Hugging Face's logo

Spaces:
GGSheng
/
fe
Running

App Files Community
fe / bt-source /panel /class /firewallModel /comModel.py
GGSheng's picture
GGSheng
feat: deploy Gemma 4 to hf space
3a5cf48 verified
raw
history blame contribute delete
80.5 kB
# coding: utf-8
# -------------------------------------------------------------------
# 宝塔Linux面板
# -------------------------------------------------------------------
# Copyright (c) 2014-2099 宝塔软件(http://bt.cn) All rights reserved.
# -------------------------------------------------------------------
# Author: wzz <wzz@bt.cn>
# -------------------------------------------------------------------
import json
import re
import time
import os
# ------------------------------
# 系统防火墙模型 - 业务接口类
# ------------------------------
import public
from firewallModel.firewallBase import Base
from firewallModel.iptablesServices import IptablesServices
class main(Base):
def __init__(self):
 super().__init__()
 self.iptables = IptablesServices()
# 2024/3/14 下午 12:01 获取防火墙状态信息
 def get_firewall_info(self, get):
 """
 @name 获取防火墙统计
 """
 cache_key = "firewall_info"
 from BTPanel import cache
 data = cache.get(cache_key)
 if data: return data
data = {}
 data['port'] = len(self.firewall.list_port())
 data['ip'] = len(self.iptables.list_address())+len(self.firewall.list_address())
 data['trans'] = len(self.iptables.list_port_forward())
 data['country'] = public.M('firewall_country').count()
 data['banned'] = public.M('firewall_malicious_ip').count()
 data['type'] = "firewalld" if self._isFirewalld else "ufw" if self._isUfw else "iptables"
 if not "m_time_file" in self.__dict__:
 self.m_time_file = "/www/server/panel/data/firewall/geoip_mtime.pl"
 m_time = public.readFile(self.m_time_file)
 data['update_time'] = public.format_date(times=int(m_time) if m_time else int(time.time()))
isPing = True
 try:
 file = '/etc/sysctl.conf'
 conf = public.readFile(file)
 rep = r"#*net\.ipv4\.icmp_echo_ignore_all\s*=\s*([0-9]+)"
 tmp = re.search(rep, conf).groups(0)[0]
 if tmp == '1': isPing = False
 except:
 isPing = True
data['ping'] = isPing
cache.set(cache_key, data, 3600)
 return data
# 2024/3/26 下午 3:40 获取防火墙状态
 def get_status(self, get):
 '''
 @name 获取防火墙状态
 @author wzz <2024/3/26 下午 3:40>
 @param "data":{"参数名":""} <数据类型> 参数描述
 @return dict{"status":True/False,"msg":"提示信息"}
 '''
 firewall_status = self.get_firewall_status()
 firewall_init_status = self.check_iptables_env(firewall_status)
 return {"status": firewall_status, "init_status": firewall_init_status}
def clean_cache(self,get):
 '''
 @name 强制清除防火墙缓存
 @author csj
 '''
 from BTPanel import cache
 cache_keys = ["firewall_info","port_rules_list","ip_rules_list","port_forward_list"]
 for cache_key in cache_keys:
 cache.delete(cache_key)
return public.returnMsg(True, '清除缓存成功')
def check_iptables_env(self,firewall_status):
 if firewall_status:
 if not os.path.exists('/etc/systemd/system/BT-FirewallServices.service'):
 #判断 数据库是否有数据 如果没数据直接初始化(新安装面板场景)
 if public.M('firewall_country').count() == 0 and \
 public.M('firewall_ip').count() == 0 and \
 public.M('firewall_malicious_ip').count() == 0 and \
 public.M('firewall_forward').count() == 0 :
exec_shell = '('
 if not os.path.exists('/usr/sbin/ipset'):
 exec_shell = exec_shell + '{} install ipset -y;'.format(public.get_sys_install_bin())
 exec_shell = exec_shell + 'sh {panel_path}/script/init_firewall.sh)'.format(panel_path=public.get_panel_path())
 public.ExecShell(exec_shell)
 return {'status': True, 'msg': '已安装.'}
 return {'status': False, 'msg': '防火墙未初始化.'}
 elif public.ExecShell("iptables -C INPUT -j IN_BT")[1] != '': #丢失iptable链 需要重新创建
 exec_shell = 'sh {}/script/init_firewall.sh'.format(public.get_panel_path())
 public.ExecShell(exec_shell)
 return {'status': True, 'msg': '已安装.'}
 else:
 return {'status': True, 'msg': '已安装.'}
 else:
 return {'status': True, 'msg': '防火墙未开启.'}
def update_bt_firewall(self,get):
 if not os.path.exists('/etc/systemd/system/BT-FirewallServices.service'):
 panel_path = public.get_panel_path()
 exec_shell = '('
 if not os.path.exists('/usr/sbin/ipset'):
 exec_shell = exec_shell + '{} install ipset -y;'.format(public.get_sys_install_bin())
 exec_shell = exec_shell + 'sh {panel_path}/script/init_firewall.sh;btpython -u {panel_path}/script/upgrade_firewall.py )'.format(panel_path=panel_path)
import panelTask
 task_obj = panelTask.bt_task()
 task_id = task_obj.create_task('防火墙初始化任务', 0, exec_shell)
 public.print_log(f"防火墙初始化任务已创建,任务ID:{task_id}")
 return {'status': True, 'msg': '防火墙初始化任务已创建.', 'task_id': task_id}
 else:
 return {'status': False, 'msg': '已安装.'}
# 2024/3/26 下午 3:42 设置防火墙状态
 def set_status(self, get):
 '''
 @name 设置防火墙状态
 @param "data":{"参数名":""} <数据类型> 参数描述
 @return dict{"status":True/False,"msg":"提示信息"}
 '''
 get.status = get.get('status/s', '1')
 if get.status not in ['0', '1']:
 return public.returnMsg(False, '参数错误')
if get.status == '1':
 start_status = self.firewall.start()
 if not start_status["status"]:
 public.WriteLog("系统防火墙", "启动防火墙失败")
 return start_status
get.reload = 0
 default_ports = ["SSH", "80", "443", "39000-40000", "21","PanelPort"]
 close_ports = get.get('ports', '').split(",")
for port in default_ports:
 if port not in close_ports:
 if port == "PanelPort":
 _panel_port_file = '/www/server/panel/data/port.pl'
 port = public.readFile(_panel_port_file).strip(" ").strip("\n")
 elif port == "SSH":
 cmd = "cat /etc/ssh/sshd_config |grep -E '^Port'|awk '{print $2}'|awk 'NR == 1'"
 ssh_port = public.ExecShell(cmd)[0].strip(" ").strip("\n")
 if ssh_port != "": port = ssh_port
 get.port = port
 self.set_port_rule(get)
 self.firewall.reload()
 public.WriteLog("系统防火墙", "启动防火墙")
 return start_status
 else:
 public.WriteLog("系统防火墙", "停止防火墙")
 return self.firewall.stop()
# 2024/5/13 下午3:50 检查指定端口是否已经存在,如果存在则返回False,否则返回True
 def check_port_exist(self, get):
 '''
 @name 检查指定端口是否已经存在,如果存在则返回False,否则返回True
 @author wzz <2024/5/13 下午3:51>
 @param "data":{"参数名":""} <数据类型> 参数描述
 @return dict{"status":True/False,"msg":"提示信息"}
 '''
 port_rules_list = self.port_rules_list(get)
 for item in port_rules_list['data']:
 if item["Port"] == get.port and item["Address"] == get.address and item["Protocol"] == get.protocol and \
 item["Strategy"] == get.strategy and item["Chain"] == get.chain:
 return False
return True
# 2024/5/13 下午4:13 检查指定ip规则是否已经存在,如果存在则返回False,否则返回True
 def check_ip_exist(self, get):
 '''
 @name 检查指定ip规则是否已经存在,如果存在则返回False,否则返回True
 @param "data":{"参数名":""} <数据类型> 参数描述
 @return dict{"status":True/False,"msg":"提示信息"}
 '''
 ip_rules_list = self.ip_rules_list(get)
 for item in ip_rules_list["data"]:
 if item["Address"] == get.address and item["Strategy"] == get.strategy and item["Chain"] == get.chain:
 return False
return True
# 2024/5/13 下午4:17 检查指定端口转发规则是否已经存在,如果存在则返回False,否则返回True
 def check_forward_exist(self, get):
 '''
 @name 检查指定端口转发规则是否已经存在,如果存在则返回False,否则返回True
 @param "data":{"参数名":""} <数据类型> 参数描述
 @return dict{"status":True/False,"msg":"提示信息"}
 '''
 forward_rules_list = self.port_forward_list(get)
 for item in forward_rules_list["data"]:
 if item["S_Port"] == get.S_Port and item["T_Address"] == get.T_Address and item["T_Port"] == get.T_Port and item["Protocol"].upper() == get.protocol.upper():
 return False
return True
# 2024/3/26 下午 6:09 从数据库中获取端口规则列表
 def get_port_db(self, get):
 '''
 @name 从数据库中获取端口规则列表
 @author wzz <2024/3/26 下午 6:13>
 @param "data":{"参数名":""} <数据类型> 参数描述
 @return dict{"status":True/False,"msg":"提示信息"}
 '''
 try:
 where = '1=1'
 sql = public.M('firewall_new')
 data = sql.where(where, ()).select()
domain_sql = public.M('firewall_domain')
 domain_data = domain_sql.where(where, ()).select()
 for i in range(len(data)):
 if not "ports" in data[i]:
 data[i]['status'] = -1
 continue
if "brief" in data[i]:
 data[i]['brief'] = public.xssdecode(data[i]['brief'])
if not "chain" in data[i]:
 data[i]['chain'] = "INPUT"
 if "chain" in data[i] and data[i]['chain'] == "":
 data[i]['chain'] = "INPUT"
for j in range(len(domain_data)):
 if "domain" in domain_data[j] and data[i]['address'] in domain_data[j]['domain']:
 data[i]['domain'] = domain_data[j]['domain']
 break
return data
 except Exception as e:
 return []
# 2024/3/26 下午 11:53 从数据库中获取ip规则列表
 def get_ip_db(self, get):
 '''
 @name 从数据库中获取ip规则列表
 @author wzz <2024/3/26 下午 11:53>
 @param "data":{"参数名":""} <数据类型> 参数描述
 @return dict{"status":True/False,"msg":"提示信息"}
 '''
 try:
 where = '1=1'
 sql = public.M('firewall_ip')
ip_data = sql.where(where, ()).select()
 ip_dict = {}
 for i_data in ip_data:
 if "brief" in i_data:
 i_data['brief'] = public.xssdecode(i_data['brief'])
 if not "chain" in i_data:
 i_data['chain'] = "INPUT"
 if "chain" in i_data and i_data['chain'] == "":
 i_data['chain'] = "INPUT"
if not ip_dict.get(i_data['address'],None):
 ip_dict[i_data['address']]=[]
 ip_dict[i_data['address']].append(i_data)
return ip_dict
 except Exception as e:
 return {}
# 2024/3/26 下午 11:58 从数据库中获取端口转发规则列表
 def get_forward_db(self, get):
 '''
 @name 从数据库中获取端口转发规则列表
 @author wzz <2024/3/26 下午 11:58>
 @param "data":{"参数名":""} <数据类型> 参数描述
 @return dict{"status":True/False,"msg":"提示信息"}
 '''
 try:
 where = '1=1'
 sql = public.M('firewall_forward')
if hasattr(get, 'query'):
 where = " S_Address like '%{search}%' or S_Port like '%{search}%' or T_Address like '%{search}%' or T_Port like '%{search}%'".format(
 search=get.query
 )
 res = sql.where(where, ()).select()
 if type(res) != list:
 return []
 return res
 except Exception as e:
 return []
# 2024/3/26 下午 10:46 构造端口规则返回数据
 def structure_port_return_data(self, list_port, rule_db, get):
 '''
 @name 构造返回数据
 @author wzz <2024/3/26 下午 10:47>
 @param "data":{"参数名":""} <数据类型> 参数描述
 @return dict{"status":True/False,"msg":"提示信息"}
 '''
 cache_key = "port_rules_list"
 from BTPanel import cache
 data = cache.get(cache_key)
 if data:
 new_list = []
 sort_data = data
 for j in range(len(sort_data)):
 if get.query != "":
 if get.query in sort_data[j]['Port'] or get.query in sort_data[j]['brief'] or get.query in \
 sort_data[j]['Address']:
 new_list.append(sort_data[j])
 elif "Chain" not in sort_data[j]:
 new_list.append(sort_data[j])
 elif get.chain != "ALL" and sort_data[j]['Chain'] == get.chain:
 new_list.append(sort_data[j])
if len(new_list) > 0 or get.query != "" or get.chain != "ALL":
 sort_data = sorted(new_list, key=lambda x: x['addtime'], reverse=True)
 else:
 new_list = []
 for j in range(len(list_port)):
 list_port[j]['id'] = 0
 list_port[j]['sid'] = 0
 list_port[j]['brief'] = ""
 list_port[j]['domain'] = ""
 if (list_port[j]['Port'].find(":") != -1 or list_port[j]['Port'].find("-") != -1 or
 list_port[j]['Port'].find("/") != -1 or list_port[j]['Port'].find(".") != -1):
 list_port[j]['status'] = 1
 else:
 try:
 if not ":" in list_port[j]['Port'] or not "-" in list_port[j]['Port']:
 list_port[j]['status'] = self.CheckPort(int(list_port[j]['Port']), list_port[j]['Protocol'])
 else:
 list_port[j]['status'] = -1
 except:
 list_port[j]['status'] = -1
if "Chain" in list_port[j] and list_port[j]['Chain'] == "OUTPUT":
 list_port[j]['status'] = -1
list_port[j]['addtime'] = "--"
list_port[j]['Port'] = list_port[j]['Port'].replace(":", "-")
 for i in range(len(rule_db)):
 if (rule_db[i]['ports'] == list_port[j]['Port'] and
 rule_db[i]['protocol'] == list_port[j]['Protocol'] and
 rule_db[i]['address'].lower() == list_port[j]['Address'].lower() and
 rule_db[i]['types'] == list_port[j]['Strategy'] and
 rule_db[i]['chain'] == list_port[j]['Chain']):
 list_port[j]['id'] = rule_db[i]['id']
 list_port[j]['sid'] = rule_db[i]['sid']
 list_port[j]['brief'] = rule_db[i]['brief']
 list_port[j]['addtime'] = rule_db[i]['addtime']
if "domain" in rule_db[i]:
 list_port[j]['domain'] = rule_db[i]['domain']
break
if get.query != "":
 if get.query in list_port[j]['Port'] or get.query in list_port[j]['brief'] or get.query in \
 list_port[j]['Address']:
 new_list.append(list_port[j])
if len(new_list) > 0 or get.query != "":
 sort_data = sorted(new_list, key=lambda x: x['addtime'], reverse=True)
 else:
 sort_data = sorted(list_port, key=lambda x: x['addtime'], reverse=True)
if get.query == "":
 cache.set(cache_key, sort_data, 86400)
 if get.export == "1":
 get.row = len(sort_data)
 return self.return_page(sort_data, get)
# 2024/3/27 上午 12:01 构造ip规则返回数据
 def structure_ip_return_data(self, get):
 '''
 @name 构造ip规则返回数据
 @param "data":{"参数名":""} <数据类型> 参数描述
 @return dict{"status":True/False,"msg":"提示信息"}
 '''
cache_key = "ip_rules_list"
 from BTPanel import cache
 data = cache.get(cache_key)
if not data: #未缓存 处理逻辑
 rule_db = self.get_ip_db(get)
 if get.chain == "INPUT":
 list_ip = self.iptables.list_address(["INPUT"]) # 托管的IP规则
 system_list_address = self.firewall.list_input_address() # 系统防火墙的IP规则 ufw firewall 为了考虑用户手动添加的规则
 list_ip += system_list_address # 拼接
 elif get.chain == "OUTPUT":
 list_ip = self.iptables.list_address(["OUTPUT"])
 system_list_address = self.firewall.list_output_address()
 list_ip += system_list_address
 else:
 list_ip = self.iptables.list_address(["INPUT", "OUTPUT"])
 system_list_address = self.firewall.list_address()
 list_ip += system_list_address
new_list = []
 for j in range(len(list_ip)):
 import random
 list_ip[j]['id'] = random.randint(-100, -1)
 list_ip[j]['sid'] = 0
 list_ip[j]['brief'] = ""
 list_ip[j]['domain'] = ""
 list_ip[j]['addtime'] = "--"
 list_ip[j]["expiry_date"] = ''
 #BT-Services托管的IP规则
if "Timeout" in list_ip[j]:
 # BT-Services托管的IP规则
 if int(list_ip[j]["Timeout"]) > 0:
 from datetime import datetime
 timeout = int(time.time()) + int(list_ip[j]['Timeout'])
 timeout_str = datetime.fromtimestamp(timeout).strftime('%Y-%m-%d %H:%M:%S')
 list_ip[j]["expiry_date"] = timeout_str
 list_ip[j]["stype"] = '1'
 else:
 #系统防火墙的IP规则
 list_ip[j]["stype"] = '0'
for ip_rule in rule_db.get(list_ip[j]['Address'], []):
 if (ip_rule['address'] == list_ip[j]['Address'] and
 ip_rule['types'] == list_ip[j]['Strategy'] and
 ip_rule['chain'] == list_ip[j]['Chain']):
 list_ip[j]['id'] = ip_rule['id']
 list_ip[j]['sid'] = ip_rule['sid']
 list_ip[j]['brief'] = ip_rule['brief']
 list_ip[j]['addtime'] = ip_rule['addtime']
if "domain" in ip_rule:
 list_ip[j]['domain'] = ip_rule['domain']
 break
 if get.query != "":
 if get.query in list_ip[j]['brief'] or get.query in list_ip[j]['Address']:
 new_list.append(list_ip[j])
if len(new_list) > 0 or get.query != "":
 sort_data = sorted(new_list, key=lambda x: x['addtime'], reverse=True)
 else:
 sort_data = sorted(list_ip, key=lambda x: x['addtime'], reverse=True)
if get.query == "":
 cache.set(cache_key, sort_data, 86400)
 else: #缓存流程
 new_list = []
 sort_data = data
 for j in range(len(sort_data)):
 if get.query != "":
 if get.query in sort_data[j]['Address'] or get.query in sort_data[j]['brief']:
 new_list.append(sort_data[j])
 elif get.chain != "ALL" and sort_data[j]['Chain'] == get.chain:
 new_list.append(sort_data[j])
if len(new_list) > 0 or get.query != "" or get.chain != "ALL":
 sort_data = sorted(new_list, key=lambda x: x['addtime'], reverse=True)
from mod.project.ssh.base import SSHbase
 if get.export == "1":
 get.row = len(sort_data)
 page_data = self.return_page(sort_data, get)
 page_data["data"] = SSHbase.return_area(page_data["data"], "Address")
 return page_data
# 2024/3/27 上午 12:11 构造端口转发规则返回数据
 def structure_forward_return_data(self, list_forward, rule_db, get):
 '''
 @name 构造端口转发规则返回数据
 @author wzz <2024/3/27 上午 12:11>
 @param "data":{"参数名":""} <数据类型> 参数描述
 @return dict{"status":True/False,"msg":"提示信息"}
 '''
 cache_key = "port_forward_list"
 from BTPanel import cache
 data = cache.get(cache_key)
 if data:
 new_list = []
 sort_data = data
 for j in range(len(sort_data)):
 if get.query != "":
 if get.query in sort_data[j]['S_Address'] or get.query in sort_data[j]['S_Port'] or get.query in \
 sort_data[j]['T_Address'] or get.query in sort_data[j]['T_Port'] or get.query in \
 sort_data[j]['brief']:
 new_list.append(sort_data[j])
if len(new_list) > 0 or get.query != "":
 sort_data = sorted(new_list, key=lambda x: x['addtime'], reverse=True)
 else:
 new_list = []
 for j in range(len(list_forward)):
 list_forward[j]['id'] = 0
 list_forward[j]['brief'] = ""
 list_forward[j]['addtime'] = "--"
for i in range(len(rule_db)):
 if (rule_db[i]['T_Address'] == list_forward[j]['T_Address'] and
 rule_db[i]['S_Port'] == list_forward[j]['S_Port'] and
 rule_db[i]['T_Port'] == list_forward[j]['T_Port'] and
 rule_db[i]['Protocol'].upper() == list_forward[j]['Protocol'].upper()
 ):
 list_forward[j]['id'] = rule_db[i]['id']
 list_forward[j]['brief'] = rule_db[i]['brief']
 list_forward[j]['addtime'] = rule_db[i]['addtime']
 break
if get.query != "":
 if (get.query in list_forward[j]['brief'] or get.query in list_forward[j][
 'S_Address'] or get.query in
 list_forward[j]['S_Port'] or
 get.query in list_forward[j]['T_Address'] or get.query in list_forward[j]['T_Port']):
 new_list.append(list_forward[j])
if len(new_list) > 0 or get.query != "":
 sort_data = sorted(new_list, key=lambda x: x['addtime'], reverse=True)
 else:
 sort_data = sorted(list_forward, key=lambda x: x['addtime'], reverse=True)
if get.query == "":
 cache.set(cache_key, sort_data, 86400)
return self.return_page(sort_data, get)
# 2024/3/25 上午 11:05 获取所有端口规则列表
 def port_rules_list(self, get):
 '''
 @name 获取所有端口规则列表
 @author wzz <2024/3/25 上午 11:06>
 @param "data":{"参数名":""} <数据类型> 参数描述
 @return list[dict{}...]
 '''
 get.chain = get.get('chain/s', 'ALL')
 get.query = get.get('query/s', '')
 get.p = get.get('p', 1)
 get.row = get.get('row', 20)
 get.export = get.get('export/s', '0') # 是否导出数据 0非导出 1导出
rule_db = self.get_port_db(get)
if get.chain == "INPUT":
 list_port = self.firewall.list_input_port()
 elif get.chain == "OUTPUT":
 list_port = self.firewall.list_output_port()
 else:
 list_port = self.firewall.list_port()
return self.structure_port_return_data(list_port, rule_db, get)
# 2024/3/26 下午 3:17 导出规则
 def export_rules(self, get):
 '''
 @name 导出规则
 @author wzz <2024/3/26 下午 3:17>
 @param "data":{"参数名":""} <数据类型> 参数描述
 @return dict{"status":True/False,"msg":"提示信息"}
 '''
 get.rule = get.get('rule/s', 'port')
 get.export = "1"
 if get.rule == "port":
 return self.export_port_rules(get)
 elif get.rule == "ip":
 return self.export_ip_rules(get)
 else:
 return self.export_port_forward(get)
# 2024/3/26 下午 3:18 导入规则
 def import_rules(self, get):
 '''
 @name 导入规则
 @param "data":{"参数名":""} <数据类型> 参数描述
 @return dict{"status":True/False,"msg":"提示信息"}
 '''
 # 2024/4/17 下午4:47 检查防火墙状态,如果未启动则不允许设置导入规则
 if not self.get_firewall_status():
 return public.returnMsg(False, '请先启动防火墙后再导入规则!')
get.rule = get.get('rule/s', 'port')
 if get.rule == "port":
 return self.import_port_rules(get)
 elif get.rule == "ip":
 return self.import_ip_rules(get)
 else:
 return self.import_port_forward(get)
# 2024/3/26 下午 2:38 导出所有端口规则
 def export_port_rules(self, get):
 '''
 @name 导出所有端口规则
 @author wzz <2024/3/26 下午 2:39>
 @param "data":{"参数名":""} <数据类型> 参数描述
 @return dict{"status":True/False,"msg":"提示信息"}
 '''
 get.chain = get.get('chain/s', 'all')
if get.chain == "INPUT":
 file_name = "input_port_rules_{}".format(int(time.time()))
 elif get.chain == "OUTPUT":
 file_name = "output_port_rules_{}".format(int(time.time()))
 else:
 file_name = "port_rules_{}".format(int(time.time()))
data = self.port_rules_list(get)['data']
 if not data:
 return public.returnMsg(False, '没有规则无法导出')
 if not os.path.exists(self.config_path):
 os.makedirs(self.config_path, exist_ok=True)
 file_path = "{}/{}.json".format(self.config_path, file_name)
public.writeFile(file_path, public.GetJson(data))
 public.WriteLog("系统防火墙", "导出端口规则")
 return public.returnMsg(True, file_path)
# 2024/3/26 下午 2:41 导入端口规则
 def import_port_rules(self, get):
 '''
 @name 导入端口规则
 @author wzz <2024/3/26 下午 2:58>
 @param "data":{"参数名":""} <数据类型> 参数描述
 @return dict{"status":True/False,"msg":"提示信息"}
 '''
 get.file = get.get('file/s', '')
if not get.file:
 return public.returnMsg(False, '文件不能为空')
if not os.path.exists(get.file):
 return public.returnMsg(False, '文件不存在')
try:
 data = public.readFile(get.file)
 if "|" in data and not "{" in data:
 get.rule_name = "port_rule"
 return self.import_rules_old(get)
data = json.loads(data)
 # 2024/4/10 下午2:51 反转数据
 data.reverse()
 except:
 return public.returnMsg(False, '文件内容异常或格式错误')
args = public.dict_obj()
 for item in data:
 args.operation = 'add'
 args.protocol = item['Protocol']
 args.port = item['Port']
 args.strategy = item['Strategy']
 args.chain = item['Chain']
 args.address = item.get('Address', 'all')
 args.brief = item.get('brief', '')
 args.reload = "0"
self.set_port_rule(args)
if self._isFirewalld:
 self.firewall.reload()
return public.returnMsg(True, '导入成功')
# 2024/5/14 上午10:27 调用旧的导入规则方法
 def import_rules_old(self, get):
 '''
 @name 调用旧的导入规则方法
 @param "data":{"参数名":""} <数据类型> 参数描述
 @return dict{"status":True/False,"msg":"提示信息"}
 '''
 try:
 from safeModel.firewallModel import main as firewall
 firewall_obj = firewall()
 get.file_name = get.file.split("/")[-1]
 firewall_obj.import_rules(get)
return public.returnMsg(True, '导入成功')
 except Exception as e:
 return public.returnMsg(False, str(e))
# 2024/3/26 上午 9:30 处理多个ip以换行的方式添加/删除
 def set_nline_port_ip(self, get):
 '''
 @name 处理多个ip以换行的方式添加/删除
 @author wzz <2024/3/26 上午 9:32>
 @param "data":{"参数名":""} <数据类型> 参数描述
 @return dict{"status":True/False,"msg":"提示信息"}
 '''
 address = get.address.split("\n")
 failed_list = []
 for addr in address:
 if not public.checkIp(addr):
 return public.returnMsg(False, '目标地址格式错误')
get.address = addr
 if get.chain == "INPUT":
 result = self.input_port(get)
 else:
 result = self.output_port(get)
if not result['status']:
 failed_list.append({
 "address": addr,
 "msg": result['msg']
 })
 if len(failed_list) > 0:
 return public.returnMsg(True, '设置成功,以下规则设置失败:{}'.format(failed_list))
# if self._isFirewalld:
 # self.firewall.reload()
return public.returnMsg(True, '设置成功')
# 2024/3/26 上午 9:30 处理多个ip以逗号的方式添加/删除
 def set_tline_port_ip(self, get):
 '''
 @name 处理多个ip以逗号的方式添加
 @author wzz <2024/3/26 上午 9:32>
 @param "data":{"参数名":""} <数据类型> 参数描述
 @return dict{"status":True/False,"msg":"提示信息"}
 '''
 address = get.address.split(",")
 failed_list = []
 for addr in address:
 if not public.checkIp(addr):
 return public.returnMsg(False, '目标地址格式错误')
get.address = addr
 if get.chain == "INPUT":
 result = self.input_port(get)
 else:
 result = self.output_port(get)
if not result['status']:
 failed_list.append({
 "address": addr,
 "msg": result['msg']
 })
 if len(failed_list) > 0:
 return public.returnMsg(True, '设置成功,以下规则设置失败:{}'.format(failed_list))
# if self._isFirewalld:
 # self.firewall.reload()
return public.returnMsg(True, '设置成功')
# 2024/3/26 上午 9:34 处理192.168.1.10-192.168.1.20这种范围ip的添加/删除
 def set_range_port_ip(self, get):
 '''
 @name 处理192.168.1.10-192.168.1.20这种范围ip的添加/删除
 @author wzz <2024/3/26 上午 9:35>
 @param "data":{"参数名":""} <数据类型> 参数描述
 @return dict{"status":True/False,"msg":"提示信息"}
 '''
 address = self.firewall.handle_ip_range(get.address)
 failed_list = []
 for addr in address:
 get.address = addr
 if get.chain == "INPUT":
 result = self.input_port(get)
 else:
 result = self.output_port(get)
if not result['status']:
 failed_list.append({
 "address": addr,
 "msg": result['msg']
 })
 if len(failed_list) > 0:
 return public.returnMsg(True, '设置成功,以下规则设置失败:{}'.format(failed_list))
# if self._isFirewalld:
 # self.firewall.reload()
return public.returnMsg(True, '设置成功')
# 2024/3/25 下午 6:27 设置端口规则
 def set_port_rule(self, get):
 '''
 @name 设置端口规则
 @author wzz <2024/3/25 下午 6:28>
 @param "data":{"参数名":""} <数据类型> 参数描述
 @return dict{"status":True/False,"msg":"提示信息"}
 '''
 # 2024/4/17 下午4:47 检查防火墙状态,如果未启动则不允许设置端口规则
 if not self.get_firewall_status():
 return public.returnMsg(False, '请先启动防火墙后再设置规则!')
get.operation = get.get('operation/s', 'add')
 get.protocol = get.get('protocol/s', 'tcp')
 get.address = get.get('address/s', 'all')
 get.port = get.get('port/s', '')
 get.strategy = get.get('strategy/s', 'accept')
 get.chain = get.get('chain/s', 'INPUT')
 get.reload = get.get('reload/s', "1")
 get.brief = get.get('brief/s', '')
if get.address == "Anywhere" or get.address == "":
 get.address = "all"
if get.protocol == "all":
 get.protocol = "tcp/udp"
if get.port == "":
 return public.returnMsg(False, '目标端口不能为空')
if get.address != "all" and "," in get.address:
 import copy
 args = copy.deepcopy(get)
 address_list = get.address.split(",")
 for address in address_list:
 args.address = address
 result = self.more_prot_rule(args)
 if not result['status']:
 return result
 elif get.address != "all" and "\n" in get.address:
 import copy
 args = copy.deepcopy(get)
 address_list = get.address.split("\n")
 for address in address_list:
 args.address = address
 result = self.more_prot_rule(args)
 if not result['status']:
 return result
 else:
 result = self.more_prot_rule(get)
 if not result['status']:
 return result
if self._isFirewalld and get.reload == "1":
 self.firewall.reload()
cache_key = "firewall_info"
 from BTPanel import cache
 data = cache.get(cache_key)
 if data: cache.delete(cache_key)
 cache_key = "port_rules_list"
 data = cache.get(cache_key)
 if data: cache.delete(cache_key)
public.WriteLog("系统防火墙", "设置端口规则:{}".format(get.port))
 return public.returnMsg(True, '设置成功')
# 2024/3/29 下午 4:04 处理多个ip的端口规则情况
 def more_prot_rule(self, get):
 '''
 @name 处理多个ip的端口规则情况
 @author wzz <2024/3/29 下午 4:02>
 @param "data":{"参数名":""} <数据类型> 参数描述
 @return dict{"status":True/False,"msg":"提示信息"}
 '''
 if get.port.find(",") != -1:
 import copy
 args = copy.deepcopy(get)
 port_list = get.port.split(",")
 for port in port_list:
 args.port = port
 result = self.exec_port_rule(args)
 if not result['status']:
 return result
 return public.returnMsg(True, '设置成功')
 else:
 return self.exec_port_rule(get)
# 2024/3/28 下午 6:29 执行端口设置
 def exec_port_rule(self, get):
 '''
 @name 执行端口设置
 @author wzz <2024/3/28 下午 6:29>
 @param "data":{"参数名":""} <数据类型> 参数描述
 @return dict{"status":True/False,"msg":"提示信息"}
 '''
 if get.operation == "add" and not self.check_port_exist(get):
 return public.returnMsg(False, '端口{}已存在,请勿重复添加'.format(get.port))
self.set_port_db(get)
# 2024/3/25 下午 8:23 处理多个ip的情况,例如出现每行一个ip
 if get.address != "all" and "\n" in get.address:
 return self.set_nline_port_ip(get)
 elif get.address != "all" and "-" in get.address:
 return self.set_range_port_ip(get)
 elif get.address != "all" and "," in get.address:
 return self.set_tline_port_ip(get)
 elif get.address != "all" and "/" in get.address:
 if get.chain == "INPUT":
 result = self.input_port(get)
 else:
 result = self.output_port(get)
 elif get.address != "all" and not public.checkIp(get.address) and not public.is_ipv6(get.address):
 return public.returnMsg(False, '指定IP地址格式错误')
 else:
 if get.chain == "INPUT":
 result = self.input_port(get)
 else:
 result = self.output_port(get)
return result
# 2024/5/14 上午10:40 前置检测ip是否合法
 def check_ips(self, get):
 '''
 @name 前置检测ip是否合法
 @author wzz <2024/5/14 上午10:40>
 @param "data":{"参数名":""} <数据类型> 参数描述
 @return dict{"status":True/False,"msg":"提示信息"}
 '''
 if get.address != "all" and "\n" in get.address:
 address = get.address.split("\n")
 for addr in address:
 if addr != "all" and not public.checkIp(addr) and not public.is_ipv6(addr):
 return public.returnMsg(False, '指定IP地址格式错误')
 elif get.address != "all" and "," in get.address:
 address = get.address.split(",")
 for addr in address:
 if addr != "all" and not public.checkIp(addr) and not public.is_ipv6(addr):
 return public.returnMsg(False, '指定IP地址格式错误')
 else:
 if get.address != "all" and not public.checkIp(get.address) and not public.is_ipv6(get.address):
 return public.returnMsg(False, '指定IP地址格式错误')
return public.returnMsg(True, 'ok')
# 2024/3/27 上午 9:37 修改端口规则
 def modify_port_rule(self, get):
 '''
 @name 修改端口规则
 @author wzz <2024/3/27 上午 9:38>
 @param "data":{"参数名":""} <数据类型> 参数描述
 @return dict{"status":True/False,"msg":"提示信息"}
 '''
 # 2024/4/17 下午4:47 检查防火墙状态,如果未启动则不允许设置规则
 if not self.get_firewall_status():
 return public.returnMsg(False, '请先启动防火墙后再设置规则!')
 get.old_data = get.get('old_data/s', '')
 get.new_data = get.get('new_data/s', '')
if get.old_data == "":
 return public.returnMsg(False, '请传入old_data')
if get.new_data == "":
 return public.returnMsg(False, '请传入new_data')
get.old_data = json.loads(get.old_data)
 get.new_data = json.loads(get.new_data)
args1 = public.dict_obj()
 args1.operation = 'remove'
 args1.port = get.old_data['Port']
 args1.protocol = get.old_data['Protocol']
 args1.address = get.old_data['Address']
 args1.strategy = get.old_data['Strategy']
 args1.chain = get.old_data['Chain']
 args1.id = get.old_data['id']
 args1.sid = get.old_data['sid']
 args1.reload = "0"
 self.set_port_rule(args1)
args2 = public.dict_obj()
 args2.operation = 'add'
 args2.port = get.new_data['port']
 args2.protocol = get.new_data['protocol']
 args2.address = get.new_data['address'] if "address" in get.new_data else "all"
 args2.strategy = get.new_data['strategy']
 args2.chain = get.new_data['chain']
 args2.brief = get.new_data['brief'] if 'brief' in get.new_data else ""
 args2.reload = "1"
 self.set_port_rule(args2)
return public.returnMsg(True, '修改成功')
# 2024/3/27 下午 4:03 修改域名端口规则
 def modify_domain_port_rule(self, get):
 '''
 @name 修改域名端口规则
 @param "data":{"参数名":""} <数据类型> 参数描述
 @return dict{"status":True/False,"msg":"提示信息"}
 '''
 # 2024/4/17 下午4:47 检查防火墙状态,如果未启动则不允许设置设置规则
 if not self.get_firewall_status():
 return public.returnMsg(False, '请先启动防火墙后再设置规则!')
 get.old_data = get.get('old_data/s', '')
 get.new_data = get.get('new_data/s', '')
if get.old_data == "":
 return public.returnMsg(False, '请传入old_data')
if get.new_data == "":
 return public.returnMsg(False, '请传入new_data')
get.old_data = json.loads(get.old_data)
 get.new_data = json.loads(get.new_data)
address = self.get_a_ip(get.new_data['domain'])
if address == "":
 return public.returnMsg(False, '域名: 【{}】解析失败'.format(get.domain))
args1 = public.dict_obj()
 args1.operation = 'remove'
 args1.port = get.old_data['Port']
 args1.protocol = get.old_data['Protocol']
 args1.address = get.old_data['Address']
 args1.strategy = get.old_data['Strategy']
 args1.chain = get.old_data['Chain']
 args1.id = get.old_data['id']
 args1.sid = get.old_data['sid']
 self.set_port_rule(args1)
args2 = public.dict_obj()
 args2.operation = 'add'
 args2.port = get.new_data['port']
 args2.protocol = get.new_data['protocol']
 args2.address = address
 args2.strategy = get.new_data['strategy']
 args2.chain = get.new_data['chain']
 args2.brief = get.new_data['brief'] if "brief" in get.new_data else ""
 args2.domain = get.new_data['domain']
 self.set_port_rule(args2)
if self._isFirewalld:
 self.firewall.reload()
return public.returnMsg(True, '修改成功')
# 2024/3/26 下午 5:10 设置域名端口规则
 def set_domain_port_rule(self, get):
 '''
 @name 设置域名端口规则
 @author wzz <2024/3/26 下午 5:11>
 @param "data":{"参数名":""} <数据类型> 参数描述
 @return dict{"status":True/False,"msg":"提示信息"}
 '''
 # 2024/4/17 下午4:47 检查防火墙状态,如果未启动则不允许设置规则
 if not self.get_firewall_status():
 return public.returnMsg(False, '请先启动防火墙后再设置规则!')
public.set_module_logs('设置域名端口规则', 'set_domain_port_rule', 1)
 get.operation = get.get('operation/s', 'add')
 get.protocol = get.get('protocol/s', 'tcp')
 get.domain = get.get('domain/s', '')
 get.port = get.get('port/s', '')
 get.strategy = get.get('strategy/s', 'accept')
 get.chain = get.get('chain/s', 'INPUT')
if get.domain == "":
 return public.returnMsg(False, '目标域名不能为空')
if get.port == "":
 return public.returnMsg(False, '目标端口不能为空')
if not public.is_domain(get.domain):
 return public.returnMsg(False, '目标域名格式错误')
if "|" in get.domain:
 get.domain = get.domain.split("|")[0]
address = self.get_a_ip(get.domain)
if address == "":
 return public.returnMsg(False, '域名: 【{}】解析失败'.format(get.domain))
get.address = address
 self.set_port_db(get)
if get.chain == "INPUT":
 result = self.input_port(get)
 else:
 result = self.output_port(get)
if result['status'] and self._isFirewalld:
 self.firewall.reload()
return result
# 2024/5/13 下午4:46 添加端口规则到指定数据库
 def add_port_db(self, get, protocol, addtime, domain):
 '''
 @name 添加端口规则到指定数据库
 @author wzz <2024/5/13 下午4:46>
 @param "data":{"参数名":""} <数据类型> 参数描述
 @return dict{"status":True/False,"msg":"提示信息"}
 '''
 add_sid = public.M('firewall_new').add(
 'ports,brief,protocol,address,types,addtime,domain,sid,chain',
 (
 get.port, public.xsssec(get.brief), protocol, get.address, get.strategy, addtime, domain, 0,
 get.chain)
 )
if get.domain != "":
 domain_sid = public.M('firewall_domain').add(
 'types,domain,port,address,brief,addtime,sid,protocol,domain_total',
 (get.strategy, domain, get.port, get.address, public.xsssec(get.brief),
 addtime, add_sid, get.protocol, get.domain)
 )
 public.M('firewall_new').where("id=?", (add_sid,)).save('sid', domain_sid)
 self.check_resolve_crontab()
# 2024/5/13 下午4:49 从指定数据库删除端口规则
 def remove_port_db(self, get, protocol, addtime, domain):
 '''
 @name 从指定数据库删除端口规则
 @param "data":{"参数名":""} <数据类型> 参数描述
 @return dict{"status":True/False,"msg":"提示信息"}
 '''
 public.M('firewall_new').where("ports=? and protocol=? and address=? and types=? and chain=?", (
 get.port, protocol, get.address, get.strategy, get.chain
 )).delete()
 get.domain = get.get('domain/s', '')
 if get.domain != "":
 public.M('firewall_domain').where("domain=?", (get.domain)).delete()
self.remove_resolve_crontab()
# 2024/3/26 下午 5:52 添加/删除数据库的端口规则
 def set_port_db(self, get):
 '''
 @name 添加/删除数据库的端口规则
 @param "data":{"参数名":""} <数据类型> 参数描述
 @return dict{"status":True/False,"msg":"提示信息"}
 '''
 if get.operation == "add":
 # 检测端口是否已经添加过
 query_result = public.M('firewall_new').where(
 'ports=? and address=? and protocol=? and types=? and chain=?',
 (get.port, get.address, get.protocol, get.strategy, get.chain)
 ).find()
if not query_result:
 get.domain = get.get('domain/s', '')
 domain = "{}|{}".format(get.domain, get.address) if get.domain != "" else ""
 addtime = time.strftime('%Y-%m-%d %X', time.localtime())
if get.protocol == "tcp/udp" and self._isFirewalld:
 self.add_port_db(get, "tcp", addtime, domain)
 self.add_port_db(get, "udp", addtime, domain)
 else:
 self.add_port_db(get, get.protocol, addtime, domain)
 else:
 query_result = public.M('firewall_new').where(
 'ports=? and address=? and protocol=? and types=? and chain=?',
 (get.port, get.address, get.protocol, get.strategy, get.chain)
 ).find()
 if query_result:
 if get.protocol == "tcp/udp" and self._isFirewalld:
 self.remove_port_db(get, "tcp", query_result['addtime'], query_result['domain'])
 self.remove_port_db(get, "udp", query_result['addtime'], query_result['domain'])
 else:
 self.remove_port_db(get, get.protocol, query_result['addtime'], query_result['domain'])
# 2024/3/26 下午 11:23 添加/删除数据库的ip规则
 def set_ip_db(self, get):
 '''
 @name 添加/删除数据库的ip规则
 @author wzz <2024/3/26 下午 11:24>
 @param "data":{"参数名":""} <数据类型> 参数描述
 @return dict{"status":True/False,"msg":"提示信息"}
 '''
 if get.operation == "add":
 get.domain = get.get('domain/s', '')
 domain = "{}|{}".format(get.domain, get.address) if get.domain != "" else ""
 query_result = public.M('firewall_ip').where("address=? and types=? and domain=? and chain=?",
 (get.address, get.strategy, domain, get.chain)).find()
if not query_result:
 addtime = time.strftime('%Y-%m-%d %X', time.localtime())
 self._add_sid = public.M('firewall_ip').add(
 'address,types,brief,addtime,domain,sid,chain',
 (get.address, get.strategy, public.xsssec(get.brief), addtime, domain, 0, get.chain)
 )
if get.domain != "":
 domain_sid = public.M('firewall_domain').add(
 'types,domain,port,address,brief,addtime,sid,protocol,domain_total',
 (get.strategy, domain, '', get.address, public.xsssec(get.brief), addtime, self._add_sid, '',
 get.domain)
 )
 public.M('firewall_ip').where("id=?", (self._add_sid,)).save('sid', domain_sid)
 self.check_resolve_crontab()
 else:
 get.address = get.get("address/s", '')
 get.strategy = get.get("strategy/s", '')
 if get.address == "":
 return public.returnMsg(False, '请传入id')
 public.M('firewall_ip').where("address=? and types=? and chain=?", (get.address, get.strategy, get.chain)).delete()
 get.domain = get.get('domain/s', '')
 if get.domain != "":
 public.M('firewall_domain').where("domain=?", (get.domain)).delete()
self.remove_resolve_crontab()
# 2024/3/26 下午 11:40 添加/删除数据库的端口转发规则
 def set_forward_db(self, get):
 '''
 @name 添加/删除数据库的端口转发规则
 @author wzz <2024/3/26 下午 11:40>
 @param "data":{"参数名":""} <数据类型> 参数描述
 @return dict{"status":True/False,"msg":"提示信息"}
 '''
 if get.operation == "add":
 query_result = public.M('firewall_forward').where("S_Port=? and T_Address=? and T_Port=? and Protocol=?", (
 get.S_Port, get.T_Address, get.T_Port, get.protocol
 )).find()
if not query_result:
 get.brief = get.get('brief/s', '')
 addtime = time.strftime('%Y-%m-%d %X', time.localtime())
 self._add_sid = public.M('firewall_forward').add(
 'S_Port,T_Address,T_Port,Protocol,Family,addtime,brief',
 (get.S_Port, get.T_Address, get.T_Port, get.protocol, "ipv4", addtime, get.brief)
 )
 else:
 public.M('firewall_forward').where(
 "S_Port=? and T_Address=? and T_Port=? and Protocol=?",
 (get.S_Port, get.T_Address, get.T_Port, get.protocol)
 ).delete()
# 2024/3/25 下午 6:55 入站端口规则
 def input_port(self, get):
 '''
 @name 入站端口规则
 @param "data":{"参数名":""} <数据类型> 参数描述 dabao
 @return list[dict{}...]
 '''
 info = {
 "Port": get.port,
 "Protocol": get.protocol.lower(),
 "Strategy": get.strategy.lower(),
 "Family": "ipv4",
 }
if ":" in get.address:
 info["Family"] = "ipv6"
if get.address != "all":
 info["Address"] = get.address
 result = self.firewall.rich_rules(info=info, operation=get.operation)
 elif get.address == "all" and get.strategy == "drop":
 result = self.firewall.rich_rules(info=info, operation=get.operation)
 else:
 result = self.firewall.input_port(info=info, operation=get.operation)
return result
# 2024/3/25 下午 6:56 出站端口规则
 def output_port(self, get):
 '''
 @name 出站端口规则
 @author wzz <2024/3/25 下午 6:56>
 @param "data":{"参数名":""} <数据类型> 参数描述
 @return dict{"status":True/False,"msg":"提示信息"}
 '''
 info = {
 "Port": get.port,
 "Protocol": get.protocol.lower(),
 "Strategy": get.strategy.lower(),
 "Priority": "0",
 "Family": "ipv4",
 }
if ":" in get.address:
 info["Family"] = "ipv6"
if get.address != "all":
 info["Address"] = get.address
 result = self.firewall.output_rich_rules(info=info, operation=get.operation)
 else:
 result = self.firewall.output_port(info=info, operation=get.operation)
return result
# 2024/3/26 上午 9:40 处理多个ip的情况,例如出现每行一个ip
 def set_nline_ip_rule(self, get):
 '''
 @name 处理多个ip的情况,例如出现每行一个ip
 @author wzz <2024/3/26 上午 9:40>
 @param "data":{"参数名":""} <数据类型> 参数描述
 @return dict{"status":True/False,"msg":"提示信息"}
 '''
 address = get.address.split("\n")
 failed_list = []
 import copy
 for addr in address:
 verify_addr = addr.split("/")[0]
 if not public.is_ipv4(verify_addr) and not public.is_ipv6(verify_addr):
 continue
args = copy.deepcopy(get)
 args.address = addr
 args.family = "ipv4" if ":" not in addr else "ipv6"
if self.check_is_user_ip(args):
 continue
if get.operation == "add" and not self.check_ip_exist(args):
 continue
self.set_ip_db(args)
info = {
 "Address": args.address,
 "Family": args.family,
 "Strategy": args.strategy,
 "Priority": args.priority,
 "Zone": get.zone.lower(),
 }
result = self.iptables.rich_rules(info=info, operation=get.operation,chain=get.chain)
if not result['status']:
 failed_list.append({
 "address": addr,
 "msg": result['msg']
 })
 if len(failed_list) > 0:
 return public.returnMsg(True, '设置成功,以下规则设置失败:{}'.format(failed_list))
if self._isFirewalld:
 self.firewall.reload()
return public.returnMsg(True, '设置成功')
# 2024/3/26 上午 9:40 处理多个ip的情况,例如出现逗号隔开ip
 def set_tline_ip_rule(self, get):
 '''
 @name 处理多个ip的情况,例如出现逗号隔开ip
 @author wzz <2024/3/26 上午 9:40>
 @param "data":{"参数名":""} <数据类型> 参数描述
 @return dict{"status":True/False,"msg":"提示信息"}
 '''
 address = get.address.split(",")
 failed_list = []
 import copy
 for addr in address:
 if "/" in addr:
 a_rgs = copy.deepcopy(get)
 a_rgs.address = addr
 self.set_mask_ip_rule(get)
 del a_rgs
 continue
 if "-" in addr:
 a_rgs = copy.deepcopy(get)
 a_rgs.address = addr
 self.set_range_ip_rule(a_rgs)
 del a_rgs
 continue
 if not public.checkIp(addr):
 return public.returnMsg(False, '目标地址格式错误')
args = copy.deepcopy(get)
 args.address = addr
if self.check_is_user_ip(args):
 continue
if get.operation == "add" and not self.check_ip_exist(args):
 continue
self.set_ip_db(args)
info = {
 "Address": args.address,
 "Family": args.family,
 "Strategy": args.strategy,
 "Priority": args.priority,
 "Zone": get.zone.lower(),
 }
result = self.iptables.rich_rules(info=info, operation=get.operation, chain=get.chain)
if not result['status']:
 failed_list.append({
 "address": addr,
 "msg": result['msg']
 })
 if len(failed_list) > 0:
 return public.returnMsg(True, '设置成功,以下规则设置失败:{}'.format(failed_list))
if self._isFirewalld:
 self.firewall.reload()
return public.returnMsg(True, '设置成功')
# 2024/3/26 上午 9:43 处理192.168.1.10-192.168.1.20这种范围ip的添加/删除
 def set_range_ip_rule(self, get):
 '''
 @name 处理192.168.1.10-192.168.1.20这种范围ip的添加/删除
 @author wzz <2024/3/26 上午 9:43>
 @param "data":{"参数名":""} <数据类型> 参数描述
 @return dict{"status":True/False,"msg":"提示信息"}
 '''
 address = self.firewall.handle_ip_range(get.address)
 failed_list = []
 import copy
 for addr in address:
 args = copy.deepcopy(get)
 args.address = addr
if self.check_is_user_ip(args):
 continue
if get.operation == "add" and not self.check_ip_exist(args):
 continue
self.set_ip_db(args)
info = {
 "Address": args.address,
 "Family": args.family,
 "Strategy": args.strategy,
 "Priority": args.priority,
 "Zone": get.zone.lower(),
 }
result = self.iptables.rich_rules(info=info, operation=get.operation, chain=get.chain)
if not result['status']:
 failed_list.append({
 "address": addr,
 "msg": result['msg']
 })
 if len(failed_list) > 0:
 return public.returnMsg(True, '设置成功,以下规则设置失败:{}'.format(failed_list))
if self._isFirewalld:
 self.firewall.reload()
return public.returnMsg(True, '设置成功')
# 2024/3/26 上午 9:46 设置带掩码的ip段
 def set_mask_ip_rule(self, get):
 '''
 @name 设置带掩码的ip段
 @author wzz <2024/3/26 上午 9:47>
 @param "data":{"参数名":""} <数据类型> 参数描述
 @return dict{"status":True/False,"msg":"提示信息"}
 '''
 if get.operation == "add" and not self.check_ip_exist(get):
 return public.returnMsg(False, '目标地址{}已存在,请勿重复添加'.format(get.address))
self.set_ip_db(get)
 info = {
 "Address": get.address,
 "Family": get.family,
 "Strategy": get.strategy,
 "Priority": get.priority,
 "Zone": get.zone.lower(),
 }
if get.chain == "INPUT":
 result = self.firewall.rich_rules(info=info, operation=get.operation)
 else:
 result = self.firewall.output_rich_rules(info=info, operation=get.operation)
if result['status'] and self._isFirewalld:
 self.firewall.reload()
return result
# 2024/4/9 下午11:31 检查是否会自己的ip,如果是则返回
 def check_is_user_ip(self, get):
 '''
 @name
 @author wzz <2024/4/9 下午11:31>
 @param "data":{"参数名":""} <数据类型> 参数描述
 @return dict{"status":True/False,"msg":"提示信息"}
 '''
 # 2024/3/26 下午 11:27 处理用户当前的远程ip,如果添加的ip与此ip一直则返回
 try:
 from flask import request
 user_ip = request.remote_addr
 if user_ip in get.address:
 return True
 return False
 except:
 return False
# 2024/3/25 下午 7:16 设置ip规则
 def set_ip_rule(self, get):
 '''
 @name 设置ip规则
 @author wzz <2024/3/25 下午 7:16>
 @param "data":{"参数名":""} <数据类型> 参数描述
 @return dict{"status":True/False,"msg":"提示信息"}
 '''
 # 2024/4/17 下午4:47 检查防火墙状态,如果未启动则不允许设置规则
 if not self.get_firewall_status():
 return public.returnMsg(False, '请先启动防火墙后再设置规则!')
get.operation = get.get('operation/s', 'add')
 get.address = get.get('address/s', '')
 get.strategy = get.get('strategy/s', 'accept')
 get.chain = get.get('chain/s', 'INPUT')
 get.family = get.get('family/s', 'ipv4')
 get.priority = get.get('priority/s', '0')
 get.reload = get.get('reload/s', "1")
 get.zone = get.get('zone', "public")
 get.timeout = get.get('timeout/d', 0)
 get.stype = get.get('stype/d', 1) #1托管的IPTABLES 0原生系统防火墙
if get.address == "":
 return public.returnMsg(False, '目标ip不能为空')
 if not get.strategy.lower() in ["accept", "drop"]:
 return public.returnMsg(False, "设置规则失败:{}".format("不支持的策略类型"))
 if get.chain not in ["INPUT", "OUTPUT"]:
 return public.returnMsg(False, '不支持的链类型')
option_result = self.ip_rule_option(get)
cache_key = "firewall_info"
 from BTPanel import cache
 data = cache.get(cache_key)
 if data: cache.delete(cache_key)
 cache_key = "ip_rules_list"
 data = cache.get(cache_key)
 if data: cache.delete(cache_key)
return option_result
# 2024/12/21 15:53 开始设置ip规则
 def ip_rule_option(self, get):
 '''
 @name 开始设置ip规则
 '''
 # 2024/3/25 下午 8:23 处理多个ip的情况,例如出现每行一个ip
 if get.address != "all" and "\n" in get.address:
 return self.set_nline_ip_rule(get)
 elif get.address != "all" and "," in get.address:
 return self.set_tline_ip_rule(get)
 elif get.address != "all" and "-" in get.address:
 return self.set_range_ip_rule(get)
 elif get.address != "all" and "/" not in get.address and not public.checkIp(get.address) and not public.is_ipv6(get.address):
 return public.returnMsg(False, '目标地址格式错误')
 else:
 if get.operation == "add" and get.strategy == "drop":
 if self.check_is_user_ip(get):
 return public.returnMsg(False, '不能添加自己的ip')
if get.operation == "add" and not self.check_ip_exist(get):
 return public.returnMsg(False, '目标地址{}已存在,请勿重复添加'.format(get.address))
if get.strategy == "drop":
 #读取封禁列表
 ip_rules_file = "data/ssh_deny_ip_rules.json"
 try:
 ip_rules = json.loads(public.readFile(ip_rules_file))
 except Exception:
 ip_rules = []
if get.address in ip_rules:
 #移除封禁列表
 ip_rules.remove(get.address)
 public.writeFile(ip_rules_file, json.dumps(ip_rules))
self.set_ip_db(get)
info = {
 "Address": get.address,
 "Family": get.family,
 "Strategy": get.strategy.lower(),
 "Priority": get.priority.lower(),
 "Zone": get.zone.lower(),
 "Timeout": get.timeout #过期时间 可以不传 默认为0永久
 }
 if get.stype == 1: #接管的iptables规则
 result = self.iptables.rich_rules(info=info, operation=get.operation, chain=get.chain)
 if get.reload == "1":
 public.ExecShell("systemctl reload BT-FirewallServices")
 else: #原生系统防火墙的规则
 result = self.firewall.rich_rules(info=info, operation=get.operation)
 if get.reload == "1":
 self.firewall.reload()
public.WriteLog("系统防火墙", "设置IP规则:{}".format(get.address))
 return result
# 2024/3/27 上午 9:44 修改ip规则
 def modify_ip_rule(self, get):
 '''
 @name 修改ip规则
 @param "data":{"参数名":""} <数据类型> 参数描述
 @return dict{"status":True/False,"msg":"提示信息"}
 '''
 # 2024/4/17 下午4:47 检查防火墙状态,如果未启动则不允许设置设置规则
 if not self.get_firewall_status():
 return public.returnMsg(False, '请先启动防火墙后再设置规则!')
 get.old_data = get.get('old_data/s', '')
 get.new_data = get.get('new_data/s', '')
if get.old_data == "":
 return public.returnMsg(False, '请传入old_data')
if get.new_data == "":
 return public.returnMsg(False, '请传入new_data')
get.old_data = json.loads(get.old_data)
 get.new_data = json.loads(get.new_data)
args1 = public.dict_obj()
 args1.operation = 'remove'
 args1.address = get.old_data['Address']
 args1.strategy = get.old_data['Strategy']
 args1.family = get.old_data['Family']
 args1.chain = get.old_data['Chain']
 args1.id = get.old_data['id']
 args1.sid = get.old_data['sid']
 args1.zone = get.old_data['Zone'] if "Zone" in get.old_data else "public"
 args1.reload = "0"
 args1.stype = get.old_data['stype']
 self.set_ip_rule(args1)
args2 = public.dict_obj()
 args2.operation = 'add'
 args2.address = get.new_data['address']
 args2.strategy = get.new_data['strategy']
 args2.family = get.new_data['family']
 args2.chain = get.new_data['chain']
 args2.brief = get.new_data['brief']
 args2.zone = get.new_data['zone'] if "zone" in get.new_data else "public"
 args2.reload = "0"
 self.set_ip_rule(args2)
if self._isFirewalld:
 self.firewall.reload()
return public.returnMsg(True, '修改成功')
# 2024/3/26 下午 5:18 设置域名ip规则
 def set_domain_ip_rule(self, get):
 '''
 @name 设置域名ip规则
 @author wzz <2024/3/26 下午 5:19>
 @param "data":{"参数名":""} <数据类型> 参数描述
 @return dict{"status":True/False,"msg":"提示信息"}
 '''
 get.operation = get.get('operation/s', 'add')
 get.protocol = get.get('protocol/s', 'tcp')
 get.domain = get.get('domain/s', '')
 get.port = get.get('port/s', '')
 get.strategy = get.get('strategy/s', 'accept')
 get.chain = get.get('chain/s', 'INPUT')
if get.domain == "":
 return public.returnMsg(False, '目标域名不能为空')
if get.port == "":
 return public.returnMsg(False, '目标端口不能为空')
if not public.is_domain(get.domain):
 return public.returnMsg(False, '目标域名格式错误')
address = self.get_a_ip(get.domain)
if address == "":
 return public.returnMsg(False, '域名: 【{}】解析失败'.format(get.domain))
if not public.checkIp(get.address):
 return public.returnMsg(False, '目标地址格式错误')
info = {
 "Address": address,
 "Family": get.family,
 "Strategy": get.strategy.lower(),
 "Priority": get.priority.lower(),
 }
 if get.chain == "INPUT":
 result = self.firewall.rich_rules(info=info, operation=get.operation)
 else:
 result = self.firewall.output_rich_rules(info=info, operation=get.operation)
if result['status'] and self._isFirewalld:
 self.firewall.reload()
return result
# 2024/3/25 上午 11:18 获取所有ip规则列表
 def ip_rules_list(self, get):
 '''
 @name 获取所有ip规则列表
 @param "data":{"参数名":""} <数据类型> 参数描述
 @return list[dict{}...]
 '''
 get.chain = get.get('chain/s', 'all')
 get.query = get.get('query/s', '')
 get.p = get.get('p', 1)
 get.row = get.get('row', 20)
 get.export = get.get('export/s', '0') # 是否导出数据 0非导出 1导出
return self.structure_ip_return_data(get)
# 2024/3/26 下午 3:03 导出所有ip规则
 def export_ip_rules(self, get):
 '''
 @name 导出所有ip规则
 @param "data":{"参数名":""} <数据类型> 参数描述
 @return dict{"status":True/False,"msg":"提示信息"}
 '''
 get.chain = get.get('chain/s', 'all')
if get.chain == "INPUT":
 file_name = "input_ip_rules_{}".format(int(time.time()))
 elif get.chain == "OUTPUT":
 file_name = "output_ip_rules_{}".format(int(time.time()))
 else:
 file_name = "ip_rules_{}".format(int(time.time()))
data = self.ip_rules_list(get)["data"]
 if not data:
 return public.returnMsg(False, '没有规则无法导出')
file_path = "{}/{}.json".format(self.config_path, file_name)
 if not os.path.exists(self.config_path):
 os.makedirs(self.config_path)
 public.writeFile(file_path, public.GetJson(data))
 public.WriteLog("系统防火墙", "导出ip规则")
 return public.returnMsg(True, file_path)
# 2024/3/26 下午 3:05 导入ip规则
 def import_ip_rules(self, get):
 '''
 @name 导入ip规则
 @param "data":{"参数名":""} <数据类型> 参数描述
 @return dict{"status":True/False,"msg":"提示信息"}
 '''
 get.file = get.get('file/s', '')
if not get.file:
 return public.returnMsg(False, '文件不能为空')
if not os.path.exists(get.file):
 return public.returnMsg(False, '文件不存在')
try:
 data = public.readFile(get.file)
 if "|" in data and not "{" in data:
 get.rule_name = "ip_rule"
 return self.import_rules_old(get)
data = json.loads(data)
 # 2024/4/10 下午2:51 反转数据
 data.reverse()
 except:
 return public.returnMsg(False, '文件内容异常或格式错误')
args = public.dict_obj()
 for item in data:
 args.operation = 'add'
 args.address = item['Address']
 args.strategy = item['Strategy']
 args.chain = item['Chain']
 args.family = item['Family']
 args.brief = item['brief']
 args.reload = "0"
self.set_ip_rule(args)
if self._isFirewalld:
 self.firewall.reload()
return public.returnMsg(True, '导入成功')
# 2024/3/25 下午 2:34 获取端口转发列表
 def port_forward_list(self, get):
 '''
 @name 获取端口转发列表
 @param "data":{"参数名":""} <数据类型> 参数描述
 @return list[dict{}...]
 '''
 get.query = get.get('query/s', '')
 get.p = get.get('p', 1)
 get.row = get.get('row', 20)
list_port_forward = self.iptables.list_port_forward()
 forward_db = self.get_forward_db(get)
 if type(list_port_forward) == list and type(forward_db) == list:
 return self.structure_forward_return_data(list_port_forward, forward_db, get)
 return self.return_page([], get)
# 2024/3/26 下午 3:08 导出所有端口转发规则
 def export_port_forward(self, get):
 '''
 @name 导出所有端口转发规则
 @param "data":{"参数名":""} <数据类型> 参数描述
 @return dict{"status":True/False,"msg":"提示信息"}
 '''
 data = self.iptables.list_port_forward()
 if not data:
 return public.returnMsg(False, '没有规则无法导出')
 file_name = "port_forward_{}".format(int(time.time()))
 file_path = "{}/{}.json".format(self.config_path, file_name)
public.writeFile(file_path, public.GetJson(data))
 public.WriteLog("系统防火墙", "导出端口转发规则")
 return public.returnMsg(True, file_path)
# 2024/3/26 下午 3:10 导入端口转发规则
 def import_port_forward(self, get):
 '''
 @name 导入端口转发规则
 @param "data":{"参数名":""} <数据类型> 参数描述
 @return dict{"status":True/False,"msg":"提示信息"}
 '''
 get.file = get.get('file/s', '')
if not get.file:
 return public.returnMsg(False, '文件不能为空')
if not os.path.exists(get.file):
 return public.returnMsg(False, '文件不存在')
try:
 data = public.readFile(get.file)
 if "|" in data and not "{" in data:
 get.rule_name = "trans_rule"
 return self.import_rules_old(get)
data = json.loads(data)
 # 2024/4/10 下午2:51 反转数据
 data.reverse()
 except:
 return public.returnMsg(False, '文件内容异常或格式错误')
args = public.dict_obj()
 for item in data:
 args.operation = 'add'
 args.protocol = item['Protocol']
 args.S_Address = item['S_Address']
 args.S_Port = item['S_Port']
 args.T_Address = item['T_Address']
 args.T_Port = item['T_Port']
 args.reload = "0"
self.set_port_forward(args)
if self._isFirewalld:
 self.firewall.reload()
return public.returnMsg(True, '导入成功')
# 2024/3/25 下午 3:43 设置端口转发
 def set_port_forward(self, get):
 '''
 @name 设置端口转发
 @param "data":{"参数名":""} <数据类型> 参数描述
 @return dict{"status":True/False,"msg":"提示信息"}
 '''
 # 2024/4/17 下午4:47 检查防火墙状态,如果未启动则不允许设置设置规则
 if not self.get_firewall_status():
 return public.returnMsg(False, '请先启动防火墙后再设置规则!')
get.operation = get.get('operation/s', 'add')
 get.protocol = get.get('protocol/s', 'tcp')
 get.S_Address = get.get('S_Address/s', '')
 get.S_Port = get.get('S_Port/s', '')
 get.T_Address = get.get("T_Address/s", '')
 get.T_Port = get.get("T_Port/s", '')
 get.reload = get.get('reload/s', "1")
if get.S_Port == "":
 return public.returnMsg(False, '源端口不能为空')
 # if get.T_Address == "":
 # return public.returnMsg(False, '目标地址不能为空')
 if get.T_Port == "":
 return public.returnMsg(False, '目标端口不能为空')
# 2024/3/25 下午 5:49 前置检测
 if get.operation == "add":
 check_ip_forward = self.firewall.check_ip_forward()
 if not check_ip_forward["status"]:
 return check_ip_forward
if not self.check_forward_exist(get):
 return public.returnMsg(False, '端口转发规则已存在,请勿重复添加')
self.set_forward_db(get)
# 2024/3/25 下午 5:50 构造传参,调用底层方法设置端口转发
 if get.protocol == "tcp/udp" or get.protocol == "all":
 info = {"Family": "ipv4", "Protocol": "tcp", "S_Address": get.S_Address, "S_Port": get.S_Port,
 "T_Address": get.T_Address, "T_Port": get.T_Port}
 result = self.iptables.port_forward(info=info, operation=get.operation)
 if not result['status']:
 return result
info["Protocol"] = "udp"
 result = self.iptables.port_forward(info=info, operation=get.operation)
 else:
 info = {
 "Family": "ipv4",
 "Protocol": get.protocol,
 "S_Address": get.S_Address,
 "S_Port": get.S_Port,
 "T_Address": get.T_Address,
 "T_Port": get.T_Port,
 }
 result = self.iptables.port_forward(info=info, operation=get.operation)
cache_key = "firewall_info"
 from BTPanel import cache
 data = cache.get(cache_key)
 if data: cache.delete(cache_key)
 cache_key = "port_forward_list"
 data = cache.get(cache_key)
 if data: cache.delete(cache_key)
return result
# 2024/3/27 上午 9:44 修改端口转发规则
 def modify_forward_rule(self, get):
 '''
 @name 修改端口转发规则
 @param "data":{"参数名":""} <数据类型> 参数描述
 @return dict{"status":True/False,"msg":"提示信息"}
 '''
 # 2024/4/17 下午4:47 检查防火墙状态,如果未启动则不允许设置规则
 if not self.get_firewall_status():
 return public.returnMsg(False, '请先启动防火墙后再设置规则!')
get.old_data = get.get('old_data/s', '')
 get.new_data = get.get('new_data/s', '')
if get.old_data == "":
 return public.returnMsg(False, '请传入old_data')
if get.new_data == "":
 return public.returnMsg(False, '请传入new_data')
get.old_data = json.loads(get.old_data)
 get.new_data = json.loads(get.new_data)
args1 = public.dict_obj()
 args1.operation = 'remove'
 args1.S_Address = get.old_data['S_Address']
 args1.S_Port = get.old_data['S_Port']
 args1.T_Address = get.old_data['T_Address']
 args1.T_Port = get.old_data['T_Port']
 args1.protocol = get.old_data['Protocol']
 args1.id = get.old_data['id']
 args1.reload = "0"
 self.set_port_forward(args1)
args2 = public.dict_obj()
 args2.operation = 'add'
 args2.S_Port = get.new_data['S_Port']
 args2.T_Address = get.new_data['T_Address']
 args2.T_Port = get.new_data['T_Port']
 args2.protocol = get.new_data['protocol']
 args2.brief = get.new_data['brief']
 args2.reload = "0"
 return self.set_port_forward(args2)