实现自动SYN Flood防护

GoEdgeLab
2022-01-10 19:54:37 +08:00
parent 00cba6a380
commit e48c02176b
4 changed files with 66 additions and 2 deletions


@@ -130,6 +130,21 @@ func (this *HTTPFirewallPolicyDAO) CreateFirewallPolicy(tx *dbs.Tx, userId int64
if len(outboundJSON) > 0 { if len(outboundJSON) > 0 {
op.Outbound = outboundJSON op.Outbound = outboundJSON
} }
op.UseLocalFirewall = true
{
synFloodJSON, err := json.Marshal(&firewallconfigs.SYNFloodConfig{
IsOn: true,
MinAttempts: 10,
TimeoutSeconds: 600,
IgnoreLocal: true,
})
if err != nil {
return 0, err
}
op.SynFlood = synFloodJSON
}
err := this.Save(tx, op) err := this.Save(tx, op)
return types.Int64(op.Id), err return types.Int64(op.Id), err
} }
@@ -249,7 +264,7 @@ func (this *HTTPFirewallPolicyDAO) UpdateFirewallPolicyInbound(tx *dbs.Tx, polic
} }
// UpdateFirewallPolicy 修改策略 // UpdateFirewallPolicy 修改策略
func (this *HTTPFirewallPolicyDAO) UpdateFirewallPolicy(tx *dbs.Tx, policyId int64, isOn bool, name string, description string, inboundJSON []byte, outboundJSON []byte, blockOptionsJSON []byte, mode firewallconfigs.FirewallMode, useLocalFirewall bool) error { func (this *HTTPFirewallPolicyDAO) UpdateFirewallPolicy(tx *dbs.Tx, policyId int64, isOn bool, name string, description string, inboundJSON []byte, outboundJSON []byte, blockOptionsJSON []byte, mode firewallconfigs.FirewallMode, useLocalFirewall bool, synFloodConfig *firewallconfigs.SYNFloodConfig) error {
if policyId <= 0 { if policyId <= 0 {
return errors.New("invalid policyId") return errors.New("invalid policyId")
} }
@@ -272,6 +287,17 @@ func (this *HTTPFirewallPolicyDAO) UpdateFirewallPolicy(tx *dbs.Tx, policyId int
if len(blockOptionsJSON) > 0 { if len(blockOptionsJSON) > 0 {
op.BlockOptions = blockOptionsJSON op.BlockOptions = blockOptionsJSON
} }
if synFloodConfig != nil {
synFloodConfigJSON, err := json.Marshal(synFloodConfig)
if err != nil {
return err
}
op.SynFlood = synFloodConfigJSON
} else {
op.SynFlood = "null"
}
op.UseLocalFirewall = useLocalFirewall op.UseLocalFirewall = useLocalFirewall
err := this.Save(tx, op) err := this.Save(tx, op)
if err != nil { if err != nil {
@@ -413,6 +439,16 @@ func (this *HTTPFirewallPolicyDAO) ComposeFirewallPolicy(tx *dbs.Tx, policyId in
config.BlockOptions = blockAction config.BlockOptions = blockAction
} }
// syn flood
if len(policy.SynFlood) > 0 {
var synFloodConfig = &firewallconfigs.SYNFloodConfig{}
err = json.Unmarshal([]byte(policy.SynFlood), synFloodConfig)
if err != nil {
return nil, err
}
config.SYNFlood = synFloodConfig
}
if cacheMap != nil { if cacheMap != nil {
cacheMap.Put(cacheKey, config) cacheMap.Put(cacheKey, config)
} }
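Review bot: The `else { op.SynFlood = "null" }` branch in UpdateFirewallPolicy (second hunk) breaks with the surrounding `if len(x) > 0 { op.X = x }` pattern, under which an omitted value leaves the stored column untouched; here a nil config actively clears the SYN flood setting that CreateFirewallPolicy now installs by default. If clearing is the intent, a comment such as `// nil config disables SYN flood protection: the stored JSON is reset to "null"` would make that explicit; otherwise drop the `else` so an absent config preserves the current value. ComposeFirewallPolicy (fourth hunk) will then unmarshal the literal `"null"` into a zero `SYNFloodConfig`, so `config.SYNFlood` ends up non-nil with `IsOn == false` rather than nil, which callers that test only for nil should be aware of. The functions in these hunks start before and continue after the hunk lines.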


@@ -18,6 +18,7 @@ type HTTPFirewallPolicy struct {
BlockOptions string `field:"blockOptions"` // BLOCK选项 BlockOptions string `field:"blockOptions"` // BLOCK选项
Mode string `field:"mode"` // 模式 Mode string `field:"mode"` // 模式
UseLocalFirewall uint8 `field:"useLocalFirewall"` // 是否自动使用本地防火墙 UseLocalFirewall uint8 `field:"useLocalFirewall"` // 是否自动使用本地防火墙
SynFlood string `field:"synFlood"` // SynFlood防御设置
} }
type HTTPFirewallPolicyOperator struct { type HTTPFirewallPolicyOperator struct {
@@ -37,6 +38,7 @@ type HTTPFirewallPolicyOperator struct {
BlockOptions interface{} // BLOCK选项 BlockOptions interface{} // BLOCK选项
Mode interface{} // 模式 Mode interface{} // 模式
UseLocalFirewall interface{} // 是否自动使用本地防火墙 UseLocalFirewall interface{} // 是否自动使用本地防火墙
SynFlood interface{} // SynFlood防御设置
} }
func NewHTTPFirewallPolicyOperator() *HTTPFirewallPolicyOperator { func NewHTTPFirewallPolicyOperator() *HTTPFirewallPolicyOperator {


@@ -285,7 +285,15 @@ func (this *HTTPFirewallPolicyService) UpdateHTTPFirewallPolicy(ctx context.Cont
return nil, err return nil, err
} }
err = models.SharedHTTPFirewallPolicyDAO.UpdateFirewallPolicy(tx, req.HttpFirewallPolicyId, req.IsOn, req.Name, req.Description, inboundConfigJSON, outboundConfigJSON, req.BlockOptionsJSON, req.Mode, req.UseLocalFirewall) var synFloodConfig = &firewallconfigs.SYNFloodConfig{}
if len(req.SynFloodJSON) > 0 {
err = json.Unmarshal(req.SynFloodJSON, synFloodConfig)
if err != nil {
return nil, err
}
}
err = models.SharedHTTPFirewallPolicyDAO.UpdateFirewallPolicy(tx, req.HttpFirewallPolicyId, req.IsOn, req.Name, req.Description, inboundConfigJSON, outboundConfigJSON, req.BlockOptionsJSON, req.Mode, req.UseLocalFirewall, synFloodConfig)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@@ -476,6 +484,7 @@ func (this *HTTPFirewallPolicyService) FindEnabledHTTPFirewallPolicy(ctx context
InboundJSON: []byte(policy.Inbound), InboundJSON: []byte(policy.Inbound),
OutboundJSON: []byte(policy.Outbound), OutboundJSON: []byte(policy.Outbound),
Mode: policy.Mode, Mode: policy.Mode,
SynFloodJSON: []byte(policy.SynFlood),
}}, nil }}, nil
} }
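Review bot: `synFloodConfig` in UpdateHTTPFirewallPolicy is always a non-nil pointer, so when `req.SynFloodJSON` is empty a zero-value config (`IsOn: false`, `MinAttempts: 0`, `TimeoutSeconds: 0`) is handed to the DAO and persisted, silently replacing the defaults installed at creation for any client that omits the field; the DAO's nil branch is unreachable from this caller. Declaring `var synFloodConfig *firewallconfigs.SYNFloodConfig` and allocating `synFloodConfig = &firewallconfigs.SYNFloodConfig{}` only inside the `len(req.SynFloodJSON) > 0` block keeps the two cases distinct. The unmarshaled `MinAttempts` and `TimeoutSeconds` also come straight from the request and are stored without range checks; if the config type has no validation of its own, rejecting non-positive values here would avoid persisting a setting that cannot work. UpdateHTTPFirewallPolicy begins and ends outside the hunk.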


@@ -566,6 +566,22 @@ func (this *IPItemService) ListAllEnabledIPItems(ctx context.Context, req *pb.Li
} }
} }
// 节点
var pbSourceNode *pb.Node
if item.SourceNodeId > 0 {
node, err := models.SharedNodeDAO.FindEnabledBasicNode(tx, int64(item.SourceNodeId))
if err != nil {
return nil, err
}
if node != nil {
pbSourceNode = &pb.Node{
Id: int64(node.Id),
Name: node.Name,
NodeCluster: &pb.NodeCluster{Id: int64(node.ClusterId)},
}
}
}
var pbItem = &pb.IPItem{ var pbItem = &pb.IPItem{
Id: int64(item.Id), Id: int64(item.Id),
IpFrom: item.IpFrom, IpFrom: item.IpFrom,
@@ -587,6 +603,7 @@ func (this *IPItemService) ListAllEnabledIPItems(ctx context.Context, req *pb.Li
SourceHTTPFirewallPolicy: pbSourcePolicy, SourceHTTPFirewallPolicy: pbSourcePolicy,
SourceHTTPFirewallRuleGroup: pbSourceGroup, SourceHTTPFirewallRuleGroup: pbSourceGroup,
SourceHTTPFirewallRuleSet: pbSourceSet, SourceHTTPFirewallRuleSet: pbSourceSet,
SourceNode: pbSourceNode,
IsRead: item.IsRead == 1, IsRead: item.IsRead == 1,
} }
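Review bot: The `SharedNodeDAO.FindEnabledBasicNode` call added for `pbSourceNode` issues one query per item; this block sits inside what appears to be the per-item loop of ListAllEnabledIPItems (the loop header is outside the hunk), so a list of N items with source nodes now costs N extra round trips on top of the existing policy/group/set lookups. If that inference holds, resolving node IDs once through a small `map[int64]*pb.Node` cache kept across the loop, or a batch lookup, would keep the cost bounded. A short comment on the lookup, `// 节点: resolve the node that reported this item; stays nil when the node no longer exists`, would also document why `pbSourceNode` may be nil in the response.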