优化nftables可执行文件查找方法

This commit is contained in:
GoEdgeLab
2023-04-02 18:37:24 +08:00
parent 63a66c5085
commit 6852195a90
2 changed files with 28 additions and 15 deletions


@@ -20,7 +20,6 @@ import (
"github.com/iwind/TeaGo/types" "github.com/iwind/TeaGo/types"
stringutil "github.com/iwind/TeaGo/utils/string" stringutil "github.com/iwind/TeaGo/utils/string"
"net" "net"
"os/exec"
"strings" "strings"
"time" "time"
) )
@@ -91,7 +90,7 @@ func (this *DDoSProtectionManager) Apply(config *ddosconfigs.ProtectionConfig) e
} }
remotelogs.Println("FIREWALL", "change DDoS protection config") remotelogs.Println("FIREWALL", "change DDoS protection config")
if len(this.nftExe()) == 0 { if len(NftExePath()) == 0 {
return errors.New("can not find nft command") return errors.New("can not find nft command")
} }
@@ -157,7 +156,7 @@ func (this *DDoSProtectionManager) Apply(config *ddosconfigs.ProtectionConfig) e
// 添加TCP规则 // 添加TCP规则
func (this *DDoSProtectionManager) addTCPRules(tcpConfig *ddosconfigs.TCPConfig) error { func (this *DDoSProtectionManager) addTCPRules(tcpConfig *ddosconfigs.TCPConfig) error {
var nftExe = this.nftExe() var nftExe = NftExePath()
if len(nftExe) == 0 { if len(nftExe) == 0 {
return nil return nil
} }
@@ -557,8 +556,3 @@ func (this *DDoSProtectionManager) updateAllowIPList(allIPList []string) error {
return nil return nil
} }
func (this *DDoSProtectionManager) nftExe() string {
path, _ := exec.LookPath("nft")
return path
}


@@ -1,6 +1,5 @@
// Copyright 2022 Liuxiangchao iwind.liu@gmail.com. All rights reserved. // Copyright 2022 Liuxiangchao iwind.liu@gmail.com. All rights reserved.
//go:build linux //go:build linux
// +build linux
package firewalls package firewalls
@@ -16,6 +15,7 @@ import (
"github.com/google/nftables/expr" "github.com/google/nftables/expr"
"github.com/iwind/TeaGo/types" "github.com/iwind/TeaGo/types"
"net" "net"
"os"
"os/exec" "os/exec"
"regexp" "regexp"
"runtime" "runtime"
@@ -23,6 +23,25 @@ import (
"time" "time"
) )
// NftExePath 查找nftables可执行文件路径
func NftExePath() string {
path, _ := exec.LookPath("nft")
if len(path) > 0 {
return path
}
for _, possiblePath := range []string{
"/usr/sbin/nft",
} {
_, err := os.Stat(possiblePath)
if err == nil {
return possiblePath
}
}
return ""
}
// check nft status, if being enabled we load it automatically // check nft status, if being enabled we load it automatically
func init() { func init() {
if !teaconst.IsMain { if !teaconst.IsMain {
@@ -38,8 +57,8 @@ func init() {
ticker.Stop() ticker.Stop()
break break
} }
_, err := exec.LookPath("nft") var nftExe = NftExePath()
if err == nil { if len(nftExe) > 0 {
nftablesFirewall, err := NewNFTablesFirewall() nftablesFirewall, err := NewNFTablesFirewall()
if err != nil { if err != nil {
continue continue
@@ -121,9 +140,9 @@ type NFTablesFirewall struct {
func (this *NFTablesFirewall) init() error { func (this *NFTablesFirewall) init() error {
// check nft // check nft
nftPath, err := exec.LookPath("nft") var nftPath = NftExePath()
if err != nil { if len(nftPath) == 0 {
return errors.New("nft not found") return errors.New("'nft' not found")
} }
this.version = this.readVersion(nftPath) this.version = this.readVersion(nftPath)
@@ -276,7 +295,7 @@ func (this *NFTablesFirewall) init() error {
for ipItem := range this.dropIPQueue { for ipItem := range this.dropIPQueue {
switch ipItem.action { switch ipItem.action {
case "drop": case "drop":
err = this.DropSourceIP(ipItem.ip, ipItem.timeoutSeconds, false) err := this.DropSourceIP(ipItem.ip, ipItem.timeoutSeconds, false)
if err != nil { if err != nil {
remotelogs.Warn("NFTABLES", "drop ip '"+ipItem.ip+"' failed: "+err.Error()) remotelogs.Warn("NFTABLES", "drop ip '"+ipItem.ip+"' failed: "+err.Error())
} }
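Review bot: The fallback branch of NftExePath only checks that `/usr/sbin/nft` exists (`os.Stat` succeeds for a directory or a non-executable file too), yet the returned path is later passed to `this.readVersion(nftPath)` and run with the daemon's privileges, so a stale or wrong entry at that path would be reported as found and then fail at exec time. Keep the lookup from returning anything that is not a regular executable: `info, err := os.Stat(possiblePath)` / `if err == nil && info.Mode().IsRegular() && info.Mode().Perm()&0o111 != 0 {` / `return possiblePath`. It may also be worth a short comment on the function stating that callers treat an empty result as "nft unavailable" rather than as an error, since init() and NFTablesFirewall.init() now react differently to it (one skips, one returns "'nft' not found"). The `:=` on the DropSourceIP line in the last hunk intentionally stops the goroutine from writing the enclosing init()'s `err`, which is fine, but init() itself begins outside this hunk so the remaining uses of the outer `err` are not visible here.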