TRKJ/EdgeNode
2
0
Fork 0
mirror of https://github.com/TeaOSLab/EdgeNode.git synced 2025-11-07 10:40:26 +08:00
Code Issues Packages Projects Releases Wiki Activity

修复IPTables+IPSet组合时在IPTables中生成了多个重复记录的Bug;增加IPSet最大值为1000000;IP范围只支持D段

Browse Source
This commit is contained in:
GoEdgeLab
2021-11-14 20:35:47 +08:00
parent 84a04ee014
commit f33ce88a3a
1 changed files with 66 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

63
internal/iplibrary/action_ipset.go
View File

@@ -5,9 +5,11 @@ import (
"errors" "errors"
"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb" "github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs" "github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
"github.com/iwind/TeaGo/types"
"os/exec" "os/exec"
"runtime" "runtime"
"strconv" "strconv"
"strings"
"time" "time"
) )
@@ -23,14 +25,21 @@ import (
// - 添加Itemipset add edge_ip_list 192.168.2.32 timeout 30 // - 添加Itemipset add edge_ip_list 192.168.2.32 timeout 30
// - 删除Item: ipset del edge_ip_list 192.168.2.32 // - 删除Item: ipset del edge_ip_list 192.168.2.32
// - 创建setipset create edge_ip_list hash:ip timeout 0 // - 创建setipset create edge_ip_list hash:ip timeout 0
// - 查看统计ipset -t list edge_black_list
// - 删除setipset destroy edge_black_list
type IPSetAction struct { type IPSetAction struct {
BaseAction BaseAction
config *firewallconfigs.FirewallActionIPSetConfig config *firewallconfigs.FirewallActionIPSetConfig
errorBuf *bytes.Buffer
ipsetNotfound bool
} }
func NewIPSetAction() *IPSetAction { func NewIPSetAction() *IPSetAction {
return &IPSetAction{} return &IPSetAction{
errorBuf: &bytes.Buffer{},
}
} }
func (this *IPSetAction) Init(config *firewallconfigs.FirewallActionConfig) error { func (this *IPSetAction) Init(config *firewallconfigs.FirewallActionConfig) error {
@@ -54,7 +63,7 @@ func (this *IPSetAction) Init(config *firewallconfigs.FirewallActionConfig) erro
return err return err
} }
{ {
cmd := exec.Command(path, "create", this.config.WhiteName, "hash:ip", "timeout", "0") cmd := exec.Command(path, "create", this.config.WhiteName, "hash:ip", "timeout", "0", "maxelem", "1000000")
stderr := bytes.NewBuffer([]byte{}) stderr := bytes.NewBuffer([]byte{})
cmd.Stderr = stderr cmd.Stderr = stderr
err := cmd.Run() err := cmd.Run()
@@ -68,7 +77,7 @@ func (this *IPSetAction) Init(config *firewallconfigs.FirewallActionConfig) erro
} }
} }
{ {
cmd := exec.Command(path, "create", this.config.BlackName, "hash:ip", "timeout", "0") cmd := exec.Command(path, "create", this.config.BlackName, "hash:ip", "timeout", "0", "maxelem", "1000000")
stderr := bytes.NewBuffer([]byte{}) stderr := bytes.NewBuffer([]byte{})
cmd.Stderr = stderr cmd.Stderr = stderr
err := cmd.Run() err := cmd.Run()
@@ -163,7 +172,14 @@ func (this *IPSetAction) Init(config *firewallconfigs.FirewallActionConfig) erro
} }
{ {
cmd := exec.Command(path, "-A", "INPUT", "-m", "set", "--match-set", this.config.WhiteName, "src", "-j", "ACCEPT") // 检查规则是否存在
var cmd = exec.Command(path, "-C", "INPUT", "-m", "set", "--match-set", this.config.WhiteName, "src", "-j", "ACCEPT")
err := cmd.Run()
var exists = err == nil
// 添加规则
if !exists {
var cmd = exec.Command(path, "-A", "INPUT", "-m", "set", "--match-set", this.config.WhiteName, "src", "-j", "ACCEPT")
stderr := bytes.NewBuffer([]byte{}) stderr := bytes.NewBuffer([]byte{})
cmd.Stderr = stderr cmd.Stderr = stderr
err := cmd.Run() err := cmd.Run()
@@ -172,9 +188,16 @@ func (this *IPSetAction) Init(config *firewallconfigs.FirewallActionConfig) erro
return errors.New("iptables add rule: " + err.Error() + ", output: " + string(output)) return errors.New("iptables add rule: " + err.Error() + ", output: " + string(output))
} }
} }
}
{ {
cmd := exec.Command(path, "-A", "INPUT", "-m", "set", "--match-set", this.config.BlackName, "src", "-j", "REJECT") // 检查规则是否存在
var cmd = exec.Command(path, "-C", "INPUT", "-m", "set", "--match-set", this.config.BlackName, "src", "-j", "REJECT")
err := cmd.Run()
var exists = err == nil
if !exists {
var cmd = exec.Command(path, "-A", "INPUT", "-m", "set", "--match-set", this.config.BlackName, "src", "-j", "REJECT")
stderr := bytes.NewBuffer([]byte{}) stderr := bytes.NewBuffer([]byte{})
cmd.Stderr = stderr cmd.Stderr = stderr
err := cmd.Run() err := cmd.Run()
@@ -184,6 +207,7 @@ func (this *IPSetAction) Init(config *firewallconfigs.FirewallActionConfig) erro
} }
} }
} }
}
return nil return nil
} }
@@ -212,6 +236,16 @@ func (this *IPSetAction) runAction(action string, listType IPListType, item *pb.
return nil return nil
} }
for _, cidr := range cidrList { for _, cidr := range cidrList {
index := strings.Index(cidr, "/")
if index <= 0 {
continue
}
// 只支持/24以下的
if types.Int(cidr[index+1:]) < 24 {
continue
}
item.IpFrom = cidr item.IpFrom = cidr
item.IpTo = "" item.IpTo = ""
err := this.runActionSingleIP(action, listType, item) err := this.runActionSingleIP(action, listType, item)
@@ -246,6 +280,11 @@ func (this *IPSetAction) runActionSingleIP(action string, listType IPListType, i
if len(path) == 0 { if len(path) == 0 {
path, err = exec.LookPath("ipset") path, err = exec.LookPath("ipset")
if err != nil { if err != nil {
// 找不到ipset命令错误只提示一次
if this.ipsetNotfound {
return nil
}
this.ipsetNotfound = true
return err return err
} }
} }
@@ -264,13 +303,21 @@ func (this *IPSetAction) runActionSingleIP(action string, listType IPListType, i
args = append(args, "timeout", strconv.FormatInt(item.ExpiredAt-timestamp, 10)) args = append(args, "timeout", strconv.FormatInt(item.ExpiredAt-timestamp, 10))
} }
//logs.Println(args)
if runtime.GOOS == "darwin" { if runtime.GOOS == "darwin" {
// MAC OS直接返回 // MAC OS直接返回
return nil return nil
} }
this.errorBuf.Reset()
cmd := exec.Command(path, args...) cmd := exec.Command(path, args...)
return cmd.Run() cmd.Stderr = this.errorBuf
err = cmd.Run()
if err != nil {
var errString = this.errorBuf.String()
if action == "deleteItem" && strings.Contains(errString, "not added") {
return nil
}
return errors.New(strings.TrimSpace(errString))
}
return nil
} }