增加IP级别和WAF动作相关接口和配置

2025-11-04 05:00:24 +08:00 · 2021-02-06 17:37:27 +08:00
parent 310872f1d6
commit 6b2cbc2939
12 changed files with 1529 additions and 32 deletions
--- a/pkg/nodeconfigs/node_config.go
+++ b/pkg/nodeconfigs/node_config.go
@@ -29,10 +29,11 @@ type NodeConfig struct {
 	GlobalConfig *serverconfigs.GlobalConfig `yaml:"globalConfig" json:"globalConfig"` // 全局配置

 	// 集群统一配置
-	HTTPFirewallPolicy *firewallconfigs.HTTPFirewallPolicy `yaml:"httpFirewallPolicy" json:"httpFirewallPolicy"`
-	HTTPCachePolicy    *serverconfigs.HTTPCachePolicy      `yaml:"httpCachePolicy" json:"httpCachePolicy"`
-	TOA                *TOAConfig                          `yaml:"toa" json:"toa"`
-	SystemServices     map[string]maps.Map                 `yaml:"systemServices" json:"systemServices"` // 系统服务配置 type => params
+	HTTPFirewallPolicy *firewallconfigs.HTTPFirewallPolicy     `yaml:"httpFirewallPolicy" json:"httpFirewallPolicy"`
+	HTTPCachePolicy    *serverconfigs.HTTPCachePolicy          `yaml:"httpCachePolicy" json:"httpCachePolicy"`
+	TOA                *TOAConfig                              `yaml:"toa" json:"toa"`
+	SystemServices     map[string]maps.Map                     `yaml:"systemServices" json:"systemServices"` // 系统服务配置 type => params
+	FirewallActions    []*firewallconfigs.FirewallActionConfig `yaml:"firewallActions" json:"firewallActions"`

 	paddedId string

@@ -129,6 +130,14 @@ func (this *NodeConfig) Init() error {
 		}
 	}

+	// firewall actions
+	for _, action := range this.FirewallActions {
+		err := action.Init()
+		if err != nil {
+			return err
+		}
+	}
+
 	return nil
 }

--- a/pkg/rpc/pb/model_ip_item.pb.go
+++ b/pkg/rpc/pb/model_ip_item.pb.go
@@ -30,15 +30,17 @@ type IPItem struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	Id        int64  `protobuf:"varint,1,opt,name=id,proto3" json:"id,omitempty"`
-	IpFrom    string `protobuf:"bytes,2,opt,name=ipFrom,proto3" json:"ipFrom,omitempty"`
-	IpTo      string `protobuf:"bytes,3,opt,name=ipTo,proto3" json:"ipTo,omitempty"`
-	Version   int64  `protobuf:"varint,4,opt,name=version,proto3" json:"version,omitempty"`
-	ExpiredAt int64  `protobuf:"varint,5,opt,name=expiredAt,proto3" json:"expiredAt,omitempty"`
-	Reason    string `protobuf:"bytes,6,opt,name=reason,proto3" json:"reason,omitempty"`
-	ListId    int64  `protobuf:"varint,7,opt,name=listId,proto3" json:"listId,omitempty"`
-	IsDeleted bool   `protobuf:"varint,8,opt,name=isDeleted,proto3" json:"isDeleted,omitempty"`
-	Type      string `protobuf:"bytes,9,opt,name=type,proto3" json:"type,omitempty"`
+	Id         int64  `protobuf:"varint,1,opt,name=id,proto3" json:"id,omitempty"`
+	IpFrom     string `protobuf:"bytes,2,opt,name=ipFrom,proto3" json:"ipFrom,omitempty"`
+	IpTo       string `protobuf:"bytes,3,opt,name=ipTo,proto3" json:"ipTo,omitempty"`
+	Version    int64  `protobuf:"varint,4,opt,name=version,proto3" json:"version,omitempty"`
+	ExpiredAt  int64  `protobuf:"varint,5,opt,name=expiredAt,proto3" json:"expiredAt,omitempty"`
+	Reason     string `protobuf:"bytes,6,opt,name=reason,proto3" json:"reason,omitempty"`
+	ListId     int64  `protobuf:"varint,7,opt,name=listId,proto3" json:"listId,omitempty"`
+	IsDeleted  bool   `protobuf:"varint,8,opt,name=isDeleted,proto3" json:"isDeleted,omitempty"`
+	Type       string `protobuf:"bytes,9,opt,name=type,proto3" json:"type,omitempty"`
+	EventLevel string `protobuf:"bytes,10,opt,name=eventLevel,proto3" json:"eventLevel,omitempty"` // 级别
+	ListType   string `protobuf:"bytes,11,opt,name=listType,proto3" json:"listType,omitempty"`     // 所在名单类型，加此字段是为了快速定位IP的性质
 }

 func (x *IPItem) Reset() {
@@ -136,12 +138,26 @@ func (x *IPItem) GetType() string {
 	return ""
 }

+func (x *IPItem) GetEventLevel() string {
+	if x != nil {
+		return x.EventLevel
+	}
+	return ""
+}
+
+func (x *IPItem) GetListType() string {
+	if x != nil {
+		return x.ListType
+	}
+	return ""
+}
+
 var File_models_model_ip_item_proto protoreflect.FileDescriptor

 var file_models_model_ip_item_proto_rawDesc = []byte{
 	0x0a, 0x1a, 0x6d, 0x6f, 0x64, 0x65, 0x6c, 0x73, 0x2f, 0x6d, 0x6f, 0x64, 0x65, 0x6c, 0x5f, 0x69,
 	0x70, 0x5f, 0x69, 0x74, 0x65, 0x6d, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x02, 0x70, 0x62,
-	0x22, 0xde, 0x01, 0x0a, 0x06, 0x49, 0x50, 0x49, 0x74, 0x65, 0x6d, 0x12, 0x0e, 0x0a, 0x02, 0x69,
+	0x22, 0x9a, 0x02, 0x0a, 0x06, 0x49, 0x50, 0x49, 0x74, 0x65, 0x6d, 0x12, 0x0e, 0x0a, 0x02, 0x69,
 	0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x02, 0x69, 0x64, 0x12, 0x16, 0x0a, 0x06, 0x69,
 	0x70, 0x46, 0x72, 0x6f, 0x6d, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x69, 0x70, 0x46,
 	0x72, 0x6f, 0x6d, 0x12, 0x12, 0x0a, 0x04, 0x69, 0x70, 0x54, 0x6f, 0x18, 0x03, 0x20, 0x01, 0x28,
@@ -155,8 +171,11 @@ var file_models_model_ip_item_proto_rawDesc = []byte{
 	0x1c, 0x0a, 0x09, 0x69, 0x73, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x64, 0x18, 0x08, 0x20, 0x01,
 	0x28, 0x08, 0x52, 0x09, 0x69, 0x73, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x64, 0x12, 0x12, 0x0a,
 	0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x09, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x74, 0x79, 0x70,
-	0x65, 0x42, 0x06, 0x5a, 0x04, 0x2e, 0x2f, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f,
-	0x33,
+	0x65, 0x12, 0x1e, 0x0a, 0x0a, 0x65, 0x76, 0x65, 0x6e, 0x74, 0x4c, 0x65, 0x76, 0x65, 0x6c, 0x18,
+	0x0a, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x65, 0x76, 0x65, 0x6e, 0x74, 0x4c, 0x65, 0x76, 0x65,
+	0x6c, 0x12, 0x1a, 0x0a, 0x08, 0x6c, 0x69, 0x73, 0x74, 0x54, 0x79, 0x70, 0x65, 0x18, 0x0b, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x08, 0x6c, 0x69, 0x73, 0x74, 0x54, 0x79, 0x70, 0x65, 0x42, 0x06, 0x5a,
+	0x04, 0x2e, 0x2f, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }

 var (
--- a/pkg/rpc/pb/model_node_cluster_firewall_action.pb.go
+++ b/pkg/rpc/pb/model_node_cluster_firewall_action.pb.go
@@ -0,0 +1,198 @@
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.25.0
+// 	protoc        v3.12.3
+// source: models/model_node_cluster_firewall_action.proto
+
+package pb
+
+import (
+	proto "github.com/golang/protobuf/proto"
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+// This is a compile-time assertion that a sufficiently up-to-date version
+// of the legacy proto package is being used.
+const _ = proto.ProtoPackageIsVersion4
+
+type NodeClusterFirewallAction struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Id            int64  `protobuf:"varint,1,opt,name=id,proto3" json:"id,omitempty"`
+	NodeClusterId int64  `protobuf:"varint,2,opt,name=nodeClusterId,proto3" json:"nodeClusterId,omitempty"`
+	Name          string `protobuf:"bytes,3,opt,name=name,proto3" json:"name,omitempty"`
+	EventLevel    string `protobuf:"bytes,4,opt,name=eventLevel,proto3" json:"eventLevel,omitempty"`
+	ParamsJSON    []byte `protobuf:"bytes,5,opt,name=paramsJSON,proto3" json:"paramsJSON,omitempty"`
+	Type          string `protobuf:"bytes,6,opt,name=type,proto3" json:"type,omitempty"`
+}
+
+func (x *NodeClusterFirewallAction) Reset() {
+	*x = NodeClusterFirewallAction{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_models_model_node_cluster_firewall_action_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *NodeClusterFirewallAction) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*NodeClusterFirewallAction) ProtoMessage() {}
+
+func (x *NodeClusterFirewallAction) ProtoReflect() protoreflect.Message {
+	mi := &file_models_model_node_cluster_firewall_action_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use NodeClusterFirewallAction.ProtoReflect.Descriptor instead.
+func (*NodeClusterFirewallAction) Descriptor() ([]byte, []int) {
+	return file_models_model_node_cluster_firewall_action_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *NodeClusterFirewallAction) GetId() int64 {
+	if x != nil {
+		return x.Id
+	}
+	return 0
+}
+
+func (x *NodeClusterFirewallAction) GetNodeClusterId() int64 {
+	if x != nil {
+		return x.NodeClusterId
+	}
+	return 0
+}
+
+func (x *NodeClusterFirewallAction) GetName() string {
+	if x != nil {
+		return x.Name
+	}
+	return ""
+}
+
+func (x *NodeClusterFirewallAction) GetEventLevel() string {
+	if x != nil {
+		return x.EventLevel
+	}
+	return ""
+}
+
+func (x *NodeClusterFirewallAction) GetParamsJSON() []byte {
+	if x != nil {
+		return x.ParamsJSON
+	}
+	return nil
+}
+
+func (x *NodeClusterFirewallAction) GetType() string {
+	if x != nil {
+		return x.Type
+	}
+	return ""
+}
+
+var File_models_model_node_cluster_firewall_action_proto protoreflect.FileDescriptor
+
+var file_models_model_node_cluster_firewall_action_proto_rawDesc = []byte{
+	0x0a, 0x2f, 0x6d, 0x6f, 0x64, 0x65, 0x6c, 0x73, 0x2f, 0x6d, 0x6f, 0x64, 0x65, 0x6c, 0x5f, 0x6e,
+	0x6f, 0x64, 0x65, 0x5f, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x5f, 0x66, 0x69, 0x72, 0x65,
+	0x77, 0x61, 0x6c, 0x6c, 0x5f, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x12, 0x02, 0x70, 0x62, 0x22, 0xb9, 0x01, 0x0a, 0x19, 0x4e, 0x6f, 0x64, 0x65, 0x43, 0x6c,
+	0x75, 0x73, 0x74, 0x65, 0x72, 0x46, 0x69, 0x72, 0x65, 0x77, 0x61, 0x6c, 0x6c, 0x41, 0x63, 0x74,
+	0x69, 0x6f, 0x6e, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52,
+	0x02, 0x69, 0x64, 0x12, 0x24, 0x0a, 0x0d, 0x6e, 0x6f, 0x64, 0x65, 0x43, 0x6c, 0x75, 0x73, 0x74,
+	0x65, 0x72, 0x49, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0d, 0x6e, 0x6f, 0x64, 0x65,
+	0x43, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x49, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d,
+	0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x1e, 0x0a,
+	0x0a, 0x65, 0x76, 0x65, 0x6e, 0x74, 0x4c, 0x65, 0x76, 0x65, 0x6c, 0x18, 0x04, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x0a, 0x65, 0x76, 0x65, 0x6e, 0x74, 0x4c, 0x65, 0x76, 0x65, 0x6c, 0x12, 0x1e, 0x0a,
+	0x0a, 0x70, 0x61, 0x72, 0x61, 0x6d, 0x73, 0x4a, 0x53, 0x4f, 0x4e, 0x18, 0x05, 0x20, 0x01, 0x28,
+	0x0c, 0x52, 0x0a, 0x70, 0x61, 0x72, 0x61, 0x6d, 0x73, 0x4a, 0x53, 0x4f, 0x4e, 0x12, 0x12, 0x0a,
+	0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x74, 0x79, 0x70,
+	0x65, 0x42, 0x06, 0x5a, 0x04, 0x2e, 0x2f, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f,
+	0x33,
+}
+
+var (
+	file_models_model_node_cluster_firewall_action_proto_rawDescOnce sync.Once
+	file_models_model_node_cluster_firewall_action_proto_rawDescData = file_models_model_node_cluster_firewall_action_proto_rawDesc
+)
+
+func file_models_model_node_cluster_firewall_action_proto_rawDescGZIP() []byte {
+	file_models_model_node_cluster_firewall_action_proto_rawDescOnce.Do(func() {
+		file_models_model_node_cluster_firewall_action_proto_rawDescData = protoimpl.X.CompressGZIP(file_models_model_node_cluster_firewall_action_proto_rawDescData)
+	})
+	return file_models_model_node_cluster_firewall_action_proto_rawDescData
+}
+
+var file_models_model_node_cluster_firewall_action_proto_msgTypes = make([]protoimpl.MessageInfo, 1)
+var file_models_model_node_cluster_firewall_action_proto_goTypes = []interface{}{
+	(*NodeClusterFirewallAction)(nil), // 0: pb.NodeClusterFirewallAction
+}
+var file_models_model_node_cluster_firewall_action_proto_depIdxs = []int32{
+	0, // [0:0] is the sub-list for method output_type
+	0, // [0:0] is the sub-list for method input_type
+	0, // [0:0] is the sub-list for extension type_name
+	0, // [0:0] is the sub-list for extension extendee
+	0, // [0:0] is the sub-list for field type_name
+}
+
+func init() { file_models_model_node_cluster_firewall_action_proto_init() }
+func file_models_model_node_cluster_firewall_action_proto_init() {
+	if File_models_model_node_cluster_firewall_action_proto != nil {
+		return
+	}
+	if !protoimpl.UnsafeEnabled {
+		file_models_model_node_cluster_firewall_action_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*NodeClusterFirewallAction); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_models_model_node_cluster_firewall_action_proto_rawDesc,
+			NumEnums:      0,
+			NumMessages:   1,
+			NumExtensions: 0,
+			NumServices:   0,
+		},
+		GoTypes:           file_models_model_node_cluster_firewall_action_proto_goTypes,
+		DependencyIndexes: file_models_model_node_cluster_firewall_action_proto_depIdxs,
+		MessageInfos:      file_models_model_node_cluster_firewall_action_proto_msgTypes,
+	}.Build()
+	File_models_model_node_cluster_firewall_action_proto = out.File
+	file_models_model_node_cluster_firewall_action_proto_rawDesc = nil
+	file_models_model_node_cluster_firewall_action_proto_goTypes = nil
+	file_models_model_node_cluster_firewall_action_proto_depIdxs = nil
+}
--- a/pkg/rpc/pb/service_ip_item.pb.go
+++ b/pkg/rpc/pb/service_ip_item.pb.go
@@ -35,12 +35,13 @@ type CreateIPItemRequest struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	IpListId  int64  `protobuf:"varint,1,opt,name=ipListId,proto3" json:"ipListId,omitempty"`   // IP列表ID
-	IpFrom    string `protobuf:"bytes,2,opt,name=ipFrom,proto3" json:"ipFrom,omitempty"`        // 开始IP
-	IpTo      string `protobuf:"bytes,3,opt,name=ipTo,proto3" json:"ipTo,omitempty"`            // 结束IP（可选）
-	ExpiredAt int64  `protobuf:"varint,4,opt,name=expiredAt,proto3" json:"expiredAt,omitempty"` // 过期时间戳（可选）
-	Reason    string `protobuf:"bytes,5,opt,name=reason,proto3" json:"reason,omitempty"`        // 加入理由（可选）
-	Type      string `protobuf:"bytes,6,opt,name=type,proto3" json:"type,omitempty"`            // 类型
+	IpListId   int64  `protobuf:"varint,1,opt,name=ipListId,proto3" json:"ipListId,omitempty"`    // IP列表ID
+	IpFrom     string `protobuf:"bytes,2,opt,name=ipFrom,proto3" json:"ipFrom,omitempty"`         // 开始IP
+	IpTo       string `protobuf:"bytes,3,opt,name=ipTo,proto3" json:"ipTo,omitempty"`             // 结束IP（可选）
+	ExpiredAt  int64  `protobuf:"varint,4,opt,name=expiredAt,proto3" json:"expiredAt,omitempty"`  // 过期时间戳（可选）
+	Reason     string `protobuf:"bytes,5,opt,name=reason,proto3" json:"reason,omitempty"`         // 加入理由（可选）
+	Type       string `protobuf:"bytes,6,opt,name=type,proto3" json:"type,omitempty"`             // 类型
+	EventLevel string `protobuf:"bytes,7,opt,name=eventLevel,proto3" json:"eventLevel,omitempty"` // 级别
 }

 func (x *CreateIPItemRequest) Reset() {
@@ -117,6 +118,13 @@ func (x *CreateIPItemRequest) GetType() string {
 	return ""
 }

+func (x *CreateIPItemRequest) GetEventLevel() string {
+	if x != nil {
+		return x.EventLevel
+	}
+	return ""
+}
+
 type CreateIPItemResponse struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
@@ -170,12 +178,13 @@ type UpdateIPItemRequest struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	IpItemId  int64  `protobuf:"varint,1,opt,name=ipItemId,proto3" json:"ipItemId,omitempty"`
-	IpFrom    string `protobuf:"bytes,2,opt,name=ipFrom,proto3" json:"ipFrom,omitempty"`
-	IpTo      string `protobuf:"bytes,3,opt,name=ipTo,proto3" json:"ipTo,omitempty"`
-	ExpiredAt int64  `protobuf:"varint,4,opt,name=expiredAt,proto3" json:"expiredAt,omitempty"`
-	Reason    string `protobuf:"bytes,5,opt,name=reason,proto3" json:"reason,omitempty"`
-	Type      string `protobuf:"bytes,6,opt,name=type,proto3" json:"type,omitempty"` // 类型
+	IpItemId   int64  `protobuf:"varint,1,opt,name=ipItemId,proto3" json:"ipItemId,omitempty"`
+	IpFrom     string `protobuf:"bytes,2,opt,name=ipFrom,proto3" json:"ipFrom,omitempty"`
+	IpTo       string `protobuf:"bytes,3,opt,name=ipTo,proto3" json:"ipTo,omitempty"`
+	ExpiredAt  int64  `protobuf:"varint,4,opt,name=expiredAt,proto3" json:"expiredAt,omitempty"`
+	Reason     string `protobuf:"bytes,5,opt,name=reason,proto3" json:"reason,omitempty"`
+	Type       string `protobuf:"bytes,6,opt,name=type,proto3" json:"type,omitempty"`             // 类型
+	EventLevel string `protobuf:"bytes,7,opt,name=eventLevel,proto3" json:"eventLevel,omitempty"` // 级别
 }

 func (x *UpdateIPItemRequest) Reset() {
@@ -252,6 +261,13 @@ func (x *UpdateIPItemRequest) GetType() string {
 	return ""
 }

+func (x *UpdateIPItemRequest) GetEventLevel() string {
+	if x != nil {
+		return x.EventLevel
+	}
+	return ""
+}
+
 // 删除IP
 type DeleteIPItemRequest struct {
 	state         protoimpl.MessageState
@@ -665,7 +681,7 @@ var file_service_ip_item_proto_rawDesc = []byte{
 	0x65, 0x6c, 0x73, 0x2f, 0x72, 0x70, 0x63, 0x5f, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x73,
 	0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1a, 0x6d, 0x6f, 0x64, 0x65, 0x6c, 0x73, 0x2f, 0x6d,
 	0x6f, 0x64, 0x65, 0x6c, 0x5f, 0x69, 0x70, 0x5f, 0x69, 0x74, 0x65, 0x6d, 0x2e, 0x70, 0x72, 0x6f,
-	0x74, 0x6f, 0x22, 0xa7, 0x01, 0x0a, 0x13, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x49, 0x50, 0x49,
+	0x74, 0x6f, 0x22, 0xc7, 0x01, 0x0a, 0x13, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x49, 0x50, 0x49,
 	0x74, 0x65, 0x6d, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1a, 0x0a, 0x08, 0x69, 0x70,
 	0x4c, 0x69, 0x73, 0x74, 0x49, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x08, 0x69, 0x70,
 	0x4c, 0x69, 0x73, 0x74, 0x49, 0x64, 0x12, 0x16, 0x0a, 0x06, 0x69, 0x70, 0x46, 0x72, 0x6f, 0x6d,
@@ -675,11 +691,13 @@ var file_service_ip_item_proto_rawDesc = []byte{
 	0x04, 0x20, 0x01, 0x28, 0x03, 0x52, 0x09, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x64, 0x41, 0x74,
 	0x12, 0x16, 0x0a, 0x06, 0x72, 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09,
 	0x52, 0x06, 0x72, 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x12, 0x12, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65,
-	0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x22, 0x32, 0x0a, 0x14,
+	0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x1e, 0x0a, 0x0a,
+	0x65, 0x76, 0x65, 0x6e, 0x74, 0x4c, 0x65, 0x76, 0x65, 0x6c, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x0a, 0x65, 0x76, 0x65, 0x6e, 0x74, 0x4c, 0x65, 0x76, 0x65, 0x6c, 0x22, 0x32, 0x0a, 0x14,
 	0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x49, 0x50, 0x49, 0x74, 0x65, 0x6d, 0x52, 0x65, 0x73, 0x70,
 	0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x69, 0x70, 0x49, 0x74, 0x65, 0x6d, 0x49, 0x64,
 	0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x08, 0x69, 0x70, 0x49, 0x74, 0x65, 0x6d, 0x49, 0x64,
-	0x22, 0xa7, 0x01, 0x0a, 0x13, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x49, 0x50, 0x49, 0x74, 0x65,
+	0x22, 0xc7, 0x01, 0x0a, 0x13, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x49, 0x50, 0x49, 0x74, 0x65,
 	0x6d, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1a, 0x0a, 0x08, 0x69, 0x70, 0x49, 0x74,
 	0x65, 0x6d, 0x49, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x08, 0x69, 0x70, 0x49, 0x74,
 	0x65, 0x6d, 0x49, 0x64, 0x12, 0x16, 0x0a, 0x06, 0x69, 0x70, 0x46, 0x72, 0x6f, 0x6d, 0x18, 0x02,
@@ -689,7 +707,9 @@ var file_service_ip_item_proto_rawDesc = []byte{
 	0x01, 0x28, 0x03, 0x52, 0x09, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x64, 0x41, 0x74, 0x12, 0x16,
 	0x0a, 0x06, 0x72, 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06,
 	0x72, 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x12, 0x12, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x06,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x22, 0x31, 0x0a, 0x13, 0x44, 0x65,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x1e, 0x0a, 0x0a, 0x65, 0x76,
+	0x65, 0x6e, 0x74, 0x4c, 0x65, 0x76, 0x65, 0x6c, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a,
+	0x65, 0x76, 0x65, 0x6e, 0x74, 0x4c, 0x65, 0x76, 0x65, 0x6c, 0x22, 0x31, 0x0a, 0x13, 0x44, 0x65,
 	0x6c, 0x65, 0x74, 0x65, 0x49, 0x50, 0x49, 0x74, 0x65, 0x6d, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
 	0x74, 0x12, 0x1a, 0x0a, 0x08, 0x69, 0x70, 0x49, 0x74, 0x65, 0x6d, 0x49, 0x64, 0x18, 0x01, 0x20,
 	0x01, 0x28, 0x03, 0x52, 0x08, 0x69, 0x70, 0x49, 0x74, 0x65, 0x6d, 0x49, 0x64, 0x22, 0x3b, 0x0a,
--- a/pkg/rpc/pb/service_node_cluster_firewall_action.pb.go
+++ b/pkg/rpc/pb/service_node_cluster_firewall_action.pb.go
--- a/pkg/rpc/protos/models/model_ip_item.proto
+++ b/pkg/rpc/protos/models/model_ip_item.proto
@@ -13,4 +13,6 @@ message IPItem {
 	int64 listId = 7;
 	bool isDeleted = 8;
 	string type = 9;
+	string eventLevel = 10; // 级别
+	string listType = 11; // 所在名单类型，加此字段是为了快速定位IP的性质
 }
--- a/pkg/rpc/protos/models/model_node_cluster_firewall_action.proto
+++ b/pkg/rpc/protos/models/model_node_cluster_firewall_action.proto
@@ -0,0 +1,13 @@
+syntax = "proto3";
+option go_package = "./pb";
+
+package pb;
+
+message NodeClusterFirewallAction {
+	int64 id = 1;
+	int64 nodeClusterId = 2;
+	string name = 3;
+	string eventLevel = 4;
+	bytes paramsJSON = 5;
+	string type = 6;
+}
--- a/pkg/rpc/protos/service_ip_item.proto
+++ b/pkg/rpc/protos/service_ip_item.proto
@@ -38,6 +38,7 @@ message CreateIPItemRequest {
 	int64 expiredAt = 4; // 过期时间戳（可选）
 	string reason = 5; // 加入理由（可选）
 	string type = 6; // 类型
+	string eventLevel = 7; // 级别
 }

 message CreateIPItemResponse {
@@ -52,6 +53,7 @@ message UpdateIPItemRequest {
 	int64 expiredAt = 4;
 	string reason = 5;
 	string type = 6; // 类型
+	string eventLevel = 7; // 级别
 }

 // 删除IP
--- a/pkg/rpc/protos/service_node_cluster_firewall_action.proto
+++ b/pkg/rpc/protos/service_node_cluster_firewall_action.proto
@@ -0,0 +1,70 @@
+syntax = "proto3";
+option go_package = "./pb";
+
+package pb;
+
+import "models/model_node_cluster_firewall_action.proto";
+import "models/rpc_messages.proto";
+
+// 防火墙动作服务
+service NodeClusterFirewallActionService {
+	// 创建动作
+	rpc createNodeClusterFirewallAction (CreateNodeClusterFirewallActionRequest) returns (NodeClusterFirewallActionResponse);
+
+	// 修改动作
+	rpc updateNodeClusterFirewallAction (UpdateNodeClusterFirewallActionRequest) returns (RPCSuccess);
+
+	// 删除动作
+	rpc deleteNodeClusterFirewallAction (DeleteNodeClusterFirewallActionRequest) returns (RPCSuccess);
+
+	// 查询集群的所有动作
+	rpc findAllEnabledNodeClusterFirewallActions (FindAllEnabledNodeClusterFirewallActionsRequest) returns (FindAllEnabledNodeClusterFirewallActionsResponse);
+
+	// 查询单个动作
+	rpc findEnabledNodeClusterFirewallAction (FindEnabledNodeClusterFirewallActionRequest) returns (FindEnabledNodeClusterFirewallActionResponse);
+}
+
+// 创建动作
+message CreateNodeClusterFirewallActionRequest {
+	int64 nodeClusterId = 1;
+	string name = 2;
+	string eventLevel = 3;
+	string type = 4;
+	bytes paramsJSON = 5;
+}
+
+message NodeClusterFirewallActionResponse {
+	int64 nodeClusterFirewallActionId = 1;
+}
+
+// 修改动作
+message UpdateNodeClusterFirewallActionRequest {
+	int64 nodeClusterFirewallActionId = 1;
+	string name = 2;
+	string eventLevel = 3;
+	string type = 4;
+	bytes paramsJSON = 5;
+}
+
+// 删除动作
+message DeleteNodeClusterFirewallActionRequest {
+	int64 nodeClusterFirewallActionId = 1;
+}
+
+// 查询集群的所有动作
+message FindAllEnabledNodeClusterFirewallActionsRequest {
+	int64 nodeClusterId = 1;
+}
+
+message FindAllEnabledNodeClusterFirewallActionsResponse {
+	repeated NodeClusterFirewallAction nodeClusterFirewallActions = 1;
+}
+
+// 查询单个动作
+message FindEnabledNodeClusterFirewallActionRequest {
+	int64 nodeClusterFirewallActionId = 1;
+}
+
+message FindEnabledNodeClusterFirewallActionResponse {
+	NodeClusterFirewallAction nodeClusterFirewallAction = 1;
+}
--- a/pkg/serverconfigs/firewallconfigs/firewall_action_config.go
+++ b/pkg/serverconfigs/firewallconfigs/firewall_action_config.go
@@ -0,0 +1,16 @@
+package firewallconfigs
+
+import "github.com/iwind/TeaGo/maps"
+
+// 防火墙动作配置
+type FirewallActionConfig struct {
+	Id         int64    `yaml:"id" json:"id"`                 // Id
+	Type       string   `yaml:"type" json:"type"`             // 类型
+	Params     maps.Map `yaml:"params" json:"params"`         // 参数
+	EventLevel string   `yaml:"eventLevel" json:"eventLevel"` // 事件级别
+}
+
+// 初始化
+func (this *FirewallActionConfig) Init() error {
+	return nil
+}
--- a/pkg/serverconfigs/firewallconfigs/firewall_actions.go
+++ b/pkg/serverconfigs/firewallconfigs/firewall_actions.go
@@ -0,0 +1,95 @@
+package firewallconfigs
+
+type FirewallActionType = string
+
+const (
+	FirewallActionTypeIPSet     FirewallActionType = "ipset"
+	FirewallActionTypeFirewalld FirewallActionType = "firewalld"
+	FirewallActionTypeIPTables  FirewallActionType = "iptables"
+	FirewallActionTypeScript    FirewallActionType = "script"
+	FirewallActionTypeHTTPAPI   FirewallActionType = "httpAPI"
+)
+
+type FirewallActionTypeDefinition struct {
+	Name        string             `json:"name"`
+	Code        FirewallActionType `json:"code"`
+	Description string             `json:"description"`
+}
+
+func FindAllFirewallActionTypes() []*FirewallActionTypeDefinition {
+	return []*FirewallActionTypeDefinition{
+		{
+			Name:        "ipset",
+			Code:        FirewallActionTypeIPSet,
+			Description: "使用特定的ipset管理IP，可以结合iptables和firewalld等工具一起工作。",
+		},
+		{
+			Name:        "firewalld",
+			Code:        FirewallActionTypeFirewalld,
+			Description: "使用Firewalld管理IP，非持久保存，reload之后重置规则。",
+		},
+		{
+			Name:        "iptables",
+			Code:        FirewallActionTypeIPTables,
+			Description: "使用IPTables管理IP，不支持超时时间设定，非持久保存，reload之后重置规则。",
+		},
+		{
+			Name:        "自定义脚本",
+			Code:        FirewallActionTypeScript,
+			Description: "使用自定义的脚本执行IP操作。",
+		},
+		{
+			Name:        "自定义HTTP API",
+			Code:        FirewallActionTypeHTTPAPI,
+			Description: "使用自定义的HTTP API执行IP操作。",
+		},
+	}
+}
+
+func FindFirewallActionTypeName(actionType FirewallActionType) string {
+	for _, a := range FindAllFirewallActionTypes() {
+		if a.Code == actionType {
+			return a.Name
+		}
+	}
+	return ""
+}
+
+type FirewallActionIPSetConfig struct {
+	Path               string `json:"path"`               // 命令路径 TODO 暂时不实现
+	WhiteName          string `json:"whiteName"`          // IPSet白名单名称
+	BlackName          string `json:"blackName"`          // IPSet黑名单名称
+	MaxElements        int    `json:"maxElements"`        // 最多IP数量 TODO 暂时不实现
+	AutoAddToIPTables  bool   `json:"autoAddToIPTables"`  // 是否自动创建IPTables规则
+	AutoAddToFirewalld bool   `json:"autoAddToFirewalld"` // 是否自动加入到Firewalld
+
+	// TODO 添加需要阻止的端口列表
+}
+
+type FirewallActionFirewalldConfig struct {
+	Path string `json:"path"` // 命令路径 TODO 暂时不实现
+
+	// TODO 添加需要阻止的端口列表
+}
+
+type FirewallActionIPTablesConfig struct {
+	Path string `json:"path"` // 命令路径 TODO 暂时不实现
+
+	// TODO 添加需要阻止的端口列表
+}
+
+type FirewallActionScriptConfig struct {
+	Path string   `json:"path"` // 脚本路径
+	Cwd  string   `json:"cwd"`  // 工作目录 TODO 暂时不实现
+	Args []string `json:"args"` // 附加参数 TODO 暂时不实现
+
+	// TODO 添加需要阻止的端口列表
+}
+
+type FirewallActionHTTPAPIConfig struct {
+	URL            string `json:"url"`            // URL路径
+	TimeoutSeconds int    `json:"timeoutSeconds"` // 超时时间 TODO 暂时不实现
+	Secret         string `json:"secret"`         // 认证密钥 TODO 暂时不实现
+
+	// TODO 添加需要阻止的端口列表
+}
--- a/pkg/serverconfigs/firewallconfigs/firewall_levels.go
+++ b/pkg/serverconfigs/firewallconfigs/firewall_levels.go
@@ -0,0 +1,51 @@
+package firewallconfigs
+
+type FirewallEventLevelDefinition struct {
+	Name        string `json:"name"`
+	Code        string `json:"code"`
+	Description string `json:"description"`
+}
+
+func FindAllFirewallEventLevels() []*FirewallEventLevelDefinition {
+	return []*FirewallEventLevelDefinition{
+		{
+			Name:        "调试",
+			Code:        "debug",
+			Description: "仅作为调试用途",
+		},
+		{
+			Name:        "通知",
+			Code:        "notice",
+			Description: "需要通知的事件",
+		},
+		{
+			Name:        "警告",
+			Code:        "warning",
+			Description: "需要警告的事件",
+		},
+		{
+			Name:        "错误",
+			Code:        "error",
+			Description: "发生系统错误的事件",
+		},
+		{
+			Name:        "严重",
+			Code:        "critical",
+			Description: "性质较为严重的事件",
+		},
+		{
+			Name:        "致命",
+			Code:        "fatal",
+			Description: "对系统有重大影响的事件",
+		},
+	}
+}
+
+func FindFirewallEventLevelName(code string) string {
+	for _, level := range FindAllFirewallEventLevels() {
+		if level.Code == code {
+			return level.Name
+		}
+	}
+	return ""
+}