fix: 防火墙禁 ping 方式修改 (#577)

2 years ago · ef16934952
4 changed files with 55 additions and 74 deletions
--- a/backend/app/service/firewall.go
+++ b/backend/app/service/firewall.go
@ -2,10 +2,12 @@ package service

 import (
 	"fmt"
+	"os"
 	"strconv"
 	"strings"

 	"github.com/1Panel-dev/1Panel/backend/app/dto"
+	"github.com/1Panel-dev/1Panel/backend/constant"
 	"github.com/1Panel-dev/1Panel/backend/utils/cmd"
 	"github.com/1Panel-dev/1Panel/backend/utils/common"
 	"github.com/1Panel-dev/1Panel/backend/utils/firewall"
@ -13,6 +15,8 @@ import (
 	"github.com/jinzhu/copier"
 )

+const confPath = "/etc/sysctl.conf"
+
 type FirewallService struct{}

 type IFirewallService interface {
@ -44,7 +48,7 @@ func (u *FirewallService) LoadBaseInfo() (dto.FirewallBaseInfo, error) {
 	if err != nil {
 		return baseInfo, err
 	}
-	baseInfo.PingStatus, err = client.PingStatus()
+	baseInfo.PingStatus, err = u.PingStatus()
 	if err != nil {
 		return baseInfo, err
 	}
@ -152,9 +156,9 @@ func (u *FirewallService) OperateFirewall(operation string) error {
 		_, _ = cmd.Exec("systemctl restart docker")
 		return nil
 	case "disablePing":
-		return client.UpdatePingStatus("0")
+		return u.UpdatePingStatus("0")
 	case "enablePing":
-		return client.UpdatePingStatus("1")
+		return u.UpdatePingStatus("1")
 	}
 	return fmt.Errorf("not support such operation: %s", operation)
 }
@ -361,3 +365,51 @@ func (u *FirewallService) loadPortByApp() []portOfApp {

 	return datas
 }
+
+func (u *FirewallService) PingStatus() (string, error) {
+	stdout, err := cmd.Exec("sudo cat /etc/sysctl.conf | grep net/ipv4/icmp_echo_ignore_all= ")
+	if err != nil {
+		return constant.StatusDisable, fmt.Errorf("load firewall ping status failed, err: %s", stdout)
+	}
+	if stdout == "net/ipv4/icmp_echo_ignore_all=1\n" {
+		return constant.StatusEnable, nil
+	}
+	return constant.StatusDisable, nil
+}
+
+func (u *FirewallService) UpdatePingStatus(enabel string) error {
+	lineBytes, err := os.ReadFile(confPath)
+	if err != nil {
+		return err
+	}
+	files := strings.Split(string(lineBytes), "\n")
+	var newFiles []string
+	hasLine := false
+	for _, line := range files {
+		if strings.Contains(line, "net/ipv4/icmp_echo_ignore_all") || strings.HasPrefix(line, "net/ipv4/icmp_echo_ignore_all") {
+			newFiles = append(newFiles, "net/ipv4/icmp_echo_ignore_all="+enabel)
+			hasLine = true
+		} else {
+			newFiles = append(newFiles, line)
+		}
+	}
+	if !hasLine {
+		newFiles = append(newFiles, "net/ipv4/icmp_echo_ignore_all="+enabel)
+	}
+	file, err := os.OpenFile(confPath, os.O_WRONLY|os.O_TRUNC, 0666)
+	if err != nil {
+		return err
+	}
+	defer file.Close()
+	_, err = file.WriteString(strings.Join(newFiles, "\n"))
+	if err != nil {
+		return err
+	}
+
+	stdout, err := cmd.Exec("sudo sysctl -p")
+	if err != nil {
+		return fmt.Errorf("update ping status failed, err: %v", stdout)
+	}
+
+	return nil
+}
--- a/backend/utils/firewall/client.go
+++ b/backend/utils/firewall/client.go
@ -15,9 +15,6 @@ type FirewallClient interface {
 	Status() (string, error) // running not running
 	Version() (string, error)

-	PingStatus() (string, error) // Enable Disable
-	UpdatePingStatus(enable string) error
-
 	ListPort() ([]client.FireInfo, error)
 	ListAddress() ([]client.FireInfo, error)

--- a/backend/utils/firewall/client/firewalld.go
+++ b/backend/utils/firewall/client/firewalld.go
@ -4,7 +4,6 @@ import (
 	"fmt"
 	"strings"

-	"github.com/1Panel-dev/1Panel/backend/constant"
 	"github.com/1Panel-dev/1Panel/backend/utils/cmd"
 )

@ -42,26 +41,6 @@ func (f *Firewall) Start() error {
 	return nil
 }

-func (f *Firewall) PingStatus() (string, error) {
-	stdout, _ := cmd.Exec("firewall-cmd --zone=public  --query-rich-rule='rule protocol value=icmp drop'")
-	if stdout == "yes\n" {
-		return constant.StatusEnable, nil
-	}
-	return constant.StatusDisable, nil
-}
-
-func (f *Firewall) UpdatePingStatus(enabel string) error {
-	operation := "add"
-	if enabel == "0" {
-		operation = "remove"
-	}
-	stdout, err := cmd.Execf("firewall-cmd --permanent --%s-rich-rule='rule protocol value=icmp drop'", operation)
-	if err != nil {
-		return fmt.Errorf("update firewall ping status failed, err: %s", stdout)
-	}
-	return f.Reload()
-}
-
 func (f *Firewall) Stop() error {
 	stdout, err := cmd.Exec("systemctl stop firewalld")
 	if err != nil {
--- a/backend/utils/firewall/client/ufw.go
+++ b/backend/utils/firewall/client/ufw.go
@ -2,15 +2,11 @@ package client

 import (
 	"fmt"
-	"os"
 	"strings"

-	"github.com/1Panel-dev/1Panel/backend/constant"
 	"github.com/1Panel-dev/1Panel/backend/utils/cmd"
 )

-const confPath = "/etc/ufw/sysctl.conf"
-
 type Ufw struct{}

 func NewUfw() (*Ufw, error) {
@ -49,49 +45,6 @@ func (f *Ufw) Start() error {
 	return nil
 }

-func (f *Ufw) PingStatus() (string, error) {
-	stdout, err := cmd.Exec("cat /etc/ufw/sysctl.conf | grep net/ipv4/icmp_echo_ignore_all= ")
-	if err != nil {
-		return constant.StatusDisable, fmt.Errorf("load firewall ping status failed, err: %s", stdout)
-	}
-	if stdout == "net/ipv4/icmp_echo_ignore_all=1\n" {
-		return constant.StatusEnable, nil
-	}
-	return constant.StatusDisable, nil
-}
-
-func (f *Ufw) UpdatePingStatus(enabel string) error {
-	lineBytes, err := os.ReadFile(confPath)
-	if err != nil {
-		return err
-	}
-	files := strings.Split(string(lineBytes), "\n")
-	var newFiles []string
-	for _, line := range files {
-		if strings.Contains(line, "net/ipv4/icmp_echo_ignore_all") || strings.HasPrefix(line, "net/ipv4/icmp_echo_ignore_all") {
-			newFiles = append(newFiles, "net/ipv4/icmp_echo_ignore_all="+enabel)
-		} else {
-			newFiles = append(newFiles, line)
-		}
-	}
-	file, err := os.OpenFile(confPath, os.O_WRONLY|os.O_TRUNC, 0666)
-	if err != nil {
-		return err
-	}
-	defer file.Close()
-	_, err = file.WriteString(strings.Join(newFiles, "\n"))
-	if err != nil {
-		return err
-	}
-
-	stdout, err := cmd.Exec("sudo ufw reload")
-	if err != nil {
-		return fmt.Errorf("reload ufw setting failed, err: %v", stdout)
-	}
-
-	return nil
-}
-
 func (f *Ufw) Stop() error {
 	stdout, err := cmd.Exec("sudo ufw disable")
 	if err != nil {