WAF策略增加JSCookie动作选项

2025-11-02 22:10:26 +08:00 · 2024-04-07 14:21:01 +08:00
parent 6cd284e6ec
commit 92f3238d19
5 changed files with 47 additions and 14 deletions
--- a/internal/db/models/http_firewall_policy_dao.go
+++ b/internal/db/models/http_firewall_policy_dao.go
@@ -134,7 +134,7 @@ func (this *HTTPFirewallPolicyDAO) CreateFirewallPolicy(tx *dbs.Tx, userId int64

 	if userId <= 0 && serverGroupId <= 0 && serverId <= 0 {
 		// synFlood
-		var synFloodConfig = firewallconfigs.DefaultSYNFloodConfig()
+		var synFloodConfig = firewallconfigs.NewSYNFloodConfig()
 		synFloodJSON, err := json.Marshal(synFloodConfig)
 		if err != nil {
 			return 0, err
@@ -142,7 +142,7 @@ func (this *HTTPFirewallPolicyDAO) CreateFirewallPolicy(tx *dbs.Tx, userId int64
 		op.SynFlood = synFloodJSON

 		// block options
-		var blockOptions = firewallconfigs.DefaultHTTPFirewallBlockAction()
+		var blockOptions = firewallconfigs.NewHTTPFirewallBlockAction()
 		blockOptionsJSON, err := json.Marshal(blockOptions)
 		if err != nil {
 			return 0, err
@@ -150,7 +150,7 @@ func (this *HTTPFirewallPolicyDAO) CreateFirewallPolicy(tx *dbs.Tx, userId int64
 		op.BlockOptions = blockOptionsJSON

 		// page options
-		var pageOptions = firewallconfigs.DefaultHTTPFirewallPageAction()
+		var pageOptions = firewallconfigs.NewHTTPFirewallPageAction()
 		pageOptionsJSON, err := json.Marshal(pageOptions)
 		if err != nil {
 			return 0, err
@@ -158,12 +158,20 @@ func (this *HTTPFirewallPolicyDAO) CreateFirewallPolicy(tx *dbs.Tx, userId int64
 		op.PageOptions = pageOptionsJSON

 		// captcha options
-		var captchaOptions = firewallconfigs.DefaultHTTPFirewallCaptchaAction()
+		var captchaOptions = firewallconfigs.NewHTTPFirewallCaptchaAction()
 		captchaOptionsJSON, err := json.Marshal(captchaOptions)
 		if err != nil {
 			return 0, err
 		}
 		op.CaptchaOptions = captchaOptionsJSON
+
+		// jscookie options
+		var jsCookieOptions = firewallconfigs.NewHTTPFirewallJavascriptCookieAction()
+		jsCookieOptionsJSON, err := json.Marshal(jsCookieOptions)
+		if err != nil {
+			return 0, err
+		}
+		op.JsCookieOptions = jsCookieOptionsJSON
 	}

 	err := this.Save(tx, op)
@@ -323,6 +331,7 @@ func (this *HTTPFirewallPolicyDAO) UpdateFirewallPolicy(tx *dbs.Tx,
 	blockOptionsJSON []byte,
 	pageOptionsJSON []byte,
 	captchaOptionsJSON []byte,
+	jsCookieOptionsJSON []byte,
 	mode firewallconfigs.FirewallMode,
 	useLocalFirewall bool,
 	synFloodConfig *firewallconfigs.SYNFloodConfig,
@@ -358,6 +367,9 @@ func (this *HTTPFirewallPolicyDAO) UpdateFirewallPolicy(tx *dbs.Tx,
 	if IsNotNull(captchaOptionsJSON) {
 		op.CaptchaOptions = captchaOptionsJSON
 	}
+	if IsNotNull(jsCookieOptionsJSON) {
+		op.JsCookieOptions = jsCookieOptionsJSON
+	}

 	if synFloodConfig != nil {
 		synFloodConfigJSON, err := json.Marshal(synFloodConfig)
@@ -528,7 +540,7 @@ func (this *HTTPFirewallPolicyDAO) ComposeFirewallPolicy(tx *dbs.Tx, policyId in

 	// Block动作配置
 	if IsNotNull(policy.BlockOptions) {
-		var blockAction = &firewallconfigs.HTTPFirewallBlockAction{}
+		var blockAction = firewallconfigs.NewHTTPFirewallBlockAction()
 		err = json.Unmarshal(policy.BlockOptions, blockAction)
 		if err != nil {
 			return config, err
@@ -538,7 +550,7 @@ func (this *HTTPFirewallPolicyDAO) ComposeFirewallPolicy(tx *dbs.Tx, policyId in

 	// Page动作配置
 	if IsNotNull(policy.PageOptions) {
-		var pageAction = firewallconfigs.DefaultHTTPFirewallPageAction()
+		var pageAction = firewallconfigs.NewHTTPFirewallPageAction()
 		err = json.Unmarshal(policy.PageOptions, pageAction)
 		if err != nil {
 			return config, err
@@ -548,7 +560,7 @@ func (this *HTTPFirewallPolicyDAO) ComposeFirewallPolicy(tx *dbs.Tx, policyId in

 	// Captcha动作配置
 	if IsNotNull(policy.CaptchaOptions) {
-		var captchaAction = &firewallconfigs.HTTPFirewallCaptchaAction{}
+		var captchaAction = firewallconfigs.NewHTTPFirewallCaptchaAction()
 		err = json.Unmarshal(policy.CaptchaOptions, captchaAction)
 		if err != nil {
 			return config, err
@@ -556,6 +568,16 @@ func (this *HTTPFirewallPolicyDAO) ComposeFirewallPolicy(tx *dbs.Tx, policyId in
 		config.CaptchaOptions = captchaAction
 	}

+	// JSCookie动作配置
+	if IsNotNull(policy.JsCookieOptions) {
+		var jsCookieAction = firewallconfigs.NewHTTPFirewallJavascriptCookieAction()
+		err = json.Unmarshal(policy.JsCookieOptions, jsCookieAction)
+		if err != nil {
+			return config, err
+		}
+		config.JSCookieOptions = jsCookieAction
+	}
+
 	// syn flood
 	if IsNotNull(policy.SynFlood) {
 		var synFloodConfig = &firewallconfigs.SYNFloodConfig{}
--- a/internal/db/models/http_firewall_policy_model.go
+++ b/internal/db/models/http_firewall_policy_model.go
@@ -19,6 +19,7 @@ const (
 	HTTPFirewallPolicyField_BlockOptions       dbs.FieldName = "blockOptions"       // BLOCK动作选项
 	HTTPFirewallPolicyField_PageOptions        dbs.FieldName = "pageOptions"        // PAGE动作选项
 	HTTPFirewallPolicyField_CaptchaOptions     dbs.FieldName = "captchaOptions"     // 验证码动作选项
+	HTTPFirewallPolicyField_JsCookieOptions    dbs.FieldName = "jsCookieOptions"    // JSCookie动作选项
 	HTTPFirewallPolicyField_Mode               dbs.FieldName = "mode"               // 模式
 	HTTPFirewallPolicyField_UseLocalFirewall   dbs.FieldName = "useLocalFirewall"   // 是否自动使用本地防火墙
 	HTTPFirewallPolicyField_SynFlood           dbs.FieldName = "synFlood"           // SynFlood防御设置
@@ -46,6 +47,7 @@ type HTTPFirewallPolicy struct {
 	BlockOptions       dbs.JSON `field:"blockOptions"`       // BLOCK动作选项
 	PageOptions        dbs.JSON `field:"pageOptions"`        // PAGE动作选项
 	CaptchaOptions     dbs.JSON `field:"captchaOptions"`     // 验证码动作选项
+	JsCookieOptions    dbs.JSON `field:"jsCookieOptions"`    // JSCookie动作选项
 	Mode               string   `field:"mode"`               // 模式
 	UseLocalFirewall   uint8    `field:"useLocalFirewall"`   // 是否自动使用本地防火墙
 	SynFlood           dbs.JSON `field:"synFlood"`           // SynFlood防御设置
@@ -72,6 +74,7 @@ type HTTPFirewallPolicyOperator struct {
 	BlockOptions       any // BLOCK动作选项
 	PageOptions        any // PAGE动作选项
 	CaptchaOptions     any // 验证码动作选项
+	JsCookieOptions    any // JSCookie动作选项
 	Mode               any // 模式
 	UseLocalFirewall   any // 是否自动使用本地防火墙
 	SynFlood           any // SynFlood防御设置
--- a/internal/rpc/services/service_http_firewall_policy.go
+++ b/internal/rpc/services/service_http_firewall_policy.go
@@ -304,7 +304,7 @@ func (this *HTTPFirewallPolicyService) UpdateHTTPFirewallPolicy(ctx context.Cont
 		req.MaxRequestBodySize = 0
 	}

-	err = models.SharedHTTPFirewallPolicyDAO.UpdateFirewallPolicy(tx, req.HttpFirewallPolicyId, req.IsOn, req.Name, req.Description, inboundConfigJSON, outboundConfigJSON, req.BlockOptionsJSON, req.PageOptionsJSON, req.CaptchaOptionsJSON, req.Mode, req.UseLocalFirewall, synFloodConfig, logConfig, req.MaxRequestBodySize, req.DenyCountryHTML, req.DenyProvinceHTML)
+	err = models.SharedHTTPFirewallPolicyDAO.UpdateFirewallPolicy(tx, req.HttpFirewallPolicyId, req.IsOn, req.Name, req.Description, inboundConfigJSON, outboundConfigJSON, req.BlockOptionsJSON, req.PageOptionsJSON, req.CaptchaOptionsJSON, req.JsCookieOptionsJSON, req.Mode, req.UseLocalFirewall, synFloodConfig, logConfig, req.MaxRequestBodySize, req.DenyCountryHTML, req.DenyProvinceHTML)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/setup/sql.json
+++ b/internal/setup/sql.json
@@ -102722,7 +102722,7 @@
      "name": "edgeHTTPFirewallPolicies",
      "engine": "InnoDB",
      "charset": "utf8mb4_general_ci",
-      "definition": "CREATE TABLE `edgeHTTPFirewallPolicies` (\n  `id` int(11) unsigned NOT NULL AUTO_INCREMENT COMMENT 'ID',\n  `templateId` int(11) unsigned DEFAULT '0' COMMENT '模版ID',\n  `adminId` int(11) unsigned DEFAULT '0' COMMENT '管理员ID',\n  `userId` int(11) unsigned DEFAULT '0' COMMENT '用户ID',\n  `serverId` int(11) unsigned DEFAULT '0' COMMENT '服务ID',\n  `groupId` int(11) unsigned DEFAULT '0' COMMENT '服务分组ID',\n  `state` tinyint(1) unsigned DEFAULT '1' COMMENT '状态',\n  `createdAt` bigint(11) unsigned DEFAULT '0' COMMENT '创建时间',\n  `isOn` tinyint(1) unsigned DEFAULT '1' COMMENT '是否启用',\n  `name` varchar(255) DEFAULT NULL COMMENT '名称',\n  `description` varchar(1024) DEFAULT NULL COMMENT '描述',\n  `inbound` json DEFAULT NULL COMMENT '入站规则',\n  `outbound` json DEFAULT NULL COMMENT '出站规则',\n  `blockOptions` json DEFAULT NULL COMMENT 'BLOCK动作选项',\n  `pageOptions` json DEFAULT NULL COMMENT 'PAGE动作选项',\n  `captchaOptions` json DEFAULT NULL COMMENT '验证码动作选项',\n  `mode` varchar(32) DEFAULT 'defend' COMMENT '模式',\n  `useLocalFirewall` tinyint(1) unsigned DEFAULT '1' COMMENT '是否自动使用本地防火墙',\n  `synFlood` json DEFAULT NULL COMMENT 'SynFlood防御设置',\n  `log` json DEFAULT NULL COMMENT '日志配置',\n  `maxRequestBodySize` int(11) unsigned DEFAULT '0' COMMENT '可以检查的最大请求内容尺寸',\n  `denyCountryHTML` text COMMENT '区域封禁提示',\n  `denyProvinceHTML` text COMMENT '省份封禁提示',\n  PRIMARY KEY (`id`),\n  KEY `userId` (`userId`),\n  KEY `serverId` (`serverId`)\n) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COMMENT='HTTP防火墙'",
+      "definition": "CREATE TABLE `edgeHTTPFirewallPolicies` (\n  `id` int(11) unsigned NOT NULL AUTO_INCREMENT COMMENT 'ID',\n  `templateId` int(11) unsigned DEFAULT '0' COMMENT '模版ID',\n  `adminId` int(11) unsigned DEFAULT '0' COMMENT '管理员ID',\n  `userId` int(11) unsigned DEFAULT '0' COMMENT '用户ID',\n  `serverId` int(11) unsigned DEFAULT '0' COMMENT '服务ID',\n  `groupId` int(11) unsigned DEFAULT '0' COMMENT '服务分组ID',\n  `state` tinyint(1) unsigned DEFAULT '1' COMMENT '状态',\n  `createdAt` bigint(11) unsigned DEFAULT '0' COMMENT '创建时间',\n  `isOn` tinyint(1) unsigned DEFAULT '1' COMMENT '是否启用',\n  `name` varchar(255) DEFAULT NULL COMMENT '名称',\n  `description` varchar(1024) DEFAULT NULL COMMENT '描述',\n  `inbound` json DEFAULT NULL COMMENT '入站规则',\n  `outbound` json DEFAULT NULL COMMENT '出站规则',\n  `blockOptions` json DEFAULT NULL COMMENT 'BLOCK动作选项',\n  `pageOptions` json DEFAULT NULL COMMENT 'PAGE动作选项',\n  `captchaOptions` json DEFAULT NULL COMMENT '验证码动作选项',\n  `jsCookieOptions` json DEFAULT NULL COMMENT 'JSCookie动作选项',\n  `mode` varchar(32) DEFAULT 'defend' COMMENT '模式',\n  `useLocalFirewall` tinyint(1) unsigned DEFAULT '1' COMMENT '是否自动使用本地防火墙',\n  `synFlood` json DEFAULT NULL COMMENT 'SynFlood防御设置',\n  `log` json DEFAULT NULL COMMENT '日志配置',\n  `maxRequestBodySize` int(11) unsigned DEFAULT '0' COMMENT '可以检查的最大请求内容尺寸',\n  `denyCountryHTML` text COMMENT '区域封禁提示',\n  `denyProvinceHTML` text COMMENT '省份封禁提示',\n  PRIMARY KEY (`id`),\n  KEY `userId` (`userId`),\n  KEY `serverId` (`serverId`)\n) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COMMENT='HTTP防火墙'",
      "fields": [
        {
          "name": "id",
@@ -102788,6 +102788,10 @@
          "name": "captchaOptions",
          "definition": "json COMMENT '验证码动作选项'"
        },
+        {
+          "name": "jsCookieOptions",
+          "definition": "json COMMENT 'JSCookie动作选项'"
+        },
        {
          "name": "mode",
          "definition": "varchar(32) DEFAULT 'defend' COMMENT '模式'"
@@ -103738,7 +103742,7 @@
      "name": "edgeIPItems",
      "engine": "InnoDB",
      "charset": "utf8mb4_general_ci",
-      "definition": "CREATE TABLE `edgeIPItems` (\n  `id` bigint(20) unsigned NOT NULL AUTO_INCREMENT COMMENT 'ID',\n  `listId` int(11) unsigned DEFAULT '0' COMMENT '所属名单ID',\n  `type` varchar(64) DEFAULT 'ipv4' COMMENT '类型',\n  `ipFrom` varchar(64) DEFAULT NULL COMMENT '开始IP',\n  `ipTo` varchar(64) DEFAULT NULL COMMENT '结束IP',\n  `ipFromLong` bigint(20) unsigned DEFAULT '0' COMMENT '开始IP整型',\n  `ipToLong` bigint(20) unsigned DEFAULT '0' COMMENT '结束IP整型',\n  `version` bigint(20) unsigned DEFAULT '0' COMMENT '版本',\n  `createdAt` bigint(11) unsigned DEFAULT '0' COMMENT '创建时间',\n  `updatedAt` bigint(11) unsigned DEFAULT '0' COMMENT '修改时间',\n  `reason` varchar(255) DEFAULT NULL COMMENT '加入说明',\n  `eventLevel` varchar(64) DEFAULT NULL COMMENT '事件级别',\n  `state` tinyint(1) unsigned DEFAULT '1' COMMENT '状态',\n  `expiredAt` bigint(11) unsigned DEFAULT '0' COMMENT '过期时间',\n  `serverId` int(11) unsigned DEFAULT '0' COMMENT '有效范围服务ID',\n  `nodeId` int(11) unsigned DEFAULT '0' COMMENT '有效范围节点ID',\n  `sourceNodeId` int(11) unsigned DEFAULT '0' COMMENT '来源节点ID',\n  `sourceServerId` int(11) unsigned DEFAULT '0' COMMENT '来源服务ID',\n  `sourceHTTPFirewallPolicyId` int(11) unsigned DEFAULT '0' COMMENT '来源策略ID',\n  `sourceHTTPFirewallRuleGroupId` int(11) unsigned DEFAULT '0' COMMENT '来源规则集分组ID',\n  `sourceHTTPFirewallRuleSetId` int(11) unsigned DEFAULT '0' COMMENT '来源规则集ID',\n  `sourceUserId` bigint(11) unsigned DEFAULT '0' COMMENT '用户ID',\n  `isRead` tinyint(1) unsigned DEFAULT '1' COMMENT '是否已读',\n  PRIMARY KEY (`id`),\n  KEY `listId` (`listId`),\n  KEY `ipFrom` (`ipFrom`),\n  KEY `serverId` (`serverId`),\n  KEY `expiredAt_state` (`expiredAt`,`state`) USING BTREE,\n  KEY `isRead` (`expiredAt`,`isRead`) USING BTREE,\n  KEY `createdAt` (`createdAt`),\n  KEY `sourceUserId` (`sourceUserId`),\n  KEY `version` (`version`)\n) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COMMENT='IP'",
+      "definition": "CREATE TABLE `edgeIPItems` (\n  `id` bigint(20) unsigned NOT NULL AUTO_INCREMENT COMMENT 'ID',\n  `listId` int(11) unsigned DEFAULT '0' COMMENT '所属名单ID',\n  `type` varchar(64) DEFAULT 'ipv4' COMMENT '类型',\n  `ipFrom` varchar(64) DEFAULT NULL COMMENT '开始IP',\n  `ipTo` varchar(64) DEFAULT NULL COMMENT '结束IP',\n  `ipFromLong` bigint(20) unsigned DEFAULT '0' COMMENT '开始IP整型（弃用）',\n  `ipToLong` bigint(20) unsigned DEFAULT '0' COMMENT '结束IP整型（弃用）',\n  `version` bigint(20) unsigned DEFAULT '0' COMMENT '版本',\n  `createdAt` bigint(11) unsigned DEFAULT '0' COMMENT '创建时间',\n  `updatedAt` bigint(11) unsigned DEFAULT '0' COMMENT '修改时间',\n  `reason` varchar(255) DEFAULT NULL COMMENT '加入说明',\n  `eventLevel` varchar(64) DEFAULT NULL COMMENT '事件级别',\n  `state` tinyint(1) unsigned DEFAULT '1' COMMENT '状态',\n  `expiredAt` bigint(11) unsigned DEFAULT '0' COMMENT '过期时间',\n  `serverId` int(11) unsigned DEFAULT '0' COMMENT '有效范围服务ID',\n  `nodeId` int(11) unsigned DEFAULT '0' COMMENT '有效范围节点ID',\n  `sourceNodeId` int(11) unsigned DEFAULT '0' COMMENT '来源节点ID',\n  `sourceServerId` int(11) unsigned DEFAULT '0' COMMENT '来源服务ID',\n  `sourceHTTPFirewallPolicyId` int(11) unsigned DEFAULT '0' COMMENT '来源策略ID',\n  `sourceHTTPFirewallRuleGroupId` int(11) unsigned DEFAULT '0' COMMENT '来源规则集分组ID',\n  `sourceHTTPFirewallRuleSetId` int(11) unsigned DEFAULT '0' COMMENT '来源规则集ID',\n  `sourceUserId` bigint(11) unsigned DEFAULT '0' COMMENT '用户ID',\n  `isRead` tinyint(1) unsigned DEFAULT '1' COMMENT '是否已读',\n  PRIMARY KEY (`id`),\n  KEY `listId` (`listId`),\n  KEY `ipFrom` (`ipFrom`),\n  KEY `serverId` (`serverId`),\n  KEY `expiredAt_state` (`expiredAt`,`state`) USING BTREE,\n  KEY `isRead` (`expiredAt`,`isRead`) USING BTREE,\n  KEY `createdAt` (`createdAt`),\n  KEY `sourceUserId` (`sourceUserId`),\n  KEY `version` (`version`)\n) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COMMENT='IP'",
      "fields": [
        {
          "name": "id",
@@ -103762,11 +103766,11 @@
        },
        {
          "name": "ipFromLong",
-          "definition": "bigint(20) unsigned DEFAULT '0' COMMENT '开始IP整型'"
+          "definition": "bigint(20) unsigned DEFAULT '0' COMMENT '开始IP整型（弃用）'"
        },
        {
          "name": "ipToLong",
-          "definition": "bigint(20) unsigned DEFAULT '0' COMMENT '结束IP整型'"
+          "definition": "bigint(20) unsigned DEFAULT '0' COMMENT '结束IP整型（弃用）'"
        },
        {
          "name": "version",
@@ -109864,7 +109868,7 @@
      "name": "edgeNodeClusters",
      "engine": "InnoDB",
      "charset": "utf8mb4_general_ci",
-      "definition": "CREATE TABLE `edgeNodeClusters` (\n  `id` int(11) unsigned NOT NULL AUTO_INCREMENT COMMENT 'ID',\n  `adminId` int(11) unsigned DEFAULT '0' COMMENT '管理员ID',\n  `userId` int(11) unsigned DEFAULT '0' COMMENT '用户ID',\n  `isOn` tinyint(1) unsigned DEFAULT '1' COMMENT '是否启用',\n  `name` varchar(255) DEFAULT NULL COMMENT '名称',\n  `useAllAPINodes` tinyint(1) unsigned DEFAULT '1' COMMENT '是否使用所有API节点',\n  `apiNodes` json DEFAULT NULL COMMENT '使用的API节点',\n  `installDir` varchar(512) DEFAULT NULL COMMENT '安装目录',\n  `order` int(11) unsigned DEFAULT '0' COMMENT '排序',\n  `createdAt` bigint(11) unsigned DEFAULT '0' COMMENT '创建时间',\n  `grantId` int(11) unsigned DEFAULT '0' COMMENT '默认认证方式',\n  `sshParams` json DEFAULT NULL COMMENT 'SSH默认参数',\n  `state` tinyint(1) unsigned DEFAULT '1' COMMENT '状态',\n  `autoRegister` tinyint(1) unsigned DEFAULT '1' COMMENT '是否开启自动注册',\n  `uniqueId` varchar(32) DEFAULT NULL COMMENT '唯一ID',\n  `secret` varchar(32) DEFAULT NULL COMMENT '密钥',\n  `healthCheck` json DEFAULT NULL COMMENT '健康检查',\n  `dnsName` varchar(255) DEFAULT NULL COMMENT 'DNS名称',\n  `dnsDomainId` int(11) unsigned DEFAULT '0' COMMENT '域名ID',\n  `dns` json DEFAULT NULL COMMENT 'DNS配置',\n  `toa` json DEFAULT NULL COMMENT 'TOA配置',\n  `cachePolicyId` int(11) unsigned DEFAULT '0' COMMENT '缓存策略ID',\n  `httpFirewallPolicyId` int(11) unsigned DEFAULT '0' COMMENT 'WAF策略ID',\n  `accessLog` json DEFAULT NULL COMMENT '访问日志设置',\n  `systemServices` json DEFAULT NULL COMMENT '系统服务设置',\n  `timeZone` varchar(64) DEFAULT NULL COMMENT '时区',\n  `nodeMaxThreads` int(11) unsigned DEFAULT '0' COMMENT '节点最大线程数',\n  `ddosProtection` json DEFAULT NULL COMMENT 'DDoS防护设置',\n  `autoOpenPorts` tinyint(1) unsigned DEFAULT '1' COMMENT '是否自动尝试开放端口',\n  `isPinned` tinyint(1) unsigned DEFAULT '0' COMMENT '是否置顶',\n  `webp` json DEFAULT NULL COMMENT 'WebP设置',\n  `uam` json DEFAULT NULL COMMENT 'UAM设置',\n  `clock` json DEFAULT NULL COMMENT '时钟配置',\n  `globalServerConfig` json DEFAULT NULL COMMENT '全局服务配置',\n  `autoRemoteStart` tinyint(1) unsigned DEFAULT '1' COMMENT '自动远程启动',\n  `autoInstallNftables` tinyint(1) unsigned DEFAULT '0' COMMENT '自动安装nftables',\n  `isAD` tinyint(1) unsigned DEFAULT '0' COMMENT '是否为高防集群',\n  `httpPages` json DEFAULT NULL COMMENT '自定义页面设置',\n  `cc` json DEFAULT NULL COMMENT 'CC设置',\n  `http3` json DEFAULT NULL COMMENT 'HTTP3设置',\n  `autoSystemTuning` tinyint(1) unsigned DEFAULT '1' COMMENT '是否自动调整系统参数',\n  `networkSecurity` json DEFAULT NULL COMMENT '网络安全策略',\n  PRIMARY KEY (`id`),\n  KEY `uniqueId` (`uniqueId`),\n  KEY `grantId` (`grantId`),\n  KEY `dnsDomainId` (`dnsDomainId`),\n  KEY `cachePolicyId` (`cachePolicyId`),\n  KEY `httpFirewallPolicyId` (`httpFirewallPolicyId`)\n) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COMMENT='节点集群'",
+      "definition": "CREATE TABLE `edgeNodeClusters` (\n  `id` int(11) unsigned NOT NULL AUTO_INCREMENT COMMENT 'ID',\n  `adminId` int(11) unsigned DEFAULT '0' COMMENT '管理员ID',\n  `userId` int(11) unsigned DEFAULT '0' COMMENT '用户ID',\n  `isOn` tinyint(1) unsigned DEFAULT '1' COMMENT '是否启用',\n  `name` varchar(255) DEFAULT NULL COMMENT '名称',\n  `useAllAPINodes` tinyint(1) unsigned DEFAULT '1' COMMENT '是否使用所有API节点',\n  `apiNodes` json DEFAULT NULL COMMENT '使用的API节点',\n  `installDir` varchar(512) DEFAULT NULL COMMENT '安装目录',\n  `order` int(11) unsigned DEFAULT '0' COMMENT '排序',\n  `createdAt` bigint(11) unsigned DEFAULT '0' COMMENT '创建时间',\n  `grantId` int(11) unsigned DEFAULT '0' COMMENT '默认认证方式',\n  `sshParams` json DEFAULT NULL COMMENT 'SSH默认参数',\n  `state` tinyint(1) unsigned DEFAULT '1' COMMENT '状态',\n  `autoRegister` tinyint(1) unsigned DEFAULT '1' COMMENT '是否开启自动注册',\n  `uniqueId` varchar(32) DEFAULT NULL COMMENT '唯一ID',\n  `secret` varchar(32) DEFAULT NULL COMMENT '密钥',\n  `healthCheck` json DEFAULT NULL COMMENT '健康检查',\n  `dnsName` varchar(255) DEFAULT NULL COMMENT 'DNS名称',\n  `dnsDomainId` int(11) unsigned DEFAULT '0' COMMENT '域名ID',\n  `dns` json DEFAULT NULL COMMENT 'DNS配置',\n  `toa` json DEFAULT NULL COMMENT 'TOA配置',\n  `cachePolicyId` int(11) unsigned DEFAULT '0' COMMENT '缓存策略ID',\n  `httpFirewallPolicyId` int(11) unsigned DEFAULT '0' COMMENT 'WAF策略ID',\n  `accessLog` json DEFAULT NULL COMMENT '访问日志设置',\n  `systemServices` json DEFAULT NULL COMMENT '系统服务设置',\n  `timeZone` varchar(64) DEFAULT NULL COMMENT '时区',\n  `nodeMaxThreads` int(11) unsigned DEFAULT '0' COMMENT '节点最大线程数',\n  `ddosProtection` json DEFAULT NULL COMMENT 'DDoS防护设置',\n  `autoOpenPorts` tinyint(1) unsigned DEFAULT '1' COMMENT '是否自动尝试开放端口',\n  `isPinned` tinyint(1) unsigned DEFAULT '0' COMMENT '是否置顶',\n  `webp` json DEFAULT NULL COMMENT 'WebP设置',\n  `uam` json DEFAULT NULL COMMENT 'UAM设置',\n  `clock` json DEFAULT NULL COMMENT '时钟配置',\n  `globalServerConfig` json DEFAULT NULL COMMENT '全局服务配置',\n  `autoRemoteStart` tinyint(1) unsigned DEFAULT '1' COMMENT '自动远程启动',\n  `autoInstallNftables` tinyint(1) unsigned DEFAULT '0' COMMENT '自动安装nftables',\n  `isAD` tinyint(1) unsigned DEFAULT '0' COMMENT '是否为高防集群',\n  `httpPages` json DEFAULT NULL COMMENT '自定义页面设置',\n  `cc` json DEFAULT NULL COMMENT 'CC设置',\n  `http3` json DEFAULT NULL COMMENT 'HTTP3设置',\n  `autoSystemTuning` tinyint(1) unsigned DEFAULT '1' COMMENT '是否自动调整系统参数',\n  `networkSecurity` json DEFAULT NULL COMMENT '网络安全策略',\n  `autoTrimDisks` tinyint(1) unsigned DEFAULT '1' COMMENT '是否自动执行TRIM',\n  PRIMARY KEY (`id`),\n  KEY `uniqueId` (`uniqueId`),\n  KEY `grantId` (`grantId`),\n  KEY `dnsDomainId` (`dnsDomainId`),\n  KEY `cachePolicyId` (`cachePolicyId`),\n  KEY `httpFirewallPolicyId` (`httpFirewallPolicyId`)\n) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COMMENT='节点集群'",
      "fields": [
        {
          "name": "id",
@@ -110033,6 +110037,10 @@
        {
          "name": "networkSecurity",
          "definition": "json COMMENT '网络安全策略'"
+        },
+        {
+          "name": "autoTrimDisks",
+          "definition": "tinyint(1) unsigned DEFAULT '1' COMMENT '是否自动执行TRIM'"
        }
      ],
      "indexes": [
--- a/internal/setup/sql_upgrade.go
+++ b/internal/setup/sql_upgrade.go
@@ -513,7 +513,7 @@ func upgradeV0_3_7(db *dbs.DB) error {
 // v0.4.0
 func upgradeV0_4_0(db *dbs.DB) error {
 	// 升级SYN Flood配置
-	synFloodJSON, err := json.Marshal(firewallconfigs.DefaultSYNFloodConfig())
+	synFloodJSON, err := json.Marshal(firewallconfigs.NewSYNFloodConfig())
 	if err == nil {
 		_, err := db.Exec("UPDATE edgeHTTPFirewallPolicies SET synFlood=? WHERE synFlood IS NULL AND state=1", string(synFloodJSON))
 		if err != nil {