WO2016201780A1 - Gateway management method and apparatus - Google Patents
- Publication number: WO2016201780A1 (PCT/CN2015/087844)
- Authority: WO, WIPO (PCT)
- Prior art keywords: packet, address, management policy, flow table, preset management
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
      - H04L12/00—Data switching networks
        - H04L12/66—Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
Definitions
- the present invention relates to the field of communications, and in particular to a gateway management method and apparatus.
- In the related art, the RADIUS protocol is used for authentication and the process is complicated; an edge acquisition control unit adds data synchronization work, so the system overhead is large; and classification is based on Uniform Resource Locator (URL) information, Transmission Control Protocol (TCP) port and destination IP address, which is less intuitive than application-based classification and places high demands on maintenance personnel.
- In another related-art approach, a hardware module is added to judge online behavior, so that the online behavior of all users in the local area network can be controlled; the added hardware raises equipment cost and is not suitable for cost-sensitive small and medium-sized enterprises (SMEs).
- The present invention provides a gateway management method and apparatus, which solve at least the technical problem that, in the related art, controlling the online behavior of users in a local area network is complicated in operation, low in efficiency and high in cost.
- A gateway management method including: obtaining an Internet access packet of a terminal, and finding whether the packet has a record in a quintuple flow table, where the quintuple flow table is generated by recording the preset management policy of a packet once that policy has been found;
- if the packet has a record in the quintuple flow table, processing the packet according to the preset management policy.
- Searching for the preset management policy corresponding to the packet includes: identifying the service application of the packet according to the feature information of the packet, and searching for the preset management policy according to the feature information and the service application.
- The feature information of the packet includes at least one of the following: an IP address, a port number and a domain name.
- The preset management policy includes at least one of the following:
- performing an execution action corresponding to the application service, where the execution action is one of forwarding, blocking and speed limiting;
- performing the execution action corresponding to the application service only within a preset time period.
- Before the preset management policy corresponding to the packet is searched for, the method further includes: obtaining the user information received by the terminal and authenticating the terminal; if the authentication passes, recording the IP address of the packet in an IP address authentication table, where the IP address authentication table is used to authenticate packets from that IP address.
- When the IP address in the IP address authentication table is released, the IP address is deleted from the IP address authentication table.
- If the packet has no record in the quintuple flow table, the preset management policy corresponding to the packet is searched for; if it is found, the preset management policy of the packet is recorded in the quintuple flow table.
- If the packet's record in the quintuple flow table carries a flag indicating that the packet must be sent up again, the preset management policy corresponding to the packet is searched for; if it is found, the preset management policy of the packet is recorded in the quintuple flow table.
- When no packet of the flow arrives for a period of time, the record of the packet in the quintuple flow table is deleted.
- The quintuple flow table includes at least one of the following: the source IP address, source port, destination IP address, destination port and transport layer protocol of the packet, the execution action of the preset management policy corresponding to the packet, and a flag indicating whether the packet must be sent up.
- A gateway management apparatus including:
- an obtaining module configured to obtain an Internet access packet of a terminal and find whether the packet has a record in a quintuple flow table, where the quintuple flow table is generated by recording the preset management policy of a packet once that policy has been found;
- a processing module configured to process the packet according to the preset management policy if the packet has a record in the quintuple flow table.
- the device further includes:
- the identification module is configured to identify a service application of the packet according to the feature information of the packet;
- the locating module is configured to search for a preset management policy corresponding to the packet according to the feature information and the service application.
- the device further includes:
- a receiving module configured to acquire the user information received by the terminal and authenticate the terminal;
- an authentication module configured to record the IP address of the packet in the IP address authentication table if the authentication passes, where the IP address authentication table is used to authenticate packets from that IP address.
- The quintuple flow table includes at least one of the following: the source IP address, source port, destination IP address, destination port and transport layer protocol of the packet, the execution action of the preset management policy corresponding to the packet, and a flag indicating whether the packet must be sent up.
- In the above solution, the Internet access packet of the terminal is obtained and the preset management policy corresponding to the packet is searched for; if it is found, the preset management policy of the packet is recorded in the quintuple flow table. When an Internet access packet of the terminal is obtained again, the quintuple flow table is checked for a record of the packet, and if one exists the packet is processed according to the preset management policy.
- This solves the problem that, in the related art, controlling the online behavior of users in the local area network is complicated in operation, low in efficiency and high in cost: efficiency is improved, no hardware is added, and equipment cost is effectively controlled.
- FIG. 1 is a flowchart of a gateway management method according to an embodiment of the present invention.
- FIG. 2 is a structural block diagram of a gateway management apparatus according to an embodiment of the present invention.
- FIG. 3 is a schematic diagram of an online behavior management application system according to a preferred embodiment of the present invention.
- FIG. 4 is a block diagram showing the principle of online behavior management according to a preferred embodiment of the present invention.
- FIG. 5 is a schematic flowchart of a process for processing an online behavior management message according to a preferred embodiment of the present invention.
- FIG. 6 is a schematic diagram of an administrator configuration in accordance with a preferred embodiment of the present invention.
- FIG. 7 is a schematic diagram of a policy search process according to a preferred embodiment of the present invention.
- FIG. 8 is a flow chart showing an IP address release process according to a preferred embodiment of the present invention.
- FIG. 1 is a flowchart of a gateway management method according to an embodiment of the present invention. As shown in FIG. 1, the process includes the following steps:
- Step S102: Obtain an Internet access packet of the terminal, and find whether the packet has a record in the quintuple flow table, where the quintuple flow table is generated by recording the preset management policy of a packet once that policy has been found;
- Step S104: If the packet has a record in the quintuple flow table, process the packet according to the preset management policy.
- Through the above steps, the Internet access packet of the terminal is obtained, the preset management policy corresponding to the packet is searched for and recorded in the quintuple flow table, and subsequently received packets are checked against the quintuple flow table. If a packet has a record there, it is processed according to the preset management policy, so the packet does not have to be parsed every time. This solves the problem that, in the related art, controlling the online behavior of users in the local area network is complicated in operation, low in efficiency and high in cost: efficiency is improved, no hardware is added, and equipment cost is effectively controlled.
- Searching for the preset management policy corresponding to the packet includes: identifying the service application of the packet according to the feature information of the packet, and searching for the preset management policy according to the feature information and the service application.
- The feature information of the packet includes at least one of the following: an IP address, a port number and a domain name.
- The preset management policy may take multiple forms, and different preset management policies may be formulated according to the application service of the packet, the access time, the rights of the user group to which the source address of the packet belongs, and the like.
- The preset management policy includes at least one of the following: performing an execution action corresponding to the application service, where the execution action is one of forwarding, blocking and speed limiting; and performing the execution action corresponding to the application service within a preset time period.
- Before the preset management policy corresponding to the packet is searched for, the user information received by the terminal is obtained and the terminal is authenticated. If the authentication passes, the IP address of the packet is recorded in an IP address authentication table, where the IP address authentication table is used to authenticate packets from that IP address.
- When the IP address in the IP address authentication table is released, the IP address is deleted from the IP address authentication table.
- The quintuple flow table includes at least one of the following: the source IP address of the packet, the source port of the packet, the destination IP address of the packet, the destination port of the packet, the transport layer protocol, the execution action of the preset management policy corresponding to the packet, and a flag indicating whether the packet must be sent up.
- If the packet has no record in the quintuple flow table, the preset management policy corresponding to the packet is searched for; if it is found, the preset management policy of the packet is recorded in the quintuple flow table. If the packet's record in the quintuple flow table carries a flag indicating that the packet must be sent up, the preset management policy corresponding to the packet is searched for; if it is found, the preset management policy of the packet is recorded in the quintuple flow table.
- A gateway management device is also provided, which is used to implement the foregoing embodiments and preferred embodiments; what has already been described is not repeated.
- The term "module" may denote software, hardware, or a combination of both that implements a predetermined function.
- The apparatus described in the following embodiments is preferably implemented in software, but implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
- FIG. 2 is a structural block diagram of a gateway management apparatus according to an embodiment of the present invention. As shown in FIG. 2, the apparatus includes:
- an obtaining module 22 configured to obtain the Internet access packet of the terminal, and find whether the packet has a record in the quintuple flow table, where the quintuple flow table is generated by recording the preset management policy of a packet once that policy has been found;
- a processing module 24 configured to process the packet according to the preset management policy if the packet has a record in the quintuple flow table.
- The device obtains the Internet access packet of the terminal, searches for the preset management policy corresponding to the packet, records it in the quintuple flow table, and checks subsequently received packets against the quintuple flow table. If a packet has a record there, it is processed according to the preset management policy, so the packet does not have to be parsed every time. This solves the problem that, in the related art, controlling the online behavior of users in the local area network is complicated in operation, low in efficiency and high in cost: efficiency is improved, no hardware is added, and equipment cost is effectively controlled.
- the device further includes:
- the identification module is configured to identify a service application of the packet according to the feature information of the packet;
- the locating module is configured to search for a preset management policy corresponding to the packet according to the feature information and the service application.
- the device further includes:
- a receiving module configured to acquire the user information received by the terminal and authenticate the terminal;
- an authentication module configured to record the IP address of the packet in the IP address authentication table if the authentication passes, where the IP address authentication table is used to authenticate packets from that IP address.
- The quintuple flow table includes at least one of the following: the source IP address, source port, destination IP address, destination port and transport layer protocol of the packet, the execution action of the preset management policy corresponding to the packet, and a flag indicating whether the packet must be sent up.
- the preferred embodiment provides a method for implementing user online behavior management, and belongs to the field of broadband access communication.
- it relates to a method for implementing online behavior management of users on a small and medium-sized enterprise gateway device.
- The preferred embodiment implements functions such as user authentication and application control (blocking or speed limiting). It provides fine-grained control of users' online behavior: user groups can be created, different policy templates bound to different user groups, and Internet access rights controlled accordingly.
- The policy template is based on the specific application of the user's online behavior (such as QQ, Youku video, PPLIVE, etc.). Combined with time period settings and user grouping, it can specify when which users' online behavior is restricted.
- The method has its own authentication system (web authentication). The user does not need to install a client; any terminal (computer or mobile phone) accessing the network must be authenticated before it can connect to the Internet. This is convenient for network administrators to operate and maintain.
- the system consists of a policy library management module, an in-depth packet parsing module, and a packet forwarding module.
- the deep packet parsing module implements the judgment of the user's online behavior, and is implemented by software. It does not need to add hardware modules, and can effectively control the cost of the router, and is particularly suitable for small and medium-sized enterprises that are sensitive to management costs.
- The technical problem to be solved by the preferred embodiment is to overcome the difficulty, in the prior art, of implementing the user online behavior management function on a small and medium-sized enterprise gateway, and to provide, on a small enterprise gateway device with a passive optical network (PON) uplink, a high-efficiency, easy-to-operate, low-cost user online behavior management method.
- the preferred embodiment records the user's recent online behavior.
- the same online behavior of the user can be processed in the packet forwarding module without the participation of the deep packet parsing module and the policy library management module, thereby improving the packet forwarding rate.
- the preferred embodiment has a web authentication function, and the user terminal does not need to install a client, and is suitable for an application scenario in which the intranet accesses the Internet.
- the online behavior is based on a specific application classification, and supports user group configuration and is convenient for management.
- the method is implemented by software, and does not require a gateway device to separately add a hardware module, thereby effectively controlling the cost of
- the policy library management module includes a configuration submodule, a database submodule, and a user authentication submodule.
- The network administrator operates the web configuration interface of the enterprise gateway to configure user information (including user name, password, user group, and disabled or activated state), user groups (including user group name, bound policy template and bound time period template), time period templates (including template name and start and end time) and policy templates (including template name and the policy actions for one application or one class of applications); all of these are stored in the database according to its table structure.
- the policy template includes applications (supporting an application or a certain type of application, such as QQ, Thunder download, Youku video, P2P class, video class, game class, etc.) and actions (forwarding, blocking, speed limit, etc.).
- the specific configuration method is to classify the user into a user group.
- the user group is bound to the policy template and the time period template.
- the policy template takes effect in the corresponding time period.
- The deep packet parsing module includes a Deep Packet Inspection (DPI) engine and a feature library for analyzing the online behavior of the user, and can identify the most common online applications. Based on the analysis result, the corresponding policy configuration is looked up in the database of the policy library management module, and the packet forwarding module is notified to block or rate-limit the user's online behavior.
- The packet forwarding module includes a packet intercepting submodule, an IP address authentication table and a quintuple flow table. It implements functions such as intercepting users' Internet access packets, recording IP address authentication, and maintaining quintuple flow table records.
- The IP address authentication table records the authentication status of IP addresses. If the address is authenticated, the packet proceeds to quintuple flow table processing; if not, the user authentication submodule of the policy library management module is notified to authenticate the user.
- The quintuple flow table records the source IP address, source port, destination IP address, destination port and transport layer protocol (that is, the quintuple), the policy action, whether the packet needs to be sent to the deep packet parsing module, and so on.
- If the packet has a record in the quintuple flow table, it can be processed directly according to the policy action in that record.
- Otherwise, the quintuple flow table must be notified, the packet is sent to the deep packet parsing module, which parses it and queries the policy library management module, and the quintuple flow table is then notified to perform the current policy action.
- the preferred embodiment provides a method for implementing a user's online behavior management by a small and medium-sized enterprise gateway, including the following steps:
- In the first step, the user accesses the Internet through the enterprise gateway.
- The packet forwarding module intercepts the user's Internet access packet and searches the IP address authentication table. If the IP address is authenticated, the process proceeds to the next step; if not, the enterprise gateway pushes the web authentication page to the user terminal, and the user enters a username and password to authenticate.
- The user authentication submodule in the policy library management module checks whether the user is permitted to access the Internet. If the authentication passes, the user's IP address is saved in the user information in the database and recorded in the IP address authentication table, and the process proceeds to the next step. If the authentication fails, the packet is discarded and the user is prohibited from accessing the Internet.
- The second step is to search the quintuple flow table. If the packet has a record and the flag does not require sending to the deep packet parsing module, the policy action in the flow table (forward, discard or rate limit) is performed. If the flag requires sending to the deep packet parsing module, or there is no record for the packet, go to the next step.
- Step 3: The packet is sent to the deep packet parsing module, which extracts feature information from the packet content, such as the IP address, port number and domain name, and identifies the service application of the user's online behavior.
- The characteristics of some packets may change frequently; for the QQ application, for example, different QQ client versions use different login server addresses and have different packet characteristics.
- The deep packet parsing module must determine the user's application correctly from this constantly changing feature information. Therefore, the signature database must be continuously updated, and the packet characteristics of Internet applications kept backward compatible. Some service applications may require several packets before they can be identified. After the packet parsing action is completed, proceed to the next step.
- Step 4: According to the parsing result, the database of the policy library management module is searched for the policy (forward, block, rate limit, etc.) that applies at the current moment to the user (source IP address) and the identified application (such as QQ, Thunder download or Youku video), and the packet forwarding module is notified; proceed to the next step.
- Step 5: The packet forwarding module writes the quintuple flow table, recording the packet's quintuple information and policy action, and performs the policy action on the packet.
- Step 6: If the user's IP address is released, the Dynamic Host Configuration Protocol (DHCP) module notifies the packet forwarding module, which deletes the entry from the IP address authentication table and notifies the database to delete the IP address from the user information.
- the preferred embodiment has the characteristics of high efficiency, easy operation, and low cost.
- High efficiency: maintaining the quintuple flow table reduces the number of deep packet parsing passes; deep parsing consumes CPU resources and adds packet processing delay, so the presence of the quintuple flow table improves packet forwarding efficiency. There is only one database recording user information and policies, namely the database submodule in the policy library management module, so there is no data synchronization problem between multiple databases and system overhead is reduced.
- Easy operation: the user terminal does not need a client installed; the preferred embodiment has a web authentication function, so the user authentication process is simpler; users and user groups are managed at two levels; and service classification is based on specific service applications, which is convenient for network administrators.
- Low cost: the method is realized in software and does not need an added hardware module, so the cost of the enterprise gateway is effectively controlled.
- FIG. 3 is a schematic diagram of an online behavior management application system according to a preferred embodiment of the present invention.
- As shown in FIG. 3, a company-internal terminal accesses the company intranet, and the enterprise gateway dynamically allocates an IP address to the user terminal; traffic from users to the external network must pass through the enterprise gateway device.
- the online behavior management is completely implemented by the enterprise gateway device, and the user terminal does not need to install the client.
- FIG. 4 is a block diagram showing the principle of the composition of the online behavior management according to a preferred embodiment of the present invention.
- FIG. 5 is a schematic diagram of the processing flow for an online behavior management packet according to a preferred embodiment of the present invention. As shown in FIG. 4 and FIG. 5, the specific implementation process of the preferred embodiment is as follows:
- When the packet forwarding module intercepts a user's Internet access packet, it searches the IP address authentication table to determine whether the user's IP address has been authenticated. If not, the authentication process is entered.
- Authentication is completed in the policy library management module: the user name and password entered on the user authentication web page are compared with those saved in the database. If the authentication passes, the user's IP address is saved in the user information in the database and written to the IP address authentication table. If the authentication fails, the intercepted Internet access packet is discarded.
- The packet is then looked up in the quintuple flow table. If it has a record there and does not need to be sent up, it is forwarded according to the policy action in the quintuple flow table; if there is no record, or the record says the packet needs to be sent up, the packet is sent to the deep packet parsing module.
- The deep packet parsing module parses the application, URL information and the like of the packet with the DPI engine and the signature database. According to the application type, the policy library management module finds the current policy action.
- The quintuple information of the packet, the application of the user's online behavior, the URL information and the policy action are notified to the packet forwarding module, which writes the quintuple flow table, clears the flag for sending to the deep packet parsing module, and forwards the packet according to the policy action.
- Aging of the quintuple flow table is implemented by a timer: if no packet of a flow arrives for a period of time, the flow record is deleted from the quintuple flow table.
- The policy library management module maintains a timer to check whether the time period templates are in effect. If the effective time period template bound to a user group changes, the quintuple flow table of the packet forwarding module is notified and the flag for sending the packet to the deep packet parsing module is set to true.
- FIG. 6 is a schematic diagram of an administrator configuration according to a preferred embodiment of the present invention. As shown in FIG. 6, the specific implementation process is as follows:
- The network administrator can configure or read the online behavior management parameters through the web page.
- The configuration method is as follows: a user joins a user group, and the user group binds a policy template and the corresponding time period template.
- The activation status in the user information can be set to activated or disabled by the network administrator.
- Multiple IP addresses per user are supported, so the same user can log in on several terminals.
- The IP address and authentication status are read-only.
- The policy template takes effect during the period defined by the bound time period template.
- FIG. 7 is a schematic diagram of a policy search process according to a preferred embodiment of the present invention. As shown in FIG. 7, the specific implementation process is as follows:
- The policy template and time period template bound to the user group are queried, the policy template valid at the current time is obtained, the policy action for the application in that policy template is written into the quintuple flow table together with the quintuple information of the packet, and the packet is forwarded according to the policy action.
- FIG. 8 is a schematic diagram of a process for releasing an IP address according to a preferred embodiment of the present invention. As shown in FIG. 8, the specific implementation process is as follows:
- After DHCP releases the user's IP address, it notifies the online behavior management module to delete the IP address record from the IP address authentication table and to delete the user's IP address from the database.
- As an example, employees of the finance department are not allowed to log in to the Youku website during working hours from 9:00 to 17:00.
- The company's network administrator gives Zhang San the account zhangsan with password zhangs for Internet access, and adds the user zhangsan to the user group "finance department".
- The user group "finance department" binds the policy template p1 and the time period template t1.
- p1 is configured to block Youku (applications not configured are allowed by default), and t1 is configured as working hours, Monday to Friday from 9:00 to 17:00.
- Zhang San's computer obtains the internal IP address 192.168.1.10 from the gateway. After arriving at work, Zhang San tries to log in to the Youku website. The user authentication table is searched by the source IP address 192.168.1.10 of the request packet; since there is no record for this client, the gateway pushes the web authentication page to Zhang San's computer. After Zhang San enters the account zhangsan and password zhangs, they are verified against the user information recorded in the database. Once verification passes, the account zhangsan is recorded in the user authentication table with the corresponding IP address 192.168.1.10, and the user information in the database records that user zhangsan corresponds to IP address 192.168.1.10.
- The quintuple flow table is searched by the quintuple information of the request packet; no matching entry is found, so the packet must be sent to the deep packet parsing module to analyze its feature values. The application is judged to be the Youku website; the database is then looked up, and it is found that the user with IP address 192.168.1.10 is not allowed to log in to Youku at the current time. The system therefore writes the quintuple information of Zhang San's Youku login request and the blocking action into the quintuple flow table, and according to the quintuple flow table the Youku application is blocked.
- Zhang San finds that he cannot watch videos on Youku and tries to log in to Sina.com.
- The request packet is first looked up in the authentication table, which shows that IP address 192.168.1.10 corresponds to user zhangsan and has passed authentication. The quintuple flow table is then searched; no matching entry is found, so the packet is sent to the deep packet parsing module. After it is identified as the Sina website, the database is checked for the policy applying to the user with IP address 192.168.1.10 at the current moment, and the quintuple information of the packet and the allow action are written into the quintuple flow table. According to the quintuple flow table, Zhang San can log in to Sina.
- When Zhang San's computer no longer uses the IP address 192.168.1.10 and is assigned 192.168.1.20, the entry for account zhangsan with IP address 192.168.1.10 that previously passed authentication is deleted from the IP address authentication table, and the IP address in the database record of user zhangsan is also deleted.
- When Zhang San accesses the Internet again, he must re-authenticate.
- The method according to the above embodiment can be implemented by software plus the necessary general-purpose hardware platform, or of course by hardware, but in many cases the former is the better implementation.
- The technical solution of the present invention, or the part of it that contributes over the prior art, may be embodied as a software product stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) that includes a number of instructions for causing a terminal device (which may be a mobile phone, a computer, a server, a network device, etc.) to perform the methods described in the various embodiments of the present invention.
- Embodiments of the present invention also provide a storage medium.
- The foregoing storage medium may be configured to store program code for performing the method steps of the above embodiment.
- The foregoing storage medium may include, but is not limited to, a USB flash drive, a Read-Only Memory (ROM), a Random Access Memory (RAM), a mobile hard disk or a magnetic disk.
- The processor executes the method of the above embodiment according to the program code stored in the storage medium.
- The modules or steps of the present invention described above can be implemented by a general-purpose computing device; they may be centralized on a single computing device or distributed across a network of multiple computing devices. Alternatively, they may be implemented as program code executable by the computing device, so that they can be stored in a storage device and executed by the computing device, and in some cases the steps shown or described may be performed in an order different from the one given here. They may also be separately fabricated as individual integrated circuit modules, or a plurality of the modules or steps may be fabricated as a single integrated circuit module.
- The invention is not limited to any specific combination of hardware and software.
- The Internet access packet of the terminal is obtained and the preset management policy corresponding to the packet is searched for. When the preset management policy of the packet is found, it is recorded in the quintuple flow table. When an Internet access packet of the terminal is obtained again, the quintuple flow table is searched for a record of that packet, and if a record exists the packet is processed according to the preset management policy. This addresses the complicated operation, low efficiency and high cost of the related techniques for controlling the online behavior of users in a local area network, improving efficiency and effectively controlling equipment cost.
Abstract
Description
The present invention relates to the field of communications, and in particular to a gateway management method and apparatus.
For company management, preventing employees from chatting online, watching online movies, downloading via P2P, playing online games, trading stocks and other work-unrelated activities during working hours not only improves employee productivity but also greatly reduces the load on the network, achieving two goals at once. Implementing an online behavior management function on the enterprise router effectively restrains and regulates employees' work behavior and improves efficiency; it is an electronic aid to administrative management.
In the related art, authentication uses the RADIUS protocol and the process is relatively complex; an edge collection and control unit adds data synchronization work and considerable system overhead; and classification is based on Uniform Resource Locator (URL) information, Transmission Control Protocol (TCP) port, destination IP address and the like, which, compared with application-based classification, is not intuitive enough and places high demands on maintenance staff.
In addition, hardware modules are added on top of an ordinary router to judge online behavior and thereby control the online behavior of all users in the local area network. Adding hardware modules raises equipment cost and is unsuitable for cost-sensitive small and medium-sized enterprises (SMEs).
No effective solution has yet been proposed for the problem in the related art that the technical operation of controlling the online behavior of users in a local area network is complicated, inefficient and costly.
Summary of the invention
The present invention provides a gateway management method and apparatus, so as at least to solve the problem in the related art that controlling the online behavior of users in a local area network is complicated in operation, low in efficiency and high in cost.
According to an embodiment of the present invention, a gateway management method is provided, including:
obtaining an Internet access packet of the terminal and searching whether the packet has a record in the quintuple flow table, where the quintuple flow table is generated by recording the preset management policy of the packet when the preset management policy of the packet is found;
when the packet has a record in the quintuple flow table, processing the packet according to the preset management policy.
In an embodiment of the present invention, finding the preset management policy corresponding to the packet includes:
identifying the service application of the packet according to the feature information of the packet;
searching for the preset management policy corresponding to the packet according to the feature information and the service application.
In an embodiment of the present invention, the feature information of the packet includes at least one of the following:
IP address, port number, domain name.
In an embodiment of the present invention, the preset management policy includes at least one of the following:
executing the execution action corresponding to the application service, the execution action being one of: forwarding, blocking, rate limiting;
executing the execution action corresponding to the application service within a preset time period.
In an embodiment of the present invention, before the preset management policy corresponding to the packet is found, the method includes:
obtaining the user information received by the terminal and authenticating the terminal;
when authentication passes, recording the IP address of the packet in an IP address authentication table, where the IP address authentication table is used to authenticate packets from that IP address.
In an embodiment of the present invention, when an authenticated IP address in the IP address authentication table is released, the IP address is deleted from the IP address authentication table.
In an embodiment of the present invention, when the packet has no record in the quintuple flow table, the preset management policy corresponding to the packet is searched for;
when the preset management policy of the packet is found, the preset management policy of the packet is recorded in the quintuple flow table.
In an embodiment of the present invention, when the record of the packet in the quintuple flow table carries a flag bit indicating that the packet is to be reported (sent up for parsing), the preset management policy corresponding to the packet is searched for;
when the preset management policy of the packet is found, the preset management policy of the packet is recorded in the quintuple flow table.
In an embodiment of the present invention, if no data flow corresponding to the packet is received within a preset time threshold, the record of the packet in the quintuple flow table is deleted.
In an embodiment of the present invention, the quintuple flow table includes at least one of the following:
the source IP address of the packet, the source port of the packet, the destination IP address of the packet, the destination port of the packet, the transport layer protocol, the execution action of the preset management policy corresponding to the packet, and a flag bit indicating whether the packet is to be reported.
According to another embodiment of the present invention, a gateway management apparatus is further provided, including:
an obtaining module, configured to obtain an Internet access packet of the terminal and search whether the packet has a record in the quintuple flow table, where the quintuple flow table is generated by recording the preset management policy of the packet when the preset management policy of the packet is found;
a processing module, configured to process the packet according to the preset management policy when the packet has a record in the quintuple flow table.
In an embodiment of the present invention, the apparatus further includes:
an identification module, configured to identify the service application of the packet according to the feature information of the packet;
a search module, configured to search for the preset management policy corresponding to the packet according to the feature information and the service application.
In an embodiment of the present invention, the apparatus further includes:
a receiving module, configured to obtain the user information received by the terminal and authenticate the terminal;
an authentication module, configured to record the IP address of the packet in an IP address authentication table when authentication passes, where the IP address authentication table is used to authenticate packets from that IP address.
In an embodiment of the present invention, the quintuple flow table includes at least one of the following:
the source IP address of the packet, the source port of the packet, the destination IP address of the packet, the destination port of the packet, the transport layer protocol, the execution action of the preset management policy corresponding to the packet, and a flag bit indicating whether the packet is to be reported.
Through the present invention, the Internet access packet of the terminal is obtained and the preset management policy corresponding to the packet is searched for; when the preset management policy of the packet is found, it is recorded in the quintuple flow table. When an Internet access packet of the terminal is obtained again, the quintuple flow table is searched for a record of the packet, and if a record exists the packet is processed according to the preset management policy. This solves the problem that controlling the online behavior of users in a local area network is complicated in operation, inefficient and costly, improving efficiency and effectively controlling equipment cost without adding hardware.
The drawings described herein are intended to provide a further understanding of the invention and form a part of this application; the illustrative embodiments of the invention and their description are used to explain the invention and do not unduly limit it. In the drawings:
FIG. 1 is a flowchart of a gateway management method according to an embodiment of the present invention;
FIG. 2 is a structural block diagram of a gateway management apparatus according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of an online behavior management application system according to a preferred embodiment of the present invention;
FIG. 4 is a block diagram of the composition principle of online behavior management according to a preferred embodiment of the present invention;
FIG. 5 is a schematic flowchart of online behavior management packet processing according to a preferred embodiment of the present invention;
FIG. 6 is a schematic diagram of administrator configuration according to a preferred embodiment of the present invention;
FIG. 7 is a schematic flowchart of policy lookup according to a preferred embodiment of the present invention;
FIG. 8 is a schematic flowchart of IP address release processing according to a preferred embodiment of the present invention.
The invention is described in detail below with reference to the drawings and in conjunction with the embodiments. It should be noted that, where no conflict arises, the embodiments in this application and the features in the embodiments may be combined with each other.
A gateway management method is provided in this embodiment. FIG. 1 is a flowchart of a gateway management method according to an embodiment of the present invention. As shown in FIG. 1, the process includes the following steps:
Step S102: obtain an Internet access packet of the terminal and search whether the packet has a record in the quintuple flow table, where the quintuple flow table is generated by recording the preset management policy of the packet when the preset management policy of the packet is found;
Step S104: when the packet has a record in the quintuple flow table, process the packet according to the preset management policy.
Through the above steps, the Internet access packet of the terminal is obtained, the preset management policy corresponding to the packet is searched for, and the preset management policy of the packet is recorded in the quintuple flow table. For subsequently received packets, the quintuple flow table is checked for a record, and when a record exists the packet is processed according to the preset management policy, so that not every packet has to be parsed and recorded. This solves the problem that controlling the online behavior of users in a local area network is complicated in operation, inefficient and costly, improving efficiency and effectively controlling equipment cost without adding hardware.
In this embodiment, finding the preset management policy corresponding to the packet includes: identifying the service application of the packet according to its feature information; and searching for the preset management policy corresponding to the packet according to the feature information and the service application. The feature information of the packet includes at least one of an IP address, a port number and a domain name.
In this embodiment, the preset management policy can take many forms: different preset management policies can be formulated according to the application service of the packet, the access time, the permissions of the user group to which the packet's source address belongs, and so on. For example, the preset management policy includes at least one of the following: executing the execution action corresponding to the application service, the execution action being one of forwarding, blocking and rate limiting; and executing that execution action within a preset time period.
In this embodiment, the user information received by the terminal is obtained and the terminal is authenticated; when authentication passes, the IP address of the packet is recorded in an IP address authentication table, which is used to authenticate packets from that IP address.
In this embodiment, when an authenticated IP address in the IP address authentication table is released, the IP address is deleted from the IP address authentication table.
In this embodiment, the quintuple flow table includes at least one of the following: the source IP address of the packet, the source port of the packet, the destination IP address of the packet, the destination port of the packet, the transport layer protocol, the execution action of the preset management policy corresponding to the packet, and a flag bit indicating whether the packet is to be reported.
When the packet has no record in the quintuple flow table, the preset management policy corresponding to the packet is searched for, and when it is found it is recorded in the quintuple flow table. When the packet's record in the quintuple flow table carries the flag bit indicating that the packet is to be reported, the preset management policy corresponding to the packet is searched for again, and when it is found it is recorded in the quintuple flow table.
If no data flow corresponding to the packet is received within a preset time threshold, the record of the packet in the quintuple flow table is deleted.
This embodiment also provides a gateway management apparatus for implementing the above embodiments and preferred implementations; what has already been described is not repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the apparatus described in the following embodiments is preferably implemented in software, implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
FIG. 2 is a structural block diagram of a gateway management apparatus according to an embodiment of the present invention. As shown in FIG. 2, the apparatus includes:
an obtaining module 22, configured to obtain an Internet access packet of the terminal and search whether the packet has a record in the quintuple flow table, where the quintuple flow table is generated by recording the preset management policy of the packet when the preset management policy of the packet is found;
a processing module 24, configured to process the packet according to the preset management policy when the packet has a record in the quintuple flow table.
Through the above apparatus, the Internet access packet of the terminal is obtained, the preset management policy corresponding to the packet is searched for, and the preset management policy of the packet is recorded in the quintuple flow table. For subsequently received packets, the quintuple flow table is checked for a record, and when a record exists the packet is processed according to the preset management policy, so that not every packet has to be parsed and recorded. This solves the problem that controlling the online behavior of users in a local area network is complicated in operation, inefficient and costly, improving efficiency and effectively controlling equipment cost without adding hardware.
In this embodiment, the apparatus further includes:
an identification module, configured to identify the service application of the packet according to the feature information of the packet;
a search module, configured to search for the preset management policy corresponding to the packet according to the feature information and the service application.
In this embodiment, the apparatus further includes:
a receiving module, configured to obtain the user information received by the terminal and authenticate the terminal;
an authentication module, configured to record the IP address of the packet in an IP address authentication table when authentication passes, where the IP address authentication table is used to authenticate packets from that IP address.
In this embodiment, the quintuple flow table includes at least one of the following:
the source IP address of the packet, the source port of the packet, the destination IP address of the packet, the destination port of the packet, the transport layer protocol, the execution action of the preset management policy corresponding to the packet, and a flag bit indicating whether the packet is to be reported.
The invention is described in detail below according to preferred embodiments and implementations.
Preferred embodiment 1
This preferred embodiment provides a method for implementing user online behavior management. It belongs to the field of broadband access communication and in particular relates to a method for implementing user online behavior management on the gateway equipment of small and medium-sized enterprises.
This preferred embodiment implements user authentication, application control (blocking or rate limiting) and similar functions. It provides fine-grained control of users' online behavior: user groups can be created, different policy templates bound to different user groups, and Internet access rights controlled. Policy templates are based on the specific applications of users' online behavior (such as QQ, Youku video, PPLIVE, etc.); combined with time period settings and user grouping, they let the administrator specify a plan of which online behavior of which users is restricted during which time periods. The method has its own authentication system (web authentication): users do not need to install a client, and a terminal (computer or mobile phone) accessing the network must pass authentication before it can connect to the Internet. This is convenient for network administrators to operate and maintain.
The system consists of a policy library management module, a deep packet parsing module and a packet forwarding module. The deep packet parsing module judges users' online behavior and is implemented in software, so no hardware module needs to be added; this effectively controls router cost and is especially suitable for small and medium-sized enterprises that are sensitive to management cost.
The technical problem to be solved by this preferred embodiment is to overcome the lack, in the prior art, of a user online behavior management function for SME gateways, and to provide a high-efficiency, easy-to-operate, low-cost user online behavior management method on SME gateway equipment with a Passive Optical Network (PON) uplink. This preferred embodiment records users' recent online behavior: repeated instances of the same online behavior by a user can be handled entirely in the packet forwarding module, without involving the deep packet parsing module and the policy library management module, which improves the packet forwarding rate. It includes its own web authentication function, user terminals need not install a client, and it suits the scenario of an enterprise intranet accessing the Internet; online behavior is classified by specific application, and user group configuration is supported, which makes management convenient. The method is implemented in software and does not require the gateway device to add a separate hardware module, effectively controlling the cost of the gateway device.
The online behavior management system of this preferred embodiment includes the following modules:
A. Policy library management module
B. Deep packet parsing module
C. Packet forwarding module
The policy library management module includes a configuration submodule, a database submodule and a user authentication submodule. Through the web configuration interface of the enterprise gateway, the network administrator configures user information (including user name, password, user group, and disabled or active state), user groups (including the group name and the bound policy template and time template), time period templates (including template name and start and end time) and policy templates (including template name and the policy action for a certain application or class of applications). These configurations are saved in the database according to its table structure. A policy template consists of an application (a specific application or a class of applications, such as QQ, Thunder download, Youku video, P2P, video, games, etc.) and an action (forward, block, rate limit, etc.). The specific configuration method is: users are classified into user groups, a user group is bound to a policy template and a time period template, and the policy template takes effect within the corresponding time period.
The deep packet parsing module includes a deep packet inspection (DPI) engine and a signature library, and parses users' online behavior; it can identify the great majority of common Internet applications. Based on the parsing result, it looks up the corresponding policy configuration in the database of the policy library management module and notifies the packet forwarding module, which implements blocking or rate limiting of the user's online behavior.
The packet forwarding module includes a packet interception submodule, an IP address authentication table and a quintuple flow table, and implements interception of users' Internet access packets, IP address authentication records, quintuple flow table records and similar functions. The IP address authentication table records the authentication state of each IP address: if an address has passed authentication, quintuple flow table processing follows; if it has not, the user authentication submodule of the policy library management module is notified to perform authentication. The quintuple flow table mainly records the packet's source IP address, source port, destination IP address, destination port and transport layer protocol (the five-tuple), the policy action, and a flag bit indicating whether the packet needs to be sent to the deep packet parsing module. Once authentication has passed, a packet whose five-tuple matches a record in the quintuple flow table can be forwarded directly according to the policy action in that record, without being sent to the deep packet parsing module every time, unless a time period template starts to take effect or ceases to be effective. In that case the policy library management module notifies the quintuple flow table, the packet is sent to the deep packet parsing module again, the policy library management module is queried after parsing, and the quintuple flow table is then notified to execute the current policy action.
Preferred embodiment 2
This preferred embodiment provides a method by which a small or medium-sized enterprise gateway manages users' online behavior, comprising the following steps:
Step 1: The user accesses the Internet through the enterprise gateway. The forwarding module intercepts the user's Internet packet and looks up the IP address authentication table. If the IP address has been authenticated, processing proceeds to the next step; if the IP address has not been authenticated, the enterprise gateway pushes a web authentication page to the user terminal, and the user enters a username and password for verification. The user authentication submodule in the policy library management module checks whether the user is permitted to access the Internet. If authentication passes, the user's IP address is saved in the user information in the database and recorded in the IP address authentication table, and processing proceeds to the next step; if authentication fails, the packet is discarded and the user is prohibited from accessing the Internet.
Step 2: Look up the five-tuple flow table. If there is a record for this packet and the flag indicates that it does not need to be sent to the deep packet parsing module, the policy action recorded in the flow table (forward, discard, rate limit, etc.) is executed and online behavior management for this packet ends; if the flag indicates that it needs to be sent to the deep packet parsing module, or there is no record for this packet, processing proceeds to the next step.
Step 3: The packet is sent to the deep packet parsing module, which extracts feature information from the packet content, such as IP address, port number and domain name, and identifies the service application behind the user's online behavior. The features of some packets may change frequently: for the QQ application, for example, different QQ client versions log in to servers at different addresses and produce different packet features. The deep packet parsing module must correctly determine the user's application from these changing packet features, so its signature library version must be updated continually while remaining backward compatible with the packet features of existing online applications. For some service applications, several packets may be needed before the application can be identified. After the packet parsing action is complete, processing proceeds to the next step.
Step 4: Based on the packet parsing result, look up in the database of the policy library management module the policy (forward, block, rate limit, etc.) that applies at the current time to this user (identified by source IP address) and this application (the result of deep packet parsing, such as QQ, Xunlei download or Youku video), notify the packet forwarding module, and proceed to the next step.
Step 5: The packet forwarding module writes the five-tuple flow table, recording the packet's five-tuple information and the policy action, and executes the policy action on the packet.
Step 6: If the user's IP address is released, the Dynamic Host Configuration Protocol (DHCP) module notifies the packet forwarding module to delete the entry from its IP address authentication table, and notifies the database to delete the IP address from the user information.
This preferred embodiment is efficient, easy to operate and low-cost. Efficiency: the five-tuple flow table maintained in this embodiment reduces the amount of deep packet parsing, which consumes CPU resources and adds latency to packet processing, so the flow table improves packet forwarding efficiency; and there is only one database recording user information and policies, namely the database submodule in the policy library management module, so there is no data synchronization problem between multiple databases and system overhead is reduced. Ease of operation: no client needs to be installed on the user terminal; the embodiment has built-in web authentication, so the user authentication process is simpler; two-level permission management by user and user group is supported; and service classification is based on concrete service applications, which is easier for a network administrator to operate. Low cost: the method is implemented in software, no hardware module is added, and the cost of the enterprise gateway is effectively controlled.
Preferred embodiment 3
FIG. 3 is a schematic diagram of an online behavior management application system according to a preferred embodiment of the present invention. As shown in FIG. 3, internal company terminals connect to the company intranet, and the enterprise gateway dynamically assigns IP addresses to the user terminals. Users reach the external network through the enterprise gateway device; online behavior management is implemented entirely by the enterprise gateway device, and no client needs to be installed on the user terminal.
FIG. 4 is a block diagram of the composition of online behavior management according to a preferred embodiment of the present invention, and FIG. 5 is a schematic diagram of the online behavior management packet processing flow according to a preferred embodiment of the present invention. As shown in FIG. 4 and FIG. 5, the specific implementation flow of this preferred embodiment is as follows:
After the packet forwarding module intercepts a user's Internet access packet, it looks up the IP address authentication table to determine whether the user's IP address has been authenticated; if it has not, the authentication flow is entered.
Authentication is completed in the policy library management module: the username and password entered on the user authentication web page are compared with the username and password stored in the database. If authentication passes, the user's IP address is saved in the user information in the database and written to the IP address authentication table; if authentication fails, the intercepted Internet access packet is discarded.
Look up the five-tuple flow table. If the packet has a record in the five-tuple flow table and does not need to be sent up, it is forwarded according to the policy action in the five-tuple flow table; if there is no record in the five-tuple flow table or the packet needs to be sent up, the packet is sent to the deep packet parsing module.
After the deep packet parsing module receives the packet, the DPI engine and signature library parse out the packet's application, URL information and so on. Based on the application type, the current policy action is looked up in the policy library management module.
The packet's five-tuple information, the application of the user's online behavior, the URL information, the policy action and so on are passed to the packet forwarding module, which writes the five-tuple flow table, sets the flag for sending to the deep packet parsing module to false, and forwards the packet according to the policy action. Aging of the five-tuple flow table is implemented by a timer: if no packet of a flow arrives for a period of time, that flow record is deleted from the five-tuple flow table.
The policy library management module maintains a timer that checks whether time period templates are in effect. If the in-effect time period template bound to a user group changes, the five-tuple flow table of the packet forwarding module is notified and the packet's send-up flag is set to true.
FIG. 6 is a schematic diagram of administrator configuration according to a preferred embodiment of the present invention. As shown in FIG. 6, the specific implementation flow is as follows:
The network administrator can configure or read the online behavior management parameters through a web page. The configuration method is: users are added to user groups, and each user group is bound to a policy template and a corresponding time period template. The activation state in the user information can be set to active or disabled by the network administrator; multiple IP addresses per user are supported, so the same user can log in on several terminals; the IP address and authentication status are read-only. A policy template is in effect during the time defined by its corresponding time period template.
FIG. 7 is a schematic diagram of the policy lookup flow according to a preferred embodiment of the present invention. As shown in FIG. 7, the specific implementation flow is as follows:
Based on the packet's source IP address and the application parsed out by the deep packet parsing module, query the user information of the user groups in the database. If a user's IP address equals the packet's source IP address, query the policy template and time period template bound to that user's group, obtain the policy template in effect at the current time, write the policy action for this application from that policy template together with the packet's five-tuple information into the five-tuple flow table, and forward the packet according to the policy action.
FIG. 8 is a schematic diagram of the IP address release processing flow according to a preferred embodiment of the present invention. As shown in FIG. 8, the specific implementation flow is as follows:
After DHCP releases the user's IP address, it notifies the online behavior management module, which deletes the record for that IP address from the IP address authentication table and deletes the user's IP address from the database.
Preferred embodiment 4
Suppose a company uses a gateway device applying the present invention. Taking the online behavior of Zhang San, an employee in the company's finance department, as an example, the practical application process of this preferred embodiment is described in detail.
The company stipulates that employees of the finance department are not allowed to log in to the Youku website during working hours, 9 a.m. to 5 p.m. The company's network administrator gives Zhang San the Internet access account zhangsan with password zhangs, adds the user zhangsan to the user group finance department, and binds the user group finance department to policy template p1 and time period template t1. p1 is configured to block Youku (applications not configured are allowed by default), and t1 is configured as working hours, namely 9:00 to 17:00 from Monday to Friday.
Zhang San's computer obtains the intranet IP address 192.168.1.10 through the gateway. After arriving at work, Zhang San tries to log in to the Youku website. Based on the source IP address 192.168.1.10 in the request packet, the user authentication table is looked up. Since there is no record for Zhang San's client in the user authentication table yet, the gateway pushes a web authentication page to Zhang San's computer. After Zhang San enters the account zhangsan and password zhangs, they are checked against the user information recorded in the database. Once the check passes, the user authentication table records that account zhangsan with IP address 192.168.1.10 has passed authentication, and the database user information records that user zhangsan corresponds to IP address 192.168.1.10.
Next, the five-tuple flow table is looked up using the five-tuple information in the request packet. No entry matching the packet's five-tuple is found, so the packet must be sent to the deep packet parsing module. By extracting and analyzing feature values from the packet, the module determines that the application is the Youku website; the database is then looked up, which shows that user IP address 192.168.1.10 is not allowed to log in to Youku at the current time. The system therefore writes the five-tuple information of Zhang San's Youku login request packet and the block action into the five-tuple flow table. According to the five-tuple flow table, the Youku application is blocked.
Finding that he cannot watch videos on Youku, Zhang San tries to log in to the Sina website. The request packet is first checked against the authentication table, which shows that IP address 192.168.1.10 corresponds to user zhangsan, who has passed authentication. The five-tuple flow table is then looked up; no matching record is found, so the packet is sent to the deep packet parsing module, which identifies the Sina website. The database is then queried and shows that user IP address 192.168.1.10 may log in to the Sina website at the current time. The packet's five-tuple information and the allow action are written into the five-tuple flow table, and according to the five-tuple flow table Zhang San can now log in to Sina.
Before the five-tuple flow table entry ages out, Zhang San logs in to the Sina website again. When the five-tuple flow table is looked up, a matching record is found and the packet can be forwarded directly, without sending it to the deep packet parsing module again to parse the packet and look up the policy action in the database. Packet processing speed is thereby improved.
If Zhang San's computer stops using IP address 192.168.1.10 and changes to 192.168.1.20, the entry previously recorded in the IP address authentication table, namely that account zhangsan with IP address 192.168.1.10 has passed authentication, is deleted, and the IP address in user zhangsan's database record is deleted as well. When Zhang San accesses the Internet again, user authentication must be performed anew.
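As an added example, not code from the patent (which discloses no implementation), the following Python simulates the pipeline described in preferred embodiments 2 to 4 end to end: the IP address authentication table, the five-tuple flow table with its send-to-DPI flag and timer-based aging, the policy lookup through user group, policy template and time period template, the policy-module timer that re-flags flows when a bound template starts or stops being in effect, and the DHCP release step. The `Gateway` class, its method names, the HTTP request bytes and the destination addresses (TEST-NET 203.0.113.0/24) are assumptions; `classify` is a constructed stand-in for the DPI engine and signature library that only reads an HTTP Host header. The user, password, group, template names and the address 192.168.1.10 are the ones from the Zhang San example.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, Tuple

FiveTuple = Tuple[str, int, str, int, str]  # src IP, src port, dst IP, dst port, protocol

@dataclass
class Gateway:
    # Database submodule of the policy library management module (all contents constructed).
    users: Dict[str, dict]               # username -> {"password", "group", "ips"}
    groups: Dict[str, dict]              # group -> {"policy": template, "time": template}
    policies: Dict[str, Dict[str, str]]  # policy template -> {application: action}
    time_templates: Dict[str, dict]      # template -> {"days": weekdays, "start": h, "end": h}
    flow_ttl: float = 300.0              # seconds without packets before a flow entry ages out
    auth_table: Dict[str, str] = field(default_factory=dict)  # IP address -> username
    flow_table: Dict[FiveTuple, dict] = field(default_factory=dict)  # -> {"action", "needs_dpi", "last_seen"}
    template_state: Dict[str, bool] = field(default_factory=dict)  # group -> template in effect?
    dpi_calls: int = 0                   # how often the expensive DPI path was taken

    def authenticate(self, ip: str, username: str, password: str) -> bool:
        u = self.users.get(username)
        if u is None or u["password"] != password:
            return False
        self.auth_table[ip] = username  # web authentication passed: record the IP in both tables
        u["ips"].add(ip)
        return True

    def template_active(self, name: str, now: datetime) -> bool:
        t = self.time_templates[name]
        return now.weekday() in t["days"] and t["start"] <= now.hour < t["end"]

    def lookup_policy(self, src_ip: str, app: str, now: datetime) -> str:
        """FIG. 7: user by source IP -> group -> policy template in effect now -> action."""
        for u in self.users.values():
            if src_ip in u["ips"]:
                g = self.groups[u["group"]]
                if not self.template_active(g["time"], now):
                    return "forward"  # bound time template not in effect: no restriction
                return self.policies[g["policy"]].get(app, "forward")  # unlisted apps allowed
        return "block"  # assumption: fail closed when no authenticated user owns the IP

    def process(self, ft: FiveTuple, payload: bytes, now: datetime, classify) -> str:
        """Forwarding module: auth table -> flow table -> DPI -> policy -> write flow table."""
        if ft[0] not in self.auth_table:
            return "auth_required"  # the gateway would push the web authentication page here
        e = self.flow_table.get(ft)
        if e and not e["needs_dpi"] and (now - e["last_seen"]).total_seconds() < self.flow_ttl:
            e["last_seen"] = now
            return e["action"]  # fast path: no DPI and no database query
        self.dpi_calls += 1
        action = self.lookup_policy(ft[0], classify(payload), now)
        self.flow_table[ft] = {"action": action, "needs_dpi": False, "last_seen": now}
        return action

    def tick(self, now: datetime) -> None:
        """Policy-module timer: a group's template changed state, so flag flows for re-parsing."""
        for gname, g in self.groups.items():
            active = self.template_active(g["time"], now)
            if self.template_state.get(gname) != active:
                self.template_state[gname] = active
                for e in self.flow_table.values():
                    e["needs_dpi"] = True

    def release_ip(self, ip: str) -> None:
        """DHCP release (FIG. 8): drop the IP from the auth table and the user record."""
        user = self.auth_table.pop(ip, None)
        if user is not None:
            self.users[user]["ips"].discard(ip)

def classify(payload: bytes) -> str:
    """Constructed stand-in for the DPI engine: application name from the HTTP Host header."""
    for line in payload.split(b"\r\n"):
        if line.lower().startswith(b"host:"):
            host = line.split(b":", 1)[1].strip().decode("ascii", "replace").lower()
            return next((app for app in ("youku", "sina") if app in host), "unknown")
    return "unknown"

def run_scenario() -> dict:
    """Replay the Zhang San walk-through with constructed packets and placeholder servers."""
    gw = Gateway(
        users={"zhangsan": {"password": "zhangs", "group": "finance department", "ips": set()}},
        groups={"finance department": {"policy": "p1", "time": "t1"}},
        policies={"p1": {"youku": "block"}},  # applications not listed are allowed
        time_templates={"t1": {"days": {0, 1, 2, 3, 4}, "start": 9, "end": 17}})
    youku = ("192.168.1.10", 51000, "203.0.113.10", 80, "tcp")  # dst IPs: TEST-NET placeholders
    sina = ("192.168.1.10", 51001, "203.0.113.20", 80, "tcp")
    youku_req = b"GET / HTTP/1.1\r\nHost: www.youku.com\r\n\r\n"
    sina_req = b"GET / HTTP/1.1\r\nHost: www.sina.com.cn\r\n\r\n"
    work, evening = datetime(2015, 6, 15, 10, 0), datetime(2015, 6, 15, 18, 0)  # a Monday
    r = {"before_auth": gw.process(youku, youku_req, work, classify)}
    r["auth"] = gw.authenticate("192.168.1.10", "zhangsan", "zhangs")
    r["youku_at_work"] = gw.process(youku, youku_req, work, classify)
    r["sina_at_work"] = gw.process(sina, sina_req, work, classify)
    r["sina_again"] = gw.process(sina, sina_req, datetime(2015, 6, 15, 10, 1), classify)
    r["dpi_calls"] = gw.dpi_calls  # the repeat Sina request hit the flow table: still 2
    gw.tick(evening)               # timer sees t1 out of effect: flows flagged for re-parsing
    r["youku_evening"] = gw.process(youku, youku_req, evening, classify)
    gw.release_ip("192.168.1.10")
    r["after_release"] = gw.process(sina, sina_req, evening, classify)
    return r
```

`run_scenario()` returns the outcome of each step: the repeated Sina request leaves `dpi_calls` at 2, which is the saving the embodiment attributes to the flow table, and the evening Youku request is parsed again only because the timer flagged the flow when t1 ceased to be in effect. Note that every decision is keyed on the source IP address, so the fast path trusts the binding between address and authenticated user until the DHCP release step removes it.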
From the description of the above embodiments, those skilled in the art can clearly understand that the method according to the above embodiments may be implemented by software plus a necessary general-purpose hardware platform, and of course may also be implemented by hardware, but in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and including a number of instructions for causing a terminal device (which may be a mobile phone, a computer, a server, a network device or the like) to perform the methods described in the embodiments of the present invention.
Embodiments of the present invention also provide a storage medium. Optionally, in this embodiment, the storage medium may be configured to store program code for performing the method steps of the above embodiments.
Optionally, in this embodiment, the storage medium may include, but is not limited to, a USB flash drive, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, an optical disc, or any other medium that can store program code.
Optionally, in this embodiment, a processor executes the method of the above embodiments according to the program code stored in the storage medium.
Obviously, those skilled in the art should understand that the modules or steps of the present invention described above may be implemented by a general-purpose computing device; they may be concentrated on a single computing device or distributed over a network of multiple computing devices. Optionally, they may be implemented by program code executable by a computing device, so that they may be stored in a storage device and executed by the computing device; in some cases the steps shown or described may be performed in an order different from that given here, or they may be made into individual integrated circuit modules, or several of the modules or steps may be made into a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
The above are only preferred embodiments of the present invention and are not intended to limit it; those skilled in the art may make various modifications and variations to the present invention. Any modification, equivalent substitution, improvement or the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.
According to the technical solution provided by the embodiments of the present invention, a terminal's Internet access packet is obtained and the preset management policy corresponding to the packet is looked up; when the packet's preset management policy is found, it is recorded in the five-tuple flow table; when the terminal's Internet access packet is obtained again, the five-tuple flow table is checked for a record of the packet, and if a record exists the packet is processed according to the preset management policy. This solves the problems of complicated operation, low efficiency and high cost in controlling the online behavior of users in a local area network, improving efficiency and effectively controlling equipment cost.
Applications Claiming Priority (2)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510329856.8 | 2015-06-15 | | |
| CN201510329856.8A (CN106330473A) | 2015-06-15 | 2015-06-15 | Gateway management method and device |

Publications (1)

| Publication Number | Publication Date |
|---|---|
| WO2016201780A1 | 2016-12-22 |

Family ID: 57545008

Family Applications (1)

| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2015/087844 (WO2016201780A1) | Gateway management method and apparatus | 2015-06-15 | 2015-08-21 |

Country Status (2)

| Country | Link |
|---|---|
| CN (1) | CN106330473A |
| WO (1) | WO2016201780A1 |
Timeline

- 2015-06-15: CN application CN201510329856.8A (CN106330473A), status: not active, withdrawn
- 2015-08-21: PCT application PCT/CN2015/087844 (WO2016201780A1), status: active, application filing
Also Published As

| Publication Number | Publication Date |
|---|---|
| CN106330473A | 2017-01-11 |
Legal Events

| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 15895353; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 15895353; Country of ref document: EP; Kind code of ref document: A1 |