CN112968867A - Access control method, system, physical host and communication equipment - Google Patents


Info

Publication number
CN112968867A
CN112968867A
Authority
CN
China
Prior art keywords
security group
physical host
network card
configuration information
rule
Legal status
Pending
Application number
CN202110124192.7A
Other languages
Chinese (zh)
Inventor
刘宏伟
Current Assignee
Capitalonline Data Service Co ltd
Original Assignee
Capitalonline Data Service Co ltd
Application filed by Capitalonline Data Service Co ltd
Priority to CN202110124192.7A
Publication of CN112968867A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/08 Configuration management of networks or network elements
    • H04L 41/0893 Assignment of logical groups to network elements
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 49/00 Packet switching elements
    • H04L 49/70 Virtual switches

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides an access control method, a system, a physical host, a communication device and a computer-readable storage medium. The method comprises the following steps: a first network card of a physical host receives configuration information of a security group rule; and a first virtual switch in the first network card sets the security group rule according to that configuration information, so that external devices access the physical host according to the security group rule. This solves the problem of the security group function failing or behaving incorrectly as a result of user misoperation in the host operating system.

Description

Access control method, system, physical host and communication equipment
Technical Field
The present application relates to the field of computer technologies, and in particular, to an access control method, system, physical host, communication device, and computer-readable storage medium.
Background
Currently, most cloud platforms provide a Bare Metal Server (BMS). Since the safety of incoming data packets cannot be assumed, a security group function needs to be implemented for the bare metal server so as to provide access control for its network communication. The current way of implementing a security group on a physical host is mainly to install a security component in the host's operating system that configures iptables, converting each security group rule into a specific iptables rule. However, users frequently make mistakes during actual operation, and because the security group rules are configured directly in the same operating system that the user administers, such mistakes easily cause the security group function to fail or behave incorrectly.
Disclosure of Invention
The embodiment of the application provides an access control method, a system, a physical host, a communication device and a computer readable storage medium, so as to solve the problems in the related art, and the technical scheme is as follows:
in a first aspect, an embodiment of the present application provides an access control method, including:
a first network card of a physical host receives configuration information of a security group rule;
and the first virtual switch in the first network card sets the security group rule according to the configuration information of the security group rule, so that the external equipment accesses the physical host according to the security group rule.
In a second aspect, an embodiment of the present application provides a physical host, including:
an acquisition module for receiving configuration information of security group rules;
and the configuration module is used for setting the security group rules according to the configuration information of the security group rules so as to enable the external equipment to access the physical host according to the security group rules.
In a third aspect, an embodiment of the present application provides an access control system, where the access control system includes: at least one physical host and an external switch for data transmission to the at least one physical host;
the physical host includes: running a first network card of a network card operating system; the network card operating system is configured with a first virtual switch, a security group rule is configured in the first virtual switch, and access control is performed on the physical host according to the security group rule;
and the physical host is connected with the external switch through the first network card.
In a fourth aspect, an embodiment of the present application provides a communication device comprising a memory and a processor. The memory and the processor communicate with each other via an internal connection path; the memory stores instructions, and the processor executes the instructions stored in the memory, such that the processor performs the method of any of the above aspects.
In a fifth aspect, the present application provides a computer-readable storage medium, which stores a computer program, and when the computer program runs on a computer, the method in any one of the above-mentioned aspects is executed.
The advantages or beneficial effects in the above technical solution at least include: because the first virtual switch is configured in the network card operating system of the first network card of the physical host, the security group rule is configured in the first virtual switch, and the access of the physical host is limited according to the security group rule, the security group function is realized, and the problem that the security group function is invalid or wrong easily caused by misoperation of a user is avoided.
The foregoing summary is provided for the purpose of description only and is not intended to be limiting in any way. In addition to the illustrative aspects, embodiments, and features described above, further aspects, embodiments, and features of the present application will be readily apparent by reference to the drawings and following detailed description.
Drawings
In the drawings, like reference numerals refer to the same or similar parts or elements throughout the several views unless otherwise specified. The figures are not necessarily to scale. It is appreciated that these drawings depict only some embodiments in accordance with the disclosure and are therefore not to be considered limiting of its scope.
FIG. 1 is a schematic diagram of a host system in the prior art;
fig. 2 is a schematic structural diagram of an access control system according to an embodiment of the present application;
FIG. 3 is a flow chart of an access control method according to an embodiment of the present application;
fig. 4 is a schematic flowchart of an access control method according to an embodiment of the present application;
fig. 5 is a schematic flowchart of an access control method according to an embodiment of the present application;
fig. 6 is a schematic flowchart of an access control method according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of an access control system according to an embodiment of the present application;
FIG. 8 is a block diagram of a physical host according to an embodiment of the present application;
FIG. 9 is a block diagram of a physical host according to an embodiment of the present application;
FIG. 10 is a block diagram of a physical host according to an embodiment of the present application;
fig. 11 is a schematic structural diagram of a communication device according to an embodiment of the present application.
Detailed Description
In the following, only certain exemplary embodiments are briefly described. As those skilled in the art will recognize, the described embodiments may be modified in various different ways, all without departing from the spirit or scope of the present application. Accordingly, the drawings and description are to be regarded as illustrative in nature, and not as restrictive.
An embodiment of the present application provides an access control system, as shown in fig. 2, the access control system includes: at least one physical host and an external switch 3 for data transmission to the at least one physical host.
The physical host comprises: a first network card 1 of a network card operating system is operated; the network card operating system is provided with a first virtual switch 2 for setting security group rules; the first virtual switch 2 is configured with security group rules, and performs access control on the physical host according to the security group rules. The physical host is connected with an external switch 3 through a first network card 1.
It should be noted that the access control system provided in the embodiment of the present application may include a plurality of physical hosts, which can communicate with each other through the external switch 3 and can also reach the wider network through it. Each physical host has the same structure and runs its own Host operating system 6 (Host OS), while the network card operating system is independent of the Host operating system 6 and runs on the first network card 1. In this embodiment, the first network card 1 is an intelligent network card (SmartNIC) whose core is a Central Processing Unit (CPU) assisted by an FPGA (Field Programmable Gate Array), and the corresponding network card operating system is the SmartNIC OS. The SmartNIC OS and the Host OS may both be embedded operating systems. When the physical host communicates, the SmartNIC is configured in embedded CPU function ownership mode (ECPF mode), in which the resources and functions of the SmartNIC are owned and controlled by the embedded Arm subsystem on the card rather than by the host.
It should be noted that the network card operating system is configured with a first virtual switch 2, namely Open vSwitch (OVS). OVS consists of ovsdb-server, ovs-vswitchd and the OVS kernel module. ovsdb-server is the configuration database server of OVS and stores the configuration of the virtual switch; it exchanges information with the manager and with ovs-vswitchd over the OVSDB protocol (JSON-RPC). The OVS kernel module handles packet switching and tunnelling and caches flows: if a matching entry is found in the kernel flow cache the packet is forwarded there, otherwise the packet is sent up to user space for processing and the resulting flow is installed in the cache. ovs-vswitchd is the core component of OVS: it talks to an upper-layer controller over the OpenFlow protocol, to ovsdb-server over the OVSDB protocol and to the kernel module over netlink, and it supports multiple independent datapaths (bridges), implementing bonding and VLAN functions by manipulating the flow table.
For example, the external switch 3 may be a physical switch, and when the physical switch receives external information (e.g., security group rules configured by a user), the network card operating system is configured to be in an ownership mode, and corresponding security group rules are added to the flow table of the first virtual switch 2, so as to implement the functions of security groups.
It can be seen that the host system in the prior art (see fig. 1) converts the security group rules directly into iptables rules inside the host operating system. In the embodiment of the present application (see fig. 2), the first virtual switch 2 is configured in the network card operating system of the first network card 1 and the security group rule is configured in the first virtual switch 2, so the physical host is access-restricted according to the security group rule and the security group function is implemented there. Since the security group rule is set in the first virtual switch 2 instead of the host operating system 6, a user's misoperation in the host operating system does not cause the security group function to fail or go wrong.
In one embodiment, the access control system further comprises: a communication module for communicating the physical host with the external device.
The data communication module 4 is connected between the physical host and the external switch 3.
In the embodiment of the present application, referring to fig. 2, the communication module may be a physical network card, and may also be other devices capable of performing data communication, which is not limited herein. It should be noted that the physical host can communicate with the external device through the physical network card, for example, the physical host can communicate with other physical hosts through the external switch 3 through the physical network card, and can also access the network to perform network communication.
In one embodiment, the access control system further comprises:
the physical hosts access the wide area network 5 through the external switch 3.
It should be noted that, still referring to fig. 2, the external switch 3 may be a physical switch, which not only allows data communication among a plurality of physical hosts, but also allows the physical hosts to access the wide area network 5 (i.e., public network), so that the physical hosts can perform communication in various ways.
Fig. 3 shows a flowchart of an access control method of an access control system according to an embodiment of the present application. As shown in fig. 3, the method may include:
s110, the first network card 1 of the physical host receives the configuration information of the security group rule.
It should be noted that the access control method is applied to the access control system provided in the embodiment of the present invention.
In a specific implementation process, the first network card 1 acquires configuration information of the security group rule through the external switch 3. Wherein the configuration information of the security group rules includes any one or more of: rule direction, authorization policy, protocol type, port range, authorization object, and priority, and the configuration information of the security group rule may further include information related to the physical host, such as physical host number, identification code, and the like. It is understood that the configuration information of the security group rule may be selected by the user, or may be preset, and is not limited herein.
S120, the first virtual switch in the first network card 1 sets the security group rule according to the configuration information of the security group rule, so that the external device accesses the physical host according to the security group rule.
In a specific implementation process, the first virtual switch 2 in the first network card 1 receives the configuration information of the security group rule and adds the required security group rule to the OVS flow table according to that configuration information. Because OVS can work together with the kernel's connection tracking system (conntrack), OpenFlow flows can match on the connection state of TCP, UDP, ICMP and other traffic through the ct action and the ct_state match field (the connection tracking system tracks both stateful and stateless protocols). This makes the network state visible to the flow table, so communication on the ports of the physical host can be controlled statefully, realising the security group function.
The security group rule may be stored in the first virtual switch 2 in advance in the form of an OVS flow table, or in another form. After the first network card 1 receives the security group rule configuration information, the security group rule in the first virtual switch 2 is set according to it. For example, when the received configuration information says that device A is permitted on the SSH port 22, this is added to the security group rule so that device A may reach port 22. For another example, inbound direction: SSH port 22 and HTTP port 80 are permitted; outbound direction: all access is allowed by default.
For example, a user may configure the security group rule through a device such as a user terminal device (e.g., a mobile phone, a tablet computer, etc.) or an operation console corresponding to the physical host, and send configuration information to the physical host; after the first network card 1 in the physical host receives the configuration information, the first virtual switch 2 sets the security group rule in the first virtual switch 2 according to the configuration information, and the access rule of the physical host port is set in the security group rule, so that the communication condition of the physical host port is limited. It can be understood that, when a plurality of physical hosts exist in the access control system, the physical host corresponding to the configuration information of the user needs to be determined, and the configuration information is issued to the corresponding physical host. Then the configuration information needs to include the number, identification code, etc. of the physical host, so as to correspondingly control the communication situation of the physical host.
In view of this, in the access control method of the access control system provided in the embodiment of the present application, after the first network card 1 receives the configuration information of the security group rule, the first virtual switch 2 sets the security group rule according to the configuration information, and performs access restriction on the physical host according to the security group rule, thereby implementing the security group function. Since the security group rule is set in the first virtual switch 2 instead of the host operating system 6, the failure or error of the security group function does not occur even if the user operates it by mistake.
In one embodiment, before the first network card 1 of the physical host receives the configuration information of the security group rule, the method further includes:
s100, configuring the physical host to work in the first mode, so that the first network card 1 controls the physical host to communicate with the external device through the external switch 3.
Fig. 4 is a flow chart of an access control method. As shown in fig. 4, in the embodiment of the present application, the first mode is the embedded CPU function ownership mode (ECPF mode). In ECPF mode, the resources and functions of the first network card 1 are owned and controlled by the embedded Arm subsystem on the card. The physical host can still use the original network functions of the network card, but with limited privilege: the host operating system's driver for the network card can only be loaded after the driver on the first network card 1 side has been loaded and the network card configuration is complete. In ECPF mode the network card operating system controls and configures the network card's embedded switch, which means that traffic to and from the host port always passes through the operating system side of the network card; if the network card stops forwarding, the traffic path to and from the host port is interrupted.
For example, in the ECPF mode, the network card operating system may load the host-side network port and the physical network card (i.e. the data communication module 4) port at the same time, so that the first network card 1 can communicate with the external device through the external switch 3, thereby obtaining the configuration information of the security group rule through the external switch 3.
It should be noted that when the physical host does not operate in the first mode, that is, not in ECPF mode, the main control system of the physical host is the host operating system rather than the network card system. Communication then goes through the host operating system of the physical host: the host operating system's driver is loaded first, and the driver on the first network card 1 side afterwards. Therefore, only when the physical host works in ECPF mode can the network card system of the first network card 1 act as the main control system, with the traffic of the host interface always passing through the operating system side of the network card, so that the network card system can restrict port access of the physical host according to the security group rule in the first virtual switch 2.
In one embodiment, the first virtual switch 2 in the first network card 1 sets the security group rule according to the configuration information configuration of the security group rule, so that the external device accesses the physical host according to the security group rule, and step S120 specifically includes:
the first virtual switch 2 correspondingly adds the configuration information of the security group rule to perform access restriction on the port of the physical host, so that the external device accesses the physical host according to the security group rule.
In a specific implementation process, after receiving configuration information of a security group rule, the first network card 1 adds the configuration information to the security group rule, where the security group rule consists of information such as the access rules of each port of the physical machine and the objects that may access it. Whenever an external device attempts access, the first network card 1 looks up the security group rule matching that device to determine which ports it may reach.
In one embodiment, the correspondingly adding, by the first virtual switch 2, the configuration information of the security group rule to restrict access to the port of the physical host, so that the external device accesses the physical host according to the security group rule specifically includes:
s1210, add the configuration information of the security group rule to the security group rule of the first virtual switch 2 through the driver in the first network card 1.
S1220, the first virtual switch 2 executes a corresponding configuration instruction according to the security group rule to configure a port of the physical host, so that the external device accesses the physical host according to the security group rule.
Fig. 5 is a flow chart of an access control method. As shown in fig. 5, it should be noted that the driver in the first network card 1 is an SGagent program, which adds the configuration information of the security group to the security group rule of the first virtual switch 2 so that the configuration takes effect there. In the embodiment of the present application, after the physical host receives the configuration information of the security group rule, the SGagent program in the first network card 1 is invoked to write the configuration information into the OVS flow table of the first virtual switch 2, thereby implementing the security group function.
For ease of understanding, the security group rules are illustrated by the following example:
OVS configures a security group rule by executing a command such as the following:
For example, rule one: open a specific port of the physical host (here TCP port 80) so that external devices can reach it, corresponding to the OVS configuration (matching on the destination port of traffic arriving at the host):
ovs-ofctl add-flow br0 priority=0,tcp,tp_dst=80,actions=normal
For another example, rule two: block communication with the host 192.168.0.2, corresponding to the OVS configuration (a higher priority than the permit flow, since OVS evaluates the highest-priority matching flow first; this drops traffic towards 192.168.0.2, and a second flow matching nw_src=192.168.0.2 is needed to also drop traffic arriving from it):
ovs-ofctl add-flow br0 priority=5,ip,nw_dst=192.168.0.2,actions=drop
it will be appreciated that corresponding security group rules may be configured in the OVS according to the needs of the user.
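The following is an added example, written for this page rather than taken from the patent or from Capitalonline's SGagent, of how the configuration fields listed under S110 (rule direction, authorization policy, protocol type, port range, authorization object, priority and the physical host identifier) can be turned into the OVS flows described under S120 and in rules one and two above, with connection tracking so that only new connections are evaluated against the rules. The bridge name br0 comes from the examples above; the port names uplink0 and host0, the two-table conntrack layout, the 1..99 rule priority band and the sample rules are assumptions. Python is used so the translation can be run without a SmartNIC.

```python
"""Added example for this page (not code from the patent or from Capitalonline):
an SGagent-style translation of security group rules into OVS OpenFlow flow
specs. Assumed, not in the patent: bridge br0, ports uplink0/host0, the
two-table conntrack layout, rule priorities 1..99 and the constructed rules."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

BRIDGE = "br0"           # bridge name used in the patent's ovs-ofctl examples
UPLINK_PORT = "uplink0"  # assumed: port facing the external switch
HOST_PORT = "host0"      # assumed: port facing the host operating system

# Assumed base layout: table 0 sends IP through conntrack; table 1 passes
# established connections, drops invalid ones and drops whatever no rule
# (priorities 1..99) accepted. Non-IP traffic such as ARP is switched normally.
BASE_FLOWS = [
    "table=0,priority=100,ip,ct_state=-trk,actions=ct(table=1)",
    "table=0,priority=0,actions=NORMAL",
    "table=1,priority=100,ct_state=+trk+est,actions=NORMAL",
    "table=1,priority=100,ct_state=+trk+inv,actions=drop",
    "table=1,priority=0,actions=drop",
]

@dataclass(frozen=True)
class SecurityGroupRule:          # the fields the patent lists under S110
    host_id: str                  # physical host number / identification code
    direction: str                # "ingress" (to host) or "egress" (from host)
    policy: str                   # authorization policy: "accept" or "drop"
    protocol: str                 # "tcp", "udp", "icmp" or "any"
    port_range: Optional[Tuple[int, int]]  # destination ports, None = all
    target: str                   # authorization object, as a CIDR
    priority: int                 # 1..99

def port_masks(lo: int, hi: int) -> List[Tuple[int, int]]:
    """Split [lo, hi] into (value, mask) pairs for tp_dst=V/M: OpenFlow has no
    port-range match, only masked matches on power-of-two aligned blocks."""
    out = []
    while lo <= hi:
        size = 1
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        out.append((lo, 0xFFFF & ~(size - 1)))
        lo += size
    return out

def rule_to_flows(rule: SecurityGroupRule, my_host_id: str) -> List[str]:
    """ovs-ofctl add-flow specs for one rule; [] if it is addressed to another host."""
    if rule.host_id != my_host_id:
        return []
    if not 1 <= rule.priority <= 99:
        raise ValueError("rule priority must lie between the base flows (1..99)")
    proto = {"tcp": "tcp", "udp": "udp", "icmp": "icmp", "any": "ip"}[rule.protocol]
    # Direction is decided by the port the packet enters on; the peer address
    # is the source for ingress and the destination for egress.
    in_port, peer = (UPLINK_PORT, "nw_src") if rule.direction == "ingress" else (HOST_PORT, "nw_dst")
    match = ["table=1", f"priority={rule.priority}", "ct_state=+trk+new", proto, f"in_port={in_port}"]
    if rule.target != "0.0.0.0/0":
        match.append(f"{peer}={rule.target}")
    # Accepting commits the new connection so its replies hit the +est flow.
    action = "actions=ct(commit),NORMAL" if rule.policy == "accept" else "actions=drop"
    if proto in ("tcp", "udp") and rule.port_range and rule.port_range != (0, 65535):
        return [",".join(match + [f"tp_dst={v}" if m == 0xFFFF else f"tp_dst={v:#06x}/{m:#06x}", action])
                for v, m in port_masks(*rule.port_range)]
    return [",".join(match + [action])]

def build_flows(rules: List[SecurityGroupRule], my_host_id: str) -> List[str]:
    """Everything SGagent would install on this host: base flows plus rule flows."""
    return list(BASE_FLOWS) + [f for r in rules for f in rule_to_flows(r, my_host_id)]

def add_flow_commands(rules: List[SecurityGroupRule], my_host_id: str) -> List[str]:
    return [f"ovs-ofctl add-flow {BRIDGE} {f}" for f in build_flows(rules, my_host_id)]

# Constructed sample rules: the text's inbound SSH/HTTP and outbound allow-all
# examples, a drop of 192.168.0.2, a port range, and a rule for another host.
RULES = [
    SecurityGroupRule("host-01", "ingress", "accept", "tcp", (22, 22), "10.0.0.0/24", 10),
    SecurityGroupRule("host-01", "ingress", "accept", "tcp", (80, 80), "0.0.0.0/0", 10),
    SecurityGroupRule("host-01", "ingress", "accept", "tcp", (8000, 8100), "10.0.0.0/24", 10),
    SecurityGroupRule("host-01", "ingress", "drop", "any", None, "192.168.0.2/32", 20),
    SecurityGroupRule("host-01", "egress", "accept", "any", None, "0.0.0.0/0", 1),
    SecurityGroupRule("host-02", "ingress", "accept", "tcp", (443, 443), "0.0.0.0/0", 10),
]

if __name__ == "__main__":
    print("\n".join(add_flow_commands(RULES, "host-01")))
```

Port ranges are the part rule translators most often get wrong: OpenFlow has no range match, so port_masks splits a range into aligned masked blocks (8000 to 8100 becomes four tp_dst=V/M flows). Each emitted spec is one argument to ovs-ofctl add-flow and should be quoted in a shell because of the parentheses in ct(commit). The host_id check is where a rule addressed to another physical host is discarded, which the text above requires when several hosts share one management plane.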
In one embodiment, the first network card 1 of the physical host receives configuration information of the security group rule, and the step S110 specifically includes:
s1110, the first network card 1 of the physical host receives the configuration information of the security group rule through the external switch 3.
Fig. 6 is a flow chart of an access control method. As shown in fig. 6 to 7, for example, when there are multiple physical hosts in the access control system, a management platform 7 is provided for receiving a security group rule request configured by a user, and when the management platform 7 receives the security group rule request from the user, a task of configuring the security group rule is created, and at this time, an SGagent program in the first network card 1 is invoked to implement writing of configuration information of the security group rule into an OVS flow table of the first virtual switch 2, thereby implementing the security group function.
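As an added example (not code from the patent or from the SGagent program), the check a practitioner would run after the management platform's task completes: read `ovs-ofctl dump-flows br0` back and compare it with what the task intended, so that a rule that never landed, or a flow added by hand on the network card, is reported rather than silently accepted. The flow layout (table 1, a conntrack +new match, the port name uplink0) and the dump output are constructed assumptions; the comparison has to normalise the differences between what was written and how OVS prints it (counters, quoted port names, ct_state flag order, /32 prefixes).

```python
"""Added example for this page (not code from the patent or from Capitalonline):
compare the flows a security group task intended with what
`ovs-ofctl dump-flows br0` reports. Assumed, not in the patent: the flow
layout in EXPECTED and the constructed dump output in SAMPLE_DUMP."""
import re
from typing import List, Tuple

# Counters that differ from run to run and must not influence the comparison.
_STAT_KEYS = {"cookie", "duration", "n_packets", "n_bytes", "idle_age", "hard_age"}

def canonical_flow(text: str) -> Tuple[Tuple[str, ...], str]:
    """Reduce a flow spec or a dump-flows line to a comparable key: drop
    counters, unquote port names, sort ct_state flags, normalise /32 and masks."""
    match_part, _, actions = text.strip().partition("actions=")
    tokens = []
    for tok in re.split(r"[,\s]+", match_part.strip(", ")):
        key, _, val = tok.partition("=")
        if not key or key in _STAT_KEYS:
            continue
        val = val.strip('"')
        if key == "ct_state":
            val = "".join(sorted(re.findall(r"[+-][a-z]+", val)))
        elif key in ("tp_src", "tp_dst") and "/" in val:
            v, m = (int(x, 0) for x in val.split("/"))
            val = str(v) if m == 0xFFFF else f"{v:#x}/{m:#x}"
        elif key in ("nw_src", "nw_dst") and val.endswith("/32"):
            val = val[:-3]
        tokens.append(f"{key}={val}" if val else key)
    return tuple(sorted(tokens)), actions.replace(" ", "")

def drift(expected: List[str], dump_output: str):
    """(missing, unexpected): intended flows the switch lacks, and flows on the
    switch that no security group rule explains, e.g. one added by hand."""
    want = {canonical_flow(f) for f in expected}
    have = {canonical_flow(l) for l in dump_output.splitlines() if "actions=" in l}
    return sorted(want - have), sorted(have - want)

# Constructed: the flow specs the platform's task intended for this host.
EXPECTED = [
    "table=1,priority=10,ct_state=+trk+new,tcp,in_port=uplink0,nw_src=10.0.0.0/24,tp_dst=22,actions=ct(commit),NORMAL",
    "table=1,priority=10,ct_state=+trk+new,tcp,in_port=uplink0,tp_dst=80,actions=ct(commit),NORMAL",
    "table=1,priority=10,ct_state=+trk+new,tcp,in_port=uplink0,tp_dst=0x1f40/0xffc0,actions=ct(commit),NORMAL",
    "table=1,priority=20,ct_state=+trk+new,ip,in_port=uplink0,nw_src=192.168.0.2/32,actions=drop",
    "table=1,priority=0,actions=drop",
]

# Constructed `ovs-ofctl dump-flows br0` output: the SSH flow never landed and
# a stray priority=50 allow-all flow is present.
SAMPLE_DUMP = """\
 cookie=0x0, duration=70.9s, table=1, n_packets=5, n_bytes=370, priority=10,ct_state=+new+trk,tcp,in_port="uplink0",tp_dst=80 actions=ct(commit),NORMAL
 cookie=0x0, duration=70.9s, table=1, n_packets=0, n_bytes=0, priority=10,ct_state=+new+trk,tcp,in_port="uplink0",tp_dst=0x1f40/0xffc0 actions=ct(commit),NORMAL
 cookie=0x0, duration=70.9s, table=1, n_packets=0, n_bytes=0, priority=20,ct_state=+new+trk,ip,in_port="uplink0",nw_src=192.168.0.2 actions=drop
 cookie=0x0, duration=12.0s, table=1, n_packets=0, n_bytes=0, priority=50,ct_state=+new+trk,ip,in_port="uplink0" actions=ct(commit),NORMAL
 cookie=0x0, duration=71.4s, table=1, n_packets=4, n_bytes=240, priority=0 actions=drop
"""

if __name__ == "__main__":
    missing, unexpected = drift(EXPECTED, SAMPLE_DUMP)
    print("missing:", missing)
    print("unexpected:", unexpected)
```

Run after every task, or on a timer, the same comparison turns a silent failure of the SGagent write into a visible discrepancy on the network card side, which is the property the scheme relies on.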
By adopting the scheme, the first virtual switch is configured in the network card operating system of the first network card of the physical host, the security group rule is configured in the first virtual switch, and the physical host is subjected to access limitation according to the security group rule, so that the security group function is realized, and the problem that the security group function is invalid or wrong easily caused by misoperation of a user is avoided.
Fig. 8 shows a schematic structural diagram of a physical host according to an embodiment of the present application. As shown in fig. 8, the apparatus includes:
the obtaining module 110 is configured to receive configuration information of the security group rule.
A configuration module 120, configured to set the security group rule according to the configuration information of the security group rule, so that the external device accesses the physical host according to the security group rule.
In one embodiment, as shown in fig. 9, the apparatus further comprises:
the processing module 100 is configured to configure the physical host to operate in the first mode, so that the first network card 1 controls the physical host to communicate with the external device through the external switch 3.
In an embodiment, the configuration module 120 specifically includes:
the first configuration unit is configured to correspondingly add, by the first virtual switch 2, the configuration information of the security group rule to perform access restriction on a port of the physical host, so that the external device accesses the physical host according to the security group rule.
In an embodiment, as shown in fig. 10, the first configuration unit specifically includes:
a first sub-configuration unit 1210, configured to add configuration information of the security group rule to the security group rule of the first virtual switch 2 through a driver in the first network card 1;
the second sub-configuration unit 1220 is configured to, by the first virtual switch 2, execute a corresponding configuration instruction according to the security group rule to configure a port of the physical host, so that the external device accesses the physical host according to the security group rule.
In one embodiment, the obtaining module is further configured to:
the first network card 1 of the physical host receives configuration information of the security group rules through the external switch 3.
The functions of each module in each apparatus in the embodiment of the present application may refer to corresponding descriptions in the above method, and are not described herein again.
Fig. 11 shows a block diagram of a communication device according to an embodiment of the present application. As shown in fig. 11, the communication device includes: a memory 910 and a processor 920, the memory 910 having stored therein a computer program operable on the processor 920. The processor 920 implements the access control method of the above-described embodiments when executing the computer program. There may be one or more of each of the memory 910 and the processor 920.
The communication device further includes:
and a communication interface 930 for communicating with an external device to perform data interactive transmission.
If the memory 910, the processor 920 and the communication interface 930 are implemented independently, they may be connected to each other through a bus and communicate with each other over it. The bus may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an Extended ISA (EISA) bus, or the like, and may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in fig. 11, but this does not indicate only one bus or one type of bus.
Optionally, in an implementation, if the memory 910, the processor 920 and the communication interface 930 are integrated on a chip, the memory 910, the processor 920 and the communication interface 930 may complete communication with each other through an internal interface.
Embodiments of the present application provide a computer-readable storage medium, which stores a computer program, and when the program is executed by a processor, the computer program implements the method provided in the embodiments of the present application.
The embodiment of the present application further provides a chip. The chip includes a processor and is configured to fetch from memory and execute the instructions stored in that memory, so that the communication device in which the chip is installed executes the method provided in the embodiment of the present application.
An embodiment of the present application further provides a chip that includes an input interface, an output interface, a processor and a memory, which are connected through an internal connection path. The processor executes code in the memory, and when the code is executed, the processor performs the method provided by the embodiment of the present application.
It should be understood that the processor may be a Central Processing Unit (CPU), another general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, etc. A general-purpose processor may be a microprocessor or any conventional processor. It is noted that the processor may be a processor supporting the Advanced RISC Machine (ARM) architecture.
Further, optionally, the memory may include a read-only memory and a random access memory, and may further include a nonvolatile random access memory. The memory may be either volatile memory or nonvolatile memory, or may include both volatile and nonvolatile memory. The non-volatile memory may include a Read-Only Memory (ROM), a Programmable ROM (PROM), an Erasable PROM (EPROM), an Electrically Erasable PROM (EEPROM), or a flash memory. Volatile memory can include Random Access Memory (RAM), which acts as an external cache. By way of example, and not limitation, many forms of RAM are available, for example Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), SyncLink DRAM (SLDRAM), and Direct Rambus RAM (DR RAM).
In the above embodiments, the implementation may be realized wholly or partially by software, hardware, firmware, or any combination thereof. When implemented in software, it may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. The procedures or functions according to the present application are produced in whole or in part when the computer program instructions are loaded and executed on a computer. The computer may be a general-purpose computer, a special-purpose computer, a network of computers, or another programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another.
In the description herein, references to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the application. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, various embodiments or examples and features of different embodiments or examples described in this specification can be combined and combined by one skilled in the art without contradiction.
Furthermore, the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present application, "a plurality" means two or more unless specifically limited otherwise.
Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps of the process. The scope of the preferred embodiments of the present application includes other implementations in which functions may be performed out of the order shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved.
The logic and/or steps represented in the flowcharts or otherwise described herein, e.g., an ordered listing of executable instructions that can be considered to implement logical functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions.
It should be understood that portions of the present application may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, the various steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. All or part of the steps of the method of the above embodiments may be implemented by hardware that is configured to be instructed to perform the relevant steps by a program, which may be stored in a computer-readable storage medium, and which, when executed, includes one or a combination of the steps of the method embodiments.
In addition, functional units in the embodiments of the present application may be integrated into one processing module, or each unit may exist alone physically, or two or more units are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. The integrated module may also be stored in a computer-readable storage medium if it is implemented in the form of a software functional module and sold or used as a separate product. The storage medium may be a read-only memory, a magnetic or optical disk, or the like.
While the present invention has been described with reference to the preferred embodiments, it will be understood by those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the invention as defined by the appended claims. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. An access control method, comprising:
a first network card of a physical host receives configuration information of a security group rule;
and a first virtual switch in the first network card sets the security group rule according to the configuration information of the security group rule, so that an external device accesses the physical host according to the security group rule.
2. The method of claim 1, wherein before the first network card of the physical host receives configuration information for security group rules, the method further comprises:
and under the condition that the physical host works in the first mode, the first network card controls the physical host to communicate with the external equipment through an external switch.
3. The method of claim 1, wherein the first virtual switch in the first network card sets security group rules according to configuration information of the security group rules to enable an external device to access the physical host according to the security group rules, comprising:
and the first virtual switch correspondingly adds the configuration information of the security group rule into the security group rule so as to carry out access limitation on the port of the physical host, so that the external equipment can access the physical host according to the security group rule.
4. The method of claim 3, wherein the first virtual switch correspondingly adding the configuration information of the security group rule to the security group rule so as to restrict access to the port of the physical host, so that an external device accesses the physical host according to the security group rule, comprises:
adding configuration information of the security group rule to the security group rule of the first virtual switch through a driver in the first network card;
and the first virtual switch executes a corresponding configuration instruction according to the security group rule to configure a port of the physical host, so that an external device accesses the physical host according to the security group rule.
5. The method of claim 1, wherein receiving configuration information of security group rules by the first network card of the physical host specifically comprises:
and the first network card of the physical host receives the configuration information of the security group rule through an external switch.
6. The method of any of claims 1-5, wherein configuration information for the security group rules includes at least one of: rule direction, protocol type, port range, authorization object, and priority.
7. A physical host, comprising:
an acquisition module for receiving configuration information of security group rules;
and the configuration module is used for setting the security group rules according to the configuration information of the security group rules so as to enable the external equipment to access the physical host according to the security group rules.
8. An access control system, characterized in that the access control system comprises: at least one physical host and an external switch for data transmission to the at least one physical host;
the physical host includes: running a first network card of a network card operating system; the network card operating system is configured with a first virtual switch, a security group rule is configured in the first virtual switch, and access control is performed on the physical host according to the security group rule;
and the physical host is connected with the external switch through the first network card.
9. A communication device, comprising: a processor and a memory, the memory having stored therein instructions that are loaded and executed by the processor to implement the method of any of claims 1-6.
10. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the method according to any one of claims 1-6.
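The claims describe a rule set kept in the first virtual switch of the network card: configuration information carrying a rule direction, protocol type, port range, authorization object and priority (claim 6) is added to the rule set by the card's driver (claims 3 and 4), and the virtual switch then restricts access to the host's ports accordingly. The following Python is an added, constructed model of that rule set and of the input validation a driver would want before accepting a rule; it is not the patent's or the applicant's code. Everything beyond the five fields of claim 6 is an assumption made here: each rule carries an allow/deny action, a lower priority number is evaluated first, priorities lie in 1..100, and a flow that matches no rule is denied.

```python
"""Model of the security-group rule set that the claims place in the first
virtual switch of the network card. Constructed illustration, not the patent's
or the applicant's code. Assumptions beyond the claims: each rule carries an
allow/deny action, a lower priority number is evaluated first, priority is
1..100, and traffic matching no rule is denied."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network, IPv6Network
from typing import List, Optional, Tuple, Union

VALID_DIRECTIONS = ("ingress", "egress")
VALID_PROTOCOLS = ("tcp", "udp", "icmp", "any")
VALID_ACTIONS = ("allow", "deny")


@dataclass(frozen=True)
class SecurityGroupRule:
    direction: str                          # "ingress"/"egress" relative to the physical host
    protocol: str                           # "tcp", "udp", "icmp" or "any"
    port_range: Optional[Tuple[int, int]]   # (low, high) for tcp/udp, None otherwise
    authorization_object: Union[IPv4Network, IPv6Network]  # remote CIDR the rule applies to
    priority: int                           # lower number wins (assumption)
    action: str                             # "allow"/"deny" (assumption, not in claim 6)


def parse_rule_config(config: dict) -> SecurityGroupRule:
    """Validate one item of configuration information (the claim 6 fields)
    before it enters the rule set. This models the driver in the network card
    refusing malformed input: a malformed rule accepted silently is a policy
    hole, not a policy."""
    direction = config["direction"]
    if direction not in VALID_DIRECTIONS:
        raise ValueError(f"unknown rule direction {direction!r}")
    protocol = config["protocol"]
    if protocol not in VALID_PROTOCOLS:
        raise ValueError(f"unknown protocol type {protocol!r}")
    port_range = config.get("port_range")
    if protocol in ("tcp", "udp"):
        if port_range is None:
            raise ValueError("tcp/udp rules require a port range")
        low, high = int(port_range[0]), int(port_range[1])
        if not 0 <= low <= high <= 65535:
            raise ValueError(f"invalid port range {port_range!r}")
        port_range = (low, high)
    else:
        port_range = None  # ports are meaningless for icmp / any
    # strict=False normalises host bits away, e.g. 10.1.2.3/8 -> 10.0.0.0/8
    network = ip_network(config["authorization_object"], strict=False)
    priority = int(config["priority"])
    if not 1 <= priority <= 100:  # assumed range
        raise ValueError(f"priority {priority} outside 1..100")
    action = config.get("action", "allow")
    if action not in VALID_ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    return SecurityGroupRule(direction, protocol, port_range, network, priority, action)


def config_is_valid(config: dict) -> bool:
    """True if parse_rule_config accepts the configuration information."""
    try:
        parse_rule_config(config)
        return True
    except (KeyError, ValueError, TypeError):
        return False


class VirtualSwitchRuleSet:
    """The security-group rule set held by the first virtual switch."""

    def __init__(self) -> None:
        self.rules: List[SecurityGroupRule] = []

    def add_configuration(self, config: dict) -> SecurityGroupRule:
        """Add configuration information to the rule set (claims 3 and 4)."""
        rule = parse_rule_config(config)
        self.rules.append(rule)
        # Stable sort: equal priorities keep insertion order, so evaluate()
        # is a deterministic first-match scan.
        self.rules.sort(key=lambda r: r.priority)
        return rule

    def evaluate(self, direction: str, protocol: str, port: Optional[int], remote_ip: str) -> str:
        """Decide one flow. remote_ip is the source for ingress and the
        destination for egress. Returns "allow" or "deny"."""
        addr = ip_address(remote_ip)
        for rule in self.rules:
            if rule.direction != direction:
                continue
            if rule.protocol not in ("any", protocol):
                continue
            if rule.port_range is not None:
                low, high = rule.port_range
                if port is None or not low <= port <= high:
                    continue
            net = rule.authorization_object
            if addr.version != net.version or addr not in net:
                continue
            return rule.action
        return "deny"  # default deny when nothing matches (assumption)


def build_sample_rule_set() -> VirtualSwitchRuleSet:
    """Constructed sample configuration, as an external switch might deliver it."""
    rs = VirtualSwitchRuleSet()
    for cfg in [
        {"direction": "ingress", "protocol": "tcp", "port_range": (22, 22),
         "authorization_object": "10.0.0.0/8", "priority": 1, "action": "allow"},
        {"direction": "ingress", "protocol": "tcp", "port_range": (3306, 3306),
         "authorization_object": "0.0.0.0/0", "priority": 1, "action": "deny"},
        {"direction": "ingress", "protocol": "tcp", "port_range": (80, 443),
         "authorization_object": "0.0.0.0/0", "priority": 5, "action": "allow"},
        {"direction": "ingress", "protocol": "tcp", "port_range": (1, 65535),
         "authorization_object": "10.0.0.0/8", "priority": 20, "action": "allow"},
        {"direction": "ingress", "protocol": "icmp",
         "authorization_object": "10.0.0.0/8", "priority": 1, "action": "allow"},
        {"direction": "egress", "protocol": "any",
         "authorization_object": "0.0.0.0/0", "priority": 1, "action": "allow"},
    ]:
        rs.add_configuration(cfg)
    return rs


if __name__ == "__main__":
    rs = build_sample_rule_set()
    # The deny on 3306 (priority 1) beats the broad internal allow (priority 20).
    print(rs.evaluate("ingress", "tcp", 3306, "10.5.5.5"))   # deny
    print(rs.evaluate("ingress", "tcp", 22, "203.0.113.5"))  # deny
```

The point worth noticing is in `evaluate`: because the rule set is sorted by priority and scanned first-match, a narrow deny with a low priority number overrides a broad allow with a higher number, and anything the configuration never mentions falls through to deny. A version-mismatched address (an IPv6 peer against IPv4-only rules) matches nothing and is therefore denied rather than silently allowed.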
CN202110124192.7A 2021-01-29 2021-01-29 Access control method, system, physical host and communication equipment Pending CN112968867A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110124192.7A CN112968867A (en) 2021-01-29 2021-01-29 Access control method, system, physical host and communication equipment

Publications (1)

Publication Number Publication Date
CN112968867A true CN112968867A (en) 2021-06-15

Family

ID=76272469

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110124192.7A Pending CN112968867A (en) 2021-01-29 2021-01-29 Access control method, system, physical host and communication equipment

Country Status (1)

Country Link
CN (1) CN112968867A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114448904A (en) * 2022-03-04 2022-05-06 上海交通大学 Method for application identification and fine-grained flow control in Open VSwitch software switch

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100333189A1 (en) * 2009-06-30 2010-12-30 Sun Microsystems, Inc. Method and system for enforcing security policies on network traffic
CN105376256A (en) * 2015-12-08 2016-03-02 国云科技股份有限公司 Openflow based method for controlling user to access virtual machine
CN108322467A (en) * 2018-02-02 2018-07-24 云宏信息科技股份有限公司 Virtual firewall configuration method, electronic equipment and storage medium based on OVS
CN111092876A (en) * 2019-12-12 2020-05-01 北京首都在线科技股份有限公司 Multi-host system, information processing method and device for multi-host system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
刘畅等: "智能网卡应用于云网络加速方案研究", 《电信工程技术与标准化》 *

Legal Events

Date Code Title Description
20210615 PB01 Publication (application publication date: 20210615)
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication