EdgeNode/internal/iplibrary/action_iptables.go

package iplibrary

import (
	"fmt"
	"runtime"
	"strings"
	"time"

	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
	"github.com/TeaOSLab/EdgeNode/internal/utils"
	executils "github.com/TeaOSLab/EdgeNode/internal/utils/exec"
)

// IPTablesAction IPTables动作
// 相关命令：
//
//	iptables -A INPUT -s "192.168.2.32" -j ACCEPT
//	iptables -A INPUT -s "192.168.2.32" -j REJECT
//	iptables -D INPUT ...
//	iptables -F INPUT
type IPTablesAction struct {
	BaseAction

	config *firewallconfigs.FirewallActionIPTablesConfig

	iptablesNotFound bool
}

func NewIPTablesAction() *IPTablesAction {
	return &IPTablesAction{}
}

func (this *IPTablesAction) Init(config *firewallconfigs.FirewallActionConfig) error {
	this.config = &firewallconfigs.FirewallActionIPTablesConfig{}
	err := this.convertParams(config.Params, this.config)
	if err != nil {
		return err
	}
	return nil
}

func (this *IPTablesAction) AddItem(listType IPListType, item *pb.IPItem) error {
	return this.runAction("addItem", listType, item)
}

func (this *IPTablesAction) DeleteItem(listType IPListType, item *pb.IPItem) error {
	return this.runAction("deleteItem", listType, item)
}

func (this *IPTablesAction) runAction(action string, listType IPListType, item *pb.IPItem) error {
	if item.Type == "all" {
		return nil
	}
	if len(item.IpTo) == 0 {
		return this.runActionSingleIP(action, listType, item)
	}
	cidrList, err := iPv4RangeToCIDRRange(item.IpFrom, item.IpTo)
	if err != nil {
		// 不合法的范围不予处理即可
		return nil
	}
	if len(cidrList) == 0 {
		return nil
	}
	for _, cidr := range cidrList {
		item.IpFrom = cidr
		item.IpTo = ""
		err := this.runActionSingleIP(action, listType, item)
		if err != nil {
			return err
		}
	}
	return nil
}

func (this *IPTablesAction) runActionSingleIP(action string, listType IPListType, item *pb.IPItem) error {
	// 暂时不支持ipv6
	// TODO 将来支持ipv6
	if utils.IsIPv6(item.IpFrom) {
		return nil
	}

	if item.Type == "all" {
		return nil
	}
	var path = this.config.Path
	var err error
	if len(path) == 0 {
		path, err = executils.LookPath("iptables")
		if err != nil {
			if this.iptablesNotFound {
				return nil
			}
			this.iptablesNotFound = true
			return err
		}
		this.config.Path = path
	}
	iptablesAction := ""
	switch action {
	case "addItem":
		iptablesAction = "-A"
	case "deleteItem":
		iptablesAction = "-D"
	default:
		return nil
	}
	args := []string{iptablesAction, "INPUT", "-s", item.IpFrom, "-j"}
	switch listType {
	case IPListTypeWhite:
		args = append(args, "ACCEPT")
	case IPListTypeBlack:
		args = append(args, "REJECT")
	default:
		return nil
	}

	if runtime.GOOS == "darwin" {
		// MAC OS直接返回
		return nil
	}

	var cmd = executils.NewTimeoutCmd(30*time.Second, path, args...)
	cmd.WithStderr()
	err = cmd.Run()
	if err != nil {
		var output = cmd.Stderr()
		if strings.Contains(output, "No chain/target/match") {
			err = nil
		} else {
			return fmt.Errorf("%w, output: %s", err, output)
		}
	}
	return nil
}
增加IP动作 2021-02-06 17:34:33 +08:00			`package iplibrary`

			`import (`
优化错误处理相关代码 2023-08-11 14:51:23 +08:00			`"fmt"`
v1.4.1 2024-07-27 15:42:50 +08:00			`"runtime"`
			`"strings"`
			`"time"`

增加IP动作 2021-02-06 17:34:33 +08:00			`"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"`
			`"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"`
修复在iptables中加入ipv6的错误 2022-10-24 16:37:54 +08:00			`"github.com/TeaOSLab/EdgeNode/internal/utils"`
优化命令执行相关代码 2022-09-15 11:14:33 +08:00			`executils "github.com/TeaOSLab/EdgeNode/internal/utils/exec"`
增加IP动作 2021-02-06 17:34:33 +08:00			`)`

增加注释 2021-11-14 20:46:08 +08:00			`// IPTablesAction IPTables动作`
增加IP动作 2021-02-06 17:34:33 +08:00			`// 相关命令：`
优化命令执行相关代码 2022-09-15 11:14:33 +08:00			`//`
			`// iptables -A INPUT -s "192.168.2.32" -j ACCEPT`
			`// iptables -A INPUT -s "192.168.2.32" -j REJECT`
			`// iptables -D INPUT ...`
			`// iptables -F INPUT`
增加IP动作 2021-02-06 17:34:33 +08:00			`type IPTablesAction struct {`
			`BaseAction`

			`config *firewallconfigs.FirewallActionIPTablesConfig`
优化iptables+firewall-cmd找不到时的提示 2021-11-15 09:45:03 +08:00
			`iptablesNotFound bool`
增加IP动作 2021-02-06 17:34:33 +08:00			`}`

			`func NewIPTablesAction() *IPTablesAction {`
			`return &IPTablesAction{}`
			`}`

			`func (this IPTablesAction) Init(config firewallconfigs.FirewallActionConfig) error {`
			`this.config = &firewallconfigs.FirewallActionIPTablesConfig{}`
			`err := this.convertParams(config.Params, this.config)`
			`if err != nil {`
			`return err`
			`}`
			`return nil`
			`}`

			`func (this IPTablesAction) AddItem(listType IPListType, item pb.IPItem) error {`
			`return this.runAction("addItem", listType, item)`
			`}`

			`func (this IPTablesAction) DeleteItem(listType IPListType, item pb.IPItem) error {`
			`return this.runAction("deleteItem", listType, item)`
			`}`

			`func (this IPTablesAction) runAction(action string, listType IPListType, item pb.IPItem) error {`
			`if item.Type == "all" {`
			`return nil`
			`}`
			`if len(item.IpTo) == 0 {`
			`return this.runActionSingleIP(action, listType, item)`
			`}`
			`cidrList, err := iPv4RangeToCIDRRange(item.IpFrom, item.IpTo)`
			`if err != nil {`
			`// 不合法的范围不予处理即可`
			`return nil`
			`}`
			`if len(cidrList) == 0 {`
			`return nil`
			`}`
			`for _, cidr := range cidrList {`
			`item.IpFrom = cidr`
			`item.IpTo = ""`
			`err := this.runActionSingleIP(action, listType, item)`
			`if err != nil {`
			`return err`
			`}`
			`}`
			`return nil`
			`}`

			`func (this IPTablesAction) runActionSingleIP(action string, listType IPListType, item pb.IPItem) error {`
修复在iptables中加入ipv6的错误 2022-10-24 16:37:54 +08:00			`// 暂时不支持ipv6`
			`// TODO 将来支持ipv6`
			`if utils.IsIPv6(item.IpFrom) {`
			`return nil`
			`}`

增加IP动作 2021-02-06 17:34:33 +08:00			`if item.Type == "all" {`
			`return nil`
			`}`
修复在iptables中加入ipv6的错误 2022-10-24 16:37:54 +08:00			`var path = this.config.Path`
增加IP动作 2021-02-06 17:34:33 +08:00			`var err error`
			`if len(path) == 0 {`
使用自定义 executils.LookPath() 代替 exec.LookPath() 避免因$PATH环境变量被破坏而无法工作 2023-07-03 10:37:36 +08:00			`path, err = executils.LookPath("iptables")`
增加IP动作 2021-02-06 17:34:33 +08:00			`if err != nil {`
优化iptables+firewall-cmd找不到时的提示 2021-11-15 09:45:03 +08:00			`if this.iptablesNotFound {`
			`return nil`
			`}`
			`this.iptablesNotFound = true`
增加IP动作 2021-02-06 17:34:33 +08:00			`return err`
			`}`
修复在iptables中加入ipv6的错误 2022-10-24 16:37:54 +08:00			`this.config.Path = path`
增加IP动作 2021-02-06 17:34:33 +08:00			`}`
			`iptablesAction := ""`
			`switch action {`
			`case "addItem":`
			`iptablesAction = "-A"`
			`case "deleteItem":`
			`iptablesAction = "-D"`
			`default:`
			`return nil`
			`}`
			`args := []string{iptablesAction, "INPUT", "-s", item.IpFrom, "-j"}`
			`switch listType {`
			`case IPListTypeWhite:`
			`args = append(args, "ACCEPT")`
			`case IPListTypeBlack:`
			`args = append(args, "REJECT")`
			`default:`
			`return nil`
			`}`

			`if runtime.GOOS == "darwin" {`
			`// MAC OS直接返回`
			`return nil`
			`}`

优化命令执行相关代码 2022-09-15 11:14:33 +08:00			`var cmd = executils.NewTimeoutCmd(30*time.Second, path, args...)`
			`cmd.WithStderr()`
增加IP动作 2021-02-06 17:34:33 +08:00			`err = cmd.Run()`
			`if err != nil {`
优化命令执行相关代码 2022-09-15 11:14:33 +08:00			`var output = cmd.Stderr()`
			`if strings.Contains(output, "No chain/target/match") {`
增加IP动作 2021-02-06 17:34:33 +08:00			`err = nil`
			`} else {`
优化错误处理相关代码 2023-08-11 14:51:23 +08:00			`return fmt.Errorf("%w, output: %s", err, output)`
增加IP动作 2021-02-06 17:34:33 +08:00			`}`
			`}`
			`return nil`
			`}`