增加IP级别和WAF动作相关API

2025-11-10 20:40:56 +08:00 · 2021-02-06 17:38:04 +08:00
parent 244acd9298
commit cd6a264730
17 changed files with 447 additions and 140 deletions
--- a/internal/db/models/firewall_action_dao.go
+++ b/internal/db/models/firewall_action_dao.go
@@ -1,71 +0,0 @@
-package models
-
-import (
-	_ "github.com/go-sql-driver/mysql"
-	"github.com/iwind/TeaGo/Tea"
-	"github.com/iwind/TeaGo/dbs"
-)
-
-const (
-	FirewallActionStateEnabled  = 1 // 已启用
-	FirewallActionStateDisabled = 0 // 已禁用
-)
-
-type FirewallActionDAO dbs.DAO
-
-func NewFirewallActionDAO() *FirewallActionDAO {
-	return dbs.NewDAO(&FirewallActionDAO{
-		DAOObject: dbs.DAOObject{
-			DB:     Tea.Env,
-			Table:  "edgeFirewallActions",
-			Model:  new(FirewallAction),
-			PkName: "id",
-		},
-	}).(*FirewallActionDAO)
-}
-
-var SharedFirewallActionDAO *FirewallActionDAO
-
-func init() {
-	dbs.OnReady(func() {
-		SharedFirewallActionDAO = NewFirewallActionDAO()
-	})
-}
-
-// 启用条目
-func (this *FirewallActionDAO) EnableFirewallAction(tx *dbs.Tx, id uint32) error {
-	_, err := this.Query(tx).
-		Pk(id).
-		Set("state", FirewallActionStateEnabled).
-		Update()
-	return err
-}
-
-// 禁用条目
-func (this *FirewallActionDAO) DisableFirewallAction(tx *dbs.Tx, id uint32) error {
-	_, err := this.Query(tx).
-		Pk(id).
-		Set("state", FirewallActionStateDisabled).
-		Update()
-	return err
-}
-
-// 查找启用中的条目
-func (this *FirewallActionDAO) FindEnabledFirewallAction(tx *dbs.Tx, id uint32) (*FirewallAction, error) {
-	result, err := this.Query(tx).
-		Pk(id).
-		Attr("state", FirewallActionStateEnabled).
-		Find()
-	if result == nil {
-		return nil, err
-	}
-	return result.(*FirewallAction), err
-}
-
-// 根据主键查找名称
-func (this *FirewallActionDAO) FindFirewallActionName(tx *dbs.Tx, id uint32) (string, error) {
-	return this.Query(tx).
-		Pk(id).
-		Result("name").
-		FindStringCol("")
-}
--- a/internal/db/models/firewall_action_model.go
+++ b/internal/db/models/firewall_action_model.go
@@ -1,26 +0,0 @@
-package models
-
-// 防火墙动作
-type FirewallAction struct {
-	Id      uint32 `field:"id"`      // ID
-	AdminId uint32 `field:"adminId"` // 管理员ID
-	Name    string `field:"name"`    // 名称
-	Code    string `field:"code"`    // 快速查询代号
-	Type    string `field:"type"`    // 动作类型
-	Params  string `field:"params"`  // 参数
-	State   uint8  `field:"state"`   // 状态
-}
-
-type FirewallActionOperator struct {
-	Id      interface{} // ID
-	AdminId interface{} // 管理员ID
-	Name    interface{} // 名称
-	Code    interface{} // 快速查询代号
-	Type    interface{} // 动作类型
-	Params  interface{} // 参数
-	State   interface{} // 状态
-}
-
-func NewFirewallActionOperator() *FirewallActionOperator {
-	return &FirewallActionOperator{}
-}
--- a/internal/db/models/firewall_action_model_ext.go
+++ b/internal/db/models/firewall_action_model_ext.go
@@ -1 +0,0 @@
-package models
--- a/internal/db/models/ip_item_dao.go
+++ b/internal/db/models/ip_item_dao.go
@@ -87,7 +87,7 @@ func (this *IPItemDAO) FindEnabledIPItem(tx *dbs.Tx, id int64) (*IPItem, error)
 }

 // 创建IP
-func (this *IPItemDAO) CreateIPItem(tx *dbs.Tx, listId int64, ipFrom string, ipTo string, expiredAt int64, reason string, itemType IPItemType) (int64, error) {
+func (this *IPItemDAO) CreateIPItem(tx *dbs.Tx, listId int64, ipFrom string, ipTo string, expiredAt int64, reason string, itemType IPItemType, eventLevel string) (int64, error) {
 	version, err := SharedIPListDAO.IncreaseVersion(tx)
 	if err != nil {
 		return 0, err
@@ -101,6 +101,7 @@ func (this *IPItemDAO) CreateIPItem(tx *dbs.Tx, listId int64, ipFrom string, ipT
 	op.IpToLong = utils.IP2Long(ipTo)
 	op.Reason = reason
 	op.Type = itemType
+	op.EventLevel = eventLevel
 	op.Version = version
 	if expiredAt < 0 {
 		expiredAt = 0
@@ -121,7 +122,7 @@ func (this *IPItemDAO) CreateIPItem(tx *dbs.Tx, listId int64, ipFrom string, ipT
 }

 // 修改IP
-func (this *IPItemDAO) UpdateIPItem(tx *dbs.Tx, itemId int64, ipFrom string, ipTo string, expiredAt int64, reason string, itemType IPItemType) error {
+func (this *IPItemDAO) UpdateIPItem(tx *dbs.Tx, itemId int64, ipFrom string, ipTo string, expiredAt int64, reason string, itemType IPItemType, eventLevel string) error {
 	if itemId <= 0 {
 		return errors.New("invalid itemId")
 	}
@@ -150,6 +151,7 @@ func (this *IPItemDAO) UpdateIPItem(tx *dbs.Tx, itemId int64, ipFrom string, ipT
 	op.IpToLong = utils.IP2Long(ipTo)
 	op.Reason = reason
 	op.Type = itemType
+	op.EventLevel = eventLevel
 	if expiredAt < 0 {
 		expiredAt = 0
 	}
--- a/internal/db/models/ip_item_model.go
+++ b/internal/db/models/ip_item_model.go
@@ -13,7 +13,7 @@ type IPItem struct {
 	CreatedAt  uint64 `field:"createdAt"`  // 创建时间
 	UpdatedAt  uint64 `field:"updatedAt"`  // 修改时间
 	Reason     string `field:"reason"`     // 加入说明
-	Action     string `field:"action"`     // 动作代号
+	EventLevel string `field:"eventLevel"` // 事件级别
 	State      uint8  `field:"state"`      // 状态
 	ExpiredAt  uint64 `field:"expiredAt"`  // 过期时间
 }
@@ -30,7 +30,7 @@ type IPItemOperator struct {
 	CreatedAt  interface{} // 创建时间
 	UpdatedAt  interface{} // 修改时间
 	Reason     interface{} // 加入说明
-	Action     interface{} // 动作代号
+	EventLevel interface{} // 事件级别
 	State      interface{} // 状态
 	ExpiredAt  interface{} // 过期时间
 }
--- a/internal/db/models/ip_list_dao.go
+++ b/internal/db/models/ip_list_dao.go
@@ -15,6 +15,8 @@ const (
 	IPListStateDisabled = 0 // 已禁用
 )

+var listTypeCacheMap = map[int64]string{} // listId => type
+
 type IPListDAO dbs.DAO

 func NewIPListDAO() *IPListDAO {
@@ -74,6 +76,36 @@ func (this *IPListDAO) FindIPListName(tx *dbs.Tx, id int64) (string, error) {
 		FindStringCol("")
 }

+// 获取名单类型
+func (this *IPListDAO) FindIPListTypeCacheable(tx *dbs.Tx, listId int64) (string, error) {
+	// 检查缓存
+	SharedCacheLocker.RLock()
+	listType, ok := listTypeCacheMap[listId]
+	SharedCacheLocker.RUnlock()
+	if ok {
+		return listType, nil
+	}
+
+	listType, err := this.Query(tx).
+		Pk(listId).
+		Result("type").
+		FindStringCol("")
+	if err != nil {
+		return "", err
+	}
+
+	if len(listType) == 0 {
+		return "", nil
+	}
+
+	// 保存缓存
+	SharedCacheLocker.Lock()
+	listTypeCacheMap[listId] = listType
+	SharedCacheLocker.Unlock()
+
+	return listType, nil
+}
+
 // 创建名单
 func (this *IPListDAO) CreateIPList(tx *dbs.Tx, userId int64, listType ipconfigs.IPListType, name string, code string, timeoutJSON []byte) (int64, error) {
 	op := NewIPListOperator()
--- a/internal/db/models/node_cluster_firewall_action_dao.go
+++ b/internal/db/models/node_cluster_firewall_action_dao.go
@@ -0,0 +1,169 @@
+package models
+
+import (
+	"github.com/TeaOSLab/EdgeAPI/internal/errors"
+	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
+	_ "github.com/go-sql-driver/mysql"
+	"github.com/iwind/TeaGo/Tea"
+	"github.com/iwind/TeaGo/dbs"
+	"github.com/iwind/TeaGo/maps"
+)
+
+const (
+	NodeClusterFirewallActionStateEnabled  = 1 // 已启用
+	NodeClusterFirewallActionStateDisabled = 0 // 已禁用
+)
+
+type NodeClusterFirewallActionDAO dbs.DAO
+
+func NewNodeClusterFirewallActionDAO() *NodeClusterFirewallActionDAO {
+	return dbs.NewDAO(&NodeClusterFirewallActionDAO{
+		DAOObject: dbs.DAOObject{
+			DB:     Tea.Env,
+			Table:  "edgeNodeClusterFirewallActions",
+			Model:  new(NodeClusterFirewallAction),
+			PkName: "id",
+		},
+	}).(*NodeClusterFirewallActionDAO)
+}
+
+var SharedNodeClusterFirewallActionDAO *NodeClusterFirewallActionDAO
+
+func init() {
+	dbs.OnReady(func() {
+		SharedNodeClusterFirewallActionDAO = NewNodeClusterFirewallActionDAO()
+	})
+}
+
+// 启用条目
+func (this *NodeClusterFirewallActionDAO) EnableFirewallAction(tx *dbs.Tx, id uint32) error {
+	_, err := this.Query(tx).
+		Pk(id).
+		Set("state", NodeClusterFirewallActionStateEnabled).
+		Update()
+	return err
+}
+
+// 禁用条目
+func (this *NodeClusterFirewallActionDAO) DisableFirewallAction(tx *dbs.Tx, actionId int64) error {
+	_, err := this.Query(tx).
+		Pk(actionId).
+		Set("state", NodeClusterFirewallActionStateDisabled).
+		Update()
+	if err != nil {
+		return err
+	}
+	return this.NotifyUpdate(tx, actionId)
+}
+
+// 查找启用中的条目
+func (this *NodeClusterFirewallActionDAO) FindEnabledFirewallAction(tx *dbs.Tx, actionId int64) (*NodeClusterFirewallAction, error) {
+	result, err := this.Query(tx).
+		Pk(actionId).
+		Attr("state", NodeClusterFirewallActionStateEnabled).
+		Find()
+	if result == nil {
+		return nil, err
+	}
+	return result.(*NodeClusterFirewallAction), err
+}
+
+// 根据主键查找名称
+func (this *NodeClusterFirewallActionDAO) FindFirewallActionName(tx *dbs.Tx, id uint32) (string, error) {
+	return this.Query(tx).
+		Pk(id).
+		Result("name").
+		FindStringCol("")
+}
+
+// 创建动作
+func (this *NodeClusterFirewallActionDAO) CreateFirewallAction(tx *dbs.Tx, adminId int64, clusterId int64, name string, eventLevel, actionType firewallconfigs.FirewallActionType, params maps.Map) (int64, error) {
+	if params == nil {
+		params = maps.Map{}
+	}
+
+	op := NewNodeClusterFirewallActionOperator()
+	op.AdminId = adminId
+	op.ClusterId = clusterId
+	op.Name = name
+	op.EventLevel = eventLevel
+	op.Type = actionType
+	op.Params = params.AsJSON()
+	op.State = NodeClusterFirewallActionStateEnabled
+	actionId, err := this.SaveInt64(tx, op)
+	if err != nil {
+		return 0, err
+	}
+	err = this.NotifyUpdate(tx, actionId)
+	if err != nil {
+		return 0, err
+	}
+	return actionId, nil
+}
+
+// 修改动作
+func (this *NodeClusterFirewallActionDAO) UpdateFirewallAction(tx *dbs.Tx, actionId int64, name string, eventLevel string, actionType firewallconfigs.FirewallActionType, params maps.Map) error {
+	if actionId <= 0 {
+		return errors.New("invalid actionId")
+	}
+
+	if params == nil {
+		params = maps.Map{}
+	}
+
+	op := NewNodeClusterFirewallActionOperator()
+	op.Id = actionId
+	op.Name = name
+	op.EventLevel = eventLevel
+	op.Type = actionType
+	op.Params = params.AsJSON()
+	_, err := this.SaveInt64(tx, op)
+	if err != nil {
+		return err
+	}
+	return this.NotifyUpdate(tx, actionId)
+}
+
+// 查找所有集群的动作
+func (this *NodeClusterFirewallActionDAO) FindAllEnabledFirewallActions(tx *dbs.Tx, clusterId int64) (result []*NodeClusterFirewallAction, err error) {
+	_, err = this.Query(tx).
+		Attr("clusterId", clusterId).
+		State(NodeClusterFirewallActionStateEnabled).
+		Slice(&result).
+		FindAll()
+	return
+}
+
+// 组合配置
+func (this *NodeClusterFirewallActionDAO) ComposeFirewallActionConfig(tx *dbs.Tx, action *NodeClusterFirewallAction) (*firewallconfigs.FirewallActionConfig, error) {
+	if action == nil {
+		return nil, nil
+	}
+	config := &firewallconfigs.FirewallActionConfig{}
+	config.Id = int64(action.Id)
+	config.Type = action.Type
+	config.EventLevel = action.EventLevel
+
+	params, err := action.DecodeParams()
+	if err != nil {
+		return nil, err
+	}
+	config.Params = params
+
+	return config, nil
+}
+
+// 通知更新
+func (this *NodeClusterFirewallActionDAO) NotifyUpdate(tx *dbs.Tx, actionId int64) error {
+	clusterId, err := this.Query(tx).
+		Pk(actionId).
+		Result("clusterId").
+		FindInt64Col(0)
+	if err != nil {
+		return err
+	}
+	if clusterId > 0 {
+		return SharedNodeClusterDAO.NotifyUpdate(tx, clusterId)
+	}
+	return nil
+}
--- a/internal/db/models/node_cluster_firewall_action_dao_test.go
+++ b/internal/db/models/node_cluster_firewall_action_dao_test.go
--- a/internal/db/models/node_cluster_firewall_action_model.go
+++ b/internal/db/models/node_cluster_firewall_action_model.go
@@ -0,0 +1,28 @@
+package models
+
+// 防火墙动作
+type NodeClusterFirewallAction struct {
+	Id         uint32 `field:"id"`         // ID
+	AdminId    uint32 `field:"adminId"`    // 管理员ID
+	ClusterId  uint32 `field:"clusterId"`  // 集群ID
+	Name       string `field:"name"`       // 名称
+	EventLevel string `field:"eventLevel"` // 级别
+	Type       string `field:"type"`       // 动作类型
+	Params     string `field:"params"`     // 参数
+	State      uint8  `field:"state"`      // 状态
+}
+
+type NodeClusterFirewallActionOperator struct {
+	Id         interface{} // ID
+	AdminId    interface{} // 管理员ID
+	ClusterId  interface{} // 集群ID
+	Name       interface{} // 名称
+	EventLevel interface{} // 级别
+	Type       interface{} // 动作类型
+	Params     interface{} // 参数
+	State      interface{} // 状态
+}
+
+func NewNodeClusterFirewallActionOperator() *NodeClusterFirewallActionOperator {
+	return &NodeClusterFirewallActionOperator{}
+}
--- a/internal/db/models/node_cluster_firewall_action_model_ext.go
+++ b/internal/db/models/node_cluster_firewall_action_model_ext.go
@@ -0,0 +1,19 @@
+package models
+
+import (
+	"encoding/json"
+	"github.com/iwind/TeaGo/maps"
+)
+
+// 解析参数
+func (this *NodeClusterFirewallAction) DecodeParams() (maps.Map, error) {
+	if IsNotNull(this.Params) {
+		params := maps.Map{}
+		err := json.Unmarshal([]byte(this.Params), &params)
+		if err != nil {
+			return nil, err
+		}
+		return params, nil
+	}
+	return maps.Map{}, nil
+}
--- a/internal/db/models/node_dao.go
+++ b/internal/db/models/node_dao.go
@@ -574,6 +574,21 @@ func (this *NodeDAO) ComposeNodeConfig(tx *dbs.Tx, nodeId int64) (*nodeconfigs.N
 		config.SystemServices = services
 	}

+	// 防火墙动作
+	actions, err := SharedNodeClusterFirewallActionDAO.FindAllEnabledFirewallActions(tx, clusterId)
+	if err != nil {
+		return nil, err
+	}
+	for _, action := range actions {
+		actionConfig, err := SharedNodeClusterFirewallActionDAO.ComposeFirewallActionConfig(tx, action)
+		if err != nil {
+			return nil, err
+		}
+		if actionConfig != nil {
+			config.FirewallActions = append(config.FirewallActions, actionConfig)
+		}
+	}
+
 	return config, nil
 }

--- a/internal/db/models/utils.go
+++ b/internal/db/models/utils.go
@@ -5,6 +5,7 @@ import (
 	"sync"
 )

+// 缓存专用Locker
 var SharedCacheLocker = sync.RWMutex{}

 // 处理JSON字节Slice
--- a/internal/nodes/api_node.go
+++ b/internal/nodes/api_node.go
@@ -234,6 +234,7 @@ func (this *APINode) listenRPC(listener net.Listener, tlsConfig *tls.Config) err
 	pb.RegisterServerClientBrowserMonthlyStatServiceServer(rpcServer, &services.ServerClientBrowserMonthlyStatService{})
 	pb.RegisterServerHTTPFirewallDailyStatServiceServer(rpcServer, &services.ServerHTTPFirewallDailyStatService{})
 	pb.RegisterDNSTaskServiceServer(rpcServer, &services.DNSTaskService{})
+	pb.RegisterNodeClusterFirewallActionServiceServer(rpcServer, &services.NodeClusterFirewallActionService{})
 	err := rpcServer.Serve(listener)
 	if err != nil {
 		return errors.New("[API_NODE]start rpc failed: " + err.Error())
--- a/internal/rpc/services/service_http_firewall_policy.go
+++ b/internal/rpc/services/service_http_firewall_policy.go
@@ -680,12 +680,13 @@ func (this *HTTPFirewallPolicyService) CheckHTTPFirewallPolicyIPStatus(ctx conte
 				IsAllowed: true,
 				IpList:    &pb.IPList{Name: "白名单", Id: firewallPolicy.Inbound.AllowListRef.ListId},
 				IpItem: &pb.IPItem{
-					Id:        int64(item.Id),
-					IpFrom:    item.IpFrom,
-					IpTo:      item.IpTo,
-					ExpiredAt: int64(item.ExpiredAt),
-					Reason:    item.Reason,
-					Type:      item.Type,
+					Id:         int64(item.Id),
+					IpFrom:     item.IpFrom,
+					IpTo:       item.IpTo,
+					ExpiredAt:  int64(item.ExpiredAt),
+					Reason:     item.Reason,
+					Type:       item.Type,
+					EventLevel: item.EventLevel,
 				},
 				RegionCountry:  nil,
 				RegionProvince: nil,
@@ -711,12 +712,13 @@ func (this *HTTPFirewallPolicyService) CheckHTTPFirewallPolicyIPStatus(ctx conte
 				IsAllowed: false,
 				IpList:    &pb.IPList{Name: "黑名单", Id: firewallPolicy.Inbound.DenyListRef.ListId},
 				IpItem: &pb.IPItem{
-					Id:        int64(item.Id),
-					IpFrom:    item.IpFrom,
-					IpTo:      item.IpTo,
-					ExpiredAt: int64(item.ExpiredAt),
-					Reason:    item.Reason,
-					Type:      item.Type,
+					Id:         int64(item.Id),
+					IpFrom:     item.IpFrom,
+					IpTo:       item.IpTo,
+					ExpiredAt:  int64(item.ExpiredAt),
+					Reason:     item.Reason,
+					Type:       item.Type,
+					EventLevel: item.EventLevel,
 				},
 				RegionCountry:  nil,
 				RegionProvince: nil,
--- a/internal/rpc/services/service_ip_item.go
+++ b/internal/rpc/services/service_ip_item.go
@@ -51,7 +51,7 @@ func (this *IPItemService) CreateIPItem(ctx context.Context, req *pb.CreateIPIte
 		req.Type = models.IPItemTypeIPv4
 	}

-	itemId, err := models.SharedIPItemDAO.CreateIPItem(tx, req.IpListId, req.IpFrom, req.IpTo, req.ExpiredAt, req.Reason, req.Type)
+	itemId, err := models.SharedIPItemDAO.CreateIPItem(tx, req.IpListId, req.IpFrom, req.IpTo, req.ExpiredAt, req.Reason, req.Type, req.EventLevel)
 	if err != nil {
 		return nil, err
 	}
@@ -85,7 +85,7 @@ func (this *IPItemService) UpdateIPItem(ctx context.Context, req *pb.UpdateIPIte
 		req.Type = models.IPItemTypeIPv4
 	}

-	err = models.SharedIPItemDAO.UpdateIPItem(tx, req.IpItemId, req.IpFrom, req.IpTo, req.ExpiredAt, req.Reason, req.Type)
+	err = models.SharedIPItemDAO.UpdateIPItem(tx, req.IpItemId, req.IpFrom, req.IpTo, req.ExpiredAt, req.Reason, req.Type, req.EventLevel)
 	if err != nil {
 		return nil, err
 	}
@@ -175,13 +175,14 @@ func (this *IPItemService) ListIPItemsWithListId(ctx context.Context, req *pb.Li
 		}

 		result = append(result, &pb.IPItem{
-			Id:        int64(item.Id),
-			IpFrom:    item.IpFrom,
-			IpTo:      item.IpTo,
-			Version:   int64(item.Version),
-			ExpiredAt: int64(item.ExpiredAt),
-			Reason:    item.Reason,
-			Type:      item.Type,
+			Id:         int64(item.Id),
+			IpFrom:     item.IpFrom,
+			IpTo:       item.IpTo,
+			Version:    int64(item.Version),
+			ExpiredAt:  int64(item.ExpiredAt),
+			Reason:     item.Reason,
+			Type:       item.Type,
+			EventLevel: item.EventLevel,
 		})
 	}

@@ -218,13 +219,14 @@ func (this *IPItemService) FindEnabledIPItem(ctx context.Context, req *pb.FindEn
 	}

 	return &pb.FindEnabledIPItemResponse{IpItem: &pb.IPItem{
-		Id:        int64(item.Id),
-		IpFrom:    item.IpFrom,
-		IpTo:      item.IpTo,
-		Version:   int64(item.Version),
-		ExpiredAt: int64(item.ExpiredAt),
-		Reason:    item.Reason,
-		Type:      item.Type,
+		Id:         int64(item.Id),
+		IpFrom:     item.IpFrom,
+		IpTo:       item.IpTo,
+		Version:    int64(item.Version),
+		ExpiredAt:  int64(item.ExpiredAt),
+		Reason:     item.Reason,
+		Type:       item.Type,
+		EventLevel: item.EventLevel,
 	}}, nil
 }

@@ -248,16 +250,24 @@ func (this *IPItemService) ListIPItemsAfterVersion(ctx context.Context, req *pb.
 			item.Type = models.IPItemTypeIPv4
 		}

+		// List类型
+		listType, err := models.SharedIPListDAO.FindIPListTypeCacheable(tx, int64(item.ListId))
+		if err != nil {
+			return nil, err
+		}
+
 		result = append(result, &pb.IPItem{
-			Id:        int64(item.Id),
-			IpFrom:    item.IpFrom,
-			IpTo:      item.IpTo,
-			Version:   int64(item.Version),
-			ExpiredAt: int64(item.ExpiredAt),
-			Reason:    "", // 这里我们不需要这个数据
-			ListId:    int64(item.ListId),
-			IsDeleted: item.State == 0,
-			Type:      item.Type,
+			Id:         int64(item.Id),
+			IpFrom:     item.IpFrom,
+			IpTo:       item.IpTo,
+			Version:    int64(item.Version),
+			ExpiredAt:  int64(item.ExpiredAt),
+			Reason:     "", // 这里我们不需要这个数据
+			ListId:     int64(item.ListId),
+			IsDeleted:  item.State == 0,
+			Type:       item.Type,
+			EventLevel: item.EventLevel,
+			ListType:   listType,
 		})
 	}

--- a/internal/rpc/services/service_node_cluster_firewall_action.go
+++ b/internal/rpc/services/service_node_cluster_firewall_action.go
@@ -0,0 +1,126 @@
+package services
+
+import (
+	"context"
+	"encoding/json"
+	"github.com/TeaOSLab/EdgeAPI/internal/db/models"
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
+	"github.com/iwind/TeaGo/maps"
+)
+
+// 防火墙动作服务
+type NodeClusterFirewallActionService struct {
+	BaseService
+}
+
+// 创建动作
+func (this *NodeClusterFirewallActionService) CreateNodeClusterFirewallAction(ctx context.Context, req *pb.CreateNodeClusterFirewallActionRequest) (*pb.NodeClusterFirewallActionResponse, error) {
+	adminId, err := this.ValidateAdmin(ctx, 0)
+	if err != nil {
+		return nil, err
+	}
+
+	params := maps.Map{}
+	if len(req.ParamsJSON) > 0 {
+		err = json.Unmarshal(req.ParamsJSON, &params)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	var tx = this.NullTx()
+	actionId, err := models.SharedNodeClusterFirewallActionDAO.CreateFirewallAction(tx, adminId, req.NodeClusterId, req.Name, req.EventLevel, req.Type, params)
+	if err != nil {
+		return nil, err
+	}
+	return &pb.NodeClusterFirewallActionResponse{NodeClusterFirewallActionId: actionId}, nil
+}
+
+// 修改动作
+func (this *NodeClusterFirewallActionService) UpdateNodeClusterFirewallAction(ctx context.Context, req *pb.UpdateNodeClusterFirewallActionRequest) (*pb.RPCSuccess, error) {
+	_, err := this.ValidateAdmin(ctx, 0)
+	if err != nil {
+		return nil, err
+	}
+
+	params := maps.Map{}
+	if len(req.ParamsJSON) > 0 {
+		err = json.Unmarshal(req.ParamsJSON, &params)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	var tx = this.NullTx()
+	err = models.SharedNodeClusterFirewallActionDAO.UpdateFirewallAction(tx, req.NodeClusterFirewallActionId, req.Name, req.EventLevel, req.Type, params)
+	if err != nil {
+		return nil, err
+	}
+	return this.Success()
+}
+
+// 删除动作
+func (this *NodeClusterFirewallActionService) DeleteNodeClusterFirewallAction(ctx context.Context, req *pb.DeleteNodeClusterFirewallActionRequest) (*pb.RPCSuccess, error) {
+	_, err := this.ValidateAdmin(ctx, 0)
+	if err != nil {
+		return nil, err
+	}
+
+	var tx = this.NullTx()
+	err = models.SharedNodeClusterFirewallActionDAO.DisableFirewallAction(tx, req.NodeClusterFirewallActionId)
+	if err != nil {
+		return nil, err
+	}
+	return this.Success()
+}
+
+// 查询集群的所有动作
+func (this *NodeClusterFirewallActionService) FindAllEnabledNodeClusterFirewallActions(ctx context.Context, req *pb.FindAllEnabledNodeClusterFirewallActionsRequest) (*pb.FindAllEnabledNodeClusterFirewallActionsResponse, error) {
+	_, err := this.ValidateAdmin(ctx, 0)
+	if err != nil {
+		return nil, err
+	}
+
+	var tx = this.NullTx()
+	actions, err := models.SharedNodeClusterFirewallActionDAO.FindAllEnabledFirewallActions(tx, req.NodeClusterId)
+	if err != nil {
+		return nil, err
+	}
+	pbActions := []*pb.NodeClusterFirewallAction{}
+	for _, action := range actions {
+		pbActions = append(pbActions, &pb.NodeClusterFirewallAction{
+			Id:            int64(action.Id),
+			NodeClusterId: int64(action.ClusterId),
+			Name:          action.Name,
+			EventLevel:    action.EventLevel,
+			Type:          action.Type,
+			ParamsJSON:    []byte(action.Params),
+		})
+	}
+	return &pb.FindAllEnabledNodeClusterFirewallActionsResponse{NodeClusterFirewallActions: pbActions}, nil
+}
+
+// 查询单个动作
+func (this *NodeClusterFirewallActionService) FindEnabledNodeClusterFirewallAction(ctx context.Context, req *pb.FindEnabledNodeClusterFirewallActionRequest) (*pb.FindEnabledNodeClusterFirewallActionResponse, error) {
+	_, err := this.ValidateAdmin(ctx, 0)
+	if err != nil {
+		return nil, err
+	}
+
+	var tx = this.NullTx()
+	action, err := models.SharedNodeClusterFirewallActionDAO.FindEnabledFirewallAction(tx, req.NodeClusterFirewallActionId)
+	if err != nil {
+		return nil, err
+	}
+	if action == nil {
+		return &pb.FindEnabledNodeClusterFirewallActionResponse{NodeClusterFirewallAction: nil}, nil
+	}
+	return &pb.FindEnabledNodeClusterFirewallActionResponse{NodeClusterFirewallAction: &pb.NodeClusterFirewallAction{
+		Id:            int64(action.Id),
+		NodeClusterId: int64(action.ClusterId),
+		Name:          action.Name,
+		EventLevel:    action.EventLevel,
+		Type:          action.Type,
+		ParamsJSON:    []byte(action.Params),
+	}}, nil
+}
--- a/internal/setup/sql.go
+++ b/internal/setup/sql.go