chore: Optimize iptables initial state loading speed (#11085)

ssongliu · web-flow · commit 3b306f990a0a · 2025-11-26T22:29:48.000+08:00
diff --git a/agent/app/service/firewall.go b/agent/app/service/firewall.go
@@ -68,7 +68,7 @@ func (u *FirewallService) LoadBaseInfo(tab string) (dto.FirewallBaseInfo, error)
 	go func() {
 		defer wg.Done()
 		baseInfo.IsActive, _ = client.Status()
-		baseInfo.IsInit, baseInfo.IsBind = loadInitStatus(baseInfo.Name, tab)
+		baseInfo.IsInit, baseInfo.IsBind = iptables.LoadInitStatus(baseInfo.Name, tab)
 	}()
 	wg.Wait()
 	return baseInfo, nil
@@ -826,96 +826,3 @@ func checkPortUsed(ports, proto string, apps []portOfApp) string {
 	}
 	return ""
 }
-
-func loadInitStatus(clientName, tab string) (bool, bool) {
-	if clientName == "firewalld" {
-		return true, true
-	}
-	if clientName == "ufw" && tab != "forward" {
-		return true, true
-	}
-	switch tab {
-	case "base":
-		if isExist, _ := iptables.CheckChainExist(iptables.FilterTab, iptables.Chain1PanelBasicBefore); !isExist {
-			return false, false
-		}
-		if exist := iptables.CheckRuleExist(iptables.FilterTab, iptables.Chain1PanelBasicBefore, iptables.IoRuleIn); !exist {
-			return false, false
-		}
-		if exist := iptables.CheckRuleExist(iptables.FilterTab, iptables.Chain1PanelBasicBefore, iptables.EstablishedRule); !exist {
-			return false, false
-		}
-		if exist, _ := iptables.CheckChainExist(iptables.FilterTab, iptables.Chain1PanelBasic); !exist {
-			return false, false
-		}
-		if exist, _ := iptables.CheckChainExist(iptables.FilterTab, iptables.Chain1PanelBasicAfter); !exist {
-			return false, false
-		}
-		if exist := iptables.CheckRuleExist(iptables.FilterTab, iptables.Chain1PanelBasicAfter, iptables.DropAllTcp); !exist {
-			return false, false
-		}
-		if exist := iptables.CheckRuleExist(iptables.FilterTab, iptables.Chain1PanelBasicAfter, iptables.DropAllUdp); !exist {
-			return false, false
-		}
-		if bind, _ := iptables.CheckChainBind(iptables.FilterTab, iptables.ChainInput, iptables.Chain1PanelBasicBefore); !bind {
-			return true, false
-		}
-		if bind, _ := iptables.CheckChainBind(iptables.FilterTab, iptables.ChainInput, iptables.Chain1PanelBasic); !bind {
-			return true, false
-		}
-		if bind, _ := iptables.CheckChainBind(iptables.FilterTab, iptables.ChainInput, iptables.Chain1PanelBasicAfter); !bind {
-			return true, false
-		}
-		return true, true
-	case "advance":
-		isExist, _ := iptables.CheckChainExist(iptables.FilterTab, iptables.Chain1PanelInput)
-		if !isExist {
-			return false, false
-		}
-		isExist, _ = iptables.CheckChainExist(iptables.FilterTab, iptables.Chain1PanelOutput)
-		if !isExist {
-			return false, false
-		}
-
-		isBind, _ := iptables.CheckChainBind(iptables.FilterTab, iptables.ChainInput, iptables.Chain1PanelInput)
-		if !isBind {
-			return true, false
-		}
-		isBind, _ = iptables.CheckChainBind(iptables.FilterTab, iptables.ChainOutput, iptables.Chain1PanelOutput)
-		return true, isBind
-	case "forward":
-		stdout, err := cmd.RunDefaultWithStdoutBashC("cat /proc/sys/net/ipv4/ip_forward")
-		if err != nil {
-			global.LOG.Errorf("check /proc/sys/net/ipv4/ip_forward failed, err: %v", err)
-			return false, false
-		}
-		if strings.TrimSpace(stdout) == "0" {
-			return false, false
-		}
-
-		exist, _ := iptables.CheckChainExist(iptables.NatTab, iptables.Chain1PanelPreRouting)
-		if !exist {
-			return false, false
-		}
-		exist, _ = iptables.CheckChainExist(iptables.NatTab, iptables.Chain1PanelPostRouting)
-		if !exist {
-			return false, false
-		}
-		exist, _ = iptables.CheckChainExist(iptables.FilterTab, iptables.Chain1PanelForward)
-		if !exist {
-			return false, false
-		}
-		isBind, _ := iptables.CheckChainBind(iptables.NatTab, "PREROUTING", iptables.Chain1PanelPreRouting)
-		if !isBind {
-			return false, false
-		}
-		isBind, _ = iptables.CheckChainBind(iptables.NatTab, "POSTROUTING", iptables.Chain1PanelPostRouting)
-		if !isBind {
-			return false, false
-		}
-		isBind, _ = iptables.CheckChainBind(iptables.FilterTab, "FORWARD", iptables.Chain1PanelForward)
-		return true, isBind
-	default:
-		return false, false
-	}
-}
diff --git a/agent/server/server.go b/agent/server/server.go
@@ -42,11 +42,11 @@ func Start() {
 	i18n.Init()
 	cache.Init()
 	app.Init()
-	firewall.Init()
 	lang.Init()
 	validator.Init()
 	cron.Run()
 	hook.Init()
+	go firewall.Init()
 	InitOthers()
 
 	rootRouter := router.Routers()
diff --git a/agent/utils/firewall/client/iptables/common.go b/agent/utils/firewall/client/iptables/common.go
@@ -24,7 +24,7 @@ const (
 )
 
 const (
-	EstablishedRule = "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment 'ESTABLISHED Whitelist'"
+	EstablishedRule = "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment 'ESTABLISHED Whitelist'"
 	IoRuleIn        = "-i lo -j ACCEPT -m comment --comment 'Loopback Whitelist'"
 	DropAllTcp      = "-p tcp -j DROP"
 	DropAllUdp      = "-p udp -j DROP"
diff --git a/agent/utils/firewall/client/iptables/filter.go b/agent/utils/firewall/client/iptables/filter.go
@@ -5,6 +5,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/1Panel-dev/1Panel/agent/global"
 	"github.com/1Panel-dev/1Panel/agent/utils/cmd"
 )
 
@@ -117,6 +118,120 @@ func LoadDefaultStrategy(chain string) (string, error) {
 	return ACCEPT, nil
 }
 
+func LoadInitStatus(clientName, tab string) (bool, bool) {
+	if clientName == "firewalld" {
+		return true, true
+	}
+	if clientName == "ufw" && tab != "forward" {
+		return true, true
+	}
+	switch tab {
+	case "base":
+		filterRules, err := RunWithStd(FilterTab, "-S")
+		if err != nil {
+			return false, false
+		}
+		lines := strings.Split(filterRules, "\n")
+		initRules := []string{
+			"-N " + Chain1PanelBasicBefore,
+			"-N " + Chain1PanelBasic,
+			"-N " + Chain1PanelBasicAfter,
+			fmt.Sprintf("-A %s %s -j ACCEPT", Chain1PanelBasicBefore, strings.ReplaceAll(strings.ReplaceAll(IoRuleIn, "'", "\""), " -j ACCEPT", "")),
+			fmt.Sprintf("-A %s %s -j ACCEPT", Chain1PanelBasicBefore, strings.ReplaceAll(strings.ReplaceAll(EstablishedRule, "'", "\""), " -j ACCEPT", "")),
+			fmt.Sprintf("-A %s %s", Chain1PanelBasicAfter, DropAllTcp),
+			fmt.Sprintf("-A %s %s", Chain1PanelBasicAfter, DropAllUdp),
+		}
+		bindRules := []string{
+			fmt.Sprintf("-A %s -j %s", ChainInput, Chain1PanelBasicBefore),
+			fmt.Sprintf("-A %s -j %s", ChainInput, Chain1PanelBasic),
+			fmt.Sprintf("-A %s -j %s", ChainInput, Chain1PanelBasicAfter),
+		}
+		return checkWithInitAndBind(initRules, bindRules, lines)
+	case "advance":
+		filterRules, err := RunWithStd(FilterTab, "-S")
+		if err != nil {
+			return false, false
+		}
+		lines := strings.Split(filterRules, "\n")
+		initRules := []string{
+			"-N " + Chain1PanelInput,
+			"-N " + Chain1PanelOutput,
+		}
+		bindRules := []string{
+			fmt.Sprintf("-A %s -j %s", ChainInput, Chain1PanelInput),
+			fmt.Sprintf("-A %s -j %s", ChainOutput, Chain1PanelOutput),
+		}
+		return checkWithInitAndBind(initRules, bindRules, lines)
+	case "forward":
+		stdout, err := cmd.RunDefaultWithStdoutBashC("cat /proc/sys/net/ipv4/ip_forward")
+		if err != nil {
+			global.LOG.Errorf("check /proc/sys/net/ipv4/ip_forward failed, err: %v", err)
+			return false, false
+		}
+		if strings.TrimSpace(stdout) == "0" {
+			return false, false
+		}
+		natRules, err := RunWithStd(NatTab, "-S")
+		if err != nil {
+			return false, false
+		}
+		lines := strings.Split(natRules, "\n")
+		initRules := []string{
+			"-N " + Chain1PanelPreRouting,
+			"-N " + Chain1PanelPostRouting,
+		}
+		bindRules := []string{
+			fmt.Sprintf("-A PREROUTING -j %s", Chain1PanelPreRouting),
+			fmt.Sprintf("-A POSTROUTING -j %s", Chain1PanelPostRouting),
+		}
+		isNatInit, isNatBind := checkWithInitAndBind(initRules, bindRules, lines)
+		if !isNatInit {
+			return false, false
+		}
+		filterRules, err := RunWithStd(FilterTab, "-S")
+		if err != nil {
+			return false, false
+		}
+		filterLines := strings.Split(filterRules, "\n")
+		filterInitRules := []string{"-N " + Chain1PanelForward}
+		filterBindRules := []string{fmt.Sprintf("-A FORWARD -j %s", Chain1PanelForward)}
+		isFilterInit, isFilterBind := checkWithInitAndBind(filterInitRules, filterBindRules, filterLines)
+		return isNatInit && isFilterInit, isNatBind && isFilterBind
+	default:
+		return false, false
+	}
+}
+
+func checkWithInitAndBind(initRules, bindRules []string, lines []string) (bool, bool) {
+	for _, rule := range initRules {
+		found := false
+		for _, line := range lines {
+			if strings.TrimSpace(line) == strings.TrimSpace(rule) {
+				found = true
+				break
+			}
+		}
+		if !found {
+			global.LOG.Debugf("not found init rule: %s", rule)
+			return false, false
+		}
+	}
+	for _, rule := range bindRules {
+		found := false
+		for _, line := range lines {
+			if strings.TrimSpace(line) == strings.TrimSpace(rule) {
+				found = true
+				break
+			}
+		}
+		if !found {
+			global.LOG.Debugf("not found bind rule: %s", rule)
+			return true, false
+		}
+	}
+	return true, true
+}
+
 func loadPort(position string, portStr []string) string {
 	if len(portStr) < 7 {
 		return ""

Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,7 @@ const (`
`24`	`24`	`)`
`25`	`25`
`26`	`26`	`const (`
`27`		`- EstablishedRule = "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment 'ESTABLISHED Whitelist'"`
	`27`	`+ EstablishedRule = "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment 'ESTABLISHED Whitelist'"`
`28`	`28`	`IoRuleIn = "-i lo -j ACCEPT -m comment --comment 'Loopback Whitelist'"`
`29`	`29`	`DropAllTcp = "-p tcp -j DROP"`
`30`	`30`	`DropAllUdp = "-p udp -j DROP"`