fix: move acl from raw to mangle

2025-10-05 16:47:11 +08:00 · 2023-12-27 23:00:44 +08:00
parent 9909380092
commit d5bf8a9064
3 changed files with 62 additions and 103 deletions
--- a/pkg/network/firewall.go
+++ b/pkg/network/firewall.go
@@ -185,38 +185,6 @@ func (f *FireWallGlobal) Refresh() {
 	f.install()
 }

-type FireWallJump struct {
-	lock  sync.Mutex
-	rules IpRules
-}
-
-func (j *FireWallJump) Install(ch IpChain) {
-	j.lock.Lock()
-	defer j.lock.Unlock()
-	r := IpRule{
-		Order: "-I",
-		Table: ch.Table,
-		Chain: ch.From,
-		Jump:  ch.Name,
-	}
-
-	if _, err := r.Opr(r.Order); err != nil {
-		libol.Error("FireWallJump.install %s", err)
-		return
-	}
-	j.rules = j.rules.Add(r)
-}
-
-func (j *FireWallJump) Cancel() {
-	j.lock.Lock()
-	defer j.lock.Unlock()
-	for _, r := range j.rules {
-		if _, err := r.Opr("-D"); err != nil {
-			libol.Warn("FireWallJump.cancel %s", err)
-		}
-	}
-}
-
 type FireWallChain struct {
 	lock   sync.Mutex
 	name   string
@@ -233,28 +201,31 @@ func NewFireWallChain(name, table, parent string) *FireWallChain {
 	}
 }

-func (ch *FireWallChain) new() {
-	c := ch.Chain()
-	if _, err := c.Opr("-N"); err != nil {
-		libol.Error("FireWallChain.new %s", err)
-	}
-}
-
-func (ch *FireWallChain) free() {
-	c := ch.Chain()
-	if _, err := c.Opr("-X"); err != nil {
-		libol.Error("FireWallChain.free %s", err)
-	}
-}
-
 func (ch *FireWallChain) Chain() IpChain {
+	name := ch.name
+	if ch.parent != "" {
+		name = ch.parent + "-" + ch.name
+	}
+	if len(name) > 28 {
+		name = name[:28]
+	}
 	return IpChain{
 		Table: ch.table,
-		Name:  ch.parent + "-" + ch.name,
+		Name:  name,
 		From:  ch.parent,
 	}
 }

+func (ch *FireWallChain) Jump() IpRule {
+	c := ch.Chain()
+	return IpRule{
+		Order: "-I",
+		Table: c.Table,
+		Chain: c.From,
+		Jump:  c.Name,
+	}
+}
+
 func (ch *FireWallChain) AddRule(rule IpRule) {
 	chain := ch.Chain()
 	rule.Table = chain.Table
@@ -265,7 +236,12 @@ func (ch *FireWallChain) AddRule(rule IpRule) {
 func (ch *FireWallChain) Install() {
 	ch.lock.Lock()
 	defer ch.lock.Unlock()
-	ch.new()
+
+	c := ch.Chain()
+	if _, err := c.Opr("-N"); err != nil {
+		libol.Error("FireWallChain.new %s", err)
+	}
+
 	for _, r := range ch.rules {
 		order := r.Order
 		if order == "" {
@@ -275,17 +251,35 @@ func (ch *FireWallChain) Install() {
 			libol.Error("FireWallChain.install %s", err)
 		}
 	}
+
+	j := ch.Jump()
+	if j.Chain != "" {
+		if _, err := j.Opr(j.Order); err != nil {
+			libol.Error("FireWallChain.new %s", err)
+		}
+	}
 }

 func (ch *FireWallChain) Cancel() {
 	ch.lock.Lock()
 	defer ch.lock.Unlock()
-	for _, c := range ch.rules {
-		if _, err := c.Opr("-D"); err != nil {
+
+	j := ch.Jump()
+	if j.Chain != "" {
+		if _, err := j.Opr("-D"); err != nil {
+			libol.Error("FireWallChain.cancel %s", err)
+		}
+	}
+	for _, r := range ch.rules {
+		if _, err := r.Opr("-D"); err != nil {
 			libol.Warn("FireWall.cancel %s", err)
 		}
 	}
-	ch.free()
+
+	c := ch.Chain()
+	if _, err := c.Opr("-X"); err != nil {
+		libol.Error("FireWallChain.free %s", err)
+	}
 }

 type FireWallFilter struct {
@@ -293,7 +287,6 @@ type FireWallFilter struct {
 	In   *FireWallChain
 	Out  *FireWallChain
 	For  *FireWallChain
-	Jump *FireWallJump
 }

 func NewFireWallFilter(name string) *FireWallFilter {
@@ -301,7 +294,6 @@ func NewFireWallFilter(name string) *FireWallFilter {
 		In:  NewFireWallChain(name, TFilter, OLCInput),
 		For: NewFireWallChain(name, TFilter, OLCForward),
 		Out: NewFireWallChain(name, TFilter, OLCOutput),
-		Jump: &FireWallJump{},
 	}
 }

@@ -310,16 +302,9 @@ func (f *FireWallFilter) Install() {
 	f.In.Install()
 	f.For.Install()
 	f.Out.Install()
-
-	// Add Jump Rules
-	f.Jump.Install(f.In.Chain())
-	f.Jump.Install(f.For.Chain())
-	f.Jump.Install(f.Out.Chain())
 }

 func (f *FireWallFilter) Cancel() {
-	// Remove Jump Rules
-	f.Jump.Cancel()
 	// Cancel Chain Rules
 	f.In.Cancel()
 	f.For.Cancel()
@@ -344,7 +329,6 @@ type FireWallNAT struct {
 	In   *FireWallChain
 	Out  *FireWallChain
 	Post *FireWallChain
-	Jump *FireWallJump
 }

 func NewFireWallNAT(name string) *FireWallNAT {
@@ -353,7 +337,6 @@ func NewFireWallNAT(name string) *FireWallNAT {
 		In:   NewFireWallChain(name, TNat, OLCInput),
 		Out:  NewFireWallChain(name, TNat, OLCOutput),
 		Post: NewFireWallChain(name, TNat, OLCPost),
-		Jump: &FireWallJump{},
 	}
 }

@@ -363,17 +346,9 @@ func (n *FireWallNAT) Install() {
 	n.In.Install()
 	n.Out.Install()
 	n.Post.Install()
-
-	// Add Jump Rules
-	n.Jump.Install(n.Pre.Chain())
-	n.Jump.Install(n.In.Chain())
-	n.Jump.Install(n.Out.Chain())
-	n.Jump.Install(n.Post.Chain())
 }

 func (n *FireWallNAT) Cancel() {
-	// Remove Jump Rules
-	n.Jump.Cancel()
 	// Cancel Chain Rules
 	n.Pre.Cancel()
 	n.In.Cancel()
@@ -388,7 +363,6 @@ type FireWallMangle struct {
 	For  *FireWallChain
 	Out  *FireWallChain
 	Post *FireWallChain
-	Jump *FireWallJump
 }

 func NewFireWallMangle(name string) *FireWallMangle {
@@ -398,7 +372,6 @@ func NewFireWallMangle(name string) *FireWallMangle {
 		For:  NewFireWallChain(name, TMangle, OLCForward),
 		Out:  NewFireWallChain(name, TMangle, OLCOutput),
 		Post: NewFireWallChain(name, TMangle, OLCPost),
-		Jump: &FireWallJump{},
 	}
 }

@@ -409,18 +382,9 @@ func (m *FireWallMangle) Install() {
 	m.For.Install()
 	m.Out.Install()
 	m.Post.Install()
-
-	// Add Jump Rules
-	m.Jump.Install(m.Pre.Chain())
-	m.Jump.Install(m.In.Chain())
-	m.Jump.Install(m.For.Chain())
-	m.Jump.Install(m.Out.Chain())
-	m.Jump.Install(m.Post.Chain())
 }

 func (m *FireWallMangle) Cancel() {
-	// Remove Jump Rules
-	m.Jump.Cancel()
 	// Cancel Chain Rules
 	m.Pre.Cancel()
 	m.In.Cancel()
@@ -433,29 +397,21 @@ type FireWallRaw struct {
 	name string
 	Pre  *FireWallChain
 	Out  *FireWallChain
-	Jump *FireWallJump
 }

 func NewFireWallRaw(name string) *FireWallRaw {
 	return &FireWallRaw{
 		Pre: NewFireWallChain(name, TRaw, OLCPre),
 		Out: NewFireWallChain(name, TRaw, OLCOutput),
-		Jump: &FireWallJump{},
 	}
 }
 func (r *FireWallRaw) Install() {
 	// Install Chain Rules
 	r.Pre.Install()
 	r.Out.Install()
-
-	// Add Jump Rules
-	r.Jump.Install(r.Pre.Chain())
-	r.Jump.Install(r.Out.Chain())
 }

 func (r *FireWallRaw) Cancel() {
-	// Remove Jump Rules
-	r.Jump.Cancel()
 	// Cancel Chain Rules
 	r.Pre.Cancel()
 	r.Out.Cancel()
--- a/pkg/switch/network.go
+++ b/pkg/switch/network.go
@@ -193,7 +193,7 @@ func (w *WorkerImpl) Start(v api.Switcher) {

 	w.out.Info("WorkerImpl.Start")
 	if cfg.Acl != "" {
-		fire.Raw.Pre.AddRule(cn.IpRule{
+		fire.Mangle.Pre.AddRule(cn.IpRule{
 			Input: cfg.Bridge.Name,
 			Jump:  cfg.Acl,
 		})
@@ -336,7 +336,7 @@ func (w *WorkerImpl) toACL(acl, input string) {
 		return
 	}
 	if acl != "" {
-		w.fire.Raw.Pre.AddRule(cn.IpRule{
+		w.fire.Mangle.Pre.AddRule(cn.IpRule{
 			Input: input,
 			Jump:  acl,
 		})
--- a/pkg/switch/switch.go
+++ b/pkg/switch/switch.go
@@ -102,6 +102,7 @@ type Switch struct {
 	out     *libol.SubLogger
 	confd   *ConfD
 	l2tp    *L2TP
+	acls    []*network.FireWallChain
 }

 func NewSwitch(c *co.Switch) *Switch {
@@ -179,14 +180,9 @@ func (v *Switch) loadACLs() {
 		if acl.Name == "" {
 			continue
 		}
-		v.fire.AddChain(network.IpChain{
-			Table: network.TRaw,
-			Name:  acl.Name,
-		})
+		chain := network.NewFireWallChain(acl.Name, network.TMangle, "")
 		for _, rule := range acl.Rules {
-			v.fire.AddRule(network.IpRule{
-				Table:   network.TRaw,
-				Chain:   acl.Name,
+			chain.AddRule(network.IpRule{
 				Source:  rule.SrcIp,
 				Dest:    rule.DstIp,
 				Proto:   rule.Proto,
@@ -195,6 +191,7 @@ func (v *Switch) loadACLs() {
 				Jump:    rule.Action,
 			})
 		}
+		v.acls = append(v.acls, chain)
 	}
 }

@@ -401,6 +398,9 @@ func (v *Switch) Start() {
 	v.lock.Lock()
 	defer v.lock.Unlock()

+	for _, l := range v.acls {
+		l.Install()
+	}
 	v.fire.Start()
 	// firstly, start network.
 	for _, w := range v.worker {
@@ -457,6 +457,9 @@ func (v *Switch) Stop() {
 	}
 	v.server.Close()
 	v.fire.Stop()
+	for _, l := range v.acls {
+		l.Cancel()
+	}
 }

 func (v *Switch) Alias() string {