1Panel-dev/1Panel
1
1
Fork 0
mirror of https://github.com/1Panel-dev/1Panel.git synced 2025-12-19 05:49:02 +08:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix: enhance ping status and update logic in firewall service (#10920)

Browse source 
* fix: Update ping status check method

* fix: Enhance ping status update logic and support for alternative sysctl configuration path
This commit is contained in:
KOMATA 2025-11-11 22:20:09 +08:00 committed by GitHub
parent 02d22ba63f
commit ffc81ea85a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 63 additions and 22 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

85
agent/app/service/firewall.go
View file

@ -24,6 +24,7 @@ import (
) )
const confPath = "/etc/sysctl.conf" const confPath = "/etc/sysctl.conf"
const panelSysctlPath = "/etc/sysctl.d/98-onepanel.conf"
type FirewallService struct{} type FirewallService struct{}
@ -592,61 +593,101 @@ func (u *FirewallService) cleanUnUsedData(client firewall.FirewallClient) {
_ = hostRepo.DeleteFirewallRecordByID(record.ID) _ = hostRepo.DeleteFirewallRecordByID(record.ID)
} }
} }
func (u *FirewallService) pingStatus() string { func (u *FirewallService) pingStatus() string {
if _, err := os.Stat("/etc/sysctl.conf"); err != nil { data, err := os.ReadFile("/proc/sys/net/ipv4/icmp_echo_ignore_all")
if err != nil {
return constant.StatusNone return constant.StatusNone
} }
stdout, _ := cmd.RunDefaultWithStdoutBashCf("%s sysctl -a 2>/dev/null | grep 'net.ipv4.icmp.echo_ignore_all'", cmd.SudoHandleCmd()) v6Data, v6err := os.ReadFile("/proc/sys/net/ipv6/icmp/echo_ignore_all")
if stdout == "net.ipv4.icmp_echo_ignore_all = 1\n" { if v6err != nil {
return constant.StatusEnable if strings.TrimSpace(string(data)) == "1" {
return constant.StatusEnable
}
return constant.StatusDisable
} else {
if strings.TrimSpace(string(data)) == "1" && strings.TrimSpace(string(v6Data)) == "1" {
return constant.StatusEnable
}
return constant.StatusDisable
} }
return constant.StatusDisable
} }
func (u *FirewallService) updatePingStatus(enable string) error { func (u *FirewallService) updatePingStatus(enable string) error {
lineBytes, err := os.ReadFile(confPath) var targetPath string
if err != nil { var applyCmd string
return err
if _, err := os.Stat(confPath); os.IsNotExist(err) {
// Debian 13
targetPath = panelSysctlPath
applyCmd = fmt.Sprintf("%s sysctl --system", cmd.SudoHandleCmd())
if err := cmd.RunDefaultBashCf("%s mkdir -p /etc/sysctl.d", cmd.SudoHandleCmd()); err != nil {
return fmt.Errorf("failed to create directory /etc/sysctl.d: %v", err)
}
} else {
targetPath = confPath
applyCmd = fmt.Sprintf("%s sysctl -p", cmd.SudoHandleCmd())
} }
files := strings.Split(string(lineBytes), "\n")
var newFiles []string lineBytes, err := os.ReadFile(targetPath)
if err != nil && !os.IsNotExist(err) {
return fmt.Errorf("failed to read %s: %v", targetPath, err)
}
if err := cmd.RunDefaultBashCf("echo %s | %s tee /proc/sys/net/ipv4/icmp_echo_ignore_all > /dev/null", enable, cmd.SudoHandleCmd()); err != nil {
return fmt.Errorf("failed to apply ipv4 ping status temporarily: %v", err)
}
var hasIpv6 bool var hasIpv6 bool
ipv6Status, _ := cmd.RunDefaultWithStdoutBashC("sysctl -a 2>/dev/null | grep 'net.ipv6.icmp.echo_ignore_all'") if _, err := os.Stat("/proc/sys/net/ipv6/icmp/echo_ignore_all"); err == nil {
if len(strings.ReplaceAll(ipv6Status, "\n", "")) != 0 {
hasIpv6 = true hasIpv6 = true
if err := cmd.RunDefaultBashCf("echo %s | %s tee /proc/sys/net/ipv6/icmp/echo_ignore_all > /dev/null", enable, cmd.SudoHandleCmd()); err != nil {
global.LOG.Warnf("failed to apply ipv6 ping status temporarily: %v", err)
}
} }
var files []string
if err == nil {
files = strings.Split(string(lineBytes), "\n")
}
var newFiles []string
hasIPv4Line, hasIPv6Line := false, false hasIPv4Line, hasIPv6Line := false, false
for _, line := range files { for _, line := range files {
if strings.Contains(line, "net/ipv4/icmp_echo_ignore_all") || strings.Contains(line, "net.ipv4.icmp_echo_ignore_all") { if strings.HasPrefix(strings.TrimSpace(line), "net.ipv4.icmp_echo_ignore_all") {
newFiles = append(newFiles, "net.ipv4.icmp_echo_ignore_all="+enable) newFiles = append(newFiles, "net.ipv4.icmp_echo_ignore_all="+enable)
hasIPv4Line = true hasIPv4Line = true
continue continue
} }
if hasIpv6 && strings.Contains(line, "net/ipv6/icmp/echo_ignore_all") || strings.Contains(line, "net.ipv6.icmp.echo_ignore_all") { if strings.HasPrefix(strings.TrimSpace(line), "net.ipv6.icmp.echo_ignore_all") {
newFiles = append(newFiles, "net.ipv6.icmp.echo_ignore_all="+enable) newFiles = append(newFiles, "net.ipv6.icmp.echo_ignore_all="+enable)
hasIPv6Line = true hasIPv6Line = true
continue continue
} }
newFiles = append(newFiles, line) newFiles = append(newFiles, line)
} }
if !hasIPv4Line { if !hasIPv4Line {
newFiles = append(newFiles, "net.ipv4.icmp_echo_ignore_all="+enable) newFiles = append(newFiles, "net.ipv4.icmp_echo_ignore_all="+enable)
} }
if !hasIPv6Line { if hasIpv6 && !hasIPv6Line {
newFiles = append(newFiles, "net.ipv6.icmp.echo_ignore_all="+enable) newFiles = append(newFiles, "net.ipv6.icmp.echo_ignore_all="+enable)
} }
file, err := os.OpenFile(confPath, os.O_WRONLY|os.O_TRUNC, constant.FilePerm)
file, err := os.OpenFile(targetPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, constant.FilePerm)
if err != nil { if err != nil {
return err return fmt.Errorf("failed to open %s: %v", targetPath, err)
} }
defer file.Close() defer file.Close()
_, err = file.WriteString(strings.Join(newFiles, "\n"))
if err != nil { if _, err = file.WriteString(strings.Join(newFiles, "\n")); err != nil {
return err return fmt.Errorf("failed to write to %s: %v", targetPath, err)
} }
if err := cmd.RunDefaultBashCf("%s sysctl -p", cmd.SudoHandleCmd()); err != nil { if err := cmd.RunDefaultBashCf(applyCmd); err != nil {
return fmt.Errorf("update ping status failed, %v", err) global.LOG.Warnf("failed to apply persistent config with '%s': %v", applyCmd, err)
} }
return nil return nil