feat: support iptables firewall

agent/app/api/v2/entry.go

@@ -38,6 +38,7 @@ var (
 	fileService     = service.NewIFileService()
 	sshService      = service.NewISSHService()
 	firewallService = service.NewIFirewallService()
+	iptablesService = service.NewIIptablesService()
 	monitorService  = service.NewIMonitorService()
 	systemService   = service.NewISystemService()
 

agent/app/api/v2/firewall.go

@@ -8,12 +8,19 @@ import (
 
 // @Tags Firewall
 // @Summary Load firewall base info
+// @Accept json
+// @Param request body dto.OperationWithName true "request"
 // @Success 200 {object} dto.FirewallBaseInfo
 // @Security ApiKeyAuth
 // @Security Timestamp
-// @Router /hosts/firewall/base [get]
+// @Router /hosts/firewall/base [post]
 func (b *BaseApi) LoadFirewallBaseInfo(c *gin.Context) {
-	data, err := firewallService.LoadBaseInfo()
+	var req dto.OperationWithName
+	if err := helper.CheckBindAndValidate(&req, c); err != nil {
+		return
+	}
+
+	data, err := firewallService.LoadBaseInfo(req.Name)
 	if err != nil {
 		helper.InternalServer(c, err)
 		return
@@ -221,3 +228,112 @@ func (b *BaseApi) UpdateAddrRule(c *gin.Context) {
 	}
 	helper.Success(c)
 }
+
+// @Tags Firewall
+// @Summary search iptables filter rules
+// @Accept json
+// @Param request body dto.SearchPageWithType true "request"
+// @Success 200 {object} dto.PageResult
+// @Security ApiKeyAuth
+// @Security Timestamp
+// @Router /hosts/firewall/filter/search [post]
+func (b *BaseApi) SearchFilterRules(c *gin.Context) {
+	var req dto.SearchPageWithType
+	if err := helper.CheckBindAndValidate(&req, c); err != nil {
+		return
+	}
+
+	total, list, err := iptablesService.Search(req)
+	if err != nil {
+		helper.InternalServer(c, err)
+		return
+	}
+
+	helper.SuccessWithData(c, dto.PageResult{
+		Items: list,
+		Total: total,
+	})
+}
+
+// @Tags Firewall
+// @Summary Operate iptables filter rule
+// @Accept json
+// @Param request body dto.IptablesRuleOp true "request"
+// @Success 200
+// @Security ApiKeyAuth
+// @Security Timestamp
+// @Router /hosts/firewall/filter/rule/operate [post]
+// @x-panel-log {"bodyKeys":["operation","chain"],"paramKeys":[],"BeforeFunctions":[],"formatZH":"[operation] filter规则到 [chain]","formatEN":"[operation] filter rule to [chain]"}
+func (b *BaseApi) OperateFilterRule(c *gin.Context) {
+	var req dto.IptablesRuleOp
+	if err := helper.CheckBindAndValidate(&req, c); err != nil {
+		return
+	}
+	if err := iptablesService.OperateRule(req); err != nil {
+		helper.InternalServer(c, err)
+		return
+	}
+
+	helper.Success(c)
+}
+
+// @Tags Firewall
+// @Summary Batch operate iptables filter rules
+// @Accept json
+// @Param request body dto.IptablesBatchOperate true "request"
+// @Success 200
+// @Security ApiKeyAuth
+// @Security Timestamp
+// @Router /hosts/firewall/filter/rule/batch [post]
+func (b *BaseApi) BatchOperateFilterRule(c *gin.Context) {
+	var req dto.IptablesBatchOperate
+	if err := helper.CheckBindAndValidate(&req, c); err != nil {
+		return
+	}
+
+	if err := iptablesService.BatchOperate(req); err != nil {
+		helper.InternalServer(c, err)
+		return
+	}
+
+	helper.Success(c)
+}
+
+// @Tags Firewall
+// @Summary Apply/Unload/Init iptables filter
+// @Accept json
+// @Param request body dto.IptablesOp true "request"
+// @Success 200
+// @Security ApiKeyAuth
+// @Security Timestamp
+// @Router /hosts/firewall/filter/operate [post]
+// @x-panel-log {"bodyKeys":["operate"],"paramKeys":[],"BeforeFunctions":[],"formatZH":"[operate] iptables filter 防火墙","formatEN":"[operate] iptables filter firewall"}
+func (b *BaseApi) OperateFilterChain(c *gin.Context) {
+	var req dto.IptablesOp
+	if err := helper.CheckBindAndValidate(&req, c); err != nil {
+		return
+	}
+	if err := iptablesService.Operate(req); err != nil {
+		helper.InternalServer(c, err)
+		return
+	}
+
+	helper.Success(c)
+}
+
+// @Tags Firewall
+// @Summary load chain status with name
+// @Accept json
+// @Param request body dto.OperationWithName true "request"
+// @Success 200
+// @Security ApiKeyAuth
+// @Security Timestamp
+// @Router /hosts/firewall/filter/chain/status [post]
+func (b *BaseApi) LoadChainStatus(c *gin.Context) {
+	var req dto.OperationWithName
+	if err := helper.CheckBindAndValidate(&req, c); err != nil {
+		return
+	}
+
+	helper.SuccessWithData(c, iptablesService.LoadChainStatus(req))
+}

agent/app/dto/firewall.go

@@ -4,6 +4,8 @@ type FirewallBaseInfo struct {
 	Name       string `json:"name"`
 	IsExist    bool   `json:"isExist"`
 	IsActive   bool   `json:"isActive"`
+	IsInit     bool   `json:"isInit"`
+	IsBind     bool   `json:"isBind"`
 	Version    string `json:"version"`
 	PingStatus string `json:"pingStatus"`
 }
@@ -22,6 +24,7 @@ type FirewallOperation struct {
 }
 
 type PortRuleOperate struct {
+	ID        uint   `json:"id"`
 	Operation string `json:"operation" validate:"required,oneof=add remove"`
 	Address   string `json:"address"`
 	Port      string `json:"port" validate:"required"`
@@ -55,6 +58,7 @@ type UpdateFirewallDescription struct {
 }
 
 type AddrRuleOperate struct {
+	ID        uint   `json:"id"`
 	Operation string `json:"operation" validate:"required,oneof=add remove"`
 	Address   string `json:"address"  validate:"required"`
 	Strategy  string `json:"strategy" validate:"required,oneof=accept drop"`
@@ -76,3 +80,30 @@ type BatchRuleOperate struct {
 	Type  string            `json:"type" validate:"required"`
 	Rules []PortRuleOperate `json:"rules"`
 }
+
+type IptablesOp struct {
+	Name    string `json:"name" validate:"required,oneof=1PANEL_INPUT 1PANEL_OUTPUT 1PANEL_BASIC"`
+	Operate string `json:"operate" validate:"required,oneof=init-base init-forward init-advance bind-base unbind-base bind unbind"`
+}
+
+type IptablesRuleOp struct {
+	Operation   string `json:"operation" validate:"required,oneof=add remove"`
+	ID          uint   `json:"id"`
+	Chain       string `json:"chain" validate:"required,oneof=1PANEL_INPUT 1PANEL_OUTPUT"`
+	Protocol    string `json:"protocol"`
+	SrcIP       string `json:"srcIP"`
+	SrcPort     uint   `json:"srcPort"`
+	DstIP       string `json:"dstIP"`
+	DstPort     uint   `json:"dstPort"`
+	Strategy    string `json:"strategy" validate:"required,oneof=ACCEPT DROP REJECT"`
+	Description string `json:"description"`
+}
+
+type IptablesBatchOperate struct {
+	Rules []IptablesRuleOp `json:"rules"`
+}
+
+type IptablesChainStatus struct {
+	IsBind          bool   `json:"isBind"`
+	DefaultStrategy string `json:"defaultStrategy"`
+}

agent/app/model/firewall.go

@@ -3,20 +3,16 @@ package model
 type Firewall struct {
 	BaseModel
 
-	Type        string `gorm:"not null" json:"type"`
-	Port        string `gorm:"not null" json:"port"`
-	Protocol    string `gorm:"not null" json:"protocol"`
-	Address     string `gorm:"not null" json:"address"`
-	Strategy    string `gorm:"not null" json:"strategy"`
-	Description string `gorm:"not null" json:"description"`
-}
+	Type    string `json:"type"`
+	Port    string `json:"port"`    // Deprecated
+	Address string `json:"address"` // Deprecated
 
-type Forward struct {
-	BaseModel
-
-	Protocol   string `gorm:"not null" json:"protocol"`
-	Port       string `gorm:"not null" json:"port"`
-	TargetIP   string `gorm:"not null" json:"targetIP"`
-	TargetPort string `gorm:"not null" json:"targetPort"`
-	Interface  string `json:"interface"`
+	Chain       string `json:"chain"`
+	Protocol    string `json:"protocol"`
+	SrcIP       string `json:"srcIP"`
+	SrcPort     string `json:"srcPort"`
+	DstIP       string `json:"dstIP"`
+	DstPort     string `json:"dstPort"`
+	Strategy    string `gorm:"not null" json:"strategy"`
+	Description string `json:"description"`
 }

agent/app/repo/host.go

@@ -4,16 +4,16 @@ import (
 	"github.com/1Panel-dev/1Panel/agent/app/model"
 	"github.com/1Panel-dev/1Panel/agent/global"
 	"github.com/1Panel-dev/1Panel/agent/utils/encrypt"
+	"gorm.io/gorm"
 )
 
 type HostRepo struct{}
 
 type IHostRepo interface {
 	GetFirewallRecord(opts ...DBOption) (model.Firewall, error)
-	ListFirewallRecord() ([]model.Firewall, error)
+	ListFirewallRecord(opts ...DBOption) ([]model.Firewall, error)
 	SaveFirewallRecord(firewall *model.Firewall) error
 	DeleteFirewallRecordByID(id uint) error
-	DeleteFirewallRecord(fType, port, protocol, address, strategy string) error
 
 	SyncCert(data []model.RootCert) error
 	GetCert(opts ...DBOption) (model.RootCert, error)
@@ -22,6 +22,8 @@ type IHostRepo interface {
 	SaveCert(cert *model.RootCert) error
 	UpdateCert(id uint, vars map[string]interface{}) error
 	DeleteCert(opts ...DBOption) error
+
+	WithByChain(chain string) DBOption
 }
 
 func NewIHostRepo() IHostRepo {
@@ -38,12 +40,16 @@ func (h *HostRepo) GetFirewallRecord(opts ...DBOption) (model.Firewall, error) {
 	return firewall, err
 }
 
-func (h *HostRepo) ListFirewallRecord() ([]model.Firewall, error) {
-	var datas []model.Firewall
-	if err := global.DB.Find(&datas).Error; err != nil {
-		return datas, nil
+func (h *HostRepo) ListFirewallRecord(opts ...DBOption) ([]model.Firewall, error) {
+	var firewalls []model.Firewall
+	db := global.DB
+	for _, opt := range opts {
+		db = opt(db)
+	}
+	if err := global.DB.Find(&firewalls).Error; err != nil {
+		return firewalls, nil
 	}
-	return datas, nil
+	return firewalls, nil
 }
 
 func (h *HostRepo) SaveFirewallRecord(firewall *model.Firewall) error {
@@ -52,12 +58,12 @@ func (h *HostRepo) SaveFirewallRecord(firewall *model.Firewall) error {
 	}
 	var data model.Firewall
 	if firewall.Type == "port" {
-		_ = global.DB.Where("type = ? AND port = ? AND protocol = ? AND address = ? AND strategy = ?", "port", firewall.Port, firewall.Protocol, firewall.Address, firewall.Strategy).First(&data)
+		_ = global.DB.Where("type = ? AND dst_port = ? AND protocol = ? AND src_ip = ? AND strategy = ?", "port", firewall.DstPort, firewall.Protocol, firewall.SrcIP, firewall.Strategy).First(&data)
 		if data.ID != 0 {
 			firewall.ID = data.ID
 		}
 	} else {
-		_ = global.DB.Where("type = ? AND address = ? AND strategy = ?", "address", firewall.Address, firewall.Strategy).First(&data)
+		_ = global.DB.Where("type = ? AND src_ip = ? AND strategy = ?", "address", firewall.SrcIP, firewall.Strategy).First(&data)
 		if data.ID != 0 {
 			firewall.ID = data.ID
 		}
@@ -69,10 +75,6 @@ func (h *HostRepo) DeleteFirewallRecordByID(id uint) error {
 	return global.DB.Where("id = ?", id).Delete(&model.Firewall{}).Error
 }
 
-func (h *HostRepo) DeleteFirewallRecord(fType, port, protocol, address, strategy string) error {
-	return global.DB.Where("type = ? AND port = ? AND protocol = ? AND address = ? AND strategy = ?", fType, port, protocol, address, strategy).Delete(&model.Firewall{}).Error
-}
-
 func (u *HostRepo) GetCert(opts ...DBOption) (model.RootCert, error) {
 	var cert model.RootCert
 	db := global.DB
@@ -151,3 +153,9 @@ func (u *HostRepo) SyncCert(data []model.RootCert) error {
 	tx.Commit()
 	return nil
 }
+
+func (u *HostRepo) WithByChain(chain string) DBOption {
+	return func(g *gorm.DB) *gorm.DB {
+		return g.Where("chain = ?", chain)
+	}
+}