From 46320634f6b4a097801d591542c301e4d556afc4 Mon Sep 17 00:00:00 2001
From: ssongliu <73214554+ssongliu@users.noreply.github.com>
Date: Fri, 3 Nov 2023 11:14:43 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E8=A7=A3=E5=86=B3=20firewalld=20?=
 =?UTF-8?q?=E9=98=B2=E7=81=AB=E5=A2=99=E8=A7=84=E5=88=99=20ipv6=20?=
 =?UTF-8?q?=E4=B8=8B=E4=B8=8D=E7=94=9F=E6=95=88=E7=9A=84=E9=97=AE=E9=A2=98?=
 =?UTF-8?q?=20(#2789)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 backend/utils/firewall/client/firewalld.go | 42 +++++++++-------------
 1 file changed, 16 insertions(+), 26 deletions(-)
diff --git a/backend/utils/firewall/client/firewalld.go b/backend/utils/firewall/client/firewalld.go
index 06b563ebc..3f92fe2d7 100644
--- a/backend/utils/firewall/client/firewalld.go
+++ b/backend/utils/firewall/client/firewalld.go
@@ -141,37 +141,27 @@ func (f *Firewall) RichRules(rule FireInfo, operation string) error {
 if cmd.CheckIllegal(operation, rule.Address, rule.Protocol, rule.Port, rule.Strategy) {
 return buserr.New(constant.ErrCmdIllegal)
 }
- ruleStr := ""
- if strings.Contains(rule.Address, "-") {
- std, err := cmd.Execf("firewall-cmd --permanent --new-ipset=%s --type=hash:ip", rule.Address)
- if err != nil {
- return fmt.Errorf("add new ipset failed, err: %s", std)
- }
- std2, err := cmd.Execf("firewall-cmd --permanent --ipset=%s --add-entry=%s", rule.Address, rule.Address)
- if err != nil {
- return fmt.Errorf("add entry to ipset failed, err: %s", std2)
- }
- if err := f.Reload(); err != nil {
- return err
- }
- ruleStr = fmt.Sprintf("rule source ipset=%s %s", rule.Address, rule.Strategy)
- } else {
- ruleStr = "rule "
- if len(rule.Address) != 0 {
- ruleStr += fmt.Sprintf("source address=%s ", rule.Address)
- }
- if len(rule.Port) != 0 {
- ruleStr += fmt.Sprintf("port port=%s ", rule.Port)
- }
- if len(rule.Protocol) != 0 {
- ruleStr += fmt.Sprintf("protocol=%s ", rule.Protocol)
- }
- ruleStr += rule.Strategy
+ ruleStr := "rule family=ipv4 "
+ if len(rule.Address) != 0 {
+ ruleStr += fmt.Sprintf("source address=%s ", rule.Address)
 }
+ if len(rule.Port) != 0 {
+ ruleStr += fmt.Sprintf("port port=%s ", rule.Port)
+ }
+ if len(rule.Protocol) != 0 {
+ ruleStr += fmt.Sprintf("protocol=%s ", rule.Protocol)
+ }
+ ruleStr += rule.Strategy
 stdout, err := cmd.Execf("firewall-cmd --zone=public --%s-rich-rule '%s' --permanent", operation, ruleStr)
 if err != nil {
 return fmt.Errorf("%s rich rules failed, err: %s", operation, stdout)
 }
+ if len(rule.Address) == 0 {
+ stdout1, err := cmd.Execf("firewall-cmd --zone=public --%s-rich-rule '%s' --permanent", operation, strings.ReplaceAll(ruleStr, "family=ipv4 ", "family=ipv6 "))
+ if err != nil {
+ return fmt.Errorf("%s rich rules failed, err: %s", operation, stdout1)
+ }
+ }
 return nil
 }
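Review bot: The hard-coded `ruleStr := "rule family=ipv4 "` at the top of the new branch is only widened to ipv6 when `rule.Address` is empty, so an IPv6 address or prefix in `rule.Address` is emitted as `family=ipv4 source address=<v6>`, which firewalld should reject as a family mismatch — the IPv6 case this commit targets still fails whenever a source is given. Deriving the family from the address (a `:` is enough to tell the two apart here) and looping over the applicable families covers that case and also removes the `strings.ReplaceAll` rewrite of the rule text near the end of the hunk. Two side effects deserve a sentence in the function's doc comment: the `--permanent` ipv4 change is already applied when the ipv6 call fails, so a failed `remove` leaves the ipv6 rule active, and rules written before this change carry no `family=` element, so `remove` with the new string presumably no longer matches them. The function's signature and any leading doc comment are outside the hunk.
```go
func (f *Firewall) RichRules(rule FireInfo, operation string) error {
	// … unchanged: CheckIllegal guard …
	families := []string{"ipv4", "ipv6"}
	if len(rule.Address) != 0 {
		families = []string{"ipv4"}
		if strings.Contains(rule.Address, ":") {
			families = []string{"ipv6"}
		}
	}
	for _, family := range families {
		ruleStr := fmt.Sprintf("rule family=%s ", family)
		// … unchanged: source/port/protocol/strategy assembly …
		stdout, err := cmd.Execf("firewall-cmd --zone=public --%s-rich-rule '%s' --permanent", operation, ruleStr)
		if err != nil {
			return fmt.Errorf("%s rich rules failed, err: %s", operation, stdout)
		}
	}
	return nil
}
```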