nftables：自动升级以前的drop规则为reject规则

2025-11-04 07:40:56 +08:00 · 2023-04-01 17:09:53 +08:00
parent 9bd4975478
commit f675b88761
1 changed files with 11 additions and 0 deletions
--- a/internal/firewalls/firewall_nftables.go
+++ b/internal/firewalls/firewall_nftables.go
@@ -13,6 +13,7 @@ import (
 	"github.com/TeaOSLab/EdgeNode/internal/goman"
 	"github.com/TeaOSLab/EdgeNode/internal/remotelogs"
 	executils "github.com/TeaOSLab/EdgeNode/internal/utils/exec"
+	"github.com/google/nftables/expr"
 	"github.com/iwind/TeaGo/types"
 	"net"
 	"os/exec"
@@ -229,6 +230,16 @@ func (this *NFTablesFirewall) init() error {
 			// rule
 			var ruleName = []byte(setAction)
 			rule, err := chain.GetRuleWithUserData(ruleName)
+
+			// 将以前的drop规则删掉，替换成后面的reject
+			if err == nil && setAction != "allow" && rule != nil && rule.VerDict() == expr.VerdictDrop {
+				deleteErr := chain.DeleteRule(rule)
+				if deleteErr == nil {
+					err = nftables.ErrRuleNotFound
+					rule = nil
+				}
+			}
+
 			if err != nil {
 				if nftables.IsNotFound(err) {
 					if tableDef.IsIPv4 {