Harden rule health checks
This commit is contained in:
@@ -150,6 +150,36 @@ ipt_apply_rule() {
|
||||
fi
|
||||
}
|
||||
|
||||
ipt_rule_healthy() {
|
||||
local uuid=$1 proto=$2 lport=$3 tip_raw=$4 tport=$5 ipver=$6
|
||||
local family protocol bin tip comment destination
|
||||
comment=$(ipt_comment_tag "${uuid}")
|
||||
|
||||
while IFS= read -r family; do
|
||||
[[ -n ${family} ]] || continue
|
||||
bin=$(ipt_bin_for_family "${family}")
|
||||
tip=$(ipt_target_for_family "${tip_raw}" "${family}")
|
||||
destination=$(ipt_to_destination "${tip_raw}" "${tport}" "${family}")
|
||||
|
||||
while IFS= read -r protocol; do
|
||||
[[ -n ${protocol} ]] || continue
|
||||
_ipt_check_rule "${bin}" nat PREROUTING \
|
||||
-p "${protocol}" --dport "${lport}" \
|
||||
-j DNAT --to-destination "${destination}" \
|
||||
-m comment --comment "${comment}" || return 1
|
||||
_ipt_check_rule "${bin}" nat POSTROUTING \
|
||||
-p "${protocol}" -d "${tip}" --dport "${tport}" \
|
||||
-j MASQUERADE \
|
||||
-m comment --comment "${comment}" || return 1
|
||||
_ipt_check_rule "${bin}" '' FORWARD \
|
||||
-p "${protocol}" -d "${tip}" --dport "${tport}" \
|
||||
-m conntrack --ctstate NEW,ESTABLISHED,RELATED \
|
||||
-j ACCEPT \
|
||||
-m comment --comment "${comment}" || return 1
|
||||
done < <(ipt_protocols_for "${proto}")
|
||||
done < <(ipt_families_for "${ipver}")
|
||||
}
|
||||
|
||||
ipt_remove_rule() {
|
||||
local uuid=$1 proto=$2 lport=$3 tip_raw=$4 tport=$5 ipver=$6
|
||||
local -a families protocols
|
||||
|
||||
@@ -130,8 +130,16 @@ rules_load_lines() {
|
||||
}
|
||||
|
||||
rule_health_mark() {
|
||||
local uuid=${1-}
|
||||
if ipt_find_by_uuid "${uuid}" >/dev/null 2>&1; then
|
||||
local line=${1-}
|
||||
local uuid proto lport tip tport ipver
|
||||
uuid=$(rule_field "${line}" uuid)
|
||||
proto=$(rule_field "${line}" proto)
|
||||
lport=$(rule_field "${line}" lport)
|
||||
tip=$(rule_field "${line}" tip)
|
||||
tport=$(rule_field "${line}" tport)
|
||||
ipver=$(rule_field "${line}" ipver)
|
||||
|
||||
if ipt_rule_healthy "${uuid}" "${proto}" "${lport}" "${tip}" "${tport}" "${ipver}"; then
|
||||
printf '✓\n'
|
||||
else
|
||||
printf '!\n'
|
||||
@@ -156,7 +164,7 @@ render_rules_plain() {
|
||||
tport=$(rule_field "${line}" tport)
|
||||
ipver=$(rule_ipver_label "$(rule_field "${line}" ipver)")
|
||||
desc=$(rule_field "${line}" desc || true)
|
||||
health=$(rule_health_mark "${uuid}")
|
||||
health=$(rule_health_mark "${line}")
|
||||
printf '%-3s %-10s %-10s %-32s %-10s %-12s %-4s %s\n' \
|
||||
"$((idx + 1))" "${proto}" "${lport}" "${tip}" "${tport}" "${ipver}" "${health}" "${desc}"
|
||||
done
|
||||
@@ -166,7 +174,7 @@ cmd_list() {
|
||||
local pause=${1:-1}
|
||||
rules_load_lines
|
||||
render_rules_plain "${RULES_CACHE[@]}"
|
||||
printf '[✓] 已在 iptables 中找到规则;[!] 仅存在于数据库中。\n'
|
||||
printf '[✓] 运行态规则完整;[!] 至少缺少一条运行态规则或仅存在于数据库中。\n'
|
||||
if [[ ${pause} == 1 ]]; then
|
||||
pause_return
|
||||
fi
|
||||
|
||||
Reference in New Issue
Block a user