic device runs, the processor and the storage medium communicate via the bus, and the processor executes the machine-readable instructions to perform the steps of the method provided in the first aspect.
In a fourth aspect, an embodiment of the present application further provides a computer-readable storage medium on which a computer program is stored, the computer program, when run by a processor, performing the steps of the method provided in the first aspect.
The beneficial effects of the present application are as follows:
Embodiments of the present application provide a firewall policy processing method, apparatus, electronic device and storage medium. In this solution, the user only needs to input a firewall policy editing instruction for the motherboard host through a client on the operating system host; the operating system host then handles the whole process. It uses the identifier of the target service policy to be edited and the edited port information corresponding to the target service policy, both carried in the editing instruction, to determine whether the port information of the target service policy on the information-side network port has changed, and if so, automatically configures the target service policy in the firewall of the motherboard host, and the security policies that reference it, according to the edited port information. This greatly simplifies the configuration of firewall security policies on a dual-host heterogeneous gateway for the user, improves the efficiency of that configuration, and effectively solves the problems of low efficiency and susceptibility to errors that arise in the prior art when firewall security policies are configured manually.
Description of the Drawings
In order to explain the technical solutions of the embodiments of the present application more clearly, the drawings needed for the embodiments are briefly introduced below. It should be understood that the following drawings show only some embodiments of the present application and therefore should not be regarded as limiting its scope; a person of ordinary skill in the art can obtain other related drawings from these drawings without creative effort.
FIG. 1 is a schematic structural diagram of a host-heterogeneous gateway device provided in an embodiment of the present application;
FIG. 2 is a schematic structural diagram of an electronic device provided in an embodiment of the present application;
FIG. 3 is a schematic flowchart of a firewall policy processing method provided in an embodiment of the present application;
FIG. 4 is a schematic flowchart of another firewall policy processing method provided in an embodiment of the present application;
FIG. 5 is a schematic diagram of the configuration items of service policies and security policies in the firewall of the motherboard host provided in an embodiment of the present application;
FIG. 6 is a schematic flowchart of another firewall policy processing method provided in an embodiment of the present application;
FIG. 7 is a schematic flowchart of another firewall policy processing method provided in an embodiment of the present application;
FIG. 8 is a schematic flowchart of another firewall policy processing method provided in an embodiment of the present application;
FIG. 9 is a schematic diagram of the configuration items of security policies in the firewall of the operating system host provided in an embodiment of the present application;
FIG. 10 is a schematic flowchart of another firewall policy processing method provided in an embodiment of the present application;
FIG. 11 is a schematic flowchart of another firewall policy processing method provided in an embodiment of the present application;
FIG. 12 is a schematic flowchart of another firewall policy processing method provided in an embodiment of the present application;
FIG. 13 is a schematic flowchart of another firewall policy processing method provided in an embodiment of the present application;
FIG. 14 is a schematic structural diagram of a firewall policy processing apparatus provided in an embodiment of the present application.
Reference numerals: 100, host-heterogeneous gateway device; 101, operating system host; 102, motherboard host.
Detailed Description
To make the purpose, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. It should be understood that the drawings in the present application serve only the purpose of illustration and description and are not intended to limit the scope of protection of the present application. It should also be understood that the schematic drawings are not drawn to scale. The flowcharts used in the present application illustrate operations implemented according to some embodiments; it should be understood that the operations of a flowchart may be performed out of order, and that steps with no logical dependency between them may be performed in reverse order or concurrently. Furthermore, guided by the content of the present application, a person skilled in the art may add one or more other operations to a flowchart or remove one or more operations from it.
In addition, the described embodiments are only some, not all, of the embodiments of the present application. The components of the embodiments described and illustrated in the drawings here may generally be arranged and designed in a variety of different configurations. The following detailed description of the embodiments provided in the drawings is therefore not intended to limit the scope of the claimed application but merely represents selected embodiments of it. All other embodiments obtained by a person skilled in the art on the basis of the embodiments of the present application without creative effort fall within the scope of protection of the present application.
It should be noted that the term "comprising" used in the embodiments of the present application indicates the presence of the features stated after it but does not exclude the addition of other features.
First, before the technical solution provided by the present application is described in detail, the structure of the host-heterogeneous gateway device involved is briefly described.
FIG. 1 is a schematic structural diagram of a host-heterogeneous gateway device provided in an embodiment of the present application. As shown in FIG. 1, the host-heterogeneous gateway device 100 comprises an operating system host 101 and a motherboard host 102, where the operating system host 101 comprises a control-side network port and the motherboard host 102 comprises an information-side network port.
By way of example, the operating system host 101 may be a Windows host and the motherboard host an ARM board host; the control-side network (that is, the internal network) is connected through the control-side network port on the Windows host, and the information-side network (that is, the external network) is connected through the information-side network port on the ARM board host.
The Windows host and the ARM board host are connected by a dedicated data cable, so that the direct connection between the information-side network and the control-side network is broken at the physical layer and the two networks are physically isolated. When the Windows host and the ARM board host need to access each other, they must do so according to the pre-configured firewall security policy, which secures the network communication.
In addition, the ARM motherboard host on the information side uses a non-general-purpose protocol stack and a microkernel architecture, and has no exploitable vulnerabilities.
Optionally, the host-heterogeneous gateway device 100 shown in FIG. 1 can be applied to the network security protection of distributed control systems (DCS) in the process industry, of field intelligent electronic devices (IED) in power systems, of integrated supervisory control systems (ISCS) in rail transit, and of field control systems in the coal mining and metallurgical industries.
At the same time, communication between the control-side network and the information-side network supports whitelist-based network access control in both directions, which can block abnormal traffic and resist distributed denial of service (DDoS) attacks.
It can be understood that the structure shown in FIG. 1 is only illustrative; the host-heterogeneous gateway device 100 may comprise more or fewer components than shown in FIG. 1, or have a configuration different from that shown in FIG. 1. The components shown in FIG. 1 may be implemented in hardware, software or a combination of the two.
The structure of the operating system host used to execute the firewall policy processing method provided by the present application is briefly described below.
FIG. 2 is a schematic structural diagram of an operating system host provided in an embodiment of the present application; the operating system host is used to implement the firewall policy processing method provided by the present application.
As shown in FIG. 2, the operating system host comprises a memory 201 and a processor 202. The memory 201 and the processor 202 are electrically connected to each other, directly or indirectly, to transfer or exchange data. For example, these elements may be electrically connected to one another through one or more communication buses or signal lines.
The memory 201 stores software function modules in the form of software or firmware, and the processor 202 runs the software programs and modules stored in the memory 201 to perform various functional applications and data processing, that is, to implement the firewall policy processing method of the embodiments of the present application.
The memory 201 may be, but is not limited to, random access memory (RAM), read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM) and the like. The memory 201 is used to store a program, and the processor 202 executes the program after receiving an execution instruction.
The processor 202 may be an integrated circuit chip with signal processing capability. The processor 202 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP) and the like.
The implementation principles of the steps of the firewall policy processing method provided by the present application, and the corresponding beneficial effects, are described below through several specific embodiments.
FIG. 3 is a schematic flowchart of a firewall policy processing method provided in an embodiment of the present application. Optionally, the method may be executed by the operating system host in the host-heterogeneous gateway device shown in FIG. 1.
It should be understood that in other embodiments the order of some steps of the firewall policy processing method may be exchanged according to actual needs, and some steps may also be omitted or deleted. As shown in FIG. 3, the method comprises:
S301. Receive a firewall policy editing instruction for the motherboard host input by a user.
The firewall policy editing instruction for the motherboard host comprises the identifier of the target service policy to be edited and the edited port information corresponding to the target service policy, the edited port information being the configuration item to be edited. For example, if the pre-edit port information corresponding to the target service policy is port1 and the edited port information is port2, the port information of the target service policy needs to be re-edited so that the motherboard host in the host-heterogeneous gateway device is allowed to send access requests to the operating system host through port2.
In this embodiment, the user can input the firewall policy editing instruction for the motherboard host through a client installed on the operating system host. For example, if the user wishes to re-edit a particular service policy in the firewall of the motherboard host, the identifier of that service policy and the edited port information corresponding to it can be input through the client; for instance, the identifier of the service policy is service policy 1 and its edited port information is port2.
S302、获取信息侧网口上当前已配置的服务策略中目标服务策略对应的编辑前的端口信息,并判断编辑前的端口信息是否与编辑后的端口信息一致。S302. Obtain the pre-edited port information corresponding to the target service policy in the currently configured service policy on the network port on the information side, and determine whether the pre-edited port information is consistent with the edited port information.
应理解,在信息侧网口上已配置的服务策略的数量可能为一个或多个,且每个服务策略均为不同的策略。It should be understood that there may be one or more service policies configured on the network port on the information side, and each service policy is a different policy.
在本实施例中,可以利用目标服务策略的标识,在已配置的多个服务策略中查找到目标服务策略,然后,再读取目标服务策略中编辑前的端口信息,并判断编辑前的端口信息是否与编辑后的端口信息一致,以此来判断重新输入的编辑后的端口信息是否发生变化,若无,则不需要对目标服务策略中的端口信息进行变更。In this embodiment, the identifier of the target service policy can be used to find the target service policy in multiple configured service policies, and then read the port information before editing in the target service policy and determine the port information before editing. Whether the information is consistent with the edited port information is used to determine whether the re-input edited port information has changed. If not, the port information in the target service policy does not need to be changed.
S303、若否,则将主板主机的防火墙中引用目标服务策略的各目标安全策略删除。S303. If not, delete each target security policy that references the target service policy in the firewall of the motherboard host.
在上述实施例的基础上,若编辑前的端口信息与编辑后的端口信息不一致,则需要先将主板主机的防火墙中引用目标服务策略的各目标安全策略删除,避免已引用目标服务策略的各目标安全策略出现引用为空的情况。On the basis of the above-mentioned embodiments, if the port information before editing is inconsistent with the port information after editing, it is necessary to delete each target security policy that references the target service policy in the firewall of the mainboard host first, so as to avoid all security policies that have already referenced the target service policy. The target security policy has a null reference.
S304、根据编辑后的端口信息,更新目标服务策略,得到更新后的目标服务策略。S304. Update the target service policy according to the edited port information to obtain the updated target service policy.
在本实施例中,利用编辑后的端口信息、以及目标服务策略中其他配置项(如协议类型)重新配置目标服务策略,得到更新后的目标服务策略。In this embodiment, the target service policy is reconfigured by using the edited port information and other configuration items (such as protocol type) in the target service policy to obtain an updated target service policy.
S305、根据更新后的目标服务策略以及目标服务策略与目标安全策略的引用关系,更新主板主机上的安全策略。S305. Update the security policy on the motherboard host according to the updated target service policy and the reference relationship between the target service policy and the target security policy.
应理解,主板主机上已配置的安全策略必须要引用一个已配置的目标服务策略。It should be understood that the configured security policy on the mainboard host must refer to a configured target service policy.
在本实施例中,在目标服务策略更新后,还需要根据目标服务策略与目标安全策略的引用关系,将目标安全策略之前所引用的服务策略重新修改为更新后的目标服务策略,以对主板主机上的安全策略进行更新。这样,使得用户只需要在操作系统主机上客户端输入主板主机的防火墙策略编辑指示,就可以全程由操作系统主机根据防火墙策略编辑指示中待编辑的目标服务策略的标识以及目标服务策略对应的编辑后的端口信息,来判断信息侧网口上目标服务策略对应的编辑后的端口信息是否发生变化,若是,则根据编辑后的端口信息对主板主机的防火墙中目标服务策略、及引用目标服务策略的安全策略进行自动化配置,大大简化了用户在使用双主机异构网关防火墙安全策略的配置问题,提高了双主机异构网关防火墙安全策略配置的效率,有效解决了现有技术中采用人工手动配置防火墙安全策略,存在配置效率低下、且容易出错等问题。In this embodiment, after the target service policy is updated, it is necessary to re-modify the service policy previously referenced by the target security policy into the updated target service policy according to the reference relationship between the target service policy and the target security policy, so as to The security policy on the host is updated. In this way, the user only needs to input the firewall policy editing instruction of the motherboard host on the client side of the operating system host, and the operating system host can edit the target service policy according to the identifier of the target service policy to be edited in the firewall policy editing instruction and the target service policy. The updated port information is used to determine whether the edited port information corresponding to the target service policy on the network port on the information side has changed. The automatic configuration of the security policy greatly simplifies the configuration of the security policy of the dual-host heterogeneous gateway firewall for users, improves the efficiency of the security policy configuration of the dual-host heterogeneous gateway firewall, and effectively solves the problem of manually configuring the firewall in the prior art. Security policy, there are problems such as low configuration efficiency and error-prone.
综上所述,本申请实施例提供一种防火墙策略处理方法,在本方案中,用户只需要在操作系统主机上客户端输入主板主机的防火墙策略编辑指示,就可以全程由操作系统主机根据防火墙策略编辑指示中待编辑的目标服务策略的标识以及目标服务策略对应的编辑后的端口信息,来判断信息侧网口上目标服务策略对应的编辑后的端口信息是否发生变化,若是,则根据编辑后的端口信息对主板主机的防火墙中目标服务策略、及引用目标服务策略的安全策略进行自动化配置,大大简化了用户在使用双主机异构网关防火墙安全策略的配置问题,提高了双主机异构网关防火墙安全策略配置的效率,有效解决了现有技术中采用人工手动配置防火墙安全策略,存在配置效率低下、且容易出错等问题。To sum up, the embodiment of this application provides a firewall policy processing method. In this solution, the user only needs to input the firewall policy editing instructions of the motherboard host on the client side of the operating system host, and the operating system host can complete the whole process according to the firewall policy editing instructions of the main board host. The identifier of the target service policy to be edited in the policy editing instruction and the edited port information corresponding to the target service policy are used to determine whether the edited port information corresponding to the target service policy on the network port on the information side has changed, and if so, according to the edited The port information automatically configures the target service policy in the firewall of the motherboard host and the security policy that references the target service policy, which greatly simplifies the configuration problem of the user's firewall security policy when using a dual-host heterogeneous gateway, and improves the security of the dual-host heterogeneous gateway. The efficiency of the configuration of the firewall security policy effectively solves the problems of low configuration efficiency and error-proneness in the prior art of manually configuring the firewall security policy.
The following embodiment explains in detail how step S302 above determines whether the pre-edit port information is consistent with the edited port information.
Optionally, as shown in Figure 4, determining in step S302 whether the pre-edit port information is consistent with the edited port information includes:
S401. Comparing the edited port parameter of the source port and the edited port parameter of the destination port with, respectively, the pre-edit port parameter of the source port and the pre-edit port parameter of the destination port.
Figure 5 shows the configuration items of the service policies and security policies in the firewall of the mainboard host. The configuration items of a service policy include: the service name (i.e. the identifier of the service policy), the protocol type, the source port and the destination port; the protocol type may be the File Transfer Protocol (FTP), the Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP).
The configuration items of a security policy include: the local address, local mask, remote address, remote mask and the identifier of the referenced service policy. For example, the identifier of the service policy referenced by security policy A1 is service policy B.
The port parameter of the source port (or of the destination port) may be a port number; for example, a source-port parameter of port1 identifies port 1 on the mainboard host.
In this embodiment, the edited port parameter of the source port is compared with the pre-edit port parameter of the source port, and the edited port parameter of the destination port is compared with the pre-edit port parameter of the destination port, to determine whether the edited source-port parameter and the edited destination-port parameter have changed; if neither the source-port parameter nor the destination-port parameter has changed, the target service policy does not need to be re-edited.
S402. If the edited port parameter of the source port differs from the pre-edit port parameter of the source port, or the edited port parameter of the destination port differs from the pre-edit port parameter of the destination port, determining that the pre-edit port information is inconsistent with the edited port information.
Optionally, if the edited port parameter of the source port differs from the pre-edit port parameter of the source port, or the edited port parameter of the destination port differs from the pre-edit port parameter of the destination port, it may be determined that the pre-edit port information is inconsistent with the edited port information, i.e. the edited port information has changed, and the target service policy therefore needs to be re-edited.
The following embodiment explains in detail how step S303 above deletes each target security policy in the firewall of the mainboard host that references the target service policy.
Optionally, as shown in Figure 6, step S303 above includes:
S601. Caching the parameter information of each configuration item of each target security policy in a preset storage space.
The preset storage space is a storage area on the operating system host.
Referring to Figure 5 above, after the target security policies have been obtained, the configuration items of each target security policy (such as the local address, local mask, remote address, remote mask and the identifier of the referenced service policy) also need to be cached in the preset storage space.
S602. Traversing each security policy in the firewall of the mainboard host; if the service policy referenced by the currently traversed security policy is the target service policy, determining that the currently traversed security policy is a target security policy and deleting it from the firewall of the mainboard host.
In this embodiment, the security policies in the firewall of the mainboard host are traversed one by one to determine which of them reference the target service policy. Specifically, for example, if the identifier of the target service policy is service policy B, the currently traversed security policy is security policy A3, and the identifier of the referenced service policy read from the configuration items of security policy A3 is service policy B, then security policy A3 is determined to be a target security policy and is deleted from the firewall of the mainboard host, so that security policy A3 cannot remain bound to the pre-edit port information of service policy B.
The following embodiment explains in detail how step S305 above updates the security policies on the mainboard host according to the updated target service policy and the reference relationship between the target service policy and the target security policies.
Optionally, as shown in Figure 7, step S305 above includes:
S701. After the update of the target service policy is complete, reading each target security policy that references the target service policy from the preset storage space.
S702. Creating each target security policy anew in the firewall of the mainboard host.
In this embodiment, after the update of the target service policy is complete, each target security policy that references the target service policy is read from the preset storage space on the operating system host to obtain its configuration items (local address, local mask, remote address, remote mask and the identifier of the referenced service policy); each target security policy is then rebuilt in the firewall of the mainboard host from those items together with the updated target service policy. This re-edits each target security policy and ensures that the port information in the service policy it references is the edited port information.
The following embodiment explains in detail how the security policies on the control-side network port are edited.
Optionally, as shown in Figure 8, the method includes:
S801. Receiving a firewall policy editing instruction for the operating system host input by a user.
The firewall policy editing instruction for the operating system host includes the identifier of the operating-system-host security policy to be edited and the edited parameter information corresponding to that security policy. The edited parameter information is the parameter information of the configuration item in the operating-system-host security policy that is to be modified.
Figure 9 shows the configuration items of the security policies in the firewall of the operating system host. The configuration items of an operating-system-host security policy include: the program, the local address, the local mask, and so on.
In this embodiment, the user may input the firewall policy editing instruction for the operating system host through a client installed on the operating system host. For example, if the user wishes to re-edit a certain security policy in the firewall of the operating system host, the identifier of that security policy and the edited parameter information corresponding to it may be input through the client. For instance, the identifier of the operating-system-host security policy is security policy C and the edited parameter information corresponding to it is a local address of IP2, while the other configuration items of security policy C remain unchanged.
S802. Obtaining and deleting each security policy currently configured on the control-side network port.
It should be understood that one or more security policies may currently be configured on the control-side network port, and each operating-system-host security policy is a different policy.
In this embodiment, the identifier of the operating-system-host security policy may be used to locate the target security policy among the multiple configured security policies, and each security policy is deleted from the firewall of the operating system host.
S803. Regenerating each security policy on the control-side network port according to the identifier of the operating-system-host security policy and the edited parameter information corresponding to it, and creating each of those security policies anew in the firewall of the operating system host.
On the basis of the above embodiments, each security policy on the control-side network port may be regenerated from the identifier of the operating-system-host security policy, the parameter information of the configuration item to be modified in that security policy, and the parameter information of its other configuration items (which is the same before and after editing), and each regenerated security policy is created anew in the firewall of the operating system host. This re-edits each target security policy in the firewall of the operating system host.
The following embodiment explains in detail how service policies and security policies are added to and deleted from the firewall of the mainboard host.
Optionally, as shown in Figure 10, the method includes:
S1001. Receiving a firewall policy addition instruction for the mainboard host input by a user.
The firewall policy addition instruction for the mainboard host includes the identifier of the service policy to be added, the parameter information of the configuration items to be edited in that service policy, the identifier of the security policy to be added, and the parameter information of the configuration items to be edited in that security policy.
In this embodiment, for example, the user may input through a client pre-installed on the operating system host that the identifier of the service policy to be added on the mainboard host is service policy C and that the parameter information of the configuration items to be edited in that service policy includes the protocol type, source port and destination port; and that the identifier of the security policy to be added is security policy A4 and the parameter information of the configuration items to be edited in that security policy includes the local address, local mask, remote address, remote mask and the identifier of the referenced service policy (such as service policy B).
S1002. Generating the service policy to be added on the information-side network port according to its identifier and the parameter information of its configuration items to be edited, and creating it anew in the firewall of the mainboard host.
S1003. Generating the security policy to be added on the information-side network port according to its identifier and the parameter information of its configuration items to be edited, and creating it anew in the firewall of the mainboard host.
In this embodiment, the service policy to be added on the information-side network port may be created directly in the firewall of the mainboard host from the identifier of the service policy to be added and the parameter information of its configuration items to be edited, and the security policy to be added on the information-side network port may likewise be created in the firewall of the mainboard host from the identifier of the security policy to be added and the parameter information of its configuration items to be edited. Note that the security policy to be added must reference a configured service policy.
Optionally, as shown in Figure 11, the method includes:
S1101. Receiving a firewall policy deletion instruction for the mainboard host input by a user, the instruction including the identifier of the service policy to be deleted.
S1102. Searching, according to the identifier of the service policy to be deleted, the security policies currently configured on the information-side network port for each target security policy that references the service policy to be deleted.
S1103. Deleting each target security policy in the firewall of the mainboard host that references the service policy to be deleted, and deleting the service policy to be deleted from the firewall of the mainboard host.
In this embodiment, for example, the user may input through a client pre-installed on the operating system host that the identifier of the service policy to be deleted on the mainboard host is service policy B. Before deleting service policy B, the operating system host must first delete all security policies that reference it. That is, according to the identifier of the service policy to be deleted (such as service policy B), the security policies currently configured on the information-side network port are searched for each target security policy that references it (such as security policy A1 and security policy A2); security policy A1 and security policy A2, which reference service policy B, are then deleted from the firewall of the mainboard host, and service policy B is deleted from the firewall of the mainboard host as well.
Optionally, if a service policy is already referenced by a security policy, modifying that service policy is not applied to the security policy.
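The mainboard-host procedures above (editing a service policy's ports in steps S301 to S305 with the sub-steps S401/S402, S601/S602 and S701/S702; adding policies in S1001 to S1003; deleting a service policy in S1101 to S1103) can be modelled as one small in-memory policy store. The following is an added example written for this page, not code from the patent or from any gateway product. The class names, the dictionary storage, the assumption that a security policy holds a snapshot of the service policy as installed (which is how the note just above, that a later modification of the service policy is not applied to the security policy, is reproduced here), and all sample identifiers and addresses are constructed for illustration.

```python
# Added example (not code from the patent): in-memory model of the mainboard-host
# firewall of Figure 5 with the edit / add / delete procedures of the text.
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ServicePolicy:
    """Service policy items: service name (identifier), protocol type, ports."""
    name: str
    protocol: str   # "TCP", "UDP" or "FTP"
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class SecurityPolicy:
    """Security policy items plus the referenced service policy as it was when
    this security policy was installed (assumption: a later change to the
    service policy does not propagate into an existing security policy)."""
    name: str
    local_addr: str
    local_mask: str
    remote_addr: str
    remote_mask: str
    service: ServicePolicy


# Parameter information of a security policy's configuration items as cached in
# the preset storage space (S601): the service snapshot is reduced to its identifier.
CachedItems = Tuple[str, str, str, str, str, str]


class MainboardFirewall:
    def __init__(self) -> None:
        self.services: Dict[str, ServicePolicy] = {}
        self.security: Dict[str, SecurityPolicy] = {}

    def add_service(self, sp: ServicePolicy) -> None:      # S1002
        if sp.name in self.services:
            raise ValueError(f"service policy {sp.name!r} already exists")
        self.services[sp.name] = sp

    def add_security(self, items: CachedItems) -> None:    # S1003 / S702
        name, laddr, lmask, raddr, rmask, service_name = items
        # A security policy must reference an already configured service policy.
        if service_name not in self.services:
            raise ValueError(f"{name!r} references unknown service policy {service_name!r}")
        self.security[name] = SecurityPolicy(name, laddr, lmask, raddr, rmask,
                                             self.services[service_name])

    def referencing(self, service_name: str) -> List[SecurityPolicy]:
        """S602 / S1102: traverse every security policy, keep those referencing the target."""
        return [p for p in self.security.values() if p.service.name == service_name]

    @staticmethod
    def items_of(p: SecurityPolicy) -> CachedItems:
        return (p.name, p.local_addr, p.local_mask, p.remote_addr, p.remote_mask, p.service.name)

    def delete_service(self, service_name: str) -> List[str]:   # S1101-S1103
        """Delete the referencing security policies first, then the service policy."""
        removed = [p.name for p in self.referencing(service_name)]
        for name in removed:
            del self.security[name]
        del self.services[service_name]
        return removed

    def edit_service_ports(self, service_name: str, new_src: int, new_dst: int) -> bool:
        """S301-S305. Returns False when the edited ports equal the configured ones
        (nothing is touched), True when the policies were rebuilt."""
        old = self.services[service_name]                   # S302: pre-edit port info
        # S401/S402: compare source and destination port parameters separately;
        # a difference in either one makes the port information inconsistent.
        if old.src_port == new_src and old.dst_port == new_dst:
            return False
        cache = [self.items_of(p) for p in self.referencing(service_name)]   # S601
        for items in cache:                                  # S602 / S303
            del self.security[items[0]]
        # S304: edited ports plus the unchanged items (protocol type).
        self.services[service_name] = replace(old, src_port=new_src, dst_port=new_dst)
        for items in cache:                                  # S701/S702 / S305
            self.add_security(items)
        return True

    def enforced_ports(self, security_name: str) -> Tuple[int, int]:
        """Ports a security policy actually enforces (its installed snapshot)."""
        s = self.security[security_name].service
        return (s.src_port, s.dst_port)


def demo() -> MainboardFirewall:
    """Constructed scenario with the page's identifiers: A1 and A2 reference
    service policy B (ports port1 -> port2), D references an unrelated policy."""
    fw = MainboardFirewall()
    fw.add_service(ServicePolicy("service policy B", "TCP", 1, 1))
    fw.add_service(ServicePolicy("service policy C", "UDP", 5000, 5000))
    net = ("10.0.0.2", "255.255.255.0")                      # constructed addresses
    fw.add_security(("security policy A1", *net, "10.0.0.1", net[1], "service policy B"))
    fw.add_security(("security policy A2", *net, "10.0.0.3", net[1], "service policy B"))
    fw.add_security(("security policy D", *net, "10.0.0.4", net[1], "service policy C"))
    fw.edit_service_ports("service policy B", 2, 2)          # S301-S305
    return fw
```

The `referencing` traversal is the only lookup the procedure needs, and `delete_service` reuses it, so both the edit and the delete paths leave no security policy pointing at a service policy that no longer exists; `enforced_ports` makes the difference between the stale snapshot and the rebuilt policy observable.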
The following embodiment explains in detail how security policies are created in and deleted from the firewall of the operating system host.
Optionally, as shown in Figure 12, the method includes:
S1201. Receiving a firewall policy addition instruction for the operating system host input by a user, the instruction including the identifier of the operating-system-host security policy to be added and the parameter information of the configuration items to be edited in that security policy.
S1202. Generating the security policy on the control-side network port according to the identifier of the operating-system-host security policy and the parameter information of the configuration items to be edited in it, and creating that security policy anew in the firewall of the operating system host.
In this embodiment, for example, the user may input through the client on the operating system host the identifier of the operating-system-host security policy to be added and the parameter information of the configuration items to be edited in it (such as the program, local address and local mask); the operating system host then generates the security policy on the control-side network port directly from the received identifier and parameter information and creates it anew in the firewall of the operating system host.
Optionally, as shown in Figure 13, the method includes:
S1301. Receiving a firewall policy deletion instruction for the operating system host input by a user, the instruction including the identifier of the operating-system-host security policy to be deleted.
S1302. Deleting, according to the identifier of the operating-system-host security policy to be deleted, that security policy from the firewall of the operating system host.
In this embodiment, for example, the user may input through the client on the operating system host the identifier of the operating-system-host security policy to be deleted, and the operating system host directly deletes the security policy in its firewall whose identifier matches that identifier.
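The control-side procedures (editing one operating-system-host security policy in S801 to S803 by removing and regenerating the whole set, adding in S1201/S1202, deleting in S1301/S1302) differ from the mainboard side in that there is no service-policy reference to preserve, only the edited item merged over the unchanged ones. The following is an added example written for this page, not code from the patent; the class name, the three modelled configuration items (Figure 9 lists "and so on", which is not modelled), the program paths and the addresses are constructed assumptions.

```python
# Added example (not code from the patent): in-memory model of the
# operating-system-host firewall of Figure 9 and its control-side procedures.
from dataclasses import dataclass, fields, replace
from typing import Dict, List


@dataclass(frozen=True)
class HostSecurityPolicy:
    """Configuration items of an operating-system-host security policy."""
    name: str
    program: str
    local_addr: str
    local_mask: str


# Items that may appear in "edited parameter information"; the identifier is not editable.
EDITABLE = {f.name for f in fields(HostSecurityPolicy)} - {"name"}


class OsHostFirewall:
    def __init__(self) -> None:
        # Security policies currently configured on the control-side network port.
        self.policies: Dict[str, HostSecurityPolicy] = {}

    def add(self, pol: HostSecurityPolicy) -> None:          # S1201-S1202
        if pol.name in self.policies:
            raise ValueError(f"security policy {pol.name!r} already exists")
        self.policies[pol.name] = pol

    def delete(self, name: str) -> None:                     # S1301-S1302
        del self.policies[name]

    def edit(self, name: str, edited: Dict[str, str]) -> List[str]:
        """S801-S803: apply `edited` (item name -> new value) to policy `name`.
        Returns the identifiers of the regenerated policies, in their original order."""
        # Validate before anything is deleted, so a bad instruction cannot leave
        # the control-side port without its policies.
        unknown = set(edited) - EDITABLE
        if unknown:
            raise ValueError(f"items not editable: {sorted(unknown)}")
        if name not in self.policies:
            raise KeyError(name)
        snapshot = list(self.policies.values())              # S802: obtain all ...
        self.policies.clear()                                # ... and delete all
        # S803: the target is regenerated with the edited items merged over its
        # unchanged ones; every other policy is regenerated as it was.
        regenerated = [replace(p, **edited) if p.name == name else p for p in snapshot]
        for p in regenerated:
            self.add(p)
        return [p.name for p in regenerated]


def demo() -> OsHostFirewall:
    """Constructed scenario with the page's identifiers: security policy C gets
    a new local address ("IP2" in the text) while its other items stay the same."""
    fw = OsHostFirewall()
    fw.add(HostSecurityPolicy("security policy C", "/opt/plc/collector", "192.0.2.10", "255.255.255.0"))
    fw.add(HostSecurityPolicy("security policy D", "/opt/plc/historian", "192.0.2.11", "255.255.255.0"))
    fw.edit("security policy C", {"local_addr": "192.0.2.20"})
    return fw
```

Because S802 deletes every policy on the control-side port before S803 recreates them, the input validation in `edit` is placed ahead of the deletion; a rejected instruction then leaves the configured set untouched rather than half-rebuilt.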
基于同一发明构思,本申请实施例中还提供了与防火墙策略处理方法对应的防火墙策略处理装置,由于本申请实施例中的装置解决问题的原理与本申请实施例上述防火墙策略处理方法相似,因此装置的实施可以参见方法的实施,重复之处不再赘述。Based on the same inventive concept, the embodiment of the present application also provides a firewall policy processing device corresponding to the firewall policy processing method. Since the problem-solving principle of the device in the embodiment of the present application is similar to the above-mentioned firewall policy processing method in the embodiment of the present application, therefore For the implementation of the device, reference may be made to the implementation of the method, and repeated descriptions will not be repeated.
参考图14所示,本申请实施例还提供了一种防火墙策略处理装置,应用于主机异构网关设备中的操作系统主机,主机异构网关设备包括操作系统主机以及主板主机,操作系统主机上包括控制侧网口,主板主机上包括信息侧网口,该装置包括:Referring to FIG. 14, the embodiment of the present application also provides a firewall policy processing device, which is applied to the operating system host in the host heterogeneous gateway device. The host heterogeneous gateway device includes the operating system host and the motherboard host. Including the control side network port, the main board includes the information side network port, the device includes:
接收模块1401,用于接收用户输入的主板主机的防火墙策略编辑指示,主板主机的防火墙策略编辑指示中包括待编辑的目标服务策略的标识以及目标服务策略对应的编辑后的端口信息;The
获取模块1402,用于获取信息侧网口上当前已配置的服务策略中目标服务策略对应的编辑前的端口信息;An
判断模块1403,用于判断编辑前的端口信息是否与编辑后的端口信息一致;Judging
删除模块1404,用于若否,则将主板主机的防火墙中引用目标服务策略的各目标安全策略删除;
更新模块1405,用于根据编辑后的端口信息,更新目标服务策略,得到更新后的目标服务策略;根据更新后的目标服务策略以及目标服务策略与目标安全策略的引用关系,更新主板主机上的安全策略。The
可选地,判断模块1403,还用于:Optionally, the judging
分别将编辑后的源端口的端口参数、编辑后的目的端口的端口参数与编辑前的源端口的端口参数及编辑前的目的端口的端口参数进行对比;Comparing the port parameters of the edited source port and the port parameters of the edited destination port with the port parameters of the source port before editing and the port parameters of the destination port before editing;
若编辑后的源端口的端口参数与编辑前的源端口的端口参数,或编辑后的目的端口的端口参数与编辑前的目的端口的端口参数不相同,则确定编辑前的端口信息与编辑后的端口信息不一致。If the port parameters of the edited source port are different from those of the source port before editing, or the port parameters of the edited destination port are different from those of the destination port before editing, then make sure that the port information before editing The port information is inconsistent.
可选地,删除模块1404,还用于:Optionally, delete
将各目标安全策略中各配置项的参数信息缓存至预设存储空间;Cache the parameter information of each configuration item in each target security policy to a preset storage space;
遍历主板主机的防火墙中的各安全策略,若当前遍历到的安全策略所引用的服务策略为目标服务策略,则确定当前遍历到的安全策略为一个目标安全策略,并从主板主机的防火墙中删除当前遍历到的安全策略。Traverse each security policy in the firewall of the motherboard host, if the service policy referenced by the currently traversed security policy is the target service policy, then determine that the currently traversed security policy is a target security policy, and delete it from the firewall of the motherboard host The currently traversed security policy.
可选地,更新模块1405,还用于:Optionally, the
在目标服务策略更新完成后,从预设存储空间中读取引用目标服务策略的各目标安全策略;After the update of the target service policy is completed, read each target security policy referencing the target service policy from the preset storage space;
在主板主机的防火墙中新建各目标安全策略。Create new security policies for each target in the firewall of the motherboard host.
可选地,接收模块1401,还用于接收用户输入的操作系统主机的防火墙策略编辑指示,操作系统主机的防火墙策略编辑指示中包括待编辑的操作系统主机安全策略的标识操作系统主机安全策略对应的编辑后的参数信息;Optionally, the
该装置还包括:The unit also includes:
处理模块,用于获取并删除控制侧网口上当前配置的各安全策略;A processing module, configured to acquire and delete each security policy currently configured on the network port on the control side;
新建模块,用于根据操作系统主机安全策略的标识以及操作系统主机安全策略对应的编辑后的参数信息,重新生成控制侧网口上的各安全策略,并在操作系统主机的防火墙中新建控制侧网口上的各安全策略。The new module is used to regenerate each security policy on the control side network port according to the identity of the security policy of the operating system host and the edited parameter information corresponding to the security policy of the operating system host, and create a new control side network in the firewall of the operating system host Each security policy on the port.
Optionally, the receiving module 1401 is further configured to receive a firewall policy addition instruction for the motherboard host input by the user, where the instruction includes the identifier of the service policy to be added, the parameter information of the configuration items to be edited in that service policy, the identifier of the security policy to be added, and the parameter information of the configuration items to be edited in that security policy;
a creation module, configured to generate the service policy to be added on the information-side network port according to the identifier of the service policy to be added and the parameter information of its configuration items to be edited, and to create that service policy anew in the firewall of the motherboard host; and to generate the security policy to be added on the information-side network port according to the identifier of the security policy to be added and the parameter information of its configuration items to be edited, and to create that security policy anew in the firewall of the motherboard host.
Optionally, the receiving module 1401 is further configured to receive a firewall policy deletion instruction for the motherboard host input by the user, where the instruction includes the identifier of the service policy to be deleted;
The apparatus further includes:
a lookup module, configured to look up, according to the identifier of the service policy to be deleted, each target security policy that references the service policy to be deleted among the security policies currently configured on the information-side network port;
the deletion module 1404 is further configured to delete, from the firewall of the motherboard host, each target security policy that references the service policy to be deleted, and then to delete the service policy to be deleted from the firewall of the motherboard host.
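The service-policy/security-policy dependency handling described above (port-consistency check, cache the referencing security policies, delete them, update the service policy, re-create them from the cache; and, for deletion, remove the referencing security policies before the service policy itself) can be modelled with a small in-memory store. The following is an added example written for this page, not code from the patent or its applicant; the class and method names, the field layout of the policies, the sample Modbus/TCP entries and the "update in place when ports are unchanged" branch are all assumptions made for the illustration.

```python
"""Added illustration of the cascade described in the patent text (names assumed)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ServicePolicy:
    """Reusable service definition referenced by security policies (assumed shape)."""
    sid: str
    protocol: str
    src_port: str   # e.g. "any" or "1024-65535"
    dst_port: str   # e.g. "502" (Modbus/TCP)


@dataclass(frozen=True)
class SecurityPolicy:
    """Whitelist rule on the information-side port; references a service by its id."""
    pid: str
    src_ip: str
    dst_ip: str
    service_ref: str   # sid of the referenced ServicePolicy
    action: str = "permit"


def port_info_changed(before: ServicePolicy, after: ServicePolicy) -> bool:
    """Port information is 'inconsistent' when either the source or destination port differs."""
    return before.src_port != after.src_port or before.dst_port != after.dst_port


class MotherboardFirewall:
    """Information-side firewall with a referential constraint: a service policy must not be
    changed (on its ports) or removed while security policies still reference it."""

    def __init__(self) -> None:
        self.services: Dict[str, ServicePolicy] = {}
        self.rules: Dict[str, SecurityPolicy] = {}
        self._cache: List[SecurityPolicy] = []   # the "preset storage space"
        self.log: List[str] = []                 # ordered record of applied operations

    def add_service(self, sp: ServicePolicy) -> None:
        if sp.sid in self.services:
            raise ValueError(f"service {sp.sid} already exists")
        self.services[sp.sid] = sp
        self.log.append(f"add service {sp.sid}")

    def add_rule(self, rule: SecurityPolicy) -> None:
        # A rule may only reference a service that is already configured.
        if rule.service_ref not in self.services:
            raise ValueError(f"rule {rule.pid} references unknown service {rule.service_ref}")
        self.rules[rule.pid] = rule
        self.log.append(f"add rule {rule.pid}")

    def rules_referencing(self, sid: str) -> List[SecurityPolicy]:
        """Lookup step: every currently configured rule that references service `sid`."""
        return [r for r in self.rules.values() if r.service_ref == sid]

    def edit_service(self, after: ServicePolicy) -> int:
        """Edit step: cache -> delete dependents -> update service -> re-create dependents.
        Returns the number of security policies that were re-created."""
        before = self.services.get(after.sid)
        if before is None:
            raise KeyError(after.sid)
        if not port_info_changed(before, after):
            # Assumed branch: ports unchanged, so the service can be updated in place.
            self.services[after.sid] = after
            self.log.append(f"update service {after.sid} in place")
            return 0
        self._cache = self.rules_referencing(after.sid)      # cache parameter information
        for r in self._cache:                                 # traverse and delete dependents
            del self.rules[r.pid]
            self.log.append(f"delete rule {r.pid}")
        self.services[after.sid] = after                      # update the target service
        self.log.append(f"update service {after.sid}")
        for r in self._cache:                                 # re-create from the cache
            self.add_rule(r)
        n, self._cache = len(self._cache), []
        return n

    def delete_service(self, sid: str) -> int:
        """Delete step: remove referencing rules first, then the service itself."""
        if sid not in self.services:
            raise KeyError(sid)
        targets = self.rules_referencing(sid)
        for r in targets:
            del self.rules[r.pid]
            self.log.append(f"delete rule {r.pid}")
        del self.services[sid]
        self.log.append(f"delete service {sid}")
        return len(targets)


def build_example() -> MotherboardFirewall:
    """Constructed sample data: one Modbus/TCP service referenced by two whitelist rules."""
    fw = MotherboardFirewall()
    fw.add_service(ServicePolicy("svc-modbus", "tcp", "any", "502"))
    fw.add_rule(SecurityPolicy("r1", "10.0.0.5", "10.0.1.20", "svc-modbus"))
    fw.add_rule(SecurityPolicy("r2", "10.0.0.6", "10.0.1.20", "svc-modbus"))
    return fw


if __name__ == "__main__":
    fw = build_example()
    fw.edit_service(ServicePolicy("svc-modbus", "tcp", "any", "5020"))  # port change: cascade
    fw.delete_service("svc-modbus")                                      # dependents go first
    print("\n".join(fw.log))
```

The log ordering is the point worth checking: a port change on the service must produce "delete rule" entries for every dependent before the "update service" entry and "add rule" entries after it, so the firewall is never left with a rule pointing at a service whose ports no longer match what the rule was validated against.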
The above apparatus is used to execute the method provided in the foregoing embodiments; its implementation principle and technical effect are similar and are not repeated here.
The above modules may be one or more integrated circuits configured to implement the above method, for example one or more application-specific integrated circuits (ASICs), one or more microprocessors (digital signal processor, DSP), or one or more field-programmable gate arrays (FPGAs). Alternatively, when one of the above modules is implemented in the form of a processing element scheduling program code, the processing element may be a general-purpose processor, such as a central processing unit (CPU) or another processor able to invoke program code. Alternatively, these modules may be integrated together and implemented in the form of a system-on-a-chip (SoC).
Optionally, the present application further provides a program product, such as a computer-readable storage medium, including a program which, when executed by a processor, performs the foregoing method embodiments.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; the division into units is only a logical functional division, and other divisions are possible in actual implementation, for example multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, apparatuses or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present application may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware, or in the form of hardware plus software functional units.
The integrated unit implemented in the form of a software functional unit may be stored in a computer-readable storage medium. The software functional unit is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) or a processor to execute some of the steps of the method described in the embodiments of the present application. The aforementioned storage medium includes any medium capable of storing program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
| Application Number | Publication Number | Priority Date | Filing Date | Title |
|---|---|---|---|---|
| CN202211317138.5A | CN115664815A | 2022-10-26 | 2022-10-26 | Firewall policy processing method, device, electronic equipment and storage medium |
| Publication Number | Publication Date |
|---|---|
| CN115664815A | 2023-01-31 |
Patent citations (an asterisk marks a citation added by the examiner):

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7284267B1* | 2001-03-08 | 2007-10-16 | Mcafee, Inc. | Automatically configuring a computer firewall based on network connection |
| CN102006246A* | 2010-11-26 | 2011-04-06 | 中国航天科工集团第二研究院七○六所 | Trusted separate gateway |
| CN111835794A* | 2020-09-17 | 2020-10-27 | 腾讯科技(深圳)有限公司 | Firewall policy control method and device, electronic equipment and storage medium |
| CN113114683A* | 2021-04-14 | 2021-07-13 | 中国工商银行股份有限公司 | Firewall policy processing method and device |
| CN114978678A* | 2022-05-20 | 2022-08-30 | 中国工商银行股份有限公司 | Firewall policy changing method and device, computer equipment and storage medium |
Legal events:

| Code | Title | Description |
|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| CB02 | Change of applicant information | Country or region after: China. Address after: No. 309 Liuhe Road, Binjiang District, Hangzhou City, Zhejiang Province (High tech Zone). Applicant after: Zhongkong Technology Co.,Ltd. Address before: No. six, No. 309, Binjiang District Road, Hangzhou, Zhejiang. Applicant before: ZHEJIANG SUPCON TECHNOLOGY Co.,Ltd. Country or region before: China |