fix: Fix firewalld range port forwarding failure issue (#11390)

Author: ssongliu

agent/utils/firewall/client/firewalld.go

@@ -9,7 +9,6 @@ import (
 	"github.com/1Panel-dev/1Panel/agent/global"
 	"github.com/1Panel-dev/1Panel/agent/utils/cmd"
 	"github.com/1Panel-dev/1Panel/agent/utils/controller"
-	"github.com/1Panel-dev/1Panel/agent/utils/re"
 )
 
 type Firewall struct{}
@@ -119,24 +118,20 @@ func (f *Firewall) ListForward() ([]FireInfo, error) {
 	}
 	var datas []FireInfo
 	for _, line := range strings.Split(stdout, "\n") {
-		line = strings.TrimFunc(line, func(r rune) bool {
-			return r <= 32
-		})
-		if re.GetRegex(re.FirewalldForwardPattern).MatchString(line) {
-			match := re.GetRegex(re.FirewalldForwardPattern).FindStringSubmatch(line)
-			if len(match) < 4 {
-				continue
-			}
-			if len(match[4]) == 0 {
-				match[4] = "127.0.0.1"
-			}
-			datas = append(datas, FireInfo{
-				Port:       match[1],
-				Protocol:   match[2],
-				TargetIP:   match[4],
-				TargetPort: match[3],
-			})
+		line = strings.TrimSpace(line)
+		parts := strings.Split(line, ":")
+		if len(parts) < 4 {
+			continue
+		}
+		if parts[3] == "toaddr=" {
+			parts[3] = "127.0.0.1"
 		}
+		datas = append(datas, FireInfo{
+			Port:       strings.TrimPrefix(parts[0], "port="),
+			Protocol:   strings.TrimPrefix(parts[1], "proto="),
+			TargetIP:   strings.TrimPrefix(parts[3], "toaddr="),
+			TargetPort: strings.TrimPrefix(parts[2], "toport="),
+		})
 	}
 	return datas, nil
 }

agent/utils/firewall/client/iptables/forward.go

@@ -6,8 +6,8 @@ import (
 )
 
 func AddForward(protocol, srcPort, dest, destPort, iface string, save bool) error {
-	// iptabels destPort 范围端口规则为：%d-%d
-	destPort = strings.ReplaceAll(destPort, ":", "-")
+	srcPort = strings.ReplaceAll(srcPort, "-", ":")
+	itemDstPort := strings.ReplaceAll(destPort, "-", ":")
 	if dest != "" && dest != "127.0.0.1" && dest != "localhost" {
 		iptablesArg := fmt.Sprintf("-A %s", Chain1PanelPreRouting)
 		if iface != "" {
@@ -18,15 +18,15 @@ func AddForward(protocol, srcPort, dest, destPort, iface string, save bool) erro
 			return err
 		}
 
-		if err := Run(NatTab, fmt.Sprintf("-A %s -d %s -p %s --dport %s -j MASQUERADE", Chain1PanelPostRouting, dest, protocol, destPort)); err != nil {
+		if err := Run(NatTab, fmt.Sprintf("-A %s -d %s -p %s --dport %s -j MASQUERADE", Chain1PanelPostRouting, dest, protocol, itemDstPort)); err != nil {
 			return err
 		}
 
-		if err := Run(FilterTab, fmt.Sprintf("-A %s -d %s -p %s --dport %s -j ACCEPT", Chain1PanelForward, dest, protocol, destPort)); err != nil {
+		if err := Run(FilterTab, fmt.Sprintf("-A %s -d %s -p %s --dport %s -j ACCEPT", Chain1PanelForward, dest, protocol, itemDstPort)); err != nil {
 			return err
 		}
 
-		if err := Run(FilterTab, fmt.Sprintf("-A %s -s %s -p %s --sport %s -j ACCEPT", Chain1PanelForward, dest, protocol, destPort)); err != nil {
+		if err := Run(FilterTab, fmt.Sprintf("-A %s -s %s -p %s --sport %s -j ACCEPT", Chain1PanelForward, dest, protocol, itemDstPort)); err != nil {
 			return err
 		}
 	} else {
@@ -43,20 +43,21 @@ func AddForward(protocol, srcPort, dest, destPort, iface string, save bool) erro
 }
 
 func DeleteForward(num string, protocol, srcPort, dest, destPort, iface string) error {
+	itemDstPort := strings.ReplaceAll(destPort, "-", ":")
 	if err := Run(NatTab, fmt.Sprintf("-D %s %s", Chain1PanelPreRouting, num)); err != nil {
 		return err
 	}
 
 	if dest != "" && dest != "127.0.0.1" && dest != "localhost" {
-		if err := Run(NatTab, fmt.Sprintf("-D %s -d %s -p %s --dport %s -j MASQUERADE", Chain1PanelPostRouting, dest, protocol, destPort)); err != nil {
+		if err := Run(NatTab, fmt.Sprintf("-D %s -d %s -p %s --dport %s -j MASQUERADE", Chain1PanelPostRouting, dest, protocol, itemDstPort)); err != nil {
 			return err
 		}
 
-		if err := Run(FilterTab, fmt.Sprintf("-D %s -d %s -p %s --dport %s -j ACCEPT", Chain1PanelForward, dest, protocol, destPort)); err != nil {
+		if err := Run(FilterTab, fmt.Sprintf("-D %s -d %s -p %s --dport %s -j ACCEPT", Chain1PanelForward, dest, protocol, itemDstPort)); err != nil {
 			return err
 		}
 
-		if err := Run(FilterTab, fmt.Sprintf("-D %s -s %s -p %s --sport %s -j ACCEPT", Chain1PanelForward, dest, protocol, destPort)); err != nil {
+		if err := Run(FilterTab, fmt.Sprintf("-D %s -s %s -p %s --sport %s -j ACCEPT", Chain1PanelForward, dest, protocol, itemDstPort)); err != nil {
 			return err
 		}
 	}

agent/utils/re/re.go

@@ -10,7 +10,6 @@ const (
 	ComposeDisallowedCharsPattern      = `[^a-z0-9_-]+`
 	ComposeEnvVarPattern               = `\$\{([^}]+)\}`
 	DiskKeyValuePattern                = `([A-Za-z0-9_]+)=("([^"\\]|\\.)*"|[^ \t]+)`
-	FirewalldForwardPattern            = `^port=(\d{1,5}):proto=(.+?):toport=(\d{1,5}):toaddr=(.*)$`
 	ValidatorNamePattern               = `^[a-zA-Z\p{Han}]{1}[a-zA-Z0-9_\p{Han}]{0,30}$`
 	ValidatorIPPattern                 = `^((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})(\.((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})){3}$`
 	DomainPattern                      = `^([\w\p{Han}\-\*]{1,100}\.){1,10}([\w\p{Han}\-]{1,24}|[\w\p{Han}\-]{1,24}\.[\w\p{Han}\-]{1,24})(:\d{1,5})?$`
@@ -41,7 +40,6 @@ func Init() {
 		ComposeDisallowedCharsPattern,
 		ComposeEnvVarPattern,
 		DiskKeyValuePattern,
-		FirewalldForwardPattern,
 		ValidatorNamePattern,
 		ValidatorIPPattern,
 		DomainPattern,

frontend/src/lang/modules/en.ts

@@ -2964,7 +2964,7 @@ const message = {
         targetPort: 'Destination port',
         forwardHelper1: 'If you want to forward to the local port, the destination IP should be set to "127.0.0.1".',
         forwardHelper2: 'Leave the destination IP blank to forward to the local port.',
-        forwardPortHelper: 'Support port range, e.g. 80:90',
+        forwardPortHelper: 'Supports port ranges, e.g. 8080-8089',
         forwardInboundInterface: 'Forward Inbound Network Interface',
         exportHelper: 'About to export {0} firewall rules. Continue?',
         importSuccess: 'Successfully imported {0} rules',

frontend/src/lang/modules/es-es.ts

@@ -2941,6 +2941,7 @@ const message = {
         targetPort: 'Puerto de destino',
         forwardHelper1: 'Si quieres reenviar al puerto local, la IP de destino debe ser "127.0.0.1".',
         forwardHelper2: 'Deja en blanco la IP de destino para reenviar al puerto local.',
+        forwardPortHelper: 'Admite rangos de puertos, ej.: 8080-8089',
         forwardInboundInterface: 'Interfaz de Red de Entrada para Reenvío',
         exportHelper: 'A punto de exportar {0} reglas de firewall. ¿Continuar?',
         importSuccess: 'Se importaron correctamente {0} reglas',

frontend/src/lang/modules/ja.ts

@@ -2882,6 +2882,7 @@ const message = {
         targetPort: '宛先ポート',
         forwardHelper1: 'ローカルポートに転送する場合は、宛先IPを「127.0.0.1」に設定する必要があります。',
         forwardHelper2: '宛先IPを空白のままにして、ローカルポートに転送します。',
+        forwardPortHelper: 'ポート範囲をサポートします。例: 8080-8089',
         forwardInboundInterface: '転送入站ネットワークインターフェース',
         exportHelper: '{0} 件のファイアウォールルールをエクスポートします。続行しますか？',
         importSuccess: '{0} 件のルールを正常にインポートしました',

frontend/src/lang/modules/ko.ts

@@ -2827,6 +2827,7 @@ const message = {
         targetPort: '대상 포트',
         forwardHelper1: "로컬 포트로 전달하려면, 대상 IP 를 '127.0.0.1'로 설정해야 합니다.",
         forwardHelper2: '대상 IP 를 비워두면 로컬 포트로 전달됩니다.',
+        forwardPortHelper: '포트 범위를 지원합니다, 예: 8080-8089',
         forwardInboundInterface: '포워딩 인바운드 네트워크 인터페이스',
         exportHelper: '{0}개의 방화벽 규칙을 내보내려고 합니다. 계속하시겠습니까?',
         importSuccess: '{0}개의 규칙을 성공적으로 가져왔습니다',

frontend/src/lang/modules/ms.ts

@@ -2944,6 +2944,7 @@ const message = {
         targetPort: 'Port sasaran',
         forwardHelper1: 'Jika anda ingin memajukan ke port tempatan, IP sasaran harus ditetapkan kepada "127.0.0.1".',
         forwardHelper2: 'Biarkan IP sasaran kosong untuk memajukan ke port tempatan.',
+        forwardPortHelper: 'Menyokong julat port, cth: 8080-8089',
         forwardInboundInterface: 'Antara Muka Rangkaian Masukan Penerusan',
         exportHelper: 'Akan mengeksport {0} peraturan firewall. Teruskan?',
         importSuccess: '{0} peraturan berjaya diimport',

frontend/src/lang/modules/pt-br.ts

@@ -2949,6 +2949,7 @@ const message = {
         forwardHelper1:
             'Se você deseja redirecionar para a porta local, o IP de destino deve ser definido como "127.0.0.1".',
         forwardHelper2: 'Deixe o IP de destino em branco para redirecionar para a porta local.',
+        forwardPortHelper: 'Suporta intervalos de portas, ex. 8080-8089',
         forwardInboundInterface: 'Interface de Rede de Entrada para Encaminhamento',
         exportHelper: 'Prestes a exportar {0} regras de firewall. Continuar?',
         importSuccess: '{0} regras importadas com sucesso',

frontend/src/lang/modules/ru.ts

@@ -2942,7 +2942,8 @@ const message = {
         forwardHelper1:
             'Если вы хотите перенаправить на локальный порт, целевой IP должен быть установлен как "127.0.0.1".',
         forwardHelper2: 'Оставьте целевой IP пустым для перенаправления на локальный порт.',
-        forwardInboundInterface: '转发入站Сетевой интерфейс для пересылки входящего трафика网卡',
+        forwardPortHelper: 'Поддерживает диапазоны портов, напр. 8080-8089',
+        forwardInboundInterface: 'Сетевой интерфейс для пересылки входящего трафика',
         exportHelper: 'Собираюсь экспортировать {0} правил брандмауэра. Продолжить?',
         importSuccess: 'Успешно импортировано {0} правил',
         importPartialSuccess: 'Импорт завершён: {0} успешно, {1} с ошибкой',