1Panel-dev/1Panel
1
1
Fork 0
mirror of https://github.com/1Panel-dev/1Panel.git synced 2025-12-19 05:49:02 +08:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix: Fix iptables state persistence issue (#11137)

Browse source 
Refs #11126
This commit is contained in:
ssongliu 2025-12-01 14:33:38 +08:00 committed by GitHub
parent 5cede39e5c
commit 94f7d78cc9
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 120 additions and 43 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

24
agent/app/service/iptables.go
View file

@ -8,6 +8,7 @@ import (
"github.com/1Panel-dev/1Panel/agent/app/dto" "github.com/1Panel-dev/1Panel/agent/app/dto"
"github.com/1Panel-dev/1Panel/agent/app/model" "github.com/1Panel-dev/1Panel/agent/app/model"
"github.com/1Panel-dev/1Panel/agent/constant"
"github.com/1Panel-dev/1Panel/agent/global" "github.com/1Panel-dev/1Panel/agent/global"
"github.com/1Panel-dev/1Panel/agent/utils/cmd" "github.com/1Panel-dev/1Panel/agent/utils/cmd"
"github.com/1Panel-dev/1Panel/agent/utils/firewall/client" "github.com/1Panel-dev/1Panel/agent/utils/firewall/client"
@ -189,9 +190,14 @@ func (s *IptablesService) Operate(req dto.IptablesOp) error {
if err := iptables.SaveRulesToFile(iptables.FilterTab, iptables.Chain1PanelBasicAfter, iptables.BasicAfterFileName); err != nil { if err := iptables.SaveRulesToFile(iptables.FilterTab, iptables.Chain1PanelBasicAfter, iptables.BasicAfterFileName); err != nil {
return err return err
} }
_ = settingRepo.Update("IptablesStatus", constant.StatusEnable)
return nil return nil
case "init-forward": case "init-forward":
return client.EnableIptablesForward() if err := client.EnableIptablesForward(); err != nil {
return err
}
_ = settingRepo.Update("IptablesForwardStatus", constant.StatusEnable)
return nil
case "init-advance": case "init-advance":
if err := iptables.AddChain(iptables.FilterTab, iptables.Chain1PanelInput); err != nil { if err := iptables.AddChain(iptables.FilterTab, iptables.Chain1PanelInput); err != nil {
return err return err
@ -206,6 +212,8 @@ func (s *IptablesService) Operate(req dto.IptablesOp) error {
if err := iptables.BindChain(iptables.FilterTab, iptables.ChainInput, iptables.Chain1PanelInput, number); err != nil { if err := iptables.BindChain(iptables.FilterTab, iptables.ChainInput, iptables.Chain1PanelInput, number); err != nil {
return err return err
} }
_ = settingRepo.Update("IptablesInputStatus", constant.StatusEnable)
_ = settingRepo.Update("IptablesOutputStatus", constant.StatusEnable)
return nil return nil
case "bind-base": case "bind-base":
if err := initPreRules(); err != nil { if err := initPreRules(); err != nil {
@ -220,6 +228,7 @@ func (s *IptablesService) Operate(req dto.IptablesOp) error {
if err := iptables.BindChain(iptables.FilterTab, iptables.ChainInput, iptables.Chain1PanelBasicAfter, 3); err != nil { if err := iptables.BindChain(iptables.FilterTab, iptables.ChainInput, iptables.Chain1PanelBasicAfter, 3); err != nil {
return err return err
} }
_ = settingRepo.Update("IptablesStatus", constant.StatusEnable)
return nil return nil
case "unbind-base": case "unbind-base":
if err := iptables.UnbindChain(iptables.FilterTab, iptables.ChainInput, iptables.Chain1PanelBasicAfter); err != nil { if err := iptables.UnbindChain(iptables.FilterTab, iptables.ChainInput, iptables.Chain1PanelBasicAfter); err != nil {
@ -231,16 +240,29 @@ func (s *IptablesService) Operate(req dto.IptablesOp) error {
if err := iptables.UnbindChain(iptables.FilterTab, iptables.ChainInput, iptables.Chain1PanelBasic); err != nil { if err := iptables.UnbindChain(iptables.FilterTab, iptables.ChainInput, iptables.Chain1PanelBasic); err != nil {
return err return err
} }
_ = settingRepo.Update("IptablesStatus", constant.StatusDisable)
return nil return nil
case "bind": case "bind":
if err := iptables.BindChain(iptables.FilterTab, targetChain, req.Name, loadBindNumber(req.Name)); err != nil { if err := iptables.BindChain(iptables.FilterTab, targetChain, req.Name, loadBindNumber(req.Name)); err != nil {
return err return err
} }
if req.Name == iptables.Chain1PanelInput {
_ = settingRepo.Update("IptablesInputStatus", constant.StatusEnable)
}
if req.Name == iptables.Chain1PanelOutput {
_ = settingRepo.Update("IptablesOutputStatus", constant.StatusEnable)
}
return nil return nil
case "unbind": case "unbind":
if err := iptables.UnbindChain(iptables.FilterTab, targetChain, req.Name); err != nil { if err := iptables.UnbindChain(iptables.FilterTab, targetChain, req.Name); err != nil {
return err return err
} }
if req.Name == iptables.Chain1PanelInput {
_ = settingRepo.Update("IptablesInputStatus", constant.StatusDisable)
}
if req.Name == iptables.Chain1PanelOutput {
_ = settingRepo.Update("IptablesOutputStatus", constant.StatusDisable)
}
return nil return nil
} }
return nil return nil

119
agent/init/firewall/firewall.go
View file

@ -2,9 +2,12 @@ package firewall
import ( import (
"fmt" "fmt"
"os"
"github.com/1Panel-dev/1Panel/agent/app/dto" "github.com/1Panel-dev/1Panel/agent/app/dto"
"github.com/1Panel-dev/1Panel/agent/app/repo"
"github.com/1Panel-dev/1Panel/agent/app/service" "github.com/1Panel-dev/1Panel/agent/app/service"
"github.com/1Panel-dev/1Panel/agent/constant"
"github.com/1Panel-dev/1Panel/agent/global" "github.com/1Panel-dev/1Panel/agent/global"
"github.com/1Panel-dev/1Panel/agent/utils/firewall" "github.com/1Panel-dev/1Panel/agent/utils/firewall"
firewallClient "github.com/1Panel-dev/1Panel/agent/utils/firewall/client" firewallClient "github.com/1Panel-dev/1Panel/agent/utils/firewall/client"
@ -12,11 +15,17 @@ import (
) )
func Init() { func Init() {
if !needInit() {
return
}
global.LOG.Info("initializing firewall settings...")
client, err := firewall.NewFirewallClient() client, err := firewall.NewFirewallClient()
if err != nil { if err != nil {
return return
} }
clientName := client.Name() clientName := client.Name()
settingRepo := repo.NewISettingRepo()
if clientName == "ufw" || clientName == "iptables" { if clientName == "ufw" || clientName == "iptables" {
if err := iptables.LoadRulesFromFile(iptables.FilterTab, iptables.Chain1PanelForward, iptables.ForwardFileName); err != nil { if err := iptables.LoadRulesFromFile(iptables.FilterTab, iptables.Chain1PanelForward, iptables.ForwardFileName); err != nil {
global.LOG.Errorf("load forward rules from file failed, err: %v", err) global.LOG.Errorf("load forward rules from file failed, err: %v", err)
@ -30,12 +39,17 @@ func Init() {
global.LOG.Errorf("load postrouting rules from file failed, err: %v", err) global.LOG.Errorf("load postrouting rules from file failed, err: %v", err)
return return
} }
if err := firewallClient.EnableIptablesForward(); err != nil {
global.LOG.Errorf("enable iptables forward failed, err: %v", err)
return
}
global.LOG.Infof("loaded iptables rules for forward from file successfully") global.LOG.Infof("loaded iptables rules for forward from file successfully")
iptablesForwardStatus, _ := settingRepo.GetValueByKey("IptablesForwardStatus")
if iptablesForwardStatus == constant.StatusEnable {
if err := firewallClient.EnableIptablesForward(); err != nil {
global.LOG.Errorf("enable iptables forward failed, err: %v", err)
return
}
}
} }
if clientName == "ufw" { if clientName == "ufw" {
_ = iptables.UnbindChain(iptables.FilterTab, iptables.ChainInput, iptables.Chain1PanelBasicAfter) _ = iptables.UnbindChain(iptables.FilterTab, iptables.ChainInput, iptables.Chain1PanelBasicAfter)
_ = iptables.UnbindChain(iptables.FilterTab, iptables.ChainInput, iptables.Chain1PanelBasicBefore) _ = iptables.UnbindChain(iptables.FilterTab, iptables.ChainInput, iptables.Chain1PanelBasicBefore)
@ -43,52 +57,73 @@ func Init() {
_ = iptables.UnbindChain(iptables.FilterTab, iptables.ChainInput, iptables.Chain1PanelInput) _ = iptables.UnbindChain(iptables.FilterTab, iptables.ChainInput, iptables.Chain1PanelInput)
_ = iptables.UnbindChain(iptables.FilterTab, iptables.ChainOutput, iptables.Chain1PanelOutput) _ = iptables.UnbindChain(iptables.FilterTab, iptables.ChainOutput, iptables.Chain1PanelOutput)
} }
if clientName == "iptables" {
if err := iptables.LoadRulesFromFile(iptables.FilterTab, iptables.Chain1PanelBasicBefore, iptables.BasicBeforeFileName); err != nil {
global.LOG.Errorf("load basic before rules from file failed, err: %v", err)
return
}
if err := iptables.LoadRulesFromFile(iptables.FilterTab, iptables.Chain1PanelBasic, iptables.BasicFileName); err != nil {
global.LOG.Errorf("load basic rules from file failed, err: %v", err)
return
}
if err := iptables.LoadRulesFromFile(iptables.FilterTab, iptables.Chain1PanelBasicAfter, iptables.BasicAfterFileName); err != nil {
global.LOG.Errorf("load basic after rules from file failed, err: %v", err)
return
}
if err := iptables.LoadRulesFromFile(iptables.FilterTab, iptables.Chain1PanelInput, iptables.InputFileName); err != nil {
global.LOG.Errorf("load input rules from file failed, err: %v", err)
return
}
if err := iptables.LoadRulesFromFile(iptables.FilterTab, iptables.Chain1PanelOutput, iptables.OutputFileName); err != nil {
global.LOG.Errorf("load output rules from file failed, err: %v", err)
return
}
global.LOG.Infof("loaded iptables rules for basic, input and output from file successfully")
panelPort := service.LoadPanelPort() if err := iptables.LoadRulesFromFile(iptables.FilterTab, iptables.Chain1PanelBasicBefore, iptables.BasicBeforeFileName); err != nil {
if len(panelPort) == 0 { global.LOG.Errorf("load basic before rules from file failed, err: %v", err)
global.LOG.Errorf("find 1panel service port failed") return
return }
} if err := iptables.LoadRulesFromFile(iptables.FilterTab, iptables.Chain1PanelBasic, iptables.BasicFileName); err != nil {
if err := iptables.AddRule(iptables.FilterTab, iptables.Chain1PanelBasicBefore, fmt.Sprintf("-p tcp -m tcp --dport %v -j ACCEPT", panelPort)); err != nil { global.LOG.Errorf("load basic rules from file failed, err: %v", err)
global.LOG.Errorf("add port accept rule %v failed, err: %v", panelPort, err) return
return }
} if err := iptables.LoadRulesFromFile(iptables.FilterTab, iptables.Chain1PanelBasicAfter, iptables.BasicAfterFileName); err != nil {
global.LOG.Errorf("load basic after rules from file failed, err: %v", err)
iptablesService := service.IptablesService{} return
}
panelPort := service.LoadPanelPort()
if len(panelPort) == 0 {
global.LOG.Errorf("find 1panel service port failed")
return
}
if err := iptables.AddRule(iptables.FilterTab, iptables.Chain1PanelBasicBefore, fmt.Sprintf("-p tcp -m tcp --dport %v -j ACCEPT", panelPort)); err != nil {
global.LOG.Errorf("add port accept rule %v failed, err: %v", panelPort, err)
return
}
global.LOG.Infof("loaded iptables rules for basic from file successfully")
iptablesService := service.IptablesService{}
iptablesStatus, _ := settingRepo.GetValueByKey("IptablesStatus")
if iptablesStatus == constant.StatusEnable {
if err := iptablesService.Operate(dto.IptablesOp{Operate: "bind-base"}); err != nil { if err := iptablesService.Operate(dto.IptablesOp{Operate: "bind-base"}); err != nil {
global.LOG.Errorf("bind base chains failed, err: %v", err) global.LOG.Errorf("bind base chains failed, err: %v", err)
return return
} }
if err := iptablesService.Operate(dto.IptablesOp{Name: iptables.Chain1PanelOutput, Operate: "bind"}); err != nil { }
global.LOG.Errorf("bind output chains failed, err: %v", err)
return if err := iptables.LoadRulesFromFile(iptables.FilterTab, iptables.Chain1PanelInput, iptables.InputFileName); err != nil {
} global.LOG.Errorf("load input rules from file failed, err: %v", err)
return
}
if err := iptables.LoadRulesFromFile(iptables.FilterTab, iptables.Chain1PanelOutput, iptables.OutputFileName); err != nil {
global.LOG.Errorf("load output rules from file failed, err: %v", err)
return
}
global.LOG.Infof("loaded iptables rules for input and output from file successfully")
iptablesInputStatus, _ := settingRepo.GetValueByKey("IptablesInputStatus")
if iptablesInputStatus == constant.StatusEnable {
if err := iptablesService.Operate(dto.IptablesOp{Name: iptables.Chain1PanelInput, Operate: "bind"}); err != nil { if err := iptablesService.Operate(dto.IptablesOp{Name: iptables.Chain1PanelInput, Operate: "bind"}); err != nil {
global.LOG.Errorf("bind input chains failed, err: %v", err) global.LOG.Errorf("bind input chains failed, err: %v", err)
return return
} }
} }
iptablesOutputStatus, _ := settingRepo.GetValueByKey("IptablesOutputStatus")
if iptablesOutputStatus == constant.StatusEnable {
if err := iptablesService.Operate(dto.IptablesOp{Name: iptables.Chain1PanelOutput, Operate: "bind"}); err != nil {
global.LOG.Errorf("bind output chains failed, err: %v", err)
return
}
}
}
func needInit() bool {
file, err := os.OpenFile("/run/1panel_boot_mark", os.O_RDWR|os.O_CREATE|os.O_EXCL, 0644)
if err != nil {
if os.IsExist(err) {
return false
}
global.LOG.Errorf("check boot mark file failed: %v", err)
return true
}
defer file.Close()
fmt.Fprintf(file, "Boot Mark for 1panel\n")
return true
} }

1
agent/init/migration/migrate.go
View file

@ -56,6 +56,7 @@ func InitAgentDB() {
migrations.UpdateDatabase, migrations.UpdateDatabase,
migrations.AddGPUMonitor, migrations.AddGPUMonitor,
migrations.UpdateDatabaseMysql, migrations.UpdateDatabaseMysql,
migrations.InitIptablesStatus,
}) })
if err := m.Migrate(); err != nil { if err := m.Migrate(); err != nil {
global.LOG.Error(err) global.LOG.Error(err)

19
agent/init/migration/migrations/init.go
View file

@ -756,3 +756,22 @@ var UpdateDatabaseMysql = &gormigrate.Migration{
return nil return nil
}, },
} }
var InitIptablesStatus = &gormigrate.Migration{
ID: "20251201-init-iptables-status",
Migrate: func(tx *gorm.DB) error {
if err := tx.Create(&model.Setting{Key: "IptablesStatus", Value: constant.StatusDisable}).Error; err != nil {
return err
}
if err := tx.Create(&model.Setting{Key: "IptablesForwardStatus", Value: constant.StatusDisable}).Error; err != nil {
return err
}
if err := tx.Create(&model.Setting{Key: "IptablesInputStatus", Value: constant.StatusDisable}).Error; err != nil {
return err
}
if err := tx.Create(&model.Setting{Key: "IptablesOutputStatus", Value: constant.StatusDisable}).Error; err != nil {
return err
}
return nil
},
}