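package iplibrary

import (
	"fmt"
	"net"
	"runtime"
	"strings"
	"time"

	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
	"github.com/TeaOSLab/EdgeNode/internal/utils"
	executils "github.com/TeaOSLab/EdgeNode/internal/utils/exec"
)

const (
	// iptablesChain is the chain every rule is added to and removed from.
	iptablesChain = "INPUT"
	// iptablesTimeout bounds a single iptables invocation.
	iptablesTimeout = 30 * time.Second
)

// IPTablesAction applies IP list changes by invoking the iptables binary.
// Equivalent commands:
//
//	iptables -A INPUT -s "192.168.2.32" -j ACCEPT
//	iptables -A INPUT -s "192.168.2.32" -j REJECT
//	iptables -D INPUT ...
//	iptables -F INPUT
//
// Rules are appended to the INPUT chain (-A), so their effect depends on the
// rules already present in that chain; a deletion (-D) removes one matching
// rule instance. Only IPv4 addresses and ranges are handled; IPv6 items are
// ignored. The path cache and the not-found flag below are updated without
// locking, so an instance is not safe for concurrent use.
type IPTablesAction struct {
	BaseAction

	// config carries the iptables binary path; an empty Path is resolved via
	// LookPath on first use and cached back into config.
	config *firewallconfigs.FirewallActionIPTablesConfig

	// iptablesNotFound records that LookPath already failed once; the error is
	// reported on that first failure and later calls become silent no-ops.
	iptablesNotFound bool
}

// NewIPTablesAction returns an action that must be configured with Init
// before AddItem or DeleteItem is called.
func NewIPTablesAction() *IPTablesAction {
	return &IPTablesAction{}
}

// Init decodes config.Params into the iptables-specific configuration.
// It returns an error when config is nil or the parameters cannot be
// converted (convertParams presumably comes from the embedded BaseAction).
func (this *IPTablesAction) Init(config *firewallconfigs.FirewallActionConfig) error {
	if config == nil {
		return fmt.Errorf("iptables action: nil config")
	}
	this.config = &firewallconfigs.FirewallActionIPTablesConfig{}
	return this.convertParams(config.Params, this.config)
}

// AddItem appends an ACCEPT (white list) or REJECT (black list) rule for item.
func (this *IPTablesAction) AddItem(listType IPListType, item *pb.IPItem) error {
	return this.runAction("addItem", listType, item)
}

// DeleteItem removes the rule previously added for item.
func (this *IPTablesAction) DeleteItem(listType IPListType, item *pb.IPItem) error {
	return this.runAction("deleteItem", listType, item)
}

// runAction dispatches action ("addItem" or "deleteItem") for item, expanding
// an IpFrom..IpTo range into CIDR blocks. Items of type "all" and nil items
// are ignored. The caller's item is never modified.
func (this *IPTablesAction) runAction(action string, listType IPListType, item *pb.IPItem) error {
	if item == nil || item.Type == "all" {
		return nil
	}
	if len(item.IpTo) == 0 {
		return this.runActionSingleIP(action, listType, item)
	}
	cidrList, err := iPv4RangeToCIDRRange(item.IpFrom, item.IpTo)
	if err != nil {
		// An invalid range is skipped rather than reported.
		return nil
	}
	for _, cidr := range cidrList {
		// Pass the CIDR directly instead of rewriting item.IpFrom/IpTo, so that
		// any other action handling the same item still sees the full range.
		if err := this.runActionIP(action, listType, cidr); err != nil {
			return err
		}
	}
	return nil
}

// runActionSingleIP runs action for an item holding a single address (or CIDR)
// in IpFrom. Nil items and items of type "all" are ignored.
func (this *IPTablesAction) runActionSingleIP(action string, listType IPListType, item *pb.IPItem) error {
	if item == nil || item.Type == "all" {
		return nil
	}
	return this.runActionIP(action, listType, item.IpFrom)
}

// runActionIP runs one iptables command for a single IPv4 address or CIDR.
//
// It returns nil without doing anything for IPv6 input, on macOS, for an
// unknown action or list type, and for repeated lookups of a missing iptables
// binary. It returns an error when ip is not an IPv4 address or CIDR, when the
// binary cannot be located on the first attempt, or when iptables fails for a
// reason other than the rule being absent.
func (this *IPTablesAction) runActionIP(action string, listType IPListType, ip string) error {
	// IPv6 is not supported yet (TODO); such entries are ignored.
	if utils.IsIPv6(ip) {
		return nil
	}
	// macOS has no iptables; return before the lookup so the no-op is
	// consistent instead of surfacing a LookPath error on the first call.
	if runtime.GOOS == "darwin" {
		return nil
	}

	var iptablesAction string
	switch action {
	case "addItem":
		iptablesAction = "-A"
	case "deleteItem":
		iptablesAction = "-D"
	default:
		return nil
	}

	var target string
	switch listType {
	case IPListTypeWhite:
		target = "ACCEPT"
	case IPListTypeBlack:
		target = "REJECT"
	default:
		return nil
	}

	// ip becomes an argv element of a privileged binary (no shell is involved);
	// restrict it to the forms this action is meant to pass so that nothing
	// else (e.g. a host name iptables would try to resolve) reaches it.
	if !isIPv4OrCIDR(ip) {
		return fmt.Errorf("iptables: invalid IPv4 address or CIDR %q", ip)
	}

	if this.config == nil {
		return fmt.Errorf("iptables action: not initialized")
	}
	path := this.config.Path
	if len(path) == 0 {
		var err error
		path, err = executils.LookPath("iptables")
		if err != nil {
			// Report the missing binary once; afterwards treat the action as a no-op.
			if this.iptablesNotFound {
				return nil
			}
			this.iptablesNotFound = true
			return err
		}
		this.config.Path = path
	}

	args := []string{iptablesAction, iptablesChain, "-s", ip, "-j", target}
	var cmd = executils.NewTimeoutCmd(iptablesTimeout, path, args...)
	cmd.WithStderr()
	if err := cmd.Run(); err != nil {
		var output = cmd.Stderr()
		// Deleting a rule that is no longer present is not an error here.
		if strings.Contains(output, "No chain/target/match") {
			return nil
		}
		return fmt.Errorf("%w, output: %s", err, output)
	}
	return nil
}

// isIPv4OrCIDR reports whether s is a plain IPv4 address or an IPv4 CIDR
// block, the only forms this action passes to iptables.
func isIPv4OrCIDR(s string) bool {
	if ip := net.ParseIP(s); ip != nil {
		return ip.To4() != nil
	}
	ip, _, err := net.ParseCIDR(s)
	return err == nil && ip.To4() != nil
}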