del: 删除获取防火墙相关代码
This commit is contained in:
TsMask
@@ -1,34 +0,0 @@
|
||||
package firewall
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"os"
|
||||
|
||||
"ems.agt/lib/core/utils/firewall/client"
|
||||
)
|
||||
|
||||
type FirewallClient interface {
|
||||
Name() string // ufw firewalld
|
||||
Start() error
|
||||
Stop() error
|
||||
Reload() error
|
||||
Status() (string, error) // running not running
|
||||
Version() (string, error)
|
||||
|
||||
ListPort() ([]client.FireInfo, error)
|
||||
ListAddress() ([]client.FireInfo, error)
|
||||
|
||||
Port(port client.FireInfo, operation string) error
|
||||
RichRules(rule client.FireInfo, operation string) error
|
||||
PortForward(info client.Forward, operation string) error
|
||||
}
|
||||
|
||||
func NewFirewallClient() (FirewallClient, error) {
|
||||
if _, err := os.Stat("/usr/sbin/firewalld"); err == nil {
|
||||
return client.NewFirewalld()
|
||||
}
|
||||
if _, err := os.Stat("/usr/sbin/ufw"); err == nil {
|
||||
return client.NewUfw()
|
||||
}
|
||||
return nil, errors.New("no such type")
|
||||
}
|
||||
@@ -1,209 +0,0 @@
|
||||
package client
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"strings"
|
||||
"sync"
|
||||
|
||||
"ems.agt/lib/core/cmd"
|
||||
)
|
||||
|
||||
type Firewall struct{}
|
||||
|
||||
func NewFirewalld() (*Firewall, error) {
|
||||
return &Firewall{}, nil
|
||||
}
|
||||
|
||||
func (f *Firewall) Name() string {
|
||||
return "firewalld"
|
||||
}
|
||||
|
||||
func (f *Firewall) Status() (string, error) {
|
||||
stdout, _ := cmd.Exec("firewall-cmd --state")
|
||||
if stdout == "running\n" {
|
||||
return "running", nil
|
||||
}
|
||||
return "not running", nil
|
||||
}
|
||||
|
||||
func (f *Firewall) Version() (string, error) {
|
||||
stdout, err := cmd.Exec("firewall-cmd --version")
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("load the firewall version failed, err: %s", stdout)
|
||||
}
|
||||
return strings.ReplaceAll(stdout, "\n ", ""), nil
|
||||
}
|
||||
|
||||
func (f *Firewall) Start() error {
|
||||
stdout, err := cmd.Exec("systemctl start firewalld")
|
||||
if err != nil {
|
||||
return fmt.Errorf("enable the firewall failed, err: %s", stdout)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (f *Firewall) Stop() error {
|
||||
stdout, err := cmd.Exec("systemctl stop firewalld")
|
||||
if err != nil {
|
||||
return fmt.Errorf("stop the firewall failed, err: %s", stdout)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (f *Firewall) Reload() error {
|
||||
stdout, err := cmd.Exec("firewall-cmd --reload")
|
||||
if err != nil {
|
||||
return fmt.Errorf("reload firewall failed, err: %s", stdout)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (f *Firewall) ListPort() ([]FireInfo, error) {
|
||||
var wg sync.WaitGroup
|
||||
var datas []FireInfo
|
||||
wg.Add(2)
|
||||
go func() {
|
||||
defer wg.Done()
|
||||
stdout, err := cmd.Exec("firewall-cmd --zone=public --list-ports")
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
ports := strings.Split(strings.ReplaceAll(stdout, "\n", ""), " ")
|
||||
for _, port := range ports {
|
||||
if len(port) == 0 {
|
||||
continue
|
||||
}
|
||||
var itemPort FireInfo
|
||||
if strings.Contains(port, "/") {
|
||||
itemPort.Port = strings.Split(port, "/")[0]
|
||||
itemPort.Protocol = strings.Split(port, "/")[1]
|
||||
}
|
||||
itemPort.Strategy = "accept"
|
||||
datas = append(datas, itemPort)
|
||||
}
|
||||
}()
|
||||
|
||||
go func() {
|
||||
defer wg.Done()
|
||||
stdout1, err := cmd.Exec("firewall-cmd --zone=public --list-rich-rules")
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
rules := strings.Split(stdout1, "\n")
|
||||
for _, rule := range rules {
|
||||
if len(rule) == 0 {
|
||||
continue
|
||||
}
|
||||
itemRule := f.loadInfo(rule)
|
||||
if len(itemRule.Port) != 0 && itemRule.Family == "ipv4" {
|
||||
datas = append(datas, itemRule)
|
||||
}
|
||||
}
|
||||
}()
|
||||
wg.Wait()
|
||||
return datas, nil
|
||||
}
|
||||
|
||||
func (f *Firewall) ListAddress() ([]FireInfo, error) {
|
||||
stdout, err := cmd.Exec("firewall-cmd --zone=public --list-rich-rules")
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
var datas []FireInfo
|
||||
rules := strings.Split(stdout, "\n")
|
||||
for _, rule := range rules {
|
||||
if len(rule) == 0 {
|
||||
continue
|
||||
}
|
||||
itemRule := f.loadInfo(rule)
|
||||
if len(itemRule.Port) == 0 && len(itemRule.Address) != 0 {
|
||||
datas = append(datas, itemRule)
|
||||
}
|
||||
}
|
||||
return datas, nil
|
||||
}
|
||||
|
||||
func (f *Firewall) Port(port FireInfo, operation string) error {
|
||||
if cmd.CheckIllegal(operation, port.Protocol, port.Port) {
|
||||
return fmt.Errorf("errCmdIllegal %v", port)
|
||||
}
|
||||
|
||||
stdout, err := cmd.Execf("firewall-cmd --zone=public --%s-port=%s/%s --permanent", operation, port.Port, port.Protocol)
|
||||
if err != nil {
|
||||
return fmt.Errorf("%s port failed, err: %s", operation, stdout)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (f *Firewall) RichRules(rule FireInfo, operation string) error {
|
||||
if cmd.CheckIllegal(operation, rule.Address, rule.Protocol, rule.Port, rule.Strategy) {
|
||||
return fmt.Errorf("errCmdIllegal %v", rule)
|
||||
}
|
||||
ruleStr := ""
|
||||
if strings.Contains(rule.Address, "-") {
|
||||
std, err := cmd.Execf("firewall-cmd --permanent --new-ipset=%s --type=hash:ip", rule.Address)
|
||||
if err != nil {
|
||||
return fmt.Errorf("add new ipset failed, err: %s", std)
|
||||
}
|
||||
std2, err := cmd.Execf("firewall-cmd --permanent --ipset=%s --add-entry=%s", rule.Address, rule.Address)
|
||||
if err != nil {
|
||||
return fmt.Errorf("add entry to ipset failed, err: %s", std2)
|
||||
}
|
||||
if err := f.Reload(); err != nil {
|
||||
return err
|
||||
}
|
||||
ruleStr = fmt.Sprintf("rule source ipset=%s %s", rule.Address, rule.Strategy)
|
||||
} else {
|
||||
ruleStr = "rule family=ipv4 "
|
||||
if len(rule.Address) != 0 {
|
||||
ruleStr += fmt.Sprintf("source address=%s ", rule.Address)
|
||||
}
|
||||
if len(rule.Port) != 0 {
|
||||
ruleStr += fmt.Sprintf("port port=%s ", rule.Port)
|
||||
}
|
||||
if len(rule.Protocol) != 0 {
|
||||
ruleStr += fmt.Sprintf("protocol=%s ", rule.Protocol)
|
||||
}
|
||||
ruleStr += rule.Strategy
|
||||
}
|
||||
stdout, err := cmd.Execf("firewall-cmd --zone=public --%s-rich-rule '%s' --permanent", operation, ruleStr)
|
||||
if err != nil {
|
||||
return fmt.Errorf("%s rich rules failed, err: %s", operation, stdout)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (f *Firewall) PortForward(info Forward, operation string) error {
|
||||
ruleStr := fmt.Sprintf("firewall-cmd --%s-forward-port=port=%s:proto=%s:toport=%s --permanent", operation, info.Port, info.Protocol, info.Target)
|
||||
if len(info.Address) != 0 {
|
||||
ruleStr = fmt.Sprintf("firewall-cmd --%s-forward-port=port=%s:proto=%s:toaddr=%s:toport=%s --permanent", operation, info.Port, info.Protocol, info.Address, info.Target)
|
||||
}
|
||||
|
||||
stdout, err := cmd.Exec(ruleStr)
|
||||
if err != nil {
|
||||
return fmt.Errorf("%s port forward failed, err: %s", operation, stdout)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (f *Firewall) loadInfo(line string) FireInfo {
|
||||
var itemRule FireInfo
|
||||
ruleInfo := strings.Split(strings.ReplaceAll(line, "\"", ""), " ")
|
||||
for _, item := range ruleInfo {
|
||||
switch {
|
||||
case strings.Contains(item, "family="):
|
||||
itemRule.Family = strings.ReplaceAll(item, "family=", "")
|
||||
case strings.Contains(item, "ipset="):
|
||||
itemRule.Address = strings.ReplaceAll(item, "ipset=", "")
|
||||
case strings.Contains(item, "address="):
|
||||
itemRule.Address = strings.ReplaceAll(item, "address=", "")
|
||||
case strings.Contains(item, "port="):
|
||||
itemRule.Port = strings.ReplaceAll(item, "port=", "")
|
||||
case strings.Contains(item, "protocol="):
|
||||
itemRule.Protocol = strings.ReplaceAll(item, "protocol=", "")
|
||||
case item == "accept" || item == "drop" || item == "reject":
|
||||
itemRule.Strategy = item
|
||||
}
|
||||
}
|
||||
return itemRule
|
||||
}
|
||||
@@ -1,20 +0,0 @@
|
||||
package client
|
||||
|
||||
type FireInfo struct {
|
||||
Family string `json:"family"` // ipv4 ipv6
|
||||
Address string `json:"address"` // Anywhere
|
||||
Port string `json:"port"`
|
||||
Protocol string `json:"protocol"` // tcp udp tcp/udp
|
||||
Strategy string `json:"strategy"` // accept drop
|
||||
|
||||
APPName string `json:"appName"`
|
||||
IsUsed bool `json:"isUsed"`
|
||||
Description string `json:"description"`
|
||||
}
|
||||
|
||||
type Forward struct {
|
||||
Protocol string `json:"protocol"`
|
||||
Address string `json:"address"`
|
||||
Port string `json:"port"`
|
||||
Target string `json:"target"`
|
||||
}
|
||||
@@ -1,238 +0,0 @@
|
||||
package client
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"strings"
|
||||
|
||||
"ems.agt/lib/core/cmd"
|
||||
)
|
||||
|
||||
type Ufw struct {
|
||||
CmdStr string
|
||||
}
|
||||
|
||||
func NewUfw() (*Ufw, error) {
|
||||
var ufw Ufw
|
||||
if cmd.HasNoPasswordSudo() {
|
||||
ufw.CmdStr = "sudo ufw"
|
||||
} else {
|
||||
ufw.CmdStr = "ufw"
|
||||
}
|
||||
return &ufw, nil
|
||||
}
|
||||
|
||||
func (f *Ufw) Name() string {
|
||||
return "ufw"
|
||||
}
|
||||
|
||||
func (f *Ufw) Status() (string, error) {
|
||||
stdout, _ := cmd.Execf("%s status | grep Status", f.CmdStr)
|
||||
if stdout == "Status: active\n" {
|
||||
return "running", nil
|
||||
}
|
||||
stdout1, _ := cmd.Execf("%s status | grep 状态", f.CmdStr)
|
||||
if stdout1 == "状态: 激活\n" {
|
||||
return "running", nil
|
||||
}
|
||||
return "not running", nil
|
||||
}
|
||||
|
||||
func (f *Ufw) Version() (string, error) {
|
||||
stdout, err := cmd.Execf("%s version | grep ufw", f.CmdStr)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("load the firewall status failed, err: %s", stdout)
|
||||
}
|
||||
info := strings.ReplaceAll(stdout, "\n", "")
|
||||
return strings.ReplaceAll(info, "ufw ", ""), nil
|
||||
}
|
||||
|
||||
func (f *Ufw) Start() error {
|
||||
stdout, err := cmd.Execf("echo y | %s enable", f.CmdStr)
|
||||
if err != nil {
|
||||
return fmt.Errorf("enable the firewall failed, err: %s", stdout)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (f *Ufw) Stop() error {
|
||||
stdout, err := cmd.Execf("%s disable", f.CmdStr)
|
||||
if err != nil {
|
||||
return fmt.Errorf("stop the firewall failed, err: %s", stdout)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (f *Ufw) Reload() error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (f *Ufw) ListPort() ([]FireInfo, error) {
|
||||
stdout, err := cmd.Execf("%s status verbose", f.CmdStr)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
portInfos := strings.Split(stdout, "\n")
|
||||
var datas []FireInfo
|
||||
isStart := false
|
||||
for _, line := range portInfos {
|
||||
if strings.HasPrefix(line, "-") {
|
||||
isStart = true
|
||||
continue
|
||||
}
|
||||
if !isStart {
|
||||
continue
|
||||
}
|
||||
itemFire := f.loadInfo(line, "port")
|
||||
if len(itemFire.Port) != 0 && itemFire.Port != "Anywhere" && !strings.Contains(itemFire.Port, ".") {
|
||||
itemFire.Port = strings.ReplaceAll(itemFire.Port, ":", "-")
|
||||
datas = append(datas, itemFire)
|
||||
}
|
||||
}
|
||||
return datas, nil
|
||||
}
|
||||
|
||||
func (f *Ufw) ListAddress() ([]FireInfo, error) {
|
||||
stdout, err := cmd.Execf("%s status verbose", f.CmdStr)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
portInfos := strings.Split(stdout, "\n")
|
||||
var datas []FireInfo
|
||||
isStart := false
|
||||
for _, line := range portInfos {
|
||||
if strings.HasPrefix(line, "-") {
|
||||
isStart = true
|
||||
continue
|
||||
}
|
||||
if !isStart {
|
||||
continue
|
||||
}
|
||||
if !strings.Contains(line, " IN") {
|
||||
continue
|
||||
}
|
||||
itemFire := f.loadInfo(line, "address")
|
||||
if strings.Contains(itemFire.Port, ".") {
|
||||
itemFire.Address += ("-" + itemFire.Port)
|
||||
itemFire.Port = ""
|
||||
}
|
||||
if len(itemFire.Port) == 0 && len(itemFire.Address) != 0 {
|
||||
datas = append(datas, itemFire)
|
||||
}
|
||||
}
|
||||
return datas, nil
|
||||
}
|
||||
|
||||
func (f *Ufw) Port(port FireInfo, operation string) error {
|
||||
switch port.Strategy {
|
||||
case "accept":
|
||||
port.Strategy = "allow"
|
||||
case "drop":
|
||||
port.Strategy = "deny"
|
||||
default:
|
||||
return fmt.Errorf("unsupport strategy %s", port.Strategy)
|
||||
}
|
||||
if cmd.CheckIllegal(port.Protocol, port.Port) {
|
||||
return fmt.Errorf("errCmdIllegal %v", port)
|
||||
}
|
||||
|
||||
command := fmt.Sprintf("%s %s %s", f.CmdStr, port.Strategy, port.Port)
|
||||
if operation == "remove" {
|
||||
command = fmt.Sprintf("%s delete %s %s", f.CmdStr, port.Strategy, port.Port)
|
||||
}
|
||||
if len(port.Protocol) != 0 {
|
||||
command += fmt.Sprintf("/%s", port.Protocol)
|
||||
}
|
||||
stdout, err := cmd.Exec(command)
|
||||
if err != nil {
|
||||
return fmt.Errorf("%s port failed, err: %s", operation, stdout)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (f *Ufw) RichRules(rule FireInfo, operation string) error {
|
||||
switch rule.Strategy {
|
||||
case "accept":
|
||||
rule.Strategy = "allow"
|
||||
case "drop":
|
||||
rule.Strategy = "deny"
|
||||
default:
|
||||
return fmt.Errorf("unsupport strategy %s", rule.Strategy)
|
||||
}
|
||||
|
||||
if cmd.CheckIllegal(operation, rule.Protocol, rule.Address, rule.Port) {
|
||||
return fmt.Errorf("errCmdIllegal %v", rule)
|
||||
}
|
||||
|
||||
ruleStr := fmt.Sprintf("%s %s ", f.CmdStr, rule.Strategy)
|
||||
if operation == "remove" {
|
||||
ruleStr = fmt.Sprintf("%s delete %s ", f.CmdStr, rule.Strategy)
|
||||
}
|
||||
if len(rule.Protocol) != 0 {
|
||||
ruleStr += fmt.Sprintf("proto %s ", rule.Protocol)
|
||||
}
|
||||
if strings.Contains(rule.Address, "-") {
|
||||
ruleStr += fmt.Sprintf("from %s to %s ", strings.Split(rule.Address, "-")[0], strings.Split(rule.Address, "-")[1])
|
||||
} else {
|
||||
ruleStr += fmt.Sprintf("from %s ", rule.Address)
|
||||
}
|
||||
if len(rule.Port) != 0 {
|
||||
ruleStr += fmt.Sprintf("to any port %s ", rule.Port)
|
||||
}
|
||||
|
||||
stdout, err := cmd.Exec(ruleStr)
|
||||
if err != nil {
|
||||
return fmt.Errorf("%s rich rules failed, err: %s", operation, stdout)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (f *Ufw) PortForward(info Forward, operation string) error {
|
||||
ruleStr := fmt.Sprintf("firewall-cmd --%s-forward-port=port=%s:proto=%s:toport=%s --permanent", operation, info.Port, info.Protocol, info.Target)
|
||||
if len(info.Address) != 0 {
|
||||
ruleStr = fmt.Sprintf("firewall-cmd --%s-forward-port=port=%s:proto=%s:toaddr=%s:toport=%s --permanent", operation, info.Port, info.Protocol, info.Address, info.Target)
|
||||
}
|
||||
|
||||
stdout, err := cmd.Exec(ruleStr)
|
||||
if err != nil {
|
||||
return fmt.Errorf("%s port forward failed, err: %s", operation, stdout)
|
||||
}
|
||||
if err := f.Reload(); err != nil {
|
||||
return err
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (f *Ufw) loadInfo(line string, fireType string) FireInfo {
|
||||
fields := strings.Fields(line)
|
||||
var itemInfo FireInfo
|
||||
if len(fields) < 4 {
|
||||
return itemInfo
|
||||
}
|
||||
if fields[1] == "(v6)" {
|
||||
return itemInfo
|
||||
}
|
||||
if fields[0] == "Anywhere" && fireType != "port" {
|
||||
itemInfo.Strategy = "drop"
|
||||
if fields[1] == "ALLOW" {
|
||||
itemInfo.Strategy = "accept"
|
||||
}
|
||||
itemInfo.Address = fields[3]
|
||||
return itemInfo
|
||||
}
|
||||
if strings.Contains(fields[0], "/") {
|
||||
itemInfo.Port = strings.Split(fields[0], "/")[0]
|
||||
itemInfo.Protocol = strings.Split(fields[0], "/")[1]
|
||||
} else {
|
||||
itemInfo.Port = fields[0]
|
||||
itemInfo.Protocol = "tcp/udp"
|
||||
}
|
||||
itemInfo.Family = "ipv4"
|
||||
if fields[1] == "ALLOW" {
|
||||
itemInfo.Strategy = "accept"
|
||||
} else {
|
||||
itemInfo.Strategy = "drop"
|
||||
}
|
||||
itemInfo.Address = fields[3]
|
||||
|
||||
return itemInfo
|
||||
}
|
||||
Reference in New Issue
Block a user